Saturday, February 11, 2012

Speaking Shell Code (Win32)


A few days back I saw an interesting Facebook status like this:

To know whether your computer is male or female follow the instructions below:

1) Open your notepad
2) Type or copy paste: CreateObject("SAPI.SpVoice").Speak "I love you"
3) Save as computer_gender.vbs
4) Run the file.

Coool.

I cannot remember who that person was, but I am very thankful to that person. Finally, after successful exploitation, my target software is no longer going to open a boring calculator (calc.exe). Now it is going to speak. :) :)




My brand new speaking shellcode for the Win32 environment. It has the ability to automatically find the base address of Kernel32.dll and call the required Win32 APIs.

Also available @ http://packetstormsecurity.org/files/109702/Win32-Speaking-Shellcode.html

Basically it uses 5 Win32 APIs. They are:

CreateFileA, WriteFile, CloseHandle, WinExec and ExitProcess.

From MSDN:
 
HANDLE WINAPI CreateFile(
  __in      LPCTSTR lpFileName,
  __in      DWORD dwDesiredAccess,
  __in      DWORD dwShareMode,
  __in_opt  LPSECURITY_ATTRIBUTES lpSecurityAttributes,
  __in      DWORD dwCreationDisposition,
  __in      DWORD dwFlagsAndAttributes,
  __in_opt  HANDLE hTemplateFile
);


BOOL WINAPI WriteFile(
  __in         HANDLE hFile,
  __in         LPCVOID lpBuffer,
  __in         DWORD nNumberOfBytesToWrite,
  __out_opt    LPDWORD lpNumberOfBytesWritten,
  __inout_opt  LPOVERLAPPED lpOverlapped
);


BOOL WINAPI CloseHandle(
  __in  HANDLE hObject
);


UINT WINAPI WinExec(
  __in  LPCSTR lpCmdLine,
  __in  UINT uCmdShow
);

VOID WINAPI ExitProcess(
  __in  UINT uExitCode
);
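
Seen from the defender's side, the API sequence above (CreateFileA, WriteFile, CloseHandle, then WinExec) surfaces in endpoint telemetry as one process creating a file and then starting a child process that references it. The sketch below is an added example, not part of the original post: it assumes the written file is a script handed to a script host, and it runs over constructed Sysmon-style records whose paths, PIDs and file names are invented for the illustration.

```python
from datetime import datetime, timedelta

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
WINDOW = timedelta(seconds=30)  # assumed correlation window
WSCRIPT = r"C:\Windows\System32\wscript.exe"

# Constructed Sysmon-style records (ID 11 = FileCreate, ID 1 = ProcessCreate).
SAMPLE_EVENTS = [
    # Exploited application writes a script, then launches it itself.
    {"id": 11, "time": "2012-02-11 10:00:01", "ProcessId": 4120,
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\speak.vbs"},
    {"id": 1, "time": "2012-02-11 10:00:02", "ParentProcessId": 4120,
     "ParentImage": r"C:\Apps\player.exe", "Image": WSCRIPT,
     "CommandLine": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\SPEAK.VBS"'},
    # Benign: saved in Notepad (pid 900), double-clicked in Explorer (pid 1500).
    {"id": 11, "time": "2012-02-11 11:00:00", "ProcessId": 900,
     "TargetFilename": r"C:\Users\bob\Desktop\computer_gender.vbs"},
    {"id": 1, "time": "2012-02-11 11:00:05", "ParentProcessId": 1500,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": WSCRIPT,
     "CommandLine": r'wscript.exe "C:\Users\bob\Desktop\computer_gender.vbs"'},
    # Same writer and launcher, but ten minutes apart: outside the window.
    {"id": 11, "time": "2012-02-11 12:00:00", "ProcessId": 700,
     "TargetFilename": r"C:\Build\step.vbs"},
    {"id": 1, "time": "2012-02-11 12:10:00", "ParentProcessId": 700,
     "ParentImage": r"C:\Build\make.exe", "Image": WSCRIPT,
     "CommandLine": r"wscript.exe C:\Build\step.vbs"},
]

def find_drop_and_run(events):
    """Return alerts where the process that wrote a script also launched it."""
    drops, alerts = {}, []  # drops: lower-cased path -> (writer pid, write time)
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO strings sort by time
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 11:  # FileCreate: remember who wrote which script
            path = ev["TargetFilename"].lower()
            if path.endswith(SCRIPT_EXTS):
                drops[path] = (ev["ProcessId"], when)
        elif ev["id"] == 1:  # ProcessCreate: launched by the writer?
            cmd = ev["CommandLine"].lower()
            for path, (pid, written) in drops.items():
                if (path in cmd and ev["ParentProcessId"] == pid
                        and when - written <= WINDOW):
                    alerts.append({"script": path, "pid": pid,
                                   "parent": ev["ParentImage"], "child": ev["Image"]})
    return alerts

if __name__ == "__main__":
    for alert in find_drop_and_run(SAMPLE_EVENTS):
        print(alert)
```

On real Sysmon data, correlate on ProcessGuid and ParentProcessGuid rather than PIDs, since PIDs are reused.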

The assembly looks like:







Enjoy..:0