Windows/x86 bind TCP shellcode / dynamic PEB and EDT method null-free shellcode. This a bind tcp shellcode that open a listen socket on 0.0.0.0 and port 1337. In order to accomplish this task the shellcode uses the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols. Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.
7dd9706d9d60f259d8e6ef790111d2ef99c07abddaae6debfdc64b5c0856ce2f178 bytes small Windows/x86 shellcode that pops calc.exe. The shellcode uses the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols. It also uses a hash function to dynamically gather the required symbols without worry about the length. Finally, the shellcode pops the calc.exe using WinExec and exits gracefully using TerminateProcess.
9b19277190c962885d3585247da068c374f5db74bbb693ce9cb6fe906a1118a8330 bytes small Windows/x86 reverse TCP shellcode that connects to 192.168.201.11:4444.
12149f06ca22bb6ea072202a3c3d714fb9e0922026292c67e2fc3c768fa2b30fLinux/x86 egghunter reverse TCP shell shellcode generator with dynamic IP and port.
f381e9e627457c622f41f2e0f02fd7275a109fbf7c64277852a12fa68a12f38386 bytes small Linux/x86 reverse TCP shell with dynamic IP and port binding shellcode.
098ad2f853874de86f3c54be8fe5f0603e48dcd1deaae5ff49d0f3c6ecd04c34102 bytes small Linux/x86 bindshell shellcode with dynamic port binding.
5c78bdabecd99971442c81d97f0c4cac565a54711d65cfb78e5c749c02cc5a5aLinux/x86 custom shellcode ASCII And-Sub encoder.
e94e7d4fd85ab353e369c5db6283be701e1beb64be40051eb7290608b3d9b33570 bytes small Linux/x86 shellcode with XOR decoder stub and fstenv MMX FPU spawning a /bin/sh shell.
11b3b90f9432231138d2380813aec5392fb07dbce222b7123fb12312d6eaa00729 bytes small Linux/x86 shellcode that performs setreuid to 0 and then executes /bin/sh.
e6a46129d157e756ab079a8bd8c0b4fb71e4329d98e97809fa092cf1d9ec5876655 bytes small 64-bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.
9b8f41be48c0a71cc5b34fd0d409faea955538963763a4a5c5ca27e1ec4d2afb205 bytes small 64-bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB and ExportTable method. It contains no null bytes (0x00), and therefore will not crash if injected into typical stack buffer overflow vulnerabilities.
6143eebe8156ea982d4ef3362eab1915ca829a3ac99ed38af8a6c4ca2e852a0d387 bytes small 64-bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups. Shellcode must be executed from a process with either a HIGH or SYSTEM integrity level.
0e9ecdb6d32c850a8cd46f1c273c31f8a22128d898a75e6f5be2706159ec67b017 bytes small Linux/x86 execve(/bin/sh) shellcode.
0d57e5917177f7b2c8c614412ee8c4d46b75b72f8a5547e97bce99f62fabc11121 bytes small Linux/x64 execve(/bin/sh) shellcode.
7640bb0b2bdd99b08b0876002140a299d855d4c3abe7f76eb8c7c4c0c63ed8bdThis Metasploit module exploits an issue in Google Chrome versions before 87.0.4280.88 (64 bit). The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan. It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1. This is abused to gain arbitrary read/write into the isolate region. Then an ArrayBuffer can be used to achieve absolute arbitrary read/write. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, the browser must be run with the --no-sandbox option for the payload to work correctly.
a2c2e0bb6afa9428a1723f49c6bd0ba43ef8b68bb81b7b27053a5cae99795839240 bytes small Windows/x86 add user Alfred to administrators/remote desktop users group shellcode.
87baea02c93852f7ff91efddf99dce46312ecdece68e0c0d68050ac306f14f2d66 bytes small Linux/x64 execve "cat /etc/shadow" shellcode.
36a64052472bd1336a1edf41b4a7f78a824d3c320e3d02eb95dae19a8e038433142 bytes small Linux/x64 shellcode that binds a password protected shell to TCP 0.0.0.0:4444.
333530589c154018011a1ee45adb6102c069fc8e7b0ef4eaecdb98fd693c95d6143 bytes small Windows/x86 stager generic MSHTA shellcode.
b3750f247e2ed7dcb6ee222de9c4f5ac7edab96f0e3914f254fe001ae66530ba113 bytes small Linux/x86 Socat bind shellcode.
8582129220ea4d9eff4d86d04649d9798ba7ff744aa5aa89e2c6803aaf18c075123 bytes small Linux/x64 reverse shell shellcode that connects to TCP/127.1.1.1:4444.
d489702cacf00b2cfb806769d32c8598c913a2c473ddd76a85a653c65a63168765 bytes small Linux/x86 bindshell shellcode that binds /bin/sh to TCP/0.0.0.0:13377.
0b6f0d113dff3fe9e7fd8830f15d89012a24c53b6fd740940fa27df4be7c06feThis Metasploit module exploit BITS behavior which tries to connect to the local Windows Remote Management server (WinRM) every times it starts. The module launches a fake WinRM server which listen on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the Rogue WinRM server, which allows to steal a SYSTEM token. This token is then used to launch a new process as SYSTEM user. In the case of this exploit, notepad.exe is launched as SYSTEM. Then, it writes shellcode in its previous memory space and trigger its execution. As this exploit uses reflective dll injection, it does not write any file on the disk. Vulnerable operating systems are Windows 10 and Windows servers where WinRM is not running. Lab experiments has shown that Windows 7 does not exhibit the vulnerable behavior.
67b5ac7fe880d91740fda6036d3554f5b4435e1a61d47cad34a80f769fb5752c114 bytes small Linux/x86 reverse TCP shellcode.
2683c644409206f0c3a9aae6d82afb5a6f04a316245fb265c0cdab4441651ee1This Metasploit module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8. By constructing a specially crafted WMA WAV M3U ACC FLAC file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode.
2fc82acea7b95409d6f96c56885e269103215f19b294a61787c2ac74dca93a0f
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed