Re: [Dailydave] So shellcode work is phun

From: Berend-Jan Wever (berendjanwevergmail.com)
Date: Sat Jul 25 2009 - 07:24:01 CDT


If you're not paranoid about blowing stuff up and just want your shellcode
to be both small and have a decent chance to work on Windows 7, try this:
http://skypher.com/index.php/2009/07/22/shellcode-finding-kernel32-in-windows-7/
(do let me know if that doesn't work on your machine!)

Cheers,
SkyLined

Berend-Jan Wever <berendjanwevergmail.com>
http://skypher.com/SkyLined

On Tue, Jun 30, 2009 at 5:28 PM, Dave Aitel <davekof.immunityinc.com> wrote:

> So today, in class, at the very end of the day, one of the students got his
> bindshell working. And he was connecting to it happily and quite pleased
> with himself and checking out his admin cmd.exe in taskmanager until we
> pointed out that he should probably bind to localhost instead of 0.0.0.0, at
> which point he got super paranoid. :>
>
> Anyways, one of the things we teach in class is to do error correction in
> your shellcode. That jne might cost you 2 bytes of space, but at least that
> 1/100th of a time when your bind() fails, you don't have to worry that you
> AVed some poor guy's lsass.
>
> That same thing is true for parsing the PEB and its mighty linked lists.
> If you make assumptions about what order modules are loaded in, then things
> are going to blow up eventually. Probably not when you want them to.
>
> -dave
>
>
>
> On Mon, Jun 29, 2009 at 3:42 AM, Chris Eagle <cseagleredshift.com> wrote:
>
>> Perhaps relevant:
>>
>>
>> http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html
>>
>> Chris
>>
>> Jared DeMott wrote:
>> > Dear Dave,
>> >
>> > Just for phun, I sat down to test a simple popup calc shellcode on
>> > Windows 7 RC today and it pooped. I verified that it worked on XP and
>> > Vista, and thought darn ... now I'm going to have to see why it failed
>> > on Windows 7 and email H D Moore. Anyone else seen this or am I on
>> > crack today?
>> >
>> > Cheers,
>> > Jared
>> > _______________________________________________
>> > Dailydave mailing list
>> > Dailydavelists.immunitysec.com
>> > http://lists.immunitysec.com/mailman/listinfo/dailydave
>> >
>> >
>>
>
>
