Penetration Testing mailing list archives
Re: pen testing & obfuscated shell code
From: "Don Parker" <dparker () rigelksecurity com>
Date: Tue, 10 Feb 2004 08:24:14 -0500 (EST)
Hello Marius,

indeed the trick is in using a 1 byte function, but also in making sure that it does not affect the egg itself. That is the real trick. There is no shortage of 1 byte functions for use; the problem is to make it still work after. It is simple to just use an ASCII character as well, but that is a different story as well. Thanks for your reply :-)

Cheers

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Feb 9, Marius Huse Jacobsen <mahuja () c2i net> wrote:

Hello Don,

Friday, January 30, 2004, 5:44:53 AM, you wrote:

DP> Hello group, have a question to ask which is about using obfuscated shell code during a
DP> pen test. Do any of you actually use home cooked obfuscated shell code during a pen test?
DP> By that I mean do you replace the known sled of x90 with another 1 byte instruction that
DP> won't affect the egg?

There are many instructions that would fit the bill... Incrementing and decrementing registers, for example. To avoid further filters, you may wish to alternate. E.g.

    NOP
    INC EAX
    INC EDX
    NOP
    NOP
    INC EAX
    DEC EDX
    INC EAX
    XOR EAX,EAX

The clue is that the instruction, in machine code, should be one byte only. Simply because if there were two, there would be a chance it "landed" on the odd byte.

--
Best regards,
Marius
mailto:mahuja () c2i net
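A defender's view of the sled discussed in this thread, as an added example that is not part of the original posts: a Python check that flags long runs of one-byte 32-bit x86 instructions (NOP, INC r32, DEC r32) in a payload where a signature for repeated 0x90 finds nothing. The function names, the length threshold and the sample payloads are constructed for illustration.

```python
# Added example: detect sleds built from one-byte x86 (32-bit) instructions.
# 0x90 = NOP, 0x40-0x47 = INC r32, 0x48-0x4F = DEC r32.
SLED_BYTES = frozenset([0x90]) | frozenset(range(0x40, 0x50))

def naive_nop_match(data: bytes, n: int = 16) -> bool:
    """Classic signature: n consecutive 0x90 bytes."""
    return b"\x90" * n in data

def find_sleds(data: bytes, min_len: int = 24):
    """Return (offset, length, distinct_opcodes) for each run of sled bytes
    that is at least min_len long (min_len is an assumed threshold)."""
    hits = []
    start = None
    for i, b in enumerate(data + b"\x00"):  # 0x00 sentinel closes a trailing run
        if b in SLED_BYTES:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                hits.append((start, i - start, len(set(data[start:i]))))
            start = None
    return hits

# Constructed sample inputs (no payload follows the sled in any of them).
CLASSIC = b"USER " + b"\x90" * 40 + b"\r\n"
# NOP, INC EAX, INC EDX, NOP, NOP, INC EAX, DEC EDX, INC EAX, repeated
MIXED = b"USER " + bytes([0x90, 0x40, 0x42, 0x90, 0x90, 0x40, 0x4A, 0x40]) * 5 + b"\r\n"
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
# 0x40-0x4F are also printable ASCII ('@', 'A'-'O'), so plain padding is
# flagged too; a distinct_opcodes value of 1 on a printable byte is a triage hint.
PADDING = b"A" * 30

def demo():
    return {
        "classic": (naive_nop_match(CLASSIC), find_sleds(CLASSIC)),
        "mixed": (naive_nop_match(MIXED), find_sleds(MIXED)),
        "benign": (naive_nop_match(BENIGN), find_sleds(BENIGN)),
        "padding": (naive_nop_match(PADDING), find_sleds(PADDING)),
    }

if __name__ == "__main__":
    for name, (naive, runs) in demo().items():
        print(f"{name:8} naive={naive!s:5} runs={runs}")
```

The byte ranges apply to 32-bit code only; in 64-bit mode 0x40-0x4F are REX prefixes rather than INC/DEC.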