Solving Bsides 2013 Challenge 1

The challenge was to get a password from the Excel document.

If you looked inside the macro for the Excel document you could see it was running shellcode.

So I edited the macro to write the shellcode to a file before it was run.


Private Sub ExecuteShellCode()
    Dim lpMemory As Long
    Dim sShellCode As String
    Dim lResult As Long

    ' Grab the shellcode string the macro is about to execute
    sShellCode = ShellCode()

    ' Added: dump it to disk first (Write # wraps the string in quotes; Print # would write it raw)
    Open "C:\shellcode" For Output As #1
    Write #1, sShellCode
    Close #1

    ' Original behaviour: allocate RWX memory, copy the bytes in and run them on a new thread
    lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&)
    lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)
End Sub

Opening the file shows a short stub of shellcode that decodes and runs the exe that follows it as base64.

meh

So I just ran the shellcode using C. As the shellcode was super long, Windows didn't like it, so I used GCC.


#include <stdio.h>

/* Decoder stub followed by the base64-encoded payload, as dumped from the macro */
char shellcode[] = "\xeb\x3a\x31\xd2\x80\x3b\x2b\x75\x04\xb2\x3e\xeb\x26\x80\x3b\x2f\x75\x04\xb2\x3f\xeb\x1d\x80\x3b\x39\x77\x07\x8a\x13\x80\xea\xfc\xeb\x11\x80\x3b\x5a\x77\x07\x8a\x13\x80\xea\x41\xeb\x05\x8a\x13\x80\xea\x47\xc1\xe0\x06\x08\xd0\x43\xc3\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x31\xc9\x80\xc1\x36\x01\xcb\x89\xd9\x31\xc0\x80\x3b\x3d\x74\x25\xe8\xab\xff\xff\xff\xe8\xa6\xff\xff\xff\xe8\xa1\xff\xff\xff\xe8\x9c\xff\xff\xff\x86\xc4\xc1\xc0\x10\x86\xc4\xc1\xc8\x08\x89\x01\x83\xc1\x03\xeb\xd4"

"6FoIAADDVYnlUVZXi00Mi3UQi30U/ +9999 lines of base64 encoded lines.

A=";

int main(void)
{
    /* Cast the buffer to a function pointer and jump straight into it */
    int (*func)(void) = (int (*)(void)) shellcode;
    return func();
}
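The stub at the front of that string is a tiny base64 decoder: it recovers its own address with call/pop, skips 0x36 bytes to the text that follows it, decodes four characters at a time in place using the standard alphabet, and exits the loop (jumping into the decoded bytes) at the first "=". Because of that, the embedded executable can be pulled out statically instead of being run. The Python below is an added example, not part of the writeup; it reuses the 119-byte stub from the C source above, but the base64 payload and the fake PE header are constructed for the test.

```python
import base64
import re
import struct

# The 119-byte decoder stub that opens the challenge shellcode (hex copied from
# the writeup's C source). Everything after it is base64 text, terminated by '='.
DECODER_STUB = bytes.fromhex(
    "eb3a31d2803b2b7504b23eeb26803b2f7504b23feb1d803b3977078a1380eafceb11"
    "803b5a77078a1380ea41eb058a1380ea47c1e00608d043c3eb05e8f9ffffff5b31c9"
    "80c13601cb89d931c0803b3d7425e8abffffffe8a6ffffffe8a1ffffffe89cffffff"
    "86c4c1c01086c4c1c808890183c103ebd4"
)

def payload_offset(stub: bytes) -> int:
    """Where the stub expects its base64 text: the address that 'pop ebx'
    recovers plus the immediate of the 'add cl, imm8' that follows it."""
    i = stub.index(b"\x5b\x31\xc9\x80\xc1")   # pop ebx; xor ecx,ecx; add cl,imm8
    return i + stub[i + 5]                    # 65 + 0x36 = 119, i.e. right after the stub

def extract_payload(blob: bytes) -> bytes:
    """Recover the bytes the stub would decode in place, without running it."""
    start = blob.index(DECODER_STUB) + payload_offset(DECODER_STUB)
    end = blob.index(b"=", start)              # the stub's loop exits on the first '='
    text = blob[start:end]
    if not re.fullmatch(rb"[A-Za-z0-9+/]*", text):
        raise ValueError("byte outside the stub's base64 alphabet")
    # The stub maps '+'->62, '/'->63, digits, upper, lower: the standard alphabet.
    # Restoring the padding lets the library decoder reproduce its output.
    return base64.b64decode(text + b"=" * ((-len(text)) % 4))

def pe_offset(data: bytes) -> int:
    """Offset of an MZ header whose e_lfanew points at the PE signature, else -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if len(data) >= pos + 0x40:
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3c)[0]
            if data[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\0\0":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return -1

# Constructed sample: a six-byte loader prefix followed by a minimal fake PE
# header, carried the way the macro carried the real one. Not the challenge payload.
FAKE_PE = b"MZ" + b"\0" * 0x3a + struct.pack("<I", 0x40) + b"PE\0\0" + b"fake!"
SAMPLE_BLOB = DECODER_STUB + base64.b64encode(b"\x90" * 6 + FAKE_PE) + b"trailing junk"

if __name__ == "__main__":
    decoded = extract_payload(SAMPLE_BLOB)
    print(f"decoded {len(decoded)} bytes, PE header at offset {pe_offset(decoded)}")
```

The dump produced by the macro's Write # statement starts with a quote character, which does not matter here because the stub is located by searching rather than by assuming it sits at offset zero.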

I then loaded it into OllyDbg and stepped through the program, keeping an eye on which characters were in the registers, until I saw "ExcelMagic" in ECX, which was being compared to my input.

gameover
