Re: ms03-049 exploit xp sp0

From: upb (upbemail.ee)
Date: Wed Nov 12 2003 - 18:22:18 CST


heya.
the shortest way i know is:
00000000: EB14 jmps 000000016
00000002: 832C2440 sub d,[esp],040 ;""
00000006: E8F5FFFFFF call 000000000

11 bytes :(
however, if you know that the code will be on the stack, you could do something like:
00000000: 83EC44 sub esp,044 ;"D"
00000003: FFE4 jmp esp

upb
----- Original Message -----
From: "wirepair" <wirepairroguemail.net>
To: <vuln-devsecurityfocus.com>
Sent: Wednesday, November 12, 2003 11:03 PM
Subject: ms03-049 exploit xp sp0

> lo all,
> Well I got xp sp0 to execute my code, but sp1 has a different stack
> layout. After the return address data only has about 4 or 8
> bytes (I can't remember and I'm too lazy to check because I've been
> messing with this for the past 7 hours).
> Since I have 4/8 bytes to work with I'm contemplating doing some sort of
> jmp / call and stuff my shellcode in the beginning of the
> buffer instead of tacking it on to the end like my current exploit.
> Unfortunately my asm is lacking still and I am unsure about
> the best way of making it jmp/call the address (without nulls and without
> hardset stack addresses).
> If you can offer any suggestions I would *greatly* appreciate it.
> Anyways here's my code http://sh0dan.org/files/0349.cpp
> or the exe: http://sh0dan.org/files/0349.exe. Remember this is SP0 only,
> sp1 will definitely crash.
> Thanks,
> -wire