Shellcode Tutorial 2: My First Simple Shellcode

Introduction

This tutorial teaches you the basics of shellcoding, including finding function addresses in Windows DLLs, simple assembly, how to compile ASM code, and how to execute your shellcode to see if it works. We will be creating the most simple shellcode that simply sleeps for five seconds and then exists.

Some of this tutorial was based on information pulled fromhttp://www.vividmachines.com/shellcode/shellcode.html.

How to find function addresses in Windows DLLs

The Windows function that allows us to sleep is surprisingly called "Sleep". So what do I need to know to utilize this function? In assembly we use the "call 0xXXXXXXXX" instruction, where XXXXXXXX is the address of the function in memory. So we need to find where this function is loaded.

This can be done using the "arwin" program that we downloaded and compiled in the first tutorial. If you run ./arwin.exe, from your shellcode directory we create, you will get the following usage information:

     $ ./arwin.exe
    arwin - win32 address resolution program - by steve hanna - v.01
    ./arwin <Library Name> <Function Name>

So to use Arwin we need to know the DLL that the function exists in. This will often be Kernel32.dll or User32.dll or ws2_32.dll; however, this will depend upon what your shellcode is trying to achieve. I have written the following script "findFunctionInDLL.sh", which is a wrapper of arwin, that searches through the DLLs on your local system to find which DLLs the function exists in.

+----------------- Start findFunctionInDLL.sh -----------------+

#!/bin/bash

if [ $# -ne 1 ]
then
printf "\n\tUsage: $0 functionname\n\n"
exit
fi

functionname=$1
searchDir="/cygdrive/c/WINDOWS/system32"

arwin_exe="`pwd`/arwin.exe"
cd $searchDir

ls -1d *.dll | grep -v gui | while read dll
do
printf "\r ";
printf "\r$dll";
count=0
count=`$arwin_exe $dll $functionname | grep -c "is located at"`
if [ $count -ne 0 ]
then
printf "\n";
$arwin_exe $dll $functionname | grep "is located at"
printf "\n";
fi
done
printf "\r ";

+----------------- End findFunctionInDLL.sh -----------------+

Copy the findFunctionInDLL.sh code above onto your own system, and make it executable by running "chmod 755 findFunctionInDLL.sh". You should ensure that your Windows system directory is located at /cygdrive/c/WINDOWS/system32 from within your Cygwin environment (i.e. C: drive).

We can now use this script to find which DLL we need to pass to arwin. You should see the script looping through the DLLs on your system, and it should then notify you of any matching functions and addresses:

    # ./findFunctionInDLL.sh Sleep
   
    kernel32.dll
    Sleep is located at 0x7c802442 in kernel32.dll

The address that you get may be different to mine depending on Operating System and Service Pack. I am using Windows XP SP2. This means that your shellcode will only work on the same Operating System and Service Pack that you are using since we are hardcoding the memory address of the function. There are more advanced techniques that can be used to dynamically locate Kernel32.dll and the function addresses; however, that will be covered in a later tutorial.

This can take a while, so if you already know which DLL your function exists in then you can use arwin directly by running:

    # ./arwin.exe Kernel32.dll Sleep
    arwin - win32 address resolution program - by steve hanna - v.01
    Sleep is located at 0x7c802442 in Kernel32.dll

The Assembly Code

The following is the code for sleep.asm, which was originally pulled fromhttp://www.vividmachines.com/shellcode/shellcode.html, with very slight modifications and comments.

Create sleep.asm on your local system within your Cygwin shellcode directory using the following code. Make sure you read the comments throughout the code since they explain what action each line performs, and gives handy tips for later shellcode development. Remember to replace the address of "Sleep" with the one that you enumerated above with arwin.

+----------------- Start sleep.asm -----------------+

;sleep.asm
[SECTION .text]

; set the code to be 32-bit
; Tip: If you don't have this line in more complex shellcode,
;    the resulting instructions may end up being different to
;    what you were expecting.
BITS 32

global _start

_start:
; clear the eax register
; Tip: xor is great for zeroing out registers to clear previous values.
xor eax,eax

; move address of Sleep to ebx that we gained from "./arwin.exe Kernel32.dll Sleep"
mov ebx, 0x7c802442

; pause for 5000ms by putting 5000 into ax (8 bit eax register)
; Tip: ax is the lower half of eax. Using ax when possible reduces
;    the instruction size, and therefore the shellcode size.
mov ax, 5000

; push eax onto the stack as the first parameter to the Sleep function.
; Tip: When functions are called, the parameters are pulled from the stack.
push eax

; call the address of Sleep(ms) located in ebx
; Tip: Sleep has one parameter and will pull this from the stack.
call ebx

+----------------- End sleep.asm -----------------+

Compiling the Assembly Code

So now that we have our shellcode written in assembly, we need to compile it. This can be done using the nasm assembly compiler, using the following command where sleep.asm is your assembly source code file, and sleep.bin is the compiled binary output file:

    # nasm -f bin -o sleep.bin sleep.asm

Obtaining the shellcode

Now that we have a compiled binary file we can use the xxd tool to generate the shellcode for us. This can be done using the following xxd command, which will generate the following output:

    # xxd -i sleep.bin
    unsigned char sleep_bin[] = {
     0x31, 0xc0, 0xbb, 0x42, 0x24, 0x80, 0x7c, 0x66, 0xb8, 0x88, 0x13, 0x50,
     0xff, 0xd3
    };
    unsigned int sleep_bin_len = 14;

This creates an array of characters that can be used within a C program. Each of the hexadecimal numbers (0xXX) in the output represent a byte within the shellcode.

So we want to do with this output to create the shellcode? We are going to use the following script that I put together to strip out the raw shellcode that we can put directly into our "shellcodetest.c" program. Copy the following code onto your own machine in your shellcode directory, and then change the permissions using "chmod 755 xxd-shellcode.sh".

+----------------- Start xxd-shellcode.sh -----------------+

#!/bin/bash
if [ $# -ne 1 ]
then
    printf "\n\tUsage: $0 filename.bin\n\n"
    exit
fi

filename=`echo $1 | sed s/"\.bin$"//`
rm -f $filename.shellcode

for i in `xxd -i $filename.bin | grep , | sed s/" "/" "/ | sed s/","/""/g | sed s/"0x"/"\\\\x"/g`
do
    echo -n "\\$i" >> $filename.shellcode
    echo -n "\\$i"
done
echo

+----------------- End xxd-shellcode.sh -----------------+

This program takes the input file "sleep.bin", so run the following command, which should produce the following output. This output will automatically be saved to "sleep.shellcode". This may vary slightly if you are using a different OS or service pack due to the differing address of Sleep on your system.

    # ./xxd-shellcode.sh sleep.bin
    \x31\xc0\xbb\x42\x24\x80\x7c\x66\xb8\x88\x13\x50\xff\xd3

Testing the shellcode

We will be using the "shellcodetest.c" program to test our shellcode. The aim of this step is to insert our shellcode into a C program, which we can then compile and execute. This program is designed to then execute our shellcode.

Before we can do this you need to insert your shellcode that was generated from the last step into this program. You place it between the quotes of the "code[]" array. It should end up looking something like the following:

+----------------- Start updated shellcodetest.c -----------------+

/*shellcodetest.c*/
char code[] = "\x31\xc0\xbb\x42\x24\x80\x7c\x66\xb8\x88\x13\x50\xff\xd3";
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}

+----------------- End updated shellcodetest.c -----------------+

We now need to compile the updated shellcodetest.c program so that it can kick off our shellcode. This can be done with the following command:

    # gcc -o shellcodetest shellcodetest.c

This should create the executable program "shellcodetest.exe".

You should now be able to execute this program, which will then kick off your shellcode. Theshellcode is designed to simply sleep for five seconds, which is exactly what you should see with this program, and then it will exit - and may core dump, but we don't care about that at this stage.

    # ./shellcodetest.exe
    (sleeps for 5 seconds)
    (then exits - and may core dump)

Congratulations! You have just coded, compiled, stripped, formatted, and tested your first piece ofshellcode!

Now lets create something that we can actually see!

advance hacking Shellcode 23:42