Comments on: Shellcode

By: x64 Windows Shellcode « Didier Stevens

x64 Windows Shellcode « Didier Stevens — Thu, 02 Feb 2012 20:00:49 +0000

[...] can get the code from my shellcode page. Look for filenames starting with sc-x64 in the zip file. Like this:LikeBe the first to like this [...]

By: simple-shellcode-generator.py « Didier Stevens

simple-shellcode-generator.py « Didier Stevens — Fri, 23 Sep 2011 09:04:45 +0000

[...] This shellcode uses the library sc-api-functions.asm you can find in my shellcode repository. [...]

By: [0x0027]Exploit writing tutorial part 9 : Introduction to Win32 shellcoding « Eohnik.c

Sun, 05 Sep 2010 12:28:10 +0000

[...] Didier Stevens [...]

By: Writing WIN32 Shellcode With a C-compiler « Didier Stevens

Writing WIN32 Shellcode With a C-compiler « Didier Stevens — Tue, 04 May 2010 10:17:24 +0000

[...] template can be found here. Leave a [...]

By: Exploit writing tutorial part 9 : Introduction to Win32 shellcoding | Peter Van Eeckhoutte's Blog

Thu, 25 Feb 2010 16:24:30 +0000

[...] Didier Stevens [...]

By: MemoryLoadLibrary: From C Program to Shellcode « Didier Stevens

MemoryLoadLibrary: From C Program to Shellcode « Didier Stevens — Tue, 16 Feb 2010 00:41:40 +0000

[...] MemoryLoadLibrary: From C Program to Shellcode Filed under: Hacking, My Software, Shellcode — Didier Stevens @ 0:40 The DLL-loading shellcode I used in my cmd.xls spreadsheet was generated with a method I worked out to generate WIN32 shellcode with a C-compiler. You can find it on my new Shellcode page. [...]

By: Didier Stevens

Didier Stevens — Sun, 14 Feb 2010 20:55:13 +0000

@Ron Yep, even with an egress firewall, it must perform a DNS lookup first, which you can catch. Unless the server has only access to an internal DNS that doesn’t forward queries to the outside world.

By: Ron

Ron — Sun, 14 Feb 2010 20:50:20 +0000

The problem with URLDownloadToFileA, initially, is that it’ll typically be stopped by an egress firewall.

That being said, I think you’re on to something — I can use the URLDownloadToFileA shellcode with my domain as the URL, but return NXDOMAIN when it tries to download the code. The download will fail, and it’ll never attempt a HTTP connection anywhere, but I will be alerted that it attempted to do so.

By: Didier Stevens

Didier Stevens — Sun, 14 Feb 2010 20:46:04 +0000

OK, now I understand. Yes, a ping would work to, but requires your shellcode to spawn a new process (the ping program).
You could just use that ubiquitous shellcode that downloads a file with URLDownloadToFileA and then executes it with WinExec.
You don’t need to execute the file, just download it from your website and monitor your logs. You can even use an empty file, but do host a file, otherwise, if you don’t host the file, URLDownloadToFileA will take long to execute (it will wait to timeout).

By: Ron

Ron — Sun, 14 Feb 2010 20:12:05 +0000

I think I was writing that too soon after waking up.

My thought is this: I see a vulnerable service on a remote box (say, NTP). I want to verify that it’s vulnerable without worrying about it having an ingress/egress firewall. So, I throw some shellcode with a domain name hardcoded into it that simply does gethostbyname(“xxx”), and I watch my dns server to see if the request gets made.

Now that I think more, it’d probably be easier to just use an exec-style shellcode to run “ping xxx” instead of having special shellcode to do it.

Does that make sense?