ShellCode Aint working!

Posted August 20, 201312 yr

Im trying to create a shellcode but it aint working. Maybe im doing it wrong or i dunno lol



int main()

{

    char *msg = "Hello World!";

    char *title = "World!";

    char *usr ="user32.dll";

    char *mbox ="MessageBoxA";
    DWORD lLib = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "LoadLibraryA");

    DWORD lProc = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "GetProcAddress");
    //This shit works

    /*

    __asm

    {

        push    usr

        call    [lLib]

        push    mbox

        push    eax

        call    [lProc]

        push    00000000h

        push    title

        push    msg

        push    00000000h

        call    eax

        xor     eax,eax

        retn

    }

    */
    /*

    //Extracted using pe explorer

    void HelloWorld()

    {

        char* szMessage = "Hello World!";

        char* szCaption = "Hello!";
        HMODULE hModule   = LoadLibraryA( "user32.dll" );

        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
        ( ( int ( WINAPI *)( HWND, LPCSTR, LPCSTR, UINT ) ) fFuncProc )( 0, szMessage, szCaption, 0 );
    }
    68 4C 20 40 00                    push    SSZ0040204C_user32_dll

    FF 15 04 20 40 00                 call    [KERNEL32.dll!LoadLibraryA]

    68 58 20 40 00                    push    SSZ00402058_MessageBoxA

    50                                push    eax

    FF 15 00 20 40 00                 call    [KERNEL32.dll!GetProcAddress]

    6A 00                             push    00000000h

    68 44 20 40 00                    push    SSZ00402044_Hello_

    68 34 20 40 00                    push    SSZ00402034_Hello_World_

    6A 00                             push    00000000h

    FF D0                             call    eax

    33 C0                             xor     eax,eax

    C3                                retn

    */
    //This shit aint working

    char *bv = "\x68\x4C\x20\x40\x00\xFF\x15\x04\x20\x40\x00\x68\x58\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00\x6A\x00\x68\x44\x20\x40\x00\x68\x34\x20\x40\x00\x6A\x00\xFF\xD0\x33\xC0\xC3";
    memcpy((LPVOID)((DWORD)bv + 1), &usr, 4);

    memcpy((LPVOID)((DWORD)bv + 7), &lLib, 4);

    memcpy((LPVOID)((DWORD)bv + 12), &mbox, 4);

    memcpy((LPVOID)((DWORD)bv + 19), &lProc, 4);

    memcpy((LPVOID)((DWORD)bv + 26), &title, 4);

    memcpy((LPVOID)((DWORD)bv + 31), &msg, 4);
    typedef void (* fp)();

    fp p = (fp)bv;

    p();
    return 0;

}

Someone enlighten me up!

Thanks.

August 20, 201312 yr

char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload here

int main()

{

int (*func)();

func = (int (*)()) code;

(int)(*func)();

}

August 21, 201312 yr

Author

char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload hereint main(){   int (*func)();   func = (int (*)()) code;   (int)(*func)();}

still not working bro =\

anyone had an idea?

August 21, 201312 yr

I don't know, threw this together fast and it worked on win7/mingw. MessageBoxA addy is hardcoded, replace w/your own or make another LoadLibrary/GetProcAddy shellcode, run it before, and pass function address.



    #include <cstdlib>

    #include <iostream>

    #include <windows.h>
    using namespace std;
    int main(int argc, char *argv[])

    {
        HMODULE hModule   = LoadLibraryA( "user32.dll" );

        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
        //printf("%d \n", fFuncProc);

                                                                                                                                                                  // 765fea71 = MessageBoxA

        char ShellCode[] = "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xdc\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xcc\x33\xc0\x50\x53\x51\x50\x50\xc7\xc6\x71\xea\x5f\x76\xff\xe6"; 

        // above shellcode runs message box that says "simple"
        int (*func)();

        func = (int (*)()) ShellCode;

        (int)(*func)();

    }

August 21, 201312 yr

Author

I don't know, threw this together fast and it worked on win7/mingw. MessageBoxA addy is hardcoded, replace w/your own or make another LoadLibrary/GetProcAddy shellcode, run it before, and pass function address.
#include <cstdlib>
#include <iostream>
#include <windows.h>

using namespace std;

int main(int argc, char *argv[])
{

HMODULE hModule = LoadLibraryA( "user32.dll" );
FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );

//printf("%d \n", fFuncProc);
// 765fea71 = MessageBoxA
char ShellCode[] = "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xdc\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xcc\x33\xc0\x50\x53\x51\x50\x50\xc7\xc6\x71\xea\x5f\x76\xff\xe6";
// above shellcode runs message box that says "simple"

int (*func)();
func = (int (*)()) ShellCode;
(int)(*func)();
}

Ok i will try your samble and report the result later.

Im using vsc++ 2010 so i dont know whether theres a differences when compiling between those compiler.

August 21, 201312 yr

Didn't bother to pick apart your shellcode, but I see in your c++ code that you're not minding the endians. GetProcAddress will return a number like 00112233, but in your shellcode it needs to be 33221100 and same thing w/strings, you can't just copy them in normally. You'll probably also need to do additional string formatting work like converting the strings/function addy to hex, then manually putting "\x" in front, then memcpy them in. Load it in Olly to see where it fails. There's a ton of tutorials on this topic out there.

August 23, 201312 yr

Endianness has nothing to do with the problem, since the write and the read use the same byte-order.

The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes:

DWORD plLib=&lLib;

DWORD plProc=&lProc;

memcpy((LPVOID)((DWORD)bv + 7), &plLib, 4);

memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4);

Also make sure that DEP is disabled for your process, or you'll get an exception when running the BV code.

I tried it. It works.

1

August 25, 201312 yr

Author

Endianness has nothing to do with the problem, since the write and the read use the same byte-order. The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes: DWORD plLib=&lLib; DWORD plProc=&lProc; memcpy((LPVOID)((DWORD)bv + 7), &plLib, 4); memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4); Also make sure that DEP is disabled for your process, or you'll get an exception when running the BV code. I tried it. It works.

Finally i got it working.

Thanks mate

Sign In

ShellCode Aint working!

Featured Replies

Create an account or sign in to comment

Account

Navigation

Search

Configure browser push notifications

Chrome (Android)

Chrome (Desktop)

Safari (iOS 16.4+)

Safari (macOS)

Edge (Android)

Edge (Desktop)

Firefox (Android)

Firefox (Desktop)