Penetration Testing mailing list archives

Re: Obfuscated shellcode


From: "Don Parker" <dparker () rigelksecurity com>
Date: Tue, 24 Feb 2004 19:08:02 -0500 (EST)

Hi dk, thanks for the input :-) I already had the list, but thanks anyway. You are 
quite correct, of course, that this type of thing should be included in a pentest. But 
that is just my opinion. Though this type of attack has a limited time window, it is 
still quite effective for obvious reasons. 
 
Cheers! 
 
Don 
 
------------------------------------------- 
Don Parker, GCIA 
Intrusion Detection Specialist 
Rigel Kent Security & Advisory Services Inc 
www.rigelksecurity.com 
ph :613.249.8340 
fax:613.249.8319 
-------------------------------------------- 
 
On Feb 24, dk <dk () pwarchitects com> wrote: 
Don Parker wrote: 
 
Hello all, do any of you bother using obfuscated eggs during a pentest? I ask here for 
I got no responses elsewhere. Though changing the well-known x90 sled to some other 
1-byte function that won't affect the egg won't work against a patched service, it will, 
however, elude an IDS signature.   
[[:snip:]] 
 
Hi Don, 
 
        I realize this message is 23 days after your post, and not fully OT; but it 
came to mind when you mentioned non-\x00 codes. It's a list from an old snort 
preprocessor... Not sure if they moved this into the core project or not, it's been 
a while since I've run a snort NIDS.  Anyway, it has been handy before, and 
I've forgotten where I got it from, 'prolly old snort code that you have 
already, but if not... 
 
Oh, BTW. Though I don't pentest professionally, it would seem logical to run 
tests that are similar to that which /may/ happen in the field. Non-\x00 is 
used there, so why not in a p-test? Seems like it would increase the quality 
of work provided with little cost on your end up front. 
 
 
--  
dk 
 
NOP Equivalent opcodes for shellcodes - Canonical List 
 
Used by snort:spp_fnord.c nop sled detector - www.snort.org 
Information on this polymorphic mutated shellcode detection 
will be provided at CanSecWest/core02 - http://cansecwest.org 
and SANS Real World Intrusion Detection - http://sans.org 
 
Please mail any additions or mistakes to Dragos Ruiu (dr () kyx net) 
 
v1.0 - 2002 Feb 26  
 
Arch  Code (hex, 00=wild)       Opcode                        ASCII (IA32 single-byte rows) 
----  -----------------         ---------------------         ----- 
HPPA   08 21 02 9a               xor %r1,%r1,%r26         
HPPA   08 41 02 83               xor %r1,%r2,%r3          
HPPA   08 a4 02 46               or  %r4,%r5,%r6          
HPPA   09 04 06 8f               shladd %r4,2,%r8,%r15    
HPPA   09 09 04 07               sub %r9,%r8,%r7          
HPPA   09 6a 02 8c               xor %r10,%r11,%r12       
HPPA   09 cd 06 0f               add %r13,%r14,%r15       
Sprc   20 bf bf 00               bn -random         
IA32   27                        daa                           '  
IA32   2f                        das                           /  
IA32   33 c0                     xor %eax,%eax   
IA32   37                        aaa                           7  
IA32   3f                        aas                           ?  
IA32   40                        inc %eax                      @  
IA32   41                        inc %ecx                      A  
IA32   42                        inc %edx                      B  
IA32   43                        inc %ebx                      C  
IA32   44                        inc %esp                      D  
IA32   45                        inc %ebp                      E  
IA32   46                        inc %esi                      F  
IA32   47                        inc %edi                      G  
IA32   48                        dec %eax                      H  
IA32   4a                        dec %edx                      J  
IA32   4b                        dec %ebx                      K  
IA32   4c                        dec %esp                      L  
IA32   4d                        dec %ebp                      M  
IA32   4e                        dec %esi                      N  
IA32   4f                        dec %edi                      O  
IA32   50                        push %eax                     P  
IA32   51                        push %ecx                     Q  
IA32   52                        push %edx                     R  
IA32   53                        push %ebx                     S  
IA32   54                        push %esp                     T  
IA32   55                        push %ebp                     U  
IA32   56                        push %esi                     V  
IA32   57                        push %edi                     W  
IA32   58                        pop %eax                      X  
IA32   59                        pop %ecx                      Y  
IA32   5a                        pop %edx                      Z  
IA32   5b                        pop %ebx                      [  
IA32   5d                        pop %ebp                      ]  
IA32   5e                        pop %esi                      ^  
IA32   5f                        pop %edi                      _  
IA32   60                        pusha                         `  
IA32   6b c0 00                  imul N,%eax     
Sprc   81 d0 20 00               tn random          
IA32   83 e0 00                  and N,%eax      
IA32   83 c8 00                  or  N,%eax      
IA32   83 e8 00                  sub N,%eax      
IA32   83 f0 00                  xor N,%eax      
IA32   83 f8 00                  cmp N,%eax      
IA32   83 f9 00                  cmp N,%ecx      
IA32   83 fa 00                  cmp N,%edx      
IA32   83 fb 00                  cmp N,%ebx      
IA32   83 c0 00                  add N,%eax      
IA32   85 c0                     test %eax,%eax  
IA32   87 d2                     xchg %edx,%edx  
IA32   87 db                     xchg %ebx,%ebx  
IA32   87 c9                     xchg %ecx,%ecx  
Sprc   89 a5 08 22               fadds %f20,%f2,%f4 
IA32   8c c0                     mov %es,%eax    
IA32   8c e0                     mov %fs,%eax    
IA32   8c e8                     mov %gs,%eax    
IA32   90                        regular NOP     
IA32   91                        xchg %eax,%ecx  
IA32   92                        xchg %eax,%edx  
IA32   93                        xchg %eax,%ebx  
HPPA   94 6c e0 84               subi,OD  42,%r3,%r12    
IA32   95                        xchg %eax,%ebp  
IA32   96                        xchg %eax,%esi  
Sprc   96 23 60 00               sub %o5, 42,%o3   
Sprc   96 24 80 12               sub %l2,%l2,%o3    
IA32   97                        xchg %eax,%edi  
IA32   98                        cwtl            
Sprc   98 3e 80 12               xnor %i2,%l2,%o4   
IA32   99                        cltd            
IA32   9b                        fwait           
IA32   9c                        pushf           
IA32   9e                        sahf            
IA32   9f                        lahf            
Sprc   a0 26 e0 00               sub %i3, 42,%l0   
Sprc   a2 03 40 12               add %o5,%l2,%l1    
Sprc   a2 0e 80 13               and %i2,%l3,%l1    
Sprc   a2 1a 40 0a               xor %o1,%o2,%l1    
Sprc   a2 1c 80 12               xor %l2,%l2,%l1    
Sprc   a4 04 e0 00               add %l3, 42,%l2   
Sprc   a4 27 40 12               sub %i5,%l2,%l2    
Sprc   a4 32 a0 00               orn %o2, 42,%l2   
IA32   b0 00                     mov N,%eax      
Sprc   b2 03 60 00               add %o5, 42,%i1   
Sprc   b2 26 80 19               sub %i2,%i1,%i1    
HPPA   b5 03 e0 00               addi,OD  42,%r8,%r3     
HPPA   b5 4b e0 00               addi,OD  42,%r10,%r11   
Sprc   b6 06 40 1a               add %i1,%i2,%i3    
Sprc   b6 16 40 1a               or  %i1,%i2,%i3    
Sprc   b6 04 80 12               add %l2,%l2,%i3    
Sprc   b6 03 60 00               add %o5, 42,%i3   
Sprc   ba 56 a0 00               umul %i2, 42,%i5  
IA32   c1 c0 00                  rol N,%eax      
IA32   c1 c8 00                  ror N,%eax      
IA32   c1 e8 00                  shr N,%eax      
HPPA   d0 e8 0a e9               shrpw %r8,%r7,8,%r9      
IA32   f5                        cmc             
IA32   f7 d0                     not %eax        
IA32   f8                        clc             
IA32   f9                        stc             
IA32   fc                        cld             
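
The following is an added example and is not code from the thread or from Snort's spp_fnord.c. It takes the single-byte IA32 rows of the list above, builds a polymorphic sled from them, and then runs two detectors over it: a literal-0x90 run check (the signature Don says an obfuscated sled eludes) and a fnord-style check that counts runs of any NOP-equivalent byte. The touches_esp filter, the 64-byte length, the xorshift PRNG and its seed are my own choices, made so the sled does not move the stack pointer and so the output is reproducible; fnord itself also matched the multi-byte and non-IA32 rows, which this reduction leaves out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Single-byte IA32 entries transcribed from the spp_fnord list quoted above.
 * Multi-byte rows (e.g. "33 c0 xor %eax,%eax") and the HPPA/SPARC rows are
 * left out so every offset in the sled is a valid instruction boundary.
 * The list itself has no 0x49, 0x5c, 0x61 or 0x94, so neither does this. */
static const uint8_t nop_equiv[] = {
    0x27, 0x2f, 0x37, 0x3f,                          /* daa das aaa aas          */
    0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,  /* inc r32                  */
    0x48, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,        /* dec r32                  */
    0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,  /* push r32                 */
    0x58, 0x59, 0x5a, 0x5b, 0x5d, 0x5e, 0x5f,        /* pop r32                  */
    0x60,                                            /* pusha                    */
    0x90, 0x91, 0x92, 0x93, 0x95, 0x96, 0x97,        /* nop, xchg %eax,r32       */
    0x98, 0x99, 0x9b, 0x9c, 0x9e, 0x9f,              /* cwtl cltd fwait pushf sahf lahf */
    0xf5, 0xf8, 0xf9, 0xfc,                          /* cmc clc stc cld          */
};
#define NOP_EQUIV_COUNT (sizeof nop_equiv / sizeof nop_equiv[0])

int is_nop_equiv(uint8_t b) {
    for (size_t i = 0; i < NOP_EQUIV_COUNT; i++)
        if (nop_equiv[i] == b) return 1;
    return 0;
}

/* Bytes in the list that move %esp (push/pop/pusha/pushf, inc/dec %esp).
 * Harmless to the instruction stream, but execution may land anywhere in
 * the sled, so the number executed is unknown; stack-relative shellcode
 * after the sled is safer without them. (Assumption: the egg uses %esp.) */
int touches_esp(uint8_t b) {
    return (b >= 0x50 && b <= 0x5f) || b == 0x60 || b == 0x9c ||
           b == 0x44 || b == 0x4c;
}

/* xorshift32: deterministic so a given seed always yields the same sled. */
static uint32_t xs32(uint32_t *s) {
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Fill out[0..len) with a stack-safe, NUL-free sled; returns bytes written. */
size_t build_sled(uint8_t *out, size_t len, uint32_t seed) {
    uint32_t s = seed ? seed : 0x9e3779b9u;     /* xorshift must not start at 0 */
    size_t n = 0;
    while (n < len) {
        uint8_t b = nop_equiv[xs32(&s) % NOP_EQUIV_COUNT];
        if (touches_esp(b)) continue;           /* rejection-sample stack movers */
        out[n++] = b;
    }
    return n;
}

static size_t longest_run(const uint8_t *buf, size_t len, int (*pred)(uint8_t)) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = pred(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}
static int is_x90(uint8_t b) { return b == 0x90; }

/* Naive IDS rule: longest run of the literal 0x90 byte. */
size_t longest_x90_run(const uint8_t *buf, size_t len) {
    return longest_run(buf, len, is_x90);
}
/* fnord-style rule: longest run of bytes that are any NOP-equivalent. */
size_t longest_nop_equiv_run(const uint8_t *buf, size_t len) {
    return longest_run(buf, len, is_nop_equiv);
}

/* Helpers that build a 64-byte sled from a seed and report what each rule sees. */
int sled_is_well_formed(uint32_t seed) {
    uint8_t s[64];
    if (build_sled(s, sizeof s, seed) != sizeof s) return 0;
    for (size_t i = 0; i < sizeof s; i++)
        if (s[i] == 0 || !is_nop_equiv(s[i]) || touches_esp(s[i])) return 0;
    return 1;
}
size_t x90_run_on_poly(uint32_t seed) {
    uint8_t s[64]; build_sled(s, sizeof s, seed); return longest_x90_run(s, sizeof s);
}
size_t nop_run_on_poly(uint32_t seed) {
    uint8_t s[64]; build_sled(s, sizeof s, seed); return longest_nop_equiv_run(s, sizeof s);
}
size_t x90_run_on_plain(void) {
    uint8_t p[64]; memset(p, 0x90, sizeof p); return longest_x90_run(p, sizeof p);
}

int main(void) {
    uint8_t poly[64];
    build_sled(poly, sizeof poly, 0xdeadbeefu);
    printf("plain sled: x90 run=%zu\n", x90_run_on_plain());
    printf("poly  sled: x90 run=%zu  nop-equiv run=%zu\n",
           longest_x90_run(poly, sizeof poly), longest_nop_equiv_run(poly, sizeof poly));
    for (size_t i = 0; i < sizeof poly; i++) printf("%02x", poly[i]);
    printf("\n");
    return 0;
}
```

Build with `cc -o sled sled.c` and run it: the plain sled shows a 0x90 run of 64 and the polymorphic one a 0x90 run near zero, yet the fnord-style rule reports 64 for both. That is the limited-window point in the thread: the sled dodges a byte-literal signature, not a detector that knows the equivalence class. Because every byte here is in 0x27..0xfc with no NUL, the sled also survives a strcpy-style copy, which is the non-\x00 property dk mentions.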
 
 
 
