Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

dailydave logo Dailydave mailing list archives

Re: Shellcode
From: Alexander Sotirov <asotirov () determina com>
Date: Tue, 29 Nov 2005 11:55:50 -0800
Pedro E wrote:


LibraryReturn:
      pop ecx                         ;get the library string
      mov [ecx + 10], dl              ;MY PROBLEM is this line I don't
have the right permissions to modify the NULL value and finish the string
      mov ebx, 0x79470221             ;LoadLibraryA(libraryname);
      push ecx                        ;beginning of user32.dll
      call ebx                        ;eax will hold the module handle
      jmp short FunctionName
xxx
..
..
GetLibrary:
      call LibraryReturn
      db 'user32.dllN'


Just put the string on the stack:

push 0x5f5f6c6c              ; 'll__'
push 0x642e3233            ; '32.d'
push 0x72657375            ; 'user'
call LibraryReturn

LibraryReturn:
    lea ecx, [esp+4]            ; esp+4 points to the string "user32.dllXX"
    mov [ecx + 10], dl        ; the string is on the stack, so you can
write the null terminator


or even better:

xor eax, eax
mov ax, 6c6c
push eax                          ; 'll\0\0'
push 0x642e3233            ; '32.d'
push 0x72657375            ; 'user'
call LibraryReturn



Alex

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]