Code Archives / Miscellaneous / Arbitrary Code Execution
This code has been declared by its author to be Public Domain code.
This is a very simple demo that I find interesting. There are a number of reasons you might want to run code directly from the heap:
- the code could have been generated at runtime, providing flexibility and efficiency
- you want to try out that amazing new shellcode you were writing
- you like getting inside the computer

The payload in this example was written by 'xnull' and was posted at http://www.milw0rm.com

You will have to change the commenting if you want to run the example on a computer with Service Pack 1 instead of SP2, because the function addresses within kernel32.dll changed between the two service packs.
'/**
' * ARBITRARY ( HEAP ) CODE EXECUTION
' *
' * this code will store a set of machine instructions
' * in the heap and then execute them. I'm not sure
' * how stable this technique would be for a bigger
' * program as the stack frame may be corrupted after
' * the shell code completes (I haven't looked into it)
' *
' * the shell code was written by 'xnull' and can be
' * found at milw0rm.com in the shellcode section.
' * once running the PC speaker will be set to beep at
' * 3585hz for roughly one second (the duration dword
' * below is $3D0 = 976 ms)
' *
' * this will only run on WinXP Service Pack 2!
' * change the commenting for service pack 1
' *
' * - Pantheon
' *
' */

' this address will point to our shell code.
Global ShellCode:Byte Ptr

' point to memory of 35 bytes (on the heap)
ShellCode = MemAlloc( 35 )

' inserts the shellcode into the array
' (the x86 instruction each group of bytes encodes is noted on the right)
ShellCode[ 00 ] = $55   ' push ebp
ShellCode[ 01 ] = $89   ' mov ebp, esp
ShellCode[ 02 ] = $E5
ShellCode[ 03 ] = $83   ' sub esp, $18
ShellCode[ 04 ] = $EC
ShellCode[ 05 ] = $18
ShellCode[ 06 ] = $C7   ' mov dword [ebp-4], <kernel32.dll function address (Beep)>
ShellCode[ 07 ] = $45
ShellCode[ 08 ] = $FC
ShellCode[ 09 ] = $53   ' Address for Service Pack 2 ($7C838A53, stored little-endian)
ShellCode[ 10 ] = $8A
ShellCode[ 11 ] = $83
ShellCode[ 12 ] = $7C
'ShellCode[ 09 ] = $10  ' Address for Service Pack 1 ($77EAC910, stored little-endian)
'ShellCode[ 10 ] = $C9
'ShellCode[ 11 ] = $EA
'ShellCode[ 12 ] = $77
ShellCode[ 13 ] = $C7   ' mov dword [esp+4], duration
ShellCode[ 14 ] = $44
ShellCode[ 15 ] = $24
ShellCode[ 16 ] = $04
ShellCode[ 17 ] = $D0   ' Duration dword $000003D0 = 976 ms (bytes are little-endian)
ShellCode[ 18 ] = $03
ShellCode[ 19 ] = $00
ShellCode[ 20 ] = $00
ShellCode[ 21 ] = $C7   ' mov dword [esp], frequency
ShellCode[ 22 ] = $04
ShellCode[ 23 ] = $24
ShellCode[ 24 ] = $01   ' Frequency dword $00000E01 = 3585 Hz (bytes are little-endian)
ShellCode[ 25 ] = $0E
ShellCode[ 26 ] = $00
ShellCode[ 27 ] = $00
ShellCode[ 28 ] = $8B   ' mov eax, dword [ebp-4]
ShellCode[ 29 ] = $45
ShellCode[ 30 ] = $FC
ShellCode[ 31 ] = $FF   ' call eax
ShellCode[ 32 ] = $D0
ShellCode[ 33 ] = $C9   ' leave  (restores ebp/esp, which is why the frame check below passes)
ShellCode[ 34 ] = $C3   ' ret

' define a function using standard C calling convention
' residing at the address of ShellCode (on the heap)
Global Exec( ) "C" = ShellCode

' start execution of the shellcode
Exec( )

' test the stack frame
Print "Stack Frame Is Ok!"

' exit program
End
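The safer way to find out what a blob like this does is to decode it rather than run it. The following is an added example, not part of the original archive entry or of xnull's payload: a tiny pattern decoder for exactly the x86 instruction forms the 35 bytes above use. It recovers the hard-coded call target (which is why the payload is tied to one service pack), the two stack arguments staged for that call, and confirms that the code ends in leave/ret, which is what keeps the caller's stack frame intact. The byte array is a constructed copy of the listing; the function and variable names are my own.

```python
import struct

# Constructed copy of the 35 bytes from the listing above (Service Pack 2 variant).
SP2_SHELLCODE = bytes([
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x18,                 # push ebp; mov ebp,esp; sub esp,0x18
    0xC7, 0x45, 0xFC, 0x53, 0x8A, 0x83, 0x7C,           # mov [ebp-4], 0x7C838A53
    0xC7, 0x44, 0x24, 0x04, 0xD0, 0x03, 0x00, 0x00,     # mov [esp+4], 0x3D0
    0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00,           # mov [esp],   0xE01
    0x8B, 0x45, 0xFC,                                   # mov eax, [ebp-4]
    0xFF, 0xD0,                                         # call eax
    0xC9, 0xC3,                                         # leave; ret
])


def disassemble(code):
    """Decode only the handful of x86 instruction forms the listing uses.

    Returns a list of (offset, mnemonic, operands) tuples. Anything outside
    that small set raises, so an unrecognised byte is never silently skipped."""
    def s8(b):                       # sign-extend an 8-bit displacement
        return b - 256 if b > 127 else b

    out, i = [], 0
    while i < len(code):
        b = code[i]
        if b == 0x55:
            out.append((i, "push ebp", {})); i += 1
        elif code[i:i+2] == b"\x89\xE5":
            out.append((i, "mov ebp, esp", {})); i += 2
        elif code[i:i+2] == b"\x83\xEC":
            out.append((i, "sub esp, imm8", {"imm": code[i+2]})); i += 3
        elif code[i:i+2] == b"\xC7\x45":
            disp, imm = s8(code[i+2]), struct.unpack_from("<I", code, i+3)[0]
            out.append((i, "mov dword [ebp+disp8], imm32", {"disp": disp, "imm": imm})); i += 7
        elif code[i:i+3] == b"\xC7\x44\x24":
            disp, imm = s8(code[i+3]), struct.unpack_from("<I", code, i+4)[0]
            out.append((i, "mov dword [esp+disp8], imm32", {"disp": disp, "imm": imm})); i += 8
        elif code[i:i+3] == b"\xC7\x04\x24":
            imm = struct.unpack_from("<I", code, i+3)[0]
            out.append((i, "mov dword [esp], imm32", {"disp": 0, "imm": imm})); i += 7
        elif code[i:i+2] == b"\x8B\x45":
            out.append((i, "mov eax, dword [ebp+disp8]", {"disp": s8(code[i+2])})); i += 3
        elif code[i:i+2] == b"\xFF\xD0":
            out.append((i, "call eax", {})); i += 2
        elif b == 0xC9:
            out.append((i, "leave", {})); i += 1
        elif b == 0xC3:
            out.append((i, "ret", {})); i += 1
        else:
            raise ValueError(f"unsupported opcode 0x{b:02X} at offset {i}")
    return out


def analyze(code):
    """Recover what the payload would do without executing it: the absolute
    address it calls, the cdecl arguments it stages, and whether it restores
    the caller's frame (leave/ret) before returning."""
    insns = disassemble(code)
    frame_locals, stack_args, target = {}, {}, None
    for _, mnemonic, ops in insns:
        if mnemonic == "mov dword [ebp+disp8], imm32":
            frame_locals[ops["disp"]] = ops["imm"]
        elif mnemonic.startswith("mov dword [esp"):
            stack_args[ops["disp"]] = ops["imm"]
        elif mnemonic == "mov eax, dword [ebp+disp8]":
            target = frame_locals.get(ops["disp"])   # call goes through the value parked at [ebp-4]
        elif mnemonic == "call eax":
            break
    mnemonics = [m for _, m, _ in insns]
    return {
        "call_target": target,
        "args": [stack_args[k] for k in sorted(stack_args)],   # [esp], [esp+4], ... = first, second arg
        "frame_restored": mnemonics[-2:] == ["leave", "ret"],
        "length": len(code),
    }


def with_call_target(code, address):
    """Return a copy with the hard-coded dword at offsets 9..12 replaced,
    mirroring the listing's SP1/SP2 comment toggle."""
    patched = bytearray(code)
    patched[9:13] = struct.pack("<I", address)
    return bytes(patched)


if __name__ == "__main__":
    for off, mnemonic, ops in disassemble(SP2_SHELLCODE):
        print(f"{off:02d}: {mnemonic} {ops or ''}")
    print(analyze(SP2_SHELLCODE))
```

Running it shows the call target 0x7C838A53 and the arguments 3585 (frequency) and 976 (duration in ms), which is also how one notices that the "2 seconds" in the header comment does not match the bytes. Because the address is an absolute pointer into kernel32.dll rather than something resolved at runtime, any build of the DLL other than the one it was written for sends the call into an arbitrary location, which is consistent with the memory exceptions reported in the comments below.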
Comments
I get an Unhandled Memory Exception with and without debug mode. Edit: I tried the SP1 code and it doesn't give an Exception but no sound.

Same thing happened to me. (same as Azathoth, that is) and I also have SP2