Re: pen testing & obfuscated shell code (more neat stuff)

From: Angelo Dell'Aera (buffer@antifork.org)
Date: Tue Feb 17 2004 - 09:53:51 EST


On 16 Feb 2004 17:52:45 -0000
Karsten Johansson <ksaj@penetrationtest.com> wrote:

> In-Reply-To: <002d01c3f358$6339a660$6401a8c0@harrypotter>

> Since the people that use NOP sleds don't really care about the
> registers and what's on the stack, then there are probably a lot more
> useful NOP sled opcodes available - as long as they don't generate
> errors.

I don't like talking too much about myself, but I just want to point out
some work I did two years ago showing how to defeat an IDS at
"shellcode catching". On that occasion, I wrote two completely
alphanumeric codes, which you may find on my homepage (reported below),
named buffer-i386-raptus.c and buffer-i386-delirium.c. In particular,
the latter is an alphanumeric asm code which builds a shellcode and
then executes it. Using these codes, you can use whatever padding you
want, since they make no assumptions about the registers' contents and
thus always set them properly. This is obviously true even if you
generate an alphanumeric shellcode using, e.g., Rix's ASC, starting from
the "I-make-no-assumptions" classic shellcode.

Regards.

--
Angelo Dell'Aera 'buffer'
Antifork Research, Inc.    http://buffer.antifork.org
PGP information in e-mail header

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:48 EDT