what you don't know can hurt you
Showing 1 - 25 of 1,202 RSS Feed

Shellcode Files

Cisco RV340 SSL VPN Unauthenticated Remote Code Execution
Posted May 11, 2022
Authored by Pedro Ribeiro, Radek Domanski | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in the Cisco RV series router's SSL VPN functionality. The default SSL VPN configuration is exploitable, with no authentication required and works over the Internet! The stack is executable and no ASLR is in place, which makes exploitation easier. Successful execution of this module results in a reverse root shell. A custom payload is used as Metasploit does not have ARMLE null free shellcode. This vulnerability was presented by the Flashback Team in Pwn2Own Austin 2021 and OffensiveCon 2022. For more information check the referenced advisory. This module has been tested in firmware versions 1.0.03.15 and above and works with around 65% reliability. The service restarts automatically so you can keep trying until you pwn it. Only the RV340 router was tested, but other RV series routers should work out of the box.

tags | exploit, overflow, shell, root, shellcode
systems | cisco
advisories | CVE-2022-20699
SHA-256 | 619682621429d96cd23a1e1bcd69a008398c5244223265886c52e2e417242d02
XDNR Shellcode Cryptor / Encoder
Posted Apr 19, 2022
Authored by Xenofon Vassilakopoulos

X0R Cryptor with DEC/N0T/R0R encoder plus random byte insertion.

tags | tool, shellcode
SHA-256 | 79b9b9a6dd757b66b2e94d3630b76899ed2e53218846c0933182d8877820babb
Firefox MCallGetProperty Write Side Effects Use-After-Free
Posted Mar 1, 2022
Authored by timwr, maxpl0it, 360 ESG Vulnerability Research Institute | Site metasploit.com

This Metasploit modules exploits CVE-2020-26950, a use-after-free exploit in Firefox. The MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This exploit uses a somewhat novel technique of spraying ArgumentsData structures in order to construct primitives. The shellcode is forced into executable memory via the JIT compiler, and executed by writing to the JIT region pointer. This exploit does not contain a sandbox escape, so firefox must be run with the MOZ_DISABLE_CONTENT_SANDBOX environment variable set, in order for the shellcode to run successfully. This vulnerability affects Firefox versions prior to 82.0.3, Firefox ESR versions prior to 78.4.1, and Thunderbird versions prior to 78.4.2, however only Firefox versions up to 79 are supported as a target. Additional work may be needed to support other versions such as Firefox 82.0.1.

tags | exploit, shellcode
advisories | CVE-2020-26950
SHA-256 | c5497acbfe1516edccf2f8747d261489391c42dfa92ad82028efc92b075df944
Solaris/SPARC chmod() Shellcode
Posted Feb 18, 2022
Authored by Marco Ivaldi

64 bytes small Solaris/SPARC setuid(0) + chmod (/bin/ksh) + exit(0) shellcode.

tags | shellcode
systems | solaris
SHA-256 | ac0a8ce6fdd207649a67626e1818a1afd680783d1a46fb94677718a1d1994210
Solaris/SPARC execve() Shellcode
Posted Feb 18, 2022
Authored by Marco Ivaldi

60 bytes small Solaris/SPARC setuid(0) + execve (/bin/ksh) shellcode.

tags | shellcode
systems | solaris
SHA-256 | d785c150823ddd32cb42d29580182ea9055608bea403fff7662eca6bf006f946
Linux/MIPS N32 MSB Reverse Shell Shellcode
Posted Feb 18, 2022
Authored by Marco Ivaldi

Linux/MIPS N32 MSB reverse shell shellcode that showcases various techniques to avoid badchars.

tags | shell, shellcode
systems | linux
SHA-256 | b1b0100dc2ab1910886ea650ac52df457851a4b14a3d07a98e33678c077b6d6e
Solaris/SPARC chmod() Shellcode
Posted Feb 18, 2022
Authored by Marco Ivaldi

Solaris/SPARC chmod() shellcode with a max size of 36 bytes.

tags | shellcode
systems | solaris
SHA-256 | 844bef47108ea6b399c1949416ca0526422e2fc8ce504d583c3f36aaa4144470
Windows/x86 Locate kernel32 Base Address / Stack Crack Method Null Free Shellcode
Posted Feb 8, 2022
Authored by Tarek Ahmed

171 bytes small Windows/x86 shellcode with a new method to find the kernel32 base address by walking down the stack and look for a possible Kernel32 address using a custom SEH handler. Each address found on the stack will be tested using the Exception handling function. If it's valid and starts with 7, then it's a possible kernel32 address.

tags | x86, shellcode
systems | windows
SHA-256 | e7941faf4a7799cf5e35fcf962b075b17a9570e4f37e959633b2962f8d3bf53d
Windows/x86 Local kernel32 Base Address / Memory Sieve Shellcode
Posted Feb 4, 2022
Authored by Tarek Ahmed

133 bytes small Windows/x86 kernel32 base address / memory sieve method shellcode.

tags | x86, shellcode
systems | windows
SHA-256 | 02598a837cdf14b2aa15f8aa989595e031da15dac8d7e4835e2d041eda455355
Windows/x86 Download File / Execute Shellcode
Posted Feb 4, 2022
Authored by Techryptic

458 bytes small Windows/x86 download file and execute dynamic PEB and EDT method shellcode.

tags | x86, shellcode
systems | windows
SHA-256 | 373527dc3abce798f323c157f33b7e37a9ae39642431558cc7be8a6423eec576
Windows/x86 Bind TCP Shellcode
Posted Oct 7, 2021
Authored by h4pp1n3ss

Windows/x86 bind TCP shellcode / dynamic PEB and EDT method null-free shellcode. This a bind tcp shellcode that open a listen socket on 0.0.0.0 and port 1337. In order to accomplish this task the shellcode uses the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols. Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.

tags | x86, tcp, shellcode
systems | windows
SHA-256 | 7dd9706d9d60f259d8e6ef790111d2ef99c07abddaae6debfdc64b5c0856ce2f
Windows/x86 nWinExec PopCalc PEB And Export Directory Table NullFree Dynamic Shellcode
Posted Oct 1, 2021
Authored by h4pp1n3ss

178 bytes small Windows/x86 shellcode that pops calc.exe. The shellcode uses the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols. It also uses a hash function to dynamically gather the required symbols without worry about the length. Finally, the shellcode pops the calc.exe using WinExec and exits gracefully using TerminateProcess.

tags | x86, shellcode
systems | windows
SHA-256 | 9b19277190c962885d3585247da068c374f5db74bbb693ce9cb6fe906a1118a8
Windows/x86 Reverse TCP Shellcode
Posted Sep 13, 2021
Authored by Xenofon Vassilakopoulos

330 bytes small Windows/x86 reverse TCP shellcode that connects to 192.168.201.11:4444.

tags | x86, tcp, shellcode
systems | windows
SHA-256 | 12149f06ca22bb6ea072202a3c3d714fb9e0922026292c67e2fc3c768fa2b30f
Linux/x86 Egghunter Reverse TCP Shell Shellcode
Posted Jul 19, 2021
Authored by D7X

Linux/x86 egghunter reverse TCP shell shellcode generator with dynamic IP and port.

tags | shell, x86, tcp, shellcode
systems | linux
SHA-256 | f381e9e627457c622f41f2e0f02fd7275a109fbf7c64277852a12fa68a12f383
Linux/x86 Reverse TCP Shell Shellcode
Posted Jul 12, 2021
Authored by D7X

86 bytes small Linux/x86 reverse TCP shell with dynamic IP and port binding shellcode.

tags | shell, x86, tcp, shellcode
systems | linux
SHA-256 | 098ad2f853874de86f3c54be8fe5f0603e48dcd1deaae5ff49d0f3c6ecd04c34
Linux/x86 Bindshell With Dynamic Port Binding Shellcode
Posted Jul 8, 2021
Authored by D7X | Site promiselabs.net

102 bytes small Linux/x86 bindshell shellcode with dynamic port binding.

tags | x86, shellcode
systems | linux
SHA-256 | 5c78bdabecd99971442c81d97f0c4cac565a54711d65cfb78e5c749c02cc5a5a
Linux/x86 Custom Shellcode ASCII And-Sub Encoder
Posted Jun 16, 2021
Authored by Xenofon Vassilakopoulos

Linux/x86 custom shellcode ASCII And-Sub encoder.

tags | x86, shellcode
systems | linux
SHA-256 | e94e7d4fd85ab353e369c5db6283be701e1beb64be40051eb7290608b3d9b335
Linux/x86 execve /bin/sh Shellcode
Posted Jun 10, 2021
Authored by D7X | Site promiselabs.net

70 bytes small Linux/x86 shellcode with XOR decoder stub and fstenv MMX FPU spawning a /bin/sh shell.

tags | shell, x86, shellcode
systems | linux
SHA-256 | 11b3b90f9432231138d2380813aec5392fb07dbce222b7123fb12312d6eaa007
Linux/x86 setreuid(0) / execve("/bin/sh") Shellcode
Posted May 10, 2021
Authored by Artur Szymczak

29 bytes small Linux/x86 shellcode that performs setreuid to 0 and then executes /bin/sh.

tags | x86, shellcode
systems | linux
SHA-256 | e6a46129d157e756ab079a8bd8c0b4fb71e4329d98e97809fa092cf1d9ec5876
Windows/x64 Inject All Processes With Meterpreter Reverse Shell Shellcode
Posted May 2, 2021
Authored by Bobby Cooke

655 bytes small 64-bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.

tags | shell, shellcode
systems | windows
SHA-256 | 9b8f41be48c0a71cc5b34fd0d409faea955538963763a4a5c5ca27e1ec4d2afb
Windows/x64 Dynamic Null-Free WinExec PopCalc Shellcode
Posted May 2, 2021
Authored by Bobby Cooke

205 bytes small 64-bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB and ExportTable method. It contains no null bytes (0x00), and therefore will not crash if injected into typical stack buffer overflow vulnerabilities.

tags | overflow, vulnerability, shellcode
systems | windows
SHA-256 | 6143eebe8156ea982d4ef3362eab1915ca829a3ac99ed38af8a6c4ca2e852a0d
Windows/x64 Dynamic NoNull Add RDP Admin Shellcode
Posted May 2, 2021
Authored by Bobby Cooke

387 bytes small 64-bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups. Shellcode must be executed from a process with either a HIGH or SYSTEM integrity level.

tags | shellcode
systems | windows
SHA-256 | 0e9ecdb6d32c850a8cd46f1c273c31f8a22128d898a75e6f5be2706159ec67b0
Linux/x86 execve(/bin/sh) Shellcode
Posted Apr 16, 2021
Authored by s1ege

17 bytes small Linux/x86 execve(/bin/sh) shellcode.

tags | x86, shellcode
systems | linux
SHA-256 | 0d57e5917177f7b2c8c614412ee8c4d46b75b72f8a5547e97bce99f62fabc111
Linux/x64 execve(/bin/sh) Shellcode
Posted Apr 16, 2021
Authored by s1ege

21 bytes small Linux/x64 execve(/bin/sh) shellcode.

tags | shellcode
systems | linux
SHA-256 | 7640bb0b2bdd99b08b0876002140a299d855d4c3abe7f76eb8c7c4c0c63ed8bd
Google Chrome SimplfiedLowering Integer Overflow
Posted Apr 9, 2021
Authored by Rajvardhan Agarwal | Site metasploit.com

This Metasploit module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit). The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan. It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is abused to gain arbitrary read/write into the isolate region. Then an ArrayBuffer can be used to achieve absolute arbitrary read/write. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, the browser must be run with the --no-sandbox option for the payload to work correctly.

tags | exploit, overflow, arbitrary, shellcode
advisories | CVE-2020-16040
SHA-256 | a2c2e0bb6afa9428a1723f49c6bd0ba43ef8b68bb81b7b27053a5cae99795839
Page 1 of 49
Back12345Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close