Vulnerability Development mailing list archives

Shellcoding ... again.


From: "deepcode ." <pondermate () hotmail com>
Date: Thu, 24 Jul 2003 12:57:27 -0300

Here I am again with shellcoding questions ... bear with me, it's hard to find info on this subject other than texts with 2 pages of assembly code that constitute a remote, http-trojan-downloading, all-portable, optimized shellcode that I can't even begin to assimilate.

I'm just trying a simple ExitProcess shellcode, hardcoded address.
(By the way, this is on win32.)

kernel32.dll

imagebase       = 0x77E80000
ExitProcess RVA = 0x0000F32D

Got these from DUMPPE and added them together to get 0x77E8F32D for the ExitProcess address. Pretty sure that's the right way to get the address.

To test it out, I wrote a program that used inline assembly with that address.
-----------------------------------------------------
#include <windows.h>

int main(void)
{
    HINSTANCE h;

    h = LoadLibrary("kernel32.dll");

    /* gcc inline assembly, AT&T syntax: zero edi, push it as the exit
     * code, and call ExitProcess at the hard-coded address. */
    __asm("xor %edi, %edi\n\t"
          "push %edi\n\t"
          "call 0x77E8F32D\n\t");

    FreeLibrary(h);
    return 0;
}
----------------------------------------------------

The program runs fine. No errors, no problems at all, so I'm assuming it worked just fine.

When disassembled in gdb (win32 port), I followed from xor edi, edi with x/bx to get the opcodes:

0x31, 0xFF, 0x57 for the xor and push, which doesn't seem right.
0xE8 for the call, and then 0xF9, 0xE0, 0xA8 and 0x77. I assume it loaded into memory at different addresses and got the addresses changed, no biggy.

I put the codes into a char array shellcode, and put my original address in after the 0xE8 backwards (I think that's how to do it), and it errors out.

I've tried rearranging the address in all possible combinations, so I don't think that's the problem.

--------------------------------------------------------
#include <windows.h>

char shellcode[] =
    "\x31\xFF\x57\xE8"   // opcodes gotten from gdb
    "\x2D\xF3\xE8\x77";  // address backwards.

int main(void)
{
    HINSTANCE h;

    h = LoadLibrary("kernel32.dll");

    /* jump into the byte array as if it were a function */
    ((void (*)(void)) &shellcode)();

    FreeLibrary(h);
    return 0;
}
-----------------------------------------------------

I'm getting lost now ... this was so much easier on Unix.

If anyone would like to help me out, I'd appreciate it.

deepcode

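As an added illustration of the call encoding the post runs into (this is example code, not code from the post): the x86 E8 opcode takes a 32-bit displacement relative to the next instruction, not an absolute address, so the bytes gdb showed only reach 0x77E8F32D at the spot where the compiler placed them. The program below decodes an E8 call from a byte buffer and shows where each of the post's two byte sequences actually resolves; the instruction site 0x0040122F and the buffer address 0x00403000 are assumptions chosen for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Size of an E8 rel32 call: 1 opcode byte + 4-byte displacement. */
#define CALL_REL32_LEN 5

/* Read the little-endian 32-bit displacement that follows the E8 opcode. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve the target of an E8 call whose first byte sits at `site`. The
 * displacement is relative to the *next* instruction (site + 5), so the
 * same five bytes reach a different target at every load address.
 * Returns 0 if the byte at `insn` is not E8. */
uint32_t call_rel32_target(const unsigned char *insn, uint32_t site)
{
    if (insn[0] != 0xE8)
        return 0;
    return site + CALL_REL32_LEN + read_le32(insn + 1); /* wraps mod 2^32 */
}

/* Inverse: the displacement an assembler emits for a call at `site` that
 * must reach `target`. */
uint32_t call_rel32_disp(uint32_t site, uint32_t target)
{
    return target - (site + CALL_REL32_LEN);
}

int main(void)
{
    /* Bytes the post reports gdb showing for the inline call. The site
     * 0x0040122F is assumed: it is the address at which these bytes
     * resolve to ExitProcess; the post does not state it. */
    const unsigned char from_gdb[] = { 0xE8, 0xF9, 0xE0, 0xA8, 0x77 };
    /* The post's shellcode bytes: E8 followed by the absolute address. */
    const unsigned char from_post[] = { 0xE8, 0x2D, 0xF3, 0xE8, 0x77 };
    uint32_t exit_process = 0x77E80000u + 0x0000F32Du; /* imagebase + RVA */

    printf("gdb bytes at 0x0040122F call 0x%08X\n",
           (unsigned)call_rel32_target(from_gdb, 0x0040122Fu));
    /* At a constructed .data address of 0x00403000 the post's bytes call
     * somewhere far past ExitProcess. */
    printf("post bytes at 0x00403000 call 0x%08X, ExitProcess is 0x%08X\n",
           (unsigned)call_rel32_target(from_post, 0x00403000u),
           (unsigned)exit_process);
    return 0;
}
```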

