Penetration Testing mailing list archives
Re: pen testing & obfuscated shell code (more neat stuff)
From: Karsten Johansson <ksaj () penetrationtest com>
Date: 16 Feb 2004 17:52:45 -0000
In-Reply-To: <002d01c3f358$6339a660$6401a8c0@harrypotter>

Greetings,

Thanks to those who emailed me. 'abcdefghijklmno' does indeed map to opcodes. The quick test I did showed them as unmapped, but they definitely are mapped.

One person found that a .com file with my suggested NOP sled actually made his mouse jump all over the place. That's not very NOPish at all.

As well, a few people provided some really good links on the subject. Here are two good ones:

http://www.livejournal.com/community/shellcode/1983.html - ASCII shellcode for writing a message to the console
http://cansecwest.com/noplist-v1-1.txt - NOP equivalents used by SNORT spp_fnord.c

Since the people that use NOP sleds don't really care about the registers and what's on the stack, then there are probably a lot more useful NOP sled opcodes available - as long as they don't generate errors.

I am thinking about finishing the document that I posted here on Byte code replacement, because I wrote that when extended registers weren't an issue. If anyone wants to help, just let me know.

Karsten Johansson
www.PENETRATIONTEST.com
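The second link above describes the NOP-equivalent list that Snort's spp_fnord preprocessor matches on. As an added example, not part of the post or of Snort, here is the detection side of that idea in Python: scan a buffer for long runs of single-byte x86 instructions that can stand in for 0x90, so a sled written as capital letters is caught as well as a classic one. The opcode set, the run threshold and the sample buffers are assumptions chosen for illustration.

```python
# Added example (not from the original post or from Snort): a small sled
# detector in the spirit of spp_fnord.  It looks for long runs of single-byte
# 32-bit x86 instructions that only touch registers or flags, so a sled built
# from them still slides into the payload.  Opcode set, threshold (24) and the
# sample buffers below are assumptions made for this illustration.
from typing import Optional

# 0x40..0x4F are inc/dec reg32 in 32-bit mode (in 64-bit mode they are REX
# prefixes, so this set is specific to 32-bit code).  Letters 'A'..'O' fall in
# that range, which is why a run of capital letters can hide a sled in text.
NOP_EQUIVALENTS = frozenset(
    [0x90]                            # nop
    + list(range(0x40, 0x50))         # inc/dec eax..edi
    + [0x27, 0x2F, 0x37, 0x3F]        # daa, das, aaa, aas
    + [0x98, 0x99, 0x9E, 0x9F]        # cwde, cdq, sahf, lahf
    + [0xF5, 0xF8, 0xF9, 0xFC, 0xFD]  # cmc, clc, stc, cld, std
)


def longest_sled(buf: bytes) -> tuple:
    """Return (offset, length) of the longest run of NOP-equivalent bytes."""
    best_off, best_len = 0, 0
    run_off, run_len = 0, 0
    for i, b in enumerate(buf):
        if b in NOP_EQUIVALENTS:
            if run_len == 0:
                run_off = i          # a new run starts here
            run_len += 1
            if run_len > best_len:
                best_off, best_len = run_off, run_len
        else:
            run_len = 0              # any other byte breaks the run
    return best_off, best_len


def looks_like_sled(buf: bytes, threshold: int = 24) -> Optional[tuple]:
    """Flag the buffer if its longest NOP-equivalent run reaches the threshold."""
    off, length = longest_sled(buf)
    return (off, length) if length >= threshold else None


# Constructed samples: a classic 0x90 sled, the same idea written as printable
# letters (which a 0x90-only signature would miss), and a benign request body.
SAMPLE_CLASSIC = b"user=" + b"\x90" * 40 + b"\xcc" * 8
SAMPLE_ALPHA = b"user=" + b"ABCDEFGHIJKLMNO" * 3 + b"\xcc" * 8
SAMPLE_BENIGN = b"user=alice&lang=en\r\n"

if __name__ == "__main__":
    for name, s in [("classic", SAMPLE_CLASSIC), ("alpha", SAMPLE_ALPHA), ("benign", SAMPLE_BENIGN)]:
        print(name, looks_like_sled(s))
```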