flat assembler
Message board for the users of flat assembler.

shellcode error
Joined: 19 Jan 2008
Posts: 160
asmrox 19 Jan 2008, 23:41
Code:
shellcode db 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0xFF, 0x15, 0x8C, 0x30, 0x40, 0x00, 0xC3
; decodes as: push 0 (x4) ; call dword [0x0040308C] ; ret

This is the shellcode for MessageBoxA(0,0,0,0); return 0;.
I know it will work only on my version of Windows, but it's not working :(
I created a RemoteThread with the kernel32 API, and the process crashed.
I checked, and it's written properly. And I opened the process with OpenProcess. This is my first shellcode, so it's 100% wrong.


Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 19 Jan 2008, 23:52
The code isn't showing up for me, just a bar.
Joined: 19 Jan 2008
Posts: 160
asmrox 19 Jan 2008, 23:55
Don't use IE ;)
Scroll it up and down.
...and what about my error?
Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 19 Jan 2008, 23:58
There we go, uhhh is shellcode supposed to be a string? I'm not getting something...
Joined: 19 Jan 2008
Posts: 160
asmrox 20 Jan 2008, 00:03
I copy it to VirtualAllocEx'ed memory, and CreateRemoteThread it.
Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 20 Jan 2008, 00:09
I wouldn't know anythin' about shellcode, don't even know what it does.
Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 20 Jan 2008, 01:21
asmrox, it is harder than that... Or are you completely sure that at $0040308C there is an import table entry pointing to MessageBox in the process you are injecting the code into?

BTW, how did you inject the code? You just called VirtualAllocEx and used the pointer directly?

I posted some links related to this topic somewhere; try searching for "code injection" on the forum, or for WriteProcessMemory, till you find my post.
Joined: 19 Jan 2008
Posts: 160
asmrox 20 Jan 2008, 02:17
Found only this topic.
I thought maybe the address should be in big endian, but no, doesn't work. I tried with kernel32, which must have a static address:
Code:
format pe console
section '.code' code readable executable
push 1708
push 0
push 0x001F0FFF
call [OpenProcess]
mov ebx, eax
push 0x00000040
push 0x00001000
push 32
push 0
push ebx
call [VirtualAllocEx]
mov esi, eax
push 0
push 8
push shellcode
push esi
push ebx
call [WriteProcessMemory]
push 0
push 0
push 0
push esi
push 0
push 0
push ebx
call [CreateRemoteThread]
push eax
push f
call [printf]
retn -8
section '.data' data readable writeable
f db '%p',13,10,0
old dd ?
jump db 0xFF, 0x16
shellcode db 0x6A, 0x00, 0xFF, 0x15, 0x80, 0x30, 0x40, 0x00
section '.idata' import data readable
dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
dd 0,0,0,RVA kernel32_name,RVA kernel32_table
dd 0,0,0,RVA ntdll_name,RVA ntdll_table
dd 0,0,0,RVA user32_name,RVA user32_table
dd 5 dup 0
msvcrt_table:
printf dd RVA _printf
dd 0
kernel32_table:
OpenProcess dd RVA _OpenProcess
WriteProcessMemory dd RVA _WriteProcessMemory
VirtualProtectEx dd RVA _VirtualProtectEx
VirtualAllocEx dd RVA _VirtualAllocEx
CreateRemoteThread dd RVA _CreateRemoteThread
ExitProcess dd RVA _ExitProcess
dd 0
ntdll_table:
NtQuerySystemInformation dd RVA _NtQuerySystemInformation
dd 0
user32_table:
MessageBoxA dd RVA _MessageBoxA
dd 0

msvcrt_name db 'msvcrt.dll',0
kernel32_name db 'kernel32.dll',0
ntdll_name db 'ntdll.dll',0
user32_name db 'user32.dll',0

_printf db 0,0,'printf',0
_VirtualProtectEx db 0,0,'VirtualProtectEx',0
_OpenProcess db 0,0,'OpenProcess',0
_WriteProcessMemory db 0,0,'WriteProcessMemory',0
_VirtualAllocEx db 0,0,'VirtualAllocEx',0
_CreateRemoteThread db 0,0,'CreateRemoteThread',0
_ExitProcess db 0,0,'ExitProcess',0

_NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0

_MessageBoxA db 0,0,'MessageBoxA',0    
Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 20 Jan 2008, 03:44
Quote:
call [printf]
retn -8


Jesus man, what did I tell you in the other thread? ret first uses [ESP] as the return address and later does "add esp, ret_operand". Also note that since ret does not sign-extend the operand, the result is that you increment ESP by $FFF8. In the 16-bit world it would have the effect of subtracting eight, but still wrong, since instead of releasing the room occupied by the args you are duplicating it.


Well, with that said now this problem in particular...

Code:
format pe console
section '.code' code readable executable
; MODIFIED FOR TESTING:
;push 1708
;push 0
;push 0x001F0FFF
;call [OpenProcess]
;mov ebx, eax

mov  ebx, -1                     ; pseudo-handle of the current process: inject into ourselves

push 0x00000040                  ; PAGE_EXECUTE_READWRITE
push 0x00001000                  ; MEM_COMMIT
push 32
push 0
push ebx
call [VirtualAllocEx]
mov esi, eax

mov  eax, [MessageBoxA]          ; read the import slot in THIS process...
mov  [shellcode.messageBox], eax ; ...and patch the address into the blob before copying it

push 0
push sizeof.shellcode
push shellcode
push esi
push ebx
call [WriteProcessMemory]

push 0
push 0
push 0
push esi
push 0
push 0
push ebx
call [CreateRemoteThread]

push eax
push f
call [printf]
; ret -8 ; if you want this program to crash itself silently without showing the MessageBox then uncomment the instruction
add  esp, 8
ret

section '.data' data readable writeable
f db '%p',13,10,0

shellcode:
  push  0                        ; uType
  call  @f                       ; "call over" the string: its address ends up on the stack as lpCaption
  db "Hello World :D", 0
@@:
  call  @f                       ; same trick for lpText
  db "Is this supposed to be a shellcode?", 0
@@:
  push  0                        ; hWnd
  call  dword [.messageBox]
  ret
.messageBox dd ?                 ; filled at run time from the import table

sizeof.shellcode = $ - shellcode


section '.idata' import data readable
dd 0,0,0,RVA msvcrt_name,RVA msvcrt_table
dd 0,0,0,RVA kernel32_name,RVA kernel32_table
dd 0,0,0,RVA ntdll_name,RVA ntdll_table
dd 0,0,0,RVA user32_name,RVA user32_table
dd 5 dup 0
msvcrt_table:
printf dd RVA _printf
dd 0
kernel32_table:
OpenProcess dd RVA _OpenProcess
WriteProcessMemory dd RVA _WriteProcessMemory
VirtualProtectEx dd RVA _VirtualProtectEx
VirtualAllocEx dd RVA _VirtualAllocEx
CreateRemoteThread dd RVA _CreateRemoteThread
ExitProcess dd RVA _ExitProcess
dd 0
ntdll_table:
NtQuerySystemInformation dd RVA _NtQuerySystemInformation
dd 0
user32_table:
MessageBoxA dd RVA _MessageBoxA
dd 0

msvcrt_name db 'msvcrt.dll',0
kernel32_name db 'kernel32.dll',0
ntdll_name db 'ntdll.dll',0
user32_name db 'user32.dll',0

_printf db 0,0,'printf',0
_VirtualProtectEx db 0,0,'VirtualProtectEx',0
_OpenProcess db 0,0,'OpenProcess',0
_WriteProcessMemory db 0,0,'WriteProcessMemory',0
_VirtualAllocEx db 0,0,'VirtualAllocEx',0
_CreateRemoteThread db 0,0,'CreateRemoteThread',0
_ExitProcess db 0,0,'ExitProcess',0

_NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0

_MessageBoxA db 0,0,'MessageBoxA',0


But it is somewhat unreliable; the "shellcode", as you call it, must use LoadLibrary/GetProcAddress to get API function addresses. The exception is Kernel32.dll: since it is always loaded, it would be very strange for the address of, say, LoadLibrary in process A to be different in process B. (The link I posted somewhere explains this fact and also provides many other methods of code injection.)
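As an added example (not part of LocoDelAssembly's post, asmrox's code, or anything from the fasm project), here is a small Python decoder for the four opcodes that occur in the bytes posted at the top of the thread, written from the analyst's side to explain the crash. It makes the two points raised above concrete: the call goes through an absolute address (0x0040308C, an IAT slot of the original executable that means nothing in another process), and `ret imm16` zero-extends its operand, so `retn -8` (encoded C2 F8 FF) moves ESP up by 0xFFFC instead of freeing 8 bytes. The sample stack pointer 0x0012FF00 and the byte strings are constructed for the example.

```python
# Added example, not from the forum thread: decode push imm8, call dword [disp32],
# ret and ret imm16, flag hard-coded absolute operands, and model ESP after ret imm16.
import struct

# Constructed from the first post: four "push 0", "call dword [0x0040308C]", "ret".
ORIGINAL_SHELLCODE = bytes([0x6A, 0x00] * 4 + [0xFF, 0x15, 0x8C, 0x30, 0x40, 0x00, 0xC3])


def _need(code, i, n):
    """Raise a clear error instead of struct.error when the blob is truncated."""
    if i + n > len(code):
        raise ValueError(f'truncated instruction at offset {i}')


def decode(code: bytes):
    """Decode the supported subset. Returns a list of (offset, mnemonic, info).

    info carries 'len' and, where relevant, 'absolute' (a hard-coded memory
    operand) or 'esp_delta' (how far ESP moves when the instruction retires).
    """
    insns = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x6A:                                  # 6A ib: push imm8 (sign-extended)
            _need(code, i, 2)
            imm = struct.unpack_from('<b', code, i + 1)[0]
            insns.append((i, f'push {imm}', {'len': 2, 'esp_delta': -4}))
            i += 2
        elif op == 0xFF and code[i + 1:i + 2] == b'\x15':
            # FF /2 with ModRM 00 010 101: call dword [disp32], an absolute address
            _need(code, i, 6)
            target = struct.unpack_from('<I', code, i + 2)[0]
            insns.append((i, f'call dword [0x{target:08X}]', {'len': 6, 'absolute': target}))
            i += 6
        elif op == 0xC3:                                # C3: ret, pops the 4-byte return address
            insns.append((i, 'ret', {'len': 1, 'esp_delta': 4}))
            i += 1
        elif op == 0xC2:                                # C2 iw: ret imm16, then ESP += imm16 (zero-extended)
            _need(code, i, 3)
            imm = struct.unpack_from('<H', code, i + 1)[0]
            insns.append((i, f'ret 0x{imm:04X}', {'len': 3, 'esp_delta': 4 + imm}))
            i += 3
        else:
            raise ValueError(f'unsupported opcode 0x{op:02X} at offset {i}')
    return insns


def absolute_targets(code: bytes):
    """Addresses baked into the bytes. Each one ties the blob to the address
    space it was copied from; here it is one IAT slot of the author's own EXE."""
    return [info['absolute'] for _, _, info in decode(code) if 'absolute' in info]


def esp_after_ret(esp: int, imm16: int, bits: int = 32) -> int:
    """Stack pointer after 'ret imm16': the return address is popped first
    (4 bytes in 32-bit mode, 2 in 16-bit), then the ZERO-extended operand is
    added, and the result wraps at the register width."""
    mask = (1 << bits) - 1
    pop = 4 if bits == 32 else 2
    return (esp + pop + (imm16 & 0xFFFF)) & mask


if __name__ == '__main__':
    for off, mnem, info in decode(ORIGINAL_SHELLCODE):
        print(f'{off:02X}: {mnem}')
    print('absolute operands:', [hex(a) for a in absolute_targets(ORIGINAL_SHELLCODE)])
    # fasm encodes "retn -8" as C2 F8 FF, i.e. ret 0xFFF8
    print('ESP after retn -8 from 0x0012FF00  :', hex(esp_after_ret(0x0012FF00, 0xFFF8)))
    print('ESP after add esp,8 ; ret          :', hex(0x0012FF00 + 8 + 4))
```

Running it shows the original blob as four pushes, one call through 0x0040308C and a ret; the `absolute_targets` list is exactly the check LocoDelAssembly asks for (is that slot meaningful in the target process?), and `esp_after_ret` shows why `retn -8` lands ESP some 64 KiB above the frame rather than 8 bytes higher.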
Joined: 19 Jan 2008
Posts: 160
asmrox 20 Jan 2008, 04:39
I found that link, but it's only DLL injection, which is easy.
Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 20 Jan 2008, 04:54
But Win9x/Me lacks CreateRemoteThread, so it showed techniques around this topic, among others (like installing a hook), to inject the DLL, as far as I can recall.
Joined: 11 Aug 2006
Posts: 392
Location: Russian
asmfan 20 Jan 2008, 07:26
Go study assembler, lame shellcoder.
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.