StoneHeart posted August 20, 2013:

I'm trying to create a shellcode but it ain't working. Maybe I'm doing it wrong or I dunno lol

    #include <windows.h>
    #include <string.h>

    int main()
    {
        char *msg = "Hello World!";
        char *title = "World!";
        char *usr = "user32.dll";
        char *mbox = "MessageBoxA";
        DWORD lLib = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "LoadLibraryA");
        DWORD lProc = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "GetProcAddress");

        //This shit works
        /*
        __asm {
            push usr
            call [lLib]          ; call dword ptr [lLib]: target is read from the variable
            push mbox
            push eax
            call [lProc]
            push 00000000h
            push title
            push msg
            push 00000000h
            call eax
            xor eax,eax
            retn
        }
        */

        /*
        //Extracted using pe explorer
        void HelloWorld()
        {
            char* szMessage = "Hello World!";
            char* szCaption = "Hello!";
            HMODULE hModule = LoadLibraryA( "user32.dll" );
            FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
            ( ( int ( WINAPI *)( HWND, LPCSTR, LPCSTR, UINT ) ) fFuncProc )( 0, szMessage, szCaption, 0 );
        }

        68 4C 20 40 00       push SSZ0040204C_user32_dll
        FF 15 04 20 40 00    call [KERNEL32.dll!LoadLibraryA]
        68 58 20 40 00       push SSZ00402058_MessageBoxA
        50                   push eax
        FF 15 00 20 40 00    call [KERNEL32.dll!GetProcAddress]
        6A 00                push 00000000h
        68 44 20 40 00       push SSZ00402044_Hello_
        68 34 20 40 00       push SSZ00402034_Hello_World_
        6A 00                push 00000000h
        FF D0                call eax
        33 C0                xor eax,eax
        C3                   retn
        */

        //This shit aint working
        // Stub bytes from the listing above, kept in a writable array (a string
        // literal is read-only, so the memcpy patches below would fault on it).
        char bv[] = "\x68\x4C\x20\x40\x00\xFF\x15\x04\x20\x40\x00\x68\x58\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00\x6A\x00\x68\x44\x20\x40\x00\x68\x34\x20\x40\x00\x6A\x00\xFF\xD0\x33\xC0\xC3";

        // Patch the six 32-bit operands: four push imm32 string pointers and
        // the two call [disp32] operands.
        memcpy((LPVOID)((DWORD)bv + 1), &usr, 4);
        memcpy((LPVOID)((DWORD)bv + 7), &lLib, 4);
        memcpy((LPVOID)((DWORD)bv + 12), &mbox, 4);
        memcpy((LPVOID)((DWORD)bv + 19), &lProc, 4);
        memcpy((LPVOID)((DWORD)bv + 26), &title, 4);
        memcpy((LPVOID)((DWORD)bv + 31), &msg, 4);

        typedef void (* fp)();
        fp p = (fp)bv;
        p();
        return 0;
    }

Someone enlighten me! Thanks.
simple posted August 20, 2013:

    char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload here

    int main()
    {
        int (*func)();
        func = (int (*)()) code;
        (int)(*func)();
        return 0;
    }
StoneHeart (author) posted August 21, 2013:

Still not working bro =\ Anyone have an idea?
simple posted August 21, 2013:

I don't know, threw this together fast and it worked on win7/mingw. MessageBoxA addy is hardcoded, replace w/your own or make another LoadLibrary/GetProcAddy shellcode, run it before, and pass the function address.

    #include <cstdlib>
    #include <iostream>
    #include <windows.h>

    using namespace std;

    int main(int argc, char *argv[])
    {
        HMODULE hModule = LoadLibraryA( "user32.dll" );
        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
        //printf("%d \n", fFuncProc); // 765fea71 = MessageBoxA

        // Builds "simple\0" twice on the stack (ebx = caption, ecx = text),
        // pushes MessageBoxA's four arguments plus a 0 return address,
        // then mov esi, 765fea71h / jmp esi.
        char ShellCode[] = "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xdc\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xcc\x33\xc0\x50\x53\x51\x50\x50\xc7\xc6\x71\xea\x5f\x76\xff\xe6";
        // above shellcode runs message box that says "simple"

        int (*func)();
        func = (int (*)()) ShellCode;
        (int)(*func)();
        return 0;
    }
StoneHeart (author) posted August 21, 2013:

Ok, I will try your sample and report the result later. I'm using VS C++ 2010, so I don't know whether there's a difference when compiling between those compilers.
simple posted August 21, 2013:

Didn't bother to pick apart your shellcode, but I see in your C++ code that you're not minding the endians. GetProcAddress will return a number like 00112233, but in your shellcode it needs to be 33221100, and the same thing w/strings: you can't just copy them in normally. You'll probably also need to do additional string formatting work like converting the strings/function addy to hex, then manually putting "\x" in front, then memcpy them in. Load it in Olly to see where it fails. There's a ton of tutorials on this topic out there.
Peter Ferrie posted August 23, 2013:

Endianness has nothing to do with the problem, since the write and the read use the same byte-order. The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes:

    DWORD plLib = (DWORD)&lLib;    // address of the variable that holds the pointer
    DWORD plProc = (DWORD)&lProc;
    memcpy((LPVOID)((DWORD)bv + 7), &plLib, 4);
    memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4);

Also make sure that DEP is disabled for your process, or you'll get an exception when running the BV code. I tried it. It works.
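The bug Peter Ferrie points at, as an added example that is not code from the thread: a small decoder for the handful of x86-32 opcodes in StoneHeart's stub that locates its six 32-bit operands, and a filler that writes string addresses into the `push imm32` slots and the address of the variable holding the function pointer (not the function address itself) into each `call dword ptr [disp32]` slot. All addresses are constructed 32-bit values, so it runs on any host and never executes the stub.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed copy of the 41-byte stub from the first post (x86-32, little-endian). */
static const uint8_t STUB[41] = {
    0x68,0x4C,0x20,0x40,0x00,  0xFF,0x15,0x04,0x20,0x40,0x00,  0x68,0x58,0x20,0x40,0x00,
    0x50,  0xFF,0x15,0x00,0x20,0x40,0x00,  0x6A,0x00,  0x68,0x44,0x20,0x40,0x00,
    0x68,0x34,0x20,0x40,0x00,  0x6A,0x00,  0xFF,0xD0,  0x33,0xC0,  0xC3 };
enum kind { PUSH_IMM32, CALL_MEM32 };        /* 68 imm32  /  FF 15 disp32 */
struct site { size_t off; enum kind kind; };  /* offset of the 4-byte operand */
/* Decode only the opcodes this stub uses and list every 32-bit operand the
   loader must fill in. Returns the number of sites, or -1 on an unknown byte. */
int find_patch_sites(const uint8_t *p, size_t n, struct site *out, int max) {
    int count = 0;
    for (size_t i = 0; i < n; ) {
        uint8_t op = p[i], m = (i + 1 < n) ? p[i + 1] : 0;
        if (op == 0x68 || (op == 0xFF && m == 0x15)) {
            if (count == max) return -1;
            out[count].kind = (op == 0x68) ? PUSH_IMM32 : CALL_MEM32;
            out[count].off  = i + ((op == 0x68) ? 1 : 2);
            i = out[count++].off + 4;
        }
        else if (op == 0x6A || op == 0x33 || (op == 0xFF && m == 0xD0)) i += 2; /* push imm8, xor, call eax */
        else if (op == 0x50 || op == 0xC3) i += 1;                              /* push eax, ret */
        else return -1;
    }
    return count;
}
/* Simulated 32-bit addresses: where the four strings live, and where the two
   DWORD variables (lLib, lProc) that hold the function pointers live. */
struct image { uint32_t str[4]; uint32_t slot[2]; };
static void put32(uint8_t *d, uint32_t v) {          /* little-endian store */
    d[0] = (uint8_t)v; d[1] = (uint8_t)(v >> 8); d[2] = (uint8_t)(v >> 16); d[3] = (uint8_t)(v >> 24);
}
/* Fill a copy of the stub. push sites get the string addresses in program order
   (usr, mbox, title, msg). FF 15 sites get the address OF the variable holding
   LoadLibraryA / GetProcAddress: "call [x]" fetches its target from memory at x,
   so writing the function address itself there is the bug from the thread. */
int fill_stub(uint8_t *buf, size_t n, const struct image *img) {
    struct site s[8]; int k = find_patch_sites(buf, n, s, 8), ns = 0, nc = 0;
    if (k < 0) return -1;
    for (int i = 0; i < k; i++) {
        if (s[i].kind == PUSH_IMM32) { if (ns > 3) return -1; put32(buf + s[i].off, img->str[ns++]); }
        else                         { if (nc > 1) return -1; put32(buf + s[i].off, img->slot[nc++]); }
    }
    return (ns == 4 && nc == 2) ? 0 : -1;
}
```

The six offsets the decoder reports (1, 7, 12, 19, 26, 31) are exactly the ones the first post patches, which is why only the two `FF 15` sites needed changing.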
StoneHeart (author) posted August 25, 2013:

Finally I got it working. Thanks mate