
Writing Shellcode in C/C++ - kiuhnm
http://expdev.byethost7.com/2015/05/22/shellcode/
======
JoshTriplett
This site redirects to a malware site called "securesignupoffers". It only
appears to do so if your User-Agent looks like a browser, and a quick search
suggests that that site attempts to exploit your browser.

It's a server-side redirect, not a script redirect, and searches suggest that
it's commonly installed on exploited servers via web server configuration. If
the person running the site sees this: check your .htaccess and other web
server configuration, and see if your server has been compromised. (Check your
browser too.) Might also be a problem with the hosting provider.

Meanwhile, could the submitter or an HN admin please take some steps to
prevent exploits of HN readers, such as changing the URL to something
innocuous (such as example.org) and posting the original URL in a comment?

~~~
kiuhnm
My account has been suspended. Unfortunately, it being a free host, my hands
are tied.

~~~
userbinator
Looks like you got the "HN hug of death".

FYI, having used byethost for free hosting before, I don't believe
"securesignupoffers" itself is malware. It's what accounts which have been
suspended or don't have a valid index page redirect to by default.

What happened is that someone set up a bunch of accounts on the host for
malware/phishing/spamming/etc., and those URLs were used by malware. The host
has rightly deleted those accounts, causing malware which forces the user into
visiting the original URL to be taken to securesignupoffers instead.

~~~
kiuhnm
Officially, my account has been suspended because of the CPU limit. I guess
that serving too many pages can do just that.

------
yoha
On Archive.org:
[https://web.archive.org/web/20150522211938/http://expdev.bye...](https://web.archive.org/web/20150522211938/http://expdev.byethost7.com/2015/05/22/shellcode/)

------
jaytaylor
This is a fantastic writeup. Do any of you know of other great PoC security
articles like this one?

~~~
vezzy-fnord
The Corelan exploit development (and other infosec-related) articles:
[https://www.corelan.be/index.php/articles/](https://www.corelan.be/index.php/articles/)

------
2510c39011c5
Google has a cached page for this article...

To access the cached copy, just search in Google with the "cache" keyword
prefix

    "cache:" + ${original_URL}

for example:

    cache:expdev.byethost7.com/2015/05/22/shellcode/

------
ndesaulniers
This must be the 32-bit Windows ABI; pushing arguments on the stack instead of
using registers.

------
pizza
Where can I learn the basics about Windows's internals/kernel?

~~~
conductor
Windows Internals, Parts 1 and 2 by Mark Russinovich. And the leaked source
code of NT4.

~~~
JamalSmalls
Got any links to the leaked source code of NT4?

~~~
Someone1234
It is only a partial Win2K and NT4 leak from Mainsoft (not a typo for
Microsoft, Mainsoft leaked it). Kind of hard to find. Check normal piracy
sites.

