This is a Windows bind shellcode which uses the bind function from the Winsock library. It is null-byte free and uses the PEB and EDT.

h4pp1n3ss/x86Windows-BindShellcode

Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free (415 bytes)

Description:

This is a bind TCP shellcode that opens a listening socket on 0.0.0.0, port 1337. To accomplish this, the shellcode uses the PEB method to locate the base address of the required module and the Export Directory Table to locate symbols. The shellcode also uses a hash function to resolve the required symbols dynamically, without worrying about their length.

  • Author: h4pp1n3ss
  • Date: Mon 10/05/2021
  • Tested on: Microsoft Windows [Version 10.0.19042.1237]

Windows API

This shellcode uses a couple of Windows API functions from ws2_32.dll:

WSAStartup function (winsock2.h)

int WSAStartup(
  WORD      wVersionRequired,
  LPWSADATA lpWSAData
);

and

WSASocketA function (winsock2.h)

SOCKET WSAAPI WSASocketA(
  int                 af,
  int                 type,
  int                 protocol,
  LPWSAPROTOCOL_INFOA lpProtocolInfo,
  GROUP               g,
  DWORD               dwFlags
);

bind function (winsock2.h)

int bind(
  SOCKET         s,
  const sockaddr *addr,
  int            namelen
);

listen function (winsock2.h)

int WSAAPI listen(
  SOCKET s,
  int    backlog
);

WSAGetLastError function (winsock.h)

int WSAGetLastError();

accept function (winsock2.h)

SOCKET WSAAPI accept(
  SOCKET   s,
  sockaddr *addr,
  int      *addrlen
);
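
What the bind and listen calls above leave visible on a host, as an added example that is not part of the repository: a Python check over `netstat -ano` output for a TCP listener on 0.0.0.0, port 1337. The sample output, its addresses and PIDs, and the function names are constructed for illustration.

```python
# Added example (not from the repository): find wildcard TCP listeners on a
# watched port in `netstat -ano` output. Sample data below is constructed.
from typing import List, NamedTuple

WATCHED_PORTS = {1337}                # port the README says the shellcode binds
WILDCARD_ADDRS = {"0.0.0.0", "[::]"}  # "all interfaces" in netstat notation


class Listener(NamedTuple):
    address: str
    port: int
    pid: int


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return every TCP socket that netstat reports in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns: proto, local, foreign, state, PID.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        address, _, port = fields[1].rpartition(":")
        if port.isdigit() and fields[4].isdigit():
            listeners.append(Listener(address, int(port), int(fields[4])))
    return listeners


def suspicious_listeners(netstat_text: str, ports=WATCHED_PORTS) -> List[Listener]:
    """Listeners bound to all interfaces on one of the watched ports."""
    return [l for l in parse_listeners(netstat_text)
            if l.address in WILDCARD_ADDRS and l.port in ports]


# Constructed sample of `netstat -ano` output (addresses and PIDs are made up).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       4512
  TCP    192.0.2.10:1337        198.51.100.7:50122     ESTABLISHED     4512
  TCP    [::]:135               [::]:0                 LISTENING       968
  UDP    0.0.0.0:5353           *:*                                    1820
"""

if __name__ == "__main__":
    for hit in suspicious_listeners(SAMPLE):
        print(f"wildcard listener on port {hit.port}, PID {hit.pid}")
```

The PID of a hit identifies the owning process, which is where an investigation of an unexpected listener continues.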
