© 2019 Caendra Inc. | Hera for XDS | Windows Shellcoding 1
You have been tasked by your red team manager with refreshing your Windows shellcoding skills.
Specifically, he provided you with a machine (172.16.172.51) that contains everything
needed to develop Windows shellcode. Your task is to write shellcode that displays the
following window upon execution and then exits gracefully without causing memory
corruption. You are allowed to hardcode addresses.
• Create a shellcode that will create a window that looks like the above
• Make it exit without any error
• Windows shellcode writing
• Dealing with null bytes
• Using MSDN to create a corresponding assembly code
• arwin
• dev-c++
• immunity debugger
• nasm
• text editor
• bin2sc utility
• Penetration tester’s Subnet: 172.16.172.0/24
• Vulnerable machine: 172.16.172.51
• Connection Type: RDP
Username: elsadmin
Password: elsadmin1
Using MSDN, figure out how to call the MessageBoxA function. You might need to update the
shellcode-tester.c application so that it loads the proper DLL. The LoadLibrary
function might be helpful.
Develop shellcode that will produce the window presented above. Be reminded that you can
hardcode addresses.
Hint: Arwin can help you find those addresses.
Use the shellcode-tester.c to compile your shellcode into an application and check if it works
as expected.
Below, you can find solutions for each task. Remember though that you can follow your
own strategy (which may be different from the one explained in the following lab).
First, let’s navigate to MSDN (https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxa)
and check the function specification. It takes 4 arguments. The first argument (hWnd) as well as
the last one (uType) can be zeroed. We are just interested in the two in the middle: Text and Caption.
int MessageBoxA(
HWND hWnd,
LPCSTR lpText,
LPCSTR lpCaption,
UINT uType
);
MessageBoxA is exported by user32.dll, which is not loaded into the shellcode tester
application by default. You need to modify its source code and add a call to
LoadLibrary("user32.dll"), as follows.
Without that line you will not be able to call MessageBoxA.
Using arwin we can find the addresses of MessageBoxA and ExitProcess, as follows.
Then we incorporate these addresses into a basic shellcode.
BITS 32
mov eax, 0x77d66476     ; MessageBoxA address
xor ecx, ecx            ; ecx will hold 0 for future use
mov ebx, 0x02022376
sub ebx, 0x02020202     ; null-byte mitigation trick: we add an arbitrary value to the
                        ; original value ("t!\0\0" = 0x00002174) and subtract it again at runtime
push ebx                ; "t!\0\0" (end of the Caption, including its terminator)
push 0x756f2068         ; "h ou"
push 0x63746157         ; "Watc"
mov ebx, esp            ; ebx holds the address of the Caption ("Watch out!")
mov edx, 0x03032468
sub edx, 0x03030303     ; again the null-byte trick ("e!\0\0" = 0x00002165). We need a double
                        ; null since the stack has to be 4-byte aligned.
push edx                ; "e!\0\0"
push 0x646f636c         ; "lcod"
push 0x6c656873         ; "shel"
push 0x20657469         ; "ite "
push 0x7277206e         ; "n wr"
push 0x61632049         ; "I ca"
mov edx, esp            ; edx now holds the address of the Text ("I can write shellcode!")
push ecx                ; uType = 0
push ebx                ; lpCaption
push edx                ; lpText
push ecx                ; hWnd = 0
call eax                ; call MessageBoxA
push ecx                ; push 0 (uExitCode) to the stack
mov eax, 0x77e798fd     ; make eax contain the address of ExitProcess()
call eax                ; call ExitProcess while the 0 parameter is on the stack
Let’s use the shellcode-tester.c to compile our shellcode into an application and check if it
works as expected. We can do that as follows.
nasm msgbox.asm -o msgbox.bin
python bin2sc msgbox.bin
"\xb8\x76\x64\xd6\x77\x31\xc9\xbb\x76\x23\x02\x02\x81\xeb\x02"
"\x02\x02\x02\x53\x68\x68\x20\x6f\x75\x68\x57\x61\x74\x63\x89"
"\xe3\xba\x68\x24\x03\x03\x81\xea\x03\x03\x03\x03\x52\x68\x6c"
"\x63\x6f\x64\x68\x73\x68\x65\x6c\x68\x69\x74\x65\x20\x68\x6e"
"\x20\x77\x72\x68\x49\x20\x63\x61\x89\xe2\x51\x53\x52\x51\xff"
"\xd0\x51\xb8\xfd\x98\xe7\x77\xff\xd0"
Let’s paste the above into the shellcode tester.
Finally let’s compile and run.
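The null-byte trick is applied by hand above for two strings, and bin2sc is then used to turn the assembled bytes into a C string. The following Python is an added example, not part of the lab material or the bin2sc tool: it generalises the trick to any string, finds an add/sub constant pair with no zero bytes for every dword that needs one, emits both the nasm lines and the equivalent x86-32 opcodes, assembles the full MessageBoxA/ExitProcess payload around the two addresses arwin reported in the lab, and renders it bin2sc-style after checking for NUL bytes. The function names and the constant-search strategy (repeated-byte constants, smallest first, so it picks 0x01010101 where the lab chose 0x02020202 and 0x03030303) are my own; the opcode encodings (push imm32 = 68, mov r32,imm32 = B8+r, sub r32,imm32 = 81 /5, push r32 = 50+r) are standard x86.

```python
"""Null-byte-free string pushing, assembled to x86-32 machine code.

Added example, not part of the lab material: it generalises the add/sub
trick the lab applies by hand to "Watch out!" and "I can write shellcode!",
emits both nasm source and the matching opcodes, and renders the bytes the
way the bin2sc step does so the payload can be checked for NUL bytes first.
"""
import struct

# x86-32 register numbers as used in the opcode encodings below
REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def le32(value):
    """Little-endian 32-bit encoding of value (immediates and addresses)."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def has_null_byte(value):
    return b"\x00" in le32(value)


def string_dwords(s):
    """NUL-terminate s, pad to a 4-byte boundary with more NULs (esp must stay
    4-byte aligned) and return the dwords in memory order."""
    data = s + b"\x00"
    data += b"\x00" * (-len(data) % 4)
    return [struct.unpack("<I", data[i:i + 4])[0] for i in range(0, len(data), 4)]


def find_sub_pair(value):
    """Return (a, k) with (a - k) mod 2**32 == value and no zero byte in either.
    The lab picks k = 0x02020202 / 0x03030303 by hand; this searches constants
    of the same repeated-byte shape, smallest first (assumed strategy)."""
    for n in range(1, 256):
        k = n * 0x01010101
        a = (value + k) & 0xFFFFFFFF
        if not has_null_byte(a) and not has_null_byte(k):
            return a, k
    raise ValueError("no null-free add/sub pair for %#x" % value)


def push_string(s, scratch="ebx"):
    """Return (asm_lines, machine_code) that leave s on the stack, last dword
    pushed first. Dwords containing a NUL go through `scratch` via mov/sub."""
    r = REG[scratch]
    asm, code = [], b""
    for dword in reversed(string_dwords(s)):
        if not has_null_byte(dword):
            asm.append("push 0x%08x" % dword)
            code += b"\x68" + le32(dword)                   # push imm32
        else:
            a, k = find_sub_pair(dword)
            asm += ["mov %s, 0x%08x" % (scratch, a),
                    "sub %s, 0x%08x" % (scratch, k),
                    "push %s" % scratch]
            code += bytes([0xB8 + r]) + le32(a)             # mov r32, imm32
            code += b"\x81" + bytes([0xE8 + r]) + le32(k)   # sub r32, imm32 (81 /5)
            code += bytes([0x50 + r])                       # push r32
    return asm, code


def build_messagebox_shellcode(messagebox_addr, exitprocess_addr, caption, text):
    """Assemble the lab's MessageBoxA + ExitProcess shellcode for hard-coded
    addresses (the ones arwin reports on the target). stdcall: arguments are
    pushed right to left, so uType goes first and hWnd last."""
    _, cap_code = push_string(caption, "ebx")
    _, txt_code = push_string(text, "edx")
    code = b"\xb8" + le32(messagebox_addr)   # mov eax, MessageBoxA
    code += b"\x31\xc9"                      # xor ecx, ecx (our zero)
    code += cap_code + b"\x89\xe3"           # push caption; mov ebx, esp
    code += txt_code + b"\x89\xe2"           # push text;    mov edx, esp
    code += b"\x51\x53\x52\x51\xff\xd0"      # push ecx/ebx/edx/ecx; call eax
    code += b"\x51"                          # push ecx (uExitCode = 0)
    code += b"\xb8" + le32(exitprocess_addr) + b"\xff\xd0"  # mov eax, ExitProcess; call eax
    return code


def check_no_nulls(code):
    """Offsets of every NUL in the payload; an empty list means it survives a C string copy."""
    return [i for i, b in enumerate(code) if b == 0]


def bin2sc(code, per_line=15):
    """Render bytes as C string-literal lines, in the shape of the lab's bin2sc output."""
    return ['"' + "".join("\\x%02x" % b for b in code[i:i + per_line]) + '"'
            for i in range(0, len(code), per_line)]


if __name__ == "__main__":
    # Addresses are the ones the lab found with arwin on the target machine
    sc = build_messagebox_shellcode(0x77d66476, 0x77e798fd,
                                    b"Watch out!", b"I can write shellcode!")
    print("\n".join(push_string(b"Watch out!")[0]))
    print("null bytes at:", check_no_nulls(sc))
    print("\n".join(bin2sc(sc)))
```

Running it prints the nasm lines for the caption, an empty list of NUL offsets, and six lines of `"\x.."` text that can be pasted into shellcode-tester.c exactly like the bin2sc output above; the payload it builds is the same length (84 bytes) and the same instruction sequence as the lab's, differing only in the sub constants it chose. The `check_no_nulls` pass is the step worth keeping in any shellcode build: a single `\x00` would silently truncate the payload when the tester copies it as a C string.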
It looks like our basic shellcode was enough to achieve the task!