<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40"
xmlns:ns0="http://schemas.microsoft.com/office/2004/12/omml"
xmlns:ns1="http://schemas.microsoft.com/exchange/services/2006/types">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="State"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="City"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--a:link
{mso-style-priority: 99
;}
span.MSOHYPERLINK
{mso-style-priority: 99
;}
a:visited
{mso-style-priority: 99
;}
span.MSOHYPERLINKFOLLOWED
{mso-style-priority: 99
;}
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Calibri;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:Calibri;}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal;
font-family:Calibri;
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:595.3pt 841.9pt;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1 dir=RTL>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Hello everyone,<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>How are you doing?<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Ok, if you didn't follow
up my chat with Matthew, you should read it first,<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>this is how we developed
2 bytes ExitProcess (raising silent exception which will shut the process):<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><a
href="http://blogs.securiteam.com/index.php/archives/679">http://blogs.securiteam.com/index.php/archives/679</a><o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Anyways, the new trick I just
thought of is:<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>XCHG EAX, ESP (of course,
we assume EAX is < 1000h or just not mapped).<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>That's it ONE byte. That's
really it. </span></font><font size=2 color=navy face=Wingdings><span
style='font-size:10.0pt;font-family:Wingdings;color:navy'>J</span></font><font
size=2 color=navy face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:navy'><o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>The catch is that after
this instruction the thread will continue execution of garbage instructions,
probably will fast enough get to an invalid instruction/access violation and Windows
will shut the process…. Voila<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>Dabah<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'>BTW – 315 bytes for
<st1:place w:st="on"><st1:City w:st="on">Tiny</st1:City> <st1:State w:st="on">PE</st1:State></st1:place><o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div class=MsoNormal align=center dir=LTR style='text-align:center'><font
size=3 face="Times New Roman"><span style='font-size:12.0pt;font-family:"Times New Roman"'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal dir=LTR><b><font size=2 face=Tahoma><span style='font-size:
10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
Ivan_Macalintal@trendmicro.com [mailto:Ivan_Macalintal@trendmicro.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, October 20, 2006
6:33 AM<br>
<b><span style='font-weight:bold'>To:</span></b> jasongef@microsoft.com;
code-crunchers@whitestar.linuxbox.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Code-Crunchers]
1stsmallestpost!</span></font><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'><o:p></o:p></span></font></p>
</div>
<p class=MsoNormal dir=LTR><font size=2 face=Calibri><span style='font-size:
11.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'> </span></font><font
size=2 color=blue face=Arial><span style='font-size:10.0pt;font-family:Arial;
color:blue'>-IM</span></font><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'><o:p></o:p></span></font></p>
</div>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000>TREND MICRO EMAIL NOTICE<br>
The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.<br>
</font></td></tr></table>