![]() 2 new exploits BSD Passive Connection Shellcode BSD - Passive Connection Shellcode FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging FreeBSD i386/AMD64 - Execve /bin/sh (Anti-Debugging) freebsd/x86 rev connect_ recv_ jmp_ return results (90 bytes) freebsd/x86 - rev connect_ recv_ jmp_ return results (90 bytes) freebsd/x86 portbind 4883 with auth shellcode freebsd/x86 - portbind 4883 with auth shellcode freebsd/x86 - execve /bin/sh (23 bytes) (2) freebsd/x86 - execve /bin/sh (2) (23 bytes) freebsd/x86 chown 0:0 _ chmod 6755 & execve /tmp/sh (44 bytes) freebsd/x86 - chown 0:0 _ chmod 6755 & execve /tmp/sh (44 bytes) Windows xp/sp1 generate portbind payload Windows XP SP1 - portbind payload (Generator) Linux/x86 - shellcode generator / null free Alphanumeric Shellcode Encoder Decoder Utility for generating HTTP/1.x requests for shellcodes Multi-Format Shellcode Encoding Tool - Beta 2.0 (w32) Linux/x86 - shellcode null free (Generator) Alphanumeric Shellcode Encoder/Decoder HTTP/1.x requests for shellcodes (Generator) (18+ bytes / 26+ bytes) Multi-Format Shellcode Encoding Tool - Beta 2.0 (Win32) (Generator) Cisco IOS Connectback Shellcode 1.0 Cisco IOS Bind Shellcode 1.0 Cisco IOS Tiny Shellcode 1.0 Cisco IOS Shellcode And Exploitation Techniques (BlackHat) Cisco IOS - Connectback Shellcode Cisco IOS - Bind Shellcode 1.0 (116 bytes) Cisco IOS - Tiny Shellcode Cisco IOS - Shellcode And Exploitation Techniques (BlackHat) Linux/mips - (Linksys WRT54G/GL) port bind shellcode (276 bytes) Linux/mips - (Linksys WRT54G/GL) execve shellcode (60 bytes) Linux/mips - execve /bin/sh (56 bytes) Linux/ppc - execve /bin/sh (60 bytes) Linux/ppc - read & exec shellcode (32 bytes) Linux/ppc - connect back execve /bin/sh (240 bytes) Linux/ppc - execve /bin/sh (112 bytes) Linux/MIPS (Linksys WRT54G/GL) - port bind shellcode (276 bytes) Linux/MIPS (Linksys WRT54G/GL) - execve shellcode (60 bytes) Linux/MIPS - execve /bin/sh (56 bytes) Linux/PPC - execve /bin/sh (60 bytes) Linux/PPC 
- read & exec shellcode (32 bytes) Linux/PPC - connect back execve /bin/sh (240 bytes) Linux/PPC - execve /bin/sh (112 bytes) Linux/x86 - listens for shellcode on tcp/5555 and jumps to it Linux/x86 - listens for shellcode on tcp/5555 and jumps to it (83 bytes) Linux/x86-64 - setuid(0) + execve(/bin/sh) (49 bytes) Linux/x86_64 - setuid(0) + execve(/bin/sh) (49 bytes) Linux/x86 - File unlinker (18 bytes + file path length) Linux/x86 - Perl script execution (99 bytes + script length) Linux/x86 - file reader (65 bytes + pathname) Linux/x86 - File unlinker (18+ bytes) Linux/x86 - Perl script execution (99+ bytes) Linux/x86 - file reader (65+ bytes) Linux x86 shellcode obfuscator Linux/x86 - shellcode obfuscator Linux/86 setreuid(geteuid_ geteuid) + execve(/bin/sh) shellcode Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) shellcode Linux/x86 - rm -rf / attempts to block the process from being stopped Linux/x86 - rm -rf / attempts to block the process from being stopped (132 bytes) Linux/x86 - HTTP/1.x GET_ Downloads and execve() (111 bytes+) Linux/x86 - executes command after setreuid (9 + 40 bytes + cmd) Linux/x86 - HTTP/1.x GET_ Downloads and execve() (111+ bytes) Linux/x86 - executes command after setreuid (49+ bytes) Linux/x86 - HTTP/1.x GET_ Downloads and JMP - (68 bytes+) Linux/x86 - HTTP/1.x GET_ Downloads and JMP - (68+ bytes) Linux/x86 - examples of long-term payloads hide-wait-change (.s) Linux/x86 - examples of long-term payloads hide-wait-change 187 bytes+ Linux/x86 - examples of long-term payloads hide-wait-change (.s) (187+ bytes) Linux/x86 - examples of long-term payloads hide-wait-change (187+ bytes) Linux - chroot()/execve() code Linux - chroot()/execve() code (80 bytes) Linux/x86-64 - bindshell port:4444 shellcode (132 bytes) Linux/x86-64 - execve(/bin/sh) (33 bytes) Linux/PPC/x86 execve(_/bin/sh__{_/bin/sh__NULL}_NULL) (99 bytes) OS-X/PPC/x86 execve(_/bin/sh__{_/bin/sh__NULL}_NULL) (121 bytes) Linux/x86 - unix/SPARC irix/mips execve /bin/sh 
irx.mips (141 bytes) Linux/x86 - unix/SPARC execve /bin/sh (80 bytes) Linux/x86 - bsd/x86 execve /bin/sh (38 bytes) netbsd/x86 kill all processes shellcode (23 bytes) netbsd/x86 callback shellcode (port 6666) (83 bytes) netbsd/x86 setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); (29 bytes) netbsd/x86 setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); (30 bytes) netbsd/x86 execve /bin/sh (68 bytes) openbsd/x86 execve(/bin/sh) (23 bytes) openbsd/x86 portbind port 6969 (148 bytes) openbsd/x86 add user w00w00 (112 bytes) OS-X/ppc sync()_ reboot() (32 bytes) OS-X/PPC execve(/bin/sh)_ exit() (72 bytes) OS-X/PPC Add user r00t (219 bytes) OS-X/PPC execve /bin/sh (72 bytes) OS-X/PPC add inetd backdoor (222 bytes) OS-X/PPC reboot (28 bytes) OS-X/PPC setuid(0) + execve /bin/sh (88 bytes) OS-X/PPC create /tmp/suid (122 bytes) OS-X/PPC simple write() (75 bytes) OS-X/PPC execve /usr/X11R6/bin/xterm (141 bytes) sco/x86 execve(_/bin/sh__ ..._ NULL); (43 bytes) Solaris/sparc download and execute (278 bytes) Solaris/sparc executes command after setreuid (92 bytes + cmd) Solaris/sparc connect-back (with XNOR encoded session) (600 bytes) Solaris/sparc setreuid/execve (56 bytes) Solaris/sparc portbind (port 6666) (240 bytes) Solaris/SPARC execve /bin/sh (52 bytes) Solaris/SPARC portbind port 6789 (228 bytes) Solaris/SPARC connect-back (204 bytes) Solaris/SPARC portbinding shellcode Solaris/x86 portbind/tcp shellcode generator Solaris/x86 setuid(0)_ execve(//bin/sh); exit(0) NULL Free (39 bytes) Solaris/x86 setuid(0)_ execve(/bin/cat_ /etc/shadow)_ exit(0) (59 bytes) Solaris/x86 execve /bin/sh toupper evasion (84 bytes) Solaris/x86 add services and execve inetd (201 bytes) Linux/x86_64 - bindshell port:4444 shellcode (132 bytes) Linux/x86_64 - execve(/bin/sh) (33 bytes) Linux PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) (99 bytes) OS-X PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) (121 bytes) Linux/x86 & unix/SPARC & irix/mips - execve /bin/sh irx.mips (141 bytes) Linux/x86 & 
unix/SPARC - execve /bin/sh (80 bytes) Linux/x86 & bsd/x86 - execve /bin/sh (38 bytes) netbsd/x86 - kill all processes shellcode (23 bytes) netbsd/x86 - callback shellcode (port 6666) (83 bytes) netbsd/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); (29 bytes) netbsd/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); (30 bytes) netbsd/x86 - execve /bin/sh (68 bytes) openbsd/x86 - execve(/bin/sh) (23 bytes) openbsd/x86 - portbind port 6969 (148 bytes) openbsd/x86 - add user w00w00 (112 bytes) OS-X/ppc - sync()_ reboot() (32 bytes) OS-X/PPC - execve(/bin/sh)_ exit() (72 bytes) OS-X/PPC - Add user r00t (219 bytes) OS-X/PPC - execve /bin/sh (72 bytes) OS-X/PPC - add inetd backdoor (222 bytes) OS-X/PPC - reboot (28 bytes) OS-X/PPC - setuid(0) + execve /bin/sh (88 bytes) OS-X/PPC - create /tmp/suid (122 bytes) OS-X/PPC - simple write() (75 bytes) OS-X/PPC - execve /usr/X11R6/bin/xterm (141 bytes) sco/x86 - execve(_/bin/sh__ ..._ NULL); (43 bytes) Solaris/SPARC - download and execute (278 bytes) Solaris/SPARC - executes command after setreuid (92+ bytes) Solaris/SPARC - connect-back (with XNOR encoded session) (600 bytes) Solaris/SPARC - setreuid/execve (56 bytes) Solaris/SPARC - portbind (port 6666) (240 bytes) Solaris/SPARC - execve /bin/sh (52 bytes) Solaris/SPARC - portbind port 6789 (228 bytes) Solaris/SPARC - connect-back (204 bytes) Solaris/SPARC - portbinding shellcode Solaris/x86 - portbind/tcp shellcode (Generator) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) NULL Free (39 bytes) Solaris/x86 - setuid(0)_ execve(/bin/cat_ /etc/shadow)_ exit(0) (59 bytes) Solaris/x86 - execve /bin/sh toupper evasion (84 bytes) Solaris/x86 - add services and execve inetd (201 bytes) Win32/XP SP2 (En) - cmd.exe (23 bytes) Win32/XP SP2 (EN) - cmd.exe (23 bytes) Win32 SEH omelet shellcode 0.1 Win32 -SEH omelet shellcode Win32 PEB!NtGlobalFlags shellcode (14 bytes) Win32 - PEB!NtGlobalFlags shellcode (14 bytes) Win32 PEB Kernel32.dll ImageBase Finder Alphanumeric (67 
bytes) Win32 PEB Kernel32.dll ImageBase Finder (Ascii Printable) (49 bytes) Win32 connectback_ receive_ save and execute shellcode Win32 Download and Execute Shellcode Generator (browsers edition) Win32 - PEB Kernel32.dll ImageBase Finder Alphanumeric (67 bytes) Win32 - PEB Kernel32.dll ImageBase Finder (ASCII Printable) (49 bytes) Win32 - connectback_ receive_ save and execute shellcode Win32 - Download and Execute Shellcode (Generator) (Browsers Edition) (275+ bytes) Win32 IsDebuggerPresent ShellCode (NT/XP) (39 bytes) Win32 (NT/XP) - IsDebuggerPresent ShellCode (39 bytes) Win32 - Download & Exec Shellcode (226 bytes+) Win32 - Download & Exec Shellcode (226+ bytes) Windows 9x/NT/2000/XP Reverse Generic Shellcode without Loader (249 bytes) Windows 9x/NT/2000/XP PEB method (29 bytes) Windows 9x/NT/2000/XP PEB method (31 bytes) Windows 9x/NT/2000/XP PEB method (35 bytes) Windows 9x/NT/2000/XP - Reverse Generic Shellcode without Loader (249 bytes) Windows 9x/NT/2000/XP - PEB method (29 bytes) Windows 9x/NT/2000/XP - PEB method (31 bytes) Windows 9x/NT/2000/XP - PEB method (35 bytes) Windows/XP download and exec source Windows XP - download and exec source Microsoft Windows - (DCOM RPC2) Universal Shellcode Windows - (DCOM RPC2) Universal Shellcode Linux - setuid(0) & execve(_/sbin/poweroff -f_) Linux - setuid(0) & execve(_/sbin/poweroff -f_) (47 bytes) Win xp sp2 PEB ISbeingdebugged shellcode Windows XP SP2 - PEB ISbeingdebugged shellcode Win32 XP SP3 ShellExecuteA shellcode Win32 XP SP3 - ShellExecuteA shellcode Win32 XP SP3 addFirewallRule freebsd/x86 portbind shellcode (167 bytes) Win32 XP SP3 - addFirewallRule freebsd/x86 - portbind shellcode (167 bytes) Win32/XP SP2 (En + Ar) - cmd.exe (23 bytes) Win32/XP SP2 (EN + AR) - cmd.exe (23 bytes) Windows XP Pro Sp2 English _Message-Box_ Shellcode Windows XP Pro Sp2 English _Wordpad_ Shellcode Windows XP Pro SP2 English - _Message-Box_ Shellcode Null-Free (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Shellcode Null 
Free (12 bytes) Linux x86 - polymorphic shellcode ip6tables -F (71 bytes) Linux x86 - ip6tables -F (47 bytes) Linux/x86 - polymorphic shellcode ip6tables -F (71 bytes) Linux/x86 - ip6tables -F (47 bytes) Linux x86 - /bin/sh (8 bytes) Linux x86 - execve /bin/sh (21 bytes) Linux/x86 - /bin/sh (8 bytes) Linux/x86 - execve /bin/sh (21 bytes) Linux x86 - disabled modsecurity (64 bytes) Linux/x86 - disabled modsecurity (64 bytes) Win32 Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) Win32/XP SP3 (Ru) - WinExec+ExitProcess cmd shellcode (12 bytes) Shellcode - Win32 MessageBox (Metasploit) JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7 Linux x86 - nc -lvve/bin/sh -p13377 shellcode Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes) Win32 - MessageBox (Metasploit) Windows XP/Vista/Windows 7 - JITed egg-hunter stage-0 shellcode Adjusted universal Linux/x86 - nc -lvve/bin/sh -p13377 shellcode Linux write() & exit(0) shellcode genearator with customizable text Linux x86 - polymorphic forkbombe - (30 bytes) Linux x86 forkbombe Linux - write() & exit(0) shellcode genearator with customizable text Linux/x86 - polymorphic forkbombe - (30 bytes) Linux/x86 - forkbomb Linux/x86_64 execve(_/bin/sh_); shellcode (30 bytes) Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes) Linux x86 - execve(_/bin/bash___-p__NULL) (33 bytes) Linux x86 - polymorphic execve(_/bin/bash___-p__NULL) (57 bytes) Linux/x86 - execve(_/bin/bash___-p__NULL) (33 bytes) Linux/x86 - polymorphic execve(_/bin/bash___-p__NULL) (57 bytes) Linux x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes) Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes) Windows 7 Pro SP1 64 Fr (Beep) Shellcode (39 bytes) Windows 7 Pro SP1 64 FR - (Beep) Shellcode (39 bytes) change mode 0777 of _/etc/shadow_ with sys_chmod syscall Linux/x86 - kill all running process change mode 0777 of _/etc/passwd_ with sys_chmod syscall Linux 
x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes) Linux x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes) Windows 7 x64 (cmd) Shellcode (61 bytes) Linux x86 - unlink _/etc/shadow_ shellcode (33 bytes) Linux x86 - hard / unclean reboot (29 bytes) Linux x86 - hard / unclean reboot (33 bytes) change mode 0777 of _/etc/shadow_ with sys_chmod syscall (39 bytes) Linux/x86 - kill all running process (11 bytes) change mode 0777 of _/etc/passwd_ with sys_chmod syscall (39 bytes) Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes) Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes) Windows 7 x64 - cmd Shellcode (61 bytes) Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes) Linux/x86 - hard / unclean reboot (29 bytes) Linux/x86 - hard / unclean reboot (33 bytes) Linux - chown root:root /bin/sh x86 shellcode (48 bytes) Linux/x86 - chown root:root /bin/sh shellcode (48 bytes) Linux x86 - netcat connect back port 8080 (76 bytes) Linux/x86 - netcat connect back port 8080 (76 bytes) Allwin MessageBoxA Shellcode Windows - MessageBoxA Shellcode Linux/x86-64 - Disable ASLR Security (143 bytes) Linux/x86_64 - Disable ASLR Security (143 bytes) Polymorphic Bindport 31337 with setreuid (0_0) linux/x86 Linux/x86 - Polymorphic Bindport 31337 with setreuid (0_0) (131 bytes) Linux/x86-64 - setuid(0) & chmod (_/etc/passwd__ 0777) & exit(0) (63 bytes) Linux/x86_64 - setuid(0) & chmod (_/etc/passwd__ 0777) & exit(0) (63 bytes) Linux/x86-64 - Add root user with password (390 bytes) Linux/x86_64 - Add root user with password (390 bytes) ShellCode WinXP SP3 SPA URLDownloadToFileA + CreateProcessA + ExitProcess Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess (176+ bytes) Polymorphic /bin/sh x86 linux shellcode Linux/x86 - Polymorphic /bin/sh shellcode (116 bytes) Linux/ARM chmod(_/etc/shadow__ 0777) Shellcode (35 bytes) Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes) 
Linux x86 - bind shell port 64533 (97 bytes) Linux/x86 - bind shell port 64533 (97 bytes) 125 bind port to 6778 XOR encoded polymorphic linux shellcode Linux - 125 bind port to 6778 XOR encoded polymorphic ARM Polymorphic - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode Generator ARM - Polymorphic execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (Generator) Win32 - Write-to-file Shellcode Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) (49 bytes) Linux/x86_64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) (49 bytes) Linux x86 - netcat bindshell port 8080 (75 bytes) Linux/x86 - netcat bindshell port 8080 (75 bytes) Linux x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes) Linux/x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes) Shellcode Checksum Routine Shellcode Checksum Routine (18 bytes) Win32/XP SP3 (Tr) - Add Admin Account Shellcode (127 bytes) Win32/XP SP3 (TR) - Add Admin Account Shellcode (127 bytes) Windows Mobile 6.5 TR (WinCE 5.2) MessageBox Shellcode (ARM) Windows Mobile 6.5 TR (WinCE 5.2) - MessageBox Shellcode (ARM) Windows Mobile 6.5 TR Phone Call Shellcode Windows Mobile 6.5 TR - Phone Call Shellcode Win32/xp pro sp3 (EN) 32-bit - add new local administrator (113 bytes) Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes) ARM Bindshell port 0x1337 ARM Bind Connect UDP Port 68 ARM Loader Port 0x1337 ARM ifconfig eth0 and Assign Address ARM - Bindshell port 0x1337 ARM - Bind Connect UDP Port 68 ARM - Loader Port 0x1337 ARM - ifconfig eth0 and Assign Address w32 speaking shellcode Win32 - speaking shellcode BSD x86 connect back Shellcode (81 bytes) BSD x86 portbind + fork shellcode (111 bytes) bds/x86 - connect back Shellcode (81 bytes) bds/x86 - portbind + fork shellcode (111 bytes) OS-X/Intel reverse_tcp shell x86_64 (131 bytes) OS-X/Intel - reverse_tcp shell x86_64 (131 bytes) Allwin WinExec add new local administrator + ExitProcess Shellcode Windows - WinExec add new local administrator 
+ ExitProcess Shellcode (279 bytes) Linux x86 - ASLR deactivation (83 bytes) Linux/x86 - ASLR deactivation (83 bytes) Linux/x86-32 - ConnectBack with SSL connection (422 bytes) Linux/x86_32 - ConnectBack with SSL connection (422 bytes) SuperH (sh4) Add root user with password SuperH (sh4) - Add root user with password (143 bytes) Linux x86 egghunt shellcode Linux/x86 - egghunt shellcode (29 bytes) OSX - Universal ROP shellcode OS-X - Universal ROP shellcode 52 byte Linux MIPS execve Linux/MIPS - execve (52 bytes) MIPS Linux XOR Shellcode Encoder (60 bytes) Linux/MIPS - XOR Shellcode Encoder (60 bytes) Linux/x86-64 - execve(/bin/sh) (52 bytes) Linux/x86_64 - execve(/bin/sh) (52 bytes) Linux/x86 - Search For php/html Writable Files and Add Your Code Linux/x86 - Search For php/html Writable Files and Add Your Code (380+ bytes) Linux x86_64 - add user with passwd (189 bytes) Linux/x86_64 - add user with passwd (189 bytes) Linux x86 - chmod 666 /etc/passwd & /etc/shadow (57 bytes) Linux/x86 - chmod 666 /etc/passwd & /etc/shadow (57 bytes) ntop 1.x - -i Local Format String ntop 1.x - i Local Format String (Raspberry Pi) Linux/ARM - reverse_shell (tcp_10.1.1.2_0x1337) (Raspberry Pi) Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) (30 bytes) (Raspberry Pi) Linux/ARM - chmod(_/etc/shadow__ 0777) (41 bytes) Linux/ARM (Raspberry Pi) - reverse_shell (tcp_10.1.1.2_0x1337) (72 bytes) Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) (30 bytes) Linux/ARM (Raspberry Pi) - chmod(_/etc/shadow__ 0777) (41 bytes) Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode MIPS Little Endian Shellcode MIPS Little Endian - Shellcode Media Player Classic 6.4.9 - - FLI File Remote Buffer Overflow Media Player Classic 6.4.9 - FLI File Remote Buffer Overflow Linux x86 - Socket Re-use Shellcode (50 bytes) Linux/x86 - Socket Re-use Shellcode (50 bytes) Linux x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User 
(ALI/ALI) & Execute /bin/sh Linux/x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User (ALI/ALI) & Execute /bin/sh (378 bytes) Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash (521 bytes) Mouse Media Script 1.6 - - Stored XSS Mouse Media Script 1.6 - Stored XSS Linux x86 - rmdir (37 bytes) Linux/x86 - rmdir (37 bytes) Linux x64 - Bind TCP port shellcode (81 bytes_ 96 with password) Linux/x64 - Bind TCP port shellcode (81 bytes / 96 bytes with password) Linux x64 - Reverse TCP connect (77 to 85 bytes_ 90 to 98 with password) Linux/x64 - Reverse TCP connect (77 to 85 bytes / 90 to 98 bytes with password) Windows x86 - Obfuscated Shellcode Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 Bytes) Windows x64 - Obfuscated Shellcode Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 Bytes) Windows x86 - Obfuscated Shellcode Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes) Windows x64 - Obfuscated Shellcode Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes) Linux MIPS - execve (36 bytes) Linux/MIPS - execve (36 bytes) Win x86-64 - Download & execute (Generator) Windows XP x86-64 - Download & execute (Generator) Linux x86 - Egg-hunter (20 bytes) Linux x86 - Typewriter Shellcode Generator Linux/x86 - Egg-hunter (20 bytes) Linux/x86 - Typewriter Shellcode (Generator) Linux/x86 - execve _/bin/sh_ - shellcode (35 bytes) Linux/x86 - execve _/bin/sh_ shellcode (35 bytes) Linux custom execve-shellcode Encoder/Decoder Linux - custom 
execve-shellcode Encoder/Decoder Linux x86 - Execve /bin/sh Shellcode Via Push (21 bytes) Linux x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes) Linux/x86 - Execve /bin/sh Shellcode Via Push (21 bytes) Linux/x86_64 - Execve /bin/sh Shellcode Via Push (23 bytes) Linux x86 - /bin/nc -le /bin/sh -vp 17771 Shellcode (58 bytes) Linux/x86 - /bin/nc -le /bin/sh -vp 17771 Shellcode (58 bytes) Linux/x86 - execve /bin/sh shellcode (21 bytes) (2) Linux/x86 - execve /bin/sh shellcode (2) (21 bytes) Linux - execve(/bin/sh) (30 bytes) Linux/x86_64 - execve(/bin/sh) (30 bytes) Linux 64 bit - Encoded execve shellcode Linux 64bit - Encoded execve shellcode Linux x86 /bin/sh ROT7 Encoded Shellcode Linux/x86 - /bin/sh ROT7 Encoded Shellcode Win32/xp[TR] sp3 - MessageBox (24 bytes) Win32/XP SP3 (TR) - MessageBox (24 bytes) Linux x86 - Egg Hunter Shellcode (19 bytes) Linux/x86 - Egg Hunter Shellcode (19 bytes) Windows x86 - user32!MessageBox _Hello World!_ (199 Bytes Null-Free) Windows x86 - user32!MessageBox _Hello World!_ Null-Free (199 bytes) Linux x86 - /bin/sh ROL/ROR Encoded Shellcode Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode OS X x64 /bin/sh Shellcode - NULL Byte Free (34 bytes) OS-X x64 - /bin/sh Shellcode - NULL Byte Free (34 bytes) Mainframe/System Z Bind Shell Mainframe/System Z - Bind Shell Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) (75 bytes) OS X x64 - tcp bind shellcode_ NULL byte free (144 bytes) OS-X x64 - tcp bind shellcode_ NULL byte free (144 bytes) Linux x86_64 - /bin/sh Linux/x86_64 - /bin/sh Linux x86_64 - execve Shellcode (22 bytes) Linux/x86_64 - execve Shellcode (22 bytes) Linux x86_64 - Bindshell with Password (92 bytes) Linux/x86_64 - Bindshell with Password (92 bytes) Linux x64 - egghunter (24 bytes) Linux/x64 - egghunter (24 bytes) Linux x86_64 - Polymorphic execve Shellcode (31 bytes) Linux/x86_64 - Polymorphic execve Shellcode (31 bytes) Windows XP-10 - 
Null-Free WinExec Shellcode (Python) Windows XP<10 - Null-Free WinExec Shellcode (Python) x64 Linux Bind TCP Port Shellcode Linux/x64 - Bind TCP Port Shellcode (103 bytes) x86_64 Linux bind TCP port shellcode Linux/x86_64 - bind TCP port shellcode (103 bytes) Linux/x86 - execve _/bin/sh_ - shellcode 24 byte Linux/x86 - execve _/bin/sh_ shellcode (24 bytes) Linux x86_64 - Egghunter (18 bytes) Linux x86 - Egg-hunter (13 bytes) Linux/x86_64 - Egghunter (18 bytes) Linux/x86 - Egg-hunter (13 bytes) WordPress Booking Calendar Contact Form Plugin <=1.1.23 - Unauthenticated SQL injection WordPress Booking Calendar Contact Form Plugin <= 1.1.23 - Unauthenticated SQL injection x86_64 Linux xor/not/div Encoded execve Shellcode Linux/x86_64 - xor/not/div Encoded execve Shellcode (54 bytes) WordPress Booking Calendar Contact Form Plugin <=1.1.23 - Shortcode SQL Injection WordPress Booking Calendar Contact Form Plugin <= 1.1.23 - Shortcode SQL Injection Linux x86/x86_64 reverse_tcp Shellcode Linux/x86/x86_64 - reverse_tcp Shellcode Linux x86/x86_64 tcp_bind Shellcode Linux x86/x86_64 Read etc/passwd Shellcode Linux/x86/x86_64 - tcp_bind Shellcode Linux/x86/x86_64 - Read etc/passwd Shellcode WordPress Booking Calendar Contact Form <=1.1.24 - Multiple Vulnerabilities WordPress Booking Calendar Contact Form <= 1.1.24 - Multiple Vulnerabilities x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version (1) Linux/x86_64 - shell_reverse_tcp with Password - Polymorphic Version (1) (122 bytes) x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version (2) Linux x86 Download & Execute Shellcode Linux x86_64 - Polymorphic Execve-Stack (47 bytes) Linux/x86_64 - shell_reverse_tcp with Password - Polymorphic Version (2) (135 bytes) Linux/x86 - Download & Execute Shellcode Linux/x86_64 - Polymorphic Execve-Stack (47 bytes) Linux x86_64 - Reverse Shell Shellcode Linux/x86_64 - Reverse Shell Shellcode Linux/x86_x64 - execve(/bin/sh) (26 bytes) Linux/x86_64 - execve(/bin/sh) (26 
bytes) Linux/x86_x64 - execve(/bin/sh) (25 bytes) Linux/x86_x64 - execve(/bin/bash) (33 bytes) Linux/x86_64 - execve(/bin/sh) (25 bytes) Linux/x86_64 - execve(/bin/bash) (33 bytes) Linux/x86_64 - bindshell (PORT: 5600) (81 bytes) Linux/x86_64 - bindshell (Pori: 5600) (81 bytes) Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode Windows x86 - URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode Linux x86 Reverse TCP Shellcode (ipv6) Linux x86 Shellcode - Bind TCP Port 1472 (ipv6) Linux/x86 - Reverse TCP Shellcode (IPv6) Linux/x86 - Bind TCP Port 1472 (IPv6) (1250 bytes) Linux x64 - Bind Shell Shellcode Generator Linux/x64 - Bind Shell Shellcode (Generator) Windows Null-Free Shellcode - Primitive Keylogger to File (431 (0x01AF) bytes) Windows - Null-Free Shellcode Primitive Keylogger to File (431 (0x01AF) bytes) .Net Framework Execute Native x86 Shellcode .Net Framework - Execute Native x86 Shellcode Linux x86_64 Shellcode - Bind TCP Port 1472 (ipv6) Linux/x86_64 - Bind TCP Port 1472 (IPv6) Linux x86_64 Shellcode - Reverse TCP (ipv6) Linux/x86_64 - Reverse TCP (IPv6) Windows - Null-Free Shellcode - Functional Keylogger to File (601 (0x0259) bytes) Windows - Null-Free Shellcode Functional Keylogger to File (601 (0x0259) bytes) Linux x86_64 Shellcode Null-Free Reverse TCP Shell Linux/x86_64 - Null-Free Reverse TCP Shell Linux x86_64 Information Stealer Shellcode Linux/x86_64 - Information Stealer Shellcode Linux x86 - TCP Bind Shell Port 4444 (656 bytes) Linux/x86 - TCP Bind Shell Port 4444 (656 bytes) Linux x86_64 XOR Encode execve Shellcode Linux/x86_64 - XOR Encode execve Shellcode Linux/Windows/BSD x86_64 execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes) Windows x86 WinExec(_cmd.exe__0) Shellcode Linux x86 - /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes) 
Windows x86 - WinExec(_cmd.exe__0) Shellcode Linux/x86 - /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes) Windows x86 system(_systeminfo_) Shellcode Windows x86 - system(_systeminfo_) Shellcode Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode Linux x86 /bin/sh Shellcode + ASLR Bruteforce Linux/x86 - /bin/sh Shellcode + ASLR Bruteforce Linux x86_64 /etc/passwd File Sender Shellcode Linux/x86_64 - /etc/passwd File Sender Shellcode Linux x86 - TCP Bind Shell Port 4444 (98 bytes) Linux/x86 - TCP Bind Shell Port 4444 (98 bytes) Linux x86 - TCP Reverse Shellcode (75 bytes) Linux/x86 - TCP Reverse Shellcode (75 bytes) Linux x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password (172 bytes) Linux/x86_64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password (172 bytes) Linux x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10 Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure |
The Exploit-Database Git Repository
This is the official repository of The Exploit Database, a project sponsored by Offensive Security.
The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and to present them in a freely available, easy-to-navigate database. The Exploit Database is a repository for exploits and proofs of concept rather than advisories, making it a valuable resource for those who need actionable data right away.
This repository is updated daily with the most recently added submissions. Any additional resources can be found in our binary sploits repository.
Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms.
```
root@kali:~# searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN]
Example:
searchsploit afd windows local
searchsploit -t oracle windows
=========
Options
=========
-c, --case Perform a case-sensitive search (Default is inSEnsITiVe).
-e, --exact Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
-h, --help Show this help screen.
-o, --overflow Exploit title's are allowed to overflow their columns.
-p, --path Show the full path to an exploit (Copies path to clipboard if possible).
-t, --title Search just the exploit title (Default is title AND the file's path).
-u, --update Update exploit database from git.
-w, --www Show URLs to Exploit-DB.com rather than local path.
--colour Disable colour highlighting.
--id Display EDB-ID value rather than local path.
=======
Notes
=======
* Use any number of search terms.
* Search terms are not case sensitive, and order is irrelevant.
* Use '-c' if you wish to reduce results by case-sensitive searching.
* And/Or '-e' if you wish to filter results by using an exact match.
* Use '-t' to exclude the file's path to filter the search results.
* Remove false positives (especially when searching numbers/major versions).
* When updating from git or displaying help, search terms will be ignored.
```
```
root@kali:~# searchsploit afd windows local
--------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows 2003/XP - AFD.sys Privilege Escalation Exploit (K-plugin) | ./windows/local/6757.txt
Microsoft Windows XP - AFD.sys Local Kernel DoS Exploit | ./windows/dos/17133.c
Microsoft Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (MS11-080)| ./windows/local/18176.py
Microsoft Windows - AfdJoinLeaf Privilege Escalation (MS11-080) | ./windows/local/21844.rb
Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation (MS14-040) | ./win32/local/39446.py
Microsoft Windows 7 x64 - AFD.SYS Privilege Escalation (MS14-040) | ./win64/local/39525.py
--------------------------------------------------------------------------------- ----------------------------------
root@kali:~#
```