Tiny Windows 2000 Reverse Connect

Most operating systems ship with a massive number of files that have not 
been modified since the initial release; these files can be used to 
develop really small, service-pack-independent shellcode. The trick is to 
use a single LoadLibraryA call to get the module base, then call the IAT 
functions directly using hardcoded offsets. The result is a 
reverse-connect/download shellcode payload that is 179 bytes and works on 
every service pack of Windows 2000 :)

I managed to get a null-free version right around 200 bytes, but any 
really small XOR encoder will work as well. This technique, dubbed 
'Vampiric Imports', is implemented in the following code:
 - http://metasploit.com/sc/win2000_vampiric_connector.asm

A tiny XOR decoder based on noir's fnstenv getpc is online at:
 - http://metasploit.com/sc/x86_fnstenv_xor_byte.asm

It should be possible to build similar payloads that work with NT 4.0, 
Windows XP, and Windows 2003...