shell-storm | Shellcodes Database

Shellcodes database for study cases

Description

Although these kinds of shellcode presented on this page are rarely used for real exploitations, this page lists some of them for study cases and proposes an API to search specific ones. To learn modern exploitation, checkout how to the Return Oriented Programming works.

API

This is very straightforward to communicate with this API. Just send a simple GET method. The "s" argument contains your keyword.

http://shell-storm.org/api/?s=<keyword>

Use "*" for multiple keywords search.

/?s=<keyword1>*<keyword2>*<keyword3>

The output should be like this:

<auteur 1>::::<plateforme 1>::::<shellcode title 1>::::<shellcode id 1>::::<shellcode url 1>
<auteur 2>::::<plateforme 2>::::<shellcode title 2>::::<shellcode id 2>::::<shellcode url 2>
<auteur 3>::::<plateforme 3>::::<shellcode title 3>::::<shellcode id 3>::::<shellcode url 3>

For more information about how can you use it, read this shell-storm API python script. You can also find this API utilization in the Peda GDB project (shellcode command).

AIX

Aix - execve /bin/sh - 88 bytes by Georgi Guninski

Alpha

Alpha - /bin/sh - 80 bytes by Lamont Granquist
Alpha - execve() - 112 bytes by n/a
Alpha - setuid() - 156 bytes by n/a

BSD

BSD/32bits - Passive Connection - 126 bytes by Scrippie
BSD/ppc - execve(/bin/sh) - 128 bytes by Palante
BSD/x86 - setreuid(geteuid(), geteuid()) and execve(/bin/sh, /bin/sh, 0) by Jihyeog Lim
BSD/x86 - setuid/execve - 30 bytes by Marco Ivaldi
BSD/x86 - setuid/portbind - 94 bytes by Marco Ivaldi
BSD/x86 - break chroot - 45 bytes by Matias Sedalo
BSD/x86 - cat /etc/master.passwd & mail root@localhost - 92 bytes by Matias Sedalo
BSD/x86 - execve(/bin/sh) & setuid(0) - 29 bytes by Matias Sedalo
BSD/x86 - bindshell on port 2525 - 167 bytes by beosroot
BSD/x86 - execve /bin/sh Crypt /bin/sh - 49 bytes by dev0id
BSD/x86 - execve(/bin/sh) - 27 bytes by n0gada
BSD/x86 - Connect Back Port 6969 - 133 bytes by Marcetam
BSD/x86 - back-connect TCP/2222 - 93 bytes by dev0id

Cisco

Cisco IOS - Connectback shellcode v1.0 by Gyan Chawdhary
Cisco IOS - Tiny shellcode v1.0 by Gyan Chawdhary
Cisco IOS - Bind shellcode v1.0 by Varun Uppal

Sco

Sco/x86 - execve(/bin/sh, ..., NULL) - 43 bytes by minervini

FreeBSD

Intel x86-64

FreeBSD/x86-64 - execve - 28 bytes by Gitsnik
FreeBSD/x86-64 - bind_tcp with passcode - 127 bytes by Gitsnik
FreeBSD/x86-64 - exec(/bin/sh) Shellcode - 31 bytes by Hack'n Roll
FreeBSD/x86-64 - execve /bin/sh shellcode 34 bytes by Hack'n Roll
FreeBSD/x86-64 - Execve /bin/sh - Anti-Debugging by c0d3_z3r0

Intel x86

FreeBSD/x86 - execve /tmp/sh - 34 bytes by Claes M. Nyberg
FreeBSD/x86 - execve /bin/sh 23 bytes by IZ
FreeBSD/x86 - reboot(RB_AUTOBOOT) - 7 bytes by IZ
FreeBSD/x86 - bind port:4883 with auth shellcode by MahDelin
FreeBSD/x86 - connect back /bin/sh. 81 bytes by Tosh
FreeBSD/x86 - execv(/bin/sh) - 23 bytes by Tosh
FreeBSD/x86 - portbind shell + fork - 111 bytes by Tosh
FreeBSD/x86 - 8.0-RELEASE - //sbin/pfctl -F all Shellcode 47 Bytes by antrhacks
FreeBSD/x86 - encrypted shellcode /bin/sh 48 bytes by c0d3_z3r0
FreeBSD/x86 - kldload /tmp/o.o - 74 bytes by dev0id
FreeBSD/x86 - /bin/sh - 23 bytes by marcetam
FreeBSD/x86 - execve /bin/sh 37 bytes by preedator
FreeBSD/x86 - portbind shellcode - 167 bytes by sbz
FreeBSD/x86 - execve(/bin/cat & /etc/master.passwd) - 65 bytes by sm4x
FreeBSD/x86 - reverse connect dl(shellcode) and execute, exit - 90 bytes by sm4x
FreeBSD/x86 - reverse portbind /bin/sh - 89 bytes by sm4x
FreeBSD/x86 - setuid(0)&execve({//sbin/ipf,-Faa,0},0); - 57 bytes by sm4x
FreeBSD/x86 - connect back.send.exit /etc/passwd - 112 bytes by suN8Hclf
FreeBSD/x86 - kill all processes - 12 bytes by suN8Hclf
FreeBSD/x86 - setreuid(0, 0) & execve(pfctl -d) - 56 bytes by suN8Hclf
FreeBSD/x86 - bind sh port 41254 - 115 bytes by zillion
FreeBSD/x86 - reboot() - 15 bytes by zillion

Hp-Ux

Hp-Ux - execve(/bin/sh) - 58 bytes by K2

Irix

Irix - execve(/bin/sh -c) - 72 bytes by n/a
Irix - execve(/bin/sh) - 43 bytes by n/a
Irix - Bind Port - 364 bytes by scut/teso
Irix - execve(/bin/sh) - 68 bytes by scut/teso
Irix - stdin-read shellcode - 40 bytes by scut/teso

Linux

ARM

Linux/ARM - execve("/bin/sh", NULL, 0) - 34 bytes by Jonathan 'dummys' Borgeaud
Linux/ARM - Add map in /etc/hosts file - 79 bytes by Osanda Malith Jayathissa
Linux/ARM - chmod("/etc/passwd", 0777) - 39 bytes by gunslinger_
Linux/ARM - creat("/root/pwned", 0777) - 39 bytes by gunslinger_
Linux/ARM - execve("/bin/sh", [], [0 vars]) - 35 bytes by gunslinger_
Linux/ARM - Bind Connect UDP Port 68 by Daniel Godas-Lopez
Linux/ARM - Bindshell port 0x1337 by Daniel Godas-Lopez
Linux/ARM - Loader Port 0x1337 by Daniel Godas-Lopez
Linux/ARM - ifconfig eth0 and Assign Address by Daniel Godas-Lopez
Linux/ARM - chmod(/etc/shadow, 0777) Shellcode - 35 Bytes by Florian Gaultier
Linux/ARM - polymorphic chmod(/etc/shadow, 0777) - 84 Bytes by Florian Gaultier
Linux/ARM - Polymorphic execve("/bin/sh", ["/bin/sh"], NULL); - XOR - 78 bytes by Jonathan Salwan
Linux/ARM - execve(/bin/sh, /bin/sh, 0) - 30 bytes by Jonathan Salwan
Linux/ARM - execve(/bin/sh, [0], [0 vars]) - 27 bytes by Jonathan Salwan
Linux/ARM - execve(/bin/sh,NULL,0) - 31 bytes by Jonathan Salwan
Linux/ARM - setuid(0) & execve(/bin/sh, /bin/sh, 0) - 38 bytes by Jonathan Salwan
Linux/ARM - connect back /bin/sh. 79 bytes by Neil Klopfenstein
Linux/ARM - chmod(/etc/shadow, 0777) - 41 bytes by midnitesnake
Linux/ARM - execve(/bin/sh, [0], [0 vars]) - 30 bytes by midnitesnake
Linux/ARM - reverse_shell(tcp,10.1.1.2,0x1337) by midnitesnake

Strong ARM

Linux/StrongARM - bind() portshell - 203 bytes by funkysh
Linux/StrongARM - execve() - 47 bytes by funkysh
Linux/StrongARM - setuid() - 20 bytes by funkysh

Super-H

Linux/SuperH - sh4 - Bind /bin/sh on port 31337 by Dad`
Linux/SuperH - sh4 execve(/bin/sh, 0, 0) - 19 bytes by Florian Gaultier
Linux/SuperH - sh4 - setuid(0) ; execve(/bin/sh, NULL, NULL) - 27 bytes by Jonathan Salwan

MIPS

Linux/mips - Reverse Shell Shellcode - 200 bytes by Jacob Holcomb
Linux/mips - execve(/bin/sh) - 56 bytes by core
Linux/mips - execve(/bin/sh, */bin/sh, 0) - 52 bytes by entropy
Linux/mips - add user(UID 0) with password - 164 bytes by rigan
Linux/mips - connect back shellcode (port 0x7a69) - 168 bytes by rigan
Linux/mips - execve /bin/sh - 48 bytes by rigan
Linux/mips - reboot() - 32 bytes by rigan
Linux/mips - execve(/bin/sh,[/bin/sh],[]); - 60 bytes by vaicebine
Linux/mips - port bind 4919 - 276 bytes by vaicebine

PPC

Linux/ppc - connect back execve /bin/sh - 240 bytes by Charles Stevenson
Linux/ppc - execve /bin/sh - 60 bytes by Charles Stevenson
Linux/ppc - read & exec shellcode - 32 bytes by Charles Stevenson
Linux/ppc - execve /bin/sh - 112 bytes by Palante

Sparc

Linux/sparc - [setreuid(0,0); execve() of /bin/sh] - 64 bytes by anathema
Linux/sparc - Portbind 8975/tcp - 284 bytes by killah
Linux/sparc - connect back - 216 bytes by killah
Linux/sparc - setreuid(0,0)&standard execve() - 72 bytes by michel kaempf

CRISv32

Linux/CRISv32 - Connect Back Shellcode - 189 bytes by bashis

RISC-V64

Linux/RISC-V64 - execve(/bin/sh, NULL, 0) - 34 bytes by Christina Quast

Intel x86-64

Linux/x86-64 - Dynamic null-free reverse TCP shell - 65 bytes by Philippe Dugre
Linux/x86-64 - execveat("/bin//sh") - 29 bytes by ZadYree, vaelio and DaShrooms
Linux/x86-64 - Add map in /etc/hosts file - 110 bytes by Osanda Malith Jayathissa
Linux/x86-64 - Connect Back Shellcode - 139 bytes by MadMouse
Linux/x86-64 - access() Egghunter - 49 bytes by Doreth.Z10
Linux/x86-64 - Shutdown - 64 bytes by Keyman
Linux/x86-64 - Read password - 105 bytes by Keyman
Linux/x86-64 - Password Protected Reverse Shell - 136 bytes by Keyman
Linux/x86-64 - Password Protected Bind Shell - 147 bytes by Keyman
Linux/x86-64 - Add root - Polymorphic - 273 bytes by Keyman
Linux/x86-64 - Bind TCP stager with egghunter - 157 bytes by Christophe G
Linux/x86-64 - Add user and password with open,write,close - 358 bytes by Christophe G
Linux/x86-64 - Add user and password with echo cmd - 273 bytes by Christophe G
Linux/x86-64 - Read /etc/passwd - 82 bytes by Mr.Un1k0d3r
Linux/x86-64 - shutdown -h now - 65 bytes by Osanda Malith Jayathissa
Linux/x86-64 - TCP Bind 4444 with password - 173 bytes by Christophe G
Linux/x86-64 - TCP reverse shell with password - 138 bytes by Andriy Brukhovetskyy
Linux/x86-64 - TCP bind shell with password - 175 bytes by Andriy Brukhovetskyy
Linux/x86-64 - Reads data from /etc/passwd to /tmp/outfile - 118 bytes by Chris Higgins
Linux/x86-64 - shell bind TCP random port - 57 bytes by Geyslan G. Bem
Linux/x86-64 - TCP bind shell - 150 bytes by Russell Willis
Linux/x86-64 - Reverse TCP shell - 118 bytes by Russell Willis
Linux/x86-64 - add user with passwd - 189 bytes by 0_o
Linux/x86-64 - execve(/sbin/iptables, [/sbin/iptables, -F], NULL) - 49 bytes by 10n1z3d
Linux/x86-64 - Execute /bin/sh - 27 bytes by Dad`
Linux/x86-64 - bind-shell with netcat - 131 bytes by Gaussillusion
Linux/x86-64 - connect back shell with netcat - 109 bytes by Gaussillusion
Linux/x86-64 - setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR - 85 bytes by egeektronic
Linux/x86-64 - setreuid(0,0) execve(/bin/csh, [/bin/csh, NULL]) + XOR - 87 bytes by egeektronic
Linux/x86-64 - setreuid(0,0) execve(/bin/ksh, [/bin/ksh, NULL]) + XOR - 87 bytes by egeektronic
Linux/x86-64 - setreuid(0,0) execve(/bin/zsh, [/bin/zsh, NULL]) + XOR - 87 bytes by egeektronic
Linux/x86-64 - bindshell port:4444 shellcode - 132 bytes by evil.xi4oyu
Linux/x86-64 - setuid(0) + execve(/bin/sh) 49 bytes by evil.xi4oyu
Linux/x86-64 - execve(/bin/sh, [/bin/sh], NULL) - 33 bytes by hophet
Linux/x86-64 - execve(/bin/sh); - 30 bytes by zbt
Linux/x86-64 - reboot(POWER_OFF) - 19 bytes by zbt
Linux/x86-64 - sethostname() & killall - 33 bytes by zbt

Intel x86

Linux/x86 - setuid + setgid + stdin re-open + exceve - 71 bytes by Andres C. Rodriguez (acamro)
Linux/x86 - Followtheleader custom execve-shellcode Encoder/Decoder - 136 bytes by Konstantinos Alexiou
Linux/x86 - ROT-7 Decoder execve - 74 bytes by Stavros Metzidakis
Linux/x86 - Add map in /etc/hosts file - 77 bytes by Javier Tejedor
Linux/x86 - Obfuscated - chmod({passwd,shadow}) - add new root user - exec /bin/sh - 512 bytes by Ali Razmjoo
Linux/x86 - setreuid() + exec /usr/bin/python - 54 bytes by Ali Razmjoo
Linux/x86 - chmod + Add new root user with password + exec sh - 378 bytes by Ali Razmjoo
Linux/x86 - Shell Reverse TCP Shellcode - 74 bytes by Julien Ahrens
Linux/x86 - Shell Bind TCP Shellcode Port 1337 - 89 bytes by Julien Ahrens
Linux/x86 - sockfd trick + dup2(0,0),dup2(0,1),dup2(0,2) + execve /bin/sh - 50 bytes by ZadYree
Linux/x86 - shutdown -h now - 56 bytes by Osanda Malith Jayathissa
Linux/x86 - chmod 0777 /etc/shadow (a bit obfuscated) Shellcode - 51 bytes by Osanda Malith Jayathissa
Linux/x86 - /bin/nc -le /bin/sh -vp 17771 - 58 bytes by Oleg Boytsev
Linux/x86 - JMP-FSTENV execve shell - 67 bytes by Paolo Stivanin
Linux/x86 - shift-bit-encoder execve - 114 bytes by Shihao Song
Linux/x86 - Copy /etc/passwd to /tmp/outfile - 97 bytes by Paolo Stivanin
Linux/x86 - jump-call-pop execve shell - 52 bytes by Paolo Stivanin
Linux/x86 - Download + chmod + exec - 108 bytes by Daniel Sauder
Linux/x86 - reads /etc/passwd and sends the content to 127.1.1.1 port 12345 - 111 bytes by Daniel Sauder
Linux/x86 - Multi-Egghunter by Ryan Fenno
Linux/x86 - Obfuscated tcp bind shell - 112 bytes by Russell Willis
Linux/x86 - Obfuscated execve /bin/sh - 30 bytes by Russell Willis
Linux/x86 - egghunter shellcode by Russell Willis
Linux/x86 - Reverse TCP bind shell - 92 bytes by Russell Willis
Linux/x86 - Set /proc/sys/net/ipv4/ip_forward to 0 & exit() - 83 bytes by Hamid Zamani
Linux/x86 - TCP bind shell - 108 bytes by Russell Willis
Linux/x86 - Encrypted execve /bin/sh with uzumaki algorithm - 50 bytes by Geyslan G. Bem
Linux/x86 - Mutated Execve Wget - 96 bytes by Geyslan G. Bem
Linux/x86 - Mutated Fork Bomb - 15 bytes by Geyslan G. Bem
Linux/x86 - Mutated Reboot - 55 bytes by Geyslan G. Bem
Linux/x86 - Tiny read /etc/passwd file - 51 bytes by Geyslan G. Bem
Linux/x86 - Tiny Execve sh Shellcode - 21 bytes by Geyslan G. Bem
Linux/x86 - Insertion Decoder Shellcode - 33+ bytes by Geyslan G. Bem
Linux/x86 - Egg Hunter Shellcode - 38 bytes by Geyslan G. Bem
Linux/x86 - Tiny Shell Reverse TCP - 67 bytes by Geyslan G. Bem
Linux/x86 - Tiny Shell Bind TCP Random Port - 57 bytes by Geyslan G. Bem
Linux/x86 - Tiny Shell Bind TCP - 73 bytes by Geyslan G. Bem
Linux/x86 - Shell Bind TCP (GetPC/Call/Ret Method) - 89 bytes by Geyslan G. Bem
Linux/x86 - append /etc/passwd & exit() - 107 bytes by $andman
Linux/x86 - unlink(/etc/passwd) & exit() - 35 bytes by $andman
Linux/x86 - connect back&send&exit /etc/shadow - 155 bytes by 0in
Linux/x86 - execve read shellcode - 92 bytes by 0ut0fbound
Linux/x86 - egghunt shellcode - 29 bytes by Ali Raheem
Linux/x86 - nc -lvve/bin/sh -p13377 - 62 bytes by Anonymous
Linux/x86 - /bin/sh Null-Free Polymorphic - 46 bytes by Aodrulez
Linux/x86 - execve() Diassembly Obfuscation Shellcode - 32 bytes by BaCkSpAcE
Linux/x86 - SET_IP() Connectback Shellcode - 82 bytes by Benjamin Orozco
Linux/x86 - SET_PORT() portbind - 100 bytes by Benjamin Orozco
Linux/x86 - netcat bindshell port 8080 - 75 bytes by Blake
Linux/x86 - netcat connect back port 8080 - 76 bytes by Blake
Linux/x86 - adds a root user no-passwd to /etc/passwd - 83 bytes by Bob [Dtors.net]
Linux/x86 - chmod(//bin/sh ,04775); set sh +s - 31 bytes by Bob [Dtors.net]
Linux/x86 - execve()/bin/ash; exit; - 34 bytes by Bob [Dtors.net]
Linux/x86 - setuid(); execve(); exit(); - 44 bytes by Bob [Dtors.net]
Linux/x86 - setreuid(0, 0) + execve(/bin//sh, [/bin//sh, -c, cmd], NULL); by Bunker
Linux/x86 - dup2(0,0); dup2(0,1); dup2(0,2); 15 bytes by Charles Stevenson
Linux/x86 - exit(1) - 7 bytes by Charles Stevenson
Linux/x86 - if(read(fd,buf,512)<=2) _exit(1) else buf(); - 29 bytes by Charles Stevenson
Linux/x86 - read(0,buf,2541); chmod(buf,4755); - 23 bytes by Charles Stevenson
Linux/x86 - execve(/bin/dash) - 49 bytes by Chroniccommand
Linux/x86 - Audio (knock knock knock) via /dev/dsp+setreuid(0,0)+execve() - 566 bytes by Cody Tubbs
Linux/x86 - Surprise ! ! ! - 361 bytes by Florian Gaultier
Linux/x86 - Write FS PHP Connect Back Utility Shellcode - 508 bytes by GS2008
Linux/x86 - Bind TCP Port - with SO_REUSEADDR set (Avoiding SIGSEGV) - 103 bytes by Geyslan G. Bem
Linux/x86 - Shell Bind TCP Random Port - 65 bytes by Geyslan G. Bem
Linux/x86 - Shell Reverse TCP Shellcode - 72 bytes by Geyslan G. Bem
Linux/x86 - Password Authentication portbind port 64713/tcp - 166 bytes by Gotfault Security
Linux/x86 - portbind port 64713 - 86 bytes by Gotfault Security
Linux/x86 - setreuid(0,0) + execve(/bin/sh, [/bin/sh, NULL]) - 33 bytes by Gotfault Security
Linux/x86 - setuid(0) setgid(0) execve("/bin/sh", ["/bin/sh", NULL]) - 37 bytes by Gotfault Security
Linux/x86 - Force Reboot shellcode 36 bytes by Hamza Megahed
Linux/x86 - Remote Port forwarding - 87 bytes by Hamza Megahed
Linux/x86 - execve /bin/sh shellcode - 23 bytes by Hamza Megahed
Linux/x86 - execve-chmod 0777 /etc/shadow - 57 bytes by Hamza Megahed
Linux/x86 - iptables --flush - 43 bytes by Hamza Megahed
Linux/x86 - ASLR deactivation - 83 bytes by Jean Pascal Pereira
Linux/x86 - chmod 666 /etc/passwd & /etc/shadow - 57 bytes by Jean Pascal Pereira
Linux/x86 - execve(/bin/sh) - 28 bytes by Jean Pascal Pereira
Linux/x86 - ///sbin/iptables -POUTPUT DROP - 60 bytes by John Babio
Linux/x86 - /etc/init.d/apparmor teardown - 53 bytes by John Babio
Linux/x86 - /usr/bin/killall snort - 46 bytes by John Babio
Linux/x86 - /bin/sh polymorphic shellcode - 48 bytes by Jonathan Salwan
Linux/x86 - ConnectBack with SSL connection - 422 bytes by Jonathan Salwan
Linux/x86 - Remote file Download - 42 bytes by Jonathan Salwan
Linux/x86 - execve(/bin/bash, [/bin/sh, -p], NULL) - 33 bytes by Jonathan Salwan
Linux/x86 - polymorphic execve(/bin/bash, [/bin/sh, -p], NULL) - 57 bytes by Jonathan Salwan
Linux/x86 - /bin/sh - 8 bytes by JungHoon Shin
Linux/x86 - add root user (r00t) with no password to /etc/passwd by Kris Katterjohn
Linux/x86 - chmod(/etc/shadow, 0666) & exit() by Kris Katterjohn
Linux/x86 - execve(rm -rf /) - 45 bytes by Kris Katterjohn
Linux/x86 - forkbomb - 7 bytes by Kris Katterjohn
Linux/x86 - ipchains -F - 40 bytes by Kris Katterjohn
Linux/x86 - kill all processes - 11 bytes by Kris Katterjohn
Linux/x86 - set system time to 0 & exit by Kris Katterjohn
Linux/x86 - setuid(0) setgid(0) execve(echo 0 > /proc/sys/kernel/randomize_va_space) - 79 bytes by LiquidWorm
Linux/x86 - DoS-Badger-Game - 6 bytes by Magnefikko
Linux/x86 - SLoc-DoS shellcode - 55 bytes by Magnefikko
Linux/x86 - bind sh@64533 - 97 bytes by Magnefikko
Linux/x86 - chmod(/etc/shadow, 0666) - 36 bytes by Magnefikko
Linux/x86 - chmod(/etc/shadow, 0777) - 29 bytes by Magnefikko
Linux/x86 - execve(/bin/sh) - 25 bytes by Magnefikko
Linux/x86 - execve(a->/bin/sh) - 14 bytes by Magnefikko
Linux/x86 - setreud(getuid(), getuid()) & execve(/bin/sh) - 34 bytes by Magnefikko
Linux/x86 - setuid(0) ^ execve(/bin/sh, 0, 0) - 27 bytes by Magnefikko
Linux/x86 - setuid(0) + execve(/bin/sh,...) - 29 bytes by Marcin Ulikowski
Linux/x86 - re-use of (/bin/sh) string in .rodata - 16 bytes by Marco Ivaldi
Linux/x86 - setuid/portbind port 31337 TCP - 96 bytes by Marco Ivaldi
Linux/x86 - stdin re-open and /bin/sh execute by Marco Ivaldi
Linux/x86 - add user t00r ENCRYPT - 116 bytes by Matias Sedalo
Linux/x86 - chmod 666 /etc/shadow - 41 bytes by Matias Sedalo
Linux/x86 - chmod 666 shadow ENCRYPT - 75 bytes by Matias Sedalo
Linux/x86 - execve /bin/sh encrypted - 58 bytes by Matias Sedalo
Linux/x86 - portbind a shell in port 5074 - 92 bytes by Matias Sedalo
Linux/x86 - execve /bin/sh anti-ids 40 bytes by NicatiN
Linux/x86 - /bin/cp /bin/sh /tmp/katy & chmod 4555 - 126 bytes by RaiSe
Linux/x86 - execve(/bin//sh/,[/bin//sh],NULL) - 22 bytes by Revenge
Linux/x86 - setuid(0) + execve(/bin//sh, [/bin//sh], NULL) - 28 bytes by Revenge
Linux/x86 - Port Bind 4444 ( xor-encoded ) - 152 bytes by Rick
Linux/x86 - edit /etc/sudoers for full access - 86 bytes by Rick
Linux/x86 - Connect Back shellcode - 90 bytes by Russell Sanford
Linux/x86 - socket-proxy - 372 bytes by Russell Sanford
Linux/x86 - [setreuid()] -> [/sbin/iptables -F] -> [exit(0)] - 76 bytes by Sh3llc0d3
Linux/x86 - Add root user /etc/passwd - 104 bytes by Shok
Linux/x86 - iptables -F - 49 bytes by Sp4rK
Linux/x86 - execve(/sbin/halt,/sbin/halt) - 27 bytes by TheWorm
Linux/x86 - execve(/sbin/reboot,/sbin/reboot) - 28 bytes by TheWorm
Linux/x86 - execve(/sbin/shutdown,/sbin/shutdown 0) - 36 bytes by TheWorm
Linux/x86 - exit(0) 3 bytes or exit(1) 4 bytes by TheWorm
Linux/x86 - setuid(0) & execve(/bin/sh,0) - 25 bytes by TheWorm
Linux/x86 - setuid(0), setgid(0) & execve(/bin/sh,[/bin/sh,NULL]) - 33 bytes by TheWorm
Linux/x86 - System Beep - 45 bytes by Thomas Rinsma
Linux/x86 - Bindshell TCP/5074 - 226 bytes by Tora
Linux/x86 - iptables -F - 45 bytes by UnboundeD
Linux/x86 - Connect-Back port UDP/54321 - 151 bytes by XenoMuta
Linux/x86 - append rsa key to /root/.ssh/authorized_keys2 - 295 bytes by XenoMuta
Linux/x86 - listens for shellcode on tcp/5555 and jumps to it - 83 bytes by XenoMuta
Linux/x86 - Self-modifying ShellCode for IDS evasion - 64 bytes by Xenomuta
Linux/x86 - shellcode that forks a HTTP Server on port tcp/8800 - 166 bytes by Xenomuta
Linux/x86 - stagger that reads second stage shellcode (127 bytes maximum) from stdin - 14 bytes by _fkz
Linux/x86 - alphanumeric Bomb FORK Shellcode - 117 Bytes by agix
Linux/x86 - chmod(/etc/shadow, 0666) ASCII - 443 bytes by agix
Linux/x86 - pwrite(/etc/shadow, hash, 32, 8) - 89 Bytes by agix
Linux/x86 - Polymorphic - setuid(0) + chmod(/etc/shadow, 0666) - 61 Bytes by antrhacks
Linux/x86 - execve(/bin/cat, /etc/shadow, NULL) - 42 bytes by antrhacks
Linux/x86 - setuid(0) + chmod(/etc/shadow, 0666) - 37 Bytes by antrhacks
Linux/x86 - setreuid(geteuid(),geteuid()),execve(/bin/sh,0,0) - 34bytes by blue9057
Linux/x86 - /bin/sh sysenter Opcode Array Payload - 23 Bytes by c0ntex & BaCkSpAcE
Linux/x86 - File Reader /etc/passwd - 65 bytes by certaindeath
Linux/x86 - sends Phuck3d! to all terminals - 60 bytes by condis
Linux/x86 - upload & exec - 189 bytes by cybertronic
Linux/x86 - File unlinker 18 bytes + file path length by darkjoker
Linux/x86 - Perl script execution 99 bytes + script length by darkjoker
Linux/x86 - iptables -F - 58 bytes by dev0id
Linux/x86 - symlink /bin/sh xoring - 56 bytes by dev0id
Linux/x86 - iopl(3); asm(cli); while(1){} - 12 bytes by dun
Linux/x86 - SWAP restore - 109 bytes by dx & spud
Linux/x86 - SWAP store - 99 bytes by dx & spud
Linux/x86 - /sbin/iptables --flush - 69 bytes by eSDee [Netric .org]
Linux/x86 - connect back shellcode (port=0xb0ef) - 131 bytes by eSDee [Netric .org]
Linux/x86 - forking portbind shellcode - port=0xb0ef(45295) - 200 bytes by eSDee [Netric .org]
Linux/x86 - setreuid(0,0) execve("/bin/zsh", [/bin/zsh, NULL]) + XOR - 53 bytes by egeektronic
Linux/x86 - setreuid(0,0) execve("/bin/csh", [/bin/csh, NULL]) + XOR - 53 bytes by egeektronic
Linux/x86 - setreuid(0,0) execve("/bin/ksh", [/bin/ksh, NULL]) + XOR - 53 bytes by egeektronic
Linux/x86 - setreuid(0,0) execve(/bin/ash,NULL,NULL) + XOR - 58 bytes by egeektronic
Linux/x86 - bin/cat /etc/passwd - 43 bytes by fb1h2s
Linux/x86 - execve() - 51bytes by fl0 fl0w
Linux/x86 - Find all writeable folder in filesystem linux polymorphic shellcode by gunslinger_
Linux/x86 - Polymorphic bindport to 13123 - 125 bytes by gunslinger_
Linux/x86 - Polymorphic bindport to 31337 with setreuid (0,0) - 131 bytes by gunslinger_
Linux/x86 - bind port to 6678 XOR encoded polymorphic - 125 bytes by gunslinger_
Linux/x86 - cdrom ejecting shellcode - 46 bytes by gunslinger_
Linux/x86 - chown root:root /bin/sh - 48 bytes by gunslinger_
Linux/x86 - force unmount /media/disk - 33 bytes by gunslinger_
Linux/x86 - give all user root access when execute /bin/sh - 45 bytes by gunslinger_
Linux/x86 - hard reboot (without any message) and data not lost - 33 bytes by gunslinger_
Linux/x86 - hard reboot (without any message) and data will be lost - 29 bytes by gunslinger_
Linux/x86 - nc -lp 31337 -e /bin//sh polymorphic - 91 bytes by gunslinger_
Linux/x86 - polymorphic cdrom ejecting - 74 bytes by gunslinger_
Linux/x86 - setdomainname to (th1s s3rv3r h4s b33n h1j4ck3d !!) by gunslinger_
Linux/x86 - sys_chmod(/etc/shadow, 599) - 39 bytes by gunslinger_
Linux/x86 - sys_execve(/bin/sh, -c, ping localhost) - 55 bytes by gunslinger_
Linux/x86 - sys_exit(0) - 8 bytes by gunslinger_
Linux/x86 - sys_kill(-1,9) - 11 bytes by gunslinger_
Linux/x86 - sys_rmdir(/tmp/willdeleted) - 41 bytes by gunslinger_
Linux/x86 - sys_sethostname(PwNeD !!, 8) - 32 bytes by gunslinger_
Linux/x86 - sys_setuid(0) & sys_setgid(0) & execve (/bin/sh) - 39 bytes by gunslinger_
Linux/x86 - sys_sync - 6 bytes by gunslinger_
Linux/x86 - unlink /etc/shadow - 33 bytes by gunslinger_
Linux/x86 - Reverse Telnet by hts
Linux/x86 - execve /bin/sh - 21 bytes by ipv
Linux/x86 - HTTP/1.x GET, Downloads & execve() - 111 bytes+ by izik
Linux/x86 - HTTP/1.x GET, Downloads and JMP - 68 bytes+ by izik
Linux/x86 - anti-debug trick (INT 3h trap) execve(/bin/sh, [/bin/sh, NULL], NULL) - 39 bytes by izik
Linux/x86 - cat /dev/urandom > /dev/console, no real profit just for kicks - 63 bytes by izik
Linux/x86 - eject & close cd-rom frenzy loop (follows /dev/cdrom symlink) - 45 bytes by izik
Linux/x86 - execve /bin/sh xored for Intel x86 CPUID 41 bytes by izik
Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + Bitmap - 27 bytes by izik
Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + RIFF Header - 28 bytes by izik
Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + RTF header - 30 bytes by izik
Linux/x86 - execve(/bin/sh, [/bin/sh, NULL]) + ZIP Header - 28 bytes by izik
Linux/x86 - execve(/bin/sh, [/bin/sh], NULL) / encoded by +1 - 39 bytes by izik
Linux/x86 - open cd-rom loop (follows /dev/cdrom symlink) - 39 bytes by izik
Linux/x86 - quick (yet conditional, eax != 0 and edx == 0) exit - 4 bytes by izik
Linux/x86 - chmod(/etc/shadow, 0666) & exit() - 33 bytes by ka0x
Linux/x86 - setuid(0) & execve(/bin/cat /etc/shadow) - 49 bytes by ka0x
Linux/x86 - setuid(0) & execve(/sbin/poweroff -f) - 47 bytes by ka0x
Linux/x86 - execve (/bin/sh) - 21 Bytes by kernel_panik
Linux/x86 - Bindport TCP/3879 by lamagra
Linux/x86 - connect back, download a file and execute - 149 bytes by militan
Linux/x86 - raw-socket ICMP/checksum shell - 235 bytes by mu-b
Linux/x86 - hence dropping a SUID root shell in /tmp - 126 bytes by n/a
Linux/x86 - kill snort - 151 bytes by nob0dy
Linux/x86 - setreuid & execve - 31 bytes by oc192
Linux/x86 - rm -rf / which attempts to block the process from being stopped - 132 bytes by onionring
Linux/x86 - portbind (define your own port) - 84 bytes by oveRet
Linux/x86 - setuid(0)+setgid(0)+add user iph without password - 124 bytes by pentesters.ir
Linux/x86 - break chroot execve /bin/sh - 80 bytes by preedator
Linux/x86 - Search php,html writable files and add your code - 380+ bytes by rigan
Linux/x86 - chmod 666 /etc/shadow - 27 bytes by root@thegibson
Linux/x86 - eject /dev/cdrom - 42 bytes by root@thegibson
Linux/x86 - kill all processes - 9 bytes by root@thegibson
Linux/x86 - overwrite MBR on /dev/sda with LOL! - 43 bytes by root@thegibson
Linux/x86 - execve(/bin/sh,0,0) - 21 bytes by sToRm
Linux/x86 - portbind /bin/sh (port 64713) - 83 bytes by sToRm
Linux/x86 - setuid(0) & execve(/bin/sh,0,0) - 28 bytes by sToRm
Linux/x86 - setresuid(0,0,0); execve /bin/sh; exit; - 41 bytes by sacrine
Linux/x86 - setuid(0) & execve(/bin/sh,0,0) - 28 bytes by sch3m4
Linux/x86 - disabled modsecurity - 64 bytes by sekfault
Linux/x86 - shared memory exec - 50 bytes by sloth
Linux/x86 - chmod(/etc/shadow, 0777) - 33 bytes by sm0k
Linux/x86 - setresuid(0,0,0)-/bin/sh - 35 bytes by sorrow
Linux/x86 - Add User USER=t00r PASS=t00r - Encoder PexFnstenvSub - 116 bytes by vlad902
Linux/x86 - disables shadowing - 42 bytes by vlan7
Linux/x86 - setuid() & execve() - 27 bytes by vlan7
Linux/x86 - examples of long-term payloads hide-wait-change - 187 bytes+ by xort & izik
Linux/x86 - Alpha-Numeric using IMUL Method - 88 bytes by xort
Linux/x86 - Magic Byte Self Modifying Code for surviving - execve() _exit() - 76 bytes by xort
Linux/x86 - Radically Self Modifying Code - execve & _exit() - 70 bytes by xort
Linux/x86 - alpha-numeric - 64 bytes by xort
Linux/x86 - examples of long-term payloads hide-wait-change (.s) by xort
Linux/x86 - add a passwordless local root account w000t - 177 bytes by zillion
Linux/x86 - execve of /bin/sh /tmp/p00p - 70 bytes by zillion
Linux/x86 - execve of /sbin/ipchains -F - 70 bytes by zillion
Linux/x86 - execve() of /sbin/iptables -F - 70 bytes by zillion
Linux/x86 - mkdir() & exit() - 36 bytes by zillion

NetBSD

NetBSD/x86 - kill all processes shellcode - 23 bytes by Anonymous
NetBSD/x86 - execve(/bin/sh) - 68 bytes by humble
NetBSD/x86 - callback (port 6666) - 83 bytes by minervini
NetBSD/x86 - setreuid(0, 0); execve(/bin//sh, ..., NULL); - 29 bytes by minervini

OpenBSD

OpenBSD/x86 - reboot() - 15 bytes by beosroot
OpenBSD/x86 - execve(/bin/sh) - 23 bytes by hophet
OpenBSD/x86 - add user w00w00 - 112 bytes by n/a
OpenBSD/x86 - portbind port 6969 - 148 bytes by noir

OSX

PPC

Osx/ppc - Add user r00t - 219 bytes by B-r00t
Osx/ppc - add inetd backdoor - 222 bytes by B-r00t
Osx/ppc - create /tmp/suid - 122 bytes by B-r00t
Osx/ppc - remote findsock by recv() key shellcode by Dino Dai Zovi
Osx/ppc - Single Reverse TCP by H D Moore
Osx/ppc - stager sock find peek by H D Moore
Osx/ppc - stager sock find by H D Moore
Osx/ppc - stager sock reverse by H D Moore
Osx/ppc - Bind Shell PORT TCP/8000 - encoder OSXPPCLongXOR - 300 bytes by H D moore
Osx/ppc - shellcode execve(/bin/sh) by ghandi
Osx/ppc - execve(/bin/sh,[/bin/sh],NULL)& exit() - 72 bytes by haphet
Osx/ppc - sync(), reboot() - 32 bytes by haphet

Intel x86-64

Osx/x86-64 - setuid shell x86_64 - 51 bytes by Dustin Schultz
Osx/x86-64 - reverse tcp shellcode - 131 bytes by Jacob Hammack
Osx/x86-64 - universal OSX dyld ROP shellcode by pa_kt

Intel x86

Osx/x86 - execve(/bin/sh) - 24 bytes by Simon Derouineau

Solaris

MIPS

Solaris/mips - connect-back (with XNOR encoded session) - 600 bytes by Russell Sanford
Solaris/mips - download and execute - 278 bytes by Russell Sanford

SPARC

Solaris/sparc - setreuid(geteuid()), setregid(getegid()), execve /bin/sh by Claes M. Nyberg
Solaris/sparc - Bind /bin/sh TCP port 2001 by ghandi
Solaris/sparc - portbind | port 6666 - 240 bytes by lhall
Solaris/sparc - setreuid - 56 bytes by lhall
Solaris/sparc - execve(/bin/sh) - 52 bytes by LSD
Solaris/sparc - Single bind TCP shell by vlad902

Intel x86

Solaris/x86 - setuid(0) /bin/cat //etc/shadow - 61 bytes by John Babio
Solaris/x86 - Remote Download file - 79 bytes by Jonathan Salwan
Solaris/x86 - execve(/bin/sh, /bin/sh, NULL) - 27 bytes by Jonathan Salwan
Solaris/x86 - add services and execve inetd - 201 bytes by n/a
Solaris/x86 - execve /bin/sh toupper evasion - 84 bytes by n/a
Solaris/x86 - execve /bin/sh - 43 bytes by shellcode.com.ar
Solaris/x86 - setuid(0)&execve(//bin/sh)&exit(0) - 39 bytes by sm4x
Solaris/x86 - setuid(0)&execve(/bin/cat, /etc/shadow)&exit(0) - 59 bytes by sm4x

Windows

Windows/64 - Obfuscated Shellcode x86/x64 Download And Execute [Use PowerShell] - Generator by Ali Razmjoo
Windows/64 - Add Admin, enable RDP, stop firewall and start terminal service - 1218 bytes by Ali Razmjoo
Windows/64 - (URLDownloadToFileA) download and execute - 218+ bytes by Weiss
Windows/64 - Windows Seven x64 (cmd) - 61 bytes by agix
Windows - Add Admin, enable RDP, stop firewall and start terminal service - 1218 bytes by Ali Razmjoo
Windows - Add Admin User Shellcode - 194 bytes by Giuseppe D'Amore
Windows - Safari JS JITed shellcode - exec calc (ASLR/DEP bypass) by Alexey Sintsov
Windows - Vista/7/2008 - download and execute file via reverse DNS channel by Alexey Sintsov
Windows - sp2 (En + Ar) cmd.exe - 23 bytes by AnTi SeCuRe
Windows - add new local administrator - 326 bytes by Anastasios Monachos
Windows - pro sp3 (EN) - add new local administrator 113 bytes by Anastasios Monachos
Windows - xp sp2 PEB ISbeingdebugged shellcode - 56 bytes by Anonymous
Windows - XP Pro Sp2 English Message-Box Shellcode - 16 Bytes by Aodrulez
Windows - XP Pro Sp2 English Wordpad Shellcode - 15 bytes by Aodrulez
Windows - Write-to-file Shellcode by Brett Gervasoni
Windows - telnetbind by winexec - 111 bytes by DATA_SNIPER
Windows - useradd shellcode for russian systems - 318 bytes by Darkeagle
Windows - XP SP3 English MessageBoxA - 87 bytes by Glafkos Charalambous
Windows - SP2 english ( calc.exe ) - 37 bytes by Hazem mofeed
Windows - SP3 english ( calc.exe ) - 37 bytes by Hazem mofeed
Windows - Shellcode (cmd.exe) for XP SP2 Turkish - 26 Bytes by Hellcode
Windows - Shellcode (cmd.exe) for XP SP3 English - 26 Bytes by Hellcode
Windows - XP SP3 EN Calc Shellcode - 16 Bytes by John Leitch
Windows - win32/PerfectXp-pc1/sp3 (Tr) Add Admin Shellcode - 112 bytes by KaHPeSeSe
Windows - PEB Kernel32.dll ImageBase Finder - 49 Bytes by Koshi
Windows - PEB Kernel32.dll ImageBase Finder Alphanumeric - 67 bytes by Koshi
Windows - PEB!NtGlobalFlags shellcode - 14 bytes by Koshi
Windows - XP sp3 (Ru) WinExec+ExitProcess cmd shellcode - 12 bytes by Lord Kelvin
Windows - Reverse Generic Shellcode w/o Loader - 249 bytes by Matthieu Suiche
Windows - Pop up message box (XP/SP2) - 110 bytes by Omega7
Windows - sp3 (FR) Sleep - 14 bytes by Optix
Windows - XP download and exec source by Peter Winter-Smith
Windows - Allwin MessageBoxA - 238 bytes by RubberDuck
Windows - Allwin WinExec add new local administrator + ExitProcess Shellcode - 272 bytes by RubberDuck
Windows - Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes by RubberDuck
Windows - Shellcode Collection - (calc) 19 bytes by SkuLL-HacKeR
Windows - null-free 32-bit Windows download and LoadLibrary shellcode - 164 bytes by SkyLined
Windows - null-free 32-bit Windows shellcode that executes calc.exe - 100 bytes by SkyLined
Windows - null-free 32-bit Windows shellcode that shows a message box - 140 bytes by SkyLined
Windows - null-free bindshell for Windows 5.0-6.0 all service packs by SkyLined
Windows - XP sp2 (FR) Sellcode cmd.exe - 32 bytes by Stack
Windows - XP/sp2 (EN) cmd.exe - 23 bytes by Stack
Windows - XP Professional SP2 ita calc.exe - 36 bytes by Stoke
Windows - WinExec() Command Parameter - 104 bytes by Weiss
Windows - download and execute - 124 bytes by Weiss
Windows - Download and Execute Shellcode Generator by YAG KOHHA
Windows - sp3 (Tr) Add Admin Account Shellcode - 127 bytes by ZoRLu
Windows - sp3 (Tr) MessageBoxA Shellcode - 109 bytes by ZoRLu
Windows - sp3 (Tr) calc.exe Shellcode 53 bytes by ZoRLu
Windows - sp3 (Tr) cmd.exe Shellcode - 42 bytes by ZoRLu
Windows - sp3 (Tr) cmd.exe Shellcode 52 bytes by ZoRLu
Windows - Xp Pro SP3 Fr (calc.exe) - 31 Bytes by agix
Windows - XP PRO SP3 - Full ROP calc shellcode by b33f
Windows - xp pro sp3 (calc) - 57 bytes by cr4wl3r
Windows - win32/xp pro sp3 MessageBox shellcode - 11 bytes by d3c0der
Windows - download & exec shellcode - 226 bytes+ by darkeagle
Windows - Shellcode Checksum Routine by dijital1
Windows - IsDebuggerPresent ShellCode (NT/XP) - 39 bytes by ex-pb
Windows - PEB method (9x/NT/2k/XP) - 29 bytes by loco
Windows - connectback, receive, save and execute shellcode by loco
Windows - Bind Shell (NT/XP/2000/2003) - 356 bytes by metasploit
Windows - Create Admin User Account (NT/XP/2000) - 304 bytes by metasploit
Windows - Vampiric Import Reverse Connect - 179 bytes by metasploit
Windows - PEB method (9x/NT/2k/XP) by oc192
Windows - eggsearch shellcode - 33 bytes by oxff
Windows - XP-sp1 portshell on port 58821 - 116 bytes by silicon
Windows - XP SP3 addFirewallRule by sinn3r
Windows - PEB method (9x/NT/2k/XP) - 31 bytes by twoci
Windows - Beep Shellcode (SP1/SP2) - 35 bytes by xnull