A mirror of the Gitlab repo: https://gitlab.com/exploit-database/exploitdb
Find a file
Offensive Security 0a9242663c DB: 2016-07-16
2 new exploits

BSD Passive Connection Shellcode
BSD - Passive Connection Shellcode

FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging
FreeBSD i386/AMD64 - Execve /bin/sh (Anti-Debugging)

freebsd/x86 rev connect_ recv_ jmp_ return results (90 bytes)
freebsd/x86 - rev connect_ recv_ jmp_ return results (90 bytes)

freebsd/x86 portbind 4883 with auth shellcode
freebsd/x86 - portbind 4883 with auth shellcode

freebsd/x86 - execve /bin/sh (23 bytes) (2)
freebsd/x86 - execve /bin/sh (2) (23 bytes)

freebsd/x86 chown 0:0 _ chmod 6755 & execve /tmp/sh (44 bytes)
freebsd/x86 - chown 0:0 _ chmod 6755 & execve /tmp/sh (44 bytes)

Windows xp/sp1 generate portbind payload
Windows XP SP1 - portbind payload (Generator)
Linux/x86 - shellcode generator / null free
Alphanumeric Shellcode Encoder Decoder
Utility for generating HTTP/1.x requests for shellcodes
Multi-Format Shellcode Encoding Tool - Beta 2.0 (w32)
Linux/x86 - shellcode null free (Generator)
Alphanumeric Shellcode Encoder/Decoder
HTTP/1.x requests for shellcodes  (Generator) (18+ bytes / 26+ bytes)
Multi-Format Shellcode Encoding Tool - Beta 2.0 (Win32) (Generator)
Cisco IOS Connectback Shellcode 1.0
Cisco IOS Bind Shellcode 1.0
Cisco IOS Tiny Shellcode 1.0
Cisco IOS Shellcode And Exploitation Techniques (BlackHat)
Cisco IOS - Connectback Shellcode
Cisco IOS - Bind Shellcode 1.0 (116 bytes)
Cisco IOS - Tiny Shellcode
Cisco IOS - Shellcode And Exploitation Techniques (BlackHat)
Linux/mips - (Linksys WRT54G/GL) port bind shellcode (276 bytes)
Linux/mips - (Linksys WRT54G/GL) execve shellcode (60 bytes)
Linux/mips - execve /bin/sh (56 bytes)
Linux/ppc - execve /bin/sh (60 bytes)
Linux/ppc - read & exec shellcode (32 bytes)
Linux/ppc - connect back execve /bin/sh (240 bytes)
Linux/ppc - execve /bin/sh (112 bytes)
Linux/MIPS (Linksys WRT54G/GL) - port bind shellcode (276 bytes)
Linux/MIPS (Linksys WRT54G/GL) - execve shellcode (60 bytes)
Linux/MIPS - execve /bin/sh (56 bytes)
Linux/PPC - execve /bin/sh (60 bytes)
Linux/PPC - read & exec shellcode (32 bytes)
Linux/PPC - connect back execve /bin/sh (240 bytes)
Linux/PPC - execve /bin/sh (112 bytes)

Linux/x86 - listens for shellcode on tcp/5555 and jumps to it
Linux/x86 - listens for shellcode on tcp/5555 and jumps to it (83 bytes)

Linux/x86-64 - setuid(0) + execve(/bin/sh) (49 bytes)
Linux/x86_64 - setuid(0) + execve(/bin/sh) (49 bytes)
Linux/x86 - File unlinker (18 bytes + file path length)
Linux/x86 - Perl script execution (99 bytes + script length)
Linux/x86 - file reader (65 bytes + pathname)
Linux/x86 - File unlinker (18+ bytes)
Linux/x86 - Perl script execution (99+ bytes)
Linux/x86 - file reader (65+ bytes)

Linux x86 shellcode obfuscator
Linux/x86 - shellcode obfuscator

Linux/86 setreuid(geteuid_ geteuid) + execve(/bin/sh) shellcode
Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) shellcode

Linux/x86 - rm -rf / attempts to block the process from being stopped
Linux/x86 - rm -rf / attempts to block the process from being stopped (132 bytes)
Linux/x86 - HTTP/1.x GET_ Downloads and execve() (111 bytes+)
Linux/x86 - executes command after setreuid (9 + 40 bytes + cmd)
Linux/x86 - HTTP/1.x GET_ Downloads and execve() (111+ bytes)
Linux/x86 - executes command after setreuid (49+ bytes)

Linux/x86 - HTTP/1.x GET_ Downloads and JMP - (68 bytes+)
Linux/x86 - HTTP/1.x GET_ Downloads and JMP - (68+ bytes)
Linux/x86 - examples of long-term payloads hide-wait-change (.s)
Linux/x86 - examples of long-term payloads hide-wait-change 187 bytes+
Linux/x86 - examples of long-term payloads hide-wait-change (.s) (187+ bytes)
Linux/x86 - examples of long-term payloads hide-wait-change (187+ bytes)

Linux - chroot()/execve() code
Linux - chroot()/execve() code (80 bytes)
Linux/x86-64 - bindshell port:4444 shellcode (132 bytes)
Linux/x86-64 - execve(/bin/sh) (33 bytes)
Linux/PPC/x86 execve(_/bin/sh__{_/bin/sh__NULL}_NULL) (99 bytes)
OS-X/PPC/x86 execve(_/bin/sh__{_/bin/sh__NULL}_NULL) (121 bytes)
Linux/x86 - unix/SPARC irix/mips execve /bin/sh irx.mips (141 bytes)
Linux/x86 - unix/SPARC execve /bin/sh (80 bytes)
Linux/x86 - bsd/x86 execve /bin/sh (38 bytes)
netbsd/x86 kill all processes shellcode (23 bytes)
netbsd/x86 callback shellcode (port 6666) (83 bytes)
netbsd/x86 setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); (29 bytes)
netbsd/x86 setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); (30 bytes)
netbsd/x86 execve /bin/sh (68 bytes)
openbsd/x86 execve(/bin/sh) (23 bytes)
openbsd/x86 portbind port 6969 (148 bytes)
openbsd/x86 add user w00w00 (112 bytes)
OS-X/ppc sync()_ reboot() (32 bytes)
OS-X/PPC execve(/bin/sh)_ exit() (72 bytes)
OS-X/PPC Add user r00t (219 bytes)
OS-X/PPC execve /bin/sh (72 bytes)
OS-X/PPC add inetd backdoor (222 bytes)
OS-X/PPC reboot (28 bytes)
OS-X/PPC setuid(0) + execve /bin/sh (88 bytes)
OS-X/PPC create /tmp/suid (122 bytes)
OS-X/PPC simple write() (75 bytes)
OS-X/PPC execve /usr/X11R6/bin/xterm (141 bytes)
sco/x86 execve(_/bin/sh__ ..._ NULL); (43 bytes)
Solaris/sparc download and execute (278 bytes)
Solaris/sparc executes command after setreuid (92 bytes + cmd)
Solaris/sparc connect-back (with XNOR encoded session) (600 bytes)
Solaris/sparc setreuid/execve (56 bytes)
Solaris/sparc portbind (port 6666) (240 bytes)
Solaris/SPARC execve /bin/sh (52 bytes)
Solaris/SPARC portbind port 6789 (228 bytes)
Solaris/SPARC connect-back (204 bytes)
Solaris/SPARC portbinding shellcode
Solaris/x86 portbind/tcp shellcode generator
Solaris/x86 setuid(0)_ execve(//bin/sh); exit(0) NULL Free (39 bytes)
Solaris/x86 setuid(0)_ execve(/bin/cat_ /etc/shadow)_ exit(0) (59 bytes)
Solaris/x86 execve /bin/sh toupper evasion (84 bytes)
Solaris/x86 add services and execve inetd (201 bytes)
Linux/x86_64 - bindshell port:4444 shellcode (132 bytes)
Linux/x86_64 - execve(/bin/sh) (33 bytes)
Linux PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) (99 bytes)
OS-X PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) (121 bytes)
Linux/x86 & unix/SPARC & irix/mips - execve /bin/sh irx.mips (141 bytes)
Linux/x86 & unix/SPARC - execve /bin/sh (80 bytes)
Linux/x86 & bsd/x86 - execve /bin/sh (38 bytes)
netbsd/x86 - kill all processes shellcode (23 bytes)
netbsd/x86 - callback shellcode (port 6666) (83 bytes)
netbsd/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); (29 bytes)
netbsd/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); (30 bytes)
netbsd/x86 - execve /bin/sh (68 bytes)
openbsd/x86 - execve(/bin/sh) (23 bytes)
openbsd/x86 - portbind port 6969 (148 bytes)
openbsd/x86 - add user w00w00 (112 bytes)
OS-X/ppc - sync()_ reboot() (32 bytes)
OS-X/PPC - execve(/bin/sh)_ exit() (72 bytes)
OS-X/PPC - Add user r00t (219 bytes)
OS-X/PPC - execve /bin/sh (72 bytes)
OS-X/PPC - add inetd backdoor (222 bytes)
OS-X/PPC - reboot (28 bytes)
OS-X/PPC - setuid(0) + execve /bin/sh (88 bytes)
OS-X/PPC - create /tmp/suid (122 bytes)
OS-X/PPC - simple write() (75 bytes)
OS-X/PPC - execve /usr/X11R6/bin/xterm (141 bytes)
sco/x86 - execve(_/bin/sh__ ..._ NULL); (43 bytes)
Solaris/SPARC - download and execute (278 bytes)
Solaris/SPARC - executes command after setreuid (92+ bytes)
Solaris/SPARC - connect-back (with XNOR encoded session) (600 bytes)
Solaris/SPARC - setreuid/execve (56 bytes)
Solaris/SPARC - portbind (port 6666) (240 bytes)
Solaris/SPARC - execve /bin/sh (52 bytes)
Solaris/SPARC - portbind port 6789 (228 bytes)
Solaris/SPARC - connect-back (204 bytes)
Solaris/SPARC - portbinding shellcode
Solaris/x86 - portbind/tcp shellcode (Generator)
Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) NULL Free (39 bytes)
Solaris/x86 - setuid(0)_ execve(/bin/cat_ /etc/shadow)_ exit(0) (59 bytes)
Solaris/x86 - execve /bin/sh toupper evasion (84 bytes)
Solaris/x86 - add services and execve inetd (201 bytes)

Win32/XP SP2 (En) - cmd.exe (23 bytes)
Win32/XP SP2 (EN) - cmd.exe (23 bytes)

Win32 SEH omelet shellcode 0.1
Win32  -SEH omelet shellcode

Win32 PEB!NtGlobalFlags shellcode (14 bytes)
Win32 - PEB!NtGlobalFlags shellcode (14 bytes)
Win32 PEB Kernel32.dll ImageBase Finder Alphanumeric (67 bytes)
Win32 PEB Kernel32.dll ImageBase Finder (Ascii Printable) (49 bytes)
Win32 connectback_ receive_ save and execute shellcode
Win32 Download and Execute Shellcode Generator (browsers edition)
Win32 - PEB Kernel32.dll ImageBase Finder Alphanumeric (67 bytes)
Win32 - PEB Kernel32.dll ImageBase Finder (ASCII Printable) (49 bytes)
Win32 - connectback_ receive_ save and execute shellcode
Win32 - Download and Execute Shellcode  (Generator) (Browsers Edition) (275+ bytes)

Win32 IsDebuggerPresent ShellCode (NT/XP) (39 bytes)
Win32 (NT/XP) - IsDebuggerPresent ShellCode (39 bytes)

Win32 - Download & Exec Shellcode (226 bytes+)
Win32 - Download & Exec Shellcode (226+ bytes)
Windows 9x/NT/2000/XP Reverse Generic Shellcode without Loader (249 bytes)
Windows 9x/NT/2000/XP PEB method (29 bytes)
Windows 9x/NT/2000/XP PEB method (31 bytes)
Windows 9x/NT/2000/XP PEB method (35 bytes)
Windows 9x/NT/2000/XP - Reverse Generic Shellcode without Loader (249 bytes)
Windows 9x/NT/2000/XP - PEB method (29 bytes)
Windows 9x/NT/2000/XP - PEB method (31 bytes)
Windows 9x/NT/2000/XP - PEB method (35 bytes)

Windows/XP download and exec source
Windows XP - download and exec source

Microsoft Windows - (DCOM RPC2) Universal Shellcode
Windows - (DCOM RPC2) Universal Shellcode

Linux - setuid(0) & execve(_/sbin/poweroff -f_)
Linux - setuid(0) & execve(_/sbin/poweroff -f_) (47 bytes)

Win xp sp2 PEB ISbeingdebugged shellcode
Windows XP SP2 - PEB ISbeingdebugged shellcode

Win32 XP SP3 ShellExecuteA shellcode
Win32 XP SP3 - ShellExecuteA shellcode
Win32 XP SP3 addFirewallRule
freebsd/x86 portbind shellcode (167 bytes)
Win32 XP SP3 - addFirewallRule
freebsd/x86 - portbind shellcode (167 bytes)

Win32/XP SP2 (En + Ar) - cmd.exe (23 bytes)
Win32/XP SP2 (EN + AR) - cmd.exe (23 bytes)
Windows XP Pro Sp2 English _Message-Box_ Shellcode
Windows XP Pro Sp2 English _Wordpad_ Shellcode
Windows XP Pro SP2 English - _Message-Box_ Shellcode Null-Free (16 bytes)
Windows XP Pro SP2 English - _Wordpad_ Shellcode Null Free (12 bytes)
Linux x86 - polymorphic shellcode ip6tables -F (71 bytes)
Linux x86 - ip6tables -F (47 bytes)
Linux/x86 - polymorphic shellcode ip6tables -F (71 bytes)
Linux/x86 - ip6tables -F (47 bytes)
Linux x86 - /bin/sh (8 bytes)
Linux x86 - execve /bin/sh (21 bytes)
Linux/x86 - /bin/sh (8 bytes)
Linux/x86 - execve /bin/sh (21 bytes)

Linux x86 - disabled modsecurity (64 bytes)
Linux/x86 - disabled modsecurity (64 bytes)

Win32 Mini HardCode WinExec&ExitProcess Shellcode (16 bytes)
Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes)
Win32/XP SP3 (Ru) - WinExec+ExitProcess cmd shellcode (12 bytes)
Shellcode - Win32 MessageBox (Metasploit)
JITed egg-hunter stage-0 shellcode Adjusted universal for XP/Vista/Windows 7
Linux x86 - nc -lvve/bin/sh -p13377 shellcode
Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes)
Win32 - MessageBox (Metasploit)
Windows XP/Vista/Windows 7 - JITed egg-hunter stage-0 shellcode Adjusted universal
Linux/x86 - nc -lvve/bin/sh -p13377 shellcode
Linux write() & exit(0) shellcode genearator with customizable text
Linux x86 - polymorphic forkbombe - (30 bytes)
Linux x86 forkbombe
Linux - write() & exit(0) shellcode genearator with customizable text
Linux/x86 - polymorphic forkbombe - (30 bytes)
Linux/x86 - forkbomb

Linux/x86_64 execve(_/bin/sh_); shellcode (30 bytes)
Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes)
Linux x86 - execve(_/bin/bash___-p__NULL) (33 bytes)
Linux x86 - polymorphic execve(_/bin/bash___-p__NULL) (57 bytes)
Linux/x86 - execve(_/bin/bash___-p__NULL) (33 bytes)
Linux/x86 - polymorphic execve(_/bin/bash___-p__NULL) (57 bytes)

Linux x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes)
Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes)

Windows 7 Pro SP1 64 Fr (Beep) Shellcode (39 bytes)
Windows 7 Pro SP1 64 FR - (Beep) Shellcode (39 bytes)
change mode 0777 of _/etc/shadow_ with sys_chmod syscall
Linux/x86 - kill all running process
change mode 0777 of _/etc/passwd_ with sys_chmod syscall
Linux x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes)
Linux x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes)
Windows 7 x64 (cmd) Shellcode (61 bytes)
Linux x86 - unlink _/etc/shadow_ shellcode (33 bytes)
Linux x86 - hard / unclean reboot (29 bytes)
Linux x86 - hard / unclean reboot (33 bytes)
change mode 0777 of _/etc/shadow_ with sys_chmod syscall (39 bytes)
Linux/x86 - kill all running process (11 bytes)
change mode 0777 of _/etc/passwd_ with sys_chmod syscall (39 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes)
Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes)
Windows 7 x64 - cmd Shellcode (61 bytes)
Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes)
Linux/x86 - hard / unclean reboot (29 bytes)
Linux/x86 - hard / unclean reboot (33 bytes)

Linux - chown root:root /bin/sh x86 shellcode (48 bytes)
Linux/x86 - chown root:root /bin/sh shellcode (48 bytes)

Linux x86 - netcat connect back port 8080 (76 bytes)
Linux/x86 - netcat connect back port 8080 (76 bytes)

Allwin MessageBoxA Shellcode
Windows - MessageBoxA Shellcode

Linux/x86-64 - Disable ASLR Security (143 bytes)
Linux/x86_64 - Disable ASLR Security (143 bytes)

Polymorphic Bindport 31337 with setreuid (0_0) linux/x86
Linux/x86 - Polymorphic Bindport 31337 with setreuid (0_0) (131 bytes)

Linux/x86-64 - setuid(0) & chmod (_/etc/passwd__ 0777) & exit(0) (63 bytes)
Linux/x86_64 - setuid(0) & chmod (_/etc/passwd__ 0777) & exit(0) (63 bytes)

Linux/x86-64 - Add root user with password (390 bytes)
Linux/x86_64 - Add root user with password (390 bytes)

ShellCode WinXP SP3 SPA URLDownloadToFileA + CreateProcessA + ExitProcess
Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess (176+ bytes)

Polymorphic /bin/sh x86 linux shellcode
Linux/x86 - Polymorphic /bin/sh shellcode (116 bytes)

Linux/ARM chmod(_/etc/shadow__ 0777) Shellcode (35 bytes)
Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes)

Linux x86 - bind shell port 64533 (97 bytes)
Linux/x86 - bind shell port 64533 (97 bytes)

125 bind port to 6778 XOR encoded polymorphic linux shellcode
Linux - 125 bind port to 6778 XOR encoded polymorphic

ARM Polymorphic - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode Generator
ARM - Polymorphic execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (Generator)

Win32 - Write-to-file Shellcode

Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) (49 bytes)
Linux/x86_64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) (49 bytes)

Linux x86 - netcat bindshell port 8080 (75 bytes)
Linux/x86 - netcat bindshell port 8080 (75 bytes)

Linux x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes)
Linux/x86 - /bin/sh Null-Free Polymorphic Shellcode (46 bytes)

Shellcode Checksum Routine
Shellcode Checksum Routine (18 bytes)

Win32/XP SP3 (Tr) - Add Admin Account Shellcode (127 bytes)
Win32/XP SP3 (TR) - Add Admin Account Shellcode (127 bytes)

Windows Mobile 6.5 TR (WinCE 5.2) MessageBox Shellcode (ARM)
Windows Mobile 6.5 TR (WinCE 5.2) - MessageBox Shellcode (ARM)

Windows Mobile 6.5 TR Phone Call Shellcode
Windows Mobile 6.5 TR - Phone Call Shellcode

Win32/xp pro sp3 (EN) 32-bit - add new local administrator (113 bytes)
Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes)
ARM Bindshell port 0x1337
ARM Bind Connect UDP Port 68
ARM Loader Port 0x1337
ARM ifconfig eth0 and Assign Address
ARM - Bindshell port 0x1337
ARM - Bind Connect UDP Port 68
ARM - Loader Port 0x1337
ARM - ifconfig eth0 and Assign Address

w32 speaking shellcode
Win32 - speaking shellcode
BSD x86 connect back Shellcode (81 bytes)
BSD x86 portbind + fork shellcode (111 bytes)
bds/x86 - connect back Shellcode (81 bytes)
bds/x86 - portbind + fork shellcode (111 bytes)

OS-X/Intel reverse_tcp shell x86_64 (131 bytes)
OS-X/Intel - reverse_tcp shell x86_64 (131 bytes)

Allwin WinExec add new local administrator + ExitProcess Shellcode
Windows - WinExec add new local administrator + ExitProcess Shellcode (279 bytes)

Linux x86 - ASLR deactivation (83 bytes)
Linux/x86 - ASLR deactivation (83 bytes)

Linux/x86-32 - ConnectBack with SSL connection (422 bytes)
Linux/x86_32 - ConnectBack with SSL connection (422 bytes)

SuperH (sh4) Add root user with password
SuperH (sh4) - Add root user with password (143 bytes)

Linux x86 egghunt shellcode
Linux/x86 - egghunt shellcode (29 bytes)

OSX - Universal ROP shellcode
OS-X - Universal ROP shellcode

52 byte Linux MIPS execve
Linux/MIPS - execve (52 bytes)

MIPS Linux XOR Shellcode Encoder (60 bytes)
Linux/MIPS - XOR Shellcode Encoder (60 bytes)

Linux/x86-64 - execve(/bin/sh) (52 bytes)
Linux/x86_64 - execve(/bin/sh) (52 bytes)

Linux/x86 - Search For php/html Writable Files and Add Your Code
Linux/x86 - Search For php/html Writable Files and Add Your Code (380+ bytes)

Linux x86_64 - add user with passwd (189 bytes)
Linux/x86_64 - add user with passwd (189 bytes)

Linux x86 - chmod 666 /etc/passwd & /etc/shadow (57 bytes)
Linux/x86 - chmod 666 /etc/passwd & /etc/shadow (57 bytes)

ntop 1.x - -i Local Format String
ntop 1.x - i Local Format String
(Raspberry Pi) Linux/ARM - reverse_shell (tcp_10.1.1.2_0x1337)
(Raspberry Pi) Linux/ARM - execve(_/bin/sh__ [0]_ [0 vars]) (30 bytes)
(Raspberry Pi) Linux/ARM - chmod(_/etc/shadow__ 0777) (41 bytes)
Linux/ARM (Raspberry Pi) - reverse_shell (tcp_10.1.1.2_0x1337) (72 bytes)
Linux/ARM (Raspberry Pi) - execve(_/bin/sh__ [0]_ [0 vars]) (30 bytes)
Linux/ARM (Raspberry Pi) - chmod(_/etc/shadow__ 0777) (41 bytes)

Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode
Windows - URLDownloadToFile + WinExec + ExitProcess Shellcode

MIPS Little Endian Shellcode
MIPS Little Endian - Shellcode

Media Player Classic 6.4.9 - - FLI File Remote Buffer Overflow
Media Player Classic 6.4.9 - FLI File Remote Buffer Overflow

Linux x86 - Socket Re-use Shellcode (50 bytes)
Linux/x86 - Socket Re-use Shellcode (50 bytes)

Linux x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User (ALI/ALI) & Execute /bin/sh
Linux/x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User (ALI/ALI) & Execute /bin/sh (378 bytes)

Obfuscated Shellcode Linux x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash
Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash (521 bytes)

Mouse Media Script 1.6 - - Stored XSS
Mouse Media Script 1.6 - Stored XSS

Linux x86 - rmdir (37 bytes)
Linux/x86 - rmdir (37 bytes)

Linux x64 - Bind TCP port shellcode (81 bytes_ 96 with password)
Linux/x64 - Bind TCP port shellcode (81 bytes / 96 bytes with password)

Linux x64 - Reverse TCP connect (77 to 85 bytes_ 90 to 98 with password)
Linux/x64 - Reverse TCP connect (77 to 85 bytes / 90 to 98 bytes with password)
Windows x86 - Obfuscated Shellcode Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 Bytes)
Windows x64 -  Obfuscated Shellcode Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 Bytes)
Windows x86 - Obfuscated Shellcode Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes)
Windows x64 - Obfuscated Shellcode Add Administrator User/Pass ALI/ALI & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes)

Linux MIPS - execve (36 bytes)
Linux/MIPS - execve (36 bytes)

Win x86-64 - Download & execute (Generator)
Windows XP x86-64 - Download & execute (Generator)
Linux x86 - Egg-hunter (20 bytes)
Linux x86 - Typewriter Shellcode Generator
Linux/x86 - Egg-hunter (20 bytes)
Linux/x86 - Typewriter Shellcode (Generator)

Linux/x86 - execve _/bin/sh_ - shellcode (35 bytes)
Linux/x86 - execve _/bin/sh_ shellcode (35 bytes)

Linux custom execve-shellcode Encoder/Decoder
Linux - custom execve-shellcode Encoder/Decoder
Linux x86 - Execve /bin/sh Shellcode Via Push (21 bytes)
Linux x86-64 - Execve /bin/sh Shellcode Via Push (23 bytes)
Linux/x86 - Execve /bin/sh Shellcode Via Push (21 bytes)
Linux/x86_64 - Execve /bin/sh Shellcode Via Push (23 bytes)

Linux x86 - /bin/nc -le /bin/sh -vp 17771 Shellcode (58 bytes)
Linux/x86 - /bin/nc -le /bin/sh -vp 17771 Shellcode (58 bytes)

Linux/x86 - execve /bin/sh shellcode (21 bytes) (2)
Linux/x86 - execve /bin/sh shellcode (2) (21 bytes)

Linux - execve(/bin/sh) (30 bytes)
Linux/x86_64 - execve(/bin/sh) (30 bytes)

Linux 64 bit - Encoded execve shellcode
Linux 64bit - Encoded execve shellcode

Linux x86 /bin/sh ROT7 Encoded Shellcode
Linux/x86 - /bin/sh ROT7 Encoded Shellcode

Win32/xp[TR] sp3 - MessageBox (24 bytes)
Win32/XP SP3 (TR) - MessageBox (24 bytes)

Linux x86 - Egg Hunter Shellcode (19 bytes)
Linux/x86 - Egg Hunter Shellcode (19 bytes)

Windows x86 - user32!MessageBox _Hello World!_ (199 Bytes Null-Free)
Windows x86 - user32!MessageBox _Hello World!_ Null-Free (199 bytes)

Linux x86 - /bin/sh ROL/ROR Encoded Shellcode
Linux/x86 - /bin/sh ROL/ROR Encoded Shellcode

OS X x64 /bin/sh Shellcode - NULL Byte Free (34 bytes)
OS-X x64 - /bin/sh Shellcode - NULL Byte Free (34 bytes)

Mainframe/System Z Bind Shell
Mainframe/System Z - Bind Shell

Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL)
Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL) (75 bytes)

OS X x64 - tcp bind shellcode_ NULL byte free (144 bytes)
OS-X x64 - tcp bind shellcode_ NULL byte free (144 bytes)

Linux x86_64 - /bin/sh
Linux/x86_64 - /bin/sh

Linux x86_64 - execve Shellcode (22 bytes)
Linux/x86_64 - execve Shellcode (22 bytes)

Linux x86_64 - Bindshell with Password (92 bytes)
Linux/x86_64 - Bindshell with Password (92 bytes)

Linux x64 - egghunter (24 bytes)
Linux/x64 - egghunter (24 bytes)

Linux x86_64 - Polymorphic execve Shellcode (31 bytes)
Linux/x86_64 - Polymorphic execve Shellcode (31 bytes)

Windows XP-10 - Null-Free WinExec Shellcode (Python)
Windows XP<10 - Null-Free WinExec Shellcode (Python)

x64 Linux Bind TCP Port Shellcode
Linux/x64 - Bind TCP Port Shellcode (103 bytes)

x86_64 Linux bind TCP port shellcode
Linux/x86_64 - bind TCP port shellcode (103 bytes)

Linux/x86 - execve _/bin/sh_ - shellcode 24 byte
Linux/x86 - execve _/bin/sh_ shellcode (24 bytes)
Linux x86_64 - Egghunter (18 bytes)
Linux x86 - Egg-hunter (13 bytes)
Linux/x86_64 - Egghunter (18 bytes)
Linux/x86 - Egg-hunter (13 bytes)

WordPress Booking Calendar Contact Form Plugin <=1.1.23 - Unauthenticated SQL injection
WordPress Booking Calendar Contact Form Plugin <= 1.1.23 - Unauthenticated SQL injection

x86_64 Linux xor/not/div Encoded execve Shellcode
Linux/x86_64 - xor/not/div Encoded execve Shellcode (54 bytes)

WordPress Booking Calendar Contact Form Plugin <=1.1.23 - Shortcode SQL Injection
WordPress Booking Calendar Contact Form Plugin <= 1.1.23 - Shortcode SQL Injection

Linux x86/x86_64 reverse_tcp Shellcode
Linux/x86/x86_64 - reverse_tcp Shellcode
Linux x86/x86_64 tcp_bind Shellcode
Linux x86/x86_64 Read etc/passwd Shellcode
Linux/x86/x86_64 - tcp_bind Shellcode
Linux/x86/x86_64 - Read etc/passwd Shellcode

WordPress Booking Calendar Contact Form <=1.1.24 - Multiple Vulnerabilities
WordPress Booking Calendar Contact Form <= 1.1.24 - Multiple Vulnerabilities

x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version (1)
Linux/x86_64 - shell_reverse_tcp with Password - Polymorphic Version (1) (122 bytes)
x86_64 Linux shell_reverse_tcp with Password - Polymorphic Version (2)
Linux x86 Download & Execute Shellcode
Linux x86_64 - Polymorphic Execve-Stack (47 bytes)
Linux/x86_64 - shell_reverse_tcp with Password - Polymorphic Version (2) (135 bytes)
Linux/x86 - Download & Execute Shellcode
Linux/x86_64 - Polymorphic Execve-Stack (47 bytes)

Linux x86_64 - Reverse Shell Shellcode
Linux/x86_64 - Reverse Shell Shellcode

Linux/x86_x64 - execve(/bin/sh) (26 bytes)
Linux/x86_64 - execve(/bin/sh) (26 bytes)
Linux/x86_x64 - execve(/bin/sh) (25 bytes)
Linux/x86_x64 - execve(/bin/bash) (33 bytes)
Linux/x86_64 - execve(/bin/sh) (25 bytes)
Linux/x86_64 - execve(/bin/bash) (33 bytes)

Linux/x86_64 - bindshell (PORT: 5600) (81 bytes)
Linux/x86_64 - bindshell (Pori: 5600) (81 bytes)

Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode
Windows x86 - URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode
Linux x86 Reverse TCP Shellcode (ipv6)
Linux x86 Shellcode - Bind TCP Port 1472 (ipv6)
Linux/x86 - Reverse TCP Shellcode (IPv6)
Linux/x86 - Bind TCP Port 1472 (IPv6) (1250 bytes)

Linux x64 - Bind Shell Shellcode Generator
Linux/x64 - Bind Shell Shellcode (Generator)

Windows Null-Free Shellcode - Primitive Keylogger to File (431 (0x01AF) bytes)
Windows - Null-Free Shellcode Primitive Keylogger to File (431 (0x01AF) bytes)

.Net Framework Execute Native x86 Shellcode
.Net Framework - Execute Native x86 Shellcode

Linux x86_64 Shellcode - Bind TCP Port 1472 (ipv6)
Linux/x86_64 - Bind TCP Port 1472 (IPv6)

Linux x86_64 Shellcode - Reverse TCP (ipv6)
Linux/x86_64 - Reverse TCP (IPv6)

Windows - Null-Free Shellcode - Functional Keylogger to File (601 (0x0259) bytes)
Windows - Null-Free Shellcode Functional Keylogger to File (601 (0x0259) bytes)

Linux x86_64 Shellcode Null-Free Reverse TCP Shell
Linux/x86_64 - Null-Free Reverse TCP Shell

Linux x86_64 Information Stealer Shellcode
Linux/x86_64 - Information Stealer Shellcode

Linux x86 - TCP Bind Shell Port 4444 (656 bytes)
Linux/x86 - TCP Bind Shell Port 4444 (656 bytes)

Linux x86_64 XOR Encode execve Shellcode
Linux/x86_64 - XOR Encode execve Shellcode

Linux/Windows/BSD x86_64 execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode
Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
Windows x86 WinExec(_cmd.exe__0) Shellcode
Linux x86 - /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes)
Windows x86 - WinExec(_cmd.exe__0) Shellcode
Linux/x86 - /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes)

Windows x86 system(_systeminfo_) Shellcode
Windows x86 - system(_systeminfo_) Shellcode

Windows x86 ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode
Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode

Linux x86 /bin/sh Shellcode + ASLR Bruteforce
Linux/x86 - /bin/sh Shellcode + ASLR Bruteforce

Linux x86_64 /etc/passwd File Sender Shellcode
Linux/x86_64 - /etc/passwd File Sender Shellcode

Linux x86 - TCP Bind Shell Port 4444 (98 bytes)
Linux/x86 - TCP Bind Shell Port 4444 (98 bytes)

Linux x86 - TCP Reverse Shellcode (75 bytes)
Linux/x86 - TCP Reverse Shellcode (75 bytes)

Linux x86-64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password (172 bytes)
Linux/x86_64 - Continuously-Probing Reverse Shell via Socket + Port-range + Password (172 bytes)

Linux x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10
Linux/x86 - Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10
Clear Voyager Hotspot IMW-C910W - Arbitrary File Disclosure
2016-07-16 05:06:26 +00:00
platforms DB: 2016-07-16 2016-07-16 05:06:26 +00:00
files.csv DB: 2016-07-16 2016-07-16 05:06:26 +00:00
README.md searchsploit -u // Works better with Homebrew (add remote git repo) 2016-04-03 14:28:35 +01:00
searchsploit searchsploit -u // Works better with Homebrew (add remote git repo) 2016-04-03 14:28:35 +01:00

The Exploit-Database Git Repository

This is the official repository of The Exploit Database, a project sponsored by Offensive Security.

The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

This repository is updated daily with the most recently added submissions. Any additional resources can be found in our binary sploits repository.

Included with this repository is the searchsploit utility, which will allow you to search through the exploits using one or more terms.

root@kali:~# searchsploit -h
  Usage: searchsploit [options] term1 [term2] ... [termN]
Example:
  searchsploit afd windows local
  searchsploit -t oracle windows

=========
 Options
=========
   -c, --case      Perform a case-sensitive search (Default is inSEnsITiVe).
   -e, --exact     Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
   -h, --help      Show this help screen.
   -o, --overflow  Exploit title's are allowed to overflow their columns.
   -p, --path      Show the full path to an exploit (Copies path to clipboard if possible).
   -t, --title     Search just the exploit title (Default is title AND the file's path).
   -u, --update    Update exploit database from git.
   -w, --www       Show URLs to Exploit-DB.com rather than local path.
       --colour    Disable colour highlighting.
       --id        Display EDB-ID value rather than local path.

=======
 Notes
=======
 * Use any number of search terms.
 * Search terms are not case sensitive, and order is irrelevant.
   * Use '-c' if you wish to reduce results by case-sensitive searching.
   * And/Or '-e' if you wish to filter results by using an exact match.
 * Use '-t' to exclude the file's path to filter the search results.
   * Remove false positives (especially when searching numbers/major versions).
 * When updating from git or displaying help, search terms will be ignored.

root@kali:~# searchsploit afd windows local
--------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                   |  Path
                                                                                 | (/usr/share/exploitdb/platforms)
--------------------------------------------------------------------------------- ----------------------------------
Microsoft Windows 2003/XP - AFD.sys Privilege Escalation Exploit (K-plugin)      | ./windows/local/6757.txt
Microsoft Windows XP - AFD.sys Local Kernel DoS Exploit                          | ./windows/dos/17133.c
Microsoft Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (MS11-080)| ./windows/local/18176.py
Microsoft Windows - AfdJoinLeaf Privilege Escalation (MS11-080)                  | ./windows/local/21844.rb
Microsoft Windows - AFD.SYS Dangling Pointer Privilege Escalation (MS14-040)     | ./win32/local/39446.py
Microsoft Windows 7 x64 - AFD.SYS Privilege Escalation (MS14-040)                | ./win64/local/39525.py
--------------------------------------------------------------------------------- ----------------------------------
root@kali:~#