
Shellcode MessageBox in AutoIt + UDF.



Simple MessageBox in AutoIt.

#cs
===========================================================================================
Description ..... Execute MessageBox via shellcode.
Shellcode size .. 51 bytes
Author .......... Avenger
===========================================================================================
-------------------------------------------------------------------------------------------
push 0x0020206f        ; "o  \0"  (pushed first, so it ends up highest in memory)
push 0x6c6c6548        ; "Hell"   -> esp now points at "Hello  \0"
mov ebx, esp           ; ebx = "Hello  "
push 0x0020786f        ; "ox \0"
push 0x42656761        ; "ageB"
push 0x7373654d        ; "Mess"   -> esp now points at "MessageBox \0"
mov ecx, esp           ; ecx = "MessageBox "
xor eax, eax
push eax               ; uType     = 0 (MB_OK)
push ebx               ; lpCaption = "Hello  "
push ecx               ; lpText    = "MessageBox "
push eax               ; hWnd      = NULL
mov esi, 0x77d7050b    ; hard-coded address of MessageBoxA (ANSI strings); only valid for
                       ; the user32.dll build it was taken from, crashes on any other
call esi
xor eax, eax
mov eax, 0x7c81caa2    ; hard-coded address of ExitProcess; no exit code is pushed, and
call eax               ; the host process (autoit3.exe) is terminated here, control never returns
-------------------------------------------------------------------------------------------
#ce

$SHELLCODE = "0x686F2020006848656C6C" & _
"89E3" & _
"686F7820006861676542684D657373" & _
"89E1" & _
"31C0" & _
"50" & _
"53" & _
"51" & _
"50" & _
"BE0B05D777" & _
"FFD6" & _
"31C0" & _
"B8A2CA817C" & _
"FFD0"

#include <Memory.au3>

; 32-bit x86 shellcode: run this with the 32-bit AutoIt interpreter.
; A plain DllStruct lives in non-executable heap memory (DEP), so place the bytes
; in a page allocated with PAGE_EXECUTE_READWRITE instead.
$SHELLCODE_MEMORY = _MemVirtualAlloc(0, 51, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
$SHELLCODE_BUFFER = DllStructCreate("BYTE[51]", $SHELLCODE_MEMORY)
$PUT_SHELLCODE_TO_BUFFER = DllStructSetData($SHELLCODE_BUFFER, 1, $SHELLCODE)
; CallWindowProc takes five parameters (lpPrevWndFunc, hWnd, Msg, wParam, lParam);
; the last four are ignored by this shellcode. The call never returns, because the
; shellcode ends in ExitProcess, so nothing after this line (including freeing the page) runs.
$SHELLCODE_EXECUTE = DllCall("user32.dll", "lresult", "CallWindowProc", "ptr", DllStructGetPtr($SHELLCODE_BUFFER), "hwnd", 0, "uint", 0, "wparam", 0, "lparam", 0)

UDF here: http://autoit.xaa.pl/download/file.php?id=522

Enjoy! :)

Have you lost a password for a PDF document? Use Metacrack and unlock the PDF for free.


Why call ExitProcess from the asm? AutoIt has to free its own resources first. Also, you can use DllCallAddress instead of CallWindowProc.

 

ExitProcess shellcode should be performed. Yes, you're right. DllCallAddress can also be used.


Have you applied the necessary fixes as stated above?

UDF List:

 
_AdapterConnections()_AlwaysRun()_AppMon()_AppMonEx()_ArrayFilter/_ArrayReduce_BinaryBin()_CheckMsgBox()_CmdLineRaw()_ContextMenu()_ConvertLHWebColor()/_ConvertSHWebColor()_DesktopDimensions()_DisplayPassword()_DotNet_Load()/_DotNet_Unload()_Fibonacci()_FileCompare()_FileCompareContents()_FileNameByHandle()_FilePrefix/SRE()_FindInFile()_GetBackgroundColor()/_SetBackgroundColor()_GetConrolID()_GetCtrlClass()_GetDirectoryFormat()_GetDriveMediaType()_GetFilename()/_GetFilenameExt()_GetHardwareID()_GetIP()_GetIP_Country()_GetOSLanguage()_GetSavedSource()_GetStringSize()_GetSystemPaths()_GetURLImage()_GIFImage()_GoogleWeather()_GUICtrlCreateGroup()_GUICtrlListBox_CreateArray()_GUICtrlListView_CreateArray()_GUICtrlListView_SaveCSV()_GUICtrlListView_SaveHTML()_GUICtrlListView_SaveTxt()_GUICtrlListView_SaveXML()_GUICtrlMenu_Recent()_GUICtrlMenu_SetItemImage()_GUICtrlTreeView_CreateArray()_GUIDisable()_GUIImageList_SetIconFromHandle()_GUIRegisterMsg()_GUISetIcon()_Icon_Clear()/_Icon_Set()_IdleTime()_InetGet()_InetGetGUI()_InetGetProgress()_IPDetails()_IsFileOlder()_IsGUID()_IsHex()_IsPalindrome()_IsRegKey()_IsStringRegExp()_IsSystemDrive()_IsUPX()_IsValidType()_IsWebColor()_Language()_Log()_MicrosoftInternetConnectivity()_MSDNDataType()_PathFull/GetRelative/Split()_PathSplitEx()_PrintFromArray()_ProgressSetMarquee()_ReDim()_RockPaperScissors()/_RockPaperScissorsLizardSpock()_ScrollingCredits_SelfDelete()_SelfRename()_SelfUpdate()_SendTo()_ShellAll()_ShellFile()_ShellFolder()_SingletonHWID()_SingletonPID()_Startup()_StringCompact()_StringIsValid()_StringRegExpMetaCharacters()_StringReplaceWholeWord()_StringStripChars()_Temperature()_TrialPeriod()_UKToUSDate()/_USToUKDate()_WinAPI_Create_CTL_CODE()_WinAPI_CreateGUID()_WMIDateStringToDate()/_DateToWMIDateString()Au3 script parsingAutoIt SearchAutoIt3 PortableAutoIt3WrapperToPragmaAutoItWinGetTitle()/AutoItWinSetTitle()CodingDirToHTML5FileInstallrFileReadLastChars()GeoIP databaseGUI - Only Close ButtonGUI 
ExamplesGUICtrlDeleteImage()GUICtrlGetBkColor()GUICtrlGetStyle()GUIEventsGUIGetBkColor()Int_Parse() & Int_TryParse()IsISBN()LockFile()Mapping CtrlIDsOOP in AutoItParseHeadersToSciTE()PasswordValidPasteBinPosts Per DayPreExpandProtect GlobalsQueue()Resource UpdateResourcesExSciTE JumpSettings INISHELLHOOKShunting-YardSignature CreatorStack()Stopwatch()StringAddLF()/StringStripLF()StringEOLToCRLF()VSCROLLWM_COPYDATAMore Examples...

Updated: 22/04/2018


No, because I think it is a good example.

I think you need to re-read the constructive comments again, AvengerPL.


I think you need to re-read the constructive comments again, AvengerPL.

 

I'm sorry, but my English is not good because I'm from Poland and I use Google Translate to translate your answers :-)

Could you simply write what you mean?


ExitProcess shellcode should be performed. Yes, you're right. DllCallAddress can also be used.

 

What if... you wanted to continue the program after the MessageBox? :)

A more interesting case where this is useful is if you create a thread on the assembly instead.

Ever wanted to call functions in another process? ProcessCall UDFConsole stuff: Console UDFC Preprocessor for AutoIt OMG


If it's a good example, why does the _GetTickCount function always return 0, and with the next function I get an APPCRASH for autoit3.exe? :huh2:

 

For me everything is working properly.

#include <ShellcodeFunctions.au3>
MsgBox(64,"TickCount",_GetTickCount())
MsgBox(64,"ACP",_GetACP())


Your code is going to crash.

Try something like this:

#include <WinAPI.au3>
#include <Memory.au3>

; 32-bit x86 opcodes below: run this with the 32-bit AutoIt interpreter.
#AutoIt3Wrapper_UseX64=n

; Executable memory for the stub (a plain DllStruct is non-executable under DEP).
$pRemoteCode = _MemVirtualAlloc(0, 512, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE)
$CodeBuffer = DllStructCreate("byte[512]", $pRemoteCode)
; Resolve MessageBoxW at run time instead of hard-coding an address that only fits one Windows build.
$MessageBoxAddress = DllCall("Kernel32.dll", "ptr", "GetProcAddress", "ptr", _WinAPI_GetModuleHandle("user32.dll"), "str", "MessageBoxW")
$MessageBoxAddress = $MessageBoxAddress[0]

$texto = "hola Mundo"
$titulo = "Titulo"

; The strings live in their own structs; the stub only embeds their pointers.
Local $tDataBuffer = DllStructCreate("wchar texto[" & StringLen($texto) + 1 & "]")
Local $tDataBuffer2 = DllStructCreate("wchar titulo[" & StringLen($titulo) + 1 & "]")
DllStructSetData($tDataBuffer, "texto", $texto)
DllStructSetData($tDataBuffer2, "titulo", $titulo)

; MessageBoxW(hWnd, lpText, lpCaption, uType) is stdcall: push the arguments right to left,
; call through eax, then ret to the caller (the callee pops its own arguments).
Local $Opcode
$Opcode &= "0x"
$Opcode &= "68" & SwapEndian(2)                                  ; push uType (2 = MB_ABORTRETRYIGNORE)
$Opcode &= "68" & SwapEndian(DllStructGetPtr($tDataBuffer2, 1)) ; push lpCaption
$Opcode &= "68" & SwapEndian(DllStructGetPtr($tDataBuffer, 1))  ; push lpText
$Opcode &= "68" & SwapEndian(0)                                  ; push hWnd = NULL
$Opcode &= "B8" & SwapEndian($MessageBoxAddress)                 ; mov eax, MessageBoxW
$Opcode &= "FFD0"                                                ; call eax
$Opcode &= "C3"                                                  ; ret

DllStructSetData($CodeBuffer, 1, $Opcode)

; CallWindowProc works too, but DllCallAddress needs no dummy window-procedure parameters:
;Local $Ret = DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($CodeBuffer), "int", 0, "int", 0, "int", 0, "int", 0)

Local $Ret = DllCallAddress("int", DllStructGetPtr($CodeBuffer))
ConsoleWrite(@CRLF & $Ret[0] & @CRLF) ; MessageBoxW's return value (the button pressed)

MsgBox(0, "", "Normal Msgbox") ; the script keeps running after the shellcode

_MemVirtualFree($pRemoteCode, 0, $MEM_RELEASE)

; Little-endian imm32 encoding of an integer or pointer, as a hex string.
Func SwapEndian($hex)
    Return Hex(Binary($hex))
EndFunc   ;==>SwapEndian

If you only want the opcodes, they should be generated dynamically.

Regards

Edited by Danyfirex
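A worked example, added here and not taken from any post in this thread: a small Python tool (Python rather than AutoIt so it runs on any platform and needs no 32-bit Windows interpreter) that decodes the first post's 51 bytes, recovers the two stack-built strings and the two hard-coded addresses that tie the blob to one Windows build, rewrites the ExitProcess tail into a `ret` so the caller regains control, and emits the dynamically addressed stub that Danyfirex's $Opcode builds. It never executes the bytes. The addresses 0x7654CAFE, 0x00201000 and 0x00202000 are placeholders; in AutoIt they would come from GetProcAddress and DllStructGetPtr.

```python
"""Decode, audit and patch the 32-bit MessageBox shellcode from this thread.

Added example, not code from any post; it never executes the bytes, only inspects
and rewrites them. Addresses 0x7654CAFE, 0x00201000 and 0x00202000 are placeholders
for values AutoIt would obtain at run time from GetProcAddress and DllStructGetPtr.
"""
import struct

# The 51 bytes from the first post, exactly as listed there.
ORIGINAL_SHELLCODE = bytes.fromhex(
    "686F2020006848656C6C" "89E3" "686F7820006861676542684D657373" "89E1"
    "31C0" "50" "53" "51" "50" "BE0B05D777" "FFD6" "31C0" "B8A2CA817C" "FFD0"
)
REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code):
    """Decode the small x86 subset these stubs use into (offset, mnemonic, operand).
    Anything outside that subset raises: the safe default when auditing foreign bytes."""
    insns, i = [], 0
    while i < len(code):
        op = code[i]
        if op == 0x68:                                     # push imm32
            insns.append((i, "push", struct.unpack_from("<I", code, i + 1)[0])); i += 5
        elif 0xB8 <= op <= 0xBF:                           # mov r32, imm32
            insns.append((i, "mov " + REG[op - 0xB8], struct.unpack_from("<I", code, i + 1)[0])); i += 5
        elif 0x50 <= op <= 0x57:                           # push r32
            insns.append((i, "push", REG[op - 0x50])); i += 1
        elif op == 0x89 and (code[i + 1] >> 3) == 0x1C:    # mov r32, esp (mod=11, reg=esp)
            insns.append((i, "mov " + REG[code[i + 1] & 7] + ", esp", None)); i += 2
        elif op == 0x31 and code[i + 1] == 0xC0:           # xor eax, eax
            insns.append((i, "xor eax, eax", None)); i += 2
        elif op == 0xFF and (code[i + 1] & 0xF8) == 0xD0:  # call r32
            insns.append((i, "call", REG[code[i + 1] & 7])); i += 2
        elif op == 0xC3:                                   # ret
            insns.append((i, "ret", None)); i += 1
        else:
            raise ValueError("unsupported opcode 0x%02x at offset %d" % (op, i))
    return insns


def stack_strings(insns):
    """Recover strings built by runs of push imm32 (the "Hello"/"MessageBox" trick);
    the last push of a run sits lowest in memory, so each run is joined reversed."""
    found, run = [], []
    for _, mnemonic, operand in insns + [(None, "end", None)]:
        if mnemonic == "push" and isinstance(operand, int):
            run.append(struct.pack("<I", operand))
            continue
        if run:
            found.append(b"".join(reversed(run)).split(b"\0", 1)[0].decode("ascii"))
            run = []
    return found


def absolute_addresses(insns):
    """Absolute addresses loaded with mov r32, imm32 and then called: they tie the
    blob to one Windows build, which is why it crashes on any other."""
    loaded, called = {}, []
    for _, mnemonic, operand in insns:
        if mnemonic.startswith("mov ") and isinstance(operand, int):
            loaded[mnemonic.split()[1]] = operand
        elif mnemonic == "call" and operand in loaded:
            called.append(loaded[operand])
    return called


def make_returning(code):
    """Cut after the first call and end with ret, dropping the ExitProcess tail so the
    caller (DllCallAddress/CallWindowProc) gets control back with MessageBox's result in eax."""
    first_call = next(off for off, mnemonic, _ in decode(code) if mnemonic == "call")
    return code[:first_call + 2] + b"\xC3"


def retarget(code, old_addr, new_addr):
    """Swap one embedded absolute address for one resolved at run time."""
    old = struct.pack("<I", old_addr)
    if code.count(old) != 1:
        raise ValueError("address 0x%08x not found exactly once" % old_addr)
    return code.replace(old, struct.pack("<I", new_addr))


def build_messagebox_stub(text_ptr, caption_ptr, messagebox_addr, utype=2):
    """Same layout as Danyfirex's $Opcode: push uType; push lpCaption; push lpText;
    push hWnd=0; mov eax, MessageBoxW; call eax; ret. MessageBoxW is stdcall, so the
    callee pops its four arguments and the final ret is balanced."""
    def push(value):
        return b"\x68" + struct.pack("<I", value & 0xFFFFFFFF)
    return (push(utype) + push(caption_ptr) + push(text_ptr) + push(0)
            + b"\xB8" + struct.pack("<I", messagebox_addr) + b"\xFF\xD0\xC3")


if __name__ == "__main__":
    insns = decode(ORIGINAL_SHELLCODE)
    for off, mnemonic, operand in insns:
        print("%2d: %s %s" % (off, mnemonic, hex(operand) if isinstance(operand, int) else operand or ""))
    print("stack strings:", stack_strings(insns), "targets:", [hex(a) for a in absolute_addresses(insns)])
    fixed = retarget(make_returning(ORIGINAL_SHELLCODE), 0x77D7050B, 0x7654CAFE)  # placeholder address
    print("returning variant (%d bytes): %s" % (len(fixed), fixed.hex()))
    print("dynamic stub:", build_messagebox_stub(0x00201000, 0x00202000, 0x7654CAFE).hex())
```

Run it as a script to see the listing and the rewritten bytes. On a Windows host, either the returning variant (with the MessageBox address retargeted to the GetProcAddress result) or the stub from build_messagebox_stub() is what gets copied into a page allocated with PAGE_EXECUTE_READWRITE and invoked with DllCallAddress, exactly as in the post above.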


Yeee, that's how I like it (have I seen that code before?)

:P



Sure. :thumbsup:

Maybe he should see your good MsgBox thread script.

 

Regards

