Government Security
Network Security Resources

Windows Shellcode

18 replies to this topic

#1 Codecfault

Codecfault

    Private

  • Members
  • 18 posts

Posted 22 October 2003 - 11:19 PM

Does anyone know the whereabouts of any info on how to write shellcode for windows. I am looking to understand how various exploits work and hopefully to write my own.

Thank you for your time

Codecfault

#2 pr0t0type

pr0t0type

    Specialist

  • Members
  • 104 posts

Posted 23 October 2003 - 04:16 AM

Been trying to learn myself. I posted a good intro into buffer overflows in the sticky above and I've found this article to be really helpful. I'd be interested if anyone's got any good asm tuts :)

#3 Codecfault

Codecfault

    Private

  • Members
  • 18 posts

Posted 23 October 2003 - 10:09 PM

great link thanks pr0t0type

#4 SLiM577

SLiM577

    Private First Class

  • Members
  • 83 posts

Posted 06 December 2003 - 11:20 AM

thanks a lot guys, I'm also trying to learn to code /etc

#5 nazinofix

nazinofix

    Private

  • Members
  • 4 posts

Posted 19 December 2003 - 10:03 PM

http://www.hick.org/...2-shellcode.pdf

#6 Buluemoon

Buluemoon

    Specialist

  • Members
  • 116 posts

Posted 25 December 2003 - 01:53 PM

Thanks to all who posted links on this subject, the last 2 look very useful, and have to go and read them, been looking around but never saw these.

#7 Codecfault

Codecfault

    Private

  • Members
  • 18 posts

Posted 27 December 2003 - 09:28 PM

thanks a lot nazinofix great link

#8 skorpio

skorpio

    Private First Class

  • Members
  • 47 posts

Posted 28 December 2003 - 04:55 AM

thx nazinofix
very interesting link :)

byee

#9 Guest_[_0z_]_*

Guest_[_0z_]_*
  • Guests

Posted 07 January 2004 - 08:15 AM

great work.

#10 Guest_Hexboy_*

Guest_Hexboy_*
  • Guests

Posted 07 January 2004 - 05:49 PM

http://www.shellcode.com.ar has some windows shell code. I've learned a few sweet tricks from code available there.

#11 BillyJawz

BillyJawz

    Private First Class

  • Members
  • 31 posts

Posted 09 January 2004 - 12:30 PM

http://www.cs.fit.ed.../cs-2002-12.pdf

W32 buffer overflow from A to Z.

#12 nipagini

nipagini

    Private

  • Members
  • 11 posts

Posted 08 February 2004 - 11:22 AM

wow thx m8!!! that's a really good documentation about buffer overflows!!

#13 riotz

riotz

    Specialist

  • Members
  • 118 posts

Posted 10 February 2004 - 08:30 AM

these 2 pdfs are a real nice reading..
thanks for sharing :)

#14 Guest_archphase_*

Guest_archphase_*
  • Guests

Posted 10 February 2004 - 02:11 PM

Windows shellcode is a bitch to write. All of those win32 shellcode papers show how to get it by SEH or you can get it by using the TEB block i think or whatever is at fs:[30]..but i think the more code efficient way is like this..or at least i think it is.

mov ebx, ebp
mov eax, esp
sub eax, ebx; eax = amount of bytes on stack
mov ecx, [esp+eax]; ecx = somewhere in k32..search

loopme:
cmp word ptr [ecx], 5A4Dh; "MZ" as stored in memory (little-endian); 'M' + 'Z' would assemble to the sum 0A7h and never match
jz foundMZ
dec ecx; steps down one byte at a time; the papers step down a page/64KB at a time instead
jmp loopme

foundMZ:
nop; found if we find mz header.

I think that'll work on a typical vc++ app which builds the stack frame..just an idea.

#15 nazinofix

nazinofix

    Private

  • Members
  • 4 posts

Posted 11 February 2004 - 06:20 PM

The 'Understanding Windows Shellcode' paper cited earlier in this thread covers the technique of walking down in increments of 16 pages (64KB) to locate the MZ header associated with kernel32 by taking an address that is known to be inside kernel32. It applies this technique with both walking the SEH list to the last handler as well as using a known offset from the top of the stack which is in the TEB. The latter ends up being about 25 bytes all told. Is this what you're describing?
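As an added illustration of the two approaches compared in the last two posts (the byte-wise "MZ" scan in #14 and the 64KB walk from the paper described in #15), here is a small C program that is not code from the thread or from either paper. It simulates a 256 KiB slice of address space in a heap buffer so it builds and runs on any little-endian host; the header offsets, the decoy "MZ" data and the pointer at image+0x21234 are all constructed fixture values, and a real tool (a debugger or a memory-forensics scanner attributing a code pointer to its module) would read from the live process or a dump instead. The point it shows is that checking the "MZ" word alone stops at stray data, while validating e_lfanew and the "PE\0\0" signature does not.

```c
/* Added example (not from the thread): locating a PE image base from an
 * address known to lie inside the image, by walking down in 64 KiB steps and
 * validating the full MZ/PE signature chain.  Memory is simulated in a heap
 * buffer; assumes a little-endian host. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IMAGE_DOS_SIGNATURE 0x5A4Du     /* "MZ" read as a little-endian word */
#define IMAGE_NT_SIGNATURE  0x00004550u /* "PE\0\0" */
#define ALLOC_GRANULARITY   0x10000u    /* Win32 image bases are 64 KiB aligned */

typedef struct { const uint8_t *base; size_t size; } mem_region_t;

/* True if [p, p+n) lies inside the region we are allowed to read. */
static int readable(const mem_region_t *m, uintptr_t p, size_t n) {
    uintptr_t lo = (uintptr_t)m->base;
    return p >= lo && n <= m->size && p - lo <= m->size - n;
}

/* "MZ" at p, e_lfanew at p+0x3C, "PE\0\0" at p+e_lfanew.  Checking "MZ"
 * alone, as the forum snippet does, also matches DOS stubs and stray data. */
static int looks_like_pe(const mem_region_t *m, uintptr_t p) {
    uint16_t mz; uint32_t e_lfanew, sig;
    if (!readable(m, p, 0x40)) return 0;                 /* IMAGE_DOS_HEADER is 64 bytes */
    memcpy(&mz, (const void *)p, sizeof mz);
    if (mz != IMAGE_DOS_SIGNATURE) return 0;
    memcpy(&e_lfanew, (const void *)(p + 0x3C), sizeof e_lfanew);
    if (e_lfanew < 0x40 || e_lfanew > 0x1000) return 0;  /* sanity bound on the NT header offset */
    if (!readable(m, p + e_lfanew, sizeof sig)) return 0;
    memcpy(&sig, (const void *)(p + e_lfanew), sizeof sig);
    return sig == IMAGE_NT_SIGNATURE;
}

/* Round addr down to allocation granularity and step down 64 KiB at a time
 * (the walk described in the paper) until a validated header is found. */
const uint8_t *find_image_base(const mem_region_t *m, const void *addr, unsigned max_steps) {
    uintptr_t p = (uintptr_t)addr & ~(uintptr_t)(ALLOC_GRANULARITY - 1);
    for (unsigned i = 0; i < max_steps; i++) {
        if (looks_like_pe(m, p)) return (const uint8_t *)p;
        if (p < ALLOC_GRANULARITY) break;                /* do not wrap below address 0 */
        p -= ALLOC_GRANULARITY;
    }
    return NULL;
}

/* The forum snippet's strategy, for contrast: one byte at a time, first "MZ" wins. */
const uint8_t *naive_mz_scan(const mem_region_t *m, const void *addr) {
    uintptr_t p = (uintptr_t)addr;
    while (readable(m, p, sizeof(uint16_t))) {
        uint16_t w;
        memcpy(&w, (const void *)p, sizeof w);
        if (w == IMAGE_DOS_SIGNATURE) return (const uint8_t *)p;
        if (p == (uintptr_t)m->base) break;
        p--;
    }
    return NULL;
}

typedef struct { uint8_t *raw; mem_region_t region; } fixture_t;

/* Constructed 256 KiB "address space": a valid header at offset 0, a decoy
 * "MZ" on the 64 KiB boundary at 0x10000 with no PE signature behind it,
 * and the text "abcMZ" at 0x21000 as the kind of stray data a byte scan hits. */
static fixture_t build_fixture(void) {
    size_t span = 4 * ALLOC_GRANULARITY;
    uint8_t *raw = calloc(span + ALLOC_GRANULARITY, 1);
    if (!raw) abort();
    uint8_t *img = (uint8_t *)(((uintptr_t)raw + ALLOC_GRANULARITY - 1)
                               & ~(uintptr_t)(ALLOC_GRANULARITY - 1));
    uint32_t e_lfanew = 0x80;
    memcpy(img, "MZ", 2);
    memcpy(img + 0x3C, &e_lfanew, 4);
    memcpy(img + 0x80, "PE\0\0", 4);
    memcpy(img + 0x10000, "MZ", 2);
    memcpy(img + 0x10000 + 0x3C, &e_lfanew, 4);          /* points at zeros, not "PE\0\0" */
    memcpy(img + 0x21000, "abcMZ", 5);
    fixture_t f = { raw, { img, span } };
    return f;
}

/* Offset from the image base that each method reports for a pointer at
 * image+0x21234, or -1 if nothing was found. */
long validated_walk_offset(void) {
    fixture_t f = build_fixture();
    const uint8_t *hit = find_image_base(&f.region, f.region.base + 0x21234, 16);
    long off = hit ? (long)(hit - f.region.base) : -1;
    free(f.raw);
    return off;
}

long naive_scan_offset(void) {
    fixture_t f = build_fixture();
    const uint8_t *hit = naive_mz_scan(&f.region, f.region.base + 0x21234);
    long off = hit ? (long)(hit - f.region.base) : -1;
    free(f.raw);
    return off;
}

int main(void) {
    printf("validated 64 KiB walk stops at image+%ld\n", validated_walk_offset());
    printf("naive byte scan stops at image+%ld\n", naive_scan_offset());
    return 0;
}
```

The validated walk skips the 0x20000 boundary (no "MZ"), rejects the decoy at 0x10000 because nothing resembling "PE\0\0" sits at its e_lfanew, and lands on the real header at offset 0; the byte-wise scan stops at the "MZ" inside "abcMZ" at offset 0x21003. The same e_lfanew/"PE" check is what a forensic module-carving pass uses to avoid false positives when scanning memory for loaded images.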
