November 21, 2017, 03:56:09 PM

Author Topic: [bmx] Arbitrary Code Execution by Pantheon [ 1+ years ago ]  (Read 201 times)

Title : Arbitrary Code Execution
Author : Pantheon
Posted : 1+ years ago

Description : This is a very simple demo that I find interesting. There are a number of reasons you might want to run code directly from the heap:

- the code could have been generated at runtime providing flexibility and efficiency
- you want to try out that amazing new shellcode you were writing
- you like getting inside the computer

The payload in this example was written by 'xnull' and was posted at http://www.milw0rm.com/

If you want to run the example on a computer with Service Pack 1 instead of SP2, you will have to swap which of the two address blocks is commented out, because the function addresses inside kernel32.dll changed between the two service packs.


Code :
Code: BlitzMax
'/**
' * ARBITRARY ( HEAP ) CODE EXECUTION
' *
' *   this code will store a set of machine instructions
' *   in the heap and then execute them. I'm not sure
' *   how stable this technique would be for a bigger
' *   program as the stack frame may be corrupted after
' *   the shell code completes (I haven't looked into it)
' *
' *   the shell code was written by 'xnull' and can be
' *   found at milw0rm.com in the shellcode section.
' *   once running the PC speaker will be set to beep at
' *   3585hz for 2 seconds
' *
' *   this will only run on WinXP Service Pack 2!
' *   change the commenting for Service Pack 1
' *
' *   - Pantheon
' *
' */

' this pointer will hold the address of our shell code.
'
Global ShellCode:Byte Ptr

' allocate 35 bytes on the heap for the machine code
'
ShellCode = MemAlloc( 35 )

' copy the shellcode into the buffer, one byte at a time
'
ShellCode[ 00 ] = $55
ShellCode[ 01 ] = $89
ShellCode[ 02 ] = $E5
ShellCode[ 03 ] = $83
ShellCode[ 04 ] = $EC
ShellCode[ 05 ] = $18
ShellCode[ 06 ] = $C7
ShellCode[ 07 ] = $45
ShellCode[ 08 ] = $FC

' kernel32.dll function address (little-endian), Service Pack 2
ShellCode[ 09 ] = $53
ShellCode[ 10 ] = $8A
ShellCode[ 11 ] = $83
ShellCode[ 12 ] = $7C

' kernel32.dll function address (little-endian), Service Pack 1
' (uncomment these four lines and comment out the four above)
'ShellCode[ 09 ] = $10
'ShellCode[ 10 ] = $C9
'ShellCode[ 11 ] = $EA
'ShellCode[ 12 ] = $77

ShellCode[ 13 ] = $C7
ShellCode[ 14 ] = $44
ShellCode[ 15 ] = $24
ShellCode[ 16 ] = $04
ShellCode[ 17 ] = $D0 ' Length $D003 = 2000 (2 seconds)
ShellCode[ 18 ] = $03
ShellCode[ 19 ] = $00
ShellCode[ 20 ] = $00
ShellCode[ 21 ] = $C7
ShellCode[ 22 ] = $04
ShellCode[ 23 ] = $24
ShellCode[ 24 ] = $01 ' Frequency $010E = 3585
ShellCode[ 25 ] = $0E
ShellCode[ 26 ] = $00
ShellCode[ 27 ] = $00
ShellCode[ 28 ] = $8B
ShellCode[ 29 ] = $45
ShellCode[ 30 ] = $FC
ShellCode[ 31 ] = $FF
ShellCode[ 32 ] = $D0
ShellCode[ 33 ] = $C9
ShellCode[ 34 ] = $C3

' declare a function pointer using the standard C calling convention
' whose target is the address of ShellCode (on the heap)
'
Global Exec( ) "C" = ShellCode

' start execution of the shellcode
'
Exec( )

' if we get here the return worked, so the stack frame survived
'
Print "Stack Frame Is Ok!"

' exit program
'
End

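A defender triaging a byte blob like this one wants to know what it calls and with which arguments without running it. The following Python script is an added example, not part of the original post or xnull's code: it transcribes the 35 bytes from the listing above (SP2 variant), matches the handful of x86 encodings the stub uses, and recovers the hard-coded call target and the two stack arguments. The pattern table and the function names are my own.

```python
import struct

# The 35 bytes from the BlitzMax listing above (SP2 address), transcribed by hand.
SHELLCODE = bytes([
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x18,                    # push ebp; mov ebp,esp; sub esp,0x18
    0xC7, 0x45, 0xFC, 0x53, 0x8A, 0x83, 0x7C,              # mov [ebp-4], 0x7C838A53
    0xC7, 0x44, 0x24, 0x04, 0xD0, 0x03, 0x00, 0x00,        # mov [esp+4], 0x000003D0
    0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00,              # mov [esp],   0x00000E01
    0x8B, 0x45, 0xFC, 0xFF, 0xD0, 0xC9, 0xC3,              # mov eax,[ebp-4]; call eax; leave; ret
])

# (opcode bytes, mnemonic, followed by a 32-bit little-endian immediate?)
PATTERNS = [
    (b"\x55",             "push ebp",                  False),
    (b"\x89\xE5",         "mov ebp, esp",              False),
    (b"\x83\xEC\x18",     "sub esp, 0x18",             False),
    (b"\xC7\x45\xFC",     "mov dword [ebp-4], imm32",  True),
    (b"\xC7\x44\x24\x04", "mov dword [esp+4], imm32",  True),
    (b"\xC7\x04\x24",     "mov dword [esp], imm32",    True),
    (b"\x8B\x45\xFC",     "mov eax, [ebp-4]",          False),
    (b"\xFF\xD0",         "call eax",                  False),
    (b"\xC9",             "leave",                     False),
    (b"\xC3",             "ret",                       False),
]

def disassemble(code):
    """Return a list of (mnemonic, immediate-or-None); raise on any byte the table does not cover."""
    out, i = [], 0
    while i < len(code):
        for prefix, mnem, has_imm in PATTERNS:
            if code.startswith(prefix, i):
                i += len(prefix)
                imm = None
                if has_imm:
                    imm = struct.unpack_from("<I", code, i)[0]
                    i += 4
                out.append((mnem, imm))
                break
        else:
            raise ValueError(f"unrecognised byte 0x{code[i]:02X} at offset {i}")
    return out

def summarize(code):
    """Recover the call target and the cdecl arguments ([esp] = first, [esp+4] = second)."""
    insns = disassemble(code)
    imms = {m: v for m, v in insns if v is not None}
    return {"target": imms["mov dword [ebp-4], imm32"],
            "arg0": imms["mov dword [esp], imm32"],
            "arg1": imms["mov dword [esp+4], imm32"],
            "calls_eax": ("call eax", None) in insns}

if __name__ == "__main__":
    s = summarize(SHELLCODE)
    print(f"call 0x{s['target']:08X}(0x{s['arg0']:X} = {s['arg0']}, 0x{s['arg1']:X} = {s['arg1']})")
```

Decoding the immediates this way shows the first argument is 0x0E01 = 3585 as the comments say, but the second is 0x03D0 = 976, so the bytes as posted request a 976 ms duration rather than the 2000 ms the comment claims.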

Comments :


Azathoth(Posted 1+ years ago)

I get an Unhandled Memory Exception with and without debug mode.

Edit: I tried the SP1 code and it doesn't give an exception, but no sound.


spacerat(Posted 1+ years ago)

Same thing happened to me (same as Azathoth, that is), and I also have SP2.