Dailydave mailing list archives
Re: So shellcode work is phun
From: Berend-Jan Wever <berendjanwever () gmail com>
Date: Sat, 25 Jul 2009 14:24:01 +0200
If you're not paranoid about blowing stuff up and just want your shellcode to be both small and have a decent chance to work on Windows 7, try this: http://skypher.com/index.php/2009/07/22/shellcode-finding-kernel32-in-windows-7/ (do let me know if that doesn't work on your machine!)

Cheers,
SkyLined

Berend-Jan Wever <berendjanwever () gmail com>
http://skypher.com/SkyLined

On Tue, Jun 30, 2009 at 5:28 PM, Dave Aitel <dave () kof immunityinc com> wrote:
So today, in class, at the very end of the day, one of the students got his bindshell working. And he was connecting to it happily and quite pleased with himself and checking out his admin cmd.exe in taskmanager until we pointed out that he should probably bind to localhost instead of 0.0.0.0, at which point he got super paranoid. :>

Anyways, one of the things we teach in class is to do error correction in your shellcode. That jne might cost you 2 bytes of space, but at least that 1/100th of a time when your bind() fails, you don't have to worry that you AVed some poor guy's lsass. That same thing is true for parsing the PEB and its mighty linked lists. If you make assumptions about what order modules are loaded in, then things are going to blow up eventually. Probably not when you want them to.

-dave

On Mon, Jun 29, 2009 at 3:42 AM, Chris Eagle <cseagle () redshift com> wrote:

Perhaps relevant: http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html

Chris

Jared DeMott wrote:

Dear Dave,

Just for phun, I sat down to test a simple popup calc shellcode on Windows 7 RC today and it pooped. I verified that it worked on XP and Vista, and thought darn ... now I'm going to have to see why it failed on Windows 7 and email H D Moore. Anyone else seen this or am I on crack today?

Cheers,
Jared

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave