Posted August 20, 2013

I'm trying to create a shellcode but it ain't working. Maybe I'm doing it wrong or I dunno lol

    int main()
    {
        char *msg = "Hello World!";
        char *title = "World!";
        char *usr = "user32.dll";
        char *mbox = "MessageBoxA";
        DWORD lLib = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "LoadLibraryA");
        DWORD lProc = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "GetProcAddress");

        //This shit works
        /*
        __asm {
            push usr
            call [lLib]
            push mbox
            push eax
            call [lProc]
            push 00000000h
            push title
            push msg
            push 00000000h
            call eax
            xor eax,eax
            retn
        }
        */

        /*
        //Extracted using pe explorer
        void HelloWorld()
        {
            char* szMessage = "Hello World!";
            char* szCaption = "Hello!";
            HMODULE hModule = LoadLibraryA( "user32.dll" );
            FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
            ( ( int ( WINAPI *)( HWND, LPCSTR, LPCSTR, UINT ) ) fFuncProc )( 0, szMessage, szCaption, 0 );
        }

        68 4C 20 40 00        push SSZ0040204C_user32_dll
        FF 15 04 20 40 00     call [KERNEL32.dll!LoadLibraryA]
        68 58 20 40 00        push SSZ00402058_MessageBoxA
        50                    push eax
        FF 15 00 20 40 00     call [KERNEL32.dll!GetProcAddress]
        6A 00                 push 00000000h
        68 44 20 40 00        push SSZ00402044_Hello_
        68 34 20 40 00        push SSZ00402034_Hello_World_
        6A 00                 push 00000000h
        FF D0                 call eax
        33 C0                 xor eax,eax
        C3                    retn
        */

        //This shit ain't working
        char *bv = "\x68\x4C\x20\x40\x00\xFF\x15\x04\x20\x40\x00"
                   "\x68\x58\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00"
                   "\x6A\x00\x68\x44\x20\x40\x00\x68\x34\x20\x40\x00"
                   "\x6A\x00\xFF\xD0\x33\xC0\xC3";
        memcpy((LPVOID)((DWORD)bv + 1), &usr, 4);
        memcpy((LPVOID)((DWORD)bv + 7), &lLib, 4);
        memcpy((LPVOID)((DWORD)bv + 12), &mbox, 4);
        memcpy((LPVOID)((DWORD)bv + 19), &lProc, 4);
        memcpy((LPVOID)((DWORD)bv + 26), &title, 4);
        memcpy((LPVOID)((DWORD)bv + 31), &msg, 4);

        typedef void (*fp)();
        fp p = (fp)bv;
        p();
        return 0;
    }

Someone enlighten me! Thanks.
August 20, 2013

    char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload here

    int main()
    {
        int (*func)();
        func = (int (*)()) code;
        (int)(*func)();
    }
August 21, 2013 (Author)

    char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload here

    int main()
    {
        int (*func)();
        func = (int (*)()) code;
        (int)(*func)();
    }

Still not working, bro =\ Anyone have an idea?
August 21, 2013

I don't know, threw this together fast and it worked on win7/mingw. MessageBoxA addy is hardcoded, replace w/ your own or make another LoadLibrary/GetProcAddy shellcode, run it before, and pass the function address.

    #include <cstdlib>
    #include <iostream>
    #include <windows.h>

    using namespace std;

    int main(int argc, char *argv[])
    {
        HMODULE hModule = LoadLibraryA( "user32.dll" );
        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
        //printf("%d \n", fFuncProc); // 765fea71 = MessageBoxA

        char ShellCode[] = "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xdc"
                           "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xcc"
                           "\x33\xc0\x50\x53\x51\x50\x50"
                           "\xc7\xc6\x71\xea\x5f\x76\xff\xe6";
        // above shellcode runs message box that says "simple"

        int (*func)();
        func = (int (*)()) ShellCode;
        (int)(*func)();
    }
August 21, 2013 (Author)

I don't know, threw this together fast and it worked on win7/mingw. MessageBoxA addy is hardcoded, replace w/ your own or make another LoadLibrary/GetProcAddy shellcode, run it before, and pass the function address.

    #include <cstdlib>
    #include <iostream>
    #include <windows.h>

    using namespace std;

    int main(int argc, char *argv[])
    {
        HMODULE hModule = LoadLibraryA( "user32.dll" );
        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
        //printf("%d \n", fFuncProc); // 765fea71 = MessageBoxA

        char ShellCode[] = "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xdc"
                           "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xcc"
                           "\x33\xc0\x50\x53\x51\x50\x50"
                           "\xc7\xc6\x71\xea\x5f\x76\xff\xe6";
        // above shellcode runs message box that says "simple"

        int (*func)();
        func = (int (*)()) ShellCode;
        (int)(*func)();
    }

OK, I will try your sample and report the result later. I'm using Visual C++ 2010, so I don't know whether there's a difference when compiling between those compilers.
August 21, 2013

Didn't bother to pick apart your shellcode, but I see in your C++ code that you're not minding the endianness. GetProcAddress will return a number like 00112233, but in your shellcode it needs to be 33221100, and the same thing w/ strings: you can't just copy them in normally. You'll probably also need to do additional string formatting work like converting the strings/function addy to hex, then manually putting "\x" in front, then memcpy them in. Load it in Olly to see where it fails. There's a ton of tutorials on this topic out there.
August 23, 2013

Endianness has nothing to do with the problem, since the write and the read use the same byte order. The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes:

    // call [imm32] expects the address OF a variable holding the function
    // pointer, not the function pointer itself; the cast is needed in C++
    DWORD plLib = (DWORD)&lLib;
    DWORD plProc = (DWORD)&lProc;
    memcpy((LPVOID)((DWORD)bv + 7), &plLib, 4);
    memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4);

Also make sure that DEP is disabled for your process, or you'll get an exception when running the BV code. I tried it. It works.
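To make the distinction in this reply concrete, and to check the byte-order claim in the previous reply, here is an added example that is not from the thread. It models only the one instruction that matters, `FF 15 imm32` (`call dword ptr [imm32]`), which transfers control to the 4-byte value stored AT the immediate address, not to the immediate itself. The Windows APIs are replaced by a constructed fake address map, so it runs on any host; the addresses `FAKE_LOADLIBRARYA` and `FAKE_LLIB_VAR`, the prologue bytes in the map, and every function name below (`patch_u32`, `call_indirect_target`, `target_with_value`, `target_with_address`, `memcpy_matches_patch`, `host_is_little_endian`) are assumptions made for this example.

```c
/* Added example: models the "call [imm32]" slot bug diagnosed in the thread.
   Not the OP's program; Windows APIs are replaced by a constructed address map. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample values for the simulation (not real Windows addresses). */
#define FAKE_LOADLIBRARYA 0x77E10A00u /* where LoadLibraryA's code would live */
#define FAKE_LLIB_VAR     0x0012FF60u /* stack slot of the C variable lLib     */

/* A tiny fake 32-bit address space made of labelled cells.  Reading any
   other address is treated as an access violation (returns 0). */
typedef struct { uint32_t addr; uint32_t value; } cell_t;
static const cell_t fake_mem[] = {
    /* first bytes of a typical Win32 API prologue, 8B FF 55 8B
       (mov edi,edi ; push ebp ; mov ebp,esp), read as a little-endian dword */
    { FAKE_LOADLIBRARYA, 0x8B55FF8Bu },
    /* the C variable lLib holds what GetProcAddress returned */
    { FAKE_LLIB_VAR, FAKE_LOADLIBRARYA },
};

static int fake_read32(uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < sizeof fake_mem / sizeof fake_mem[0]; i++)
        if (fake_mem[i].addr == addr) { *out = fake_mem[i].value; return 1; }
    return 0;
}

/* Write a 32-bit value into shellcode bytes in little-endian order.  On x86
   this is byte-for-byte what memcpy(dst, &dword, 4) does, so no swap is needed. */
static void patch_u32(uint8_t *buf, size_t off, uint32_t v) {
    buf[off]     = (uint8_t)(v);
    buf[off + 1] = (uint8_t)(v >> 8);
    buf[off + 2] = (uint8_t)(v >> 16);
    buf[off + 3] = (uint8_t)(v >> 24);
}

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode "FF 15 imm32" at buf+off and return the address the CPU would really
   jump to: the dword stored AT imm32.  0 means "not FF 15" or a faulting read. */
static uint32_t call_indirect_target(const uint8_t *buf, size_t off) {
    uint32_t slot, target;
    if (buf[off] != 0xFF || buf[off + 1] != 0x15) return 0;
    slot = read_u32le(buf + off + 2);
    return fake_read32(slot, &target) ? target : 0;
}

/* The first two instructions of the OP's template (the rest is not needed). */
static const uint8_t template_bytes[] = {
    0x68, 0x4C, 0x20, 0x40, 0x00,       /* push imm32   : string pointer slot, offset 1 */
    0xFF, 0x15, 0x04, 0x20, 0x40, 0x00, /* call [imm32] : pointer-to-pointer slot, offset 7 */
};

/* OP's version: memcpy(bv+7, &lLib, 4) stores the VALUE of lLib in the slot. */
static uint32_t target_with_value(void) {
    uint8_t bv[sizeof template_bytes];
    memcpy(bv, template_bytes, sizeof bv);
    patch_u32(bv, 7, FAKE_LOADLIBRARYA);
    return call_indirect_target(bv, 5); /* -> 0x8B55FF8B: prologue bytes, not code */
}

/* Fixed version: plLib = &lLib; memcpy(bv+7, &plLib, 4) stores the ADDRESS of lLib. */
static uint32_t target_with_address(void) {
    uint8_t bv[sizeof template_bytes];
    memcpy(bv, template_bytes, sizeof bv);
    patch_u32(bv, 7, FAKE_LLIB_VAR);
    return call_indirect_target(bv, 5); /* -> FAKE_LOADLIBRARYA */
}

static int host_is_little_endian(void) {
    uint32_t one = 1;
    return *(const uint8_t *)&one == 1;
}

/* Byte-order check: on a little-endian host, memcpy of a uint32_t yields the
   same bytes as patch_u32, i.e. the immediate needs no manual reversal. */
static int memcpy_matches_patch(void) {
    uint32_t v = 0x00112233u;
    uint8_t a[4], b[4];
    memcpy(a, &v, 4);
    patch_u32(b, 0, v);
    return memcmp(a, b, 4) == 0;
}

int main(void) {
    printf("slot = value of lLib   -> target 0x%08X (bytes of the prologue)\n", target_with_value());
    printf("slot = address of lLib -> target 0x%08X (LoadLibraryA)\n", target_with_address());
    printf("memcpy bytes == little-endian patch: %s\n", memcpy_matches_patch() ? "yes" : "no");
    return 0;
}
```

The same reasoning applies to the `call [lProc]` slot at offset 19; the `push imm32` slots (offsets 1, 12, 26, 31) are different, because `push` wants the string pointer itself, which is why the OP's memcpy of `&usr` and friends was already right.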
August 25, 2013 (Author)

Endianness has nothing to do with the problem, since the write and the read use the same byte order. The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes:

    // call [imm32] expects the address OF a variable holding the function
    // pointer, not the function pointer itself; the cast is needed in C++
    DWORD plLib = (DWORD)&lLib;
    DWORD plProc = (DWORD)&lProc;
    memcpy((LPVOID)((DWORD)bv + 7), &plLib, 4);
    memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4);

Also make sure that DEP is disabled for your process, or you'll get an exception when running the BV code. I tried it. It works.

Finally I got it working. Thanks, mate.