Vulnerability Development mailing list archives
Re: ms03-049 exploit xp sp0
From: "upb" <upb () email ee>
Date: Thu, 13 Nov 2003 02:22:18 +0200
heya. the shortest way i know is :

00000000: EB14        jmps 000000016
00000002: 832C2440    sub d,[esp],040 ;"@"
00000006: E8F5FFFFFF  call 000000000

11 bytes :( however, if you know that the code will be on stack, you could do like

00000000: 83EC44      sub esp,044 ;"D"
00000003: FFE4        jmp esp

upb

----- Original Message -----
From: "wirepair" <wirepair () roguemail net>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, November 12, 2003 11:03 PM
Subject: ms03-049 exploit xp sp0
lo all, Well I got xp sp0 to execute my code, but sp1 has a different stack
layout. after the return address data only has about 4 or 8
bytes (I can't remember and i'm too lazy to check because i've been
messing with this for the past 7 hours).
Since I have 4/8 bytes to work with i'm contemplating doing some sort of
jmp / call and stuff my shellcode in the beginning of the
buffer instead of tacking it on to the end like my current exploit.
Unfortunately my asm is lacking still and I am unsure about
the best way of making it jmp/call the address (without nulls and without
hardset stack addresses).
If you can offer any suggestions I would *greatly* appreciate it.
Anyways here's my code http://sh0dan.org/files/0349.cpp or the exe: http://sh0dan.org/files/0349.exe.
Remember this is SP0 only, sp1 will definitely crash.
Thanks, -wire
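The two stubs in upb's reply depend only on relative displacements, which is what lets them work without a hard-coded stack address. The program below is an added example, not code from either poster or from the 0349.cpp exploit: it encodes both stubs from the listing (the 11-byte jmp/sub/call sequence and the 5-byte sub esp/jmp esp trampoline), decodes the branch targets back out to show how the rel8/rel32 displacements are computed, and checks each byte string for NUL bytes, the constraint wirepair raises. The offsets 0x16, 0x40 and 0x44 are copied from the listing; nothing here runs the stubs or touches a real stack, and the imm32 form of sub esp is included only to show why a displacement above 0x7F pulls NULs in.

```c
/* Added example (not from the thread): encode/decode the x86-32 stubs upb
 * posted and check them for NUL bytes. Displacements are relative to the
 * byte after the instruction, so no absolute address is needed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* jmp short rel8 (EB ib). Returns bytes written, 0 if target is out of rel8 range. */
static size_t enc_jmp_short(uint8_t *out, uint32_t at, uint32_t target)
{
    int32_t rel = (int32_t)(target - (at + 2));   /* relative to next insn */
    if (rel < -128 || rel > 127) return 0;
    out[0] = 0xEB; out[1] = (uint8_t)rel;
    return 2;
}

/* call rel32 (E8 id), little-endian displacement relative to the next insn. */
static size_t enc_call_rel32(uint8_t *out, uint32_t at, uint32_t target)
{
    uint32_t rel = target - (at + 5);             /* unsigned wrap encodes negatives */
    out[0] = 0xE8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
    return 5;
}

/* sub esp, imm8 (83 EC ib): sign-extended 8-bit form, NUL-free for 1..0x7F. */
static size_t enc_sub_esp_imm8(uint8_t *out, int32_t imm)
{
    if (imm < -128 || imm > 127) return 0;
    out[0] = 0x83; out[1] = 0xEC; out[2] = (uint8_t)imm;
    return 3;
}

/* sub esp, imm32 (81 EC id): what an assembler emits once imm8 no longer fits. */
static size_t enc_sub_esp_imm32(uint8_t *out, uint32_t imm)
{
    out[0] = 0x81; out[1] = 0xEC;
    for (int i = 0; i < 4; i++) out[2 + i] = (uint8_t)(imm >> (8 * i));
    return 6;
}

/* sub dword [esp], imm8 (83 2C 24 ib) and jmp esp (FF E4). */
static size_t enc_sub_mem_esp_imm8(uint8_t *out, int8_t imm)
{
    out[0] = 0x83; out[1] = 0x2C; out[2] = 0x24; out[3] = (uint8_t)imm;
    return 4;
}
static size_t enc_jmp_esp(uint8_t *out) { out[0] = 0xFF; out[1] = 0xE4; return 2; }

/* Decode the target of a jmp short or call rel32 at offset 'at'; 0 if neither. */
static int branch_target(const uint8_t *code, uint32_t at, uint32_t *target)
{
    if (code[at] == 0xEB) { *target = at + 2 + (uint32_t)(int8_t)code[at + 1]; return 1; }
    if (code[at] == 0xE8) {
        uint32_t rel = 0;
        for (int i = 0; i < 4; i++) rel |= (uint32_t)code[at + 1 + i] << (8 * i);
        *target = at + 5 + rel;
        return 1;
    }
    return 0;
}

/* A NUL anywhere ends a C-string copy, so the stub would be truncated. */
static int nul_free(const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) if (b[i] == 0) return 0;
    return 1;
}

/* The 11-byte sequence from the reply: jmp 0x16 ; sub dword [esp],0x40 ; call 0. */
static size_t build_stub_11(uint8_t *out)
{
    size_t n = enc_jmp_short(out, 0, 0x16);
    n += enc_sub_mem_esp_imm8(out + n, 0x40);
    n += enc_call_rel32(out + n, (uint32_t)n, 0);
    return n;
}

/* The 5-byte stack trampoline: sub esp,0x44 ; jmp esp. */
static size_t build_stub_5(uint8_t *out)
{
    size_t n = enc_sub_esp_imm8(out, 0x44);
    n += enc_jmp_esp(out + n);
    return n;
}

/* 1 if both stubs match the bytes in the listing and contain no NUL. */
static int verify_thread_stubs(void)
{
    static const uint8_t want11[] = { 0xEB,0x14, 0x83,0x2C,0x24,0x40, 0xE8,0xF5,0xFF,0xFF,0xFF };
    static const uint8_t want5[]  = { 0x83,0xEC,0x44, 0xFF,0xE4 };
    uint8_t b[16];
    size_t n = build_stub_11(b);
    if (n != sizeof want11 || memcmp(b, want11, n) != 0 || !nul_free(b, n)) return 0;
    n = build_stub_5(b);
    if (n != sizeof want5 || memcmp(b, want5, n) != 0 || !nul_free(b, n)) return 0;
    return 1;
}

/* Target of the branch at offset 'at' in the 11-byte stub, or 0xFFFFFFFF if none there. */
static uint32_t stub11_branch_target(uint32_t at)
{
    uint8_t b[16]; uint32_t t;
    build_stub_11(b);
    return (at < 11 && branch_target(b, at, &t)) ? t : 0xFFFFFFFFu;
}

/* Does 'sub esp, imm' survive a NUL-terminated copy? imm8 form if it fits, else imm32. */
static int sub_esp_is_nul_free(int32_t imm)
{
    uint8_t b[8];
    size_t n = enc_sub_esp_imm8(b, imm);
    if (n == 0) n = enc_sub_esp_imm32(b, (uint32_t)imm);
    return nul_free(b, n);
}

static void dump(const char *name, const uint8_t *b, size_t n)
{
    printf("%-24s", name);
    for (size_t i = 0; i < n; i++) printf("%02X ", b[i]);
    printf(" (%u bytes, %s)\n", (unsigned)n, nul_free(b, n) ? "NUL-free" : "contains NUL");
}

int main(void)
{
    uint8_t b[16];
    size_t n = build_stub_11(b);      dump("jmp/sub/call stub", b, n);
    n = build_stub_5(b);              dump("sub esp,44 / jmp esp", b, n);
    n = enc_sub_esp_imm32(b, 0x100);  dump("sub esp,100 (imm32)", b, n);
    printf("jmp at 0 -> %#x, call at 6 -> %#x\n",
           stub11_branch_target(0), stub11_branch_target(6));
    return verify_thread_stubs() ? 0 : 1;
}
```

The decoder is the useful half when reading someone else's listing: a call whose rel32 is F5FFFFFF at offset 6 resolves to offset 0 only because the displacement wraps modulo 2^32, which is also why `sub esp,044` is chosen as an imm8 rather than a larger value; past 0x7F the assembler switches to the 81 EC form and the immediate's upper bytes become NULs.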
Current thread:
- ms03-049 exploit xp sp0 wirepair (Nov 12)
- Re: ms03-049 exploit xp sp0 upb (Nov 12)
- <Possible follow-ups>
- Re: ms03-049 exploit xp sp0 upb (Nov 12)
- Re: ms03-049 exploit xp sp0 dave (Nov 13)