Penetration Testing mailing list archives
Re: pen testing & obfuscated shell code
From: Dragos Ruiu <dr () kyx net>
Date: Wed, 11 Feb 2004 19:56:15 -0800
On February 10, 2004 05:24 am, Don Parker wrote:
> Hello Marius, indeed the trick is in using a 1 byte function, but also in making sure that it does not affect the egg itself. That is the real trick. There is no shortage of 1 byte functions for use; the problem is to make it still work after. It is simple to just use an ASCII character as well, but that is a different story as well. Thanks for your reply :-)

List of NOP equivalents: http://dragos.com/noplist-v1-1.txt

Not all the world's an x86. Other arches use lengths other than one.
In some cases/exploits you can use multibyte NOP sleds.

Also see K2's ADMmutate....

cheers,
--dr

(I should really add PPC one of these days... info donations welcome :-)

--
Top security experts. Cutting edge tools, techniques and information.
Vancouver, Canada April 21-23 2004 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
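
A defender's view of the point made in this message, as an added example that is not part of the original post or the linked noplist: a byte signature for repeated 0x90 misses a sled built from other one-byte instructions, while a scan for runs of any such opcode catches both. The opcode set, function names and sample buffers are assumptions constructed for this example, and it covers 32-bit x86 single-byte instructions only (not the multibyte or non-x86 cases mentioned above).

```python
# Added example: heuristic scan for x86 one-byte NOP-equivalent sleds.
# ONE_BYTE_EQUIV is an assumed set chosen for illustration (32-bit x86,
# single-byte instructions with no memory access or control transfer).
ONE_BYTE_EQUIV = frozenset(
    [0x90]                      # nop
    + list(range(0x40, 0x50))   # inc/dec r32 (32-bit mode encodings)
    + list(range(0x91, 0x98))   # xchg eax, r32
    + [0x27, 0x2F, 0x37, 0x3F]  # daa, das, aaa, aas
    + [0x98, 0x99, 0x9E, 0x9F]  # cwde, cdq, sahf, lahf
    + [0xF5, 0xF8, 0xF9, 0xFC]  # cmc, clc, stc, cld
)


def naive_0x90_scan(buf: bytes, min_run: int = 32) -> bool:
    """Classic signature: a run of literal 0x90 bytes."""
    return (b"\x90" * min_run) in buf


def find_sleds(buf: bytes, min_run: int = 32):
    """Return (offset, length, distinct_opcodes) for each run of
    NOP-equivalent bytes at least min_run long.

    Several opcodes in the set are printable ASCII ('A'-'O', '/', '7', '?'),
    so min_run must be long enough that ordinary text does not match.
    """
    hits, start = [], None
    # Trailing 0x00 sentinel (not in the set) closes a run at end of buffer.
    for i, b in enumerate(buf + b"\x00"):
        if b in ONE_BYTE_EQUIV:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                hits.append((start, i - start, len(set(buf[start:i]))))
            start = None
    return hits


# Constructed sample buffers (not captured traffic). 0xCC bytes stand in
# for whatever follows the sled; no real payload is included.
_OPS = sorted(ONE_BYTE_EQUIV)
CLASSIC = b"data=" + b"\x90" * 64 + b"\xcc" * 8
MIXED = b"data=" + bytes(_OPS[i % len(_OPS)] for i in range(64)) + b"\xcc" * 8
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: EXAMPLE.INVALID\r\n\r\n"

if __name__ == "__main__":
    for name, buf in (("classic", CLASSIC), ("mixed", MIXED), ("benign", BENIGN)):
        print(name, "0x90-signature:", naive_0x90_scan(buf), "runs:", find_sleds(buf))
```

The distinct-opcode count in each hit helps triage: 1 indicates a plain sled or simple padding, while a high count over a long run is unusual for legitimate data.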