Go4Expert (http://www.go4expert.com/)
Ethical hacking Tips > About Shell code (http://www.go4expert.com/articles/about-shell-code-t11833/)

XXxxImmortalxxXX 4Jul2008 12:40

About Shell code
 




In this tutorial you'll learn about shellcode, provided, of course, that you read the whole article.

Let's begin.

How do we obtain shellcode?



What is shellcoding? Originally, when we talked about shellcode we meant code that returns a remote shell when it is executed. The meaning has since broadened, and today we understand it this way: any byte code that is placed in an exploit and performs some action. CAUTION! Shellcode must not contain null bytes (a 0x00 byte terminates a C string, so a payload copied by a string function would be cut off right there), and the smaller it is, the better. One more important point: in this tutorial I'll cover only Windows shellcoding! Thanks, Slick, for your help!

The tools you'll need:
1. NASM (the ASM source is assembled with NASM)
Download:
Code:

http://nasm.sourceforge.net/
2. ALINK (the .exe is linked with this tool)
Download:
Code:

http://alink.sourceforge.net/download.html
3. ARWIN (a C program which, once compiled, finds the address of an API function inside a DLL)
Download:
Code:

http://www.vividmachines.com/shellcode/arwin.c
4. W32DASM (disassembles both 16- and 32-bit Windows programs; displays exports, imports, menu, dialog and text references; has an integrated debugger for 32-bit programs (16-bit debugging not available); includes text search and navigation functions. I recommend v8.93.)
5. WDHEX (a handy tool which copies the shellcode out of a disassembly listing saved as .ALF with W32DASM)
Download:
Code:

http://rapidshare.com/files/46936025/wdhex.exe.html
Now that we have these tools and a little basic knowledge of ASM, let's see how to extract the shellcode and, furthermore, how to optimize the ASM code for shellcode, because we want the size to be as small as possible and no null bytes (\x00) at all.

Let's consider a small ASM program which doesn't do much: just a BEEP! CAUTION! One detail I won't go into in this tutorial (maybe in the next one): every application is loaded together with kernel32.dll, so using API functions from other DLLs (user32.dll, etc.) requires loading that library first (two very important API functions: LoadLibraryA and GetProcAddress). Another thing: when we extract the shellcode, we extract it only from the zone beginning at the program's start in the ASM source; declaring variables there is NOT allowed, and importing API functions above that section is just as incorrect. Let's look at an incorrect example:
Code:

%include "win32n.inc"

extern SetCursorPos
import SetCursorPos user32.dll
title db "hello",0
message db "hello world",0

So, you get the idea? I'll now present a small CORRECT example; after that we'll leave this topic and move on to developing the basics of shellcoding.
Code:

segment .code USE32
..start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx            ; edx = 0; dl is used below to write the terminating null byte
jmp short function      ; jump to the label function
function2:
pop eax                 ; pop the return address pushed by "call function2": it points at 'user32.dllN'
mov byte [eax+10], dl   ; overwrite the 'N' (offset 10) with 0, so the string reads 'user32.dll'
mov ebx, 0x77e7d961     ; address of LoadLibraryA
push eax                ; argument: pointer to "user32.dll"
call ebx                ; call LoadLibraryA
mov ecx, eax            ; ecx = module handle of user32.dll
xor eax, eax
xor edx, edx            ; edx is caller-saved and may have been clobbered by the call, so zero it again
jmp short function3
function4:
pop eax                 ; eax points at 'SetCursorPosN'
mov byte [eax+12], dl   ; overwrite the 'N' (offset 12) with 0
mov ebx, 0x77e7b332     ; address of GetProcAddress
push eax                ; second argument: the function name
push ecx                ; first argument: the module handle (stdcall pushes right to left)
call ebx                ; call GetProcAddress; eax = address of SetCursorPos
the_rest:
push byte 1             ; Y
push byte 1             ; X
call eax                ; SetCursorPos(1, 1)
mov ebx, 0x77e798fd     ; address of ExitProcess
push byte 1
call ebx                ; ExitProcess(1)
function:
call function2          ; pushes the address of the string below, then continues at function2
db 'user32.dllN'        ; N is a placeholder for the null terminator
function3:
call function4
db 'SetCursorPosN'

In FASM the code is much simpler, because we can use the variables directly; in NASM we can't write "push something / call APIfunction" unless "something" is a number. Before we execute the label of an API function we jump to another label, which calls the initial label containing a very important element: db 'SetCursorPosN', where SetCursorPos is the name of the "variable" we need to use, and N stands for the null byte (it is overwritten with 0 at run time, because a literal \x00 is not allowed in the shellcode). I'll carry on now, hoping you understood something from the code above, and move on to simpler things. Let's consider again our small program, which makes the BEEP.
Code:

;beep.asm
segment .code USE32
..start:
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    mov ebx, 0x77eac910  ;address of the Beep function in kernel32.dll
    mov ax, 750          ;the sound frequency in Hertz
    mov cx, 3000         ;duration of the Beep in milliseconds
    push ecx             ;Beep(dwFreq, dwDuration) is stdcall: arguments are pushed right to left,
    push eax             ;so the duration goes first and the frequency last
    call ebx             ;call Beep
    mov ebx, 0x77e798fd  ;address of ExitProcess in kernel32.dll
    mov ax, 1
    push eax             ;exit code
    call ebx             ;call ExitProcess

If you want to learn more about the Beep API function:
Code:

http://msdn2.microsoft.com/en-us/library/ms679277.aspx
On Windows, a NASM program begins with "segment .code USE32" followed by "..start:"; on Linux it begins with "[SECTION .text]", "global _start" and "_start:".
CAUTION! The addresses of API functions inside the DLLs can differ from one Windows user to another, because of different Windows versions, Service Pack levels and the updates that are released all the time. That's why we use ARWIN to find the function addresses in the DLLs of our own Windows.
Using CMD, enter the folder where you saved arwin.exe. Then type the following command: arwin.exe TheDllName FunctionName. For example: arwin.exe kernel32.dll Beep. Maybe the following image will be helpful:

http://www.go4expert.com/images/arti.../arwin2qz4.jpg

After you're done with the API addresses above, the fun can start! Copy the code (with your modifications) into Notepad and save it with the .ASM extension (File -> Save As -> Filename: beep.asm). So our file is named beep, got it? OK. It is best to keep all the files above (and the compiled ones too, if necessary) in one folder. Now open CMD to assemble the ASM code and turn it into an .exe! In CMD, enter the folder (where you saved the files), then type the following command:
nasmw.exe -fobj beep.asm
This step also checks for errors; if there are none, we can go further. Type in CMD:
alink -c -oPE -subsys gui beep
If the operation succeeded, you can type beep in CMD to run it.
Maybe this image will help:

http://www.go4expert.com/images/arti...e/alinkzw8.jpg

Now that we have created the exe, let's extract the shellcode. To do this, open the .exe with W32DASM.

http://www.go4expert.com/images/arti...ode/assfq5.jpg

In the above image you can see (left to right): addresses, shellcode (the instruction bytes) and the ASM code. We can extract this shellcode manually; for example, from 31C031DB we obtain
"\x31\xC0\x31\xDB". Or we can use wdhex (an automatic extractor). For that, we need to save everything W32DASM showed us. How? Easy: File -> Save Disassembly Text File and Create Project File -> Filename: beep.ALF -> OK.
Note: the extension needs to be .ALF, NOT .ELF (as some of you know, ELF is the Linux executable format).
Now go to CMD -> the folder where you saved beep.alf -> type: wdhex beep.alf, and the app will show the extracted shellcode.

http://www.go4expert.com/images/arti...e/wdhexgo3.jpg

Conclusion:

Our shellcode is:
Code:

char shellcode[]=
"\x31\xC0\x31\xDB\x31\xC9\xBB\x10\xC9\xEA\x77\x66\xB8\xEE\x02"
"\x66\xB9\xB8\x0B\x50\x51\xFF\xD3\xBB\xFD\x98\xE7\x77\x66\xB8"
"\x00\x00\x50\xFF\xD3";

How can we verify that the shellcode works? Very simple!!! Let's consider this C application:
Code:

/* shellcodetest.c */
/* Paste the shellcode bytes here in place of the placeholder string. */
char code[] = "bytecode will go here!";

int main(int argc, char **argv)
{
    /* Treat the byte array as a function and call it.
       Note: on a Windows with DEP enabled the .data section is not executable,
       so this call faults unless the bytes are first copied into memory mapped
       with execute permission (e.g. VirtualAlloc with PAGE_EXECUTE_READWRITE). */
    int (*func)(void);
    func = (int (*)(void)) code;
    (*func)();
    return 0;
}

Fellas, you'll need to replace "bytecode will go here!" with your shellcode, then compile the program into an .exe and see if it works.
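Before the bytes go into shellcodetest.c it is worth checking them. The following C program is an added example (it is not part of the original post and not the code of wdhex or any other tool listed above): it does what the manual "31C031DB -> \x31\xC0\x31\xDB" step does, producing a ready-to-paste C string, and then audits a byte buffer against the no-null-bytes rule from the start of the tutorial. The function names and error handling are my own; the 35 bytes in PAGE_SHELLCODE are copied from the listing in the Conclusion.

```c
/*
 * Added example: W32DASM hex column -> bytes -> C escapes, plus a null-byte audit.
 *
 *  - hex_to_bytes()     parses a hex string (whitespace ignored; a non-hex
 *                       character, an odd number of digits or a too-small
 *                       output buffer is reported as an error)
 *  - to_c_escapes()     renders bytes as "\x31\xC0..." for a char array
 *  - count_null_bytes() reports every 0x00 in a buffer and where it sits
 */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* The shellcode exactly as listed in the post above (35 bytes). */
static const unsigned char PAGE_SHELLCODE[] = {
    0x31,0xC0,0x31,0xDB,0x31,0xC9,0xBB,0x10,0xC9,0xEA,0x77,0x66,0xB8,0xEE,0x02,
    0x66,0xB9,0xB8,0x0B,0x50,0x51,0xFF,0xD3,0xBB,0xFD,0x98,0xE7,0x77,0x66,0xB8,
    0x00,0x00,0x50,0xFF,0xD3
};
#define PAGE_SHELLCODE_LEN (sizeof PAGE_SHELLCODE)

static int hex_nibble(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Convert "31C031DB" (spaces and newlines allowed) into raw bytes.
 * Returns the number of bytes written, or -1 on malformed input. */
int hex_to_bytes(const char *hex, unsigned char *out, size_t out_max)
{
    size_t n = 0;
    int hi = -1;                       /* high nibble waiting for its partner */
    for (const char *p = hex; *p; p++) {
        if (isspace((unsigned char)*p)) continue;
        int v = hex_nibble((unsigned char)*p);
        if (v < 0) return -1;          /* not a hex digit */
        if (hi < 0) { hi = v; continue; }
        if (n >= out_max) return -1;   /* output buffer too small */
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi >= 0 ? -1 : (int)n;      /* a dangling nibble means odd length */
}

/* Render bytes as "\x31\xC0..." (4 characters per byte). dst needs 4*n+1 bytes;
 * if it is smaller, an empty string is produced. Returns dst. */
char *to_c_escapes(const unsigned char *bytes, size_t n, char *dst, size_t dst_max)
{
    if (dst_max < 4 * n + 1) { dst[0] = '\0'; return dst; }
    char *w = dst;
    for (size_t i = 0; i < n; i++)
        w += sprintf(w, "\\x%02X", bytes[i]);
    *w = '\0';
    return dst;
}

/* Count 0x00 bytes; record up to max_offsets of their positions in offsets. */
int count_null_bytes(const unsigned char *bytes, size_t n, size_t *offsets, size_t max_offsets)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (bytes[i] == 0x00) {
            if ((size_t)count < max_offsets) offsets[count] = i;
            count++;
        }
    }
    return count;
}

int main(void)
{
    unsigned char buf[64];
    char text[4 * sizeof buf + 1];
    size_t where[8];

    /* The manual example from the post: 31C031DB. */
    int n = hex_to_bytes("31C031DB", buf, sizeof buf);
    printf("%d bytes -> \"%s\"\n", n, to_c_escapes(buf, (size_t)n, text, sizeof text));

    /* Audit the listed shellcode against the no-null-bytes rule. */
    int nulls = count_null_bytes(PAGE_SHELLCODE, PAGE_SHELLCODE_LEN, where, 8);
    printf("%zu bytes, %d null byte(s)", PAGE_SHELLCODE_LEN, nulls);
    for (int i = 0; i < nulls && i < 8; i++)
        printf("%s offset %zu", i ? "," : " at", where[i]);
    putchar('\n');
    return 0;
}
```

The audit reports two 0x00 bytes at offsets 30 and 31: they are the 16-bit immediate of the final "mov ax" in the listing (\x66\xB8\x00\x00), which is exactly what the CAUTION at the top warns against, and a payload copied through a string function would stop right there. The usual cure is the one the rest of the program already applies: zero the register first and load the small value through the narrowest register that fits (mov al, 1 assembles to B0 01, with no null byte), then re-extract and re-run the audit.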

Here are some good links:

Code:

http://www.vividmachines.com/shellcode/shellcode.html
http://www.bradleybeast.com/content/view/84/
NOTE: VLAD IS NOT A REAL USER ACCOUNT; IT IS A FAKE ACCOUNT THAT HAS BEEN DELETED AND IS NO LONGER AVAILABLE.

Hope you all like my tutorial; if you need help, don't hesitate to ask me.

