complete package

Author: peterferrie

COPYRIGHT.txt

@@ -0,0 +1,25 @@
+Copyright (c) 2009-2014 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
+and Peter Ferrie <peter.ferrie@gmail.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of the copyright holder nor the names of the
+      contributors may be used to endorse or promote products derived from
+      this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

HOW_TO_BUILD.txt

@@ -0,0 +1,24 @@
+If you want to assemble the shellcode manually, you can use the following commands:
+
+nasm (http://www.nasm.us/):
+  nasm w32-exec-calc-shellcode.asm -o w32-exec-calc-shellcode.bin
+  nasm w64-exec-calc-shellcode.asm -o w64-exec-calc-shellcode.bin
+  nasm win-exec-calc-shellcode.asm -o win-exec-calc-shellcode.bin
+
+yasm (http://yasm.tortall.net/):
+  yasm w32-exec-calc-shellcode.asm -o w32-exec-calc-shellcode.bin
+  yasm w64-exec-calc-shellcode.asm -o w64-exec-calc-shellcode.bin
+  yasm win-exec-calc-shellcode.asm -o win-exec-calc-shellcode.bin
+
+You can add the argument "-DSTACK_ALIGN=TRUE" to build shellcode that re-aligns the stack.
+You can add the argument "-DFUNC=TRUE" to build shellcode as a function that supports returning with non-volatile registers preserved.
+You can add the argument "-DFUNC=TRUE -DCLEAN=TRUE" to build shellcode as a function that supports returning with all registers preserved.
+You can also combine FUNC (and CLEAN) and STACK_ALIGN to produce code that will align the stack and still support returning with registers preserved.
+
+If you want to create a DLL-file that executes the shellcode, you can compile win-dll-run-shellcode.c
+If you want to create an executable that executes the shellcode, you can compile win-exe-run-shellcode.c
+
+Release versions are build using SkyBuild (https://code.google.com/p/skybuild/), which is a python script that uses
+nasm to assemble and Microsoft Visual Studio to compile the source into binary formats. It reads
+build_config.py and build_info.txt to find out what to do and stores a build number in the later.
+

README.md

@@ -1,4 +1,19 @@
-win-exec-calc-shellcode
-=======================
-
-A small, null-free Windows shellcode that executes calc.exe (x86/x64, all OS/SPs)
+Small null-free shellcode that execute calc.exe. Runs on x86 and x64 versions of Windows 5.0-6.3 (2000, XP, 2003, 2008, 7, 8, 8.1), all service packs. 
+
+Sizes (build 306) 
+
+platform	size		stack align		function wrapper		func+save regs	func+stack		func+stack+regs  
+x86		72		75			77				77			84			84  
+x64		85		90			98				105			106			112  
+x86+x64	113		118			179				188			188			196  
+
+
+Features: 
+•NULL Free 
+•Windows version and service pack independent. 
+•ISA independent: runs on x86 (w32-exec-calc-shellcode) or x64 (w64-exec-calc-shellcode) architecture, or both x86 and x64 architecture (win-exec-calc-shellcode). 
+•Stack pointer can be aligned if needed (if you are seeing crashes in WinExec, try using the stack aligning version). 
+•No assumptions are made about the values in registers or on the stack. 
+•x86: "/3GB" and WoW64 compatible: pointers are not assumed to be smaller than 0x80000000. 
+•DEP/ASLR compatible: data is not executed, code is not modified. 
+•Able to save and restore registers and return for use in PoC code that calls the shellcode as a function using cdecl/stdcall/fastcall calling convention. 

build/bin/w32-exec-calc-shellcode-esp-func.bin

@@ -0,0 +1 @@
+`�����P1�RhcalcTYRQd�r0�v�v��0�~�_<�\x�t 
��T$�,BB��<WinEu��t
�<���XX\a�

build/bin/w32-exec-calc-shellcode-esp.bin

@@ -0,0 +1 @@
+���1�RhcalcTYRQd�r0�v�v��0�~�_<�\x�t 
��T$�,BB��<WinEu��t
�<���

build/bin/w32-exec-calc-shellcode-func.bin

@@ -0,0 +1 @@
+`1�RhcalcTYRQd�r0�v�v��0�~�_<�\x�t 
��T$�,BB��<WinEu��t
�<���XXa�

build/bin/w32-exec-calc-shellcode.bin

@@ -0,0 +1 @@
+1�RhcalcTYRQd�r0�v�v��0�~�_<�\x�t 
��T$�,BB��<WinEu��t
�<���

build/bin/w64-exec-calc-shellcode-clean-func.bin

@@ -0,0 +1 @@
+PQRSVWUPj`ZhcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����H��p]_^[ZYX�

build/bin/w64-exec-calc-shellcode-esp-clean-func.bin

@@ -0,0 +1 @@
+PQRSVWUTXf���Pj`ZhcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����H��h\]_^[ZYX�

build/bin/w64-exec-calc-shellcode-esp-func.bin

@@ -0,0 +1 @@
+SVWUTXf���Pj`ZhcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����H��h\]_^[�

build/bin/w64-exec-calc-shellcode-esp.bin

@@ -0,0 +1 @@
+f���Pj`ZhcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����

build/bin/w64-exec-calc-shellcode-func.bin

@@ -0,0 +1 @@
+SVWUj`ZhcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����H��h]_^[�

build/bin/w64-exec-calc-shellcode.bin

@@ -0,0 +1 @@
+j`ZhcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����

build/bin/win-exec-calc-shellcode-clean-func.bin

@@ -0,0 +1 @@
+P1�@�tN`JRhcalcTYRQd�r0�v�v��0�~�_<�\x�t 
��T$�,BB��<WinEu��t
�<���XXa�X�PQSVWUP�`hcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����H��p]_^[YZX�

build/bin/win-exec-calc-shellcode-esp-clean-func.bin

@@ -0,0 +1 @@
+PTXf���P1�@�tO`JRhcalcTYRQd�r0�v�v��0�~�_<�\x�t 
��T$�,BB��<WinEu��t
�<���XXa\�X�PQSVWU�`hcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����H��h]_^[YZ\X�

build/bin/win-exec-calc-shellcode-esp-func.bin

@@ -0,0 +1 @@
+TXf���P1�@�tM`JRhcalcTYRQd�r0�v�v��0�~�_<�\x�t 
��T$�,BB��<WinEu��t
�<���XXa\�SVWU�`hcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����H��h]_^[\�

build/bin/win-exec-calc-shellcode-esp.bin

@@ -0,0 +1 @@
+f���P1�PhcalcTYP@�tQd�r/�v�v��0�~�P��`H)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����

build/bin/win-exec-calc-shellcode-func.bin

@@ -0,0 +1 @@
+1�@�tL`JRhcalcTYRQd�r0�v�v��0�~�_<�\x�t 
��T$�,BB��<WinEu��t
�<���XXa�SVWU�`hcalcTYH)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����H��h]_^[�

build/bin/win-exec-calc-shellcode.bin

@@ -0,0 +1 @@
+1�PhcalcTYP@�tQd�r/�v�v��0�~�P��`H)�eH�2H�vH�vH�H�0H�~0W<�\(�t H
��T$�,�R��<WinEu�tH
��4�H
����

build/dll/w32-exec-calc-shellcode.dll

@@ -0,0 +1,4 @@
+This file is automatically generated by the build system to keep track of the
+build number and save the timestamp of the last build.
+build number: 306
+Timestamp: Mon, 27 Jan 2014 04:30:02 (UTC)

build/dll/w64-exec-calc-shellcode.dll

@@ -0,0 +1,13 @@
+; Copyright (c) 2009-2014, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
+; and Peter Ferrie <peter.ferrie@gmail.com>
+; Project homepage: http://code.google.com/p/win-exec-calc-shellcode/
+; All rights reserved. See COPYRIGHT.txt for details.
+
+; Macros for converting between bytes, words, dwords and qwords
+%define B2W(b1,b2)                      (((b2) << 8) + (b1))
+%define W2DW(w1,w2)                     (((w2) << 16) + (w1))
+%define DW2QW(dw1,dw2)                  (((dw2) << 32) + (dw1))
+%define B2DW(b1,b2,b3,b4)               ((B2W(b3, b4) << 16) + B2W(b1, b2))
+%define B2QW(b1,b2,b3,b4,b5,b6,b7,b8)   ((B2DW(b5,b6,b7,b8) << 32) + B2DW(b1,b2,b3,b4))
+%define W2QW(w1,w2,w3,w4)               ((W2DW(w3,w4) << 32) + W2DW(w1,w2))
+

build/exe/w32-exe-run-shellcode.exe

@@ -0,0 +1,107 @@
+; Copyright (c) 2009-2014, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
+; and Peter Ferrie <peter.ferrie@gmail.com>
+; Project homepage: http://code.google.com/p/win-exec-calc-shellcode/
+; All rights reserved. See COPYRIGHT.txt for details.
+
+; Windows x86 null-free shellcode that executes calc.exe.
+; Works in any x86 application for Windows 5.0-6.3 all service packs.
+BITS 32
+SECTION .text
+
+%include 'type-conversion.asm'
+
+; WinExec *requires* 4 byte stack alignment
+%ifndef PLATFORM_INDEPENDENT
+  %undef USE_COMMON                       ; not allowed as user-supplied
+global _shellcode                         ; _ is needed because LINKER will add it automatically.
+_shellcode:
+  %ifdef FUNC
+     PUSHAD
+  %endif
+  %ifdef STACK_ALIGN
+    %ifdef FUNC
+     MOV    EAX, ESP
+     AND    ESP, -4
+     PUSH   EAX
+    %else
+     AND    ESP, -4
+    %endif
+  %endif
+    XOR     EDX, EDX                      ; EDX = 0
+%elifndef USE_COMMON
+  %ifdef FUNC
+    PUSHAD
+  %endif
+    DEC     EDX
+%endif
+%ifndef USE_COMMON
+    PUSH    EDX                           ; Stack = 0
+    PUSH    B2DW('c', 'a', 'l', 'c')      ; Stack = "calc", 0
+    PUSH    ESP
+    POP     ECX                           ; ECX = &("calc")
+    PUSH    EDX                           ; Stack = 0, "calc", 0
+    PUSH    ECX                           ; Stack = &("calc"), 0, "calc", 0
+; Stack contains arguments for WinExec
+    MOV     ESI, [FS:EDX + 0x30]          ; ESI = [TEB + 0x30] = PEB
+%else
+    PUSH    ECX                           ; Stack = &("calc"), 0, "calc", 0
+; Stack contains arguments for WinExec
+    MOV     ESI, [FS:EDX + 0x2F]          ; ESI = [TEB + 0x30] = PEB (EDX=1)
+%endif
+    MOV     ESI, [ESI + 0x0C]             ; ESI = [PEB + 0x0C] = PEB_LDR_DATA
+    MOV     ESI, [ESI + 0x0C]             ; ESI = [PEB_LDR_DATA + 0x0C] = LDR_MODULE InLoadOrder[0] (process)
+    LODSD                                 ; EAX = InLoadOrder[1] (ntdll)
+    MOV     ESI, [EAX]                    ; ESI = InLoadOrder[2] (kernel32)
+    MOV     EDI, [ESI + 0x18]             ; EDI = [InLoadOrder[2] + 0x18] = kernel32 DllBase
+; Found kernel32 base address (EDI)
+%ifdef USE_COMMON
+    MOV     DL, 0x50
+    JMP     shellcode_common
+%else
+    MOV     EBX, [EDI + 0x3C]             ; EBX = [kernel32 + 0x3C] = offset(PE header)
+; PE header (EDI+EBX) = @0x00 0x04 byte signature
+;                       @0x04 0x18 byte COFF header
+;                       @0x18      PE32 optional header (EDI + EBX + 0x18)
+    MOV     EBX, [EDI + EBX + 0x18 + 0x60] ; EBX = [PE32 optional header + offset(PE32 export table offset)] = offset(export table)
+; Found export table offset (EBX)
+    MOV     ESI, [EDI + EBX + 0x20]       ; ESI = [kernel32 + offset(export table) + 0x20] = offset(names table)
+    ADD     ESI, EDI                      ; ESI = kernel32 + offset(names table) = &(names table)
+; Found export names table (ESI)
+    MOV     EDX, [EDI + EBX + 0x24]       ; EDX = [kernel32 + offset(export table) + 0x24] = offset(ordinals table)
+; Found export ordinals table (EDX)
+find_winexec_x86:
+; speculatively load ordinal (EBP)
+    MOVZX   EBP, WORD [EDI + EDX]         ; EBP = [kernel32 + offset(ordinals table) + offset] = function ordinal
+    INC     EDX
+    INC     EDX                           ; EDX = offset += 2
+    LODSD                                 ; EAX = &(names table[function number]) = offset(function name)
+    CMP     [EDI + EAX], DWORD B2DW('W', 'i', 'n', 'E') ; *(DWORD*)(function name) == "WinE" ?
+    JNE     find_winexec_x86              ;
+    MOV     ESI, [EDI + EBX + 0x1C]       ; ESI = [kernel32 + offset(export table) + 0x1C] = offset(address table)] = offset(address table)
+    ADD     ESI, EDI                      ; ESI = kernel32 + offset(address table) = &(address table)
+    ADD     EDI, [ESI + EBP * 4]          ; EDI = kernel32 + [&(address table)[WinExec ordinal]] = offset(WinExec) = &(WinExec)
+    CALL    EDI                           ; WinExec(&("calc"), 0);
+  %ifndef PLATFORM_INDEPENDENT
+    %ifdef FUNC
+     POP    EAX
+     POP    EAX
+      %ifdef STACK_ALIGN
+     POP    ESP
+      %endif
+     POPAD
+     RET
+    %endif
+  %elifdef FUNC
+     POP    EAX
+     POP    EAX
+     POPAD
+    %ifdef STACK_ALIGN
+     POP    ESP
+    %endif
+    %ifdef CLEAN
+     XCHG   EDX, EAX
+     POP    EAX
+    %endif
+     RET
+  %endif
+%endif

build/exe/w64-exe-run-shellcode.exe

@@ -0,0 +1,141 @@
+; Copyright (c) 2009-2014, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
+; and Peter Ferrie <peter.ferrie@gmail.com>
+; Project homepage: http://code.google.com/p/win-exec-calc-shellcode/
+; All rights reserved. See COPYRIGHT.txt for details.
+
+; Windows x64 null-free shellcode that executes calc.exe.
+; Works in any x64 application for Windows 5.0-6.3 all service packs.
+BITS 64
+SECTION .text
+
+%include 'type-conversion.asm'
+
+; x64 WinExec *requires* 16 byte stack alignment and four QWORDS of stack space, which may be overwritten.
+; http://msdn.microsoft.com/en-us/library/ms235286.aspx
+%ifndef PLATFORM_INDEPENDENT
+global shellcode
+shellcode:
+%ifdef FUNC                               ; assumes stack ends with 8 on entry, use STACK_ALIGN if it might not be.
+%ifdef CLEAN                              ; 64-bit calling convention considers RAX, RCX, RDX, R8, R9, R10 and R11
+    PUSH    RAX                           ; volatile. Use CLEAN if you want to preserve those as well.
+    PUSH    RCX
+    PUSH    RDX
+%endif
+    PUSH    RBX
+    PUSH    RSI
+    PUSH    RDI
+    PUSH    RBP                           ; Stack now ends with 8 (!CLEAN) or is 16 byte (CLEAN) aligned
+%endif
+%ifdef STACK_ALIGN
+%ifdef FUNC
+    PUSH    RSP
+    POP     RAX
+%endif
+    AND     SP, -16                       ; Align stack to 16 bytes
+                                          ; (we can't force it to end with 8 without dummy push and then or)
+    PUSH    RAX                           ; Force stack to end with 8 before next push, also saves RSP to restore stack
+%elifdef CLEAN
+    PUSH    RAX                           ; dummy push to make stack end with 8 before next push
+%endif
+
+; Note to SkyLined: instructions on 32-bit registers are automatically sign-extended to 64-bits.
+; This means LODSD will set the high DWORD of RAX to 0 if top bit of EAX was 0, or 0xFFFFFFFF if it was 0x80000000.
+    PUSH    BYTE 0x60                     ; Stack 
+    POP     RDX                           ; RDX = 0x60
+%else
+%ifdef FUNC
+%ifdef CLEAN
+    PUSH    RAX                           ; exchanged RDX
+    PUSH    RCX
+%endif
+    PUSH    RBX
+    PUSH    RSI
+    PUSH    RDI
+    PUSH    RBP                           ; Stack now ends with 8 (!CLEAN) or is 16 byte (CLEAN) aligned
+%endif
+%ifdef CLEAN
+%ifndef STACK_ALIGN
+    PUSH    RAX                           ; dummy push to make stack end with 8 before next push
+%endif
+%endif
+    MOV     DL, 0x60
+%endif
+%ifndef USE_COMMON
+    PUSH    B2DW('c', 'a', 'l', 'c')      ; Stack = "calc\0\0\0\0" (stack alignment changes)
+    PUSH    RSP
+    POP     RCX                           ; RCX = &("calc")
+%endif
+    SUB     RSP, RDX                      ; Stack was 16 byte aligned already and there are >4 QWORDS on the stack.
+    MOV     RSI, [GS:RDX]                 ; RSI = [TEB + 0x60] = &PEB
+    MOV     RSI, [RSI + 0x18]             ; RSI = [PEB + 0x18] = PEB_LDR_DATA
+    MOV     RSI, [RSI + 0x10]             ; RSI = [PEB_LDR_DATA + 0x10] = LDR_MODULE InLoadOrder[0] (process)
+    LODSQ                                 ; RAX = InLoadOrder[1] (ntdll)
+    MOV     RSI, [RAX]                    ; RSI = InLoadOrder[2] (kernel32)
+    MOV     RDI, [RSI + 0x30]             ; RDI = [InLoadOrder[2] + 0x30] = kernel32 DllBase
+; Found kernel32 base address (RDI)
+shellcode_common:
+    ADD     EDX, DWORD [RDI + 0x3C]       ; RBX = 0x60 + [kernel32 + 0x3C] = offset(PE header) + 0x60
+; PE header (RDI+RDX-0x60) = @0x00 0x04 byte signature
+;                            @0x04 0x18 byte COFF header
+;                            @0x18      PE32 optional header (= RDI + RDX - 0x60 + 0x18)
+    MOV     EBX, DWORD [RDI + RDX - 0x60 + 0x18 + 0x70] ; RBX = [PE32+ optional header + offset(PE32+ export table offset)] = offset(export table)
+; Export table (RDI+EBX) = @0x20 Name Pointer RVA
+    MOV     ESI, DWORD [RDI + RBX + 0x20] ; RSI = [kernel32 + offset(export table) + 0x20] = offset(names table)
+    ADD     RSI, RDI                      ; RSI = kernel32 + offset(names table) = &(names table)
+; Found export names table (RSI)
+    MOV     EDX, DWORD [RDI + RBX + 0x24] ; EDX = [kernel32 + offset(export table) + 0x24] = offset(ordinals table)
+; Found export ordinals table (RDX)
+find_winexec_x64:
+; speculatively load ordinal (RBP)
+    MOVZX   EBP, WORD [RDI + RDX]         ; RBP = [kernel32 + offset(ordinals table) + offset] = function ordinal
+    LEA     EDX, [RDX + 2]                ; RDX = offset += 2 (will wrap if > 4Gb, but this should never happen)
+    LODSD                                 ; RAX = &(names table[function number]) = offset(function name)
+    CMP     DWORD [RDI + RAX], B2DW('W', 'i', 'n', 'E') ; *(DWORD*)(function name) == "WinE" ?
+    JNE     find_winexec_x64              ;
+    MOV     ESI, DWORD [RDI + RBX + 0x1C] ; RSI = [kernel32 + offset(export table) + 0x1C] = offset(address table)
+    ADD     RSI, RDI                      ; RSI = kernel32 + offset(address table) = &(address table)
+    MOV     ESI, [RSI + RBP * 4]          ; RSI = &(address table)[WinExec ordinal] = offset(WinExec)
+    ADD     RDI, RSI                      ; RDI = kernel32 + offset(WinExec) = WinExec
+; Found WinExec (RDI)
+    CDQ                                   ; RDX = 0 (assuming EAX < 0x80000000, which should always be true)
+    CALL    RDI                           ; WinExec(&("calc"), 0);
+%ifdef FUNC
+%ifdef CLEAN
+%ifdef STACK_ALIGN
+    ADD     RSP, 0x68                     ; reset stack to where it was after pushing registers
+%else
+    ADD     RSP, 0x70                     ; reset stack to where it was after pushing registers
+%endif
+%else
+    ADD     RSP, 0x68                     ; reset stack to where it was after pushing registers
+%endif
+%ifndef PLATFORM_INDEPENDENT
+%ifdef STACK_ALIGN
+    POP     RSP
+%endif
+%endif
+    POP     RBP                           ; POP registers
+    POP     RDI
+    POP     RSI
+    POP     RBX
+%ifndef PLATFORM_INDEPENDENT
+%ifdef CLEAN
+    POP     RDX                           ; POP additional registers
+    POP     RCX
+    POP     RAX
+%endif
+    RET                                   ; Return
+%else
+%ifdef CLEAN
+    POP     RCX                           ; POP additional registers
+    POP     RDX
+%endif
+%ifdef STACK_ALIGN
+    POP     RSP
+%endif
+%ifdef CLEAN
+    POP     RAX
+%endif
+    RET                                   ; Return
+%endif
+%endif