{"id":1640,"date":"2019-06-01T09:40:18","date_gmt":"2019-06-01T16:40:18","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1640"},"modified":"2019-06-30T21:01:44","modified_gmt":"2019-07-01T04:01:44","slug":"expiring-shellcode-update","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2019\/06\/expiring-shellcode-update\/","title":{"rendered":"Expiring Shellcode update"},"content":{"rendered":"

Howdy dudey!<\/p>\n

I’m back with an update. A quickey mind you, but I’m out here posting real UPDATES for once.<\/p>\n

The Metasploit Framework expiration of shellcode commit that was never taken into master had me thinking – how come I never made POC code for Windows?
\nWhy the fuck not right?<\/p>\n

Well, let’s fucking do it!
\n<\/p>\n

\n
.486<\/span>\n.model<\/span> flat<\/span>, stdcall<\/span>\noption<\/span> casemap<\/span> :none<\/span>\ninclude<\/span> \\<\/span>masm32<\/span>\\<\/span>include<\/span>\\<\/span>windows.inc<\/span>\ninclude<\/span> \\<\/span>masm32<\/span>\\<\/span>include<\/span>\\<\/span>kernel32.inc<\/span>\nincludelib<\/span> \\<\/span>masm32<\/span>\\<\/span>lib<\/span>\\<\/span>kernel32.lib<\/span>\n.code<\/span>\nstart:\npush<\/span>    ebp<\/span>\nmov<\/span>     ebp<\/span>, esp<\/span>\nxor<\/span> eax<\/span>,eax<\/span>\npush<\/span> 40h<\/span>     ; PAGE_EXECUTE_READWRITE<\/span>\nmov<\/span> ax<\/span>,4095<\/span>d<\/span> ; FFF in hex, masm bug?<\/span>\ninc<\/span> ax<\/span> ; <\/span>\npush<\/span> eax<\/span> ; MEM_COMMIT 0x00001000<\/span>\npush<\/span> 10h<\/span> ; 16 bytes needed<\/span>\nxor<\/span> eax<\/span>,eax<\/span>\npush<\/span> eax<\/span> ; NULL as we dont care where the allocation is.<\/span>\ncall<\/span> VirtualAlloc<\/span>; VirtualAlloc<\/span>\nmov<\/span> eax<\/span>,ebx<\/span>      ; VVVVV<\/span>\npush<\/span>    eax<\/span> ; ( NULL,dwLength,MEM_COMMIT,PAGE_EXECUTE_READWRITE);     <\/span>\ncall<\/span> GetLocalTime<\/span> ; GetLocalTime with chunk from VirtualAlloc<\/span>\nxor<\/span> ecx<\/span>,ecx<\/span>\nmov<\/span>     cl<\/span>, 6h<\/span> ; MONTH converted to hex (june)<\/span>\ncmp<\/span>     cx<\/span>, [ebx<\/span>+2<\/span>]\njnz<\/span>     short<\/span> exitpart<\/span>\nmov<\/span>     cx<\/span>, 7e3h<\/span> ; YEAR converted to hex (2019)<\/span>\ncmp<\/span>     cx<\/span>, [ebx<\/span>]\njz<\/span>      short<\/span> wegood<\/span>\nexitpart:\n; FAILED date check, exit gracefully<\/span>\nxor<\/span> ebx<\/span>,ebx<\/span>\npush<\/span> ebx<\/span>\ncall<\/span> ExitProcess<\/span> \nwegood:\n; passed checks, can start shellcode now<\/span>\nnop<\/span>\nfnop<\/span>\n; shellcode start<\/span>\nend<\/span> start<\/span>\n<\/pre>\n<\/div>\n
How does it work?
\n\"\"<\/a><\/p>\n
I have a simple list of what’s happening:<\/p>\n
    \n
  1. \nSetup the stack with the required parameters for VirtualAlloc<\/a>. Store the memory block’s address in EBX as it will be lost in EAX after the call to GetLocalTime<\/a>.<\/li>\n
  2. \nPush our returned memory block for use with our function which takes a single argument – a pointer to a SYSTEMTIME<\/a> structure to receive the current local date and time. It’s 16 bytes in size.<\/li>\n
  3. \nStore the value of the selected month in the ‘cl’ register. We use 8 bit registers when the value is tiny to avoid null bytes and save precious space.<\/li>\n
  4. \nWe then compare this MONTH value with the address of the memory location we passed to GetLocalTime, plus 2 bytes forward to get to the place of the MONTH in ‘SYSTEMTIME’.<\/li>\n
  5. \nIf we’re not in the right month, we exit gracefully, if we’re in the right month, then we continue by moving the value of the current YEAR into the CX register (16 bits).<\/li>\n
  6. \nWe compare again the value of the chosen YEAR with the address of the memory location we passed to GetLocalTime as ‘SYSTEMTIME’ starts with the YEAR<\/li>\n
  7. \nIf satisfied, we jump to our shellcode start. If not, we exit gracefully.<\/li>\n<\/ol>\n
    Hope that was easy enough of an explanation. Coded to avoid null bytes, except for calling functions, but you can piece that shit together yourself. Or just use my earlier blog post<\/a> as a skeleton template wherein we derive the functions from the Process Environment and Thread Environment Block(s) to search for function names.<\/p>\n
    More to come soon, I swear.<\/p>\n
    Stay tuned!
    \n    \"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Howdy dudey! I’m back with an update. A quickey mind you, but I’m out here posting real UPDATES for once. The Metasploit Framework expiration of shellcode commit that was never taken into master had me thinking – how come I never made POC code for Windows? Why the fuck not right? Well, let’s fucking do […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6],"tags":[119],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1640"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1640"}],"version-history":[{"count":9,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1640\/revisions"}],"predecessor-version":[{"id":1648,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1640\/revisions\/1648"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1640"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1640"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1640"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}