Payload Ready

The word payload comes from the idea of delivery and is used in hacking to explain the package of malicious code that is delivered to a victim’s computer for the purposes of attack.

I have worked through some sites and tutorials, trying to understand Heap Spraying (as you may have seen from my earlier post). I’m now at the point where I have code injected into the memory of a computer and just need a trigger to make the code run.

The Heap Spray works by using JavaScript, to set some variables. For example, variable code = “malicious code”. Now if the same data is added to the same variable again and again, then the variable gets big and ends up in lots of places in the computer’s memory. A trigger is then needed to start the computer reading and executing the malicious code.

To make it easier to find the real places that the code has been saved in memory, we can add blanks in to the variable before the code. The blanks will then make a nice slide for the computer to read down until it gets to the code.

So I now have a virtual Windows XP machine that has Internet Explorer 6, 7 and 8. The machine has some HTML web page files that have code in. Opening internet explorer and opening one of the web pages it is then possible to see the code in memory (thanks to WinDBG).

In my HTML files I have lines of JavaScript that have the shell-code for the built-in calculator of Windows XP. This code would be replaced with code for updates for my project. The current stage is proof of concept, which is the reason the calculator code is used.

So now I’m researching how I can try to make this code run (or trigger) in memory. Then I will have a working Drive-by download, which launches calculator, that I can then upgrade the Drive-by to run Windows updates and provide the desired effect of Drive-By Healing.