Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Subject: [DeepZone black tool] WinNT/2k portable shellcode generator is on-line!!!
From: |Zan (izanDEEPZONE.ORG)
Date: Thu Dec 28 2000 - 12:35:05 CST
- Next message: Neal Dias: "Re: The NSA's Security-Enhanced Linux"
- Previous message: Mark D. Goldman: "Re: source code extracting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This post was sent recently to BugTraq. Exploits developers can be
I am sure that it can have some little bug but shellcodes are working
-----BEGIN PGP SIGNED MESSAGE-----
Recently a lot of Win32 b0fs are arisen. They are exploitables but it
isn't an easy way. Result is that i am not viewing many "Win32 black
exploits" in BugTraq. Why?? ... well ... you can lose time, resources
and "beautiful dreams" parsing hard streams or in a deep debugging.
This e-mail can contain useful stuff for exploit developers or proof
of concept code exploiters thinking in post to bugtraq their new
WinNT/2k remote exploits ;)
In Unix world, shellcodes "are more generics" but in Win32 world (or
WinAPI world) you have to hack a new shellcode or change minimal
details with any new b0f exploit. Later, "Buggy Application v1.0" can
contain a hard parsing but "Buggy Application v2.0" can contain a
very strong parsing and another API addresses (IT addresses) killing
your previous job :(
Porting shellcodes to different languages is another big problem.
Jack Barnaby has released its shellcode in asm, i have some exploit
in perl ... but i am sure that C is another good choice in Linux
is there an easy solution ? ... well ... it can be ... If buggy
application contains "GetProcAddress and LoadLibraryA addresses"
linked in import table you can run portable code (it isn't new ...
viruses, cracks and another "unofficial addons" works in this way).
If you programs your shellcode with some tips you can get dynamic and
non-null relocate code. It isn't any new thing.
If your NT/2k local/remote objective isn't firewalled you can bind a
shellcode in an arbitrary port (Jack Barnaby technique ;)
Well ... now ... we mix all stuff + CGI technology and we have a
plug&play WinNT/2k shellcode generator connected to Internet (in this
moment, it's on-line). With this automatic BETA tool you only have to
find the correct "return address" and GetProcAddress and LoadLibrary
addresses in import table. Dirty job is maked and you can try new
"hard streams" to bypass those "strong checks" or zero byte problem
with only click a button.
This generator is BETA code and it's only an automatic proof of
concept tool. In this moment it is generating in three different
languages (asm, C y perl) and it supports null-problem or zero
byte-problem (XOR solution).
Shellcodes generated is free and it can be included in any exploit or
proof of concept code to demostrate vulnerabilities in Wintel NT/2k
plataforms. You are free to hack "html interface" with your site's
colour and style too or post us our documentation translated in your
own language. It'll be included giving you credits about your fine
I have coded some new exploits tracking last WinNT/2k b0fs in BugTraq
and shellcodes worked fine.
* spanish version
* english version (direct link)
i hope to view more Win32 black exploits living in BugTraq now ;)
Greetings, credits and another stuff are included in generator.
Please, shellcode is working fine so
if you can't run it or you don't known how to make a new "plug and
play exploit" then you should read
previous papers about Win32 b0fs and phrack articles. Please, don't
flood me with "howto emails" ;)
Any reversing comment, WinNT/2k core stuff, possible addon or ... any
interesting black/white hat stuff please drop me an e-mail freely;
you'll get a fast reply as fast as possible.
Any colaboration posted about this "toy" or new documentation will be
added in previous links
excuse my fantastic english ... but i lost my pocket dictionary ;)
happy new year,
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
-----END PGP SIGNATURE-----