The shellcode itself scans for the KERNEL32.DLL by using FS:0 + searching for 'MZ' entry, followed by analysing the PE-Header for API offsets needed by this shellcode. After that we can load WS2 32.DLL for socket APIs and begin the usual shellcode process ! Thanx to several virus coders and Halvar Flake for that rocking idea ! I was wondering why so less people aren't using it today in their exploits ! Just because LSD has made this technique public on HiverCon 2002 ! Actually this one isn't optimized, but later shellcodes will have a size < 300 bytes.
Exploit.IIS.Thcunreal.01.a [Kaspersky]Exploit-IIS.Thcun [McAfee]security risk or a "backdoor" program [F-Prot]Trojan Horse.LC [Panda]
thcunreal.exe