Metasploit mailing list archives

Creating Shellcode


From: hdm at metasploit.com (H D Moore)
Date: Thu, 7 Feb 2008 13:26:46 -0600

The objdump output does not equal shellcode, especially if you make *any* 
library calls. On Linux and BSD, you can avoid library calls by going 
directly to inlined syscalls in your C code, however, on Windows, you 
really need to access functions inside kernel32 to make any progress. 
Unless you write your C code very carefully (and essentially mimic what 
most Windows shellcode does with regards to finding the base of 
kernel32), it just won't work.

There are a few options available for doing this properly:

InlineEgg - http://oss.coresecurity.com/projects/inlineegg.html
MOSDEF - http://immunitysec.com/resources-freesoftware.shtml
METASM - http://metasm.cr0.org/ (C compiler is new, not sure if it does 
Windows yet)

-HD

On Thursday 07 February 2008, macubergeek at comcast.net wrote:
I just ran objdump -Dslx against nc.exe on a Linux box. It seems to
work ok. Can you see any reason why objdump wouldn't work properly
against windows executables as well as Linux binaries?
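The point HD makes above, that disassembly lifted from a compiled binary is not self-contained once it calls into a library, can be checked mechanically. The following is an added example, not code from the thread or from any of the listed projects: it scans constructed `objdump -dr` output for relocation entries and `@plt` calls and reports, per function, which symbols the bytes still depend on. The function names `say_hi` and `raw_exit` and the sample dump are constructed for illustration.

```python
import re

# Constructed sample of `objdump -dr` output for an x86-64 object file
# (not from the original thread). say_hi() calls puts() and references a
# string in .rodata; raw_exit() uses only an inlined syscall.
SAMPLE = """\
0000000000000000 <say_hi>:
   0:   55                      push   %rbp
   1:   48 8d 3d 00 00 00 00    lea    0x0(%rip),%rdi        # 8 <say_hi+0x8>
            4: R_X86_64_PC32    .rodata-0x4
   8:   e8 00 00 00 00          call   d <say_hi+0xd>
            9: R_X86_64_PLT32   puts-0x4
   d:   5d                      pop    %rbp
   e:   c3                      ret

000000000000000f <raw_exit>:
   f:   b8 3c 00 00 00          mov    $0x3c,%eax
  14:   31 ff                   xor    %edi,%edi
  16:   0f 05                   syscall
  18:   c3                      ret
"""

FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:$")          # "0000 <name>:"
RELOC_RE = re.compile(r"^\s+[0-9a-f]+:\s+(R_\S+)\s+(\S+)$")  # "4: R_X86_64_PC32 sym"
PLT_RE = re.compile(r"<([^<>@]+)@plt>")                   # linked binaries: call <puts@plt>

def external_refs(dump: str) -> dict[str, list[str]]:
    """Map each function to the relocations / PLT stubs its bytes depend on.

    An empty list means the loader has nothing to patch in that function, so
    its raw bytes can run where they are copied; anything listed means the
    objdump bytes alone are incomplete (a library call or a data reference
    the linker or loader must resolve)."""
    refs: dict[str, list[str]] = {}
    current = None
    for line in dump.splitlines():
        if m := FUNC_RE.match(line):
            current = m.group(1)
            refs[current] = []
        elif current is None:
            continue
        elif m := RELOC_RE.match(line):
            refs[current].append(f"{m.group(1)} {m.group(2)}")
        elif m := PLT_RE.search(line):
            refs[current].append(f"PLT {m.group(1)}")
    return refs

def self_contained(dump: str) -> list[str]:
    """Names of functions whose disassembly carries no external dependency."""
    return [f for f, deps in external_refs(dump).items() if not deps]
```

Run it against real output with `objdump -dr foo.o` (or `objdump -d` on a linked binary, where the `@plt` pattern applies) to see which functions would survive being lifted out verbatim.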