Thursday, October 27, 2011

Beep Beep Shell Code

If this shell code is injected into any process,a Beep sound will occur with an interval of 20 seconds.
This shell code is hard coded for Windows XP.Gonna work fine with all service packs of XP,but due to "ASLR" in Vista or Win-7 it will not work.

Basically i have used 2 built in functions in windows.
1)Beep
2)Sleep

These two functions are defined in "Kernel32.dll"
Like always i will use ARWIN to get the virtual address of the above mentioned function in Kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll Beep
arwin – win32 address resolution program – by steve hanna – v.01
Beep is located at 0x7c837aa7 in kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll Sleep
arwin – win32 address resolution program – by steve hanna – v.01
Sleep is located at 0x7c802446 in kernel32.dll


From above we can see virtual address of these two functions are 0x7c837aa7(Beep) and 0x7c802446 (Sleep)
From MSDN we can see that "Beep" function accepts two arguments Frequency and duration of the Beep.
BOOL WINAPI Beep(
__in  DWORD dwFreq,
__in  DWORD dwDuration
);

and Sleep function accepts one argument that is only Duration of the beep.
VOID WINAPI Sleep(
__in  DWORD dwMilliseconds
);

The assembly code will be like following..

;sleep.asm
[SECTION .text]

global _start


_start:
mov ecx,5                   ; Loop
loop:
xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx



mov eax, 0x7c837aa7 ;address of Beep
mov bx, 750         ;Frequency
mov dx, 50     ;Duration 
push ebx
push edx
call eax     ;Call Beep

xor eax,eax
xor ebx,ebx
mov ebx, 0x7c802446 ;address of Sleep
mov ax, 20000       ;pause for 20 Seconds
push eax
call ebx            ;

dec ecx
jnz loop

Next step is to assemble the above code with NASM assembler.

D:\exploitkit\nasm>nasm -f elf Beep.asm
D:\exploitkit\>ld.exe -o Beep Beep.o


Then we will get an object file that is Beep.o

From that object file will get Mnemonics of the Instructions.
The objdump out put will be like this..

D:\exploitkit>objdump -d Beep.o

Beep.o:     file format elf32-i386

Disassembly of section .text:

00000000 <_start>:
0:   b9 05 00 00 00          mov    $0x5,%ecx

00000005 <loop>:
5:   31 c0                   xor    %eax,%eax
7:   31 db                   xor    %ebx,%ebx
9:   31 c9                   xor    %ecx,%ecx
b:   31 d2                   xor    %edx,%edx
d:   b8 a7 7a 83 7c          mov    $0x7c837aa7,%eax
12:   66 bb ee 02             mov    $0x2ee,%bx
16:   66 ba 32 00             mov    $0x32,%dx
1a:   53                      push   %ebx
1b:   52                      push   %edx
1c:   ff d0                   call   *%eax
1e:   31 c0                   xor    %eax,%eax
20:   31 db                   xor    %ebx,%ebx
22:   bb 46 24 80 7c          mov    $0x7c802446,%ebx
27:   66 b8 e8 03             mov    $0x3e8,%ax
2b:   50                      push   %eax
2c:   ff d3                   call   *%ebx
2e:   49                      dec    %ecx
2f:   75 d4                   jne    5 <loop>
31:   31 c0                   xor    %eax,%eax
33:   b8 12 cb 81 7c          mov    $0x7c81cb12,%eax
38:   50                      push   %eax
39:   ff d0                   call   *%eax

D:\exploitkit>

So the final shell code is like ..

\x31\xc0
\x31\xdb
\x31\xc9
\x31\xd2
\xb8\xa7\x7a\x83\x7c
\x66\xbb\xee\x02
\x66\xba\x32\x00
\x53
\x52
\xff\xd0
\x31\xc0
\x31\xdb
\xbb 46\x24\x80\x7c
\x66\xb8\xe8\x03
\x50
\xff\xd3
\x49
\x75\xd4
\x31\xc0
\xb8\x12\xcb\x81\x7c
\x50
\xff\xd0

To test this shell code compile the following code with any C compiler .
/*shellcodetest.c*/

char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb8
\xa7\x7a\x83\x7c\x66\xbb\xee\x02\x66
\xba\x32\x00\x53\x52\xff\xd0\x31\xc0
\x31\xdb\xbb\x46\x24\x80\x7c\x66\xb8
\xe8\x03\x50\xff\xd3\x49\x75\xd4\x31
\xc0\xb8\x12\xcb\x81\x7c\x50\xff\xd0";
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}

Again opening the executable in Immunity Debugger we can see the same code but in details..

00401000 > $ B9 05000000    MOV ECX,5
00401005   > 31C0           XOR EAX,EAX
00401007   . 31DB           XOR EBX,EBX
00401009   . 31C9           XOR ECX,ECX
0040100B   . 31D2           XOR EDX,EDX
0040100D   . B8 A77A837C    MOV EAX,kernel32.Beep
00401012   . 66:BB EE02     MOV BX,2EE
00401016   . 66:BA 3200     MOV DX,32
0040101A   . 53             PUSH EBX                                 ; /Duration
0040101B   . 52             PUSH EDX                                 ; |Frequency
0040101C   . FFD0           CALL EAX                                 ; \Beep
0040101E   . 31C0           XOR EAX,EAX
00401020   . 31DB           XOR EBX,EBX
00401022   . BB 4624807C    MOV EBX,kernel32.Sleep
00401027   . 66:B8 E803     MOV AX,3E8
0040102B   . 50             PUSH EAX                                 ; /Timeout
0040102C   . FFD3           CALL EBX                                 ; \Sleep
0040102E   . 49             DEC ECX
0040102F   .^75 D4          JNZ SHORT Beep.00401005