Windows Shellcoding

Hey Squad,

Today we will see how to write shellcode on Windows that creates a dialog box.


Investigate the MessageBoxA Function

  1. https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxa
int MessageBoxA( 
  HWND hWnd, 
  LPCSTR lpText, 
  LPCSTR lpCaption, 
  UINT uType 
);

The first argument (hWnd) and the last one (uType) can be zeroed. We are only interested in the two in the middle — lpText and lpCaption.

Develop your shellcode

Using arwin we can find the addresses of MessageBoxA and ExitProcess, as follows.

The basic shellcode is given below:

BITS 32 
global _start 
mov eax, 0x764f2270; MessageBoxA address 
xor ecx, ecx; ecx will hold 0 for future use 
mov ebx, 0x02022376 
sub ebx, 0x02020202; null-byte mitigation trick - we add an arbitrary value to the original register's content and then subtract it 
push ebx ;\0\0!t 
push 0x756f2068 ; uo h 
push 0x63746157 ; ctaW 
mov ebx, esp; ebx holds the addr of Caption 
mov edx, 0x03032468 
sub edx, 0x03030303; again the null byte trick. We need double null since the stack has to be 4 byte aligned. 
push edx ;\0\0!e 
push 0x646f636c ;docl 
push 0x6c656873 ;lehs 
push 0x20657469 ; eti 
push 0x7277206e ;rw n 
push 0x61632049 ;ac I 
mov edx, esp ;edx now holds the Content 
push ecx; uType 
push ebx; Caption 
push edx; Content 
push ecx 
call eax; Call MessageBoxA 
push ecx; push 0 to the stack 
mov eax, 0x75024f20; make eax contain the address of ExitProcess() 
call eax; call ExitProcess while the 0 parameter is on the stack

Run the shellcode

Execute the commands below to assemble the shellcode and get the opcodes.

nasm msgbox.asm -o msgbox.bin 
python bin2sc msgbox.bin
"\xb8\x70\x22\x4f\x76\x31\xc9\xbb\x76\x23\x02\x02\x81\xeb\x02" + 
"\x02\x02\x02\x53\x68\x68\x20\x6f\x75\x68\x57\x61\x74\x63\x89" + 
"\xe3\xba\x68\x24\x03\x03\x81\xea\x03\x03\x03\x03\x52\x68\x6c" + 
"\x63\x6f\x64\x68\x73\x68\x65\x6c\x68\x69\x74\x65\x20\x68\x6e" + 
"\x20\x77\x72\x68\x49\x20\x63\x61\x89\xe2\x51\x53\x52\x51\xff" + 
"\xd0\x51\xb8\x20\x4f\x02\x75\xff\xd0"
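A small helper that goes with the null-byte trick in the assembly above and with the bin2sc step: it checks that a mov/sub constant pair is null-free and yields the wanted value, reassembles the strings from the push immediates, scans the assembled bytes for 0x00, and re-renders them in bin2sc's format. This is an added example, not code from the post; the byte string is the bin2sc output shown above, and the function names are my own.

```python
# Added helper, not code from the original post: checks the "mov big / sub k"
# null-byte trick used above, reassembles the strings built by the pushes,
# scans the assembled bytes for 0x00, and renders them the way bin2sc does.
MASK = 0xFFFFFFFF

# The 84 opcode bytes that bin2sc printed in the post (copied, not constructed).
MSGBOX_SHELLCODE = bytes.fromhex(
    "b870224f7631c9bb7623020281eb02" "020202536868206f75685761746389"
    "e3ba6824030381ea0303030352686c" "636f64687368656c6869746520686e"
    "207772684920636189e251535251ff" "d051b8204f0275ffd0"
)

def imm_bytes(value):
    # Little-endian encoding of a 32-bit immediate, exactly as it lands in the opcode.
    return (value & MASK).to_bytes(4, "little")

def is_null_free(value):
    return b"\x00" not in imm_bytes(value)

def verify_pair(big, sub, wanted):
    # `mov reg, big` then `sub reg, sub` must give `wanted` with no 0x00 in either immediate.
    return is_null_free(big) and is_null_free(sub) and ((big - sub) & MASK) == wanted

def find_null_free_pair(wanted):
    # Try repeated-byte subtrahends 0x01010101, 0x02020202, ... like the post's 0x02020202.
    for b in range(1, 256):
        sub = b * 0x01010101
        big = (wanted + sub) & MASK
        if verify_pair(big, sub, wanted):
            return big, sub
    raise ValueError("no null-free pair for 0x%08x" % wanted)

def pushed_string(immediates_in_push_order):
    # The last `push imm32` ends up at ESP, so the string reads from the last push to the first.
    raw = b"".join(imm_bytes(v) for v in reversed(immediates_in_push_order))
    return raw.rstrip(b"\x00").decode("ascii")

def find_null_bytes(code):
    # Offsets of 0x00 in the shellcode; a strlen/strcpy-based loader stops at the first one.
    return [i for i, byte in enumerate(code) if byte == 0]

def bin2sc(code, width=15):
    # "\x.." string lines, 15 bytes per line, joined with " +" as in the post's output.
    lines = ['"%s"' % "".join("\\x%02x" % byte for byte in code[i:i + width])
             for i in range(0, len(code), width)]
    return " +\n".join(lines)
```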

Let’s paste the above into the shellcode tester.

#include <stdio.h>
#include <string.h>
#include <windows.h>

int main()
{
    /* MessageBoxA lives in user32.dll; it must be mapped before the hard-coded address is called. */
    LoadLibrary("user32.dll");
    /* The bin2sc output from above. The two addresses are specific to the machine
       arwin was run on, and the code is 32-bit, so build this as a 32-bit executable. */
    char* shellcode = "\xb8\x70\x22\x4f\x76\x31\xc9\xbb\x76\x23\x02\x02\x81\xeb\x02"
                      "\x02\x02\x02\x53\x68\x68\x20\x6f\x75\x68\x57\x61\x74\x63\x89"
                      "\xe3\xba\x68\x24\x03\x03\x81\xea\x03\x03\x03\x03\x52\x68\x6c"
                      "\x63\x6f\x64\x68\x73\x68\x65\x6c\x68\x69\x74\x65\x20\x68\x6e"
                      "\x20\x77\x72\x68\x49\x20\x63\x61\x89\xe2\x51\x53\x52\x51\xff"
                      "\xd0\x51\xb8\x20\x4f\x02\x75\xff\xd0";
    /* strlen() is only safe here because the null-byte trick kept 0x00 out of the shellcode;
       an embedded null would silently truncate the copy. */
    size_t len = strlen(shellcode);

    LPVOID lpAlloc = VirtualAlloc(0, len, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (lpAlloc == NULL) {
        printf("VirtualAlloc failed: %lu\n", GetLastError());
        return 1;
    }
    memcpy(lpAlloc, shellcode, len);

    ((void(*)())lpAlloc)();

    return 0;
}

Result

Finally, let’s compile and run.


Please give me a clap if you found it to be useful and follow me to get more hacking knowledge.

You can buy me a coffee if you would like to -> https://www.buymeacoffee.com/gowthamaraj