143 bytes small Windows/x86 stager generic MSHTA shellcode.
cd26783c34c055b8e7b1aa54b1801d75
113 bytes small Linux/x86 Socat bind shellcode.
bb6b9dc9e8fde4989a5257fab4161276
123 bytes small Linux/x64 reverse shell shellcode that connects to TCP/127.1.1.1:4444.
6fdcaaec184d84b16a741d95de7b3961
65 bytes small Linux/x86 bindshell shellcode that binds /bin/sh to TCP/0.0.0.0:13377.
b50ae92a79eb994d20eae879ab538a64
This Metasploit module exploits BITS behavior: BITS tries to connect to the local Windows Remote Management (WinRM) server every time it starts. The module launches a fake WinRM server listening on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the rogue WinRM server, which allows a SYSTEM token to be stolen. This token is then used to launch a new process as SYSTEM; in this exploit, notepad.exe is launched as SYSTEM, shellcode is written into its memory space, and execution is triggered. Because the exploit uses reflective DLL injection, it writes no file to disk. Vulnerable systems are Windows 10 and Windows Server installs where WinRM is not running. Lab experiments have shown that Windows 7 does not exhibit the vulnerable behavior.
c3736b57f1257197d426a69fdf409d38
114 bytes small Linux/x86 reverse TCP shellcode.
736ab2fee6b1fc77956e403631161630
This Metasploit module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8. By constructing a specially crafted WMA, WAV, M3U, ACC, or FLAC file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows shellcode to run.
93482b8f1d9c8f6f9b71706c24ed882a
A trivially reachable stack-based buffer overflow is present in libpam on Solaris. The vulnerable code exists in pam_framework.c parse_user_name(), which allocates a fixed-size 512-byte buffer on the stack and parses a username supplied to PAM modules (such as authtok_get, used by SunSSH). This issue can be reached remotely, pre-authentication, via SunSSH when "keyboard-interactive" is enabled to use PAM-based authentication. The vulnerability was discovered by FireEye being actively exploited in the wild and is part of an APT toolkit called "EVILSUN". The vulnerability is present in both SPARC and x86 versions of Solaris and in derivatives (e.g. illumos). This exploit uses ROP gadgets to disable nxstack through mprotect on x86, plus a helper shellcode stub. Tested against the latest Solaris 10 without the patch applied; the configuration is vulnerable in a default vanilla install. This exploit requires libssh2. The vulnerability has been identified and confirmed reachable on Solaris 10 through 11.0.
3fbcd0fdda16b92f50dc244f60276db1
This Metasploit module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free, however the embed element with the PDF plugin provides a callback that can trigger side-effects leading to type confusion (CVE-2020-9850). The type confusion can be used as addrof and fakeobj primitives that then lead to arbitrary read/write of memory. These primitives allow us to write shellcode into a JIT region (RWX memory) containing the next stage of the exploit. The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server, and extracts a macOS application containing our payload into /var/db/CVMS. The payload can then be opened with CVE-2020-9801, executing the payload as a user but without sandbox restrictions.
2dc9b201150ea12e09390643b437b269
84 bytes small Linux/x86 reverse TCP shellcode.
d27c925e63f6be65e2fe56789bbf7646
10 bytes small Linux/x86 execve "/bin/sh" shellcode.
17eba74611ee88dd5e7b38ff76974d98
35 bytes small Linux/x86 /dev/sda wiping shellcode.
19e25cdfd1453bac178a73395ba04bfa
This Metasploit module exploits a JIT optimization bug in Safari Webkit. This allows us to write shellcode to an RWX memory section in JavaScriptCore and execute it. The shellcode contains a kernel exploit (CVE-2016-4669) that obtains kernel rw, obtains root and disables code signing. Finally we download and execute the meterpreter payload. This module has been tested against iOS 7.1.2 on an iPhone 4.
193bef4f6ec1463a50a80fcde4b59fa1
35 bytes small Linux/x86 Egghunter(0x50905090) + sigaction + execve(/bin/sh) shellcode.
f1b110ff59b4adb7c79737eb1fc046c4
100 bytes small Windows/x86 download using mshta.exe shellcode.
35ca25f1d948941abefae3daa165c025
EternalBlueC is the EternalBlue suite remade in C which includes an MS17-010 exploit, EternalBlue/MS17-010 vulnerability detector, DoublePulsar detector, and DoublePulsar UploadDLL and shellcode.
f0bed2dc06084b8a89c0c2fe9adefb55
NetPCLinker version 1.0.0.0 SEH with egghunter shellcode buffer overflow exploit.
e76e96a4dcb2e6ca5a001536d6231df6
100 bytes small null-free Linux/ARM shellcode that binds /bin/sh to 0.0.0.0:1337/TCP.
111a5d97d0327b4f3d4106f084eac97e
32 bytes small Linux/ARM execve /bin/dash shellcode.
abc2225ec6ad691079909d8f03eab5a9
102 bytes small Linux/x86 add map in /etc/hosts file polymorphic shellcode.
979a6e0e42c8f46c1647b1c2de0c533a
124 bytes small ASLR deactivation polymorphic shellcode.
68fed31edbc95b6538cd08d866de9910
75 bytes small Linux/x86 tiny read polymorphic shellcode.
d6f58fd7c7c280218ab60f1656e524b7
198 bytes small macOS/x64 RickRolling shellcode.
629ad7b064b5d84ed3f906842421a4f2
113 bytes small Linux/x64 anti-debug trick (INT3 trap) with execve("/bin/sh") shellcode that is NULL free.
ba4326c992e6781e3f2d205bf50de438
39 bytes small Linux/x86 egghunter null-free shellcode. The egghunter dynamically searches memory for two consecutive instances of the egg. When the doubled egg is found, the egghunter passes execution control to the payload that immediately follows it.
3cc1d7e8ad5391ad63e8cd52726be7e0
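The search logic behind the two egghunter entries above (the 0x50905090-tagged one and the 39-byte null-free one) is shown here as an added C example; it is not code from this listing or from either shellcode author. It scans a constructed buffer for two back-to-back copies of the egg tag and returns a pointer to the payload that follows, rejecting a single decoy copy of the tag (the reason real hunters double the egg: one copy always sits inside the hunter itself). The egg value 0x50905090, the buffer layout, and the 0xCC marker standing in for the payload are assumptions made for the demo. A real egghunter also probes each page with a syscall such as access(2) to avoid faulting on unmapped memory; a user-space program scanning its own buffer does not need that.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Egg tag borrowed from the classic x86 egghunter: stored little-endian as
 * "\x90\x50\x90\x50". Assumed here; any 4-byte value the hunter can
 * construct without NUL bytes works the same way. */
#define EGG 0x50905090u

/* Scan [buf, buf+len) for two consecutive copies of egg and return a pointer
 * to the byte after the second copy (the payload entry point), or NULL if no
 * doubled egg is present. Unaligned reads go through memcpy for portability. */
const unsigned char *find_egg(const unsigned char *buf, size_t len, uint32_t egg)
{
    for (size_t i = 0; i + 8 <= len; i++) {
        uint32_t a, b;
        memcpy(&a, buf + i, 4);
        memcpy(&b, buf + i + 4, 4);
        if (a == egg && b == egg)
            return buf + i + 8;
    }
    return NULL;
}

/* Constructed demo memory: 0x41 filler, a single decoy egg at offset 64 (as
 * the hunter's own code would contain), then the doubled egg at offset 128
 * followed by a 4-byte 0xCC marker standing in for the payload.
 * Returns the offset at which the payload was located, or -1. */
long demo_egg_offset(void)
{
    unsigned char mem[256];
    uint32_t egg = EGG;
    const unsigned char payload_marker[4] = {0xcc, 0xcc, 0xcc, 0xcc};

    memset(mem, 0x41, sizeof mem);
    memcpy(mem + 64, &egg, 4);            /* decoy: one copy only */
    memcpy(mem + 128, &egg, 4);           /* real egg, first copy */
    memcpy(mem + 132, &egg, 4);           /* real egg, second copy */
    memcpy(mem + 136, payload_marker, 4); /* "payload" begins here */

    const unsigned char *hit = find_egg(mem, sizeof mem, egg);
    if (!hit || memcmp(hit, payload_marker, 4) != 0)
        return -1;
    return (long)(hit - mem);
}

/* Returns 1 if a buffer containing only a single egg copy is correctly
 * rejected (no false positive on the decoy), 0 otherwise. */
int demo_single_egg_rejected(void)
{
    unsigned char mem[64];
    uint32_t egg = EGG;

    memset(mem, 0x41, sizeof mem);
    memcpy(mem + 16, &egg, 4);
    return find_egg(mem, sizeof mem, egg) == NULL;
}

int main(void)
{
    long off = demo_egg_offset();
    printf("payload located at offset %ld, single egg rejected: %d\n",
           off, demo_single_egg_rejected());
    return off == 136 ? 0 : 1;
}
```

The doubled-egg check is what keeps the hunter from jumping into its own code, which necessarily contains one copy of the tag; a payload must therefore be prefixed with the tag twice before being sprayed into memory.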