Quote Originally Posted by oldschool
Well, I succeeded in adapting the minishare exploit to work under XP SP3.

I won't write a long post about how I did it; I'll just give the essential information, which should be all that's required, especially if you were learning the processes involved rather than just treating it as a copy and paste exercise.

The only 2 differences were:

1) The location in memory for the first usable memory address for the JMP ESP was different in the XP SP3 Shell32.dll file so that address had to replace the one in the original exploit.
2) The shellcode that I produced using the msfpayload and msfencode tools was different to what lupin had provided on his examples. Not sure why, maybe the version of the program I have is different. I'm using BackTrack4 Final (the latest distro as of the date of this post).

Please feel free to contact me if you would like to discuss this further or ask any questions.

Did a quick post about getting the tutorials working under SP3 here that explains some of the issues around this. Yes, you are right in saying that the JMP ESP address needs to be changed, as Service Pack 3 provides a new version of shell32.dll which is obviously structured differently from the one provided with SP2. Since we use a hard coded address for that JMP ESP instruction the address needs to change when the module changes.

There are a number of reasons why the shellcode might be different. Newer releases of Metasploit sometimes contain slightly modified versions of shellcode; different parameters fed to msfpayload will modify the shellcode generated; and the shikata_ga_nai encoder in msfencode can produce different encoded output on subsequent runs. Differences in the shellcode are not overly important, however, as long as it does what you need it to.
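The point both posts make about the JMP ESP address, as an added illustration that is not part of this thread: a hard-coded return address is only a byte offset into one particular build of a module, so it has to be re-verified whenever the module changes. The two "module images" below are constructed byte strings standing in for two builds of a DLL (they are not real shell32.dll contents), and the base address is an arbitrary constructed value; the helper simply checks whether the bytes at the old address still hold the JMP ESP opcode and, if not, lists where that opcode now lives. On XP there is no ASLR, so a module's load address is stable across runs, which is the only reason a fixed address works at all; the same check is the first thing to run when a service pack or patch replaces the module.

```python
# Added example (not code from the thread): why a hard-coded JMP ESP
# address stops working when the module it points into is replaced.
# The images and the base address below are constructed stand-ins,
# not real shell32.dll data.

JMP_ESP = b"\xff\xe4"  # x86 opcode bytes for the JMP ESP instruction


def find_jmp_esp(image, base):
    """Return every virtual address in `image` (assumed loaded at `base`)
    whose two bytes are the JMP ESP opcode sequence."""
    hits = []
    start = 0
    while True:
        off = image.find(JMP_ESP, start)
        if off == -1:
            return hits
        hits.append(base + off)
        start = off + 1  # keep scanning past this hit


def address_is_jmp_esp(image, base, addr):
    """True if the bytes at virtual address `addr` in `image` are JMP ESP."""
    off = addr - base
    if off < 0 or off + len(JMP_ESP) > len(image):
        return False  # address falls outside the module
    return image[off:off + len(JMP_ESP)] == JMP_ESP


# Constructed stand-ins for two builds of the same DLL (arbitrary base).
BASE = 0x10000000
OLD_BUILD = b"\x90" * 0x100 + JMP_ESP + b"\x90" * 0x100  # JMP ESP at +0x100
NEW_BUILD = b"\x90" * 0x180 + JMP_ESP + b"\x90" * 0x080  # same opcode now at +0x180


def recheck_hardcoded_address(addr, new_image, base=BASE):
    """Report whether `addr` is still usable in `new_image`; if it is not,
    return the addresses that hold JMP ESP in the new build instead."""
    if address_is_jmp_esp(new_image, base, addr):
        return {"still_valid": True, "candidates": [addr]}
    return {"still_valid": False, "candidates": find_jmp_esp(new_image, base)}


if __name__ == "__main__":
    old_addr = find_jmp_esp(OLD_BUILD, BASE)[0]
    print("address taken from the old build: 0x%08x" % old_addr)
    result = recheck_hardcoded_address(old_addr, NEW_BUILD)
    print("still valid in the new build?", result["still_valid"])
    print("JMP ESP found at:", ["0x%08x" % a for a in result["candidates"]])
```

Running the module shows the address taken from the old build no longer lands on the opcode in the new one, and the scan reports the new location, which is exactly the SP2 to SP3 change described above. Against a real module the only difference is reading the file (or the loaded image) into `image` and using its actual load address as `base`.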