Vulnerability Development mailing list archives

Tiny Windows 2000 Reverse Connect


From: H D Moore <sflist () digitaloffense net>
Date: Mon, 6 Oct 2003 16:11:19 -0500

Most operating systems ship with a massive number of files that have not 
been modified since the initial release; these files can be used to 
develop really small service-pack independent shellcode. The trick is to 
use a single LoadLibraryA call to get the module base, then call the IAT 
functions directly using hardcoded offsets. The result is a 
reverse-connect/download-shellcode payload that is 179 bytes and works on 
every service pack of Windows 2000 :)

I managed to get a null-free version right around 200 bytes, but any 
really small XOR encoder will work as well. This technique, dubbed 
'Vampiric Imports', is implemented in the following code:
 - http://metasploit.com/sc/win2000_vampiric_connector.asm

A tiny XOR decoder based on noir's fnstenv getpc is online at:
 - http://metasploit.com/sc/x86_fnstenv_xor_byte.asm

It should be possible to build similar payloads that work with NT 4.0, 
Windows XP, and Windows 2003...

-HD
