Microsoft Windows Shellcode



This section is still under development...

You may be interested in the Windows section of the msfweb demonstration or the interactive Win32 syscall page.

Obsolete Shellcode Examples



Win32 Vampiric Import Example
Many win32 operating systems include a large number of libraries and executables that are static across service packs. These files can be used to write very small, service-pack-independent payloads. The example below attaches to dbmssocn.dll and uses its import address table to download and execute a secondary payload.

Assembled Size: 179 bytes

- Windows 2000 Vampiric Import ASM
- Windows 2000 Vampiric Import C
- Windows 2000 Vampiric Import Perl
- Windows 2000 Vampiric Import Exe MD5 (30053a85bf2f57a8c8ac93f30ae10596)


Win32 OS/SP Independent Loader
This code uses the kernel32.dll locating technique described by LSD in their "Win32 Assembly Components" paper. Our implementation is based on code by Dino Dai Zovi, with minor changes to remove the need for any calls to GetProcAddress (all functions are found solely by their hash) and to provide a C function that obtains the hash value for a given string. The majority of the win32 payloads on this site use this loader.

- Win32 OS/SP Independent Loader C [Visual Studio]


Win32 Bind Shell
This payload will load winsock, listen on a port, and spawn a cmd.exe shell when a connection is made. It will call WaitForSingleObject with an infinite timeout and then ExitProcess when the cmd.exe process has terminated. This payload has been tested on many service packs of Windows NT 4.0, Windows 2000, and Windows XP. This payload will NOT work on Windows 9x since cmd.exe does not exist and command.com can't send its output back to the socket.

Assembled Size: 356 bytes

- Win32 Bind Shell ASM
- Win32 Bind Shell C
- Win32 Bind Shell Perl
- Win32 Bind Shell Exe MD5 (7995b0f4b8ab2f0ee2166ee51ae2048f)


Win32 Reverse Shell
This payload will load winsock, connect to the specified host, and spawn a cmd.exe shell. It will call WaitForSingleObject with an infinite timeout and then ExitProcess when the cmd.exe process has terminated. This payload has been tested on many service packs of Windows NT 4.0, Windows 2000, and Windows XP. This payload will NOT work on Windows 9x since cmd.exe does not exist and command.com can't send its output back to the socket. A newer, much smaller version of this payload will be released soon.

Assembled Size: 335 bytes

- Win32 Reverse Shell ASM
- Win32 Reverse Shell C
- Win32 Reverse Shell Exe MD5 (323b372de2ee3998a9d0ee4e33184279)


Win32 Create Local Admin User
This payload will load netapi32.dll and call NetUserAdd followed by NetLocalGroupAddMembers. It will create a new user account with the username and password of "X" and add it to the local group "Administrators". This payload has been tested against Windows 2000 and Windows XP; it will not work on Windows 9x systems.

Assembled Size: 304 bytes

- Win32 Add User ASM
- Win32 Add User C
- Win32 Add User Exe MD5 (bbc784fe965163b21cfac8f5a38eabcb)


Win32 Exception Handle Example
This payload demonstrates the use of the Windows exception handling system. Essentially it overwrites the SEH chain at fs:[0] and then triggers an exception through a null pointer dereference, jumping to the code we specify. This technique becomes very useful when writing exploits for bugs which only allow for a small number of bytes to be overwritten.

- Win32 Exception Handler ASM