Shellcoding ... again.

From: deepcode . (pondermate_at_hotmail.com)
Date: 07/24/03

    To: vuln-dev@securityfocus.com
    Date: Thu, 24 Jul 2003 12:57:27 -0300
    
    

    Here I am again with shellcoding questions ... bear with me, it's hard to
    find info on this subject other than texts with 2 pages of assembly code
    that constitute remote, http-trojan-downloading, all-portable, optimized
    shellcodes that I can't even begin to assimilate.

    I'm just trying a simple ExitProcess shellcode, hardcoded address.
    (By the way, this is on win32.)

    kernel32.dll

    imagebase= 0x77E80000
    ExitProcess RVA = 0x0000F32D

    Got these from DUMPPE, added them together to get 0x77E8F32D for the ExitProcess
    address. Pretty sure that's the right way to get the address.

    To test it out, I wrote a program that used inline assembly with that
    address.
    -----------------------------------------------------
    #include <windows.h>

    int main()
    {
    HINSTANCE h;

    h = LoadLibrary("kernel32.dll");

    /* GCC inline assembly, AT&T syntax; one instruction per string piece */
    __asm__("xor %edi, %edi\n\t"
            "push %edi\n\t"
            "call 0x77E8F32D");

    FreeLibrary(h);
    return 0;
    }
    ----------------------------------------------------

    The program runs fine. No errors, no problems at all, so I'm assuming it
    worked just fine.

    When disassembled in gdb (win32 port), I followed from xor edi, edi with x/bx
    to get the opcodes:

    0x31, 0xFF, 0x57 for the xor and push, which doesn't seem right.
    0xE8 for call, and then 0xF9, 0xE0, 0xA8 and 0x77. I assume it loaded
    into memory at different addresses and got the addresses changed, no biggie.

    I put the codes into a char array shellcode, and put my original address in
    after the 0xE8 backwards (I think that's how to do it) and it errors out.

    I've tried rearranging the address in all possible combinations, so I don't
    think that's the problem.

    --------------------------------------------------------
    #include <windows.h>

    char shellcode[] =
    "\x31\xFF\x57\xE8" // opcodes gotten from gdb
    "\x2D\xF3\xE8\x77"; // address backwards.

    int main(void)
    {
         HINSTANCE h;

         h = LoadLibrary("kernel32.dll");

        ((void (*)(void)) &shellcode)();

        FreeLibrary(h);
    }
    -----------------------------------------------------

    I'm getting lost now ... this was so much easier on unix.

    If anyone would like to help me out, I'd appreciate it.

    deepcode
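Added example (not part of the original post): a small C helper that decodes a 5-byte x86 near call (opcode E8) the way a disassembler does, using only the byte values and the ExitProcess address quoted in the post. It shows that the four bytes after E8 are a displacement relative to the next instruction, not an absolute address, and recovers where the compiled call must have sat for gdb to print F9 E0 A8 77. The array load address 0x00403000 is an assumed value for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Read the little-endian 32-bit displacement that follows an E8 opcode. */
static int32_t call_rel32(const uint8_t *ins)
{
    return (int32_t)((uint32_t)ins[1] | (uint32_t)ins[2] << 8 |
                     (uint32_t)ins[3] << 16 | (uint32_t)ins[4] << 24);
}

/* Target of a near call located at ins_addr: the displacement is added to
 * the address of the *next* instruction (ins_addr + 5), never to zero. */
static uint32_t call_target(const uint8_t *ins, uint32_t ins_addr)
{
    return ins_addr + 5 + (uint32_t)call_rel32(ins);
}

/* Inverse: given the encoded bytes and the target they are known to reach,
 * recover the address at which the call instruction was disassembled. */
static uint32_t call_location(const uint8_t *ins, uint32_t target)
{
    return target - 5 - (uint32_t)call_rel32(ins);
}

/* Bytes quoted in the post: what gdb's x/bx showed for the compiled call ... */
static const uint8_t from_gdb[5]   = { 0xE8, 0xF9, 0xE0, 0xA8, 0x77 };
/* ... and the bytes placed in the char array (absolute address, reversed). */
static const uint8_t from_array[5] = { 0xE8, 0x2D, 0xF3, 0xE8, 0x77 };

int main(void)
{
    uint32_t exit_process = 0x77E8F32D;   /* imagebase + RVA from the post */
    uint32_t array_addr   = 0x00403000;   /* assumed load address, illustration only */

    printf("rel32 in compiled call : 0x%08X\n", (uint32_t)call_rel32(from_gdb));
    printf("compiled call sat at   : 0x%08X\n",
           call_location(from_gdb, exit_process));
    printf("array bytes at 0x%08X would call 0x%08X, not ExitProcess\n",
           array_addr, call_target(from_array, array_addr));
    return 0;
}
```

The recovered location 0x0040122F lies in the .text section of a default-linked Win32 image (base 0x00400000), which is why the same bytes cannot work once copied into a char array at another address.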
