Can't Overflow The Buffer For Shell Coding

Time:10-23

I have this shellcode which is supposed to open a MessageBox. It works when testing it with https://github.com/NytroRST/ShellcodeCompiler; however, when I create a new console application using C and try to compile this:

#include <stdio.h>
#include <Windows.h>

/* 32-bit x86 MessageBoxA shellcode as emitted by ShellcodeCompiler: walks the
   PEB to find kernel32, resolves GetProcAddress by scanning the export names,
   then calls LoadLibraryA("user32.dll"), MessageBoxA and ExitProcess. */
unsigned char rc[] =
    /* PEB -> loader module list -> kernel32 base in ebx, export directory in edx */
    "\x31\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B\x58\x10"
    "\x8B\x53\x3C\x01\xDA\x8B\x52\x78\x01\xDA\x8B\x72\x20\x01\xDE\x31\xC9"
    /* scan the export name table for "GetProcAddress" */
    "\x41\xAD\x01\xD8\x81\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F\x63\x41"
    "\x75\xEB\x81\x78\x08\x64\x64\x72\x65\x75\xE2\x8B\x72\x24\x01\xDE\x66\x8B\x0C\x4E"
    "\x49\x8B\x72\x1C\x01\xDE\x8B\x14\x8E\x01\xDA\x31\xC9"
    /* GetProcAddress(kernel32, "LoadLibraryA") */
    "\x53\x52\x51\x68\x61\x72\x79\x41\x68\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\x53"
    "\xFF\xD2\x83\xC4\x0C\x59\x50"
    /* LoadLibraryA("user32.dll") */
    "\x31\xC0\x66\xB8\x6C\x6C\x50\x68\x33\x32\x2E\x64\x68\x75\x73\x65\x72\x54"
    "\xFF\x54\x24\x10\x83\xC4\x0C\x50"
    /* GetProcAddress(user32, "MessageBoxA") */
    "\x31\xC0\xB8\x6F\x78\x41\x23\x50\x83\x6C\x24\x03\x23\x68\x61\x67\x65\x42"
    "\x68\x4D\x65\x73\x73\x54\xFF\x74\x24\x10\xFF\x54\x24\x1C\x83\xC4\x0C\x50"
    /* GetProcAddress(kernel32, "ExitProcess") */
    "\x31\xC0\xB8\x65\x73\x73\x23\x50\x83\x6C\x24\x03\x23\x68\x50\x72\x6F\x63"
    "\x68\x45\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54\x24\x20\x83\xC4\x0C\x50"
    /* MessageBoxA(0, "Hey How Are You", "Test", 0), then ExitProcess(0) */
    "\x31\xC0\xB8\x59\x6F\x75\x23\x50\x83\x6C\x24\x03\x23\x68\x41\x72\x65\x20"
    "\x68\x48\x6F\x77\x20\x68\x48\x65\x79\x20\x54\x31\xC0\x50\x68\x54\x65\x73\x74\x54"
    "\x31\xC0\x50\xFF\x74\x24\x04\xFF\x74\x24\x14\x31\xC0\x50\xFF\x54\x24\x34"
    "\x83\xC4\x20\x31\xC0\x50\xFF\x54\x24\x04\x6e";

int main() {
    /* rc lives in a read-write data section, so jumping into it faults */
    (*(void(*)()) rc)();
}

It always throws an access violation exception after running it. I can get rid of this exception if I change the memory protections at the location of the shellcode's injection, but it still does not display the MessageBox. I am certain the shellcode works because the link above has a program that tests the shellcode and it works flawlessly. The only difference in their exploitation approach is that they are using C to do it and I'm using C.

CodePudding user response:

Because you are trying to call the address of rc, whose memory protection is PAGE_READWRITE; hence the access violation error.

You will have to allocate a buffer and set the protection to PAGE_EXECUTE_READ in order for it to work.

Helper function:

#include <windows.h>
#include <cstring>
#include <stdexcept>

// Allocate a fresh read-write buffer, copy the bytes in, then flip the page to
// execute-read: the memory is never writable and executable at the same time.
void* AllocFunction(const void* rawData, const size_t size)
{
    void* pFunction = VirtualAlloc(nullptr, size, MEM_COMMIT, PAGE_READWRITE);
    if (pFunction == nullptr) throw std::runtime_error("VirtualAlloc failed");

    memcpy(pFunction, rawData, size);

    DWORD dwOldProtect;
    if (!VirtualProtect(pFunction, size, PAGE_EXECUTE_READ, &dwOldProtect))
        throw std::runtime_error("VirtualProtect failed");

    return pFunction;
}

Usage:

// C++ will not convert void* to a function pointer directly, so the
// assignment goes through a void** view of the pointer variable.
void (*lpFunction)() = nullptr;
*(void**)&lpFunction = AllocFunction(rc, sizeof(rc));

lpFunction();
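
The allocate, copy, then flip pattern from the answer above, written out as an added example (it is not code from the question, the answer, or the ShellcodeCompiler project). The page stays read-write only while the bytes are copied in and becomes read-execute before anything jumps to it, so no page is ever writable and executable at once. It uses VirtualAlloc/VirtualProtect on Windows and mmap/mprotect elsewhere; the function names are the example's own, and the tiny "return 42" stub is a constructed stand-in so the example can prove the page executes without shipping real shellcode:

```c
#ifndef _WIN32
#define _DEFAULT_SOURCE
#endif
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#endif

/* Constructed stub: "return 42" in native machine code for the test build. */
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
static const unsigned char kStub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#define NO_STUB 1
static const unsigned char kStub[] = { 0 };
#endif

/* Allocate a fresh page, copy `len` bytes in while it is read-write,
   then change it to read-execute. Returns NULL on any failure. */
static void *alloc_exec_copy(const void *code, size_t len)
{
#ifdef _WIN32
    void *p = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (p == NULL) return NULL;
    memcpy(p, code, len);
    DWORD old;
    if (!VirtualProtect(p, len, PAGE_EXECUTE_READ, &old)) {
        VirtualFree(p, 0, MEM_RELEASE);
        return NULL;
    }
    FlushInstructionCache(GetCurrentProcess(), p, len);
    return p;
#else
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memcpy(p, code, len);
    if (mprotect(p, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(p, len);
        return NULL;
    }
    /* Required on architectures with split caches (no-op on x86). */
    __builtin___clear_cache((char *)p, (char *)p + len);
    return p;
#endif
}

static void free_exec(void *p, size_t len)
{
#ifdef _WIN32
    (void)len;
    VirtualFree(p, 0, MEM_RELEASE);
#else
    munmap(p, len);
#endif
}

/* Push the stub through the pattern and call it.
   Returns 42 on success, -1 if the platform is unsupported or allocation failed. */
int run_stub_in_exec_page(void)
{
#ifdef NO_STUB
    return -1;
#else
    void *p = alloc_exec_copy(kStub, sizeof kStub);
    if (p == NULL) return -1;
    int (*fn)(void);
    memcpy(&fn, &p, sizeof fn);   /* object pointer -> function pointer without a UB cast */
    int r = fn();
    free_exec(p, sizeof kStub);
    return r;
#endif
}

int main(void)
{
    printf("stub returned %d\n", run_stub_in_exec_page());
    return 0;
}
```

The difference from the second answer's approach is the final protection: PAGE_EXECUTE_READ (or PROT_READ | PROT_EXEC) instead of PAGE_EXECUTE_READWRITE, which keeps the executable copy immutable once it is live.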

CodePudding user response:

Use VirtualProtect:

DWORD oldProt = 0;
// The second argument is the size of the region, not the buffer pointer again.
// PAGE_EXECUTE_READWRITE makes the array both writable and executable.
if (!VirtualProtect(rc, sizeof(rc), PAGE_EXECUTE_READWRITE, &oldProt)) {
    /* check GetLastError() */
}