329 matches found

GithubExploit
added 2025/12/18 5:26 a.m., 122 views

Stack-Buffer-Overflow-x86

Stack-Based Buffer Overflow: From Bug to Code Execution I...

8.2 AI score
Exploits 0

0day.today
added 2023/07/31 12:0 a.m., 277 views

Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)

import ctypes, struct from keystone import Shellcode Author: Senzee Shellcode Title: Windows/x64 - PIC Null-Free Calc.exe Shellcode 169 Bytes Date: 07/26/2023 Platform: Windows x64 Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter OS Version respectively:...

7.1 AI score
Exploits 0

0day.today
added 2023/04/25 12:0 a.m., 318 views

Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode

; Name: Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode ; Author: Nayani ; Tested on: Microsoft Windows Version 10.0.22621 Build 22621 ; Description: ; This an implementation of DeleteFileA Windows api to delete a file in the C:/Windows/Temp/ directory. ; To test this...

6.8 AI score
Exploits 0

0day.today
added 2023/04/03 12:0 a.m., 299 views

Windows/x86 - Create Administrator User / Dynamic PEB & EDT method null-free Shellcode 373 bytes

; Title: Name: Windows/x86 - Create Administrator User / Dynamic PEB & EDT method null-free Shellcode 373 bytes ; Author: Xavi Beltran ; Contact: email protected ; Website: https://xavibel.com/2023/01/18/shellcode-windows-x86-create-administrator-user-dynamic-peb-edt/ ; Date: 18/01/2022 ; Tested...

7.1 AI score
Exploits 0

0day.today
added 2022/02/08 12:0 a.m., 246 views

Windows/x86 - Locate kernel32 base address / Stack Crack method NullFree Shellcode (171 bytes)

171 bytes small Windows/x86 shellcode with a new method to find the kernel32 base address by walking down the stack and look for a possible Kernel32 address using a custom SEH handler. Each address found on the stack will be tested using the Exception handling function. If it's valid and starts...

0.1 AI score
Exploits 0

0day.today
added 2022/02/06 12:0 a.m., 463 views

Windows/x86 - Locate kernel32 base address / Memory Sieve method Shellcode (133 bytes)

; Shellcode Title: Windows/x86 - Locate kernel32 base address / Memory Sieve method Shellcode 133 bytes ; Description: ; This shellcode is a new method to find kernel32 base address by parsing .text section of memory to find a pointer to kernel32 API. ; Shellcode Author: Tarek Ahmed ; Tested on:...

7.4 AI score
Exploits 0

0day.today
added 2022/02/05 12:0 a.m., 351 views

Windows/x86 Download File / Execute Shellcode (458 bytes)

; Exploit Title: Windows/x86 - Download File and Execute / Dynamic PEB & EDT method Shellcode 458 bytes ; Exploit Author: Techryptic @Tech ; Date: 2022-01-31 ; Tested on: WIN7X86 ; Shoutout to 848 Advanced Software Exploitation and DSU. ; Description: ; The shellcode works in three parts. The fir...

7.4 AI score
Exploits 0

0day.today
added 2021/09/13 12:0 a.m., 397 views

Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)

Title: Windows/x64 - Reverse TCP 192.168.201.11:4444 Shellcode 330 Bytes Author: Xenofon Vassilakopoulos Tested on: Windows/x64 - 10.0.19043 N/A Build 19043 / MIT License Copyright c 2021 Xenofon Vassilakopoulos Permission is hereby granted, free of charge, to any person obtaining a copy of this...

Exploits 0

Kitploit
added 2021/08/07 9:30 p.m., 330 views

Go-Shellcode - A Repository Of Windows Shellcode Runners And Supporting Utilities

go-shellcode is a repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques. The available Shellcode runners include: CreateFiber CreateProcess CreateProcessWithPipe CreateRemoteThread CreateRemoteThreadNati...

8.9 AI score
Exploits 0, References 22

0day.today
added 2021/05/13 12:0 a.m., 82 views

Microsoft Internet Explorer 8/11 and WPAD service (Jscript.dll) - Use-After-Free Exploit

Exploit Title: Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free Exploit Author: deadlock Forrest Orr Vendor Homepage: https://www.microsoft.com/ Software Link: https://www.microsoft.com/en-gb/download/internet-explorer.aspx Versions: IE 8-11 64-bit as well as the...

7.5 CVSS, 7.9 AI score, 0.93779 EPSS
Exploits 17

Kitploit
added 2021/05/12 9:30 p.m., 69 views

ByeIntegrity-UAC - Bypass UAC By Hijacking A DLL Located In The Native Image Cache

Bypass User Account Control UAC to gain elevated Administrator privileges to run any program at a high integrity level. Requirements Administrator account UAC notification level set to default or lower How it works ByeIntegrity hijacks a DLL located in the Native Image Cache NIC. The NIC is used ...

7.5 AI score
Exploits 0, References 1

0day.today
added 2021/05/03 12:0 a.m., 146 views

Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)

Shellcode Title: Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode 205 Bytes Shellcode Author: Bobby Cooke boku Tested on: Windows 10 v2004 x64 Shellcode Description: 64bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB & ExportTable method. Contai...

7.4 AI score
Exploits 0

0day.today
added 2021/05/03 12:0 a.m., 31 views

Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)

Shellcode Title: Windows/x64 - Dynamic NoNull Add RDP Admin BOKU:SP3C1ALM0V3 Shellcode 387 Bytes Shellcode Author: Bobby Cooke boku Tested on: Windows 10 v2004 x64 Compiled from: Kali Linux x8664 Full Disclosure: github.com/boku7/x64win-AddRdpAdminShellcode Shellcode Description: 64bit Windows 10...

Exploits 0

0day.today
added 2021/05/03 12:0 a.m., 42 views

Windows/x64 Inject All Processes With Meterpreter Reverse Shell Shellcode (655 bytes)

Shellcode Title: Windows/x64 - Inject All Processes with Meterpreter Reverse Shell 655 Bytes Shellcode Author: Bobby Cooke boku Tested on: Windows 10 v2004 x64 Compiled from: Kali Linux x8664 Shellcode Description: 64bit Windows 10 shellcode that injects all processes with Meterpreter reverse...

0.1 AI score
Exploits 0

Kitploit
added 2021/03/28 11:30 a.m., 78 views

CallObfuscator - Obfuscate Specific Windows Apis With Different APIs

Obfuscate hide the PE imports from static/dynamic analysis tools. Theory This's pretty forward, let's say I've used VirtualProtect and I want to obfuscate it with Sleep, the tool will manipulate the IAT so that the thunk that points to VirtualProtect will point instead to Sleep, now at executing...

7.5 AI score
Exploits 0, References 4

0day.today
added 2021/02/24 12:0 a.m., 48 views

Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)

Exploit Title: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode 240 bytes Exploit Author: Armando Huesca Prida Tested on: Windows 7 Professional 6.1.7601 SP1 Build 7601 x86 Windows Vista Ultimate 6.0.6002 SP2 Build 6002 x86 Windows Server 2003 Enterprise Editio...

0.2 AI score
Exploits 0

0day.today
added 2021/01/22 12:0 a.m., 113 views

Windows/x86 - Stager Generic MSHTA Shellcode (143 bytes)

Exploit Title: Windows/x86 - Stager Generic MSHTA Shellcode 143 bytes Exploit Author: Armando Huesca Prida Date: 11-01-2021 Tested on: Windows 7 Professional 6.1.7601 SP1 Build 7601 x86 Windows Vista Ultimate 6.0.6002 SP2 Build 6002 x86 Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 37...

0.2 AI score
Exploits 0

Kitploit
added 2020/09/02 12:30 p.m., 51 views

LOLBITS v2.0.0 - C2 Framework That Uses Background Intelligent Transfer Service (BITS) As Communication Protocol And Direct Syscalls + Dinvoke For EDR User-Mode Hooking Evasion

LOLBITS is a C2 framework that uses Microsoft's Background Intelligent Transfer Service BITS to establish the communication channel between the compromised host and the backend. The C2 backend is hidden behind an apparently harmless flask web application and it's only accessible when the HTTP...

7.8 AI score
Exploits 0, References 7

Packet Storm
added 2020/07/31 12:0 a.m., 306 views

CA Unified Infrastructure Management Nimsoft 7.80 Buffer Overflow

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow', 'Description' = %q This module exploits a buffer overflow within the...

10 CVSS, 0.9 AI score, 0.84114 EPSS
Exploits 9

Pen Test Partners Blog
added 2020/07/21 3:27 p.m., 149 views

Raining SYSTEM Shells with Citrix Workspace app

TL;DR Citrix Workspace is vulnerable to a remote command execution attack running under the context of the SYSTEM account. By sending a crafted message over a named pipe and spoofing the client process ID, the Citrix Workspace Updater Service can be tricked into executing an arbitrary process und...

7.2 CVSS, 8.1 AI score, 0.05596 EPSS
Exploits 2