The code performs a call/pop at ❶ to obtain the address of the function hashes located at 0x4071bb. Remember that all of the code listings that follow show disassembly of the decoded bytes, so viewing the payload prior to letting the decode loop run will show different values than those in the listings.

The shellcode resolves these hashes using findKernel32Base and findSymbolByHash, as described earlier. It loads the next DWORD containing a symbol hash at ❶, calls findSymbolByHash, and stores the result back to the same location at ❷. This turns the array of hash values into a function pointer array.

The shellcode then pushes the string "ws2_32" onto the stack as DWORD values at ❶. The current ESP is passed as the argument to LoadLibraryA at ❷ to load the ws2_32.dll library. This is a common trick to form short strings the shellcode needs while it executes. The shellcode then proceeds to process the three remaining hash values that reside in ws2_32.dll at ❸.

The shellcode calls WSAStartup at ❷ to initialize the library before any other networking function calls are made. It then calls WSASocketA at ❸ to create a TCP socket. It relies on the value in EAX being 0 and increments it to form the correct arguments to WSASocketA: the type value is 1 (SOCK_STREAM), and the af value is 2 (AF_INET).

The shellcode builds a struct sockaddr_in on the stack by pushing two DWORD values. The first, at ❶, is the value 2C8A8C0h. This is the network-byte-order value of the IP address the shellcode will connect to: 192.168.200.2. The value at ❷ is 12340002h, which packs the sin_family (2: AF_INET) and sin_port values: 13330 (0x3412) in network byte order. This sockaddr_in is passed to the call to connect at ❸. Storing the IP address and port this way is extremely compact and makes static analysis much more difficult when trying to identify network hosts.

The shellcode stores the string "cmd" (as "cmd\x00") on the stack with a simple push at ❶, and then saves the current ESP as a pointer for later use. The shellcode then prepares to call CreateProcessA. Most of the arguments are 0 (the contents of ECX), but note that at ❻, bInheritHandles is 1, indicating that file handles opened by the shellcode will be available to the child process.

You can test connections to the control server by running Netcat on a host with the IP address 192.168.200.2 with this command:
nc -l -p 13330
Once Netcat is running, run Lab19-02.exe on another system. If you have set up networking correctly, the victim machine will connect to 192.168.200.2, and Netcat will show the Windows command-line banner. You can enter commands there as if you were sitting at the victim’s system.
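The packed sockaddr_in and the DWORD-push strings described above can be decoded mechanically during static analysis instead of by hand. The following Python helper is an added example, not code from the book or the lab; the ws2_32 and cmd immediates it feeds in are constructed to match the strings named in the text, not copied from the listings.

```python
"""Decode immediates that shellcode PUSHes to build strings and a sockaddr_in on the stack."""
import socket
import struct


def stack_bytes(pushes):
    """Reconstruct the memory ESP points to after a series of PUSH imm32.

    `pushes` lists the immediates in execution order. The last value pushed
    sits at the lowest address (ESP), so the order is reversed before packing
    each DWORD little-endian.
    """
    return b"".join(struct.pack("<I", v) for v in reversed(pushes))


def stack_string(pushes):
    """ASCII string formed by PUSHing DWORDs (the "ws2_32" / "cmd" trick)."""
    return stack_bytes(pushes).split(b"\x00", 1)[0].decode("ascii")


def decode_sockaddr_in(pushes):
    """Parse the sockaddr_in built by two PUSHes: sin_addr first, then the
    DWORD holding sin_family and sin_port, leaving ESP pointing at the struct."""
    mem = stack_bytes(pushes)
    family = struct.unpack_from("<H", mem, 0)[0]   # host order; 2 = AF_INET
    port = struct.unpack_from(">H", mem, 2)[0]     # sin_port is network byte order
    ip = socket.inet_ntoa(mem[4:8])                # sin_addr bytes already in network order
    return {"family": family, "port": port, "ip": ip}


if __name__ == "__main__":
    # Immediates from the sockaddr_in listing: push 2C8A8C0h, then push 12340002h
    print(decode_sockaddr_in([0x02C8A8C0, 0x12340002]))  # 192.168.200.2:13330, AF_INET
    # Constructed immediates (assumed, not quoted from the page) that spell
    # "32\0\0" then "ws2_" so that ESP points at "ws2_32\0"
    print(stack_string([0x3233, 0x5F327377]))
    # Constructed immediate spelling "cmd\0"
    print(stack_string([0x00646D63]))
```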