-
-
Save aaaddress1/3c0ae754f8a40024881343a085954049 to your computer and use it in GitHub Desktop.
| ; x96 shellcode (x32+x64) by aaaddress1@chroot.org | |
| ; yasm -f bin -o x96shell_msgbox x96shell_msgbox.asm | |
| section .text | |
| bits 32 | |
| _main: | |
| call entry | |
| entry: | |
| mov ax, cs | |
| sub ax, 0x23 | |
| jz retTo32b | |
| nop | |
| retTo64b: | |
| add dword [esp], b64_shellcode-entry | |
| ret | |
| retTo32b: | |
| add dword [esp], b32_shellcode-entry | |
| ret | |
| ; 64 bit shellcode - FatalAppExitA(0, "64bit Hello!") | |
| b64_shellcode: | |
| db 0xE9, 0x2B, 0x01, 0x00, 0x00, 0x90, 0x4C, 0x8D, 0x41, 0x02, 0x31, 0xC0, 0x66, 0x83, 0x39, 0x00, 0x74, 0x1E, 0x41, 0x0F, 0xB7, 0x08, 0x49, 0x83, 0xC0, 0x02, 0x89, 0xCA, 0x83, 0xCA, 0x20, 0x0F, 0xB7, 0xD2, 0x01, 0xD0, 0xC1, 0xC8, 0x08, 0x66, 0x85, 0xC9, 0x75, 0xE6, 0xC3, 0x0F, 0x1F, 0x00, 0xC3, 0x4C, 0x8D, 0x41, 0x01, 0x31, 0xC0, 0x80, 0x39, 0x00, 0x74, 0x24, 0x0F, 0x1F, 0x40, 0x00, 0x41, 0x0F, 0xB6, 0x08, 0x49, 0x83, 0xC0, 0x01, 0x89, 0xCA, 0x83, 0xCA, 0x20, 0x0F, 0xBE, 0xD2, 0x01, 0xD0, 0xC1, 0xC8, 0x08, 0x84, 0xC9, 0x75, 0xE7, 0xC3, 0x66, 0x0F, 0x1F, 0x44, 0x00, 0x00, 0xC3, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x18, 0x4C, 0x8B, 0x48, 0x20, 0x4C, 0x8D, 0x50, 0x20, 0x4D, 0x39, 0xD1, 0x74, 0x2F, 0x48, 0x83, 0xEC, 0x28, 0x41, 0x89, 0xCB, 0xEB, 0x08, 0x4D, 0x8B, 0x09, 0x4D, 0x39, 0xD1, 0x74, 0x17, 0x49, 0x8B, 0x49, 0x50, 0xE8, 0x71, 0xFF, 0xFF, 0xFF, 0x44, 0x39, 0xD8, 0x75, 0xEA, 0x49, 0x8B, 0x41, 0x20, 0x48, 0x83, 0xC4, 0x28, 0xC3, 0x31, 0xC0, 0x48, 0x83, 0xC4, 0x28, 0xC3, 0x31, 0xC0, 0xC3, 0x57, 0x56, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x63, 0x41, 0x3C, 0x8B, 0xB4, 0x01, 0x88, 0x00, 0x00, 0x00, 0x85, 0xF6, 0x74, 0x42, 0x48, 0x01, 0xCE, 0x8B, 0x46, 0x18, 0x85, 0xC0, 0x74, 0x38, 0x44, 0x8B, 0x4E, 0x20, 0x89, 0xD7, 0x49, 0x89, 0xCB, 0x45, 0x31, 0xD2, 0x8D, 0x58, 0xFF, 0x49, 0x01, 0xC9, 0xEB, 0x03, 0x4D, 0x89, 0xC2, 0x4D, 0x85, 0xC9, 0x74, 0x0F, 0x41, 0x8B, 0x09, 0x4C, 0x01, 0xD9, 0xE8, 0x3D, 0xFF, 0xFF, 0xFF, 0x39, 0xF8, 0x74, 0x18, 0x4D, 0x8D, 0x42, 0x01, 0x49, 0x83, 0xC1, 0x04, 0x4C, 0x39, 0xD3, 0x75, 0xDC, 0x48, 0x83, 0xC4, 0x20, 0x31, 0xC0, 0x5B, 0x5E, 0x5F, 0xC3, 0x90, 0x8B, 0x46, 0x24, 0x4B, 0x8D, 0x14, 0x53, 0x0F, 0xB7, 0x14, 0x02, 0x8B, 0x46, 0x1C, 0x49, 0x8D, 0x14, 0x93, 0x8B, 0x04, 0x02, 0x48, 0x83, 0xC4, 0x20, 0x5B, 0x5E, 0x5F, 0x4C, 0x01, 0xD8, 0xC3, 0x48, 0xB8, 0x46, 0x61, 0x74, 0x61, 0x6C, 0x41, 0x70, 0x70, 0x57, 0x56, 0x53, 0x48, 0x83, 0xEC, 0x40, 0x48, 0x89, 0x44, 0x24, 0x32, 0x48, 0x8D, 0x4C, 0x24, 0x32, 0xB8, 0x41, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x3A, 0x45, 0x78, 0x69, 0x74, 0x66, 0x89, 0x44, 0x24, 0x3E, 0xE8, 0xCF, 0xFE, 0xFF, 0xFF, 0x89, 0xC7, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, 0x48, 0x8B, 0x40, 0x18, 0x48, 0x8B, 0x58, 0x20, 0x48, 0x8D, 0x70, 0x20, 0x48, 0x39, 0xDE, 0x75, 0x0A, 0xEB, 0x45, 0x48, 0x8B, 0x1B, 0x48, 0x39, 0xDE, 0x74, 0x10, 0x48, 0x8B, 0x4B, 0x20, 0x89, 0xFA, 0xE8, 0x1A, 0xFF, 0xFF, 0xFF, 0x48, 0x85, 0xC0, 0x74, 0xE8, 0xC7, 0x44, 0x24, 0x2D, 0x6C, 0x6C, 0x6F, 0x21, 0x48, 0x8D, 0x54, 0x24, 0x25, 0x31, 0xC9, 0x48, 0xBF, 0x36, 0x34, 0x62, 0x69, 0x74, 0x20, 0x48, 0x65, 0x48, 0x89, 0x7C, 0x24, 0x25, 0xC6, 0x44, 0x24, 0x31, 0x00, 0xFF, 0xD0, 0x48, 0x83, 0xC4, 0x40, 0x5B, 0x5E, 0x5F, 0xC3, 0x31, 0xC0, 0xEB, 0xCF, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 | |
| ; 32 bit shellcode - FatalAppExitA(0, "32bit Hello!") | |
| b32_shellcode: | |
| db 0xE9, 0x1E, 0x01, 0x00, 0x00, 0x90, 0x66, 0x83, 0x39, 0x00, 0x74, 0x24, 0x53, 0x31, 0xC0, 0x8D, 0x59, 0x02, 0x0F, 0xB7, 0x0B, 0x83, 0xC3, 0x02, 0x89, 0xCA, 0x83, 0xCA, 0x20, 0x0F, 0xB7, 0xD2, 0x01, 0xD0, 0xC1, 0xC8, 0x08, 0x66, 0x85, 0xC9, 0x75, 0xE8, 0x5B, 0xC3, 0x8D, 0x74, 0x26, 0x00, 0x31, 0xC0, 0xC3, 0x80, 0x39, 0x00, 0x74, 0x28, 0x53, 0x31, 0xC0, 0x8D, 0x59, 0x01, 0x66, 0x90, 0x0F, 0xB6, 0x0B, 0x83, 0xC3, 0x01, 0x89, 0xCA, 0x83, 0xCA, 0x20, 0x0F, 0xBE, 0xD2, 0x01, 0xD0, 0xC1, 0xC8, 0x08, 0x84, 0xC9, 0x75, 0xE9, 0x5B, 0xC3, 0x8D, 0xB4, 0x26, 0x00, 0x00, 0x00, 0x00, 0x31, 0xC0, 0xC3, 0x57, 0x56, 0x53, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x58, 0x14, 0x8D, 0x70, 0x14, 0x39, 0xF3, 0x74, 0x27, 0x89, 0xCF, 0xEB, 0x09, 0x8D, 0x76, 0x00, 0x8B, 0x1B, 0x39, 0xF3, 0x74, 0x1A, 0x8B, 0x4B, 0x28, 0xE8, 0x78, 0xFF, 0xFF, 0xFF, 0x39, 0xF8, 0x75, 0xEE, 0x8B, 0x43, 0x10, 0x5B, 0x5E, 0x5F, 0xC3, 0x8D, 0xB4, 0x26, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x31, 0xC0, 0x5E, 0x5F, 0xC3, 0x8B, 0x41, 0x3C, 0x8B, 0x44, 0x01, 0x78, 0x85, 0xC0, 0x74, 0x6F, 0x55, 0x01, 0xC8, 0x57, 0x56, 0x53, 0x83, 0xEC, 0x08, 0x8B, 0x78, 0x18, 0x89, 0x44, 0x24, 0x04, 0x85, 0xFF, 0x74, 0x28, 0x8B, 0x58, 0x20, 0x89, 0x14, 0x24, 0x89, 0xCE, 0x31, 0xED, 0x01, 0xCB, 0x85, 0xDB, 0x74, 0x0E, 0x8B, 0x0B, 0x01, 0xF1, 0xE8, 0x55, 0xFF, 0xFF, 0xFF, 0x3B, 0x04, 0x24, 0x74, 0x1D, 0x83, 0xC5, 0x01, 0x83, 0xC3, 0x04, 0x39, 0xEF, 0x75, 0xE4, 0x83, 0xC4, 0x08, 0x31, 0xC0, 0x5B, 0x5E, 0x5F, 0x5D, 0xC3, 0x89, 0xF6, 0x8D, 0xBC, 0x27, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x7C, 0x24, 0x04, 0x8D, 0x04, 0x6E, 0x03, 0x47, 0x24, 0x0F, 0xB7, 0x00, 0x8D, 0x04, 0x86, 0x03, 0x47, 0x1C, 0x03, 0x30, 0x83, 0xC4, 0x08, 0x5B, 0x89, 0xF0, 0x5E, 0x5F, 0x5D, 0xC3, 0x90, 0x31, 0xC0, 0xC3, 0x57, 0xB8, 0x41, 0x00, 0x00, 0x00, 0x56, 0x53, 0x83, 0xEC, 0x30, 0x8D, 0x4C, 0x24, 0x22, 0xC7, 0x44, 0x24, 0x22, 0x46, 0x61, 0x74, 0x61, 0xC7, 0x44, 0x24, 0x26, 0x6C, 0x41, 0x70, 0x70, 0xC7, 0x44, 0x24, 0x2A, 0x45, 0x78, 0x69, 0x74, 0x66, 0x89, 0x44, 0x24, 0x2E, 0xE8, 0xDF, 0xFE, 0xFF, 0xFF, 0x89, 0xC7, 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00, 0x8B, 0x40, 0x0C, 0x8B, 0x58, 0x14, 0x8D, 0x70, 0x14, 0x39, 0xDE, 0x75, 0x0D, 0xEB, 0x55, 0x90, 0x8D, 0x74, 0x26, 0x00, 0x8B, 0x1B, 0x39, 0xDE, 0x74, 0x0E, 0x8B, 0x4B, 0x10, 0x89, 0xFA, 0xE8, 0x26, 0xFF, 0xFF, 0xFF, 0x85, 0xC0, 0x74, 0xEC, 0x8D, 0x54, 0x24, 0x15, 0xC7, 0x44, 0x24, 0x15, 0x33, 0x32, 0x62, 0x69, 0xC7, 0x44, 0x24, 0x19, 0x74, 0x20, 0x48, 0x65, 0xC7, 0x44, 0x24, 0x1D, 0x6C, 0x6C, 0x6F, 0x21, 0xC6, 0x44, 0x24, 0x21, 0x00, 0x89, 0x54, 0x24, 0x04, 0xC7, 0x04, 0x24, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xD0, 0x83, 0xEC, 0x08, 0x83, 0xC4, 0x30, 0x5B, 0x5E, 0x5F, 0xC3, 0x8D, 0x74, 0x26, 0x00, 0x31, 0xC0, 0xEB, 0xC0, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 | |
aaaddress1
commented
May 7, 2021
here is a char array payload for test:
\xe8\x00\x00\x00\x00\x66\x8c\xc8\x66\x83\xe8\x23\x74\x06\x90\x83\x04\x24\x17\xc3\x81\x04\x24\xe7\x01\x00\x00\xc3\xe9\x2b\x01\x00\x00\x90\x4c\x8d\x41\x02\x31\xc0\x66\x83\x39\x00\x74\x1e\x41\x0f\xb7\x08\x49\x83\xc0\x02\x89\xca\x83\xca\x20\x0f\xb7\xd2\x01\xd0\xc1\xc8\x08\x66\x85\xc9\x75\xe6\xc3\x0f\x1f\x00\xc3\x4c\x8d\x41\x01\x31\xc0\x80\x39\x00\x74\x24\x0f\x1f\x40\x00\x41\x0f\xb6\x08\x49\x83\xc0\x01\x89\xca\x83\xca\x20\x0f\xbe\xd2\x01\xd0\xc1\xc8\x08\x84\xc9\x75\xe7\xc3\x66\x0f\x1f\x44\x00\x00\xc3\x65\x48\x8b\x04\x25\x60\x00\x00\x00\x48\x8b\x40\x18\x4c\x8b\x48\x20\x4c\x8d\x50\x20\x4d\x39\xd1\x74\x2f\x48\x83\xec\x28\x41\x89\xcb\xeb\x08\x4d\x8b\x09\x4d\x39\xd1\x74\x17\x49\x8b\x49\x50\xe8\x71\xff\xff\xff\x44\x39\xd8\x75\xea\x49\x8b\x41\x20\x48\x83\xc4\x28\xc3\x31\xc0\x48\x83\xc4\x28\xc3\x31\xc0\xc3\x57\x56\x53\x48\x83\xec\x20\x48\x63\x41\x3c\x8b\xb4\x01\x88\x00\x00\x00\x85\xf6\x74\x42\x48\x01\xce\x8b\x46\x18\x85\xc0\x74\x38\x44\x8b\x4e\x20\x89\xd7\x49\x89\xcb\x45\x31\xd2\x8d\x58\xff\x49\x01\xc9\xeb\x03\x4d\x89\xc2\x4d\x85\xc9\x74\x0f\x41\x8b\x09\x4c\x01\xd9\xe8\x3d\xff\xff\xff\x39\xf8\x74\x18\x4d\x8d\x42\x01\x49\x83\xc1\x04\x4c\x39\xd3\x75\xdc\x48\x83\xc4\x20\x31\xc0\x5b\x5e\x5f\xc3\x90\x8b\x46\x24\x4b\x8d\x14\x53\x0f\xb7\x14\x02\x8b\x46\x1c\x49\x8d\x14\x93\x8b\x04\x02\x48\x83\xc4\x20\x5b\x5e\x5f\x4c\x01\xd8\xc3\x48\xb8\x46\x61\x74\x61\x6c\x41\x70\x70\x57\x56\x53\x48\x83\xec\x40\x48\x89\x44\x24\x32\x48\x8d\x4c\x24\x32\xb8\x41\x00\x00\x00\xc7\x44\x24\x3a\x45\x78\x69\x74\x66\x89\x44\x24\x3e\xe8\xcf\xfe\xff\xff\x89\xc7\x65\x48\x8b\x04\x25\x60\x00\x00\x00\x48\x8b\x40\x18\x48\x8b\x58\x20\x48\x8d\x70\x20\x48\x39\xde\x75\x0a\xeb\x45\x48\x8b\x1b\x48\x39\xde\x74\x10\x48\x8b\x4b\x20\x89\xfa\xe8\x1a\xff\xff\xff\x48\x85\xc0\x74\xe8\xc7\x44\x24\x2d\x6c\x6c\x6f\x21\x48\x8d\x54\x24\x25\x31\xc9\x48\xbf\x36\x34\x62\x69\x74\x20\x48\x65\x48\x89\x7c\x24\x25\xc6\x44\x24\x31\x00\xff\xd0\x48\x83\xc4\x40\x5b\x5e\x5f\xc3\x31\xc0\xeb\xcf\x90\x90\x90\x90\x90\x90\x90\xe9\x1e\x01\x00\x00\x90\x66\x83\x39\x00\x74\x24\x53\x31\xc0\x8d\x59\x02\x0f\xb7\x0b\x83\xc3\x02\x89\xca\x83\xca\x20\x0f\xb7\xd2\x01\xd0\xc1\xc8\x08\x66\x85\xc9\x75\xe8\x5b\xc3\x8d\x74\x26\x00\x31\xc0\xc3\x80\x39\x00\x74\x28\x53\x31\xc0\x8d\x59\x01\x66\x90\x0f\xb6\x0b\x83\xc3\x01\x89\xca\x83\xca\x20\x0f\xbe\xd2\x01\xd0\xc1\xc8\x08\x84\xc9\x75\xe9\x5b\xc3\x8d\xb4\x26\x00\x00\x00\x00\x31\xc0\xc3\x57\x56\x53\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x58\x14\x8d\x70\x14\x39\xf3\x74\x27\x89\xcf\xeb\x09\x8d\x76\x00\x8b\x1b\x39\xf3\x74\x1a\x8b\x4b\x28\xe8\x78\xff\xff\xff\x39\xf8\x75\xee\x8b\x43\x10\x5b\x5e\x5f\xc3\x8d\xb4\x26\x00\x00\x00\x00\x5b\x31\xc0\x5e\x5f\xc3\x8b\x41\x3c\x8b\x44\x01\x78\x85\xc0\x74\x6f\x55\x01\xc8\x57\x56\x53\x83\xec\x08\x8b\x78\x18\x89\x44\x24\x04\x85\xff\x74\x28\x8b\x58\x20\x89\x14\x24\x89\xce\x31\xed\x01\xcb\x85\xdb\x74\x0e\x8b\x0b\x01\xf1\xe8\x55\xff\xff\xff\x3b\x04\x24\x74\x1d\x83\xc5\x01\x83\xc3\x04\x39\xef\x75\xe4\x83\xc4\x08\x31\xc0\x5b\x5e\x5f\x5d\xc3\x89\xf6\x8d\xbc\x27\x00\x00\x00\x00\x8b\x7c\x24\x04\x8d\x04\x6e\x03\x47\x24\x0f\xb7\x00\x8d\x04\x86\x03\x47\x1c\x03\x30\x83\xc4\x08\x5b\x89\xf0\x5e\x5f\x5d\xc3\x90\x31\xc0\xc3\x57\xb8\x41\x00\x00\x00\x56\x53\x83\xec\x30\x8d\x4c\x24\x22\xc7\x44\x24\x22\x46\x61\x74\x61\xc7\x44\x24\x26\x6c\x41\x70\x70\xc7\x44\x24\x2a\x45\x78\x69\x74\x66\x89\x44\x24\x2e\xe8\xdf\xfe\xff\xff\x89\xc7\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x58\x14\x8d\x70\x14\x39\xde\x75\x0d\xeb\x55\x90\x8d\x74\x26\x00\x8b\x1b\x39\xde\x74\x0e\x8b\x4b\x10\x89\xfa\xe8\x26\xff\xff\xff\x85\xc0\x74\xec\x8d\x54\x24\x15\xc7\x44\x24\x15\x33\x32\x62\x69\xc7\x44\x24\x19\x74\x20\x48\x65\xc7\x44\x24\x1d\x6c\x6c\x6f\x21\xc6\x44\x24\x21\x00\x89\x54\x24\x04\xc7\x04\x24\x00\x00\x00\x00\xff\xd0\x83\xec\x08\x83\xc4\x30\x5b\x5e\x5f\xc3\x8d\x74\x26\x00\x31\xc0\xeb\xc0\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90