
Welcome to the world of shellcode

08 Feb 2010

I've been meaning to post this for some time; however, I had a few things I wanted to tidy up before doing so. About 6 months ago I decided I wanted to learn to write shellcode, and the pieces below are the result.

I've written a number of pieces for both Linux and Windows; however, I'll only be releasing the following shellcode:
- Dynamic WinExec - cmd.exe (win32) - dynamiccmd.asm
- Dynamic Message Box (win32) - dynamicmsg.asm

I wasn't sure whether I'd bother releasing dynamiccmd.asm, but here it is... I'm sure it will come in handy for someone else attempting to learn win32 shellcode. Due to its size (228 bytes) I wouldn't bother using it in an actual exploit in place of Metasploit's implementation :)

dynamicmsg.asm is shellcode which displays a message box and then exits. When developing proof-of-concept exploits I got tired of watching calc.exe being spawned, so I figured a message box would be cooler! To be worth using, the shellcode had to be dynamic (resolving the API addresses it needs at run time rather than hard-coding them), and I was unable to find any dynamic implementation of this on the internet. Again the size is quite large, weighing in at 302 bytes. However, it was designed with proof of concepts in mind, and there a large payload is an advantage: the researcher has to find space for 302 bytes, so anyone who later swaps in a different payload will find room, since other, malicious payloads are generally smaller in size.

At the time of coding I had decided to use the PEB method to find the base of kernel32, and the Export Directory Table to find function addresses. Since the release of Windows 7 I read somewhere that using the PEB to find the base of kernel32 is no longer feasible. The detail behind that is that Windows 7 initialises KernelBase.dll before kernel32.dll, so a stub that takes a fixed entry from the PEB's InInitializationOrderModuleList (the usual trick) comes back with KernelBase instead; walking InMemoryOrderModuleList to the third entry, or comparing module names, still works. When I get some time I might do an update (and remove all nulls while I'm at it). It's not a big job to modify the code: just swap the find_kernal32 routine for the new method (I believe it's documented and sample code is available somewhere). So at the moment this shellcode will function correctly on:
- 95/98/ME/NT/2K/XP/Vista

If you view both files you will notice that the shellcode still contains nulls. These are the remaining nulls I was unable to remove easily. I do have another version which eliminates a number of them, but not all; I figured I'd wait until I had worked out how to remove the null problem completely before posting that version. One of the major sources of null bytes was calls and jmps: a near call or jmp carries a 32-bit displacement, so a target only a few bytes ahead encodes with zero high bytes (a backward target gets 0xFF bytes instead). By rearranging the code a bit and using short jmps, which carry an 8-bit displacement, I was able to avoid some of the nulls. To combat the remaining null and bad-byte problems I decided to write a shellcode encoder/decoder.

The shellcode encoder/decoder is additive: the encoder subtracts a specific number (the key) from each byte of shellcode, and the decoder adds the same key back to each byte at run time in order to recover the original shellcode on the other side (interesting to watch in a debugger). The arithmetic wraps modulo 256, so every encoded byte still fits in one byte.

The encoder takes an input file of hex values written as one contiguous string, like so: 41424344, and an integer key value which is subtracted from each byte. The encoder then prints out the decoder, followed by the encoded shellcode in C/C++ formatting.

The encoder prints out one of two decoders, depending on which one the size of the shellcode requires. Decoder 1 uses the CL register to store the size of the shellcode, so the shellcode can be at most 255 bytes; Decoder 1 weighs 20 bytes. Decoder 2 uses the CX register, which allows larger shellcode to be decoded, and weighs 22 bytes. The smaller decoder exists because the length has to be embedded in the stub as an immediate: a 16-bit length below 256 would carry a null in its high byte, which is exactly what the encoding is meant to avoid.

At the moment the encoder does not verify that bad bytes have been eliminated after encoding, so checking the output is a manual process: a key that removes one null can create another (any byte equal to the key encodes to 0x00), and the key and length bytes carried inside the decoder itself must be clean as well. I had been planning an upgrade before release, but who knows when that'll come! Again, the encoder/decoder was a learning exercise, so I'm sure Metasploit's implementation is much better :)
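As an added example (not the bmgsec encoder from this post, whose decoder bytes and exact output format are not reproduced), the C program below implements the additive scheme described above together with the bad-byte check that is still missing from the original: it parses the 41424344-style hex input, prepends an x86 getpc/loop decoder stub of my own (CL-based for payloads up to 255 bytes, CX-based beyond that; this stub's sizes are 18 and 20 bytes, not the post's 20 and 22), searches for a key that leaves no bad byte in either the stub or the encoded payload, and verifies the result by simulating the decoder's add loop rather than executing it. The BAD set and the sample input are constructed assumptions; the sample bytes are not real shellcode.

```c
/* Additive shellcode encoder with its own x86 decoder stub and a bad-byte
 * check. Added example, not the post's bmgsec encoder: stub layout, stub
 * sizes, BAD set and sample input are this example's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SC 4096
static const uint8_t BAD[] = { 0x00, 0x0a, 0x0d };  /* assumed bad bytes */

/* Parse "41424344"-style hex into bytes; returns the length or -1 on error. */
static int hex_to_bytes(const char *hex, uint8_t *out, size_t max)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 || n / 2 > max) return -1;
    for (size_t i = 0; i < n; i += 2) {
        char pair[3] = { hex[i], hex[i + 1], 0 }, *end;
        out[i / 2] = (uint8_t)strtol(pair, &end, 16);
        if (*end) return -1;
    }
    return (int)(n / 2);
}

/* x86 decoder stub: jmp short getpc / pop esi / xor ecx,ecx / mov cl|cx,len /
 * again: add byte [esi],key / inc esi / loop again / getpc: call pop.
 * The encoded payload follows the stub, so pop esi yields its address. */
static size_t build_decoder(uint8_t *s, size_t len, uint8_t key)
{
    int wide = len > 255;                      /* decoder 2: length in CX */
    size_t n = 0;
    s[n++] = 0xEB; s[n++] = wide ? 0x0D : 0x0B;            /* jmp short getpc */
    s[n++] = 0x5E;                                         /* pop esi         */
    s[n++] = 0x31; s[n++] = 0xC9;                          /* xor ecx, ecx    */
    if (wide) { s[n++] = 0x66; s[n++] = 0xB9;              /* mov cx, len     */
                s[n++] = (uint8_t)len; s[n++] = (uint8_t)(len >> 8); }
    else      { s[n++] = 0xB1; s[n++] = (uint8_t)len; }    /* mov cl, len     */
    s[n++] = 0x80; s[n++] = 0x06; s[n++] = key;            /* add [esi], key  */
    s[n++] = 0x46;                                         /* inc esi         */
    s[n++] = 0xE2; s[n++] = 0xFA;                          /* loop again (-6) */
    s[n++] = 0xE8; s[n++] = wide ? 0xEE : 0xF0;            /* call pop, rel32 */
    s[n++] = 0xFF; s[n++] = 0xFF; s[n++] = 0xFF;
    return n;                                  /* 18 bytes narrow, 20 wide */
}

/* Stub followed by (byte - key) for every byte; returns the total length,
 * or 0 if a bad byte survives anywhere, the stub's key/length bytes included. */
static size_t encode(const uint8_t *sc, size_t len, uint8_t key, uint8_t *out)
{
    size_t n = build_decoder(out, len, key);
    for (size_t i = 0; i < len; i++) out[n + i] = (uint8_t)(sc[i] - key);
    n += len;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < sizeof BAD; j++)
            if (out[i] == BAD[j]) return 0;
    return n;
}

/* Try keys 1..255; returns the first key that encodes cleanly, else 0. */
static int find_key(const uint8_t *sc, size_t len, uint8_t *out, size_t *outlen)
{
    for (int k = 1; k < 256; k++) {
        size_t n = encode(sc, len, (uint8_t)k, out);
        if (n) { *outlen = n; return k; }
    }
    return 0;
}

/* Encode, then do what the stub does at run time (add the key back to each
 * payload byte) and compare with the input. Returns the key used, 0 if no
 * key is clean, -1 on bad input or a failed round trip. */
static int roundtrip(const char *hex)
{
    uint8_t sc[MAX_SC], out[MAX_SC + 32];
    size_t outlen = 0;
    int len = hex_to_bytes(hex, sc, sizeof sc);
    if (len < 0) return -1;
    int key = find_key(sc, (size_t)len, out, &outlen);
    if (!key) return 0;
    for (int i = 0; i < len; i++) out[outlen - len + i] += (uint8_t)key;
    return memcmp(out + outlen - len, sc, (size_t)len) == 0 ? key : -1;
}

int main(void)
{
    const char *hex = "31c0b00a00c0cd80";  /* constructed: not real shellcode */
    uint8_t sc[MAX_SC], out[MAX_SC + 32];
    size_t outlen = 0;
    int len = hex_to_bytes(hex, sc, sizeof sc), key = 0;
    if (len < 0 || !(key = find_key(sc, (size_t)len, out, &outlen))) {
        fprintf(stderr, "no key removes every bad byte\n");
        return 1;
    }
    printf("key 0x%02x, %zu bytes:\n\"", key, outlen);    /* C-style output */
    for (size_t i = 0; i < outlen; i++) printf("\\x%02x", out[i]);
    printf("\"\n");
    return 0;
}
```

The check covers the stub as well as the payload, which matters more than it looks: a payload of exactly 10 bytes puts 0x0a into the mov cl immediate whatever key is chosen, so the search correctly reports failure and the fix is to pad the payload by a byte rather than to keep trying keys.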

The bmgsec-shellcode-and-encoder.zip file contains all source code along with a binary, sample code and some custom tools to help make a shellcoder’s life easier! It also includes a copy of the dynamic message box and dynamic CMD shellcode.

I used the encoder/decoder and the dynamic message box shellcode in my latest exploit, for the TheGreenBow VPN Client. The exploit is Vista certified! Unfortunately I am unable to release it, since the company I work for has elected to keep it private.

comments (2)

puff daddy (08 Feb 10 - 15:58) said...
yo thatz pimping. when I encode da shit i just smackdown with ma knuckle busters i leave it up to 50 to decode da mess.
Jeremy Brown (11 Feb 10 - 03:46) said...
nice post bro