Hacking/Shellcode/Alphanumeric/ALPHA3/x86/ASCII/Mixedcase/SEH GetPC (XP sp3)
From Skypher
SEH GetPC code can determine where it is being executed in memory. This is required by self-modifying or self-decoding shellcodes, such as alphanumeric shellcodes created using ALPHA2 and ALPHA3, which need to know where they are located in order to modify or decode themselves. The examples below show how to create SEH GetPC code that is 100% alphanumeric ASCII, for use with these alphanumeric shellcode encoders. This code successfully bypasses all mitigations implemented in the SEH code on Windows XP up to sp3 by placing the structured exception handler code on the heap. The realization that this would bypass existing mitigations came after analyzing this VML fill method BoF exploit by jamikazu. It overwrites the entire stack with pointers to shellcode on the heap before causing an exception. The exception will cause the SEH to execute the shellcode, because the mitigations in Windows XP sp3 allow the SEH handler code to be on the heap.
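The point above is that a handler check which only rejects stack addresses lets a heap-resident handler through. As an added illustration from the defensive side (not code from this page or from SkyLined), the Python below models an SEH chain walk with two validation policies: a lenient rule that only refuses handlers on the stack, and a strict rule that only accepts handlers inside an executable image mapping (the property a SafeSEH-style registered-handler list enforces). The memory layout, the chain contents and the exact behaviour of the XP-era check are constructed assumptions for the example, not Windows internals.

```python
# Added illustration: a simplified model of SEH handler-address validation.
# Not code from Skypher or SkyLined; the region layout and the two policies
# below are assumptions constructed for this example, not Windows internals.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Region:
    """A contiguous range of virtual memory, [start, end)."""
    name: str          # "stack", "heap", or "image:<module>"
    start: int
    end: int
    executable: bool = False


@dataclass(frozen=True)
class SehRecord:
    """One EXCEPTION_REGISTRATION record: where it lives and the handler it names."""
    address: int
    handler: int


# Constructed 32-bit address layout (not a real process dump).
REGIONS: List[Region] = [
    Region("stack", 0x00120000, 0x00130000),
    Region("heap", 0x00150000, 0x00250000),
    Region("image:ntdll.dll", 0x7C900000, 0x7C9B0000, executable=True),
]


def region_of(addr: int, regions: List[Region]) -> Optional[Region]:
    """Return the region containing addr, or None if it is unmapped."""
    for r in regions:
        if r.start <= addr < r.end:
            return r
    return None


def handler_allowed_stack_rule(handler: int, regions: List[Region]) -> bool:
    """Lenient rule (assumed model of the XP-era check): only reject a
    handler that lies on the stack. A handler on the heap passes."""
    r = region_of(handler, regions)
    return r is not None and r.name != "stack"


def handler_allowed_image_rule(handler: int, regions: List[Region]) -> bool:
    """Strict rule: the handler must lie inside an executable image mapping.
    Stack, heap and unmapped addresses are all rejected."""
    r = region_of(handler, regions)
    return r is not None and r.executable and r.name.startswith("image:")


def audit_chain(chain: List[SehRecord], regions: List[Region]) -> List[Tuple[int, str, bool, bool]]:
    """Walk an SEH chain and report, per record, the handler's region name and
    the verdict of each rule. A record that does not itself live on the stack
    is flagged as well, since a sane chain is entirely stack-resident."""
    report = []
    for rec in chain:
        rec_region = region_of(rec.address, regions)
        if rec_region is None or rec_region.name != "stack":
            report.append((rec.handler, "record-not-on-stack", False, False))
            continue
        h_region = region_of(rec.handler, regions)
        name = h_region.name if h_region else "unmapped"
        report.append((
            rec.handler,
            name,
            handler_allowed_stack_rule(rec.handler, regions),
            handler_allowed_image_rule(rec.handler, regions),
        ))
    return report


# Constructed chain: a legitimate image-resident handler first, then the pattern
# the page describes, a stack-resident record whose handler points into the heap.
SAMPLE_CHAIN: List[SehRecord] = [
    SehRecord(address=0x0012FF00, handler=0x7C90E900),
    SehRecord(address=0x0012FE80, handler=0x00160000),
]


if __name__ == "__main__":
    for handler, where, stack_ok, image_ok in audit_chain(SAMPLE_CHAIN, REGIONS):
        print(f"handler {handler:#010x} in {where:<20} stack-rule={stack_ok} image-rule={image_ok}")
```

Running it shows the heap handler passing the stack-only rule and failing the image rule, which is exactly the gap the page's technique relies on: a dispatcher that only asks "is the handler on the stack?" cannot distinguish a heap-resident handler from a legitimate one, whereas restricting handlers to executable image mappings (or to a registered handler table) closes it.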
CODE
There are currently two implementations, each referring to EIP in a different way:
See also
- x86 printable opcodes - A list of all available opcodes for alphanumeric code on x86.
- ALPHA3: x86 ASCII mixedcase decoder - A mixedcase alphanumeric decoder for x86.
- GetPC - A description of how GetPC works.
SkyLined would like to thank the following people:
- rix for the phrack article on alphanumeric shellcode.
- obscou for the phrack article on unicode-proof shellcode.
- Costin Ionescu for the idea behind w32 SEH GetPC code.
- tms320/ph4nt0m Security Team for the article on using a different IMUL value in my alphanumeric decoders.
- jamikazu for this VML fill method BoF exploit that points the SEH to the heap to bypass Software DEP.
