Hello,
I didn't made post last week so I will be discussing about shellcodes which I did previous week also.
I started working on Create Directory shellcode in week 2 and completed it soon as It wasn't big as I used function CreateDirectoryA which is available in kernel32.dll so there was no need to load any dll's into process.
Then came the next shellcode Creating File, I thought it would be straightforward Load msvcrt.dll library > Find fopen to create file > find fprintf and use it to write to file > Close file . But when I started to work on it fopen was not working as usual, It was changing stack so I was not able to get the values like kernel32.dll address which I saved in stack for later use. I tried debugging it but couldn't find it as fopen was giving some error values and calling _wfopen and so stack was changing. Using fopen, file was created but stack was not same so I couldn't get values which I saved on stack. I was still able to write code which after creating file, exits successfully but it was getting long. So Ali said about system() which he used for creating linux create file Shellcode. system function is in msvcrt.dll so I loaded it first and then after finding address used it as system("echo data>file"). Here is create file shellcode : https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/47/files . It takes two values one is file name and other is content of file.
Next I started working on downloading file shellcode. This will be created as two shellcodes : 1. for downloading file 2. downloading and executing file. I completed both of them and PR of downloading file is merged https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/48 now I am pushing the shellcode of download and execute. For downloading I used URLDownloadToFileA function. The Shellcode takes values as url and filename. I spend one day on execution part after completing the download part and after lot of debugging I found that I was doing mistake where I was passing parameters in wrong order :P
I am on my schedule and next I will be working on Creating user and adding to admin. I will be using NetUserAdd method or do this part through command whichever would be short.
I didn't made post last week so I will be discussing about shellcodes which I did previous week also.
I started working on Create Directory shellcode in week 2 and completed it soon as It wasn't big as I used function CreateDirectoryA which is available in kernel32.dll so there was no need to load any dll's into process.
Then came the next shellcode Creating File, I thought it would be straightforward Load msvcrt.dll library > Find fopen to create file > find fprintf and use it to write to file > Close file . But when I started to work on it fopen was not working as usual, It was changing stack so I was not able to get the values like kernel32.dll address which I saved in stack for later use. I tried debugging it but couldn't find it as fopen was giving some error values and calling _wfopen and so stack was changing. Using fopen, file was created but stack was not same so I couldn't get values which I saved on stack. I was still able to write code which after creating file, exits successfully but it was getting long. So Ali said about system() which he used for creating linux create file Shellcode. system function is in msvcrt.dll so I loaded it first and then after finding address used it as system("echo data>file"). Here is create file shellcode : https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/47/files . It takes two values one is file name and other is content of file.
Next I started working on downloading file shellcode. This will be created as two shellcodes : 1. for downloading file 2. downloading and executing file. I completed both of them and PR of downloading file is merged https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/48 now I am pushing the shellcode of download and execute. For downloading I used URLDownloadToFileA function. The Shellcode takes values as url and filename. I spend one day on execution part after completing the download part and after lot of debugging I found that I was doing mistake where I was passing parameters in wrong order :P
I am on my schedule and next I will be working on Creating user and adding to admin. I will be using NetUserAdd method or do this part through command whichever would be short.
