
Shellcode MessageBox in AutoIt + UDF.

AvengerPL

Simple MessageBox in AutoIt.

#cs
===========================================================================================
Description ..... Execute MessageBox via shellcode.
Shellcode size .. 51 bytes
Author .......... Avenger
===========================================================================================
-------------------------------------------------------------------------------------------
push 0x0020206f         ; "o  \0"  } caption "Hello" built on the stack
push 0x6c6c6548         ; "Hell"   }
mov ebx, esp            ; ebx -> "Hello"
push 0x0020786f         ; "ox \0"  } text "MessageBox" built on the stack
push 0x42656761         ; "ageB"   }
push 0x7373654d         ; "Mess"   }
mov ecx, esp            ; ecx -> "MessageBox"
xor eax, eax
push eax                ; uType = 0
push ebx                ; lpCaption
push ecx                ; lpText
push eax                ; hWnd = 0
mov esi, 0x77d7050b     ; MessageBox: absolute address, valid only on the author's Windows build
call esi
xor eax, eax
mov eax, 0x7c81caa2     ; ExitProcess: absolute address, valid only on the author's Windows build
call eax
-------------------------------------------------------------------------------------------
#ce

; Raw x86 bytes of the assembly above, as an AutoIt binary string.
$SHELLCODE = "0x686F2020006848656C6C" & _
"89E3" & _
"686F7820006861676542684D657373" & _
"89E1" & _
"31C0" & _
"50" & _
"53" & _
"51" & _
"50" & _
"BE0B05D777" & _
"FFD6" & _
"31C0" & _
"B8A2CA817C" & _
"FFD0"

; The 51 bytes are copied into a plain heap struct (not memory allocated as executable).
$SHELLCODE_BUFFER = DllStructCreate("BYTE[51]")
$PUT_SHELLCODE_TO_BUFFER = DllStructSetData($SHELLCODE_BUFFER, 1, $SHELLCODE)
; CallWindowProc is used to transfer control to the buffer.
$SHELLCODE_EXECUTE = DllCall("user32.dll", "lresult", "CallWindowProc", "ptr", DllStructGetPtr($SHELLCODE_BUFFER))

UDF here: http://autoit.xaa.pl/download/file.php?id=522

Enjoy! :)


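Added here as an illustration (not part of AvengerPL's post or his UDF): a small Python decoder for the 51-byte blob above. It walks the handful of x86 opcodes the shellcode uses, rebuilds the two strings pushed onto the stack, and lists the absolute API addresses that are loaded into a register and then called; these are the MessageBox and ExitProcess addresses the replies below say must match the exact Windows build, which is why the script crashes anywhere else. SHELLCODE_HEX is the post's own hex string with the `&` pieces joined.

```python
import struct

# The 51-byte blob from the post above, with AutoIt's "&" concatenation already applied.
SHELLCODE_HEX = ("0x686F2020006848656C6C" "89E3" "686F7820006861676542684D657373" "89E1"
                 "31C0" "50" "53" "51" "50" "BE0B05D777" "FFD6" "31C0" "B8A2CA817C" "FFD0")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # x86 register encoding order

def disassemble(code):
    """Decode the small x86 subset the blob uses into (offset, mnemonic, operand) tuples."""
    out, i = [], 0
    while i < len(code):
        op, modrm = code[i], (code[i + 1] if i + 1 < len(code) else 0)
        rm, reg = REG32[modrm & 7], REG32[(modrm >> 3) & 7]
        if op == 0x68:                                    # push imm32
            out.append((i, "push", struct.unpack_from("<I", code, i + 1)[0])); i += 5
        elif 0x50 <= op <= 0x57:                          # push r32
            out.append((i, "push", REG32[op - 0x50])); i += 1
        elif 0xB8 <= op <= 0xBF:                          # mov r32, imm32
            out.append((i, "mov", (REG32[op - 0xB8], struct.unpack_from("<I", code, i + 1)[0]))); i += 5
        elif op in (0x89, 0x31) and modrm >= 0xC0:        # mov / xor r32, r32 (register-direct ModRM)
            out.append((i, "mov" if op == 0x89 else "xor", (rm, reg))); i += 2
        elif op == 0xFF and modrm & 0xF8 == 0xD0:         # call r32
            out.append((i, "call", rm)); i += 2
        else:
            raise ValueError("unsupported opcode 0x%02X at offset %d" % (op, i))
    return out

def hardcoded_api_addresses(insns):
    """Absolute addresses loaded with 'mov reg, imm32' and then called: they match only one Windows build."""
    loaded, targets = {}, []
    for _, mn, arg in insns:
        if mn == "mov" and isinstance(arg[1], int):
            loaded[arg[0]] = arg[1]
        elif mn == "call" and arg in loaded:
            targets.append(loaded[arg])
    return targets

def pushed_strings(insns):
    """Rebuild ASCII strings assembled on the stack by runs of 'push imm32' (last push ends up lowest)."""
    strings, run = [], []
    for _, mn, arg in insns + [(None, None, None)]:       # sentinel flushes the final run
        if mn == "push" and isinstance(arg, int):
            run.append(struct.pack("<I", arg))
        elif run:
            strings.append(b"".join(reversed(run)).split(b"\0")[0].decode("ascii").rstrip())
            run = []
    return strings

if __name__ == "__main__":
    insns = disassemble(bytes.fromhex(SHELLCODE_HEX[2:]))
    print(pushed_strings(insns), [hex(a) for a in hardcoded_api_addresses(insns)])
```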
FireFox

If this is a script to make AutoIt crash, then it's a good example :)

AvengerPL

The script crashes because you must change the MessageBox and ExitProcess addresses in the shellcode. :)

Shaggi

The script crashes because you must change the MessageBox and ExitProcess addresses in the shellcode. :)

Why call ExitProcess from the asm? AutoIt has to free its own resources first. Also, you can use DllCallAddress instead of CallWindowProc.

AvengerPL

Why call ExitProcess from the asm? AutoIt has to free its own resources first. Also, you can use DllCallAddress instead of CallWindowProc.

 

ExitProcess shellcode should be performed. Yes, you're right. DllCallAddress can also be used.

guinness

Have you applied the necessary fixes as stated above?

AvengerPL

Have you applied the necessary fixes as stated above?

 

No, because I think it is a good example.

guinness

No, because I think it is a good example.

I think you need to re-read the constructive comments again, AvengerPL.

AvengerPL

I think you need to re-read the constructive comments again, AvengerPL.

 

I'm sorry, but my English is not good because I'm from Poland and I use Google Translate to translate your answers :-)

Could you simply write what you mean?

Shaggi

ExitProcess shellcode should be performed. Yes, you're right. DllCallAddress can also be used.

 

What if... you wanted to continue the program after the messagebox? :)

A more interesting case where this is useful is if you create a thread on the assembly instead.

wakillon

No, because I think it is a good example.

 

If it's a good example, why does the _GetTickCount function always return 0, and why do I get an APPCRASH for autoit3.exe with the next function? :huh2:

AvengerPL

If it's a good example, why does the _GetTickCount function always return 0, and why do I get an APPCRASH for autoit3.exe with the next function? :huh2:

 

For me everything is working properly.

#include <ShellcodeFunctions.au3>
MsgBox(64, "TickCount", _GetTickCount())
MsgBox(64, "ACP", _GetACP())

Danyfirex

Your code is going to crash.

Try something like this:

#include <winapi.au3>
#include <Memory.au3>

; Allocate an executable (RWX) page for the code instead of a plain DllStruct on the heap.
$pRemoteCode = _MemVirtualAlloc(0, 512, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
$CodeBuffer = DllStructCreate("byte[512]", $pRemoteCode)
; Resolve MessageBoxW at run time instead of hard-coding an address for one Windows build.
$MessageBoxAddress = DllCall("Kernel32.dll", "ptr", "GetProcAddress", "ptr", _WinAPI_GetModuleHandle("user32.dll"), "str", "MessageBoxW")
$MessageBoxAddress = $MessageBoxAddress[0]

$texto = "hola Mundo"
$titulo = "Titulo"

; Wide-char buffers for the text and caption; their addresses are embedded in the opcodes below.
Local $tDataBuffer = DllStructCreate("wchar texto[" & StringLen($texto) + 1 & "]")
Local $tDataBuffer2 = DllStructCreate("wchar titulo[" & StringLen($titulo) + 1 & "]")
DllStructSetData($tDataBuffer, "texto", $texto)
DllStructSetData($tDataBuffer2, "titulo", $titulo)

; MessageBoxW(0, texto, titulo, 2) as x86 opcodes; stdcall arguments are pushed right to left.
; 32-bit AutoIt only: "push imm32" needs 4-byte pointers.
Local $Opcode
$Opcode &= "0x"
$Opcode &= "68" & SwapEndian(2)                                 ; push 2 (uType)
$Opcode &= "68" & SwapEndian(DllStructGetPtr($tDataBuffer2, 1)) ; push lpCaption
$Opcode &= "68" & SwapEndian(DllStructGetPtr($tDataBuffer, 1))  ; push lpText
$Opcode &= "68" & SwapEndian(0)                                 ; push hWnd = 0
$Opcode &= "B8" & SwapEndian($MessageBoxAddress)                ; mov eax, MessageBoxW
$Opcode &= "FFD0"                                               ; call eax
$Opcode &= "C3"                                                 ; ret (MessageBoxW cleans up its own arguments)

DllStructSetData($CodeBuffer, 1, $Opcode)

;Local $Ret = DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($CodeBuffer), "int", 0, "int", 0, "int", 0, "int", 0)

Local $Ret = DllCallAddress("int", DllStructGetPtr($CodeBuffer))
ConsoleWrite(@CRLF & $Ret[0] & @CRLF)

MsgBox(0, "", "Normal Msgbox")

; Little-endian hex of a 32-bit value, as the immediate operands above need it.
Func SwapEndian($hex)
    Return Hex(Binary($hex))
EndFunc   ;==>SwapEndian

If you want only opcodes, the code should be generated dynamically.

Regards

Shaggi

Yeee, that's how I like it (have I seen that code before?)

:P

Danyfirex

Yeee, that's how I like it (have I seen that code before?)

:P

Sure. :thumbsup:

Maybe he should see your good MsgBox thread script.

Regards
