(*ret) = (int)scode;
}
C:\grayhat>cl shellcode.c
...
C:\grayhat>shellcode.exe
This harness simply launches our shellcode, which in turn launches calc.exe. The shellcode isn't optimized for calc.exe, but it's far easier to grab non-optimized shellcode from a web page than to build optimized shellcode ourselves. The result of this execution is shown in Figure 11-4.
Bingo, the shellcode works! You may be wondering why the program crashed after launching the calculator. As seen in Figure 11-3, the default setting for EXITFUNC is "seh", which expects a registered structured exception handler to be in place when the shellcode exits. Since our harness registers no exception handler, the program crashes. To avoid this, we could have selected "thread", which ends the shellcode by calling ExitThread and so terminates the calling thread cleanly. Now let's move on toward our goal of exploiting meet.exe to do the same thing.
Figure 11-3 Screenshots of Metasploit shellcode generator
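The book's harness jumps straight into a char array, which works only while the stack is executable; with DEP/NX enabled that cast faults before the payload ever runs. The following harness is an added example, not code from the book: it copies the payload into memory explicitly mapped read/write/execute (VirtualAlloc on Windows, mmap elsewhere), calls it, and reports the value left in the return register. The function names (run_shellcode, alloc_exec, run_sample_payload) are this example's own, and the payload is constructed for the test: it just returns 42, so the harness can prove that control came back. A real payload generated with EXITFUNC=process or thread never returns to the harness, and one generated with EXITFUNC=seh and no handler registered crashes instead, which is exactly the behaviour described above.

```c
/* Added example: shellcode test harness using explicitly executable memory.
 * Not from the book; function names and the sample payload are this
 * example's own. */
#ifndef _WIN32
#define _DEFAULT_SOURCE /* expose MAP_ANONYMOUS on glibc */
#endif
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20 /* Linux x86/ARM value; assumption for strict-ANSI builds */
#endif
#endif

typedef int (*shellcode_fn)(void);

/* Constructed test payload: "return 42" for the architecture being built. */
#if defined(__x86_64__) || defined(_M_X64) || defined(__i386__) || defined(_M_IX86)
static const unsigned char sample_payload[] = {
    0xb8, 0x2a, 0x00, 0x00, 0x00, /* mov eax, 42 */
    0xc3                          /* ret         */
};
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char sample_payload[] = {
    0x40, 0x05, 0x80, 0x52,       /* mov w0, #42 */
    0xc0, 0x03, 0x5f, 0xd6        /* ret         */
};
#else
#error "no sample payload for this architecture"
#endif

/* Copy len bytes of shellcode into freshly mapped RWX memory.
 * Returns NULL if the allocation fails. */
static void *alloc_exec(const unsigned char *code, size_t len)
{
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (mem == NULL) return NULL;
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
#endif
    memcpy(mem, code, len);
#if defined(__GNUC__)
    /* Needed where instruction and data caches are split (e.g. AArch64). */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
#endif
    return mem;
}

static void free_exec(void *mem, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, len);
#endif
}

/* Run the payload and return whatever it left in the return register.
 * Only a payload that ends in `ret` gets back here: EXITFUNC=process or
 * thread terminates before returning, and EXITFUNC=seh with no handler
 * registered faults. Returns -1 if memory could not be allocated. */
int run_shellcode(const unsigned char *code, size_t len)
{
    void *mem = alloc_exec(code, len);
    if (mem == NULL) return -1;
    shellcode_fn fn = (shellcode_fn)mem;
    int rc = fn();
    free_exec(mem, len);
    return rc;
}

/* Convenience wrapper around the constructed payload. */
int run_sample_payload(void)
{
    return run_shellcode(sample_payload, sizeof sample_payload);
}

int main(void)
{
    int rc = run_sample_payload();
    printf("shellcode returned %d\n", rc);
    return rc == 42 ? 0 : 1;
}
```

To test a Metasploit-generated payload with this harness, paste its byte array in place of sample_payload; if you want the harness itself to survive the run, generate it with EXITFUNC=thread and call run_shellcode from a dedicated thread, since the payload will terminate whichever thread it runs on.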
Gray Hat Hacking: The Ethical Hacker's Handbook
262
Getting the Return Address
Just as you did with Linux, build a small utility to get the return address:
C:\grayhat>type get_sp.c
#include <stdio.h>

/* Return the current stack pointer. With MSVC inline asm, whatever is in EAX
   when the function ends is its return value, so no return statement is needed
   (the compiler only warns about the missing return). */
int get_sp(void) { __asm mov eax, esp }

int main(void) {
    printf("Stack pointer (ESP): 0x%x\n", get_sp());
    return 0;
}
C:\grayhat>cl get_sp.