t0s.org

:: Code ::

::Shellcode::
Solaris
bindshell.txt Open a shell on a predefined port (195 bytes)
dup3.c Sample dup() shellcode
find_dup2_shell.txt Find your socket, dup2 it and open a shell

Win32
bindshell_hardcoded_nonulls.c Open a shell on a predefined port. Offsets of API calls hardcoded for Windows XP only. Without null bytes on the shellcode (276 bytes)
bindshell_find_nulls.c Open a shell on a predefined port. Find the API calls. Null bytes on the shellcode (554 bytes)
bindshell_find_nonulls.c Open a shell on a predefined port. Find the API calls. Without null bytes. (626 bytes)
bindshell_find_nonulls_encoded.c Open a shell on a predefined port. Find the API calls. Without null bytes and encoded. (575 bytes)
getpeername_find_nulls.c Find the last socket open and launch a shell. Find the API calls. Null bytes on the shellcode (367 bytes)
getpeername_find_nonulls.c Find the last socket open and launch a shell. Find the API calls. Without null bytes on the shellcode (417 bytes)
getpeername_hardcoded_nonulls.c Find the last socket open and launch a shell. Offsets of API calls hardcoded for Windows XP only. Without null bytes on the shellcode (172 bytes)
pipes_bindshell_hardcoded_nonulls.c Open a shell on a predefined port. Use a standard socket and dup() the shell with pipes. Offsets of API calls hardcoded for Windows XP only. Without null bytes on the shellcode (516 bytes)
pipes_getpeername_find_nonulls.c Find the last socket open and launch a shell, dup()ing with pipes. Without null bytes on the shellcode (739 bytes)
pipes_getpeername_hardcoded_nonulls.c Find the last socket open and launch a shell, dup()ing with pipes. Offsets of API calls hardcoded for Windows XP only. Without null bytes on the shellcode (414 bytes)

SCO
sc_sco_shell.txt Simple shellcode
sc_sco_cmd.txt Command Execution shellcode
sc_sco_chroot.txt Break chroot shellcode

t0s.org - © 2003 v.2.0