Dailydave mailing list archives

Re: So shellcode work is phun


From: Berend-Jan Wever <berendjanwever () gmail com>
Date: Sat, 25 Jul 2009 14:24:01 +0200

If you're not paranoid about blowing stuff up and just want your shellcode
to be both small and have a decent chance to work on Windows 7, try this:
http://skypher.com/index.php/2009/07/22/shellcode-finding-kernel32-in-windows-7/
(do let me know if that doesn't work on your machine!)

Cheers,
SkyLined

Berend-Jan Wever <berendjanwever () gmail com>
http://skypher.com/SkyLined




On Tue, Jun 30, 2009 at 5:28 PM, Dave Aitel <dave () kof immunityinc com> wrote:

So today, in class, at the very end of the day, one of the students got his
bindshell working. And he was connecting to it happily and quite pleased
with himself and checking out his admin cmd.exe in taskmanager until we
pointed out that he should probably bind to localhost instead of 0.0.0.0, at
which point he got super paranoid. :>

Anyways, one of the things we teach in class is to do error correction in
your shellcode. That jne might cost you 2 bytes of space, but at least that
1/100th of a time when your bind() fails, you don't have to worry that you
AVed some poor guy's lsass.

That same thing is true for parsing the PEB and its mighty linked lists.
If you make assumptions about what order modules are loaded in, then things
are going to blow up eventually. Probably not when you want them to.

-dave



On Mon, Jun 29, 2009 at 3:42 AM, Chris Eagle <cseagle () redshift com> wrote:

Perhaps relevant:


http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html

Chris

Jared DeMott wrote:
Dear Dave,

Just for phun, I sat down to test a simple popup calc shellcode on
Windows 7 RC today and it pooped.  I verified that it worked on XP and
Vista, and thought darn ... now I'm going to have to see why it failed
on Windows 7 and email H D Moore.  Anyone else seen this or am I on
crack today?

Cheers,
Jared
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
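Added example (editor's, not code from anyone in the thread) for Dave's point about not assuming module load order when walking the PEB. It simulates the loader's InInitializationOrderModuleList with plain C structures so it runs anywhere: the structure layouts, the two module orderings (an XP-like list with kernel32 second and a Windows 7-like list with KernelBase.dll in front of it), the fake image bases and the ROR13-over-ASCII hash are all constructed simplifications, not the real LDR_DATA_TABLE_ENTRY layout or the constants real shellcode uses. It contrasts the fragile "kernel32 is the Nth entry" lookup with a name-hash walk that also returns NULL instead of a bogus base when the module is absent, which is the error-correction habit Dave is arguing for.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <ctype.h>

/* Constructed, simplified stand-ins for the Windows loader structures.
 * The real LDR_DATA_TABLE_ENTRY has many more fields and BaseDllName is
 * a UNICODE_STRING; shellcode reaches them via fixed offsets. */
typedef struct list_entry {
    struct list_entry *Flink;
    struct list_entry *Blink;
} LIST_ENTRY;

typedef struct ldr_entry {
    LIST_ENTRY  InInitializationOrderLinks; /* first field here, so a link
                                               pointer is also the entry */
    void       *DllBase;
    const char *BaseDllName;
} LDR_ENTRY;

typedef struct {
    LIST_ENTRY InInitializationOrderModuleList; /* circular list head */
} PEB_LDR_DATA;

/* Fake image bases (constructed): only their addresses matter. */
static uint8_t ntdll_img[16], kernel32_img[16], kernelbase_img[16], user32_img[16];

/* Constructed orderings (assumption for illustration): kernel32 is the 2nd
 * entry on the XP-like list, but KernelBase.dll precedes it on Windows 7. */
static LDR_ENTRY xp_mods[3] = {
    { {NULL, NULL}, ntdll_img,    "ntdll.dll" },
    { {NULL, NULL}, kernel32_img, "kernel32.dll" },
    { {NULL, NULL}, user32_img,   "user32.dll" },
};
static LDR_ENTRY win7_mods[3] = {
    { {NULL, NULL}, ntdll_img,      "ntdll.dll" },
    { {NULL, NULL}, kernelbase_img, "KERNELBASE.dll" },
    { {NULL, NULL}, kernel32_img,   "kernel32.dll" },
};

/* Link the entries into a circular doubly linked list, appending at the tail. */
static void link_list(PEB_LDR_DATA *ldr, LDR_ENTRY *mods, size_t n)
{
    LIST_ENTRY *head = &ldr->InInitializationOrderModuleList;
    head->Flink = head->Blink = head;
    for (size_t i = 0; i < n; i++) {
        LIST_ENTRY *e = &mods[i].InInitializationOrderLinks;
        e->Blink = head->Blink;
        e->Flink = head;
        head->Blink->Flink = e;
        head->Blink = e;
    }
}

PEB_LDR_DATA *xp_like_ldr(void)
{
    static PEB_LDR_DATA ldr;
    link_list(&ldr, xp_mods, 3);
    return &ldr;
}

PEB_LDR_DATA *win7_like_ldr(void)
{
    static PEB_LDR_DATA ldr;
    link_list(&ldr, win7_mods, 3);
    return &ldr;
}

/* Fragile: "kernel32 is always the Nth module". Silently returns the wrong
 * base as soon as the loader changes the order. */
void *module_by_position(PEB_LDR_DATA *ldr, int n)
{
    LIST_ENTRY *head = &ldr->InInitializationOrderModuleList;
    LIST_ENTRY *cur = head->Flink;
    for (int i = 1; i < n && cur != head; i++)
        cur = cur->Flink;
    return cur == head ? NULL : ((LDR_ENTRY *)cur)->DllBase;
}

/* ROR13 hash over the upper-cased 8-bit name. Simplification: real
 * shellcode hashes the UTF-16 name, so its constants differ from these. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (; *name; name++) {
        h = (h >> 13) | (h << 19);
        h += (uint32_t)toupper((unsigned char)*name);
    }
    return h;
}

/* Robust: visit every entry, match on the name hash, and return NULL rather
 * than a bogus base when the module is missing so the caller can bail out. */
void *module_by_hash(PEB_LDR_DATA *ldr, uint32_t want)
{
    LIST_ENTRY *head = &ldr->InInitializationOrderModuleList;
    for (LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        LDR_ENTRY *m = (LDR_ENTRY *)cur;
        if (ror13_hash(m->BaseDllName) == want)
            return m->DllBase;
    }
    return NULL;
}

int main(void)
{
    uint32_t k32 = ror13_hash("kernel32.dll");
    printf("XP   by position 2: %s\n",
           module_by_position(xp_like_ldr(), 2) == (void *)kernel32_img ? "kernel32" : "WRONG");
    printf("Win7 by position 2: %s\n",
           module_by_position(win7_like_ldr(), 2) == (void *)kernel32_img ? "kernel32" : "WRONG");
    printf("Win7 by hash      : %s\n",
           module_by_hash(win7_like_ldr(), k32) == (void *)kernel32_img ? "kernel32" : "WRONG");
    return 0;
}
```

The positional walk is the kind of thing that worked for years on XP and then, as Jared saw, falls over on Windows 7 without any error: it hands back KernelBase's base and the rest of the shellcode resolves garbage. The hash walk costs a few more bytes but is indifferent to order, and its NULL return gives the payload a place to exit cleanly instead of taking the process down with it.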


