If this shell code is injected into any process, a beep sounds at an interval of 20 seconds.
This shell code is hard coded for Windows XP. It works with all service packs of XP, but because of ASLR on Vista and Windows 7 it will not work there.
Basically I have used two built-in Windows functions:
1) Beep
2) Sleep
Both functions are exported by kernel32.dll.
Like always, I use ARWIN to get the virtual addresses of the two functions in kernel32.dll:
D:\exploitkit\arwin>arwin kernel32.dll Beep
arwin – win32 address resolution program – by steve hanna – v.01
Beep is located at 0x7c837aa7 in kernel32.dll
D:\exploitkit\arwin>arwin kernel32.dll Sleep
arwin – win32 address resolution program – by steve hanna – v.01
Sleep is located at 0x7c802446 in kernel32.dll
From the output above, the virtual addresses of the two functions are 0x7c837aa7 (Beep) and 0x7c802446 (Sleep).
From MSDN we can see that the Beep function takes two arguments, the frequency and the duration of the beep:
BOOL WINAPI Beep( __in DWORD dwFreq, __in DWORD dwDuration );
and the Sleep function takes one argument, the number of milliseconds to pause (the interval between beeps):
VOID WINAPI Sleep( __in DWORD dwMilliseconds );
The assembly code looks like this:
;sleep.asm
[SECTION .text]
global _start
_start:
    mov ecx,5            ; loop counter (the xor ecx,ecx below clears it on every pass,
                         ;  so dec/jnz never reaches zero and the loop runs until the process ends)
loop:
    xor eax,eax
    xor ebx,ebx
    xor ecx,ecx
    xor edx,edx
    mov eax, 0x7c837aa7  ; address of Beep
    mov bx, 750          ; Frequency
    mov dx, 50           ; Duration
    push ebx
    push edx             ; stdcall pushes right to left: the last push (edx, 50) becomes dwFreq
                         ;  and ebx (750) becomes dwDuration, as the debugger listing further down shows
    call eax             ; call Beep
    xor eax,eax
    xor ebx,ebx
    mov ebx, 0x7c802446  ; address of Sleep
    mov ax, 20000        ; pause for 20 seconds (the assembled bytes below carry 0x3e8 = 1000 ms instead)
    push eax
    call ebx             ; call Sleep
    dec ecx
    jnz loop
The next step is to assemble the code with NASM and link it:
D:\exploitkit\nasm>nasm -f elf Beep.asm
D:\exploitkit\>ld.exe -o Beep Beep.o
That gives us the object file Beep.o.
From the object file we get the opcode bytes of the instructions. The objdump output looks like this (note the four trailing instructions from offset 31 onward, which call a third kernel32 address and are not in the assembly listing above):
D:\exploitkit>objdump -d Beep.o

Beep.o:     file format elf32-i386

Disassembly of section .text:

00000000 <_start>:
   0:   b9 05 00 00 00          mov    $0x5,%ecx

00000005 <loop>:
   5:   31 c0                   xor    %eax,%eax
   7:   31 db                   xor    %ebx,%ebx
   9:   31 c9                   xor    %ecx,%ecx
   b:   31 d2                   xor    %edx,%edx
   d:   b8 a7 7a 83 7c          mov    $0x7c837aa7,%eax
  12:   66 bb ee 02             mov    $0x2ee,%bx
  16:   66 ba 32 00             mov    $0x32,%dx
  1a:   53                      push   %ebx
  1b:   52                      push   %edx
  1c:   ff d0                   call   *%eax
  1e:   31 c0                   xor    %eax,%eax
  20:   31 db                   xor    %ebx,%ebx
  22:   bb 46 24 80 7c          mov    $0x7c802446,%ebx
  27:   66 b8 e8 03             mov    $0x3e8,%ax
  2b:   50                      push   %eax
  2c:   ff d3                   call   *%ebx
  2e:   49                      dec    %ecx
  2f:   75 d4                   jne    5 <loop>
  31:   31 c0                   xor    %eax,%eax
  33:   b8 12 cb 81 7c          mov    $0x7c81cb12,%eax
  38:   50                      push   %eax
  39:   ff d0                   call   *%eax
D:\exploitkit>
So the final shell code (the bytes from offset 5 onward, leaving out the initial mov ecx,5) is:
\x31\xc0\x31\xdb\x31\xc9\x31\xd2
\xb8\xa7\x7a\x83\x7c
\x66\xbb\xee\x02
\x66\xba\x32\x00
\x53\x52\xff\xd0
\x31\xc0\x31\xdb
\xbb\x46\x24\x80\x7c
\x66\xb8\xe8\x03
\x50\xff\xd3
\x49\x75\xd4
\x31\xc0\xb8\x12\xcb\x81\x7c
\x50\xff\xd0
To test this shell code, compile the following with any C compiler.
/* shellcodetest.c */
char code[] =
    "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb8"
    "\xa7\x7a\x83\x7c\x66\xbb\xee\x02\x66"
    "\xba\x32\x00\x53\x52\xff\xd0\x31\xc0"
    "\x31\xdb\xbb\x46\x24\x80\x7c\x66\xb8"
    "\xe8\x03\x50\xff\xd3\x49\x75\xd4\x31"
    "\xc0\xb8\x12\xcb\x81\x7c\x50\xff\xd0";

int main(int argc, char **argv)
{
    int (*func)();              /* treat the byte array as a function */
    func = (int (*)()) code;
    (*func)();                  /* the array sits in a writable data section, so this jump
                                   only succeeds while DEP is not enforced for the process */
    return 0;
}
Opening the executable in Immunity Debugger shows the same code in more detail. The debugger resolves the two immediates to kernel32.Beep and kernel32.Sleep, and labels the pushed EBX as Duration and EDX as Frequency:
00401000 > $ B9 05000000    MOV ECX,5
00401005 >   31C0           XOR EAX,EAX
00401007 .   31DB           XOR EBX,EBX
00401009 .   31C9           XOR ECX,ECX
0040100B .   31D2           XOR EDX,EDX
0040100D .   B8 A77A837C    MOV EAX,kernel32.Beep
00401012 .   66:BB EE02     MOV BX,2EE
00401016 .   66:BA 3200     MOV DX,32
0040101A .   53             PUSH EBX                 ; /Duration
0040101B .   52             PUSH EDX                 ; |Frequency
0040101C .   FFD0           CALL EAX                 ; \Beep
0040101E .   31C0           XOR EAX,EAX
00401020 .   31DB           XOR EBX,EBX
00401022 .   BB 4624807C    MOV EBX,kernel32.Sleep
00401027 .   66:B8 E803     MOV AX,3E8
0040102B .   50             PUSH EAX                 ; /Timeout
0040102C .   FFD3           CALL EBX                 ; \Sleep
0040102E .   49             DEC ECX
0040102F .^  75 D4          JNZ SHORT Beep.00401005
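The two properties this post depends on, absolute kernel32 addresses that only hold on one XP build and the stdcall push order that the Immunity annotations reveal, can both be checked mechanically from the bytes alone. The Python script below is an added example, not code from the post: it parses the escaped byte string, decodes the small x86-32 instruction subset the payload uses, flags every 32-bit immediate that falls inside an assumed XP kernel32.dll range (0x7C800000 to 0x7C8FFFFF, which covers the three addresses in the dump), and rebuilds each call with its arguments in parameter order. SHELLCODE_TEXT is constructed from the final shell code above with the missing backslash before 46 restored; the function names and the range constant are this example's own.

```python
"""Triage helper for the Beep/Sleep shell code above (added example, not the
post's own code): parse the escaped bytes, decode the payload's instruction
subset, flag hard-coded kernel32 addresses and rebuild each call's arguments."""
import re
import struct

# Constructed from the page's final shell code (backslash before 46 restored).
SHELLCODE_TEXT = (
    r"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb8\xa7\x7a\x83\x7c\x66\xbb\xee\x02"
    r"\x66\xba\x32\x00\x53\x52\xff\xd0\x31\xc0\x31\xdb\xbb\x46\x24\x80\x7c"
    r"\x66\xb8\xe8\x03\x50\xff\xd3\x49\x75\xd4\x31\xc0\xb8\x12\xcb\x81\x7c"
    r"\x50\xff\xd0"
)

# Assumed address range of kernel32.dll on the XP build the post targets; the
# arwin output above (0x7c837aa7, 0x7c802446) falls inside it.
KERNEL32_XP_RANGE = (0x7C800000, 0x7C8FFFFF)

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG16 = ["ax", "cx", "dx", "bx", "sp", "bp", "si", "di"]


def parse_escaped(text):
    """Turn a C-style \\xNN string into bytes, ignoring whitespace and quotes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def decode(code):
    """Decode the opcodes this payload uses into (offset, text, immediate)
    tuples; immediate is None when absent and the branch target for jne.
    Any other opcode raises, so nothing is silently guessed."""
    out, i = [], 0
    while i < len(code):
        b = code[i]
        if b == 0x31 and i + 2 <= len(code):                 # xor r/m32, r32
            modrm = code[i + 1]
            out.append((i, f"xor {REG32[modrm & 7]},{REG32[(modrm >> 3) & 7]}", None))
            i += 2
        elif 0xB8 <= b <= 0xBF and i + 5 <= len(code):       # mov r32, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append((i, f"mov {REG32[b - 0xB8]},0x{imm:x}", imm))
            i += 5
        elif b == 0x66 and i + 4 <= len(code) and 0xB8 <= code[i + 1] <= 0xBF:
            imm = struct.unpack_from("<H", code, i + 2)[0]    # mov r16, imm16
            out.append((i, f"mov {REG16[code[i + 1] - 0xB8]},0x{imm:x}", imm))
            i += 4
        elif 0x50 <= b <= 0x57:                              # push r32
            out.append((i, f"push {REG32[b - 0x50]}", None))
            i += 1
        elif (b == 0xFF and i + 2 <= len(code) and code[i + 1] >> 6 == 3
              and (code[i + 1] >> 3) & 7 == 2):              # call r32
            out.append((i, f"call {REG32[code[i + 1] & 7]}", None))
            i += 2
        elif 0x48 <= b <= 0x4F:                              # dec r32
            out.append((i, f"dec {REG32[b - 0x48]}", None))
            i += 1
        elif b == 0x75 and i + 2 <= len(code):               # jne rel8
            target = i + 2 + struct.unpack_from("<b", code, i + 1)[0]
            out.append((i, f"jne 0x{target:x}", target))
            i += 2
        else:
            raise ValueError(f"unhandled opcode 0x{b:02x} at offset {i}")
    return out


def hardcoded_api_addresses(code, lo=KERNEL32_XP_RANGE[0], hi=KERNEL32_XP_RANGE[1]):
    """Immediates loaded by mov that point into the module range: each is an
    absolute import that breaks as soon as the module loads elsewhere (ASLR)."""
    return [imm for _, text, imm in decode(code)
            if text.startswith("mov") and imm is not None and lo <= imm <= hi]


def resolve_calls(code):
    """Track register values through xor/mov/push and report each 'call reg'
    as (target, [arg1, arg2, ...]). stdcall pushes right to left, so the last
    value pushed before the call is the first parameter."""
    regs = {r: 0 for r in REG32}
    pushes, calls = [], []
    for _, text, imm in decode(code):
        op, _, operands = text.partition(" ")
        if op == "xor":
            dst, src = operands.split(",")
            if dst == src:
                regs[dst] = 0
        elif op == "mov":
            dst = operands.split(",")[0]
            if dst in regs:
                regs[dst] = imm
            else:                         # 16-bit form writes only the low half
                regs["e" + dst] = (regs["e" + dst] & 0xFFFF0000) | imm
        elif op == "push":
            pushes.append(regs[operands])
        elif op == "call":
            calls.append((regs[operands], list(reversed(pushes))))
            pushes = []
    return calls


if __name__ == "__main__":
    code = parse_escaped(SHELLCODE_TEXT)
    print(f"{len(code)} bytes")
    for off, text, _ in decode(code):
        print(f"{off:04x}  {text}")
    print("kernel32 (XP) addresses:", [hex(a) for a in hardcoded_api_addresses(code)])
    for target, args in resolve_calls(code):
        print(f"call 0x{target:x}({', '.join(hex(a) for a in args)})")
```

Running it reports Beep called with (0x32, 0x2ee), that is 50 Hz for 750 ms, the reverse of what the assembly comments intend; Sleep called with 0x3e8 (one second, not the 20 seconds the listing asks for); the jne at offset 42 landing back on offset 0; and three immediates inside the kernel32 range. That last list is what an analyst uses to classify a payload as tied to one OS build, and it is exactly the data that a relocated kernel32 under ASLR invalidates.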
I consider, that you are not right. I can prove it. Write to me in PM.
which part ???