
■
Bugtraq@securityfocus.com
■
Focus-MS@securityfocus.com
■
Pen-Test@securityfocus.com
Q: I’ve heard that shellcode that contains NULL bytes is useless. Is this true?
A: The answer depends on how the shellcode is used. If the shellcode is injected
into an application via a function that uses NULL bytes as string terminators, it
is useless. However, there are often many other ways to inject shellcode into a
program without having to worry about NULL bytes.You can, for example, put
the shellcode in an environment variable when trying to exploit a local program.
Q: My shellcode contains all kinds of bytes that cause it to be rejected by the appli-
cation I’m ...