AIX
-
- Aix — execve /bin/sh — 88 bytes by Georgi Guninski
Alpha
-
- Alpha — /bin/sh — 80 bytes by Lamont Granquist
- Alpha — execve() — 112 bytes by n/a
- Alpha — setuid() — 156 bytes by n/a
BSD
-
- BSD/32bits — Passive Connection — 126 bytes by Scrippie
- BSD/ppc — execve(/bin/sh) — 128 bytes by Palante
- BSD/x86 — setreuid(geteuid(), geteuid()) and execve(/bin/sh, /bin/sh, 0) by Jihyeog Lim
- BSD/x86 — setuid/execve — 30 bytes by Marco Ivaldi
- BSD/x86 — setuid/portbind — 94 bytes by Marco Ivaldi
- BSD/x86 — break chroot — 45 bytes by Matias Sedalo
- BSD/x86 — cat /etc/master.passwd & mail root@localhost — 92 bytes by Matias Sedalo
- BSD/x86 — execve(/bin/sh) & setuid(0) — 29 bytes by Matias Sedalo
- BSD/x86 — bindshell on port 2525 — 167 bytes by beosroot
- BSD/x86 — execve /bin/sh Crypt /bin/sh — 49 bytes by dev0id
- BSD/x86 — execve(/bin/sh) — 27 bytes by n0gada
- BSD/x86 — Connect Back Port 6969 — 133 bytes by Marcetam
- BSD/x86 — back-connect TCP/2222 — 93 bytes by dev0id
Cisco
-
- Cisco IOS — Connectback shellcode v1.0 by Gyan Chawdhary
- Cisco IOS — Tiny shellcode v1.0 by Gyan Chawdhary
- Cisco IOS — Bind shellcode v1.0 by Varun Uppal
Sco
-
- Sco/x86 — execve(/bin/sh, …, NULL) — 43 bytes by minervini
FreeBSD
Intel x86-64
-
- FreeBSD/x86-64 — execve — 28 bytes by Gitsnik
- FreeBSD/x86-64 — bind_tcp with passcode — 127 bytes by Gitsnik
- FreeBSD/x86-64 — exec(/bin/sh) Shellcode — 31 bytes by Hack’n Roll
- FreeBSD/x86-64 — execve /bin/sh shellcode 34 bytes by Hack’n Roll
- FreeBSD/x86-64 — Execve /bin/sh — Anti-Debugging by c0d3_z3r0
Intel x86
-
- FreeBSD/x86 — execve /tmp/sh — 34 bytes by Claes M. Nyberg
- FreeBSD/x86 — execve /bin/sh 23 bytes by IZ
- FreeBSD/x86 — reboot(RB_AUTOBOOT) — 7 bytes by IZ
- FreeBSD/x86 — bind port:4883 with auth shellcode by MahDelin
- FreeBSD/x86 — connect back /bin/sh. 81 bytes by Tosh
- FreeBSD/x86 — execv(/bin/sh) — 23 bytes by Tosh
- FreeBSD/x86 — portbind shell + fork — 111 bytes by Tosh
- FreeBSD/x86 — 8.0-RELEASE — //sbin/pfctl -F all Shellcode 47 Bytes by antrhacks
- FreeBSD/x86 — encrypted shellcode /bin/sh 48 bytes by c0d3_z3r0
- FreeBSD/x86 — kldload /tmp/o.o — 74 bytes by dev0id
- FreeBSD/x86 — /bin/sh — 23 bytes by marcetam
- FreeBSD/x86 — execve /bin/sh 37 bytes by preedator
- FreeBSD/x86 — portbind shellcode — 167 bytes by sbz
- FreeBSD/x86 — execve(/bin/cat & /etc/master.passwd) — 65 bytes by sm4x
- FreeBSD/x86 — reverse connect dl(shellcode) and execute, exit — 90 bytes by sm4x
- FreeBSD/x86 — reverse portbind /bin/sh — 89 bytes by sm4x
- FreeBSD/x86 — setuid(0)&execve({//sbin/ipf,-Faa,0},0); — 57 bytes by sm4x
- FreeBSD/x86 — connect back.send.exit /etc/passwd — 112 bytes by suN8Hclf
- FreeBSD/x86 — kill all processes — 12 bytes by suN8Hclf
- FreeBSD/x86 — setreuid(0, 0) & execve(pfctl -d) — 56 bytes by suN8Hclf
- FreeBSD/x86 — bind sh port 41254 — 115 bytes by zillion
- FreeBSD/x86 — reboot() — 15 bytes by zillion
Hp-Ux
Irix
-
- Irix — execve(/bin/sh -c) — 72 bytes by n/a
- Irix — execve(/bin/sh) — 43 bytes by n/a
- Irix — Bind Port — 364 bytes by scut/teso
- Irix — execve(/bin/sh) — 68 bytes by scut/teso
- Irix — stdin-read shellcode — 40 bytes by scut/teso
Linux
ARM
-
- Linux/ARM — execve(«/bin/sh», NULL, 0) — 34 bytes Jonathan ‘dummys’ Borgeaud
- Linux/ARM — Add map in /etc/hosts file — 79 bytes Osanda Malith Jayathissa
- Linux/ARM — chmod(«/etc/passwd», 0777) — 39 bytes gunslinger_
- Linux/ARM — creat(«/root/pwned», 0777) — 39 bytes gunslinger_
- Linux/ARM — execve(«/bin/sh», [], [0 vars]) — 35 bytes gunslinger_
- Linux/ARM — Bind Connect UDP Port 68 by Daniel Godas-Lopez
- Linux/ARM — Bindshell port 0x1337 by Daniel Godas-Lopez
- Linux/ARM — Loader Port 0x1337 by Daniel Godas-Lopez
- Linux/ARM — ifconfig eth0 and Assign Address by Daniel Godas-Lopez
- Linux/ARM — chmod(/etc/shadow, 0777) Shellcode — 35 Bytes by Florian Gaultier
- Linux/ARM — polymorphic chmod(/etc/shadow, 0777) — 84 Bytes by Florian Gaultier
- Linux/ARM — Polymorphic execve(«/bin/sh», [«/bin/sh»], NULL); — XOR — 78 bytes by Jonathan Salwan
- Linux/ARM — execve(/bin/sh, /bin/sh, 0) — 30 bytes by Jonathan Salwan
- Linux/ARM — execve(/bin/sh, [0], [0 vars]) — 27 bytes by Jonathan Salwan
- Linux/ARM — execve(/bin/sh,NULL,0) — 31 bytes by Jonathan Salwan
- Linux/ARM — setuid(0) & execve(/bin/sh, /bin/sh, 0) — 38 bytes by Jonathan Salwan
- Linux/ARM — connect back /bin/sh. 79 bytes by Neil Klopfenstein
- Linux/ARM — chmod(/etc/shadow, 0777) — 41 bytes by midnitesnake
- Linux/ARM — execve(/bin/sh, [0], [0 vars]) — 30 bytes by midnitesnake
- Linux/ARM — reverse_shell(tcp,10.1.1.2,0×1337) by midnitesnake
Strong ARM
-
- Linux/StrongARM — bind() portshell — 203 bytes by funkysh
- Linux/StrongARM — execve() — 47 bytes by funkysh
- Linux/StrongARM — setuid() — 20 bytes by funkysh
Super-H
-
- Linux/SuperH — sh4 — Bind /bin/sh on port 31337 by Dad`
- Linux/SuperH — sh4 execve(/bin/sh, 0, 0) — 19 bytes by Florian Gaultier
- Linux/SuperH — sh4 — setuid(0) ; execve(/bin/sh, NULL, NULL) — 27 bytes by Jonathan Salwan
MIPS
-
- Linux/mips — Reverse Shell Shellcode — 200 bytes by Jacob Holcomb
- Linux/mips — execve(/bin/sh) — 56 bytes by core
- Linux/mips — execve(/bin/sh, */bin/sh, 0) — 52 bytes by entropy
- Linux/mips — add user(UID 0) with password — 164 bytes by rigan
- Linux/mips — connect back shellcode (port 0x7a69) — 168 bytes by rigan
- Linux/mips — execve /bin/sh — 48 bytes by rigan
- Linux/mips — reboot() — 32 bytes by rigan
- Linux/mips — execve(/bin/sh,[/bin/sh],[]); — 60 bytes by vaicebine
- Linux/mips — port bind 4919 — 276 bytes by vaicebine
PPC
-
- Linux/ppc — connect back execve /bin/sh — 240 bytes by Charles Stevenson
- Linux/ppc — execve /bin/sh — 60 bytes by Charles Stevenson
- Linux/ppc — read & exec shellcode — 32 bytes by Charles Stevenson
- Linux/ppc — execve /bin/sh — 112 bytes by Palante
Sparc
-
- Linux/sparc — [setreuid(0,0); execve() of /bin/sh] — 64 bytes by anathema
- Linux/sparc — Portbind 8975/tcp — 284 bytes by killah
- Linux/sparc — connect back — 216 bytes by killah
- Linux/sparc — setreuid(0,0)&standard execve() — 72 bytes by michel kaempf
CRISv32
Intel x86-64
-
- Linux/x86-64 — Add map in /etc/hosts file — 110 bytes by Osanda Malith Jayathissa
- Linux/x86-64 — Connect Back Shellcode — 139 bytes by MadMouse
- Linux/x86-64 — access() Egghunter — 49 bytes by Doreth.Z10
- Linux/x86-64 — Shutdown — 64 bytes by Keyman
- Linux/x86-64 — Read password — 105 bytes by Keyman
- Linux/x86-64 — Password Protected Reverse Shell — 136 bytes by Keyman
- Linux/x86-64 — Password Protected Bind Shell — 147 bytes by Keyman
- Linux/x86-64 — Add root — Polymorphic — 273 bytes by Keyman
- Linux/x86-64 — Bind TCP stager with egghunter — 157 bytes by Christophe G
- Linux/x86-64 — Add user and password with open,write,close — 358 bytes by Christophe G
- Linux/x86-64 — Add user and password with echo cmd — 273 bytes by Christophe G
- Linux/x86-64 — Read /etc/passwd — 82 bytes by Mr.Un1k0d3r
- Linux/x86-64 — shutdown -h now — 65 bytes by Osanda Malith Jayathissa
- Linux/x86-64 — TCP Bind 4444 with password — 173 bytes by Christophe G
- Linux/x86-64 — TCP reverse shell with password — 138 bytes by Andriy Brukhovetskyy
- Linux/x86-64 — TCP bind shell with password — 175 bytes by Andriy Brukhovetskyy
- Linux/x86-64 — Reads data from /etc/passwd to /tmp/outfile — 118 bytes by Chris Higgins
- Linux/x86-64 — shell bind TCP random port — 57 bytes by Geyslan G. Bem
- Linux/x86-64 — TCP bind shell — 150 bytes by Russell Willis
- Linux/x86-64 — Reverse TCP shell — 118 bytes by Russell Willis
- Linux/x86-64 — add user with passwd — 189 bytes by 0_o
- Linux/x86-64 — execve(/sbin/iptables, [/sbin/iptables, -F], NULL) — 49 bytes by 10n1z3d
- Linux/x86-64 — Execute /bin/sh — 27 bytes by Dad`
- Linux/x86-64 — bind-shell with netcat — 131 bytes by Gaussillusion
- Linux/x86-64 — connect back shell with netcat — 109 bytes by Gaussillusion
- Linux/x86-64 — setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR — 85 bytes by egeektronic
- Linux/x86-64 — setreuid(0,0) execve(/bin/csh, [/bin/csh, NULL]) + XOR — 87 bytes by egeektronic
- Linux/x86-64 — setreuid(0,0) execve(/bin/ksh, [/bin/ksh, NULL]) + XOR — 87 bytes by egeektronic
- Linux/x86-64 — setreuid(0,0) execve(/bin/zsh, [/bin/zsh, NULL]) + XOR — 87 bytes by egeektronic
- Linux/x86-64 — bindshell port:4444 shellcode — 132 bytes by evil.xi4oyu
- Linux/x86-64 — setuid(0) + execve(/bin/sh) 49 bytes by evil.xi4oyu
- Linux/x86-64 — execve(/bin/sh, [/bin/sh], NULL) — 33 bytes by hophet
- Linux/x86-64 — execve(/bin/sh); — 30 bytes by zbt
- Linux/x86-64 — reboot(POWER_OFF) — 19 bytes by zbt
- Linux/x86-64 — sethostname() & killall — 33 bytes by zbt
Intel x86
-
- Linux/x86 — Followtheleader custom execve-shellcode Encoder/Decoder — 136 bytes by Konstantinos Alexiou
- Linux/x86 — ROT-7 Decoder execve — 74 bytes by Stavros Metzidakis
- Linux/x86 — Add map in /etc/hosts file — 77 bytes by Javier Tejedor
- Linux/x86 — Obfuscated — chmod({passwd,shadow}) — add new root user — exec /bin/sh — 512 bytes by Ali Razmjoo
- Linux/x86 — setreuid() + exec /usr/bin/python — 54 bytes by Ali Razmjoo
- Linux/x86 — chmod + Add new root user with password + exec sh — 378 bytes by Ali Razmjoo
- Linux/x86 — Shell Reverse TCP Shellcode — 74 bytes by Julien Ahrens
- Linux/x86 — Shell Bind TCP Shellcode Port 1337 — 89 bytes by Julien Ahrens
- Linux/x86 — sockfd trick + dup2(0,0),dup2(0,1),dup2(0,2) + execve /bin/sh — 50 bytes by ZadYree
- Linux/x86 — shutdown -h now — 56 bytes by Osanda Malith Jayathissa
- Linux/x86 — chmod 0777 /etc/shadow (a bit obfuscated) Shellcode — 51 bytes by Osanda Malith Jayathissa
- Linux/x86 — /bin/nc -le /bin/sh -vp 17771 — 58 bytes by Oleg Boytsev
- Linux/x86 — JMP-FSTENV execve shell — 67 bytes by Paolo Stivanin
- Linux/x86 — shift-bit-encoder execve — 114 bytes by Shihao Song
- Linux/x86 — Copy /etc/passwd to /tmp/outfile — 97 bytes by Paolo Stivanin
- Linux/x86 — jump-call-pop execve shell — 52 bytes by Paolo Stivanin
- Linux/x86 — Download + chmod + exec — 108 bytes by Daniel Sauder
- Linux/x86 — reads /etc/passwd and sends the content to 127.1.1.1 port 12345 — 111 bytes by Daniel Sauder
- Linux/x86 — Multi-Egghunter by Ryan Fenno
- Linux/x86 — Obfuscated tcp bind shell — 112 bytes by Russell Willis
- Linux/x86 — Obfuscated execve /bin/sh — 30 bytes by Russell Willis
- Linux/x86 — egghunter shellcode by Russell Willis
- Linux/x86 — Reverse TCP bind shell — 92 bytes by Russell Willis
- Linux/x86 — Set /proc/sys/net/ipv4/ip_forward to 0 & exit() — 83 bytes by Hamid Zamani
- Linux/x86 — TCP bind shell — 108 bytes by Russell Willis
- Linux/x86 — Encrypted execve /bin/sh with uzumaki algorithm — 50 bytes by Geyslan G. Bem
- Linux/x86 — Mutated Execve Wget — 96 bytes by Geyslan G. Bem
- Linux/x86 — Mutated Fork Bomb — 15 bytes by Geyslan G. Bem
- Linux/x86 — Mutated Reboot — 55 bytes by Geyslan G. Bem
- Linux/x86 — Tiny read /etc/passwd file — 51 bytes by Geyslan G. Bem
- Linux/x86 — Tiny Execve sh Shellcode — 21 bytes by Geyslan G. Bem
- Linux/x86 — Insertion Decoder Shellcode — 33+ bytes by Geyslan G. Bem
- Linux/x86 — Egg Hunter Shellcode — 38 bytes by Geyslan G. Bem
- Linux/x86 — Tiny Shell Reverse TCP — 67 bytes by Geyslan G. Bem
- Linux/x86 — Tiny Shell Bind TCP Random Port — 57 bytes by Geyslan G. Bem
- Linux/x86 — Tiny Shell Bind TCP — 73 bytes by Geyslan G. Bem
- Linux/x86 — Shell Bind TCP (GetPC/Call/Ret Method) — 89 bytes by Geyslan G. Bem
- Linux/x86 — append /etc/passwd & exit() — 107 bytes by $andman
- Linux/x86 — unlink(/etc/passwd) & exit() — 35 bytes by $andman
- Linux/x86 — connect back&send&exit /etc/shadow — 155 bytes by 0in
- Linux/x86 — execve read shellcode — 92 bytes by 0ut0fbound
- Linux/x86 — egghunt shellcode — 29 bytes by Ali Raheem
- Linux/x86 — nc -lvve/bin/sh -p13377 — 62 bytes by Anonymous
- Linux/x86 — /bin/sh Null-Free Polymorphic — 46 bytes by Aodrulez
- Linux/x86 — execve() Diassembly Obfuscation Shellcode — 32 bytes by BaCkSpAcE
- Linux/x86 — SET_IP() Connectback Shellcode — 82 bytes by Benjamin Orozco
- Linux/x86 — SET_PORT() portbind — 100 bytes by Benjamin Orozco
- Linux/x86 — netcat bindshell port 8080 — 75 bytes by Blake
- Linux/x86 — netcat connect back port 8080 — 76 bytes by Blake
- Linux/x86 — adds a root user no-passwd to /etc/passwd — 83 bytes by Bob [Dtors.net]
- Linux/x86 — chmod(//bin/sh ,04775); set sh +s — 31 bytes by Bob [Dtors.net]
- Linux/x86 — execve()/bin/ash; exit; — 34 bytes by Bob [Dtors.net]
- Linux/x86 — setuid(); execve(); exit(); — 44 bytes by Bob [Dtors.net]
- Linux/x86 — setreuid(0, 0) + execve(/bin//sh, [/bin//sh, -c, cmd], NULL); by Bunker
- Linux/x86 — dup2(0,0); dup2(0,1); dup2(0,2); 15 bytes by Charles Stevenson
- Linux/x86 — exit(1) — 7 bytes by Charles Stevenson
- Linux/x86 — if(read(fd,buf,512)<=2) _exit(1) else buf(); — 29 bytes by Charles Stevenson
- Linux/x86 — read(0,buf,2541); chmod(buf,4755); — 23 bytes by Charles Stevenson
- Linux/x86 — execve(/bin/dash) — 49 bytes by Chroniccommand
- Linux/x86 — Audio (knock knock knock) via /dev/dsp+setreuid(0,0)+execve() — 566 bytes by Cody Tubbs
- Linux/x86 — Surprise ! ! ! — 361 bytes by Florian Gaultier
- Linux/x86 — Write FS PHP Connect Back Utility Shellcode — 508 bytes by GS2008
- Linux/x86 — Bind TCP Port — with SO_REUSEADDR set (Avoiding SIGSEGV) — 103 bytes by Geyslan G. Bem
- Linux/x86 — Shell Bind TCP Random Port — 65 bytes by Geyslan G. Bem
- Linux/x86 — Shell Reverse TCP Shellcode — 72 bytes by Geyslan G. Bem
- Linux/x86 — Password Authentication portbind port 64713/tcp — 166 bytes by Gotfault Security
- Linux/x86 — portbind port 64713 — 86 bytes by Gotfault Security
- Linux/x86 — setreuid(0,0) + execve(/bin/sh, [/bin/sh, NULL]) — 33 bytes by Gotfault Security
- Linux/x86 — setuid(0) setgid(0) execve(«/bin/sh», [«/bin/sh», NULL]) — 37 bytes by Gotfault Security
- Linux/x86 — Force Reboot shellcode 36 bytes by Hamza Megahed
- Linux/x86 — Remote Port forwarding — 87 bytes by Hamza Megahed
- Linux/x86 — execve /bin/sh shellcode — 23 bytes by Hamza Megahed
- Linux/x86 — execve-chmod 0777 /etc/shadow — 57 bytes by Hamza Megahed
- Linux/x86 — iptables —flush — 43 bytes by Hamza Megahed
- Linux/x86 — ASLR deactivation — 83 bytes by Jean Pascal Pereira
- Linux/x86 — chmod 666 /etc/passwd & /etc/shadow — 57 bytes by Jean Pascal Pereira
- Linux/x86 — execve(/bin/sh) — 28 bytes by Jean Pascal Pereira
- Linux/x86 — ///sbin/iptables -POUTPUT DROP — 60 bytes by John Babio
- Linux/x86 — /etc/init.d/apparmor teardown — 53 bytes by John Babio
- Linux/x86 — /usr/bin/killall snort — 46 bytes by John Babio
- Linux/x86 — /bin/sh polymorphic shellcode — 48 bytes by Jonathan Salwan
- Linux/x86 — ConnectBack with SSL connection — 422 bytes by Jonathan Salwan
- Linux/x86 — Remote file Download — 42 bytes by Jonathan Salwan
- Linux/x86 — execve(/bin/bash, [/bin/sh, -p], NULL) — 33 bytes by Jonathan Salwan
- Linux/x86 — polymorphic execve(/bin/bash, [/bin/sh, -p], NULL) — 57 bytes by Jonathan Salwan
- Linux/x86 — /bin/sh — 8 bytes by JungHoon Shin
- Linux/x86 — add root user (r00t) with no password to /etc/passwd by Kris Katterjohn
- Linux/x86 — chmod(/etc/shadow, 0666) & exit() by Kris Katterjohn
- Linux/x86 — execve(rm -rf /) — 45 bytes by Kris Katterjohn
- Linux/x86 — forkbomb — 7 bytes by Kris Katterjohn
- Linux/x86 — ipchains -F — 40 bytes by Kris Katterjohn
- Linux/x86 — kill all processes — 11 bytes by Kris Katterjohn
- Linux/x86 — set system time to 0 & exit by Kris Katterjohn
- Linux/x86 — setuid(0) setgid(0) execve(echo 0 > /proc/sys/kernel/randomize_va_space) — 79 bytes by LiquidWorm
- Linux/x86 — DoS-Badger-Game — 6 bytes by Magnefikko
- Linux/x86 — SLoc-DoS shellcode — 55 bytes by Magnefikko
- Linux/x86 — bind sh@64533 — 97 bytes by Magnefikko
- Linux/x86 — chmod(/etc/shadow, 0666) — 36 bytes by Magnefikko
- Linux/x86 — chmod(/etc/shadow, 0777) — 29 bytes by Magnefikko
- Linux/x86 — execve(/bin/sh) — 25 bytes by Magnefikko
- Linux/x86 — execve(a->/bin/sh) — 14 bytes by Magnefikko
- Linux/x86 — setreud(getuid(), getuid()) & execve(/bin/sh) — 34 bytes by Magnefikko
- Linux/x86 — setuid(0) ^ execve(/bin/sh, 0, 0) — 27 bytes by Magnefikko
- Linux/x86 — setuid(0) + execve(/bin/sh,…) — 29 bytes by Marcin Ulikowski
- Linux/x86 — re-use of (/bin/sh) string in .rodata — 16 bytes by Marco Ivaldi
- Linux/x86 — setuid/portbind port 31337 TCP — 96 bytes by Marco Ivaldi
- Linux/x86 — stdin re-open and /bin/sh execute by Marco Ivaldi
- Linux/x86 — add user t00r ENCRYPT — 116 bytes by Matias Sedalo
- Linux/x86 — chmod 666 /etc/shadow — 41 bytes by Matias Sedalo
- Linux/x86 — chmod 666 shadow ENCRYPT — 75 bytes by Matias Sedalo
- Linux/x86 — execve /bin/sh encrypted — 58 bytes by Matias Sedalo
- Linux/x86 — portbind a shell in port 5074 — 92 bytes by Matias Sedalo
- Linux/x86 — execve /bin/sh anti-ids 40 bytes by NicatiN
- Linux/x86 — /bin/cp /bin/sh /tmp/katy & chmod 4555 — 126 bytes by RaiSe
- Linux/x86 — execve(/bin//sh/,[/bin//sh],NULL) — 22 bytes by Revenge
- Linux/x86 — setuid(0) + execve(/bin//sh, [/bin//sh], NULL) — 28 bytes by Revenge
- Linux/x86 — Port Bind 4444 ( xor-encoded ) — 152 bytes by Rick
- Linux/x86 — edit /etc/sudoers for full access — 86 bytes by Rick
- Linux/x86 — Connect Back shellcode — 90 bytes by Russell Sanford
- Linux/x86 — socket-proxy — 372 bytes by Russell Sanford
- Linux/x86 — [setreuid()] -> [/sbin/iptables -F] -> [exit(0)] — 76 bytes by Sh3llc0d3
- Linux/x86 — Add root user /etc/passwd — 104 bytes by Shok
- Linux/x86 — iptables -F — 49 bytes by Sp4rK
- Linux/x86 — execve(/sbin/halt,/sbin/halt) — 27 bytes by TheWorm
- Linux/x86 — execve(/sbin/reboot,/sbin/reboot) — 28 bytes by TheWorm
- Linux/x86 — execve(/sbin/shutdown,/sbin/shutdown 0) — 36 bytes by TheWorm
- Linux/x86 — exit(0) 3 bytes or exit(1) 4 bytes by TheWorm
- Linux/x86 — setuid(0) & execve(/bin/sh,0) — 25 bytes by TheWorm
- Linux/x86 — setuid(0), setgid(0) & execve(/bin/sh,[/bin/sh,NULL]) — 33 bytes by TheWorm
- Linux/x86 — System Beep — 45 bytes by Thomas Rinsma
- Linux/x86 — Bindshell TCP/5074 — 226 bytes by Tora
- Linux/x86 — iptables -F — 45 bytes by UnboundeD
- Linux/x86 — Connect-Back port UDP/54321 — 151 bytes by XenoMuta
- Linux/x86 — append rsa key to /root/.ssh/authorized_keys2 — 295 bytes by XenoMuta
- Linux/x86 — listens for shellcode on tcp/5555 and jumps to it — 83 bytes by XenoMuta
- Linux/x86 — Self-modifying ShellCode for IDS evasion — 64 bytes by Xenomuta
- Linux/x86 — shellcode that forks a HTTP Server on port tcp/8800 — 166 bytes by Xenomuta
- Linux/x86 — stagger that reads second stage shellcode (127 bytes maximum) from stdin — 14 bytes by _fkz
- Linux/x86 — alphanumeric Bomb FORK Shellcode — 117 Bytes by agix
- Linux/x86 — chmod(/etc/shadow, 0666) ASCII — 443 bytes by agix
- Linux/x86 — pwrite(/etc/shadow, hash, 32, 8) — 89 Bytes by agix
- Linux/x86 — Polymorphic — setuid(0) + chmod(/etc/shadow, 0666) — 61 Bytes by antrhacks
- Linux/x86 — execve(/bin/cat, /etc/shadow, NULL) — 42 bytes by antrhacks
- Linux/x86 — setuid(0) + chmod(/etc/shadow, 0666) — 37 Bytes by antrhacks
- Linux/x86 — setreuid(geteuid(),geteuid()),execve(/bin/sh,0,0) — 34bytes by blue9057
- Linux/x86 — /bin/sh sysenter Opcode Array Payload — 23 Bytes by c0ntex & BaCkSpAcE
- Linux/x86 — File Reader /etc/passwd — 65 bytes by certaindeath
- Linux/x86 — sends Phuck3d! to all terminals — 60 bytes by condis
- Linux/x86 — upload & exec — 189 bytes by cybertronic
- Linux/x86 — File unlinker 18 bytes + file path length by darkjoker
- Linux/x86 — Perl script execution 99 bytes + script length by darkjoker
- Linux/x86 — iptables -F — 58 bytes by dev0id
- Linux/x86 — symlink /bin/sh xoring — 56 bytes by dev0id
- Linux/x86 — iopl(3); asm(cli); while(1){} — 12 bytes by dun
- Linux/x86 — SWAP restore — 109 bytes by dx & spud
- Linux/x86 — SWAP store — 99 bytes by dx & spud
- Linux/x86 — /sbin/iptables —flush — 69 bytes by eSDee [Netric .org]
- Linux/x86 — connect back shellcode (port=0xb0ef) — 131 bytes by eSDee [Netric .org]
- Linux/x86 — forking portbind shellcode — port=0xb0ef(45295) — 200 bytes by eSDee [Netric .org]
- Linux/x86 — setreuid(0,0) execve(«/bin/zsh», [/bin/zsh, NULL]) + XOR — 53 bytes by egeektronic
- Linux/x86 — setreuid(0,0) execve(«/bin/csh», [/bin/csh, NULL]) + XOR — 53 bytes by egeektronic
- Linux/x86 — setreuid(0,0) execve(«/bin/ksh», [/bin/ksh, NULL]) + XOR — 53 bytes by egeektronic
- Linux/x86 — setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR — 58 bytes by egeektronic
- Linux/x86 — bin/cat /etc/passwd — 43 bytes by fb1h2s
- Linux/x86 — execve() — 51bytes by fl0 fl0w
- Linux/x86 — Find all writeable folder in filesystem linux polymorphic shellcode by gunslinger_
- Linux/x86 — Polymorphic bindport to 13123 — 125 bytes by gunslinger_
- Linux/x86 — Polymorphic bindport to 31337 with setreuid (0,0) — 131 bytes by gunslinger_
- Linux/x86 — bind port to 6678 XOR encoded polymorphic — 125 bytes by gunslinger_
- Linux/x86 — cdrom ejecting shellcode — 46 bytes by gunslinger_
- Linux/x86 — chown root:root /bin/sh — 48 bytes by gunslinger_
- Linux/x86 — force unmount /media/disk — 33 bytes by gunslinger_
- Linux/x86 — give all user root access when execute /bin/sh — 45 bytes by gunslinger_
- Linux/x86 — hard reboot (without any message) and data not lost — 33 bytes by gunslinger_
- Linux/x86 — hard reboot (without any message) and data will be lost — 29 bytes by gunslinger_
- Linux/x86 — nc -lp 31337 -e /bin//sh polymorphic — 91 bytes by gunslinger_
- Linux/x86 — polymorphic cdrom ejecting — 74 bytes by gunslinger_
- Linux/x86 — setdomainname to (th1s s3rv3r h4s b33n h1j4ck3d !!) by gunslinger_
- Linux/x86 — sys_chmod(/etc/shadow, 599) — 39 bytes by gunslinger_
- Linux/x86 — sys_execve(/bin/sh, -c, ping localhost) — 55 bytes by gunslinger_
- Linux/x86 — sys_exit(0) — 8 bytes by gunslinger_
- Linux/x86 — sys_kill(-1,9) — 11 bytes by gunslinger_
- Linux/x86 — sys_rmdir(/tmp/willdeleted) — 41 bytes by gunslinger_
- Linux/x86 — sys_sethostname(PwNeD !!, 8) — 32 bytes by gunslinger_
- Linux/x86 — sys_setuid(0) & sys_setgid(0) & execve (/bin/sh) — 39 bytes by gunslinger_
- Linux/x86 — sys_sync — 6 bytes by gunslinger_
- Linux/x86 — unlink /etc/shadow — 33 bytes by gunslinger_
- Linux/x86 — Reverse Telnet by hts
- Linux/x86 — execve /bin/sh — 21 bytes by ipv
- Linux/x86 — HTTP/1.x GET, Downloads & execve() — 111 bytes+ by izik
- Linux/x86 — HTTP/1.x GET, Downloads and JMP — 68 bytes+ by izik
- Linux/x86 — anti-debug trick (INT 3h trap) execve(/bin/sh, [/bin/sh, NULL], NULL) — 39 bytes by izik
- Linux/x86 — cat /dev/urandom > /dev/console, no real profit just for kicks — 63 bytes by izik
- Linux/x86 — eject & close cd-rom frenzy loop (follows /dev/cdrom symlink) — 45 bytes by izik
- Linux/x86 — execve /bin/sh xored for Intel x86 CPUID 41 bytes by izik
- Linux/x86 — execve(/bin/sh, [/bin/sh, NULL]) + Bitmap — 27 bytes by izik
- Linux/x86 — execve(/bin/sh, [/bin/sh, NULL]) + RIFF Header — 28 bytes by izik
- Linux/x86 — execve(/bin/sh, [/bin/sh, NULL]) + RTF header — 30 bytes by izik
- Linux/x86 — execve(/bin/sh, [/bin/sh, NULL]) + ZIP Header — 28 bytes by izik
- Linux/x86 — execve(/bin/sh, [/bin/sh], NULL) / encoded by +1 — 39 bytes by izik
- Linux/x86 — open cd-rom loop (follows /dev/cdrom symlink) — 39 bytes by izik
- Linux/x86 — quick (yet conditional, eax != 0 and edx == 0) exit — 4 bytes by izik
- Linux/x86 — chmod(/etc/shadow, 0666) & exit() — 33 bytes by ka0x
- Linux/x86 — setuid(0) & execve(/bin/cat /etc/shadow) — 49 bytes by ka0x
- Linux/x86 — setuid(0) & execve(/sbin/poweroff -f) — 47 bytes by ka0x
- Linux/x86 — execve (/bin/sh) — 21 Bytes by kernel_panik
- Linux/x86 — Bindport TCP/3879 by lamagra
- Linux/x86 — connect back, download a file and execute — 149 bytes by militan
- Linux/x86 — raw-socket ICMP/checksum shell — 235 bytes by mu-b
- Linux/x86 — hence dropping a SUID root shell in /tmp — 126 bytes by n/a
- Linux/x86 — kill snort — 151 bytes by nob0dy
- Linux/x86 — setreuid & execve — 31 bytes by oc192
- Linux/x86 — rm -rf / which attempts to block the process from being stopped — 132 bytes by onionring
- Linux/x86 — portbind (define your own port) — 84 bytes by oveRet
- Linux/x86 — setuid(0)+setgid(0)+add user iph without password — 124 bytes by pentesters.ir
- Linux/x86 — break chroot execve /bin/sh — 80 bytes by preedator
- Linux/x86 — Search php,html writable files and add your code — 380+ bytes by rigan
- Linux/x86 — chmod 666 /etc/shadow — 27 bytes by root@thegibson
- Linux/x86 — eject /dev/cdrom — 42 bytes by root@thegibson
- Linux/x86 — kill all processes — 9 bytes by root@thegibson
- Linux/x86 — overwrite MBR on /dev/sda with LOL! — 43 bytes by root@thegibson
- Linux/x86 — execve(/bin/sh,0,0) — 21 bytes by sToRm
- Linux/x86 — portbind /bin/sh (port 64713) — 83 bytes by sToRm
- Linux/x86 — setuid(0) & execve(/bin/sh,0,0) — 28 bytes by sToRm
- Linux/x86 — setresuid(0,0,0); execve /bin/sh; exit; — 41 bytes by sacrine
- Linux/x86 — setuid(0) & execve(/bin/sh,0,0) — 28 bytes by sch3m4
- Linux/x86 — disabled modsecurity — 64 bytes by sekfault
- Linux/x86 — shared memory exec — 50 bytes by sloth
- Linux/x86 — chmod(/etc/shadow, 0777) — 33 bytes by sm0k
- Linux/x86 — setresuid(0,0,0)-/bin/sh — 35 bytes by sorrow
- Linux/x86 — Add User USER=t00r PASS=t00r — Encoder PexFnstenvSub — 116 bytes by vlad902
- Linux/x86 — disables shadowing — 42 bytes by vlan7
- Linux/x86 — setuid() & execve() — 27 bytes by vlan7
- Linux/x86 — examples of long-term payloads hide-wait-change — 187 bytes+ by xort & izik
- Linux/x86 — Alpha-Numeric using IMUL Method — 88 bytes by xort
- Linux/x86 — Magic Byte Self Modifying Code for surviving — execve() _exit() — 76 bytes by xort
- Linux/x86 — Radically Self Modifying Code — execve & _exit() — 70 bytes by xort
- Linux/x86 — alpha-numeric — 64 bytes by xort
- Linux/x86 — examples of long-term payloads hide-wait-change (.s) by xort
- Linux/x86 — add a passwordless local root account w000t — 177 bytes by zillion
- Linux/x86 — execve of /bin/sh /tmp/p00p — 70 bytes by zillion
- Linux/x86 — execve of /sbin/ipchains -F — 70 bytes by zillion
- Linux/x86 — execve() of /sbin/iptables -F — 70 bytes by zillion
- Linux/x86 — mkdir() & exit() — 36 bytes by zillion
NetBSD
-
- NetBSD/x86 — kill all processes shellcode — 23 bytes by Anonymous
- NetBSD/x86 — execve(/bin/sh) — 68 bytes by humble
- NetBSD/x86 — callback (port 6666) — 83 bytes by minervini
- NetBSD/x86 — setreuid(0, 0); execve(/bin//sh, …, NULL); — 29 bytes by minervini
OpenBSD
-
- OpenBSD/x86 — reboot() — 15 bytes by beosroot
- OpenBSD/x86 — execve(/bin/sh) — 23 bytes by hophet
- OpenBSD/x86 — add user w00w00 — 112 bytes by n/a
- OpenBSD/x86 — portbind port 6969 — 148 bytes by noir
OSX
PPC
-
- Osx/ppc — Add user r00t — 219 bytes by B-r00t
- Osx/ppc — add inetd backdoor — 222 bytes by B-r00t
- Osx/ppc — create /tmp/suid — 122 bytes by B-r00t
- Osx/ppc — remote findsock by recv() key shellcode by Dino Dai Zovi
- Osx/ppc — Single Reverse TCP by H D Moore
- Osx/ppc — stager sock find peek by H D Moore
- Osx/ppc — stager sock find by H D Moore
- Osx/ppc — stager sock reverse by H D Moore
- Osx/ppc — Bind Shell PORT TCP/8000 — encoder OSXPPCLongXOR — 300 bytes by H D moore
- Osx/ppc — shellcode execve(/bin/sh) by ghandi
- Osx/ppc — execve(/bin/sh,[/bin/sh],NULL)& exit() — 72 bytes by haphet
- Osx/ppc — sync(), reboot() — 32 bytes by haphet
Intel x86-64
-
- Osx/x86-64 — setuid shell x86_64 — 51 bytes by Dustin Schultz
- Osx/x86-64 — reverse tcp shellcode — 131 bytes by Jacob Hammack
- Osx/x86-64 — universal OSX dyld ROP shellcode by pa_kt
Intel x86
-
- Osx/x86 — execve(/bin/sh) — 24 bytes by Simon Derouineau
Solaris
MIPS
-
- Solaris/mips — connect-back (with XNOR encoded session) — 600 bytes by Russell Sanford
- Solaris/mips — download and execute — 278 bytes by Russell Sanford
SPARC
-
- Solaris/sparc — setreuid(geteuid()), setregid(getegid()), execve /bin/sh by Claes M. Nyberg
- Solaris/sparc — Bind /bin/sh TCP port 2001 by ghandi
- Solaris/sparc — portbind | port 6666 — 240 bytes by lhall
- Solaris/sparc — setreuid — 56 bytes by lhall
- Solaris/sparc — execve(/bin/sh) — 52 bytes by LSD
- Solaris/sparc — Single bind TCP shell by vlad902
Intel x86
-
- Solaris/x86 — setuid(0) /bin/cat //etc/shadow — 61 bytes by John Babio
- Solaris/x86 — Remote Download file — 79 bytes by Jonathan Salwan
- Solaris/x86 — execve(/bin/sh, /bin/sh, NULL) — 27 bytes by Jonathan Salwan
- Solaris/x86 — add services and execve inetd — 201 bytes by n/a
- Solaris/x86 — execve /bin/sh toupper evasion — 84 bytes by n/a
- Solaris/x86 — execve /bin/sh — 43 bytes by shellcode.com.ar
- Solaris/x86 — setuid(0)&execve(//bin/sh)&exit(0) — 39 bytes by sm4x
- Solaris/x86 — setuid(0)&execve(/bin/cat, /etc/shadow)&exit(0) — 59 bytes by sm4x
Windows
- Windows/64 — Obfuscated Shellcode x86/x64 Download And Execute [Use PowerShell] — Generator by Ali Razmjoo
- Windows/64 — Add Admin, enable RDP, stop firewall and start terminal service — 1218 bytes by Ali Razmjoo
- Windows/64 — (URLDownloadToFileA) download and execute — 218+ bytes by Weiss
- Windows/64 — Windows Seven x64 (cmd) — 61 bytes by agix
- Windows — Add Admin, enable RDP, stop firewall and start terminal service — 1218 bytes by Ali Razmjoo
- Windows — Add Admin User Shellcode — 194 bytes by Giuseppe D’Amore
- Windows — Safari JS JITed shellcode — exec calc (ASLR/DEP bypass) by Alexey Sintsov
- Windows — Vista/7/2008 — download and execute file via reverse DNS channel by Alexey Sintsov
- Windows — sp2 (En + Ar) cmd.exe — 23 bytes by AnTi SeCuRe
- Windows — add new local administrator — 326 bytes by Anastasios Monachos
- Windows — pro sp3 (EN) — add new local administrator 113 bytes by Anastasios Monachos
- Windows — xp sp2 PEB ISbeingdebugged shellcode — 56 bytes by Anonymous
- Windows — XP Pro Sp2 English Message-Box Shellcode — 16 Bytes by Aodrulez
- Windows — XP Pro Sp2 English Wordpad Shellcode — 15 bytes by Aodrulez
- Windows — Write-to-file Shellcode by Brett Gervasoni
- Windows — telnetbind by winexec — 111 bytes by DATA_SNIPER
- Windows — useradd shellcode for russian systems — 318 bytes by Darkeagle
- Windows — XP SP3 English MessageBoxA — 87 bytes by Glafkos Charalambous
- Windows — SP2 english ( calc.exe ) — 37 bytes by Hazem mofeed
- Windows — SP3 english ( calc.exe ) — 37 bytes by Hazem mofeed
- Windows — Shellcode (cmd.exe) for XP SP2 Turkish — 26 Bytes by Hellcode
- Windows — Shellcode (cmd.exe) for XP SP3 English — 26 Bytes by Hellcode
- Windows — XP SP3 EN Calc Shellcode — 16 Bytes by John Leitch
- Windows — win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode — 112 bytes by KaHPeSeSe
- Windows — PEB Kernel32.dll ImageBase Finder — 49 Bytes by Koshi
- Windows — PEB Kernel32.dll ImageBase Finder Alphanumeric — 67 bytes by Koshi
- Windows — PEB!NtGlobalFlags shellcode — 14 bytes by Koshi
- Windows — XP sp3 (Ru) WinExec+ExitProcess cmd shellcode — 12 bytes by Lord Kelvin
- Windows — Reverse Generic Shellcode w/o Loader — 249 bytes by Matthieu Suiche
- Windows — Pop up message box (XP/SP2) — 110 bytes by Omega7
- Windows — sp3 (FR) Sleep — 14 bytes by Optix
- Windows — XP download and exec source by Peter Winter-Smith
- Windows — Allwin MessageBoxA — 238 bytes by RubberDuck
- Windows — Allwin WinExec add new local administrator + ExitProcess Shellcode — 272 bytes by RubberDuck
- Windows — Allwin WinExec cmd.exe + ExitProcess Shellcode — 195 bytes by RubberDuck
- Windows — Shellcode Collection — (calc) 19 bytes by SkuLL-HacKeR
- Windows — null-free 32-bit Windows download and LoadLibrary shellcode — 164 bytes by SkyLined
- Windows — null-free 32-bit Windows shellcode that executes calc.exe — 100 bytes by SkyLined
- Windows — null-free 32-bit Windows shellcode that shows a message box — 140 bytes by SkyLined
- Windows — null-free bindshell for Windows 5.0-6.0 all service packs by SkyLined
- Windows — XP sp2 (FR) Sellcode cmd.exe — 32 bytes by Stack
- Windows — XP/sp2 (EN) cmd.exe — 23 bytes by Stack
- Windows — XP Professional SP2 ita calc.exe — 36 bytes by Stoke
- Windows — WinExec() Command Parameter — 104 bytes by Weiss
- Windows — download and execute — 124 bytes by Weiss
- Windows — Download and Execute Shellcode Generator by YAG KOHHA
- Windows — sp3 (Tr) Add Admin Account Shellcode — 127 bytes by ZoRLu
- Windows — sp3 (Tr) MessageBoxA Shellcode — 109 bytes by ZoRLu
- Windows — sp3 (Tr) calc.exe Shellcode 53 bytes by ZoRLu
- Windows — sp3 (Tr) cmd.exe Shellcode — 42 bytes by ZoRLu
- Windows — sp3 (Tr) cmd.exe Shellcode 52 bytes by ZoRLu
- Windows — Xp Pro SP3 Fr (calc.exe) — 31 Bytes by agix
- Windows — XP PRO SP3 — Full ROP calc shellcode by b33f
- Windows — xp pro sp3 (calc) — 57 bytes by cr4wl3r
- Windows — win32/xp pro sp3 MessageBox shellcode — 11 bytes by d3c0der
- Windows — download & exec shellcode — 226 bytes+ by darkeagle
- Windows — Shellcode Checksum Routine by dijital1
- Windows — IsDebuggerPresent ShellCode (NT/XP) — 39 bytes by ex-pb
- Windows — PEB method (9x/NT/2k/XP) — 29 bytes by loco
- Windows — connectback, receive, save and execute shellcode by loco
- Windows — Bind Shell (NT/XP/2000/2003) — 356 bytes by metasploit
- Windows — Create Admin User Account (NT/XP/2000) — 304 bytes by metasploit
- Windows — Vampiric Import Reverse Connect — 179 bytes by metasploit
- Windows — PEB method (9x/NT/2k/XP) by oc192
- Windows — eggsearch shellcode — 33 bytes by oxff
- Windows — XP-sp1 portshell on port 58821 — 116 bytes by silicon
- Windows — XP SP3 addFirewallRule by sinn3r
- Windows — PEB method (9x/NT/2k/XP) — 31 bytes by twoci
- Windows — Beep Shellcode (SP1/SP2) — 35 bytes by xnull