OWASP / ZSC

OWASP ZSC - Shellcode/Obfuscate Code Generator https://www.secologist.com/
https://www.secologist.com/
Other
647 stars 217 forks source link

software not exit the loop if find a null in shellcode #80

Open Ali-Razmjoo opened 8 years ago

Ali-Razmjoo commented 8 years ago

hello friends,

I release that when we use a specific value for encoding shellcodes example( sub/xor/add_yourvalue ) it could make a null and there is if in script it tries again if find \x00 in software.

for example run this command zsc.py -p windows_x86/exec/xor_0x41414141 -i calc.exe, we need to check and if there is a null, return an error, also there is more, inc and dec also could make the nulls,

'%x'%(int('0x4f5ec401',16) - int('0x1',16)) '4f5ec400'

or

 '%x'%(int('0x4f5ec4ff',16) + int('0x1',16))
'4f5ec500'

we need to return error and tell user this value make nulls or change value +1 or -1

@Pratik151 please notice that until you adding encoder and we not fix it

Pratik151 commented 8 years ago

81 is fix for that xor_0x41414141 but as you said something like '%x'%(int('0x4f5ec401',16) - int('0x1',16)) '4f5ec400' will still go in infinite loop and I tried it fixing. So how do you suggest fixing it? Like throw an error?(and user has to start everything from start)

or ask user to enter other value in yourvalue? This can be done if we make one user defined exception and throw it when there is null value and catch it somewhere here and we can loop back and get another encode from user. or do you have other way of plan to solve this?

Ali-Razmjoo commented 8 years ago

Maybe we can alert user about couldn't use this code for encoding and automaticly generate shellcode with another value [near the real value] for user, near value could generate like:

while not not found in shellcode:

        value++
while not not found in shellcode:

        value--

or any idea?

Pratik151 commented 8 years ago

@Ali-Razmjoo I tried that for file create and the code is increasing much and we have to do it for all shellcodes like exec, etc., So my suggestion was to ask user only to enter some other value if null is found? or maybe we can give alert when there is null byte and use random encoder?

@CodeMaxx Any suggestions?

CodeMaxx commented 8 years ago

I believe we should ask user to give some other value for encoding. The user might prefer certain values over other.

CodeMaxx commented 8 years ago

@Ali-Razmjoo @Pratik151 Anything finalised about this?

paraschetal commented 8 years ago

I think we should output the shellcode as is and just give a warning to the user about the null bytes. If he doesn't want them then he can try again ith some other value for encoding because some string functions copy the null bytes too without terminating the string at them.

Ali-Razmjoo commented 8 years ago

I was think what if a user get this warning 3 times ?! user will not use this software again. we need to find a better way, maybe enabling verbose mod and show them something to understand where is the problem.

Ali-Razmjoo commented 8 years ago

Hello friends let's come back here to make a decision about solving this bug, I think for now we can warn the users about input value, but it's not solving the problem, just covering it. any idea ?

CodeMaxx commented 8 years ago

Maybe we can give a warning such as

NULL BYTES FOUND

The shellcode you generated contains null bytes. If you did not intend this please use a different value for encoding your shellcode.

Then maybe we can ouput shellcodes for value+1 and value-1 if they don't contain Null Bytes. If both a them have null bytes we provide an option to enter another value.

Ali-Razmjoo commented 8 years ago

I think we need to split the values first and find where is the null byte found, for example if our values are:

ABCD
ESSS
XJYZ

and we xor this values with JJJJ, the second byte of 3rd line will be null, like XNULLXX, now if we make value+1 which mean JJJJ+1= JJJK , second value will be null again, because it's still xoring J with J and it's begin null again, but if we detect, it's second byte making the null, we can change it to JJ+1JJ which will be JKJJ, python syntax:

value[:1] + (value[1] + 1) + value[2:]

and then warn users, which we change value onces because of null was created.