RE: Shellcoding ... again.

I've been working on writing shellcode for win32 as well. The following should be what you're looking for:

unsigned char shellcode[] =
"\x33\xff" // xor edi, edi

"\xfd\x98\xe7\x77" is the address of ExitProcess on xp sp1, in reverse
order. I got the bytecodes from the VC++ Debugger disassembly.

-----Original Message-----
From: deepcode . [mailto:pondermate@hotmail.com] Sent: Thursday, July 24, 2003 11:57 AM
To: vuln-dev@securityfocus.com
Subject: Shellcoding ... again.

Here I am again with shellcoding questions ... bear with me, its hard to find info on this subject other than txts with 2 pages of assembly codes that constitutes a remote, http-trojan downloading, all portable, optimized shellcodes that I can't even begin to assimilate.

I'm just trying a simple ExitProcess shellcode, hardcoded address. (By the way, this is on win32.)

kernel32.dll

imagebase= 0x77E80000
ExitProcess RVA = 0x0000F32D

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Got these from DUMPPE, added them together to get 0x77E8F32D for ExitProcess

address. Pretty
sure thats the right way to get address.

To test it out, I wrote a program that used inline assembly with that address.

int main()
{
HINSTANCE h;

h = LoadLibrary("kernel32.dll");

__asm("
xor %edi, %edi
push %edi
call 0x77E8F32D
");

FreeLibrary(h);
}

The program runs fine. No errors, no problems at all, so i'm assuming it worked just fine.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

When disassembled in Gdb(win32 port), I followed from xor edi, edi with x/bx

to get the
opcodes

0x31, 0xFF, 0x57 for the xor and push; which doesn't seem right. 0xE8 for call, and and then 0xF9, 0xE0, 0xA8 and 0x77. I assume it loaded into memory
at diferent addresses and got addresses changed, no biggy.

I put the codes into a char array shellcode, and put my original address in after the 0xE8
backwards (I think thats how to do it.) and it errors out.

I've tried rearranging the address all possible combinations, so I don't think thats the
problem.

char shellcode[] =
"\x31\xFF\x57\xE8" // opcodes gotten from gdb

int main(void)
{

     HINSTANCE h;

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

     h = LoadLibrary("kernel32.dll");

    ((void (*)(void)) &shellcode)();

    FreeLibrary(h);
}

I'm getting lost now ... this was so much easier on unix.

if anyone would like to help me out, i'd appreciate it.

deepcode