Can't Overflow The Buffer For Shell Coding

I have this shell code which is supposed to open a MessageBox. It works when testing it with https://github.com/NytroRST/ShellcodeCompiler, however when I create a new console application using C and try to compile this

#include <stdio.h>
#include <Windows.h>

unsigned char rc[] = "\x31\xC3\x89\x64\xE2\x80\xB9\x41\x30\xE2\x80\xB9\x40\x0C\xE2\x80\xB9\x70\x14\xC2\xAD\xE2\x80\x93\xC2\xAD\xE2\x80\xB9\x58\x10\xE2\x80\xB9\x53\x3C\x01\xC3\x9A\xE2\x80\xB9\x52\x78\x01\xC3\x9A\xE2\x80\xB9\x72\x20\x01\xC3\x9E\x31\xC3\x89\x41\xC2\xAD\x01\xC3\x98\xC2\x81\x38\x47\x65\x74\x50\x75\xC3\xB4\xC2\x81\x78\x04\x72\x6F\x63\x41\x75\xC3\xAB\xC2\x81\x78\x08\x64\x64\x72\x65\x75\xC3\xA2\xE2\x80\xB9\x72\x24\x01\xC3\x9E\x66\xE2\x80\xB9\x0C\x4E\x49\xE2\x80\xB9\x72\x1C\x01\xC3\x9E\xE2\x80\xB9\x14\xC5\xBD\x01\xC3\x9A\x31\xC3\x89\x53\x52\x51\x68\x61\x72\x79\x41\x68\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\x53\xC3\xBF\xC3\x92\x92\xC3\x84\x0C\x59\x50\x31\xC3\x80\x66\xC2\xB8\x6C\x6C\x50\x68\x33\x32\x2E\x64\x68\x75\x73\x65\x72\x54\xC3\xBF\x54\x24\x10\xC6\x92\xC3\x84\x0C\x50\x31\xC3\x80\xC2\xB8\x6F\x78\x41\x23\x50\xC6\x92\x6C\x24\x03\x23\x68\x61\x67\x65\x42\x68\x4D\x65\x73\x73\x54\xC3\xBF\x74\x24\x10\xC3\xBF\x54\x24\x1C\xC6\x92\xC3\x84\x0C\x50\x31\xC3\x80\xC2\xB8\x65\x73\x73\x23\x50\xC6\x92\x6C\x24\x03\x23\x68\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54\xC3\xBF\x74\x24\x20\xC3\xBF\x54\x24\x20\xC6\x92\xC3\x84\x0C\x50\x31\xC3\x80\xC2\xB8\x59\x6F\x75\x23\x50\xC6\x92\x6C\x24\x03\x23\x68\x41\x72\x65\x20\x68\x48\x6F\x77\x20\x68\x48\x65\x79\x20\x54\x31\xC3\x80\x50\x68\x54\x65\x73\x74\x54\x31\xC3\x80\x50\xC3\xBF\x74\x24\x04\xC3\xBF\x74\x24\x14\x31\xC3\x80\x50\xC3\xBF\x54\x24\x34\x92\xC3\x84\x20\x31\xC3\x80\x50\xC3\xBF\x54\x24\x04\x6e";

int main() {
    (*(void(*)()) rc)();
}

It always throws an Access Violation Exception after running it. I can get rid of this exception if I change the memory protections at the location of the shell code's injection, but it still does not display the MessageBox. I am certain the shell code works because the link above has a program that tests the shellcode and it works flawlessly. The only difference between their exploitation approach is that they are using C++ to do it and I'm using C.

Solution:

Because you are trying to call the address of rc, whose memory protection is PAGE_READWRITE, hence the access violation error.

You will have to allocate a buffer and set the protection to PAGE_EXECUTE_READ in order for it to work.

Helper function:

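#include <Windows.h>
#include <cstring>
#include <stdexcept>

// Copies rawData into freshly allocated memory and returns it as read + execute.
void* AllocFunction(const void* rawData, const size_t size)
{
    // Allocate as read/write first so the bytes can be copied in.
    void* pFunction = VirtualAlloc(nullptr, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pFunction == nullptr) throw std::runtime_error("VirtualAlloc failed");

    memcpy(pFunction, rawData, size);

    // Drop write access and add execute: the region is never writable and executable at once.
    DWORD dwOldProtect;
    if (!VirtualProtect(pFunction, size, PAGE_EXECUTE_READ, &dwOldProtect))
        throw std::runtime_error("VirtualProtect failed");

    return pFunction;
}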

Usage:

void (*lpFunction)() = nullptr;
*(void**)&lpFunction = AllocFunction(rc, sizeof(rc));

lpFunction();
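
From the defender's side, the sequence in the helper above (allocate read-write, copy bytes in, flip the same pages to executable) is the transition that memory-protection monitoring looks for. The following is an added example, not part of the original answer: it audits a constructed trace of allocation and protection events for that transition and for pages that are writable and executable at once. The event struct, function names and trace are hypothetical; only the PAGE_* values are the documented Windows ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Protection values as documented for winnt.h, redefined so this builds without <Windows.h>. */
enum { PAGE_READWRITE = 0x04, PAGE_EXECUTE_READ = 0x20, PAGE_EXECUTE_READWRITE = 0x40 };
enum op { EV_ALLOC, EV_PROTECT };                 /* VirtualAlloc / VirtualProtect */
enum verdict { V_OK, V_RWX, V_WRITE_THEN_EXEC };
struct event  { enum op op; uintptr_t base; uint32_t prot; };  /* hypothetical trace record */
struct region { uintptr_t base; int was_writable; };
#define MAX_REGIONS 16

static int is_exec(uint32_t p)  { return (p & 0xF0) != 0; }  /* PAGE_EXECUTE* = 0x10..0x80 */
static int is_write(uint32_t p) { return (p & 0xCC) != 0; }  /* RW, WRITECOPY and their EXECUTE forms */

/* Fills out[i] with a verdict for ev[i]; returns the number of flagged events. */
int audit_trace(const struct event *ev, size_t n, enum verdict *out)
{
    struct region regs[MAX_REGIONS] = {{0, 0}};
    size_t nregs = 0;
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        struct region *r = NULL;
        for (size_t j = 0; j < nregs; j++)
            if (regs[j].base == ev[i].base) r = &regs[j];
        if (r == NULL && nregs < MAX_REGIONS) {       /* first sighting of this base */
            r = &regs[nregs++];
            r->base = ev[i].base;
        }
        if (r != NULL && ev[i].op == EV_ALLOC) r->was_writable = 0;  /* new allocation: reset history */
        int w = is_write(ev[i].prot), x = is_exec(ev[i].prot);
        if (w && x) out[i] = V_RWX;                   /* writable and executable at once */
        else if (x && r != NULL && r->was_writable) out[i] = V_WRITE_THEN_EXEC;
        else out[i] = V_OK;
        if (r != NULL && w) r->was_writable = 1;
        if (out[i] != V_OK) flagged++;
    }
    return flagged;
}

/* Constructed trace: entries 0 and 1 mirror the helper above (RW allocation, then flip to RX). */
static const struct event sample_trace[] = {
    { EV_ALLOC, 0x10000, PAGE_READWRITE },         { EV_PROTECT, 0x10000, PAGE_EXECUTE_READ },
    { EV_ALLOC, 0x20000, PAGE_EXECUTE_READWRITE }, { EV_ALLOC,   0x30000, PAGE_EXECUTE_READ },
};
static enum verdict sample_verdicts[4];

int main(void)
{
    return printf("flagged=%d\n", audit_trace(sample_trace, 4, sample_verdicts)) < 0;
}
```

JIT compilers produce the same read-write to executable transition legitimately, so a finding here is a signal to correlate with other evidence rather than a verdict on its own.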