| Author | Description |
| --- | --- |
| Peter Van Eeckhoutte | Exploit writing tutorial part 8 : Win32 Egg Hunting |
| P.Fayolle & V.Glaume | A Buffer Overflow Study: Attacks & Defenses |
| funkysh | Developing StrongARM/Linux shellcode |
| MISC Magazine | Memory corruption during exploitation |
| K.Fenzi & D.Wreski | Linux Security HOWTO |
| linuxsecurity.com | Linux Security Quick Reference Guide |
| Peter Van Eeckhoutte | Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc |
| Peter Van Eeckhoutte | Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, HW DEP and ASLR |
| Peter Van Eeckhoutte | Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development |
| Peter Van Eeckhoutte | Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics |
| Peter Van Eeckhoutte | Exploit writing tutorial part 3b : SEH Based Exploits – just another example |
| Peter Van Eeckhoutte | Exploit writing tutorial part 3 : SEH Based Exploits |
| Peter Van Eeckhoutte | Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode |
| Peter Van Eeckhoutte | Exploit writing tutorial part 1 : Stack Based Overflows |
| Gerard Beekmans | Linux From Scratch |
| Alexandr Polyakov | SAP security: attacking sap client |
| Yingbo Song | On the Infeasibility of Modeling Polymorphic Shellcode |
| Fermin J. Serna | Polymorphic Shellcodes vs. Application IDSs |
| Peter Teufl | Hybrid Engine for Polymorphic Shellcode Detection |
| Michalis Polychronakis | Network-Level Polymorphic Shellcode Detection Using Emulation |
| Jianwei Huang | Reverse Engineering MAC: A Non-Cooperative Game Model [2] |
| Pamela Samuelson | The Law and Economics of Reverse Engineering |
| Aaron Portnoy | Reverse Engineer’s Cookbook |
| Timothy S. Gardner | Reverse-engineering transcription control networks |
| skape | Reverse Engineering: Memory Analysis |
| Weidong Cui | Tupni: Automatic Reverse Engineering of Input Formats |
| Pamela Samuelson | REVERSE ENGINEERING UNDER SIEGE |
| J-M. Petit | Towards the Reverse Engineering of Denormalized Relational Databases |
| r10jm.ps | Reverse Engineering and Program Understanding |
| Solange Coupet | Introduction to CAML |
| M.Shang & W.Du | System Call Sequence (_chmod example) |
| Jialong He | LINUX System Call Quick Reference |
| D.Mazzocchio | Writing shellcode for Linux and *BSD |
| scut/teso | Writing MIPS/IRIX shellcode |
| ngssoftware.com | Writing Small Shellcode |
| nologin.org | Safely Searching Process Virtual Address Space |
| B-r00t | PowerPC / OS X (Darwin) Shellcode Assembly |
| nologin.org | Understanding Windows Shellcode |
| H D Moore | Mac OS X PPC Shellcode Tricks |
| spoonm | Recent Shellcode Developments |
| Tim Hurman | Exploring Windows CE Shellcode |
| Masaki Suenaga | Evolving Shell Code (Symantec) |
| Barabas | Practical Linux Shellcode |
| Kezhaya & Joglekar | Writing shellcode exploits for VoIP phones |
| ghostsinthestack | Shellcodes, by ghostsinthestack.org |
| Michal Piotrowski | Optimising shellcodes under Linux (Hakin9 magazine) |
| Jonathan Salwan | Creation of Shellcode on Linux x86/32bits |
| Michal Piotrowski | Creation of polymorphic shellcode (Hakin9 magazine) |
| athias.fr | ConnectBack Shellcode (win32) |
| Julien Olivian | Polymorphism and camouflage of shellcodes |
| Nightmare | PE Infection – How to Inject a dll |
| Julien Vanegue | Reverse engineering of ELF/Intel systems |
| Robert Calderbank | Reverse Engineering MAC Protocol |
| Karsten Nohl | Reverse-Engineering a Cryptographic RFID Tag |
| John Aycock | UCPy: Reverse-Engineering Python |
| Paul Vincent Sabanal | Reversing C++ |
| Omer Berkman | The unbearable lightness of PIN cracking |
| Mike Bond | Decimalisation Table Attacks for PIN Cracking |
| Aelphaeis Mangarae | Learn Information Gathering By Example |
| Aelphaeis Mangarae | SEH Overwrites Simplified v1.01 |
| Aelphaeis Mangarae | Cracking the basics |
| Aelphaeis Mangarae | Steganography FAQ |
| Aelphaeis Mangarae | Hardening Windows NT |
| hEYWIRE | Cyclic Redundancy Check (CRC) |
| Aelphaeis Mangarae | Assault on PHP Applications |
| Lavakumar Kuppan | Bypassing Web Application Firewalls with HTTP Parameter Pollution |
| Saitek | How do I crack your WEP: The FMS attack explanation |
| Saitek | Routers and Routing process explanation through the Network Address Translation |
| Saitek | Analysis and Working of a Rootkit in the Operating System |
| David Kennedy | Bypassing Hardware Based Data Execution Prevention (DEP) On Windows 2003 SP2 |
| aidi youssef | Shellcodes under Linux on 32-bit x86 processors |
| Jason R. Davis | MPI and Password Cracking |
| Jean-luc HENRY | GNU/Linux security solutions |
| Eric Botcazou | Compile-time stack requirements analysis with GCC |
| Peter Brass | Elementary Structures |
| Malcolm Heywood | On Evolving Buffer Overflow Attacks Using Genetic Programming |
| Nick Feamster | Wireless Security and Buffer Overflows |
| Zhimin Gu | Buffer Overflow Attacks on Linux Principles Analyzing and Protection |
| Brian Fellowes | Debugging multi-threaded applications with RTOS-aware tools |
| Eric Chien & Peter Szor | Blended Attacks: Exploits, Vulnerabilities and Buffer-Overflow Techniques |
| Stephane DUVERGER | Kernel-space exploitation under Linux 2.6 |
| n/a | Building A Simple Stack Abstraction |
| Stefan Schauer | Experiencing Enhanced Emulation Debugging |
| Igor Yuklyanyuk | Stack Based Buffer Overflows and Protection Mechanisms |
| Zili Shao | Defending Embedded Systems Against Buffer Overflow via Hardware/Software |
| Thomas W. Olzak | Web Application Security - Buffer Overflows: Are you really at risk? |
| Maxim | Implementing a Soft Stack in Data Memory on the MAXQ2000 |
| Marius Gafen | Alternative Java Threading Designs for Real-Time Environments |
| Asia Slowinska | Accurate analysis of heap and stack overflows by means of age stamps |
| Xavier Allamigeon | Heap overflow detection by static analysis |
| Kostya Kortchinsky | Reliable exploitation of heap overflows under Windows |
| Alexander Anisimov | Bypassing the Windows XP/SP2 heap protection and bypassing DEP |
| Nicolas Falliere | Bypassing Windows heap protections |
| Greg Hoglund | The cross-page overwrite and its application in heap overflows |
| YJ.Park & G.Lee | Repairing Return Address Stack for Buffer Overflow Protection |
| A.Iyer & M. Liebrock | Vulnerability Scanning for Buffer Overflow |
| André Zuquete | StackFences: a run-time approach for detecting stack overflows |
| Olivier Gay | Advanced buffer overflow exploitation |
| Ali Rahbar | Stack overflow on Windows XP SP2 |
| Yoonseo Choi | Optimal Register Reassignment for Register Stack Overflow Minimization |
| Yair Wiseman | Eliminating the Threat of Kernel Stack Overflows |
| Michael Ligh | Compression Plus and Tumbleweed EMF Stack Overflow Security Advisory |
| Malcolm Heywood | Evolving Successful Stack Overflow Attacks for Vulnerability Testing |
| n/a | Analysis of ANI “anih” Header Stack Overflow Vulnerability |
| npouvesle | NetWare Kernel Stack Overflow Exploitation |
| Ryan Smith | RARLab’s WinRAR Local Stack Overflow |
| Jérome ATHIAS | Stack Overflows: exploiting the default SEH to improve an exploit's stability |
| Adrian Dunston | Stack Overflow: A Great Place for Answers |
| Alexander Sotirov | Heap Feng Shui in JavaScript |
| Sergio Alvarez | Win32 Stack BufferOverFlow Real Life Vuln-Dev Process |
| Aelphaeis Mangarae | Stack Overflow Exploitation Explained |
| steve hanna | Shellcoding for Linux and Windows Tutorial |
| Nicolas Falliere | Anatomy of a Malware |
| Luke Jennings | Security Implications of Windows Access Tokens |
| Charalambous Glafkos | Securing & Hardening Linux v1.0 |
| Brett Moore | Access Through Access |
| warlord | ActiveX - Active Exploitation |
| Alex Hernandez | Symantec Altiris Deployment Solution Elevation of Privileges Vulnerabilities |
| N.George & C.Glafkos | Reverse Engineering: Anti-Cracking Techniques |
| N.George & C.Glafkos | Reverse Engineering: Smashing the Signature |
| Jeremy Brown | A Useful Approach to Finding Bugs |
| mxatone | Analyzing local privilege escalations in win32k |
| skape | Using dual-mappings to evade automated unpackers |
| Chaitanya Sharma | TippingPoint IPS Signature Evasion through Packet Fragmentation |
| Feathers McGraw | Using (ShoutBoxes) to control malicious software |
| Bui Quang Minh | How Conficker makes use of MS08-067 |
| Nightmare | Reverse Code Engineering (RCE) |
| Sergey Rublev | WPAD TECHNOLOGY WEAKNESSES |
| Luca Carettoni | HTTP Parameter Pollution |
| Kim Davies | DNS Cache Poisoning Vulnerability |
| C.Cowan & P.Wagle ... | Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade |
| Trent Nelson | Common Control System Vulnerability |
| Mitja Kolsek | Session Fixation Vulnerability in Web-based Applications |
| Charlie Miller | The Legitimate Vulnerability Market |
| NIST | PBX Vulnerability Analysis |
| David Litchfield | Lateral SQL Injection: A New Class of Vulnerability in Oracle |
| Jeffrey R. Jones | Browser Vulnerability Analysis |
| securityevaluators.com | Engineering Heap Overflow Exploits with JavaScript |
| X.Wang & CC.Pan ... | A Signature-free Buffer Overflow Attack Blocker |
| Sebastian Krahmer | x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique |
| alexander steven | Defeating compiler-level buffer overflow protection |
| Michael Zhivich | Dynamic Buffer Overflow Detection |
| David Larochelle | Statically Detecting Likely Buffer Overflow Vulnerabilities |
| E.Haugh & M.Bishop | Testing C Programs for Buffer Overflow Vulnerabilities |
| g][org0re/3ey | Technical analysis of a vulnerability: Internet Explorer IFRAME Overflow |
| O.Ruwase & S.Lam | A Practical Dynamic Buffer Overflow Detector |
| Jonathan Salwan | Bypassing an authentication check via buffer overflow |
| David Litchfield | Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server |
| mati*@*see-security.com | Tutorial on exploiting a buffer overflow in the Savant 3.1 web server |
| David M. Alter | Online Stack Overflow Detection on the TMS320C28x DSP |
| Ali Rahbar | Stack overflow on Windows Vista |
| Regehr & Reid & Webb | Eliminating stack overflow by abstract interpretation |
| tal.z | How-to exploit default exception handler to gain stability on win32 |
| Pierre Guillemin | Stack Overflow Detection Using The ST9 TIMER/WATCHDOG |
| Peter Winter-Smith | Blind Exploitation of Stack Overflow Vulnerabilities |
| Shell-Storm Staff | Vulnerability Discovered in Httpdx Server FTP v0.8 |
| Shell-Storm Staff | Vulnerability Discovered in Personal FTP Server version <= 5.x |
| Shell-Storm Staff | Vulnerability Discovered in Baby FTP Server version 1.x |
| Shell-Storm Staff | Vulnerability Discovered in Wine version 1.0.1 |
| Shell-Storm Staff | Vulnerability Discovered in TYPSoft FTP Server version 1.11 |
| Shell-Storm Staff | Vulnerability Discovered in Xitami HTTP Server version <= 5.0 |
| Shell-Storm Staff | Vulnerability Discovered in Zervit HTTP Server version <= v0.3 |
| Shell-Storm Staff | Vulnerability Discovered in Sami HTTP Server version 2.x |
| Shell-Storm Staff | Vulnerability Discovered in XM Easy Personal FTP Server version <= 5.7.0 |
| Shell-Storm Staff | Vulnerability Discovered in Sysax Multi Server version 4.3 |
| Shell-Storm Staff | Vulnerability Discovered in Telnet-Ftp Service Server version 1.x |
| Shell-Storm Staff | Vulnerability Discovered in SW-HTTPD Server version 0.x |
| Shell-Storm Staff | Vulnerability Discovered in FTP Serv-u Version 7.4.0.1 - [2] |
| Shell-Storm Staff | Vulnerability Discovered in FTP Serv-u Version 7.4.0.1 |
| Shell-Storm Staff | Vulnerability Discovered in GuildFTPd FTP Server Version 0.x.x |
| Shell-Storm Staff | Vulnerability Discovered in Femitter Server FTP version 1.x |
| sekfault | Linux/x86 - disabled modsecurity - 64 bytes |
| Hazem mofeed | Windows - SP3 english ( calc.exe ) - 37 bytes |
| Hazem mofeed | Windows - SP2 english ( calc.exe ) - 37 bytes |
| ipv | Linux/x86 - execve /bin/sh - 21 bytes |
| JungHoon Shin | Linux/x86 - /bin/sh - 8 bytes |
| Hellcode | Windows - Shellcode (cmd.exe) for XP SP2 Turkish - 26 Bytes |
| Hellcode | Windows - Shellcode (cmd.exe) for XP SP3 English - 26 Bytes |
| fb1h2s | Linux/x86 - bin/cat /etc/passwd - 43 bytes |
| sbz | FreeBSD/x86 - portbind shellcode - 167 bytes |
| sinn3r | Windows - XP SP3 addFirewallRule |
| AnTi SeCuRe | Windows - sp2 (En + Ar) cmd.exe - 23 bytes |
| SkuLL-HacKeR | Windows - Shellcode Collection - (calc) 19 bytes |
| root@thegibson | Linux/x86 - chmod 666 /etc/shadow - 27 bytes |
| root@thegibson | Linux/x86 - overwrite MBR on /dev/sda with LOL! - 43 bytes |
| root@thegibson | Linux/x86 - kill all processes - 9 bytes |
| root@thegibson | Linux/x86 - eject /dev/cdrom - 42 bytes |
| $andman | Linux/x86 - append /etc/passwd & exit() - 107 bytes |
| $andman | Linux/x86 - unlink(/etc/passwd) & exit() - 35 bytes |
| Teo Manojlovic | Windows - xp sp2 PEB ISbeingdebugged shellcode - 56 bytes |
| ka0x | Linux/x86 - setuid(0) & execve(/sbin/poweroff -f) - 47 bytes |
| ka0x | Linux/x86 - setuid(0) & execve(/bin/cat /etc/shadow) - 49 bytes |
| ka0x | Linux/x86 - chmod(/etc/shadow, 0666) & exit() - 33 bytes |
| fl0 fl0w | Linux/x86 - execve() - 51 bytes |
| eSDee [Netric .org] | Linux/x86 - /sbin/iptables --flush - 69 bytes |
| eSDee [Netric .org] | Linux/x86 - forking portbind shellcode - port=0xb0ef(45295) - 200 bytes |
| eSDee [Netric .org] | Linux/x86 - connect back shellcode (port=0xb0ef) - 131 bytes |
| sacrine | Linux/x86 - setresuid(0,0,0); execve /bin/sh; exit; - 41 bytes |
| Bob [Dtors.net] | Linux/x86 - chmod(//bin/sh ,04775); set sh +s - 31 bytes |
| Bob [Dtors.net] | Linux/x86 - setuid(); execve(); exit(); - 44 bytes |
| Bob [Dtors.net] | Linux/x86 - adds a root user no-passwd to /etc/passwd - 83 bytes |
| Bob [Dtors.net] | Linux/x86 - execve()/bin/ash; exit; - 34 bytes |
| zillion | Linux/x86 - execve of /bin/sh /tmp/p00p - 70 bytes |
| zillion | Linux/x86 - execve() of /sbin/iptables -F - 70 bytes |
| zillion | Linux/x86 - execve of /sbin/ipchains -F - 70 bytes |
| zillion | Linux/x86 - add a passwordless local root account w000t - 177 bytes |
| zillion | Linux/x86 - mkdir() & exit() - 36 bytes |
| Cody Tubbs | Linux/x86 - Audio (knock knock knock) via /dev/dsp+setreuid(0,0)+execve() - 566 bytes |
| n/a | Linux/x86 - hence dropping a SUID root shell in /tmp - 126 bytes |
| Jonathan Salwan | Linux/x86 - polymorphic ip6tables -F - 71 bytes |
| Jonathan Salwan | Linux/x86 - ip6tables -F - 47 bytes |
| Aodrulez | Windows - XP Pro Sp2 English Message-Box Shellcode - 16 Bytes |
| sToRm | Linux/x86 - execve(/bin/sh,0,0) - 21 bytes |
| sToRm | Linux/x86 - setuid(0) & execve(/bin/sh,0,0) - 28 bytes |
| sToRm | Linux/x86 - portbind /bin/sh (port 64713) - 83 bytes |
| Aodrulez | Windows - XP Pro Sp2 English Wordpad Shellcode - 15 bytes |
| Jonathan Salwan | Linux/x86 - pacman -S <package> (default package: backdoor) - 64 bytes |
| Jonathan Salwan | Linux/x86 - pacman -R <package> - 59 bytes |
| Xenomuta | Linux/x86 - shellcode that forks a HTTP Server on port tcp/8800 - 166 bytes |
| Xenomuta | Linux/x86 - Self-modifying ShellCode for IDS evasion - 64 bytes |
| XenoMuta | Linux/x86 - listens for shellcode on tcp/5555 and jumps to it - 83 bytes |
| Optix | Windows - sp3 (FR) Sleep - 14 bytes |
| Jonathan Salwan | Linux/x86 - Polymorphic shellcode for disable Network Card - 75 bytes |
| Jonathan Salwan | Linux/x86 - /bin/sh polymorphic shellcode - 48 bytes |
| Jonathan Salwan | Linux/x86 - killall5 polymorphic shellcode - 61 bytes |
| SkyLined | Windows - null-free bindshell for Windows 5.0-6.0 all service packs |
| TheWorm | Linux/x86 - execve(/sbin/halt,/sbin/halt) - 27 bytes |
| Stack | Windows - XP/sp2 (EN) cmd.exe - 23 bytes |
| Rick | Linux/x86 - Port Bind 4444 ( xor-encoded ) - 152 bytes |
| TheWorm | Utility - Linux/x86 shellcode generator NULL-free - execve(executable/command) - [2] |
| TheWorm | Utility - Linux/x86 shellcode generator NULL-free - execve(executable/command) - [1] |
| TheWorm | Utility - Linux x86 BlackLight NULL-free shellcode generator |
| TheWorm | Linux/x86 - execve(/sbin/reboot,/sbin/reboot) - 28 bytes |
| TheWorm | Linux/x86 - execve(/sbin/shutdown,/sbin/shutdown 0) - 36 bytes |
| TheWorm | Linux/x86 - setuid(0), setgid(0) & execve(/bin/sh,[/bin/sh,NULL]) - 33 bytes |
| TheWorm | Linux/x86 - setuid(0) & execve(/bin/sh,0) - 25 bytes |
| TheWorm | Linux/x86 - exit(0) 3 bytes or exit(1) 4 bytes |
| vlan7 | Linux/x86 - setuid() & execve() - 27 bytes |
| vlan7 | Linux/x86 - disables shadowing - 42 bytes |
| Teo Manojlovic | Windows - xp-sp3 beep and exitprocess shellcode - 28 bytes |
| certaindeath | Utility - Shellcode Generator null byte free. |
| Jonathan Salwan | Linux/x86 - reboot() polymorphic shellcode - 57 bytes |
| Teo Manojlovic | NetBSD/x86 - kill all processes shellcode |
| Shok | Linux/x86 - Add root user /etc/passwd - 104 bytes |
| blue9057 | Linux/x86 - setreuid(geteuid(),geteuid()),execve(/bin/sh,0,0) - 34 bytes |
| Koshi | Windows - PEB Kernel32.dll ImageBase Finder Alphanumeric - 67 bytes |
| Koshi | Windows - PEB Kernel32.dll ImageBase Finder - 49 Bytes |
| Weiss | Windows - download and execute - 124 bytes |
| Weiss | Windows - WinExec() Command Parameter - 104 bytes |
| Darkeagle | Windows - useradd shellcode for russian systems - 318 bytes |
| Matthieu Suiche | Windows - Reverse Generic Shellcode w/o Loader - 249 bytes |
| loco | Windows - PEB method (9x/NT/2k/XP) - 29 bytes |
| twoci | Windows - PEB method (9x/NT/2k/XP) - 31 bytes |
| shellcode.com.ar | Solaris/x86 - execve /bin/sh - 43 bytes |
| Claes M. Nyberg | Solaris/sparc - setreuid(geteuid()), setregid(getegid()), execve /bin/sh |
| Tora | Linux/x86 - Bindshell TCP/5074 - 226 bytes |
| sloth | Linux/x86 - shared memory exec - 50 bytes |
| UnboundeD | Linux/x86 - iptables -F - 45 bytes |
| hts | Linux/x86 - Reverse Telnet |
| lamagra | Linux/x86 - Bindport TCP/3879 |
| Sp4rK | Linux/x86 - iptables -F - 49 bytes |
| preedator | Linux/x86 - chroot()/execve() code |
| preedator | Linux/x86 - break chroot execve /bin/sh - 80 bytes |
| dev0id | BSD/x86 - execve /bin/sh Crypt /bin/sh - 49 bytes |
| dev0id | Linux/x86 - iptables -F - 58 bytes |
| dev0id | Linux/x86 - back-connect TCP/2222 - 93 bytes |
| Matias Sedalo | Linux/x86 - execve /bin/sh encrypted - 58 bytes |
| Matias Sedalo | Linux/x86 - portbind a shell in port 5074 - 92 bytes |
| Matias Sedalo | BSD/x86 - break chroot - 45 bytes |
| Matias Sedalo | Linux/x86 - chmod 666 /etc/shadow - 41 bytes |
| Matias Sedalo | Linux/x86 - chmod 666 shadow ENCRYPT - 75 bytes |
| Matias Sedalo | Linux/x86 - add user t00r ENCRYPT - 116 bytes |
| Jonathan Salwan | Linux/x86 - Shellcode Polymorphic chmod(/etc/shadow) & exit() - 54 bytes |
| Jonathan Salwan | Utility - Solaris/x86 - Generate PortBind/TCP |
| sorrow | Utility - /bin/sh Polymorphic shellcode with printable ASCII characters |
| BlackLight | Utility - linux/x86 shellcode generator / null free |
| Avri Schneider | Utility - Alphanumeric Shellcode Encoder Decoder |
| izik | Utility - Utility for generating HTTP/1.x requests for shellcodes |
| SkyLined | Utility - Multi-Format Shellcode Encoding Tool |
| Jonathan Salwan | Utility - Generate Payload PortBind Windows XP/SP1 |
| Jonathan Salwan | Utility - Generate Payload PortBind Linux/x86 |
| (unistd_32.h) | Utility - Linux i386 - The system call numbers |
| (unistd_64.h) | Utility - Linux x86/64 - The system call numbers |
| Xash | Utility - ToHex - Convert string in hexadecimal |
| vlad902 | Solaris/sparc - Single bind TCP shell |
| H D Moore | Osx/ppc - Bind Shell PORT TCP/8000 - encoder OSXPPCLongXOR - 300 bytes |
| vlad902 | Linux/x86 - Add User USER=t00r PASS=t00r - Encoder PexFnstenvSub - 116 bytes |
| Jonathan Salwan | Linux/x86 - Bindport TCP/8000 & execve add user with access root - 225 bytes+ |
| Jonathan Salwan | Linux/x86 - Bindport TCP/8000 & execve iptables -F - 176 bytes |
| oc192 | Linux/x86 - setreuid & execve - 31 bytes |
| oc192 | Windows - PEB method (9x/NT/2k/XP) |
| Charles Stevenson | Linux/x86 - dup2(0,0); dup2(0,1); dup2(0,2); 15 bytes |
| Charles Stevenson | Linux/x86 - if(read(fd,buf,512)<=2) _exit(1) else buf(); - 29 bytes |
| Charles Stevenson | Linux/x86 - read(0,buf,2541); chmod(buf,4755); - 23 bytes |
| NicatiN | Linux/x86 - execve /bin/sh anti-ids 40 bytes |
| dx & spud | Linux/x86 - SWAP restore - 109 bytes |
| dx & spud | Linux/x86 - SWAP store - 99 bytes |
| Gotfault Security | Linux/x86 - Password Authentication portbind port 64713/tcp - 166 bytes |
| Gotfault Security | Linux/x86 - portbind port 64713 - 86 bytes |
| Gotfault Security | Linux/x86 - setuid(0) + setgid(0) + execve("/bin/sh", ["/bin/sh", NULL]) - 37 bytes |
| Gotfault Security | Linux/x86 - setreuid(0,0) + execve(/bin/sh, [/bin/sh, NULL]) - 33 bytes |
| xort | Linux/x86 - Magic Byte Self Modifying Code for surviving - execve() _exit() - 76 bytes |
| xort | Linux/x86 - Radically Self Modifying Code - execve & _exit() - 70 bytes |
| xort | Linux/x86 - Alpha-Numeric using IMUL Method - 88 bytes |
| xort | Linux/x86 - alpha-numeric - 64 bytes |
| xort | Linux/x86 - examples of long-term payloads hide-wait-change (.s) |
| xort & izik | Linux/x86 - examples of long-term payloads hide-wait-change - 187 bytes+ |
| Russell Sanford | Linux/x86 - socket-proxy - 372 bytes |
| Russell Sanford | Linux/x86 - Connect Back shellcode - 90 bytes |
| Russell Sanford | Solaris/mips - connect-back (with XNOR encoded session) - 600 bytes |
| Russell Sanford | Solaris/mips - download and execute - 278 bytes |
| Benjamin Orozco | Linux/x86 - SET_IP() Connectback Shellcode - 82 bytes |
| Benjamin Orozco | Linux/x86 - SET_PORT() portbind - 100 bytes |
| BaCkSpAcE | Linux/x86 - execve() Disassembly Obfuscation Shellcode - 32 bytes |
| c0ntex & BaCkSpAcE | Linux/x86 - /bin/sh sysenter Opcode Array Payload - 23 Bytes |
| oveRet | Linux/x86 - portbind (define your own port) - 84 bytes |
| izik | Linux/x86 - cat /dev/urandom > /dev/console, no real profit just for kicks - 63 bytes |
| izik | Linux/x86 - quick (yet conditional, eax != 0 and edx == 0) exit - 4 bytes |
| izik | Linux/x86 - eject & close cd-rom frenzy loop (follows /dev/cdrom symlink) - 45 bytes |
| izik | Linux/x86 - open cd-rom loop (follows /dev/cdrom symlink) - 39 bytes |
| izik | Linux/x86 - anti-debug trick (INT 3h trap) + execve(/bin/sh, [/bin/sh, NULL], NULL) - 39 bytes |
| izik | Linux/x86 - execve(/bin/sh, [/bin/sh], NULL) / encoded by +1 - 39 bytes |
| izik | Linux/x86 - execve /bin/sh xored for Intel x86 CPUID 41 bytes |
| izik | Linux/x86 - HTTP/1.x GET, Downloads and JMP - 68 bytes+ |
| izik | Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + Bitmap - 27 bytes |
| izik | Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + RIFF Header - 28 bytes |
| izik | Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + RTF header - 30 bytes |
| izik | Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + ZIP Header - 28 bytes |
| LiquidWorm | Linux/x86 - setuid(0) + setgid(0) + execve(echo 0 > /proc/sys/kernel/randomize_va_space) - 79 bytes |
| onionring | Linux/x86 - rm -rf / which attempts to block the process from being stopped - 132 bytes |
| sorrow | Linux/x86 - setresuid(0,0,0)-/bin/sh - 35 bytes |
| Marco Ivaldi | Linux/x86 - stdin re-open and /bin/sh execute |
| Marco Ivaldi | Linux/x86 - re-use of (/bin/sh) string in .rodata - 16 bytes |
| Marco Ivaldi | Linux/x86 - setuid/portbind port 31337 TCP - 96 bytes |
| Bunker | Linux/x86 - setreuid(0, 0) + execve(/bin//sh, [/bin//sh, -c, cmd], NULL); |
| Revenge | Linux/x86 - setuid(0) + execve(/bin//sh, [/bin//sh], NULL) - 28 bytes |
| Kris Katterjohn | Linux/x86 - forkbomb - 7 bytes |
| Kris Katterjohn | Linux/x86 - set system time to 0 & exit |
| Kris Katterjohn | Linux/x86 - kill all processes - 11 bytes |
| Kris Katterjohn | Linux/x86 - add root user (r00t) with no password to /etc/passwd |
| Kris Katterjohn | Linux/x86 - chmod(/etc/shadow, 0666) & exit() |
| mu-b | Linux/x86 - raw-socket ICMP/checksum shell - 235 bytes |
| GS2008 | Linux/x86 - Write FS PHP Connect Back Utility Shellcode - 508 bytes |
| 0in | Linux/x86 - connect back & send & exit /etc/shadow - 155 bytes |
| militan | Linux/x86 - connect back, download a file and execute - 149 bytes |
| dun | Linux/x86 - iopl(3); asm(cli); while(1){} - 12 bytes |
| 0ut0fbound | Linux/x86 - execve read shellcode - 92 bytes |
| metasploit | Windows - Create Admin User Account (NT/XP/2000) - 304 bytes |
| metasploit | Windows - Vampiric Import Reverse Connect - 179 bytes |
| metasploit | Windows - Bind Shell (NT/XP/2000/2003) - 356 bytes |
| dev0id | FreeBSD/x86 - kldload /tmp/o.o - 74 bytes |
| preedator | FreeBSD/x86 - execve /bin/sh 37 bytes |
| IZ | FreeBSD/x86 - execve /bin/sh 23 bytes |
| MahDelin | FreeBSD/x86 - bind port:4883 with auth shellcode |
| c0d3_z3r0 | FreeBSD/x86 - encrypted shellcode /bin/sh 48 bytes |
| sm4x | FreeBSD/x86 - reverse connect dl(shellcode) and execute, exit - 90 bytes |
| suN8Hclf | FreeBSD/x86 - connect back.send.exit /etc/passwd - 112 bytes |
| n/a | OpenBSD/x86 - add user w00w00 - 112 bytes |
| noir | OpenBSD/x86 - portbind port 6969 - 148 bytes |
| hophet | OpenBSD/x86 - execve(/bin/sh) - 23 bytes |
| darkeagle | Windows - download & exec shellcode - 226 bytes+ |
| Omega7 | Windows - Pop up message box (XP/SP2) - 110 bytes |
| ex-pb | Windows - IsDebuggerPresent ShellCode (NT/XP) - 39 bytes |
| YAG KOHHA | Windows - Download and Execute Shellcode Generator |
| loco | Windows - connectback, receive, save and execute shellcode |
| Koshi | Windows - PEB!NtGlobalFlags shellcode - 14 bytes |
| xnull | Windows - Beep Shellcode (SP1/SP2) - 35 bytes |
| Jonathan Salwan | Linux/x86 - Bind asm code localhost:8000 - 179 bytes |
| Weiss | Windows-64 - (URLDownloadToFileA) download and execute - 218+ bytes |
| Stack | Windows - XP sp2 (FR) Shellcode cmd.exe - 32 bytes |
| DATA_SNIPER | Windows - telnetbind by winexec - 111 bytes |
| silicon | Windows - XP-sp1 portshell on port 58821 - 116 bytes |
| Peter Winter-Smith | Windows - XP download and exec source |
| Gyan Chawdhary | Cisco IOS - Connectback shellcode v1.0 |
| Varun Uppal | Cisco IOS - Bind shellcode v1.0 |
| Gyan Chawdhary | Cisco IOS - Tiny shellcode v1.0 |
| n/a | Irix - execve(/bin/sh) - 43 bytes |
| scut/teso | Irix - execve(/bin/sh) - 68 bytes |
| n/a | Irix - execve(/bin/sh -c) - 72 bytes |
| scut/teso | Irix - Bind Port - 364 bytes |
| scut/teso | Irix - stdin-read shellcode - 40 bytes |
| n/a | Alpha - execve() - 112 bytes |
| n/a | Alpha - setuid() - 156 bytes |
| Lamont Granquist | Alpha - /bin/sh - 80 bytes |
| K2 | Hp-Ux - execve(/bin/sh) - 58 bytes |
| Georgi Guninski | Aix - execve /bin/sh - 88 bytes |
| minervini | Sco/x86 - execve(/bin/sh, ..., NULL) - 43 bytes |
| haphet | Osx/ppc - sync(), reboot() - 32 bytes |
| haphet | Osx/ppc - execve(/bin/sh,[/bin/sh],NULL)& exit() - 72 bytes |
| B-r00t | Osx/ppc - Add user r00t - 219 bytes |
| B-r00t | Osx/ppc - add inetd backdoor - 222 bytes |
| B-r00t | Osx/ppc - create /tmp/suid - 122 bytes |
| H D Moore | Osx/ppc - stager sock reverse |
| H D Moore | Osx/ppc - stager sock find |
| H D Moore | Osx/ppc - stager sock find peek |
| H D Moore | Osx/ppc - Single Reverse TCP |
| Dino Dai Zovi | Osx/ppc - remote findsock by recv() key shellcode |
| ghandi | Osx/ppc - shellcode execve(/bin/sh) |
| lhall | Solaris/sparc - setreuid - 56 bytes |
| lhall | Solaris/sparc - portbind | port 6666 - 240 bytes |
| n/a | Solaris/sparc - execve(/bin/sh) - 52 bytes |
| ghandi | Solaris/sparc - Bind /bin/sh TCP port 2001 |
| n/a | Solaris/x86 - add services and execve inetd - 201 bytes |
| n/a | Solaris/x86 - execve /bin/sh toupper evasion - 84 bytes |
| sm4x | Solaris/x86 - setuid(0)&execve(//bin/sh)&exit(0) - 39 bytes |
| sm4x | Solaris/x86 - setuid(0)&execve(/bin/cat, /etc/shadow)&exit(0) - 59 bytes |
| minervini | NetBSD/x86 - callback (port 6666) - 83 bytes |
| minervini | NetBSD/x86 - setreuid(0, 0); execve(/bin//sh, ..., NULL); - 29 bytes |
| humble | NetBSD/x86 - execve(/bin/sh) - 68 bytes |
| Palante | BSD/ppc - execve(/bin/sh) - 128 bytes |
| Hack'n Roll | FreeBSD/x86-64 - exec(/bin/sh) Shellcode - 31 bytes |
| Hack'n Roll | FreeBSD/x86-64 - execve /bin/sh shellcode 34 bytes |
| c0d3_z3r0 | FreeBSD/x86-64 - Execve /bin/sh - Anti-Debugging |
| suN8Hclf | FreeBSD/x86 - kill all processes - 12 bytes |
| IZ | FreeBSD/x86 - reboot(RB_AUTOBOOT) - 7 bytes |
| Claes M. Nyberg | FreeBSD/x86 - execve /tmp/sh - 34 bytes |
| sm4x | FreeBSD/x86 - execve(/bin/cat & /etc/master.passwd) - 65 bytes |
| sm4x | FreeBSD/x86 - reverse portbind /bin/sh - 89 bytes |
| sm4x | FreeBSD/x86 - setuid(0)&execve({//sbin/ipf,-Faa,0},0); - 57 bytes |
| suN8Hclf | FreeBSD/x86 - setreuid(0, 0) & execve(pfctl -d) - 56 bytes |
| Marco Ivaldi | BSD/x86 - setuid/execve - 30 bytes |
| Marco Ivaldi | BSD/x86 - setuid/portbind - 94 bytes |
| n0gada | BSD/x86 - execve(/bin/sh) - 27 bytes |
| Matias Sedalo | BSD/x86 - execve(/bin/sh) & setuid(0) - 29 bytes |
| Matias Sedalo | BSD/x86 - cat /etc/master.passwd & mail root@localhost - 92 bytes |
| Scrippie | BSD/32bits - Passive Connection - 126 bytes |
| Palante | Linux/ppc - execve /bin/sh - 112 bytes |
| Charles Stevenson | Linux/ppc - read & exec shellcode - 32 bytes |
| Charles Stevenson | Linux/ppc - connect back execve /bin/sh - 240 bytes |
| Charles Stevenson | Linux/ppc - execve /bin/sh - 60 bytes |
| killah | Linux/sparc - connect back - 216 bytes |
| killah | Linux/sparc - Portbind 8975/tcp - 284 bytes |
| anathema | Linux/sparc - [setreuid(0,0); execve() of /bin/sh] - 64 bytes |
| michel kaempf | Linux/sparc - setreuid(0,0)&standard execve() - 72 bytes |
| vaicebine | Linux/mips - port bind 4919 - 276 bytes |
| vaicebine | Linux/mips - execve(/bin/sh,[/bin/sh],[]); - 60 bytes |
| core | Linux/mips - execve(/bin/sh) - 56 bytes |
| evil.xi4oyu | Linux/x86-64 - bindshell port:4444 shellcode - 132 bytes |
| evil.xi4oyu | Linux/x86-64 - setuid(0) + execve(/bin/sh) 49 bytes |
| hophet | Linux/x86-64 - execve(/bin/sh, [/bin/sh], NULL) - 33 bytes |
| darkjoker | Linux/x86 - File unlinker 18 bytes + file path length |
| darkjoker | Linux/x86 - Perl script execution 99 bytes + script length |
| certaindeath | Linux/x86 - File Reader /etc/passwd - 65 bytes |
| Jonathan Salwan | Linux/x86 - setuid(0) & chmod(/tmp,111) & exit(0) - 25 bytes |
| Jonathan Salwan | Linux/x86 - chmod() /etc/shadow 666 & exit() - 30 bytes |
| Jonathan Salwan | Linux/x86 - SystemV killall command - 34 bytes |
| Jonathan Salwan | Linux/x86 - Push Reboot() - 30 bytes |
| Jonathan Salwan | Linux/x86 - Shutdown computer - 51 bytes |
| Jonathan Salwan | Linux/x86 - Ifconfig eth0 down - 51 bytes |
| Jonathan Salwan | Linux/x86 - Kill service apache2 + pure-ftpd + sshd - 81 bytes |
| Kris Katterjohn | Linux/x86 - ipchains -F - 40 bytes |
| XenoMuta | Linux/x86 - Connect-Back port UDP/54321 - 151 bytes |
| XenoMuta | Linux/x86 - append rsa key to /root/.ssh/authorized_keys2 - 295 bytes |
| Rick | Linux/x86 - edit /etc/sudoers for full access - 86 bytes |
| sch3m4 | Linux/x86 - setuid(0) & execve(/bin/sh,0,0) - 28 bytes |
| Thomas Rinsma | Linux/x86 - System Beep - 45 bytes |
| izik | Linux/x86 - HTTP/1.x GET, Downloads & execve() - 111 bytes+ |
| Revenge | Linux/x86 - execve(/bin//sh/,[/bin//sh],NULL) - 22 bytes |
| Kris Katterjohn | Linux/x86 - execve(rm -rf /) - 45 bytes |
| Charles Stevenson | Linux/x86 - exit(1) - 7 bytes |
| cybertronic | Linux/x86 - upload & exec - 189 bytes |
| dev0id | Linux/x86 - symlink /bin/sh xoring - 56 bytes |
| nob0dy | Linux/x86 - kill snort - 151 bytes |
| RaiSe | Linux/x86 - /bin/cp /bin/sh /tmp/katy & chmod 4555 - 126 bytes |
| lamagra | Linux/x86 - cdrom ejecting - 64 bytes |
| Matias Sedalo | Linux/x86 - execve(/bin/sh) - 24 bytes |
| izik | Linux/x86 - adds user xtz without password to /etc/passwd - 59 bytes |
| izik | Linux/x86 - bind /bin/sh to 31337/tcp - 80 bytes |
| izik | Linux/x86 - bind /bin/sh to 31337/tcp & fork() - 98 bytes |
| Marco Ivaldi | Linux/x86 - execve(/bin/sh) - 16 bytes |
| sch3m4 | Linux/x86 - setuid(0) && execve() - 25 bytes |
| jcyberpunk | Linux/x86 - setuid / setgid / chroot break |
| Russell Sanford | Linux/x86 - connect-back 11.22.33.44,31337/tcp - 90 bytes |
| izik | Linux/x86 - connect-back 127.0.0.1:31337/tcp - 74 bytes |