About ShellCode In this tutorial you'll learn all about shellcode, of course if you'll be reading this article. Let's begin. How could we obtain a ShellCode? What is ShellCodeing? First of all, when we think about ShellCodeing, we think about a Code that will return a remote shell when it's executed. The meaning of ShellCode evolved, now we understand it this way: any byte code which is introduced in an exploit, how'll take an action. CAUTION! A ShellCode cannot contain Null Bytes, and it's even more beautiful if the byte size is small. Another think, important, of course, in this tutorial i'll present only Windows ShellCodeing!Thank's Slick for your help! The tool's you'll need : 1. NASM (The compiling of ASM will make it with NASM) Download : code: Code: http://nasm.sourceforge.net/ 2. ALINK (*.exe will make it with this tool) Download : Code: Code: http://alink.sourceforge.net/download.html 3. ARWIN [With this program C, which will be compiled, we can find the API function address in the dll) Download : Code: Code: http://www.vividmachines.com/shellcode/arwin.c 4. W32DASM [· Disassembles Both 16 and 32 Bit Windows Programs · Displays for Exports, Imports, Menu, Dialog, and Text References · Integrated Debugger for 32 Bit Programs (16 Bit Debug Not Available) · Includes Text Search and Navigation Functions. I recommend v.8.93] 5. WDHEX [A useful tool which copyed the ShellCode from a list to anther .afl saved with W32DASMU]. Download : Code: Code: http://rapidshare.com/files/46936025/wdhex.exe.html Now that we have this tool's and a little decent knowledge about ASM, let's see how will extract the ShellCode and ,further more, to optimize the ASM code for ShellCode, because we want to have the size as small as possible; without Null Bytes (\x00). Let's consider a little ASM code, which dosen't do much, only a BEEP! CAUTION! A detailed thing . . . i 'll not reach in this tutorial (maybe, the next tutorial) : any kind of application come's loaded with kernel32.dll, so useing other API function's from other dll's (user32.dll, etc.) will need to load the library ( 2 API function's <<very important>> : LoadLibraryA and GetProcAddress).Another thing, when will extract the ShellCode, will extract him only from the zone .. start of the programe made in ASM; declareing the variable's is DENIED!, and importing API function's above this section is the same: incorrect. Let's see an incorrect code: Code: Code: %include "win32n.inc" extern SetCursorPos import SetCursorPos user32.dll title db "hello",0 message db "hello world",0 So, you get the idea? i'll present now a little code, a CORRECT one, after this will leave this idea and move on to dezvolting the base's of ShellCodeing. Code: Code: segment .code USE32 ..start xor eax, eax xor ebx, ebx xor ecx, ecx xor edx, edx jmp short function ; jump to the label @function function2: pop eax ;remove's the stack from the last value and put's it in eax mov byte [eax+10], dl ;we write 10 character's: user32.dll, ignore N mov ebx, 0x77e7d961 ;function address LoadLibraryA push eax ;same thing with push user32.dll call ebx ;calling LoadLibraryA mov ecx, eax xor eax, eax jmp short function3 function4: pop eax mov byte [eax+12], dl mov ebx, 0x77e7b332 ;function address GetProcAddress push eax push ecx call ebx the rest: push byte 1 push byte 1 call eax ;SetCursorPos mov ebx, 0x77e798fd ;function address ExitProcess push byte 1 call ebx function: call function2 db 'user32.dllN' jmp short function2 ; jump (back to labe @function2) function3: call function4 db 'SetCursorPosN' The code in FASM is much mode simple, because we could use direct the variable's, and in NASM we can't write like : push something Call(APIfunction), only if something is a number. Before we execute the lable of a API function we jumped to another label which calles the initial label which contain's a very important element: db 'SetCursorPosN', where SetCursorPos is the name of the "variable" needed to be used of course; N come's from Null Byte. I'll carry on now, hopeing you understand something from the above code, i'll move on to simple thing's. Let's consider again our little code, which make's the BEEP. Code: Code: ;beep.asm segment .code USE32 ..start: xor eax, eax xor ebx, ebx xor ecx, ecx mov ebx, 0x77eac910 ;Beep function address from kernel32.dll mov ax, 750 ;the sound frequency in Hertz mov cx, 3000 ;time of the Beep push eax push ecx call ebx ;Calling function Beep mov ebx, 0x77e798fd ;ExitProcess Function address in kernel32.dll mov ax, 1 push eax call ebx If you want to learn more about the API function Beep : Code: http://msdn2.microsoft.com/en-us/library/ms679277.aspx In Windows, a NASM code begin's with segment .code USE32..start:, and Linux : [SECTION .text] global _start_start: CAUTION! The API function addresses in dll's can differ from a windows user to another, because the Windows version's, Service Pack version's and the different update's which are made daily. That's why will use ARWIN to find out the function addresses in dll's from our Windows. Will enter the folder were we saved the arwin.exe useing CMD!! After we made it, type the following command: arwin.exe TheDllName FunctionName. For example, we can put: arwin.exe kernel32.dll Beep. Maybe the following image will be helpful: After your done with the API code above, the fun can start! Copy the code (with your modification) in Notepad and then save it with .ASM extension (File -> Save As -> Filename: beep.asm). So our file will be named like : beep, got it? Ok. It would be better to save all the file's above ( the compiled one's 2 - if it's necessary ) in a folder. Now open CMD to compile the ASM code and to make it .exe ! Enter in CMD in the folder ( were you saved the shit ), then type the following command : nasmw.exe -fobj beep.asm This way were checking for error's, now we can go further. Type in cmd CMD : alink -c -oPE -subsys gui beep If the operation worked you can type beep in CMD to run. Maybe this image will help : Now we created the exe, let's extract the ShellCode. For this, open .exe with W32DASM. n the above image, you can see : addresses, shellcode and the ASM code ( left -> right ).We can extract this shellcode manual, for example from 31C031DB we obtain : “\x31\xC0\x31\xDBâ€, or useing wdhex (automatic extractor for the code). For this thing, we need to save all we have seen in W32DASM. How? Easy: File -> Save Disassembly Text File and Create Project File -> FileName: beep.ALF -> Ok. Note: the extension need to be : .ALF, NOT .ELF ( some of you guy's know, i mean, it's for Linux ). Now go to : CMD -> your folder,were you saved the beep.alf -> type : wdhex beep.alf , the app will show the shellcode extracted . Conclusion: Our Shellcode is : Code: char shellcode[]= "\x31\xC0\x31\xDB\x31\xC9\xBB\x10\xC9\xEA\x77\x66\xB8\xEE\x02" "\x66\xB9\xB8\x0B\x50\x51\xFF\xD3\xBB\xFD\x98\xE7\x77\x66\xB8" "\x00\x00\x50\xFF\xD3"; How can we verify if the ShellCode work's? Very simple!!! let's consider this C application : Code: /*shellcodetest.c*/ char code[] = "bytecode will go here!"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); } Feelas you'll need to modify : "bytecode will go here!" with your shellcode, then compile the app, and make it .exe and see if it work's. here our some good links Code: http://www.vividmachines.com/shellcode/shellcode.html Code: [url]http://en.wikipedia.org/wiki/Shellcode[/url] Code: http://www.bradleybeast.com/content/view/84/ NOTE:THAT VLAD IS NOT A REAL USER ACCOUNT IT IS A FALSE ACCOUNT THAT HAS BEEN DELETED. AND IS NO LONGER AVAILBE Hope you all like my tutorial if you need help dont hesitate to ask me
