This section gives an overview of my shellcode. I code most of my shellcode completely by hand (I use the free nasm assembler), but some shellcode has also been generated with the help of a C-compiler. I worked out a method to generate WIN32 shellcode with a C-compiler. By using special constructs in C and avoiding incompatible constructs, the C-compiler will emit position-independent code for the C functions designed to be converted to shellcode. The shellcode is extracted from the compiled EXE-file when the program is run.

Not only is it easier and faster to code shellcode with C instead of assembly language; this method also makes it possible to debug shellcode with Visual C++ 2008 Express’ integrated debugger. I’m currently writing a tutorial for this method.

The shellcodes presented here do not use hardcoded WIN32 API function addresses; they use the PEB method to dynamically look up the addresses (code published in The Shellcoder’s Handbook; you can find it in the include file sc-api-functions.asm).
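For detection purposes, the PEB method has a recognizable first step: the code has to read the PEB pointer from the TEB (FS:[0x30] in 32-bit code, GS:[0x60] in 64-bit code). The following is an added example, not code from this page or from its downloads: a heuristic scanner for common encodings of that read. The function names and the sample byte strings are constructed for illustration, and legitimate code (loaders, runtime libraries) also contains these instructions, so a hit is a lead, not a verdict.

```python
# Heuristic scan for "read the PEB pointer from the TEB" instructions.
# 32-bit code reaches the TEB through FS (PEB pointer at offset 0x30),
# 64-bit code through GS (PEB pointer at offset 0x60).

def _u32(buf, p):
    return int.from_bytes(buf[p:p + 4], "little") if p + 4 <= len(buf) else None

def _load_disp(buf, i, x64):
    """Displacement of a `mov reg, [mem]` (opcode 8B) at buf[i], else None."""
    if i + 1 >= len(buf) or buf[i] != 0x8B:
        return None
    mod, rm = buf[i + 1] >> 6, buf[i + 1] & 7
    p = i + 2
    if mod == 1 and rm != 4:                      # [reg + disp8], reg assumed zeroed
        return buf[p] if p < len(buf) else None
    if mod == 0 and rm == 5 and not x64:          # [disp32] (RIP-relative on x64)
        return _u32(buf, p)
    if mod == 0 and rm == 4 and p < len(buf) and buf[p] & 0x3F == 0x25:
        return _u32(buf, p + 1)                   # SIB, no base, no index: [disp32]
    return None

def find_peb_reads(buf):
    """Return [(offset, label)] for each candidate PEB-pointer load in buf."""
    hits = []
    for i, b in enumerate(buf):
        if b == 0x64:                             # FS segment override prefix
            short_form = buf[i + 1:i + 6] == b"\xa1\x30\x00\x00\x00"  # mov eax, fs:[0x30]
            if short_form or _load_disp(buf, i + 1, x64=False) == 0x30:
                hits.append((i, "x86 fs:[0x30]"))
        elif b == 0x65:                           # GS segment override prefix
            j = i + 1
            if j < len(buf) and buf[j] & 0xF0 == 0x40:   # skip a REX prefix
                j += 1
            if _load_disp(buf, j, x64=True) == 0x60:
                hits.append((i, "x64 gs:[0x60]"))
    return hits

# Constructed sample buffers (not taken from the downloads on this page).
SAMPLES = {
    "x86 register form": bytes.fromhex("31d2648b52308b520c"),
    "x86 absolute form": bytes.fromhex("64a130000000"),
    "x64 absolute form": bytes.fromhex("65488b042560000000"),
    "SEH head, not PEB": bytes.fromhex("64a100000000"),
    "plain prologue":    bytes.fromhex("558bec8b45085dc3"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:20} {find_peb_reads(blob)}")
```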

Note that shellcodes available for download here are not restricted in the byte-values they may use. Most of them will contain 0x00-bytes. If this is an issue, I’ll provide you with a couple of decoders I developed to exclude specific byte-values.

ShellCode With a C-Compiler

I wrote an article in Hakin9 magazine on how to write shellcode with a C-compiler.

Download:

ShellCodeLibLoader_v0_0_1.zip (https)

MD5: F6D4779097A8A11C412BDD47B7B1C8AE

SHA256: 3294A4322926476562AF34A80B8155638EFEEF38E401E69D6DB9BBB652C3EB58

ShellCodeMemoryModule

The DLL-loading shellcode I used in my cmd.xls spreadsheet was generated with my C-Compiler method. You can download Joachim’s code, converted to shellcode with this method, here:

Download:

ShellCodeMemoryModule_V0_0_0_1.zip (https)

MD5: CEABB3A8A9A4A507BA19C52EE2CC5DA9

SHA256: 284344C909E623B0406BB38A67F5A7A1AEE2473721244EED52CCEBB8846B0500

The shellcode is in file ShellCodeMemoryModule.exe.bin (it contains the shellcode with an appended DLL that displays a MessageBox).

Finally, after extensive testing of this shellcode, I disassembled it with ndisasm and optimized it for size (2297 bytes instead of 2634 bytes). But this step is only necessary if you want assembly code for your shellcode. This assembly code will be released when I’m done tweaking it 😉

MessageBox Shellcode

Per request, I am releasing the assembly code I used in my previous blog posts to display a message box when the injected shellcode gets executed. It’s nothing special, but it will save you some time when you need a similar program.

Assemble the code with nasm like this:

nasm -o sc-mba-hello.bin sc-mba-hello.asm

I use the DLL locating code published in The Shellcoder’s Handbook; you can find it in the include file sc-api-functions.asm. MessageBoxA is located in user32.dll; this DLL has to be loaded in the process you’re injecting with sc-mba-hello.

sc-ods.asm is a similar program, calling OutputDebugStringA instead of MessageBoxA.

The shellcode:

Winexec Shellcode

Another requested file (sc-winexec.asm) was added to my-shellcode_v0_0_3.zip: shellcode to launch calc.exe via a WinExec call. After that, the shellcode will exit with a call to ExitThread.

If you want this shellcode to launch a program other than calc.exe, edit the last line of the assembly code to replace calc.exe with the desired program:

COMMAND: db "calc.exe", 0

Ping Shellcode

Two other requested files (sc-ping.asm and sc-ping-computername-username.asm) were added to my-shellcode_v0_0_3.zip: shellcode to perform a ping. The first one does a ping with a static payload; the second one has a dynamic payload (computername + username).

Tweet Shellcode

Shellcode to send a Twitter Update was added to my-shellcode_v0_0_4.zip. Before using/assembling the shellcode, you need to provide Twitter credentials and the text for the status update (url-encoded).

; Customize the following 3 TWITTER_ values according to your needs
; Notice that your Tweet has to be URL encoded!
; USER_AGENT is another value you might want to customize
%define TWITTER_CREDENTIAL_NAME "user"
%define TWITTER_CREDENTIAL_PASSWORD "password"
%define TWITTER_TWEET_URL_ENCODED "This+is+a+Tweet+from+shellcode"

.NET Shellcode

Shellcode to load a .NET assembly in the current process was added to my-shellcode_v0_0_5.zip. Before using/assembling the shellcode, you need to provide your own assembly, class, method and a parameter.

; Customize the following 4 DOTNET_ values according to your needs
%define DOTNET_ASSEMBLY_VALUE "C:\HelloWorldClass.dll"
%define DOTNET_CLASS_VALUE "DidierStevens.HelloWorld"
%define DOTNET_METHOD_VALUE "HelloWorldMessageBox"
%define DOTNET_ARGUMENT_VALUE "Call from shellcode sc-dotNET"

Example of a C# class:

using System;
using System.Windows.Forms;

namespace DidierStevens
{
    public class HelloWorld
    {
        public static Int32 HelloWorldMessageBox(String message)
        {
            MessageBox.Show(message, "Hello World from .NET");
            return 1;
        }
    }
}

x64 Shellcode

I’ve also started to write x64 shellcode, like this example.

Look for filenames starting with sc-x64 in the zip file (my-shellcode_v….zip).

Download:

my-shellcode_v0_0_8.zip (https)

MD5: 456F014F88A759B0A5CD15DC2C9F4BBD

SHA256: B924200D2F4674F9BC25AAB2C43397647E3F97AF27CBB394CBECCFBF2789D507