171 bytes small Windows/x86 shellcode with a new method to find the kernel32 base address by walking down the stack and looking for a possible kernel32 address using a custom SEH handler. Each address found on the stack is tested using the exception handling function. If it's valid and starts with 7, then it's a possible kernel32 address.
e7941faf4a7799cf5e35fcf962b075b17a9570e4f37e959633b2962f8d3bf53d
133 bytes small Windows/x86 kernel32 base address / memory sieve method shellcode.
02598a837cdf14b2aa15f8aa989595e031da15dac8d7e4835e2d041eda455355
458 bytes small Windows/x86 download file and execute dynamic PEB and EDT method shellcode.
373527dc3abce798f323c157f33b7e37a9ae39642431558cc7be8a6423eec576
Windows/x86 bind TCP shellcode / dynamic PEB and EDT method null-free shellcode. This is a bind TCP shellcode that opens a listening socket on 0.0.0.0 port 1337. In order to accomplish this task the shellcode uses the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols. The shellcode also uses a hash function to dynamically gather the required symbols without worrying about the length.
7dd9706d9d60f259d8e6ef790111d2ef99c07abddaae6debfdc64b5c0856ce2f
178 bytes small Windows/x86 shellcode that pops calc.exe. The shellcode uses the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols. It also uses a hash function to dynamically gather the required symbols without worrying about the length. Finally, the shellcode pops calc.exe using WinExec and exits gracefully using TerminateProcess.
9b19277190c962885d3585247da068c374f5db74bbb693ce9cb6fe906a1118a8
330 bytes small Windows/x86 reverse TCP shellcode that connects to 192.168.201.11:4444.
12149f06ca22bb6ea072202a3c3d714fb9e0922026292c67e2fc3c768fa2b30f
Linux/x86 egghunter reverse TCP shell shellcode generator with dynamic IP and port.
f381e9e627457c622f41f2e0f02fd7275a109fbf7c64277852a12fa68a12f383
86 bytes small Linux/x86 reverse TCP shell with dynamic IP and port binding shellcode.
098ad2f853874de86f3c54be8fe5f0603e48dcd1deaae5ff49d0f3c6ecd04c34
102 bytes small Linux/x86 bindshell shellcode with dynamic port binding.
5c78bdabecd99971442c81d97f0c4cac565a54711d65cfb78e5c749c02cc5a5a
Solaris SunSSH version 11.0 on x86 libpam remote root exploit.
678892d62f9d4edd74e135ec10ed7cd1fb0389a420617db1549d49e581caa0db
Linux/x86 custom shellcode ASCII And-Sub encoder.
e94e7d4fd85ab353e369c5db6283be701e1beb64be40051eb7290608b3d9b335
70 bytes small Linux/x86 shellcode with XOR decoder stub and fstenv MMX FPU spawning a /bin/sh shell.
11b3b90f9432231138d2380813aec5392fb07dbce222b7123fb12312d6eaa007
29 bytes small Linux/x86 shellcode that performs setreuid to 0 and then executes /bin/sh.
e6a46129d157e756ab079a8bd8c0b4fb71e4329d98e97809fa092cf1d9ec5876
It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux kernel did not properly validate computation of branch displacements in some situations. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.
2804a214253fb2c002641f38c8aae9e4023d617f9897b0c5c01ff06e5794df2b
Ubuntu Security Notice 4916-1 - It was discovered that the overlayfs implementation in the Linux kernel did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux kernel did not properly validate computation of branch displacements in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Various other issues were also addressed.
731316af4af43b6a4f4a4888d410c88049b391c7650608ca1fd2ed0566f0f141
17 bytes small Linux/x86 execve(/bin/sh) shellcode.
0d57e5917177f7b2c8c614412ee8c4d46b75b72f8a5547e97bce99f62fabc111
Ubuntu Security Notice 4912-1 - Piotr Krysiuk discovered that the BPF JIT compiler for x86 in the Linux kernel did not properly validate computation of branch displacements in some situations. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the binder IPC implementation in the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Various other issues were also addressed.
590166453ec29f1473b4cb64bcf7651991eb909ac482b366e52b4648a1f60409
240 bytes small Windows/x86 add user Alfred to administrators/remote desktop users group shellcode.
87baea02c93852f7ff91efddf99dce46312ecdece68e0c0d68050ac306f14f2d
143 bytes small Windows/x86 stager generic MSHTA shellcode.
b3750f247e2ed7dcb6ee222de9c4f5ac7edab96f0e3914f254fe001ae66530ba
113 bytes small Linux/x86 Socat bind shellcode.
8582129220ea4d9eff4d86d04649d9798ba7ff744aa5aa89e2c6803aaf18c075
65 bytes small Linux/x86 bindshell shellcode that binds /bin/sh to TCP/0.0.0.0:13377.
0b6f0d113dff3fe9e7fd8830f15d89012a24c53b6fd740940fa27df4be7c06fe
Intel Matrix Storage Event Monitor x86 version 8.0.0.1039 suffers from an IAANTMON unquoted service path vulnerability.
53a6ec5e6199676d3685d5babcf43c618caa8d1dbff3b3ae796deb36a20a2cab
114 bytes small Linux/x86 reverse TCP shellcode.
2683c644409206f0c3a9aae6d82afb5a6f04a316245fb265c0cdab4441651ee1
This Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary.
255a53ba4764640c38d52b8d61674d66f25d7a11c08ebc0d8b26cc5cdb1d4ace
Solaris SunSSH versions 10 through 11.0 on x86 libpam remote root exploit.
93c50138db56dcc96e612d0fa56cca01459695d4f656345667a2e4fdec807e5d