Tuts 4 You

ShellCode Aint working!


StoneHeart


I'm trying to create a shellcode but it ain't working. Maybe I'm doing it wrong or I dunno lol



#include <windows.h>
#include <string.h>

int main()
{
    char *msg = "Hello World!";
    char *title = "World!";
    char *usr = "user32.dll";
    char *mbox = "MessageBoxA";

    DWORD lLib = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "LoadLibraryA");
    DWORD lProc = (DWORD)GetProcAddress(LoadLibraryA("kernel32"), "GetProcAddress");

    //This shit works
    /*
    __asm
    {
        push    usr
        call    [lLib]
        push    mbox
        push    eax
        call    [lProc]
        push    00000000h
        push    title
        push    msg
        push    00000000h
        call    eax
        xor     eax,eax
        retn
    }
    */

    /*
    //Extracted using pe explorer
    void HelloWorld()
    {
        char* szMessage = "Hello World!";
        char* szCaption = "Hello!";

        HMODULE hModule   = LoadLibraryA( "user32.dll" );
        FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );

        ( ( int ( WINAPI *)( HWND, LPCSTR, LPCSTR, UINT ) ) fFuncProc )( 0, szMessage, szCaption, 0 );
    }

    68 4C 20 40 00                    push    SSZ0040204C_user32_dll
    FF 15 04 20 40 00                 call    [KERNEL32.dll!LoadLibraryA]
    68 58 20 40 00                    push    SSZ00402058_MessageBoxA
    50                                push    eax
    FF 15 00 20 40 00                 call    [KERNEL32.dll!GetProcAddress]
    6A 00                             push    00000000h
    68 44 20 40 00                    push    SSZ00402044_Hello_
    68 34 20 40 00                    push    SSZ00402034_Hello_World_
    6A 00                             push    00000000h
    FF D0                             call    eax
    33 C0                             xor     eax,eax
    C3                                retn
    */

    //This shit aint working
    // Byte template taken from the listing above; the dword operands are patched in below.
    // (An array rather than a pointer to a string literal, so the memcpy writes go to writable memory.)
    char bv[] = "\x68\x4C\x20\x40\x00\xFF\x15\x04\x20\x40\x00\x68\x58\x20\x40\x00\x50\xFF\x15\x00\x20\x40\x00\x6A\x00\x68\x44\x20\x40\x00\x68\x34\x20\x40\x00\x6A\x00\xFF\xD0\x33\xC0\xC3";

    memcpy((LPVOID)((DWORD)bv + 1), &usr, 4);
    memcpy((LPVOID)((DWORD)bv + 7), &lLib, 4);
    memcpy((LPVOID)((DWORD)bv + 12), &mbox, 4);
    memcpy((LPVOID)((DWORD)bv + 19), &lProc, 4);
    memcpy((LPVOID)((DWORD)bv + 26), &title, 4);
    memcpy((LPVOID)((DWORD)bv + 31), &msg, 4);

    typedef void (* fp)();
    fp p = (fp)bv;
    p();

    return 0;
}

Someone enlighten me!

Thanks.

char code[] = "\x01\x02\x03\x04\x05\x06"; // put your payload here

int main()
{
    int (*func)();
    func = (int (*)()) code;
    (int)(*func)();
}

Still not working bro =\

Anyone have an idea?

I don't know, threw this together fast and it worked on win7/mingw. MessageBoxA addy is hardcoded, replace w/your own or make another LoadLibrary/GetProcAddy shellcode, run it before, and pass function address.



#include <cstdlib>
#include <iostream>
#include <windows.h>

using namespace std;

int main(int argc, char *argv[])
{
    HMODULE hModule = LoadLibraryA( "user32.dll" );
    FARPROC fFuncProc = GetProcAddress( hModule, "MessageBoxA" );
    //printf("%d \n", fFuncProc);

    // 765fea71 = MessageBoxA
    char ShellCode[] = "\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xdc\x68\x6c\x65\x00\x00\x68\x73\x69\x6d\x70\x8b\xcc\x33\xc0\x50\x53\x51\x50\x50\xc7\xc6\x71\xea\x5f\x76\xff\xe6";
    // above shellcode runs message box that says "simple"

    int (*func)();
    func = (int (*)()) ShellCode;
    (int)(*func)();
}

OK, I will try your sample and report the result later.

I'm using VC++ 2010 so I don't know whether there's a difference when compiling between those compilers.

Didn't bother to pick apart your shellcode, but I see in your c++ code that you're not minding the endians. GetProcAddress will return a number like 00112233, but in your shellcode it needs to be 33221100 and same thing w/strings, you can't just copy them in normally. You'll probably also need to do additional string formatting work like converting the strings/function addy to hex, then manually putting "\x" in front, then memcpy them in. Load it in Olly to see where it fails. There's a ton of tutorials on this topic out there.


Peter Ferrie

Endianness has nothing to do with the problem, since the write and the read use the same byte-order.

The problem is that you're calling the actual LoadLibrary code as though it's the address of the code. Make these changes:

DWORD plLib = (DWORD)&lLib;
DWORD plProc = (DWORD)&lProc;
memcpy((LPVOID)((DWORD)bv + 7), &plLib, 4);
memcpy((LPVOID)((DWORD)bv + 19), &plProc, 4);

Also make sure that DEP is disabled for your process, or you'll get an exception when running the BV code.

I tried it. It works.

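An added illustration of Peter Ferrie's point, not code from the thread: a small decoder for the 42-byte template StoneHeart posted (the bytes are copied from that post). It walks the few x86 opcodes the template uses, reports the offset of every dword that gets patched, and flags the two that sit inside a "call [disp32]", whose operand has to be the address of a variable holding the function pointer rather than the function address itself. The offsets it returns are the same +1, +7, +12, +19, +26, +31 used by the memcpy calls.

```c
#include <stdint.h>
#include <stddef.h>
/* One decoded instruction of the 32-bit template. */
typedef struct {
    size_t len;      /* encoded length in bytes */
    size_t imm_off;  /* offset of its 32-bit immediate/displacement, 0 if none */
    int indirect;    /* 1 = "call [disp32]": operand is the ADDRESS of a pointer, not a code address */
} insn_t;
/* The 42-byte template from the thread (copied from the post above, not generated here). */
static const uint8_t TEMPLATE[] =
    "\x68\x4C\x20\x40\x00\xFF\x15\x04\x20\x40\x00\x68\x58\x20\x40\x00\x50"
    "\xFF\x15\x00\x20\x40\x00\x6A\x00\x68\x44\x20\x40\x00\x68\x34\x20\x40"
    "\x00\x6A\x00\xFF\xD0\x33\xC0\xC3";
#define TEMPLATE_LEN 42
/* Decodes only the opcodes the template uses. Returns the instruction count, or -1 on an unknown or truncated byte. */
int decode_template(const uint8_t *b, size_t n, insn_t *out, size_t max) {
    size_t i = 0, k = 0;
    while (i < n && k < max) {
        insn_t in = { 0, 0, 0 };
        uint8_t next = (i + 1 < n) ? b[i + 1] : 0;
        switch (b[i]) {
        case 0x68: in.len = 5; in.imm_off = i + 1; break;         /* push imm32 */
        case 0x6A: in.len = 2; break;                              /* push imm8  */
        case 0x50: in.len = 1; break;                              /* push eax   */
        case 0xC3: in.len = 1; break;                              /* retn       */
        case 0x33: if (next != 0xC0) return -1; in.len = 2; break; /* xor eax,eax */
        case 0xFF:                                                 /* FF /2 = call r/m32 */
            if (next == 0x15) { in.len = 6; in.imm_off = i + 2; in.indirect = 1; break; } /* call [disp32] */
            if (next == 0xD0) { in.len = 2; break; }                                       /* call eax */
            return -1;
        default: return -1;
        }
        if (i + in.len > n) return -1;
        out[k++] = in;
        i += in.len;
    }
    return (i == n) ? (int)k : -1;
}

/* Offset of the idx-th dword that must be patched, or -1. *indirect is set to 1 when that dword
   sits in "call [disp32]" and so must hold the ADDRESS of a variable containing the function
   pointer (&lLib, &lProc): the CPU loads the pointer from that address and then calls through it. */
int patch_site(size_t idx, int *indirect) {
    insn_t ins[16];
    int n = decode_template(TEMPLATE, TEMPLATE_LEN, ins, 16);
    for (int j = 0; j < n; j++) {
        if (!ins[j].imm_off) continue;
        if (idx-- == 0) { if (indirect) *indirect = ins[j].indirect; return (int)ins[j].imm_off; }
    }
    return -1;
}
```

It only inspects the bytes; nothing in the template is executed.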

Finally I got it working.

Thanks mate :)
