[bmx] Arbitrary Code Execution by Pantheon [ 1+ years ago ]

Started by BlitzBot, June 29, 2017, 00:28:43


BlitzBot

Title : Arbitrary Code Execution
Author : Pantheon
Posted : 1+ years ago

Description : This is a very simple demo that I find interesting. There are a number of reasons that you may want to run code directly from the heap:

- the code could have been generated at runtime providing flexibility and efficiency
- you want to try out that amazing new shellcode you were writing
- you like getting inside the computer

The payload in this example was written by 'xnull' and was posted at http://www.milw0rm.com

You will have to change the commenting if you want to run the example on a computer with service pack 1 instead of sp2. This is because the function addresses within kernel32.dll were changed as a result.


Code (blitzmax) :
'/**
' * ARBITRARY ( HEAP ) CODE EXECUTION
' *
' *  this code will store a set of machine instructions
' *   in the heap and then  execute  them. I'm not  sure
' *   how  stable this  technique would be for a  bigger
' *   program as the stack frame may be corrupted  after
' *   the shell code completes (I haven't looked into it)
' *
' *   the  shell code was  written by 'xnull' and can be
' *   found  at  milw0rm.com  in the shellcode  section.
' *   once running the PC speaker will be set to beep at
' *   3585 Hz for $3D0 = 976 ms (the duration dword below)
' *
' *   this will only run on WinXP Service Pack 2!
' *   change the commenting for service pack 1
' *
' *   - Pantheon
' *
' */

' this address will point to our shell code.
'
Global ShellCode:Byte Ptr

' point to memory of 35 bytes (on the heap)
'
ShellCode = MemAlloc( 35 )

' inserts the shellcode into the array, one byte per slot.
' each multi-byte value (the address, the two arguments) is
' stored little-endian, so the bytes appear reversed.
'
ShellCode[ 00 ] = $55 ' push ebp
ShellCode[ 01 ] = $89 ' mov ebp, esp
ShellCode[ 02 ] = $E5
ShellCode[ 03 ] = $83 ' sub esp, $18 (room for the local and the outgoing arguments)
ShellCode[ 04 ] = $EC
ShellCode[ 05 ] = $18
ShellCode[ 06 ] = $C7 ' mov dword [ebp-4], <address> (next 4 bytes)
ShellCode[ 07 ] = $45
ShellCode[ 08 ] = $FC

ShellCode[ 09 ] = $53 ' Address for Service Pack 2: dword $7C838A53
ShellCode[ 10 ] = $8A
ShellCode[ 11 ] = $83
ShellCode[ 12 ] = $7C

'ShellCode[ 09 ] = $10 ' Address for Service Pack 1: dword $77EAC910
'ShellCode[ 10 ] = $C9
'ShellCode[ 11 ] = $EA
'ShellCode[ 12 ] = $77

ShellCode[ 13 ] = $C7 ' mov dword [esp+4], <duration> (second argument)
ShellCode[ 14 ] = $44
ShellCode[ 15 ] = $24
ShellCode[ 16 ] = $04
ShellCode[ 17 ] = $D0 ' Duration: bytes D0 03 00 00 = dword $000003D0 = 976 ms
ShellCode[ 18 ] = $03
ShellCode[ 19 ] = $00
ShellCode[ 20 ] = $00
ShellCode[ 21 ] = $C7 ' mov dword [esp], <frequency> (first argument)
ShellCode[ 22 ] = $04
ShellCode[ 23 ] = $24
ShellCode[ 24 ] = $01 ' Frequency: bytes 01 0E 00 00 = dword $00000E01 = 3585 Hz
ShellCode[ 25 ] = $0E
ShellCode[ 26 ] = $00
ShellCode[ 27 ] = $00
ShellCode[ 28 ] = $8B ' mov eax, [ebp-4] (load the address stored above)
ShellCode[ 29 ] = $45
ShellCode[ 30 ] = $FC
ShellCode[ 31 ] = $FF ' call eax
ShellCode[ 32 ] = $D0
ShellCode[ 33 ] = $C9 ' leave (restore esp and ebp)
ShellCode[ 34 ] = $C3 ' ret

' define a function using standard C calling convention
' residing at the address of ShellCode (on the heap)
'
Global Exec( ) "C" = ShellCode

' start execution of the shellcode
'
Exec( )

' test the stack frame
'
Print "Stack Frame Is Ok!"

' exit program
'
End

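Before running an opaque byte blob like the one above, a practitioner would want to know statically what it does. The following Python script is an added example (not part of the original post and not xnull's or Pantheon's code): it decodes the small x86-32 opcode subset the stub uses and recovers the call target loaded through [ebp-4] and the two arguments written at [esp] and [esp+4]. The byte values are transcribed from the post (the SP1 variant is assembled from the commented-out lines); the (frequency, duration) pairing with kernel32's Beep(dwFreq, dwDuration) is consistent with the post's comments. Note that the duration dword decodes to 976 ms, not 2000.

```python
import struct
from typing import Dict, List, Optional

# Constructed from the ShellCode[] assignments in the post (Service Pack 2 variant).
SHELLCODE_SP2 = bytes([
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x18,
    0xC7, 0x45, 0xFC, 0x53, 0x8A, 0x83, 0x7C,          # mov dword [ebp-4], imm32
    0xC7, 0x44, 0x24, 0x04, 0xD0, 0x03, 0x00, 0x00,    # mov dword [esp+4], imm32
    0xC7, 0x04, 0x24, 0x01, 0x0E, 0x00, 0x00,          # mov dword [esp], imm32
    0x8B, 0x45, 0xFC, 0xFF, 0xD0, 0xC9, 0xC3,
])
# The post's commented-out Service Pack 1 bytes differ only in the address dword.
SHELLCODE_SP1 = SHELLCODE_SP2[:9] + bytes([0x10, 0xC9, 0xEA, 0x77]) + SHELLCODE_SP2[13:]


def _s8(b: int) -> int:
    """Interpret a byte as a signed 8-bit displacement."""
    return b - 256 if b > 127 else b


def _u32(code: bytes, off: int) -> int:
    """Read a little-endian 32-bit immediate."""
    return struct.unpack_from("<I", code, off)[0]


def analyze(code: bytes) -> Dict[str, object]:
    """Decode the opcode subset used by the stub and recover what 'call eax'
    would invoke: the address stored at [ebp-4] and the arguments written at
    [esp] and [esp+4]. Any opcode outside the subset raises ValueError rather
    than being guessed at."""
    asm: List[str] = []
    frame: Dict[int, int] = {}   # [ebp+disp] -> value stored there
    stack: Dict[int, int] = {}   # [esp+disp] -> value stored there (outgoing args)
    eax: Optional[int] = None
    call_target: Optional[int] = None
    i = 0
    while i < len(code):
        b = code[i]
        if b == 0x55:
            asm.append("push ebp"); i += 1
        elif code[i:i + 2] == b"\x89\xE5":
            asm.append("mov ebp, esp"); i += 2
        elif code[i:i + 2] == b"\x83\xEC":
            asm.append(f"sub esp, 0x{code[i + 2]:x}"); i += 3
        elif code[i:i + 2] == b"\xC7\x45":                  # mov dword [ebp+disp8], imm32
            disp, imm = _s8(code[i + 2]), _u32(code, i + 3)
            frame[disp] = imm
            asm.append(f"mov dword [ebp{disp:+#x}], 0x{imm:08x}"); i += 7
        elif code[i:i + 3] == b"\xC7\x44\x24":              # mov dword [esp+disp8], imm32
            disp, imm = _s8(code[i + 3]), _u32(code, i + 4)
            stack[disp] = imm
            asm.append(f"mov dword [esp{disp:+#x}], 0x{imm:08x}"); i += 8
        elif code[i:i + 3] == b"\xC7\x04\x24":              # mov dword [esp], imm32
            imm = _u32(code, i + 3)
            stack[0] = imm
            asm.append(f"mov dword [esp], 0x{imm:08x}"); i += 7
        elif code[i:i + 2] == b"\x8B\x45":                  # mov eax, [ebp+disp8]
            disp = _s8(code[i + 2])
            eax = frame.get(disp)
            asm.append(f"mov eax, [ebp{disp:+#x}]"); i += 3
        elif code[i:i + 2] == b"\xFF\xD0":                  # call eax
            call_target = eax
            asm.append("call eax"); i += 2
        elif b == 0xC9:
            asm.append("leave"); i += 1
        elif b == 0xC3:
            asm.append("ret"); i += 1
        else:
            raise ValueError(f"unsupported opcode 0x{b:02x} at offset {i}")
    return {
        "asm": asm,
        "call_target": call_target,
        # [esp], [esp+4], ... are arg0, arg1, ... for the callee
        "args": [stack[k] for k in sorted(stack)],
        # leave/ret restores the caller's frame, which is why the Print after
        # Exec() in the post still works when the call itself succeeds
        "stack_balanced": asm[-2:] == ["leave", "ret"],
    }


if __name__ == "__main__":
    for name, blob in (("SP2", SHELLCODE_SP2), ("SP1", SHELLCODE_SP1)):
        r = analyze(blob)
        print(f"--- {name} ({len(blob)} bytes) ---")
        print("\n".join(r["asm"]))
        print(f"call target 0x{r['call_target']:08x}, args {r['args']} "
              f"(frequency {r['args'][0]} Hz, duration {r['args'][1]} ms)")
```

Running it shows the two variants are identical except for the hardcoded call address, which is why the stub is tied to one exact kernel32.dll build; there is no lookup, so a different service pack sends `call eax` into unrelated memory. It also shows that nothing in the bytes makes the heap page executable: on a system where DEP is enforced for the process, memory from MemAlloc is data-only and the jump into it faults, which matches the "Unhandled Memory Exception" reported in the comments below rather than a beep.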

Comments :


Azathoth(Posted 1+ years ago)

I get an Unhandled Memory Exception with and without debug mode. Edit: I tried the SP1 code and it doesn't give an Exception but no sound.


spacerat(Posted 1+ years ago)

Same thing happened to me. (same as Azathoth, that is) and I also have SP2