[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection

To: "Avraham Moshe Schneider" <Avraham.Schneider@xxxxxxxxxxx>
Subject: Re: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
From: "Avraham Schneider" <avri.schneider@xxxxxxxxx>
Date: Tue, 5 Aug 2008 23:31:52 +0300

Oops - that is not correct - it will only work when the second and
third bits of ESP are 0

:-) I was to quick on the send button.

EAX is basically XOR's with the length of the string, and instead I
need to increment it by the length of the string... I'll have to come
up with a better solution... (I'll probably have to resort to
patching... but I was looking for a quick and dirty fix)

If anyone comes up with a solution for this before me, I'll buy them a
Shawarma next time they're in Israel ;-)

Regards,
Avri

On Tue, Aug 5, 2008 at 7:00 PM, Avraham Moshe Schneider
<Avraham.Schneider@xxxxxxxxxxx> wrote:
> I fixed a couple of bugs -
>
> 1. The srand() function was called after calls to rand() - causing a fixed 
> string in the decoder which an IDS could signature on
> 2. Case of ESP register pointing to the head of the decoder was not handled, 
> it is fixed now, but needs to be randomized. Right now, in the case of ESP 
> pointing to the shellcode, the following fixed string would exist at the head 
> of the decoder routine: "TX4640"
> This translates to:
> _asm
> {
>        push esp;
>        pop eax;
>        xor al, 0x36;
>        xor al, 0x30;
> }
>
> The '6' and the '0' can be any alphanumeric byte where the first is the 
> second+6 or vice versa.
>
> You may add alphanumeric NOP instructions in between and change the diff 
> between the bytes accordingly.
> The diff between the two XOR values should be the length of the resulting 
> string.
>
> I used the EAX register, as XOR'ing it with an immediate value is 
> alphanumeric.
>
> Regards,
> Avri
> **********************************************************************************************
>
> The contents of this email and any attachments are confidential.
> It is intended for the named recipient(s) only.
> If you have received this email in error please notify the system manager or  
> the
> sender immediately and do not disclose the contents to anyone or make copies.
> ** eSafe scanned this email for viruses, vandals and malicious content **
>
> **********************************************************************************************
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
  - From: Avraham Schneider

References:
- Re: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
  - From: Avraham Moshe Schneider

Prev by Date: Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
Next by Date: Re: [Full-disclosure] Media backlash begins against HD Moore and I)ruid
Previous by thread: Re: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
Next by thread: Re: [Full-disclosure] Alphanumeric Shellcode Encoding and Detection
Index(es):
- Date
- Thread