Vulnerability Development mailing list archives
Tiny Windows 2000 Reverse Connect
From: H D Moore <sflist () digitaloffense net>
Date: Mon, 6 Oct 2003 16:11:19 -0500
Most operating systems ship with a massive number of files that have not been modified since the initial release; these files can be used to develop really small service-pack independent shellcode. The trick is to use a single LoadLibraryA call to get the module base, then call the IAT functions directly using hardcoded offsets. The result is a reverse-connect/download-shellcode payload that is 179 bytes and works on every service pack of Windows 2000 :) I managed to get a null-free version right around 200 bytes, but any really small XOR encoder will work as well.

This technique, dubbed 'Vampiric Imports', is implemented in the following code:

- http://metasploit.com/sc/win2000_vampiric_connector.asm

A tiny XOR decoder based on noir's fnstenv getpc is online at:

- http://metasploit.com/sc/x86_fnstenv_xor_byte.asm

It should be possible to build similar payloads that work with NT 4.0, Windows XP, and Windows 2003...

-HD
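The payload described above works because an unchanged module's IAT slots sit at fixed RVAs from its base, so an analyst triaging such shellcode needs to map a hard-coded `call [base+rva]` back to the import it reaches. The following is an added example (not code from the post or from Metasploit): a minimal PE32 import-table walker that reports the RVA of every IAT slot, run against a constructed sample image; it assumes PE32 only and the standard (unbound) import layout.

```python
import struct

def rva_to_off(sections, rva):
    """Translate an RVA to a file offset via the section table (vsize, va, rawsize, rawptr)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")

def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def iat_slots(image):
    """Return (ImageBase, {"DLL!Func": RVA of that import's IAT slot}) for a PE32 image."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    nsec, opt_size = struct.unpack_from("<H", image, e_lfanew + 6)[0], struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                        # optional header (PE32 assumed)
    image_base, = struct.unpack_from("<I", image, opt + 28)
    imp_rva, = struct.unpack_from("<I", image, opt + 96 + 8)  # DataDirectory[1]: import table
    sections = [struct.unpack_from("<IIII", image, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    slots, desc = {}, rva_to_off(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0 and ft == 0:
            break                                              # null descriptor ends the table
        dll, lookup, i = cstr(image, rva_to_off(sections, name_rva)), rva_to_off(sections, oft or ft), 0
        while (thunk := struct.unpack_from("<I", image, lookup + 4 * i)[0]) != 0:
            name = f"#{thunk & 0xFFFF}" if thunk & 0x80000000 else cstr(image, rva_to_off(sections, thunk) + 2)
            slots[f"{dll}!{name}"] = ft + 4 * i                # slot a hard-coded 'call [base+rva]' reads
            i += 1
        desc += 20
    return image_base, slots

def build_sample_pe():
    """Constructed minimal PE32 (not a real binary): one .idata section, two KERNEL32 imports."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                   # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 28, 0x10000000)         # ImageBase
    struct.pack_into("<II", hdr, 0x58 + 104, 0x1000, 40)       # import directory RVA, size
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".idata", 0x100, 0x1000, 0x100, 0x200)
    idata = bytearray(0x100)
    struct.pack_into("<IIIII", idata, 0x00, 0x1030, 0, 0, 0x1060, 0x1040)  # descriptor, then null
    struct.pack_into("<III", idata, 0x30, 0x1070, 0x1080, 0)   # INT
    struct.pack_into("<III", idata, 0x40, 0x1070, 0x1080, 0)   # IAT (unbound)
    idata[0x60:0x6D], idata[0x70:0x7F], idata[0x80:0x91] = b"KERNEL32.dll\0", b"\0\0LoadLibraryA\0", b"\0\0GetProcAddress\0"
    return bytes(hdr + idata)
```

Adding ImageBase to each reported RVA gives the absolute slot address the module exposes when it loads at its preferred base, which is what a service-pack independent offset relies on.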