winShadow v2.0 netcat shell download and execute exploit!
=========================================================

"... because there's no day like 0-day!!!"

About the Exploit:
==================

This exploit will download the file:
http://www.elitehaven.net/ncat.exe, which loads a netcat
listener which spawns a remote command shell on port 9999
for those good times ;o)

If you want it to download another file, you can alter the
URL to download from with a hex editor, but you must (a) not
make the URL more than two bytes longer than it already is
and (b) terminate the URL with 0xff, because that's our
end-of-string detection byte.

This exploit, as far as our research tells us, will work on
*any* Windows XP box, regardless of which version or service
pack it is running - heck, what can I say - we found a nice
*universal* return address!

The exploit and shellcode were written by Peter Winter-Smith.
The shellcode can be downloaded from:

http://www.elitehaven.net/code/tinydown.asm

I altered the bytes 0x0d to 0xfd because it ruined the exploit
but that's the only change made :o)

Contact me:
peter4020@hotmail.com
http://www.elitehaven.net


About the Flaw:
===============

This exploits a severe security issue in the way in which
the winShadow client handles the hostname parameter in its
.osh files.

The flaw was discovered by Bahaa Naamneh, who also was a big
help in finding a good return address - thanks there mate!

Contact him:
b_naamneh@hotmail.com
http://www.bsecurity.tk