Dailydave mailing list archives

Re: Shellcode

From: Alexander Sotirov <asotirov () determina com>
Date: Tue, 29 Nov 2005 11:55:50 -0800

Pedro E wrote:

LibraryReturn:
      pop ecx                         ;get the library string
      mov [ecx + 10], dl              ;MY PROBLEM is this line I don't
have the right permissions to modify the NULL value and finish the string
      mov ebx, 0x79470221             ;LoadLibraryA(libraryname);
      push ecx                        ;beginning of user32.dll
      call ebx                        ;eax will hold the module handle
      jmp short FunctionName
xxx
..
..
GetLibrary:
      call LibraryReturn
      db 'user32.dllN'


Just put the string on the stack:

push 0x5f5f6c6c              ; 'll__'
push 0x642e3233            ; '32.d'
push 0x72657375            ; 'user'
call LibraryReturn

LibraryReturn:
    lea ecx, [esp+4]            ; esp+4 points to the string "user32.dllXX"
    mov [ecx + 10], dl        ; the string is on the stack, so you can
write the null terminator


or even better:

xor eax, eax
mov ax, 6c6c
push eax                          ; 'll\0\0'
push 0x642e3233            ; '32.d'
push 0x72657375            ; 'user'
call LibraryReturn



Alex

Current thread:

Shellcode Pedro E (Nov 29)
- RE: Shellcode Dave Korn (Nov 29)
  - RE: Shellcode Dave Korn (Nov 29)
- Re: Shellcode Alexander Sotirov (Nov 29)
  - Re: Shellcode Isaac Dawson (Nov 29)
    - Re: Shellcode Dave Aitel (Nov 29)
    - Re: Shellcode H D Moore (Nov 29)
    - Re: Shellcode halvar (Nov 30)
    - RE: Shellcode Dafydd Stuttard (Nov 30)
    - Re: Shellcode halvar (Nov 30)
    - Re: HOLY GOD WE ARE SO OLD Matt Hargett (Nov 30)
    - Re: Shellcode halvar (Nov 30)
    - Re: Shellcode Dustin D. Trammell (Nov 30)
    - RE: Shellcode Dave Korn (Nov 30)

(Thread continues...)