Hacking/Shellcode/Bind/NGS

From Skypher

Jump to: navigation, search

Main Page
├─▷Programming
└─▼Hacking
  ├─▼Shellcode
  │ ├─▼Bind
  │ │ └─●NGS
  │ ├─○Restricted instruction set
  │ ├─▷Alphanumeric
  │ ├─▷ASCII Art
  │ ├─○kernel32
  │ ├─○GetPC
  │ └─▷Egg hunt
  ├─▷Windows internals
  ├─○Vulnerabilities
  ├─○Heap spraying
  └─○List of security teams contact information

Contents

Wikipedia article: Shellcode#Remote_shellcode

A small, null-free port binding shellcode for 32-bit versions of Windows. Windows 5.0-7.0 all service packs are supported. The code binds a socket to a port to accept incomming connections. This code is based largely on code and ideas (C) 2005 by Dafydd Stuttard, NGS Software. Thanks to Pete Beck.

Features

Features both in this and the original code:

  • NULL Free
  • Windows version and service pack independant.

Improvements of this code over the original:

  • No assumptions are made about the values of registers.
  • /3GB compatible: pointers are not assume to be smaller than 0x80000000.
  • DEP and ASLR compatible: data is not executed, code is not modified.
  • Windows 7 compatible: kernel32 is found based on the length of its name.
  • Stealth: does not display a console windows on the target machine when cmd.exe is executed.
  • Allows an unlimited number of consecutive connections.

How it works

The code follows the following steps:

  1. Use the FS: segment register to find the TEB,
  2. Use the TEB to find the PEB,
  3. Use the PEB to find ntdll's LoaderData structure,
  4. Use the LoaderData structure to find the InInitializationOrder list of loaded modules.
  5. Walk the InInitializationOrder list of loaded modules to find the first module that has a NULL as the 13th Unicode character in its name (strlen("kernel32.dll") == 12) in order to find the base address of kernel32.
  6. Parse the PE header of kernel32 to find and parse the export table and use it to find the CreateProcessA and LoadLibraryA functions using hashes of their names.
  7. Call LoadLibraryA to load ws2_32.dll.
  8. Parse the PE header of ws2_32.dll to find and parse the export table and use it to find the WSAStartup, WSASocketA, bind, listen and accept functions using hashes of their names.
  9. Call WSAStartup and WSASocketA to initialize the Winsock DLL and create a socket.
  10. Call bind and listen to bind the socket to a port and listen for incoming connections.
  11. Call accept to accept an incoming connection.
  12. Call CreateProcessA to start cmd.exe with I/O redirected to the socket returned by accept.
  13. Goto 11

Requirements

  • Download the code: here.
  • Download Python: here (if you want to re-calculate the function name hashes).
  • Download NASM: here (if you want to make modifications to the .asm source and recompile it).
Retrieved from "http://skypher.com/wiki/index.php/Hacking/Shellcode/Bind/NGS"
Personal tools