ShellCode Aint working!

[StoneHeart]

Im trying to create a shellcode but it aint working. Maybe im doing it wrong or i dunno lol

int main()

{

    char *msg = "Hello World!";

    char *title = "World!";

    char *usr ="user32.dll";

    char *mbox ="MessageBoxA";
    DWORD lLib = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "LoadLibraryA");

    DWORD lProc = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "GetProcAddress");
    //This shit works

    /*

    __asm

    {

        push    usr

        call    [lLib]

        push    mbox

        push    eax

        call    [lProc]

        push    00000000h

        push    title

        push    msg

        push    00000000h

        call    eax

        xor     eax,eax

        retn

    }

    */
    /*

    //Extracted using pe explorer

    void HelloWorld()

    {

        char* szMessage = "Hello World!";

        char* szCaption = "Hello!";
        HMODULE hModule   = LoadLibraryA( "user32.dll" );

        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
        ( ( int ( WINAPI *)( HWND, LPCSTR, LPCSTR, UINT ) ) fFuncProc )( 0, szMessage, szCaption, 0 );
    }
    68 4C 20 40 00                    push    SSZ0040204C_user32_dll

    FF 15 04 20 40 00                 call    [KERNEL32.dll!LoadLibraryA]

    68 58 20 40 00                    push    SSZ00402058_MessageBoxA

    50                                push    eax

    FF 15 00 20 40 00                 call    [KERNEL32.dll!GetProcAddress]

    6A 00                             push    00000000h

    68 44 20 40 00                    push    SSZ00402044_Hello_

    68 34 20 40 00                    push    SSZ00402034_Hello_World_

    6A 00                             push    00000000h

    FF D0                             call    eax

    33 C0                             xor     eax,eax

    C3                                retn

    */
    //This shit aint working

    char *bv = "\x68\x4C\x20\x40\x00\xFF\x15\x04\x20\x40\x00\x68\x58\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00\x6A\x00\x68\x44\x20\x40\x00\x68\x34\x20\x40\x00\x6A\x00\xFF\xD0\x33\xC0\xC3";
    memcpy((LPVOID)((DWORD)bv + 1), &usr, 4);

    memcpy((LPVOID)((DWORD)bv + 7), &lLib, 4);

    memcpy((LPVOID)((DWORD)bv + 12), &mbox, 4);

    memcpy((LPVOID)((DWORD)bv + 19), &lProc, 4);

    memcpy((LPVOID)((DWORD)bv + 26), &title, 4);

    memcpy((LPVOID)((DWORD)bv + 31), &msg, 4);
    typedef void (* fp)();

    fp p = (fp)bv;

    p();
    return 0;

}

Someone enlighten me up!

 

Thanks.

 

 

[simple]

char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload here

int main()

{

int (*func)();

func = (int (*)()) code;

(int)(*func)();

}

[StoneHeart]

char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload hereint main(){   int (*func)();   func = (int (*)()) code;   (int)(*func)();}

 

still not working bro =\

 

anyone had an idea?

 

[simple]

I don't know, threw this together fast and it worked on win7/mingw. MessageBoxA addy is hardcoded, replace w/your own or make another LoadLibrary/GetProcAddy shellcode, run it before, and pass function address.

    #include <cstdlib>

    #include <iostream>

    #include <windows.h>
    using namespace std;
    int main(int argc, char *argv[])

    {
        HMODULE hModule   = LoadLibraryA( "user32.dll" );

        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
        //printf("%d \n", fFuncProc);

                                                                                                                                                                  // 765fea71 = MessageBoxA

        char ShellCode[] = "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xdc\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xcc\x33\xc0\x50\x53\x51\x50\x50\xc7\xc6\x71\xea\x5f\x76\xff\xe6"; 

        // above shellcode runs message box that says "simple"
        int (*func)();

        func = (int (*)()) ShellCode;

        (int)(*func)();

    }

[StoneHeart]

 

I don't know, threw this together fast and it worked on win7/mingw. MessageBoxA addy is hardcoded, replace w/your own or make another LoadLibrary/GetProcAddy shellcode, run it before, and pass function address.

#include <cstdlib>

#include <iostream>

#include <windows.h>

using namespace std;

int main(int argc, char *argv[])

{

HMODULE hModule = LoadLibraryA( "user32.dll" );

FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );

//printf("%d \n", fFuncProc);

// 765fea71 = MessageBoxA

char ShellCode[] = "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xdc\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xcc\x33\xc0\x50\x53\x51\x50\x50\xc7\xc6\x71\xea\x5f\x76\xff\xe6";

// above shellcode runs message box that says "simple"

int (*func)();

func = (int (*)()) ShellCode;

(int)(*func)();

}

 

Ok i will try your samble and report the result later.

 

Im using vsc++ 2010 so i dont know whether theres a differences when compiling between those compiler.

[simple]

Didn't bother to pick apart your shellcode, but I see in your c++ code that you're not minding the endians. GetProcAddress will return a number like 00112233, but in your shellcode it needs to be 33221100 and same thing w/strings, you can't just copy them in normally. You'll probably also need to do additional string formatting work like converting the strings/function addy to hex, then manually putting "\x" in front, then memcpy them in. Load it in Olly to see where it fails. There's a ton of tutorials on this topic out there.

[Peter Ferrie]

Endianness has nothing to do with the problem, since the write and the read use the same byte-order.

The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes:

DWORD plLib=&lLib;

DWORD plProc=&lProc;

memcpy((LPVOID)((DWORD)bv + 7), &plLib, 4);

memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4);

Also make sure that DEP is disabled for your process, or you'll get an exception when running the BV code.

I tried it. It works.

[StoneHeart]

Endianness has nothing to do with the problem, since the write and the read use the same byte-order. The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes: DWORD plLib=&lLib; DWORD plProc=&lProc; memcpy((LPVOID)((DWORD)bv + 7), &plLib, 4); memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4); Also make sure that DEP is disabled for your process, or you'll get an exception when running the BV code. I tried it. It works.

 

Finally i got it working.

 

Thanks mate