Windows Shellcoding
Hey Squad,
Today, we will see how to write shellcode on Windows that pops up a dialog box.
Investigate the MessageBoxA Function
int MessageBoxA(
HWND hWnd,
LPCSTR lpText,
LPCSTR lpCaption,
UINT uType
);
The first argument (hWnd) and the last one (uType) can be zeroed. We are only interested in the two in the middle: lpText, the message, and lpCaption, the title.
Develop your shellcode
Using arwin we can find the addresses of MessageBoxA (in user32.dll) and ExitProcess (in kernel32.dll). The two addresses used below are the ones arwin reported on the author's machine; they will differ on yours, since module load addresses change with ASLR and the Windows build, so replace them with the values arwin gives you.
Basic shellcode is given below:
BITS 32
global _start
_start:
mov eax, 0x764f2270   ; MessageBoxA address
xor ecx, ecx          ; ecx holds 0, used for hWnd, uType and the exit code
mov ebx, 0x02022376
sub ebx, 0x02020202   ; null-byte mitigation trick: the value we want is 0x00002174 ("t!\0\0"), which contains null bytes, so we add an arbitrary value to it and subtract that value again at run time
push ebx              ; \0\0!t
push 0x756f2068       ; uo h
push 0x63746157       ; ctaW
mov ebx, esp          ; ebx holds the address of the Caption ("Watch out!")
mov edx, 0x03032468
sub edx, 0x03030303   ; the same null-byte trick; we need two nulls (terminator plus padding) because every push writes 4 bytes, so the string must be 4-byte aligned
push edx              ; \0\0!e
push 0x646f636c       ; docl
push 0x6c656873       ; lehs
push 0x20657469       ;  eti
push 0x7277206e       ; rw n
push 0x61632049       ; ac I
mov edx, esp          ; edx holds the address of the Text ("I can write shellcode!")
push ecx              ; uType = 0
push ebx              ; lpCaption
push edx              ; lpText
push ecx              ; hWnd = 0 (stdcall: arguments are pushed right to left)
call eax              ; call MessageBoxA
push ecx              ; uExitCode = 0
mov eax, 0x75024f20   ; ExitProcess address
call eax              ; call ExitProcess with the 0 parameter on the stack
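The string chunks and the mov/sub pairs above were worked out by hand. The following Python helper is an added example, not code from the original post: it splits any caption and text into little-endian dwords, finds a null-free add/subtract pair for the padded final chunk, and emits the NASM listing in the same layout. The function names are my own, and the two API addresses are parameters because they are whatever arwin reports on a given machine (the page's values are used in the usage check).

```python
import struct

def chunks_le(s):
    """Split s into little-endian dwords, zero-padded so the last chunk carries the terminator."""
    data = s.encode("ascii")
    data += b"\x00" * (4 - len(data) % 4)  # always at least one NUL, total length a multiple of 4
    return [struct.unpack("<I", data[i:i + 4])[0] for i in range(0, len(data), 4)]

def has_null_byte(v):
    return any(((v >> (8 * i)) & 0xff) == 0 for i in range(4))

def null_free_pair(value):
    """Return (adjusted, mask) with adjusted - mask == value mod 2^32 and no 0x00 byte in either."""
    for b in range(1, 256):
        mask = b * 0x01010101            # repeated-byte mask, never contains 0x00
        adjusted = (value + mask) & 0xffffffff
        if not has_null_byte(adjusted):
            return adjusted, mask
    raise ValueError("no repeated-byte mask works for 0x%08x" % value)

def push_string(s, reg):
    """NASM lines that push s (last chunk first) and leave its address in reg, as the page does."""
    lines = []
    for dword in reversed(chunks_le(s)):
        if has_null_byte(dword):         # only the padded final chunk needs the mov/sub trick
            adjusted, mask = null_free_pair(dword)
            lines += ["mov %s, 0x%08x" % (reg, adjusted),
                      "sub %s, 0x%08x" % (reg, mask), "push %s" % reg]
        else:
            lines.append("push 0x%08x" % dword)
    lines.append("mov %s, esp" % reg)
    return lines

def build_asm(text, caption, msgbox_addr, exit_addr):
    """Full listing in the page's layout; the addresses (from arwin) must be null-free as well."""
    for addr in (msgbox_addr, exit_addr):
        if has_null_byte(addr):
            raise ValueError("address 0x%08x contains a null byte" % addr)
    body = ["BITS 32", "global _start", "_start:",
            "mov eax, 0x%08x ; MessageBoxA" % msgbox_addr,
            "xor ecx, ecx ; 0 for hWnd, uType and the exit code"]
    body += push_string(caption, "ebx")
    body += push_string(text, "edx")
    body += ["push ecx ; uType", "push ebx ; lpCaption", "push edx ; lpText",
             "push ecx ; hWnd", "call eax ; MessageBoxA",
             "push ecx ; uExitCode", "mov eax, 0x%08x ; ExitProcess" % exit_addr,
             "call eax ; ExitProcess"]
    return "\n".join(body)
```

Running build_asm("I can write shellcode!", "Watch out!", 0x764f2270, 0x75024f20) reproduces the dwords of the hand-written listing; the helper picks 0x01010101 as the mask where the author chose 0x02020202, and either works.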
Run the shellcode
Execute the commands below to assemble the file and get the opcodes as a string.
nasm msgbox.asm -o msgbox.bin
python bin2sc msgbox.bin
"\xb8\x70\x22\x4f\x76\x31\xc9\xbb\x76\x23\x02\x02\x81\xeb\x02" +
"\x02\x02\x02\x53\x68\x68\x20\x6f\x75\x68\x57\x61\x74\x63\x89" +
"\xe3\xba\x68\x24\x03\x03\x81\xea\x03\x03\x03\x03\x52\x68\x6c" +
"\x63\x6f\x64\x68\x73\x68\x65\x6c\x68\x69\x74\x65\x20\x68\x6e" +
"\x20\x77\x72\x68\x49\x20\x63\x61\x89\xe2\x51\x53\x52\x51\xff" +
"\xd0\x51\xb8\x20\x4f\x02\x75\xff\xd0"
Let’s paste the above into the shellcode tester.
#include <stdio.h>
#include <string.h>
#include <windows.h>
int main()
{
    LoadLibrary("user32.dll"); /* map user32 so MessageBoxA is present at the address arwin reported */
    /* opcodes from bin2sc above; they contain no 0x00 byte, so strlen() returns the full length */
    char* shellcode =
        "\xb8\x70\x22\x4f\x76\x31\xc9\xbb\x76\x23\x02\x02\x81\xeb\x02"
        "\x02\x02\x02\x53\x68\x68\x20\x6f\x75\x68\x57\x61\x74\x63\x89"
        "\xe3\xba\x68\x24\x03\x03\x81\xea\x03\x03\x03\x03\x52\x68\x6c"
        "\x63\x6f\x64\x68\x73\x68\x65\x6c\x68\x69\x74\x65\x20\x68\x6e"
        "\x20\x77\x72\x68\x49\x20\x63\x61\x89\xe2\x51\x53\x52\x51\xff"
        "\xd0\x51\xb8\x20\x4f\x02\x75\xff\xd0";
    LPVOID lpAlloc = VirtualAlloc(0, strlen(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lpAlloc == NULL) return 1;
    memcpy(lpAlloc, shellcode, strlen(shellcode));
    ((void(*)())lpAlloc)(); /* jump into the shellcode; its ExitProcess call ends the process */
    return 0;
}
Result
Finally, let's compile it as a 32-bit executable (the shellcode is BITS 32) and run it.
Please give me a clap if you found it to be useful and follow me to get more hacking knowledge.
You can buy me a coffee if you would like to -> https://www.buymeacoffee.com/gowthamaraj