Re: ms03-049 exploit xp sp0

From: upb (upb_at_email.ee)
Date: 11/13/03

  • Next message: upb: "Re: ms03-049 exploit xp sp0"
    To: "wirepair" <wirepair@roguemail.net>, <vuln-dev@securityfocus.com>
    Date: Thu, 13 Nov 2003 02:22:18 +0200
    
    

    heya.
    the shortest way I know is:
    00000000: EB14 jmps 000000016
    00000002: 832C2440 sub d,[esp],040 ;"@"
    00000006: E8F5FFFFFF call 000000000

    11 bytes :(
    however, if you know that the code will be on the stack, you could do something like
    00000000: 83EC44 sub esp,044 ;"D"
    00000003: FFE4 jmp esp

    upb
    ----- Original Message -----
    From: "wirepair" <wirepair@roguemail.net>
    To: <vuln-dev@securityfocus.com>
    Sent: Wednesday, November 12, 2003 11:03 PM
    Subject: ms03-049 exploit xp sp0

    > lo all,
    > Well I got xp sp0 to execute my code, but sp1 has a different stack
    > layout. After the return address, data only has about 4 or 8
    > bytes (I can't remember and I'm too lazy to check because I've been
    > messing with this for the past 7 hours).
    > Since I have 4/8 bytes to work with I'm contemplating doing some sort of
    > jmp / call and stuff my shellcode in the beginning of the
    > buffer instead of tacking it on to the end like my current exploit.
    > Unfortunately my asm is lacking still and I am unsure about
    > the best way of making it jmp/call the address (without nulls and without
    > hardset stack addresses).
    > If you can offer any suggestions I would *greatly* appreciate it.
    > Anyways here's my code http://sh0dan.org/files/0349.cpp
    > or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only,
    > sp1 will definitely crash.
    > Thanks,
    > -wire
    >
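    Added example, written for this archive page and not code from either poster: a small Python checker that decodes the two byte sequences upb listed, resolves their jmp/call targets so the listed destinations (0x16 and 0) can be confirmed, checks the bytes for the NULs wirepair wanted to avoid, and matches the sequences as detection signatures inside a captured buffer. The opcode subset, the signature labels and the sample buffer are my own constructions.

```python
import struct

# Constructed from the byte listings quoted in upb's reply; the labels are my own.
JMP_CALL_TRAMPOLINE = bytes.fromhex("EB14832C2440E8F5FFFFFF")  # 11 bytes
SUB_ESP_JMP_ESP = bytes.fromhex("83EC44FFE4")                   # 5 bytes
SIGNATURES = {
    "jmps + sub [esp] + call-back trampoline": JMP_CALL_TRAMPOLINE,
    "sub esp + jmp esp stub": SUB_ESP_JMP_ESP,
}

def has_nulls(code: bytes) -> bool:
    """True if the stub contains a NUL byte (the constraint wirepair asks about)."""
    return b"\x00" in code

def decode(code: bytes, base: int = 0):
    """Linear decode of only the five x86 instruction forms used in the quoted
    stubs; returns (offset, mnemonic, operand) with jmp/call targets resolved
    relative to `base`. Stops at the first unrecognised opcode."""
    out, i = [], 0
    while i < len(code):
        b = code[i]
        if b == 0xEB and i + 2 <= len(code):                          # jmp short rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            out.append((base + i, "jmp short", base + i + 2 + rel)); i += 2
        elif b == 0xE8 and i + 5 <= len(code):                        # call rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            out.append((base + i, "call", base + i + 5 + rel)); i += 5
        elif code[i:i + 3] == b"\x83\x2c\x24" and i + 4 <= len(code): # sub dword [esp], imm8
            out.append((base + i, "sub dword [esp]", code[i + 3])); i += 4
        elif code[i:i + 2] == b"\x83\xec" and i + 3 <= len(code):     # sub esp, imm8
            out.append((base + i, "sub esp", code[i + 2])); i += 3
        elif code[i:i + 2] == b"\xff\xe4":                            # jmp esp
            out.append((base + i, "jmp esp", None)); i += 2
        else:
            break
    return out

def find_stubs(buf: bytes):
    """Signature scan: (offset, label) for every known stub found in buf."""
    hits = []
    for label, sig in SIGNATURES.items():
        start = 0
        while (pos := buf.find(sig, start)) != -1:
            hits.append((pos, label)); start = pos + 1
    return sorted(hits)

# Constructed sample input: filler, the 11-byte trampoline, more filler.
SAMPLE = b"A" * 20 + JMP_CALL_TRAMPOLINE + b"B" * 8
```

    Calling decode(JMP_CALL_TRAMPOLINE) reproduces upb's listing (jmp short lands at 0x16, the call lands back at 0), and find_stubs(SAMPLE) reports the trampoline at offset 20.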

