2022-04-28 16:01:33 +00:00
< details >
2024-01-09 14:11:06 +00:00
< summary > < strong > Aprende hacking en AWS de cero a héroe con< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-09 14:11:06 +00:00
Otras formas de apoyar a HackTricks:
2022-04-28 16:01:33 +00:00
2024-02-09 02:10:17 +00:00
* Si quieres ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN** ](https://github.com/sponsors/carlospolop )!
* Obtén el [**oficial PEASS & HackTricks swag** ](https://peass.creator-spring.com )
* Descubre [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), nuestra colección exclusiva de [**NFTs** ](https://opensea.io/collection/the-peass-family )
* **Únete al** 💬 [**grupo de Discord** ](https://discord.gg/hRep4RUj7f ) o al [**grupo de telegram** ](https://t.me/peass ) o **síguenos** en **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks_live )**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) y [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) repositorios de github.
2022-04-28 16:01:33 +00:00
< / details >
2022-05-01 16:32:23 +00:00
2024-01-09 14:11:06 +00:00
La única línea modificada del [código original ](https://github.com/OALabs/BlobRunner ) es la línea 10.
2024-02-09 02:10:17 +00:00
Para compilarlo solo **crea un proyecto C/C++ en Visual Studio Code, copia y pega el código y compílalo** .
2021-08-24 22:57:45 +00:00
```c
#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#ifdef _WIN64
#include <WinBase.h>
#endif
// Define bool
#pragma warning(disable:4996)
#define true 1
#define false 0
const char* _version = "0.0.5";
const char* _banner = " __________ .__ ___. __________ \n"
" \\______ \\ | ____ \\_ |__\\______ \\__ __ ____ ____ ___________ \n"
" | | _/ | / _ \\| __ \\| _/ | \\/ \\ / \\_ / __ \\_ __ \\ \n"
" | | \\ |_( < _ > ) \\_\\ \\ | \\ | / | \\ | \\ ___/| | \\/ \n"
" |______ /____/\\____/|___ /____|_ /____/|___| /___| /\\___ >__| \n"
" \\/ \\/ \\/ \\/ \\/ \\/ \n\n"
" %s \n\n";
void banner() {
2024-01-09 14:11:06 +00:00
system("cls");
printf(_banner, _version);
return;
2021-08-24 22:57:45 +00:00
}
LPVOID process_file(char* inputfile_name, bool jit, int offset, bool debug) {
2024-01-09 14:11:06 +00:00
LPVOID lpvBase;
FILE* file;
unsigned long fileLen;
char* buffer;
DWORD dummy;
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
file = fopen(inputfile_name, "rb");
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
if (!file) {
printf(" [!] Error: Unable to open %s\n", inputfile_name);
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
return (LPVOID)NULL;
}
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
printf(" [*] Reading file...\n");
fseek(file, 0, SEEK_END);
fileLen = ftell(file); //Get Length
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
printf(" [*] File Size: 0x%04x\n", fileLen);
fseek(file, 0, SEEK_SET); //Reset
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
fileLen += 1;
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
buffer = (char*)malloc(fileLen); //Create Buffer
fread(buffer, fileLen, 1, file);
fclose(file);
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
printf(" [*] Allocating Memory...");
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
lpvBase = VirtualAlloc(NULL, fileLen, 0x3000, 0x40);
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
printf(".Allocated!\n");
printf(" [*] |-Base: 0x%08x\n", (int)(size_t)lpvBase);
printf(" [*] Copying input data...\n");
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
CopyMemory(lpvBase, buffer, fileLen);
return lpvBase;
2021-08-24 22:57:45 +00:00
}
void execute(LPVOID base, int offset, bool nopause, bool jit, bool debug)
{
2024-01-09 14:11:06 +00:00
LPVOID shell_entry;
2021-08-24 22:57:45 +00:00
#ifdef _WIN64
2024-01-09 14:11:06 +00:00
DWORD thread_id;
HANDLE thread_handle;
const char msg[] = " [*] Navigate to the Thread Entry and set a breakpoint. Then press any key to resume the thread.\n";
2021-08-24 22:57:45 +00:00
#else
2024-01-09 14:11:06 +00:00
const char msg[] = " [*] Navigate to the EP and set a breakpoint. Then press any key to jump to the shellcode.\n";
2021-08-24 22:57:45 +00:00
#endif
2024-01-09 14:11:06 +00:00
shell_entry = (LPVOID)((UINT_PTR)base + offset);
2021-08-24 22:57:45 +00:00
#ifdef _WIN64
2024-01-09 14:11:06 +00:00
printf(" [*] Creating Suspended Thread...\n");
thread_handle = CreateThread(
NULL, // Attributes
0, // Stack size (Default)
shell_entry, // Thread EP
NULL, // Arguments
0x4, // Create Suspended
&thread_id); // Thread identifier
if (thread_handle == NULL) {
printf(" [!] Error Creating thread...");
return;
}
printf(" [*] Created Thread: [%d]\n", thread_id);
printf(" [*] Thread Entry: 0x%016x\n", (int)(size_t)shell_entry);
2021-08-24 22:57:45 +00:00
#endif
2024-01-09 14:11:06 +00:00
if (nopause == false) {
printf("%s", msg);
getchar();
}
else
{
if (jit == true) {
// Force an exception by making the first byte not executable.
// This will cause
DWORD oldp;
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
printf(" [*] Removing EXECUTE access to trigger exception...\n");
2021-08-24 22:57:45 +00:00
2024-01-09 14:11:06 +00:00
VirtualProtect(shell_entry, 1 , PAGE_READWRITE, &oldp);
}
}
2021-08-24 22:57:45 +00:00
#ifdef _WIN64
2024-01-09 14:11:06 +00:00
printf(" [*] Resuming Thread..\n");
ResumeThread(thread_handle);
2021-08-24 22:57:45 +00:00
#else
2024-01-09 14:11:06 +00:00
printf(" [*] Entry: 0x%08x\n", (int)(size_t)shell_entry);
printf(" [*] Jumping to shellcode\n");
__asm jmp shell_entry;
2021-08-24 22:57:45 +00:00
#endif
}
void print_help() {
2024-01-09 14:11:06 +00:00
printf(" [!] Error: No file!\n\n");
printf(" Required args: < inputfile > \n\n");
printf(" Optional Args:\n");
printf(" --offset < offset > The offset to jump into.\n");
printf(" --nopause Don't pause before jumping to shellcode. Danger!!! \n");
printf(" --jit Forces an exception by removing the EXECUTE permission from the alloacted memory.\n");
printf(" --debug Verbose logging.\n");
printf(" --version Print version and exit.\n\n");
2021-08-24 22:57:45 +00:00
}
int main(int argc, char* argv[])
{
2024-01-09 14:11:06 +00:00
LPVOID base;
int i;
int offset = 0;
bool nopause = false;
bool debug = false;
bool jit = false;
char* nptr;
banner();
if (argc < 2 ) {
print_help();
return -1;
2021-08-24 22:57:45 +00:00
}
2022-04-28 16:01:33 +00:00
2024-01-09 14:11:06 +00:00
printf(" [*] Using file: %s \n", argv[1]);
2022-04-28 16:01:33 +00:00
2024-01-09 14:11:06 +00:00
for (i = 2; i < argc ; i + + ) {
if (strcmp(argv[i], "--offset") == 0) {
printf(" [*] Parsing offset...\n");
i = i + 1;
if (strncmp(argv[i], "0x", 2) == 0) {
offset = strtol(argv[i], & nptr, 16);
}
else {
offset = strtol(argv[i], & nptr, 10);
}
}
else if (strcmp(argv[i], "--nopause") == 0) {
nopause = true;
}
else if (strcmp(argv[i], "--jit") == 0) {
jit = true;
nopause = true;
}
else if (strcmp(argv[i], "--debug") == 0) {
debug = true;
}
else if (strcmp(argv[i], "--version") == 0) {
printf("Version: %s", _version);
}
else {
printf("[!] Warning: Unknown arg: %s\n", argv[i]);
}
}
2022-04-28 16:01:33 +00:00
2024-01-09 14:11:06 +00:00
base = process_file(argv[1], jit, offset, debug);
if (base == NULL) {
printf(" [!] Exiting...");
return -1;
}
printf(" [*] Using offset: 0x%08x\n", offset);
execute(base, offset, nopause, jit, debug);
printf("Pausing - Press any key to quit.\n");
getchar();
return 0;
}
```
< details >
2022-04-28 16:01:33 +00:00
2024-01-09 14:11:06 +00:00
< summary > < strong > Aprende hacking en AWS de cero a héroe con< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-01-09 14:11:06 +00:00
Otras formas de apoyar a HackTricks:
2022-04-28 16:01:33 +00:00
2024-02-09 02:10:17 +00:00
* Si quieres ver tu **empresa anunciada en HackTricks** o **descargar HackTricks en PDF** Consulta los [**PLANES DE SUSCRIPCIÓN** ](https://github.com/sponsors/carlospolop )!
* Obtén el [**oficial PEASS & HackTricks swag** ](https://peass.creator-spring.com )
* Descubre [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), nuestra colección exclusiva de [**NFTs** ](https://opensea.io/collection/the-peass-family )
* **Únete al** 💬 [**grupo de Discord** ](https://discord.gg/hRep4RUj7f ) o al [**grupo de telegram** ](https://t.me/peass ) o **síguenos** en **Twitter** 🐦 [**@carlospolopm** ](https://twitter.com/hacktricks_live )**.**
* **Comparte tus trucos de hacking enviando PRs a los** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) y [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) repositorios de github.
2022-04-28 16:01:33 +00:00
< / details >