This is not anything new and exciting¹, and should hopefully be familiar to some of you reading this. Some time ago I reversed the shellcode from Metasploit’s download_exec module. It’s a bit different from the rest of the stuff in MSF, because there’s no source code with it, and it lacks certain features that the other shellcode[s] have (like being able to set the exit function).
When I started writing this blog post, the day before yesterday, I looked into the history of this particular scrap of code…
It’s very similar to lion’s downloadurl_v31.c (previously available here: http://www.milw0rm.com/shellcode/597 [archive], but now also here: http://www.exploit-db.com/exploits/13529/ and here: http://inj3ct0r.com/exploits/9712 and a zillion other places).
… Except that that code seems to be a more recent version than the code in MSF. For example, it uses the LSD-PL function-name hash trick (carrying a 32-bit hash of each API name and hashing every export name at run time until one matches) rather than lugging around the full function names for look-up (as the version in MSF does).
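To make the hash trick concrete, here is an added example (not code from lion’s downloadurl, from ey4s, or from Metasploit) written from the analyst’s side: it implements the 32-bit “ror13” name hash that Skape’s shellcode and Metasploit’s block_api stub use, precomputes a hash-to-name table from a constructed list of export names, and resolves the constants you would see in a disassembly back to API names. The exact hash function lion’s v31 code used is not given on this page, so the ror13 choice is an assumption used to illustrate the technique; the export list and the sample constants are constructed for the demo. It also counts the bytes saved versus carrying NUL-terminated strings, which is the whole reason the trick exists.

```python
"""Function-name hashing as used by position-independent Windows shellcode.

Added example for this post, not code from lion's downloadurl or from
Metasploit. The hash is the 32-bit "ror13" hash (rotate the running
value right by 13, then add each ASCII byte of the name, stopping at the
NUL) used by Skape's shellcode and Metasploit's block_api; whether lion's
v31 code used exactly this hash is not stated on the page, so treat it as
an illustration of the technique. The export-name list is constructed.
"""

from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror13_hash(name: str) -> int:
    """Hash an export name the way the shellcode's lookup loop does:
    h = ror(h, 13) + byte for each byte of the name; the NUL is not added."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed sample of export names a download-and-execute payload would
# typically resolve (kernel32 / urlmon). A real analysis table would be
# built from every export of every DLL of interest.
SAMPLE_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "WinExec", "ExitProcess",
    "URLDownloadToFileA", "CreateProcessA", "ExitThread",
]


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so the constants embedded in a shellcode
    blob can be turned back into API names during analysis."""
    table: Dict[int, str] = {}
    for name in names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            # Surface collisions instead of silently overwriting: a
            # collision also means the shellcode itself could resolve
            # the wrong export, which is a known weakness of this trick.
            raise ValueError(f"hash collision: {table[h]} / {name}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int],
                   table: Dict[int, str]) -> List[Optional[str]]:
    """Map each 32-bit constant to an export name, or None if unknown."""
    return [table.get(h & MASK32) for h in hashes]


def payload_size_strings(names: Iterable[str]) -> int:
    """Bytes needed to carry NUL-terminated names (the older MSF approach)."""
    return sum(len(n) + 1 for n in names)


def payload_size_hashes(names: Iterable[str]) -> int:
    """Bytes needed to carry one 32-bit hash per name instead."""
    return 4 * len(list(names))


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # 0xEC0E4E8E is the well-known ror13 hash of "LoadLibraryA";
    # 0x11111111 stands in for a constant not in our table.
    print(resolve_hashes([0xEC0E4E8E, 0x11111111], table))
    print("strings:", payload_size_strings(SAMPLE_EXPORTS),
          "bytes; hashes:", payload_size_hashes(SAMPLE_EXPORTS), "bytes")
```

Run it and the first line prints `['LoadLibraryA', None]`; the size line shows the seven names costing 93 bytes as strings versus 28 bytes as hashes, which is the saving a v31-style payload gets over the older string-carrying version in MSF. For triage, the same table lets you read a blob’s intent from its constants without executing it.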
So, lion was a major figure in the Chinese 红客 Honker scene — literally translated as Red Guest (or Red Visitor or Red Passenger). (Basically hackers who are also Chinese nationalists.) His group was the Honker Union of China [HUC], http://www.cnhonker.com — this site seems to have been dead for a while. He wrote a lot of code back in 2003 and 2004. (I now understand a little of what I am writing in these Chinese characters!)
I managed to dig up an older version of this ‘downloadurl’ code, dated 2003-09-01, which is closer to the code in MSF (http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=41 [archive]). The code credits ey4s (from XFocus, I think) for the actual shellcode.
Anyway, big chunks of this code, like the whole PEB method (walking the Process Environment Block’s loader list to find kernel32 without any imports), also look like they were directly copied from Skape’s old stuff (Dec 2003) — which was copied from Dino Dai Zovi (Apr 2003) — which was copied from Ratter/29A (Mar 2002), etc. etc. Like I said, this is all very old stuff. None of it has really changed since 2002, and it’s still in very common use.
pita’s contribution to all this appears to be wrapping up the blob of code output by the lion program above into an MSF2 module: http://www.governmentsecurity.org/forum/index.php?showtopic=18370