Over the past few weeks I created a new shellcode that uses the Microsoft Speech API to have the target computer say “You got pwned!” over the speakers. Needless to say, the practical applications are myriad, from impressing women in bars to expediting world peace. However, I expect that the most common application will be people impressing their friends with their 1337 hacker skills.
The size of the shellcode is 242 bytes (add 5 for stack alignment and 39 for EAT bypass). It has all the usual bells and whistles: OS/SP independent, null-free, optional stack alignment and EAT bypass and no register requires a specific value for it to run correctly.
Get the code here.
2 Comments to “w32 speaking shellcode – Pwn in style”
2010/12/31
DEC ECX                     ; one fewer export left to check
CMP DX, SI                  ; does the hashed export name match the one we want?
JE found_function           ; match: leave the loop
JCXZ next_module            ; counter exhausted: no match in this module
JMP next_function_loop      ; otherwise keep walking the export table
found_function:
what about
CMP DX, SI                  ; same comparison as before
LOOPNE next_function_loop   ; decrement ECX; loop while ECX != 0 and no match (ZF = 0)
JNE next_module             ; fell through with no match, so the counter ran out
to save a few bytes?
2011/01/02
Thanks Peter, that saves quite a few bytes! I must admit that I’ve not spent a lot of time minimizing this one; I basically took my MessageBox shellcode and replaced the API calls. Unfortunately, I needed to make one additional call, so I had to modify the original code a bit.
I’ve updated the code. There may be other size imperfections, so let me know if you see anything else!