A small, null-free Windows shellcode that executes calc.exe (x86/x64, all OS/SPs)
Latest commit 054c77d Dec 19, 2014 @peterferrie credits


Small null-free shellcode that executes calc.exe. Runs on x86 and x64 versions of Windows 5.0-6.3 (2000, XP, 2003, 2008, 7, 8, 8.1), all service packs.

Sizes (build 306)

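| platform | size | stack align | function wrapper | func+save regs | func+stack | func+stack+regs |
|----------|------|-------------|------------------|----------------|------------|-----------------|
| x86      | 72   | 75          | 77               | 77             | 84         | 84              |
| x64      | 85   | 90          | 98               | 105            | 106        | 112             |
| x86+x64  | 113  | 118         | 179              | 188            | 188        | 196             |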

Features:

  • Null-free.
  • Windows version and service pack independent.
  • ISA independent: runs on the x86 architecture (w32-exec-calc-shellcode), the x64 architecture (w64-exec-calc-shellcode), or both x86 and x64 architectures (win-exec-calc-shellcode).
  • Stack pointer can be aligned if needed (if you are seeing crashes in WinExec, try using the stack aligning version).
  • No assumptions are made about the values in registers or on the stack.
  • x86: "/3GB" and WoW64 compatible: pointers are not assumed to be smaller than 0x80000000.
  • DEP/ASLR compatible: data is not executed, code is not modified.
  • Able to save and restore registers and return, for use in PoC code that calls the shellcode as a function using the cdecl, stdcall or fastcall calling convention.

Credits: Skylined and Peter Ferrie