Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

ShellCode Ain't working!

I'm trying to create a shellcode but it isn't working. Maybe I'm doing it wrong, or I don't know, lol.



#include <windows.h>
#include <string.h>

int main()
{
    char *msg   = "Hello World!";
    char *title = "World!";
    char *usr   = "user32.dll";
    char *mbox  = "MessageBoxA";

    DWORD lLib  = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "LoadLibraryA");
    DWORD lProc = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "GetProcAddress");

    // This works
    /*
    __asm
    {
        push    usr
        call    [lLib]
        push    mbox
        push    eax
        call    [lProc]
        push    00000000h
        push    title
        push    msg
        push    00000000h
        call    eax
        xor     eax,eax
        retn
    }
    */

    /*
    // Extracted using PE Explorer
    void HelloWorld()
    {
        char* szMessage = "Hello World!";
        char* szCaption = "Hello!";

        HMODULE hModule   = LoadLibraryA( "user32.dll" );
        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );

        ( ( int ( WINAPI *)( HWND, LPCSTR, LPCSTR, UINT ) ) fFuncProc )( 0, szMessage, szCaption, 0 );
    }

    68 4C 20 40 00                    push    SSZ0040204C_user32_dll
    FF 15 04 20 40 00                 call    [KERNEL32.dll!LoadLibraryA]
    68 58 20 40 00                    push    SSZ00402058_MessageBoxA
    50                                push    eax
    FF 15 00 20 40 00                 call    [KERNEL32.dll!GetProcAddress]
    6A 00                             push    00000000h
    68 44 20 40 00                    push    SSZ00402044_Hello_
    68 34 20 40 00                    push    SSZ00402034_Hello_World_
    6A 00                             push    00000000h
    FF D0                             call    eax
    33 C0                             xor     eax,eax
    C3                                retn
    */

    // This isn't working
    // Writable copy of the bytes above (a string literal may live in read-only memory);
    // the 4-byte operands of each push/call are patched in below.
    char bv[] = "\x68\x4C\x20\x40\x00\xFF\x15\x04\x20\x40\x00\x68\x58\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00\x6A\x00\x68\x44\x20\x40\x00\x68\x34\x20\x40\x00\x6A\x00\xFF\xD0\x33\xC0\xC3";

    memcpy(bv + 1,  &usr,   4);   // push imm32   : address of "user32.dll"
    memcpy(bv + 7,  &lLib,  4);   // call [mem32] : operand of the first call
    memcpy(bv + 12, &mbox,  4);   // push imm32   : address of "MessageBoxA"
    memcpy(bv + 19, &lProc, 4);   // call [mem32] : operand of the second call
    memcpy(bv + 26, &title, 4);   // push imm32   : caption
    memcpy(bv + 31, &msg,   4);   // push imm32   : text

    typedef void (*fp)();
    fp p = (fp)bv;
    p();

    return 0;
}

Someone enlighten me!

Thanks.

char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload here

int main()
{
    int (*func)();
    func = (int (*)()) code;   // treat the byte array as a function
    (int)(*func)();            // and call it
}


Still not working, bro =\

Anyone have an idea?


I don't know, threw this together fast and it worked on Win7/MinGW. The MessageBoxA address is hardcoded; replace it with your own, or make another LoadLibrary/GetProcAddress shellcode, run it before, and pass the function address.



#include <cstdlib>
#include <iostream>
#include <windows.h>

using namespace std;

int main(int argc, char *argv[])
{
    HMODULE hModule   = LoadLibraryA( "user32.dll" );
    FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
    //printf("%d \n", fFuncProc);
    // 765fea71 = MessageBoxA (on the poster's machine; replace with your own)

    char ShellCode[] =
        "\x68\x6c\x65\x00\x00"      // push 0x0000656c     ; "le\0\0"
        "\x68\x73\x69\x6d\x70"      // push 0x706d6973     ; "simp"  -> "simple" on the stack
        "\x8b\xdc"                  // mov  ebx, esp       ; ebx = &"simple"
        "\x68\x6c\x65\x00\x00"      // push 0x0000656c
        "\x68\x73\x69\x6d\x70"      // push 0x706d6973     ; second copy of "simple"
        "\x8b\xcc"                  // mov  ecx, esp       ; ecx = &"simple"
        "\x33\xc0"                  // xor  eax, eax
        "\x50"                      // push eax            ; uType = 0
        "\x53"                      // push ebx            ; lpCaption
        "\x51"                      // push ecx            ; lpText
        "\x50"                      // push eax            ; hWnd = 0
        "\xc7\xc6\x71\xea\x5f\x76"  // mov  esi, 0x765fea71; hardcoded MessageBoxA
        "\xff\xe6";                 // jmp  esi
    // above shellcode runs a message box that says "simple"

    int (*func)();
    func = (int (*)()) ShellCode;
    (int)(*func)();
}
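The bytes above build the string "simple" on the stack with two `push imm32` instructions and then pass `esp` as the pointer, which is what makes the shellcode self-contained. The following is an added example (not the poster's code) that generates that encoding for any NUL-terminated string and assembles the whole MessageBoxA stub around a caller-supplied function address. It differs from the posted bytes in one deliberate way: it uses `call esi` plus an `add esp` cleanup and a `ret`, so control comes back to the C caller. The names `emit_stack_string` and `emit_messagebox` are mine, and `0x765fea71` is used only because it is the constant the poster quoted.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Emit "push imm32" instructions that leave the NUL-terminated string s on the
 * stack, lowest address first. The string is zero-padded to a multiple of 4 and
 * its 4-byte chunks are pushed last-chunk-first, exactly as the posted bytes do
 * for "simple". The immediate bytes are copied in memory order: a push imm32
 * stores its little-endian immediate as little-endian stack bytes, so no
 * byte-swapping is ever needed. Returns the number of code bytes written, or 0
 * on failure; *stack_bytes receives how much stack the string occupies. */
size_t emit_stack_string(const char *s, uint8_t *out, size_t cap, size_t *stack_bytes)
{
    uint8_t buf[256];
    size_t len = strlen(s) + 1;                 /* keep the terminator */
    size_t padded = (len + 3) & ~(size_t)3;     /* round up to a 4-byte multiple */
    size_t chunks = padded / 4;
    size_t n = 0;
    if (padded > sizeof buf || cap < chunks * 5) return 0;
    memset(buf, 0, padded);
    memcpy(buf, s, len);
    for (size_t c = chunks; c-- > 0;) {
        out[n++] = 0x68;                        /* push imm32 */
        memcpy(out + n, buf + c * 4, 4);        /* immediate in memory order */
        n += 4;
    }
    if (stack_bytes) *stack_bytes = padded;
    return n;
}

/* Assemble: caption on stack -> ebx, text on stack -> ecx, then
 * MessageBoxA(0, ecx, ebx, 0) via "call esi", drop the stack strings, ret.
 * fn is the absolute address of MessageBoxA (stdcall: callee pops its args). */
size_t emit_messagebox(uint32_t fn, const char *text, const char *caption,
                       uint8_t *out, size_t cap)
{
    size_t n = 0, k, cap_bytes = 0, text_bytes = 0;
    static const uint8_t mov_ebx_esp[] = { 0x8B, 0xDC };
    static const uint8_t mov_ecx_esp[] = { 0x8B, 0xCC };
    static const uint8_t args[] = { 0x33, 0xC0,   /* xor eax, eax  */
                                    0x50,         /* push eax      ; uType = 0 */
                                    0x53,         /* push ebx      ; lpCaption */
                                    0x51,         /* push ecx      ; lpText    */
                                    0x50 };       /* push eax      ; hWnd = 0  */

    if ((k = emit_stack_string(caption, out + n, cap - n, &cap_bytes)) == 0) return 0;
    n += k;
    if (cap - n < 2) return 0;
    memcpy(out + n, mov_ebx_esp, 2); n += 2;
    if ((k = emit_stack_string(text, out + n, cap - n, &text_bytes)) == 0) return 0;
    n += k;
    if (cap - n < 2 + sizeof args + 5 + 2 + 3 + 1) return 0;
    memcpy(out + n, mov_ecx_esp, 2); n += 2;
    memcpy(out + n, args, sizeof args); n += sizeof args;
    out[n++] = 0xBE;                            /* mov esi, imm32 */
    out[n++] = (uint8_t)(fn);
    out[n++] = (uint8_t)(fn >> 8);
    out[n++] = (uint8_t)(fn >> 16);
    out[n++] = (uint8_t)(fn >> 24);
    out[n++] = 0xFF; out[n++] = 0xD6;           /* call esi (pushes a return address) */
    if (cap_bytes + text_bytes > 127) return 0; /* add esp, imm8 is sign-extended */
    out[n++] = 0x83; out[n++] = 0xC4;           /* add esp, imm8 : free the strings */
    out[n++] = (uint8_t)(cap_bytes + text_bytes);
    out[n++] = 0xC3;                            /* ret to the C caller */
    return n;
}
```

To run it on 32-bit Windows, copy the output into memory allocated with `VirtualAlloc(..., PAGE_EXECUTE_READWRITE)` and call it as a `void (*)(void)`; the first ten bytes produced for "simple" are the same ten bytes that open the posted shellcode.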
OK, I will try your sample and report the result later.

I'm using VC++ 2010, so I don't know whether there's a difference when compiling between those compilers.

Didn't bother to pick apart your shellcode, but I see in your C++ code that you're not minding the endians. GetProcAddress will return a number like 00112233, but in your shellcode it needs to be 33221100, and the same thing with strings; you can't just copy them in normally. You'll probably also need to do additional string formatting work like converting the strings/function addy to hex, then manually putting "\x" in front, then memcpy them in. Load it in Olly to see where it fails. There are a ton of tutorials on this topic out there.


Endianness has nothing to do with the problem, since the write and the read use the same byte order.

The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes:

    DWORD plLib  = (DWORD)&lLib;    // address of the variable holding LoadLibraryA
    DWORD plProc = (DWORD)&lProc;   // address of the variable holding GetProcAddress

    memcpy((LPVOID)((DWORD)bv + 7),  &plLib,  4);
    memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4);

Also make sure that DEP is disabled for your process, or you'll get an exception when running the bv code.

I tried it. It works.
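The reply above pins down the bug: `FF 15 imm32` is `call dword ptr [imm32]`, so the operand must be the address of a 4-byte variable that holds the function pointer, while `68 imm32` (`push imm32`) takes the value itself. Below is an added example (not code from the thread) that makes that distinction explicit: it decodes the original post's stub bytes to locate every 32-bit operand and classify it as a push slot or a call-through-memory slot, so the offsets 1, 7, 12, 19, 26 and 31 are derived rather than hand-counted, and it writes each value little-endian byte by byte. The `main` under `_WIN32` patches in real pointers and runs the stub from `VirtualAlloc`'d executable memory, which avoids disabling DEP for the whole process. The names `find_slots`, `patch_stub`, `put_le32` and `get_le32` are mine; the template bytes are the ones from the first post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(_WIN32) && !defined(_WIN64)
#include <windows.h>
#endif

/* The 32-bit x86 stub from the first post with every 4-byte operand zeroed.
 *   push imm32   (68 xx xx xx xx)     - the operand IS the value pushed
 *   call [mem32] (FF 15 xx xx xx xx)  - the operand is an ADDRESS; the CPU
 *                                       loads the dword stored there and calls it */
static const uint8_t stub_template[] = {
    0x68, 0, 0, 0, 0,        /* push  lpLibFileName           */
    0xFF, 0x15, 0, 0, 0, 0,  /* call  [p_LoadLibraryA]        */
    0x68, 0, 0, 0, 0,        /* push  lpProcName              */
    0x50,                    /* push  eax (hModule)           */
    0xFF, 0x15, 0, 0, 0, 0,  /* call  [p_GetProcAddress]      */
    0x6A, 0x00,              /* push  0 (uType)               */
    0x68, 0, 0, 0, 0,        /* push  lpCaption               */
    0x68, 0, 0, 0, 0,        /* push  lpText                  */
    0x6A, 0x00,              /* push  0 (hWnd)                */
    0xFF, 0xD0,              /* call  eax (MessageBoxA)       */
    0x33, 0xC0,              /* xor   eax, eax                */
    0xC3                     /* ret                           */
};
#define STUB_LEN sizeof(stub_template)
#define MAX_SLOTS 8

typedef enum { SLOT_PUSH_IMM32, SLOT_CALL_MEM32 } slot_kind;
typedef struct { size_t offset; slot_kind kind; } slot;

/* Walk the stub and record where each 32-bit operand lives and what kind it is.
 * Only the opcodes this stub uses are decoded; anything else returns -1. */
int find_slots(const uint8_t *code, size_t len, slot *out, int max_out)
{
    int n = 0;
    size_t i = 0;
    while (i < len) {
        uint8_t op = code[i];
        if (op == 0x68) {                                          /* push imm32 */
            if (n >= max_out || i + 5 > len) return -1;
            out[n].offset = i + 1; out[n].kind = SLOT_PUSH_IMM32; n++; i += 5;
        } else if (op == 0xFF && i + 1 < len && code[i + 1] == 0x15) { /* call [mem32] */
            if (n >= max_out || i + 6 > len) return -1;
            out[n].offset = i + 2; out[n].kind = SLOT_CALL_MEM32; n++; i += 6;
        } else if (op == 0xFF && i + 1 < len && code[i + 1] == 0xD0) { /* call eax */
            i += 2;
        } else if (op == 0x33 && i + 1 < len && code[i + 1] == 0xC0) { /* xor eax,eax */
            i += 2;
        } else if (op == 0x6A) {                                   /* push imm8 */
            i += 2;
        } else if (op == 0x50 || op == 0xC3) {                     /* push eax / ret */
            i += 1;
        } else {
            return -1;                                             /* refuse to guess */
        }
    }
    return n;
}

/* Explicit little-endian store/load: same bytes memcpy of a uint32_t gives on x86,
 * but spelled out so the byte order is visible. */
void put_le32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)v; dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16); dst[3] = (uint8_t)(v >> 24);
}
uint32_t get_le32(const uint8_t *src)
{
    return (uint32_t)src[0] | ((uint32_t)src[1] << 8) |
           ((uint32_t)src[2] << 16) | ((uint32_t)src[3] << 24);
}

/* Copy the template to out and fill the operands in slot order. For a push slot
 * pass the value (e.g. a string's address); for a call [mem32] slot pass the
 * address of a variable that HOLDS the function pointer, never the function
 * address itself. Returns the slot count or -1 if nvalues does not match. */
int patch_stub(uint8_t *out, const uint32_t *values, int nvalues)
{
    slot slots[MAX_SLOTS];
    int n = find_slots(stub_template, STUB_LEN, slots, MAX_SLOTS);
    if (n < 0 || n != nvalues) return -1;
    memcpy(out, stub_template, STUB_LEN);
    for (int k = 0; k < n; k++) put_le32(out + slots[k].offset, values[k]);
    return n;
}

int main(void)
{
#if defined(_WIN32) && !defined(_WIN64)
    static const char usr[] = "user32.dll", mbox[] = "MessageBoxA";
    static const char title[] = "World!", msg[] = "Hello World!";
    static uint32_t p_LoadLibraryA, p_GetProcAddress;   /* the call slots get THESE addresses */
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    p_LoadLibraryA   = (uint32_t)GetProcAddress(k32, "LoadLibraryA");
    p_GetProcAddress = (uint32_t)GetProcAddress(k32, "GetProcAddress");
    uint32_t values[6] = { (uint32_t)usr,  (uint32_t)&p_LoadLibraryA,
                           (uint32_t)mbox, (uint32_t)&p_GetProcAddress,
                           (uint32_t)title, (uint32_t)msg };
    /* Executable memory instead of a string literal or stack buffer: works with DEP on. */
    uint8_t *code = VirtualAlloc(NULL, STUB_LEN, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!code || patch_stub(code, values, 6) != 6) return 1;
    ((void (*)(void))code)();
    VirtualFree(code, 0, MEM_RELEASE);
#else
    puts("The patched stub only runs on 32-bit Windows; build with a 32-bit MSVC or MinGW toolchain.");
#endif
    return 0;
}
```

The same decoder doubles as a sanity check when you change the stub: if a byte is inserted or removed, `find_slots` moves every later offset with it, and an unrecognised opcode makes it fail loudly instead of patching the wrong place.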


 

Finally I got it working.

 

Thanks mate :)
