
© 2019 Caendra Inc. | Hera for XDS | Windows Shellcoding 1


You have been tasked by your red team manager to refresh your Windows shellcoding skills.
Specifically, he has provided you with a machine (172.16.172.51) that contains everything
needed to develop Windows shellcode. Your task is to write shellcode that displays the
following window upon execution and then exits gracefully without causing memory
corruption. You are allowed to hardcode addresses.

• Create shellcode that displays a window that looks like the one above
• Make it exit without any error

• Windows shellcode writing
• Dealing with null bytes
• Using MSDN to create the corresponding assembly code



• arwin
• dev-c++
• immunity debugger
• nasm
• text editor
• bin2sc utility

• Penetration tester’s Subnet: 172.16.172.0/24

• Vulnerable machine: 172.16.172.51

• Connection Type: RDP

Username: elsadmin
Password: elsadmin1



Using MSDN, figure out how to call the MessageBoxA function. You might need to update the
shellcode-tester.c application so that it loads the DLL that exports this function; the
LoadLibrary function might be helpful.

Develop shellcode that produces the window presented above. Remember that you can
hardcode addresses.

Hint: Arwin can help you find those addresses.

Use shellcode-tester.c to compile your shellcode into an application and check whether it
works as expected.



Below you can find solutions for each task. Remember, though, that you can follow your
own strategy (which may be different from the one explained in the following lab).

First, let's navigate to MSDN
(https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxa)
and check the function specification. It takes 4 arguments. The first argument (hWnd) as
well as the last one (uType) can be zeroed. We are only interested in the two in the middle,
lpText and lpCaption.

int MessageBoxA(
  HWND   hWnd,
  LPCSTR lpText,
  LPCSTR lpCaption,
  UINT   uType
);

MessageBoxA is exported by user32.dll, which is not loaded into the shellcode tester
application by default. You need to modify its source code and add a call to
LoadLibrary("user32.dll") before the shellcode is executed.

Without that line user32.dll is not mapped into the process, so the hardcoded address of
MessageBoxA points at nothing usable and you will not be able to call it.



Using arwin we can find the addresses of MessageBoxA (exported by user32.dll) and
ExitProcess (exported by kernel32.dll). These addresses are only valid on the lab machine;
on any other system they have to be looked up again.

Then we incorporate these addresses into a basic shellcode.

BITS 32

mov eax, 0x77d66476     ; MessageBoxA address (found with arwin on the lab machine)
xor ecx, ecx            ; ecx will hold 0 for future use

; Caption "Watch out!" is pushed in 4-byte chunks, last chunk first, so it reads
; forward in memory. The final chunk "t!\0\0" contains null bytes, so it is built
; with the null-byte mitigation trick: load the wanted value plus an arbitrary
; constant, then subtract that constant again.
mov ebx, 0x02022376
sub ebx, 0x02020202     ; ebx = 0x00002174, i.e. "t!\0\0"
push ebx                ; "t!\0\0"
push 0x756f2068         ; "h ou"
push 0x63746157         ; "Watc"
mov ebx, esp            ; ebx holds the address of the Caption

; Content "I can write shellcode!", same null-byte trick for the terminator.
; We need two null bytes here because the string is padded to a 4-byte stack slot.
mov edx, 0x03032468
sub edx, 0x03030303     ; edx = 0x00002165, i.e. "e!\0\0"
push edx                ; "e!\0\0"
push 0x646f636c         ; "lcod"
push 0x6c656873         ; "shel"
push 0x20657469         ; "ite "
push 0x7277206e         ; "n wr"
push 0x61632049         ; "I ca"
mov edx, esp            ; edx now holds the address of the Content

; MessageBoxA(hWnd, lpText, lpCaption, uType) is stdcall: arguments are pushed
; right to left and the callee removes them from the stack.
push ecx                ; uType = 0
push ebx                ; lpCaption
push edx                ; lpText (Content)
push ecx                ; hWnd = 0
call eax                ; call MessageBoxA

push ecx                ; exit code 0 for ExitProcess
mov eax, 0x77e798fd     ; eax = address of ExitProcess (found with arwin on the lab machine)
call eax                ; call ExitProcess(0); it never returns, so nothing is corrupted



Let's use shellcode-tester.c to compile our shellcode into an application and check whether it
works as expected. First we assemble the source into a flat binary, then we convert the bytes
into a C string with bin2sc.

nasm msgbox.asm -o msgbox.bin

python bin2sc msgbox.bin

"\xb8\x76\x64\xd6\x77\x31\xc9\xbb\x76\x23\x02\x02\x81\xeb\x02"
"\x02\x02\x02\x53\x68\x68\x20\x6f\x75\x68\x57\x61\x74\x63\x89"
"\xe3\xba\x68\x24\x03\x03\x81\xea\x03\x03\x03\x03\x52\x68\x6c"
"\x63\x6f\x64\x68\x73\x68\x65\x6c\x68\x69\x74\x65\x20\x68\x6e"
"\x20\x77\x72\x68\x49\x20\x63\x61\x89\xe2\x51\x53\x52\x51\xff"
"\xd0\x51\xb8\xfd\x98\xe7\x77\xff\xd0"

Let's paste the output above into the shellcode tester.

Finally, let's compile and run.
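The two steps above depend on what bin2sc prints and on the null-byte trick used in the listing. The following Python script is an added example, not part of the original lab and not the bin2sc tool itself: it re-implements the bin2sc formatting (the 15-bytes-per-line layout is inferred from the output shown above), parses the pasted C string back into bytes to confirm that none of them is 0x00, checks the add/subtract arithmetic behind the null-byte trick, and reconstructs the caption and text from the push immediates so you can see what the shellcode will display before running it. The shellcode string and the immediates are copied from this lab; the function names are my own.

```python
import re
import struct

# Shellcode string as printed by bin2sc in this lab (copied from the lab output).
SHELLCODE_LITERAL = r'''"\xb8\x76\x64\xd6\x77\x31\xc9\xbb\x76\x23\x02\x02\x81\xeb\x02"
"\x02\x02\x02\x53\x68\x68\x20\x6f\x75\x68\x57\x61\x74\x63\x89"
"\xe3\xba\x68\x24\x03\x03\x81\xea\x03\x03\x03\x03\x52\x68\x6c"
"\x63\x6f\x64\x68\x73\x68\x65\x6c\x68\x69\x74\x65\x20\x68\x6e"
"\x20\x77\x72\x68\x49\x20\x63\x61\x89\xe2\x51\x53\x52\x51\xff"
"\xd0\x51\xb8\xfd\x98\xe7\x77\xff\xd0"'''

# Push immediates from msgbox.asm in program order; the sub results are computed here.
CAPTION_PUSHES = [0x02022376 - 0x02020202, 0x756f2068, 0x63746157]
CONTENT_PUSHES = [0x03032468 - 0x03030303, 0x646f636c, 0x6c656873,
                  0x20657469, 0x7277206e, 0x61632049]


def bin2sc(data: bytes, per_line: int = 15) -> str:
    """Format raw bytes the way bin2sc prints them: C string lines of \\xNN escapes."""
    lines = []
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return "\n".join(lines)


def sc2bin(literal: str) -> bytes:
    """Inverse of bin2sc: pull every \\xNN escape out of a pasted C string."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))


def null_offsets(data: bytes) -> list:
    """Offsets of 0x00 bytes; any hit would truncate the shellcode when handled as a C string."""
    return [i for i, b in enumerate(data) if b == 0]


def has_null_byte(value: int) -> bool:
    """True if the 32-bit little-endian encoding of value contains a 0x00 byte."""
    return 0 in struct.pack("<I", value & 0xFFFFFFFF)


def null_byte_trick(target: int, pad: int) -> tuple:
    """Compute the two immediates of the lab's trick (mov reg, target+pad ; sub reg, pad)
    and report whether both of them are free of null bytes."""
    adjusted = (target + pad) & 0xFFFFFFFF
    return adjusted, pad, not (has_null_byte(adjusted) or has_null_byte(pad))


def pushed_string(immediates: list) -> str:
    """Rebuild the string that a sequence of 32-bit pushes leaves on the stack.
    Each push stores its dword little-endian below the previous one, so the last
    push is the start of the string and the first push carries the NUL terminator."""
    raw = b"".join(struct.pack("<I", v & 0xFFFFFFFF) for v in reversed(immediates))
    return raw.split(b"\x00", 1)[0].decode("ascii")


if __name__ == "__main__":
    code = sc2bin(SHELLCODE_LITERAL)
    print(f"{len(code)} bytes, null bytes at offsets: {null_offsets(code)}")
    print("round trip matches bin2sc output:", bin2sc(code) == SHELLCODE_LITERAL)
    print("caption:", pushed_string(CAPTION_PUSHES))
    print("text:   ", pushed_string(CONTENT_PUSHES))
    adjusted, pad, ok = null_byte_trick(0x2174, 0x02020202)
    print(f"mov ebx, {adjusted:#010x} ; sub ebx, {pad:#010x} ; null-free: {ok}")
```

Running the script on the lab's output reports 84 bytes with no null byte, a caption of "Watch out!" and a text of "I can write shellcode!", which is exactly the window the task asks for. The same check is worth running on any shellcode before pasting it into shellcode-tester.c, because a single 0x00 byte silently ends the C string and leaves the program executing a truncated payload.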



It looks like our basic shellcode was enough to achieve the task!
