Changeset 494

Timestamp:

04/08/06 19:51:08 (3 years ago)

Author:

common

Message:

Nepenthes
- shellcode-signatures add execute::msf_win32_exec

Files:

• nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (1 diff)

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc

@@ -969 +969 @@
-};
-
+
+
+execute::msf_win32_exec
+{
+
+/* win32_exec -  EXITFUNC=seh CMD=cmd.exe & ftp.exe Size=147 Encoder=None http://metasploit.com */
+
+        pattern
+        "\\xfc\\xe8\\x44\\x00\\x00\\x00\\x8b\\x45\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b"
+        "\\x4f\\x18\\x8b\\x5f\\x20\\x01\\xeb\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99"
+        "\\xac\\x84\\xc0\\x74\\x07\\xc1\\xca\\x0d\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x04"
+        "\\x75\\xe5\\x8b\\x5f\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb"
+        "\\x8b\\x1c\\x8b\\x01\\xeb\\x89\\x5c\\x24\\x04\\xc3\\x31\\xc0\\x64\\x8b\\x40\\x30"
+        "\\x85\\xc0\\x78\\x0c\\x8b\\x40\\x0c\\x8b\\x70\\x1c\\xad\\x8b\\x68\\x08\\xeb\\x09"
+        "\\x8b\\x80\\xb0\\x00\\x00\\x00\\x8b\\x68\\x3c\\x5f\\x31\\xf6\\x60\\x56\\x89\\xf8"
+        "\\x83\\xc0\\x7b\\x50\\x68\\xf0\\x8a\\x04\\x5f\\x68\\x98\\xfe\\x8a\\x0e\\x57\\xff"
+        "\\xe7(.*\\x00)";
+        mapping (none,command);
+};
+
+
+
-// taken from shellcode-generic/sch_genric_wget.cpp
-