Shellcoding ... again.

From: deepcode . (pondermateat_private)
Date: Thu Jul 24 2003 - 08:57:27 PDT

Next message: Patrick Strawderman: "RE: Shellcoding ... again."

Previous message: kathy tuckey: "Does IE object type overflow work only on an Administrator account?"
Next in thread: Patrick Strawderman: "RE: Shellcoding ... again."
Reply: Patrick Strawderman: "RE: Shellcoding ... again."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Here I am again with shellcoding questions ... bear with me, its hard to 
find info on this subject other than txts with 2 pages of assembly codes 
that constitutes a remote, http-trojan downloading, all portable, optimized 
shellcodes that I can't even begin to assimilate.

I'm just trying a simple ExitProcess shellcode, hardcoded address.
(By the way, this is on win32.)

kernel32.dll

imagebase=          0x77E80000
ExitProcess RVA = 0x0000F32D

Got these from DUMPPE, added them together to get 0x77E8F32D for ExitProcess 
address. Pretty
sure thats the right way to get address.

To test it out, I wrote a program that used inline assembly with that 
address.
-----------------------------------------------------
#include <windows.h>

int main()
{
HINSTANCE h;

h = LoadLibrary("kernel32.dll");

__asm("
xor %edi, %edi
push %edi
call 0x77E8F32D
");

FreeLibrary(h);
}
----------------------------------------------------

The program runs fine. No errors, no problems at all, so i'm assuming it 
worked just fine.

When disassembled in Gdb(win32 port), I followed from xor edi, edi with x/bx 
to get the
opcodes

0x31, 0xFF, 0x57 for the xor and push; which doesn't seem right.
0xE8 for call, and and then 0xF9, 0xE0, 0xA8 and 0x77. I assume it loaded 
into memory
at diferent addresses and got addresses changed, no biggy.

I put the codes into a char array shellcode, and put my original address in 
after the 0xE8
backwards (I think thats how to do it.) and it errors out.

I've tried rearranging the address all possible combinations, so I don't 
think thats the
problem.

--------------------------------------------------------
#include <windows.h>

char shellcode[] =
"\x31\xFF\x57\xE8"   // opcodes gotten from gdb
"\x2D\xF3\xE8\x77";  // address backwards.

int main(void)
{
     HINSTANCE h;

     h = LoadLibrary("kernel32.dll");

    ((void (*)(void)) &shellcode)();

    FreeLibrary(h);
}
-----------------------------------------------------

I'm getting lost now ... this was so much easier on unix.

if anyone would like to help me out, i'd appreciate it.

deepcode

_________________________________________________________________
The new MSN 8: advanced junk mail protection and 2 months FREE*  
http://join.msn.com/?page=features/junkmail

Next message: Patrick Strawderman: "RE: Shellcoding ... again."
Previous message: kathy tuckey: "Does IE object type overflow work only on an Administrator account?"
Next in thread: Patrick Strawderman: "RE: Shellcoding ... again."
Reply: Patrick Strawderman: "RE: Shellcoding ... again."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 12:40:02 PDT