A mirror of the Gitlab repo: https://gitlab.com/exploit-database/exploitdb
1db36d5e8b
76 changes to exploits/shellcodes
Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)
Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)
Microsoft Edge Chakra JIT - Incorrect Bounds Calculation
Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion
Microsoft Edge Chakra - Incorrect Scope Handling
Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes (2)
Microsoft Edge Chakra JIT - Out-of-Bounds Write
Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read
Microsoft Edge Chakra JIT - Stack-to-Heap Copy
Transmission - RPC DNS Rebinding
Master IP CAM 01 - Multiple Vulnerabilities
Zomato Clone Script - Arbitrary File Upload
Reservo Image Hosting Script 1.5 - Cross-Site Scripting
D-Link DSL-2640R - Unauthenticated DNS Change
Belkin N600DB Wireless Router - Multiple Vulnerabilities
SugarCRM 3.5.1 - Cross-Site Scripting
Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes)
Linux/x86 - HTTP Server (8800/TCP) + fork() Shellcode (166 bytes)
Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Append RSA Key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)
Linux/x86 - Set System Time to 0 + exit() Shellcode (12 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit Shellcode (36 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (36 bytes)
Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - Add Root User (xtz) To /etc/passwd + No Password Shellcode (59 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes)
Linux/x86 - write(0__Hello core!\n__12) + Exit Shellcode (36/43 bytes)
Linux/x86 - write(0__Hello core!\n__12) + exit() Shellcode (36/43 bytes)
Linux/x86 - execve(/bin/sh) Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) + Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes)
Linux/x86 - execve(/bin/sh) Alphanumeric Shellcode (392 bytes)
Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)
Linux/x86 - Add Root User (t00r) + Anti-IDS Shellcode (116 bytes)
Linux/x86 - Add Root User (t00r) To /etc/passwd + Anti-IDS Shellcode (116 bytes)
Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)
Linux/x86 - Add Root User (t00r) To /etc/passwd Shellcode (82 bytes)
Linux/x86 - Add Root User (z) Shellcode (70 bytes)
Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)
Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)
Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes)
Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)
Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb Alphanumeric Shellcode (117 bytes)
Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes)
Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)
Linux/x86 - unlink /etc/shadow Shellcode (33 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) Shellcode (390 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes)
Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)
Linux/x86 - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)
Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes)
Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes)
FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes)
Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes)
Linux/MIPS - Add Root User (rOOt/pwn3d) To /etc/passwd Shellcode (164 bytes)
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + Polymorphic Shellcode
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode
Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)
Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) Position Independent Alphanumeric Shellcode (87 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1)
Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator)
Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + Fork + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes)
Linux/x86 - execve(/bin/sh /tmp/p00p) Shellcode (70 bytes)
Linux/x86 - execve(/bin/ash) + exit() Shellcode (34 bytes)
Linux/x86 - Add Root User To /etc/passwd + No Password + exit() Shellcode (83 bytes)
Linux/x86 - setuid() + execve() + exit() Shellcode (44 bytes)
Linux/x86 - chmod(/bin/sh_04775) + set sh +s Shellcode (31 bytes)
Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes)
Linux/x86 - Reverse TCP (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86 - Bind TCP (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes)
Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (29 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_ 0_ 0) Shellcode (27 bytes)
Linux/x86 - setuid(0) + chmod(/etc/shadow_ 0666) Shellcode (37 bytes)
Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (89 bytes)
Linux/x86 - Remote File Download Shellcode (42 bytes)
Linux/x86 - CDRom Ejecting Shellcode (46 bytes)
Linux/x86 - sethostname(PwNeD !!_ 8) Shellcode (32 bytes)
Linux/x86 - exit(0) Shellcode (8 bytes)
Linux/x86 - sync Shellcode (6 bytes)
Linux/x86 - execve(/bin/sh_ -c_ ping localhost) Shellcode (55 bytes)
Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes)
Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)
Linux/x86 - Force unmount /media/disk Shellcode (33 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) + ASCII Shellcode (443 bytes)
Linux/x86 - CDRom Ejecting + Polymorphic Shellcode (74 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell + Polymorphic Shellcode (125 bytes)
Linux/x86 - /sbin/iptables -POUTPUT DROP Shellcode (60 bytes)
Linux/x86 - /usr/bin/killall snort Shellcode (46 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5)
Linux/x86 - execve(/bin/dash) Shellcode (49 bytes)
Linux/x86 - execve(/bin/cat_ /etc/shadow_ NULL) Shellcode (42 bytes)
Linux/x86 - /etc/init.d/apparmor teardown Shellcode (53 bytes)
Linux/x86 - setreuid() + /sbin/iptables -F + exit(0) Shellcode (76 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (28 bytes)
Linux/x86 - mkdir(hacked) + exit() Shellcode (36 bytes)
Linux/x86 - Stager Reads Second Stage From STDIN Shellcode (14 bytes)
Linux/x86 - iptables --flush Shellcode (43 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (2)
Linux/x86 - Force Reboot Shellcode (36 bytes)
Linux/x86 - execve(chmod 0777 /etc/shadow) Shellcode (57 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86 - Egghunter Shellcode (38 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4)
Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)
|
||
|---|---|---|
| exploits | ||
| shellcodes | ||
| files_exploits.csv | ||
| files_shellcodes.csv | ||
| LICENSE.md | ||
| README.md | ||
| searchsploit | ||
The Exploit Database Git Repository
This is an official repository of The Exploit Database, a project sponsored by Offensive Security. Our repositories are:
- Exploits & Shellcodes: https://github.com/offensive-security/exploit-database
- Binary Exploits: https://github.com/offensive-security/exploit-database-bin-sploits
- Papers: https://github.com/offensive-security/exploit-database-papers
The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits, shellcode and papers gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and Proof-of-Concepts rather than advisories, making it a valuable resource for those who need actionable data right away. You can learn more about the project here (about) and here (history).
This repository is updated daily with the most recently added submissions. Any additional resources can be found in our binary sploits repository.
Exploits are located in the /exploit/ directory, shellcodes can be found in the /shellcode/ directory.
Included with this repository is the SearchSploit utility, which will allow you to search through exploits and shellcodes using one or more terms. For more information, please see the SearchSploit manual.
root@kali:~# searchsploit -h
Usage: searchsploit [options] term1 [term2] ... [termN]
==========
Examples
==========
searchsploit afd windows local
searchsploit -t oracle windows
searchsploit -p 39446
searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
For more examples, see the manual: https://www.exploit-db.com/searchsploit/
=========
Options
=========
-c, --case [Term] Perform a case-sensitive search (Default is inSEnsITiVe).
-e, --exact [Term] Perform an EXACT match on exploit title (Default is AND) [Implies "-t"].
-h, --help Show this help screen.
-j, --json [Term] Show result in JSON format.
-m, --mirror [EDB-ID] Mirror (aka copies) an exploit to the current working directory.
-o, --overflow [Term] Exploit titles are allowed to overflow their columns.
-p, --path [EDB-ID] Show the full path to an exploit (and also copies the path to the clipboard if possible).
-t, --title [Term] Search JUST the exploit title (Default is title AND the file's path).
-u, --update Check for and install any exploitdb package updates (deb or git).
-w, --www [Term] Show URLs to Exploit-DB.com rather than the local path.
-x, --examine [EDB-ID] Examine (aka opens) the exploit using $PAGER.
--colour Disable colour highlighting in search results.
--id Display the EDB-ID value rather than local path.
--nmap [file.xml] Checks all results in Nmap's XML output with service version (e.g.: nmap -sV -oX file.xml).
Use "-v" (verbose) to try even more combinations
--exclude="term" Remove values from results. By using "|" to separated you can chain multiple values.
e.g. --exclude="term1|term2|term3".
=======
Notes
=======
* You can use any number of search terms.
* Search terms are not case-sensitive (by default), and ordering is irrelevant.
* Use '-c' if you wish to reduce results by case-sensitive searching.
* And/Or '-e' if you wish to filter results by using an exact match.
* Use '-t' to exclude the file's path to filter the search results.
* Remove false positives (especially when searching using numbers - i.e. versions).
* When updating or displaying help, search terms will be ignored.
root@kali:~#
root@kali:~# searchsploit afd windows local
---------------------------------------------------------------------------------------- -----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------- -----------------------------------
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046) | exploits/win_x86/local/40564.c
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-080) (Metasploit) | exploits/windows/local/21844.rb
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046) | exploits/windows/dos/18755.c
Microsoft Windows 7 (x64) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | exploits/win_x86-64/local/39525.py
Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040) | exploits/win_x86/local/39446.py
Microsoft Windows XP - 'afd.sys' Local Kernel Denial of Service | exploits/windows/dos/17133.c
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (K-plugin) (MS08-066) | exploits/windows/local/6757.txt
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080) | exploits/windows/local/18176.py
---------------------------------------------------------------------------------------- -----------------------------------
root@kali:~#
root@kali:~# searchsploit -p 39446
Exploit: Microsoft Windows 7 (x86) - 'afd.sys' Dangling Pointer Privilege Escalation (MS14-040)
URL: https://www.exploit-db.com/exploits/39446/
Path: /usr/share/exploitdb/exploits/win_x86/local/39446.py
Copied EDB-ID 39446's path to the clipboard.
root@kali:~#
SearchSploit requires either "CoreUtils" or "utilities" (e.g. bash, sed, grep, awk, etc.) for the core features to work. The self updating function will require git, and the Nmap XML option to work, will require xmllint (found in the libxml2-utils package in Debian-based systems).